
From: "Christian Heim (phreak)" <phreak@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] hardened r91 - in hardened-sources/2.6/tags: . 2.6.23-8
Date: Wed, 30 Apr 2008 11:35:48
Message-Id: E1JrAZN-00019c-Fe@stork.gentoo.org
1 Author: phreak
2 Date: 2008-04-30 11:33:52 +0000 (Wed, 30 Apr 2008)
3 New Revision: 91
4
5 Added:
6 hardened-sources/2.6/tags/2.6.23-8/
7 hardened-sources/2.6/tags/2.6.23-8/1701_x86-signal-setup_frame-clear-df.patch
8 hardened-sources/2.6/tags/2.6.23-8/4420_grsec-2.1.11-2.6.23.15-20080210.patch
9 hardened-sources/2.6/tags/2.6.23-8/4425_grsec-2.1.10-mute-warnings.patch
10 hardened-sources/2.6/tags/2.6.23-8/4430_grsec-2.1.10-pax_curr_ip-fixes.patch
11 hardened-sources/2.6/tags/2.6.23-8/4435_grsec-kconfig-gentoo.patch
12 hardened-sources/2.6/tags/2.6.23-8/4440_selinux-avc_audit-log-curr_ip.patch
13 hardened-sources/2.6/tags/2.6.23-8/4445_grsec-kconfig-default-gids.patch
14 hardened-sources/2.6/tags/2.6.23-8/4450_disable-compat_vdso.patch
15 hardened-sources/2.6/tags/2.6.23-8/4455_pax-hook-build-error.patch
16 hardened-sources/2.6/tags/2.6.23-8/4460_acct_stack_growth-null-deref.patch
17 hardened-sources/2.6/tags/2.6.23-8/4465_pax-vma-mirroring-fixes.patch
18 hardened-sources/2.6/tags/2.6.23-8/4470_vesafb-pmi-kernexec-fix.patch
19 hardened-sources/2.6/tags/2.6.23-8/4475_deselect-kernexec-on-unsupported-arches.patch
20 hardened-sources/2.6/tags/2.6.23-8/4480_ia64-modular-kernel-compile-fix.patch
21 hardened-sources/2.6/tags/2.6.23-8/4485_grsec-ptrace-recursive-lock-fix.patch
22 hardened-sources/2.6/tags/2.6.23-8/4490_grsec-netlink-security-fixes.patch
23 hardened-sources/2.6/tags/2.6.23-8/4495_pax-hang-when-coredump-disabled-fix.patch
24 hardened-sources/2.6/tags/2.6.23-8/4500_grsec-user_transition-bypass-fix.patch
25 Removed:
26 hardened-sources/2.6/tags/2.6.23-8/4430_grsec-2.1.11-2.6.23.15-20080210.patch
27 hardened-sources/2.6/tags/2.6.23-8/4435_grsec-2.1.10-mute-warnings.patch
28 hardened-sources/2.6/tags/2.6.23-8/4440_grsec-2.1.10-pax_curr_ip-fixes.patch
29 hardened-sources/2.6/tags/2.6.23-8/4445_grsec-kconfig-gentoo.patch
30 hardened-sources/2.6/tags/2.6.23-8/4450_selinux-avc_audit-log-curr_ip.patch
31 hardened-sources/2.6/tags/2.6.23-8/4455_grsec-kconfig-default-gids.patch
32 hardened-sources/2.6/tags/2.6.23-8/4460_disable-compat_vdso.patch
33 hardened-sources/2.6/tags/2.6.23-8/4465_pax-hook-build-error.patch
34 hardened-sources/2.6/tags/2.6.23-8/4470_acct_stack_growth-null-deref.patch
35 hardened-sources/2.6/tags/2.6.23-8/4475_pax-vma-mirroring-fixes.patch
36 hardened-sources/2.6/tags/2.6.23-8/4480_vesafb-pmi-kernexec-fix.patch
37 hardened-sources/2.6/tags/2.6.23-8/4485_deselect-kernexec-on-unsupported-arches.patch
38 hardened-sources/2.6/tags/2.6.23-8/4490_ia64-modular-kernel-compile-fix.patch
39 hardened-sources/2.6/tags/2.6.23-8/4495_grsec-ptrace-recursive-lock-fix.patch
40 hardened-sources/2.6/tags/2.6.23-8/4500_grsec-netlink-security-fixes.patch
41 hardened-sources/2.6/tags/2.6.23-8/4505_grsec-pax_emutramp-only-on-ppc32.patch
42 Log:
43 Tagging hardened-patches-2.6.23-8.
44
45 Copied: hardened-sources/2.6/tags/2.6.23-8 (from rev 86, hardened-sources/2.6/trunk/2.6.23)
46
47 Copied: hardened-sources/2.6/tags/2.6.23-8/1701_x86-signal-setup_frame-clear-df.patch (from rev 90, hardened-sources/2.6/trunk/2.6.23/1701_x86-signal-setup_frame-clear-df.patch)
48 ===================================================================
49 --- hardened-sources/2.6/tags/2.6.23-8/1701_x86-signal-setup_frame-clear-df.patch (rev 0)
50 +++ hardened-sources/2.6/tags/2.6.23-8/1701_x86-signal-setup_frame-clear-df.patch 2008-04-30 11:33:52 UTC (rev 91)
51 @@ -0,0 +1,78 @@
52 +From: Gordon Malm <bugs-gentoo-org-02@××××××.org>
53 +
54 +x86: Clear DF before calling signal handler
55 +
56 +Linux 2.6-series kernels < 2.6.24.4 do not clear the direction flag
57 +before calling a signal handler, which is required by the x86/x86-64
58 +ABI.
59 +
60 +This bug has come to light as GCC 4.3 assumes that the direction flag
61 +is correctly cleared at the entry of a function.
62 +
63 +This patches changes the setup_frame() functions to clear the
64 +direction before entering the signal handler.
65 +
66 +This is a backport to kernel 2.6.23 of mainline kernel git commit:
67 +e40cd10ccff3d9fbffd57b93780bee4b7b9bff51
68 +
69 +Originally From: Aurelien Jarno <aurelien@×××××××.net>
70 +Originally Signed-off-by: Aurelien Jarno <aurelien@×××××××.net>
71 +Originally Signed-off-by: Chris Wright <chrisw@××××××××.org>
72 +Originally Signed-off-by: Greg Kroah-Hartman <gregkh@××××.de>
73 +
74 +For more information, view:
75 +https://bugs.gentoo.org/show_bug.cgi?id=213811
76 +http://lkml.org/lkml/2008/3/5/207
77 +http://lwn.net/Articles/272203/
78 +
79 +--- a/arch/i386/kernel/signal.c
80 ++++ b/arch/i386/kernel/signal.c
81 +@@ -399,7 +399,7 @@ static int setup_frame(int sig, struct k
82 + * The tracer may want to single-step inside the
83 + * handler too.
84 + */
85 +- regs->eflags &= ~TF_MASK;
86 ++ regs->eflags &= ~(TF_MASK | X86_EFLAGS_DF);
87 + if (test_thread_flag(TIF_SINGLESTEP))
88 + ptrace_notify(SIGTRAP);
89 +
90 +@@ -494,7 +494,7 @@ static int setup_rt_frame(int sig, struc
91 + * The tracer may want to single-step inside the
92 + * handler too.
93 + */
94 +- regs->eflags &= ~TF_MASK;
95 ++ regs->eflags &= ~(TF_MASK | X86_EFLAGS_DF);
96 + if (test_thread_flag(TIF_SINGLESTEP))
97 + ptrace_notify(SIGTRAP);
98 +
99 +--- a/arch/x86_64/ia32/ia32_signal.c
100 ++++ b/arch/x86_64/ia32/ia32_signal.c
101 +@@ -494,7 +494,7 @@ int ia32_setup_frame(int sig, struct k_s
102 + regs->ss = __USER32_DS;
103 +
104 + set_fs(USER_DS);
105 +- regs->eflags &= ~TF_MASK;
106 ++ regs->eflags &= ~(TF_MASK | X86_EFLAGS_DF);
107 + if (test_thread_flag(TIF_SINGLESTEP))
108 + ptrace_notify(SIGTRAP);
109 +
110 +@@ -601,7 +601,7 @@ int ia32_setup_rt_frame(int sig, struct
111 + regs->ss = __USER32_DS;
112 +
113 + set_fs(USER_DS);
114 +- regs->eflags &= ~TF_MASK;
115 ++ regs->eflags &= ~(TF_MASK | X86_EFLAGS_DF);
116 + if (test_thread_flag(TIF_SINGLESTEP))
117 + ptrace_notify(SIGTRAP);
118 +
119 +--- a/arch/x86_64/kernel/signal.c
120 ++++ b/arch/x86_64/kernel/signal.c
121 +@@ -297,7 +297,7 @@ static int setup_rt_frame(int sig, struc
122 + see include/asm-x86_64/uaccess.h for details. */
123 + set_fs(USER_DS);
124 +
125 +- regs->eflags &= ~TF_MASK;
126 ++ regs->eflags &= ~(TF_MASK | X86_EFLAGS_DF);
127 + if (test_thread_flag(TIF_SINGLESTEP))
128 + ptrace_notify(SIGTRAP);
129 + #ifdef DEBUG_SIG
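Review bot: The patch header at the top of the hunk records the ABI requirement and the GCC 4.3 trigger but not the consequence, which is the part a security reviewer wants written down: a handler compiled under that assumption presumably inlines `rep movs`/`rep stos` without a preceding `cld`, so a signal that lands while the interrupted code has DF set (a backward `memmove`, or any program that sets DF on purpose) has its string operations run backwards and corrupt memory around the handler's buffers; I would add one sentence such as `Without this, a handler compiled by GCC 4.3 can corrupt memory if the signal arrives while DF is set.` The same header has two slips worth fixing: `This patches changes` and `clear the direction before entering` (missing `flag`). The five changed sites (i386 setup_frame/setup_rt_frame, ia32_setup_frame/ia32_setup_rt_frame, x86_64 setup_rt_frame) appear to match the cited mainline commit, so the code change itself looks complete for this tree; what I would still confirm is that the later PaX/grsecurity patch in this series (4420) applies cleanly on top of these modified context lines, if it also touches the signal-delivery code. Each of the setup_frame functions continues outside the hunk.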
130
131 Copied: hardened-sources/2.6/tags/2.6.23-8/4420_grsec-2.1.11-2.6.23.15-20080210.patch (from rev 90, hardened-sources/2.6/trunk/2.6.23/4420_grsec-2.1.11-2.6.23.15-20080210.patch)
132 ===================================================================
133 --- hardened-sources/2.6/tags/2.6.23-8/4420_grsec-2.1.11-2.6.23.15-20080210.patch (rev 0)
134 +++ hardened-sources/2.6/tags/2.6.23-8/4420_grsec-2.1.11-2.6.23.15-20080210.patch 2008-04-30 11:33:52 UTC (rev 91)
135 @@ -0,0 +1,35665 @@
136 +From: Kerin Millar <kerframil@×××××.com>
137 +
138 +grsecurity-2.1.11-2.6.23.14-200801231800 forward ported to 2.6.23.15 for
139 +the Hardened Gentoo project. Thanks to pipacs for some advice concerning
140 +mmap.c changes.
141 +
142 +diff -Nurp linux-2.6.23.15/Documentation/dontdiff linux-2.6.23.15-grsec/Documentation/dontdiff
143 +--- linux-2.6.23.15/Documentation/dontdiff 2007-10-09 21:31:38.000000000 +0100
144 ++++ linux-2.6.23.15-grsec/Documentation/dontdiff 2008-02-11 10:37:44.000000000 +0000
145 +@@ -176,14 +176,18 @@ times.h*
146 + tkparse
147 + trix_boot.h
148 + utsrelease.h*
149 ++vdso.lds
150 + version.h*
151 + vmlinux
152 + vmlinux-*
153 + vmlinux.aout
154 ++vmlinux.bin.all
155 + vmlinux.lds
156 ++vmlinux.relocs
157 + vsyscall.lds
158 + wanxlfw.inc
159 + uImage
160 + unifdef
161 ++utsrelease.h
162 + zImage*
163 + zconf.hash.c
164 +diff -Nurp linux-2.6.23.15/Makefile linux-2.6.23.15-grsec/Makefile
165 +--- linux-2.6.23.15/Makefile 2008-02-11 10:36:03.000000000 +0000
166 ++++ linux-2.6.23.15-grsec/Makefile 2008-02-11 10:37:44.000000000 +0000
167 +@@ -312,7 +312,7 @@ LINUXINCLUDE := -Iinclude \
168 +
169 + CPPFLAGS := -D__KERNEL__ $(LINUXINCLUDE)
170 +
171 +-CFLAGS := -Wall -Wundef -Wstrict-prototypes -Wno-trigraphs \
172 ++CFLAGS := -Wall -W -Wno-unused -Wno-sign-compare -Wundef -Wstrict-prototypes -Wno-trigraphs \
173 + -fno-strict-aliasing -fno-common \
174 + -Werror-implicit-function-declaration
175 + AFLAGS := -D__ASSEMBLY__
176 +@@ -560,7 +560,7 @@ export mod_strip_cmd
177 +
178 +
179 + ifeq ($(KBUILD_EXTMOD),)
180 +-core-y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/
181 ++core-y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/ grsecurity/
182 +
183 + vmlinux-dirs := $(patsubst %/,%,$(filter %/, $(init-y) $(init-m) \
184 + $(core-y) $(core-m) $(drivers-y) $(drivers-m) \
185 +diff -Nurp linux-2.6.23.15/arch/alpha/kernel/module.c linux-2.6.23.15-grsec/arch/alpha/kernel/module.c
186 +--- linux-2.6.23.15/arch/alpha/kernel/module.c 2007-10-09 21:31:38.000000000 +0100
187 ++++ linux-2.6.23.15-grsec/arch/alpha/kernel/module.c 2008-02-11 10:37:44.000000000 +0000
188 +@@ -176,7 +176,7 @@ apply_relocate_add(Elf64_Shdr *sechdrs,
189 +
190 + /* The small sections were sorted to the end of the segment.
191 + The following should definitely cover them. */
192 +- gp = (u64)me->module_core + me->core_size - 0x8000;
193 ++ gp = (u64)me->module_core_rw + me->core_size_rw - 0x8000;
194 + got = sechdrs[me->arch.gotsecindex].sh_addr;
195 +
196 + for (i = 0; i < n; i++) {
197 +diff -Nurp linux-2.6.23.15/arch/alpha/kernel/osf_sys.c linux-2.6.23.15-grsec/arch/alpha/kernel/osf_sys.c
198 +--- linux-2.6.23.15/arch/alpha/kernel/osf_sys.c 2007-10-09 21:31:38.000000000 +0100
199 ++++ linux-2.6.23.15-grsec/arch/alpha/kernel/osf_sys.c 2008-02-11 10:37:44.000000000 +0000
200 +@@ -1288,6 +1288,10 @@ arch_get_unmapped_area(struct file *filp
201 + merely specific addresses, but regions of memory -- perhaps
202 + this feature should be incorporated into all ports? */
203 +
204 ++#ifdef CONFIG_PAX_RANDMMAP
205 ++ if (!(current->mm->pax_flags & MF_PAX_RANDMMAP) || !filp)
206 ++#endif
207 ++
208 + if (addr) {
209 + addr = arch_get_unmapped_area_1 (PAGE_ALIGN(addr), len, limit);
210 + if (addr != (unsigned long) -ENOMEM)
211 +@@ -1295,8 +1299,8 @@ arch_get_unmapped_area(struct file *filp
212 + }
213 +
214 + /* Next, try allocating at TASK_UNMAPPED_BASE. */
215 +- addr = arch_get_unmapped_area_1 (PAGE_ALIGN(TASK_UNMAPPED_BASE),
216 +- len, limit);
217 ++ addr = arch_get_unmapped_area_1 (PAGE_ALIGN(current->mm->mmap_base), len, limit);
218 ++
219 + if (addr != (unsigned long) -ENOMEM)
220 + return addr;
221 +
222 +diff -Nurp linux-2.6.23.15/arch/alpha/kernel/ptrace.c linux-2.6.23.15-grsec/arch/alpha/kernel/ptrace.c
223 +--- linux-2.6.23.15/arch/alpha/kernel/ptrace.c 2007-10-09 21:31:38.000000000 +0100
224 ++++ linux-2.6.23.15-grsec/arch/alpha/kernel/ptrace.c 2008-02-11 10:37:44.000000000 +0000
225 +@@ -15,6 +15,7 @@
226 + #include <linux/slab.h>
227 + #include <linux/security.h>
228 + #include <linux/signal.h>
229 ++#include <linux/grsecurity.h>
230 +
231 + #include <asm/uaccess.h>
232 + #include <asm/pgtable.h>
233 +@@ -283,6 +284,11 @@ do_sys_ptrace(long request, long pid, lo
234 + goto out_notsk;
235 + }
236 +
237 ++ if (gr_handle_ptrace(child, request)) {
238 ++ ret = -EPERM;
239 ++ goto out;
240 ++ }
241 ++
242 + if (request == PTRACE_ATTACH) {
243 + ret = ptrace_attach(child);
244 + goto out;
245 +diff -Nurp linux-2.6.23.15/arch/alpha/mm/fault.c linux-2.6.23.15-grsec/arch/alpha/mm/fault.c
246 +--- linux-2.6.23.15/arch/alpha/mm/fault.c 2007-10-09 21:31:38.000000000 +0100
247 ++++ linux-2.6.23.15-grsec/arch/alpha/mm/fault.c 2008-02-11 10:37:44.000000000 +0000
248 +@@ -23,6 +23,7 @@
249 + #include <linux/smp.h>
250 + #include <linux/interrupt.h>
251 + #include <linux/module.h>
252 ++#include <linux/binfmts.h>
253 +
254 + #include <asm/system.h>
255 + #include <asm/uaccess.h>
256 +@@ -54,6 +55,124 @@ __load_new_mm_context(struct mm_struct *
257 + __reload_thread(pcb);
258 + }
259 +
260 ++#ifdef CONFIG_PAX_PAGEEXEC
261 ++/*
262 ++ * PaX: decide what to do with offenders (regs->pc = fault address)
263 ++ *
264 ++ * returns 1 when task should be killed
265 ++ * 2 when patched PLT trampoline was detected
266 ++ * 3 when unpatched PLT trampoline was detected
267 ++ */
268 ++static int pax_handle_fetch_fault(struct pt_regs *regs)
269 ++{
270 ++
271 ++#ifdef CONFIG_PAX_EMUPLT
272 ++ int err;
273 ++
274 ++ do { /* PaX: patched PLT emulation #1 */
275 ++ unsigned int ldah, ldq, jmp;
276 ++
277 ++ err = get_user(ldah, (unsigned int *)regs->pc);
278 ++ err |= get_user(ldq, (unsigned int *)(regs->pc+4));
279 ++ err |= get_user(jmp, (unsigned int *)(regs->pc+8));
280 ++
281 ++ if (err)
282 ++ break;
283 ++
284 ++ if ((ldah & 0xFFFF0000U) == 0x277B0000U &&
285 ++ (ldq & 0xFFFF0000U) == 0xA77B0000U &&
286 ++ jmp == 0x6BFB0000U)
287 ++ {
288 ++ unsigned long r27, addr;
289 ++ unsigned long addrh = (ldah | 0xFFFFFFFFFFFF0000UL) << 16;
290 ++ unsigned long addrl = ldq | 0xFFFFFFFFFFFF0000UL;
291 ++
292 ++ addr = regs->r27 + ((addrh ^ 0x80000000UL) + 0x80000000UL) + ((addrl ^ 0x8000UL) + 0x8000UL);
293 ++ err = get_user(r27, (unsigned long *)addr);
294 ++ if (err)
295 ++ break;
296 ++
297 ++ regs->r27 = r27;
298 ++ regs->pc = r27;
299 ++ return 2;
300 ++ }
301 ++ } while (0);
302 ++
303 ++ do { /* PaX: patched PLT emulation #2 */
304 ++ unsigned int ldah, lda, br;
305 ++
306 ++ err = get_user(ldah, (unsigned int *)regs->pc);
307 ++ err |= get_user(lda, (unsigned int *)(regs->pc+4));
308 ++ err |= get_user(br, (unsigned int *)(regs->pc+8));
309 ++
310 ++ if (err)
311 ++ break;
312 ++
313 ++ if ((ldah & 0xFFFF0000U) == 0x277B0000U &&
314 ++ (lda & 0xFFFF0000U) == 0xA77B0000U &&
315 ++ (br & 0xFFE00000U) == 0xC3E00000U)
316 ++ {
317 ++ unsigned long addr = br | 0xFFFFFFFFFFE00000UL;
318 ++ unsigned long addrh = (ldah | 0xFFFFFFFFFFFF0000UL) << 16;
319 ++ unsigned long addrl = lda | 0xFFFFFFFFFFFF0000UL;
320 ++
321 ++ regs->r27 += ((addrh ^ 0x80000000UL) + 0x80000000UL) + ((addrl ^ 0x8000UL) + 0x8000UL);
322 ++ regs->pc += 12 + (((addr ^ 0x00100000UL) + 0x00100000UL) << 2);
323 ++ return 2;
324 ++ }
325 ++ } while (0);
326 ++
327 ++ do { /* PaX: unpatched PLT emulation */
328 ++ unsigned int br;
329 ++
330 ++ err = get_user(br, (unsigned int *)regs->pc);
331 ++
332 ++ if (!err && (br & 0xFFE00000U) == 0xC3800000U) {
333 ++ unsigned int br2, ldq, nop, jmp;
334 ++ unsigned long addr = br | 0xFFFFFFFFFFE00000UL, resolver;
335 ++
336 ++ addr = regs->pc + 4 + (((addr ^ 0x00100000UL) + 0x00100000UL) << 2);
337 ++ err = get_user(br2, (unsigned int *)addr);
338 ++ err |= get_user(ldq, (unsigned int *)(addr+4));
339 ++ err |= get_user(nop, (unsigned int *)(addr+8));
340 ++ err |= get_user(jmp, (unsigned int *)(addr+12));
341 ++ err |= get_user(resolver, (unsigned long *)(addr+16));
342 ++
343 ++ if (err)
344 ++ break;
345 ++
346 ++ if (br2 == 0xC3600000U &&
347 ++ ldq == 0xA77B000CU &&
348 ++ nop == 0x47FF041FU &&
349 ++ jmp == 0x6B7B0000U)
350 ++ {
351 ++ regs->r28 = regs->pc+4;
352 ++ regs->r27 = addr+16;
353 ++ regs->pc = resolver;
354 ++ return 3;
355 ++ }
356 ++ }
357 ++ } while (0);
358 ++#endif
359 ++
360 ++ return 1;
361 ++}
362 ++
363 ++void pax_report_insns(void *pc, void *sp)
364 ++{
365 ++ unsigned long i;
366 ++
367 ++ printk(KERN_ERR "PAX: bytes at PC: ");
368 ++ for (i = 0; i < 5; i++) {
369 ++ unsigned int c;
370 ++ if (get_user(c, (unsigned int *)pc+i))
371 ++ printk("???????? ");
372 ++ else
373 ++ printk("%08x ", c);
374 ++ }
375 ++ printk("\n");
376 ++}
377 ++#endif
378 +
379 + /*
380 + * This routine handles page faults. It determines the address,
381 +@@ -131,8 +250,29 @@ do_page_fault(unsigned long address, uns
382 + good_area:
383 + si_code = SEGV_ACCERR;
384 + if (cause < 0) {
385 +- if (!(vma->vm_flags & VM_EXEC))
386 ++ if (!(vma->vm_flags & VM_EXEC)) {
387 ++
388 ++#ifdef CONFIG_PAX_PAGEEXEC
389 ++ if (!(mm->pax_flags & MF_PAX_PAGEEXEC) || address != regs->pc)
390 ++ goto bad_area;
391 ++
392 ++ up_read(&mm->mmap_sem);
393 ++ switch (pax_handle_fetch_fault(regs)) {
394 ++
395 ++#ifdef CONFIG_PAX_EMUPLT
396 ++ case 2:
397 ++ case 3:
398 ++ return;
399 ++#endif
400 ++
401 ++ }
402 ++ pax_report_fault(regs, (void *)regs->pc, (void *)rdusp());
403 ++ do_exit(SIGKILL);
404 ++#else
405 + goto bad_area;
406 ++#endif
407 ++
408 ++ }
409 + } else if (!cause) {
410 + /* Allow reads even for write-only mappings */
411 + if (!(vma->vm_flags & (VM_READ | VM_WRITE)))
412 +diff -Nurp linux-2.6.23.15/arch/arm/mm/mmap.c linux-2.6.23.15-grsec/arch/arm/mm/mmap.c
413 +--- linux-2.6.23.15/arch/arm/mm/mmap.c 2007-10-09 21:31:38.000000000 +0100
414 ++++ linux-2.6.23.15-grsec/arch/arm/mm/mmap.c 2008-02-11 10:37:44.000000000 +0000
415 +@@ -60,6 +60,10 @@ arch_get_unmapped_area(struct file *filp
416 + if (len > TASK_SIZE)
417 + return -ENOMEM;
418 +
419 ++#ifdef CONFIG_PAX_RANDMMAP
420 ++ if (!(mm->pax_flags & MF_PAX_RANDMMAP) || !filp)
421 ++#endif
422 ++
423 + if (addr) {
424 + if (do_align)
425 + addr = COLOUR_ALIGN(addr, pgoff);
426 +@@ -72,10 +76,10 @@ arch_get_unmapped_area(struct file *filp
427 + return addr;
428 + }
429 + if (len > mm->cached_hole_size) {
430 +- start_addr = addr = mm->free_area_cache;
431 ++ start_addr = addr = mm->free_area_cache;
432 + } else {
433 +- start_addr = addr = TASK_UNMAPPED_BASE;
434 +- mm->cached_hole_size = 0;
435 ++ start_addr = addr = mm->mmap_base;
436 ++ mm->cached_hole_size = 0;
437 + }
438 +
439 + full_search:
440 +@@ -91,8 +95,8 @@ full_search:
441 + * Start a new search - just in case we missed
442 + * some holes.
443 + */
444 +- if (start_addr != TASK_UNMAPPED_BASE) {
445 +- start_addr = addr = TASK_UNMAPPED_BASE;
446 ++ if (start_addr != mm->mmap_base) {
447 ++ start_addr = addr = mm->mmap_base;
448 + mm->cached_hole_size = 0;
449 + goto full_search;
450 + }
451 +diff -Nurp linux-2.6.23.15/arch/avr32/mm/fault.c linux-2.6.23.15-grsec/arch/avr32/mm/fault.c
452 +--- linux-2.6.23.15/arch/avr32/mm/fault.c 2007-10-09 21:31:38.000000000 +0100
453 ++++ linux-2.6.23.15-grsec/arch/avr32/mm/fault.c 2008-02-11 10:37:44.000000000 +0000
454 +@@ -41,6 +41,23 @@ static inline int notify_page_fault(stru
455 +
456 + int exception_trace = 1;
457 +
458 ++#ifdef CONFIG_PAX_PAGEEXEC
459 ++void pax_report_insns(void *pc, void *sp)
460 ++{
461 ++ unsigned long i;
462 ++
463 ++ printk(KERN_ERR "PAX: bytes at PC: ");
464 ++ for (i = 0; i < 20; i++) {
465 ++ unsigned char c;
466 ++ if (get_user(c, (unsigned char *)pc+i))
467 ++ printk("???????? ");
468 ++ else
469 ++ printk("%02x ", c);
470 ++ }
471 ++ printk("\n");
472 ++}
473 ++#endif
474 ++
475 + /*
476 + * This routine handles page faults. It determines the address and the
477 + * problem, and then passes it off to one of the appropriate routines.
478 +@@ -157,6 +174,16 @@ bad_area:
479 + up_read(&mm->mmap_sem);
480 +
481 + if (user_mode(regs)) {
482 ++
483 ++#ifdef CONFIG_PAX_PAGEEXEC
484 ++ if (mm->pax_flags & MF_PAX_PAGEEXEC) {
485 ++ if (ecr == ECR_PROTECTION_X || ecr == ECR_TLB_MISS_X) {
486 ++ pax_report_fault(regs, (void *)regs->pc, (void *)regs->sp);
487 ++ do_exit(SIGKILL);
488 ++ }
489 ++ }
490 ++#endif
491 ++
492 + if (exception_trace && printk_ratelimit())
493 + printk("%s%s[%d]: segfault at %08lx pc %08lx "
494 + "sp %08lx ecr %lu\n",
495 +diff -Nurp linux-2.6.23.15/arch/i386/Kconfig linux-2.6.23.15-grsec/arch/i386/Kconfig
496 +--- linux-2.6.23.15/arch/i386/Kconfig 2007-10-09 21:31:38.000000000 +0100
497 ++++ linux-2.6.23.15-grsec/arch/i386/Kconfig 2008-02-11 10:37:44.000000000 +0000
498 +@@ -592,7 +592,7 @@ config PAGE_OFFSET
499 + hex
500 + default 0xB0000000 if VMSPLIT_3G_OPT
501 + default 0x80000000 if VMSPLIT_2G
502 +- default 0x78000000 if VMSPLIT_2G_OPT
503 ++ default 0x70000000 if VMSPLIT_2G_OPT
504 + default 0x40000000 if VMSPLIT_1G
505 + default 0xC0000000
506 +
507 +@@ -831,7 +831,7 @@ config CRASH_DUMP
508 + config PHYSICAL_START
509 + hex "Physical address where the kernel is loaded" if (EMBEDDED || CRASH_DUMP)
510 + default "0x1000000" if X86_NUMAQ
511 +- default "0x100000"
512 ++ default "0x200000"
513 + help
514 + This gives the physical address where the kernel is loaded.
515 +
516 +@@ -916,7 +916,7 @@ config HOTPLUG_CPU
517 +
518 + config COMPAT_VDSO
519 + bool "Compat VDSO support"
520 +- default y
521 ++ default n
522 + help
523 + Map the VDSO to the predictable old-style address too.
524 + ---help---
525 +@@ -1092,7 +1092,7 @@ config PCI
526 + choice
527 + prompt "PCI access mode"
528 + depends on PCI && !X86_VISWS
529 +- default PCI_GOANY
530 ++ default PCI_GODIRECT
531 + ---help---
532 + On PCI systems, the BIOS can be used to detect the PCI devices and
533 + determine their configuration. However, some old PCI motherboards
534 +diff -Nurp linux-2.6.23.15/arch/i386/Kconfig.cpu linux-2.6.23.15-grsec/arch/i386/Kconfig.cpu
535 +--- linux-2.6.23.15/arch/i386/Kconfig.cpu 2007-10-09 21:31:38.000000000 +0100
536 ++++ linux-2.6.23.15-grsec/arch/i386/Kconfig.cpu 2008-02-11 10:37:44.000000000 +0000
537 +@@ -274,7 +274,7 @@ config X86_PPRO_FENCE
538 +
539 + config X86_F00F_BUG
540 + bool
541 +- depends on M586MMX || M586TSC || M586 || M486 || M386
542 ++ depends on (M586MMX || M586TSC || M586 || M486 || M386) && !PAX_KERNEXEC
543 + default y
544 +
545 + config X86_WP_WORKS_OK
546 +@@ -299,7 +299,7 @@ config X86_POPAD_OK
547 +
548 + config X86_ALIGNMENT_16
549 + bool
550 +- depends on MWINCHIP3D || MWINCHIP2 || MWINCHIPC6 || MCYRIXIII || X86_ELAN || MK6 || M586MMX || M586TSC || M586 || M486 || MVIAC3_2 || MGEODEGX1
551 ++ depends on MWINCHIP3D || MWINCHIP2 || MWINCHIPC6 || MCYRIXIII || X86_ELAN || MK8 || MK7 || MK6 || MPENTIUM4 || MPENTIUMIII || MPENTIUMII || M686 || M586MMX || M586TSC || M586 || M486 || MVIAC3_2 || MGEODEGX1
552 + default y
553 +
554 + config X86_GOOD_APIC
555 +diff -Nurp linux-2.6.23.15/arch/i386/Kconfig.debug linux-2.6.23.15-grsec/arch/i386/Kconfig.debug
556 +--- linux-2.6.23.15/arch/i386/Kconfig.debug 2007-10-09 21:31:38.000000000 +0100
557 ++++ linux-2.6.23.15-grsec/arch/i386/Kconfig.debug 2008-02-11 10:37:44.000000000 +0000
558 +@@ -46,16 +46,6 @@ config DEBUG_PAGEALLOC
559 + This results in a large slowdown, but helps to find certain types
560 + of memory corruptions.
561 +
562 +-config DEBUG_RODATA
563 +- bool "Write protect kernel read-only data structures"
564 +- depends on DEBUG_KERNEL
565 +- help
566 +- Mark the kernel read-only data as write-protected in the pagetables,
567 +- in order to catch accidental (and incorrect) writes to such const
568 +- data. This option may have a slight performance impact because a
569 +- portion of the kernel code won't be covered by a 2MB TLB anymore.
570 +- If in doubt, say "N".
571 +-
572 + config 4KSTACKS
573 + bool "Use 4Kb for kernel stacks instead of 8Kb"
574 + depends on DEBUG_KERNEL
575 +diff -Nurp linux-2.6.23.15/arch/i386/boot/bitops.h linux-2.6.23.15-grsec/arch/i386/boot/bitops.h
576 +--- linux-2.6.23.15/arch/i386/boot/bitops.h 2007-10-09 21:31:38.000000000 +0100
577 ++++ linux-2.6.23.15-grsec/arch/i386/boot/bitops.h 2008-02-11 10:37:44.000000000 +0000
578 +@@ -28,7 +28,7 @@ static inline int variable_test_bit(int
579 + u8 v;
580 + const u32 *p = (const u32 *)addr;
581 +
582 +- asm("btl %2,%1; setc %0" : "=qm" (v) : "m" (*p), "Ir" (nr));
583 ++ asm volatile("btl %2,%1; setc %0" : "=qm" (v) : "m" (*p), "Ir" (nr));
584 + return v;
585 + }
586 +
587 +@@ -39,7 +39,7 @@ static inline int variable_test_bit(int
588 +
589 + static inline void set_bit(int nr, void *addr)
590 + {
591 +- asm("btsl %1,%0" : "+m" (*(u32 *)addr) : "Ir" (nr));
592 ++ asm volatile("btsl %1,%0" : "+m" (*(u32 *)addr) : "Ir" (nr));
593 + }
594 +
595 + #endif /* BOOT_BITOPS_H */
596 +diff -Nurp linux-2.6.23.15/arch/i386/boot/boot.h linux-2.6.23.15-grsec/arch/i386/boot/boot.h
597 +--- linux-2.6.23.15/arch/i386/boot/boot.h 2008-02-11 10:36:03.000000000 +0000
598 ++++ linux-2.6.23.15-grsec/arch/i386/boot/boot.h 2008-02-11 10:37:44.000000000 +0000
599 +@@ -78,7 +78,7 @@ static inline void io_delay(void)
600 + static inline u16 ds(void)
601 + {
602 + u16 seg;
603 +- asm("movw %%ds,%0" : "=rm" (seg));
604 ++ asm volatile("movw %%ds,%0" : "=rm" (seg));
605 + return seg;
606 + }
607 +
608 +@@ -174,7 +174,7 @@ static inline void wrgs32(u32 v, addr_t
609 + static inline int memcmp(const void *s1, const void *s2, size_t len)
610 + {
611 + u8 diff;
612 +- asm("repe; cmpsb; setnz %0"
613 ++ asm volatile("repe; cmpsb; setnz %0"
614 + : "=qm" (diff), "+D" (s1), "+S" (s2), "+c" (len));
615 + return diff;
616 + }
617 +diff -Nurp linux-2.6.23.15/arch/i386/boot/compressed/head.S linux-2.6.23.15-grsec/arch/i386/boot/compressed/head.S
618 +--- linux-2.6.23.15/arch/i386/boot/compressed/head.S 2007-10-09 21:31:38.000000000 +0100
619 ++++ linux-2.6.23.15-grsec/arch/i386/boot/compressed/head.S 2008-02-11 10:37:44.000000000 +0000
620 +@@ -159,9 +159,8 @@ relocated:
621 + */
622 +
623 + 1: subl $4, %edi
624 +- movl 0(%edi), %ecx
625 +- testl %ecx, %ecx
626 +- jz 2f
627 ++ movl (%edi), %ecx
628 ++ jecxz 2f
629 + addl %ebx, -__PAGE_OFFSET(%ebx, %ecx)
630 + jmp 1b
631 + 2:
632 +diff -Nurp linux-2.6.23.15/arch/i386/boot/compressed/relocs.c linux-2.6.23.15-grsec/arch/i386/boot/compressed/relocs.c
633 +--- linux-2.6.23.15/arch/i386/boot/compressed/relocs.c 2007-10-09 21:31:38.000000000 +0100
634 ++++ linux-2.6.23.15-grsec/arch/i386/boot/compressed/relocs.c 2008-02-11 10:37:44.000000000 +0000
635 +@@ -10,9 +10,13 @@
636 + #define USE_BSD
637 + #include <endian.h>
638 +
639 ++#include "../../../../include/linux/autoconf.h"
640 ++
641 ++#define MAX_PHDRS 100
642 + #define MAX_SHDRS 100
643 + #define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))
644 + static Elf32_Ehdr ehdr;
645 ++static Elf32_Phdr phdr[MAX_PHDRS];
646 + static Elf32_Shdr shdr[MAX_SHDRS];
647 + static Elf32_Sym *symtab[MAX_SHDRS];
648 + static Elf32_Rel *reltab[MAX_SHDRS];
649 +@@ -246,6 +250,34 @@ static void read_ehdr(FILE *fp)
650 + }
651 + }
652 +
653 ++static void read_phdrs(FILE *fp)
654 ++{
655 ++ int i;
656 ++ if (ehdr.e_phnum > MAX_PHDRS) {
657 ++ die("%d program headers supported: %d\n",
658 ++ ehdr.e_phnum, MAX_PHDRS);
659 ++ }
660 ++ if (fseek(fp, ehdr.e_phoff, SEEK_SET) < 0) {
661 ++ die("Seek to %d failed: %s\n",
662 ++ ehdr.e_phoff, strerror(errno));
663 ++ }
664 ++ if (fread(&phdr, sizeof(phdr[0]), ehdr.e_phnum, fp) != ehdr.e_phnum) {
665 ++ die("Cannot read ELF program headers: %s\n",
666 ++ strerror(errno));
667 ++ }
668 ++ for(i = 0; i < ehdr.e_phnum; i++) {
669 ++ phdr[i].p_type = elf32_to_cpu(phdr[i].p_type);
670 ++ phdr[i].p_offset = elf32_to_cpu(phdr[i].p_offset);
671 ++ phdr[i].p_vaddr = elf32_to_cpu(phdr[i].p_vaddr);
672 ++ phdr[i].p_paddr = elf32_to_cpu(phdr[i].p_paddr);
673 ++ phdr[i].p_filesz = elf32_to_cpu(phdr[i].p_filesz);
674 ++ phdr[i].p_memsz = elf32_to_cpu(phdr[i].p_memsz);
675 ++ phdr[i].p_flags = elf32_to_cpu(phdr[i].p_flags);
676 ++ phdr[i].p_align = elf32_to_cpu(phdr[i].p_align);
677 ++ }
678 ++
679 ++}
680 ++
681 + static void read_shdrs(FILE *fp)
682 + {
683 + int i;
684 +@@ -332,6 +364,8 @@ static void read_symtabs(FILE *fp)
685 + static void read_relocs(FILE *fp)
686 + {
687 + int i,j;
688 ++ uint32_t base;
689 ++
690 + for(i = 0; i < ehdr.e_shnum; i++) {
691 + if (shdr[i].sh_type != SHT_REL) {
692 + continue;
693 +@@ -349,8 +383,17 @@ static void read_relocs(FILE *fp)
694 + die("Cannot read symbol table: %s\n",
695 + strerror(errno));
696 + }
697 ++ base = 0;
698 ++ for (j = 0; j < ehdr.e_phnum; j++) {
699 ++ if (phdr[j].p_type != PT_LOAD )
700 ++ continue;
701 ++ if (shdr[shdr[i].sh_info].sh_offset < phdr[j].p_offset || shdr[shdr[i].sh_info].sh_offset > phdr[j].p_offset + phdr[j].p_filesz)
702 ++ continue;
703 ++ base = CONFIG_PAGE_OFFSET + phdr[j].p_paddr - phdr[j].p_vaddr;
704 ++ break;
705 ++ }
706 + for(j = 0; j < shdr[i].sh_size/sizeof(reltab[0][0]); j++) {
707 +- reltab[i][j].r_offset = elf32_to_cpu(reltab[i][j].r_offset);
708 ++ reltab[i][j].r_offset = elf32_to_cpu(reltab[i][j].r_offset) + base;
709 + reltab[i][j].r_info = elf32_to_cpu(reltab[i][j].r_info);
710 + }
711 + }
712 +@@ -487,6 +530,27 @@ static void walk_relocs(void (*visit)(El
713 + if (sym->st_shndx == SHN_ABS) {
714 + continue;
715 + }
716 ++ /* Don't relocate actual per-cpu variables, they are absolute indices, not addresses */
717 ++ if (!strcmp(sec_name(sym->st_shndx), ".data.percpu") && strncmp(sym_name(sym_strtab, sym), "__per_cpu_", 10)) {
718 ++ continue;
719 ++ }
720 ++#ifdef CONFIG_PAX_KERNEXEC
721 ++ /* Don't relocate actual code, they are relocated implicitly by the base address of KERNEL_CS */
722 ++ if (!strcmp(sec_name(sym->st_shndx), ".init.text")) {
723 ++ continue;
724 ++ }
725 ++ if (!strcmp(sec_name(sym->st_shndx), ".exit.text")) {
726 ++ continue;
727 ++ }
728 ++ if (!strcmp(sec_name(sym->st_shndx), ".text.head"))
729 ++ if (strcmp(sym_name(sym_strtab, sym), "__init_end") &&
730 ++ strcmp(sym_name(sym_strtab, sym), "KERNEL_TEXT_OFFSET")) {
731 ++ continue;
732 ++ }
733 ++ if (!strcmp(sec_name(sym->st_shndx), ".text")) {
734 ++ continue;
735 ++ }
736 ++#endif
737 + if (r_type == R_386_PC32) {
738 + /* PC relative relocations don't need to be adjusted */
739 + }
740 +@@ -614,6 +678,7 @@ int main(int argc, char **argv)
741 + fname, strerror(errno));
742 + }
743 + read_ehdr(fp);
744 ++ read_phdrs(fp);
745 + read_shdrs(fp);
746 + read_strtabs(fp);
747 + read_symtabs(fp);
748 +diff -Nurp linux-2.6.23.15/arch/i386/boot/cpucheck.c linux-2.6.23.15-grsec/arch/i386/boot/cpucheck.c
749 +--- linux-2.6.23.15/arch/i386/boot/cpucheck.c 2007-10-09 21:31:38.000000000 +0100
750 ++++ linux-2.6.23.15-grsec/arch/i386/boot/cpucheck.c 2008-02-11 10:37:44.000000000 +0000
751 +@@ -90,7 +90,7 @@ static int has_fpu(void)
752 + u16 fcw = -1, fsw = -1;
753 + u32 cr0;
754 +
755 +- asm("movl %%cr0,%0" : "=r" (cr0));
756 ++ asm volatile("movl %%cr0,%0" : "=r" (cr0));
757 + if (cr0 & (X86_CR0_EM|X86_CR0_TS)) {
758 + cr0 &= ~(X86_CR0_EM|X86_CR0_TS);
759 + asm volatile("movl %0,%%cr0" : : "r" (cr0));
760 +@@ -106,7 +106,7 @@ static int has_eflag(u32 mask)
761 + {
762 + u32 f0, f1;
763 +
764 +- asm("pushfl ; "
765 ++ asm volatile("pushfl ; "
766 + "pushfl ; "
767 + "popl %0 ; "
768 + "movl %0,%1 ; "
769 +@@ -131,7 +131,7 @@ static void get_flags(void)
770 + set_bit(X86_FEATURE_FPU, cpu.flags);
771 +
772 + if (has_eflag(X86_EFLAGS_ID)) {
773 +- asm("cpuid"
774 ++ asm volatile("cpuid"
775 + : "=a" (max_intel_level),
776 + "=b" (cpu_vendor[0]),
777 + "=d" (cpu_vendor[1]),
778 +@@ -140,7 +140,7 @@ static void get_flags(void)
779 +
780 + if (max_intel_level >= 0x00000001 &&
781 + max_intel_level <= 0x0000ffff) {
782 +- asm("cpuid"
783 ++ asm volatile("cpuid"
784 + : "=a" (tfms),
785 + "=c" (cpu.flags[4]),
786 + "=d" (cpu.flags[0])
787 +@@ -152,7 +152,7 @@ static void get_flags(void)
788 + cpu.model += ((tfms >> 16) & 0xf) << 4;
789 + }
790 +
791 +- asm("cpuid"
792 ++ asm volatile("cpuid"
793 + : "=a" (max_amd_level)
794 + : "a" (0x80000000)
795 + : "ebx", "ecx", "edx");
796 +@@ -160,7 +160,7 @@ static void get_flags(void)
797 + if (max_amd_level >= 0x80000001 &&
798 + max_amd_level <= 0x8000ffff) {
799 + u32 eax = 0x80000001;
800 +- asm("cpuid"
801 ++ asm volatile("cpuid"
802 + : "+a" (eax),
803 + "=c" (cpu.flags[6]),
804 + "=d" (cpu.flags[1])
805 +@@ -219,9 +219,9 @@ int check_cpu(int *cpu_level_ptr, int *r
806 + u32 ecx = MSR_K7_HWCR;
807 + u32 eax, edx;
808 +
809 +- asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
810 ++ asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
811 + eax &= ~(1 << 15);
812 +- asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
813 ++ asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
814 +
815 + get_flags(); /* Make sure it really did something */
816 + err = check_flags();
817 +@@ -234,9 +234,9 @@ int check_cpu(int *cpu_level_ptr, int *r
818 + u32 ecx = MSR_VIA_FCR;
819 + u32 eax, edx;
820 +
821 +- asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
822 ++ asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
823 + eax |= (1<<1)|(1<<7);
824 +- asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
825 ++ asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
826 +
827 + set_bit(X86_FEATURE_CX8, cpu.flags);
828 + err = check_flags();
829 +@@ -247,12 +247,12 @@ int check_cpu(int *cpu_level_ptr, int *r
830 + u32 eax, edx;
831 + u32 level = 1;
832 +
833 +- asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
834 +- asm("wrmsr" : : "a" (~0), "d" (edx), "c" (ecx));
835 +- asm("cpuid"
836 ++ asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
837 ++ asm volatile("wrmsr" : : "a" (~0), "d" (edx), "c" (ecx));
838 ++ asm volatile("cpuid"
839 + : "+a" (level), "=d" (cpu.flags[0])
840 + : : "ecx", "ebx");
841 +- asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
842 ++ asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
843 +
844 + err = check_flags();
845 + }
846 +diff -Nurp linux-2.6.23.15/arch/i386/boot/edd.c linux-2.6.23.15-grsec/arch/i386/boot/edd.c
847 +--- linux-2.6.23.15/arch/i386/boot/edd.c 2007-10-09 21:31:38.000000000 +0100
848 ++++ linux-2.6.23.15-grsec/arch/i386/boot/edd.c 2008-02-11 10:37:44.000000000 +0000
849 +@@ -78,7 +78,7 @@ static int get_edd_info(u8 devno, struct
850 + ax = 0x4100;
851 + bx = EDDMAGIC1;
852 + dx = devno;
853 +- asm("pushfl; stc; int $0x13; setc %%al; popfl"
854 ++ asm volatile("pushfl; stc; int $0x13; setc %%al; popfl"
855 + : "+a" (ax), "+b" (bx), "=c" (cx), "+d" (dx)
856 + : : "esi", "edi");
857 +
858 +@@ -97,7 +97,7 @@ static int get_edd_info(u8 devno, struct
859 + ei->params.length = sizeof(ei->params);
860 + ax = 0x4800;
861 + dx = devno;
862 +- asm("pushfl; int $0x13; popfl"
863 ++ asm volatile("pushfl; int $0x13; popfl"
864 + : "+a" (ax), "+d" (dx), "=m" (ei->params)
865 + : "S" (&ei->params)
866 + : "ebx", "ecx", "edi");
867 +@@ -108,7 +108,7 @@ static int get_edd_info(u8 devno, struct
868 + ax = 0x0800;
869 + dx = devno;
870 + di = 0;
871 +- asm("pushw %%es; "
872 ++ asm volatile("pushw %%es; "
873 + "movw %%di,%%es; "
874 + "pushfl; stc; int $0x13; setc %%al; popfl; "
875 + "popw %%es"
876 +diff -Nurp linux-2.6.23.15/arch/i386/boot/main.c linux-2.6.23.15-grsec/arch/i386/boot/main.c
877 +--- linux-2.6.23.15/arch/i386/boot/main.c 2007-10-09 21:31:38.000000000 +0100
878 ++++ linux-2.6.23.15-grsec/arch/i386/boot/main.c 2008-02-11 10:37:44.000000000 +0000
879 +@@ -77,7 +77,7 @@ static void keyboard_set_repeat(void)
880 + */
881 + static void query_ist(void)
882 + {
883 +- asm("int $0x15"
884 ++ asm volatile("int $0x15"
885 + : "=a" (boot_params.ist_info.signature),
886 + "=b" (boot_params.ist_info.command),
887 + "=c" (boot_params.ist_info.event),
888 +diff -Nurp linux-2.6.23.15/arch/i386/boot/mca.c linux-2.6.23.15-grsec/arch/i386/boot/mca.c
889 +--- linux-2.6.23.15/arch/i386/boot/mca.c 2007-10-09 21:31:38.000000000 +0100
890 ++++ linux-2.6.23.15-grsec/arch/i386/boot/mca.c 2008-02-11 10:37:44.000000000 +0000
891 +@@ -21,7 +21,7 @@ int query_mca(void)
892 + u8 err;
893 + u16 es, bx, len;
894 +
895 +- asm("pushw %%es ; "
896 ++ asm volatile("pushw %%es ; "
897 + "int $0x15 ; "
898 + "setc %0 ; "
899 + "movw %%es, %1 ; "
900 +diff -Nurp linux-2.6.23.15/arch/i386/boot/memory.c linux-2.6.23.15-grsec/arch/i386/boot/memory.c
901 +--- linux-2.6.23.15/arch/i386/boot/memory.c 2007-10-09 21:31:38.000000000 +0100
902 ++++ linux-2.6.23.15-grsec/arch/i386/boot/memory.c 2008-02-11 10:37:44.000000000 +0000
903 +@@ -32,7 +32,7 @@ static int detect_memory_e820(void)
904 + /* Important: %edx is clobbered by some BIOSes,
905 + so it must be either used for the error output
906 + or explicitly marked clobbered. */
907 +- asm("int $0x15; setc %0"
908 ++ asm volatile("int $0x15; setc %0"
909 + : "=d" (err), "+b" (next), "=a" (id), "+c" (size),
910 + "=m" (*desc)
911 + : "D" (desc), "d" (SMAP), "a" (0xe820));
912 +@@ -64,7 +64,7 @@ static int detect_memory_e801(void)
913 +
914 + bx = cx = dx = 0;
915 + ax = 0xe801;
916 +- asm("stc; int $0x15; setc %0"
917 ++ asm volatile("stc; int $0x15; setc %0"
918 + : "=m" (err), "+a" (ax), "+b" (bx), "+c" (cx), "+d" (dx));
919 +
920 + if (err)
921 +@@ -94,7 +94,7 @@ static int detect_memory_88(void)
922 + u8 err;
923 +
924 + ax = 0x8800;
925 +- asm("stc; int $0x15; setc %0" : "=bcdm" (err), "+a" (ax));
926 ++ asm volatile("stc; int $0x15; setc %0" : "=bcdm" (err), "+a" (ax));
927 +
928 + boot_params.screen_info.ext_mem_k = ax;
929 +
930 +diff -Nurp linux-2.6.23.15/arch/i386/boot/video-vesa.c linux-2.6.23.15-grsec/arch/i386/boot/video-vesa.c
931 +--- linux-2.6.23.15/arch/i386/boot/video-vesa.c 2008-02-11 10:36:03.000000000 +0000
932 ++++ linux-2.6.23.15-grsec/arch/i386/boot/video-vesa.c 2008-02-11 10:37:44.000000000 +0000
933 +@@ -41,7 +41,7 @@ static int vesa_probe(void)
934 +
935 + ax = 0x4f00;
936 + di = (size_t)&vginfo;
937 +- asm(INT10
938 ++ asm volatile(INT10
939 + : "+a" (ax), "+D" (di), "=m" (vginfo)
940 + : : "ebx", "ecx", "edx", "esi");
941 +
942 +@@ -68,7 +68,7 @@ static int vesa_probe(void)
943 + ax = 0x4f01;
944 + cx = mode;
945 + di = (size_t)&vminfo;
946 +- asm(INT10
947 ++ asm volatile(INT10
948 + : "+a" (ax), "+c" (cx), "+D" (di), "=m" (vminfo)
949 + : : "ebx", "edx", "esi");
950 +
951 +@@ -115,7 +115,7 @@ static int vesa_set_mode(struct mode_inf
952 + ax = 0x4f01;
953 + cx = vesa_mode;
954 + di = (size_t)&vminfo;
955 +- asm(INT10
956 ++ asm volatile(INT10
957 + : "+a" (ax), "+c" (cx), "+D" (di), "=m" (vminfo)
958 + : : "ebx", "edx", "esi");
959 +
960 +@@ -193,19 +193,20 @@ static void vesa_dac_set_8bits(void)
961 + /* Save the VESA protected mode info */
962 + static void vesa_store_pm_info(void)
963 + {
964 +- u16 ax, bx, di, es;
965 ++ u16 ax, bx, cx, di, es;
966 +
967 + ax = 0x4f0a;
968 +- bx = di = 0;
969 +- asm("pushw %%es; "INT10"; movw %%es,%0; popw %%es"
970 +- : "=d" (es), "+a" (ax), "+b" (bx), "+D" (di)
971 +- : : "ecx", "esi");
972 ++ bx = cx = di = 0;
973 ++ asm volatile("pushw %%es; "INT10"; movw %%es,%0; popw %%es"
974 ++ : "=d" (es), "+a" (ax), "+b" (bx), "+c" (cx), "+D" (di)
975 ++ : : "esi");
976 +
977 + if (ax != 0x004f)
978 + return;
979 +
980 + boot_params.screen_info.vesapm_seg = es;
981 + boot_params.screen_info.vesapm_off = di;
982 ++ boot_params.screen_info.vesapm_size = cx;
983 + }
984 +
985 + /*
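Review bot: The new `boot_params.screen_info.vesapm_size = cx;` store adds a third value from the BIOS call without saying what cx carries, and `vesapm_size` is not declared anywhere visible, so I assume `struct screen_info` gains that field elsewhere in this patch. A one-line comment above the asm would make the register contract explicit, e.g. `/* VBE fn 0x4f0a: ES:DI = protected-mode interface table, CX = its length */`. Moving ecx from the clobber list to the `"+c" (cx)` operand is the right change now that its value is consumed, and `cx` is zeroed before the call so the in/out constraint is well-defined. vesa_store_pm_info is fully contained in this hunk.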
986 +@@ -259,7 +260,7 @@ void vesa_store_edid(void)
987 + /* Note: The VBE DDC spec is different from the main VESA spec;
988 + we genuinely have to assume all registers are destroyed here. */
989 +
990 +- asm("pushw %%es; movw %2,%%es; "INT10"; popw %%es"
991 ++ asm volatile("pushw %%es; movw %2,%%es; "INT10"; popw %%es"
992 + : "+a" (ax), "+b" (bx)
993 + : "c" (cx), "D" (di)
994 + : "esi");
995 +@@ -275,7 +276,7 @@ void vesa_store_edid(void)
996 + cx = 0; /* Controller 0 */
997 + dx = 0; /* EDID block number */
998 + di =(size_t) &boot_params.edid_info; /* (ES:)Pointer to block */
999 +- asm(INT10
1000 ++ asm volatile(INT10
1001 + : "+a" (ax), "+b" (bx), "+d" (dx), "=m" (boot_params.edid_info)
1002 + : "c" (cx), "D" (di)
1003 + : "esi");
1004 +diff -Nurp linux-2.6.23.15/arch/i386/boot/video-vga.c linux-2.6.23.15-grsec/arch/i386/boot/video-vga.c
1005 +--- linux-2.6.23.15/arch/i386/boot/video-vga.c 2007-10-09 21:31:38.000000000 +0100
1006 ++++ linux-2.6.23.15-grsec/arch/i386/boot/video-vga.c 2008-02-11 10:37:44.000000000 +0000
1007 +@@ -225,7 +225,7 @@ static int vga_probe(void)
1008 + };
1009 + u8 vga_flag;
1010 +
1011 +- asm(INT10
1012 ++ asm volatile(INT10
1013 + : "=b" (boot_params.screen_info.orig_video_ega_bx)
1014 + : "a" (0x1200), "b" (0x10) /* Check EGA/VGA */
1015 + : "ecx", "edx", "esi", "edi");
1016 +@@ -233,7 +233,7 @@ static int vga_probe(void)
1017 + /* If we have MDA/CGA/HGC then BL will be unchanged at 0x10 */
1018 + if ((u8)boot_params.screen_info.orig_video_ega_bx != 0x10) {
1019 + /* EGA/VGA */
1020 +- asm(INT10
1021 ++ asm volatile(INT10
1022 + : "=a" (vga_flag)
1023 + : "a" (0x1a00)
1024 + : "ebx", "ecx", "edx", "esi", "edi");
1025 +diff -Nurp linux-2.6.23.15/arch/i386/boot/video.c linux-2.6.23.15-grsec/arch/i386/boot/video.c
1026 +--- linux-2.6.23.15/arch/i386/boot/video.c 2008-02-11 10:36:03.000000000 +0000
1027 ++++ linux-2.6.23.15-grsec/arch/i386/boot/video.c 2008-02-11 10:37:44.000000000 +0000
1028 +@@ -40,7 +40,7 @@ static void store_cursor_position(void)
1029 +
1030 + ax = 0x0300;
1031 + bx = 0;
1032 +- asm(INT10
1033 ++ asm volatile(INT10
1034 + : "=d" (curpos), "+a" (ax), "+b" (bx)
1035 + : : "ecx", "esi", "edi");
1036 +
1037 +@@ -55,7 +55,7 @@ static void store_video_mode(void)
1038 + /* N.B.: the saving of the video page here is a bit silly,
1039 + since we pretty much assume page 0 everywhere. */
1040 + ax = 0x0f00;
1041 +- asm(INT10
1042 ++ asm volatile(INT10
1043 + : "+a" (ax), "=b" (page)
1044 + : : "ecx", "edx", "esi", "edi");
1045 +
1046 +diff -Nurp linux-2.6.23.15/arch/i386/boot/voyager.c linux-2.6.23.15-grsec/arch/i386/boot/voyager.c
1047 +--- linux-2.6.23.15/arch/i386/boot/voyager.c 2007-10-09 21:31:38.000000000 +0100
1048 ++++ linux-2.6.23.15-grsec/arch/i386/boot/voyager.c 2008-02-11 10:37:44.000000000 +0000
1049 +@@ -27,7 +27,7 @@ int query_voyager(void)
1050 +
1051 + data_ptr[0] = 0xff; /* Flag on config not found(?) */
1052 +
1053 +- asm("pushw %%es ; "
1054 ++ asm volatile("pushw %%es ; "
1055 + "int $0x15 ; "
1056 + "setc %0 ; "
1057 + "movw %%es, %1 ; "
1058 +diff -Nurp linux-2.6.23.15/arch/i386/kernel/acpi/boot.c linux-2.6.23.15-grsec/arch/i386/kernel/acpi/boot.c
1059 +--- linux-2.6.23.15/arch/i386/kernel/acpi/boot.c 2007-10-09 21:31:38.000000000 +0100
1060 ++++ linux-2.6.23.15-grsec/arch/i386/kernel/acpi/boot.c 2008-02-11 10:37:44.000000000 +0000
1061 +@@ -1123,7 +1123,7 @@ static struct dmi_system_id __initdata a
1062 + DMI_MATCH(DMI_PRODUCT_NAME, "TravelMate 360"),
1063 + },
1064 + },
1065 +- {}
1066 ++ { NULL, NULL, {{0, NULL}}, NULL}
1067 + };
1068 +
1069 + #endif /* __i386__ */
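Review bot: Replacing the empty terminator `{}` with the positional `{ NULL, NULL, {{0, NULL}}, NULL}` ties the sentinel to the member order of struct dmi_system_id, and the same idea is spelled three different ways in this patch: `{{0, NULL}}` here and in the sleep.c hunk, `{DMI_MATCH(DMI_NONE, NULL)}` in apm.c's DMI table terminator, and `{NULL, NULL}, NULL, NULL` appended to apm.c's `apm_device`. If the aim is to silence a missing-field-initializer warning, a designated form such as `{ .ident = NULL }` does that without depending on field order and reads identically in every table; if not, the original `{}` already zero-fills the entry. Whichever form is kept, it should be the same in all three files.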
1070 +diff -Nurp linux-2.6.23.15/arch/i386/kernel/acpi/sleep.c linux-2.6.23.15-grsec/arch/i386/kernel/acpi/sleep.c
1071 +--- linux-2.6.23.15/arch/i386/kernel/acpi/sleep.c 2007-10-09 21:31:38.000000000 +0100
1072 ++++ linux-2.6.23.15-grsec/arch/i386/kernel/acpi/sleep.c 2008-02-11 10:37:44.000000000 +0000
1073 +@@ -98,7 +98,7 @@ static __initdata struct dmi_system_id a
1074 + DMI_MATCH(DMI_PRODUCT_NAME, "S4030CDT/4.3"),
1075 + },
1076 + },
1077 +- {}
1078 ++ { NULL, NULL, {{0, NULL}}, NULL}
1079 + };
1080 +
1081 + static int __init acpisleep_dmi_init(void)
1082 +diff -Nurp linux-2.6.23.15/arch/i386/kernel/acpi/wakeup.S linux-2.6.23.15-grsec/arch/i386/kernel/acpi/wakeup.S
1083 +--- linux-2.6.23.15/arch/i386/kernel/acpi/wakeup.S 2007-10-09 21:31:38.000000000 +0100
1084 ++++ linux-2.6.23.15-grsec/arch/i386/kernel/acpi/wakeup.S 2008-02-11 10:37:44.000000000 +0000
1085 +@@ -2,6 +2,7 @@
1086 + #include <linux/linkage.h>
1087 + #include <asm/segment.h>
1088 + #include <asm/page.h>
1089 ++#include <asm/msr-index.h>
1090 +
1091 + #
1092 + # wakeup_code runs in real mode, and at unknown address (determined at run-time).
1093 +@@ -84,7 +85,7 @@ wakeup_code:
1094 + # restore efer setting
1095 + movl real_save_efer_edx - wakeup_code, %edx
1096 + movl real_save_efer_eax - wakeup_code, %eax
1097 +- mov $0xc0000080, %ecx
1098 ++ mov $MSR_EFER, %ecx
1099 + wrmsr
1100 + 4:
1101 + # make sure %cr4 is set correctly (features, etc)
1102 +@@ -209,13 +210,11 @@ wakeup_pmode_return:
1103 + # and restore the stack ... but you need gdt for this to work
1104 + movl saved_context_esp, %esp
1105 +
1106 +- movl %cs:saved_magic, %eax
1107 +- cmpl $0x12345678, %eax
1108 ++ cmpl $0x12345678, saved_magic
1109 + jne bogus_magic
1110 +
1111 + # jump to place where we left off
1112 +- movl saved_eip,%eax
1113 +- jmp *%eax
1114 ++ jmp *(saved_eip)
1115 +
1116 + bogus_magic:
1117 + movw $0x0e00 + 'B', 0xb8018
1118 +@@ -247,7 +246,7 @@ ENTRY(acpi_copy_wakeup_routine)
1119 + # save efer setting
1120 + pushl %eax
1121 + movl %eax, %ebx
1122 +- mov $0xc0000080, %ecx
1123 ++ mov $MSR_EFER, %ecx
1124 + rdmsr
1125 + movl %edx, real_save_efer_edx - wakeup_start (%ebx)
1126 + movl %eax, real_save_efer_eax - wakeup_start (%ebx)
1127 +diff -Nurp linux-2.6.23.15/arch/i386/kernel/alternative.c linux-2.6.23.15-grsec/arch/i386/kernel/alternative.c
1128 +--- linux-2.6.23.15/arch/i386/kernel/alternative.c 2007-10-09 21:31:38.000000000 +0100
1129 ++++ linux-2.6.23.15-grsec/arch/i386/kernel/alternative.c 2008-02-11 10:37:44.000000000 +0000
1130 +@@ -443,7 +443,20 @@ void __init alternative_instructions(voi
1131 + */
1132 + void __kprobes text_poke(void *addr, unsigned char *opcode, int len)
1133 + {
1134 ++
1135 ++#ifdef CONFIG_PAX_KERNEXEC
1136 ++ unsigned long cr0;
1137 ++
1138 ++ pax_open_kernel(cr0);
1139 ++#endif
1140 ++
1141 ++ addr += __KERNEL_TEXT_OFFSET;
1142 + memcpy(addr, opcode, len);
1143 ++
1144 ++#ifdef CONFIG_PAX_KERNEXEC
1145 ++ pax_close_kernel(cr0);
1146 ++#endif
1147 ++
1148 + sync_core();
1149 + /* Could also do a CLFLUSH here to speed up CPU recovery; but
1150 + that causes hangs on some VIA CPUs. */
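Review bot: `addr += __KERNEL_TEXT_OFFSET;` silently rebases the caller's pointer before the `memcpy` with no comment on what the offset is, and the rebase is unconditional while the `pax_open_kernel`/`pax_close_kernel` pair is under `#ifdef CONFIG_PAX_KERNEXEC`, which is only correct if `__KERNEL_TEXT_OFFSET` is defined as 0 when KERNEXEC is off (not visible here). I assume the offset maps the execute-mapped text address onto its writable alias; a comment such as `/* KERNEXEC: callers pass the executable address; write through the aliased mapping at +__KERNEL_TEXT_OFFSET — confirm offset is 0 without KERNEXEC */` would record that. Whether `pax_open_kernel` also disables preemption for the window in which kernel text is writable is not visible in this hunk and is worth stating next to the call. Stylistically, the blank line directly after the opening brace and the blank padding around each `#ifdef` block are unusual for kernel code. text_poke's body continues past the end of the hunk.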
1151 +diff -Nurp linux-2.6.23.15/arch/i386/kernel/apm.c linux-2.6.23.15-grsec/arch/i386/kernel/apm.c
1152 +--- linux-2.6.23.15/arch/i386/kernel/apm.c 2008-02-11 10:36:03.000000000 +0000
1153 ++++ linux-2.6.23.15-grsec/arch/i386/kernel/apm.c 2008-02-11 10:37:44.000000000 +0000
1154 +@@ -407,7 +407,7 @@ static DECLARE_WAIT_QUEUE_HEAD(apm_waitq
1155 + static DECLARE_WAIT_QUEUE_HEAD(apm_suspend_waitqueue);
1156 + static struct apm_user * user_list;
1157 + static DEFINE_SPINLOCK(user_list_lock);
1158 +-static const struct desc_struct bad_bios_desc = { 0, 0x00409200 };
1159 ++static const struct desc_struct bad_bios_desc = { 0, 0x00409300 };
1160 +
1161 + static const char driver_version[] = "1.16ac"; /* no spaces */
1162 +
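Review bot: The high dword of `bad_bios_desc` changes from 0x00409200 to 0x00409300, i.e. bit 0 of the descriptor type byte (the "accessed" flag) is now preset, and nothing in the hunk explains why. Presumably this is so that loading the segment never makes the CPU write the accessed bit into a GDT that KERNEXEC keeps read-only — confirm — in which case the same 0x..92 → 0x..93 treatment may be needed for any other descriptor loaded while the GDT is protected. Suggest a trailing comment: `/* type 0x93 = writable data with accessed bit preset, so a segment load never writes the GDT */`.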
1163 +@@ -601,19 +601,42 @@ static u8 apm_bios_call(u32 func, u32 eb
1164 + struct desc_struct save_desc_40;
1165 + struct desc_struct *gdt;
1166 +
1167 ++#ifdef CONFIG_PAX_KERNEXEC
1168 ++ unsigned long cr0;
1169 ++#endif
1170 ++
1171 + cpus = apm_save_cpus();
1172 +
1173 + cpu = get_cpu();
1174 + gdt = get_cpu_gdt_table(cpu);
1175 + save_desc_40 = gdt[0x40 / 8];
1176 ++
1177 ++#ifdef CONFIG_PAX_KERNEXEC
1178 ++ pax_open_kernel(cr0);
1179 ++#endif
1180 ++
1181 + gdt[0x40 / 8] = bad_bios_desc;
1182 +
1183 ++#ifdef CONFIG_PAX_KERNEXEC
1184 ++ pax_close_kernel(cr0);
1185 ++#endif
1186 ++
1187 + apm_irq_save(flags);
1188 + APM_DO_SAVE_SEGS;
1189 + apm_bios_call_asm(func, ebx_in, ecx_in, eax, ebx, ecx, edx, esi);
1190 + APM_DO_RESTORE_SEGS;
1191 + apm_irq_restore(flags);
1192 ++
1193 ++#ifdef CONFIG_PAX_KERNEXEC
1194 ++ pax_open_kernel(cr0);
1195 ++#endif
1196 ++
1197 + gdt[0x40 / 8] = save_desc_40;
1198 ++
1199 ++#ifdef CONFIG_PAX_KERNEXEC
1200 ++ pax_close_kernel(cr0);
1201 ++#endif
1202 ++
1203 + put_cpu();
1204 + apm_restore_cpus(cpus);
1205 +
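Review bot: The KERNEXEC open/close pair around each `gdt[0x40 / 8] = ...` store is duplicated for both stores here and again in apm_bios_call_simple (the @@ -644 hunk), giving eight `#ifdef CONFIG_PAX_KERNEXEC` blocks for what is one operation: write a single GDT slot with the protection lifted only for that store. A small static helper keeps the unlock window exactly as narrow as it is now and leaves the two call sites readable. apm_bios_call begins and ends outside this hunk.
```c
/* Write one GDT slot; under KERNEXEC the GDT is unlocked only around this store. */
static void apm_set_desc_40(struct desc_struct *gdt, struct desc_struct desc)
{
#ifdef CONFIG_PAX_KERNEXEC
	unsigned long cr0;

	pax_open_kernel(cr0);
#endif
	gdt[0x40 / 8] = desc;
#ifdef CONFIG_PAX_KERNEXEC
	pax_close_kernel(cr0);
#endif
}

	/* … unchanged: apm_save_cpus / get_cpu / save_desc_40 … */
	apm_set_desc_40(gdt, bad_bios_desc);
	/* … unchanged: apm_irq_save … apm_bios_call_asm … apm_irq_restore … */
	apm_set_desc_40(gdt, save_desc_40);
```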
1206 +@@ -644,19 +667,42 @@ static u8 apm_bios_call_simple(u32 func,
1207 + struct desc_struct save_desc_40;
1208 + struct desc_struct *gdt;
1209 +
1210 ++#ifdef CONFIG_PAX_KERNEXEC
1211 ++ unsigned long cr0;
1212 ++#endif
1213 ++
1214 + cpus = apm_save_cpus();
1215 +
1216 + cpu = get_cpu();
1217 + gdt = get_cpu_gdt_table(cpu);
1218 + save_desc_40 = gdt[0x40 / 8];
1219 ++
1220 ++#ifdef CONFIG_PAX_KERNEXEC
1221 ++ pax_open_kernel(cr0);
1222 ++#endif
1223 ++
1224 + gdt[0x40 / 8] = bad_bios_desc;
1225 +
1226 ++#ifdef CONFIG_PAX_KERNEXEC
1227 ++ pax_close_kernel(cr0);
1228 ++#endif
1229 ++
1230 + apm_irq_save(flags);
1231 + APM_DO_SAVE_SEGS;
1232 + error = apm_bios_call_simple_asm(func, ebx_in, ecx_in, eax);
1233 + APM_DO_RESTORE_SEGS;
1234 + apm_irq_restore(flags);
1235 ++
1236 ++#ifdef CONFIG_PAX_KERNEXEC
1237 ++ pax_open_kernel(cr0);
1238 ++#endif
1239 ++
1240 + gdt[0x40 / 8] = save_desc_40;
1241 ++
1242 ++#ifdef CONFIG_PAX_KERNEXEC
1243 ++ pax_close_kernel(cr0);
1244 ++#endif
1245 ++
1246 + put_cpu();
1247 + apm_restore_cpus(cpus);
1248 + return error;
1249 +@@ -924,7 +970,7 @@ recalc:
1250 +
1251 + static void apm_power_off(void)
1252 + {
1253 +- unsigned char po_bios_call[] = {
1254 ++ const unsigned char po_bios_call[] = {
1255 + 0xb8, 0x00, 0x10, /* movw $0x1000,ax */
1256 + 0x8e, 0xd0, /* movw ax,ss */
1257 + 0xbc, 0x00, 0xf0, /* movw $0xf000,sp */
1258 +@@ -1864,7 +1910,10 @@ static const struct file_operations apm_
1259 + static struct miscdevice apm_device = {
1260 + APM_MINOR_DEV,
1261 + "apm_bios",
1262 +- &apm_bios_fops
1263 ++ &apm_bios_fops,
1264 ++ {NULL, NULL},
1265 ++ NULL,
1266 ++ NULL
1267 + };
1268 +
1269 +
1270 +@@ -1974,210 +2023,210 @@ static struct dmi_system_id __initdata a
1271 + print_if_true,
1272 + KERN_WARNING "IBM T23 - BIOS 1.03b+ and controller firmware 1.02+ may be needed for Linux APM.",
1273 + { DMI_MATCH(DMI_SYS_VENDOR, "IBM"),
1274 +- DMI_MATCH(DMI_BIOS_VERSION, "1AET38WW (1.01b)"), },
1275 ++ DMI_MATCH(DMI_BIOS_VERSION, "1AET38WW (1.01b)"), }, NULL
1276 + },
1277 + { /* Handle problems with APM on the C600 */
1278 + broken_ps2_resume, "Dell Latitude C600",
1279 + { DMI_MATCH(DMI_SYS_VENDOR, "Dell"),
1280 +- DMI_MATCH(DMI_PRODUCT_NAME, "Latitude C600"), },
1281 ++ DMI_MATCH(DMI_PRODUCT_NAME, "Latitude C600"), }, NULL
1282 + },
1283 + { /* Allow interrupts during suspend on Dell Latitude laptops*/
1284 + set_apm_ints, "Dell Latitude",
1285 + { DMI_MATCH(DMI_SYS_VENDOR, "Dell Computer Corporation"),
1286 +- DMI_MATCH(DMI_PRODUCT_NAME, "Latitude C510"), }
1287 ++ DMI_MATCH(DMI_PRODUCT_NAME, "Latitude C510"), }, NULL
1288 + },
1289 + { /* APM crashes */
1290 + apm_is_horked, "Dell Inspiron 2500",
1291 + { DMI_MATCH(DMI_SYS_VENDOR, "Dell Computer Corporation"),
1292 + DMI_MATCH(DMI_PRODUCT_NAME, "Inspiron 2500"),
1293 + DMI_MATCH(DMI_BIOS_VENDOR,"Phoenix Technologies LTD"),
1294 +- DMI_MATCH(DMI_BIOS_VERSION,"A11"), },
1295 ++ DMI_MATCH(DMI_BIOS_VERSION,"A11"), }, NULL
1296 + },
1297 + { /* Allow interrupts during suspend on Dell Inspiron laptops*/
1298 + set_apm_ints, "Dell Inspiron", {
1299 + DMI_MATCH(DMI_SYS_VENDOR, "Dell Computer Corporation"),
1300 +- DMI_MATCH(DMI_PRODUCT_NAME, "Inspiron 4000"), },
1301 ++ DMI_MATCH(DMI_PRODUCT_NAME, "Inspiron 4000"), }, NULL
1302 + },
1303 + { /* Handle problems with APM on Inspiron 5000e */
1304 + broken_apm_power, "Dell Inspiron 5000e",
1305 + { DMI_MATCH(DMI_BIOS_VENDOR, "Phoenix Technologies LTD"),
1306 + DMI_MATCH(DMI_BIOS_VERSION, "A04"),
1307 +- DMI_MATCH(DMI_BIOS_DATE, "08/24/2000"), },
1308 ++ DMI_MATCH(DMI_BIOS_DATE, "08/24/2000"), }, NULL
1309 + },
1310 + { /* Handle problems with APM on Inspiron 2500 */
1311 + broken_apm_power, "Dell Inspiron 2500",
1312 + { DMI_MATCH(DMI_BIOS_VENDOR, "Phoenix Technologies LTD"),
1313 + DMI_MATCH(DMI_BIOS_VERSION, "A12"),
1314 +- DMI_MATCH(DMI_BIOS_DATE, "02/04/2002"), },
1315 ++ DMI_MATCH(DMI_BIOS_DATE, "02/04/2002"), }, NULL
1316 + },
1317 + { /* APM crashes */
1318 + apm_is_horked, "Dell Dimension 4100",
1319 + { DMI_MATCH(DMI_SYS_VENDOR, "Dell Computer Corporation"),
1320 + DMI_MATCH(DMI_PRODUCT_NAME, "XPS-Z"),
1321 + DMI_MATCH(DMI_BIOS_VENDOR,"Intel Corp."),
1322 +- DMI_MATCH(DMI_BIOS_VERSION,"A11"), },
1323 ++ DMI_MATCH(DMI_BIOS_VERSION,"A11"), }, NULL
1324 + },
1325 + { /* Allow interrupts during suspend on Compaq Laptops*/
1326 + set_apm_ints, "Compaq 12XL125",
1327 + { DMI_MATCH(DMI_SYS_VENDOR, "Compaq"),
1328 + DMI_MATCH(DMI_PRODUCT_NAME, "Compaq PC"),
1329 + DMI_MATCH(DMI_BIOS_VENDOR, "Phoenix Technologies LTD"),
1330 +- DMI_MATCH(DMI_BIOS_VERSION,"4.06"), },
1331 ++ DMI_MATCH(DMI_BIOS_VERSION,"4.06"), }, NULL
1332 + },
1333 + { /* Allow interrupts during APM or the clock goes slow */
1334 + set_apm_ints, "ASUSTeK",
1335 + { DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK Computer Inc."),
1336 +- DMI_MATCH(DMI_PRODUCT_NAME, "L8400K series Notebook PC"), },
1337 ++ DMI_MATCH(DMI_PRODUCT_NAME, "L8400K series Notebook PC"), }, NULL
1338 + },
1339 + { /* APM blows on shutdown */
1340 + apm_is_horked, "ABIT KX7-333[R]",
1341 + { DMI_MATCH(DMI_BOARD_VENDOR, "ABIT"),
1342 +- DMI_MATCH(DMI_BOARD_NAME, "VT8367-8233A (KX7-333[R])"), },
1343 ++ DMI_MATCH(DMI_BOARD_NAME, "VT8367-8233A (KX7-333[R])"), }, NULL
1344 + },
1345 + { /* APM crashes */
1346 + apm_is_horked, "Trigem Delhi3",
1347 + { DMI_MATCH(DMI_SYS_VENDOR, "TriGem Computer, Inc"),
1348 +- DMI_MATCH(DMI_PRODUCT_NAME, "Delhi3"), },
1349 ++ DMI_MATCH(DMI_PRODUCT_NAME, "Delhi3"), }, NULL
1350 + },
1351 + { /* APM crashes */
1352 + apm_is_horked, "Fujitsu-Siemens",
1353 + { DMI_MATCH(DMI_BIOS_VENDOR, "hoenix/FUJITSU SIEMENS"),
1354 +- DMI_MATCH(DMI_BIOS_VERSION, "Version1.01"), },
1355 ++ DMI_MATCH(DMI_BIOS_VERSION, "Version1.01"), }, NULL
1356 + },
1357 + { /* APM crashes */
1358 + apm_is_horked_d850md, "Intel D850MD",
1359 + { DMI_MATCH(DMI_BIOS_VENDOR, "Intel Corp."),
1360 +- DMI_MATCH(DMI_BIOS_VERSION, "MV85010A.86A.0016.P07.0201251536"), },
1361 ++ DMI_MATCH(DMI_BIOS_VERSION, "MV85010A.86A.0016.P07.0201251536"), }, NULL
1362 + },
1363 + { /* APM crashes */
1364 + apm_is_horked, "Intel D810EMO",
1365 + { DMI_MATCH(DMI_BIOS_VENDOR, "Intel Corp."),
1366 +- DMI_MATCH(DMI_BIOS_VERSION, "MO81010A.86A.0008.P04.0004170800"), },
1367 ++ DMI_MATCH(DMI_BIOS_VERSION, "MO81010A.86A.0008.P04.0004170800"), }, NULL
1368 + },
1369 + { /* APM crashes */
1370 + apm_is_horked, "Dell XPS-Z",
1371 + { DMI_MATCH(DMI_BIOS_VENDOR, "Intel Corp."),
1372 + DMI_MATCH(DMI_BIOS_VERSION, "A11"),
1373 +- DMI_MATCH(DMI_PRODUCT_NAME, "XPS-Z"), },
1374 ++ DMI_MATCH(DMI_PRODUCT_NAME, "XPS-Z"), }, NULL
1375 + },
1376 + { /* APM crashes */
1377 + apm_is_horked, "Sharp PC-PJ/AX",
1378 + { DMI_MATCH(DMI_SYS_VENDOR, "SHARP"),
1379 + DMI_MATCH(DMI_PRODUCT_NAME, "PC-PJ/AX"),
1380 + DMI_MATCH(DMI_BIOS_VENDOR,"SystemSoft"),
1381 +- DMI_MATCH(DMI_BIOS_VERSION,"Version R2.08"), },
1382 ++ DMI_MATCH(DMI_BIOS_VERSION,"Version R2.08"), }, NULL
1383 + },
1384 + { /* APM crashes */
1385 + apm_is_horked, "Dell Inspiron 2500",
1386 + { DMI_MATCH(DMI_SYS_VENDOR, "Dell Computer Corporation"),
1387 + DMI_MATCH(DMI_PRODUCT_NAME, "Inspiron 2500"),
1388 + DMI_MATCH(DMI_BIOS_VENDOR,"Phoenix Technologies LTD"),
1389 +- DMI_MATCH(DMI_BIOS_VERSION,"A11"), },
1390 ++ DMI_MATCH(DMI_BIOS_VERSION,"A11"), }, NULL
1391 + },
1392 + { /* APM idle hangs */
1393 + apm_likes_to_melt, "Jabil AMD",
1394 + { DMI_MATCH(DMI_BIOS_VENDOR, "American Megatrends Inc."),
1395 +- DMI_MATCH(DMI_BIOS_VERSION, "0AASNP06"), },
1396 ++ DMI_MATCH(DMI_BIOS_VERSION, "0AASNP06"), }, NULL
1397 + },
1398 + { /* APM idle hangs */
1399 + apm_likes_to_melt, "AMI Bios",
1400 + { DMI_MATCH(DMI_BIOS_VENDOR, "American Megatrends Inc."),
1401 +- DMI_MATCH(DMI_BIOS_VERSION, "0AASNP05"), },
1402 ++ DMI_MATCH(DMI_BIOS_VERSION, "0AASNP05"), }, NULL
1403 + },
1404 + { /* Handle problems with APM on Sony Vaio PCG-N505X(DE) */
1405 + swab_apm_power_in_minutes, "Sony VAIO",
1406 + { DMI_MATCH(DMI_BIOS_VENDOR, "Phoenix Technologies LTD"),
1407 + DMI_MATCH(DMI_BIOS_VERSION, "R0206H"),
1408 +- DMI_MATCH(DMI_BIOS_DATE, "08/23/99"), },
1409 ++ DMI_MATCH(DMI_BIOS_DATE, "08/23/99"), }, NULL
1410 + },
1411 + { /* Handle problems with APM on Sony Vaio PCG-N505VX */
1412 + swab_apm_power_in_minutes, "Sony VAIO",
1413 + { DMI_MATCH(DMI_BIOS_VENDOR, "Phoenix Technologies LTD"),
1414 + DMI_MATCH(DMI_BIOS_VERSION, "W2K06H0"),
1415 +- DMI_MATCH(DMI_BIOS_DATE, "02/03/00"), },
1416 ++ DMI_MATCH(DMI_BIOS_DATE, "02/03/00"), }, NULL
1417 + },
1418 + { /* Handle problems with APM on Sony Vaio PCG-XG29 */
1419 + swab_apm_power_in_minutes, "Sony VAIO",
1420 + { DMI_MATCH(DMI_BIOS_VENDOR, "Phoenix Technologies LTD"),
1421 + DMI_MATCH(DMI_BIOS_VERSION, "R0117A0"),
1422 +- DMI_MATCH(DMI_BIOS_DATE, "04/25/00"), },
1423 ++ DMI_MATCH(DMI_BIOS_DATE, "04/25/00"), }, NULL
1424 + },
1425 + { /* Handle problems with APM on Sony Vaio PCG-Z600NE */
1426 + swab_apm_power_in_minutes, "Sony VAIO",
1427 + { DMI_MATCH(DMI_BIOS_VENDOR, "Phoenix Technologies LTD"),
1428 + DMI_MATCH(DMI_BIOS_VERSION, "R0121Z1"),
1429 +- DMI_MATCH(DMI_BIOS_DATE, "05/11/00"), },
1430 ++ DMI_MATCH(DMI_BIOS_DATE, "05/11/00"), }, NULL
1431 + },
1432 + { /* Handle problems with APM on Sony Vaio PCG-Z600NE */
1433 + swab_apm_power_in_minutes, "Sony VAIO",
1434 + { DMI_MATCH(DMI_BIOS_VENDOR, "Phoenix Technologies LTD"),
1435 + DMI_MATCH(DMI_BIOS_VERSION, "WME01Z1"),
1436 +- DMI_MATCH(DMI_BIOS_DATE, "08/11/00"), },
1437 ++ DMI_MATCH(DMI_BIOS_DATE, "08/11/00"), }, NULL
1438 + },
1439 + { /* Handle problems with APM on Sony Vaio PCG-Z600LEK(DE) */
1440 + swab_apm_power_in_minutes, "Sony VAIO",
1441 + { DMI_MATCH(DMI_BIOS_VENDOR, "Phoenix Technologies LTD"),
1442 + DMI_MATCH(DMI_BIOS_VERSION, "R0206Z3"),
1443 +- DMI_MATCH(DMI_BIOS_DATE, "12/25/00"), },
1444 ++ DMI_MATCH(DMI_BIOS_DATE, "12/25/00"), }, NULL
1445 + },
1446 + { /* Handle problems with APM on Sony Vaio PCG-Z505LS */
1447 + swab_apm_power_in_minutes, "Sony VAIO",
1448 + { DMI_MATCH(DMI_BIOS_VENDOR, "Phoenix Technologies LTD"),
1449 + DMI_MATCH(DMI_BIOS_VERSION, "R0203D0"),
1450 +- DMI_MATCH(DMI_BIOS_DATE, "05/12/00"), },
1451 ++ DMI_MATCH(DMI_BIOS_DATE, "05/12/00"), }, NULL
1452 + },
1453 + { /* Handle problems with APM on Sony Vaio PCG-Z505LS */
1454 + swab_apm_power_in_minutes, "Sony VAIO",
1455 + { DMI_MATCH(DMI_BIOS_VENDOR, "Phoenix Technologies LTD"),
1456 + DMI_MATCH(DMI_BIOS_VERSION, "R0203Z3"),
1457 +- DMI_MATCH(DMI_BIOS_DATE, "08/25/00"), },
1458 ++ DMI_MATCH(DMI_BIOS_DATE, "08/25/00"), }, NULL
1459 + },
1460 + { /* Handle problems with APM on Sony Vaio PCG-Z505LS (with updated BIOS) */
1461 + swab_apm_power_in_minutes, "Sony VAIO",
1462 + { DMI_MATCH(DMI_BIOS_VENDOR, "Phoenix Technologies LTD"),
1463 + DMI_MATCH(DMI_BIOS_VERSION, "R0209Z3"),
1464 +- DMI_MATCH(DMI_BIOS_DATE, "05/12/01"), },
1465 ++ DMI_MATCH(DMI_BIOS_DATE, "05/12/01"), }, NULL
1466 + },
1467 + { /* Handle problems with APM on Sony Vaio PCG-F104K */
1468 + swab_apm_power_in_minutes, "Sony VAIO",
1469 + { DMI_MATCH(DMI_BIOS_VENDOR, "Phoenix Technologies LTD"),
1470 + DMI_MATCH(DMI_BIOS_VERSION, "R0204K2"),
1471 +- DMI_MATCH(DMI_BIOS_DATE, "08/28/00"), },
1472 ++ DMI_MATCH(DMI_BIOS_DATE, "08/28/00"), }, NULL
1473 + },
1474 +
1475 + { /* Handle problems with APM on Sony Vaio PCG-C1VN/C1VE */
1476 + swab_apm_power_in_minutes, "Sony VAIO",
1477 + { DMI_MATCH(DMI_BIOS_VENDOR, "Phoenix Technologies LTD"),
1478 + DMI_MATCH(DMI_BIOS_VERSION, "R0208P1"),
1479 +- DMI_MATCH(DMI_BIOS_DATE, "11/09/00"), },
1480 ++ DMI_MATCH(DMI_BIOS_DATE, "11/09/00"), }, NULL
1481 + },
1482 + { /* Handle problems with APM on Sony Vaio PCG-C1VE */
1483 + swab_apm_power_in_minutes, "Sony VAIO",
1484 + { DMI_MATCH(DMI_BIOS_VENDOR, "Phoenix Technologies LTD"),
1485 + DMI_MATCH(DMI_BIOS_VERSION, "R0204P1"),
1486 +- DMI_MATCH(DMI_BIOS_DATE, "09/12/00"), },
1487 ++ DMI_MATCH(DMI_BIOS_DATE, "09/12/00"), }, NULL
1488 + },
1489 + { /* Handle problems with APM on Sony Vaio PCG-C1VE */
1490 + swab_apm_power_in_minutes, "Sony VAIO",
1491 + { DMI_MATCH(DMI_BIOS_VENDOR, "Phoenix Technologies LTD"),
1492 + DMI_MATCH(DMI_BIOS_VERSION, "WXPO1Z3"),
1493 +- DMI_MATCH(DMI_BIOS_DATE, "10/26/01"), },
1494 ++ DMI_MATCH(DMI_BIOS_DATE, "10/26/01"), }, NULL
1495 + },
1496 + { /* broken PM poweroff bios */
1497 + set_realmode_power_off, "Award Software v4.60 PGMA",
1498 + { DMI_MATCH(DMI_BIOS_VENDOR, "Award Software International, Inc."),
1499 + DMI_MATCH(DMI_BIOS_VERSION, "4.60 PGMA"),
1500 +- DMI_MATCH(DMI_BIOS_DATE, "134526184"), },
1501 ++ DMI_MATCH(DMI_BIOS_DATE, "134526184"), }, NULL
1502 + },
1503 +
1504 + /* Generic per vendor APM settings */
1505 +
1506 + { /* Allow interrupts during suspend on IBM laptops */
1507 + set_apm_ints, "IBM",
1508 +- { DMI_MATCH(DMI_SYS_VENDOR, "IBM"), },
1509 ++ { DMI_MATCH(DMI_SYS_VENDOR, "IBM"), }, NULL
1510 + },
1511 +
1512 +- { }
1513 ++ { NULL, NULL, {DMI_MATCH(DMI_NONE, NULL)}, NULL}
1514 + };
1515 +
1516 + /*
1517 +@@ -2196,6 +2245,10 @@ static int __init apm_init(void)
1518 + struct desc_struct *gdt;
1519 + int err;
1520 +
1521 ++#ifdef CONFIG_PAX_KERNEXEC
1522 ++ unsigned long cr0;
1523 ++#endif
1524 ++
1525 + dmi_check_system(apm_dmi_table);
1526 +
1527 + if (apm_info.bios.version == 0 || paravirt_enabled()) {
1528 +@@ -2269,9 +2322,18 @@ static int __init apm_init(void)
1529 + * This is for buggy BIOS's that refer to (real mode) segment 0x40
1530 + * even though they are called in protected mode.
1531 + */
1532 ++
1533 ++#ifdef CONFIG_PAX_KERNEXEC
1534 ++ pax_open_kernel(cr0);
1535 ++#endif
1536 ++
1537 + set_base(bad_bios_desc, __va((unsigned long)0x40 << 4));
1538 + _set_limit((char *)&bad_bios_desc, 4095 - (0x40 << 4));
1539 +
1540 ++#ifdef CONFIG_PAX_KERNEXEC
1541 ++ pax_close_kernel(cr0);
1542 ++#endif
1543 ++
1544 + /*
1545 + * Set up the long jump entry point to the APM BIOS, which is called
1546 + * from inline assembly.
1547 +@@ -2290,6 +2352,11 @@ static int __init apm_init(void)
1548 + * code to that CPU.
1549 + */
1550 + gdt = get_cpu_gdt_table(0);
1551 ++
1552 ++#ifdef CONFIG_PAX_KERNEXEC
1553 ++ pax_open_kernel(cr0);
1554 ++#endif
1555 ++
1556 + set_base(gdt[APM_CS >> 3],
1557 + __va((unsigned long)apm_info.bios.cseg << 4));
1558 + set_base(gdt[APM_CS_16 >> 3],
1559 +@@ -2297,6 +2364,10 @@ static int __init apm_init(void)
1560 + set_base(gdt[APM_DS >> 3],
1561 + __va((unsigned long)apm_info.bios.dseg << 4));
1562 +
1563 ++#ifdef CONFIG_PAX_KERNEXEC
1564 ++ pax_close_kernel(cr0);
1565 ++#endif
1566 ++
1567 + apm_proc = create_proc_entry("apm", 0, NULL);
1568 + if (apm_proc)
1569 + apm_proc->proc_fops = &apm_file_ops;
1570 +diff -Nurp linux-2.6.23.15/arch/i386/kernel/asm-offsets.c linux-2.6.23.15-grsec/arch/i386/kernel/asm-offsets.c
1571 +--- linux-2.6.23.15/arch/i386/kernel/asm-offsets.c 2007-10-09 21:31:38.000000000 +0100
1572 ++++ linux-2.6.23.15-grsec/arch/i386/kernel/asm-offsets.c 2008-02-11 10:37:44.000000000 +0000
1573 +@@ -109,6 +109,7 @@ void foo(void)
1574 + DEFINE(PTRS_PER_PTE, PTRS_PER_PTE);
1575 + DEFINE(PTRS_PER_PMD, PTRS_PER_PMD);
1576 + DEFINE(PTRS_PER_PGD, PTRS_PER_PGD);
1577 ++ DEFINE(PERCPU_MODULE_RESERVE, PERCPU_MODULE_RESERVE);
1578 +
1579 + DEFINE(VDSO_PRELINK_asm, VDSO_PRELINK);
1580 +
1581 +@@ -122,6 +123,7 @@ void foo(void)
1582 + OFFSET(PARAVIRT_irq_enable_sysexit, paravirt_ops, irq_enable_sysexit);
1583 + OFFSET(PARAVIRT_iret, paravirt_ops, iret);
1584 + OFFSET(PARAVIRT_read_cr0, paravirt_ops, read_cr0);
1585 ++ OFFSET(PARAVIRT_write_cr0, paravirt_ops, write_cr0);
1586 + #endif
1587 +
1588 + #ifdef CONFIG_XEN
1589 +diff -Nurp linux-2.6.23.15/arch/i386/kernel/cpu/common.c linux-2.6.23.15-grsec/arch/i386/kernel/cpu/common.c
1590 +--- linux-2.6.23.15/arch/i386/kernel/cpu/common.c 2007-10-09 21:31:38.000000000 +0100
1591 ++++ linux-2.6.23.15-grsec/arch/i386/kernel/cpu/common.c 2008-02-11 10:37:44.000000000 +0000
1592 +@@ -4,7 +4,6 @@
1593 + #include <linux/smp.h>
1594 + #include <linux/module.h>
1595 + #include <linux/percpu.h>
1596 +-#include <linux/bootmem.h>
1597 + #include <asm/semaphore.h>
1598 + #include <asm/processor.h>
1599 + #include <asm/i387.h>
1600 +@@ -21,39 +20,15 @@
1601 +
1602 + #include "cpu.h"
1603 +
1604 +-DEFINE_PER_CPU(struct gdt_page, gdt_page) = { .gdt = {
1605 +- [GDT_ENTRY_KERNEL_CS] = { 0x0000ffff, 0x00cf9a00 },
1606 +- [GDT_ENTRY_KERNEL_DS] = { 0x0000ffff, 0x00cf9200 },
1607 +- [GDT_ENTRY_DEFAULT_USER_CS] = { 0x0000ffff, 0x00cffa00 },
1608 +- [GDT_ENTRY_DEFAULT_USER_DS] = { 0x0000ffff, 0x00cff200 },
1609 +- /*
1610 +- * Segments used for calling PnP BIOS have byte granularity.
1611 +- * They code segments and data segments have fixed 64k limits,
1612 +- * the transfer segment sizes are set at run time.
1613 +- */
1614 +- [GDT_ENTRY_PNPBIOS_CS32] = { 0x0000ffff, 0x00409a00 },/* 32-bit code */
1615 +- [GDT_ENTRY_PNPBIOS_CS16] = { 0x0000ffff, 0x00009a00 },/* 16-bit code */
1616 +- [GDT_ENTRY_PNPBIOS_DS] = { 0x0000ffff, 0x00009200 }, /* 16-bit data */
1617 +- [GDT_ENTRY_PNPBIOS_TS1] = { 0x00000000, 0x00009200 },/* 16-bit data */
1618 +- [GDT_ENTRY_PNPBIOS_TS2] = { 0x00000000, 0x00009200 },/* 16-bit data */
1619 +- /*
1620 +- * The APM segments have byte granularity and their bases
1621 +- * are set at run time. All have 64k limits.
1622 +- */
1623 +- [GDT_ENTRY_APMBIOS_BASE] = { 0x0000ffff, 0x00409a00 },/* 32-bit code */
1624 +- /* 16-bit code */
1625 +- [GDT_ENTRY_APMBIOS_BASE+1] = { 0x0000ffff, 0x00009a00 },
1626 +- [GDT_ENTRY_APMBIOS_BASE+2] = { 0x0000ffff, 0x00409200 }, /* data */
1627 +-
1628 +- [GDT_ENTRY_ESPFIX_SS] = { 0x00000000, 0x00c09200 },
1629 +- [GDT_ENTRY_PERCPU] = { 0x00000000, 0x00000000 },
1630 +-} };
1631 +-EXPORT_PER_CPU_SYMBOL_GPL(gdt_page);
1632 +-
1633 + static int cachesize_override __cpuinitdata = -1;
1634 + static int disable_x86_fxsr __cpuinitdata;
1635 + static int disable_x86_serial_nr __cpuinitdata = 1;
1636 +-static int disable_x86_sep __cpuinitdata;
1637 ++
1638 ++#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
1639 ++int disable_x86_sep __cpuinitdata = 1;
1640 ++#else
1641 ++int disable_x86_sep __cpuinitdata;
1642 ++#endif
1643 +
1644 + struct cpu_dev * cpu_devs[X86_VENDOR_NUM] = {};
1645 +
1646 +@@ -261,10 +236,10 @@ static int __cpuinit have_cpuid_p(void)
1647 + void __init cpu_detect(struct cpuinfo_x86 *c)
1648 + {
1649 + /* Get vendor name */
1650 +- cpuid(0x00000000, &c->cpuid_level,
1651 +- (int *)&c->x86_vendor_id[0],
1652 +- (int *)&c->x86_vendor_id[8],
1653 +- (int *)&c->x86_vendor_id[4]);
1654 ++ cpuid(0x00000000, (unsigned int *)&c->cpuid_level,
1655 ++ (unsigned int *)&c->x86_vendor_id[0],
1656 ++ (unsigned int *)&c->x86_vendor_id[8],
1657 ++ (unsigned int *)&c->x86_vendor_id[4]);
1658 +
1659 + c->x86 = 4;
1660 + if (c->cpuid_level >= 0x00000001) {
1661 +@@ -304,15 +279,14 @@ static void __init early_cpu_detect(void
1662 +
1663 + static void __cpuinit generic_identify(struct cpuinfo_x86 * c)
1664 + {
1665 +- u32 tfms, xlvl;
1666 +- int ebx;
1667 ++ u32 tfms, xlvl, ebx;
1668 +
1669 + if (have_cpuid_p()) {
1670 + /* Get vendor name */
1671 +- cpuid(0x00000000, &c->cpuid_level,
1672 +- (int *)&c->x86_vendor_id[0],
1673 +- (int *)&c->x86_vendor_id[8],
1674 +- (int *)&c->x86_vendor_id[4]);
1675 ++ cpuid(0x00000000, (unsigned int *)&c->cpuid_level,
1676 ++ (unsigned int *)&c->x86_vendor_id[0],
1677 ++ (unsigned int *)&c->x86_vendor_id[8],
1678 ++ (unsigned int *)&c->x86_vendor_id[4]);
1679 +
1680 + get_cpu_vendor(c, 0);
1681 + /* Initialize the standard set of capabilities */
1682 +@@ -644,7 +618,7 @@ void switch_to_new_gdt(void)
1683 + {
1684 + struct Xgt_desc_struct gdt_descr;
1685 +
1686 +- gdt_descr.address = (long)get_cpu_gdt_table(smp_processor_id());
1687 ++ gdt_descr.address = get_cpu_gdt_table(smp_processor_id());
1688 + gdt_descr.size = GDT_SIZE - 1;
1689 + load_gdt(&gdt_descr);
1690 + asm("mov %0, %%fs" : : "r" (__KERNEL_PERCPU) : "memory");
1691 +@@ -660,7 +634,7 @@ void __cpuinit cpu_init(void)
1692 + {
1693 + int cpu = smp_processor_id();
1694 + struct task_struct *curr = current;
1695 +- struct tss_struct * t = &per_cpu(init_tss, cpu);
1696 ++ struct tss_struct *t = init_tss + cpu;
1697 + struct thread_struct *thread = &curr->thread;
1698 +
1699 + if (cpu_test_and_set(cpu, cpu_initialized)) {
1700 +diff -Nurp linux-2.6.23.15/arch/i386/kernel/cpu/cpufreq/acpi-cpufreq.c linux-2.6.23.15-grsec/arch/i386/kernel/cpu/cpufreq/acpi-cpufreq.c
1701 +--- linux-2.6.23.15/arch/i386/kernel/cpu/cpufreq/acpi-cpufreq.c 2007-10-09 21:31:38.000000000 +0100
1702 ++++ linux-2.6.23.15-grsec/arch/i386/kernel/cpu/cpufreq/acpi-cpufreq.c 2008-02-11 10:37:44.000000000 +0000
1703 +@@ -549,7 +549,7 @@ static struct dmi_system_id sw_any_bug_d
1704 + DMI_MATCH(DMI_PRODUCT_NAME, "X6DLP"),
1705 + },
1706 + },
1707 +- { }
1708 ++ { NULL, NULL, {DMI_MATCH(DMI_NONE, NULL)}, NULL }
1709 + };
1710 + #endif
1711 +
1712 +diff -Nurp linux-2.6.23.15/arch/i386/kernel/cpu/cpufreq/speedstep-centrino.c linux-2.6.23.15-grsec/arch/i386/kernel/cpu/cpufreq/speedstep-centrino.c
1713 +--- linux-2.6.23.15/arch/i386/kernel/cpu/cpufreq/speedstep-centrino.c 2007-10-09 21:31:38.000000000 +0100
1714 ++++ linux-2.6.23.15-grsec/arch/i386/kernel/cpu/cpufreq/speedstep-centrino.c 2008-02-11 10:37:44.000000000 +0000
1715 +@@ -223,7 +223,7 @@ static struct cpu_model models[] =
1716 + { &cpu_ids[CPU_MP4HT_D0], NULL, 0, NULL },
1717 + { &cpu_ids[CPU_MP4HT_E0], NULL, 0, NULL },
1718 +
1719 +- { NULL, }
1720 ++ { NULL, NULL, 0, NULL}
1721 + };
1722 + #undef _BANIAS
1723 + #undef BANIAS
1724 +diff -Nurp linux-2.6.23.15/arch/i386/kernel/cpu/intel_cacheinfo.c linux-2.6.23.15-grsec/arch/i386/kernel/cpu/intel_cacheinfo.c
1725 +--- linux-2.6.23.15/arch/i386/kernel/cpu/intel_cacheinfo.c 2007-10-09 21:31:38.000000000 +0100
1726 ++++ linux-2.6.23.15-grsec/arch/i386/kernel/cpu/intel_cacheinfo.c 2008-02-11 10:37:44.000000000 +0000
1727 +@@ -351,8 +351,8 @@ unsigned int __cpuinit init_intel_cachei
1728 + */
1729 + if ((num_cache_leaves == 0 || c->x86 == 15) && c->cpuid_level > 1) {
1730 + /* supports eax=2 call */
1731 +- int i, j, n;
1732 +- int regs[4];
1733 ++ int j, n;
1734 ++ unsigned int regs[4];
1735 + unsigned char *dp = (unsigned char *)regs;
1736 + int only_trace = 0;
1737 +
1738 +@@ -367,7 +367,7 @@ unsigned int __cpuinit init_intel_cachei
1739 +
1740 + /* If bit 31 is set, this is an unknown format */
1741 + for ( j = 0 ; j < 3 ; j++ ) {
1742 +- if ( regs[j] < 0 ) regs[j] = 0;
1743 ++ if ( (int)regs[j] < 0 ) regs[j] = 0;
1744 + }
1745 +
1746 + /* Byte 0 is level count, not a descriptor */
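Review bot: The bit-31 test `if ( (int)regs[j] < 0 ) regs[j] = 0;` now expresses a flag check as a signed reinterpretation of an array that the same hunk just made `unsigned int`, which reads oddly next to the `If bit 31 is set` comment. Since `regs` is unsigned, `if (regs[j] & 0x80000000) regs[j] = 0;` says exactly what the comment says, needs no cast and is behaviourally identical. Style only; the enclosing function starts and ends outside the hunk.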
1747 +diff -Nurp linux-2.6.23.15/arch/i386/kernel/cpu/mcheck/therm_throt.c linux-2.6.23.15-grsec/arch/i386/kernel/cpu/mcheck/therm_throt.c
1748 +--- linux-2.6.23.15/arch/i386/kernel/cpu/mcheck/therm_throt.c 2007-10-09 21:31:38.000000000 +0100
1749 ++++ linux-2.6.23.15-grsec/arch/i386/kernel/cpu/mcheck/therm_throt.c 2008-02-11 10:37:44.000000000 +0000
1750 +@@ -152,7 +152,7 @@ static __cpuinit int thermal_throttle_cp
1751 + return NOTIFY_OK;
1752 + }
1753 +
1754 +-static struct notifier_block thermal_throttle_cpu_notifier =
1755 ++static __cpuinitdata struct notifier_block thermal_throttle_cpu_notifier =
1756 + {
1757 + .notifier_call = thermal_throttle_cpu_callback,
1758 + };
1759 +diff -Nurp linux-2.6.23.15/arch/i386/kernel/cpu/mtrr/generic.c linux-2.6.23.15-grsec/arch/i386/kernel/cpu/mtrr/generic.c
1760 +--- linux-2.6.23.15/arch/i386/kernel/cpu/mtrr/generic.c 2007-10-09 21:31:38.000000000 +0100
1761 ++++ linux-2.6.23.15-grsec/arch/i386/kernel/cpu/mtrr/generic.c 2008-02-11 10:37:44.000000000 +0000
1762 +@@ -29,11 +29,11 @@ static struct fixed_range_block fixed_ra
1763 + { MTRRfix64K_00000_MSR, 1 }, /* one 64k MTRR */
1764 + { MTRRfix16K_80000_MSR, 2 }, /* two 16k MTRRs */
1765 + { MTRRfix4K_C0000_MSR, 8 }, /* eight 4k MTRRs */
1766 +- {}
1767 ++ { 0, 0 }
1768 + };
1769 +
1770 + static unsigned long smp_changes_mask;
1771 +-static struct mtrr_state mtrr_state = {};
1772 ++static struct mtrr_state mtrr_state;
1773 +
1774 + #undef MODULE_PARAM_PREFIX
1775 + #define MODULE_PARAM_PREFIX "mtrr."
1776 +diff -Nurp linux-2.6.23.15/arch/i386/kernel/crash.c linux-2.6.23.15-grsec/arch/i386/kernel/crash.c
1777 +--- linux-2.6.23.15/arch/i386/kernel/crash.c 2007-10-09 21:31:38.000000000 +0100
1778 ++++ linux-2.6.23.15-grsec/arch/i386/kernel/crash.c 2008-02-11 10:37:44.000000000 +0000
1779 +@@ -55,7 +55,7 @@ static int crash_nmi_callback(struct not
1780 + return NOTIFY_STOP;
1781 + local_irq_disable();
1782 +
1783 +- if (!user_mode_vm(regs)) {
1784 ++ if (!user_mode(regs)) {
1785 + crash_fixup_ss_esp(&fixed_regs, regs);
1786 + regs = &fixed_regs;
1787 + }
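Review bot: Replacing `user_mode_vm(regs)` with `user_mode(regs)` in `crash_nmi_callback` drops the VM86 check, so an NMI that lands while a task is executing in vm86 mode would be classified as kernel mode and have `crash_fixup_ss_esp()` rewrite its saved registers, unless `user_mode()` is redefined elsewhere in this patch to fold in `VM_MASK`. That redefinition is not visible in this hunk. If it exists, a one-line comment here (`/* PaX: user_mode() also covers vm86 */`) stops the next reviewer raising this again; if it does not, the original call should stay. The rest of the function is outside the hunk.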
1788 +diff -Nurp linux-2.6.23.15/arch/i386/kernel/doublefault.c linux-2.6.23.15-grsec/arch/i386/kernel/doublefault.c
1789 +--- linux-2.6.23.15/arch/i386/kernel/doublefault.c 2007-10-09 21:31:38.000000000 +0100
1790 ++++ linux-2.6.23.15-grsec/arch/i386/kernel/doublefault.c 2008-02-11 10:37:44.000000000 +0000
1791 +@@ -11,17 +11,17 @@
1792 +
1793 + #define DOUBLEFAULT_STACKSIZE (1024)
1794 + static unsigned long doublefault_stack[DOUBLEFAULT_STACKSIZE];
1795 +-#define STACK_START (unsigned long)(doublefault_stack+DOUBLEFAULT_STACKSIZE)
1796 ++#define STACK_START (unsigned long)(doublefault_stack+DOUBLEFAULT_STACKSIZE-2)
1797 +
1798 + #define ptr_ok(x) ((x) > PAGE_OFFSET && (x) < PAGE_OFFSET + MAXMEM)
1799 +
1800 + static void doublefault_fn(void)
1801 + {
1802 +- struct Xgt_desc_struct gdt_desc = {0, 0};
1803 ++ struct Xgt_desc_struct gdt_desc = {0, NULL, 0};
1804 + unsigned long gdt, tss;
1805 +
1806 + store_gdt(&gdt_desc);
1807 +- gdt = gdt_desc.address;
1808 ++ gdt = (unsigned long)gdt_desc.address;
1809 +
1810 + printk(KERN_EMERG "PANIC: double fault, gdt at %08lx [%d bytes]\n", gdt, gdt_desc.size);
1811 +
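Review bot: `STACK_START` now points two `unsigned long` slots (8 bytes) below the end of `doublefault_stack` with no comment saying why, and the same `-8` shows up on `stack_start` in head.S in this patch. Whatever the reason (presumably keeping the first frame from touching the word past the array, or an alignment requirement — it cannot be confirmed from here), it should be stated once where the macro is defined, e.g. `/* leave two words of slack at the top of the stack (TODO: state why; head.S applies the same -8 to stack_start) */`. The rest of `doublefault_fn` is unchanged outside the hunk.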
1812 +@@ -59,10 +59,10 @@ struct tss_struct doublefault_tss __cach
1813 + /* 0x2 bit is always set */
1814 + .eflags = X86_EFLAGS_SF | 0x2,
1815 + .esp = STACK_START,
1816 +- .es = __USER_DS,
1817 ++ .es = __KERNEL_DS,
1818 + .cs = __KERNEL_CS,
1819 + .ss = __KERNEL_DS,
1820 +- .ds = __USER_DS,
1821 ++ .ds = __KERNEL_DS,
1822 + .fs = __KERNEL_PERCPU,
1823 +
1824 + .__cr3 = __pa(swapper_pg_dir)
1825 +diff -Nurp linux-2.6.23.15/arch/i386/kernel/efi.c linux-2.6.23.15-grsec/arch/i386/kernel/efi.c
1826 +--- linux-2.6.23.15/arch/i386/kernel/efi.c 2007-10-09 21:31:38.000000000 +0100
1827 ++++ linux-2.6.23.15-grsec/arch/i386/kernel/efi.c 2008-02-11 10:37:44.000000000 +0000
1828 +@@ -63,45 +63,23 @@ extern void * boot_ioremap(unsigned long
1829 +
1830 + static unsigned long efi_rt_eflags;
1831 + static DEFINE_SPINLOCK(efi_rt_lock);
1832 +-static pgd_t efi_bak_pg_dir_pointer[2];
1833 ++static pgd_t __initdata efi_bak_pg_dir_pointer[KERNEL_PGD_PTRS] __attribute__ ((aligned (4096)));
1834 +
1835 + static void efi_call_phys_prelog(void) __acquires(efi_rt_lock)
1836 + {
1837 +- unsigned long cr4;
1838 +- unsigned long temp;
1839 + struct Xgt_desc_struct gdt_descr;
1840 +
1841 + spin_lock(&efi_rt_lock);
1842 + local_irq_save(efi_rt_eflags);
1843 +
1844 +- /*
1845 +- * If I don't have PSE, I should just duplicate two entries in page
1846 +- * directory. If I have PSE, I just need to duplicate one entry in
1847 +- * page directory.
1848 +- */
1849 +- cr4 = read_cr4();
1850 +-
1851 +- if (cr4 & X86_CR4_PSE) {
1852 +- efi_bak_pg_dir_pointer[0].pgd =
1853 +- swapper_pg_dir[pgd_index(0)].pgd;
1854 +- swapper_pg_dir[0].pgd =
1855 +- swapper_pg_dir[pgd_index(PAGE_OFFSET)].pgd;
1856 +- } else {
1857 +- efi_bak_pg_dir_pointer[0].pgd =
1858 +- swapper_pg_dir[pgd_index(0)].pgd;
1859 +- efi_bak_pg_dir_pointer[1].pgd =
1860 +- swapper_pg_dir[pgd_index(0x400000)].pgd;
1861 +- swapper_pg_dir[pgd_index(0)].pgd =
1862 +- swapper_pg_dir[pgd_index(PAGE_OFFSET)].pgd;
1863 +- temp = PAGE_OFFSET + 0x400000;
1864 +- swapper_pg_dir[pgd_index(0x400000)].pgd =
1865 +- swapper_pg_dir[pgd_index(temp)].pgd;
1866 +- }
1867 ++ clone_pgd_range(efi_bak_pg_dir_pointer, swapper_pg_dir, KERNEL_PGD_PTRS);
1868 ++ clone_pgd_range(swapper_pg_dir, swapper_pg_dir + USER_PGD_PTRS,
1869 ++ min_t(unsigned long, KERNEL_PGD_PTRS, USER_PGD_PTRS));
1870 +
1871 + /*
1872 + * After the lock is released, the original page table is restored.
1873 + */
1874 +- local_flush_tlb();
1875 ++ __flush_tlb_all();
1876 +
1877 + gdt_descr.address = __pa(get_cpu_gdt_table(0));
1878 + gdt_descr.size = GDT_SIZE - 1;
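Review bot: `efi_bak_pg_dir_pointer` becomes `__initdata`, but `efi_call_phys_prelog()` (and `efi_call_phys_epilog()` in the next hunk) keep ordinary `.text` linkage while writing and reading it, so any caller that survives past `free_initmem()` would hit freed memory. The only visible callers, `phys_efi_set_virtual_address_map` and `phys_efi_get_time`, are made `__init` in this patch and `efi_call_phys` itself moves to `__INIT`, so the placement looks intended; marking the helpers `static void __init efi_call_phys_prelog(void) __acquires(efi_rt_lock)` and `static void __init efi_call_phys_epilog(void) __releases(efi_rt_lock)` makes the lifetime explicit and lets modpost catch any later non-init caller instead of leaving a silent use-after-free. The `clone_pgd_range` into `swapper_pg_dir[0..]` also deserves a one-line comment that it aliases the kernel half into the low addresses as a temporary identity map which the epilog undoes.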
1879 +@@ -110,35 +88,23 @@ static void efi_call_phys_prelog(void) _
1880 +
1881 + static void efi_call_phys_epilog(void) __releases(efi_rt_lock)
1882 + {
1883 +- unsigned long cr4;
1884 + struct Xgt_desc_struct gdt_descr;
1885 +
1886 +- gdt_descr.address = (unsigned long)get_cpu_gdt_table(0);
1887 ++ gdt_descr.address = get_cpu_gdt_table(0);
1888 + gdt_descr.size = GDT_SIZE - 1;
1889 + load_gdt(&gdt_descr);
1890 +-
1891 +- cr4 = read_cr4();
1892 +-
1893 +- if (cr4 & X86_CR4_PSE) {
1894 +- swapper_pg_dir[pgd_index(0)].pgd =
1895 +- efi_bak_pg_dir_pointer[0].pgd;
1896 +- } else {
1897 +- swapper_pg_dir[pgd_index(0)].pgd =
1898 +- efi_bak_pg_dir_pointer[0].pgd;
1899 +- swapper_pg_dir[pgd_index(0x400000)].pgd =
1900 +- efi_bak_pg_dir_pointer[1].pgd;
1901 +- }
1902 ++ clone_pgd_range(swapper_pg_dir, efi_bak_pg_dir_pointer, KERNEL_PGD_PTRS);
1903 +
1904 + /*
1905 + * After the lock is released, the original page table is restored.
1906 + */
1907 +- local_flush_tlb();
1908 ++ __flush_tlb_all();
1909 +
1910 + local_irq_restore(efi_rt_eflags);
1911 + spin_unlock(&efi_rt_lock);
1912 + }
1913 +
1914 +-static efi_status_t
1915 ++static efi_status_t __init
1916 + phys_efi_set_virtual_address_map(unsigned long memory_map_size,
1917 + unsigned long descriptor_size,
1918 + u32 descriptor_version,
1919 +@@ -154,7 +120,7 @@ phys_efi_set_virtual_address_map(unsigne
1920 + return status;
1921 + }
1922 +
1923 +-static efi_status_t
1924 ++static efi_status_t __init
1925 + phys_efi_get_time(efi_time_t *tm, efi_time_cap_t *tc)
1926 + {
1927 + efi_status_t status;
1928 +diff -Nurp linux-2.6.23.15/arch/i386/kernel/efi_stub.S linux-2.6.23.15-grsec/arch/i386/kernel/efi_stub.S
1929 +--- linux-2.6.23.15/arch/i386/kernel/efi_stub.S 2007-10-09 21:31:38.000000000 +0100
1930 ++++ linux-2.6.23.15-grsec/arch/i386/kernel/efi_stub.S 2008-02-11 10:37:44.000000000 +0000
1931 +@@ -6,6 +6,7 @@
1932 + */
1933 +
1934 + #include <linux/linkage.h>
1935 ++#include <linux/init.h>
1936 + #include <asm/page.h>
1937 +
1938 + /*
1939 +@@ -20,7 +21,7 @@
1940 + * service functions will comply with gcc calling convention, too.
1941 + */
1942 +
1943 +-.text
1944 ++__INIT
1945 + ENTRY(efi_call_phys)
1946 + /*
1947 + * 0. The function can only be called in Linux kernel. So CS has been
1948 +@@ -36,9 +37,7 @@ ENTRY(efi_call_phys)
1949 + * The mapping of lower virtual memory has been created in prelog and
1950 + * epilog.
1951 + */
1952 +- movl $1f, %edx
1953 +- subl $__PAGE_OFFSET, %edx
1954 +- jmp *%edx
1955 ++ jmp 1f-__PAGE_OFFSET
1956 + 1:
1957 +
1958 + /*
1959 +@@ -47,14 +46,8 @@ ENTRY(efi_call_phys)
1960 + * parameter 2, ..., param n. To make things easy, we save the return
1961 + * address of efi_call_phys in a global variable.
1962 + */
1963 +- popl %edx
1964 +- movl %edx, saved_return_addr
1965 +- /* get the function pointer into ECX*/
1966 +- popl %ecx
1967 +- movl %ecx, efi_rt_function_ptr
1968 +- movl $2f, %edx
1969 +- subl $__PAGE_OFFSET, %edx
1970 +- pushl %edx
1971 ++ popl (saved_return_addr)
1972 ++ popl (efi_rt_function_ptr)
1973 +
1974 + /*
1975 + * 3. Clear PG bit in %CR0.
1976 +@@ -73,9 +66,8 @@ ENTRY(efi_call_phys)
1977 + /*
1978 + * 5. Call the physical function.
1979 + */
1980 +- jmp *%ecx
1981 ++ call *(efi_rt_function_ptr-__PAGE_OFFSET)
1982 +
1983 +-2:
1984 + /*
1985 + * 6. After EFI runtime service returns, control will return to
1986 + * following instruction. We'd better readjust stack pointer first.
1987 +@@ -88,34 +80,27 @@ ENTRY(efi_call_phys)
1988 + movl %cr0, %edx
1989 + orl $0x80000000, %edx
1990 + movl %edx, %cr0
1991 +- jmp 1f
1992 +-1:
1993 ++
1994 + /*
1995 + * 8. Now restore the virtual mode from flat mode by
1996 + * adding EIP with PAGE_OFFSET.
1997 + */
1998 +- movl $1f, %edx
1999 +- jmp *%edx
2000 ++ jmp 1f+__PAGE_OFFSET
2001 + 1:
2002 +
2003 + /*
2004 + * 9. Balance the stack. And because EAX contain the return value,
2005 + * we'd better not clobber it.
2006 + */
2007 +- leal efi_rt_function_ptr, %edx
2008 +- movl (%edx), %ecx
2009 +- pushl %ecx
2010 ++ pushl (efi_rt_function_ptr)
2011 +
2012 + /*
2013 +- * 10. Push the saved return address onto the stack and return.
2014 ++ * 10. Return to the saved return address.
2015 + */
2016 +- leal saved_return_addr, %edx
2017 +- movl (%edx), %ecx
2018 +- pushl %ecx
2019 +- ret
2020 ++ jmpl *(saved_return_addr)
2021 + .previous
2022 +
2023 +-.data
2024 ++__INITDATA
2025 + saved_return_addr:
2026 + .long 0
2027 + efi_rt_function_ptr:
2028 +diff -Nurp linux-2.6.23.15/arch/i386/kernel/entry.S linux-2.6.23.15-grsec/arch/i386/kernel/entry.S
2029 +--- linux-2.6.23.15/arch/i386/kernel/entry.S 2007-10-09 21:31:38.000000000 +0100
2030 ++++ linux-2.6.23.15-grsec/arch/i386/kernel/entry.S 2008-02-11 10:37:44.000000000 +0000
2031 +@@ -97,7 +97,7 @@ VM_MASK = 0x00020000
2032 + #define resume_userspace_sig resume_userspace
2033 + #endif
2034 +
2035 +-#define SAVE_ALL \
2036 ++#define __SAVE_ALL(_DS) \
2037 + cld; \
2038 + pushl %fs; \
2039 + CFI_ADJUST_CFA_OFFSET 4;\
2040 +@@ -129,12 +129,26 @@ VM_MASK = 0x00020000
2041 + pushl %ebx; \
2042 + CFI_ADJUST_CFA_OFFSET 4;\
2043 + CFI_REL_OFFSET ebx, 0;\
2044 +- movl $(__USER_DS), %edx; \
2045 ++ movl $(_DS), %edx; \
2046 + movl %edx, %ds; \
2047 + movl %edx, %es; \
2048 + movl $(__KERNEL_PERCPU), %edx; \
2049 + movl %edx, %fs
2050 +
2051 ++#ifdef CONFIG_PAX_KERNEXEC
2052 ++#define SAVE_ALL \
2053 ++ __SAVE_ALL(__KERNEL_DS); \
2054 ++ GET_CR0_INTO_EDX; \
2055 ++ movl %edx, %esi; \
2056 ++ orl $X86_CR0_WP, %edx; \
2057 ++ xorl %edx, %esi; \
2058 ++ SET_CR0_FROM_EDX
2059 ++#elif defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
2060 ++#define SAVE_ALL __SAVE_ALL(__KERNEL_DS)
2061 ++#else
2062 ++#define SAVE_ALL __SAVE_ALL(__USER_DS)
2063 ++#endif
2064 ++
2065 + #define RESTORE_INT_REGS \
2066 + popl %ebx; \
2067 + CFI_ADJUST_CFA_OFFSET -4;\
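Review bot: The KERNEXEC `SAVE_ALL` leaves the CR0.WP delta in `%esi` and the return paths later in this file (`check_userspace`, both NMI exits) `xorl %esi, %edx` it back, but nothing at the definition says so; the scheme silently depends on `%esi` being callee-saved so that every C handler and `preempt_schedule_irq` return it untouched, and on no assembly between entry and exit reusing it. State that contract next to the macro, e.g. `/* %esi = CR0 bits we flipped (WP if it was clear); callee-saved, undone by the kernel-return paths - do not clobber %esi in entry code */`. It is presumably safe because `__SAVE_ALL` has already pushed the original `%esi` into pt_regs before it is overwritten, which is worth saying too; the push itself is outside the hunk.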
2068 +@@ -248,7 +262,17 @@ check_userspace:
2069 + movb PT_CS(%esp), %al
2070 + andl $(VM_MASK | SEGMENT_RPL_MASK), %eax
2071 + cmpl $USER_RPL, %eax
2072 ++
2073 ++#ifdef CONFIG_PAX_KERNEXEC
2074 ++ jae resume_userspace
2075 ++
2076 ++ GET_CR0_INTO_EDX
2077 ++ xorl %esi, %edx
2078 ++ SET_CR0_FROM_EDX
2079 ++ jmp resume_kernel
2080 ++#else
2081 + jb resume_kernel # not returning to v8086 or userspace
2082 ++#endif
2083 +
2084 + ENTRY(resume_userspace)
2085 + DISABLE_INTERRUPTS(CLBR_ANY) # make sure we don't miss an interrupt
2086 +@@ -307,10 +331,9 @@ sysenter_past_esp:
2087 + /*CFI_REL_OFFSET cs, 0*/
2088 + /*
2089 + * Push current_thread_info()->sysenter_return to the stack.
2090 +- * A tiny bit of offset fixup is necessary - 4*4 means the 4 words
2091 +- * pushed above; +8 corresponds to copy_thread's esp0 setting.
2092 + */
2093 +- pushl (TI_sysenter_return-THREAD_SIZE+8+4*4)(%esp)
2094 ++ GET_THREAD_INFO(%ebp)
2095 ++ pushl TI_sysenter_return(%ebp)
2096 + CFI_ADJUST_CFA_OFFSET 4
2097 + CFI_REL_OFFSET eip, 0
2098 +
2099 +@@ -318,9 +341,17 @@ sysenter_past_esp:
2100 + * Load the potential sixth argument from user stack.
2101 + * Careful about security.
2102 + */
2103 ++ movl 12(%esp),%ebp
2104 ++
2105 ++#ifdef CONFIG_PAX_MEMORY_UDEREF
2106 ++ mov 16(%esp),%ds
2107 ++1: movl %ds:(%ebp),%ebp
2108 ++#else
2109 + cmpl $__PAGE_OFFSET-3,%ebp
2110 + jae syscall_fault
2111 + 1: movl (%ebp),%ebp
2112 ++#endif
2113 ++
2114 + .section __ex_table,"a"
2115 + .align 4
2116 + .long 1b,syscall_fault
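Review bot: Under `CONFIG_PAX_MEMORY_UDEREF` the explicit `cmpl $__PAGE_OFFSET-3,%ebp / jae syscall_fault` range check on the user-supplied sixth-argument pointer disappears and the load goes through `%ds` loaded from `16(%esp)` (the selector pushed earlier on this frame), so the only thing stopping a kernel-space `%ebp` from being dereferenced is the limit on that segment plus the `__ex_table` entry for label `1:`. That is presumably the UDEREF design, but the existing `Careful about security.` comment no longer explains the mechanism. Add above the `mov 16(%esp),%ds` something like `# UDEREF: %ds is the user data segment; its limit excludes kernel addresses, so a bad %ebp faults into syscall_fault (TODO confirm limit)`, and note that `%ds` stays user-loaded until `SAVE_ALL` reloads it. The fixup `.long 1b,syscall_fault` still covers the `%ds:` form since the label is kept.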
2117 +@@ -343,20 +374,37 @@ sysenter_past_esp:
2118 + movl TI_flags(%ebp), %ecx
2119 + testw $_TIF_ALLWORK_MASK, %cx
2120 + jne syscall_exit_work
2121 ++
2122 ++#ifdef CONFIG_PAX_RANDKSTACK
2123 ++ pushl %eax
2124 ++ CFI_ADJUST_CFA_OFFSET 4
2125 ++ call pax_randomize_kstack
2126 ++ popl %eax
2127 ++ CFI_ADJUST_CFA_OFFSET -4
2128 ++#endif
2129 ++
2130 + /* if something modifies registers it must also disable sysexit */
2131 + movl PT_EIP(%esp), %edx
2132 + movl PT_OLDESP(%esp), %ecx
2133 + xorl %ebp,%ebp
2134 + TRACE_IRQS_ON
2135 + 1: mov PT_FS(%esp), %fs
2136 ++2: mov PT_DS(%esp), %ds
2137 ++3: mov PT_ES(%esp), %es
2138 + ENABLE_INTERRUPTS_SYSEXIT
2139 + CFI_ENDPROC
2140 + .pushsection .fixup,"ax"
2141 +-2: movl $0,PT_FS(%esp)
2142 ++4: movl $0,PT_FS(%esp)
2143 + jmp 1b
2144 ++5: movl $0,PT_DS(%esp)
2145 ++ jmp 2b
2146 ++6: movl $0,PT_ES(%esp)
2147 ++ jmp 3b
2148 + .section __ex_table,"a"
2149 + .align 4
2150 +- .long 1b,2b
2151 ++ .long 1b,4b
2152 ++ .long 2b,5b
2153 ++ .long 3b,6b
2154 + .popsection
2155 + ENDPROC(sysenter_entry)
2156 +
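Review bot: The new `2: mov PT_DS(%esp), %ds` / `3: mov PT_ES(%esp), %es` before `ENABLE_INTERRUPTS_SYSEXIT` are what keep the kernel data selector that `SAVE_ALL` now loads from being handed back to userland on the sysenter fast path, but there is no comment saying so; with UDEREF a leaked `__KERNEL_DS` would presumably let a process sidestep the narrowed user segment, so these are security-relevant lines rather than housekeeping. Add `# restore user DS/ES: SAVE_ALL loaded __KERNEL_DS and it must not leak to userland on sysexit` above label `2:`. The `.fixup` entries `5:`/`6:` that zero the slots on a faulting selector mirror the existing `%fs` handling, which is right because PT_DS/PT_ES may hold arbitrary values (e.g. via ptrace); the `pushl %eax`/`popl %eax` around `pax_randomize_kstack` is needed since sysexit returns the value still in `%eax`, which a short comment could also state.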
2157 +@@ -389,6 +437,10 @@ no_singlestep:
2158 + testw $_TIF_ALLWORK_MASK, %cx # current->work
2159 + jne syscall_exit_work
2160 +
2161 ++#ifdef CONFIG_PAX_RANDKSTACK
2162 ++ call pax_randomize_kstack
2163 ++#endif
2164 ++
2165 + restore_all:
2166 + movl PT_EFLAGS(%esp), %eax # mix EFLAGS, SS and CS
2167 + # Warning: PT_OLDSS(%esp) contains the wrong/random values if we
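Review bot: `pax_randomize_kstack` is only reached on the fast path after `jne syscall_exit_work`, so a syscall return with work pending (signal, reschedule, trace/audit) leaves through `syscall_exit_work` and `resume_userspace` to `restore_all` without re-randomizing, and the sysenter path earlier in this file has the same shape. If that is deliberate, say so: `# RANDKSTACK: slow-path exits via syscall_exit_work intentionally skip this`; if not, the call belongs on the common exit or `work_pending` needs its own. What `pax_randomize_kstack` touches and whether it is safe to call from the work path cannot be seen from this hunk, so confirm before moving it.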
2168 +@@ -552,17 +604,24 @@ syscall_badsys:
2169 + END(syscall_badsys)
2170 + CFI_ENDPROC
2171 +
2172 +-#define FIXUP_ESPFIX_STACK \
2173 +- /* since we are on a wrong stack, we cant make it a C code :( */ \
2174 +- PER_CPU(gdt_page, %ebx); \
2175 +- GET_DESC_BASE(GDT_ENTRY_ESPFIX_SS, %ebx, %eax, %ax, %al, %ah); \
2176 +- addl %esp, %eax; \
2177 +- pushl $__KERNEL_DS; \
2178 +- CFI_ADJUST_CFA_OFFSET 4; \
2179 +- pushl %eax; \
2180 +- CFI_ADJUST_CFA_OFFSET 4; \
2181 +- lss (%esp), %esp; \
2182 ++.macro FIXUP_ESPFIX_STACK
2183 ++ /* since we are on a wrong stack, we cant make it a C code :( */
2184 ++#ifdef CONFIG_SMP
2185 ++ movl PER_CPU_VAR(cpu_number), %ebx;
2186 ++ shll $PAGE_SHIFT_asm, %ebx;
2187 ++ addl $cpu_gdt_table, %ebx;
2188 ++#else
2189 ++ movl $cpu_gdt_table, %ebx;
2190 ++#endif
2191 ++ GET_DESC_BASE(GDT_ENTRY_ESPFIX_SS, %ebx, %eax, %ax, %al, %ah);
2192 ++ addl %esp, %eax;
2193 ++ pushl $__KERNEL_DS;
2194 ++ CFI_ADJUST_CFA_OFFSET 4;
2195 ++ pushl %eax;
2196 ++ CFI_ADJUST_CFA_OFFSET 4;
2197 ++ lss (%esp), %esp;
2198 + CFI_ADJUST_CFA_OFFSET -8;
2199 ++.endm
2200 + #define UNWIND_ESPFIX_STACK \
2201 + movl %ss, %eax; \
2202 + /* see if on espfix stack */ \
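Review bot: The `.macro FIXUP_ESPFIX_STACK` body keeps the trailing `;` from its `#define` days and now hard-codes the per-CPU GDT layout (`cpu_gdt_table` plus `cpu_number` shifted by `PAGE_SHIFT_asm`, i.e. one page per CPU) without a comment tying it to wherever `cpu_gdt_table` is laid out, while the sibling `UNWIND_ESPFIX_STACK` stays a backslash-continued `#define`, so the pair now read inconsistently. Drop the semicolons and add `/* per-CPU GDTs are one page apart in cpu_gdt_table - keep in sync with its definition */` above the `#ifdef CONFIG_SMP`. Style and documentation only.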
2203 +@@ -579,7 +638,7 @@ END(syscall_badsys)
2204 + * Build the entry stubs and pointer table with
2205 + * some assembler magic.
2206 + */
2207 +-.data
2208 ++.section .rodata,"a",@progbits
2209 + ENTRY(interrupt)
2210 + .text
2211 +
2212 +@@ -679,12 +738,21 @@ error_code:
2213 + popl %ecx
2214 + CFI_ADJUST_CFA_OFFSET -4
2215 + /*CFI_REGISTER es, ecx*/
2216 ++
2217 ++#ifdef CONFIG_PAX_KERNEXEC
2218 ++ GET_CR0_INTO_EDX
2219 ++ movl %edx, %esi
2220 ++ orl $X86_CR0_WP, %edx
2221 ++ xorl %edx, %esi
2222 ++ SET_CR0_FROM_EDX
2223 ++#endif
2224 ++
2225 + movl PT_FS(%esp), %edi # get the function address
2226 + movl PT_ORIG_EAX(%esp), %edx # get the error code
2227 + movl $-1, PT_ORIG_EAX(%esp) # no syscall to restart
2228 + mov %ecx, PT_FS(%esp)
2229 + /*CFI_REL_OFFSET fs, ES*/
2230 +- movl $(__USER_DS), %ecx
2231 ++ movl $(__KERNEL_DS), %ecx
2232 + movl %ecx, %ds
2233 + movl %ecx, %es
2234 + movl %esp,%eax # pt_regs pointer
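Review bot: `error_code` now loads `__KERNEL_DS` into `%ds`/`%es` unconditionally, whereas `SAVE_ALL` earlier in this file only switches from `__USER_DS` to `__KERNEL_DS` when a PaX option is configured and keeps `__USER_DS` otherwise. For a non-PaX build both are presumably flat 4 GB segments so this is harmless, but two entry paths in one file should agree; either reuse the same `#if` chain here or mark the asymmetry as intended with `# PaX: kernel DS unconditionally; equivalent to __USER_DS without UDEREF`. The KERNEXEC CR0 sequence added here also relies on `%esi` carrying the WP delta to `ret_from_exception`/`check_userspace`, which is outside this hunk.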
2235 +@@ -818,6 +886,13 @@ nmi_stack_correct:
2236 + xorl %edx,%edx # zero error code
2237 + movl %esp,%eax # pt_regs pointer
2238 + call do_nmi
2239 ++
2240 ++#ifdef CONFIG_PAX_KERNEXEC
2241 ++ GET_CR0_INTO_EDX
2242 ++ xorl %esi, %edx
2243 ++ SET_CR0_FROM_EDX
2244 ++#endif
2245 ++
2246 + jmp restore_nocheck_notrace
2247 + CFI_ENDPROC
2248 +
2249 +@@ -858,6 +933,13 @@ nmi_espfix_stack:
2250 + FIXUP_ESPFIX_STACK # %eax == %esp
2251 + xorl %edx,%edx # zero error code
2252 + call do_nmi
2253 ++
2254 ++#ifdef CONFIG_PAX_KERNEXEC
2255 ++ GET_CR0_INTO_EDX
2256 ++ xorl %esi, %edx
2257 ++ SET_CR0_FROM_EDX
2258 ++#endif
2259 ++
2260 + RESTORE_REGS
2261 + lss 12+4(%esp), %esp # back to espfix stack
2262 + CFI_ADJUST_CFA_OFFSET -24
2263 +@@ -1106,7 +1188,6 @@ ENDPROC(xen_failsafe_callback)
2264 +
2265 + #endif /* CONFIG_XEN */
2266 +
2267 +-.section .rodata,"a"
2268 + #include "syscall_table.S"
2269 +
2270 + syscall_table_size=(.-sys_call_table)
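Review bot: Removing the `.section .rodata,"a"` directive immediately before `#include "syscall_table.S"` means `sys_call_table` is emitted into whatever section is active at that point — presumably `.text`, following the Xen callback code above — unless `syscall_table.S` (not part of this hunk) now selects a section itself. The syscall table is one of the most common hooking targets and was read-only before this change; if the include file does not carry its own `.section .rodata,"a",@progbits`, this hunk silently moves it into text, which on i386 is writable without `DEBUG_RODATA`/KERNEXEC. Either keep the directive here or add `# sys_call_table: section is chosen inside syscall_table.S` so the dependency is visible at the include.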
2271 +diff -Nurp linux-2.6.23.15/arch/i386/kernel/head.S linux-2.6.23.15-grsec/arch/i386/kernel/head.S
2272 +--- linux-2.6.23.15/arch/i386/kernel/head.S 2007-10-09 21:31:38.000000000 +0100
2273 ++++ linux-2.6.23.15-grsec/arch/i386/kernel/head.S 2008-02-11 10:37:44.000000000 +0000
2274 +@@ -18,6 +18,7 @@
2275 + #include <asm/thread_info.h>
2276 + #include <asm/asm-offsets.h>
2277 + #include <asm/setup.h>
2278 ++#include <asm/msr-index.h>
2279 +
2280 + /*
2281 + * References to members of the new_cpu_data structure.
2282 +@@ -51,17 +52,22 @@
2283 + */
2284 + LOW_PAGES = 1<<(32-PAGE_SHIFT_asm)
2285 +
2286 +-#if PTRS_PER_PMD > 1
2287 +-PAGE_TABLE_SIZE = (LOW_PAGES / PTRS_PER_PMD) + PTRS_PER_PGD
2288 +-#else
2289 +-PAGE_TABLE_SIZE = (LOW_PAGES / PTRS_PER_PGD)
2290 +-#endif
2291 ++PAGE_TABLE_SIZE = (LOW_PAGES / PTRS_PER_PTE)
2292 + BOOTBITMAP_SIZE = LOW_PAGES / 8
2293 + ALLOCATOR_SLOP = 4
2294 +
2295 + INIT_MAP_BEYOND_END = BOOTBITMAP_SIZE + (PAGE_TABLE_SIZE + ALLOCATOR_SLOP)*PAGE_SIZE_asm
2296 +
2297 + /*
2298 ++ * Real beginning of normal "text" segment
2299 ++ */
2300 ++ENTRY(stext)
2301 ++ENTRY(_stext)
2302 ++
2303 ++.section .text.startup,"ax",@progbits
2304 ++ ljmp $(__BOOT_CS),$phys_startup_32
2305 ++
2306 ++/*
2307 + * 32-bit kernel entrypoint; only used by the boot CPU. On entry,
2308 + * %esi points to the real-mode code as a 32-bit pointer.
2309 + * CS and DS must be 4 GB flat segments, but we don't depend on
2310 +@@ -69,6 +75,12 @@ INIT_MAP_BEYOND_END = BOOTBITMAP_SIZE +
2311 + * can.
2312 + */
2313 + .section .text.head,"ax",@progbits
2314 ++
2315 ++#ifdef CONFIG_PAX_KERNEXEC
2316 ++/* PaX: fill first page in .text with int3 to catch NULL derefs in kernel mode */
2317 ++.fill 4096,1,0xcc
2318 ++#endif
2319 ++
2320 + ENTRY(startup_32)
2321 +
2322 + /*
2323 +@@ -82,6 +94,43 @@ ENTRY(startup_32)
2324 + movl %eax,%fs
2325 + movl %eax,%gs
2326 +
2327 ++ movl $__per_cpu_start,%eax
2328 ++ movw %ax,(cpu_gdt_table - __PAGE_OFFSET + __KERNEL_PERCPU + 2)
2329 ++ rorl $16,%eax
2330 ++ movb %al,(cpu_gdt_table - __PAGE_OFFSET + __KERNEL_PERCPU + 4)
2331 ++ movb %ah,(cpu_gdt_table - __PAGE_OFFSET + __KERNEL_PERCPU + 7)
2332 ++ movl $__per_cpu_end + PERCPU_MODULE_RESERVE,%eax
2333 ++ subl $__per_cpu_start,%eax
2334 ++ movw %ax,(cpu_gdt_table - __PAGE_OFFSET + __KERNEL_PERCPU + 0)
2335 ++
2336 ++#ifdef CONFIG_PAX_MEMORY_UDEREF
2337 ++ /* check for VMware */
2338 ++ movl $0x564d5868,%eax
2339 ++ xorl %ebx,%ebx
2340 ++ movl $0xa,%ecx
2341 ++ movl $0x5658,%edx
2342 ++ in (%dx),%eax
2343 ++ cmpl $0x564d5868,%ebx
2344 ++ jz 1f
2345 ++
2346 ++ movl $((((__PAGE_OFFSET-1) & 0xf0000000) >> 12) | 0x00c09700),%eax
2347 ++ movl %eax,(cpu_gdt_table - __PAGE_OFFSET + GDT_ENTRY_KERNEL_DS * 8 + 4)
2348 ++1:
2349 ++#endif
2350 ++
2351 ++#ifdef CONFIG_PAX_KERNEXEC
2352 ++ movl $KERNEL_TEXT_OFFSET,%eax
2353 ++ movw %ax,(cpu_gdt_table - __PAGE_OFFSET + __KERNEL_CS + 2)
2354 ++ rorl $16,%eax
2355 ++ movb %al,(cpu_gdt_table - __PAGE_OFFSET + __KERNEL_CS + 4)
2356 ++ movb %ah,(cpu_gdt_table - __PAGE_OFFSET + __KERNEL_CS + 7)
2357 ++
2358 ++ movb %al,(boot_gdt - __PAGE_OFFSET + __BOOT_CS + 4)
2359 ++ movb %ah,(boot_gdt - __PAGE_OFFSET + __BOOT_CS + 7)
2360 ++ rorl $16,%eax
2361 ++ movw %ax,(boot_gdt - __PAGE_OFFSET + __BOOT_CS + 2)
2362 ++#endif
2363 ++
2364 + /*
2365 + * Clear BSS first so that there are no surprises...
2366 + * No need to cld as DF is already clear from cld above...
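Review bot: The UDEREF block probes the VMware backdoor (`movl $0x564d5868,%eax`, port `0x5658`, command `0xa`) and skips installing the narrowed `__KERNEL_DS` descriptor when the magic comes back in `%ebx`, but the only explanation is `/* check for VMware */` — neither the reason for skipping nor the meaning of the descriptor word `((__PAGE_OFFSET-1) & 0xf0000000) >> 12 | 0x00c09700` is recorded. Presumably the hypervisor does not virtualize a non-flat kernel data segment correctly and UDEREF would break under it, but that needs confirming; write it down, e.g. `/* UDEREF: VMware backdoor probe (magic 0x564d5868, port 0x5658, cmd 0xa). Under VMware keep the flat kernel DS because <reason - TODO confirm>; otherwise restrict __KERNEL_DS to the kernel half of the address space */`. The `in (%dx),%eax` on bare metal reads an unclaimed port and is expected to leave `%ebx` untouched, which is also worth a remark since the result test is on `%ebx`.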
2367 +@@ -129,24 +178,42 @@ ENTRY(startup_32)
2368 + * Warning: don't use %esi or the stack in this code. However, %esp
2369 + * can be used as a GPR if you really need it...
2370 + */
2371 +-page_pde_offset = (__PAGE_OFFSET >> 20);
2372 +-
2373 ++#ifdef CONFIG_X86_PAE
2374 ++page_pde_offset = ((__PAGE_OFFSET >> 21) * (PAGE_SIZE_asm / PTRS_PER_PTE));
2375 ++#else
2376 ++page_pde_offset = ((__PAGE_OFFSET >> 22) * (PAGE_SIZE_asm / PTRS_PER_PTE));
2377 ++#endif
2378 + movl $(pg0 - __PAGE_OFFSET), %edi
2379 ++#ifdef CONFIG_X86_PAE
2380 ++ movl $(swapper_pm_dir - __PAGE_OFFSET), %edx
2381 ++#else
2382 + movl $(swapper_pg_dir - __PAGE_OFFSET), %edx
2383 +- movl $0x007, %eax /* 0x007 = PRESENT+RW+USER */
2384 ++#endif
2385 ++ movl $0x063, %eax /* 0x063 = PRESENT+RW+ACCESSED+DIRTY */
2386 + 10:
2387 +- leal 0x007(%edi),%ecx /* Create PDE entry */
2388 ++ leal 0x063(%edi),%ecx /* Create PDE entry */
2389 + movl %ecx,(%edx) /* Store identity PDE entry */
2390 + movl %ecx,page_pde_offset(%edx) /* Store kernel PDE entry */
2391 ++#ifdef CONFIG_X86_PAE
2392 ++ movl $0,4(%edx)
2393 ++ movl $0,page_pde_offset+4(%edx)
2394 ++ addl $8,%edx
2395 ++ movl $512, %ecx
2396 ++#else
2397 + addl $4,%edx
2398 + movl $1024, %ecx
2399 ++#endif
2400 + 11:
2401 + stosl
2402 ++#ifdef CONFIG_X86_PAE
2403 ++ movl $0,(%edi)
2404 ++ addl $4,%edi
2405 ++#endif
2406 + addl $0x1000,%eax
2407 + loop 11b
2408 + /* End condition: we must map up to and including INIT_MAP_BEYOND_END */
2409 +- /* bytes beyond the end of our own page tables; the +0x007 is the attribute bits */
2410 +- leal (INIT_MAP_BEYOND_END+0x007)(%edi),%ebp
2411 ++ /* bytes beyond the end of our own page tables; the +0x063 is the attribute bits */
2412 ++ leal (INIT_MAP_BEYOND_END+0x063)(%edi),%ebp
2413 + cmpl %ebp,%eax
2414 + jb 10b
2415 + movl %edi,(init_pg_tables_end - __PAGE_OFFSET)
2416 +@@ -167,10 +234,12 @@ page_pde_offset = (__PAGE_OFFSET >> 20);
2417 + #endif
2418 +
2419 + /* Do an early initialization of the fixmap area */
2420 +- movl $(swapper_pg_dir - __PAGE_OFFSET), %edx
2421 +- movl $(swapper_pg_pmd - __PAGE_OFFSET), %eax
2422 +- addl $0x007, %eax /* 0x007 = PRESENT+RW+USER */
2423 +- movl %eax, 4092(%edx)
2424 ++ /* 0x067 = PRESENT+RW+USER+ACCESSED+DIRTY */
2425 ++#ifdef CONFIG_X86_PAE
2426 ++ movl $(swapper_pg_pmd - __PAGE_OFFSET + 0x067), (swapper_pm_dir - __PAGE_OFFSET + 4096 - 8)
2427 ++#else
2428 ++ movl $(swapper_pg_pmd - __PAGE_OFFSET + 0x067), (swapper_pg_dir - __PAGE_OFFSET + 4096 - 4)
2429 ++#endif
2430 +
2431 + #ifdef CONFIG_SMP
2432 + ENTRY(startup_32_smp)
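Review bot: The fixmap PDE keeps the USER bit (`0x067`) while the previous hunk deliberately drops it from every other early mapping (`0x063`), and the comment only decodes the bits without saying why the fixmap is the exception. Presumably it is because the fixmap range hosts pages userland must reach (the vsyscall page), so the intermediate PDE has to be user-accessible even though the leaf PTEs decide per page — confirm and say so: `/* 0x067 = PRESENT+RW+USER+ACCESSED+DIRTY; USER is kept here because the fixmap holds user-visible pages, unlike the kernel mappings above */`.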
2433 +@@ -181,6 +250,11 @@ ENTRY(startup_32_smp)
2434 + movl %eax,%fs
2435 + movl %eax,%gs
2436 +
2437 ++ /* This is a secondary processor (AP) */
2438 ++ xorl %ebx,%ebx
2439 ++ incl %ebx
2440 ++#endif /* CONFIG_SMP */
2441 ++
2442 + /*
2443 + * New page tables may be in 4Mbyte page mode and may
2444 + * be using the global pages.
2445 +@@ -196,42 +270,47 @@ ENTRY(startup_32_smp)
2446 + * not yet offset PAGE_OFFSET..
2447 + */
2448 + #define cr4_bits mmu_cr4_features-__PAGE_OFFSET
2449 ++3:
2450 + movl cr4_bits,%edx
2451 + andl %edx,%edx
2452 +- jz 6f
2453 ++ jz 5f
2454 + movl %cr4,%eax # Turn on paging options (PSE,PAE,..)
2455 + orl %edx,%eax
2456 + movl %eax,%cr4
2457 +
2458 +- btl $5, %eax # check if PAE is enabled
2459 +- jnc 6f
2460 ++#ifdef CONFIG_X86_PAE
2461 ++ movl %ebx,%edi
2462 +
2463 + /* Check if extended functions are implemented */
2464 + movl $0x80000000, %eax
2465 + cpuid
2466 + cmpl $0x80000000, %eax
2467 +- jbe 6f
2468 ++ jbe 4f
2469 + mov $0x80000001, %eax
2470 + cpuid
2471 + /* Execute Disable bit supported? */
2472 + btl $20, %edx
2473 +- jnc 6f
2474 ++ jnc 4f
2475 +
2476 + /* Setup EFER (Extended Feature Enable Register) */
2477 +- movl $0xc0000080, %ecx
2478 ++ movl $MSR_EFER, %ecx
2479 + rdmsr
2480 +
2481 + btsl $11, %eax
2482 + /* Make changes effective */
2483 + wrmsr
2484 +
2485 +-6:
2486 +- /* This is a secondary processor (AP) */
2487 +- xorl %ebx,%ebx
2488 +- incl %ebx
2489 ++ btsl $63-32,__supported_pte_mask+4-__PAGE_OFFSET
2490 ++ movl $1,nx_enabled-__PAGE_OFFSET
2491 +
2492 +-#endif /* CONFIG_SMP */
2493 +-3:
2494 ++#if !defined(CONFIG_PAX_SEGMEXEC) && !defined(CONFIG_PAX_KERNEXEC) && !defined(CONFIG_PAX_MEMORY_UDEREF)
2495 ++ movl $0,disable_x86_sep-__PAGE_OFFSET
2496 ++#endif
2497 ++
2498 ++4:
2499 ++ movl %edi,%ebx
2500 ++#endif
2501 ++5:
2502 +
2503 + /*
2504 + * Enable paging
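Review bot: The guard `#if !defined(CONFIG_PAX_SEGMEXEC) && !defined(CONFIG_PAX_KERNEXEC) && !defined(CONFIG_PAX_MEMORY_UDEREF)` that clears `disable_x86_sep` once NX is found deliberately omits `CONFIG_PAX_PAGEEXEC`, while the default in `cpu/common.c` in this patch disables SEP for PAGEEXEC too, so the apparent intent is that PAGEEXEC only needs to avoid sysenter when there is no hardware NX — but nothing says so. Add `/* PAGEEXEC with hardware NX can use sysenter again; SEGMEXEC/KERNEXEC/UDEREF cannot (TODO: confirm) */` above the `#if`. This block also appears to run on every CPU (the APs fall into label `3:` as well), so `__supported_pte_mask` and `nx_enabled` are rewritten per CPU with the same value; harmless as long as all CPUs agree on NX, which deserves a one-line note.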
2505 +@@ -256,9 +335,7 @@ ENTRY(startup_32_smp)
2506 +
2507 + #ifdef CONFIG_SMP
2508 + andl %ebx,%ebx
2509 +- jz 1f /* Initial CPU cleans BSS */
2510 +- jmp checkCPUtype
2511 +-1:
2512 ++ jnz checkCPUtype /* Initial CPU cleans BSS */
2513 + #endif /* CONFIG_SMP */
2514 +
2515 + /*
2516 +@@ -335,12 +412,12 @@ is386: movl $2,%ecx # set MP
2517 + ljmp $(__KERNEL_CS),$1f
2518 + 1: movl $(__KERNEL_DS),%eax # reload all the segment registers
2519 + movl %eax,%ss # after changing gdt.
2520 +- movl %eax,%fs # gets reset once there's real percpu
2521 +-
2522 +- movl $(__USER_DS),%eax # DS/ES contains default USER segment
2523 + movl %eax,%ds
2524 + movl %eax,%es
2525 +
2526 ++ movl $(__KERNEL_PERCPU), %eax
2527 ++ movl %eax,%fs # set this cpu's percpu
2528 ++
2529 + xorl %eax,%eax # Clear GS and LDT
2530 + movl %eax,%gs
2531 + lldt %ax
2532 +@@ -351,11 +428,7 @@ is386: movl $2,%ecx # set MP
2533 + movb ready, %cl
2534 + movb $1, ready
2535 + cmpb $0,%cl # the first CPU calls start_kernel
2536 +- je 1f
2537 +- movl $(__KERNEL_PERCPU), %eax
2538 +- movl %eax,%fs # set this cpu's percpu
2539 +- jmp initialize_secondary # all other CPUs call initialize_secondary
2540 +-1:
2541 ++ jne initialize_secondary # all other CPUs call initialize_secondary
2542 + #endif /* CONFIG_SMP */
2543 + jmp start_kernel
2544 +
2545 +@@ -441,8 +514,8 @@ early_page_fault:
2546 + jmp early_fault
2547 +
2548 + early_fault:
2549 +- cld
2550 + #ifdef CONFIG_PRINTK
2551 ++ cld
2552 + movl $(__KERNEL_DS),%eax
2553 + movl %eax,%ds
2554 + movl %eax,%es
2555 +@@ -466,8 +539,8 @@ hlt_loop:
2556 + /* This is the default interrupt "handler" :-) */
2557 + ALIGN
2558 + ignore_int:
2559 +- cld
2560 + #ifdef CONFIG_PRINTK
2561 ++ cld
2562 + pushl %eax
2563 + pushl %ecx
2564 + pushl %edx
2565 +@@ -498,31 +571,58 @@ ignore_int:
2566 + #endif
2567 + iret
2568 +
2569 +-.section .text
2570 +-/*
2571 +- * Real beginning of normal "text" segment
2572 +- */
2573 +-ENTRY(stext)
2574 +-ENTRY(_stext)
2575 +-
2576 + /*
2577 + * BSS section
2578 + */
2579 +-.section ".bss.page_aligned","wa"
2580 ++.section .swapper_pg_dir,"a",@progbits
2581 + .align PAGE_SIZE_asm
2582 + ENTRY(swapper_pg_dir)
2583 ++#ifdef CONFIG_X86_PAE
2584 ++ .long swapper_pm_dir-__PAGE_OFFSET+1
2585 ++ .long 0
2586 ++ .long swapper_pm_dir+512*8-__PAGE_OFFSET+1
2587 ++ .long 0
2588 ++ .long swapper_pm_dir+512*16-__PAGE_OFFSET+1
2589 ++ .long 0
2590 ++ .long swapper_pm_dir+512*24-__PAGE_OFFSET+1
2591 ++ .long 0
2592 ++#else
2593 + .fill 1024,4,0
2594 ++#endif
2595 ++
2596 ++.section .swapper_pm_dir,"a",@progbits
2597 ++#ifdef CONFIG_X86_PAE
2598 ++ENTRY(swapper_pm_dir)
2599 ++ .fill 512,8,0
2600 ++ .fill 512,8,0
2601 ++ .fill 512,8,0
2602 ++ .fill 512,8,0
2603 ++#endif
2604 ++
2605 + ENTRY(swapper_pg_pmd)
2606 + .fill 1024,4,0
2607 ++
2608 ++.section .empty_zero_page,"a",@progbits
2609 + ENTRY(empty_zero_page)
2610 + .fill 4096,1,0
2611 +
2612 + /*
2613 ++ * The IDT has to be page-aligned to simplify the Pentium
2614 ++ * F0 0F bug workaround.. We have a special link segment
2615 ++ * for this.
2616 ++ */
2617 ++.section .idt,"a",@progbits
2618 ++ENTRY(idt_table)
2619 ++ .fill 256,8,0
2620 ++
2621 ++/*
2622 + * This starts the data section.
2623 + */
2624 + .data
2625 ++
2626 ++.section .rodata,"a",@progbits
2627 + ENTRY(stack_start)
2628 +- .long init_thread_union+THREAD_SIZE
2629 ++ .long init_thread_union+THREAD_SIZE-8
2630 + .long __BOOT_DS
2631 +
2632 + ready: .byte 0
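Review bot: The `.section .rodata,"a",@progbits` directive placed right after `.data` means `stack_start` and `ready` are now emitted into .rodata, yet `ready` is stored to by `movb $1, ready` in the earlier SMP hunk of this file and, if the SMP bring-up code still fills in `stack_start` as it does in mainline, that symbol is written as well. That is only safe if every such store happens before rodata is write-protected or is wrapped in pax_open_kernel, neither of which is visible in this excerpt; a comment on the directive such as `# stack_start/ready are only written during early boot, before rodata is made read-only` would record the assumption. The `-8` in `.long init_thread_union+THREAD_SIZE-8` is the same reserve that `copy_thread` (`- 8`, process.c hunk) and `do_IRQ`/`do_softirq` (`- 2` u32 slots, irq.c hunks) apply further down; naming it once with a comment on why the 8 bytes are needed would keep the four sites in step.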
2633 +@@ -565,7 +665,7 @@ idt_descr:
2634 + .word 0 # 32 bit align gdt_desc.address
2635 + ENTRY(early_gdt_descr)
2636 + .word GDT_ENTRIES*8-1
2637 +- .long per_cpu__gdt_page /* Overwritten for secondary CPUs */
2638 ++ .long cpu_gdt_table /* Overwritten for secondary CPUs */
2639 +
2640 + /*
2641 + * The boot_gdt must mirror the equivalent in setup.S and is
2642 +@@ -574,5 +674,61 @@ ENTRY(early_gdt_descr)
2643 + .align L1_CACHE_BYTES
2644 + ENTRY(boot_gdt)
2645 + .fill GDT_ENTRY_BOOT_CS,8,0
2646 +- .quad 0x00cf9a000000ffff /* kernel 4GB code at 0x00000000 */
2647 +- .quad 0x00cf92000000ffff /* kernel 4GB data at 0x00000000 */
2648 ++ .quad 0x00cf9b000000ffff /* kernel 4GB code at 0x00000000 */
2649 ++ .quad 0x00cf93000000ffff /* kernel 4GB data at 0x00000000 */
2650 ++
2651 ++ .align PAGE_SIZE_asm
2652 ++ENTRY(cpu_gdt_table)
2653 ++ .quad 0x0000000000000000 /* NULL descriptor */
2654 ++ .quad 0x0000000000000000 /* 0x0b reserved */
2655 ++ .quad 0x0000000000000000 /* 0x13 reserved */
2656 ++ .quad 0x0000000000000000 /* 0x1b reserved */
2657 ++ .quad 0x0000000000000000 /* 0x20 unused */
2658 ++ .quad 0x0000000000000000 /* 0x28 unused */
2659 ++ .quad 0x0000000000000000 /* 0x33 TLS entry 1 */
2660 ++ .quad 0x0000000000000000 /* 0x3b TLS entry 2 */
2661 ++ .quad 0x0000000000000000 /* 0x43 TLS entry 3 */
2662 ++ .quad 0x0000000000000000 /* 0x4b reserved */
2663 ++ .quad 0x0000000000000000 /* 0x53 reserved */
2664 ++ .quad 0x0000000000000000 /* 0x5b reserved */
2665 ++
2666 ++ .quad 0x00cf9b000000ffff /* 0x60 kernel 4GB code at 0x00000000 */
2667 ++ .quad 0x00cf93000000ffff /* 0x68 kernel 4GB data at 0x00000000 */
2668 ++ .quad 0x00cffb000000ffff /* 0x73 user 4GB code at 0x00000000 */
2669 ++ .quad 0x00cff3000000ffff /* 0x7b user 4GB data at 0x00000000 */
2670 ++
2671 ++ .quad 0x0000000000000000 /* 0x80 TSS descriptor */
2672 ++ .quad 0x0000000000000000 /* 0x88 LDT descriptor */
2673 ++
2674 ++ /*
2675 ++ * Segments used for calling PnP BIOS have byte granularity.
2676 ++ * The code segments and data segments have fixed 64k limits,
2677 ++ * the transfer segment sizes are set at run time.
2678 ++ */
2679 ++ .quad 0x00409b000000ffff /* 0x90 32-bit code */
2680 ++ .quad 0x00009b000000ffff /* 0x98 16-bit code */
2681 ++ .quad 0x000093000000ffff /* 0xa0 16-bit data */
2682 ++ .quad 0x0000930000000000 /* 0xa8 16-bit data */
2683 ++ .quad 0x0000930000000000 /* 0xb0 16-bit data */
2684 ++
2685 ++ /*
2686 ++ * The APM segments have byte granularity and their bases
2687 ++ * are set at run time. All have 64k limits.
2688 ++ */
2689 ++ .quad 0x00409b000000ffff /* 0xb8 APM CS code */
2690 ++ .quad 0x00009b000000ffff /* 0xc0 APM CS 16 code (16 bit) */
2691 ++ .quad 0x004093000000ffff /* 0xc8 APM DS data */
2692 ++
2693 ++ .quad 0x00c0930000000000 /* 0xd0 - ESPFIX SS */
2694 ++ .quad 0x0040930000000000 /* 0xd8 - PERCPU */
2695 ++ .quad 0x0000000000000000 /* 0xe0 - PCIBIOS_CS */
2696 ++ .quad 0x0000000000000000 /* 0xe8 - PCIBIOS_DS */
2697 ++ .quad 0x0000000000000000 /* 0xf0 - unused */
2698 ++ .quad 0x0000000000000000 /* 0xf8 - GDT entry 31: double-fault TSS */
2699 ++
2700 ++ /* Be sure this is zeroed to avoid false validations in Xen */
2701 ++ .fill PAGE_SIZE_asm - GDT_ENTRIES,1,0
2702 ++
2703 ++#ifdef CONFIG_SMP
2704 ++ .fill (NR_CPUS-1) * (PAGE_SIZE_asm),1,0 /* other CPU's GDT */
2705 ++#endif
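Review bot: The trailing pad `.fill PAGE_SIZE_asm - GDT_ENTRIES,1,0` counts in bytes but subtracts the descriptor count, so if GDT_ENTRIES is the number of 8-byte entries (32 in mainline's segment.h) the table plus pad comes to 224 bytes more than one page, and every secondary CPU's GDT inside the `(NR_CPUS-1) * (PAGE_SIZE_asm)` block that follows would be displaced by that amount. The byte-count form is `.fill PAGE_SIZE_asm - GDT_ENTRIES*8,1,0` (equivalently `.fill PAGE_SIZE_asm / 8 - GDT_ENTRIES,8,0`); please confirm against the definition of GDT_ENTRIES, which is outside this patch excerpt. Separately, the boot_gdt and cpu_gdt_table code/data descriptors now carry the accessed bit (0x9b/0x93 rather than 0x9a/0x92); I read that as avoiding a hardware write into a GDT that may live in read-only memory, and a one-line comment stating the intent, e.g. `/* accessed bit preset: the CPU must never need to write this table */`, would spare the next reader the same guesswork.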
2706 +diff -Nurp linux-2.6.23.15/arch/i386/kernel/hpet.c linux-2.6.23.15-grsec/arch/i386/kernel/hpet.c
2707 +--- linux-2.6.23.15/arch/i386/kernel/hpet.c 2007-10-09 21:31:38.000000000 +0100
2708 ++++ linux-2.6.23.15-grsec/arch/i386/kernel/hpet.c 2008-02-11 10:37:44.000000000 +0000
2709 +@@ -96,7 +96,7 @@ static void hpet_reserve_platform_timers
2710 + hd.hd_irq[1] = HPET_LEGACY_RTC;
2711 +
2712 + for (i = 2; i < nrtimers; timer++, i++)
2713 +- hd.hd_irq[i] = (timer->hpet_config & Tn_INT_ROUTE_CNF_MASK) >>
2714 ++ hd.hd_irq[i] = (readl(&timer->hpet_config) & Tn_INT_ROUTE_CNF_MASK) >>
2715 + Tn_INT_ROUTE_CNF_SHIFT;
2716 +
2717 + hpet_alloc(&hd);
2718 +diff -Nurp linux-2.6.23.15/arch/i386/kernel/i386_ksyms.c linux-2.6.23.15-grsec/arch/i386/kernel/i386_ksyms.c
2719 +--- linux-2.6.23.15/arch/i386/kernel/i386_ksyms.c 2007-10-09 21:31:38.000000000 +0100
2720 ++++ linux-2.6.23.15-grsec/arch/i386/kernel/i386_ksyms.c 2008-02-11 10:37:44.000000000 +0000
2721 +@@ -2,12 +2,16 @@
2722 + #include <asm/checksum.h>
2723 + #include <asm/desc.h>
2724 +
2725 ++EXPORT_SYMBOL_GPL(cpu_gdt_table);
2726 ++
2727 + EXPORT_SYMBOL(__down_failed);
2728 + EXPORT_SYMBOL(__down_failed_interruptible);
2729 + EXPORT_SYMBOL(__down_failed_trylock);
2730 + EXPORT_SYMBOL(__up_wakeup);
2731 + /* Networking helper routines. */
2732 + EXPORT_SYMBOL(csum_partial_copy_generic);
2733 ++EXPORT_SYMBOL(csum_partial_copy_generic_to_user);
2734 ++EXPORT_SYMBOL(csum_partial_copy_generic_from_user);
2735 +
2736 + EXPORT_SYMBOL(__get_user_1);
2737 + EXPORT_SYMBOL(__get_user_2);
2738 +diff -Nurp linux-2.6.23.15/arch/i386/kernel/i8259.c linux-2.6.23.15-grsec/arch/i386/kernel/i8259.c
2739 +--- linux-2.6.23.15/arch/i386/kernel/i8259.c 2007-10-09 21:31:38.000000000 +0100
2740 ++++ linux-2.6.23.15-grsec/arch/i386/kernel/i8259.c 2008-02-11 10:37:44.000000000 +0000
2741 +@@ -350,7 +350,7 @@ static irqreturn_t math_error_irq(int cp
2742 + * New motherboards sometimes make IRQ 13 be a PCI interrupt,
2743 + * so allow interrupt sharing.
2744 + */
2745 +-static struct irqaction fpu_irq = { math_error_irq, 0, CPU_MASK_NONE, "fpu", NULL, NULL };
2746 ++static struct irqaction fpu_irq = { math_error_irq, 0, CPU_MASK_NONE, "fpu", NULL, NULL, 0, NULL };
2747 +
2748 + void __init init_ISA_irqs (void)
2749 + {
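Review bot: The positional initializer `{ math_error_irq, 0, CPU_MASK_NONE, "fpu", NULL, NULL, 0, NULL }` has to track every field of struct irqaction in declaration order, which is presumably why two extra trailing members had to be appended here; designated initializers are the kernel convention for this and survive layout changes unchanged: `static struct irqaction fpu_irq = { .handler = math_error_irq, .mask = CPU_MASK_NONE, .name = "fpu" };`. Unnamed members are zero-initialized either way, so behaviour is identical.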
2750 +diff -Nurp linux-2.6.23.15/arch/i386/kernel/init_task.c linux-2.6.23.15-grsec/arch/i386/kernel/init_task.c
2751 +--- linux-2.6.23.15/arch/i386/kernel/init_task.c 2007-10-09 21:31:38.000000000 +0100
2752 ++++ linux-2.6.23.15-grsec/arch/i386/kernel/init_task.c 2008-02-11 10:37:44.000000000 +0000
2753 +@@ -42,5 +42,5 @@ EXPORT_SYMBOL(init_task);
2754 + * per-CPU TSS segments. Threads are completely 'soft' on Linux,
2755 + * no more per-task TSS's.
2756 + */
2757 +-DEFINE_PER_CPU_SHARED_ALIGNED(struct tss_struct, init_tss) = INIT_TSS;
2758 ++struct tss_struct init_tss[NR_CPUS] ____cacheline_internodealigned_in_smp = { [0 ... NR_CPUS-1] = INIT_TSS };
2759 +
2760 +diff -Nurp linux-2.6.23.15/arch/i386/kernel/ioport.c linux-2.6.23.15-grsec/arch/i386/kernel/ioport.c
2761 +--- linux-2.6.23.15/arch/i386/kernel/ioport.c 2007-10-09 21:31:38.000000000 +0100
2762 ++++ linux-2.6.23.15-grsec/arch/i386/kernel/ioport.c 2008-02-11 10:37:44.000000000 +0000
2763 +@@ -16,6 +16,7 @@
2764 + #include <linux/slab.h>
2765 + #include <linux/thread_info.h>
2766 + #include <linux/syscalls.h>
2767 ++#include <linux/grsecurity.h>
2768 +
2769 + /* Set EXTENT bits starting at BASE in BITMAP to value TURN_ON. */
2770 + static void set_bitmap(unsigned long *bitmap, unsigned int base, unsigned int extent, int new_value)
2771 +@@ -64,9 +65,16 @@ asmlinkage long sys_ioperm(unsigned long
2772 +
2773 + if ((from + num <= from) || (from + num > IO_BITMAP_BITS))
2774 + return -EINVAL;
2775 ++#ifdef CONFIG_GRKERNSEC_IO
2776 ++ if (turn_on) {
2777 ++ gr_handle_ioperm();
2778 ++#else
2779 + if (turn_on && !capable(CAP_SYS_RAWIO))
2780 ++#endif
2781 + return -EPERM;
2782 +-
2783 ++#ifdef CONFIG_GRKERNSEC_IO
2784 ++ }
2785 ++#endif
2786 + /*
2787 + * If it's the first ioperm() call in this thread's lifetime, set the
2788 + * IO bitmap up. ioperm() is much less timing critical than clone(),
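Review bot: The CONFIG_GRKERNSEC_IO branch in sys_ioperm splits a single `if` across two `#ifdef` blocks, so the brace opened at `if (turn_on) {` is closed by a second `#ifdef CONFIG_GRKERNSEC_IO` block a few lines later and the shared `return -EPERM;` belongs to a different statement in each configuration; a reader has to mentally preprocess the file to see either version. The sys_iopl hunk further down in this file keeps the two configurations as complete statements inside one `#ifdef`/`#else`, and the same shape works here with identical behaviour (turn_on == 0 falls through unchanged in both builds). The body of sys_ioperm starts and ends outside this hunk.
```c
	if ((from + num <= from) || (from + num > IO_BITMAP_BITS))
		return -EINVAL;
	if (turn_on) {
#ifdef CONFIG_GRKERNSEC_IO
		gr_handle_ioperm();
		return -EPERM;
#else
		if (!capable(CAP_SYS_RAWIO))
			return -EPERM;
#endif
	}
	/* … unchanged: first-call io_bitmap setup … */
```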
2789 +@@ -89,7 +97,7 @@ asmlinkage long sys_ioperm(unsigned long
2790 + * because the ->io_bitmap_max value must match the bitmap
2791 + * contents:
2792 + */
2793 +- tss = &per_cpu(init_tss, get_cpu());
2794 ++ tss = init_tss + get_cpu();
2795 +
2796 + set_bitmap(t->io_bitmap_ptr, from, num, !turn_on);
2797 +
2798 +@@ -143,8 +151,13 @@ asmlinkage long sys_iopl(unsigned long u
2799 + return -EINVAL;
2800 + /* Trying to gain more privileges? */
2801 + if (level > old) {
2802 ++#ifdef CONFIG_GRKERNSEC_IO
2803 ++ gr_handle_iopl();
2804 ++ return -EPERM;
2805 ++#else
2806 + if (!capable(CAP_SYS_RAWIO))
2807 + return -EPERM;
2808 ++#endif
2809 + }
2810 + t->iopl = level << 12;
2811 + regs->eflags = (regs->eflags & ~X86_EFLAGS_IOPL) | t->iopl;
2812 +diff -Nurp linux-2.6.23.15/arch/i386/kernel/irq.c linux-2.6.23.15-grsec/arch/i386/kernel/irq.c
2813 +--- linux-2.6.23.15/arch/i386/kernel/irq.c 2007-10-09 21:31:38.000000000 +0100
2814 ++++ linux-2.6.23.15-grsec/arch/i386/kernel/irq.c 2008-02-11 10:37:44.000000000 +0000
2815 +@@ -117,7 +117,7 @@ fastcall unsigned int do_IRQ(struct pt_r
2816 + int arg1, arg2, ebx;
2817 +
2818 + /* build the stack frame on the IRQ stack */
2819 +- isp = (u32*) ((char*)irqctx + sizeof(*irqctx));
2820 ++ isp = (u32*) ((char*)irqctx + sizeof(*irqctx)) - 2;
2821 + irqctx->tinfo.task = curctx->tinfo.task;
2822 + irqctx->tinfo.previous_esp = current_stack_pointer;
2823 +
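Review bot: The `- 2` appended to the frame pointer computation in do_IRQ, and again in the do_softirq hunk that follows, is an unexplained magic number; it reserves two u32 slots (8 bytes) at the top of the IRQ and softirq stacks, matching the `-8` in `copy_thread` (process.c hunk) and in `stack_start` (head.S hunk). A comment at this first site, `/* keep the top 8 bytes of the stack free, see stack_start in head.S */`, or better a single named constant shared by the four sites, would keep them from drifting apart; why the 8 bytes are needed is not visible in this excerpt, so the comment should say that too if it is known.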
2824 +@@ -213,7 +213,7 @@ asmlinkage void do_softirq(void)
2825 + irqctx->tinfo.previous_esp = current_stack_pointer;
2826 +
2827 + /* build the stack frame on the softirq stack */
2828 +- isp = (u32*) ((char*)irqctx + sizeof(*irqctx));
2829 ++ isp = (u32*) ((char*)irqctx + sizeof(*irqctx)) - 2;
2830 +
2831 + asm volatile(
2832 + " xchgl %%ebx,%%esp \n"
2833 +diff -Nurp linux-2.6.23.15/arch/i386/kernel/kprobes.c linux-2.6.23.15-grsec/arch/i386/kernel/kprobes.c
2834 +--- linux-2.6.23.15/arch/i386/kernel/kprobes.c 2007-10-09 21:31:38.000000000 +0100
2835 ++++ linux-2.6.23.15-grsec/arch/i386/kernel/kprobes.c 2008-02-11 10:37:44.000000000 +0000
2836 +@@ -49,9 +49,24 @@ static __always_inline void set_jmp_op(v
2837 + char op;
2838 + long raddr;
2839 + } __attribute__((packed)) *jop;
2840 +- jop = (struct __arch_jmp_op *)from;
2841 ++
2842 ++#ifdef CONFIG_PAX_KERNEXEC
2843 ++ unsigned long cr0;
2844 ++#endif
2845 ++
2846 ++ jop = (struct __arch_jmp_op *)(from + __KERNEL_TEXT_OFFSET);
2847 ++
2848 ++#ifdef CONFIG_PAX_KERNEXEC
2849 ++ pax_open_kernel(cr0);
2850 ++#endif
2851 ++
2852 + jop->raddr = (long)(to) - ((long)(from) + 5);
2853 + jop->op = RELATIVEJUMP_INSTRUCTION;
2854 ++
2855 ++#ifdef CONFIG_PAX_KERNEXEC
2856 ++ pax_close_kernel(cr0);
2857 ++#endif
2858 ++
2859 + }
2860 +
2861 + /*
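Review bot: `from + __KERNEL_TEXT_OFFSET` is introduced with no comment on why the jump is patched through an offset alias of `from` while the displacement is still computed against `from` itself; the same adjustment recurs, also uncommented, in the arch_prepare_kprobe, prepare_singlestep, ss_probe and resume_execution hunks below. From the pax_open_kernel/pax_close_kernel pair around the two stores it looks like KERNEXEC executes kernel text at one address and writes it through a second mapping; a comment at this first use, e.g. `/* KERNEXEC: text is written through the __KERNEL_TEXT_OFFSET alias; addresses in registers stay in the execute view */`, would make the invariant explicit — please correct it if that reading is wrong. The signature of set_jmp_op lies outside the hunk.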
2862 +@@ -153,14 +168,28 @@ static int __kprobes is_IF_modifier(kpro
2863 +
2864 + int __kprobes arch_prepare_kprobe(struct kprobe *p)
2865 + {
2866 ++
2867 ++#ifdef CONFIG_PAX_KERNEXEC
2868 ++ unsigned long cr0;
2869 ++#endif
2870 ++
2871 + /* insn: must be on special executable page on i386. */
2872 + p->ainsn.insn = get_insn_slot();
2873 + if (!p->ainsn.insn)
2874 + return -ENOMEM;
2875 +
2876 +- memcpy(p->ainsn.insn, p->addr, MAX_INSN_SIZE * sizeof(kprobe_opcode_t));
2877 +- p->opcode = *p->addr;
2878 +- if (can_boost(p->addr)) {
2879 ++#ifdef CONFIG_PAX_KERNEXEC
2880 ++ pax_open_kernel(cr0);
2881 ++#endif
2882 ++
2883 ++ memcpy(p->ainsn.insn, p->addr + __KERNEL_TEXT_OFFSET, MAX_INSN_SIZE * sizeof(kprobe_opcode_t));
2884 ++
2885 ++#ifdef CONFIG_PAX_KERNEXEC
2886 ++ pax_close_kernel(cr0);
2887 ++#endif
2888 ++
2889 ++ p->opcode = *(p->addr + __KERNEL_TEXT_OFFSET);
2890 ++ if (can_boost(p->addr + __KERNEL_TEXT_OFFSET)) {
2891 + p->ainsn.boostable = 0;
2892 + } else {
2893 + p->ainsn.boostable = -1;
2894 +@@ -219,7 +248,7 @@ static void __kprobes prepare_singlestep
2895 + if (p->opcode == BREAKPOINT_INSTRUCTION)
2896 + regs->eip = (unsigned long)p->addr;
2897 + else
2898 +- regs->eip = (unsigned long)p->ainsn.insn;
2899 ++ regs->eip = (unsigned long)p->ainsn.insn - __KERNEL_TEXT_OFFSET;
2900 + }
2901 +
2902 + /* Called with kretprobe_lock held */
2903 +@@ -325,7 +354,7 @@ ss_probe:
2904 + if (p->ainsn.boostable == 1 && !p->post_handler){
2905 + /* Boost up -- we can execute copied instructions directly */
2906 + reset_current_kprobe();
2907 +- regs->eip = (unsigned long)p->ainsn.insn;
2908 ++ regs->eip = (unsigned long)p->ainsn.insn - __KERNEL_TEXT_OFFSET;
2909 + preempt_enable_no_resched();
2910 + return 1;
2911 + }
2912 +@@ -475,7 +504,7 @@ static void __kprobes resume_execution(s
2913 + struct pt_regs *regs, struct kprobe_ctlblk *kcb)
2914 + {
2915 + unsigned long *tos = (unsigned long *)&regs->esp;
2916 +- unsigned long copy_eip = (unsigned long)p->ainsn.insn;
2917 ++ unsigned long copy_eip = (unsigned long)p->ainsn.insn - __KERNEL_TEXT_OFFSET;
2918 + unsigned long orig_eip = (unsigned long)p->addr;
2919 +
2920 + regs->eflags &= ~TF_MASK;
2921 +@@ -648,7 +677,7 @@ int __kprobes kprobe_exceptions_notify(s
2922 + struct die_args *args = (struct die_args *)data;
2923 + int ret = NOTIFY_DONE;
2924 +
2925 +- if (args->regs && user_mode_vm(args->regs))
2926 ++ if (args->regs && user_mode(args->regs))
2927 + return ret;
2928 +
2929 + switch (val) {
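Review bot: Replacing `user_mode_vm(args->regs)` with `user_mode(args->regs)` drops the VM86 test unless the patch redefines user_mode() elsewhere: in mainline 2.6.23 user_mode() only checks the CS RPL, whereas user_mode_vm() also treats a frame with VM_MASK set in eflags as user mode, so a trap taken in vm86 mode would be dispatched here as if it came from the kernel. The same substitution appears in the show_regs (process.c) and send_sigtrap (ptrace.c) hunks below. If asm-i386/ptrace.h is changed in the part of this patch not shown here, a sentence in the patch header saying so would let reviewers stop re-checking every site.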
2930 +diff -Nurp linux-2.6.23.15/arch/i386/kernel/ldt.c linux-2.6.23.15-grsec/arch/i386/kernel/ldt.c
2931 +--- linux-2.6.23.15/arch/i386/kernel/ldt.c 2007-10-09 21:31:38.000000000 +0100
2932 ++++ linux-2.6.23.15-grsec/arch/i386/kernel/ldt.c 2008-02-11 10:37:44.000000000 +0000
2933 +@@ -58,7 +58,7 @@ static int alloc_ldt(mm_context_t *pc, i
2934 + #ifdef CONFIG_SMP
2935 + cpumask_t mask;
2936 + preempt_disable();
2937 +- load_LDT(pc);
2938 ++ load_LDT_nolock(pc);
2939 + mask = cpumask_of_cpu(smp_processor_id());
2940 + if (!cpus_equal(current->mm->cpu_vm_mask, mask))
2941 + smp_call_function(flush_ldt, NULL, 1, 1);
2942 +@@ -102,6 +102,22 @@ int init_new_context(struct task_struct
2943 + retval = copy_ldt(&mm->context, &old_mm->context);
2944 + up(&old_mm->context.sem);
2945 + }
2946 ++
2947 ++ if (tsk == current) {
2948 ++ mm->context.vdso = ~0UL;
2949 ++
2950 ++#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
2951 ++ mm->context.user_cs_base = 0UL;
2952 ++ mm->context.user_cs_limit = ~0UL;
2953 ++
2954 ++#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP)
2955 ++ cpus_clear(mm->context.cpu_user_cs_mask);
2956 ++#endif
2957 ++
2958 ++#endif
2959 ++
2960 ++ }
2961 ++
2962 + return retval;
2963 + }
2964 +
2965 +@@ -212,6 +228,13 @@ static int write_ldt(void __user * ptr,
2966 + }
2967 + }
2968 +
2969 ++#ifdef CONFIG_PAX_SEGMEXEC
2970 ++ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (ldt_info.contents & MODIFY_LDT_CONTENTS_CODE)) {
2971 ++ error = -EINVAL;
2972 ++ goto out_unlock;
2973 ++ }
2974 ++#endif
2975 ++
2976 + entry_1 = LDT_entry_a(&ldt_info);
2977 + entry_2 = LDT_entry_b(&ldt_info);
2978 + if (oldmode)
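Review bot: The SEGMEXEC rejection `(mm->pax_flags & MF_PAX_SEGMEXEC) && (ldt_info.contents & MODIFY_LDT_CONTENTS_CODE)` is now copied into four places — write_ldt here, plus the copy_thread and sys_set_thread_area hunks in process.c and the ptrace_set_thread_area hunk in ptrace.c — each reporting it differently (goto out_unlock, goto out, return -EINVAL). A single inline helper, e.g. `static inline int pax_segmexec_rejects_code_seg(const struct mm_struct *mm, const struct user_desc *info)`, would keep the policy in one spot and make it harder for a future entry point to miss it; the copy_thread variant in particular relies on whatever `err` holds at its `goto out`, which is outside that hunk and worth a glance.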
2979 +diff -Nurp linux-2.6.23.15/arch/i386/kernel/machine_kexec.c linux-2.6.23.15-grsec/arch/i386/kernel/machine_kexec.c
2980 +--- linux-2.6.23.15/arch/i386/kernel/machine_kexec.c 2007-10-09 21:31:38.000000000 +0100
2981 ++++ linux-2.6.23.15-grsec/arch/i386/kernel/machine_kexec.c 2008-02-11 10:37:44.000000000 +0000
2982 +@@ -29,25 +29,25 @@ static u32 kexec_pmd1[1024] PAGE_ALIGNED
2983 + static u32 kexec_pte0[1024] PAGE_ALIGNED;
2984 + static u32 kexec_pte1[1024] PAGE_ALIGNED;
2985 +
2986 +-static void set_idt(void *newidt, __u16 limit)
2987 ++static void set_idt(struct desc_struct *newidt, __u16 limit)
2988 + {
2989 + struct Xgt_desc_struct curidt;
2990 +
2991 + /* ia32 supports unaliged loads & stores */
2992 + curidt.size = limit;
2993 +- curidt.address = (unsigned long)newidt;
2994 ++ curidt.address = newidt;
2995 +
2996 + load_idt(&curidt);
2997 + };
2998 +
2999 +
3000 +-static void set_gdt(void *newgdt, __u16 limit)
3001 ++static void set_gdt(struct desc_struct *newgdt, __u16 limit)
3002 + {
3003 + struct Xgt_desc_struct curgdt;
3004 +
3005 + /* ia32 supports unaligned loads & stores */
3006 + curgdt.size = limit;
3007 +- curgdt.address = (unsigned long)newgdt;
3008 ++ curgdt.address = newgdt;
3009 +
3010 + load_gdt(&curgdt);
3011 + };
3012 +@@ -110,10 +110,10 @@ NORET_TYPE void machine_kexec(struct kim
3013 + local_irq_disable();
3014 +
3015 + control_page = page_address(image->control_code_page);
3016 +- memcpy(control_page, relocate_kernel, PAGE_SIZE);
3017 ++ memcpy(control_page, relocate_kernel + __KERNEL_TEXT_OFFSET, PAGE_SIZE);
3018 +
3019 + page_list[PA_CONTROL_PAGE] = __pa(control_page);
3020 +- page_list[VA_CONTROL_PAGE] = (unsigned long)relocate_kernel;
3021 ++ page_list[VA_CONTROL_PAGE] = (unsigned long)relocate_kernel + __KERNEL_TEXT_OFFSET;
3022 + page_list[PA_PGD] = __pa(kexec_pgd);
3023 + page_list[VA_PGD] = (unsigned long)kexec_pgd;
3024 + #ifdef CONFIG_X86_PAE
3025 +diff -Nurp linux-2.6.23.15/arch/i386/kernel/module.c linux-2.6.23.15-grsec/arch/i386/kernel/module.c
3026 +--- linux-2.6.23.15/arch/i386/kernel/module.c 2007-10-09 21:31:38.000000000 +0100
3027 ++++ linux-2.6.23.15-grsec/arch/i386/kernel/module.c 2008-02-11 10:37:44.000000000 +0000
3028 +@@ -23,6 +23,8 @@
3029 + #include <linux/kernel.h>
3030 + #include <linux/bug.h>
3031 +
3032 ++#include <asm/desc.h>
3033 ++
3034 + #if 0
3035 + #define DEBUGP printk
3036 + #else
3037 +@@ -33,9 +35,30 @@ void *module_alloc(unsigned long size)
3038 + {
3039 + if (size == 0)
3040 + return NULL;
3041 ++
3042 ++#ifdef CONFIG_PAX_KERNEXEC
3043 ++ return vmalloc(size);
3044 ++#else
3045 + return vmalloc_exec(size);
3046 ++#endif
3047 ++
3048 + }
3049 +
3050 ++#ifdef CONFIG_PAX_KERNEXEC
3051 ++void *module_alloc_exec(unsigned long size)
3052 ++{
3053 ++ struct vm_struct *area;
3054 ++
3055 ++ if (size == 0)
3056 ++ return NULL;
3057 ++
3058 ++ area = __get_vm_area(size, VM_ALLOC, (unsigned long)&MODULES_VADDR, (unsigned long)&MODULES_END);
3059 ++ if (area)
3060 ++ return area->addr;
3061 ++
3062 ++ return NULL;
3063 ++}
3064 ++#endif
3065 +
3066 + /* Free memory returned from module_alloc */
3067 + void module_free(struct module *mod, void *module_region)
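Review bot: module_alloc_exec() reserves an address range with __get_vm_area() but maps no pages into it, unlike vmalloc_exec() on the non-KERNEXEC path, and returns `area->addr` with no comment on where the backing memory comes from. If the design is that MODULES_VADDR..MODULES_END is already mapped (presumably as part of the KERNEXEC kernel text), a comment above the function saying exactly that is needed, since otherwise the first store through the returned pointer faults. The `size == 0` guard matches module_alloc(); no PAGE_ALIGN is applied here, so confirm that __get_vm_area() rounds the size up as its other callers assume.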
3068 +@@ -45,6 +68,45 @@ void module_free(struct module *mod, voi
3069 + table entries. */
3070 + }
3071 +
3072 ++#ifdef CONFIG_PAX_KERNEXEC
3073 ++void module_free_exec(struct module *mod, void *module_region)
3074 ++{
3075 ++ struct vm_struct **p, *tmp;
3076 ++
3077 ++ if (!module_region)
3078 ++ return;
3079 ++
3080 ++ if ((PAGE_SIZE-1) & (unsigned long)module_region) {
3081 ++ printk(KERN_ERR "Trying to module_free_exec() bad address (%p)\n", module_region);
3082 ++ WARN_ON(1);
3083 ++ return;
3084 ++ }
3085 ++
3086 ++ write_lock(&vmlist_lock);
3087 ++ for (p = &vmlist; (tmp = *p) != NULL; p = &tmp->next)
3088 ++ if (tmp->addr == module_region)
3089 ++ break;
3090 ++
3091 ++ if (tmp) {
3092 ++ unsigned long cr0;
3093 ++
3094 ++ pax_open_kernel(cr0);
3095 ++ memset(tmp->addr, 0xCC, tmp->size);
3096 ++ pax_close_kernel(cr0);
3097 ++
3098 ++ *p = tmp->next;
3099 ++ kfree(tmp);
3100 ++ }
3101 ++ write_unlock(&vmlist_lock);
3102 ++
3103 ++ if (!tmp) {
3104 ++ printk(KERN_ERR "Trying to module_free_exec() nonexistent vm area (%p)\n",
3105 ++ module_region);
3106 ++ WARN_ON(1);
3107 ++ }
3108 ++}
3109 ++#endif
3110 ++
3111 + /* We don't need anything special. */
3112 + int module_frob_arch_sections(Elf_Ehdr *hdr,
3113 + Elf_Shdr *sechdrs,
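Review bot: `memset(tmp->addr, 0xCC, tmp->size)` in module_free_exec uses the vm_struct size directly; in mainline vmalloc.c, __get_vm_area() adds a trailing guard page to `size`, so if that holds in this tree the fill runs one page past the module's text into whatever follows in the pre-mapped exec range, and `tmp->size - PAGE_SIZE` would be the intended length. A short comment, `/* fill freed text with int3 so stale references trap instead of executing leftovers */`, would also document why 0xCC rather than 0 is used. The fill runs with the kernel mapping opened and vmlist_lock held for write; acceptable on this rare path, but worth stating next to the lock.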
3114 +@@ -63,14 +125,20 @@ int apply_relocate(Elf32_Shdr *sechdrs,
3115 + unsigned int i;
3116 + Elf32_Rel *rel = (void *)sechdrs[relsec].sh_addr;
3117 + Elf32_Sym *sym;
3118 +- uint32_t *location;
3119 ++ uint32_t *plocation, location;
3120 ++
3121 ++#ifdef CONFIG_PAX_KERNEXEC
3122 ++ unsigned long cr0;
3123 ++#endif
3124 +
3125 + DEBUGP("Applying relocate section %u to %u\n", relsec,
3126 + sechdrs[relsec].sh_info);
3127 + for (i = 0; i < sechdrs[relsec].sh_size / sizeof(*rel); i++) {
3128 + /* This is where to make the change */
3129 +- location = (void *)sechdrs[sechdrs[relsec].sh_info].sh_addr
3130 +- + rel[i].r_offset;
3131 ++ plocation = (void *)sechdrs[sechdrs[relsec].sh_info].sh_addr + rel[i].r_offset;
3132 ++ location = (uint32_t)plocation;
3133 ++ if (sechdrs[sechdrs[relsec].sh_info].sh_flags & SHF_EXECINSTR)
3134 ++ plocation = (void *)plocation + __KERNEL_TEXT_OFFSET;
3135 + /* This is the symbol it is referring to. Note that all
3136 + undefined symbols have been resolved. */
3137 + sym = (Elf32_Sym *)sechdrs[symindex].sh_addr
3138 +@@ -78,12 +146,32 @@ int apply_relocate(Elf32_Shdr *sechdrs,
3139 +
3140 + switch (ELF32_R_TYPE(rel[i].r_info)) {
3141 + case R_386_32:
3142 ++
3143 ++#ifdef CONFIG_PAX_KERNEXEC
3144 ++ pax_open_kernel(cr0);
3145 ++#endif
3146 ++
3147 + /* We add the value into the location given */
3148 +- *location += sym->st_value;
3149 ++ *plocation += sym->st_value;
3150 ++
3151 ++#ifdef CONFIG_PAX_KERNEXEC
3152 ++ pax_close_kernel(cr0);
3153 ++#endif
3154 ++
3155 + break;
3156 + case R_386_PC32:
3157 ++
3158 ++#ifdef CONFIG_PAX_KERNEXEC
3159 ++ pax_open_kernel(cr0);
3160 ++#endif
3161 ++
3162 + /* Add the value, subtract its postition */
3163 +- *location += sym->st_value - (uint32_t)location;
3164 ++ *plocation += sym->st_value - location;
3165 ++
3166 ++#ifdef CONFIG_PAX_KERNEXEC
3167 ++ pax_close_kernel(cr0);
3168 ++#endif
3169 ++
3170 + break;
3171 + default:
3172 + printk(KERN_ERR "module %s: Unknown relocation: %u\n",
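Review bot: pax_open_kernel()/pax_close_kernel() are issued for every relocation in both the R_386_32 and R_386_PC32 cases regardless of the target section, although the preceding hunk only redirects `plocation` through `__KERNEL_TEXT_OFFSET` when the section carries SHF_EXECINSTR; provided non-text module sections are mapped writable, as the plain vmalloc() in module_alloc() suggests, data-section relocations open the writable-kernel window for no reason. Caching the predicate once per iteration, `int is_text = sechdrs[sechdrs[relsec].sh_info].sh_flags & SHF_EXECINSTR;`, and guarding each open/close pair with `if (is_text)` keeps the window to the stores that need it and removes the duplicated `sechdrs[sechdrs[relsec].sh_info]` lookup. The relocation loop begins in the preceding hunk and ends outside this one.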
3173 +diff -Nurp linux-2.6.23.15/arch/i386/kernel/paravirt.c linux-2.6.23.15-grsec/arch/i386/kernel/paravirt.c
3174 +--- linux-2.6.23.15/arch/i386/kernel/paravirt.c 2007-10-09 21:31:38.000000000 +0100
3175 ++++ linux-2.6.23.15-grsec/arch/i386/kernel/paravirt.c 2008-02-11 10:37:44.000000000 +0000
3176 +@@ -198,7 +198,7 @@ unsigned paravirt_patch_insns(void *insn
3177 + if (insn_len > len || start == NULL)
3178 + insn_len = len;
3179 + else
3180 +- memcpy(insnbuf, start, insn_len);
3181 ++ memcpy(insnbuf, start + __KERNEL_TEXT_OFFSET, insn_len);
3182 +
3183 + return insn_len;
3184 + }
3185 +@@ -273,7 +273,7 @@ int paravirt_disable_iospace(void)
3186 + return ret;
3187 + }
3188 +
3189 +-struct paravirt_ops paravirt_ops = {
3190 ++struct paravirt_ops paravirt_ops __read_only = {
3191 + .name = "bare hardware",
3192 + .paravirt_enabled = 0,
3193 + .kernel_rpl = 0,
3194 +diff -Nurp linux-2.6.23.15/arch/i386/kernel/process.c linux-2.6.23.15-grsec/arch/i386/kernel/process.c
3195 +--- linux-2.6.23.15/arch/i386/kernel/process.c 2007-10-09 21:31:38.000000000 +0100
3196 ++++ linux-2.6.23.15-grsec/arch/i386/kernel/process.c 2008-02-11 10:37:44.000000000 +0000
3197 +@@ -68,15 +68,17 @@ EXPORT_SYMBOL(boot_option_idle_override)
3198 + DEFINE_PER_CPU(struct task_struct *, current_task) = &init_task;
3199 + EXPORT_PER_CPU_SYMBOL(current_task);
3200 +
3201 ++#ifdef CONFIG_SMP
3202 + DEFINE_PER_CPU(int, cpu_number);
3203 + EXPORT_PER_CPU_SYMBOL(cpu_number);
3204 ++#endif
3205 +
3206 + /*
3207 + * Return saved PC of a blocked thread.
3208 + */
3209 + unsigned long thread_saved_pc(struct task_struct *tsk)
3210 + {
3211 +- return ((unsigned long *)tsk->thread.esp)[3];
3212 ++ return tsk->thread.eip;
3213 + }
3214 +
3215 + /*
3216 +@@ -307,7 +309,7 @@ void show_regs(struct pt_regs * regs)
3217 + printk("EIP: %04x:[<%08lx>] CPU: %d\n",0xffff & regs->xcs,regs->eip, smp_processor_id());
3218 + print_symbol("EIP is at %s\n", regs->eip);
3219 +
3220 +- if (user_mode_vm(regs))
3221 ++ if (user_mode(regs))
3222 + printk(" ESP: %04x:%08lx",0xffff & regs->xss,regs->esp);
3223 + printk(" EFLAGS: %08lx %s (%s %.*s)\n",
3224 + regs->eflags, print_tainted(), init_utsname()->release,
3225 +@@ -358,8 +360,8 @@ int kernel_thread(int (*fn)(void *), voi
3226 + regs.ebx = (unsigned long) fn;
3227 + regs.edx = (unsigned long) arg;
3228 +
3229 +- regs.xds = __USER_DS;
3230 +- regs.xes = __USER_DS;
3231 ++ regs.xds = __KERNEL_DS;
3232 ++ regs.xes = __KERNEL_DS;
3233 + regs.xfs = __KERNEL_PERCPU;
3234 + regs.orig_eax = -1;
3235 + regs.eip = (unsigned long) kernel_thread_helper;
3236 +@@ -381,7 +383,7 @@ void exit_thread(void)
3237 + struct task_struct *tsk = current;
3238 + struct thread_struct *t = &tsk->thread;
3239 + int cpu = get_cpu();
3240 +- struct tss_struct *tss = &per_cpu(init_tss, cpu);
3241 ++ struct tss_struct *tss = init_tss + cpu;
3242 +
3243 + kfree(t->io_bitmap_ptr);
3244 + t->io_bitmap_ptr = NULL;
3245 +@@ -402,6 +404,7 @@ void flush_thread(void)
3246 + {
3247 + struct task_struct *tsk = current;
3248 +
3249 ++ __asm__("mov %0,%%gs\n" : : "r" (0) : "memory");
3250 + memset(tsk->thread.debugreg, 0, sizeof(unsigned long)*8);
3251 + memset(tsk->thread.tls_array, 0, sizeof(tsk->thread.tls_array));
3252 + clear_tsk_thread_flag(tsk, TIF_DEBUG);
3253 +@@ -435,7 +438,7 @@ int copy_thread(int nr, unsigned long cl
3254 + struct task_struct *tsk;
3255 + int err;
3256 +
3257 +- childregs = task_pt_regs(p);
3258 ++ childregs = task_stack_page(p) + THREAD_SIZE - sizeof(struct pt_regs) - 8;
3259 + *childregs = *regs;
3260 + childregs->eax = 0;
3261 + childregs->esp = esp;
3262 +@@ -477,6 +480,11 @@ int copy_thread(int nr, unsigned long cl
3263 + if (idx < GDT_ENTRY_TLS_MIN || idx > GDT_ENTRY_TLS_MAX)
3264 + goto out;
3265 +
3266 ++#ifdef CONFIG_PAX_SEGMEXEC
3267 ++ if ((current->mm->pax_flags & MF_PAX_SEGMEXEC) && (info.contents & MODIFY_LDT_CONTENTS_CODE))
3268 ++ goto out;
3269 ++#endif
3270 ++
3271 + desc = p->thread.tls_array + idx - GDT_ENTRY_TLS_MIN;
3272 + desc->a = LDT_entry_a(&info);
3273 + desc->b = LDT_entry_b(&info);
3274 +@@ -663,7 +671,7 @@ struct task_struct fastcall * __switch_t
3275 + struct thread_struct *prev = &prev_p->thread,
3276 + *next = &next_p->thread;
3277 + int cpu = smp_processor_id();
3278 +- struct tss_struct *tss = &per_cpu(init_tss, cpu);
3279 ++ struct tss_struct *tss = init_tss + cpu;
3280 +
3281 + /* never put a printk in __switch_to... printk() calls wake_up*() indirectly */
3282 +
3283 +@@ -691,6 +699,11 @@ struct task_struct fastcall * __switch_t
3284 + */
3285 + savesegment(gs, prev->gs);
3286 +
3287 ++#ifdef CONFIG_PAX_MEMORY_UDEREF
3288 ++ if (!segment_eq(task_thread_info(prev_p)->addr_limit, task_thread_info(next_p)->addr_limit))
3289 ++ __set_fs(task_thread_info(next_p)->addr_limit, cpu);
3290 ++#endif
3291 ++
3292 + /*
3293 + * Load the per-thread Thread-Local Storage descriptor.
3294 + */
3295 +@@ -855,6 +868,12 @@ asmlinkage int sys_set_thread_area(struc
3296 +
3297 + if (copy_from_user(&info, u_info, sizeof(info)))
3298 + return -EFAULT;
3299 ++
3300 ++#ifdef CONFIG_PAX_SEGMEXEC
3301 ++ if ((current->mm->pax_flags & MF_PAX_SEGMEXEC) && (info.contents & MODIFY_LDT_CONTENTS_CODE))
3302 ++ return -EINVAL;
3303 ++#endif
3304 ++
3305 + idx = info.entry_number;
3306 +
3307 + /*
3308 +@@ -943,9 +962,28 @@ asmlinkage int sys_get_thread_area(struc
3309 + return 0;
3310 + }
3311 +
3312 +-unsigned long arch_align_stack(unsigned long sp)
3313 ++#ifdef CONFIG_PAX_RANDKSTACK
3314 ++asmlinkage void pax_randomize_kstack(void)
3315 + {
3316 +- if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
3317 +- sp -= get_random_int() % 8192;
3318 +- return sp & ~0xf;
3319 ++ struct tss_struct *tss;
3320 ++ unsigned long time;
3321 ++
3322 ++ if (!randomize_va_space)
3323 ++ return;
3324 ++
3325 ++ tss = init_tss + smp_processor_id();
3326 ++ rdtscl(time);
3327 ++
3328 ++ /* P4 seems to return a 0 LSB, ignore it */
3329 ++#ifdef CONFIG_MPENTIUM4
3330 ++ time &= 0x1EUL;
3331 ++ time <<= 2;
3332 ++#else
3333 ++ time &= 0xFUL;
3334 ++ time <<= 3;
3335 ++#endif
3336 ++
3337 ++ tss->x86_tss.esp0 ^= time;
3338 ++ current->thread.esp0 = tss->x86_tss.esp0;
3339 + }
3340 ++#endif
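Review bot: pax_randomize_kstack() masks the TSC sample to `0xF` (or `0x1E` on Pentium 4) before shifting, so the esp0 perturbation takes at most 16 distinct values, whereas the removed arch_align_stack() drew from get_random_int() over an 8192-byte range. If the narrow range and the TSC source are deliberate trade-offs for a per-syscall path, a comment above the masks should say so and state the resulting range; `time` is also a misleading name for a TSC sample, `tsc` reads better. arch_align_stack() is removed from this file by the hunk, so unless another part of the patch still defines it the generic callers (fs/binfmt_elf.c in mainline) lose their definition; that part is not visible here.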
3341 +diff -Nurp linux-2.6.23.15/arch/i386/kernel/ptrace.c linux-2.6.23.15-grsec/arch/i386/kernel/ptrace.c
3342 +--- linux-2.6.23.15/arch/i386/kernel/ptrace.c 2007-10-09 21:31:38.000000000 +0100
3343 ++++ linux-2.6.23.15-grsec/arch/i386/kernel/ptrace.c 2008-02-11 10:37:44.000000000 +0000
3344 +@@ -161,22 +161,20 @@ static unsigned long convert_eip_to_line
3345 + * and APM bios ones we just ignore here.
3346 + */
3347 + if (seg & LDT_SEGMENT) {
3348 +- u32 *desc;
3349 ++ struct desc_struct *desc;
3350 + unsigned long base;
3351 +
3352 + seg &= ~7UL;
3353 +
3354 + down(&child->mm->context.sem);
3355 + if (unlikely((seg >> 3) >= child->mm->context.size))
3356 +- addr = -1L; /* bogus selector, access would fault */
3357 ++ addr = -EINVAL;
3358 + else {
3359 +- desc = child->mm->context.ldt + seg;
3360 +- base = ((desc[0] >> 16) |
3361 +- ((desc[1] & 0xff) << 16) |
3362 +- (desc[1] & 0xff000000));
3363 ++ desc = &child->mm->context.ldt[seg >> 3];
3364 ++ base = (desc->a >> 16) | ((desc->b & 0xff) << 16) | (desc->b & 0xff000000);
3365 +
3366 + /* 16-bit code segment? */
3367 +- if (!((desc[1] >> 22) & 1))
3368 ++ if (!((desc->b >> 22) & 1))
3369 + addr &= 0xffff;
3370 + addr += base;
3371 + }
3372 +@@ -191,6 +189,9 @@ static inline int is_setting_trap_flag(s
3373 + unsigned char opcode[15];
3374 + unsigned long addr = convert_eip_to_linear(child, regs);
3375 +
3376 ++ if (addr == -EINVAL)
3377 ++ return 0;
3378 ++
3379 + copied = access_process_vm(child, addr, opcode, sizeof(opcode), 0);
3380 + for (i = 0; i < copied; i++) {
3381 + switch (opcode[i]) {
3382 +@@ -341,6 +342,11 @@ ptrace_set_thread_area(struct task_struc
3383 + if (copy_from_user(&info, user_desc, sizeof(info)))
3384 + return -EFAULT;
3385 +
3386 ++#ifdef CONFIG_PAX_SEGMEXEC
3387 ++ if ((child->mm->pax_flags & MF_PAX_SEGMEXEC) && (info.contents & MODIFY_LDT_CONTENTS_CODE))
3388 ++ return -EINVAL;
3389 ++#endif
3390 ++
3391 + if (idx < GDT_ENTRY_TLS_MIN || idx > GDT_ENTRY_TLS_MAX)
3392 + return -EINVAL;
3393 +
3394 +@@ -420,6 +426,17 @@ long arch_ptrace(struct task_struct *chi
3395 + if(addr == (long) &dummy->u_debugreg[5]) break;
3396 + if(addr < (long) &dummy->u_debugreg[4] &&
3397 + ((unsigned long) data) >= TASK_SIZE-3) break;
3398 ++
3399 ++#ifdef CONFIG_GRKERNSEC
3400 ++ if(addr >= (long) &dummy->u_debugreg[0] &&
3401 ++ addr <= (long) &dummy->u_debugreg[3]){
3402 ++ long reg = (addr - (long) &dummy->u_debugreg[0]) >> 2;
3403 ++ long type = (child->thread.debugreg[7] >> (DR_CONTROL_SHIFT + 4*reg)) & 3;
3404 ++ long align = (child->thread.debugreg[7] >> (DR_CONTROL_SHIFT + 2 + 4*reg)) & 3;
3405 ++ if((type & 1) && (data & align))
3406 ++ break;
3407 ++ }
3408 ++#endif
3409 +
3410 + /* Sanity-check data. Take one half-byte at once with
3411 + * check = (val >> (16 + 4*i)) & 0xf. It contains the
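Review bot: The CONFIG_GRKERNSEC alignment check on DR0–DR3 writes depends on two encodings that deserve a comment: `type & 1` selects the data-write (01) and data-read/write (11) breakpoint types, and the DR7 LEN values 0, 1 and 3 (1, 2 and 4 bytes) double as alignment masks, which is why `data & align` works. Suggested comment above the block: `/* reject data breakpoints whose address is not aligned to their length; DR7 LEN encodings 0/1/3 double as masks */`. The check runs only when DR0–DR3 are written and validates against the DR7 contents at that moment; a later DR7 write that changes LEN or the type goes through the sanity-check path below, which is outside this hunk, so that path needs the mirror check if it does not already have one.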
3412 +@@ -636,7 +653,7 @@ void send_sigtrap(struct task_struct *ts
3413 + info.si_code = TRAP_BRKPT;
3414 +
3415 + /* User-mode eip? */
3416 +- info.si_addr = user_mode_vm(regs) ? (void __user *) regs->eip : NULL;
3417 ++ info.si_addr = user_mode(regs) ? (void __user *) regs->eip : NULL;
3418 +
3419 + /* Send us the fakey SIGTRAP */
3420 + force_sig_info(SIGTRAP, &info, tsk);
3421 +diff -Nurp linux-2.6.23.15/arch/i386/kernel/reboot.c linux-2.6.23.15-grsec/arch/i386/kernel/reboot.c
3422 +--- linux-2.6.23.15/arch/i386/kernel/reboot.c 2007-10-09 21:31:38.000000000 +0100
3423 ++++ linux-2.6.23.15-grsec/arch/i386/kernel/reboot.c 2008-02-11 10:37:44.000000000 +0000
3424 +@@ -26,7 +26,7 @@
3425 + void (*pm_power_off)(void);
3426 + EXPORT_SYMBOL(pm_power_off);
3427 +
3428 +-static int reboot_mode;
3429 ++static unsigned short reboot_mode;
3430 + static int reboot_thru_bios;
3431 +
3432 + #ifdef CONFIG_SMP
3433 +@@ -138,7 +138,7 @@ static struct dmi_system_id __initdata r
3434 + DMI_MATCH(DMI_PRODUCT_NAME, "HP Compaq"),
3435 + },
3436 + },
3437 +- { }
3438 ++ { NULL, NULL, {{0, NULL}}, NULL}
3439 + };
3440 +
3441 + static int __init reboot_init(void)
3442 +@@ -156,18 +156,18 @@ core_initcall(reboot_init);
3443 + doesn't work with at least one type of 486 motherboard. It is easy
3444 + to stop this code working; hence the copious comments. */
3445 +
3446 +-static unsigned long long
3447 +-real_mode_gdt_entries [3] =
3448 ++static struct desc_struct
3449 ++real_mode_gdt_entries [3] __read_only =
3450 + {
3451 +- 0x0000000000000000ULL, /* Null descriptor */
3452 +- 0x00009a000000ffffULL, /* 16-bit real-mode 64k code at 0x00000000 */
3453 +- 0x000092000100ffffULL /* 16-bit real-mode 64k data at 0x00000100 */
3454 ++ {0x00000000, 0x00000000}, /* Null descriptor */
3455 ++ {0x0000ffff, 0x00009b00}, /* 16-bit real-mode 64k code at 0x00000000 */
3456 ++ {0x0100ffff, 0x00009300} /* 16-bit real-mode 64k data at 0x00000100 */
3457 + };
3458 +
3459 +-static struct Xgt_desc_struct
3460 +-real_mode_gdt = { sizeof (real_mode_gdt_entries) - 1, (long)real_mode_gdt_entries },
3461 +-real_mode_idt = { 0x3ff, 0 },
3462 +-no_idt = { 0, 0 };
3463 ++static const struct Xgt_desc_struct
3464 ++real_mode_gdt = { sizeof (real_mode_gdt_entries) - 1, (struct desc_struct *)__pa(real_mode_gdt_entries), 0 },
3465 ++real_mode_idt = { 0x3ff, NULL, 0 },
3466 ++no_idt = { 0, NULL, 0 };
3467 +
3468 +
3469 + /* This is 16-bit protected mode code to disable paging and the cache,
3470 +@@ -189,7 +189,7 @@ no_idt = { 0, 0 };
3471 + More could be done here to set up the registers as if a CPU reset had
3472 + occurred; hopefully real BIOSs don't assume much. */
3473 +
3474 +-static unsigned char real_mode_switch [] =
3475 ++static const unsigned char real_mode_switch [] =
3476 + {
3477 + 0x66, 0x0f, 0x20, 0xc0, /* movl %cr0,%eax */
3478 + 0x66, 0x83, 0xe0, 0x11, /* andl $0x00000011,%eax */
3479 +@@ -203,7 +203,7 @@ static unsigned char real_mode_switch []
3480 + 0x24, 0x10, /* f: andb $0x10,al */
3481 + 0x66, 0x0f, 0x22, 0xc0 /* movl %eax,%cr0 */
3482 + };
3483 +-static unsigned char jump_to_bios [] =
3484 ++static const unsigned char jump_to_bios [] =
3485 + {
3486 + 0xea, 0x00, 0x00, 0xff, 0xff /* ljmp $0xffff,$0x0000 */
3487 + };
3488 +@@ -213,7 +213,7 @@ static unsigned char jump_to_bios [] =
3489 + * specified by the code and length parameters.
3490 + * We assume that length will aways be less that 100!
3491 + */
3492 +-void machine_real_restart(unsigned char *code, int length)
3493 ++void machine_real_restart(const unsigned char *code, unsigned int length)
3494 + {
3495 + local_irq_disable();
3496 +
3497 +@@ -234,9 +234,8 @@ void machine_real_restart(unsigned char
3498 + /* Remap the kernel at virtual address zero, as well as offset zero
3499 + from the kernel segment. This assumes the kernel segment starts at
3500 + virtual address PAGE_OFFSET. */
3501 +-
3502 +- memcpy (swapper_pg_dir, swapper_pg_dir + USER_PGD_PTRS,
3503 +- sizeof (swapper_pg_dir [0]) * KERNEL_PGD_PTRS);
3504 ++ clone_pgd_range(swapper_pg_dir, swapper_pg_dir + USER_PGD_PTRS,
3505 ++ min_t(unsigned long, KERNEL_PGD_PTRS, USER_PGD_PTRS));
3506 +
3507 + /*
3508 + * Use `swapper_pg_dir' as our page directory.
3509 +@@ -249,7 +248,7 @@ void machine_real_restart(unsigned char
3510 + REBOOT.COM programs, and the previous reset routine did this
3511 + too. */
3512 +
3513 +- *((unsigned short *)0x472) = reboot_mode;
3514 ++ *(unsigned short *)(__va(0x472)) = reboot_mode;
3515 +
3516 + /* For the switch to real mode, copy some code to low memory. It has
3517 + to be in the first 64k because it is running in 16-bit mode, and it
3518 +@@ -257,9 +256,8 @@ void machine_real_restart(unsigned char
3519 + off paging. Copy it near the end of the first page, out of the way
3520 + of BIOS variables. */
3521 +
3522 +- memcpy ((void *) (0x1000 - sizeof (real_mode_switch) - 100),
3523 +- real_mode_switch, sizeof (real_mode_switch));
3524 +- memcpy ((void *) (0x1000 - 100), code, length);
3525 ++ memcpy(__va(0x1000 - sizeof (real_mode_switch) - 100), real_mode_switch, sizeof (real_mode_switch));
3526 ++ memcpy(__va(0x1000 - 100), code, length);
3527 +
3528 + /* Set up the IDT for real mode. */
3529 +
3530 +@@ -345,7 +343,7 @@ static void native_machine_emergency_res
3531 + __asm__ __volatile__("int3");
3532 + }
3533 + /* rebooting needs to touch the page at absolute addr 0 */
3534 +- *((unsigned short *)__va(0x472)) = reboot_mode;
3535 ++ *(unsigned short *)(__va(0x472)) = reboot_mode;
3536 + for (;;) {
3537 + mach_reboot_fixups(); /* for board specific fixups */
3538 + mach_reboot();
3539 +diff -Nurp linux-2.6.23.15/arch/i386/kernel/setup.c linux-2.6.23.15-grsec/arch/i386/kernel/setup.c
3540 +--- linux-2.6.23.15/arch/i386/kernel/setup.c 2007-10-09 21:31:38.000000000 +0100
3541 ++++ linux-2.6.23.15-grsec/arch/i386/kernel/setup.c 2008-02-11 10:37:44.000000000 +0000
3542 +@@ -82,7 +82,11 @@ struct cpuinfo_x86 new_cpu_data __cpuini
3543 + struct cpuinfo_x86 boot_cpu_data __read_mostly = { 0, 0, 0, 0, -1, 1, 0, 0, -1 };
3544 + EXPORT_SYMBOL(boot_cpu_data);
3545 +
3546 ++#ifdef CONFIG_X86_PAE
3547 ++unsigned long mmu_cr4_features = X86_CR4_PAE;
3548 ++#else
3549 + unsigned long mmu_cr4_features;
3550 ++#endif
3551 +
3552 + /* for MCA, but anyone else can use it if they want */
3553 + unsigned int machine_id;
3554 +@@ -395,8 +399,8 @@ void __init setup_bootmem_allocator(void
3555 + * the (very unlikely) case of us accidentally initializing the
3556 + * bootmem allocator with an invalid RAM area.
3557 + */
3558 +- reserve_bootmem(__pa_symbol(_text), (PFN_PHYS(min_low_pfn) +
3559 +- bootmap_size + PAGE_SIZE-1) - __pa_symbol(_text));
3560 ++ reserve_bootmem(LOAD_PHYSICAL_ADDR, (PFN_PHYS(min_low_pfn) +
3561 ++ bootmap_size + PAGE_SIZE-1) - LOAD_PHYSICAL_ADDR);
3562 +
3563 + /*
3564 + * reserve physical page 0 - it's a special BIOS page on many boxes,
3565 +@@ -549,14 +553,14 @@ void __init setup_arch(char **cmdline_p)
3566 +
3567 + if (!MOUNT_ROOT_RDONLY)
3568 + root_mountflags &= ~MS_RDONLY;
3569 +- init_mm.start_code = (unsigned long) _text;
3570 +- init_mm.end_code = (unsigned long) _etext;
3571 ++ init_mm.start_code = (unsigned long) _text + __KERNEL_TEXT_OFFSET;
3572 ++ init_mm.end_code = (unsigned long) _etext + __KERNEL_TEXT_OFFSET;
3573 + init_mm.end_data = (unsigned long) _edata;
3574 + init_mm.brk = init_pg_tables_end + PAGE_OFFSET;
3575 +
3576 +- code_resource.start = virt_to_phys(_text);
3577 +- code_resource.end = virt_to_phys(_etext)-1;
3578 +- data_resource.start = virt_to_phys(_etext);
3579 ++ code_resource.start = virt_to_phys(_text + __KERNEL_TEXT_OFFSET);
3580 ++ code_resource.end = virt_to_phys(_etext + __KERNEL_TEXT_OFFSET)-1;
3581 ++ data_resource.start = virt_to_phys(_data);
3582 + data_resource.end = virt_to_phys(_edata)-1;
3583 +
3584 + parse_early_param();
3585 +@@ -651,3 +655,23 @@ void __init setup_arch(char **cmdline_p)
3586 + #endif
3587 + #endif
3588 + }
3589 ++
3590 ++unsigned long __per_cpu_offset[NR_CPUS] __read_only;
3591 ++
3592 ++EXPORT_SYMBOL(__per_cpu_offset);
3593 ++
3594 ++void __init setup_per_cpu_areas(void)
3595 ++{
3596 ++ unsigned long size, i;
3597 ++ char *ptr;
3598 ++
3599 ++ /* Copy section for each CPU (we discard the original) */
3600 ++ size = ALIGN(PERCPU_ENOUGH_ROOM, PAGE_SIZE);
3601 ++ ptr = alloc_bootmem_pages(size * num_possible_cpus());
3602 ++
3603 ++ for_each_possible_cpu(i) {
3604 ++ __per_cpu_offset[i] = (unsigned long)ptr;
3605 ++ memcpy(ptr, __per_cpu_start, __per_cpu_end - __per_cpu_start);
3606 ++ ptr += size;
3607 ++ }
3608 ++}
3609 +diff -Nurp linux-2.6.23.15/arch/i386/kernel/signal.c linux-2.6.23.15-grsec/arch/i386/kernel/signal.c
3610 +--- linux-2.6.23.15/arch/i386/kernel/signal.c 2007-10-09 21:31:38.000000000 +0100
3611 ++++ linux-2.6.23.15-grsec/arch/i386/kernel/signal.c 2008-02-11 10:37:44.000000000 +0000
3612 +@@ -357,9 +357,9 @@ static int setup_frame(int sig, struct k
3613 + }
3614 +
3615 + if (current->binfmt->hasvdso)
3616 +- restorer = (void *)VDSO_SYM(&__kernel_sigreturn);
3617 ++ restorer = (void __user *)VDSO_SYM(&__kernel_sigreturn);
3618 + else
3619 +- restorer = (void *)&frame->retcode;
3620 ++ restorer = (void __user *)&frame->retcode;
3621 + if (ka->sa.sa_flags & SA_RESTORER)
3622 + restorer = ka->sa.sa_restorer;
3623 +
3624 +@@ -455,7 +455,8 @@ static int setup_rt_frame(int sig, struc
3625 + goto give_sigsegv;
3626 +
3627 + /* Set up to return from userspace. */
3628 +- restorer = (void *)VDSO_SYM(&__kernel_rt_sigreturn);
3629 ++
3630 ++ restorer = (void __user *)VDSO_SYM(&__kernel_rt_sigreturn);
3631 + if (ka->sa.sa_flags & SA_RESTORER)
3632 + restorer = ka->sa.sa_restorer;
3633 + err |= __put_user(restorer, &frame->pretcode);
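Review bot: The replacement line in setup_rt_frame is preceded by a newly added empty line, which detaches the `/* Set up to return from userspace. */` comment from the assignment it documents; dropping that blank line keeps the comment attached to `restorer = (void __user *)VDSO_SYM(&__kernel_rt_sigreturn);` as it was in the original. setup_rt_frame begins and ends outside this hunk.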
3634 +@@ -588,7 +589,7 @@ static void fastcall do_signal(struct pt
3635 + * before reaching here, so testing against kernel
3636 + * CS suffices.
3637 + */
3638 +- if (!user_mode(regs))
3639 ++ if (!user_mode_novm(regs))
3640 + return;
3641 +
3642 + if (test_thread_flag(TIF_RESTORE_SIGMASK))
3643 +diff -Nurp linux-2.6.23.15/arch/i386/kernel/smp.c linux-2.6.23.15-grsec/arch/i386/kernel/smp.c
3644 +--- linux-2.6.23.15/arch/i386/kernel/smp.c 2007-10-09 21:31:38.000000000 +0100
3645 ++++ linux-2.6.23.15-grsec/arch/i386/kernel/smp.c 2008-02-11 10:37:44.000000000 +0000
3646 +@@ -104,7 +104,7 @@
3647 + * about nothing of note with C stepping upwards.
3648 + */
3649 +
3650 +-DEFINE_PER_CPU(struct tlb_state, cpu_tlbstate) ____cacheline_aligned = { &init_mm, 0, };
3651 ++DEFINE_PER_CPU(struct tlb_state, cpu_tlbstate) ____cacheline_aligned = { &init_mm, 0, {0} };
3652 +
3653 + /*
3654 + * the following functions deal with sending IPIs between CPUs.
3655 +diff -Nurp linux-2.6.23.15/arch/i386/kernel/smpboot.c linux-2.6.23.15-grsec/arch/i386/kernel/smpboot.c
3656 +--- linux-2.6.23.15/arch/i386/kernel/smpboot.c 2007-10-09 21:31:38.000000000 +0100
3657 ++++ linux-2.6.23.15-grsec/arch/i386/kernel/smpboot.c 2008-02-11 10:37:44.000000000 +0000
3658 +@@ -118,7 +118,7 @@ DEFINE_PER_CPU(int, cpu_state) = { 0 };
3659 + * has made sure it's suitably aligned.
3660 + */
3661 +
3662 +-static unsigned long __devinit setup_trampoline(void)
3663 ++static unsigned long __cpuinit setup_trampoline(void)
3664 + {
3665 + memcpy(trampoline_base, trampoline_data, trampoline_end - trampoline_data);
3666 + return virt_to_phys(trampoline_base);
3667 +@@ -772,6 +772,10 @@ static int __cpuinit do_boot_cpu(int api
3668 + unsigned long start_eip;
3669 + unsigned short nmi_high = 0, nmi_low = 0;
3670 +
3671 ++#ifdef CONFIG_PAX_KERNEXEC
3672 ++ unsigned long cr0;
3673 ++#endif
3674 ++
3675 + /*
3676 + * Save current MTRR state in case it was changed since early boot
3677 + * (e.g. by the ACPI SMI) to initialize new CPUs with MTRRs in sync:
3678 +@@ -788,7 +792,16 @@ static int __cpuinit do_boot_cpu(int api
3679 +
3680 + init_gdt(cpu);
3681 + per_cpu(current_task, cpu) = idle;
3682 +- early_gdt_descr.address = (unsigned long)get_cpu_gdt_table(cpu);
3683 ++
3684 ++#ifdef CONFIG_PAX_KERNEXEC
3685 ++ pax_open_kernel(cr0);
3686 ++#endif
3687 ++
3688 ++ early_gdt_descr.address = get_cpu_gdt_table(cpu);
3689 ++
3690 ++#ifdef CONFIG_PAX_KERNEXEC
3691 ++ pax_close_kernel(cr0);
3692 ++#endif
3693 +
3694 + idle->thread.eip = (unsigned long) start_secondary;
3695 + /* start_eip had better be page-aligned! */
3696 +@@ -1105,7 +1118,7 @@ static void __init smp_boot_cpus(unsigne
3697 + * construct cpu_sibling_map[], so that we can tell sibling CPUs
3698 + * efficiently.
3699 + */
3700 +- for (cpu = 0; cpu < NR_CPUS; cpu++) {
3701 ++ for_each_possible_cpu(cpu) {
3702 + cpus_clear(cpu_sibling_map[cpu]);
3703 + cpus_clear(cpu_core_map[cpu]);
3704 + }
3705 +diff -Nurp linux-2.6.23.15/arch/i386/kernel/smpcommon.c linux-2.6.23.15-grsec/arch/i386/kernel/smpcommon.c
3706 +--- linux-2.6.23.15/arch/i386/kernel/smpcommon.c 2007-10-09 21:31:38.000000000 +0100
3707 ++++ linux-2.6.23.15-grsec/arch/i386/kernel/smpcommon.c 2008-02-11 10:37:44.000000000 +0000
3708 +@@ -3,6 +3,7 @@
3709 + */
3710 + #include <linux/module.h>
3711 + #include <asm/smp.h>
3712 ++#include <asm/sections.h>
3713 +
3714 + DEFINE_PER_CPU(unsigned long, this_cpu_off);
3715 + EXPORT_PER_CPU_SYMBOL(this_cpu_off);
3716 +@@ -14,10 +15,29 @@ __cpuinit void init_gdt(int cpu)
3717 + {
3718 + struct desc_struct *gdt = get_cpu_gdt_table(cpu);
3719 +
3720 +- pack_descriptor((u32 *)&gdt[GDT_ENTRY_PERCPU].a,
3721 +- (u32 *)&gdt[GDT_ENTRY_PERCPU].b,
3722 +- __per_cpu_offset[cpu], 0xFFFFF,
3723 +- 0x80 | DESCTYPE_S | 0x2, 0x8);
3724 ++#ifdef CONFIG_PAX_KERNEXEC
3725 ++ unsigned long cr0;
3726 ++
3727 ++ pax_open_kernel(cr0);
3728 ++#endif
3729 ++
3730 ++ if (cpu)
3731 ++ memcpy(gdt, cpu_gdt_table, GDT_SIZE);
3732 ++
3733 ++ if (PERCPU_ENOUGH_ROOM <= 64*1024*1024)
3734 ++ pack_descriptor((__u32 *)&gdt[GDT_ENTRY_PERCPU].a,
3735 ++ (__u32 *)&gdt[GDT_ENTRY_PERCPU].b,
3736 ++ __per_cpu_offset[cpu], PERCPU_ENOUGH_ROOM-1,
3737 ++ 0x80 | DESCTYPE_S | 0x3, 0x4);
3738 ++ else
3739 ++ pack_descriptor((__u32 *)&gdt[GDT_ENTRY_PERCPU].a,
3740 ++ (__u32 *)&gdt[GDT_ENTRY_PERCPU].b,
3741 ++ __per_cpu_offset[cpu], ((PERCPU_ENOUGH_ROOM-1) >> PAGE_SHIFT),
3742 ++ 0x80 | DESCTYPE_S | 0x3, 0xC);
3743 ++
3744 ++#ifdef CONFIG_PAX_KERNEXEC
3745 ++ pax_close_kernel(cr0);
3746 ++#endif
3747 +
3748 + per_cpu(this_cpu_off, cpu) = __per_cpu_offset[cpu];
3749 + per_cpu(cpu_number, cpu) = cpu;
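Review bot: The selector `if (PERCPU_ENOUGH_ROOM <= 64*1024*1024)` does not match the descriptor format it picks: with flags `0x4` (byte granularity) the limit that pack_descriptor packs is a 20-bit field, so any PERCPU_ENOUGH_ROOM between 1 MiB and 64 MiB would have `PERCPU_ENOUGH_ROOM-1` silently truncated, while the page-granular `0xC` form is only chosen above 64 MiB. The threshold should be the 20-bit limit, e.g. `if (PERCPU_ENOUGH_ROOM <= (1UL << 20))`, and a one-line comment naming the byte/page granularity split would make the two otherwise identical calls readable. In this kernel PERCPU_ENOUGH_ROOM is presumably far below 1 MiB so the first branch is the one actually taken, but the constant is still wrong. init_gdt continues outside this hunk.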
3750 +diff -Nurp linux-2.6.23.15/arch/i386/kernel/sys_i386.c linux-2.6.23.15-grsec/arch/i386/kernel/sys_i386.c
3751 +--- linux-2.6.23.15/arch/i386/kernel/sys_i386.c 2007-10-09 21:31:38.000000000 +0100
3752 ++++ linux-2.6.23.15-grsec/arch/i386/kernel/sys_i386.c 2008-02-11 10:37:44.000000000 +0000
3753 +@@ -41,6 +41,21 @@ asmlinkage int sys_pipe(unsigned long __
3754 + return error;
3755 + }
3756 +
3757 ++int i386_mmap_check(unsigned long addr, unsigned long len, unsigned long flags)
3758 ++{
3759 ++ unsigned long task_size = TASK_SIZE;
3760 ++
3761 ++#ifdef CONFIG_PAX_SEGMEXEC
3762 ++ if (current->mm->pax_flags & MF_PAX_SEGMEXEC)
3763 ++ task_size = SEGMEXEC_TASK_SIZE;
3764 ++#endif
3765 ++
3766 ++ if (len > task_size || addr > task_size - len)
3767 ++ return -EINVAL;
3768 ++
3769 ++ return 0;
3770 ++}
3771 ++
3772 + asmlinkage long sys_mmap2(unsigned long addr, unsigned long len,
3773 + unsigned long prot, unsigned long flags,
3774 + unsigned long fd, unsigned long pgoff)
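Review bot: `i386_mmap_check` has no comment stating its contract, and its `flags` parameter is unused in the body. A header comment such as `/* Reject a mapping whose [addr, addr+len) would extend past the task's address space; under SEGMEXEC the usable range is SEGMEXEC_TASK_SIZE. Returns 0 or -EINVAL. */` would cover it, and since `addr > task_size - len` cannot wrap once `len > task_size` has been rejected, that ordering is worth noting in the comment so nobody "simplifies" it into `addr + len > task_size`.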
3775 +@@ -100,6 +115,205 @@ out:
3776 + return err;
3777 + }
3778 +
3779 ++unsigned long
3780 ++arch_get_unmapped_area(struct file *filp, unsigned long addr,
3781 ++ unsigned long len, unsigned long pgoff, unsigned long flags)
3782 ++{
3783 ++ struct mm_struct *mm = current->mm;
3784 ++ struct vm_area_struct *vma;
3785 ++ unsigned long start_addr, task_size = TASK_SIZE;
3786 ++
3787 ++#ifdef CONFIG_PAX_SEGMEXEC
3788 ++ if (mm->pax_flags & MF_PAX_SEGMEXEC)
3789 ++ task_size = SEGMEXEC_TASK_SIZE;
3790 ++#endif
3791 ++
3792 ++ if (len > task_size)
3793 ++ return -ENOMEM;
3794 ++
3795 ++ if (flags & MAP_FIXED)
3796 ++ return addr;
3797 ++
3798 ++#ifdef CONFIG_PAX_RANDMMAP
3799 ++ if (!(mm->pax_flags & MF_PAX_RANDMMAP) || !filp)
3800 ++#endif
3801 ++
3802 ++ if (addr) {
3803 ++ addr = PAGE_ALIGN(addr);
3804 ++ vma = find_vma(mm, addr);
3805 ++ if (task_size - len >= addr &&
3806 ++ (!vma || addr + len <= vma->vm_start))
3807 ++ return addr;
3808 ++ }
3809 ++ if (len > mm->cached_hole_size) {
3810 ++ start_addr = addr = mm->free_area_cache;
3811 ++ } else {
3812 ++ start_addr = addr = mm->mmap_base;
3813 ++ mm->cached_hole_size = 0;
3814 ++ }
3815 ++
3816 ++#ifdef CONFIG_PAX_PAGEEXEC
3817 ++ if (!nx_enabled && (mm->pax_flags & MF_PAX_PAGEEXEC) && (flags & MAP_EXECUTABLE) && start_addr >= mm->mmap_base) {
3818 ++ start_addr = 0x00110000UL;
3819 ++
3820 ++#ifdef CONFIG_PAX_RANDMMAP
3821 ++ if (mm->pax_flags & MF_PAX_RANDMMAP)
3822 ++ start_addr += mm->delta_mmap & 0x03FFF000UL;
3823 ++#endif
3824 ++
3825 ++ if (mm->start_brk <= start_addr && start_addr < mm->mmap_base)
3826 ++ start_addr = addr = mm->mmap_base;
3827 ++ else
3828 ++ addr = start_addr;
3829 ++ }
3830 ++#endif
3831 ++
3832 ++full_search:
3833 ++ for (vma = find_vma(mm, addr); ; vma = vma->vm_next) {
3834 ++ /* At this point: (!vma || addr < vma->vm_end). */
3835 ++ if (task_size - len < addr) {
3836 ++ /*
3837 ++ * Start a new search - just in case we missed
3838 ++ * some holes.
3839 ++ */
3840 ++ if (start_addr != mm->mmap_base) {
3841 ++ start_addr = addr = mm->mmap_base;
3842 ++ mm->cached_hole_size = 0;
3843 ++ goto full_search;
3844 ++ }
3845 ++ return -ENOMEM;
3846 ++ }
3847 ++ if (!vma || addr + len <= vma->vm_start) {
3848 ++ /*
3849 ++ * Remember the place where we stopped the search:
3850 ++ */
3851 ++ mm->free_area_cache = addr + len;
3852 ++ return addr;
3853 ++ }
3854 ++ if (addr + mm->cached_hole_size < vma->vm_start)
3855 ++ mm->cached_hole_size = vma->vm_start - addr;
3856 ++ addr = vma->vm_end;
3857 ++ if (mm->start_brk <= addr && addr < mm->mmap_base) {
3858 ++ start_addr = addr = mm->mmap_base;
3859 ++ mm->cached_hole_size = 0;
3860 ++ goto full_search;
3861 ++ }
3862 ++ }
3863 ++}
3864 ++
3865 ++unsigned long
3866 ++arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
3867 ++ const unsigned long len, const unsigned long pgoff,
3868 ++ const unsigned long flags)
3869 ++{
3870 ++ struct vm_area_struct *vma;
3871 ++ struct mm_struct *mm = current->mm;
3872 ++ unsigned long base = mm->mmap_base, addr = addr0, task_size = TASK_SIZE;
3873 ++
3874 ++#ifdef CONFIG_PAX_SEGMEXEC
3875 ++ if (mm->pax_flags & MF_PAX_SEGMEXEC)
3876 ++ task_size = SEGMEXEC_TASK_SIZE;
3877 ++#endif
3878 ++
3879 ++ /* requested length too big for entire address space */
3880 ++ if (len > task_size)
3881 ++ return -ENOMEM;
3882 ++
3883 ++ if (flags & MAP_FIXED)
3884 ++ return addr;
3885 ++
3886 ++#ifdef CONFIG_PAX_PAGEEXEC
3887 ++ if (!nx_enabled && (mm->pax_flags & MF_PAX_PAGEEXEC) && (flags & MAP_EXECUTABLE))
3888 ++ goto bottomup;
3889 ++#endif
3890 ++
3891 ++#ifdef CONFIG_PAX_RANDMMAP
3892 ++ if (!(mm->pax_flags & MF_PAX_RANDMMAP) || !filp)
3893 ++#endif
3894 ++
3895 ++ /* requesting a specific address */
3896 ++ if (addr) {
3897 ++ addr = PAGE_ALIGN(addr);
3898 ++ vma = find_vma(mm, addr);
3899 ++ if (task_size - len >= addr &&
3900 ++ (!vma || addr + len <= vma->vm_start))
3901 ++ return addr;
3902 ++ }
3903 ++
3904 ++ /* check if free_area_cache is useful for us */
3905 ++ if (len <= mm->cached_hole_size) {
3906 ++ mm->cached_hole_size = 0;
3907 ++ mm->free_area_cache = mm->mmap_base;
3908 ++ }
3909 ++
3910 ++ /* either no address requested or can't fit in requested address hole */
3911 ++ addr = mm->free_area_cache;
3912 ++
3913 ++ /* make sure it can fit in the remaining address space */
3914 ++ if (addr > len) {
3915 ++ vma = find_vma(mm, addr-len);
3916 ++ if (!vma || addr <= vma->vm_start)
3917 ++ /* remember the address as a hint for next time */
3918 ++ return (mm->free_area_cache = addr-len);
3919 ++ }
3920 ++
3921 ++ if (mm->mmap_base < len)
3922 ++ goto bottomup;
3923 ++
3924 ++ addr = mm->mmap_base-len;
3925 ++
3926 ++ do {
3927 ++ /*
3928 ++ * Lookup failure means no vma is above this address,
3929 ++ * else if new region fits below vma->vm_start,
3930 ++ * return with success:
3931 ++ */
3932 ++ vma = find_vma(mm, addr);
3933 ++ if (!vma || addr+len <= vma->vm_start)
3934 ++ /* remember the address as a hint for next time */
3935 ++ return (mm->free_area_cache = addr);
3936 ++
3937 ++ /* remember the largest hole we saw so far */
3938 ++ if (addr + mm->cached_hole_size < vma->vm_start)
3939 ++ mm->cached_hole_size = vma->vm_start - addr;
3940 ++
3941 ++ /* try just below the current vma->vm_start */
3942 ++ addr = vma->vm_start-len;
3943 ++ } while (len < vma->vm_start);
3944 ++
3945 ++bottomup:
3946 ++ /*
3947 ++ * A failed mmap() very likely causes application failure,
3948 ++ * so fall back to the bottom-up function here. This scenario
3949 ++ * can happen with large stack limits and large mmap()
3950 ++ * allocations.
3951 ++ */
3952 ++
3953 ++#ifdef CONFIG_PAX_SEGMEXEC
3954 ++ if (mm->pax_flags & MF_PAX_SEGMEXEC)
3955 ++ mm->mmap_base = SEGMEXEC_TASK_UNMAPPED_BASE;
3956 ++ else
3957 ++#endif
3958 ++
3959 ++ mm->mmap_base = TASK_UNMAPPED_BASE;
3960 ++
3961 ++#ifdef CONFIG_PAX_RANDMMAP
3962 ++ if (mm->pax_flags & MF_PAX_RANDMMAP)
3963 ++ mm->mmap_base += mm->delta_mmap;
3964 ++#endif
3965 ++
3966 ++ mm->free_area_cache = mm->mmap_base;
3967 ++ mm->cached_hole_size = ~0UL;
3968 ++ addr = arch_get_unmapped_area(filp, addr0, len, pgoff, flags);
3969 ++ /*
3970 ++ * Restore the topdown base:
3971 ++ */
3972 ++ mm->mmap_base = base;
3973 ++ mm->free_area_cache = base;
3974 ++ mm->cached_hole_size = ~0UL;
3975 ++
3976 ++ return addr;
3977 ++}
3978 +
3979 + struct sel_arg_struct {
3980 + unsigned long n;
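Review bot: In arch_get_unmapped_area the `#ifdef CONFIG_PAX_RANDMMAP` condition `if (!(mm->pax_flags & MF_PAX_RANDMMAP) || !filp)` has no braces and is separated from the `if (addr) {` block it governs by an `#endif` and a blank line, so the dependency is invisible to a reader and any statement later inserted between them would silently change what the condition controls; the same pattern appears in arch_get_unmapped_area_topdown just before the `/* requesting a specific address */` comment. Wrapping the governed block in its own braces (`#endif` then `{` before `if (addr) {`, and a matching `}` after its closing brace) makes the structure explicit under both configurations. The literals `0x00110000UL` and `0x03FFF000UL` in the PAGEEXEC branch would also benefit from named constants or a comment saying what they represent.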
3981 +diff -Nurp linux-2.6.23.15/arch/i386/kernel/syscall_table.S linux-2.6.23.15-grsec/arch/i386/kernel/syscall_table.S
3982 +--- linux-2.6.23.15/arch/i386/kernel/syscall_table.S 2007-10-09 21:31:38.000000000 +0100
3983 ++++ linux-2.6.23.15-grsec/arch/i386/kernel/syscall_table.S 2008-02-11 10:37:44.000000000 +0000
3984 +@@ -1,3 +1,4 @@
3985 ++.section .rodata,"a",@progbits
3986 + ENTRY(sys_call_table)
3987 + .long sys_restart_syscall /* 0 - old "setup()" system call, used for restarting */
3988 + .long sys_exit
3989 +diff -Nurp linux-2.6.23.15/arch/i386/kernel/sysenter.c linux-2.6.23.15-grsec/arch/i386/kernel/sysenter.c
3990 +--- linux-2.6.23.15/arch/i386/kernel/sysenter.c 2007-10-09 21:31:38.000000000 +0100
3991 ++++ linux-2.6.23.15-grsec/arch/i386/kernel/sysenter.c 2008-02-11 10:37:44.000000000 +0000
3992 +@@ -177,7 +177,7 @@ static __init void relocate_vdso(Elf32_E
3993 + void enable_sep_cpu(void)
3994 + {
3995 + int cpu = get_cpu();
3996 +- struct tss_struct *tss = &per_cpu(init_tss, cpu);
3997 ++ struct tss_struct *tss = init_tss + cpu;
3998 +
3999 + if (!boot_cpu_has(X86_FEATURE_SEP)) {
4000 + put_cpu();
4001 +@@ -200,7 +200,7 @@ static int __init gate_vma_init(void)
4002 + gate_vma.vm_start = FIXADDR_USER_START;
4003 + gate_vma.vm_end = FIXADDR_USER_END;
4004 + gate_vma.vm_flags = VM_READ | VM_MAYREAD | VM_EXEC | VM_MAYEXEC;
4005 +- gate_vma.vm_page_prot = __P101;
4006 ++ gate_vma.vm_page_prot = vm_get_page_prot(gate_vma.vm_flags);
4007 + /*
4008 + * Make sure the vDSO gets into every core dump.
4009 + * Dumping its contents makes post-mortem fully interpretable later
4010 +@@ -283,7 +283,7 @@ int arch_setup_additional_pages(struct l
4011 + if (compat)
4012 + addr = VDSO_HIGH_BASE;
4013 + else {
4014 +- addr = get_unmapped_area(NULL, 0, PAGE_SIZE, 0, 0);
4015 ++ addr = get_unmapped_area(NULL, 0, PAGE_SIZE, 0, MAP_EXECUTABLE);
4016 + if (IS_ERR_VALUE(addr)) {
4017 + ret = addr;
4018 + goto up_fail;
4019 +@@ -308,7 +308,7 @@ int arch_setup_additional_pages(struct l
4020 + goto up_fail;
4021 + }
4022 +
4023 +- current->mm->context.vdso = (void *)addr;
4024 ++ current->mm->context.vdso = addr;
4025 + current_thread_info()->sysenter_return =
4026 + (void *)VDSO_SYM(&SYSENTER_RETURN);
4027 +
4028 +@@ -320,8 +320,14 @@ int arch_setup_additional_pages(struct l
4029 +
4030 + const char *arch_vma_name(struct vm_area_struct *vma)
4031 + {
4032 +- if (vma->vm_mm && vma->vm_start == (long)vma->vm_mm->context.vdso)
4033 ++ if (vma->vm_mm && vma->vm_start == vma->vm_mm->context.vdso)
4034 + return "[vdso]";
4035 ++
4036 ++#ifdef CONFIG_PAX_SEGMEXEC
4037 ++ if (vma->vm_mm && vma->vm_mirror && vma->vm_mirror->vm_start == vma->vm_mm->context.vdso)
4038 ++ return "[vdso]";
4039 ++#endif
4040 ++
4041 + return NULL;
4042 + }
4043 +
4044 +@@ -330,7 +336,7 @@ struct vm_area_struct *get_gate_vma(stru
4045 + struct mm_struct *mm = tsk->mm;
4046 +
4047 + /* Check to see if this task was created in compat vdso mode */
4048 +- if (mm && mm->context.vdso == (void *)VDSO_HIGH_BASE)
4049 ++ if (mm && mm->context.vdso == VDSO_HIGH_BASE)
4050 + return &gate_vma;
4051 + return NULL;
4052 + }
4053 +diff -Nurp linux-2.6.23.15/arch/i386/kernel/time.c linux-2.6.23.15-grsec/arch/i386/kernel/time.c
4054 +--- linux-2.6.23.15/arch/i386/kernel/time.c 2007-10-09 21:31:38.000000000 +0100
4055 ++++ linux-2.6.23.15-grsec/arch/i386/kernel/time.c 2008-02-11 10:37:44.000000000 +0000
4056 +@@ -132,20 +132,30 @@ unsigned long profile_pc(struct pt_regs
4057 + if (!v8086_mode(regs) && SEGMENT_IS_KERNEL_CODE(regs->xcs) &&
4058 + in_lock_functions(pc)) {
4059 + #ifdef CONFIG_FRAME_POINTER
4060 +- return *(unsigned long *)(regs->ebp + 4);
4061 ++ return *(unsigned long *)(regs->ebp + 4) + __KERNEL_TEXT_OFFSET;
4062 + #else
4063 + unsigned long *sp = (unsigned long *)&regs->esp;
4064 +
4065 + /* Return address is either directly at stack pointer
4066 + or above a saved eflags. Eflags has bits 22-31 zero,
4067 + kernel addresses don't. */
4068 ++
4069 ++#ifdef CONFIG_PAX_KERNEXEC
4070 ++ return sp[0] + __KERNEL_TEXT_OFFSET;
4071 ++#else
4072 + if (sp[0] >> 22)
4073 + return sp[0];
4074 + if (sp[1] >> 22)
4075 + return sp[1];
4076 + #endif
4077 ++
4078 ++#endif
4079 + }
4080 + #endif
4081 ++
4082 ++ if (!v8086_mode(regs) && SEGMENT_IS_KERNEL_CODE(regs->xcs))
4083 ++ pc += __KERNEL_TEXT_OFFSET;
4084 ++
4085 + return pc;
4086 + }
4087 + EXPORT_SYMBOL(profile_pc);
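Review bot: The comment `Return address is either directly at stack pointer or above a saved eflags. Eflags has bits 22-31 zero, kernel addresses don't.` now sits above a `CONFIG_PAX_KERNEXEC` branch that skips that very test and returns `sp[0] + __KERNEL_TEXT_OFFSET` unconditionally, so under that configuration the comment no longer describes the code. Presumably the bits-22-31 heuristic cannot be applied because the saved addresses are offset by __KERNEL_TEXT_OFFSET under KERNEXEC; if so, say it in the new branch: `/* KERNEXEC: saved addresses are not PAGE_OFFSET-based, so the eflags heuristic above does not apply; take the return address at sp[0]. */`. profile_pc begins outside this hunk.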
4088 +diff -Nurp linux-2.6.23.15/arch/i386/kernel/traps.c linux-2.6.23.15-grsec/arch/i386/kernel/traps.c
4089 +--- linux-2.6.23.15/arch/i386/kernel/traps.c 2007-10-09 21:31:38.000000000 +0100
4090 ++++ linux-2.6.23.15-grsec/arch/i386/kernel/traps.c 2008-02-11 10:37:44.000000000 +0000
4091 +@@ -31,6 +31,7 @@
4092 + #include <linux/uaccess.h>
4093 + #include <linux/nmi.h>
4094 + #include <linux/bug.h>
4095 ++#include <linux/binfmts.h>
4096 +
4097 + #ifdef CONFIG_EISA
4098 + #include <linux/ioport.h>
4099 +@@ -70,12 +71,7 @@ asmlinkage int system_call(void);
4100 + /* Do we ignore FPU interrupts ? */
4101 + char ignore_fpu_irq = 0;
4102 +
4103 +-/*
4104 +- * The IDT has to be page-aligned to simplify the Pentium
4105 +- * F0 0F bug workaround.. We have a special link segment
4106 +- * for this.
4107 +- */
4108 +-struct desc_struct idt_table[256] __attribute__((__section__(".data.idt"))) = { {0, 0}, };
4109 ++extern struct desc_struct idt_table[256];
4110 +
4111 + asmlinkage void divide_error(void);
4112 + asmlinkage void debug(void);
4113 +@@ -297,7 +293,7 @@ void show_registers(struct pt_regs *regs
4114 + esp = (unsigned long) (&regs->esp);
4115 + savesegment(ss, ss);
4116 + savesegment(gs, gs);
4117 +- if (user_mode_vm(regs)) {
4118 ++ if (user_mode(regs)) {
4119 + in_kernel = 0;
4120 + esp = regs->esp;
4121 + ss = regs->xss & 0xffff;
4122 +@@ -329,17 +325,18 @@ void show_registers(struct pt_regs *regs
4123 + unsigned int code_prologue = code_bytes * 43 / 64;
4124 + unsigned int code_len = code_bytes;
4125 + unsigned char c;
4126 ++ unsigned long cs_base = get_desc_base(&get_cpu_gdt_table(smp_processor_id())[(0xffff & regs->xcs) >> 3]);
4127 +
4128 + printk("\n" KERN_EMERG "Stack: ");
4129 + show_stack_log_lvl(NULL, regs, (unsigned long *)esp, KERN_EMERG);
4130 +
4131 + printk(KERN_EMERG "Code: ");
4132 +
4133 +- eip = (u8 *)regs->eip - code_prologue;
4134 ++ eip = (u8 *)regs->eip - code_prologue + cs_base;
4135 + if (eip < (u8 *)PAGE_OFFSET ||
4136 + probe_kernel_address(eip, c)) {
4137 + /* try starting at EIP */
4138 +- eip = (u8 *)regs->eip;
4139 ++ eip = (u8 *)regs->eip + cs_base;
4140 + code_len = code_len - code_prologue + 1;
4141 + }
4142 + for (i = 0; i < code_len; i++, eip++) {
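Review bot: `cs_base` is computed by indexing the GDT with `(0xffff & regs->xcs) >> 3` without checking the selector's TI bit or bounding the index, and show_registers runs on oops paths where `regs->xcs` can hold an arbitrary value, so an LDT selector or a large index reads past the GDT while the code bytes are being printed. Initialise it to zero and look the segment up only for an in-range GDT selector: `unsigned long cs_base = 0;` in the declarations, then after them `if (!(regs->xcs & 4) && ((regs->xcs & 0xffff) >> 3) < GDT_ENTRIES)` / `cs_base = get_desc_base(&get_cpu_gdt_table(smp_processor_id())[(regs->xcs & 0xffff) >> 3]);`. show_registers begins in an earlier hunk and continues beyond this one.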
4143 +@@ -348,7 +345,7 @@ void show_registers(struct pt_regs *regs
4144 + printk(" Bad EIP value.");
4145 + break;
4146 + }
4147 +- if (eip == (u8 *)regs->eip)
4148 ++ if (eip == (u8 *)regs->eip + cs_base)
4149 + printk("<%02x> ", c);
4150 + else
4151 + printk("%02x ", c);
4152 +@@ -361,6 +358,7 @@ int is_valid_bugaddr(unsigned long eip)
4153 + {
4154 + unsigned short ud2;
4155 +
4156 ++ eip += __KERNEL_TEXT_OFFSET;
4157 + if (eip < PAGE_OFFSET)
4158 + return 0;
4159 + if (probe_kernel_address((unsigned short *)eip, ud2))
4160 +@@ -468,7 +466,7 @@ void die(const char * str, struct pt_reg
4161 +
4162 + static inline void die_if_kernel(const char * str, struct pt_regs * regs, long err)
4163 + {
4164 +- if (!user_mode_vm(regs))
4165 ++ if (!user_mode(regs))
4166 + die(str, regs, err);
4167 + }
4168 +
4169 +@@ -484,7 +482,7 @@ static void __kprobes do_trap(int trapnr
4170 + goto trap_signal;
4171 + }
4172 +
4173 +- if (!user_mode(regs))
4174 ++ if (!user_mode_novm(regs))
4175 + goto kernel_trap;
4176 +
4177 + trap_signal: {
4178 +@@ -589,7 +587,7 @@ fastcall void __kprobes do_general_prote
4179 + long error_code)
4180 + {
4181 + int cpu = get_cpu();
4182 +- struct tss_struct *tss = &per_cpu(init_tss, cpu);
4183 ++ struct tss_struct *tss = &init_tss[cpu];
4184 + struct thread_struct *thread = &current->thread;
4185 +
4186 + /*
4187 +@@ -622,9 +620,25 @@ fastcall void __kprobes do_general_prote
4188 + if (regs->eflags & VM_MASK)
4189 + goto gp_in_vm86;
4190 +
4191 +- if (!user_mode(regs))
4192 ++ if (!user_mode_novm(regs))
4193 + goto gp_in_kernel;
4194 +
4195 ++#ifdef CONFIG_PAX_PAGEEXEC
4196 ++ if (!nx_enabled && current->mm && (current->mm->pax_flags & MF_PAX_PAGEEXEC)) {
4197 ++ struct mm_struct *mm = current->mm;
4198 ++ unsigned long limit;
4199 ++
4200 ++ down_write(&mm->mmap_sem);
4201 ++ limit = mm->context.user_cs_limit;
4202 ++ if (limit < TASK_SIZE) {
4203 ++ track_exec_limit(mm, limit, TASK_SIZE, VM_EXEC);
4204 ++ up_write(&mm->mmap_sem);
4205 ++ return;
4206 ++ }
4207 ++ up_write(&mm->mmap_sem);
4208 ++ }
4209 ++#endif
4210 ++
4211 + current->thread.error_code = error_code;
4212 + current->thread.trap_no = 13;
4213 + if (show_unhandled_signals && unhandled_signal(current, SIGSEGV) &&
4214 +@@ -649,6 +663,13 @@ gp_in_kernel:
4215 + if (notify_die(DIE_GPF, "general protection fault", regs,
4216 + error_code, 13, SIGSEGV) == NOTIFY_STOP)
4217 + return;
4218 ++
4219 ++#ifdef CONFIG_PAX_KERNEXEC
4220 ++ if ((regs->xcs & 0xFFFF) == __KERNEL_CS)
4221 ++ die("PAX: suspicious general protection fault", regs, error_code);
4222 ++ else
4223 ++#endif
4224 ++
4225 + die("general protection fault", regs, error_code);
4226 + }
4227 + }
4228 +@@ -738,7 +759,7 @@ void __kprobes die_nmi(struct pt_regs *r
4229 + /* If we are in kernel we are probably nested up pretty bad
4230 + * and might aswell get out now while we still can.
4231 + */
4232 +- if (!user_mode_vm(regs)) {
4233 ++ if (!user_mode(regs)) {
4234 + current->thread.trap_no = 2;
4235 + crash_kexec(regs);
4236 + }
4237 +@@ -885,7 +906,7 @@ fastcall void __kprobes do_debug(struct
4238 + * check for kernel mode by just checking the CPL
4239 + * of CS.
4240 + */
4241 +- if (!user_mode(regs))
4242 ++ if (!user_mode_novm(regs))
4243 + goto clear_TF_reenable;
4244 + }
4245 +
4246 +@@ -1063,18 +1084,14 @@ fastcall void do_spurious_interrupt_bug(
4247 + fastcall unsigned long patch_espfix_desc(unsigned long uesp,
4248 + unsigned long kesp)
4249 + {
4250 +- struct desc_struct *gdt = __get_cpu_var(gdt_page).gdt;
4251 + unsigned long base = (kesp - uesp) & -THREAD_SIZE;
4252 + unsigned long new_kesp = kesp - base;
4253 + unsigned long lim_pages = (new_kesp | (THREAD_SIZE - 1)) >> PAGE_SHIFT;
4254 +- __u64 desc = *(__u64 *)&gdt[GDT_ENTRY_ESPFIX_SS];
4255 ++ __u32 a, b;
4256 ++
4257 + /* Set up base for espfix segment */
4258 +- desc &= 0x00f0ff0000000000ULL;
4259 +- desc |= ((((__u64)base) << 16) & 0x000000ffffff0000ULL) |
4260 +- ((((__u64)base) << 32) & 0xff00000000000000ULL) |
4261 +- ((((__u64)lim_pages) << 32) & 0x000f000000000000ULL) |
4262 +- (lim_pages & 0xffff);
4263 +- *(__u64 *)&gdt[GDT_ENTRY_ESPFIX_SS] = desc;
4264 ++ pack_descriptor(&a, &b, base, lim_pages, 0x93, 0xC);
4265 ++ write_gdt_entry(get_cpu_gdt_table(smp_processor_id()), GDT_ENTRY_ESPFIX_SS, a, b);
4266 + return new_kesp;
4267 + }
4268 +
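Review bot: `pack_descriptor(&a, &b, base, lim_pages, 0x93, 0xC)` at L4271 hard-codes the descriptor attribute bytes, whereas the removed code (L4265) masked them out of the existing GDT entry and preserved them, so the espfix segment's attributes are now fixed at this call site with no explanation. A comment keeps that decision reviewable: `/* type 0x93: present, DPL 0, writable data (accessed set); flags 0xC: 32-bit, page granularity */`, and named constants for these bits would be better still if the tree has them. `smp_processor_id()` here, like the former `__get_cpu_var`, relies on the caller having preemption disabled, which the hunk cannot show.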
4269 +@@ -1123,7 +1140,7 @@ void __init trap_init_f00f_bug(void)
4270 + * Update the IDT descriptor and reload the IDT so that
4271 + * it uses the read-only mapped virtual address.
4272 + */
4273 +- idt_descr.address = fix_to_virt(FIX_F00F_IDT);
4274 ++ idt_descr.address = (struct desc_struct *)fix_to_virt(FIX_F00F_IDT);
4275 + load_idt(&idt_descr);
4276 + }
4277 + #endif
4278 +diff -Nurp linux-2.6.23.15/arch/i386/kernel/tsc.c linux-2.6.23.15-grsec/arch/i386/kernel/tsc.c
4279 +--- linux-2.6.23.15/arch/i386/kernel/tsc.c 2008-02-11 10:36:03.000000000 +0000
4280 ++++ linux-2.6.23.15-grsec/arch/i386/kernel/tsc.c 2008-02-11 10:37:44.000000000 +0000
4281 +@@ -322,7 +322,7 @@ static struct dmi_system_id __initdata b
4282 + DMI_MATCH(DMI_BOARD_NAME, "2635FA0"),
4283 + },
4284 + },
4285 +- {}
4286 ++ { NULL, NULL, {{0, NULL}}, NULL}
4287 + };
4288 +
4289 + /*
4290 +diff -Nurp linux-2.6.23.15/arch/i386/kernel/vm86.c linux-2.6.23.15-grsec/arch/i386/kernel/vm86.c
4291 +--- linux-2.6.23.15/arch/i386/kernel/vm86.c 2007-10-09 21:31:38.000000000 +0100
4292 ++++ linux-2.6.23.15-grsec/arch/i386/kernel/vm86.c 2008-02-11 10:37:44.000000000 +0000
4293 +@@ -148,7 +148,7 @@ struct pt_regs * fastcall save_v86_state
4294 + do_exit(SIGSEGV);
4295 + }
4296 +
4297 +- tss = &per_cpu(init_tss, get_cpu());
4298 ++ tss = init_tss + get_cpu();
4299 + current->thread.esp0 = current->thread.saved_esp0;
4300 + current->thread.sysenter_cs = __KERNEL_CS;
4301 + load_esp0(tss, &current->thread);
4302 +@@ -324,7 +324,7 @@ static void do_sys_vm86(struct kernel_vm
4303 + tsk->thread.saved_fs = info->regs32->xfs;
4304 + savesegment(gs, tsk->thread.saved_gs);
4305 +
4306 +- tss = &per_cpu(init_tss, get_cpu());
4307 ++ tss = init_tss + get_cpu();
4308 + tsk->thread.esp0 = (unsigned long) &info->VM86_TSS_ESP0;
4309 + if (cpu_has_sep)
4310 + tsk->thread.sysenter_cs = 0;
4311 +diff -Nurp linux-2.6.23.15/arch/i386/kernel/vmi.c linux-2.6.23.15-grsec/arch/i386/kernel/vmi.c
4312 +--- linux-2.6.23.15/arch/i386/kernel/vmi.c 2007-10-09 21:31:38.000000000 +0100
4313 ++++ linux-2.6.23.15-grsec/arch/i386/kernel/vmi.c 2008-02-11 10:37:44.000000000 +0000
4314 +@@ -98,18 +98,43 @@ static unsigned patch_internal(int call,
4315 + {
4316 + u64 reloc;
4317 + struct vmi_relocation_info *const rel = (struct vmi_relocation_info *)&reloc;
4318 ++
4319 ++#ifdef CONFIG_PAX_KERNEXEC
4320 ++ unsigned long cr0;
4321 ++#endif
4322 ++
4323 + reloc = call_vrom_long_func(vmi_rom, get_reloc, call);
4324 + switch(rel->type) {
4325 + case VMI_RELOCATION_CALL_REL:
4326 + BUG_ON(len < 5);
4327 ++
4328 ++#ifdef CONFIG_PAX_KERNEXEC
4329 ++ pax_open_kernel(cr0);
4330 ++#endif
4331 ++
4332 + *(char *)insnbuf = MNEM_CALL;
4333 + patch_offset(insnbuf, eip, (unsigned long)rel->eip);
4334 ++
4335 ++#ifdef CONFIG_PAX_KERNEXEC
4336 ++ pax_close_kernel(cr0);
4337 ++#endif
4338 ++
4339 + return 5;
4340 +
4341 + case VMI_RELOCATION_JUMP_REL:
4342 + BUG_ON(len < 5);
4343 ++
4344 ++#ifdef CONFIG_PAX_KERNEXEC
4345 ++ pax_open_kernel(cr0);
4346 ++#endif
4347 ++
4348 + *(char *)insnbuf = MNEM_JMP;
4349 + patch_offset(insnbuf, eip, (unsigned long)rel->eip);
4350 ++
4351 ++#ifdef CONFIG_PAX_KERNEXEC
4352 ++ pax_close_kernel(cr0);
4353 ++#endif
4354 ++
4355 + return 5;
4356 +
4357 + case VMI_RELOCATION_NOP:
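Review bot: The `pax_open_kernel(cr0)` / `pax_close_kernel(cr0)` pairs at L4336/L4343 and L4352/L4359 bracket a one-byte write plus `patch_offset()`, and the two cases differ only in the mnemonic, so a small static helper taking the mnemonic would remove the duplicated four-`#ifdef` scaffolding and keep the write-protect window in one place. What `pax_open_kernel` does about preemption and interrupts while that window is open is not visible here; a comment on the first use, such as `/* kernel text is read-only under KERNEXEC; the open/close pair lifts write protection for this patch only */`, would document the contract the callers rely on. patch_internal's closing lines are outside the hunk.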
4358 +@@ -492,14 +517,14 @@ static void vmi_set_pud(pud_t *pudp, pud
4359 +
4360 + static void vmi_pte_clear(struct mm_struct *mm, unsigned long addr, pte_t *ptep)
4361 + {
4362 +- const pte_t pte = { 0 };
4363 ++ const pte_t pte = __pte(0ULL);
4364 + vmi_check_page_type(__pa(ptep) >> PAGE_SHIFT, VMI_PAGE_PTE);
4365 + vmi_ops.set_pte(pte, ptep, vmi_flags_addr(mm, addr, VMI_PAGE_PT, 0));
4366 + }
4367 +
4368 + static void vmi_pmd_clear(pmd_t *pmd)
4369 + {
4370 +- const pte_t pte = { 0 };
4371 ++ const pte_t pte = __pte(0ULL);
4372 + vmi_check_page_type(__pa(pmd) >> PAGE_SHIFT, VMI_PAGE_PMD);
4373 + vmi_ops.set_pte(pte, (pte_t *)pmd, VMI_PAGE_PD);
4374 + }
4375 +@@ -528,8 +553,8 @@ vmi_startup_ipi_hook(int phys_apicid, un
4376 + ap.ss = __KERNEL_DS;
4377 + ap.esp = (unsigned long) start_esp;
4378 +
4379 +- ap.ds = __USER_DS;
4380 +- ap.es = __USER_DS;
4381 ++ ap.ds = __KERNEL_DS;
4382 ++ ap.es = __KERNEL_DS;
4383 + ap.fs = __KERNEL_PERCPU;
4384 + ap.gs = 0;
4385 +
4386 +@@ -726,12 +751,20 @@ static inline int __init activate_vmi(vo
4387 + u64 reloc;
4388 + const struct vmi_relocation_info *rel = (struct vmi_relocation_info *)&reloc;
4389 +
4390 ++#ifdef CONFIG_PAX_KERNEXEC
4391 ++ unsigned long cr0;
4392 ++#endif
4393 ++
4394 + if (call_vrom_func(vmi_rom, vmi_init) != 0) {
4395 + printk(KERN_ERR "VMI ROM failed to initialize!");
4396 + return 0;
4397 + }
4398 + savesegment(cs, kernel_cs);
4399 +
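Review bot: `pax_open_kernel(cr0)` at L4408 has its matching `pax_close_kernel(cr0)` in the next hunk (L4419), roughly 180 source lines later, across the whole block of paravirt_ops assignments this diff does not show. Any `return` or `goto` added between the two would leave write protection lifted on the boot CPU, and nothing at either site says they belong together. A comment at the open site, `/* paravirt_ops is read-only under KERNEXEC; every exit from here must pass through pax_close_kernel() below */`, or an `out:` label that funnels exits through the close, would make the pairing explicit. activate_vmi's body extends beyond both hunks.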
4400 ++#ifdef CONFIG_PAX_KERNEXEC
4401 ++ pax_open_kernel(cr0);
4402 ++#endif
4403 ++
4404 + paravirt_ops.paravirt_enabled = 1;
4405 + paravirt_ops.kernel_rpl = kernel_cs & SEGMENT_RPL_MASK;
4406 +
4407 +@@ -910,6 +943,10 @@ static inline int __init activate_vmi(vo
4408 +
4409 + para_fill(safe_halt, Halt);
4410 +
4411 ++#ifdef CONFIG_PAX_KERNEXEC
4412 ++ pax_close_kernel(cr0);
4413 ++#endif
4414 ++
4415 + /*
4416 + * Alternative instruction rewriting doesn't happen soon enough
4417 + * to convert VMI_IRET to a call instead of a jump; so we have
4418 +diff -Nurp linux-2.6.23.15/arch/i386/kernel/vmlinux.lds.S linux-2.6.23.15-grsec/arch/i386/kernel/vmlinux.lds.S
4419 +--- linux-2.6.23.15/arch/i386/kernel/vmlinux.lds.S 2007-10-09 21:31:38.000000000 +0100
4420 ++++ linux-2.6.23.15-grsec/arch/i386/kernel/vmlinux.lds.S 2008-02-11 10:37:44.000000000 +0000
4421 +@@ -21,6 +21,13 @@
4422 + #include <asm/page.h>
4423 + #include <asm/cache.h>
4424 + #include <asm/boot.h>
4425 ++#include <asm/segment.h>
4426 ++
4427 ++#ifdef CONFIG_X86_PAE
4428 ++#define PMD_SHIFT 21
4429 ++#else
4430 ++#define PMD_SHIFT 22
4431 ++#endif
4432 +
4433 + OUTPUT_FORMAT("elf32-i386", "elf32-i386", "elf32-i386")
4434 + OUTPUT_ARCH(i386)
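Review bot: `PMD_SHIFT` is redefined locally at L4434–L4438 instead of being taken from the page-table headers, so the linker script's notion of the large-page size can silently diverge from the kernel's if the header value or the PAE selection changes. If including the header is not possible in linker-script context, a comment saying so and naming the definition that must stay in sync would at least flag the coupling: `/* must match PMD_SHIFT from the page-table headers, which cannot be included here */`.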
4435 +@@ -28,22 +35,124 @@ ENTRY(phys_startup_32)
4436 + jiffies = jiffies_64;
4437 +
4438 + PHDRS {
4439 +- text PT_LOAD FLAGS(5); /* R_E */
4440 +- data PT_LOAD FLAGS(7); /* RWE */
4441 +- note PT_NOTE FLAGS(0); /* ___ */
4442 ++ initdata PT_LOAD FLAGS(6); /* RW_ */
4443 ++ percpu PT_LOAD FLAGS(6); /* RW_ */
4444 ++ inittext PT_LOAD FLAGS(5); /* R_E */
4445 ++ text PT_LOAD FLAGS(5); /* R_E */
4446 ++ rodata PT_LOAD FLAGS(4); /* R__ */
4447 ++ data PT_LOAD FLAGS(6); /* RW_ */
4448 ++ note PT_NOTE FLAGS(0); /* ___ */
4449 + }
4450 + SECTIONS
4451 + {
4452 + . = LOAD_OFFSET + LOAD_PHYSICAL_ADDR;
4453 +- phys_startup_32 = startup_32 - LOAD_OFFSET;
4454 +
4455 +- .text.head : AT(ADDR(.text.head) - LOAD_OFFSET) {
4456 +- _text = .; /* Text and read-only data */
4457 ++ .text.startup : AT(ADDR(.text.startup) - LOAD_OFFSET) {
4458 ++ phys_startup_32 = startup_32 - LOAD_OFFSET + __KERNEL_TEXT_OFFSET;
4459 ++ *(.text.startup)
4460 ++ } :initdata
4461 ++
4462 ++ /* might get freed after init */
4463 ++ . = ALIGN(4096);
4464 ++ .smp_locks : AT(ADDR(.smp_locks) - LOAD_OFFSET) {
4465 ++ __smp_locks = .;
4466 ++ *(.smp_locks)
4467 ++ __smp_locks_end = .;
4468 ++ }
4469 ++ /* will be freed after init
4470 ++ * Following ALIGN() is required to make sure no other data falls on the
4471 ++ * same page where __smp_alt_end is pointing as that page might be freed
4472 ++ * after boot. Always make sure that ALIGN() directive is present after
4473 ++ * the section which contains __smp_alt_end.
4474 ++ */
4475 ++ . = ALIGN(4096);
4476 ++
4477 ++ /* will be freed after init */
4478 ++ .init.data : AT(ADDR(.init.data) - LOAD_OFFSET) {
4479 ++ __init_begin = .;
4480 ++ *(.init.data)
4481 ++ }
4482 ++ . = ALIGN(16);
4483 ++ .init.setup : AT(ADDR(.init.setup) - LOAD_OFFSET) {
4484 ++ __setup_start = .;
4485 ++ *(.init.setup)
4486 ++ __setup_end = .;
4487 ++ }
4488 ++ .initcall.init : AT(ADDR(.initcall.init) - LOAD_OFFSET) {
4489 ++ __initcall_start = .;
4490 ++ INITCALLS
4491 ++ __initcall_end = .;
4492 ++ }
4493 ++ .con_initcall.init : AT(ADDR(.con_initcall.init) - LOAD_OFFSET) {
4494 ++ __con_initcall_start = .;
4495 ++ *(.con_initcall.init)
4496 ++ __con_initcall_end = .;
4497 ++ }
4498 ++ SECURITY_INIT
4499 ++ . = ALIGN(4);
4500 ++ .altinstructions : AT(ADDR(.altinstructions) - LOAD_OFFSET) {
4501 ++ __alt_instructions = .;
4502 ++ *(.altinstructions)
4503 ++ __alt_instructions_end = .;
4504 ++ }
4505 ++ .altinstr_replacement : AT(ADDR(.altinstr_replacement) - LOAD_OFFSET) {
4506 ++ *(.altinstr_replacement)
4507 ++ }
4508 ++ . = ALIGN(4);
4509 ++ .parainstructions : AT(ADDR(.parainstructions) - LOAD_OFFSET) {
4510 ++ __parainstructions = .;
4511 ++ *(.parainstructions)
4512 ++ __parainstructions_end = .;
4513 ++ }
4514 ++ .exit.data : AT(ADDR(.exit.data) - LOAD_OFFSET) { *(.exit.data) }
4515 ++#if defined(CONFIG_BLK_DEV_INITRD)
4516 ++ . = ALIGN(4096);
4517 ++ .init.ramfs : AT(ADDR(.init.ramfs) - LOAD_OFFSET) {
4518 ++ __initramfs_start = .;
4519 ++ *(.init.ramfs)
4520 ++ __initramfs_end = .;
4521 ++ }
4522 ++#endif
4523 ++ . = ALIGN(4096);
4524 ++ per_cpu_start = .;
4525 ++ .data.percpu (0) : AT(ADDR(.data.percpu) - LOAD_OFFSET + per_cpu_start) {
4526 ++ __per_cpu_start = . + per_cpu_start;
4527 ++ LONG(0)
4528 ++ *(.data.percpu)
4529 ++ *(.data.percpu.shared_aligned)
4530 ++ __per_cpu_end = . + per_cpu_start;
4531 ++ } :percpu
4532 ++ . += per_cpu_start;
4533 ++
4534 ++ /* read-only */
4535 ++
4536 ++ . = ALIGN(4096); /* Init code and data */
4537 ++ .init.text (. - __KERNEL_TEXT_OFFSET) : AT(ADDR(.init.text) - LOAD_OFFSET + __KERNEL_TEXT_OFFSET) {
4538 ++ _sinittext = .;
4539 ++ *(.init.text)
4540 ++ _einittext = .;
4541 ++ } :inittext
4542 ++
4543 ++ /* .exit.text is discard at runtime, not link time, to deal with references
4544 ++ from .altinstructions and .eh_frame */
4545 ++ .exit.text : AT(ADDR(.exit.text) - LOAD_OFFSET + __KERNEL_TEXT_OFFSET) { *(.exit.text) }
4546 ++
4547 ++ .filler : AT(ADDR(.filler) - LOAD_OFFSET + __KERNEL_TEXT_OFFSET) {
4548 ++ BYTE(0)
4549 ++ . = ALIGN(4*1024*1024) - 1;
4550 ++ }
4551 ++
4552 ++ /* freed after init ends here */
4553 ++
4554 ++ .text.head : AT(ADDR(.text.head) - LOAD_OFFSET + __KERNEL_TEXT_OFFSET) {
4555 ++ __init_end = . + __KERNEL_TEXT_OFFSET;
4556 ++ KERNEL_TEXT_OFFSET = . + __KERNEL_TEXT_OFFSET;
4557 ++ _text = .; /* Text and read-only data */
4558 + *(.text.head)
4559 + } :text = 0x9090
4560 +
4561 + /* read-only */
4562 +- .text : AT(ADDR(.text) - LOAD_OFFSET) {
4563 ++ .text : AT(ADDR(.text) - LOAD_OFFSET + __KERNEL_TEXT_OFFSET) {
4564 + TEXT_TEXT
4565 + SCHED_TEXT
4566 + LOCK_TEXT
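Review bot: The comment moved to L4476–L4481 refers to `__smp_alt_end`, a symbol no section in this script defines (the `.smp_locks` block it follows defines `__smp_locks_end`), so it reads as a stale leftover and should name `__smp_locks_end` or be dropped. Separately, the `.filler` section at L4554–L4557 pads to `ALIGN(4*1024*1024) - 1` while the module region later in the script uses `ALIGN(1 << PMD_SHIFT) - 1`; if both are meant to express large-page granularity, writing the filler in terms of `PMD_SHIFT` too would keep them consistent under CONFIG_X86_PAE, where the two values differ. The `BYTE(0)` before each such ALIGN presumably exists to keep the section non-empty so the alignment is honoured; a one-line comment would make that idiom obvious to the next reader.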
4567 +@@ -53,16 +162,17 @@ SECTIONS
4568 + _etext = .; /* End of text section */
4569 + } :text = 0x9090
4570 +
4571 +- . = ALIGN(16); /* Exception table */
4572 ++ . += __KERNEL_TEXT_OFFSET;
4573 ++ . = ALIGN(4096); /* Exception table */
4574 + __ex_table : AT(ADDR(__ex_table) - LOAD_OFFSET) {
4575 + __start___ex_table = .;
4576 + *(__ex_table)
4577 + __stop___ex_table = .;
4578 +- }
4579 ++ } :rodata
4580 +
4581 +- NOTES :text :note
4582 ++ NOTES :rodata :note
4583 +
4584 +- BUG_TABLE :text
4585 ++ BUG_TABLE :rodata
4586 +
4587 + . = ALIGN(4);
4588 + .tracedata : AT(ADDR(.tracedata) - LOAD_OFFSET) {
4589 +@@ -73,9 +183,36 @@ SECTIONS
4590 +
4591 + RODATA
4592 +
4593 ++ . = ALIGN(4096);
4594 ++ .rodata.page_aligned : AT(ADDR(.rodata.page_aligned) - LOAD_OFFSET) {
4595 ++ *(.idt)
4596 ++ . = ALIGN(4096);
4597 ++ *(.empty_zero_page)
4598 ++ *(.swapper_pm_dir)
4599 ++ *(.swapper_pg_dir)
4600 ++ }
4601 ++
4602 ++#ifdef CONFIG_PAX_KERNEXEC
4603 ++
4604 ++#ifdef CONFIG_MODULES
4605 ++ . = ALIGN(4096);
4606 ++ .module.text : AT(ADDR(.module.text) - LOAD_OFFSET) {
4607 ++ MODULES_VADDR = .;
4608 ++ BYTE(0)
4609 ++ . += (6 * 1024 * 1024);
4610 ++ . = ALIGN(1 << PMD_SHIFT) - 1;
4611 ++ MODULES_END = .;
4612 ++ }
4613 ++#else
4614 ++ . = ALIGN(1 << PMD_SHIFT) - 1;
4615 ++#endif
4616 ++
4617 ++#endif
4618 ++
4619 + /* writeable */
4620 + . = ALIGN(4096);
4621 + .data : AT(ADDR(.data) - LOAD_OFFSET) { /* Data */
4622 ++ _data = .;
4623 + DATA_DATA
4624 + CONSTRUCTORS
4625 + } :data
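Review bot: The module text region at L4613–L4619 is sized by the bare expression `6 * 1024 * 1024`, with nothing saying why 6 MiB, how it relates to `MODULES_VADDR`/`MODULES_END`, or what happens when loaded modules exceed it; that limit is a user-visible constraint of a KERNEXEC build. A named macro next to the `PMD_SHIFT` definitions at the top of the script (a constructed name such as `MODULE_TEXT_RESERVE` would do) plus a comment on the consequence of overflow would make the limit discoverable.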
4626 +@@ -91,7 +228,6 @@ SECTIONS
4627 + . = ALIGN(4096);
4628 + .data.page_aligned : AT(ADDR(.data.page_aligned) - LOAD_OFFSET) {
4629 + *(.data.page_aligned)
4630 +- *(.data.idt)
4631 + }
4632 +
4633 + . = ALIGN(32);
4634 +@@ -111,86 +247,7 @@ SECTIONS
4635 + *(.data.init_task)
4636 + }
4637 +
4638 +- /* might get freed after init */
4639 +- . = ALIGN(4096);
4640 +- .smp_locks : AT(ADDR(.smp_locks) - LOAD_OFFSET) {
4641 +- __smp_locks = .;
4642 +- *(.smp_locks)
4643 +- __smp_locks_end = .;
4644 +- }
4645 +- /* will be freed after init
4646 +- * Following ALIGN() is required to make sure no other data falls on the
4647 +- * same page where __smp_alt_end is pointing as that page might be freed
4648 +- * after boot. Always make sure that ALIGN() directive is present after
4649 +- * the section which contains __smp_alt_end.
4650 +- */
4651 +- . = ALIGN(4096);
4652 +-
4653 +- /* will be freed after init */
4654 +- . = ALIGN(4096); /* Init code and data */
4655 +- .init.text : AT(ADDR(.init.text) - LOAD_OFFSET) {
4656 +- __init_begin = .;
4657 +- _sinittext = .;
4658 +- *(.init.text)
4659 +- _einittext = .;
4660 +- }
4661 +- .init.data : AT(ADDR(.init.data) - LOAD_OFFSET) { *(.init.data) }
4662 +- . = ALIGN(16);
4663 +- .init.setup : AT(ADDR(.init.setup) - LOAD_OFFSET) {
4664 +- __setup_start = .;
4665 +- *(.init.setup)
4666 +- __setup_end = .;
4667 +- }
4668 +- .initcall.init : AT(ADDR(.initcall.init) - LOAD_OFFSET) {
4669 +- __initcall_start = .;
4670 +- INITCALLS
4671 +- __initcall_end = .;
4672 +- }
4673 +- .con_initcall.init : AT(ADDR(.con_initcall.init) - LOAD_OFFSET) {
4674 +- __con_initcall_start = .;
4675 +- *(.con_initcall.init)
4676 +- __con_initcall_end = .;
4677 +- }
4678 +- SECURITY_INIT
4679 +- . = ALIGN(4);
4680 +- .altinstructions : AT(ADDR(.altinstructions) - LOAD_OFFSET) {
4681 +- __alt_instructions = .;
4682 +- *(.altinstructions)
4683 +- __alt_instructions_end = .;
4684 +- }
4685 +- .altinstr_replacement : AT(ADDR(.altinstr_replacement) - LOAD_OFFSET) {
4686 +- *(.altinstr_replacement)
4687 +- }
4688 +- . = ALIGN(4);
4689 +- .parainstructions : AT(ADDR(.parainstructions) - LOAD_OFFSET) {
4690 +- __parainstructions = .;
4691 +- *(.parainstructions)
4692 +- __parainstructions_end = .;
4693 +- }
4694 +- /* .exit.text is discard at runtime, not link time, to deal with references
4695 +- from .altinstructions and .eh_frame */
4696 +- .exit.text : AT(ADDR(.exit.text) - LOAD_OFFSET) { *(.exit.text) }
4697 +- .exit.data : AT(ADDR(.exit.data) - LOAD_OFFSET) { *(.exit.data) }
4698 +-#if defined(CONFIG_BLK_DEV_INITRD)
4699 +- . = ALIGN(4096);
4700 +- .init.ramfs : AT(ADDR(.init.ramfs) - LOAD_OFFSET) {
4701 +- __initramfs_start = .;
4702 +- *(.init.ramfs)
4703 +- __initramfs_end = .;
4704 +- }
4705 +-#endif
4706 +- . = ALIGN(4096);
4707 +- .data.percpu : AT(ADDR(.data.percpu) - LOAD_OFFSET) {
4708 +- __per_cpu_start = .;
4709 +- *(.data.percpu)
4710 +- *(.data.percpu.shared_aligned)
4711 +- __per_cpu_end = .;
4712 +- }
4713 +- . = ALIGN(4096);
4714 +- /* freed after init ends here */
4715 +-
4716 + .bss : AT(ADDR(.bss) - LOAD_OFFSET) {
4717 +- __init_end = .;
4718 + __bss_start = .; /* BSS */
4719 + *(.bss.page_aligned)
4720 + *(.bss)
4721 +diff -Nurp linux-2.6.23.15/arch/i386/lib/checksum.S linux-2.6.23.15-grsec/arch/i386/lib/checksum.S
4722 +--- linux-2.6.23.15/arch/i386/lib/checksum.S 2007-10-09 21:31:38.000000000 +0100
4723 ++++ linux-2.6.23.15-grsec/arch/i386/lib/checksum.S 2008-02-11 10:37:44.000000000 +0000
4724 +@@ -28,7 +28,8 @@
4725 + #include <linux/linkage.h>
4726 + #include <asm/dwarf2.h>
4727 + #include <asm/errno.h>
4728 +-
4729 ++#include <asm/segment.h>
4730 ++
4731 + /*
4732 + * computes a partial checksum, e.g. for TCP/UDP fragments
4733 + */
4734 +@@ -304,9 +305,22 @@ unsigned int csum_partial_copy_generic (
4735 +
4736 + #define ARGBASE 16
4737 + #define FP 12
4738 +-
4739 +-ENTRY(csum_partial_copy_generic)
4740 ++
4741 ++ENTRY(csum_partial_copy_generic_to_user)
4742 + CFI_STARTPROC
4743 ++ pushl $(__USER_DS)
4744 ++ CFI_ADJUST_CFA_OFFSET 4
4745 ++ popl %es
4746 ++ CFI_ADJUST_CFA_OFFSET -4
4747 ++ jmp csum_partial_copy_generic
4748 ++
4749 ++ENTRY(csum_partial_copy_generic_from_user)
4750 ++ pushl $(__USER_DS)
4751 ++ CFI_ADJUST_CFA_OFFSET 4
4752 ++ popl %ds
4753 ++ CFI_ADJUST_CFA_OFFSET -4
4754 ++
4755 ++ENTRY(csum_partial_copy_generic)
4756 + subl $4,%esp
4757 + CFI_ADJUST_CFA_OFFSET 4
4758 + pushl %edi
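Review bot: Three entry symbols now share one body, but only `csum_partial_copy_generic_to_user` is closed by `ENDPROC` (L4873, and the same pattern in the PentiumII variant at L4972), so `csum_partial_copy_generic_from_user` and `csum_partial_copy_generic` receive no `.type`/`.size` annotations, which degrades symbol tables and the tools that depend on them. Adding `ENDPROC(csum_partial_copy_generic_from_user)` and `ENDPROC(csum_partial_copy_generic)` next to the existing ENDPROC line, in both variants, gives each symbol its size to the shared end. `csum_partial_copy_generic_from_user` reaches the shared body by falling through with no `jmp`, which works but deserves a `# falls through into csum_partial_copy_generic` comment at L4761, since the `_to_user` entry above it uses an explicit jump.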
4759 +@@ -331,7 +345,7 @@ ENTRY(csum_partial_copy_generic)
4760 + jmp 4f
4761 + SRC(1: movw (%esi), %bx )
4762 + addl $2, %esi
4763 +-DST( movw %bx, (%edi) )
4764 ++DST( movw %bx, %es:(%edi) )
4765 + addl $2, %edi
4766 + addw %bx, %ax
4767 + adcl $0, %eax
4768 +@@ -343,30 +357,30 @@ DST( movw %bx, (%edi) )
4769 + SRC(1: movl (%esi), %ebx )
4770 + SRC( movl 4(%esi), %edx )
4771 + adcl %ebx, %eax
4772 +-DST( movl %ebx, (%edi) )
4773 ++DST( movl %ebx, %es:(%edi) )
4774 + adcl %edx, %eax
4775 +-DST( movl %edx, 4(%edi) )
4776 ++DST( movl %edx, %es:4(%edi) )
4777 +
4778 + SRC( movl 8(%esi), %ebx )
4779 + SRC( movl 12(%esi), %edx )
4780 + adcl %ebx, %eax
4781 +-DST( movl %ebx, 8(%edi) )
4782 ++DST( movl %ebx, %es:8(%edi) )
4783 + adcl %edx, %eax
4784 +-DST( movl %edx, 12(%edi) )
4785 ++DST( movl %edx, %es:12(%edi) )
4786 +
4787 + SRC( movl 16(%esi), %ebx )
4788 + SRC( movl 20(%esi), %edx )
4789 + adcl %ebx, %eax
4790 +-DST( movl %ebx, 16(%edi) )
4791 ++DST( movl %ebx, %es:16(%edi) )
4792 + adcl %edx, %eax
4793 +-DST( movl %edx, 20(%edi) )
4794 ++DST( movl %edx, %es:20(%edi) )
4795 +
4796 + SRC( movl 24(%esi), %ebx )
4797 + SRC( movl 28(%esi), %edx )
4798 + adcl %ebx, %eax
4799 +-DST( movl %ebx, 24(%edi) )
4800 ++DST( movl %ebx, %es:24(%edi) )
4801 + adcl %edx, %eax
4802 +-DST( movl %edx, 28(%edi) )
4803 ++DST( movl %edx, %es:28(%edi) )
4804 +
4805 + lea 32(%esi), %esi
4806 + lea 32(%edi), %edi
4807 +@@ -380,7 +394,7 @@ DST( movl %edx, 28(%edi) )
4808 + shrl $2, %edx # This clears CF
4809 + SRC(3: movl (%esi), %ebx )
4810 + adcl %ebx, %eax
4811 +-DST( movl %ebx, (%edi) )
4812 ++DST( movl %ebx, %es:(%edi) )
4813 + lea 4(%esi), %esi
4814 + lea 4(%edi), %edi
4815 + dec %edx
4816 +@@ -392,12 +406,12 @@ DST( movl %ebx, (%edi) )
4817 + jb 5f
4818 + SRC( movw (%esi), %cx )
4819 + leal 2(%esi), %esi
4820 +-DST( movw %cx, (%edi) )
4821 ++DST( movw %cx, %es:(%edi) )
4822 + leal 2(%edi), %edi
4823 + je 6f
4824 + shll $16,%ecx
4825 + SRC(5: movb (%esi), %cl )
4826 +-DST( movb %cl, (%edi) )
4827 ++DST( movb %cl, %es:(%edi) )
4828 + 6: addl %ecx, %eax
4829 + adcl $0, %eax
4830 + 7:
4831 +@@ -408,7 +422,7 @@ DST( movb %cl, (%edi) )
4832 +
4833 + 6001:
4834 + movl ARGBASE+20(%esp), %ebx # src_err_ptr
4835 +- movl $-EFAULT, (%ebx)
4836 ++ movl $-EFAULT, %ss:(%ebx)
4837 +
4838 + # zero the complete destination - computing the rest
4839 + # is too much work
4840 +@@ -421,11 +435,19 @@ DST( movb %cl, (%edi) )
4841 +
4842 + 6002:
4843 + movl ARGBASE+24(%esp), %ebx # dst_err_ptr
4844 +- movl $-EFAULT,(%ebx)
4845 ++ movl $-EFAULT,%ss:(%ebx)
4846 + jmp 5000b
4847 +
4848 + .previous
4849 +
4850 ++ pushl %ss
4851 ++ CFI_ADJUST_CFA_OFFSET 4
4852 ++ popl %ds
4853 ++ CFI_ADJUST_CFA_OFFSET -4
4854 ++ pushl %ss
4855 ++ CFI_ADJUST_CFA_OFFSET 4
4856 ++ popl %es
4857 ++ CFI_ADJUST_CFA_OFFSET -4
4858 + popl %ebx
4859 + CFI_ADJUST_CFA_OFFSET -4
4860 + CFI_RESTORE ebx
4861 +@@ -439,26 +461,41 @@ DST( movb %cl, (%edi) )
4862 + CFI_ADJUST_CFA_OFFSET -4
4863 + ret
4864 + CFI_ENDPROC
4865 +-ENDPROC(csum_partial_copy_generic)
4866 ++ENDPROC(csum_partial_copy_generic_to_user)
4867 +
4868 + #else
4869 +
4870 + /* Version for PentiumII/PPro */
4871 +
4872 + #define ROUND1(x) \
4873 ++ nop; nop; nop; \
4874 + SRC(movl x(%esi), %ebx ) ; \
4875 + addl %ebx, %eax ; \
4876 +- DST(movl %ebx, x(%edi) ) ;
4877 ++ DST(movl %ebx, %es:x(%edi)) ;
4878 +
4879 + #define ROUND(x) \
4880 ++ nop; nop; nop; \
4881 + SRC(movl x(%esi), %ebx ) ; \
4882 + adcl %ebx, %eax ; \
4883 +- DST(movl %ebx, x(%edi) ) ;
4884 ++ DST(movl %ebx, %es:x(%edi)) ;
4885 +
4886 + #define ARGBASE 12
4887 +-
4888 +-ENTRY(csum_partial_copy_generic)
4889 ++
4890 ++ENTRY(csum_partial_copy_generic_to_user)
4891 + CFI_STARTPROC
4892 ++ pushl $(__USER_DS)
4893 ++ CFI_ADJUST_CFA_OFFSET 4
4894 ++ popl %es
4895 ++ CFI_ADJUST_CFA_OFFSET -4
4896 ++ jmp csum_partial_copy_generic
4897 ++
4898 ++ENTRY(csum_partial_copy_generic_from_user)
4899 ++ pushl $(__USER_DS)
4900 ++ CFI_ADJUST_CFA_OFFSET 4
4901 ++ popl %ds
4902 ++ CFI_ADJUST_CFA_OFFSET -4
4903 ++
4904 ++ENTRY(csum_partial_copy_generic)
4905 + pushl %ebx
4906 + CFI_ADJUST_CFA_OFFSET 4
4907 + CFI_REL_OFFSET ebx, 0
4908 +@@ -482,7 +519,7 @@ ENTRY(csum_partial_copy_generic)
4909 + subl %ebx, %edi
4910 + lea -1(%esi),%edx
4911 + andl $-32,%edx
4912 +- lea 3f(%ebx,%ebx), %ebx
4913 ++ lea 3f(%ebx,%ebx,2), %ebx
4914 + testl %esi, %esi
4915 + jmp *%ebx
4916 + 1: addl $64,%esi
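Review bot: The change from `lea 3f(%ebx,%ebx), %ebx` to `lea 3f(%ebx,%ebx,2), %ebx` at L4920 bakes the assembled size of one `ROUND()` expansion into the jump-table index scale (presumably the three added `nop`s plus the `%es:` prefix byte grew each round from 8 to 12 bytes), while the macro that fixes that size lives in the hunk above (L4879–L4891). Nothing ties the two together, so a later edit to `ROUND()` would make `jmp *%ebx` land mid-instruction. A comment beside the macro, `# each ROUND() must assemble to exactly 12 bytes: the index scale in 'lea 3f(%ebx,%ebx,2)' depends on it`, or a build-time size check on the unrolled block, would make the coupling explicit.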
4917 +@@ -503,19 +540,19 @@ ENTRY(csum_partial_copy_generic)
4918 + jb 5f
4919 + SRC( movw (%esi), %dx )
4920 + leal 2(%esi), %esi
4921 +-DST( movw %dx, (%edi) )
4922 ++DST( movw %dx, %es:(%edi) )
4923 + leal 2(%edi), %edi
4924 + je 6f
4925 + shll $16,%edx
4926 + 5:
4927 + SRC( movb (%esi), %dl )
4928 +-DST( movb %dl, (%edi) )
4929 ++DST( movb %dl, %es:(%edi) )
4930 + 6: addl %edx, %eax
4931 + adcl $0, %eax
4932 + 7:
4933 + .section .fixup, "ax"
4934 + 6001: movl ARGBASE+20(%esp), %ebx # src_err_ptr
4935 +- movl $-EFAULT, (%ebx)
4936 ++ movl $-EFAULT, %ss:(%ebx)
4937 + # zero the complete destination (computing the rest is too much work)
4938 + movl ARGBASE+8(%esp),%edi # dst
4939 + movl ARGBASE+12(%esp),%ecx # len
4940 +@@ -523,10 +560,18 @@ DST( movb %dl, (%edi) )
4941 + rep; stosb
4942 + jmp 7b
4943 + 6002: movl ARGBASE+24(%esp), %ebx # dst_err_ptr
4944 +- movl $-EFAULT, (%ebx)
4945 ++ movl $-EFAULT, %ss:(%ebx)
4946 + jmp 7b
4947 + .previous
4948 +
4949 ++ pushl %ss
4950 ++ CFI_ADJUST_CFA_OFFSET 4
4951 ++ popl %ds
4952 ++ CFI_ADJUST_CFA_OFFSET -4
4953 ++ pushl %ss
4954 ++ CFI_ADJUST_CFA_OFFSET 4
4955 ++ popl %es
4956 ++ CFI_ADJUST_CFA_OFFSET -4
4957 + popl %esi
4958 + CFI_ADJUST_CFA_OFFSET -4
4959 + CFI_RESTORE esi
4960 +@@ -538,7 +583,7 @@ DST( movb %dl, (%edi) )
4961 + CFI_RESTORE ebx
4962 + ret
4963 + CFI_ENDPROC
4964 +-ENDPROC(csum_partial_copy_generic)
4965 ++ENDPROC(csum_partial_copy_generic_to_user)
4966 +
4967 + #undef ROUND
4968 + #undef ROUND1
4969 +diff -Nurp linux-2.6.23.15/arch/i386/lib/getuser.S linux-2.6.23.15-grsec/arch/i386/lib/getuser.S
4970 +--- linux-2.6.23.15/arch/i386/lib/getuser.S 2007-10-09 21:31:38.000000000 +0100
4971 ++++ linux-2.6.23.15-grsec/arch/i386/lib/getuser.S 2008-02-11 10:37:44.000000000 +0000
4972 +@@ -11,7 +11,7 @@
4973 + #include <linux/linkage.h>
4974 + #include <asm/dwarf2.h>
4975 + #include <asm/thread_info.h>
4976 +-
4977 ++#include <asm/segment.h>
4978 +
4979 + /*
4980 + * __get_user_X
4981 +@@ -31,7 +31,11 @@ ENTRY(__get_user_1)
4982 + GET_THREAD_INFO(%edx)
4983 + cmpl TI_addr_limit(%edx),%eax
4984 + jae bad_get_user
4985 ++ pushl $(__USER_DS)
4986 ++ popl %ds
4987 + 1: movzbl (%eax),%edx
4988 ++ pushl %ss
4989 ++ pop %ds
4990 + xorl %eax,%eax
4991 + ret
4992 + CFI_ENDPROC
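Review bot: The `pushl`/`popl` pairs added at L4992–L4993 and L4995–L4996 carry no `CFI_ADJUST_CFA_OFFSET` annotations, unlike the identical sequences this patch adds to checksum.S (L4750–L4753, L4857–L4864), so the unwind information is off by four bytes for the instruction between each push and pop; the same applies to the `__get_user_2`/`__get_user_4` hunks and to `bad_get_user` (L5004, L5016, L5028). The mnemonics are also mixed, `popl %ds` on the way in and `pop %ds` on the way out; `popl` in both places matches the rest of the file. Each pair should read `pushl %ss`, `CFI_ADJUST_CFA_OFFSET 4`, `popl %ds`, `CFI_ADJUST_CFA_OFFSET -4`.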
4993 +@@ -44,7 +48,11 @@ ENTRY(__get_user_2)
4994 + GET_THREAD_INFO(%edx)
4995 + cmpl TI_addr_limit(%edx),%eax
4996 + jae bad_get_user
4997 ++ pushl $(__USER_DS)
4998 ++ popl %ds
4999 + 2: movzwl -1(%eax),%edx
5000 ++ pushl %ss
5001 ++ pop %ds
5002 + xorl %eax,%eax
5003 + ret
5004 + CFI_ENDPROC
5005 +@@ -57,7 +65,11 @@ ENTRY(__get_user_4)
5006 + GET_THREAD_INFO(%edx)
5007 + cmpl TI_addr_limit(%edx),%eax
5008 + jae bad_get_user
5009 ++ pushl $(__USER_DS)
5010 ++ popl %ds
5011 + 3: movl -3(%eax),%edx
5012 ++ pushl %ss
5013 ++ pop %ds
5014 + xorl %eax,%eax
5015 + ret
5016 + CFI_ENDPROC
5017 +@@ -65,6 +77,8 @@ ENDPROC(__get_user_4)
5018 +
5019 + bad_get_user:
5020 + CFI_STARTPROC
5021 ++ pushl %ss
5022 ++ pop %ds
5023 + xorl %edx,%edx
5024 + movl $-14,%eax
5025 + ret
5026 +diff -Nurp linux-2.6.23.15/arch/i386/lib/mmx.c linux-2.6.23.15-grsec/arch/i386/lib/mmx.c
5027 +--- linux-2.6.23.15/arch/i386/lib/mmx.c 2007-10-09 21:31:38.000000000 +0100
5028 ++++ linux-2.6.23.15-grsec/arch/i386/lib/mmx.c 2008-02-11 10:37:44.000000000 +0000
5029 +@@ -30,6 +30,7 @@ void *_mmx_memcpy(void *to, const void *
5030 + {
5031 + void *p;
5032 + int i;
5033 ++ unsigned long cr0;
5034 +
5035 + if (unlikely(in_interrupt()))
5036 + return __memcpy(to, from, len);
5037 +@@ -40,52 +41,80 @@ void *_mmx_memcpy(void *to, const void *
5038 + kernel_fpu_begin();
5039 +
5040 + __asm__ __volatile__ (
5041 +- "1: prefetch (%0)\n" /* This set is 28 bytes */
5042 +- " prefetch 64(%0)\n"
5043 +- " prefetch 128(%0)\n"
5044 +- " prefetch 192(%0)\n"
5045 +- " prefetch 256(%0)\n"
5046 ++ "1: prefetch (%1)\n" /* This set is 28 bytes */
5047 ++ " prefetch 64(%1)\n"
5048 ++ " prefetch 128(%1)\n"
5049 ++ " prefetch 192(%1)\n"
5050 ++ " prefetch 256(%1)\n"
5051 + "2: \n"
5052 + ".section .fixup, \"ax\"\n"
5053 +- "3: movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
5054 ++ "3: \n"
5055 ++
5056 ++#ifdef CONFIG_PAX_KERNEXEC
5057 ++ " movl %%cr0, %0\n"
5058 ++ " movl %0, %%eax\n"
5059 ++ " andl $0xFFFEFFFF, %%eax\n"
5060 ++ " movl %%eax, %%cr0\n"
5061 ++#endif
5062 ++
5063 ++ " movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
5064 ++
5065 ++#ifdef CONFIG_PAX_KERNEXEC
5066 ++ " movl %0, %%cr0\n"
5067 ++#endif
5068 ++
5069 + " jmp 2b\n"
5070 + ".previous\n"
5071 + ".section __ex_table,\"a\"\n"
5072 + " .align 4\n"
5073 + " .long 1b, 3b\n"
5074 + ".previous"
5075 +- : : "r" (from) );
5076 ++ : "=&r" (cr0) : "r" (from) : "ax");
5077 +
5078 +
5079 + for(; i>5; i--)
5080 + {
5081 + __asm__ __volatile__ (
5082 +- "1: prefetch 320(%0)\n"
5083 +- "2: movq (%0), %%mm0\n"
5084 +- " movq 8(%0), %%mm1\n"
5085 +- " movq 16(%0), %%mm2\n"
5086 +- " movq 24(%0), %%mm3\n"
5087 +- " movq %%mm0, (%1)\n"
5088 +- " movq %%mm1, 8(%1)\n"
5089 +- " movq %%mm2, 16(%1)\n"
5090 +- " movq %%mm3, 24(%1)\n"
5091 +- " movq 32(%0), %%mm0\n"
5092 +- " movq 40(%0), %%mm1\n"
5093 +- " movq 48(%0), %%mm2\n"
5094 +- " movq 56(%0), %%mm3\n"
5095 +- " movq %%mm0, 32(%1)\n"
5096 +- " movq %%mm1, 40(%1)\n"
5097 +- " movq %%mm2, 48(%1)\n"
5098 +- " movq %%mm3, 56(%1)\n"
5099 ++ "1: prefetch 320(%1)\n"
5100 ++ "2: movq (%1), %%mm0\n"
5101 ++ " movq 8(%1), %%mm1\n"
5102 ++ " movq 16(%1), %%mm2\n"
5103 ++ " movq 24(%1), %%mm3\n"
5104 ++ " movq %%mm0, (%2)\n"
5105 ++ " movq %%mm1, 8(%2)\n"
5106 ++ " movq %%mm2, 16(%2)\n"
5107 ++ " movq %%mm3, 24(%2)\n"
5108 ++ " movq 32(%1), %%mm0\n"
5109 ++ " movq 40(%1), %%mm1\n"
5110 ++ " movq 48(%1), %%mm2\n"
5111 ++ " movq 56(%1), %%mm3\n"
5112 ++ " movq %%mm0, 32(%2)\n"
5113 ++ " movq %%mm1, 40(%2)\n"
5114 ++ " movq %%mm2, 48(%2)\n"
5115 ++ " movq %%mm3, 56(%2)\n"
5116 + ".section .fixup, \"ax\"\n"
5117 +- "3: movw $0x05EB, 1b\n" /* jmp on 5 bytes */
5118 ++ "3:\n"
5119 ++
5120 ++#ifdef CONFIG_PAX_KERNEXEC
5121 ++ " movl %%cr0, %0\n"
5122 ++ " movl %0, %%eax\n"
5123 ++ " andl $0xFFFEFFFF, %%eax\n"
5124 ++ " movl %%eax, %%cr0\n"
5125 ++#endif
5126 ++
5127 ++ " movw $0x05EB, 1b\n" /* jmp on 5 bytes */
5128 ++
5129 ++#ifdef CONFIG_PAX_KERNEXEC
5130 ++ " movl %0, %%cr0\n"
5131 ++#endif
5132 ++
5133 + " jmp 2b\n"
5134 + ".previous\n"
5135 + ".section __ex_table,\"a\"\n"
5136 + " .align 4\n"
5137 + " .long 1b, 3b\n"
5138 + ".previous"
5139 +- : : "r" (from), "r" (to) : "memory");
5140 ++ : "=&r" (cr0) : "r" (from), "r" (to) : "memory", "ax");
5141 + from+=64;
5142 + to+=64;
5143 + }
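Review bot: The fixup stubs at L5064–L5067 (and the matching stubs later in this hunk and in fast_copy_page from L5159 onward) clear bit 16 of CR0 with the bare mask `0xFFFEFFFF` and say nothing about why: the `movw $0x1AEB, 1b` that follows self-patches kernel text, which is read-only under KERNEXEC. A comment to that effect, and `~X86_CR0_WP` in place of the literal if that constant is available in this tree, would make the intent reviewable. Nothing in the stub masks interrupts or preemption while WP is cleared, whereas the C callers elsewhere in this patch go through `pax_open_kernel()`; whether the window is acceptable here depends on what that macro does, which this diff does not show. The `"=&r" (cr0)` output and `"ax"` clobber at L5083 are unconditional even though both are only used inside the `#ifdef`, costing a register and an eax spill in the non-KERNEXEC build; `cr0` itself is declared in the preceding hunk (L5040).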
5144 +@@ -164,6 +193,7 @@ static void fast_clear_page(void *page)
5145 + static void fast_copy_page(void *to, void *from)
5146 + {
5147 + int i;
5148 ++ unsigned long cr0;
5149 +
5150 + kernel_fpu_begin();
5151 +
5152 +@@ -171,51 +201,79 @@ static void fast_copy_page(void *to, voi
5153 + * but that is for later. -AV
5154 + */
5155 + __asm__ __volatile__ (
5156 +- "1: prefetch (%0)\n"
5157 +- " prefetch 64(%0)\n"
5158 +- " prefetch 128(%0)\n"
5159 +- " prefetch 192(%0)\n"
5160 +- " prefetch 256(%0)\n"
5161 ++ "1: prefetch (%1)\n"
5162 ++ " prefetch 64(%1)\n"
5163 ++ " prefetch 128(%1)\n"
5164 ++ " prefetch 192(%1)\n"
5165 ++ " prefetch 256(%1)\n"
5166 + "2: \n"
5167 + ".section .fixup, \"ax\"\n"
5168 +- "3: movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
5169 ++ "3: \n"
5170 ++
5171 ++#ifdef CONFIG_PAX_KERNEXEC
5172 ++ " movl %%cr0, %0\n"
5173 ++ " movl %0, %%eax\n"
5174 ++ " andl $0xFFFEFFFF, %%eax\n"
5175 ++ " movl %%eax, %%cr0\n"
5176 ++#endif
5177 ++
5178 ++ " movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
5179 ++
5180 ++#ifdef CONFIG_PAX_KERNEXEC
5181 ++ " movl %0, %%cr0\n"
5182 ++#endif
5183 ++
5184 + " jmp 2b\n"
5185 + ".previous\n"
5186 + ".section __ex_table,\"a\"\n"
5187 + " .align 4\n"
5188 + " .long 1b, 3b\n"
5189 + ".previous"
5190 +- : : "r" (from) );
5191 ++ : "=&r" (cr0) : "r" (from) : "ax");
5192 +
5193 + for(i=0; i<(4096-320)/64; i++)
5194 + {
5195 + __asm__ __volatile__ (
5196 +- "1: prefetch 320(%0)\n"
5197 +- "2: movq (%0), %%mm0\n"
5198 +- " movntq %%mm0, (%1)\n"
5199 +- " movq 8(%0), %%mm1\n"
5200 +- " movntq %%mm1, 8(%1)\n"
5201 +- " movq 16(%0), %%mm2\n"
5202 +- " movntq %%mm2, 16(%1)\n"
5203 +- " movq 24(%0), %%mm3\n"
5204 +- " movntq %%mm3, 24(%1)\n"
5205 +- " movq 32(%0), %%mm4\n"
5206 +- " movntq %%mm4, 32(%1)\n"
5207 +- " movq 40(%0), %%mm5\n"
5208 +- " movntq %%mm5, 40(%1)\n"
5209 +- " movq 48(%0), %%mm6\n"
5210 +- " movntq %%mm6, 48(%1)\n"
5211 +- " movq 56(%0), %%mm7\n"
5212 +- " movntq %%mm7, 56(%1)\n"
5213 ++ "1: prefetch 320(%1)\n"
5214 ++ "2: movq (%1), %%mm0\n"
5215 ++ " movntq %%mm0, (%2)\n"
5216 ++ " movq 8(%1), %%mm1\n"
5217 ++ " movntq %%mm1, 8(%2)\n"
5218 ++ " movq 16(%1), %%mm2\n"
5219 ++ " movntq %%mm2, 16(%2)\n"
5220 ++ " movq 24(%1), %%mm3\n"
5221 ++ " movntq %%mm3, 24(%2)\n"
5222 ++ " movq 32(%1), %%mm4\n"
5223 ++ " movntq %%mm4, 32(%2)\n"
5224 ++ " movq 40(%1), %%mm5\n"
5225 ++ " movntq %%mm5, 40(%2)\n"
5226 ++ " movq 48(%1), %%mm6\n"
5227 ++ " movntq %%mm6, 48(%2)\n"
5228 ++ " movq 56(%1), %%mm7\n"
5229 ++ " movntq %%mm7, 56(%2)\n"
5230 + ".section .fixup, \"ax\"\n"
5231 +- "3: movw $0x05EB, 1b\n" /* jmp on 5 bytes */
5232 ++ "3:\n"
5233 ++
5234 ++#ifdef CONFIG_PAX_KERNEXEC
5235 ++ " movl %%cr0, %0\n"
5236 ++ " movl %0, %%eax\n"
5237 ++ " andl $0xFFFEFFFF, %%eax\n"
5238 ++ " movl %%eax, %%cr0\n"
5239 ++#endif
5240 ++
5241 ++ " movw $0x05EB, 1b\n" /* jmp on 5 bytes */
5242 ++
5243 ++#ifdef CONFIG_PAX_KERNEXEC
5244 ++ " movl %0, %%cr0\n"
5245 ++#endif
5246 ++
5247 + " jmp 2b\n"
5248 + ".previous\n"
5249 + ".section __ex_table,\"a\"\n"
5250 + " .align 4\n"
5251 + " .long 1b, 3b\n"
5252 + ".previous"
5253 +- : : "r" (from), "r" (to) : "memory");
5254 ++ : "=&r" (cr0) : "r" (from), "r" (to) : "memory", "ax");
5255 + from+=64;
5256 + to+=64;
5257 + }
5258 +@@ -296,56 +354,84 @@ static void fast_clear_page(void *page)
5259 + static void fast_copy_page(void *to, void *from)
5260 + {
5261 + int i;
5262 +-
5263 +-
5264 ++ unsigned long cr0;
5265 ++
5266 + kernel_fpu_begin();
5267 +
5268 + __asm__ __volatile__ (
5269 +- "1: prefetch (%0)\n"
5270 +- " prefetch 64(%0)\n"
5271 +- " prefetch 128(%0)\n"
5272 +- " prefetch 192(%0)\n"
5273 +- " prefetch 256(%0)\n"
5274 ++ "1: prefetch (%1)\n"
5275 ++ " prefetch 64(%1)\n"
5276 ++ " prefetch 128(%1)\n"
5277 ++ " prefetch 192(%1)\n"
5278 ++ " prefetch 256(%1)\n"
5279 + "2: \n"
5280 + ".section .fixup, \"ax\"\n"
5281 +- "3: movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
5282 ++ "3: \n"
5283 ++
5284 ++#ifdef CONFIG_PAX_KERNEXEC
5285 ++ " movl %%cr0, %0\n"
5286 ++ " movl %0, %%eax\n"
5287 ++ " andl $0xFFFEFFFF, %%eax\n"
5288 ++ " movl %%eax, %%cr0\n"
5289 ++#endif
5290 ++
5291 ++ " movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
5292 ++
5293 ++#ifdef CONFIG_PAX_KERNEXEC
5294 ++ " movl %0, %%cr0\n"
5295 ++#endif
5296 ++
5297 + " jmp 2b\n"
5298 + ".previous\n"
5299 + ".section __ex_table,\"a\"\n"
5300 + " .align 4\n"
5301 + " .long 1b, 3b\n"
5302 + ".previous"
5303 +- : : "r" (from) );
5304 ++ : "=&r" (cr0) : "r" (from) : "ax");
5305 +
5306 + for(i=0; i<4096/64; i++)
5307 + {
5308 + __asm__ __volatile__ (
5309 +- "1: prefetch 320(%0)\n"
5310 +- "2: movq (%0), %%mm0\n"
5311 +- " movq 8(%0), %%mm1\n"
5312 +- " movq 16(%0), %%mm2\n"
5313 +- " movq 24(%0), %%mm3\n"
5314 +- " movq %%mm0, (%1)\n"
5315 +- " movq %%mm1, 8(%1)\n"
5316 +- " movq %%mm2, 16(%1)\n"
5317 +- " movq %%mm3, 24(%1)\n"
5318 +- " movq 32(%0), %%mm0\n"
5319 +- " movq 40(%0), %%mm1\n"
5320 +- " movq 48(%0), %%mm2\n"
5321 +- " movq 56(%0), %%mm3\n"
5322 +- " movq %%mm0, 32(%1)\n"
5323 +- " movq %%mm1, 40(%1)\n"
5324 +- " movq %%mm2, 48(%1)\n"
5325 +- " movq %%mm3, 56(%1)\n"
5326 ++ "1: prefetch 320(%1)\n"
5327 ++ "2: movq (%1), %%mm0\n"
5328 ++ " movq 8(%1), %%mm1\n"
5329 ++ " movq 16(%1), %%mm2\n"
5330 ++ " movq 24(%1), %%mm3\n"
5331 ++ " movq %%mm0, (%2)\n"
5332 ++ " movq %%mm1, 8(%2)\n"
5333 ++ " movq %%mm2, 16(%2)\n"
5334 ++ " movq %%mm3, 24(%2)\n"
5335 ++ " movq 32(%1), %%mm0\n"
5336 ++ " movq 40(%1), %%mm1\n"
5337 ++ " movq 48(%1), %%mm2\n"
5338 ++ " movq 56(%1), %%mm3\n"
5339 ++ " movq %%mm0, 32(%2)\n"
5340 ++ " movq %%mm1, 40(%2)\n"
5341 ++ " movq %%mm2, 48(%2)\n"
5342 ++ " movq %%mm3, 56(%2)\n"
5343 + ".section .fixup, \"ax\"\n"
5344 +- "3: movw $0x05EB, 1b\n" /* jmp on 5 bytes */
5345 ++ "3:\n"
5346 ++
5347 ++#ifdef CONFIG_PAX_KERNEXEC
5348 ++ " movl %%cr0, %0\n"
5349 ++ " movl %0, %%eax\n"
5350 ++ " andl $0xFFFEFFFF, %%eax\n"
5351 ++ " movl %%eax, %%cr0\n"
5352 ++#endif
5353 ++
5354 ++ " movw $0x05EB, 1b\n" /* jmp on 5 bytes */
5355 ++
5356 ++#ifdef CONFIG_PAX_KERNEXEC
5357 ++ " movl %0, %%cr0\n"
5358 ++#endif
5359 ++
5360 + " jmp 2b\n"
5361 + ".previous\n"
5362 + ".section __ex_table,\"a\"\n"
5363 + " .align 4\n"
5364 + " .long 1b, 3b\n"
5365 + ".previous"
5366 +- : : "r" (from), "r" (to) : "memory");
5367 ++ : "=&r" (cr0) : "r" (from), "r" (to) : "memory", "ax");
5368 + from+=64;
5369 + to+=64;
5370 + }
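Review bot: The KERNEXEC fixup at `3:` clears CR0.WP, patches the instruction at `1b`, and writes CR0 back with nothing stopping an interrupt from being taken between `movl %%eax, %%cr0` and `movl %0, %%cr0`; a handler that runs in that window executes with kernel text writable, which is the property KERNEXEC exists to enforce. Bracketing the sequence with `pushfl; cli` before the first CR0 write and `popfl` after the restore (or the patch's own open/close helper, if it defines one) closes the window at the cost of two instructions on a path that only runs after a fault. The identical fixup in the preceding fast_clear_page hunk, whose start is outside this view, has the same gap. fast_copy_page itself continues past the end of this hunk.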
5371 +diff -Nurp linux-2.6.23.15/arch/i386/lib/putuser.S linux-2.6.23.15-grsec/arch/i386/lib/putuser.S
5372 +--- linux-2.6.23.15/arch/i386/lib/putuser.S 2007-10-09 21:31:38.000000000 +0100
5373 ++++ linux-2.6.23.15-grsec/arch/i386/lib/putuser.S 2008-02-11 10:37:44.000000000 +0000
5374 +@@ -11,7 +11,7 @@
5375 + #include <linux/linkage.h>
5376 + #include <asm/dwarf2.h>
5377 + #include <asm/thread_info.h>
5378 +-
5379 ++#include <asm/segment.h>
5380 +
5381 + /*
5382 + * __put_user_X
5383 +@@ -41,7 +41,11 @@ ENTRY(__put_user_1)
5384 + ENTER
5385 + cmpl TI_addr_limit(%ebx),%ecx
5386 + jae bad_put_user
5387 ++ pushl $(__USER_DS)
5388 ++ popl %ds
5389 + 1: movb %al,(%ecx)
5390 ++ pushl %ss
5391 ++ popl %ds
5392 + xorl %eax,%eax
5393 + EXIT
5394 + ENDPROC(__put_user_1)
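Review bot: The `pushl $(__USER_DS)` / `popl %ds` and `pushl %ss` / `popl %ds` pairs added around the store carry no CFI annotations, while the same push/pop added to `bad_put_user` later in this file is wrapped in `CFI_ADJUST_CFA_OFFSET 4` / `CFI_ADJUST_CFA_OFFSET -4`; a fault or interrupt taken between a push and its pop here leaves the unwinder's CFA four bytes off. Adding `CFI_ADJUST_CFA_OFFSET 4` after each `pushl` and `CFI_ADJUST_CFA_OFFSET -4` after each `popl` keeps the file consistent. The same applies to the `__put_user_2`, `__put_user_4` and `__put_user_8` hunks below. Both restores also assume `%ss` holds the kernel data selector at this point, which is true for kernel-mode entry but is worth a one-line comment next to the first occurrence.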
5395 +@@ -52,7 +56,11 @@ ENTRY(__put_user_2)
5396 + subl $1,%ebx
5397 + cmpl %ebx,%ecx
5398 + jae bad_put_user
5399 ++ pushl $(__USER_DS)
5400 ++ popl %ds
5401 + 2: movw %ax,(%ecx)
5402 ++ pushl %ss
5403 ++ popl %ds
5404 + xorl %eax,%eax
5405 + EXIT
5406 + ENDPROC(__put_user_2)
5407 +@@ -63,7 +71,11 @@ ENTRY(__put_user_4)
5408 + subl $3,%ebx
5409 + cmpl %ebx,%ecx
5410 + jae bad_put_user
5411 ++ pushl $(__USER_DS)
5412 ++ popl %ds
5413 + 3: movl %eax,(%ecx)
5414 ++ pushl %ss
5415 ++ popl %ds
5416 + xorl %eax,%eax
5417 + EXIT
5418 + ENDPROC(__put_user_4)
5419 +@@ -74,8 +86,12 @@ ENTRY(__put_user_8)
5420 + subl $7,%ebx
5421 + cmpl %ebx,%ecx
5422 + jae bad_put_user
5423 ++ pushl $(__USER_DS)
5424 ++ popl %ds
5425 + 4: movl %eax,(%ecx)
5426 + 5: movl %edx,4(%ecx)
5427 ++ pushl %ss
5428 ++ popl %ds
5429 + xorl %eax,%eax
5430 + EXIT
5431 + ENDPROC(__put_user_8)
5432 +@@ -85,6 +101,10 @@ bad_put_user:
5433 + CFI_DEF_CFA esp, 2*4
5434 + CFI_OFFSET eip, -1*4
5435 + CFI_OFFSET ebx, -2*4
5436 ++ pushl %ss
5437 ++ CFI_ADJUST_CFA_OFFSET 4
5438 ++ popl %ds
5439 ++ CFI_ADJUST_CFA_OFFSET -4
5440 + movl $-14,%eax
5441 + EXIT
5442 + END(bad_put_user)
5443 +diff -Nurp linux-2.6.23.15/arch/i386/lib/usercopy.c linux-2.6.23.15-grsec/arch/i386/lib/usercopy.c
5444 +--- linux-2.6.23.15/arch/i386/lib/usercopy.c 2007-10-09 21:31:38.000000000 +0100
5445 ++++ linux-2.6.23.15-grsec/arch/i386/lib/usercopy.c 2008-02-11 10:37:44.000000000 +0000
5446 +@@ -29,34 +29,41 @@ static inline int __movsl_is_ok(unsigned
5447 + * Copy a null terminated string from userspace.
5448 + */
5449 +
5450 +-#define __do_strncpy_from_user(dst,src,count,res) \
5451 +-do { \
5452 +- int __d0, __d1, __d2; \
5453 +- might_sleep(); \
5454 +- __asm__ __volatile__( \
5455 +- " testl %1,%1\n" \
5456 +- " jz 2f\n" \
5457 +- "0: lodsb\n" \
5458 +- " stosb\n" \
5459 +- " testb %%al,%%al\n" \
5460 +- " jz 1f\n" \
5461 +- " decl %1\n" \
5462 +- " jnz 0b\n" \
5463 +- "1: subl %1,%0\n" \
5464 +- "2:\n" \
5465 +- ".section .fixup,\"ax\"\n" \
5466 +- "3: movl %5,%0\n" \
5467 +- " jmp 2b\n" \
5468 +- ".previous\n" \
5469 +- ".section __ex_table,\"a\"\n" \
5470 +- " .align 4\n" \
5471 +- " .long 0b,3b\n" \
5472 +- ".previous" \
5473 +- : "=d"(res), "=c"(count), "=&a" (__d0), "=&S" (__d1), \
5474 +- "=&D" (__d2) \
5475 +- : "i"(-EFAULT), "0"(count), "1"(count), "3"(src), "4"(dst) \
5476 +- : "memory"); \
5477 +-} while (0)
5478 ++static long __do_strncpy_from_user(char *dst, const char __user *src, long count)
5479 ++{
5480 ++ int __d0, __d1, __d2;
5481 ++ long res = -EFAULT;
5482 ++
5483 ++ might_sleep();
5484 ++ __asm__ __volatile__(
5485 ++ " movw %w10,%%ds\n"
5486 ++ " testl %1,%1\n"
5487 ++ " jz 2f\n"
5488 ++ "0: lodsb\n"
5489 ++ " stosb\n"
5490 ++ " testb %%al,%%al\n"
5491 ++ " jz 1f\n"
5492 ++ " decl %1\n"
5493 ++ " jnz 0b\n"
5494 ++ "1: subl %1,%0\n"
5495 ++ "2:\n"
5496 ++ " pushl %%ss\n"
5497 ++ " popl %%ds\n"
5498 ++ ".section .fixup,\"ax\"\n"
5499 ++ "3: movl %5,%0\n"
5500 ++ " jmp 2b\n"
5501 ++ ".previous\n"
5502 ++ ".section __ex_table,\"a\"\n"
5503 ++ " .align 4\n"
5504 ++ " .long 0b,3b\n"
5505 ++ ".previous"
5506 ++ : "=d"(res), "=c"(count), "=&a" (__d0), "=&S" (__d1),
5507 ++ "=&D" (__d2)
5508 ++ : "i"(-EFAULT), "0"(count), "1"(count), "3"(src), "4"(dst),
5509 ++ "r"(__USER_DS)
5510 ++ : "memory");
5511 ++ return res;
5512 ++}
5513 +
5514 + /**
5515 + * __strncpy_from_user: - Copy a NUL terminated string from userspace, with less checking.
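Review bot: `long res = -EFAULT;` is a dead initializer: operand `%0` is `"=d"(res)` tied to the input `"0"(count)`, so the asm starts with `res == count` and the fault path loads `-EFAULT` from `%5` itself; the C-side value never reaches the asm. `long res;` states the contract more honestly and avoids suggesting that the initial value matters. The `%ds` switch at `movw %w10,%%ds` is undone at `2:`, which the fixup reaches via `jmp 2b`, so the fault path does restore the segment.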
5516 +@@ -81,9 +88,7 @@ do { \
5517 + long
5518 + __strncpy_from_user(char *dst, const char __user *src, long count)
5519 + {
5520 +- long res;
5521 +- __do_strncpy_from_user(dst, src, count, res);
5522 +- return res;
5523 ++ return __do_strncpy_from_user(dst, src, count);
5524 + }
5525 + EXPORT_SYMBOL(__strncpy_from_user);
5526 +
5527 +@@ -110,7 +115,7 @@ strncpy_from_user(char *dst, const char
5528 + {
5529 + long res = -EFAULT;
5530 + if (access_ok(VERIFY_READ, src, 1))
5531 +- __do_strncpy_from_user(dst, src, count, res);
5532 ++ res = __do_strncpy_from_user(dst, src, count);
5533 + return res;
5534 + }
5535 + EXPORT_SYMBOL(strncpy_from_user);
5536 +@@ -119,27 +124,33 @@ EXPORT_SYMBOL(strncpy_from_user);
5537 + * Zero Userspace
5538 + */
5539 +
5540 +-#define __do_clear_user(addr,size) \
5541 +-do { \
5542 +- int __d0; \
5543 +- might_sleep(); \
5544 +- __asm__ __volatile__( \
5545 +- "0: rep; stosl\n" \
5546 +- " movl %2,%0\n" \
5547 +- "1: rep; stosb\n" \
5548 +- "2:\n" \
5549 +- ".section .fixup,\"ax\"\n" \
5550 +- "3: lea 0(%2,%0,4),%0\n" \
5551 +- " jmp 2b\n" \
5552 +- ".previous\n" \
5553 +- ".section __ex_table,\"a\"\n" \
5554 +- " .align 4\n" \
5555 +- " .long 0b,3b\n" \
5556 +- " .long 1b,2b\n" \
5557 +- ".previous" \
5558 +- : "=&c"(size), "=&D" (__d0) \
5559 +- : "r"(size & 3), "0"(size / 4), "1"(addr), "a"(0)); \
5560 +-} while (0)
5561 ++static unsigned long __do_clear_user(void __user *addr, unsigned long size)
5562 ++{
5563 ++ int __d0;
5564 ++
5565 ++ might_sleep();
5566 ++ __asm__ __volatile__(
5567 ++ " movw %w6,%%es\n"
5568 ++ "0: rep; stosl\n"
5569 ++ " movl %2,%0\n"
5570 ++ "1: rep; stosb\n"
5571 ++ "2:\n"
5572 ++ " pushl %%ss\n"
5573 ++ " popl %%es\n"
5574 ++ ".section .fixup,\"ax\"\n"
5575 ++ "3: lea 0(%2,%0,4),%0\n"
5576 ++ " jmp 2b\n"
5577 ++ ".previous\n"
5578 ++ ".section __ex_table,\"a\"\n"
5579 ++ " .align 4\n"
5580 ++ " .long 0b,3b\n"
5581 ++ " .long 1b,2b\n"
5582 ++ ".previous"
5583 ++ : "=&c"(size), "=&D" (__d0)
5584 ++ : "r"(size & 3), "0"(size / 4), "1"(addr), "a"(0),
5585 ++ "r"(__USER_DS));
5586 ++ return size;
5587 ++}
5588 +
5589 + /**
5590 + * clear_user: - Zero a block of memory in user space.
5591 +@@ -156,7 +167,7 @@ clear_user(void __user *to, unsigned lon
5592 + {
5593 + might_sleep();
5594 + if (access_ok(VERIFY_WRITE, to, n))
5595 +- __do_clear_user(to, n);
5596 ++ n = __do_clear_user(to, n);
5597 + return n;
5598 + }
5599 + EXPORT_SYMBOL(clear_user);
5600 +@@ -175,8 +186,7 @@ EXPORT_SYMBOL(clear_user);
5601 + unsigned long
5602 + __clear_user(void __user *to, unsigned long n)
5603 + {
5604 +- __do_clear_user(to, n);
5605 +- return n;
5606 ++ return __do_clear_user(to, n);
5607 + }
5608 + EXPORT_SYMBOL(__clear_user);
5609 +
5610 +@@ -199,14 +209,17 @@ long strnlen_user(const char __user *s,
5611 + might_sleep();
5612 +
5613 + __asm__ __volatile__(
5614 ++ " movw %w8,%%es\n"
5615 + " testl %0, %0\n"
5616 + " jz 3f\n"
5617 +- " andl %0,%%ecx\n"
5618 ++ " movl %0,%%ecx\n"
5619 + "0: repne; scasb\n"
5620 + " setne %%al\n"
5621 + " subl %%ecx,%0\n"
5622 + " addl %0,%%eax\n"
5623 + "1:\n"
5624 ++ " pushl %%ss\n"
5625 ++ " popl %%es\n"
5626 + ".section .fixup,\"ax\"\n"
5627 + "2: xorl %%eax,%%eax\n"
5628 + " jmp 1b\n"
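Review bot: Replacing `andl %0,%%ecx` with `movl %0,%%ecx` drops the software guard that zeroed the scan length when `mask` is zero (`mask` is computed before the hunk; upstream derives it from `__addr_ok(s)`): for a pointer outside the user range, `repne; scasb` now runs for the full `n` bytes and relies on the `%es` limit to fault. That limit is only programmed when `CONFIG_PAX_MEMORY_UDEREF` is set — the `#else` branch of `set_fs` added at the end of this file leaves the GDT untouched — so in a non-UDEREF build the scan walks kernel memory until it faults or finds a NUL, and only the final `res & mask` hides the result. Keeping `andl %0,%%ecx` costs nothing and preserves the previous behaviour in both configurations, unless the patch redefines `__addr_ok` elsewhere. strnlen_user starts before this hunk.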
5629 +@@ -218,7 +231,7 @@ long strnlen_user(const char __user *s,
5630 + " .long 0b,2b\n"
5631 + ".previous"
5632 + :"=r" (n), "=D" (s), "=a" (res), "=c" (tmp)
5633 +- :"0" (n), "1" (s), "2" (0), "3" (mask)
5634 ++ :"0" (n), "1" (s), "2" (0), "3" (mask), "r" (__USER_DS)
5635 + :"cc");
5636 + return res & mask;
5637 + }
5638 +@@ -226,10 +239,121 @@ EXPORT_SYMBOL(strnlen_user);
5639 +
5640 + #ifdef CONFIG_X86_INTEL_USERCOPY
5641 + static unsigned long
5642 +-__copy_user_intel(void __user *to, const void *from, unsigned long size)
5643 ++__generic_copy_to_user_intel(void __user *to, const void *from, unsigned long size)
5644 ++{
5645 ++ int d0, d1;
5646 ++ __asm__ __volatile__(
5647 ++ " movw %w6, %%es\n"
5648 ++ " .align 2,0x90\n"
5649 ++ "1: movl 32(%4), %%eax\n"
5650 ++ " cmpl $67, %0\n"
5651 ++ " jbe 3f\n"
5652 ++ "2: movl 64(%4), %%eax\n"
5653 ++ " .align 2,0x90\n"
5654 ++ "3: movl 0(%4), %%eax\n"
5655 ++ "4: movl 4(%4), %%edx\n"
5656 ++ "5: movl %%eax, %%es:0(%3)\n"
5657 ++ "6: movl %%edx, %%es:4(%3)\n"
5658 ++ "7: movl 8(%4), %%eax\n"
5659 ++ "8: movl 12(%4),%%edx\n"
5660 ++ "9: movl %%eax, %%es:8(%3)\n"
5661 ++ "10: movl %%edx, %%es:12(%3)\n"
5662 ++ "11: movl 16(%4), %%eax\n"
5663 ++ "12: movl 20(%4), %%edx\n"
5664 ++ "13: movl %%eax, %%es:16(%3)\n"
5665 ++ "14: movl %%edx, %%es:20(%3)\n"
5666 ++ "15: movl 24(%4), %%eax\n"
5667 ++ "16: movl 28(%4), %%edx\n"
5668 ++ "17: movl %%eax, %%es:24(%3)\n"
5669 ++ "18: movl %%edx, %%es:28(%3)\n"
5670 ++ "19: movl 32(%4), %%eax\n"
5671 ++ "20: movl 36(%4), %%edx\n"
5672 ++ "21: movl %%eax, %%es:32(%3)\n"
5673 ++ "22: movl %%edx, %%es:36(%3)\n"
5674 ++ "23: movl 40(%4), %%eax\n"
5675 ++ "24: movl 44(%4), %%edx\n"
5676 ++ "25: movl %%eax, %%es:40(%3)\n"
5677 ++ "26: movl %%edx, %%es:44(%3)\n"
5678 ++ "27: movl 48(%4), %%eax\n"
5679 ++ "28: movl 52(%4), %%edx\n"
5680 ++ "29: movl %%eax, %%es:48(%3)\n"
5681 ++ "30: movl %%edx, %%es:52(%3)\n"
5682 ++ "31: movl 56(%4), %%eax\n"
5683 ++ "32: movl 60(%4), %%edx\n"
5684 ++ "33: movl %%eax, %%es:56(%3)\n"
5685 ++ "34: movl %%edx, %%es:60(%3)\n"
5686 ++ " addl $-64, %0\n"
5687 ++ " addl $64, %4\n"
5688 ++ " addl $64, %3\n"
5689 ++ " cmpl $63, %0\n"
5690 ++ " ja 1b\n"
5691 ++ "35: movl %0, %%eax\n"
5692 ++ " shrl $2, %0\n"
5693 ++ " andl $3, %%eax\n"
5694 ++ " cld\n"
5695 ++ "99: rep; movsl\n"
5696 ++ "36: movl %%eax, %0\n"
5697 ++ "37: rep; movsb\n"
5698 ++ "100:\n"
5699 ++ " pushl %%ss\n"
5700 ++ " popl %%es\n"
5701 ++ ".section .fixup,\"ax\"\n"
5702 ++ "101: lea 0(%%eax,%0,4),%0\n"
5703 ++ " jmp 100b\n"
5704 ++ ".previous\n"
5705 ++ ".section __ex_table,\"a\"\n"
5706 ++ " .align 4\n"
5707 ++ " .long 1b,100b\n"
5708 ++ " .long 2b,100b\n"
5709 ++ " .long 3b,100b\n"
5710 ++ " .long 4b,100b\n"
5711 ++ " .long 5b,100b\n"
5712 ++ " .long 6b,100b\n"
5713 ++ " .long 7b,100b\n"
5714 ++ " .long 8b,100b\n"
5715 ++ " .long 9b,100b\n"
5716 ++ " .long 10b,100b\n"
5717 ++ " .long 11b,100b\n"
5718 ++ " .long 12b,100b\n"
5719 ++ " .long 13b,100b\n"
5720 ++ " .long 14b,100b\n"
5721 ++ " .long 15b,100b\n"
5722 ++ " .long 16b,100b\n"
5723 ++ " .long 17b,100b\n"
5724 ++ " .long 18b,100b\n"
5725 ++ " .long 19b,100b\n"
5726 ++ " .long 20b,100b\n"
5727 ++ " .long 21b,100b\n"
5728 ++ " .long 22b,100b\n"
5729 ++ " .long 23b,100b\n"
5730 ++ " .long 24b,100b\n"
5731 ++ " .long 25b,100b\n"
5732 ++ " .long 26b,100b\n"
5733 ++ " .long 27b,100b\n"
5734 ++ " .long 28b,100b\n"
5735 ++ " .long 29b,100b\n"
5736 ++ " .long 30b,100b\n"
5737 ++ " .long 31b,100b\n"
5738 ++ " .long 32b,100b\n"
5739 ++ " .long 33b,100b\n"
5740 ++ " .long 34b,100b\n"
5741 ++ " .long 35b,100b\n"
5742 ++ " .long 36b,100b\n"
5743 ++ " .long 37b,100b\n"
5744 ++ " .long 99b,101b\n"
5745 ++ ".previous"
5746 ++ : "=&c"(size), "=&D" (d0), "=&S" (d1)
5747 ++ : "1"(to), "2"(from), "0"(size), "r"(__USER_DS)
5748 ++ : "eax", "edx", "memory");
5749 ++ return size;
5750 ++}
5751 ++
5752 ++static unsigned long
5753 ++__generic_copy_from_user_intel(void *to, const void __user *from, unsigned long size)
5754 + {
5755 + int d0, d1;
5756 + __asm__ __volatile__(
5757 ++ " movw %w6, %%ds\n"
5758 + " .align 2,0x90\n"
5759 + "1: movl 32(%4), %%eax\n"
5760 + " cmpl $67, %0\n"
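Review bot: `__generic_copy_to_user_intel` is a line-for-line copy of `__generic_copy_from_user_intel` that follows it, differing only in which segment register receives `__USER_DS` (`movw %w6, %%es` versus `movw %w6, %%ds`) and which one the `pushl %%ss` / `popl` at `100:` restores; roughly 120 lines of labels and exception-table entries are now maintained twice, and the same pairing recurs for `__generic_copy_to_user` / `__generic_copy_from_user` later in the file. Generating both variants from one macro parameterised on the segment register would keep the two fixup tables from drifting apart. A short comment above each function stating the protocol — the named segment register holds `__USER_DS` for the duration of the asm and is restored from `%ss` at `100:`, so every exception-table target must land at or after that restore — would help the next reader. `__generic_copy_from_user_intel` continues past the end of this hunk.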
5761 +@@ -238,36 +362,36 @@ __copy_user_intel(void __user *to, const
5762 + " .align 2,0x90\n"
5763 + "3: movl 0(%4), %%eax\n"
5764 + "4: movl 4(%4), %%edx\n"
5765 +- "5: movl %%eax, 0(%3)\n"
5766 +- "6: movl %%edx, 4(%3)\n"
5767 ++ "5: movl %%eax, %%es:0(%3)\n"
5768 ++ "6: movl %%edx, %%es:4(%3)\n"
5769 + "7: movl 8(%4), %%eax\n"
5770 + "8: movl 12(%4),%%edx\n"
5771 +- "9: movl %%eax, 8(%3)\n"
5772 +- "10: movl %%edx, 12(%3)\n"
5773 ++ "9: movl %%eax, %%es:8(%3)\n"
5774 ++ "10: movl %%edx, %%es:12(%3)\n"
5775 + "11: movl 16(%4), %%eax\n"
5776 + "12: movl 20(%4), %%edx\n"
5777 +- "13: movl %%eax, 16(%3)\n"
5778 +- "14: movl %%edx, 20(%3)\n"
5779 ++ "13: movl %%eax, %%es:16(%3)\n"
5780 ++ "14: movl %%edx, %%es:20(%3)\n"
5781 + "15: movl 24(%4), %%eax\n"
5782 + "16: movl 28(%4), %%edx\n"
5783 +- "17: movl %%eax, 24(%3)\n"
5784 +- "18: movl %%edx, 28(%3)\n"
5785 ++ "17: movl %%eax, %%es:24(%3)\n"
5786 ++ "18: movl %%edx, %%es:28(%3)\n"
5787 + "19: movl 32(%4), %%eax\n"
5788 + "20: movl 36(%4), %%edx\n"
5789 +- "21: movl %%eax, 32(%3)\n"
5790 +- "22: movl %%edx, 36(%3)\n"
5791 ++ "21: movl %%eax, %%es:32(%3)\n"
5792 ++ "22: movl %%edx, %%es:36(%3)\n"
5793 + "23: movl 40(%4), %%eax\n"
5794 + "24: movl 44(%4), %%edx\n"
5795 +- "25: movl %%eax, 40(%3)\n"
5796 +- "26: movl %%edx, 44(%3)\n"
5797 ++ "25: movl %%eax, %%es:40(%3)\n"
5798 ++ "26: movl %%edx, %%es:44(%3)\n"
5799 + "27: movl 48(%4), %%eax\n"
5800 + "28: movl 52(%4), %%edx\n"
5801 +- "29: movl %%eax, 48(%3)\n"
5802 +- "30: movl %%edx, 52(%3)\n"
5803 ++ "29: movl %%eax, %%es:48(%3)\n"
5804 ++ "30: movl %%edx, %%es:52(%3)\n"
5805 + "31: movl 56(%4), %%eax\n"
5806 + "32: movl 60(%4), %%edx\n"
5807 +- "33: movl %%eax, 56(%3)\n"
5808 +- "34: movl %%edx, 60(%3)\n"
5809 ++ "33: movl %%eax, %%es:56(%3)\n"
5810 ++ "34: movl %%edx, %%es:60(%3)\n"
5811 + " addl $-64, %0\n"
5812 + " addl $64, %4\n"
5813 + " addl $64, %3\n"
5814 +@@ -281,6 +405,8 @@ __copy_user_intel(void __user *to, const
5815 + "36: movl %%eax, %0\n"
5816 + "37: rep; movsb\n"
5817 + "100:\n"
5818 ++ " pushl %%ss\n"
5819 ++ " popl %%ds\n"
5820 + ".section .fixup,\"ax\"\n"
5821 + "101: lea 0(%%eax,%0,4),%0\n"
5822 + " jmp 100b\n"
5823 +@@ -327,7 +453,7 @@ __copy_user_intel(void __user *to, const
5824 + " .long 99b,101b\n"
5825 + ".previous"
5826 + : "=&c"(size), "=&D" (d0), "=&S" (d1)
5827 +- : "1"(to), "2"(from), "0"(size)
5828 ++ : "1"(to), "2"(from), "0"(size), "r"(__USER_DS)
5829 + : "eax", "edx", "memory");
5830 + return size;
5831 + }
5832 +@@ -337,6 +463,7 @@ __copy_user_zeroing_intel(void *to, cons
5833 + {
5834 + int d0, d1;
5835 + __asm__ __volatile__(
5836 ++ " movw %w6, %%ds\n"
5837 + " .align 2,0x90\n"
5838 + "0: movl 32(%4), %%eax\n"
5839 + " cmpl $67, %0\n"
5840 +@@ -345,36 +472,36 @@ __copy_user_zeroing_intel(void *to, cons
5841 + " .align 2,0x90\n"
5842 + "2: movl 0(%4), %%eax\n"
5843 + "21: movl 4(%4), %%edx\n"
5844 +- " movl %%eax, 0(%3)\n"
5845 +- " movl %%edx, 4(%3)\n"
5846 ++ " movl %%eax, %%es:0(%3)\n"
5847 ++ " movl %%edx, %%es:4(%3)\n"
5848 + "3: movl 8(%4), %%eax\n"
5849 + "31: movl 12(%4),%%edx\n"
5850 +- " movl %%eax, 8(%3)\n"
5851 +- " movl %%edx, 12(%3)\n"
5852 ++ " movl %%eax, %%es:8(%3)\n"
5853 ++ " movl %%edx, %%es:12(%3)\n"
5854 + "4: movl 16(%4), %%eax\n"
5855 + "41: movl 20(%4), %%edx\n"
5856 +- " movl %%eax, 16(%3)\n"
5857 +- " movl %%edx, 20(%3)\n"
5858 ++ " movl %%eax, %%es:16(%3)\n"
5859 ++ " movl %%edx, %%es:20(%3)\n"
5860 + "10: movl 24(%4), %%eax\n"
5861 + "51: movl 28(%4), %%edx\n"
5862 +- " movl %%eax, 24(%3)\n"
5863 +- " movl %%edx, 28(%3)\n"
5864 ++ " movl %%eax, %%es:24(%3)\n"
5865 ++ " movl %%edx, %%es:28(%3)\n"
5866 + "11: movl 32(%4), %%eax\n"
5867 + "61: movl 36(%4), %%edx\n"
5868 +- " movl %%eax, 32(%3)\n"
5869 +- " movl %%edx, 36(%3)\n"
5870 ++ " movl %%eax, %%es:32(%3)\n"
5871 ++ " movl %%edx, %%es:36(%3)\n"
5872 + "12: movl 40(%4), %%eax\n"
5873 + "71: movl 44(%4), %%edx\n"
5874 +- " movl %%eax, 40(%3)\n"
5875 +- " movl %%edx, 44(%3)\n"
5876 ++ " movl %%eax, %%es:40(%3)\n"
5877 ++ " movl %%edx, %%es:44(%3)\n"
5878 + "13: movl 48(%4), %%eax\n"
5879 + "81: movl 52(%4), %%edx\n"
5880 +- " movl %%eax, 48(%3)\n"
5881 +- " movl %%edx, 52(%3)\n"
5882 ++ " movl %%eax, %%es:48(%3)\n"
5883 ++ " movl %%edx, %%es:52(%3)\n"
5884 + "14: movl 56(%4), %%eax\n"
5885 + "91: movl 60(%4), %%edx\n"
5886 +- " movl %%eax, 56(%3)\n"
5887 +- " movl %%edx, 60(%3)\n"
5888 ++ " movl %%eax, %%es:56(%3)\n"
5889 ++ " movl %%edx, %%es:60(%3)\n"
5890 + " addl $-64, %0\n"
5891 + " addl $64, %4\n"
5892 + " addl $64, %3\n"
5893 +@@ -388,6 +515,8 @@ __copy_user_zeroing_intel(void *to, cons
5894 + " movl %%eax,%0\n"
5895 + "7: rep; movsb\n"
5896 + "8:\n"
5897 ++ " pushl %%ss\n"
5898 ++ " popl %%ds\n"
5899 + ".section .fixup,\"ax\"\n"
5900 + "9: lea 0(%%eax,%0,4),%0\n"
5901 + "16: pushl %0\n"
5902 +@@ -422,7 +551,7 @@ __copy_user_zeroing_intel(void *to, cons
5903 + " .long 7b,16b\n"
5904 + ".previous"
5905 + : "=&c"(size), "=&D" (d0), "=&S" (d1)
5906 +- : "1"(to), "2"(from), "0"(size)
5907 ++ : "1"(to), "2"(from), "0"(size), "r"(__USER_DS)
5908 + : "eax", "edx", "memory");
5909 + return size;
5910 + }
5911 +@@ -438,6 +567,7 @@ static unsigned long __copy_user_zeroing
5912 + int d0, d1;
5913 +
5914 + __asm__ __volatile__(
5915 ++ " movw %w6, %%ds\n"
5916 + " .align 2,0x90\n"
5917 + "0: movl 32(%4), %%eax\n"
5918 + " cmpl $67, %0\n"
5919 +@@ -446,36 +576,36 @@ static unsigned long __copy_user_zeroing
5920 + " .align 2,0x90\n"
5921 + "2: movl 0(%4), %%eax\n"
5922 + "21: movl 4(%4), %%edx\n"
5923 +- " movnti %%eax, 0(%3)\n"
5924 +- " movnti %%edx, 4(%3)\n"
5925 ++ " movnti %%eax, %%es:0(%3)\n"
5926 ++ " movnti %%edx, %%es:4(%3)\n"
5927 + "3: movl 8(%4), %%eax\n"
5928 + "31: movl 12(%4),%%edx\n"
5929 +- " movnti %%eax, 8(%3)\n"
5930 +- " movnti %%edx, 12(%3)\n"
5931 ++ " movnti %%eax, %%es:8(%3)\n"
5932 ++ " movnti %%edx, %%es:12(%3)\n"
5933 + "4: movl 16(%4), %%eax\n"
5934 + "41: movl 20(%4), %%edx\n"
5935 +- " movnti %%eax, 16(%3)\n"
5936 +- " movnti %%edx, 20(%3)\n"
5937 ++ " movnti %%eax, %%es:16(%3)\n"
5938 ++ " movnti %%edx, %%es:20(%3)\n"
5939 + "10: movl 24(%4), %%eax\n"
5940 + "51: movl 28(%4), %%edx\n"
5941 +- " movnti %%eax, 24(%3)\n"
5942 +- " movnti %%edx, 28(%3)\n"
5943 ++ " movnti %%eax, %%es:24(%3)\n"
5944 ++ " movnti %%edx, %%es:28(%3)\n"
5945 + "11: movl 32(%4), %%eax\n"
5946 + "61: movl 36(%4), %%edx\n"
5947 +- " movnti %%eax, 32(%3)\n"
5948 +- " movnti %%edx, 36(%3)\n"
5949 ++ " movnti %%eax, %%es:32(%3)\n"
5950 ++ " movnti %%edx, %%es:36(%3)\n"
5951 + "12: movl 40(%4), %%eax\n"
5952 + "71: movl 44(%4), %%edx\n"
5953 +- " movnti %%eax, 40(%3)\n"
5954 +- " movnti %%edx, 44(%3)\n"
5955 ++ " movnti %%eax, %%es:40(%3)\n"
5956 ++ " movnti %%edx, %%es:44(%3)\n"
5957 + "13: movl 48(%4), %%eax\n"
5958 + "81: movl 52(%4), %%edx\n"
5959 +- " movnti %%eax, 48(%3)\n"
5960 +- " movnti %%edx, 52(%3)\n"
5961 ++ " movnti %%eax, %%es:48(%3)\n"
5962 ++ " movnti %%edx, %%es:52(%3)\n"
5963 + "14: movl 56(%4), %%eax\n"
5964 + "91: movl 60(%4), %%edx\n"
5965 +- " movnti %%eax, 56(%3)\n"
5966 +- " movnti %%edx, 60(%3)\n"
5967 ++ " movnti %%eax, %%es:56(%3)\n"
5968 ++ " movnti %%edx, %%es:60(%3)\n"
5969 + " addl $-64, %0\n"
5970 + " addl $64, %4\n"
5971 + " addl $64, %3\n"
5972 +@@ -490,6 +620,8 @@ static unsigned long __copy_user_zeroing
5973 + " movl %%eax,%0\n"
5974 + "7: rep; movsb\n"
5975 + "8:\n"
5976 ++ " pushl %%ss\n"
5977 ++ " popl %%ds\n"
5978 + ".section .fixup,\"ax\"\n"
5979 + "9: lea 0(%%eax,%0,4),%0\n"
5980 + "16: pushl %0\n"
5981 +@@ -524,7 +656,7 @@ static unsigned long __copy_user_zeroing
5982 + " .long 7b,16b\n"
5983 + ".previous"
5984 + : "=&c"(size), "=&D" (d0), "=&S" (d1)
5985 +- : "1"(to), "2"(from), "0"(size)
5986 ++ : "1"(to), "2"(from), "0"(size), "r"(__USER_DS)
5987 + : "eax", "edx", "memory");
5988 + return size;
5989 + }
5990 +@@ -535,6 +667,7 @@ static unsigned long __copy_user_intel_n
5991 + int d0, d1;
5992 +
5993 + __asm__ __volatile__(
5994 ++ " movw %w6, %%ds\n"
5995 + " .align 2,0x90\n"
5996 + "0: movl 32(%4), %%eax\n"
5997 + " cmpl $67, %0\n"
5998 +@@ -543,36 +676,36 @@ static unsigned long __copy_user_intel_n
5999 + " .align 2,0x90\n"
6000 + "2: movl 0(%4), %%eax\n"
6001 + "21: movl 4(%4), %%edx\n"
6002 +- " movnti %%eax, 0(%3)\n"
6003 +- " movnti %%edx, 4(%3)\n"
6004 ++ " movnti %%eax, %%es:0(%3)\n"
6005 ++ " movnti %%edx, %%es:4(%3)\n"
6006 + "3: movl 8(%4), %%eax\n"
6007 + "31: movl 12(%4),%%edx\n"
6008 +- " movnti %%eax, 8(%3)\n"
6009 +- " movnti %%edx, 12(%3)\n"
6010 ++ " movnti %%eax, %%es:8(%3)\n"
6011 ++ " movnti %%edx, %%es:12(%3)\n"
6012 + "4: movl 16(%4), %%eax\n"
6013 + "41: movl 20(%4), %%edx\n"
6014 +- " movnti %%eax, 16(%3)\n"
6015 +- " movnti %%edx, 20(%3)\n"
6016 ++ " movnti %%eax, %%es:16(%3)\n"
6017 ++ " movnti %%edx, %%es:20(%3)\n"
6018 + "10: movl 24(%4), %%eax\n"
6019 + "51: movl 28(%4), %%edx\n"
6020 +- " movnti %%eax, 24(%3)\n"
6021 +- " movnti %%edx, 28(%3)\n"
6022 ++ " movnti %%eax, %%es:24(%3)\n"
6023 ++ " movnti %%edx, %%es:28(%3)\n"
6024 + "11: movl 32(%4), %%eax\n"
6025 + "61: movl 36(%4), %%edx\n"
6026 +- " movnti %%eax, 32(%3)\n"
6027 +- " movnti %%edx, 36(%3)\n"
6028 ++ " movnti %%eax, %%es:32(%3)\n"
6029 ++ " movnti %%edx, %%es:36(%3)\n"
6030 + "12: movl 40(%4), %%eax\n"
6031 + "71: movl 44(%4), %%edx\n"
6032 +- " movnti %%eax, 40(%3)\n"
6033 +- " movnti %%edx, 44(%3)\n"
6034 ++ " movnti %%eax, %%es:40(%3)\n"
6035 ++ " movnti %%edx, %%es:44(%3)\n"
6036 + "13: movl 48(%4), %%eax\n"
6037 + "81: movl 52(%4), %%edx\n"
6038 +- " movnti %%eax, 48(%3)\n"
6039 +- " movnti %%edx, 52(%3)\n"
6040 ++ " movnti %%eax, %%es:48(%3)\n"
6041 ++ " movnti %%edx, %%es:52(%3)\n"
6042 + "14: movl 56(%4), %%eax\n"
6043 + "91: movl 60(%4), %%edx\n"
6044 +- " movnti %%eax, 56(%3)\n"
6045 +- " movnti %%edx, 60(%3)\n"
6046 ++ " movnti %%eax, %%es:56(%3)\n"
6047 ++ " movnti %%edx, %%es:60(%3)\n"
6048 + " addl $-64, %0\n"
6049 + " addl $64, %4\n"
6050 + " addl $64, %3\n"
6051 +@@ -587,6 +720,8 @@ static unsigned long __copy_user_intel_n
6052 + " movl %%eax,%0\n"
6053 + "7: rep; movsb\n"
6054 + "8:\n"
6055 ++ " pushl %%ss\n"
6056 ++ " popl %%ds\n"
6057 + ".section .fixup,\"ax\"\n"
6058 + "9: lea 0(%%eax,%0,4),%0\n"
6059 + "16: jmp 8b\n"
6060 +@@ -615,7 +750,7 @@ static unsigned long __copy_user_intel_n
6061 + " .long 7b,16b\n"
6062 + ".previous"
6063 + : "=&c"(size), "=&D" (d0), "=&S" (d1)
6064 +- : "1"(to), "2"(from), "0"(size)
6065 ++ : "1"(to), "2"(from), "0"(size), "r"(__USER_DS)
6066 + : "eax", "edx", "memory");
6067 + return size;
6068 + }
6069 +@@ -628,90 +763,146 @@ static unsigned long __copy_user_intel_n
6070 + */
6071 + unsigned long __copy_user_zeroing_intel(void *to, const void __user *from,
6072 + unsigned long size);
6073 +-unsigned long __copy_user_intel(void __user *to, const void *from,
6074 ++unsigned long __generic_copy_to_user_intel(void __user *to, const void *from,
6075 ++ unsigned long size);
6076 ++unsigned long __generic_copy_from_user_intel(void *to, const void __user *from,
6077 + unsigned long size);
6078 + unsigned long __copy_user_zeroing_intel_nocache(void *to,
6079 + const void __user *from, unsigned long size);
6080 + #endif /* CONFIG_X86_INTEL_USERCOPY */
6081 +
6082 + /* Generic arbitrary sized copy. */
6083 +-#define __copy_user(to,from,size) \
6084 +-do { \
6085 +- int __d0, __d1, __d2; \
6086 +- __asm__ __volatile__( \
6087 +- " cmp $7,%0\n" \
6088 +- " jbe 1f\n" \
6089 +- " movl %1,%0\n" \
6090 +- " negl %0\n" \
6091 +- " andl $7,%0\n" \
6092 +- " subl %0,%3\n" \
6093 +- "4: rep; movsb\n" \
6094 +- " movl %3,%0\n" \
6095 +- " shrl $2,%0\n" \
6096 +- " andl $3,%3\n" \
6097 +- " .align 2,0x90\n" \
6098 +- "0: rep; movsl\n" \
6099 +- " movl %3,%0\n" \
6100 +- "1: rep; movsb\n" \
6101 +- "2:\n" \
6102 +- ".section .fixup,\"ax\"\n" \
6103 +- "5: addl %3,%0\n" \
6104 +- " jmp 2b\n" \
6105 +- "3: lea 0(%3,%0,4),%0\n" \
6106 +- " jmp 2b\n" \
6107 +- ".previous\n" \
6108 +- ".section __ex_table,\"a\"\n" \
6109 +- " .align 4\n" \
6110 +- " .long 4b,5b\n" \
6111 +- " .long 0b,3b\n" \
6112 +- " .long 1b,2b\n" \
6113 +- ".previous" \
6114 +- : "=&c"(size), "=&D" (__d0), "=&S" (__d1), "=r"(__d2) \
6115 +- : "3"(size), "0"(size), "1"(to), "2"(from) \
6116 +- : "memory"); \
6117 +-} while (0)
6118 +-
6119 +-#define __copy_user_zeroing(to,from,size) \
6120 +-do { \
6121 +- int __d0, __d1, __d2; \
6122 +- __asm__ __volatile__( \
6123 +- " cmp $7,%0\n" \
6124 +- " jbe 1f\n" \
6125 +- " movl %1,%0\n" \
6126 +- " negl %0\n" \
6127 +- " andl $7,%0\n" \
6128 +- " subl %0,%3\n" \
6129 +- "4: rep; movsb\n" \
6130 +- " movl %3,%0\n" \
6131 +- " shrl $2,%0\n" \
6132 +- " andl $3,%3\n" \
6133 +- " .align 2,0x90\n" \
6134 +- "0: rep; movsl\n" \
6135 +- " movl %3,%0\n" \
6136 +- "1: rep; movsb\n" \
6137 +- "2:\n" \
6138 +- ".section .fixup,\"ax\"\n" \
6139 +- "5: addl %3,%0\n" \
6140 +- " jmp 6f\n" \
6141 +- "3: lea 0(%3,%0,4),%0\n" \
6142 +- "6: pushl %0\n" \
6143 +- " pushl %%eax\n" \
6144 +- " xorl %%eax,%%eax\n" \
6145 +- " rep; stosb\n" \
6146 +- " popl %%eax\n" \
6147 +- " popl %0\n" \
6148 +- " jmp 2b\n" \
6149 +- ".previous\n" \
6150 +- ".section __ex_table,\"a\"\n" \
6151 +- " .align 4\n" \
6152 +- " .long 4b,5b\n" \
6153 +- " .long 0b,3b\n" \
6154 +- " .long 1b,6b\n" \
6155 +- ".previous" \
6156 +- : "=&c"(size), "=&D" (__d0), "=&S" (__d1), "=r"(__d2) \
6157 +- : "3"(size), "0"(size), "1"(to), "2"(from) \
6158 +- : "memory"); \
6159 +-} while (0)
6160 ++static unsigned long
6161 ++__generic_copy_to_user(void __user *to, const void *from, unsigned long size)
6162 ++{
6163 ++ int __d0, __d1, __d2;
6164 ++
6165 ++ __asm__ __volatile__(
6166 ++ " movw %w8,%%es\n"
6167 ++ " cmp $7,%0\n"
6168 ++ " jbe 1f\n"
6169 ++ " movl %1,%0\n"
6170 ++ " negl %0\n"
6171 ++ " andl $7,%0\n"
6172 ++ " subl %0,%3\n"
6173 ++ "4: rep; movsb\n"
6174 ++ " movl %3,%0\n"
6175 ++ " shrl $2,%0\n"
6176 ++ " andl $3,%3\n"
6177 ++ " .align 2,0x90\n"
6178 ++ "0: rep; movsl\n"
6179 ++ " movl %3,%0\n"
6180 ++ "1: rep; movsb\n"
6181 ++ "2:\n"
6182 ++ " pushl %%ss\n"
6183 ++ " popl %%es\n"
6184 ++ ".section .fixup,\"ax\"\n"
6185 ++ "5: addl %3,%0\n"
6186 ++ " jmp 2b\n"
6187 ++ "3: lea 0(%3,%0,4),%0\n"
6188 ++ " jmp 2b\n"
6189 ++ ".previous\n"
6190 ++ ".section __ex_table,\"a\"\n"
6191 ++ " .align 4\n"
6192 ++ " .long 4b,5b\n"
6193 ++ " .long 0b,3b\n"
6194 ++ " .long 1b,2b\n"
6195 ++ ".previous"
6196 ++ : "=&c"(size), "=&D" (__d0), "=&S" (__d1), "=r"(__d2)
6197 ++ : "3"(size), "0"(size), "1"(to), "2"(from), "r"(__USER_DS)
6198 ++ : "memory");
6199 ++ return size;
6200 ++}
6201 ++
6202 ++static unsigned long
6203 ++__generic_copy_from_user(void *to, const void __user *from, unsigned long size)
6204 ++{
6205 ++ int __d0, __d1, __d2;
6206 ++
6207 ++ __asm__ __volatile__(
6208 ++ " movw %w8,%%ds\n"
6209 ++ " cmp $7,%0\n"
6210 ++ " jbe 1f\n"
6211 ++ " movl %1,%0\n"
6212 ++ " negl %0\n"
6213 ++ " andl $7,%0\n"
6214 ++ " subl %0,%3\n"
6215 ++ "4: rep; movsb\n"
6216 ++ " movl %3,%0\n"
6217 ++ " shrl $2,%0\n"
6218 ++ " andl $3,%3\n"
6219 ++ " .align 2,0x90\n"
6220 ++ "0: rep; movsl\n"
6221 ++ " movl %3,%0\n"
6222 ++ "1: rep; movsb\n"
6223 ++ "2:\n"
6224 ++ " pushl %%ss\n"
6225 ++ " popl %%ds\n"
6226 ++ ".section .fixup,\"ax\"\n"
6227 ++ "5: addl %3,%0\n"
6228 ++ " jmp 2b\n"
6229 ++ "3: lea 0(%3,%0,4),%0\n"
6230 ++ " jmp 2b\n"
6231 ++ ".previous\n"
6232 ++ ".section __ex_table,\"a\"\n"
6233 ++ " .align 4\n"
6234 ++ " .long 4b,5b\n"
6235 ++ " .long 0b,3b\n"
6236 ++ " .long 1b,2b\n"
6237 ++ ".previous"
6238 ++ : "=&c"(size), "=&D" (__d0), "=&S" (__d1), "=r"(__d2)
6239 ++ : "3"(size), "0"(size), "1"(to), "2"(from), "r"(__USER_DS)
6240 ++ : "memory");
6241 ++ return size;
6242 ++}
6243 ++
6244 ++static unsigned long
6245 ++__copy_user_zeroing(void *to, const void __user *from, unsigned long size)
6246 ++{
6247 ++ int __d0, __d1, __d2;
6248 ++
6249 ++ __asm__ __volatile__(
6250 ++ " movw %w8,%%ds\n"
6251 ++ " cmp $7,%0\n"
6252 ++ " jbe 1f\n"
6253 ++ " movl %1,%0\n"
6254 ++ " negl %0\n"
6255 ++ " andl $7,%0\n"
6256 ++ " subl %0,%3\n"
6257 ++ "4: rep; movsb\n"
6258 ++ " movl %3,%0\n"
6259 ++ " shrl $2,%0\n"
6260 ++ " andl $3,%3\n"
6261 ++ " .align 2,0x90\n"
6262 ++ "0: rep; movsl\n"
6263 ++ " movl %3,%0\n"
6264 ++ "1: rep; movsb\n"
6265 ++ "2:\n"
6266 ++ " pushl %%ss\n"
6267 ++ " popl %%ds\n"
6268 ++ ".section .fixup,\"ax\"\n"
6269 ++ "5: addl %3,%0\n"
6270 ++ " jmp 6f\n"
6271 ++ "3: lea 0(%3,%0,4),%0\n"
6272 ++ "6: pushl %0\n"
6273 ++ " pushl %%eax\n"
6274 ++ " xorl %%eax,%%eax\n"
6275 ++ " rep; stosb\n"
6276 ++ " popl %%eax\n"
6277 ++ " popl %0\n"
6278 ++ " jmp 2b\n"
6279 ++ ".previous\n"
6280 ++ ".section __ex_table,\"a\"\n"
6281 ++ " .align 4\n"
6282 ++ " .long 4b,5b\n"
6283 ++ " .long 0b,3b\n"
6284 ++ " .long 1b,6b\n"
6285 ++ ".previous"
6286 ++ : "=&c"(size), "=&D" (__d0), "=&S" (__d1), "=r"(__d2)
6287 ++ : "3"(size), "0"(size), "1"(to), "2"(from), "r"(__USER_DS)
6288 ++ : "memory");
6289 ++ return size;
6290 ++}
6291 +
6292 + unsigned long __copy_to_user_ll(void __user *to, const void *from,
6293 + unsigned long n)
6294 +@@ -774,9 +965,9 @@ survive:
6295 + }
6296 + #endif
6297 + if (movsl_is_ok(to, from, n))
6298 +- __copy_user(to, from, n);
6299 ++ n = __generic_copy_to_user(to, from, n);
6300 + else
6301 +- n = __copy_user_intel(to, from, n);
6302 ++ n = __generic_copy_to_user_intel(to, from, n);
6303 + return n;
6304 + }
6305 + EXPORT_SYMBOL(__copy_to_user_ll);
6306 +@@ -785,7 +976,7 @@ unsigned long __copy_from_user_ll(void *
6307 + unsigned long n)
6308 + {
6309 + if (movsl_is_ok(to, from, n))
6310 +- __copy_user_zeroing(to, from, n);
6311 ++ n = __copy_user_zeroing(to, from, n);
6312 + else
6313 + n = __copy_user_zeroing_intel(to, from, n);
6314 + return n;
6315 +@@ -796,9 +987,9 @@ unsigned long __copy_from_user_ll_nozero
6316 + unsigned long n)
6317 + {
6318 + if (movsl_is_ok(to, from, n))
6319 +- __copy_user(to, from, n);
6320 ++ n = __generic_copy_from_user(to, from, n);
6321 + else
6322 +- n = __copy_user_intel((void __user *)to,
6323 ++ n = __generic_copy_from_user_intel((void __user *)to,
6324 + (const void *)from, n);
6325 + return n;
6326 + }
6327 +@@ -809,11 +1000,11 @@ unsigned long __copy_from_user_ll_nocach
6328 + {
6329 + #ifdef CONFIG_X86_INTEL_USERCOPY
6330 + if ( n > 64 && cpu_has_xmm2)
6331 +- n = __copy_user_zeroing_intel_nocache(to, from, n);
6332 ++ n = __copy_user_zeroing_intel_nocache(to, from, n);
6333 + else
6334 +- __copy_user_zeroing(to, from, n);
6335 ++ n = __copy_user_zeroing(to, from, n);
6336 + #else
6337 +- __copy_user_zeroing(to, from, n);
6338 ++ n = __copy_user_zeroing(to, from, n);
6339 + #endif
6340 + return n;
6341 + }
6342 +@@ -823,11 +1014,11 @@ unsigned long __copy_from_user_ll_nocach
6343 + {
6344 + #ifdef CONFIG_X86_INTEL_USERCOPY
6345 + if ( n > 64 && cpu_has_xmm2)
6346 +- n = __copy_user_intel_nocache(to, from, n);
6347 ++ n = __copy_user_intel_nocache(to, from, n);
6348 + else
6349 +- __copy_user(to, from, n);
6350 ++ n = __generic_copy_from_user(to, from, n);
6351 + #else
6352 +- __copy_user(to, from, n);
6353 ++ n = __generic_copy_from_user(to, from, n);
6354 + #endif
6355 + return n;
6356 + }
6357 +@@ -880,3 +1071,30 @@ copy_from_user(void *to, const void __us
6358 + return n;
6359 + }
6360 + EXPORT_SYMBOL(copy_from_user);
6361 ++
6362 ++#ifdef CONFIG_PAX_MEMORY_UDEREF
6363 ++void __set_fs(mm_segment_t x, int cpu)
6364 ++{
6365 ++ unsigned long limit = x.seg;
6366 ++ __u32 a, b;
6367 ++
6368 ++ current_thread_info()->addr_limit = x;
6369 ++ if (likely(limit))
6370 ++ limit = (limit - 1UL) >> PAGE_SHIFT;
6371 ++ pack_descriptor(&a, &b, 0UL, limit, 0xF3, 0xC);
6372 ++ write_gdt_entry(get_cpu_gdt_table(cpu), GDT_ENTRY_DEFAULT_USER_DS, a, b);
6373 ++}
6374 ++
6375 ++void set_fs(mm_segment_t x)
6376 ++{
6377 ++ __set_fs(x, get_cpu());
6378 ++ put_cpu_no_resched();
6379 ++}
6380 ++#else
6381 ++void set_fs(mm_segment_t x)
6382 ++{
6383 ++ current_thread_info()->addr_limit = x;
6384 ++}
6385 ++#endif
6386 ++
6387 ++EXPORT_SYMBOL(set_fs);
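Review bot: `__set_fs` needs a comment on the descriptor arithmetic: with flags 0xC (G=1, D/B=1) the limit field is in 4K pages, so `(limit - 1UL) >> PAGE_SHIFT` makes the user data segment end at the page containing `x.seg - 1`, i.e. an addr_limit that is not page-aligned is rounded up to the next page, and `x.seg == 0` still yields a one-page segment rather than an empty one. Suggested comment above the `pack_descriptor` call: `/* G=1: limit is in 4K pages; KERNEL_DS (0xffffffff) gives a flat 4G segment, USER_DS is rounded up to a page boundary. 0xF3 = present, DPL 3, writable data. */`. The write goes only to the GDT of the CPU returned by `get_cpu()`, so the descriptor presumably has to be re-established on context switch and migration elsewhere in the patch; that is not visible here and should be referenced in the comment.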
6388 +diff -Nurp linux-2.6.23.15/arch/i386/mach-default/setup.c linux-2.6.23.15-grsec/arch/i386/mach-default/setup.c
6389 +--- linux-2.6.23.15/arch/i386/mach-default/setup.c 2007-10-09 21:31:38.000000000 +0100
6390 ++++ linux-2.6.23.15-grsec/arch/i386/mach-default/setup.c 2008-02-11 10:37:44.000000000 +0000
6391 +@@ -35,7 +35,7 @@ void __init pre_intr_init_hook(void)
6392 + /*
6393 + * IRQ2 is cascade interrupt to second interrupt controller
6394 + */
6395 +-static struct irqaction irq2 = { no_action, 0, CPU_MASK_NONE, "cascade", NULL, NULL};
6396 ++static struct irqaction irq2 = { no_action, 0, CPU_MASK_NONE, "cascade", NULL, NULL, 0, NULL};
6397 +
6398 + /**
6399 + * intr_init_hook - post gate setup interrupt initialisation
6400 +diff -Nurp linux-2.6.23.15/arch/i386/mach-voyager/voyager_basic.c linux-2.6.23.15-grsec/arch/i386/mach-voyager/voyager_basic.c
6401 +--- linux-2.6.23.15/arch/i386/mach-voyager/voyager_basic.c 2007-10-09 21:31:38.000000000 +0100
6402 ++++ linux-2.6.23.15-grsec/arch/i386/mach-voyager/voyager_basic.c 2008-02-11 10:37:44.000000000 +0000
6403 +@@ -130,7 +130,7 @@ voyager_memory_detect(int region, __u32
6404 + __u8 cmos[4];
6405 + ClickMap_t *map;
6406 + unsigned long map_addr;
6407 +- unsigned long old;
6408 ++ pte_t old;
6409 +
6410 + if(region >= CLICK_ENTRIES) {
6411 + printk("Voyager: Illegal ClickMap region %d\n", region);
6412 +@@ -144,7 +144,7 @@ voyager_memory_detect(int region, __u32
6413 +
6414 + /* steal page 0 for this */
6415 + old = pg0[0];
6416 +- pg0[0] = ((map_addr & PAGE_MASK) | _PAGE_RW | _PAGE_PRESENT);
6417 ++ pg0[0] = __pte((map_addr & PAGE_MASK) | _PAGE_RW | _PAGE_PRESENT);
6418 + local_flush_tlb();
6419 + /* now clear everything out but page 0 */
6420 + map = (ClickMap_t *)(map_addr & (~PAGE_MASK));
6421 +diff -Nurp linux-2.6.23.15/arch/i386/mach-voyager/voyager_smp.c linux-2.6.23.15-grsec/arch/i386/mach-voyager/voyager_smp.c
6422 +--- linux-2.6.23.15/arch/i386/mach-voyager/voyager_smp.c 2007-10-09 21:31:38.000000000 +0100
6423 ++++ linux-2.6.23.15-grsec/arch/i386/mach-voyager/voyager_smp.c 2008-02-11 10:37:44.000000000 +0000
6424 +@@ -554,6 +554,10 @@ do_boot_cpu(__u8 cpu)
6425 + __u32 *hijack_vector;
6426 + __u32 start_phys_address = setup_trampoline();
6427 +
6428 ++#ifdef CONFIG_PAX_KERNEXEC
6429 ++ unsigned long cr0;
6430 ++#endif
6431 ++
6432 + /* There's a clever trick to this: The linux trampoline is
6433 + * compiled to begin at absolute location zero, so make the
6434 + * address zero but have the data segment selector compensate
6435 +@@ -573,7 +577,17 @@ do_boot_cpu(__u8 cpu)
6436 +
6437 + init_gdt(cpu);
6438 + per_cpu(current_task, cpu) = idle;
6439 +- early_gdt_descr.address = (unsigned long)get_cpu_gdt_table(cpu);
6440 ++
6441 ++#ifdef CONFIG_PAX_KERNEXEC
6442 ++ pax_open_kernel(cr0);
6443 ++#endif
6444 ++
6445 ++ early_gdt_descr.address = get_cpu_gdt_table(cpu);
6446 ++
6447 ++#ifdef CONFIG_PAX_KERNEXEC
6448 ++ pax_close_kernel(cr0);
6449 ++#endif
6450 ++
6451 + irq_ctx_init(cpu);
6452 +
6453 + /* Note: Don't modify initial ss override */
6454 +@@ -1276,7 +1290,7 @@ smp_local_timer_interrupt(void)
6455 + per_cpu(prof_counter, cpu);
6456 + }
6457 +
6458 +- update_process_times(user_mode_vm(get_irq_regs()));
6459 ++ update_process_times(user_mode(get_irq_regs()));
6460 + }
6461 +
6462 + if( ((1<<cpu) & voyager_extended_vic_processors) == 0)
6463 +diff -Nurp linux-2.6.23.15/arch/i386/mm/boot_ioremap.c linux-2.6.23.15-grsec/arch/i386/mm/boot_ioremap.c
6464 +--- linux-2.6.23.15/arch/i386/mm/boot_ioremap.c 2007-10-09 21:31:38.000000000 +0100
6465 ++++ linux-2.6.23.15-grsec/arch/i386/mm/boot_ioremap.c 2008-02-11 10:37:44.000000000 +0000
6466 +@@ -7,57 +7,37 @@
6467 + * Written by Dave Hansen <haveblue@××××××.com>
6468 + */
6469 +
6470 +-
6471 +-/*
6472 +- * We need to use the 2-level pagetable functions, but CONFIG_X86_PAE
6473 +- * keeps that from happenning. If anyone has a better way, I'm listening.
6474 +- *
6475 +- * boot_pte_t is defined only if this all works correctly
6476 +- */
6477 +-
6478 +-#undef CONFIG_X86_PAE
6479 + #undef CONFIG_PARAVIRT
6480 + #include <asm/page.h>
6481 + #include <asm/pgtable.h>
6482 + #include <asm/tlbflush.h>
6483 + #include <linux/init.h>
6484 + #include <linux/stddef.h>
6485 +-
6486 +-/*
6487 +- * I'm cheating here. It is known that the two boot PTE pages are
6488 +- * allocated next to each other. I'm pretending that they're just
6489 +- * one big array.
6490 +- */
6491 +-
6492 +-#define BOOT_PTE_PTRS (PTRS_PER_PTE*2)
6493 +-
6494 +-static unsigned long boot_pte_index(unsigned long vaddr)
6495 +-{
6496 +- return __pa(vaddr) >> PAGE_SHIFT;
6497 +-}
6498 +-
6499 +-static inline boot_pte_t* boot_vaddr_to_pte(void *address)
6500 +-{
6501 +- boot_pte_t* boot_pg = (boot_pte_t*)pg0;
6502 +- return &boot_pg[boot_pte_index((unsigned long)address)];
6503 +-}
6504 ++#include <linux/sched.h>
6505 +
6506 + /*
6507 + * This is only for a caller who is clever enough to page-align
6508 + * phys_addr and virtual_source, and who also has a preference
6509 + * about which virtual address from which to steal ptes
6510 + */
6511 +-static void __boot_ioremap(unsigned long phys_addr, unsigned long nrpages,
6512 +- void* virtual_source)
6513 ++static void __init __boot_ioremap(unsigned long phys_addr, unsigned long nrpages,
6514 ++ char* virtual_source)
6515 + {
6516 +- boot_pte_t* pte;
6517 +- int i;
6518 +- char *vaddr = virtual_source;
6519 ++ pgd_t *pgd;
6520 ++ pud_t *pud;
6521 ++ pmd_t *pmd;
6522 ++ pte_t* pte;
6523 ++ unsigned int i;
6524 ++ unsigned long vaddr = (unsigned long)virtual_source;
6525 ++
6526 ++ pgd = pgd_offset_k(vaddr);
6527 ++ pud = pud_offset(pgd, vaddr);
6528 ++ pmd = pmd_offset(pud, vaddr);
6529 ++ pte = pte_offset_kernel(pmd, vaddr);
6530 +
6531 +- pte = boot_vaddr_to_pte(virtual_source);
6532 + for (i=0; i < nrpages; i++, phys_addr += PAGE_SIZE, pte++) {
6533 + set_pte(pte, pfn_pte(phys_addr>>PAGE_SHIFT, PAGE_KERNEL));
6534 +- __flush_tlb_one(&vaddr[i*PAGE_SIZE]);
6535 ++ __flush_tlb_one(&virtual_source[i*PAGE_SIZE]);
6536 + }
6537 + }
6538 +
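Review bot: `__boot_ioremap` now takes `pte` from a single `pte_offset_kernel` lookup and then advances it with `pte++` for every page, so a window that crosses a PMD boundary would walk past the end of that PTE page; the removed code had the same dependence but at least documented it. The caller and its size limit are outside this hunk, so whether this can happen depends on where the boot ioremap area lands. Please record the assumption next to the loop, e.g. `/* assumes [virtual_source, +nrpages*PAGE_SIZE) lies within one page table (no PMD crossing) */`, or re-derive `pte` when `(vaddr & ~PMD_MASK) == 0` inside the loop.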
6539 +diff -Nurp linux-2.6.23.15/arch/i386/mm/extable.c linux-2.6.23.15-grsec/arch/i386/mm/extable.c
6540 +--- linux-2.6.23.15/arch/i386/mm/extable.c 2007-10-09 21:31:38.000000000 +0100
6541 ++++ linux-2.6.23.15-grsec/arch/i386/mm/extable.c 2008-02-11 10:37:44.000000000 +0000
6542 +@@ -4,14 +4,63 @@
6543 +
6544 + #include <linux/module.h>
6545 + #include <linux/spinlock.h>
6546 ++#include <linux/sort.h>
6547 + #include <asm/uaccess.h>
6548 +
6549 ++/*
6550 ++ * The exception table needs to be sorted so that the binary
6551 ++ * search that we use to find entries in it works properly.
6552 ++ * This is used both for the kernel exception table and for
6553 ++ * the exception tables of modules that get loaded.
6554 ++ */
6555 ++static int cmp_ex(const void *a, const void *b)
6556 ++{
6557 ++ const struct exception_table_entry *x = a, *y = b;
6558 ++
6559 ++ /* avoid overflow */
6560 ++ if (x->insn > y->insn)
6561 ++ return 1;
6562 ++ if (x->insn < y->insn)
6563 ++ return -1;
6564 ++ return 0;
6565 ++}
6566 ++
6567 ++static void swap_ex(void *a, void *b, int size)
6568 ++{
6569 ++ struct exception_table_entry t, *x = a, *y = b;
6570 ++
6571 ++#ifdef CONFIG_PAX_KERNEXEC
6572 ++ unsigned long cr0;
6573 ++#endif
6574 ++
6575 ++ t = *x;
6576 ++
6577 ++#ifdef CONFIG_PAX_KERNEXEC
6578 ++ pax_open_kernel(cr0);
6579 ++#endif
6580 ++
6581 ++ *x = *y;
6582 ++ *y = t;
6583 ++
6584 ++#ifdef CONFIG_PAX_KERNEXEC
6585 ++ pax_close_kernel(cr0);
6586 ++#endif
6587 ++
6588 ++}
6589 ++
6590 ++void sort_extable(struct exception_table_entry *start,
6591 ++ struct exception_table_entry *finish)
6592 ++{
6593 ++ sort(start, finish - start, sizeof(struct exception_table_entry),
6594 ++ cmp_ex, swap_ex);
6595 ++}
6596 ++
6597 + int fixup_exception(struct pt_regs *regs)
6598 + {
6599 + const struct exception_table_entry *fixup;
6600 +
6601 + #ifdef CONFIG_PNPBIOS
6602 +- if (unlikely(SEGMENT_IS_PNP_CODE(regs->xcs)))
6603 ++ if (unlikely(!(regs->eflags & VM_MASK) && SEGMENT_IS_PNP_CODE(regs->xcs)))
6604 + {
6605 + extern u32 pnp_bios_fault_eip, pnp_bios_fault_esp;
6606 + extern u32 pnp_bios_is_utter_crap;
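Review bot: `swap_ex` reads `t = *x` before `pax_open_kernel(cr0)` and restores write protection right after the two stores, which is the right shape but is silent about why the table is read-only at all; a comment such as `/* the exception table lives in read-only kernel memory under KERNEXEC; open WP only around the two stores */` would stop a later refactor from moving the copy inside the window. The added `!(regs->eflags & VM_MASK)` guard in `fixup_exception` deserves a one-line comment too: in vm86 mode `regs->xcs` presumably holds a real-mode segment value rather than a selector, so `SEGMENT_IS_PNP_CODE` would otherwise be applied to the wrong kind of value. `fixup_exception` continues outside this hunk.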
6607 +diff -Nurp linux-2.6.23.15/arch/i386/mm/fault.c linux-2.6.23.15-grsec/arch/i386/mm/fault.c
6608 +--- linux-2.6.23.15/arch/i386/mm/fault.c 2007-10-09 21:31:38.000000000 +0100
6609 ++++ linux-2.6.23.15-grsec/arch/i386/mm/fault.c 2008-02-11 10:37:44.000000000 +0000
6610 +@@ -25,10 +25,14 @@
6611 + #include <linux/kprobes.h>
6612 + #include <linux/uaccess.h>
6613 + #include <linux/kdebug.h>
6614 ++#include <linux/unistd.h>
6615 ++#include <linux/compiler.h>
6616 ++#include <linux/binfmts.h>
6617 +
6618 + #include <asm/system.h>
6619 + #include <asm/desc.h>
6620 + #include <asm/segment.h>
6621 ++#include <asm/tlbflush.h>
6622 +
6623 + extern void die(const char *,struct pt_regs *,long);
6624 +
6625 +@@ -79,7 +83,8 @@ static inline unsigned long get_segment_
6626 + {
6627 + unsigned long eip = regs->eip;
6628 + unsigned seg = regs->xcs & 0xffff;
6629 +- u32 seg_ar, seg_limit, base, *desc;
6630 ++ u32 seg_ar, seg_limit, base;
6631 ++ struct desc_struct *desc;
6632 +
6633 + /* Unlikely, but must come before segment checks. */
6634 + if (unlikely(regs->eflags & VM_MASK)) {
6635 +@@ -93,7 +98,7 @@ static inline unsigned long get_segment_
6636 +
6637 + /* By far the most common cases. */
6638 + if (likely(SEGMENT_IS_FLAT_CODE(seg)))
6639 +- return eip;
6640 ++ return eip + (seg == __KERNEL_CS ? __KERNEL_TEXT_OFFSET : 0);
6641 +
6642 + /* Check the segment exists, is within the current LDT/GDT size,
6643 + that kernel/user (ring 0..3) has the appropriate privilege,
6644 +@@ -111,16 +116,19 @@ static inline unsigned long get_segment_
6645 + if (seg & (1<<2)) {
6646 + /* Must lock the LDT while reading it. */
6647 + down(&current->mm->context.sem);
6648 +- desc = current->mm->context.ldt;
6649 +- desc = (void *)desc + (seg & ~7);
6650 ++ if ((seg >> 3) >= current->mm->context.size) {
6651 ++ up(&current->mm->context.sem);
6652 ++ *eip_limit = 0;
6653 ++ return 1; /* So that returned eip > *eip_limit. */
6654 ++ }
6655 ++ desc = &current->mm->context.ldt[seg >> 3];
6656 + } else {
6657 + /* Must disable preemption while reading the GDT. */
6658 +- desc = (u32 *)get_cpu_gdt_table(get_cpu());
6659 +- desc = (void *)desc + (seg & ~7);
6660 ++ desc = &get_cpu_gdt_table(get_cpu())[seg >> 3];
6661 + }
6662 +
6663 + /* Decode the code segment base from the descriptor */
6664 +- base = get_desc_base((unsigned long *)desc);
6665 ++ base = get_desc_base(desc);
6666 +
6667 + if (seg & (1<<2)) {
6668 + up(&current->mm->context.sem);
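Review bot: The new `(seg >> 3) >= current->mm->context.size` test in the LDT branch is a real bounds check on the `context.ldt` array and should say so, since `context.size` is read under `context.sem` here; suggested comment: `/* index must be within the LDT we allocated, not just within the hardware limit */`. The GDT branch still indexes `get_cpu_gdt_table(get_cpu())[seg >> 3]` with no range check; presumably the `lar`/`lsl` validation further down (outside this hunk) rejects out-of-range selectors, but the two branches should be documented together so the asymmetry is clearly intentional. The early-return path does release `context.sem` before returning, matching the normal path at the end of the hunk.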
6669 +@@ -221,6 +229,30 @@ static noinline void force_sig_info_faul
6670 +
6671 + fastcall void do_invalid_op(struct pt_regs *, unsigned long);
6672 +
6673 ++#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
6674 ++static int pax_handle_fetch_fault(struct pt_regs *regs);
6675 ++#endif
6676 ++
6677 ++#ifdef CONFIG_PAX_PAGEEXEC
6678 ++static inline pmd_t * pax_get_pmd(struct mm_struct *mm, unsigned long address)
6679 ++{
6680 ++ pgd_t *pgd;
6681 ++ pud_t *pud;
6682 ++ pmd_t *pmd;
6683 ++
6684 ++ pgd = pgd_offset(mm, address);
6685 ++ if (!pgd_present(*pgd))
6686 ++ return NULL;
6687 ++ pud = pud_offset(pgd, address);
6688 ++ if (!pud_present(*pud))
6689 ++ return NULL;
6690 ++ pmd = pmd_offset(pud, address);
6691 ++ if (!pmd_present(*pmd))
6692 ++ return NULL;
6693 ++ return pmd;
6694 ++}
6695 ++#endif
6696 ++
6697 + static inline pmd_t *vmalloc_sync_one(pgd_t *pgd, unsigned long address)
6698 + {
6699 + unsigned index = pgd_index(address);
6700 +@@ -304,14 +336,21 @@ fastcall void __kprobes do_page_fault(st
6701 + struct task_struct *tsk;
6702 + struct mm_struct *mm;
6703 + struct vm_area_struct * vma;
6704 +- unsigned long address;
6705 + int write, si_code;
6706 + int fault;
6707 ++ pte_t *pte;
6708 ++
6709 ++#ifdef CONFIG_PAX_PAGEEXEC
6710 ++ pmd_t *pmd;
6711 ++ spinlock_t *ptl;
6712 ++ unsigned char pte_mask;
6713 ++#endif
6714 +
6715 + /* get the address */
6716 +- address = read_cr2();
6717 ++ const unsigned long address = read_cr2();
6718 +
6719 + tsk = current;
6720 ++ mm = tsk->mm;
6721 +
6722 + si_code = SEGV_MAPERR;
6723 +
6724 +@@ -348,14 +387,12 @@ fastcall void __kprobes do_page_fault(st
6725 + if (regs->eflags & (X86_EFLAGS_IF|VM_MASK))
6726 + local_irq_enable();
6727 +
6728 +- mm = tsk->mm;
6729 +-
6730 + /*
6731 + * If we're in an interrupt, have no user context or are running in an
6732 + * atomic region then we must not take the fault..
6733 + */
6734 + if (in_atomic() || !mm)
6735 +- goto bad_area_nosemaphore;
6736 ++ goto bad_area_nopax;
6737 +
6738 + /* When running in the kernel we expect faults to occur only to
6739 + * addresses in user space. All other faults represent errors in the
6740 +@@ -375,10 +412,104 @@ fastcall void __kprobes do_page_fault(st
6741 + if (!down_read_trylock(&mm->mmap_sem)) {
6742 + if ((error_code & 4) == 0 &&
6743 + !search_exception_tables(regs->eip))
6744 +- goto bad_area_nosemaphore;
6745 ++ goto bad_area_nopax;
6746 + down_read(&mm->mmap_sem);
6747 + }
6748 +
6749 ++#ifdef CONFIG_PAX_PAGEEXEC
6750 ++ if (nx_enabled || (error_code & 5) != 5 || (regs->eflags & X86_EFLAGS_VM) ||
6751 ++ !(mm->pax_flags & MF_PAX_PAGEEXEC))
6752 ++ goto not_pax_fault;
6753 ++
6754 ++ /* PaX: it's our fault, let's handle it if we can */
6755 ++
6756 ++ /* PaX: take a look at read faults before acquiring any locks */
6757 ++ if (unlikely(!(error_code & 2) && (regs->eip == address))) {
6758 ++ /* instruction fetch attempt from a protected page in user mode */
6759 ++ up_read(&mm->mmap_sem);
6760 ++
6761 ++#ifdef CONFIG_PAX_EMUTRAMP
6762 ++ switch (pax_handle_fetch_fault(regs)) {
6763 ++ case 2:
6764 ++ return;
6765 ++ }
6766 ++#endif
6767 ++
6768 ++ pax_report_fault(regs, (void *)regs->eip, (void *)regs->esp);
6769 ++ do_exit(SIGKILL);
6770 ++ }
6771 ++
6772 ++ pmd = pax_get_pmd(mm, address);
6773 ++ if (unlikely(!pmd))
6774 ++ goto not_pax_fault;
6775 ++
6776 ++ pte = pte_offset_map_lock(mm, pmd, address, &ptl);
6777 ++ if (unlikely(!(pte_val(*pte) & _PAGE_PRESENT) || pte_user(*pte))) {
6778 ++ pte_unmap_unlock(pte, ptl);
6779 ++ goto not_pax_fault;
6780 ++ }
6781 ++
6782 ++ if (unlikely((error_code & 2) && !pte_write(*pte))) {
6783 ++ /* write attempt to a protected page in user mode */
6784 ++ pte_unmap_unlock(pte, ptl);
6785 ++ goto not_pax_fault;
6786 ++ }
6787 ++
6788 ++#ifdef CONFIG_SMP
6789 ++ if (likely(address > get_limit(regs->xcs) && cpu_isset(smp_processor_id(), mm->context.cpu_user_cs_mask)))
6790 ++#else
6791 ++ if (likely(address > get_limit(regs->xcs)))
6792 ++#endif
6793 ++ {
6794 ++ set_pte(pte, pte_mkread(*pte));
6795 ++ __flush_tlb_one(address);
6796 ++ pte_unmap_unlock(pte, ptl);
6797 ++ up_read(&mm->mmap_sem);
6798 ++ return;
6799 ++ }
6800 ++
6801 ++ pte_mask = _PAGE_ACCESSED | _PAGE_USER | ((error_code & 2) << (_PAGE_BIT_DIRTY-1));
6802 ++
6803 ++ /*
6804 ++ * PaX: fill DTLB with user rights and retry
6805 ++ */
6806 ++ __asm__ __volatile__ (
6807 ++#ifdef CONFIG_PAX_MEMORY_UDEREF
6808 ++ "movw %w4,%%es\n"
6809 ++#endif
6810 ++ "orb %2,(%1)\n"
6811 ++#if defined(CONFIG_M586) || defined(CONFIG_M586TSC)
6812 ++/*
6813 ++ * PaX: let this uncommented 'invlpg' remind us on the behaviour of Intel's
6814 ++ * (and AMD's) TLBs. namely, they do not cache PTEs that would raise *any*
6815 ++ * page fault when examined during a TLB load attempt. this is true not only
6816 ++ * for PTEs holding a non-present entry but also present entries that will
6817 ++ * raise a page fault (such as those set up by PaX, or the copy-on-write
6818 ++ * mechanism). in effect it means that we do *not* need to flush the TLBs
6819 ++ * for our target pages since their PTEs are simply not in the TLBs at all.
6820 ++
6821 ++ * the best thing in omitting it is that we gain around 15-20% speed in the
6822 ++ * fast path of the page fault handler and can get rid of tracing since we
6823 ++ * can no longer flush unintended entries.
6824 ++ */
6825 ++ "invlpg (%0)\n"
6826 ++#endif
6827 ++ "testb $0,%%es:(%0)\n"
6828 ++ "xorb %3,(%1)\n"
6829 ++#ifdef CONFIG_PAX_MEMORY_UDEREF
6830 ++ "pushl %%ss\n"
6831 ++ "popl %%es\n"
6832 ++#endif
6833 ++ :
6834 ++ : "r" (address), "r" (pte), "q" (pte_mask), "i" (_PAGE_USER), "r" (__USER_DS)
6835 ++ : "memory", "cc");
6836 ++ pte_unmap_unlock(pte, ptl);
6837 ++ up_read(&mm->mmap_sem);
6838 ++ return;
6839 ++
6840 ++not_pax_fault:
6841 ++#endif
6842 ++
6843 + vma = find_vma(mm, address);
6844 + if (!vma)
6845 + goto bad_area;
6846 +@@ -396,6 +527,12 @@ fastcall void __kprobes do_page_fault(st
6847 + if (address + 65536 + 32 * sizeof(unsigned long) < regs->esp)
6848 + goto bad_area;
6849 + }
6850 ++
6851 ++#ifdef CONFIG_PAX_SEGMEXEC
6852 ++ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && vma->vm_end - SEGMEXEC_TASK_SIZE - 1 < address - SEGMEXEC_TASK_SIZE - 1)
6853 ++ goto bad_area;
6854 ++#endif
6855 ++
6856 + if (expand_stack(vma, address))
6857 + goto bad_area;
6858 + /*
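Review bot: the SEGMEXEC condition `vma->vm_end - SEGMEXEC_TASK_SIZE - 1 < address - SEGMEXEC_TASK_SIZE - 1` relies on unsigned wrap-around and reads like a typo without a comment. Given `address < vma->vm_start` in this stack-expansion branch, the comparison is true exactly when `address` is at or below `SEGMEXEC_TASK_SIZE` while `vma->vm_end` is above it, i.e. the stack would grow across the SEGMEXEC split. Suggested comment: `/* unsigned-wrap trick: refuse to let the stack expand across the SEGMEXEC_TASK_SIZE boundary */`. `do_page_fault` continues outside this hunk.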
6859 +@@ -405,6 +542,8 @@ fastcall void __kprobes do_page_fault(st
6860 + good_area:
6861 + si_code = SEGV_ACCERR;
6862 + write = 0;
6863 ++ if (nx_enabled && (error_code & 16) && !(vma->vm_flags & VM_EXEC))
6864 ++ goto bad_area;
6865 + switch (error_code & 3) {
6866 + default: /* 3: write, present */
6867 + /* fall through */
6868 +@@ -458,6 +597,41 @@ bad_area:
6869 + up_read(&mm->mmap_sem);
6870 +
6871 + bad_area_nosemaphore:
6872 ++
6873 ++#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
6874 ++ if (mm && (error_code & 4) && !(regs->eflags & X86_EFLAGS_VM)) {
6875 ++ /*
6876 ++ * It's possible to have interrupts off here.
6877 ++ */
6878 ++ local_irq_enable();
6879 ++
6880 ++#ifdef CONFIG_PAX_PAGEEXEC
6881 ++ if ((nx_enabled && (error_code & 16)) ||
6882 ++ ((mm->pax_flags & MF_PAX_PAGEEXEC) && !(error_code & 3) && (regs->eip == address))) {
6883 ++ pax_report_fault(regs, (void *)regs->eip, (void *)regs->esp);
6884 ++ do_exit(SIGKILL);
6885 ++ }
6886 ++#endif
6887 ++
6888 ++#ifdef CONFIG_PAX_SEGMEXEC
6889 ++ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && !(error_code & 3) && (regs->eip + SEGMEXEC_TASK_SIZE == address)) {
6890 ++
6891 ++#ifdef CONFIG_PAX_EMUTRAMP
6892 ++ switch (pax_handle_fetch_fault(regs)) {
6893 ++ case 2:
6894 ++ return;
6895 ++ }
6896 ++#endif
6897 ++
6898 ++ pax_report_fault(regs, (void *)regs->eip, (void *)regs->esp);
6899 ++ do_exit(SIGKILL);
6900 ++ }
6901 ++#endif
6902 ++
6903 ++ }
6904 ++#endif
6905 ++
6906 ++bad_area_nopax:
6907 + /* User mode accesses just cause a SIGSEGV */
6908 + if (error_code & 4) {
6909 + /*
6910 +@@ -495,7 +669,7 @@ bad_area_nosemaphore:
6911 + if (boot_cpu_data.f00f_bug) {
6912 + unsigned long nr;
6913 +
6914 +- nr = (address - idt_descr.address) >> 3;
6915 ++ nr = (address - (unsigned long)idt_descr.address) >> 3;
6916 +
6917 + if (nr == 6) {
6918 + do_invalid_op(regs, 0);
6919 +@@ -528,18 +702,34 @@ no_context:
6920 + __typeof__(pte_val(__pte(0))) page;
6921 +
6922 + #ifdef CONFIG_X86_PAE
6923 +- if (error_code & 16) {
6924 +- pte_t *pte = lookup_address(address);
6925 ++ if (nx_enabled && (error_code & 16)) {
6926 ++ pte = lookup_address(address);
6927 +
6928 + if (pte && pte_present(*pte) && !pte_exec_kernel(*pte))
6929 + printk(KERN_CRIT "kernel tried to execute "
6930 + "NX-protected page - exploit attempt? "
6931 +- "(uid: %d)\n", current->uid);
6932 ++ "(uid: %d, task: %s, pid: %d)\n",
6933 ++ current->uid, current->comm, current->pid);
6934 + }
6935 + #endif
6936 + if (address < PAGE_SIZE)
6937 + printk(KERN_ALERT "BUG: unable to handle kernel NULL "
6938 + "pointer dereference");
6939 ++
6940 ++#ifdef CONFIG_PAX_KERNEXEC
6941 ++#ifdef CONFIG_MODULES
6942 ++ else if (init_mm.start_code <= address && address < (unsigned long)MODULES_END)
6943 ++#else
6944 ++ else if (init_mm.start_code <= address && address < init_mm.end_code)
6945 ++#endif
6946 ++ if (tsk->signal->curr_ip)
6947 ++ printk(KERN_ERR "PAX: From %u.%u.%u.%u: %s:%d, uid/euid: %u/%u, attempted to modify kernel code",
6948 ++ NIPQUAD(tsk->signal->curr_ip), tsk->comm, tsk->pid, tsk->uid, tsk->euid);
6949 ++ else
6950 ++ printk(KERN_ERR "PAX: %s:%d, uid/euid: %u/%u, attempted to modify kernel code",
6951 ++ tsk->comm, tsk->pid, tsk->uid, tsk->euid);
6952 ++#endif
6953 ++
6954 + else
6955 + printk(KERN_ALERT "BUG: unable to handle kernel paging"
6956 + " request");
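Review bot: the KERNEXEC branch nests an un-braced `if (tsk->signal->curr_ip) ... else ...` inside an un-braced `else if`, and the original `else printk(KERN_ALERT "BUG: unable to handle kernel paging" ...)` then attaches to that `else if` only because the inner if/else is complete; this parses correctly today but is one edit away from a dangling-else bug, so brace the `else if` body. The two PAX messages also omit a trailing newline, presumably because the following `printk(" at virtual address ...")` outside this hunk completes the line as it does for the existing BUG messages; a short comment such as `/* no newline: completed by the "at virtual address" printk below */` would make that dependency explicit.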
6957 +@@ -570,7 +760,7 @@ no_context:
6958 + * it's allocated already.
6959 + */
6960 + if ((page >> PAGE_SHIFT) < max_low_pfn
6961 +- && (page & _PAGE_PRESENT)) {
6962 ++ && (page & (_PAGE_PRESENT | _PAGE_PSE)) == _PAGE_PRESENT) {
6963 + page &= PAGE_MASK;
6964 + page = ((__typeof__(page) *) __va(page))[(address >> PAGE_SHIFT)
6965 + & (PTRS_PER_PTE - 1)];
6966 +@@ -655,3 +845,92 @@ void vmalloc_sync_all(void)
6967 + start = address + PGDIR_SIZE;
6968 + }
6969 + }
6970 ++
6971 ++#ifdef CONFIG_PAX_EMUTRAMP
6972 ++/*
6973 ++ * PaX: decide what to do with offenders (regs->eip = fault address)
6974 ++ *
6975 ++ * returns 1 when task should be killed
6976 ++ * 2 when gcc trampoline was detected
6977 ++ */
6978 ++static int pax_handle_fetch_fault(struct pt_regs *regs)
6979 ++{
6980 ++ int err;
6981 ++
6982 ++ if (regs->eflags & X86_EFLAGS_VM)
6983 ++ return 1;
6984 ++
6985 ++ if (!(current->mm->pax_flags & MF_PAX_EMUTRAMP))
6986 ++ return 1;
6987 ++
6988 ++ do { /* PaX: gcc trampoline emulation #1 */
6989 ++ unsigned char mov1, mov2;
6990 ++ unsigned short jmp;
6991 ++ unsigned long addr1, addr2;
6992 ++
6993 ++ err = get_user(mov1, (unsigned char __user *)regs->eip);
6994 ++ err |= get_user(addr1, (unsigned long __user *)(regs->eip + 1));
6995 ++ err |= get_user(mov2, (unsigned char __user *)(regs->eip + 5));
6996 ++ err |= get_user(addr2, (unsigned long __user *)(regs->eip + 6));
6997 ++ err |= get_user(jmp, (unsigned short __user *)(regs->eip + 10));
6998 ++
6999 ++ if (err)
7000 ++ break;
7001 ++
7002 ++ if (mov1 == 0xB9 && mov2 == 0xB8 && jmp == 0xE0FF) {
7003 ++ regs->ecx = addr1;
7004 ++ regs->eax = addr2;
7005 ++ regs->eip = addr2;
7006 ++ return 2;
7007 ++ }
7008 ++ } while (0);
7009 ++
7010 ++ do { /* PaX: gcc trampoline emulation #2 */
7011 ++ unsigned char mov, jmp;
7012 ++ unsigned long addr1, addr2;
7013 ++
7014 ++ err = get_user(mov, (unsigned char __user *)regs->eip);
7015 ++ err |= get_user(addr1, (unsigned long __user *)(regs->eip + 1));
7016 ++ err |= get_user(jmp, (unsigned char __user *)(regs->eip + 5));
7017 ++ err |= get_user(addr2, (unsigned long __user *)(regs->eip + 6));
7018 ++
7019 ++ if (err)
7020 ++ break;
7021 ++
7022 ++ if (mov == 0xB9 && jmp == 0xE9) {
7023 ++ regs->ecx = addr1;
7024 ++ regs->eip += addr2 + 10;
7025 ++ return 2;
7026 ++ }
7027 ++ } while (0);
7028 ++
7029 ++ return 1; /* PaX in action */
7030 ++}
7031 ++#endif
7032 ++
7033 ++#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
7034 ++void pax_report_insns(void *pc, void *sp)
7035 ++{
7036 ++ long i;
7037 ++
7038 ++ printk(KERN_ERR "PAX: bytes at PC: ");
7039 ++ for (i = 0; i < 20; i++) {
7040 ++ unsigned char c;
7041 ++ if (get_user(c, (unsigned char __user *)pc+i))
7042 ++ printk("?? ");
7043 ++ else
7044 ++ printk("%02x ", c);
7045 ++ }
7046 ++ printk("\n");
7047 ++
7048 ++ printk(KERN_ERR "PAX: bytes at SP-4: ");
7049 ++ for (i = -1; i < 20; i++) {
7050 ++ unsigned long c;
7051 ++ if (get_user(c, (unsigned long __user *)sp+i))
7052 ++ printk("???????? ");
7053 ++ else
7054 ++ printk("%08lx ", c);
7055 ++ }
7056 ++ printk("\n");
7057 ++}
7058 ++#endif
7059 +diff -Nurp linux-2.6.23.15/arch/i386/mm/hugetlbpage.c linux-2.6.23.15-grsec/arch/i386/mm/hugetlbpage.c
7060 +--- linux-2.6.23.15/arch/i386/mm/hugetlbpage.c 2007-10-09 21:31:38.000000000 +0100
7061 ++++ linux-2.6.23.15-grsec/arch/i386/mm/hugetlbpage.c 2008-02-11 10:37:44.000000000 +0000
7062 +@@ -229,13 +229,18 @@ static unsigned long hugetlb_get_unmappe
7063 + {
7064 + struct mm_struct *mm = current->mm;
7065 + struct vm_area_struct *vma;
7066 +- unsigned long start_addr;
7067 ++ unsigned long start_addr, task_size = TASK_SIZE;
7068 ++
7069 ++#ifdef CONFIG_PAX_SEGMEXEC
7070 ++ if (mm->pax_flags & MF_PAX_SEGMEXEC)
7071 ++ task_size = SEGMEXEC_TASK_SIZE;
7072 ++#endif
7073 +
7074 + if (len > mm->cached_hole_size) {
7075 +- start_addr = mm->free_area_cache;
7076 ++ start_addr = mm->free_area_cache;
7077 + } else {
7078 +- start_addr = TASK_UNMAPPED_BASE;
7079 +- mm->cached_hole_size = 0;
7080 ++ start_addr = mm->mmap_base;
7081 ++ mm->cached_hole_size = 0;
7082 + }
7083 +
7084 + full_search:
7085 +@@ -243,13 +248,13 @@ full_search:
7086 +
7087 + for (vma = find_vma(mm, addr); ; vma = vma->vm_next) {
7088 + /* At this point: (!vma || addr < vma->vm_end). */
7089 +- if (TASK_SIZE - len < addr) {
7090 ++ if (task_size - len < addr) {
7091 + /*
7092 + * Start a new search - just in case we missed
7093 + * some holes.
7094 + */
7095 +- if (start_addr != TASK_UNMAPPED_BASE) {
7096 +- start_addr = TASK_UNMAPPED_BASE;
7097 ++ if (start_addr != mm->mmap_base) {
7098 ++ start_addr = mm->mmap_base;
7099 + mm->cached_hole_size = 0;
7100 + goto full_search;
7101 + }
7102 +@@ -271,9 +276,8 @@ static unsigned long hugetlb_get_unmappe
7103 + {
7104 + struct mm_struct *mm = current->mm;
7105 + struct vm_area_struct *vma, *prev_vma;
7106 +- unsigned long base = mm->mmap_base, addr = addr0;
7107 ++ unsigned long base = mm->mmap_base, addr;
7108 + unsigned long largest_hole = mm->cached_hole_size;
7109 +- int first_time = 1;
7110 +
7111 + /* don't allow allocations above current base */
7112 + if (mm->free_area_cache > base)
7113 +@@ -283,7 +287,7 @@ static unsigned long hugetlb_get_unmappe
7114 + largest_hole = 0;
7115 + mm->free_area_cache = base;
7116 + }
7117 +-try_again:
7118 ++
7119 + /* make sure it can fit in the remaining address space */
7120 + if (mm->free_area_cache < len)
7121 + goto fail;
7122 +@@ -325,22 +329,26 @@ try_again:
7123 +
7124 + fail:
7125 + /*
7126 +- * if hint left us with no space for the requested
7127 +- * mapping then try again:
7128 +- */
7129 +- if (first_time) {
7130 +- mm->free_area_cache = base;
7131 +- largest_hole = 0;
7132 +- first_time = 0;
7133 +- goto try_again;
7134 +- }
7135 +- /*
7136 + * A failed mmap() very likely causes application failure,
7137 + * so fall back to the bottom-up function here. This scenario
7138 + * can happen with large stack limits and large mmap()
7139 + * allocations.
7140 + */
7141 +- mm->free_area_cache = TASK_UNMAPPED_BASE;
7142 ++
7143 ++#ifdef CONFIG_PAX_SEGMEXEC
7144 ++ if (mm->pax_flags & MF_PAX_SEGMEXEC)
7145 ++ mm->mmap_base = SEGMEXEC_TASK_UNMAPPED_BASE;
7146 ++ else
7147 ++#endif
7148 ++
7149 ++ mm->mmap_base = TASK_UNMAPPED_BASE;
7150 ++
7151 ++#ifdef CONFIG_PAX_RANDMMAP
7152 ++ if (mm->pax_flags & MF_PAX_RANDMMAP)
7153 ++ mm->mmap_base += mm->delta_mmap;
7154 ++#endif
7155 ++
7156 ++ mm->free_area_cache = mm->mmap_base;
7157 + mm->cached_hole_size = ~0UL;
7158 + addr = hugetlb_get_unmapped_area_bottomup(file, addr0,
7159 + len, pgoff, flags);
7160 +@@ -348,6 +356,7 @@ fail:
7161 + /*
7162 + * Restore the topdown base:
7163 + */
7164 ++ mm->mmap_base = base;
7165 + mm->free_area_cache = base;
7166 + mm->cached_hole_size = ~0UL;
7167 +
7168 +@@ -360,10 +369,17 @@ hugetlb_get_unmapped_area(struct file *f
7169 + {
7170 + struct mm_struct *mm = current->mm;
7171 + struct vm_area_struct *vma;
7172 ++ unsigned long task_size = TASK_SIZE;
7173 +
7174 + if (len & ~HPAGE_MASK)
7175 + return -EINVAL;
7176 +- if (len > TASK_SIZE)
7177 ++
7178 ++#ifdef CONFIG_PAX_SEGMEXEC
7179 ++ if (mm->pax_flags & MF_PAX_SEGMEXEC)
7180 ++ task_size = SEGMEXEC_TASK_SIZE;
7181 ++#endif
7182 ++
7183 ++ if (len > task_size)
7184 + return -ENOMEM;
7185 +
7186 + if (flags & MAP_FIXED) {
7187 +@@ -375,7 +391,7 @@ hugetlb_get_unmapped_area(struct file *f
7188 + if (addr) {
7189 + addr = ALIGN(addr, HPAGE_SIZE);
7190 + vma = find_vma(mm, addr);
7191 +- if (TASK_SIZE - len >= addr &&
7192 ++ if (task_size - len >= addr &&
7193 + (!vma || addr + len <= vma->vm_start))
7194 + return addr;
7195 + }
7196 +diff -Nurp linux-2.6.23.15/arch/i386/mm/init.c linux-2.6.23.15-grsec/arch/i386/mm/init.c
7197 +--- linux-2.6.23.15/arch/i386/mm/init.c 2007-10-09 21:31:38.000000000 +0100
7198 ++++ linux-2.6.23.15-grsec/arch/i386/mm/init.c 2008-02-11 10:37:44.000000000 +0000
7199 +@@ -44,6 +44,7 @@
7200 + #include <asm/tlbflush.h>
7201 + #include <asm/sections.h>
7202 + #include <asm/paravirt.h>
7203 ++#include <asm/desc.h>
7204 +
7205 + unsigned int __VMALLOC_RESERVE = 128 << 20;
7206 +
7207 +@@ -53,32 +54,6 @@ unsigned long highstart_pfn, highend_pfn
7208 + static int noinline do_test_wp_bit(void);
7209 +
7210 + /*
7211 +- * Creates a middle page table and puts a pointer to it in the
7212 +- * given global directory entry. This only returns the gd entry
7213 +- * in non-PAE compilation mode, since the middle layer is folded.
7214 +- */
7215 +-static pmd_t * __init one_md_table_init(pgd_t *pgd)
7216 +-{
7217 +- pud_t *pud;
7218 +- pmd_t *pmd_table;
7219 +-
7220 +-#ifdef CONFIG_X86_PAE
7221 +- if (!(pgd_val(*pgd) & _PAGE_PRESENT)) {
7222 +- pmd_table = (pmd_t *) alloc_bootmem_low_pages(PAGE_SIZE);
7223 +-
7224 +- paravirt_alloc_pd(__pa(pmd_table) >> PAGE_SHIFT);
7225 +- set_pgd(pgd, __pgd(__pa(pmd_table) | _PAGE_PRESENT));
7226 +- pud = pud_offset(pgd, 0);
7227 +- if (pmd_table != pmd_offset(pud, 0))
7228 +- BUG();
7229 +- }
7230 +-#endif
7231 +- pud = pud_offset(pgd, 0);
7232 +- pmd_table = pmd_offset(pud, 0);
7233 +- return pmd_table;
7234 +-}
7235 +-
7236 +-/*
7237 + * Create a page table and place a pointer to it in a middle page
7238 + * directory entry.
7239 + */
7240 +@@ -88,7 +63,11 @@ static pte_t * __init one_page_table_ini
7241 + pte_t *page_table = (pte_t *) alloc_bootmem_low_pages(PAGE_SIZE);
7242 +
7243 + paravirt_alloc_pt(&init_mm, __pa(page_table) >> PAGE_SHIFT);
7244 ++#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
7245 ++ set_pmd(pmd, __pmd(__pa(page_table) | _KERNPG_TABLE));
7246 ++#else
7247 + set_pmd(pmd, __pmd(__pa(page_table) | _PAGE_TABLE));
7248 ++#endif
7249 + BUG_ON(page_table != pte_offset_kernel(pmd, 0));
7250 + }
7251 +
7252 +@@ -109,6 +88,7 @@ static pte_t * __init one_page_table_ini
7253 + static void __init page_table_range_init (unsigned long start, unsigned long end, pgd_t *pgd_base)
7254 + {
7255 + pgd_t *pgd;
7256 ++ pud_t *pud;
7257 + pmd_t *pmd;
7258 + int pgd_idx, pmd_idx;
7259 + unsigned long vaddr;
7260 +@@ -119,8 +99,13 @@ static void __init page_table_range_init
7261 + pgd = pgd_base + pgd_idx;
7262 +
7263 + for ( ; (pgd_idx < PTRS_PER_PGD) && (vaddr != end); pgd++, pgd_idx++) {
7264 +- pmd = one_md_table_init(pgd);
7265 +- pmd = pmd + pmd_index(vaddr);
7266 ++ pud = pud_offset(pgd, vaddr);
7267 ++ pmd = pmd_offset(pud, vaddr);
7268 ++
7269 ++#ifdef CONFIG_X86_PAE
7270 ++ paravirt_alloc_pd(__pa(pmd) >> PAGE_SHIFT);
7271 ++#endif
7272 ++
7273 + for (; (pmd_idx < PTRS_PER_PMD) && (vaddr != end); pmd++, pmd_idx++) {
7274 + one_page_table_init(pmd);
7275 +
7276 +@@ -130,11 +115,23 @@ static void __init page_table_range_init
7277 + }
7278 + }
7279 +
7280 +-static inline int is_kernel_text(unsigned long addr)
7281 ++static inline int is_kernel_text(unsigned long start, unsigned long end)
7282 + {
7283 +- if (addr >= PAGE_OFFSET && addr <= (unsigned long)__init_end)
7284 +- return 1;
7285 +- return 0;
7286 ++ unsigned long etext;
7287 ++
7288 ++#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
7289 ++ etext = (unsigned long)&MODULES_END - __KERNEL_TEXT_OFFSET;
7290 ++#else
7291 ++ etext = (unsigned long)&_etext;
7292 ++#endif
7293 ++
7294 ++ if ((start > etext + __KERNEL_TEXT_OFFSET ||
7295 ++ end <= (unsigned long)_stext + __KERNEL_TEXT_OFFSET) &&
7296 ++ (start > (unsigned long)_einittext + __KERNEL_TEXT_OFFSET ||
7297 ++ end <= (unsigned long)_sinittext + __KERNEL_TEXT_OFFSET) &&
7298 ++ (start > (unsigned long)__va(0xfffff) || end <= (unsigned long)__va(0xc0000)))
7299 ++ return 0;
7300 ++ return 1;
7301 + }
7302 +
7303 + /*
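Review bot: The third clause of the new condition in is_kernel_text carves out `__va(0xc0000)`–`__va(0xfffff)` with bare literals and no comment, while the text and init-text bounds are named, so a reader cannot tell that this range is kept executable on purpose or why. Suggest naming the bounds (constructed names: `LEGACY_ROM_START 0xc0000UL`, `LEGACY_ROM_END 0x100000UL`) and a comment such as `/* keep the legacy BIOS/option-ROM area executable */`, extended with the real reason — my guess is the PCI BIOS calls changed later in this patch. The bound style is also mixed: `start > __va(0xfffff)` is the inclusive form of the exclusive `end <= ...` tests used everywhere else, and `start >= __va(0x100000)` would read consistently with the `0x100000` literal that reappears in kernel_physical_mapping_init.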
7304 +@@ -146,25 +143,29 @@ static void __init kernel_physical_mappi
7305 + {
7306 + unsigned long pfn;
7307 + pgd_t *pgd;
7308 ++ pud_t *pud;
7309 + pmd_t *pmd;
7310 + pte_t *pte;
7311 +- int pgd_idx, pmd_idx, pte_ofs;
7312 ++ unsigned int pgd_idx, pmd_idx, pte_ofs;
7313 +
7314 + pgd_idx = pgd_index(PAGE_OFFSET);
7315 + pgd = pgd_base + pgd_idx;
7316 + pfn = 0;
7317 +
7318 +- for (; pgd_idx < PTRS_PER_PGD; pgd++, pgd_idx++) {
7319 +- pmd = one_md_table_init(pgd);
7320 +- if (pfn >= max_low_pfn)
7321 +- continue;
7322 ++ for (; pgd_idx < PTRS_PER_PGD && pfn < max_low_pfn; pgd++, pgd_idx++) {
7323 ++ pud = pud_offset(pgd, 0);
7324 ++ pmd = pmd_offset(pud, 0);
7325 ++
7326 ++#ifdef CONFIG_X86_PAE
7327 ++ paravirt_alloc_pd(__pa(pmd) >> PAGE_SHIFT);
7328 ++#endif
7329 ++
7330 + for (pmd_idx = 0; pmd_idx < PTRS_PER_PMD && pfn < max_low_pfn; pmd++, pmd_idx++) {
7331 +- unsigned int address = pfn * PAGE_SIZE + PAGE_OFFSET;
7332 ++ unsigned long address = pfn * PAGE_SIZE + PAGE_OFFSET;
7333 +
7334 + /* Map with big pages if possible, otherwise create normal page tables. */
7335 +- if (cpu_has_pse) {
7336 +- unsigned int address2 = (pfn + PTRS_PER_PTE - 1) * PAGE_SIZE + PAGE_OFFSET + PAGE_SIZE-1;
7337 +- if (is_kernel_text(address) || is_kernel_text(address2))
7338 ++ if (cpu_has_pse && address >= (unsigned long)__va(0x100000)) {
7339 ++ if (is_kernel_text(address, address + PMD_SIZE))
7340 + set_pmd(pmd, pfn_pmd(pfn, PAGE_KERNEL_LARGE_EXEC));
7341 + else
7342 + set_pmd(pmd, pfn_pmd(pfn, PAGE_KERNEL_LARGE));
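Review bot: The added `address >= (unsigned long)__va(0x100000)` test keeps the first megabyte out of large-page mappings, presumably so that the ROM range is_kernel_text singles out can get per-page permissions, but nothing says so; please add `/* PaX: map the low 1MB with 4K pages so the legacy ROM area gets page-granular permissions */` and share the constant with is_kernel_text instead of repeating the literal. Moving `pfn < max_low_pfn` into the pgd loop condition also stops the `paravirt_alloc_pd` call for pgd entries beyond low memory; if I read it right that is covered by native_pagetable_setup_start's loop over all `PTRS_PER_PGD` entries further down, but it is worth a line in the commit text. kernel_physical_mapping_init starts before and continues after this hunk.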
7343 +@@ -176,7 +177,7 @@ static void __init kernel_physical_mappi
7344 + for (pte_ofs = 0;
7345 + pte_ofs < PTRS_PER_PTE && pfn < max_low_pfn;
7346 + pte++, pfn++, pte_ofs++, address += PAGE_SIZE) {
7347 +- if (is_kernel_text(address))
7348 ++ if (is_kernel_text(address, address + PAGE_SIZE))
7349 + set_pte(pte, pfn_pte(pfn, PAGE_KERNEL_EXEC));
7350 + else
7351 + set_pte(pte, pfn_pte(pfn, PAGE_KERNEL));
7352 +@@ -326,9 +327,9 @@ static void __init set_highmem_pages_ini
7353 + #define set_highmem_pages_init(bad_ppro) do { } while (0)
7354 + #endif /* CONFIG_HIGHMEM */
7355 +
7356 +-unsigned long long __PAGE_KERNEL = _PAGE_KERNEL;
7357 ++unsigned long long __PAGE_KERNEL __read_only = _PAGE_KERNEL;
7358 + EXPORT_SYMBOL(__PAGE_KERNEL);
7359 +-unsigned long long __PAGE_KERNEL_EXEC = _PAGE_KERNEL_EXEC;
7360 ++unsigned long long __PAGE_KERNEL_EXEC __read_only = _PAGE_KERNEL_EXEC;
7361 +
7362 + #ifdef CONFIG_NUMA
7363 + extern void __init remap_numa_kva(void);
7364 +@@ -339,26 +340,10 @@ extern void __init remap_numa_kva(void);
7365 + void __init native_pagetable_setup_start(pgd_t *base)
7366 + {
7367 + #ifdef CONFIG_X86_PAE
7368 +- int i;
7369 ++ unsigned int i;
7370 +
7371 +- /*
7372 +- * Init entries of the first-level page table to the
7373 +- * zero page, if they haven't already been set up.
7374 +- *
7375 +- * In a normal native boot, we'll be running on a
7376 +- * pagetable rooted in swapper_pg_dir, but not in PAE
7377 +- * mode, so this will end up clobbering the mappings
7378 +- * for the lower 24Mbytes of the address space,
7379 +- * without affecting the kernel address space.
7380 +- */
7381 +- for (i = 0; i < USER_PTRS_PER_PGD; i++)
7382 +- set_pgd(&base[i],
7383 +- __pgd(__pa(empty_zero_page) | _PAGE_PRESENT));
7384 +-
7385 +- /* Make sure kernel address space is empty so that a pagetable
7386 +- will be allocated for it. */
7387 +- memset(&base[USER_PTRS_PER_PGD], 0,
7388 +- KERNEL_PGD_PTRS * sizeof(pgd_t));
7389 ++ for (i = 0; i < PTRS_PER_PGD; i++)
7390 ++ paravirt_alloc_pd(__pa(swapper_pm_dir + i) >> PAGE_SHIFT);
7391 + #else
7392 + paravirt_alloc_pd(__pa(swapper_pg_dir) >> PAGE_SHIFT);
7393 + #endif
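Review bot: The replacement loop in native_pagetable_setup_start drops the explanatory comment the old code had, and `swapper_pm_dir` is declared nowhere in this file as far as the hunks show, so a reader can no longer tell what the loop is for; presumably the PAE middle tables are now static and populated elsewhere in the patch, and this loop only registers them with paravirt. Suggest `/* PAE: the pmd tables (swapper_pm_dir) are static and already populated; only tell paravirt about them */` above the loop, corrected to wherever they are really set up. Dropping the `memset` also means the kernel half of `base` is no longer cleared here, which is consistent with static tables but deserves a word in the commit message.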
7394 +@@ -366,16 +351,6 @@ void __init native_pagetable_setup_start
7395 +
7396 + void __init native_pagetable_setup_done(pgd_t *base)
7397 + {
7398 +-#ifdef CONFIG_X86_PAE
7399 +- /*
7400 +- * Add low memory identity-mappings - SMP needs it when
7401 +- * starting up on an AP from real-mode. In the non-PAE
7402 +- * case we already have these mappings through head.S.
7403 +- * All user-space mappings are explicitly cleared after
7404 +- * SMP startup.
7405 +- */
7406 +- set_pgd(&base[0], base[USER_PTRS_PER_PGD]);
7407 +-#endif
7408 + }
7409 +
7410 + /*
7411 +@@ -437,12 +412,12 @@ static void __init pagetable_init (void)
7412 + * Swap suspend & friends need this for resume because things like the intel-agp
7413 + * driver might have split up a kernel 4MB mapping.
7414 + */
7415 +-char __nosavedata swsusp_pg_dir[PAGE_SIZE]
7416 ++pgd_t __nosavedata swsusp_pg_dir[PTRS_PER_PGD]
7417 + __attribute__ ((aligned (PAGE_SIZE)));
7418 +
7419 + static inline void save_pg_dir(void)
7420 + {
7421 +- memcpy(swsusp_pg_dir, swapper_pg_dir, PAGE_SIZE);
7422 ++ clone_pgd_range(swsusp_pg_dir, swapper_pg_dir, PTRS_PER_PGD);
7423 + }
7424 + #else
7425 + static inline void save_pg_dir(void)
7426 +@@ -471,12 +446,11 @@ void zap_low_mappings (void)
7427 + flush_tlb_all();
7428 + }
7429 +
7430 +-int nx_enabled = 0;
7431 ++int nx_enabled;
7432 +
7433 + #ifdef CONFIG_X86_PAE
7434 +
7435 +-static int disable_nx __initdata = 0;
7436 +-u64 __supported_pte_mask __read_mostly = ~_PAGE_NX;
7437 ++u64 __supported_pte_mask __read_only = ~_PAGE_NX;
7438 + EXPORT_SYMBOL_GPL(__supported_pte_mask);
7439 +
7440 + /*
7441 +@@ -487,36 +461,31 @@ EXPORT_SYMBOL_GPL(__supported_pte_mask);
7442 + * on Enable
7443 + * off Disable
7444 + */
7445 ++#if !defined(CONFIG_PAX_PAGEEXEC)
7446 + static int __init noexec_setup(char *str)
7447 + {
7448 + if (!str || !strcmp(str, "on")) {
7449 +- if (cpu_has_nx) {
7450 +- __supported_pte_mask |= _PAGE_NX;
7451 +- disable_nx = 0;
7452 +- }
7453 ++ if (cpu_has_nx)
7454 ++ nx_enabled = 1;
7455 + } else if (!strcmp(str,"off")) {
7456 +- disable_nx = 1;
7457 +- __supported_pte_mask &= ~_PAGE_NX;
7458 ++ nx_enabled = 0;
7459 + } else
7460 + return -EINVAL;
7461 +
7462 + return 0;
7463 + }
7464 + early_param("noexec", noexec_setup);
7465 ++#endif
7466 +
7467 + static void __init set_nx(void)
7468 + {
7469 +- unsigned int v[4], l, h;
7470 ++ if (!nx_enabled && cpu_has_nx) {
7471 ++ unsigned l, h;
7472 +
7473 +- if (cpu_has_pae && (cpuid_eax(0x80000000) > 0x80000001)) {
7474 +- cpuid(0x80000001, &v[0], &v[1], &v[2], &v[3]);
7475 +- if ((v[3] & (1 << 20)) && !disable_nx) {
7476 +- rdmsr(MSR_EFER, l, h);
7477 +- l |= EFER_NX;
7478 +- wrmsr(MSR_EFER, l, h);
7479 +- nx_enabled = 1;
7480 +- __supported_pte_mask |= _PAGE_NX;
7481 +- }
7482 ++ __supported_pte_mask &= ~_PAGE_NX;
7483 ++ rdmsr(MSR_EFER, l, h);
7484 ++ l &= ~EFER_NX;
7485 ++ wrmsr(MSR_EFER, l, h);
7486 + }
7487 + }
7488 +
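Review bot: With `int nx_enabled;` now zero-initialised and the new noexec_setup setting it to 1 only for an explicit `noexec=on`, the new set_nx clears `EFER_NX` and `_PAGE_NX` on every NX-capable CPU whenever no `noexec=` argument is given at all — unless something outside this hunk (early boot code, most likely) sets `nx_enabled = 1` when the CPU has NX, which this file no longer shows; please confirm. Likewise `__supported_pte_mask` starts as `~_PAGE_NX` and nothing here ORs `_PAGE_NX` back in, so the enable path must live elsewhere too. It is also written in set_nx although it is now declared `__read_only`; presumably that relies on `__read_only` data staying writable until init completes, which should be said in a comment at the assignment. Finally the `#if !defined(CONFIG_PAX_PAGEEXEC)` guard silently discards `noexec=` under PAGEEXEC; a line such as `/* PaX: the noexec= parameter is not accepted under PAGEEXEC */` would save the next reader a search.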
7489 +@@ -569,14 +538,6 @@ void __init paging_init(void)
7490 +
7491 + load_cr3(swapper_pg_dir);
7492 +
7493 +-#ifdef CONFIG_X86_PAE
7494 +- /*
7495 +- * We will bail out later - printk doesn't work right now so
7496 +- * the user would just see a hanging kernel.
7497 +- */
7498 +- if (cpu_has_pae)
7499 +- set_in_cr4(X86_CR4_PAE);
7500 +-#endif
7501 + __flush_tlb_all();
7502 +
7503 + kmap_init();
7504 +@@ -647,7 +608,7 @@ void __init mem_init(void)
7505 + set_highmem_pages_init(bad_ppro);
7506 +
7507 + codesize = (unsigned long) &_etext - (unsigned long) &_text;
7508 +- datasize = (unsigned long) &_edata - (unsigned long) &_etext;
7509 ++ datasize = (unsigned long) &_edata - (unsigned long) &_data;
7510 + initsize = (unsigned long) &__init_end - (unsigned long) &__init_begin;
7511 +
7512 + kclist_add(&kcore_mem, __va(0), max_low_pfn << PAGE_SHIFT);
7513 +@@ -692,10 +653,10 @@ void __init mem_init(void)
7514 + (unsigned long)&__init_begin, (unsigned long)&__init_end,
7515 + ((unsigned long)&__init_end - (unsigned long)&__init_begin) >> 10,
7516 +
7517 +- (unsigned long)&_etext, (unsigned long)&_edata,
7518 +- ((unsigned long)&_edata - (unsigned long)&_etext) >> 10,
7519 ++ (unsigned long)&_data, (unsigned long)&_edata,
7520 ++ ((unsigned long)&_edata - (unsigned long)&_data) >> 10,
7521 +
7522 +- (unsigned long)&_text, (unsigned long)&_etext,
7523 ++ (unsigned long)&_text + __KERNEL_TEXT_OFFSET, (unsigned long)&_etext + __KERNEL_TEXT_OFFSET,
7524 + ((unsigned long)&_etext - (unsigned long)&_text) >> 10);
7525 +
7526 + #ifdef CONFIG_HIGHMEM
7527 +@@ -706,10 +667,6 @@ void __init mem_init(void)
7528 + BUG_ON((unsigned long)high_memory > VMALLOC_START);
7529 + #endif /* double-sanity-check paranoia */
7530 +
7531 +-#ifdef CONFIG_X86_PAE
7532 +- if (!cpu_has_pae)
7533 +- panic("cannot execute a PAE-enabled kernel on a PAE-less CPU!");
7534 +-#endif
7535 + if (boot_cpu_data.wp_works_ok < 0)
7536 + test_wp_bit();
7537 +
7538 +@@ -844,6 +801,38 @@ void free_init_pages(char *what, unsigne
7539 +
7540 + void free_initmem(void)
7541 + {
7542 ++
7543 ++#ifdef CONFIG_PAX_KERNEXEC
7544 ++ /* PaX: limit KERNEL_CS to actual size */
7545 ++ unsigned long addr, limit;
7546 ++ __u32 a, b;
7547 ++ int cpu;
7548 ++ pgd_t *pgd;
7549 ++ pud_t *pud;
7550 ++ pmd_t *pmd;
7551 ++
7552 ++#ifdef CONFIG_MODULES
7553 ++ limit = (unsigned long)&MODULES_END - __KERNEL_TEXT_OFFSET;
7554 ++#else
7555 ++ limit = (unsigned long)&_etext;
7556 ++#endif
7557 ++ limit = (limit - 1UL) >> PAGE_SHIFT;
7558 ++
7559 ++ for (cpu = 0; cpu < NR_CPUS; cpu++) {
7560 ++ pack_descriptor(&a, &b, get_desc_base(&get_cpu_gdt_table(cpu)[GDT_ENTRY_KERNEL_CS]), limit, 0x9B, 0xC);
7561 ++ write_gdt_entry(get_cpu_gdt_table(cpu), GDT_ENTRY_KERNEL_CS, a, b);
7562 ++ }
7563 ++
7564 ++ /* PaX: make KERNEL_CS read-only */
7565 ++ for (addr = __KERNEL_TEXT_OFFSET; addr < (unsigned long)&_data; addr += PMD_SIZE) {
7566 ++ pgd = pgd_offset_k(addr);
7567 ++ pud = pud_offset(pgd, addr);
7568 ++ pmd = pmd_offset(pud, addr);
7569 ++ set_pmd(pmd, __pmd(pmd_val(*pmd) & ~_PAGE_RW));
7570 ++ }
7571 ++ flush_tlb_all();
7572 ++#endif
7573 ++
7574 + free_init_pages("unused kernel memory",
7575 + (unsigned long)(&__init_begin),
7576 + (unsigned long)(&__init_end));
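Review bot: The descriptor constants passed to pack_descriptor (`0x9B`, `0xC`) and the `(limit - 1UL) >> PAGE_SHIFT` conversion are uncommented; `0xC` sets the granularity bit, which is why `limit` is converted to pages, and `0x9B` encodes a present, DPL0, readable, accessed code segment. Suggest `/* 32-bit code segment (0x9B) with 4K granularity (0xC): the limit is in pages, hence the shift */` above the CPU loop. That loop walks all `NR_CPUS` GDTs rather than the possible CPUs, which is fine only if `get_cpu_gdt_table` indexes a static `NR_CPUS`-sized array — worth confirming. The read-only pass clears `_PAGE_RW` on pmd entries; where such an entry points to a page table rather than a large page (e.g. after a change_page_attr split) this still restricts the whole sub-tree, since supervisor write permission is ANDed across levels, but that is not obvious and belongs in the `/* PaX: make KERNEL_CS read-only */` comment. free_initmem continues past this hunk.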
7577 +diff -Nurp linux-2.6.23.15/arch/i386/mm/mmap.c linux-2.6.23.15-grsec/arch/i386/mm/mmap.c
7578 +--- linux-2.6.23.15/arch/i386/mm/mmap.c 2007-10-09 21:31:38.000000000 +0100
7579 ++++ linux-2.6.23.15-grsec/arch/i386/mm/mmap.c 2008-02-11 10:37:44.000000000 +0000
7580 +@@ -35,12 +35,18 @@
7581 + * Leave an at least ~128 MB hole.
7582 + */
7583 + #define MIN_GAP (128*1024*1024)
7584 +-#define MAX_GAP (TASK_SIZE/6*5)
7585 ++#define MAX_GAP (task_size/6*5)
7586 +
7587 + static inline unsigned long mmap_base(struct mm_struct *mm)
7588 + {
7589 + unsigned long gap = current->signal->rlim[RLIMIT_STACK].rlim_cur;
7590 + unsigned long random_factor = 0;
7591 ++ unsigned long task_size = TASK_SIZE;
7592 ++
7593 ++#ifdef CONFIG_PAX_SEGMEXEC
7594 ++ if (mm->pax_flags & MF_PAX_SEGMEXEC)
7595 ++ task_size = SEGMEXEC_TASK_SIZE;
7596 ++#endif
7597 +
7598 + if (current->flags & PF_RANDOMIZE)
7599 + random_factor = get_random_int() % (1024*1024);
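Review bot: `MAX_GAP` now expands to `task_size/6*5`, so the macro silently depends on a local variable that exists only inside mmap_base(); used anywhere else it fails to compile or, worse, picks up an unrelated `task_size`. Either compute it locally, `unsigned long max_gap = task_size/6*5;` next to the new `task_size` declaration and compare against that, or at least comment the macro: `/* requires a local task_size; only valid inside mmap_base() */`. mmap_base continues past this hunk.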
7600 +@@ -50,7 +56,7 @@ static inline unsigned long mmap_base(st
7601 + else if (gap > MAX_GAP)
7602 + gap = MAX_GAP;
7603 +
7604 +- return PAGE_ALIGN(TASK_SIZE - gap - random_factor);
7605 ++ return PAGE_ALIGN(task_size - gap - random_factor);
7606 + }
7607 +
7608 + /*
7609 +@@ -66,11 +72,30 @@ void arch_pick_mmap_layout(struct mm_str
7610 + if (sysctl_legacy_va_layout ||
7611 + (current->personality & ADDR_COMPAT_LAYOUT) ||
7612 + current->signal->rlim[RLIMIT_STACK].rlim_cur == RLIM_INFINITY) {
7613 ++
7614 ++#ifdef CONFIG_PAX_SEGMEXEC
7615 ++ if (mm->pax_flags & MF_PAX_SEGMEXEC)
7616 ++ mm->mmap_base = SEGMEXEC_TASK_UNMAPPED_BASE;
7617 ++ else
7618 ++#endif
7619 ++
7620 + mm->mmap_base = TASK_UNMAPPED_BASE;
7621 ++
7622 ++#ifdef CONFIG_PAX_RANDMMAP
7623 ++ if (mm->pax_flags & MF_PAX_RANDMMAP)
7624 ++ mm->mmap_base += mm->delta_mmap;
7625 ++#endif
7626 ++
7627 + mm->get_unmapped_area = arch_get_unmapped_area;
7628 + mm->unmap_area = arch_unmap_area;
7629 + } else {
7630 + mm->mmap_base = mmap_base(mm);
7631 ++
7632 ++#ifdef CONFIG_PAX_RANDMMAP
7633 ++ if (mm->pax_flags & MF_PAX_RANDMMAP)
7634 ++ mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
7635 ++#endif
7636 ++
7637 + mm->get_unmapped_area = arch_get_unmapped_area_topdown;
7638 + mm->unmap_area = arch_unmap_area_topdown;
7639 + }
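Review bot: In the legacy-layout branch the `else` is separated from the statement it governs by an `#endif` and a blank line, so `mm->mmap_base = TASK_UNMAPPED_BASE;` reads as unconditional when it is not; a later edit inserting a statement there would silently change the SEGMEXEC case. Setting the default first and overriding it under the `#ifdef` removes the dangling else, as below. The asymmetry between the legacy path (`+= mm->delta_mmap`) and the top-down path (`-= mm->delta_mmap + mm->delta_stack`) also deserves a one-line comment, since it is not obvious why the stack delta enters only one of them.
```c
		/* … unchanged: legacy-layout test opens this block … */
		mm->mmap_base = TASK_UNMAPPED_BASE;
#ifdef CONFIG_PAX_SEGMEXEC
		if (mm->pax_flags & MF_PAX_SEGMEXEC)
			mm->mmap_base = SEGMEXEC_TASK_UNMAPPED_BASE;
#endif
		/* … unchanged: RANDMMAP adjustment, get_unmapped_area/unmap_area setup … */
```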
7640 +diff -Nurp linux-2.6.23.15/arch/i386/mm/pageattr.c linux-2.6.23.15-grsec/arch/i386/mm/pageattr.c
7641 +--- linux-2.6.23.15/arch/i386/mm/pageattr.c 2007-10-09 21:31:38.000000000 +0100
7642 ++++ linux-2.6.23.15-grsec/arch/i386/mm/pageattr.c 2008-02-11 10:37:44.000000000 +0000
7643 +@@ -13,6 +13,7 @@
7644 + #include <asm/tlbflush.h>
7645 + #include <asm/pgalloc.h>
7646 + #include <asm/sections.h>
7647 ++#include <asm/desc.h>
7648 +
7649 + static DEFINE_SPINLOCK(cpa_lock);
7650 + static struct list_head df_list = LIST_HEAD_INIT(df_list);
7651 +@@ -37,16 +38,16 @@ pte_t *lookup_address(unsigned long addr
7652 + }
7653 +
7654 + static struct page *split_large_page(unsigned long address, pgprot_t prot,
7655 +- pgprot_t ref_prot)
7656 ++ pgprot_t ref_prot, unsigned long flags)
7657 + {
7658 + int i;
7659 + unsigned long addr;
7660 + struct page *base;
7661 + pte_t *pbase;
7662 +
7663 +- spin_unlock_irq(&cpa_lock);
7664 ++ spin_unlock_irqrestore(&cpa_lock, flags);
7665 + base = alloc_pages(GFP_KERNEL, 0);
7666 +- spin_lock_irq(&cpa_lock);
7667 ++ spin_lock_irqsave(&cpa_lock, flags);
7668 + if (!base)
7669 + return NULL;
7670 +
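Review bot: `spin_lock_irqsave(&cpa_lock, flags)` stores the saved state into `flags`, which is now a by-value parameter, so the value is discarded when split_large_page returns and the caller keeps the `flags` it saved before the call. That is correct only because the `spin_unlock_irqrestore` just above re-established that same state, so the copy captured at the re-lock should equal the caller's; it is subtle enough to deserve `/* flags is a copy: the caller restores its own saved state, which is what we re-established above */` at the re-lock. Passing `unsigned long *flags` would make the contract explicit. split_large_page continues past this hunk.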
7671 +@@ -99,7 +100,18 @@ static void set_pmd_pte(pte_t *kpte, uns
7672 + struct page *page;
7673 + unsigned long flags;
7674 +
7675 ++#ifdef CONFIG_PAX_KERNEXEC
7676 ++ unsigned long cr0;
7677 ++
7678 ++ pax_open_kernel(cr0);
7679 ++#endif
7680 ++
7681 + set_pte_atomic(kpte, pte); /* change init_mm */
7682 ++
7683 ++#ifdef CONFIG_PAX_KERNEXEC
7684 ++ pax_close_kernel(cr0);
7685 ++#endif
7686 ++
7687 + if (SHARED_KERNEL_PMD)
7688 + return;
7689 +
7690 +@@ -126,7 +138,7 @@ static inline void revert_page(struct pa
7691 + pte_t *linear;
7692 +
7693 + ref_prot =
7694 +- ((address & LARGE_PAGE_MASK) < (unsigned long)&_etext)
7695 ++ ((address & LARGE_PAGE_MASK) < (unsigned long)&_etext + __KERNEL_TEXT_OFFSET)
7696 + ? PAGE_KERNEL_LARGE_EXEC : PAGE_KERNEL_LARGE;
7697 +
7698 + linear = (pte_t *)
7699 +@@ -143,7 +155,7 @@ static inline void save_page(struct page
7700 + }
7701 +
7702 + static int
7703 +-__change_page_attr(struct page *page, pgprot_t prot)
7704 ++__change_page_attr(struct page *page, pgprot_t prot, unsigned long flags)
7705 + {
7706 + pte_t *kpte;
7707 + unsigned long address;
7708 +@@ -167,13 +179,20 @@ __change_page_attr(struct page *page, pg
7709 + struct page *split;
7710 +
7711 + ref_prot =
7712 +- ((address & LARGE_PAGE_MASK) < (unsigned long)&_etext)
7713 ++ ((address & LARGE_PAGE_MASK) < (unsigned long)&_etext + __KERNEL_TEXT_OFFSET)
7714 + ? PAGE_KERNEL_EXEC : PAGE_KERNEL;
7715 +- split = split_large_page(address, prot, ref_prot);
7716 ++ split = split_large_page(address, prot, ref_prot, flags);
7717 + if (!split)
7718 + return -ENOMEM;
7719 +- set_pmd_pte(kpte,address,mk_pte(split, ref_prot));
7720 +- kpte_page = split;
7721 ++ if (pte_huge(*kpte)) {
7722 ++ set_pmd_pte(kpte,address,mk_pte(split, ref_prot));
7723 ++ kpte_page = split;
7724 ++ } else {
7725 ++ __free_pages(split, 0);
7726 ++ kpte = lookup_address(address);
7727 ++ kpte_page = virt_to_page(kpte);
7728 ++ set_pte_atomic(kpte, mk_pte(page, prot));
7729 ++ }
7730 + }
7731 + page_private(kpte_page)++;
7732 + } else if (!pte_huge(*kpte)) {
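Review bot: The new `else` branch handles the case where another CPU split the same large page while split_large_page() had `cpa_lock` dropped, but nothing says so; a comment such as `/* cpa_lock was released inside split_large_page(): someone else may have split this page first */` above `if (pte_huge(*kpte))` is needed. After the branch, `page_private(kpte_page)++` runs on the freshly looked-up page table, which looks like the same bookkeeping the `else if (!pte_huge(*kpte))` path performs; if it is, the duplicated lookup and `set_pte_atomic` could be shared with that path instead of copied. The enclosing `if` and __change_page_attr continue outside this hunk.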
7733 +@@ -225,7 +244,7 @@ int change_page_attr(struct page *page,
7734 +
7735 + spin_lock_irqsave(&cpa_lock, flags);
7736 + for (i = 0; i < numpages; i++, page++) {
7737 +- err = __change_page_attr(page, prot);
7738 ++ err = __change_page_attr(page, prot, flags);
7739 + if (err)
7740 + break;
7741 + }
7742 +diff -Nurp linux-2.6.23.15/arch/i386/oprofile/backtrace.c linux-2.6.23.15-grsec/arch/i386/oprofile/backtrace.c
7743 +--- linux-2.6.23.15/arch/i386/oprofile/backtrace.c 2007-10-09 21:31:38.000000000 +0100
7744 ++++ linux-2.6.23.15-grsec/arch/i386/oprofile/backtrace.c 2008-02-11 10:37:44.000000000 +0000
7745 +@@ -22,7 +22,7 @@ struct frame_head {
7746 + static struct frame_head *
7747 + dump_kernel_backtrace(struct frame_head * head)
7748 + {
7749 +- oprofile_add_trace(head->ret);
7750 ++ oprofile_add_trace(head->ret + __KERNEL_TEXT_OFFSET);
7751 +
7752 + /* frame pointers should strictly progress back up the stack
7753 + * (towards higher addresses) */
7754 +@@ -116,7 +116,7 @@ x86_backtrace(struct pt_regs * const reg
7755 + head = (struct frame_head *)regs->ebp;
7756 + #endif
7757 +
7758 +- if (!user_mode_vm(regs)) {
7759 ++ if (!user_mode(regs)) {
7760 + while (depth-- && valid_kernel_stack(head, regs))
7761 + head = dump_kernel_backtrace(head);
7762 + return;
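Review bot: Replacing `user_mode_vm(regs)` with `user_mode(regs)` changes behaviour for samples taken while a task runs in VM86 mode: `user_mode()` does not treat such frames as user mode, so they now enter the kernel-backtrace loop with a VM86 `ebp` as the frame head. If the rest of this patch removes or reworks VM86 support that is fine, but otherwise `valid_kernel_stack()` is the only guard against a bad dereference; please confirm, and either keep `user_mode_vm` or note the reason in a comment. x86_backtrace starts before and continues after this hunk.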
7763 +diff -Nurp linux-2.6.23.15/arch/i386/oprofile/op_model_p4.c linux-2.6.23.15-grsec/arch/i386/oprofile/op_model_p4.c
7764 +--- linux-2.6.23.15/arch/i386/oprofile/op_model_p4.c 2007-10-09 21:31:38.000000000 +0100
7765 ++++ linux-2.6.23.15-grsec/arch/i386/oprofile/op_model_p4.c 2008-02-11 10:37:44.000000000 +0000
7766 +@@ -47,7 +47,7 @@ static inline void setup_num_counters(vo
7767 + #endif
7768 + }
7769 +
7770 +-static int inline addr_increment(void)
7771 ++static inline int addr_increment(void)
7772 + {
7773 + #ifdef CONFIG_SMP
7774 + return smp_num_siblings == 2 ? 2 : 1;
7775 +diff -Nurp linux-2.6.23.15/arch/i386/pci/common.c linux-2.6.23.15-grsec/arch/i386/pci/common.c
7776 +--- linux-2.6.23.15/arch/i386/pci/common.c 2007-10-09 21:31:38.000000000 +0100
7777 ++++ linux-2.6.23.15-grsec/arch/i386/pci/common.c 2008-02-11 10:37:44.000000000 +0000
7778 +@@ -287,7 +287,7 @@ static struct dmi_system_id __devinitdat
7779 + DMI_MATCH(DMI_PRODUCT_NAME, "ProLiant BL685c G1"),
7780 + },
7781 + },
7782 +- {}
7783 ++ { NULL, NULL, {DMI_MATCH(DMI_NONE, NULL)}, NULL}
7784 + };
7785 +
7786 + struct pci_bus * __devinit pcibios_scan_root(int busnum)
7787 +diff -Nurp linux-2.6.23.15/arch/i386/pci/early.c linux-2.6.23.15-grsec/arch/i386/pci/early.c
7788 +--- linux-2.6.23.15/arch/i386/pci/early.c 2007-10-09 21:31:38.000000000 +0100
7789 ++++ linux-2.6.23.15-grsec/arch/i386/pci/early.c 2008-02-11 10:37:44.000000000 +0000
7790 +@@ -7,7 +7,7 @@
7791 + /* Direct PCI access. This is used for PCI accesses in early boot before
7792 + the PCI subsystem works. */
7793 +
7794 +-#define PDprintk(x...)
7795 ++#define PDprintk(x...) do {} while (0)
7796 +
7797 + u32 read_pci_config(u8 bus, u8 slot, u8 func, u8 offset)
7798 + {
7799 +diff -Nurp linux-2.6.23.15/arch/i386/pci/fixup.c linux-2.6.23.15-grsec/arch/i386/pci/fixup.c
7800 +--- linux-2.6.23.15/arch/i386/pci/fixup.c 2007-10-09 21:31:38.000000000 +0100
7801 ++++ linux-2.6.23.15-grsec/arch/i386/pci/fixup.c 2008-02-11 10:37:44.000000000 +0000
7802 +@@ -386,7 +386,7 @@ static struct dmi_system_id __devinitdat
7803 + DMI_MATCH(DMI_PRODUCT_VERSION, "PSA40U"),
7804 + },
7805 + },
7806 +- { }
7807 ++ { NULL, NULL, {DMI_MATCH(DMI_NONE, NULL)}, NULL }
7808 + };
7809 +
7810 + static void __devinit pci_pre_fixup_toshiba_ohci1394(struct pci_dev *dev)
7811 +diff -Nurp linux-2.6.23.15/arch/i386/pci/irq.c linux-2.6.23.15-grsec/arch/i386/pci/irq.c
7812 +--- linux-2.6.23.15/arch/i386/pci/irq.c 2007-10-09 21:31:38.000000000 +0100
7813 ++++ linux-2.6.23.15-grsec/arch/i386/pci/irq.c 2008-02-11 10:37:44.000000000 +0000
7814 +@@ -508,7 +508,7 @@ static __init int intel_router_probe(str
7815 + static struct pci_device_id __initdata pirq_440gx[] = {
7816 + { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_82443GX_0) },
7817 + { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_82443GX_2) },
7818 +- { },
7819 ++ { PCI_DEVICE(0, 0) }
7820 + };
7821 +
7822 + /* 440GX has a proprietary PIRQ router -- don't use it */
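Review bot: The terminator `{ PCI_DEVICE(0, 0) }` is not an empty entry: `PCI_DEVICE()` fills `subvendor` and `subdevice` with `PCI_ANY_ID`, and the stock `pci_match_id()` loop stops only when `vendor`, `subvendor` and `class_mask` are all zero, so `pci_dev_present(pirq_440gx)` would step past the end of the array. Unless this patch also changes the terminator test in `pci_match_id()` (not visible here), please keep an all-zero final entry, e.g. `{ .vendor = 0, }` if the aim is only to avoid the empty-initializer warning. The DMI tables in the neighbouring hunks are unaffected, since `dmi_check_system()` stops on a NULL `ident`.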
7823 +@@ -1051,7 +1051,7 @@ static struct dmi_system_id __initdata p
7824 + DMI_MATCH(DMI_PRODUCT_NAME, "TravelMate 360"),
7825 + },
7826 + },
7827 +- { }
7828 ++ { NULL, NULL, {DMI_MATCH(DMI_NONE, NULL)}, NULL }
7829 + };
7830 +
7831 + static int __init pcibios_irq_init(void)
7832 +diff -Nurp linux-2.6.23.15/arch/i386/pci/pcbios.c linux-2.6.23.15-grsec/arch/i386/pci/pcbios.c
7833 +--- linux-2.6.23.15/arch/i386/pci/pcbios.c 2007-10-09 21:31:38.000000000 +0100
7834 ++++ linux-2.6.23.15-grsec/arch/i386/pci/pcbios.c 2008-02-11 10:37:44.000000000 +0000
7835 +@@ -57,50 +57,124 @@ union bios32 {
7836 + static struct {
7837 + unsigned long address;
7838 + unsigned short segment;
7839 +-} bios32_indirect = { 0, __KERNEL_CS };
7840 ++} bios32_indirect __read_only = { 0, __PCIBIOS_CS };
7841 +
7842 + /*
7843 + * Returns the entry point for the given service, NULL on error
7844 + */
7845 +
7846 +-static unsigned long bios32_service(unsigned long service)
7847 ++static unsigned long __devinit bios32_service(unsigned long service)
7848 + {
7849 + unsigned char return_code; /* %al */
7850 + unsigned long address; /* %ebx */
7851 + unsigned long length; /* %ecx */
7852 + unsigned long entry; /* %edx */
7853 + unsigned long flags;
7854 ++ struct desc_struct *gdt;
7855 ++
7856 ++#ifdef CONFIG_PAX_KERNEXEC
7857 ++ unsigned long cr0;
7858 ++#endif
7859 +
7860 + local_irq_save(flags);
7861 +- __asm__("lcall *(%%edi); cld"
7862 ++
7863 ++ gdt = get_cpu_gdt_table(smp_processor_id());
7864 ++
7865 ++#ifdef CONFIG_PAX_KERNEXEC
7866 ++ pax_open_kernel(cr0);
7867 ++#endif
7868 ++
7869 ++ pack_descriptor((__u32 *)&gdt[GDT_ENTRY_PCIBIOS_CS].a,
7870 ++ (__u32 *)&gdt[GDT_ENTRY_PCIBIOS_CS].b,
7871 ++ 0UL, 0xFFFFFUL, 0x9B, 0xC);
7872 ++ pack_descriptor((__u32 *)&gdt[GDT_ENTRY_PCIBIOS_DS].a,
7873 ++ (__u32 *)&gdt[GDT_ENTRY_PCIBIOS_DS].b,
7874 ++ 0UL, 0xFFFFFUL, 0x93, 0xC);
7875 ++
7876 ++#ifdef CONFIG_PAX_KERNEXEC
7877 ++ pax_close_kernel(cr0);
7878 ++#endif
7879 ++
7880 ++ __asm__("movw %w7, %%ds; lcall *(%%edi); push %%ss; pop %%ds; cld"
7881 + : "=a" (return_code),
7882 + "=b" (address),
7883 + "=c" (length),
7884 + "=d" (entry)
7885 + : "0" (service),
7886 + "1" (0),
7887 +- "D" (&bios32_indirect));
7888 ++ "D" (&bios32_indirect),
7889 ++ "r"(__PCIBIOS_DS)
7890 ++ : "memory");
7891 ++
7892 ++#ifdef CONFIG_PAX_KERNEXEC
7893 ++ pax_open_kernel(cr0);
7894 ++#endif
7895 ++
7896 ++ gdt[GDT_ENTRY_PCIBIOS_CS].a = 0;
7897 ++ gdt[GDT_ENTRY_PCIBIOS_CS].b = 0;
7898 ++ gdt[GDT_ENTRY_PCIBIOS_DS].a = 0;
7899 ++ gdt[GDT_ENTRY_PCIBIOS_DS].b = 0;
7900 ++
7901 ++#ifdef CONFIG_PAX_KERNEXEC
7902 ++ pax_close_kernel(cr0);
7903 ++#endif
7904 ++
7905 + local_irq_restore(flags);
7906 +
7907 + switch (return_code) {
7908 +- case 0:
7909 +- return address + entry;
7910 +- case 0x80: /* Not present */
7911 +- printk(KERN_WARNING "bios32_service(0x%lx): not present\n", service);
7912 +- return 0;
7913 +- default: /* Shouldn't happen */
7914 +- printk(KERN_WARNING "bios32_service(0x%lx): returned 0x%x -- BIOS bug!\n",
7915 +- service, return_code);
7916 ++ case 0: {
7917 ++ int cpu;
7918 ++ unsigned char flags;
7919 ++
7920 ++ printk(KERN_INFO "bios32_service: base:%08lx length:%08lx entry:%08lx\n", address, length, entry);
7921 ++ if (address >= 0xFFFF0 || length >= 0xFFFF0 - address || length <= entry) {
7922 ++ printk(KERN_WARNING "bios32_service: not valid\n");
7923 + return 0;
7924 ++ }
7925 ++ address = address + PAGE_OFFSET;
7926 ++ length += 16UL; /* some BIOSs underreport this... */
7927 ++ flags = 4;
7928 ++ if (length >= 64*1024*1024) {
7929 ++ length >>= PAGE_SHIFT;
7930 ++ flags |= 8;
7931 ++ }
7932 ++
7933 ++#ifdef CONFIG_PAX_KERNEXEC
7934 ++ pax_open_kernel(cr0);
7935 ++#endif
7936 ++
7937 ++ for (cpu = 0; cpu < NR_CPUS; cpu++) {
7938 ++ gdt = get_cpu_gdt_table(cpu);
7939 ++ pack_descriptor((__u32 *)&gdt[GDT_ENTRY_PCIBIOS_CS].a,
7940 ++ (__u32 *)&gdt[GDT_ENTRY_PCIBIOS_CS].b,
7941 ++ address, length, 0x9b, flags);
7942 ++ pack_descriptor((__u32 *)&gdt[GDT_ENTRY_PCIBIOS_DS].a,
7943 ++ (__u32 *)&gdt[GDT_ENTRY_PCIBIOS_DS].b,
7944 ++ address, length, 0x93, flags);
7945 ++ }
7946 ++
7947 ++#ifdef CONFIG_PAX_KERNEXEC
7948 ++ pax_close_kernel(cr0);
7949 ++#endif
7950 ++
7951 ++ return entry;
7952 ++ }
7953 ++ case 0x80: /* Not present */
7954 ++ printk(KERN_WARNING "bios32_service(0x%lx): not present\n", service);
7955 ++ return 0;
7956 ++ default: /* Shouldn't happen */
7957 ++ printk(KERN_WARNING "bios32_service(0x%lx): returned 0x%x -- BIOS bug!\n",
7958 ++ service, return_code);
7959 ++ return 0;
7960 + }
7961 + }
7962 +
7963 + static struct {
7964 + unsigned long address;
7965 + unsigned short segment;
7966 +-} pci_indirect = { 0, __KERNEL_CS };
7967 ++} pci_indirect __read_only = { 0, __PCIBIOS_CS };
7968 +
7969 +-static int pci_bios_present;
7970 ++static int pci_bios_present __read_only;
7971 +
7972 + static int __devinit check_pcibios(void)
7973 + {
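Review bot: In the `case 0` block the new `unsigned char flags;` shadows the function-level `unsigned long flags` used by `local_irq_save`/`local_irq_restore`; it is harmless only because the restore has already happened, and `-Wshadow` will complain — rename it (`desc_flags`). The `if (length >= 64*1024*1024)` branch is dead: the validity test bounds `address + length` below 0xFFFF0, so `length` is always under 1 MiB, which is also exactly what the 20-bit byte-granular limit can hold; either drop the branch or, if it is meant as a guard for the limit field, make the threshold `1UL << 20`. The descriptor constants `0x9B`/`0x93`/`4`/`8` repeat the magic used in free_initmem, and a shared set of named values (constructed names: `PCIBIOS_CODE_TYPE`, `PCIBIOS_DATA_TYPE`) would help. Lastly, the temporary flat descriptors are installed on the current CPU only and zeroed again after the lcall, so a short comment explaining the two-phase scheme (flat for the lookup, bounded per-CPU descriptors for later calls) would make the function readable.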
7974 +@@ -109,11 +183,13 @@ static int __devinit check_pcibios(void)
7975 + unsigned long flags, pcibios_entry;
7976 +
7977 + if ((pcibios_entry = bios32_service(PCI_SERVICE))) {
7978 +- pci_indirect.address = pcibios_entry + PAGE_OFFSET;
7979 ++ pci_indirect.address = pcibios_entry;
7980 +
7981 + local_irq_save(flags);
7982 +- __asm__(
7983 +- "lcall *(%%edi); cld\n\t"
7984 ++ __asm__("movw %w6, %%ds\n\t"
7985 ++ "lcall *%%ss:(%%edi); cld\n\t"
7986 ++ "push %%ss\n\t"
7987 ++ "pop %%ds\n\t"
7988 + "jc 1f\n\t"
7989 + "xor %%ah, %%ah\n"
7990 + "1:"
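Review bot: `pci_indirect.address = pcibios_entry;` writes to a variable this patch declares `__read_only`, from a `__devinit` function; that is only safe if `__read_only` data stays writable for as long as this can run, which I cannot verify from here. A one-line comment at the assignment, `/* still writable: __read_only data is sealed only after init */` (adjusted to the real rule), would document the assumption. The stored value is now the offset relative to the PCIBIOS_CS base rather than `+ PAGE_OFFSET`, consistent with bios32_service returning `entry` alone. check_pcibios continues past this hunk.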
7991 +@@ -122,7 +198,8 @@ static int __devinit check_pcibios(void)
7992 + "=b" (ebx),
7993 + "=c" (ecx)
7994 + : "1" (PCIBIOS_PCI_BIOS_PRESENT),
7995 +- "D" (&pci_indirect)
7996 ++ "D" (&pci_indirect),
7997 ++ "r" (__PCIBIOS_DS)
7998 + : "memory");
7999 + local_irq_restore(flags);
8000 +
8001 +@@ -158,7 +235,10 @@ static int __devinit pci_bios_find_devic
8002 + unsigned short bx;
8003 + unsigned short ret;
8004 +
8005 +- __asm__("lcall *(%%edi); cld\n\t"
8006 ++ __asm__("movw %w7, %%ds\n\t"
8007 ++ "lcall *%%ss:(%%edi); cld\n\t"
8008 ++ "push %%ss\n\t"
8009 ++ "pop %%ds\n\t"
8010 + "jc 1f\n\t"
8011 + "xor %%ah, %%ah\n"
8012 + "1:"
8013 +@@ -168,7 +248,8 @@ static int __devinit pci_bios_find_devic
8014 + "c" (device_id),
8015 + "d" (vendor),
8016 + "S" ((int) index),
8017 +- "D" (&pci_indirect));
8018 ++ "D" (&pci_indirect),
8019 ++ "r" (__PCIBIOS_DS));
8020 + *bus = (bx >> 8) & 0xff;
8021 + *device_fn = bx & 0xff;
8022 + return (int) (ret & 0xff00) >> 8;
8023 +@@ -188,7 +269,10 @@ static int pci_bios_read(unsigned int se
8024 +
8025 + switch (len) {
8026 + case 1:
8027 +- __asm__("lcall *(%%esi); cld\n\t"
8028 ++ __asm__("movw %w6, %%ds\n\t"
8029 ++ "lcall *%%ss:(%%esi); cld\n\t"
8030 ++ "push %%ss\n\t"
8031 ++ "pop %%ds\n\t"
8032 + "jc 1f\n\t"
8033 + "xor %%ah, %%ah\n"
8034 + "1:"
8035 +@@ -197,10 +281,14 @@ static int pci_bios_read(unsigned int se
8036 + : "1" (PCIBIOS_READ_CONFIG_BYTE),
8037 + "b" (bx),
8038 + "D" ((long)reg),
8039 +- "S" (&pci_indirect));
8040 ++ "S" (&pci_indirect),
8041 ++ "r" (__PCIBIOS_DS));
8042 + break;
8043 + case 2:
8044 +- __asm__("lcall *(%%esi); cld\n\t"
8045 ++ __asm__("movw %w6, %%ds\n\t"
8046 ++ "lcall *%%ss:(%%esi); cld\n\t"
8047 ++ "push %%ss\n\t"
8048 ++ "pop %%ds\n\t"
8049 + "jc 1f\n\t"
8050 + "xor %%ah, %%ah\n"
8051 + "1:"
8052 +@@ -209,10 +297,14 @@ static int pci_bios_read(unsigned int se
8053 + : "1" (PCIBIOS_READ_CONFIG_WORD),
8054 + "b" (bx),
8055 + "D" ((long)reg),
8056 +- "S" (&pci_indirect));
8057 ++ "S" (&pci_indirect),
8058 ++ "r" (__PCIBIOS_DS));
8059 + break;
8060 + case 4:
8061 +- __asm__("lcall *(%%esi); cld\n\t"
8062 ++ __asm__("movw %w6, %%ds\n\t"
8063 ++ "lcall *%%ss:(%%esi); cld\n\t"
8064 ++ "push %%ss\n\t"
8065 ++ "pop %%ds\n\t"
8066 + "jc 1f\n\t"
8067 + "xor %%ah, %%ah\n"
8068 + "1:"
8069 +@@ -221,7 +313,8 @@ static int pci_bios_read(unsigned int se
8070 + : "1" (PCIBIOS_READ_CONFIG_DWORD),
8071 + "b" (bx),
8072 + "D" ((long)reg),
8073 +- "S" (&pci_indirect));
8074 ++ "S" (&pci_indirect),
8075 ++ "r" (__PCIBIOS_DS));
8076 + break;
8077 + }
8078 +
8079 +@@ -244,7 +337,10 @@ static int pci_bios_write(unsigned int s
8080 +
8081 + switch (len) {
8082 + case 1:
8083 +- __asm__("lcall *(%%esi); cld\n\t"
8084 ++ __asm__("movw %w6, %%ds\n\t"
8085 ++ "lcall *%%ss:(%%esi); cld\n\t"
8086 ++ "push %%ss\n\t"
8087 ++ "pop %%ds\n\t"
8088 + "jc 1f\n\t"
8089 + "xor %%ah, %%ah\n"
8090 + "1:"
8091 +@@ -253,10 +349,14 @@ static int pci_bios_write(unsigned int s
8092 + "c" (value),
8093 + "b" (bx),
8094 + "D" ((long)reg),
8095 +- "S" (&pci_indirect));
8096 ++ "S" (&pci_indirect),
8097 ++ "r" (__PCIBIOS_DS));
8098 + break;
8099 + case 2:
8100 +- __asm__("lcall *(%%esi); cld\n\t"
8101 ++ __asm__("movw %w6, %%ds\n\t"
8102 ++ "lcall *%%ss:(%%esi); cld\n\t"
8103 ++ "push %%ss\n\t"
8104 ++ "pop %%ds\n\t"
8105 + "jc 1f\n\t"
8106 + "xor %%ah, %%ah\n"
8107 + "1:"
8108 +@@ -265,10 +365,14 @@ static int pci_bios_write(unsigned int s
8109 + "c" (value),
8110 + "b" (bx),
8111 + "D" ((long)reg),
8112 +- "S" (&pci_indirect));
8113 ++ "S" (&pci_indirect),
8114 ++ "r" (__PCIBIOS_DS));
8115 + break;
8116 + case 4:
8117 +- __asm__("lcall *(%%esi); cld\n\t"
8118 ++ __asm__("movw %w6, %%ds\n\t"
8119 ++ "lcall *%%ss:(%%esi); cld\n\t"
8120 ++ "push %%ss\n\t"
8121 ++ "pop %%ds\n\t"
8122 + "jc 1f\n\t"
8123 + "xor %%ah, %%ah\n"
8124 + "1:"
8125 +@@ -277,7 +381,8 @@ static int pci_bios_write(unsigned int s
8126 + "c" (value),
8127 + "b" (bx),
8128 + "D" ((long)reg),
8129 +- "S" (&pci_indirect));
8130 ++ "S" (&pci_indirect),
8131 ++ "r" (__PCIBIOS_DS));
8132 + break;
8133 + }
8134 +
8135 +@@ -430,10 +535,13 @@ struct irq_routing_table * pcibios_get_i
8136 +
8137 + DBG("PCI: Fetching IRQ routing table... ");
8138 + __asm__("push %%es\n\t"
8139 ++ "movw %w8, %%ds\n\t"
8140 + "push %%ds\n\t"
8141 + "pop %%es\n\t"
8142 +- "lcall *(%%esi); cld\n\t"
8143 ++ "lcall *%%ss:(%%esi); cld\n\t"
8144 + "pop %%es\n\t"
8145 ++ "push %%ss\n\t"
8146 ++ "pop %%ds\n"
8147 + "jc 1f\n\t"
8148 + "xor %%ah, %%ah\n"
8149 + "1:"
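Review bot: `%es` is now loaded from `__PCIBIOS_DS` (via `movw %w8, %%ds; push %%ds; pop %%es`), whose descriptor bios32_service packs with base = the BIOS service address and limit = its length, yet `opt` is still passed in `%edi` as a flat kernel address (`"D" ((long) &opt)`); an `es:edi` buffer pointer interpreted against that segment would fall outside it. I may be missing a flat mapping elsewhere, but the other calls in this file pass only register values and this is the one that hands the BIOS a memory buffer, so please verify it with a `pci=biosirq` boot. If `%es` must stay flat, load it from `%ss` (`push %%ss; pop %%es`) before switching `%ds`, which is what the stock sequence effectively did. pcibios_get_irq_routing_table continues past this hunk.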
8150 +@@ -444,7 +552,8 @@ struct irq_routing_table * pcibios_get_i
8151 + "1" (0),
8152 + "D" ((long) &opt),
8153 + "S" (&pci_indirect),
8154 +- "m" (opt)
8155 ++ "m" (opt),
8156 ++ "r" (__PCIBIOS_DS)
8157 + : "memory");
8158 + DBG("OK ret=%d, size=%d, map=%x\n", ret, opt.size, map);
8159 + if (ret & 0xff00)
8160 +@@ -468,7 +577,10 @@ int pcibios_set_irq_routing(struct pci_d
8161 + {
8162 + int ret;
8163 +
8164 +- __asm__("lcall *(%%esi); cld\n\t"
8165 ++ __asm__("movw %w5, %%ds\n\t"
8166 ++ "lcall *%%ss:(%%esi); cld\n\t"
8167 ++ "push %%ss\n\t"
8168 ++ "pop %%ds\n"
8169 + "jc 1f\n\t"
8170 + "xor %%ah, %%ah\n"
8171 + "1:"
8172 +@@ -476,7 +588,8 @@ int pcibios_set_irq_routing(struct pci_d
8173 + : "0" (PCIBIOS_SET_PCI_HW_INT),
8174 + "b" ((dev->bus->number << 8) | dev->devfn),
8175 + "c" ((irq << 8) | (pin + 10)),
8176 +- "S" (&pci_indirect));
8177 ++ "S" (&pci_indirect),
8178 ++ "r" (__PCIBIOS_DS));
8179 + return !(ret & 0xff00);
8180 + }
8181 + EXPORT_SYMBOL(pcibios_set_irq_routing);
8182 +diff -Nurp linux-2.6.23.15/arch/i386/power/cpu.c linux-2.6.23.15-grsec/arch/i386/power/cpu.c
8183 +--- linux-2.6.23.15/arch/i386/power/cpu.c 2007-10-09 21:31:38.000000000 +0100
8184 ++++ linux-2.6.23.15-grsec/arch/i386/power/cpu.c 2008-02-11 10:37:44.000000000 +0000
8185 +@@ -64,7 +64,7 @@ static void do_fpu_end(void)
8186 + static void fix_processor_context(void)
8187 + {
8188 + int cpu = smp_processor_id();
8189 +- struct tss_struct * t = &per_cpu(init_tss, cpu);
8190 ++ struct tss_struct *t = init_tss + cpu;
8191 +
8192 + set_tss_desc(cpu,t); /* This just modifies memory; should not be necessary. But... This is necessary, because 386 hardware has concept of busy TSS or some similar stupidity. */
8193 +
8194 +diff -Nurp linux-2.6.23.15/arch/i386/xen/enlighten.c linux-2.6.23.15-grsec/arch/i386/xen/enlighten.c
8195 +--- linux-2.6.23.15/arch/i386/xen/enlighten.c 2008-02-11 10:36:03.000000000 +0000
8196 ++++ linux-2.6.23.15-grsec/arch/i386/xen/enlighten.c 2008-02-11 10:37:44.000000000 +0000
8197 +@@ -320,7 +320,7 @@ static void xen_set_ldt(const void *addr
8198 + static void xen_load_gdt(const struct Xgt_desc_struct *dtr)
8199 + {
8200 + unsigned long *frames;
8201 +- unsigned long va = dtr->address;
8202 ++ unsigned long va = (unsigned long)dtr->address;
8203 + unsigned int size = dtr->size + 1;
8204 + unsigned pages = (size + PAGE_SIZE - 1) / PAGE_SIZE;
8205 + int f;
8206 +@@ -335,7 +335,7 @@ static void xen_load_gdt(const struct Xg
8207 + mcs = xen_mc_entry(sizeof(*frames) * pages);
8208 + frames = mcs.args;
8209 +
8210 +- for (f = 0; va < dtr->address + size; va += PAGE_SIZE, f++) {
8211 ++ for (f = 0; va < (unsigned long)dtr->address + size; va += PAGE_SIZE, f++) {
8212 + frames[f] = virt_to_mfn(va);
8213 + make_lowmem_page_readonly((void *)va);
8214 + }
8215 +@@ -429,7 +429,7 @@ static void xen_write_idt_entry(struct d
8216 +
8217 + preempt_disable();
8218 +
8219 +- start = __get_cpu_var(idt_desc).address;
8220 ++ start = (unsigned long)__get_cpu_var(idt_desc).address;
8221 + end = start + __get_cpu_var(idt_desc).size + 1;
8222 +
8223 + xen_mc_flush();
8224 +diff -Nurp linux-2.6.23.15/arch/i386/xen/smp.c linux-2.6.23.15-grsec/arch/i386/xen/smp.c
8225 +--- linux-2.6.23.15/arch/i386/xen/smp.c 2007-10-09 21:31:38.000000000 +0100
8226 ++++ linux-2.6.23.15-grsec/arch/i386/xen/smp.c 2008-02-11 10:37:44.000000000 +0000
8227 +@@ -144,7 +144,7 @@ void __init xen_smp_prepare_boot_cpu(voi
8228 +
8229 + /* We've switched to the "real" per-cpu gdt, so make sure the
8230 + old memory can be recycled */
8231 +- make_lowmem_page_readwrite(&per_cpu__gdt_page);
8232 ++ make_lowmem_page_readwrite(get_cpu_gdt_table(smp_processor_id()));
8233 +
8234 + for (cpu = 0; cpu < NR_CPUS; cpu++) {
8235 + cpus_clear(cpu_sibling_map[cpu]);
8236 +@@ -198,7 +198,7 @@ static __cpuinit int
8237 + cpu_initialize_context(unsigned int cpu, struct task_struct *idle)
8238 + {
8239 + struct vcpu_guest_context *ctxt;
8240 +- struct gdt_page *gdt = &per_cpu(gdt_page, cpu);
8241 ++ struct desc_struct *gdt = get_cpu_gdt_table(cpu);
8242 +
8243 + if (cpu_test_and_set(cpu, cpu_initialized_map))
8244 + return 0;
8245 +@@ -222,11 +222,11 @@ cpu_initialize_context(unsigned int cpu,
8246 +
8247 + ctxt->ldt_ents = 0;
8248 +
8249 +- BUG_ON((unsigned long)gdt->gdt & ~PAGE_MASK);
8250 +- make_lowmem_page_readonly(gdt->gdt);
8251 ++ BUG_ON((unsigned long)gdt & ~PAGE_MASK);
8252 ++ make_lowmem_page_readonly(gdt);
8253 +
8254 +- ctxt->gdt_frames[0] = virt_to_mfn(gdt->gdt);
8255 +- ctxt->gdt_ents = ARRAY_SIZE(gdt->gdt);
8256 ++ ctxt->gdt_frames[0] = virt_to_mfn(gdt);
8257 ++ ctxt->gdt_ents = GDT_ENTRIES;
8258 +
8259 + ctxt->user_regs.cs = __KERNEL_CS;
8260 + ctxt->user_regs.esp = idle->thread.esp0 - sizeof(struct pt_regs);
8261 +diff -Nurp linux-2.6.23.15/arch/ia64/ia32/binfmt_elf32.c linux-2.6.23.15-grsec/arch/ia64/ia32/binfmt_elf32.c
8262 +--- linux-2.6.23.15/arch/ia64/ia32/binfmt_elf32.c 2007-10-09 21:31:38.000000000 +0100
8263 ++++ linux-2.6.23.15-grsec/arch/ia64/ia32/binfmt_elf32.c 2008-02-11 10:37:44.000000000 +0000
8264 +@@ -45,6 +45,13 @@ randomize_stack_top(unsigned long stack_
8265 +
8266 + #define elf_read_implies_exec(ex, have_pt_gnu_stack) (!(have_pt_gnu_stack))
8267 +
8268 ++#ifdef CONFIG_PAX_ASLR
8269 ++#define PAX_ELF_ET_DYN_BASE (current->personality == PER_LINUX32 ? 0x08048000UL : 0x4000000000000000UL)
8270 ++
8271 ++#define PAX_DELTA_MMAP_LEN (current->personality == PER_LINUX32 ? 16 : 3*PAGE_SHIFT - 13)
8272 ++#define PAX_DELTA_STACK_LEN (current->personality == PER_LINUX32 ? 16 : 3*PAGE_SHIFT - 13)
8273 ++#endif
8274 ++
8275 + /* Ugly but avoids duplication */
8276 + #include "../../../fs/binfmt_elf.c"
8277 +
8278 +diff -Nurp linux-2.6.23.15/arch/ia64/ia32/ia32priv.h linux-2.6.23.15-grsec/arch/ia64/ia32/ia32priv.h
8279 +--- linux-2.6.23.15/arch/ia64/ia32/ia32priv.h 2007-10-09 21:31:38.000000000 +0100
8280 ++++ linux-2.6.23.15-grsec/arch/ia64/ia32/ia32priv.h 2008-02-11 10:37:44.000000000 +0000
8281 +@@ -304,7 +304,14 @@ struct old_linux32_dirent {
8282 + #define ELF_DATA ELFDATA2LSB
8283 + #define ELF_ARCH EM_386
8284 +
8285 +-#define IA32_STACK_TOP IA32_PAGE_OFFSET
8286 ++#ifdef CONFIG_PAX_RANDUSTACK
8287 ++#define __IA32_DELTA_STACK (current->mm->delta_stack)
8288 ++#else
8289 ++#define __IA32_DELTA_STACK 0UL
8290 ++#endif
8291 ++
8292 ++#define IA32_STACK_TOP (IA32_PAGE_OFFSET - __IA32_DELTA_STACK)
8293 ++
8294 + #define IA32_GATE_OFFSET IA32_PAGE_OFFSET
8295 + #define IA32_GATE_END IA32_PAGE_OFFSET + PAGE_SIZE
8296 +
8297 +diff -Nurp linux-2.6.23.15/arch/ia64/kernel/module.c linux-2.6.23.15-grsec/arch/ia64/kernel/module.c
8298 +--- linux-2.6.23.15/arch/ia64/kernel/module.c 2007-10-09 21:31:38.000000000 +0100
8299 ++++ linux-2.6.23.15-grsec/arch/ia64/kernel/module.c 2008-02-11 10:37:44.000000000 +0000
8300 +@@ -321,7 +321,7 @@ module_alloc (unsigned long size)
8301 + void
8302 + module_free (struct module *mod, void *module_region)
8303 + {
8304 +- if (mod->arch.init_unw_table && module_region == mod->module_init) {
8305 ++ if (mod->arch.init_unw_table && module_region == mod->module_init_rx) {
8306 + unw_remove_unwind_table(mod->arch.init_unw_table);
8307 + mod->arch.init_unw_table = NULL;
8308 + }
8309 +@@ -499,15 +499,39 @@ module_frob_arch_sections (Elf_Ehdr *ehd
8310 + }
8311 +
8312 + static inline int
8313 ++in_init_rx (const struct module *mod, uint64_t addr)
8314 ++{
8315 ++ return addr - (uint64_t) mod->module_init_rx < mod->init_size_rx;
8316 ++}
8317 ++
8318 ++static inline int
8319 ++in_init_rw (const struct module *mod, uint64_t addr)
8320 ++{
8321 ++ return addr - (uint64_t) mod->module_init_rw < mod->init_size_rw;
8322 ++}
8323 ++
8324 ++static inline int
8325 + in_init (const struct module *mod, uint64_t addr)
8326 + {
8327 +- return addr - (uint64_t) mod->module_init < mod->init_size;
8328 ++ return in_init_rx(mod, value) || in_init_rw(mod, value);
8329 ++}
8330 ++
8331 ++static inline int
8332 ++in_core_rx (const struct module *mod, uint64_t addr)
8333 ++{
8334 ++ return addr - (uint64_t) mod->module_core_rx < mod->core_size_rx;
8335 ++}
8336 ++
8337 ++static inline int
8338 ++in_core_rw (const struct module *mod, uint64_t addr)
8339 ++{
8340 ++ return addr - (uint64_t) mod->module_core_rw < mod->core_size_rw;
8341 + }
8342 +
8343 + static inline int
8344 + in_core (const struct module *mod, uint64_t addr)
8345 + {
8346 +- return addr - (uint64_t) mod->module_core < mod->core_size;
8347 ++ return in_core_rx(mod, value) || in_core_rw(mod, value);
8348 + }
8349 +
8350 + static inline int
8351 +@@ -691,7 +715,14 @@ do_reloc (struct module *mod, uint8_t r_
8352 + break;
8353 +
8354 + case RV_BDREL:
8355 +- val -= (uint64_t) (in_init(mod, val) ? mod->module_init : mod->module_core);
8356 ++ if (in_init_rx(mod, val))
8357 ++ val -= (uint64_t) mod->module_init_rx;
8358 ++ else if (in_init_rw(mod, val))
8359 ++ val -= (uint64_t) mod->module_init_rw;
8360 ++ else if (in_core_rx(mod, val))
8361 ++ val -= (uint64_t) mod->module_core_rx;
8362 ++ else if (in_core_rw(mod, val))
8363 ++ val -= (uint64_t) mod->module_core_rw;
8364 + break;
8365 +
8366 + case RV_LTV:
8367 +@@ -825,15 +856,15 @@ apply_relocate_add (Elf64_Shdr *sechdrs,
8368 + * addresses have been selected...
8369 + */
8370 + uint64_t gp;
8371 +- if (mod->core_size > MAX_LTOFF)
8372 ++ if (mod->core_size_rx + mod->core_size_rw > MAX_LTOFF)
8373 + /*
8374 + * This takes advantage of fact that SHF_ARCH_SMALL gets allocated
8375 + * at the end of the module.
8376 + */
8377 +- gp = mod->core_size - MAX_LTOFF / 2;
8378 ++ gp = mod->core_size_rx + mod->core_size_rw - MAX_LTOFF / 2;
8379 + else
8380 +- gp = mod->core_size / 2;
8381 +- gp = (uint64_t) mod->module_core + ((gp + 7) & -8);
8382 ++ gp = (mod->core_size_rx + mod->core_size_rw) / 2;
8383 ++ gp = (uint64_t) mod->module_core_rx + ((gp + 7) & -8);
8384 + mod->arch.gp = gp;
8385 + DEBUGP("%s: placing gp at 0x%lx\n", __FUNCTION__, gp);
8386 + }
8387 +diff -Nurp linux-2.6.23.15/arch/ia64/kernel/ptrace.c linux-2.6.23.15-grsec/arch/ia64/kernel/ptrace.c
8388 +--- linux-2.6.23.15/arch/ia64/kernel/ptrace.c 2007-10-09 21:31:38.000000000 +0100
8389 ++++ linux-2.6.23.15-grsec/arch/ia64/kernel/ptrace.c 2008-02-11 10:37:44.000000000 +0000
8390 +@@ -17,6 +17,7 @@
8391 + #include <linux/security.h>
8392 + #include <linux/audit.h>
8393 + #include <linux/signal.h>
8394 ++#include <linux/grsecurity.h>
8395 +
8396 + #include <asm/pgtable.h>
8397 + #include <asm/processor.h>
8398 +@@ -1451,6 +1452,9 @@ sys_ptrace (long request, pid_t pid, uns
8399 + if (pid == 1) /* no messing around with init! */
8400 + goto out_tsk;
8401 +
8402 ++ if (gr_handle_ptrace(child, request))
8403 ++ goto out_tsk;
8404 ++
8405 + if (request == PTRACE_ATTACH) {
8406 + ret = ptrace_attach(child);
8407 + goto out_tsk;
8408 +diff -Nurp linux-2.6.23.15/arch/ia64/kernel/sys_ia64.c linux-2.6.23.15-grsec/arch/ia64/kernel/sys_ia64.c
8409 +--- linux-2.6.23.15/arch/ia64/kernel/sys_ia64.c 2007-10-09 21:31:38.000000000 +0100
8410 ++++ linux-2.6.23.15-grsec/arch/ia64/kernel/sys_ia64.c 2008-02-11 10:37:44.000000000 +0000
8411 +@@ -43,6 +43,13 @@ arch_get_unmapped_area (struct file *fil
8412 + if (REGION_NUMBER(addr) == RGN_HPAGE)
8413 + addr = 0;
8414 + #endif
8415 ++
8416 ++#ifdef CONFIG_PAX_RANDMMAP
8417 ++ if ((mm->pax_flags & MF_PAX_RANDMMAP) && addr && filp)
8418 ++ addr = mm->free_area_cache;
8419 ++ else
8420 ++#endif
8421 ++
8422 + if (!addr)
8423 + addr = mm->free_area_cache;
8424 +
8425 +@@ -61,9 +68,9 @@ arch_get_unmapped_area (struct file *fil
8426 + for (vma = find_vma(mm, addr); ; vma = vma->vm_next) {
8427 + /* At this point: (!vma || addr < vma->vm_end). */
8428 + if (TASK_SIZE - len < addr || RGN_MAP_LIMIT - len < REGION_OFFSET(addr)) {
8429 +- if (start_addr != TASK_UNMAPPED_BASE) {
8430 ++ if (start_addr != mm->mmap_base) {
8431 + /* Start a new search --- just in case we missed some holes. */
8432 +- addr = TASK_UNMAPPED_BASE;
8433 ++ addr = mm->mmap_base;
8434 + goto full_search;
8435 + }
8436 + return -ENOMEM;
8437 +diff -Nurp linux-2.6.23.15/arch/ia64/mm/fault.c linux-2.6.23.15-grsec/arch/ia64/mm/fault.c
8438 +--- linux-2.6.23.15/arch/ia64/mm/fault.c 2007-10-09 21:31:38.000000000 +0100
8439 ++++ linux-2.6.23.15-grsec/arch/ia64/mm/fault.c 2008-02-11 10:37:44.000000000 +0000
8440 +@@ -10,6 +10,7 @@
8441 + #include <linux/interrupt.h>
8442 + #include <linux/kprobes.h>
8443 + #include <linux/kdebug.h>
8444 ++#include <linux/binfmts.h>
8445 +
8446 + #include <asm/pgtable.h>
8447 + #include <asm/processor.h>
8448 +@@ -72,6 +73,23 @@ mapped_kernel_page_is_present (unsigned
8449 + return pte_present(pte);
8450 + }
8451 +
8452 ++#ifdef CONFIG_PAX_PAGEEXEC
8453 ++void pax_report_insns(void *pc, void *sp)
8454 ++{
8455 ++ unsigned long i;
8456 ++
8457 ++ printk(KERN_ERR "PAX: bytes at PC: ");
8458 ++ for (i = 0; i < 8; i++) {
8459 ++ unsigned int c;
8460 ++ if (get_user(c, (unsigned int *)pc+i))
8461 ++ printk("???????? ");
8462 ++ else
8463 ++ printk("%08x ", c);
8464 ++ }
8465 ++ printk("\n");
8466 ++}
8467 ++#endif
8468 ++
8469 + void __kprobes
8470 + ia64_do_page_fault (unsigned long address, unsigned long isr, struct pt_regs *regs)
8471 + {
8472 +@@ -145,9 +163,23 @@ ia64_do_page_fault (unsigned long addres
8473 + mask = ( (((isr >> IA64_ISR_X_BIT) & 1UL) << VM_EXEC_BIT)
8474 + | (((isr >> IA64_ISR_W_BIT) & 1UL) << VM_WRITE_BIT));
8475 +
8476 +- if ((vma->vm_flags & mask) != mask)
8477 ++ if ((vma->vm_flags & mask) != mask) {
8478 ++
8479 ++#ifdef CONFIG_PAX_PAGEEXEC
8480 ++ if (!(vma->vm_flags & VM_EXEC) && (mask & VM_EXEC)) {
8481 ++ if (!(mm->pax_flags & MF_PAX_PAGEEXEC) || address != regs->cr_iip)
8482 ++ goto bad_area;
8483 ++
8484 ++ up_read(&mm->mmap_sem);
8485 ++ pax_report_fault(regs, (void *)regs->cr_iip, (void *)regs->r12);
8486 ++ do_exit(SIGKILL);
8487 ++ }
8488 ++#endif
8489 ++
8490 + goto bad_area;
8491 +
8492 ++ }
8493 ++
8494 + survive:
8495 + /*
8496 + * If for any reason at all we couldn't handle the fault, make
8497 +diff -Nurp linux-2.6.23.15/arch/ia64/mm/init.c linux-2.6.23.15-grsec/arch/ia64/mm/init.c
8498 +--- linux-2.6.23.15/arch/ia64/mm/init.c 2007-10-09 21:31:38.000000000 +0100
8499 ++++ linux-2.6.23.15-grsec/arch/ia64/mm/init.c 2008-02-11 10:37:44.000000000 +0000
8500 +@@ -20,8 +20,8 @@
8501 + #include <linux/proc_fs.h>
8502 + #include <linux/bitops.h>
8503 + #include <linux/kexec.h>
8504 ++#include <linux/a.out.h>
8505 +
8506 +-#include <asm/a.out.h>
8507 + #include <asm/dma.h>
8508 + #include <asm/ia32.h>
8509 + #include <asm/io.h>
8510 +@@ -130,8 +130,21 @@ ia64_init_addr_space (void)
8511 + vma->vm_mm = current->mm;
8512 + vma->vm_start = current->thread.rbs_bot & PAGE_MASK;
8513 + vma->vm_end = vma->vm_start + PAGE_SIZE;
8514 +- vma->vm_page_prot = protection_map[VM_DATA_DEFAULT_FLAGS & 0x7];
8515 + vma->vm_flags = VM_DATA_DEFAULT_FLAGS|VM_GROWSUP|VM_ACCOUNT;
8516 ++
8517 ++#ifdef CONFIG_PAX_PAGEEXEC
8518 ++ if (current->mm->pax_flags & MF_PAX_PAGEEXEC) {
8519 ++ vm->vm_flags &= ~VM_EXEC;
8520 ++
8521 ++#ifdef CONFIG_PAX_MPROTECT
8522 ++ if (current->mm->pax_flags & MF_PAX_MPROTECT)
8523 ++ vma->vm_flags &= ~VM_MAYEXEC;
8524 ++#endif
8525 ++
8526 ++ }
8527 ++#endif
8528 ++
8529 ++ vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
8530 + down_write(&current->mm->mmap_sem);
8531 + if (insert_vm_struct(current->mm, vma)) {
8532 + up_write(&current->mm->mmap_sem);
8533 +diff -Nurp linux-2.6.23.15/arch/mips/kernel/binfmt_elfn32.c linux-2.6.23.15-grsec/arch/mips/kernel/binfmt_elfn32.c
8534 +--- linux-2.6.23.15/arch/mips/kernel/binfmt_elfn32.c 2007-10-09 21:31:38.000000000 +0100
8535 ++++ linux-2.6.23.15-grsec/arch/mips/kernel/binfmt_elfn32.c 2008-02-11 10:37:44.000000000 +0000
8536 +@@ -50,6 +50,13 @@ typedef elf_fpreg_t elf_fpregset_t[ELF_N
8537 + #undef ELF_ET_DYN_BASE
8538 + #define ELF_ET_DYN_BASE (TASK32_SIZE / 3 * 2)
8539 +
8540 ++#ifdef CONFIG_PAX_ASLR
8541 ++#define PAX_ELF_ET_DYN_BASE ((current->thread.mflags & MF_32BIT_ADDR) ? 0x00400000UL : 0x00400000UL)
8542 ++
8543 ++#define PAX_DELTA_MMAP_LEN ((current->thread.mflags & MF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
8544 ++#define PAX_DELTA_STACK_LEN ((current->thread.mflags & MF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
8545 ++#endif
8546 ++
8547 + #include <asm/processor.h>
8548 + #include <linux/module.h>
8549 + #include <linux/elfcore.h>
8550 +diff -Nurp linux-2.6.23.15/arch/mips/kernel/binfmt_elfo32.c linux-2.6.23.15-grsec/arch/mips/kernel/binfmt_elfo32.c
8551 +--- linux-2.6.23.15/arch/mips/kernel/binfmt_elfo32.c 2007-10-09 21:31:38.000000000 +0100
8552 ++++ linux-2.6.23.15-grsec/arch/mips/kernel/binfmt_elfo32.c 2008-02-11 10:37:44.000000000 +0000
8553 +@@ -52,6 +52,13 @@ typedef elf_fpreg_t elf_fpregset_t[ELF_N
8554 + #undef ELF_ET_DYN_BASE
8555 + #define ELF_ET_DYN_BASE (TASK32_SIZE / 3 * 2)
8556 +
8557 ++#ifdef CONFIG_PAX_ASLR
8558 ++#define PAX_ELF_ET_DYN_BASE ((current->thread.mflags & MF_32BIT_ADDR) ? 0x00400000UL : 0x00400000UL)
8559 ++
8560 ++#define PAX_DELTA_MMAP_LEN ((current->thread.mflags & MF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
8561 ++#define PAX_DELTA_STACK_LEN ((current->thread.mflags & MF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
8562 ++#endif
8563 ++
8564 + #include <asm/processor.h>
8565 + #include <linux/module.h>
8566 + #include <linux/elfcore.h>
8567 +diff -Nurp linux-2.6.23.15/arch/mips/kernel/syscall.c linux-2.6.23.15-grsec/arch/mips/kernel/syscall.c
8568 +--- linux-2.6.23.15/arch/mips/kernel/syscall.c 2007-10-09 21:31:38.000000000 +0100
8569 ++++ linux-2.6.23.15-grsec/arch/mips/kernel/syscall.c 2008-02-11 10:37:44.000000000 +0000
8570 +@@ -88,6 +88,11 @@ unsigned long arch_get_unmapped_area(str
8571 + do_color_align = 0;
8572 + if (filp || (flags & MAP_SHARED))
8573 + do_color_align = 1;
8574 ++
8575 ++#ifdef CONFIG_PAX_RANDMMAP
8576 ++ if (!(current->mm->pax_flags & MF_PAX_RANDMMAP) || !filp)
8577 ++#endif
8578 ++
8579 + if (addr) {
8580 + if (do_color_align)
8581 + addr = COLOUR_ALIGN(addr, pgoff);
8582 +@@ -98,7 +103,7 @@ unsigned long arch_get_unmapped_area(str
8583 + (!vmm || addr + len <= vmm->vm_start))
8584 + return addr;
8585 + }
8586 +- addr = TASK_UNMAPPED_BASE;
8587 ++ addr = current->mm->mmap_base;
8588 + if (do_color_align)
8589 + addr = COLOUR_ALIGN(addr, pgoff);
8590 + else
8591 +diff -Nurp linux-2.6.23.15/arch/mips/mm/fault.c linux-2.6.23.15-grsec/arch/mips/mm/fault.c
8592 +--- linux-2.6.23.15/arch/mips/mm/fault.c 2007-10-09 21:31:38.000000000 +0100
8593 ++++ linux-2.6.23.15-grsec/arch/mips/mm/fault.c 2008-02-11 10:37:44.000000000 +0000
8594 +@@ -26,6 +26,23 @@
8595 + #include <asm/ptrace.h>
8596 + #include <asm/highmem.h> /* For VMALLOC_END */
8597 +
8598 ++#ifdef CONFIG_PAX_PAGEEXEC
8599 ++void pax_report_insns(void *pc)
8600 ++{
8601 ++ unsigned long i;
8602 ++
8603 ++ printk(KERN_ERR "PAX: bytes at PC: ");
8604 ++ for (i = 0; i < 5; i++) {
8605 ++ unsigned int c;
8606 ++ if (get_user(c, (unsigned int *)pc+i))
8607 ++ printk("???????? ");
8608 ++ else
8609 ++ printk("%08x ", c);
8610 ++ }
8611 ++ printk("\n");
8612 ++}
8613 ++#endif
8614 ++
8615 + /*
8616 + * This routine handles page faults. It determines the address,
8617 + * and the problem, and then passes it off to one of the appropriate
8618 +diff -Nurp linux-2.6.23.15/arch/parisc/kernel/module.c linux-2.6.23.15-grsec/arch/parisc/kernel/module.c
8619 +--- linux-2.6.23.15/arch/parisc/kernel/module.c 2007-10-09 21:31:38.000000000 +0100
8620 ++++ linux-2.6.23.15-grsec/arch/parisc/kernel/module.c 2008-02-11 10:37:44.000000000 +0000
8621 +@@ -73,16 +73,38 @@
8622 +
8623 + /* three functions to determine where in the module core
8624 + * or init pieces the location is */
8625 ++static inline int in_init_rx(struct module *me, void *loc)
8626 ++{
8627 ++ return (loc >= me->module_init_rx &&
8628 ++ loc < (me->module_init_rx + me->init_size_rx));
8629 ++}
8630 ++
8631 ++static inline int in_init_rw(struct module *me, void *loc)
8632 ++{
8633 ++ return (loc >= me->module_init_rw &&
8634 ++ loc < (me->module_init_rw + me->init_size_rw));
8635 ++}
8636 ++
8637 + static inline int in_init(struct module *me, void *loc)
8638 + {
8639 +- return (loc >= me->module_init &&
8640 +- loc <= (me->module_init + me->init_size));
8641 ++ return in_init_rx(me, loc) || in_init_rw(me, loc);
8642 ++}
8643 ++
8644 ++static inline int in_core_rx(struct module *me, void *loc)
8645 ++{
8646 ++ return (loc >= me->module_core_rx &&
8647 ++ loc < (me->module_core_rx + me->core_size_rx));
8648 ++}
8649 ++
8650 ++static inline int in_core_rw(struct module *me, void *loc)
8651 ++{
8652 ++ return (loc >= me->module_core_rw &&
8653 ++ loc < (me->module_core_rw + me->core_size_rw));
8654 + }
8655 +
8656 + static inline int in_core(struct module *me, void *loc)
8657 + {
8658 +- return (loc >= me->module_core &&
8659 +- loc <= (me->module_core + me->core_size));
8660 ++ return in_core_rx(me, loc) || in_core_rw(me, loc);
8661 + }
8662 +
8663 + static inline int in_local(struct module *me, void *loc)
8664 +@@ -296,21 +318,21 @@ int module_frob_arch_sections(CONST Elf_
8665 + }
8666 +
8667 + /* align things a bit */
8668 +- me->core_size = ALIGN(me->core_size, 16);
8669 +- me->arch.got_offset = me->core_size;
8670 +- me->core_size += gots * sizeof(struct got_entry);
8671 +-
8672 +- me->core_size = ALIGN(me->core_size, 16);
8673 +- me->arch.fdesc_offset = me->core_size;
8674 +- me->core_size += fdescs * sizeof(Elf_Fdesc);
8675 +-
8676 +- me->core_size = ALIGN(me->core_size, 16);
8677 +- me->arch.stub_offset = me->core_size;
8678 +- me->core_size += stubs * sizeof(struct stub_entry);
8679 +-
8680 +- me->init_size = ALIGN(me->init_size, 16);
8681 +- me->arch.init_stub_offset = me->init_size;
8682 +- me->init_size += init_stubs * sizeof(struct stub_entry);
8683 ++ me->core_size_rw = ALIGN(me->core_size_rw, 16);
8684 ++ me->arch.got_offset = me->core_size_rw;
8685 ++ me->core_size_rw += gots * sizeof(struct got_entry);
8686 ++
8687 ++ me->core_size_rw = ALIGN(me->core_size_rw, 16);
8688 ++ me->arch.fdesc_offset = me->core_size_rw;
8689 ++ me->core_size_rw += fdescs * sizeof(Elf_Fdesc);
8690 ++
8691 ++ me->core_size_rx = ALIGN(me->core_size_rx, 16);
8692 ++ me->arch.stub_offset = me->core_size_rx;
8693 ++ me->core_size_rx += stubs * sizeof(struct stub_entry);
8694 ++
8695 ++ me->init_size_rx = ALIGN(me->init_size_rx, 16);
8696 ++ me->arch.init_stub_offset = me->init_size_rx;
8697 ++ me->init_size_rx += init_stubs * sizeof(struct stub_entry);
8698 +
8699 + me->arch.got_max = gots;
8700 + me->arch.fdesc_max = fdescs;
8701 +@@ -330,7 +352,7 @@ static Elf64_Word get_got(struct module
8702 +
8703 + BUG_ON(value == 0);
8704 +
8705 +- got = me->module_core + me->arch.got_offset;
8706 ++ got = me->module_core_rw + me->arch.got_offset;
8707 + for (i = 0; got[i].addr; i++)
8708 + if (got[i].addr == value)
8709 + goto out;
8710 +@@ -348,7 +370,7 @@ static Elf64_Word get_got(struct module
8711 + #ifdef CONFIG_64BIT
8712 + static Elf_Addr get_fdesc(struct module *me, unsigned long value)
8713 + {
8714 +- Elf_Fdesc *fdesc = me->module_core + me->arch.fdesc_offset;
8715 ++ Elf_Fdesc *fdesc = me->module_core_rw + me->arch.fdesc_offset;
8716 +
8717 + if (!value) {
8718 + printk(KERN_ERR "%s: zero OPD requested!\n", me->name);
8719 +@@ -366,7 +388,7 @@ static Elf_Addr get_fdesc(struct module
8720 +
8721 + /* Create new one */
8722 + fdesc->addr = value;
8723 +- fdesc->gp = (Elf_Addr)me->module_core + me->arch.got_offset;
8724 ++ fdesc->gp = (Elf_Addr)me->module_core_rw + me->arch.got_offset;
8725 + return (Elf_Addr)fdesc;
8726 + }
8727 + #endif /* CONFIG_64BIT */
8728 +@@ -386,12 +408,12 @@ static Elf_Addr get_stub(struct module *
8729 + if(init_section) {
8730 + i = me->arch.init_stub_count++;
8731 + BUG_ON(me->arch.init_stub_count > me->arch.init_stub_max);
8732 +- stub = me->module_init + me->arch.init_stub_offset +
8733 ++ stub = me->module_init_rx + me->arch.init_stub_offset +
8734 + i * sizeof(struct stub_entry);
8735 + } else {
8736 + i = me->arch.stub_count++;
8737 + BUG_ON(me->arch.stub_count > me->arch.stub_max);
8738 +- stub = me->module_core + me->arch.stub_offset +
8739 ++ stub = me->module_core_rx + me->arch.stub_offset +
8740 + i * sizeof(struct stub_entry);
8741 + }
8742 +
8743 +@@ -759,7 +781,7 @@ register_unwind_table(struct module *me,
8744 +
8745 + table = (unsigned char *)sechdrs[me->arch.unwind_section].sh_addr;
8746 + end = table + sechdrs[me->arch.unwind_section].sh_size;
8747 +- gp = (Elf_Addr)me->module_core + me->arch.got_offset;
8748 ++ gp = (Elf_Addr)me->module_core_rw + me->arch.got_offset;
8749 +
8750 + DEBUGP("register_unwind_table(), sect = %d at 0x%p - 0x%p (gp=0x%lx)\n",
8751 + me->arch.unwind_section, table, end, gp);
8752 +diff -Nurp linux-2.6.23.15/arch/parisc/kernel/sys_parisc.c linux-2.6.23.15-grsec/arch/parisc/kernel/sys_parisc.c
8753 +--- linux-2.6.23.15/arch/parisc/kernel/sys_parisc.c 2007-10-09 21:31:38.000000000 +0100
8754 ++++ linux-2.6.23.15-grsec/arch/parisc/kernel/sys_parisc.c 2008-02-11 10:37:44.000000000 +0000
8755 +@@ -111,7 +111,7 @@ unsigned long arch_get_unmapped_area(str
8756 + if (flags & MAP_FIXED)
8757 + return addr;
8758 + if (!addr)
8759 +- addr = TASK_UNMAPPED_BASE;
8760 ++ addr = current->mm->mmap_base;
8761 +
8762 + if (filp) {
8763 + addr = get_shared_area(filp->f_mapping, addr, len, pgoff);
8764 +diff -Nurp linux-2.6.23.15/arch/parisc/kernel/traps.c linux-2.6.23.15-grsec/arch/parisc/kernel/traps.c
8765 +--- linux-2.6.23.15/arch/parisc/kernel/traps.c 2007-10-09 21:31:38.000000000 +0100
8766 ++++ linux-2.6.23.15-grsec/arch/parisc/kernel/traps.c 2008-02-11 10:37:44.000000000 +0000
8767 +@@ -713,9 +713,7 @@ void handle_interruption(int code, struc
8768 +
8769 + down_read(&current->mm->mmap_sem);
8770 + vma = find_vma(current->mm,regs->iaoq[0]);
8771 +- if (vma && (regs->iaoq[0] >= vma->vm_start)
8772 +- && (vma->vm_flags & VM_EXEC)) {
8773 +-
8774 ++ if (vma && (regs->iaoq[0] >= vma->vm_start)) {
8775 + fault_address = regs->iaoq[0];
8776 + fault_space = regs->iasq[0];
8777 +
8778 +diff -Nurp linux-2.6.23.15/arch/parisc/mm/fault.c linux-2.6.23.15-grsec/arch/parisc/mm/fault.c
8779 +--- linux-2.6.23.15/arch/parisc/mm/fault.c 2007-10-09 21:31:38.000000000 +0100
8780 ++++ linux-2.6.23.15-grsec/arch/parisc/mm/fault.c 2008-02-11 10:37:44.000000000 +0000
8781 +@@ -16,6 +16,8 @@
8782 + #include <linux/sched.h>
8783 + #include <linux/interrupt.h>
8784 + #include <linux/module.h>
8785 ++#include <linux/unistd.h>
8786 ++#include <linux/binfmts.h>
8787 +
8788 + #include <asm/uaccess.h>
8789 + #include <asm/traps.h>
8790 +@@ -53,7 +55,7 @@ DEFINE_PER_CPU(struct exception_data, ex
8791 + static unsigned long
8792 + parisc_acctyp(unsigned long code, unsigned int inst)
8793 + {
8794 +- if (code == 6 || code == 16)
8795 ++ if (code == 6 || code == 7 || code == 16)
8796 + return VM_EXEC;
8797 +
8798 + switch (inst & 0xf0000000) {
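Review bot: Adding `code == 7` to the VM_EXEC classification is unexplained by the surrounding code, and the three bare trap numbers are exactly the kind of constant a later reader will not recognise. Add a comment on the changed line such as `/* 6: ITLB miss, 7: instruction access rights, 16: non-access ITLB miss -- confirm against the trap numbers in traps.c */`, or better, name them. The enclosing parisc_acctyp() continues past the hunk.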
8799 +@@ -139,6 +141,116 @@ parisc_acctyp(unsigned long code, unsign
8800 + }
8801 + #endif
8802 +
8803 ++#ifdef CONFIG_PAX_PAGEEXEC
8804 ++/*
8805 ++ * PaX: decide what to do with offenders (instruction_pointer(regs) = fault address)
8806 ++ *
8807 ++ * returns 1 when task should be killed
8808 ++ * 2 when rt_sigreturn trampoline was detected
8809 ++ * 3 when unpatched PLT trampoline was detected
8810 ++ */
8811 ++static int pax_handle_fetch_fault(struct pt_regs *regs)
8812 ++{
8813 ++
8814 ++#ifdef CONFIG_PAX_EMUPLT
8815 ++ int err;
8816 ++
8817 ++ do { /* PaX: unpatched PLT emulation */
8818 ++ unsigned int bl, depwi;
8819 ++
8820 ++ err = get_user(bl, (unsigned int *)instruction_pointer(regs));
8821 ++ err |= get_user(depwi, (unsigned int *)(instruction_pointer(regs)+4));
8822 ++
8823 ++ if (err)
8824 ++ break;
8825 ++
8826 ++ if (bl == 0xEA9F1FDDU && depwi == 0xD6801C1EU) {
8827 ++ unsigned int ldw, bv, ldw2, addr = instruction_pointer(regs)-12;
8828 ++
8829 ++ err = get_user(ldw, (unsigned int *)addr);
8830 ++ err |= get_user(bv, (unsigned int *)(addr+4));
8831 ++ err |= get_user(ldw2, (unsigned int *)(addr+8));
8832 ++
8833 ++ if (err)
8834 ++ break;
8835 ++
8836 ++ if (ldw == 0x0E801096U &&
8837 ++ bv == 0xEAC0C000U &&
8838 ++ ldw2 == 0x0E881095U)
8839 ++ {
8840 ++ unsigned int resolver, map;
8841 ++
8842 ++ err = get_user(resolver, (unsigned int *)(instruction_pointer(regs)+8));
8843 ++ err |= get_user(map, (unsigned int *)(instruction_pointer(regs)+12));
8844 ++ if (err)
8845 ++ break;
8846 ++
8847 ++ regs->gr[20] = instruction_pointer(regs)+8;
8848 ++ regs->gr[21] = map;
8849 ++ regs->gr[22] = resolver;
8850 ++ regs->iaoq[0] = resolver | 3UL;
8851 ++ regs->iaoq[1] = regs->iaoq[0] + 4;
8852 ++ return 3;
8853 ++ }
8854 ++ }
8855 ++ } while (0);
8856 ++#endif
8857 ++
8858 ++#ifdef CONFIG_PAX_EMUTRAMP
8859 ++
8860 ++#ifndef CONFIG_PAX_EMUSIGRT
8861 ++ if (!(current->mm->pax_flags & MF_PAX_EMUTRAMP))
8862 ++ return 1;
8863 ++#endif
8864 ++
8865 ++ do { /* PaX: rt_sigreturn emulation */
8866 ++ unsigned int ldi1, ldi2, bel, nop;
8867 ++
8868 ++ err = get_user(ldi1, (unsigned int *)instruction_pointer(regs));
8869 ++ err |= get_user(ldi2, (unsigned int *)(instruction_pointer(regs)+4));
8870 ++ err |= get_user(bel, (unsigned int *)(instruction_pointer(regs)+8));
8871 ++ err |= get_user(nop, (unsigned int *)(instruction_pointer(regs)+12));
8872 ++
8873 ++ if (err)
8874 ++ break;
8875 ++
8876 ++ if ((ldi1 == 0x34190000U || ldi1 == 0x34190002U) &&
8877 ++ ldi2 == 0x3414015AU &&
8878 ++ bel == 0xE4008200U &&
8879 ++ nop == 0x08000240U)
8880 ++ {
8881 ++ regs->gr[25] = (ldi1 & 2) >> 1;
8882 ++ regs->gr[20] = __NR_rt_sigreturn;
8883 ++ regs->gr[31] = regs->iaoq[1] + 16;
8884 ++ regs->sr[0] = regs->iasq[1];
8885 ++ regs->iaoq[0] = 0x100UL;
8886 ++ regs->iaoq[1] = regs->iaoq[0] + 4;
8887 ++ regs->iasq[0] = regs->sr[2];
8888 ++ regs->iasq[1] = regs->sr[2];
8889 ++ return 2;
8890 ++ }
8891 ++ } while (0);
8892 ++#endif
8893 ++
8894 ++ return 1;
8895 ++}
8896 ++
8897 ++void pax_report_insns(void *pc, void *sp)
8898 ++{
8899 ++ unsigned long i;
8900 ++
8901 ++ printk(KERN_ERR "PAX: bytes at PC: ");
8902 ++ for (i = 0; i < 5; i++) {
8903 ++ unsigned int c;
8904 ++ if (get_user(c, (unsigned int *)pc+i))
8905 ++ printk("???????? ");
8906 ++ else
8907 ++ printk("%08x ", c);
8908 ++ }
8909 ++ printk("\n");
8910 ++}
8911 ++#endif
8912 ++
8913 + void do_page_fault(struct pt_regs *regs, unsigned long code,
8914 + unsigned long address)
8915 + {
8916 +@@ -165,8 +277,33 @@ good_area:
8917 +
8918 + acc_type = parisc_acctyp(code,regs->iir);
8919 +
8920 +- if ((vma->vm_flags & acc_type) != acc_type)
8921 ++ if ((vma->vm_flags & acc_type) != acc_type) {
8922 ++
8923 ++#ifdef CONFIG_PAX_PAGEEXEC
8924 ++ if ((mm->pax_flags & MF_PAX_PAGEEXEC) && (acc_type & VM_EXEC) &&
8925 ++ (address & ~3UL) == instruction_pointer(regs))
8926 ++ {
8927 ++ up_read(&mm->mmap_sem);
8928 ++ switch (pax_handle_fetch_fault(regs)) {
8929 ++
8930 ++#ifdef CONFIG_PAX_EMUPLT
8931 ++ case 3:
8932 ++ return;
8933 ++#endif
8934 ++
8935 ++#ifdef CONFIG_PAX_EMUTRAMP
8936 ++ case 2:
8937 ++ return;
8938 ++#endif
8939 ++
8940 ++ }
8941 ++ pax_report_fault(regs, (void *)instruction_pointer(regs), (void *)regs->gr[30]);
8942 ++ do_exit(SIGKILL);
8943 ++ }
8944 ++#endif
8945 ++
8946 + goto bad_area;
8947 ++ }
8948 +
8949 + /*
8950 + * If for any reason at all we couldn't handle the fault, make
8951 +diff -Nurp linux-2.6.23.15/arch/powerpc/kernel/module_32.c linux-2.6.23.15-grsec/arch/powerpc/kernel/module_32.c
8952 +--- linux-2.6.23.15/arch/powerpc/kernel/module_32.c 2007-10-09 21:31:38.000000000 +0100
8953 ++++ linux-2.6.23.15-grsec/arch/powerpc/kernel/module_32.c 2008-02-11 10:37:44.000000000 +0000
8954 +@@ -126,7 +126,7 @@ int module_frob_arch_sections(Elf32_Ehdr
8955 + me->arch.core_plt_section = i;
8956 + }
8957 + if (!me->arch.core_plt_section || !me->arch.init_plt_section) {
8958 +- printk("Module doesn't contain .plt or .init.plt sections.\n");
8959 ++ printk("Module %s doesn't contain .plt or .init.plt sections.\n", me->name);
8960 + return -ENOEXEC;
8961 + }
8962 +
8963 +@@ -167,11 +167,16 @@ static uint32_t do_plt_call(void *locati
8964 +
8965 + DEBUGP("Doing plt for call to 0x%x at 0x%x\n", val, (unsigned int)location);
8966 + /* Init, or core PLT? */
8967 +- if (location >= mod->module_core
8968 +- && location < mod->module_core + mod->core_size)
8969 ++ if ((location >= mod->module_core_rx && location < mod->module_core_rx + mod->core_size_rx) ||
8970 ++ (location >= mod->module_core_rw && location < mod->module_core_rw + mod->core_size_rw))
8971 + entry = (void *)sechdrs[mod->arch.core_plt_section].sh_addr;
8972 +- else
8973 ++ else if ((location >= mod->module_init_rx && location < mod->module_init_rx + mod->init_size_rx) ||
8974 ++ (location >= mod->module_init_rw && location < mod->module_init_rw + mod->init_size_rw))
8975 + entry = (void *)sechdrs[mod->arch.init_plt_section].sh_addr;
8976 ++ else {
8977 ++ printk(KERN_ERR "%s: invalid R_PPC_REL24 entry found\n", mod->name);
8978 ++ return ~0UL;
8979 ++ }
8980 +
8981 + /* Find this entry, or if that fails, the next avail. entry */
8982 + while (entry->jump[0]) {
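Review bot: do_plt_call() now returns `~0UL` for a location outside every module region, but the function is declared `static uint32_t` and its caller (apply_relocate_add, outside this hunk) is not shown checking for a sentinel; if it does not, the R_PPC_REL24 relocation is patched to branch to 0xffffffff instead of the load being rejected. Confirm the caller tests the return value and fails the load, and consider returning `0` with a comment that it is the in-band error value, since `~0UL` silently truncates on 32-bit. The printk with `mod->name` is a good addition for diagnosing a malformed module.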
8983 +diff -Nurp linux-2.6.23.15/arch/powerpc/kernel/signal_32.c linux-2.6.23.15-grsec/arch/powerpc/kernel/signal_32.c
8984 +--- linux-2.6.23.15/arch/powerpc/kernel/signal_32.c 2007-10-09 21:31:38.000000000 +0100
8985 ++++ linux-2.6.23.15-grsec/arch/powerpc/kernel/signal_32.c 2008-02-11 10:37:44.000000000 +0000
8986 +@@ -728,7 +728,7 @@ int handle_rt_signal32(unsigned long sig
8987 +
8988 + /* Save user registers on the stack */
8989 + frame = &rt_sf->uc.uc_mcontext;
8990 +- if (vdso32_rt_sigtramp && current->mm->context.vdso_base) {
8991 ++ if (vdso32_rt_sigtramp && current->mm->context.vdso_base != ~0UL) {
8992 + if (save_user_regs(regs, frame, 0))
8993 + goto badframe;
8994 + regs->link = current->mm->context.vdso_base + vdso32_rt_sigtramp;
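Review bot: The vdso_base "not mapped" sentinel changes from 0 to `~0UL` here, in the matching signal_64.c hunk and in the vdso.c assignment, but every other writer or reader of `context.vdso_base` — the mm_context initialisation at fork/exec and the `arch_vma_name` comparison in vdso.c — lies outside this patch. If a context is still zero-initialised on some path, a process whose vDSO setup never ran now passes this test and gets `regs->link` computed from base 0 plus the trampoline offset. Confirm that all writers use the new value, and consider a single named constant, e.g. `#define VDSO_BASE_NONE (~0UL)`, so the three sites cannot drift apart.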
8995 +diff -Nurp linux-2.6.23.15/arch/powerpc/kernel/signal_64.c linux-2.6.23.15-grsec/arch/powerpc/kernel/signal_64.c
8996 +--- linux-2.6.23.15/arch/powerpc/kernel/signal_64.c 2007-10-09 21:31:38.000000000 +0100
8997 ++++ linux-2.6.23.15-grsec/arch/powerpc/kernel/signal_64.c 2008-02-11 10:37:44.000000000 +0000
8998 +@@ -359,7 +359,7 @@ int handle_rt_signal64(int signr, struct
8999 + current->thread.fpscr.val = 0;
9000 +
9001 + /* Set up to return from userspace. */
9002 +- if (vdso64_rt_sigtramp && current->mm->context.vdso_base) {
9003 ++ if (vdso64_rt_sigtramp && current->mm->context.vdso_base != ~0UL) {
9004 + regs->link = current->mm->context.vdso_base + vdso64_rt_sigtramp;
9005 + } else {
9006 + err |= setup_trampoline(__NR_rt_sigreturn, &frame->tramp[0]);
9007 +diff -Nurp linux-2.6.23.15/arch/powerpc/kernel/vdso.c linux-2.6.23.15-grsec/arch/powerpc/kernel/vdso.c
9008 +--- linux-2.6.23.15/arch/powerpc/kernel/vdso.c 2007-10-09 21:31:38.000000000 +0100
9009 ++++ linux-2.6.23.15-grsec/arch/powerpc/kernel/vdso.c 2008-02-11 10:37:44.000000000 +0000
9010 +@@ -211,7 +211,7 @@ int arch_setup_additional_pages(struct l
9011 + vdso_base = VDSO32_MBASE;
9012 + #endif
9013 +
9014 +- current->mm->context.vdso_base = 0;
9015 ++ current->mm->context.vdso_base = ~0UL;
9016 +
9017 + /* vDSO has a problem and was disabled, just don't "enable" it for the
9018 + * process
9019 +@@ -228,7 +228,7 @@ int arch_setup_additional_pages(struct l
9020 + */
9021 + down_write(&mm->mmap_sem);
9022 + vdso_base = get_unmapped_area(NULL, vdso_base,
9023 +- vdso_pages << PAGE_SHIFT, 0, 0);
9024 ++ vdso_pages << PAGE_SHIFT, 0, MAP_PRIVATE | MAP_EXECUTABLE);
9025 + if (IS_ERR_VALUE(vdso_base)) {
9026 + rc = vdso_base;
9027 + goto fail_mmapsem;
9028 +diff -Nurp linux-2.6.23.15/arch/powerpc/mm/fault.c linux-2.6.23.15-grsec/arch/powerpc/mm/fault.c
9029 +--- linux-2.6.23.15/arch/powerpc/mm/fault.c 2007-10-09 21:31:38.000000000 +0100
9030 ++++ linux-2.6.23.15-grsec/arch/powerpc/mm/fault.c 2008-02-11 10:37:44.000000000 +0000
9031 +@@ -29,6 +29,12 @@
9032 + #include <linux/module.h>
9033 + #include <linux/kprobes.h>
9034 + #include <linux/kdebug.h>
9035 ++#include <linux/binfmts.h>
9036 ++#include <linux/slab.h>
9037 ++#include <linux/pagemap.h>
9038 ++#include <linux/compiler.h>
9039 ++#include <linux/binfmts.h>
9040 ++#include <linux/unistd.h>
9041 +
9042 + #include <asm/page.h>
9043 + #include <asm/pgtable.h>
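Review bot: `#include <linux/binfmts.h>` is added twice in this hunk (first and fifth added lines); the header guard makes it harmless, but the duplicate should be dropped — the equivalent include hunk in arch/ppc/mm/fault.c adds it once.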
9044 +@@ -62,6 +68,364 @@ static inline int notify_page_fault(stru
9045 + }
9046 + #endif
9047 +
9048 ++#ifdef CONFIG_PAX_EMUSIGRT
9049 ++void pax_syscall_close(struct vm_area_struct *vma)
9050 ++{
9051 ++ vma->vm_mm->call_syscall = 0UL;
9052 ++}
9053 ++
9054 ++static struct page *pax_syscall_nopage(struct vm_area_struct *vma, unsigned long address, int *type)
9055 ++{
9056 ++ struct page *page;
9057 ++ unsigned int *kaddr;
9058 ++
9059 ++ page = alloc_page(GFP_HIGHUSER);
9060 ++ if (!page)
9061 ++ return NOPAGE_OOM;
9062 ++
9063 ++ kaddr = kmap(page);
9064 ++ memset(kaddr, 0, PAGE_SIZE);
9065 ++ kaddr[0] = 0x44000002U; /* sc */
9066 ++ __flush_dcache_icache(kaddr);
9067 ++ kunmap(page);
9068 ++ if (type)
9069 ++ *type = VM_FAULT_MAJOR;
9070 ++ return page;
9071 ++}
9072 ++
9073 ++static struct vm_operations_struct pax_vm_ops = {
9074 ++ .close = pax_syscall_close,
9075 ++ .nopage = pax_syscall_nopage,
9076 ++};
9077 ++
9078 ++static int pax_insert_vma(struct vm_area_struct *vma, unsigned long addr)
9079 ++{
9080 ++ int ret;
9081 ++
9082 ++ memset(vma, 0, sizeof(*vma));
9083 ++ vma->vm_mm = current->mm;
9084 ++ vma->vm_start = addr;
9085 ++ vma->vm_end = addr + PAGE_SIZE;
9086 ++ vma->vm_flags = VM_READ | VM_EXEC | VM_MAYREAD | VM_MAYEXEC;
9087 ++ vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
9088 ++ vma->vm_ops = &pax_vm_ops;
9089 ++
9090 ++ ret = insert_vm_struct(current->mm, vma);
9091 ++ if (ret)
9092 ++ return ret;
9093 ++
9094 ++ ++current->mm->total_vm;
9095 ++ return 0;
9096 ++}
9097 ++#endif
9098 ++
9099 ++#ifdef CONFIG_PAX_PAGEEXEC
9100 ++/*
9101 ++ * PaX: decide what to do with offenders (regs->nip = fault address)
9102 ++ *
9103 ++ * returns 1 when task should be killed
9104 ++ * 2 when patched GOT trampoline was detected
9105 ++ * 3 when patched PLT trampoline was detected
9106 ++ * 4 when unpatched PLT trampoline was detected
9107 ++ * 5 when sigreturn trampoline was detected
9108 ++ * 6 when rt_sigreturn trampoline was detected
9109 ++ */
9110 ++static int pax_handle_fetch_fault(struct pt_regs *regs)
9111 ++{
9112 ++
9113 ++#if defined(CONFIG_PAX_EMUPLT) || defined(CONFIG_PAX_EMUSIGRT)
9114 ++ int err;
9115 ++#endif
9116 ++
9117 ++#ifdef CONFIG_PAX_EMUPLT
9118 ++ do { /* PaX: patched GOT emulation */
9119 ++ unsigned int blrl;
9120 ++
9121 ++ err = get_user(blrl, (unsigned int *)regs->nip);
9122 ++
9123 ++ if (!err && blrl == 0x4E800021U) {
9124 ++ unsigned long temp = regs->nip;
9125 ++
9126 ++ regs->nip = regs->link & 0xFFFFFFFCUL;
9127 ++ regs->link = temp + 4UL;
9128 ++ return 2;
9129 ++ }
9130 ++ } while (0);
9131 ++
9132 ++ do { /* PaX: patched PLT emulation #1 */
9133 ++ unsigned int b;
9134 ++
9135 ++ err = get_user(b, (unsigned int *)regs->nip);
9136 ++
9137 ++ if (!err && (b & 0xFC000003U) == 0x48000000U) {
9138 ++ regs->nip += (((b | 0xFC000000UL) ^ 0x02000000UL) + 0x02000000UL);
9139 ++ return 3;
9140 ++ }
9141 ++ } while (0);
9142 ++
9143 ++ do { /* PaX: unpatched PLT emulation #1 */
9144 ++ unsigned int li, b;
9145 ++
9146 ++ err = get_user(li, (unsigned int *)regs->nip);
9147 ++ err |= get_user(b, (unsigned int *)(regs->nip+4));
9148 ++
9149 ++ if (!err && (li & 0xFFFF0000U) == 0x39600000U && (b & 0xFC000003U) == 0x48000000U) {
9150 ++ unsigned int rlwinm, add, li2, addis2, mtctr, li3, addis3, bctr;
9151 ++ unsigned long addr = b | 0xFC000000UL;
9152 ++
9153 ++ addr = regs->nip + 4 + ((addr ^ 0x02000000UL) + 0x02000000UL);
9154 ++ err = get_user(rlwinm, (unsigned int *)addr);
9155 ++ err |= get_user(add, (unsigned int *)(addr+4));
9156 ++ err |= get_user(li2, (unsigned int *)(addr+8));
9157 ++ err |= get_user(addis2, (unsigned int *)(addr+12));
9158 ++ err |= get_user(mtctr, (unsigned int *)(addr+16));
9159 ++ err |= get_user(li3, (unsigned int *)(addr+20));
9160 ++ err |= get_user(addis3, (unsigned int *)(addr+24));
9161 ++ err |= get_user(bctr, (unsigned int *)(addr+28));
9162 ++
9163 ++ if (err)
9164 ++ break;
9165 ++
9166 ++ if (rlwinm == 0x556C083CU &&
9167 ++ add == 0x7D6C5A14U &&
9168 ++ (li2 & 0xFFFF0000U) == 0x39800000U &&
9169 ++ (addis2 & 0xFFFF0000U) == 0x3D8C0000U &&
9170 ++ mtctr == 0x7D8903A6U &&
9171 ++ (li3 & 0xFFFF0000U) == 0x39800000U &&
9172 ++ (addis3 & 0xFFFF0000U) == 0x3D8C0000U &&
9173 ++ bctr == 0x4E800420U)
9174 ++ {
9175 ++ regs->gpr[PT_R11] = 3 * (((li | 0xFFFF0000UL) ^ 0x00008000UL) + 0x00008000UL);
9176 ++ regs->gpr[PT_R12] = (((li3 | 0xFFFF0000UL) ^ 0x00008000UL) + 0x00008000UL);
9177 ++ regs->gpr[PT_R12] += (addis3 & 0xFFFFU) << 16;
9178 ++ regs->ctr = (((li2 | 0xFFFF0000UL) ^ 0x00008000UL) + 0x00008000UL);
9179 ++ regs->ctr += (addis2 & 0xFFFFU) << 16;
9180 ++ regs->nip = regs->ctr;
9181 ++ return 4;
9182 ++ }
9183 ++ }
9184 ++ } while (0);
9185 ++
9186 ++#if 0
9187 ++ do { /* PaX: unpatched PLT emulation #2 */
9188 ++ unsigned int lis, lwzu, b, bctr;
9189 ++
9190 ++ err = get_user(lis, (unsigned int *)regs->nip);
9191 ++ err |= get_user(lwzu, (unsigned int *)(regs->nip+4));
9192 ++ err |= get_user(b, (unsigned int *)(regs->nip+8));
9193 ++ err |= get_user(bctr, (unsigned int *)(regs->nip+12));
9194 ++
9195 ++ if (err)
9196 ++ break;
9197 ++
9198 ++ if ((lis & 0xFFFF0000U) == 0x39600000U &&
9199 ++ (lwzu & 0xU) == 0xU &&
9200 ++ (b & 0xFC000003U) == 0x48000000U &&
9201 ++ bctr == 0x4E800420U)
9202 ++ {
9203 ++ unsigned int addis, addi, rlwinm, add, li2, addis2, mtctr, li3, addis3, bctr;
9204 ++ unsigned long addr = b | 0xFC000000UL;
9205 ++
9206 ++ addr = regs->nip + 12 + ((addr ^ 0x02000000UL) + 0x02000000UL);
9207 ++ err = get_user(addis, (unsigned int*)addr);
9208 ++ err |= get_user(addi, (unsigned int*)(addr+4));
9209 ++ err |= get_user(rlwinm, (unsigned int*)(addr+8));
9210 ++ err |= get_user(add, (unsigned int*)(addr+12));
9211 ++ err |= get_user(li2, (unsigned int*)(addr+16));
9212 ++ err |= get_user(addis2, (unsigned int*)(addr+20));
9213 ++ err |= get_user(mtctr, (unsigned int*)(addr+24));
9214 ++ err |= get_user(li3, (unsigned int*)(addr+28));
9215 ++ err |= get_user(addis3, (unsigned int*)(addr+32));
9216 ++ err |= get_user(bctr, (unsigned int*)(addr+36));
9217 ++
9218 ++ if (err)
9219 ++ break;
9220 ++
9221 ++ if ((addis & 0xFFFF0000U) == 0x3D6B0000U &&
9222 ++ (addi & 0xFFFF0000U) == 0x396B0000U &&
9223 ++ rlwinm == 0x556C083CU &&
9224 ++ add == 0x7D6C5A14U &&
9225 ++ (li2 & 0xFFFF0000U) == 0x39800000U &&
9226 ++ (addis2 & 0xFFFF0000U) == 0x3D8C0000U &&
9227 ++ mtctr == 0x7D8903A6U &&
9228 ++ (li3 & 0xFFFF0000U) == 0x39800000U &&
9229 ++ (addis3 & 0xFFFF0000U) == 0x3D8C0000U &&
9230 ++ bctr == 0x4E800420U)
9231 ++ {
9232 ++ regs->gpr[PT_R11] =
9233 ++ regs->gpr[PT_R11] = 3 * (((li | 0xFFFF0000UL) ^ 0x00008000UL) + 0x00008000UL);
9234 ++ regs->gpr[PT_R12] = (((li3 | 0xFFFF0000UL) ^ 0x00008000UL) + 0x00008000UL);
9235 ++ regs->gpr[PT_R12] += (addis3 & 0xFFFFU) << 16;
9236 ++ regs->ctr = (((li2 | 0xFFFF0000UL) ^ 0x00008000UL) + 0x00008000UL);
9237 ++ regs->ctr += (addis2 & 0xFFFFU) << 16;
9238 ++ regs->nip = regs->ctr;
9239 ++ return 4;
9240 ++ }
9241 ++ }
9242 ++ } while (0);
9243 ++#endif
9244 ++
9245 ++ do { /* PaX: unpatched PLT emulation #3 */
9246 ++ unsigned int li, b;
9247 ++
9248 ++ err = get_user(li, (unsigned int *)regs->nip);
9249 ++ err |= get_user(b, (unsigned int *)(regs->nip+4));
9250 ++
9251 ++ if (!err && (li & 0xFFFF0000U) == 0x39600000U && (b & 0xFC000003U) == 0x48000000U) {
9252 ++ unsigned int addis, lwz, mtctr, bctr;
9253 ++ unsigned long addr = b | 0xFC000000UL;
9254 ++
9255 ++ addr = regs->nip + 4 + ((addr ^ 0x02000000UL) + 0x02000000UL);
9256 ++ err = get_user(addis, (unsigned int *)addr);
9257 ++ err |= get_user(lwz, (unsigned int *)(addr+4));
9258 ++ err |= get_user(mtctr, (unsigned int *)(addr+8));
9259 ++ err |= get_user(bctr, (unsigned int *)(addr+12));
9260 ++
9261 ++ if (err)
9262 ++ break;
9263 ++
9264 ++ if ((addis & 0xFFFF0000U) == 0x3D6B0000U &&
9265 ++ (lwz & 0xFFFF0000U) == 0x816B0000U &&
9266 ++ mtctr == 0x7D6903A6U &&
9267 ++ bctr == 0x4E800420U)
9268 ++ {
9269 ++ unsigned int r11;
9270 ++
9271 ++ addr = (addis << 16) + (((li | 0xFFFF0000UL) ^ 0x00008000UL) + 0x00008000UL);
9272 ++ addr += (((lwz | 0xFFFF0000UL) ^ 0x00008000UL) + 0x00008000UL);
9273 ++
9274 ++ err = get_user(r11, (unsigned int *)addr);
9275 ++ if (err)
9276 ++ break;
9277 ++
9278 ++ regs->gpr[PT_R11] = r11;
9279 ++ regs->ctr = r11;
9280 ++ regs->nip = r11;
9281 ++ return 4;
9282 ++ }
9283 ++ }
9284 ++ } while (0);
9285 ++#endif
9286 ++
9287 ++#ifdef CONFIG_PAX_EMUSIGRT
9288 ++ do { /* PaX: sigreturn emulation */
9289 ++ unsigned int li, sc;
9290 ++
9291 ++ err = get_user(li, (unsigned int *)regs->nip);
9292 ++ err |= get_user(sc, (unsigned int *)(regs->nip+4));
9293 ++
9294 ++ if (!err && li == 0x38000000U + __NR_sigreturn && sc == 0x44000002U) {
9295 ++ struct vm_area_struct *vma;
9296 ++ unsigned long call_syscall;
9297 ++
9298 ++ down_read(&current->mm->mmap_sem);
9299 ++ call_syscall = current->mm->call_syscall;
9300 ++ up_read(&current->mm->mmap_sem);
9301 ++ if (likely(call_syscall))
9302 ++ goto emulate;
9303 ++
9304 ++ vma = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
9305 ++
9306 ++ down_write(&current->mm->mmap_sem);
9307 ++ if (current->mm->call_syscall) {
9308 ++ call_syscall = current->mm->call_syscall;
9309 ++ up_write(&current->mm->mmap_sem);
9310 ++ if (vma) kmem_cache_free(vm_area_cachep, vma);
9311 ++ goto emulate;
9312 ++ }
9313 ++
9314 ++ call_syscall = get_unmapped_area(NULL, 0UL, PAGE_SIZE, 0UL, MAP_PRIVATE);
9315 ++ if (!vma || (call_syscall & ~PAGE_MASK)) {
9316 ++ up_write(&current->mm->mmap_sem);
9317 ++ if (vma) kmem_cache_free(vm_area_cachep, vma);
9318 ++ return 1;
9319 ++ }
9320 ++
9321 ++ if (pax_insert_vma(vma, call_syscall)) {
9322 ++ up_write(&current->mm->mmap_sem);
9323 ++ kmem_cache_free(vm_area_cachep, vma);
9324 ++ return 1;
9325 ++ }
9326 ++
9327 ++ current->mm->call_syscall = call_syscall;
9328 ++ up_write(&current->mm->mmap_sem);
9329 ++
9330 ++emulate:
9331 ++ regs->gpr[PT_R0] = __NR_sigreturn;
9332 ++ regs->nip = call_syscall;
9333 ++ return 5;
9334 ++ }
9335 ++ } while (0);
9336 ++
9337 ++ do { /* PaX: rt_sigreturn emulation */
9338 ++ unsigned int li, sc;
9339 ++
9340 ++ err = get_user(li, (unsigned int *)regs->nip);
9341 ++ err |= get_user(sc, (unsigned int *)(regs->nip+4));
9342 ++
9343 ++ if (!err && li == 0x38000000U + __NR_rt_sigreturn && sc == 0x44000002U) {
9344 ++ struct vm_area_struct *vma;
9345 ++ unsigned int call_syscall;
9346 ++
9347 ++ down_read(&current->mm->mmap_sem);
9348 ++ call_syscall = current->mm->call_syscall;
9349 ++ up_read(&current->mm->mmap_sem);
9350 ++ if (likely(call_syscall))
9351 ++ goto rt_emulate;
9352 ++
9353 ++ vma = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
9354 ++
9355 ++ down_write(&current->mm->mmap_sem);
9356 ++ if (current->mm->call_syscall) {
9357 ++ call_syscall = current->mm->call_syscall;
9358 ++ up_write(&current->mm->mmap_sem);
9359 ++ if (vma) kmem_cache_free(vm_area_cachep, vma);
9360 ++ goto rt_emulate;
9361 ++ }
9362 ++
9363 ++ call_syscall = get_unmapped_area(NULL, 0UL, PAGE_SIZE, 0UL, MAP_PRIVATE);
9364 ++ if (!vma || (call_syscall & ~PAGE_MASK)) {
9365 ++ up_write(&current->mm->mmap_sem);
9366 ++ if (vma) kmem_cache_free(vm_area_cachep, vma);
9367 ++ return 1;
9368 ++ }
9369 ++
9370 ++ if (pax_insert_vma(vma, call_syscall)) {
9371 ++ up_write(&current->mm->mmap_sem);
9372 ++ kmem_cache_free(vm_area_cachep, vma);
9373 ++ return 1;
9374 ++ }
9375 ++
9376 ++ current->mm->call_syscall = call_syscall;
9377 ++ up_write(&current->mm->mmap_sem);
9378 ++
9379 ++rt_emulate:
9380 ++ regs->gpr[PT_R0] = __NR_rt_sigreturn;
9381 ++ regs->nip = call_syscall;
9382 ++ return 6;
9383 ++ }
9384 ++ } while (0);
9385 ++#endif
9386 ++
9387 ++ return 1;
9388 ++}
9389 ++
9390 ++void pax_report_insns(void *pc, void *sp)
9391 ++{
9392 ++ unsigned long i;
9393 ++
9394 ++ printk(KERN_ERR "PAX: bytes at PC: ");
9395 ++ for (i = 0; i < 5; i++) {
9396 ++ unsigned int c;
9397 ++ if (get_user(c, (unsigned int *)pc+i))
9398 ++ printk("???????? ");
9399 ++ else
9400 ++ printk("%08x ", c);
9401 ++ }
9402 ++ printk("\n");
9403 ++}
9404 ++#endif
9405 ++
9406 + /*
9407 + * Check whether the instruction at regs->nip is a store using
9408 + * an update addressing form which will update r1.
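Review bot: In the rt_sigreturn emulation block, `unsigned int call_syscall;` receives a value from `current->mm->call_syscall`, which the rest of this hunk treats as `unsigned long` (`0UL` in pax_syscall_close, `unsigned long call_syscall` in the sigreturn block directly above); on a 64-bit powerpc build the address returned by get_unmapped_area is truncated before the `& ~PAGE_MASK` test and before it is stored into `regs->nip`. Change it to `unsigned long call_syscall;`. The arch/ppc/mm/fault.c copy of pax_handle_fetch_fault carries the same mismatch, harmless there only because int and long have the same width on ppc32. Separately, the `#if 0` "unpatched PLT emulation #2" block contains a malformed literal (`0xU`) and a doubled `regs->gpr[PT_R11] =` assignment, so it cannot be enabled as written; finish it or remove it rather than carrying dead, uncompilable code in both files.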
9409 +@@ -157,7 +521,7 @@ int __kprobes do_page_fault(struct pt_re
9410 + * indicate errors in DSISR but can validly be set in SRR1.
9411 + */
9412 + if (trap == 0x400)
9413 +- error_code &= 0x48200000;
9414 ++ error_code &= 0x58200000;
9415 + else
9416 + is_write = error_code & DSISR_ISSTORE;
9417 + #else
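Review bot: The ISI error-code mask grows from 0x48200000 to 0x58200000 with nothing saying which SRR1 bit was added; the new bit, 0x10000000, appears to be the no-execute/guarded-page fetch indication that the PAGEEXEC handling later in this file depends on, and a reader cannot recover that from a bare constant. Add a comment on the changed line, e.g. `/* keep 0x10000000 too: fetch from a no-execute (guarded) page, used by PAGEEXEC */`, or better a named mask, and apply the same to the identical change in arch/ppc/mm/fault.c.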
9418 +@@ -357,6 +721,37 @@ bad_area:
9419 + bad_area_nosemaphore:
9420 + /* User mode accesses cause a SIGSEGV */
9421 + if (user_mode(regs)) {
9422 ++
9423 ++#ifdef CONFIG_PAX_PAGEEXEC
9424 ++ if (mm->pax_flags & MF_PAX_PAGEEXEC) {
9425 ++#ifdef CONFIG_PPC64
9426 ++ if (is_exec && (error_code & DSISR_PROTFAULT)) {
9427 ++#else
9428 ++ if (is_exec && regs->nip == address) {
9429 ++#endif
9430 ++ switch (pax_handle_fetch_fault(regs)) {
9431 ++
9432 ++#ifdef CONFIG_PAX_EMUPLT
9433 ++ case 2:
9434 ++ case 3:
9435 ++ case 4:
9436 ++ return 0;
9437 ++#endif
9438 ++
9439 ++#ifdef CONFIG_PAX_EMUSIGRT
9440 ++ case 5:
9441 ++ case 6:
9442 ++ return 0;
9443 ++#endif
9444 ++
9445 ++ }
9446 ++
9447 ++ pax_report_fault(regs, (void*)regs->nip, (void*)regs->gpr[PT_R1]);
9448 ++ do_exit(SIGKILL);
9449 ++ }
9450 ++ }
9451 ++#endif
9452 ++
9453 + _exception(SIGSEGV, regs, code, address);
9454 + return 0;
9455 + }
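Review bot: The `switch` on pax_handle_fetch_fault() has no `default:` case, so return value 1 — and values 2–6 when the corresponding CONFIG option is off — falls out of the switch silently into the report-and-kill path; the behaviour is right, but it is only implied. Add `default: break; /* 1, or an emulation that is compiled out: report and kill below */` so the fallthrough reads as deliberate; the copy of this block in arch/ppc/mm/fault.c has the same shape. The two copies also spell the stack pointer differently (`regs->gpr[PT_R1]` here, `regs->gpr[1]` in arch/ppc) — the same register, but one spelling is easier to grep.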
9456 +diff -Nurp linux-2.6.23.15/arch/powerpc/mm/mmap.c linux-2.6.23.15-grsec/arch/powerpc/mm/mmap.c
9457 +--- linux-2.6.23.15/arch/powerpc/mm/mmap.c 2007-10-09 21:31:38.000000000 +0100
9458 ++++ linux-2.6.23.15-grsec/arch/powerpc/mm/mmap.c 2008-02-11 10:37:44.000000000 +0000
9459 +@@ -75,10 +75,22 @@ void arch_pick_mmap_layout(struct mm_str
9460 + */
9461 + if (mmap_is_legacy()) {
9462 + mm->mmap_base = TASK_UNMAPPED_BASE;
9463 ++
9464 ++#ifdef CONFIG_PAX_RANDMMAP
9465 ++ if (mm->pax_flags & MF_PAX_RANDMMAP)
9466 ++ mm->mmap_base += mm->delta_mmap;
9467 ++#endif
9468 ++
9469 + mm->get_unmapped_area = arch_get_unmapped_area;
9470 + mm->unmap_area = arch_unmap_area;
9471 + } else {
9472 + mm->mmap_base = mmap_base();
9473 ++
9474 ++#ifdef CONFIG_PAX_RANDMMAP
9475 ++ if (mm->pax_flags & MF_PAX_RANDMMAP)
9476 ++ mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
9477 ++#endif
9478 ++
9479 + mm->get_unmapped_area = arch_get_unmapped_area_topdown;
9480 + mm->unmap_area = arch_unmap_area_topdown;
9481 + }
9482 +diff -Nurp linux-2.6.23.15/arch/ppc/mm/fault.c linux-2.6.23.15-grsec/arch/ppc/mm/fault.c
9483 +--- linux-2.6.23.15/arch/ppc/mm/fault.c 2007-10-09 21:31:38.000000000 +0100
9484 ++++ linux-2.6.23.15-grsec/arch/ppc/mm/fault.c 2008-02-11 10:37:44.000000000 +0000
9485 +@@ -25,6 +25,11 @@
9486 + #include <linux/interrupt.h>
9487 + #include <linux/highmem.h>
9488 + #include <linux/module.h>
9489 ++#include <linux/slab.h>
9490 ++#include <linux/pagemap.h>
9491 ++#include <linux/compiler.h>
9492 ++#include <linux/binfmts.h>
9493 ++#include <linux/unistd.h>
9494 +
9495 + #include <asm/page.h>
9496 + #include <asm/pgtable.h>
9497 +@@ -48,6 +53,364 @@ unsigned long pte_misses; /* updated by
9498 + unsigned long pte_errors; /* updated by do_page_fault() */
9499 + unsigned int probingmem;
9500 +
9501 ++#ifdef CONFIG_PAX_EMUSIGRT
9502 ++void pax_syscall_close(struct vm_area_struct *vma)
9503 ++{
9504 ++ vma->vm_mm->call_syscall = 0UL;
9505 ++}
9506 ++
9507 ++static struct page *pax_syscall_nopage(struct vm_area_struct *vma, unsigned long address, int *type)
9508 ++{
9509 ++ struct page *page;
9510 ++ unsigned int *kaddr;
9511 ++
9512 ++ page = alloc_page(GFP_HIGHUSER);
9513 ++ if (!page)
9514 ++ return NOPAGE_OOM;
9515 ++
9516 ++ kaddr = kmap(page);
9517 ++ memset(kaddr, 0, PAGE_SIZE);
9518 ++ kaddr[0] = 0x44000002U; /* sc */
9519 ++ __flush_dcache_icache(kaddr);
9520 ++ kunmap(page);
9521 ++ if (type)
9522 ++ *type = VM_FAULT_MAJOR;
9523 ++ return page;
9524 ++}
9525 ++
9526 ++static struct vm_operations_struct pax_vm_ops = {
9527 ++ .close = pax_syscall_close,
9528 ++ .nopage = pax_syscall_nopage,
9529 ++};
9530 ++
9531 ++static int pax_insert_vma(struct vm_area_struct *vma, unsigned long addr)
9532 ++{
9533 ++ int ret;
9534 ++
9535 ++ memset(vma, 0, sizeof(*vma));
9536 ++ vma->vm_mm = current->mm;
9537 ++ vma->vm_start = addr;
9538 ++ vma->vm_end = addr + PAGE_SIZE;
9539 ++ vma->vm_flags = VM_READ | VM_EXEC | VM_MAYREAD | VM_MAYEXEC;
9540 ++ vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
9541 ++ vma->vm_ops = &pax_vm_ops;
9542 ++
9543 ++ ret = insert_vm_struct(current->mm, vma);
9544 ++ if (ret)
9545 ++ return ret;
9546 ++
9547 ++ ++current->mm->total_vm;
9548 ++ return 0;
9549 ++}
9550 ++#endif
9551 ++
9552 ++#ifdef CONFIG_PAX_PAGEEXEC
9553 ++/*
9554 ++ * PaX: decide what to do with offenders (regs->nip = fault address)
9555 ++ *
9556 ++ * returns 1 when task should be killed
9557 ++ * 2 when patched GOT trampoline was detected
9558 ++ * 3 when patched PLT trampoline was detected
9559 ++ * 4 when unpatched PLT trampoline was detected
9560 ++ * 5 when sigreturn trampoline was detected
9561 ++ * 6 when rt_sigreturn trampoline was detected
9562 ++ */
9563 ++static int pax_handle_fetch_fault(struct pt_regs *regs)
9564 ++{
9565 ++
9566 ++#if defined(CONFIG_PAX_EMUPLT) || defined(CONFIG_PAX_EMUSIGRT)
9567 ++ int err;
9568 ++#endif
9569 ++
9570 ++#ifdef CONFIG_PAX_EMUPLT
9571 ++ do { /* PaX: patched GOT emulation */
9572 ++ unsigned int blrl;
9573 ++
9574 ++ err = get_user(blrl, (unsigned int *)regs->nip);
9575 ++
9576 ++ if (!err && blrl == 0x4E800021U) {
9577 ++ unsigned long temp = regs->nip;
9578 ++
9579 ++ regs->nip = regs->link & 0xFFFFFFFCUL;
9580 ++ regs->link = temp + 4UL;
9581 ++ return 2;
9582 ++ }
9583 ++ } while (0);
9584 ++
9585 ++ do { /* PaX: patched PLT emulation #1 */
9586 ++ unsigned int b;
9587 ++
9588 ++ err = get_user(b, (unsigned int *)regs->nip);
9589 ++
9590 ++ if (!err && (b & 0xFC000003U) == 0x48000000U) {
9591 ++ regs->nip += (((b | 0xFC000000UL) ^ 0x02000000UL) + 0x02000000UL);
9592 ++ return 3;
9593 ++ }
9594 ++ } while (0);
9595 ++
9596 ++ do { /* PaX: unpatched PLT emulation #1 */
9597 ++ unsigned int li, b;
9598 ++
9599 ++ err = get_user(li, (unsigned int *)regs->nip);
9600 ++ err |= get_user(b, (unsigned int *)(regs->nip+4));
9601 ++
9602 ++ if (!err && (li & 0xFFFF0000U) == 0x39600000U && (b & 0xFC000003U) == 0x48000000U) {
9603 ++ unsigned int rlwinm, add, li2, addis2, mtctr, li3, addis3, bctr;
9604 ++ unsigned long addr = b | 0xFC000000UL;
9605 ++
9606 ++ addr = regs->nip + 4 + ((addr ^ 0x02000000UL) + 0x02000000UL);
9607 ++ err = get_user(rlwinm, (unsigned int *)addr);
9608 ++ err |= get_user(add, (unsigned int *)(addr+4));
9609 ++ err |= get_user(li2, (unsigned int *)(addr+8));
9610 ++ err |= get_user(addis2, (unsigned int *)(addr+12));
9611 ++ err |= get_user(mtctr, (unsigned int *)(addr+16));
9612 ++ err |= get_user(li3, (unsigned int *)(addr+20));
9613 ++ err |= get_user(addis3, (unsigned int *)(addr+24));
9614 ++ err |= get_user(bctr, (unsigned int *)(addr+28));
9615 ++
9616 ++ if (err)
9617 ++ break;
9618 ++
9619 ++ if (rlwinm == 0x556C083CU &&
9620 ++ add == 0x7D6C5A14U &&
9621 ++ (li2 & 0xFFFF0000U) == 0x39800000U &&
9622 ++ (addis2 & 0xFFFF0000U) == 0x3D8C0000U &&
9623 ++ mtctr == 0x7D8903A6U &&
9624 ++ (li3 & 0xFFFF0000U) == 0x39800000U &&
9625 ++ (addis3 & 0xFFFF0000U) == 0x3D8C0000U &&
9626 ++ bctr == 0x4E800420U)
9627 ++ {
9628 ++ regs->gpr[PT_R11] = 3 * (((li | 0xFFFF0000UL) ^ 0x00008000UL) + 0x00008000UL);
9629 ++ regs->gpr[PT_R12] = (((li3 | 0xFFFF0000UL) ^ 0x00008000UL) + 0x00008000UL);
9630 ++ regs->gpr[PT_R12] += (addis3 & 0xFFFFU) << 16;
9631 ++ regs->ctr = (((li2 | 0xFFFF0000UL) ^ 0x00008000UL) + 0x00008000UL);
9632 ++ regs->ctr += (addis2 & 0xFFFFU) << 16;
9633 ++ regs->nip = regs->ctr;
9634 ++ return 4;
9635 ++ }
9636 ++ }
9637 ++ } while (0);
9638 ++
9639 ++#if 0
9640 ++ do { /* PaX: unpatched PLT emulation #2 */
9641 ++ unsigned int lis, lwzu, b, bctr;
9642 ++
9643 ++ err = get_user(lis, (unsigned int *)regs->nip);
9644 ++ err |= get_user(lwzu, (unsigned int *)(regs->nip+4));
9645 ++ err |= get_user(b, (unsigned int *)(regs->nip+8));
9646 ++ err |= get_user(bctr, (unsigned int *)(regs->nip+12));
9647 ++
9648 ++ if (err)
9649 ++ break;
9650 ++
9651 ++ if ((lis & 0xFFFF0000U) == 0x39600000U &&
9652 ++ (lwzu & 0xU) == 0xU &&
9653 ++ (b & 0xFC000003U) == 0x48000000U &&
9654 ++ bctr == 0x4E800420U)
9655 ++ {
9656 ++ unsigned int addis, addi, rlwinm, add, li2, addis2, mtctr, li3, addis3, bctr;
9657 ++ unsigned long addr = b | 0xFC000000UL;
9658 ++
9659 ++ addr = regs->nip + 12 + ((addr ^ 0x02000000UL) + 0x02000000UL);
9660 ++ err = get_user(addis, (unsigned int*)addr);
9661 ++ err |= get_user(addi, (unsigned int*)(addr+4));
9662 ++ err |= get_user(rlwinm, (unsigned int*)(addr+8));
9663 ++ err |= get_user(add, (unsigned int*)(addr+12));
9664 ++ err |= get_user(li2, (unsigned int*)(addr+16));
9665 ++ err |= get_user(addis2, (unsigned int*)(addr+20));
9666 ++ err |= get_user(mtctr, (unsigned int*)(addr+24));
9667 ++ err |= get_user(li3, (unsigned int*)(addr+28));
9668 ++ err |= get_user(addis3, (unsigned int*)(addr+32));
9669 ++ err |= get_user(bctr, (unsigned int*)(addr+36));
9670 ++
9671 ++ if (err)
9672 ++ break;
9673 ++
9674 ++ if ((addis & 0xFFFF0000U) == 0x3D6B0000U &&
9675 ++ (addi & 0xFFFF0000U) == 0x396B0000U &&
9676 ++ rlwinm == 0x556C083CU &&
9677 ++ add == 0x7D6C5A14U &&
9678 ++ (li2 & 0xFFFF0000U) == 0x39800000U &&
9679 ++ (addis2 & 0xFFFF0000U) == 0x3D8C0000U &&
9680 ++ mtctr == 0x7D8903A6U &&
9681 ++ (li3 & 0xFFFF0000U) == 0x39800000U &&
9682 ++ (addis3 & 0xFFFF0000U) == 0x3D8C0000U &&
9683 ++ bctr == 0x4E800420U)
9684 ++ {
9685 ++ regs->gpr[PT_R11] =
9686 ++ regs->gpr[PT_R11] = 3 * (((li | 0xFFFF0000UL) ^ 0x00008000UL) + 0x00008000UL);
9687 ++ regs->gpr[PT_R12] = (((li3 | 0xFFFF0000UL) ^ 0x00008000UL) + 0x00008000UL);
9688 ++ regs->gpr[PT_R12] += (addis3 & 0xFFFFU) << 16;
9689 ++ regs->ctr = (((li2 | 0xFFFF0000UL) ^ 0x00008000UL) + 0x00008000UL);
9690 ++ regs->ctr += (addis2 & 0xFFFFU) << 16;
9691 ++ regs->nip = regs->ctr;
9692 ++ return 4;
9693 ++ }
9694 ++ }
9695 ++ } while (0);
9696 ++#endif
9697 ++
9698 ++ do { /* PaX: unpatched PLT emulation #3 */
9699 ++ unsigned int li, b;
9700 ++
9701 ++ err = get_user(li, (unsigned int *)regs->nip);
9702 ++ err |= get_user(b, (unsigned int *)(regs->nip+4));
9703 ++
9704 ++ if (!err && (li & 0xFFFF0000U) == 0x39600000U && (b & 0xFC000003U) == 0x48000000U) {
9705 ++ unsigned int addis, lwz, mtctr, bctr;
9706 ++ unsigned long addr = b | 0xFC000000UL;
9707 ++
9708 ++ addr = regs->nip + 4 + ((addr ^ 0x02000000UL) + 0x02000000UL);
9709 ++ err = get_user(addis, (unsigned int *)addr);
9710 ++ err |= get_user(lwz, (unsigned int *)(addr+4));
9711 ++ err |= get_user(mtctr, (unsigned int *)(addr+8));
9712 ++ err |= get_user(bctr, (unsigned int *)(addr+12));
9713 ++
9714 ++ if (err)
9715 ++ break;
9716 ++
9717 ++ if ((addis & 0xFFFF0000U) == 0x3D6B0000U &&
9718 ++ (lwz & 0xFFFF0000U) == 0x816B0000U &&
9719 ++ mtctr == 0x7D6903A6U &&
9720 ++ bctr == 0x4E800420U)
9721 ++ {
9722 ++ unsigned int r11;
9723 ++
9724 ++ addr = (addis << 16) + (((li | 0xFFFF0000UL) ^ 0x00008000UL) + 0x00008000UL);
9725 ++ addr += (((lwz | 0xFFFF0000UL) ^ 0x00008000UL) + 0x00008000UL);
9726 ++
9727 ++ err = get_user(r11, (unsigned int *)addr);
9728 ++ if (err)
9729 ++ break;
9730 ++
9731 ++ regs->gpr[PT_R11] = r11;
9732 ++ regs->ctr = r11;
9733 ++ regs->nip = r11;
9734 ++ return 4;
9735 ++ }
9736 ++ }
9737 ++ } while (0);
9738 ++#endif
9739 ++
9740 ++#ifdef CONFIG_PAX_EMUSIGRT
9741 ++ do { /* PaX: sigreturn emulation */
9742 ++ unsigned int li, sc;
9743 ++
9744 ++ err = get_user(li, (unsigned int *)regs->nip);
9745 ++ err |= get_user(sc, (unsigned int *)(regs->nip+4));
9746 ++
9747 ++ if (!err && li == 0x38000000U + __NR_sigreturn && sc == 0x44000002U) {
9748 ++ struct vm_area_struct *vma;
9749 ++ unsigned long call_syscall;
9750 ++
9751 ++ down_read(&current->mm->mmap_sem);
9752 ++ call_syscall = current->mm->call_syscall;
9753 ++ up_read(&current->mm->mmap_sem);
9754 ++ if (likely(call_syscall))
9755 ++ goto emulate;
9756 ++
9757 ++ vma = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
9758 ++
9759 ++ down_write(&current->mm->mmap_sem);
9760 ++ if (current->mm->call_syscall) {
9761 ++ call_syscall = current->mm->call_syscall;
9762 ++ up_write(&current->mm->mmap_sem);
9763 ++ if (vma) kmem_cache_free(vm_area_cachep, vma);
9764 ++ goto emulate;
9765 ++ }
9766 ++
9767 ++ call_syscall = get_unmapped_area(NULL, 0UL, PAGE_SIZE, 0UL, MAP_PRIVATE);
9768 ++ if (!vma || (call_syscall & ~PAGE_MASK)) {
9769 ++ up_write(&current->mm->mmap_sem);
9770 ++ if (vma) kmem_cache_free(vm_area_cachep, vma);
9771 ++ return 1;
9772 ++ }
9773 ++
9774 ++ if (pax_insert_vma(vma, call_syscall)) {
9775 ++ up_write(&current->mm->mmap_sem);
9776 ++ kmem_cache_free(vm_area_cachep, vma);
9777 ++ return 1;
9778 ++ }
9779 ++
9780 ++ current->mm->call_syscall = call_syscall;
9781 ++ up_write(&current->mm->mmap_sem);
9782 ++
9783 ++emulate:
9784 ++ regs->gpr[PT_R0] = __NR_sigreturn;
9785 ++ regs->nip = call_syscall;
9786 ++ return 5;
9787 ++ }
9788 ++ } while (0);
9789 ++
9790 ++ do { /* PaX: rt_sigreturn emulation */
9791 ++ unsigned int li, sc;
9792 ++
9793 ++ err = get_user(li, (unsigned int *)regs->nip);
9794 ++ err |= get_user(sc, (unsigned int *)(regs->nip+4));
9795 ++
9796 ++ if (!err && li == 0x38000000U + __NR_rt_sigreturn && sc == 0x44000002U) {
9797 ++ struct vm_area_struct *vma;
9798 ++ unsigned int call_syscall;
9799 ++
9800 ++ down_read(&current->mm->mmap_sem);
9801 ++ call_syscall = current->mm->call_syscall;
9802 ++ up_read(&current->mm->mmap_sem);
9803 ++ if (likely(call_syscall))
9804 ++ goto rt_emulate;
9805 ++
9806 ++ vma = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
9807 ++
9808 ++ down_write(&current->mm->mmap_sem);
9809 ++ if (current->mm->call_syscall) {
9810 ++ call_syscall = current->mm->call_syscall;
9811 ++ up_write(&current->mm->mmap_sem);
9812 ++ if (vma) kmem_cache_free(vm_area_cachep, vma);
9813 ++ goto rt_emulate;
9814 ++ }
9815 ++
9816 ++ call_syscall = get_unmapped_area(NULL, 0UL, PAGE_SIZE, 0UL, MAP_PRIVATE);
9817 ++ if (!vma || (call_syscall & ~PAGE_MASK)) {
9818 ++ up_write(&current->mm->mmap_sem);
9819 ++ if (vma) kmem_cache_free(vm_area_cachep, vma);
9820 ++ return 1;
9821 ++ }
9822 ++
9823 ++ if (pax_insert_vma(vma, call_syscall)) {
9824 ++ up_write(&current->mm->mmap_sem);
9825 ++ kmem_cache_free(vm_area_cachep, vma);
9826 ++ return 1;
9827 ++ }
9828 ++
9829 ++ current->mm->call_syscall = call_syscall;
9830 ++ up_write(&current->mm->mmap_sem);
9831 ++
9832 ++rt_emulate:
9833 ++ regs->gpr[PT_R0] = __NR_rt_sigreturn;
9834 ++ regs->nip = call_syscall;
9835 ++ return 6;
9836 ++ }
9837 ++ } while (0);
9838 ++#endif
9839 ++
9840 ++ return 1;
9841 ++}
9842 ++
9843 ++void pax_report_insns(void *pc, void *sp)
9844 ++{
9845 ++ unsigned long i;
9846 ++
9847 ++ printk(KERN_ERR "PAX: bytes at PC: ");
9848 ++ for (i = 0; i < 5; i++) {
9849 ++ unsigned int c;
9850 ++ if (get_user(c, (unsigned int *)pc+i))
9851 ++ printk("???????? ");
9852 ++ else
9853 ++ printk("%08x ", c);
9854 ++ }
9855 ++ printk("\n");
9856 ++}
9857 ++#endif
9858 ++
9859 + /*
9860 + * Check whether the instruction at regs->nip is a store using
9861 + * an update addressing form which will update r1.
9862 +@@ -109,7 +472,7 @@ int do_page_fault(struct pt_regs *regs,
9863 + * indicate errors in DSISR but can validly be set in SRR1.
9864 + */
9865 + if (TRAP(regs) == 0x400)
9866 +- error_code &= 0x48200000;
9867 ++ error_code &= 0x58200000;
9868 + else
9869 + is_write = error_code & 0x02000000;
9870 + #endif /* CONFIG_4xx || CONFIG_BOOKE */
9871 +@@ -204,15 +567,14 @@ good_area:
9872 + pte_t *ptep;
9873 + pmd_t *pmdp;
9874 +
9875 +-#if 0
9876 ++#if 1
9877 + /* It would be nice to actually enforce the VM execute
9878 + permission on CPUs which can do so, but far too
9879 + much stuff in userspace doesn't get the permissions
9880 + right, so we let any page be executed for now. */
9881 + if (! (vma->vm_flags & VM_EXEC))
9882 + goto bad_area;
9883 +-#endif
9884 +-
9885 ++#else
9886 + /* Since 4xx/Book-E supports per-page execute permission,
9887 + * we lazily flush dcache to icache. */
9888 + ptep = NULL;
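Review bot: Turning the `#if 0` into `#if 1` enforces VM_EXEC for every 4xx/Book-E process regardless of CONFIG_PAX_PAGEEXEC or `mm->pax_flags`, unlike the PAGEEXEC hook added to bad_area in the same file, which is gated on both, so binaries that relied on the previous leniency now fault on all such kernels. If per-task opt-in is the intent, gate it the same way: `if ((mm->pax_flags & MF_PAX_PAGEEXEC) && !(vma->vm_flags & VM_EXEC)) goto bad_area;` under `#ifdef CONFIG_PAX_PAGEEXEC`. The comment left above the check ("so we let any page be executed for now") now says the opposite of what the code does and should be rewritten, e.g. `/* 4xx/Book-E have per-page execute permission: enforce VM_EXEC. */`. With the lazy dcache-to-icache flush moved into a dead `#else` branch, `ptep` and `pmdp` at the top of the hunk become unused and will warn, and the flush itself is gone for these CPUs — confirm another path (set_pte/update_mmu_cache) keeps the icache coherent on first execution of a freshly written page.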
9889 +@@ -235,6 +597,7 @@ good_area:
9890 + pte_unmap_unlock(ptep, ptl);
9891 + }
9892 + #endif
9893 ++#endif
9894 + /* a read */
9895 + } else {
9896 + /* protection fault */
9897 +@@ -278,6 +641,33 @@ bad_area:
9898 +
9899 + /* User mode accesses cause a SIGSEGV */
9900 + if (user_mode(regs)) {
9901 ++
9902 ++#ifdef CONFIG_PAX_PAGEEXEC
9903 ++ if (mm->pax_flags & MF_PAX_PAGEEXEC) {
9904 ++ if ((TRAP(regs) == 0x400) && (regs->nip == address)) {
9905 ++ switch (pax_handle_fetch_fault(regs)) {
9906 ++
9907 ++#ifdef CONFIG_PAX_EMUPLT
9908 ++ case 2:
9909 ++ case 3:
9910 ++ case 4:
9911 ++ return 0;
9912 ++#endif
9913 ++
9914 ++#ifdef CONFIG_PAX_EMUSIGRT
9915 ++ case 5:
9916 ++ case 6:
9917 ++ return 0;
9918 ++#endif
9919 ++
9920 ++ }
9921 ++
9922 ++ pax_report_fault(regs, (void *)regs->nip, (void *)regs->gpr[1]);
9923 ++ do_exit(SIGKILL);
9924 ++ }
9925 ++ }
9926 ++#endif
9927 ++
9928 + _exception(SIGSEGV, regs, code, address);
9929 + return 0;
9930 + }
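Review bot: `do_exit(SIGKILL)` on the PAGEEXEC kill path terminates only the faulting thread, so the sibling threads of a multithreaded offender keep running after an execution-protection violation; `do_group_exit(SIGKILL)` would take the whole thread group down. The return codes 2–6 handled by the `switch` are not explained in this file; a comment such as `/* 2-4: PLT trampoline emulated, 5-6: signal-return trampoline emulated, anything else: kill */` would document the contract, assuming that is what the EMUPLT/EMUSIGRT guards imply — `pax_handle_fetch_fault` is defined outside this hunk. The emulated cases `return 0` with `regs->nip` rewritten, which relies on `mmap_sem` already having been dropped at `bad_area` above the hunk.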
9931 +diff -Nurp linux-2.6.23.15/arch/s390/kernel/module.c linux-2.6.23.15-grsec/arch/s390/kernel/module.c
9932 +--- linux-2.6.23.15/arch/s390/kernel/module.c 2007-10-09 21:31:38.000000000 +0100
9933 ++++ linux-2.6.23.15-grsec/arch/s390/kernel/module.c 2008-02-11 10:37:44.000000000 +0000
9934 +@@ -166,11 +166,11 @@ module_frob_arch_sections(Elf_Ehdr *hdr,
9935 +
9936 + /* Increase core size by size of got & plt and set start
9937 + offsets for got and plt. */
9938 +- me->core_size = ALIGN(me->core_size, 4);
9939 +- me->arch.got_offset = me->core_size;
9940 +- me->core_size += me->arch.got_size;
9941 +- me->arch.plt_offset = me->core_size;
9942 +- me->core_size += me->arch.plt_size;
9943 ++ me->core_size_rw = ALIGN(me->core_size_rw, 4);
9944 ++ me->arch.got_offset = me->core_size_rw;
9945 ++ me->core_size_rw += me->arch.got_size;
9946 ++ me->arch.plt_offset = me->core_size_rx;
9947 ++ me->core_size_rx += me->arch.plt_size;
9948 + return 0;
9949 + }
9950 +
9951 +@@ -256,7 +256,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
9952 + if (info->got_initialized == 0) {
9953 + Elf_Addr *gotent;
9954 +
9955 +- gotent = me->module_core + me->arch.got_offset +
9956 ++ gotent = me->module_core_rw + me->arch.got_offset +
9957 + info->got_offset;
9958 + *gotent = val;
9959 + info->got_initialized = 1;
9960 +@@ -280,7 +280,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
9961 + else if (r_type == R_390_GOTENT ||
9962 + r_type == R_390_GOTPLTENT)
9963 + *(unsigned int *) loc =
9964 +- (val + (Elf_Addr) me->module_core - loc) >> 1;
9965 ++ (val + (Elf_Addr) me->module_core_rw - loc) >> 1;
9966 + else if (r_type == R_390_GOT64 ||
9967 + r_type == R_390_GOTPLT64)
9968 + *(unsigned long *) loc = val;
9969 +@@ -294,7 +294,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
9970 + case R_390_PLTOFF64: /* 16 bit offset from GOT to PLT. */
9971 + if (info->plt_initialized == 0) {
9972 + unsigned int *ip;
9973 +- ip = me->module_core + me->arch.plt_offset +
9974 ++ ip = me->module_core_rx + me->arch.plt_offset +
9975 + info->plt_offset;
9976 + #ifndef CONFIG_64BIT
9977 + ip[0] = 0x0d105810; /* basr 1,0; l 1,6(1); br 1 */
9978 +@@ -316,7 +316,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
9979 + val = me->arch.plt_offset - me->arch.got_offset +
9980 + info->plt_offset + rela->r_addend;
9981 + else
9982 +- val = (Elf_Addr) me->module_core +
9983 ++ val = (Elf_Addr) me->module_core_rx +
9984 + me->arch.plt_offset + info->plt_offset +
9985 + rela->r_addend - loc;
9986 + if (r_type == R_390_PLT16DBL)
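Review bot: The unchanged first line of this hunk still computes the PLTOFF value as `me->arch.plt_offset - me->arch.got_offset`, but after this patch those are offsets into two different allocations (`module_core_rx` and `module_core_rw`), so the GOT-to-PLT distance it yields is no longer meaningful; the enclosing `if` that selects the PLTOFF relocations begins outside the hunk. Unless PLTOFF relocations are known never to occur in kernel modules, it should become `val = (Elf_Addr) me->module_core_rx + me->arch.plt_offset - ((Elf_Addr) me->module_core_rw + me->arch.got_offset) + info->plt_offset + rela->r_addend;`. A one-line comment noting that GOT and PLT now live in separate regions would stop the offset-only arithmetic from being reintroduced.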
9987 +@@ -336,7 +336,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
9988 + case R_390_GOTOFF32: /* 32 bit offset to GOT. */
9989 + case R_390_GOTOFF64: /* 64 bit offset to GOT. */
9990 + val = val + rela->r_addend -
9991 +- ((Elf_Addr) me->module_core + me->arch.got_offset);
9992 ++ ((Elf_Addr) me->module_core_rw + me->arch.got_offset);
9993 + if (r_type == R_390_GOTOFF16)
9994 + *(unsigned short *) loc = val;
9995 + else if (r_type == R_390_GOTOFF32)
9996 +@@ -346,7 +346,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
9997 + break;
9998 + case R_390_GOTPC: /* 32 bit PC relative offset to GOT. */
9999 + case R_390_GOTPCDBL: /* 32 bit PC rel. off. to GOT shifted by 1. */
10000 +- val = (Elf_Addr) me->module_core + me->arch.got_offset +
10001 ++ val = (Elf_Addr) me->module_core_rw + me->arch.got_offset +
10002 + rela->r_addend - loc;
10003 + if (r_type == R_390_GOTPC)
10004 + *(unsigned int *) loc = val;
10005 +diff -Nurp linux-2.6.23.15/arch/sparc/Makefile linux-2.6.23.15-grsec/arch/sparc/Makefile
10006 +--- linux-2.6.23.15/arch/sparc/Makefile 2007-10-09 21:31:38.000000000 +0100
10007 ++++ linux-2.6.23.15-grsec/arch/sparc/Makefile 2008-02-11 10:37:44.000000000 +0000
10008 +@@ -36,7 +36,7 @@ drivers-$(CONFIG_OPROFILE) += arch/sparc
10009 + # Renaming is done to avoid confusing pattern matching rules in 2.5.45 (multy-)
10010 + INIT_Y := $(patsubst %/, %/built-in.o, $(init-y))
10011 + CORE_Y := $(core-y)
10012 +-CORE_Y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/
10013 ++CORE_Y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/ grsecurity/
10014 + CORE_Y := $(patsubst %/, %/built-in.o, $(CORE_Y))
10015 + DRIVERS_Y := $(patsubst %/, %/built-in.o, $(drivers-y))
10016 + NET_Y := $(patsubst %/, %/built-in.o, $(net-y))
10017 +diff -Nurp linux-2.6.23.15/arch/sparc/kernel/ptrace.c linux-2.6.23.15-grsec/arch/sparc/kernel/ptrace.c
10018 +--- linux-2.6.23.15/arch/sparc/kernel/ptrace.c 2007-10-09 21:31:38.000000000 +0100
10019 ++++ linux-2.6.23.15-grsec/arch/sparc/kernel/ptrace.c 2008-02-11 10:37:44.000000000 +0000
10020 +@@ -19,6 +19,7 @@
10021 + #include <linux/smp_lock.h>
10022 + #include <linux/security.h>
10023 + #include <linux/signal.h>
10024 ++#include <linux/grsecurity.h>
10025 +
10026 + #include <asm/pgtable.h>
10027 + #include <asm/system.h>
10028 +@@ -303,6 +304,11 @@ asmlinkage void do_ptrace(struct pt_regs
10029 + goto out;
10030 + }
10031 +
10032 ++ if (gr_handle_ptrace(child, request)) {
10033 ++ pt_error_return(regs, EPERM);
10034 ++ goto out_tsk;
10035 ++ }
10036 ++
10037 + if ((current->personality == PER_SUNOS && request == PTRACE_SUNATTACH)
10038 + || (current->personality != PER_SUNOS && request == PTRACE_ATTACH)) {
10039 + if (ptrace_attach(child)) {
10040 +diff -Nurp linux-2.6.23.15/arch/sparc/kernel/sys_sparc.c linux-2.6.23.15-grsec/arch/sparc/kernel/sys_sparc.c
10041 +--- linux-2.6.23.15/arch/sparc/kernel/sys_sparc.c 2007-10-09 21:31:38.000000000 +0100
10042 ++++ linux-2.6.23.15-grsec/arch/sparc/kernel/sys_sparc.c 2008-02-11 10:37:44.000000000 +0000
10043 +@@ -57,7 +57,7 @@ unsigned long arch_get_unmapped_area(str
10044 + if (ARCH_SUN4C_SUN4 && len > 0x20000000)
10045 + return -ENOMEM;
10046 + if (!addr)
10047 +- addr = TASK_UNMAPPED_BASE;
10048 ++ addr = current->mm->mmap_base;
10049 +
10050 + if (flags & MAP_SHARED)
10051 + addr = COLOUR_ALIGN(addr);
10052 +diff -Nurp linux-2.6.23.15/arch/sparc/mm/fault.c linux-2.6.23.15-grsec/arch/sparc/mm/fault.c
10053 +--- linux-2.6.23.15/arch/sparc/mm/fault.c 2007-10-09 21:31:38.000000000 +0100
10054 ++++ linux-2.6.23.15-grsec/arch/sparc/mm/fault.c 2008-02-11 10:37:44.000000000 +0000
10055 +@@ -21,6 +21,10 @@
10056 + #include <linux/interrupt.h>
10057 + #include <linux/module.h>
10058 + #include <linux/kdebug.h>
10059 ++#include <linux/slab.h>
10060 ++#include <linux/pagemap.h>
10061 ++#include <linux/compiler.h>
10062 ++#include <linux/binfmts.h>
10063 +
10064 + #include <asm/system.h>
10065 + #include <asm/page.h>
10066 +@@ -216,6 +220,252 @@ static unsigned long compute_si_addr(str
10067 + return safe_compute_effective_address(regs, insn);
10068 + }
10069 +
10070 ++#ifdef CONFIG_PAX_PAGEEXEC
10071 ++void pax_emuplt_close(struct vm_area_struct *vma)
10072 ++{
10073 ++ vma->vm_mm->call_dl_resolve = 0UL;
10074 ++}
10075 ++
10076 ++static struct page *pax_emuplt_nopage(struct vm_area_struct *vma, unsigned long address, int *type)
10077 ++{
10078 ++ struct page *page;
10079 ++ unsigned int *kaddr;
10080 ++
10081 ++ page = alloc_page(GFP_HIGHUSER);
10082 ++ if (!page)
10083 ++ return NOPAGE_OOM;
10084 ++
10085 ++ kaddr = kmap(page);
10086 ++ memset(kaddr, 0, PAGE_SIZE);
10087 ++ kaddr[0] = 0x9DE3BFA8U; /* save */
10088 ++ flush_dcache_page(page);
10089 ++ kunmap(page);
10090 ++ if (type)
10091 ++ *type = VM_FAULT_MAJOR;
10092 ++
10093 ++ return page;
10094 ++}
10095 ++
10096 ++static struct vm_operations_struct pax_vm_ops = {
10097 ++ .close = pax_emuplt_close,
10098 ++ .nopage = pax_emuplt_nopage,
10099 ++};
10100 ++
10101 ++static int pax_insert_vma(struct vm_area_struct *vma, unsigned long addr)
10102 ++{
10103 ++ int ret;
10104 ++
10105 ++ memset(vma, 0, sizeof(*vma));
10106 ++ vma->vm_mm = current->mm;
10107 ++ vma->vm_start = addr;
10108 ++ vma->vm_end = addr + PAGE_SIZE;
10109 ++ vma->vm_flags = VM_READ | VM_EXEC | VM_MAYREAD | VM_MAYEXEC;
10110 ++ vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
10111 ++ vma->vm_ops = &pax_vm_ops;
10112 ++
10113 ++ ret = insert_vm_struct(current->mm, vma);
10114 ++ if (ret)
10115 ++ return ret;
10116 ++
10117 ++ ++current->mm->total_vm;
10118 ++ return 0;
10119 ++}
10120 ++
10121 ++/*
10122 ++ * PaX: decide what to do with offenders (regs->pc = fault address)
10123 ++ *
10124 ++ * returns 1 when task should be killed
10125 ++ * 2 when patched PLT trampoline was detected
10126 ++ * 3 when unpatched PLT trampoline was detected
10127 ++ */
10128 ++static int pax_handle_fetch_fault(struct pt_regs *regs)
10129 ++{
10130 ++
10131 ++#ifdef CONFIG_PAX_EMUPLT
10132 ++ int err;
10133 ++
10134 ++ do { /* PaX: patched PLT emulation #1 */
10135 ++ unsigned int sethi1, sethi2, jmpl;
10136 ++
10137 ++ err = get_user(sethi1, (unsigned int *)regs->pc);
10138 ++ err |= get_user(sethi2, (unsigned int *)(regs->pc+4));
10139 ++ err |= get_user(jmpl, (unsigned int *)(regs->pc+8));
10140 ++
10141 ++ if (err)
10142 ++ break;
10143 ++
10144 ++ if ((sethi1 & 0xFFC00000U) == 0x03000000U &&
10145 ++ (sethi2 & 0xFFC00000U) == 0x03000000U &&
10146 ++ (jmpl & 0xFFFFE000U) == 0x81C06000U)
10147 ++ {
10148 ++ unsigned int addr;
10149 ++
10150 ++ regs->u_regs[UREG_G1] = (sethi2 & 0x003FFFFFU) << 10;
10151 ++ addr = regs->u_regs[UREG_G1];
10152 ++ addr += (((jmpl | 0xFFFFE000U) ^ 0x00001000U) + 0x00001000U);
10153 ++ regs->pc = addr;
10154 ++ regs->npc = addr+4;
10155 ++ return 2;
10156 ++ }
10157 ++ } while (0);
10158 ++
10159 ++ { /* PaX: patched PLT emulation #2 */
10160 ++ unsigned int ba;
10161 ++
10162 ++ err = get_user(ba, (unsigned int *)regs->pc);
10163 ++
10164 ++ if (!err && (ba & 0xFFC00000U) == 0x30800000U) {
10165 ++ unsigned int addr;
10166 ++
10167 ++ addr = regs->pc + ((((ba | 0xFFC00000U) ^ 0x00200000U) + 0x00200000U) << 2);
10168 ++ regs->pc = addr;
10169 ++ regs->npc = addr+4;
10170 ++ return 2;
10171 ++ }
10172 ++ }
10173 ++
10174 ++ do { /* PaX: patched PLT emulation #3 */
10175 ++ unsigned int sethi, jmpl, nop;
10176 ++
10177 ++ err = get_user(sethi, (unsigned int *)regs->pc);
10178 ++ err |= get_user(jmpl, (unsigned int *)(regs->pc+4));
10179 ++ err |= get_user(nop, (unsigned int *)(regs->pc+8));
10180 ++
10181 ++ if (err)
10182 ++ break;
10183 ++
10184 ++ if ((sethi & 0xFFC00000U) == 0x03000000U &&
10185 ++ (jmpl & 0xFFFFE000U) == 0x81C06000U &&
10186 ++ nop == 0x01000000U)
10187 ++ {
10188 ++ unsigned int addr;
10189 ++
10190 ++ addr = (sethi & 0x003FFFFFU) << 10;
10191 ++ regs->u_regs[UREG_G1] = addr;
10192 ++ addr += (((jmpl | 0xFFFFE000U) ^ 0x00001000U) + 0x00001000U);
10193 ++ regs->pc = addr;
10194 ++ regs->npc = addr+4;
10195 ++ return 2;
10196 ++ }
10197 ++ } while (0);
10198 ++
10199 ++ do { /* PaX: unpatched PLT emulation step 1 */
10200 ++ unsigned int sethi, ba, nop;
10201 ++
10202 ++ err = get_user(sethi, (unsigned int *)regs->pc);
10203 ++ err |= get_user(ba, (unsigned int *)(regs->pc+4));
10204 ++ err |= get_user(nop, (unsigned int *)(regs->pc+8));
10205 ++
10206 ++ if (err)
10207 ++ break;
10208 ++
10209 ++ if ((sethi & 0xFFC00000U) == 0x03000000U &&
10210 ++ ((ba & 0xFFC00000U) == 0x30800000U || (ba & 0xFFF80000U) == 0x30680000U) &&
10211 ++ nop == 0x01000000U)
10212 ++ {
10213 ++ unsigned int addr, save, call;
10214 ++
10215 ++ if ((ba & 0xFFC00000U) == 0x30800000U)
10216 ++ addr = regs->pc + 4 + ((((ba | 0xFFC00000U) ^ 0x00200000U) + 0x00200000U) << 2);
10217 ++ else
10218 ++ addr = regs->pc + 4 + ((((ba | 0xFFF80000U) ^ 0x00040000U) + 0x00040000U) << 2);
10219 ++
10220 ++ err = get_user(save, (unsigned int *)addr);
10221 ++ err |= get_user(call, (unsigned int *)(addr+4));
10222 ++ err |= get_user(nop, (unsigned int *)(addr+8));
10223 ++ if (err)
10224 ++ break;
10225 ++
10226 ++ if (save == 0x9DE3BFA8U &&
10227 ++ (call & 0xC0000000U) == 0x40000000U &&
10228 ++ nop == 0x01000000U)
10229 ++ {
10230 ++ struct vm_area_struct *vma;
10231 ++ unsigned long call_dl_resolve;
10232 ++
10233 ++ down_read(&current->mm->mmap_sem);
10234 ++ call_dl_resolve = current->mm->call_dl_resolve;
10235 ++ up_read(&current->mm->mmap_sem);
10236 ++ if (likely(call_dl_resolve))
10237 ++ goto emulate;
10238 ++
10239 ++ vma = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
10240 ++
10241 ++ down_write(&current->mm->mmap_sem);
10242 ++ if (current->mm->call_dl_resolve) {
10243 ++ call_dl_resolve = current->mm->call_dl_resolve;
10244 ++ up_write(&current->mm->mmap_sem);
10245 ++ if (vma) kmem_cache_free(vm_area_cachep, vma);
10246 ++ goto emulate;
10247 ++ }
10248 ++
10249 ++ call_dl_resolve = get_unmapped_area(NULL, 0UL, PAGE_SIZE, 0UL, MAP_PRIVATE);
10250 ++ if (!vma || (call_dl_resolve & ~PAGE_MASK)) {
10251 ++ up_write(&current->mm->mmap_sem);
10252 ++ if (vma) kmem_cache_free(vm_area_cachep, vma);
10253 ++ return 1;
10254 ++ }
10255 ++
10256 ++ if (pax_insert_vma(vma, call_dl_resolve)) {
10257 ++ up_write(&current->mm->mmap_sem);
10258 ++ kmem_cache_free(vm_area_cachep, vma);
10259 ++ return 1;
10260 ++ }
10261 ++
10262 ++ current->mm->call_dl_resolve = call_dl_resolve;
10263 ++ up_write(&current->mm->mmap_sem);
10264 ++
10265 ++emulate:
10266 ++ regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
10267 ++ regs->pc = call_dl_resolve;
10268 ++ regs->npc = addr+4;
10269 ++ return 3;
10270 ++ }
10271 ++ }
10272 ++ } while (0);
10273 ++
10274 ++ do { /* PaX: unpatched PLT emulation step 2 */
10275 ++ unsigned int save, call, nop;
10276 ++
10277 ++ err = get_user(save, (unsigned int *)(regs->pc-4));
10278 ++ err |= get_user(call, (unsigned int *)regs->pc);
10279 ++ err |= get_user(nop, (unsigned int *)(regs->pc+4));
10280 ++ if (err)
10281 ++ break;
10282 ++
10283 ++ if (save == 0x9DE3BFA8U &&
10284 ++ (call & 0xC0000000U) == 0x40000000U &&
10285 ++ nop == 0x01000000U)
10286 ++ {
10287 ++ unsigned int dl_resolve = regs->pc + ((((call | 0xC0000000U) ^ 0x20000000U) + 0x20000000U) << 2);
10288 ++
10289 ++ regs->u_regs[UREG_RETPC] = regs->pc;
10290 ++ regs->pc = dl_resolve;
10291 ++ regs->npc = dl_resolve+4;
10292 ++ return 3;
10293 ++ }
10294 ++ } while (0);
10295 ++#endif
10296 ++
10297 ++ return 1;
10298 ++}
10299 ++
10300 ++void pax_report_insns(void *pc, void *sp)
10301 ++{
10302 ++ unsigned long i;
10303 ++
10304 ++ printk(KERN_ERR "PAX: bytes at PC: ");
10305 ++ for (i = 0; i < 5; i++) {
10306 ++ unsigned int c;
10307 ++ if (get_user(c, (unsigned int *)pc+i))
10308 ++ printk("???????? ");
10309 ++ else
10310 ++ printk("%08x ", c);
10311 ++ }
10312 ++ printk("\n");
10313 ++}
10314 ++#endif
10315 ++
10316 + asmlinkage void do_sparc_fault(struct pt_regs *regs, int text_fault, int write,
10317 + unsigned long address)
10318 + {
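Review bot: `pax_emuplt_close` is the only helper in this block without `static` (its sparc64 twin later in the patch is static), so it leaks into the global kernel namespace; make it `static void pax_emuplt_close(struct vm_area_struct *vma)`. Unlike the sparc64 version, the emulation helpers here are not wrapped in `#ifdef CONFIG_PAX_EMUPLT`, so a PAGEEXEC build without EMUPLT compiles unused `pax_emuplt_nopage`/`pax_vm_ops`/`pax_insert_vma` and triggers unused-function warnings; guard them the same way. The unpatched-PLT step-1 path reads `mm->call_dl_resolve` under the read lock, allocates the vma with GFP_KERNEL outside any lock, then re-checks under the write lock, all without a comment; something like `/* allocate outside mmap_sem, then re-check: another thread may have installed the trampoline page meanwhile */` would make the race handling reviewable. Whether `flush_dcache_page` alone makes the freshly written `save` instruction visible to instruction fetch on every sparc32 cache model is not visible here and deserves a confirming comment.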
10319 +@@ -280,6 +530,24 @@ good_area:
10320 + if(!(vma->vm_flags & VM_WRITE))
10321 + goto bad_area;
10322 + } else {
10323 ++
10324 ++#ifdef CONFIG_PAX_PAGEEXEC
10325 ++ if ((mm->pax_flags & MF_PAX_PAGEEXEC) && text_fault && !(vma->vm_flags & VM_EXEC)) {
10326 ++ up_read(&mm->mmap_sem);
10327 ++ switch (pax_handle_fetch_fault(regs)) {
10328 ++
10329 ++#ifdef CONFIG_PAX_EMUPLT
10330 ++ case 2:
10331 ++ case 3:
10332 ++ return;
10333 ++#endif
10334 ++
10335 ++ }
10336 ++ pax_report_fault(regs, (void *)regs->pc, (void *)regs->u_regs[UREG_FP]);
10337 ++ do_exit(SIGKILL);
10338 ++ }
10339 ++#endif
10340 ++
10341 + /* Allow reads even for write-only mappings */
10342 + if(!(vma->vm_flags & (VM_READ | VM_EXEC)))
10343 + goto bad_area;
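Review bot: `do_exit(SIGKILL)` kills only the faulting thread, so sibling threads of a multithreaded offender keep running after a PAGEEXEC violation; `do_group_exit(SIGKILL)` is the safer call. The `switch` has no `default` and only handles 2 and 3 under `CONFIG_PAX_EMUPLT`; a `default: break;` plus `/* 1: kill; 2/3: PLT trampoline emulated, resume at the rewritten pc */` would document the contract with `pax_handle_fetch_fault`. The `else` branch this sits in and the rest of `do_sparc_fault` continue outside the hunk.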
10344 +diff -Nurp linux-2.6.23.15/arch/sparc/mm/init.c linux-2.6.23.15-grsec/arch/sparc/mm/init.c
10345 +--- linux-2.6.23.15/arch/sparc/mm/init.c 2007-10-09 21:31:38.000000000 +0100
10346 ++++ linux-2.6.23.15-grsec/arch/sparc/mm/init.c 2008-02-11 10:37:44.000000000 +0000
10347 +@@ -336,17 +336,17 @@ void __init paging_init(void)
10348 +
10349 + /* Initialize the protection map with non-constant, MMU dependent values. */
10350 + protection_map[0] = PAGE_NONE;
10351 +- protection_map[1] = PAGE_READONLY;
10352 +- protection_map[2] = PAGE_COPY;
10353 +- protection_map[3] = PAGE_COPY;
10354 ++ protection_map[1] = PAGE_READONLY_NOEXEC;
10355 ++ protection_map[2] = PAGE_COPY_NOEXEC;
10356 ++ protection_map[3] = PAGE_COPY_NOEXEC;
10357 + protection_map[4] = PAGE_READONLY;
10358 + protection_map[5] = PAGE_READONLY;
10359 + protection_map[6] = PAGE_COPY;
10360 + protection_map[7] = PAGE_COPY;
10361 + protection_map[8] = PAGE_NONE;
10362 +- protection_map[9] = PAGE_READONLY;
10363 +- protection_map[10] = PAGE_SHARED;
10364 +- protection_map[11] = PAGE_SHARED;
10365 ++ protection_map[9] = PAGE_READONLY_NOEXEC;
10366 ++ protection_map[10] = PAGE_SHARED_NOEXEC;
10367 ++ protection_map[11] = PAGE_SHARED_NOEXEC;
10368 + protection_map[12] = PAGE_READONLY;
10369 + protection_map[13] = PAGE_READONLY;
10370 + protection_map[14] = PAGE_SHARED;
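Review bot: These assignments use `PAGE_READONLY_NOEXEC`, `PAGE_COPY_NOEXEC` and `PAGE_SHARED_NOEXEC` unconditionally, while the srmmu.c hunk in the same patch only initialises those values under `#ifdef CONFIG_PAX_PAGEEXEC`; unless pgtable.h defines them as aliases of the executable variants when PAGEEXEC is off (not visible here), a non-PAGEEXEC build either fails to compile or installs uninitialised protections for PROT_READ mappings. Either guard this hunk the same way or add a comment stating where the fallback definitions come from. A short comment above the table, e.g. `/* PaX: entries without PROT_EXEC (1-3, 9-11) are now non-executable */`, would explain why only those indices changed.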
10371 +diff -Nurp linux-2.6.23.15/arch/sparc/mm/srmmu.c linux-2.6.23.15-grsec/arch/sparc/mm/srmmu.c
10372 +--- linux-2.6.23.15/arch/sparc/mm/srmmu.c 2007-10-09 21:31:38.000000000 +0100
10373 ++++ linux-2.6.23.15-grsec/arch/sparc/mm/srmmu.c 2008-02-11 10:37:44.000000000 +0000
10374 +@@ -2157,6 +2157,13 @@ void __init ld_mmu_srmmu(void)
10375 + PAGE_SHARED = pgprot_val(SRMMU_PAGE_SHARED);
10376 + BTFIXUPSET_INT(page_copy, pgprot_val(SRMMU_PAGE_COPY));
10377 + BTFIXUPSET_INT(page_readonly, pgprot_val(SRMMU_PAGE_RDONLY));
10378 ++
10379 ++#ifdef CONFIG_PAX_PAGEEXEC
10380 ++ PAGE_SHARED_NOEXEC = pgprot_val(SRMMU_PAGE_SHARED_NOEXEC);
10381 ++ BTFIXUPSET_INT(page_copy_noexec, pgprot_val(SRMMU_PAGE_COPY_NOEXEC));
10382 ++ BTFIXUPSET_INT(page_readonly_noexec, pgprot_val(SRMMU_PAGE_RDONLY_NOEXEC));
10383 ++#endif
10384 ++
10385 + BTFIXUPSET_INT(page_kernel, pgprot_val(SRMMU_PAGE_KERNEL));
10386 + page_kernel = pgprot_val(SRMMU_PAGE_KERNEL);
10387 +
10388 +diff -Nurp linux-2.6.23.15/arch/sparc64/kernel/Makefile linux-2.6.23.15-grsec/arch/sparc64/kernel/Makefile
10389 +--- linux-2.6.23.15/arch/sparc64/kernel/Makefile 2007-10-09 21:31:38.000000000 +0100
10390 ++++ linux-2.6.23.15-grsec/arch/sparc64/kernel/Makefile 2008-02-11 10:37:44.000000000 +0000
10391 +@@ -3,7 +3,7 @@
10392 + #
10393 +
10394 + EXTRA_AFLAGS := -ansi
10395 +-EXTRA_CFLAGS := -Werror
10396 ++#EXTRA_CFLAGS := -Werror
10397 +
10398 + extra-y := head.o init_task.o vmlinux.lds
10399 +
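Review bot: Commenting out `EXTRA_CFLAGS := -Werror` silences every warning in arch/sparc64/kernel instead of fixing the ones the PaX changes introduce, so new defects in this directory no longer fail the build; the same is done for arch/sparc64/mm further down. Prefer fixing the offending warnings, or, if they are unavoidable, record which ones in a comment such as `# -Werror disabled: PaX changes warn in <file>` so the flag can be restored later.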
10400 +diff -Nurp linux-2.6.23.15/arch/sparc64/kernel/ptrace.c linux-2.6.23.15-grsec/arch/sparc64/kernel/ptrace.c
10401 +--- linux-2.6.23.15/arch/sparc64/kernel/ptrace.c 2007-10-09 21:31:38.000000000 +0100
10402 ++++ linux-2.6.23.15-grsec/arch/sparc64/kernel/ptrace.c 2008-02-11 10:37:44.000000000 +0000
10403 +@@ -22,6 +22,7 @@
10404 + #include <linux/seccomp.h>
10405 + #include <linux/audit.h>
10406 + #include <linux/signal.h>
10407 ++#include <linux/grsecurity.h>
10408 +
10409 + #include <asm/asi.h>
10410 + #include <asm/pgtable.h>
10411 +@@ -216,6 +217,11 @@ asmlinkage void do_ptrace(struct pt_regs
10412 + goto out;
10413 + }
10414 +
10415 ++ if (gr_handle_ptrace(child, (long)request)) {
10416 ++ pt_error_return(regs, EPERM);
10417 ++ goto out_tsk;
10418 ++ }
10419 ++
10420 + if ((current->personality == PER_SUNOS && request == PTRACE_SUNATTACH)
10421 + || (current->personality != PER_SUNOS && request == PTRACE_ATTACH)) {
10422 + if (ptrace_attach(child)) {
10423 +diff -Nurp linux-2.6.23.15/arch/sparc64/kernel/sys_sparc.c linux-2.6.23.15-grsec/arch/sparc64/kernel/sys_sparc.c
10424 +--- linux-2.6.23.15/arch/sparc64/kernel/sys_sparc.c 2008-02-11 10:36:03.000000000 +0000
10425 ++++ linux-2.6.23.15-grsec/arch/sparc64/kernel/sys_sparc.c 2008-02-11 10:37:44.000000000 +0000
10426 +@@ -124,7 +124,7 @@ unsigned long arch_get_unmapped_area(str
10427 + /* We do not accept a shared mapping if it would violate
10428 + * cache aliasing constraints.
10429 + */
10430 +- if ((flags & MAP_SHARED) &&
10431 ++ if ((filp || (flags & MAP_SHARED)) &&
10432 + ((addr - (pgoff << PAGE_SHIFT)) & (SHMLBA - 1)))
10433 + return -EINVAL;
10434 + return addr;
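Review bot: Changing the alias check to `(filp || (flags & MAP_SHARED))` makes this branch reject any file-backed mapping, including private ones, whose address is not SHMLBA-colour-congruent with its file offset, returning EINVAL where the mapping used to succeed; that is a user-visible ABI change, and the enclosing condition (presumably the MAP_FIXED path) is outside the hunk. If the intent is to make fixed-address file mappings obey the same colouring that `do_color_align` applies to kernel-chosen addresses below, say so in the comment above, e.g. `/* PaX: all file mappings, not only MAP_SHARED, must honour cache colouring */`, and confirm that ld.so's fixed-address segment mappings remain congruent.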
10435 +@@ -139,6 +139,10 @@ unsigned long arch_get_unmapped_area(str
10436 + if (filp || (flags & MAP_SHARED))
10437 + do_color_align = 1;
10438 +
10439 ++#ifdef CONFIG_PAX_RANDMMAP
10440 ++ if (!(mm->pax_flags & MF_PAX_RANDMMAP) || !filp)
10441 ++#endif
10442 ++
10443 + if (addr) {
10444 + if (do_color_align)
10445 + addr = COLOUR_ALIGN(addr, pgoff);
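Review bot: The new `if (!(mm->pax_flags & MF_PAX_RANDMMAP) || !filp)` under `#ifdef CONFIG_PAX_RANDMMAP` has no braces, and its body is the pre-existing `if (addr) { ... }` statement that follows the `#endif` and a blank line; this is valid C but brittle, since any statement inserted between the two silently changes what is conditional. Either brace the body explicitly or annotate the new line, e.g. `/* under RANDMMAP ignore the address hint for file mappings; the if (addr) block below is the body */`. The resulting behaviour — file mappings under RANDMMAP always get a kernel-chosen address — is otherwise undocumented in the hunk.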
10446 +@@ -152,9 +156,9 @@ unsigned long arch_get_unmapped_area(str
10447 + }
10448 +
10449 + if (len > mm->cached_hole_size) {
10450 +- start_addr = addr = mm->free_area_cache;
10451 ++ start_addr = addr = mm->free_area_cache;
10452 + } else {
10453 +- start_addr = addr = TASK_UNMAPPED_BASE;
10454 ++ start_addr = addr = mm->mmap_base;
10455 + mm->cached_hole_size = 0;
10456 + }
10457 +
10458 +@@ -174,8 +178,8 @@ full_search:
10459 + vma = find_vma(mm, VA_EXCLUDE_END);
10460 + }
10461 + if (unlikely(task_size < addr)) {
10462 +- if (start_addr != TASK_UNMAPPED_BASE) {
10463 +- start_addr = addr = TASK_UNMAPPED_BASE;
10464 ++ if (start_addr != mm->mmap_base) {
10465 ++ start_addr = addr = mm->mmap_base;
10466 + mm->cached_hole_size = 0;
10467 + goto full_search;
10468 + }
10469 +@@ -215,7 +219,7 @@ arch_get_unmapped_area_topdown(struct fi
10470 + /* We do not accept a shared mapping if it would violate
10471 + * cache aliasing constraints.
10472 + */
10473 +- if ((flags & MAP_SHARED) &&
10474 ++ if ((filp || (flags & MAP_SHARED)) &&
10475 + ((addr - (pgoff << PAGE_SHIFT)) & (SHMLBA - 1)))
10476 + return -EINVAL;
10477 + return addr;
10478 +@@ -378,6 +382,12 @@ void arch_pick_mmap_layout(struct mm_str
10479 + current->signal->rlim[RLIMIT_STACK].rlim_cur == RLIM_INFINITY ||
10480 + sysctl_legacy_va_layout) {
10481 + mm->mmap_base = TASK_UNMAPPED_BASE + random_factor;
10482 ++
10483 ++#ifdef CONFIG_PAX_RANDMMAP
10484 ++ if (mm->pax_flags & MF_PAX_RANDMMAP)
10485 ++ mm->mmap_base += mm->delta_mmap;
10486 ++#endif
10487 ++
10488 + mm->get_unmapped_area = arch_get_unmapped_area;
10489 + mm->unmap_area = arch_unmap_area;
10490 + } else {
10491 +@@ -392,6 +402,12 @@ void arch_pick_mmap_layout(struct mm_str
10492 + gap = (task_size / 6 * 5);
10493 +
10494 + mm->mmap_base = PAGE_ALIGN(task_size - gap - random_factor);
10495 ++
10496 ++#ifdef CONFIG_PAX_RANDMMAP
10497 ++ if (mm->pax_flags & MF_PAX_RANDMMAP)
10498 ++ mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
10499 ++#endif
10500 ++
10501 + mm->get_unmapped_area = arch_get_unmapped_area_topdown;
10502 + mm->unmap_area = arch_unmap_area_topdown;
10503 + }
10504 +diff -Nurp linux-2.6.23.15/arch/sparc64/mm/Makefile linux-2.6.23.15-grsec/arch/sparc64/mm/Makefile
10505 +--- linux-2.6.23.15/arch/sparc64/mm/Makefile 2007-10-09 21:31:38.000000000 +0100
10506 ++++ linux-2.6.23.15-grsec/arch/sparc64/mm/Makefile 2008-02-11 10:37:44.000000000 +0000
10507 +@@ -3,7 +3,7 @@
10508 + #
10509 +
10510 + EXTRA_AFLAGS := -ansi
10511 +-EXTRA_CFLAGS := -Werror
10512 ++#EXTRA_CFLAGS := -Werror
10513 +
10514 + obj-y := ultra.o tlb.o tsb.o fault.o init.o generic.o
10515 +
10516 +diff -Nurp linux-2.6.23.15/arch/sparc64/mm/fault.c linux-2.6.23.15-grsec/arch/sparc64/mm/fault.c
10517 +--- linux-2.6.23.15/arch/sparc64/mm/fault.c 2007-10-09 21:31:38.000000000 +0100
10518 ++++ linux-2.6.23.15-grsec/arch/sparc64/mm/fault.c 2008-02-11 10:37:44.000000000 +0000
10519 +@@ -20,6 +20,10 @@
10520 + #include <linux/kprobes.h>
10521 + #include <linux/kallsyms.h>
10522 + #include <linux/kdebug.h>
10523 ++#include <linux/slab.h>
10524 ++#include <linux/pagemap.h>
10525 ++#include <linux/compiler.h>
10526 ++#include <linux/binfmts.h>
10527 +
10528 + #include <asm/page.h>
10529 + #include <asm/pgtable.h>
10530 +@@ -270,6 +274,369 @@ cannot_handle:
10531 + unhandled_fault (address, current, regs);
10532 + }
10533 +
10534 ++#ifdef CONFIG_PAX_PAGEEXEC
10535 ++#ifdef CONFIG_PAX_EMUPLT
10536 ++static void pax_emuplt_close(struct vm_area_struct *vma)
10537 ++{
10538 ++ vma->vm_mm->call_dl_resolve = 0UL;
10539 ++}
10540 ++
10541 ++static struct page *pax_emuplt_nopage(struct vm_area_struct *vma, unsigned long address, int *type)
10542 ++{
10543 ++ struct page *page;
10544 ++ unsigned int *kaddr;
10545 ++
10546 ++ page = alloc_page(GFP_HIGHUSER);
10547 ++ if (!page)
10548 ++ return NOPAGE_OOM;
10549 ++
10550 ++ kaddr = kmap(page);
10551 ++ memset(kaddr, 0, PAGE_SIZE);
10552 ++ kaddr[0] = 0x9DE3BFA8U; /* save */
10553 ++ flush_dcache_page(page);
10554 ++ kunmap(page);
10555 ++ if (type)
10556 ++ *type = VM_FAULT_MAJOR;
10557 ++ return page;
10558 ++}
10559 ++
10560 ++static struct vm_operations_struct pax_vm_ops = {
10561 ++ .close = pax_emuplt_close,
10562 ++ .nopage = pax_emuplt_nopage,
10563 ++};
10564 ++
10565 ++static int pax_insert_vma(struct vm_area_struct *vma, unsigned long addr)
10566 ++{
10567 ++ int ret;
10568 ++
10569 ++ memset(vma, 0, sizeof(*vma));
10570 ++ vma->vm_mm = current->mm;
10571 ++ vma->vm_start = addr;
10572 ++ vma->vm_end = addr + PAGE_SIZE;
10573 ++ vma->vm_flags = VM_READ | VM_EXEC | VM_MAYREAD | VM_MAYEXEC;
10574 ++ vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
10575 ++ vma->vm_ops = &pax_vm_ops;
10576 ++
10577 ++ ret = insert_vm_struct(current->mm, vma);
10578 ++ if (ret)
10579 ++ return ret;
10580 ++
10581 ++ ++current->mm->total_vm;
10582 ++ return 0;
10583 ++}
10584 ++#endif
10585 ++
10586 ++/*
10587 ++ * PaX: decide what to do with offenders (regs->tpc = fault address)
10588 ++ *
10589 ++ * returns 1 when task should be killed
10590 ++ * 2 when patched PLT trampoline was detected
10591 ++ * 3 when unpatched PLT trampoline was detected
10592 ++ */
10593 ++static int pax_handle_fetch_fault(struct pt_regs *regs)
10594 ++{
10595 ++
10596 ++#ifdef CONFIG_PAX_EMUPLT
10597 ++ int err;
10598 ++
10599 ++ do { /* PaX: patched PLT emulation #1 */
10600 ++ unsigned int sethi1, sethi2, jmpl;
10601 ++
10602 ++ err = get_user(sethi1, (unsigned int *)regs->tpc);
10603 ++ err |= get_user(sethi2, (unsigned int *)(regs->tpc+4));
10604 ++ err |= get_user(jmpl, (unsigned int *)(regs->tpc+8));
10605 ++
10606 ++ if (err)
10607 ++ break;
10608 ++
10609 ++ if ((sethi1 & 0xFFC00000U) == 0x03000000U &&
10610 ++ (sethi2 & 0xFFC00000U) == 0x03000000U &&
10611 ++ (jmpl & 0xFFFFE000U) == 0x81C06000U)
10612 ++ {
10613 ++ unsigned long addr;
10614 ++
10615 ++ regs->u_regs[UREG_G1] = (sethi2 & 0x003FFFFFU) << 10;
10616 ++ addr = regs->u_regs[UREG_G1];
10617 ++ addr += (((jmpl | 0xFFFFFFFFFFFFE000UL) ^ 0x00001000UL) + 0x00001000UL);
10618 ++ regs->tpc = addr;
10619 ++ regs->tnpc = addr+4;
10620 ++ return 2;
10621 ++ }
10622 ++ } while (0);
10623 ++
10624 ++ { /* PaX: patched PLT emulation #2 */
10625 ++ unsigned int ba;
10626 ++
10627 ++ err = get_user(ba, (unsigned int *)regs->tpc);
10628 ++
10629 ++ if (!err && (ba & 0xFFC00000U) == 0x30800000U) {
10630 ++ unsigned long addr;
10631 ++
10632 ++ addr = regs->tpc + ((((ba | 0xFFFFFFFFFFC00000UL) ^ 0x00200000UL) + 0x00200000UL) << 2);
10633 ++ regs->tpc = addr;
10634 ++ regs->tnpc = addr+4;
10635 ++ return 2;
10636 ++ }
10637 ++ }
10638 ++
10639 ++ do { /* PaX: patched PLT emulation #3 */
10640 ++ unsigned int sethi, jmpl, nop;
10641 ++
10642 ++ err = get_user(sethi, (unsigned int *)regs->tpc);
10643 ++ err |= get_user(jmpl, (unsigned int *)(regs->tpc+4));
10644 ++ err |= get_user(nop, (unsigned int *)(regs->tpc+8));
10645 ++
10646 ++ if (err)
10647 ++ break;
10648 ++
10649 ++ if ((sethi & 0xFFC00000U) == 0x03000000U &&
10650 ++ (jmpl & 0xFFFFE000U) == 0x81C06000U &&
10651 ++ nop == 0x01000000U)
10652 ++ {
10653 ++ unsigned long addr;
10654 ++
10655 ++ addr = (sethi & 0x003FFFFFU) << 10;
10656 ++ regs->u_regs[UREG_G1] = addr;
10657 ++ addr += (((jmpl | 0xFFFFFFFFFFFFE000UL) ^ 0x00001000UL) + 0x00001000UL);
10658 ++ regs->tpc = addr;
10659 ++ regs->tnpc = addr+4;
10660 ++ return 2;
10661 ++ }
10662 ++ } while (0);
10663 ++
10664 ++ do { /* PaX: patched PLT emulation #4 */
10665 ++ unsigned int mov1, call, mov2;
10666 ++
10667 ++ err = get_user(mov1, (unsigned int *)regs->tpc);
10668 ++ err |= get_user(call, (unsigned int *)(regs->tpc+4));
10669 ++ err |= get_user(mov2, (unsigned int *)(regs->tpc+8));
10670 ++
10671 ++ if (err)
10672 ++ break;
10673 ++
10674 ++ if (mov1 == 0x8210000FU &&
10675 ++ (call & 0xC0000000U) == 0x40000000U &&
10676 ++ mov2 == 0x9E100001U)
10677 ++ {
10678 ++ unsigned long addr;
10679 ++
10680 ++ regs->u_regs[UREG_G1] = regs->u_regs[UREG_RETPC];
10681 ++ addr = regs->tpc + 4 + ((((call | 0xFFFFFFFFC0000000UL) ^ 0x20000000UL) + 0x20000000UL) << 2);
10682 ++ regs->tpc = addr;
10683 ++ regs->tnpc = addr+4;
10684 ++ return 2;
10685 ++ }
10686 ++ } while (0);
10687 ++
10688 ++ do { /* PaX: patched PLT emulation #5 */
10689 ++ unsigned int sethi1, sethi2, or1, or2, sllx, jmpl, nop;
10690 ++
10691 ++ err = get_user(sethi1, (unsigned int *)regs->tpc);
10692 ++ err |= get_user(sethi2, (unsigned int *)(regs->tpc+4));
10693 ++ err |= get_user(or1, (unsigned int *)(regs->tpc+8));
10694 ++ err |= get_user(or2, (unsigned int *)(regs->tpc+12));
10695 ++ err |= get_user(sllx, (unsigned int *)(regs->tpc+16));
10696 ++ err |= get_user(jmpl, (unsigned int *)(regs->tpc+20));
10697 ++ err |= get_user(nop, (unsigned int *)(regs->tpc+24));
10698 ++
10699 ++ if (err)
10700 ++ break;
10701 ++
10702 ++ if ((sethi1 & 0xFFC00000U) == 0x03000000U &&
10703 ++ (sethi2 & 0xFFC00000U) == 0x0B000000U &&
10704 ++ (or1 & 0xFFFFE000U) == 0x82106000U &&
10705 ++ (or2 & 0xFFFFE000U) == 0x8A116000U &&
10706 ++ sllx == 0x83287020 &&
10707 ++ jmpl == 0x81C04005U &&
10708 ++ nop == 0x01000000U)
10709 ++ {
10710 ++ unsigned long addr;
10711 ++
10712 ++ regs->u_regs[UREG_G1] = ((sethi1 & 0x003FFFFFU) << 10) | (or1 & 0x000003FFU);
10713 ++ regs->u_regs[UREG_G1] <<= 32;
10714 ++ regs->u_regs[UREG_G5] = ((sethi2 & 0x003FFFFFU) << 10) | (or2 & 0x000003FFU);
10715 ++ addr = regs->u_regs[UREG_G1] + regs->u_regs[UREG_G5];
10716 ++ regs->tpc = addr;
10717 ++ regs->tnpc = addr+4;
10718 ++ return 2;
10719 ++ }
10720 ++ } while (0);
10721 ++
10722 ++ do { /* PaX: patched PLT emulation #6 */
10723 ++ unsigned int sethi1, sethi2, sllx, or, jmpl, nop;
10724 ++
10725 ++ err = get_user(sethi1, (unsigned int *)regs->tpc);
10726 ++ err |= get_user(sethi2, (unsigned int *)(regs->tpc+4));
10727 ++ err |= get_user(sllx, (unsigned int *)(regs->tpc+8));
10728 ++ err |= get_user(or, (unsigned int *)(regs->tpc+12));
10729 ++ err |= get_user(jmpl, (unsigned int *)(regs->tpc+16));
10730 ++ err |= get_user(nop, (unsigned int *)(regs->tpc+20));
10731 ++
10732 ++ if (err)
10733 ++ break;
10734 ++
10735 ++ if ((sethi1 & 0xFFC00000U) == 0x03000000U &&
10736 ++ (sethi2 & 0xFFC00000U) == 0x0B000000U &&
10737 ++ sllx == 0x83287020 &&
10738 ++ (or & 0xFFFFE000U) == 0x8A116000U &&
10739 ++ jmpl == 0x81C04005U &&
10740 ++ nop == 0x01000000U)
10741 ++ {
10742 ++ unsigned long addr;
10743 ++
10744 ++ regs->u_regs[UREG_G1] = (sethi1 & 0x003FFFFFU) << 10;
10745 ++ regs->u_regs[UREG_G1] <<= 32;
10746 ++ regs->u_regs[UREG_G5] = ((sethi2 & 0x003FFFFFU) << 10) | (or & 0x3FFU);
10747 ++ addr = regs->u_regs[UREG_G1] + regs->u_regs[UREG_G5];
10748 ++ regs->tpc = addr;
10749 ++ regs->tnpc = addr+4;
10750 ++ return 2;
10751 ++ }
10752 ++ } while (0);
10753 ++
10754 ++ do { /* PaX: patched PLT emulation #7 */
10755 ++ unsigned int sethi, ba, nop;
10756 ++
10757 ++ err = get_user(sethi, (unsigned int *)regs->tpc);
10758 ++ err |= get_user(ba, (unsigned int *)(regs->tpc+4));
10759 ++ err |= get_user(nop, (unsigned int *)(regs->tpc+8));
10760 ++
10761 ++ if (err)
10762 ++ break;
10763 ++
10764 ++ if ((sethi & 0xFFC00000U) == 0x03000000U &&
10765 ++ (ba & 0xFFF00000U) == 0x30600000U &&
10766 ++ nop == 0x01000000U)
10767 ++ {
10768 ++ unsigned long addr;
10769 ++
10770 ++ addr = (sethi & 0x003FFFFFU) << 10;
10771 ++ regs->u_regs[UREG_G1] = addr;
10772 ++ addr = regs->tpc + ((((ba | 0xFFFFFFFFFFF80000UL) ^ 0x00040000UL) + 0x00040000UL) << 2);
10773 ++ regs->tpc = addr;
10774 ++ regs->tnpc = addr+4;
10775 ++ return 2;
10776 ++ }
10777 ++ } while (0);
10778 ++
10779 ++ do { /* PaX: unpatched PLT emulation step 1 */
10780 ++ unsigned int sethi, ba, nop;
10781 ++
10782 ++ err = get_user(sethi, (unsigned int *)regs->tpc);
10783 ++ err |= get_user(ba, (unsigned int *)(regs->tpc+4));
10784 ++ err |= get_user(nop, (unsigned int *)(regs->tpc+8));
10785 ++
10786 ++ if (err)
10787 ++ break;
10788 ++
10789 ++ if ((sethi & 0xFFC00000U) == 0x03000000U &&
10790 ++ ((ba & 0xFFC00000U) == 0x30800000U || (ba & 0xFFF80000U) == 0x30680000U) &&
10791 ++ nop == 0x01000000U)
10792 ++ {
10793 ++ unsigned long addr;
10794 ++ unsigned int save, call;
10795 ++
10796 ++ if ((ba & 0xFFC00000U) == 0x30800000U)
10797 ++ addr = regs->tpc + 4 + ((((ba | 0xFFFFFFFFFFC00000UL) ^ 0x00200000UL) + 0x00200000UL) << 2);
10798 ++ else
10799 ++ addr = regs->tpc + 4 + ((((ba | 0xFFFFFFFFFFF80000UL) ^ 0x00040000UL) + 0x00040000UL) << 2);
10800 ++
10801 ++ err = get_user(save, (unsigned int *)addr);
10802 ++ err |= get_user(call, (unsigned int *)(addr+4));
10803 ++ err |= get_user(nop, (unsigned int *)(addr+8));
10804 ++ if (err)
10805 ++ break;
10806 ++
10807 ++ if (save == 0x9DE3BFA8U &&
10808 ++ (call & 0xC0000000U) == 0x40000000U &&
10809 ++ nop == 0x01000000U)
10810 ++ {
10811 ++ struct vm_area_struct *vma;
10812 ++ unsigned long call_dl_resolve;
10813 ++
10814 ++ down_read(&current->mm->mmap_sem);
10815 ++ call_dl_resolve = current->mm->call_dl_resolve;
10816 ++ up_read(&current->mm->mmap_sem);
10817 ++ if (likely(call_dl_resolve))
10818 ++ goto emulate;
10819 ++
10820 ++ vma = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
10821 ++
10822 ++ down_write(&current->mm->mmap_sem);
10823 ++ if (current->mm->call_dl_resolve) {
10824 ++ call_dl_resolve = current->mm->call_dl_resolve;
10825 ++ up_write(&current->mm->mmap_sem);
10826 ++ if (vma) kmem_cache_free(vm_area_cachep, vma);
10827 ++ goto emulate;
10828 ++ }
10829 ++
10830 ++ call_dl_resolve = get_unmapped_area(NULL, 0UL, PAGE_SIZE, 0UL, MAP_PRIVATE);
10831 ++ if (!vma || (call_dl_resolve & ~PAGE_MASK)) {
10832 ++ up_write(&current->mm->mmap_sem);
10833 ++ if (vma) kmem_cache_free(vm_area_cachep, vma);
10834 ++ return 1;
10835 ++ }
10836 ++
10837 ++ if (pax_insert_vma(vma, call_dl_resolve)) {
10838 ++ up_write(&current->mm->mmap_sem);
10839 ++ kmem_cache_free(vm_area_cachep, vma);
10840 ++ return 1;
10841 ++ }
10842 ++
10843 ++ current->mm->call_dl_resolve = call_dl_resolve;
10844 ++ up_write(&current->mm->mmap_sem);
10845 ++
10846 ++emulate:
10847 ++ regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
10848 ++ regs->tpc = call_dl_resolve;
10849 ++ regs->tnpc = addr+4;
10850 ++ return 3;
10851 ++ }
10852 ++ }
10853 ++ } while (0);
10854 ++
10855 ++ do { /* PaX: unpatched PLT emulation step 2 */
10856 ++ unsigned int save, call, nop;
10857 ++
10858 ++ err = get_user(save, (unsigned int *)(regs->tpc-4));
10859 ++ err |= get_user(call, (unsigned int *)regs->tpc);
10860 ++ err |= get_user(nop, (unsigned int *)(regs->tpc+4));
10861 ++ if (err)
10862 ++ break;
10863 ++
10864 ++ if (save == 0x9DE3BFA8U &&
10865 ++ (call & 0xC0000000U) == 0x40000000U &&
10866 ++ nop == 0x01000000U)
10867 ++ {
10868 ++ unsigned long dl_resolve = regs->tpc + ((((call | 0xFFFFFFFFC0000000UL) ^ 0x20000000UL) + 0x20000000UL) << 2);
10869 ++
10870 ++ regs->u_regs[UREG_RETPC] = regs->tpc;
10871 ++ regs->tpc = dl_resolve;
10872 ++ regs->tnpc = dl_resolve+4;
10873 ++ return 3;
10874 ++ }
10875 ++ } while (0);
10876 ++#endif
10877 ++
10878 ++ return 1;
10879 ++}
10880 ++
10881 ++void pax_report_insns(void *pc, void *sp)
10882 ++{
10883 ++ unsigned long i;
10884 ++
10885 ++ printk(KERN_ERR "PAX: bytes at PC: ");
10886 ++ for (i = 0; i < 5; i++) {
10887 ++ unsigned int c;
10888 ++ if (get_user(c, (unsigned int *)pc+i))
10889 ++ printk("???????? ");
10890 ++ else
10891 ++ printk("%08x ", c);
10892 ++ }
10893 ++ printk("\n");
10894 ++}
10895 ++#endif
10896 ++
10897 + asmlinkage void __kprobes do_sparc64_fault(struct pt_regs *regs)
10898 + {
10899 + struct mm_struct *mm = current->mm;
10900 +@@ -311,8 +678,10 @@ asmlinkage void __kprobes do_sparc64_fau
10901 + goto intr_or_no_mm;
10902 +
10903 + if (test_thread_flag(TIF_32BIT)) {
10904 +- if (!(regs->tstate & TSTATE_PRIV))
10905 ++ if (!(regs->tstate & TSTATE_PRIV)) {
10906 + regs->tpc &= 0xffffffff;
10907 ++ regs->tnpc &= 0xffffffff;
10908 ++ }
10909 + address &= 0xffffffff;
10910 + }
10911 +
10912 +@@ -329,6 +698,29 @@ asmlinkage void __kprobes do_sparc64_fau
10913 + if (!vma)
10914 + goto bad_area;
10915 +
10916 ++#ifdef CONFIG_PAX_PAGEEXEC
10917 ++ /* PaX: detect ITLB misses on non-exec pages */
10918 ++ if ((mm->pax_flags & MF_PAX_PAGEEXEC) && vma->vm_start <= address &&
10919 ++ !(vma->vm_flags & VM_EXEC) && (fault_code & FAULT_CODE_ITLB))
10920 ++ {
10921 ++ if (address != regs->tpc)
10922 ++ goto good_area;
10923 ++
10924 ++ up_read(&mm->mmap_sem);
10925 ++ switch (pax_handle_fetch_fault(regs)) {
10926 ++
10927 ++#ifdef CONFIG_PAX_EMUPLT
10928 ++ case 2:
10929 ++ case 3:
10930 ++ return;
10931 ++#endif
10932 ++
10933 ++ }
10934 ++ pax_report_fault(regs, (void*)regs->tpc, (void*)(regs->u_regs[UREG_FP] + STACK_BIAS));
10935 ++ do_exit(SIGKILL);
10936 ++ }
10937 ++#endif
10938 ++
10939 + /* Pure DTLB misses do not tell us whether the fault causing
10940 + * load/store/atomic was a write or not, it only says that there
10941 + * was no match. So in such a case we (carefully) read the
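Review bot: The `switch (pax_handle_fetch_fault(regs))` in the new CONFIG_PAX_PAGEEXEC block has no `default:` and, with CONFIG_PAX_EMUPLT off, compiles to an empty switch whose only effect is the call, which reads like a leftover; the meaning of the return value is also not stated here. From the emulation blocks earlier in this file, 2 and 3 mean a PLT stub was emulated and `regs->tpc`/`regs->tnpc` were already redirected, while 1 is the fallback that reaches the `pax_report_fault()` and `do_exit(SIGKILL)` below. I would say that at the switch: `/* 2, 3: PLT stub emulated, registers already updated -- resume; 1: kill */`. do_sparc64_fault starts outside this hunk.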
10942 +diff -Nurp linux-2.6.23.15/arch/v850/kernel/module.c linux-2.6.23.15-grsec/arch/v850/kernel/module.c
10943 +--- linux-2.6.23.15/arch/v850/kernel/module.c 2007-10-09 21:31:38.000000000 +0100
10944 ++++ linux-2.6.23.15-grsec/arch/v850/kernel/module.c 2008-02-11 10:37:44.000000000 +0000
10945 +@@ -150,8 +150,8 @@ static uint32_t do_plt_call (void *locat
10946 + tramp[1] = ((val >> 16) & 0xffff) + 0x610000; /* ...; jmp r1 */
10947 +
10948 + /* Init, or core PLT? */
10949 +- if (location >= mod->module_core
10950 +- && location < mod->module_core + mod->core_size)
10951 ++ if (location >= mod->module_core_rx
10952 ++ && location < mod->module_core_rx + mod->core_size_rx)
10953 + entry = (void *)sechdrs[mod->arch.core_plt_section].sh_addr;
10954 + else
10955 + entry = (void *)sechdrs[mod->arch.init_plt_section].sh_addr;
10956 +diff -Nurp linux-2.6.23.15/arch/x86_64/ia32/ia32_binfmt.c linux-2.6.23.15-grsec/arch/x86_64/ia32/ia32_binfmt.c
10957 +--- linux-2.6.23.15/arch/x86_64/ia32/ia32_binfmt.c 2007-10-09 21:31:38.000000000 +0100
10958 ++++ linux-2.6.23.15-grsec/arch/x86_64/ia32/ia32_binfmt.c 2008-02-11 10:37:44.000000000 +0000
10959 +@@ -36,12 +36,12 @@
10960 + #define AT_SYSINFO 32
10961 + #define AT_SYSINFO_EHDR 33
10962 +
10963 +-int sysctl_vsyscall32 = 1;
10964 ++int sysctl_vsyscall32;
10965 +
10966 + #undef ARCH_DLINFO
10967 + #define ARCH_DLINFO do { \
10968 + if (sysctl_vsyscall32) { \
10969 +- current->mm->context.vdso = (void *)VSYSCALL32_BASE; \
10970 ++ current->mm->context.vdso = VSYSCALL32_BASE; \
10971 + NEW_AUX_ENT(AT_SYSINFO, (u32)(u64)VSYSCALL32_VSYSCALL); \
10972 + NEW_AUX_ENT(AT_SYSINFO_EHDR, VSYSCALL32_BASE); \
10973 + } \
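Review bot: Dropping the `= 1` initializer flips the default of `sysctl_vsyscall32` to 0, so the compat vsyscall page at the fixed `VSYSCALL32_BASE` and the AT_SYSINFO/AT_SYSINFO_EHDR entries are no longer set up unless the sysctl is turned on, and nothing in the hunk says this is deliberate. A one-line comment at the definition would keep the next reader from "fixing" it back: `int sysctl_vsyscall32; /* off by default: the compat vsyscall page maps at a fixed address; enable at runtime via the abi sysctl */`. The sysctl entry is presumably the `abi_table2` element further down this file, which I cannot confirm from the visible lines; the early return added in syscall32.c in this same patch keys off the same variable.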
10974 +@@ -145,6 +145,13 @@ struct elf_prpsinfo
10975 + //#include <asm/ia32.h>
10976 + #include <linux/elf.h>
10977 +
10978 ++#ifdef CONFIG_PAX_ASLR
10979 ++#define PAX_ELF_ET_DYN_BASE 0x08048000UL
10980 ++
10981 ++#define PAX_DELTA_MMAP_LEN 16
10982 ++#define PAX_DELTA_STACK_LEN 16
10983 ++#endif
10984 ++
10985 + typedef struct user_i387_ia32_struct elf_fpregset_t;
10986 + typedef struct user32_fxsr_struct elf_fpxregset_t;
10987 +
10988 +@@ -298,7 +305,7 @@ static ctl_table abi_table2[] = {
10989 + .mode = 0644,
10990 + .proc_handler = proc_dointvec
10991 + },
10992 +- {}
10993 ++ { 0, NULL, NULL, 0, 0, NULL, NULL, NULL, NULL, NULL, NULL }
10994 + };
10995 +
10996 + static ctl_table abi_root_table2[] = {
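Review bot: Replacing the `{}` terminator with an eleven-field positional initializer ties this sentinel to the exact layout of `ctl_table`, so a field added upstream silently shifts which member receives each NULL; the same pattern recurs in the next hunk, in vsyscall.c, acpi/blacklist.c, processor_idle.c and sleep/main.c, and the trailing-field additions in i8259.c and mce.c have the same fragility. If the aim is to silence the missing-initializer warning, a designated initializer does that without depending on field order, e.g. `{ .ctl_name = 0 }` here and in vsyscall.c, and the corresponding first-field form for the other structs. Whether every positional value matches the declared field type cannot be verified from the hunk.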
10997 +@@ -308,7 +315,7 @@ static ctl_table abi_root_table2[] = {
10998 + .mode = 0555,
10999 + .child = abi_table2
11000 + },
11001 +- {}
11002 ++ { 0, NULL, NULL, 0, 0, NULL, NULL, NULL, NULL, NULL, NULL }
11003 + };
11004 +
11005 + static __init int ia32_binfmt_init(void)
11006 +diff -Nurp linux-2.6.23.15/arch/x86_64/ia32/ia32_signal.c linux-2.6.23.15-grsec/arch/x86_64/ia32/ia32_signal.c
11007 +--- linux-2.6.23.15/arch/x86_64/ia32/ia32_signal.c 2007-10-09 21:31:38.000000000 +0100
11008 ++++ linux-2.6.23.15-grsec/arch/x86_64/ia32/ia32_signal.c 2008-02-11 10:37:44.000000000 +0000
11009 +@@ -573,6 +573,7 @@ int ia32_setup_rt_frame(int sig, struct
11010 + __NR_ia32_rt_sigreturn,
11011 + 0x80cd,
11012 + 0,
11013 ++ 0
11014 + };
11015 + err |= __copy_to_user(frame->retcode, &code, 8);
11016 + }
11017 +diff -Nurp linux-2.6.23.15/arch/x86_64/ia32/mmap32.c linux-2.6.23.15-grsec/arch/x86_64/ia32/mmap32.c
11018 +--- linux-2.6.23.15/arch/x86_64/ia32/mmap32.c 2007-10-09 21:31:38.000000000 +0100
11019 ++++ linux-2.6.23.15-grsec/arch/x86_64/ia32/mmap32.c 2008-02-11 10:37:44.000000000 +0000
11020 +@@ -69,10 +69,22 @@ void ia32_pick_mmap_layout(struct mm_str
11021 + (current->personality & ADDR_COMPAT_LAYOUT) ||
11022 + current->signal->rlim[RLIMIT_STACK].rlim_cur == RLIM_INFINITY) {
11023 + mm->mmap_base = TASK_UNMAPPED_BASE;
11024 ++
11025 ++#ifdef CONFIG_PAX_RANDMMAP
11026 ++ if (mm->pax_flags & MF_PAX_RANDMMAP)
11027 ++ mm->mmap_base += mm->delta_mmap;
11028 ++#endif
11029 ++
11030 + mm->get_unmapped_area = arch_get_unmapped_area;
11031 + mm->unmap_area = arch_unmap_area;
11032 + } else {
11033 + mm->mmap_base = mmap_base(mm);
11034 ++
11035 ++#ifdef CONFIG_PAX_RANDMMAP
11036 ++ if (mm->pax_flags & MF_PAX_RANDMMAP)
11037 ++ mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
11038 ++#endif
11039 ++
11040 + mm->get_unmapped_area = arch_get_unmapped_area_topdown;
11041 + mm->unmap_area = arch_unmap_area_topdown;
11042 + }
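Review bot: The two CONFIG_PAX_RANDMMAP adjustments are not symmetric — the legacy branch adds `mm->delta_mmap` to `mmap_base`, the top-down branch subtracts `mm->delta_mmap + mm->delta_stack` — and neither says why the stack delta only enters on the top-down side, nor why the subtraction cannot underflow. I would record the invariant at the subtraction: `/* top-down: move mmap_base below the randomised stack gap; delta_mmap + delta_stack is assumed small enough that this stays a valid base -- confirm where delta_* are set */`, hedged until the code that sets `delta_mmap`/`delta_stack` (not in this hunk) confirms the bound. ia32_pick_mmap_layout starts outside this hunk.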
11043 +diff -Nurp linux-2.6.23.15/arch/x86_64/ia32/ptrace32.c linux-2.6.23.15-grsec/arch/x86_64/ia32/ptrace32.c
11044 +--- linux-2.6.23.15/arch/x86_64/ia32/ptrace32.c 2007-10-09 21:31:38.000000000 +0100
11045 ++++ linux-2.6.23.15-grsec/arch/x86_64/ia32/ptrace32.c 2008-02-11 10:37:44.000000000 +0000
11046 +@@ -382,7 +382,7 @@ asmlinkage long sys32_ptrace(long reques
11047 + /* no checking to be bug-to-bug compatible with i386. */
11048 + /* but silence warning */
11049 + if (__copy_from_user(&child->thread.i387.fxsave, u, sizeof(*u)))
11050 +- ;
11051 ++ {}
11052 + set_stopped_child_used_math(child);
11053 + child->thread.i387.fxsave.mxcsr &= mxcsr_feature_mask;
11054 + ret = 0;
11055 +diff -Nurp linux-2.6.23.15/arch/x86_64/ia32/syscall32.c linux-2.6.23.15-grsec/arch/x86_64/ia32/syscall32.c
11056 +--- linux-2.6.23.15/arch/x86_64/ia32/syscall32.c 2007-10-09 21:31:38.000000000 +0100
11057 ++++ linux-2.6.23.15-grsec/arch/x86_64/ia32/syscall32.c 2008-02-11 10:37:44.000000000 +0000
11058 +@@ -30,6 +30,9 @@ int syscall32_setup_pages(struct linux_b
11059 + struct mm_struct *mm = current->mm;
11060 + int ret;
11061 +
11062 ++ if (!sysctl_vsyscall32)
11063 ++ return 0;
11064 ++
11065 + down_write(&mm->mmap_sem);
11066 + /*
11067 + * MAYWRITE to allow gdb to COW and set breakpoints
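Review bot: The new early `return 0` reads `sysctl_vsyscall32` independently of the read in ia32_binfmt.c's ARCH_DLINFO that decides whether AT_SYSINFO/AT_SYSINFO_EHDR are published; if the sysctl is toggled between the two reads during one exec, a process can be handed auxv entries for a page that was never mapped, or the reverse. The window is small and I cannot confirm the call order from this hunk, but a comment recording the coupling is cheap: `/* must agree with the sysctl_vsyscall32 test in ARCH_DLINFO (ia32_binfmt.c); both are evaluated per exec */`. syscall32_setup_pages continues outside the hunk.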
11068 +diff -Nurp linux-2.6.23.15/arch/x86_64/kernel/hpet.c linux-2.6.23.15-grsec/arch/x86_64/kernel/hpet.c
11069 +--- linux-2.6.23.15/arch/x86_64/kernel/hpet.c 2007-10-09 21:31:38.000000000 +0100
11070 ++++ linux-2.6.23.15-grsec/arch/x86_64/kernel/hpet.c 2008-02-11 10:37:44.000000000 +0000
11071 +@@ -65,7 +65,7 @@ static __init int late_hpet_init(void)
11072 + hpet = (struct hpet *) fix_to_virt(FIX_HPET_BASE);
11073 + timer = &hpet->hpet_timers[2];
11074 + for (i = 2; i < ntimer; timer++, i++)
11075 +- hd.hd_irq[i] = (timer->hpet_config &
11076 ++ hd.hd_irq[i] = (readl(&timer->hpet_config) &
11077 + Tn_INT_ROUTE_CNF_MASK) >>
11078 + Tn_INT_ROUTE_CNF_SHIFT;
11079 +
11080 +diff -Nurp linux-2.6.23.15/arch/x86_64/kernel/i8259.c linux-2.6.23.15-grsec/arch/x86_64/kernel/i8259.c
11081 +--- linux-2.6.23.15/arch/x86_64/kernel/i8259.c 2007-10-09 21:31:38.000000000 +0100
11082 ++++ linux-2.6.23.15-grsec/arch/x86_64/kernel/i8259.c 2008-02-11 10:37:44.000000000 +0000
11083 +@@ -395,7 +395,7 @@ device_initcall(i8259A_init_sysfs);
11084 + * IRQ2 is cascade interrupt to second interrupt controller
11085 + */
11086 +
11087 +-static struct irqaction irq2 = { no_action, 0, CPU_MASK_NONE, "cascade", NULL, NULL};
11088 ++static struct irqaction irq2 = { no_action, 0, CPU_MASK_NONE, "cascade", NULL, NULL, 0, NULL};
11089 + DEFINE_PER_CPU(vector_irq_t, vector_irq) = {
11090 + [0 ... IRQ0_VECTOR - 1] = -1,
11091 + [IRQ0_VECTOR] = 0,
11092 +diff -Nurp linux-2.6.23.15/arch/x86_64/kernel/ioport.c linux-2.6.23.15-grsec/arch/x86_64/kernel/ioport.c
11093 +--- linux-2.6.23.15/arch/x86_64/kernel/ioport.c 2007-10-09 21:31:38.000000000 +0100
11094 ++++ linux-2.6.23.15-grsec/arch/x86_64/kernel/ioport.c 2008-02-11 10:37:44.000000000 +0000
11095 +@@ -16,6 +16,7 @@
11096 + #include <linux/slab.h>
11097 + #include <linux/thread_info.h>
11098 + #include <linux/syscalls.h>
11099 ++#include <linux/grsecurity.h>
11100 +
11101 + /* Set EXTENT bits starting at BASE in BITMAP to value TURN_ON. */
11102 + static void set_bitmap(unsigned long *bitmap, unsigned int base, unsigned int extent, int new_value)
11103 +@@ -41,8 +42,16 @@ asmlinkage long sys_ioperm(unsigned long
11104 +
11105 + if ((from + num <= from) || (from + num > IO_BITMAP_BITS))
11106 + return -EINVAL;
11107 ++
11108 ++#ifdef CONFIG_GRKERNSEC_IO
11109 ++ if (turn_on) {
11110 ++ gr_handle_ioperm();
11111 ++ return -EPERM;
11112 ++ }
11113 ++#else
11114 + if (turn_on && !capable(CAP_SYS_RAWIO))
11115 + return -EPERM;
11116 ++#endif
11117 +
11118 + /*
11119 + * If it's the first ioperm() call in this thread's lifetime, set the
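Review bot: Under CONFIG_GRKERNSEC_IO the `turn_on` path returns -EPERM for every caller, CAP_SYS_RAWIO included, and the `gr_handle_ioperm()` call before it has no visible contract, so a reader cannot tell whether it logs, audits or can itself veto; the sys_iopl hunk below has the same shape. A comment at the `#ifdef` should state the policy: `/* GRKERNSEC_IO: granting port access is refused unconditionally; gr_handle_ioperm() presumably records the attempt (body not visible here) */`. Clearing bits (`turn_on == 0`) still bypasses both checks, as upstream does; worth saying that is intentional.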
11120 +@@ -111,8 +120,13 @@ asmlinkage long sys_iopl(unsigned int le
11121 + return -EINVAL;
11122 + /* Trying to gain more privileges? */
11123 + if (level > old) {
11124 ++#ifdef CONFIG_GRKERNSEC_IO
11125 ++ gr_handle_iopl();
11126 ++ return -EPERM;
11127 ++#else
11128 + if (!capable(CAP_SYS_RAWIO))
11129 + return -EPERM;
11130 ++#endif
11131 + }
11132 + regs->eflags = (regs->eflags &~ X86_EFLAGS_IOPL) | (level << 12);
11133 + return 0;
11134 +diff -Nurp linux-2.6.23.15/arch/x86_64/kernel/mce.c linux-2.6.23.15-grsec/arch/x86_64/kernel/mce.c
11135 +--- linux-2.6.23.15/arch/x86_64/kernel/mce.c 2007-10-09 21:31:38.000000000 +0100
11136 ++++ linux-2.6.23.15-grsec/arch/x86_64/kernel/mce.c 2008-02-11 10:37:44.000000000 +0000
11137 +@@ -665,6 +665,7 @@ static struct miscdevice mce_log_device
11138 + MISC_MCELOG_MINOR,
11139 + "mcelog",
11140 + &mce_chrdev_ops,
11141 ++ {NULL, NULL}, NULL, NULL
11142 + };
11143 +
11144 + static unsigned long old_cr4 __initdata;
11145 +diff -Nurp linux-2.6.23.15/arch/x86_64/kernel/process.c linux-2.6.23.15-grsec/arch/x86_64/kernel/process.c
11146 +--- linux-2.6.23.15/arch/x86_64/kernel/process.c 2007-10-09 21:31:38.000000000 +0100
11147 ++++ linux-2.6.23.15-grsec/arch/x86_64/kernel/process.c 2008-02-11 10:37:44.000000000 +0000
11148 +@@ -894,10 +894,3 @@ int dump_task_regs(struct task_struct *t
11149 +
11150 + return 1;
11151 + }
11152 +-
11153 +-unsigned long arch_align_stack(unsigned long sp)
11154 +-{
11155 +- if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
11156 +- sp -= get_random_int() % 8192;
11157 +- return sp & ~0xf;
11158 +-}
11159 +diff -Nurp linux-2.6.23.15/arch/x86_64/kernel/setup64.c linux-2.6.23.15-grsec/arch/x86_64/kernel/setup64.c
11160 +--- linux-2.6.23.15/arch/x86_64/kernel/setup64.c 2007-10-09 21:31:38.000000000 +0100
11161 ++++ linux-2.6.23.15-grsec/arch/x86_64/kernel/setup64.c 2008-02-11 10:37:44.000000000 +0000
11162 +@@ -37,7 +37,7 @@ struct desc_ptr idt_descr = { 256 * 16 -
11163 + char boot_cpu_stack[IRQSTACKSIZE] __attribute__((section(".bss.page_aligned")));
11164 +
11165 + unsigned long __supported_pte_mask __read_mostly = ~0UL;
11166 +-static int do_not_nx __cpuinitdata = 0;
11167 ++EXPORT_SYMBOL(__supported_pte_mask);
11168 +
11169 + /* noexec=on|off
11170 + Control non executable mappings for 64bit processes.
11171 +@@ -51,16 +51,14 @@ static int __init nonx_setup(char *str)
11172 + return -EINVAL;
11173 + if (!strncmp(str, "on", 2)) {
11174 + __supported_pte_mask |= _PAGE_NX;
11175 +- do_not_nx = 0;
11176 + } else if (!strncmp(str, "off", 3)) {
11177 +- do_not_nx = 1;
11178 + __supported_pte_mask &= ~_PAGE_NX;
11179 + }
11180 + return 0;
11181 + }
11182 + early_param("noexec", nonx_setup);
11183 +
11184 +-int force_personality32 = 0;
11185 ++int force_personality32;
11186 +
11187 + /* noexec32=on|off
11188 + Control non executable heap for 32bit processes.
11189 +@@ -177,7 +175,7 @@ void __cpuinit check_efer(void)
11190 + unsigned long efer;
11191 +
11192 + rdmsrl(MSR_EFER, efer);
11193 +- if (!(efer & EFER_NX) || do_not_nx) {
11194 ++ if (!(efer & EFER_NX)) {
11195 + __supported_pte_mask &= ~_PAGE_NX;
11196 + }
11197 + }
11198 +diff -Nurp linux-2.6.23.15/arch/x86_64/kernel/signal.c linux-2.6.23.15-grsec/arch/x86_64/kernel/signal.c
11199 +--- linux-2.6.23.15/arch/x86_64/kernel/signal.c 2007-10-09 21:31:38.000000000 +0100
11200 ++++ linux-2.6.23.15-grsec/arch/x86_64/kernel/signal.c 2008-02-11 10:37:44.000000000 +0000
11201 +@@ -254,8 +254,8 @@ static int setup_rt_frame(int sig, struc
11202 + err |= setup_sigcontext(&frame->uc.uc_mcontext, regs, set->sig[0], me);
11203 + err |= __put_user(fp, &frame->uc.uc_mcontext.fpstate);
11204 + if (sizeof(*set) == 16) {
11205 +- __put_user(set->sig[0], &frame->uc.uc_sigmask.sig[0]);
11206 +- __put_user(set->sig[1], &frame->uc.uc_sigmask.sig[1]);
11207 ++ err |= __put_user(set->sig[0], &frame->uc.uc_sigmask.sig[0]);
11208 ++ err |= __put_user(set->sig[1], &frame->uc.uc_sigmask.sig[1]);
11209 + } else
11210 + err |= __copy_to_user(&frame->uc.uc_sigmask, set, sizeof(*set));
11211 +
11212 +diff -Nurp linux-2.6.23.15/arch/x86_64/kernel/sys_x86_64.c linux-2.6.23.15-grsec/arch/x86_64/kernel/sys_x86_64.c
11213 +--- linux-2.6.23.15/arch/x86_64/kernel/sys_x86_64.c 2007-10-09 21:31:38.000000000 +0100
11214 ++++ linux-2.6.23.15-grsec/arch/x86_64/kernel/sys_x86_64.c 2008-02-11 10:37:44.000000000 +0000
11215 +@@ -65,8 +65,8 @@ out:
11216 + return error;
11217 + }
11218 +
11219 +-static void find_start_end(unsigned long flags, unsigned long *begin,
11220 +- unsigned long *end)
11221 ++static void find_start_end(struct mm_struct *mm, unsigned long flags,
11222 ++ unsigned long *begin, unsigned long *end)
11223 + {
11224 + if (!test_thread_flag(TIF_IA32) && (flags & MAP_32BIT)) {
11225 + /* This is usually used needed to map code in small
11226 +@@ -79,7 +79,7 @@ static void find_start_end(unsigned long
11227 + *begin = 0x40000000;
11228 + *end = 0x80000000;
11229 + } else {
11230 +- *begin = TASK_UNMAPPED_BASE;
11231 ++ *begin = mm->mmap_base;
11232 + *end = TASK_SIZE;
11233 + }
11234 + }
11235 +@@ -96,11 +96,15 @@ arch_get_unmapped_area(struct file *filp
11236 + if (flags & MAP_FIXED)
11237 + return addr;
11238 +
11239 +- find_start_end(flags, &begin, &end);
11240 ++ find_start_end(mm, flags, &begin, &end);
11241 +
11242 + if (len > end)
11243 + return -ENOMEM;
11244 +
11245 ++#ifdef CONFIG_PAX_RANDMMAP
11246 ++ if (!(mm->pax_flags & MF_PAX_RANDMMAP) || !filp)
11247 ++#endif
11248 ++
11249 + if (addr) {
11250 + addr = PAGE_ALIGN(addr);
11251 + vma = find_vma(mm, addr);
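Review bot: The `#ifdef CONFIG_PAX_RANDMMAP` `if (!(mm->pax_flags & MF_PAX_RANDMMAP) || !filp)` has no braces and is separated from the statement it controls, `if (addr) {`, by a blank line, so with the option enabled the whole hint-handling block is conditional on a line four lines above and nothing marks that; a later insertion between the two would silently change what the condition governs. Remove the blank line and mark the dependency on the controlled line: `if (addr) { /* skipped under CONFIG_PAX_RANDMMAP for file-backed mappings of a randomised mm, see the guarded if above */`. arch_get_unmapped_area continues outside this hunk.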
11252 +diff -Nurp linux-2.6.23.15/arch/x86_64/kernel/vsyscall.c linux-2.6.23.15-grsec/arch/x86_64/kernel/vsyscall.c
11253 +--- linux-2.6.23.15/arch/x86_64/kernel/vsyscall.c 2007-10-09 21:31:38.000000000 +0100
11254 ++++ linux-2.6.23.15-grsec/arch/x86_64/kernel/vsyscall.c 2008-02-11 10:37:44.000000000 +0000
11255 +@@ -273,13 +273,13 @@ static ctl_table kernel_table2[] = {
11256 + .mode = 0644,
11257 + .strategy = vsyscall_sysctl_nostrat,
11258 + .proc_handler = vsyscall_sysctl_change },
11259 +- {}
11260 ++ { 0, NULL, NULL, 0, 0, NULL, NULL, NULL, NULL, NULL, NULL }
11261 + };
11262 +
11263 + static ctl_table kernel_root_table2[] = {
11264 + { .ctl_name = CTL_KERN, .procname = "kernel", .mode = 0555,
11265 + .child = kernel_table2 },
11266 +- {}
11267 ++ { 0, NULL, NULL, 0, 0, NULL, NULL, NULL, NULL, NULL, NULL }
11268 + };
11269 +
11270 + #endif
11271 +diff -Nurp linux-2.6.23.15/arch/x86_64/mm/fault.c linux-2.6.23.15-grsec/arch/x86_64/mm/fault.c
11272 +--- linux-2.6.23.15/arch/x86_64/mm/fault.c 2007-10-09 21:31:38.000000000 +0100
11273 ++++ linux-2.6.23.15-grsec/arch/x86_64/mm/fault.c 2008-02-11 10:37:44.000000000 +0000
11274 +@@ -25,6 +25,7 @@
11275 + #include <linux/kprobes.h>
11276 + #include <linux/uaccess.h>
11277 + #include <linux/kdebug.h>
11278 ++#include <linux/binfmts.h>
11279 +
11280 + #include <asm/system.h>
11281 + #include <asm/pgalloc.h>
11282 +@@ -291,6 +292,163 @@ static int vmalloc_fault(unsigned long a
11283 + return 0;
11284 + }
11285 +
11286 ++#ifdef CONFIG_PAX_EMUTRAMP
11287 ++static int pax_handle_fetch_fault_32(struct pt_regs *regs)
11288 ++{
11289 ++ int err;
11290 ++
11291 ++ do { /* PaX: gcc trampoline emulation #1 */
11292 ++ unsigned char mov1, mov2;
11293 ++ unsigned short jmp;
11294 ++ unsigned int addr1, addr2;
11295 ++
11296 ++ if ((regs->rip + 11) >> 32)
11297 ++ break;
11298 ++
11299 ++ err = get_user(mov1, (unsigned char __user *)regs->rip);
11300 ++ err |= get_user(addr1, (unsigned int __user *)(regs->rip + 1));
11301 ++ err |= get_user(mov2, (unsigned char __user *)(regs->rip + 5));
11302 ++ err |= get_user(addr2, (unsigned int __user *)(regs->rip + 6));
11303 ++ err |= get_user(jmp, (unsigned short __user *)(regs->rip + 10));
11304 ++
11305 ++ if (err)
11306 ++ break;
11307 ++
11308 ++ if (mov1 == 0xB9 && mov2 == 0xB8 && jmp == 0xE0FF) {
11309 ++ regs->rcx = addr1;
11310 ++ regs->rax = addr2;
11311 ++ regs->rip = addr2;
11312 ++ return 2;
11313 ++ }
11314 ++ } while (0);
11315 ++
11316 ++ do { /* PaX: gcc trampoline emulation #2 */
11317 ++ unsigned char mov, jmp;
11318 ++ unsigned int addr1, addr2;
11319 ++
11320 ++ if ((regs->rip + 9) >> 32)
11321 ++ break;
11322 ++
11323 ++ err = get_user(mov, (unsigned char __user *)regs->rip);
11324 ++ err |= get_user(addr1, (unsigned int __user *)(regs->rip + 1));
11325 ++ err |= get_user(jmp, (unsigned char __user *)(regs->rip + 5));
11326 ++ err |= get_user(addr2, (unsigned int __user *)(regs->rip + 6));
11327 ++
11328 ++ if (err)
11329 ++ break;
11330 ++
11331 ++ if (mov == 0xB9 && jmp == 0xE9) {
11332 ++ regs->rcx = addr1;
11333 ++ regs->rip = (unsigned int)(regs->rip + addr2 + 10);
11334 ++ return 2;
11335 ++ }
11336 ++ } while (0);
11337 ++
11338 ++ return 1; /* PaX in action */
11339 ++}
11340 ++
11341 ++static int pax_handle_fetch_fault_64(struct pt_regs *regs)
11342 ++{
11343 ++ int err;
11344 ++
11345 ++ do { /* PaX: gcc trampoline emulation #1 */
11346 ++ unsigned short mov1, mov2, jmp1;
11347 ++ unsigned char jmp2;
11348 ++ unsigned int addr1;
11349 ++ unsigned long addr2;
11350 ++
11351 ++ err = get_user(mov1, (unsigned short __user *)regs->rip);
11352 ++ err |= get_user(addr1, (unsigned int __user *)(regs->rip + 2));
11353 ++ err |= get_user(mov2, (unsigned short __user *)(regs->rip + 6));
11354 ++ err |= get_user(addr2, (unsigned long __user *)(regs->rip + 8));
11355 ++ err |= get_user(jmp1, (unsigned short __user *)(regs->rip + 16));
11356 ++ err |= get_user(jmp2, (unsigned char __user *)(regs->rip + 18));
11357 ++
11358 ++ if (err)
11359 ++ break;
11360 ++
11361 ++ if (mov1 == 0xBB41 && mov2 == 0xBA49 && jmp1 == 0xFF49 && jmp2 == 0xE3) {
11362 ++ regs->r11 = addr1;
11363 ++ regs->r10 = addr2;
11364 ++ regs->rip = addr1;
11365 ++ return 2;
11366 ++ }
11367 ++ } while (0);
11368 ++
11369 ++ do { /* PaX: gcc trampoline emulation #2 */
11370 ++ unsigned short mov1, mov2, jmp1;
11371 ++ unsigned char jmp2;
11372 ++ unsigned long addr1, addr2;
11373 ++
11374 ++ err = get_user(mov1, (unsigned short __user *)regs->rip);
11375 ++ err |= get_user(addr1, (unsigned long __user *)(regs->rip + 2));
11376 ++ err |= get_user(mov2, (unsigned short __user *)(regs->rip + 10));
11377 ++ err |= get_user(addr2, (unsigned long __user *)(regs->rip + 12));
11378 ++ err |= get_user(jmp1, (unsigned short __user *)(regs->rip + 20));
11379 ++ err |= get_user(jmp2, (unsigned char __user *)(regs->rip + 22));
11380 ++
11381 ++ if (err)
11382 ++ break;
11383 ++
11384 ++ if (mov1 == 0xBB49 && mov2 == 0xBA49 && jmp1 == 0xFF49 && jmp2 == 0xE3) {
11385 ++ regs->r11 = addr1;
11386 ++ regs->r10 = addr2;
11387 ++ regs->rip = addr1;
11388 ++ return 2;
11389 ++ }
11390 ++ } while (0);
11391 ++
11392 ++ return 1; /* PaX in action */
11393 ++}
11394 ++
11395 ++/*
11396 ++ * PaX: decide what to do with offenders (regs->rip = fault address)
11397 ++ *
11398 ++ * returns 1 when task should be killed
11399 ++ * 2 when gcc trampoline was detected
11400 ++ */
11401 ++static int pax_handle_fetch_fault(struct pt_regs *regs)
11402 ++{
11403 ++ if (regs->eflags & X86_EFLAGS_VM)
11404 ++ return 1;
11405 ++
11406 ++ if (!(current->mm->pax_flags & MF_PAX_EMUTRAMP))
11407 ++ return 1;
11408 ++
11409 ++ if (regs->cs == __USER32_CS || (regs->cs & (1<<2)))
11410 ++ return pax_handle_fetch_fault_32(regs);
11411 ++ else
11412 ++ return pax_handle_fetch_fault_64(regs);
11413 ++}
11414 ++#endif
11415 ++
11416 ++#ifdef CONFIG_PAX_PAGEEXEC
11417 ++void pax_report_insns(void *pc, void *sp)
11418 ++{
11419 ++ long i;
11420 ++
11421 ++ printk(KERN_ERR "PAX: bytes at PC: ");
11422 ++ for (i = 0; i < 20; i++) {
11423 ++ unsigned char c;
11424 ++ if (get_user(c, (unsigned char __user *)pc+i))
11425 ++ printk("?? ");
11426 ++ else
11427 ++ printk("%02x ", c);
11428 ++ }
11429 ++ printk("\n");
11430 ++
11431 ++ printk(KERN_ERR "PAX: bytes at SP-8: ");
11432 ++ for (i = -1; i < 10; i++) {
11433 ++ unsigned long c;
11434 ++ if (get_user(c, (unsigned long __user *)sp+i))
11435 ++ printk("???????????????? ");
11436 ++ else
11437 ++ printk("%016lx ", c);
11438 ++ }
11439 ++ printk("\n");
11440 ++}
11441 ++#endif
11442 ++
11443 + static int page_fault_trace;
11444 + int show_unhandled_signals = 1;
11445 +
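Review bot: In `pax_handle_fetch_fault`, the test `(regs->cs & (1<<2))` is an unexplained magic bit; bit 2 of a segment selector is the TI flag (LDT selector), and the code routes any LDT code segment to the 32-bit emulator, which deserves saying: `if (regs->cs == __USER32_CS || (regs->cs & (1<<2))) /* TI bit: LDT code segment, treated as 32-bit */`. The 32-bit helper also guards each pattern with `(regs->rip + N) >> 32`, where N is the offset of the last byte read (11 for the 12-byte pattern, 9 for the 10-byte one); a comment on the first such check saves the reader that arithmetic, e.g. `/* 12 bytes are read; the whole pattern must lie within the 32-bit address space */`. The 64-bit helper has no such guard, presumably because it only runs for 64-bit code, and stating that avoids the question.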
11446 +@@ -427,6 +585,8 @@ asmlinkage void __kprobes do_page_fault(
11447 + good_area:
11448 + info.si_code = SEGV_ACCERR;
11449 + write = 0;
11450 ++ if ((error_code & PF_INSTR) && !(vma->vm_flags & VM_EXEC))
11451 ++ goto bad_area;
11452 + switch (error_code & (PF_PROT|PF_WRITE)) {
11453 + default: /* 3: write, present */
11454 + /* fall through */
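Review bot: The new `goto bad_area` for `PF_INSTR` on a non-`VM_EXEC` vma is not under CONFIG_PAX_PAGEEXEC and carries no comment, and a reader will ask what case it adds beyond the protection-fault arm of the switch that follows. From what the hunk shows, it is presumably the not-present instruction fetch, which the read path would otherwise fault in; say so: `/* an instruction fetch from a non-executable vma is a violation even when the page is not yet present */`. The switch body continues outside the hunk.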
11455 +@@ -478,6 +638,21 @@ bad_area_nosemaphore:
11456 + */
11457 + local_irq_enable();
11458 +
11459 ++#ifdef CONFIG_PAX_PAGEEXEC
11460 ++ if (mm && (mm->pax_flags & MF_PAX_PAGEEXEC) && (error_code & 16)) {
11461 ++
11462 ++#ifdef CONFIG_PAX_EMUTRAMP
11463 ++ switch (pax_handle_fetch_fault(regs)) {
11464 ++ case 2:
11465 ++ return;
11466 ++ }
11467 ++#endif
11468 ++
11469 ++ pax_report_fault(regs, (void*)regs->rip, (void*)regs->rsp);
11470 ++ do_exit(SIGKILL);
11471 ++ }
11472 ++#endif
11473 ++
11474 + if (is_prefetch(regs, address, error_code))
11475 + return;
11476 +
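Review bot: `(error_code & 16)` uses a bare bit mask where the hunk earlier in this file spells the same bit as `PF_INSTR` (upstream defines it as bit 4, which I cannot confirm from the visible lines); use the named flag so the two PAGEEXEC checks visibly test the same thing: `if (mm && (mm->pax_flags & MF_PAX_PAGEEXEC) && (error_code & PF_INSTR)) {`. The single-case `switch` on `pax_handle_fetch_fault()` would also read better as `if (pax_handle_fetch_fault(regs) == 2) return;` with the return codes (1 kill, 2 trampoline emulated) documented by the helper's header comment. The bad_area_nosemaphore path continues outside this hunk.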
11477 +@@ -499,7 +674,7 @@ bad_area_nosemaphore:
11478 + tsk->comm, tsk->pid, address, regs->rip,
11479 + regs->rsp, error_code);
11480 + }
11481 +-
11482 ++
11483 + tsk->thread.cr2 = address;
11484 + /* Kernel addresses are always protection faults */
11485 + tsk->thread.error_code = error_code | (address >= TASK_SIZE);
11486 +diff -Nurp linux-2.6.23.15/arch/x86_64/mm/init.c linux-2.6.23.15-grsec/arch/x86_64/mm/init.c
11487 +--- linux-2.6.23.15/arch/x86_64/mm/init.c 2008-02-11 10:36:03.000000000 +0000
11488 ++++ linux-2.6.23.15-grsec/arch/x86_64/mm/init.c 2008-02-11 10:37:44.000000000 +0000
11489 +@@ -45,7 +45,7 @@
11490 + #include <asm/sections.h>
11491 +
11492 + #ifndef Dprintk
11493 +-#define Dprintk(x...)
11494 ++#define Dprintk(x...) do {} while (0)
11495 + #endif
11496 +
11497 + const struct dma_mapping_ops* dma_ops;
11498 +@@ -736,7 +736,7 @@ int in_gate_area_no_task(unsigned long a
11499 +
11500 + const char *arch_vma_name(struct vm_area_struct *vma)
11501 + {
11502 +- if (vma->vm_mm && vma->vm_start == (long)vma->vm_mm->context.vdso)
11503 ++ if (vma->vm_mm && vma->vm_start == vma->vm_mm->context.vdso)
11504 + return "[vdso]";
11505 + if (vma == &gate_vma)
11506 + return "[vsyscall]";
11507 +diff -Nurp linux-2.6.23.15/arch/x86_64/mm/mmap.c linux-2.6.23.15-grsec/arch/x86_64/mm/mmap.c
11508 +--- linux-2.6.23.15/arch/x86_64/mm/mmap.c 2007-10-09 21:31:38.000000000 +0100
11509 ++++ linux-2.6.23.15-grsec/arch/x86_64/mm/mmap.c 2008-02-11 10:37:44.000000000 +0000
11510 +@@ -23,6 +23,12 @@ void arch_pick_mmap_layout(struct mm_str
11511 + unsigned rnd = get_random_int() & 0xfffffff;
11512 + mm->mmap_base += ((unsigned long)rnd) << PAGE_SHIFT;
11513 + }
11514 ++
11515 ++#ifdef CONFIG_PAX_RANDMMAP
11516 ++ if (mm->pax_flags & MF_PAX_RANDMMAP)
11517 ++ mm->mmap_base += mm->delta_mmap;
11518 ++#endif
11519 ++
11520 + mm->get_unmapped_area = arch_get_unmapped_area;
11521 + mm->unmap_area = arch_unmap_area;
11522 + }
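Review bot: The PaX `delta_mmap` offset is added on top of the existing `rnd << PAGE_SHIFT` randomisation two lines above, so a task with MF_PAX_RANDMMAP gets both shifts in the legacy layout, and nothing says whether stacking them is intended or whether the upstream shift should be suppressed when PaX randomises. If stacking is deliberate, record it: `/* applied in addition to the upstream rnd shift above */`; if the two are meant to be exclusive, the PaX branch wants an `else` against the randomize_va_space path. arch_pick_mmap_layout starts outside this hunk and the bound on `delta_mmap` is not visible here.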
11523 +diff -Nurp linux-2.6.23.15/arch/x86_64/mm/numa.c linux-2.6.23.15-grsec/arch/x86_64/mm/numa.c
11524 +--- linux-2.6.23.15/arch/x86_64/mm/numa.c 2007-10-09 21:31:38.000000000 +0100
11525 ++++ linux-2.6.23.15-grsec/arch/x86_64/mm/numa.c 2008-02-11 10:37:44.000000000 +0000
11526 +@@ -19,7 +19,7 @@
11527 + #include <asm/acpi.h>
11528 +
11529 + #ifndef Dprintk
11530 +-#define Dprintk(x...)
11531 ++#define Dprintk(x...) do {} while (0)
11532 + #endif
11533 +
11534 + struct pglist_data *node_data[MAX_NUMNODES] __read_mostly;
11535 +diff -Nurp linux-2.6.23.15/arch/x86_64/vdso/vma.c linux-2.6.23.15-grsec/arch/x86_64/vdso/vma.c
11536 +--- linux-2.6.23.15/arch/x86_64/vdso/vma.c 2007-10-09 21:31:38.000000000 +0100
11537 ++++ linux-2.6.23.15-grsec/arch/x86_64/vdso/vma.c 2008-02-11 10:37:44.000000000 +0000
11538 +@@ -126,7 +126,7 @@ int arch_setup_additional_pages(struct l
11539 + if (ret)
11540 + goto up_fail;
11541 +
11542 +- current->mm->context.vdso = (void *)addr;
11543 ++ current->mm->context.vdso = addr;
11544 + up_fail:
11545 + up_write(&mm->mmap_sem);
11546 + return ret;
11547 +diff -Nurp linux-2.6.23.15/crypto/async_tx/async_tx.c linux-2.6.23.15-grsec/crypto/async_tx/async_tx.c
11548 +--- linux-2.6.23.15/crypto/async_tx/async_tx.c 2007-10-09 21:31:38.000000000 +0100
11549 ++++ linux-2.6.23.15-grsec/crypto/async_tx/async_tx.c 2008-02-11 10:37:44.000000000 +0000
11550 +@@ -342,8 +342,8 @@ async_tx_init(void)
11551 + err:
11552 + printk(KERN_ERR "async_tx: initialization failure\n");
11553 +
11554 +- while (--cap >= 0)
11555 +- free_percpu(channel_table[cap]);
11556 ++ while (cap)
11557 ++ free_percpu(channel_table[--cap]);
11558 +
11559 + return 1;
11560 + }
11561 +diff -Nurp linux-2.6.23.15/crypto/lrw.c linux-2.6.23.15-grsec/crypto/lrw.c
11562 +--- linux-2.6.23.15/crypto/lrw.c 2007-10-09 21:31:38.000000000 +0100
11563 ++++ linux-2.6.23.15-grsec/crypto/lrw.c 2008-02-11 10:37:44.000000000 +0000
11564 +@@ -54,7 +54,7 @@ static int setkey(struct crypto_tfm *par
11565 + struct priv *ctx = crypto_tfm_ctx(parent);
11566 + struct crypto_cipher *child = ctx->child;
11567 + int err, i;
11568 +- be128 tmp = { 0 };
11569 ++ be128 tmp = { 0, 0 };
11570 + int bsize = crypto_cipher_blocksize(child);
11571 +
11572 + crypto_cipher_clear_flags(child, CRYPTO_TFM_REQ_MASK);
11573 +diff -Nurp linux-2.6.23.15/drivers/acpi/blacklist.c linux-2.6.23.15-grsec/drivers/acpi/blacklist.c
11574 +--- linux-2.6.23.15/drivers/acpi/blacklist.c 2008-02-11 10:36:03.000000000 +0000
11575 ++++ linux-2.6.23.15-grsec/drivers/acpi/blacklist.c 2008-02-11 10:37:44.000000000 +0000
11576 +@@ -71,7 +71,7 @@ static struct acpi_blacklist_item acpi_b
11577 + {"IBM ", "TP600E ", 0x00000105, ACPI_SIG_DSDT, less_than_or_equal,
11578 + "Incorrect _ADR", 1},
11579 +
11580 +- {""}
11581 ++ {"", "", 0, 0, 0, all_versions, 0}
11582 + };
11583 +
11584 + #if CONFIG_ACPI_BLACKLIST_YEAR
11585 +diff -Nurp linux-2.6.23.15/drivers/acpi/processor_core.c linux-2.6.23.15-grsec/drivers/acpi/processor_core.c
11586 +--- linux-2.6.23.15/drivers/acpi/processor_core.c 2007-10-09 21:31:38.000000000 +0100
11587 ++++ linux-2.6.23.15-grsec/drivers/acpi/processor_core.c 2008-02-11 10:37:44.000000000 +0000
11588 +@@ -643,7 +643,7 @@ static int __cpuinit acpi_processor_star
11589 + return 0;
11590 + }
11591 +
11592 +- BUG_ON((pr->id >= NR_CPUS) || (pr->id < 0));
11593 ++ BUG_ON(pr->id >= NR_CPUS);
11594 +
11595 + /*
11596 + * Buggy BIOS check
11597 +diff -Nurp linux-2.6.23.15/drivers/acpi/processor_idle.c linux-2.6.23.15-grsec/drivers/acpi/processor_idle.c
11598 +--- linux-2.6.23.15/drivers/acpi/processor_idle.c 2007-10-09 21:31:38.000000000 +0100
11599 ++++ linux-2.6.23.15-grsec/drivers/acpi/processor_idle.c 2008-02-11 10:37:44.000000000 +0000
11600 +@@ -164,7 +164,7 @@ static struct dmi_system_id __cpuinitdat
11601 + DMI_MATCH(DMI_BIOS_VENDOR,"Phoenix Technologies LTD"),
11602 + DMI_MATCH(DMI_BIOS_VERSION,"SHE845M0.86C.0013.D.0302131307")},
11603 + (void *)2},
11604 +- {},
11605 ++ { NULL, NULL, {DMI_MATCH(DMI_NONE, NULL)}, NULL},
11606 + };
11607 +
11608 + static inline u32 ticks_elapsed(u32 t1, u32 t2)
11609 +diff -Nurp linux-2.6.23.15/drivers/acpi/sleep/main.c linux-2.6.23.15-grsec/drivers/acpi/sleep/main.c
11610 +--- linux-2.6.23.15/drivers/acpi/sleep/main.c 2008-02-11 10:36:03.000000000 +0000
11611 ++++ linux-2.6.23.15-grsec/drivers/acpi/sleep/main.c 2008-02-11 10:37:44.000000000 +0000
11612 +@@ -228,7 +228,7 @@ static struct dmi_system_id __initdata a
11613 + .ident = "Toshiba Satellite 4030cdt",
11614 + .matches = {DMI_MATCH(DMI_PRODUCT_NAME, "S4030CDT/4.3"),},
11615 + },
11616 +- {},
11617 ++ { NULL, NULL, {DMI_MATCH(DMI_NONE, NULL)}, NULL},
11618 + };
11619 + #endif /* CONFIG_SUSPEND */
11620 +
11621 +diff -Nurp linux-2.6.23.15/drivers/acpi/tables/tbfadt.c linux-2.6.23.15-grsec/drivers/acpi/tables/tbfadt.c
11622 +--- linux-2.6.23.15/drivers/acpi/tables/tbfadt.c 2007-10-09 21:31:38.000000000 +0100
11623 ++++ linux-2.6.23.15-grsec/drivers/acpi/tables/tbfadt.c 2008-02-11 10:37:44.000000000 +0000
11624 +@@ -48,7 +48,7 @@
11625 + ACPI_MODULE_NAME("tbfadt")
11626 +
11627 + /* Local prototypes */
11628 +-static void inline
11629 ++static inline void
11630 + acpi_tb_init_generic_address(struct acpi_generic_address *generic_address,
11631 + u8 bit_width, u64 address);
11632 +
11633 +@@ -122,7 +122,7 @@ static struct acpi_fadt_info fadt_info_t
11634 + *
11635 + ******************************************************************************/
11636 +
11637 +-static void inline
11638 ++static inline void
11639 + acpi_tb_init_generic_address(struct acpi_generic_address *generic_address,
11640 + u8 bit_width, u64 address)
11641 + {
11642 +diff -Nurp linux-2.6.23.15/drivers/ata/ahci.c linux-2.6.23.15-grsec/drivers/ata/ahci.c
11643 +--- linux-2.6.23.15/drivers/ata/ahci.c 2008-02-11 10:36:03.000000000 +0000
11644 ++++ linux-2.6.23.15-grsec/drivers/ata/ahci.c 2008-02-11 10:37:44.000000000 +0000
11645 +@@ -523,7 +523,7 @@ static const struct pci_device_id ahci_p
11646 + { PCI_ANY_ID, PCI_ANY_ID, PCI_ANY_ID, PCI_ANY_ID,
11647 + PCI_CLASS_STORAGE_SATA_AHCI, 0xffffff, board_ahci },
11648 +
11649 +- { } /* terminate list */
11650 ++ { 0, 0, 0, 0, 0, 0, 0 } /* terminate list */
11651 + };
11652 +
11653 +
11654 +diff -Nurp linux-2.6.23.15/drivers/ata/ata_piix.c linux-2.6.23.15-grsec/drivers/ata/ata_piix.c
11655 +--- linux-2.6.23.15/drivers/ata/ata_piix.c 2007-10-09 21:31:38.000000000 +0100
11656 ++++ linux-2.6.23.15-grsec/drivers/ata/ata_piix.c 2008-02-11 10:37:44.000000000 +0000
11657 +@@ -257,7 +257,7 @@ static const struct pci_device_id piix_p
11658 + /* SATA Controller IDE (Tolapai) */
11659 + { 0x8086, 0x5028, PCI_ANY_ID, PCI_ANY_ID, 0, 0, tolapai_sata_ahci },
11660 +
11661 +- { } /* terminate list */
11662 ++ { 0, 0, 0, 0, 0, 0, 0 } /* terminate list */
11663 + };
11664 +
11665 + static struct pci_driver piix_pci_driver = {
11666 +@@ -617,7 +617,7 @@ static const struct ich_laptop ich_lapto
11667 + { 0x27DF, 0x1043, 0x1267 }, /* ICH7 on Asus W5F */
11668 + { 0x24CA, 0x1025, 0x0061 }, /* ICH4 on ACER Aspire 2023WLMi */
11669 + /* end marker */
11670 +- { 0, }
11671 ++ { 0, 0, 0 }
11672 + };
11673 +
11674 + /**
11675 +@@ -963,7 +963,7 @@ static int piix_broken_suspend(void)
11676 + },
11677 + },
11678 +
11679 +- { } /* terminate list */
11680 ++ { NULL, NULL, {DMI_MATCH(DMI_NONE, NULL)}, NULL } /* terminate list */
11681 + };
11682 + static const char *oemstrs[] = {
11683 + "Tecra M3,",
11684 +diff -Nurp linux-2.6.23.15/drivers/ata/libata-core.c linux-2.6.23.15-grsec/drivers/ata/libata-core.c
11685 +--- linux-2.6.23.15/drivers/ata/libata-core.c 2008-02-11 10:36:03.000000000 +0000
11686 ++++ linux-2.6.23.15-grsec/drivers/ata/libata-core.c 2008-02-11 10:37:44.000000000 +0000
11687 +@@ -472,7 +472,7 @@ static const struct ata_xfer_ent {
11688 + { ATA_SHIFT_PIO, ATA_BITS_PIO, XFER_PIO_0 },
11689 + { ATA_SHIFT_MWDMA, ATA_BITS_MWDMA, XFER_MW_DMA_0 },
11690 + { ATA_SHIFT_UDMA, ATA_BITS_UDMA, XFER_UDMA_0 },
11691 +- { -1, },
11692 ++ { -1, 0, 0 },
11693 + };
11694 +
11695 + /**
11696 +@@ -2546,7 +2546,7 @@ static const struct ata_timing ata_timin
11697 +
11698 + /* { XFER_PIO_SLOW, 120, 290, 240, 960, 290, 240, 960, 0 }, */
11699 +
11700 +- { 0xFF }
11701 ++ { 0xFF, 0, 0, 0, 0, 0, 0, 0, 0 }
11702 + };
11703 +
11704 + #define ENOUGH(v,unit) (((v)-1)/(unit)+1)
11705 +@@ -3799,7 +3799,7 @@ static const struct ata_blacklist_entry
11706 + { "MAXTOR 6L080L4", "A93.0500", ATA_HORKAGE_BROKEN_HPA },
11707 +
11708 + /* End Marker */
11709 +- { }
11710 ++ { NULL, NULL, 0 }
11711 + };
11712 +
11713 + static unsigned long ata_dev_blacklisted(const struct ata_device *dev)
11714 +diff -Nurp linux-2.6.23.15/drivers/char/agp/frontend.c linux-2.6.23.15-grsec/drivers/char/agp/frontend.c
11715 +--- linux-2.6.23.15/drivers/char/agp/frontend.c 2007-10-09 21:31:38.000000000 +0100
11716 ++++ linux-2.6.23.15-grsec/drivers/char/agp/frontend.c 2008-02-11 10:37:44.000000000 +0000
11717 +@@ -820,7 +820,7 @@ static int agpioc_reserve_wrap(struct ag
11718 + if (copy_from_user(&reserve, arg, sizeof(struct agp_region)))
11719 + return -EFAULT;
11720 +
11721 +- if ((unsigned) reserve.seg_count >= ~0U/sizeof(struct agp_segment))
11722 ++ if ((unsigned) reserve.seg_count >= ~0U/sizeof(struct agp_segment_priv))
11723 + return -EFAULT;
11724 +
11725 + client = agp_find_client_by_pid(reserve.pid);
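Review bot: The overflow bound now divides by `sizeof(struct agp_segment_priv)`, but the hunk shows only `reserve.seg_count` being validated, not which allocation the bound protects; if, as the surrounding code suggests, `seg_count` is later multiplied by both `sizeof(struct agp_segment)` for the user-space copy and `sizeof(struct agp_segment_priv)` for the kernel-side array, a single check has to use the larger of the two sizes or each multiplication needs its own guard. A comment on the check naming the allocation it covers, e.g. `/* seg_count * sizeof(struct agp_segment_priv) must not wrap in the kernel-side segment array */`, keeps the two in step, and `kcalloc()` for those allocations would remove the hand-rolled bound altogether. agpioc_reserve_wrap's body continues outside the hunk.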
11726 +diff -Nurp linux-2.6.23.15/drivers/char/agp/intel-agp.c linux-2.6.23.15-grsec/drivers/char/agp/intel-agp.c
11727 +--- linux-2.6.23.15/drivers/char/agp/intel-agp.c 2007-10-09 21:31:38.000000000 +0100
11728 ++++ linux-2.6.23.15-grsec/drivers/char/agp/intel-agp.c 2008-02-11 10:37:44.000000000 +0000
11729 +@@ -2071,7 +2071,7 @@ static struct pci_device_id agp_intel_pc
11730 + ID(PCI_DEVICE_ID_INTEL_G33_HB),
11731 + ID(PCI_DEVICE_ID_INTEL_Q35_HB),
11732 + ID(PCI_DEVICE_ID_INTEL_Q33_HB),
11733 +- { }
11734 ++ { 0, 0, 0, 0, 0, 0, 0 }
11735 + };
11736 +
11737 + MODULE_DEVICE_TABLE(pci, agp_intel_pci_table);
11738 +diff -Nurp linux-2.6.23.15/drivers/char/drm/drm_pciids.h linux-2.6.23.15-grsec/drivers/char/drm/drm_pciids.h
11739 +--- linux-2.6.23.15/drivers/char/drm/drm_pciids.h 2007-10-09 21:31:38.000000000 +0100
11740 ++++ linux-2.6.23.15-grsec/drivers/char/drm/drm_pciids.h 2008-02-11 10:37:44.000000000 +0000
11741 +@@ -251,7 +251,7 @@
11742 + {0x8086, 0x7123, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
11743 + {0x8086, 0x7125, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
11744 + {0x8086, 0x1132, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
11745 +- {0, 0, 0}
11746 ++ {0, 0, 0, 0, 0, 0, 0 }
11747 +
11748 + #define i830_PCI_IDS \
11749 + {0x8086, 0x3577, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
11750 +diff -Nurp linux-2.6.23.15/drivers/char/hpet.c linux-2.6.23.15-grsec/drivers/char/hpet.c
11751 +--- linux-2.6.23.15/drivers/char/hpet.c 2007-10-09 21:31:38.000000000 +0100
11752 ++++ linux-2.6.23.15-grsec/drivers/char/hpet.c 2008-02-11 10:37:44.000000000 +0000
11753 +@@ -1028,7 +1028,7 @@ static struct acpi_driver hpet_acpi_driv
11754 + },
11755 + };
11756 +
11757 +-static struct miscdevice hpet_misc = { HPET_MINOR, "hpet", &hpet_fops };
11758 ++static struct miscdevice hpet_misc = { HPET_MINOR, "hpet", &hpet_fops, {NULL, NULL}, NULL, NULL };
11759 +
11760 + static int __init hpet_init(void)
11761 + {
11762 +diff -Nurp linux-2.6.23.15/drivers/char/keyboard.c linux-2.6.23.15-grsec/drivers/char/keyboard.c
11763 +--- linux-2.6.23.15/drivers/char/keyboard.c 2007-10-09 21:31:38.000000000 +0100
11764 ++++ linux-2.6.23.15-grsec/drivers/char/keyboard.c 2008-02-11 10:37:44.000000000 +0000
11765 +@@ -605,6 +605,16 @@ static void k_spec(struct vc_data *vc, u
11766 + kbd->kbdmode == VC_MEDIUMRAW) &&
11767 + value != KVAL(K_SAK))
11768 + return; /* SAK is allowed even in raw mode */
11769 ++
11770 ++#if defined(CONFIG_GRKERNSEC_PROC) || defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
11771 ++ {
11772 ++ void *func = fn_handler[value];
11773 ++ if (func == fn_show_state || func == fn_show_ptregs ||
11774 ++ func == fn_show_mem)
11775 ++ return;
11776 ++ }
11777 ++#endif
11778 ++
11779 + fn_handler[value](vc);
11780 + }
11781 +
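Review bot: `void *func = fn_handler[value];` stores a function pointer in an object pointer, a conversion C does not guarantee to round-trip and that gcc reports under -Wpedantic; using the element type of `fn_handler` (declared above this hunk) or comparing the array element directly avoids it: `if (fn_handler[value] == fn_show_state || fn_handler[value] == fn_show_ptregs || fn_handler[value] == fn_show_mem) return;`. A one-line comment stating why these three handlers are filtered, presumably because they dump kernel state to the console, would explain the coupling to CONFIG_GRKERNSEC_PROC / CONFIG_GRKERNSEC_PROC_MEMMAP for the next reader. The block sits inside k_spec, whose opening is outside the hunk.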
11782 +@@ -1340,7 +1350,7 @@ static const struct input_device_id kbd_
11783 + .evbit = { BIT(EV_SND) },
11784 + },
11785 +
11786 +- { }, /* Terminating entry */
11787 ++ { 0 }, /* Terminating entry */
11788 + };
11789 +
11790 + MODULE_DEVICE_TABLE(input, kbd_ids);
11791 +diff -Nurp linux-2.6.23.15/drivers/char/mem.c linux-2.6.23.15-grsec/drivers/char/mem.c
11792 +--- linux-2.6.23.15/drivers/char/mem.c 2007-10-09 21:31:38.000000000 +0100
11793 ++++ linux-2.6.23.15-grsec/drivers/char/mem.c 2008-02-11 10:37:44.000000000 +0000
11794 +@@ -26,6 +26,7 @@
11795 + #include <linux/bootmem.h>
11796 + #include <linux/splice.h>
11797 + #include <linux/pfn.h>
11798 ++#include <linux/grsecurity.h>
11799 +
11800 + #include <asm/uaccess.h>
11801 + #include <asm/io.h>
11802 +@@ -34,6 +35,10 @@
11803 + # include <linux/efi.h>
11804 + #endif
11805 +
11806 ++#ifdef CONFIG_GRKERNSEC
11807 ++extern struct file_operations grsec_fops;
11808 ++#endif
11809 ++
11810 + /*
11811 + * Architectures vary in how they handle caching for addresses
11812 + * outside of main memory.
11813 +@@ -180,6 +185,11 @@ static ssize_t write_mem(struct file * f
11814 + if (!valid_phys_addr_range(p, count))
11815 + return -EFAULT;
11816 +
11817 ++#ifdef CONFIG_GRKERNSEC_KMEM
11818 ++ gr_handle_mem_write();
11819 ++ return -EPERM;
11820 ++#endif
11821 ++
11822 + written = 0;
11823 +
11824 + #ifdef __ARCH_HAS_NO_PAGE_ZERO_MAPPED
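Review bot: Under CONFIG_GRKERNSEC_KMEM the new guard in write_mem sits after `valid_phys_addr_range`, so a denied write reports -EFAULT for an out-of-range address and -EPERM otherwise, whereas the write_kmem hunk below rejects before any validation; the placement also decides whether gr_handle_mem_write(), presumably the audit hook, sees every attempt. Putting the guard first in both functions gives callers and logs one consistent answer. Everything after the guard in this function is unreachable in that configuration, which some compilers flag; a comment such as `/* unreachable when CONFIG_GRKERNSEC_KMEM is set */` would record that this is intended. write_mem's body continues outside the hunk.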
11825 +@@ -281,6 +291,11 @@ static int mmap_mem(struct file * file,
11826 + if (!private_mapping_ok(vma))
11827 + return -ENOSYS;
11828 +
11829 ++#ifdef CONFIG_GRKERNSEC_KMEM
11830 ++ if (gr_handle_mem_mmap(vma->vm_pgoff << PAGE_SHIFT, vma))
11831 ++ return -EPERM;
11832 ++#endif
11833 ++
11834 + vma->vm_page_prot = phys_mem_access_prot(file, vma->vm_pgoff,
11835 + size,
11836 + vma->vm_page_prot);
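Review bot: `vma->vm_pgoff << PAGE_SHIFT` is computed in `unsigned long`, so on a 32-bit kernel with physical memory above 4 GiB (PAE) the shifted offset wraps and gr_handle_mem_mmap() is consulted about the wrong physical range; the existing range check earlier in mmap_mem appears to pass `vm_pgoff` unshifted for exactly that reason. Passing the page offset, or widening before the shift if the hook's parameter allows it, e.g. `if (gr_handle_mem_mmap((u64)vma->vm_pgoff << PAGE_SHIFT, vma))`, avoids the truncation. mmap_mem's body continues on both sides of the hunk.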
11837 +@@ -512,6 +527,11 @@ static ssize_t write_kmem(struct file *
11838 + ssize_t written;
11839 + char * kbuf; /* k-addr because vwrite() takes vmlist_lock rwlock */
11840 +
11841 ++#ifdef CONFIG_GRKERNSEC_KMEM
11842 ++ gr_handle_kmem_write();
11843 ++ return -EPERM;
11844 ++#endif
11845 ++
11846 + if (p < (unsigned long) high_memory) {
11847 +
11848 + wrote = count;
11849 +@@ -635,6 +655,10 @@ static inline size_t read_zero_pagealign
11850 + struct vm_area_struct * vma;
11851 + unsigned long addr=(unsigned long)buf;
11852 +
11853 ++#ifdef CONFIG_PAX_SEGMEXEC
11854 ++ struct vm_area_struct *vma_m;
11855 ++#endif
11856 ++
11857 + mm = current->mm;
11858 + /* Oops, this was forgotten before. -ben */
11859 + down_read(&mm->mmap_sem);
11860 +@@ -651,8 +675,14 @@ static inline size_t read_zero_pagealign
11861 + if (count > size)
11862 + count = size;
11863 +
11864 ++#ifdef CONFIG_PAX_SEGMEXEC
11865 ++ vma_m = pax_find_mirror_vma(vma);
11866 ++ if (vma_m)
11867 ++ zap_page_range(vma_m, addr + SEGMEXEC_TASK_SIZE, count, NULL);
11868 ++#endif
11869 ++
11870 + zap_page_range(vma, addr, count, NULL);
11871 +- if (zeromap_page_range(vma, addr, count, PAGE_COPY))
11872 ++ if (zeromap_page_range(vma, addr, count, vma->vm_page_prot))
11873 + break;
11874 +
11875 + size -= count;
11876 +@@ -805,6 +835,16 @@ static loff_t memory_lseek(struct file *
11877 +
11878 + static int open_port(struct inode * inode, struct file * filp)
11879 + {
11880 ++#ifdef CONFIG_GRKERNSEC_KMEM
11881 ++ gr_handle_open_port();
11882 ++ return -EPERM;
11883 ++#endif
11884 ++
11885 ++ return capable(CAP_SYS_RAWIO) ? 0 : -EPERM;
11886 ++}
11887 ++
11888 ++static int open_mem(struct inode * inode, struct file * filp)
11889 ++{
11890 + return capable(CAP_SYS_RAWIO) ? 0 : -EPERM;
11891 + }
11892 +
11893 +@@ -812,7 +852,6 @@ static int open_port(struct inode * inod
11894 + #define full_lseek null_lseek
11895 + #define write_zero write_null
11896 + #define read_full read_zero
11897 +-#define open_mem open_port
11898 + #define open_kmem open_mem
11899 + #define open_oldmem open_mem
11900 +
11901 +@@ -945,6 +984,11 @@ static int memory_open(struct inode * in
11902 + filp->f_op = &oldmem_fops;
11903 + break;
11904 + #endif
11905 ++#ifdef CONFIG_GRKERNSEC
11906 ++ case 13:
11907 ++ filp->f_op = &grsec_fops;
11908 ++ break;
11909 ++#endif
11910 + default:
11911 + return -ENXIO;
11912 + }
11913 +@@ -977,6 +1021,9 @@ static const struct {
11914 + #ifdef CONFIG_CRASH_DUMP
11915 + {12,"oldmem", S_IRUSR | S_IWUSR | S_IRGRP, &oldmem_fops},
11916 + #endif
11917 ++#ifdef CONFIG_GRKERNSEC
11918 ++ {13,"grsec", S_IRUSR | S_IWUGO, &grsec_fops},
11919 ++#endif
11920 + };
11921 +
11922 + static struct class *mem_class;
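Review bot: The new devlist entry `{13,"grsec", S_IRUSR | S_IWUGO, &grsec_fops}` creates the device node world-writable, unlike the other entries in this table, which are restricted to owner and group; the only remaining control is whatever `grsec_fops`'s write handler enforces itself, and nothing in this file shows it. If unprivileged open-for-write is intended so a userspace tool can reach the interface, a comment on this line should say so and name where the caller is authenticated, e.g. `/* world-writable on purpose: the write handler authenticates the caller */`. `grsec_fops` is also declared `extern struct file_operations` (non-const) in the earlier hunk of this file; if it is never modified at runtime it should be `const` so the pointers land in read-only data like the rest of this `static const` table.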
11923 +diff -Nurp linux-2.6.23.15/drivers/char/nvram.c linux-2.6.23.15-grsec/drivers/char/nvram.c
11924 +--- linux-2.6.23.15/drivers/char/nvram.c 2007-10-09 21:31:38.000000000 +0100
11925 ++++ linux-2.6.23.15-grsec/drivers/char/nvram.c 2008-02-11 10:37:44.000000000 +0000
11926 +@@ -430,7 +430,10 @@ static const struct file_operations nvra
11927 + static struct miscdevice nvram_dev = {
11928 + NVRAM_MINOR,
11929 + "nvram",
11930 +- &nvram_fops
11931 ++ &nvram_fops,
11932 ++ {NULL, NULL},
11933 ++ NULL,
11934 ++ NULL
11935 + };
11936 +
11937 + static int __init
11938 +diff -Nurp linux-2.6.23.15/drivers/char/random.c linux-2.6.23.15-grsec/drivers/char/random.c
11939 +--- linux-2.6.23.15/drivers/char/random.c 2008-02-11 10:36:03.000000000 +0000
11940 ++++ linux-2.6.23.15-grsec/drivers/char/random.c 2008-02-11 10:37:44.000000000 +0000
11941 +@@ -248,8 +248,13 @@
11942 + /*
11943 + * Configuration information
11944 + */
11945 ++#ifdef CONFIG_GRKERNSEC_RANDNET
11946 ++#define INPUT_POOL_WORDS 512
11947 ++#define OUTPUT_POOL_WORDS 128
11948 ++#else
11949 + #define INPUT_POOL_WORDS 128
11950 + #define OUTPUT_POOL_WORDS 32
11951 ++#endif
11952 + #define SEC_XFER_SIZE 512
11953 +
11954 + /*
11955 +@@ -286,10 +291,17 @@ static struct poolinfo {
11956 + int poolwords;
11957 + int tap1, tap2, tap3, tap4, tap5;
11958 + } poolinfo_table[] = {
11959 ++#ifdef CONFIG_GRKERNSEC_RANDNET
11960 ++ /* x^512 + x^411 + x^308 + x^208 +x^104 + x + 1 -- 225 */
11961 ++ { 512, 411, 308, 208, 104, 1 },
11962 ++ /* x^128 + x^103 + x^76 + x^51 + x^25 + x + 1 -- 105 */
11963 ++ { 128, 103, 76, 51, 25, 1 },
11964 ++#else
11965 + /* x^128 + x^103 + x^76 + x^51 +x^25 + x + 1 -- 105 */
11966 + { 128, 103, 76, 51, 25, 1 },
11967 + /* x^32 + x^26 + x^20 + x^14 + x^7 + x + 1 -- 15 */
11968 + { 32, 26, 20, 14, 7, 1 },
11969 ++#endif
11970 + #if 0
11971 + /* x^2048 + x^1638 + x^1231 + x^819 + x^411 + x + 1 -- 115 */
11972 + { 2048, 1638, 1231, 819, 411, 1 },
11973 +@@ -1172,7 +1184,7 @@ EXPORT_SYMBOL(generate_random_uuid);
11974 + #include <linux/sysctl.h>
11975 +
11976 + static int min_read_thresh = 8, min_write_thresh;
11977 +-static int max_read_thresh = INPUT_POOL_WORDS * 32;
11978 ++static int max_read_thresh = OUTPUT_POOL_WORDS * 32;
11979 + static int max_write_thresh = INPUT_POOL_WORDS * 32;
11980 + static char sysctl_bootid[16];
11981 +
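Review bot: `max_read_thresh` changes from `INPUT_POOL_WORDS * 32` to `OUTPUT_POOL_WORDS * 32` outside any `#ifdef`, so the ceiling of the read-wakeup sysctl also drops in the non-RANDNET build (from 4096 to 1024 by the values in the first hunk of this file), a behaviour change unrelated to the larger pools. If the lower ceiling is meant only alongside CONFIG_GRKERNSEC_RANDNET it belongs inside that guard; if it is a deliberate fix for every configuration, a one-line comment saying why the output pool size is the right bound would help. `max_write_thresh` on the next line keeps the input-pool bound, so the asymmetry should be stated either way.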
11982 +diff -Nurp linux-2.6.23.15/drivers/char/vt_ioctl.c linux-2.6.23.15-grsec/drivers/char/vt_ioctl.c
11983 +--- linux-2.6.23.15/drivers/char/vt_ioctl.c 2007-10-09 21:31:38.000000000 +0100
11984 ++++ linux-2.6.23.15-grsec/drivers/char/vt_ioctl.c 2008-02-11 10:37:44.000000000 +0000
11985 +@@ -95,6 +95,12 @@ do_kdsk_ioctl(int cmd, struct kbentry __
11986 + case KDSKBENT:
11987 + if (!perm)
11988 + return -EPERM;
11989 ++
11990 ++#ifdef CONFIG_GRKERNSEC
11991 ++ if (!capable(CAP_SYS_TTY_CONFIG))
11992 ++ return -EPERM;
11993 ++#endif
11994 ++
11995 + if (!i && v == K_NOSUCHMAP) {
11996 + /* deallocate map */
11997 + key_map = key_maps[s];
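Review bot: The added `capable(CAP_SYS_TTY_CONFIG)` test follows the existing `if (!perm)` check without saying what it adds; if `perm` is derived from tty ownership as elsewhere in vt_ioctl.c, the new line is what stops an unprivileged owner of the console from rewriting key bindings that every user of that console shares. A comment such as `/* keymap changes affect every user of the console: require CAP_SYS_TTY_CONFIG even for the tty owner */` records that intent, and the same comment belongs on the matching check in the do_kdgkb_ioctl hunk below. Both enclosing functions start outside their hunks.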
11998 +@@ -235,6 +241,13 @@ do_kdgkb_ioctl(int cmd, struct kbsentry
11999 + goto reterr;
12000 + }
12001 +
12002 ++#ifdef CONFIG_GRKERNSEC
12003 ++ if (!capable(CAP_SYS_TTY_CONFIG)) {
12004 ++ ret = -EPERM;
12005 ++ goto reterr;
12006 ++ }
12007 ++#endif
12008 ++
12009 + q = func_table[i];
12010 + first_free = funcbufptr + (funcbufsize - funcbufleft);
12011 + for (j = i+1; j < MAX_NR_FUNC && !func_table[j]; j++)
12012 +diff -Nurp linux-2.6.23.15/drivers/dma/ioatdma.c linux-2.6.23.15-grsec/drivers/dma/ioatdma.c
12013 +--- linux-2.6.23.15/drivers/dma/ioatdma.c 2007-10-09 21:31:38.000000000 +0100
12014 ++++ linux-2.6.23.15-grsec/drivers/dma/ioatdma.c 2008-02-11 10:37:44.000000000 +0000
12015 +@@ -244,7 +244,6 @@ static void ioat_dma_free_chan_resources
12016 + struct ioat_dma_chan *ioat_chan = to_ioat_chan(chan);
12017 + struct ioat_device *ioat_device = to_ioat_device(chan->device);
12018 + struct ioat_desc_sw *desc, *_desc;
12019 +- u16 chanctrl;
12020 + int in_use_descs = 0;
12021 +
12022 + ioat_dma_memcpy_cleanup(ioat_chan);
12023 +diff -Nurp linux-2.6.23.15/drivers/edac/edac_core.h linux-2.6.23.15-grsec/drivers/edac/edac_core.h
12024 +--- linux-2.6.23.15/drivers/edac/edac_core.h 2007-10-09 21:31:38.000000000 +0100
12025 ++++ linux-2.6.23.15-grsec/drivers/edac/edac_core.h 2008-02-11 10:37:44.000000000 +0000
12026 +@@ -86,11 +86,11 @@ extern int edac_debug_level;
12027 +
12028 + #else /* !CONFIG_EDAC_DEBUG */
12029 +
12030 +-#define debugf0( ... )
12031 +-#define debugf1( ... )
12032 +-#define debugf2( ... )
12033 +-#define debugf3( ... )
12034 +-#define debugf4( ... )
12035 ++#define debugf0( ... ) do {} while (0)
12036 ++#define debugf1( ... ) do {} while (0)
12037 ++#define debugf2( ... ) do {} while (0)
12038 ++#define debugf3( ... ) do {} while (0)
12039 ++#define debugf4( ... ) do {} while (0)
12040 +
12041 + #endif /* !CONFIG_EDAC_DEBUG */
12042 +
12043 +diff -Nurp linux-2.6.23.15/drivers/hwmon/fscpos.c linux-2.6.23.15-grsec/drivers/hwmon/fscpos.c
12044 +--- linux-2.6.23.15/drivers/hwmon/fscpos.c 2007-10-09 21:31:38.000000000 +0100
12045 ++++ linux-2.6.23.15-grsec/drivers/hwmon/fscpos.c 2008-02-11 10:37:44.000000000 +0000
12046 +@@ -231,7 +231,6 @@ static ssize_t set_pwm(struct i2c_client
12047 + unsigned long v = simple_strtoul(buf, NULL, 10);
12048 +
12049 + /* Range: 0..255 */
12050 +- if (v < 0) v = 0;
12051 + if (v > 255) v = 255;
12052 +
12053 + mutex_lock(&data->update_lock);
12054 +diff -Nurp linux-2.6.23.15/drivers/hwmon/k8temp.c linux-2.6.23.15-grsec/drivers/hwmon/k8temp.c
12055 +--- linux-2.6.23.15/drivers/hwmon/k8temp.c 2007-10-09 21:31:38.000000000 +0100
12056 ++++ linux-2.6.23.15-grsec/drivers/hwmon/k8temp.c 2008-02-11 10:37:44.000000000 +0000
12057 +@@ -130,7 +130,7 @@ static DEVICE_ATTR(name, S_IRUGO, show_n
12058 +
12059 + static struct pci_device_id k8temp_ids[] = {
12060 + { PCI_DEVICE(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_K8_NB_MISC) },
12061 +- { 0 },
12062 ++ { 0, 0, 0, 0, 0, 0, 0 },
12063 + };
12064 +
12065 + MODULE_DEVICE_TABLE(pci, k8temp_ids);
12066 +diff -Nurp linux-2.6.23.15/drivers/hwmon/sis5595.c linux-2.6.23.15-grsec/drivers/hwmon/sis5595.c
12067 +--- linux-2.6.23.15/drivers/hwmon/sis5595.c 2007-10-09 21:31:38.000000000 +0100
12068 ++++ linux-2.6.23.15-grsec/drivers/hwmon/sis5595.c 2008-02-11 10:37:44.000000000 +0000
12069 +@@ -673,7 +673,7 @@ static struct sis5595_data *sis5595_upda
12070 +
12071 + static struct pci_device_id sis5595_pci_ids[] = {
12072 + { PCI_DEVICE(PCI_VENDOR_ID_SI, PCI_DEVICE_ID_SI_503) },
12073 +- { 0, }
12074 ++ { 0, 0, 0, 0, 0, 0, 0 }
12075 + };
12076 +
12077 + MODULE_DEVICE_TABLE(pci, sis5595_pci_ids);
12078 +diff -Nurp linux-2.6.23.15/drivers/hwmon/thmc50.c linux-2.6.23.15-grsec/drivers/hwmon/thmc50.c
12079 +--- linux-2.6.23.15/drivers/hwmon/thmc50.c 2007-10-09 21:31:38.000000000 +0100
12080 ++++ linux-2.6.23.15-grsec/drivers/hwmon/thmc50.c 2008-02-11 10:37:44.000000000 +0000
12081 +@@ -47,9 +47,9 @@ I2C_CLIENT_MODULE_PARM(adm1022_temp3, "L
12082 + #define THMC50_REG_DIE_CODE 0x3F
12083 + #define THMC50_REG_ANALOG_OUT 0x19
12084 +
12085 +-const static u8 THMC50_REG_TEMP[] = { 0x27, 0x26, 0x20 };
12086 +-const static u8 THMC50_REG_TEMP_MIN[] = { 0x3A, 0x38, 0x2C };
12087 +-const static u8 THMC50_REG_TEMP_MAX[] = { 0x39, 0x37, 0x2B };
12088 ++static const u8 THMC50_REG_TEMP[] = { 0x27, 0x26, 0x20 };
12089 ++static const u8 THMC50_REG_TEMP_MIN[] = { 0x3A, 0x38, 0x2C };
12090 ++static const u8 THMC50_REG_TEMP_MAX[] = { 0x39, 0x37, 0x2B };
12091 +
12092 + #define THMC50_REG_CONF_nFANOFF 0x20
12093 +
12094 +diff -Nurp linux-2.6.23.15/drivers/hwmon/via686a.c linux-2.6.23.15-grsec/drivers/hwmon/via686a.c
12095 +--- linux-2.6.23.15/drivers/hwmon/via686a.c 2007-10-09 21:31:38.000000000 +0100
12096 ++++ linux-2.6.23.15-grsec/drivers/hwmon/via686a.c 2008-02-11 10:37:44.000000000 +0000
12097 +@@ -740,7 +740,7 @@ static struct via686a_data *via686a_upda
12098 +
12099 + static struct pci_device_id via686a_pci_ids[] = {
12100 + { PCI_DEVICE(PCI_VENDOR_ID_VIA, PCI_DEVICE_ID_VIA_82C686_4) },
12101 +- { 0, }
12102 ++ { 0, 0, 0, 0, 0, 0, 0 }
12103 + };
12104 +
12105 + MODULE_DEVICE_TABLE(pci, via686a_pci_ids);
12106 +diff -Nurp linux-2.6.23.15/drivers/hwmon/vt8231.c linux-2.6.23.15-grsec/drivers/hwmon/vt8231.c
12107 +--- linux-2.6.23.15/drivers/hwmon/vt8231.c 2007-10-09 21:31:38.000000000 +0100
12108 ++++ linux-2.6.23.15-grsec/drivers/hwmon/vt8231.c 2008-02-11 10:37:44.000000000 +0000
12109 +@@ -662,7 +662,7 @@ static struct platform_driver vt8231_dri
12110 +
12111 + static struct pci_device_id vt8231_pci_ids[] = {
12112 + { PCI_DEVICE(PCI_VENDOR_ID_VIA, PCI_DEVICE_ID_VIA_8231_4) },
12113 +- { 0, }
12114 ++ { 0, 0, 0, 0, 0, 0, 0 }
12115 + };
12116 +
12117 + MODULE_DEVICE_TABLE(pci, vt8231_pci_ids);
12118 +diff -Nurp linux-2.6.23.15/drivers/hwmon/w83791d.c linux-2.6.23.15-grsec/drivers/hwmon/w83791d.c
12119 +--- linux-2.6.23.15/drivers/hwmon/w83791d.c 2007-10-09 21:31:38.000000000 +0100
12120 ++++ linux-2.6.23.15-grsec/drivers/hwmon/w83791d.c 2008-02-11 10:37:44.000000000 +0000
12121 +@@ -289,8 +289,8 @@ static int w83791d_attach_adapter(struct
12122 + static int w83791d_detect(struct i2c_adapter *adapter, int address, int kind);
12123 + static int w83791d_detach_client(struct i2c_client *client);
12124 +
12125 +-static int w83791d_read(struct i2c_client *client, u8 register);
12126 +-static int w83791d_write(struct i2c_client *client, u8 register, u8 value);
12127 ++static int w83791d_read(struct i2c_client *client, u8 reg);
12128 ++static int w83791d_write(struct i2c_client *client, u8 reg, u8 value);
12129 + static struct w83791d_data *w83791d_update_device(struct device *dev);
12130 +
12131 + #ifdef DEBUG
12132 +diff -Nurp linux-2.6.23.15/drivers/i2c/busses/i2c-i801.c linux-2.6.23.15-grsec/drivers/i2c/busses/i2c-i801.c
12133 +--- linux-2.6.23.15/drivers/i2c/busses/i2c-i801.c 2007-10-09 21:31:38.000000000 +0100
12134 ++++ linux-2.6.23.15-grsec/drivers/i2c/busses/i2c-i801.c 2008-02-11 10:37:44.000000000 +0000
12135 +@@ -543,7 +543,7 @@ static struct pci_device_id i801_ids[] =
12136 + { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_ESB2_17) },
12137 + { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_ICH8_5) },
12138 + { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_ICH9_6) },
12139 +- { 0, }
12140 ++ { 0, 0, 0, 0, 0, 0, 0 }
12141 + };
12142 +
12143 + MODULE_DEVICE_TABLE (pci, i801_ids);
12144 +diff -Nurp linux-2.6.23.15/drivers/i2c/busses/i2c-i810.c linux-2.6.23.15-grsec/drivers/i2c/busses/i2c-i810.c
12145 +--- linux-2.6.23.15/drivers/i2c/busses/i2c-i810.c 2007-10-09 21:31:38.000000000 +0100
12146 ++++ linux-2.6.23.15-grsec/drivers/i2c/busses/i2c-i810.c 2008-02-11 10:37:44.000000000 +0000
12147 +@@ -198,7 +198,7 @@ static struct pci_device_id i810_ids[] _
12148 + { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_82810E_IG) },
12149 + { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_82815_CGC) },
12150 + { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_82845G_IG) },
12151 +- { 0, },
12152 ++ { 0, 0, 0, 0, 0, 0, 0 },
12153 + };
12154 +
12155 + MODULE_DEVICE_TABLE (pci, i810_ids);
12156 +diff -Nurp linux-2.6.23.15/drivers/i2c/busses/i2c-piix4.c linux-2.6.23.15-grsec/drivers/i2c/busses/i2c-piix4.c
12157 +--- linux-2.6.23.15/drivers/i2c/busses/i2c-piix4.c 2007-10-09 21:31:38.000000000 +0100
12158 ++++ linux-2.6.23.15-grsec/drivers/i2c/busses/i2c-piix4.c 2008-02-11 10:37:44.000000000 +0000
12159 +@@ -113,7 +113,7 @@ static struct dmi_system_id __devinitdat
12160 + .ident = "IBM",
12161 + .matches = { DMI_MATCH(DMI_SYS_VENDOR, "IBM"), },
12162 + },
12163 +- { },
12164 ++ { NULL, NULL, {DMI_MATCH(DMI_NONE, NULL)}, NULL },
12165 + };
12166 +
12167 + static int __devinit piix4_setup(struct pci_dev *PIIX4_dev,
12168 +@@ -411,7 +411,7 @@ static struct pci_device_id piix4_ids[]
12169 + .driver_data = 3 },
12170 + { PCI_DEVICE(PCI_VENDOR_ID_EFAR, PCI_DEVICE_ID_EFAR_SLC90E66_3),
12171 + .driver_data = 0 },
12172 +- { 0, }
12173 ++ { 0, 0, 0, 0, 0, 0, 0 }
12174 + };
12175 +
12176 + MODULE_DEVICE_TABLE (pci, piix4_ids);
12177 +diff -Nurp linux-2.6.23.15/drivers/i2c/busses/i2c-sis630.c linux-2.6.23.15-grsec/drivers/i2c/busses/i2c-sis630.c
12178 +--- linux-2.6.23.15/drivers/i2c/busses/i2c-sis630.c 2007-10-09 21:31:38.000000000 +0100
12179 ++++ linux-2.6.23.15-grsec/drivers/i2c/busses/i2c-sis630.c 2008-02-11 10:37:44.000000000 +0000
12180 +@@ -465,7 +465,7 @@ static struct i2c_adapter sis630_adapter
12181 + static struct pci_device_id sis630_ids[] __devinitdata = {
12182 + { PCI_DEVICE(PCI_VENDOR_ID_SI, PCI_DEVICE_ID_SI_503) },
12183 + { PCI_DEVICE(PCI_VENDOR_ID_SI, PCI_DEVICE_ID_SI_LPC) },
12184 +- { 0, }
12185 ++ { PCI_DEVICE(0, 0) }
12186 + };
12187 +
12188 + MODULE_DEVICE_TABLE (pci, sis630_ids);
12189 +diff -Nurp linux-2.6.23.15/drivers/i2c/busses/i2c-sis96x.c linux-2.6.23.15-grsec/drivers/i2c/busses/i2c-sis96x.c
12190 +--- linux-2.6.23.15/drivers/i2c/busses/i2c-sis96x.c 2007-10-09 21:31:38.000000000 +0100
12191 ++++ linux-2.6.23.15-grsec/drivers/i2c/busses/i2c-sis96x.c 2008-02-11 10:37:44.000000000 +0000
12192 +@@ -255,7 +255,7 @@ static struct i2c_adapter sis96x_adapter
12193 +
12194 + static struct pci_device_id sis96x_ids[] = {
12195 + { PCI_DEVICE(PCI_VENDOR_ID_SI, PCI_DEVICE_ID_SI_SMBUS) },
12196 +- { 0, }
12197 ++ { PCI_DEVICE(0, 0) }
12198 + };
12199 +
12200 + MODULE_DEVICE_TABLE (pci, sis96x_ids);
12201 +diff -Nurp linux-2.6.23.15/drivers/ide/ide-cd.c linux-2.6.23.15-grsec/drivers/ide/ide-cd.c
12202 +--- linux-2.6.23.15/drivers/ide/ide-cd.c 2007-10-09 21:31:38.000000000 +0100
12203 ++++ linux-2.6.23.15-grsec/drivers/ide/ide-cd.c 2008-02-11 10:37:44.000000000 +0000
12204 +@@ -457,8 +457,6 @@ void cdrom_analyze_sense_data(ide_drive_
12205 + sector &= ~(bio_sectors -1);
12206 + valid = (sector - failed_command->sector) << 9;
12207 +
12208 +- if (valid < 0)
12209 +- valid = 0;
12210 + if (sector < get_capacity(info->disk) &&
12211 + drive->probed_capacity - sector < 4 * 75) {
12212 + set_capacity(info->disk, sector);
12213 +diff -Nurp linux-2.6.23.15/drivers/ieee1394/dv1394.c linux-2.6.23.15-grsec/drivers/ieee1394/dv1394.c
12214 +--- linux-2.6.23.15/drivers/ieee1394/dv1394.c 2007-10-09 21:31:38.000000000 +0100
12215 ++++ linux-2.6.23.15-grsec/drivers/ieee1394/dv1394.c 2008-02-11 10:37:44.000000000 +0000
12216 +@@ -739,7 +739,7 @@ static void frame_prepare(struct video_c
12217 + based upon DIF section and sequence
12218 + */
12219 +
12220 +-static void inline
12221 ++static inline void
12222 + frame_put_packet (struct frame *f, struct packet *p)
12223 + {
12224 + int section_type = p->data[0] >> 5; /* section type is in bits 5 - 7 */
12225 +@@ -918,7 +918,7 @@ static int do_dv1394_init(struct video_c
12226 + /* default SYT offset is 3 cycles */
12227 + init->syt_offset = 3;
12228 +
12229 +- if ( (init->channel > 63) || (init->channel < 0) )
12230 ++ if (init->channel > 63)
12231 + init->channel = 63;
12232 +
12233 + chan_mask = (u64)1 << init->channel;
12234 +@@ -2173,7 +2173,7 @@ static struct ieee1394_device_id dv1394_
12235 + .specifier_id = AVC_UNIT_SPEC_ID_ENTRY & 0xffffff,
12236 + .version = AVC_SW_VERSION_ENTRY & 0xffffff
12237 + },
12238 +- { }
12239 ++ { 0, 0, 0, 0, 0, 0 }
12240 + };
12241 +
12242 + MODULE_DEVICE_TABLE(ieee1394, dv1394_id_table);
12243 +diff -Nurp linux-2.6.23.15/drivers/ieee1394/eth1394.c linux-2.6.23.15-grsec/drivers/ieee1394/eth1394.c
12244 +--- linux-2.6.23.15/drivers/ieee1394/eth1394.c 2007-10-09 21:31:38.000000000 +0100
12245 ++++ linux-2.6.23.15-grsec/drivers/ieee1394/eth1394.c 2008-02-11 10:37:44.000000000 +0000
12246 +@@ -449,7 +449,7 @@ static struct ieee1394_device_id eth1394
12247 + .specifier_id = ETHER1394_GASP_SPECIFIER_ID,
12248 + .version = ETHER1394_GASP_VERSION,
12249 + },
12250 +- {}
12251 ++ { 0, 0, 0, 0, 0, 0 }
12252 + };
12253 +
12254 + MODULE_DEVICE_TABLE(ieee1394, eth1394_id_table);
12255 +diff -Nurp linux-2.6.23.15/drivers/ieee1394/hosts.c linux-2.6.23.15-grsec/drivers/ieee1394/hosts.c
12256 +--- linux-2.6.23.15/drivers/ieee1394/hosts.c 2007-10-09 21:31:38.000000000 +0100
12257 ++++ linux-2.6.23.15-grsec/drivers/ieee1394/hosts.c 2008-02-11 10:37:44.000000000 +0000
12258 +@@ -78,6 +78,7 @@ static int dummy_isoctl(struct hpsb_iso
12259 + }
12260 +
12261 + static struct hpsb_host_driver dummy_driver = {
12262 ++ .name = "dummy",
12263 + .transmit_packet = dummy_transmit_packet,
12264 + .devctl = dummy_devctl,
12265 + .isoctl = dummy_isoctl
12266 +diff -Nurp linux-2.6.23.15/drivers/ieee1394/ohci1394.c linux-2.6.23.15-grsec/drivers/ieee1394/ohci1394.c
12267 +--- linux-2.6.23.15/drivers/ieee1394/ohci1394.c 2007-10-09 21:31:38.000000000 +0100
12268 ++++ linux-2.6.23.15-grsec/drivers/ieee1394/ohci1394.c 2008-02-11 10:37:44.000000000 +0000
12269 +@@ -147,9 +147,9 @@ printk(level "%s: " fmt "\n" , OHCI1394_
12270 + printk(level "%s: fw-host%d: " fmt "\n" , OHCI1394_DRIVER_NAME, ohci->host->id , ## args)
12271 +
12272 + /* Module Parameters */
12273 +-static int phys_dma = 1;
12274 ++static int phys_dma;
12275 + module_param(phys_dma, int, 0444);
12276 +-MODULE_PARM_DESC(phys_dma, "Enable physical dma (default = 1).");
12277 ++MODULE_PARM_DESC(phys_dma, "Enable physical dma (default = 0).");
12278 +
12279 + static void dma_trm_tasklet(unsigned long data);
12280 + static void dma_trm_reset(struct dma_trm_ctx *d);
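Review bot: The default for `phys_dma` flips from 1 to 0 with only the parameter description updated; the next reader sees a bare `static int phys_dma;` with no rationale, so a comment on the definition should record it, e.g. `/* off by default: physical DMA lets another 1394 node access host memory without CPU involvement */`. Relying on static zero-initialisation is correct, but an explicit `= 0` keeps the deliberate change visible. If the intent is hardening, the module documentation should also note that setups depending on physical DMA now need `phys_dma=1`.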
12281 +@@ -3396,7 +3396,7 @@ static struct pci_device_id ohci1394_pci
12282 + .subvendor = PCI_ANY_ID,
12283 + .subdevice = PCI_ANY_ID,
12284 + },
12285 +- { 0, },
12286 ++ { 0, 0, 0, 0, 0, 0, 0 },
12287 + };
12288 +
12289 + MODULE_DEVICE_TABLE(pci, ohci1394_pci_tbl);
12290 +diff -Nurp linux-2.6.23.15/drivers/ieee1394/raw1394.c linux-2.6.23.15-grsec/drivers/ieee1394/raw1394.c
12291 +--- linux-2.6.23.15/drivers/ieee1394/raw1394.c 2007-10-09 21:31:38.000000000 +0100
12292 ++++ linux-2.6.23.15-grsec/drivers/ieee1394/raw1394.c 2008-02-11 10:37:44.000000000 +0000
12293 +@@ -2952,7 +2952,7 @@ static struct ieee1394_device_id raw1394
12294 + .match_flags = IEEE1394_MATCH_SPECIFIER_ID | IEEE1394_MATCH_VERSION,
12295 + .specifier_id = CAMERA_UNIT_SPEC_ID_ENTRY & 0xffffff,
12296 + .version = (CAMERA_SW_VERSION_ENTRY + 2) & 0xffffff},
12297 +- {}
12298 ++ { 0, 0, 0, 0, 0, 0 }
12299 + };
12300 +
12301 + MODULE_DEVICE_TABLE(ieee1394, raw1394_id_table);
12302 +diff -Nurp linux-2.6.23.15/drivers/ieee1394/sbp2.c linux-2.6.23.15-grsec/drivers/ieee1394/sbp2.c
12303 +--- linux-2.6.23.15/drivers/ieee1394/sbp2.c 2007-10-09 21:31:38.000000000 +0100
12304 ++++ linux-2.6.23.15-grsec/drivers/ieee1394/sbp2.c 2008-02-11 10:37:44.000000000 +0000
12305 +@@ -272,7 +272,7 @@ static struct ieee1394_device_id sbp2_id
12306 + .match_flags = IEEE1394_MATCH_SPECIFIER_ID | IEEE1394_MATCH_VERSION,
12307 + .specifier_id = SBP2_UNIT_SPEC_ID_ENTRY & 0xffffff,
12308 + .version = SBP2_SW_VERSION_ENTRY & 0xffffff},
12309 +- {}
12310 ++ { 0, 0, 0, 0, 0, 0 }
12311 + };
12312 + MODULE_DEVICE_TABLE(ieee1394, sbp2_id_table);
12313 +
12314 +@@ -2063,7 +2063,7 @@ MODULE_DESCRIPTION("IEEE-1394 SBP-2 prot
12315 + MODULE_SUPPORTED_DEVICE(SBP2_DEVICE_NAME);
12316 + MODULE_LICENSE("GPL");
12317 +
12318 +-static int sbp2_module_init(void)
12319 ++static int __init sbp2_module_init(void)
12320 + {
12321 + int ret;
12322 +
12323 +diff -Nurp linux-2.6.23.15/drivers/ieee1394/video1394.c linux-2.6.23.15-grsec/drivers/ieee1394/video1394.c
12324 +--- linux-2.6.23.15/drivers/ieee1394/video1394.c 2007-10-09 21:31:38.000000000 +0100
12325 ++++ linux-2.6.23.15-grsec/drivers/ieee1394/video1394.c 2008-02-11 10:37:44.000000000 +0000
12326 +@@ -893,7 +893,7 @@ static long video1394_ioctl(struct file
12327 + if (unlikely(d == NULL))
12328 + return -EFAULT;
12329 +
12330 +- if (unlikely((v.buffer<0) || (v.buffer>=d->num_desc - 1))) {
12331 ++ if (unlikely(v.buffer>=d->num_desc - 1)) {
12332 + PRINT(KERN_ERR, ohci->host->id,
12333 + "Buffer %d out of range",v.buffer);
12334 + return -EINVAL;
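Review bot: Dropping `v.buffer<0` on the new side is sound only if `v.buffer` is an unsigned type; its declaration is outside the hunk, and if it is a signed int the check now admits negative buffer indices. The same removal appears in the three following video1394_ioctl hunks and in kvm_vcpu_ioctl_interrupt (`irq->irq >= 256`), slram parse_cmdline, ubi bytes_str_to_int and pnp_check_irq/pnp_check_dma, so one confirmation of the types covers all of them. Even with an unsigned `v.buffer`, `d->num_desc - 1` still mixes signedness if `num_desc` is an int: for `num_desc == 0` the right-hand side is -1, promoted to UINT_MAX, and the range check never rejects anything — presumably num_desc is never 0 by this point, but a comment saying so, or casting both sides to one type, would make that explicit. The enclosing ioctl body continues outside the hunk.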
12335 +@@ -959,7 +959,7 @@ static long video1394_ioctl(struct file
12336 + if (unlikely(d == NULL))
12337 + return -EFAULT;
12338 +
12339 +- if (unlikely((v.buffer<0) || (v.buffer>d->num_desc - 1))) {
12340 ++ if (unlikely(v.buffer>d->num_desc - 1)) {
12341 + PRINT(KERN_ERR, ohci->host->id,
12342 + "Buffer %d out of range",v.buffer);
12343 + return -EINVAL;
12344 +@@ -1030,7 +1030,7 @@ static long video1394_ioctl(struct file
12345 + d = find_ctx(&ctx->context_list, OHCI_ISO_TRANSMIT, v.channel);
12346 + if (d == NULL) return -EFAULT;
12347 +
12348 +- if ((v.buffer<0) || (v.buffer>=d->num_desc - 1)) {
12349 ++ if (v.buffer>=d->num_desc - 1) {
12350 + PRINT(KERN_ERR, ohci->host->id,
12351 + "Buffer %d out of range",v.buffer);
12352 + return -EINVAL;
12353 +@@ -1137,7 +1137,7 @@ static long video1394_ioctl(struct file
12354 + d = find_ctx(&ctx->context_list, OHCI_ISO_TRANSMIT, v.channel);
12355 + if (d == NULL) return -EFAULT;
12356 +
12357 +- if ((v.buffer<0) || (v.buffer>=d->num_desc-1)) {
12358 ++ if (v.buffer>=d->num_desc-1) {
12359 + PRINT(KERN_ERR, ohci->host->id,
12360 + "Buffer %d out of range",v.buffer);
12361 + return -EINVAL;
12362 +@@ -1309,7 +1309,7 @@ static struct ieee1394_device_id video13
12363 + .specifier_id = CAMERA_UNIT_SPEC_ID_ENTRY & 0xffffff,
12364 + .version = (CAMERA_SW_VERSION_ENTRY + 2) & 0xffffff
12365 + },
12366 +- { }
12367 ++ { 0, 0, 0, 0, 0, 0 }
12368 + };
12369 +
12370 + MODULE_DEVICE_TABLE(ieee1394, video1394_id_table);
12371 +diff -Nurp linux-2.6.23.15/drivers/input/keyboard/atkbd.c linux-2.6.23.15-grsec/drivers/input/keyboard/atkbd.c
12372 +--- linux-2.6.23.15/drivers/input/keyboard/atkbd.c 2007-10-09 21:31:38.000000000 +0100
12373 ++++ linux-2.6.23.15-grsec/drivers/input/keyboard/atkbd.c 2008-02-11 10:37:44.000000000 +0000
12374 +@@ -1075,7 +1075,7 @@ static struct serio_device_id atkbd_seri
12375 + .id = SERIO_ANY,
12376 + .extra = SERIO_ANY,
12377 + },
12378 +- { 0 }
12379 ++ { 0, 0, 0, 0 }
12380 + };
12381 +
12382 + MODULE_DEVICE_TABLE(serio, atkbd_serio_ids);
12383 +diff -Nurp linux-2.6.23.15/drivers/input/mouse/lifebook.c linux-2.6.23.15-grsec/drivers/input/mouse/lifebook.c
12384 +--- linux-2.6.23.15/drivers/input/mouse/lifebook.c 2007-10-09 21:31:38.000000000 +0100
12385 ++++ linux-2.6.23.15-grsec/drivers/input/mouse/lifebook.c 2008-02-11 10:37:44.000000000 +0000
12386 +@@ -102,7 +102,7 @@ static struct dmi_system_id lifebook_dmi
12387 + DMI_MATCH(DMI_PRODUCT_NAME, "LifeBook B142"),
12388 + },
12389 + },
12390 +- { }
12391 ++ { NULL, NULL, {DMI_MATCH(DMI_NONE, NULL)}, NULL}
12392 + };
12393 +
12394 + static psmouse_ret_t lifebook_process_byte(struct psmouse *psmouse)
12395 +diff -Nurp linux-2.6.23.15/drivers/input/mouse/psmouse-base.c linux-2.6.23.15-grsec/drivers/input/mouse/psmouse-base.c
12396 +--- linux-2.6.23.15/drivers/input/mouse/psmouse-base.c 2007-10-09 21:31:38.000000000 +0100
12397 ++++ linux-2.6.23.15-grsec/drivers/input/mouse/psmouse-base.c 2008-02-11 10:37:44.000000000 +0000
12398 +@@ -1325,7 +1325,7 @@ static struct serio_device_id psmouse_se
12399 + .id = SERIO_ANY,
12400 + .extra = SERIO_ANY,
12401 + },
12402 +- { 0 }
12403 ++ { 0, 0, 0, 0 }
12404 + };
12405 +
12406 + MODULE_DEVICE_TABLE(serio, psmouse_serio_ids);
12407 +diff -Nurp linux-2.6.23.15/drivers/input/mouse/synaptics.c linux-2.6.23.15-grsec/drivers/input/mouse/synaptics.c
12408 +--- linux-2.6.23.15/drivers/input/mouse/synaptics.c 2007-10-09 21:31:38.000000000 +0100
12409 ++++ linux-2.6.23.15-grsec/drivers/input/mouse/synaptics.c 2008-02-11 10:37:44.000000000 +0000
12410 +@@ -417,7 +417,7 @@ static void synaptics_process_packet(str
12411 + break;
12412 + case 2:
12413 + if (SYN_MODEL_PEN(priv->model_id))
12414 +- ; /* Nothing, treat a pen as a single finger */
12415 ++ break; /* Nothing, treat a pen as a single finger */
12416 + break;
12417 + case 4 ... 15:
12418 + if (SYN_CAP_PALMDETECT(priv->capabilities))
12419 +@@ -624,7 +624,7 @@ static struct dmi_system_id toshiba_dmi_
12420 + DMI_MATCH(DMI_PRODUCT_NAME, "PORTEGE M300"),
12421 + },
12422 + },
12423 +- { }
12424 ++ { NULL, NULL, {DMI_MATCH(DMI_NONE, NULL)}, NULL }
12425 + };
12426 + #endif
12427 +
12428 +diff -Nurp linux-2.6.23.15/drivers/input/mousedev.c linux-2.6.23.15-grsec/drivers/input/mousedev.c
12429 +--- linux-2.6.23.15/drivers/input/mousedev.c 2008-02-11 10:36:03.000000000 +0000
12430 ++++ linux-2.6.23.15-grsec/drivers/input/mousedev.c 2008-02-11 10:37:44.000000000 +0000
12431 +@@ -1048,7 +1048,7 @@ static struct input_handler mousedev_han
12432 +
12433 + #ifdef CONFIG_INPUT_MOUSEDEV_PSAUX
12434 + static struct miscdevice psaux_mouse = {
12435 +- PSMOUSE_MINOR, "psaux", &mousedev_fops
12436 ++ PSMOUSE_MINOR, "psaux", &mousedev_fops, {NULL, NULL}, NULL, NULL
12437 + };
12438 + static int psaux_registered;
12439 + #endif
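Review bot: The positional initializer `PSMOUSE_MINOR, "psaux", &mousedev_fops, {NULL, NULL}, NULL, NULL` now ties this definition to the exact member order and count of struct miscdevice, so a reordered or added member silently initializes the wrong field; the kvm_dev hunk in drivers/kvm/kvm_main.c does the same. Designated initializers for the three members actually set, `.minor = PSMOUSE_MINOR, .name = "psaux", .fops = &mousedev_fops`, keep the warning away without encoding the layout.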
12440 +diff -Nurp linux-2.6.23.15/drivers/input/serio/i8042-x86ia64io.h linux-2.6.23.15-grsec/drivers/input/serio/i8042-x86ia64io.h
12441 +--- linux-2.6.23.15/drivers/input/serio/i8042-x86ia64io.h 2007-10-09 21:31:38.000000000 +0100
12442 ++++ linux-2.6.23.15-grsec/drivers/input/serio/i8042-x86ia64io.h 2008-02-11 10:37:44.000000000 +0000
12443 +@@ -110,7 +110,7 @@ static struct dmi_system_id __initdata i
12444 + DMI_MATCH(DMI_PRODUCT_VERSION, "5a"),
12445 + },
12446 + },
12447 +- { }
12448 ++ { NULL, NULL, {DMI_MATCH(DMI_NONE, NULL)}, NULL }
12449 + };
12450 +
12451 + /*
12452 +@@ -262,7 +262,7 @@ static struct dmi_system_id __initdata i
12453 + DMI_MATCH(DMI_PRODUCT_NAME, "M636/A737 platform"),
12454 + },
12455 + },
12456 +- { }
12457 ++ { NULL, NULL, {DMI_MATCH(DMI_NONE, NULL)}, NULL }
12458 + };
12459 +
12460 +
12461 +diff -Nurp linux-2.6.23.15/drivers/input/serio/serio_raw.c linux-2.6.23.15-grsec/drivers/input/serio/serio_raw.c
12462 +--- linux-2.6.23.15/drivers/input/serio/serio_raw.c 2007-10-09 21:31:38.000000000 +0100
12463 ++++ linux-2.6.23.15-grsec/drivers/input/serio/serio_raw.c 2008-02-11 10:37:44.000000000 +0000
12464 +@@ -369,7 +369,7 @@ static struct serio_device_id serio_raw_
12465 + .id = SERIO_ANY,
12466 + .extra = SERIO_ANY,
12467 + },
12468 +- { 0 }
12469 ++ { 0, 0, 0, 0 }
12470 + };
12471 +
12472 + MODULE_DEVICE_TABLE(serio, serio_raw_serio_ids);
12473 +diff -Nurp linux-2.6.23.15/drivers/kvm/kvm_main.c linux-2.6.23.15-grsec/drivers/kvm/kvm_main.c
12474 +--- linux-2.6.23.15/drivers/kvm/kvm_main.c 2008-02-11 10:36:03.000000000 +0000
12475 ++++ linux-2.6.23.15-grsec/drivers/kvm/kvm_main.c 2008-02-11 10:37:44.000000000 +0000
12476 +@@ -63,21 +63,21 @@ static struct kvm_stats_debugfs_item {
12477 + int offset;
12478 + struct dentry *dentry;
12479 + } debugfs_entries[] = {
12480 +- { "pf_fixed", STAT_OFFSET(pf_fixed) },
12481 +- { "pf_guest", STAT_OFFSET(pf_guest) },
12482 +- { "tlb_flush", STAT_OFFSET(tlb_flush) },
12483 +- { "invlpg", STAT_OFFSET(invlpg) },
12484 +- { "exits", STAT_OFFSET(exits) },
12485 +- { "io_exits", STAT_OFFSET(io_exits) },
12486 +- { "mmio_exits", STAT_OFFSET(mmio_exits) },
12487 +- { "signal_exits", STAT_OFFSET(signal_exits) },
12488 +- { "irq_window", STAT_OFFSET(irq_window_exits) },
12489 +- { "halt_exits", STAT_OFFSET(halt_exits) },
12490 +- { "request_irq", STAT_OFFSET(request_irq_exits) },
12491 +- { "irq_exits", STAT_OFFSET(irq_exits) },
12492 +- { "light_exits", STAT_OFFSET(light_exits) },
12493 +- { "efer_reload", STAT_OFFSET(efer_reload) },
12494 +- { NULL }
12495 ++ { "pf_fixed", STAT_OFFSET(pf_fixed), NULL },
12496 ++ { "pf_guest", STAT_OFFSET(pf_guest), NULL },
12497 ++ { "tlb_flush", STAT_OFFSET(tlb_flush), NULL },
12498 ++ { "invlpg", STAT_OFFSET(invlpg), NULL },
12499 ++ { "exits", STAT_OFFSET(exits), NULL },
12500 ++ { "io_exits", STAT_OFFSET(io_exits), NULL },
12501 ++ { "mmio_exits", STAT_OFFSET(mmio_exits), NULL },
12502 ++ { "signal_exits", STAT_OFFSET(signal_exits), NULL },
12503 ++ { "irq_window", STAT_OFFSET(irq_window_exits), NULL },
12504 ++ { "halt_exits", STAT_OFFSET(halt_exits), NULL },
12505 ++ { "request_irq", STAT_OFFSET(request_irq_exits), NULL },
12506 ++ { "irq_exits", STAT_OFFSET(irq_exits), NULL },
12507 ++ { "light_exits", STAT_OFFSET(light_exits), NULL },
12508 ++ { "efer_reload", STAT_OFFSET(efer_reload), NULL },
12509 ++ { NULL, 0, NULL }
12510 + };
12511 +
12512 + static struct dentry *debugfs_dir;
12513 +@@ -2255,7 +2255,7 @@ static int kvm_vcpu_ioctl_translate(stru
12514 + static int kvm_vcpu_ioctl_interrupt(struct kvm_vcpu *vcpu,
12515 + struct kvm_interrupt *irq)
12516 + {
12517 +- if (irq->irq < 0 || irq->irq >= 256)
12518 ++ if (irq->irq >= 256)
12519 + return -EINVAL;
12520 + vcpu_load(vcpu);
12521 +
12522 +@@ -2895,6 +2895,9 @@ static struct miscdevice kvm_dev = {
12523 + KVM_MINOR,
12524 + "kvm",
12525 + &kvm_chardev_ops,
12526 ++ {NULL, NULL},
12527 ++ NULL,
12528 ++ NULL
12529 + };
12530 +
12531 + static int kvm_reboot(struct notifier_block *notifier, unsigned long val,
12532 +diff -Nurp linux-2.6.23.15/drivers/kvm/vmx.c linux-2.6.23.15-grsec/drivers/kvm/vmx.c
12533 +--- linux-2.6.23.15/drivers/kvm/vmx.c 2008-02-11 10:36:03.000000000 +0000
12534 ++++ linux-2.6.23.15-grsec/drivers/kvm/vmx.c 2008-02-11 10:37:44.000000000 +0000
12535 +@@ -2148,7 +2148,7 @@ again:
12536 +
12537 + vcpu->interrupt_window_open = (vmcs_read32(GUEST_INTERRUPTIBILITY_INFO) & 3) == 0;
12538 +
12539 +- asm ("mov %0, %%ds; mov %0, %%es" : : "r"(__USER_DS));
12540 ++ asm ("mov %0, %%ds; mov %0, %%es" : : "r"(__KERNEL_DS));
12541 +
12542 + if (unlikely(fail)) {
12543 + kvm_run->exit_reason = KVM_EXIT_FAIL_ENTRY;
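Review bot: The host segment reload changing from `__USER_DS` to `__KERNEL_DS` after the VM exit carries no comment on why the selector must differ from upstream, and nothing in the hunk hints at it. A wrong %ds/%es here affects every kernel data access that follows a VM exit, so the reason belongs next to the asm, e.g. `/* PaX: reload %ds/%es with the kernel data selector; __USER_DS is not usable for kernel accesses in this configuration */` if that is indeed the motivation, naming the config option that requires it. The surrounding function body is outside the hunk.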
12544 +diff -Nurp linux-2.6.23.15/drivers/kvm/x86_emulate.c linux-2.6.23.15-grsec/drivers/kvm/x86_emulate.c
12545 +--- linux-2.6.23.15/drivers/kvm/x86_emulate.c 2008-02-11 10:36:03.000000000 +0000
12546 ++++ linux-2.6.23.15-grsec/drivers/kvm/x86_emulate.c 2008-02-11 10:37:44.000000000 +0000
12547 +@@ -823,7 +823,7 @@ done_prefixes:
12548 + case DstReg:
12549 + dst.type = OP_REG;
12550 + if ((d & ByteOp)
12551 +- && !(twobyte_table && (b == 0xb6 || b == 0xb7))) {
12552 ++ && !(twobyte && (b == 0xb6 || b == 0xb7))) {
12553 + dst.ptr = decode_register(modrm_reg, _regs,
12554 + (rex_prefix == 0));
12555 + dst.val = *(u8 *) dst.ptr;
12556 +diff -Nurp linux-2.6.23.15/drivers/md/bitmap.c linux-2.6.23.15-grsec/drivers/md/bitmap.c
12557 +--- linux-2.6.23.15/drivers/md/bitmap.c 2008-02-11 10:36:03.000000000 +0000
12558 ++++ linux-2.6.23.15-grsec/drivers/md/bitmap.c 2008-02-11 10:37:44.000000000 +0000
12559 +@@ -57,7 +57,7 @@
12560 + # if DEBUG > 0
12561 + # define PRINTK(x...) printk(KERN_DEBUG x)
12562 + # else
12563 +-# define PRINTK(x...)
12564 ++# define PRINTK(x...) do {} while (0)
12565 + # endif
12566 + #endif
12567 +
12568 +diff -Nurp linux-2.6.23.15/drivers/mtd/devices/doc2000.c linux-2.6.23.15-grsec/drivers/mtd/devices/doc2000.c
12569 +--- linux-2.6.23.15/drivers/mtd/devices/doc2000.c 2007-10-09 21:31:38.000000000 +0100
12570 ++++ linux-2.6.23.15-grsec/drivers/mtd/devices/doc2000.c 2008-02-11 10:37:44.000000000 +0000
12571 +@@ -632,7 +632,7 @@ static int doc_read(struct mtd_info *mtd
12572 + len = ((from | 0x1ff) + 1) - from;
12573 +
12574 + /* The ECC will not be calculated correctly if less than 512 is read */
12575 +- if (len != 0x200 && eccbuf)
12576 ++ if (len != 0x200)
12577 + printk(KERN_WARNING
12578 + "ECC needs a full sector read (adr: %lx size %lx)\n",
12579 + (long) from, (long) len);
12580 +diff -Nurp linux-2.6.23.15/drivers/mtd/devices/doc2001.c linux-2.6.23.15-grsec/drivers/mtd/devices/doc2001.c
12581 +--- linux-2.6.23.15/drivers/mtd/devices/doc2001.c 2007-10-09 21:31:38.000000000 +0100
12582 ++++ linux-2.6.23.15-grsec/drivers/mtd/devices/doc2001.c 2008-02-11 10:37:44.000000000 +0000
12583 +@@ -398,6 +398,8 @@ static int doc_read (struct mtd_info *mt
12584 + /* Don't allow read past end of device */
12585 + if (from >= this->totlen)
12586 + return -EINVAL;
12587 ++ if (!len)
12588 ++ return -EINVAL;
12589 +
12590 + /* Don't allow a single read to cross a 512-byte block boundary */
12591 + if (from + len > ((from | 0x1ff) + 1))
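Review bot: The added `if (!len) return -EINVAL;` turns a zero-length read into an error, whereas a zero-length read on an MTD device is conventionally a no-op that returns 0 with `*retlen` left at 0, so callers that issue `len == 0` reads may now start failing. If the guard protects arithmetic or a loop further down in doc_read, a one-line comment naming the statement it protects would justify the -EINVAL; otherwise returning 0 with `*retlen = 0` preserves the usual contract. The rest of doc_read is outside the hunk, so I cannot tell which it is.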
12592 +diff -Nurp linux-2.6.23.15/drivers/mtd/devices/doc2001plus.c linux-2.6.23.15-grsec/drivers/mtd/devices/doc2001plus.c
12593 +--- linux-2.6.23.15/drivers/mtd/devices/doc2001plus.c 2007-10-09 21:31:38.000000000 +0100
12594 ++++ linux-2.6.23.15-grsec/drivers/mtd/devices/doc2001plus.c 2008-02-11 10:37:44.000000000 +0000
12595 +@@ -748,7 +748,7 @@ static int doc_write(struct mtd_info *mt
12596 + WriteDOC(DoC_GetDataOffset(mtd, &fto), docptr, Mplus_FlashCmd);
12597 +
12598 + /* On interleaved devices the flags for 2nd half 512 are before data */
12599 +- if (eccbuf && before)
12600 ++ if (before)
12601 + fto -= 2;
12602 +
12603 + /* issue the Serial Data In command to initial the Page Program process */
12604 +diff -Nurp linux-2.6.23.15/drivers/mtd/devices/slram.c linux-2.6.23.15-grsec/drivers/mtd/devices/slram.c
12605 +--- linux-2.6.23.15/drivers/mtd/devices/slram.c 2007-10-09 21:31:38.000000000 +0100
12606 ++++ linux-2.6.23.15-grsec/drivers/mtd/devices/slram.c 2008-02-11 10:37:44.000000000 +0000
12607 +@@ -270,7 +270,7 @@ static int parse_cmdline(char *devname,
12608 + }
12609 + T("slram: devname=%s, devstart=0x%lx, devlength=0x%lx\n",
12610 + devname, devstart, devlength);
12611 +- if ((devstart < 0) || (devlength < 0) || (devlength % SLRAM_BLK_SZ != 0)) {
12612 ++ if (devlength % SLRAM_BLK_SZ != 0) {
12613 + E("slram: Illegal start / length parameter.\n");
12614 + return(-EINVAL);
12615 + }
12616 +diff -Nurp linux-2.6.23.15/drivers/mtd/ubi/build.c linux-2.6.23.15-grsec/drivers/mtd/ubi/build.c
12617 +--- linux-2.6.23.15/drivers/mtd/ubi/build.c 2007-10-09 21:31:38.000000000 +0100
12618 ++++ linux-2.6.23.15-grsec/drivers/mtd/ubi/build.c 2008-02-11 10:37:44.000000000 +0000
12619 +@@ -727,7 +727,7 @@ static int __init bytes_str_to_int(const
12620 + unsigned long result;
12621 +
12622 + result = simple_strtoul(str, &endp, 0);
12623 +- if (str == endp || result < 0) {
12624 ++ if (str == endp) {
12625 + printk("UBI error: incorrect bytes count: \"%s\"\n", str);
12626 + return -EINVAL;
12627 + }
12628 +diff -Nurp linux-2.6.23.15/drivers/net/eepro100.c linux-2.6.23.15-grsec/drivers/net/eepro100.c
12629 +--- linux-2.6.23.15/drivers/net/eepro100.c 2007-10-09 21:31:38.000000000 +0100
12630 ++++ linux-2.6.23.15-grsec/drivers/net/eepro100.c 2008-02-11 10:37:44.000000000 +0000
12631 +@@ -47,7 +47,7 @@ static int rxdmacount /* = 0 */;
12632 + # define rx_align(skb) skb_reserve((skb), 2)
12633 + # define RxFD_ALIGNMENT __attribute__ ((aligned (2), packed))
12634 + #else
12635 +-# define rx_align(skb)
12636 ++# define rx_align(skb) do {} while (0)
12637 + # define RxFD_ALIGNMENT
12638 + #endif
12639 +
12640 +@@ -2344,33 +2344,33 @@ static void __devexit eepro100_remove_on
12641 + }
12642 +
12643 + static struct pci_device_id eepro100_pci_tbl[] = {
12644 +- { PCI_VENDOR_ID_INTEL, 0x1229, PCI_ANY_ID, PCI_ANY_ID, },
12645 +- { PCI_VENDOR_ID_INTEL, 0x1209, PCI_ANY_ID, PCI_ANY_ID, },
12646 +- { PCI_VENDOR_ID_INTEL, 0x1029, PCI_ANY_ID, PCI_ANY_ID, },
12647 +- { PCI_VENDOR_ID_INTEL, 0x1030, PCI_ANY_ID, PCI_ANY_ID, },
12648 +- { PCI_VENDOR_ID_INTEL, 0x1031, PCI_ANY_ID, PCI_ANY_ID, },
12649 +- { PCI_VENDOR_ID_INTEL, 0x1032, PCI_ANY_ID, PCI_ANY_ID, },
12650 +- { PCI_VENDOR_ID_INTEL, 0x1033, PCI_ANY_ID, PCI_ANY_ID, },
12651 +- { PCI_VENDOR_ID_INTEL, 0x1034, PCI_ANY_ID, PCI_ANY_ID, },
12652 +- { PCI_VENDOR_ID_INTEL, 0x1035, PCI_ANY_ID, PCI_ANY_ID, },
12653 +- { PCI_VENDOR_ID_INTEL, 0x1036, PCI_ANY_ID, PCI_ANY_ID, },
12654 +- { PCI_VENDOR_ID_INTEL, 0x1037, PCI_ANY_ID, PCI_ANY_ID, },
12655 +- { PCI_VENDOR_ID_INTEL, 0x1038, PCI_ANY_ID, PCI_ANY_ID, },
12656 +- { PCI_VENDOR_ID_INTEL, 0x1039, PCI_ANY_ID, PCI_ANY_ID, },
12657 +- { PCI_VENDOR_ID_INTEL, 0x103A, PCI_ANY_ID, PCI_ANY_ID, },
12658 +- { PCI_VENDOR_ID_INTEL, 0x103B, PCI_ANY_ID, PCI_ANY_ID, },
12659 +- { PCI_VENDOR_ID_INTEL, 0x103C, PCI_ANY_ID, PCI_ANY_ID, },
12660 +- { PCI_VENDOR_ID_INTEL, 0x103D, PCI_ANY_ID, PCI_ANY_ID, },
12661 +- { PCI_VENDOR_ID_INTEL, 0x103E, PCI_ANY_ID, PCI_ANY_ID, },
12662 +- { PCI_VENDOR_ID_INTEL, 0x1050, PCI_ANY_ID, PCI_ANY_ID, },
12663 +- { PCI_VENDOR_ID_INTEL, 0x1059, PCI_ANY_ID, PCI_ANY_ID, },
12664 +- { PCI_VENDOR_ID_INTEL, 0x1227, PCI_ANY_ID, PCI_ANY_ID, },
12665 +- { PCI_VENDOR_ID_INTEL, 0x2449, PCI_ANY_ID, PCI_ANY_ID, },
12666 +- { PCI_VENDOR_ID_INTEL, 0x2459, PCI_ANY_ID, PCI_ANY_ID, },
12667 +- { PCI_VENDOR_ID_INTEL, 0x245D, PCI_ANY_ID, PCI_ANY_ID, },
12668 +- { PCI_VENDOR_ID_INTEL, 0x5200, PCI_ANY_ID, PCI_ANY_ID, },
12669 +- { PCI_VENDOR_ID_INTEL, 0x5201, PCI_ANY_ID, PCI_ANY_ID, },
12670 +- { 0,}
12671 ++ { PCI_VENDOR_ID_INTEL, 0x1229, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
12672 ++ { PCI_VENDOR_ID_INTEL, 0x1209, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
12673 ++ { PCI_VENDOR_ID_INTEL, 0x1029, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
12674 ++ { PCI_VENDOR_ID_INTEL, 0x1030, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
12675 ++ { PCI_VENDOR_ID_INTEL, 0x1031, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
12676 ++ { PCI_VENDOR_ID_INTEL, 0x1032, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
12677 ++ { PCI_VENDOR_ID_INTEL, 0x1033, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
12678 ++ { PCI_VENDOR_ID_INTEL, 0x1034, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
12679 ++ { PCI_VENDOR_ID_INTEL, 0x1035, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
12680 ++ { PCI_VENDOR_ID_INTEL, 0x1036, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
12681 ++ { PCI_VENDOR_ID_INTEL, 0x1037, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
12682 ++ { PCI_VENDOR_ID_INTEL, 0x1038, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
12683 ++ { PCI_VENDOR_ID_INTEL, 0x1039, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
12684 ++ { PCI_VENDOR_ID_INTEL, 0x103A, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
12685 ++ { PCI_VENDOR_ID_INTEL, 0x103B, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
12686 ++ { PCI_VENDOR_ID_INTEL, 0x103C, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
12687 ++ { PCI_VENDOR_ID_INTEL, 0x103D, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
12688 ++ { PCI_VENDOR_ID_INTEL, 0x103E, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
12689 ++ { PCI_VENDOR_ID_INTEL, 0x1050, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
12690 ++ { PCI_VENDOR_ID_INTEL, 0x1059, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
12691 ++ { PCI_VENDOR_ID_INTEL, 0x1227, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
12692 ++ { PCI_VENDOR_ID_INTEL, 0x2449, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
12693 ++ { PCI_VENDOR_ID_INTEL, 0x2459, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
12694 ++ { PCI_VENDOR_ID_INTEL, 0x245D, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
12695 ++ { PCI_VENDOR_ID_INTEL, 0x5200, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
12696 ++ { PCI_VENDOR_ID_INTEL, 0x5201, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
12697 ++ { 0, 0, 0, 0, 0, 0, 0 }
12698 + };
12699 + MODULE_DEVICE_TABLE(pci, eepro100_pci_tbl);
12700 +
12701 +diff -Nurp linux-2.6.23.15/drivers/net/irda/vlsi_ir.c linux-2.6.23.15-grsec/drivers/net/irda/vlsi_ir.c
12702 +--- linux-2.6.23.15/drivers/net/irda/vlsi_ir.c 2007-10-09 21:31:38.000000000 +0100
12703 ++++ linux-2.6.23.15-grsec/drivers/net/irda/vlsi_ir.c 2008-02-11 10:37:44.000000000 +0000
12704 +@@ -906,13 +906,12 @@ static int vlsi_hard_start_xmit(struct s
12705 + /* no race - tx-ring already empty */
12706 + vlsi_set_baud(idev, iobase);
12707 + netif_wake_queue(ndev);
12708 +- }
12709 +- else
12710 +- ;
12711 ++ } else {
12712 + /* keep the speed change pending like it would
12713 + * for any len>0 packet. tx completion interrupt
12714 + * will apply it when the tx ring becomes empty.
12715 + */
12716 ++ }
12717 + spin_unlock_irqrestore(&idev->lock, flags);
12718 + dev_kfree_skb_any(skb);
12719 + return 0;
12720 +diff -Nurp linux-2.6.23.15/drivers/net/pcnet32.c linux-2.6.23.15-grsec/drivers/net/pcnet32.c
12721 +--- linux-2.6.23.15/drivers/net/pcnet32.c 2007-10-09 21:31:38.000000000 +0100
12722 ++++ linux-2.6.23.15-grsec/drivers/net/pcnet32.c 2008-02-11 10:37:44.000000000 +0000
12723 +@@ -82,7 +82,7 @@ static int cards_found;
12724 + /*
12725 + * VLB I/O addresses
12726 + */
12727 +-static unsigned int pcnet32_portlist[] __initdata =
12728 ++static unsigned int pcnet32_portlist[] __devinitdata =
12729 + { 0x300, 0x320, 0x340, 0x360, 0 };
12730 +
12731 + static int pcnet32_debug = 0;
12732 +diff -Nurp linux-2.6.23.15/drivers/net/tg3.h linux-2.6.23.15-grsec/drivers/net/tg3.h
12733 +--- linux-2.6.23.15/drivers/net/tg3.h 2007-10-09 21:31:38.000000000 +0100
12734 ++++ linux-2.6.23.15-grsec/drivers/net/tg3.h 2008-02-11 10:37:44.000000000 +0000
12735 +@@ -127,6 +127,7 @@
12736 + #define CHIPREV_ID_5750_A0 0x4000
12737 + #define CHIPREV_ID_5750_A1 0x4001
12738 + #define CHIPREV_ID_5750_A3 0x4003
12739 ++#define CHIPREV_ID_5750_C1 0x4201
12740 + #define CHIPREV_ID_5750_C2 0x4202
12741 + #define CHIPREV_ID_5752_A0_HW 0x5000
12742 + #define CHIPREV_ID_5752_A0 0x6000
12743 +diff -Nurp linux-2.6.23.15/drivers/pci/hotplug/cpqphp_nvram.c linux-2.6.23.15-grsec/drivers/pci/hotplug/cpqphp_nvram.c
12744 +--- linux-2.6.23.15/drivers/pci/hotplug/cpqphp_nvram.c 2007-10-09 21:31:38.000000000 +0100
12745 ++++ linux-2.6.23.15-grsec/drivers/pci/hotplug/cpqphp_nvram.c 2008-02-11 10:37:44.000000000 +0000
12746 +@@ -425,9 +425,13 @@ static u32 store_HRT (void __iomem *rom_
12747 +
12748 + void compaq_nvram_init (void __iomem *rom_start)
12749 + {
12750 ++
12751 ++#ifndef CONFIG_PAX_KERNEXEC
12752 + if (rom_start) {
12753 + compaq_int15_entry_point = (rom_start + ROM_INT15_PHY_ADDR - ROM_PHY_ADDR);
12754 + }
12755 ++#endif
12756 ++
12757 + dbg("int15 entry = %p\n", compaq_int15_entry_point);
12758 +
12759 + /* initialize our int15 lock */
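Review bot: Under CONFIG_PAX_KERNEXEC the assignment of `compaq_int15_entry_point` is compiled out, so the variable keeps whatever it held before (presumably NULL) and every later BIOS int15 call in this driver runs against that; nothing in the hunk says why the ROM entry point cannot be used under KERNEXEC or whether the callers test the pointer first. A comment on the `#ifndef`, e.g. `/* PAX_KERNEXEC: the ROM int15 entry is deliberately left unset here; callers must check compaq_int15_entry_point */`, plus a glance at those callers, would settle it. compaq_nvram_init continues outside the hunk.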
12760 +diff -Nurp linux-2.6.23.15/drivers/pci/pcie/aer/aerdrv.c linux-2.6.23.15-grsec/drivers/pci/pcie/aer/aerdrv.c
12761 +--- linux-2.6.23.15/drivers/pci/pcie/aer/aerdrv.c 2007-10-09 21:31:38.000000000 +0100
12762 ++++ linux-2.6.23.15-grsec/drivers/pci/pcie/aer/aerdrv.c 2008-02-11 10:37:44.000000000 +0000
12763 +@@ -58,7 +58,7 @@ static struct pcie_port_service_id aer_i
12764 + .port_type = PCIE_RC_PORT,
12765 + .service_type = PCIE_PORT_SERVICE_AER,
12766 + },
12767 +- { /* end: all zeroes */ }
12768 ++ { 0, 0, 0, 0, 0, 0, 0, 0, 0 }
12769 + };
12770 +
12771 + static struct pci_error_handlers aer_error_handlers = {
12772 +diff -Nurp linux-2.6.23.15/drivers/pci/pcie/aer/aerdrv_core.c linux-2.6.23.15-grsec/drivers/pci/pcie/aer/aerdrv_core.c
12773 +--- linux-2.6.23.15/drivers/pci/pcie/aer/aerdrv_core.c 2007-10-09 21:31:38.000000000 +0100
12774 ++++ linux-2.6.23.15-grsec/drivers/pci/pcie/aer/aerdrv_core.c 2008-02-11 10:37:44.000000000 +0000
12775 +@@ -660,7 +660,7 @@ static void aer_isr_one_error(struct pci
12776 + struct aer_err_source *e_src)
12777 + {
12778 + struct device *s_device;
12779 +- struct aer_err_info e_info = {0, 0, 0,};
12780 ++ struct aer_err_info e_info = {0, 0, 0, {0, 0, 0, 0}};
12781 + int i;
12782 + u16 id;
12783 +
12784 +diff -Nurp linux-2.6.23.15/drivers/pci/pcie/portdrv_pci.c linux-2.6.23.15-grsec/drivers/pci/pcie/portdrv_pci.c
12785 +--- linux-2.6.23.15/drivers/pci/pcie/portdrv_pci.c 2007-10-09 21:31:38.000000000 +0100
12786 ++++ linux-2.6.23.15-grsec/drivers/pci/pcie/portdrv_pci.c 2008-02-11 10:37:44.000000000 +0000
12787 +@@ -265,7 +265,7 @@ static void pcie_portdrv_err_resume(stru
12788 + static const struct pci_device_id port_pci_ids[] = { {
12789 + /* handle any PCI-Express port */
12790 + PCI_DEVICE_CLASS(((PCI_CLASS_BRIDGE_PCI << 8) | 0x00), ~0),
12791 +- }, { /* end: all zeroes */ }
12792 ++ }, { 0, 0, 0, 0, 0, 0, 0 }
12793 + };
12794 + MODULE_DEVICE_TABLE(pci, port_pci_ids);
12795 +
12796 +diff -Nurp linux-2.6.23.15/drivers/pci/proc.c linux-2.6.23.15-grsec/drivers/pci/proc.c
12797 +--- linux-2.6.23.15/drivers/pci/proc.c 2007-10-09 21:31:38.000000000 +0100
12798 ++++ linux-2.6.23.15-grsec/drivers/pci/proc.c 2008-02-11 10:37:44.000000000 +0000
12799 +@@ -466,7 +466,15 @@ static int __init pci_proc_init(void)
12800 + {
12801 + struct proc_dir_entry *entry;
12802 + struct pci_dev *dev = NULL;
12803 ++#ifdef CONFIG_GRKERNSEC_PROC_ADD
12804 ++#ifdef CONFIG_GRKERNSEC_PROC_USER
12805 ++ proc_bus_pci_dir = proc_mkdir_mode("pci", S_IRUSR | S_IXUSR, proc_bus);
12806 ++#elif CONFIG_GRKERNSEC_PROC_USERGROUP
12807 ++ proc_bus_pci_dir = proc_mkdir_mode("pci", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, proc_bus);
12808 ++#endif
12809 ++#else
12810 + proc_bus_pci_dir = proc_mkdir("pci", proc_bus);
12811 ++#endif
12812 + entry = create_proc_entry("devices", 0, proc_bus_pci_dir);
12813 + if (entry)
12814 + entry->proc_fops = &proc_bus_pci_dev_operations;
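Review bot: `#elif CONFIG_GRKERNSEC_PROC_USERGROUP` tests the macro's value rather than its definedness, which is inconsistent with the `#ifdef` one line above and trips `-Wundef`; the conventional form is `#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)`. The inner chain also has no fallback: with CONFIG_GRKERNSEC_PROC_ADD set but neither USER nor USERGROUP defined, `proc_bus_pci_dir` is never assigned and `create_proc_entry("devices", ...)` runs with whatever it held, so either Kconfig must guarantee one of the two or an `#else` carrying the plain `proc_mkdir("pci", proc_bus)` belongs inside the PROC_ADD branch. pci_proc_init continues outside the hunk.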
12815 +diff -Nurp linux-2.6.23.15/drivers/pcmcia/ti113x.h linux-2.6.23.15-grsec/drivers/pcmcia/ti113x.h
12816 +--- linux-2.6.23.15/drivers/pcmcia/ti113x.h 2007-10-09 21:31:38.000000000 +0100
12817 ++++ linux-2.6.23.15-grsec/drivers/pcmcia/ti113x.h 2008-02-11 10:37:44.000000000 +0000
12818 +@@ -897,7 +897,7 @@ static struct pci_device_id ene_tune_tbl
12819 + DEVID(PCI_VENDOR_ID_MOTOROLA, 0x3410, 0xECC0, PCI_ANY_ID,
12820 + ENE_TEST_C9_TLTENABLE | ENE_TEST_C9_PFENABLE, ENE_TEST_C9_TLTENABLE),
12821 +
12822 +- {}
12823 ++ { 0, 0, 0, 0, 0, 0, 0 }
12824 + };
12825 +
12826 + static void ene_tune_bridge(struct pcmcia_socket *sock, struct pci_bus *bus)
12827 +diff -Nurp linux-2.6.23.15/drivers/pcmcia/yenta_socket.c linux-2.6.23.15-grsec/drivers/pcmcia/yenta_socket.c
12828 +--- linux-2.6.23.15/drivers/pcmcia/yenta_socket.c 2007-10-09 21:31:38.000000000 +0100
12829 ++++ linux-2.6.23.15-grsec/drivers/pcmcia/yenta_socket.c 2008-02-11 10:37:44.000000000 +0000
12830 +@@ -1358,7 +1358,7 @@ static struct pci_device_id yenta_table
12831 +
12832 + /* match any cardbus bridge */
12833 + CB_ID(PCI_ANY_ID, PCI_ANY_ID, DEFAULT),
12834 +- { /* all zeroes */ }
12835 ++ { 0, 0, 0, 0, 0, 0, 0 }
12836 + };
12837 + MODULE_DEVICE_TABLE(pci, yenta_table);
12838 +
12839 +diff -Nurp linux-2.6.23.15/drivers/pnp/pnpbios/bioscalls.c linux-2.6.23.15-grsec/drivers/pnp/pnpbios/bioscalls.c
12840 +--- linux-2.6.23.15/drivers/pnp/pnpbios/bioscalls.c 2007-10-09 21:31:38.000000000 +0100
12841 ++++ linux-2.6.23.15-grsec/drivers/pnp/pnpbios/bioscalls.c 2008-02-11 10:37:44.000000000 +0000
12842 +@@ -61,7 +61,7 @@ set_base(gdt[(selname) >> 3], (u32)(addr
12843 + set_limit(gdt[(selname) >> 3], size); \
12844 + } while(0)
12845 +
12846 +-static struct desc_struct bad_bios_desc = { 0, 0x00409200 };
12847 ++static struct desc_struct bad_bios_desc __read_only = { 0, 0x00409300 };
12848 +
12849 + /*
12850 + * At some point we want to use this stack frame pointer to unwind
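Review bot: The attribute change from 0x00409200 to 0x00409300 flips bit 0 of the descriptor's type byte — the accessed bit on x86 data descriptors — and nothing records why it is done alongside marking `bad_bios_desc` `__read_only`; presumably it is so the CPU never needs to write the accessed bit into a descriptor that may now live in write-protected memory, which is not something a reader will guess. A comment on the definition, e.g. `/* accessed bit pre-set: the CPU must never have to write this read-only descriptor */`, would document it.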
12851 +@@ -88,6 +88,10 @@ static inline u16 call_pnp_bios(u16 func
12852 + struct desc_struct save_desc_40;
12853 + int cpu;
12854 +
12855 ++#ifdef CONFIG_PAX_KERNEXEC
12856 ++ unsigned long cr0;
12857 ++#endif
12858 ++
12859 + /*
12860 + * PnP BIOSes are generally not terribly re-entrant.
12861 + * Also, don't rely on them to save everything correctly.
12862 +@@ -97,8 +101,17 @@ static inline u16 call_pnp_bios(u16 func
12863 +
12864 + cpu = get_cpu();
12865 + save_desc_40 = get_cpu_gdt_table(cpu)[0x40 / 8];
12866 ++
12867 ++#ifdef CONFIG_PAX_KERNEXEC
12868 ++ pax_open_kernel(cr0);
12869 ++#endif
12870 ++
12871 + get_cpu_gdt_table(cpu)[0x40 / 8] = bad_bios_desc;
12872 +
12873 ++#ifdef CONFIG_PAX_KERNEXEC
12874 ++ pax_close_kernel(cr0);
12875 ++#endif
12876 ++
12877 + /* On some boxes IRQ's during PnP BIOS calls are deadly. */
12878 + spin_lock_irqsave(&pnp_bios_lock, flags);
12879 +
12880 +@@ -135,7 +148,16 @@ static inline u16 call_pnp_bios(u16 func
12881 + :"memory");
12882 + spin_unlock_irqrestore(&pnp_bios_lock, flags);
12883 +
12884 ++#ifdef CONFIG_PAX_KERNEXEC
12885 ++ pax_open_kernel(cr0);
12886 ++#endif
12887 ++
12888 + get_cpu_gdt_table(cpu)[0x40 / 8] = save_desc_40;
12889 ++
12890 ++#ifdef CONFIG_PAX_KERNEXEC
12891 ++ pax_close_kernel(cr0);
12892 ++#endif
12893 ++
12894 + put_cpu();
12895 +
12896 + /* If we get here and this is set then the PnP BIOS faulted on us. */
12897 +@@ -469,16 +491,25 @@ int pnp_bios_read_escd(char *data, u32 n
12898 + return status;
12899 + }
12900 +
12901 +-void pnpbios_calls_init(union pnp_bios_install_struct *header)
12902 ++void __init pnpbios_calls_init(union pnp_bios_install_struct *header)
12903 + {
12904 + int i;
12905 +
12906 ++#ifdef CONFIG_PAX_KERNEXEC
12907 ++ unsigned long cr0;
12908 ++#endif
12909 ++
12910 + spin_lock_init(&pnp_bios_lock);
12911 + pnp_bios_callpoint.offset = header->fields.pm16offset;
12912 + pnp_bios_callpoint.segment = PNP_CS16;
12913 +
12914 + set_base(bad_bios_desc, __va((unsigned long)0x40 << 4));
12915 + _set_limit((char *)&bad_bios_desc, 4095 - (0x40 << 4));
12916 ++
12917 ++#ifdef CONFIG_PAX_KERNEXEC
12918 ++ pax_open_kernel(cr0);
12919 ++#endif
12920 ++
12921 + for (i = 0; i < NR_CPUS; i++) {
12922 + struct desc_struct *gdt = get_cpu_gdt_table(i);
12923 + if (!gdt)
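Review bot: `bad_bios_desc` is now declared `__read_only` (hunk at -61,7), yet `set_base(bad_bios_desc, ...)` and `_set_limit((char *)&bad_bios_desc, ...)` at the top of this hunk still write to it before the `pax_open_kernel(cr0)` that follows a few lines later; if `__read_only` places the object in a write-protected section under CONFIG_PAX_KERNEXEC, those two writes fault at init. Moving the `#ifdef CONFIG_PAX_KERNEXEC` / `pax_open_kernel(cr0)` block above the `set_base` line, so it covers both the descriptor fix-up and the GDT loop, closes the window; the matching `pax_close_kernel` sits in the next hunk. I am reading the semantics of `__read_only` from its name, so confirm against its definition.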
12924 +@@ -489,4 +520,9 @@ void pnpbios_calls_init(union pnp_bios_i
12925 + set_base(gdt[GDT_ENTRY_PNPBIOS_DS],
12926 + __va(header->fields.pm16dseg));
12927 + }
12928 ++
12929 ++#ifdef CONFIG_PAX_KERNEXEC
12930 ++ pax_close_kernel(cr0);
12931 ++#endif
12932 ++
12933 + }
12934 +diff -Nurp linux-2.6.23.15/drivers/pnp/quirks.c linux-2.6.23.15-grsec/drivers/pnp/quirks.c
12935 +--- linux-2.6.23.15/drivers/pnp/quirks.c 2007-10-09 21:31:38.000000000 +0100
12936 ++++ linux-2.6.23.15-grsec/drivers/pnp/quirks.c 2008-02-11 10:37:44.000000000 +0000
12937 +@@ -127,7 +127,7 @@ static struct pnp_fixup pnp_fixups[] = {
12938 + {"CTL0043", quirk_sb16audio_resources},
12939 + {"CTL0044", quirk_sb16audio_resources},
12940 + {"CTL0045", quirk_sb16audio_resources},
12941 +- {""}
12942 ++ {"", NULL}
12943 + };
12944 +
12945 + void pnp_fixup_device(struct pnp_dev *dev)
12946 +diff -Nurp linux-2.6.23.15/drivers/pnp/resource.c linux-2.6.23.15-grsec/drivers/pnp/resource.c
12947 +--- linux-2.6.23.15/drivers/pnp/resource.c 2007-10-09 21:31:38.000000000 +0100
12948 ++++ linux-2.6.23.15-grsec/drivers/pnp/resource.c 2008-02-11 10:37:44.000000000 +0000
12949 +@@ -345,7 +345,7 @@ int pnp_check_irq(struct pnp_dev *dev, i
12950 + return 1;
12951 +
12952 + /* check if the resource is valid */
12953 +- if (*irq < 0 || *irq > 15)
12954 ++ if (*irq > 15)
12955 + return 0;
12956 +
12957 + /* check if the resource is reserved */
12958 +@@ -412,7 +412,7 @@ int pnp_check_dma(struct pnp_dev *dev, i
12959 + return 1;
12960 +
12961 + /* check if the resource is valid */
12962 +- if (*dma < 0 || *dma == 4 || *dma > 7)
12963 ++ if (*dma == 4 || *dma > 7)
12964 + return 0;
12965 +
12966 + /* check if the resource is reserved */
12967 +diff -Nurp linux-2.6.23.15/drivers/scsi/scsi_lib.c linux-2.6.23.15-grsec/drivers/scsi/scsi_lib.c
12968 +--- linux-2.6.23.15/drivers/scsi/scsi_lib.c 2007-10-09 21:31:38.000000000 +0100
12969 ++++ linux-2.6.23.15-grsec/drivers/scsi/scsi_lib.c 2008-02-11 10:37:44.000000000 +0000
12970 +@@ -44,7 +44,7 @@ struct scsi_host_sg_pool {
12971 + #error SCSI_MAX_PHYS_SEGMENTS is too small
12972 + #endif
12973 +
12974 +-#define SP(x) { x, "sgpool-" #x }
12975 ++#define SP(x) { x, "sgpool-" #x, NULL, NULL }
12976 + static struct scsi_host_sg_pool scsi_sg_pools[] = {
12977 + SP(8),
12978 + SP(16),
12979 +diff -Nurp linux-2.6.23.15/drivers/scsi/scsi_logging.h linux-2.6.23.15-grsec/drivers/scsi/scsi_logging.h
12980 +--- linux-2.6.23.15/drivers/scsi/scsi_logging.h 2007-10-09 21:31:38.000000000 +0100
12981 ++++ linux-2.6.23.15-grsec/drivers/scsi/scsi_logging.h 2008-02-11 10:37:44.000000000 +0000
12982 +@@ -51,7 +51,7 @@ do { \
12983 + } while (0); \
12984 + } while (0)
12985 + #else
12986 +-#define SCSI_CHECK_LOGGING(SHIFT, BITS, LEVEL, CMD)
12987 ++#define SCSI_CHECK_LOGGING(SHIFT, BITS, LEVEL, CMD) do {} while (0)
12988 + #endif /* CONFIG_SCSI_LOGGING */
12989 +
12990 + /*
12991 +diff -Nurp linux-2.6.23.15/drivers/serial/8250_pci.c linux-2.6.23.15-grsec/drivers/serial/8250_pci.c
12992 +--- linux-2.6.23.15/drivers/serial/8250_pci.c 2007-10-09 21:31:38.000000000 +0100
12993 ++++ linux-2.6.23.15-grsec/drivers/serial/8250_pci.c 2008-02-11 10:37:44.000000000 +0000
12994 +@@ -2589,7 +2589,7 @@ static struct pci_device_id serial_pci_t
12995 + PCI_ANY_ID, PCI_ANY_ID,
12996 + PCI_CLASS_COMMUNICATION_MULTISERIAL << 8,
12997 + 0xffff00, pbn_default },
12998 +- { 0, }
12999 ++ { 0, 0, 0, 0, 0, 0, 0 }
13000 + };
13001 +
13002 + static struct pci_driver serial_pci_driver = {
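Review bot: The terminating entry `{ 0, 0, 0, 0, 0, 0, 0 }` spells out one zero per member, so it silently ties the sentinel to the current layout of struct pci_device_id and has to be revisited whenever that struct gains or loses a field; a designated initializer such as `{ .vendor = 0 }` expresses the same all-zero terminator without depending on the member count, and it should satisfy the same missing-field-initializer warning this change presumably targets. The same pattern is used in the cdc-acm, usblp, hub.c, ehci-pci, uhci-hcd, usb-storage and i810_main hunks. The array definition begins outside the hunk.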
13003 +diff -Nurp linux-2.6.23.15/drivers/usb/class/cdc-acm.c linux-2.6.23.15-grsec/drivers/usb/class/cdc-acm.c
13004 +--- linux-2.6.23.15/drivers/usb/class/cdc-acm.c 2007-10-09 21:31:38.000000000 +0100
13005 ++++ linux-2.6.23.15-grsec/drivers/usb/class/cdc-acm.c 2008-02-11 10:37:44.000000000 +0000
13006 +@@ -1199,7 +1199,7 @@ static struct usb_device_id acm_ids[] =
13007 + USB_CDC_ACM_PROTO_AT_CDMA) },
13008 +
13009 + /* NOTE: COMM/ACM/0xff is likely MSFT RNDIS ... NOT a modem!! */
13010 +- { }
13011 ++ { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 }
13012 + };
13013 +
13014 + MODULE_DEVICE_TABLE (usb, acm_ids);
13015 +diff -Nurp linux-2.6.23.15/drivers/usb/class/usblp.c linux-2.6.23.15-grsec/drivers/usb/class/usblp.c
13016 +--- linux-2.6.23.15/drivers/usb/class/usblp.c 2007-10-09 21:31:38.000000000 +0100
13017 ++++ linux-2.6.23.15-grsec/drivers/usb/class/usblp.c 2008-02-11 10:37:44.000000000 +0000
13018 +@@ -225,7 +225,7 @@ static const struct quirk_printer_struct
13019 + { 0x0409, 0xf1be, USBLP_QUIRK_BIDIR }, /* NEC Picty800 (HP OEM) */
13020 + { 0x0482, 0x0010, USBLP_QUIRK_BIDIR }, /* Kyocera Mita FS 820, by zut <kernel@×××.de> */
13021 + { 0x04b8, 0x0202, USBLP_QUIRK_BAD_CLASS }, /* Seiko Epson Receipt Printer M129C */
13022 +- { 0, 0 }
13023 ++ { 0, 0, 0 }
13024 + };
13025 +
13026 + static int usblp_wwait(struct usblp *usblp, int nonblock);
13027 +@@ -1376,7 +1376,7 @@ static struct usb_device_id usblp_ids []
13028 + { USB_INTERFACE_INFO(7, 1, 2) },
13029 + { USB_INTERFACE_INFO(7, 1, 3) },
13030 + { USB_DEVICE(0x04b8, 0x0202) }, /* Seiko Epson Receipt Printer M129C */
13031 +- { } /* Terminating entry */
13032 ++ { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 } /* Terminating entry */
13033 + };
13034 +
13035 + MODULE_DEVICE_TABLE (usb, usblp_ids);
13036 +diff -Nurp linux-2.6.23.15/drivers/usb/core/hub.c linux-2.6.23.15-grsec/drivers/usb/core/hub.c
13037 +--- linux-2.6.23.15/drivers/usb/core/hub.c 2008-02-11 10:36:03.000000000 +0000
13038 ++++ linux-2.6.23.15-grsec/drivers/usb/core/hub.c 2008-02-11 10:37:44.000000000 +0000
13039 +@@ -2762,7 +2762,7 @@ static struct usb_device_id hub_id_table
13040 + .bDeviceClass = USB_CLASS_HUB},
13041 + { .match_flags = USB_DEVICE_ID_MATCH_INT_CLASS,
13042 + .bInterfaceClass = USB_CLASS_HUB},
13043 +- { } /* Terminating entry */
13044 ++ { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 } /* Terminating entry */
13045 + };
13046 +
13047 + MODULE_DEVICE_TABLE (usb, hub_id_table);
13048 +diff -Nurp linux-2.6.23.15/drivers/usb/host/ehci-pci.c linux-2.6.23.15-grsec/drivers/usb/host/ehci-pci.c
13049 +--- linux-2.6.23.15/drivers/usb/host/ehci-pci.c 2007-10-09 21:31:38.000000000 +0100
13050 ++++ linux-2.6.23.15-grsec/drivers/usb/host/ehci-pci.c 2008-02-11 10:37:44.000000000 +0000
13051 +@@ -377,7 +377,7 @@ static const struct pci_device_id pci_id
13052 + PCI_DEVICE_CLASS(PCI_CLASS_SERIAL_USB_EHCI, ~0),
13053 + .driver_data = (unsigned long) &ehci_pci_hc_driver,
13054 + },
13055 +- { /* end: all zeroes */ }
13056 ++ { 0, 0, 0, 0, 0, 0, 0 }
13057 + };
13058 + MODULE_DEVICE_TABLE(pci, pci_ids);
13059 +
13060 +diff -Nurp linux-2.6.23.15/drivers/usb/host/uhci-hcd.c linux-2.6.23.15-grsec/drivers/usb/host/uhci-hcd.c
13061 +--- linux-2.6.23.15/drivers/usb/host/uhci-hcd.c 2007-10-09 21:31:38.000000000 +0100
13062 ++++ linux-2.6.23.15-grsec/drivers/usb/host/uhci-hcd.c 2008-02-11 10:37:44.000000000 +0000
13063 +@@ -894,7 +894,7 @@ static const struct pci_device_id uhci_p
13064 + /* handle any USB UHCI controller */
13065 + PCI_DEVICE_CLASS(PCI_CLASS_SERIAL_USB_UHCI, ~0),
13066 + .driver_data = (unsigned long) &uhci_driver,
13067 +- }, { /* end: all zeroes */ }
13068 ++ }, { 0, 0, 0, 0, 0, 0, 0 }
13069 + };
13070 +
13071 + MODULE_DEVICE_TABLE(pci, uhci_pci_ids);
13072 +diff -Nurp linux-2.6.23.15/drivers/usb/storage/debug.h linux-2.6.23.15-grsec/drivers/usb/storage/debug.h
13073 +--- linux-2.6.23.15/drivers/usb/storage/debug.h 2007-10-09 21:31:38.000000000 +0100
13074 ++++ linux-2.6.23.15-grsec/drivers/usb/storage/debug.h 2008-02-11 10:37:44.000000000 +0000
13075 +@@ -56,9 +56,9 @@ void usb_stor_show_sense( unsigned char
13076 + #define US_DEBUGPX(x...) printk( x )
13077 + #define US_DEBUG(x) x
13078 + #else
13079 +-#define US_DEBUGP(x...)
13080 +-#define US_DEBUGPX(x...)
13081 +-#define US_DEBUG(x)
13082 ++#define US_DEBUGP(x...) do {} while (0)
13083 ++#define US_DEBUGPX(x...) do {} while (0)
13084 ++#define US_DEBUG(x) do {} while (0)
13085 + #endif
13086 +
13087 + #endif
13088 +diff -Nurp linux-2.6.23.15/drivers/usb/storage/usb.c linux-2.6.23.15-grsec/drivers/usb/storage/usb.c
13089 +--- linux-2.6.23.15/drivers/usb/storage/usb.c 2007-10-09 21:31:38.000000000 +0100
13090 ++++ linux-2.6.23.15-grsec/drivers/usb/storage/usb.c 2008-02-11 10:37:44.000000000 +0000
13091 +@@ -134,7 +134,7 @@ static struct usb_device_id storage_usb_
13092 + #undef UNUSUAL_DEV
13093 + #undef USUAL_DEV
13094 + /* Terminating entry */
13095 +- { }
13096 ++ { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 }
13097 + };
13098 +
13099 + MODULE_DEVICE_TABLE (usb, storage_usb_ids);
13100 +@@ -174,7 +174,7 @@ static struct us_unusual_dev us_unusual_
13101 + # undef USUAL_DEV
13102 +
13103 + /* Terminating entry */
13104 +- { NULL }
13105 ++ { NULL, NULL, 0, 0, NULL }
13106 + };
13107 +
13108 +
13109 +diff -Nurp linux-2.6.23.15/drivers/video/fbcmap.c linux-2.6.23.15-grsec/drivers/video/fbcmap.c
13110 +--- linux-2.6.23.15/drivers/video/fbcmap.c 2007-10-09 21:31:38.000000000 +0100
13111 ++++ linux-2.6.23.15-grsec/drivers/video/fbcmap.c 2008-02-11 10:37:44.000000000 +0000
13112 +@@ -251,8 +251,7 @@ int fb_set_user_cmap(struct fb_cmap_user
13113 + int rc, size = cmap->len * sizeof(u16);
13114 + struct fb_cmap umap;
13115 +
13116 +- if (cmap->start < 0 || (!info->fbops->fb_setcolreg &&
13117 +- !info->fbops->fb_setcmap))
13118 ++ if (!info->fbops->fb_setcolreg && !info->fbops->fb_setcmap)
13119 + return -EINVAL;
13120 +
13121 + memset(&umap, 0, sizeof(struct fb_cmap));
13122 +diff -Nurp linux-2.6.23.15/drivers/video/fbmem.c linux-2.6.23.15-grsec/drivers/video/fbmem.c
13123 +--- linux-2.6.23.15/drivers/video/fbmem.c 2007-10-09 21:31:38.000000000 +0100
13124 ++++ linux-2.6.23.15-grsec/drivers/video/fbmem.c 2008-02-11 10:37:44.000000000 +0000
13125 +@@ -394,7 +394,7 @@ static void fb_do_show_logo(struct fb_in
13126 + image->dx += image->width + 8;
13127 + }
13128 + } else if (rotate == FB_ROTATE_UD) {
13129 +- for (x = 0; x < num && image->dx >= 0; x++) {
13130 ++ for (x = 0; x < num && (__s32)image->dx >= 0; x++) {
13131 + info->fbops->fb_imageblit(info, image);
13132 + image->dx -= image->width + 8;
13133 + }
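Review bot: The `(__s32)image->dx >= 0` condition relies on the following `image->dx -= image->width + 8` wrapping an unsigned field and on the out-of-range conversion to `__s32` then reading as negative; that conversion is implementation-defined in C (modular under GCC), and nothing at the loop says the wrap is the intended exit. A short comment, `/* dx is unsigned; the loop ends once the subtraction wraps, hence the signed cast */`, would make that explicit; the `image->dy` loop in the next hunk needs the same. fb_do_show_logo starts and ends outside the hunk.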
13134 +@@ -406,7 +406,7 @@ static void fb_do_show_logo(struct fb_in
13135 + image->dy += image->height + 8;
13136 + }
13137 + } else if (rotate == FB_ROTATE_CCW) {
13138 +- for (x = 0; x < num && image->dy >= 0; x++) {
13139 ++ for (x = 0; x < num && (__s32)image->dy >= 0; x++) {
13140 + info->fbops->fb_imageblit(info, image);
13141 + image->dy -= image->height + 8;
13142 + }
13143 +@@ -1057,9 +1057,9 @@ fb_ioctl(struct inode *inode, struct fil
13144 + case FBIOPUT_CON2FBMAP:
13145 + if (copy_from_user(&con2fb, argp, sizeof(con2fb)))
13146 + return - EFAULT;
13147 +- if (con2fb.console < 0 || con2fb.console > MAX_NR_CONSOLES)
13148 ++ if (con2fb.console > MAX_NR_CONSOLES)
13149 + return -EINVAL;
13150 +- if (con2fb.framebuffer < 0 || con2fb.framebuffer >= FB_MAX)
13151 ++ if (con2fb.framebuffer >= FB_MAX)
13152 + return -EINVAL;
13153 + #ifdef CONFIG_KMOD
13154 + if (!registered_fb[con2fb.framebuffer])
13155 +diff -Nurp linux-2.6.23.15/drivers/video/fbmon.c linux-2.6.23.15-grsec/drivers/video/fbmon.c
13156 +--- linux-2.6.23.15/drivers/video/fbmon.c 2007-10-09 21:31:38.000000000 +0100
13157 ++++ linux-2.6.23.15-grsec/drivers/video/fbmon.c 2008-02-11 10:37:44.000000000 +0000
13158 +@@ -45,7 +45,7 @@
13159 + #ifdef DEBUG
13160 + #define DPRINTK(fmt, args...) printk(fmt,## args)
13161 + #else
13162 +-#define DPRINTK(fmt, args...)
13163 ++#define DPRINTK(fmt, args...) do {} while (0)
13164 + #endif
13165 +
13166 + #define FBMON_FIX_HEADER 1
13167 +diff -Nurp linux-2.6.23.15/drivers/video/i810/i810_accel.c linux-2.6.23.15-grsec/drivers/video/i810/i810_accel.c
13168 +--- linux-2.6.23.15/drivers/video/i810/i810_accel.c 2007-10-09 21:31:38.000000000 +0100
13169 ++++ linux-2.6.23.15-grsec/drivers/video/i810/i810_accel.c 2008-02-11 10:37:44.000000000 +0000
13170 +@@ -73,6 +73,7 @@ static inline int wait_for_space(struct
13171 + }
13172 + }
13173 + printk("ringbuffer lockup!!!\n");
13174 ++ printk("head:%u tail:%u iring.size:%u space:%u\n", head, tail, par->iring.size, space);
13175 + i810_report_error(mmio);
13176 + par->dev_flags |= LOCKUP;
13177 + info->pixmap.scan_align = 1;
13178 +diff -Nurp linux-2.6.23.15/drivers/video/i810/i810_main.c linux-2.6.23.15-grsec/drivers/video/i810/i810_main.c
13179 +--- linux-2.6.23.15/drivers/video/i810/i810_main.c 2007-10-09 21:31:38.000000000 +0100
13180 ++++ linux-2.6.23.15-grsec/drivers/video/i810/i810_main.c 2008-02-11 10:37:44.000000000 +0000
13181 +@@ -120,7 +120,7 @@ static struct pci_device_id i810fb_pci_t
13182 + PCI_ANY_ID, PCI_ANY_ID, 0, 0, 4 },
13183 + { PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_82815_CGC,
13184 + PCI_ANY_ID, PCI_ANY_ID, 0, 0, 5 },
13185 +- { 0 },
13186 ++ { 0, 0, 0, 0, 0, 0, 0 },
13187 + };
13188 +
13189 + static struct pci_driver i810fb_driver = {
13190 +@@ -1509,7 +1509,7 @@ static int i810fb_cursor(struct fb_info
13191 + int size = ((cursor->image.width + 7) >> 3) *
13192 + cursor->image.height;
13193 + int i;
13194 +- u8 *data = kmalloc(64 * 8, GFP_ATOMIC);
13195 ++ u8 *data = kmalloc(64 * 8, GFP_KERNEL);
13196 +
13197 + if (data == NULL)
13198 + return -ENOMEM;
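Review bot: Switching the cursor buffer to `GFP_KERNEL` lets kmalloc sleep, which is only safe if i810fb_cursor is never entered from atomic context (a spinlock held by a caller, or an interrupt/timer path); the hunk shows neither the callers nor any lock, so that cannot be confirmed from here. If the callers are known to run in process context, a comment on the allocation, `/* callers run in process context, so a sleeping allocation is fine */`, would document why GFP_ATOMIC is no longer needed. i810fb_cursor starts and ends outside the hunk.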
13199 +diff -Nurp linux-2.6.23.15/drivers/video/modedb.c linux-2.6.23.15-grsec/drivers/video/modedb.c
13200 +--- linux-2.6.23.15/drivers/video/modedb.c 2007-10-09 21:31:38.000000000 +0100
13201 ++++ linux-2.6.23.15-grsec/drivers/video/modedb.c 2008-02-11 10:37:44.000000000 +0000
13202 +@@ -37,228 +37,228 @@ static const struct fb_videomode modedb[
13203 + {
13204 + /* 640x400 @ 70 Hz, 31.5 kHz hsync */
13205 + NULL, 70, 640, 400, 39721, 40, 24, 39, 9, 96, 2,
13206 +- 0, FB_VMODE_NONINTERLACED
13207 ++ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
13208 + }, {
13209 + /* 640x480 @ 60 Hz, 31.5 kHz hsync */
13210 + NULL, 60, 640, 480, 39721, 40, 24, 32, 11, 96, 2,
13211 +- 0, FB_VMODE_NONINTERLACED
13212 ++ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
13213 + }, {
13214 + /* 800x600 @ 56 Hz, 35.15 kHz hsync */
13215 + NULL, 56, 800, 600, 27777, 128, 24, 22, 1, 72, 2,
13216 +- 0, FB_VMODE_NONINTERLACED
13217 ++ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
13218 + }, {
13219 + /* 1024x768 @ 87 Hz interlaced, 35.5 kHz hsync */
13220 + NULL, 87, 1024, 768, 22271, 56, 24, 33, 8, 160, 8,
13221 +- 0, FB_VMODE_INTERLACED
13222 ++ 0, FB_VMODE_INTERLACED, FB_MODE_IS_UNKNOWN
13223 + }, {
13224 + /* 640x400 @ 85 Hz, 37.86 kHz hsync */
13225 + NULL, 85, 640, 400, 31746, 96, 32, 41, 1, 64, 3,
13226 +- FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
13227 ++ FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
13228 + }, {
13229 + /* 640x480 @ 72 Hz, 36.5 kHz hsync */
13230 + NULL, 72, 640, 480, 31746, 144, 40, 30, 8, 40, 3,
13231 +- 0, FB_VMODE_NONINTERLACED
13232 ++ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
13233 + }, {
13234 + /* 640x480 @ 75 Hz, 37.50 kHz hsync */
13235 + NULL, 75, 640, 480, 31746, 120, 16, 16, 1, 64, 3,
13236 +- 0, FB_VMODE_NONINTERLACED
13237 ++ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
13238 + }, {
13239 + /* 800x600 @ 60 Hz, 37.8 kHz hsync */
13240 + NULL, 60, 800, 600, 25000, 88, 40, 23, 1, 128, 4,
13241 +- FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
13242 ++ FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
13243 + }, {
13244 + /* 640x480 @ 85 Hz, 43.27 kHz hsync */
13245 + NULL, 85, 640, 480, 27777, 80, 56, 25, 1, 56, 3,
13246 +- 0, FB_VMODE_NONINTERLACED
13247 ++ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
13248 + }, {
13249 + /* 1152x864 @ 89 Hz interlaced, 44 kHz hsync */
13250 + NULL, 69, 1152, 864, 15384, 96, 16, 110, 1, 216, 10,
13251 +- 0, FB_VMODE_INTERLACED
13252 ++ 0, FB_VMODE_INTERLACED, FB_MODE_IS_UNKNOWN
13253 + }, {
13254 + /* 800x600 @ 72 Hz, 48.0 kHz hsync */
13255 + NULL, 72, 800, 600, 20000, 64, 56, 23, 37, 120, 6,
13256 +- FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
13257 ++ FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
13258 + }, {
13259 + /* 1024x768 @ 60 Hz, 48.4 kHz hsync */
13260 + NULL, 60, 1024, 768, 15384, 168, 8, 29, 3, 144, 6,
13261 +- 0, FB_VMODE_NONINTERLACED
13262 ++ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
13263 + }, {
13264 + /* 640x480 @ 100 Hz, 53.01 kHz hsync */
13265 + NULL, 100, 640, 480, 21834, 96, 32, 36, 8, 96, 6,
13266 +- 0, FB_VMODE_NONINTERLACED
13267 ++ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
13268 + }, {
13269 + /* 1152x864 @ 60 Hz, 53.5 kHz hsync */
13270 + NULL, 60, 1152, 864, 11123, 208, 64, 16, 4, 256, 8,
13271 +- 0, FB_VMODE_NONINTERLACED
13272 ++ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
13273 + }, {
13274 + /* 800x600 @ 85 Hz, 55.84 kHz hsync */
13275 + NULL, 85, 800, 600, 16460, 160, 64, 36, 16, 64, 5,
13276 +- 0, FB_VMODE_NONINTERLACED
13277 ++ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
13278 + }, {
13279 + /* 1024x768 @ 70 Hz, 56.5 kHz hsync */
13280 + NULL, 70, 1024, 768, 13333, 144, 24, 29, 3, 136, 6,
13281 +- 0, FB_VMODE_NONINTERLACED
13282 ++ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
13283 + }, {
13284 + /* 1280x1024 @ 87 Hz interlaced, 51 kHz hsync */
13285 + NULL, 87, 1280, 1024, 12500, 56, 16, 128, 1, 216, 12,
13286 +- 0, FB_VMODE_INTERLACED
13287 ++ 0, FB_VMODE_INTERLACED, FB_MODE_IS_UNKNOWN
13288 + }, {
13289 + /* 800x600 @ 100 Hz, 64.02 kHz hsync */
13290 + NULL, 100, 800, 600, 14357, 160, 64, 30, 4, 64, 6,
13291 +- 0, FB_VMODE_NONINTERLACED
13292 ++ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
13293 + }, {
13294 + /* 1024x768 @ 76 Hz, 62.5 kHz hsync */
13295 + NULL, 76, 1024, 768, 11764, 208, 8, 36, 16, 120, 3,
13296 +- 0, FB_VMODE_NONINTERLACED
13297 ++ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
13298 + }, {
13299 + /* 1152x864 @ 70 Hz, 62.4 kHz hsync */
13300 + NULL, 70, 1152, 864, 10869, 106, 56, 20, 1, 160, 10,
13301 +- 0, FB_VMODE_NONINTERLACED
13302 ++ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
13303 + }, {
13304 + /* 1280x1024 @ 61 Hz, 64.2 kHz hsync */
13305 + NULL, 61, 1280, 1024, 9090, 200, 48, 26, 1, 184, 3,
13306 +- 0, FB_VMODE_NONINTERLACED
13307 ++ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
13308 + }, {
13309 + /* 1400x1050 @ 60Hz, 63.9 kHz hsync */
13310 + NULL, 68, 1400, 1050, 9259, 136, 40, 13, 1, 112, 3,
13311 +- 0, FB_VMODE_NONINTERLACED
13312 ++ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
13313 + }, {
13314 + /* 1400x1050 @ 75,107 Hz, 82,392 kHz +hsync +vsync*/
13315 + NULL, 75, 1400, 1050, 9271, 120, 56, 13, 0, 112, 3,
13316 +- FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
13317 ++ FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
13318 + }, {
13319 + /* 1400x1050 @ 60 Hz, ? kHz +hsync +vsync*/
13320 + NULL, 60, 1400, 1050, 9259, 128, 40, 12, 0, 112, 3,
13321 +- FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
13322 ++ FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
13323 + }, {
13324 + /* 1024x768 @ 85 Hz, 70.24 kHz hsync */
13325 + NULL, 85, 1024, 768, 10111, 192, 32, 34, 14, 160, 6,
13326 +- 0, FB_VMODE_NONINTERLACED
13327 ++ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
13328 + }, {
13329 + /* 1152x864 @ 78 Hz, 70.8 kHz hsync */
13330 + NULL, 78, 1152, 864, 9090, 228, 88, 32, 0, 84, 12,
13331 +- 0, FB_VMODE_NONINTERLACED
13332 ++ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
13333 + }, {
13334 + /* 1280x1024 @ 70 Hz, 74.59 kHz hsync */
13335 + NULL, 70, 1280, 1024, 7905, 224, 32, 28, 8, 160, 8,
13336 +- 0, FB_VMODE_NONINTERLACED
13337 ++ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
13338 + }, {
13339 + /* 1600x1200 @ 60Hz, 75.00 kHz hsync */
13340 + NULL, 60, 1600, 1200, 6172, 304, 64, 46, 1, 192, 3,
13341 +- FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
13342 ++ FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
13343 + }, {
13344 + /* 1152x864 @ 84 Hz, 76.0 kHz hsync */
13345 + NULL, 84, 1152, 864, 7407, 184, 312, 32, 0, 128, 12,
13346 +- 0, FB_VMODE_NONINTERLACED
13347 ++ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
13348 + }, {
13349 + /* 1280x1024 @ 74 Hz, 78.85 kHz hsync */
13350 + NULL, 74, 1280, 1024, 7407, 256, 32, 34, 3, 144, 3,
13351 +- 0, FB_VMODE_NONINTERLACED
13352 ++ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
13353 + }, {
13354 + /* 1024x768 @ 100Hz, 80.21 kHz hsync */
13355 + NULL, 100, 1024, 768, 8658, 192, 32, 21, 3, 192, 10,
13356 +- 0, FB_VMODE_NONINTERLACED
13357 ++ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
13358 + }, {
13359 + /* 1280x1024 @ 76 Hz, 81.13 kHz hsync */
13360 + NULL, 76, 1280, 1024, 7407, 248, 32, 34, 3, 104, 3,
13361 +- 0, FB_VMODE_NONINTERLACED
13362 ++ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
13363 + }, {
13364 + /* 1600x1200 @ 70 Hz, 87.50 kHz hsync */
13365 + NULL, 70, 1600, 1200, 5291, 304, 64, 46, 1, 192, 3,
13366 +- 0, FB_VMODE_NONINTERLACED
13367 ++ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
13368 + }, {
13369 + /* 1152x864 @ 100 Hz, 89.62 kHz hsync */
13370 + NULL, 100, 1152, 864, 7264, 224, 32, 17, 2, 128, 19,
13371 +- 0, FB_VMODE_NONINTERLACED
13372 ++ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
13373 + }, {
13374 + /* 1280x1024 @ 85 Hz, 91.15 kHz hsync */
13375 + NULL, 85, 1280, 1024, 6349, 224, 64, 44, 1, 160, 3,
13376 +- FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
13377 ++ FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
13378 + }, {
13379 + /* 1600x1200 @ 75 Hz, 93.75 kHz hsync */
13380 + NULL, 75, 1600, 1200, 4938, 304, 64, 46, 1, 192, 3,
13381 +- FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
13382 ++ FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
13383 + }, {
13384 + /* 1680x1050 @ 60 Hz, 65.191 kHz hsync */
13385 + NULL, 60, 1680, 1050, 6848, 280, 104, 30, 3, 176, 6,
13386 +- FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
13387 ++ FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
13388 + }, {
13389 + /* 1600x1200 @ 85 Hz, 105.77 kHz hsync */
13390 + NULL, 85, 1600, 1200, 4545, 272, 16, 37, 4, 192, 3,
13391 +- FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
13392 ++ FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
13393 + }, {
13394 + /* 1280x1024 @ 100 Hz, 107.16 kHz hsync */
13395 + NULL, 100, 1280, 1024, 5502, 256, 32, 26, 7, 128, 15,
13396 +- 0, FB_VMODE_NONINTERLACED
13397 ++ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
13398 + }, {
13399 + /* 1800x1440 @ 64Hz, 96.15 kHz hsync */
13400 + NULL, 64, 1800, 1440, 4347, 304, 96, 46, 1, 192, 3,
13401 +- FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
13402 ++ FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
13403 + }, {
13404 + /* 1800x1440 @ 70Hz, 104.52 kHz hsync */
13405 + NULL, 70, 1800, 1440, 4000, 304, 96, 46, 1, 192, 3,
13406 +- FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
13407 ++ FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
13408 + }, {
13409 + /* 512x384 @ 78 Hz, 31.50 kHz hsync */
13410 + NULL, 78, 512, 384, 49603, 48, 16, 16, 1, 64, 3,
13411 +- 0, FB_VMODE_NONINTERLACED
13412 ++ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
13413 + }, {
13414 + /* 512x384 @ 85 Hz, 34.38 kHz hsync */
13415 + NULL, 85, 512, 384, 45454, 48, 16, 16, 1, 64, 3,
13416 +- 0, FB_VMODE_NONINTERLACED
13417 ++ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
13418 + }, {
13419 + /* 320x200 @ 70 Hz, 31.5 kHz hsync, 8:5 aspect ratio */
13420 + NULL, 70, 320, 200, 79440, 16, 16, 20, 4, 48, 1,
13421 +- 0, FB_VMODE_DOUBLE
13422 ++ 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
13423 + }, {
13424 + /* 320x240 @ 60 Hz, 31.5 kHz hsync, 4:3 aspect ratio */
13425 + NULL, 60, 320, 240, 79440, 16, 16, 16, 5, 48, 1,
13426 +- 0, FB_VMODE_DOUBLE
13427 ++ 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
13428 + }, {
13429 + /* 320x240 @ 72 Hz, 36.5 kHz hsync */
13430 + NULL, 72, 320, 240, 63492, 16, 16, 16, 4, 48, 2,
13431 +- 0, FB_VMODE_DOUBLE
13432 ++ 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
13433 + }, {
13434 + /* 400x300 @ 56 Hz, 35.2 kHz hsync, 4:3 aspect ratio */
13435 + NULL, 56, 400, 300, 55555, 64, 16, 10, 1, 32, 1,
13436 +- 0, FB_VMODE_DOUBLE
13437 ++ 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
13438 + }, {
13439 + /* 400x300 @ 60 Hz, 37.8 kHz hsync */
13440 + NULL, 60, 400, 300, 50000, 48, 16, 11, 1, 64, 2,
13441 +- 0, FB_VMODE_DOUBLE
13442 ++ 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
13443 + }, {
13444 + /* 400x300 @ 72 Hz, 48.0 kHz hsync */
13445 + NULL, 72, 400, 300, 40000, 32, 24, 11, 19, 64, 3,
13446 +- 0, FB_VMODE_DOUBLE
13447 ++ 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
13448 + }, {
13449 + /* 480x300 @ 56 Hz, 35.2 kHz hsync, 8:5 aspect ratio */
13450 + NULL, 56, 480, 300, 46176, 80, 16, 10, 1, 40, 1,
13451 +- 0, FB_VMODE_DOUBLE
13452 ++ 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
13453 + }, {
13454 + /* 480x300 @ 60 Hz, 37.8 kHz hsync */
13455 + NULL, 60, 480, 300, 41858, 56, 16, 11, 1, 80, 2,
13456 +- 0, FB_VMODE_DOUBLE
13457 ++ 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
13458 + }, {
13459 + /* 480x300 @ 63 Hz, 39.6 kHz hsync */
13460 + NULL, 63, 480, 300, 40000, 56, 16, 11, 1, 80, 2,
13461 +- 0, FB_VMODE_DOUBLE
13462 ++ 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
13463 + }, {
13464 + /* 480x300 @ 72 Hz, 48.0 kHz hsync */
13465 + NULL, 72, 480, 300, 33386, 40, 24, 11, 19, 80, 3,
13466 +- 0, FB_VMODE_DOUBLE
13467 ++ 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
13468 + }, {
13469 + /* 1920x1200 @ 60 Hz, 74.5 Khz hsync */
13470 + NULL, 60, 1920, 1200, 5177, 128, 336, 1, 38, 208, 3,
13471 + FB_SYNC_HOR_HIGH_ACT | FB_SYNC_VERT_HIGH_ACT,
13472 +- FB_VMODE_NONINTERLACED
13473 ++ FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
13474 + }, {
13475 + /* 1152x768, 60 Hz, PowerBook G4 Titanium I and II */
13476 + NULL, 60, 1152, 768, 15386, 158, 26, 29, 3, 136, 6,
13477 +- FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
13478 ++ FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
13479 + }, {
13480 + /* 1366x768, 60 Hz, 47.403 kHz hsync, WXGA 16:9 aspect ratio */
13481 + NULL, 60, 1366, 768, 13806, 120, 10, 14, 3, 32, 5,
13482 +- 0, FB_VMODE_NONINTERLACED
13483 ++ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
13484 + },
13485 + };
13486 +
13487 +diff -Nurp linux-2.6.23.15/drivers/video/vesafb.c linux-2.6.23.15-grsec/drivers/video/vesafb.c
13488 +--- linux-2.6.23.15/drivers/video/vesafb.c 2007-10-09 21:31:38.000000000 +0100
13489 ++++ linux-2.6.23.15-grsec/drivers/video/vesafb.c 2008-02-11 10:37:44.000000000 +0000
13490 +@@ -9,6 +9,7 @@
13491 + */
13492 +
13493 + #include <linux/module.h>
13494 ++#include <linux/moduleloader.h>
13495 + #include <linux/kernel.h>
13496 + #include <linux/errno.h>
13497 + #include <linux/string.h>
13498 +@@ -224,6 +225,7 @@ static int __init vesafb_probe(struct pl
13499 + unsigned int size_vmode;
13500 + unsigned int size_remap;
13501 + unsigned int size_total;
13502 ++ void *pmi_code = NULL;
13503 +
13504 + if (screen_info.orig_video_isVGA != VIDEO_TYPE_VLFB)
13505 + return -ENODEV;
13506 +@@ -266,10 +268,6 @@ static int __init vesafb_probe(struct pl
13507 + size_remap = size_total;
13508 + vesafb_fix.smem_len = size_remap;
13509 +
13510 +-#ifndef __i386__
13511 +- screen_info.vesapm_seg = 0;
13512 +-#endif
13513 +-
13514 + if (!request_mem_region(vesafb_fix.smem_start, size_total, "vesafb")) {
13515 + printk(KERN_WARNING
13516 + "vesafb: cannot reserve video memory at 0x%lx\n",
13517 +@@ -302,9 +300,21 @@ static int __init vesafb_probe(struct pl
13518 + printk(KERN_INFO "vesafb: mode is %dx%dx%d, linelength=%d, pages=%d\n",
13519 + vesafb_defined.xres, vesafb_defined.yres, vesafb_defined.bits_per_pixel, vesafb_fix.line_length, screen_info.pages);
13520 +
13521 ++#ifdef __i386__
13522 ++
13523 ++#ifdef CONFIG_PAX_KERNEXEC
13524 ++ pmi_code = module_alloc_exec(screen_info.vesapm_size);
13525 ++ if (!pmi_code)
13526 ++#else
13527 ++ if (0)
13528 ++#endif
13529 ++
13530 ++#endif
13531 ++ screen_info.vesapm_seg = 0;
13532 ++
13533 + if (screen_info.vesapm_seg) {
13534 +- printk(KERN_INFO "vesafb: protected mode interface info at %04x:%04x\n",
13535 +- screen_info.vesapm_seg,screen_info.vesapm_off);
13536 ++ printk(KERN_INFO "vesafb: protected mode interface info at %04x:%04x %04x bytes\n",
13537 ++ screen_info.vesapm_seg,screen_info.vesapm_off,screen_info.vesapm_size);
13538 + }
13539 +
13540 + if (screen_info.vesapm_seg < 0xc000)
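Review bot: The `if (!pmi_code)` / `if (0)` whose body is the `screen_info.vesapm_seg = 0;` two `#endif`s further down is hard to read and easy to break on the next edit, and `module_alloc_exec(screen_info.vesapm_size)` is called with a firmware-supplied size that is never checked, so a BIOS advertising no PMI block (`vesapm_seg` clear) or a zero-length one still gets an exec region allocated and later used as the base for `pmi_start`. What `module_alloc_exec` does with a size of 0 is not visible here, so I would not rely on it. The version below keeps the three configurations distinct and only allocates when a segment and a non-zero size are both advertised; the one behavioural difference is that a segment with a zero size now disables the PMI instead of allocating for it. vesafb_probe starts and ends outside the hunk.
```c
#if defined(__i386__) && defined(CONFIG_PAX_KERNEXEC)
	/* vesapm_size comes from the BIOS; skip the exec region entirely when
	 * no PMI block is advertised or its size is zero */
	if (screen_info.vesapm_seg && screen_info.vesapm_size)
		pmi_code = module_alloc_exec(screen_info.vesapm_size);
	if (!pmi_code)
		screen_info.vesapm_seg = 0;
#elif !defined(__i386__)
	screen_info.vesapm_seg = 0;
#endif
	/* … unchanged: protected mode interface info printk … */
```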
13541 +@@ -312,9 +322,29 @@ static int __init vesafb_probe(struct pl
13542 +
13543 + if (ypan || pmi_setpal) {
13544 + unsigned short *pmi_base;
13545 +- pmi_base = (unsigned short*)phys_to_virt(((unsigned long)screen_info.vesapm_seg << 4) + screen_info.vesapm_off);
13546 +- pmi_start = (void*)((char*)pmi_base + pmi_base[1]);
13547 +- pmi_pal = (void*)((char*)pmi_base + pmi_base[2]);
13548 ++
13549 ++#ifdef CONFIG_PAX_KERNEXEC
13550 ++ unsigned long cr0;
13551 ++#endif
13552 ++
13553 ++ pmi_base = (unsigned short*)phys_to_virt(((unsigned long)screen_info.vesapm_seg << 4) + screen_info.vesapm_off);
13554 ++
13555 ++#ifdef CONFIG_PAX_KERNEXEC
13556 ++ pax_open_kernel(cr0);
13557 ++ memcpy(pmi_code, pmi_base, screen_info.vesapm_size);
13558 ++ pax_close_kernel(cr0);
13559 ++#else
13560 ++ pmi_code = pmi_base;
13561 ++#endif
13562 ++
13563 ++ pmi_start = (void*)((char*)pmi_code + pmi_base[1]);
13564 ++ pmi_pal = (void*)((char*)pmi_code + pmi_base[2]);
13565 ++
13566 ++#ifdef CONFIG_PAX_KERNEXEC
13567 ++ pmi_start -= __KERNEL_TEXT_OFFSET;
13568 ++ pmi_pal -= __KERNEL_TEXT_OFFSET;
13569 ++#endif
13570 ++
13571 + printk(KERN_INFO "vesafb: pmi: set display start = %p, set palette = %p\n",pmi_start,pmi_pal);
13572 + if (pmi_base[3]) {
13573 + printk(KERN_INFO "vesafb: pmi: ports = ");
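Review bot: `pmi_base[1]` and `pmi_base[2]` are offsets read from the BIOS-provided PMI table and are added to `pmi_code` without checking that they lie inside the `screen_info.vesapm_size` bytes that the `memcpy` just copied; under KERNEXEC the copy lives in a fresh `module_alloc_exec` region, so an offset beyond it produces a `pmi_start` / `pmi_pal` that points outside that allocation, whereas before it at least stayed within the identity-mapped BIOS area. The same unchecked size also bounds the `memcpy` read from `pmi_base`, and `pmi_base[3]` is consumed right after the hunk. A guard before the pointers are formed, `if (pmi_base[1] >= screen_info.vesapm_size || pmi_base[2] >= screen_info.vesapm_size)`, that clears `ypan` and `pmi_setpal` and drops the PMI would treat the table as the untrusted input it is. vesafb_probe starts and ends outside the hunk.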
13574 +@@ -456,6 +486,11 @@ static int __init vesafb_probe(struct pl
13575 + info->node, info->fix.id);
13576 + return 0;
13577 + err:
13578 ++
13579 ++#ifdef CONFIG_PAX_KERNEXEC
13580 ++ module_free_exec(NULL, pmi_code);
13581 ++#endif
13582 ++
13583 + if (info->screen_base)
13584 + iounmap(info->screen_base);
13585 + framebuffer_release(info);
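Review bot: The exec region allocated unconditionally in the earlier `CONFIG_PAX_KERNEXEC` hunk is only released here on the error path; on a successful probe `pmi_code` must stay alive when the `ypan || pmi_setpal` branch used it, but when that branch is skipped nothing frees it, so the region leaks once per boot on systems that do not use the PMI. The lines between the hunks are not visible, so if `ypan` / `pmi_setpal` are cleared there (for example under the `vesapm_seg < 0xc000` test) that path leaks as well; a guard after the PMI setup, `if (!(ypan || pmi_setpal)) { module_free_exec(NULL, pmi_code); pmi_code = NULL; }`, would close it. The `module_free_exec(NULL, pmi_code)` added here also relies on the function tolerating a NULL pointer, which the hunk does not show. vesafb_probe's body continues outside the hunk.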
13586 +diff -Nurp linux-2.6.23.15/fs/Kconfig linux-2.6.23.15-grsec/fs/Kconfig
13587 +--- linux-2.6.23.15/fs/Kconfig 2007-10-09 21:31:38.000000000 +0100
13588 ++++ linux-2.6.23.15-grsec/fs/Kconfig 2008-02-11 10:37:44.000000000 +0000
13589 +@@ -909,7 +909,7 @@ config PROC_FS
13590 +
13591 + config PROC_KCORE
13592 + bool "/proc/kcore support" if !ARM
13593 +- depends on PROC_FS && MMU
13594 ++ depends on PROC_FS && MMU && !GRKERNSEC_PROC_ADD
13595 +
13596 + config PROC_VMCORE
13597 + bool "/proc/vmcore support (EXPERIMENTAL)"
13598 +diff -Nurp linux-2.6.23.15/fs/binfmt_aout.c linux-2.6.23.15-grsec/fs/binfmt_aout.c
13599 +--- linux-2.6.23.15/fs/binfmt_aout.c 2007-10-09 21:31:38.000000000 +0100
13600 ++++ linux-2.6.23.15-grsec/fs/binfmt_aout.c 2008-02-11 10:37:44.000000000 +0000
13601 +@@ -24,6 +24,7 @@
13602 + #include <linux/binfmts.h>
13603 + #include <linux/personality.h>
13604 + #include <linux/init.h>
13605 ++#include <linux/grsecurity.h>
13606 +
13607 + #include <asm/system.h>
13608 + #include <asm/uaccess.h>
13609 +@@ -123,10 +124,12 @@ static int aout_core_dump(long signr, st
13610 + /* If the size of the dump file exceeds the rlimit, then see what would happen
13611 + if we wrote the stack, but not the data area. */
13612 + #ifdef __sparc__
13613 ++ gr_learn_resource(current, RLIMIT_CORE, dump.u_dsize+dump.u_ssize, 1);
13614 + if ((dump.u_dsize+dump.u_ssize) >
13615 + current->signal->rlim[RLIMIT_CORE].rlim_cur)
13616 + dump.u_dsize = 0;
13617 + #else
13618 ++ gr_learn_resource(current, RLIMIT_CORE, (dump.u_dsize+dump.u_ssize+1) * PAGE_SIZE, 1);
13619 + if ((dump.u_dsize+dump.u_ssize+1) * PAGE_SIZE >
13620 + current->signal->rlim[RLIMIT_CORE].rlim_cur)
13621 + dump.u_dsize = 0;
13622 +@@ -134,10 +137,12 @@ static int aout_core_dump(long signr, st
13623 +
13624 + /* Make sure we have enough room to write the stack and data areas. */
13625 + #ifdef __sparc__
13626 ++ gr_learn_resource(current, RLIMIT_CORE, dump.u_ssize, 1);
13627 + if ((dump.u_ssize) >
13628 + current->signal->rlim[RLIMIT_CORE].rlim_cur)
13629 + dump.u_ssize = 0;
13630 + #else
13631 ++ gr_learn_resource(current, RLIMIT_CORE, (dump.u_ssize+1) * PAGE_SIZE, 1);
13632 + if ((dump.u_ssize+1) * PAGE_SIZE >
13633 + current->signal->rlim[RLIMIT_CORE].rlim_cur)
13634 + dump.u_ssize = 0;
13635 +@@ -294,6 +299,8 @@ static int load_aout_binary(struct linux
13636 + rlim = current->signal->rlim[RLIMIT_DATA].rlim_cur;
13637 + if (rlim >= RLIM_INFINITY)
13638 + rlim = ~0;
13639 ++
13640 ++ gr_learn_resource(current, RLIMIT_DATA, ex.a_data + ex.a_bss, 1);
13641 + if (ex.a_data + ex.a_bss > rlim)
13642 + return -ENOMEM;
13643 +
13644 +@@ -326,6 +333,28 @@ static int load_aout_binary(struct linux
13645 + current->mm->mmap = NULL;
13646 + compute_creds(bprm);
13647 + current->flags &= ~PF_FORKNOEXEC;
13648 ++
13649 ++#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
13650 ++ current->mm->pax_flags = 0UL;
13651 ++#endif
13652 ++
13653 ++#ifdef CONFIG_PAX_PAGEEXEC
13654 ++ if (!(N_FLAGS(ex) & F_PAX_PAGEEXEC)) {
13655 ++ current->mm->pax_flags |= MF_PAX_PAGEEXEC;
13656 ++
13657 ++#ifdef CONFIG_PAX_EMUTRAMP
13658 ++ if (N_FLAGS(ex) & F_PAX_EMUTRAMP)
13659 ++ current->mm->pax_flags |= MF_PAX_EMUTRAMP;
13660 ++#endif
13661 ++
13662 ++#ifdef CONFIG_PAX_MPROTECT
13663 ++ if (!(N_FLAGS(ex) & F_PAX_MPROTECT))
13664 ++ current->mm->pax_flags |= MF_PAX_MPROTECT;
13665 ++#endif
13666 ++
13667 ++ }
13668 ++#endif
13669 ++
13670 + #ifdef __sparc__
13671 + if (N_MAGIC(ex) == NMAGIC) {
13672 + loff_t pos = fd_offset;
13673 +@@ -421,7 +450,7 @@ static int load_aout_binary(struct linux
13674 +
13675 + down_write(&current->mm->mmap_sem);
13676 + error = do_mmap(bprm->file, N_DATADDR(ex), ex.a_data,
13677 +- PROT_READ | PROT_WRITE | PROT_EXEC,
13678 ++ PROT_READ | PROT_WRITE,
13679 + MAP_FIXED | MAP_PRIVATE | MAP_DENYWRITE | MAP_EXECUTABLE,
13680 + fd_offset + ex.a_text);
13681 + up_write(&current->mm->mmap_sem);
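Review bot: The data segment is now mapped without `PROT_EXEC` unconditionally, not gated on the `MF_PAX_PAGEEXEC` decision taken from `N_FLAGS(ex)` in the earlier hunk of load_aout_binary, so a binary that opts out via `F_PAX_PAGEEXEC` still gets a non-executable data mapping here unless the mmap path restores exec when PAGEEXEC is off, which is not visible from the hunk. If that is intended — a.out data never executable regardless of the per-binary flag — a comment on the do_mmap call saying so would stop the next reader treating it as an oversight; if not, the protection should follow the flag. load_aout_binary starts and ends outside the hunk.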
13682 +diff -Nurp linux-2.6.23.15/fs/binfmt_elf.c linux-2.6.23.15-grsec/fs/binfmt_elf.c
13683 +--- linux-2.6.23.15/fs/binfmt_elf.c 2007-10-09 21:31:38.000000000 +0100
13684 ++++ linux-2.6.23.15-grsec/fs/binfmt_elf.c 2008-02-11 10:37:44.000000000 +0000
13685 +@@ -39,10 +39,21 @@
13686 + #include <linux/random.h>
13687 + #include <linux/elf.h>
13688 + #include <linux/utsname.h>
13689 ++#include <linux/grsecurity.h>
13690 ++
13691 + #include <asm/uaccess.h>
13692 + #include <asm/param.h>
13693 + #include <asm/page.h>
13694 +
13695 ++#ifdef CONFIG_PAX_SEGMEXEC
13696 ++#include <asm/desc.h>
13697 ++#endif
13698 ++
13699 ++#ifdef CONFIG_PAX_HOOK_ACL_FLAGS
13700 ++void (*pax_set_initial_flags_func)(struct linux_binprm *bprm);
13701 ++EXPORT_SYMBOL(pax_set_initial_flags_func);
13702 ++#endif
13703 ++
13704 + static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs);
13705 + static int load_elf_library(struct file *);
13706 + static unsigned long elf_map (struct file *, unsigned long, struct elf_phdr *, int, int);
13707 +@@ -84,6 +95,8 @@ static struct linux_binfmt elf_format =
13708 +
13709 + static int set_brk(unsigned long start, unsigned long end)
13710 + {
13711 ++ unsigned long e = end;
13712 ++
13713 + start = ELF_PAGEALIGN(start);
13714 + end = ELF_PAGEALIGN(end);
13715 + if (end > start) {
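Review bot: `current->mm->brk` is now set to the unaligned `e` while the region set_brk actually maps still ends at the page-aligned `end`, and neither this hunk nor the following one of set_brk (the one ending at `return 0;` after `current->mm->start_brk = current->mm->brk = e;`) says why the two may disagree. It looks like the point is to keep the sub-page offset that load_elf_binary later adds to elf_brk under CONFIG_PAX_RANDMMAP, but that is an inference from a later hunk. A one-line comment above the assignment, e.g. `/* keep the unaligned end as brk so a sub-page offset applied to elf_brk survives; the mapping itself is page-aligned */`, would save the next reader the search. set_brk is split across these two hunks.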
13716 +@@ -94,7 +107,7 @@ static int set_brk(unsigned long start,
13717 + if (BAD_ADDR(addr))
13718 + return addr;
13719 + }
13720 +- current->mm->start_brk = current->mm->brk = end;
13721 ++ current->mm->start_brk = current->mm->brk = e;
13722 + return 0;
13723 + }
13724 +
13725 +@@ -325,10 +338,9 @@ static unsigned long load_elf_interp(str
13726 + {
13727 + struct elf_phdr *elf_phdata;
13728 + struct elf_phdr *eppnt;
13729 +- unsigned long load_addr = 0;
13730 +- int load_addr_set = 0;
13731 ++ unsigned long load_addr = 0, min_addr, max_addr, task_size = TASK_SIZE;
13732 + unsigned long last_bss = 0, elf_bss = 0;
13733 +- unsigned long error = ~0UL;
13734 ++ unsigned long error = -EINVAL;
13735 + int retval, i, size;
13736 +
13737 + /* First of all, some simple consistency checks */
13738 +@@ -367,66 +379,86 @@ static unsigned long load_elf_interp(str
13739 + goto out_close;
13740 + }
13741 +
13742 ++#ifdef CONFIG_PAX_SEGMEXEC
13743 ++ if (current->mm->pax_flags & MF_PAX_SEGMEXEC)
13744 ++ task_size = SEGMEXEC_TASK_SIZE;
13745 ++#endif
13746 ++
13747 + eppnt = elf_phdata;
13748 ++ min_addr = task_size;
13749 ++ max_addr = 0;
13750 ++ error = -ENOMEM;
13751 ++
13752 + for (i = 0; i < interp_elf_ex->e_phnum; i++, eppnt++) {
13753 +- if (eppnt->p_type == PT_LOAD) {
13754 +- int elf_type = MAP_PRIVATE | MAP_DENYWRITE;
13755 +- int elf_prot = 0;
13756 +- unsigned long vaddr = 0;
13757 +- unsigned long k, map_addr;
13758 +-
13759 +- if (eppnt->p_flags & PF_R)
13760 +- elf_prot = PROT_READ;
13761 +- if (eppnt->p_flags & PF_W)
13762 +- elf_prot |= PROT_WRITE;
13763 +- if (eppnt->p_flags & PF_X)
13764 +- elf_prot |= PROT_EXEC;
13765 +- vaddr = eppnt->p_vaddr;
13766 +- if (interp_elf_ex->e_type == ET_EXEC || load_addr_set)
13767 +- elf_type |= MAP_FIXED;
13768 +-
13769 +- map_addr = elf_map(interpreter, load_addr + vaddr,
13770 +- eppnt, elf_prot, elf_type);
13771 +- error = map_addr;
13772 +- if (BAD_ADDR(map_addr))
13773 +- goto out_close;
13774 +-
13775 +- if (!load_addr_set &&
13776 +- interp_elf_ex->e_type == ET_DYN) {
13777 +- load_addr = map_addr - ELF_PAGESTART(vaddr);
13778 +- load_addr_set = 1;
13779 +- }
13780 ++ if (eppnt->p_type != PT_LOAD)
13781 ++ continue;
13782 +
13783 +- /*
13784 +- * Check to see if the section's size will overflow the
13785 +- * allowed task size. Note that p_filesz must always be
13786 +- * <= p_memsize so it's only necessary to check p_memsz.
13787 +- */
13788 +- k = load_addr + eppnt->p_vaddr;
13789 +- if (BAD_ADDR(k) ||
13790 +- eppnt->p_filesz > eppnt->p_memsz ||
13791 +- eppnt->p_memsz > TASK_SIZE ||
13792 +- TASK_SIZE - eppnt->p_memsz < k) {
13793 +- error = -ENOMEM;
13794 +- goto out_close;
13795 +- }
13796 ++ /*
13797 ++ * Check to see if the section's size will overflow the
13798 ++ * allowed task size. Note that p_filesz must always be
13799 ++ * <= p_memsize so it is only necessary to check p_memsz.
13800 ++ */
13801 ++ if (eppnt->p_filesz > eppnt->p_memsz || eppnt->p_vaddr >= eppnt->p_vaddr + eppnt->p_memsz)
13802 ++ goto out_close;
13803 +
13804 +- /*
13805 +- * Find the end of the file mapping for this phdr, and
13806 +- * keep track of the largest address we see for this.
13807 +- */
13808 +- k = load_addr + eppnt->p_vaddr + eppnt->p_filesz;
13809 +- if (k > elf_bss)
13810 +- elf_bss = k;
13811 ++ if (min_addr > ELF_PAGESTART(eppnt->p_vaddr))
13812 ++ min_addr = ELF_PAGESTART(eppnt->p_vaddr);
13813 ++ if (max_addr < ELF_PAGEALIGN(eppnt->p_vaddr + eppnt->p_memsz))
13814 ++ max_addr = ELF_PAGEALIGN(eppnt->p_vaddr + eppnt->p_memsz);
13815 ++ }
13816 ++ if (min_addr >= max_addr || max_addr > task_size)
13817 ++ goto out_close;
13818 +
13819 +- /*
13820 +- * Do the same thing for the memory mapping - between
13821 +- * elf_bss and last_bss is the bss section.
13822 +- */
13823 +- k = load_addr + eppnt->p_memsz + eppnt->p_vaddr;
13824 +- if (k > last_bss)
13825 +- last_bss = k;
13826 +- }
13827 ++ if (interp_elf_ex->e_type == ET_DYN) {
13828 ++ load_addr = get_unmapped_area(interpreter, 0, max_addr - min_addr, 0, MAP_PRIVATE | MAP_EXECUTABLE);
13829 ++
13830 ++ if (load_addr >= task_size)
13831 ++ goto out_close;
13832 ++
13833 ++ load_addr -= min_addr;
13834 ++ }
13835 ++
13836 ++ eppnt = elf_phdata;
13837 ++ for (i = 0; i < interp_elf_ex->e_phnum; i++, eppnt++) {
13838 ++ int elf_type = MAP_PRIVATE | MAP_DENYWRITE | MAP_FIXED;
13839 ++ int elf_prot = 0;
13840 ++ unsigned long vaddr = 0;
13841 ++ unsigned long k, map_addr;
13842 ++
13843 ++ if (eppnt->p_type != PT_LOAD)
13844 ++ continue;
13845 ++
13846 ++ if (eppnt->p_flags & PF_R)
13847 ++ elf_prot = PROT_READ;
13848 ++ if (eppnt->p_flags & PF_W)
13849 ++ elf_prot |= PROT_WRITE;
13850 ++ if (eppnt->p_flags & PF_X)
13851 ++ elf_prot |= PROT_EXEC;
13852 ++ vaddr = eppnt->p_vaddr;
13853 ++
13854 ++ map_addr = elf_map(interpreter, load_addr + vaddr,
13855 ++ eppnt, elf_prot, elf_type);
13856 ++ error = map_addr;
13857 ++ if (BAD_ADDR(map_addr))
13858 ++ goto out_close;
13859 ++
13860 ++ k = load_addr + eppnt->p_vaddr;
13861 ++
13862 ++ /*
13863 ++ * Find the end of the file mapping for this phdr, and
13864 ++ * keep track of the largest address we see for this.
13865 ++ */
13866 ++ k = load_addr + eppnt->p_vaddr + eppnt->p_filesz;
13867 ++ if (k > elf_bss)
13868 ++ elf_bss = k;
13869 ++
13870 ++ /*
13871 ++ * Do the same thing for the memory mapping - between
13872 ++ * elf_bss and last_bss is the bss section.
13873 ++ */
13874 ++ k = load_addr + eppnt->p_memsz + eppnt->p_vaddr;
13875 ++ if (k > last_bss)
13876 ++ last_bss = k;
13877 + }
13878 +
13879 + /*
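Review bot: In the second PT_LOAD loop the assignment `k = load_addr + eppnt->p_vaddr;` just after the `BAD_ADDR(map_addr)` check is dead: the `BAD_ADDR(k)` guard it used to feed was removed with the old loop and `k` is overwritten three lines later, so the line should go. The new range check also has an edge: `ELF_PAGEALIGN(eppnt->p_vaddr + eppnt->p_memsz)` wraps to 0 when the sum lies in the last page of the address space, so such a segment never raises `max_addr` and passes `max_addr > task_size`; the later MAP_FIXED `elf_map` would presumably still reject the address, but the check should stand on its own, e.g. `if (eppnt->p_filesz > eppnt->p_memsz || eppnt->p_vaddr >= eppnt->p_vaddr + eppnt->p_memsz || eppnt->p_vaddr + eppnt->p_memsz > task_size)`, after which nothing reaching the alignment can wrap. Note too that `p_vaddr >= p_vaddr + p_memsz` now rejects a PT_LOAD with `p_memsz == 0`, which the removed code accepted; if that is intended the comment above the check should say so. The `/*` closing the hunk opens a comment whose body continues outside it.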
13880 +@@ -454,6 +486,8 @@ static unsigned long load_elf_interp(str
13881 +
13882 + *interp_load_addr = load_addr;
13883 + error = ((unsigned long)interp_elf_ex->e_entry) + load_addr;
13884 ++ if (BAD_ADDR(error))
13885 ++ error = -EFAULT;
13886 +
13887 + out_close:
13888 + kfree(elf_phdata);
13889 +@@ -464,7 +498,7 @@ out:
13890 + static unsigned long load_aout_interp(struct exec *interp_ex,
13891 + struct file *interpreter)
13892 + {
13893 +- unsigned long text_data, elf_entry = ~0UL;
13894 ++ unsigned long text_data, elf_entry = -EINVAL;
13895 + char __user * addr;
13896 + loff_t offset;
13897 +
13898 +@@ -507,6 +541,177 @@ out:
13899 + return elf_entry;
13900 + }
13901 +
13902 ++#if (defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)) && defined(CONFIG_PAX_SOFTMODE)
13903 ++static unsigned long pax_parse_softmode(const struct elf_phdr * const elf_phdata)
13904 ++{
13905 ++ unsigned long pax_flags = 0UL;
13906 ++
13907 ++#ifdef CONFIG_PAX_PAGEEXEC
13908 ++ if (elf_phdata->p_flags & PF_PAGEEXEC)
13909 ++ pax_flags |= MF_PAX_PAGEEXEC;
13910 ++#endif
13911 ++
13912 ++#ifdef CONFIG_PAX_SEGMEXEC
13913 ++ if (elf_phdata->p_flags & PF_SEGMEXEC)
13914 ++ pax_flags |= MF_PAX_SEGMEXEC;
13915 ++#endif
13916 ++
13917 ++#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
13918 ++ if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) == (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
13919 ++ if (nx_enabled)
13920 ++ pax_flags &= ~MF_PAX_SEGMEXEC;
13921 ++ else
13922 ++ pax_flags &= ~MF_PAX_PAGEEXEC;
13923 ++ }
13924 ++#endif
13925 ++
13926 ++#ifdef CONFIG_PAX_EMUTRAMP
13927 ++ if (elf_phdata->p_flags & PF_EMUTRAMP)
13928 ++ pax_flags |= MF_PAX_EMUTRAMP;
13929 ++#endif
13930 ++
13931 ++#ifdef CONFIG_PAX_MPROTECT
13932 ++ if (elf_phdata->p_flags & PF_MPROTECT)
13933 ++ pax_flags |= MF_PAX_MPROTECT;
13934 ++#endif
13935 ++
13936 ++#if defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)
13937 ++ if (randomize_va_space && (elf_phdata->p_flags & PF_RANDMMAP))
13938 ++ pax_flags |= MF_PAX_RANDMMAP;
13939 ++#endif
13940 ++
13941 ++ return pax_flags;
13942 ++}
13943 ++#endif
13944 ++
13945 ++#ifdef CONFIG_PAX_PT_PAX_FLAGS
13946 ++static unsigned long pax_parse_hardmode(const struct elf_phdr * const elf_phdata)
13947 ++{
13948 ++ unsigned long pax_flags = 0UL;
13949 ++
13950 ++#ifdef CONFIG_PAX_PAGEEXEC
13951 ++ if (!(elf_phdata->p_flags & PF_NOPAGEEXEC))
13952 ++ pax_flags |= MF_PAX_PAGEEXEC;
13953 ++#endif
13954 ++
13955 ++#ifdef CONFIG_PAX_SEGMEXEC
13956 ++ if (!(elf_phdata->p_flags & PF_NOSEGMEXEC))
13957 ++ pax_flags |= MF_PAX_SEGMEXEC;
13958 ++#endif
13959 ++
13960 ++#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
13961 ++ if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) == (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
13962 ++ if (nx_enabled)
13963 ++ pax_flags &= ~MF_PAX_SEGMEXEC;
13964 ++ else
13965 ++ pax_flags &= ~MF_PAX_PAGEEXEC;
13966 ++ }
13967 ++#endif
13968 ++
13969 ++#ifdef CONFIG_PAX_EMUTRAMP
13970 ++ if (!(elf_phdata->p_flags & PF_NOEMUTRAMP))
13971 ++ pax_flags |= MF_PAX_EMUTRAMP;
13972 ++#endif
13973 ++
13974 ++#ifdef CONFIG_PAX_MPROTECT
13975 ++ if (!(elf_phdata->p_flags & PF_NOMPROTECT))
13976 ++ pax_flags |= MF_PAX_MPROTECT;
13977 ++#endif
13978 ++
13979 ++#if defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)
13980 ++ if (randomize_va_space && !(elf_phdata->p_flags & PF_NORANDMMAP))
13981 ++ pax_flags |= MF_PAX_RANDMMAP;
13982 ++#endif
13983 ++
13984 ++ return pax_flags;
13985 ++}
13986 ++#endif
13987 ++
13988 ++#ifdef CONFIG_PAX_EI_PAX
13989 ++static unsigned long pax_parse_ei_pax(const struct elfhdr * const elf_ex)
13990 ++{
13991 ++ unsigned long pax_flags = 0UL;
13992 ++
13993 ++#ifdef CONFIG_PAX_PAGEEXEC
13994 ++ if (!(elf_ex->e_ident[EI_PAX] & EF_PAX_PAGEEXEC))
13995 ++ pax_flags |= MF_PAX_PAGEEXEC;
13996 ++#endif
13997 ++
13998 ++#ifdef CONFIG_PAX_SEGMEXEC
13999 ++ if (!(elf_ex->e_ident[EI_PAX] & EF_PAX_SEGMEXEC))
14000 ++ pax_flags |= MF_PAX_SEGMEXEC;
14001 ++#endif
14002 ++
14003 ++#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
14004 ++ if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) == (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
14005 ++ if (nx_enabled)
14006 ++ pax_flags &= ~MF_PAX_SEGMEXEC;
14007 ++ else
14008 ++ pax_flags &= ~MF_PAX_PAGEEXEC;
14009 ++ }
14010 ++#endif
14011 ++
14012 ++#ifdef CONFIG_PAX_EMUTRAMP
14013 ++ if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) && (elf_ex->e_ident[EI_PAX] & EF_PAX_EMUTRAMP))
14014 ++ pax_flags |= MF_PAX_EMUTRAMP;
14015 ++#endif
14016 ++
14017 ++#ifdef CONFIG_PAX_MPROTECT
14018 ++ if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) && !(elf_ex->e_ident[EI_PAX] & EF_PAX_MPROTECT))
14019 ++ pax_flags |= MF_PAX_MPROTECT;
14020 ++#endif
14021 ++
14022 ++#ifdef CONFIG_PAX_ASLR
14023 ++ if (randomize_va_space && !(elf_ex->e_ident[EI_PAX] & EF_PAX_RANDMMAP))
14024 ++ pax_flags |= MF_PAX_RANDMMAP;
14025 ++#endif
14026 ++
14027 ++ return pax_flags;
14028 ++}
14029 ++#endif
14030 ++
14031 ++#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)
14032 ++static long pax_parse_elf_flags(const struct elfhdr * const elf_ex, const struct elf_phdr * const elf_phdata)
14033 ++{
14034 ++ unsigned long pax_flags = 0UL;
14035 ++
14036 ++#ifdef CONFIG_PAX_PT_PAX_FLAGS
14037 ++ unsigned long i;
14038 ++#endif
14039 ++
14040 ++#ifdef CONFIG_PAX_EI_PAX
14041 ++ pax_flags = pax_parse_ei_pax(elf_ex);
14042 ++#endif
14043 ++
14044 ++#ifdef CONFIG_PAX_PT_PAX_FLAGS
14045 ++ for (i = 0UL; i < elf_ex->e_phnum; i++)
14046 ++ if (elf_phdata[i].p_type == PT_PAX_FLAGS) {
14047 ++ if (((elf_phdata[i].p_flags & PF_PAGEEXEC) && (elf_phdata[i].p_flags & PF_NOPAGEEXEC)) ||
14048 ++ ((elf_phdata[i].p_flags & PF_SEGMEXEC) && (elf_phdata[i].p_flags & PF_NOSEGMEXEC)) ||
14049 ++ ((elf_phdata[i].p_flags & PF_EMUTRAMP) && (elf_phdata[i].p_flags & PF_NOEMUTRAMP)) ||
14050 ++ ((elf_phdata[i].p_flags & PF_MPROTECT) && (elf_phdata[i].p_flags & PF_NOMPROTECT)) ||
14051 ++ ((elf_phdata[i].p_flags & PF_RANDMMAP) && (elf_phdata[i].p_flags & PF_NORANDMMAP)))
14052 ++ return -EINVAL;
14053 ++
14054 ++#ifdef CONFIG_PAX_SOFTMODE
14055 ++ if (pax_softmode)
14056 ++ pax_flags = pax_parse_softmode(&elf_phdata[i]);
14057 ++ else
14058 ++#endif
14059 ++
14060 ++ pax_flags = pax_parse_hardmode(&elf_phdata[i]);
14061 ++ break;
14062 ++ }
14063 ++#endif
14064 ++
14065 ++ if (0 > pax_check_flags(&pax_flags))
14066 ++ return -EINVAL;
14067 ++
14068 ++ current->mm->pax_flags = pax_flags;
14069 ++ return 0;
14070 ++}
14071 ++#endif
14072 ++
14073 + /*
14074 + * These are the functions used to load ELF style executables and shared
14075 + * libraries. There is no binary dependent code anywhere else.
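Review bot: `pax_parse_softmode` is compiled under `(CONFIG_PAX_EI_PAX || CONFIG_PAX_PT_PAX_FLAGS) && CONFIG_PAX_SOFTMODE`, but its only caller sits inside `#ifdef CONFIG_PAX_PT_PAX_FLAGS` in `pax_parse_elf_flags`, so an EI_PAX-only softmode build gets an unused static function; the guard should read `#if defined(CONFIG_PAX_PT_PAX_FLAGS) && defined(CONFIG_PAX_SOFTMODE)`. In `pax_parse_elf_flags` the `else` under `#ifdef CONFIG_PAX_SOFTMODE` is followed by `#endif`, a blank line and then the `pax_parse_hardmode` call, which hides that the call is the else-branch; removing the blank line and indenting the call under the `else` makes the binding visible in both configurations. None of the four new static functions has a header comment; each needs one sentence stating what it reads (`p_flags` of the PT_PAX_FLAGS header, or `e_ident[EI_PAX]`), that softmode sets a flag only when its PF_* bit is present while hardmode sets it unless the PF_NO* bit is present, and that `pax_parse_elf_flags` returns -EINVAL for contradictory flags and otherwise writes `current->mm->pax_flags`.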
14076 +@@ -544,7 +749,7 @@ static int load_elf_binary(struct linux_
14077 + char * elf_interpreter = NULL;
14078 + unsigned int interpreter_type = INTERPRETER_NONE;
14079 + unsigned char ibcs2_interpreter = 0;
14080 +- unsigned long error;
14081 ++ unsigned long error = 0;
14082 + struct elf_phdr *elf_ppnt, *elf_phdata;
14083 + unsigned long elf_bss, elf_brk;
14084 + int elf_exec_fileno;
14085 +@@ -556,12 +761,12 @@ static int load_elf_binary(struct linux_
14086 + char passed_fileno[6];
14087 + struct files_struct *files;
14088 + int executable_stack = EXSTACK_DEFAULT;
14089 +- unsigned long def_flags = 0;
14090 + struct {
14091 + struct elfhdr elf_ex;
14092 + struct elfhdr interp_elf_ex;
14093 + struct exec interp_ex;
14094 + } *loc;
14095 ++ unsigned long task_size = TASK_SIZE;
14096 +
14097 + loc = kmalloc(sizeof(*loc), GFP_KERNEL);
14098 + if (!loc) {
14099 +@@ -788,14 +993,89 @@ static int load_elf_binary(struct linux_
14100 +
14101 + /* OK, This is the point of no return */
14102 + current->flags &= ~PF_FORKNOEXEC;
14103 +- current->mm->def_flags = def_flags;
14104 ++
14105 ++#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
14106 ++ current->mm->pax_flags = 0UL;
14107 ++#endif
14108 ++
14109 ++#ifdef CONFIG_PAX_DLRESOLVE
14110 ++ current->mm->call_dl_resolve = 0UL;
14111 ++#endif
14112 ++
14113 ++#if defined(CONFIG_PPC32) && defined(CONFIG_PAX_EMUSIGRT)
14114 ++ current->mm->call_syscall = 0UL;
14115 ++#endif
14116 ++
14117 ++#ifdef CONFIG_PAX_ASLR
14118 ++ current->mm->delta_mmap = 0UL;
14119 ++ current->mm->delta_stack = 0UL;
14120 ++#endif
14121 ++
14122 ++ current->mm->def_flags = 0;
14123 ++
14124 ++#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)
14125 ++ if (0 > pax_parse_elf_flags(&loc->elf_ex, elf_phdata)) {
14126 ++ send_sig(SIGKILL, current, 0);
14127 ++ goto out_free_dentry;
14128 ++ }
14129 ++#endif
14130 ++
14131 ++#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
14132 ++ pax_set_initial_flags(bprm);
14133 ++#elif defined(CONFIG_PAX_HOOK_ACL_FLAGS)
14134 ++ if (pax_set_initial_flags_func)
14135 ++ (pax_set_initial_flags_func)(bprm);
14136 ++#endif
14137 ++
14138 ++#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
14139 ++ if ((current->mm->pax_flags & MF_PAX_PAGEEXEC) && !nx_enabled) {
14140 ++ current->mm->context.user_cs_limit = PAGE_SIZE;
14141 ++ current->mm->def_flags |= VM_PAGEEXEC;
14142 ++ }
14143 ++#endif
14144 ++
14145 ++#ifdef CONFIG_PAX_SEGMEXEC
14146 ++ if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
14147 ++ current->mm->context.user_cs_base = SEGMEXEC_TASK_SIZE;
14148 ++ current->mm->context.user_cs_limit = TASK_SIZE-SEGMEXEC_TASK_SIZE;
14149 ++ task_size = SEGMEXEC_TASK_SIZE;
14150 ++ }
14151 ++#endif
14152 ++
14153 ++#if defined(CONFIG_ARCH_TRACK_EXEC_LIMIT) || defined(CONFIG_PAX_SEGMEXEC)
14154 ++ if (current->mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
14155 ++ set_user_cs(current->mm->context.user_cs_base, current->mm->context.user_cs_limit, get_cpu());
14156 ++ put_cpu_no_resched();
14157 ++ }
14158 ++#endif
14159 ++
14160 ++#ifdef CONFIG_PAX_ASLR
14161 ++ if (current->mm->pax_flags & MF_PAX_RANDMMAP) {
14162 ++ current->mm->delta_mmap = (pax_get_random_long() & ((1UL << PAX_DELTA_MMAP_LEN)-1)) << PAGE_SHIFT;
14163 ++ current->mm->delta_stack = (pax_get_random_long() & ((1UL << PAX_DELTA_STACK_LEN)-1)) << PAGE_SHIFT;
14164 ++ }
14165 ++#endif
14166 ++
14167 ++#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
14168 ++ if (current->mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC))
14169 ++ executable_stack = EXSTACK_DEFAULT;
14170 ++#endif
14171 +
14172 + /* Do this immediately, since STACK_TOP as used in setup_arg_pages
14173 + may depend on the personality. */
14174 + SET_PERSONALITY(loc->elf_ex, ibcs2_interpreter);
14175 ++
14176 ++#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
14177 ++ if (!(current->mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)))
14178 ++#endif
14179 ++
14180 + if (elf_read_implies_exec(loc->elf_ex, executable_stack))
14181 + current->personality |= READ_IMPLIES_EXEC;
14182 +
14183 ++#ifdef CONFIG_PAX_ASLR
14184 ++ if (!(current->mm->pax_flags & MF_PAX_RANDMMAP))
14185 ++#endif
14186 ++
14187 + if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
14188 + current->flags |= PF_RANDOMIZE;
14189 + arch_pick_mmap_layout(current->mm);
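Review bot: When `pax_parse_elf_flags` fails, the `send_sig(SIGKILL, current, 0); goto out_free_dentry;` block does not assign `retval` before the jump, unlike the later `task_size` check in this function which sets `retval = -EINVAL;` before its own SIGKILL; whatever `retval` holds at the point of no return (not visible here, plausibly 0 from the preceding successful call) becomes load_elf_binary's return value, so add `retval = -EINVAL;` before the `goto`. The two `#ifdef`-wrapped conditions near the end of the hunk, `if (!(current->mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)))` and `if (!(current->mm->pax_flags & MF_PAX_RANDMMAP))`, are each separated from the statement they control by `#endif` and a blank line, so the `elf_read_implies_exec` and `PF_RANDOMIZE` ifs silently become the body of another if depending on config; drop the blank lines and indent the controlled statement, or fold the PaX term into the existing condition. load_elf_binary begins before this hunk and continues after it.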
14190 +@@ -871,6 +1151,20 @@ static int load_elf_binary(struct linux_
14191 + * might try to exec. This is because the brk will
14192 + * follow the loader, and is not movable. */
14193 + load_bias = ELF_PAGESTART(ELF_ET_DYN_BASE - vaddr);
14194 ++
14195 ++#ifdef CONFIG_PAX_RANDMMAP
14196 ++ /* PaX: randomize base address at the default exe base if requested */
14197 ++ if ((current->mm->pax_flags & MF_PAX_RANDMMAP) && elf_interpreter) {
14198 ++#ifdef CONFIG_SPARC64
14199 ++ load_bias = (pax_get_random_long() & ((1UL << PAX_DELTA_MMAP_LEN) - 1)) << (PAGE_SHIFT+1);
14200 ++#else
14201 ++ load_bias = (pax_get_random_long() & ((1UL << PAX_DELTA_MMAP_LEN) - 1)) << PAGE_SHIFT;
14202 ++#endif
14203 ++ load_bias = ELF_PAGESTART(PAX_ELF_ET_DYN_BASE - vaddr + load_bias);
14204 ++ elf_flags |= MAP_FIXED;
14205 ++ }
14206 ++#endif
14207 ++
14208 + }
14209 +
14210 + error = elf_map(bprm->file, load_bias + vaddr, elf_ppnt,
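Review bot: The `CONFIG_SPARC64` branch shifts the random delta by `PAGE_SHIFT+1` while the other branch uses `PAGE_SHIFT`, and nothing says why sparc64 needs the extra bit; a one-line comment on that `#ifdef` naming the constraint is needed. The randomized base is then forced with `elf_flags |= MAP_FIXED`, which replaces anything already mapped there; at this point the fresh mm presumably holds little besides the stack, but a comment stating that assumption next to the `MAP_FIXED` line would make the reliance explicit. The enclosing `if` and load_elf_binary continue outside the hunk.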
14211 +@@ -903,9 +1197,9 @@ static int load_elf_binary(struct linux_
14212 + * allowed task size. Note that p_filesz must always be
14213 + * <= p_memsz so it is only necessary to check p_memsz.
14214 + */
14215 +- if (BAD_ADDR(k) || elf_ppnt->p_filesz > elf_ppnt->p_memsz ||
14216 +- elf_ppnt->p_memsz > TASK_SIZE ||
14217 +- TASK_SIZE - elf_ppnt->p_memsz < k) {
14218 ++ if (k >= task_size || elf_ppnt->p_filesz > elf_ppnt->p_memsz ||
14219 ++ elf_ppnt->p_memsz > task_size ||
14220 ++ task_size - elf_ppnt->p_memsz < k) {
14221 + /* set_brk can never work. Avoid overflows. */
14222 + send_sig(SIGKILL, current, 0);
14223 + retval = -EINVAL;
14224 +@@ -933,6 +1227,11 @@ static int load_elf_binary(struct linux_
14225 + start_data += load_bias;
14226 + end_data += load_bias;
14227 +
14228 ++#ifdef CONFIG_PAX_RANDMMAP
14229 ++ if (current->mm->pax_flags & MF_PAX_RANDMMAP)
14230 ++ elf_brk += PAGE_SIZE + ((pax_get_random_long() & ~PAGE_MASK) << 4);
14231 ++#endif
14232 ++
14233 + /* Calling set_brk effectively mmaps the pages that we need
14234 + * for the bss and break sections. We must do this before
14235 + * mapping in the interpreter, to make sure it doesn't wind
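Review bot: `elf_brk += PAGE_SIZE + ((pax_get_random_long() & ~PAGE_MASK) << 4);` encodes the gap in two magic constants with no comment; the expression yields one page plus a 16-byte-granular offset of up to `(PAGE_SIZE - 1) << 4` bytes, and a comment such as `/* PaX: leave a random, 16-byte aligned gap of just under 16 pages between bss and the heap */` should sit above it. The grown `elf_brk` is not re-checked against `task_size` here; whether `set_brk` rejects an overflowing value is not visible in this hunk, so either a note saying it does or an explicit check next to the existing `task_size` test above would be prudent.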
14236 +@@ -944,9 +1243,11 @@ static int load_elf_binary(struct linux_
14237 + goto out_free_dentry;
14238 + }
14239 + if (likely(elf_bss != elf_brk) && unlikely(padzero(elf_bss))) {
14240 +- send_sig(SIGSEGV, current, 0);
14241 +- retval = -EFAULT; /* Nobody gets to see this, but.. */
14242 +- goto out_free_dentry;
14243 ++ /*
14244 ++ * This bss-zeroing can fail if the ELF
14245 ++ * file specifies odd protections. So
14246 ++ * we don't check the return value
14247 ++ */
14248 + }
14249 +
14250 + if (elf_interpreter) {
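Review bot: After the change, `if (likely(elf_bss != elf_brk) && unlikely(padzero(elf_bss)))` has an empty body holding only a comment, so `padzero`'s result is still computed, wrapped in `unlikely()`, and then ignored, which reads as a forgotten error path. Write the intent directly: `if (likely(elf_bss != elf_brk)) padzero(elf_bss); /* may fail for odd ELF protections; deliberately ignored */`, keeping the explanation as a comment rather than as a dead condition.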
14251 +@@ -1183,8 +1484,10 @@ static int dump_seek(struct file *file,
14252 + unsigned long n = off;
14253 + if (n > PAGE_SIZE)
14254 + n = PAGE_SIZE;
14255 +- if (!dump_write(file, buf, n))
14256 ++ if (!dump_write(file, buf, n)) {
14257 ++ free_page((unsigned long)buf);
14258 + return 0;
14259 ++ }
14260 + off -= n;
14261 + }
14262 + free_page((unsigned long)buf);
14263 +@@ -1199,7 +1502,7 @@ static int dump_seek(struct file *file,
14264 + *
14265 + * I think we should skip something. But I am not sure how. H.J.
14266 + */
14267 +-static int maydump(struct vm_area_struct *vma, unsigned long mm_flags)
14268 ++static int maydump(struct vm_area_struct *vma, unsigned long mm_flags, long signr)
14269 + {
14270 + /* The vma can be set up to tell us the answer directly. */
14271 + if (vma->vm_flags & VM_ALWAYSDUMP)
14272 +@@ -1218,7 +1521,7 @@ static int maydump(struct vm_area_struct
14273 + }
14274 +
14275 + /* By default, if it hasn't been written to, don't write it out. */
14276 +- if (!vma->anon_vma)
14277 ++ if (signr != SIGKILL && !vma->anon_vma)
14278 + return test_bit(MMF_DUMP_MAPPED_PRIVATE, &mm_flags);
14279 +
14280 + return test_bit(MMF_DUMP_ANON_PRIVATE, &mm_flags);
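Review bot: `if (signr != SIGKILL && !vma->anon_vma)` makes a SIGKILL-triggered dump include private mappings that were never written to, and neither this hunk nor the signature hunk above it (`static int maydump(struct vm_area_struct *vma, unsigned long mm_flags, long signr)`) says why the kill signal is special; the reason is not recoverable from the visible lines, so the author should add a comment on the condition along the lines of `/* on SIGKILL (<reason>) dump untouched private mappings as well */`. The existing comment above the function should also mention the new `signr` parameter so the contract stays in one place. The `elf_core_dump` call sites are updated in the later hunks of this file.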
14281 +@@ -1275,8 +1578,11 @@ static int writenote(struct memelfnote *
14282 + #undef DUMP_WRITE
14283 +
14284 + #define DUMP_WRITE(addr, nr) \
14285 ++ do { \
14286 ++ gr_learn_resource(current, RLIMIT_CORE, size + (nr), 1); \
14287 + if ((size += (nr)) > limit || !dump_write(file, (addr), (nr))) \
14288 +- goto end_coredump;
14289 ++ goto end_coredump; \
14290 ++ } while (0);
14291 + #define DUMP_SEEK(off) \
14292 + if (!dump_seek(file, (off))) \
14293 + goto end_coredump;
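Review bot: The new `DUMP_WRITE` body ends with `} while (0);`; the trailing semicolon inside the macro means every `DUMP_WRITE(a, n);` use expands to a double `;`, and a use such as `if (x) DUMP_WRITE(a, n); else …` would no longer compile, so the line should read `} while (0)`. With `gr_learn_resource(current, RLIMIT_CORE, size + (nr), 1)` added, `nr` is now expanded three times, so callers must keep passing side-effect-free arguments; a comment on the macro saying so is cheap. `DUMP_SEEK` right below keeps the old unbraced `if … goto` shape, so the two macros are now inconsistent.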
14294 +@@ -1676,7 +1982,7 @@ static int elf_core_dump(long signr, str
14295 + phdr.p_offset = offset;
14296 + phdr.p_vaddr = vma->vm_start;
14297 + phdr.p_paddr = 0;
14298 +- phdr.p_filesz = maydump(vma, mm_flags) ? sz : 0;
14299 ++ phdr.p_filesz = maydump(vma, mm_flags, signr) ? sz : 0;
14300 + phdr.p_memsz = sz;
14301 + offset += phdr.p_filesz;
14302 + phdr.p_flags = vma->vm_flags & VM_READ ? PF_R : 0;
14303 +@@ -1720,7 +2026,7 @@ static int elf_core_dump(long signr, str
14304 + vma = next_vma(vma, gate_vma)) {
14305 + unsigned long addr;
14306 +
14307 +- if (!maydump(vma, mm_flags))
14308 ++ if (!maydump(vma, mm_flags, signr))
14309 + continue;
14310 +
14311 + for (addr = vma->vm_start;
14312 +@@ -1743,6 +2049,7 @@ static int elf_core_dump(long signr, str
14313 + flush_cache_page(vma, addr,
14314 + page_to_pfn(page));
14315 + kaddr = kmap(page);
14316 ++ gr_learn_resource(current, RLIMIT_CORE, size + PAGE_SIZE, 1);
14317 + if ((size += PAGE_SIZE) > limit ||
14318 + !dump_write(file, kaddr,
14319 + PAGE_SIZE)) {
14320 +diff -Nurp linux-2.6.23.15/fs/binfmt_flat.c linux-2.6.23.15-grsec/fs/binfmt_flat.c
14321 +--- linux-2.6.23.15/fs/binfmt_flat.c 2007-10-09 21:31:38.000000000 +0100
14322 ++++ linux-2.6.23.15-grsec/fs/binfmt_flat.c 2008-02-11 10:37:44.000000000 +0000
14323 +@@ -559,7 +559,9 @@ static int load_flat_file(struct linux_b
14324 + realdatastart = (unsigned long) -ENOMEM;
14325 + printk("Unable to allocate RAM for process data, errno %d\n",
14326 + (int)-realdatastart);
14327 ++ down_write(&current->mm->mmap_sem);
14328 + do_munmap(current->mm, textpos, text_len);
14329 ++ up_write(&current->mm->mmap_sem);
14330 + ret = realdatastart;
14331 + goto err;
14332 + }
14333 +@@ -581,8 +583,10 @@ static int load_flat_file(struct linux_b
14334 + }
14335 + if (result >= (unsigned long)-4096) {
14336 + printk("Unable to read data+bss, errno %d\n", (int)-result);
14337 ++ down_write(&current->mm->mmap_sem);
14338 + do_munmap(current->mm, textpos, text_len);
14339 + do_munmap(current->mm, realdatastart, data_len + extra);
14340 ++ up_write(&current->mm->mmap_sem);
14341 + ret = result;
14342 + goto err;
14343 + }
14344 +@@ -655,8 +659,10 @@ static int load_flat_file(struct linux_b
14345 + }
14346 + if (result >= (unsigned long)-4096) {
14347 + printk("Unable to read code+data+bss, errno %d\n",(int)-result);
14348 ++ down_write(&current->mm->mmap_sem);
14349 + do_munmap(current->mm, textpos, text_len + data_len + extra +
14350 + MAX_SHARED_LIBS * sizeof(unsigned long));
14351 ++ up_write(&current->mm->mmap_sem);
14352 + ret = result;
14353 + goto err;
14354 + }
14355 +diff -Nurp linux-2.6.23.15/fs/binfmt_misc.c linux-2.6.23.15-grsec/fs/binfmt_misc.c
14356 +--- linux-2.6.23.15/fs/binfmt_misc.c 2007-10-09 21:31:38.000000000 +0100
14357 ++++ linux-2.6.23.15-grsec/fs/binfmt_misc.c 2008-02-11 10:37:44.000000000 +0000
14358 +@@ -113,9 +113,11 @@ static int load_misc_binary(struct linux
14359 + struct files_struct *files = NULL;
14360 +
14361 + retval = -ENOEXEC;
14362 +- if (!enabled)
14363 ++ if (!enabled || bprm->misc)
14364 + goto _ret;
14365 +
14366 ++ bprm->misc++;
14367 ++
14368 + /* to keep locking time low, we copy the interpreter string */
14369 + read_lock(&entries_lock);
14370 + fmt = check_file(bprm);
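Review bot: `bprm->misc++` runs before `check_file(bprm)` decides whether any binfmt_misc entry matches, so a binary that does not match is still marked and `if (!enabled || bprm->misc) goto _ret;` will refuse it on any later pass through this handler; if binfmt_misc is consulted before binfmt_script in the handler order (not visible here), a script whose interpreter is itself a binfmt_misc-registered binary is rejected even though the guard was presumably only meant to stop self-recursion. Move the increment below the match test that follows `check_file` so only an actual match is counted. The `bprm->misc` field is added in another hunk; wherever it is declared it deserves a comment stating that it is a per-exec recursion guard.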
14371 +@@ -720,7 +722,7 @@ static int bm_fill_super(struct super_bl
14372 + static struct tree_descr bm_files[] = {
14373 + [2] = {"status", &bm_status_operations, S_IWUSR|S_IRUGO},
14374 + [3] = {"register", &bm_register_operations, S_IWUSR},
14375 +- /* last one */ {""}
14376 ++ /* last one */ {"", NULL, 0}
14377 + };
14378 + int err = simple_fill_super(sb, 0x42494e4d, bm_files);
14379 + if (!err)
14380 +diff -Nurp linux-2.6.23.15/fs/buffer.c linux-2.6.23.15-grsec/fs/buffer.c
14381 +--- linux-2.6.23.15/fs/buffer.c 2007-10-09 21:31:38.000000000 +0100
14382 ++++ linux-2.6.23.15-grsec/fs/buffer.c 2008-02-11 10:37:44.000000000 +0000
14383 +@@ -41,6 +41,7 @@
14384 + #include <linux/bitops.h>
14385 + #include <linux/mpage.h>
14386 + #include <linux/bit_spinlock.h>
14387 ++#include <linux/grsecurity.h>
14388 +
14389 + static int fsync_buffers_list(spinlock_t *lock, struct list_head *list);
14390 +
14391 +@@ -2017,6 +2018,7 @@ static int __generic_cont_expand(struct
14392 +
14393 + err = -EFBIG;
14394 + limit = current->signal->rlim[RLIMIT_FSIZE].rlim_cur;
14395 ++ gr_learn_resource(current, RLIMIT_FSIZE, (unsigned long) size, 1);
14396 + if (limit != RLIM_INFINITY && size > (loff_t)limit) {
14397 + send_sig(SIGXFSZ, current, 0);
14398 + goto out;
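Review bot: `gr_learn_resource(current, RLIMIT_FSIZE, (unsigned long) size, 1)` truncates `size` on 32-bit builds: the comparison two lines down, `size > (loff_t)limit`, shows `size` is a 64-bit `loff_t`, so a size above 4 GiB is recorded modulo 2^32 and the learned limit can come out far too small; whether `gr_learn_resource`'s third parameter is wide enough to take the full value is not visible here. If it takes `unsigned long` by contract, clamp first, e.g. `gr_learn_resource(current, RLIMIT_FSIZE, size > ULONG_MAX ? ULONG_MAX : (unsigned long)size, 1);`, and say so in a comment. The other `gr_learn_resource` call sites in this patch should be checked for the same cast.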
14399 +diff -Nurp linux-2.6.23.15/fs/cifs/cifs_uniupr.h linux-2.6.23.15-grsec/fs/cifs/cifs_uniupr.h
14400 +--- linux-2.6.23.15/fs/cifs/cifs_uniupr.h 2007-10-09 21:31:38.000000000 +0100
14401 ++++ linux-2.6.23.15-grsec/fs/cifs/cifs_uniupr.h 2008-02-11 10:37:44.000000000 +0000
14402 +@@ -132,7 +132,7 @@ const struct UniCaseRange CifsUniUpperRa
14403 + {0x0490, 0x04cc, UniCaseRangeU0490},
14404 + {0x1e00, 0x1ffc, UniCaseRangeU1e00},
14405 + {0xff40, 0xff5a, UniCaseRangeUff40},
14406 +- {0}
14407 ++ {0, 0, NULL}
14408 + };
14409 + #endif
14410 +
14411 +diff -Nurp linux-2.6.23.15/fs/cifs/dir.c linux-2.6.23.15-grsec/fs/cifs/dir.c
14412 +--- linux-2.6.23.15/fs/cifs/dir.c 2007-10-09 21:31:38.000000000 +0100
14413 ++++ linux-2.6.23.15-grsec/fs/cifs/dir.c 2008-02-11 10:37:44.000000000 +0000
14414 +@@ -397,7 +397,7 @@ int cifs_mknod(struct inode *inode, stru
14415 + /* BB Do not bother to decode buf since no
14416 + local inode yet to put timestamps in,
14417 + but we can reuse it safely */
14418 +- int bytes_written;
14419 ++ unsigned int bytes_written;
14420 + struct win_dev *pdev;
14421 + pdev = (struct win_dev *)buf;
14422 + if (S_ISCHR(mode)) {
14423 +diff -Nurp linux-2.6.23.15/fs/cifs/inode.c linux-2.6.23.15-grsec/fs/cifs/inode.c
14424 +--- linux-2.6.23.15/fs/cifs/inode.c 2008-02-11 10:36:03.000000000 +0000
14425 ++++ linux-2.6.23.15-grsec/fs/cifs/inode.c 2008-02-11 10:37:44.000000000 +0000
14426 +@@ -1470,7 +1470,7 @@ int cifs_setattr(struct dentry *direntry
14427 + atomic_dec(&open_file->wrtPending);
14428 + cFYI(1, ("SetFSize for attrs rc = %d", rc));
14429 + if ((rc == -EINVAL) || (rc == -EOPNOTSUPP)) {
14430 +- int bytes_written;
14431 ++ unsigned int bytes_written;
14432 + rc = CIFSSMBWrite(xid, pTcon,
14433 + nfid, 0, attrs->ia_size,
14434 + &bytes_written, NULL, NULL,
14435 +@@ -1503,7 +1503,7 @@ int cifs_setattr(struct dentry *direntry
14436 + cifs_sb->mnt_cifs_flags &
14437 + CIFS_MOUNT_MAP_SPECIAL_CHR);
14438 + if (rc == 0) {
14439 +- int bytes_written;
14440 ++ unsigned int bytes_written;
14441 + rc = CIFSSMBWrite(xid, pTcon,
14442 + netfid, 0,
14443 + attrs->ia_size,
14444 +diff -Nurp linux-2.6.23.15/fs/compat.c linux-2.6.23.15-grsec/fs/compat.c
14445 +--- linux-2.6.23.15/fs/compat.c 2007-10-09 21:31:38.000000000 +0100
14446 ++++ linux-2.6.23.15-grsec/fs/compat.c 2008-02-11 10:37:44.000000000 +0000
14447 +@@ -50,6 +50,7 @@
14448 + #include <linux/poll.h>
14449 + #include <linux/mm.h>
14450 + #include <linux/eventpoll.h>
14451 ++#include <linux/grsecurity.h>
14452 +
14453 + #include <asm/uaccess.h>
14454 + #include <asm/mmu_context.h>
14455 +@@ -1300,14 +1301,12 @@ static int compat_copy_strings(int argc,
14456 + if (!kmapped_page || kpos != (pos & PAGE_MASK)) {
14457 + struct page *page;
14458 +
14459 +-#ifdef CONFIG_STACK_GROWSUP
14460 + ret = expand_stack_downwards(bprm->vma, pos);
14461 + if (ret < 0) {
14462 + /* We've exceed the stack rlimit. */
14463 + ret = -E2BIG;
14464 + goto out;
14465 + }
14466 +-#endif
14467 + ret = get_user_pages(current, bprm->mm, pos,
14468 + 1, 1, 1, &page, NULL);
14469 + if (ret <= 0) {
14470 +@@ -1353,6 +1352,11 @@ int compat_do_execve(char * filename,
14471 + compat_uptr_t __user *envp,
14472 + struct pt_regs * regs)
14473 + {
14474 ++#ifdef CONFIG_GRKERNSEC
14475 ++ struct file *old_exec_file;
14476 ++ struct acl_subject_label *old_acl;
14477 ++ struct rlimit old_rlim[RLIM_NLIMITS];
14478 ++#endif
14479 + struct linux_binprm *bprm;
14480 + struct file *file;
14481 + int retval;
14482 +@@ -1373,6 +1377,14 @@ int compat_do_execve(char * filename,
14483 + bprm->filename = filename;
14484 + bprm->interp = filename;
14485 +
14486 ++ gr_learn_resource(current, RLIMIT_NPROC, atomic_read(&current->user->processes), 1);
14487 ++ retval = -EAGAIN;
14488 ++ if (gr_handle_nproc())
14489 ++ goto out_file;
14490 ++ retval = -EACCES;
14491 ++ if (!gr_acl_handle_execve(file->f_dentry, file->f_vfsmnt))
14492 ++ goto out_file;
14493 ++
14494 + retval = bprm_mm_init(bprm);
14495 + if (retval)
14496 + goto out_file;
14497 +@@ -1406,8 +1418,36 @@ int compat_do_execve(char * filename,
14498 + if (retval < 0)
14499 + goto out;
14500 +
14501 ++ if (!gr_tpe_allow(file)) {
14502 ++ retval = -EACCES;
14503 ++ goto out;
14504 ++ }
14505 ++
14506 ++ if (gr_check_crash_exec(file)) {
14507 ++ retval = -EACCES;
14508 ++ goto out;
14509 ++ }
14510 ++
14511 ++ gr_log_chroot_exec(file->f_dentry, file->f_vfsmnt);
14512 ++
14513 ++ gr_handle_exec_args(bprm, (char __user * __user *)argv);
14514 ++
14515 ++#ifdef CONFIG_GRKERNSEC
14516 ++ old_acl = current->acl;
14517 ++ memcpy(old_rlim, current->signal->rlim, sizeof(old_rlim));
14518 ++ old_exec_file = current->exec_file;
14519 ++ get_file(file);
14520 ++ current->exec_file = file;
14521 ++#endif
14522 ++
14523 ++ gr_set_proc_label(file->f_dentry, file->f_vfsmnt);
14524 ++
14525 + retval = search_binary_handler(bprm, regs);
14526 + if (retval >= 0) {
14527 ++#ifdef CONFIG_GRKERNSEC
14528 ++ if (old_exec_file)
14529 ++ fput(old_exec_file);
14530 ++#endif
14531 + /* execve success */
14532 + security_bprm_free(bprm);
14533 + acct_update_integrals(current);
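Review bot: `gr_handle_exec_args(bprm, (char __user * __user *)argv)` is called from compat_do_execve, where `argv` is an array of 32-bit `compat_uptr_t` (the `compat_uptr_t __user *envp` parameter in the earlier hunk shows the convention); the cast relabels it as an array of native pointers, so on a 64-bit kernel a helper that walks it with native strides would read every other entry and misplace the terminator, and the exec-argument record for 32-bit callers would be garbled — what the helper does with the array is not visible here. If it dereferences the array itself, it needs a compat variant that reads `compat_uptr_t` entries and maps them with `compat_ptr()`. The saved `old_acl`/`old_rlim`/`old_exec_file` triple is declared in the `#ifdef CONFIG_GRKERNSEC` block of the earlier hunk and restored in the next one, so a short comment above `get_file(file)` stating that the reference is released either by `fput(old_exec_file)` on success or in the restore block on failure would tie the three hunks together.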
14534 +@@ -1415,6 +1455,13 @@ int compat_do_execve(char * filename,
14535 + return retval;
14536 + }
14537 +
14538 ++#ifdef CONFIG_GRKERNSEC
14539 ++ current->acl = old_acl;
14540 ++ memcpy(current->signal->rlim, old_rlim, sizeof(old_rlim));
14541 ++ fput(current->exec_file);
14542 ++ current->exec_file = old_exec_file;
14543 ++#endif
14544 ++
14545 + out:
14546 + if (bprm->security)
14547 + security_bprm_free(bprm);
14548 +diff -Nurp linux-2.6.23.15/fs/compat_ioctl.c linux-2.6.23.15-grsec/fs/compat_ioctl.c
14549 +--- linux-2.6.23.15/fs/compat_ioctl.c 2007-10-09 21:31:38.000000000 +0100
14550 ++++ linux-2.6.23.15-grsec/fs/compat_ioctl.c 2008-02-11 10:37:44.000000000 +0000
14551 +@@ -2431,15 +2431,15 @@ struct ioctl_trans {
14552 + };
14553 +
14554 + #define HANDLE_IOCTL(cmd,handler) \
14555 +- { (cmd), (ioctl_trans_handler_t)(handler) },
14556 ++ { (cmd), (ioctl_trans_handler_t)(handler), NULL },
14557 +
14558 + /* pointer to compatible structure or no argument */
14559 + #define COMPATIBLE_IOCTL(cmd) \
14560 +- { (cmd), do_ioctl32_pointer },
14561 ++ { (cmd), do_ioctl32_pointer, NULL },
14562 +
14563 + /* argument is an unsigned long integer, not a pointer */
14564 + #define ULONG_IOCTL(cmd) \
14565 +- { (cmd), (ioctl_trans_handler_t)sys_ioctl },
14566 ++ { (cmd), (ioctl_trans_handler_t)sys_ioctl, NULL },
14567 +
14568 + /* ioctl should not be warned about even if it's not implemented.
14569 + Valid reasons to use this:
14570 +diff -Nurp linux-2.6.23.15/fs/debugfs/inode.c linux-2.6.23.15-grsec/fs/debugfs/inode.c
14571 +--- linux-2.6.23.15/fs/debugfs/inode.c 2007-10-09 21:31:38.000000000 +0100
14572 ++++ linux-2.6.23.15-grsec/fs/debugfs/inode.c 2008-02-11 10:37:44.000000000 +0000
14573 +@@ -125,7 +125,7 @@ static inline int debugfs_positive(struc
14574 +
14575 + static int debug_fill_super(struct super_block *sb, void *data, int silent)
14576 + {
14577 +- static struct tree_descr debug_files[] = {{""}};
14578 ++ static struct tree_descr debug_files[] = {{"", NULL, 0}};
14579 +
14580 + return simple_fill_super(sb, DEBUGFS_MAGIC, debug_files);
14581 + }
14582 +diff -Nurp linux-2.6.23.15/fs/exec.c linux-2.6.23.15-grsec/fs/exec.c
14583 +--- linux-2.6.23.15/fs/exec.c 2008-02-11 10:36:03.000000000 +0000
14584 ++++ linux-2.6.23.15-grsec/fs/exec.c 2008-02-11 10:37:44.000000000 +0000
14585 +@@ -50,6 +50,8 @@
14586 + #include <linux/tsacct_kern.h>
14587 + #include <linux/cn_proc.h>
14588 + #include <linux/audit.h>
14589 ++#include <linux/random.h>
14590 ++#include <linux/grsecurity.h>
14591 +
14592 + #include <asm/uaccess.h>
14593 + #include <asm/mmu_context.h>
14594 +@@ -184,18 +186,10 @@ static struct page *get_arg_page(struct
14595 + int write)
14596 + {
14597 + struct page *page;
14598 +- int ret;
14599 +
14600 +-#ifdef CONFIG_STACK_GROWSUP
14601 +- if (write) {
14602 +- ret = expand_stack_downwards(bprm->vma, pos);
14603 +- if (ret < 0)
14604 +- return NULL;
14605 +- }
14606 +-#endif
14607 +- ret = get_user_pages(current, bprm->mm, pos,
14608 +- 1, write, 1, &page, NULL);
14609 +- if (ret <= 0)
14610 ++ if (0 > expand_stack_downwards(bprm->vma, pos))
14611 ++ return NULL;
14612 ++ if (0 >= get_user_pages(current, bprm->mm, pos, 1, write, 1, &page, NULL))
14613 + return NULL;
14614 +
14615 + if (write) {
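Review bot: The rewritten get_arg_page() now calls expand_stack_downwards() on every access, including reads (write == 0) and on architectures without CONFIG_STACK_GROWSUP, whereas the removed code expanded only for writes on grows-up stacks; if that widening is needed (presumably for the randomised bprm->p) it deserves a comment, because it changes when the arg VMA grows and when failure is reported. Separately, the reversed comparisons are against kernel style: `if (expand_stack_downwards(bprm->vma, pos) < 0)` and `if (get_user_pages(current, bprm->mm, pos, 1, write, 1, &page, NULL) <= 0)` read the same without the Yoda form. The function continues past the hunk.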
14616 +@@ -260,7 +254,12 @@ static int __bprm_mm_init(struct linux_b
14617 + vma->vm_start = vma->vm_end - PAGE_SIZE;
14618 +
14619 + vma->vm_flags = VM_STACK_FLAGS;
14620 +- vma->vm_page_prot = protection_map[vma->vm_flags & 0x7];
14621 ++
14622 ++#ifdef CONFIG_PAX_SEGMEXEC
14623 ++ vma->vm_flags &= ~(VM_EXEC | VM_MAYEXEC);
14624 ++#endif
14625 ++
14626 ++ vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
14627 + err = insert_vm_struct(mm, vma);
14628 + if (err) {
14629 + up_write(&mm->mmap_sem);
14630 +@@ -272,6 +271,11 @@ static int __bprm_mm_init(struct linux_b
14631 +
14632 + bprm->p = vma->vm_end - sizeof(void *);
14633 +
14634 ++#ifdef CONFIG_PAX_RANDUSTACK
14635 ++ if (randomize_va_space)
14636 ++ bprm->p ^= (pax_get_random_long() & ~15) & ~PAGE_MASK;
14637 ++#endif
14638 ++
14639 + return 0;
14640 +
14641 + err:
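Review bot: The RANDUSTACK line `bprm->p ^= (pax_get_random_long() & ~15) & ~PAGE_MASK;` is only safe because bprm->p was just set to vma->vm_end - sizeof(void *), whose sub-page bits above bit 3 are all set when vm_end is page-aligned, so the XOR acts as a subtraction and keeps p inside the single stack page at 16-byte granularity; none of that is stated. A comment such as `/* randomise p within the initial stack page, 16-byte granularity; XOR == subtract here since p's sub-page bits are all set */` would save the next reader the derivation. Page alignment of vm_end is not visible in this hunk; confirm against the vm_end assignment in __bprm_mm_init.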
14642 +@@ -395,7 +399,7 @@ static int count(char __user * __user *
14643 + if (!p)
14644 + break;
14645 + argv++;
14646 +- if(++i > max)
14647 ++ if (++i > max)
14648 + return -E2BIG;
14649 + cond_resched();
14650 + }
14651 +@@ -535,6 +539,10 @@ static int shift_arg_pages(struct vm_are
14652 + if (vma != find_vma(mm, new_start))
14653 + return -EFAULT;
14654 +
14655 ++#ifdef CONFIG_PAX_SEGMEXEC
14656 ++ BUG_ON(pax_find_mirror_vma(vma));
14657 ++#endif
14658 ++
14659 + /*
14660 + * cover the whole range: [new_start, old_end)
14661 + */
14662 +@@ -623,6 +631,14 @@ int setup_arg_pages(struct linux_binprm
14663 + bprm->exec -= stack_shift;
14664 +
14665 + down_write(&mm->mmap_sem);
14666 ++
14667 ++ /* Move stack pages down in memory. */
14668 ++ if (stack_shift) {
14669 ++ ret = shift_arg_pages(vma, stack_shift);
14670 ++ if (ret)
14671 ++ goto out_unlock;
14672 ++ }
14673 ++
14674 + vm_flags = vma->vm_flags;
14675 +
14676 + /*
14677 +@@ -634,23 +650,28 @@ int setup_arg_pages(struct linux_binprm
14678 + vm_flags |= VM_EXEC;
14679 + else if (executable_stack == EXSTACK_DISABLE_X)
14680 + vm_flags &= ~VM_EXEC;
14681 ++ else
14682 ++ vm_flags = VM_STACK_FLAGS;
14683 + vm_flags |= mm->def_flags;
14684 +
14685 ++#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
14686 ++ if (mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
14687 ++ vm_flags &= ~VM_EXEC;
14688 ++
14689 ++#ifdef CONFIG_PAX_MPROTECT
14690 ++ if (mm->pax_flags & MF_PAX_MPROTECT)
14691 ++ vm_flags &= ~VM_MAYEXEC;
14692 ++#endif
14693 ++
14694 ++ }
14695 ++#endif
14696 ++
14697 + ret = mprotect_fixup(vma, &prev, vma->vm_start, vma->vm_end,
14698 + vm_flags);
14699 + if (ret)
14700 + goto out_unlock;
14701 + BUG_ON(prev != vma);
14702 +
14703 +- /* Move stack pages down in memory. */
14704 +- if (stack_shift) {
14705 +- ret = shift_arg_pages(vma, stack_shift);
14706 +- if (ret) {
14707 +- up_write(&mm->mmap_sem);
14708 +- return ret;
14709 +- }
14710 +- }
14711 +-
14712 + #ifdef CONFIG_STACK_GROWSUP
14713 + stack_base = vma->vm_end + EXTRA_STACK_VM_PAGES * PAGE_SIZE;
14714 + #else
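Review bot: The PAGEEXEC/SEGMEXEC block silently overrides EXSTACK_ENABLE_X — a binary whose PT_GNU_STACK asks for an executable stack still gets a non-executable one when mm->pax_flags has either bit, and with MPROTECT it also loses VM_MAYEXEC so a later mprotect(PROT_EXEC) on the stack is refused; that is the intended policy, but nothing in the code says so. Suggested: `/* PaX: a non-exec stack is enforced regardless of PT_GNU_STACK; MPROTECT additionally forbids making it executable later */`. The new `else vm_flags = VM_STACK_FLAGS;` also reads as restoring the VM_EXEC|VM_MAYEXEC bits that __bprm_mm_init strips under CONFIG_PAX_SEGMEXEC now that the per-mm flags are known; if that is the intent it deserves a one-line comment, and it is worth confirming that the EXSTACK_DISABLE_X branch, which keeps the stripped vma flags, still leaves VM_MAYEXEC set for a task whose pax_flags have SEGMEXEC disabled.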
14715 +@@ -662,7 +683,7 @@ int setup_arg_pages(struct linux_binprm
14716 +
14717 + out_unlock:
14718 + up_write(&mm->mmap_sem);
14719 +- return 0;
14720 ++ return ret;
14721 + }
14722 + EXPORT_SYMBOL(setup_arg_pages);
14723 +
14724 +@@ -682,7 +703,7 @@ struct file *open_exec(const char *name)
14725 + file = ERR_PTR(-EACCES);
14726 + if (!(nd.mnt->mnt_flags & MNT_NOEXEC) &&
14727 + S_ISREG(inode->i_mode)) {
14728 +- int err = vfs_permission(&nd, MAY_EXEC);
14729 ++ err = vfs_permission(&nd, MAY_EXEC);
14730 + file = ERR_PTR(err);
14731 + if (!err) {
14732 + file = nameidata_to_filp(&nd, O_RDONLY);
14733 +@@ -1339,6 +1360,11 @@ int do_execve(char * filename,
14734 + char __user *__user *envp,
14735 + struct pt_regs * regs)
14736 + {
14737 ++#ifdef CONFIG_GRKERNSEC
14738 ++ struct file *old_exec_file;
14739 ++ struct acl_subject_label *old_acl;
14740 ++ struct rlimit old_rlim[RLIM_NLIMITS];
14741 ++#endif
14742 + struct linux_binprm *bprm;
14743 + struct file *file;
14744 + unsigned long env_p;
14745 +@@ -1354,6 +1380,20 @@ int do_execve(char * filename,
14746 + if (IS_ERR(file))
14747 + goto out_kfree;
14748 +
14749 ++ gr_learn_resource(current, RLIMIT_NPROC, atomic_read(&current->user->processes), 1);
14750 ++
14751 ++ if (gr_handle_nproc()) {
14752 ++ allow_write_access(file);
14753 ++ fput(file);
14754 ++ return -EAGAIN;
14755 ++ }
14756 ++
14757 ++ if (!gr_acl_handle_execve(file->f_dentry, file->f_vfsmnt)) {
14758 ++ allow_write_access(file);
14759 ++ fput(file);
14760 ++ return -EACCES;
14761 ++ }
14762 ++
14763 + sched_exec();
14764 +
14765 + bprm->file = file;
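Review bot: The two new early exits `return -EAGAIN;` and `return -EACCES;` leak the linux_binprm: the `goto out_kfree` a few lines above shows bprm has already been allocated by the time open_exec() succeeds, and these returns bypass that label. Keep the allow_write_access()/fput() the hunk does, then go through the normal teardown: `retval = -EAGAIN; goto out_kfree;` and `retval = -EACCES; goto out_kfree;`, matching how the surrounding function reports every other failure before bprm->file is set. The same pattern presumably exists in compat_do_execve, whose corresponding hunk is not in this chunk. do_execve starts outside the hunk.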
14766 +@@ -1395,8 +1435,38 @@ int do_execve(char * filename,
14767 + goto out;
14768 + bprm->argv_len = env_p - bprm->p;
14769 +
14770 ++ if (!gr_tpe_allow(file)) {
14771 ++ retval = -EACCES;
14772 ++ goto out;
14773 ++ }
14774 ++
14775 ++ if (gr_check_crash_exec(file)) {
14776 ++ retval = -EACCES;
14777 ++ goto out;
14778 ++ }
14779 ++
14780 ++ gr_log_chroot_exec(file->f_dentry, file->f_vfsmnt);
14781 ++
14782 ++ gr_handle_exec_args(bprm, argv);
14783 ++
14784 ++#ifdef CONFIG_GRKERNSEC
14785 ++ old_acl = current->acl;
14786 ++ memcpy(old_rlim, current->signal->rlim, sizeof(old_rlim));
14787 ++ old_exec_file = current->exec_file;
14788 ++ get_file(file);
14789 ++ current->exec_file = file;
14790 ++#endif
14791 ++
14792 ++ retval = gr_set_proc_label(file->f_dentry, file->f_vfsmnt);
14793 ++ if (retval < 0)
14794 ++ goto out_fail;
14795 ++
14796 + retval = search_binary_handler(bprm,regs);
14797 + if (retval >= 0) {
14798 ++#ifdef CONFIG_GRKERNSEC
14799 ++ if (old_exec_file)
14800 ++ fput(old_exec_file);
14801 ++#endif
14802 + /* execve success */
14803 + free_arg_pages(bprm);
14804 + security_bprm_free(bprm);
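Review bot: The `#ifdef CONFIG_GRKERNSEC` snapshot of current->acl, the rlimits and exec_file has no comment tying it to the `out_fail` label added further down, which is the only reason it exists: gr_set_proc_label() and a failed search_binary_handler() leave the process running the old image, so the old subject state must be put back. A comment above the block such as `/* snapshot subject, rlimits and exec_file: gr_set_proc_label() switches them for the new image and a failed exec must roll them back (see out_fail) */` would make the pairing obvious. Also worth a line noting that the old exec_file reference is dropped only after search_binary_handler() succeeds, presumably so it stays pinned until the new image is committed.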
14805 +@@ -1405,6 +1475,14 @@ int do_execve(char * filename,
14806 + return retval;
14807 + }
14808 +
14809 ++out_fail:
14810 ++#ifdef CONFIG_GRKERNSEC
14811 ++ current->acl = old_acl;
14812 ++ memcpy(current->signal->rlim, old_rlim, sizeof(old_rlim));
14813 ++ fput(current->exec_file);
14814 ++ current->exec_file = old_exec_file;
14815 ++#endif
14816 ++
14817 + out:
14818 + free_arg_pages(bprm);
14819 + if (bprm->security)
14820 +@@ -1561,6 +1639,114 @@ out:
14821 + return ispipe;
14822 + }
14823 +
14824 ++int pax_check_flags(unsigned long *flags)
14825 ++{
14826 ++ int retval = 0;
14827 ++
14828 ++#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_SEGMEXEC)
14829 ++ if (*flags & MF_PAX_SEGMEXEC)
14830 ++ {
14831 ++ *flags &= ~MF_PAX_SEGMEXEC;
14832 ++ retval = -EINVAL;
14833 ++ }
14834 ++#endif
14835 ++
14836 ++ if ((*flags & MF_PAX_PAGEEXEC)
14837 ++
14838 ++#ifdef CONFIG_PAX_PAGEEXEC
14839 ++ && (*flags & MF_PAX_SEGMEXEC)
14840 ++#endif
14841 ++
14842 ++ )
14843 ++ {
14844 ++ *flags &= ~MF_PAX_PAGEEXEC;
14845 ++ retval = -EINVAL;
14846 ++ }
14847 ++
14848 ++ if ((*flags & MF_PAX_MPROTECT)
14849 ++
14850 ++#ifdef CONFIG_PAX_MPROTECT
14851 ++ && !(*flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC))
14852 ++#endif
14853 ++
14854 ++ )
14855 ++ {
14856 ++ *flags &= ~MF_PAX_MPROTECT;
14857 ++ retval = -EINVAL;
14858 ++ }
14859 ++
14860 ++ if ((*flags & MF_PAX_EMUTRAMP)
14861 ++
14862 ++#ifdef CONFIG_PAX_EMUTRAMP
14863 ++ && !(*flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC))
14864 ++#endif
14865 ++
14866 ++ )
14867 ++ {
14868 ++ *flags &= ~MF_PAX_EMUTRAMP;
14869 ++ retval = -EINVAL;
14870 ++ }
14871 ++
14872 ++ return retval;
14873 ++}
14874 ++
14875 ++EXPORT_SYMBOL(pax_check_flags);
14876 ++
14877 ++#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
14878 ++void pax_report_fault(struct pt_regs *regs, void *pc, void *sp)
14879 ++{
14880 ++ struct task_struct *tsk = current;
14881 ++ struct mm_struct *mm = current->mm;
14882 ++ char *buffer_exec = (char *)__get_free_page(GFP_ATOMIC);
14883 ++ char *buffer_fault = (char *)__get_free_page(GFP_ATOMIC);
14884 ++ char *path_exec = NULL;
14885 ++ char *path_fault = NULL;
14886 ++ unsigned long start = 0UL, end = 0UL, offset = 0UL;
14887 ++
14888 ++ if (buffer_exec && buffer_fault) {
14889 ++ struct vm_area_struct *vma, *vma_exec = NULL, *vma_fault = NULL;
14890 ++
14891 ++ down_read(&mm->mmap_sem);
14892 ++ vma = mm->mmap;
14893 ++ while (vma && (!vma_exec || !vma_fault)) {
14894 ++ if ((vma->vm_flags & VM_EXECUTABLE) && vma->vm_file)
14895 ++ vma_exec = vma;
14896 ++ if (vma->vm_start <= (unsigned long)pc && (unsigned long)pc < vma->vm_end)
14897 ++ vma_fault = vma;
14898 ++ vma = vma->vm_next;
14899 ++ }
14900 ++ if (vma_exec) {
14901 ++ path_exec = d_path(vma_exec->vm_file->f_path.dentry, vma_exec->vm_file->f_path.mnt, buffer_exec, PAGE_SIZE);
14902 ++ if (IS_ERR(path_exec))
14903 ++ path_exec = "<path too long>";
14904 ++ }
14905 ++ if (vma_fault) {
14906 ++ start = vma_fault->vm_start;
14907 ++ end = vma_fault->vm_end;
14908 ++ offset = vma_fault->vm_pgoff << PAGE_SHIFT;
14909 ++ if (vma_fault->vm_file) {
14910 ++ path_fault = d_path(vma_fault->vm_file->f_path.dentry, vma_fault->vm_file->f_path.mnt, buffer_fault, PAGE_SIZE);
14911 ++ if (IS_ERR(path_fault))
14912 ++ path_fault = "<path too long>";
14913 ++ } else
14914 ++ path_fault = "<anonymous mapping>";
14915 ++ }
14916 ++ up_read(&mm->mmap_sem);
14917 ++ }
14918 ++ if (tsk->signal->curr_ip)
14919 ++ printk(KERN_ERR "PAX: From %u.%u.%u.%u: execution attempt in: %s, %08lx-%08lx %08lx\n", NIPQUAD(tsk->signal->curr_ip), path_fault, start, end, offset);
14920 ++ else
14921 ++ printk(KERN_ERR "PAX: execution attempt in: %s, %08lx-%08lx %08lx\n", path_fault, start, end, offset);
14922 ++ printk(KERN_ERR "PAX: terminating task: %s(%s):%d, uid/euid: %u/%u, "
14923 ++ "PC: %p, SP: %p\n", path_exec, tsk->comm, tsk->pid,
14924 ++ tsk->uid, tsk->euid, pc, sp);
14925 ++ free_page((unsigned long)buffer_exec);
14926 ++ free_page((unsigned long)buffer_fault);
14927 ++ pax_report_insns(pc, sp);
14928 ++ do_coredump(SIGKILL, SIGKILL, regs);
14929 ++}
14930 ++#endif
14931 ++
14932 + static void zap_process(struct task_struct *start)
14933 + {
14934 + struct task_struct *t;
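Review bot: pax_check_flags() and pax_report_fault() are new (the former exported) and carry no header comments. pax_check_flags() sanitises *flags in place — it clears any MF_PAX_* bit whose prerequisite is not compiled in or not set — and returns -EINVAL whenever it had to clear something, which callers need to know since they decide whether that is fatal; suggest `/* drop unsupported or inconsistent MF_PAX_* bits from *flags; returns -EINVAL if any were dropped */`. pax_report_fault() should state that it logs and then relies on do_coredump(SIGKILL, ...) to terminate the task, returning to the caller afterwards, and that the two GFP_ATOMIC page buffers are best-effort: free_page() tolerates 0, and path_exec/path_fault simply stay NULL when they are missing.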
14935 +@@ -1753,6 +1939,10 @@ int do_coredump(long signr, int exit_cod
14936 + */
14937 + clear_thread_flag(TIF_SIGPENDING);
14938 +
14939 ++ if (signr == SIGKILL || signr == SIGILL)
14940 ++ gr_handle_brute_attach(current);
14941 ++
14942 ++ gr_learn_resource(current, RLIMIT_CORE, binfmt->min_coredump, 1);
14943 + if (current->signal->rlim[RLIMIT_CORE].rlim_cur < binfmt->min_coredump)
14944 + goto fail_unlock;
14945 +
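Review bot: The `signr == SIGKILL || signr == SIGILL` test in do_coredump is opaque without context: SIGKILL here is not an arbitrary kill but the signal pax_report_fault() (earlier in this patch) passes to do_coredump(), so this is where PaX-detected execution attempts feed the brute-force detector; where SIGILL comes from is not visible here. A comment would help, and it should also say whether ordinary SIGSEGV/SIGBUS crashes are deliberately excluded from gr_handle_brute_attach(): `/* SIGKILL/SIGILL reach here from PaX's pax_report_fault(); count them as a possible brute-force attempt */`. do_coredump starts outside the hunk.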
14946 +diff -Nurp linux-2.6.23.15/fs/ext2/balloc.c linux-2.6.23.15-grsec/fs/ext2/balloc.c
14947 +--- linux-2.6.23.15/fs/ext2/balloc.c 2007-10-09 21:31:38.000000000 +0100
14948 ++++ linux-2.6.23.15-grsec/fs/ext2/balloc.c 2008-02-11 10:37:44.000000000 +0000
14949 +@@ -111,7 +111,7 @@ static int reserve_blocks(struct super_b
14950 + if (free_blocks < count)
14951 + count = free_blocks;
14952 +
14953 +- if (free_blocks < root_blocks + count && !capable(CAP_SYS_RESOURCE) &&
14954 ++ if (free_blocks < root_blocks + count && !capable_nolog(CAP_SYS_RESOURCE) &&
14955 + sbi->s_resuid != current->fsuid &&
14956 + (sbi->s_resgid == 0 || !in_group_p (sbi->s_resgid))) {
14957 + /*
14958 +diff -Nurp linux-2.6.23.15/fs/ext3/balloc.c linux-2.6.23.15-grsec/fs/ext3/balloc.c
14959 +--- linux-2.6.23.15/fs/ext3/balloc.c 2007-10-09 21:31:38.000000000 +0100
14960 ++++ linux-2.6.23.15-grsec/fs/ext3/balloc.c 2008-02-11 10:37:44.000000000 +0000
14961 +@@ -1359,7 +1359,7 @@ static int ext3_has_free_blocks(struct e
14962 +
14963 + free_blocks = percpu_counter_read_positive(&sbi->s_freeblocks_counter);
14964 + root_blocks = le32_to_cpu(sbi->s_es->s_r_blocks_count);
14965 +- if (free_blocks < root_blocks + 1 && !capable(CAP_SYS_RESOURCE) &&
14966 ++ if (free_blocks < root_blocks + 1 && !capable_nolog(CAP_SYS_RESOURCE) &&
14967 + sbi->s_resuid != current->fsuid &&
14968 + (sbi->s_resgid == 0 || !in_group_p (sbi->s_resgid))) {
14969 + return 0;
14970 +diff -Nurp linux-2.6.23.15/fs/ext3/namei.c linux-2.6.23.15-grsec/fs/ext3/namei.c
14971 +--- linux-2.6.23.15/fs/ext3/namei.c 2007-10-09 21:31:38.000000000 +0100
14972 ++++ linux-2.6.23.15-grsec/fs/ext3/namei.c 2008-02-11 10:37:44.000000000 +0000
14973 +@@ -1188,9 +1188,9 @@ static struct ext3_dir_entry_2 *do_split
14974 + u32 hash2;
14975 + struct dx_map_entry *map;
14976 + char *data1 = (*bh)->b_data, *data2;
14977 +- unsigned split, move, size, i;
14978 ++ unsigned split, move, size;
14979 + struct ext3_dir_entry_2 *de = NULL, *de2;
14980 +- int err = 0;
14981 ++ int i, err = 0;
14982 +
14983 + bh2 = ext3_append (handle, dir, &newblock, &err);
14984 + if (!(bh2)) {
14985 +diff -Nurp linux-2.6.23.15/fs/ext3/xattr.c linux-2.6.23.15-grsec/fs/ext3/xattr.c
14986 +--- linux-2.6.23.15/fs/ext3/xattr.c 2007-10-09 21:31:38.000000000 +0100
14987 ++++ linux-2.6.23.15-grsec/fs/ext3/xattr.c 2008-02-11 10:37:44.000000000 +0000
14988 +@@ -89,8 +89,8 @@
14989 + printk("\n"); \
14990 + } while (0)
14991 + #else
14992 +-# define ea_idebug(f...)
14993 +-# define ea_bdebug(f...)
14994 ++# define ea_idebug(f...) do {} while (0)
14995 ++# define ea_bdebug(f...) do {} while (0)
14996 + #endif
14997 +
14998 + static void ext3_xattr_cache_insert(struct buffer_head *);
14999 +diff -Nurp linux-2.6.23.15/fs/ext4/balloc.c linux-2.6.23.15-grsec/fs/ext4/balloc.c
15000 +--- linux-2.6.23.15/fs/ext4/balloc.c 2007-10-09 21:31:38.000000000 +0100
15001 ++++ linux-2.6.23.15-grsec/fs/ext4/balloc.c 2008-02-11 10:37:44.000000000 +0000
15002 +@@ -1376,7 +1376,7 @@ static int ext4_has_free_blocks(struct e
15003 +
15004 + free_blocks = percpu_counter_read_positive(&sbi->s_freeblocks_counter);
15005 + root_blocks = ext4_r_blocks_count(sbi->s_es);
15006 +- if (free_blocks < root_blocks + 1 && !capable(CAP_SYS_RESOURCE) &&
15007 ++ if (free_blocks < root_blocks + 1 && !capable_nolog(CAP_SYS_RESOURCE) &&
15008 + sbi->s_resuid != current->fsuid &&
15009 + (sbi->s_resgid == 0 || !in_group_p (sbi->s_resgid))) {
15010 + return 0;
15011 +diff -Nurp linux-2.6.23.15/fs/ext4/namei.c linux-2.6.23.15-grsec/fs/ext4/namei.c
15012 +--- linux-2.6.23.15/fs/ext4/namei.c 2007-10-09 21:31:38.000000000 +0100
15013 ++++ linux-2.6.23.15-grsec/fs/ext4/namei.c 2008-02-11 10:37:44.000000000 +0000
15014 +@@ -1186,9 +1186,9 @@ static struct ext4_dir_entry_2 *do_split
15015 + u32 hash2;
15016 + struct dx_map_entry *map;
15017 + char *data1 = (*bh)->b_data, *data2;
15018 +- unsigned split, move, size, i;
15019 ++ unsigned split, move, size;
15020 + struct ext4_dir_entry_2 *de = NULL, *de2;
15021 +- int err = 0;
15022 ++ int i, err = 0;
15023 +
15024 + bh2 = ext4_append (handle, dir, &newblock, &err);
15025 + if (!(bh2)) {
15026 +diff -Nurp linux-2.6.23.15/fs/fcntl.c linux-2.6.23.15-grsec/fs/fcntl.c
15027 +--- linux-2.6.23.15/fs/fcntl.c 2007-10-09 21:31:38.000000000 +0100
15028 ++++ linux-2.6.23.15-grsec/fs/fcntl.c 2008-02-11 10:37:44.000000000 +0000
15029 +@@ -18,6 +18,7 @@
15030 + #include <linux/ptrace.h>
15031 + #include <linux/signal.h>
15032 + #include <linux/rcupdate.h>
15033 ++#include <linux/grsecurity.h>
15034 +
15035 + #include <asm/poll.h>
15036 + #include <asm/siginfo.h>
15037 +@@ -63,6 +64,7 @@ static int locate_fd(struct files_struct
15038 + struct fdtable *fdt;
15039 +
15040 + error = -EINVAL;
15041 ++ gr_learn_resource(current, RLIMIT_NOFILE, orig_start, 0);
15042 + if (orig_start >= current->signal->rlim[RLIMIT_NOFILE].rlim_cur)
15043 + goto out;
15044 +
15045 +@@ -82,6 +84,7 @@ repeat:
15046 + fdt->max_fds, start);
15047 +
15048 + error = -EMFILE;
15049 ++ gr_learn_resource(current, RLIMIT_NOFILE, newfd, 0);
15050 + if (newfd >= current->signal->rlim[RLIMIT_NOFILE].rlim_cur)
15051 + goto out;
15052 +
15053 +@@ -140,6 +143,8 @@ asmlinkage long sys_dup2(unsigned int ol
15054 + struct files_struct * files = current->files;
15055 + struct fdtable *fdt;
15056 +
15057 ++ gr_learn_resource(current, RLIMIT_NOFILE, newfd, 0);
15058 ++
15059 + spin_lock(&files->file_lock);
15060 + if (!(file = fcheck(oldfd)))
15061 + goto out_unlock;
15062 +@@ -458,7 +463,8 @@ static inline int sigio_perm(struct task
15063 + return (((fown->euid == 0) ||
15064 + (fown->euid == p->suid) || (fown->euid == p->uid) ||
15065 + (fown->uid == p->suid) || (fown->uid == p->uid)) &&
15066 +- !security_file_send_sigiotask(p, fown, sig));
15067 ++ !security_file_send_sigiotask(p, fown, sig) &&
15068 ++ !gr_check_protected_task(p) && !gr_pid_is_chrooted(p));
15069 + }
15070 +
15071 + static void send_sigio_to_task(struct task_struct *p,
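Review bot: The added `!gr_pid_is_chrooted(p)` term in sigio_perm() keys only on the receiving task p, so as written it looks like any chrooted task is refused SIGIO regardless of who owns the file; if gr_pid_is_chrooted() in fact compares p's root against current's (so SIGIO within the same chroot still works), that contract is not visible here and should be stated at the call site, e.g. `/* deny SIGIO to protected tasks and into a chroot from outside it; see gr_pid_is_chrooted() */`. It is also worth noting that the grsecurity terms are evaluated last, only after the uid and LSM checks pass, so they can add denials but never grant.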
15072 +diff -Nurp linux-2.6.23.15/fs/fuse/control.c linux-2.6.23.15-grsec/fs/fuse/control.c
15073 +--- linux-2.6.23.15/fs/fuse/control.c 2007-10-09 21:31:38.000000000 +0100
15074 ++++ linux-2.6.23.15-grsec/fs/fuse/control.c 2008-02-11 10:37:44.000000000 +0000
15075 +@@ -159,7 +159,7 @@ void fuse_ctl_remove_conn(struct fuse_co
15076 +
15077 + static int fuse_ctl_fill_super(struct super_block *sb, void *data, int silent)
15078 + {
15079 +- struct tree_descr empty_descr = {""};
15080 ++ struct tree_descr empty_descr = {"", NULL, 0};
15081 + struct fuse_conn *fc;
15082 + int err;
15083 +
15084 +diff -Nurp linux-2.6.23.15/fs/hfs/inode.c linux-2.6.23.15-grsec/fs/hfs/inode.c
15085 +--- linux-2.6.23.15/fs/hfs/inode.c 2007-10-09 21:31:38.000000000 +0100
15086 ++++ linux-2.6.23.15-grsec/fs/hfs/inode.c 2008-02-11 10:37:44.000000000 +0000
15087 +@@ -415,7 +415,7 @@ int hfs_write_inode(struct inode *inode,
15088 +
15089 + if (S_ISDIR(main_inode->i_mode)) {
15090 + if (fd.entrylength < sizeof(struct hfs_cat_dir))
15091 +- /* panic? */;
15092 ++ {/* panic? */}
15093 + hfs_bnode_read(fd.bnode, &rec, fd.entryoffset,
15094 + sizeof(struct hfs_cat_dir));
15095 + if (rec.type != HFS_CDR_DIR ||
15096 +@@ -436,7 +436,7 @@ int hfs_write_inode(struct inode *inode,
15097 + sizeof(struct hfs_cat_file));
15098 + } else {
15099 + if (fd.entrylength < sizeof(struct hfs_cat_file))
15100 +- /* panic? */;
15101 ++ {/* panic? */}
15102 + hfs_bnode_read(fd.bnode, &rec, fd.entryoffset,
15103 + sizeof(struct hfs_cat_file));
15104 + if (rec.type != HFS_CDR_FIL ||
15105 +diff -Nurp linux-2.6.23.15/fs/hfsplus/inode.c linux-2.6.23.15-grsec/fs/hfsplus/inode.c
15106 +--- linux-2.6.23.15/fs/hfsplus/inode.c 2007-10-09 21:31:38.000000000 +0100
15107 ++++ linux-2.6.23.15-grsec/fs/hfsplus/inode.c 2008-02-11 10:37:44.000000000 +0000
15108 +@@ -418,7 +418,7 @@ int hfsplus_cat_read_inode(struct inode
15109 + struct hfsplus_cat_folder *folder = &entry.folder;
15110 +
15111 + if (fd->entrylength < sizeof(struct hfsplus_cat_folder))
15112 +- /* panic? */;
15113 ++ {/* panic? */}
15114 + hfs_bnode_read(fd->bnode, &entry, fd->entryoffset,
15115 + sizeof(struct hfsplus_cat_folder));
15116 + hfsplus_get_perms(inode, &folder->permissions, 1);
15117 +@@ -435,7 +435,7 @@ int hfsplus_cat_read_inode(struct inode
15118 + struct hfsplus_cat_file *file = &entry.file;
15119 +
15120 + if (fd->entrylength < sizeof(struct hfsplus_cat_file))
15121 +- /* panic? */;
15122 ++ {/* panic? */}
15123 + hfs_bnode_read(fd->bnode, &entry, fd->entryoffset,
15124 + sizeof(struct hfsplus_cat_file));
15125 +
15126 +@@ -491,7 +491,7 @@ int hfsplus_cat_write_inode(struct inode
15127 + struct hfsplus_cat_folder *folder = &entry.folder;
15128 +
15129 + if (fd.entrylength < sizeof(struct hfsplus_cat_folder))
15130 +- /* panic? */;
15131 ++ {/* panic? */}
15132 + hfs_bnode_read(fd.bnode, &entry, fd.entryoffset,
15133 + sizeof(struct hfsplus_cat_folder));
15134 + /* simple node checks? */
15135 +@@ -513,7 +513,7 @@ int hfsplus_cat_write_inode(struct inode
15136 + struct hfsplus_cat_file *file = &entry.file;
15137 +
15138 + if (fd.entrylength < sizeof(struct hfsplus_cat_file))
15139 +- /* panic? */;
15140 ++ {/* panic? */}
15141 + hfs_bnode_read(fd.bnode, &entry, fd.entryoffset,
15142 + sizeof(struct hfsplus_cat_file));
15143 + hfsplus_inode_write_fork(inode, &file->data_fork);
15144 +diff -Nurp linux-2.6.23.15/fs/jffs2/debug.h linux-2.6.23.15-grsec/fs/jffs2/debug.h
15145 +--- linux-2.6.23.15/fs/jffs2/debug.h 2007-10-09 21:31:38.000000000 +0100
15146 ++++ linux-2.6.23.15-grsec/fs/jffs2/debug.h 2008-02-11 10:37:44.000000000 +0000
15147 +@@ -51,13 +51,13 @@
15148 + #if CONFIG_JFFS2_FS_DEBUG > 0
15149 + #define D1(x) x
15150 + #else
15151 +-#define D1(x)
15152 ++#define D1(x) do {} while (0);
15153 + #endif
15154 +
15155 + #if CONFIG_JFFS2_FS_DEBUG > 1
15156 + #define D2(x) x
15157 + #else
15158 +-#define D2(x)
15159 ++#define D2(x) do {} while (0);
15160 + #endif
15161 +
15162 + /* The prefixes of JFFS2 messages */
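Review bot: The new `#define D1(x) do {} while (0);` and `D2(x)` carry a trailing semicolon, unlike every `dbg_*` macro converted later in the same file (`do {} while (0)` with no `;`). With the call-site semicolon that expands to two statements, so `if (c) D1(x); else ...` — legal with the old empty definition — now fails to compile, and the only thing the extra `;` buys is a bare `D1(x)` written without its own semicolon. Unless such a call site exists, drop it: `#define D1(x) do {} while (0)`.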
15163 +@@ -113,68 +113,68 @@
15164 + #ifdef JFFS2_DBG_READINODE_MESSAGES
15165 + #define dbg_readinode(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
15166 + #else
15167 +-#define dbg_readinode(fmt, ...)
15168 ++#define dbg_readinode(fmt, ...) do {} while (0)
15169 + #endif
15170 +
15171 + /* Fragtree build debugging messages */
15172 + #ifdef JFFS2_DBG_FRAGTREE_MESSAGES
15173 + #define dbg_fragtree(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
15174 + #else
15175 +-#define dbg_fragtree(fmt, ...)
15176 ++#define dbg_fragtree(fmt, ...) do {} while (0)
15177 + #endif
15178 + #ifdef JFFS2_DBG_FRAGTREE2_MESSAGES
15179 + #define dbg_fragtree2(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
15180 + #else
15181 +-#define dbg_fragtree2(fmt, ...)
15182 ++#define dbg_fragtree2(fmt, ...) do {} while (0)
15183 + #endif
15184 +
15185 + /* Directory entry list manilulation debugging messages */
15186 + #ifdef JFFS2_DBG_DENTLIST_MESSAGES
15187 + #define dbg_dentlist(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
15188 + #else
15189 +-#define dbg_dentlist(fmt, ...)
15190 ++#define dbg_dentlist(fmt, ...) do {} while (0)
15191 + #endif
15192 +
15193 + /* Print the messages about manipulating node_refs */
15194 + #ifdef JFFS2_DBG_NODEREF_MESSAGES
15195 + #define dbg_noderef(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
15196 + #else
15197 +-#define dbg_noderef(fmt, ...)
15198 ++#define dbg_noderef(fmt, ...) do {} while (0)
15199 + #endif
15200 +
15201 + /* Manipulations with the list of inodes (JFFS2 inocache) */
15202 + #ifdef JFFS2_DBG_INOCACHE_MESSAGES
15203 + #define dbg_inocache(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
15204 + #else
15205 +-#define dbg_inocache(fmt, ...)
15206 ++#define dbg_inocache(fmt, ...) do {} while (0)
15207 + #endif
15208 +
15209 + /* Summary debugging messages */
15210 + #ifdef JFFS2_DBG_SUMMARY_MESSAGES
15211 + #define dbg_summary(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
15212 + #else
15213 +-#define dbg_summary(fmt, ...)
15214 ++#define dbg_summary(fmt, ...) do {} while (0)
15215 + #endif
15216 +
15217 + /* File system build messages */
15218 + #ifdef JFFS2_DBG_FSBUILD_MESSAGES
15219 + #define dbg_fsbuild(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
15220 + #else
15221 +-#define dbg_fsbuild(fmt, ...)
15222 ++#define dbg_fsbuild(fmt, ...) do {} while (0)
15223 + #endif
15224 +
15225 + /* Watch the object allocations */
15226 + #ifdef JFFS2_DBG_MEMALLOC_MESSAGES
15227 + #define dbg_memalloc(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
15228 + #else
15229 +-#define dbg_memalloc(fmt, ...)
15230 ++#define dbg_memalloc(fmt, ...) do {} while (0)
15231 + #endif
15232 +
15233 + /* Watch the XATTR subsystem */
15234 + #ifdef JFFS2_DBG_XATTR_MESSAGES
15235 + #define dbg_xattr(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
15236 + #else
15237 +-#define dbg_xattr(fmt, ...)
15238 ++#define dbg_xattr(fmt, ...) do {} while (0)
15239 + #endif
15240 +
15241 + /* "Sanity" checks */
15242 +diff -Nurp linux-2.6.23.15/fs/jffs2/erase.c linux-2.6.23.15-grsec/fs/jffs2/erase.c
15243 +--- linux-2.6.23.15/fs/jffs2/erase.c 2007-10-09 21:31:38.000000000 +0100
15244 ++++ linux-2.6.23.15-grsec/fs/jffs2/erase.c 2008-02-11 10:37:44.000000000 +0000
15245 +@@ -389,7 +389,8 @@ static void jffs2_mark_erased_block(stru
15246 + struct jffs2_unknown_node marker = {
15247 + .magic = cpu_to_je16(JFFS2_MAGIC_BITMASK),
15248 + .nodetype = cpu_to_je16(JFFS2_NODETYPE_CLEANMARKER),
15249 +- .totlen = cpu_to_je32(c->cleanmarker_size)
15250 ++ .totlen = cpu_to_je32(c->cleanmarker_size),
15251 ++ .hdr_crc = cpu_to_je32(0)
15252 + };
15253 +
15254 + jffs2_prealloc_raw_node_refs(c, jeb, 1);
15255 +diff -Nurp linux-2.6.23.15/fs/jffs2/summary.h linux-2.6.23.15-grsec/fs/jffs2/summary.h
15256 +--- linux-2.6.23.15/fs/jffs2/summary.h 2007-10-09 21:31:38.000000000 +0100
15257 ++++ linux-2.6.23.15-grsec/fs/jffs2/summary.h 2008-02-11 10:37:44.000000000 +0000
15258 +@@ -188,18 +188,18 @@ int jffs2_sum_scan_sumnode(struct jffs2_
15259 +
15260 + #define jffs2_sum_active() (0)
15261 + #define jffs2_sum_init(a) (0)
15262 +-#define jffs2_sum_exit(a)
15263 +-#define jffs2_sum_disable_collecting(a)
15264 ++#define jffs2_sum_exit(a) do {} while (0)
15265 ++#define jffs2_sum_disable_collecting(a) do {} while (0)
15266 + #define jffs2_sum_is_disabled(a) (0)
15267 +-#define jffs2_sum_reset_collected(a)
15268 ++#define jffs2_sum_reset_collected(a) do {} while (0)
15269 + #define jffs2_sum_add_kvec(a,b,c,d) (0)
15270 +-#define jffs2_sum_move_collected(a,b)
15271 ++#define jffs2_sum_move_collected(a,b) do {} while (0)
15272 + #define jffs2_sum_write_sumnode(a) (0)
15273 +-#define jffs2_sum_add_padding_mem(a,b)
15274 +-#define jffs2_sum_add_inode_mem(a,b,c)
15275 +-#define jffs2_sum_add_dirent_mem(a,b,c)
15276 +-#define jffs2_sum_add_xattr_mem(a,b,c)
15277 +-#define jffs2_sum_add_xref_mem(a,b,c)
15278 ++#define jffs2_sum_add_padding_mem(a,b) do {} while (0)
15279 ++#define jffs2_sum_add_inode_mem(a,b,c) do {} while (0)
15280 ++#define jffs2_sum_add_dirent_mem(a,b,c) do {} while (0)
15281 ++#define jffs2_sum_add_xattr_mem(a,b,c) do {} while (0)
15282 ++#define jffs2_sum_add_xref_mem(a,b,c) do {} while (0)
15283 + #define jffs2_sum_scan_sumnode(a,b,c,d,e) (0)
15284 +
15285 + #endif /* CONFIG_JFFS2_SUMMARY */
15286 +diff -Nurp linux-2.6.23.15/fs/jffs2/wbuf.c linux-2.6.23.15-grsec/fs/jffs2/wbuf.c
15287 +--- linux-2.6.23.15/fs/jffs2/wbuf.c 2007-10-09 21:31:38.000000000 +0100
15288 ++++ linux-2.6.23.15-grsec/fs/jffs2/wbuf.c 2008-02-11 10:37:44.000000000 +0000
15289 +@@ -973,7 +973,8 @@ static const struct jffs2_unknown_node o
15290 + {
15291 + .magic = constant_cpu_to_je16(JFFS2_MAGIC_BITMASK),
15292 + .nodetype = constant_cpu_to_je16(JFFS2_NODETYPE_CLEANMARKER),
15293 +- .totlen = constant_cpu_to_je32(8)
15294 ++ .totlen = constant_cpu_to_je32(8),
15295 ++ .hdr_crc = constant_cpu_to_je32(0)
15296 + };
15297 +
15298 + /*
15299 +diff -Nurp linux-2.6.23.15/fs/namei.c linux-2.6.23.15-grsec/fs/namei.c
15300 +--- linux-2.6.23.15/fs/namei.c 2008-02-11 10:36:03.000000000 +0000
15301 ++++ linux-2.6.23.15-grsec/fs/namei.c 2008-02-11 10:37:44.000000000 +0000
15302 +@@ -31,6 +31,7 @@
15303 + #include <linux/file.h>
15304 + #include <linux/fcntl.h>
15305 + #include <linux/namei.h>
15306 ++#include <linux/grsecurity.h>
15307 + #include <asm/namei.h>
15308 + #include <asm/uaccess.h>
15309 +
15310 +@@ -638,6 +639,13 @@ static inline int do_follow_link(struct
15311 + err = security_inode_follow_link(path->dentry, nd);
15312 + if (err)
15313 + goto loop;
15314 ++
15315 ++ if (gr_handle_follow_link(path->dentry->d_parent->d_inode,
15316 ++ path->dentry->d_inode, path->dentry, nd->mnt)) {
15317 ++ err = -EACCES;
15318 ++ goto loop;
15319 ++ }
15320 ++
15321 + current->link_count++;
15322 + current->total_link_count++;
15323 + nd->depth++;
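Review bot: gr_handle_follow_link() is handed `path->dentry->d_parent->d_inode`, read with no dcache locking; nothing in the hunk pins the parent, so if the link's directory is concurrently renamed the check may look at a stale parent. Whether that matters depends on what gr_handle_follow_link() does with the parent inode (not visible here): if it only reads mode and owner, a comment saying the race is accepted would do, `/* parent read without rename locking: only its mode/owner are inspected, a concurrent rename is tolerated */`; if it does more, resolve the parent under the appropriate lock. The same construct appears again in the do_link hunk further down.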
15324 +@@ -983,11 +991,18 @@ return_reval:
15325 + break;
15326 + }
15327 + return_base:
15328 ++ if (!gr_acl_handle_hidden_file(nd->dentry, nd->mnt)) {
15329 ++ path_release(nd);
15330 ++ return -ENOENT;
15331 ++ }
15332 + return 0;
15333 + out_dput:
15334 + dput_path(&next, nd);
15335 + break;
15336 + }
15337 ++ if (!gr_acl_handle_hidden_file(nd->dentry, nd->mnt))
15338 ++ err = -ENOENT;
15339 ++
15340 + path_release(nd);
15341 + return_err:
15342 + return err;
15343 +@@ -1649,9 +1664,17 @@ static int open_namei_create(struct name
15344 + int error;
15345 + struct dentry *dir = nd->dentry;
15346 +
15347 ++ if (!gr_acl_handle_creat(path->dentry, nd->dentry, nd->mnt, flag, mode)) {
15348 ++ error = -EACCES;
15349 ++ goto out_unlock_dput;
15350 ++ }
15351 ++
15352 + if (!IS_POSIXACL(dir->d_inode))
15353 + mode &= ~current->fs->umask;
15354 + error = vfs_create(dir->d_inode, path->dentry, mode, nd);
15355 ++ if (!error)
15356 ++ gr_handle_create(path->dentry, nd->mnt);
15357 ++out_unlock_dput:
15358 + mutex_unlock(&dir->d_inode->i_mutex);
15359 + dput(nd->dentry);
15360 + nd->dentry = path->dentry;
15361 +@@ -1702,6 +1725,17 @@ int open_namei(int dfd, const char *path
15362 + nd, flag);
15363 + if (error)
15364 + return error;
15365 ++
15366 ++ if (gr_handle_rawio(nd->dentry->d_inode)) {
15367 ++ error = -EPERM;
15368 ++ goto exit;
15369 ++ }
15370 ++
15371 ++ if (!gr_acl_handle_open(nd->dentry, nd->mnt, flag)) {
15372 ++ error = -EACCES;
15373 ++ goto exit;
15374 ++ }
15375 ++
15376 + goto ok;
15377 + }
15378 +
15379 +@@ -1751,6 +1785,23 @@ do_last:
15380 + /*
15381 + * It already exists.
15382 + */
15383 ++
15384 ++ if (gr_handle_rawio(path.dentry->d_inode)) {
15385 ++ mutex_unlock(&dir->d_inode->i_mutex);
15386 ++ error = -EPERM;
15387 ++ goto exit_dput;
15388 ++ }
15389 ++ if (!gr_acl_handle_open(path.dentry, nd->mnt, flag)) {
15390 ++ mutex_unlock(&dir->d_inode->i_mutex);
15391 ++ error = -EACCES;
15392 ++ goto exit_dput;
15393 ++ }
15394 ++ if (gr_handle_fifo(path.dentry, nd->mnt, dir, flag, acc_mode)) {
15395 ++ mutex_unlock(&dir->d_inode->i_mutex);
15396 ++ error = -EACCES;
15397 ++ goto exit_dput;
15398 ++ }
15399 ++
15400 + mutex_unlock(&dir->d_inode->i_mutex);
15401 + audit_inode(pathname, path.dentry->d_inode);
15402 +
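Review bot: The three new checks in do_last each repeat `mutex_unlock(&dir->d_inode->i_mutex);` before `goto exit_dput`, a pattern that is easy to get wrong on the next edit; set `error` first and jump to a single unlock-then-dput label instead, and let the two -EACCES checks share a condition. If open_namei already has such a label for the IS_ERR(path.dentry) case (it is outside the hunk, so confirm) reuse it; otherwise add `exit_mutex_unlock: mutex_unlock(&dir->d_inode->i_mutex);` immediately above `exit_dput:`. open_namei starts and ends outside the hunk.
```c
	/* … unchanged: lookup of the existing entry … */
	error = -EPERM;
	if (gr_handle_rawio(path.dentry->d_inode))
		goto exit_mutex_unlock;
	error = -EACCES;
	if (!gr_acl_handle_open(path.dentry, nd->mnt, flag) ||
	    gr_handle_fifo(path.dentry, nd->mnt, dir, flag, acc_mode))
		goto exit_mutex_unlock;

	mutex_unlock(&dir->d_inode->i_mutex);
	audit_inode(pathname, path.dentry->d_inode);
```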
15403 +@@ -1806,6 +1857,13 @@ do_link:
15404 + error = security_inode_follow_link(path.dentry, nd);
15405 + if (error)
15406 + goto exit_dput;
15407 ++
15408 ++ if (gr_handle_follow_link(path.dentry->d_parent->d_inode, path.dentry->d_inode,
15409 ++ path.dentry, nd->mnt)) {
15410 ++ error = -EACCES;
15411 ++ goto exit_dput;
15412 ++ }
15413 ++
15414 + error = __do_follow_link(&path, nd);
15415 + if (error) {
15416 + /* Does someone understand code flow here? Or it is only
15417 +@@ -1934,6 +1992,22 @@ asmlinkage long sys_mknodat(int dfd, con
15418 + if (!IS_POSIXACL(nd.dentry->d_inode))
15419 + mode &= ~current->fs->umask;
15420 + if (!IS_ERR(dentry)) {
15421 ++ if (gr_handle_chroot_mknod(dentry, nd.mnt, mode)) {
15422 ++ error = -EPERM;
15423 ++ dput(dentry);
15424 ++ mutex_unlock(&nd.dentry->d_inode->i_mutex);
15425 ++ path_release(&nd);
15426 ++ goto out;
15427 ++ }
15428 ++
15429 ++ if (!gr_acl_handle_mknod(dentry, nd.dentry, nd.mnt, mode)) {
15430 ++ error = -EACCES;
15431 ++ dput(dentry);
15432 ++ mutex_unlock(&nd.dentry->d_inode->i_mutex);
15433 ++ path_release(&nd);
15434 ++ goto out;
15435 ++ }
15436 ++
15437 + switch (mode & S_IFMT) {
15438 + case 0: case S_IFREG:
15439 + error = vfs_create(nd.dentry->d_inode,dentry,mode,&nd);
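Review bot: Both denial branches in sys_mknodat repeat the same four-line teardown (`dput`, `mutex_unlock`, `path_release`, `goto out`) even though the function's own `dput(dentry);` and `mutex_unlock(&nd.dentry->d_inode->i_mutex);` follow the switch in the next hunk, and the `if (!error)` guard added there already skips gr_handle_create once error is set. The sys_mkdirat hunk below handles the identical situation with an `out_unlock_dput:` label; doing the same here — `error = -EPERM; goto out_dput;` in the first branch, `error = -EACCES; goto out_dput;` in the second, and `out_dput:` placed before the existing `dput(dentry);` — would keep the two hunks consistent and drop six duplicated lines, assuming the tail after the switch (not shown) releases nd before `out` the way the new branches do. sys_mknodat continues outside the hunk.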
15440 +@@ -1951,6 +2025,10 @@ asmlinkage long sys_mknodat(int dfd, con
15441 + default:
15442 + error = -EINVAL;
15443 + }
15444 ++
15445 ++ if (!error)
15446 ++ gr_handle_create(dentry, nd.mnt);
15447 ++
15448 + dput(dentry);
15449 + }
15450 + mutex_unlock(&nd.dentry->d_inode->i_mutex);
15451 +@@ -2008,9 +2086,18 @@ asmlinkage long sys_mkdirat(int dfd, con
15452 + if (IS_ERR(dentry))
15453 + goto out_unlock;
15454 +
15455 ++ if (!gr_acl_handle_mkdir(dentry, nd.dentry, nd.mnt)) {
15456 ++ error = -EACCES;
15457 ++ goto out_unlock_dput;
15458 ++ }
15459 ++
15460 + if (!IS_POSIXACL(nd.dentry->d_inode))
15461 + mode &= ~current->fs->umask;
15462 + error = vfs_mkdir(nd.dentry->d_inode, dentry, mode);
15463 ++
15464 ++ if (!error)
15465 ++ gr_handle_create(dentry, nd.mnt);
15466 ++out_unlock_dput:
15467 + dput(dentry);
15468 + out_unlock:
15469 + mutex_unlock(&nd.dentry->d_inode->i_mutex);
15470 +@@ -2092,6 +2179,8 @@ static long do_rmdir(int dfd, const char
15471 + char * name;
15472 + struct dentry *dentry;
15473 + struct nameidata nd;
15474 ++ ino_t saved_ino = 0;
15475 ++ dev_t saved_dev = 0;
15476 +
15477 + name = getname(pathname);
15478 + if(IS_ERR(name))
15479 +@@ -2117,7 +2206,22 @@ static long do_rmdir(int dfd, const char
15480 + error = PTR_ERR(dentry);
15481 + if (IS_ERR(dentry))
15482 + goto exit2;
15483 ++
15484 ++ if (dentry->d_inode != NULL) {
15485 ++ if (dentry->d_inode->i_nlink <= 1) {
15486 ++ saved_ino = dentry->d_inode->i_ino;
15487 ++ saved_dev = dentry->d_inode->i_sb->s_dev;
15488 ++ }
15489 ++
15490 ++ if (!gr_acl_handle_rmdir(dentry, nd.mnt)) {
15491 ++ error = -EACCES;
15492 ++ goto dput_exit2;
15493 ++ }
15494 ++ }
15495 + error = vfs_rmdir(nd.dentry->d_inode, dentry);
15496 ++ if (!error && (saved_dev || saved_ino))
15497 ++ gr_handle_delete(saved_ino, saved_dev);
15498 ++dput_exit2:
15499 + dput(dentry);
15500 + exit2:
15501 + mutex_unlock(&nd.dentry->d_inode->i_mutex);
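Review bot: `saved_ino`/`saved_dev` are captured only when `dentry->d_inode->i_nlink <= 1`, so `gr_handle_delete` runs for a directory only if its link count is at most one; on filesystems where an empty directory reports i_nlink == 2 (its own `.` entry plus the parent's), which is the conventional layout, that condition never holds and the removal is never reported. If the intent is to record every successful rmdir, the threshold should be raised or the i_nlink test dropped; if the intent really is "last link only", a comment stating the assumption would help, e.g. `/* directories on most filesystems carry i_nlink >= 2; delete events are only expected where it is 1 */`. The same `i_nlink <= 1` test in the do_unlinkat hunk below is the natural one for regular files. do_rmdir's body continues outside the hunk.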
15502 +@@ -2176,6 +2280,8 @@ static long do_unlinkat(int dfd, const c
15503 + struct dentry *dentry;
15504 + struct nameidata nd;
15505 + struct inode *inode = NULL;
15506 ++ ino_t saved_ino = 0;
15507 ++ dev_t saved_dev = 0;
15508 +
15509 + name = getname(pathname);
15510 + if(IS_ERR(name))
15511 +@@ -2191,13 +2297,26 @@ static long do_unlinkat(int dfd, const c
15512 + dentry = lookup_hash(&nd);
15513 + error = PTR_ERR(dentry);
15514 + if (!IS_ERR(dentry)) {
15515 ++ error = 0;
15516 + /* Why not before? Because we want correct error value */
15517 + if (nd.last.name[nd.last.len])
15518 + goto slashes;
15519 + inode = dentry->d_inode;
15520 +- if (inode)
15521 ++ if (inode) {
15522 ++ if (inode->i_nlink <= 1) {
15523 ++ saved_ino = inode->i_ino;
15524 ++ saved_dev = inode->i_sb->s_dev;
15525 ++ }
15526 ++
15527 ++ if (!gr_acl_handle_unlink(dentry, nd.mnt))
15528 ++ error = -EACCES;
15529 ++
15530 + atomic_inc(&inode->i_count);
15531 +- error = vfs_unlink(nd.dentry->d_inode, dentry);
15532 ++ }
15533 ++ if (!error)
15534 ++ error = vfs_unlink(nd.dentry->d_inode, dentry);
15535 ++ if (!error && (saved_ino || saved_dev))
15536 ++ gr_handle_delete(saved_ino, saved_dev);
15537 + exit2:
15538 + dput(dentry);
15539 + }
15540 +@@ -2278,7 +2397,16 @@ asmlinkage long sys_symlinkat(const char
15541 + if (IS_ERR(dentry))
15542 + goto out_unlock;
15543 +
15544 ++ if (!gr_acl_handle_symlink(dentry, nd.dentry, nd.mnt, from)) {
15545 ++ error = -EACCES;
15546 ++ goto out_dput_unlock;
15547 ++ }
15548 ++
15549 + error = vfs_symlink(nd.dentry->d_inode, dentry, from, S_IALLUGO);
15550 ++
15551 ++ if (!error)
15552 ++ gr_handle_create(dentry, nd.mnt);
15553 ++out_dput_unlock:
15554 + dput(dentry);
15555 + out_unlock:
15556 + mutex_unlock(&nd.dentry->d_inode->i_mutex);
15557 +@@ -2373,7 +2501,25 @@ asmlinkage long sys_linkat(int olddfd, c
15558 + error = PTR_ERR(new_dentry);
15559 + if (IS_ERR(new_dentry))
15560 + goto out_unlock;
15561 ++
15562 ++ if (gr_handle_hardlink(old_nd.dentry, old_nd.mnt,
15563 ++ old_nd.dentry->d_inode,
15564 ++ old_nd.dentry->d_inode->i_mode, to)) {
15565 ++ error = -EACCES;
15566 ++ goto out_unlock_dput;
15567 ++ }
15568 ++
15569 ++ if (!gr_acl_handle_link(new_dentry, nd.dentry, nd.mnt,
15570 ++ old_nd.dentry, old_nd.mnt, to)) {
15571 ++ error = -EACCES;
15572 ++ goto out_unlock_dput;
15573 ++ }
15574 ++
15575 + error = vfs_link(old_nd.dentry, nd.dentry->d_inode, new_dentry);
15576 ++
15577 ++ if (!error)
15578 ++ gr_handle_create(new_dentry, nd.mnt);
15579 ++out_unlock_dput:
15580 + dput(new_dentry);
15581 + out_unlock:
15582 + mutex_unlock(&nd.dentry->d_inode->i_mutex);
15583 +@@ -2599,8 +2745,16 @@ static int do_rename(int olddfd, const c
15584 + if (new_dentry == trap)
15585 + goto exit5;
15586 +
15587 +- error = vfs_rename(old_dir->d_inode, old_dentry,
15588 ++ error = gr_acl_handle_rename(new_dentry, newnd.dentry, newnd.mnt,
15589 ++ old_dentry, old_dir->d_inode, oldnd.mnt,
15590 ++ newname);
15591 ++
15592 ++ if (!error)
15593 ++ error = vfs_rename(old_dir->d_inode, old_dentry,
15594 + new_dir->d_inode, new_dentry);
15595 ++ if (!error)
15596 ++ gr_handle_rename(old_dir->d_inode, newnd.dentry->d_inode, old_dentry,
15597 ++ new_dentry, oldnd.mnt, new_dentry->d_inode ? 1 : 0);
15598 + exit5:
15599 + dput(new_dentry);
15600 + exit4:
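Review bot: `gr_acl_handle_rename` is consumed as an errno-style value (`error = gr_acl_handle_rename(...)` followed by `if (!error)`), whereas every other `gr_acl_handle_*` hook in these hunks is treated as a boolean that is non-zero on allow (`if (!gr_acl_handle_open(...)) { error = -EACCES; ... }`). If that is indeed the hook's contract it deserves a comment at the call site, e.g. `/* unlike the other gr_acl_handle_* hooks, this one returns 0 on allow or a negative errno */`; if it is not, the allow case would skip vfs_rename and hand a positive value back to userspace. do_rename's body continues outside the hunk.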
15601 +diff -Nurp linux-2.6.23.15/fs/namespace.c linux-2.6.23.15-grsec/fs/namespace.c
15602 +--- linux-2.6.23.15/fs/namespace.c 2007-10-09 21:31:38.000000000 +0100
15603 ++++ linux-2.6.23.15-grsec/fs/namespace.c 2008-02-11 10:37:44.000000000 +0000
15604 +@@ -25,6 +25,7 @@
15605 + #include <linux/security.h>
15606 + #include <linux/mount.h>
15607 + #include <linux/ramfs.h>
15608 ++#include <linux/grsecurity.h>
15609 + #include <asm/uaccess.h>
15610 + #include <asm/unistd.h>
15611 + #include "pnode.h"
15612 +@@ -597,6 +598,8 @@ static int do_umount(struct vfsmount *mn
15613 + DQUOT_OFF(sb);
15614 + retval = do_remount_sb(sb, MS_RDONLY, NULL, 0);
15615 + unlock_kernel();
15616 ++
15617 ++ gr_log_remount(mnt->mnt_devname, retval);
15618 + }
15619 + up_write(&sb->s_umount);
15620 + return retval;
15621 +@@ -617,6 +620,9 @@ static int do_umount(struct vfsmount *mn
15622 + security_sb_umount_busy(mnt);
15623 + up_write(&namespace_sem);
15624 + release_mounts(&umount_list);
15625 ++
15626 ++ gr_log_unmount(mnt->mnt_devname, retval);
15627 ++
15628 + return retval;
15629 + }
15630 +
15631 +@@ -1422,6 +1428,11 @@ long do_mount(char *dev_name, char *dir_
15632 + if (retval)
15633 + goto dput_out;
15634 +
15635 ++ if (gr_handle_chroot_mount(nd.dentry, nd.mnt, dev_name)) {
15636 ++ retval = -EPERM;
15637 ++ goto dput_out;
15638 ++ }
15639 ++
15640 + if (flags & MS_REMOUNT)
15641 + retval = do_remount(&nd, flags & ~MS_REMOUNT, mnt_flags,
15642 + data_page);
15643 +@@ -1436,6 +1447,9 @@ long do_mount(char *dev_name, char *dir_
15644 + dev_name, data_page);
15645 + dput_out:
15646 + path_release(&nd);
15647 ++
15648 ++ gr_log_mount(dev_name, dir_name, retval);
15649 ++
15650 + return retval;
15651 + }
15652 +
15653 +@@ -1673,6 +1687,9 @@ asmlinkage long sys_pivot_root(const cha
15654 + if (!capable(CAP_SYS_ADMIN))
15655 + return -EPERM;
15656 +
15657 ++ if (gr_handle_chroot_pivot())
15658 ++ return -EPERM;
15659 ++
15660 + lock_kernel();
15661 +
15662 + error = __user_walk(new_root, LOOKUP_FOLLOW | LOOKUP_DIRECTORY,
15663 +diff -Nurp linux-2.6.23.15/fs/nfs/callback_xdr.c linux-2.6.23.15-grsec/fs/nfs/callback_xdr.c
15664 +--- linux-2.6.23.15/fs/nfs/callback_xdr.c 2007-10-09 21:31:38.000000000 +0100
15665 ++++ linux-2.6.23.15-grsec/fs/nfs/callback_xdr.c 2008-02-11 10:37:44.000000000 +0000
15666 +@@ -139,7 +139,7 @@ static __be32 decode_compound_hdr_arg(st
15667 + if (unlikely(status != 0))
15668 + return status;
15669 + /* We do not like overly long tags! */
15670 +- if (hdr->taglen > CB_OP_TAGLEN_MAXSZ-12 || hdr->taglen < 0) {
15671 ++ if (hdr->taglen > CB_OP_TAGLEN_MAXSZ-12) {
15672 + printk("NFSv4 CALLBACK %s: client sent tag of length %u\n",
15673 + __FUNCTION__, hdr->taglen);
15674 + return htonl(NFS4ERR_RESOURCE);
15675 +diff -Nurp linux-2.6.23.15/fs/nfs/nfs4proc.c linux-2.6.23.15-grsec/fs/nfs/nfs4proc.c
15676 +--- linux-2.6.23.15/fs/nfs/nfs4proc.c 2007-10-09 21:31:38.000000000 +0100
15677 ++++ linux-2.6.23.15-grsec/fs/nfs/nfs4proc.c 2008-02-11 10:37:44.000000000 +0000
15678 +@@ -657,7 +657,7 @@ static int _nfs4_do_open_reclaim(struct
15679 + static int nfs4_do_open_reclaim(struct nfs_open_context *ctx, struct nfs4_state *state)
15680 + {
15681 + struct nfs_server *server = NFS_SERVER(state->inode);
15682 +- struct nfs4_exception exception = { };
15683 ++ struct nfs4_exception exception = {0, 0};
15684 + int err;
15685 + do {
15686 + err = _nfs4_do_open_reclaim(ctx, state);
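Review bot: Replacing `{ }` with `{0, 0}` ties each initializer to `struct nfs4_exception` having exactly two members; the portable universal zero initializer `{0}` zero-fills the struct regardless of its layout and will not start producing missing-initializer warnings if a field is later added. The same replacement is repeated in every following nfs4proc.c hunk, and the nls_base.c terminator `{0, 0, 0, 0, 0, /* end of table */}` has the same shape; the ntfs/file.c hunk goes the other way and drops the initializer entirely, relying on static-storage zero-fill, where `= {0}` would keep the intent visible.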
15687 +@@ -699,7 +699,7 @@ static int _nfs4_open_delegation_recall(
15688 +
15689 + int nfs4_open_delegation_recall(struct nfs_open_context *ctx, struct nfs4_state *state, const nfs4_stateid *stateid)
15690 + {
15691 +- struct nfs4_exception exception = { };
15692 ++ struct nfs4_exception exception = {0, 0};
15693 + struct nfs_server *server = NFS_SERVER(state->inode);
15694 + int err;
15695 + do {
15696 +@@ -1020,7 +1020,7 @@ static int _nfs4_open_expired(struct nfs
15697 + static inline int nfs4_do_open_expired(struct nfs_open_context *ctx, struct nfs4_state *state)
15698 + {
15699 + struct nfs_server *server = NFS_SERVER(state->inode);
15700 +- struct nfs4_exception exception = { };
15701 ++ struct nfs4_exception exception = {0, 0};
15702 + int err;
15703 +
15704 + do {
15705 +@@ -1122,7 +1122,7 @@ out_err:
15706 +
15707 + static struct nfs4_state *nfs4_do_open(struct inode *dir, struct path *path, int flags, struct iattr *sattr, struct rpc_cred *cred)
15708 + {
15709 +- struct nfs4_exception exception = { };
15710 ++ struct nfs4_exception exception = {0, 0};
15711 + struct nfs4_state *res;
15712 + int status;
15713 +
15714 +@@ -1211,7 +1211,7 @@ static int nfs4_do_setattr(struct inode
15715 + struct iattr *sattr, struct nfs4_state *state)
15716 + {
15717 + struct nfs_server *server = NFS_SERVER(inode);
15718 +- struct nfs4_exception exception = { };
15719 ++ struct nfs4_exception exception = {0, 0};
15720 + int err;
15721 + do {
15722 + err = nfs4_handle_exception(server,
15723 +@@ -1504,7 +1504,7 @@ static int _nfs4_server_capabilities(str
15724 +
15725 + int nfs4_server_capabilities(struct nfs_server *server, struct nfs_fh *fhandle)
15726 + {
15727 +- struct nfs4_exception exception = { };
15728 ++ struct nfs4_exception exception = {0, 0};
15729 + int err;
15730 + do {
15731 + err = nfs4_handle_exception(server,
15732 +@@ -1537,7 +1537,7 @@ static int _nfs4_lookup_root(struct nfs_
15733 + static int nfs4_lookup_root(struct nfs_server *server, struct nfs_fh *fhandle,
15734 + struct nfs_fsinfo *info)
15735 + {
15736 +- struct nfs4_exception exception = { };
15737 ++ struct nfs4_exception exception = {0, 0};
15738 + int err;
15739 + do {
15740 + err = nfs4_handle_exception(server,
15741 +@@ -1626,7 +1626,7 @@ static int _nfs4_proc_getattr(struct nfs
15742 +
15743 + static int nfs4_proc_getattr(struct nfs_server *server, struct nfs_fh *fhandle, struct nfs_fattr *fattr)
15744 + {
15745 +- struct nfs4_exception exception = { };
15746 ++ struct nfs4_exception exception = {0, 0};
15747 + int err;
15748 + do {
15749 + err = nfs4_handle_exception(server,
15750 +@@ -1716,7 +1716,7 @@ static int nfs4_proc_lookupfh(struct nfs
15751 + struct qstr *name, struct nfs_fh *fhandle,
15752 + struct nfs_fattr *fattr)
15753 + {
15754 +- struct nfs4_exception exception = { };
15755 ++ struct nfs4_exception exception = {0, 0};
15756 + int err;
15757 + do {
15758 + err = _nfs4_proc_lookupfh(server, dirfh, name, fhandle, fattr);
15759 +@@ -1745,7 +1745,7 @@ static int _nfs4_proc_lookup(struct inod
15760 +
15761 + static int nfs4_proc_lookup(struct inode *dir, struct qstr *name, struct nfs_fh *fhandle, struct nfs_fattr *fattr)
15762 + {
15763 +- struct nfs4_exception exception = { };
15764 ++ struct nfs4_exception exception = {0, 0};
15765 + int err;
15766 + do {
15767 + err = nfs4_handle_exception(NFS_SERVER(dir),
15768 +@@ -1801,7 +1801,7 @@ static int _nfs4_proc_access(struct inod
15769 +
15770 + static int nfs4_proc_access(struct inode *inode, struct nfs_access_entry *entry)
15771 + {
15772 +- struct nfs4_exception exception = { };
15773 ++ struct nfs4_exception exception = {0, 0};
15774 + int err;
15775 + do {
15776 + err = nfs4_handle_exception(NFS_SERVER(inode),
15777 +@@ -1856,7 +1856,7 @@ static int _nfs4_proc_readlink(struct in
15778 + static int nfs4_proc_readlink(struct inode *inode, struct page *page,
15779 + unsigned int pgbase, unsigned int pglen)
15780 + {
15781 +- struct nfs4_exception exception = { };
15782 ++ struct nfs4_exception exception = {0, 0};
15783 + int err;
15784 + do {
15785 + err = nfs4_handle_exception(NFS_SERVER(inode),
15786 +@@ -1950,7 +1950,7 @@ static int _nfs4_proc_remove(struct inod
15787 +
15788 + static int nfs4_proc_remove(struct inode *dir, struct qstr *name)
15789 + {
15790 +- struct nfs4_exception exception = { };
15791 ++ struct nfs4_exception exception = {0, 0};
15792 + int err;
15793 + do {
15794 + err = nfs4_handle_exception(NFS_SERVER(dir),
15795 +@@ -2022,7 +2022,7 @@ static int _nfs4_proc_rename(struct inod
15796 + static int nfs4_proc_rename(struct inode *old_dir, struct qstr *old_name,
15797 + struct inode *new_dir, struct qstr *new_name)
15798 + {
15799 +- struct nfs4_exception exception = { };
15800 ++ struct nfs4_exception exception = {0, 0};
15801 + int err;
15802 + do {
15803 + err = nfs4_handle_exception(NFS_SERVER(old_dir),
15804 +@@ -2069,7 +2069,7 @@ static int _nfs4_proc_link(struct inode
15805 +
15806 + static int nfs4_proc_link(struct inode *inode, struct inode *dir, struct qstr *name)
15807 + {
15808 +- struct nfs4_exception exception = { };
15809 ++ struct nfs4_exception exception = {0, 0};
15810 + int err;
15811 + do {
15812 + err = nfs4_handle_exception(NFS_SERVER(inode),
15813 +@@ -2126,7 +2126,7 @@ static int _nfs4_proc_symlink(struct ino
15814 + static int nfs4_proc_symlink(struct inode *dir, struct dentry *dentry,
15815 + struct page *page, unsigned int len, struct iattr *sattr)
15816 + {
15817 +- struct nfs4_exception exception = { };
15818 ++ struct nfs4_exception exception = {0, 0};
15819 + int err;
15820 + do {
15821 + err = nfs4_handle_exception(NFS_SERVER(dir),
15822 +@@ -2179,7 +2179,7 @@ static int _nfs4_proc_mkdir(struct inode
15823 + static int nfs4_proc_mkdir(struct inode *dir, struct dentry *dentry,
15824 + struct iattr *sattr)
15825 + {
15826 +- struct nfs4_exception exception = { };
15827 ++ struct nfs4_exception exception = {0, 0};
15828 + int err;
15829 + do {
15830 + err = nfs4_handle_exception(NFS_SERVER(dir),
15831 +@@ -2225,7 +2225,7 @@ static int _nfs4_proc_readdir(struct den
15832 + static int nfs4_proc_readdir(struct dentry *dentry, struct rpc_cred *cred,
15833 + u64 cookie, struct page *page, unsigned int count, int plus)
15834 + {
15835 +- struct nfs4_exception exception = { };
15836 ++ struct nfs4_exception exception = {0, 0};
15837 + int err;
15838 + do {
15839 + err = nfs4_handle_exception(NFS_SERVER(dentry->d_inode),
15840 +@@ -2295,7 +2295,7 @@ static int _nfs4_proc_mknod(struct inode
15841 + static int nfs4_proc_mknod(struct inode *dir, struct dentry *dentry,
15842 + struct iattr *sattr, dev_t rdev)
15843 + {
15844 +- struct nfs4_exception exception = { };
15845 ++ struct nfs4_exception exception = {0, 0};
15846 + int err;
15847 + do {
15848 + err = nfs4_handle_exception(NFS_SERVER(dir),
15849 +@@ -2324,7 +2324,7 @@ static int _nfs4_proc_statfs(struct nfs_
15850 +
15851 + static int nfs4_proc_statfs(struct nfs_server *server, struct nfs_fh *fhandle, struct nfs_fsstat *fsstat)
15852 + {
15853 +- struct nfs4_exception exception = { };
15854 ++ struct nfs4_exception exception = {0, 0};
15855 + int err;
15856 + do {
15857 + err = nfs4_handle_exception(server,
15858 +@@ -2352,7 +2352,7 @@ static int _nfs4_do_fsinfo(struct nfs_se
15859 +
15860 + static int nfs4_do_fsinfo(struct nfs_server *server, struct nfs_fh *fhandle, struct nfs_fsinfo *fsinfo)
15861 + {
15862 +- struct nfs4_exception exception = { };
15863 ++ struct nfs4_exception exception = {0, 0};
15864 + int err;
15865 +
15866 + do {
15867 +@@ -2395,7 +2395,7 @@ static int _nfs4_proc_pathconf(struct nf
15868 + static int nfs4_proc_pathconf(struct nfs_server *server, struct nfs_fh *fhandle,
15869 + struct nfs_pathconf *pathconf)
15870 + {
15871 +- struct nfs4_exception exception = { };
15872 ++ struct nfs4_exception exception = {0, 0};
15873 + int err;
15874 +
15875 + do {
15876 +@@ -2714,7 +2714,7 @@ out_free:
15877 +
15878 + static ssize_t nfs4_get_acl_uncached(struct inode *inode, void *buf, size_t buflen)
15879 + {
15880 +- struct nfs4_exception exception = { };
15881 ++ struct nfs4_exception exception = {0, 0};
15882 + ssize_t ret;
15883 + do {
15884 + ret = __nfs4_get_acl_uncached(inode, buf, buflen);
15885 +@@ -2768,7 +2768,7 @@ static int __nfs4_proc_set_acl(struct in
15886 +
15887 + static int nfs4_proc_set_acl(struct inode *inode, const void *buf, size_t buflen)
15888 + {
15889 +- struct nfs4_exception exception = { };
15890 ++ struct nfs4_exception exception = {0, 0};
15891 + int err;
15892 + do {
15893 + err = nfs4_handle_exception(NFS_SERVER(inode),
15894 +@@ -3065,7 +3065,7 @@ static int _nfs4_proc_delegreturn(struct
15895 + int nfs4_proc_delegreturn(struct inode *inode, struct rpc_cred *cred, const nfs4_stateid *stateid)
15896 + {
15897 + struct nfs_server *server = NFS_SERVER(inode);
15898 +- struct nfs4_exception exception = { };
15899 ++ struct nfs4_exception exception = {0, 0};
15900 + int err;
15901 + do {
15902 + err = _nfs4_proc_delegreturn(inode, cred, stateid);
15903 +@@ -3140,7 +3140,7 @@ out:
15904 +
15905 + static int nfs4_proc_getlk(struct nfs4_state *state, int cmd, struct file_lock *request)
15906 + {
15907 +- struct nfs4_exception exception = { };
15908 ++ struct nfs4_exception exception = {0, 0};
15909 + int err;
15910 +
15911 + do {
15912 +@@ -3474,7 +3474,7 @@ static int _nfs4_do_setlk(struct nfs4_st
15913 + static int nfs4_lock_reclaim(struct nfs4_state *state, struct file_lock *request)
15914 + {
15915 + struct nfs_server *server = NFS_SERVER(state->inode);
15916 +- struct nfs4_exception exception = { };
15917 ++ struct nfs4_exception exception = {0, 0};
15918 + int err;
15919 +
15920 + do {
15921 +@@ -3492,7 +3492,7 @@ static int nfs4_lock_reclaim(struct nfs4
15922 + static int nfs4_lock_expired(struct nfs4_state *state, struct file_lock *request)
15923 + {
15924 + struct nfs_server *server = NFS_SERVER(state->inode);
15925 +- struct nfs4_exception exception = { };
15926 ++ struct nfs4_exception exception = {0, 0};
15927 + int err;
15928 +
15929 + err = nfs4_set_lock_state(state, request);
15930 +@@ -3553,7 +3553,7 @@ out:
15931 +
15932 + static int nfs4_proc_setlk(struct nfs4_state *state, int cmd, struct file_lock *request)
15933 + {
15934 +- struct nfs4_exception exception = { };
15935 ++ struct nfs4_exception exception = {0, 0};
15936 + int err;
15937 +
15938 + do {
15939 +@@ -3603,7 +3603,7 @@ nfs4_proc_lock(struct file *filp, int cm
15940 + int nfs4_lock_delegation_recall(struct nfs4_state *state, struct file_lock *fl)
15941 + {
15942 + struct nfs_server *server = NFS_SERVER(state->inode);
15943 +- struct nfs4_exception exception = { };
15944 ++ struct nfs4_exception exception = {0, 0};
15945 + int err;
15946 +
15947 + err = nfs4_set_lock_state(state, fl);
15948 +diff -Nurp linux-2.6.23.15/fs/nfsd/export.c linux-2.6.23.15-grsec/fs/nfsd/export.c
15949 +--- linux-2.6.23.15/fs/nfsd/export.c 2007-10-09 21:31:38.000000000 +0100
15950 ++++ linux-2.6.23.15-grsec/fs/nfsd/export.c 2008-02-11 10:37:44.000000000 +0000
15951 +@@ -478,7 +478,7 @@ static int secinfo_parse(char **mesg, ch
15952 + * probably discover the problem when someone fails to
15953 + * authenticate.
15954 + */
15955 +- if (f->pseudoflavor < 0)
15956 ++ if ((s32)f->pseudoflavor < 0)
15957 + return -EINVAL;
15958 + err = get_int(mesg, &f->flags);
15959 + if (err)
15960 +diff -Nurp linux-2.6.23.15/fs/nfsd/nfs4state.c linux-2.6.23.15-grsec/fs/nfsd/nfs4state.c
15961 +--- linux-2.6.23.15/fs/nfsd/nfs4state.c 2007-10-09 21:31:38.000000000 +0100
15962 ++++ linux-2.6.23.15-grsec/fs/nfsd/nfs4state.c 2008-02-11 10:37:44.000000000 +0000
15963 +@@ -1248,7 +1248,7 @@ static int access_valid(u32 x)
15964 +
15965 + static int deny_valid(u32 x)
15966 + {
15967 +- return (x >= 0 && x < 5);
15968 ++ return (x < 5);
15969 + }
15970 +
15971 + static void
15972 +diff -Nurp linux-2.6.23.15/fs/nls/nls_base.c linux-2.6.23.15-grsec/fs/nls/nls_base.c
15973 +--- linux-2.6.23.15/fs/nls/nls_base.c 2007-10-09 21:31:38.000000000 +0100
15974 ++++ linux-2.6.23.15-grsec/fs/nls/nls_base.c 2008-02-11 10:37:44.000000000 +0000
15975 +@@ -42,7 +42,7 @@ static struct utf8_table utf8_table[] =
15976 + {0xF8, 0xF0, 3*6, 0x1FFFFF, 0x10000, /* 4 byte sequence */},
15977 + {0xFC, 0xF8, 4*6, 0x3FFFFFF, 0x200000, /* 5 byte sequence */},
15978 + {0xFE, 0xFC, 5*6, 0x7FFFFFFF, 0x4000000, /* 6 byte sequence */},
15979 +- {0, /* end of table */}
15980 ++ {0, 0, 0, 0, 0, /* end of table */}
15981 + };
15982 +
15983 + int
15984 +diff -Nurp linux-2.6.23.15/fs/ntfs/file.c linux-2.6.23.15-grsec/fs/ntfs/file.c
15985 +--- linux-2.6.23.15/fs/ntfs/file.c 2007-10-09 21:31:38.000000000 +0100
15986 ++++ linux-2.6.23.15-grsec/fs/ntfs/file.c 2008-02-11 10:37:44.000000000 +0000
15987 +@@ -2295,6 +2295,6 @@ const struct inode_operations ntfs_file_
15988 + #endif /* NTFS_RW */
15989 + };
15990 +
15991 +-const struct file_operations ntfs_empty_file_ops = {};
15992 ++const struct file_operations ntfs_empty_file_ops;
15993 +
15994 +-const struct inode_operations ntfs_empty_inode_ops = {};
15995 ++const struct inode_operations ntfs_empty_inode_ops;
15996 +diff -Nurp linux-2.6.23.15/fs/open.c linux-2.6.23.15-grsec/fs/open.c
15997 +--- linux-2.6.23.15/fs/open.c 2007-10-09 21:31:38.000000000 +0100
15998 ++++ linux-2.6.23.15-grsec/fs/open.c 2008-02-11 10:37:44.000000000 +0000
15999 +@@ -27,6 +27,7 @@
16000 + #include <linux/rcupdate.h>
16001 + #include <linux/audit.h>
16002 + #include <linux/falloc.h>
16003 ++#include <linux/grsecurity.h>
16004 +
16005 + int vfs_statfs(struct dentry *dentry, struct kstatfs *buf)
16006 + {
16007 +@@ -204,6 +205,9 @@ int do_truncate(struct dentry *dentry, l
16008 + if (length < 0)
16009 + return -EINVAL;
16010 +
16011 ++ if (filp && !gr_acl_handle_truncate(dentry, filp->f_vfsmnt))
16012 ++ return -EACCES;
16013 ++
16014 + newattrs.ia_size = length;
16015 + newattrs.ia_valid = ATTR_SIZE | time_attrs;
16016 + if (filp) {
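Review bot: The new truncate check is gated on `filp` being non-NULL, so any caller that reaches do_truncate with a NULL `filp` bypasses `gr_acl_handle_truncate` entirely; if the path-based truncate(2) entry point in this file passes NULL here (the hunk does not show it), that path is unchecked unless an equivalent check exists there. A comment at the condition stating where the NULL-filp callers are covered, e.g. `/* NULL filp: path-based callers must apply the ACL truncate check themselves */`, would make the intended coverage auditable. do_truncate continues outside the hunk.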
16017 +@@ -461,6 +465,9 @@ asmlinkage long sys_faccessat(int dfd, c
16018 + if(IS_RDONLY(nd.dentry->d_inode))
16019 + res = -EROFS;
16020 +
16021 ++ if (!res && !gr_acl_handle_access(nd.dentry, nd.mnt, mode))
16022 ++ res = -EACCES;
16023 ++
16024 + out_path_release:
16025 + path_release(&nd);
16026 + out:
16027 +@@ -490,6 +497,8 @@ asmlinkage long sys_chdir(const char __u
16028 + if (error)
16029 + goto dput_and_out;
16030 +
16031 ++ gr_log_chdir(nd.dentry, nd.mnt);
16032 ++
16033 + set_fs_pwd(current->fs, nd.mnt, nd.dentry);
16034 +
16035 + dput_and_out:
16036 +@@ -520,6 +529,13 @@ asmlinkage long sys_fchdir(unsigned int
16037 + goto out_putf;
16038 +
16039 + error = file_permission(file, MAY_EXEC);
16040 ++
16041 ++ if (!error && !gr_chroot_fchdir(dentry, mnt))
16042 ++ error = -EPERM;
16043 ++
16044 ++ if (!error)
16045 ++ gr_log_chdir(dentry, mnt);
16046 ++
16047 + if (!error)
16048 + set_fs_pwd(current->fs, mnt, dentry);
16049 + out_putf:
16050 +@@ -545,8 +561,16 @@ asmlinkage long sys_chroot(const char __
16051 + if (!capable(CAP_SYS_CHROOT))
16052 + goto dput_and_out;
16053 +
16054 ++ if (gr_handle_chroot_chroot(nd.dentry, nd.mnt))
16055 ++ goto dput_and_out;
16056 ++
16057 + set_fs_root(current->fs, nd.mnt, nd.dentry);
16058 + set_fs_altroot();
16059 ++
16060 ++ gr_handle_chroot_caps(current);
16061 ++
16062 ++ gr_handle_chroot_chdir(nd.dentry, nd.mnt);
16063 ++
16064 + error = 0;
16065 + dput_and_out:
16066 + path_release(&nd);
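Review bot: `if (gr_handle_chroot_chroot(nd.dentry, nd.mnt)) goto dput_and_out;` returns whatever `error` currently holds, which appears to be the value set before the `capable(CAP_SYS_CHROOT)` check above the hunk; that coupling is invisible at the new line. Setting it explicitly — `if (gr_handle_chroot_chroot(nd.dentry, nd.mnt)) { error = -EPERM; goto dput_and_out; }` — keeps the denial's return code independent of how the earlier lines evolve, and matches the explicit `-EPERM` the do_mount hunk uses for its gr_handle_chroot_mount denial. sys_chroot continues outside the hunk.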
16067 +@@ -577,9 +601,22 @@ asmlinkage long sys_fchmod(unsigned int
16068 + err = -EPERM;
16069 + if (IS_IMMUTABLE(inode) || IS_APPEND(inode))
16070 + goto out_putf;
16071 ++
16072 ++ if (!gr_acl_handle_fchmod(dentry, file->f_vfsmnt, mode)) {
16073 ++ err = -EACCES;
16074 ++ goto out_putf;
16075 ++ }
16076 ++
16077 + mutex_lock(&inode->i_mutex);
16078 + if (mode == (mode_t) -1)
16079 + mode = inode->i_mode;
16080 ++
16081 ++ if (gr_handle_chroot_chmod(dentry, file->f_vfsmnt, mode)) {
16082 ++ err = -EPERM;
16083 ++ mutex_unlock(&inode->i_mutex);
16084 ++ goto out_putf;
16085 ++ }
16086 ++
16087 + newattrs.ia_mode = (mode & S_IALLUGO) | (inode->i_mode & ~S_IALLUGO);
16088 + newattrs.ia_valid = ATTR_MODE | ATTR_CTIME;
16089 + err = notify_change(dentry, &newattrs);
16090 +@@ -612,9 +649,21 @@ asmlinkage long sys_fchmodat(int dfd, co
16091 + if (IS_IMMUTABLE(inode) || IS_APPEND(inode))
16092 + goto dput_and_out;
16093 +
16094 ++ if (!gr_acl_handle_chmod(nd.dentry, nd.mnt, mode)) {
16095 ++ error = -EACCES;
16096 ++ goto dput_and_out;
16097 ++ };
16098 ++
16099 + mutex_lock(&inode->i_mutex);
16100 + if (mode == (mode_t) -1)
16101 + mode = inode->i_mode;
16102 ++
16103 ++ if (gr_handle_chroot_chmod(nd.dentry, nd.mnt, mode)) {
16104 ++ error = -EACCES;
16105 ++ mutex_unlock(&inode->i_mutex);
16106 ++ goto dput_and_out;
16107 ++ }
16108 ++
16109 + newattrs.ia_mode = (mode & S_IALLUGO) | (inode->i_mode & ~S_IALLUGO);
16110 + newattrs.ia_valid = ATTR_MODE | ATTR_CTIME;
16111 + error = notify_change(nd.dentry, &newattrs);
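Review bot: The closing brace of the `gr_acl_handle_chmod` block is followed by a stray `;` (`};`), an empty statement that should be dropped. Separately, the `gr_handle_chroot_chmod` denial here returns `-EACCES` while the identical denial in the sys_fchmod hunk above returns `-EPERM`, so the same policy decision yields a different errno depending on whether the caller used fchmod or chmod; pick one (the fchmod variant's `-EPERM` matches the other gr_handle_chroot_* denials in this patch) and use it in both places. sys_fchmodat continues outside the hunk.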
16112 +@@ -631,7 +680,7 @@ asmlinkage long sys_chmod(const char __u
16113 + return sys_fchmodat(AT_FDCWD, filename, mode);
16114 + }
16115 +
16116 +-static int chown_common(struct dentry * dentry, uid_t user, gid_t group)
16117 ++static int chown_common(struct dentry * dentry, uid_t user, gid_t group, struct vfsmount *mnt)
16118 + {
16119 + struct inode * inode;
16120 + int error;
16121 +@@ -648,6 +697,12 @@ static int chown_common(struct dentry *
16122 + error = -EPERM;
16123 + if (IS_IMMUTABLE(inode) || IS_APPEND(inode))
16124 + goto out;
16125 ++
16126 ++ if (!gr_acl_handle_chown(dentry, mnt)) {
16127 ++ error = -EACCES;
16128 ++ goto out;
16129 ++ }
16130 ++
16131 + newattrs.ia_valid = ATTR_CTIME;
16132 + if (user != (uid_t) -1) {
16133 + newattrs.ia_valid |= ATTR_UID;
16134 +@@ -674,7 +729,7 @@ asmlinkage long sys_chown(const char __u
16135 + error = user_path_walk(filename, &nd);
16136 + if (error)
16137 + goto out;
16138 +- error = chown_common(nd.dentry, user, group);
16139 ++ error = chown_common(nd.dentry, user, group, nd.mnt);
16140 + path_release(&nd);
16141 + out:
16142 + return error;
16143 +@@ -694,7 +749,7 @@ asmlinkage long sys_fchownat(int dfd, co
16144 + error = __user_walk_fd(dfd, filename, follow, &nd);
16145 + if (error)
16146 + goto out;
16147 +- error = chown_common(nd.dentry, user, group);
16148 ++ error = chown_common(nd.dentry, user, group, nd.mnt);
16149 + path_release(&nd);
16150 + out:
16151 + return error;
16152 +@@ -708,7 +763,7 @@ asmlinkage long sys_lchown(const char __
16153 + error = user_path_walk_link(filename, &nd);
16154 + if (error)
16155 + goto out;
16156 +- error = chown_common(nd.dentry, user, group);
16157 ++ error = chown_common(nd.dentry, user, group, nd.mnt);
16158 + path_release(&nd);
16159 + out:
16160 + return error;
16161 +@@ -727,7 +782,7 @@ asmlinkage long sys_fchown(unsigned int
16162 +
16163 + dentry = file->f_path.dentry;
16164 + audit_inode(NULL, dentry->d_inode);
16165 +- error = chown_common(dentry, user, group);
16166 ++ error = chown_common(dentry, user, group, file->f_vfsmnt);
16167 + fput(file);
16168 + out:
16169 + return error;
16170 +@@ -934,6 +989,7 @@ repeat:
16171 + * N.B. For clone tasks sharing a files structure, this test
16172 + * will limit the total number of files that can be opened.
16173 + */
16174 ++ gr_learn_resource(current, RLIMIT_NOFILE, fd, 0);
16175 + if (fd >= current->signal->rlim[RLIMIT_NOFILE].rlim_cur)
16176 + goto out;
16177 +
16178 +diff -Nurp linux-2.6.23.15/fs/partitions/efi.c linux-2.6.23.15-grsec/fs/partitions/efi.c
16179 +--- linux-2.6.23.15/fs/partitions/efi.c 2007-10-09 21:31:38.000000000 +0100
16180 ++++ linux-2.6.23.15-grsec/fs/partitions/efi.c 2008-02-11 10:37:44.000000000 +0000
16181 +@@ -99,7 +99,7 @@
16182 + #ifdef EFI_DEBUG
16183 + #define Dprintk(x...) printk(KERN_DEBUG x)
16184 + #else
16185 +-#define Dprintk(x...)
16186 ++#define Dprintk(x...) do {} while (0)
16187 + #endif
16188 +
16189 + /* This allows a kernel command line option 'gpt' to override
16190 +diff -Nurp linux-2.6.23.15/fs/pipe.c linux-2.6.23.15-grsec/fs/pipe.c
16191 +--- linux-2.6.23.15/fs/pipe.c 2007-10-09 21:31:38.000000000 +0100
16192 ++++ linux-2.6.23.15-grsec/fs/pipe.c 2008-02-11 10:37:44.000000000 +0000
16193 +@@ -888,7 +888,7 @@ void free_pipe_info(struct inode *inode)
16194 + inode->i_pipe = NULL;
16195 + }
16196 +
16197 +-static struct vfsmount *pipe_mnt __read_mostly;
16198 ++struct vfsmount *pipe_mnt __read_mostly;
16199 + static int pipefs_delete_dentry(struct dentry *dentry)
16200 + {
16201 + /*
16202 +diff -Nurp linux-2.6.23.15/fs/proc/array.c linux-2.6.23.15-grsec/fs/proc/array.c
16203 +--- linux-2.6.23.15/fs/proc/array.c 2008-02-11 10:36:03.000000000 +0000
16204 ++++ linux-2.6.23.15-grsec/fs/proc/array.c 2008-02-11 10:37:44.000000000 +0000
16205 +@@ -298,6 +298,21 @@ static inline char *task_context_switch_
16206 + p->nivcsw);
16207 + }
16208 +
16209 ++#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
16210 ++static inline char *task_pax(struct task_struct *p, char *buffer)
16211 ++{
16212 ++ if (p->mm)
16213 ++ return buffer + sprintf(buffer, "PaX:\t%c%c%c%c%c\n",
16214 ++ p->mm->pax_flags & MF_PAX_PAGEEXEC ? 'P' : 'p',
16215 ++ p->mm->pax_flags & MF_PAX_EMUTRAMP ? 'E' : 'e',
16216 ++ p->mm->pax_flags & MF_PAX_MPROTECT ? 'M' : 'm',
16217 ++ p->mm->pax_flags & MF_PAX_RANDMMAP ? 'R' : 'r',
16218 ++ p->mm->pax_flags & MF_PAX_SEGMEXEC ? 'S' : 's');
16219 ++ else
16220 ++ return buffer + sprintf(buffer, "PaX:\t-----\n");
16221 ++}
16222 ++#endif
16223 ++
16224 + int proc_pid_status(struct task_struct *task, char *buffer)
16225 + {
16226 + char *orig = buffer;
16227 +@@ -317,6 +332,11 @@ int proc_pid_status(struct task_struct *
16228 + buffer = task_show_regs(task, buffer);
16229 + #endif
16230 + buffer = task_context_switch_counts(task, buffer);
16231 ++
16232 ++#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
16233 ++ buffer = task_pax(task, buffer);
16234 ++#endif
16235 ++
16236 + return buffer - orig;
16237 + }
16238 +
16239 +@@ -372,6 +392,12 @@ static cputime_t task_stime(struct task_
16240 + }
16241 + #endif
16242 +
16243 ++#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
16244 ++#define PAX_RAND_FLAGS(_mm) (_mm != NULL && _mm != current->mm && \
16245 ++ (_mm->pax_flags & MF_PAX_RANDMMAP || \
16246 ++ _mm->pax_flags & MF_PAX_SEGMEXEC))
16247 ++#endif
16248 ++
16249 + static int do_task_stat(struct task_struct *task, char *buffer, int whole)
16250 + {
16251 + unsigned long vsize, eip, esp, wchan = ~0UL;
16252 +@@ -458,6 +484,19 @@ static int do_task_stat(struct task_stru
16253 + stime = task_stime(task);
16254 + }
16255 +
16256 ++#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
16257 ++ if (PAX_RAND_FLAGS(mm)) {
16258 ++ eip = 0;
16259 ++ esp = 0;
16260 ++ wchan = 0;
16261 ++ }
16262 ++#endif
16263 ++#ifdef CONFIG_GRKERNSEC_HIDESYM
16264 ++ wchan = 0;
16265 ++ eip =0;
16266 ++ esp =0;
16267 ++#endif
16268 ++
16269 + /* scale priority and nice values from timeslices to -20..20 */
16270 + /* to make it look like a "normal" Unix priority/nice value */
16271 + priority = task_prio(task);
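Review bot: The CONFIG_GRKERNSEC_HIDESYM block writes `eip =0;` and `esp =0;` while the block just above writes `eip = 0;`; normalise the spacing to kernel style. HIDESYM zeroes wchan/eip/esp for every task, the caller's own included, so when both options are enabled the second block fully supersedes the PAX_RAND_FLAGS-gated one; a short comment such as `/* HIDESYM hides these for every task, including current, so it intentionally overrides the MEMMAP case above */` would spare the next reader from wondering whether the order matters. do_task_stat starts and ends outside this hunk.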
16272 +@@ -498,9 +537,15 @@ static int do_task_stat(struct task_stru
16273 + vsize,
16274 + mm ? get_mm_rss(mm) : 0,
16275 + rsslim,
16276 ++#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
16277 ++ PAX_RAND_FLAGS(mm) ? 1 : (mm ? mm->start_code : 0),
16278 ++ PAX_RAND_FLAGS(mm) ? 1 : (mm ? mm->end_code : 0),
16279 ++ PAX_RAND_FLAGS(mm) ? 0 : (mm ? mm->start_stack : 0),
16280 ++#else
16281 + mm ? mm->start_code : 0,
16282 + mm ? mm->end_code : 0,
16283 + mm ? mm->start_stack : 0,
16284 ++#endif
16285 + esp,
16286 + eip,
16287 + /* The signal information here is obsolete.
16288 +@@ -547,3 +592,14 @@ int proc_pid_statm(struct task_struct *t
16289 + return sprintf(buffer, "%d %d %d %d %d %d %d\n",
16290 + size, resident, shared, text, lib, data, 0);
16291 + }
16292 ++
16293 ++#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
16294 ++int proc_pid_ipaddr(struct task_struct *task, char * buffer)
16295 ++{
16296 ++ int len;
16297 ++
16298 ++ len = sprintf(buffer, "%u.%u.%u.%u\n", NIPQUAD(task->signal->curr_ip));
16299 ++ return len;
16300 ++}
16301 ++#endif
16302 ++
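Review bot: proc_pid_ipaddr dereferences `task->signal` with no guard; if the signal pointer can already be NULL for a task that is being reaped when this /proc read runs (the caller's guarantees are not visible here), this is a NULL dereference reachable from a stat of /proc/<pid>/ipaddr, and the sighand-locked access pattern used by the other per-task readers in this file should be followed — please confirm against proc_info_read. The `len` temporary adds nothing: `return sprintf(buffer, "%u.%u.%u.%u\n", NIPQUAD(task->signal->curr_ip));` is the whole body. A one-line comment above the function stating what curr_ip records and that the entry is owner-readable only (S_IRUSR in tgid_base_stuff) would document the new interface.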
16303 +diff -Nurp linux-2.6.23.15/fs/proc/base.c linux-2.6.23.15-grsec/fs/proc/base.c
16304 +--- linux-2.6.23.15/fs/proc/base.c 2007-10-09 21:31:38.000000000 +0100
16305 ++++ linux-2.6.23.15-grsec/fs/proc/base.c 2008-02-11 10:37:44.000000000 +0000
16306 +@@ -73,6 +73,7 @@
16307 + #include <linux/nsproxy.h>
16308 + #include <linux/oom.h>
16309 + #include <linux/elf.h>
16310 ++#include <linux/grsecurity.h>
16311 + #include "internal.h"
16312 +
16313 + /* NOTE:
16314 +@@ -123,7 +124,7 @@ struct pid_entry {
16315 + NULL, &proc_info_file_operations, \
16316 + { .proc_read = &proc_##OTYPE } )
16317 +
16318 +-int maps_protect;
16319 ++int maps_protect = 1;
16320 + EXPORT_SYMBOL(maps_protect);
16321 +
16322 + static struct fs_struct *get_fs_struct(struct task_struct *task)
16323 +@@ -197,7 +198,7 @@ static int proc_root_link(struct inode *
16324 + (task->parent == current && \
16325 + (task->ptrace & PT_PTRACED) && \
16326 + (task->state == TASK_STOPPED || task->state == TASK_TRACED) && \
16327 +- security_ptrace(current,task) == 0))
16328 ++ security_ptrace(current,task) == 0 && !gr_handle_proc_ptrace(task)))
16329 +
16330 + static int proc_pid_environ(struct task_struct *task, char * buffer)
16331 + {
16332 +@@ -263,9 +264,9 @@ static int proc_pid_auxv(struct task_str
16333 + struct mm_struct *mm = get_task_mm(task);
16334 + if (mm) {
16335 + unsigned int nwords = 0;
16336 +- do
16337 ++ do {
16338 + nwords += 2;
16339 +- while (mm->saved_auxv[nwords - 2] != 0); /* AT_NULL */
16340 ++ } while (mm->saved_auxv[nwords - 2] != 0); /* AT_NULL */
16341 + res = nwords * sizeof(mm->saved_auxv[0]);
16342 + if (res > PAGE_SIZE)
16343 + res = PAGE_SIZE;
16344 +@@ -338,6 +339,8 @@ static int proc_fd_access_allowed(struct
16345 + task = get_proc_task(inode);
16346 + if (task) {
16347 + allowed = ptrace_may_attach(task);
16348 ++ if (allowed != 0)
16349 ++ allowed = !gr_acl_handle_procpidmem(task);
16350 + put_task_struct(task);
16351 + }
16352 + return allowed;
16353 +@@ -528,7 +531,7 @@ static ssize_t mem_read(struct file * fi
16354 + if (!task)
16355 + goto out_no_task;
16356 +
16357 +- if (!MAY_PTRACE(task) || !ptrace_may_attach(task))
16358 ++ if (!MAY_PTRACE(task) || !ptrace_may_attach(task) || gr_acl_handle_procpidmem(task))
16359 + goto out;
16360 +
16361 + ret = -ENOMEM;
16362 +@@ -598,7 +601,7 @@ static ssize_t mem_write(struct file * f
16363 + if (!task)
16364 + goto out_no_task;
16365 +
16366 +- if (!MAY_PTRACE(task) || !ptrace_may_attach(task))
16367 ++ if (!MAY_PTRACE(task) || !ptrace_may_attach(task) || gr_acl_handle_procpidmem(task))
16368 + goto out;
16369 +
16370 + copied = -ENOMEM;
16371 +@@ -1050,7 +1053,11 @@ static struct inode *proc_pid_make_inode
16372 + inode->i_gid = 0;
16373 + if (task_dumpable(task)) {
16374 + inode->i_uid = task->euid;
16375 ++#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
16376 ++ inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
16377 ++#else
16378 + inode->i_gid = task->egid;
16379 ++#endif
16380 + }
16381 + security_task_to_inode(task, inode);
16382 +
16383 +@@ -1066,17 +1073,45 @@ static int pid_getattr(struct vfsmount *
16384 + {
16385 + struct inode *inode = dentry->d_inode;
16386 + struct task_struct *task;
16387 ++#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
16388 ++ struct task_struct *tmp = current;
16389 ++#endif
16390 ++
16391 + generic_fillattr(inode, stat);
16392 +
16393 + rcu_read_lock();
16394 + stat->uid = 0;
16395 + stat->gid = 0;
16396 + task = pid_task(proc_pid(inode), PIDTYPE_PID);
16397 +- if (task) {
16398 ++
16399 ++ if (task && (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))) {
16400 ++ rcu_read_unlock();
16401 ++ return -ENOENT;
16402 ++ }
16403 ++
16404 ++
16405 ++ if (task
16406 ++#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
16407 ++ && (!tmp->uid || (tmp->uid == task->uid)
16408 ++#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
16409 ++ || in_group_p(CONFIG_GRKERNSEC_PROC_GID)
16410 ++#endif
16411 ++ )
16412 ++#endif
16413 ++ ) {
16414 + if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
16415 ++#ifdef CONFIG_GRKERNSEC_PROC_USER
16416 ++ (inode->i_mode == (S_IFDIR|S_IRUSR|S_IXUSR)) ||
16417 ++#elif CONFIG_GRKERNSEC_PROC_USERGROUP
16418 ++ (inode->i_mode == (S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP)) ||
16419 ++#endif
16420 + task_dumpable(task)) {
16421 + stat->uid = task->euid;
16422 ++#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
16423 ++ stat->gid = CONFIG_GRKERNSEC_PROC_GID;
16424 ++#else
16425 + stat->gid = task->egid;
16426 ++#endif
16427 + }
16428 + }
16429 + rcu_read_unlock();
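Review bot: The `#elif CONFIG_GRKERNSEC_PROC_USERGROUP` guarding the group-readable i_mode test (repeated in pid_revalidate and proc_pid_instantiate below) evaluates an undefined macro as 0, which works but is inconsistent with the `#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)` form this same patch uses in proc_misc.c and root.c and trips -Wundef; use `#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)` at all three sites. The owner/group decision spliced into the `if (task` condition across four preprocessor lines is hard to audit and is duplicated in inverted form in proc_pid_readdir; a small static inline helper returning "may current see this task" would give both callers one definition to review. There is also a doubled blank line after the -ENOENT return. pid_getattr's closing lines are outside this hunk.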
16430 +@@ -1104,11 +1139,21 @@ static int pid_revalidate(struct dentry
16431 + {
16432 + struct inode *inode = dentry->d_inode;
16433 + struct task_struct *task = get_proc_task(inode);
16434 ++
16435 + if (task) {
16436 + if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
16437 ++#ifdef CONFIG_GRKERNSEC_PROC_USER
16438 ++ (inode->i_mode == (S_IFDIR|S_IRUSR|S_IXUSR)) ||
16439 ++#elif CONFIG_GRKERNSEC_PROC_USERGROUP
16440 ++ (inode->i_mode == (S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP)) ||
16441 ++#endif
16442 + task_dumpable(task)) {
16443 + inode->i_uid = task->euid;
16444 ++#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
16445 ++ inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
16446 ++#else
16447 + inode->i_gid = task->egid;
16448 ++#endif
16449 + } else {
16450 + inode->i_uid = 0;
16451 + inode->i_gid = 0;
16452 +@@ -1118,6 +1163,7 @@ static int pid_revalidate(struct dentry
16453 + put_task_struct(task);
16454 + return 1;
16455 + }
16456 ++out:
16457 + d_drop(dentry);
16458 + return 0;
16459 + }
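Review bot: The `out:` label added before `d_drop(dentry)` has no matching `goto out` in either pid_revalidate hunk shown; if the few hidden lines between the two hunks do not add one, the label is unused and gcc warns (-Wunused-label), which suggests either a leftover or a dropped check. Either remove the label or restore the early exit it was presumably meant to serve. pid_revalidate is only partly visible here.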
16460 +@@ -1374,6 +1420,9 @@ static struct dentry *proc_lookupfd_comm
16461 + if (fd == ~0U)
16462 + goto out;
16463 +
16464 ++ if (gr_acl_handle_procpidmem(task))
16465 ++ goto out;
16466 ++
16467 + result = instantiate(dir, dentry, task, &fd);
16468 + out:
16469 + put_task_struct(task);
16470 +@@ -1410,6 +1459,8 @@ static int proc_readfd_common(struct fil
16471 + goto out;
16472 + filp->f_pos++;
16473 + default:
16474 ++ if (gr_acl_handle_procpidmem(p))
16475 ++ goto out;
16476 + files = get_files_struct(p);
16477 + if (!files)
16478 + goto out;
16479 +@@ -1598,6 +1649,9 @@ static struct dentry *proc_pident_lookup
16480 + if (!task)
16481 + goto out_no_task;
16482 +
16483 ++ if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
16484 ++ goto out;
16485 ++
16486 + /*
16487 + * Yes, it does not scale. And it should not. Don't add
16488 + * new entries into /proc/<tgid>/ without very good reasons.
16489 +@@ -1643,6 +1697,9 @@ static int proc_pident_readdir(struct fi
16490 + if (!task)
16491 + goto out_no_task;
16492 +
16493 ++ if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
16494 ++ goto out;
16495 ++
16496 + ret = 0;
16497 + pid = task->pid;
16498 + i = filp->f_pos;
16499 +@@ -1998,6 +2055,9 @@ static struct dentry *proc_base_lookup(s
16500 + if (p > last)
16501 + goto out;
16502 +
16503 ++ if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
16504 ++ goto out;
16505 ++
16506 + error = proc_base_instantiate(dir, dentry, task, p);
16507 +
16508 + out:
16509 +@@ -2097,6 +2157,9 @@ static const struct pid_entry tgid_base_
16510 + #ifdef CONFIG_TASK_IO_ACCOUNTING
16511 + INF("io", S_IRUGO, pid_io_accounting),
16512 + #endif
16513 ++#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
16514 ++ INF("ipaddr", S_IRUSR, pid_ipaddr),
16515 ++#endif
16516 + };
16517 +
16518 + static int proc_tgid_base_readdir(struct file * filp,
16519 +@@ -2200,7 +2263,14 @@ static struct dentry *proc_pid_instantia
16520 + if (!inode)
16521 + goto out;
16522 +
16523 ++#ifdef CONFIG_GRKERNSEC_PROC_USER
16524 ++ inode->i_mode = S_IFDIR|S_IRUSR|S_IXUSR;
16525 ++#elif CONFIG_GRKERNSEC_PROC_USERGROUP
16526 ++ inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
16527 ++ inode->i_mode = S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP;
16528 ++#else
16529 + inode->i_mode = S_IFDIR|S_IRUGO|S_IXUGO;
16530 ++#endif
16531 + inode->i_op = &proc_tgid_base_inode_operations;
16532 + inode->i_fop = &proc_tgid_base_operations;
16533 + inode->i_flags|=S_IMMUTABLE;
16534 +@@ -2241,7 +2311,11 @@ struct dentry *proc_pid_lookup(struct in
16535 + if (!task)
16536 + goto out;
16537 +
16538 ++ if (gr_check_hidden_task(task))
16539 ++ goto out_put_task;
16540 ++
16541 + result = proc_pid_instantiate(dir, dentry, task, NULL);
16542 ++out_put_task:
16543 + put_task_struct(task);
16544 + out:
16545 + return result;
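Review bot: proc_pid_lookup hides a task with `gr_check_hidden_task(task)` alone, whereas proc_pident_lookup, proc_pident_readdir, proc_base_lookup, pid_getattr and proc_pid_readdir in this same file all test `gr_pid_is_chrooted(task) || gr_check_hidden_task(task)`. If skipping the chroot test on a direct /proc/<pid> lookup is intentional, a comment here should say so; otherwise directory listing and direct lookup disagree on whether a pid outside the chroot exists, which is exactly the kind of gap a hiding feature is judged on. The new `out_put_task:` label correctly keeps put_task_struct on the early-exit path.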
16546 +@@ -2299,6 +2373,9 @@ int proc_pid_readdir(struct file * filp,
16547 + {
16548 + unsigned int nr = filp->f_pos - FIRST_PROCESS_ENTRY;
16549 + struct task_struct *reaper = get_proc_task(filp->f_path.dentry->d_inode);
16550 ++#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
16551 ++ struct task_struct *tmp = current;
16552 ++#endif
16553 + struct task_struct *task;
16554 + int tgid;
16555 +
16556 +@@ -2316,6 +2393,18 @@ int proc_pid_readdir(struct file * filp,
16557 + task;
16558 + put_task_struct(task), task = next_tgid(tgid + 1)) {
16559 + tgid = task->pid;
16560 ++
16561 ++ if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task)
16562 ++#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
16563 ++ || (tmp->uid && (task->uid != tmp->uid)
16564 ++#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
16565 ++ && !in_group_p(CONFIG_GRKERNSEC_PROC_GID)
16566 ++#endif
16567 ++ )
16568 ++#endif
16569 ++ )
16570 ++ continue;
16571 ++
16572 + filp->f_pos = tgid + TGID_OFFSET;
16573 + if (proc_pid_fill_cache(filp, dirent, filldir, task, tgid) < 0) {
16574 + put_task_struct(task);
16575 +diff -Nurp linux-2.6.23.15/fs/proc/inode.c linux-2.6.23.15-grsec/fs/proc/inode.c
16576 +--- linux-2.6.23.15/fs/proc/inode.c 2007-10-09 21:31:38.000000000 +0100
16577 ++++ linux-2.6.23.15-grsec/fs/proc/inode.c 2008-02-11 10:37:44.000000000 +0000
16578 +@@ -418,7 +418,11 @@ struct inode *proc_get_inode(struct supe
16579 + if (de->mode) {
16580 + inode->i_mode = de->mode;
16581 + inode->i_uid = de->uid;
16582 ++#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
16583 ++ inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
16584 ++#else
16585 + inode->i_gid = de->gid;
16586 ++#endif
16587 + }
16588 + if (de->size)
16589 + inode->i_size = de->size;
16590 +diff -Nurp linux-2.6.23.15/fs/proc/internal.h linux-2.6.23.15-grsec/fs/proc/internal.h
16591 +--- linux-2.6.23.15/fs/proc/internal.h 2007-10-09 21:31:38.000000000 +0100
16592 ++++ linux-2.6.23.15-grsec/fs/proc/internal.h 2008-02-11 10:37:44.000000000 +0000
16593 +@@ -45,6 +45,9 @@ extern int proc_tid_stat(struct task_str
16594 + extern int proc_tgid_stat(struct task_struct *, char *);
16595 + extern int proc_pid_status(struct task_struct *, char *);
16596 + extern int proc_pid_statm(struct task_struct *, char *);
16597 ++#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
16598 ++extern int proc_pid_ipaddr(struct task_struct*,char*);
16599 ++#endif
16600 +
16601 + extern const struct file_operations proc_maps_operations;
16602 + extern const struct file_operations proc_numa_maps_operations;
16603 +diff -Nurp linux-2.6.23.15/fs/proc/proc_misc.c linux-2.6.23.15-grsec/fs/proc/proc_misc.c
16604 +--- linux-2.6.23.15/fs/proc/proc_misc.c 2007-10-09 21:31:38.000000000 +0100
16605 ++++ linux-2.6.23.15-grsec/fs/proc/proc_misc.c 2008-02-11 10:37:44.000000000 +0000
16606 +@@ -668,6 +668,8 @@ void create_seq_entry(char *name, mode_t
16607 +
16608 + void __init proc_misc_init(void)
16609 + {
16610 ++ int gr_mode = 0;
16611 ++
16612 + static struct {
16613 + char *name;
16614 + int (*read_proc)(char*,char**,off_t,int,int*,void*);
16615 +@@ -683,7 +685,9 @@ void __init proc_misc_init(void)
16616 + {"stram", stram_read_proc},
16617 + #endif
16618 + {"filesystems", filesystems_read_proc},
16619 ++#ifndef CONFIG_GRKERNSEC_PROC_ADD
16620 + {"cmdline", cmdline_read_proc},
16621 ++#endif
16622 + {"locks", locks_read_proc},
16623 + {"execdomains", execdomains_read_proc},
16624 + {NULL,}
16625 +@@ -691,6 +695,15 @@ void __init proc_misc_init(void)
16626 + for (p = simple_ones; p->name; p++)
16627 + create_proc_read_entry(p->name, 0, NULL, p->read_proc, NULL);
16628 +
16629 ++#ifdef CONFIG_GRKERNSEC_PROC_USER
16630 ++ gr_mode = S_IRUSR;
16631 ++#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
16632 ++ gr_mode = S_IRUSR | S_IRGRP;
16633 ++#endif
16634 ++#ifdef CONFIG_GRKERNSEC_PROC_ADD
16635 ++ create_proc_read_entry("cmdline", gr_mode, NULL, &cmdline_read_proc, NULL);
16636 ++#endif
16637 ++
16638 + proc_symlink("mounts", NULL, "self/mounts");
16639 +
16640 + /* And now for trickier ones */
16641 +@@ -702,7 +715,11 @@ void __init proc_misc_init(void)
16642 + entry->proc_fops = &proc_kmsg_operations;
16643 + }
16644 + #endif
16645 ++#ifdef CONFIG_GRKERNSEC_PROC_ADD
16646 ++ create_seq_entry("devices", gr_mode, &proc_devinfo_operations);
16647 ++#else
16648 + create_seq_entry("devices", 0, &proc_devinfo_operations);
16649 ++#endif
16650 + create_seq_entry("cpuinfo", 0, &proc_cpuinfo_operations);
16651 + #ifdef CONFIG_BLOCK
16652 + create_seq_entry("partitions", 0, &proc_partitions_operations);
16653 +@@ -710,7 +727,11 @@ void __init proc_misc_init(void)
16654 + create_seq_entry("stat", 0, &proc_stat_operations);
16655 + create_seq_entry("interrupts", 0, &proc_interrupts_operations);
16656 + #ifdef CONFIG_SLAB
16657 ++#ifdef CONFIG_GRKERNSEC_PROC_ADD
16658 ++ create_seq_entry("slabinfo",S_IWUSR|gr_mode,&proc_slabinfo_operations);
16659 ++#else
16660 + create_seq_entry("slabinfo",S_IWUSR|S_IRUGO,&proc_slabinfo_operations);
16661 ++#endif
16662 + #ifdef CONFIG_DEBUG_SLAB_LEAK
16663 + create_seq_entry("slab_allocators", 0 ,&proc_slabstats_operations);
16664 + #endif
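Review bot: `S_IWUSR|gr_mode` relies on gr_mode having been set in the earlier hunk, but gr_mode stays 0 when CONFIG_GRKERNSEC_PROC_ADD is enabled without CONFIG_GRKERNSEC_PROC_USER or _USERGROUP; slabinfo would then be created with S_IWUSR and no read bit (and, as far as I recall, proc only substitutes a default mode when no permission bits are set at all), while the `cmdline` and `devices` entries created with a bare gr_mode of 0 fall back to proc's default permissions — two different outcomes for one configuration. If Kconfig permits that combination (the Kconfig hunk is cut off in this view), give the chain a defined fallback, e.g. `#else` / `gr_mode = S_IRUGO;`, or make PROC_ADD depend on one of the two options. proc_misc_init extends beyond this hunk.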
16665 +@@ -727,7 +748,7 @@ void __init proc_misc_init(void)
16666 + #ifdef CONFIG_SCHEDSTATS
16667 + create_seq_entry("schedstat", 0, &proc_schedstat_operations);
16668 + #endif
16669 +-#ifdef CONFIG_PROC_KCORE
16670 ++#if defined(CONFIG_PROC_KCORE) && !defined(CONFIG_GRKERNSEC_PROC_ADD)
16671 + proc_root_kcore = create_proc_entry("kcore", S_IRUSR, NULL);
16672 + if (proc_root_kcore) {
16673 + proc_root_kcore->proc_fops = &proc_kcore_operations;
16674 +diff -Nurp linux-2.6.23.15/fs/proc/proc_sysctl.c linux-2.6.23.15-grsec/fs/proc/proc_sysctl.c
16675 +--- linux-2.6.23.15/fs/proc/proc_sysctl.c 2007-10-09 21:31:38.000000000 +0100
16676 ++++ linux-2.6.23.15-grsec/fs/proc/proc_sysctl.c 2008-02-11 10:37:44.000000000 +0000
16677 +@@ -7,6 +7,8 @@
16678 + #include <linux/security.h>
16679 + #include "internal.h"
16680 +
16681 ++extern __u32 gr_handle_sysctl(const struct ctl_table *table, const int op);
16682 ++
16683 + static struct dentry_operations proc_sys_dentry_operations;
16684 + static const struct file_operations proc_sys_file_operations;
16685 + static struct inode_operations proc_sys_inode_operations;
16686 +@@ -151,6 +153,9 @@ static struct dentry *proc_sys_lookup(st
16687 + if (!table)
16688 + goto out;
16689 +
16690 ++ if (gr_handle_sysctl(table, 001))
16691 ++ goto out;
16692 ++
16693 + err = ERR_PTR(-ENOMEM);
16694 + inode = proc_sys_make_inode(dir, table);
16695 + if (!inode)
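Review bot: `gr_handle_sysctl(table, 001)` passes an octal literal that reads like a mode bit; proc_sys_readdir passes `0` and proc_sys_getattr `001` again, so the second argument is an op code and deserves a named constant (or at least plain `1`) plus a comment stating what the two values select. The `extern __u32 gr_handle_sysctl(const struct ctl_table *table, const int op);` prototype added at the top of this file belongs in linux/grsecurity.h, which this patch already includes elsewhere; a file-local extern can silently diverge from the definition. proc_sys_lookup continues outside the hunk.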
16696 +@@ -358,6 +363,9 @@ static int proc_sys_readdir(struct file
16697 + if (pos < filp->f_pos)
16698 + continue;
16699 +
16700 ++ if (gr_handle_sysctl(table, 0))
16701 ++ continue;
16702 ++
16703 + if (proc_sys_fill_cache(filp, dirent, filldir, table) < 0)
16704 + goto out;
16705 + filp->f_pos = pos + 1;
16706 +@@ -420,6 +428,30 @@ out:
16707 + return error;
16708 + }
16709 +
16710 ++/* Eric Biederman is to blame */
16711 ++static int proc_sys_getattr(struct vfsmount *mnt, struct dentry *dentry, struct kstat *stat)
16712 ++{
16713 ++ int error = 0;
16714 ++ struct ctl_table_header *head;
16715 ++ struct ctl_table *table;
16716 ++
16717 ++ table = do_proc_sys_lookup(dentry->d_parent, &dentry->d_name, &head);
16718 ++ /* Has the sysctl entry disappeared on us? */
16719 ++ if (!table)
16720 ++ goto out;
16721 ++
16722 ++ if (gr_handle_sysctl(table, 001)) {
16723 ++ error = -ENOENT;
16724 ++ goto out;
16725 ++ }
16726 ++
16727 ++out:
16728 ++ sysctl_head_finish(head);
16729 ++
16730 ++ generic_fillattr(dentry->d_inode, stat);
16731 ++
16732 ++ return error;
16733 ++}
16734 + static int proc_sys_setattr(struct dentry *dentry, struct iattr *attr)
16735 + {
16736 + struct inode *inode = dentry->d_inode;
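Review bot: When `do_proc_sys_lookup` returns no table, proc_sys_getattr still reaches `generic_fillattr` and returns 0, so a vanished entry reports stale attributes as success while the gr_handle_sysctl case reports -ENOENT; if the disappeared case should also be -ENOENT, as the "disappeared on us" comment suggests, set `error = -ENOENT;` before that `goto out` too. On the same path `head` is handed to `sysctl_head_finish(head)` without being initialised here, so this depends on do_proc_sys_lookup assigning it on failure — please confirm. The `/* Eric Biederman is to blame */` comment should instead explain the purpose, e.g. `/* Repeat the lookup so entries that gr_handle_sysctl hides also fail stat(), not only lookup and readdir. */`, and a blank line is missing between the closing brace and proc_sys_setattr.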
16737 +@@ -448,6 +480,7 @@ static struct inode_operations proc_sys_
16738 + .lookup = proc_sys_lookup,
16739 + .permission = proc_sys_permission,
16740 + .setattr = proc_sys_setattr,
16741 ++ .getattr = proc_sys_getattr,
16742 + };
16743 +
16744 + static int proc_sys_revalidate(struct dentry *dentry, struct nameidata *nd)
16745 +diff -Nurp linux-2.6.23.15/fs/proc/root.c linux-2.6.23.15-grsec/fs/proc/root.c
16746 +--- linux-2.6.23.15/fs/proc/root.c 2007-10-09 21:31:38.000000000 +0100
16747 ++++ linux-2.6.23.15-grsec/fs/proc/root.c 2008-02-11 10:37:44.000000000 +0000
16748 +@@ -61,7 +61,13 @@ void __init proc_root_init(void)
16749 + return;
16750 + }
16751 + proc_misc_init();
16752 ++#ifdef CONFIG_GRKERNSEC_PROC_USER
16753 ++ proc_net = proc_mkdir_mode("net", S_IRUSR | S_IXUSR, NULL);
16754 ++#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
16755 ++ proc_net = proc_mkdir_mode("net", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, NULL);
16756 ++#else
16757 + proc_net = proc_mkdir("net", NULL);
16758 ++#endif
16759 + proc_net_stat = proc_mkdir("net/stat", NULL);
16760 +
16761 + #ifdef CONFIG_SYSVIPC
16762 +@@ -78,7 +84,15 @@ void __init proc_root_init(void)
16763 + #ifdef CONFIG_PROC_DEVICETREE
16764 + proc_device_tree_init();
16765 + #endif
16766 ++#ifdef CONFIG_GRKERNSEC_PROC_ADD
16767 ++#ifdef CONFIG_GRKERNSEC_PROC_USER
16768 ++ proc_bus = proc_mkdir_mode("bus", S_IRUSR | S_IXUSR, NULL);
16769 ++#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
16770 ++ proc_bus = proc_mkdir_mode("bus", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, NULL);
16771 ++#endif
16772 ++#else
16773 + proc_bus = proc_mkdir("bus", NULL);
16774 ++#endif
16775 + proc_sys_init();
16776 + }
16777 +
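Review bot: Inside `#ifdef CONFIG_GRKERNSEC_PROC_ADD` the bus directory is created only under PROC_USER or PROC_USERGROUP; with PROC_ADD alone proc_bus is left NULL and anything that later registers entries under proc_bus gets a NULL parent. If Kconfig allows PROC_ADD without one of the two (not visible in this view), add `#else` / `proc_bus = proc_mkdir("bus", NULL);` to the inner chain, mirroring the fallback the /proc/net block above already has. proc_root_init ends within this hunk.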
16778 +diff -Nurp linux-2.6.23.15/fs/proc/task_mmu.c linux-2.6.23.15-grsec/fs/proc/task_mmu.c
16779 +--- linux-2.6.23.15/fs/proc/task_mmu.c 2007-10-09 21:31:38.000000000 +0100
16780 ++++ linux-2.6.23.15-grsec/fs/proc/task_mmu.c 2008-02-11 10:37:44.000000000 +0000
16781 +@@ -44,15 +44,27 @@ char *task_mem(struct mm_struct *mm, cha
16782 + "VmStk:\t%8lu kB\n"
16783 + "VmExe:\t%8lu kB\n"
16784 + "VmLib:\t%8lu kB\n"
16785 +- "VmPTE:\t%8lu kB\n",
16786 +- hiwater_vm << (PAGE_SHIFT-10),
16787 ++ "VmPTE:\t%8lu kB\n"
16788 ++
16789 ++#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
16790 ++ "CsBase:\t%8lx\nCsLim:\t%8lx\n"
16791 ++#endif
16792 ++
16793 ++ ,hiwater_vm << (PAGE_SHIFT-10),
16794 + (total_vm - mm->reserved_vm) << (PAGE_SHIFT-10),
16795 + mm->locked_vm << (PAGE_SHIFT-10),
16796 + hiwater_rss << (PAGE_SHIFT-10),
16797 + total_rss << (PAGE_SHIFT-10),
16798 + data << (PAGE_SHIFT-10),
16799 + mm->stack_vm << (PAGE_SHIFT-10), text, lib,
16800 +- (PTRS_PER_PTE*sizeof(pte_t)*mm->nr_ptes) >> 10);
16801 ++ (PTRS_PER_PTE*sizeof(pte_t)*mm->nr_ptes) >> 10
16802 ++
16803 ++#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
16804 ++ , mm->context.user_cs_base, mm->context.user_cs_limit
16805 ++#endif
16806 ++
16807 ++ );
16808 ++
16809 + return buffer;
16810 + }
16811 +
16812 +@@ -131,6 +143,12 @@ struct pmd_walker {
16813 + unsigned long, void *);
16814 + };
16815 +
16816 ++#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
16817 ++#define PAX_RAND_FLAGS(_mm) (_mm != NULL && _mm != current->mm && \
16818 ++ (_mm->pax_flags & MF_PAX_RANDMMAP || \
16819 ++ _mm->pax_flags & MF_PAX_SEGMEXEC))
16820 ++#endif
16821 ++
16822 + static int show_map_internal(struct seq_file *m, void *v, struct mem_size_stats *mss)
16823 + {
16824 + struct proc_maps_private *priv = m->private;
16825 +@@ -153,13 +171,22 @@ static int show_map_internal(struct seq_
16826 + }
16827 +
16828 + seq_printf(m, "%08lx-%08lx %c%c%c%c %08lx %02x:%02x %lu %n",
16829 ++#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
16830 ++ PAX_RAND_FLAGS(mm) ? 0UL : vma->vm_start,
16831 ++ PAX_RAND_FLAGS(mm) ? 0UL : vma->vm_end,
16832 ++#else
16833 + vma->vm_start,
16834 + vma->vm_end,
16835 ++#endif
16836 + flags & VM_READ ? 'r' : '-',
16837 + flags & VM_WRITE ? 'w' : '-',
16838 + flags & VM_EXEC ? 'x' : '-',
16839 + flags & VM_MAYSHARE ? 's' : 'p',
16840 ++#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
16841 ++ PAX_RAND_FLAGS(mm) ? 0UL : vma->vm_pgoff << PAGE_SHIFT,
16842 ++#else
16843 + vma->vm_pgoff << PAGE_SHIFT,
16844 ++#endif
16845 + MAJOR(dev), MINOR(dev), ino, &len);
16846 +
16847 + /*
16848 +@@ -173,11 +200,11 @@ static int show_map_internal(struct seq_
16849 + const char *name = arch_vma_name(vma);
16850 + if (!name) {
16851 + if (mm) {
16852 +- if (vma->vm_start <= mm->start_brk &&
16853 +- vma->vm_end >= mm->brk) {
16854 ++ if (vma->vm_start <= mm->brk && vma->vm_end >= mm->start_brk) {
16855 + name = "[heap]";
16856 +- } else if (vma->vm_start <= mm->start_stack &&
16857 +- vma->vm_end >= mm->start_stack) {
16858 ++ } else if ((vma->vm_flags & (VM_GROWSDOWN | VM_GROWSUP)) ||
16859 ++ (vma->vm_start <= mm->start_stack &&
16860 ++ vma->vm_end >= mm->start_stack)) {
16861 + name = "[stack]";
16862 + }
16863 + } else {
16864 +@@ -191,7 +218,27 @@ static int show_map_internal(struct seq_
16865 + }
16866 + seq_putc(m, '\n');
16867 +
16868 +- if (mss)
16869 ++
16870 ++ if (mss) {
16871 ++#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
16872 ++ if (PAX_RAND_FLAGS(mm))
16873 ++ seq_printf(m,
16874 ++ "Size: %8lu kB\n"
16875 ++ "Rss: %8lu kB\n"
16876 ++ "Shared_Clean: %8lu kB\n"
16877 ++ "Shared_Dirty: %8lu kB\n"
16878 ++ "Private_Clean: %8lu kB\n"
16879 ++ "Private_Dirty: %8lu kB\n",
16880 ++ "Referenced: %8lu kB\n",
16881 ++ 0UL,
16882 ++ 0UL,
16883 ++ 0UL,
16884 ++ 0UL,
16885 ++ 0UL,
16886 ++ 0UL,
16887 ++ 0UL);
16888 ++ else
16889 ++#endif
16890 + seq_printf(m,
16891 + "Size: %8lu kB\n"
16892 + "Rss: %8lu kB\n"
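Review bot: In the PAX_RAND_FLAGS branch the format string is cut short: the line `"Private_Dirty: %8lu kB\n",` ends with a comma, so `"Referenced: %8lu kB\n"` becomes the first vararg instead of the last piece of the format. The six `%8lu` conversions then consume the address of that string literal followed by five of the seven `0UL`s: the Size: line prints a kernel address — the opposite of what this branch exists to hide — and no Referenced: line is emitted at all; -Wformat should flag the pointer passed for `%lu`. Drop the stray comma so the literals are adjacent, `"Private_Dirty: %8lu kB\n"` then `"Referenced: %8lu kB\n",`, matching the unconditional seq_printf below. show_map_internal continues past this hunk.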
16893 +@@ -207,6 +254,7 @@ static int show_map_internal(struct seq_
16894 + mss->private_clean >> 10,
16895 + mss->private_dirty >> 10,
16896 + mss->referenced >> 10);
16897 ++ }
16898 +
16899 + if (m->count < m->size) /* vma is copied successfully */
16900 + m->version = (vma != get_gate_vma(task))? vma->vm_start: 0;
16901 +diff -Nurp linux-2.6.23.15/fs/readdir.c linux-2.6.23.15-grsec/fs/readdir.c
16902 +--- linux-2.6.23.15/fs/readdir.c 2007-10-09 21:31:38.000000000 +0100
16903 ++++ linux-2.6.23.15-grsec/fs/readdir.c 2008-02-11 10:37:44.000000000 +0000
16904 +@@ -16,6 +16,8 @@
16905 + #include <linux/security.h>
16906 + #include <linux/syscalls.h>
16907 + #include <linux/unistd.h>
16908 ++#include <linux/namei.h>
16909 ++#include <linux/grsecurity.h>
16910 +
16911 + #include <asm/uaccess.h>
16912 +
16913 +@@ -64,6 +66,7 @@ struct old_linux_dirent {
16914 +
16915 + struct readdir_callback {
16916 + struct old_linux_dirent __user * dirent;
16917 ++ struct file * file;
16918 + int result;
16919 + };
16920 +
16921 +@@ -79,6 +82,10 @@ static int fillonedir(void * __buf, cons
16922 + d_ino = ino;
16923 + if (sizeof(d_ino) < sizeof(ino) && d_ino != ino)
16924 + return -EOVERFLOW;
16925 ++
16926 ++ if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
16927 ++ return 0;
16928 ++
16929 + buf->result++;
16930 + dirent = buf->dirent;
16931 + if (!access_ok(VERIFY_WRITE, dirent,
16932 +@@ -110,6 +117,7 @@ asmlinkage long old_readdir(unsigned int
16933 +
16934 + buf.result = 0;
16935 + buf.dirent = dirent;
16936 ++ buf.file = file;
16937 +
16938 + error = vfs_readdir(file, fillonedir, &buf);
16939 + if (error >= 0)
16940 +@@ -136,6 +144,7 @@ struct linux_dirent {
16941 + struct getdents_callback {
16942 + struct linux_dirent __user * current_dir;
16943 + struct linux_dirent __user * previous;
16944 ++ struct file * file;
16945 + int count;
16946 + int error;
16947 + };
16948 +@@ -154,6 +163,10 @@ static int filldir(void * __buf, const c
16949 + d_ino = ino;
16950 + if (sizeof(d_ino) < sizeof(ino) && d_ino != ino)
16951 + return -EOVERFLOW;
16952 ++
16953 ++ if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
16954 ++ return 0;
16955 ++
16956 + dirent = buf->previous;
16957 + if (dirent) {
16958 + if (__put_user(offset, &dirent->d_off))
16959 +@@ -200,6 +213,7 @@ asmlinkage long sys_getdents(unsigned in
16960 + buf.previous = NULL;
16961 + buf.count = count;
16962 + buf.error = 0;
16963 ++ buf.file = file;
16964 +
16965 + error = vfs_readdir(file, filldir, &buf);
16966 + if (error < 0)
16967 +@@ -222,6 +236,7 @@ out:
16968 + struct getdents_callback64 {
16969 + struct linux_dirent64 __user * current_dir;
16970 + struct linux_dirent64 __user * previous;
16971 ++ struct file *file;
16972 + int count;
16973 + int error;
16974 + };
16975 +@@ -236,6 +251,10 @@ static int filldir64(void * __buf, const
16976 + buf->error = -EINVAL; /* only used if we fail.. */
16977 + if (reclen > buf->count)
16978 + return -EINVAL;
16979 ++
16980 ++ if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
16981 ++ return 0;
16982 ++
16983 + dirent = buf->previous;
16984 + if (dirent) {
16985 + if (__put_user(offset, &dirent->d_off))
16986 +@@ -282,6 +301,7 @@ asmlinkage long sys_getdents64(unsigned
16987 +
16988 + buf.current_dir = dirent;
16989 + buf.previous = NULL;
16990 ++ buf.file = file;
16991 + buf.count = count;
16992 + buf.error = 0;
16993 +
16994 +diff -Nurp linux-2.6.23.15/fs/udf/balloc.c linux-2.6.23.15-grsec/fs/udf/balloc.c
16995 +--- linux-2.6.23.15/fs/udf/balloc.c 2007-10-09 21:31:38.000000000 +0100
16996 ++++ linux-2.6.23.15-grsec/fs/udf/balloc.c 2008-02-11 10:37:44.000000000 +0000
16997 +@@ -154,8 +154,7 @@ static void udf_bitmap_free_blocks(struc
16998 + unsigned long overflow;
16999 +
17000 + mutex_lock(&sbi->s_alloc_mutex);
17001 +- if (bloc.logicalBlockNum < 0 ||
17002 +- (bloc.logicalBlockNum + count) > UDF_SB_PARTLEN(sb, bloc.partitionReferenceNum)) {
17003 ++ if (bloc.logicalBlockNum + count > UDF_SB_PARTLEN(sb, bloc.partitionReferenceNum)) {
17004 + udf_debug("%d < %d || %d + %d > %d\n",
17005 + bloc.logicalBlockNum, 0, bloc.logicalBlockNum, count,
17006 + UDF_SB_PARTLEN(sb, bloc.partitionReferenceNum));
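Review bot: With the `bloc.logicalBlockNum < 0` clause removed (correct for an unsigned field), the `udf_debug("%d < %d || %d + %d > %d\n", ..., 0, ...)` message on the following context lines still reports a comparison against 0 that is no longer made; trim it to the remaining `%d + %d > %d` test and its three arguments, here and in udf_table_free_blocks below. The `logicalBlockNum + count` sum can still wrap in 32 bits before the comparison, exactly as before this change, which is worth a note if those values can originate from on-disk data. udf_bitmap_free_blocks continues outside the hunk.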
17007 +@@ -221,7 +220,7 @@ static int udf_bitmap_prealloc_blocks(st
17008 + struct buffer_head *bh;
17009 +
17010 + mutex_lock(&sbi->s_alloc_mutex);
17011 +- if (first_block < 0 || first_block >= UDF_SB_PARTLEN(sb, partition))
17012 ++ if (first_block >= UDF_SB_PARTLEN(sb, partition))
17013 + goto out;
17014 +
17015 + if (first_block + block_count > UDF_SB_PARTLEN(sb, partition))
17016 +@@ -287,7 +286,7 @@ static int udf_bitmap_new_block(struct s
17017 + mutex_lock(&sbi->s_alloc_mutex);
17018 +
17019 + repeat:
17020 +- if (goal < 0 || goal >= UDF_SB_PARTLEN(sb, partition))
17021 ++ if (goal >= UDF_SB_PARTLEN(sb, partition))
17022 + goal = 0;
17023 +
17024 + nr_groups = bitmap->s_nr_groups;
17025 +@@ -420,8 +419,7 @@ static void udf_table_free_blocks(struct
17026 + int i;
17027 +
17028 + mutex_lock(&sbi->s_alloc_mutex);
17029 +- if (bloc.logicalBlockNum < 0 ||
17030 +- (bloc.logicalBlockNum + count) > UDF_SB_PARTLEN(sb, bloc.partitionReferenceNum)) {
17031 ++ if (bloc.logicalBlockNum + count > UDF_SB_PARTLEN(sb, bloc.partitionReferenceNum)) {
17032 + udf_debug("%d < %d || %d + %d > %d\n",
17033 + bloc.logicalBlockNum, 0, bloc.logicalBlockNum, count,
17034 + UDF_SB_PARTLEN(sb, bloc.partitionReferenceNum));
17035 +@@ -627,7 +625,7 @@ static int udf_table_prealloc_blocks(str
17036 + struct extent_position epos;
17037 + int8_t etype = -1;
17038 +
17039 +- if (first_block < 0 || first_block >= UDF_SB_PARTLEN(sb, partition))
17040 ++ if (first_block >= UDF_SB_PARTLEN(sb, partition))
17041 + return 0;
17042 +
17043 + if (UDF_I_ALLOCTYPE(table) == ICBTAG_FLAG_AD_SHORT)
17044 +@@ -703,7 +701,7 @@ static int udf_table_new_block(struct su
17045 + return newblock;
17046 +
17047 + mutex_lock(&sbi->s_alloc_mutex);
17048 +- if (goal < 0 || goal >= UDF_SB_PARTLEN(sb, partition))
17049 ++ if (goal >= UDF_SB_PARTLEN(sb, partition))
17050 + goal = 0;
17051 +
17052 + /* We search for the closest matching block to goal. If we find a exact hit,
17053 +diff -Nurp linux-2.6.23.15/fs/udf/inode.c linux-2.6.23.15-grsec/fs/udf/inode.c
17054 +--- linux-2.6.23.15/fs/udf/inode.c 2007-10-09 21:31:38.000000000 +0100
17055 ++++ linux-2.6.23.15-grsec/fs/udf/inode.c 2008-02-11 10:37:44.000000000 +0000
17056 +@@ -308,9 +308,6 @@ static int udf_get_block(struct inode *i
17057 +
17058 + lock_kernel();
17059 +
17060 +- if (block < 0)
17061 +- goto abort_negative;
17062 +-
17063 + if (block == UDF_I_NEXT_ALLOC_BLOCK(inode) + 1) {
17064 + UDF_I_NEXT_ALLOC_BLOCK(inode)++;
17065 + UDF_I_NEXT_ALLOC_GOAL(inode)++;
17066 +@@ -331,10 +328,6 @@ static int udf_get_block(struct inode *i
17067 + abort:
17068 + unlock_kernel();
17069 + return err;
17070 +-
17071 +-abort_negative:
17072 +- udf_warning(inode->i_sb, "udf_get_block", "block < 0");
17073 +- goto abort;
17074 + }
17075 +
17076 + static struct buffer_head *udf_getblk(struct inode *inode, long block,
17077 +diff -Nurp linux-2.6.23.15/fs/ufs/inode.c linux-2.6.23.15-grsec/fs/ufs/inode.c
17078 +--- linux-2.6.23.15/fs/ufs/inode.c 2007-10-09 21:31:38.000000000 +0100
17079 ++++ linux-2.6.23.15-grsec/fs/ufs/inode.c 2008-02-11 10:37:44.000000000 +0000
17080 +@@ -55,9 +55,7 @@ static int ufs_block_to_path(struct inod
17081 +
17082 +
17083 + UFSD("ptrs=uspi->s_apb = %d,double_blocks=%ld \n",ptrs,double_blocks);
17084 +- if (i_block < 0) {
17085 +- ufs_warning(inode->i_sb, "ufs_block_to_path", "block < 0");
17086 +- } else if (i_block < direct_blocks) {
17087 ++ if (i_block < direct_blocks) {
17088 + offsets[n++] = i_block;
17089 + } else if ((i_block -= direct_blocks) < indirect_blocks) {
17090 + offsets[n++] = UFS_IND_BLOCK;
17091 +@@ -439,8 +437,6 @@ int ufs_getfrag_block(struct inode *inod
17092 + lock_kernel();
17093 +
17094 + UFSD("ENTER, ino %lu, fragment %llu\n", inode->i_ino, (unsigned long long)fragment);
17095 +- if (fragment < 0)
17096 +- goto abort_negative;
17097 + if (fragment >
17098 + ((UFS_NDADDR + uspi->s_apb + uspi->s_2apb + uspi->s_3apb)
17099 + << uspi->s_fpbshift))
17100 +@@ -503,10 +499,6 @@ abort:
17101 + unlock_kernel();
17102 + return err;
17103 +
17104 +-abort_negative:
17105 +- ufs_warning(sb, "ufs_get_block", "block < 0");
17106 +- goto abort;
17107 +-
17108 + abort_too_big:
17109 + ufs_warning(sb, "ufs_get_block", "block > big");
17110 + goto abort;
17111 +diff -Nurp linux-2.6.23.15/fs/utimes.c linux-2.6.23.15-grsec/fs/utimes.c
17112 +--- linux-2.6.23.15/fs/utimes.c 2007-10-09 21:31:38.000000000 +0100
17113 ++++ linux-2.6.23.15-grsec/fs/utimes.c 2008-02-11 10:37:44.000000000 +0000
17114 +@@ -6,6 +6,7 @@
17115 + #include <linux/sched.h>
17116 + #include <linux/stat.h>
17117 + #include <linux/utime.h>
17118 ++#include <linux/grsecurity.h>
17119 + #include <asm/uaccess.h>
17120 + #include <asm/unistd.h>
17121 +
17122 +@@ -47,6 +48,7 @@ long do_utimes(int dfd, char __user *fil
17123 + int error;
17124 + struct nameidata nd;
17125 + struct dentry *dentry;
17126 ++ struct vfsmount *mnt;
17127 + struct inode *inode;
17128 + struct iattr newattrs;
17129 + struct file *f = NULL;
17130 +@@ -65,12 +67,14 @@ long do_utimes(int dfd, char __user *fil
17131 + if (!f)
17132 + goto out;
17133 + dentry = f->f_path.dentry;
17134 ++ mnt = f->f_path.mnt;
17135 + } else {
17136 + error = __user_walk_fd(dfd, filename, (flags & AT_SYMLINK_NOFOLLOW) ? 0 : LOOKUP_FOLLOW, &nd);
17137 + if (error)
17138 + goto out;
17139 +
17140 + dentry = nd.dentry;
17141 ++ mnt = nd.mnt;
17142 + }
17143 +
17144 + inode = dentry->d_inode;
17145 +@@ -117,6 +121,12 @@ long do_utimes(int dfd, char __user *fil
17146 + }
17147 + }
17148 + }
17149 ++
17150 ++ if (!gr_acl_handle_utime(dentry, mnt)) {
17151 ++ error = -EACCES;
17152 ++ goto dput_and_out;
17153 ++ }
17154 ++
17155 + mutex_lock(&inode->i_mutex);
17156 + error = notify_change(dentry, &newattrs);
17157 + mutex_unlock(&inode->i_mutex);
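Review bot: The RBAC hook inserted ahead of `mutex_lock(&inode->i_mutex)` carries no comment, and the polarity of its return value is only implied by the `!` test; a one-line comment would spare the next reader a trip to grsecurity.h: `/* RBAC hook: a zero return denies the utime; runs after the DAC/ownership checks so only DAC-permitted requests are consulted against policy */`. The denial path reuses `dput_and_out`, which is outside the hunk, so I could not confirm it releases both the `f`/`fput` and the `nd` forms of the lookup the way the earlier error paths presumably do — worth a check now that `mnt` is taken from both branches. The hook reports -EACCES; if that is intended to differ from the error codes of the existing checks in this function (not visible here), the comment should say so. do_utimes begins and ends outside this hunk.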
17158 +diff -Nurp linux-2.6.23.15/fs/xfs/xfs_bmap.c linux-2.6.23.15-grsec/fs/xfs/xfs_bmap.c
17159 +--- linux-2.6.23.15/fs/xfs/xfs_bmap.c 2007-10-09 21:31:38.000000000 +0100
17160 ++++ linux-2.6.23.15-grsec/fs/xfs/xfs_bmap.c 2008-02-11 10:37:44.000000000 +0000
17161 +@@ -374,7 +374,7 @@ xfs_bmap_validate_ret(
17162 + int nmap,
17163 + int ret_nmap);
17164 + #else
17165 +-#define xfs_bmap_validate_ret(bno,len,flags,mval,onmap,nmap)
17166 ++#define xfs_bmap_validate_ret(bno,len,flags,mval,onmap,nmap) do {} while (0)
17167 + #endif /* DEBUG */
17168 +
17169 + #if defined(XFS_RW_TRACE)
17170 +diff -Nurp linux-2.6.23.15/grsecurity/Kconfig linux-2.6.23.15-grsec/grsecurity/Kconfig
17171 +--- linux-2.6.23.15/grsecurity/Kconfig 1970-01-01 01:00:00.000000000 +0100
17172 ++++ linux-2.6.23.15-grsec/grsecurity/Kconfig 2008-02-11 10:37:44.000000000 +0000
17173 +@@ -0,0 +1,873 @@
17174 ++#
17175 ++# grecurity configuration
17176 ++#
17177 ++
17178 ++menu "Grsecurity"
17179 ++
17180 ++config GRKERNSEC
17181 ++ bool "Grsecurity"
17182 ++ select CRYPTO
17183 ++ select CRYPTO_SHA256
17184 ++ help
17185 ++ If you say Y here, you will be able to configure many features
17186 ++ that will enhance the security of your system. It is highly
17187 ++ recommended that you say Y here and read through the help
17188 ++ for each option so that you fully understand the features and
17189 ++ can evaluate their usefulness for your machine.
17190 ++
17191 ++choice
17192 ++ prompt "Security Level"
17193 ++ depends GRKERNSEC
17194 ++ default GRKERNSEC_CUSTOM
17195 ++
17196 ++config GRKERNSEC_LOW
17197 ++ bool "Low"
17198 ++ select GRKERNSEC_LINK
17199 ++ select GRKERNSEC_FIFO
17200 ++ select GRKERNSEC_EXECVE
17201 ++ select GRKERNSEC_RANDNET
17202 ++ select GRKERNSEC_DMESG
17203 ++ select GRKERNSEC_CHROOT_CHDIR
17204 ++ select GRKERNSEC_MODSTOP if (MODULES)
17205 ++
17206 ++ help
17207 ++ If you choose this option, several of the grsecurity options will
17208 ++ be enabled that will give you greater protection against a number
17209 ++ of attacks, while assuring that none of your software will have any
17210 ++ conflicts with the additional security measures. If you run a lot
17211 ++ of unusual software, or you are having problems with the higher
17212 ++ security levels, you should say Y here. With this option, the
17213 ++ following features are enabled:
17214 ++
17215 ++ - Linking restrictions
17216 ++ - FIFO restrictions
17217 ++ - Enforcing RLIMIT_NPROC on execve
17218 ++ - Restricted dmesg
17219 ++ - Enforced chdir("/") on chroot
17220 ++ - Runtime module disabling
17221 ++
17222 ++config GRKERNSEC_MEDIUM
17223 ++ bool "Medium"
17224 ++ select PAX
17225 ++ select PAX_EI_PAX
17226 ++ select PAX_PT_PAX_FLAGS
17227 ++ select PAX_HAVE_ACL_FLAGS
17228 ++ select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
17229 ++ select GRKERNSEC_CHROOT_SYSCTL
17230 ++ select GRKERNSEC_LINK
17231 ++ select GRKERNSEC_FIFO
17232 ++ select GRKERNSEC_EXECVE
17233 ++ select GRKERNSEC_DMESG
17234 ++ select GRKERNSEC_RANDNET
17235 ++ select GRKERNSEC_FORKFAIL
17236 ++ select GRKERNSEC_TIME
17237 ++ select GRKERNSEC_SIGNAL
17238 ++ select GRKERNSEC_CHROOT
17239 ++ select GRKERNSEC_CHROOT_UNIX
17240 ++ select GRKERNSEC_CHROOT_MOUNT
17241 ++ select GRKERNSEC_CHROOT_PIVOT
17242 ++ select GRKERNSEC_CHROOT_DOUBLE
17243 ++ select GRKERNSEC_CHROOT_CHDIR
17244 ++ select GRKERNSEC_CHROOT_MKNOD
17245 ++ select GRKERNSEC_PROC
17246 ++ select GRKERNSEC_PROC_USERGROUP
17247 ++ select GRKERNSEC_MODSTOP if (MODULES)
17248 ++ select PAX_RANDUSTACK
17249 ++ select PAX_ASLR
17250 ++ select PAX_RANDMMAP
17251 ++
17252 ++ help
17253 ++ If you say Y here, several features in addition to those included
17254 ++ in the low additional security level will be enabled. These
17255 ++ features provide even more security to your system, though in rare
17256 ++ cases they may be incompatible with very old or poorly written
17257 ++ software. If you enable this option, make sure that your auth
17258 ++ service (identd) is running as gid 1001. With this option,
17259 ++ the following features (in addition to those provided in the
17260 ++ low additional security level) will be enabled:
17261 ++
17262 ++ - Randomized TCP source ports
17263 ++ - Failed fork logging
17264 ++ - Time change logging
17265 ++ - Signal logging
17266 ++ - Deny mounts in chroot
17267 ++ - Deny double chrooting
17268 ++ - Deny sysctl writes in chroot
17269 ++ - Deny mknod in chroot
17270 ++ - Deny access to abstract AF_UNIX sockets out of chroot
17271 ++ - Deny pivot_root in chroot
17272 ++ - Denied writes of /dev/kmem, /dev/mem, and /dev/port
17273 ++ - /proc restrictions with special GID set to 10 (usually wheel)
17274 ++ - Address Space Layout Randomization (ASLR)
17275 ++
17276 ++config GRKERNSEC_HIGH
17277 ++ bool "High"
17278 ++ select GRKERNSEC_LINK
17279 ++ select GRKERNSEC_FIFO
17280 ++ select GRKERNSEC_EXECVE
17281 ++ select GRKERNSEC_DMESG
17282 ++ select GRKERNSEC_FORKFAIL
17283 ++ select GRKERNSEC_TIME
17284 ++ select GRKERNSEC_SIGNAL
17285 ++ select GRKERNSEC_CHROOT_SHMAT
17286 ++ select GRKERNSEC_CHROOT_UNIX
17287 ++ select GRKERNSEC_CHROOT_MOUNT
17288 ++ select GRKERNSEC_CHROOT_FCHDIR
17289 ++ select GRKERNSEC_CHROOT_PIVOT
17290 ++ select GRKERNSEC_CHROOT_DOUBLE
17291 ++ select GRKERNSEC_CHROOT_CHDIR
17292 ++ select GRKERNSEC_CHROOT_MKNOD
17293 ++ select GRKERNSEC_CHROOT_CAPS
17294 ++ select GRKERNSEC_CHROOT_SYSCTL
17295 ++ select GRKERNSEC_CHROOT_FINDTASK
17296 ++ select GRKERNSEC_PROC
17297 ++ select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
17298 ++ select GRKERNSEC_HIDESYM
17299 ++ select GRKERNSEC_BRUTE
17300 ++ select GRKERNSEC_SHM if (SYSVIPC)
17301 ++ select GRKERNSEC_PROC_USERGROUP
17302 ++ select GRKERNSEC_KMEM
17303 ++ select GRKERNSEC_RESLOG
17304 ++ select GRKERNSEC_RANDNET
17305 ++ select GRKERNSEC_PROC_ADD
17306 ++ select GRKERNSEC_CHROOT_CHMOD
17307 ++ select GRKERNSEC_CHROOT_NICE
17308 ++ select GRKERNSEC_AUDIT_MOUNT
17309 ++ select GRKERNSEC_MODSTOP if (MODULES)
17310 ++ select PAX
17311 ++ select PAX_RANDUSTACK
17312 ++ select PAX_ASLR
17313 ++ select PAX_RANDMMAP
17314 ++ select PAX_NOEXEC
17315 ++ select PAX_MPROTECT
17316 ++ select PAX_EI_PAX
17317 ++ select PAX_PT_PAX_FLAGS
17318 ++ select PAX_HAVE_ACL_FLAGS
17319 ++ select PAX_KERNEXEC if (!X86_64 && !EFI && !COMPAT_VDSO && !PARAVIRT && X86_WP_WORKS_OK)
17320 ++ select PAX_MEMORY_UDEREF if (!X86_64 && !COMPAT_VDSO)
17321 ++ select PAX_RANDKSTACK if (X86_TSC && !X86_64)
17322 ++ select PAX_SEGMEXEC if (X86 && !X86_64)
17323 ++ select PAX_PAGEEXEC if (!X86)
17324 ++ select PAX_EMUPLT if (ALPHA || PARISC || PPC32 || SPARC32 || SPARC64)
17325 ++ select PAX_DLRESOLVE if (SPARC32 || SPARC64)
17326 ++ select PAX_SYSCALL if (PPC32)
17327 ++ select PAX_EMUTRAMP if (PARISC)
17328 ++ select PAX_EMUSIGRT if (PARISC)
17329 ++ select PAX_ETEXECRELOCS if (ALPHA || IA64 || PARISC)
17330 ++ help
17331 ++ If you say Y here, many of the features of grsecurity will be
17332 ++ enabled, which will protect you against many kinds of attacks
17333 ++ against your system. The heightened security comes at a cost
17334 ++ of an increased chance of incompatibilities with rare software
17335 ++ on your machine. Since this security level enables PaX, you should
17336 ++ view <http://pax.grsecurity.net> and read about the PaX
17337 ++ project. While you are there, download chpax and run it on
17338 ++ binaries that cause problems with PaX. Also remember that
17339 ++ since the /proc restrictions are enabled, you must run your
17340 ++ identd as gid 1001. This security level enables the following
17341 ++ features in addition to those listed in the low and medium
17342 ++ security levels:
17343 ++
17344 ++ - Additional /proc restrictions
17345 ++ - Chmod restrictions in chroot
17346 ++ - No signals, ptrace, or viewing of processes outside of chroot
17347 ++ - Capability restrictions in chroot
17348 ++ - Deny fchdir out of chroot
17349 ++ - Priority restrictions in chroot
17350 ++ - Segmentation-based implementation of PaX
17351 ++ - Mprotect restrictions
17352 ++ - Removal of addresses from /proc/<pid>/[smaps|maps|stat]
17353 ++ - Kernel stack randomization
17354 ++ - Mount/unmount/remount logging
17355 ++ - Kernel symbol hiding
17356 ++ - Destroy unused shared memory
17357 ++ - Prevention of memory exhaustion-based exploits
17358 ++config GRKERNSEC_CUSTOM
17359 ++ bool "Custom"
17360 ++ help
17361 ++ If you say Y here, you will be able to configure every grsecurity
17362 ++ option, which allows you to enable many more features that aren't
17363 ++ covered in the basic security levels. These additional features
17364 ++ include TPE, socket restrictions, and the sysctl system for
17365 ++ grsecurity. It is advised that you read through the help for
17366 ++ each option to determine its usefulness in your situation.
17367 ++
17368 ++endchoice
17369 ++
17370 ++menu "Address Space Protection"
17371 ++depends on GRKERNSEC
17372 ++
17373 ++config GRKERNSEC_KMEM
17374 ++ bool "Deny writing to /dev/kmem, /dev/mem, and /dev/port"
17375 ++ help
17376 ++ If you say Y here, /dev/kmem and /dev/mem won't be allowed to
17377 ++ be written to via mmap or otherwise to modify the running kernel.
17378 ++ /dev/port will also not be allowed to be opened. If you have module
17379 ++ support disabled, enabling this will close up four ways that are
17380 ++ currently used to insert malicious code into the running kernel.
17381 ++ Even with all these features enabled, we still highly recommend that
17382 ++ you use the RBAC system, as it is still possible for an attacker to
17383 ++ modify the running kernel through privileged I/O granted by ioperm/iopl.
17384 ++ If you are not using XFree86, you may be able to stop this additional
17385 ++ case by enabling the 'Disable privileged I/O' option. Though nothing
17386 ++ legitimately writes to /dev/kmem, XFree86 does need to write to /dev/mem,
17387 ++ but only to video memory, which is the only writing we allow in this
17388 ++ case. If /dev/kmem or /dev/mem are mmaped without PROT_WRITE, they will
17389 ++ not be allowed to mprotect it with PROT_WRITE later.
17390 ++ It is highly recommended that you say Y here if you meet all the
17391 ++ conditions above.
17392 ++
17393 ++config GRKERNSEC_IO
17394 ++ bool "Disable privileged I/O"
17395 ++ depends on X86
17396 ++ select RTC
17397 ++ help
17398 ++ If you say Y here, all ioperm and iopl calls will return an error.
17399 ++ Ioperm and iopl can be used to modify the running kernel.
17400 ++ Unfortunately, some programs need this access to operate properly,
17401 ++ the most notable of which are XFree86 and hwclock. hwclock can be
17402 ++ remedied by having RTC support in the kernel, so CONFIG_RTC is
17403 ++ enabled if this option is enabled, to ensure that hwclock operates
17404 ++ correctly. XFree86 still will not operate correctly with this option
17405 ++ enabled, so DO NOT CHOOSE Y IF YOU USE XFree86. If you use XFree86
17406 ++ and you still want to protect your kernel against modification,
17407 ++ use the RBAC system.
17408 ++
17409 ++config GRKERNSEC_PROC_MEMMAP
17410 ++ bool "Remove addresses from /proc/<pid>/[smaps|maps|stat]"
17411 ++ depends on PAX_NOEXEC || PAX_ASLR
17412 ++ help
17413 ++ If you say Y here, the /proc/<pid>/maps and /proc/<pid>/stat files will
17414 ++ give no information about the addresses of its mappings if
17415 ++ PaX features that rely on random addresses are enabled on the task.
17416 ++ If you use PaX it is greatly recommended that you say Y here as it
17417 ++ closes up a hole that makes the full ASLR useless for suid
17418 ++ binaries.
17419 ++
17420 ++config GRKERNSEC_BRUTE
17421 ++ bool "Deter exploit bruteforcing"
17422 ++ help
17423 ++ If you say Y here, attempts to bruteforce exploits against forking
17424 ++ daemons such as apache or sshd will be deterred. When a child of a
17425 ++ forking daemon is killed by PaX or crashes due to an illegal
17426 ++ instruction, the parent process will be delayed 30 seconds upon every
17427 ++ subsequent fork until the administrator is able to assess the
17428 ++ situation and restart the daemon. It is recommended that you also
17429 ++ enable signal logging in the auditing section so that logs are
17430 ++ generated when a process performs an illegal instruction.
17431 ++
17432 ++config GRKERNSEC_MODSTOP
17433 ++ bool "Runtime module disabling"
17434 ++ depends on MODULES
17435 ++ help
17436 ++ If you say Y here, you will be able to disable the ability to (un)load
17437 ++ modules at runtime. This feature is useful if you need the ability
17438 ++ to load kernel modules at boot time, but do not want to allow an
17439 ++ attacker to load a rootkit kernel module into the system, or to remove
17440 ++ a loaded kernel module important to system functioning. You should
17441 ++ enable the /dev/mem protection feature as well, since rootkits can be
17442 ++ inserted into the kernel via other methods than kernel modules. Since
17443 ++ an untrusted module could still be loaded by modifying init scripts and
17444 ++ rebooting the system, it is also recommended that you enable the RBAC
17445 ++ system. If you enable this option, a sysctl option with name
17446 ++ "disable_modules" will be created. Setting this option to "1" disables
17447 ++ module loading. After this option is set, no further writes to it are
17448 ++ allowed until the system is rebooted.
17449 ++
17450 ++config GRKERNSEC_HIDESYM
17451 ++ bool "Hide kernel symbols"
17452 ++ help
17453 ++ If you say Y here, getting information on loaded modules, and
17454 ++ displaying all kernel symbols through a syscall will be restricted
17455 ++ to users with CAP_SYS_MODULE. This option is only effective
17456 ++ provided the following conditions are met:
17457 ++ 1) The kernel using grsecurity is not precompiled by some distribution
17458 ++ 2) You are using the RBAC system and hiding other files such as your
17459 ++ kernel image and System.map
17460 ++ 3) You have the additional /proc restrictions enabled, which removes
17461 ++ /proc/kcore
17462 ++ If the above conditions are met, this option will aid to provide a
17463 ++ useful protection against local and remote kernel exploitation of
17464 ++ overflows and arbitrary read/write vulnerabilities.
17465 ++
17466 ++endmenu
17467 ++menu "Role Based Access Control Options"
17468 ++depends on GRKERNSEC
17469 ++
17470 ++config GRKERNSEC_ACL_HIDEKERN
17471 ++ bool "Hide kernel processes"
17472 ++ help
17473 ++ If you say Y here, all kernel threads will be hidden to all
17474 ++ processes but those whose subject has the "view hidden processes"
17475 ++ flag.
17476 ++
17477 ++config GRKERNSEC_ACL_MAXTRIES
17478 ++ int "Maximum tries before password lockout"
17479 ++ default 3
17480 ++ help
17481 ++ This option enforces the maximum number of times a user can attempt
17482 ++ to authorize themselves with the grsecurity RBAC system before being
17483 ++ denied the ability to attempt authorization again for a specified time.
17484 ++ The lower the number, the harder it will be to brute-force a password.
17485 ++
17486 ++config GRKERNSEC_ACL_TIMEOUT
17487 ++ int "Time to wait after max password tries, in seconds"
17488 ++ default 30
17489 ++ help
17490 ++ This option specifies the time the user must wait after attempting to
17491 ++ authorize to the RBAC system with the maximum number of invalid
17492 ++ passwords. The higher the number, the harder it will be to brute-force
17493 ++ a password.
17494 ++
17495 ++endmenu
17496 ++menu "Filesystem Protections"
17497 ++depends on GRKERNSEC
17498 ++
17499 ++config GRKERNSEC_PROC
17500 ++ bool "Proc restrictions"
17501 ++ help
17502 ++ If you say Y here, the permissions of the /proc filesystem
17503 ++ will be altered to enhance system security and privacy. You MUST
17504 ++ choose either a user only restriction or a user and group restriction.
17505 ++ Depending upon the option you choose, you can either restrict users to
17506 ++ see only the processes they themselves run, or choose a group that can
17507 ++ view all processes and files normally restricted to root if you choose
17508 ++ the "restrict to user only" option. NOTE: If you're running identd as
17509 ++ a non-root user, you will have to run it as the group you specify here.
17510 ++
17511 ++config GRKERNSEC_PROC_USER
17512 ++ bool "Restrict /proc to user only"
17513 ++ depends on GRKERNSEC_PROC
17514 ++ help
17515 ++ If you say Y here, non-root users will only be able to view their own
17516 ++ processes, and restricts them from viewing network-related information,
17517 ++ and viewing kernel symbol and module information.
17518 ++
17519 ++config GRKERNSEC_PROC_USERGROUP
17520 ++ bool "Allow special group"
17521 ++ depends on GRKERNSEC_PROC && !GRKERNSEC_PROC_USER
17522 ++ help
17523 ++ If you say Y here, you will be able to select a group that will be
17524 ++ able to view all processes, network-related information, and
17525 ++ kernel and symbol information. This option is useful if you want
17526 ++ to run identd as a non-root user.
17527 ++
17528 ++config GRKERNSEC_PROC_GID
17529 ++ int "GID for special group"
17530 ++ depends on GRKERNSEC_PROC_USERGROUP
17531 ++ default 1001
17532 ++
17533 ++config GRKERNSEC_PROC_ADD
17534 ++ bool "Additional restrictions"
17535 ++ depends on GRKERNSEC_PROC_USER || GRKERNSEC_PROC_USERGROUP
17536 ++ help
17537 ++ If you say Y here, additional restrictions will be placed on
17538 ++ /proc that keep normal users from viewing device information and
17539 ++ slabinfo information that could be useful for exploits.
17540 ++
17541 ++config GRKERNSEC_LINK
17542 ++ bool "Linking restrictions"
17543 ++ help
17544 ++ If you say Y here, /tmp race exploits will be prevented, since users
17545 ++ will no longer be able to follow symlinks owned by other users in
17546 ++ world-writable +t directories (i.e. /tmp), unless the owner of the
17547 ++ symlink is the owner of the directory. users will also not be
17548 ++ able to hardlink to files they do not own. If the sysctl option is
17549 ++ enabled, a sysctl option with name "linking_restrictions" is created.
17550 ++
17551 ++config GRKERNSEC_FIFO
17552 ++ bool "FIFO restrictions"
17553 ++ help
17554 ++ If you say Y here, users will not be able to write to FIFOs they don't
17555 ++ own in world-writable +t directories (i.e. /tmp), unless the owner of
17556 ++ the FIFO is the same owner of the directory it's held in. If the sysctl
17557 ++ option is enabled, a sysctl option with name "fifo_restrictions" is
17558 ++ created.
17559 ++
17560 ++config GRKERNSEC_CHROOT
17561 ++ bool "Chroot jail restrictions"
17562 ++ help
17563 ++ If you say Y here, you will be able to choose several options that will
17564 ++ make breaking out of a chrooted jail much more difficult. If you
17565 ++ encounter no software incompatibilities with the following options, it
17566 ++ is recommended that you enable each one.
17567 ++
17568 ++config GRKERNSEC_CHROOT_MOUNT
17569 ++ bool "Deny mounts"
17570 ++ depends on GRKERNSEC_CHROOT
17571 ++ help
17572 ++ If you say Y here, processes inside a chroot will not be able to
17573 ++ mount or remount filesystems. If the sysctl option is enabled, a
17574 ++ sysctl option with name "chroot_deny_mount" is created.
17575 ++
17576 ++config GRKERNSEC_CHROOT_DOUBLE
17577 ++ bool "Deny double-chroots"
17578 ++ depends on GRKERNSEC_CHROOT
17579 ++ help
17580 ++ If you say Y here, processes inside a chroot will not be able to chroot
17581 ++ again outside the chroot. This is a widely used method of breaking
17582 ++ out of a chroot jail and should not be allowed. If the sysctl
17583 ++ option is enabled, a sysctl option with name
17584 ++ "chroot_deny_chroot" is created.
17585 ++
17586 ++config GRKERNSEC_CHROOT_PIVOT
17587 ++ bool "Deny pivot_root in chroot"
17588 ++ depends on GRKERNSEC_CHROOT
17589 ++ help
17590 ++ If you say Y here, processes inside a chroot will not be able to use
17591 ++ a function called pivot_root() that was introduced in Linux 2.3.41. It
17592 ++ works similar to chroot in that it changes the root filesystem. This
17593 ++ function could be misused in a chrooted process to attempt to break out
17594 ++ of the chroot, and therefore should not be allowed. If the sysctl
17595 ++ option is enabled, a sysctl option with name "chroot_deny_pivot" is
17596 ++ created.
17597 ++
17598 ++config GRKERNSEC_CHROOT_CHDIR
17599 ++ bool "Enforce chdir(\"/\") on all chroots"
17600 ++ depends on GRKERNSEC_CHROOT
17601 ++ help
17602 ++ If you say Y here, the current working directory of all newly-chrooted
17603 ++ applications will be set to the the root directory of the chroot.
17604 ++ The man page on chroot(2) states:
17605 ++ Note that this call does not change the current working
17606 ++ directory, so that `.' can be outside the tree rooted at
17607 ++ `/'. In particular, the super-user can escape from a
17608 ++ `chroot jail' by doing `mkdir foo; chroot foo; cd ..'.
17609 ++
17610 ++ It is recommended that you say Y here, since it's not known to break
17611 ++ any software. If the sysctl option is enabled, a sysctl option with
17612 ++ name "chroot_enforce_chdir" is created.
17613 ++
17614 ++config GRKERNSEC_CHROOT_CHMOD
17615 ++ bool "Deny (f)chmod +s"
17616 ++ depends on GRKERNSEC_CHROOT
17617 ++ help
17618 ++ If you say Y here, processes inside a chroot will not be able to chmod
17619 ++ or fchmod files to make them have suid or sgid bits. This protects
17620 ++ against another published method of breaking a chroot. If the sysctl
17621 ++ option is enabled, a sysctl option with name "chroot_deny_chmod" is
17622 ++ created.
17623 ++
17624 ++config GRKERNSEC_CHROOT_FCHDIR
17625 ++ bool "Deny fchdir out of chroot"
17626 ++ depends on GRKERNSEC_CHROOT
17627 ++ help
17628 ++ If you say Y here, a well-known method of breaking chroots by fchdir'ing
17629 ++ to a file descriptor of the chrooting process that points to a directory
17630 ++ outside the filesystem will be stopped. If the sysctl option
17631 ++ is enabled, a sysctl option with name "chroot_deny_fchdir" is created.
17632 ++
17633 ++config GRKERNSEC_CHROOT_MKNOD
17634 ++ bool "Deny mknod"
17635 ++ depends on GRKERNSEC_CHROOT
17636 ++ help
17637 ++ If you say Y here, processes inside a chroot will not be allowed to
17638 ++ mknod. The problem with using mknod inside a chroot is that it
17639 ++ would allow an attacker to create a device entry that is the same
17640 ++ as one on the physical root of your system, which could range from
17641 ++ anything from the console device to a device for your harddrive (which
17642 ++ they could then use to wipe the drive or steal data). It is recommended
17643 ++ that you say Y here, unless you run into software incompatibilities.
17644 ++ If the sysctl option is enabled, a sysctl option with name
17645 ++ "chroot_deny_mknod" is created.
17646 ++
17647 ++config GRKERNSEC_CHROOT_SHMAT
17648 ++ bool "Deny shmat() out of chroot"
17649 ++ depends on GRKERNSEC_CHROOT
17650 ++ help
17651 ++ If you say Y here, processes inside a chroot will not be able to attach
17652 ++ to shared memory segments that were created outside of the chroot jail.
17653 ++ It is recommended that you say Y here. If the sysctl option is enabled,
17654 ++ a sysctl option with name "chroot_deny_shmat" is created.
17655 ++
17656 ++config GRKERNSEC_CHROOT_UNIX
17657 ++ bool "Deny access to abstract AF_UNIX sockets out of chroot"
17658 ++ depends on GRKERNSEC_CHROOT
17659 ++ help
17660 ++ If you say Y here, processes inside a chroot will not be able to
17661 ++ connect to abstract (meaning not belonging to a filesystem) Unix
17662 ++ domain sockets that were bound outside of a chroot. It is recommended
17663 ++ that you say Y here. If the sysctl option is enabled, a sysctl option
17664 ++ with name "chroot_deny_unix" is created.
17665 ++
17666 ++config GRKERNSEC_CHROOT_FINDTASK
17667 ++ bool "Protect outside processes"
17668 ++ depends on GRKERNSEC_CHROOT
17669 ++ help
17670 ++ If you say Y here, processes inside a chroot will not be able to
17671 ++ kill, send signals with fcntl, ptrace, capget, getpgid, getsid,
17672 ++ or view any process outside of the chroot. If the sysctl
17673 ++ option is enabled, a sysctl option with name "chroot_findtask" is
17674 ++ created.
17675 ++
17676 ++config GRKERNSEC_CHROOT_NICE
17677 ++ bool "Restrict priority changes"
17678 ++ depends on GRKERNSEC_CHROOT
17679 ++ help
17680 ++ If you say Y here, processes inside a chroot will not be able to raise
17681 ++ the priority of processes in the chroot, or alter the priority of
17682 ++ processes outside the chroot. This provides more security than simply
17683 ++ removing CAP_SYS_NICE from the process' capability set. If the
17684 ++ sysctl option is enabled, a sysctl option with name "chroot_restrict_nice"
17685 ++ is created.
17686 ++
17687 ++config GRKERNSEC_CHROOT_SYSCTL
17688 ++ bool "Deny sysctl writes"
17689 ++ depends on GRKERNSEC_CHROOT
17690 ++ help
17691 ++ If you say Y here, an attacker in a chroot will not be able to
17692 ++ write to sysctl entries, either by sysctl(2) or through a /proc
17693 ++ interface. It is strongly recommended that you say Y here. If the
17694 ++ sysctl option is enabled, a sysctl option with name
17695 ++ "chroot_deny_sysctl" is created.
17696 ++
17697 ++config GRKERNSEC_CHROOT_CAPS
17698 ++ bool "Capability restrictions"
17699 ++ depends on GRKERNSEC_CHROOT
17700 ++ help
17701 ++ If you say Y here, the capabilities on all root processes within a
17702 ++ chroot jail will be lowered to stop module insertion, raw i/o,
17703 ++ system and net admin tasks, rebooting the system, modifying immutable
17704 ++ files, modifying IPC owned by another, and changing the system time.
17705 ++ This is left an option because it can break some apps. Disable this
17706 ++ if your chrooted apps are having problems performing those kinds of
17707 ++ tasks. If the sysctl option is enabled, a sysctl option with
17708 ++ name "chroot_caps" is created.
17709 ++
17710 ++endmenu
17711 ++menu "Kernel Auditing"
17712 ++depends on GRKERNSEC
17713 ++
17714 ++config GRKERNSEC_AUDIT_GROUP
17715 ++ bool "Single group for auditing"
17716 ++ help
17717 ++ If you say Y here, the exec, chdir, (un)mount, and ipc logging features
17718 ++ will only operate on a group you specify. This option is recommended
17719 ++ if you only want to watch certain users instead of having a large
17720 ++ amount of logs from the entire system. If the sysctl option is enabled,
17721 ++ a sysctl option with name "audit_group" is created.
17722 ++
17723 ++config GRKERNSEC_AUDIT_GID
17724 ++ int "GID for auditing"
17725 ++ depends on GRKERNSEC_AUDIT_GROUP
17726 ++ default 1007
17727 ++
17728 ++config GRKERNSEC_EXECLOG
17729 ++ bool "Exec logging"
17730 ++ help
17731 ++ If you say Y here, all execve() calls will be logged (since the
17732 ++ other exec*() calls are frontends to execve(), all execution
17733 ++ will be logged). Useful for shell-servers that like to keep track
17734 ++ of their users. If the sysctl option is enabled, a sysctl option with
17735 ++ name "exec_logging" is created.
17736 ++ WARNING: This option when enabled will produce a LOT of logs, especially
17737 ++ on an active system.
17738 ++
17739 ++config GRKERNSEC_RESLOG
17740 ++ bool "Resource logging"
17741 ++ help
17742 ++ If you say Y here, all attempts to overstep resource limits will
17743 ++ be logged with the resource name, the requested size, and the current
17744 ++ limit. It is highly recommended that you say Y here. If the sysctl
17745 ++ option is enabled, a sysctl option with name "resource_logging" is
17746 ++ created. If the RBAC system is enabled, the sysctl value is ignored.
17747 ++
17748 ++config GRKERNSEC_CHROOT_EXECLOG
17749 ++ bool "Log execs within chroot"
17750 ++ help
17751 ++ If you say Y here, all executions inside a chroot jail will be logged
17752 ++ to syslog. This can cause a large amount of logs if certain
17753 ++ applications (eg. djb's daemontools) are installed on the system, and
17754 ++ is therefore left as an option. If the sysctl option is enabled, a
17755 ++ sysctl option with name "chroot_execlog" is created.
17756 ++
17757 ++config GRKERNSEC_AUDIT_CHDIR
17758 ++ bool "Chdir logging"
17759 ++ help
17760 ++ If you say Y here, all chdir() calls will be logged. If the sysctl
17761 ++ option is enabled, a sysctl option with name "audit_chdir" is created.
17762 ++
17763 ++config GRKERNSEC_AUDIT_MOUNT
17764 ++ bool "(Un)Mount logging"
17765 ++ help
17766 ++ If you say Y here, all mounts and unmounts will be logged. If the
17767 ++ sysctl option is enabled, a sysctl option with name "audit_mount" is
17768 ++ created.
17769 ++
17770 ++config GRKERNSEC_AUDIT_IPC
17771 ++ bool "IPC logging"
17772 ++ help
17773 ++ If you say Y here, creation and removal of message queues, semaphores,
17774 ++ and shared memory will be logged. If the sysctl option is enabled, a
17775 ++ sysctl option with name "audit_ipc" is created.
17776 ++
17777 ++config GRKERNSEC_SIGNAL
17778 ++ bool "Signal logging"
17779 ++ help
17780 ++ If you say Y here, certain important signals will be logged, such as
17781 ++ SIGSEGV, which will as a result inform you of when a error in a program
17782 ++ occurred, which in some cases could mean a possible exploit attempt.
17783 ++ If the sysctl option is enabled, a sysctl option with name
17784 ++ "signal_logging" is created.
17785 ++
17786 ++config GRKERNSEC_FORKFAIL
17787 ++ bool "Fork failure logging"
17788 ++ help
17789 ++ If you say Y here, all failed fork() attempts will be logged.
17790 ++ This could suggest a fork bomb, or someone attempting to overstep
17791 ++ their process limit. If the sysctl option is enabled, a sysctl option
17792 ++ with name "forkfail_logging" is created.
17793 ++
17794 ++config GRKERNSEC_TIME
17795 ++ bool "Time change logging"
17796 ++ help
17797 ++ If you say Y here, any changes of the system clock will be logged.
17798 ++ If the sysctl option is enabled, a sysctl option with name
17799 ++ "timechange_logging" is created.
17800 ++
17801 ++config GRKERNSEC_PROC_IPADDR
17802 ++ bool "/proc/<pid>/ipaddr support"
17803 ++ help
17804 ++ If you say Y here, a new entry will be added to each /proc/<pid>
17805 ++ directory that contains the IP address of the person using the task.
17806 ++ The IP is carried across local TCP and AF_UNIX stream sockets.
17807 ++ This information can be useful for IDS/IPSes to perform remote response
17808 ++ to a local attack. The entry is readable by only the owner of the
17809 ++ process (and root if he has CAP_DAC_OVERRIDE, which can be removed via
17810 ++ the RBAC system), and thus does not create privacy concerns.
17811 ++
17812 ++config GRKERNSEC_AUDIT_TEXTREL
17813 ++ bool 'ELF text relocations logging (READ HELP)'
17814 ++ depends on PAX_MPROTECT
17815 ++ help
17816 ++ If you say Y here, text relocations will be logged with the filename
17817 ++ of the offending library or binary. The purpose of the feature is
17818 ++ to help Linux distribution developers get rid of libraries and
17819 ++ binaries that need text relocations which hinder the future progress
17820 ++ of PaX. Only Linux distribution developers should say Y here, and
17821 ++ never on a production machine, as this option creates an information
17822 ++ leak that could aid an attacker in defeating the randomization of
17823 ++ a single memory region. If the sysctl option is enabled, a sysctl
17824 ++ option with name "audit_textrel" is created.
17825 ++
17826 ++endmenu
17827 ++
17828 ++menu "Executable Protections"
17829 ++depends on GRKERNSEC
17830 ++
17831 ++config GRKERNSEC_EXECVE
17832 ++ bool "Enforce RLIMIT_NPROC on execs"
17833 ++ help
17834 ++ If you say Y here, users with a resource limit on processes will
17835 ++ have the value checked during execve() calls. The current system
17836 ++ only checks the system limit during fork() calls. If the sysctl option
17837 ++ is enabled, a sysctl option with name "execve_limiting" is created.
17838 ++
17839 ++config GRKERNSEC_SHM
17840 ++ bool "Destroy unused shared memory"
17841 ++ depends on SYSVIPC
17842 ++ help
17843 ++ If you say Y here, shared memory will be destroyed when no one is
17844 ++ attached to it. Otherwise, resources involved with the shared
17845 ++ memory can be used up and not be associated with any process (as the
17846 ++ shared memory still exists, and the creating process has exited). If
17847 ++ the sysctl option is enabled, a sysctl option with name
17848 ++ "destroy_unused_shm" is created.
17849 ++
17850 ++config GRKERNSEC_DMESG
17851 ++ bool "Dmesg(8) restriction"
17852 ++ help
17853 ++ If you say Y here, non-root users will not be able to use dmesg(8)
17854 ++ to view up to the last 4kb of messages in the kernel's log buffer.
17855 ++ If the sysctl option is enabled, a sysctl option with name "dmesg" is
17856 ++ created.
17857 ++
17858 ++config GRKERNSEC_TPE
17859 ++ bool "Trusted Path Execution (TPE)"
17860 ++ help
17861 ++ If you say Y here, you will be able to choose a gid to add to the
17862 ++ supplementary groups of users you want to mark as "untrusted."
17863 ++ These users will not be able to execute any files that are not in
17864 ++ root-owned directories writable only by root. If the sysctl option
17865 ++ is enabled, a sysctl option with name "tpe" is created.
17866 ++
17867 ++config GRKERNSEC_TPE_ALL
17868 ++ bool "Partially restrict non-root users"
17869 ++ depends on GRKERNSEC_TPE
17870 ++ help
17871 ++ If you say Y here, All non-root users other than the ones in the
17872 ++ group specified in the main TPE option will only be allowed to
17873 ++ execute files in directories they own that are not group or
17874 ++ world-writable, or in directories owned by root and writable only by
17875 ++ root. If the sysctl option is enabled, a sysctl option with name
17876 ++ "tpe_restrict_all" is created.
17877 ++
17878 ++config GRKERNSEC_TPE_INVERT
17879 ++ bool "Invert GID option"
17880 ++ depends on GRKERNSEC_TPE
17881 ++ help
17882 ++ If you say Y here, the group you specify in the TPE configuration will
17883 ++ decide what group TPE restrictions will be *disabled* for. This
17884 ++ option is useful if you want TPE restrictions to be applied to most
17885 ++ users on the system.
17886 ++
17887 ++config GRKERNSEC_TPE_GID
17888 ++ int "GID for untrusted users"
17889 ++ depends on GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT
17890 ++ default 1005
17891 ++ help
17892 ++ If you have selected the "Invert GID option" above, setting this
17893 ++ GID determines what group TPE restrictions will be *disabled* for.
17894 ++ If you have not selected the "Invert GID option" above, setting this
17895 ++ GID determines what group TPE restrictions will be *enabled* for.
17896 ++ If the sysctl option is enabled, a sysctl option with name "tpe_gid"
17897 ++ is created.
17898 ++
17899 ++config GRKERNSEC_TPE_GID
17900 ++ int "GID for trusted users"
17901 ++ depends on GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT
17902 ++ default 1005
17903 ++ help
17904 ++ If you have selected the "Invert GID option" above, setting this
17905 ++ GID determines what group TPE restrictions will be *disabled* for.
17906 ++ If you have not selected the "Invert GID option" above, setting this
17907 ++ GID determines what group TPE restrictions will be *enabled* for.
17908 ++ If the sysctl option is enabled, a sysctl option with name "tpe_gid"
17909 ++ is created.
17910 ++
17911 ++endmenu
17912 ++menu "Network Protections"
17913 ++depends on GRKERNSEC
17914 ++
17915 ++config GRKERNSEC_RANDNET
17916 ++ bool "Larger entropy pools"
17917 ++ help
17918 ++ If you say Y here, the entropy pools used for many features of Linux
17919 ++ and grsecurity will be doubled in size. Since several grsecurity
17920 ++ features use additional randomness, it is recommended that you say Y
17921 ++ here. Saying Y here has a similar effect as modifying
17922 ++ /proc/sys/kernel/random/poolsize.
17923 ++
17924 ++config GRKERNSEC_SOCKET
17925 ++ bool "Socket restrictions"
17926 ++ help
17927 ++ If you say Y here, you will be able to choose from several options.
17928 ++ If you assign a GID on your system and add it to the supplementary
17929 ++ groups of users you want to restrict socket access to, this patch
17930 ++ will perform up to three things, based on the option(s) you choose.
17931 ++
17932 ++config GRKERNSEC_SOCKET_ALL
17933 ++ bool "Deny any sockets to group"
17934 ++ depends on GRKERNSEC_SOCKET
17935 ++ help
17936 ++ If you say Y here, you will be able to choose a GID of whose users will
17937 ++ be unable to connect to other hosts from your machine or run server
17938 ++ applications from your machine. If the sysctl option is enabled, a
17939 ++ sysctl option with name "socket_all" is created.
17940 ++
17941 ++config GRKERNSEC_SOCKET_ALL_GID
17942 ++ int "GID to deny all sockets for"
17943 ++ depends on GRKERNSEC_SOCKET_ALL
17944 ++ default 1004
17945 ++ help
17946 ++ Here you can choose the GID to disable socket access for. Remember to
17947 ++ add the users you want socket access disabled for to the GID
17948 ++ specified here. If the sysctl option is enabled, a sysctl option
17949 ++ with name "socket_all_gid" is created.
17950 ++
17951 ++config GRKERNSEC_SOCKET_CLIENT
17952 ++ bool "Deny client sockets to group"
17953 ++ depends on GRKERNSEC_SOCKET
17954 ++ help
17955 ++ If you say Y here, you will be able to choose a GID of whose users will
17956 ++ be unable to connect to other hosts from your machine, but will be
17957 ++ able to run servers. If this option is enabled, all users in the group
17958 ++ you specify will have to use passive mode when initiating ftp transfers
17959 ++ from the shell on your machine. If the sysctl option is enabled, a
17960 ++ sysctl option with name "socket_client" is created.
17961 ++
17962 ++config GRKERNSEC_SOCKET_CLIENT_GID
17963 ++ int "GID to deny client sockets for"
17964 ++ depends on GRKERNSEC_SOCKET_CLIENT
17965 ++ default 1003
17966 ++ help
17967 ++ Here you can choose the GID to disable client socket access for.
17968 ++ Remember to add the users you want client socket access disabled for to
17969 ++ the GID specified here. If the sysctl option is enabled, a sysctl
17970 ++ option with name "socket_client_gid" is created.
17971 ++
17972 ++config GRKERNSEC_SOCKET_SERVER
17973 ++ bool "Deny server sockets to group"
17974 ++ depends on GRKERNSEC_SOCKET
17975 ++ help
17976 ++ If you say Y here, you will be able to choose a GID of whose users will
17977 ++ be unable to run server applications from your machine. If the sysctl
17978 ++ option is enabled, a sysctl option with name "socket_server" is created.
17979 ++
17980 ++config GRKERNSEC_SOCKET_SERVER_GID
17981 ++ int "GID to deny server sockets for"
17982 ++ depends on GRKERNSEC_SOCKET_SERVER
17983 ++ default 1002
17984 ++ help
17985 ++ Here you can choose the GID to disable server socket access for.
17986 ++ Remember to add the users you want server socket access disabled for to
17987 ++ the GID specified here. If the sysctl option is enabled, a sysctl
17988 ++ option with name "socket_server_gid" is created.
17989 ++
17990 ++endmenu
17991 ++menu "Sysctl support"
17992 ++depends on GRKERNSEC && SYSCTL
17993 ++
17994 ++config GRKERNSEC_SYSCTL
17995 ++ bool "Sysctl support"
17996 ++ help
17997 ++ If you say Y here, you will be able to change the options that
17998 ++ grsecurity runs with at bootup, without having to recompile your
17999 ++ kernel. You can echo values to files in /proc/sys/kernel/grsecurity
18000 ++ to enable (1) or disable (0) various features. All the sysctl entries
18001 ++ are mutable until the "grsec_lock" entry is set to a non-zero value.
18002 ++ All features enabled in the kernel configuration are disabled at boot
18003 ++ if you do not say Y to the "Turn on features by default" option.
18004 ++ All options should be set at startup, and the grsec_lock entry should
18005 ++ be set to a non-zero value after all the options are set.
18006 ++ *THIS IS EXTREMELY IMPORTANT*
18007 ++
18008 ++config GRKERNSEC_SYSCTL_ON
18009 ++ bool "Turn on features by default"
18010 ++ depends on GRKERNSEC_SYSCTL
18011 ++ help
18012 ++ If you say Y here, instead of having all features enabled in the
18013 ++ kernel configuration disabled at boot time, the features will be
18014 ++ enabled at boot time. It is recommended you say Y here unless
18015 ++ there is some reason you would want all sysctl-tunable features to
18016 ++ be disabled by default. As mentioned elsewhere, it is important
18017 ++ to enable the grsec_lock entry once you have finished modifying
18018 ++ the sysctl entries.
18019 ++
18020 ++endmenu
18021 ++menu "Logging Options"
18022 ++depends on GRKERNSEC
18023 ++
18024 ++config GRKERNSEC_FLOODTIME
18025 ++ int "Seconds in between log messages (minimum)"
18026 ++ default 10
18027 ++ help
18028 ++ This option allows you to enforce the number of seconds between
18029 ++ grsecurity log messages. The default should be suitable for most
18030 ++ people, however, if you choose to change it, choose a value small enough
18031 ++ to allow informative logs to be produced, but large enough to
18032 ++ prevent flooding.
18033 ++
18034 ++config GRKERNSEC_FLOODBURST
18035 ++ int "Number of messages in a burst (maximum)"
18036 ++ default 4
18037 ++ help
18038 ++ This option allows you to choose the maximum number of messages allowed
18039 ++ within the flood time interval you chose in a separate option. The
18040 ++ default should be suitable for most people, however if you find that
18041 ++ many of your logs are being interpreted as flooding, you may want to
18042 ++ raise this value.
18043 ++
18044 ++endmenu
18045 ++
18046 ++endmenu
18047 +diff -Nurp linux-2.6.23.15/grsecurity/Makefile linux-2.6.23.15-grsec/grsecurity/Makefile
18048 +--- linux-2.6.23.15/grsecurity/Makefile 1970-01-01 01:00:00.000000000 +0100
18049 ++++ linux-2.6.23.15-grsec/grsecurity/Makefile 2008-02-11 10:37:44.000000000 +0000
18050 +@@ -0,0 +1,20 @@
18051 ++# grsecurity's ACL system was originally written in 2001 by Michael Dalton
18052 ++# during 2001-2005 it has been completely redesigned by Brad Spengler
18053 ++# into an RBAC system
18054 ++#
18055 ++# All code in this directory and various hooks inserted throughout the kernel
18056 ++# are copyright Brad Spengler, and released under the GPL v2 or higher
18057 ++
18058 ++obj-y = grsec_chdir.o grsec_chroot.o grsec_exec.o grsec_fifo.o grsec_fork.o \
18059 ++ grsec_mount.o grsec_sig.o grsec_sock.o grsec_sysctl.o \
18060 ++ grsec_time.o grsec_tpe.o grsec_ipc.o grsec_link.o grsec_textrel.o
18061 ++
18062 ++obj-$(CONFIG_GRKERNSEC) += grsec_init.o grsum.o gracl.o gracl_ip.o gracl_segv.o \
18063 ++ gracl_cap.o gracl_alloc.o gracl_shm.o grsec_mem.o gracl_fs.o \
18064 ++ gracl_learn.o grsec_log.o
18065 ++obj-$(CONFIG_GRKERNSEC_RESLOG) += gracl_res.o
18066 ++
18067 ++ifndef CONFIG_GRKERNSEC
18068 ++obj-y += grsec_disabled.o
18069 ++endif
18070 ++
18071 +diff -Nurp linux-2.6.23.15/grsecurity/gracl.c linux-2.6.23.15-grsec/grsecurity/gracl.c
18072 +--- linux-2.6.23.15/grsecurity/gracl.c 1970-01-01 01:00:00.000000000 +0100
18073 ++++ linux-2.6.23.15-grsec/grsecurity/gracl.c 2008-02-11 10:37:44.000000000 +0000
18074 +@@ -0,0 +1,3722 @@
18075 ++#include <linux/kernel.h>
18076 ++#include <linux/module.h>
18077 ++#include <linux/sched.h>
18078 ++#include <linux/mm.h>
18079 ++#include <linux/file.h>
18080 ++#include <linux/fs.h>
18081 ++#include <linux/namei.h>
18082 ++#include <linux/mount.h>
18083 ++#include <linux/tty.h>
18084 ++#include <linux/proc_fs.h>
18085 ++#include <linux/smp_lock.h>
18086 ++#include <linux/slab.h>
18087 ++#include <linux/vmalloc.h>
18088 ++#include <linux/types.h>
18089 ++#include <linux/capability.h>
18090 ++#include <linux/sysctl.h>
18091 ++#include <linux/netdevice.h>
18092 ++#include <linux/ptrace.h>
18093 ++#include <linux/gracl.h>
18094 ++#include <linux/gralloc.h>
18095 ++#include <linux/grsecurity.h>
18096 ++#include <linux/grinternal.h>
18097 ++#include <linux/pid_namespace.h>
18098 ++#include <linux/percpu.h>
18099 ++
18100 ++#include <asm/uaccess.h>
18101 ++#include <asm/errno.h>
18102 ++#include <asm/mman.h>
18103 ++
18104 ++static struct acl_role_db acl_role_set;
18105 ++static struct name_db name_set;
18106 ++static struct inodev_db inodev_set;
18107 ++
18108 ++/* for keeping track of userspace pointers used for subjects, so we
18109 ++ can share references in the kernel as well
18110 ++*/
18111 ++
18112 ++static struct dentry *real_root;
18113 ++static struct vfsmount *real_root_mnt;
18114 ++
18115 ++static struct acl_subj_map_db subj_map_set;
18116 ++
18117 ++static struct acl_role_label *default_role;
18118 ++
18119 ++static u16 acl_sp_role_value;
18120 ++
18121 ++extern char *gr_shared_page[4];
18122 ++static DECLARE_MUTEX(gr_dev_sem);
18123 ++rwlock_t gr_inode_lock = RW_LOCK_UNLOCKED;
18124 ++
18125 ++struct gr_arg *gr_usermode;
18126 ++
18127 ++static unsigned int gr_status = GR_STATUS_INIT;
18128 ++
18129 ++extern int chkpw(struct gr_arg *entry, unsigned char *salt, unsigned char *sum);
18130 ++extern void gr_clear_learn_entries(void);
18131 ++
18132 ++#ifdef CONFIG_GRKERNSEC_RESLOG
18133 ++extern void gr_log_resource(const struct task_struct *task,
18134 ++ const int res, const unsigned long wanted, const int gt);
18135 ++#endif
18136 ++
18137 ++unsigned char *gr_system_salt;
18138 ++unsigned char *gr_system_sum;
18139 ++
18140 ++static struct sprole_pw **acl_special_roles = NULL;
18141 ++static __u16 num_sprole_pws = 0;
18142 ++
18143 ++static struct acl_role_label *kernel_role = NULL;
18144 ++
18145 ++static unsigned int gr_auth_attempts = 0;
18146 ++static unsigned long gr_auth_expires = 0UL;
18147 ++
18148 ++extern struct vfsmount *sock_mnt;
18149 ++extern struct vfsmount *pipe_mnt;
18150 ++extern struct vfsmount *shm_mnt;
18151 ++static struct acl_object_label *fakefs_obj;
18152 ++
18153 ++extern int gr_init_uidset(void);
18154 ++extern void gr_free_uidset(void);
18155 ++extern void gr_remove_uid(uid_t uid);
18156 ++extern int gr_find_uid(uid_t uid);
18157 ++
18158 ++__inline__ int
18159 ++gr_acl_is_enabled(void)
18160 ++{
18161 ++ return (gr_status & GR_READY);
18162 ++}
18163 ++
18164 ++char gr_roletype_to_char(void)
18165 ++{
18166 ++ switch (current->role->roletype &
18167 ++ (GR_ROLE_DEFAULT | GR_ROLE_USER | GR_ROLE_GROUP |
18168 ++ GR_ROLE_SPECIAL)) {
18169 ++ case GR_ROLE_DEFAULT:
18170 ++ return 'D';
18171 ++ case GR_ROLE_USER:
18172 ++ return 'U';
18173 ++ case GR_ROLE_GROUP:
18174 ++ return 'G';
18175 ++ case GR_ROLE_SPECIAL:
18176 ++ return 'S';
18177 ++ }
18178 ++
18179 ++ return 'X';
18180 ++}
18181 ++
18182 ++__inline__ int
18183 ++gr_acl_tpe_check(void)
18184 ++{
18185 ++ if (unlikely(!(gr_status & GR_READY)))
18186 ++ return 0;
18187 ++ if (current->role->roletype & GR_ROLE_TPE)
18188 ++ return 1;
18189 ++ else
18190 ++ return 0;
18191 ++}
18192 ++
18193 ++int
18194 ++gr_handle_rawio(const struct inode *inode)
18195 ++{
18196 ++#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
18197 ++ if (inode && S_ISBLK(inode->i_mode) &&
18198 ++ grsec_enable_chroot_caps && proc_is_chrooted(current) &&
18199 ++ !capable(CAP_SYS_RAWIO))
18200 ++ return 1;
18201 ++#endif
18202 ++ return 0;
18203 ++}
18204 ++
18205 ++static int
18206 ++gr_streq(const char *a, const char *b, const unsigned int lena, const unsigned int lenb)
18207 ++{
18208 ++ int i;
18209 ++ unsigned long *l1;
18210 ++ unsigned long *l2;
18211 ++ unsigned char *c1;
18212 ++ unsigned char *c2;
18213 ++ int num_longs;
18214 ++
18215 ++ if (likely(lena != lenb))
18216 ++ return 0;
18217 ++
18218 ++ l1 = (unsigned long *)a;
18219 ++ l2 = (unsigned long *)b;
18220 ++
18221 ++ num_longs = lena / sizeof(unsigned long);
18222 ++
18223 ++ for (i = num_longs; i--; l1++, l2++) {
18224 ++ if (unlikely(*l1 != *l2))
18225 ++ return 0;
18226 ++ }
18227 ++
18228 ++ c1 = (unsigned char *) l1;
18229 ++ c2 = (unsigned char *) l2;
18230 ++
18231 ++ i = lena - (num_longs * sizeof(unsigned long));
18232 ++
18233 ++ for (; i--; c1++, c2++) {
18234 ++ if (unlikely(*c1 != *c2))
18235 ++ return 0;
18236 ++ }
18237 ++
18238 ++ return 1;
18239 ++}
18240 ++
18241 ++static char * __our_d_path(struct dentry *dentry, struct vfsmount *vfsmnt,
18242 ++ struct dentry *root, struct vfsmount *rootmnt,
18243 ++ char *buffer, int buflen)
18244 ++{
18245 ++ char * end = buffer+buflen;
18246 ++ char * retval;
18247 ++ int namelen;
18248 ++
18249 ++ *--end = '\0';
18250 ++ buflen--;
18251 ++
18252 ++ if (buflen < 1)
18253 ++ goto Elong;
18254 ++ /* Get '/' right */
18255 ++ retval = end-1;
18256 ++ *retval = '/';
18257 ++
18258 ++ for (;;) {
18259 ++ struct dentry * parent;
18260 ++
18261 ++ if (dentry == root && vfsmnt == rootmnt)
18262 ++ break;
18263 ++ if (dentry == vfsmnt->mnt_root || IS_ROOT(dentry)) {
18264 ++ /* Global root? */
18265 ++ spin_lock(&vfsmount_lock);
18266 ++ if (vfsmnt->mnt_parent == vfsmnt) {
18267 ++ spin_unlock(&vfsmount_lock);
18268 ++ goto global_root;
18269 ++ }
18270 ++ dentry = vfsmnt->mnt_mountpoint;
18271 ++ vfsmnt = vfsmnt->mnt_parent;
18272 ++ spin_unlock(&vfsmount_lock);
18273 ++ continue;
18274 ++ }
18275 ++ parent = dentry->d_parent;
18276 ++ prefetch(parent);
18277 ++ namelen = dentry->d_name.len;
18278 ++ buflen -= namelen + 1;
18279 ++ if (buflen < 0)
18280 ++ goto Elong;
18281 ++ end -= namelen;
18282 ++ memcpy(end, dentry->d_name.name, namelen);
18283 ++ *--end = '/';
18284 ++ retval = end;
18285 ++ dentry = parent;
18286 ++ }
18287 ++
18288 ++ return retval;
18289 ++
18290 ++global_root:
18291 ++ namelen = dentry->d_name.len;
18292 ++ buflen -= namelen;
18293 ++ if (buflen < 0)
18294 ++ goto Elong;
18295 ++ retval -= namelen-1; /* hit the slash */
18296 ++ memcpy(retval, dentry->d_name.name, namelen);
18297 ++ return retval;
18298 ++Elong:
18299 ++ return ERR_PTR(-ENAMETOOLONG);
18300 ++}
18301 ++
18302 ++static char *
18303 ++gen_full_path(struct dentry *dentry, struct vfsmount *vfsmnt,
18304 ++ struct dentry *root, struct vfsmount *rootmnt, char *buf, int buflen)
18305 ++{
18306 ++ char *retval;
18307 ++
18308 ++ retval = __our_d_path(dentry, vfsmnt, root, rootmnt, buf, buflen);
18309 ++ if (unlikely(IS_ERR(retval)))
18310 ++ retval = strcpy(buf, "<path too long>");
18311 ++ else if (unlikely(retval[1] == '/' && retval[2] == '\0'))
18312 ++ retval[1] = '\0';
18313 ++
18314 ++ return retval;
18315 ++}
18316 ++
18317 ++static char *
18318 ++__d_real_path(const struct dentry *dentry, const struct vfsmount *vfsmnt,
18319 ++ char *buf, int buflen)
18320 ++{
18321 ++ char *res;
18322 ++
18323 ++ /* we can use real_root, real_root_mnt, because this is only called
18324 ++ by the RBAC system */
18325 ++ res = gen_full_path((struct dentry *)dentry, (struct vfsmount *)vfsmnt, real_root, real_root_mnt, buf, buflen);
18326 ++
18327 ++ return res;
18328 ++}
18329 ++
18330 ++static char *
18331 ++d_real_path(const struct dentry *dentry, const struct vfsmount *vfsmnt,
18332 ++ char *buf, int buflen)
18333 ++{
18334 ++ char *res;
18335 ++ struct dentry *root;
18336 ++ struct vfsmount *rootmnt;
18337 ++ struct task_struct *reaper = child_reaper(current);
18338 ++
18339 ++ /* we can't use real_root, real_root_mnt, because they belong only to the RBAC system */
18340 ++ read_lock(&reaper->fs->lock);
18341 ++ root = dget(reaper->fs->root);
18342 ++ rootmnt = mntget(reaper->fs->rootmnt);
18343 ++ read_unlock(&reaper->fs->lock);
18344 ++
18345 ++ spin_lock(&dcache_lock);
18346 ++ res = gen_full_path((struct dentry *)dentry, (struct vfsmount *)vfsmnt, root, rootmnt, buf, buflen);
18347 ++ spin_unlock(&dcache_lock);
18348 ++
18349 ++ dput(root);
18350 ++ mntput(rootmnt);
18351 ++ return res;
18352 ++}
18353 ++
18354 ++static char *
18355 ++gr_to_filename_rbac(const struct dentry *dentry, const struct vfsmount *mnt)
18356 ++{
18357 ++ char *ret;
18358 ++ spin_lock(&dcache_lock);
18359 ++ ret = __d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0],smp_processor_id()),
18360 ++ PAGE_SIZE);
18361 ++ spin_unlock(&dcache_lock);
18362 ++ return ret;
18363 ++}
18364 ++
18365 ++char *
18366 ++gr_to_filename_nolock(const struct dentry *dentry, const struct vfsmount *mnt)
18367 ++{
18368 ++ return __d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0],smp_processor_id()),
18369 ++ PAGE_SIZE);
18370 ++}
18371 ++
18372 ++char *
18373 ++gr_to_filename(const struct dentry *dentry, const struct vfsmount *mnt)
18374 ++{
18375 ++ return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0], smp_processor_id()),
18376 ++ PAGE_SIZE);
18377 ++}
18378 ++
18379 ++char *
18380 ++gr_to_filename1(const struct dentry *dentry, const struct vfsmount *mnt)
18381 ++{
18382 ++ return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[1], smp_processor_id()),
18383 ++ PAGE_SIZE);
18384 ++}
18385 ++
18386 ++char *
18387 ++gr_to_filename2(const struct dentry *dentry, const struct vfsmount *mnt)
18388 ++{
18389 ++ return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[2], smp_processor_id()),
18390 ++ PAGE_SIZE);
18391 ++}
18392 ++
18393 ++char *
18394 ++gr_to_filename3(const struct dentry *dentry, const struct vfsmount *mnt)
18395 ++{
18396 ++ return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[3], smp_processor_id()),
18397 ++ PAGE_SIZE);
18398 ++}
18399 ++
18400 ++__inline__ __u32
18401 ++to_gr_audit(const __u32 reqmode)
18402 ++{
18403 ++ /* masks off auditable permission flags, then shifts them to create
18404 ++ auditing flags, and adds the special case of append auditing if
18405 ++ we're requesting write */
18406 ++ return (((reqmode & ~GR_AUDITS) << 10) | ((reqmode & GR_WRITE) ? GR_AUDIT_APPEND : 0));
18407 ++}
18408 ++
18409 ++struct acl_subject_label *
18410 ++lookup_subject_map(const struct acl_subject_label *userp)
18411 ++{
18412 ++ unsigned int index = shash(userp, subj_map_set.s_size);
18413 ++ struct subject_map *match;
18414 ++
18415 ++ match = subj_map_set.s_hash[index];
18416 ++
18417 ++ while (match && match->user != userp)
18418 ++ match = match->next;
18419 ++
18420 ++ if (match != NULL)
18421 ++ return match->kernel;
18422 ++ else
18423 ++ return NULL;
18424 ++}
18425 ++
18426 ++static void
18427 ++insert_subj_map_entry(struct subject_map *subjmap)
18428 ++{
18429 ++ unsigned int index = shash(subjmap->user, subj_map_set.s_size);
18430 ++ struct subject_map **curr;
18431 ++
18432 ++ subjmap->prev = NULL;
18433 ++
18434 ++ curr = &subj_map_set.s_hash[index];
18435 ++ if (*curr != NULL)
18436 ++ (*curr)->prev = subjmap;
18437 ++
18438 ++ subjmap->next = *curr;
18439 ++ *curr = subjmap;
18440 ++
18441 ++ return;
18442 ++}
18443 ++
18444 ++static struct acl_role_label *
18445 ++lookup_acl_role_label(const struct task_struct *task, const uid_t uid,
18446 ++ const gid_t gid)
18447 ++{
18448 ++ unsigned int index = rhash(uid, GR_ROLE_USER, acl_role_set.r_size);
18449 ++ struct acl_role_label *match;
18450 ++ struct role_allowed_ip *ipp;
18451 ++ unsigned int x;
18452 ++
18453 ++ match = acl_role_set.r_hash[index];
18454 ++
18455 ++ while (match) {
18456 ++ if ((match->roletype & (GR_ROLE_DOMAIN | GR_ROLE_USER)) == (GR_ROLE_DOMAIN | GR_ROLE_USER)) {
18457 ++ for (x = 0; x < match->domain_child_num; x++) {
18458 ++ if (match->domain_children[x] == uid)
18459 ++ goto found;
18460 ++ }
18461 ++ } else if (match->uidgid == uid && match->roletype & GR_ROLE_USER)
18462 ++ break;
18463 ++ match = match->next;
18464 ++ }
18465 ++found:
18466 ++ if (match == NULL) {
18467 ++ try_group:
18468 ++ index = rhash(gid, GR_ROLE_GROUP, acl_role_set.r_size);
18469 ++ match = acl_role_set.r_hash[index];
18470 ++
18471 ++ while (match) {
18472 ++ if ((match->roletype & (GR_ROLE_DOMAIN | GR_ROLE_GROUP)) == (GR_ROLE_DOMAIN | GR_ROLE_GROUP)) {
18473 ++ for (x = 0; x < match->domain_child_num; x++) {
18474 ++ if (match->domain_children[x] == gid)
18475 ++ goto found2;
18476 ++ }
18477 ++ } else if (match->uidgid == gid && match->roletype & GR_ROLE_GROUP)
18478 ++ break;
18479 ++ match = match->next;
18480 ++ }
18481 ++found2:
18482 ++ if (match == NULL)
18483 ++ match = default_role;
18484 ++ if (match->allowed_ips == NULL)
18485 ++ return match;
18486 ++ else {
18487 ++ for (ipp = match->allowed_ips; ipp; ipp = ipp->next) {
18488 ++ if (likely
18489 ++ ((ntohl(task->signal->curr_ip) & ipp->netmask) ==
18490 ++ (ntohl(ipp->addr) & ipp->netmask)))
18491 ++ return match;
18492 ++ }
18493 ++ match = default_role;
18494 ++ }
18495 ++ } else if (match->allowed_ips == NULL) {
18496 ++ return match;
18497 ++ } else {
18498 ++ for (ipp = match->allowed_ips; ipp; ipp = ipp->next) {
18499 ++ if (likely
18500 ++ ((ntohl(task->signal->curr_ip) & ipp->netmask) ==
18501 ++ (ntohl(ipp->addr) & ipp->netmask)))
18502 ++ return match;
18503 ++ }
18504 ++ goto try_group;
18505 ++ }
18506 ++
18507 ++ return match;
18508 ++}
18509 ++
18510 ++struct acl_subject_label *
18511 ++lookup_acl_subj_label(const ino_t ino, const dev_t dev,
18512 ++ const struct acl_role_label *role)
18513 ++{
18514 ++ unsigned int index = fhash(ino, dev, role->subj_hash_size);
18515 ++ struct acl_subject_label *match;
18516 ++
18517 ++ match = role->subj_hash[index];
18518 ++
18519 ++ while (match && (match->inode != ino || match->device != dev ||
18520 ++ (match->mode & GR_DELETED))) {
18521 ++ match = match->next;
18522 ++ }
18523 ++
18524 ++ if (match && !(match->mode & GR_DELETED))
18525 ++ return match;
18526 ++ else
18527 ++ return NULL;
18528 ++}
18529 ++
18530 ++static struct acl_object_label *
18531 ++lookup_acl_obj_label(const ino_t ino, const dev_t dev,
18532 ++ const struct acl_subject_label *subj)
18533 ++{
18534 ++ unsigned int index = fhash(ino, dev, subj->obj_hash_size);
18535 ++ struct acl_object_label *match;
18536 ++
18537 ++ match = subj->obj_hash[index];
18538 ++
18539 ++ while (match && (match->inode != ino || match->device != dev ||
18540 ++ (match->mode & GR_DELETED))) {
18541 ++ match = match->next;
18542 ++ }
18543 ++
18544 ++ if (match && !(match->mode & GR_DELETED))
18545 ++ return match;
18546 ++ else
18547 ++ return NULL;
18548 ++}
18549 ++
18550 ++static struct acl_object_label *
18551 ++lookup_acl_obj_label_create(const ino_t ino, const dev_t dev,
18552 ++ const struct acl_subject_label *subj)
18553 ++{
18554 ++ unsigned int index = fhash(ino, dev, subj->obj_hash_size);
18555 ++ struct acl_object_label *match;
18556 ++
18557 ++ match = subj->obj_hash[index];
18558 ++
18559 ++ while (match && (match->inode != ino || match->device != dev ||
18560 ++ !(match->mode & GR_DELETED))) {
18561 ++ match = match->next;
18562 ++ }
18563 ++
18564 ++ if (match && (match->mode & GR_DELETED))
18565 ++ return match;
18566 ++
18567 ++ match = subj->obj_hash[index];
18568 ++
18569 ++ while (match && (match->inode != ino || match->device != dev ||
18570 ++ (match->mode & GR_DELETED))) {
18571 ++ match = match->next;
18572 ++ }
18573 ++
18574 ++ if (match && !(match->mode & GR_DELETED))
18575 ++ return match;
18576 ++ else
18577 ++ return NULL;
18578 ++}
18579 ++
18580 ++static struct name_entry *
18581 ++lookup_name_entry(const char *name)
18582 ++{
18583 ++ unsigned int len = strlen(name);
18584 ++ unsigned int key = full_name_hash(name, len);
18585 ++ unsigned int index = key % name_set.n_size;
18586 ++ struct name_entry *match;
18587 ++
18588 ++ match = name_set.n_hash[index];
18589 ++
18590 ++ while (match && (match->key != key || !gr_streq(match->name, name, match->len, len)))
18591 ++ match = match->next;
18592 ++
18593 ++ return match;
18594 ++}
18595 ++
18596 ++static struct name_entry *
18597 ++lookup_name_entry_create(const char *name)
18598 ++{
18599 ++ unsigned int len = strlen(name);
18600 ++ unsigned int key = full_name_hash(name, len);
18601 ++ unsigned int index = key % name_set.n_size;
18602 ++ struct name_entry *match;
18603 ++
18604 ++ match = name_set.n_hash[index];
18605 ++
18606 ++ while (match && (match->key != key || !gr_streq(match->name, name, match->len, len) ||
18607 ++ !match->deleted))
18608 ++ match = match->next;
18609 ++
18610 ++ if (match && match->deleted)
18611 ++ return match;
18612 ++
18613 ++ match = name_set.n_hash[index];
18614 ++
18615 ++ while (match && (match->key != key || !gr_streq(match->name, name, match->len, len) ||
18616 ++ match->deleted))
18617 ++ match = match->next;
18618 ++
18619 ++ if (match && !match->deleted)
18620 ++ return match;
18621 ++ else
18622 ++ return NULL;
18623 ++}
18624 ++
18625 ++static struct inodev_entry *
18626 ++lookup_inodev_entry(const ino_t ino, const dev_t dev)
18627 ++{
18628 ++ unsigned int index = fhash(ino, dev, inodev_set.i_size);
18629 ++ struct inodev_entry *match;
18630 ++
18631 ++ match = inodev_set.i_hash[index];
18632 ++
18633 ++ while (match && (match->nentry->inode != ino || match->nentry->device != dev))
18634 ++ match = match->next;
18635 ++
18636 ++ return match;
18637 ++}
18638 ++
18639 ++static void
18640 ++insert_inodev_entry(struct inodev_entry *entry)
18641 ++{
18642 ++ unsigned int index = fhash(entry->nentry->inode, entry->nentry->device,
18643 ++ inodev_set.i_size);
18644 ++ struct inodev_entry **curr;
18645 ++
18646 ++ entry->prev = NULL;
18647 ++
18648 ++ curr = &inodev_set.i_hash[index];
18649 ++ if (*curr != NULL)
18650 ++ (*curr)->prev = entry;
18651 ++
18652 ++ entry->next = *curr;
18653 ++ *curr = entry;
18654 ++
18655 ++ return;
18656 ++}
18657 ++
18658 ++static void
18659 ++__insert_acl_role_label(struct acl_role_label *role, uid_t uidgid)
18660 ++{
18661 ++ unsigned int index =
18662 ++ rhash(uidgid, role->roletype & (GR_ROLE_USER | GR_ROLE_GROUP), acl_role_set.r_size);
18663 ++ struct acl_role_label **curr;
18664 ++
18665 ++ role->prev = NULL;
18666 ++
18667 ++ curr = &acl_role_set.r_hash[index];
18668 ++ if (*curr != NULL)
18669 ++ (*curr)->prev = role;
18670 ++
18671 ++ role->next = *curr;
18672 ++ *curr = role;
18673 ++
18674 ++ return;
18675 ++}
18676 ++
18677 ++static void
18678 ++insert_acl_role_label(struct acl_role_label *role)
18679 ++{
18680 ++ int i;
18681 ++
18682 ++ if (role->roletype & GR_ROLE_DOMAIN) {
18683 ++ for (i = 0; i < role->domain_child_num; i++)
18684 ++ __insert_acl_role_label(role, role->domain_children[i]);
18685 ++ } else
18686 ++ __insert_acl_role_label(role, role->uidgid);
18687 ++}
18688 ++
18689 ++static int
18690 ++insert_name_entry(char *name, const ino_t inode, const dev_t device, __u8 deleted)
18691 ++{
18692 ++ struct name_entry **curr, *nentry;
18693 ++ struct inodev_entry *ientry;
18694 ++ unsigned int len = strlen(name);
18695 ++ unsigned int key = full_name_hash(name, len);
18696 ++ unsigned int index = key % name_set.n_size;
18697 ++
18698 ++ curr = &name_set.n_hash[index];
18699 ++
18700 ++ while (*curr && ((*curr)->key != key || !gr_streq((*curr)->name, name, (*curr)->len, len)))
18701 ++ curr = &((*curr)->next);
18702 ++
18703 ++ if (*curr != NULL)
18704 ++ return 1;
18705 ++
18706 ++ nentry = acl_alloc(sizeof (struct name_entry));
18707 ++ if (nentry == NULL)
18708 ++ return 0;
18709 ++ ientry = acl_alloc(sizeof (struct inodev_entry));
18710 ++ if (ientry == NULL)
18711 ++ return 0;
18712 ++ ientry->nentry = nentry;
18713 ++
18714 ++ nentry->key = key;
18715 ++ nentry->name = name;
18716 ++ nentry->inode = inode;
18717 ++ nentry->device = device;
18718 ++ nentry->len = len;
18719 ++ nentry->deleted = deleted;
18720 ++
18721 ++ nentry->prev = NULL;
18722 ++ curr = &name_set.n_hash[index];
18723 ++ if (*curr != NULL)
18724 ++ (*curr)->prev = nentry;
18725 ++ nentry->next = *curr;
18726 ++ *curr = nentry;
18727 ++
18728 ++ /* insert us into the table searchable by inode/dev */
18729 ++ insert_inodev_entry(ientry);
18730 ++
18731 ++ return 1;
18732 ++}
18733 ++
18734 ++static void
18735 ++insert_acl_obj_label(struct acl_object_label *obj,
18736 ++ struct acl_subject_label *subj)
18737 ++{
18738 ++ unsigned int index =
18739 ++ fhash(obj->inode, obj->device, subj->obj_hash_size);
18740 ++ struct acl_object_label **curr;
18741 ++
18742 ++
18743 ++ obj->prev = NULL;
18744 ++
18745 ++ curr = &subj->obj_hash[index];
18746 ++ if (*curr != NULL)
18747 ++ (*curr)->prev = obj;
18748 ++
18749 ++ obj->next = *curr;
18750 ++ *curr = obj;
18751 ++
18752 ++ return;
18753 ++}
18754 ++
18755 ++static void
18756 ++insert_acl_subj_label(struct acl_subject_label *obj,
18757 ++ struct acl_role_label *role)
18758 ++{
18759 ++ unsigned int index = fhash(obj->inode, obj->device, role->subj_hash_size);
18760 ++ struct acl_subject_label **curr;
18761 ++
18762 ++ obj->prev = NULL;
18763 ++
18764 ++ curr = &role->subj_hash[index];
18765 ++ if (*curr != NULL)
18766 ++ (*curr)->prev = obj;
18767 ++
18768 ++ obj->next = *curr;
18769 ++ *curr = obj;
18770 ++
18771 ++ return;
18772 ++}
18773 ++
18774 ++/* allocating chained hash tables, so optimal size is where lambda ~ 1 */
18775 ++
18776 ++static void *
18777 ++create_table(__u32 * len, int elementsize)
18778 ++{
18779 ++ unsigned int table_sizes[] = {
18780 ++ 7, 13, 31, 61, 127, 251, 509, 1021, 2039, 4093, 8191, 16381,
18781 ++ 32749, 65521, 131071, 262139, 524287, 1048573, 2097143,
18782 ++ 4194301, 8388593, 16777213, 33554393, 67108859, 134217689,
18783 ++ 268435399, 536870909, 1073741789, 2147483647
18784 ++ };
18785 ++ void *newtable = NULL;
18786 ++ unsigned int pwr = 0;
18787 ++
18788 ++ while ((pwr < ((sizeof (table_sizes) / sizeof (table_sizes[0])) - 1)) &&
18789 ++ table_sizes[pwr] <= *len)
18790 ++ pwr++;
18791 ++
18792 ++ if (table_sizes[pwr] <= *len)
18793 ++ return newtable;
18794 ++
18795 ++ if ((table_sizes[pwr] * elementsize) <= PAGE_SIZE)
18796 ++ newtable =
18797 ++ kmalloc(table_sizes[pwr] * elementsize, GFP_KERNEL);
18798 ++ else
18799 ++ newtable = vmalloc(table_sizes[pwr] * elementsize);
18800 ++
18801 ++ *len = table_sizes[pwr];
18802 ++
18803 ++ return newtable;
18804 ++}
18805 ++
18806 ++static int
18807 ++init_variables(const struct gr_arg *arg)
18808 ++{
18809 ++ struct task_struct *reaper = child_reaper(current);
18810 ++ unsigned int stacksize;
18811 ++
18812 ++ subj_map_set.s_size = arg->role_db.num_subjects;
18813 ++ acl_role_set.r_size = arg->role_db.num_roles + arg->role_db.num_domain_children;
18814 ++ name_set.n_size = arg->role_db.num_objects;
18815 ++ inodev_set.i_size = arg->role_db.num_objects;
18816 ++
18817 ++ if (!subj_map_set.s_size || !acl_role_set.r_size ||
18818 ++ !name_set.n_size || !inodev_set.i_size)
18819 ++ return 1;
18820 ++
18821 ++ if (!gr_init_uidset())
18822 ++ return 1;
18823 ++
18824 ++ /* set up the stack that holds allocation info */
18825 ++
18826 ++ stacksize = arg->role_db.num_pointers + 5;
18827 ++
18828 ++ if (!acl_alloc_stack_init(stacksize))
18829 ++ return 1;
18830 ++
18831 ++ /* grab reference for the real root dentry and vfsmount */
18832 ++ read_lock(&reaper->fs->lock);
18833 ++ real_root_mnt = mntget(reaper->fs->rootmnt);
18834 ++ real_root = dget(reaper->fs->root);
18835 ++ read_unlock(&reaper->fs->lock);
18836 ++
18837 ++ fakefs_obj = acl_alloc(sizeof(struct acl_object_label));
18838 ++ if (fakefs_obj == NULL)
18839 ++ return 1;
18840 ++ fakefs_obj->mode = GR_FIND | GR_READ | GR_WRITE | GR_EXEC;
18841 ++
18842 ++ subj_map_set.s_hash =
18843 ++ (struct subject_map **) create_table(&subj_map_set.s_size, sizeof(void *));
18844 ++ acl_role_set.r_hash =
18845 ++ (struct acl_role_label **) create_table(&acl_role_set.r_size, sizeof(void *));
18846 ++ name_set.n_hash = (struct name_entry **) create_table(&name_set.n_size, sizeof(void *));
18847 ++ inodev_set.i_hash =
18848 ++ (struct inodev_entry **) create_table(&inodev_set.i_size, sizeof(void *));
18849 ++
18850 ++ if (!subj_map_set.s_hash || !acl_role_set.r_hash ||
18851 ++ !name_set.n_hash || !inodev_set.i_hash)
18852 ++ return 1;
18853 ++
18854 ++ memset(subj_map_set.s_hash, 0,
18855 ++ sizeof(struct subject_map *) * subj_map_set.s_size);
18856 ++ memset(acl_role_set.r_hash, 0,
18857 ++ sizeof (struct acl_role_label *) * acl_role_set.r_size);
18858 ++ memset(name_set.n_hash, 0,
18859 ++ sizeof (struct name_entry *) * name_set.n_size);
18860 ++ memset(inodev_set.i_hash, 0,
18861 ++ sizeof (struct inodev_entry *) * inodev_set.i_size);
18862 ++
18863 ++ return 0;
18864 ++}
18865 ++
18866 ++/* free information not needed after startup
18867 ++ currently contains user->kernel pointer mappings for subjects
18868 ++*/
18869 ++
18870 ++static void
18871 ++free_init_variables(void)
18872 ++{
18873 ++ __u32 i;
18874 ++
18875 ++ if (subj_map_set.s_hash) {
18876 ++ for (i = 0; i < subj_map_set.s_size; i++) {
18877 ++ if (subj_map_set.s_hash[i]) {
18878 ++ kfree(subj_map_set.s_hash[i]);
18879 ++ subj_map_set.s_hash[i] = NULL;
18880 ++ }
18881 ++ }
18882 ++
18883 ++ if ((subj_map_set.s_size * sizeof (struct subject_map *)) <=
18884 ++ PAGE_SIZE)
18885 ++ kfree(subj_map_set.s_hash);
18886 ++ else
18887 ++ vfree(subj_map_set.s_hash);
18888 ++ }
18889 ++
18890 ++ return;
18891 ++}
18892 ++
18893 ++static void
18894 ++free_variables(void)
18895 ++{
18896 ++ struct acl_subject_label *s;
18897 ++ struct acl_role_label *r;
18898 ++ struct task_struct *task, *task2;
18899 ++ unsigned int i, x;
18900 ++
18901 ++ gr_clear_learn_entries();
18902 ++
18903 ++ read_lock(&tasklist_lock);
18904 ++ do_each_thread(task2, task) {
18905 ++ task->acl_sp_role = 0;
18906 ++ task->acl_role_id = 0;
18907 ++ task->acl = NULL;
18908 ++ task->role = NULL;
18909 ++ } while_each_thread(task2, task);
18910 ++ read_unlock(&tasklist_lock);
18911 ++
18912 ++ /* release the reference to the real root dentry and vfsmount */
18913 ++ if (real_root)
18914 ++ dput(real_root);
18915 ++ real_root = NULL;
18916 ++ if (real_root_mnt)
18917 ++ mntput(real_root_mnt);
18918 ++ real_root_mnt = NULL;
18919 ++
18920 ++ /* free all object hash tables */
18921 ++
18922 ++ FOR_EACH_ROLE_START(r, i)
18923 ++ if (r->subj_hash == NULL)
18924 ++ break;
18925 ++ FOR_EACH_SUBJECT_START(r, s, x)
18926 ++ if (s->obj_hash == NULL)
18927 ++ break;
18928 ++ if ((s->obj_hash_size * sizeof (struct acl_object_label *)) <= PAGE_SIZE)
18929 ++ kfree(s->obj_hash);
18930 ++ else
18931 ++ vfree(s->obj_hash);
18932 ++ FOR_EACH_SUBJECT_END(s, x)
18933 ++ FOR_EACH_NESTED_SUBJECT_START(r, s)
18934 ++ if (s->obj_hash == NULL)
18935 ++ break;
18936 ++ if ((s->obj_hash_size * sizeof (struct acl_object_label *)) <= PAGE_SIZE)
18937 ++ kfree(s->obj_hash);
18938 ++ else
18939 ++ vfree(s->obj_hash);
18940 ++ FOR_EACH_NESTED_SUBJECT_END(s)
18941 ++ if ((r->subj_hash_size * sizeof (struct acl_subject_label *)) <= PAGE_SIZE)
18942 ++ kfree(r->subj_hash);
18943 ++ else
18944 ++ vfree(r->subj_hash);
18945 ++ r->subj_hash = NULL;
18946 ++ FOR_EACH_ROLE_END(r,i)
18947 ++
18948 ++ acl_free_all();
18949 ++
18950 ++ if (acl_role_set.r_hash) {
18951 ++ if ((acl_role_set.r_size * sizeof (struct acl_role_label *)) <=
18952 ++ PAGE_SIZE)
18953 ++ kfree(acl_role_set.r_hash);
18954 ++ else
18955 ++ vfree(acl_role_set.r_hash);
18956 ++ }
18957 ++ if (name_set.n_hash) {
18958 ++ if ((name_set.n_size * sizeof (struct name_entry *)) <=
18959 ++ PAGE_SIZE)
18960 ++ kfree(name_set.n_hash);
18961 ++ else
18962 ++ vfree(name_set.n_hash);
18963 ++ }
18964 ++
18965 ++ if (inodev_set.i_hash) {
18966 ++ if ((inodev_set.i_size * sizeof (struct inodev_entry *)) <=
18967 ++ PAGE_SIZE)
18968 ++ kfree(inodev_set.i_hash);
18969 ++ else
18970 ++ vfree(inodev_set.i_hash);
18971 ++ }
18972 ++
18973 ++ gr_free_uidset();
18974 ++
18975 ++ memset(&name_set, 0, sizeof (struct name_db));
18976 ++ memset(&inodev_set, 0, sizeof (struct inodev_db));
18977 ++ memset(&acl_role_set, 0, sizeof (struct acl_role_db));
18978 ++ memset(&subj_map_set, 0, sizeof (struct acl_subj_map_db));
18979 ++
18980 ++ default_role = NULL;
18981 ++
18982 ++ return;
18983 ++}
18984 ++
18985 ++static __u32
18986 ++count_user_objs(struct acl_object_label *userp)
18987 ++{
18988 ++ struct acl_object_label o_tmp;
18989 ++ __u32 num = 0;
18990 ++
18991 ++ while (userp) {
18992 ++ if (copy_from_user(&o_tmp, userp,
18993 ++ sizeof (struct acl_object_label)))
18994 ++ break;
18995 ++
18996 ++ userp = o_tmp.prev;
18997 ++ num++;
18998 ++ }
18999 ++
19000 ++ return num;
19001 ++}
19002 ++
19003 ++static struct acl_subject_label *
19004 ++do_copy_user_subj(struct acl_subject_label *userp, struct acl_role_label *role);
19005 ++
19006 ++static int
19007 ++copy_user_glob(struct acl_object_label *obj)
19008 ++{
19009 ++ struct acl_object_label *g_tmp, **guser;
19010 ++ unsigned int len;
19011 ++ char *tmp;
19012 ++
19013 ++ if (obj->globbed == NULL)
19014 ++ return 0;
19015 ++
19016 ++ guser = &obj->globbed;
19017 ++ while (*guser) {
19018 ++ g_tmp = (struct acl_object_label *)
19019 ++ acl_alloc(sizeof (struct acl_object_label));
19020 ++ if (g_tmp == NULL)
19021 ++ return -ENOMEM;
19022 ++
19023 ++ if (copy_from_user(g_tmp, *guser,
19024 ++ sizeof (struct acl_object_label)))
19025 ++ return -EFAULT;
19026 ++
19027 ++ len = strnlen_user(g_tmp->filename, PATH_MAX);
19028 ++
19029 ++ if (!len || len >= PATH_MAX)
19030 ++ return -EINVAL;
19031 ++
19032 ++ if ((tmp = (char *) acl_alloc(len)) == NULL)
19033 ++ return -ENOMEM;
19034 ++
19035 ++ if (copy_from_user(tmp, g_tmp->filename, len))
19036 ++ return -EFAULT;
19037 ++
19038 ++ g_tmp->filename = tmp;
19039 ++
19040 ++ *guser = g_tmp;
19041 ++ guser = &(g_tmp->next);
19042 ++ }
19043 ++
19044 ++ return 0;
19045 ++}
19046 ++
19047 ++static int
19048 ++copy_user_objs(struct acl_object_label *userp, struct acl_subject_label *subj,
19049 ++ struct acl_role_label *role)
19050 ++{
19051 ++ struct acl_object_label *o_tmp;
19052 ++ unsigned int len;
19053 ++ int ret;
19054 ++ char *tmp;
19055 ++
19056 ++ while (userp) {
19057 ++ if ((o_tmp = (struct acl_object_label *)
19058 ++ acl_alloc(sizeof (struct acl_object_label))) == NULL)
19059 ++ return -ENOMEM;
19060 ++
19061 ++ if (copy_from_user(o_tmp, userp,
19062 ++ sizeof (struct acl_object_label)))
19063 ++ return -EFAULT;
19064 ++
19065 ++ userp = o_tmp->prev;
19066 ++
19067 ++ len = strnlen_user(o_tmp->filename, PATH_MAX);
19068 ++
19069 ++ if (!len || len >= PATH_MAX)
19070 ++ return -EINVAL;
19071 ++
19072 ++ if ((tmp = (char *) acl_alloc(len)) == NULL)
19073 ++ return -ENOMEM;
19074 ++
19075 ++ if (copy_from_user(tmp, o_tmp->filename, len))
19076 ++ return -EFAULT;
19077 ++
19078 ++ o_tmp->filename = tmp;
19079 ++
19080 ++ insert_acl_obj_label(o_tmp, subj);
19081 ++ if (!insert_name_entry(o_tmp->filename, o_tmp->inode,
19082 ++ o_tmp->device, (o_tmp->mode & GR_DELETED) ? 1 : 0))
19083 ++ return -ENOMEM;
19084 ++
19085 ++ ret = copy_user_glob(o_tmp);
19086 ++ if (ret)
19087 ++ return ret;
19088 ++
19089 ++ if (o_tmp->nested) {
19090 ++ o_tmp->nested = do_copy_user_subj(o_tmp->nested, role);
19091 ++ if (IS_ERR(o_tmp->nested))
19092 ++ return PTR_ERR(o_tmp->nested);
19093 ++
19094 ++ /* insert into nested subject list */
19095 ++ o_tmp->nested->next = role->hash->first;
19096 ++ role->hash->first = o_tmp->nested;
19097 ++ }
19098 ++ }
19099 ++
19100 ++ return 0;
19101 ++}
19102 ++
19103 ++static __u32
19104 ++count_user_subjs(struct acl_subject_label *userp)
19105 ++{
19106 ++ struct acl_subject_label s_tmp;
19107 ++ __u32 num = 0;
19108 ++
19109 ++ while (userp) {
19110 ++ if (copy_from_user(&s_tmp, userp,
19111 ++ sizeof (struct acl_subject_label)))
19112 ++ break;
19113 ++
19114 ++ userp = s_tmp.prev;
19115 ++ /* do not count nested subjects against this count, since
19116 ++ they are not included in the hash table, but are
19117 ++ attached to objects. We have already counted
19118 ++ the subjects in userspace for the allocation
19119 ++ stack
19120 ++ */
19121 ++ if (!(s_tmp.mode & GR_NESTED))
19122 ++ num++;
19123 ++ }
19124 ++
19125 ++ return num;
19126 ++}
19127 ++
19128 ++static int
19129 ++copy_user_allowedips(struct acl_role_label *rolep)
19130 ++{
19131 ++ struct role_allowed_ip *ruserip, *rtmp = NULL, *rlast;
19132 ++
19133 ++ ruserip = rolep->allowed_ips;
19134 ++
19135 ++ while (ruserip) {
19136 ++ rlast = rtmp;
19137 ++
19138 ++ if ((rtmp = (struct role_allowed_ip *)
19139 ++ acl_alloc(sizeof (struct role_allowed_ip))) == NULL)
19140 ++ return -ENOMEM;
19141 ++
19142 ++ if (copy_from_user(rtmp, ruserip,
19143 ++ sizeof (struct role_allowed_ip)))
19144 ++ return -EFAULT;
19145 ++
19146 ++ ruserip = rtmp->prev;
19147 ++
19148 ++ if (!rlast) {
19149 ++ rtmp->prev = NULL;
19150 ++ rolep->allowed_ips = rtmp;
19151 ++ } else {
19152 ++ rlast->next = rtmp;
19153 ++ rtmp->prev = rlast;
19154 ++ }
19155 ++
19156 ++ if (!ruserip)
19157 ++ rtmp->next = NULL;
19158 ++ }
19159 ++
19160 ++ return 0;
19161 ++}
19162 ++
19163 ++static int
19164 ++copy_user_transitions(struct acl_role_label *rolep)
19165 ++{
19166 ++ struct role_transition *rusertp, *rtmp = NULL, *rlast;
19167 ++
19168 ++ unsigned int len;
19169 ++ char *tmp;
19170 ++
19171 ++ rusertp = rolep->transitions;
19172 ++
19173 ++ while (rusertp) {
19174 ++ rlast = rtmp;
19175 ++
19176 ++ if ((rtmp = (struct role_transition *)
19177 ++ acl_alloc(sizeof (struct role_transition))) == NULL)
19178 ++ return -ENOMEM;
19179 ++
19180 ++ if (copy_from_user(rtmp, rusertp,
19181 ++ sizeof (struct role_transition)))
19182 ++ return -EFAULT;
19183 ++
19184 ++ rusertp = rtmp->prev;
19185 ++
19186 ++ len = strnlen_user(rtmp->rolename, GR_SPROLE_LEN);
19187 ++
19188 ++ if (!len || len >= GR_SPROLE_LEN)
19189 ++ return -EINVAL;
19190 ++
19191 ++ if ((tmp = (char *) acl_alloc(len)) == NULL)
19192 ++ return -ENOMEM;
19193 ++
19194 ++ if (copy_from_user(tmp, rtmp->rolename, len))
19195 ++ return -EFAULT;
19196 ++
19197 ++ rtmp->rolename = tmp;
19198 ++
19199 ++ if (!rlast) {
19200 ++ rtmp->prev = NULL;
19201 ++ rolep->transitions = rtmp;
19202 ++ } else {
19203 ++ rlast->next = rtmp;
19204 ++ rtmp->prev = rlast;
19205 ++ }
19206 ++
19207 ++ if (!rusertp)
19208 ++ rtmp->next = NULL;
19209 ++ }
19210 ++
19211 ++ return 0;
19212 ++}
19213 ++
19214 ++static struct acl_subject_label *
19215 ++do_copy_user_subj(struct acl_subject_label *userp, struct acl_role_label *role)
19216 ++{
19217 ++ struct acl_subject_label *s_tmp = NULL, *s_tmp2;
19218 ++ unsigned int len;
19219 ++ char *tmp;
19220 ++ __u32 num_objs;
19221 ++ struct acl_ip_label **i_tmp, *i_utmp2;
19222 ++ struct gr_hash_struct ghash;
19223 ++ struct subject_map *subjmap;
19224 ++ unsigned int i_num;
19225 ++ int err;
19226 ++
19227 ++ s_tmp = lookup_subject_map(userp);
19228 ++
19229 ++ /* we've already copied this subject into the kernel, just return
19230 ++ the reference to it, and don't copy it over again
19231 ++ */
19232 ++ if (s_tmp)
19233 ++ return(s_tmp);
19234 ++
19235 ++ if ((s_tmp = (struct acl_subject_label *)
19236 ++ acl_alloc(sizeof (struct acl_subject_label))) == NULL)
19237 ++ return ERR_PTR(-ENOMEM);
19238 ++
19239 ++ subjmap = (struct subject_map *)kmalloc(sizeof (struct subject_map), GFP_KERNEL);
19240 ++ if (subjmap == NULL)
19241 ++ return ERR_PTR(-ENOMEM);
19242 ++
19243 ++ subjmap->user = userp;
19244 ++ subjmap->kernel = s_tmp;
19245 ++ insert_subj_map_entry(subjmap);
19246 ++
19247 ++ if (copy_from_user(s_tmp, userp,
19248 ++ sizeof (struct acl_subject_label)))
19249 ++ return ERR_PTR(-EFAULT);
19250 ++
19251 ++ len = strnlen_user(s_tmp->filename, PATH_MAX);
19252 ++
19253 ++ if (!len || len >= PATH_MAX)
19254 ++ return ERR_PTR(-EINVAL);
19255 ++
19256 ++ if ((tmp = (char *) acl_alloc(len)) == NULL)
19257 ++ return ERR_PTR(-ENOMEM);
19258 ++
19259 ++ if (copy_from_user(tmp, s_tmp->filename, len))
19260 ++ return ERR_PTR(-EFAULT);
19261 ++
19262 ++ s_tmp->filename = tmp;
19263 ++
19264 ++ if (!strcmp(s_tmp->filename, "/"))
19265 ++ role->root_label = s_tmp;
19266 ++
19267 ++ if (copy_from_user(&ghash, s_tmp->hash, sizeof(struct gr_hash_struct)))
19268 ++ return ERR_PTR(-EFAULT);
19269 ++
19270 ++ /* copy user and group transition tables */
19271 ++
19272 ++ if (s_tmp->user_trans_num) {
19273 ++ uid_t *uidlist;
19274 ++
19275 ++ uidlist = (uid_t *)acl_alloc(s_tmp->user_trans_num * sizeof(uid_t));
19276 ++ if (uidlist == NULL)
19277 ++ return ERR_PTR(-ENOMEM);
19278 ++ if (copy_from_user(uidlist, s_tmp->user_transitions, s_tmp->user_trans_num * sizeof(uid_t)))
19279 ++ return ERR_PTR(-EFAULT);
19280 ++
19281 ++ s_tmp->user_transitions = uidlist;
19282 ++ }
19283 ++
19284 ++ if (s_tmp->group_trans_num) {
19285 ++ gid_t *gidlist;
19286 ++
19287 ++ gidlist = (gid_t *)acl_alloc(s_tmp->group_trans_num * sizeof(gid_t));
19288 ++ if (gidlist == NULL)
19289 ++ return ERR_PTR(-ENOMEM);
19290 ++ if (copy_from_user(gidlist, s_tmp->group_transitions, s_tmp->group_trans_num * sizeof(gid_t)))
19291 ++ return ERR_PTR(-EFAULT);
19292 ++
19293 ++ s_tmp->group_transitions = gidlist;
19294 ++ }
19295 ++
19296 ++ /* set up object hash table */
19297 ++ num_objs = count_user_objs(ghash.first);
19298 ++
19299 ++ s_tmp->obj_hash_size = num_objs;
19300 ++ s_tmp->obj_hash =
19301 ++ (struct acl_object_label **)
19302 ++ create_table(&(s_tmp->obj_hash_size), sizeof(void *));
19303 ++
19304 ++ if (!s_tmp->obj_hash)
19305 ++ return ERR_PTR(-ENOMEM);
19306 ++
19307 ++ memset(s_tmp->obj_hash, 0,
19308 ++ s_tmp->obj_hash_size *
19309 ++ sizeof (struct acl_object_label *));
19310 ++
19311 ++ /* add in objects */
19312 ++ err = copy_user_objs(ghash.first, s_tmp, role);
19313 ++
19314 ++ if (err)
19315 ++ return ERR_PTR(err);
19316 ++
19317 ++ /* set pointer for parent subject */
19318 ++ if (s_tmp->parent_subject) {
19319 ++ s_tmp2 = do_copy_user_subj(s_tmp->parent_subject, role);
19320 ++
19321 ++ if (IS_ERR(s_tmp2))
19322 ++ return s_tmp2;
19323 ++
19324 ++ s_tmp->parent_subject = s_tmp2;
19325 ++ }
19326 ++
19327 ++ /* add in ip acls */
19328 ++
19329 ++ if (!s_tmp->ip_num) {
19330 ++ s_tmp->ips = NULL;
19331 ++ goto insert;
19332 ++ }
19333 ++
19334 ++ i_tmp =
19335 ++ (struct acl_ip_label **) acl_alloc(s_tmp->ip_num *
19336 ++ sizeof (struct
19337 ++ acl_ip_label *));
19338 ++
19339 ++ if (!i_tmp)
19340 ++ return ERR_PTR(-ENOMEM);
19341 ++
19342 ++ for (i_num = 0; i_num < s_tmp->ip_num; i_num++) {
19343 ++ *(i_tmp + i_num) =
19344 ++ (struct acl_ip_label *)
19345 ++ acl_alloc(sizeof (struct acl_ip_label));
19346 ++ if (!*(i_tmp + i_num))
19347 ++ return ERR_PTR(-ENOMEM);
19348 ++
19349 ++ if (copy_from_user
19350 ++ (&i_utmp2, s_tmp->ips + i_num,
19351 ++ sizeof (struct acl_ip_label *)))
19352 ++ return ERR_PTR(-EFAULT);
19353 ++
19354 ++ if (copy_from_user
19355 ++ (*(i_tmp + i_num), i_utmp2,
19356 ++ sizeof (struct acl_ip_label)))
19357 ++ return ERR_PTR(-EFAULT);
19358 ++
19359 ++ if ((*(i_tmp + i_num))->iface == NULL)
19360 ++ continue;
19361 ++
19362 ++ len = strnlen_user((*(i_tmp + i_num))->iface, IFNAMSIZ);
19363 ++ if (!len || len >= IFNAMSIZ)
19364 ++ return ERR_PTR(-EINVAL);
19365 ++ tmp = acl_alloc(len);
19366 ++ if (tmp == NULL)
19367 ++ return ERR_PTR(-ENOMEM);
19368 ++ if (copy_from_user(tmp, (*(i_tmp + i_num))->iface, len))
19369 ++ return ERR_PTR(-EFAULT);
19370 ++ (*(i_tmp + i_num))->iface = tmp;
19371 ++ }
19372 ++
19373 ++ s_tmp->ips = i_tmp;
19374 ++
19375 ++insert:
19376 ++ if (!insert_name_entry(s_tmp->filename, s_tmp->inode,
19377 ++ s_tmp->device, (s_tmp->mode & GR_DELETED) ? 1 : 0))
19378 ++ return ERR_PTR(-ENOMEM);
19379 ++
19380 ++ return s_tmp;
19381 ++}
19382 ++
19383 ++static int
19384 ++copy_user_subjs(struct acl_subject_label *userp, struct acl_role_label *role)
19385 ++{
19386 ++ struct acl_subject_label s_pre;
19387 ++ struct acl_subject_label * ret;
19388 ++ int err;
19389 ++
19390 ++ while (userp) {
19391 ++ if (copy_from_user(&s_pre, userp,
19392 ++ sizeof (struct acl_subject_label)))
19393 ++ return -EFAULT;
19394 ++
19395 ++ /* do not add nested subjects here, add
19396 ++ while parsing objects
19397 ++ */
19398 ++
19399 ++ if (s_pre.mode & GR_NESTED) {
19400 ++ userp = s_pre.prev;
19401 ++ continue;
19402 ++ }
19403 ++
19404 ++ ret = do_copy_user_subj(userp, role);
19405 ++
19406 ++ err = PTR_ERR(ret);
19407 ++ if (IS_ERR(ret))
19408 ++ return err;
19409 ++
19410 ++ insert_acl_subj_label(ret, role);
19411 ++
19412 ++ userp = s_pre.prev;
19413 ++ }
19414 ++
19415 ++ return 0;
19416 ++}
19417 ++
19418 ++static int
19419 ++copy_user_acl(struct gr_arg *arg)
19420 ++{
19421 ++ struct acl_role_label *r_tmp = NULL, **r_utmp, *r_utmp2;
19422 ++ struct sprole_pw *sptmp;
19423 ++ struct gr_hash_struct *ghash;
19424 ++ uid_t *domainlist;
19425 ++ unsigned int r_num;
19426 ++ unsigned int len;
19427 ++ char *tmp;
19428 ++ int err = 0;
19429 ++ __u16 i;
19430 ++ __u32 num_subjs;
19431 ++
19432 ++ /* we need a default and kernel role */
19433 ++ if (arg->role_db.num_roles < 2)
19434 ++ return -EINVAL;
19435 ++
19436 ++ /* copy special role authentication info from userspace */
19437 ++
19438 ++ num_sprole_pws = arg->num_sprole_pws;
19439 ++ acl_special_roles = (struct sprole_pw **) acl_alloc(num_sprole_pws * sizeof(struct sprole_pw *));
19440 ++
19441 ++ if (!acl_special_roles) {
19442 ++ err = -ENOMEM;
19443 ++ goto cleanup;
19444 ++ }
19445 ++
19446 ++ for (i = 0; i < num_sprole_pws; i++) {
19447 ++ sptmp = (struct sprole_pw *) acl_alloc(sizeof(struct sprole_pw));
19448 ++ if (!sptmp) {
19449 ++ err = -ENOMEM;
19450 ++ goto cleanup;
19451 ++ }
19452 ++ if (copy_from_user(sptmp, arg->sprole_pws + i,
19453 ++ sizeof (struct sprole_pw))) {
19454 ++ err = -EFAULT;
19455 ++ goto cleanup;
19456 ++ }
19457 ++
19458 ++ len =
19459 ++ strnlen_user(sptmp->rolename, GR_SPROLE_LEN);
19460 ++
19461 ++ if (!len || len >= GR_SPROLE_LEN) {
19462 ++ err = -EINVAL;
19463 ++ goto cleanup;
19464 ++ }
19465 ++
19466 ++ if ((tmp = (char *) acl_alloc(len)) == NULL) {
19467 ++ err = -ENOMEM;
19468 ++ goto cleanup;
19469 ++ }
19470 ++
19471 ++ if (copy_from_user(tmp, sptmp->rolename, len)) {
19472 ++ err = -EFAULT;
19473 ++ goto cleanup;
19474 ++ }
19475 ++
19476 ++#ifdef CONFIG_GRKERNSEC_ACL_DEBUG
19477 ++ printk(KERN_ALERT "Copying special role %s\n", tmp);
19478 ++#endif
19479 ++ sptmp->rolename = tmp;
19480 ++ acl_special_roles[i] = sptmp;
19481 ++ }
19482 ++
19483 ++ r_utmp = (struct acl_role_label **) arg->role_db.r_table;
19484 ++
19485 ++ for (r_num = 0; r_num < arg->role_db.num_roles; r_num++) {
19486 ++ r_tmp = acl_alloc(sizeof (struct acl_role_label));
19487 ++
19488 ++ if (!r_tmp) {
19489 ++ err = -ENOMEM;
19490 ++ goto cleanup;
19491 ++ }
19492 ++
19493 ++ if (copy_from_user(&r_utmp2, r_utmp + r_num,
19494 ++ sizeof (struct acl_role_label *))) {
19495 ++ err = -EFAULT;
19496 ++ goto cleanup;
19497 ++ }
19498 ++
19499 ++ if (copy_from_user(r_tmp, r_utmp2,
19500 ++ sizeof (struct acl_role_label))) {
19501 ++ err = -EFAULT;
19502 ++ goto cleanup;
19503 ++ }
19504 ++
19505 ++ len = strnlen_user(r_tmp->rolename, GR_SPROLE_LEN);
19506 ++
19507 ++ if (!len || len >= PATH_MAX) {
19508 ++ err = -EINVAL;
19509 ++ goto cleanup;
19510 ++ }
19511 ++
19512 ++ if ((tmp = (char *) acl_alloc(len)) == NULL) {
19513 ++ err = -ENOMEM;
19514 ++ goto cleanup;
19515 ++ }
19516 ++ if (copy_from_user(tmp, r_tmp->rolename, len)) {
19517 ++ err = -EFAULT;
19518 ++ goto cleanup;
19519 ++ }
19520 ++ r_tmp->rolename = tmp;
19521 ++
19522 ++ if (!strcmp(r_tmp->rolename, "default")
19523 ++ && (r_tmp->roletype & GR_ROLE_DEFAULT)) {
19524 ++ default_role = r_tmp;
19525 ++ } else if (!strcmp(r_tmp->rolename, ":::kernel:::")) {
19526 ++ kernel_role = r_tmp;
19527 ++ }
19528 ++
19529 ++ if ((ghash = (struct gr_hash_struct *) acl_alloc(sizeof(struct gr_hash_struct))) == NULL) {
19530 ++ err = -ENOMEM;
19531 ++ goto cleanup;
19532 ++ }
19533 ++ if (copy_from_user(ghash, r_tmp->hash, sizeof(struct gr_hash_struct))) {
19534 ++ err = -EFAULT;
19535 ++ goto cleanup;
19536 ++ }
19537 ++
19538 ++ r_tmp->hash = ghash;
19539 ++
19540 ++ num_subjs = count_user_subjs(r_tmp->hash->first);
19541 ++
19542 ++ r_tmp->subj_hash_size = num_subjs;
19543 ++ r_tmp->subj_hash =
19544 ++ (struct acl_subject_label **)
19545 ++ create_table(&(r_tmp->subj_hash_size), sizeof(void *));
19546 ++
19547 ++ if (!r_tmp->subj_hash) {
19548 ++ err = -ENOMEM;
19549 ++ goto cleanup;
19550 ++ }
19551 ++
19552 ++ err = copy_user_allowedips(r_tmp);
19553 ++ if (err)
19554 ++ goto cleanup;
19555 ++
19556 ++ /* copy domain info */
19557 ++ if (r_tmp->domain_children != NULL) {
19558 ++ domainlist = acl_alloc(r_tmp->domain_child_num * sizeof(uid_t));
19559 ++ if (domainlist == NULL) {
19560 ++ err = -ENOMEM;
19561 ++ goto cleanup;
19562 ++ }
19563 ++ if (copy_from_user(domainlist, r_tmp->domain_children, r_tmp->domain_child_num * sizeof(uid_t))) {
19564 ++ err = -EFAULT;
19565 ++ goto cleanup;
19566 ++ }
19567 ++ r_tmp->domain_children = domainlist;
19568 ++ }
19569 ++
19570 ++ err = copy_user_transitions(r_tmp);
19571 ++ if (err)
19572 ++ goto cleanup;
19573 ++
19574 ++ memset(r_tmp->subj_hash, 0,
19575 ++ r_tmp->subj_hash_size *
19576 ++ sizeof (struct acl_subject_label *));
19577 ++
19578 ++ err = copy_user_subjs(r_tmp->hash->first, r_tmp);
19579 ++
19580 ++ if (err)
19581 ++ goto cleanup;
19582 ++
19583 ++ /* set nested subject list to null */
19584 ++ r_tmp->hash->first = NULL;
19585 ++
19586 ++ insert_acl_role_label(r_tmp);
19587 ++ }
19588 ++
19589 ++ goto return_err;
19590 ++ cleanup:
19591 ++ free_variables();
19592 ++ return_err:
19593 ++ return err;
19594 ++
19595 ++}
19596 ++
19597 ++static int
19598 ++gracl_init(struct gr_arg *args)
19599 ++{
19600 ++ int error = 0;
19601 ++
19602 ++ memcpy(gr_system_salt, args->salt, GR_SALT_LEN);
19603 ++ memcpy(gr_system_sum, args->sum, GR_SHA_LEN);
19604 ++
19605 ++ if (init_variables(args)) {
19606 ++ gr_log_str(GR_DONT_AUDIT_GOOD, GR_INITF_ACL_MSG, GR_VERSION);
19607 ++ error = -ENOMEM;
19608 ++ free_variables();
19609 ++ goto out;
19610 ++ }
19611 ++
19612 ++ error = copy_user_acl(args);
19613 ++ free_init_variables();
19614 ++ if (error) {
19615 ++ free_variables();
19616 ++ goto out;
19617 ++ }
19618 ++
19619 ++ if ((error = gr_set_acls(0))) {
19620 ++ free_variables();
19621 ++ goto out;
19622 ++ }
19623 ++
19624 ++ gr_status |= GR_READY;
19625 ++ out:
19626 ++ return error;
19627 ++}
19628 ++
19629 ++/* derived from glibc fnmatch() 0: match, 1: no match*/
19630 ++
19631 ++static int
19632 ++glob_match(const char *p, const char *n)
19633 ++{
19634 ++ char c;
19635 ++
19636 ++ while ((c = *p++) != '\0') {
19637 ++ switch (c) {
19638 ++ case '?':
19639 ++ if (*n == '\0')
19640 ++ return 1;
19641 ++ else if (*n == '/')
19642 ++ return 1;
19643 ++ break;
19644 ++ case '\\':
19645 ++ if (*n != c)
19646 ++ return 1;
19647 ++ break;
19648 ++ case '*':
19649 ++ for (c = *p++; c == '?' || c == '*'; c = *p++) {
19650 ++ if (*n == '/')
19651 ++ return 1;
19652 ++ else if (c == '?') {
19653 ++ if (*n == '\0')
19654 ++ return 1;
19655 ++ else
19656 ++ ++n;
19657 ++ }
19658 ++ }
19659 ++ if (c == '\0') {
19660 ++ return 0;
19661 ++ } else {
19662 ++ const char *endp;
19663 ++
19664 ++ if ((endp = strchr(n, '/')) == NULL)
19665 ++ endp = n + strlen(n);
19666 ++
19667 ++ if (c == '[') {
19668 ++ for (--p; n < endp; ++n)
19669 ++ if (!glob_match(p, n))
19670 ++ return 0;
19671 ++ } else if (c == '/') {
19672 ++ while (*n != '\0' && *n != '/')
19673 ++ ++n;
19674 ++ if (*n == '/' && !glob_match(p, n + 1))
19675 ++ return 0;
19676 ++ } else {
19677 ++ for (--p; n < endp; ++n)
19678 ++ if (*n == c && !glob_match(p, n))
19679 ++ return 0;
19680 ++ }
19681 ++
19682 ++ return 1;
19683 ++ }
19684 ++ case '[':
19685 ++ {
19686 ++ int not;
19687 ++ char cold;
19688 ++
19689 ++ if (*n == '\0' || *n == '/')
19690 ++ return 1;
19691 ++
19692 ++ not = (*p == '!' || *p == '^');
19693 ++ if (not)
19694 ++ ++p;
19695 ++
19696 ++ c = *p++;
19697 ++ for (;;) {
19698 ++ unsigned char fn = (unsigned char)*n;
19699 ++
19700 ++ if (c == '\0')
19701 ++ return 1;
19702 ++ else {
19703 ++ if (c == fn)
19704 ++ goto matched;
19705 ++ cold = c;
19706 ++ c = *p++;
19707 ++
19708 ++ if (c == '-' && *p != ']') {
19709 ++ unsigned char cend = *p++;
19710 ++
19711 ++ if (cend == '\0')
19712 ++ return 1;
19713 ++
19714 ++ if (cold <= fn && fn <= cend)
19715 ++ goto matched;
19716 ++
19717 ++ c = *p++;
19718 ++ }
19719 ++ }
19720 ++
19721 ++ if (c == ']')
19722 ++ break;
19723 ++ }
19724 ++ if (!not)
19725 ++ return 1;
19726 ++ break;
19727 ++ matched:
19728 ++ while (c != ']') {
19729 ++ if (c == '\0')
19730 ++ return 1;
19731 ++
19732 ++ c = *p++;
19733 ++ }
19734 ++ if (not)
19735 ++ return 1;
19736 ++ }
19737 ++ break;
19738 ++ default:
19739 ++ if (c != *n)
19740 ++ return 1;
19741 ++ }
19742 ++
19743 ++ ++n;
19744 ++ }
19745 ++
19746 ++ if (*n == '\0')
19747 ++ return 0;
19748 ++
19749 ++ if (*n == '/')
19750 ++ return 0;
19751 ++
19752 ++ return 1;
19753 ++}
19754 ++
19755 ++static struct acl_object_label *
19756 ++chk_glob_label(struct acl_object_label *globbed,
19757 ++ struct dentry *dentry, struct vfsmount *mnt, char **path)
19758 ++{
19759 ++ struct acl_object_label *tmp;
19760 ++
19761 ++ if (*path == NULL)
19762 ++ *path = gr_to_filename_nolock(dentry, mnt);
19763 ++
19764 ++ tmp = globbed;
19765 ++
19766 ++ while (tmp) {
19767 ++ if (!glob_match(tmp->filename, *path))
19768 ++ return tmp;
19769 ++ tmp = tmp->next;
19770 ++ }
19771 ++
19772 ++ return NULL;
19773 ++}
19774 ++
19775 ++static struct acl_object_label *
19776 ++__full_lookup(const struct dentry *orig_dentry, const struct vfsmount *orig_mnt,
19777 ++ const ino_t curr_ino, const dev_t curr_dev,
19778 ++ const struct acl_subject_label *subj, char **path)
19779 ++{
19780 ++ struct acl_subject_label *tmpsubj;
19781 ++ struct acl_object_label *retval;
19782 ++ struct acl_object_label *retval2;
19783 ++
19784 ++ tmpsubj = (struct acl_subject_label *) subj;
19785 ++ read_lock(&gr_inode_lock);
19786 ++ do {
19787 ++ retval = lookup_acl_obj_label(curr_ino, curr_dev, tmpsubj);
19788 ++ if (retval) {
19789 ++ if (retval->globbed) {
19790 ++ retval2 = chk_glob_label(retval->globbed, (struct dentry *)orig_dentry,
19791 ++ (struct vfsmount *)orig_mnt, path);
19792 ++ if (retval2)
19793 ++ retval = retval2;
19794 ++ }
19795 ++ break;
19796 ++ }
19797 ++ } while ((tmpsubj = tmpsubj->parent_subject));
19798 ++ read_unlock(&gr_inode_lock);
19799 ++
19800 ++ return retval;
19801 ++}
19802 ++
19803 ++static __inline__ struct acl_object_label *
19804 ++full_lookup(const struct dentry *orig_dentry, const struct vfsmount *orig_mnt,
19805 ++ const struct dentry *curr_dentry,
19806 ++ const struct acl_subject_label *subj, char **path)
19807 ++{
19808 ++ return __full_lookup(orig_dentry, orig_mnt,
19809 ++ curr_dentry->d_inode->i_ino,
19810 ++ curr_dentry->d_inode->i_sb->s_dev, subj, path);
19811 ++}
19812 ++
19813 ++static struct acl_object_label *
19814 ++__chk_obj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
19815 ++ const struct acl_subject_label *subj, char *path)
19816 ++{
19817 ++ struct dentry *dentry = (struct dentry *) l_dentry;
19818 ++ struct vfsmount *mnt = (struct vfsmount *) l_mnt;
19819 ++ struct acl_object_label *retval;
19820 ++
19821 ++ spin_lock(&dcache_lock);
19822 ++
19823 ++ if (unlikely(mnt == shm_mnt || mnt == pipe_mnt || mnt == sock_mnt ||
19824 ++ /* ignore Eric Biederman */
19825 ++ IS_PRIVATE(l_dentry->d_inode))) {
19826 ++ retval = fakefs_obj;
19827 ++ goto out;
19828 ++ }
19829 ++
19830 ++ for (;;) {
19831 ++ if (dentry == real_root && mnt == real_root_mnt)
19832 ++ break;
19833 ++
19834 ++ if (dentry == mnt->mnt_root || IS_ROOT(dentry)) {
19835 ++ if (mnt->mnt_parent == mnt)
19836 ++ break;
19837 ++
19838 ++ retval = full_lookup(l_dentry, l_mnt, dentry, subj, &path);
19839 ++ if (retval != NULL)
19840 ++ goto out;
19841 ++
19842 ++ dentry = mnt->mnt_mountpoint;
19843 ++ mnt = mnt->mnt_parent;
19844 ++ continue;
19845 ++ }
19846 ++
19847 ++ retval = full_lookup(l_dentry, l_mnt, dentry, subj, &path);
19848 ++ if (retval != NULL)
19849 ++ goto out;
19850 ++
19851 ++ dentry = dentry->d_parent;
19852 ++ }
19853 ++
19854 ++ retval = full_lookup(l_dentry, l_mnt, dentry, subj, &path);
19855 ++
19856 ++ if (retval == NULL)
19857 ++ retval = full_lookup(l_dentry, l_mnt, real_root, subj, &path);
19858 ++out:
19859 ++ spin_unlock(&dcache_lock);
19860 ++ return retval;
19861 ++}
19862 ++
19863 ++static __inline__ struct acl_object_label *
19864 ++chk_obj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
19865 ++ const struct acl_subject_label *subj)
19866 ++{
19867 ++ char *path = NULL;
19868 ++ return __chk_obj_label(l_dentry, l_mnt, subj, path);
19869 ++}
19870 ++
19871 ++static __inline__ struct acl_object_label *
19872 ++chk_obj_create_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
19873 ++ const struct acl_subject_label *subj, char *path)
19874 ++{
19875 ++ return __chk_obj_label(l_dentry, l_mnt, subj, path);
19876 ++}
19877 ++
19878 ++static struct acl_subject_label *
19879 ++chk_subj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
19880 ++ const struct acl_role_label *role)
19881 ++{
19882 ++ struct dentry *dentry = (struct dentry *) l_dentry;
19883 ++ struct vfsmount *mnt = (struct vfsmount *) l_mnt;
19884 ++ struct acl_subject_label *retval;
19885 ++
19886 ++ spin_lock(&dcache_lock);
19887 ++
19888 ++ for (;;) {
19889 ++ if (dentry == real_root && mnt == real_root_mnt)
19890 ++ break;
19891 ++ if (dentry == mnt->mnt_root || IS_ROOT(dentry)) {
19892 ++ if (mnt->mnt_parent == mnt)
19893 ++ break;
19894 ++
19895 ++ read_lock(&gr_inode_lock);
19896 ++ retval =
19897 ++ lookup_acl_subj_label(dentry->d_inode->i_ino,
19898 ++ dentry->d_inode->i_sb->s_dev, role);
19899 ++ read_unlock(&gr_inode_lock);
19900 ++ if (retval != NULL)
19901 ++ goto out;
19902 ++
19903 ++ dentry = mnt->mnt_mountpoint;
19904 ++ mnt = mnt->mnt_parent;
19905 ++ continue;
19906 ++ }
19907 ++
19908 ++ read_lock(&gr_inode_lock);
19909 ++ retval = lookup_acl_subj_label(dentry->d_inode->i_ino,
19910 ++ dentry->d_inode->i_sb->s_dev, role);
19911 ++ read_unlock(&gr_inode_lock);
19912 ++ if (retval != NULL)
19913 ++ goto out;
19914 ++
19915 ++ dentry = dentry->d_parent;
19916 ++ }
19917 ++
19918 ++ read_lock(&gr_inode_lock);
19919 ++ retval = lookup_acl_subj_label(dentry->d_inode->i_ino,
19920 ++ dentry->d_inode->i_sb->s_dev, role);
19921 ++ read_unlock(&gr_inode_lock);
19922 ++
19923 ++ if (unlikely(retval == NULL)) {
19924 ++ read_lock(&gr_inode_lock);
19925 ++ retval = lookup_acl_subj_label(real_root->d_inode->i_ino,
19926 ++ real_root->d_inode->i_sb->s_dev, role);
19927 ++ read_unlock(&gr_inode_lock);
19928 ++ }
19929 ++out:
19930 ++ spin_unlock(&dcache_lock);
19931 ++
19932 ++ return retval;
19933 ++}
19934 ++
19935 ++static void
19936 ++gr_log_learn(const struct task_struct *task, const struct dentry *dentry, const struct vfsmount *mnt, const __u32 mode)
19937 ++{
19938 ++ security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename, task->role->roletype,
19939 ++ task->uid, task->gid, task->exec_file ? gr_to_filename1(task->exec_file->f_dentry,
19940 ++ task->exec_file->f_vfsmnt) : task->acl->filename, task->acl->filename,
19941 ++ 1, 1, gr_to_filename(dentry, mnt), (unsigned long) mode, NIPQUAD(task->signal->curr_ip));
19942 ++
19943 ++ return;
19944 ++}
19945 ++
19946 ++static void
19947 ++gr_log_learn_sysctl(const struct task_struct *task, const char *path, const __u32 mode)
19948 ++{
19949 ++ security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename, task->role->roletype,
19950 ++ task->uid, task->gid, task->exec_file ? gr_to_filename1(task->exec_file->f_dentry,
19951 ++ task->exec_file->f_vfsmnt) : task->acl->filename, task->acl->filename,
19952 ++ 1, 1, path, (unsigned long) mode, NIPQUAD(task->signal->curr_ip));
19953 ++
19954 ++ return;
19955 ++}
19956 ++
19957 ++static void
19958 ++gr_log_learn_id_change(const struct task_struct *task, const char type, const unsigned int real,
19959 ++ const unsigned int effective, const unsigned int fs)
19960 ++{
19961 ++ security_learn(GR_ID_LEARN_MSG, task->role->rolename, task->role->roletype,
19962 ++ task->uid, task->gid, task->exec_file ? gr_to_filename1(task->exec_file->f_dentry,
19963 ++ task->exec_file->f_vfsmnt) : task->acl->filename, task->acl->filename,
19964 ++ type, real, effective, fs, NIPQUAD(task->signal->curr_ip));
19965 ++
19966 ++ return;
19967 ++}
19968 ++
19969 ++__u32
19970 ++gr_check_link(const struct dentry * new_dentry,
19971 ++ const struct dentry * parent_dentry,
19972 ++ const struct vfsmount * parent_mnt,
19973 ++ const struct dentry * old_dentry, const struct vfsmount * old_mnt)
19974 ++{
19975 ++ struct acl_object_label *obj;
19976 ++ __u32 oldmode, newmode;
19977 ++ __u32 needmode;
19978 ++
19979 ++ if (unlikely(!(gr_status & GR_READY)))
19980 ++ return (GR_CREATE | GR_LINK);
19981 ++
19982 ++ obj = chk_obj_label(old_dentry, old_mnt, current->acl);
19983 ++ oldmode = obj->mode;
19984 ++
19985 ++ if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN))
19986 ++ oldmode |= (GR_CREATE | GR_LINK);
19987 ++
19988 ++ needmode = GR_CREATE | GR_AUDIT_CREATE | GR_SUPPRESS;
19989 ++ if (old_dentry->d_inode->i_mode & (S_ISUID | S_ISGID))
19990 ++ needmode |= GR_SETID | GR_AUDIT_SETID;
19991 ++
19992 ++ newmode =
19993 ++ gr_check_create(new_dentry, parent_dentry, parent_mnt,
19994 ++ oldmode | needmode);
19995 ++
19996 ++ needmode = newmode & (GR_FIND | GR_APPEND | GR_WRITE | GR_EXEC |
19997 ++ GR_SETID | GR_READ | GR_FIND | GR_DELETE |
19998 ++ GR_INHERIT | GR_AUDIT_INHERIT);
19999 ++
20000 ++ if (old_dentry->d_inode->i_mode & (S_ISUID | S_ISGID) && !(newmode & GR_SETID))
20001 ++ goto bad;
20002 ++
20003 ++ if ((oldmode & needmode) != needmode)
20004 ++ goto bad;
20005 ++
20006 ++ needmode = oldmode & (GR_NOPTRACE | GR_PTRACERD | GR_INHERIT | GR_AUDITS);
20007 ++ if ((newmode & needmode) != needmode)
20008 ++ goto bad;
20009 ++
20010 ++ if ((newmode & (GR_CREATE | GR_LINK)) == (GR_CREATE | GR_LINK))
20011 ++ return newmode;
20012 ++bad:
20013 ++ needmode = oldmode;
20014 ++ if (old_dentry->d_inode->i_mode & (S_ISUID | S_ISGID))
20015 ++ needmode |= GR_SETID;
20016 ++
20017 ++ if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN)) {
20018 ++ gr_log_learn(current, old_dentry, old_mnt, needmode);
20019 ++ return (GR_CREATE | GR_LINK);
20020 ++ } else if (newmode & GR_SUPPRESS)
20021 ++ return GR_SUPPRESS;
20022 ++ else
20023 ++ return 0;
20024 ++}
20025 ++
20026 ++__u32
20027 ++gr_search_file(const struct dentry * dentry, const __u32 mode,
20028 ++ const struct vfsmount * mnt)
20029 ++{
20030 ++ __u32 retval = mode;
20031 ++ struct acl_subject_label *curracl;
20032 ++ struct acl_object_label *currobj;
20033 ++
20034 ++ if (unlikely(!(gr_status & GR_READY)))
20035 ++ return (mode & ~GR_AUDITS);
20036 ++
20037 ++ curracl = current->acl;
20038 ++
20039 ++ currobj = chk_obj_label(dentry, mnt, curracl);
20040 ++ retval = currobj->mode & mode;
20041 ++
20042 ++ if (unlikely
20043 ++ ((curracl->mode & (GR_LEARN | GR_INHERITLEARN)) && !(mode & GR_NOPTRACE)
20044 ++ && (retval != (mode & ~(GR_AUDITS | GR_SUPPRESS))))) {
20045 ++ __u32 new_mode = mode;
20046 ++
20047 ++ new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
20048 ++
20049 ++ retval = new_mode;
20050 ++
20051 ++ if (new_mode & GR_EXEC && curracl->mode & GR_INHERITLEARN)
20052 ++ new_mode |= GR_INHERIT;
20053 ++
20054 ++ if (!(mode & GR_NOLEARN))
20055 ++ gr_log_learn(current, dentry, mnt, new_mode);
20056 ++ }
20057 ++
20058 ++ return retval;
20059 ++}
20060 ++
20061 ++__u32
20062 ++gr_check_create(const struct dentry * new_dentry, const struct dentry * parent,
20063 ++ const struct vfsmount * mnt, const __u32 mode)
20064 ++{
20065 ++ struct name_entry *match;
20066 ++ struct acl_object_label *matchpo;
20067 ++ struct acl_subject_label *curracl;
20068 ++ char *path;
20069 ++ __u32 retval;
20070 ++
20071 ++ if (unlikely(!(gr_status & GR_READY)))
20072 ++ return (mode & ~GR_AUDITS);
20073 ++
20074 ++ preempt_disable();
20075 ++ path = gr_to_filename_rbac(new_dentry, mnt);
20076 ++ match = lookup_name_entry_create(path);
20077 ++
20078 ++ if (!match)
20079 ++ goto check_parent;
20080 ++
20081 ++ curracl = current->acl;
20082 ++
20083 ++ read_lock(&gr_inode_lock);
20084 ++ matchpo = lookup_acl_obj_label_create(match->inode, match->device, curracl);
20085 ++ read_unlock(&gr_inode_lock);
20086 ++
20087 ++ if (matchpo) {
20088 ++ if ((matchpo->mode & mode) !=
20089 ++ (mode & ~(GR_AUDITS | GR_SUPPRESS))
20090 ++ && curracl->mode & (GR_LEARN | GR_INHERITLEARN)) {
20091 ++ __u32 new_mode = mode;
20092 ++
20093 ++ new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
20094 ++
20095 ++ gr_log_learn(current, new_dentry, mnt, new_mode);
20096 ++
20097 ++ preempt_enable();
20098 ++ return new_mode;
20099 ++ }
20100 ++ preempt_enable();
20101 ++ return (matchpo->mode & mode);
20102 ++ }
20103 ++
20104 ++ check_parent:
20105 ++ curracl = current->acl;
20106 ++
20107 ++ matchpo = chk_obj_create_label(parent, mnt, curracl, path);
20108 ++ retval = matchpo->mode & mode;
20109 ++
20110 ++ if ((retval != (mode & ~(GR_AUDITS | GR_SUPPRESS)))
20111 ++ && (curracl->mode & (GR_LEARN | GR_INHERITLEARN))) {
20112 ++ __u32 new_mode = mode;
20113 ++
20114 ++ new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
20115 ++
20116 ++ gr_log_learn(current, new_dentry, mnt, new_mode);
20117 ++ preempt_enable();
20118 ++ return new_mode;
20119 ++ }
20120 ++
20121 ++ preempt_enable();
20122 ++ return retval;
20123 ++}
20124 ++
20125 ++int
20126 ++gr_check_hidden_task(const struct task_struct *task)
20127 ++{
20128 ++ if (unlikely(!(gr_status & GR_READY)))
20129 ++ return 0;
20130 ++
20131 ++ if (!(task->acl->mode & GR_PROCFIND) && !(current->acl->mode & GR_VIEW))
20132 ++ return 1;
20133 ++
20134 ++ return 0;
20135 ++}
20136 ++
20137 ++int
20138 ++gr_check_protected_task(const struct task_struct *task)
20139 ++{
20140 ++ if (unlikely(!(gr_status & GR_READY) || !task))
20141 ++ return 0;
20142 ++
20143 ++ if ((task->acl->mode & GR_PROTECTED) && !(current->acl->mode & GR_KILL) &&
20144 ++ task->acl != current->acl)
20145 ++ return 1;
20146 ++
20147 ++ return 0;
20148 ++}
20149 ++
20150 ++void
20151 ++gr_copy_label(struct task_struct *tsk)
20152 ++{
20153 ++ tsk->signal->used_accept = 0;
20154 ++ tsk->acl_sp_role = 0;
20155 ++ tsk->acl_role_id = current->acl_role_id;
20156 ++ tsk->acl = current->acl;
20157 ++ tsk->role = current->role;
20158 ++ tsk->signal->curr_ip = current->signal->curr_ip;
20159 ++ if (current->exec_file)
20160 ++ get_file(current->exec_file);
20161 ++ tsk->exec_file = current->exec_file;
20162 ++ tsk->is_writable = current->is_writable;
20163 ++ if (unlikely(current->signal->used_accept))
20164 ++ current->signal->curr_ip = 0;
20165 ++
20166 ++ return;
20167 ++}
20168 ++
20169 ++static void
20170 ++gr_set_proc_res(struct task_struct *task)
20171 ++{
20172 ++ struct acl_subject_label *proc;
20173 ++ unsigned short i;
20174 ++
20175 ++ proc = task->acl;
20176 ++
20177 ++ if (proc->mode & (GR_LEARN | GR_INHERITLEARN))
20178 ++ return;
20179 ++
20180 ++ for (i = 0; i < (GR_NLIMITS - 1); i++) {
20181 ++ if (!(proc->resmask & (1 << i)))
20182 ++ continue;
20183 ++
20184 ++ task->signal->rlim[i].rlim_cur = proc->res[i].rlim_cur;
20185 ++ task->signal->rlim[i].rlim_max = proc->res[i].rlim_max;
20186 ++ }
20187 ++
20188 ++ return;
20189 ++}
20190 ++
20191 ++int
20192 ++gr_check_user_change(int real, int effective, int fs)
20193 ++{
20194 ++ unsigned int i;
20195 ++ __u16 num;
20196 ++ uid_t *uidlist;
20197 ++ int curuid;
20198 ++ int realok = 0;
20199 ++ int effectiveok = 0;
20200 ++ int fsok = 0;
20201 ++
20202 ++ if (unlikely(!(gr_status & GR_READY)))
20203 ++ return 0;
20204 ++
20205 ++ if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN))
20206 ++ gr_log_learn_id_change(current, 'u', real, effective, fs);
20207 ++
20208 ++ num = current->acl->user_trans_num;
20209 ++ uidlist = current->acl->user_transitions;
20210 ++
20211 ++ if (uidlist == NULL)
20212 ++ return 0;
20213 ++
20214 ++ if (real == -1)
20215 ++ realok = 1;
20216 ++ if (effective == -1)
20217 ++ effectiveok = 1;
20218 ++ if (fs == -1)
20219 ++ fsok = 1;
20220 ++
20221 ++ if (current->acl->user_trans_type & GR_ID_ALLOW) {
20222 ++ for (i = 0; i < num; i++) {
20223 ++ curuid = (int)uidlist[i];
20224 ++ if (real == curuid)
20225 ++ realok = 1;
20226 ++ if (effective == curuid)
20227 ++ effectiveok = 1;
20228 ++ if (fs == curuid)
20229 ++ fsok = 1;
20230 ++ }
20231 ++ } else if (current->acl->user_trans_type & GR_ID_DENY) {
20232 ++ for (i = 0; i < num; i++) {
20233 ++ curuid = (int)uidlist[i];
20234 ++ if (real == curuid)
20235 ++ break;
20236 ++ if (effective == curuid)
20237 ++ break;
20238 ++ if (fs == curuid)
20239 ++ break;
20240 ++ }
20241 ++ /* not in deny list */
20242 ++ if (i == num) {
20243 ++ realok = 1;
20244 ++ effectiveok = 1;
20245 ++ fsok = 1;
20246 ++ }
20247 ++ }
20248 ++
20249 ++ if (realok && effectiveok && fsok)
20250 ++ return 0;
20251 ++ else {
20252 ++ gr_log_int(GR_DONT_AUDIT, GR_USRCHANGE_ACL_MSG, realok ? (effectiveok ? (fsok ? 0 : fs) : effective) : real);
20253 ++ return 1;
20254 ++ }
20255 ++}
20256 ++
20257 ++int
20258 ++gr_check_group_change(int real, int effective, int fs)
20259 ++{
20260 ++ unsigned int i;
20261 ++ __u16 num;
20262 ++ gid_t *gidlist;
20263 ++ int curgid;
20264 ++ int realok = 0;
20265 ++ int effectiveok = 0;
20266 ++ int fsok = 0;
20267 ++
20268 ++ if (unlikely(!(gr_status & GR_READY)))
20269 ++ return 0;
20270 ++
20271 ++ if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN))
20272 ++ gr_log_learn_id_change(current, 'g', real, effective, fs);
20273 ++
20274 ++ num = current->acl->group_trans_num;
20275 ++ gidlist = current->acl->group_transitions;
20276 ++
20277 ++ if (gidlist == NULL)
20278 ++ return 0;
20279 ++
20280 ++ if (real == -1)
20281 ++ realok = 1;
20282 ++ if (effective == -1)
20283 ++ effectiveok = 1;
20284 ++ if (fs == -1)
20285 ++ fsok = 1;
20286 ++
20287 ++ if (current->acl->group_trans_type & GR_ID_ALLOW) {
20288 ++ for (i = 0; i < num; i++) {
20289 ++ curgid = (int)gidlist[i];
20290 ++ if (real == curgid)
20291 ++ realok = 1;
20292 ++ if (effective == curgid)
20293 ++ effectiveok = 1;
20294 ++ if (fs == curgid)
20295 ++ fsok = 1;
20296 ++ }
20297 ++ } else if (current->acl->group_trans_type & GR_ID_DENY) {
20298 ++ for (i = 0; i < num; i++) {
20299 ++ curgid = (int)gidlist[i];
20300 ++ if (real == curgid)
20301 ++ break;
20302 ++ if (effective == curgid)
20303 ++ break;
20304 ++ if (fs == curgid)
20305 ++ break;
20306 ++ }
20307 ++ /* not in deny list */
20308 ++ if (i == num) {
20309 ++ realok = 1;
20310 ++ effectiveok = 1;
20311 ++ fsok = 1;
20312 ++ }
20313 ++ }
20314 ++
20315 ++ if (realok && effectiveok && fsok)
20316 ++ return 0;
20317 ++ else {
20318 ++ gr_log_int(GR_DONT_AUDIT, GR_GRPCHANGE_ACL_MSG, realok ? (effectiveok ? (fsok ? 0 : fs) : effective) : real);
20319 ++ return 1;
20320 ++ }
20321 ++}
20322 ++
20323 ++void
20324 ++gr_set_role_label(struct task_struct *task, const uid_t uid, const uid_t gid)
20325 ++{
20326 ++ struct acl_role_label *role = task->role;
20327 ++ struct acl_subject_label *subj = NULL;
20328 ++ struct acl_object_label *obj;
20329 ++ struct file *filp;
20330 ++
20331 ++ if (unlikely(!(gr_status & GR_READY)))
20332 ++ return;
20333 ++
20334 ++ filp = task->exec_file;
20335 ++
20336 ++ /* kernel process, we'll give them the kernel role */
20337 ++ if (unlikely(!filp)) {
20338 ++ task->role = kernel_role;
20339 ++ task->acl = kernel_role->root_label;
20340 ++ return;
20341 ++ } else if (!task->role || !(task->role->roletype & GR_ROLE_SPECIAL))
20342 ++ role = lookup_acl_role_label(task, uid, gid);
20343 ++
20344 ++ /* perform subject lookup in possibly new role
20345 ++ we can use this result below in the case where role == task->role
20346 ++ */
20347 ++ subj = chk_subj_label(filp->f_dentry, filp->f_vfsmnt, role);
20348 ++
20349 ++ /* if we changed uid/gid, but result in the same role
20350 ++ and are using inheritance, don't lose the inherited subject
20351 ++ if current subject is other than what normal lookup
20352 ++ would result in, we arrived via inheritance, don't
20353 ++ lose subject
20354 ++ */
20355 ++ if (role != task->role || (!(task->acl->mode & GR_INHERITLEARN) &&
20356 ++ (subj == task->acl)))
20357 ++ task->acl = subj;
20358 ++
20359 ++ task->role = role;
20360 ++
20361 ++ task->is_writable = 0;
20362 ++
20363 ++ /* ignore additional mmap checks for processes that are writable
20364 ++ by the default ACL */
20365 ++ obj = chk_obj_label(filp->f_dentry, filp->f_vfsmnt, default_role->root_label);
20366 ++ if (unlikely(obj->mode & GR_WRITE))
20367 ++ task->is_writable = 1;
20368 ++ obj = chk_obj_label(filp->f_dentry, filp->f_vfsmnt, task->role->root_label);
20369 ++ if (unlikely(obj->mode & GR_WRITE))
20370 ++ task->is_writable = 1;
20371 ++
20372 ++#ifdef CONFIG_GRKERNSEC_ACL_DEBUG
20373 ++ printk(KERN_ALERT "Set role label for (%s:%d): role:%s, subject:%s\n", task->comm, task->pid, task->role->rolename, task->acl->filename);
20374 ++#endif
20375 ++
20376 ++ gr_set_proc_res(task);
20377 ++
20378 ++ return;
20379 ++}
20380 ++
20381 ++int
20382 ++gr_set_proc_label(const struct dentry *dentry, const struct vfsmount *mnt)
20383 ++{
20384 ++ struct task_struct *task = current;
20385 ++ struct acl_subject_label *newacl;
20386 ++ struct acl_object_label *obj;
20387 ++ __u32 retmode;
20388 ++
20389 ++ if (unlikely(!(gr_status & GR_READY)))
20390 ++ return 0;
20391 ++
20392 ++ newacl = chk_subj_label(dentry, mnt, task->role);
20393 ++
20394 ++ task_lock(task);
20395 ++ if (((task->ptrace & PT_PTRACED) && !(task->acl->mode &
20396 ++ GR_POVERRIDE) && (task->acl != newacl) &&
20397 ++ !(task->role->roletype & GR_ROLE_GOD) &&
20398 ++ !gr_search_file(dentry, GR_PTRACERD, mnt) &&
20399 ++ !(task->acl->mode & (GR_LEARN | GR_INHERITLEARN))) ||
20400 ++ (atomic_read(&task->fs->count) > 1 ||
20401 ++ atomic_read(&task->files->count) > 1 ||
20402 ++ atomic_read(&task->sighand->count) > 1)) {
20403 ++ task_unlock(task);
20404 ++ gr_log_fs_generic(GR_DONT_AUDIT, GR_PTRACE_EXEC_ACL_MSG, dentry, mnt);
20405 ++ return -EACCES;
20406 ++ }
20407 ++ task_unlock(task);
20408 ++
20409 ++ obj = chk_obj_label(dentry, mnt, task->acl);
20410 ++ retmode = obj->mode & (GR_INHERIT | GR_AUDIT_INHERIT);
20411 ++
20412 ++ if (!(task->acl->mode & GR_INHERITLEARN) &&
20413 ++ ((newacl->mode & GR_LEARN) || !(retmode & GR_INHERIT))) {
20414 ++ if (obj->nested)
20415 ++ task->acl = obj->nested;
20416 ++ else
20417 ++ task->acl = newacl;
20418 ++ } else if (retmode & GR_INHERIT && retmode & GR_AUDIT_INHERIT)
20419 ++ gr_log_str_fs(GR_DO_AUDIT, GR_INHERIT_ACL_MSG, task->acl->filename, dentry, mnt);
20420 ++
20421 ++ task->is_writable = 0;
20422 ++
20423 ++ /* ignore additional mmap checks for processes that are writable
20424 ++ by the default ACL */
20425 ++ obj = chk_obj_label(dentry, mnt, default_role->root_label);
20426 ++ if (unlikely(obj->mode & GR_WRITE))
20427 ++ task->is_writable = 1;
20428 ++ obj = chk_obj_label(dentry, mnt, task->role->root_label);
20429 ++ if (unlikely(obj->mode & GR_WRITE))
20430 ++ task->is_writable = 1;
20431 ++
20432 ++ gr_set_proc_res(task);
20433 ++
20434 ++#ifdef CONFIG_GRKERNSEC_ACL_DEBUG
20435 ++ printk(KERN_ALERT "Set subject label for (%s:%d): role:%s, subject:%s\n", task->comm, task->pid, task->role->rolename, task->acl->filename);
20436 ++#endif
20437 ++ return 0;
20438 ++}
20439 ++
20440 ++/* always called with valid inodev ptr */
20441 ++static void
20442 ++do_handle_delete(struct inodev_entry *inodev, const ino_t ino, const dev_t dev)
20443 ++{
20444 ++ struct acl_object_label *matchpo;
20445 ++ struct acl_subject_label *matchps;
20446 ++ struct acl_subject_label *subj;
20447 ++ struct acl_role_label *role;
20448 ++ unsigned int i, x;
20449 ++
20450 ++ FOR_EACH_ROLE_START(role, i)
20451 ++ FOR_EACH_SUBJECT_START(role, subj, x)
20452 ++ if ((matchpo = lookup_acl_obj_label(ino, dev, subj)) != NULL)
20453 ++ matchpo->mode |= GR_DELETED;
20454 ++ FOR_EACH_SUBJECT_END(subj,x)
20455 ++ FOR_EACH_NESTED_SUBJECT_START(role, subj)
20456 ++ if (subj->inode == ino && subj->device == dev)
20457 ++ subj->mode |= GR_DELETED;
20458 ++ FOR_EACH_NESTED_SUBJECT_END(subj)
20459 ++ if ((matchps = lookup_acl_subj_label(ino, dev, role)) != NULL)
20460 ++ matchps->mode |= GR_DELETED;
20461 ++ FOR_EACH_ROLE_END(role,i)
20462 ++
20463 ++ inodev->nentry->deleted = 1;
20464 ++
20465 ++ return;
20466 ++}
20467 ++
20468 ++void
20469 ++gr_handle_delete(const ino_t ino, const dev_t dev)
20470 ++{
20471 ++ struct inodev_entry *inodev;
20472 ++
20473 ++ if (unlikely(!(gr_status & GR_READY)))
20474 ++ return;
20475 ++
20476 ++ write_lock(&gr_inode_lock);
20477 ++ inodev = lookup_inodev_entry(ino, dev);
20478 ++ if (inodev != NULL)
20479 ++ do_handle_delete(inodev, ino, dev);
20480 ++ write_unlock(&gr_inode_lock);
20481 ++
20482 ++ return;
20483 ++}
20484 ++
20485 ++static void
20486 ++update_acl_obj_label(const ino_t oldinode, const dev_t olddevice,
20487 ++ const ino_t newinode, const dev_t newdevice,
20488 ++ struct acl_subject_label *subj)
20489 ++{
20490 ++ unsigned int index = fhash(oldinode, olddevice, subj->obj_hash_size);
20491 ++ struct acl_object_label *match;
20492 ++
20493 ++ match = subj->obj_hash[index];
20494 ++
20495 ++ while (match && (match->inode != oldinode ||
20496 ++ match->device != olddevice ||
20497 ++ !(match->mode & GR_DELETED)))
20498 ++ match = match->next;
20499 ++
20500 ++ if (match && (match->inode == oldinode)
20501 ++ && (match->device == olddevice)
20502 ++ && (match->mode & GR_DELETED)) {
20503 ++ if (match->prev == NULL) {
20504 ++ subj->obj_hash[index] = match->next;
20505 ++ if (match->next != NULL)
20506 ++ match->next->prev = NULL;
20507 ++ } else {
20508 ++ match->prev->next = match->next;
20509 ++ if (match->next != NULL)
20510 ++ match->next->prev = match->prev;
20511 ++ }
20512 ++ match->prev = NULL;
20513 ++ match->next = NULL;
20514 ++ match->inode = newinode;
20515 ++ match->device = newdevice;
20516 ++ match->mode &= ~GR_DELETED;
20517 ++
20518 ++ insert_acl_obj_label(match, subj);
20519 ++ }
20520 ++
20521 ++ return;
20522 ++}
20523 ++
20524 ++static void
20525 ++update_acl_subj_label(const ino_t oldinode, const dev_t olddevice,
20526 ++ const ino_t newinode, const dev_t newdevice,
20527 ++ struct acl_role_label *role)
20528 ++{
20529 ++ unsigned int index = fhash(oldinode, olddevice, role->subj_hash_size);
20530 ++ struct acl_subject_label *match;
20531 ++
20532 ++ match = role->subj_hash[index];
20533 ++
20534 ++ while (match && (match->inode != oldinode ||
20535 ++ match->device != olddevice ||
20536 ++ !(match->mode & GR_DELETED)))
20537 ++ match = match->next;
20538 ++
20539 ++ if (match && (match->inode == oldinode)
20540 ++ && (match->device == olddevice)
20541 ++ && (match->mode & GR_DELETED)) {
20542 ++ if (match->prev == NULL) {
20543 ++ role->subj_hash[index] = match->next;
20544 ++ if (match->next != NULL)
20545 ++ match->next->prev = NULL;
20546 ++ } else {
20547 ++ match->prev->next = match->next;
20548 ++ if (match->next != NULL)
20549 ++ match->next->prev = match->prev;
20550 ++ }
20551 ++ match->prev = NULL;
20552 ++ match->next = NULL;
20553 ++ match->inode = newinode;
20554 ++ match->device = newdevice;
20555 ++ match->mode &= ~GR_DELETED;
20556 ++
20557 ++ insert_acl_subj_label(match, role);
20558 ++ }
20559 ++
20560 ++ return;
20561 ++}
20562 ++
20563 ++static void
20564 ++update_inodev_entry(const ino_t oldinode, const dev_t olddevice,
20565 ++ const ino_t newinode, const dev_t newdevice)
20566 ++{
20567 ++ unsigned int index = fhash(oldinode, olddevice, inodev_set.i_size);
20568 ++ struct inodev_entry *match;
20569 ++
20570 ++ match = inodev_set.i_hash[index];
20571 ++
20572 ++ while (match && (match->nentry->inode != oldinode ||
20573 ++ match->nentry->device != olddevice || !match->nentry->deleted))
20574 ++ match = match->next;
20575 ++
20576 ++ if (match && (match->nentry->inode == oldinode)
20577 ++ && (match->nentry->device == olddevice) &&
20578 ++ match->nentry->deleted) {
20579 ++ if (match->prev == NULL) {
20580 ++ inodev_set.i_hash[index] = match->next;
20581 ++ if (match->next != NULL)
20582 ++ match->next->prev = NULL;
20583 ++ } else {
20584 ++ match->prev->next = match->next;
20585 ++ if (match->next != NULL)
20586 ++ match->next->prev = match->prev;
20587 ++ }
20588 ++ match->prev = NULL;
20589 ++ match->next = NULL;
20590 ++ match->nentry->inode = newinode;
20591 ++ match->nentry->device = newdevice;
20592 ++ match->nentry->deleted = 0;
20593 ++
20594 ++ insert_inodev_entry(match);
20595 ++ }
20596 ++
20597 ++ return;
20598 ++}
20599 ++
20600 ++static void
20601 ++do_handle_create(const struct name_entry *matchn, const struct dentry *dentry,
20602 ++ const struct vfsmount *mnt)
20603 ++{
20604 ++ struct acl_subject_label *subj;
20605 ++ struct acl_role_label *role;
20606 ++ unsigned int i, x;
20607 ++
20608 ++ FOR_EACH_ROLE_START(role, i)
20609 ++ update_acl_subj_label(matchn->inode, matchn->device,
20610 ++ dentry->d_inode->i_ino,
20611 ++ dentry->d_inode->i_sb->s_dev, role);
20612 ++
20613 ++ FOR_EACH_NESTED_SUBJECT_START(role, subj)
20614 ++ if ((subj->inode == dentry->d_inode->i_ino) &&
20615 ++ (subj->device == dentry->d_inode->i_sb->s_dev)) {
20616 ++ subj->inode = dentry->d_inode->i_ino;
20617 ++ subj->device = dentry->d_inode->i_sb->s_dev;
20618 ++ }
20619 ++ FOR_EACH_NESTED_SUBJECT_END(subj)
20620 ++ FOR_EACH_SUBJECT_START(role, subj, x)
20621 ++ update_acl_obj_label(matchn->inode, matchn->device,
20622 ++ dentry->d_inode->i_ino,
20623 ++ dentry->d_inode->i_sb->s_dev, subj);
20624 ++ FOR_EACH_SUBJECT_END(subj,x)
20625 ++ FOR_EACH_ROLE_END(role,i)
20626 ++
20627 ++ update_inodev_entry(matchn->inode, matchn->device,
20628 ++ dentry->d_inode->i_ino, dentry->d_inode->i_sb->s_dev);
20629 ++
20630 ++ return;
20631 ++}
20632 ++
20633 ++void
20634 ++gr_handle_create(const struct dentry *dentry, const struct vfsmount *mnt)
20635 ++{
20636 ++ struct name_entry *matchn;
20637 ++
20638 ++ if (unlikely(!(gr_status & GR_READY)))
20639 ++ return;
20640 ++
20641 ++ preempt_disable();
20642 ++ matchn = lookup_name_entry(gr_to_filename_rbac(dentry, mnt));
20643 ++
20644 ++ if (unlikely((unsigned long)matchn)) {
20645 ++ write_lock(&gr_inode_lock);
20646 ++ do_handle_create(matchn, dentry, mnt);
20647 ++ write_unlock(&gr_inode_lock);
20648 ++ }
20649 ++ preempt_enable();
20650 ++
20651 ++ return;
20652 ++}
20653 ++
20654 ++void
20655 ++gr_handle_rename(struct inode *old_dir, struct inode *new_dir,
20656 ++ struct dentry *old_dentry,
20657 ++ struct dentry *new_dentry,
20658 ++ struct vfsmount *mnt, const __u8 replace)
20659 ++{
20660 ++ struct name_entry *matchn;
20661 ++ struct inodev_entry *inodev;
20662 ++
20663 ++ /* vfs_rename swaps the name and parent link for old_dentry and
20664 ++ new_dentry
20665 ++ at this point, old_dentry has the new name, parent link, and inode
20666 ++ for the renamed file
20667 ++ if a file is being replaced by a rename, new_dentry has the inode
20668 ++ and name for the replaced file
20669 ++ */
20670 ++
20671 ++ if (unlikely(!(gr_status & GR_READY)))
20672 ++ return;
20673 ++
20674 ++ preempt_disable();
20675 ++ matchn = lookup_name_entry(gr_to_filename_rbac(old_dentry, mnt));
20676 ++
20677 ++ /* we wouldn't have to check d_inode if it weren't for
20678 ++ NFS silly-renaming
20679 ++ */
20680 ++
20681 ++ write_lock(&gr_inode_lock);
20682 ++ if (unlikely(replace && new_dentry->d_inode)) {
20683 ++ inodev = lookup_inodev_entry(new_dentry->d_inode->i_ino,
20684 ++ new_dentry->d_inode->i_sb->s_dev);
20685 ++ if (inodev != NULL && (new_dentry->d_inode->i_nlink <= 1))
20686 ++ do_handle_delete(inodev, new_dentry->d_inode->i_ino,
20687 ++ new_dentry->d_inode->i_sb->s_dev);
20688 ++ }
20689 ++
20690 ++ inodev = lookup_inodev_entry(old_dentry->d_inode->i_ino,
20691 ++ old_dentry->d_inode->i_sb->s_dev);
20692 ++ if (inodev != NULL && (old_dentry->d_inode->i_nlink <= 1))
20693 ++ do_handle_delete(inodev, old_dentry->d_inode->i_ino,
20694 ++ old_dentry->d_inode->i_sb->s_dev);
20695 ++
20696 ++ if (unlikely((unsigned long)matchn))
20697 ++ do_handle_create(matchn, old_dentry, mnt);
20698 ++
20699 ++ write_unlock(&gr_inode_lock);
20700 ++ preempt_enable();
20701 ++
20702 ++ return;
20703 ++}
20704 ++
20705 ++static int
20706 ++lookup_special_role_auth(__u16 mode, const char *rolename, unsigned char **salt,
20707 ++ unsigned char **sum)
20708 ++{
20709 ++ struct acl_role_label *r;
20710 ++ struct role_allowed_ip *ipp;
20711 ++ struct role_transition *trans;
20712 ++ unsigned int i;
20713 ++ int found = 0;
20714 ++
20715 ++ /* check transition table */
20716 ++
20717 ++ for (trans = current->role->transitions; trans; trans = trans->next) {
20718 ++ if (!strcmp(rolename, trans->rolename)) {
20719 ++ found = 1;
20720 ++ break;
20721 ++ }
20722 ++ }
20723 ++
20724 ++ if (!found)
20725 ++ return 0;
20726 ++
20727 ++ /* handle special roles that do not require authentication
20728 ++ and check ip */
20729 ++
20730 ++ FOR_EACH_ROLE_START(r, i)
20731 ++ if (!strcmp(rolename, r->rolename) &&
20732 ++ (r->roletype & GR_ROLE_SPECIAL)) {
20733 ++ found = 0;
20734 ++ if (r->allowed_ips != NULL) {
20735 ++ for (ipp = r->allowed_ips; ipp; ipp = ipp->next) {
20736 ++ if ((ntohl(current->signal->curr_ip) & ipp->netmask) ==
20737 ++ (ntohl(ipp->addr) & ipp->netmask))
20738 ++ found = 1;
20739 ++ }
20740 ++ } else
20741 ++ found = 2;
20742 ++ if (!found)
20743 ++ return 0;
20744 ++
20745 ++ if (((mode == SPROLE) && (r->roletype & GR_ROLE_NOPW)) ||
20746 ++ ((mode == SPROLEPAM) && (r->roletype & GR_ROLE_PAM))) {
20747 ++ *salt = NULL;
20748 ++ *sum = NULL;
20749 ++ return 1;
20750 ++ }
20751 ++ }
20752 ++ FOR_EACH_ROLE_END(r,i)
20753 ++
20754 ++ for (i = 0; i < num_sprole_pws; i++) {
20755 ++ if (!strcmp(rolename, acl_special_roles[i]->rolename)) {
20756 ++ *salt = acl_special_roles[i]->salt;
20757 ++ *sum = acl_special_roles[i]->sum;
20758 ++ return 1;
20759 ++ }
20760 ++ }
20761 ++
20762 ++ return 0;
20763 ++}
20764 ++
20765 ++static void
20766 ++assign_special_role(char *rolename)
20767 ++{
20768 ++ struct acl_object_label *obj;
20769 ++ struct acl_role_label *r;
20770 ++ struct acl_role_label *assigned = NULL;
20771 ++ struct task_struct *tsk;
20772 ++ struct file *filp;
20773 ++ unsigned int i;
20774 ++
20775 ++ FOR_EACH_ROLE_START(r, i)
20776 ++ if (!strcmp(rolename, r->rolename) &&
20777 ++ (r->roletype & GR_ROLE_SPECIAL))
20778 ++ assigned = r;
20779 ++ FOR_EACH_ROLE_END(r,i)
20780 ++
20781 ++ if (!assigned)
20782 ++ return;
20783 ++
20784 ++ read_lock(&tasklist_lock);
20785 ++ read_lock(&grsec_exec_file_lock);
20786 ++
20787 ++ tsk = current->parent;
20788 ++ if (tsk == NULL)
20789 ++ goto out_unlock;
20790 ++
20791 ++ filp = tsk->exec_file;
20792 ++ if (filp == NULL)
20793 ++ goto out_unlock;
20794 ++
20795 ++ tsk->is_writable = 0;
20796 ++
20797 ++ tsk->acl_sp_role = 1;
20798 ++ tsk->acl_role_id = ++acl_sp_role_value;
20799 ++ tsk->role = assigned;
20800 ++ tsk->acl = chk_subj_label(filp->f_dentry, filp->f_vfsmnt, tsk->role);
20801 ++
20802 ++ /* ignore additional mmap checks for processes that are writable
20803 ++ by the default ACL */
20804 ++ obj = chk_obj_label(filp->f_dentry, filp->f_vfsmnt, default_role->root_label);
20805 ++ if (unlikely(obj->mode & GR_WRITE))
20806 ++ tsk->is_writable = 1;
20807 ++ obj = chk_obj_label(filp->f_dentry, filp->f_vfsmnt, tsk->role->root_label);
20808 ++ if (unlikely(obj->mode & GR_WRITE))
20809 ++ tsk->is_writable = 1;
20810 ++
20811 ++#ifdef CONFIG_GRKERNSEC_ACL_DEBUG
20812 ++ printk(KERN_ALERT "Assigning special role:%s subject:%s to process (%s:%d)\n", tsk->role->rolename, tsk->acl->filename, tsk->comm, tsk->pid);
20813 ++#endif
20814 ++
20815 ++out_unlock:
20816 ++ read_unlock(&grsec_exec_file_lock);
20817 ++ read_unlock(&tasklist_lock);
20818 ++ return;
20819 ++}
20820 ++
20821 ++int gr_check_secure_terminal(struct task_struct *task)
20822 ++{
20823 ++ struct task_struct *p, *p2, *p3;
20824 ++ struct files_struct *files;
20825 ++ struct fdtable *fdt;
20826 ++ struct file *our_file = NULL, *file;
20827 ++ int i;
20828 ++
20829 ++ if (task->signal->tty == NULL)
20830 ++ return 1;
20831 ++
20832 ++ files = get_files_struct(task);
20833 ++ if (files != NULL) {
20834 ++ rcu_read_lock();
20835 ++ fdt = files_fdtable(files);
20836 ++ for (i=0; i < fdt->max_fds; i++) {
20837 ++ file = fcheck_files(files, i);
20838 ++ if (file && (our_file == NULL) && (file->private_data == task->signal->tty)) {
20839 ++ get_file(file);
20840 ++ our_file = file;
20841 ++ }
20842 ++ }
20843 ++ rcu_read_unlock();
20844 ++ put_files_struct(files);
20845 ++ }
20846 ++
20847 ++ if (our_file == NULL)
20848 ++ return 1;
20849 ++
20850 ++ read_lock(&tasklist_lock);
20851 ++ do_each_thread(p2, p) {
20852 ++ files = get_files_struct(p);
20853 ++ if (files == NULL ||
20854 ++ (p->signal && p->signal->tty == task->signal->tty)) {
20855 ++ if (files != NULL)
20856 ++ put_files_struct(files);
20857 ++ continue;
20858 ++ }
20859 ++ rcu_read_lock();
20860 ++ fdt = files_fdtable(files);
20861 ++ for (i=0; i < fdt->max_fds; i++) {
20862 ++ file = fcheck_files(files, i);
20863 ++ if (file && S_ISCHR(file->f_dentry->d_inode->i_mode) &&
20864 ++ file->f_dentry->d_inode->i_rdev == our_file->f_dentry->d_inode->i_rdev) {
20865 ++ p3 = task;
20866 ++ while (p3->pid > 0) {
20867 ++ if (p3 == p)
20868 ++ break;
20869 ++ p3 = p3->parent;
20870 ++ }
20871 ++ if (p3 == p)
20872 ++ break;
20873 ++ gr_log_ttysniff(GR_DONT_AUDIT_GOOD, GR_TTYSNIFF_ACL_MSG, p);
20874 ++ gr_handle_alertkill(p);
20875 ++ rcu_read_unlock();
20876 ++ put_files_struct(files);
20877 ++ read_unlock(&tasklist_lock);
20878 ++ fput(our_file);
20879 ++ return 0;
20880 ++ }
20881 ++ }
20882 ++ rcu_read_unlock();
20883 ++ put_files_struct(files);
20884 ++ } while_each_thread(p2, p);
20885 ++ read_unlock(&tasklist_lock);
20886 ++
20887 ++ fput(our_file);
20888 ++ return 1;
20889 ++}
20890 ++
20891 ++ssize_t
20892 ++write_grsec_handler(struct file *file, const char * buf, size_t count, loff_t *ppos)
20893 ++{
20894 ++ struct gr_arg_wrapper uwrap;
20895 ++ unsigned char *sprole_salt;
20896 ++ unsigned char *sprole_sum;
20897 ++ int error = sizeof (struct gr_arg_wrapper);
20898 ++ int error2 = 0;
20899 ++
20900 ++ down(&gr_dev_sem);
20901 ++
20902 ++ if ((gr_status & GR_READY) && !(current->acl->mode & GR_KERNELAUTH)) {
20903 ++ error = -EPERM;
20904 ++ goto out;
20905 ++ }
20906 ++
20907 ++ if (count != sizeof (struct gr_arg_wrapper)) {
20908 ++ gr_log_int_int(GR_DONT_AUDIT_GOOD, GR_DEV_ACL_MSG, (int)count, (int)sizeof(struct gr_arg_wrapper));
20909 ++ error = -EINVAL;
20910 ++ goto out;
20911 ++ }
20912 ++
20913 ++
20914 ++ if (gr_auth_expires && time_after_eq(get_seconds(), gr_auth_expires)) {
20915 ++ gr_auth_expires = 0;
20916 ++ gr_auth_attempts = 0;
20917 ++ }
20918 ++
20919 ++ if (copy_from_user(&uwrap, buf, sizeof (struct gr_arg_wrapper))) {
20920 ++ error = -EFAULT;
20921 ++ goto out;
20922 ++ }
20923 ++
20924 ++ if ((uwrap.version != GRSECURITY_VERSION) || (uwrap.size != sizeof(struct gr_arg))) {
20925 ++ error = -EINVAL;
20926 ++ goto out;
20927 ++ }
20928 ++
20929 ++ if (copy_from_user(gr_usermode, uwrap.arg, sizeof (struct gr_arg))) {
20930 ++ error = -EFAULT;
20931 ++ goto out;
20932 ++ }
20933 ++
20934 ++ if (gr_usermode->mode != SPROLE && gr_usermode->mode != SPROLEPAM &&
20935 ++ gr_auth_attempts >= CONFIG_GRKERNSEC_ACL_MAXTRIES &&
20936 ++ time_after(gr_auth_expires, get_seconds())) {
20937 ++ error = -EBUSY;
20938 ++ goto out;
20939 ++ }
20940 ++
20941 ++ /* if non-root trying to do anything other than use a special role,
20942 ++ do not attempt authentication, do not count towards authentication
20943 ++ locking
20944 ++ */
20945 ++
20946 ++ if (gr_usermode->mode != SPROLE && gr_usermode->mode != STATUS &&
20947 ++ gr_usermode->mode != UNSPROLE && gr_usermode->mode != SPROLEPAM &&
20948 ++ current->uid) {
20949 ++ error = -EPERM;
20950 ++ goto out;
20951 ++ }
20952 ++
20953 ++ /* ensure pw and special role name are null terminated */
20954 ++
20955 ++ gr_usermode->pw[GR_PW_LEN - 1] = '\0';
20956 ++ gr_usermode->sp_role[GR_SPROLE_LEN - 1] = '\0';
20957 ++
20958 ++ /* Okay.
20959 ++ * We have our enough of the argument structure..(we have yet
20960 ++ * to copy_from_user the tables themselves) . Copy the tables
20961 ++ * only if we need them, i.e. for loading operations. */
20962 ++
20963 ++ switch (gr_usermode->mode) {
20964 ++ case STATUS:
20965 ++ if (gr_status & GR_READY) {
20966 ++ error = 1;
20967 ++ if (!gr_check_secure_terminal(current))
20968 ++ error = 3;
20969 ++ } else
20970 ++ error = 2;
20971 ++ goto out;
20972 ++ case SHUTDOWN:
20973 ++ if ((gr_status & GR_READY)
20974 ++ && !(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
20975 ++ gr_status &= ~GR_READY;
20976 ++ gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SHUTS_ACL_MSG);
20977 ++ free_variables();
20978 ++ memset(gr_usermode, 0, sizeof (struct gr_arg));
20979 ++ memset(gr_system_salt, 0, GR_SALT_LEN);
20980 ++ memset(gr_system_sum, 0, GR_SHA_LEN);
20981 ++ } else if (gr_status & GR_READY) {
20982 ++ gr_log_noargs(GR_DONT_AUDIT, GR_SHUTF_ACL_MSG);
20983 ++ error = -EPERM;
20984 ++ } else {
20985 ++ gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SHUTI_ACL_MSG);
20986 ++ error = -EAGAIN;
20987 ++ }
20988 ++ break;
20989 ++ case ENABLE:
20990 ++ if (!(gr_status & GR_READY) && !(error2 = gracl_init(gr_usermode)))
20991 ++ gr_log_str(GR_DONT_AUDIT_GOOD, GR_ENABLE_ACL_MSG, GR_VERSION);
20992 ++ else {
20993 ++ if (gr_status & GR_READY)
20994 ++ error = -EAGAIN;
20995 ++ else
20996 ++ error = error2;
20997 ++ gr_log_str(GR_DONT_AUDIT, GR_ENABLEF_ACL_MSG, GR_VERSION);
20998 ++ }
20999 ++ break;
21000 ++ case RELOAD:
21001 ++ if (!(gr_status & GR_READY)) {
21002 ++ gr_log_str(GR_DONT_AUDIT_GOOD, GR_RELOADI_ACL_MSG, GR_VERSION);
21003 ++ error = -EAGAIN;
21004 ++ } else if (!(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
21005 ++ lock_kernel();
21006 ++ gr_status &= ~GR_READY;
21007 ++ free_variables();
21008 ++ if (!(error2 = gracl_init(gr_usermode))) {
21009 ++ unlock_kernel();
21010 ++ gr_log_str(GR_DONT_AUDIT_GOOD, GR_RELOAD_ACL_MSG, GR_VERSION);
21011 ++ } else {
21012 ++ unlock_kernel();
21013 ++ error = error2;
21014 ++ gr_log_str(GR_DONT_AUDIT, GR_RELOADF_ACL_MSG, GR_VERSION);
21015 ++ }
21016 ++ } else {
21017 ++ gr_log_str(GR_DONT_AUDIT, GR_RELOADF_ACL_MSG, GR_VERSION);
21018 ++ error = -EPERM;
21019 ++ }
21020 ++ break;
21021 ++ case SEGVMOD:
21022 ++ if (unlikely(!(gr_status & GR_READY))) {
21023 ++ gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SEGVMODI_ACL_MSG);
21024 ++ error = -EAGAIN;
21025 ++ break;
21026 ++ }
21027 ++
21028 ++ if (!(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
21029 ++ gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SEGVMODS_ACL_MSG);
21030 ++ if (gr_usermode->segv_device && gr_usermode->segv_inode) {
21031 ++ struct acl_subject_label *segvacl;
21032 ++ segvacl =
21033 ++ lookup_acl_subj_label(gr_usermode->segv_inode,
21034 ++ gr_usermode->segv_device,
21035 ++ current->role);
21036 ++ if (segvacl) {
21037 ++ segvacl->crashes = 0;
21038 ++ segvacl->expires = 0;
21039 ++ }
21040 ++ } else if (gr_find_uid(gr_usermode->segv_uid) >= 0) {
21041 ++ gr_remove_uid(gr_usermode->segv_uid);
21042 ++ }
21043 ++ } else {
21044 ++ gr_log_noargs(GR_DONT_AUDIT, GR_SEGVMODF_ACL_MSG);
21045 ++ error = -EPERM;
21046 ++ }
21047 ++ break;
21048 ++ case SPROLE:
21049 ++ case SPROLEPAM:
21050 ++ if (unlikely(!(gr_status & GR_READY))) {
21051 ++ gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SPROLEI_ACL_MSG);
21052 ++ error = -EAGAIN;
21053 ++ break;
21054 ++ }
21055 ++
21056 ++ if (current->role->expires && time_after_eq(get_seconds(), current->role->expires)) {
21057 ++ current->role->expires = 0;
21058 ++ current->role->auth_attempts = 0;
21059 ++ }
21060 ++
21061 ++ if (current->role->auth_attempts >= CONFIG_GRKERNSEC_ACL_MAXTRIES &&
21062 ++ time_after(current->role->expires, get_seconds())) {
21063 ++ error = -EBUSY;
21064 ++ goto out;
21065 ++ }
21066 ++
21067 ++ if (lookup_special_role_auth
21068 ++ (gr_usermode->mode, gr_usermode->sp_role, &sprole_salt, &sprole_sum)
21069 ++ && ((!sprole_salt && !sprole_sum)
21070 ++ || !(chkpw(gr_usermode, sprole_salt, sprole_sum)))) {
21071 ++ char *p = "";
21072 ++ assign_special_role(gr_usermode->sp_role);
21073 ++ read_lock(&tasklist_lock);
21074 ++ if (current->parent)
21075 ++ p = current->parent->role->rolename;
21076 ++ read_unlock(&tasklist_lock);
21077 ++ gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_SPROLES_ACL_MSG,
21078 ++ p, acl_sp_role_value);
21079 ++ } else {
21080 ++ gr_log_str(GR_DONT_AUDIT, GR_SPROLEF_ACL_MSG, gr_usermode->sp_role);
21081 ++ error = -EPERM;
21082 ++ if(!(current->role->auth_attempts++))
21083 ++ current->role->expires = get_seconds() + CONFIG_GRKERNSEC_ACL_TIMEOUT;
21084 ++
21085 ++ goto out;
21086 ++ }
21087 ++ break;
21088 ++ case UNSPROLE:
21089 ++ if (unlikely(!(gr_status & GR_READY))) {
21090 ++ gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_UNSPROLEI_ACL_MSG);
21091 ++ error = -EAGAIN;
21092 ++ break;
21093 ++ }
21094 ++
21095 ++ if (current->role->roletype & GR_ROLE_SPECIAL) {
21096 ++ char *p = "";
21097 ++ int i = 0;
21098 ++
21099 ++ read_lock(&tasklist_lock);
21100 ++ if (current->parent) {
21101 ++ p = current->parent->role->rolename;
21102 ++ i = current->parent->acl_role_id;
21103 ++ }
21104 ++ read_unlock(&tasklist_lock);
21105 ++
21106 ++ gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_UNSPROLES_ACL_MSG, p, i);
21107 ++ gr_set_acls(1);
21108 ++ } else {
21109 ++ gr_log_str(GR_DONT_AUDIT, GR_UNSPROLEF_ACL_MSG, current->role->rolename);
21110 ++ error = -EPERM;
21111 ++ goto out;
21112 ++ }
21113 ++ break;
21114 ++ default:
21115 ++ gr_log_int(GR_DONT_AUDIT, GR_INVMODE_ACL_MSG, gr_usermode->mode);
21116 ++ error = -EINVAL;
21117 ++ break;
21118 ++ }
21119 ++
21120 ++ if (error != -EPERM)
21121 ++ goto out;
21122 ++
21123 ++ if(!(gr_auth_attempts++))
21124 ++ gr_auth_expires = get_seconds() + CONFIG_GRKERNSEC_ACL_TIMEOUT;
21125 ++
21126 ++ out:
21127 ++ up(&gr_dev_sem);
21128 ++ return error;
21129 ++}
21130 ++
21131 ++int
21132 ++gr_set_acls(const int type)
21133 ++{
21134 ++ struct acl_object_label *obj;
21135 ++ struct task_struct *task, *task2;
21136 ++ struct file *filp;
21137 ++ struct acl_role_label *role = current->role;
21138 ++ __u16 acl_role_id = current->acl_role_id;
21139 ++
21140 ++ read_lock(&tasklist_lock);
21141 ++ read_lock(&grsec_exec_file_lock);
21142 ++ do_each_thread(task2, task) {
21143 ++ /* check to see if we're called from the exit handler,
21144 ++ if so, only replace ACLs that have inherited the admin
21145 ++ ACL */
21146 ++
21147 ++ if (type && (task->role != role ||
21148 ++ task->acl_role_id != acl_role_id))
21149 ++ continue;
21150 ++
21151 ++ task->acl_role_id = 0;
21152 ++ task->acl_sp_role = 0;
21153 ++
21154 ++ if ((filp = task->exec_file)) {
21155 ++ task->role = lookup_acl_role_label(task, task->uid, task->gid);
21156 ++
21157 ++ task->acl =
21158 ++ chk_subj_label(filp->f_dentry, filp->f_vfsmnt,
21159 ++ task->role);
21160 ++ if (task->acl) {
21161 ++ struct acl_subject_label *curr;
21162 ++ curr = task->acl;
21163 ++
21164 ++ task->is_writable = 0;
21165 ++ /* ignore additional mmap checks for processes that are writable
21166 ++ by the default ACL */
21167 ++ obj = chk_obj_label(filp->f_dentry, filp->f_vfsmnt, default_role->root_label);
21168 ++ if (unlikely(obj->mode & GR_WRITE))
21169 ++ task->is_writable = 1;
21170 ++ obj = chk_obj_label(filp->f_dentry, filp->f_vfsmnt, task->role->root_label);
21171 ++ if (unlikely(obj->mode & GR_WRITE))
21172 ++ task->is_writable = 1;
21173 ++
21174 ++ gr_set_proc_res(task);
21175 ++
21176 ++#ifdef CONFIG_GRKERNSEC_ACL_DEBUG
21177 ++ printk(KERN_ALERT "gr_set_acls for (%s:%d): role:%s, subject:%s\n", task->comm, task->pid, task->role->rolename, task->acl->filename);
21178 ++#endif
21179 ++ } else {
21180 ++ read_unlock(&grsec_exec_file_lock);
21181 ++ read_unlock(&tasklist_lock);
21182 ++ gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_DEFACL_MSG, task->comm, task->pid);
21183 ++ return 1;
21184 ++ }
21185 ++ } else {
21186 ++ // it's a kernel process
21187 ++ task->role = kernel_role;
21188 ++ task->acl = kernel_role->root_label;
21189 ++#ifdef CONFIG_GRKERNSEC_ACL_HIDEKERN
21190 ++ task->acl->mode &= ~GR_PROCFIND;
21191 ++#endif
21192 ++ }
21193 ++ } while_each_thread(task2, task);
21194 ++ read_unlock(&grsec_exec_file_lock);
21195 ++ read_unlock(&tasklist_lock);
21196 ++ return 0;
21197 ++}
21198 ++
21199 ++void
21200 ++gr_learn_resource(const struct task_struct *task,
21201 ++ const int res, const unsigned long wanted, const int gt)
21202 ++{
21203 ++ struct acl_subject_label *acl;
21204 ++
21205 ++ if (unlikely((gr_status & GR_READY) &&
21206 ++ task->acl && (task->acl->mode & (GR_LEARN | GR_INHERITLEARN))))
21207 ++ goto skip_reslog;
21208 ++
21209 ++#ifdef CONFIG_GRKERNSEC_RESLOG
21210 ++ gr_log_resource(task, res, wanted, gt);
21211 ++#endif
21212 ++ skip_reslog:
21213 ++
21214 ++ if (unlikely(!(gr_status & GR_READY) || !wanted))
21215 ++ return;
21216 ++
21217 ++ acl = task->acl;
21218 ++
21219 ++ if (likely(!acl || !(acl->mode & (GR_LEARN | GR_INHERITLEARN)) ||
21220 ++ !(acl->resmask & (1 << (unsigned short) res))))
21221 ++ return;
21222 ++
21223 ++ if (wanted >= acl->res[res].rlim_cur) {
21224 ++ unsigned long res_add;
21225 ++
21226 ++ res_add = wanted;
21227 ++ switch (res) {
21228 ++ case RLIMIT_CPU:
21229 ++ res_add += GR_RLIM_CPU_BUMP;
21230 ++ break;
21231 ++ case RLIMIT_FSIZE:
21232 ++ res_add += GR_RLIM_FSIZE_BUMP;
21233 ++ break;
21234 ++ case RLIMIT_DATA:
21235 ++ res_add += GR_RLIM_DATA_BUMP;
21236 ++ break;
21237 ++ case RLIMIT_STACK:
21238 ++ res_add += GR_RLIM_STACK_BUMP;
21239 ++ break;
21240 ++ case RLIMIT_CORE:
21241 ++ res_add += GR_RLIM_CORE_BUMP;
21242 ++ break;
21243 ++ case RLIMIT_RSS:
21244 ++ res_add += GR_RLIM_RSS_BUMP;
21245 ++ break;
21246 ++ case RLIMIT_NPROC:
21247 ++ res_add += GR_RLIM_NPROC_BUMP;
21248 ++ break;
21249 ++ case RLIMIT_NOFILE:
21250 ++ res_add += GR_RLIM_NOFILE_BUMP;
21251 ++ break;
21252 ++ case RLIMIT_MEMLOCK:
21253 ++ res_add += GR_RLIM_MEMLOCK_BUMP;
21254 ++ break;
21255 ++ case RLIMIT_AS:
21256 ++ res_add += GR_RLIM_AS_BUMP;
21257 ++ break;
21258 ++ case RLIMIT_LOCKS:
21259 ++ res_add += GR_RLIM_LOCKS_BUMP;
21260 ++ break;
21261 ++ }
21262 ++
21263 ++ acl->res[res].rlim_cur = res_add;
21264 ++
21265 ++ if (wanted > acl->res[res].rlim_max)
21266 ++ acl->res[res].rlim_max = res_add;
21267 ++
21268 ++ security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename,
21269 ++ task->role->roletype, acl->filename,
21270 ++ acl->res[res].rlim_cur, acl->res[res].rlim_max,
21271 ++ "", (unsigned long) res);
21272 ++ }
21273 ++
21274 ++ return;
21275 ++}
21276 ++
21277 ++#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
21278 ++void
21279 ++pax_set_initial_flags(struct linux_binprm *bprm)
21280 ++{
21281 ++ struct task_struct *task = current;
21282 ++ struct acl_subject_label *proc;
21283 ++ unsigned long flags;
21284 ++
21285 ++ if (unlikely(!(gr_status & GR_READY)))
21286 ++ return;
21287 ++
21288 ++ flags = pax_get_flags(task);
21289 ++
21290 ++ proc = task->acl;
21291 ++
21292 ++ if (proc->pax_flags & GR_PAX_DISABLE_PAGEEXEC)
21293 ++ flags &= ~MF_PAX_PAGEEXEC;
21294 ++ if (proc->pax_flags & GR_PAX_DISABLE_SEGMEXEC)
21295 ++ flags &= ~MF_PAX_SEGMEXEC;
21296 ++ if (proc->pax_flags & GR_PAX_DISABLE_RANDMMAP)
21297 ++ flags &= ~MF_PAX_RANDMMAP;
21298 ++ if (proc->pax_flags & GR_PAX_DISABLE_EMUTRAMP)
21299 ++ flags &= ~MF_PAX_EMUTRAMP;
21300 ++ if (proc->pax_flags & GR_PAX_DISABLE_MPROTECT)
21301 ++ flags &= ~MF_PAX_MPROTECT;
21302 ++
21303 ++ if (proc->pax_flags & GR_PAX_ENABLE_PAGEEXEC)
21304 ++ flags |= MF_PAX_PAGEEXEC;
21305 ++ if (proc->pax_flags & GR_PAX_ENABLE_SEGMEXEC)
21306 ++ flags |= MF_PAX_SEGMEXEC;
21307 ++ if (proc->pax_flags & GR_PAX_ENABLE_RANDMMAP)
21308 ++ flags |= MF_PAX_RANDMMAP;
21309 ++ if (proc->pax_flags & GR_PAX_ENABLE_EMUTRAMP)
21310 ++ flags |= MF_PAX_EMUTRAMP;
21311 ++ if (proc->pax_flags & GR_PAX_ENABLE_MPROTECT)
21312 ++ flags |= MF_PAX_MPROTECT;
21313 ++
21314 ++ pax_set_flags(task, flags);
21315 ++
21316 ++ return;
21317 ++}
21318 ++#endif
21319 ++
21320 ++#ifdef CONFIG_SYSCTL
21321 ++/* Eric Biederman likes breaking userland ABI and every inode-based security
21322 ++ system to save 35kb of memory */
21323 ++
21324 ++/* we modify the passed in filename, but adjust it back before returning */
21325 ++static struct acl_object_label *gr_lookup_by_name(char *name, unsigned int len)
21326 ++{
21327 ++ struct name_entry *nmatch;
21328 ++ char *p, *lastp = NULL;
21329 ++ struct acl_object_label *obj = NULL, *tmp;
21330 ++ struct acl_subject_label *tmpsubj;
21331 ++ int done = 0;
21332 ++ char c = '\0';
21333 ++
21334 ++ read_lock(&gr_inode_lock);
21335 ++
21336 ++ p = name + len - 1;
21337 ++ do {
21338 ++ nmatch = lookup_name_entry(name);
21339 ++ if (lastp != NULL)
21340 ++ *lastp = c;
21341 ++
21342 ++ if (nmatch == NULL)
21343 ++ goto next_component;
21344 ++ tmpsubj = current->acl;
21345 ++ do {
21346 ++ obj = lookup_acl_obj_label(nmatch->inode, nmatch->device, tmpsubj);
21347 ++ if (obj != NULL) {
21348 ++ tmp = obj->globbed;
21349 ++ while (tmp) {
21350 ++ if (!glob_match(tmp->filename, name)) {
21351 ++ obj = tmp;
21352 ++ goto found_obj;
21353 ++ }
21354 ++ tmp = tmp->next;
21355 ++ }
21356 ++ goto found_obj;
21357 ++ }
21358 ++ } while ((tmpsubj = tmpsubj->parent_subject));
21359 ++next_component:
21360 ++ /* end case */
21361 ++ if (p == name)
21362 ++ break;
21363 ++
21364 ++ while (*p != '/')
21365 ++ p--;
21366 ++ if (p == name)
21367 ++ lastp = p + 1;
21368 ++ else {
21369 ++ lastp = p;
21370 ++ p--;
21371 ++ }
21372 ++ c = *lastp;
21373 ++ *lastp = '\0';
21374 ++ } while (1);
21375 ++found_obj:
21376 ++ read_unlock(&gr_inode_lock);
21377 ++ /* obj returned will always be non-null */
21378 ++ return obj;
21379 ++}
21380 ++
21381 ++/* returns 0 when allowing, non-zero on error
21382 ++ op of 0 is used for readdir, so we don't log the names of hidden files
21383 ++*/
21384 ++__u32
21385 ++gr_handle_sysctl(const struct ctl_table *table, const int op)
21386 ++{
21387 ++ ctl_table *tmp;
21388 ++ struct nameidata nd;
21389 ++ const char *proc_sys = "/proc/sys";
21390 ++ char *path;
21391 ++ struct acl_object_label *obj;
21392 ++ unsigned short len = 0, pos = 0, depth = 0, i;
21393 ++ __u32 err = 0;
21394 ++ __u32 mode = 0;
21395 ++
21396 ++ if (unlikely(!(gr_status & GR_READY)))
21397 ++ return 0;
21398 ++
21399 ++ /* for now, ignore operations on non-sysctl entries if it's not a
21400 ++ readdir*/
21401 ++ if (table->child != NULL && op != 0)
21402 ++ return 0;
21403 ++
21404 ++ mode |= GR_FIND;
21405 ++ /* it's only a read if it's an entry, read on dirs is for readdir */
21406 ++ if (op & 004)
21407 ++ mode |= GR_READ;
21408 ++ if (op & 002)
21409 ++ mode |= GR_WRITE;
21410 ++
21411 ++ preempt_disable();
21412 ++
21413 ++ path = per_cpu_ptr(gr_shared_page[0], smp_processor_id());
21414 ++
21415 ++ /* it's only a read/write if it's an actual entry, not a dir
21416 ++ (which are opened for readdir)
21417 ++ */
21418 ++
21419 ++ /* convert the requested sysctl entry into a pathname */
21420 ++
21421 ++ for (tmp = (ctl_table *)table; tmp != NULL; tmp = tmp->parent) {
21422 ++ len += strlen(tmp->procname);
21423 ++ len++;
21424 ++ depth++;
21425 ++ }
21426 ++
21427 ++ if ((len + depth + strlen(proc_sys) + 1) > PAGE_SIZE) {
21428 ++ /* deny */
21429 ++ goto out;
21430 ++ }
21431 ++
21432 ++ memset(path, 0, PAGE_SIZE);
21433 ++
21434 ++ memcpy(path, proc_sys, strlen(proc_sys));
21435 ++
21436 ++ pos += strlen(proc_sys);
21437 ++
21438 ++ for (; depth > 0; depth--) {
21439 ++ path[pos] = '/';
21440 ++ pos++;
21441 ++ for (i = 1, tmp = (ctl_table *)table; tmp != NULL; tmp = tmp->parent) {
21442 ++ if (depth == i) {
21443 ++ memcpy(path + pos, tmp->procname,
21444 ++ strlen(tmp->procname));
21445 ++ pos += strlen(tmp->procname);
21446 ++ }
21447 ++ i++;
21448 ++ }
21449 ++ }
21450 ++
21451 ++ obj = gr_lookup_by_name(path, pos);
21452 ++ err = obj->mode & (mode | to_gr_audit(mode) | GR_SUPPRESS);
21453 ++
21454 ++ if (unlikely((current->acl->mode & (GR_LEARN | GR_INHERITLEARN)) &&
21455 ++ ((err & mode) != mode))) {
21456 ++ __u32 new_mode = mode;
21457 ++
21458 ++ new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
21459 ++
21460 ++ err = 0;
21461 ++ gr_log_learn_sysctl(current, path, new_mode);
21462 ++ } else if (!(err & GR_FIND) && !(err & GR_SUPPRESS) && op != 0) {
21463 ++ gr_log_hidden_sysctl(GR_DONT_AUDIT, GR_HIDDEN_ACL_MSG, path);
21464 ++ err = -ENOENT;
21465 ++ } else if (!(err & GR_FIND)) {
21466 ++ err = -ENOENT;
21467 ++ } else if (((err & mode) & ~GR_FIND) != (mode & ~GR_FIND) && !(err & GR_SUPPRESS)) {
21468 ++ gr_log_str4(GR_DONT_AUDIT, GR_SYSCTL_ACL_MSG, "denied",
21469 ++ path, (mode & GR_READ) ? " reading" : "",
21470 ++ (mode & GR_WRITE) ? " writing" : "");
21471 ++ err = -EACCES;
21472 ++ } else if ((err & mode) != mode) {
21473 ++ err = -EACCES;
21474 ++ } else if ((((err & mode) & ~GR_FIND) == (mode & ~GR_FIND)) && (err & GR_AUDITS)) {
21475 ++ gr_log_str4(GR_DO_AUDIT, GR_SYSCTL_ACL_MSG, "successful",
21476 ++ path, (mode & GR_READ) ? " reading" : "",
21477 ++ (mode & GR_WRITE) ? " writing" : "");
21478 ++ err = 0;
21479 ++ } else
21480 ++ err = 0;
21481 ++
21482 ++ out:
21483 ++ preempt_enable();
21484 ++
21485 ++ return err;
21486 ++}
21487 ++#endif
21488 ++
21489 ++int
21490 ++gr_handle_proc_ptrace(struct task_struct *task)
21491 ++{
21492 ++ struct file *filp;
21493 ++ struct task_struct *tmp = task;
21494 ++ struct task_struct *curtemp = current;
21495 ++ __u32 retmode;
21496 ++
21497 ++ if (unlikely(!(gr_status & GR_READY)))
21498 ++ return 0;
21499 ++
21500 ++ read_lock(&tasklist_lock);
21501 ++ read_lock(&grsec_exec_file_lock);
21502 ++ filp = task->exec_file;
21503 ++
21504 ++ while (tmp->pid > 0) {
21505 ++ if (tmp == curtemp)
21506 ++ break;
21507 ++ tmp = tmp->parent;
21508 ++ }
21509 ++
21510 ++ if (!filp || (tmp->pid == 0 && !(current->acl->mode & GR_RELAXPTRACE))) {
21511 ++ read_unlock(&grsec_exec_file_lock);
21512 ++ read_unlock(&tasklist_lock);
21513 ++ return 1;
21514 ++ }
21515 ++
21516 ++ retmode = gr_search_file(filp->f_dentry, GR_NOPTRACE, filp->f_vfsmnt);
21517 ++ read_unlock(&grsec_exec_file_lock);
21518 ++ read_unlock(&tasklist_lock);
21519 ++
21520 ++ if (retmode & GR_NOPTRACE)
21521 ++ return 1;
21522 ++
21523 ++ if (!(current->acl->mode & GR_POVERRIDE) && !(current->role->roletype & GR_ROLE_GOD)
21524 ++ && (current->acl != task->acl || (current->acl != current->role->root_label
21525 ++ && current->pid != task->pid)))
21526 ++ return 1;
21527 ++
21528 ++ return 0;
21529 ++}
21530 ++
21531 ++int
21532 ++gr_handle_ptrace(struct task_struct *task, const long request)
21533 ++{
21534 ++ struct task_struct *tmp = task;
21535 ++ struct task_struct *curtemp = current;
21536 ++ __u32 retmode;
21537 ++
21538 ++ if (unlikely(!(gr_status & GR_READY)))
21539 ++ return 0;
21540 ++
21541 ++ read_lock(&tasklist_lock);
21542 ++ while (tmp->pid > 0) {
21543 ++ if (tmp == curtemp)
21544 ++ break;
21545 ++ tmp = tmp->parent;
21546 ++ }
21547 ++
21548 ++ if (tmp->pid == 0 && !(current->acl->mode & GR_RELAXPTRACE)) {
21549 ++ read_unlock(&tasklist_lock);
21550 ++ gr_log_ptrace(GR_DONT_AUDIT, GR_PTRACE_ACL_MSG, task);
21551 ++ return 1;
21552 ++ }
21553 ++ read_unlock(&tasklist_lock);
21554 ++
21555 ++ read_lock(&grsec_exec_file_lock);
21556 ++ if (unlikely(!task->exec_file)) {
21557 ++ read_unlock(&grsec_exec_file_lock);
21558 ++ return 0;
21559 ++ }
21560 ++
21561 ++ retmode = gr_search_file(task->exec_file->f_dentry, GR_PTRACERD | GR_NOPTRACE, task->exec_file->f_vfsmnt);
21562 ++ read_unlock(&grsec_exec_file_lock);
21563 ++
21564 ++ if (retmode & GR_NOPTRACE) {
21565 ++ gr_log_ptrace(GR_DONT_AUDIT, GR_PTRACE_ACL_MSG, task);
21566 ++ return 1;
21567 ++ }
21568 ++
21569 ++ if (retmode & GR_PTRACERD) {
21570 ++ switch (request) {
21571 ++ case PTRACE_POKETEXT:
21572 ++ case PTRACE_POKEDATA:
21573 ++ case PTRACE_POKEUSR:
21574 ++#if !defined(CONFIG_PPC32) && !defined(CONFIG_PPC64) && !defined(CONFIG_PARISC) && !defined(CONFIG_ALPHA) && !defined(CONFIG_IA64)
21575 ++ case PTRACE_SETREGS:
21576 ++ case PTRACE_SETFPREGS:
21577 ++#endif
21578 ++#ifdef CONFIG_X86
21579 ++ case PTRACE_SETFPXREGS:
21580 ++#endif
21581 ++#ifdef CONFIG_ALTIVEC
21582 ++ case PTRACE_SETVRREGS:
21583 ++#endif
21584 ++ return 1;
21585 ++ default:
21586 ++ return 0;
21587 ++ }
21588 ++ } else if (!(current->acl->mode & GR_POVERRIDE) &&
21589 ++ !(current->role->roletype & GR_ROLE_GOD) &&
21590 ++ (current->acl != task->acl)) {
21591 ++ gr_log_ptrace(GR_DONT_AUDIT, GR_PTRACE_ACL_MSG, task);
21592 ++ return 1;
21593 ++ }
21594 ++
21595 ++ return 0;
21596 ++}
21597 ++
21598 ++static int is_writable_mmap(const struct file *filp)
21599 ++{
21600 ++ struct task_struct *task = current;
21601 ++ struct acl_object_label *obj, *obj2;
21602 ++
21603 ++ if (gr_status & GR_READY && !(task->acl->mode & GR_OVERRIDE) &&
21604 ++ !task->is_writable && S_ISREG(filp->f_dentry->d_inode->i_mode)) {
21605 ++ obj = chk_obj_label(filp->f_dentry, filp->f_vfsmnt, default_role->root_label);
21606 ++ obj2 = chk_obj_label(filp->f_dentry, filp->f_vfsmnt,
21607 ++ task->role->root_label);
21608 ++ if (unlikely((obj->mode & GR_WRITE) || (obj2->mode & GR_WRITE))) {
21609 ++ gr_log_fs_generic(GR_DONT_AUDIT, GR_WRITLIB_ACL_MSG, filp->f_dentry, filp->f_vfsmnt);
21610 ++ return 1;
21611 ++ }
21612 ++ }
21613 ++ return 0;
21614 ++}
21615 ++
21616 ++int
21617 ++gr_acl_handle_mmap(const struct file *file, const unsigned long prot)
21618 ++{
21619 ++ __u32 mode;
21620 ++
21621 ++ if (unlikely(!file || !(prot & PROT_EXEC)))
21622 ++ return 1;
21623 ++
21624 ++ if (is_writable_mmap(file))
21625 ++ return 0;
21626 ++
21627 ++ mode =
21628 ++ gr_search_file(file->f_dentry,
21629 ++ GR_EXEC | GR_AUDIT_EXEC | GR_SUPPRESS,
21630 ++ file->f_vfsmnt);
21631 ++
21632 ++ if (!gr_tpe_allow(file))
21633 ++ return 0;
21634 ++
21635 ++ if (unlikely(!(mode & GR_EXEC) && !(mode & GR_SUPPRESS))) {
21636 ++ gr_log_fs_rbac_generic(GR_DONT_AUDIT, GR_MMAP_ACL_MSG, file->f_dentry, file->f_vfsmnt);
21637 ++ return 0;
21638 ++ } else if (unlikely(!(mode & GR_EXEC))) {
21639 ++ return 0;
21640 ++ } else if (unlikely(mode & GR_EXEC && mode & GR_AUDIT_EXEC)) {
21641 ++ gr_log_fs_rbac_generic(GR_DO_AUDIT, GR_MMAP_ACL_MSG, file->f_dentry, file->f_vfsmnt);
21642 ++ return 1;
21643 ++ }
21644 ++
21645 ++ return 1;
21646 ++}
21647 ++
21648 ++int
21649 ++gr_acl_handle_mprotect(const struct file *file, const unsigned long prot)
21650 ++{
21651 ++ __u32 mode;
21652 ++
21653 ++ if (unlikely(!file || !(prot & PROT_EXEC)))
21654 ++ return 1;
21655 ++
21656 ++ if (is_writable_mmap(file))
21657 ++ return 0;
21658 ++
21659 ++ mode =
21660 ++ gr_search_file(file->f_dentry,
21661 ++ GR_EXEC | GR_AUDIT_EXEC | GR_SUPPRESS,
21662 ++ file->f_vfsmnt);
21663 ++
21664 ++ if (!gr_tpe_allow(file))
21665 ++ return 0;
21666 ++
21667 ++ if (unlikely(!(mode & GR_EXEC) && !(mode & GR_SUPPRESS))) {
21668 ++ gr_log_fs_rbac_generic(GR_DONT_AUDIT, GR_MPROTECT_ACL_MSG, file->f_dentry, file->f_vfsmnt);
21669 ++ return 0;
21670 ++ } else if (unlikely(!(mode & GR_EXEC))) {
21671 ++ return 0;
21672 ++ } else if (unlikely(mode & GR_EXEC && mode & GR_AUDIT_EXEC)) {
21673 ++ gr_log_fs_rbac_generic(GR_DO_AUDIT, GR_MPROTECT_ACL_MSG, file->f_dentry, file->f_vfsmnt);
21674 ++ return 1;
21675 ++ }
21676 ++
21677 ++ return 1;
21678 ++}
21679 ++
21680 ++void
21681 ++gr_acl_handle_psacct(struct task_struct *task, const long code)
21682 ++{
21683 ++ unsigned long runtime;
21684 ++ unsigned long cputime;
21685 ++ unsigned int wday, cday;
21686 ++ __u8 whr, chr;
21687 ++ __u8 wmin, cmin;
21688 ++ __u8 wsec, csec;
21689 ++
21690 ++ if (unlikely(!(gr_status & GR_READY) || !task->acl ||
21691 ++ !(task->acl->mode & GR_PROCACCT)))
21692 ++ return;
21693 ++
21694 ++ runtime = xtime.tv_sec - task->start_time.tv_sec;
21695 ++ wday = runtime / (3600 * 24);
21696 ++ runtime -= wday * (3600 * 24);
21697 ++ whr = runtime / 3600;
21698 ++ runtime -= whr * 3600;
21699 ++ wmin = runtime / 60;
21700 ++ runtime -= wmin * 60;
21701 ++ wsec = runtime;
21702 ++
21703 ++ cputime = (task->utime + task->stime) / HZ;
21704 ++ cday = cputime / (3600 * 24);
21705 ++ cputime -= cday * (3600 * 24);
21706 ++ chr = cputime / 3600;
21707 ++ cputime -= chr * 3600;
21708 ++ cmin = cputime / 60;
21709 ++ cputime -= cmin * 60;
21710 ++ csec = cputime;
21711 ++
21712 ++ gr_log_procacct(GR_DO_AUDIT, GR_ACL_PROCACCT_MSG, task, wday, whr, wmin, wsec, cday, chr, cmin, csec, code);
21713 ++
21714 ++ return;
21715 ++}
21716 ++
21717 ++void gr_set_kernel_label(struct task_struct *task)
21718 ++{
21719 ++ if (gr_status & GR_READY) {
21720 ++ task->role = kernel_role;
21721 ++ task->acl = kernel_role->root_label;
21722 ++ }
21723 ++ return;
21724 ++}
21725 ++
21726 ++int gr_acl_handle_filldir(const struct file *file, const char *name, const unsigned int namelen, const ino_t ino)
21727 ++{
21728 ++ struct task_struct *task = current;
21729 ++ struct dentry *dentry = file->f_dentry;
21730 ++ struct vfsmount *mnt = file->f_vfsmnt;
21731 ++ struct acl_object_label *obj, *tmp;
21732 ++ struct acl_subject_label *subj;
21733 ++ unsigned int bufsize;
21734 ++ int is_not_root;
21735 ++ char *path;
21736 ++
21737 ++ if (unlikely(!(gr_status & GR_READY)))
21738 ++ return 1;
21739 ++
21740 ++ if (task->acl->mode & (GR_LEARN | GR_INHERITLEARN))
21741 ++ return 1;
21742 ++
21743 ++ /* ignore Eric Biederman */
21744 ++ if (IS_PRIVATE(dentry->d_inode))
21745 ++ return 1;
21746 ++
21747 ++ subj = task->acl;
21748 ++ do {
21749 ++ obj = lookup_acl_obj_label(ino, dentry->d_inode->i_sb->s_dev, subj);
21750 ++ if (obj != NULL)
21751 ++ return (obj->mode & GR_FIND) ? 1 : 0;
21752 ++ } while ((subj = subj->parent_subject));
21753 ++
21754 ++ obj = chk_obj_label(dentry, mnt, task->acl);
21755 ++ if (obj->globbed == NULL)
21756 ++ return (obj->mode & GR_FIND) ? 1 : 0;
21757 ++
21758 ++ is_not_root = ((obj->filename[0] == '/') &&
21759 ++ (obj->filename[1] == '\0')) ? 0 : 1;
21760 ++ bufsize = PAGE_SIZE - namelen - is_not_root;
21761 ++
21762 ++ /* check bufsize > PAGE_SIZE || bufsize == 0 */
21763 ++ if (unlikely((bufsize - 1) > (PAGE_SIZE - 1)))
21764 ++ return 1;
21765 ++
21766 ++ preempt_disable();
21767 ++ path = d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0], smp_processor_id()),
21768 ++ bufsize);
21769 ++
21770 ++ bufsize = strlen(path);
21771 ++
21772 ++ /* if base is "/", don't append an additional slash */
21773 ++ if (is_not_root)
21774 ++ *(path + bufsize) = '/';
21775 ++ memcpy(path + bufsize + is_not_root, name, namelen);
21776 ++ *(path + bufsize + namelen + is_not_root) = '\0';
21777 ++
21778 ++ tmp = obj->globbed;
21779 ++ while (tmp) {
21780 ++ if (!glob_match(tmp->filename, path)) {
21781 ++ preempt_enable();
21782 ++ return (tmp->mode & GR_FIND) ? 1 : 0;
21783 ++ }
21784 ++ tmp = tmp->next;
21785 ++ }
21786 ++ preempt_enable();
21787 ++ return (obj->mode & GR_FIND) ? 1 : 0;
21788 ++}
21789 ++
21790 ++EXPORT_SYMBOL(gr_learn_resource);
21791 ++EXPORT_SYMBOL(gr_set_kernel_label);
21792 ++#ifdef CONFIG_SECURITY
21793 ++EXPORT_SYMBOL(gr_check_user_change);
21794 ++EXPORT_SYMBOL(gr_check_group_change);
21795 ++#endif
21796 ++
21797 +diff -Nurp linux-2.6.23.15/grsecurity/gracl_alloc.c linux-2.6.23.15-grsec/grsecurity/gracl_alloc.c
21798 +--- linux-2.6.23.15/grsecurity/gracl_alloc.c 1970-01-01 01:00:00.000000000 +0100
21799 ++++ linux-2.6.23.15-grsec/grsecurity/gracl_alloc.c 2008-02-11 10:37:44.000000000 +0000
21800 +@@ -0,0 +1,91 @@
21801 ++#include <linux/kernel.h>
21802 ++#include <linux/mm.h>
21803 ++#include <linux/slab.h>
21804 ++#include <linux/vmalloc.h>
21805 ++#include <linux/gracl.h>
21806 ++#include <linux/grsecurity.h>
21807 ++
21808 ++static unsigned long alloc_stack_next = 1;
21809 ++static unsigned long alloc_stack_size = 1;
21810 ++static void **alloc_stack;
21811 ++
21812 ++static __inline__ int
21813 ++alloc_pop(void)
21814 ++{
21815 ++ if (alloc_stack_next == 1)
21816 ++ return 0;
21817 ++
21818 ++ kfree(alloc_stack[alloc_stack_next - 2]);
21819 ++
21820 ++ alloc_stack_next--;
21821 ++
21822 ++ return 1;
21823 ++}
21824 ++
21825 ++static __inline__ void
21826 ++alloc_push(void *buf)
21827 ++{
21828 ++ if (alloc_stack_next >= alloc_stack_size)
21829 ++ BUG();
21830 ++
21831 ++ alloc_stack[alloc_stack_next - 1] = buf;
21832 ++
21833 ++ alloc_stack_next++;
21834 ++
21835 ++ return;
21836 ++}
21837 ++
21838 ++void *
21839 ++acl_alloc(unsigned long len)
21840 ++{
21841 ++ void *ret;
21842 ++
21843 ++ if (len > PAGE_SIZE)
21844 ++ BUG();
21845 ++
21846 ++ ret = kmalloc(len, GFP_KERNEL);
21847 ++
21848 ++ if (ret)
21849 ++ alloc_push(ret);
21850 ++
21851 ++ return ret;
21852 ++}
21853 ++
21854 ++void
21855 ++acl_free_all(void)
21856 ++{
21857 ++ if (gr_acl_is_enabled() || !alloc_stack)
21858 ++ return;
21859 ++
21860 ++ while (alloc_pop()) ;
21861 ++
21862 ++ if (alloc_stack) {
21863 ++ if ((alloc_stack_size * sizeof (void *)) <= PAGE_SIZE)
21864 ++ kfree(alloc_stack);
21865 ++ else
21866 ++ vfree(alloc_stack);
21867 ++ }
21868 ++
21869 ++ alloc_stack = NULL;
21870 ++ alloc_stack_size = 1;
21871 ++ alloc_stack_next = 1;
21872 ++
21873 ++ return;
21874 ++}
21875 ++
21876 ++int
21877 ++acl_alloc_stack_init(unsigned long size)
21878 ++{
21879 ++ if ((size * sizeof (void *)) <= PAGE_SIZE)
21880 ++ alloc_stack =
21881 ++ (void **) kmalloc(size * sizeof (void *), GFP_KERNEL);
21882 ++ else
21883 ++ alloc_stack = (void **) vmalloc(size * sizeof (void *));
21884 ++
21885 ++ alloc_stack_size = size;
21886 ++
21887 ++ if (!alloc_stack)
21888 ++ return 0;
21889 ++ else
21890 ++ return 1;
21891 ++}
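Review bot: `acl_alloc_stack_init` computes `size * sizeof (void *)` three times (the kmalloc/vmalloc threshold test and both allocation calls) with no overflow check, so a very large `size` wraps to a small allocation while `alloc_stack_size` is still set to the full `size`, and the `alloc_stack_next >= alloc_stack_size` guard in `alloc_push` then no longer bounds the stores into `alloc_stack`. If `size` originates from the policy handed in by the userland loader (the caller is outside this hunk), add `if (size > ULONG_MAX / sizeof (void *)) return 0;` before the allocation. Both `acl_alloc` (`len > PAGE_SIZE`) and `alloc_push` (stack full) answer an out-of-range request with `BUG()`, which turns a malformed or oversized policy into a kernel panic instead of a failed load; returning NULL or an error to the caller would be the safer response. The `(void **)` casts on the `kmalloc`/`vmalloc` results are unnecessary in C.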
21892 +diff -Nurp linux-2.6.23.15/grsecurity/gracl_cap.c linux-2.6.23.15-grsec/grsecurity/gracl_cap.c
21893 +--- linux-2.6.23.15/grsecurity/gracl_cap.c 1970-01-01 01:00:00.000000000 +0100
21894 ++++ linux-2.6.23.15-grsec/grsecurity/gracl_cap.c 2008-02-11 10:37:44.000000000 +0000
21895 +@@ -0,0 +1,112 @@
21896 ++#include <linux/kernel.h>
21897 ++#include <linux/module.h>
21898 ++#include <linux/sched.h>
21899 ++#include <linux/capability.h>
21900 ++#include <linux/gracl.h>
21901 ++#include <linux/grsecurity.h>
21902 ++#include <linux/grinternal.h>
21903 ++
21904 ++static const char *captab_log[] = {
21905 ++ "CAP_CHOWN",
21906 ++ "CAP_DAC_OVERRIDE",
21907 ++ "CAP_DAC_READ_SEARCH",
21908 ++ "CAP_FOWNER",
21909 ++ "CAP_FSETID",
21910 ++ "CAP_KILL",
21911 ++ "CAP_SETGID",
21912 ++ "CAP_SETUID",
21913 ++ "CAP_SETPCAP",
21914 ++ "CAP_LINUX_IMMUTABLE",
21915 ++ "CAP_NET_BIND_SERVICE",
21916 ++ "CAP_NET_BROADCAST",
21917 ++ "CAP_NET_ADMIN",
21918 ++ "CAP_NET_RAW",
21919 ++ "CAP_IPC_LOCK",
21920 ++ "CAP_IPC_OWNER",
21921 ++ "CAP_SYS_MODULE",
21922 ++ "CAP_SYS_RAWIO",
21923 ++ "CAP_SYS_CHROOT",
21924 ++ "CAP_SYS_PTRACE",
21925 ++ "CAP_SYS_PACCT",
21926 ++ "CAP_SYS_ADMIN",
21927 ++ "CAP_SYS_BOOT",
21928 ++ "CAP_SYS_NICE",
21929 ++ "CAP_SYS_RESOURCE",
21930 ++ "CAP_SYS_TIME",
21931 ++ "CAP_SYS_TTY_CONFIG",
21932 ++ "CAP_MKNOD",
21933 ++ "CAP_LEASE",
21934 ++ "CAP_AUDIT_WRITE",
21935 ++ "CAP_AUDIT_CONTROL"
21936 ++};
21937 ++
21938 ++EXPORT_SYMBOL(gr_task_is_capable);
21939 ++EXPORT_SYMBOL(gr_is_capable_nolog);
21940 ++
21941 ++int
21942 ++gr_task_is_capable(struct task_struct *task, const int cap)
21943 ++{
21944 ++ struct acl_subject_label *curracl;
21945 ++ __u32 cap_drop = 0, cap_mask = 0;
21946 ++
21947 ++ if (!gr_acl_is_enabled())
21948 ++ return 1;
21949 ++
21950 ++ curracl = task->acl;
21951 ++
21952 ++ cap_drop = curracl->cap_lower;
21953 ++ cap_mask = curracl->cap_mask;
21954 ++
21955 ++ while ((curracl = curracl->parent_subject)) {
21956 ++ if (!(cap_mask & (1 << cap)) && (curracl->cap_mask & (1 << cap)))
21957 ++ cap_drop |= curracl->cap_lower & (1 << cap);
21958 ++ cap_mask |= curracl->cap_mask;
21959 ++ }
21960 ++
21961 ++ if (!cap_raised(cap_drop, cap))
21962 ++ return 1;
21963 ++
21964 ++ curracl = task->acl;
21965 ++
21966 ++ if ((curracl->mode & (GR_LEARN | GR_INHERITLEARN))
21967 ++ && cap_raised(task->cap_effective, cap)) {
21968 ++ security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename,
21969 ++ task->role->roletype, task->uid,
21970 ++ task->gid, task->exec_file ?
21971 ++ gr_to_filename(task->exec_file->f_dentry,
21972 ++ task->exec_file->f_vfsmnt) : curracl->filename,
21973 ++ curracl->filename, 0UL,
21974 ++ 0UL, "", (unsigned long) cap, NIPQUAD(task->signal->curr_ip));
21975 ++ return 1;
21976 ++ }
21977 ++
21978 ++ if ((cap >= 0) && (cap < (sizeof(captab_log)/sizeof(captab_log[0]))) && cap_raised(task->cap_effective, cap))
21979 ++ gr_log_cap(GR_DONT_AUDIT, GR_CAP_ACL_MSG, task, captab_log[cap]);
21980 ++ return 0;
21981 ++}
21982 ++
21983 ++int
21984 ++gr_is_capable_nolog(const int cap)
21985 ++{
21986 ++ struct acl_subject_label *curracl;
21987 ++ __u32 cap_drop = 0, cap_mask = 0;
21988 ++
21989 ++ if (!gr_acl_is_enabled())
21990 ++ return 1;
21991 ++
21992 ++ curracl = current->acl;
21993 ++
21994 ++ cap_drop = curracl->cap_lower;
21995 ++ cap_mask = curracl->cap_mask;
21996 ++
21997 ++ while ((curracl = curracl->parent_subject)) {
21998 ++ cap_drop |= curracl->cap_lower & (cap_mask & ~curracl->cap_mask);
21999 ++ cap_mask |= curracl->cap_mask;
22000 ++ }
22001 ++
22002 ++ if (!cap_raised(cap_drop, cap))
22003 ++ return 1;
22004 ++
22005 ++ return 0;
22006 ++}
22007 ++
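Review bot: `gr_task_is_capable` and `gr_is_capable_nolog` fold the ancestors' `cap_lower` bits into `cap_drop` with opposite mask polarity: the first applies an ancestor's drop only when the bit is absent from the accumulated `cap_mask` and present in the ancestor's (`!(cap_mask & (1 << cap)) && (curracl->cap_mask & (1 << cap))`), while the second uses `cap_mask & ~curracl->cap_mask`, i.e. bits already covered by a nearer subject and not by the ancestor. Unless the asymmetry is intended, the logged and unlogged checks can decide the same capability differently; the whole-mask equivalent of the first loop would be `cap_drop |= curracl->cap_lower & (~cap_mask & curracl->cap_mask);`. Both functions also evaluate `1 << cap` before the only range check, which guards `captab_log[cap]` at the end of `gr_task_is_capable`, so a caller passing `cap >= 32` would get an undefined shift; either the callers (outside this hunk) guarantee the range or an early `if (cap < 0 || cap >= 32) return 0;` belongs ahead of the loop. `ARRAY_SIZE(captab_log)` from linux/kernel.h reads better than the hand-written `sizeof` quotient.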
22008 +diff -Nurp linux-2.6.23.15/grsecurity/gracl_fs.c linux-2.6.23.15-grsec/grsecurity/gracl_fs.c
22009 +--- linux-2.6.23.15/grsecurity/gracl_fs.c 1970-01-01 01:00:00.000000000 +0100
22010 ++++ linux-2.6.23.15-grsec/grsecurity/gracl_fs.c 2008-02-11 10:37:44.000000000 +0000
22011 +@@ -0,0 +1,423 @@
22012 ++#include <linux/kernel.h>
22013 ++#include <linux/sched.h>
22014 ++#include <linux/types.h>
22015 ++#include <linux/fs.h>
22016 ++#include <linux/file.h>
22017 ++#include <linux/stat.h>
22018 ++#include <linux/grsecurity.h>
22019 ++#include <linux/grinternal.h>
22020 ++#include <linux/gracl.h>
22021 ++
22022 ++__u32
22023 ++gr_acl_handle_hidden_file(const struct dentry * dentry,
22024 ++ const struct vfsmount * mnt)
22025 ++{
22026 ++ __u32 mode;
22027 ++
22028 ++ if (unlikely(!dentry->d_inode))
22029 ++ return GR_FIND;
22030 ++
22031 ++ mode =
22032 ++ gr_search_file(dentry, GR_FIND | GR_AUDIT_FIND | GR_SUPPRESS, mnt);
22033 ++
22034 ++ if (unlikely(mode & GR_FIND && mode & GR_AUDIT_FIND)) {
22035 ++ gr_log_fs_rbac_generic(GR_DO_AUDIT, GR_HIDDEN_ACL_MSG, dentry, mnt);
22036 ++ return mode;
22037 ++ } else if (unlikely(!(mode & GR_FIND) && !(mode & GR_SUPPRESS))) {
22038 ++ gr_log_fs_rbac_generic(GR_DONT_AUDIT, GR_HIDDEN_ACL_MSG, dentry, mnt);
22039 ++ return 0;
22040 ++ } else if (unlikely(!(mode & GR_FIND)))
22041 ++ return 0;
22042 ++
22043 ++ return GR_FIND;
22044 ++}
22045 ++
22046 ++__u32
22047 ++gr_acl_handle_open(const struct dentry * dentry, const struct vfsmount * mnt,
22048 ++ const int fmode)
22049 ++{
22050 ++ __u32 reqmode = GR_FIND;
22051 ++ __u32 mode;
22052 ++
22053 ++ if (unlikely(!dentry->d_inode))
22054 ++ return reqmode;
22055 ++
22056 ++ if (unlikely(fmode & O_APPEND))
22057 ++ reqmode |= GR_APPEND;
22058 ++ else if (unlikely(fmode & FMODE_WRITE))
22059 ++ reqmode |= GR_WRITE;
22060 ++ if (likely((fmode & FMODE_READ) && !(fmode & O_DIRECTORY)))
22061 ++ reqmode |= GR_READ;
22062 ++
22063 ++ mode =
22064 ++ gr_search_file(dentry, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS,
22065 ++ mnt);
22066 ++
22067 ++ if (unlikely(((mode & reqmode) == reqmode) && mode & GR_AUDITS)) {
22068 ++ gr_log_fs_rbac_mode2(GR_DO_AUDIT, GR_OPEN_ACL_MSG, dentry, mnt,
22069 ++ reqmode & GR_READ ? " reading" : "",
22070 ++ reqmode & GR_WRITE ? " writing" : reqmode &
22071 ++ GR_APPEND ? " appending" : "");
22072 ++ return reqmode;
22073 ++ } else
22074 ++ if (unlikely((mode & reqmode) != reqmode && !(mode & GR_SUPPRESS)))
22075 ++ {
22076 ++ gr_log_fs_rbac_mode2(GR_DONT_AUDIT, GR_OPEN_ACL_MSG, dentry, mnt,
22077 ++ reqmode & GR_READ ? " reading" : "",
22078 ++ reqmode & GR_WRITE ? " writing" : reqmode &
22079 ++ GR_APPEND ? " appending" : "");
22080 ++ return 0;
22081 ++ } else if (unlikely((mode & reqmode) != reqmode))
22082 ++ return 0;
22083 ++
22084 ++ return reqmode;
22085 ++}
22086 ++
22087 ++__u32
22088 ++gr_acl_handle_creat(const struct dentry * dentry,
22089 ++ const struct dentry * p_dentry,
22090 ++ const struct vfsmount * p_mnt, const int fmode,
22091 ++ const int imode)
22092 ++{
22093 ++ __u32 reqmode = GR_WRITE | GR_CREATE;
22094 ++ __u32 mode;
22095 ++
22096 ++ if (unlikely(fmode & O_APPEND))
22097 ++ reqmode |= GR_APPEND;
22098 ++ if (unlikely((fmode & FMODE_READ) && !(fmode & O_DIRECTORY)))
22099 ++ reqmode |= GR_READ;
22100 ++ if (unlikely((fmode & O_CREAT) && (imode & (S_ISUID | S_ISGID))))
22101 ++ reqmode |= GR_SETID;
22102 ++
22103 ++ mode =
22104 ++ gr_check_create(dentry, p_dentry, p_mnt,
22105 ++ reqmode | to_gr_audit(reqmode) | GR_SUPPRESS);
22106 ++
22107 ++ if (unlikely(((mode & reqmode) == reqmode) && mode & GR_AUDITS)) {
22108 ++ gr_log_fs_rbac_mode2(GR_DO_AUDIT, GR_CREATE_ACL_MSG, dentry, p_mnt,
22109 ++ reqmode & GR_READ ? " reading" : "",
22110 ++ reqmode & GR_WRITE ? " writing" : reqmode &
22111 ++ GR_APPEND ? " appending" : "");
22112 ++ return reqmode;
22113 ++ } else
22114 ++ if (unlikely((mode & reqmode) != reqmode && !(mode & GR_SUPPRESS)))
22115 ++ {
22116 ++ gr_log_fs_rbac_mode2(GR_DONT_AUDIT, GR_CREATE_ACL_MSG, dentry, p_mnt,
22117 ++ reqmode & GR_READ ? " reading" : "",
22118 ++ reqmode & GR_WRITE ? " writing" : reqmode &
22119 ++ GR_APPEND ? " appending" : "");
22120 ++ return 0;
22121 ++ } else if (unlikely((mode & reqmode) != reqmode))
22122 ++ return 0;
22123 ++
22124 ++ return reqmode;
22125 ++}
22126 ++
22127 ++__u32
22128 ++gr_acl_handle_access(const struct dentry * dentry, const struct vfsmount * mnt,
22129 ++ const int fmode)
22130 ++{
22131 ++ __u32 mode, reqmode = GR_FIND;
22132 ++
22133 ++ if ((fmode & S_IXOTH) && !S_ISDIR(dentry->d_inode->i_mode))
22134 ++ reqmode |= GR_EXEC;
22135 ++ if (fmode & S_IWOTH)
22136 ++ reqmode |= GR_WRITE;
22137 ++ if (fmode & S_IROTH)
22138 ++ reqmode |= GR_READ;
22139 ++
22140 ++ mode =
22141 ++ gr_search_file(dentry, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS,
22142 ++ mnt);
22143 ++
22144 ++ if (unlikely(((mode & reqmode) == reqmode) && mode & GR_AUDITS)) {
22145 ++ gr_log_fs_rbac_mode3(GR_DO_AUDIT, GR_ACCESS_ACL_MSG, dentry, mnt,
22146 ++ reqmode & GR_READ ? " reading" : "",
22147 ++ reqmode & GR_WRITE ? " writing" : "",
22148 ++ reqmode & GR_EXEC ? " executing" : "");
22149 ++ return reqmode;
22150 ++ } else
22151 ++ if (unlikely((mode & reqmode) != reqmode && !(mode & GR_SUPPRESS)))
22152 ++ {
22153 ++ gr_log_fs_rbac_mode3(GR_DONT_AUDIT, GR_ACCESS_ACL_MSG, dentry, mnt,
22154 ++ reqmode & GR_READ ? " reading" : "",
22155 ++ reqmode & GR_WRITE ? " writing" : "",
22156 ++ reqmode & GR_EXEC ? " executing" : "");
22157 ++ return 0;
22158 ++ } else if (unlikely((mode & reqmode) != reqmode))
22159 ++ return 0;
22160 ++
22161 ++ return reqmode;
22162 ++}
22163 ++
22164 ++static __u32 generic_fs_handler(const struct dentry *dentry, const struct vfsmount *mnt, __u32 reqmode, const char *fmt)
22165 ++{
22166 ++ __u32 mode;
22167 ++
22168 ++ mode = gr_search_file(dentry, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS, mnt);
22169 ++
22170 ++ if (unlikely(((mode & (reqmode)) == (reqmode)) && mode & GR_AUDITS)) {
22171 ++ gr_log_fs_rbac_generic(GR_DO_AUDIT, fmt, dentry, mnt);
22172 ++ return mode;
22173 ++ } else if (unlikely((mode & (reqmode)) != (reqmode) && !(mode & GR_SUPPRESS))) {
22174 ++ gr_log_fs_rbac_generic(GR_DONT_AUDIT, fmt, dentry, mnt);
22175 ++ return 0;
22176 ++ } else if (unlikely((mode & (reqmode)) != (reqmode)))
22177 ++ return 0;
22178 ++
22179 ++ return (reqmode);
22180 ++}
22181 ++
22182 ++__u32
22183 ++gr_acl_handle_rmdir(const struct dentry * dentry, const struct vfsmount * mnt)
22184 ++{
22185 ++ return generic_fs_handler(dentry, mnt, GR_WRITE | GR_DELETE , GR_RMDIR_ACL_MSG);
22186 ++}
22187 ++
22188 ++__u32
22189 ++gr_acl_handle_unlink(const struct dentry *dentry, const struct vfsmount *mnt)
22190 ++{
22191 ++ return generic_fs_handler(dentry, mnt, GR_WRITE | GR_DELETE , GR_UNLINK_ACL_MSG);
22192 ++}
22193 ++
22194 ++__u32
22195 ++gr_acl_handle_truncate(const struct dentry *dentry, const struct vfsmount *mnt)
22196 ++{
22197 ++ return generic_fs_handler(dentry, mnt, GR_WRITE, GR_TRUNCATE_ACL_MSG);
22198 ++}
22199 ++
22200 ++__u32
22201 ++gr_acl_handle_utime(const struct dentry *dentry, const struct vfsmount *mnt)
22202 ++{
22203 ++ return generic_fs_handler(dentry, mnt, GR_WRITE, GR_ATIME_ACL_MSG);
22204 ++}
22205 ++
22206 ++__u32
22207 ++gr_acl_handle_fchmod(const struct dentry *dentry, const struct vfsmount *mnt,
22208 ++ mode_t mode)
22209 ++{
22210 ++ if (unlikely(dentry->d_inode && S_ISSOCK(dentry->d_inode->i_mode)))
22211 ++ return 1;
22212 ++
22213 ++ if (unlikely((mode != (mode_t)-1) && (mode & (S_ISUID | S_ISGID)))) {
22214 ++ return generic_fs_handler(dentry, mnt, GR_WRITE | GR_SETID,
22215 ++ GR_FCHMOD_ACL_MSG);
22216 ++ } else {
22217 ++ return generic_fs_handler(dentry, mnt, GR_WRITE, GR_FCHMOD_ACL_MSG);
22218 ++ }
22219 ++}
22220 ++
22221 ++__u32
22222 ++gr_acl_handle_chmod(const struct dentry *dentry, const struct vfsmount *mnt,
22223 ++ mode_t mode)
22224 ++{
22225 ++ if (unlikely((mode != (mode_t)-1) && (mode & (S_ISUID | S_ISGID)))) {
22226 ++ return generic_fs_handler(dentry, mnt, GR_WRITE | GR_SETID,
22227 ++ GR_CHMOD_ACL_MSG);
22228 ++ } else {
22229 ++ return generic_fs_handler(dentry, mnt, GR_WRITE, GR_CHMOD_ACL_MSG);
22230 ++ }
22231 ++}
22232 ++
22233 ++__u32
22234 ++gr_acl_handle_chown(const struct dentry *dentry, const struct vfsmount *mnt)
22235 ++{
22236 ++ return generic_fs_handler(dentry, mnt, GR_WRITE, GR_CHOWN_ACL_MSG);
22237 ++}
22238 ++
22239 ++__u32
22240 ++gr_acl_handle_execve(const struct dentry *dentry, const struct vfsmount *mnt)
22241 ++{
22242 ++ return generic_fs_handler(dentry, mnt, GR_EXEC, GR_EXEC_ACL_MSG);
22243 ++}
22244 ++
22245 ++__u32
22246 ++gr_acl_handle_unix(const struct dentry *dentry, const struct vfsmount *mnt)
22247 ++{
22248 ++ return generic_fs_handler(dentry, mnt, GR_READ | GR_WRITE,
22249 ++ GR_UNIXCONNECT_ACL_MSG);
22250 ++}
22251 ++
22252 ++/* hardlinks require at minimum create permission,
22253 ++ any additional privilege required is based on the
22254 ++ privilege of the file being linked to
22255 ++*/
22256 ++__u32
22257 ++gr_acl_handle_link(const struct dentry * new_dentry,
22258 ++ const struct dentry * parent_dentry,
22259 ++ const struct vfsmount * parent_mnt,
22260 ++ const struct dentry * old_dentry,
22261 ++ const struct vfsmount * old_mnt, const char *to)
22262 ++{
22263 ++ __u32 mode;
22264 ++ __u32 needmode = GR_CREATE | GR_LINK;
22265 ++ __u32 needaudit = GR_AUDIT_CREATE | GR_AUDIT_LINK;
22266 ++
22267 ++ mode =
22268 ++ gr_check_link(new_dentry, parent_dentry, parent_mnt, old_dentry,
22269 ++ old_mnt);
22270 ++
22271 ++ if (unlikely(((mode & needmode) == needmode) && (mode & needaudit))) {
22272 ++ gr_log_fs_rbac_str(GR_DO_AUDIT, GR_LINK_ACL_MSG, old_dentry, old_mnt, to);
22273 ++ return mode;
22274 ++ } else if (unlikely(((mode & needmode) != needmode) && !(mode & GR_SUPPRESS))) {
22275 ++ gr_log_fs_rbac_str(GR_DONT_AUDIT, GR_LINK_ACL_MSG, old_dentry, old_mnt, to);
22276 ++ return 0;
22277 ++ } else if (unlikely((mode & needmode) != needmode))
22278 ++ return 0;
22279 ++
22280 ++ return 1;
22281 ++}
22282 ++
22283 ++__u32
22284 ++gr_acl_handle_symlink(const struct dentry * new_dentry,
22285 ++ const struct dentry * parent_dentry,
22286 ++ const struct vfsmount * parent_mnt, const char *from)
22287 ++{
22288 ++ __u32 needmode = GR_WRITE | GR_CREATE;
22289 ++ __u32 mode;
22290 ++
22291 ++ mode =
22292 ++ gr_check_create(new_dentry, parent_dentry, parent_mnt,
22293 ++ GR_CREATE | GR_AUDIT_CREATE |
22294 ++ GR_WRITE | GR_AUDIT_WRITE | GR_SUPPRESS);
22295 ++
22296 ++ if (unlikely(mode & GR_WRITE && mode & GR_AUDITS)) {
22297 ++ gr_log_fs_str_rbac(GR_DO_AUDIT, GR_SYMLINK_ACL_MSG, from, new_dentry, parent_mnt);
22298 ++ return mode;
22299 ++ } else if (unlikely(((mode & needmode) != needmode) && !(mode & GR_SUPPRESS))) {
22300 ++ gr_log_fs_str_rbac(GR_DONT_AUDIT, GR_SYMLINK_ACL_MSG, from, new_dentry, parent_mnt);
22301 ++ return 0;
22302 ++ } else if (unlikely((mode & needmode) != needmode))
22303 ++ return 0;
22304 ++
22305 ++ return (GR_WRITE | GR_CREATE);
22306 ++}
22307 ++
22308 ++static __u32 generic_fs_create_handler(const struct dentry *new_dentry, const struct dentry *parent_dentry, const struct vfsmount *parent_mnt, __u32 reqmode, const char *fmt)
22309 ++{
22310 ++ __u32 mode;
22311 ++
22312 ++ mode = gr_check_create(new_dentry, parent_dentry, parent_mnt, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS);
22313 ++
22314 ++ if (unlikely(((mode & (reqmode)) == (reqmode)) && mode & GR_AUDITS)) {
22315 ++ gr_log_fs_rbac_generic(GR_DO_AUDIT, fmt, new_dentry, parent_mnt);
22316 ++ return mode;
22317 ++ } else if (unlikely((mode & (reqmode)) != (reqmode) && !(mode & GR_SUPPRESS))) {
22318 ++ gr_log_fs_rbac_generic(GR_DONT_AUDIT, fmt, new_dentry, parent_mnt);
22319 ++ return 0;
22320 ++ } else if (unlikely((mode & (reqmode)) != (reqmode)))
22321 ++ return 0;
22322 ++
22323 ++ return (reqmode);
22324 ++}
22325 ++
22326 ++__u32
22327 ++gr_acl_handle_mknod(const struct dentry * new_dentry,
22328 ++ const struct dentry * parent_dentry,
22329 ++ const struct vfsmount * parent_mnt,
22330 ++ const int mode)
22331 ++{
22332 ++ __u32 reqmode = GR_WRITE | GR_CREATE;
22333 ++ if (unlikely(mode & (S_ISUID | S_ISGID)))
22334 ++ reqmode |= GR_SETID;
22335 ++
22336 ++ return generic_fs_create_handler(new_dentry, parent_dentry, parent_mnt,
22337 ++ reqmode, GR_MKNOD_ACL_MSG);
22338 ++}
22339 ++
22340 ++__u32
22341 ++gr_acl_handle_mkdir(const struct dentry *new_dentry,
22342 ++ const struct dentry *parent_dentry,
22343 ++ const struct vfsmount *parent_mnt)
22344 ++{
22345 ++ return generic_fs_create_handler(new_dentry, parent_dentry, parent_mnt,
22346 ++ GR_WRITE | GR_CREATE, GR_MKDIR_ACL_MSG);
22347 ++}
22348 ++
22349 ++#define RENAME_CHECK_SUCCESS(old, new) \
22350 ++ (((old & (GR_WRITE | GR_READ)) == (GR_WRITE | GR_READ)) && \
22351 ++ ((new & (GR_WRITE | GR_READ)) == (GR_WRITE | GR_READ)))
22352 ++
22353 ++int
22354 ++gr_acl_handle_rename(struct dentry *new_dentry,
22355 ++ struct dentry *parent_dentry,
22356 ++ const struct vfsmount *parent_mnt,
22357 ++ struct dentry *old_dentry,
22358 ++ struct inode *old_parent_inode,
22359 ++ struct vfsmount *old_mnt, const char *newname)
22360 ++{
22361 ++ __u32 comp1, comp2;
22362 ++ int error = 0;
22363 ++
22364 ++ if (unlikely(!gr_acl_is_enabled()))
22365 ++ return 0;
22366 ++
22367 ++ if (!new_dentry->d_inode) {
22368 ++ comp1 = gr_check_create(new_dentry, parent_dentry, parent_mnt,
22369 ++ GR_READ | GR_WRITE | GR_CREATE | GR_AUDIT_READ |
22370 ++ GR_AUDIT_WRITE | GR_AUDIT_CREATE | GR_SUPPRESS);
22371 ++ comp2 = gr_search_file(old_dentry, GR_READ | GR_WRITE |
22372 ++ GR_DELETE | GR_AUDIT_DELETE |
22373 ++ GR_AUDIT_READ | GR_AUDIT_WRITE |
22374 ++ GR_SUPPRESS, old_mnt);
22375 ++ } else {
22376 ++ comp1 = gr_search_file(new_dentry, GR_READ | GR_WRITE |
22377 ++ GR_CREATE | GR_DELETE |
22378 ++ GR_AUDIT_CREATE | GR_AUDIT_DELETE |
22379 ++ GR_AUDIT_READ | GR_AUDIT_WRITE |
22380 ++ GR_SUPPRESS, parent_mnt);
22381 ++ comp2 =
22382 ++ gr_search_file(old_dentry,
22383 ++ GR_READ | GR_WRITE | GR_AUDIT_READ |
22384 ++ GR_DELETE | GR_AUDIT_DELETE |
22385 ++ GR_AUDIT_WRITE | GR_SUPPRESS, old_mnt);
22386 ++ }
22387 ++
22388 ++ if (RENAME_CHECK_SUCCESS(comp1, comp2) &&
22389 ++ ((comp1 & GR_AUDITS) || (comp2 & GR_AUDITS)))
22390 ++ gr_log_fs_rbac_str(GR_DO_AUDIT, GR_RENAME_ACL_MSG, old_dentry, old_mnt, newname);
22391 ++ else if (!RENAME_CHECK_SUCCESS(comp1, comp2) && !(comp1 & GR_SUPPRESS)
22392 ++ && !(comp2 & GR_SUPPRESS)) {
22393 ++ gr_log_fs_rbac_str(GR_DONT_AUDIT, GR_RENAME_ACL_MSG, old_dentry, old_mnt, newname);
22394 ++ error = -EACCES;
22395 ++ } else if (unlikely(!RENAME_CHECK_SUCCESS(comp1, comp2)))
22396 ++ error = -EACCES;
22397 ++
22398 ++ return error;
22399 ++}
22400 ++
22401 ++void
22402 ++gr_acl_handle_exit(void)
22403 ++{
22404 ++ u16 id;
22405 ++ char *rolename;
22406 ++ struct file *exec_file;
22407 ++
22408 ++ if (unlikely(current->acl_sp_role && gr_acl_is_enabled())) {
22409 ++ id = current->acl_role_id;
22410 ++ rolename = current->role->rolename;
22411 ++ gr_set_acls(1);
22412 ++ gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_SPROLEL_ACL_MSG, rolename, id);
22413 ++ }
22414 ++
22415 ++ write_lock(&grsec_exec_file_lock);
22416 ++ exec_file = current->exec_file;
22417 ++ current->exec_file = NULL;
22418 ++ write_unlock(&grsec_exec_file_lock);
22419 ++
22420 ++ if (exec_file)
22421 ++ fput(exec_file);
22422 ++}
22423 ++
22424 ++int
22425 ++gr_acl_handle_procpidmem(const struct task_struct *task)
22426 ++{
22427 ++ if (unlikely(!gr_acl_is_enabled()))
22428 ++ return 0;
22429 ++
22430 ++ if (task->acl->mode & GR_PROTPROCFD)
22431 ++ return -EACCES;
22432 ++
22433 ++ return 0;
22434 ++}
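Review bot: `gr_acl_handle_access` dereferences `dentry->d_inode->i_mode` in its first test without checking that the dentry is positive, whereas `gr_acl_handle_hidden_file`, `gr_acl_handle_open` and `gr_acl_handle_fchmod` in the same file all test `dentry->d_inode` first. If the access() caller (outside this hunk) can ever pass a negative dentry, that is a NULL dereference; mirroring the sibling guard `if (unlikely(!dentry->d_inode)) return reqmode;` before the `S_ISDIR` test keeps the handlers consistent. `gr_acl_handle_symlink` grants on `mode & GR_WRITE && mode & GR_AUDITS` while its denial branches require the full `needmode` (`GR_WRITE | GR_CREATE`), so a subject with write but not create permission and an audit bit set would be logged as allowed and returned a non-zero `mode`; worth confirming that is intended, otherwise test `(mode & needmode) == needmode` there as well. `RENAME_CHECK_SUCCESS` uses its `old`/`new` arguments unparenthesized (`old & (GR_WRITE | GR_READ)`); the two call sites pass plain identifiers so it is harmless today, but `((old) & ...)` is the conventional form.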
22435 +diff -Nurp linux-2.6.23.15/grsecurity/gracl_ip.c linux-2.6.23.15-grsec/grsecurity/gracl_ip.c
22436 +--- linux-2.6.23.15/grsecurity/gracl_ip.c 1970-01-01 01:00:00.000000000 +0100
22437 ++++ linux-2.6.23.15-grsec/grsecurity/gracl_ip.c 2008-02-11 10:37:44.000000000 +0000
22438 +@@ -0,0 +1,313 @@
22439 ++#include <linux/kernel.h>
22440 ++#include <asm/uaccess.h>
22441 ++#include <asm/errno.h>
22442 ++#include <net/sock.h>
22443 ++#include <linux/file.h>
22444 ++#include <linux/fs.h>
22445 ++#include <linux/net.h>
22446 ++#include <linux/in.h>
22447 ++#include <linux/skbuff.h>
22448 ++#include <linux/ip.h>
22449 ++#include <linux/udp.h>
22450 ++#include <linux/smp_lock.h>
22451 ++#include <linux/types.h>
22452 ++#include <linux/sched.h>
22453 ++#include <linux/netdevice.h>
22454 ++#include <linux/inetdevice.h>
22455 ++#include <linux/gracl.h>
22456 ++#include <linux/grsecurity.h>
22457 ++#include <linux/grinternal.h>
22458 ++
22459 ++#define GR_BIND 0x01
22460 ++#define GR_CONNECT 0x02
22461 ++#define GR_INVERT 0x04
22462 ++
22463 ++static const char * gr_protocols[256] = {
22464 ++ "ip", "icmp", "igmp", "ggp", "ipencap", "st", "tcp", "cbt",
22465 ++ "egp", "igp", "bbn-rcc", "nvp", "pup", "argus", "emcon", "xnet",
22466 ++ "chaos", "udp", "mux", "dcn", "hmp", "prm", "xns-idp", "trunk-1",
22467 ++ "trunk-2", "leaf-1", "leaf-2", "rdp", "irtp", "iso-tp4", "netblt", "mfe-nsp",
22468 ++ "merit-inp", "sep", "3pc", "idpr", "xtp", "ddp", "idpr-cmtp", "tp++",
22469 ++ "il", "ipv6", "sdrp", "ipv6-route", "ipv6-frag", "idrp", "rsvp", "gre",
22470 ++ "mhrp", "bna", "ipv6-crypt", "ipv6-auth", "i-nlsp", "swipe", "narp", "mobile",
22471 ++ "tlsp", "skip", "ipv6-icmp", "ipv6-nonxt", "ipv6-opts", "unknown:61", "cftp", "unknown:63",
22472 ++ "sat-expak", "kryptolan", "rvd", "ippc", "unknown:68", "sat-mon", "visa", "ipcv",
22473 ++ "cpnx", "cphb", "wsn", "pvp", "br-sat-mon", "sun-nd", "wb-mon", "wb-expak",
22474 ++ "iso-ip", "vmtp", "secure-vmtp", "vines", "ttp", "nfsnet-igp", "dgp", "tcf",
22475 ++ "eigrp", "ospf", "sprite-rpc", "larp", "mtp", "ax.25", "ipip", "micp",
22476 ++ "scc-sp", "etherip", "encap", "unknown:99", "gmtp", "ifmp", "pnni", "pim",
22477 ++ "aris", "scps", "qnx", "a/n", "ipcomp", "snp", "compaq-peer", "ipx-in-ip",
22478 ++ "vrrp", "pgm", "unknown:114", "l2tp", "ddx", "iatp", "stp", "srp",
22479 ++ "uti", "smp", "sm", "ptp", "isis", "fire", "crtp", "crdup",
22480 ++ "sscopmce", "iplt", "sps", "pipe", "sctp", "fc", "unkown:134", "unknown:135",
22481 ++ "unknown:136", "unknown:137", "unknown:138", "unknown:139", "unknown:140", "unknown:141", "unknown:142", "unknown:143",
22482 ++ "unknown:144", "unknown:145", "unknown:146", "unknown:147", "unknown:148", "unknown:149", "unknown:150", "unknown:151",
22483 ++ "unknown:152", "unknown:153", "unknown:154", "unknown:155", "unknown:156", "unknown:157", "unknown:158", "unknown:159",
22484 ++ "unknown:160", "unknown:161", "unknown:162", "unknown:163", "unknown:164", "unknown:165", "unknown:166", "unknown:167",
22485 ++ "unknown:168", "unknown:169", "unknown:170", "unknown:171", "unknown:172", "unknown:173", "unknown:174", "unknown:175",
22486 ++ "unknown:176", "unknown:177", "unknown:178", "unknown:179", "unknown:180", "unknown:181", "unknown:182", "unknown:183",
22487 ++ "unknown:184", "unknown:185", "unknown:186", "unknown:187", "unknown:188", "unknown:189", "unknown:190", "unknown:191",
22488 ++ "unknown:192", "unknown:193", "unknown:194", "unknown:195", "unknown:196", "unknown:197", "unknown:198", "unknown:199",
22489 ++ "unknown:200", "unknown:201", "unknown:202", "unknown:203", "unknown:204", "unknown:205", "unknown:206", "unknown:207",
22490 ++ "unknown:208", "unknown:209", "unknown:210", "unknown:211", "unknown:212", "unknown:213", "unknown:214", "unknown:215",
22491 ++ "unknown:216", "unknown:217", "unknown:218", "unknown:219", "unknown:220", "unknown:221", "unknown:222", "unknown:223",
22492 ++ "unknown:224", "unknown:225", "unknown:226", "unknown:227", "unknown:228", "unknown:229", "unknown:230", "unknown:231",
22493 ++ "unknown:232", "unknown:233", "unknown:234", "unknown:235", "unknown:236", "unknown:237", "unknown:238", "unknown:239",
22494 ++ "unknown:240", "unknown:241", "unknown:242", "unknown:243", "unknown:244", "unknown:245", "unknown:246", "unknown:247",
22495 ++ "unknown:248", "unknown:249", "unknown:250", "unknown:251", "unknown:252", "unknown:253", "unknown:254", "unknown:255",
22496 ++ };
22497 ++
22498 ++static const char * gr_socktypes[11] = {
22499 ++ "unknown:0", "stream", "dgram", "raw", "rdm", "seqpacket", "unknown:6",
22500 ++ "unknown:7", "unknown:8", "unknown:9", "packet"
22501 ++ };
22502 ++
22503 ++const char *
22504 ++gr_proto_to_name(unsigned char proto)
22505 ++{
22506 ++ return gr_protocols[proto];
22507 ++}
22508 ++
22509 ++const char *
22510 ++gr_socktype_to_name(unsigned char type)
22511 ++{
22512 ++ return gr_socktypes[type];
22513 ++}
22514 ++
22515 ++int
22516 ++gr_search_socket(const int domain, const int type, const int protocol)
22517 ++{
22518 ++ struct acl_subject_label *curr;
22519 ++
22520 ++ if (unlikely(!gr_acl_is_enabled()))
22521 ++ goto exit;
22522 ++
22523 ++ if ((domain < 0) || (type < 0) || (protocol < 0) || (domain != PF_INET)
22524 ++ || (domain >= NPROTO) || (type >= SOCK_MAX) || (protocol > 255))
22525 ++ goto exit; // let the kernel handle it
22526 ++
22527 ++ curr = current->acl;
22528 ++
22529 ++ if (!curr->ips)
22530 ++ goto exit;
22531 ++
22532 ++ if ((curr->ip_type & (1 << type)) &&
22533 ++ (curr->ip_proto[protocol / 32] & (1 << (protocol % 32))))
22534 ++ goto exit;
22535 ++
22536 ++ if (curr->mode & (GR_LEARN | GR_INHERITLEARN)) {
22537 ++ /* we don't place acls on raw sockets , and sometimes
22538 ++ dgram/ip sockets are opened for ioctl and not
22539 ++ bind/connect, so we'll fake a bind learn log */
22540 ++ if (type == SOCK_RAW || type == SOCK_PACKET) {
22541 ++ __u32 fakeip = 0;
22542 ++ security_learn(GR_IP_LEARN_MSG, current->role->rolename,
22543 ++ current->role->roletype, current->uid,
22544 ++ current->gid, current->exec_file ?
22545 ++ gr_to_filename(current->exec_file->f_dentry,
22546 ++ current->exec_file->f_vfsmnt) :
22547 ++ curr->filename, curr->filename,
22548 ++ NIPQUAD(fakeip), 0, type,
22549 ++ protocol, GR_CONNECT,
22550 ++NIPQUAD(current->signal->curr_ip));
22551 ++ } else if ((type == SOCK_DGRAM) && (protocol == IPPROTO_IP)) {
22552 ++ __u32 fakeip = 0;
22553 ++ security_learn(GR_IP_LEARN_MSG, current->role->rolename,
22554 ++ current->role->roletype, current->uid,
22555 ++ current->gid, current->exec_file ?
22556 ++ gr_to_filename(current->exec_file->f_dentry,
22557 ++ current->exec_file->f_vfsmnt) :
22558 ++ curr->filename, curr->filename,
22559 ++ NIPQUAD(fakeip), 0, type,
22560 ++ protocol, GR_BIND, NIPQUAD(current->signal->curr_ip));
22561 ++ }
22562 ++ /* we'll log when they use connect or bind */
22563 ++ goto exit;
22564 ++ }
22565 ++
22566 ++ gr_log_str3(GR_DONT_AUDIT, GR_SOCK_MSG, "inet",
22567 ++ gr_socktype_to_name(type), gr_proto_to_name(protocol));
22568 ++
22569 ++ return 0;
22570 ++ exit:
22571 ++ return 1;
22572 ++}
22573 ++
22574 ++int check_ip_policy(struct acl_ip_label *ip, __u32 ip_addr, __u16 ip_port, __u8 protocol, const int mode, const int type, __u32 our_addr, __u32 our_netmask)
22575 ++{
22576 ++ if ((ip->mode & mode) &&
22577 ++ (ip_port >= ip->low) &&
22578 ++ (ip_port <= ip->high) &&
22579 ++ ((ntohl(ip_addr) & our_netmask) ==
22580 ++ (ntohl(our_addr) & our_netmask))
22581 ++ && (ip->proto[protocol / 32] & (1 << (protocol % 32)))
22582 ++ && (ip->type & (1 << type))) {
22583 ++ if (ip->mode & GR_INVERT)
22584 ++ return 2; // specifically denied
22585 ++ else
22586 ++ return 1; // allowed
22587 ++ }
22588 ++
22589 ++ return 0; // not specifically allowed, may continue parsing
22590 ++}
22591 ++
22592 ++static int
22593 ++gr_search_connectbind(const int mode, const struct sock *sk,
22594 ++ const struct sockaddr_in *addr, const int type)
22595 ++{
22596 ++ char iface[IFNAMSIZ] = {0};
22597 ++ struct acl_subject_label *curr;
22598 ++ struct acl_ip_label *ip;
22599 ++ struct net_device *dev;
22600 ++ struct in_device *idev;
22601 ++ unsigned long i;
22602 ++ int ret;
22603 ++ __u32 ip_addr = 0;
22604 ++ __u32 our_addr;
22605 ++ __u32 our_netmask;
22606 ++ char *p;
22607 ++ __u16 ip_port = 0;
22608 ++
22609 ++ if (unlikely(!gr_acl_is_enabled() || sk->sk_family != PF_INET))
22610 ++ return 1;
22611 ++
22612 ++ curr = current->acl;
22613 ++
22614 ++ if (!curr->ips)
22615 ++ return 1;
22616 ++
22617 ++ ip_addr = addr->sin_addr.s_addr;
22618 ++ ip_port = ntohs(addr->sin_port);
22619 ++
22620 ++ if (curr->mode & (GR_LEARN | GR_INHERITLEARN)) {
22621 ++ security_learn(GR_IP_LEARN_MSG, current->role->rolename,
22622 ++ current->role->roletype, current->uid,
22623 ++ current->gid, current->exec_file ?
22624 ++ gr_to_filename(current->exec_file->f_dentry,
22625 ++ current->exec_file->f_vfsmnt) :
22626 ++ curr->filename, curr->filename,
22627 ++ NIPQUAD(ip_addr), ip_port, type,
22628 ++ sk->sk_protocol, mode, NIPQUAD(current->signal->curr_ip));
22629 ++ return 1;
22630 ++ }
22631 ++
22632 ++ for (i = 0; i < curr->ip_num; i++) {
22633 ++ ip = *(curr->ips + i);
22634 ++ if (ip->iface != NULL) {
22635 ++ strncpy(iface, ip->iface, IFNAMSIZ - 1);
22636 ++ p = strchr(iface, ':');
22637 ++ if (p != NULL)
22638 ++ *p = '\0';
22639 ++ dev = dev_get_by_name(iface);
22640 ++ if (dev == NULL)
22641 ++ continue;
22642 ++ idev = in_dev_get(dev);
22643 ++ if (idev == NULL) {
22644 ++ dev_put(dev);
22645 ++ continue;
22646 ++ }
22647 ++ rcu_read_lock();
22648 ++ for_ifa(idev) {
22649 ++ if (!strcmp(ip->iface, ifa->ifa_label)) {
22650 ++ our_addr = ifa->ifa_address;
22651 ++ our_netmask = 0xffffffff;
22652 ++ ret = check_ip_policy(ip, ip_addr, ip_port, sk->sk_protocol, mode, type, our_addr, our_netmask);
22653 ++ if (ret == 1) {
22654 ++ rcu_read_unlock();
22655 ++ in_dev_put(idev);
22656 ++ dev_put(dev);
22657 ++ return 1;
22658 ++ } else if (ret == 2) {
22659 ++ rcu_read_unlock();
22660 ++ in_dev_put(idev);
22661 ++ dev_put(dev);
22662 ++ goto denied;
22663 ++ }
22664 ++ }
22665 ++ } endfor_ifa(idev);
22666 ++ rcu_read_unlock();
22667 ++ in_dev_put(idev);
22668 ++ dev_put(dev);
22669 ++ } else {
22670 ++ our_addr = ip->addr;
22671 ++ our_netmask = ip->netmask;
22672 ++ ret = check_ip_policy(ip, ip_addr, ip_port, sk->sk_protocol, mode, type, our_addr, our_netmask);
22673 ++ if (ret == 1)
22674 ++ return 1;
22675 ++ else if (ret == 2)
22676 ++ goto denied;
22677 ++ }
22678 ++ }
22679 ++
22680 ++denied:
22681 ++ if (mode == GR_BIND)
22682 ++ gr_log_int5_str2(GR_DONT_AUDIT, GR_BIND_ACL_MSG, NIPQUAD(ip_addr), ip_port, gr_socktype_to_name(type), gr_proto_to_name(sk->sk_protocol));
22683 ++ else if (mode == GR_CONNECT)
22684 ++ gr_log_int5_str2(GR_DONT_AUDIT, GR_CONNECT_ACL_MSG, NIPQUAD(ip_addr), ip_port, gr_socktype_to_name(type), gr_proto_to_name(sk->sk_protocol));
22685 ++
22686 ++ return 0;
22687 ++}
22688 ++
22689 ++int
22690 ++gr_search_connect(const struct socket *sock, const struct sockaddr_in *addr)
22691 ++{
22692 ++ return gr_search_connectbind(GR_CONNECT, sock->sk, addr, sock->type);
22693 ++}
22694 ++
22695 ++int
22696 ++gr_search_bind(const struct socket *sock, const struct sockaddr_in *addr)
22697 ++{
22698 ++ return gr_search_connectbind(GR_BIND, sock->sk, addr, sock->type);
22699 ++}
22700 ++
22701 ++int gr_search_listen(const struct socket *sock)
22702 ++{
22703 ++ struct sock *sk = sock->sk;
22704 ++ struct sockaddr_in addr;
22705 ++
22706 ++ addr.sin_addr.s_addr = inet_sk(sk)->saddr;
22707 ++ addr.sin_port = inet_sk(sk)->sport;
22708 ++
22709 ++ return gr_search_connectbind(GR_BIND, sock->sk, &addr, sock->type);
22710 ++}
22711 ++
22712 ++int gr_search_accept(const struct socket *sock)
22713 ++{
22714 ++ struct sock *sk = sock->sk;
22715 ++ struct sockaddr_in addr;
22716 ++
22717 ++ addr.sin_addr.s_addr = inet_sk(sk)->saddr;
22718 ++ addr.sin_port = inet_sk(sk)->sport;
22719 ++
22720 ++ return gr_search_connectbind(GR_BIND, sock->sk, &addr, sock->type);
22721 ++}
22722 ++
22723 ++int
22724 ++gr_search_udp_sendmsg(const struct sock *sk, const struct sockaddr_in *addr)
22725 ++{
22726 ++ if (addr)
22727 ++ return gr_search_connectbind(GR_CONNECT, sk, addr, SOCK_DGRAM);
22728 ++ else {
22729 ++ struct sockaddr_in sin;
22730 ++ const struct inet_sock *inet = inet_sk(sk);
22731 ++
22732 ++ sin.sin_addr.s_addr = inet->daddr;
22733 ++ sin.sin_port = inet->dport;
22734 ++
22735 ++ return gr_search_connectbind(GR_CONNECT, sk, &sin, SOCK_DGRAM);
22736 ++ }
22737 ++}
22738 ++
22739 ++int
22740 ++gr_search_udp_recvmsg(const struct sock *sk, const struct sk_buff *skb)
22741 ++{
22742 ++ struct sockaddr_in sin;
22743 ++
22744 ++ if (unlikely(skb->len < sizeof (struct udphdr)))
22745 ++ return 1; // skip this packet
22746 ++
22747 ++ sin.sin_addr.s_addr = ip_hdr(skb)->saddr;
22748 ++ sin.sin_port = udp_hdr(skb)->source;
22749 ++
22750 ++ return gr_search_connectbind(GR_CONNECT, sk, &sin, SOCK_DGRAM);
22751 ++}
22752 +diff -Nurp linux-2.6.23.15/grsecurity/gracl_learn.c linux-2.6.23.15-grsec/grsecurity/gracl_learn.c
22753 +--- linux-2.6.23.15/grsecurity/gracl_learn.c 1970-01-01 01:00:00.000000000 +0100
22754 ++++ linux-2.6.23.15-grsec/grsecurity/gracl_learn.c 2008-02-11 10:37:44.000000000 +0000
22755 +@@ -0,0 +1,211 @@
22756 ++#include <linux/kernel.h>
22757 ++#include <linux/mm.h>
22758 ++#include <linux/sched.h>
22759 ++#include <linux/poll.h>
22760 ++#include <linux/smp_lock.h>
22761 ++#include <linux/string.h>
22762 ++#include <linux/file.h>
22763 ++#include <linux/types.h>
22764 ++#include <linux/vmalloc.h>
22765 ++#include <linux/grinternal.h>
22766 ++
22767 ++extern ssize_t write_grsec_handler(struct file * file, const char __user * buf,
22768 ++ size_t count, loff_t *ppos);
22769 ++extern int gr_acl_is_enabled(void);
22770 ++
22771 ++static DECLARE_WAIT_QUEUE_HEAD(learn_wait);
22772 ++static int gr_learn_attached;
22773 ++
22774 ++/* use a 512k buffer */
22775 ++#define LEARN_BUFFER_SIZE (512 * 1024)
22776 ++
22777 ++static spinlock_t gr_learn_lock = SPIN_LOCK_UNLOCKED;
22778 ++static DECLARE_MUTEX(gr_learn_user_sem);
22779 ++
22780 ++/* we need to maintain two buffers, so that the kernel context of grlearn
22781 ++ uses a semaphore around the userspace copying, and the other kernel contexts
22782 ++ use a spinlock when copying into the buffer, since they cannot sleep
22783 ++*/
22784 ++static char *learn_buffer;
22785 ++static char *learn_buffer_user;
22786 ++static int learn_buffer_len;
22787 ++static int learn_buffer_user_len;
22788 ++
22789 ++static ssize_t
22790 ++read_learn(struct file *file, char __user * buf, size_t count, loff_t * ppos)
22791 ++{
22792 ++ DECLARE_WAITQUEUE(wait, current);
22793 ++ ssize_t retval = 0;
22794 ++
22795 ++ add_wait_queue(&learn_wait, &wait);
22796 ++ set_current_state(TASK_INTERRUPTIBLE);
22797 ++ do {
22798 ++ down(&gr_learn_user_sem);
22799 ++ spin_lock(&gr_learn_lock);
22800 ++ if (learn_buffer_len)
22801 ++ break;
22802 ++ spin_unlock(&gr_learn_lock);
22803 ++ up(&gr_learn_user_sem);
22804 ++ if (file->f_flags & O_NONBLOCK) {
22805 ++ retval = -EAGAIN;
22806 ++ goto out;
22807 ++ }
22808 ++ if (signal_pending(current)) {
22809 ++ retval = -ERESTARTSYS;
22810 ++ goto out;
22811 ++ }
22812 ++
22813 ++ schedule();
22814 ++ } while (1);
22815 ++
22816 ++ memcpy(learn_buffer_user, learn_buffer, learn_buffer_len);
22817 ++ learn_buffer_user_len = learn_buffer_len;
22818 ++ retval = learn_buffer_len;
22819 ++ learn_buffer_len = 0;
22820 ++
22821 ++ spin_unlock(&gr_learn_lock);
22822 ++
22823 ++ if (copy_to_user(buf, learn_buffer_user, learn_buffer_user_len))
22824 ++ retval = -EFAULT;
22825 ++
22826 ++ up(&gr_learn_user_sem);
22827 ++out:
22828 ++ set_current_state(TASK_RUNNING);
22829 ++ remove_wait_queue(&learn_wait, &wait);
22830 ++ return retval;
22831 ++}
22832 ++
22833 ++static unsigned int
22834 ++poll_learn(struct file * file, poll_table * wait)
22835 ++{
22836 ++ poll_wait(file, &learn_wait, wait);
22837 ++
22838 ++ if (learn_buffer_len)
22839 ++ return (POLLIN | POLLRDNORM);
22840 ++
22841 ++ return 0;
22842 ++}
22843 ++
22844 ++void
22845 ++gr_clear_learn_entries(void)
22846 ++{
22847 ++ char *tmp;
22848 ++
22849 ++ down(&gr_learn_user_sem);
22850 ++ if (learn_buffer != NULL) {
22851 ++ spin_lock(&gr_learn_lock);
22852 ++ tmp = learn_buffer;
22853 ++ learn_buffer = NULL;
22854 ++ spin_unlock(&gr_learn_lock);
22855 ++ vfree(learn_buffer);
22856 ++ }
22857 ++ if (learn_buffer_user != NULL) {
22858 ++ vfree(learn_buffer_user);
22859 ++ learn_buffer_user = NULL;
22860 ++ }
22861 ++ learn_buffer_len = 0;
22862 ++ up(&gr_learn_user_sem);
22863 ++
22864 ++ return;
22865 ++}
22866 ++
22867 ++void
22868 ++gr_add_learn_entry(const char *fmt, ...)
22869 ++{
22870 ++ va_list args;
22871 ++ unsigned int len;
22872 ++
22873 ++ if (!gr_learn_attached)
22874 ++ return;
22875 ++
22876 ++ spin_lock(&gr_learn_lock);
22877 ++
22878 ++ /* leave a gap at the end so we know when it's "full" but don't have to
22879 ++ compute the exact length of the string we're trying to append
22880 ++ */
22881 ++ if (learn_buffer_len > LEARN_BUFFER_SIZE - 16384) {
22882 ++ spin_unlock(&gr_learn_lock);
22883 ++ wake_up_interruptible(&learn_wait);
22884 ++ return;
22885 ++ }
22886 ++ if (learn_buffer == NULL) {
22887 ++ spin_unlock(&gr_learn_lock);
22888 ++ return;
22889 ++ }
22890 ++
22891 ++ va_start(args, fmt);
22892 ++ len = vsnprintf(learn_buffer + learn_buffer_len, LEARN_BUFFER_SIZE - learn_buffer_len, fmt, args);
22893 ++ va_end(args);
22894 ++
22895 ++ learn_buffer_len += len + 1;
22896 ++
22897 ++ spin_unlock(&gr_learn_lock);
22898 ++ wake_up_interruptible(&learn_wait);
22899 ++
22900 ++ return;
22901 ++}
22902 ++
22903 ++static int
22904 ++open_learn(struct inode *inode, struct file *file)
22905 ++{
22906 ++ if (file->f_mode & FMODE_READ && gr_learn_attached)
22907 ++ return -EBUSY;
22908 ++ if (file->f_mode & FMODE_READ) {
22909 ++ int retval = 0;
22910 ++ down(&gr_learn_user_sem);
22911 ++ if (learn_buffer == NULL)
22912 ++ learn_buffer = vmalloc(LEARN_BUFFER_SIZE);
22913 ++ if (learn_buffer_user == NULL)
22914 ++ learn_buffer_user = vmalloc(LEARN_BUFFER_SIZE);
22915 ++ if (learn_buffer == NULL) {
22916 ++ retval = -ENOMEM;
22917 ++ goto out_error;
22918 ++ }
22919 ++ if (learn_buffer_user == NULL) {
22920 ++ retval = -ENOMEM;
22921 ++ goto out_error;
22922 ++ }
22923 ++ learn_buffer_len = 0;
22924 ++ learn_buffer_user_len = 0;
22925 ++ gr_learn_attached = 1;
22926 ++out_error:
22927 ++ up(&gr_learn_user_sem);
22928 ++ return retval;
22929 ++ }
22930 ++ return 0;
22931 ++}
22932 ++
22933 ++static int
22934 ++close_learn(struct inode *inode, struct file *file)
22935 ++{
22936 ++ char *tmp;
22937 ++
22938 ++ if (file->f_mode & FMODE_READ) {
22939 ++ down(&gr_learn_user_sem);
22940 ++ if (learn_buffer != NULL) {
22941 ++ spin_lock(&gr_learn_lock);
22942 ++ tmp = learn_buffer;
22943 ++ learn_buffer = NULL;
22944 ++ spin_unlock(&gr_learn_lock);
22945 ++ vfree(tmp);
22946 ++ }
22947 ++ if (learn_buffer_user != NULL) {
22948 ++ vfree(learn_buffer_user);
22949 ++ learn_buffer_user = NULL;
22950 ++ }
22951 ++ learn_buffer_len = 0;
22952 ++ learn_buffer_user_len = 0;
22953 ++ gr_learn_attached = 0;
22954 ++ up(&gr_learn_user_sem);
22955 ++ }
22956 ++
22957 ++ return 0;
22958 ++}
22959 ++
22960 ++struct file_operations grsec_fops = {
22961 ++ .read = read_learn,
22962 ++ .write = write_grsec_handler,
22963 ++ .open = open_learn,
22964 ++ .release = close_learn,
22965 ++ .poll = poll_learn,
22966 ++};
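Review bot: gr_clear_learn_entries frees the wrong pointer: it saves learn_buffer in tmp, sets learn_buffer to NULL under the spinlock, and then calls `vfree(learn_buffer)`, which is vfree(NULL), so the 512k vmalloc'd buffer is leaked every time the learn entries are cleared. close_learn performs the same sequence correctly with `vfree(tmp);`, and the clear path should match it; close_learn also resets learn_buffer_user_len, so adding `learn_buffer_user_len = 0;` next to `learn_buffer_len = 0;` keeps the two paths consistent. Separately, gr_add_learn_entry adds vsnprintf's return value to learn_buffer_len without comparing it to the remaining space, so a single entry longer than the 16384-byte gap would push learn_buffer_len past LEARN_BUFFER_SIZE and the memcpy in read_learn would then copy beyond the buffer; clamping with `if (len >= LEARN_BUFFER_SIZE - learn_buffer_len) len = LEARN_BUFFER_SIZE - learn_buffer_len - 1;` before the `+= len + 1` (or dropping the oversized entry) closes that.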
22967 +diff -Nurp linux-2.6.23.15/grsecurity/gracl_res.c linux-2.6.23.15-grsec/grsecurity/gracl_res.c
22968 +--- linux-2.6.23.15/grsecurity/gracl_res.c 1970-01-01 01:00:00.000000000 +0100
22969 ++++ linux-2.6.23.15-grsec/grsecurity/gracl_res.c 2008-02-11 10:37:44.000000000 +0000
22970 +@@ -0,0 +1,45 @@
22971 ++#include <linux/kernel.h>
22972 ++#include <linux/sched.h>
22973 ++#include <linux/gracl.h>
22974 ++#include <linux/grinternal.h>
22975 ++
22976 ++static const char *restab_log[] = {
22977 ++ [RLIMIT_CPU] = "RLIMIT_CPU",
22978 ++ [RLIMIT_FSIZE] = "RLIMIT_FSIZE",
22979 ++ [RLIMIT_DATA] = "RLIMIT_DATA",
22980 ++ [RLIMIT_STACK] = "RLIMIT_STACK",
22981 ++ [RLIMIT_CORE] = "RLIMIT_CORE",
22982 ++ [RLIMIT_RSS] = "RLIMIT_RSS",
22983 ++ [RLIMIT_NPROC] = "RLIMIT_NPROC",
22984 ++ [RLIMIT_NOFILE] = "RLIMIT_NOFILE",
22985 ++ [RLIMIT_MEMLOCK] = "RLIMIT_MEMLOCK",
22986 ++ [RLIMIT_AS] = "RLIMIT_AS",
22987 ++ [RLIMIT_LOCKS] = "RLIMIT_LOCKS",
22988 ++ [RLIMIT_LOCKS + 1] = "RLIMIT_CRASH"
22989 ++};
22990 ++
22991 ++void
22992 ++gr_log_resource(const struct task_struct *task,
22993 ++ const int res, const unsigned long wanted, const int gt)
22994 ++{
22995 ++ if (res == RLIMIT_NPROC &&
22996 ++ (cap_raised(task->cap_effective, CAP_SYS_ADMIN) ||
22997 ++ cap_raised(task->cap_effective, CAP_SYS_RESOURCE)))
22998 ++ return;
22999 ++ else if (res == RLIMIT_MEMLOCK &&
23000 ++ cap_raised(task->cap_effective, CAP_IPC_LOCK))
23001 ++ return;
23002 ++
23003 ++ if (!gr_acl_is_enabled() && !grsec_resource_logging)
23004 ++ return;
23005 ++
23006 ++ preempt_disable();
23007 ++
23008 ++ if (unlikely(((gt && wanted > task->signal->rlim[res].rlim_cur) ||
23009 ++ (!gt && wanted >= task->signal->rlim[res].rlim_cur)) &&
23010 ++ task->signal->rlim[res].rlim_cur != RLIM_INFINITY))
23011 ++ gr_log_res_ulong2_str(GR_DONT_AUDIT, GR_RESOURCE_MSG, task, wanted, restab_log[res], task->signal->rlim[res].rlim_cur);
23012 ++ preempt_enable_no_resched();
23013 ++
23014 ++ return;
23015 ++}
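Review bot: restab_log is indexed by the caller-supplied res in the gr_log_res_ulong2_str call with no bounds check, while the table only has entries up to RLIMIT_LOCKS + 1; rlim[] is sized by RLIM_NLIMITS, which is larger than this table, so a caller passing a higher resource number would read past the end of restab_log and hand an invalid pointer to the logger. A guard before preempt_disable() such as `if (res < 0 || res >= ARRAY_SIZE(restab_log)) return;` makes the table itself the bound rather than relying on every caller. The callers are not visible in this hunk, so this may be unreachable today, but the check is cheap and keeps the function safe if another resource is ever passed through.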
23016 +diff -Nurp linux-2.6.23.15/grsecurity/gracl_segv.c linux-2.6.23.15-grsec/grsecurity/gracl_segv.c
23017 +--- linux-2.6.23.15/grsecurity/gracl_segv.c 1970-01-01 01:00:00.000000000 +0100
23018 ++++ linux-2.6.23.15-grsec/grsecurity/gracl_segv.c 2008-02-11 10:37:44.000000000 +0000
23019 +@@ -0,0 +1,301 @@
23020 ++#include <linux/kernel.h>
23021 ++#include <linux/mm.h>
23022 ++#include <asm/uaccess.h>
23023 ++#include <asm/errno.h>
23024 ++#include <asm/mman.h>
23025 ++#include <net/sock.h>
23026 ++#include <linux/file.h>
23027 ++#include <linux/fs.h>
23028 ++#include <linux/net.h>
23029 ++#include <linux/in.h>
23030 ++#include <linux/smp_lock.h>
23031 ++#include <linux/slab.h>
23032 ++#include <linux/types.h>
23033 ++#include <linux/sched.h>
23034 ++#include <linux/timer.h>
23035 ++#include <linux/gracl.h>
23036 ++#include <linux/grsecurity.h>
23037 ++#include <linux/grinternal.h>
23038 ++
23039 ++static struct crash_uid *uid_set;
23040 ++static unsigned short uid_used;
23041 ++static spinlock_t gr_uid_lock = SPIN_LOCK_UNLOCKED;
23042 ++extern rwlock_t gr_inode_lock;
23043 ++extern struct acl_subject_label *
23044 ++ lookup_acl_subj_label(const ino_t inode, const dev_t dev,
23045 ++ struct acl_role_label *role);
23046 ++extern int specific_send_sig_info(int sig, struct siginfo *info, struct task_struct *t);
23047 ++
23048 ++int
23049 ++gr_init_uidset(void)
23050 ++{
23051 ++ uid_set =
23052 ++ kmalloc(GR_UIDTABLE_MAX * sizeof (struct crash_uid), GFP_KERNEL);
23053 ++ uid_used = 0;
23054 ++
23055 ++ return uid_set ? 1 : 0;
23056 ++}
23057 ++
23058 ++void
23059 ++gr_free_uidset(void)
23060 ++{
23061 ++ if (uid_set)
23062 ++ kfree(uid_set);
23063 ++
23064 ++ return;
23065 ++}
23066 ++
23067 ++int
23068 ++gr_find_uid(const uid_t uid)
23069 ++{
23070 ++ struct crash_uid *tmp = uid_set;
23071 ++ uid_t buid;
23072 ++ int low = 0, high = uid_used - 1, mid;
23073 ++
23074 ++ while (high >= low) {
23075 ++ mid = (low + high) >> 1;
23076 ++ buid = tmp[mid].uid;
23077 ++ if (buid == uid)
23078 ++ return mid;
23079 ++ if (buid > uid)
23080 ++ high = mid - 1;
23081 ++ if (buid < uid)
23082 ++ low = mid + 1;
23083 ++ }
23084 ++
23085 ++ return -1;
23086 ++}
23087 ++
23088 ++static __inline__ void
23089 ++gr_insertsort(void)
23090 ++{
23091 ++ unsigned short i, j;
23092 ++ struct crash_uid index;
23093 ++
23094 ++ for (i = 1; i < uid_used; i++) {
23095 ++ index = uid_set[i];
23096 ++ j = i;
23097 ++ while ((j > 0) && uid_set[j - 1].uid > index.uid) {
23098 ++ uid_set[j] = uid_set[j - 1];
23099 ++ j--;
23100 ++ }
23101 ++ uid_set[j] = index;
23102 ++ }
23103 ++
23104 ++ return;
23105 ++}
23106 ++
23107 ++static __inline__ void
23108 ++gr_insert_uid(const uid_t uid, const unsigned long expires)
23109 ++{
23110 ++ int loc;
23111 ++
23112 ++ if (uid_used == GR_UIDTABLE_MAX)
23113 ++ return;
23114 ++
23115 ++ loc = gr_find_uid(uid);
23116 ++
23117 ++ if (loc >= 0) {
23118 ++ uid_set[loc].expires = expires;
23119 ++ return;
23120 ++ }
23121 ++
23122 ++ uid_set[uid_used].uid = uid;
23123 ++ uid_set[uid_used].expires = expires;
23124 ++ uid_used++;
23125 ++
23126 ++ gr_insertsort();
23127 ++
23128 ++ return;
23129 ++}
23130 ++
23131 ++void
23132 ++gr_remove_uid(const unsigned short loc)
23133 ++{
23134 ++ unsigned short i;
23135 ++
23136 ++ for (i = loc + 1; i < uid_used; i++)
23137 ++ uid_set[i - 1] = uid_set[i];
23138 ++
23139 ++ uid_used--;
23140 ++
23141 ++ return;
23142 ++}
23143 ++
23144 ++int
23145 ++gr_check_crash_uid(const uid_t uid)
23146 ++{
23147 ++ int loc;
23148 ++ int ret = 0;
23149 ++
23150 ++ if (unlikely(!gr_acl_is_enabled()))
23151 ++ return 0;
23152 ++
23153 ++ spin_lock(&gr_uid_lock);
23154 ++ loc = gr_find_uid(uid);
23155 ++
23156 ++ if (loc < 0)
23157 ++ goto out_unlock;
23158 ++
23159 ++ if (time_before_eq(uid_set[loc].expires, get_seconds()))
23160 ++ gr_remove_uid(loc);
23161 ++ else
23162 ++ ret = 1;
23163 ++
23164 ++out_unlock:
23165 ++ spin_unlock(&gr_uid_lock);
23166 ++ return ret;
23167 ++}
23168 ++
23169 ++static __inline__ int
23170 ++proc_is_setxid(const struct task_struct *task)
23171 ++{
23172 ++ if (task->uid != task->euid || task->uid != task->suid ||
23173 ++ task->uid != task->fsuid)
23174 ++ return 1;
23175 ++ if (task->gid != task->egid || task->gid != task->sgid ||
23176 ++ task->gid != task->fsgid)
23177 ++ return 1;
23178 ++
23179 ++ return 0;
23180 ++}
23181 ++static __inline__ int
23182 ++gr_fake_force_sig(int sig, struct task_struct *t)
23183 ++{
23184 ++ unsigned long int flags;
23185 ++ int ret, blocked, ignored;
23186 ++ struct k_sigaction *action;
23187 ++
23188 ++ spin_lock_irqsave(&t->sighand->siglock, flags);
23189 ++ action = &t->sighand->action[sig-1];
23190 ++ ignored = action->sa.sa_handler == SIG_IGN;
23191 ++ blocked = sigismember(&t->blocked, sig);
23192 ++ if (blocked || ignored) {
23193 ++ action->sa.sa_handler = SIG_DFL;
23194 ++ if (blocked) {
23195 ++ sigdelset(&t->blocked, sig);
23196 ++ recalc_sigpending_and_wake(t);
23197 ++ }
23198 ++ }
23199 ++ ret = specific_send_sig_info(sig, (void*)1L, t);
23200 ++ spin_unlock_irqrestore(&t->sighand->siglock, flags);
23201 ++
23202 ++ return ret;
23203 ++}
23204 ++
23205 ++void
23206 ++gr_handle_crash(struct task_struct *task, const int sig)
23207 ++{
23208 ++ struct acl_subject_label *curr;
23209 ++ struct acl_subject_label *curr2;
23210 ++ struct task_struct *tsk, *tsk2;
23211 ++
23212 ++ if (sig != SIGSEGV && sig != SIGKILL && sig != SIGBUS && sig != SIGILL)
23213 ++ return;
23214 ++
23215 ++ if (unlikely(!gr_acl_is_enabled()))
23216 ++ return;
23217 ++
23218 ++ curr = task->acl;
23219 ++
23220 ++ if (!(curr->resmask & (1 << GR_CRASH_RES)))
23221 ++ return;
23222 ++
23223 ++ if (time_before_eq(curr->expires, get_seconds())) {
23224 ++ curr->expires = 0;
23225 ++ curr->crashes = 0;
23226 ++ }
23227 ++
23228 ++ curr->crashes++;
23229 ++
23230 ++ if (!curr->expires)
23231 ++ curr->expires = get_seconds() + curr->res[GR_CRASH_RES].rlim_max;
23232 ++
23233 ++ if ((curr->crashes >= curr->res[GR_CRASH_RES].rlim_cur) &&
23234 ++ time_after(curr->expires, get_seconds())) {
23235 ++ if (task->uid && proc_is_setxid(task)) {
23236 ++ gr_log_crash1(GR_DONT_AUDIT, GR_SEGVSTART_ACL_MSG, task, curr->res[GR_CRASH_RES].rlim_max);
23237 ++ spin_lock(&gr_uid_lock);
23238 ++ gr_insert_uid(task->uid, curr->expires);
23239 ++ spin_unlock(&gr_uid_lock);
23240 ++ curr->expires = 0;
23241 ++ curr->crashes = 0;
23242 ++ read_lock(&tasklist_lock);
23243 ++ do_each_thread(tsk2, tsk) {
23244 ++ if (tsk != task && tsk->uid == task->uid)
23245 ++ gr_fake_force_sig(SIGKILL, tsk);
23246 ++ } while_each_thread(tsk2, tsk);
23247 ++ read_unlock(&tasklist_lock);
23248 ++ } else {
23249 ++ gr_log_crash2(GR_DONT_AUDIT, GR_SEGVNOSUID_ACL_MSG, task, curr->res[GR_CRASH_RES].rlim_max);
23250 ++ read_lock(&tasklist_lock);
23251 ++ do_each_thread(tsk2, tsk) {
23252 ++ if (likely(tsk != task)) {
23253 ++ curr2 = tsk->acl;
23254 ++
23255 ++ if (curr2->device == curr->device &&
23256 ++ curr2->inode == curr->inode)
23257 ++ gr_fake_force_sig(SIGKILL, tsk);
23258 ++ }
23259 ++ } while_each_thread(tsk2, tsk);
23260 ++ read_unlock(&tasklist_lock);
23261 ++ }
23262 ++ }
23263 ++
23264 ++ return;
23265 ++}
23266 ++
23267 ++int
23268 ++gr_check_crash_exec(const struct file *filp)
23269 ++{
23270 ++ struct acl_subject_label *curr;
23271 ++
23272 ++ if (unlikely(!gr_acl_is_enabled()))
23273 ++ return 0;
23274 ++
23275 ++ read_lock(&gr_inode_lock);
23276 ++ curr = lookup_acl_subj_label(filp->f_dentry->d_inode->i_ino,
23277 ++ filp->f_dentry->d_inode->i_sb->s_dev,
23278 ++ current->role);
23279 ++ read_unlock(&gr_inode_lock);
23280 ++
23281 ++ if (!curr || !(curr->resmask & (1 << GR_CRASH_RES)) ||
23282 ++ (!curr->crashes && !curr->expires))
23283 ++ return 0;
23284 ++
23285 ++ if ((curr->crashes >= curr->res[GR_CRASH_RES].rlim_cur) &&
23286 ++ time_after(curr->expires, get_seconds()))
23287 ++ return 1;
23288 ++ else if (time_before_eq(curr->expires, get_seconds())) {
23289 ++ curr->crashes = 0;
23290 ++ curr->expires = 0;
23291 ++ }
23292 ++
23293 ++ return 0;
23294 ++}
23295 ++
23296 ++void
23297 ++gr_handle_alertkill(struct task_struct *task)
23298 ++{
23299 ++ struct acl_subject_label *curracl;
23300 ++ __u32 curr_ip;
23301 ++ struct task_struct *p, *p2;
23302 ++
23303 ++ if (unlikely(!gr_acl_is_enabled()))
23304 ++ return;
23305 ++
23306 ++ curracl = task->acl;
23307 ++ curr_ip = task->signal->curr_ip;
23308 ++
23309 ++ if ((curracl->mode & GR_KILLIPPROC) && curr_ip) {
23310 ++ read_lock(&tasklist_lock);
23311 ++ do_each_thread(p2, p) {
23312 ++ if (p->signal->curr_ip == curr_ip)
23313 ++ gr_fake_force_sig(SIGKILL, p);
23314 ++ } while_each_thread(p2, p);
23315 ++ read_unlock(&tasklist_lock);
23316 ++ } else if (curracl->mode & GR_KILLPROC)
23317 ++ gr_fake_force_sig(SIGKILL, task);
23318 ++
23319 ++ return;
23320 ++}
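Review bot: gr_insert_uid tests `uid_used == GR_UIDTABLE_MAX` before it calls gr_find_uid, so once the table is full a uid that is already present is no longer refreshed — the existing-entry update at `uid_set[loc].expires = expires` becomes unreachable exactly when the table is under the most pressure. Doing the lookup first and only then rejecting on a full table keeps the refresh working and turns away only genuinely new uids. Also, gr_handle_crash and gr_check_crash_exec read and reset curr->crashes and curr->expires on the shared acl_subject_label without any lock, so two threads of the same subject crashing at once can race on the counter; whether that is acceptable depends on how the label is shared, which this hunk does not show.
```c
static __inline__ void
gr_insert_uid(const uid_t uid, const unsigned long expires)
{
	int loc;

	/* refresh an existing entry even when the table is full */
	loc = gr_find_uid(uid);
	if (loc >= 0) {
		uid_set[loc].expires = expires;
		return;
	}

	if (uid_used == GR_UIDTABLE_MAX)
		return;

	/* … unchanged: append the new entry and gr_insertsort() … */
```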
23321 +diff -Nurp linux-2.6.23.15/grsecurity/gracl_shm.c linux-2.6.23.15-grsec/grsecurity/gracl_shm.c
23322 +--- linux-2.6.23.15/grsecurity/gracl_shm.c 1970-01-01 01:00:00.000000000 +0100
23323 ++++ linux-2.6.23.15-grsec/grsecurity/gracl_shm.c 2008-02-11 10:37:44.000000000 +0000
23324 +@@ -0,0 +1,33 @@
23325 ++#include <linux/kernel.h>
23326 ++#include <linux/mm.h>
23327 ++#include <linux/sched.h>
23328 ++#include <linux/file.h>
23329 ++#include <linux/ipc.h>
23330 ++#include <linux/gracl.h>
23331 ++#include <linux/grsecurity.h>
23332 ++#include <linux/grinternal.h>
23333 ++
23334 ++int
23335 ++gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
23336 ++ const time_t shm_createtime, const uid_t cuid, const int shmid)
23337 ++{
23338 ++ struct task_struct *task;
23339 ++
23340 ++ if (!gr_acl_is_enabled())
23341 ++ return 1;
23342 ++
23343 ++ task = find_task_by_pid(shm_cprid);
23344 ++
23345 ++ if (unlikely(!task))
23346 ++ task = find_task_by_pid(shm_lapid);
23347 ++
23348 ++ if (unlikely(task && (time_before((unsigned long)task->start_time.tv_sec, (unsigned long)shm_createtime) ||
23349 ++ (task->pid == shm_lapid)) &&
23350 ++ (task->acl->mode & GR_PROTSHM) &&
23351 ++ (task->acl != current->acl))) {
23352 ++ gr_log_int3(GR_DONT_AUDIT, GR_SHMAT_ACL_MSG, cuid, shm_cprid, shmid);
23353 ++ return 0;
23354 ++ }
23355 ++
23356 ++ return 1;
23357 ++}
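Review bot: find_task_by_pid is called twice in gr_handle_shmat and the returned task is then dereferenced (`task->start_time`, `task->pid`, `task->acl->mode`) without holding tasklist_lock or rcu_read_lock and without taking a reference on the task, so the task can exit and be freed between the lookup and the use. The grsec_chroot.c hunk in this same patch brackets its pid lookups with `read_lock(&tasklist_lock);` / `read_unlock(&tasklist_lock);`; doing the same here around the lookups and the checks would make the two files consistent and close that window. Whether task->acl can be NULL for a task found this way is not visible in this hunk; if it can, the `task->acl->mode` test needs a NULL check as well.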
23358 +diff -Nurp linux-2.6.23.15/grsecurity/grsec_chdir.c linux-2.6.23.15-grsec/grsecurity/grsec_chdir.c
23359 +--- linux-2.6.23.15/grsecurity/grsec_chdir.c 1970-01-01 01:00:00.000000000 +0100
23360 ++++ linux-2.6.23.15-grsec/grsecurity/grsec_chdir.c 2008-02-11 10:37:44.000000000 +0000
23361 +@@ -0,0 +1,19 @@
23362 ++#include <linux/kernel.h>
23363 ++#include <linux/sched.h>
23364 ++#include <linux/fs.h>
23365 ++#include <linux/file.h>
23366 ++#include <linux/grsecurity.h>
23367 ++#include <linux/grinternal.h>
23368 ++
23369 ++void
23370 ++gr_log_chdir(const struct dentry *dentry, const struct vfsmount *mnt)
23371 ++{
23372 ++#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR
23373 ++ if ((grsec_enable_chdir && grsec_enable_group &&
23374 ++ in_group_p(grsec_audit_gid)) || (grsec_enable_chdir &&
23375 ++ !grsec_enable_group)) {
23376 ++ gr_log_fs_generic(GR_DO_AUDIT, GR_CHDIR_AUDIT_MSG, dentry, mnt);
23377 ++ }
23378 ++#endif
23379 ++ return;
23380 ++}
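Review bot: The audit condition in gr_log_chdir repeats grsec_enable_chdir in both arms of the `||`, which makes the intent (log when chdir auditing is on and either group filtering is off or the caller is in the audit group) harder to read than it needs to be. The equivalent `if (grsec_enable_chdir && (!grsec_enable_group || in_group_p(grsec_audit_gid)))` evaluates the same way and states the rule once.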
23381 +diff -Nurp linux-2.6.23.15/grsecurity/grsec_chroot.c linux-2.6.23.15-grsec/grsecurity/grsec_chroot.c
23382 +--- linux-2.6.23.15/grsecurity/grsec_chroot.c 1970-01-01 01:00:00.000000000 +0100
23383 ++++ linux-2.6.23.15-grsec/grsecurity/grsec_chroot.c 2008-02-11 10:37:44.000000000 +0000
23384 +@@ -0,0 +1,335 @@
23385 ++#include <linux/kernel.h>
23386 ++#include <linux/module.h>
23387 ++#include <linux/sched.h>
23388 ++#include <linux/file.h>
23389 ++#include <linux/fs.h>
23390 ++#include <linux/mount.h>
23391 ++#include <linux/types.h>
23392 ++#include <linux/pid_namespace.h>
23393 ++#include <linux/grsecurity.h>
23394 ++#include <linux/grinternal.h>
23395 ++
23396 ++int
23397 ++gr_handle_chroot_unix(const pid_t pid)
23398 ++{
23399 ++#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
23400 ++ struct pid *spid = NULL;
23401 ++
23402 ++ if (unlikely(!grsec_enable_chroot_unix))
23403 ++ return 1;
23404 ++
23405 ++ if (likely(!proc_is_chrooted(current)))
23406 ++ return 1;
23407 ++
23408 ++ read_lock(&tasklist_lock);
23409 ++
23410 ++ spid = find_pid(pid);
23411 ++ if (spid) {
23412 ++ struct task_struct *p;
23413 ++ p = pid_task(spid, PIDTYPE_PID);
23414 ++ task_lock(p);
23415 ++ if (unlikely(!have_same_root(current, p))) {
23416 ++ task_unlock(p);
23417 ++ read_unlock(&tasklist_lock);
23418 ++ gr_log_noargs(GR_DONT_AUDIT, GR_UNIX_CHROOT_MSG);
23419 ++ return 0;
23420 ++ }
23421 ++ task_unlock(p);
23422 ++ }
23423 ++ read_unlock(&tasklist_lock);
23424 ++#endif
23425 ++ return 1;
23426 ++}
23427 ++
23428 ++int
23429 ++gr_handle_chroot_nice(void)
23430 ++{
23431 ++#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
23432 ++ if (grsec_enable_chroot_nice && proc_is_chrooted(current)) {
23433 ++ gr_log_noargs(GR_DONT_AUDIT, GR_NICE_CHROOT_MSG);
23434 ++ return -EPERM;
23435 ++ }
23436 ++#endif
23437 ++ return 0;
23438 ++}
23439 ++
23440 ++int
23441 ++gr_handle_chroot_setpriority(struct task_struct *p, const int niceval)
23442 ++{
23443 ++#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
23444 ++ if (grsec_enable_chroot_nice && (niceval < task_nice(p))
23445 ++ && proc_is_chrooted(current)) {
23446 ++ gr_log_str_int(GR_DONT_AUDIT, GR_PRIORITY_CHROOT_MSG, p->comm, p->pid);
23447 ++ return -EACCES;
23448 ++ }
23449 ++#endif
23450 ++ return 0;
23451 ++}
23452 ++
23453 ++int
23454 ++gr_handle_chroot_rawio(const struct inode *inode)
23455 ++{
23456 ++#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
23457 ++ if (grsec_enable_chroot_caps && proc_is_chrooted(current) &&
23458 ++ inode && S_ISBLK(inode->i_mode) && !capable(CAP_SYS_RAWIO))
23459 ++ return 1;
23460 ++#endif
23461 ++ return 0;
23462 ++}
23463 ++
23464 ++int
23465 ++gr_pid_is_chrooted(struct task_struct *p)
23466 ++{
23467 ++#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
23468 ++ if (!grsec_enable_chroot_findtask || !proc_is_chrooted(current) || p == NULL)
23469 ++ return 0;
23470 ++
23471 ++ task_lock(p);
23472 ++ if ((p->exit_state & (EXIT_ZOMBIE | EXIT_DEAD)) ||
23473 ++ !have_same_root(current, p)) {
23474 ++ task_unlock(p);
23475 ++ return 1;
23476 ++ }
23477 ++ task_unlock(p);
23478 ++#endif
23479 ++ return 0;
23480 ++}
23481 ++
23482 ++EXPORT_SYMBOL(gr_pid_is_chrooted);
23483 ++
23484 ++#if defined(CONFIG_GRKERNSEC_CHROOT_DOUBLE) || defined(CONFIG_GRKERNSEC_CHROOT_FCHDIR)
23485 ++int gr_is_outside_chroot(const struct dentry *u_dentry, const struct vfsmount *u_mnt)
23486 ++{
23487 ++ struct dentry *dentry = (struct dentry *)u_dentry;
23488 ++ struct vfsmount *mnt = (struct vfsmount *)u_mnt;
23489 ++ struct dentry *realroot;
23490 ++ struct vfsmount *realrootmnt;
23491 ++ struct dentry *currentroot;
23492 ++ struct vfsmount *currentmnt;
23493 ++ struct task_struct *reaper = child_reaper(current);
23494 ++ int ret = 1;
23495 ++
23496 ++ read_lock(&reaper->fs->lock);
23497 ++ realrootmnt = mntget(reaper->fs->rootmnt);
23498 ++ realroot = dget(reaper->fs->root);
23499 ++ read_unlock(&reaper->fs->lock);
23500 ++
23501 ++ read_lock(&current->fs->lock);
23502 ++ currentmnt = mntget(current->fs->rootmnt);
23503 ++ currentroot = dget(current->fs->root);
23504 ++ read_unlock(&current->fs->lock);
23505 ++
23506 ++ spin_lock(&dcache_lock);
23507 ++ for (;;) {
23508 ++ if (unlikely((dentry == realroot && mnt == realrootmnt)
23509 ++ || (dentry == currentroot && mnt == currentmnt)))
23510 ++ break;
23511 ++ if (unlikely(dentry == mnt->mnt_root || IS_ROOT(dentry))) {
23512 ++ if (mnt->mnt_parent == mnt)
23513 ++ break;
23514 ++ dentry = mnt->mnt_mountpoint;
23515 ++ mnt = mnt->mnt_parent;
23516 ++ continue;
23517 ++ }
23518 ++ dentry = dentry->d_parent;
23519 ++ }
23520 ++ spin_unlock(&dcache_lock);
23521 ++
23522 ++ dput(currentroot);
23523 ++ mntput(currentmnt);
23524 ++
23525 ++ /* access is outside of chroot */
23526 ++ if (dentry == realroot && mnt == realrootmnt)
23527 ++ ret = 0;
23528 ++
23529 ++ dput(realroot);
23530 ++ mntput(realrootmnt);
23531 ++ return ret;
23532 ++}
23533 ++#endif
23534 ++
23535 ++int
23536 ++gr_chroot_fchdir(struct dentry *u_dentry, struct vfsmount *u_mnt)
23537 ++{
23538 ++#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
23539 ++ if (!grsec_enable_chroot_fchdir)
23540 ++ return 1;
23541 ++
23542 ++ if (!proc_is_chrooted(current))
23543 ++ return 1;
23544 ++ else if (!gr_is_outside_chroot(u_dentry, u_mnt)) {
23545 ++ gr_log_fs_generic(GR_DONT_AUDIT, GR_CHROOT_FCHDIR_MSG, u_dentry, u_mnt);
23546 ++ return 0;
23547 ++ }
23548 ++#endif
23549 ++ return 1;
23550 ++}
23551 ++
23552 ++int
23553 ++gr_chroot_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
23554 ++ const time_t shm_createtime)
23555 ++{
23556 ++#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT
23557 ++ struct pid *pid = NULL;
23558 ++ time_t starttime;
23559 ++
23560 ++ if (unlikely(!grsec_enable_chroot_shmat))
23561 ++ return 1;
23562 ++
23563 ++ if (likely(!proc_is_chrooted(current)))
23564 ++ return 1;
23565 ++
23566 ++ read_lock(&tasklist_lock);
23567 ++
23568 ++ pid = find_pid(shm_cprid);
23569 ++ if (pid) {
23570 ++ struct task_struct *p;
23571 ++ p = pid_task(pid, PIDTYPE_PID);
23572 ++ task_lock(p);
23573 ++ starttime = p->start_time.tv_sec;
23574 ++ if (unlikely(!have_same_root(current, p) &&
23575 ++ time_before((unsigned long)starttime, (unsigned long)shm_createtime))) {
23576 ++ task_unlock(p);
23577 ++ read_unlock(&tasklist_lock);
23578 ++ gr_log_noargs(GR_DONT_AUDIT, GR_SHMAT_CHROOT_MSG);
23579 ++ return 0;
23580 ++ }
23581 ++ task_unlock(p);
23582 ++ } else {
23583 ++ pid = find_pid(shm_lapid);
23584 ++ if (pid) {
23585 ++ struct task_struct *p;
23586 ++ p = pid_task(pid, PIDTYPE_PID);
23587 ++ task_lock(p);
23588 ++ if (unlikely(!have_same_root(current, p))) {
23589 ++ task_unlock(p);
23590 ++ read_unlock(&tasklist_lock);
23591 ++ gr_log_noargs(GR_DONT_AUDIT, GR_SHMAT_CHROOT_MSG);
23592 ++ return 0;
23593 ++ }
23594 ++ task_unlock(p);
23595 ++ }
23596 ++ }
23597 ++
23598 ++ read_unlock(&tasklist_lock);
23599 ++#endif
23600 ++ return 1;
23601 ++}
23602 ++
23603 ++void
23604 ++gr_log_chroot_exec(const struct dentry *dentry, const struct vfsmount *mnt)
23605 ++{
23606 ++#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
23607 ++ if (grsec_enable_chroot_execlog && proc_is_chrooted(current))
23608 ++ gr_log_fs_generic(GR_DO_AUDIT, GR_EXEC_CHROOT_MSG, dentry, mnt);
23609 ++#endif
23610 ++ return;
23611 ++}
23612 ++
23613 ++int
23614 ++gr_handle_chroot_mknod(const struct dentry *dentry,
23615 ++ const struct vfsmount *mnt, const int mode)
23616 ++{
23617 ++#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
23618 ++ if (grsec_enable_chroot_mknod && !S_ISFIFO(mode) && !S_ISREG(mode) &&
23619 ++ proc_is_chrooted(current)) {
23620 ++ gr_log_fs_generic(GR_DONT_AUDIT, GR_MKNOD_CHROOT_MSG, dentry, mnt);
23621 ++ return -EPERM;
23622 ++ }
23623 ++#endif
23624 ++ return 0;
23625 ++}
23626 ++
23627 ++int
23628 ++gr_handle_chroot_mount(const struct dentry *dentry,
23629 ++ const struct vfsmount *mnt, const char *dev_name)
23630 ++{
23631 ++#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
23632 ++ if (grsec_enable_chroot_mount && proc_is_chrooted(current)) {
23633 ++ gr_log_str_fs(GR_DONT_AUDIT, GR_MOUNT_CHROOT_MSG, dev_name, dentry, mnt);
23634 ++ return -EPERM;
23635 ++ }
23636 ++#endif
23637 ++ return 0;
23638 ++}
23639 ++
23640 ++int
23641 ++gr_handle_chroot_pivot(void)
23642 ++{
23643 ++#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT
23644 ++ if (grsec_enable_chroot_pivot && proc_is_chrooted(current)) {
23645 ++ gr_log_noargs(GR_DONT_AUDIT, GR_PIVOT_CHROOT_MSG);
23646 ++ return -EPERM;
23647 ++ }
23648 ++#endif
23649 ++ return 0;
23650 ++}
23651 ++
23652 ++int
23653 ++gr_handle_chroot_chroot(const struct dentry *dentry, const struct vfsmount *mnt)
23654 ++{
23655 ++#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
23656 ++ if (grsec_enable_chroot_double && proc_is_chrooted(current) &&
23657 ++ !gr_is_outside_chroot(dentry, mnt)) {
23658 ++ gr_log_fs_generic(GR_DONT_AUDIT, GR_CHROOT_CHROOT_MSG, dentry, mnt);
23659 ++ return -EPERM;
23660 ++ }
23661 ++#endif
23662 ++ return 0;
23663 ++}
23664 ++
23665 ++void
23666 ++gr_handle_chroot_caps(struct task_struct *task)
23667 ++{
23668 ++#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
23669 ++ if (grsec_enable_chroot_caps && proc_is_chrooted(task)) {
23670 ++ task->cap_permitted =
23671 ++ cap_drop(task->cap_permitted, GR_CHROOT_CAPS);
23672 ++ task->cap_inheritable =
23673 ++ cap_drop(task->cap_inheritable, GR_CHROOT_CAPS);
23674 ++ task->cap_effective =
23675 ++ cap_drop(task->cap_effective, GR_CHROOT_CAPS);
23676 ++ }
23677 ++#endif
23678 ++ return;
23679 ++}
23680 ++
23681 ++int
23682 ++gr_handle_chroot_sysctl(const int op)
23683 ++{
23684 ++#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
23685 ++ if (grsec_enable_chroot_sysctl && proc_is_chrooted(current)
23686 ++ && (op & 002))
23687 ++ return -EACCES;
23688 ++#endif
23689 ++ return 0;
23690 ++}
23691 ++
23692 ++void
23693 ++gr_handle_chroot_chdir(struct dentry *dentry, struct vfsmount *mnt)
23694 ++{
23695 ++#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
23696 ++ if (grsec_enable_chroot_chdir)
23697 ++ set_fs_pwd(current->fs, mnt, dentry);
23698 ++#endif
23699 ++ return;
23700 ++}
23701 ++
23702 ++int
23703 ++gr_handle_chroot_chmod(const struct dentry *dentry,
23704 ++ const struct vfsmount *mnt, const int mode)
23705 ++{
23706 ++#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
23707 ++ if (grsec_enable_chroot_chmod &&
23708 ++ ((mode & S_ISUID) || ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP))) &&
23709 ++ proc_is_chrooted(current)) {
23710 ++ gr_log_fs_generic(GR_DONT_AUDIT, GR_CHMOD_CHROOT_MSG, dentry, mnt);
23711 ++ return -EPERM;
23712 ++ }
23713 ++#endif
23714 ++ return 0;
23715 ++}
23716 ++
23717 ++#ifdef CONFIG_SECURITY
23718 ++EXPORT_SYMBOL(gr_handle_chroot_caps);
23719 ++#endif
23720 +diff -Nurp linux-2.6.23.15/grsecurity/grsec_disabled.c linux-2.6.23.15-grsec/grsecurity/grsec_disabled.c
23721 +--- linux-2.6.23.15/grsecurity/grsec_disabled.c 1970-01-01 01:00:00.000000000 +0100
23722 ++++ linux-2.6.23.15-grsec/grsecurity/grsec_disabled.c 2008-02-11 10:37:44.000000000 +0000
23723 +@@ -0,0 +1,418 @@
23724 ++#include <linux/kernel.h>
23725 ++#include <linux/module.h>
23726 ++#include <linux/sched.h>
23727 ++#include <linux/file.h>
23728 ++#include <linux/fs.h>
23729 ++#include <linux/kdev_t.h>
23730 ++#include <linux/net.h>
23731 ++#include <linux/in.h>
23732 ++#include <linux/ip.h>
23733 ++#include <linux/skbuff.h>
23734 ++#include <linux/sysctl.h>
23735 ++
23736 ++#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
23737 ++void
23738 ++pax_set_initial_flags(struct linux_binprm *bprm)
23739 ++{
23740 ++ return;
23741 ++}
23742 ++#endif
23743 ++
23744 ++#ifdef CONFIG_SYSCTL
23745 ++__u32
23746 ++gr_handle_sysctl(const struct ctl_table * table, const int op)
23747 ++{
23748 ++ return 0;
23749 ++}
23750 ++#endif
23751 ++
23752 ++int
23753 ++gr_acl_is_enabled(void)
23754 ++{
23755 ++ return 0;
23756 ++}
23757 ++
23758 ++int
23759 ++gr_handle_rawio(const struct inode *inode)
23760 ++{
23761 ++ return 0;
23762 ++}
23763 ++
23764 ++void
23765 ++gr_acl_handle_psacct(struct task_struct *task, const long code)
23766 ++{
23767 ++ return;
23768 ++}
23769 ++
23770 ++int
23771 ++gr_handle_ptrace(struct task_struct *task, const long request)
23772 ++{
23773 ++ return 0;
23774 ++}
23775 ++
23776 ++int
23777 ++gr_handle_proc_ptrace(struct task_struct *task)
23778 ++{
23779 ++ return 0;
23780 ++}
23781 ++
23782 ++void
23783 ++gr_learn_resource(const struct task_struct *task,
23784 ++ const int res, const unsigned long wanted, const int gt)
23785 ++{
23786 ++ return;
23787 ++}
23788 ++
23789 ++int
23790 ++gr_set_acls(const int type)
23791 ++{
23792 ++ return 0;
23793 ++}
23794 ++
23795 ++int
23796 ++gr_check_hidden_task(const struct task_struct *tsk)
23797 ++{
23798 ++ return 0;
23799 ++}
23800 ++
23801 ++int
23802 ++gr_check_protected_task(const struct task_struct *task)
23803 ++{
23804 ++ return 0;
23805 ++}
23806 ++
23807 ++void
23808 ++gr_copy_label(struct task_struct *tsk)
23809 ++{
23810 ++ return;
23811 ++}
23812 ++
23813 ++void
23814 ++gr_set_pax_flags(struct task_struct *task)
23815 ++{
23816 ++ return;
23817 ++}
23818 ++
23819 ++int
23820 ++gr_set_proc_label(const struct dentry *dentry, const struct vfsmount *mnt)
23821 ++{
23822 ++ return 0;
23823 ++}
23824 ++
23825 ++void
23826 ++gr_handle_delete(const ino_t ino, const dev_t dev)
23827 ++{
23828 ++ return;
23829 ++}
23830 ++
23831 ++void
23832 ++gr_handle_create(const struct dentry *dentry, const struct vfsmount *mnt)
23833 ++{
23834 ++ return;
23835 ++}
23836 ++
23837 ++void
23838 ++gr_handle_crash(struct task_struct *task, const int sig)
23839 ++{
23840 ++ return;
23841 ++}
23842 ++
23843 ++int
23844 ++gr_check_crash_exec(const struct file *filp)
23845 ++{
23846 ++ return 0;
23847 ++}
23848 ++
23849 ++int
23850 ++gr_check_crash_uid(const uid_t uid)
23851 ++{
23852 ++ return 0;
23853 ++}
23854 ++
23855 ++void
23856 ++gr_handle_rename(struct inode *old_dir, struct inode *new_dir,
23857 ++ struct dentry *old_dentry,
23858 ++ struct dentry *new_dentry,
23859 ++ struct vfsmount *mnt, const __u8 replace)
23860 ++{
23861 ++ return;
23862 ++}
23863 ++
23864 ++int
23865 ++gr_search_socket(const int family, const int type, const int protocol)
23866 ++{
23867 ++ return 1;
23868 ++}
23869 ++
23870 ++int
23871 ++gr_search_connectbind(const int mode, const struct socket *sock,
23872 ++ const struct sockaddr_in *addr)
23873 ++{
23874 ++ return 1;
23875 ++}
23876 ++
23877 ++int
23878 ++gr_task_is_capable(struct task_struct *task, const int cap)
23879 ++{
23880 ++ return 1;
23881 ++}
23882 ++
23883 ++int
23884 ++gr_is_capable_nolog(const int cap)
23885 ++{
23886 ++ return 1;
23887 ++}
23888 ++
23889 ++void
23890 ++gr_handle_alertkill(struct task_struct *task)
23891 ++{
23892 ++ return;
23893 ++}
23894 ++
23895 ++__u32
23896 ++gr_acl_handle_execve(const struct dentry * dentry, const struct vfsmount * mnt)
23897 ++{
23898 ++ return 1;
23899 ++}
23900 ++
23901 ++__u32
23902 ++gr_acl_handle_hidden_file(const struct dentry * dentry,
23903 ++ const struct vfsmount * mnt)
23904 ++{
23905 ++ return 1;
23906 ++}
23907 ++
23908 ++__u32
23909 ++gr_acl_handle_open(const struct dentry * dentry, const struct vfsmount * mnt,
23910 ++ const int fmode)
23911 ++{
23912 ++ return 1;
23913 ++}
23914 ++
23915 ++__u32
23916 ++gr_acl_handle_rmdir(const struct dentry * dentry, const struct vfsmount * mnt)
23917 ++{
23918 ++ return 1;
23919 ++}
23920 ++
23921 ++__u32
23922 ++gr_acl_handle_unlink(const struct dentry * dentry, const struct vfsmount * mnt)
23923 ++{
23924 ++ return 1;
23925 ++}
23926 ++
23927 ++int
23928 ++gr_acl_handle_mmap(const struct file *file, const unsigned long prot,
23929 ++ unsigned int *vm_flags)
23930 ++{
23931 ++ return 1;
23932 ++}
23933 ++
23934 ++__u32
23935 ++gr_acl_handle_truncate(const struct dentry * dentry,
23936 ++ const struct vfsmount * mnt)
23937 ++{
23938 ++ return 1;
23939 ++}
23940 ++
23941 ++__u32
23942 ++gr_acl_handle_utime(const struct dentry * dentry, const struct vfsmount * mnt)
23943 ++{
23944 ++ return 1;
23945 ++}
23946 ++
23947 ++__u32
23948 ++gr_acl_handle_access(const struct dentry * dentry,
23949 ++ const struct vfsmount * mnt, const int fmode)
23950 ++{
23951 ++ return 1;
23952 ++}
23953 ++
23954 ++__u32
23955 ++gr_acl_handle_fchmod(const struct dentry * dentry, const struct vfsmount * mnt,
23956 ++ mode_t mode)
23957 ++{
23958 ++ return 1;
23959 ++}
23960 ++
23961 ++__u32
23962 ++gr_acl_handle_chmod(const struct dentry * dentry, const struct vfsmount * mnt,
23963 ++ mode_t mode)
23964 ++{
23965 ++ return 1;
23966 ++}
23967 ++
23968 ++__u32
23969 ++gr_acl_handle_chown(const struct dentry * dentry, const struct vfsmount * mnt)
23970 ++{
23971 ++ return 1;
23972 ++}
23973 ++
23974 ++void
23975 ++grsecurity_init(void)
23976 ++{
23977 ++ return;
23978 ++}
23979 ++
23980 ++__u32
23981 ++gr_acl_handle_mknod(const struct dentry * new_dentry,
23982 ++ const struct dentry * parent_dentry,
23983 ++ const struct vfsmount * parent_mnt,
23984 ++ const int mode)
23985 ++{
23986 ++ return 1;
23987 ++}
23988 ++
23989 ++__u32
23990 ++gr_acl_handle_mkdir(const struct dentry * new_dentry,
23991 ++ const struct dentry * parent_dentry,
23992 ++ const struct vfsmount * parent_mnt)
23993 ++{
23994 ++ return 1;
23995 ++}
23996 ++
23997 ++__u32
23998 ++gr_acl_handle_symlink(const struct dentry * new_dentry,
23999 ++ const struct dentry * parent_dentry,
24000 ++ const struct vfsmount * parent_mnt, const char *from)
24001 ++{
24002 ++ return 1;
24003 ++}
24004 ++
24005 ++__u32
24006 ++gr_acl_handle_link(const struct dentry * new_dentry,
24007 ++ const struct dentry * parent_dentry,
24008 ++ const struct vfsmount * parent_mnt,
24009 ++ const struct dentry * old_dentry,
24010 ++ const struct vfsmount * old_mnt, const char *to)
24011 ++{
24012 ++ return 1;
24013 ++}
24014 ++
24015 ++int
24016 ++gr_acl_handle_rename(const struct dentry *new_dentry,
24017 ++ const struct dentry *parent_dentry,
24018 ++ const struct vfsmount *parent_mnt,
24019 ++ const struct dentry *old_dentry,
24020 ++ const struct inode *old_parent_inode,
24021 ++ const struct vfsmount *old_mnt, const char *newname)
24022 ++{
24023 ++ return 0;
24024 ++}
24025 ++
24026 ++int
24027 ++gr_acl_handle_filldir(const struct file *file, const char *name,
24028 ++ const int namelen, const ino_t ino)
24029 ++{
24030 ++ return 1;
24031 ++}
24032 ++
24033 ++int
24034 ++gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
24035 ++ const time_t shm_createtime, const uid_t cuid, const int shmid)
24036 ++{
24037 ++ return 1;
24038 ++}
24039 ++
24040 ++int
24041 ++gr_search_bind(const struct socket *sock, const struct sockaddr_in *addr)
24042 ++{
24043 ++ return 1;
24044 ++}
24045 ++
24046 ++int
24047 ++gr_search_accept(const struct socket *sock)
24048 ++{
24049 ++ return 1;
24050 ++}
24051 ++
24052 ++int
24053 ++gr_search_listen(const struct socket *sock)
24054 ++{
24055 ++ return 1;
24056 ++}
24057 ++
24058 ++int
24059 ++gr_search_connect(const struct socket *sock, const struct sockaddr_in *addr)
24060 ++{
24061 ++ return 1;
24062 ++}
24063 ++
24064 ++__u32
24065 ++gr_acl_handle_unix(const struct dentry * dentry, const struct vfsmount * mnt)
24066 ++{
24067 ++ return 1;
24068 ++}
24069 ++
24070 ++__u32
24071 ++gr_acl_handle_creat(const struct dentry * dentry,
24072 ++ const struct dentry * p_dentry,
24073 ++ const struct vfsmount * p_mnt, const int fmode,
24074 ++ const int imode)
24075 ++{
24076 ++ return 1;
24077 ++}
24078 ++
24079 ++void
24080 ++gr_acl_handle_exit(void)
24081 ++{
24082 ++ return;
24083 ++}
24084 ++
24085 ++int
24086 ++gr_acl_handle_mprotect(const struct file *file, const unsigned long prot)
24087 ++{
24088 ++ return 1;
24089 ++}
24090 ++
24091 ++void
24092 ++gr_set_role_label(const uid_t uid, const gid_t gid)
24093 ++{
24094 ++ return;
24095 ++}
24096 ++
24097 ++int
24098 ++gr_acl_handle_procpidmem(const struct task_struct *task)
24099 ++{
24100 ++ return 0;
24101 ++}
24102 ++
24103 ++int
24104 ++gr_search_udp_recvmsg(const struct sock *sk, const struct sk_buff *skb)
24105 ++{
24106 ++ return 1;
24107 ++}
24108 ++
24109 ++int
24110 ++gr_search_udp_sendmsg(const struct sock *sk, const struct sockaddr_in *addr)
24111 ++{
24112 ++ return 1;
24113 ++}
24114 ++
24115 ++void
24116 ++gr_set_kernel_label(struct task_struct *task)
24117 ++{
24118 ++ return;
24119 ++}
24120 ++
24121 ++int
24122 ++gr_check_user_change(int real, int effective, int fs)
24123 ++{
24124 ++ return 0;
24125 ++}
24126 ++
24127 ++int
24128 ++gr_check_group_change(int real, int effective, int fs)
24129 ++{
24130 ++ return 0;
24131 ++}
24132 ++
24133 ++
24134 ++EXPORT_SYMBOL(gr_task_is_capable);
24135 ++EXPORT_SYMBOL(gr_is_capable_nolog);
24136 ++EXPORT_SYMBOL(gr_learn_resource);
24137 ++EXPORT_SYMBOL(gr_set_kernel_label);
24138 ++#ifdef CONFIG_SECURITY
24139 ++EXPORT_SYMBOL(gr_check_user_change);
24140 ++EXPORT_SYMBOL(gr_check_group_change);
24141 ++#endif
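Review bot: The stub file carries no comment explaining its return-value convention, which varies per hook: the gr_acl_handle_* and gr_search_* stubs return 1, while gr_acl_handle_rename, gr_acl_handle_procpidmem, gr_handle_ptrace and gr_check_user_change return 0, and nothing tells a reader which value means "permit" for which hook. A maintainer adding a hook has to cross-reference the enabled implementation to pick the neutral value. Suggest a header comment after the includes: `/* Stubs used when grsecurity is compiled out: each returns the value the real hook returns when it permits the operation (1 for the allow-style hooks, 0 for the error-code-style hooks), so callers need no #ifdef. */` The mapping is inferred from the values here, so confirm it against the callers before committing the wording.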
24142 +diff -Nurp linux-2.6.23.15/grsecurity/grsec_exec.c linux-2.6.23.15-grsec/grsecurity/grsec_exec.c
24143 +--- linux-2.6.23.15/grsecurity/grsec_exec.c 1970-01-01 01:00:00.000000000 +0100
24144 ++++ linux-2.6.23.15-grsec/grsecurity/grsec_exec.c 2008-02-11 10:37:44.000000000 +0000
24145 +@@ -0,0 +1,88 @@
24146 ++#include <linux/kernel.h>
24147 ++#include <linux/sched.h>
24148 ++#include <linux/file.h>
24149 ++#include <linux/binfmts.h>
24150 ++#include <linux/smp_lock.h>
24151 ++#include <linux/fs.h>
24152 ++#include <linux/types.h>
24153 ++#include <linux/grdefs.h>
24154 ++#include <linux/grinternal.h>
24155 ++#include <linux/capability.h>
24156 ++
24157 ++#include <asm/uaccess.h>
24158 ++
24159 ++#ifdef CONFIG_GRKERNSEC_EXECLOG
24160 ++static char gr_exec_arg_buf[132];
24161 ++static DECLARE_MUTEX(gr_exec_arg_sem);
24162 ++#endif
24163 ++
24164 ++int
24165 ++gr_handle_nproc(void)
24166 ++{
24167 ++#ifdef CONFIG_GRKERNSEC_EXECVE
24168 ++ if (grsec_enable_execve && current->user &&
24169 ++ (atomic_read(&current->user->processes) >
24170 ++ current->signal->rlim[RLIMIT_NPROC].rlim_cur) &&
24171 ++ !capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE)) {
24172 ++ gr_log_noargs(GR_DONT_AUDIT, GR_NPROC_MSG);
24173 ++ return -EAGAIN;
24174 ++ }
24175 ++#endif
24176 ++ return 0;
24177 ++}
24178 ++
24179 ++void
24180 ++gr_handle_exec_args(struct linux_binprm *bprm, const char __user *__user *argv)
24181 ++{
24182 ++#ifdef CONFIG_GRKERNSEC_EXECLOG
24183 ++ char *grarg = gr_exec_arg_buf;
24184 ++ unsigned int i, x, execlen = 0;
24185 ++ char c;
24186 ++
24187 ++ if (!((grsec_enable_execlog && grsec_enable_group &&
24188 ++ in_group_p(grsec_audit_gid))
24189 ++ || (grsec_enable_execlog && !grsec_enable_group)))
24190 ++ return;
24191 ++
24192 ++ down(&gr_exec_arg_sem);
24193 ++ memset(grarg, 0, sizeof(gr_exec_arg_buf));
24194 ++
24195 ++ if (unlikely(argv == NULL))
24196 ++ goto log;
24197 ++
24198 ++ for (i = 0; i < bprm->argc && execlen < 128; i++) {
24199 ++ const char __user *p;
24200 ++ unsigned int len;
24201 ++
24202 ++ if (copy_from_user(&p, argv + i, sizeof(p)))
24203 ++ goto log;
24204 ++ if (!p)
24205 ++ goto log;
24206 ++ len = strnlen_user(p, 128 - execlen);
24207 ++ if (len > 128 - execlen)
24208 ++ len = 128 - execlen;
24209 ++ else if (len > 0)
24210 ++ len--;
24211 ++ if (copy_from_user(grarg + execlen, p, len))
24212 ++ goto log;
24213 ++
24214 ++ /* rewrite unprintable characters */
24215 ++ for (x = 0; x < len; x++) {
24216 ++ c = *(grarg + execlen + x);
24217 ++ if (c < 32 || c > 126)
24218 ++ *(grarg + execlen + x) = ' ';
24219 ++ }
24220 ++
24221 ++ execlen += len;
24222 ++ *(grarg + execlen) = ' ';
24223 ++ *(grarg + execlen + 1) = '\0';
24224 ++ execlen++;
24225 ++ }
24226 ++
24227 ++ log:
24228 ++ gr_log_fs_str(GR_DO_AUDIT, GR_EXEC_AUDIT_MSG, bprm->file->f_dentry,
24229 ++ bprm->file->f_vfsmnt, grarg);
24230 ++ up(&gr_exec_arg_sem);
24231 ++#endif
24232 ++ return;
24233 ++}
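Review bot: The argument-buffer limit appears as the bare numbers 132 and 128 in gr_exec_arg_buf and throughout gr_handle_exec_args (the loop bound, the strnlen_user limit and both clamps), so the invariant that the buffer keeps room for the trailing space and NUL is implicit. Naming the limit once makes the bounds checks auditable: `#define GR_EXEC_ARG_MAX 128`, `static char gr_exec_arg_buf[GR_EXEC_ARG_MAX + 4];`, and `execlen < GR_EXEC_ARG_MAX` in the loop. gr_exec_arg_sem is a semaphore used purely as a mutex; `static DEFINE_MUTEX(gr_exec_arg_mutex);` with mutex_lock/mutex_unlock is the idiom this kernel version provides and gets lockdep coverage. The group-gated logging predicate on the first `if` is the same expression repeated in grsec_ipc.c and could share one helper.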
24234 +diff -Nurp linux-2.6.23.15/grsecurity/grsec_fifo.c linux-2.6.23.15-grsec/grsecurity/grsec_fifo.c
24235 +--- linux-2.6.23.15/grsecurity/grsec_fifo.c 1970-01-01 01:00:00.000000000 +0100
24236 ++++ linux-2.6.23.15-grsec/grsecurity/grsec_fifo.c 2008-02-11 10:37:44.000000000 +0000
24237 +@@ -0,0 +1,22 @@
24238 ++#include <linux/kernel.h>
24239 ++#include <linux/sched.h>
24240 ++#include <linux/fs.h>
24241 ++#include <linux/file.h>
24242 ++#include <linux/grinternal.h>
24243 ++
24244 ++int
24245 ++gr_handle_fifo(const struct dentry *dentry, const struct vfsmount *mnt,
24246 ++ const struct dentry *dir, const int flag, const int acc_mode)
24247 ++{
24248 ++#ifdef CONFIG_GRKERNSEC_FIFO
24249 ++ if (grsec_enable_fifo && S_ISFIFO(dentry->d_inode->i_mode) &&
24250 ++ !(flag & O_EXCL) && (dir->d_inode->i_mode & S_ISVTX) &&
24251 ++ (dentry->d_inode->i_uid != dir->d_inode->i_uid) &&
24252 ++ (current->fsuid != dentry->d_inode->i_uid)) {
24253 ++ if (!generic_permission(dentry->d_inode, acc_mode, NULL))
24254 ++ gr_log_fs_int2(GR_DONT_AUDIT, GR_FIFO_MSG, dentry, mnt, dentry->d_inode->i_uid, dentry->d_inode->i_gid);
24255 ++ return -EACCES;
24256 ++ }
24257 ++#endif
24258 ++ return 0;
24259 ++}
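Review bot: gr_handle_fifo dereferences dentry->d_inode and dir->d_inode unconditionally, so it relies on every caller passing positive dentries, and nothing in this file states that precondition. A one-line comment above the function would pin it: `/* dentry and dir must be positive (looked-up) dentries; presumably only reached after lookup succeeds — confirm at call sites */`. The generic_permission() call also deserves a note, because its 0-means-granted convention makes the negated test read backwards: the denial is logged only when ordinary DAC would have allowed the open, i.e. when this check is the reason for -EACCES.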
24260 +diff -Nurp linux-2.6.23.15/grsecurity/grsec_fork.c linux-2.6.23.15-grsec/grsecurity/grsec_fork.c
24261 +--- linux-2.6.23.15/grsecurity/grsec_fork.c 1970-01-01 01:00:00.000000000 +0100
24262 ++++ linux-2.6.23.15-grsec/grsecurity/grsec_fork.c 2008-02-11 10:37:44.000000000 +0000
24263 +@@ -0,0 +1,15 @@
24264 ++#include <linux/kernel.h>
24265 ++#include <linux/sched.h>
24266 ++#include <linux/grsecurity.h>
24267 ++#include <linux/grinternal.h>
24268 ++#include <linux/errno.h>
24269 ++
24270 ++void
24271 ++gr_log_forkfail(const int retval)
24272 ++{
24273 ++#ifdef CONFIG_GRKERNSEC_FORKFAIL
24274 ++ if (grsec_enable_forkfail && retval != -ERESTARTNOINTR)
24275 ++ gr_log_int(GR_DONT_AUDIT, GR_FAILFORK_MSG, retval);
24276 ++#endif
24277 ++ return;
24278 ++}
24279 +diff -Nurp linux-2.6.23.15/grsecurity/grsec_init.c linux-2.6.23.15-grsec/grsecurity/grsec_init.c
24280 +--- linux-2.6.23.15/grsecurity/grsec_init.c 1970-01-01 01:00:00.000000000 +0100
24281 ++++ linux-2.6.23.15-grsec/grsecurity/grsec_init.c 2008-02-11 10:37:44.000000000 +0000
24282 +@@ -0,0 +1,230 @@
24283 ++#include <linux/kernel.h>
24284 ++#include <linux/sched.h>
24285 ++#include <linux/mm.h>
24286 ++#include <linux/smp_lock.h>
24287 ++#include <linux/gracl.h>
24288 ++#include <linux/slab.h>
24289 ++#include <linux/vmalloc.h>
24290 ++#include <linux/percpu.h>
24291 ++
24292 ++int grsec_enable_shm;
24293 ++int grsec_enable_link;
24294 ++int grsec_enable_dmesg;
24295 ++int grsec_enable_fifo;
24296 ++int grsec_enable_execve;
24297 ++int grsec_enable_execlog;
24298 ++int grsec_enable_signal;
24299 ++int grsec_enable_forkfail;
24300 ++int grsec_enable_time;
24301 ++int grsec_enable_audit_textrel;
24302 ++int grsec_enable_group;
24303 ++int grsec_audit_gid;
24304 ++int grsec_enable_chdir;
24305 ++int grsec_enable_audit_ipc;
24306 ++int grsec_enable_mount;
24307 ++int grsec_enable_chroot_findtask;
24308 ++int grsec_enable_chroot_mount;
24309 ++int grsec_enable_chroot_shmat;
24310 ++int grsec_enable_chroot_fchdir;
24311 ++int grsec_enable_chroot_double;
24312 ++int grsec_enable_chroot_pivot;
24313 ++int grsec_enable_chroot_chdir;
24314 ++int grsec_enable_chroot_chmod;
24315 ++int grsec_enable_chroot_mknod;
24316 ++int grsec_enable_chroot_nice;
24317 ++int grsec_enable_chroot_execlog;
24318 ++int grsec_enable_chroot_caps;
24319 ++int grsec_enable_chroot_sysctl;
24320 ++int grsec_enable_chroot_unix;
24321 ++int grsec_enable_tpe;
24322 ++int grsec_tpe_gid;
24323 ++int grsec_enable_tpe_all;
24324 ++int grsec_enable_socket_all;
24325 ++int grsec_socket_all_gid;
24326 ++int grsec_enable_socket_client;
24327 ++int grsec_socket_client_gid;
24328 ++int grsec_enable_socket_server;
24329 ++int grsec_socket_server_gid;
24330 ++int grsec_resource_logging;
24331 ++int grsec_lock;
24332 ++
24333 ++spinlock_t grsec_alert_lock = SPIN_LOCK_UNLOCKED;
24334 ++unsigned long grsec_alert_wtime = 0;
24335 ++unsigned long grsec_alert_fyet = 0;
24336 ++
24337 ++spinlock_t grsec_audit_lock = SPIN_LOCK_UNLOCKED;
24338 ++
24339 ++rwlock_t grsec_exec_file_lock = RW_LOCK_UNLOCKED;
24340 ++
24341 ++char *gr_shared_page[4];
24342 ++
24343 ++char *gr_alert_log_fmt;
24344 ++char *gr_audit_log_fmt;
24345 ++char *gr_alert_log_buf;
24346 ++char *gr_audit_log_buf;
24347 ++
24348 ++extern struct gr_arg *gr_usermode;
24349 ++extern unsigned char *gr_system_salt;
24350 ++extern unsigned char *gr_system_sum;
24351 ++
24352 ++void
24353 ++grsecurity_init(void)
24354 ++{
24355 ++ int j;
24356 ++ /* create the per-cpu shared pages */
24357 ++
24358 ++ for (j = 0; j < 4; j++) {
24359 ++ gr_shared_page[j] = (char *)__alloc_percpu(PAGE_SIZE);
24360 ++ if (gr_shared_page[j] == NULL) {
24361 ++ panic("Unable to allocate grsecurity shared page");
24362 ++ return;
24363 ++ }
24364 ++ }
24365 ++
24366 ++ /* allocate log buffers */
24367 ++ gr_alert_log_fmt = kmalloc(512, GFP_KERNEL);
24368 ++ if (!gr_alert_log_fmt) {
24369 ++ panic("Unable to allocate grsecurity alert log format buffer");
24370 ++ return;
24371 ++ }
24372 ++ gr_audit_log_fmt = kmalloc(512, GFP_KERNEL);
24373 ++ if (!gr_audit_log_fmt) {
24374 ++ panic("Unable to allocate grsecurity audit log format buffer");
24375 ++ return;
24376 ++ }
24377 ++ gr_alert_log_buf = (char *) get_zeroed_page(GFP_KERNEL);
24378 ++ if (!gr_alert_log_buf) {
24379 ++ panic("Unable to allocate grsecurity alert log buffer");
24380 ++ return;
24381 ++ }
24382 ++ gr_audit_log_buf = (char *) get_zeroed_page(GFP_KERNEL);
24383 ++ if (!gr_audit_log_buf) {
24384 ++ panic("Unable to allocate grsecurity audit log buffer");
24385 ++ return;
24386 ++ }
24387 ++
24388 ++ /* allocate memory for authentication structure */
24389 ++ gr_usermode = kmalloc(sizeof(struct gr_arg), GFP_KERNEL);
24390 ++ gr_system_salt = kmalloc(GR_SALT_LEN, GFP_KERNEL);
24391 ++ gr_system_sum = kmalloc(GR_SHA_LEN, GFP_KERNEL);
24392 ++
24393 ++ if (!gr_usermode || !gr_system_salt || !gr_system_sum) {
24394 ++ panic("Unable to allocate grsecurity authentication structure");
24395 ++ return;
24396 ++ }
24397 ++
24398 ++#if !defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_SYSCTL_ON)
24399 ++#ifndef CONFIG_GRKERNSEC_SYSCTL
24400 ++ grsec_lock = 1;
24401 ++#endif
24402 ++#ifdef CONFIG_GRKERNSEC_SHM
24403 ++ grsec_enable_shm = 1;
24404 ++#endif
24405 ++#ifdef CONFIG_GRKERNSEC_AUDIT_TEXTREL
24406 ++ grsec_enable_audit_textrel = 1;
24407 ++#endif
24408 ++#ifdef CONFIG_GRKERNSEC_AUDIT_GROUP
24409 ++ grsec_enable_group = 1;
24410 ++ grsec_audit_gid = CONFIG_GRKERNSEC_AUDIT_GID;
24411 ++#endif
24412 ++#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR
24413 ++ grsec_enable_chdir = 1;
24414 ++#endif
24415 ++#ifdef CONFIG_GRKERNSEC_AUDIT_IPC
24416 ++ grsec_enable_audit_ipc = 1;
24417 ++#endif
24418 ++#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
24419 ++ grsec_enable_mount = 1;
24420 ++#endif
24421 ++#ifdef CONFIG_GRKERNSEC_LINK
24422 ++ grsec_enable_link = 1;
24423 ++#endif
24424 ++#ifdef CONFIG_GRKERNSEC_DMESG
24425 ++ grsec_enable_dmesg = 1;
24426 ++#endif
24427 ++#ifdef CONFIG_GRKERNSEC_FIFO
24428 ++ grsec_enable_fifo = 1;
24429 ++#endif
24430 ++#ifdef CONFIG_GRKERNSEC_EXECVE
24431 ++ grsec_enable_execve = 1;
24432 ++#endif
24433 ++#ifdef CONFIG_GRKERNSEC_EXECLOG
24434 ++ grsec_enable_execlog = 1;
24435 ++#endif
24436 ++#ifdef CONFIG_GRKERNSEC_SIGNAL
24437 ++ grsec_enable_signal = 1;
24438 ++#endif
24439 ++#ifdef CONFIG_GRKERNSEC_FORKFAIL
24440 ++ grsec_enable_forkfail = 1;
24441 ++#endif
24442 ++#ifdef CONFIG_GRKERNSEC_TIME
24443 ++ grsec_enable_time = 1;
24444 ++#endif
24445 ++#ifdef CONFIG_GRKERNSEC_RESLOG
24446 ++ grsec_resource_logging = 1;
24447 ++#endif
24448 ++#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
24449 ++ grsec_enable_chroot_findtask = 1;
24450 ++#endif
24451 ++#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
24452 ++ grsec_enable_chroot_unix = 1;
24453 ++#endif
24454 ++#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
24455 ++ grsec_enable_chroot_mount = 1;
24456 ++#endif
24457 ++#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
24458 ++ grsec_enable_chroot_fchdir = 1;
24459 ++#endif
24460 ++#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT
24461 ++ grsec_enable_chroot_shmat = 1;
24462 ++#endif
24463 ++#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
24464 ++ grsec_enable_chroot_double = 1;
24465 ++#endif
24466 ++#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT
24467 ++ grsec_enable_chroot_pivot = 1;
24468 ++#endif
24469 ++#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
24470 ++ grsec_enable_chroot_chdir = 1;
24471 ++#endif
24472 ++#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
24473 ++ grsec_enable_chroot_chmod = 1;
24474 ++#endif
24475 ++#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
24476 ++ grsec_enable_chroot_mknod = 1;
24477 ++#endif
24478 ++#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
24479 ++ grsec_enable_chroot_nice = 1;
24480 ++#endif
24481 ++#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
24482 ++ grsec_enable_chroot_execlog = 1;
24483 ++#endif
24484 ++#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
24485 ++ grsec_enable_chroot_caps = 1;
24486 ++#endif
24487 ++#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
24488 ++ grsec_enable_chroot_sysctl = 1;
24489 ++#endif
24490 ++#ifdef CONFIG_GRKERNSEC_TPE
24491 ++ grsec_enable_tpe = 1;
24492 ++ grsec_tpe_gid = CONFIG_GRKERNSEC_TPE_GID;
24493 ++#ifdef CONFIG_GRKERNSEC_TPE_ALL
24494 ++ grsec_enable_tpe_all = 1;
24495 ++#endif
24496 ++#endif
24497 ++#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
24498 ++ grsec_enable_socket_all = 1;
24499 ++ grsec_socket_all_gid = CONFIG_GRKERNSEC_SOCKET_ALL_GID;
24500 ++#endif
24501 ++#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
24502 ++ grsec_enable_socket_client = 1;
24503 ++ grsec_socket_client_gid = CONFIG_GRKERNSEC_SOCKET_CLIENT_GID;
24504 ++#endif
24505 ++#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
24506 ++ grsec_enable_socket_server = 1;
24507 ++ grsec_socket_server_gid = CONFIG_GRKERNSEC_SOCKET_SERVER_GID;
24508 ++#endif
24509 ++#endif
24510 ++
24511 ++ return;
24512 ++}
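Review bot: Every allocation failure in grsecurity_init is followed by `panic(...); return;` (six times), but panic() does not return, so each `return` is dead code that suggests a recoverable path exists when none does. Dropping the returns, or folding the checks into a small `static void *gr_alloc_or_panic(...)` helper, would make the intent plain. The lock initialisers `SPIN_LOCK_UNLOCKED`/`RW_LOCK_UNLOCKED` are the pre-lockdep form; `DEFINE_SPINLOCK(grsec_alert_lock)`, `DEFINE_SPINLOCK(grsec_audit_lock)` and `DEFINE_RWLOCK(grsec_exec_file_lock)` are the forms this kernel version expects. gr_system_salt and gr_system_sum are kmalloc'd uninitialised; if anything reads them before the authentication path fills them, kzalloc would be the safer default — confirm against gracl.c.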
24513 +diff -Nurp linux-2.6.23.15/grsecurity/grsec_ipc.c linux-2.6.23.15-grsec/grsecurity/grsec_ipc.c
24514 +--- linux-2.6.23.15/grsecurity/grsec_ipc.c 1970-01-01 01:00:00.000000000 +0100
24515 ++++ linux-2.6.23.15-grsec/grsecurity/grsec_ipc.c 2008-02-11 10:37:44.000000000 +0000
24516 +@@ -0,0 +1,81 @@
24517 ++#include <linux/kernel.h>
24518 ++#include <linux/sched.h>
24519 ++#include <linux/types.h>
24520 ++#include <linux/ipc.h>
24521 ++#include <linux/grsecurity.h>
24522 ++#include <linux/grinternal.h>
24523 ++
24524 ++void
24525 ++gr_log_msgget(const int ret, const int msgflg)
24526 ++{
24527 ++#ifdef CONFIG_GRKERNSEC_AUDIT_IPC
24528 ++ if (((grsec_enable_group && in_group_p(grsec_audit_gid) &&
24529 ++ grsec_enable_audit_ipc) || (grsec_enable_audit_ipc &&
24530 ++ !grsec_enable_group)) && (ret >= 0)
24531 ++ && (msgflg & IPC_CREAT))
24532 ++ gr_log_noargs(GR_DO_AUDIT, GR_MSGQ_AUDIT_MSG);
24533 ++#endif
24534 ++ return;
24535 ++}
24536 ++
24537 ++void
24538 ++gr_log_msgrm(const uid_t uid, const uid_t cuid)
24539 ++{
24540 ++#ifdef CONFIG_GRKERNSEC_AUDIT_IPC
24541 ++ if ((grsec_enable_group && in_group_p(grsec_audit_gid) &&
24542 ++ grsec_enable_audit_ipc) ||
24543 ++ (grsec_enable_audit_ipc && !grsec_enable_group))
24544 ++ gr_log_int_int(GR_DO_AUDIT, GR_MSGQR_AUDIT_MSG, uid, cuid);
24545 ++#endif
24546 ++ return;
24547 ++}
24548 ++
24549 ++void
24550 ++gr_log_semget(const int err, const int semflg)
24551 ++{
24552 ++#ifdef CONFIG_GRKERNSEC_AUDIT_IPC
24553 ++ if (((grsec_enable_group && in_group_p(grsec_audit_gid) &&
24554 ++ grsec_enable_audit_ipc) || (grsec_enable_audit_ipc &&
24555 ++ !grsec_enable_group)) && (err >= 0)
24556 ++ && (semflg & IPC_CREAT))
24557 ++ gr_log_noargs(GR_DO_AUDIT, GR_SEM_AUDIT_MSG);
24558 ++#endif
24559 ++ return;
24560 ++}
24561 ++
24562 ++void
24563 ++gr_log_semrm(const uid_t uid, const uid_t cuid)
24564 ++{
24565 ++#ifdef CONFIG_GRKERNSEC_AUDIT_IPC
24566 ++ if ((grsec_enable_group && in_group_p(grsec_audit_gid) &&
24567 ++ grsec_enable_audit_ipc) ||
24568 ++ (grsec_enable_audit_ipc && !grsec_enable_group))
24569 ++ gr_log_int_int(GR_DO_AUDIT, GR_SEMR_AUDIT_MSG, uid, cuid);
24570 ++#endif
24571 ++ return;
24572 ++}
24573 ++
24574 ++void
24575 ++gr_log_shmget(const int err, const int shmflg, const size_t size)
24576 ++{
24577 ++#ifdef CONFIG_GRKERNSEC_AUDIT_IPC
24578 ++ if (((grsec_enable_group && in_group_p(grsec_audit_gid) &&
24579 ++ grsec_enable_audit_ipc) || (grsec_enable_audit_ipc &&
24580 ++ !grsec_enable_group)) && (err >= 0)
24581 ++ && (shmflg & IPC_CREAT))
24582 ++ gr_log_int(GR_DO_AUDIT, GR_SHM_AUDIT_MSG, size);
24583 ++#endif
24584 ++ return;
24585 ++}
24586 ++
24587 ++void
24588 ++gr_log_shmrm(const uid_t uid, const uid_t cuid)
24589 ++{
24590 ++#ifdef CONFIG_GRKERNSEC_AUDIT_IPC
24591 ++ if ((grsec_enable_group && in_group_p(grsec_audit_gid) &&
24592 ++ grsec_enable_audit_ipc) ||
24593 ++ (grsec_enable_audit_ipc && !grsec_enable_group))
24594 ++ gr_log_int_int(GR_DO_AUDIT, GR_SHMR_AUDIT_MSG, uid, cuid);
24595 ++#endif
24596 ++ return;
24597 ++}
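Review bot: All six hooks repeat the same audit predicate, `(grsec_enable_group && in_group_p(grsec_audit_gid) && grsec_enable_audit_ipc) || (grsec_enable_audit_ipc && !grsec_enable_group)`, which is equivalent to `grsec_enable_audit_ipc && (!grsec_enable_group || in_group_p(grsec_audit_gid))`; the same shape appears in gr_handle_exec_args in grsec_exec.c. A single helper, `static inline int gr_audit_ipc_enabled(void) { return grsec_enable_audit_ipc && (!grsec_enable_group || in_group_p(grsec_audit_gid)); }`, would reduce each hook to a one-line test and keep the group gate consistent the next time it changes. In gr_log_shmget the size_t `size` is passed through gr_log_int's varargs; if that slot is narrower than size_t on some arch, an explicit cast matching gr_log_int's prototype would avoid a format mismatch — confirm against the prototype in grinternal.h.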
24598 +diff -Nurp linux-2.6.23.15/grsecurity/grsec_link.c linux-2.6.23.15-grsec/grsecurity/grsec_link.c
24599 +--- linux-2.6.23.15/grsecurity/grsec_link.c 1970-01-01 01:00:00.000000000 +0100
24600 ++++ linux-2.6.23.15-grsec/grsecurity/grsec_link.c 2008-02-11 10:37:44.000000000 +0000
24601 +@@ -0,0 +1,39 @@
24602 ++#include <linux/kernel.h>
24603 ++#include <linux/sched.h>
24604 ++#include <linux/fs.h>
24605 ++#include <linux/file.h>
24606 ++#include <linux/grinternal.h>
24607 ++
24608 ++int
24609 ++gr_handle_follow_link(const struct inode *parent,
24610 ++ const struct inode *inode,
24611 ++ const struct dentry *dentry, const struct vfsmount *mnt)
24612 ++{
24613 ++#ifdef CONFIG_GRKERNSEC_LINK
24614 ++ if (grsec_enable_link && S_ISLNK(inode->i_mode) &&
24615 ++ (parent->i_mode & S_ISVTX) && (parent->i_uid != inode->i_uid) &&
24616 ++ (parent->i_mode & S_IWOTH) && (current->fsuid != inode->i_uid)) {
24617 ++ gr_log_fs_int2(GR_DONT_AUDIT, GR_SYMLINK_MSG, dentry, mnt, inode->i_uid, inode->i_gid);
24618 ++ return -EACCES;
24619 ++ }
24620 ++#endif
24621 ++ return 0;
24622 ++}
24623 ++
24624 ++int
24625 ++gr_handle_hardlink(const struct dentry *dentry,
24626 ++ const struct vfsmount *mnt,
24627 ++ struct inode *inode, const int mode, const char *to)
24628 ++{
24629 ++#ifdef CONFIG_GRKERNSEC_LINK
24630 ++ if (grsec_enable_link && current->fsuid != inode->i_uid &&
24631 ++ (!S_ISREG(mode) || (mode & S_ISUID) ||
24632 ++ ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) ||
24633 ++ (generic_permission(inode, MAY_READ | MAY_WRITE, NULL))) &&
24634 ++ !capable(CAP_FOWNER) && current->uid) {
24635 ++ gr_log_fs_int2_str(GR_DONT_AUDIT, GR_HARDLINK_MSG, dentry, mnt, inode->i_uid, inode->i_gid, to);
24636 ++ return -EPERM;
24637 ++ }
24638 ++#endif
24639 ++ return 0;
24640 ++}
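Review bot: Neither hook documents the policy it enforces, and in gr_handle_hardlink the term `(generic_permission(inode, MAY_READ | MAY_WRITE, NULL))` reads as "the caller has access" when it is the opposite: generic_permission() returns 0 on success, so the term is true exactly when the caller lacks read+write on the target. A short comment above each function would spare the next reader that inversion: for gr_handle_follow_link, `/* Refuse to follow a symlink that lives in a sticky, world-writable directory and is owned by neither the directory owner nor the caller. */`; for gr_handle_hardlink, `/* Refuse (absent CAP_FOWNER or uid 0) to hard-link a file the caller does not own unless it is a regular, non-setuid/setgid file the caller can both read and write. */`. The root bypass tests `current->uid` (real uid) while the ownership tests use fsuid; if that asymmetry is intentional it is worth a word in the same comment.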
24641 +diff -Nurp linux-2.6.23.15/grsecurity/grsec_log.c linux-2.6.23.15-grsec/grsecurity/grsec_log.c
24642 +--- linux-2.6.23.15/grsecurity/grsec_log.c 1970-01-01 01:00:00.000000000 +0100
24643 ++++ linux-2.6.23.15-grsec/grsecurity/grsec_log.c 2008-02-11 10:37:44.000000000 +0000
24644 +@@ -0,0 +1,269 @@
24645 ++#include <linux/kernel.h>
24646 ++#include <linux/sched.h>
24647 ++#include <linux/file.h>
24648 ++#include <linux/tty.h>
24649 ++#include <linux/fs.h>
24650 ++#include <linux/grinternal.h>
24651 ++
24652 ++#define BEGIN_LOCKS(x) \
24653 ++ read_lock(&tasklist_lock); \
24654 ++ read_lock(&grsec_exec_file_lock); \
24655 ++ if (x != GR_DO_AUDIT) \
24656 ++ spin_lock(&grsec_alert_lock); \
24657 ++ else \
24658 ++ spin_lock(&grsec_audit_lock)
24659 ++
24660 ++#define END_LOCKS(x) \
24661 ++ if (x != GR_DO_AUDIT) \
24662 ++ spin_unlock(&grsec_alert_lock); \
24663 ++ else \
24664 ++ spin_unlock(&grsec_audit_lock); \
24665 ++ read_unlock(&grsec_exec_file_lock); \
24666 ++ read_unlock(&tasklist_lock); \
24667 ++ if (x == GR_DONT_AUDIT) \
24668 ++ gr_handle_alertkill(current)
24669 ++
24670 ++enum {
24671 ++ FLOODING,
24672 ++ NO_FLOODING
24673 ++};
24674 ++
24675 ++extern char *gr_alert_log_fmt;
24676 ++extern char *gr_audit_log_fmt;
24677 ++extern char *gr_alert_log_buf;
24678 ++extern char *gr_audit_log_buf;
24679 ++
24680 ++static int gr_log_start(int audit)
24681 ++{
24682 ++ char *loglevel = (audit == GR_DO_AUDIT) ? KERN_INFO : KERN_ALERT;
24683 ++ char *fmt = (audit == GR_DO_AUDIT) ? gr_audit_log_fmt : gr_alert_log_fmt;
24684 ++ char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
24685 ++
24686 ++ if (audit == GR_DO_AUDIT)
24687 ++ goto set_fmt;
24688 ++
24689 ++ if (!grsec_alert_wtime || jiffies - grsec_alert_wtime > CONFIG_GRKERNSEC_FLOODTIME * HZ) {
24690 ++ grsec_alert_wtime = jiffies;
24691 ++ grsec_alert_fyet = 0;
24692 ++ } else if ((jiffies - grsec_alert_wtime < CONFIG_GRKERNSEC_FLOODTIME * HZ) && (grsec_alert_fyet < CONFIG_GRKERNSEC_FLOODBURST)) {
24693 ++ grsec_alert_fyet++;
24694 ++ } else if (grsec_alert_fyet == CONFIG_GRKERNSEC_FLOODBURST) {
24695 ++ grsec_alert_wtime = jiffies;
24696 ++ grsec_alert_fyet++;
24697 ++ printk(KERN_ALERT "grsec: more alerts, logging disabled for %d seconds\n", CONFIG_GRKERNSEC_FLOODTIME);
24698 ++ return FLOODING;
24699 ++ } else return FLOODING;
24700 ++
24701 ++set_fmt:
24702 ++ memset(buf, 0, PAGE_SIZE);
24703 ++ if (current->signal->curr_ip && gr_acl_is_enabled()) {
24704 ++ sprintf(fmt, "%s%s", loglevel, "grsec: From %u.%u.%u.%u: (%.64s:%c:%.950s) ");
24705 ++ snprintf(buf, PAGE_SIZE - 1, fmt, NIPQUAD(current->signal->curr_ip), current->role->rolename, gr_roletype_to_char(), current->acl->filename);
24706 ++ } else if (current->signal->curr_ip) {
24707 ++ sprintf(fmt, "%s%s", loglevel, "grsec: From %u.%u.%u.%u: ");
24708 ++ snprintf(buf, PAGE_SIZE - 1, fmt, NIPQUAD(current->signal->curr_ip));
24709 ++ } else if (gr_acl_is_enabled()) {
24710 ++ sprintf(fmt, "%s%s", loglevel, "grsec: (%.64s:%c:%.950s) ");
24711 ++ snprintf(buf, PAGE_SIZE - 1, fmt, current->role->rolename, gr_roletype_to_char(), current->acl->filename);
24712 ++ } else {
24713 ++ sprintf(fmt, "%s%s", loglevel, "grsec: ");
24714 ++ strcpy(buf, fmt);
24715 ++ }
24716 ++
24717 ++ return NO_FLOODING;
24718 ++}
24719 ++
24720 ++static void gr_log_middle(int audit, const char *msg, va_list ap)
24721 ++{
24722 ++ char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
24723 ++ unsigned int len = strlen(buf);
24724 ++
24725 ++ vsnprintf(buf + len, PAGE_SIZE - len - 1, msg, ap);
24726 ++
24727 ++ return;
24728 ++}
24729 ++
24730 ++static void gr_log_middle_varargs(int audit, const char *msg, ...)
24731 ++{
24732 ++ char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
24733 ++ unsigned int len = strlen(buf);
24734 ++ va_list ap;
24735 ++
24736 ++ va_start(ap, msg);
24737 ++ vsnprintf(buf + len, PAGE_SIZE - len - 1, msg, ap);
24738 ++ va_end(ap);
24739 ++
24740 ++ return;
24741 ++}
24742 ++
24743 ++static void gr_log_end(int audit)
24744 ++{
24745 ++ char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
24746 ++ unsigned int len = strlen(buf);
24747 ++
24748 ++ snprintf(buf + len, PAGE_SIZE - len - 1, DEFAULTSECMSG, DEFAULTSECARGS(current));
24749 ++ printk("%s\n", buf);
24750 ++
24751 ++ return;
24752 ++}
24753 ++
24754 ++void gr_log_varargs(int audit, const char *msg, int argtypes, ...)
24755 ++{
24756 ++ int logtype;
24757 ++ char *result = (audit == GR_DO_AUDIT) ? "successful" : "denied";
24758 ++ char *str1, *str2, *str3;
24759 ++ int num1, num2;
24760 ++ unsigned long ulong1, ulong2;
24761 ++ struct dentry *dentry;
24762 ++ struct vfsmount *mnt;
24763 ++ struct file *file;
24764 ++ struct task_struct *task;
24765 ++ va_list ap;
24766 ++
24767 ++ BEGIN_LOCKS(audit);
24768 ++ logtype = gr_log_start(audit);
24769 ++ if (logtype == FLOODING) {
24770 ++ END_LOCKS(audit);
24771 ++ return;
24772 ++ }
24773 ++ va_start(ap, argtypes);
24774 ++ switch (argtypes) {
24775 ++ case GR_TTYSNIFF:
24776 ++ task = va_arg(ap, struct task_struct *);
24777 ++ gr_log_middle_varargs(audit, msg, NIPQUAD(task->signal->curr_ip), gr_task_fullpath0(task), task->comm, task->pid, gr_parent_task_fullpath0(task), task->parent->comm, task->parent->pid);
24778 ++ break;
24779 ++ case GR_SYSCTL_HIDDEN:
24780 ++ str1 = va_arg(ap, char *);
24781 ++ gr_log_middle_varargs(audit, msg, result, str1);
24782 ++ break;
24783 ++ case GR_RBAC:
24784 ++ dentry = va_arg(ap, struct dentry *);
24785 ++ mnt = va_arg(ap, struct vfsmount *);
24786 ++ gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt));
24787 ++ break;
24788 ++ case GR_RBAC_STR:
24789 ++ dentry = va_arg(ap, struct dentry *);
24790 ++ mnt = va_arg(ap, struct vfsmount *);
24791 ++ str1 = va_arg(ap, char *);
24792 ++ gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt), str1);
24793 ++ break;
24794 ++ case GR_STR_RBAC:
24795 ++ str1 = va_arg(ap, char *);
24796 ++ dentry = va_arg(ap, struct dentry *);
24797 ++ mnt = va_arg(ap, struct vfsmount *);
24798 ++ gr_log_middle_varargs(audit, msg, result, str1, gr_to_filename(dentry, mnt));
24799 ++ break;
24800 ++ case GR_RBAC_MODE2:
24801 ++ dentry = va_arg(ap, struct dentry *);
24802 ++ mnt = va_arg(ap, struct vfsmount *);
24803 ++ str1 = va_arg(ap, char *);
24804 ++ str2 = va_arg(ap, char *);
24805 ++ gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt), str1, str2);
24806 ++ break;
24807 ++ case GR_RBAC_MODE3:
24808 ++ dentry = va_arg(ap, struct dentry *);
24809 ++ mnt = va_arg(ap, struct vfsmount *);
24810 ++ str1 = va_arg(ap, char *);
24811 ++ str2 = va_arg(ap, char *);
24812 ++ str3 = va_arg(ap, char *);
24813 ++ gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt), str1, str2, str3);
24814 ++ break;
24815 ++ case GR_FILENAME:
24816 ++ dentry = va_arg(ap, struct dentry *);
24817 ++ mnt = va_arg(ap, struct vfsmount *);
24818 ++ gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt));
24819 ++ break;
24820 ++ case GR_STR_FILENAME:
24821 ++ str1 = va_arg(ap, char *);
24822 ++ dentry = va_arg(ap, struct dentry *);
24823 ++ mnt = va_arg(ap, struct vfsmount *);
24824 ++ gr_log_middle_varargs(audit, msg, str1, gr_to_filename(dentry, mnt));
24825 ++ break;
24826 ++ case GR_FILENAME_STR:
24827 ++ dentry = va_arg(ap, struct dentry *);
24828 ++ mnt = va_arg(ap, struct vfsmount *);
24829 ++ str1 = va_arg(ap, char *);
24830 ++ gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt), str1);
24831 ++ break;
24832 ++ case GR_FILENAME_TWO_INT:
24833 ++ dentry = va_arg(ap, struct dentry *);
24834 ++ mnt = va_arg(ap, struct vfsmount *);
24835 ++ num1 = va_arg(ap, int);
24836 ++ num2 = va_arg(ap, int);
24837 ++ gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt), num1, num2);
24838 ++ break;
24839 ++ case GR_FILENAME_TWO_INT_STR:
24840 ++ dentry = va_arg(ap, struct dentry *);
24841 ++ mnt = va_arg(ap, struct vfsmount *);
24842 ++ num1 = va_arg(ap, int);
24843 ++ num2 = va_arg(ap, int);
24844 ++ str1 = va_arg(ap, char *);
24845 ++ gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt), num1, num2, str1);
24846 ++ break;
24847 ++ case GR_TEXTREL:
24848 ++ file = va_arg(ap, struct file *);
24849 ++ ulong1 = va_arg(ap, unsigned long);
24850 ++ ulong2 = va_arg(ap, unsigned long);
24851 ++ gr_log_middle_varargs(audit, msg, file ? gr_to_filename(file->f_dentry, file->f_vfsmnt) : "<anonymous mapping>", ulong1, ulong2);
24852 ++ break;
24853 ++ case GR_PTRACE:
24854 ++ task = va_arg(ap, struct task_struct *);
24855 ++ gr_log_middle_varargs(audit, msg, task->exec_file ? gr_to_filename(task->exec_file->f_dentry, task->exec_file->f_vfsmnt) : "(none)", task->comm, task->pid);
24856 ++ break;
24857 ++ case GR_RESOURCE:
24858 ++ task = va_arg(ap, struct task_struct *);
24859 ++ ulong1 = va_arg(ap, unsigned long);
24860 ++ str1 = va_arg(ap, char *);
24861 ++ ulong2 = va_arg(ap, unsigned long);
24862 ++ gr_log_middle_varargs(audit, msg, ulong1, str1, ulong2, gr_task_fullpath(task), task->comm, task->pid, task->uid, task->euid, task->gid, task->egid, gr_parent_task_fullpath(task), task->parent->comm, task->parent->pid, task->parent->uid, task->parent->euid, task->parent->gid, task->parent->egid);
24863 ++ break;
24864 ++ case GR_CAP:
24865 ++ task = va_arg(ap, struct task_struct *);
24866 ++ str1 = va_arg(ap, char *);
24867 ++ gr_log_middle_varargs(audit, msg, str1, gr_task_fullpath(task), task->comm, task->pid, task->uid, task->euid, task->gid, task->egid, gr_parent_task_fullpath(task), task->parent->comm, task->parent->pid, task->parent->uid, task->parent->euid, task->parent->gid, task->parent->egid);
24868 ++ break;
24869 ++ case GR_SIG:
24870 ++ task = va_arg(ap, struct task_struct *);
24871 ++ num1 = va_arg(ap, int);
24872 ++ gr_log_middle_varargs(audit, msg, num1, gr_task_fullpath0(task), task->comm, task->pid, task->uid, task->euid, task->gid, task->egid, gr_parent_task_fullpath0(task), task->parent->comm, task->parent->pid, task->parent->uid, task->parent->euid, task->parent->gid, task->parent->egid);
24873 ++ break;
24874 ++ case GR_CRASH1:
24875 ++ task = va_arg(ap, struct task_struct *);
24876 ++ ulong1 = va_arg(ap, unsigned long);
24877 ++ gr_log_middle_varargs(audit, msg, gr_task_fullpath(task), task->comm, task->pid, task->uid, task->euid, task->gid, task->egid, gr_parent_task_fullpath(task), task->parent->comm, task->parent->pid, task->parent->uid, task->parent->euid, task->parent->gid, task->parent->egid, task->uid, ulong1);
24878 ++ break;
24879 ++ case GR_CRASH2:
24880 ++ task = va_arg(ap, struct task_struct *);
24881 ++ ulong1 = va_arg(ap, unsigned long);
24882 ++ gr_log_middle_varargs(audit, msg, gr_task_fullpath(task), task->comm, task->pid, task->uid, task->euid, task->gid, task->egid, gr_parent_task_fullpath(task), task->parent->comm, task->parent->pid, task->parent->uid, task->parent->euid, task->parent->gid, task->parent->egid, ulong1);
24883 ++ break;
24884 ++ case GR_PSACCT:
24885 ++ {
24886 ++ unsigned int wday, cday;
24887 ++ __u8 whr, chr;
24888 ++ __u8 wmin, cmin;
24889 ++ __u8 wsec, csec;
24890 ++ char cur_tty[64] = { 0 };
24891 ++ char parent_tty[64] = { 0 };
24892 ++
24893 ++ task = va_arg(ap, struct task_struct *);
24894 ++ wday = va_arg(ap, unsigned int);
24895 ++ cday = va_arg(ap, unsigned int);
24896 ++ whr = va_arg(ap, int);
24897 ++ chr = va_arg(ap, int);
24898 ++ wmin = va_arg(ap, int);
24899 ++ cmin = va_arg(ap, int);
24900 ++ wsec = va_arg(ap, int);
24901 ++ csec = va_arg(ap, int);
24902 ++ ulong1 = va_arg(ap, unsigned long);
24903 ++
24904 ++ gr_log_middle_varargs(audit, msg, gr_task_fullpath(task), task->comm, task->pid, NIPQUAD(task->signal->curr_ip), tty_name(task->signal->tty, cur_tty), task->uid, task->euid, task->gid, task->egid, wday, whr, wmin, wsec, cday, chr, cmin, csec, (task->flags & PF_SIGNALED) ? "killed by signal" : "exited", ulong1, gr_parent_task_fullpath(task), task->parent->comm, task->parent->pid, NIPQUAD(task->parent->signal->curr_ip), tty_name(task->parent->signal->tty, parent_tty), task->parent->uid, task->parent->euid, task->parent->gid, task->parent->egid);
24905 ++ }
24906 ++ break;
24907 ++ default:
24908 ++ gr_log_middle(audit, msg, ap);
24909 ++ }
24910 ++ va_end(ap);
24911 ++ gr_log_end(audit);
24912 ++ END_LOCKS(audit);
24913 ++}
24914 +diff -Nurp linux-2.6.23.15/grsecurity/grsec_mem.c linux-2.6.23.15-grsec/grsecurity/grsec_mem.c
24915 +--- linux-2.6.23.15/grsecurity/grsec_mem.c 1970-01-01 01:00:00.000000000 +0100
24916 ++++ linux-2.6.23.15-grsec/grsecurity/grsec_mem.c 2008-02-11 10:37:44.000000000 +0000
24917 +@@ -0,0 +1,71 @@
24918 ++#include <linux/kernel.h>
24919 ++#include <linux/sched.h>
24920 ++#include <linux/mm.h>
24921 ++#include <linux/mman.h>
24922 ++#include <linux/grinternal.h>
24923 ++
24924 ++void
24925 ++gr_handle_ioperm(void)
24926 ++{
24927 ++ gr_log_noargs(GR_DONT_AUDIT, GR_IOPERM_MSG);
24928 ++ return;
24929 ++}
24930 ++
24931 ++void
24932 ++gr_handle_iopl(void)
24933 ++{
24934 ++ gr_log_noargs(GR_DONT_AUDIT, GR_IOPL_MSG);
24935 ++ return;
24936 ++}
24937 ++
24938 ++void
24939 ++gr_handle_mem_write(void)
24940 ++{
24941 ++ gr_log_noargs(GR_DONT_AUDIT, GR_MEM_WRITE_MSG);
24942 ++ return;
24943 ++}
24944 ++
24945 ++void
24946 ++gr_handle_kmem_write(void)
24947 ++{
24948 ++ gr_log_noargs(GR_DONT_AUDIT, GR_KMEM_MSG);
24949 ++ return;
24950 ++}
24951 ++
24952 ++void
24953 ++gr_handle_open_port(void)
24954 ++{
24955 ++ gr_log_noargs(GR_DONT_AUDIT, GR_PORT_OPEN_MSG);
24956 ++ return;
24957 ++}
24958 ++
24959 ++int
24960 ++gr_handle_mem_mmap(const unsigned long offset, struct vm_area_struct *vma)
24961 ++{
24962 ++ unsigned long start, end;
24963 ++
24964 ++ start = offset;
24965 ++ end = start + vma->vm_end - vma->vm_start;
24966 ++
24967 ++ if (start > end) {
24968 ++ gr_log_noargs(GR_DONT_AUDIT, GR_MEM_MMAP_MSG);
24969 ++ return -EPERM;
24970 ++ }
24971 ++
24972 ++ /* allowed ranges : ISA I/O BIOS */
24973 ++ if ((start >= __pa(high_memory))
24974 ++#ifdef CONFIG_X86
24975 ++ || (start >= 0x000a0000 && end <= 0x00100000)
24976 ++ || (start >= 0x00000000 && end <= 0x00001000)
24977 ++#endif
24978 ++ )
24979 ++ return 0;
24980 ++
24981 ++ if (vma->vm_flags & VM_WRITE) {
24982 ++ gr_log_noargs(GR_DONT_AUDIT, GR_MEM_MMAP_MSG);
24983 ++ return -EPERM;
24984 ++ } else
24985 ++ vma->vm_flags &= ~VM_MAYWRITE;
24986 ++
24987 ++ return 0;
24988 ++}
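Review bot: In gr_handle_mem_mmap the x86 range test `(start >= 0x00000000 && end <= 0x00001000)` has a tautological left side, since `start` is an unsigned long; the intent reads as "the first page", so `end <= 0x00001000` alone states it and avoids a -Wtype-limits warning. The guard `if (start > end)` only catches wraparound of `start + len`; a zero-length range (`end == start`) passes through, which is presumably harmless because a VMA spans at least one page, but that assumption is not visible here. The hard-coded ISA window bounds 0x000a0000/0x00100000 would read better as named constants placed next to the existing "allowed ranges" comment.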
24989 +diff -Nurp linux-2.6.23.15/grsecurity/grsec_mount.c linux-2.6.23.15-grsec/grsecurity/grsec_mount.c
24990 +--- linux-2.6.23.15/grsecurity/grsec_mount.c 1970-01-01 01:00:00.000000000 +0100
24991 ++++ linux-2.6.23.15-grsec/grsecurity/grsec_mount.c 2008-02-11 10:37:44.000000000 +0000
24992 +@@ -0,0 +1,34 @@
24993 ++#include <linux/kernel.h>
24994 ++#include <linux/sched.h>
24995 ++#include <linux/grsecurity.h>
24996 ++#include <linux/grinternal.h>
24997 ++
24998 ++void
24999 ++gr_log_remount(const char *devname, const int retval)
25000 ++{
25001 ++#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
25002 ++ if (grsec_enable_mount && (retval >= 0))
25003 ++ gr_log_str(GR_DO_AUDIT, GR_REMOUNT_AUDIT_MSG, devname ? devname : "none");
25004 ++#endif
25005 ++ return;
25006 ++}
25007 ++
25008 ++void
25009 ++gr_log_unmount(const char *devname, const int retval)
25010 ++{
25011 ++#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
25012 ++ if (grsec_enable_mount && (retval >= 0))
25013 ++ gr_log_str(GR_DO_AUDIT, GR_UNMOUNT_AUDIT_MSG, devname ? devname : "none");
25014 ++#endif
25015 ++ return;
25016 ++}
25017 ++
25018 ++void
25019 ++gr_log_mount(const char *from, const char *to, const int retval)
25020 ++{
25021 ++#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
25022 ++ if (grsec_enable_mount && (retval >= 0))
25023 ++ gr_log_str_str(GR_DO_AUDIT, GR_MOUNT_AUDIT_MSG, from, to);
25024 ++#endif
25025 ++ return;
25026 ++}
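Review bot: gr_log_mount passes `from` and `to` straight into gr_log_str_str, whereas the two sibling functions in this hunk substitute "none" for a NULL devname; if a mount without a device name can reach this path (the device argument is optional for some filesystem types), the format string sees a NULL `%s`. For consistency with gr_log_remount and gr_log_unmount, write `gr_log_str_str(GR_DO_AUDIT, GR_MOUNT_AUDIT_MSG, from ? from : "none", to);`. Whether `to` can also be NULL cannot be told from this hunk.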
25027 +diff -Nurp linux-2.6.23.15/grsecurity/grsec_sig.c linux-2.6.23.15-grsec/grsecurity/grsec_sig.c
25028 +--- linux-2.6.23.15/grsecurity/grsec_sig.c 1970-01-01 01:00:00.000000000 +0100
25029 ++++ linux-2.6.23.15-grsec/grsecurity/grsec_sig.c 2008-02-11 10:37:44.000000000 +0000
25030 +@@ -0,0 +1,59 @@
25031 ++#include <linux/kernel.h>
25032 ++#include <linux/sched.h>
25033 ++#include <linux/grsecurity.h>
25034 ++#include <linux/grinternal.h>
25035 ++
25036 ++void
25037 ++gr_log_signal(const int sig, const struct task_struct *t)
25038 ++{
25039 ++#ifdef CONFIG_GRKERNSEC_SIGNAL
25040 ++ if (grsec_enable_signal && ((sig == SIGSEGV) || (sig == SIGILL) ||
25041 ++ (sig == SIGABRT) || (sig == SIGBUS))) {
25042 ++ if (t->pid == current->pid) {
25043 ++ gr_log_int(GR_DONT_AUDIT_GOOD, GR_UNISIGLOG_MSG, sig);
25044 ++ } else {
25045 ++ gr_log_sig(GR_DONT_AUDIT_GOOD, GR_DUALSIGLOG_MSG, t, sig);
25046 ++ }
25047 ++ }
25048 ++#endif
25049 ++ return;
25050 ++}
25051 ++
25052 ++int
25053 ++gr_handle_signal(const struct task_struct *p, const int sig)
25054 ++{
25055 ++#ifdef CONFIG_GRKERNSEC
25056 ++ if (current->pid > 1 && gr_check_protected_task(p)) {
25057 ++ gr_log_sig(GR_DONT_AUDIT, GR_SIG_ACL_MSG, p, sig);
25058 ++ return -EPERM;
25059 ++ } else if (gr_pid_is_chrooted((struct task_struct *)p)) {
25060 ++ return -EPERM;
25061 ++ }
25062 ++#endif
25063 ++ return 0;
25064 ++}
25065 ++
25066 ++void gr_handle_brute_attach(struct task_struct *p)
25067 ++{
25068 ++#ifdef CONFIG_GRKERNSEC_BRUTE
25069 ++ read_lock(&tasklist_lock);
25070 ++ read_lock(&grsec_exec_file_lock);
25071 ++ if (p->parent && p->parent->exec_file == p->exec_file)
25072 ++ p->parent->brute = 1;
25073 ++ read_unlock(&grsec_exec_file_lock);
25074 ++ read_unlock(&tasklist_lock);
25075 ++#endif
25076 ++ return;
25077 ++}
25078 ++
25079 ++void gr_handle_brute_check(void)
25080 ++{
25081 ++#ifdef CONFIG_GRKERNSEC_BRUTE
25082 ++ if (current->brute) {
25083 ++ set_current_state(TASK_UNINTERRUPTIBLE);
25084 ++ schedule_timeout(30 * HZ);
25085 ++ }
25086 ++#endif
25087 ++ return;
25088 ++}
25089 ++
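Review bot: gr_handle_signal takes `p` as `const struct task_struct *` and then casts the const away to call gr_pid_is_chrooted; if that helper does not write through the pointer, its parameter should be const-qualified so the cast `(struct task_struct *)p` can be dropped. In gr_handle_brute_check the delay `schedule_timeout(30 * HZ)` is a magic number; a named constant (e.g. `GR_BRUTE_DELAY_SECS`) beside the CONFIG_GRKERNSEC_BRUTE block would document the intent. Because the sleep is entered in TASK_UNINTERRUPTIBLE, a task flagged `brute` cannot be signalled out of the delay, which deserves a one-line comment stating that this is deliberate.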
25090 +diff -Nurp linux-2.6.23.15/grsecurity/grsec_sock.c linux-2.6.23.15-grsec/grsecurity/grsec_sock.c
25091 +--- linux-2.6.23.15/grsecurity/grsec_sock.c 1970-01-01 01:00:00.000000000 +0100
25092 ++++ linux-2.6.23.15-grsec/grsecurity/grsec_sock.c 2008-02-11 10:37:44.000000000 +0000
25093 +@@ -0,0 +1,263 @@
25094 ++#include <linux/kernel.h>
25095 ++#include <linux/module.h>
25096 ++#include <linux/sched.h>
25097 ++#include <linux/file.h>
25098 ++#include <linux/net.h>
25099 ++#include <linux/in.h>
25100 ++#include <linux/ip.h>
25101 ++#include <net/sock.h>
25102 ++#include <net/inet_sock.h>
25103 ++#include <linux/grsecurity.h>
25104 ++#include <linux/grinternal.h>
25105 ++#include <linux/gracl.h>
25106 ++
25107 ++#if defined(CONFIG_IP_NF_MATCH_STEALTH_MODULE)
25108 ++extern struct sock *udp_v4_lookup(u32 saddr, u16 sport, u32 daddr, u16 dport, int dif);
25109 ++EXPORT_SYMBOL(udp_v4_lookup);
25110 ++#endif
25111 ++
25112 ++EXPORT_SYMBOL(gr_cap_rtnetlink);
25113 ++
25114 ++extern int gr_search_udp_recvmsg(const struct sock *sk, const struct sk_buff *skb);
25115 ++extern int gr_search_udp_sendmsg(const struct sock *sk, const struct sockaddr_in *addr);
25116 ++
25117 ++EXPORT_SYMBOL(gr_search_udp_recvmsg);
25118 ++EXPORT_SYMBOL(gr_search_udp_sendmsg);
25119 ++
25120 ++#ifdef CONFIG_UNIX_MODULE
25121 ++EXPORT_SYMBOL(gr_acl_handle_unix);
25122 ++EXPORT_SYMBOL(gr_acl_handle_mknod);
25123 ++EXPORT_SYMBOL(gr_handle_chroot_unix);
25124 ++EXPORT_SYMBOL(gr_handle_create);
25125 ++#endif
25126 ++
25127 ++#ifdef CONFIG_GRKERNSEC
25128 ++#define gr_conn_table_size 32749
25129 ++struct conn_table_entry {
25130 ++ struct conn_table_entry *next;
25131 ++ struct signal_struct *sig;
25132 ++};
25133 ++
25134 ++struct conn_table_entry *gr_conn_table[gr_conn_table_size];
25135 ++spinlock_t gr_conn_table_lock = SPIN_LOCK_UNLOCKED;
25136 ++
25137 ++extern const char * gr_socktype_to_name(unsigned char type);
25138 ++extern const char * gr_proto_to_name(unsigned char proto);
25139 ++
25140 ++static __inline__ int
25141 ++conn_hash(__u32 saddr, __u32 daddr, __u16 sport, __u16 dport, unsigned int size)
25142 ++{
25143 ++ return ((daddr + saddr + (sport << 8) + (dport << 16)) % size);
25144 ++}
25145 ++
25146 ++static __inline__ int
25147 ++conn_match(const struct signal_struct *sig, __u32 saddr, __u32 daddr,
25148 ++ __u16 sport, __u16 dport)
25149 ++{
25150 ++ if (unlikely(sig->gr_saddr == saddr && sig->gr_daddr == daddr &&
25151 ++ sig->gr_sport == sport && sig->gr_dport == dport))
25152 ++ return 1;
25153 ++ else
25154 ++ return 0;
25155 ++}
25156 ++
25157 ++static void gr_add_to_task_ip_table_nolock(struct signal_struct *sig, struct conn_table_entry *newent)
25158 ++{
25159 ++ struct conn_table_entry **match;
25160 ++ unsigned int index;
25161 ++
25162 ++ index = conn_hash(sig->gr_saddr, sig->gr_daddr,
25163 ++ sig->gr_sport, sig->gr_dport,
25164 ++ gr_conn_table_size);
25165 ++
25166 ++ newent->sig = sig;
25167 ++
25168 ++ match = &gr_conn_table[index];
25169 ++ newent->next = *match;
25170 ++ *match = newent;
25171 ++
25172 ++ return;
25173 ++}
25174 ++
25175 ++static void gr_del_task_from_ip_table_nolock(struct signal_struct *sig)
25176 ++{
25177 ++ struct conn_table_entry *match, *last = NULL;
25178 ++ unsigned int index;
25179 ++
25180 ++ index = conn_hash(sig->gr_saddr, sig->gr_daddr,
25181 ++ sig->gr_sport, sig->gr_dport,
25182 ++ gr_conn_table_size);
25183 ++
25184 ++ match = gr_conn_table[index];
25185 ++ while (match && !conn_match(match->sig,
25186 ++ sig->gr_saddr, sig->gr_daddr, sig->gr_sport,
25187 ++ sig->gr_dport)) {
25188 ++ last = match;
25189 ++ match = match->next;
25190 ++ }
25191 ++
25192 ++ if (match) {
25193 ++ if (last)
25194 ++ last->next = match->next;
25195 ++ else
25196 ++ gr_conn_table[index] = NULL;
25197 ++ kfree(match);
25198 ++ }
25199 ++
25200 ++ return;
25201 ++}
25202 ++
25203 ++static struct signal_struct * gr_lookup_task_ip_table(__u32 saddr, __u32 daddr,
25204 ++ __u16 sport, __u16 dport)
25205 ++{
25206 ++ struct conn_table_entry *match;
25207 ++ unsigned int index;
25208 ++
25209 ++ index = conn_hash(saddr, daddr, sport, dport, gr_conn_table_size);
25210 ++
25211 ++ match = gr_conn_table[index];
25212 ++ while (match && !conn_match(match->sig, saddr, daddr, sport, dport))
25213 ++ match = match->next;
25214 ++
25215 ++ if (match)
25216 ++ return match->sig;
25217 ++ else
25218 ++ return NULL;
25219 ++}
25220 ++
25221 ++#endif
25222 ++
25223 ++void gr_update_task_in_ip_table(struct task_struct *task, const struct inet_sock *inet)
25224 ++{
25225 ++#ifdef CONFIG_GRKERNSEC
25226 ++ struct signal_struct *sig = task->signal;
25227 ++ struct conn_table_entry *newent;
25228 ++
25229 ++ newent = kmalloc(sizeof(struct conn_table_entry), GFP_ATOMIC);
25230 ++ if (newent == NULL)
25231 ++ return;
25232 ++ /* no bh lock needed since we are called with bh disabled */
25233 ++ spin_lock(&gr_conn_table_lock);
25234 ++ gr_del_task_from_ip_table_nolock(sig);
25235 ++ sig->gr_saddr = inet->rcv_saddr;
25236 ++ sig->gr_daddr = inet->daddr;
25237 ++ sig->gr_sport = inet->sport;
25238 ++ sig->gr_dport = inet->dport;
25239 ++ gr_add_to_task_ip_table_nolock(sig, newent);
25240 ++ spin_unlock(&gr_conn_table_lock);
25241 ++#endif
25242 ++ return;
25243 ++}
25244 ++
25245 ++void gr_del_task_from_ip_table(struct task_struct *task)
25246 ++{
25247 ++#ifdef CONFIG_GRKERNSEC
25248 ++ spin_lock(&gr_conn_table_lock);
25249 ++ gr_del_task_from_ip_table_nolock(task->signal);
25250 ++ spin_unlock(&gr_conn_table_lock);
25251 ++#endif
25252 ++ return;
25253 ++}
25254 ++
25255 ++void
25256 ++gr_attach_curr_ip(const struct sock *sk)
25257 ++{
25258 ++#ifdef CONFIG_GRKERNSEC
25259 ++ struct signal_struct *p, *set;
25260 ++ const struct inet_sock *inet = inet_sk(sk);
25261 ++
25262 ++ if (unlikely(sk->sk_protocol != IPPROTO_TCP))
25263 ++ return;
25264 ++
25265 ++ set = current->signal;
25266 ++
25267 ++ spin_lock_bh(&gr_conn_table_lock);
25268 ++ p = gr_lookup_task_ip_table(inet->daddr, inet->rcv_saddr,
25269 ++ inet->dport, inet->sport);
25270 ++ if (unlikely(p != NULL)) {
25271 ++ set->curr_ip = p->curr_ip;
25272 ++ set->used_accept = 1;
25273 ++ gr_del_task_from_ip_table_nolock(p);
25274 ++ spin_unlock_bh(&gr_conn_table_lock);
25275 ++ return;
25276 ++ }
25277 ++ spin_unlock_bh(&gr_conn_table_lock);
25278 ++
25279 ++ set->curr_ip = inet->daddr;
25280 ++ set->used_accept = 1;
25281 ++#endif
25282 ++ return;
25283 ++}
25284 ++
25285 ++int
25286 ++gr_handle_sock_all(const int family, const int type, const int protocol)
25287 ++{
25288 ++#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
25289 ++ if (grsec_enable_socket_all && in_group_p(grsec_socket_all_gid) &&
25290 ++ (family != AF_UNIX) && (family != AF_LOCAL)) {
25291 ++ gr_log_int_str2(GR_DONT_AUDIT, GR_SOCK2_MSG, family, gr_socktype_to_name(type), gr_proto_to_name(protocol));
25292 ++ return -EACCES;
25293 ++ }
25294 ++#endif
25295 ++ return 0;
25296 ++}
25297 ++
25298 ++int
25299 ++gr_handle_sock_server(const struct sockaddr *sck)
25300 ++{
25301 ++#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
25302 ++ if (grsec_enable_socket_server &&
25303 ++ in_group_p(grsec_socket_server_gid) &&
25304 ++ sck && (sck->sa_family != AF_UNIX) &&
25305 ++ (sck->sa_family != AF_LOCAL)) {
25306 ++ gr_log_noargs(GR_DONT_AUDIT, GR_BIND_MSG);
25307 ++ return -EACCES;
25308 ++ }
25309 ++#endif
25310 ++ return 0;
25311 ++}
25312 ++
25313 ++int
25314 ++gr_handle_sock_server_other(const struct sock *sck)
25315 ++{
25316 ++#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
25317 ++ if (grsec_enable_socket_server &&
25318 ++ in_group_p(grsec_socket_server_gid) &&
25319 ++ sck && (sck->sk_family != AF_UNIX) &&
25320 ++ (sck->sk_family != AF_LOCAL)) {
25321 ++ gr_log_noargs(GR_DONT_AUDIT, GR_BIND_MSG);
25322 ++ return -EACCES;
25323 ++ }
25324 ++#endif
25325 ++ return 0;
25326 ++}
25327 ++
25328 ++int
25329 ++gr_handle_sock_client(const struct sockaddr *sck)
25330 ++{
25331 ++#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
25332 ++ if (grsec_enable_socket_client && in_group_p(grsec_socket_client_gid) &&
25333 ++ sck && (sck->sa_family != AF_UNIX) &&
25334 ++ (sck->sa_family != AF_LOCAL)) {
25335 ++ gr_log_noargs(GR_DONT_AUDIT, GR_CONNECT_MSG);
25336 ++ return -EACCES;
25337 ++ }
25338 ++#endif
25339 ++ return 0;
25340 ++}
25341 ++
25342 ++__u32
25343 ++gr_cap_rtnetlink(void)
25344 ++{
25345 ++#ifdef CONFIG_GRKERNSEC
25346 ++ if (!gr_acl_is_enabled())
25347 ++ return current->cap_effective;
25348 ++ else if (cap_raised(current->cap_effective, CAP_NET_ADMIN) &&
25349 ++ gr_task_is_capable(current, CAP_NET_ADMIN))
25350 ++ return current->cap_effective;
25351 ++ else
25352 ++ return 0;
25353 ++#else
25354 ++ return current->cap_effective;
25355 ++#endif
25356 ++}
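Review bot: gr_del_task_from_ip_table_nolock unlinks incorrectly when the match is the head of its bucket: the `else` branch sets `gr_conn_table[index] = NULL`, which discards every entry chained after the head rather than only the matched one, so those connections become unreachable to gr_lookup_task_ip_table and their conn_table_entry allocations are leaked. The branch should read `gr_conn_table[index] = match->next;`. Separately, in conn_hash `dport << 16` is evaluated after promotion of the __u16 to int, so ports above 0x7fff yield a left shift whose result is not representable in int; casting first, `((__u32)dport << 16)`, keeps the arithmetic unsigned.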
25357 +diff -Nurp linux-2.6.23.15/grsecurity/grsec_sysctl.c linux-2.6.23.15-grsec/grsecurity/grsec_sysctl.c
25358 +--- linux-2.6.23.15/grsecurity/grsec_sysctl.c 1970-01-01 01:00:00.000000000 +0100
25359 ++++ linux-2.6.23.15-grsec/grsecurity/grsec_sysctl.c 2008-02-11 10:37:44.000000000 +0000
25360 +@@ -0,0 +1,456 @@
25361 ++#include <linux/kernel.h>
25362 ++#include <linux/sched.h>
25363 ++#include <linux/sysctl.h>
25364 ++#include <linux/grsecurity.h>
25365 ++#include <linux/grinternal.h>
25366 ++
25367 ++#ifdef CONFIG_GRKERNSEC_MODSTOP
25368 ++int grsec_modstop;
25369 ++#endif
25370 ++
25371 ++int
25372 ++gr_handle_sysctl_mod(const char *dirname, const char *name, const int op)
25373 ++{
25374 ++#ifdef CONFIG_GRKERNSEC_SYSCTL
25375 ++ if (!strcmp(dirname, "grsecurity") && grsec_lock && (op & 002)) {
25376 ++ gr_log_str(GR_DONT_AUDIT, GR_SYSCTL_MSG, name);
25377 ++ return -EACCES;
25378 ++ }
25379 ++#endif
25380 ++#ifdef CONFIG_GRKERNSEC_MODSTOP
25381 ++ if (!strcmp(dirname, "grsecurity") && !strcmp(name, "disable_modules") &&
25382 ++ grsec_modstop && (op & 002)) {
25383 ++ gr_log_str(GR_DONT_AUDIT, GR_SYSCTL_MSG, name);
25384 ++ return -EACCES;
25385 ++ }
25386 ++#endif
25387 ++ return 0;
25388 ++}
25389 ++
25390 ++#if defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_MODSTOP)
25391 ++enum {GS_LINK=1, GS_FIFO, GS_EXECVE, GS_EXECLOG, GS_SIGNAL,
25392 ++GS_FORKFAIL, GS_TIME, GS_CHROOT_SHMAT, GS_CHROOT_UNIX, GS_CHROOT_MNT,
25393 ++GS_CHROOT_FCHDIR, GS_CHROOT_DBL, GS_CHROOT_PVT, GS_CHROOT_CD, GS_CHROOT_CM,
25394 ++GS_CHROOT_MK, GS_CHROOT_NI, GS_CHROOT_EXECLOG, GS_CHROOT_CAPS,
25395 ++GS_CHROOT_SYSCTL, GS_TPE, GS_TPE_GID, GS_TPE_ALL, GS_SIDCAPS,
25396 ++GS_SOCKET_ALL, GS_SOCKET_ALL_GID, GS_SOCKET_CLIENT,
25397 ++GS_SOCKET_CLIENT_GID, GS_SOCKET_SERVER, GS_SOCKET_SERVER_GID,
25398 ++GS_GROUP, GS_GID, GS_ACHDIR, GS_AMOUNT, GS_AIPC, GS_DMSG,
25399 ++GS_TEXTREL, GS_FINDTASK, GS_SHM, GS_LOCK, GS_MODSTOP, GS_RESLOG};
25400 ++
25401 ++
25402 ++ctl_table grsecurity_table[] = {
25403 ++#ifdef CONFIG_GRKERNSEC_SYSCTL
25404 ++#ifdef CONFIG_GRKERNSEC_LINK
25405 ++ {
25406 ++ .ctl_name = GS_LINK,
25407 ++ .procname = "linking_restrictions",
25408 ++ .data = &grsec_enable_link,
25409 ++ .maxlen = sizeof(int),
25410 ++ .mode = 0600,
25411 ++ .proc_handler = &proc_dointvec,
25412 ++ },
25413 ++#endif
25414 ++#ifdef CONFIG_GRKERNSEC_FIFO
25415 ++ {
25416 ++ .ctl_name = GS_FIFO,
25417 ++ .procname = "fifo_restrictions",
25418 ++ .data = &grsec_enable_fifo,
25419 ++ .maxlen = sizeof(int),
25420 ++ .mode = 0600,
25421 ++ .proc_handler = &proc_dointvec,
25422 ++ },
25423 ++#endif
25424 ++#ifdef CONFIG_GRKERNSEC_EXECVE
25425 ++ {
25426 ++ .ctl_name = GS_EXECVE,
25427 ++ .procname = "execve_limiting",
25428 ++ .data = &grsec_enable_execve,
25429 ++ .maxlen = sizeof(int),
25430 ++ .mode = 0600,
25431 ++ .proc_handler = &proc_dointvec,
25432 ++ },
25433 ++#endif
25434 ++#ifdef CONFIG_GRKERNSEC_EXECLOG
25435 ++ {
25436 ++ .ctl_name = GS_EXECLOG,
25437 ++ .procname = "exec_logging",
25438 ++ .data = &grsec_enable_execlog,
25439 ++ .maxlen = sizeof(int),
25440 ++ .mode = 0600,
25441 ++ .proc_handler = &proc_dointvec,
25442 ++ },
25443 ++#endif
25444 ++#ifdef CONFIG_GRKERNSEC_SIGNAL
25445 ++ {
25446 ++ .ctl_name = GS_SIGNAL,
25447 ++ .procname = "signal_logging",
25448 ++ .data = &grsec_enable_signal,
25449 ++ .maxlen = sizeof(int),
25450 ++ .mode = 0600,
25451 ++ .proc_handler = &proc_dointvec,
25452 ++ },
25453 ++#endif
25454 ++#ifdef CONFIG_GRKERNSEC_FORKFAIL
25455 ++ {
25456 ++ .ctl_name = GS_FORKFAIL,
25457 ++ .procname = "forkfail_logging",
25458 ++ .data = &grsec_enable_forkfail,
25459 ++ .maxlen = sizeof(int),
25460 ++ .mode = 0600,
25461 ++ .proc_handler = &proc_dointvec,
25462 ++ },
25463 ++#endif
25464 ++#ifdef CONFIG_GRKERNSEC_TIME
25465 ++ {
25466 ++ .ctl_name = GS_TIME,
25467 ++ .procname = "timechange_logging",
25468 ++ .data = &grsec_enable_time,
25469 ++ .maxlen = sizeof(int),
25470 ++ .mode = 0600,
25471 ++ .proc_handler = &proc_dointvec,
25472 ++ },
25473 ++#endif
25474 ++#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT
25475 ++ {
25476 ++ .ctl_name = GS_CHROOT_SHMAT,
25477 ++ .procname = "chroot_deny_shmat",
25478 ++ .data = &grsec_enable_chroot_shmat,
25479 ++ .maxlen = sizeof(int),
25480 ++ .mode = 0600,
25481 ++ .proc_handler = &proc_dointvec,
25482 ++ },
25483 ++#endif
25484 ++#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
25485 ++ {
25486 ++ .ctl_name = GS_CHROOT_UNIX,
25487 ++ .procname = "chroot_deny_unix",
25488 ++ .data = &grsec_enable_chroot_unix,
25489 ++ .maxlen = sizeof(int),
25490 ++ .mode = 0600,
25491 ++ .proc_handler = &proc_dointvec,
25492 ++ },
25493 ++#endif
25494 ++#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
25495 ++ {
25496 ++ .ctl_name = GS_CHROOT_MNT,
25497 ++ .procname = "chroot_deny_mount",
25498 ++ .data = &grsec_enable_chroot_mount,
25499 ++ .maxlen = sizeof(int),
25500 ++ .mode = 0600,
25501 ++ .proc_handler = &proc_dointvec,
25502 ++ },
25503 ++#endif
25504 ++#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
25505 ++ {
25506 ++ .ctl_name = GS_CHROOT_FCHDIR,
25507 ++ .procname = "chroot_deny_fchdir",
25508 ++ .data = &grsec_enable_chroot_fchdir,
25509 ++ .maxlen = sizeof(int),
25510 ++ .mode = 0600,
25511 ++ .proc_handler = &proc_dointvec,
25512 ++ },
25513 ++#endif
25514 ++#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
25515 ++ {
25516 ++ .ctl_name = GS_CHROOT_DBL,
25517 ++ .procname = "chroot_deny_chroot",
25518 ++ .data = &grsec_enable_chroot_double,
25519 ++ .maxlen = sizeof(int),
25520 ++ .mode = 0600,
25521 ++ .proc_handler = &proc_dointvec,
25522 ++ },
25523 ++#endif
25524 ++#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT
25525 ++ {
25526 ++ .ctl_name = GS_CHROOT_PVT,
25527 ++ .procname = "chroot_deny_pivot",
25528 ++ .data = &grsec_enable_chroot_pivot,
25529 ++ .maxlen = sizeof(int),
25530 ++ .mode = 0600,
25531 ++ .proc_handler = &proc_dointvec,
25532 ++ },
25533 ++#endif
25534 ++#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
25535 ++ {
25536 ++ .ctl_name = GS_CHROOT_CD,
25537 ++ .procname = "chroot_enforce_chdir",
25538 ++ .data = &grsec_enable_chroot_chdir,
25539 ++ .maxlen = sizeof(int),
25540 ++ .mode = 0600,
25541 ++ .proc_handler = &proc_dointvec,
25542 ++ },
25543 ++#endif
25544 ++#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
25545 ++ {
25546 ++ .ctl_name = GS_CHROOT_CM,
25547 ++ .procname = "chroot_deny_chmod",
25548 ++ .data = &grsec_enable_chroot_chmod,
25549 ++ .maxlen = sizeof(int),
25550 ++ .mode = 0600,
25551 ++ .proc_handler = &proc_dointvec,
25552 ++ },
25553 ++#endif
25554 ++#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
25555 ++ {
25556 ++ .ctl_name = GS_CHROOT_MK,
25557 ++ .procname = "chroot_deny_mknod",
25558 ++ .data = &grsec_enable_chroot_mknod,
25559 ++ .maxlen = sizeof(int),
25560 ++ .mode = 0600,
25561 ++ .proc_handler = &proc_dointvec,
25562 ++ },
25563 ++#endif
25564 ++#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
25565 ++ {
25566 ++ .ctl_name = GS_CHROOT_NI,
25567 ++ .procname = "chroot_restrict_nice",
25568 ++ .data = &grsec_enable_chroot_nice,
25569 ++ .maxlen = sizeof(int),
25570 ++ .mode = 0600,
25571 ++ .proc_handler = &proc_dointvec,
25572 ++ },
25573 ++#endif
25574 ++#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
25575 ++ {
25576 ++ .ctl_name = GS_CHROOT_EXECLOG,
25577 ++ .procname = "chroot_execlog",
25578 ++ .data = &grsec_enable_chroot_execlog,
25579 ++ .maxlen = sizeof(int),
25580 ++ .mode = 0600,
25581 ++ .proc_handler = &proc_dointvec,
25582 ++ },
25583 ++#endif
25584 ++#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
25585 ++ {
25586 ++ .ctl_name = GS_CHROOT_CAPS,
25587 ++ .procname = "chroot_caps",
25588 ++ .data = &grsec_enable_chroot_caps,
25589 ++ .maxlen = sizeof(int),
25590 ++ .mode = 0600,
25591 ++ .proc_handler = &proc_dointvec,
25592 ++ },
25593 ++#endif
25594 ++#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
25595 ++ {
25596 ++ .ctl_name = GS_CHROOT_SYSCTL,
25597 ++ .procname = "chroot_deny_sysctl",
25598 ++ .data = &grsec_enable_chroot_sysctl,
25599 ++ .maxlen = sizeof(int),
25600 ++ .mode = 0600,
25601 ++ .proc_handler = &proc_dointvec,
25602 ++ },
25603 ++#endif
25604 ++#ifdef CONFIG_GRKERNSEC_TPE
25605 ++ {
25606 ++ .ctl_name = GS_TPE,
25607 ++ .procname = "tpe",
25608 ++ .data = &grsec_enable_tpe,
25609 ++ .maxlen = sizeof(int),
25610 ++ .mode = 0600,
25611 ++ .proc_handler = &proc_dointvec,
25612 ++ },
25613 ++ {
25614 ++ .ctl_name = GS_TPE_GID,
25615 ++ .procname = "tpe_gid",
25616 ++ .data = &grsec_tpe_gid,
25617 ++ .maxlen = sizeof(int),
25618 ++ .mode = 0600,
25619 ++ .proc_handler = &proc_dointvec,
25620 ++ },
25621 ++#endif
25622 ++#ifdef CONFIG_GRKERNSEC_TPE_ALL
25623 ++ {
25624 ++ .ctl_name = GS_TPE_ALL,
25625 ++ .procname = "tpe_restrict_all",
25626 ++ .data = &grsec_enable_tpe_all,
25627 ++ .maxlen = sizeof(int),
25628 ++ .mode = 0600,
25629 ++ .proc_handler = &proc_dointvec,
25630 ++ },
25631 ++#endif
25632 ++#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
25633 ++ {
25634 ++ .ctl_name = GS_SOCKET_ALL,
25635 ++ .procname = "socket_all",
25636 ++ .data = &grsec_enable_socket_all,
25637 ++ .maxlen = sizeof(int),
25638 ++ .mode = 0600,
25639 ++ .proc_handler = &proc_dointvec,
25640 ++ },
25641 ++ {
25642 ++ .ctl_name = GS_SOCKET_ALL_GID,
25643 ++ .procname = "socket_all_gid",
25644 ++ .data = &grsec_socket_all_gid,
25645 ++ .maxlen = sizeof(int),
25646 ++ .mode = 0600,
25647 ++ .proc_handler = &proc_dointvec,
25648 ++ },
25649 ++#endif
25650 ++#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
25651 ++ {
25652 ++ .ctl_name = GS_SOCKET_CLIENT,
25653 ++ .procname = "socket_client",
25654 ++ .data = &grsec_enable_socket_client,
25655 ++ .maxlen = sizeof(int),
25656 ++ .mode = 0600,
25657 ++ .proc_handler = &proc_dointvec,
25658 ++ },
25659 ++ {
25660 ++ .ctl_name = GS_SOCKET_CLIENT_GID,
25661 ++ .procname = "socket_client_gid",
25662 ++ .data = &grsec_socket_client_gid,
25663 ++ .maxlen = sizeof(int),
25664 ++ .mode = 0600,
25665 ++ .proc_handler = &proc_dointvec,
25666 ++ },
25667 ++#endif
25668 ++#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
25669 ++ {
25670 ++ .ctl_name = GS_SOCKET_SERVER,
25671 ++ .procname = "socket_server",
25672 ++ .data = &grsec_enable_socket_server,
25673 ++ .maxlen = sizeof(int),
25674 ++ .mode = 0600,
25675 ++ .proc_handler = &proc_dointvec,
25676 ++ },
25677 ++ {
25678 ++ .ctl_name = GS_SOCKET_SERVER_GID,
25679 ++ .procname = "socket_server_gid",
25680 ++ .data = &grsec_socket_server_gid,
25681 ++ .maxlen = sizeof(int),
25682 ++ .mode = 0600,
25683 ++ .proc_handler = &proc_dointvec,
25684 ++ },
25685 ++#endif
25686 ++#ifdef CONFIG_GRKERNSEC_AUDIT_GROUP
25687 ++ {
25688 ++ .ctl_name = GS_GROUP,
25689 ++ .procname = "audit_group",
25690 ++ .data = &grsec_enable_group,
25691 ++ .maxlen = sizeof(int),
25692 ++ .mode = 0600,
25693 ++ .proc_handler = &proc_dointvec,
25694 ++ },
25695 ++ {
25696 ++ .ctl_name = GS_GID,
25697 ++ .procname = "audit_gid",
25698 ++ .data = &grsec_audit_gid,
25699 ++ .maxlen = sizeof(int),
25700 ++ .mode = 0600,
25701 ++ .proc_handler = &proc_dointvec,
25702 ++ },
25703 ++#endif
25704 ++#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR
25705 ++ {
25706 ++ .ctl_name = GS_ACHDIR,
25707 ++ .procname = "audit_chdir",
25708 ++ .data = &grsec_enable_chdir,
25709 ++ .maxlen = sizeof(int),
25710 ++ .mode = 0600,
25711 ++ .proc_handler = &proc_dointvec,
25712 ++ },
25713 ++#endif
25714 ++#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
25715 ++ {
25716 ++ .ctl_name = GS_AMOUNT,
25717 ++ .procname = "audit_mount",
25718 ++ .data = &grsec_enable_mount,
25719 ++ .maxlen = sizeof(int),
25720 ++ .mode = 0600,
25721 ++ .proc_handler = &proc_dointvec,
25722 ++ },
25723 ++#endif
25724 ++#ifdef CONFIG_GRKERNSEC_AUDIT_IPC
25725 ++ {
25726 ++ .ctl_name = GS_AIPC,
25727 ++ .procname = "audit_ipc",
25728 ++ .data = &grsec_enable_audit_ipc,
25729 ++ .maxlen = sizeof(int),
25730 ++ .mode = 0600,
25731 ++ .proc_handler = &proc_dointvec,
25732 ++ },
25733 ++#endif
25734 ++#ifdef CONFIG_GRKERNSEC_AUDIT_TEXTREL
25735 ++ {
25736 ++ .ctl_name = GS_TEXTREL,
25737 ++ .procname = "audit_textrel",
25738 ++ .data = &grsec_enable_audit_textrel,
25739 ++ .maxlen = sizeof(int),
25740 ++ .mode = 0600,
25741 ++ .proc_handler = &proc_dointvec,
25742 ++ },
25743 ++#endif
25744 ++#ifdef CONFIG_GRKERNSEC_DMESG
25745 ++ {
25746 ++ .ctl_name = GS_DMSG,
25747 ++ .procname = "dmesg",
25748 ++ .data = &grsec_enable_dmesg,
25749 ++ .maxlen = sizeof(int),
25750 ++ .mode = 0600,
25751 ++ .proc_handler = &proc_dointvec,
25752 ++ },
25753 ++#endif
25754 ++#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
25755 ++ {
25756 ++ .ctl_name = GS_FINDTASK,
25757 ++ .procname = "chroot_findtask",
25758 ++ .data = &grsec_enable_chroot_findtask,
25759 ++ .maxlen = sizeof(int),
25760 ++ .mode = 0600,
25761 ++ .proc_handler = &proc_dointvec,
25762 ++ },
25763 ++#endif
25764 ++#ifdef CONFIG_GRKERNSEC_SHM
25765 ++ {
25766 ++ .ctl_name = GS_SHM,
25767 ++ .procname = "destroy_unused_shm",
25768 ++ .data = &grsec_enable_shm,
25769 ++ .maxlen = sizeof(int),
25770 ++ .mode = 0600,
25771 ++ .proc_handler = &proc_dointvec,
25772 ++ },
25773 ++#endif
25774 ++#ifdef CONFIG_GRKERNSEC_RESLOG
25775 ++ {
25776 ++ .ctl_name = GS_RESLOG,
25777 ++ .procname = "resource_logging",
25778 ++ .data = &grsec_resource_logging,
25779 ++ .maxlen = sizeof(int),
25780 ++ .mode = 0600,
25781 ++ .proc_handler = &proc_dointvec,
25782 ++ },
25783 ++#endif
25784 ++ {
25785 ++ .ctl_name = GS_LOCK,
25786 ++ .procname = "grsec_lock",
25787 ++ .data = &grsec_lock,
25788 ++ .maxlen = sizeof(int),
25789 ++ .mode = 0600,
25790 ++ .proc_handler = &proc_dointvec,
25791 ++ },
25792 ++#endif
25793 ++#ifdef CONFIG_GRKERNSEC_MODSTOP
25794 ++ {
25795 ++ .ctl_name = GS_MODSTOP,
25796 ++ .procname = "disable_modules",
25797 ++ .data = &grsec_modstop,
25798 ++ .maxlen = sizeof(int),
25799 ++ .mode = 0600,
25800 ++ .proc_handler = &proc_dointvec,
25801 ++ },
25802 ++#endif
25803 ++ { .ctl_name = 0 }
25804 ++};
25805 ++#endif
25806 ++
25807 ++int gr_check_modstop(void)
25808 ++{
25809 ++#ifdef CONFIG_GRKERNSEC_MODSTOP
25810 ++ if (grsec_modstop == 1) {
25811 ++ gr_log_noargs(GR_DONT_AUDIT, GR_STOPMOD_MSG);
25812 ++ return 1;
25813 ++ }
25814 ++#endif
25815 ++ return 0;
25816 ++}
25817 +diff -Nurp linux-2.6.23.15/grsecurity/grsec_textrel.c linux-2.6.23.15-grsec/grsecurity/grsec_textrel.c
25818 +--- linux-2.6.23.15/grsecurity/grsec_textrel.c 1970-01-01 01:00:00.000000000 +0100
25819 ++++ linux-2.6.23.15-grsec/grsecurity/grsec_textrel.c 2008-02-11 10:37:44.000000000 +0000
25820 +@@ -0,0 +1,16 @@
25821 ++#include <linux/kernel.h>
25822 ++#include <linux/sched.h>
25823 ++#include <linux/mm.h>
25824 ++#include <linux/file.h>
25825 ++#include <linux/grinternal.h>
25826 ++#include <linux/grsecurity.h>
25827 ++
25828 ++void
25829 ++gr_log_textrel(struct vm_area_struct * vma)
25830 ++{
25831 ++#ifdef CONFIG_GRKERNSEC_AUDIT_TEXTREL
25832 ++ if (grsec_enable_audit_textrel)
25833 ++ gr_log_textrel_ulong_ulong(GR_DO_AUDIT, GR_TEXTREL_AUDIT_MSG, vma->vm_file, vma->vm_start, vma->vm_pgoff);
25834 ++#endif
25835 ++ return;
25836 ++}
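Review bot: `gr_log_textrel` reads `vma->vm_file`, `vma->vm_start` and `vma->vm_pgoff` with no statement of whether a NULL vma or an anonymous mapping (`vm_file == NULL`) can reach it; if callers only ever pass file-backed mappings, say so in a one-line comment above the function, otherwise guard the call with `if (vma && vma->vm_file && grsec_enable_audit_textrel)`. Style: the trailing `return;` in a void function is noise, here and in `gr_log_timechange` in the next file, and the declarator reads better as `struct vm_area_struct *vma`.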
25837 +diff -Nurp linux-2.6.23.15/grsecurity/grsec_time.c linux-2.6.23.15-grsec/grsecurity/grsec_time.c
25838 +--- linux-2.6.23.15/grsecurity/grsec_time.c 1970-01-01 01:00:00.000000000 +0100
25839 ++++ linux-2.6.23.15-grsec/grsecurity/grsec_time.c 2008-02-11 10:37:44.000000000 +0000
25840 +@@ -0,0 +1,13 @@
25841 ++#include <linux/kernel.h>
25842 ++#include <linux/sched.h>
25843 ++#include <linux/grinternal.h>
25844 ++
25845 ++void
25846 ++gr_log_timechange(void)
25847 ++{
25848 ++#ifdef CONFIG_GRKERNSEC_TIME
25849 ++ if (grsec_enable_time)
25850 ++ gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_TIME_MSG);
25851 ++#endif
25852 ++ return;
25853 ++}
25854 +diff -Nurp linux-2.6.23.15/grsecurity/grsec_tpe.c linux-2.6.23.15-grsec/grsecurity/grsec_tpe.c
25855 +--- linux-2.6.23.15/grsecurity/grsec_tpe.c 1970-01-01 01:00:00.000000000 +0100
25856 ++++ linux-2.6.23.15-grsec/grsecurity/grsec_tpe.c 2008-02-11 10:37:44.000000000 +0000
25857 +@@ -0,0 +1,37 @@
25858 ++#include <linux/kernel.h>
25859 ++#include <linux/sched.h>
25860 ++#include <linux/file.h>
25861 ++#include <linux/fs.h>
25862 ++#include <linux/grinternal.h>
25863 ++
25864 ++extern int gr_acl_tpe_check(void);
25865 ++
25866 ++int
25867 ++gr_tpe_allow(const struct file *file)
25868 ++{
25869 ++#ifdef CONFIG_GRKERNSEC
25870 ++ struct inode *inode = file->f_dentry->d_parent->d_inode;
25871 ++
25872 ++ if (current->uid && ((grsec_enable_tpe &&
25873 ++#ifdef CONFIG_GRKERNSEC_TPE_INVERT
25874 ++ !in_group_p(grsec_tpe_gid)
25875 ++#else
25876 ++ in_group_p(grsec_tpe_gid)
25877 ++#endif
25878 ++ ) || gr_acl_tpe_check()) &&
25879 ++ (inode->i_uid || (!inode->i_uid && ((inode->i_mode & S_IWGRP) ||
25880 ++ (inode->i_mode & S_IWOTH))))) {
25881 ++ gr_log_fs_generic(GR_DONT_AUDIT, GR_EXEC_TPE_MSG, file->f_dentry, file->f_vfsmnt);
25882 ++ return 0;
25883 ++ }
25884 ++#ifdef CONFIG_GRKERNSEC_TPE_ALL
25885 ++ if (current->uid && grsec_enable_tpe && grsec_enable_tpe_all &&
25886 ++ ((inode->i_uid && (inode->i_uid != current->uid)) ||
25887 ++ (inode->i_mode & S_IWGRP) || (inode->i_mode & S_IWOTH))) {
25888 ++ gr_log_fs_generic(GR_DONT_AUDIT, GR_EXEC_TPE_MSG, file->f_dentry, file->f_vfsmnt);
25889 ++ return 0;
25890 ++ }
25891 ++#endif
25892 ++#endif
25893 ++ return 1;
25894 ++}
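Review bot: The directory test `(inode->i_uid || (!inode->i_uid && ((inode->i_mode & S_IWGRP) || (inode->i_mode & S_IWOTH))))` carries a redundant `!inode->i_uid &&` — once the first operand is false that term is already true — and reads more simply as `(inode->i_uid || (inode->i_mode & (S_IWGRP | S_IWOTH)))`; the same mask form fits the CONFIG_GRKERNSEC_TPE_ALL branch. `inode` is taken from `file->f_dentry->d_parent->d_inode` with nothing saying what keeps the parent dentry stable here; presumably the open file pins it, but a one-line comment stating that assumption would help the next reader. Both branches log the same GR_EXEC_TPE_MSG and return 0, so the deny path could be shared through a single flag or label instead of being written twice.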
25895 +diff -Nurp linux-2.6.23.15/grsecurity/grsum.c linux-2.6.23.15-grsec/grsecurity/grsum.c
25896 +--- linux-2.6.23.15/grsecurity/grsum.c 1970-01-01 01:00:00.000000000 +0100
25897 ++++ linux-2.6.23.15-grsec/grsecurity/grsum.c 2008-02-11 10:37:44.000000000 +0000
25898 +@@ -0,0 +1,59 @@
25899 ++#include <linux/err.h>
25900 ++#include <linux/kernel.h>
25901 ++#include <linux/sched.h>
25902 ++#include <linux/mm.h>
25903 ++#include <linux/scatterlist.h>
25904 ++#include <linux/crypto.h>
25905 ++#include <linux/gracl.h>
25906 ++
25907 ++
25908 ++#if !defined(CONFIG_CRYPTO) || defined(CONFIG_CRYPTO_MODULE) || !defined(CONFIG_CRYPTO_SHA256) || defined(CONFIG_CRYPTO_SHA256_MODULE)
25909 ++#error "crypto and sha256 must be built into the kernel"
25910 ++#endif
25911 ++
25912 ++int
25913 ++chkpw(struct gr_arg *entry, unsigned char *salt, unsigned char *sum)
25914 ++{
25915 ++ char *p;
25916 ++ struct crypto_hash *tfm;
25917 ++ struct hash_desc desc;
25918 ++ struct scatterlist sg;
25919 ++ unsigned char temp_sum[GR_SHA_LEN];
25920 ++ volatile int retval = 0;
25921 ++ volatile int dummy = 0;
25922 ++ unsigned int i;
25923 ++
25924 ++ tfm = crypto_alloc_hash("sha256", 0, CRYPTO_ALG_ASYNC);
25925 ++ if (IS_ERR(tfm)) {
25926 ++ /* should never happen, since sha256 should be built in */
25927 ++ return 1;
25928 ++ }
25929 ++
25930 ++ desc.tfm = tfm;
25931 ++ desc.flags = 0;
25932 ++
25933 ++ crypto_hash_init(&desc);
25934 ++
25935 ++ p = salt;
25936 ++ sg_set_buf(&sg, p, GR_SALT_LEN);
25937 ++ crypto_hash_update(&desc, &sg, sg.length);
25938 ++
25939 ++ p = entry->pw;
25940 ++ sg_set_buf(&sg, p, strlen(p));
25941 ++
25942 ++ crypto_hash_update(&desc, &sg, sg.length);
25943 ++
25944 ++ crypto_hash_final(&desc, temp_sum);
25945 ++
25946 ++ memset(entry->pw, 0, GR_PW_LEN);
25947 ++
25948 ++ for (i = 0; i < GR_SHA_LEN; i++)
25949 ++ if (sum[i] != temp_sum[i])
25950 ++ retval = 1;
25951 ++ else
25952 ++ dummy = 1; // waste a cycle
25953 ++
25954 ++ crypto_free_hash(tfm);
25955 ++
25956 ++ return retval;
25957 ++}
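Review bot: `sg_set_buf(&sg, p, strlen(p))` on `entry->pw` has no upper bound, so if the password buffer is not guaranteed to be NUL-terminated within GR_PW_LEN the digest reads past it; `sg_set_buf(&sg, p, strnlen(p, GR_PW_LEN));` bounds it to the same length the later memset clears. The mismatch loop relies on a `volatile` dummy store to keep its timing independent of where the first differing byte is; a branch-free accumulate is clearer and does not depend on the compiler honouring that intent: `diff |= sum[i] ^ temp_sum[i];` as the loop body, then `retval = (diff != 0);`, which keeps the 0/1 return. The return values of crypto_hash_init/update/final are ignored, so a failed digest would compare whatever `temp_sum` happens to hold; check them and return 1 on error as the allocation path already does, and clear `temp_sum` before returning since it is derived from the password. `p` is a `char *` assigned from `unsigned char *` buffers, which most compilers warn about.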
25958 +diff -Nurp linux-2.6.23.15/include/asm-alpha/a.out.h linux-2.6.23.15-grsec/include/asm-alpha/a.out.h
25959 +--- linux-2.6.23.15/include/asm-alpha/a.out.h 2007-10-09 21:31:38.000000000 +0100
25960 ++++ linux-2.6.23.15-grsec/include/asm-alpha/a.out.h 2008-02-11 10:37:44.000000000 +0000
25961 +@@ -98,7 +98,7 @@ struct exec
25962 + set_personality (((BFPM->sh_bang || EX.ah.entry < 0x100000000L \
25963 + ? ADDR_LIMIT_32BIT : 0) | PER_OSF4))
25964 +
25965 +-#define STACK_TOP \
25966 ++#define __STACK_TOP \
25967 + (current->personality & ADDR_LIMIT_32BIT ? 0x80000000 : 0x00120000000UL)
25968 +
25969 + #define STACK_TOP_MAX 0x00120000000UL
25970 +diff -Nurp linux-2.6.23.15/include/asm-alpha/elf.h linux-2.6.23.15-grsec/include/asm-alpha/elf.h
25971 +--- linux-2.6.23.15/include/asm-alpha/elf.h 2007-10-09 21:31:38.000000000 +0100
25972 ++++ linux-2.6.23.15-grsec/include/asm-alpha/elf.h 2008-02-11 10:37:44.000000000 +0000
25973 +@@ -91,6 +91,13 @@ typedef elf_fpreg_t elf_fpregset_t[ELF_N
25974 +
25975 + #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE + 0x1000000)
25976 +
25977 ++#ifdef CONFIG_PAX_ASLR
25978 ++#define PAX_ELF_ET_DYN_BASE (current->personality & ADDR_LIMIT_32BIT ? 0x10000 : 0x120000000UL)
25979 ++
25980 ++#define PAX_DELTA_MMAP_LEN (current->personality & ADDR_LIMIT_32BIT ? 14 : 28)
25981 ++#define PAX_DELTA_STACK_LEN (current->personality & ADDR_LIMIT_32BIT ? 14 : 19)
25982 ++#endif
25983 ++
25984 + /* $0 is set by ld.so to a pointer to a function which might be
25985 + registered using atexit. This provides a mean for the dynamic
25986 + linker to call DT_FINI functions for shared libraries that have
25987 +diff -Nurp linux-2.6.23.15/include/asm-alpha/kmap_types.h linux-2.6.23.15-grsec/include/asm-alpha/kmap_types.h
25988 +--- linux-2.6.23.15/include/asm-alpha/kmap_types.h 2007-10-09 21:31:38.000000000 +0100
25989 ++++ linux-2.6.23.15-grsec/include/asm-alpha/kmap_types.h 2008-02-11 10:37:44.000000000 +0000
25990 +@@ -24,7 +24,8 @@ D(9) KM_IRQ0,
25991 + D(10) KM_IRQ1,
25992 + D(11) KM_SOFTIRQ0,
25993 + D(12) KM_SOFTIRQ1,
25994 +-D(13) KM_TYPE_NR
25995 ++D(13) KM_CLEARPAGE,
25996 ++D(14) KM_TYPE_NR
25997 + };
25998 +
25999 + #undef D
26000 +diff -Nurp linux-2.6.23.15/include/asm-alpha/pgtable.h linux-2.6.23.15-grsec/include/asm-alpha/pgtable.h
26001 +--- linux-2.6.23.15/include/asm-alpha/pgtable.h 2007-10-09 21:31:38.000000000 +0100
26002 ++++ linux-2.6.23.15-grsec/include/asm-alpha/pgtable.h 2008-02-11 10:37:44.000000000 +0000
26003 +@@ -101,6 +101,17 @@ struct vm_area_struct;
26004 + #define PAGE_SHARED __pgprot(_PAGE_VALID | __ACCESS_BITS)
26005 + #define PAGE_COPY __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW)
26006 + #define PAGE_READONLY __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW)
26007 ++
26008 ++#ifdef CONFIG_PAX_PAGEEXEC
26009 ++# define PAGE_SHARED_NOEXEC __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOE)
26010 ++# define PAGE_COPY_NOEXEC __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW | _PAGE_FOE)
26011 ++# define PAGE_READONLY_NOEXEC __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW | _PAGE_FOE)
26012 ++#else
26013 ++# define PAGE_SHARED_NOEXEC PAGE_SHARED
26014 ++# define PAGE_COPY_NOEXEC PAGE_COPY
26015 ++# define PAGE_READONLY_NOEXEC PAGE_READONLY
26016 ++#endif
26017 ++
26018 + #define PAGE_KERNEL __pgprot(_PAGE_VALID | _PAGE_ASM | _PAGE_KRE | _PAGE_KWE)
26019 +
26020 + #define _PAGE_NORMAL(x) __pgprot(_PAGE_VALID | __ACCESS_BITS | (x))
26021 +diff -Nurp linux-2.6.23.15/include/asm-arm/a.out.h linux-2.6.23.15-grsec/include/asm-arm/a.out.h
26022 +--- linux-2.6.23.15/include/asm-arm/a.out.h 2007-10-09 21:31:38.000000000 +0100
26023 ++++ linux-2.6.23.15-grsec/include/asm-arm/a.out.h 2008-02-11 10:37:44.000000000 +0000
26024 +@@ -28,7 +28,7 @@ struct exec
26025 + #define M_ARM 103
26026 +
26027 + #ifdef __KERNEL__
26028 +-#define STACK_TOP ((current->personality == PER_LINUX_32BIT) ? \
26029 ++#define __STACK_TOP ((current->personality == PER_LINUX_32BIT) ? \
26030 + TASK_SIZE : TASK_SIZE_26)
26031 + #define STACK_TOP_MAX TASK_SIZE
26032 + #endif
26033 +diff -Nurp linux-2.6.23.15/include/asm-arm/elf.h linux-2.6.23.15-grsec/include/asm-arm/elf.h
26034 +--- linux-2.6.23.15/include/asm-arm/elf.h 2007-10-09 21:31:38.000000000 +0100
26035 ++++ linux-2.6.23.15-grsec/include/asm-arm/elf.h 2008-02-11 10:37:44.000000000 +0000
26036 +@@ -90,6 +90,13 @@ extern char elf_platform[];
26037 +
26038 + #define ELF_ET_DYN_BASE (2 * TASK_SIZE / 3)
26039 +
26040 ++#ifdef CONFIG_PAX_ASLR
26041 ++#define PAX_ELF_ET_DYN_BASE 0x00008000UL
26042 ++
26043 ++#define PAX_DELTA_MMAP_LEN ((current->personality == PER_LINUX_32BIT) ? 16 : 10)
26044 ++#define PAX_DELTA_STACK_LEN ((current->personality == PER_LINUX_32BIT) ? 16 : 10)
26045 ++#endif
26046 ++
26047 + /* When the program starts, a1 contains a pointer to a function to be
26048 + registered with atexit, as per the SVR4 ABI. A value of 0 means we
26049 + have no such handler. */
26050 +diff -Nurp linux-2.6.23.15/include/asm-arm/kmap_types.h linux-2.6.23.15-grsec/include/asm-arm/kmap_types.h
26051 +--- linux-2.6.23.15/include/asm-arm/kmap_types.h 2007-10-09 21:31:38.000000000 +0100
26052 ++++ linux-2.6.23.15-grsec/include/asm-arm/kmap_types.h 2008-02-11 10:37:44.000000000 +0000
26053 +@@ -18,6 +18,7 @@ enum km_type {
26054 + KM_IRQ1,
26055 + KM_SOFTIRQ0,
26056 + KM_SOFTIRQ1,
26057 ++ KM_CLEARPAGE,
26058 + KM_TYPE_NR
26059 + };
26060 +
26061 +diff -Nurp linux-2.6.23.15/include/asm-avr32/a.out.h linux-2.6.23.15-grsec/include/asm-avr32/a.out.h
26062 +--- linux-2.6.23.15/include/asm-avr32/a.out.h 2007-10-09 21:31:38.000000000 +0100
26063 ++++ linux-2.6.23.15-grsec/include/asm-avr32/a.out.h 2008-02-11 10:37:44.000000000 +0000
26064 +@@ -19,8 +19,8 @@ struct exec
26065 +
26066 + #ifdef __KERNEL__
26067 +
26068 +-#define STACK_TOP TASK_SIZE
26069 +-#define STACK_TOP_MAX STACK_TOP
26070 ++#define __STACK_TOP TASK_SIZE
26071 ++#define STACK_TOP_MAX __STACK_TOP
26072 +
26073 + #endif
26074 +
26075 +diff -Nurp linux-2.6.23.15/include/asm-avr32/elf.h linux-2.6.23.15-grsec/include/asm-avr32/elf.h
26076 +--- linux-2.6.23.15/include/asm-avr32/elf.h 2007-10-09 21:31:38.000000000 +0100
26077 ++++ linux-2.6.23.15-grsec/include/asm-avr32/elf.h 2008-02-11 10:37:44.000000000 +0000
26078 +@@ -85,8 +85,14 @@ typedef struct user_fpu_struct elf_fpreg
26079 + the loader. We need to make sure that it is out of the way of the program
26080 + that it will "exec", and that there is sufficient room for the brk. */
26081 +
26082 +-#define ELF_ET_DYN_BASE (2 * TASK_SIZE / 3)
26083 ++#define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
26084 +
26085 ++#ifdef CONFIG_PAX_ASLR
26086 ++#define PAX_ELF_ET_DYN_BASE 0x00001000UL
26087 ++
26088 ++#define PAX_DELTA_MMAP_LEN 15
26089 ++#define PAX_DELTA_STACK_LEN 15
26090 ++#endif
26091 +
26092 + /* This yields a mask that user programs can use to figure out what
26093 + instruction set this CPU supports. This could be done in user space,
26094 +diff -Nurp linux-2.6.23.15/include/asm-avr32/kmap_types.h linux-2.6.23.15-grsec/include/asm-avr32/kmap_types.h
26095 +--- linux-2.6.23.15/include/asm-avr32/kmap_types.h 2007-10-09 21:31:38.000000000 +0100
26096 ++++ linux-2.6.23.15-grsec/include/asm-avr32/kmap_types.h 2008-02-11 10:37:44.000000000 +0000
26097 +@@ -22,7 +22,8 @@ D(10) KM_IRQ0,
26098 + D(11) KM_IRQ1,
26099 + D(12) KM_SOFTIRQ0,
26100 + D(13) KM_SOFTIRQ1,
26101 +-D(14) KM_TYPE_NR
26102 ++D(14) KM_CLEARPAGE,
26103 ++D(15) KM_TYPE_NR
26104 + };
26105 +
26106 + #undef D
26107 +diff -Nurp linux-2.6.23.15/include/asm-blackfin/kmap_types.h linux-2.6.23.15-grsec/include/asm-blackfin/kmap_types.h
26108 +--- linux-2.6.23.15/include/asm-blackfin/kmap_types.h 2007-10-09 21:31:38.000000000 +0100
26109 ++++ linux-2.6.23.15-grsec/include/asm-blackfin/kmap_types.h 2008-02-11 10:37:44.000000000 +0000
26110 +@@ -15,6 +15,7 @@ enum km_type {
26111 + KM_IRQ1,
26112 + KM_SOFTIRQ0,
26113 + KM_SOFTIRQ1,
26114 ++ KM_CLEARPAGE,
26115 + KM_TYPE_NR
26116 + };
26117 +
26118 +diff -Nurp linux-2.6.23.15/include/asm-cris/kmap_types.h linux-2.6.23.15-grsec/include/asm-cris/kmap_types.h
26119 +--- linux-2.6.23.15/include/asm-cris/kmap_types.h 2007-10-09 21:31:38.000000000 +0100
26120 ++++ linux-2.6.23.15-grsec/include/asm-cris/kmap_types.h 2008-02-11 10:37:44.000000000 +0000
26121 +@@ -19,6 +19,7 @@ enum km_type {
26122 + KM_IRQ1,
26123 + KM_SOFTIRQ0,
26124 + KM_SOFTIRQ1,
26125 ++ KM_CLEARPAGE,
26126 + KM_TYPE_NR
26127 + };
26128 +
26129 +diff -Nurp linux-2.6.23.15/include/asm-frv/kmap_types.h linux-2.6.23.15-grsec/include/asm-frv/kmap_types.h
26130 +--- linux-2.6.23.15/include/asm-frv/kmap_types.h 2007-10-09 21:31:38.000000000 +0100
26131 ++++ linux-2.6.23.15-grsec/include/asm-frv/kmap_types.h 2008-02-11 10:37:44.000000000 +0000
26132 +@@ -23,6 +23,7 @@ enum km_type {
26133 + KM_IRQ1,
26134 + KM_SOFTIRQ0,
26135 + KM_SOFTIRQ1,
26136 ++ KM_CLEARPAGE,
26137 + KM_TYPE_NR
26138 + };
26139 +
26140 +diff -Nurp linux-2.6.23.15/include/asm-generic/futex.h linux-2.6.23.15-grsec/include/asm-generic/futex.h
26141 +--- linux-2.6.23.15/include/asm-generic/futex.h 2007-10-09 21:31:38.000000000 +0100
26142 ++++ linux-2.6.23.15-grsec/include/asm-generic/futex.h 2008-02-11 10:37:44.000000000 +0000
26143 +@@ -8,7 +8,7 @@
26144 + #include <asm/uaccess.h>
26145 +
26146 + static inline int
26147 +-futex_atomic_op_inuser (int encoded_op, int __user *uaddr)
26148 ++futex_atomic_op_inuser (int encoded_op, u32 __user *uaddr)
26149 + {
26150 + int op = (encoded_op >> 28) & 7;
26151 + int cmp = (encoded_op >> 24) & 15;
26152 +@@ -50,7 +50,7 @@ futex_atomic_op_inuser (int encoded_op,
26153 + }
26154 +
26155 + static inline int
26156 +-futex_atomic_cmpxchg_inatomic(int __user *uaddr, int oldval, int newval)
26157 ++futex_atomic_cmpxchg_inatomic(u32 __user *uaddr, int oldval, int newval)
26158 + {
26159 + return -ENOSYS;
26160 + }
26161 +diff -Nurp linux-2.6.23.15/include/asm-generic/vmlinux.lds.h linux-2.6.23.15-grsec/include/asm-generic/vmlinux.lds.h
26162 +--- linux-2.6.23.15/include/asm-generic/vmlinux.lds.h 2007-10-09 21:31:38.000000000 +0100
26163 ++++ linux-2.6.23.15-grsec/include/asm-generic/vmlinux.lds.h 2008-02-11 10:37:44.000000000 +0000
26164 +@@ -19,6 +19,7 @@
26165 + .rodata : AT(ADDR(.rodata) - LOAD_OFFSET) { \
26166 + VMLINUX_SYMBOL(__start_rodata) = .; \
26167 + *(.rodata) *(.rodata.*) \
26168 ++ *(.data.read_only) \
26169 + *(__vermagic) /* Kernel version magic */ \
26170 + } \
26171 + \
26172 +diff -Nurp linux-2.6.23.15/include/asm-h8300/kmap_types.h linux-2.6.23.15-grsec/include/asm-h8300/kmap_types.h
26173 +--- linux-2.6.23.15/include/asm-h8300/kmap_types.h 2007-10-09 21:31:38.000000000 +0100
26174 ++++ linux-2.6.23.15-grsec/include/asm-h8300/kmap_types.h 2008-02-11 10:37:44.000000000 +0000
26175 +@@ -15,6 +15,7 @@ enum km_type {
26176 + KM_IRQ1,
26177 + KM_SOFTIRQ0,
26178 + KM_SOFTIRQ1,
26179 ++ KM_CLEARPAGE,
26180 + KM_TYPE_NR
26181 + };
26182 +
26183 +diff -Nurp linux-2.6.23.15/include/asm-i386/a.out.h linux-2.6.23.15-grsec/include/asm-i386/a.out.h
26184 +--- linux-2.6.23.15/include/asm-i386/a.out.h 2007-10-09 21:31:38.000000000 +0100
26185 ++++ linux-2.6.23.15-grsec/include/asm-i386/a.out.h 2008-02-11 10:37:44.000000000 +0000
26186 +@@ -19,8 +19,13 @@ struct exec
26187 +
26188 + #ifdef __KERNEL__
26189 +
26190 +-#define STACK_TOP TASK_SIZE
26191 +-#define STACK_TOP_MAX STACK_TOP
26192 ++#ifdef CONFIG_PAX_SEGMEXEC
26193 ++#define __STACK_TOP ((current->mm->pax_flags & MF_PAX_SEGMEXEC)?TASK_SIZE/2:TASK_SIZE)
26194 ++#else
26195 ++#define __STACK_TOP TASK_SIZE
26196 ++#endif
26197 ++
26198 ++#define STACK_TOP_MAX TASK_SIZE
26199 +
26200 + #endif
26201 +
26202 +diff -Nurp linux-2.6.23.15/include/asm-i386/alternative.h linux-2.6.23.15-grsec/include/asm-i386/alternative.h
26203 +--- linux-2.6.23.15/include/asm-i386/alternative.h 2007-10-09 21:31:38.000000000 +0100
26204 ++++ linux-2.6.23.15-grsec/include/asm-i386/alternative.h 2008-02-11 10:37:44.000000000 +0000
26205 +@@ -54,7 +54,7 @@ static inline void alternatives_smp_swit
26206 + " .byte 662b-661b\n" /* sourcelen */ \
26207 + " .byte 664f-663f\n" /* replacementlen */ \
26208 + ".previous\n" \
26209 +- ".section .altinstr_replacement,\"ax\"\n" \
26210 ++ ".section .altinstr_replacement,\"a\"\n" \
26211 + "663:\n\t" newinstr "\n664:\n" /* replacement */\
26212 + ".previous" :: "i" (feature) : "memory")
26213 +
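Review bot: The `.altinstr_replacement` section flags drop from `"ax"` to `"a"` in this macro and again in the next two hunks without a comment saying why; presumably the replacement bytes are only copied over the original instructions at patch time and never executed in place, so the section need not be executable, but that should be stated rather than inferred. A one-line comment on the first macro such as `/* replacement bytes are copied, never run in place: keep the section non-executable */` would make the intent clear to anyone who later sees a tool complain about a non-executable section holding code.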
26214 +@@ -78,7 +78,7 @@ static inline void alternatives_smp_swit
26215 + " .byte 662b-661b\n" /* sourcelen */ \
26216 + " .byte 664f-663f\n" /* replacementlen */ \
26217 + ".previous\n" \
26218 +- ".section .altinstr_replacement,\"ax\"\n" \
26219 ++ ".section .altinstr_replacement,\"a\"\n" \
26220 + "663:\n\t" newinstr "\n664:\n" /* replacement */\
26221 + ".previous" :: "i" (feature), ##input)
26222 +
26223 +@@ -93,7 +93,7 @@ static inline void alternatives_smp_swit
26224 + " .byte 662b-661b\n" /* sourcelen */ \
26225 + " .byte 664f-663f\n" /* replacementlen */ \
26226 + ".previous\n" \
26227 +- ".section .altinstr_replacement,\"ax\"\n" \
26228 ++ ".section .altinstr_replacement,\"a\"\n" \
26229 + "663:\n\t" newinstr "\n664:\n" /* replacement */ \
26230 + ".previous" : output : [feat] "i" (feature), ##input)
26231 +
26232 +diff -Nurp linux-2.6.23.15/include/asm-i386/apic.h linux-2.6.23.15-grsec/include/asm-i386/apic.h
26233 +--- linux-2.6.23.15/include/asm-i386/apic.h 2007-10-09 21:31:38.000000000 +0100
26234 ++++ linux-2.6.23.15-grsec/include/asm-i386/apic.h 2008-02-11 10:37:44.000000000 +0000
26235 +@@ -8,7 +8,7 @@
26236 + #include <asm/processor.h>
26237 + #include <asm/system.h>
26238 +
26239 +-#define Dprintk(x...)
26240 ++#define Dprintk(x...) do {} while (0)
26241 +
26242 + /*
26243 + * Debugging macros
26244 +diff -Nurp linux-2.6.23.15/include/asm-i386/cache.h linux-2.6.23.15-grsec/include/asm-i386/cache.h
26245 +--- linux-2.6.23.15/include/asm-i386/cache.h 2007-10-09 21:31:38.000000000 +0100
26246 ++++ linux-2.6.23.15-grsec/include/asm-i386/cache.h 2008-02-11 10:37:44.000000000 +0000
26247 +@@ -10,5 +10,6 @@
26248 + #define L1_CACHE_BYTES (1 << L1_CACHE_SHIFT)
26249 +
26250 + #define __read_mostly __attribute__((__section__(".data.read_mostly")))
26251 ++#define __read_only __attribute__((__section__(".data.read_only")))
26252 +
26253 + #endif
26254 +diff -Nurp linux-2.6.23.15/include/asm-i386/checksum.h linux-2.6.23.15-grsec/include/asm-i386/checksum.h
26255 +--- linux-2.6.23.15/include/asm-i386/checksum.h 2007-10-09 21:31:38.000000000 +0100
26256 ++++ linux-2.6.23.15-grsec/include/asm-i386/checksum.h 2008-02-11 10:37:44.000000000 +0000
26257 +@@ -30,6 +30,12 @@ asmlinkage __wsum csum_partial(const voi
26258 + asmlinkage __wsum csum_partial_copy_generic(const void *src, void *dst,
26259 + int len, __wsum sum, int *src_err_ptr, int *dst_err_ptr);
26260 +
26261 ++asmlinkage __wsum csum_partial_copy_generic_to_user(const void *src, void *dst,
26262 ++ int len, __wsum sum, int *src_err_ptr, int *dst_err_ptr);
26263 ++
26264 ++asmlinkage __wsum csum_partial_copy_generic_from_user(const void *src, void *dst,
26265 ++ int len, __wsum sum, int *src_err_ptr, int *dst_err_ptr);
26266 ++
26267 + /*
26268 + * Note: when you get a NULL pointer exception here this means someone
26269 + * passed in an incorrect kernel address to one of these functions.
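Review bot: The two new prototypes `csum_partial_copy_generic_to_user` and `csum_partial_copy_generic_from_user` have no comment stating how they differ from `csum_partial_copy_generic`, even though the later hunks route the user-space copies through them; if they are the variants that take a user pointer for dst or src respectively, say so above them, e.g. `/* as csum_partial_copy_generic, but dst (to_user) / src (from_user) is a user-space pointer */`. The definitions themselves are outside this file, so a reader of the header cannot recover that from here.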
26270 +@@ -49,7 +55,7 @@ __wsum csum_partial_copy_from_user(const
26271 + int len, __wsum sum, int *err_ptr)
26272 + {
26273 + might_sleep();
26274 +- return csum_partial_copy_generic((__force void *)src, dst,
26275 ++ return csum_partial_copy_generic_from_user((__force void *)src, dst,
26276 + len, sum, err_ptr, NULL);
26277 + }
26278 +
26279 +@@ -180,7 +186,7 @@ static __inline__ __wsum csum_and_copy_t
26280 + {
26281 + might_sleep();
26282 + if (access_ok(VERIFY_WRITE, dst, len))
26283 +- return csum_partial_copy_generic(src, (__force void *)dst, len, sum, NULL, err_ptr);
26284 ++ return csum_partial_copy_generic_to_user(src, (__force void *)dst, len, sum, NULL, err_ptr);
26285 +
26286 + if (len)
26287 + *err_ptr = -EFAULT;
26288 +diff -Nurp linux-2.6.23.15/include/asm-i386/desc.h linux-2.6.23.15-grsec/include/asm-i386/desc.h
26289 +--- linux-2.6.23.15/include/asm-i386/desc.h 2007-10-09 21:31:38.000000000 +0100
26290 ++++ linux-2.6.23.15-grsec/include/asm-i386/desc.h 2008-02-11 10:37:44.000000000 +0000
26291 +@@ -7,26 +7,22 @@
26292 + #ifndef __ASSEMBLY__
26293 +
26294 + #include <linux/preempt.h>
26295 +-#include <linux/smp.h>
26296 + #include <linux/percpu.h>
26297 ++#include <linux/smp.h>
26298 +
26299 + #include <asm/mmu.h>
26300 +
26301 ++extern struct desc_struct cpu_gdt_table[NR_CPUS][PAGE_SIZE / sizeof(struct desc_struct)];
26302 ++
26303 + struct Xgt_desc_struct {
26304 + unsigned short size;
26305 +- unsigned long address __attribute__((packed));
26306 ++ struct desc_struct *address __attribute__((packed));
26307 + unsigned short pad;
26308 + } __attribute__ ((packed));
26309 +
26310 +-struct gdt_page
26311 +-{
26312 +- struct desc_struct gdt[GDT_ENTRIES];
26313 +-} __attribute__((aligned(PAGE_SIZE)));
26314 +-DECLARE_PER_CPU(struct gdt_page, gdt_page);
26315 +-
26316 + static inline struct desc_struct *get_cpu_gdt_table(unsigned int cpu)
26317 + {
26318 +- return per_cpu(gdt_page, cpu).gdt;
26319 ++ return cpu_gdt_table[cpu];
26320 + }
26321 +
26322 + extern struct Xgt_desc_struct idt_descr;
26323 +@@ -81,8 +77,20 @@ static inline void pack_gate(__u32 *a, _
26324 + static inline void write_dt_entry(struct desc_struct *dt,
26325 + int entry, u32 entry_low, u32 entry_high)
26326 + {
26327 ++
26328 ++#ifdef CONFIG_PAX_KERNEXEC
26329 ++ unsigned long cr0;
26330 ++
26331 ++ pax_open_kernel(cr0);
26332 ++#endif
26333 ++
26334 + dt[entry].a = entry_low;
26335 + dt[entry].b = entry_high;
26336 ++
26337 ++#ifdef CONFIG_PAX_KERNEXEC
26338 ++ pax_close_kernel(cr0);
26339 ++#endif
26340 ++
26341 + }
26342 +
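Review bot: `write_dt_entry` now brackets the two descriptor stores with `pax_open_kernel(cr0)` / `pax_close_kernel(cr0)` but nothing documents what must hold during that window, and the same pattern appears in `native_load_tls` in the next hunk. If these macros toggle write protection through CR0, the window must not be interrupted by code that relies on the protection being on; a comment such as `/* descriptor tables are read-only under KERNEXEC: open them only for these stores */`, plus a note on whether callers already run with preemption disabled, would make the contract explicit. The blank lines inserted directly after the opening brace and before the closing brace are stray.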
26343 + static inline void native_set_ldt(const void *addr, unsigned int entries)
26344 +@@ -139,8 +147,19 @@ static inline void native_load_tls(struc
26345 + unsigned int i;
26346 + struct desc_struct *gdt = get_cpu_gdt_table(cpu);
26347 +
26348 ++#ifdef CONFIG_PAX_KERNEXEC
26349 ++ unsigned long cr0;
26350 ++
26351 ++ pax_open_kernel(cr0);
26352 ++#endif
26353 ++
26354 + for (i = 0; i < GDT_ENTRY_TLS_ENTRIES; i++)
26355 + gdt[GDT_ENTRY_TLS_MIN + i] = t->tls_array[i];
26356 ++
26357 ++#ifdef CONFIG_PAX_KERNEXEC
26358 ++ pax_close_kernel(cr0);
26359 ++#endif
26360 ++
26361 + }
26362 +
26363 + static inline void _set_gate(int gate, unsigned int type, void *addr, unsigned short seg)
26364 +@@ -175,7 +194,7 @@ static inline void __set_tss_desc(unsign
26365 + ((info)->seg_32bit << 22) | \
26366 + ((info)->limit_in_pages << 23) | \
26367 + ((info)->useable << 20) | \
26368 +- 0x7000)
26369 ++ 0x7100)
26370 +
26371 + #define LDT_empty(info) (\
26372 + (info)->base_addr == 0 && \
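Review bot: The LDT descriptor constant changes from `0x7000` to `0x7100` with no comment; bit 8 of the high dword is the descriptor's accessed bit, so presumably it is preset so the CPU never has to write the descriptor back, which matters if the table lives in read-only memory — TODO confirm that is the reason. Replace the literal with a named constant or add `/* 0x100: accessed bit preset so the CPU never writes the descriptor */` beside it. The enclosing macro starts outside the hunk.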
26373 +@@ -207,15 +226,25 @@ static inline void load_LDT(mm_context_t
26374 + preempt_enable();
26375 + }
26376 +
26377 +-static inline unsigned long get_desc_base(unsigned long *desc)
26378 ++static inline unsigned long get_desc_base(struct desc_struct *desc)
26379 + {
26380 + unsigned long base;
26381 +- base = ((desc[0] >> 16) & 0x0000ffff) |
26382 +- ((desc[1] << 16) & 0x00ff0000) |
26383 +- (desc[1] & 0xff000000);
26384 ++ base = ((desc->a >> 16) & 0x0000ffff) |
26385 ++ ((desc->b << 16) & 0x00ff0000) |
26386 ++ (desc->b & 0xff000000);
26387 + return base;
26388 + }
26389 +
26390 ++static inline void set_user_cs(unsigned long base, unsigned long limit, int cpu)
26391 ++{
26392 ++ __u32 a, b;
26393 ++
26394 ++ if (likely(limit))
26395 ++ limit = (limit - 1UL) >> PAGE_SHIFT;
26396 ++ pack_descriptor(&a, &b, base, limit, 0xFB, 0xC);
26397 ++ write_gdt_entry(get_cpu_gdt_table(cpu), GDT_ENTRY_DEFAULT_USER_CS, a, b);
26398 ++}
26399 ++
26400 + #else /* __ASSEMBLY__ */
26401 +
26402 + /*
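Review bot: `set_user_cs` packs the descriptor with the bare literals `0xFB` and `0xC`, which encode the access byte and flags of the user code segment, and nothing says which bits they are; name them (for example `USER_CS_ACCESS` / `USER_CS_FLAGS`, constructed names) or comment each argument so a reader can check the DPL, present and granularity bits without decoding hex. The adjustment `limit = (limit - 1UL) >> PAGE_SHIFT` assumes `limit` is a byte count and that `0xC` selects page granularity; one line stating that would help. `get_desc_base` changes its parameter to `struct desc_struct *`, so any caller still passing `unsigned long *` is outside this hunk and needs checking.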
26403 +diff -Nurp linux-2.6.23.15/include/asm-i386/elf.h linux-2.6.23.15-grsec/include/asm-i386/elf.h
26404 +--- linux-2.6.23.15/include/asm-i386/elf.h 2007-10-09 21:31:38.000000000 +0100
26405 ++++ linux-2.6.23.15-grsec/include/asm-i386/elf.h 2008-02-11 10:37:44.000000000 +0000
26406 +@@ -73,7 +73,18 @@ typedef struct user_fxsr_struct elf_fpxr
26407 + the loader. We need to make sure that it is out of the way of the program
26408 + that it will "exec", and that there is sufficient room for the brk. */
26409 +
26410 ++#ifdef CONFIG_PAX_SEGMEXEC
26411 ++#define ELF_ET_DYN_BASE ((current->mm->pax_flags & MF_PAX_SEGMEXEC) ? SEGMEXEC_TASK_SIZE/3*2 : TASK_SIZE/3*2)
26412 ++#else
26413 + #define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
26414 ++#endif
26415 ++
26416 ++#ifdef CONFIG_PAX_ASLR
26417 ++#define PAX_ELF_ET_DYN_BASE 0x10000000UL
26418 ++
26419 ++#define PAX_DELTA_MMAP_LEN (current->mm->pax_flags & MF_PAX_SEGMEXEC ? 15 : 16)
26420 ++#define PAX_DELTA_STACK_LEN (current->mm->pax_flags & MF_PAX_SEGMEXEC ? 15 : 16)
26421 ++#endif
26422 +
26423 + /* regs is struct pt_regs, pr_reg is elf_gregset_t (which is
26424 + now struct_user_regs, they are different) */
26425 +@@ -131,7 +142,7 @@ extern int dump_task_extended_fpu (struc
26426 + #define ELF_CORE_COPY_XFPREGS(tsk, elf_xfpregs) dump_task_extended_fpu(tsk, elf_xfpregs)
26427 +
26428 + #define VDSO_HIGH_BASE (__fix_to_virt(FIX_VDSO))
26429 +-#define VDSO_CURRENT_BASE ((unsigned long)current->mm->context.vdso)
26430 ++#define VDSO_CURRENT_BASE (current->mm->context.vdso)
26431 + #define VDSO_PRELINK 0
26432 +
26433 + #define VDSO_SYM(x) \
26434 +diff -Nurp linux-2.6.23.15/include/asm-i386/futex.h linux-2.6.23.15-grsec/include/asm-i386/futex.h
26435 +--- linux-2.6.23.15/include/asm-i386/futex.h 2007-10-09 21:31:38.000000000 +0100
26436 ++++ linux-2.6.23.15-grsec/include/asm-i386/futex.h 2008-02-11 10:37:44.000000000 +0000
26437 +@@ -11,8 +11,11 @@
26438 +
26439 + #define __futex_atomic_op1(insn, ret, oldval, uaddr, oparg) \
26440 + __asm__ __volatile ( \
26441 ++ "movw %w6, %%ds\n"\
26442 + "1: " insn "\n" \
26443 +-"2: .section .fixup,\"ax\"\n\
26444 ++"2: pushl %%ss\n\
26445 ++ popl %%ds\n\
26446 ++ .section .fixup,\"ax\"\n\
26447 + 3: mov %3, %1\n\
26448 + jmp 2b\n\
26449 + .previous\n\
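Review bot: `__futex_atomic_op1` now loads `%%ds` from `__USER_DS` before the user access and restores it from `%%ss` at label 2, with the fixup at 3 jumping back through 2b so the restore also runs on a fault, but nothing documents why the segment register has to be switched for this access; presumably the kernel's default data segment no longer covers user addresses under the PaX memory model, which is exactly the assumption a later editor of the fault path needs to know. Add a comment above the macro such as `/* user access must go through a %ds that covers userland; label 2 restores the kernel %ds on both the success and the fixup path */`. The same applies to `__futex_atomic_op2` and `%%es` in the next hunk, and to the `%%ds:` overrides added to the xchgl/xaddl operands further down.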
26450 +@@ -21,16 +24,19 @@
26451 + .long 1b,3b\n\
26452 + .previous" \
26453 + : "=r" (oldval), "=r" (ret), "+m" (*uaddr) \
26454 +- : "i" (-EFAULT), "0" (oparg), "1" (0))
26455 ++ : "i" (-EFAULT), "0" (oparg), "1" (0), "r" (__USER_DS))
26456 +
26457 + #define __futex_atomic_op2(insn, ret, oldval, uaddr, oparg) \
26458 + __asm__ __volatile ( \
26459 +-"1: movl %2, %0\n\
26460 ++" movw %w7, %%es\n\
26461 ++1: movl %%es:%2, %0\n\
26462 + movl %0, %3\n" \
26463 + insn "\n" \
26464 +-"2: " LOCK_PREFIX "cmpxchgl %3, %2\n\
26465 ++"2: " LOCK_PREFIX "cmpxchgl %3, %%es:%2\n\
26466 + jnz 1b\n\
26467 +-3: .section .fixup,\"ax\"\n\
26468 ++3: pushl %%ss\n\
26469 ++ popl %%es\n\
26470 ++ .section .fixup,\"ax\"\n\
26471 + 4: mov %5, %1\n\
26472 + jmp 3b\n\
26473 + .previous\n\
26474 +@@ -40,10 +46,10 @@
26475 + .previous" \
26476 + : "=&a" (oldval), "=&r" (ret), "+m" (*uaddr), \
26477 + "=&r" (tem) \
26478 +- : "r" (oparg), "i" (-EFAULT), "1" (0))
26479 ++ : "r" (oparg), "i" (-EFAULT), "1" (0), "r" (__USER_DS))
26480 +
26481 + static inline int
26482 +-futex_atomic_op_inuser (int encoded_op, int __user *uaddr)
26483 ++futex_atomic_op_inuser (int encoded_op, u32 __user *uaddr)
26484 + {
26485 + int op = (encoded_op >> 28) & 7;
26486 + int cmp = (encoded_op >> 24) & 15;
26487 +@@ -59,7 +65,7 @@ futex_atomic_op_inuser (int encoded_op,
26488 + pagefault_disable();
26489 +
26490 + if (op == FUTEX_OP_SET)
26491 +- __futex_atomic_op1("xchgl %0, %2", ret, oldval, uaddr, oparg);
26492 ++ __futex_atomic_op1("xchgl %0, %%ds:%2", ret, oldval, uaddr, oparg);
26493 + else {
26494 + #ifndef CONFIG_X86_BSWAP
26495 + if (boot_cpu_data.x86 == 3)
26496 +@@ -68,7 +74,7 @@ futex_atomic_op_inuser (int encoded_op,
26497 + #endif
26498 + switch (op) {
26499 + case FUTEX_OP_ADD:
26500 +- __futex_atomic_op1(LOCK_PREFIX "xaddl %0, %2", ret,
26501 ++ __futex_atomic_op1(LOCK_PREFIX "xaddl %0, %%ds:%2", ret,
26502 + oldval, uaddr, oparg);
26503 + break;
26504 + case FUTEX_OP_OR:
26505 +@@ -105,15 +111,17 @@ futex_atomic_op_inuser (int encoded_op,
26506 + }
26507 +
26508 + static inline int
26509 +-futex_atomic_cmpxchg_inatomic(int __user *uaddr, int oldval, int newval)
26510 ++futex_atomic_cmpxchg_inatomic(u32 __user *uaddr, int oldval, int newval)
26511 + {
26512 + if (!access_ok(VERIFY_WRITE, uaddr, sizeof(int)))
26513 + return -EFAULT;
26514 +
26515 + __asm__ __volatile__(
26516 +- "1: " LOCK_PREFIX "cmpxchgl %3, %1 \n"
26517 +-
26518 +- "2: .section .fixup, \"ax\" \n"
26519 ++ " movw %w5, %%ds \n"
26520 ++ "1: " LOCK_PREFIX "cmpxchgl %3, %%ds:%1 \n"
26521 ++ "2: pushl %%ss \n"
26522 ++ " popl %%ds \n"
26523 ++ " .section .fixup, \"ax\" \n"
26524 + "3: mov %2, %0 \n"
26525 + " jmp 2b \n"
26526 + " .previous \n"
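Review bot: The `access_ok(VERIFY_WRITE, uaddr, sizeof(int))` check is now inconsistent with the changed parameter type `u32 __user *uaddr`; it still passes on i386 only because `sizeof(int) == sizeof(u32)` there. Tie the check to the pointer instead, `if (!access_ok(VERIFY_WRITE, uaddr, sizeof(*uaddr)))`, so the two cannot drift apart. The body of `futex_atomic_cmpxchg_inatomic` continues in the next hunk.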
26527 +@@ -124,7 +132,7 @@ futex_atomic_cmpxchg_inatomic(int __user
26528 + " .previous \n"
26529 +
26530 + : "=a" (oldval), "+m" (*uaddr)
26531 +- : "i" (-EFAULT), "r" (newval), "0" (oldval)
26532 ++ : "i" (-EFAULT), "r" (newval), "0" (oldval), "r" (__USER_DS)
26533 + : "memory"
26534 + );
26535 +
26536 +diff -Nurp linux-2.6.23.15/include/asm-i386/i387.h linux-2.6.23.15-grsec/include/asm-i386/i387.h
26537 +--- linux-2.6.23.15/include/asm-i386/i387.h 2007-10-09 21:31:38.000000000 +0100
26538 ++++ linux-2.6.23.15-grsec/include/asm-i386/i387.h 2008-02-11 10:37:44.000000000 +0000
26539 +@@ -40,13 +40,8 @@ extern void kernel_fpu_begin(void);
26540 + #define kernel_fpu_end() do { stts(); preempt_enable(); } while(0)
26541 +
26542 + /* We need a safe address that is cheap to find and that is already
26543 +- in L1 during context switch. The best choices are unfortunately
26544 +- different for UP and SMP */
26545 +-#ifdef CONFIG_SMP
26546 +-#define safe_address (__per_cpu_offset[0])
26547 +-#else
26548 +-#define safe_address (kstat_cpu(0).cpustat.user)
26549 +-#endif
26550 ++ in L1 during context switch. */
26551 ++#define safe_address (init_tss[smp_processor_id()].x86_tss.esp0)
26552 +
26553 + /*
26554 + * These must be called with preempt disabled
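Review bot: The new `safe_address` indexes `init_tss[smp_processor_id()]`, so it is only meaningful while preemption is disabled, but the shortened comment above it no longer says anything about that requirement; the "must be called with preempt disabled" comment that follows belongs to the functions below, not to this macro. Suggest extending the comment: `/* ... in L1 during context switch; indexes init_tss by smp_processor_id(), so only valid with preemption disabled. */`. This also relies on `init_tss` being a plain `NR_CPUS` array, which the `processor.h` hunk in this patch introduces — the two changes have to land together.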
26555 +diff -Nurp linux-2.6.23.15/include/asm-i386/irqflags.h linux-2.6.23.15-grsec/include/asm-i386/irqflags.h
26556 +--- linux-2.6.23.15/include/asm-i386/irqflags.h 2007-10-09 21:31:38.000000000 +0100
26557 ++++ linux-2.6.23.15-grsec/include/asm-i386/irqflags.h 2008-02-11 10:37:44.000000000 +0000
26558 +@@ -108,6 +108,8 @@ static inline unsigned long __raw_local_
26559 + #define ENABLE_INTERRUPTS_SYSEXIT sti; sysexit
26560 + #define INTERRUPT_RETURN iret
26561 + #define GET_CR0_INTO_EAX movl %cr0, %eax
26562 ++#define GET_CR0_INTO_EDX movl %cr0, %edx
26563 ++#define SET_CR0_FROM_EDX movl %edx, %cr0
26564 + #endif /* __ASSEMBLY__ */
26565 + #endif /* CONFIG_PARAVIRT */
26566 +
26567 +diff -Nurp linux-2.6.23.15/include/asm-i386/kmap_types.h linux-2.6.23.15-grsec/include/asm-i386/kmap_types.h
26568 +--- linux-2.6.23.15/include/asm-i386/kmap_types.h 2007-10-09 21:31:38.000000000 +0100
26569 ++++ linux-2.6.23.15-grsec/include/asm-i386/kmap_types.h 2008-02-11 10:37:44.000000000 +0000
26570 +@@ -22,7 +22,8 @@ D(9) KM_IRQ0,
26571 + D(10) KM_IRQ1,
26572 + D(11) KM_SOFTIRQ0,
26573 + D(12) KM_SOFTIRQ1,
26574 +-D(13) KM_TYPE_NR
26575 ++D(13) KM_CLEARPAGE,
26576 ++D(14) KM_TYPE_NR
26577 + };
26578 +
26579 + #undef D
26580 +diff -Nurp linux-2.6.23.15/include/asm-i386/mach-default/apm.h linux-2.6.23.15-grsec/include/asm-i386/mach-default/apm.h
26581 +--- linux-2.6.23.15/include/asm-i386/mach-default/apm.h 2007-10-09 21:31:38.000000000 +0100
26582 ++++ linux-2.6.23.15-grsec/include/asm-i386/mach-default/apm.h 2008-02-11 10:37:44.000000000 +0000
26583 +@@ -36,7 +36,7 @@ static inline void apm_bios_call_asm(u32
26584 + __asm__ __volatile__(APM_DO_ZERO_SEGS
26585 + "pushl %%edi\n\t"
26586 + "pushl %%ebp\n\t"
26587 +- "lcall *%%cs:apm_bios_entry\n\t"
26588 ++ "lcall *%%ss:apm_bios_entry\n\t"
26589 + "setc %%al\n\t"
26590 + "popl %%ebp\n\t"
26591 + "popl %%edi\n\t"
26592 +@@ -60,7 +60,7 @@ static inline u8 apm_bios_call_simple_as
26593 + __asm__ __volatile__(APM_DO_ZERO_SEGS
26594 + "pushl %%edi\n\t"
26595 + "pushl %%ebp\n\t"
26596 +- "lcall *%%cs:apm_bios_entry\n\t"
26597 ++ "lcall *%%ss:apm_bios_entry\n\t"
26598 + "setc %%bl\n\t"
26599 + "popl %%ebp\n\t"
26600 + "popl %%edi\n\t"
26601 +diff -Nurp linux-2.6.23.15/include/asm-i386/mman.h linux-2.6.23.15-grsec/include/asm-i386/mman.h
26602 +--- linux-2.6.23.15/include/asm-i386/mman.h 2007-10-09 21:31:38.000000000 +0100
26603 ++++ linux-2.6.23.15-grsec/include/asm-i386/mman.h 2008-02-11 10:37:44.000000000 +0000
26604 +@@ -14,4 +14,12 @@
26605 + #define MCL_CURRENT 1 /* lock all current mappings */
26606 + #define MCL_FUTURE 2 /* lock all future mappings */
26607 +
26608 ++#ifdef __KERNEL__
26609 ++#ifndef __ASSEMBLY__
26610 ++#define arch_mmap_check i386_mmap_check
26611 ++int i386_mmap_check(unsigned long addr, unsigned long len,
26612 ++ unsigned long flags);
26613 ++#endif
26614 ++#endif
26615 ++
26616 + #endif /* __I386_MMAN_H__ */
26617 +diff -Nurp linux-2.6.23.15/include/asm-i386/mmu.h linux-2.6.23.15-grsec/include/asm-i386/mmu.h
26618 +--- linux-2.6.23.15/include/asm-i386/mmu.h 2007-10-09 21:31:38.000000000 +0100
26619 ++++ linux-2.6.23.15-grsec/include/asm-i386/mmu.h 2008-02-11 10:37:44.000000000 +0000
26620 +@@ -11,8 +11,19 @@
26621 + typedef struct {
26622 + int size;
26623 + struct semaphore sem;
26624 +- void *ldt;
26625 +- void *vdso;
26626 ++ struct desc_struct *ldt;
26627 ++ unsigned long vdso;
26628 ++
26629 ++#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
26630 ++ unsigned long user_cs_base;
26631 ++ unsigned long user_cs_limit;
26632 ++
26633 ++#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP)
26634 ++ cpumask_t cpu_user_cs_mask;
26635 ++#endif
26636 ++
26637 ++#endif
26638 ++
26639 + } mm_context_t;
26640 +
26641 + #endif
26642 +diff -Nurp linux-2.6.23.15/include/asm-i386/mmu_context.h linux-2.6.23.15-grsec/include/asm-i386/mmu_context.h
26643 +--- linux-2.6.23.15/include/asm-i386/mmu_context.h 2007-10-09 21:31:38.000000000 +0100
26644 ++++ linux-2.6.23.15-grsec/include/asm-i386/mmu_context.h 2008-02-11 10:37:44.000000000 +0000
26645 +@@ -57,6 +57,22 @@ static inline void switch_mm(struct mm_s
26646 + */
26647 + if (unlikely(prev->context.ldt != next->context.ldt))
26648 + load_LDT_nolock(&next->context);
26649 ++
26650 ++#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP)
26651 ++ if (!nx_enabled) {
26652 ++ smp_mb__before_clear_bit();
26653 ++ cpu_clear(cpu, prev->context.cpu_user_cs_mask);
26654 ++ smp_mb__after_clear_bit();
26655 ++ cpu_set(cpu, next->context.cpu_user_cs_mask);
26656 ++ }
26657 ++#endif
26658 ++
26659 ++#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
26660 ++ if (unlikely(prev->context.user_cs_base != next->context.user_cs_base ||
26661 ++ prev->context.user_cs_limit != next->context.user_cs_limit))
26662 ++ set_user_cs(next->context.user_cs_base, next->context.user_cs_limit, cpu);
26663 ++#endif
26664 ++
26665 + }
26666 + #ifdef CONFIG_SMP
26667 + else {
26668 +@@ -69,6 +85,19 @@ static inline void switch_mm(struct mm_s
26669 + */
26670 + load_cr3(next->pgd);
26671 + load_LDT_nolock(&next->context);
26672 ++
26673 ++#ifdef CONFIG_PAX_PAGEEXEC
26674 ++ if (!nx_enabled)
26675 ++ cpu_set(cpu, next->context.cpu_user_cs_mask);
26676 ++#endif
26677 ++
26678 ++#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
26679 ++#ifdef CONFIG_PAX_PAGEEXEC
26680 ++ if (!((next->pax_flags & MF_PAX_PAGEEXEC) && nx_enabled))
26681 ++#endif
26682 ++ set_user_cs(next->context.user_cs_base, next->context.user_cs_limit, cpu);
26683 ++#endif
26684 ++
26685 + }
26686 + }
26687 + #endif
26688 +diff -Nurp linux-2.6.23.15/include/asm-i386/module.h linux-2.6.23.15-grsec/include/asm-i386/module.h
26689 +--- linux-2.6.23.15/include/asm-i386/module.h 2007-10-09 21:31:38.000000000 +0100
26690 ++++ linux-2.6.23.15-grsec/include/asm-i386/module.h 2008-02-11 10:37:44.000000000 +0000
26691 +@@ -70,6 +70,12 @@ struct mod_arch_specific
26692 + #define MODULE_STACKSIZE ""
26693 + #endif
26694 +
26695 +-#define MODULE_ARCH_VERMAGIC MODULE_PROC_FAMILY MODULE_STACKSIZE
26696 ++#ifdef CONFIG_GRKERNSEC
26697 ++#define MODULE_GRSEC "GRSECURTY "
26698 ++#else
26699 ++#define MODULE_GRSEC ""
26700 ++#endif
26701 ++
26702 ++#define MODULE_ARCH_VERMAGIC MODULE_PROC_FAMILY MODULE_STACKSIZE MODULE_GRSEC
26703 +
26704 + #endif /* _ASM_I386_MODULE_H */
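Review bot: The literal `"GRSECURTY "` in the new `MODULE_GRSEC` definition is misspelled. Because it is concatenated into `MODULE_ARCH_VERMAGIC`, it becomes part of the vermagic string compared at module load, so correcting it later would reject every out-of-tree module built against this header; better to fix it before the release: `#define MODULE_GRSEC "GRSECURITY "`.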
26705 +diff -Nurp linux-2.6.23.15/include/asm-i386/page.h linux-2.6.23.15-grsec/include/asm-i386/page.h
26706 +--- linux-2.6.23.15/include/asm-i386/page.h 2007-10-09 21:31:38.000000000 +0100
26707 ++++ linux-2.6.23.15-grsec/include/asm-i386/page.h 2008-02-11 10:37:44.000000000 +0000
26708 +@@ -10,6 +10,7 @@
26709 + #define LARGE_PAGE_SIZE (1UL << PMD_SHIFT)
26710 +
26711 + #ifdef __KERNEL__
26712 ++#include <asm/boot.h>
26713 + #ifndef __ASSEMBLY__
26714 +
26715 + #ifdef CONFIG_X86_USE_3DNOW
26716 +@@ -90,7 +91,6 @@ static inline pte_t native_make_pte(unsi
26717 + typedef struct { unsigned long pte_low; } pte_t;
26718 + typedef struct { unsigned long pgd; } pgd_t;
26719 + typedef struct { unsigned long pgprot; } pgprot_t;
26720 +-#define boot_pte_t pte_t /* or would you rather have a typedef */
26721 +
26722 + static inline unsigned long native_pgd_val(pgd_t pgd)
26723 + {
26724 +@@ -175,6 +175,18 @@ extern int page_is_ram(unsigned long pag
26725 + #define __PAGE_OFFSET ((unsigned long)CONFIG_PAGE_OFFSET)
26726 + #endif
26727 +
26728 ++#ifdef CONFIG_PAX_KERNEXEC
26729 ++#ifdef __ASSEMBLY__
26730 ++#define __KERNEL_TEXT_OFFSET (__PAGE_OFFSET + ((LOAD_PHYSICAL_ADDR + 6*1024*1024 - 1) & ~(4*1024*1024 - 1)))
26731 ++#else
26732 ++extern unsigned char KERNEL_TEXT_OFFSET[];
26733 ++#define __KERNEL_TEXT_OFFSET ((unsigned long)KERNEL_TEXT_OFFSET)
26734 ++extern unsigned char MODULES_VADDR[];
26735 ++extern unsigned char MODULES_END[];
26736 ++#endif
26737 ++#else
26738 ++#define __KERNEL_TEXT_OFFSET (0)
26739 ++#endif
26740 +
26741 + #define PAGE_OFFSET ((unsigned long)__PAGE_OFFSET)
26742 + #define VMALLOC_RESERVE ((unsigned long)__VMALLOC_RESERVE)
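Review bot: The assembly-side `__KERNEL_TEXT_OFFSET` expression `(LOAD_PHYSICAL_ADDR + 6*1024*1024 - 1) & ~(4*1024*1024 - 1)` uses two unexplained constants; arithmetically it is `LOAD_PHYSICAL_ADDR + 2MB` rounded up to the next 4MB boundary, and the hunk should say so rather than leave the reader to derive it, e.g. `/* LOAD_PHYSICAL_ADDR + 2MB, rounded up to a 4MB (large-page) boundary */`. The C side instead takes the value from the `KERNEL_TEXT_OFFSET` linker symbol, which presumably is defined from the same formula elsewhere in the patch; a comment noting that the two must agree would help whoever changes one of them.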
26743 +@@ -197,6 +209,10 @@ extern int page_is_ram(unsigned long pag
26744 + ((current->personality & READ_IMPLIES_EXEC) ? VM_EXEC : 0 ) | \
26745 + VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
26746 +
26747 ++#ifdef CONFIG_PAX_PAGEEXEC
26748 ++#define CONFIG_ARCH_TRACK_EXEC_LIMIT 1
26749 ++#endif
26750 ++
26751 + #include <asm-generic/memory_model.h>
26752 + #include <asm-generic/page.h>
26753 +
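Review bot: `#define CONFIG_ARCH_TRACK_EXEC_LIMIT 1` defines a `CONFIG_` symbol from a header rather than from Kconfig, so it is invisible to `autoconf.h`, to the Makefiles and to anything that does not include `asm/page.h`, and it can silently disagree with a future Kconfig option of the same name. If the symbol is only consumed by C code the conventional fix is a non-`CONFIG_` name, e.g. `#define ARCH_TRACK_EXEC_LIMIT 1`; if other build logic needs it, it belongs in Kconfig as a `def_bool` selected by `PAX_PAGEEXEC`.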
26754 +diff -Nurp linux-2.6.23.15/include/asm-i386/paravirt.h linux-2.6.23.15-grsec/include/asm-i386/paravirt.h
26755 +--- linux-2.6.23.15/include/asm-i386/paravirt.h 2007-10-09 21:31:38.000000000 +0100
26756 ++++ linux-2.6.23.15-grsec/include/asm-i386/paravirt.h 2008-02-11 10:37:44.000000000 +0000
26757 +@@ -1057,23 +1057,23 @@ static inline unsigned long __raw_local_
26758 +
26759 + #define INTERRUPT_RETURN \
26760 + PARA_SITE(PARA_PATCH(PARAVIRT_iret), CLBR_NONE, \
26761 +- jmp *%cs:paravirt_ops+PARAVIRT_iret)
26762 ++ jmp *%ss:paravirt_ops+PARAVIRT_iret)
26763 +
26764 + #define DISABLE_INTERRUPTS(clobbers) \
26765 + PARA_SITE(PARA_PATCH(PARAVIRT_irq_disable), clobbers, \
26766 + pushl %eax; pushl %ecx; pushl %edx; \
26767 +- call *%cs:paravirt_ops+PARAVIRT_irq_disable; \
26768 ++ call *%ss:paravirt_ops+PARAVIRT_irq_disable; \
26769 + popl %edx; popl %ecx; popl %eax) \
26770 +
26771 + #define ENABLE_INTERRUPTS(clobbers) \
26772 + PARA_SITE(PARA_PATCH(PARAVIRT_irq_enable), clobbers, \
26773 + pushl %eax; pushl %ecx; pushl %edx; \
26774 +- call *%cs:paravirt_ops+PARAVIRT_irq_enable; \
26775 ++ call *%ss:paravirt_ops+PARAVIRT_irq_enable; \
26776 + popl %edx; popl %ecx; popl %eax)
26777 +
26778 + #define ENABLE_INTERRUPTS_SYSEXIT \
26779 + PARA_SITE(PARA_PATCH(PARAVIRT_irq_enable_sysexit), CLBR_NONE, \
26780 +- jmp *%cs:paravirt_ops+PARAVIRT_irq_enable_sysexit)
26781 ++ jmp *%ss:paravirt_ops+PARAVIRT_irq_enable_sysexit)
26782 +
26783 + #define GET_CR0_INTO_EAX \
26784 + push %ecx; push %edx; \
26785 +diff -Nurp linux-2.6.23.15/include/asm-i386/percpu.h linux-2.6.23.15-grsec/include/asm-i386/percpu.h
26786 +--- linux-2.6.23.15/include/asm-i386/percpu.h 2007-10-09 21:31:38.000000000 +0100
26787 ++++ linux-2.6.23.15-grsec/include/asm-i386/percpu.h 2008-02-11 10:37:44.000000000 +0000
26788 +@@ -22,7 +22,7 @@
26789 + #define PER_CPU_VAR(var) %fs:per_cpu__##var
26790 + #else /* ! SMP */
26791 + #define PER_CPU(var, reg) \
26792 +- movl $per_cpu__##var, reg
26793 ++ movl per_cpu__##var, reg
26794 + #define PER_CPU_VAR(var) per_cpu__##var
26795 + #endif /* SMP */
26796 +
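Review bot: The UP `PER_CPU(var, reg)` now expands to `movl per_cpu__##var, reg`, which loads the variable's contents, whereas the removed `movl $per_cpu__##var, reg` loaded its address. Assuming the SMP `PER_CPU` above this hunk still yields an address (it is not visible here), assembly callers would get different things on UP and SMP after this change; if the asymmetry is intended because all callers were adjusted elsewhere in the patch, a comment on the macro saying so would prevent the next reader from "fixing" it back.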
26797 +@@ -42,12 +42,12 @@
26798 + */
26799 + #ifdef CONFIG_SMP
26800 + /* Same as generic implementation except for optimized local access. */
26801 +-#define __GENERIC_PER_CPU
26802 +
26803 + /* This is used for other cpus to find our section. */
26804 + extern unsigned long __per_cpu_offset[];
26805 ++extern void setup_per_cpu_areas(void);
26806 +
26807 +-#define per_cpu_offset(x) (__per_cpu_offset[x])
26808 ++#define per_cpu_offset(x) (__per_cpu_offset[x] - (unsigned long)__per_cpu_start)
26809 +
26810 + /* Separate out the type, so (int[3], foo) works. */
26811 + #define DECLARE_PER_CPU(type, name) extern __typeof__(type) per_cpu__##name
26812 +@@ -64,11 +64,11 @@ DECLARE_PER_CPU(unsigned long, this_cpu_
26813 +
26814 + /* var is in discarded region: offset to particular copy we want */
26815 + #define per_cpu(var, cpu) (*({ \
26816 +- extern int simple_indentifier_##var(void); \
26817 ++ extern int simple_identifier_##var(void); \
26818 + RELOC_HIDE(&per_cpu__##var, __per_cpu_offset[cpu]); }))
26819 +
26820 + #define __raw_get_cpu_var(var) (*({ \
26821 +- extern int simple_indentifier_##var(void); \
26822 ++ extern int simple_identifier_##var(void); \
26823 + RELOC_HIDE(&per_cpu__##var, x86_read_percpu(this_cpu_off)); \
26824 + }))
26825 +
26826 +@@ -79,7 +79,7 @@ DECLARE_PER_CPU(unsigned long, this_cpu_
26827 + do { \
26828 + unsigned int __i; \
26829 + for_each_possible_cpu(__i) \
26830 +- memcpy((pcpudst)+__per_cpu_offset[__i], \
26831 ++ memcpy((pcpudst)+per_cpu_offset(__i), \
26832 + (src), (size)); \
26833 + } while (0)
26834 +
26835 +diff -Nurp linux-2.6.23.15/include/asm-i386/pgalloc.h linux-2.6.23.15-grsec/include/asm-i386/pgalloc.h
26836 +--- linux-2.6.23.15/include/asm-i386/pgalloc.h 2007-10-09 21:31:38.000000000 +0100
26837 ++++ linux-2.6.23.15-grsec/include/asm-i386/pgalloc.h 2008-02-11 10:37:44.000000000 +0000
26838 +@@ -15,11 +15,19 @@
26839 + #define paravirt_release_pd(pfn) do { } while (0)
26840 + #endif
26841 +
26842 ++#ifdef CONFIG_COMPAT_VDSO
26843 + #define pmd_populate_kernel(mm, pmd, pte) \
26844 + do { \
26845 + paravirt_alloc_pt(mm, __pa(pte) >> PAGE_SHIFT); \
26846 + set_pmd(pmd, __pmd(_PAGE_TABLE + __pa(pte))); \
26847 + } while (0)
26848 ++#else
26849 ++#define pmd_populate_kernel(mm, pmd, pte) \
26850 ++do { \
26851 ++ paravirt_alloc_pt(mm, __pa(pte) >> PAGE_SHIFT); \
26852 ++ set_pmd(pmd, __pmd(_KERNPG_TABLE + __pa(pte))); \
26853 ++} while (0)
26854 ++#endif
26855 +
26856 + #define pmd_populate(mm, pmd, pte) \
26857 + do { \
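Review bot: The new `#else` branch duplicates the whole `pmd_populate_kernel` body only to swap `_PAGE_TABLE` for `_KERNPG_TABLE`; the two copies will drift apart the next time the `paravirt_alloc_pt` line changes. Selecting the flags once under the same `#ifdef CONFIG_COMPAT_VDSO` and keeping a single macro body removes the duplication and makes the actual difference visible at a glance.
```c
#ifdef CONFIG_COMPAT_VDSO
#define PMD_KERNEL_TABLE _PAGE_TABLE
#else
#define PMD_KERNEL_TABLE _KERNPG_TABLE
#endif

#define pmd_populate_kernel(mm, pmd, pte) \
do { \
	paravirt_alloc_pt(mm, __pa(pte) >> PAGE_SHIFT); \
	set_pmd(pmd, __pmd(PMD_KERNEL_TABLE + __pa(pte))); \
} while (0)
/* … unchanged: pmd_populate … */
```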
26858 +diff -Nurp linux-2.6.23.15/include/asm-i386/pgtable-2level.h linux-2.6.23.15-grsec/include/asm-i386/pgtable-2level.h
26859 +--- linux-2.6.23.15/include/asm-i386/pgtable-2level.h 2007-10-09 21:31:38.000000000 +0100
26860 ++++ linux-2.6.23.15-grsec/include/asm-i386/pgtable-2level.h 2008-02-11 10:37:44.000000000 +0000
26861 +@@ -22,7 +22,19 @@ static inline void native_set_pte_at(str
26862 + }
26863 + static inline void native_set_pmd(pmd_t *pmdp, pmd_t pmd)
26864 + {
26865 ++
26866 ++#ifdef CONFIG_PAX_KERNEXEC
26867 ++ unsigned long cr0;
26868 ++
26869 ++ pax_open_kernel(cr0);
26870 ++#endif
26871 ++
26872 + *pmdp = pmd;
26873 ++
26874 ++#ifdef CONFIG_PAX_KERNEXEC
26875 ++ pax_close_kernel(cr0);
26876 ++#endif
26877 ++
26878 + }
26879 + #ifndef CONFIG_PARAVIRT
26880 + #define set_pte(pteptr, pteval) native_set_pte(pteptr, pteval)
26881 +diff -Nurp linux-2.6.23.15/include/asm-i386/pgtable-3level.h linux-2.6.23.15-grsec/include/asm-i386/pgtable-3level.h
26882 +--- linux-2.6.23.15/include/asm-i386/pgtable-3level.h 2007-10-09 21:31:38.000000000 +0100
26883 ++++ linux-2.6.23.15-grsec/include/asm-i386/pgtable-3level.h 2008-02-11 10:37:44.000000000 +0000
26884 +@@ -67,11 +67,35 @@ static inline void native_set_pte_atomic
26885 + }
26886 + static inline void native_set_pmd(pmd_t *pmdp, pmd_t pmd)
26887 + {
26888 ++
26889 ++#ifdef CONFIG_PAX_KERNEXEC
26890 ++ unsigned long cr0;
26891 ++
26892 ++ pax_open_kernel(cr0);
26893 ++#endif
26894 ++
26895 + set_64bit((unsigned long long *)(pmdp),native_pmd_val(pmd));
26896 ++
26897 ++#ifdef CONFIG_PAX_KERNEXEC
26898 ++ pax_close_kernel(cr0);
26899 ++#endif
26900 ++
26901 + }
26902 + static inline void native_set_pud(pud_t *pudp, pud_t pud)
26903 + {
26904 ++
26905 ++#ifdef CONFIG_PAX_KERNEXEC
26906 ++ unsigned long cr0;
26907 ++
26908 ++ pax_open_kernel(cr0);
26909 ++#endif
26910 ++
26911 + *pudp = pud;
26912 ++
26913 ++#ifdef CONFIG_PAX_KERNEXEC
26914 ++ pax_close_kernel(cr0);
26915 ++#endif
26916 ++
26917 + }
26918 +
26919 + /*
26920 +diff -Nurp linux-2.6.23.15/include/asm-i386/pgtable.h linux-2.6.23.15-grsec/include/asm-i386/pgtable.h
26921 +--- linux-2.6.23.15/include/asm-i386/pgtable.h 2007-10-09 21:31:38.000000000 +0100
26922 ++++ linux-2.6.23.15-grsec/include/asm-i386/pgtable.h 2008-02-11 10:37:44.000000000 +0000
26923 +@@ -34,7 +34,6 @@ struct vm_area_struct;
26924 + */
26925 + #define ZERO_PAGE(vaddr) (virt_to_page(empty_zero_page))
26926 + extern unsigned long empty_zero_page[1024];
26927 +-extern pgd_t swapper_pg_dir[1024];
26928 + extern struct kmem_cache *pmd_cache;
26929 + extern spinlock_t pgd_lock;
26930 + extern struct page *pgd_list;
26931 +@@ -58,6 +57,11 @@ void paging_init(void);
26932 + # include <asm/pgtable-2level-defs.h>
26933 + #endif
26934 +
26935 ++extern pgd_t swapper_pg_dir[PTRS_PER_PGD];
26936 ++#ifdef CONFIG_X86_PAE
26937 ++extern pmd_t swapper_pm_dir[PTRS_PER_PGD][PTRS_PER_PMD];
26938 ++#endif
26939 ++
26940 + #define PGDIR_SIZE (1UL << PGDIR_SHIFT)
26941 + #define PGDIR_MASK (~(PGDIR_SIZE-1))
26942 +
26943 +@@ -67,9 +71,11 @@ void paging_init(void);
26944 + #define USER_PGD_PTRS (PAGE_OFFSET >> PGDIR_SHIFT)
26945 + #define KERNEL_PGD_PTRS (PTRS_PER_PGD-USER_PGD_PTRS)
26946 +
26947 ++#ifndef CONFIG_X86_PAE
26948 + #define TWOLEVEL_PGDIR_SHIFT 22
26949 + #define BOOT_USER_PGD_PTRS (__PAGE_OFFSET >> TWOLEVEL_PGDIR_SHIFT)
26950 + #define BOOT_KERNEL_PGD_PTRS (1024-BOOT_USER_PGD_PTRS)
26951 ++#endif
26952 +
26953 + /* Just any arbitrary offset to the start of the vmalloc VM area: the
26954 + * current 8MB value just means that there will be a 8MB "hole" after the
26955 +@@ -136,7 +142,7 @@ void paging_init(void);
26956 + #define PAGE_NONE \
26957 + __pgprot(_PAGE_PROTNONE | _PAGE_ACCESSED)
26958 + #define PAGE_SHARED \
26959 +- __pgprot(_PAGE_PRESENT | _PAGE_RW | _PAGE_USER | _PAGE_ACCESSED)
26960 ++ __pgprot(_PAGE_PRESENT | _PAGE_RW | _PAGE_USER | _PAGE_ACCESSED | _PAGE_NX)
26961 +
26962 + #define PAGE_SHARED_EXEC \
26963 + __pgprot(_PAGE_PRESENT | _PAGE_RW | _PAGE_USER | _PAGE_ACCESSED)
26964 +@@ -202,7 +208,7 @@ extern unsigned long long __PAGE_KERNEL,
26965 + #undef TEST_ACCESS_OK
26966 +
26967 + /* The boot page tables (all created as a single array) */
26968 +-extern unsigned long pg0[];
26969 ++extern pte_t pg0[];
26970 +
26971 + #define pte_present(x) ((x).pte_low & (_PAGE_PRESENT | _PAGE_PROTNONE))
26972 +
26973 +@@ -218,30 +224,55 @@ extern unsigned long pg0[];
26974 + * The following only work if pte_present() is true.
26975 + * Undefined behaviour if not..
26976 + */
26977 ++static inline int pte_user(pte_t pte) { return (pte).pte_low & _PAGE_USER; }
26978 + static inline int pte_dirty(pte_t pte) { return (pte).pte_low & _PAGE_DIRTY; }
26979 + static inline int pte_young(pte_t pte) { return (pte).pte_low & _PAGE_ACCESSED; }
26980 + static inline int pte_write(pte_t pte) { return (pte).pte_low & _PAGE_RW; }
26981 + static inline int pte_huge(pte_t pte) { return (pte).pte_low & _PAGE_PSE; }
26982 +
26983 ++#ifdef CONFIG_X86_PAE
26984 ++# include <asm/pgtable-3level.h>
26985 ++#else
26986 ++# include <asm/pgtable-2level.h>
26987 ++#endif
26988 ++
26989 + /*
26990 + * The following only works if pte_present() is not true.
26991 + */
26992 + static inline int pte_file(pte_t pte) { return (pte).pte_low & _PAGE_FILE; }
26993 +
26994 ++static inline pte_t pte_exprotect(pte_t pte)
26995 ++{
26996 ++#ifdef CONFIG_X86_PAE
26997 ++ if (__supported_pte_mask & _PAGE_NX)
26998 ++ set_pte(&pte, __pte(pte_val(pte) | _PAGE_NX));
26999 ++ else
27000 ++#endif
27001 ++ set_pte(&pte, __pte(pte_val(pte) & ~_PAGE_USER));
27002 ++ return pte;
27003 ++}
27004 ++
27005 + static inline pte_t pte_mkclean(pte_t pte) { (pte).pte_low &= ~_PAGE_DIRTY; return pte; }
27006 + static inline pte_t pte_mkold(pte_t pte) { (pte).pte_low &= ~_PAGE_ACCESSED; return pte; }
27007 + static inline pte_t pte_wrprotect(pte_t pte) { (pte).pte_low &= ~_PAGE_RW; return pte; }
27008 ++static inline pte_t pte_mkread(pte_t pte) { (pte).pte_low |= _PAGE_USER; return pte; }
27009 ++
27010 ++static inline pte_t pte_mkexec(pte_t pte)
27011 ++{
27012 ++#ifdef CONFIG_X86_PAE
27013 ++ if (__supported_pte_mask & _PAGE_NX)
27014 ++ set_pte(&pte, __pte(pte_val(pte) & ~_PAGE_NX));
27015 ++ else
27016 ++#endif
27017 ++ set_pte(&pte, __pte(pte_val(pte) | _PAGE_USER));
27018 ++ return pte;
27019 ++}
27020 ++
27021 + static inline pte_t pte_mkdirty(pte_t pte) { (pte).pte_low |= _PAGE_DIRTY; return pte; }
27022 + static inline pte_t pte_mkyoung(pte_t pte) { (pte).pte_low |= _PAGE_ACCESSED; return pte; }
27023 + static inline pte_t pte_mkwrite(pte_t pte) { (pte).pte_low |= _PAGE_RW; return pte; }
27024 + static inline pte_t pte_mkhuge(pte_t pte) { (pte).pte_low |= _PAGE_PSE; return pte; }
27025 +
27026 +-#ifdef CONFIG_X86_PAE
27027 +-# include <asm/pgtable-3level.h>
27028 +-#else
27029 +-# include <asm/pgtable-2level.h>
27030 +-#endif
27031 +-
27032 + #ifndef CONFIG_PARAVIRT
27033 + /*
27034 + * Rules for using pte_update - it must be called after any PTE update which
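Review bot: `pte_exprotect` and `pte_mkexec` rely on an `else` whose body is the `set_pte()` line after the `#endif`, which is easy to misread as two independent statements when `CONFIG_X86_PAE` is off. A short comment on each would make the control flow explicit, e.g. `/* with NX supported toggle _PAGE_NX; otherwise (and on non-PAE) the else binds to the _PAGE_USER update below the #endif */`. Note also that, unlike the neighbouring one-line accessors that poke `pte_low` directly, these go through `set_pte()` on a stack-local `pte_t`; presumably because `_PAGE_NX` lives in the high word under PAE, but under `CONFIG_PARAVIRT` that call may route through the paravirt `set_pte` hook for what is just a local copy — worth a note confirming that is acceptable.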
27035 +@@ -353,7 +384,19 @@ static inline void ptep_set_wrprotect(st
27036 + */
27037 + static inline void clone_pgd_range(pgd_t *dst, pgd_t *src, int count)
27038 + {
27039 +- memcpy(dst, src, count * sizeof(pgd_t));
27040 ++
27041 ++#ifdef CONFIG_PAX_KERNEXEC
27042 ++ unsigned long cr0;
27043 ++
27044 ++ pax_open_kernel(cr0);
27045 ++#endif
27046 ++
27047 ++ memcpy(dst, src, count * sizeof(pgd_t));
27048 ++
27049 ++#ifdef CONFIG_PAX_KERNEXEC
27050 ++ pax_close_kernel(cr0);
27051 ++#endif
27052 ++
27053 + }
27054 +
27055 + /*
27056 +@@ -500,6 +543,9 @@ static inline void paravirt_pagetable_se
27057 +
27058 + #endif /* !__ASSEMBLY__ */
27059 +
27060 ++#define HAVE_ARCH_UNMAPPED_AREA
27061 ++#define HAVE_ARCH_UNMAPPED_AREA_TOPDOWN
27062 ++
27063 + #ifdef CONFIG_FLATMEM
27064 + #define kern_addr_valid(addr) (1)
27065 + #endif /* CONFIG_FLATMEM */
27066 +diff -Nurp linux-2.6.23.15/include/asm-i386/processor.h linux-2.6.23.15-grsec/include/asm-i386/processor.h
27067 +--- linux-2.6.23.15/include/asm-i386/processor.h 2007-10-09 21:31:38.000000000 +0100
27068 ++++ linux-2.6.23.15-grsec/include/asm-i386/processor.h 2008-02-11 10:37:44.000000000 +0000
27069 +@@ -99,8 +99,6 @@ struct cpuinfo_x86 {
27070 +
27071 + extern struct cpuinfo_x86 boot_cpu_data;
27072 + extern struct cpuinfo_x86 new_cpu_data;
27073 +-extern struct tss_struct doublefault_tss;
27074 +-DECLARE_PER_CPU(struct tss_struct, init_tss);
27075 +
27076 + #ifdef CONFIG_SMP
27077 + extern struct cpuinfo_x86 cpu_data[];
27078 +@@ -209,11 +207,19 @@ extern int bootloader_type;
27079 + */
27080 + #define TASK_SIZE (PAGE_OFFSET)
27081 +
27082 ++#ifdef CONFIG_PAX_SEGMEXEC
27083 ++#define SEGMEXEC_TASK_SIZE (TASK_SIZE / 2)
27084 ++#endif
27085 ++
27086 + /* This decides where the kernel will search for a free chunk of vm
27087 + * space during mmap's.
27088 + */
27089 + #define TASK_UNMAPPED_BASE (PAGE_ALIGN(TASK_SIZE / 3))
27090 +
27091 ++#ifdef CONFIG_PAX_SEGMEXEC
27092 ++#define SEGMEXEC_TASK_UNMAPPED_BASE (PAGE_ALIGN(SEGMEXEC_TASK_SIZE / 3))
27093 ++#endif
27094 ++
27095 + #define HAVE_ARCH_PICK_MMAP_LAYOUT
27096 +
27097 + extern void hard_disable_TSC(void);
27098 +@@ -338,6 +344,9 @@ struct tss_struct {
27099 +
27100 + #define ARCH_MIN_TASKALIGN 16
27101 +
27102 ++extern struct tss_struct doublefault_tss;
27103 ++extern struct tss_struct init_tss[NR_CPUS];
27104 ++
27105 + struct thread_struct {
27106 + /* cached TLS descriptors. */
27107 + struct desc_struct tls_array[GDT_ENTRY_TLS_ENTRIES];
27108 +@@ -366,7 +375,7 @@ struct thread_struct {
27109 + };
27110 +
27111 + #define INIT_THREAD { \
27112 +- .esp0 = sizeof(init_stack) + (long)&init_stack, \
27113 ++ .esp0 = sizeof(init_stack) + (long)&init_stack - 8, \
27114 + .vm86_info = NULL, \
27115 + .sysenter_cs = __KERNEL_CS, \
27116 + .io_bitmap_ptr = NULL, \
27117 +@@ -381,7 +390,7 @@ struct thread_struct {
27118 + */
27119 + #define INIT_TSS { \
27120 + .x86_tss = { \
27121 +- .esp0 = sizeof(init_stack) + (long)&init_stack, \
27122 ++ .esp0 = sizeof(init_stack) + (long)&init_stack - 8, \
27123 + .ss0 = __KERNEL_DS, \
27124 + .ss1 = __KERNEL_CS, \
27125 + .io_bitmap_base = INVALID_IO_BITMAP_OFFSET, \
27126 +@@ -422,11 +431,7 @@ void show_trace(struct task_struct *task
27127 + unsigned long get_wchan(struct task_struct *p);
27128 +
27129 + #define THREAD_SIZE_LONGS (THREAD_SIZE/sizeof(unsigned long))
27130 +-#define KSTK_TOP(info) \
27131 +-({ \
27132 +- unsigned long *__ptr = (unsigned long *)(info); \
27133 +- (unsigned long)(&__ptr[THREAD_SIZE_LONGS]); \
27134 +-})
27135 ++#define KSTK_TOP(info) ((info)->task.thread.esp0)
27136 +
27137 + /*
27138 + * The below -8 is to reserve 8 bytes on top of the ring0 stack.
27139 +@@ -441,7 +446,7 @@ unsigned long get_wchan(struct task_stru
27140 + #define task_pt_regs(task) \
27141 + ({ \
27142 + struct pt_regs *__regs__; \
27143 +- __regs__ = (struct pt_regs *)(KSTK_TOP(task_stack_page(task))-8); \
27144 ++ __regs__ = (struct pt_regs *)((task)->thread.esp0); \
27145 + __regs__ - 1; \
27146 + })
27147 +
27148 +@@ -603,8 +608,8 @@ static inline void cpuid(unsigned int op
27149 + }
27150 +
27151 + /* Some CPUID calls want 'count' to be placed in ecx */
27152 +-static inline void cpuid_count(int op, int count, int *eax, int *ebx, int *ecx,
27153 +- int *edx)
27154 ++static inline void cpuid_count(unsigned int op, unsigned int count, unsigned int *eax, unsigned int *ebx, unsigned int *ecx,
27155 ++ unsigned int *edx)
27156 + {
27157 + *eax = op;
27158 + *ecx = count;
27159 +diff -Nurp linux-2.6.23.15/include/asm-i386/ptrace.h linux-2.6.23.15-grsec/include/asm-i386/ptrace.h
27160 +--- linux-2.6.23.15/include/asm-i386/ptrace.h 2007-10-09 21:31:38.000000000 +0100
27161 ++++ linux-2.6.23.15-grsec/include/asm-i386/ptrace.h 2008-02-11 10:37:44.000000000 +0000
27162 +@@ -35,17 +35,18 @@ struct task_struct;
27163 + extern void send_sigtrap(struct task_struct *tsk, struct pt_regs *regs, int error_code);
27164 +
27165 + /*
27166 +- * user_mode_vm(regs) determines whether a register set came from user mode.
27167 ++ * user_mode(regs) determines whether a register set came from user mode.
27168 + * This is true if V8086 mode was enabled OR if the register set was from
27169 + * protected mode with RPL-3 CS value. This tricky test checks that with
27170 + * one comparison. Many places in the kernel can bypass this full check
27171 +- * if they have already ruled out V8086 mode, so user_mode(regs) can be used.
27172 ++ * if they have already ruled out V8086 mode, so user_mode_novm(regs) can
27173 ++ * be used.
27174 + */
27175 +-static inline int user_mode(struct pt_regs *regs)
27176 ++static inline int user_mode_novm(struct pt_regs *regs)
27177 + {
27178 + return (regs->xcs & SEGMENT_RPL_MASK) == USER_RPL;
27179 + }
27180 +-static inline int user_mode_vm(struct pt_regs *regs)
27181 ++static inline int user_mode(struct pt_regs *regs)
27182 + {
27183 + return ((regs->xcs & SEGMENT_RPL_MASK) | (regs->eflags & VM_MASK)) >= USER_RPL;
27184 + }
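Review bot: Swapping the names so that `user_mode()` becomes the V86-aware check and the old semantics move to `user_mode_novm()` silently changes what every existing `user_mode(regs)` caller tests; since the new meaning is the stricter one this fails in the safe direction, but it is a tree-wide semantic change that the patch description should call out. Any caller still using `user_mode_vm()` will fail to build, which is fine as a forcing function but should be stated too. The rewritten comment block could also say this explicitly: `* NOTE: user_mode() was formerly user_mode_vm(); the RPL-only test is now user_mode_novm().`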
27185 +diff -Nurp linux-2.6.23.15/include/asm-i386/reboot.h linux-2.6.23.15-grsec/include/asm-i386/reboot.h
27186 +--- linux-2.6.23.15/include/asm-i386/reboot.h 2007-10-09 21:31:38.000000000 +0100
27187 ++++ linux-2.6.23.15-grsec/include/asm-i386/reboot.h 2008-02-11 10:37:44.000000000 +0000
27188 +@@ -15,6 +15,6 @@ struct machine_ops
27189 +
27190 + extern struct machine_ops machine_ops;
27191 +
27192 +-void machine_real_restart(unsigned char *code, int length);
27193 ++void machine_real_restart(const unsigned char *code, unsigned int length);
27194 +
27195 + #endif /* _ASM_REBOOT_H */
27196 +diff -Nurp linux-2.6.23.15/include/asm-i386/segment.h linux-2.6.23.15-grsec/include/asm-i386/segment.h
27197 +--- linux-2.6.23.15/include/asm-i386/segment.h 2007-10-09 21:31:38.000000000 +0100
27198 ++++ linux-2.6.23.15-grsec/include/asm-i386/segment.h 2008-02-11 10:37:44.000000000 +0000
27199 +@@ -81,6 +81,12 @@
27200 + #define __KERNEL_PERCPU 0
27201 + #endif
27202 +
27203 ++#define GDT_ENTRY_PCIBIOS_CS (GDT_ENTRY_KERNEL_BASE + 16)
27204 ++#define __PCIBIOS_CS (GDT_ENTRY_PCIBIOS_CS * 8)
27205 ++
27206 ++#define GDT_ENTRY_PCIBIOS_DS (GDT_ENTRY_KERNEL_BASE + 17)
27207 ++#define __PCIBIOS_DS (GDT_ENTRY_PCIBIOS_DS * 8)
27208 ++
27209 + #define GDT_ENTRY_DOUBLEFAULT_TSS 31
27210 +
27211 + /*
27212 +@@ -140,9 +146,9 @@
27213 + #define SEGMENT_IS_KERNEL_CODE(x) (((x) & 0xfc) == GDT_ENTRY_KERNEL_CS * 8)
27214 +
27215 + /* Matches __KERNEL_CS and __USER_CS (they must be 2 entries apart) */
27216 +-#define SEGMENT_IS_FLAT_CODE(x) (((x) & 0xec) == GDT_ENTRY_KERNEL_CS * 8)
27217 ++#define SEGMENT_IS_FLAT_CODE(x) (((x) & 0xFFFCU) == __KERNEL_CS || ((x) & 0xFFFCU) == __USER_CS)
27218 +
27219 + /* Matches PNP_CS32 and PNP_CS16 (they must be consecutive) */
27220 +-#define SEGMENT_IS_PNP_CODE(x) (((x) & 0xf4) == GDT_ENTRY_PNPBIOS_BASE * 8)
27221 ++#define SEGMENT_IS_PNP_CODE(x) (((x) & 0xFFFCU) == PNP_CS32 || ((x) & 0xFFFCU) == PNP_CS16)
27222 +
27223 + #endif
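Review bot: The context comments above the two rewritten macros are now stale: the new `SEGMENT_IS_FLAT_CODE` and `SEGMENT_IS_PNP_CODE` compare `(x) & 0xFFFCU` against each selector explicitly, so they no longer depend on `__KERNEL_CS`/`__USER_CS` being two entries apart or on `PNP_CS32`/`PNP_CS16` being consecutive. Update them to describe what the code does, e.g. `/* Matches __KERNEL_CS or __USER_CS, ignoring the RPL bits */` and `/* Matches PNP_CS32 or PNP_CS16, ignoring the RPL bits */`. Minor: each macro now evaluates `x` twice, so callers must not pass an expression with side effects.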
27224 +diff -Nurp linux-2.6.23.15/include/asm-i386/system.h linux-2.6.23.15-grsec/include/asm-i386/system.h
27225 +--- linux-2.6.23.15/include/asm-i386/system.h 2008-02-11 10:36:03.000000000 +0000
27226 ++++ linux-2.6.23.15-grsec/include/asm-i386/system.h 2008-02-11 10:37:44.000000000 +0000
27227 +@@ -183,6 +183,21 @@ static inline void native_wbinvd(void)
27228 + /* Set the 'TS' bit */
27229 + #define stts() write_cr0(8 | read_cr0())
27230 +
27231 ++#define pax_open_kernel(cr0) \
27232 ++do { \
27233 ++ typecheck(unsigned long, cr0); \
27234 ++ preempt_disable(); \
27235 ++ cr0 = read_cr0(); \
27236 ++ write_cr0(cr0 & ~X86_CR0_WP); \
27237 ++} while (0)
27238 ++
27239 ++#define pax_close_kernel(cr0) \
27240 ++do { \
27241 ++ typecheck(unsigned long, cr0); \
27242 ++ write_cr0(cr0); \
27243 ++ preempt_enable_no_resched(); \
27244 ++} while (0)
27245 ++
27246 + #endif /* __KERNEL__ */
27247 +
27248 + static inline unsigned long get_limit(unsigned long segment)
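Review bot: `pax_open_kernel()`/`pax_close_kernel()` toggle CR0.WP for the whole CPU but carry no comment stating the contract. From the visible lines: the window is protected only by `preempt_disable()`, interrupts are not disabled, so any interrupt handler that runs between open and close also executes with write-protection off; the `cr0` argument is written by the open macro and must be passed back unmodified to the close macro; and the close side uses `preempt_enable_no_resched()`, so the caller is responsible for any pending reschedule. A header comment above the first macro spelling out those three points (must be paired, no sleeping or scheduling in between, interrupts stay enabled) would stop future callers from misusing it.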
27249 +@@ -190,7 +205,7 @@ static inline unsigned long get_limit(un
27250 + unsigned long __limit;
27251 + __asm__("lsll %1,%0"
27252 + :"=r" (__limit):"r" (segment));
27253 +- return __limit+1;
27254 ++ return __limit;
27255 + }
27256 +
27257 + #define nop() __asm__ __volatile__ ("nop")
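Review bot: `get_limit()` now returns the raw inclusive limit field instead of `__limit+1`, and nothing in the header records that the meaning of the return value changed; a comment on the return line, e.g. `return __limit; /* inclusive limit (last valid offset), not the segment size */`, would make the new contract explicit for callers that are updated outside this hunk. Independently of the change, `lsll` does not write its destination when the selector cannot be loaded, so `__limit` would be returned uninitialised in that case; the function has no check, so it relies on callers passing only selectors known to be valid, which is worth stating next to the signature. The function's signature is in the preceding hunk, outside this one.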
27258 +@@ -305,7 +320,7 @@ void enable_hlt(void);
27259 + extern int es7000_plat;
27260 + void cpu_idle_wait(void);
27261 +
27262 +-extern unsigned long arch_align_stack(unsigned long sp);
27263 ++#define arch_align_stack(x) (x)
27264 + extern void free_init_pages(char *what, unsigned long begin, unsigned long end);
27265 +
27266 + void default_idle(void);
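Review bot: `#define arch_align_stack(x) (x)` replaces the vanilla randomising function with an identity macro but gives no reason; the same replacement appears in the asm-mips/system.h hunk further down. Presumably PaX performs its own stack randomisation elsewhere in this patch, but that is inferred; a one-line comment such as `/* stack randomisation is handled by PaX; keep the vanilla hook a no-op */` (adjusted to the real reason) would prevent someone from "restoring" the extern later.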
27267 +diff -Nurp linux-2.6.23.15/include/asm-i386/uaccess.h linux-2.6.23.15-grsec/include/asm-i386/uaccess.h
27268 +--- linux-2.6.23.15/include/asm-i386/uaccess.h 2007-10-09 21:31:38.000000000 +0100
27269 ++++ linux-2.6.23.15-grsec/include/asm-i386/uaccess.h 2008-02-11 10:37:44.000000000 +0000
27270 +@@ -9,6 +9,7 @@
27271 + #include <linux/prefetch.h>
27272 + #include <linux/string.h>
27273 + #include <asm/page.h>
27274 ++#include <asm/segment.h>
27275 +
27276 + #define VERIFY_READ 0
27277 + #define VERIFY_WRITE 1
27278 +@@ -29,7 +30,8 @@
27279 +
27280 + #define get_ds() (KERNEL_DS)
27281 + #define get_fs() (current_thread_info()->addr_limit)
27282 +-#define set_fs(x) (current_thread_info()->addr_limit = (x))
27283 ++void __set_fs(mm_segment_t x, int cpu);
27284 ++void set_fs(mm_segment_t x);
27285 +
27286 + #define segment_eq(a,b) ((a).seg == (b).seg)
27287 +
27288 +@@ -101,6 +103,7 @@ struct exception_table_entry
27289 + };
27290 +
27291 + extern int fixup_exception(struct pt_regs *regs);
27292 ++#define ARCH_HAS_SORT_EXTABLE
27293 +
27294 + /*
27295 + * These are the main single-value transfer routines. They automatically
27296 +@@ -280,9 +283,12 @@ extern void __put_user_8(void);
27297 +
27298 + #define __put_user_u64(x, addr, err) \
27299 + __asm__ __volatile__( \
27300 +- "1: movl %%eax,0(%2)\n" \
27301 +- "2: movl %%edx,4(%2)\n" \
27302 ++ " movw %w5,%%ds\n" \
27303 ++ "1: movl %%eax,%%ds:0(%2)\n" \
27304 ++ "2: movl %%edx,%%ds:4(%2)\n" \
27305 + "3:\n" \
27306 ++ " pushl %%ss\n" \
27307 ++ " popl %%ds\n" \
27308 + ".section .fixup,\"ax\"\n" \
27309 + "4: movl %3,%0\n" \
27310 + " jmp 3b\n" \
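Review bot: The new `movw %w5,%%ds` / `pushl %%ss; popl %%ds` sequence in `__put_user_u64` relies on `%ss` holding the kernel data selector in kernel mode, and on the fixup path (`4: … jmp 3b`) landing before the restore so that `%ds` is put back on both the success and the fault path; neither assumption is written down. A short comment above the asm, e.g. `/* access user memory through %ds=__USER_DS; %ss is always the kernel data segment, so pushl/popl restores %ds on both the normal and the fixup path */`, would make this reviewable. The same pattern and the same missing comment apply to the `__put_user_asm` and `__get_user_asm` hunks below; the operand indices (`%w5` = the appended `"r"(__USER_DS)` input) check out in all three. This macro continues into the next hunk.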
27311 +@@ -293,7 +299,8 @@ extern void __put_user_8(void);
27312 + " .long 2b,4b\n" \
27313 + ".previous" \
27314 + : "=r"(err) \
27315 +- : "A" (x), "r" (addr), "i"(-EFAULT), "0"(err))
27316 ++ : "A" (x), "r" (addr), "i"(-EFAULT), "0"(err), \
27317 ++ "r"(__USER_DS))
27318 +
27319 + #ifdef CONFIG_X86_WP_WORKS_OK
27320 +
27321 +@@ -332,8 +339,11 @@ struct __large_struct { unsigned long bu
27322 + */
27323 + #define __put_user_asm(x, addr, err, itype, rtype, ltype, errret) \
27324 + __asm__ __volatile__( \
27325 +- "1: mov"itype" %"rtype"1,%2\n" \
27326 ++ " movw %w5,%%ds\n" \
27327 ++ "1: mov"itype" %"rtype"1,%%ds:%2\n" \
27328 + "2:\n" \
27329 ++ " pushl %%ss\n" \
27330 ++ " popl %%ds\n" \
27331 + ".section .fixup,\"ax\"\n" \
27332 + "3: movl %3,%0\n" \
27333 + " jmp 2b\n" \
27334 +@@ -343,7 +353,8 @@ struct __large_struct { unsigned long bu
27335 + " .long 1b,3b\n" \
27336 + ".previous" \
27337 + : "=r"(err) \
27338 +- : ltype (x), "m"(__m(addr)), "i"(errret), "0"(err))
27339 ++ : ltype (x), "m"(__m(addr)), "i"(errret), "0"(err), \
27340 ++ "r"(__USER_DS))
27341 +
27342 +
27343 + #define __get_user_nocheck(x,ptr,size) \
27344 +@@ -371,8 +382,11 @@ do { \
27345 +
27346 + #define __get_user_asm(x, addr, err, itype, rtype, ltype, errret) \
27347 + __asm__ __volatile__( \
27348 +- "1: mov"itype" %2,%"rtype"1\n" \
27349 ++ " movw %w5,%%ds\n" \
27350 ++ "1: mov"itype" %%ds:%2,%"rtype"1\n" \
27351 + "2:\n" \
27352 ++ " pushl %%ss\n" \
27353 ++ " popl %%ds\n" \
27354 + ".section .fixup,\"ax\"\n" \
27355 + "3: movl %3,%0\n" \
27356 + " xor"itype" %"rtype"1,%"rtype"1\n" \
27357 +@@ -383,7 +397,7 @@ do { \
27358 + " .long 1b,3b\n" \
27359 + ".previous" \
27360 + : "=r"(err), ltype (x) \
27361 +- : "m"(__m(addr)), "i"(errret), "0"(err))
27362 ++ : "m"(__m(addr)), "i"(errret), "0"(err), "r"(__USER_DS))
27363 +
27364 +
27365 + unsigned long __must_check __copy_to_user_ll(void __user *to,
27366 +diff -Nurp linux-2.6.23.15/include/asm-ia64/elf.h linux-2.6.23.15-grsec/include/asm-ia64/elf.h
27367 +--- linux-2.6.23.15/include/asm-ia64/elf.h 2007-10-09 21:31:38.000000000 +0100
27368 ++++ linux-2.6.23.15-grsec/include/asm-ia64/elf.h 2008-02-11 10:37:44.000000000 +0000
27369 +@@ -162,7 +162,12 @@ typedef elf_greg_t elf_gregset_t[ELF_NGR
27370 + typedef struct ia64_fpreg elf_fpreg_t;
27371 + typedef elf_fpreg_t elf_fpregset_t[ELF_NFPREG];
27372 +
27373 ++#ifdef CONFIG_PAX_ASLR
27374 ++#define PAX_ELF_ET_DYN_BASE (current->personality == PER_LINUX32 ? 0x08048000UL : 0x4000000000000000UL)
27375 +
27376 ++#define PAX_DELTA_MMAP_LEN (current->personality == PER_LINUX32 ? 16 : 3*PAGE_SHIFT - 13)
27377 ++#define PAX_DELTA_STACK_LEN (current->personality == PER_LINUX32 ? 16 : 3*PAGE_SHIFT - 13)
27378 ++#endif
27379 +
27380 + struct pt_regs; /* forward declaration... */
27381 + extern void ia64_elf_core_copy_regs (struct pt_regs *src, elf_gregset_t dst);
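Review bot: The three new `PAX_*` macros compare `current->personality == PER_LINUX32` with the full personality word, which also carries flag bits (e.g. READ_IMPLIES_EXEC or ADDR_NO_RANDOMIZE); a 32-bit process with any such flag set would fail the comparison and silently get the 64-bit base and delta lengths. The kernel's own idiom is to mask first: `personality(current->personality) == PER_LINUX32`. Applying that in all three macros keeps the 32-bit layout independent of the flag bits.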
27382 +diff -Nurp linux-2.6.23.15/include/asm-ia64/kmap_types.h linux-2.6.23.15-grsec/include/asm-ia64/kmap_types.h
27383 +--- linux-2.6.23.15/include/asm-ia64/kmap_types.h 2007-10-09 21:31:38.000000000 +0100
27384 ++++ linux-2.6.23.15-grsec/include/asm-ia64/kmap_types.h 2008-02-11 10:37:44.000000000 +0000
27385 +@@ -22,7 +22,8 @@ D(9) KM_IRQ0,
27386 + D(10) KM_IRQ1,
27387 + D(11) KM_SOFTIRQ0,
27388 + D(12) KM_SOFTIRQ1,
27389 +-D(13) KM_TYPE_NR
27390 ++D(13) KM_CLEARPAGE,
27391 ++D(14) KM_TYPE_NR
27392 + };
27393 +
27394 + #undef D
27395 +diff -Nurp linux-2.6.23.15/include/asm-ia64/pgtable.h linux-2.6.23.15-grsec/include/asm-ia64/pgtable.h
27396 +--- linux-2.6.23.15/include/asm-ia64/pgtable.h 2007-10-09 21:31:38.000000000 +0100
27397 ++++ linux-2.6.23.15-grsec/include/asm-ia64/pgtable.h 2008-02-11 10:37:44.000000000 +0000
27398 +@@ -143,6 +143,17 @@
27399 + #define PAGE_READONLY __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
27400 + #define PAGE_COPY __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
27401 + #define PAGE_COPY_EXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_RX)
27402 ++
27403 ++#ifdef CONFIG_PAX_PAGEEXEC
27404 ++# define PAGE_SHARED_NOEXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_RW)
27405 ++# define PAGE_READONLY_NOEXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
27406 ++# define PAGE_COPY_NOEXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
27407 ++#else
27408 ++# define PAGE_SHARED_NOEXEC PAGE_SHARED
27409 ++# define PAGE_READONLY_NOEXEC PAGE_READONLY
27410 ++# define PAGE_COPY_NOEXEC PAGE_COPY
27411 ++#endif
27412 ++
27413 + #define PAGE_GATE __pgprot(__ACCESS_BITS | _PAGE_PL_0 | _PAGE_AR_X_RX)
27414 + #define PAGE_KERNEL __pgprot(__DIRTY_BITS | _PAGE_PL_0 | _PAGE_AR_RWX)
27415 + #define PAGE_KERNELRX __pgprot(__ACCESS_BITS | _PAGE_PL_0 | _PAGE_AR_RX)
27416 +diff -Nurp linux-2.6.23.15/include/asm-ia64/processor.h linux-2.6.23.15-grsec/include/asm-ia64/processor.h
27417 +--- linux-2.6.23.15/include/asm-ia64/processor.h 2007-10-09 21:31:38.000000000 +0100
27418 ++++ linux-2.6.23.15-grsec/include/asm-ia64/processor.h 2008-02-11 10:37:44.000000000 +0000
27419 +@@ -275,7 +275,7 @@ struct thread_struct {
27420 + .on_ustack = 0, \
27421 + .ksp = 0, \
27422 + .map_base = DEFAULT_MAP_BASE, \
27423 +- .rbs_bot = STACK_TOP - DEFAULT_USER_STACK_SIZE, \
27424 ++ .rbs_bot = __STACK_TOP - DEFAULT_USER_STACK_SIZE, \
27425 + .task_size = DEFAULT_TASK_SIZE, \
27426 + .last_fph_cpu = -1, \
27427 + INIT_THREAD_IA32 \
27428 +diff -Nurp linux-2.6.23.15/include/asm-ia64/ustack.h linux-2.6.23.15-grsec/include/asm-ia64/ustack.h
27429 +--- linux-2.6.23.15/include/asm-ia64/ustack.h 2007-10-09 21:31:38.000000000 +0100
27430 ++++ linux-2.6.23.15-grsec/include/asm-ia64/ustack.h 2008-02-11 10:37:44.000000000 +0000
27431 +@@ -10,8 +10,8 @@
27432 +
27433 + /* The absolute hard limit for stack size is 1/2 of the mappable space in the region */
27434 + #define MAX_USER_STACK_SIZE (RGN_MAP_LIMIT/2)
27435 +-#define STACK_TOP (0x6000000000000000UL + RGN_MAP_LIMIT)
27436 +-#define STACK_TOP_MAX STACK_TOP
27437 ++#define __STACK_TOP (0x6000000000000000UL + RGN_MAP_LIMIT)
27438 ++#define STACK_TOP_MAX __STACK_TOP
27439 + #endif
27440 +
27441 + /* Make a default stack size of 2GiB */
27442 +diff -Nurp linux-2.6.23.15/include/asm-m32r/kmap_types.h linux-2.6.23.15-grsec/include/asm-m32r/kmap_types.h
27443 +--- linux-2.6.23.15/include/asm-m32r/kmap_types.h 2007-10-09 21:31:38.000000000 +0100
27444 ++++ linux-2.6.23.15-grsec/include/asm-m32r/kmap_types.h 2008-02-11 10:37:44.000000000 +0000
27445 +@@ -21,7 +21,8 @@ D(9) KM_IRQ0,
27446 + D(10) KM_IRQ1,
27447 + D(11) KM_SOFTIRQ0,
27448 + D(12) KM_SOFTIRQ1,
27449 +-D(13) KM_TYPE_NR
27450 ++D(13) KM_CLEARPAGE,
27451 ++D(14) KM_TYPE_NR
27452 + };
27453 +
27454 + #undef D
27455 +diff -Nurp linux-2.6.23.15/include/asm-m68k/kmap_types.h linux-2.6.23.15-grsec/include/asm-m68k/kmap_types.h
27456 +--- linux-2.6.23.15/include/asm-m68k/kmap_types.h 2007-10-09 21:31:38.000000000 +0100
27457 ++++ linux-2.6.23.15-grsec/include/asm-m68k/kmap_types.h 2008-02-11 10:37:44.000000000 +0000
27458 +@@ -15,6 +15,7 @@ enum km_type {
27459 + KM_IRQ1,
27460 + KM_SOFTIRQ0,
27461 + KM_SOFTIRQ1,
27462 ++ KM_CLEARPAGE,
27463 + KM_TYPE_NR
27464 + };
27465 +
27466 +diff -Nurp linux-2.6.23.15/include/asm-m68knommu/kmap_types.h linux-2.6.23.15-grsec/include/asm-m68knommu/kmap_types.h
27467 +--- linux-2.6.23.15/include/asm-m68knommu/kmap_types.h 2007-10-09 21:31:38.000000000 +0100
27468 ++++ linux-2.6.23.15-grsec/include/asm-m68knommu/kmap_types.h 2008-02-11 10:37:44.000000000 +0000
27469 +@@ -15,6 +15,7 @@ enum km_type {
27470 + KM_IRQ1,
27471 + KM_SOFTIRQ0,
27472 + KM_SOFTIRQ1,
27473 ++ KM_CLEARPAGE,
27474 + KM_TYPE_NR
27475 + };
27476 +
27477 +diff -Nurp linux-2.6.23.15/include/asm-mips/a.out.h linux-2.6.23.15-grsec/include/asm-mips/a.out.h
27478 +--- linux-2.6.23.15/include/asm-mips/a.out.h 2007-10-09 21:31:38.000000000 +0100
27479 ++++ linux-2.6.23.15-grsec/include/asm-mips/a.out.h 2008-02-11 10:37:44.000000000 +0000
27480 +@@ -35,10 +35,10 @@ struct exec
27481 + #ifdef __KERNEL__
27482 +
27483 + #ifdef CONFIG_32BIT
27484 +-#define STACK_TOP TASK_SIZE
27485 ++#define __STACK_TOP TASK_SIZE
27486 + #endif
27487 + #ifdef CONFIG_64BIT
27488 +-#define STACK_TOP \
27489 ++#define __STACK_TOP \
27490 + (test_thread_flag(TIF_32BIT_ADDR) ? TASK_SIZE32 : TASK_SIZE)
27491 + #endif
27492 + #define STACK_TOP_MAX TASK_SIZE
27493 +diff -Nurp linux-2.6.23.15/include/asm-mips/elf.h linux-2.6.23.15-grsec/include/asm-mips/elf.h
27494 +--- linux-2.6.23.15/include/asm-mips/elf.h 2007-10-09 21:31:38.000000000 +0100
27495 ++++ linux-2.6.23.15-grsec/include/asm-mips/elf.h 2008-02-11 10:37:44.000000000 +0000
27496 +@@ -372,4 +372,11 @@ extern int dump_task_fpu(struct task_str
27497 + #define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
27498 + #endif
27499 +
27500 ++#ifdef CONFIG_PAX_ASLR
27501 ++#define PAX_ELF_ET_DYN_BASE ((current->thread.mflags & MF_32BIT_ADDR) ? 0x00400000UL : 0x00400000UL)
27502 ++
27503 ++#define PAX_DELTA_MMAP_LEN ((current->thread.mflags & MF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
27504 ++#define PAX_DELTA_STACK_LEN ((current->thread.mflags & MF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
27505 ++#endif
27506 ++
27507 + #endif /* _ASM_ELF_H */
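Review bot: `PAX_ELF_ET_DYN_BASE` selects `0x00400000UL` in both arms of its conditional, so the `MF_32BIT_ADDR` test is dead; either the 64-bit arm was meant to differ (the neighbouring `PAX_DELTA_*` macros do distinguish the two cases) or the macro should simply be `#define PAX_ELF_ET_DYN_BASE 0x00400000UL`. If the identical value is intentional, a short comment saying so would stop the next reader from "fixing" it.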
27508 +diff -Nurp linux-2.6.23.15/include/asm-mips/kmap_types.h linux-2.6.23.15-grsec/include/asm-mips/kmap_types.h
27509 +--- linux-2.6.23.15/include/asm-mips/kmap_types.h 2007-10-09 21:31:38.000000000 +0100
27510 ++++ linux-2.6.23.15-grsec/include/asm-mips/kmap_types.h 2008-02-11 10:37:44.000000000 +0000
27511 +@@ -22,7 +22,8 @@ D(9) KM_IRQ0,
27512 + D(10) KM_IRQ1,
27513 + D(11) KM_SOFTIRQ0,
27514 + D(12) KM_SOFTIRQ1,
27515 +-D(13) KM_TYPE_NR
27516 ++D(13) KM_CLEARPAGE,
27517 ++D(14) KM_TYPE_NR
27518 + };
27519 +
27520 + #undef D
27521 +diff -Nurp linux-2.6.23.15/include/asm-mips/page.h linux-2.6.23.15-grsec/include/asm-mips/page.h
27522 +--- linux-2.6.23.15/include/asm-mips/page.h 2007-10-09 21:31:38.000000000 +0100
27523 ++++ linux-2.6.23.15-grsec/include/asm-mips/page.h 2008-02-11 10:37:44.000000000 +0000
27524 +@@ -82,7 +82,7 @@ extern void copy_user_highpage(struct pa
27525 + #ifdef CONFIG_CPU_MIPS32
27526 + typedef struct { unsigned long pte_low, pte_high; } pte_t;
27527 + #define pte_val(x) ((x).pte_low | ((unsigned long long)(x).pte_high << 32))
27528 +- #define __pte(x) ({ pte_t __pte = {(x), ((unsigned long long)(x)) >> 32}; __pte; })
27529 ++ #define __pte(x) ({ pte_t __pte = {(x), (x) >> 32}; __pte; })
27530 + #else
27531 + typedef struct { unsigned long long pte; } pte_t;
27532 + #define pte_val(x) ((x).pte)
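Review bot: The new `__pte(x)` drops the widening cast and shifts `(x) >> 32` directly; if any caller passes a 32-bit `unsigned long`, a shift by the full width of the type is undefined behaviour in C and GCC warns about it, whereas the old form yielded 0 for the high half. Presumably every caller now passes a 64-bit value (this is the `pte_low`/`pte_high` configuration), but that is not visible here; either keep the cast, or add `/* x must be a 64-bit value */` next to the macro so the requirement is explicit.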
27533 +diff -Nurp linux-2.6.23.15/include/asm-mips/system.h linux-2.6.23.15-grsec/include/asm-mips/system.h
27534 +--- linux-2.6.23.15/include/asm-mips/system.h 2007-10-09 21:31:38.000000000 +0100
27535 ++++ linux-2.6.23.15-grsec/include/asm-mips/system.h 2008-02-11 10:37:44.000000000 +0000
27536 +@@ -213,6 +213,6 @@ extern int stop_a_enabled;
27537 + */
27538 + #define __ARCH_WANT_UNLOCKED_CTXSW
27539 +
27540 +-extern unsigned long arch_align_stack(unsigned long sp);
27541 ++#define arch_align_stack(x) (x)
27542 +
27543 + #endif /* _ASM_SYSTEM_H */
27544 +diff -Nurp linux-2.6.23.15/include/asm-parisc/a.out.h linux-2.6.23.15-grsec/include/asm-parisc/a.out.h
27545 +--- linux-2.6.23.15/include/asm-parisc/a.out.h 2007-10-09 21:31:38.000000000 +0100
27546 ++++ linux-2.6.23.15-grsec/include/asm-parisc/a.out.h 2008-02-11 10:37:44.000000000 +0000
27547 +@@ -22,7 +22,7 @@ struct exec
27548 + /* XXX: STACK_TOP actually should be STACK_BOTTOM for parisc.
27549 + * prumpf */
27550 +
27551 +-#define STACK_TOP TASK_SIZE
27552 ++#define __STACK_TOP TASK_SIZE
27553 + #define STACK_TOP_MAX DEFAULT_TASK_SIZE
27554 +
27555 + #endif
27556 +diff -Nurp linux-2.6.23.15/include/asm-parisc/elf.h linux-2.6.23.15-grsec/include/asm-parisc/elf.h
27557 +--- linux-2.6.23.15/include/asm-parisc/elf.h 2007-10-09 21:31:38.000000000 +0100
27558 ++++ linux-2.6.23.15-grsec/include/asm-parisc/elf.h 2008-02-11 10:37:44.000000000 +0000
27559 +@@ -337,6 +337,13 @@ struct pt_regs; /* forward declaration..
27560 +
27561 + #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE + 0x01000000)
27562 +
27563 ++#ifdef CONFIG_PAX_ASLR
27564 ++#define PAX_ELF_ET_DYN_BASE 0x10000UL
27565 ++
27566 ++#define PAX_DELTA_MMAP_LEN 16
27567 ++#define PAX_DELTA_STACK_LEN 16
27568 ++#endif
27569 ++
27570 + /* This yields a mask that user programs can use to figure out what
27571 + instruction set this CPU supports. This could be done in user space,
27572 + but it's not easy, and we've already done it here. */
27573 +diff -Nurp linux-2.6.23.15/include/asm-parisc/kmap_types.h linux-2.6.23.15-grsec/include/asm-parisc/kmap_types.h
27574 +--- linux-2.6.23.15/include/asm-parisc/kmap_types.h 2007-10-09 21:31:38.000000000 +0100
27575 ++++ linux-2.6.23.15-grsec/include/asm-parisc/kmap_types.h 2008-02-11 10:37:44.000000000 +0000
27576 +@@ -22,7 +22,8 @@ D(9) KM_IRQ0,
27577 + D(10) KM_IRQ1,
27578 + D(11) KM_SOFTIRQ0,
27579 + D(12) KM_SOFTIRQ1,
27580 +-D(13) KM_TYPE_NR
27581 ++D(13) KM_CLEARPAGE,
27582 ++D(14) KM_TYPE_NR
27583 + };
27584 +
27585 + #undef D
27586 +diff -Nurp linux-2.6.23.15/include/asm-parisc/pgtable.h linux-2.6.23.15-grsec/include/asm-parisc/pgtable.h
27587 +--- linux-2.6.23.15/include/asm-parisc/pgtable.h 2007-10-09 21:31:38.000000000 +0100
27588 ++++ linux-2.6.23.15-grsec/include/asm-parisc/pgtable.h 2008-02-11 10:37:44.000000000 +0000
27589 +@@ -218,6 +218,17 @@ extern void *vmalloc_start;
27590 + #define PAGE_EXECREAD __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_EXEC |_PAGE_ACCESSED)
27591 + #define PAGE_COPY PAGE_EXECREAD
27592 + #define PAGE_RWX __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_WRITE | _PAGE_EXEC |_PAGE_ACCESSED)
27593 ++
27594 ++#ifdef CONFIG_PAX_PAGEEXEC
27595 ++# define PAGE_SHARED_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_WRITE | _PAGE_ACCESSED)
27596 ++# define PAGE_COPY_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_ACCESSED)
27597 ++# define PAGE_READONLY_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_ACCESSED)
27598 ++#else
27599 ++# define PAGE_SHARED_NOEXEC PAGE_SHARED
27600 ++# define PAGE_COPY_NOEXEC PAGE_COPY
27601 ++# define PAGE_READONLY_NOEXEC PAGE_READONLY
27602 ++#endif
27603 ++
27604 + #define PAGE_KERNEL __pgprot(_PAGE_KERNEL)
27605 + #define PAGE_KERNEL_RO __pgprot(_PAGE_KERNEL & ~_PAGE_WRITE)
27606 + #define PAGE_KERNEL_UNC __pgprot(_PAGE_KERNEL | _PAGE_NO_CACHE)
27607 +diff -Nurp linux-2.6.23.15/include/asm-powerpc/a.out.h linux-2.6.23.15-grsec/include/asm-powerpc/a.out.h
27608 +--- linux-2.6.23.15/include/asm-powerpc/a.out.h 2007-10-09 21:31:38.000000000 +0100
27609 ++++ linux-2.6.23.15-grsec/include/asm-powerpc/a.out.h 2008-02-11 10:37:44.000000000 +0000
27610 +@@ -23,15 +23,15 @@ struct exec
27611 + #define STACK_TOP_USER64 TASK_SIZE_USER64
27612 + #define STACK_TOP_USER32 TASK_SIZE_USER32
27613 +
27614 +-#define STACK_TOP (test_thread_flag(TIF_32BIT) ? \
27615 ++#define __STACK_TOP (test_thread_flag(TIF_32BIT) ? \
27616 + STACK_TOP_USER32 : STACK_TOP_USER64)
27617 +
27618 + #define STACK_TOP_MAX STACK_TOP_USER64
27619 +
27620 + #else /* __powerpc64__ */
27621 +
27622 +-#define STACK_TOP TASK_SIZE
27623 +-#define STACK_TOP_MAX STACK_TOP
27624 ++#define __STACK_TOP TASK_SIZE
27625 ++#define STACK_TOP_MAX __STACK_TOP
27626 +
27627 + #endif /* __powerpc64__ */
27628 + #endif /* __KERNEL__ */
27629 +diff -Nurp linux-2.6.23.15/include/asm-powerpc/elf.h linux-2.6.23.15-grsec/include/asm-powerpc/elf.h
27630 +--- linux-2.6.23.15/include/asm-powerpc/elf.h 2007-10-09 21:31:38.000000000 +0100
27631 ++++ linux-2.6.23.15-grsec/include/asm-powerpc/elf.h 2008-02-11 10:37:44.000000000 +0000
27632 +@@ -159,6 +159,18 @@ typedef elf_vrreg_t elf_vrregset_t[ELF_N
27633 + typedef elf_vrreg_t elf_vrregset_t32[ELF_NVRREG32];
27634 + #endif
27635 +
27636 ++#ifdef CONFIG_PAX_ASLR
27637 ++#define PAX_ELF_ET_DYN_BASE (0x10000000UL)
27638 ++
27639 ++#ifdef __powerpc64__
27640 ++#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_32BIT) ? 16 : 28)
27641 ++#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_32BIT) ? 16 : 28)
27642 ++#else
27643 ++#define PAX_DELTA_MMAP_LEN 15
27644 ++#define PAX_DELTA_STACK_LEN 15
27645 ++#endif
27646 ++#endif
27647 ++
27648 + #ifdef __KERNEL__
27649 + /*
27650 + * This is used to ensure we don't load something for the wrong architecture.
27651 +diff -Nurp linux-2.6.23.15/include/asm-powerpc/kmap_types.h linux-2.6.23.15-grsec/include/asm-powerpc/kmap_types.h
27652 +--- linux-2.6.23.15/include/asm-powerpc/kmap_types.h 2007-10-09 21:31:38.000000000 +0100
27653 ++++ linux-2.6.23.15-grsec/include/asm-powerpc/kmap_types.h 2008-02-11 10:37:44.000000000 +0000
27654 +@@ -26,6 +26,7 @@ enum km_type {
27655 + KM_SOFTIRQ1,
27656 + KM_PPC_SYNC_PAGE,
27657 + KM_PPC_SYNC_ICACHE,
27658 ++ KM_CLEARPAGE,
27659 + KM_TYPE_NR
27660 + };
27661 +
27662 +diff -Nurp linux-2.6.23.15/include/asm-powerpc/page.h linux-2.6.23.15-grsec/include/asm-powerpc/page.h
27663 +--- linux-2.6.23.15/include/asm-powerpc/page.h 2007-10-09 21:31:38.000000000 +0100
27664 ++++ linux-2.6.23.15-grsec/include/asm-powerpc/page.h 2008-02-11 10:37:44.000000000 +0000
27665 +@@ -71,8 +71,9 @@
27666 + * and needs to be executable. This means the whole heap ends
27667 + * up being executable.
27668 + */
27669 +-#define VM_DATA_DEFAULT_FLAGS32 (VM_READ | VM_WRITE | VM_EXEC | \
27670 +- VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
27671 ++#define VM_DATA_DEFAULT_FLAGS32 \
27672 ++ (((current->personality & READ_IMPLIES_EXEC) ? VM_EXEC : 0 ) | \
27673 ++ VM_READ | VM_WRITE | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
27674 +
27675 + #define VM_DATA_DEFAULT_FLAGS64 (VM_READ | VM_WRITE | \
27676 + VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
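Review bot: The comment immediately above the new `VM_DATA_DEFAULT_FLAGS32` (it begins outside the hunk) still says the data segment "needs to be executable" and that "the whole heap ends up being executable", but the new definition grants `VM_EXEC` only when `READ_IMPLIES_EXEC` is set in the personality. The comment should be updated to say that executable data is now opt-in via `READ_IMPLIES_EXEC`, otherwise it documents the old behaviour. Note also that the macro now dereferences `current`, so it can no longer be used in a context without a valid task.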
27677 +diff -Nurp linux-2.6.23.15/include/asm-powerpc/page_64.h linux-2.6.23.15-grsec/include/asm-powerpc/page_64.h
27678 +--- linux-2.6.23.15/include/asm-powerpc/page_64.h 2007-10-09 21:31:38.000000000 +0100
27679 ++++ linux-2.6.23.15-grsec/include/asm-powerpc/page_64.h 2008-02-11 10:37:44.000000000 +0000
27680 +@@ -158,15 +158,18 @@ extern int is_hugepage_only_range(struct
27681 + * stack by default, so in the absense of a PT_GNU_STACK program header
27682 + * we turn execute permission off.
27683 + */
27684 +-#define VM_STACK_DEFAULT_FLAGS32 (VM_READ | VM_WRITE | VM_EXEC | \
27685 +- VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
27686 ++#define VM_STACK_DEFAULT_FLAGS32 \
27687 ++ (((current->personality & READ_IMPLIES_EXEC) ? VM_EXEC : 0 ) | \
27688 ++ VM_READ | VM_WRITE | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
27689 +
27690 + #define VM_STACK_DEFAULT_FLAGS64 (VM_READ | VM_WRITE | \
27691 + VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
27692 +
27693 ++#ifndef CONFIG_PAX_PAGEEXEC
27694 + #define VM_STACK_DEFAULT_FLAGS \
27695 + (test_thread_flag(TIF_32BIT) ? \
27696 + VM_STACK_DEFAULT_FLAGS32 : VM_STACK_DEFAULT_FLAGS64)
27697 ++#endif
27698 +
27699 + #include <asm-generic/page.h>
27700 +
27701 +diff -Nurp linux-2.6.23.15/include/asm-ppc/mmu_context.h linux-2.6.23.15-grsec/include/asm-ppc/mmu_context.h
27702 +--- linux-2.6.23.15/include/asm-ppc/mmu_context.h 2007-10-09 21:31:38.000000000 +0100
27703 ++++ linux-2.6.23.15-grsec/include/asm-ppc/mmu_context.h 2008-02-11 10:37:44.000000000 +0000
27704 +@@ -145,7 +145,8 @@ static inline void get_mmu_context(struc
27705 + static inline int init_new_context(struct task_struct *t, struct mm_struct *mm)
27706 + {
27707 + mm->context.id = NO_CONTEXT;
27708 +- mm->context.vdso_base = 0;
27709 ++ if (t == current)
27710 ++ mm->context.vdso_base = ~0UL;
27711 + return 0;
27712 + }
27713 +
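Review bot: `init_new_context()` now writes `vdso_base` only when `t == current`, which means the fork path (where `t` is the new child) leaves whatever value the caller put in `mm->context` and the exec path gets `~0UL`; the correctness of that depends on how each caller allocates the mm (presumably the fork path copies the parent's mm and the exec path zeroes it, but that is not visible here). A comment would make the dependency explicit, e.g. `/* t == current: exec, mark the vdso as not yet mapped; otherwise fork, keep the value inherited from the parent's mm */`, adjusted if the intent differs.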
27714 +diff -Nurp linux-2.6.23.15/include/asm-ppc/pgtable.h linux-2.6.23.15-grsec/include/asm-ppc/pgtable.h
27715 +--- linux-2.6.23.15/include/asm-ppc/pgtable.h 2007-10-09 21:31:38.000000000 +0100
27716 ++++ linux-2.6.23.15-grsec/include/asm-ppc/pgtable.h 2008-02-11 10:37:44.000000000 +0000
27717 +@@ -440,11 +440,21 @@ extern unsigned long ioremap_bot, iorema
27718 +
27719 + #define PAGE_NONE __pgprot(_PAGE_BASE)
27720 + #define PAGE_READONLY __pgprot(_PAGE_BASE | _PAGE_USER)
27721 +-#define PAGE_READONLY_X __pgprot(_PAGE_BASE | _PAGE_USER | _PAGE_EXEC)
27722 ++#define PAGE_READONLY_X __pgprot(_PAGE_BASE | _PAGE_USER | _PAGE_EXEC | _PAGE_HWEXEC)
27723 + #define PAGE_SHARED __pgprot(_PAGE_BASE | _PAGE_USER | _PAGE_RW)
27724 +-#define PAGE_SHARED_X __pgprot(_PAGE_BASE | _PAGE_USER | _PAGE_RW | _PAGE_EXEC)
27725 ++#define PAGE_SHARED_X __pgprot(_PAGE_BASE | _PAGE_USER | _PAGE_RW | _PAGE_EXEC | _PAGE_HWEXEC)
27726 + #define PAGE_COPY __pgprot(_PAGE_BASE | _PAGE_USER)
27727 +-#define PAGE_COPY_X __pgprot(_PAGE_BASE | _PAGE_USER | _PAGE_EXEC)
27728 ++#define PAGE_COPY_X __pgprot(_PAGE_BASE | _PAGE_USER | _PAGE_EXEC | _PAGE_HWEXEC)
27729 ++
27730 ++#if defined(CONFIG_PAX_PAGEEXEC) && !defined(CONFIG_40x) && !defined(CONFIG_44x)
27731 ++# define PAGE_SHARED_NOEXEC __pgprot(_PAGE_BASE | _PAGE_USER | _PAGE_RW | _PAGE_GUARDED)
27732 ++# define PAGE_COPY_NOEXEC __pgprot(_PAGE_BASE | _PAGE_USER | _PAGE_GUARDED)
27733 ++# define PAGE_READONLY_NOEXEC __pgprot(_PAGE_BASE | _PAGE_USER | _PAGE_GUARDED)
27734 ++#else
27735 ++# define PAGE_SHARED_NOEXEC PAGE_SHARED
27736 ++# define PAGE_COPY_NOEXEC PAGE_COPY
27737 ++# define PAGE_READONLY_NOEXEC PAGE_READONLY
27738 ++#endif
27739 +
27740 + #define PAGE_KERNEL __pgprot(_PAGE_RAM)
27741 + #define PAGE_KERNEL_NOCACHE __pgprot(_PAGE_IO)
27742 +@@ -456,21 +466,21 @@ extern unsigned long ioremap_bot, iorema
27743 + * This is the closest we can get..
27744 + */
27745 + #define __P000 PAGE_NONE
27746 +-#define __P001 PAGE_READONLY_X
27747 +-#define __P010 PAGE_COPY
27748 +-#define __P011 PAGE_COPY_X
27749 +-#define __P100 PAGE_READONLY
27750 ++#define __P001 PAGE_READONLY_NOEXEC
27751 ++#define __P010 PAGE_COPY_NOEXEC
27752 ++#define __P011 PAGE_COPY_NOEXEC
27753 ++#define __P100 PAGE_READONLY_X
27754 + #define __P101 PAGE_READONLY_X
27755 +-#define __P110 PAGE_COPY
27756 ++#define __P110 PAGE_COPY_X
27757 + #define __P111 PAGE_COPY_X
27758 +
27759 + #define __S000 PAGE_NONE
27760 +-#define __S001 PAGE_READONLY_X
27761 +-#define __S010 PAGE_SHARED
27762 +-#define __S011 PAGE_SHARED_X
27763 +-#define __S100 PAGE_READONLY
27764 ++#define __S001 PAGE_READONLY_NOEXEC
27765 ++#define __S010 PAGE_SHARED_NOEXEC
27766 ++#define __S011 PAGE_SHARED_NOEXEC
27767 ++#define __S100 PAGE_READONLY_X
27768 + #define __S101 PAGE_READONLY_X
27769 +-#define __S110 PAGE_SHARED
27770 ++#define __S110 PAGE_SHARED_X
27771 + #define __S111 PAGE_SHARED_X
27772 +
27773 + #ifndef __ASSEMBLY__
27774 +diff -Nurp linux-2.6.23.15/include/asm-s390/kmap_types.h linux-2.6.23.15-grsec/include/asm-s390/kmap_types.h
27775 +--- linux-2.6.23.15/include/asm-s390/kmap_types.h 2007-10-09 21:31:38.000000000 +0100
27776 ++++ linux-2.6.23.15-grsec/include/asm-s390/kmap_types.h 2008-02-11 10:37:44.000000000 +0000
27777 +@@ -16,6 +16,7 @@ enum km_type {
27778 + KM_IRQ1,
27779 + KM_SOFTIRQ0,
27780 + KM_SOFTIRQ1,
27781 ++ KM_CLEARPAGE,
27782 + KM_TYPE_NR
27783 + };
27784 +
27785 +diff -Nurp linux-2.6.23.15/include/asm-sh/kmap_types.h linux-2.6.23.15-grsec/include/asm-sh/kmap_types.h
27786 +--- linux-2.6.23.15/include/asm-sh/kmap_types.h 2007-10-09 21:31:38.000000000 +0100
27787 ++++ linux-2.6.23.15-grsec/include/asm-sh/kmap_types.h 2008-02-11 10:37:44.000000000 +0000
27788 +@@ -24,7 +24,8 @@ D(9) KM_IRQ0,
27789 + D(10) KM_IRQ1,
27790 + D(11) KM_SOFTIRQ0,
27791 + D(12) KM_SOFTIRQ1,
27792 +-D(13) KM_TYPE_NR
27793 ++D(13) KM_CLEARPAGE,
27794 ++D(14) KM_TYPE_NR
27795 + };
27796 +
27797 + #undef D
27798 +diff -Nurp linux-2.6.23.15/include/asm-sparc/a.out.h linux-2.6.23.15-grsec/include/asm-sparc/a.out.h
27799 +--- linux-2.6.23.15/include/asm-sparc/a.out.h 2007-10-09 21:31:38.000000000 +0100
27800 ++++ linux-2.6.23.15-grsec/include/asm-sparc/a.out.h 2008-02-11 10:37:44.000000000 +0000
27801 +@@ -91,8 +91,8 @@ struct relocation_info /* used when head
27802 +
27803 + #include <asm/page.h>
27804 +
27805 +-#define STACK_TOP (PAGE_OFFSET - PAGE_SIZE)
27806 +-#define STACK_TOP_MAX STACK_TOP
27807 ++#define __STACK_TOP (PAGE_OFFSET - PAGE_SIZE)
27808 ++#define STACK_TOP_MAX __STACK_TOP
27809 +
27810 + #endif /* __KERNEL__ */
27811 +
27812 +diff -Nurp linux-2.6.23.15/include/asm-sparc/elf.h linux-2.6.23.15-grsec/include/asm-sparc/elf.h
27813 +--- linux-2.6.23.15/include/asm-sparc/elf.h 2007-10-09 21:31:38.000000000 +0100
27814 ++++ linux-2.6.23.15-grsec/include/asm-sparc/elf.h 2008-02-11 10:37:44.000000000 +0000
27815 +@@ -143,6 +143,13 @@ do { unsigned long *dest = &(__elf_regs[
27816 +
27817 + #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE)
27818 +
27819 ++#ifdef CONFIG_PAX_ASLR
27820 ++#define PAX_ELF_ET_DYN_BASE 0x10000UL
27821 ++
27822 ++#define PAX_DELTA_MMAP_LEN 16
27823 ++#define PAX_DELTA_STACK_LEN 16
27824 ++#endif
27825 ++
27826 + /* This yields a mask that user programs can use to figure out what
27827 + instruction set this cpu supports. This can NOT be done in userspace
27828 + on Sparc. */
27829 +diff -Nurp linux-2.6.23.15/include/asm-sparc/kmap_types.h linux-2.6.23.15-grsec/include/asm-sparc/kmap_types.h
27830 +--- linux-2.6.23.15/include/asm-sparc/kmap_types.h 2007-10-09 21:31:38.000000000 +0100
27831 ++++ linux-2.6.23.15-grsec/include/asm-sparc/kmap_types.h 2008-02-11 10:37:44.000000000 +0000
27832 +@@ -15,6 +15,7 @@ enum km_type {
27833 + KM_IRQ1,
27834 + KM_SOFTIRQ0,
27835 + KM_SOFTIRQ1,
27836 ++ KM_CLEARPAGE,
27837 + KM_TYPE_NR
27838 + };
27839 +
27840 +diff -Nurp linux-2.6.23.15/include/asm-sparc/pgtable.h linux-2.6.23.15-grsec/include/asm-sparc/pgtable.h
27841 +--- linux-2.6.23.15/include/asm-sparc/pgtable.h 2007-10-09 21:31:38.000000000 +0100
27842 ++++ linux-2.6.23.15-grsec/include/asm-sparc/pgtable.h 2008-02-11 10:37:44.000000000 +0000
27843 +@@ -69,6 +69,16 @@ extern pgprot_t PAGE_SHARED;
27844 + #define PAGE_COPY __pgprot(BTFIXUP_INT(page_copy))
27845 + #define PAGE_READONLY __pgprot(BTFIXUP_INT(page_readonly))
27846 +
27847 ++#ifdef CONFIG_PAX_PAGEEXEC
27848 ++extern pgprot_t PAGE_SHARED_NOEXEC;
27849 ++# define PAGE_COPY_NOEXEC __pgprot(BTFIXUP_INT(page_copy_noexec))
27850 ++# define PAGE_READONLY_NOEXEC __pgprot(BTFIXUP_INT(page_readonly_noexec))
27851 ++#else
27852 ++# define PAGE_SHARED_NOEXEC PAGE_SHARED
27853 ++# define PAGE_COPY_NOEXEC PAGE_COPY
27854 ++# define PAGE_READONLY_NOEXEC PAGE_READONLY
27855 ++#endif
27856 ++
27857 + extern unsigned long page_kernel;
27858 +
27859 + #ifdef MODULE
27860 +diff -Nurp linux-2.6.23.15/include/asm-sparc/pgtsrmmu.h linux-2.6.23.15-grsec/include/asm-sparc/pgtsrmmu.h
27861 +--- linux-2.6.23.15/include/asm-sparc/pgtsrmmu.h 2007-10-09 21:31:38.000000000 +0100
27862 ++++ linux-2.6.23.15-grsec/include/asm-sparc/pgtsrmmu.h 2008-02-11 10:37:44.000000000 +0000
27863 +@@ -115,6 +115,16 @@
27864 + SRMMU_EXEC | SRMMU_REF)
27865 + #define SRMMU_PAGE_RDONLY __pgprot(SRMMU_VALID | SRMMU_CACHE | \
27866 + SRMMU_EXEC | SRMMU_REF)
27867 ++
27868 ++#ifdef CONFIG_PAX_PAGEEXEC
27869 ++#define SRMMU_PAGE_SHARED_NOEXEC __pgprot(SRMMU_VALID | SRMMU_CACHE | \
27870 ++ SRMMU_WRITE | SRMMU_REF)
27871 ++#define SRMMU_PAGE_COPY_NOEXEC __pgprot(SRMMU_VALID | SRMMU_CACHE | \
27872 ++ SRMMU_REF)
27873 ++#define SRMMU_PAGE_RDONLY_NOEXEC __pgprot(SRMMU_VALID | SRMMU_CACHE | \
27874 ++ SRMMU_REF)
27875 ++#endif
27876 ++
27877 + #define SRMMU_PAGE_KERNEL __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_PRIV | \
27878 + SRMMU_DIRTY | SRMMU_REF)
27879 +
27880 +diff -Nurp linux-2.6.23.15/include/asm-sparc/uaccess.h linux-2.6.23.15-grsec/include/asm-sparc/uaccess.h
27881 +--- linux-2.6.23.15/include/asm-sparc/uaccess.h 2007-10-09 21:31:38.000000000 +0100
27882 ++++ linux-2.6.23.15-grsec/include/asm-sparc/uaccess.h 2008-02-11 10:37:44.000000000 +0000
27883 +@@ -41,7 +41,7 @@
27884 + * No one can read/write anything from userland in the kernel space by setting
27885 + * large size and address near to PAGE_OFFSET - a fault will break his intentions.
27886 + */
27887 +-#define __user_ok(addr, size) ({ (void)(size); (addr) < STACK_TOP; })
27888 ++#define __user_ok(addr, size) ({ (void)(size); (addr) < __STACK_TOP; })
27889 + #define __kernel_ok (segment_eq(get_fs(), KERNEL_DS))
27890 + #define __access_ok(addr,size) (__user_ok((addr) & get_fs().seg,(size)))
27891 + #define access_ok(type, addr, size) \
27892 +diff -Nurp linux-2.6.23.15/include/asm-sparc64/a.out.h linux-2.6.23.15-grsec/include/asm-sparc64/a.out.h
27893 +--- linux-2.6.23.15/include/asm-sparc64/a.out.h 2007-10-09 21:31:38.000000000 +0100
27894 ++++ linux-2.6.23.15-grsec/include/asm-sparc64/a.out.h 2008-02-11 10:37:44.000000000 +0000
27895 +@@ -98,7 +98,7 @@ struct relocation_info /* used when head
27896 + #define STACK_TOP32 ((1UL << 32UL) - PAGE_SIZE)
27897 + #define STACK_TOP64 (0x0000080000000000UL - (1UL << 32UL))
27898 +
27899 +-#define STACK_TOP (test_thread_flag(TIF_32BIT) ? \
27900 ++#define __STACK_TOP (test_thread_flag(TIF_32BIT) ? \
27901 + STACK_TOP32 : STACK_TOP64)
27902 +
27903 + #define STACK_TOP_MAX STACK_TOP64
27904 +diff -Nurp linux-2.6.23.15/include/asm-sparc64/elf.h linux-2.6.23.15-grsec/include/asm-sparc64/elf.h
27905 +--- linux-2.6.23.15/include/asm-sparc64/elf.h 2007-10-09 21:31:38.000000000 +0100
27906 ++++ linux-2.6.23.15-grsec/include/asm-sparc64/elf.h 2008-02-11 10:37:44.000000000 +0000
27907 +@@ -143,6 +143,12 @@ typedef struct {
27908 + #define ELF_ET_DYN_BASE 0x0000010000000000UL
27909 + #endif
27910 +
27911 ++#ifdef CONFIG_PAX_ASLR
27912 ++#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_32BIT) ? 0x10000UL : 0x100000UL)
27913 ++
27914 ++#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_32BIT) ? 14 : 28 )
27915 ++#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_32BIT) ? 15 : 29 )
27916 ++#endif
27917 +
27918 + /* This yields a mask that user programs can use to figure out what
27919 + instruction set this cpu supports. */
27920 +diff -Nurp linux-2.6.23.15/include/asm-sparc64/kmap_types.h linux-2.6.23.15-grsec/include/asm-sparc64/kmap_types.h
27921 +--- linux-2.6.23.15/include/asm-sparc64/kmap_types.h 2007-10-09 21:31:38.000000000 +0100
27922 ++++ linux-2.6.23.15-grsec/include/asm-sparc64/kmap_types.h 2008-02-11 10:37:44.000000000 +0000
27923 +@@ -19,6 +19,7 @@ enum km_type {
27924 + KM_IRQ1,
27925 + KM_SOFTIRQ0,
27926 + KM_SOFTIRQ1,
27927 ++ KM_CLEARPAGE,
27928 + KM_TYPE_NR
27929 + };
27930 +
27931 +diff -Nurp linux-2.6.23.15/include/asm-um/kmap_types.h linux-2.6.23.15-grsec/include/asm-um/kmap_types.h
27932 +--- linux-2.6.23.15/include/asm-um/kmap_types.h 2007-10-09 21:31:38.000000000 +0100
27933 ++++ linux-2.6.23.15-grsec/include/asm-um/kmap_types.h 2008-02-11 10:37:44.000000000 +0000
27934 +@@ -23,6 +23,7 @@ enum km_type {
27935 + KM_IRQ1,
27936 + KM_SOFTIRQ0,
27937 + KM_SOFTIRQ1,
27938 ++ KM_CLEARPAGE,
27939 + KM_TYPE_NR
27940 + };
27941 +
27942 +diff -Nurp linux-2.6.23.15/include/asm-v850/kmap_types.h linux-2.6.23.15-grsec/include/asm-v850/kmap_types.h
27943 +--- linux-2.6.23.15/include/asm-v850/kmap_types.h 2007-10-09 21:31:38.000000000 +0100
27944 ++++ linux-2.6.23.15-grsec/include/asm-v850/kmap_types.h 2008-02-11 10:37:44.000000000 +0000
27945 +@@ -13,6 +13,7 @@ enum km_type {
27946 + KM_PTE1,
27947 + KM_IRQ0,
27948 + KM_IRQ1,
27949 ++ KM_CLEARPAGE,
27950 + KM_TYPE_NR
27951 + };
27952 +
27953 +diff -Nurp linux-2.6.23.15/include/asm-x86_64/a.out.h linux-2.6.23.15-grsec/include/asm-x86_64/a.out.h
27954 +--- linux-2.6.23.15/include/asm-x86_64/a.out.h 2007-10-09 21:31:38.000000000 +0100
27955 ++++ linux-2.6.23.15-grsec/include/asm-x86_64/a.out.h 2008-02-11 10:37:45.000000000 +0000
27956 +@@ -21,7 +21,7 @@ struct exec
27957 +
27958 + #ifdef __KERNEL__
27959 + #include <linux/thread_info.h>
27960 +-#define STACK_TOP TASK_SIZE
27961 ++#define __STACK_TOP TASK_SIZE
27962 + #define STACK_TOP_MAX TASK_SIZE64
27963 + #endif
27964 +
27965 +diff -Nurp linux-2.6.23.15/include/asm-x86_64/apic.h linux-2.6.23.15-grsec/include/asm-x86_64/apic.h
27966 +--- linux-2.6.23.15/include/asm-x86_64/apic.h 2007-10-09 21:31:38.000000000 +0100
27967 ++++ linux-2.6.23.15-grsec/include/asm-x86_64/apic.h 2008-02-11 10:37:45.000000000 +0000
27968 +@@ -7,7 +7,7 @@
27969 + #include <asm/apicdef.h>
27970 + #include <asm/system.h>
27971 +
27972 +-#define Dprintk(x...)
27973 ++#define Dprintk(x...) do {} while (0)
27974 +
27975 + /*
27976 + * Debugging macros
27977 +diff -Nurp linux-2.6.23.15/include/asm-x86_64/elf.h linux-2.6.23.15-grsec/include/asm-x86_64/elf.h
27978 +--- linux-2.6.23.15/include/asm-x86_64/elf.h 2007-10-09 21:31:38.000000000 +0100
27979 ++++ linux-2.6.23.15-grsec/include/asm-x86_64/elf.h 2008-02-11 10:37:45.000000000 +0000
27980 +@@ -92,6 +92,13 @@ typedef struct user_i387_struct elf_fpre
27981 +
27982 + #define ELF_ET_DYN_BASE (2 * TASK_SIZE / 3)
27983 +
27984 ++#ifdef CONFIG_PAX_ASLR
27985 ++#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_IA32) ? 0x08048000UL : 0x400000UL)
27986 ++
27987 ++#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_IA32) ? 16 : 32)
27988 ++#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_IA32) ? 16 : 32)
27989 ++#endif
27990 ++
27991 + /* regs is struct pt_regs, pr_reg is elf_gregset_t (which is
27992 + now struct_user_regs, they are different). Assumes current is the process
27993 + getting dumped. */
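Review bot: `PAX_DELTA_MMAP_LEN` and `PAX_DELTA_STACK_LEN` are bare counts (16 or 32) with no statement of their unit, and `PAX_ELF_ET_DYN_BASE` switches between two magic addresses. From this hunk alone one cannot tell whether 16/32 is a number of random bits or a shift applied at page granularity, so the entropy a reader should expect cannot be checked; a comment such as `/* width in bits of the random mmap/stack delta; presumably applied at page granularity — confirm against the mm/ changes */` would fix that. The 0x08048000 and 0x400000 values look like the conventional i386 and x86-64 ET_EXEC load bases and deserve a one-line comment as well.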
27994 +@@ -172,7 +179,7 @@ extern int vdso_enabled;
27995 +
27996 + #define ARCH_DLINFO \
27997 + do if (vdso_enabled) { \
27998 +- NEW_AUX_ENT(AT_SYSINFO_EHDR,(unsigned long)current->mm->context.vdso);\
27999 ++ NEW_AUX_ENT(AT_SYSINFO_EHDR, current->mm->context.vdso);\
28000 + } while (0)
28001 +
28002 + #endif
28003 +diff -Nurp linux-2.6.23.15/include/asm-x86_64/futex.h linux-2.6.23.15-grsec/include/asm-x86_64/futex.h
28004 +--- linux-2.6.23.15/include/asm-x86_64/futex.h 2007-10-09 21:31:38.000000000 +0100
28005 ++++ linux-2.6.23.15-grsec/include/asm-x86_64/futex.h 2008-02-11 10:37:45.000000000 +0000
28006 +@@ -42,7 +42,7 @@
28007 + : "r" (oparg), "i" (-EFAULT), "m" (*uaddr), "1" (0))
28008 +
28009 + static inline int
28010 +-futex_atomic_op_inuser (int encoded_op, int __user *uaddr)
28011 ++futex_atomic_op_inuser (int encoded_op, u32 __user *uaddr)
28012 + {
28013 + int op = (encoded_op >> 28) & 7;
28014 + int cmp = (encoded_op >> 24) & 15;
28015 +@@ -95,7 +95,7 @@ futex_atomic_op_inuser (int encoded_op,
28016 + }
28017 +
28018 + static inline int
28019 +-futex_atomic_cmpxchg_inatomic(int __user *uaddr, int oldval, int newval)
28020 ++futex_atomic_cmpxchg_inatomic(u32 __user *uaddr, int oldval, int newval)
28021 + {
28022 + if (!access_ok(VERIFY_WRITE, uaddr, sizeof(int)))
28023 + return -EFAULT;
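Review bot: the `access_ok` call in `futex_atomic_cmpxchg_inatomic` still sizes the check with `sizeof(int)` although `uaddr` now points to `u32`; the two are the same width on this architecture, but the check should follow the pointee so the types cannot drift apart again: `if (!access_ok(VERIFY_WRITE, uaddr, sizeof(*uaddr)))`. `oldval` and `newval` also remain `int` while the location they are compared against is now unsigned, so the signedness conversion at the cmpxchg is implicit. The function body continues past the end of the hunk.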
28024 +diff -Nurp linux-2.6.23.15/include/asm-x86_64/ia32.h linux-2.6.23.15-grsec/include/asm-x86_64/ia32.h
28025 +--- linux-2.6.23.15/include/asm-x86_64/ia32.h 2007-10-09 21:31:38.000000000 +0100
28026 ++++ linux-2.6.23.15-grsec/include/asm-x86_64/ia32.h 2008-02-11 10:37:45.000000000 +0000
28027 +@@ -156,7 +156,13 @@ struct ustat32 {
28028 + char f_fpack[6];
28029 + };
28030 +
28031 +-#define IA32_STACK_TOP IA32_PAGE_OFFSET
28032 ++#ifdef CONFIG_PAX_RANDUSTACK
28033 ++#define IA32_DELTA_STACK (current->mm->delta_stack)
28034 ++#else
28035 ++#define IA32_DELTA_STACK 0UL
28036 ++#endif
28037 ++
28038 ++#define IA32_STACK_TOP (IA32_PAGE_OFFSET - IA32_DELTA_STACK)
28039 +
28040 + #ifdef __KERNEL__
28041 + struct user_desc;
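Review bot: `IA32_DELTA_STACK` expands to `current->mm->delta_stack`, so every use of `IA32_STACK_TOP` now dereferences `current->mm` and is only safe where the caller is known to have a user mm (exec paths, presumably; a kernel thread would fault). The same construct is defined again as `__DELTA_STACK` in `include/linux/a.out.h` in this patch, so the two copies can diverge; a single definition would be preferable. Suggest at least `/* dereferences current->mm: valid only in a task with a user address space */` above the `#ifdef CONFIG_PAX_RANDUSTACK`.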
28042 +diff -Nurp linux-2.6.23.15/include/asm-x86_64/kmap_types.h linux-2.6.23.15-grsec/include/asm-x86_64/kmap_types.h
28043 +--- linux-2.6.23.15/include/asm-x86_64/kmap_types.h 2007-10-09 21:31:38.000000000 +0100
28044 ++++ linux-2.6.23.15-grsec/include/asm-x86_64/kmap_types.h 2008-02-11 10:37:45.000000000 +0000
28045 +@@ -13,6 +13,7 @@ enum km_type {
28046 + KM_IRQ1,
28047 + KM_SOFTIRQ0,
28048 + KM_SOFTIRQ1,
28049 ++ KM_CLEARPAGE,
28050 + KM_TYPE_NR
28051 + };
28052 +
28053 +diff -Nurp linux-2.6.23.15/include/asm-x86_64/mmu.h linux-2.6.23.15-grsec/include/asm-x86_64/mmu.h
28054 +--- linux-2.6.23.15/include/asm-x86_64/mmu.h 2007-10-09 21:31:38.000000000 +0100
28055 ++++ linux-2.6.23.15-grsec/include/asm-x86_64/mmu.h 2008-02-11 10:37:45.000000000 +0000
28056 +@@ -15,7 +15,7 @@ typedef struct {
28057 + rwlock_t ldtlock;
28058 + int size;
28059 + struct semaphore sem;
28060 +- void *vdso;
28061 ++ unsigned long vdso;
28062 + } mm_context_t;
28063 +
28064 + #endif
28065 +diff -Nurp linux-2.6.23.15/include/asm-x86_64/page.h linux-2.6.23.15-grsec/include/asm-x86_64/page.h
28066 +--- linux-2.6.23.15/include/asm-x86_64/page.h 2007-10-09 21:31:38.000000000 +0100
28067 ++++ linux-2.6.23.15-grsec/include/asm-x86_64/page.h 2008-02-11 10:37:45.000000000 +0000
28068 +@@ -94,6 +94,8 @@ extern unsigned long phys_base;
28069 + #define __START_KERNEL_map _AC(0xffffffff80000000, UL)
28070 + #define __PAGE_OFFSET _AC(0xffff810000000000, UL)
28071 +
28072 ++#define __KERNEL_TEXT_OFFSET (0)
28073 ++
28074 + /* to align the pointer to the (next) page boundary */
28075 + #define PAGE_ALIGN(addr) (((addr)+PAGE_SIZE-1)&PAGE_MASK)
28076 +
28077 +diff -Nurp linux-2.6.23.15/include/asm-x86_64/pgalloc.h linux-2.6.23.15-grsec/include/asm-x86_64/pgalloc.h
28078 +--- linux-2.6.23.15/include/asm-x86_64/pgalloc.h 2007-10-09 21:31:38.000000000 +0100
28079 ++++ linux-2.6.23.15-grsec/include/asm-x86_64/pgalloc.h 2008-02-11 10:37:45.000000000 +0000
28080 +@@ -6,7 +6,7 @@
28081 + #include <linux/mm.h>
28082 +
28083 + #define pmd_populate_kernel(mm, pmd, pte) \
28084 +- set_pmd(pmd, __pmd(_PAGE_TABLE | __pa(pte)))
28085 ++ set_pmd(pmd, __pmd(_KERNPG_TABLE | __pa(pte)))
28086 + #define pud_populate(mm, pud, pmd) \
28087 + set_pud(pud, __pud(_PAGE_TABLE | __pa(pmd)))
28088 + #define pgd_populate(mm, pgd, pud) \
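Review bot: only `pmd_populate_kernel` moves to `_KERNPG_TABLE`, while `pud_populate` and `pgd_populate` directly below keep `_PAGE_TABLE`, and nothing in the hunk says whether the asymmetry is intended. If `_KERNPG_TABLE` is `_PAGE_TABLE` without the user bit, as the name suggests, a reader will ask why the upper levels still grant user access; a comment would settle it, e.g. `/* kernel-only PTE table: no _PAGE_USER; upper levels stay _PAGE_TABLE because they are shared with user mappings */`. Hedged, since neither macro's definition is visible here.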
28089 +diff -Nurp linux-2.6.23.15/include/asm-x86_64/pgtable.h linux-2.6.23.15-grsec/include/asm-x86_64/pgtable.h
28090 +--- linux-2.6.23.15/include/asm-x86_64/pgtable.h 2007-10-09 21:31:38.000000000 +0100
28091 ++++ linux-2.6.23.15-grsec/include/asm-x86_64/pgtable.h 2008-02-11 10:37:45.000000000 +0000
28092 +@@ -179,6 +179,10 @@ static inline pte_t ptep_get_and_clear_f
28093 + #define PAGE_COPY_EXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_ACCESSED)
28094 + #define PAGE_READONLY __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_ACCESSED | _PAGE_NX)
28095 + #define PAGE_READONLY_EXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_ACCESSED)
28096 ++
28097 ++#define PAGE_READONLY_NOEXEC PAGE_READONLY
28098 ++#define PAGE_SHARED_NOEXEC PAGE_SHARED
28099 ++
28100 + #define __PAGE_KERNEL \
28101 + (_PAGE_PRESENT | _PAGE_RW | _PAGE_DIRTY | _PAGE_ACCESSED | _PAGE_NX)
28102 + #define __PAGE_KERNEL_EXEC \
28103 +diff -Nurp linux-2.6.23.15/include/asm-x86_64/processor.h linux-2.6.23.15-grsec/include/asm-x86_64/processor.h
28104 +--- linux-2.6.23.15/include/asm-x86_64/processor.h 2007-10-09 21:31:38.000000000 +0100
28105 ++++ linux-2.6.23.15-grsec/include/asm-x86_64/processor.h 2008-02-11 10:37:45.000000000 +0000
28106 +@@ -140,7 +140,7 @@ static inline void clear_in_cr4 (unsigne
28107 + /* This decides where the kernel will search for a free chunk of vm
28108 + * space during mmap's.
28109 + */
28110 +-#define IA32_PAGE_OFFSET ((current->personality & ADDR_LIMIT_3GB) ? 0xc0000000 : 0xFFFFe000)
28111 ++#define IA32_PAGE_OFFSET ((current->personality & ADDR_LIMIT_3GB) ? 0xc0000000 : 0xFFFFf000)
28112 +
28113 + #define TASK_SIZE (test_thread_flag(TIF_IA32) ? IA32_PAGE_OFFSET : TASK_SIZE64)
28114 + #define TASK_SIZE_OF(child) ((test_tsk_thread_flag(child, TIF_IA32)) ? IA32_PAGE_OFFSET : TASK_SIZE64)
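Review bot: raising `IA32_PAGE_OFFSET` from 0xFFFFe000 to 0xFFFFf000 extends the compat task size by one page and turns the 0xFFFFe000 page into ordinary user address space, but nothing on the line records what occupied that slot before or why it is now free (the fixed 32-bit vsyscall/vDSO page, presumably, which this series seems to stop mapping at a fixed address). Because `TASK_SIZE` and `TASK_SIZE_OF` derive from this value, every compat `access_ok` bound moves with it. Suggest a comment on the new line, `/* 0xffffe000 no longer reserved: compat vDSO is not fixed-mapped there — see vdso changes */`, confirmed against the rest of the series.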
28115 +diff -Nurp linux-2.6.23.15/include/asm-x86_64/system.h linux-2.6.23.15-grsec/include/asm-x86_64/system.h
28116 +--- linux-2.6.23.15/include/asm-x86_64/system.h 2008-02-11 10:36:03.000000000 +0000
28117 ++++ linux-2.6.23.15-grsec/include/asm-x86_64/system.h 2008-02-11 10:37:45.000000000 +0000
28118 +@@ -174,7 +174,7 @@ static inline void write_cr8(unsigned lo
28119 +
28120 + void cpu_idle_wait(void);
28121 +
28122 +-extern unsigned long arch_align_stack(unsigned long sp);
28123 ++#define arch_align_stack(x) (x)
28124 + extern void free_init_pages(char *what, unsigned long begin, unsigned long end);
28125 +
28126 + #endif
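Review bot: replacing the `arch_align_stack()` function with the identity macro `(x)` drops everything the function did, not only its randomisation; if the original also rounded `sp` down to a 16-byte boundary, as the name suggests, callers now receive an unaligned stack pointer unless the PaX stack-delta code guarantees alignment itself. That guarantee is not visible in this hunk and should be stated, e.g. `/* PaX: stack randomisation and alignment are handled via mm->delta_stack; the mainline helper is a no-op here */`. A `static inline unsigned long arch_align_stack(unsigned long sp) { return sp; }` would also keep type checking on the argument.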
28127 +diff -Nurp linux-2.6.23.15/include/asm-xtensa/kmap_types.h linux-2.6.23.15-grsec/include/asm-xtensa/kmap_types.h
28128 +--- linux-2.6.23.15/include/asm-xtensa/kmap_types.h 2007-10-09 21:31:38.000000000 +0100
28129 ++++ linux-2.6.23.15-grsec/include/asm-xtensa/kmap_types.h 2008-02-11 10:37:45.000000000 +0000
28130 +@@ -25,6 +25,7 @@ enum km_type {
28131 + KM_IRQ1,
28132 + KM_SOFTIRQ0,
28133 + KM_SOFTIRQ1,
28134 ++ KM_CLEARPAGE,
28135 + KM_TYPE_NR
28136 + };
28137 +
28138 +diff -Nurp linux-2.6.23.15/include/linux/a.out.h linux-2.6.23.15-grsec/include/linux/a.out.h
28139 +--- linux-2.6.23.15/include/linux/a.out.h 2007-10-09 21:31:38.000000000 +0100
28140 ++++ linux-2.6.23.15-grsec/include/linux/a.out.h 2008-02-11 10:37:45.000000000 +0000
28141 +@@ -7,6 +7,16 @@
28142 +
28143 + #include <asm/a.out.h>
28144 +
28145 ++#ifdef CONFIG_PAX_RANDUSTACK
28146 ++#define __DELTA_STACK (current->mm->delta_stack)
28147 ++#else
28148 ++#define __DELTA_STACK 0UL
28149 ++#endif
28150 ++
28151 ++#ifndef STACK_TOP
28152 ++#define STACK_TOP (__STACK_TOP - __DELTA_STACK)
28153 ++#endif
28154 ++
28155 + #endif /* __STRUCT_EXEC_OVERRIDE__ */
28156 +
28157 + /* these go in the N_MACHTYPE field */
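Review bot: the new generic `STACK_TOP` is wrapped in `#ifndef STACK_TOP`, so an architecture that still defines `STACK_TOP` itself silently keeps an unrandomised stack top instead of failing to build, while one that defines neither `STACK_TOP` nor `__STACK_TOP` only fails at the first use. The contract that every arch header must now define `__STACK_TOP` is not written anywhere in the hunk; a comment such as `/* arch headers define __STACK_TOP; the randomised per-process STACK_TOP is derived here */` would make it explicit. Note also that `__DELTA_STACK` dereferences `current->mm` and is only usable in a task with a user address space.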
28158 +@@ -37,6 +47,14 @@ enum machine_type {
28159 + M_MIPS2 = 152 /* MIPS R6000/R4000 binary */
28160 + };
28161 +
28162 ++/* Constants for the N_FLAGS field */
28163 ++#define F_PAX_PAGEEXEC 1 /* Paging based non-executable pages */
28164 ++#define F_PAX_EMUTRAMP 2 /* Emulate trampolines */
28165 ++#define F_PAX_MPROTECT 4 /* Restrict mprotect() */
28166 ++#define F_PAX_RANDMMAP 8 /* Randomize mmap() base */
28167 ++/*#define F_PAX_RANDEXEC 16*/ /* Randomize ET_EXEC base */
28168 ++#define F_PAX_SEGMEXEC 32 /* Segmentation based non-executable pages */
28169 ++
28170 + #if !defined (N_MAGIC)
28171 + #define N_MAGIC(exec) ((exec).a_info & 0xffff)
28172 + #endif
28173 +diff -Nurp linux-2.6.23.15/include/linux/binfmts.h linux-2.6.23.15-grsec/include/linux/binfmts.h
28174 +--- linux-2.6.23.15/include/linux/binfmts.h 2007-10-09 21:31:38.000000000 +0100
28175 ++++ linux-2.6.23.15-grsec/include/linux/binfmts.h 2008-02-11 10:37:45.000000000 +0000
28176 +@@ -48,6 +48,7 @@ struct linux_binprm{
28177 + unsigned interp_data;
28178 + unsigned long loader, exec;
28179 + unsigned long argv_len;
28180 ++ int misc;
28181 + };
28182 +
28183 + #define BINPRM_FLAGS_ENFORCE_NONDUMP_BIT 0
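Review bot: the new `int misc;` member of `struct linux_binprm` has no comment, and its name says nothing about what it carries or which binary-format loader sets and reads it. A field in a structure shared by every binfmt should at least say who owns it, e.g. `int misc; /* PaX: per-exec flags filled in by the binfmt loader */`, with the exact contents confirmed against the loader changes elsewhere in the patch.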
28184 +@@ -99,5 +100,8 @@ extern void compute_creds(struct linux_b
28185 + extern int do_coredump(long signr, int exit_code, struct pt_regs * regs);
28186 + extern int set_binfmt(struct linux_binfmt *new);
28187 +
28188 ++void pax_report_fault(struct pt_regs *regs, void *pc, void *sp);
28189 ++void pax_report_insns(void *pc, void *sp);
28190 ++
28191 + #endif /* __KERNEL__ */
28192 + #endif /* _LINUX_BINFMTS_H */
28193 +diff -Nurp linux-2.6.23.15/include/linux/cache.h linux-2.6.23.15-grsec/include/linux/cache.h
28194 +--- linux-2.6.23.15/include/linux/cache.h 2007-10-09 21:31:38.000000000 +0100
28195 ++++ linux-2.6.23.15-grsec/include/linux/cache.h 2008-02-11 10:37:45.000000000 +0000
28196 +@@ -16,6 +16,10 @@
28197 + #define __read_mostly
28198 + #endif
28199 +
28200 ++#ifndef __read_only
28201 ++#define __read_only
28202 ++#endif
28203 ++
28204 + #ifndef ____cacheline_aligned
28205 + #define ____cacheline_aligned __attribute__((__aligned__(SMP_CACHE_BYTES)))
28206 + #endif
28207 +diff -Nurp linux-2.6.23.15/include/linux/capability.h linux-2.6.23.15-grsec/include/linux/capability.h
28208 +--- linux-2.6.23.15/include/linux/capability.h 2007-10-09 21:31:38.000000000 +0100
28209 ++++ linux-2.6.23.15-grsec/include/linux/capability.h 2008-02-11 10:37:45.000000000 +0000
28210 +@@ -359,6 +359,7 @@ static inline kernel_cap_t cap_invert(ke
28211 + #define cap_is_fs_cap(c) (CAP_TO_MASK(c) & CAP_FS_MASK)
28212 +
28213 + int capable(int cap);
28214 ++int capable_nolog(int cap);
28215 + int __capable(struct task_struct *t, int cap);
28216 +
28217 + #endif /* __KERNEL__ */
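Review bot: `capable_nolog()` is declared beside `capable()` with nothing indicating how the two differ or when a caller should prefer one. From the name it presumably performs the same privilege check without emitting the grsecurity audit message, but that is an inference; a one-line comment at the declaration, `/* as capable(), but does not log a denied check — for probes that are expected to fail */`, would make the intended use clear and discourage using it to silence legitimate denials.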
28218 +diff -Nurp linux-2.6.23.15/include/linux/elf.h linux-2.6.23.15-grsec/include/linux/elf.h
28219 +--- linux-2.6.23.15/include/linux/elf.h 2007-10-09 21:31:38.000000000 +0100
28220 ++++ linux-2.6.23.15-grsec/include/linux/elf.h 2008-02-11 10:37:45.000000000 +0000
28221 +@@ -8,6 +8,10 @@
28222 +
28223 + struct file;
28224 +
28225 ++#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
28226 ++#undef elf_read_implies_exec
28227 ++#endif
28228 ++
28229 + #ifndef elf_read_implies_exec
28230 + /* Executables for which elf_read_implies_exec() returns TRUE will
28231 + have the READ_IMPLIES_EXEC personality flag set automatically.
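Review bot: the `#undef elf_read_implies_exec` only has an effect if `<asm/elf.h>` has already been included above this point, so that the architecture's definition is discarded and the generic fallback just below takes over; that include is not visible in the hunk, and if the order ever changes the arch version would silently win. A comment stating the dependency and the intent, e.g. `/* PaX: drop the arch definition so READ_IMPLIES_EXEC is never granted; relies on <asm/elf.h> being included above */`, would protect it. Whether the fallback really yields 0 is not shown here and should be confirmed.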
28232 +@@ -49,6 +53,16 @@ typedef __s64 Elf64_Sxword;
28233 +
28234 + #define PT_GNU_STACK (PT_LOOS + 0x474e551)
28235 +
28236 ++#define PT_PAX_FLAGS (PT_LOOS + 0x5041580)
28237 ++
28238 ++/* Constants for the e_flags field */
28239 ++#define EF_PAX_PAGEEXEC 1 /* Paging based non-executable pages */
28240 ++#define EF_PAX_EMUTRAMP 2 /* Emulate trampolines */
28241 ++#define EF_PAX_MPROTECT 4 /* Restrict mprotect() */
28242 ++#define EF_PAX_RANDMMAP 8 /* Randomize mmap() base */
28243 ++/*#define EF_PAX_RANDEXEC 16*/ /* Randomize ET_EXEC base */
28244 ++#define EF_PAX_SEGMEXEC 32 /* Segmentation based non-executable pages */
28245 ++
28246 + /* These constants define the different elf file types */
28247 + #define ET_NONE 0
28248 + #define ET_REL 1
28249 +@@ -83,6 +97,8 @@ typedef __s64 Elf64_Sxword;
28250 + #define DT_DEBUG 21
28251 + #define DT_TEXTREL 22
28252 + #define DT_JMPREL 23
28253 ++#define DT_FLAGS 30
28254 ++ #define DF_TEXTREL 0x00000004
28255 + #define DT_ENCODING 32
28256 + #define OLD_DT_LOOS 0x60000000
28257 + #define DT_LOOS 0x6000000d
28258 +@@ -229,6 +245,19 @@ typedef struct elf64_hdr {
28259 + #define PF_W 0x2
28260 + #define PF_X 0x1
28261 +
28262 ++#define PF_PAGEEXEC (1U << 4) /* Enable PAGEEXEC */
28263 ++#define PF_NOPAGEEXEC (1U << 5) /* Disable PAGEEXEC */
28264 ++#define PF_SEGMEXEC (1U << 6) /* Enable SEGMEXEC */
28265 ++#define PF_NOSEGMEXEC (1U << 7) /* Disable SEGMEXEC */
28266 ++#define PF_MPROTECT (1U << 8) /* Enable MPROTECT */
28267 ++#define PF_NOMPROTECT (1U << 9) /* Disable MPROTECT */
28268 ++/*#define PF_RANDEXEC (1U << 10)*/ /* Enable RANDEXEC */
28269 ++/*#define PF_NORANDEXEC (1U << 11)*/ /* Disable RANDEXEC */
28270 ++#define PF_EMUTRAMP (1U << 12) /* Enable EMUTRAMP */
28271 ++#define PF_NOEMUTRAMP (1U << 13) /* Disable EMUTRAMP */
28272 ++#define PF_RANDMMAP (1U << 14) /* Enable RANDMMAP */
28273 ++#define PF_NORANDMMAP (1U << 15) /* Disable RANDMMAP */
28274 ++
28275 + typedef struct elf32_phdr{
28276 + Elf32_Word p_type;
28277 + Elf32_Off p_offset;
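Review bot: the new `PF_PAGEEXEC` through `PF_NORANDMMAP` flags occupy bits 4–15 of `p_flags`, which the ELF gABI leaves reserved rather than the OS-specific `PF_MASKOS` range; that is presumably acceptable only because they are read from the dedicated `PT_PAX_FLAGS` header and never from ordinary segments, but the hunk does not say so. The commented-out `PF_RANDEXEC`/`PF_NORANDEXEC` lines are dead code that still reserves two bits. Suggest a comment above the block, `/* only meaningful in the PT_PAX_FLAGS program header; bits 10-11 reserved (former RANDEXEC) */`, and dropping the commented-out definitions.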
28278 +@@ -321,6 +350,8 @@ typedef struct elf64_shdr {
28279 + #define EI_OSABI 7
28280 + #define EI_PAD 8
28281 +
28282 ++#define EI_PAX 14
28283 ++
28284 + #define ELFMAG0 0x7f /* EI_MAG */
28285 + #define ELFMAG1 'E'
28286 + #define ELFMAG2 'L'
28287 +@@ -378,6 +409,7 @@ extern Elf32_Dyn _DYNAMIC [];
28288 + #define elf_phdr elf32_phdr
28289 + #define elf_note elf32_note
28290 + #define elf_addr_t Elf32_Off
28291 ++#define elf_dyn Elf32_Dyn
28292 +
28293 + #else
28294 +
28295 +@@ -386,6 +418,7 @@ extern Elf64_Dyn _DYNAMIC [];
28296 + #define elf_phdr elf64_phdr
28297 + #define elf_note elf64_note
28298 + #define elf_addr_t Elf64_Off
28299 ++#define elf_dyn Elf64_Dyn
28300 +
28301 + #endif
28302 +
28303 +diff -Nurp linux-2.6.23.15/include/linux/ext4_fs_extents.h linux-2.6.23.15-grsec/include/linux/ext4_fs_extents.h
28304 +--- linux-2.6.23.15/include/linux/ext4_fs_extents.h 2007-10-09 21:31:38.000000000 +0100
28305 ++++ linux-2.6.23.15-grsec/include/linux/ext4_fs_extents.h 2008-02-11 10:37:45.000000000 +0000
28306 +@@ -50,7 +50,7 @@
28307 + #ifdef EXT_DEBUG
28308 + #define ext_debug(a...) printk(a)
28309 + #else
28310 +-#define ext_debug(a...)
28311 ++#define ext_debug(a...) do {} while (0)
28312 + #endif
28313 +
28314 + /*
28315 +diff -Nurp linux-2.6.23.15/include/linux/gracl.h linux-2.6.23.15-grsec/include/linux/gracl.h
28316 +--- linux-2.6.23.15/include/linux/gracl.h 1970-01-01 01:00:00.000000000 +0100
28317 ++++ linux-2.6.23.15-grsec/include/linux/gracl.h 2008-02-11 10:37:45.000000000 +0000
28318 +@@ -0,0 +1,317 @@
28319 ++#ifndef GR_ACL_H
28320 ++#define GR_ACL_H
28321 ++
28322 ++#include <linux/grdefs.h>
28323 ++#include <linux/resource.h>
28324 ++#include <linux/dcache.h>
28325 ++#include <asm/resource.h>
28326 ++
28327 ++/* Major status information */
28328 ++
28329 ++#define GR_VERSION "grsecurity 2.1.11"
28330 ++#define GRSECURITY_VERSION 0x2111
28331 ++
28332 ++enum {
28333 ++
28334 ++ SHUTDOWN = 0,
28335 ++ ENABLE = 1,
28336 ++ SPROLE = 2,
28337 ++ RELOAD = 3,
28338 ++ SEGVMOD = 4,
28339 ++ STATUS = 5,
28340 ++ UNSPROLE = 6,
28341 ++ PASSSET = 7,
28342 ++ SPROLEPAM = 8
28343 ++};
28344 ++
28345 ++/* Password setup definitions
28346 ++ * kernel/grhash.c */
28347 ++enum {
28348 ++ GR_PW_LEN = 128,
28349 ++ GR_SALT_LEN = 16,
28350 ++ GR_SHA_LEN = 32,
28351 ++};
28352 ++
28353 ++enum {
28354 ++ GR_SPROLE_LEN = 64,
28355 ++};
28356 ++
28357 ++#define GR_NLIMITS (RLIMIT_LOCKS + 2)
28358 ++
28359 ++/* Begin Data Structures */
28360 ++
28361 ++struct sprole_pw {
28362 ++ unsigned char *rolename;
28363 ++ unsigned char salt[GR_SALT_LEN];
28364 ++ unsigned char sum[GR_SHA_LEN]; /* 256-bit SHA hash of the password */
28365 ++};
28366 ++
28367 ++struct name_entry {
28368 ++ __u32 key;
28369 ++ ino_t inode;
28370 ++ dev_t device;
28371 ++ char *name;
28372 ++ __u16 len;
28373 ++ __u8 deleted;
28374 ++ struct name_entry *prev;
28375 ++ struct name_entry *next;
28376 ++};
28377 ++
28378 ++struct inodev_entry {
28379 ++ struct name_entry *nentry;
28380 ++ struct inodev_entry *prev;
28381 ++ struct inodev_entry *next;
28382 ++};
28383 ++
28384 ++struct acl_role_db {
28385 ++ struct acl_role_label **r_hash;
28386 ++ __u32 r_size;
28387 ++};
28388 ++
28389 ++struct inodev_db {
28390 ++ struct inodev_entry **i_hash;
28391 ++ __u32 i_size;
28392 ++};
28393 ++
28394 ++struct name_db {
28395 ++ struct name_entry **n_hash;
28396 ++ __u32 n_size;
28397 ++};
28398 ++
28399 ++struct crash_uid {
28400 ++ uid_t uid;
28401 ++ unsigned long expires;
28402 ++};
28403 ++
28404 ++struct gr_hash_struct {
28405 ++ void **table;
28406 ++ void **nametable;
28407 ++ void *first;
28408 ++ __u32 table_size;
28409 ++ __u32 used_size;
28410 ++ int type;
28411 ++};
28412 ++
28413 ++/* Userspace Grsecurity ACL data structures */
28414 ++
28415 ++struct acl_subject_label {
28416 ++ char *filename;
28417 ++ ino_t inode;
28418 ++ dev_t device;
28419 ++ __u32 mode;
28420 ++ __u32 cap_mask;
28421 ++ __u32 cap_lower;
28422 ++
28423 ++ struct rlimit res[GR_NLIMITS];
28424 ++ __u16 resmask;
28425 ++
28426 ++ __u8 user_trans_type;
28427 ++ __u8 group_trans_type;
28428 ++ uid_t *user_transitions;
28429 ++ gid_t *group_transitions;
28430 ++ __u16 user_trans_num;
28431 ++ __u16 group_trans_num;
28432 ++
28433 ++ __u32 ip_proto[8];
28434 ++ __u32 ip_type;
28435 ++ struct acl_ip_label **ips;
28436 ++ __u32 ip_num;
28437 ++
28438 ++ __u32 crashes;
28439 ++ unsigned long expires;
28440 ++
28441 ++ struct acl_subject_label *parent_subject;
28442 ++ struct gr_hash_struct *hash;
28443 ++ struct acl_subject_label *prev;
28444 ++ struct acl_subject_label *next;
28445 ++
28446 ++ struct acl_object_label **obj_hash;
28447 ++ __u32 obj_hash_size;
28448 ++ __u16 pax_flags;
28449 ++};
28450 ++
28451 ++struct role_allowed_ip {
28452 ++ __u32 addr;
28453 ++ __u32 netmask;
28454 ++
28455 ++ struct role_allowed_ip *prev;
28456 ++ struct role_allowed_ip *next;
28457 ++};
28458 ++
28459 ++struct role_transition {
28460 ++ char *rolename;
28461 ++
28462 ++ struct role_transition *prev;
28463 ++ struct role_transition *next;
28464 ++};
28465 ++
28466 ++struct acl_role_label {
28467 ++ char *rolename;
28468 ++ uid_t uidgid;
28469 ++ __u16 roletype;
28470 ++
28471 ++ __u16 auth_attempts;
28472 ++ unsigned long expires;
28473 ++
28474 ++ struct acl_subject_label *root_label;
28475 ++ struct gr_hash_struct *hash;
28476 ++
28477 ++ struct acl_role_label *prev;
28478 ++ struct acl_role_label *next;
28479 ++
28480 ++ struct role_transition *transitions;
28481 ++ struct role_allowed_ip *allowed_ips;
28482 ++ uid_t *domain_children;
28483 ++ __u16 domain_child_num;
28484 ++
28485 ++ struct acl_subject_label **subj_hash;
28486 ++ __u32 subj_hash_size;
28487 ++};
28488 ++
28489 ++struct user_acl_role_db {
28490 ++ struct acl_role_label **r_table;
28491 ++ __u32 num_pointers; /* Number of allocations to track */
28492 ++ __u32 num_roles; /* Number of roles */
28493 ++ __u32 num_domain_children; /* Number of domain children */
28494 ++ __u32 num_subjects; /* Number of subjects */
28495 ++ __u32 num_objects; /* Number of objects */
28496 ++};
28497 ++
28498 ++struct acl_object_label {
28499 ++ char *filename;
28500 ++ ino_t inode;
28501 ++ dev_t device;
28502 ++ __u32 mode;
28503 ++
28504 ++ struct acl_subject_label *nested;
28505 ++ struct acl_object_label *globbed;
28506 ++
28507 ++ /* next two structures not used */
28508 ++
28509 ++ struct acl_object_label *prev;
28510 ++ struct acl_object_label *next;
28511 ++};
28512 ++
28513 ++struct acl_ip_label {
28514 ++ char *iface;
28515 ++ __u32 addr;
28516 ++ __u32 netmask;
28517 ++ __u16 low, high;
28518 ++ __u8 mode;
28519 ++ __u32 type;
28520 ++ __u32 proto[8];
28521 ++
28522 ++ /* next two structures not used */
28523 ++
28524 ++ struct acl_ip_label *prev;
28525 ++ struct acl_ip_label *next;
28526 ++};
28527 ++
28528 ++struct gr_arg {
28529 ++ struct user_acl_role_db role_db;
28530 ++ unsigned char pw[GR_PW_LEN];
28531 ++ unsigned char salt[GR_SALT_LEN];
28532 ++ unsigned char sum[GR_SHA_LEN];
28533 ++ unsigned char sp_role[GR_SPROLE_LEN];
28534 ++ struct sprole_pw *sprole_pws;
28535 ++ dev_t segv_device;
28536 ++ ino_t segv_inode;
28537 ++ uid_t segv_uid;
28538 ++ __u16 num_sprole_pws;
28539 ++ __u16 mode;
28540 ++};
28541 ++
28542 ++struct gr_arg_wrapper {
28543 ++ struct gr_arg *arg;
28544 ++ __u32 version;
28545 ++ __u32 size;
28546 ++};
28547 ++
28548 ++struct subject_map {
28549 ++ struct acl_subject_label *user;
28550 ++ struct acl_subject_label *kernel;
28551 ++ struct subject_map *prev;
28552 ++ struct subject_map *next;
28553 ++};
28554 ++
28555 ++struct acl_subj_map_db {
28556 ++ struct subject_map **s_hash;
28557 ++ __u32 s_size;
28558 ++};
28559 ++
28560 ++/* End Data Structures Section */
28561 ++
28562 ++/* Hash functions generated by empirical testing by Brad Spengler
28563 ++ Makes good use of the low bits of the inode. Generally 0-1 times
28564 ++ in loop for successful match. 0-3 for unsuccessful match.
28565 ++ Shift/add algorithm with modulus of table size and an XOR*/
28566 ++
28567 ++static __inline__ unsigned int
28568 ++rhash(const uid_t uid, const __u16 type, const unsigned int sz)
28569 ++{
28570 ++ return (((uid << type) + (uid ^ type)) % sz);
28571 ++}
28572 ++
28573 ++ static __inline__ unsigned int
28574 ++shash(const struct acl_subject_label *userp, const unsigned int sz)
28575 ++{
28576 ++ return ((const unsigned long)userp % sz);
28577 ++}
28578 ++
28579 ++static __inline__ unsigned int
28580 ++fhash(const ino_t ino, const dev_t dev, const unsigned int sz)
28581 ++{
28582 ++ return (((ino + dev) ^ ((ino << 13) + (ino << 23) + (dev << 9))) % sz);
28583 ++}
28584 ++
28585 ++static __inline__ unsigned int
28586 ++nhash(const char *name, const __u16 len, const unsigned int sz)
28587 ++{
28588 ++ return full_name_hash(name, len) % sz;
28589 ++}
28590 ++
28591 ++#define FOR_EACH_ROLE_START(role,iter) \
28592 ++ role = NULL; \
28593 ++ iter = 0; \
28594 ++ while (iter < acl_role_set.r_size) { \
28595 ++ if (role == NULL) \
28596 ++ role = acl_role_set.r_hash[iter]; \
28597 ++ if (role == NULL) { \
28598 ++ iter++; \
28599 ++ continue; \
28600 ++ }
28601 ++
28602 ++#define FOR_EACH_ROLE_END(role,iter) \
28603 ++ role = role->next; \
28604 ++ if (role == NULL) \
28605 ++ iter++; \
28606 ++ }
28607 ++
28608 ++#define FOR_EACH_SUBJECT_START(role,subj,iter) \
28609 ++ subj = NULL; \
28610 ++ iter = 0; \
28611 ++ while (iter < role->subj_hash_size) { \
28612 ++ if (subj == NULL) \
28613 ++ subj = role->subj_hash[iter]; \
28614 ++ if (subj == NULL) { \
28615 ++ iter++; \
28616 ++ continue; \
28617 ++ }
28618 ++
28619 ++#define FOR_EACH_SUBJECT_END(subj,iter) \
28620 ++ subj = subj->next; \
28621 ++ if (subj == NULL) \
28622 ++ iter++; \
28623 ++ }
28624 ++
28625 ++
28626 ++#define FOR_EACH_NESTED_SUBJECT_START(role,subj) \
28627 ++ subj = role->hash->first; \
28628 ++ while (subj != NULL) {
28629 ++
28630 ++#define FOR_EACH_NESTED_SUBJECT_END(subj) \
28631 ++ subj = subj->next; \
28632 ++ }
28633 ++
28634 ++#endif
28635 ++
28636 +diff -Nurp linux-2.6.23.15/include/linux/gralloc.h linux-2.6.23.15-grsec/include/linux/gralloc.h
28637 +--- linux-2.6.23.15/include/linux/gralloc.h 1970-01-01 01:00:00.000000000 +0100
28638 ++++ linux-2.6.23.15-grsec/include/linux/gralloc.h 2008-02-11 10:37:45.000000000 +0000
28639 +@@ -0,0 +1,8 @@
28640 ++#ifndef __GRALLOC_H
28641 ++#define __GRALLOC_H
28642 ++
28643 ++void acl_free_all(void);
28644 ++int acl_alloc_stack_init(unsigned long size);
28645 ++void *acl_alloc(unsigned long len);
28646 ++
28647 ++#endif
28648 +diff -Nurp linux-2.6.23.15/include/linux/grdefs.h linux-2.6.23.15-grsec/include/linux/grdefs.h
28649 +--- linux-2.6.23.15/include/linux/grdefs.h 1970-01-01 01:00:00.000000000 +0100
28650 ++++ linux-2.6.23.15-grsec/include/linux/grdefs.h 2008-02-11 10:37:45.000000000 +0000
28651 +@@ -0,0 +1,131 @@
28652 ++#ifndef GRDEFS_H
28653 ++#define GRDEFS_H
28654 ++
28655 ++/* Begin grsecurity status declarations */
28656 ++
28657 ++enum {
28658 ++ GR_READY = 0x01,
28659 ++ GR_STATUS_INIT = 0x00 // disabled state
28660 ++};
28661 ++
28662 ++/* Begin ACL declarations */
28663 ++
28664 ++/* Role flags */
28665 ++
28666 ++enum {
28667 ++ GR_ROLE_USER = 0x0001,
28668 ++ GR_ROLE_GROUP = 0x0002,
28669 ++ GR_ROLE_DEFAULT = 0x0004,
28670 ++ GR_ROLE_SPECIAL = 0x0008,
28671 ++ GR_ROLE_AUTH = 0x0010,
28672 ++ GR_ROLE_NOPW = 0x0020,
28673 ++ GR_ROLE_GOD = 0x0040,
28674 ++ GR_ROLE_LEARN = 0x0080,
28675 ++ GR_ROLE_TPE = 0x0100,
28676 ++ GR_ROLE_DOMAIN = 0x0200,
28677 ++ GR_ROLE_PAM = 0x0400
28678 ++};
28679 ++
28680 ++/* ACL Subject and Object mode flags */
28681 ++enum {
28682 ++ GR_DELETED = 0x80000000
28683 ++};
28684 ++
28685 ++/* ACL Object-only mode flags */
28686 ++enum {
28687 ++ GR_READ = 0x00000001,
28688 ++ GR_APPEND = 0x00000002,
28689 ++ GR_WRITE = 0x00000004,
28690 ++ GR_EXEC = 0x00000008,
28691 ++ GR_FIND = 0x00000010,
28692 ++ GR_INHERIT = 0x00000020,
28693 ++ GR_SETID = 0x00000040,
28694 ++ GR_CREATE = 0x00000080,
28695 ++ GR_DELETE = 0x00000100,
28696 ++ GR_LINK = 0x00000200,
28697 ++ GR_AUDIT_READ = 0x00000400,
28698 ++ GR_AUDIT_APPEND = 0x00000800,
28699 ++ GR_AUDIT_WRITE = 0x00001000,
28700 ++ GR_AUDIT_EXEC = 0x00002000,
28701 ++ GR_AUDIT_FIND = 0x00004000,
28702 ++ GR_AUDIT_INHERIT= 0x00008000,
28703 ++ GR_AUDIT_SETID = 0x00010000,
28704 ++ GR_AUDIT_CREATE = 0x00020000,
28705 ++ GR_AUDIT_DELETE = 0x00040000,
28706 ++ GR_AUDIT_LINK = 0x00080000,
28707 ++ GR_PTRACERD = 0x00100000,
28708 ++ GR_NOPTRACE = 0x00200000,
28709 ++ GR_SUPPRESS = 0x00400000,
28710 ++ GR_NOLEARN = 0x00800000
28711 ++};
28712 ++
28713 ++#define GR_AUDITS (GR_AUDIT_READ | GR_AUDIT_WRITE | GR_AUDIT_APPEND | GR_AUDIT_EXEC | \
28714 ++ GR_AUDIT_FIND | GR_AUDIT_INHERIT | GR_AUDIT_SETID | \
28715 ++ GR_AUDIT_CREATE | GR_AUDIT_DELETE | GR_AUDIT_LINK)
28716 ++
28717 ++/* ACL subject-only mode flags */
28718 ++enum {
28719 ++ GR_KILL = 0x00000001,
28720 ++ GR_VIEW = 0x00000002,
28721 ++ GR_PROTECTED = 0x00000004,
28722 ++ GR_LEARN = 0x00000008,
28723 ++ GR_OVERRIDE = 0x00000010,
28724 ++ /* just a placeholder, this mode is only used in userspace */
28725 ++ GR_DUMMY = 0x00000020,
28726 ++ GR_PROTSHM = 0x00000040,
28727 ++ GR_KILLPROC = 0x00000080,
28728 ++ GR_KILLIPPROC = 0x00000100,
28729 ++ /* just a placeholder, this mode is only used in userspace */
28730 ++ GR_NOTROJAN = 0x00000200,
28731 ++ GR_PROTPROCFD = 0x00000400,
28732 ++ GR_PROCACCT = 0x00000800,
28733 ++ GR_RELAXPTRACE = 0x00001000,
28734 ++ GR_NESTED = 0x00002000,
28735 ++ GR_INHERITLEARN = 0x00004000,
28736 ++ GR_PROCFIND = 0x00008000,
28737 ++ GR_POVERRIDE = 0x00010000,
28738 ++ GR_KERNELAUTH = 0x00020000,
28739 ++};
28740 ++
28741 ++enum {
28742 ++ GR_PAX_ENABLE_SEGMEXEC = 0x0001,
28743 ++ GR_PAX_ENABLE_PAGEEXEC = 0x0002,
28744 ++ GR_PAX_ENABLE_MPROTECT = 0x0004,
28745 ++ GR_PAX_ENABLE_RANDMMAP = 0x0008,
28746 ++ GR_PAX_ENABLE_EMUTRAMP = 0x0010,
28747 ++ GR_PAX_DISABLE_SEGMEXEC = 0x0100,
28748 ++ GR_PAX_DISABLE_PAGEEXEC = 0x0200,
28749 ++ GR_PAX_DISABLE_MPROTECT = 0x0400,
28750 ++ GR_PAX_DISABLE_RANDMMAP = 0x0800,
28751 ++ GR_PAX_DISABLE_EMUTRAMP = 0x1000,
28752 ++};
28753 ++
28754 ++enum {
28755 ++ GR_ID_USER = 0x01,
28756 ++ GR_ID_GROUP = 0x02,
28757 ++};
28758 ++
28759 ++enum {
28760 ++ GR_ID_ALLOW = 0x01,
28761 ++ GR_ID_DENY = 0x02,
28762 ++};
28763 ++
28764 ++#define GR_CRASH_RES 11
28765 ++#define GR_UIDTABLE_MAX 500
28766 ++
28767 ++/* begin resource learning section */
28768 ++enum {
28769 ++ GR_RLIM_CPU_BUMP = 60,
28770 ++ GR_RLIM_FSIZE_BUMP = 50000,
28771 ++ GR_RLIM_DATA_BUMP = 10000,
28772 ++ GR_RLIM_STACK_BUMP = 1000,
28773 ++ GR_RLIM_CORE_BUMP = 10000,
28774 ++ GR_RLIM_RSS_BUMP = 500000,
28775 ++ GR_RLIM_NPROC_BUMP = 1,
28776 ++ GR_RLIM_NOFILE_BUMP = 5,
28777 ++ GR_RLIM_MEMLOCK_BUMP = 50000,
28778 ++ GR_RLIM_AS_BUMP = 500000,
28779 ++ GR_RLIM_LOCKS_BUMP = 2
28780 ++};
28781 ++
28782 ++#endif
28783 +diff -Nurp linux-2.6.23.15/include/linux/grinternal.h linux-2.6.23.15-grsec/include/linux/grinternal.h
28784 +--- linux-2.6.23.15/include/linux/grinternal.h 1970-01-01 01:00:00.000000000 +0100
28785 ++++ linux-2.6.23.15-grsec/include/linux/grinternal.h 2008-02-11 10:37:45.000000000 +0000
28786 +@@ -0,0 +1,210 @@
28787 ++#ifndef __GRINTERNAL_H
28788 ++#define __GRINTERNAL_H
28789 ++
28790 ++#ifdef CONFIG_GRKERNSEC
28791 ++
28792 ++#include <linux/fs.h>
28793 ++#include <linux/gracl.h>
28794 ++#include <linux/grdefs.h>
28795 ++#include <linux/grmsg.h>
28796 ++
28797 ++void gr_add_learn_entry(const char *fmt, ...);
28798 ++__u32 gr_search_file(const struct dentry *dentry, const __u32 mode,
28799 ++ const struct vfsmount *mnt);
28800 ++__u32 gr_check_create(const struct dentry *new_dentry,
28801 ++ const struct dentry *parent,
28802 ++ const struct vfsmount *mnt, const __u32 mode);
28803 ++int gr_check_protected_task(const struct task_struct *task);
28804 ++__u32 to_gr_audit(const __u32 reqmode);
28805 ++int gr_set_acls(const int type);
28806 ++
28807 ++int gr_acl_is_enabled(void);
28808 ++char gr_roletype_to_char(void);
28809 ++
28810 ++void gr_handle_alertkill(struct task_struct *task);
28811 ++char *gr_to_filename(const struct dentry *dentry,
28812 ++ const struct vfsmount *mnt);
28813 ++char *gr_to_filename1(const struct dentry *dentry,
28814 ++ const struct vfsmount *mnt);
28815 ++char *gr_to_filename2(const struct dentry *dentry,
28816 ++ const struct vfsmount *mnt);
28817 ++char *gr_to_filename3(const struct dentry *dentry,
28818 ++ const struct vfsmount *mnt);
28819 ++
28820 ++extern int grsec_enable_link;
28821 ++extern int grsec_enable_fifo;
28822 ++extern int grsec_enable_execve;
28823 ++extern int grsec_enable_shm;
28824 ++extern int grsec_enable_execlog;
28825 ++extern int grsec_enable_signal;
28826 ++extern int grsec_enable_forkfail;
28827 ++extern int grsec_enable_time;
28828 ++extern int grsec_enable_chroot_shmat;
28829 ++extern int grsec_enable_chroot_findtask;
28830 ++extern int grsec_enable_chroot_mount;
28831 ++extern int grsec_enable_chroot_double;
28832 ++extern int grsec_enable_chroot_pivot;
28833 ++extern int grsec_enable_chroot_chdir;
28834 ++extern int grsec_enable_chroot_chmod;
28835 ++extern int grsec_enable_chroot_mknod;
28836 ++extern int grsec_enable_chroot_fchdir;
28837 ++extern int grsec_enable_chroot_nice;
28838 ++extern int grsec_enable_chroot_execlog;
28839 ++extern int grsec_enable_chroot_caps;
28840 ++extern int grsec_enable_chroot_sysctl;
28841 ++extern int grsec_enable_chroot_unix;
28842 ++extern int grsec_enable_tpe;
28843 ++extern int grsec_tpe_gid;
28844 ++extern int grsec_enable_tpe_all;
28845 ++extern int grsec_enable_sidcaps;
28846 ++extern int grsec_enable_socket_all;
28847 ++extern int grsec_socket_all_gid;
28848 ++extern int grsec_enable_socket_client;
28849 ++extern int grsec_socket_client_gid;
28850 ++extern int grsec_enable_socket_server;
28851 ++extern int grsec_socket_server_gid;
28852 ++extern int grsec_audit_gid;
28853 ++extern int grsec_enable_group;
28854 ++extern int grsec_enable_audit_ipc;
28855 ++extern int grsec_enable_audit_textrel;
28856 ++extern int grsec_enable_mount;
28857 ++extern int grsec_enable_chdir;
28858 ++extern int grsec_resource_logging;
28859 ++extern int grsec_lock;
28860 ++
28861 ++extern spinlock_t grsec_alert_lock;
28862 ++extern unsigned long grsec_alert_wtime;
28863 ++extern unsigned long grsec_alert_fyet;
28864 ++
28865 ++extern spinlock_t grsec_audit_lock;
28866 ++
28867 ++extern rwlock_t grsec_exec_file_lock;
28868 ++
28869 ++#define gr_task_fullpath(tsk) (tsk->exec_file ? \
28870 ++ gr_to_filename2(tsk->exec_file->f_dentry, \
28871 ++ tsk->exec_file->f_vfsmnt) : "/")
28872 ++
28873 ++#define gr_parent_task_fullpath(tsk) (tsk->parent->exec_file ? \
28874 ++ gr_to_filename3(tsk->parent->exec_file->f_dentry, \
28875 ++ tsk->parent->exec_file->f_vfsmnt) : "/")
28876 ++
28877 ++#define gr_task_fullpath0(tsk) (tsk->exec_file ? \
28878 ++ gr_to_filename(tsk->exec_file->f_dentry, \
28879 ++ tsk->exec_file->f_vfsmnt) : "/")
28880 ++
28881 ++#define gr_parent_task_fullpath0(tsk) (tsk->parent->exec_file ? \
28882 ++ gr_to_filename1(tsk->parent->exec_file->f_dentry, \
28883 ++ tsk->parent->exec_file->f_vfsmnt) : "/")
28884 ++
28885 ++#define proc_is_chrooted(tsk_a) ((tsk_a->pid > 1) && (tsk_a->fs != NULL) && \
28886 ++ ((tsk_a->fs->root->d_inode->i_sb->s_dev != \
28887 ++ child_reaper(tsk_a)->fs->root->d_inode->i_sb->s_dev) || \
28888 ++ (tsk_a->fs->root->d_inode->i_ino != \
28889 ++ child_reaper(tsk_a)->fs->root->d_inode->i_ino)))
28890 ++
28891 ++#define have_same_root(tsk_a,tsk_b) ((tsk_a->fs != NULL) && (tsk_b->fs != NULL) && \
28892 ++ (tsk_a->fs->root->d_inode->i_sb->s_dev == \
28893 ++ tsk_b->fs->root->d_inode->i_sb->s_dev) && \
28894 ++ (tsk_a->fs->root->d_inode->i_ino == \
28895 ++ tsk_b->fs->root->d_inode->i_ino))
28896 ++
28897 ++#define DEFAULTSECARGS(task) gr_task_fullpath(task), task->comm, \
28898 ++ task->pid, task->uid, \
28899 ++ task->euid, task->gid, task->egid, \
28900 ++ gr_parent_task_fullpath(task), \
28901 ++ task->parent->comm, task->parent->pid, \
28902 ++ task->parent->uid, task->parent->euid, \
28903 ++ task->parent->gid, task->parent->egid
28904 ++
28905 ++#define GR_CHROOT_CAPS ( \
28906 ++ CAP_TO_MASK(CAP_LINUX_IMMUTABLE) | CAP_TO_MASK(CAP_NET_ADMIN) | \
28907 ++ CAP_TO_MASK(CAP_SYS_MODULE) | CAP_TO_MASK(CAP_SYS_RAWIO) | \
28908 ++ CAP_TO_MASK(CAP_SYS_PACCT) | CAP_TO_MASK(CAP_SYS_ADMIN) | \
28909 ++ CAP_TO_MASK(CAP_SYS_BOOT) | CAP_TO_MASK(CAP_SYS_TIME) | \
28910 ++ CAP_TO_MASK(CAP_NET_RAW) | CAP_TO_MASK(CAP_SYS_TTY_CONFIG) | \
28911 ++ CAP_TO_MASK(CAP_IPC_OWNER))
28912 ++
28913 ++#define security_learn(normal_msg,args...) \
28914 ++({ \
28915 ++ read_lock(&grsec_exec_file_lock); \
28916 ++ gr_add_learn_entry(normal_msg "\n", ## args); \
28917 ++ read_unlock(&grsec_exec_file_lock); \
28918 ++})
28919 ++
28920 ++enum {
28921 ++ GR_DO_AUDIT,
28922 ++ GR_DONT_AUDIT,
28923 ++ GR_DONT_AUDIT_GOOD
28924 ++};
28925 ++
28926 ++enum {
28927 ++ GR_TTYSNIFF,
28928 ++ GR_RBAC,
28929 ++ GR_RBAC_STR,
28930 ++ GR_STR_RBAC,
28931 ++ GR_RBAC_MODE2,
28932 ++ GR_RBAC_MODE3,
28933 ++ GR_FILENAME,
28934 ++ GR_SYSCTL_HIDDEN,
28935 ++ GR_NOARGS,
28936 ++ GR_ONE_INT,
28937 ++ GR_ONE_INT_TWO_STR,
28938 ++ GR_ONE_STR,
28939 ++ GR_STR_INT,
28940 ++ GR_TWO_INT,
28941 ++ GR_THREE_INT,
28942 ++ GR_FIVE_INT_TWO_STR,
28943 ++ GR_TWO_STR,
28944 ++ GR_THREE_STR,
28945 ++ GR_FOUR_STR,
28946 ++ GR_STR_FILENAME,
28947 ++ GR_FILENAME_STR,
28948 ++ GR_FILENAME_TWO_INT,
28949 ++ GR_FILENAME_TWO_INT_STR,
28950 ++ GR_TEXTREL,
28951 ++ GR_PTRACE,
28952 ++ GR_RESOURCE,
28953 ++ GR_CAP,
28954 ++ GR_SIG,
28955 ++ GR_CRASH1,
28956 ++ GR_CRASH2,
28957 ++ GR_PSACCT
28958 ++};
28959 ++
28960 ++#define gr_log_hidden_sysctl(audit, msg, str) gr_log_varargs(audit, msg, GR_SYSCTL_HIDDEN, str)
28961 ++#define gr_log_ttysniff(audit, msg, task) gr_log_varargs(audit, msg, GR_TTYSNIFF, task)
28962 ++#define gr_log_fs_rbac_generic(audit, msg, dentry, mnt) gr_log_varargs(audit, msg, GR_RBAC, dentry, mnt)
28963 ++#define gr_log_fs_rbac_str(audit, msg, dentry, mnt, str) gr_log_varargs(audit, msg, GR_RBAC_STR, dentry, mnt, str)
28964 ++#define gr_log_fs_str_rbac(audit, msg, str, dentry, mnt) gr_log_varargs(audit, msg, GR_STR_RBAC, str, dentry, mnt)
28965 ++#define gr_log_fs_rbac_mode2(audit, msg, dentry, mnt, str1, str2) gr_log_varargs(audit, msg, GR_RBAC_MODE2, dentry, mnt, str1, str2)
28966 ++#define gr_log_fs_rbac_mode3(audit, msg, dentry, mnt, str1, str2, str3) gr_log_varargs(audit, msg, GR_RBAC_MODE3, dentry, mnt, str1, str2, str3)
28967 ++#define gr_log_fs_generic(audit, msg, dentry, mnt) gr_log_varargs(audit, msg, GR_FILENAME, dentry, mnt)
28968 ++#define gr_log_noargs(audit, msg) gr_log_varargs(audit, msg, GR_NOARGS)
28969 ++#define gr_log_int(audit, msg, num) gr_log_varargs(audit, msg, GR_ONE_INT, num)
28970 ++#define gr_log_int_str2(audit, msg, num, str1, str2) gr_log_varargs(audit, msg, GR_ONE_INT_TWO_STR, num, str1, str2)
28971 ++#define gr_log_str(audit, msg, str) gr_log_varargs(audit, msg, GR_ONE_STR, str)
28972 ++#define gr_log_str_int(audit, msg, str, num) gr_log_varargs(audit, msg, GR_STR_INT, str, num)
28973 ++#define gr_log_int_int(audit, msg, num1, num2) gr_log_varargs(audit, msg, GR_TWO_INT, num1, num2)
28974 ++#define gr_log_int3(audit, msg, num1, num2, num3) gr_log_varargs(audit, msg, GR_THREE_INT, num1, num2, num3)
28975 ++#define gr_log_int5_str2(audit, msg, num1, num2, str1, str2) gr_log_varargs(audit, msg, GR_FIVE_INT_TWO_STR, num1, num2, str1, str2)
28976 ++#define gr_log_str_str(audit, msg, str1, str2) gr_log_varargs(audit, msg, GR_TWO_STR, str1, str2)
28977 ++#define gr_log_str3(audit, msg, str1, str2, str3) gr_log_varargs(audit, msg, GR_THREE_STR, str1, str2, str3)
28978 ++#define gr_log_str4(audit, msg, str1, str2, str3, str4) gr_log_varargs(audit, msg, GR_FOUR_STR, str1, str2, str3, str4)
28979 ++#define gr_log_str_fs(audit, msg, str, dentry, mnt) gr_log_varargs(audit, msg, GR_STR_FILENAME, str, dentry, mnt)
28980 ++#define gr_log_fs_str(audit, msg, dentry, mnt, str) gr_log_varargs(audit, msg, GR_FILENAME_STR, dentry, mnt, str)
28981 ++#define gr_log_fs_int2(audit, msg, dentry, mnt, num1, num2) gr_log_varargs(audit, msg, GR_FILENAME_TWO_INT, dentry, mnt, num1, num2)
28982 ++#define gr_log_fs_int2_str(audit, msg, dentry, mnt, num1, num2, str) gr_log_varargs(audit, msg, GR_FILENAME_TWO_INT_STR, dentry, mnt, num1, num2, str)
28983 ++#define gr_log_textrel_ulong_ulong(audit, msg, file, ulong1, ulong2) gr_log_varargs(audit, msg, GR_TEXTREL, file, ulong1, ulong2)
28984 ++#define gr_log_ptrace(audit, msg, task) gr_log_varargs(audit, msg, GR_PTRACE, task)
28985 ++#define gr_log_res_ulong2_str(audit, msg, task, ulong1, str, ulong2) gr_log_varargs(audit, msg, GR_RESOURCE, task, ulong1, str, ulong2)
28986 ++#define gr_log_cap(audit, msg, task, str) gr_log_varargs(audit, msg, GR_CAP, task, str)
28987 ++#define gr_log_sig(audit, msg, task, num) gr_log_varargs(audit, msg, GR_SIG, task, num)
28988 ++#define gr_log_crash1(audit, msg, task, ulong) gr_log_varargs(audit, msg, GR_CRASH1, task, ulong)
28989 ++#define gr_log_crash2(audit, msg, task, ulong1) gr_log_varargs(audit, msg, GR_CRASH2, task, ulong1)
28990 ++#define gr_log_procacct(audit, msg, task, num1, num2, num3, num4, num5, num6, num7, num8, num9) gr_log_varargs(audit, msg, GR_PSACCT, task, num1, num2, num3, num4, num5, num6, num7, num8, num9)
28991 ++
28992 ++void gr_log_varargs(int audit, const char *msg, int argtypes, ...);
28993 ++
28994 ++#endif
28995 ++
28996 ++#endif
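Review bot: `proc_is_chrooted` guards `tsk_a->fs` against NULL but then dereferences `child_reaper(tsk_a)->fs->root` unconditionally, so the two halves of the comparison are checked asymmetrically; whether the reaper's fs can actually be NULL when this macro runs I can't tell from here, but either a matching guard or a comment stating the invariant, e.g. `/* child_reaper's fs is assumed non-NULL here: init does not tear down its fs_struct while other tasks exist */`, would make the assumption explicit. The same macro, `have_same_root`, `gr_task_fullpath*` and `DEFAULTSECARGS` all expand their task argument several times without parentheses and read `tsk->exec_file` and `tsk->parent` with no lock visible, whereas `security_learn` below does take `grsec_exec_file_lock` around `gr_add_learn_entry`. The locking contract callers of these macros must honour is therefore implicit; a comment above them such as `/* callers must hold grsec_exec_file_lock (read) and ensure tsk->parent cannot change underneath them */` would document it, and wrapping the macro parameters in parentheses costs nothing.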
28997 +diff -Nurp linux-2.6.23.15/include/linux/grmsg.h linux-2.6.23.15-grsec/include/linux/grmsg.h
28998 +--- linux-2.6.23.15/include/linux/grmsg.h 1970-01-01 01:00:00.000000000 +0100
28999 ++++ linux-2.6.23.15-grsec/include/linux/grmsg.h 2008-02-11 10:37:45.000000000 +0000
29000 +@@ -0,0 +1,108 @@
29001 ++#define DEFAULTSECMSG "%.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u, parent %.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u"
29002 ++#define GR_ACL_PROCACCT_MSG "%.256s[%.16s:%d] IP:%u.%u.%u.%u TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u run time:[%ud %uh %um %us] cpu time:[%ud %uh %um %us] %s with exit code %ld, parent %.256s[%.16s:%d] IP:%u.%u.%u.%u TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u"
29003 ++#define GR_PTRACE_ACL_MSG "denied ptrace of %.950s(%.16s:%d) by "
29004 ++#define GR_STOPMOD_MSG "denied modification of module state by "
29005 ++#define GR_IOPERM_MSG "denied use of ioperm() by "
29006 ++#define GR_IOPL_MSG "denied use of iopl() by "
29007 ++#define GR_SHMAT_ACL_MSG "denied attach of shared memory of UID %u, PID %d, ID %u by "
29008 ++#define GR_UNIX_CHROOT_MSG "denied connect() to abstract AF_UNIX socket outside of chroot by "
29009 ++#define GR_SHMAT_CHROOT_MSG "denied attach of shared memory outside of chroot by "
29010 ++#define GR_KMEM_MSG "denied write of /dev/kmem by "
29011 ++#define GR_PORT_OPEN_MSG "denied open of /dev/port by "
29012 ++#define GR_MEM_WRITE_MSG "denied write of /dev/mem by "
29013 ++#define GR_MEM_MMAP_MSG "denied mmap write of /dev/[k]mem by "
29014 ++#define GR_SYMLINK_MSG "not following symlink %.950s owned by %d.%d by "
29015 ++#define GR_LEARN_AUDIT_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%lu\t%lu\t%.4095s\t%lu\t%u.%u.%u.%u"
29016 ++#define GR_ID_LEARN_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%c\t%d\t%d\t%d\t%u.%u.%u.%u"
29017 ++#define GR_HIDDEN_ACL_MSG "%s access to hidden file %.950s by "
29018 ++#define GR_OPEN_ACL_MSG "%s open of %.950s for%s%s by "
29019 ++#define GR_CREATE_ACL_MSG "%s create of %.950s for%s%s by "
29020 ++#define GR_FIFO_MSG "denied writing FIFO %.950s of %d.%d by "
29021 ++#define GR_MKNOD_CHROOT_MSG "denied mknod of %.950s from chroot by "
29022 ++#define GR_MKNOD_ACL_MSG "%s mknod of %.950s by "
29023 ++#define GR_UNIXCONNECT_ACL_MSG "%s connect() to the unix domain socket %.950s by "
29024 ++#define GR_TTYSNIFF_ACL_MSG "terminal being sniffed by IP:%u.%u.%u.%u %.480s[%.16s:%d], parent %.480s[%.16s:%d] against "
29025 ++#define GR_MKDIR_ACL_MSG "%s mkdir of %.950s by "
29026 ++#define GR_RMDIR_ACL_MSG "%s rmdir of %.950s by "
29027 ++#define GR_UNLINK_ACL_MSG "%s unlink of %.950s by "
29028 ++#define GR_SYMLINK_ACL_MSG "%s symlink from %.480s to %.480s by "
29029 ++#define GR_HARDLINK_MSG "denied hardlink of %.930s (owned by %d.%d) to %.30s for "
29030 ++#define GR_LINK_ACL_MSG "%s link of %.480s to %.480s by "
29031 ++#define GR_INHERIT_ACL_MSG "successful inherit of %.480s's ACL for %.480s by "
29032 ++#define GR_RENAME_ACL_MSG "%s rename of %.480s to %.480s by "
29033 ++#define GR_PTRACE_EXEC_ACL_MSG "denied ptrace of %.950s by "
29034 ++#define GR_NPROC_MSG "denied overstep of process limit by "
29035 ++#define GR_EXEC_ACL_MSG "%s execution of %.950s by "
29036 ++#define GR_EXEC_TPE_MSG "denied untrusted exec of %.950s by "
29037 ++#define GR_SEGVSTART_ACL_MSG "possible exploit bruteforcing on " DEFAULTSECMSG " banning uid %u from login for %lu seconds"
29038 ++#define GR_SEGVNOSUID_ACL_MSG "possible exploit bruteforcing on " DEFAULTSECMSG " banning execution for %lu seconds"
29039 ++#define GR_MOUNT_CHROOT_MSG "denied mount of %.30s as %.930s from chroot by "
29040 ++#define GR_PIVOT_CHROOT_MSG "denied pivot_root from chroot by "
29041 ++#define GR_TRUNCATE_ACL_MSG "%s truncate of %.950s by "
29042 ++#define GR_ATIME_ACL_MSG "%s access time change of %.950s by "
29043 ++#define GR_ACCESS_ACL_MSG "%s access of %.950s for%s%s%s by "
29044 ++#define GR_CHROOT_CHROOT_MSG "denied double chroot to %.950s by "
29045 ++#define GR_FCHMOD_ACL_MSG "%s fchmod of %.950s by "
29046 ++#define GR_CHMOD_CHROOT_MSG "denied chmod +s of %.950s by "
29047 ++#define GR_CHMOD_ACL_MSG "%s chmod of %.950s by "
29048 ++#define GR_CHROOT_FCHDIR_MSG "denied fchdir outside of chroot to %.950s by "
29049 ++#define GR_CHOWN_ACL_MSG "%s chown of %.950s by "
29050 ++#define GR_WRITLIB_ACL_MSG "denied load of writable library %.950s by "
29051 ++#define GR_INITF_ACL_MSG "init_variables() failed %s by "
29052 ++#define GR_DISABLED_ACL_MSG "Error loading %s, trying to run kernel with acls disabled. To disable acls at startup use <kernel image name> gracl=off from your boot loader"
29053 ++#define GR_DEV_ACL_MSG "/dev/grsec: %d bytes sent %d required, being fed garbaged by "
29054 ++#define GR_SHUTS_ACL_MSG "shutdown auth success for "
29055 ++#define GR_SHUTF_ACL_MSG "shutdown auth failure for "
29056 ++#define GR_SHUTI_ACL_MSG "ignoring shutdown for disabled RBAC system for "
29057 ++#define GR_SEGVMODS_ACL_MSG "segvmod auth success for "
29058 ++#define GR_SEGVMODF_ACL_MSG "segvmod auth failure for "
29059 ++#define GR_SEGVMODI_ACL_MSG "ignoring segvmod for disabled RBAC system for "
29060 ++#define GR_ENABLE_ACL_MSG "%s RBAC system loaded by "
29061 ++#define GR_ENABLEF_ACL_MSG "unable to load %s for "
29062 ++#define GR_RELOADI_ACL_MSG "ignoring reload request for disabled RBAC system"
29063 ++#define GR_RELOAD_ACL_MSG "%s RBAC system reloaded by "
29064 ++#define GR_RELOADF_ACL_MSG "failed reload of %s for "
29065 ++#define GR_SPROLEI_ACL_MSG "ignoring change to special role for disabled RBAC system for "
29066 ++#define GR_SPROLES_ACL_MSG "successful change to special role %s (id %d) by "
29067 ++#define GR_SPROLEL_ACL_MSG "special role %s (id %d) exited by "
29068 ++#define GR_SPROLEF_ACL_MSG "special role %s failure for "
29069 ++#define GR_UNSPROLEI_ACL_MSG "ignoring unauth of special role for disabled RBAC system for "
29070 ++#define GR_UNSPROLES_ACL_MSG "successful unauth of special role %s (id %d) by "
29071 ++#define GR_UNSPROLEF_ACL_MSG "special role unauth of %s failure for "
29072 ++#define GR_INVMODE_ACL_MSG "invalid mode %d by "
29073 ++#define GR_PRIORITY_CHROOT_MSG "denied priority change of process (%.16s:%d) by "
29074 ++#define GR_FAILFORK_MSG "failed fork with errno %d by "
29075 ++#define GR_NICE_CHROOT_MSG "denied priority change by "
29076 ++#define GR_UNISIGLOG_MSG "signal %d sent to "
29077 ++#define GR_DUALSIGLOG_MSG "signal %d sent to " DEFAULTSECMSG " by "
29078 ++#define GR_SIG_ACL_MSG "denied send of signal %d to protected task " DEFAULTSECMSG " by "
29079 ++#define GR_SYSCTL_MSG "denied modification of grsecurity sysctl value : %.32s by "
29080 ++#define GR_SYSCTL_ACL_MSG "%s sysctl of %.950s for%s%s by "
29081 ++#define GR_TIME_MSG "time set by "
29082 ++#define GR_DEFACL_MSG "fatal: unable to find subject for (%.16s:%d), loaded by "
29083 ++#define GR_MMAP_ACL_MSG "%s executable mmap of %.950s by "
29084 ++#define GR_MPROTECT_ACL_MSG "%s executable mprotect of %.950s by "
29085 ++#define GR_SOCK_MSG "denied socket(%.16s,%.16s,%.16s) by "
29086 ++#define GR_SOCK2_MSG "denied socket(%d,%.16s,%.16s) by "
29087 ++#define GR_BIND_MSG "denied bind() by "
29088 ++#define GR_CONNECT_MSG "denied connect() by "
29089 ++#define GR_BIND_ACL_MSG "denied bind() to %u.%u.%u.%u port %u sock type %.16s protocol %.16s by "
29090 ++#define GR_CONNECT_ACL_MSG "denied connect() to %u.%u.%u.%u port %u sock type %.16s protocol %.16s by "
29091 ++#define GR_IP_LEARN_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%u.%u.%u.%u\t%u\t%u\t%u\t%u\t%u.%u.%u.%u"
29092 ++#define GR_EXEC_CHROOT_MSG "exec of %.980s within chroot by process "
29093 ++#define GR_CAP_ACL_MSG "use of %s denied for "
29094 ++#define GR_USRCHANGE_ACL_MSG "change to uid %u denied for "
29095 ++#define GR_GRPCHANGE_ACL_MSG "change to gid %u denied for "
29096 ++#define GR_REMOUNT_AUDIT_MSG "remount of %.30s by "
29097 ++#define GR_UNMOUNT_AUDIT_MSG "unmount of %.30s by "
29098 ++#define GR_MOUNT_AUDIT_MSG "mount of %.30s to %.64s by "
29099 ++#define GR_CHDIR_AUDIT_MSG "chdir to %.980s by "
29100 ++#define GR_EXEC_AUDIT_MSG "exec of %.930s (%.128s) by "
29101 ++#define GR_MSGQ_AUDIT_MSG "message queue created by "
29102 ++#define GR_MSGQR_AUDIT_MSG "message queue of uid:%u euid:%u removed by "
29103 ++#define GR_SEM_AUDIT_MSG "semaphore created by "
29104 ++#define GR_SEMR_AUDIT_MSG "semaphore of uid:%u euid:%u removed by "
29105 ++#define GR_SHM_AUDIT_MSG "shared memory of size %d created by "
29106 ++#define GR_SHMR_AUDIT_MSG "shared memory of uid:%u euid:%u removed by "
29107 ++#define GR_RESOURCE_MSG "denied resource overstep by requesting %lu for %.16s against limit %lu for "
29108 ++#define GR_TEXTREL_AUDIT_MSG "text relocation in %s, VMA:0x%08lx 0x%08lx by "
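Review bot: GR_SYMLINK_MSG, GR_FIFO_MSG and GR_HARDLINK_MSG print the file owner's uid and gid with `%d.%d`, while DEFAULTSECMSG, GR_SHMAT_ACL_MSG and the USRCHANGE/GRPCHANGE messages in the same header use `%u`; since uid_t/gid_t are unsigned, a high id such as 4294967294 is logged as `-2` by the first group. Changing those three to `owned by %u.%u` (and `of %u.%u` in the FIFO message) keeps every id in the audit log in one format. Separately, most of these formats embed a caller-supplied path via `%.950s`; the precision bounds the length but not the content, so unless gr_to_filename() escapes newlines and control characters a path containing `\n` can forge a second audit line. That helper is not visible here, so this is a point to confirm rather than a defect I can point at.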
29109 +diff -Nurp linux-2.6.23.15/include/linux/grsecurity.h linux-2.6.23.15-grsec/include/linux/grsecurity.h
29110 +--- linux-2.6.23.15/include/linux/grsecurity.h 1970-01-01 01:00:00.000000000 +0100
29111 ++++ linux-2.6.23.15-grsec/include/linux/grsecurity.h 2008-02-11 10:37:45.000000000 +0000
29112 +@@ -0,0 +1,193 @@
29113 ++#ifndef GR_SECURITY_H
29114 ++#define GR_SECURITY_H
29115 ++#include <linux/fs.h>
29116 ++#include <linux/binfmts.h>
29117 ++#include <linux/gracl.h>
29118 ++
29119 ++void gr_handle_brute_attach(struct task_struct *p);
29120 ++void gr_handle_brute_check(void);
29121 ++
29122 ++char gr_roletype_to_char(void);
29123 ++
29124 ++int gr_check_user_change(int real, int effective, int fs);
29125 ++int gr_check_group_change(int real, int effective, int fs);
29126 ++
29127 ++void gr_del_task_from_ip_table(struct task_struct *p);
29128 ++
29129 ++int gr_pid_is_chrooted(struct task_struct *p);
29130 ++int gr_handle_chroot_nice(void);
29131 ++int gr_handle_chroot_sysctl(const int op);
29132 ++int gr_handle_chroot_setpriority(struct task_struct *p,
29133 ++ const int niceval);
29134 ++int gr_chroot_fchdir(struct dentry *u_dentry, struct vfsmount *u_mnt);
29135 ++int gr_handle_chroot_chroot(const struct dentry *dentry,
29136 ++ const struct vfsmount *mnt);
29137 ++void gr_handle_chroot_caps(struct task_struct *task);
29138 ++void gr_handle_chroot_chdir(struct dentry *dentry, struct vfsmount *mnt);
29139 ++int gr_handle_chroot_chmod(const struct dentry *dentry,
29140 ++ const struct vfsmount *mnt, const int mode);
29141 ++int gr_handle_chroot_mknod(const struct dentry *dentry,
29142 ++ const struct vfsmount *mnt, const int mode);
29143 ++int gr_handle_chroot_mount(const struct dentry *dentry,
29144 ++ const struct vfsmount *mnt,
29145 ++ const char *dev_name);
29146 ++int gr_handle_chroot_pivot(void);
29147 ++int gr_handle_chroot_unix(const pid_t pid);
29148 ++
29149 ++int gr_handle_rawio(const struct inode *inode);
29150 ++int gr_handle_nproc(void);
29151 ++
29152 ++void gr_handle_ioperm(void);
29153 ++void gr_handle_iopl(void);
29154 ++
29155 ++int gr_tpe_allow(const struct file *file);
29156 ++
29157 ++int gr_random_pid(void);
29158 ++
29159 ++void gr_log_forkfail(const int retval);
29160 ++void gr_log_timechange(void);
29161 ++void gr_log_signal(const int sig, const struct task_struct *t);
29162 ++void gr_log_chdir(const struct dentry *dentry,
29163 ++ const struct vfsmount *mnt);
29164 ++void gr_log_chroot_exec(const struct dentry *dentry,
29165 ++ const struct vfsmount *mnt);
29166 ++void gr_handle_exec_args(struct linux_binprm *bprm, char **argv);
29167 ++void gr_log_remount(const char *devname, const int retval);
29168 ++void gr_log_unmount(const char *devname, const int retval);
29169 ++void gr_log_mount(const char *from, const char *to, const int retval);
29170 ++void gr_log_msgget(const int ret, const int msgflg);
29171 ++void gr_log_msgrm(const uid_t uid, const uid_t cuid);
29172 ++void gr_log_semget(const int err, const int semflg);
29173 ++void gr_log_semrm(const uid_t uid, const uid_t cuid);
29174 ++void gr_log_shmget(const int err, const int shmflg, const size_t size);
29175 ++void gr_log_shmrm(const uid_t uid, const uid_t cuid);
29176 ++void gr_log_textrel(struct vm_area_struct *vma);
29177 ++
29178 ++int gr_handle_follow_link(const struct inode *parent,
29179 ++ const struct inode *inode,
29180 ++ const struct dentry *dentry,
29181 ++ const struct vfsmount *mnt);
29182 ++int gr_handle_fifo(const struct dentry *dentry,
29183 ++ const struct vfsmount *mnt,
29184 ++ const struct dentry *dir, const int flag,
29185 ++ const int acc_mode);
29186 ++int gr_handle_hardlink(const struct dentry *dentry,
29187 ++ const struct vfsmount *mnt,
29188 ++ struct inode *inode,
29189 ++ const int mode, const char *to);
29190 ++
29191 ++int gr_task_is_capable(struct task_struct *task, const int cap);
29192 ++int gr_is_capable_nolog(const int cap);
29193 ++void gr_learn_resource(const struct task_struct *task, const int limit,
29194 ++ const unsigned long wanted, const int gt);
29195 ++void gr_copy_label(struct task_struct *tsk);
29196 ++void gr_handle_crash(struct task_struct *task, const int sig);
29197 ++int gr_handle_signal(const struct task_struct *p, const int sig);
29198 ++int gr_check_crash_uid(const uid_t uid);
29199 ++int gr_check_protected_task(const struct task_struct *task);
29200 ++int gr_acl_handle_mmap(const struct file *file,
29201 ++ const unsigned long prot);
29202 ++int gr_acl_handle_mprotect(const struct file *file,
29203 ++ const unsigned long prot);
29204 ++int gr_check_hidden_task(const struct task_struct *tsk);
29205 ++__u32 gr_acl_handle_truncate(const struct dentry *dentry,
29206 ++ const struct vfsmount *mnt);
29207 ++__u32 gr_acl_handle_utime(const struct dentry *dentry,
29208 ++ const struct vfsmount *mnt);
29209 ++__u32 gr_acl_handle_access(const struct dentry *dentry,
29210 ++ const struct vfsmount *mnt, const int fmode);
29211 ++__u32 gr_acl_handle_fchmod(const struct dentry *dentry,
29212 ++ const struct vfsmount *mnt, mode_t mode);
29213 ++__u32 gr_acl_handle_chmod(const struct dentry *dentry,
29214 ++ const struct vfsmount *mnt, mode_t mode);
29215 ++__u32 gr_acl_handle_chown(const struct dentry *dentry,
29216 ++ const struct vfsmount *mnt);
29217 ++int gr_handle_ptrace(struct task_struct *task, const long request);
29218 ++int gr_handle_proc_ptrace(struct task_struct *task);
29219 ++__u32 gr_acl_handle_execve(const struct dentry *dentry,
29220 ++ const struct vfsmount *mnt);
29221 ++int gr_check_crash_exec(const struct file *filp);
29222 ++int gr_acl_is_enabled(void);
29223 ++void gr_set_kernel_label(struct task_struct *task);
29224 ++void gr_set_role_label(struct task_struct *task, const uid_t uid,
29225 ++ const gid_t gid);
29226 ++int gr_set_proc_label(const struct dentry *dentry,
29227 ++ const struct vfsmount *mnt);
29228 ++__u32 gr_acl_handle_hidden_file(const struct dentry *dentry,
29229 ++ const struct vfsmount *mnt);
29230 ++__u32 gr_acl_handle_open(const struct dentry *dentry,
29231 ++ const struct vfsmount *mnt, const int fmode);
29232 ++__u32 gr_acl_handle_creat(const struct dentry *dentry,
29233 ++ const struct dentry *p_dentry,
29234 ++ const struct vfsmount *p_mnt, const int fmode,
29235 ++ const int imode);
29236 ++void gr_handle_create(const struct dentry *dentry,
29237 ++ const struct vfsmount *mnt);
29238 ++__u32 gr_acl_handle_mknod(const struct dentry *new_dentry,
29239 ++ const struct dentry *parent_dentry,
29240 ++ const struct vfsmount *parent_mnt,
29241 ++ const int mode);
29242 ++__u32 gr_acl_handle_mkdir(const struct dentry *new_dentry,
29243 ++ const struct dentry *parent_dentry,
29244 ++ const struct vfsmount *parent_mnt);
29245 ++__u32 gr_acl_handle_rmdir(const struct dentry *dentry,
29246 ++ const struct vfsmount *mnt);
29247 ++void gr_handle_delete(const ino_t ino, const dev_t dev);
29248 ++__u32 gr_acl_handle_unlink(const struct dentry *dentry,
29249 ++ const struct vfsmount *mnt);
29250 ++__u32 gr_acl_handle_symlink(const struct dentry *new_dentry,
29251 ++ const struct dentry *parent_dentry,
29252 ++ const struct vfsmount *parent_mnt,
29253 ++ const char *from);
29254 ++__u32 gr_acl_handle_link(const struct dentry *new_dentry,
29255 ++ const struct dentry *parent_dentry,
29256 ++ const struct vfsmount *parent_mnt,
29257 ++ const struct dentry *old_dentry,
29258 ++ const struct vfsmount *old_mnt, const char *to);
29259 ++int gr_acl_handle_rename(struct dentry *new_dentry,
29260 ++ struct dentry *parent_dentry,
29261 ++ const struct vfsmount *parent_mnt,
29262 ++ struct dentry *old_dentry,
29263 ++ struct inode *old_parent_inode,
29264 ++ struct vfsmount *old_mnt, const char *newname);
29265 ++void gr_handle_rename(struct inode *old_dir, struct inode *new_dir,
29266 ++ struct dentry *old_dentry,
29267 ++ struct dentry *new_dentry,
29268 ++ struct vfsmount *mnt, const __u8 replace);
29269 ++__u32 gr_check_link(const struct dentry *new_dentry,
29270 ++ const struct dentry *parent_dentry,
29271 ++ const struct vfsmount *parent_mnt,
29272 ++ const struct dentry *old_dentry,
29273 ++ const struct vfsmount *old_mnt);
29274 ++int gr_acl_handle_filldir(const struct file *file, const char *name,
29275 ++ const unsigned int namelen, const ino_t ino);
29276 ++
29277 ++__u32 gr_acl_handle_unix(const struct dentry *dentry,
29278 ++ const struct vfsmount *mnt);
29279 ++void gr_acl_handle_exit(void);
29280 ++void gr_acl_handle_psacct(struct task_struct *task, const long code);
29281 ++int gr_acl_handle_procpidmem(const struct task_struct *task);
29282 ++__u32 gr_cap_rtnetlink(void);
29283 ++
29284 ++#ifdef CONFIG_SYSVIPC
29285 ++void gr_shm_exit(struct task_struct *task);
29286 ++#else
29287 ++static inline void gr_shm_exit(struct task_struct *task)
29288 ++{
29289 ++ return;
29290 ++}
29291 ++#endif
29292 ++
29293 ++#ifdef CONFIG_GRKERNSEC
29294 ++void gr_handle_mem_write(void);
29295 ++void gr_handle_kmem_write(void);
29296 ++void gr_handle_open_port(void);
29297 ++int gr_handle_mem_mmap(const unsigned long offset,
29298 ++ struct vm_area_struct *vma);
29299 ++
29300 ++extern int grsec_enable_dmesg;
29301 ++extern int grsec_enable_randsrc;
29302 ++extern int grsec_enable_shm;
29303 ++#endif
29304 ++
29305 ++#endif
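Review bot: Only the last block of this header (`gr_handle_mem_write`, `gr_handle_kmem_write`, `gr_handle_open_port`, `gr_handle_mem_mmap` and the three `grsec_enable_*` externs) sits under `#ifdef CONFIG_GRKERNSEC`, while every other prototype above it is declared unconditionally; if the call sites for those four functions are not themselves guarded, a kernel built without CONFIG_GRKERNSEC gets implicit-declaration warnings for exactly those symbols. Either the guard should go, matching the rest of the file, or an `#else` branch should supply `static inline` no-op stubs the way `gr_shm_exit` already does a few lines up; which is right depends on whether the definitions are compiled unconditionally, which I can't see from here. Also, `gr_check_protected_task`, `gr_acl_is_enabled`, `gr_roletype_to_char` and `extern int grsec_enable_shm` are declared both here and in grinternal.h, which this header does not include; duplicate prototypes are legal but invite drift, so each should have one home.
```c
#ifdef CONFIG_GRKERNSEC
void gr_handle_mem_write(void);
void gr_handle_kmem_write(void);
void gr_handle_open_port(void);
int gr_handle_mem_mmap(const unsigned long offset,
		       struct vm_area_struct *vma);
/* … unchanged: grsec_enable_dmesg / randsrc / shm externs … */
#else
static inline void gr_handle_mem_write(void) { }
static inline void gr_handle_kmem_write(void) { }
static inline void gr_handle_open_port(void) { }
static inline int gr_handle_mem_mmap(const unsigned long offset,
				     struct vm_area_struct *vma)
{
	return 0; /* TODO(review): confirm 0 is the "allowed" value the callers expect */
}
#endif
```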
29306 +diff -Nurp linux-2.6.23.15/include/linux/highmem.h linux-2.6.23.15-grsec/include/linux/highmem.h
29307 +--- linux-2.6.23.15/include/linux/highmem.h 2007-10-09 21:31:38.000000000 +0100
29308 ++++ linux-2.6.23.15-grsec/include/linux/highmem.h 2008-02-11 10:37:45.000000000 +0000
29309 +@@ -124,6 +124,13 @@ static inline void clear_highpage(struct
29310 + kunmap_atomic(kaddr, KM_USER0);
29311 + }
29312 +
29313 ++static inline void sanitize_highpage(struct page *page)
29314 ++{
29315 ++ void *kaddr = kmap_atomic(page, KM_CLEARPAGE);
29316 ++ clear_page(kaddr);
29317 ++ kunmap_atomic(kaddr, KM_CLEARPAGE);
29318 ++}
29319 ++
29320 + /*
29321 + * Same but also flushes aliased cache contents to RAM.
29322 + *
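Review bot: `sanitize_highpage` is identical to `clear_highpage` in the context above except for the kmap slot, and nothing in the hunk says why it needs `KM_CLEARPAGE` rather than `KM_USER0`, so a later reader will take it for a copy-paste and fold the two. A comment above it stating the calling context that forces a dedicated slot would prevent that, e.g. `/* PaX: clears a page on the free path, which may run while the freeing context already has KM_USER0 mapped, hence a slot of its own */` — the justification in that example is my guess, so word it from what the free-path hunk elsewhere in this patch actually does. `KM_CLEARPAGE` also has to exist in every architecture's km_type enum this kernel builds for; that is outside this hunk.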
29323 +@@ -132,14 +139,14 @@ static inline void clear_highpage(struct
29324 + */
29325 + #define zero_user_page(page, offset, size, km_type) \
29326 + do { \
29327 +- void *kaddr; \
29328 ++ void *__kaddr; \
29329 + \
29330 + BUG_ON((offset) + (size) > PAGE_SIZE); \
29331 + \
29332 +- kaddr = kmap_atomic(page, km_type); \
29333 +- memset((char *)kaddr + (offset), 0, (size)); \
29334 ++ __kaddr = kmap_atomic(page, km_type); \
29335 ++ memset((char *)__kaddr + (offset), 0, (size)); \
29336 + flush_dcache_page(page); \
29337 +- kunmap_atomic(kaddr, (km_type)); \
29338 ++ kunmap_atomic(__kaddr, (km_type)); \
29339 + } while (0)
29340 +
29341 + static inline void __deprecated memclear_highpage_flush(struct page *page,
29342 +diff -Nurp linux-2.6.23.15/include/linux/irqflags.h linux-2.6.23.15-grsec/include/linux/irqflags.h
29343 +--- linux-2.6.23.15/include/linux/irqflags.h 2007-10-09 21:31:38.000000000 +0100
29344 ++++ linux-2.6.23.15-grsec/include/linux/irqflags.h 2008-02-11 10:37:45.000000000 +0000
29345 +@@ -84,10 +84,10 @@
29346 +
29347 + #define irqs_disabled() \
29348 + ({ \
29349 +- unsigned long flags; \
29350 ++ unsigned long __flags; \
29351 + \
29352 +- raw_local_save_flags(flags); \
29353 +- raw_irqs_disabled_flags(flags); \
29354 ++ raw_local_save_flags(__flags); \
29355 ++ raw_irqs_disabled_flags(__flags); \
29356 + })
29357 +
29358 + #define irqs_disabled_flags(flags) raw_irqs_disabled_flags(flags)
29359 +diff -Nurp linux-2.6.23.15/include/linux/jbd.h linux-2.6.23.15-grsec/include/linux/jbd.h
29360 +--- linux-2.6.23.15/include/linux/jbd.h 2007-10-09 21:31:38.000000000 +0100
29361 ++++ linux-2.6.23.15-grsec/include/linux/jbd.h 2008-02-11 10:37:45.000000000 +0000
29362 +@@ -68,7 +68,7 @@ extern int journal_enable_debug;
29363 + } \
29364 + } while (0)
29365 + #else
29366 +-#define jbd_debug(f, a...) /**/
29367 ++#define jbd_debug(f, a...) do {} while (0)
29368 + #endif
29369 +
29370 + extern void * __jbd_kmalloc (const char *where, size_t size, gfp_t flags, int retry);
29371 +diff -Nurp linux-2.6.23.15/include/linux/jbd2.h linux-2.6.23.15-grsec/include/linux/jbd2.h
29372 +--- linux-2.6.23.15/include/linux/jbd2.h 2007-10-09 21:31:38.000000000 +0100
29373 ++++ linux-2.6.23.15-grsec/include/linux/jbd2.h 2008-02-11 10:37:45.000000000 +0000
29374 +@@ -68,7 +68,7 @@ extern u8 jbd2_journal_enable_debug;
29375 + } \
29376 + } while (0)
29377 + #else
29378 +-#define jbd_debug(f, a...) /**/
29379 ++#define jbd_debug(f, a...) do {} while (0)
29380 + #endif
29381 +
29382 + extern void * __jbd2_kmalloc (const char *where, size_t size, gfp_t flags, int retry);
29383 +diff -Nurp linux-2.6.23.15/include/linux/libata.h linux-2.6.23.15-grsec/include/linux/libata.h
29384 +--- linux-2.6.23.15/include/linux/libata.h 2008-02-11 10:36:03.000000000 +0000
29385 ++++ linux-2.6.23.15-grsec/include/linux/libata.h 2008-02-11 10:37:45.000000000 +0000
29386 +@@ -63,11 +63,11 @@
29387 + #ifdef ATA_VERBOSE_DEBUG
29388 + #define VPRINTK(fmt, args...) printk(KERN_ERR "%s: " fmt, __FUNCTION__, ## args)
29389 + #else
29390 +-#define VPRINTK(fmt, args...)
29391 ++#define VPRINTK(fmt, args...) do {} while (0)
29392 + #endif /* ATA_VERBOSE_DEBUG */
29393 + #else
29394 +-#define DPRINTK(fmt, args...)
29395 +-#define VPRINTK(fmt, args...)
29396 ++#define DPRINTK(fmt, args...) do {} while (0)
29397 ++#define VPRINTK(fmt, args...) do {} while (0)
29398 + #endif /* ATA_DEBUG */
29399 +
29400 + #define BPRINTK(fmt, args...) if (ap->flags & ATA_FLAG_DEBUGMSG) printk(KERN_ERR "%s: " fmt, __FUNCTION__, ## args)
29401 +diff -Nurp linux-2.6.23.15/include/linux/mm.h linux-2.6.23.15-grsec/include/linux/mm.h
29402 +--- linux-2.6.23.15/include/linux/mm.h 2007-10-09 21:31:38.000000000 +0100
29403 ++++ linux-2.6.23.15-grsec/include/linux/mm.h 2008-02-11 10:37:45.000000000 +0000
29404 +@@ -38,6 +38,7 @@ extern int sysctl_legacy_va_layout;
29405 + #include <asm/page.h>
29406 + #include <asm/pgtable.h>
29407 + #include <asm/processor.h>
29408 ++#include <asm/mman.h>
29409 +
29410 + #define nth_page(page,n) pfn_to_page(page_to_pfn((page)) + (n))
29411 +
29412 +@@ -111,6 +112,8 @@ struct vm_area_struct {
29413 + #ifdef CONFIG_NUMA
29414 + struct mempolicy *vm_policy; /* NUMA policy for the VMA */
29415 + #endif
29416 ++
29417 ++ struct vm_area_struct *vm_mirror;/* PaX: mirror vma or NULL */
29418 + };
29419 +
29420 + extern struct kmem_cache *vm_area_cachep;
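Review bot: The new `vm_mirror` pointer is added to struct vm_area_struct unconditionally, while the PaX vm_flags bits in the next hunk (VM_PAGEEXEC, VM_MAYNOTWRITE) are wrapped in CONFIG_PAX_* guards, so every vma grows by a pointer even on configurations that never mirror a vma. If mirroring is only used under one PaX option, as the later pax_mirror_vma/pax_find_mirror_vma declarations suggest, the field should sit under that same #ifdef so the default layout matches upstream. The comment `/* PaX: mirror vma or NULL */` also says nothing about who owns the pointer or under which lock it is read; the three pax_mirror_* prototypes added in the find_vma_prev hunk below carry no comment either, and one line there such as `/* mirror vma bookkeeping; pax_mirror_file_pte() is called with the page-table lock ptl held */` (hedged: the ptl parameter suggests this, the hunk does not show it) would document the contract.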
29421 +@@ -171,6 +174,14 @@ extern unsigned int kobjsize(const void
29422 +
29423 + #define VM_CAN_NONLINEAR 0x08000000 /* Has ->fault & does nonlinear pages */
29424 +
29425 ++#ifdef CONFIG_PAX_PAGEEXEC
29426 ++#define VM_PAGEEXEC 0x10000000 /* vma->vm_page_prot needs special handling */
29427 ++#endif
29428 ++
29429 ++#ifdef CONFIG_PAX_MPROTECT
29430 ++#define VM_MAYNOTWRITE 0x20000000 /* vma cannot be granted VM_WRITE any more */
29431 ++#endif
29432 ++
29433 + #ifndef VM_STACK_DEFAULT_FLAGS /* arch can override this */
29434 + #define VM_STACK_DEFAULT_FLAGS VM_DATA_DEFAULT_FLAGS
29435 + #endif
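Review bot: VM_PAGEEXEC 0x10000000 and VM_MAYNOTWRITE 0x20000000 occupy the two bits directly above VM_CAN_NONLINEAR 0x08000000, the highest upstream vm_flags bit visible in this hunk, and upstream grows the same space upward, so a future rebase can silently alias one of them with a new upstream flag. A comment such as `/* out-of-tree PaX bits: re-check against upstream VM_* additions on every rebase */` next to the definitions would make that hazard visible where it matters.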
29436 +@@ -862,6 +873,8 @@ struct shrinker {
29437 + extern void register_shrinker(struct shrinker *);
29438 + extern void unregister_shrinker(struct shrinker *);
29439 +
29440 ++pgprot_t vm_get_page_prot(unsigned long vm_flags);
29441 ++
29442 + int vma_wants_writenotify(struct vm_area_struct *vma);
29443 +
29444 + extern pte_t *FASTCALL(get_locked_pte(struct mm_struct *mm, unsigned long addr, spinlock_t **ptl));
29445 +@@ -1088,6 +1101,7 @@ out:
29446 + }
29447 +
29448 + extern int do_munmap(struct mm_struct *, unsigned long, size_t);
29449 ++extern int __do_munmap(struct mm_struct *, unsigned long, size_t);
29450 +
29451 + extern unsigned long do_brk(unsigned long, unsigned long);
29452 +
29453 +@@ -1142,6 +1156,10 @@ extern struct vm_area_struct * find_vma(
29454 + extern struct vm_area_struct * find_vma_prev(struct mm_struct * mm, unsigned long addr,
29455 + struct vm_area_struct **pprev);
29456 +
29457 ++extern struct vm_area_struct *pax_find_mirror_vma(struct vm_area_struct *vma);
29458 ++extern void pax_mirror_vma(struct vm_area_struct *vma_m, struct vm_area_struct *vma);
29459 ++extern void pax_mirror_file_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m, spinlock_t *ptl);
29460 ++
29461 + /* Look up the first VMA which intersects the interval start_addr..end_addr-1,
29462 + NULL if none. Assume start_addr < end_addr. */
29463 + static inline struct vm_area_struct * find_vma_intersection(struct mm_struct * mm, unsigned long start_addr, unsigned long end_addr)
29464 +@@ -1158,7 +1176,6 @@ static inline unsigned long vma_pages(st
29465 + return (vma->vm_end - vma->vm_start) >> PAGE_SHIFT;
29466 + }
29467 +
29468 +-pgprot_t vm_get_page_prot(unsigned long vm_flags);
29469 + struct vm_area_struct *find_extend_vma(struct mm_struct *, unsigned long addr);
29470 + struct page *vmalloc_to_page(void *addr);
29471 + unsigned long vmalloc_to_pfn(void *addr);
29472 +@@ -1218,5 +1235,11 @@ extern int randomize_va_space;
29473 +
29474 + const char * arch_vma_name(struct vm_area_struct *vma);
29475 +
29476 ++#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
29477 ++extern void track_exec_limit(struct mm_struct *mm, unsigned long start, unsigned long end, unsigned long prot);
29478 ++#else
29479 ++static inline void track_exec_limit(struct mm_struct *mm, unsigned long start, unsigned long end, unsigned long prot) {}
29480 ++#endif
29481 ++
29482 + #endif /* __KERNEL__ */
29483 + #endif /* _LINUX_MM_H */
29484 +diff -Nurp linux-2.6.23.15/include/linux/module.h linux-2.6.23.15-grsec/include/linux/module.h
29485 +--- linux-2.6.23.15/include/linux/module.h 2007-10-09 21:31:38.000000000 +0100
29486 ++++ linux-2.6.23.15-grsec/include/linux/module.h 2008-02-11 10:37:45.000000000 +0000
29487 +@@ -295,16 +295,16 @@ struct module
29488 + int (*init)(void);
29489 +
29490 + /* If this is non-NULL, vfree after init() returns */
29491 +- void *module_init;
29492 ++ void *module_init_rx, *module_init_rw;
29493 +
29494 + /* Here is the actual code + data, vfree'd on unload. */
29495 +- void *module_core;
29496 ++ void *module_core_rx, *module_core_rw;
29497 +
29498 + /* Here are the sizes of the init and core sections */
29499 +- unsigned long init_size, core_size;
29500 ++ unsigned long init_size_rw, core_size_rw;
29501 +
29502 + /* The size of the executable code in each section. */
29503 +- unsigned long init_text_size, core_text_size;
29504 ++ unsigned long init_size_rx, core_size_rx;
29505 +
29506 + /* The handle returned from unwind_add_table. */
29507 + void *unwind_info;
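Review bot: The comments above the split fields are now stale: `/* If this is non-NULL, vfree after init() returns */` describes a single pointer but now heads `module_init_rx, module_init_rw`, `/* Here are the sizes of the init and core sections */` heads only the rw sizes, and `/* The size of the executable code in each section. */` heads `init_size_rx, core_size_rx`. Rewrite them to say which mapping each pair covers, e.g. `/* Separate RX (code) and RW (data) allocations of the init section; both are vfree'd after init() returns */` and the equivalent for the core pair and the two size pairs. Renaming `module_core`/`core_text_size` rather than adding fields is a deliberate forcing function for every user, which is fine, but worth a line in the patch description.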
29508 +diff -Nurp linux-2.6.23.15/include/linux/moduleloader.h linux-2.6.23.15-grsec/include/linux/moduleloader.h
29509 +--- linux-2.6.23.15/include/linux/moduleloader.h 2007-10-09 21:31:38.000000000 +0100
29510 ++++ linux-2.6.23.15-grsec/include/linux/moduleloader.h 2008-02-11 10:37:45.000000000 +0000
29511 +@@ -17,9 +17,21 @@ int module_frob_arch_sections(Elf_Ehdr *
29512 + sections. Returns NULL on failure. */
29513 + void *module_alloc(unsigned long size);
29514 +
29515 ++#ifdef CONFIG_PAX_KERNEXEC
29516 ++void *module_alloc_exec(unsigned long size);
29517 ++#else
29518 ++#define module_alloc_exec(x) module_alloc(x)
29519 ++#endif
29520 ++
29521 + /* Free memory returned from module_alloc. */
29522 + void module_free(struct module *mod, void *module_region);
29523 +
29524 ++#ifdef CONFIG_PAX_KERNEXEC
29525 ++void module_free_exec(struct module *mod, void *module_region);
29526 ++#else
29527 ++#define module_free_exec(x, y) module_free(x, y)
29528 ++#endif
29529 ++
29530 + /* Apply the given relocation to the (simplified) ELF. Return -error
29531 + or 0. */
29532 + int apply_relocate(Elf_Shdr *sechdrs,
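Review bot: `/* Free memory returned from module_alloc. */` still documents only module_free; the new module_free_exec has no comment stating that it must be paired with module_alloc_exec (and module_free with module_alloc), which matters because the two allocators presumably return differently-protected memory under CONFIG_PAX_KERNEXEC. A line above the new #ifdef, `/* Free memory returned from module_alloc_exec(); without CONFIG_PAX_KERNEXEC this is module_free(). */`, and a matching one above module_alloc_exec would close the gap.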
29533 +diff -Nurp linux-2.6.23.15/include/linux/percpu.h linux-2.6.23.15-grsec/include/linux/percpu.h
29534 +--- linux-2.6.23.15/include/linux/percpu.h 2007-10-09 21:31:38.000000000 +0100
29535 ++++ linux-2.6.23.15-grsec/include/linux/percpu.h 2008-02-11 10:37:45.000000000 +0000
29536 +@@ -18,7 +18,7 @@
29537 + #endif
29538 +
29539 + #define PERCPU_ENOUGH_ROOM \
29540 +- (__per_cpu_end - __per_cpu_start + PERCPU_MODULE_RESERVE)
29541 ++ ((unsigned long)(__per_cpu_end - __per_cpu_start + PERCPU_MODULE_RESERVE))
29542 + #endif /* PERCPU_ENOUGH_ROOM */
29543 +
29544 + /*
29545 +diff -Nurp linux-2.6.23.15/include/linux/random.h linux-2.6.23.15-grsec/include/linux/random.h
29546 +--- linux-2.6.23.15/include/linux/random.h 2007-10-09 21:31:38.000000000 +0100
29547 ++++ linux-2.6.23.15-grsec/include/linux/random.h 2008-02-11 10:37:45.000000000 +0000
29548 +@@ -72,6 +72,11 @@ unsigned long randomize_range(unsigned l
29549 + u32 random32(void);
29550 + void srandom32(u32 seed);
29551 +
29552 ++static inline unsigned long pax_get_random_long(void)
29553 ++{
29554 ++ return random32() + (sizeof(long) > 4 ? (unsigned long)random32() << 32 : 0);
29555 ++}
29556 ++
29557 + #endif /* __KERNEL___ */
29558 +
29559 + #endif /* _LINUX_RANDOM_H */
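Review bot: On a 32-bit build the untaken branch `(unsigned long)random32() << 32` is a shift by the full width of unsigned long; it is never executed, but it is still compiled and draws a shift-count warning, so selecting the high half with `#if BITS_PER_LONG == 64` is cleaner than the `sizeof(long) > 4` runtime test. random32() is the kernel's non-cryptographic PRNG; if pax_get_random_long() is what feeds the delta_mmap/delta_stack randomization added to mm_struct in sched.h (not shown here), the helper should either draw from get_random_bytes() or carry a comment stating why the weaker generator is acceptable for layout randomization.
```c
static inline unsigned long pax_get_random_long(void)
{
	/* NOTE(review): random32() is not a CSPRNG; confirm this is acceptable for ASLR offsets */
#if BITS_PER_LONG == 64
	return random32() + ((unsigned long)random32() << 32);
#else
	return random32();
#endif
}
```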
29560 +diff -Nurp linux-2.6.23.15/include/linux/sched.h linux-2.6.23.15-grsec/include/linux/sched.h
29561 +--- linux-2.6.23.15/include/linux/sched.h 2008-02-11 10:36:03.000000000 +0000
29562 ++++ linux-2.6.23.15-grsec/include/linux/sched.h 2008-02-11 10:37:45.000000000 +0000
29563 +@@ -92,6 +92,7 @@ struct sched_param {
29564 + struct exec_domain;
29565 + struct futex_pi_state;
29566 + struct bio;
29567 ++struct linux_binprm;
29568 +
29569 + /*
29570 + * List of flags we want to share for kernel threads,
29571 +@@ -432,6 +433,24 @@ struct mm_struct {
29572 + /* aio bits */
29573 + rwlock_t ioctx_list_lock;
29574 + struct kioctx *ioctx_list;
29575 ++
29576 ++#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS) || defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
29577 ++ unsigned long pax_flags;
29578 ++#endif
29579 ++
29580 ++#ifdef CONFIG_PAX_DLRESOLVE
29581 ++ unsigned long call_dl_resolve;
29582 ++#endif
29583 ++
29584 ++#if defined(CONFIG_PPC32) && defined(CONFIG_PAX_EMUSIGRT)
29585 ++ unsigned long call_syscall;
29586 ++#endif
29587 ++
29588 ++#ifdef CONFIG_PAX_ASLR
29589 ++ unsigned long delta_mmap; /* randomized offset */
29590 ++ unsigned long delta_stack; /* randomized offset */
29591 ++#endif
29592 ++
29593 + };
29594 +
29595 + struct sighand_struct {
29596 +@@ -556,6 +575,15 @@ struct signal_struct {
29597 + unsigned audit_tty;
29598 + struct tty_audit_buf *tty_audit_buf;
29599 + #endif
29600 ++
29601 ++#ifdef CONFIG_GRKERNSEC
29602 ++ u32 curr_ip;
29603 ++ u32 gr_saddr;
29604 ++ u32 gr_daddr;
29605 ++ u16 gr_sport;
29606 ++ u16 gr_dport;
29607 ++ u8 used_accept:1;
29608 ++#endif
29609 + };
29610 +
29611 + /* Context switch must be unlocked if interrupts are to be enabled */
29612 +@@ -1017,8 +1045,8 @@ struct task_struct {
29613 + struct list_head thread_group;
29614 +
29615 + struct completion *vfork_done; /* for vfork() */
29616 +- int __user *set_child_tid; /* CLONE_CHILD_SETTID */
29617 +- int __user *clear_child_tid; /* CLONE_CHILD_CLEARTID */
29618 ++ pid_t __user *set_child_tid; /* CLONE_CHILD_SETTID */
29619 ++ pid_t __user *clear_child_tid; /* CLONE_CHILD_CLEARTID */
29620 +
29621 + unsigned int rt_priority;
29622 + cputime_t utime, stime;
29623 +@@ -1183,6 +1211,17 @@ struct task_struct {
29624 + struct list_head pi_state_list;
29625 + struct futex_pi_state *pi_state_cache;
29626 +
29627 ++#ifdef CONFIG_GRKERNSEC
29628 ++ /* grsecurity */
29629 ++ struct acl_subject_label *acl;
29630 ++ struct acl_role_label *role;
29631 ++ struct file *exec_file;
29632 ++ u16 acl_role_id;
29633 ++ u8 acl_sp_role:1;
29634 ++ u8 is_writable:1;
29635 ++ u8 brute:1;
29636 ++#endif
29637 ++
29638 + atomic_t fs_excl; /* holding fs exclusive resources */
29639 + struct rcu_head rcu;
29640 +
29641 +@@ -1198,6 +1237,46 @@ struct task_struct {
29642 + #endif
29643 + };
29644 +
29645 ++#define MF_PAX_PAGEEXEC 0x01000000 /* Paging based non-executable pages */
29646 ++#define MF_PAX_EMUTRAMP 0x02000000 /* Emulate trampolines */
29647 ++#define MF_PAX_MPROTECT 0x04000000 /* Restrict mprotect() */
29648 ++#define MF_PAX_RANDMMAP 0x08000000 /* Randomize mmap() base */
29649 ++/*#define MF_PAX_RANDEXEC 0x10000000*/ /* Randomize ET_EXEC base */
29650 ++#define MF_PAX_SEGMEXEC 0x20000000 /* Segmentation based non-executable pages */
29651 ++
29652 ++#ifdef CONFIG_PAX_SOFTMODE
29653 ++extern unsigned int pax_softmode;
29654 ++#endif
29655 ++
29656 ++extern int pax_check_flags(unsigned long *);
29657 ++
29658 ++/* if tsk != current then task_lock must be held on it */
29659 ++#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
29660 ++static inline unsigned long pax_get_flags(struct task_struct *tsk)
29661 ++{
29662 ++ if (likely(tsk->mm))
29663 ++ return tsk->mm->pax_flags;
29664 ++ else
29665 ++ return 0UL;
29666 ++}
29667 ++
29668 ++/* if tsk != current then task_lock must be held on it */
29669 ++static inline long pax_set_flags(struct task_struct *tsk, unsigned long flags)
29670 ++{
29671 ++ if (likely(tsk->mm)) {
29672 ++ tsk->mm->pax_flags = flags;
29673 ++ return 0;
29674 ++ }
29675 ++ return -EINVAL;
29676 ++}
29677 ++#endif
29678 ++
29679 ++#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
29680 ++extern void pax_set_initial_flags(struct linux_binprm *bprm);
29681 ++#elif defined(CONFIG_PAX_HOOK_ACL_FLAGS)
29682 ++extern void (*pax_set_initial_flags_func)(struct linux_binprm *bprm);
29683 ++#endif
29684 ++
29685 + /*
29686 + * Priority of a process goes from 0..MAX_PRIO-1, valid RT
29687 + * priority is 0..MAX_RT_PRIO-1, and SCHED_NORMAL/SCHED_BATCH
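Review bot: `/*#define MF_PAX_RANDEXEC 0x10000000*/` is commented-out code; if the bit must stay reserved so existing flag values keep their meaning, say so directly, `/* 0x10000000 reserved: former MF_PAX_RANDEXEC, do not reuse */`. The `pax_check_flags(unsigned long *)` prototype drops the parameter name unlike every other declaration in the hunk. pax_get_flags/pax_set_flags are static inline in a header included almost everywhere and touch tsk->mm->pax_flags with only the `/* if tsk != current then task_lock must be held on it */` line as a contract; repeating that requirement as a kernel-doc block on each function (rather than one comment shared by both) keeps it attached when the functions are later separated.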
29688 +@@ -1831,6 +1910,12 @@ extern void arch_pick_mmap_layout(struct
29689 + static inline void arch_pick_mmap_layout(struct mm_struct *mm)
29690 + {
29691 + mm->mmap_base = TASK_UNMAPPED_BASE;
29692 ++
29693 ++#ifdef CONFIG_PAX_RANDMMAP
29694 ++ if (mm->pax_flags & MF_PAX_RANDMMAP)
29695 ++ mm->mmap_base += mm->delta_mmap;
29696 ++#endif
29697 ++
29698 + mm->get_unmapped_area = arch_get_unmapped_area;
29699 + mm->unmap_area = arch_unmap_area;
29700 + }
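Review bot: `mm->delta_mmap` is declared only under CONFIG_PAX_ASLR in the mm_struct hunk above, but here it is read under CONFIG_PAX_RANDMMAP, so this compiles only if Kconfig makes RANDMMAP imply ASLR, which this patch does not show. Either guard the read with `#if defined(CONFIG_PAX_RANDMMAP) && defined(CONFIG_PAX_ASLR)` or add `/* delta_mmap exists only under CONFIG_PAX_ASLR, which RANDMMAP requires */` so the dependency is visible at the use site.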
29701 +diff -Nurp linux-2.6.23.15/include/linux/screen_info.h linux-2.6.23.15-grsec/include/linux/screen_info.h
29702 +--- linux-2.6.23.15/include/linux/screen_info.h 2007-10-09 21:31:38.000000000 +0100
29703 ++++ linux-2.6.23.15-grsec/include/linux/screen_info.h 2008-02-11 10:37:45.000000000 +0000
29704 +@@ -42,7 +42,8 @@ struct screen_info {
29705 + u16 pages; /* 0x32 */
29706 + u16 vesa_attributes; /* 0x34 */
29707 + u32 capabilities; /* 0x36 */
29708 +- u8 _reserved[6]; /* 0x3a */
29709 ++ u16 vesapm_size; /* 0x3a */
29710 ++ u8 _reserved[4]; /* 0x3c */
29711 + } __attribute__((packed));
29712 +
29713 + extern struct screen_info screen_info;
29714 +diff -Nurp linux-2.6.23.15/include/linux/security.h linux-2.6.23.15-grsec/include/linux/security.h
29715 +--- linux-2.6.23.15/include/linux/security.h 2007-10-09 21:31:38.000000000 +0100
29716 ++++ linux-2.6.23.15-grsec/include/linux/security.h 2008-02-11 10:37:45.000000000 +0000
29717 +@@ -2796,7 +2796,7 @@ static inline struct dentry *securityfs_
29718 + mode_t mode,
29719 + struct dentry *parent,
29720 + void *data,
29721 +- struct file_operations *fops)
29722 ++ const struct file_operations *fops)
29723 + {
29724 + return ERR_PTR(-ENODEV);
29725 + }
29726 +diff -Nurp linux-2.6.23.15/include/linux/shm.h linux-2.6.23.15-grsec/include/linux/shm.h
29727 +--- linux-2.6.23.15/include/linux/shm.h 2007-10-09 21:31:38.000000000 +0100
29728 ++++ linux-2.6.23.15-grsec/include/linux/shm.h 2008-02-11 10:37:45.000000000 +0000
29729 +@@ -86,6 +86,10 @@ struct shmid_kernel /* private to the ke
29730 + pid_t shm_cprid;
29731 + pid_t shm_lprid;
29732 + struct user_struct *mlock_user;
29733 ++#ifdef CONFIG_GRKERNSEC
29734 ++ time_t shm_createtime;
29735 ++ pid_t shm_lapid;
29736 ++#endif
29737 + };
29738 +
29739 + /* shm_mode upper byte flags */
29740 +diff -Nurp linux-2.6.23.15/include/linux/skbuff.h linux-2.6.23.15-grsec/include/linux/skbuff.h
29741 +--- linux-2.6.23.15/include/linux/skbuff.h 2008-02-11 10:36:03.000000000 +0000
29742 ++++ linux-2.6.23.15-grsec/include/linux/skbuff.h 2008-02-11 10:37:45.000000000 +0000
29743 +@@ -385,7 +385,7 @@ extern void skb_truesize_bug(struc
29744 +
29745 + static inline void skb_truesize_check(struct sk_buff *skb)
29746 + {
29747 +- if (unlikely((int)skb->truesize < sizeof(struct sk_buff) + skb->len))
29748 ++ if (unlikely(skb->truesize < sizeof(struct sk_buff) + skb->len))
29749 + skb_truesize_bug(skb);
29750 + }
29751 +
29752 +diff -Nurp linux-2.6.23.15/include/linux/sysctl.h linux-2.6.23.15-grsec/include/linux/sysctl.h
29753 +--- linux-2.6.23.15/include/linux/sysctl.h 2008-02-11 10:36:24.000000000 +0000
29754 ++++ linux-2.6.23.15-grsec/include/linux/sysctl.h 2008-02-11 10:37:45.000000000 +0000
29755 +@@ -168,9 +168,22 @@ enum
29756 + #ifdef CONFIG_ALPHA_UAC_SYSCTL
29757 + KERN_UAC_POLICY=78, /* int: Alpha unaligned access control policy flags */
29758 + #endif /* CONFIG_ALPHA_UAC_SYSCTL */
29759 +-};
29760 +
29761 ++#ifdef CONFIG_GRKERNSEC
29762 ++ KERN_GRSECURITY=98, /* grsecurity */
29763 ++#endif
29764 ++
29765 ++#ifdef CONFIG_PAX_SOFTMODE
29766 ++ KERN_PAX=99, /* PaX control */
29767 ++#endif
29768 ++
29769 ++};
29770 +
29771 ++#ifdef CONFIG_PAX_SOFTMODE
29772 ++enum {
29773 ++ PAX_SOFTMODE=1 /* PaX: disable/enable soft mode */
29774 ++};
29775 ++#endif
29776 +
29777 + /* CTL_VM names: */
29778 + enum
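Review bot: KERN_GRSECURITY=98 and KERN_PAX=99 are added to the binary sysctl enum, whose numeric values are a user-visible ABI via sysctl(2), and nothing in the hunk records why these two numbers are believed free of upstream use. A comment such as `/* 98 and 99 are out-of-tree; re-check against upstream KERN_* on every rebase */` above the new block would make that assumption explicit. The blank line that used to follow the old `};` now sits inside the enum before the #ifdef CONFIG_GRKERNSEC block and could be dropped.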
29779 +diff -Nurp linux-2.6.23.15/include/linux/uaccess.h linux-2.6.23.15-grsec/include/linux/uaccess.h
29780 +--- linux-2.6.23.15/include/linux/uaccess.h 2007-10-09 21:31:38.000000000 +0100
29781 ++++ linux-2.6.23.15-grsec/include/linux/uaccess.h 2008-02-11 10:37:45.000000000 +0000
29782 +@@ -76,11 +76,11 @@ static inline unsigned long __copy_from_
29783 + long ret; \
29784 + mm_segment_t old_fs = get_fs(); \
29785 + \
29786 +- set_fs(KERNEL_DS); \
29787 + pagefault_disable(); \
29788 ++ set_fs(KERNEL_DS); \
29789 + ret = __get_user(retval, (__force typeof(retval) __user *)(addr)); \
29790 +- pagefault_enable(); \
29791 + set_fs(old_fs); \
29792 ++ pagefault_enable(); \
29793 + ret; \
29794 + })
29795 +
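Review bot: The reorder nests the set_fs(KERNEL_DS)/set_fs(old_fs) pair strictly inside the pagefault_disable()/pagefault_enable() pair, but nothing in the hunk says why, so a later cleanup could swap the calls back. A comment above `pagefault_disable();`, `/* keep the KERNEL_DS window strictly inside the pagefault-disabled region */`, would preserve the intent (the reason is inferred from the new ordering, not stated in the patch). The enclosing macro's name and head are outside the hunk.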
29796 +diff -Nurp linux-2.6.23.15/include/linux/udf_fs.h linux-2.6.23.15-grsec/include/linux/udf_fs.h
29797 +--- linux-2.6.23.15/include/linux/udf_fs.h 2007-10-09 21:31:38.000000000 +0100
29798 ++++ linux-2.6.23.15-grsec/include/linux/udf_fs.h 2008-02-11 10:37:45.000000000 +0000
29799 +@@ -45,7 +45,7 @@
29800 + printk (f, ##a); \
29801 + }
29802 + #else
29803 +-#define udf_debug(f, a...) /**/
29804 ++#define udf_debug(f, a...) do {} while (0)
29805 + #endif
29806 +
29807 + #define udf_info(f, a...) \
29808 +diff -Nurp linux-2.6.23.15/include/net/sctp/sctp.h linux-2.6.23.15-grsec/include/net/sctp/sctp.h
29809 +--- linux-2.6.23.15/include/net/sctp/sctp.h 2007-10-09 21:31:38.000000000 +0100
29810 ++++ linux-2.6.23.15-grsec/include/net/sctp/sctp.h 2008-02-11 10:37:45.000000000 +0000
29811 +@@ -317,8 +317,8 @@ extern int sctp_debug_flag;
29812 +
29813 + #else /* SCTP_DEBUG */
29814 +
29815 +-#define SCTP_DEBUG_PRINTK(whatever...)
29816 +-#define SCTP_DEBUG_PRINTK_IPADDR(whatever...)
29817 ++#define SCTP_DEBUG_PRINTK(whatever...) do {} while (0)
29818 ++#define SCTP_DEBUG_PRINTK_IPADDR(whatever...) do {} while (0)
29819 + #define SCTP_ENABLE_DEBUG
29820 + #define SCTP_DISABLE_DEBUG
29821 + #define SCTP_ASSERT(expr, str, func)
29822 +diff -Nurp linux-2.6.23.15/include/sound/core.h linux-2.6.23.15-grsec/include/sound/core.h
29823 +--- linux-2.6.23.15/include/sound/core.h 2007-10-09 21:31:38.000000000 +0100
29824 ++++ linux-2.6.23.15-grsec/include/sound/core.h 2008-02-11 10:37:45.000000000 +0000
29825 +@@ -396,9 +396,9 @@ void snd_verbose_printd(const char *file
29826 +
29827 + #else /* !CONFIG_SND_DEBUG */
29828 +
29829 +-#define snd_printd(fmt, args...) /* nothing */
29830 ++#define snd_printd(fmt, args...) do {} while (0)
29831 + #define snd_assert(expr, args...) (void)(expr)
29832 +-#define snd_BUG() /* nothing */
29833 ++#define snd_BUG() do {} while (0)
29834 +
29835 + #endif /* CONFIG_SND_DEBUG */
29836 +
29837 +@@ -412,7 +412,7 @@ void snd_verbose_printd(const char *file
29838 + */
29839 + #define snd_printdd(format, args...) snd_printk(format, ##args)
29840 + #else
29841 +-#define snd_printdd(format, args...) /* nothing */
29842 ++#define snd_printdd(format, args...) do {} while (0)
29843 + #endif
29844 +
29845 +
29846 +diff -Nurp linux-2.6.23.15/init/Kconfig linux-2.6.23.15-grsec/init/Kconfig
29847 +--- linux-2.6.23.15/init/Kconfig 2007-10-09 21:31:38.000000000 +0100
29848 ++++ linux-2.6.23.15-grsec/init/Kconfig 2008-02-11 10:37:45.000000000 +0000
29849 +@@ -384,6 +384,7 @@ config SYSCTL_SYSCALL
29850 + config KALLSYMS
29851 + bool "Load all symbols for debugging/ksymoops" if EMBEDDED
29852 + default y
29853 ++ depends on !GRKERNSEC_HIDESYM
29854 + help
29855 + Say Y here to let the kernel print out symbolic crash information and
29856 + symbolic stack backtraces. This increases the size of the kernel
29857 +diff -Nurp linux-2.6.23.15/init/do_mounts.c linux-2.6.23.15-grsec/init/do_mounts.c
29858 +--- linux-2.6.23.15/init/do_mounts.c 2007-10-09 21:31:38.000000000 +0100
29859 ++++ linux-2.6.23.15-grsec/init/do_mounts.c 2008-02-11 10:37:45.000000000 +0000
29860 +@@ -68,11 +68,12 @@ static dev_t try_name(char *name, int pa
29861 +
29862 + /* read device number from .../dev */
29863 +
29864 +- sprintf(path, "/sys/block/%s/dev", name);
29865 +- fd = sys_open(path, 0, 0);
29866 ++ if (sizeof path <= snprintf(path, sizeof path, "/sys/block/%s/dev", name))
29867 ++ goto fail;
29868 ++ fd = sys_open((char __user *)path, 0, 0);
29869 + if (fd < 0)
29870 + goto fail;
29871 +- len = sys_read(fd, buf, 32);
29872 ++ len = sys_read(fd, (char __user *)buf, 32);
29873 + sys_close(fd);
29874 + if (len <= 0 || len == 32 || buf[len - 1] != '\n')
29875 + goto fail;
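Review bot: `if (sizeof path <= snprintf(path, sizeof path, "/sys/block/%s/dev", name))` compares a size_t with snprintf's int return and reads as a reversed condition, so the truncation check is harder to verify than it needs to be; `int n = snprintf(path, sizeof path, "/sys/block/%s/dev", name); if (n < 0 || (size_t)n >= sizeof path) goto fail;` states it plainly. The same construct appears in the next hunk for `.../range`. The `(char __user *)` casts on kernel-stack buffers are annotation-only and are correct only because this early-boot code runs under KERNEL_DS, which the hunk does not show; one comment at the top of try_name recording that assumption would save the next reader the check. try_name's head is outside the hunk.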
29876 +@@ -98,11 +99,12 @@ static dev_t try_name(char *name, int pa
29877 + return res;
29878 +
29879 + /* otherwise read range from .../range */
29880 +- sprintf(path, "/sys/block/%s/range", name);
29881 +- fd = sys_open(path, 0, 0);
29882 ++ if (sizeof path <= snprintf(path, sizeof path, "/sys/block/%s/range", name))
29883 ++ goto fail;
29884 ++ fd = sys_open((char __user *)path, 0, 0);
29885 + if (fd < 0)
29886 + goto fail;
29887 +- len = sys_read(fd, buf, 32);
29888 ++ len = sys_read(fd, (char __user *)buf, 32);
29889 + sys_close(fd);
29890 + if (len <= 0 || len == 32 || buf[len - 1] != '\n')
29891 + goto fail;
29892 +@@ -145,8 +147,8 @@ dev_t name_to_dev_t(char *name)
29893 + int part;
29894 +
29895 + #ifdef CONFIG_SYSFS
29896 +- int mkdir_err = sys_mkdir("/sys", 0700);
29897 +- if (sys_mount("sysfs", "/sys", "sysfs", 0, NULL) < 0)
29898 ++ int mkdir_err = sys_mkdir((char __user *)"/sys", 0700);
29899 ++ if (sys_mount((char __user *)"sysfs", (char __user *)"/sys", (char __user *)"sysfs", 0, NULL) < 0)
29900 + goto out;
29901 + #endif
29902 +
29903 +@@ -198,10 +200,10 @@ dev_t name_to_dev_t(char *name)
29904 + res = try_name(s, part);
29905 + done:
29906 + #ifdef CONFIG_SYSFS
29907 +- sys_umount("/sys", 0);
29908 ++ sys_umount((char __user *)"/sys", 0);
29909 + out:
29910 + if (!mkdir_err)
29911 +- sys_rmdir("/sys");
29912 ++ sys_rmdir((char __user *)"/sys");
29913 + #endif
29914 + return res;
29915 + fail:
29916 +@@ -281,11 +283,11 @@ static void __init get_fs_names(char *pa
29917 +
29918 + static int __init do_mount_root(char *name, char *fs, int flags, void *data)
29919 + {
29920 +- int err = sys_mount(name, "/root", fs, flags, data);
29921 ++ int err = sys_mount((char __user *)name, (char __user *)"/root", (char __user *)fs, flags, (void __user *)data);
29922 + if (err)
29923 + return err;
29924 +
29925 +- sys_chdir("/root");
29926 ++ sys_chdir((char __user *)"/root");
29927 + ROOT_DEV = current->fs->pwdmnt->mnt_sb->s_dev;
29928 + printk("VFS: Mounted root (%s filesystem)%s.\n",
29929 + current->fs->pwdmnt->mnt_sb->s_type->name,
29930 +@@ -371,18 +373,18 @@ void __init change_floppy(char *fmt, ...
29931 + va_start(args, fmt);
29932 + vsprintf(buf, fmt, args);
29933 + va_end(args);
29934 +- fd = sys_open("/dev/root", O_RDWR | O_NDELAY, 0);
29935 ++ fd = sys_open((char __user *)"/dev/root", O_RDWR | O_NDELAY, 0);
29936 + if (fd >= 0) {
29937 + sys_ioctl(fd, FDEJECT, 0);
29938 + sys_close(fd);
29939 + }
29940 + printk(KERN_NOTICE "VFS: Insert %s and press ENTER\n", buf);
29941 +- fd = sys_open("/dev/console", O_RDWR, 0);
29942 ++ fd = sys_open((char __user *)"/dev/console", O_RDWR, 0);
29943 + if (fd >= 0) {
29944 + sys_ioctl(fd, TCGETS, (long)&termios);
29945 + termios.c_lflag &= ~ICANON;
29946 + sys_ioctl(fd, TCSETSF, (long)&termios);
29947 +- sys_read(fd, &c, 1);
29948 ++ sys_read(fd, (char __user *)&c, 1);
29949 + termios.c_lflag |= ICANON;
29950 + sys_ioctl(fd, TCSETSF, (long)&termios);
29951 + sys_close(fd);
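Review bot: The context line `vsprintf(buf, fmt, args);` just above the first change is still an unbounded write into buf while the hunk only annotates the sys_open/sys_read calls around it. If buf is a fixed-size array (its declaration is outside the hunk), `vsnprintf(buf, sizeof buf, fmt, args);` bounds it at no cost and would fit naturally in a patch that already converts sprintf to snprintf in try_name. change_floppy's head is outside the hunk.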
29952 +@@ -468,8 +470,8 @@ void __init prepare_namespace(void)
29953 +
29954 + mount_root();
29955 + out:
29956 +- sys_mount(".", "/", NULL, MS_MOVE, NULL);
29957 +- sys_chroot(".");
29958 ++ sys_mount((char __user *)".", (char __user *)"/", NULL, MS_MOVE, NULL);
29959 ++ sys_chroot((char __user *)".");
29960 + security_sb_post_mountroot();
29961 + }
29962 +
29963 +diff -Nurp linux-2.6.23.15/init/do_mounts.h linux-2.6.23.15-grsec/init/do_mounts.h
29964 +--- linux-2.6.23.15/init/do_mounts.h 2007-10-09 21:31:38.000000000 +0100
29965 ++++ linux-2.6.23.15-grsec/init/do_mounts.h 2008-02-11 10:37:45.000000000 +0000
29966 +@@ -15,15 +15,15 @@ extern char *root_device_name;
29967 +
29968 + static inline int create_dev(char *name, dev_t dev)
29969 + {
29970 +- sys_unlink(name);
29971 +- return sys_mknod(name, S_IFBLK|0600, new_encode_dev(dev));
29972 ++ sys_unlink((char __user *)name);
29973 ++ return sys_mknod((char __user *)name, S_IFBLK|0600, new_encode_dev(dev));
29974 + }
29975 +
29976 + #if BITS_PER_LONG == 32
29977 + static inline u32 bstat(char *name)
29978 + {
29979 + struct stat64 stat;
29980 +- if (sys_stat64(name, &stat) != 0)
29981 ++ if (sys_stat64((char __user *)name, (struct stat64 __user *)&stat) != 0)
29982 + return 0;
29983 + if (!S_ISBLK(stat.st_mode))
29984 + return 0;
29985 +diff -Nurp linux-2.6.23.15/init/do_mounts_md.c linux-2.6.23.15-grsec/init/do_mounts_md.c
29986 +--- linux-2.6.23.15/init/do_mounts_md.c 2007-10-09 21:31:38.000000000 +0100
29987 ++++ linux-2.6.23.15-grsec/init/do_mounts_md.c 2008-02-11 10:37:45.000000000 +0000
29988 +@@ -167,7 +167,7 @@ static void __init md_setup_drive(void)
29989 + partitioned ? "_d" : "", minor,
29990 + md_setup_args[ent].device_names);
29991 +
29992 +- fd = sys_open(name, 0, 0);
29993 ++ fd = sys_open((char __user *)name, 0, 0);
29994 + if (fd < 0) {
29995 + printk(KERN_ERR "md: open failed - cannot start "
29996 + "array %s\n", name);
29997 +@@ -230,7 +230,7 @@ static void __init md_setup_drive(void)
29998 + * array without it
29999 + */
30000 + sys_close(fd);
30001 +- fd = sys_open(name, 0, 0);
30002 ++ fd = sys_open((char __user *)name, 0, 0);
30003 + sys_ioctl(fd, BLKRRPART, 0);
30004 + }
30005 + sys_close(fd);
30006 +@@ -271,7 +271,7 @@ void __init md_run_setup(void)
30007 + if (raid_noautodetect)
30008 + printk(KERN_INFO "md: Skipping autodetection of RAID arrays. (raid=noautodetect)\n");
30009 + else {
30010 +- int fd = sys_open("/dev/md0", 0, 0);
30011 ++ int fd = sys_open((char __user *)"/dev/md0", 0, 0);
30012 + if (fd >= 0) {
30013 + sys_ioctl(fd, RAID_AUTORUN, raid_autopart);
30014 + sys_close(fd);
30015 +diff -Nurp linux-2.6.23.15/init/initramfs.c linux-2.6.23.15-grsec/init/initramfs.c
30016 +--- linux-2.6.23.15/init/initramfs.c 2007-10-09 21:31:38.000000000 +0100
30017 ++++ linux-2.6.23.15-grsec/init/initramfs.c 2008-02-11 10:37:45.000000000 +0000
30018 +@@ -240,7 +240,7 @@ static int __init maybe_link(void)
30019 + if (nlink >= 2) {
30020 + char *old = find_link(major, minor, ino, mode, collected);
30021 + if (old)
30022 +- return (sys_link(old, collected) < 0) ? -1 : 1;
30023 ++ return (sys_link((char __user *)old, (char __user *)collected) < 0) ? -1 : 1;
30024 + }
30025 + return 0;
30026 + }
30027 +@@ -249,11 +249,11 @@ static void __init clean_path(char *path
30028 + {
30029 + struct stat st;
30030 +
30031 +- if (!sys_newlstat(path, &st) && (st.st_mode^mode) & S_IFMT) {
30032 ++ if (!sys_newlstat((char __user *)path, (struct stat __user *)&st) && (st.st_mode^mode) & S_IFMT) {
30033 + if (S_ISDIR(st.st_mode))
30034 +- sys_rmdir(path);
30035 ++ sys_rmdir((char __user *)path);
30036 + else
30037 +- sys_unlink(path);
30038 ++ sys_unlink((char __user *)path);
30039 + }
30040 + }
30041 +
30042 +@@ -276,7 +276,7 @@ static int __init do_name(void)
30043 + int openflags = O_WRONLY|O_CREAT;
30044 + if (ml != 1)
30045 + openflags |= O_TRUNC;
30046 +- wfd = sys_open(collected, openflags, mode);
30047 ++ wfd = sys_open((char __user *)collected, openflags, mode);
30048 +
30049 + if (wfd >= 0) {
30050 + sys_fchown(wfd, uid, gid);
30051 +@@ -285,15 +285,15 @@ static int __init do_name(void)
30052 + }
30053 + }
30054 + } else if (S_ISDIR(mode)) {
30055 +- sys_mkdir(collected, mode);
30056 +- sys_chown(collected, uid, gid);
30057 +- sys_chmod(collected, mode);
30058 ++ sys_mkdir((char __user *)collected, mode);
30059 ++ sys_chown((char __user *)collected, uid, gid);
30060 ++ sys_chmod((char __user *)collected, mode);
30061 + } else if (S_ISBLK(mode) || S_ISCHR(mode) ||
30062 + S_ISFIFO(mode) || S_ISSOCK(mode)) {
30063 + if (maybe_link() == 0) {
30064 +- sys_mknod(collected, mode, rdev);
30065 +- sys_chown(collected, uid, gid);
30066 +- sys_chmod(collected, mode);
30067 ++ sys_mknod((char __user *)collected, mode, rdev);
30068 ++ sys_chown((char __user *)collected, uid, gid);
30069 ++ sys_chmod((char __user *)collected, mode);
30070 + }
30071 + }
30072 + return 0;
30073 +@@ -302,13 +302,13 @@ static int __init do_name(void)
30074 + static int __init do_copy(void)
30075 + {
30076 + if (count >= body_len) {
30077 +- sys_write(wfd, victim, body_len);
30078 ++ sys_write(wfd, (char __user *)victim, body_len);
30079 + sys_close(wfd);
30080 + eat(body_len);
30081 + state = SkipIt;
30082 + return 0;
30083 + } else {
30084 +- sys_write(wfd, victim, count);
30085 ++ sys_write(wfd, (char __user *)victim, count);
30086 + body_len -= count;
30087 + eat(count);
30088 + return 1;
30089 +@@ -319,8 +319,8 @@ static int __init do_symlink(void)
30090 + {
30091 + collected[N_ALIGN(name_len) + body_len] = '\0';
30092 + clean_path(collected, 0);
30093 +- sys_symlink(collected + N_ALIGN(name_len), collected);
30094 +- sys_lchown(collected, uid, gid);
30095 ++ sys_symlink((char __user *)collected + N_ALIGN(name_len), (char __user *)collected);
30096 ++ sys_lchown((char __user *)collected, uid, gid);
30097 + state = SkipIt;
30098 + next_state = Reset;
30099 + return 0;
30100 +diff -Nurp linux-2.6.23.15/init/main.c linux-2.6.23.15-grsec/init/main.c
30101 +--- linux-2.6.23.15/init/main.c 2007-10-09 21:31:38.000000000 +0100
30102 ++++ linux-2.6.23.15-grsec/init/main.c 2008-02-11 10:37:45.000000000 +0000
30103 +@@ -107,6 +107,7 @@ static inline void mark_rodata_ro(void)
30104 + #ifdef CONFIG_TC
30105 + extern void tc_init(void);
30106 + #endif
30107 ++extern void grsecurity_init(void);
30108 +
30109 + enum system_states system_state;
30110 + EXPORT_SYMBOL(system_state);
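Review bot: `extern void grsecurity_init(void);` is a function prototype placed in a .c file; this same patch adds `#include <linux/grsecurity.h>` to ipc/msg.c, so the prototype belongs in that header and main.c should include it, keeping the declaration in one place. The `grsecurity_init();` call added in the kernel_init hunk below is unconditional, so a no-op definition must exist when CONFIG_GRKERNSEC is off, which this patch does not show; a comment at the call, `/* stub when CONFIG_GRKERNSEC is off */`, would state that assumption.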
30111 +@@ -193,6 +194,17 @@ static int __init set_reset_devices(char
30112 +
30113 + __setup("reset_devices", set_reset_devices);
30114 +
30115 ++#ifdef CONFIG_PAX_SOFTMODE
30116 ++unsigned int pax_softmode;
30117 ++
30118 ++static int __init setup_pax_softmode(char *str)
30119 ++{
30120 ++ get_option(&str, &pax_softmode);
30121 ++ return 1;
30122 ++}
30123 ++__setup("pax_softmode=", setup_pax_softmode);
30124 ++#endif
30125 ++
30126 + static char * argv_init[MAX_INIT_ARGS+2] = { "init", NULL, };
30127 + char * envp_init[MAX_INIT_ENVS+2] = { "HOME=/", "TERM=linux", NULL, };
30128 + static const char *panic_later, *panic_param;
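Review bot: `get_option(&str, &pax_softmode)` passes an `unsigned int *` where get_option takes `int *`, which is an incompatible-pointer-type warning, and its return value is ignored, so `pax_softmode=` with no number silently leaves the variable untouched. Parse into an int, check the return, and, if soft mode is a boolean switch as the `PAX_SOFTMODE` sysctl comment suggests, normalise to 0/1 so the boot parameter and the sysctl agree on the value space.
```c
static int __init setup_pax_softmode(char *str)
{
	int val;

	/* reject "pax_softmode=" with no number instead of leaving the default untouched */
	if (!get_option(&str, &val))
		return 0;
	pax_softmode = val ? 1 : 0;
	return 1;
}
```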
30129 +@@ -854,6 +866,8 @@ static int __init kernel_init(void * unu
30130 + prepare_namespace();
30131 + }
30132 +
30133 ++ grsecurity_init();
30134 ++
30135 + /*
30136 + * Ok, we have completed the initial bootup, and
30137 + * we're essentially up and running. Get rid of the
30138 +diff -Nurp linux-2.6.23.15/init/noinitramfs.c linux-2.6.23.15-grsec/init/noinitramfs.c
30139 +--- linux-2.6.23.15/init/noinitramfs.c 2007-10-09 21:31:38.000000000 +0100
30140 ++++ linux-2.6.23.15-grsec/init/noinitramfs.c 2008-02-11 10:37:45.000000000 +0000
30141 +@@ -29,7 +29,7 @@ static int __init default_rootfs(void)
30142 + {
30143 + int err;
30144 +
30145 +- err = sys_mkdir("/dev", 0755);
30146 ++ err = sys_mkdir((const char __user *)"/dev", 0755);
30147 + if (err < 0)
30148 + goto out;
30149 +
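Review bot: `(const char __user *)"/dev"` uses a different spelling from the `(char __user *)` casts applied to the same sys_mkdir call in do_mounts.c and initramfs.c within this patch; the const form matches sys_mkdir's `const char __user *` parameter and is the more accurate one, so the rest of the patch should be brought in line rather than this file changed. The second hunk for `/root` below has the same difference.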
30150 +@@ -39,7 +39,7 @@ static int __init default_rootfs(void)
30151 + if (err < 0)
30152 + goto out;
30153 +
30154 +- err = sys_mkdir("/root", 0700);
30155 ++ err = sys_mkdir((const char __user *)"/root", 0700);
30156 + if (err < 0)
30157 + goto out;
30158 +
30159 +diff -Nurp linux-2.6.23.15/ipc/ipc_sysctl.c linux-2.6.23.15-grsec/ipc/ipc_sysctl.c
30160 +--- linux-2.6.23.15/ipc/ipc_sysctl.c 2007-10-09 21:31:38.000000000 +0100
30161 ++++ linux-2.6.23.15-grsec/ipc/ipc_sysctl.c 2008-02-11 10:37:45.000000000 +0000
30162 +@@ -161,7 +161,7 @@ static struct ctl_table ipc_kern_table[]
30163 + .proc_handler = proc_ipc_dointvec,
30164 + .strategy = sysctl_ipc_data,
30165 + },
30166 +- {}
30167 ++ { 0, NULL, NULL, 0, 0, NULL, NULL, NULL, NULL, NULL, NULL }
30168 + };
30169 +
30170 + static struct ctl_table ipc_root_table[] = {
30171 +@@ -171,7 +171,7 @@ static struct ctl_table ipc_root_table[]
30172 + .mode = 0555,
30173 + .child = ipc_kern_table,
30174 + },
30175 +- {}
30176 ++ { 0, NULL, NULL, 0, 0, NULL, NULL, NULL, NULL, NULL, NULL }
30177 + };
30178 +
30179 + static int __init ipc_sysctl_init(void)
30180 +diff -Nurp linux-2.6.23.15/ipc/msg.c linux-2.6.23.15-grsec/ipc/msg.c
30181 +--- linux-2.6.23.15/ipc/msg.c 2007-10-09 21:31:38.000000000 +0100
30182 ++++ linux-2.6.23.15-grsec/ipc/msg.c 2008-02-11 10:37:45.000000000 +0000
30183 +@@ -36,6 +36,7 @@
30184 + #include <linux/seq_file.h>
30185 + #include <linux/mutex.h>
30186 + #include <linux/nsproxy.h>
30187 ++#include <linux/grsecurity.h>
30188 +
30189 + #include <asm/current.h>
30190 + #include <asm/uaccess.h>
30191 +@@ -286,6 +287,8 @@ asmlinkage long sys_msgget(key_t key, in
30192 + }
30193 + mutex_unlock(&msg_ids(ns).mutex);
30194 +
30195 ++ gr_log_msgget(ret, msgflg);
30196 ++
30197 + return ret;
30198 + }
30199 +
30200 +@@ -552,6 +555,7 @@ asmlinkage long sys_msgctl(int msqid, in
30201 + break;
30202 + }
30203 + case IPC_RMID:
30204 ++ gr_log_msgrm(ipcp->uid, ipcp->cuid);
30205 + freeque(ns, msq, msqid);
30206 + break;
30207 + }
30208 +diff -Nurp linux-2.6.23.15/ipc/sem.c linux-2.6.23.15-grsec/ipc/sem.c
30209 +--- linux-2.6.23.15/ipc/sem.c 2007-10-09 21:31:38.000000000 +0100
30210 ++++ linux-2.6.23.15-grsec/ipc/sem.c 2008-02-11 10:37:45.000000000 +0000
30211 +@@ -82,6 +82,7 @@
30212 + #include <linux/seq_file.h>
30213 + #include <linux/mutex.h>
30214 + #include <linux/nsproxy.h>
30215 ++#include <linux/grsecurity.h>
30216 +
30217 + #include <asm/uaccess.h>
30218 + #include "util.h"
30219 +@@ -293,6 +294,9 @@ asmlinkage long sys_semget (key_t key, i
30220 + }
30221 +
30222 + mutex_unlock(&sem_ids(ns).mutex);
30223 ++
30224 ++ gr_log_semget(err, semflg);
30225 ++
30226 + return err;
30227 + }
30228 +
30229 +@@ -894,6 +898,7 @@ static int semctl_down(struct ipc_namesp
30230 +
30231 + switch(cmd){
30232 + case IPC_RMID:
30233 ++ gr_log_semrm(ipcp->uid, ipcp->cuid);
30234 + freeary(ns, sma, semid);
30235 + err = 0;
30236 + break;
30237 +diff -Nurp linux-2.6.23.15/ipc/shm.c linux-2.6.23.15-grsec/ipc/shm.c
30238 +--- linux-2.6.23.15/ipc/shm.c 2007-10-09 21:31:38.000000000 +0100
30239 ++++ linux-2.6.23.15-grsec/ipc/shm.c 2008-02-11 10:37:45.000000000 +0000
30240 +@@ -38,6 +38,7 @@
30241 + #include <linux/mutex.h>
30242 + #include <linux/nsproxy.h>
30243 + #include <linux/mount.h>
30244 ++#include <linux/grsecurity.h>
30245 +
30246 + #include <asm/uaccess.h>
30247 +
30248 +@@ -77,6 +78,14 @@ static void shm_destroy (struct ipc_name
30249 + static int sysvipc_shm_proc_show(struct seq_file *s, void *it);
30250 + #endif
30251 +
30252 ++#ifdef CONFIG_GRKERNSEC
30253 ++extern int gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
30254 ++ const time_t shm_createtime, const uid_t cuid,
30255 ++ const int shmid);
30256 ++extern int gr_chroot_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
30257 ++ const time_t shm_createtime);
30258 ++#endif
30259 ++
30260 + static void __shm_init_ns(struct ipc_namespace *ns, struct ipc_ids *ids)
30261 + {
30262 + ns->ids[IPC_SHM_IDS] = ids;
30263 +@@ -89,6 +98,8 @@ static void __shm_init_ns(struct ipc_nam
30264 +
30265 + static void do_shm_rmid(struct ipc_namespace *ns, struct shmid_kernel *shp)
30266 + {
30267 ++ gr_log_shmrm(shp->shm_perm.uid, shp->shm_perm.cuid);
30268 ++
30269 + if (shp->shm_nattch){
30270 + shp->shm_perm.mode |= SHM_DEST;
30271 + /* Do not find it any more */
30272 +@@ -216,6 +227,17 @@ static void shm_close(struct vm_area_str
30273 + shp->shm_lprid = current->tgid;
30274 + shp->shm_dtim = get_seconds();
30275 + shp->shm_nattch--;
30276 ++#ifdef CONFIG_GRKERNSEC_SHM
30277 ++ if (grsec_enable_shm) {
30278 ++ if (shp->shm_nattch == 0) {
30279 ++ shp->shm_perm.mode |= SHM_DEST;
30280 ++ shm_destroy(ns, shp);
30281 ++ } else
30282 ++ shm_unlock(shp);
30283 ++ mutex_unlock(&shm_ids(ns).mutex);
30284 ++ return;
30285 ++ }
30286 ++#endif
30287 + if(shp->shm_nattch == 0 &&
30288 + shp->shm_perm.mode & SHM_DEST)
30289 + shm_destroy(ns, shp);
30290 +@@ -395,6 +417,9 @@ static int newseg (struct ipc_namespace
30291 + shp->shm_lprid = 0;
30292 + shp->shm_atim = shp->shm_dtim = 0;
30293 + shp->shm_ctim = get_seconds();
30294 ++#ifdef CONFIG_GRKERNSEC
30295 ++ shp->shm_createtime = get_seconds();
30296 ++#endif
30297 + shp->shm_segsz = size;
30298 + shp->shm_nattch = 0;
30299 + shp->id = shm_buildid(ns, id, shp->shm_perm.seq);
30300 +@@ -452,6 +477,8 @@ asmlinkage long sys_shmget (key_t key, s
30301 + }
30302 + mutex_unlock(&shm_ids(ns).mutex);
30303 +
30304 ++ gr_log_shmget(err, shmflg, size);
30305 ++
30306 + return err;
30307 + }
30308 +
30309 +@@ -905,9 +932,21 @@ long do_shmat(int shmid, char __user *sh
30310 + if (err)
30311 + goto out_unlock;
30312 +
30313 ++#ifdef CONFIG_GRKERNSEC
30314 ++ if (!gr_handle_shmat(shp->shm_cprid, shp->shm_lapid, shp->shm_createtime,
30315 ++ shp->shm_perm.cuid, shmid) ||
30316 ++ !gr_chroot_shmat(shp->shm_cprid, shp->shm_lapid, shp->shm_createtime)) {
30317 ++ err = -EACCES;
30318 ++ goto out_unlock;
30319 ++ }
30320 ++#endif
30321 ++
30322 + path.dentry = dget(shp->shm_file->f_path.dentry);
30323 + path.mnt = mntget(shp->shm_file->f_path.mnt);
30324 + shp->shm_nattch++;
30325 ++#ifdef CONFIG_GRKERNSEC
30326 ++ shp->shm_lapid = current->pid;
30327 ++#endif
30328 + size = i_size_read(path.dentry->d_inode);
30329 + shm_unlock(shp);
30330 +
30331 +@@ -1111,3 +1150,27 @@ static int sysvipc_shm_proc_show(struct
30332 + shp->shm_ctim);
30333 + }
30334 + #endif
30335 ++
30336 ++void gr_shm_exit(struct task_struct *task)
30337 ++{
30338 ++#ifdef CONFIG_GRKERNSEC_SHM
30339 ++ int i;
30340 ++ struct shmid_kernel *shp;
30341 ++ struct ipc_namespace *ns;
30342 ++
30343 ++ ns = current->nsproxy->ipc_ns;
30344 ++
30345 ++ if (!grsec_enable_shm)
30346 ++ return;
30347 ++
30348 ++ for (i = 0; i <= shm_ids(ns).max_id; i++) {
30349 ++ shp = shm_get(ns, i);
30350 ++ if (shp && (shp->shm_cprid == task->pid) &&
30351 ++ (shp->shm_nattch <= 0)) {
30352 ++ shp->shm_perm.mode |= SHM_DEST;
30353 ++ shm_destroy(ns, shp);
30354 ++ }
30355 ++ }
30356 ++#endif
30357 ++ return;
30358 ++}
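Review bot: gr_shm_exit walks the id table with `shm_get()` and calls `shm_destroy()` without taking `shm_ids(ns).mutex` or locking the segment, whereas the other new callers in this file (the shm_close branch above, which pairs `shm_destroy` with `shm_unlock` in the opposite arm and then drops the ids mutex, and do_shm_rmid) reach shm_destroy with both held. Unless shm_get locks the object, which its name suggests it does not, shm_destroy will release a lock that was never acquired here, and the table can change under the loop; the loop body should look like `shp = shm_lock(ns, i); if (!shp) continue; if (... match ...) { ...; shm_destroy(ns, shp); } else shm_unlock(shp);` under `mutex_lock(&shm_ids(ns).mutex)`. Separately, `ns` is taken from `current` while the match uses `task->pid`; that agrees only because do_exit passes `tsk == current`, so either use `task->nsproxy->ipc_ns` or document that the function must be called on current.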
30359 +diff -Nurp linux-2.6.23.15/kernel/acct.c linux-2.6.23.15-grsec/kernel/acct.c
30360 +--- linux-2.6.23.15/kernel/acct.c 2007-10-09 21:31:38.000000000 +0100
30361 ++++ linux-2.6.23.15-grsec/kernel/acct.c 2008-02-11 10:37:45.000000000 +0000
30362 +@@ -511,7 +511,7 @@ static void do_acct_process(struct file
30363 + */
30364 + flim = current->signal->rlim[RLIMIT_FSIZE].rlim_cur;
30365 + current->signal->rlim[RLIMIT_FSIZE].rlim_cur = RLIM_INFINITY;
30366 +- file->f_op->write(file, (char *)&ac,
30367 ++ file->f_op->write(file, (char __user *)&ac,
30368 + sizeof(acct_t), &file->f_pos);
30369 + current->signal->rlim[RLIMIT_FSIZE].rlim_cur = flim;
30370 + set_fs(fs);
30371 +diff -Nurp linux-2.6.23.15/kernel/capability.c linux-2.6.23.15-grsec/kernel/capability.c
30372 +--- linux-2.6.23.15/kernel/capability.c 2007-10-09 21:31:38.000000000 +0100
30373 ++++ linux-2.6.23.15-grsec/kernel/capability.c 2008-02-11 10:37:45.000000000 +0000
30374 +@@ -12,6 +12,7 @@
30375 + #include <linux/module.h>
30376 + #include <linux/security.h>
30377 + #include <linux/syscalls.h>
30378 ++#include <linux/grsecurity.h>
30379 + #include <asm/uaccess.h>
30380 +
30381 + unsigned securebits = SECUREBITS_DEFAULT; /* systemwide security settings */
30382 +@@ -236,14 +237,25 @@ out:
30383 + return ret;
30384 + }
30385 +
30386 ++extern int gr_task_is_capable(struct task_struct *task, const int cap);
30387 ++extern int gr_is_capable_nolog(const int cap);
30388 ++
30389 + int __capable(struct task_struct *t, int cap)
30390 + {
30391 +- if (security_capable(t, cap) == 0) {
30392 ++ if ((security_capable(t, cap) == 0) && gr_task_is_capable(t, cap)) {
30393 + t->flags |= PF_SUPERPRIV;
30394 + return 1;
30395 + }
30396 + return 0;
30397 + }
30398 ++int capable_nolog(int cap)
30399 ++{
30400 ++ if ((security_capable(current, cap) == 0) && gr_is_capable_nolog(cap)) {
30401 ++ current->flags |= PF_SUPERPRIV;
30402 ++ return 1;
30403 ++ }
30404 ++ return 0;
30405 ++}
30406 + EXPORT_SYMBOL(__capable);
30407 +
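Review bot: capable_nolog is inserted between `__capable` and its `EXPORT_SYMBOL(__capable)` line, which splits a definition from its export and makes the file harder to scan; move the new function below `EXPORT_SYMBOL(__capable)` next to `capable()`, whose shape it mirrors. It also duplicates the body of `__capable` with only the grsecurity hook swapped, so a reader has to diff the two by eye to see that the only difference is `gr_is_capable_nolog` versus `gr_task_is_capable`. A header comment such as `/* Like capable(), but the grsecurity side performs no audit logging on denial. */` would record the intent, assuming that is what "nolog" means here; the externs added above the function should live in a header rather than being redeclared per file.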
30408 + int capable(int cap)
30409 +@@ -251,3 +263,4 @@ int capable(int cap)
30410 + return __capable(current, cap);
30411 + }
30412 + EXPORT_SYMBOL(capable);
30413 ++EXPORT_SYMBOL(capable_nolog);
30414 +diff -Nurp linux-2.6.23.15/kernel/configs.c linux-2.6.23.15-grsec/kernel/configs.c
30415 +--- linux-2.6.23.15/kernel/configs.c 2007-10-09 21:31:38.000000000 +0100
30416 ++++ linux-2.6.23.15-grsec/kernel/configs.c 2008-02-11 10:37:45.000000000 +0000
30417 +@@ -79,8 +79,16 @@ static int __init ikconfig_init(void)
30418 + struct proc_dir_entry *entry;
30419 +
30420 + /* create the current config file */
30421 ++#ifdef CONFIG_GRKERNSEC_PROC_ADD
30422 ++#ifdef CONFIG_GRKERNSEC_PROC_USER
30423 ++ entry = create_proc_entry("config.gz", S_IFREG | S_IRUSR, &proc_root);
30424 ++#elif CONFIG_GRKERNSEC_PROC_USERGROUP
30425 ++ entry = create_proc_entry("config.gz", S_IFREG | S_IRUSR | S_IRGRP, &proc_root);
30426 ++#endif
30427 ++#else
30428 + entry = create_proc_entry("config.gz", S_IFREG | S_IRUGO,
30429 + &proc_root);
30430 ++#endif
30431 + if (!entry)
30432 + return -ENOMEM;
30433 +
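Review bot: Under `CONFIG_GRKERNSEC_PROC_ADD`, `entry` is only assigned in the `#ifdef CONFIG_GRKERNSEC_PROC_USER` and `#elif CONFIG_GRKERNSEC_PROC_USERGROUP` branches, so if neither sub-option is set the following `if (!entry)` reads an uninitialised pointer; the same shape appears in the kallsyms_init hunk of kernel/kallsyms.c. Kconfig may guarantee that one of the two is selected whenever PROC_ADD is, but that invariant is not visible here, and `#elif CONFIG_GRKERNSEC_PROC_USERGROUP` also trips -Wundef when the symbol is absent. Making the fallback explicit closes both: `#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)` for the second branch and an `#else` that falls through to the existing `S_IRUGO` call (or `#error`) instead of leaving `entry` unset.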
30434 +diff -Nurp linux-2.6.23.15/kernel/exit.c linux-2.6.23.15-grsec/kernel/exit.c
30435 +--- linux-2.6.23.15/kernel/exit.c 2008-02-11 10:36:03.000000000 +0000
30436 ++++ linux-2.6.23.15-grsec/kernel/exit.c 2008-02-11 10:37:45.000000000 +0000
30437 +@@ -45,6 +45,11 @@
30438 + #include <linux/blkdev.h>
30439 + #include <linux/task_io_accounting_ops.h>
30440 + #include <linux/freezer.h>
30441 ++#include <linux/grsecurity.h>
30442 ++
30443 ++#ifdef CONFIG_GRKERNSEC
30444 ++extern rwlock_t grsec_exec_file_lock;
30445 ++#endif
30446 +
30447 + #include <asm/uaccess.h>
30448 + #include <asm/unistd.h>
30449 +@@ -123,6 +128,7 @@ static void __exit_signal(struct task_st
30450 +
30451 + __unhash_process(tsk);
30452 +
30453 ++ gr_del_task_from_ip_table(tsk);
30454 + tsk->signal = NULL;
30455 + tsk->sighand = NULL;
30456 + spin_unlock(&sighand->siglock);
30457 +@@ -274,12 +280,23 @@ static void reparent_to_kthreadd(void)
30458 + {
30459 + write_lock_irq(&tasklist_lock);
30460 +
30461 ++#ifdef CONFIG_GRKERNSEC
30462 ++ write_lock(&grsec_exec_file_lock);
30463 ++ if (current->exec_file) {
30464 ++ fput(current->exec_file);
30465 ++ current->exec_file = NULL;
30466 ++ }
30467 ++ write_unlock(&grsec_exec_file_lock);
30468 ++#endif
30469 ++
30470 + ptrace_unlink(current);
30471 + /* Reparent to init */
30472 + remove_parent(current);
30473 + current->real_parent = current->parent = kthreadd_task;
30474 + add_parent(current);
30475 +
30476 ++ gr_set_kernel_label(current);
30477 ++
30478 + /* Set the exit signal to SIGCHLD so we signal init on exit */
30479 + current->exit_signal = SIGCHLD;
30480 +
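Review bot: The new block in reparent_to_kthreadd runs `fput(current->exec_file)` while `write_lock_irq(&tasklist_lock)` is held (the line just above it) and additionally inside `write_lock(&grsec_exec_file_lock)`; if this drops the last reference, the file's release path runs with interrupts off and a spinlock held, and release callbacks are generally allowed to sleep. Whether exec_file can be the last reference at this point is not visible in the hunk, but the same drop in the daemonize hunk below is done outside tasklist_lock, so the safer pattern is to detach under the lock and release after it: `struct file *f; write_lock(&grsec_exec_file_lock); f = current->exec_file; current->exec_file = NULL; write_unlock(&grsec_exec_file_lock);` and `fput(f)` after `write_unlock_irq(&tasklist_lock)`. Since the detach sequence is now duplicated in two functions, a small `static void gr_drop_exec_file(void)` helper would keep both call sites identical.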
30481 +@@ -374,6 +391,17 @@ void daemonize(const char *name, ...)
30482 + vsnprintf(current->comm, sizeof(current->comm), name, args);
30483 + va_end(args);
30484 +
30485 ++#ifdef CONFIG_GRKERNSEC
30486 ++ write_lock(&grsec_exec_file_lock);
30487 ++ if (current->exec_file) {
30488 ++ fput(current->exec_file);
30489 ++ current->exec_file = NULL;
30490 ++ }
30491 ++ write_unlock(&grsec_exec_file_lock);
30492 ++#endif
30493 ++
30494 ++ gr_set_kernel_label(current);
30495 ++
30496 + /*
30497 + * If we were started as result of loading a module, close all of the
30498 + * user space pages. We don't need them, and if we didn't close them
30499 +@@ -969,11 +997,15 @@ fastcall NORET_TYPE void do_exit(long co
30500 + tsk->exit_code = code;
30501 + taskstats_exit(tsk, group_dead);
30502 +
30503 ++ gr_acl_handle_psacct(tsk, code);
30504 ++ gr_acl_handle_exit();
30505 ++
30506 + exit_mm(tsk);
30507 +
30508 + if (group_dead)
30509 + acct_process();
30510 + exit_sem(tsk);
30511 ++ gr_shm_exit(tsk);
30512 + __exit_files(tsk);
30513 + __exit_fs(tsk);
30514 + check_stack_usage();
30515 +@@ -1174,7 +1206,7 @@ static int wait_task_zombie(struct task_
30516 + pid_t pid = p->pid;
30517 + uid_t uid = p->uid;
30518 + int exit_code = p->exit_code;
30519 +- int why, status;
30520 ++ int why;
30521 +
30522 + if (unlikely(p->exit_state != EXIT_ZOMBIE))
30523 + return 0;
30524 +diff -Nurp linux-2.6.23.15/kernel/fork.c linux-2.6.23.15-grsec/kernel/fork.c
30525 +--- linux-2.6.23.15/kernel/fork.c 2008-02-11 10:36:03.000000000 +0000
30526 ++++ linux-2.6.23.15-grsec/kernel/fork.c 2008-02-11 10:37:45.000000000 +0000
30527 +@@ -50,6 +50,7 @@
30528 + #include <linux/taskstats_kern.h>
30529 + #include <linux/random.h>
30530 + #include <linux/tty.h>
30531 ++#include <linux/grsecurity.h>
30532 +
30533 + #include <asm/pgtable.h>
30534 + #include <asm/pgalloc.h>
30535 +@@ -181,7 +182,7 @@ static struct task_struct *dup_task_stru
30536 + setup_thread_stack(tsk, orig);
30537 +
30538 + #ifdef CONFIG_CC_STACKPROTECTOR
30539 +- tsk->stack_canary = get_random_int();
30540 ++ tsk->stack_canary = pax_get_random_long();
30541 + #endif
30542 +
30543 + /* One for us, one for whoever does the "release_task()" (usually parent) */
30544 +@@ -203,6 +204,10 @@ static inline int dup_mmap(struct mm_str
30545 + unsigned long charge;
30546 + struct mempolicy *pol;
30547 +
30548 ++#ifdef CONFIG_PAX_SEGMEXEC
30549 ++ struct vm_area_struct *mpnt_m;
30550 ++#endif
30551 ++
30552 + down_write(&oldmm->mmap_sem);
30553 + flush_cache_dup_mm(oldmm);
30554 + /*
30555 +@@ -213,8 +218,8 @@ static inline int dup_mmap(struct mm_str
30556 + mm->locked_vm = 0;
30557 + mm->mmap = NULL;
30558 + mm->mmap_cache = NULL;
30559 +- mm->free_area_cache = oldmm->mmap_base;
30560 +- mm->cached_hole_size = ~0UL;
30561 ++ mm->free_area_cache = oldmm->free_area_cache;
30562 ++ mm->cached_hole_size = oldmm->cached_hole_size;
30563 + mm->map_count = 0;
30564 + cpus_clear(mm->cpu_vm_mask);
30565 + mm->mm_rb = RB_ROOT;
30566 +@@ -233,6 +238,7 @@ static inline int dup_mmap(struct mm_str
30567 + continue;
30568 + }
30569 + charge = 0;
30570 ++
30571 + if (mpnt->vm_flags & VM_ACCOUNT) {
30572 + unsigned int len = (mpnt->vm_end - mpnt->vm_start) >> PAGE_SHIFT;
30573 + if (security_vm_enough_memory(len))
30574 +@@ -251,6 +257,7 @@ static inline int dup_mmap(struct mm_str
30575 + tmp->vm_flags &= ~VM_LOCKED;
30576 + tmp->vm_mm = mm;
30577 + tmp->vm_next = NULL;
30578 ++ tmp->vm_mirror = NULL;
30579 + anon_vma_link(tmp);
30580 + file = tmp->vm_file;
30581 + if (file) {
30582 +@@ -287,6 +294,29 @@ static inline int dup_mmap(struct mm_str
30583 + if (retval)
30584 + goto out;
30585 + }
30586 ++
30587 ++#ifdef CONFIG_PAX_SEGMEXEC
30588 ++ if (oldmm->pax_flags & MF_PAX_SEGMEXEC) {
30589 ++ for (mpnt = oldmm->mmap, mpnt_m = mm->mmap; mpnt; mpnt = mpnt->vm_next, mpnt_m = mpnt_m->vm_next) {
30590 ++ BUG_ON(!mpnt_m || mpnt_m->vm_mirror || mpnt->vm_mm != oldmm || mpnt_m->vm_mm != mm);
30591 ++
30592 ++ if (!mpnt->vm_mirror)
30593 ++ continue;
30594 ++
30595 ++ if (mpnt->vm_end <= SEGMEXEC_TASK_SIZE) {
30596 ++ BUG_ON(mpnt->vm_mirror->vm_mirror != mpnt);
30597 ++ mpnt->vm_mirror = mpnt_m;
30598 ++ } else {
30599 ++ BUG_ON(mpnt->vm_mirror->vm_mirror == mpnt || mpnt->vm_mirror->vm_mirror->vm_mm != mm);
30600 ++ mpnt_m->vm_mirror = mpnt->vm_mirror->vm_mirror;
30601 ++ mpnt_m->vm_mirror->vm_mirror = mpnt_m;
30602 ++ mpnt->vm_mirror->vm_mirror = mpnt;
30603 ++ }
30604 ++ }
30605 ++ BUG_ON(mpnt_m);
30606 ++ }
30607 ++#endif
30608 ++
30609 + /* a new mm has just been created */
30610 + arch_dup_mmap(oldmm, mm);
30611 + retval = 0;
30612 +@@ -464,7 +494,7 @@ void mm_release(struct task_struct *tsk,
30613 + if (tsk->clear_child_tid
30614 + && !(tsk->flags & PF_SIGNALED)
30615 + && atomic_read(&mm->mm_users) > 1) {
30616 +- u32 __user * tidptr = tsk->clear_child_tid;
30617 ++ pid_t __user * tidptr = tsk->clear_child_tid;
30618 + tsk->clear_child_tid = NULL;
30619 +
30620 + /*
30621 +@@ -472,7 +502,7 @@ void mm_release(struct task_struct *tsk,
30622 + * not set up a proper pointer then tough luck.
30623 + */
30624 + put_user(0, tidptr);
30625 +- sys_futex(tidptr, FUTEX_WAKE, 1, NULL, NULL, 0);
30626 ++ sys_futex((u32 __user *)tidptr, FUTEX_WAKE, 1, NULL, NULL, 0);
30627 + }
30628 + }
30629 +
30630 +@@ -1001,6 +1031,9 @@ static struct task_struct *copy_process(
30631 + DEBUG_LOCKS_WARN_ON(!p->softirqs_enabled);
30632 + #endif
30633 + retval = -EAGAIN;
30634 ++
30635 ++ gr_learn_resource(p, RLIMIT_NPROC, atomic_read(&p->user->processes), 0);
30636 ++
30637 + if (atomic_read(&p->user->processes) >=
30638 + p->signal->rlim[RLIMIT_NPROC].rlim_cur) {
30639 + if (!capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE) &&
30640 +@@ -1140,6 +1173,8 @@ static struct task_struct *copy_process(
30641 + if (retval)
30642 + goto bad_fork_cleanup_namespaces;
30643 +
30644 ++ gr_copy_label(p);
30645 ++
30646 + p->set_child_tid = (clone_flags & CLONE_CHILD_SETTID) ? child_tidptr : NULL;
30647 + /*
30648 + * Clear TID on mm_release()?
30649 +@@ -1318,6 +1353,8 @@ bad_fork_cleanup_count:
30650 + bad_fork_free:
30651 + free_task(p);
30652 + fork_out:
30653 ++ gr_log_forkfail(retval);
30654 ++
30655 + return ERR_PTR(retval);
30656 + }
30657 +
30658 +@@ -1391,6 +1428,8 @@ long do_fork(unsigned long clone_flags,
30659 + if (!IS_ERR(p)) {
30660 + struct completion vfork;
30661 +
30662 ++ gr_handle_brute_check();
30663 ++
30664 + if (clone_flags & CLONE_VFORK) {
30665 + p->vfork_done = &vfork;
30666 + init_completion(&vfork);
30667 +diff -Nurp linux-2.6.23.15/kernel/futex.c linux-2.6.23.15-grsec/kernel/futex.c
30668 +--- linux-2.6.23.15/kernel/futex.c 2008-02-11 10:36:03.000000000 +0000
30669 ++++ linux-2.6.23.15-grsec/kernel/futex.c 2008-02-11 10:37:45.000000000 +0000
30670 +@@ -186,6 +186,11 @@ int get_futex_key(u32 __user *uaddr, str
30671 + struct page *page;
30672 + int err;
30673 +
30674 ++#ifdef CONFIG_PAX_SEGMEXEC
30675 ++ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && address >= SEGMEXEC_TASK_SIZE)
30676 ++ return -EFAULT;
30677 ++#endif
30678 ++
30679 + /*
30680 + * The futex address must be "naturally" aligned.
30681 + */
30682 +@@ -212,8 +217,8 @@ int get_futex_key(u32 __user *uaddr, str
30683 + * The futex is hashed differently depending on whether
30684 + * it's in a shared or private mapping. So check vma first.
30685 + */
30686 +- vma = find_extend_vma(mm, address);
30687 +- if (unlikely(!vma))
30688 ++ vma = find_vma(mm, address);
30689 ++ if (unlikely(!vma || address < vma->vm_start))
30690 + return -EFAULT;
30691 +
30692 + /*
30693 +@@ -1922,7 +1927,7 @@ retry:
30694 + */
30695 + static inline int fetch_robust_entry(struct robust_list __user **entry,
30696 + struct robust_list __user * __user *head,
30697 +- int *pi)
30698 ++ unsigned int *pi)
30699 + {
30700 + unsigned long uentry;
30701 +
30702 +diff -Nurp linux-2.6.23.15/kernel/irq/handle.c linux-2.6.23.15-grsec/kernel/irq/handle.c
30703 +--- linux-2.6.23.15/kernel/irq/handle.c 2007-10-09 21:31:38.000000000 +0100
30704 ++++ linux-2.6.23.15-grsec/kernel/irq/handle.c 2008-02-11 10:37:45.000000000 +0000
30705 +@@ -55,7 +55,8 @@ struct irq_desc irq_desc[NR_IRQS] __cach
30706 + .depth = 1,
30707 + .lock = __SPIN_LOCK_UNLOCKED(irq_desc->lock),
30708 + #ifdef CONFIG_SMP
30709 +- .affinity = CPU_MASK_ALL
30710 ++ .affinity = CPU_MASK_ALL,
30711 ++ .cpu = 0,
30712 + #endif
30713 + }
30714 + };
30715 +diff -Nurp linux-2.6.23.15/kernel/kallsyms.c linux-2.6.23.15-grsec/kernel/kallsyms.c
30716 +--- linux-2.6.23.15/kernel/kallsyms.c 2007-10-09 21:31:38.000000000 +0100
30717 ++++ linux-2.6.23.15-grsec/kernel/kallsyms.c 2008-02-11 10:37:45.000000000 +0000
30718 +@@ -65,6 +65,19 @@ static inline int is_kernel_text(unsigne
30719 +
30720 + static inline int is_kernel(unsigned long addr)
30721 + {
30722 ++
30723 ++#ifdef CONFIG_PAX_KERNEXEC
30724 ++
30725 ++#ifdef CONFIG_MODULES
30726 ++ if ((unsigned long)MODULES_VADDR <= addr + __KERNEL_TEXT_OFFSET &&
30727 ++ addr + __KERNEL_TEXT_OFFSET < (unsigned long)MODULES_END)
30728 ++ return 0;
30729 ++#endif
30730 ++
30731 ++ if (is_kernel_inittext(addr))
30732 ++ return 1;
30733 ++#endif
30734 ++
30735 + if (addr >= (unsigned long)_stext && addr <= (unsigned long)_end)
30736 + return 1;
30737 + return in_gate_area_no_task(addr);
30738 +@@ -373,7 +386,6 @@ static unsigned long get_ksymbol_core(st
30739 +
30740 + static void reset_iter(struct kallsym_iter *iter, loff_t new_pos)
30741 + {
30742 +- iter->name[0] = '\0';
30743 + iter->nameoff = get_symbol_offset(new_pos);
30744 + iter->pos = new_pos;
30745 + }
30746 +@@ -457,7 +469,7 @@ static int kallsyms_open(struct inode *i
30747 + struct kallsym_iter *iter;
30748 + int ret;
30749 +
30750 +- iter = kmalloc(sizeof(*iter), GFP_KERNEL);
30751 ++ iter = kzalloc(sizeof(*iter), GFP_KERNEL);
30752 + if (!iter)
30753 + return -ENOMEM;
30754 + reset_iter(iter, 0);
30755 +@@ -481,7 +493,15 @@ static int __init kallsyms_init(void)
30756 + {
30757 + struct proc_dir_entry *entry;
30758 +
30759 ++#ifdef CONFIG_GRKERNSEC_PROC_ADD
30760 ++#ifdef CONFIG_GRKERNSEC_PROC_USER
30761 ++ entry = create_proc_entry("kallsyms", S_IFREG | S_IRUSR, NULL);
30762 ++#elif CONFIG_GRKERNSEC_PROC_USERGROUP
30763 ++ entry = create_proc_entry("kallsyms", S_IFREG | S_IRUSR | S_IRGRP, NULL);
30764 ++#endif
30765 ++#else
30766 + entry = create_proc_entry("kallsyms", 0444, NULL);
30767 ++#endif
30768 + if (entry)
30769 + entry->proc_fops = &kallsyms_operations;
30770 + return 0;
30771 +diff -Nurp linux-2.6.23.15/kernel/kprobes.c linux-2.6.23.15-grsec/kernel/kprobes.c
30772 +--- linux-2.6.23.15/kernel/kprobes.c 2007-10-09 21:31:38.000000000 +0100
30773 ++++ linux-2.6.23.15-grsec/kernel/kprobes.c 2008-02-11 10:37:45.000000000 +0000
30774 +@@ -168,7 +168,7 @@ kprobe_opcode_t __kprobes *get_insn_slot
30775 + * kernel image and loaded module images reside. This is required
30776 + * so x86_64 can correctly handle the %rip-relative fixups.
30777 + */
30778 +- kip->insns = module_alloc(PAGE_SIZE);
30779 ++ kip->insns = module_alloc_exec(PAGE_SIZE);
30780 + if (!kip->insns) {
30781 + kfree(kip);
30782 + return NULL;
30783 +@@ -200,7 +200,7 @@ static int __kprobes collect_one_slot(st
30784 + hlist_add_head(&kip->hlist,
30785 + &kprobe_insn_pages);
30786 + } else {
30787 +- module_free(NULL, kip->insns);
30788 ++ module_free_exec(NULL, kip->insns);
30789 + kfree(kip);
30790 + }
30791 + return 1;
30792 +diff -Nurp linux-2.6.23.15/kernel/module.c linux-2.6.23.15-grsec/kernel/module.c
30793 +--- linux-2.6.23.15/kernel/module.c 2007-10-09 21:31:38.000000000 +0100
30794 ++++ linux-2.6.23.15-grsec/kernel/module.c 2008-02-11 10:37:45.000000000 +0000
30795 +@@ -44,6 +44,11 @@
30796 + #include <asm/uaccess.h>
30797 + #include <asm/semaphore.h>
30798 + #include <asm/cacheflush.h>
30799 ++
30800 ++#ifdef CONFIG_PAX_KERNEXEC
30801 ++#include <asm/desc.h>
30802 ++#endif
30803 ++
30804 + #include <linux/license.h>
30805 +
30806 + extern int module_sysfs_initialized;
30807 +@@ -68,6 +73,8 @@ static LIST_HEAD(modules);
30808 +
30809 + static BLOCKING_NOTIFIER_HEAD(module_notify_list);
30810 +
30811 ++extern int gr_check_modstop(void);
30812 ++
30813 + int register_module_notifier(struct notifier_block * nb)
30814 + {
30815 + return blocking_notifier_chain_register(&module_notify_list, nb);
30816 +@@ -347,7 +354,7 @@ static void *percpu_modalloc(unsigned lo
30817 + unsigned int i;
30818 + void *ptr;
30819 +
30820 +- if (align > PAGE_SIZE) {
30821 ++ if (align-1 >= PAGE_SIZE) {
30822 + printk(KERN_WARNING "%s: per-cpu alignment %li > %li\n",
30823 + name, align, PAGE_SIZE);
30824 + align = PAGE_SIZE;
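Review bot: `if (align-1 >= PAGE_SIZE)` is equivalent to the old `align > PAGE_SIZE` for every value except `align == 0`, which it now catches only through unsigned wraparound (assuming `align` is unsigned, as its use with PAGE_SIZE suggests), and then reports it with a message reading "alignment 0 > 4096". If rejecting a zero alignment is the intent, state it so the next reader does not "simplify" the comparison back: `if (align == 0 || align > PAGE_SIZE) {`. The warning text could then mention "invalid per-cpu alignment" rather than claiming it exceeds the page size.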
30825 +@@ -660,6 +667,9 @@ sys_delete_module(const char __user *nam
30826 + char name[MODULE_NAME_LEN];
30827 + int ret, forced = 0;
30828 +
30829 ++ if (gr_check_modstop())
30830 ++ return -EPERM;
30831 ++
30832 + if (!capable(CAP_SYS_MODULE))
30833 + return -EPERM;
30834 +
30835 +@@ -1209,16 +1219,19 @@ static void free_module(struct module *m
30836 + module_unload_free(mod);
30837 +
30838 + /* This may be NULL, but that's OK */
30839 +- module_free(mod, mod->module_init);
30840 ++ module_free(mod, mod->module_init_rw);
30841 ++ module_free_exec(mod, mod->module_init_rx);
30842 + kfree(mod->args);
30843 + if (mod->percpu)
30844 + percpu_modfree(mod->percpu);
30845 +
30846 + /* Free lock-classes: */
30847 +- lockdep_free_key_range(mod->module_core, mod->core_size);
30848 ++ lockdep_free_key_range(mod->module_core_rx, mod->core_size_rx);
30849 ++ lockdep_free_key_range(mod->module_core_rw, mod->core_size_rw);
30850 +
30851 + /* Finally, free the core (containing the module structure) */
30852 +- module_free(mod, mod->module_core);
30853 ++ module_free_exec(mod, mod->module_core_rx);
30854 ++ module_free(mod, mod->module_core_rw);
30855 + }
30856 +
30857 + void *__symbol_get(const char *symbol)
30858 +@@ -1279,10 +1292,14 @@ static int simplify_symbols(Elf_Shdr *se
30859 + struct module *mod)
30860 + {
30861 + Elf_Sym *sym = (void *)sechdrs[symindex].sh_addr;
30862 +- unsigned long secbase;
30863 ++ unsigned long secbase, symbol;
30864 + unsigned int i, n = sechdrs[symindex].sh_size / sizeof(Elf_Sym);
30865 + int ret = 0;
30866 +
30867 ++#ifdef CONFIG_PAX_KERNEXEC
30868 ++ unsigned long cr0;
30869 ++#endif
30870 ++
30871 + for (i = 1; i < n; i++) {
30872 + switch (sym[i].st_shndx) {
30873 + case SHN_COMMON:
30874 +@@ -1301,10 +1318,19 @@ static int simplify_symbols(Elf_Shdr *se
30875 + break;
30876 +
30877 + case SHN_UNDEF:
30878 +- sym[i].st_value
30879 +- = resolve_symbol(sechdrs, versindex,
30880 ++ symbol = resolve_symbol(sechdrs, versindex,
30881 + strtab + sym[i].st_name, mod);
30882 +
30883 ++#ifdef CONFIG_PAX_KERNEXEC
30884 ++ pax_open_kernel(cr0);
30885 ++#endif
30886 ++
30887 ++ sym[i].st_value = symbol;
30888 ++
30889 ++#ifdef CONFIG_PAX_KERNEXEC
30890 ++ pax_close_kernel(cr0);
30891 ++#endif
30892 ++
30893 + /* Ok if resolved. */
30894 + if (sym[i].st_value != 0)
30895 + break;
30896 +@@ -1319,11 +1345,27 @@ static int simplify_symbols(Elf_Shdr *se
30897 +
30898 + default:
30899 + /* Divert to percpu allocation if a percpu var. */
30900 +- if (sym[i].st_shndx == pcpuindex)
30901 ++ if (sym[i].st_shndx == pcpuindex) {
30902 ++
30903 ++#if defined(CONFIG_X86_32) && defined(CONFIG_SMP)
30904 ++ secbase = (unsigned long)mod->percpu - (unsigned long)__per_cpu_start;
30905 ++#else
30906 + secbase = (unsigned long)mod->percpu;
30907 +- else
30908 ++#endif
30909 ++
30910 ++ } else
30911 + secbase = sechdrs[sym[i].st_shndx].sh_addr;
30912 ++
30913 ++#ifdef CONFIG_PAX_KERNEXEC
30914 ++ pax_open_kernel(cr0);
30915 ++#endif
30916 ++
30917 + sym[i].st_value += secbase;
30918 ++
30919 ++#ifdef CONFIG_PAX_KERNEXEC
30920 ++ pax_close_kernel(cr0);
30921 ++#endif
30922 ++
30923 + break;
30924 + }
30925 + }
30926 +@@ -1375,11 +1417,14 @@ static void layout_sections(struct modul
30927 + || strncmp(secstrings + s->sh_name,
30928 + ".init", 5) == 0)
30929 + continue;
30930 +- s->sh_entsize = get_offset(&mod->core_size, s);
30931 ++ if ((s->sh_flags & SHF_WRITE) || !(s->sh_flags & SHF_ALLOC))
30932 ++ s->sh_entsize = get_offset(&mod->core_size_rw, s);
30933 ++ else
30934 ++ s->sh_entsize = get_offset(&mod->core_size_rx, s);
30935 + DEBUGP("\t%s\n", secstrings + s->sh_name);
30936 + }
30937 + if (m == 0)
30938 +- mod->core_text_size = mod->core_size;
30939 ++ mod->core_size_rx = mod->core_size_rx;
30940 + }
30941 +
30942 + DEBUGP("Init section allocation order:\n");
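Review bot: `mod->core_size_rx = mod->core_size_rx;` under `if (m == 0)` is a self-assignment and does nothing, and the same no-op `mod->init_size_rx = mod->init_size_rx;` appears in the init-section hunk right below. The original lines recorded the text size (`core_text_size`, `init_text_size`) after the m == 0 pass; if those fields are gone because the rx size now plays that role, the two `if (m == 0)` blocks should simply be deleted, and if anything elsewhere still consumes a separate text size, this hunk no longer provides it. Leaving a self-assignment in place reads as an incomplete edit and will be flagged by -Wall in newer compilers.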
30943 +@@ -1393,12 +1438,15 @@ static void layout_sections(struct modul
30944 + || strncmp(secstrings + s->sh_name,
30945 + ".init", 5) != 0)
30946 + continue;
30947 +- s->sh_entsize = (get_offset(&mod->init_size, s)
30948 +- | INIT_OFFSET_MASK);
30949 ++ if ((s->sh_flags & SHF_WRITE) || !(s->sh_flags & SHF_ALLOC))
30950 ++ s->sh_entsize = get_offset(&mod->init_size_rw, s);
30951 ++ else
30952 ++ s->sh_entsize = get_offset(&mod->init_size_rx, s);
30953 ++ s->sh_entsize |= INIT_OFFSET_MASK;
30954 + DEBUGP("\t%s\n", secstrings + s->sh_name);
30955 + }
30956 + if (m == 0)
30957 +- mod->init_text_size = mod->init_size;
30958 ++ mod->init_size_rx = mod->init_size_rx;
30959 + }
30960 + }
30961 +
30962 +@@ -1525,14 +1573,31 @@ static void add_kallsyms(struct module *
30963 + {
30964 + unsigned int i;
30965 +
30966 ++#ifdef CONFIG_PAX_KERNEXEC
30967 ++ unsigned long cr0;
30968 ++#endif
30969 ++
30970 + mod->symtab = (void *)sechdrs[symindex].sh_addr;
30971 + mod->num_symtab = sechdrs[symindex].sh_size / sizeof(Elf_Sym);
30972 + mod->strtab = (void *)sechdrs[strindex].sh_addr;
30973 +
30974 + /* Set types up while we still have access to sections. */
30975 +- for (i = 0; i < mod->num_symtab; i++)
30976 +- mod->symtab[i].st_info
30977 +- = elf_type(&mod->symtab[i], sechdrs, secstrings, mod);
30978 ++
30979 ++ for (i = 0; i < mod->num_symtab; i++) {
30980 ++ char type = elf_type(&mod->symtab[i], sechdrs, secstrings, mod);
30981 ++
30982 ++#ifdef CONFIG_PAX_KERNEXEC
30983 ++ pax_open_kernel(cr0);
30984 ++#endif
30985 ++
30986 ++ mod->symtab[i].st_info = type;
30987 ++
30988 ++#ifdef CONFIG_PAX_KERNEXEC
30989 ++ pax_close_kernel(cr0);
30990 ++#endif
30991 ++
30992 ++ }
30993 ++
30994 + }
30995 + #else
30996 + static inline void add_kallsyms(struct module *mod,
30997 +@@ -1580,6 +1645,10 @@ static struct module *load_module(void _
30998 + struct exception_table_entry *extable;
30999 + mm_segment_t old_fs;
31000 +
31001 ++#ifdef CONFIG_PAX_KERNEXEC
31002 ++ unsigned long cr0;
31003 ++#endif
31004 ++
31005 + DEBUGP("load_module: umod=%p, len=%lu, uargs=%p\n",
31006 + umod, len, uargs);
31007 + if (len < sizeof(*hdr))
31008 +@@ -1738,21 +1807,57 @@ static struct module *load_module(void _
31009 + layout_sections(mod, hdr, sechdrs, secstrings);
31010 +
31011 + /* Do the allocs. */
31012 +- ptr = module_alloc(mod->core_size);
31013 ++ ptr = module_alloc(mod->core_size_rw);
31014 + if (!ptr) {
31015 + err = -ENOMEM;
31016 + goto free_percpu;
31017 + }
31018 +- memset(ptr, 0, mod->core_size);
31019 +- mod->module_core = ptr;
31020 ++ memset(ptr, 0, mod->core_size_rw);
31021 ++ mod->module_core_rw = ptr;
31022 ++
31023 ++ ptr = module_alloc(mod->init_size_rw);
31024 ++ if (!ptr && mod->init_size_rw) {
31025 ++ err = -ENOMEM;
31026 ++ goto free_core_rw;
31027 ++ }
31028 ++ memset(ptr, 0, mod->init_size_rw);
31029 ++ mod->module_init_rw = ptr;
31030 ++
31031 ++ ptr = module_alloc_exec(mod->core_size_rx);
31032 ++ if (!ptr) {
31033 ++ err = -ENOMEM;
31034 ++ goto free_init_rw;
31035 ++ }
31036 ++
31037 ++#ifdef CONFIG_PAX_KERNEXEC
31038 ++ pax_open_kernel(cr0);
31039 ++#endif
31040 +
31041 +- ptr = module_alloc(mod->init_size);
31042 +- if (!ptr && mod->init_size) {
31043 ++ memset(ptr, 0, mod->core_size_rx);
31044 ++
31045 ++#ifdef CONFIG_PAX_KERNEXEC
31046 ++ pax_close_kernel(cr0);
31047 ++#endif
31048 ++
31049 ++ mod->module_core_rx = ptr;
31050 ++
31051 ++ ptr = module_alloc_exec(mod->init_size_rx);
31052 ++ if (!ptr && mod->init_size_rx) {
31053 + err = -ENOMEM;
31054 +- goto free_core;
31055 ++ goto free_core_rx;
31056 + }
31057 +- memset(ptr, 0, mod->init_size);
31058 +- mod->module_init = ptr;
31059 ++
31060 ++#ifdef CONFIG_PAX_KERNEXEC
31061 ++ pax_open_kernel(cr0);
31062 ++#endif
31063 ++
31064 ++ memset(ptr, 0, mod->init_size_rx);
31065 ++
31066 ++#ifdef CONFIG_PAX_KERNEXEC
31067 ++ pax_close_kernel(cr0);
31068 ++#endif
31069 ++
31070 ++ mod->module_init_rx = ptr;
31071 +
31072 + /* Transfer each section which specifies SHF_ALLOC */
31073 + DEBUGP("final section addresses:\n");
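Review bot: The `module_alloc_exec(mod->core_size_rx)` call treats a NULL return as `-ENOMEM` unconditionally, while the `init_size_rw` and `init_size_rx` allocations a few lines away are guarded with `&& mod->init_size_*` so that a zero-sized region is not an error. Now that the module struct and writable data live in the rw region, a module whose core has no read-only or executable bytes would have `core_size_rx == 0`, and whether module_alloc_exec returns NULL for a zero size is not visible here; the consistent form is `if (!ptr && mod->core_size_rx) {`. If instead a non-empty rx core is guaranteed by construction, a one-line comment saying so next to that check would keep the asymmetry from looking accidental.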
31074 +@@ -1762,17 +1867,41 @@ static struct module *load_module(void _
31075 + if (!(sechdrs[i].sh_flags & SHF_ALLOC))
31076 + continue;
31077 +
31078 +- if (sechdrs[i].sh_entsize & INIT_OFFSET_MASK)
31079 +- dest = mod->module_init
31080 +- + (sechdrs[i].sh_entsize & ~INIT_OFFSET_MASK);
31081 +- else
31082 +- dest = mod->module_core + sechdrs[i].sh_entsize;
31083 ++ if (sechdrs[i].sh_entsize & INIT_OFFSET_MASK) {
31084 ++ if ((sechdrs[i].sh_flags & SHF_WRITE) || !(sechdrs[i].sh_flags & SHF_ALLOC))
31085 ++ dest = mod->module_init_rw
31086 ++ + (sechdrs[i].sh_entsize & ~INIT_OFFSET_MASK);
31087 ++ else
31088 ++ dest = mod->module_init_rx
31089 ++ + (sechdrs[i].sh_entsize & ~INIT_OFFSET_MASK);
31090 ++ } else {
31091 ++ if ((sechdrs[i].sh_flags & SHF_WRITE) || !(sechdrs[i].sh_flags & SHF_ALLOC))
31092 ++ dest = mod->module_core_rw + sechdrs[i].sh_entsize;
31093 ++ else
31094 ++ dest = mod->module_core_rx + sechdrs[i].sh_entsize;
31095 ++ }
31096 ++
31097 ++ if (sechdrs[i].sh_type != SHT_NOBITS) {
31098 +
31099 +- if (sechdrs[i].sh_type != SHT_NOBITS)
31100 +- memcpy(dest, (void *)sechdrs[i].sh_addr,
31101 +- sechdrs[i].sh_size);
31102 ++#ifdef CONFIG_PAX_KERNEXEC
31103 ++ if (!(sechdrs[i].sh_flags & SHF_WRITE) && (sechdrs[i].sh_flags & SHF_ALLOC)) {
31104 ++ pax_open_kernel(cr0);
31105 ++ memcpy(dest, (void *)sechdrs[i].sh_addr, sechdrs[i].sh_size);
31106 ++ pax_close_kernel(cr0);
31107 ++ } else
31108 ++#endif
31109 ++
31110 ++ memcpy(dest, (void *)sechdrs[i].sh_addr, sechdrs[i].sh_size);
31111 ++ }
31112 + /* Update sh_addr to point to copy in image. */
31113 +- sechdrs[i].sh_addr = (unsigned long)dest;
31114 ++
31115 ++#ifdef CONFIG_PAX_KERNEXEC
31116 ++ if (sechdrs[i].sh_flags & SHF_EXECINSTR)
31117 ++ sechdrs[i].sh_addr = (unsigned long)dest - __KERNEL_TEXT_OFFSET;
31118 ++ else
31119 ++#endif
31120 ++
31121 ++ sechdrs[i].sh_addr = (unsigned long)dest;
31122 + DEBUGP("\t0x%lx %s\n", sechdrs[i].sh_addr, secstrings + sechdrs[i].sh_name);
31123 + }
31124 + /* Module has been moved. */
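Review bot: The `!(sechdrs[i].sh_flags & SHF_ALLOC)` operand in both new placement conditions is dead: the loop already does `continue` on non-SHF_ALLOC sections two lines above, so each test reduces to `sechdrs[i].sh_flags & SHF_WRITE`, and the KERNEXEC memcpy guard likewise reduces to `!(sechdrs[i].sh_flags & SHF_WRITE)`. Dropping the redundant operand would also make it obvious that placement keys on writability while the later `sh_addr` fix-up keys on `SHF_EXECINSTR`, so a non-writable, non-executable section (rodata) lands in the rx region but keeps an un-offset `sh_addr`; if that is intended, a one-line comment saying so would help. The `} else` immediately followed by `#endif` and then the fallback `memcpy` is fragile to read; putting the non-KERNEXEC memcpy in its own `#else` branch costs one line and removes the dangling else. The loop's enclosing function continues outside this hunk.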
31125 +@@ -1892,12 +2021,12 @@ static struct module *load_module(void _
31126 + * Do it before processing of module parameters, so the module
31127 + * can provide parameter accessor functions of its own.
31128 + */
31129 +- if (mod->module_init)
31130 +- flush_icache_range((unsigned long)mod->module_init,
31131 +- (unsigned long)mod->module_init
31132 +- + mod->init_size);
31133 +- flush_icache_range((unsigned long)mod->module_core,
31134 +- (unsigned long)mod->module_core + mod->core_size);
31135 ++ if (mod->module_init_rx)
31136 ++ flush_icache_range((unsigned long)mod->module_init_rx,
31137 ++ (unsigned long)mod->module_init_rx
31138 ++ + mod->init_size_rx);
31139 ++ flush_icache_range((unsigned long)mod->module_core_rx,
31140 ++ (unsigned long)mod->module_core_rx + mod->core_size_rx);
31141 +
31142 + set_fs(old_fs);
31143 +
31144 +@@ -1940,9 +2069,13 @@ static struct module *load_module(void _
31145 + module_arch_cleanup(mod);
31146 + cleanup:
31147 + module_unload_free(mod);
31148 +- module_free(mod, mod->module_init);
31149 +- free_core:
31150 +- module_free(mod, mod->module_core);
31151 ++ module_free_exec(mod, mod->module_init_rx);
31152 ++ free_core_rx:
31153 ++ module_free_exec(mod, mod->module_core_rx);
31154 ++ free_init_rw:
31155 ++ module_free(mod, mod->module_init_rw);
31156 ++ free_core_rw:
31157 ++ module_free(mod, mod->module_core_rw);
31158 + free_percpu:
31159 + if (percpu)
31160 + percpu_modfree(percpu);
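Review bot: The `cleanup:` path now hands `mod->module_init_rx` to `module_free_exec` even when no init rx region was allocated (an `init_size_rx` of 0 leaves it NULL in the allocation hunk), and likewise `module_init_rw` to `module_free`. The original relied on `module_free` tolerating a NULL `module_init`; whether `module_free_exec` does the same is not visible here -- if it does not, guard it with `if (mod->module_init_rx) module_free_exec(mod, mod->module_init_rx);` or record the NULL contract in a comment. The label order matches the `goto` targets used in the allocation hunk, which looks right.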
31161 +@@ -1978,6 +2111,9 @@ sys_init_module(void __user *umod,
31162 + struct module *mod;
31163 + int ret = 0;
31164 +
31165 ++ if (gr_check_modstop())
31166 ++ return -EPERM;
31167 ++
31168 + /* Must have permission */
31169 + if (!capable(CAP_SYS_MODULE))
31170 + return -EPERM;
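Review bot: `gr_check_modstop()` gates `sys_init_module` before the `CAP_SYS_MODULE` check, so once modstop is engaged even a fully privileged caller gets a bare -EPERM with nothing to say which check failed; a comment such as `/* grsec modstop: refuse loads regardless of capabilities once engaged */` above it would make that intentional. The matching gate for `sys_delete_module` is not in this chunk -- worth confirming it is patched too, otherwise modstop blocks loads but not unloads. The hunk sits at the top of the function, which continues past it.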
31171 +@@ -2029,10 +2165,12 @@ sys_init_module(void __user *umod,
31172 + /* Drop initial reference. */
31173 + module_put(mod);
31174 + unwind_remove_table(mod->unwind_info, 1);
31175 +- module_free(mod, mod->module_init);
31176 +- mod->module_init = NULL;
31177 +- mod->init_size = 0;
31178 +- mod->init_text_size = 0;
31179 ++ module_free(mod, mod->module_init_rw);
31180 ++ module_free_exec(mod, mod->module_init_rx);
31181 ++ mod->module_init_rw = NULL;
31182 ++ mod->module_init_rx = NULL;
31183 ++ mod->init_size_rw = 0;
31184 ++ mod->init_size_rx = 0;
31185 + mutex_unlock(&module_mutex);
31186 +
31187 + return 0;
31188 +@@ -2040,6 +2178,13 @@ sys_init_module(void __user *umod,
31189 +
31190 + static inline int within(unsigned long addr, void *start, unsigned long size)
31191 + {
31192 ++
31193 ++#ifdef CONFIG_PAX_KERNEXEC
31194 ++ if (addr + __KERNEL_TEXT_OFFSET >= (unsigned long)start &&
31195 ++ addr + __KERNEL_TEXT_OFFSET < (unsigned long)start + size)
31196 ++ return 1;
31197 ++#endif
31198 ++
31199 + return ((void *)addr >= start && (void *)addr < start + size);
31200 + }
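Review bot: The KERNEXEC branch added to `within()` makes every caller accept `addr + __KERNEL_TEXT_OFFSET` as well as `addr`, but only code addresses are ever stored shifted (the section-copy hunk subtracts the offset solely for `SHF_EXECINSTR` sections), so the rw-region lookups in `is_module_address` and the symbol lookups now also match addresses that merely sit `__KERNEL_TEXT_OFFSET` below a data region. If that is harmless in practice it deserves a comment, e.g. `/* KERNEXEC: text addresses are handed around with __KERNEL_TEXT_OFFSET subtracted, so also test the shifted address */`; otherwise the shifted test belongs only in the rx-range checks. The addition is plain unsigned arithmetic and can wrap for an `addr` near the top of the address space, which the `>= start` test would then not catch.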
31201 +
31202 +@@ -2063,10 +2208,14 @@ static const char *get_ksymbol(struct mo
31203 + unsigned long nextval;
31204 +
31205 + /* At worse, next value is at end of module */
31206 +- if (within(addr, mod->module_init, mod->init_size))
31207 +- nextval = (unsigned long)mod->module_init+mod->init_text_size;
31208 +- else
31209 +- nextval = (unsigned long)mod->module_core+mod->core_text_size;
31210 ++ if (within(addr, mod->module_init_rx, mod->init_size_rx))
31211 ++ nextval = (unsigned long)mod->module_init_rx+mod->init_size_rx;
31212 ++ else if (within(addr, mod->module_init_rw, mod->init_size_rw))
31213 ++ nextval = (unsigned long)mod->module_init_rw+mod->init_size_rw;
31214 ++ else if (within(addr, mod->module_core_rx, mod->core_size_rx))
31215 ++ nextval = (unsigned long)mod->module_core_rx+mod->core_size_rx;
31216 ++ else
31217 ++ nextval = (unsigned long)mod->module_core_rw+mod->core_size_rw;
31218 +
31219 + /* Scan for closest preceeding symbol, and next symbol. (ELF
31220 + starts real symbols at 1). */
31221 +@@ -2109,8 +2258,10 @@ const char *module_address_lookup(unsign
31222 + struct module *mod;
31223 +
31224 + list_for_each_entry(mod, &modules, list) {
31225 +- if (within(addr, mod->module_init, mod->init_size)
31226 +- || within(addr, mod->module_core, mod->core_size)) {
31227 ++ if (within(addr, mod->module_init_rx, mod->init_size_rx) ||
31228 ++ within(addr, mod->module_init_rw, mod->init_size_rw) ||
31229 ++ within(addr, mod->module_core_rx, mod->core_size_rx) ||
31230 ++ within(addr, mod->module_core_rw, mod->core_size_rw)) {
31231 + if (modname)
31232 + *modname = mod->name;
31233 + return get_ksymbol(mod, addr, size, offset);
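Review bot: The four-way `within()` test in `module_address_lookup` is repeated verbatim in `lookup_module_symbol_name` and `lookup_module_symbol_attrs` below, so the next region added to `struct module` has to be threaded through every copy. A small static helper keeps the region list in one place and the callers become `if (within_module(addr, mod)) {`. `is_module_address` deliberately checks only the two core regions and would keep its own pair.
```c
/* True when addr falls inside any of the module's four regions. */
static inline int within_module(unsigned long addr, struct module *mod)
{
	return within(addr, mod->module_init_rx, mod->init_size_rx) ||
	       within(addr, mod->module_init_rw, mod->init_size_rw) ||
	       within(addr, mod->module_core_rx, mod->core_size_rx) ||
	       within(addr, mod->module_core_rw, mod->core_size_rw);
}
/* … unchanged: module_address_lookup loop, now testing `if (within_module(addr, mod)) {` … */
```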
31234 +@@ -2125,8 +2276,10 @@ int lookup_module_symbol_name(unsigned l
31235 +
31236 + mutex_lock(&module_mutex);
31237 + list_for_each_entry(mod, &modules, list) {
31238 +- if (within(addr, mod->module_init, mod->init_size) ||
31239 +- within(addr, mod->module_core, mod->core_size)) {
31240 ++ if (within(addr, mod->module_init_rx, mod->init_size_rx) ||
31241 ++ within(addr, mod->module_init_rw, mod->init_size_rw) ||
31242 ++ within(addr, mod->module_core_rx, mod->core_size_rx) ||
31243 ++ within(addr, mod->module_core_rw, mod->core_size_rw)) {
31244 + const char *sym;
31245 +
31246 + sym = get_ksymbol(mod, addr, NULL, NULL);
31247 +@@ -2149,8 +2302,10 @@ int lookup_module_symbol_attrs(unsigned
31248 +
31249 + mutex_lock(&module_mutex);
31250 + list_for_each_entry(mod, &modules, list) {
31251 +- if (within(addr, mod->module_init, mod->init_size) ||
31252 +- within(addr, mod->module_core, mod->core_size)) {
31253 ++ if (within(addr, mod->module_init_rx, mod->init_size_rx) ||
31254 ++ within(addr, mod->module_init_rw, mod->init_size_rw) ||
31255 ++ within(addr, mod->module_core_rx, mod->core_size_rx) ||
31256 ++ within(addr, mod->module_core_rw, mod->core_size_rw)) {
31257 + const char *sym;
31258 +
31259 + sym = get_ksymbol(mod, addr, size, offset);
31260 +@@ -2270,7 +2425,7 @@ static int m_show(struct seq_file *m, vo
31261 + char buf[8];
31262 +
31263 + seq_printf(m, "%s %lu",
31264 +- mod->name, mod->init_size + mod->core_size);
31265 ++ mod->name, mod->init_size_rx + mod->init_size_rw + mod->core_size_rx + mod->core_size_rw);
31266 + print_unload_info(m, mod);
31267 +
31268 + /* Informative for users. */
31269 +@@ -2279,7 +2434,7 @@ static int m_show(struct seq_file *m, vo
31270 + mod->state == MODULE_STATE_COMING ? "Loading":
31271 + "Live");
31272 + /* Used by oprofile and other similar tools. */
31273 +- seq_printf(m, " 0x%p", mod->module_core);
31274 ++ seq_printf(m, " 0x%p 0x%p", mod->module_core_rx, mod->module_core_rw);
31275 +
31276 + /* Taints info */
31277 + if (mod->taints)
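Review bot: Printing two addresses with `" 0x%p 0x%p"` changes the /proc/modules line format that the comment directly above says oprofile and similar tools consume; any parser expecting a single address column after the state will now see an extra field. If the rw base really has to be exposed, document the new column wherever the format is described, or consider keeping the single `module_core_rx` address here and exposing the rw base elsewhere. This is a user-visible interface change rather than a code defect, so it mainly needs to be stated somewhere.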
31278 +@@ -2335,7 +2490,8 @@ int is_module_address(unsigned long addr
31279 + preempt_disable();
31280 +
31281 + list_for_each_entry(mod, &modules, list) {
31282 +- if (within(addr, mod->module_core, mod->core_size)) {
31283 ++ if (within(addr, mod->module_core_rx, mod->core_size_rx) ||
31284 ++ within(addr, mod->module_core_rw, mod->core_size_rw)) {
31285 + preempt_enable();
31286 + return 1;
31287 + }
31288 +@@ -2353,8 +2509,8 @@ struct module *__module_text_address(uns
31289 + struct module *mod;
31290 +
31291 + list_for_each_entry(mod, &modules, list)
31292 +- if (within(addr, mod->module_init, mod->init_text_size)
31293 +- || within(addr, mod->module_core, mod->core_text_size))
31294 ++ if (within(addr, mod->module_init_rx, mod->init_size_rx)
31295 ++ || within(addr, mod->module_core_rx, mod->core_size_rx))
31296 + return mod;
31297 + return NULL;
31298 + }
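Review bot: `__module_text_address` now matches the whole `_rx` regions (`init_size_rx`/`core_size_rx`) where it previously matched `init_text_size`/`core_text_size`, so if read-only data sections are placed in the rx region (the section-copy hunk sends every non-`SHF_WRITE` section there), addresses inside module rodata will now be reported as text. That is probably harmless for callers that only want the owning module, but a comment such as `/* rx region = text plus rodata under KERNEXEC; callers only need the owning module */` would record that this is intentional rather than an oversight from dropping the `_text_size` fields.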
31299 +diff -Nurp linux-2.6.23.15/kernel/mutex.c linux-2.6.23.15-grsec/kernel/mutex.c
31300 +--- linux-2.6.23.15/kernel/mutex.c 2007-10-09 21:31:38.000000000 +0100
31301 ++++ linux-2.6.23.15-grsec/kernel/mutex.c 2008-02-11 10:37:45.000000000 +0000
31302 +@@ -81,7 +81,7 @@ __mutex_lock_slowpath(atomic_t *lock_cou
31303 + *
31304 + * This function is similar to (but not equivalent to) down().
31305 + */
31306 +-void inline fastcall __sched mutex_lock(struct mutex *lock)
31307 ++inline void fastcall __sched mutex_lock(struct mutex *lock)
31308 + {
31309 + might_sleep();
31310 + /*
31311 +diff -Nurp linux-2.6.23.15/kernel/params.c linux-2.6.23.15-grsec/kernel/params.c
31312 +--- linux-2.6.23.15/kernel/params.c 2008-02-11 10:36:03.000000000 +0000
31313 ++++ linux-2.6.23.15-grsec/kernel/params.c 2008-02-11 10:37:45.000000000 +0000
31314 +@@ -275,7 +275,7 @@ static int param_array(const char *name,
31315 + unsigned int min, unsigned int max,
31316 + void *elem, int elemsize,
31317 + int (*set)(const char *, struct kernel_param *kp),
31318 +- int *num)
31319 ++ unsigned int *num)
31320 + {
31321 + int ret;
31322 + struct kernel_param kp;
31323 +diff -Nurp linux-2.6.23.15/kernel/pid.c linux-2.6.23.15-grsec/kernel/pid.c
31324 +--- linux-2.6.23.15/kernel/pid.c 2007-10-09 21:31:38.000000000 +0100
31325 ++++ linux-2.6.23.15-grsec/kernel/pid.c 2008-02-11 10:37:45.000000000 +0000
31326 +@@ -28,6 +28,7 @@
31327 + #include <linux/hash.h>
31328 + #include <linux/pid_namespace.h>
31329 + #include <linux/init_task.h>
31330 ++#include <linux/grsecurity.h>
31331 +
31332 + #define pid_hashfn(nr) hash_long((unsigned long)nr, pidhash_shift)
31333 + static struct hlist_head *pid_hash;
31334 +@@ -37,7 +38,7 @@ struct pid init_struct_pid = INIT_STRUCT
31335 +
31336 + int pid_max = PID_MAX_DEFAULT;
31337 +
31338 +-#define RESERVED_PIDS 300
31339 ++#define RESERVED_PIDS 500
31340 +
31341 + int pid_max_min = RESERVED_PIDS + 1;
31342 + int pid_max_max = PID_MAX_LIMIT;
31343 +@@ -309,7 +310,14 @@ struct task_struct * fastcall pid_task(s
31344 + */
31345 + struct task_struct *find_task_by_pid_type(int type, int nr)
31346 + {
31347 +- return pid_task(find_pid(nr), type);
31348 ++ struct task_struct *task;
31349 ++
31350 ++ task = pid_task(find_pid(nr), type);
31351 ++
31352 ++ if (gr_pid_is_chrooted(task))
31353 ++ return NULL;
31354 ++
31355 ++ return task;
31356 + }
31357 +
31358 + EXPORT_SYMBOL(find_task_by_pid_type);
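Review bot: `find_task_by_pid_type` now passes the result of `pid_task()` to `gr_pid_is_chrooted()` without checking it, and `pid_task()` returns NULL when the pid is not found; unless `gr_pid_is_chrooted` is documented to accept NULL, the call should read `if (task && gr_pid_is_chrooted(task))`. The function also gains a policy side effect -- hiding chrooted tasks from lookups -- that its name does not convey and that the `sys_setpgid` hunk later in this patch has to bypass explicitly, so a header comment along the lines of `/* grsec: returns NULL for tasks hidden by the chroot restriction; callers that must see them use pid_task(find_pid()) directly */` would help future callers choose correctly.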
31359 +diff -Nurp linux-2.6.23.15/kernel/posix-cpu-timers.c linux-2.6.23.15-grsec/kernel/posix-cpu-timers.c
31360 +--- linux-2.6.23.15/kernel/posix-cpu-timers.c 2007-10-09 21:31:38.000000000 +0100
31361 ++++ linux-2.6.23.15-grsec/kernel/posix-cpu-timers.c 2008-02-11 10:37:45.000000000 +0000
31362 +@@ -6,6 +6,7 @@
31363 + #include <linux/posix-timers.h>
31364 + #include <asm/uaccess.h>
31365 + #include <linux/errno.h>
31366 ++#include <linux/grsecurity.h>
31367 +
31368 + static int check_clock(const clockid_t which_clock)
31369 + {
31370 +@@ -1144,6 +1145,7 @@ static void check_process_timers(struct
31371 + __group_send_sig_info(SIGKILL, SEND_SIG_PRIV, tsk);
31372 + return;
31373 + }
31374 ++ gr_learn_resource(tsk, RLIMIT_CPU, psecs, 1);
31375 + if (psecs >= sig->rlim[RLIMIT_CPU].rlim_cur) {
31376 + /*
31377 + * At the soft limit, send a SIGXCPU every second.
31378 +diff -Nurp linux-2.6.23.15/kernel/power/poweroff.c linux-2.6.23.15-grsec/kernel/power/poweroff.c
31379 +--- linux-2.6.23.15/kernel/power/poweroff.c 2007-10-09 21:31:38.000000000 +0100
31380 ++++ linux-2.6.23.15-grsec/kernel/power/poweroff.c 2008-02-11 10:37:45.000000000 +0000
31381 +@@ -35,7 +35,7 @@ static struct sysrq_key_op sysrq_powerof
31382 + .enable_mask = SYSRQ_ENABLE_BOOT,
31383 + };
31384 +
31385 +-static int pm_sysrq_init(void)
31386 ++static int __init pm_sysrq_init(void)
31387 + {
31388 + register_sysrq_key('o', &sysrq_poweroff_op);
31389 + return 0;
31390 +diff -Nurp linux-2.6.23.15/kernel/printk.c linux-2.6.23.15-grsec/kernel/printk.c
31391 +--- linux-2.6.23.15/kernel/printk.c 2007-10-09 21:31:38.000000000 +0100
31392 ++++ linux-2.6.23.15-grsec/kernel/printk.c 2008-02-11 10:37:45.000000000 +0000
31393 +@@ -31,6 +31,7 @@
31394 + #include <linux/bootmem.h>
31395 + #include <linux/syscalls.h>
31396 + #include <linux/jiffies.h>
31397 ++#include <linux/grsecurity.h>
31398 +
31399 + #include <asm/uaccess.h>
31400 +
31401 +@@ -184,6 +185,11 @@ int do_syslog(int type, char __user *buf
31402 + char c;
31403 + int error = 0;
31404 +
31405 ++#ifdef CONFIG_GRKERNSEC_DMESG
31406 ++ if (grsec_enable_dmesg && !capable(CAP_SYS_ADMIN))
31407 ++ return -EPERM;
31408 ++#endif
31409 ++
31410 + error = security_syslog(type);
31411 + if (error)
31412 + return error;
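Review bot: The new `CONFIG_GRKERNSEC_DMESG` gate in `do_syslog` uses `capable(CAP_SYS_ADMIN)`, while the ptrace hunk in this same patch switches comparable checks to `capable_nolog()`; if `capable()` here feeds the grsec capability audit as it appears to elsewhere, every unprivileged `dmesg` invocation will log a denied-capability event. Either use `capable_nolog(CAP_SYS_ADMIN)` or add a comment stating that logging these attempts is intended. The check also runs for every syslog `type`, including the read-only size and level queries, which may be deliberate but is worth stating in a comment or the option's help text.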
31413 +diff -Nurp linux-2.6.23.15/kernel/ptrace.c linux-2.6.23.15-grsec/kernel/ptrace.c
31414 +--- linux-2.6.23.15/kernel/ptrace.c 2007-10-09 21:31:38.000000000 +0100
31415 ++++ linux-2.6.23.15-grsec/kernel/ptrace.c 2008-02-11 10:37:45.000000000 +0000
31416 +@@ -19,6 +19,7 @@
31417 + #include <linux/security.h>
31418 + #include <linux/signal.h>
31419 + #include <linux/audit.h>
31420 ++#include <linux/grsecurity.h>
31421 +
31422 + #include <asm/pgtable.h>
31423 + #include <asm/uaccess.h>
31424 +@@ -138,12 +139,12 @@ static int may_attach(struct task_struct
31425 + (current->uid != task->uid) ||
31426 + (current->gid != task->egid) ||
31427 + (current->gid != task->sgid) ||
31428 +- (current->gid != task->gid)) && !capable(CAP_SYS_PTRACE))
31429 ++ (current->gid != task->gid)) && !capable_nolog(CAP_SYS_PTRACE))
31430 + return -EPERM;
31431 + smp_rmb();
31432 + if (task->mm)
31433 + dumpable = get_dumpable(task->mm);
31434 +- if (!dumpable && !capable(CAP_SYS_PTRACE))
31435 ++ if (!dumpable && !capable_nolog(CAP_SYS_PTRACE))
31436 + return -EPERM;
31437 +
31438 + return security_ptrace(current, task);
31439 +@@ -480,6 +481,11 @@ asmlinkage long sys_ptrace(long request,
31440 + if (ret < 0)
31441 + goto out_put_task_struct;
31442 +
31443 ++ if (gr_handle_ptrace(child, request)) {
31444 ++ ret = -EPERM;
31445 ++ goto out_put_task_struct;
31446 ++ }
31447 ++
31448 + ret = arch_ptrace(child, request, addr, data);
31449 + if (ret < 0)
31450 + goto out_put_task_struct;
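Review bot: `gr_handle_ptrace(child, request)` is only reached after `ptrace_check_attach()` succeeds, i.e. for requests on an already-attached tracee; in mainline 2.6.23 `sys_ptrace` dispatches `PTRACE_TRACEME` and `PTRACE_ATTACH` earlier in the function (outside this hunk), so attach requests presumably never pass through this hook. If the hook is meant to police attaches as well, it needs a second call site on that path (or in `may_attach`, which this patch only touches to swap in `capable_nolog`); if not, a comment `/* post-attach requests only; attach itself is gated in may_attach */` would stop the next reader from assuming otherwise. The enclosing function begins and ends outside the hunk.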
31451 +diff -Nurp linux-2.6.23.15/kernel/rcupdate.c linux-2.6.23.15-grsec/kernel/rcupdate.c
31452 +--- linux-2.6.23.15/kernel/rcupdate.c 2007-10-09 21:31:38.000000000 +0100
31453 ++++ linux-2.6.23.15-grsec/kernel/rcupdate.c 2008-02-11 10:37:45.000000000 +0000
31454 +@@ -63,11 +63,11 @@ static struct rcu_ctrlblk rcu_bh_ctrlblk
31455 + .cpumask = CPU_MASK_NONE,
31456 + };
31457 +
31458 +-DEFINE_PER_CPU(struct rcu_data, rcu_data) = { 0L };
31459 +-DEFINE_PER_CPU(struct rcu_data, rcu_bh_data) = { 0L };
31460 ++DEFINE_PER_CPU(struct rcu_data, rcu_data);
31461 ++DEFINE_PER_CPU(struct rcu_data, rcu_bh_data);
31462 +
31463 + /* Fake initialization required by compiler */
31464 +-static DEFINE_PER_CPU(struct tasklet_struct, rcu_tasklet) = {NULL};
31465 ++static DEFINE_PER_CPU(struct tasklet_struct, rcu_tasklet);
31466 + static int blimit = 10;
31467 + static int qhimark = 10000;
31468 + static int qlowmark = 100;
31469 +diff -Nurp linux-2.6.23.15/kernel/relay.c linux-2.6.23.15-grsec/kernel/relay.c
31470 +--- linux-2.6.23.15/kernel/relay.c 2008-02-11 10:36:03.000000000 +0000
31471 ++++ linux-2.6.23.15-grsec/kernel/relay.c 2008-02-11 10:37:45.000000000 +0000
31472 +@@ -1140,7 +1140,7 @@ static int subbuf_splice_actor(struct fi
31473 + return 0;
31474 +
31475 + ret = *nonpad_ret = splice_to_pipe(pipe, &spd);
31476 +- if (ret < 0 || ret < total_len)
31477 ++ if ((int)ret < 0 || ret < total_len)
31478 + return ret;
31479 +
31480 + if (read_start + ret == nonpad_end)
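Review bot: The `(int)ret < 0` cast only does anything if `ret` is an unsigned type, in which case the original `ret < 0` was always false and negative returns from `splice_to_pipe()` were silently treated as byte counts; the declaration of `ret` is outside this hunk so I cannot confirm it, but the cast strongly suggests that. Either way the line deserves a comment, e.g. `/* ret is unsigned; compare as int so splice_to_pipe() errors are caught */`, and changing `ret`'s type to a signed one would be the cleaner fix than casting at the comparison.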
31481 +diff -Nurp linux-2.6.23.15/kernel/resource.c linux-2.6.23.15-grsec/kernel/resource.c
31482 +--- linux-2.6.23.15/kernel/resource.c 2007-10-09 21:31:38.000000000 +0100
31483 ++++ linux-2.6.23.15-grsec/kernel/resource.c 2008-02-11 10:37:45.000000000 +0000
31484 +@@ -133,10 +133,27 @@ static int __init ioresources_init(void)
31485 + {
31486 + struct proc_dir_entry *entry;
31487 +
31488 ++#ifdef CONFIG_GRKERNSEC_PROC_ADD
31489 ++#ifdef CONFIG_GRKERNSEC_PROC_USER
31490 ++ entry = create_proc_entry("ioports", S_IRUSR, NULL);
31491 ++#elif CONFIG_GRKERNSEC_PROC_USERGROUP
31492 ++ entry = create_proc_entry("ioports", S_IRUSR | S_IRGRP, NULL);
31493 ++#endif
31494 ++#else
31495 + entry = create_proc_entry("ioports", 0, NULL);
31496 ++#endif
31497 + if (entry)
31498 + entry->proc_fops = &proc_ioports_operations;
31499 ++
31500 ++#ifdef CONFIG_GRKERNSEC_PROC_ADD
31501 ++#ifdef CONFIG_GRKERNSEC_PROC_USER
31502 ++ entry = create_proc_entry("iomem", S_IRUSR, NULL);
31503 ++#elif CONFIG_GRKERNSEC_PROC_USERGROUP
31504 ++ entry = create_proc_entry("iomem", S_IRUSR | S_IRGRP, NULL);
31505 ++#endif
31506 ++#else
31507 + entry = create_proc_entry("iomem", 0, NULL);
31508 ++#endif
31509 + if (entry)
31510 + entry->proc_fops = &proc_iomem_operations;
31511 + return 0;
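Review bot: When `CONFIG_GRKERNSEC_PROC_ADD` is set but neither `CONFIG_GRKERNSEC_PROC_USER` nor `CONFIG_GRKERNSEC_PROC_USERGROUP` is, neither `create_proc_entry` call is compiled and `entry` is read uninitialized at both `if (entry)` checks. If Kconfig guarantees one of the two sub-options, make that explicit with `#else` / `#error "GRKERNSEC_PROC_ADD needs PROC_USER or PROC_USERGROUP"` inside each inner block; otherwise add an `#else` that picks a mode. Also `#elif CONFIG_GRKERNSEC_PROC_USERGROUP` should be `#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)` to match the `#ifdef` above it -- it works today only because the Kconfig symbol, when set, presumably expands to 1.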
31512 +diff -Nurp linux-2.6.23.15/kernel/sched.c linux-2.6.23.15-grsec/kernel/sched.c
31513 +--- linux-2.6.23.15/kernel/sched.c 2008-02-11 10:36:03.000000000 +0000
31514 ++++ linux-2.6.23.15-grsec/kernel/sched.c 2008-02-11 10:37:45.000000000 +0000
31515 +@@ -61,6 +61,7 @@
31516 + #include <linux/delayacct.h>
31517 + #include <linux/reciprocal_div.h>
31518 + #include <linux/unistd.h>
31519 ++#include <linux/grsecurity.h>
31520 +
31521 + #include <asm/tlb.h>
31522 +
31523 +@@ -3470,7 +3471,7 @@ pick_next_task(struct rq *rq, struct tas
31524 + asmlinkage void __sched schedule(void)
31525 + {
31526 + struct task_struct *prev, *next;
31527 +- long *switch_count;
31528 ++ unsigned long *switch_count;
31529 + struct rq *rq;
31530 + int cpu;
31531 +
31532 +@@ -4079,7 +4080,8 @@ asmlinkage long sys_nice(int increment)
31533 + if (nice > 19)
31534 + nice = 19;
31535 +
31536 +- if (increment < 0 && !can_nice(current, nice))
31537 ++ if (increment < 0 && (!can_nice(current, nice) ||
31538 ++ gr_handle_chroot_nice()))
31539 + return -EPERM;
31540 +
31541 + retval = security_task_setnice(current, nice);
31542 +@@ -5267,7 +5269,7 @@ static struct ctl_table sd_ctl_dir[] = {
31543 + .procname = "sched_domain",
31544 + .mode = 0555,
31545 + },
31546 +- {0,},
31547 ++ { 0, NULL, NULL, 0, 0, NULL, NULL, NULL, NULL, NULL, NULL },
31548 + };
31549 +
31550 + static struct ctl_table sd_ctl_root[] = {
31551 +@@ -5277,7 +5279,7 @@ static struct ctl_table sd_ctl_root[] =
31552 + .mode = 0555,
31553 + .child = sd_ctl_dir,
31554 + },
31555 +- {0,},
31556 ++ { 0, NULL, NULL, 0, 0, NULL, NULL, NULL, NULL, NULL, NULL },
31557 + };
31558 +
31559 + static struct ctl_table *sd_alloc_ctl_entry(int n)
31560 +diff -Nurp linux-2.6.23.15/kernel/signal.c linux-2.6.23.15-grsec/kernel/signal.c
31561 +--- linux-2.6.23.15/kernel/signal.c 2007-10-09 21:31:38.000000000 +0100
31562 ++++ linux-2.6.23.15-grsec/kernel/signal.c 2008-02-11 10:37:45.000000000 +0000
31563 +@@ -25,6 +25,7 @@
31564 + #include <linux/capability.h>
31565 + #include <linux/freezer.h>
31566 + #include <linux/pid_namespace.h>
31567 ++#include <linux/grsecurity.h>
31568 + #include <linux/nsproxy.h>
31569 +
31570 + #include <asm/param.h>
31571 +@@ -541,7 +542,9 @@ static int check_kill_permission(int sig
31572 + && (current->euid ^ t->suid) && (current->euid ^ t->uid)
31573 + && (current->uid ^ t->suid) && (current->uid ^ t->uid)
31574 + && !capable(CAP_KILL))
31575 +- return error;
31576 ++ return error;
31577 ++ if (gr_handle_signal(t, sig))
31578 ++ return error;
31579 + }
31580 +
31581 + return security_task_kill(t, info, sig, 0);
31582 +@@ -758,7 +761,7 @@ static int __init setup_print_fatal_sign
31583 +
31584 + __setup("print-fatal-signals=", setup_print_fatal_signals);
31585 +
31586 +-static int
31587 ++int
31588 + specific_send_sig_info(int sig, struct siginfo *info, struct task_struct *t)
31589 + {
31590 + int ret = 0;
31591 +@@ -812,8 +815,12 @@ force_sig_info(int sig, struct siginfo *
31592 + }
31593 + }
31594 + ret = specific_send_sig_info(sig, info, t);
31595 ++
31596 + spin_unlock_irqrestore(&t->sighand->siglock, flags);
31597 +
31598 ++ gr_log_signal(sig, t);
31599 ++ gr_handle_crash(t, sig);
31600 ++
31601 + return ret;
31602 + }
31603 +
31604 +diff -Nurp linux-2.6.23.15/kernel/softirq.c linux-2.6.23.15-grsec/kernel/softirq.c
31605 +--- linux-2.6.23.15/kernel/softirq.c 2007-10-09 21:31:38.000000000 +0100
31606 ++++ linux-2.6.23.15-grsec/kernel/softirq.c 2008-02-11 10:37:45.000000000 +0000
31607 +@@ -471,9 +471,9 @@ void tasklet_kill(struct tasklet_struct
31608 + printk("Attempt to kill tasklet from interrupt\n");
31609 +
31610 + while (test_and_set_bit(TASKLET_STATE_SCHED, &t->state)) {
31611 +- do
31612 ++ do {
31613 + yield();
31614 +- while (test_bit(TASKLET_STATE_SCHED, &t->state));
31615 ++ } while (test_bit(TASKLET_STATE_SCHED, &t->state));
31616 + }
31617 + tasklet_unlock_wait(t);
31618 + clear_bit(TASKLET_STATE_SCHED, &t->state);
31619 +diff -Nurp linux-2.6.23.15/kernel/sys.c linux-2.6.23.15-grsec/kernel/sys.c
31620 +--- linux-2.6.23.15/kernel/sys.c 2007-10-09 21:31:38.000000000 +0100
31621 ++++ linux-2.6.23.15-grsec/kernel/sys.c 2008-02-11 10:37:45.000000000 +0000
31622 +@@ -33,6 +33,7 @@
31623 + #include <linux/task_io_accounting_ops.h>
31624 + #include <linux/seccomp.h>
31625 + #include <linux/cpu.h>
31626 ++#include <linux/grsecurity.h>
31627 +
31628 + #include <linux/compat.h>
31629 + #include <linux/syscalls.h>
31630 +@@ -651,6 +652,12 @@ static int set_one_prio(struct task_stru
31631 + error = -EACCES;
31632 + goto out;
31633 + }
31634 ++
31635 ++ if (gr_handle_chroot_setpriority(p, niceval)) {
31636 ++ error = -EACCES;
31637 ++ goto out;
31638 ++ }
31639 ++
31640 + no_nice = security_task_setnice(p, niceval);
31641 + if (no_nice) {
31642 + error = no_nice;
31643 +@@ -707,10 +714,10 @@ asmlinkage long sys_setpriority(int whic
31644 + if ((who != current->uid) && !(user = find_user(who)))
31645 + goto out_unlock; /* No processes for this user */
31646 +
31647 +- do_each_thread(g, p)
31648 ++ do_each_thread(g, p) {
31649 + if (p->uid == who)
31650 + error = set_one_prio(p, niceval, error);
31651 +- while_each_thread(g, p);
31652 ++ } while_each_thread(g, p);
31653 + if (who != current->uid)
31654 + free_uid(user); /* For find_user() */
31655 + break;
31656 +@@ -769,13 +776,13 @@ asmlinkage long sys_getpriority(int whic
31657 + if ((who != current->uid) && !(user = find_user(who)))
31658 + goto out_unlock; /* No processes for this user */
31659 +
31660 +- do_each_thread(g, p)
31661 ++ do_each_thread(g, p) {
31662 + if (p->uid == who) {
31663 + niceval = 20 - task_nice(p);
31664 + if (niceval > retval)
31665 + retval = niceval;
31666 + }
31667 +- while_each_thread(g, p);
31668 ++ } while_each_thread(g, p);
31669 + if (who != current->uid)
31670 + free_uid(user); /* for find_user() */
31671 + break;
31672 +@@ -1047,6 +1054,9 @@ asmlinkage long sys_setregid(gid_t rgid,
31673 + if (rgid != (gid_t) -1 ||
31674 + (egid != (gid_t) -1 && egid != old_rgid))
31675 + current->sgid = new_egid;
31676 ++
31677 ++ gr_set_role_label(current, current->uid, new_rgid);
31678 ++
31679 + current->fsgid = new_egid;
31680 + current->egid = new_egid;
31681 + current->gid = new_rgid;
31682 +@@ -1074,6 +1084,9 @@ asmlinkage long sys_setgid(gid_t gid)
31683 + set_dumpable(current->mm, suid_dumpable);
31684 + smp_wmb();
31685 + }
31686 ++
31687 ++ gr_set_role_label(current, current->uid, gid);
31688 ++
31689 + current->gid = current->egid = current->sgid = current->fsgid = gid;
31690 + } else if ((gid == current->gid) || (gid == current->sgid)) {
31691 + if (old_egid != gid) {
31692 +@@ -1111,6 +1124,9 @@ static int set_user(uid_t new_ruid, int
31693 + set_dumpable(current->mm, suid_dumpable);
31694 + smp_wmb();
31695 + }
31696 ++
31697 ++ gr_set_role_label(current, new_ruid, current->gid);
31698 ++
31699 + current->uid = new_ruid;
31700 + return 0;
31701 + }
31702 +@@ -1213,6 +1229,9 @@ asmlinkage long sys_setuid(uid_t uid)
31703 + } else if ((uid != current->uid) && (uid != new_suid))
31704 + return -EPERM;
31705 +
31706 ++ if (gr_check_crash_uid(uid))
31707 ++ return -EPERM;
31708 ++
31709 + if (old_euid != uid) {
31710 + set_dumpable(current->mm, suid_dumpable);
31711 + smp_wmb();
31712 +@@ -1315,8 +1334,10 @@ asmlinkage long sys_setresgid(gid_t rgid
31713 + current->egid = egid;
31714 + }
31715 + current->fsgid = current->egid;
31716 +- if (rgid != (gid_t) -1)
31717 ++ if (rgid != (gid_t) -1) {
31718 ++ gr_set_role_label(current, current->uid, rgid);
31719 + current->gid = rgid;
31720 ++ }
31721 + if (sgid != (gid_t) -1)
31722 + current->sgid = sgid;
31723 +
31724 +@@ -1463,7 +1484,10 @@ asmlinkage long sys_setpgid(pid_t pid, p
31725 + write_lock_irq(&tasklist_lock);
31726 +
31727 + err = -ESRCH;
31728 +- p = find_task_by_pid(pid);
31729 ++ /* grsec: replaced find_task_by_pid with equivalent call
31730 ++ which lacks the chroot restriction
31731 ++ */
31732 ++ p = pid_task(find_pid(pid), PIDTYPE_PID);
31733 + if (!p)
31734 + goto out;
31735 +
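Review bot: The comment above the replacement `pid_task(find_pid(pid), PIDTYPE_PID)` in `sys_setpgid` says the call lacks the chroot restriction but not why `setpgid` needs to see tasks that `find_task_by_pid` now hides; without the reason, a future cleanup is likely to "fix" it back. Expand it to state the motivation, e.g. `/* grsec: deliberately bypass the chroot pid filter here -- <reason> -- so use pid_task(find_pid()) directly */`, filled in by whoever knows the rationale. The function continues outside the hunk.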
31736 +@@ -2183,7 +2207,7 @@ asmlinkage long sys_prctl(int option, un
31737 + error = get_dumpable(current->mm);
31738 + break;
31739 + case PR_SET_DUMPABLE:
31740 +- if (arg2 < 0 || arg2 > 1) {
31741 ++ if (arg2 > 1) {
31742 + error = -EINVAL;
31743 + break;
31744 + }
31745 +diff -Nurp linux-2.6.23.15/kernel/sysctl.c linux-2.6.23.15-grsec/kernel/sysctl.c
31746 +--- linux-2.6.23.15/kernel/sysctl.c 2008-02-11 10:36:24.000000000 +0000
31747 ++++ linux-2.6.23.15-grsec/kernel/sysctl.c 2008-02-11 10:37:45.000000000 +0000
31748 +@@ -56,6 +56,13 @@
31749 + #endif
31750 +
31751 + #if defined(CONFIG_SYSCTL)
31752 ++#include <linux/grsecurity.h>
31753 ++#include <linux/grinternal.h>
31754 ++
31755 ++extern __u32 gr_handle_sysctl(const ctl_table *table, const int op);
31756 ++extern int gr_handle_sysctl_mod(const char *dirname, const char *name,
31757 ++ const int op);
31758 ++extern int gr_handle_chroot_sysctl(const int op);
31759 +
31760 + /* External variables not in a header file. */
31761 + extern int C_A_D;
31762 +@@ -141,7 +148,7 @@ static int proc_dointvec_taint(ctl_table
31763 +
31764 + static ctl_table root_table[];
31765 + static struct ctl_table_header root_table_header =
31766 +- { root_table, LIST_HEAD_INIT(root_table_header.ctl_entry) };
31767 ++ { root_table, LIST_HEAD_INIT(root_table_header.ctl_entry), 0, NULL };
31768 +
31769 + static ctl_table kern_table[];
31770 + static ctl_table vm_table[];
31771 +@@ -158,11 +165,27 @@ extern ctl_table inotify_table[];
31772 + #ifdef CONFIG_ALPHA_UAC_SYSCTL
31773 + extern ctl_table uac_table[];
31774 + #endif
31775 ++extern ctl_table grsecurity_table[];
31776 +
31777 + #ifdef HAVE_ARCH_PICK_MMAP_LAYOUT
31778 + int sysctl_legacy_va_layout;
31779 + #endif
31780 +
31781 ++#ifdef CONFIG_PAX_SOFTMODE
31782 ++static ctl_table pax_table[] = {
31783 ++ {
31784 ++ .ctl_name = CTL_UNNUMBERED,
31785 ++ .procname = "softmode",
31786 ++ .data = &pax_softmode,
31787 ++ .maxlen = sizeof(unsigned int),
31788 ++ .mode = 0600,
31789 ++ .proc_handler = &proc_dointvec,
31790 ++ },
31791 ++
31792 ++ { .ctl_name = 0 }
31793 ++};
31794 ++#endif
31795 ++
31796 + extern int prove_locking;
31797 + extern int lock_stat;
31798 +
31799 +@@ -207,6 +230,16 @@ static ctl_table root_table[] = {
31800 + .mode = 0555,
31801 + .child = dev_table,
31802 + },
31803 ++
31804 ++#ifdef CONFIG_PAX_SOFTMODE
31805 ++ {
31806 ++ .ctl_name = CTL_UNNUMBERED,
31807 ++ .procname = "pax",
31808 ++ .mode = 0500,
31809 ++ .child = pax_table,
31810 ++ },
31811 ++#endif
31812 ++
31813 + /*
31814 + * NOTE: do not add new entries to this table unless you have read
31815 + * Documentation/sysctl/ctl_unnumbered.txt
31816 +@@ -777,6 +810,14 @@ static ctl_table kern_table[] = {
31817 + .proc_handler = &proc_dostring,
31818 + .strategy = &sysctl_string,
31819 + },
31820 ++#if defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_MODSTOP)
31821 ++ {
31822 ++ .ctl_name = KERN_GRSECURITY,
31823 ++ .procname = "grsecurity",
31824 ++ .mode = 0500,
31825 ++ .child = grsecurity_table,
31826 ++ },
31827 ++#endif
31828 + /*
31829 + * NOTE: do not add new entries to this table unless you have read
31830 + * Documentation/sysctl/ctl_unnumbered.txt
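Review bot: The new `grsecurity` directory entry in `kern_table` uses a numbered `ctl_name` (`KERN_GRSECURITY`) immediately above the existing note that new entries must use `CTL_UNNUMBERED` per `Documentation/sysctl/ctl_unnumbered.txt`, while the `pax` entry added to `root_table` in this same patch does use `CTL_UNNUMBERED`. If the number is needed for binary-sysctl access by userspace tooling, say so in a one-line comment on the entry; otherwise switch it to `.ctl_name = CTL_UNNUMBERED,` for consistency. The `#if` also enables the entry for `CONFIG_GRKERNSEC_MODSTOP` alone, so `grsecurity_table` must be compiled in under that option too -- its definition is not in this chunk.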
31831 +@@ -1388,6 +1429,25 @@ static int test_perm(int mode, int op)
31832 + int sysctl_perm(ctl_table *table, int op)
31833 + {
31834 + int error;
31835 ++ if (table->parent != NULL && table->parent->procname != NULL &&
31836 ++ table->procname != NULL &&
31837 ++ gr_handle_sysctl_mod(table->parent->procname, table->procname, op))
31838 ++ return -EACCES;
31839 ++ if (gr_handle_chroot_sysctl(op))
31840 ++ return -EACCES;
31841 ++ error = gr_handle_sysctl(table, op);
31842 ++ if (error)
31843 ++ return error;
31844 ++ error = security_sysctl(table, op);
31845 ++ if (error)
31846 ++ return error;
31847 ++ return test_perm(table->mode, op);
31848 ++}
31849 ++
31850 ++int sysctl_perm_nochk(ctl_table *table, int op)
31851 ++{
31852 ++ int error;
31853 ++
31854 + error = security_sysctl(table, op);
31855 + if (error)
31856 + return error;
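Review bot: `sysctl_perm_nochk` duplicates the tail of `sysctl_perm` (the `security_sysctl` call and `test_perm`), so the two can drift apart; define `sysctl_perm_nochk` first (or add a prototype) and end `sysctl_perm` with `return sysctl_perm_nochk(table, op);` after the grsec checks. Also `gr_handle_sysctl_mod` is skipped whenever `table->parent` or either `procname` is NULL, so root-level entries and numbered-only tables never reach it -- fine if that hook is only meant for named leaves, but a comment should say so. The rest of `sysctl_perm_nochk`, and the `parse_table` change in the next hunk that uses it for directory traversal, lie outside this hunk.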
31857 +@@ -1412,13 +1472,14 @@ repeat:
31858 + if (n == table->ctl_name) {
31859 + int error;
31860 + if (table->child) {
31861 +- if (sysctl_perm(table, 001))
31862 ++ if (sysctl_perm_nochk(table, 001))
31863 + return -EPERM;
31864 + name++;
31865 + nlen--;
31866 + table = table->child;
31867 + goto repeat;
31868 + }
31869 ++
31870 + error = do_sysctl_strategy(table, name, nlen,
31871 + oldval, oldlenp,
31872 + newval, newlen);
31873 +diff -Nurp linux-2.6.23.15/kernel/time.c linux-2.6.23.15-grsec/kernel/time.c
31874 +--- linux-2.6.23.15/kernel/time.c 2007-10-09 21:31:38.000000000 +0100
31875 ++++ linux-2.6.23.15-grsec/kernel/time.c 2008-02-11 10:37:45.000000000 +0000
31876 +@@ -35,6 +35,7 @@
31877 + #include <linux/security.h>
31878 + #include <linux/fs.h>
31879 + #include <linux/module.h>
31880 ++#include <linux/grsecurity.h>
31881 +
31882 + #include <asm/uaccess.h>
31883 + #include <asm/unistd.h>
31884 +@@ -92,6 +93,9 @@ asmlinkage long sys_stime(time_t __user
31885 + return err;
31886 +
31887 + do_settimeofday(&tv);
31888 ++
31889 ++ gr_log_timechange();
31890 ++
31891 + return 0;
31892 + }
31893 +
31894 +@@ -197,6 +201,8 @@ asmlinkage long sys_settimeofday(struct
31895 + return -EFAULT;
31896 + }
31897 +
31898 ++ gr_log_timechange();
31899 ++
31900 + return do_sys_settimeofday(tv ? &new_ts : NULL, tz ? &new_tz : NULL);
31901 + }
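Review bot: In `sys_settimeofday` the `gr_log_timechange()` call is made before `do_sys_settimeofday()` runs, so a time change is logged even when that call fails (presumably including its own permission check), whereas the `sys_stime` hunk just above logs only after `do_settimeofday()` has run. Log on success in both places: `err = do_sys_settimeofday(tv ? &new_ts : NULL, tz ? &new_tz : NULL); if (!err) gr_log_timechange(); return err;`. Otherwise unprivileged callers can fill the log with phantom time-change events.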
31902 +
31903 +@@ -235,7 +241,7 @@ EXPORT_SYMBOL(current_fs_time);
31904 + * Avoid unnecessary multiplications/divisions in the
31905 + * two most common HZ cases:
31906 + */
31907 +-unsigned int inline jiffies_to_msecs(const unsigned long j)
31908 ++inline unsigned int jiffies_to_msecs(const unsigned long j)
31909 + {
31910 + #if HZ <= MSEC_PER_SEC && !(MSEC_PER_SEC % HZ)
31911 + return (MSEC_PER_SEC / HZ) * j;
31912 +@@ -247,7 +253,7 @@ unsigned int inline jiffies_to_msecs(con
31913 + }
31914 + EXPORT_SYMBOL(jiffies_to_msecs);
31915 +
31916 +-unsigned int inline jiffies_to_usecs(const unsigned long j)
31917 ++inline unsigned int jiffies_to_usecs(const unsigned long j)
31918 + {
31919 + #if HZ <= USEC_PER_SEC && !(USEC_PER_SEC % HZ)
31920 + return (USEC_PER_SEC / HZ) * j;
31921 +diff -Nurp linux-2.6.23.15/kernel/utsname_sysctl.c linux-2.6.23.15-grsec/kernel/utsname_sysctl.c
31922 +--- linux-2.6.23.15/kernel/utsname_sysctl.c 2007-10-09 21:31:38.000000000 +0100
31923 ++++ linux-2.6.23.15-grsec/kernel/utsname_sysctl.c 2008-02-11 10:37:45.000000000 +0000
31924 +@@ -121,7 +121,7 @@ static struct ctl_table uts_kern_table[]
31925 + .proc_handler = proc_do_uts_string,
31926 + .strategy = sysctl_uts_string,
31927 + },
31928 +- {}
31929 ++ { 0, NULL, NULL, 0, 0, NULL, NULL, NULL, NULL, NULL, NULL }
31930 + };
31931 +
31932 + static struct ctl_table uts_root_table[] = {
31933 +@@ -131,7 +131,7 @@ static struct ctl_table uts_root_table[]
31934 + .mode = 0555,
31935 + .child = uts_kern_table,
31936 + },
31937 +- {}
31938 ++ { 0, NULL, NULL, 0, 0, NULL, NULL, NULL, NULL, NULL, NULL }
31939 + };
31940 +
31941 + static int __init utsname_sysctl_init(void)
31942 +diff -Nurp linux-2.6.23.15/lib/radix-tree.c linux-2.6.23.15-grsec/lib/radix-tree.c
31943 +--- linux-2.6.23.15/lib/radix-tree.c 2007-10-09 21:31:38.000000000 +0100
31944 ++++ linux-2.6.23.15-grsec/lib/radix-tree.c 2008-02-11 10:37:45.000000000 +0000
31945 +@@ -76,7 +76,7 @@ struct radix_tree_preload {
31946 + int nr;
31947 + struct radix_tree_node *nodes[RADIX_TREE_MAX_PATH];
31948 + };
31949 +-DEFINE_PER_CPU(struct radix_tree_preload, radix_tree_preloads) = { 0, };
31950 ++DEFINE_PER_CPU(struct radix_tree_preload, radix_tree_preloads) = { 0, {NULL} };
31951 +
31952 + static inline gfp_t root_gfp_mask(struct radix_tree_root *root)
31953 + {
31954 +diff -Nurp linux-2.6.23.15/mm/filemap.c linux-2.6.23.15-grsec/mm/filemap.c
31955 +--- linux-2.6.23.15/mm/filemap.c 2008-02-11 10:36:03.000000000 +0000
31956 ++++ linux-2.6.23.15-grsec/mm/filemap.c 2008-02-11 10:37:45.000000000 +0000
31957 +@@ -30,6 +30,7 @@
31958 + #include <linux/security.h>
31959 + #include <linux/syscalls.h>
31960 + #include <linux/cpuset.h>
31961 ++#include <linux/grsecurity.h>
31962 + #include "filemap.h"
31963 + #include "internal.h"
31964 +
31965 +@@ -1461,7 +1462,7 @@ int generic_file_mmap(struct file * file
31966 + struct address_space *mapping = file->f_mapping;
31967 +
31968 + if (!mapping->a_ops->readpage)
31969 +- return -ENOEXEC;
31970 ++ return -ENODEV;
31971 + file_accessed(file);
31972 + vma->vm_ops = &generic_file_vm_ops;
31973 + vma->vm_flags |= VM_CAN_NONLINEAR;
31974 +@@ -1726,6 +1727,7 @@ inline int generic_write_checks(struct f
31975 + *pos = i_size_read(inode);
31976 +
31977 + if (limit != RLIM_INFINITY) {
31978 ++ gr_learn_resource(current, RLIMIT_FSIZE,*pos, 0);
31979 + if (*pos >= limit) {
31980 + send_sig(SIGXFSZ, current, 0);
31981 + return -EFBIG;
31982 +diff -Nurp linux-2.6.23.15/mm/fremap.c linux-2.6.23.15-grsec/mm/fremap.c
31983 +--- linux-2.6.23.15/mm/fremap.c 2007-10-09 21:31:38.000000000 +0100
31984 ++++ linux-2.6.23.15-grsec/mm/fremap.c 2008-02-11 10:37:45.000000000 +0000
31985 +@@ -148,6 +148,13 @@ asmlinkage long sys_remap_file_pages(uns
31986 + retry:
31987 + vma = find_vma(mm, start);
31988 +
31989 ++#ifdef CONFIG_PAX_SEGMEXEC
31990 ++ if (vma && (mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_flags & VM_MAYEXEC)) {
31991 ++ up_read(&mm->mmap_sem);
31992 ++ return err;
31993 ++ }
31994 ++#endif
31995 ++
31996 + /*
31997 + * Make sure the vma is shared, that it supports prefaulting,
31998 + * and that the remapped range is valid and fully within
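Review bot: The added SEGMEXEC early exit does `up_read(&mm->mmap_sem)` inline and returns whatever `err` currently holds; both depend on state set outside the hunk. The `retry:` label directly above is re-entered in this kernel after the function upgrades to the write side of mmap_sem (that code is past the hunk), and if a VM_MAYEXEC vma is found on the second pass, an `up_read` against a write-held semaphore is unbalanced. Routing the exit through the function's existing unlock path, `goto out;` with `err` set explicitly (`err = -EINVAL;` rather than relying on its initializer), keeps the lock bookkeeping in one place. If the retry can provably never reach this check, a comment saying so would settle it.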
31999 +diff -Nurp linux-2.6.23.15/mm/hugetlb.c linux-2.6.23.15-grsec/mm/hugetlb.c
32000 +--- linux-2.6.23.15/mm/hugetlb.c 2007-10-09 21:31:38.000000000 +0100
32001 ++++ linux-2.6.23.15-grsec/mm/hugetlb.c 2008-02-11 10:37:45.000000000 +0000
32002 +@@ -460,6 +460,26 @@ void unmap_hugepage_range(struct vm_area
32003 + }
32004 + }
32005 +
32006 ++#ifdef CONFIG_PAX_SEGMEXEC
32007 ++static void pax_mirror_huge_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m)
32008 ++{
32009 ++ struct mm_struct *mm = vma->vm_mm;
32010 ++ struct vm_area_struct *vma_m;
32011 ++ unsigned long address_m;
32012 ++ pte_t *ptep_m;
32013 ++
32014 ++ vma_m = pax_find_mirror_vma(vma);
32015 ++ if (!vma_m)
32016 ++ return;
32017 ++
32018 ++ BUG_ON(address >= SEGMEXEC_TASK_SIZE);
32019 ++ address_m = address + SEGMEXEC_TASK_SIZE;
32020 ++ ptep_m = huge_pte_offset(mm, address_m & HPAGE_MASK);
32021 ++ get_page(page_m);
32022 ++ set_huge_pte_at(mm, address_m, ptep_m, make_huge_pte(vma_m, page_m, 0));
32023 ++}
32024 ++#endif
32025 ++
32026 + static int hugetlb_cow(struct mm_struct *mm, struct vm_area_struct *vma,
32027 + unsigned long address, pte_t *ptep, pte_t pte)
32028 + {
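Review bot: `pax_mirror_huge_pte` passes the result of `huge_pte_offset(mm, address_m & HPAGE_MASK)` straight to `set_huge_pte_at()` without checking it for NULL. The helper implicitly depends on the mirror's huge PTE having been allocated earlier by the `huge_pte_alloc(mm, address_m)` call that the `@@ -589,6 +618,27` hunk adds to hugetlb_fault; nothing in the helper documents or enforces that precondition. Propose `BUG_ON(!ptep_m);` after the `huge_pte_offset` call, and a one-line header comment: `/* PaX: mirror the huge PTE into the SEGMEXEC twin; the twin's PTE must already be allocated by hugetlb_fault() */`.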
32029 +@@ -493,6 +513,11 @@ static int hugetlb_cow(struct mm_struct
32030 + /* Break COW */
32031 + set_huge_pte_at(mm, address, ptep,
32032 + make_huge_pte(vma, new_page, 1));
32033 ++
32034 ++#ifdef CONFIG_PAX_SEGMEXEC
32035 ++ pax_mirror_huge_pte(vma, address, new_page);
32036 ++#endif
32037 ++
32038 + /* Make the old page be freed below */
32039 + new_page = old_page;
32040 + }
32041 +@@ -563,6 +588,10 @@ retry:
32042 + && (vma->vm_flags & VM_SHARED)));
32043 + set_huge_pte_at(mm, address, ptep, new_pte);
32044 +
32045 ++#ifdef CONFIG_PAX_SEGMEXEC
32046 ++ pax_mirror_huge_pte(vma, address, page);
32047 ++#endif
32048 ++
32049 + if (write_access && !(vma->vm_flags & VM_SHARED)) {
32050 + /* Optimization, do the COW without a second fault */
32051 + ret = hugetlb_cow(mm, vma, address, ptep, new_pte);
32052 +@@ -589,6 +618,27 @@ int hugetlb_fault(struct mm_struct *mm,
32053 + int ret;
32054 + static DEFINE_MUTEX(hugetlb_instantiation_mutex);
32055 +
32056 ++#ifdef CONFIG_PAX_SEGMEXEC
32057 ++ struct vm_area_struct *vma_m;
32058 ++
32059 ++ vma_m = pax_find_mirror_vma(vma);
32060 ++ if (vma_m) {
32061 ++ unsigned long address_m;
32062 ++
32063 ++ if (vma->vm_start > vma_m->vm_start) {
32064 ++ address_m = address;
32065 ++ address -= SEGMEXEC_TASK_SIZE;
32066 ++ vma = vma_m;
32067 ++ } else
32068 ++ address_m = address + SEGMEXEC_TASK_SIZE;
32069 ++
32070 ++ if (!huge_pte_alloc(mm, address_m))
32071 ++ return VM_FAULT_OOM;
32072 ++ address_m &= HPAGE_MASK;
32073 ++ unmap_hugepage_range(vma, address_m, address_m + HPAGE_SIZE);
32074 ++ }
32075 ++#endif
32076 ++
32077 + ptep = huge_pte_alloc(mm, address);
32078 + if (!ptep)
32079 + return VM_FAULT_OOM;
32080 +diff -Nurp linux-2.6.23.15/mm/madvise.c linux-2.6.23.15-grsec/mm/madvise.c
32081 +--- linux-2.6.23.15/mm/madvise.c 2007-10-09 21:31:38.000000000 +0100
32082 ++++ linux-2.6.23.15-grsec/mm/madvise.c 2008-02-11 10:37:45.000000000 +0000
32083 +@@ -43,6 +43,10 @@ static long madvise_behavior(struct vm_a
32084 + pgoff_t pgoff;
32085 + int new_flags = vma->vm_flags;
32086 +
32087 ++#ifdef CONFIG_PAX_SEGMEXEC
32088 ++ struct vm_area_struct *vma_m;
32089 ++#endif
32090 ++
32091 + switch (behavior) {
32092 + case MADV_NORMAL:
32093 + new_flags = new_flags & ~VM_RAND_READ & ~VM_SEQ_READ;
32094 +@@ -92,6 +96,13 @@ success:
32095 + /*
32096 + * vm_flags is protected by the mmap_sem held in write mode.
32097 + */
32098 ++
32099 ++#ifdef CONFIG_PAX_SEGMEXEC
32100 ++ vma_m = pax_find_mirror_vma(vma);
32101 ++ if (vma_m)
32102 ++ vma_m->vm_flags = new_flags & ~(VM_WRITE | VM_MAYWRITE | VM_ACCOUNT);
32103 ++#endif
32104 ++
32105 + vma->vm_flags = new_flags;
32106 +
32107 + out:
32108 +@@ -236,6 +247,17 @@ madvise_vma(struct vm_area_struct *vma,
32109 +
32110 + case MADV_DONTNEED:
32111 + error = madvise_dontneed(vma, prev, start, end);
32112 ++
32113 ++#ifdef CONFIG_PAX_SEGMEXEC
32114 ++ if (!error) {
32115 ++ struct vm_area_struct *vma_m, *prev_m;
32116 ++
32117 ++ vma_m = pax_find_mirror_vma(vma);
32118 ++ if (vma_m)
32119 ++ error = madvise_dontneed(vma_m, &prev_m, start + SEGMEXEC_TASK_SIZE, end + SEGMEXEC_TASK_SIZE);
32120 ++ }
32121 ++#endif
32122 ++
32123 + break;
32124 +
32125 + default:
32126 +@@ -308,6 +330,16 @@ asmlinkage long sys_madvise(unsigned lon
32127 + if (end < start)
32128 + goto out;
32129 +
32130 ++#ifdef CONFIG_PAX_SEGMEXEC
32131 ++ if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
32132 ++ if (end > SEGMEXEC_TASK_SIZE)
32133 ++ goto out;
32134 ++ } else
32135 ++#endif
32136 ++
32137 ++ if (end > TASK_SIZE)
32138 ++ goto out;
32139 ++
32140 + error = 0;
32141 + if (end == start)
32142 + goto out;
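Review bot: The `} else` at the end of the `#ifdef CONFIG_PAX_SEGMEXEC` block attaches to an `if` that only exists outside the preprocessor conditional, so the control flow of sys_madvise changes shape depending on configuration and a blank line between `#endif` and the `if (end > TASK_SIZE)` is all that keeps the `else` readable. The same construction appears in do_mbind (the mempolicy.c `@@ -760,6 +774,17` hunk) and do_mlock (the mlock.c `@@ -95,6 +96,17` hunk). Selecting the limit under the `#ifdef` and keeping a single unconditional comparison gives identical behaviour with one code path; sys_madvise's locals are declared above this hunk, so the new variable goes there.
```c
	/* … with sys_madvise's other locals, above this hunk: … */
	unsigned long task_size = TASK_SIZE;

	/* … unchanged: end < start check … */

#ifdef CONFIG_PAX_SEGMEXEC
	if (current->mm->pax_flags & MF_PAX_SEGMEXEC)
		task_size = SEGMEXEC_TASK_SIZE;
#endif

	if (end > task_size)
		goto out;
```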
32143 +diff -Nurp linux-2.6.23.15/mm/memory.c linux-2.6.23.15-grsec/mm/memory.c
32144 +--- linux-2.6.23.15/mm/memory.c 2007-10-09 21:31:38.000000000 +0100
32145 ++++ linux-2.6.23.15-grsec/mm/memory.c 2008-02-11 10:37:45.000000000 +0000
32146 +@@ -50,6 +50,7 @@
32147 + #include <linux/delayacct.h>
32148 + #include <linux/init.h>
32149 + #include <linux/writeback.h>
32150 ++#include <linux/grsecurity.h>
32151 +
32152 + #include <asm/pgalloc.h>
32153 + #include <asm/uaccess.h>
32154 +@@ -993,7 +994,7 @@ int get_user_pages(struct task_struct *t
32155 + struct vm_area_struct *vma;
32156 + unsigned int foll_flags;
32157 +
32158 +- vma = find_extend_vma(mm, start);
32159 ++ vma = find_vma(mm, start);
32160 + if (!vma && in_gate_area(tsk, start)) {
32161 + unsigned long pg = start & PAGE_MASK;
32162 + struct vm_area_struct *gate_vma = get_gate_vma(tsk);
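Review bot: Replacing `find_extend_vma()` with `find_vma()` here, together with the `start < vma->vm_start` test added in the `@@ -1033,7 +1034,7` hunk, means get_user_pages() no longer grows a stack vma on a caller's behalf and instead returns `-EFAULT` (or the partial count) for addresses in the gap below a vma, yet neither hunk says so. That is a deliberate and security-relevant change (the stack is no longer expanded by another process's access), so propose a comment at the `find_vma` call: `/* PaX: never expand the stack from get_user_pages(); addresses below vma->vm_start fail with -EFAULT below */`. get_user_pages' body continues outside both hunks.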
32163 +@@ -1033,7 +1034,7 @@ int get_user_pages(struct task_struct *t
32164 + continue;
32165 + }
32166 +
32167 +- if (!vma || (vma->vm_flags & (VM_IO | VM_PFNMAP))
32168 ++ if (!vma || start < vma->vm_start || (vma->vm_flags & (VM_IO | VM_PFNMAP))
32169 + || !(vm_flags & vma->vm_flags))
32170 + return i ? : -EFAULT;
32171 +
32172 +@@ -1614,6 +1615,195 @@ static inline void cow_user_page(struct
32173 + copy_user_highpage(dst, src, va, vma);
32174 + }
32175 +
32176 ++#ifdef CONFIG_PAX_SEGMEXEC
32177 ++static void pax_unmap_mirror_pte(struct vm_area_struct *vma, unsigned long address, pmd_t *pmd)
32178 ++{
32179 ++ struct mm_struct *mm = vma->vm_mm;
32180 ++ spinlock_t *ptl;
32181 ++ pte_t *pte, entry;
32182 ++
32183 ++ pte = pte_offset_map_lock(mm, pmd, address, &ptl);
32184 ++ entry = *pte;
32185 ++ if (!pte_present(entry)) {
32186 ++ if (!pte_none(entry)) {
32187 ++ BUG_ON(pte_file(entry));
32188 ++ free_swap_and_cache(pte_to_swp_entry(entry));
32189 ++ pte_clear_not_present_full(mm, address, pte, 0);
32190 ++ }
32191 ++ } else {
32192 ++ struct page *page;
32193 ++
32194 ++ page = vm_normal_page(vma, address, entry);
32195 ++ if (page) {
32196 ++ flush_cache_page(vma, address, pte_pfn(entry));
32197 ++ flush_icache_page(vma, page);
32198 ++ }
32199 ++ ptep_clear_flush(vma, address, pte);
32200 ++ BUG_ON(pte_dirty(entry));
32201 ++ if (page) {
32202 ++ update_hiwater_rss(mm);
32203 ++ if (PageAnon(page))
32204 ++ dec_mm_counter(mm, anon_rss);
32205 ++ else
32206 ++ dec_mm_counter(mm, file_rss);
32207 ++ page_remove_rmap(page, vma);
32208 ++ page_cache_release(page);
32209 ++ }
32210 ++ }
32211 ++ pte_unmap_unlock(pte, ptl);
32212 ++}
32213 ++
32214 ++/* PaX: if vma is mirrored, synchronize the mirror's PTE
32215 ++ *
32216 ++ * the ptl of the lower mapped page is held on entry and is not released on exit
32217 ++ * or inside to ensure atomic changes to the PTE states (swapout, mremap, munmap, etc)
32218 ++ */
32219 ++static void pax_mirror_anon_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m, spinlock_t *ptl)
32220 ++{
32221 ++ struct mm_struct *mm = vma->vm_mm;
32222 ++ unsigned long address_m;
32223 ++ spinlock_t *ptl_m;
32224 ++ struct vm_area_struct *vma_m;
32225 ++ pmd_t *pmd_m;
32226 ++ pte_t *pte_m, entry_m;
32227 ++
32228 ++ BUG_ON(!page_m || !PageAnon(page_m));
32229 ++
32230 ++ vma_m = pax_find_mirror_vma(vma);
32231 ++ if (!vma_m)
32232 ++ return;
32233 ++
32234 ++ BUG_ON(!PageLocked(page_m));
32235 ++ BUG_ON(address >= SEGMEXEC_TASK_SIZE);
32236 ++ address_m = address + SEGMEXEC_TASK_SIZE;
32237 ++ pmd_m = pmd_offset(pud_offset(pgd_offset(mm, address_m), address_m), address_m);
32238 ++ pte_m = pte_offset_map_nested(pmd_m, address_m);
32239 ++ ptl_m = pte_lockptr(mm, pmd_m);
32240 ++ if (ptl != ptl_m) {
32241 ++ spin_lock_nested(ptl_m, SINGLE_DEPTH_NESTING);
32242 ++ if (!pte_none(*pte_m)) {
32243 ++ spin_unlock(ptl_m);
32244 ++ pte_unmap_nested(pte_m);
32245 ++ unlock_page(page_m);
32246 ++ return;
32247 ++ }
32248 ++ }
32249 ++
32250 ++ entry_m = pfn_pte(page_to_pfn(page_m), vma_m->vm_page_prot);
32251 ++ page_cache_get(page_m);
32252 ++ page_add_anon_rmap(page_m, vma_m, address_m);
32253 ++ inc_mm_counter(mm, anon_rss);
32254 ++ set_pte_at(mm, address_m, pte_m, entry_m);
32255 ++ update_mmu_cache(vma_m, address_m, entry_m);
32256 ++ lazy_mmu_prot_update(entry_m);
32257 ++ if (ptl != ptl_m)
32258 ++ spin_unlock(ptl_m);
32259 ++ pte_unmap_nested(pte_m);
32260 ++ unlock_page(page_m);
32261 ++}
32262 ++
32263 ++void pax_mirror_file_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m, spinlock_t *ptl)
32264 ++{
32265 ++ struct mm_struct *mm = vma->vm_mm;
32266 ++ unsigned long address_m;
32267 ++ spinlock_t *ptl_m;
32268 ++ struct vm_area_struct *vma_m;
32269 ++ pmd_t *pmd_m;
32270 ++ pte_t *pte_m, entry_m;
32271 ++
32272 ++ BUG_ON(!page_m || PageAnon(page_m));
32273 ++
32274 ++ vma_m = pax_find_mirror_vma(vma);
32275 ++ if (!vma_m)
32276 ++ return;
32277 ++
32278 ++ BUG_ON(address >= SEGMEXEC_TASK_SIZE);
32279 ++ address_m = address + SEGMEXEC_TASK_SIZE;
32280 ++ pmd_m = pmd_offset(pud_offset(pgd_offset(mm, address_m), address_m), address_m);
32281 ++ pte_m = pte_offset_map_nested(pmd_m, address_m);
32282 ++ ptl_m = pte_lockptr(mm, pmd_m);
32283 ++ if (ptl != ptl_m) {
32284 ++ spin_lock_nested(ptl_m, SINGLE_DEPTH_NESTING);
32285 ++ if (!pte_none(*pte_m)) {
32286 ++ spin_unlock(ptl_m);
32287 ++ pte_unmap_nested(pte_m);
32288 ++ return;
32289 ++ }
32290 ++ }
32291 ++
32292 ++ entry_m = pfn_pte(page_to_pfn(page_m), vma_m->vm_page_prot);
32293 ++ page_cache_get(page_m);
32294 ++ page_add_file_rmap(page_m);
32295 ++ inc_mm_counter(mm, file_rss);
32296 ++ set_pte_at(mm, address_m, pte_m, entry_m);
32297 ++ update_mmu_cache(vma_m, address_m, entry_m);
32298 ++ lazy_mmu_prot_update(entry_m);
32299 ++ if (ptl != ptl_m)
32300 ++ spin_unlock(ptl_m);
32301 ++ pte_unmap_nested(pte_m);
32302 ++}
32303 ++
32304 ++static void pax_mirror_pfn_pte(struct vm_area_struct *vma, unsigned long address, unsigned long pfn_m, spinlock_t *ptl)
32305 ++{
32306 ++ struct mm_struct *mm = vma->vm_mm;
32307 ++ unsigned long address_m;
32308 ++ spinlock_t *ptl_m;
32309 ++ struct vm_area_struct *vma_m;
32310 ++ pmd_t *pmd_m;
32311 ++ pte_t *pte_m, entry_m;
32312 ++
32313 ++ vma_m = pax_find_mirror_vma(vma);
32314 ++ if (!vma_m)
32315 ++ return;
32316 ++
32317 ++ BUG_ON(address >= SEGMEXEC_TASK_SIZE);
32318 ++ address_m = address + SEGMEXEC_TASK_SIZE;
32319 ++ pmd_m = pmd_offset(pud_offset(pgd_offset(mm, address_m), address_m), address_m);
32320 ++ pte_m = pte_offset_map_nested(pmd_m, address_m);
32321 ++ ptl_m = pte_lockptr(mm, pmd_m);
32322 ++ if (ptl != ptl_m) {
32323 ++ spin_lock_nested(ptl_m, SINGLE_DEPTH_NESTING);
32324 ++ if (!pte_none(*pte_m)) {
32325 ++ spin_unlock(ptl_m);
32326 ++ pte_unmap_nested(pte_m);
32327 ++ return;
32328 ++ }
32329 ++ }
32330 ++
32331 ++ entry_m = pfn_pte(pfn_m, vma_m->vm_page_prot);
32332 ++ set_pte_at(mm, address_m, pte_m, entry_m);
32333 ++ if (ptl != ptl_m)
32334 ++ spin_unlock(ptl_m);
32335 ++ pte_unmap_nested(pte_m);
32336 ++}
32337 ++
32338 ++static void pax_mirror_pte(struct vm_area_struct *vma, unsigned long address, pte_t *pte, spinlock_t *ptl)
32339 ++{
32340 ++ struct page *page_m;
32341 ++ pte_t entry;
32342 ++
32343 ++ if (!(vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC))
32344 ++ return;
32345 ++
32346 ++ entry = *pte;
32347 ++ page_m = vm_normal_page(vma, address, entry);
32348 ++ if (!page_m)
32349 ++ pax_mirror_pfn_pte(vma, address, pte_pfn(entry), ptl);
32350 ++ else if (PageAnon(page_m)) {
32351 ++ if (pax_find_mirror_vma(vma)) {
32352 ++ spin_unlock(ptl);
32353 ++ lock_page(page_m);
32354 ++ spin_lock(ptl);
32355 ++ if (pte_same(entry, *pte))
32356 ++ pax_mirror_anon_pte(vma, address, page_m, ptl);
32357 ++ else
32358 ++ unlock_page(page_m);
32359 ++ }
32360 ++ } else
32361 ++ pax_mirror_file_pte(vma, address, page_m, ptl);
32362 ++}
32363 ++#endif
32364 ++
32365 + /*
32366 + * This routine handles present pages, when users try to write
32367 + * to a shared page. It is done by copying the page to a new address
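Review bot: In `pax_mirror_pte`, the anonymous-page branch releases `ptl` and calls `lock_page(page_m)` without holding a reference on the page: between `spin_unlock(ptl)` and `lock_page` the PTE can be unmapped by reclaim and the page freed, and the `pte_same(entry, *pte)` test only runs after the lock has already been taken on it. Unless the caller pins the page (handle_pte_fault holds mmap_sem for read, which does not stop reclaim), hold a reference across the window as the rest of this hunk does elsewhere: `page_cache_get(page_m);` before `spin_unlock(ptl)` and `page_cache_release(page_m);` after the `if (pte_same(...)) ... else unlock_page(page_m);` branch. The header comment on `pax_mirror_anon_pte` documents the ptl contract well; a matching line on `pax_mirror_pte` noting that it briefly drops and re-takes `ptl` would help callers.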
32368 +@@ -1733,6 +1923,12 @@ gotten:
32369 + */
32370 + page_table = pte_offset_map_lock(mm, pmd, address, &ptl);
32371 + if (likely(pte_same(*page_table, orig_pte))) {
32372 ++
32373 ++#ifdef CONFIG_PAX_SEGMEXEC
32374 ++ if (pax_find_mirror_vma(vma))
32375 ++ BUG_ON(TestSetPageLocked(new_page));
32376 ++#endif
32377 ++
32378 + if (old_page) {
32379 + page_remove_rmap(old_page, vma);
32380 + if (!PageAnon(old_page)) {
32381 +@@ -1757,6 +1953,10 @@ gotten:
32382 + lru_cache_add_active(new_page);
32383 + page_add_new_anon_rmap(new_page, vma, address);
32384 +
32385 ++#ifdef CONFIG_PAX_SEGMEXEC
32386 ++ pax_mirror_anon_pte(vma, address, new_page, ptl);
32387 ++#endif
32388 ++
32389 + /* Free the old page.. */
32390 + new_page = old_page;
32391 + ret |= VM_FAULT_WRITE;
32392 +@@ -2034,6 +2234,7 @@ int vmtruncate(struct inode * inode, lof
32393 +
32394 + do_expand:
32395 + limit = current->signal->rlim[RLIMIT_FSIZE].rlim_cur;
32396 ++ gr_learn_resource(current, RLIMIT_FSIZE, offset, 1);
32397 + if (limit != RLIM_INFINITY && offset > limit)
32398 + goto out_sig;
32399 + if (offset > inode->i_sb->s_maxbytes)
32400 +@@ -2216,6 +2417,11 @@ static int do_swap_page(struct mm_struct
32401 + swap_free(entry);
32402 + if (vm_swap_full())
32403 + remove_exclusive_swap_page(page);
32404 ++
32405 ++#ifdef CONFIG_PAX_SEGMEXEC
32406 ++ if (write_access || !pax_find_mirror_vma(vma))
32407 ++#endif
32408 ++
32409 + unlock_page(page);
32410 +
32411 + if (write_access) {
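Review bot: The `if (write_access || !pax_find_mirror_vma(vma))` placed inside `#ifdef CONFIG_PAX_SEGMEXEC` silently turns the unconditional `unlock_page(page)` below it into a conditional one, and the reason is only discoverable by reading the `@@ -2228,6 +2434,11` hunk, where `pax_mirror_anon_pte()` (which asserts `PageLocked` and unlocks the page itself) consumes the still-held lock. Propose a comment on the conditional: `/* PaX: with a mirror and no write, keep the page locked; pax_mirror_anon_pte() below releases it */`. The write_access path relies on code outside the hunk leaving the function before that second call, which the comment should mention if true.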
32412 +@@ -2228,6 +2434,11 @@ static int do_swap_page(struct mm_struct
32413 +
32414 + /* No need to invalidate - it was non-present before */
32415 + update_mmu_cache(vma, address, pte);
32416 ++
32417 ++#ifdef CONFIG_PAX_SEGMEXEC
32418 ++ pax_mirror_anon_pte(vma, address, page, ptl);
32419 ++#endif
32420 ++
32421 + unlock:
32422 + pte_unmap_unlock(page_table, ptl);
32423 + out:
32424 +@@ -2268,6 +2479,12 @@ static int do_anonymous_page(struct mm_s
32425 + page_table = pte_offset_map_lock(mm, pmd, address, &ptl);
32426 + if (!pte_none(*page_table))
32427 + goto release;
32428 ++
32429 ++#ifdef CONFIG_PAX_SEGMEXEC
32430 ++ if (pax_find_mirror_vma(vma))
32431 ++ BUG_ON(TestSetPageLocked(page));
32432 ++#endif
32433 ++
32434 + inc_mm_counter(mm, anon_rss);
32435 + lru_cache_add_active(page);
32436 + page_add_new_anon_rmap(page, vma, address);
32437 +@@ -2290,6 +2507,14 @@ static int do_anonymous_page(struct mm_s
32438 + /* No need to invalidate - it was non-present before */
32439 + update_mmu_cache(vma, address, entry);
32440 + lazy_mmu_prot_update(entry);
32441 ++
32442 ++#ifdef CONFIG_PAX_SEGMEXEC
32443 ++ if (write_access)
32444 ++ pax_mirror_anon_pte(vma, address, page, ptl);
32445 ++ else
32446 ++ pax_mirror_file_pte(vma, address, page, ptl);
32447 ++#endif
32448 ++
32449 + unlock:
32450 + pte_unmap_unlock(page_table, ptl);
32451 + return 0;
32452 +@@ -2422,6 +2647,12 @@ static int __do_fault(struct mm_struct *
32453 + */
32454 + /* Only go through if we didn't race with anybody else... */
32455 + if (likely(pte_same(*page_table, orig_pte))) {
32456 ++
32457 ++#ifdef CONFIG_PAX_SEGMEXEC
32458 ++ if (anon && pax_find_mirror_vma(vma))
32459 ++ BUG_ON(TestSetPageLocked(page));
32460 ++#endif
32461 ++
32462 + flush_icache_page(vma, page);
32463 + entry = mk_pte(page, vma->vm_page_prot);
32464 + if (flags & FAULT_FLAG_WRITE)
32465 +@@ -2443,6 +2674,14 @@ static int __do_fault(struct mm_struct *
32466 + /* no need to invalidate: a not-present page won't be cached */
32467 + update_mmu_cache(vma, address, entry);
32468 + lazy_mmu_prot_update(entry);
32469 ++
32470 ++#ifdef CONFIG_PAX_SEGMEXEC
32471 ++ if (anon)
32472 ++ pax_mirror_anon_pte(vma, address, page, ptl);
32473 ++ else
32474 ++ pax_mirror_file_pte(vma, address, page, ptl);
32475 ++#endif
32476 ++
32477 + } else {
32478 + if (anon)
32479 + page_cache_release(page);
32480 +@@ -2522,6 +2761,11 @@ static noinline int do_no_pfn(struct mm_
32481 + if (write_access)
32482 + entry = maybe_mkwrite(pte_mkdirty(entry), vma);
32483 + set_pte_at(mm, address, page_table, entry);
32484 ++
32485 ++#ifdef CONFIG_PAX_SEGMEXEC
32486 ++ pax_mirror_pfn_pte(vma, address, pfn, ptl);
32487 ++#endif
32488 ++
32489 + }
32490 + pte_unmap_unlock(page_table, ptl);
32491 + return 0;
32492 +@@ -2625,6 +2869,11 @@ static inline int handle_pte_fault(struc
32493 + if (write_access)
32494 + flush_tlb_page(vma, address);
32495 + }
32496 ++
32497 ++#ifdef CONFIG_PAX_SEGMEXEC
32498 ++ pax_mirror_pte(vma, address, pte, ptl);
32499 ++#endif
32500 ++
32501 + unlock:
32502 + pte_unmap_unlock(pte, ptl);
32503 + return 0;
32504 +@@ -2641,6 +2890,10 @@ int handle_mm_fault(struct mm_struct *mm
32505 + pmd_t *pmd;
32506 + pte_t *pte;
32507 +
32508 ++#ifdef CONFIG_PAX_SEGMEXEC
32509 ++ struct vm_area_struct *vma_m;
32510 ++#endif
32511 ++
32512 + __set_current_state(TASK_RUNNING);
32513 +
32514 + count_vm_event(PGFAULT);
32515 +@@ -2648,6 +2901,34 @@ int handle_mm_fault(struct mm_struct *mm
32516 + if (unlikely(is_vm_hugetlb_page(vma)))
32517 + return hugetlb_fault(mm, vma, address, write_access);
32518 +
32519 ++#ifdef CONFIG_PAX_SEGMEXEC
32520 ++ vma_m = pax_find_mirror_vma(vma);
32521 ++ if (vma_m) {
32522 ++ unsigned long address_m;
32523 ++ pgd_t *pgd_m;
32524 ++ pud_t *pud_m;
32525 ++ pmd_t *pmd_m;
32526 ++
32527 ++ if (vma->vm_start > vma_m->vm_start) {
32528 ++ address_m = address;
32529 ++ address -= SEGMEXEC_TASK_SIZE;
32530 ++ vma = vma_m;
32531 ++ } else
32532 ++ address_m = address + SEGMEXEC_TASK_SIZE;
32533 ++
32534 ++ pgd_m = pgd_offset(mm, address_m);
32535 ++ pud_m = pud_alloc(mm, pgd_m, address_m);
32536 ++ if (!pud_m)
32537 ++ return VM_FAULT_OOM;
32538 ++ pmd_m = pmd_alloc(mm, pud_m, address_m);
32539 ++ if (!pmd_m)
32540 ++ return VM_FAULT_OOM;
32541 ++ if (!pmd_present(*pmd_m) && __pte_alloc(mm, pmd_m, address_m))
32542 ++ return VM_FAULT_OOM;
32543 ++ pax_unmap_mirror_pte(vma_m, address_m, pmd_m);
32544 ++ }
32545 ++#endif
32546 ++
32547 + pgd = pgd_offset(mm, address);
32548 + pud = pud_alloc(mm, pgd, address);
32549 + if (!pud)
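Review bot: In the `vma->vm_start > vma_m->vm_start` branch of the added handle_mm_fault block, `vma` is reassigned to `vma_m` but `vma_m` keeps pointing at the lower vma, so the later `pax_unmap_mirror_pte(vma_m, address_m, pmd_m)` pairs the lower vma with the upper address; in the `else` branch the pairing is consistent. If this is intentional because `pax_unmap_mirror_pte` only needs `vma->vm_mm` (both vmas share it), a comment should say so, otherwise the branch should also swap `vma_m` (e.g. `vma_m = vma; vma = <lower>;` via a temporary). The hugetlb_fault hunk (`@@ -589,6 +618,27`) has the same shape with `unmap_hugepage_range(vma, address_m, ...)` after the swap. handle_mm_fault's body continues outside the hunk.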
32550 +@@ -2781,7 +3062,7 @@ static int __init gate_vma_init(void)
32551 + gate_vma.vm_start = FIXADDR_USER_START;
32552 + gate_vma.vm_end = FIXADDR_USER_END;
32553 + gate_vma.vm_flags = VM_READ | VM_MAYREAD | VM_EXEC | VM_MAYEXEC;
32554 +- gate_vma.vm_page_prot = __P101;
32555 ++ gate_vma.vm_page_prot = vm_get_page_prot(gate_vma.vm_flags);
32556 + /*
32557 + * Make sure the vDSO gets into every core dump.
32558 + * Dumping its contents makes post-mortem fully interpretable later
32559 +diff -Nurp linux-2.6.23.15/mm/mempolicy.c linux-2.6.23.15-grsec/mm/mempolicy.c
32560 +--- linux-2.6.23.15/mm/mempolicy.c 2007-10-09 21:31:38.000000000 +0100
32561 ++++ linux-2.6.23.15-grsec/mm/mempolicy.c 2008-02-11 10:37:45.000000000 +0000
32562 +@@ -401,6 +401,10 @@ static int mbind_range(struct vm_area_st
32563 + struct vm_area_struct *next;
32564 + int err;
32565 +
32566 ++#ifdef CONFIG_PAX_SEGMEXEC
32567 ++ struct vm_area_struct *vma_m;
32568 ++#endif
32569 ++
32570 + err = 0;
32571 + for (; vma && vma->vm_start < end; vma = next) {
32572 + next = vma->vm_next;
32573 +@@ -412,6 +416,16 @@ static int mbind_range(struct vm_area_st
32574 + err = policy_vma(vma, new);
32575 + if (err)
32576 + break;
32577 ++
32578 ++#ifdef CONFIG_PAX_SEGMEXEC
32579 ++ vma_m = pax_find_mirror_vma(vma);
32580 ++ if (vma_m) {
32581 ++ err = policy_vma(vma_m, new);
32582 ++ if (err)
32583 ++ break;
32584 ++ }
32585 ++#endif
32586 ++
32587 + }
32588 + return err;
32589 + }
32590 +@@ -732,7 +746,7 @@ static struct page *new_vma_page(struct
32591 + }
32592 + #endif
32593 +
32594 +-long do_mbind(unsigned long start, unsigned long len,
32595 ++static long do_mbind(unsigned long start, unsigned long len,
32596 + unsigned long mode, nodemask_t *nmask, unsigned long flags)
32597 + {
32598 + struct vm_area_struct *vma;
32599 +@@ -760,6 +774,17 @@ long do_mbind(unsigned long start, unsig
32600 +
32601 + if (end < start)
32602 + return -EINVAL;
32603 ++
32604 ++#ifdef CONFIG_PAX_SEGMEXEC
32605 ++ if (mm->pax_flags & MF_PAX_SEGMEXEC) {
32606 ++ if (end > SEGMEXEC_TASK_SIZE)
32607 ++ return -EINVAL;
32608 ++ } else
32609 ++#endif
32610 ++
32611 ++ if (end > TASK_SIZE)
32612 ++ return -EINVAL;
32613 ++
32614 + if (end == start)
32615 + return 0;
32616 +
32617 +diff -Nurp linux-2.6.23.15/mm/mlock.c linux-2.6.23.15-grsec/mm/mlock.c
32618 +--- linux-2.6.23.15/mm/mlock.c 2007-10-09 21:31:38.000000000 +0100
32619 ++++ linux-2.6.23.15-grsec/mm/mlock.c 2008-02-11 10:37:45.000000000 +0000
32620 +@@ -12,6 +12,7 @@
32621 + #include <linux/syscalls.h>
32622 + #include <linux/sched.h>
32623 + #include <linux/module.h>
32624 ++#include <linux/grsecurity.h>
32625 +
32626 + int can_do_mlock(void)
32627 + {
32628 +@@ -95,6 +96,17 @@ static int do_mlock(unsigned long start,
32629 + return -EINVAL;
32630 + if (end == start)
32631 + return 0;
32632 ++
32633 ++#ifdef CONFIG_PAX_SEGMEXEC
32634 ++ if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
32635 ++ if (end > SEGMEXEC_TASK_SIZE)
32636 ++ return -EINVAL;
32637 ++ } else
32638 ++#endif
32639 ++
32640 ++ if (end > TASK_SIZE)
32641 ++ return -EINVAL;
32642 ++
32643 + vma = find_vma_prev(current->mm, start, &prev);
32644 + if (!vma || vma->vm_start > start)
32645 + return -ENOMEM;
32646 +@@ -152,6 +164,7 @@ asmlinkage long sys_mlock(unsigned long
32647 + lock_limit >>= PAGE_SHIFT;
32648 +
32649 + /* check against resource limits */
32650 ++ gr_learn_resource(current, RLIMIT_MEMLOCK, (current->mm->locked_vm << PAGE_SHIFT) + len, 1);
32651 + if ((locked <= lock_limit) || capable(CAP_IPC_LOCK))
32652 + error = do_mlock(start, len, 1);
32653 + up_write(&current->mm->mmap_sem);
32654 +@@ -173,10 +186,10 @@ asmlinkage long sys_munlock(unsigned lon
32655 + static int do_mlockall(int flags)
32656 + {
32657 + struct vm_area_struct * vma, * prev = NULL;
32658 +- unsigned int def_flags = 0;
32659 ++ unsigned int def_flags = current->mm->def_flags & ~VM_LOCKED;
32660 +
32661 + if (flags & MCL_FUTURE)
32662 +- def_flags = VM_LOCKED;
32663 ++ def_flags |= VM_LOCKED;
32664 + current->mm->def_flags = def_flags;
32665 + if (flags == MCL_FUTURE)
32666 + goto out;
32667 +@@ -184,6 +197,12 @@ static int do_mlockall(int flags)
32668 + for (vma = current->mm->mmap; vma ; vma = prev->vm_next) {
32669 + unsigned int newflags;
32670 +
32671 ++#ifdef CONFIG_PAX_SEGMEXEC
32672 ++ if ((current->mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_start >= SEGMEXEC_TASK_SIZE))
32673 ++ break;
32674 ++#endif
32675 ++
32676 ++ BUG_ON(vma->vm_end > TASK_SIZE);
32677 + newflags = vma->vm_flags | VM_LOCKED;
32678 + if (!(flags & MCL_CURRENT))
32679 + newflags &= ~VM_LOCKED;
32680 +@@ -213,6 +232,7 @@ asmlinkage long sys_mlockall(int flags)
32681 + lock_limit >>= PAGE_SHIFT;
32682 +
32683 + ret = -ENOMEM;
32684 ++ gr_learn_resource(current, RLIMIT_MEMLOCK, current->mm->total_vm, 1);
32685 + if (!(flags & MCL_CURRENT) || (current->mm->total_vm <= lock_limit) ||
32686 + capable(CAP_IPC_LOCK))
32687 + ret = do_mlockall(flags);
32688 +diff -Nurp linux-2.6.23.15/mm/mmap.c linux-2.6.23.15-grsec/mm/mmap.c
32689 +--- linux-2.6.23.15/mm/mmap.c 2008-02-11 10:36:03.000000000 +0000
32690 ++++ linux-2.6.23.15-grsec/mm/mmap.c 2008-02-11 10:43:32.000000000 +0000
32691 +@@ -25,6 +25,7 @@
32692 + #include <linux/mount.h>
32693 + #include <linux/mempolicy.h>
32694 + #include <linux/rmap.h>
32695 ++#include <linux/grsecurity.h>
32696 +
32697 + #include <asm/uaccess.h>
32698 + #include <asm/cacheflush.h>
32699 +@@ -35,6 +36,16 @@
32700 + #define arch_mmap_check(addr, len, flags) (0)
32701 + #endif
32702 +
32703 ++static inline void verify_mm_writelocked(struct mm_struct *mm)
32704 ++{
32705 ++#if defined(CONFIG_DEBUG_VM) || defined(CONFIG_PAX)
32706 ++ if (unlikely(down_read_trylock(&mm->mmap_sem))) {
32707 ++ up_read(&mm->mmap_sem);
32708 ++ BUG();
32709 ++ }
32710 ++#endif
32711 ++}
32712 ++
32713 + static void unmap_region(struct mm_struct *mm,
32714 + struct vm_area_struct *vma, struct vm_area_struct *prev,
32715 + unsigned long start, unsigned long end);
32716 +@@ -60,15 +71,23 @@ static void unmap_region(struct mm_struc
32717 + * x: (no) no x: (no) yes x: (no) yes x: (yes) yes
32718 + *
32719 + */
32720 +-pgprot_t protection_map[16] = {
32721 ++pgprot_t protection_map[16] __read_only = {
32722 + __P000, __P001, __P010, __P011, __P100, __P101, __P110, __P111,
32723 + __S000, __S001, __S010, __S011, __S100, __S101, __S110, __S111
32724 + };
32725 +
32726 + pgprot_t vm_get_page_prot(unsigned long vm_flags)
32727 + {
32728 +- return protection_map[vm_flags &
32729 +- (VM_READ|VM_WRITE|VM_EXEC|VM_SHARED)];
32730 ++ pgprot_t prot = protection_map[vm_flags & (VM_READ|VM_WRITE|VM_EXEC|VM_SHARED)];
32731 ++
32732 ++#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
32733 ++ if (!nx_enabled &&
32734 ++ (vm_flags & (VM_PAGEEXEC | VM_EXEC)) == VM_PAGEEXEC &&
32735 ++ (vm_flags & (VM_READ | VM_WRITE)))
32736 ++ prot = __pgprot(pte_val(pte_exprotect(__pte(pgprot_val(prot)))));
32737 ++#endif
32738 ++
32739 ++ return prot;
32740 + }
32741 + EXPORT_SYMBOL(vm_get_page_prot);
32742 +
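Review bot: The `#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)` branch in `vm_get_page_prot` rewrites `prot` through `pte_exprotect()` when `nx_enabled` is clear and the flags carry `VM_PAGEEXEC` without `VM_EXEC`, but nothing explains the intent, and a reader has to guess that this is the software no-exec path for CPUs without hardware NX. Propose above the `#if`: `/* PaX: without hardware NX, PAGEEXEC-tracked non-executable mappings get the exprotect encoding so the fault handler can emulate NX -- confirm against the PAGEEXEC fault path */`. The `__read_only` added to `protection_map` is likewise undocumented; a short line on what it guarantees for the table would help.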
32743 +@@ -225,6 +244,7 @@ static struct vm_area_struct *remove_vma
32744 + struct vm_area_struct *next = vma->vm_next;
32745 +
32746 + might_sleep();
32747 ++ BUG_ON(vma->vm_mirror);
32748 + if (vma->vm_ops && vma->vm_ops->close)
32749 + vma->vm_ops->close(vma);
32750 + if (vma->vm_file)
32751 +@@ -252,6 +272,7 @@ asmlinkage unsigned long sys_brk(unsigne
32752 + * not page aligned -Ram Gupta
32753 + */
32754 + rlim = current->signal->rlim[RLIMIT_DATA].rlim_cur;
32755 ++ gr_learn_resource(current, RLIMIT_DATA, brk - mm->start_data, 1);
32756 + if (rlim < RLIM_INFINITY && brk - mm->start_data > rlim)
32757 + goto out;
32758 +
32759 +@@ -352,8 +373,12 @@ find_vma_prepare(struct mm_struct *mm, u
32760 +
32761 + if (vma_tmp->vm_end > addr) {
32762 + vma = vma_tmp;
32763 +- if (vma_tmp->vm_start <= addr)
32764 +- return vma;
32765 ++ if (vma_tmp->vm_start <= addr) {
32766 ++//printk("PAX: prep: %08lx-%08lx %08lx pr:%p l:%p pa:%p ",
32767 ++//vma->vm_start, vma->vm_end, addr, *pprev, *rb_link, *rb_parent);
32768 ++//__print_symbol("%s\n", __builtin_extract_return_addr(__builtin_return_address(0)));
32769 ++ break;
32770 ++ }
32771 + __rb_link = &__rb_parent->rb_left;
32772 + } else {
32773 + rb_prev = __rb_parent;
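Review bot: The three `//printk(...)` / `//__print_symbol(...)` lines added inside find_vma_prepare's overlap branch are commented-out debug code and should be dropped before this is shipped. Separately, changing `return vma;` to `break;` means the function now falls through to the code after the loop (outside the hunk) when an overlapping vma is found, which presumably changes what `*pprev`, `*rb_link` and `*rb_parent` hold for that case; if that is the purpose, a one-line comment at the `break` stating it would save the next reader from re-deriving it.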
32774 +@@ -677,6 +702,12 @@ static int
32775 + can_vma_merge_before(struct vm_area_struct *vma, unsigned long vm_flags,
32776 + struct anon_vma *anon_vma, struct file *file, pgoff_t vm_pgoff)
32777 + {
32778 ++
32779 ++#ifdef CONFIG_PAX_SEGMEXEC
32780 ++ if ((vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) && vma->vm_start == SEGMEXEC_TASK_SIZE)
32781 ++ return 0;
32782 ++#endif
32783 ++
32784 + if (is_mergeable_vma(vma, file, vm_flags) &&
32785 + is_mergeable_anon_vma(anon_vma, vma->anon_vma)) {
32786 + if (vma->vm_pgoff == vm_pgoff)
32787 +@@ -696,6 +727,12 @@ static int
32788 + can_vma_merge_after(struct vm_area_struct *vma, unsigned long vm_flags,
32789 + struct anon_vma *anon_vma, struct file *file, pgoff_t vm_pgoff)
32790 + {
32791 ++
32792 ++#ifdef CONFIG_PAX_SEGMEXEC
32793 ++ if ((vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) && vma->vm_end == SEGMEXEC_TASK_SIZE)
32794 ++ return 0;
32795 ++#endif
32796 ++
32797 + if (is_mergeable_vma(vma, file, vm_flags) &&
32798 + is_mergeable_anon_vma(anon_vma, vma->anon_vma)) {
32799 + pgoff_t vm_pglen;
32800 +@@ -738,12 +775,19 @@ can_vma_merge_after(struct vm_area_struc
32801 + struct vm_area_struct *vma_merge(struct mm_struct *mm,
32802 + struct vm_area_struct *prev, unsigned long addr,
32803 + unsigned long end, unsigned long vm_flags,
32804 +- struct anon_vma *anon_vma, struct file *file,
32805 ++ struct anon_vma *anon_vma, struct file *file,
32806 + pgoff_t pgoff, struct mempolicy *policy)
32807 + {
32808 + pgoff_t pglen = (end - addr) >> PAGE_SHIFT;
32809 + struct vm_area_struct *area, *next;
32810 +
32811 ++#ifdef CONFIG_PAX_SEGMEXEC
32812 ++ unsigned long addr_m = addr + SEGMEXEC_TASK_SIZE, end_m = end + SEGMEXEC_TASK_SIZE;
32813 ++ struct vm_area_struct *area_m = NULL, *next_m = NULL, *prev_m = NULL;
32814 ++
32815 ++ BUG_ON((mm->pax_flags & MF_PAX_SEGMEXEC) && SEGMEXEC_TASK_SIZE < end);
32816 ++#endif
32817 ++
32818 + /*
32819 + * We later require that vma->vm_flags == vm_flags,
32820 + * so this tests vma->vm_flags & VM_SPECIAL, too.
32821 +@@ -759,6 +803,15 @@ struct vm_area_struct *vma_merge(struct
32822 + if (next && next->vm_end == end) /* cases 6, 7, 8 */
32823 + next = next->vm_next;
32824 +
32825 ++#ifdef CONFIG_PAX_SEGMEXEC
32826 ++ if (prev)
32827 ++ prev_m = pax_find_mirror_vma(prev);
32828 ++ if (area)
32829 ++ area_m = pax_find_mirror_vma(area);
32830 ++ if (next)
32831 ++ next_m = pax_find_mirror_vma(next);
32832 ++#endif
32833 ++
32834 + /*
32835 + * Can it merge with the predecessor?
32836 + */
32837 +@@ -778,9 +831,24 @@ struct vm_area_struct *vma_merge(struct
32838 + /* cases 1, 6 */
32839 + vma_adjust(prev, prev->vm_start,
32840 + next->vm_end, prev->vm_pgoff, NULL);
32841 +- } else /* cases 2, 5, 7 */
32842 ++
32843 ++#ifdef CONFIG_PAX_SEGMEXEC
32844 ++ if (prev_m)
32845 ++ vma_adjust(prev_m, prev_m->vm_start,
32846 ++ next_m->vm_end, prev_m->vm_pgoff, NULL);
32847 ++#endif
32848 ++
32849 ++ } else { /* cases 2, 5, 7 */
32850 + vma_adjust(prev, prev->vm_start,
32851 + end, prev->vm_pgoff, NULL);
32852 ++
32853 ++#ifdef CONFIG_PAX_SEGMEXEC
32854 ++ if (prev_m)
32855 ++ vma_adjust(prev_m, prev_m->vm_start,
32856 ++ end_m, prev_m->vm_pgoff, NULL);
32857 ++#endif
32858 ++
32859 ++ }
32860 + return prev;
32861 + }
32862 +
32863 +@@ -791,12 +859,27 @@ struct vm_area_struct *vma_merge(struct
32864 + mpol_equal(policy, vma_policy(next)) &&
32865 + can_vma_merge_before(next, vm_flags,
32866 + anon_vma, file, pgoff+pglen)) {
32867 +- if (prev && addr < prev->vm_end) /* case 4 */
32868 ++ if (prev && addr < prev->vm_end) { /* case 4 */
32869 + vma_adjust(prev, prev->vm_start,
32870 + addr, prev->vm_pgoff, NULL);
32871 +- else /* cases 3, 8 */
32872 ++
32873 ++#ifdef CONFIG_PAX_SEGMEXEC
32874 ++ if (prev_m)
32875 ++ vma_adjust(prev_m, prev_m->vm_start,
32876 ++ addr_m, prev_m->vm_pgoff, NULL);
32877 ++#endif
32878 ++
32879 ++ } else { /* cases 3, 8 */
32880 + vma_adjust(area, addr, next->vm_end,
32881 + next->vm_pgoff - pglen, NULL);
32882 ++
32883 ++#ifdef CONFIG_PAX_SEGMEXEC
32884 ++ if (area_m)
32885 ++ vma_adjust(area_m, addr_m, next_m->vm_end,
32886 ++ next_m->vm_pgoff - pglen, NULL);
32887 ++#endif
32888 ++
32889 ++ }
32890 + return area;
32891 + }
32892 +
32893 +@@ -871,14 +954,11 @@ none:
32894 + void vm_stat_account(struct mm_struct *mm, unsigned long flags,
32895 + struct file *file, long pages)
32896 + {
32897 +- const unsigned long stack_flags
32898 +- = VM_STACK_FLAGS & (VM_GROWSUP|VM_GROWSDOWN);
32899 +-
32900 + if (file) {
32901 + mm->shared_vm += pages;
32902 + if ((flags & (VM_EXEC|VM_WRITE)) == VM_EXEC)
32903 + mm->exec_vm += pages;
32904 +- } else if (flags & stack_flags)
32905 ++ } else if (flags & (VM_GROWSUP|VM_GROWSDOWN))
32906 + mm->stack_vm += pages;
32907 + if (flags & (VM_RESERVED|VM_IO))
32908 + mm->reserved_vm += pages;
32909 +@@ -906,22 +986,22 @@ unsigned long do_mmap_pgoff(struct file
32910 + * (the exception is when the underlying filesystem is noexec
32911 + * mounted, in which case we dont add PROT_EXEC.)
32912 + */
32913 +- if ((prot & PROT_READ) && (current->personality & READ_IMPLIES_EXEC))
32914 ++ if ((prot & (PROT_READ | PROT_WRITE)) && (current->personality & READ_IMPLIES_EXEC))
32915 + if (!(file && (file->f_path.mnt->mnt_flags & MNT_NOEXEC)))
32916 + prot |= PROT_EXEC;
32917 +
32918 + if (!len)
32919 + return -EINVAL;
32920 +
32921 +- error = arch_mmap_check(addr, len, flags);
32922 +- if (error)
32923 +- return error;
32924 +-
32925 + /* Careful about overflows.. */
32926 + len = PAGE_ALIGN(len);
32927 + if (!len || len > TASK_SIZE)
32928 + return -ENOMEM;
32929 +
32930 ++ error = arch_mmap_check(addr, len, flags);
32931 ++ if (error)
32932 ++ return error;
32933 ++
32934 + /* offset overflow? */
32935 + if ((pgoff + (len >> PAGE_SHIFT)) < pgoff)
32936 + return -EOVERFLOW;
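Review bot: The widened condition `(prot & (PROT_READ | PROT_WRITE))` now grants PROT_EXEC to write-only mappings under READ_IMPLIES_EXEC, but the comment block above it (which starts outside the hunk) still describes the rule as read-implies-exec only. Add a line to that comment noting that PROT_WRITE-only mappings are treated the same way here. Moving arch_mmap_check() below the PAGE_ALIGN/TASK_SIZE check means it now sees the page-aligned length; that reordering is reasonable but also deserves a short why-comment, e.g. `/* check the aligned length, not the raw one */`.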
32937 +@@ -933,7 +1013,7 @@ unsigned long do_mmap_pgoff(struct file
32938 + /* Obtain the address to map to. we verify (or select) it and ensure
32939 + * that it represents a valid section of the address space.
32940 + */
32941 +- addr = get_unmapped_area(file, addr, len, pgoff, flags);
32942 ++ addr = get_unmapped_area(file, addr, len, pgoff, flags | ((prot & PROT_EXEC) ? MAP_EXECUTABLE : 0));
32943 + if (addr & ~PAGE_MASK)
32944 + return addr;
32945 +
32946 +@@ -944,6 +1024,26 @@ unsigned long do_mmap_pgoff(struct file
32947 + vm_flags = calc_vm_prot_bits(prot) | calc_vm_flag_bits(flags) |
32948 + mm->def_flags | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC;
32949 +
32950 ++#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
32951 ++ if (mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
32952 ++
32953 ++#ifdef CONFIG_PAX_MPROTECT
32954 ++ if (mm->pax_flags & MF_PAX_MPROTECT) {
32955 ++ if ((prot & (PROT_WRITE | PROT_EXEC)) != PROT_EXEC)
32956 ++ vm_flags &= ~(VM_EXEC | VM_MAYEXEC);
32957 ++ else
32958 ++ vm_flags &= ~(VM_WRITE | VM_MAYWRITE);
32959 ++ }
32960 ++#endif
32961 ++
32962 ++ }
32963 ++#endif
32964 ++
32965 ++#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
32966 ++ if ((mm->pax_flags & MF_PAX_PAGEEXEC) && file)
32967 ++ vm_flags &= ~VM_PAGEEXEC;
32968 ++#endif
32969 ++
32970 + if (flags & MAP_LOCKED) {
32971 + if (!can_do_mlock())
32972 + return -EPERM;
32973 +@@ -956,6 +1056,7 @@ unsigned long do_mmap_pgoff(struct file
32974 + locked += mm->locked_vm;
32975 + lock_limit = current->signal->rlim[RLIMIT_MEMLOCK].rlim_cur;
32976 + lock_limit >>= PAGE_SHIFT;
32977 ++ gr_learn_resource(current, RLIMIT_MEMLOCK, locked << PAGE_SHIFT, 1);
32978 + if (locked > lock_limit && !capable(CAP_IPC_LOCK))
32979 + return -EAGAIN;
32980 + }
32981 +@@ -1024,6 +1125,9 @@ unsigned long do_mmap_pgoff(struct file
32982 + if (error)
32983 + return error;
32984 +
32985 ++ if (!gr_acl_handle_mmap(file, prot))
32986 ++ return -EACCES;
32987 ++
32988 + return mmap_region(file, addr, len, flags, vm_flags, pgoff,
32989 + accountable);
32990 + }
32991 +@@ -1037,10 +1141,10 @@ EXPORT_SYMBOL(do_mmap_pgoff);
32992 + */
32993 + int vma_wants_writenotify(struct vm_area_struct *vma)
32994 + {
32995 +- unsigned int vm_flags = vma->vm_flags;
32996 ++ unsigned long vm_flags = vma->vm_flags;
32997 +
32998 + /* If it was private or non-writable, the write bit is already clear */
32999 +- if ((vm_flags & (VM_WRITE|VM_SHARED)) != ((VM_WRITE|VM_SHARED)))
33000 ++ if ((vm_flags & (VM_WRITE|VM_SHARED)) != (VM_WRITE|VM_SHARED))
33001 + return 0;
33002 +
33003 + /* The backer wishes to know when pages are first written to? */
33004 +@@ -1049,8 +1153,7 @@ int vma_wants_writenotify(struct vm_area
33005 +
33006 + /* The open routine did something to the protections already? */
33007 + if (pgprot_val(vma->vm_page_prot) !=
33008 +- pgprot_val(protection_map[vm_flags &
33009 +- (VM_READ|VM_WRITE|VM_EXEC|VM_SHARED)]))
33010 ++ pgprot_val(vm_get_page_prot(vm_flags)))
33011 + return 0;
33012 +
33013 + /* Specialty mapping? */
33014 +@@ -1076,14 +1179,24 @@ unsigned long mmap_region(struct file *f
33015 + unsigned long charged = 0;
33016 + struct inode *inode = file ? file->f_path.dentry->d_inode : NULL;
33017 +
33018 ++#ifdef CONFIG_PAX_SEGMEXEC
33019 ++ struct vm_area_struct *vma_m = NULL;
33020 ++#endif
33021 ++
33022 ++ /*
33023 ++ * mm->mmap_sem is required to protect against another thread
33024 ++ * changing the mappings in case we sleep.
33025 ++ */
33026 ++ verify_mm_writelocked(mm);
33027 ++
33028 + /* Clear old maps */
33029 + error = -ENOMEM;
33030 +-munmap_back:
33031 + vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
33032 + if (vma && vma->vm_start < addr + len) {
33033 + if (do_munmap(mm, addr, len))
33034 + return -ENOMEM;
33035 +- goto munmap_back;
33036 ++ vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
33037 ++ BUG_ON(vma && vma->vm_start < addr + len);
33038 + }
33039 +
33040 + /* Check against address space limit. */
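Review bot: Replacing the `munmap_back` loop with a single retry and `BUG_ON(vma && vma->vm_start < addr + len)` turns a state the old code would simply loop on into a kernel panic; if do_munmap() can ever return 0 while an overlapping vma remains, this is now a crash path rather than a retry. Consider keeping the loop, or using `WARN_ON(1); return -ENOMEM;` in place of the BUG_ON. Also, `verify_mm_writelocked(mm)` is now called here while its `static inline` definition is removed from its old place in the sys_munmap hunk further down, so a definition or prototype must precede mmap_region; that is outside this hunk and I cannot confirm it. mmap_region continues outside the hunk.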
33041 +@@ -1127,12 +1240,22 @@ munmap_back:
33042 + goto unacct_error;
33043 + }
33044 +
33045 ++#ifdef CONFIG_PAX_SEGMEXEC
33046 ++ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (vm_flags & VM_EXEC)) {
33047 ++ vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
33048 ++ if (!vma_m) {
33049 ++ kmem_cache_free(vm_area_cachep, vma);
33050 ++ error = -ENOMEM;
33051 ++ goto unacct_error;
33052 ++ }
33053 ++ }
33054 ++#endif
33055 ++
33056 + vma->vm_mm = mm;
33057 + vma->vm_start = addr;
33058 + vma->vm_end = addr + len;
33059 + vma->vm_flags = vm_flags;
33060 +- vma->vm_page_prot = protection_map[vm_flags &
33061 +- (VM_READ|VM_WRITE|VM_EXEC|VM_SHARED)];
33062 ++ vma->vm_page_prot = vm_get_page_prot(vm_flags);
33063 + vma->vm_pgoff = pgoff;
33064 +
33065 + if (file) {
33066 +@@ -1150,6 +1273,14 @@ munmap_back:
33067 + error = file->f_op->mmap(file, vma);
33068 + if (error)
33069 + goto unmap_and_free_vma;
33070 ++
33071 ++#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
33072 ++ if ((mm->pax_flags & MF_PAX_PAGEEXEC) && !(vma->vm_flags & VM_SPECIAL)) {
33073 ++ vma->vm_flags |= VM_PAGEEXEC;
33074 ++ vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
33075 ++ }
33076 ++#endif
33077 ++
33078 + } else if (vm_flags & VM_SHARED) {
33079 + error = shmem_zero_setup(vma);
33080 + if (error)
33081 +@@ -1174,13 +1305,18 @@ munmap_back:
33082 + vm_flags = vma->vm_flags;
33083 +
33084 + if (vma_wants_writenotify(vma))
33085 +- vma->vm_page_prot =
33086 +- protection_map[vm_flags & (VM_READ|VM_WRITE|VM_EXEC)];
33087 ++ vma->vm_page_prot = vm_get_page_prot(vm_flags & ~VM_SHARED);
33088 +
33089 + if (!file || !vma_merge(mm, prev, addr, vma->vm_end,
33090 + vma->vm_flags, NULL, file, pgoff, vma_policy(vma))) {
33091 + file = vma->vm_file;
33092 + vma_link(mm, vma, prev, rb_link, rb_parent);
33093 ++
33094 ++#ifdef CONFIG_PAX_SEGMEXEC
33095 ++ if (vma_m)
33096 ++ pax_mirror_vma(vma_m, vma);
33097 ++#endif
33098 ++
33099 + if (correct_wcount)
33100 + atomic_inc(&inode->i_writecount);
33101 + } else {
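Review bot: `vma_m` is only handed to pax_mirror_vma() on the vma_link path; when `file` is set and vma_merge() succeeds, control takes the `else` branch, whose visible tail (next hunk) frees `vma` but never `vma_m`. Unless the lines of that branch outside the hunk release it, an executable file mapping that merges under SEGMEXEC leaks the pre-allocated mirror vma. The fix is a guarded free in the else branch: `#ifdef CONFIG_PAX_SEGMEXEC` / `if (vma_m) kmem_cache_free(vm_area_cachep, vma_m);` / `#endif`. The merge path also relies on vma_merge's own prev_m/area_m adjustment to extend the existing mirror, which is worth a one-line comment.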
33102 +@@ -1191,10 +1327,12 @@ munmap_back:
33103 + }
33104 + mpol_free(vma_policy(vma));
33105 + kmem_cache_free(vm_area_cachep, vma);
33106 ++ vma = NULL;
33107 + }
33108 + out:
33109 + mm->total_vm += len >> PAGE_SHIFT;
33110 + vm_stat_account(mm, vm_flags, file, len >> PAGE_SHIFT);
33111 ++ track_exec_limit(mm, addr, addr + len, vm_flags);
33112 + if (vm_flags & VM_LOCKED) {
33113 + mm->locked_vm += len >> PAGE_SHIFT;
33114 + make_pages_present(addr, addr + len);
33115 +@@ -1213,6 +1351,12 @@ unmap_and_free_vma:
33116 + unmap_region(mm, vma, prev, vma->vm_start, vma->vm_end);
33117 + charged = 0;
33118 + free_vma:
33119 ++
33120 ++#ifdef CONFIG_PAX_SEGMEXEC
33121 ++ if (vma_m)
33122 ++ kmem_cache_free(vm_area_cachep, vma_m);
33123 ++#endif
33124 ++
33125 + kmem_cache_free(vm_area_cachep, vma);
33126 + unacct_error:
33127 + if (charged)
33128 +@@ -1246,6 +1390,10 @@ arch_get_unmapped_area(struct file *filp
33129 + if (flags & MAP_FIXED)
33130 + return addr;
33131 +
33132 ++#ifdef CONFIG_PAX_RANDMMAP
33133 ++ if (!(mm->pax_flags & MF_PAX_RANDMMAP))
33134 ++#endif
33135 ++
33136 + if (addr) {
33137 + addr = PAGE_ALIGN(addr);
33138 + vma = find_vma(mm, addr);
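Review bot: The added `if (!(mm->pax_flags & MF_PAX_RANDMMAP))` is a brace-less conditional whose controlled statement is the `if (addr) { ... }` block that follows after an `#endif` and a blank line; it is valid C but easy to break with any later edit between the two. Either brace the controlled block or at least add `/* the if (addr) block below is the body of this conditional */` after the `#endif`. The same construct is repeated in the arch_get_unmapped_area_topdown hunk below. arch_get_unmapped_area continues outside the hunk.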
33139 +@@ -1254,10 +1402,10 @@ arch_get_unmapped_area(struct file *filp
33140 + return addr;
33141 + }
33142 + if (len > mm->cached_hole_size) {
33143 +- start_addr = addr = mm->free_area_cache;
33144 ++ start_addr = addr = mm->free_area_cache;
33145 + } else {
33146 +- start_addr = addr = TASK_UNMAPPED_BASE;
33147 +- mm->cached_hole_size = 0;
33148 ++ start_addr = addr = mm->mmap_base;
33149 ++ mm->cached_hole_size = 0;
33150 + }
33151 +
33152 + full_search:
33153 +@@ -1268,9 +1416,8 @@ full_search:
33154 + * Start a new search - just in case we missed
33155 + * some holes.
33156 + */
33157 +- if (start_addr != TASK_UNMAPPED_BASE) {
33158 +- addr = TASK_UNMAPPED_BASE;
33159 +- start_addr = addr;
33160 ++ if (start_addr != mm->mmap_base) {
33161 ++ start_addr = addr = mm->mmap_base;
33162 + mm->cached_hole_size = 0;
33163 + goto full_search;
33164 + }
33165 +@@ -1292,10 +1439,16 @@ full_search:
33166 +
33167 + void arch_unmap_area(struct mm_struct *mm, unsigned long addr)
33168 + {
33169 ++
33170 ++#ifdef CONFIG_PAX_SEGMEXEC
33171 ++ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && SEGMEXEC_TASK_SIZE <= addr)
33172 ++ return;
33173 ++#endif
33174 ++
33175 + /*
33176 + * Is this a new hole at the lowest possible address?
33177 + */
33178 +- if (addr >= TASK_UNMAPPED_BASE && addr < mm->free_area_cache) {
33179 ++ if (addr >= mm->mmap_base && addr < mm->free_area_cache) {
33180 + mm->free_area_cache = addr;
33181 + mm->cached_hole_size = ~0UL;
33182 + }
33183 +@@ -1313,7 +1466,7 @@ arch_get_unmapped_area_topdown(struct fi
33184 + {
33185 + struct vm_area_struct *vma;
33186 + struct mm_struct *mm = current->mm;
33187 +- unsigned long addr = addr0;
33188 ++ unsigned long base = mm->mmap_base, addr = addr0;
33189 +
33190 + /* requested length too big for entire address space */
33191 + if (len > TASK_SIZE)
33192 +@@ -1322,6 +1475,10 @@ arch_get_unmapped_area_topdown(struct fi
33193 + if (flags & MAP_FIXED)
33194 + return addr;
33195 +
33196 ++#ifdef CONFIG_PAX_RANDMMAP
33197 ++ if (!(mm->pax_flags & MF_PAX_RANDMMAP))
33198 ++#endif
33199 ++
33200 + /* requesting a specific address */
33201 + if (addr) {
33202 + addr = PAGE_ALIGN(addr);
33203 +@@ -1379,13 +1536,21 @@ bottomup:
33204 + * can happen with large stack limits and large mmap()
33205 + * allocations.
33206 + */
33207 ++ mm->mmap_base = TASK_UNMAPPED_BASE;
33208 ++
33209 ++#ifdef CONFIG_PAX_RANDMMAP
33210 ++ if (mm->pax_flags & MF_PAX_RANDMMAP)
33211 ++ mm->mmap_base += mm->delta_mmap;
33212 ++#endif
33213 ++
33214 ++ mm->free_area_cache = mm->mmap_base;
33215 + mm->cached_hole_size = ~0UL;
33216 +- mm->free_area_cache = TASK_UNMAPPED_BASE;
33217 + addr = arch_get_unmapped_area(filp, addr0, len, pgoff, flags);
33218 + /*
33219 + * Restore the topdown base:
33220 + */
33221 +- mm->free_area_cache = mm->mmap_base;
33222 ++ mm->mmap_base = base;
33223 ++ mm->free_area_cache = base;
33224 + mm->cached_hole_size = ~0UL;
33225 +
33226 + return addr;
33227 +@@ -1394,6 +1559,12 @@ bottomup:
33228 +
33229 + void arch_unmap_area_topdown(struct mm_struct *mm, unsigned long addr)
33230 + {
33231 ++
33232 ++#ifdef CONFIG_PAX_SEGMEXEC
33233 ++ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && SEGMEXEC_TASK_SIZE <= addr)
33234 ++ return;
33235 ++#endif
33236 ++
33237 + /*
33238 + * Is this a new hole at the highest possible address?
33239 + */
33240 +@@ -1401,8 +1572,10 @@ void arch_unmap_area_topdown(struct mm_s
33241 + mm->free_area_cache = addr;
33242 +
33243 + /* dont allow allocations above current base */
33244 +- if (mm->free_area_cache > mm->mmap_base)
33245 ++ if (mm->free_area_cache > mm->mmap_base) {
33246 + mm->free_area_cache = mm->mmap_base;
33247 ++ mm->cached_hole_size = ~0UL;
33248 ++ }
33249 + }
33250 +
33251 + unsigned long
33252 +@@ -1502,6 +1675,32 @@ out:
33253 + return prev ? prev->vm_next : vma;
33254 + }
33255 +
33256 ++#ifdef CONFIG_PAX_SEGMEXEC
33257 ++struct vm_area_struct *pax_find_mirror_vma(struct vm_area_struct *vma)
33258 ++{
33259 ++ struct vm_area_struct *vma_m;
33260 ++
33261 ++ BUG_ON(!vma || vma->vm_start >= vma->vm_end);
33262 ++ if (!(vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) || !(vma->vm_flags & VM_EXEC)) {
33263 ++ BUG_ON(vma->vm_mirror);
33264 ++ return NULL;
33265 ++ }
33266 ++ BUG_ON(vma->vm_end - SEGMEXEC_TASK_SIZE - 1 < vma->vm_start - SEGMEXEC_TASK_SIZE - 1);
33267 ++ vma_m = vma->vm_mirror;
33268 ++ BUG_ON(!vma_m || vma_m->vm_mirror != vma);
33269 ++ BUG_ON(vma->vm_end - vma->vm_start != vma_m->vm_end - vma_m->vm_start);
33270 ++ BUG_ON(vma->vm_pgoff != vma_m->vm_pgoff || vma->anon_vma != vma_m->anon_vma);
33271 ++
33272 ++#ifdef CONFIG_PAX_MPROTECT
33273 ++ BUG_ON((vma->vm_flags ^ vma_m->vm_flags) & ~(VM_WRITE | VM_MAYWRITE | VM_ACCOUNT | VM_LOCKED | VM_MAYNOTWRITE));
33274 ++#else
33275 ++ BUG_ON((vma->vm_flags ^ vma_m->vm_flags) & ~(VM_WRITE | VM_MAYWRITE | VM_ACCOUNT | VM_LOCKED));
33276 ++#endif
33277 ++
33278 ++ return vma_m;
33279 ++}
33280 ++#endif
33281 ++
33282 + /*
33283 + * Verify that the stack growth is acceptable and
33284 + * update accounting. This is shared with both the
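Review bot: pax_find_mirror_vma() is a new non-static function with no header comment; the BUG_ON chain is its whole contract and deserves a short description above the definition, e.g. `/* Return the SEGMEXEC mirror of vma, or NULL if the mm is not SEGMEXEC or vma is not executable; BUG()s if the mirror linkage is inconsistent. */`. The `vma->vm_end - SEGMEXEC_TASK_SIZE - 1 < vma->vm_start - SEGMEXEC_TASK_SIZE - 1` assertion appears to rely on unsigned wrap-around to check that the vma does not straddle SEGMEXEC_TASK_SIZE; a one-line comment saying so would spare the next reader the arithmetic.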
33285 +@@ -1518,6 +1717,7 @@ static int acct_stack_growth(struct vm_a
33286 + return -ENOMEM;
33287 +
33288 + /* Stack limit test */
33289 ++ gr_learn_resource(current, RLIMIT_STACK, size, 1);
33290 + if (size > rlim[RLIMIT_STACK].rlim_cur)
33291 + return -ENOMEM;
33292 +
33293 +@@ -1527,6 +1727,7 @@ static int acct_stack_growth(struct vm_a
33294 + unsigned long limit;
33295 + locked = mm->locked_vm + grow;
33296 + limit = rlim[RLIMIT_MEMLOCK].rlim_cur >> PAGE_SHIFT;
33297 ++ gr_learn_resource(current, RLIMIT_MEMLOCK, locked << PAGE_SHIFT, 1);
33298 + if (locked > limit && !capable(CAP_IPC_LOCK))
33299 + return -ENOMEM;
33300 + }
33301 +@@ -1562,35 +1763,40 @@ static inline
33302 + #endif
33303 + int expand_upwards(struct vm_area_struct *vma, unsigned long address)
33304 + {
33305 +- int error;
33306 ++ int error, locknext;
33307 +
33308 + if (!(vma->vm_flags & VM_GROWSUP))
33309 + return -EFAULT;
33310 +
33311 ++ /* Also guard against wrapping around to address 0. */
33312 ++ if (address < PAGE_ALIGN(address+1))
33313 ++ address = PAGE_ALIGN(address+1);
33314 ++ else
33315 ++ return -ENOMEM;
33316 ++
33317 + /*
33318 + * We must make sure the anon_vma is allocated
33319 + * so that the anon_vma locking is not a noop.
33320 + */
33321 + if (unlikely(anon_vma_prepare(vma)))
33322 + return -ENOMEM;
33323 ++ locknext = vma->vm_next && (vma->vm_next->vm_flags & VM_GROWSDOWN);
33324 ++ if (locknext && unlikely(anon_vma_prepare(vma->vm_next)))
33325 ++ return -ENOMEM;
33326 + anon_vma_lock(vma);
33327 ++ if (locknext)
33328 ++ anon_vma_lock(vma->vm_next);
33329 +
33330 + /*
33331 + * vma->vm_start/vm_end cannot change under us because the caller
33332 + * is required to hold the mmap_sem in read mode. We need the
33333 +- * anon_vma lock to serialize against concurrent expand_stacks.
33334 +- * Also guard against wrapping around to address 0.
33335 ++ * anon_vma locks to serialize against concurrent expand_stacks
33336 ++ * and expand_upwards.
33337 + */
33338 +- if (address < PAGE_ALIGN(address+4))
33339 +- address = PAGE_ALIGN(address+4);
33340 +- else {
33341 +- anon_vma_unlock(vma);
33342 +- return -ENOMEM;
33343 +- }
33344 + error = 0;
33345 +
33346 + /* Somebody else might have raced and expanded it already */
33347 +- if (address > vma->vm_end) {
33348 ++ if (address > vma->vm_end && (!locknext || vma->vm_next->vm_start >= address)) {
33349 + unsigned long size, grow;
33350 +
33351 + size = address - vma->vm_start;
33352 +@@ -1600,6 +1806,8 @@ int expand_upwards(struct vm_area_struct
33353 + if (!error)
33354 + vma->vm_end = address;
33355 + }
33356 ++ if (locknext)
33357 ++ anon_vma_unlock(vma->vm_next);
33358 + anon_vma_unlock(vma);
33359 + return error;
33360 + }
33361 +@@ -1611,7 +1819,8 @@ int expand_upwards(struct vm_area_struct
33362 + static inline int expand_downwards(struct vm_area_struct *vma,
33363 + unsigned long address)
33364 + {
33365 +- int error;
33366 ++ int error, lockprev = 0;
33367 ++ struct vm_area_struct *prev = NULL;
33368 +
33369 + /*
33370 + * We must make sure the anon_vma is allocated
33371 +@@ -1625,6 +1834,15 @@ static inline int expand_downwards(struc
33372 + if (error)
33373 + return error;
33374 +
33375 ++#if defined(CONFIG_STACK_GROWSUP) || defined(CONFIG_IA64)
33376 ++ find_vma_prev(address, &prev);
33377 ++ lockprev = prev && (prev->vm_flags & VM_GROWSUP);
33378 ++#endif
33379 ++ if (lockprev && unlikely(anon_vma_prepare(prev)))
33380 ++ return -ENOMEM;
33381 ++ if (lockprev)
33382 ++ anon_vma_lock(prev);
33383 ++
33384 + anon_vma_lock(vma);
33385 +
33386 + /*
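Review bot: `find_vma_prev(address, &prev)` is missing the `mm` argument — find_vma_prev() takes the mm as its first parameter — so the CONFIG_STACK_GROWSUP/CONFIG_IA64 branch does not compile as written; it should read `find_vma_prev(vma->vm_mm, address, &prev);`. The lock order prev-then-vma here must agree with the vma-then-next order used in the expand_upwards hunk above for the two paths to stay deadlock-free, which is worth a comment next to `anon_vma_lock(prev)`. expand_downwards continues outside the hunk.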
33387 +@@ -1634,9 +1852,15 @@ static inline int expand_downwards(struc
33388 + */
33389 +
33390 + /* Somebody else might have raced and expanded it already */
33391 +- if (address < vma->vm_start) {
33392 ++ if (address < vma->vm_start && (!lockprev || prev->vm_end <= address)) {
33393 + unsigned long size, grow;
33394 +
33395 ++#ifdef CONFIG_PAX_SEGMEXEC
33396 ++ struct vm_area_struct *vma_m;
33397 ++
33398 ++ vma_m = pax_find_mirror_vma(vma);
33399 ++#endif
33400 ++
33401 + size = vma->vm_end - address;
33402 + grow = (vma->vm_start - address) >> PAGE_SHIFT;
33403 +
33404 +@@ -1644,9 +1868,20 @@ static inline int expand_downwards(struc
33405 + if (!error) {
33406 + vma->vm_start = address;
33407 + vma->vm_pgoff -= grow;
33408 ++ track_exec_limit(vma->vm_mm, vma->vm_start, vma->vm_end, vma->vm_flags);
33409 ++
33410 ++#ifdef CONFIG_PAX_SEGMEXEC
33411 ++ if (vma_m) {
33412 ++ vma_m->vm_start -= grow << PAGE_SHIFT;
33413 ++ vma_m->vm_pgoff -= grow;
33414 ++ }
33415 ++#endif
33416 ++
33417 + }
33418 + }
33419 + anon_vma_unlock(vma);
33420 ++ if (lockprev)
33421 ++ anon_vma_unlock(prev);
33422 + return error;
33423 + }
33424 +
33425 +@@ -1718,6 +1953,13 @@ static void remove_vma_list(struct mm_st
33426 + do {
33427 + long nrpages = vma_pages(vma);
33428 +
33429 ++#ifdef CONFIG_PAX_SEGMEXEC
33430 ++ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_start >= SEGMEXEC_TASK_SIZE)) {
33431 ++ vma = remove_vma(vma);
33432 ++ continue;
33433 ++ }
33434 ++#endif
33435 ++
33436 + mm->total_vm -= nrpages;
33437 + if (vma->vm_flags & VM_LOCKED)
33438 + mm->locked_vm -= nrpages;
33439 +@@ -1764,6 +2006,16 @@ detach_vmas_to_be_unmapped(struct mm_str
33440 +
33441 + insertion_point = (prev ? &prev->vm_next : &mm->mmap);
33442 + do {
33443 ++
33444 ++#ifdef CONFIG_PAX_SEGMEXEC
33445 ++ if (vma->vm_mirror) {
33446 ++ BUG_ON(!vma->vm_mirror->vm_mirror || vma->vm_mirror->vm_mirror != vma);
33447 ++ vma->vm_mirror->vm_mirror = NULL;
33448 ++ vma->vm_mirror->vm_flags &= ~VM_EXEC;
33449 ++ vma->vm_mirror = NULL;
33450 ++ }
33451 ++#endif
33452 ++
33453 + rb_erase(&vma->vm_rb, &mm->mm_rb);
33454 + mm->map_count--;
33455 + tail_vma = vma;
33456 +@@ -1783,6 +2035,112 @@ detach_vmas_to_be_unmapped(struct mm_str
33457 + * Split a vma into two pieces at address 'addr', a new vma is allocated
33458 + * either for the first part or the tail.
33459 + */
33460 ++
33461 ++#ifdef CONFIG_PAX_SEGMEXEC
33462 ++int split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
33463 ++ unsigned long addr, int new_below)
33464 ++{
33465 ++ struct mempolicy *pol, *pol_m;
33466 ++ struct vm_area_struct *new, *vma_m, *new_m = NULL;
33467 ++ unsigned long addr_m = addr + SEGMEXEC_TASK_SIZE;
33468 ++
33469 ++ if (is_vm_hugetlb_page(vma) && (addr & ~HPAGE_MASK))
33470 ++ return -EINVAL;
33471 ++
33472 ++ vma_m = pax_find_mirror_vma(vma);
33473 ++ if (vma_m) {
33474 ++ BUG_ON(vma->vm_end > SEGMEXEC_TASK_SIZE);
33475 ++ if (mm->map_count >= sysctl_max_map_count-1)
33476 ++ return -ENOMEM;
33477 ++ } else if (mm->map_count >= sysctl_max_map_count)
33478 ++ return -ENOMEM;
33479 ++
33480 ++ new = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
33481 ++ if (!new)
33482 ++ return -ENOMEM;
33483 ++
33484 ++ if (vma_m) {
33485 ++ new_m = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
33486 ++ if (!new_m) {
33487 ++ kmem_cache_free(vm_area_cachep, new);
33488 ++ return -ENOMEM;
33489 ++ }
33490 ++ }
33491 ++
33492 ++ /* most fields are the same, copy all, and then fixup */
33493 ++ *new = *vma;
33494 ++
33495 ++ if (new_below)
33496 ++ new->vm_end = addr;
33497 ++ else {
33498 ++ new->vm_start = addr;
33499 ++ new->vm_pgoff += ((addr - vma->vm_start) >> PAGE_SHIFT);
33500 ++ }
33501 ++
33502 ++ if (vma_m) {
33503 ++ *new_m = *vma_m;
33504 ++ new_m->vm_mirror = new;
33505 ++ new->vm_mirror = new_m;
33506 ++
33507 ++ if (new_below)
33508 ++ new_m->vm_end = addr_m;
33509 ++ else {
33510 ++ new_m->vm_start = addr_m;
33511 ++ new_m->vm_pgoff += ((addr_m - vma_m->vm_start) >> PAGE_SHIFT);
33512 ++ }
33513 ++ }
33514 ++
33515 ++ pol = mpol_copy(vma_policy(vma));
33516 ++ if (IS_ERR(pol)) {
33517 ++ if (new_m)
33518 ++ kmem_cache_free(vm_area_cachep, new_m);
33519 ++ kmem_cache_free(vm_area_cachep, new);
33520 ++ return PTR_ERR(pol);
33521 ++ }
33522 ++
33523 ++ if (vma_m) {
33524 ++ pol_m = mpol_copy(vma_policy(vma_m));
33525 ++ if (IS_ERR(pol_m)) {
33526 ++ mpol_free(pol);
33527 ++ kmem_cache_free(vm_area_cachep, new_m);
33528 ++ kmem_cache_free(vm_area_cachep, new);
33529 ++ return PTR_ERR(pol);
33530 ++ }
33531 ++ }
33532 ++
33533 ++ vma_set_policy(new, pol);
33534 ++
33535 ++ if (new->vm_file)
33536 ++ get_file(new->vm_file);
33537 ++
33538 ++ if (new->vm_ops && new->vm_ops->open)
33539 ++ new->vm_ops->open(new);
33540 ++
33541 ++ if (new_below)
33542 ++ vma_adjust(vma, addr, vma->vm_end, vma->vm_pgoff +
33543 ++ ((addr - new->vm_start) >> PAGE_SHIFT), new);
33544 ++ else
33545 ++ vma_adjust(vma, vma->vm_start, addr, vma->vm_pgoff, new);
33546 ++
33547 ++ if (vma_m) {
33548 ++ vma_set_policy(new_m, pol_m);
33549 ++
33550 ++ if (new_m->vm_file)
33551 ++ get_file(new_m->vm_file);
33552 ++
33553 ++ if (new_m->vm_ops && new_m->vm_ops->open)
33554 ++ new_m->vm_ops->open(new_m);
33555 ++
33556 ++ if (new_below)
33557 ++ vma_adjust(vma_m, addr_m, vma_m->vm_end, vma_m->vm_pgoff +
33558 ++ ((addr_m - new_m->vm_start) >> PAGE_SHIFT), new_m);
33559 ++ else
33560 ++ vma_adjust(vma_m, vma_m->vm_start, addr_m, vma_m->vm_pgoff, new_m);
33561 ++ }
33562 ++
33563 ++ return 0;
33564 ++}
33565 ++#else
33566 + int split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
33567 + unsigned long addr, int new_below)
33568 + {
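Review bot: In the SEGMEXEC split_vma(), the `IS_ERR(pol_m)` error path returns `PTR_ERR(pol)` after `mpol_free(pol)` — `pol` is a valid policy pointer at that point, so the caller receives its address reinterpreted as a long instead of an errno; it should be `return PTR_ERR(pol_m);`. `pol_m` is also left uninitialised when `vma_m` is NULL, which is harmless on the paths shown but will draw a maybe-uninitialised warning; `struct mempolicy *pol, *pol_m = NULL;` avoids it. A header comment stating that the mirror at `addr + SEGMEXEC_TASK_SIZE` is split in lockstep with the primary vma, and that two map-count slots are reserved when a mirror exists, would make the duplicated structure easier to follow.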
33569 +@@ -1830,17 +2188,37 @@ int split_vma(struct mm_struct * mm, str
33570 +
33571 + return 0;
33572 + }
33573 ++#endif
33574 +
33575 + /* Munmap is split into 2 main parts -- this part which finds
33576 + * what needs doing, and the areas themselves, which do the
33577 + * work. This now handles partial unmappings.
33578 + * Jeremy Fitzhardinge <jeremy@××××.org>
33579 + */
33580 ++#ifdef CONFIG_PAX_SEGMEXEC
33581 + int do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
33582 + {
33583 ++ int ret = __do_munmap(mm, start, len);
33584 ++ if (ret || !(mm->pax_flags & MF_PAX_SEGMEXEC))
33585 ++ return ret;
33586 ++
33587 ++ return __do_munmap(mm, start + SEGMEXEC_TASK_SIZE, len);
33588 ++}
33589 ++
33590 ++int __do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
33591 ++#else
33592 ++int do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
33593 ++#endif
33594 ++{
33595 + unsigned long end;
33596 + struct vm_area_struct *vma, *prev, *last;
33597 +
33598 ++ /*
33599 ++ * mm->mmap_sem is required to protect against another thread
33600 ++ * changing the mappings in case we sleep.
33601 ++ */
33602 ++ verify_mm_writelocked(mm);
33603 ++
33604 + if ((start & ~PAGE_MASK) || start > TASK_SIZE || len > TASK_SIZE-start)
33605 + return -EINVAL;
33606 +
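Review bot: The SEGMEXEC do_munmap() wrapper returns the result of the second `__do_munmap(mm, start + SEGMEXEC_TASK_SIZE, len)` after the first has already succeeded, so a failure there (an -ENOMEM from a split, or -EINVAL from the range check on the shifted start) leaves the primary range unmapped while its mirror stays in place, and the caller sees an error for a partially applied unmap. That outcome should at least be documented above the wrapper, e.g. `/* the mirror unmap can fail after the primary one succeeded; callers then get the mirror's error */`, or the shifted range validated before the first call. `__do_munmap` is defined after its use in do_munmap, so a prototype must exist elsewhere (presumably a header) — not visible here. The function body continues outside the hunk.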
33607 +@@ -1890,6 +2268,8 @@ int do_munmap(struct mm_struct *mm, unsi
33608 + /* Fix up all other VM information */
33609 + remove_vma_list(mm, vma);
33610 +
33611 ++ track_exec_limit(mm, start, end, 0UL);
33612 ++
33613 + return 0;
33614 + }
33615 +
33616 +@@ -1902,22 +2282,18 @@ asmlinkage long sys_munmap(unsigned long
33617 +
33618 + profile_munmap(addr);
33619 +
33620 ++#ifdef CONFIG_PAX_SEGMEXEC
33621 ++ if ((mm->pax_flags & MF_PAX_SEGMEXEC) &&
33622 ++ (len > SEGMEXEC_TASK_SIZE || addr > SEGMEXEC_TASK_SIZE-len))
33623 ++ return -EINVAL;
33624 ++#endif
33625 ++
33626 + down_write(&mm->mmap_sem);
33627 + ret = do_munmap(mm, addr, len);
33628 + up_write(&mm->mmap_sem);
33629 + return ret;
33630 + }
33631 +
33632 +-static inline void verify_mm_writelocked(struct mm_struct *mm)
33633 +-{
33634 +-#ifdef CONFIG_DEBUG_VM
33635 +- if (unlikely(down_read_trylock(&mm->mmap_sem))) {
33636 +- WARN_ON(1);
33637 +- up_read(&mm->mmap_sem);
33638 +- }
33639 +-#endif
33640 +-}
33641 +-
33642 + /*
33643 + * this is really a simplified "do_mmap". it only handles
33644 + * anonymous maps. eventually we may be able to do some
33645 +@@ -1931,6 +2307,11 @@ unsigned long do_brk(unsigned long addr,
33646 + struct rb_node ** rb_link, * rb_parent;
33647 + pgoff_t pgoff = addr >> PAGE_SHIFT;
33648 + int error;
33649 ++ unsigned long charged;
33650 ++
33651 ++#ifdef CONFIG_PAX_SEGMEXEC
33652 ++ struct vm_area_struct *vma_m = NULL;
33653 ++#endif
33654 +
33655 + len = PAGE_ALIGN(len);
33656 + if (!len)
33657 +@@ -1948,19 +2329,34 @@ unsigned long do_brk(unsigned long addr,
33658 +
33659 + flags = VM_DATA_DEFAULT_FLAGS | VM_ACCOUNT | mm->def_flags;
33660 +
33661 ++#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
33662 ++ if (mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
33663 ++ flags &= ~VM_EXEC;
33664 ++
33665 ++#ifdef CONFIG_PAX_MPROTECT
33666 ++ if (mm->pax_flags & MF_PAX_MPROTECT)
33667 ++ flags &= ~VM_MAYEXEC;
33668 ++#endif
33669 ++
33670 ++ }
33671 ++#endif
33672 ++
33673 + error = arch_mmap_check(addr, len, flags);
33674 + if (error)
33675 + return error;
33676 +
33677 ++ charged = len >> PAGE_SHIFT;
33678 ++
33679 + /*
33680 + * mlock MCL_FUTURE?
33681 + */
33682 + if (mm->def_flags & VM_LOCKED) {
33683 + unsigned long locked, lock_limit;
33684 +- locked = len >> PAGE_SHIFT;
33685 ++ locked = charged;
33686 + locked += mm->locked_vm;
33687 + lock_limit = current->signal->rlim[RLIMIT_MEMLOCK].rlim_cur;
33688 + lock_limit >>= PAGE_SHIFT;
33689 ++ gr_learn_resource(current, RLIMIT_MEMLOCK, locked << PAGE_SHIFT, 1);
33690 + if (locked > lock_limit && !capable(CAP_IPC_LOCK))
33691 + return -EAGAIN;
33692 + }
33693 +@@ -1974,22 +2370,22 @@ unsigned long do_brk(unsigned long addr,
33694 + /*
33695 + * Clear old maps. this also does some error checking for us
33696 + */
33697 +- munmap_back:
33698 + vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
33699 + if (vma && vma->vm_start < addr + len) {
33700 + if (do_munmap(mm, addr, len))
33701 + return -ENOMEM;
33702 +- goto munmap_back;
33703 ++ vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
33704 ++ BUG_ON(vma && vma->vm_start < addr + len);
33705 + }
33706 +
33707 + /* Check against address space limits *after* clearing old maps... */
33708 +- if (!may_expand_vm(mm, len >> PAGE_SHIFT))
33709 ++ if (!may_expand_vm(mm, charged))
33710 + return -ENOMEM;
33711 +
33712 + if (mm->map_count > sysctl_max_map_count)
33713 + return -ENOMEM;
33714 +
33715 +- if (security_vm_enough_memory(len >> PAGE_SHIFT))
33716 ++ if (security_vm_enough_memory(charged))
33717 + return -ENOMEM;
33718 +
33719 + /* Can we just expand an old private anonymous mapping? */
33720 +@@ -2002,24 +2398,41 @@ unsigned long do_brk(unsigned long addr,
33721 + */
33722 + vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
33723 + if (!vma) {
33724 +- vm_unacct_memory(len >> PAGE_SHIFT);
33725 ++ vm_unacct_memory(charged);
33726 + return -ENOMEM;
33727 + }
33728 +
33729 ++#ifdef CONFIG_PAX_SEGMEXEC
33730 ++ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (flags & VM_EXEC)) {
33731 ++ vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
33732 ++ if (!vma_m) {
33733 ++ kmem_cache_free(vm_area_cachep, vma);
33734 ++ vm_unacct_memory(charged);
33735 ++ return -ENOMEM;
33736 ++ }
33737 ++ }
33738 ++#endif
33739 ++
33740 + vma->vm_mm = mm;
33741 + vma->vm_start = addr;
33742 + vma->vm_end = addr + len;
33743 + vma->vm_pgoff = pgoff;
33744 + vma->vm_flags = flags;
33745 +- vma->vm_page_prot = protection_map[flags &
33746 +- (VM_READ|VM_WRITE|VM_EXEC|VM_SHARED)];
33747 ++ vma->vm_page_prot = vm_get_page_prot(flags);
33748 + vma_link(mm, vma, prev, rb_link, rb_parent);
33749 ++
33750 ++#ifdef CONFIG_PAX_SEGMEXEC
33751 ++ if (vma_m)
33752 ++ pax_mirror_vma(vma_m, vma);
33753 ++#endif
33754 ++
33755 + out:
33756 +- mm->total_vm += len >> PAGE_SHIFT;
33757 ++ mm->total_vm += charged;
33758 + if (flags & VM_LOCKED) {
33759 +- mm->locked_vm += len >> PAGE_SHIFT;
33760 ++ mm->locked_vm += charged;
33761 + make_pages_present(addr, addr + len);
33762 + }
33763 ++ track_exec_limit(mm, addr, addr + len, flags);
33764 + return addr;
33765 + }
33766 +
33767 +@@ -2050,8 +2463,10 @@ void exit_mmap(struct mm_struct *mm)
33768 + * Walk the list again, actually closing and freeing it,
33769 + * with preemption enabled, without holding any MM locks.
33770 + */
33771 +- while (vma)
33772 ++ while (vma) {
33773 ++ vma->vm_mirror = NULL;
33774 + vma = remove_vma(vma);
33775 ++ }
33776 +
33777 + BUG_ON(mm->nr_ptes > (FIRST_USER_ADDRESS+PMD_SIZE-1)>>PMD_SHIFT);
33778 + }
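Review bot: `vma->vm_mirror = NULL;` is the only vm_mirror access in this patch that is not wrapped in `#ifdef CONFIG_PAX_SEGMEXEC`; every other touch (insert_vm_struct, pax_mirror_vma, mprotect_fixup) is conditional. Either the field exists unconditionally in struct vm_area_struct (not visible here) or this fails to build with SEGMEXEC disabled; wrapping the assignment in the same `#ifdef` keeps the patch consistent either way. exit_mmap starts outside the hunk.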
33779 +@@ -2065,6 +2480,10 @@ int insert_vm_struct(struct mm_struct *
33780 + struct vm_area_struct * __vma, * prev;
33781 + struct rb_node ** rb_link, * rb_parent;
33782 +
33783 ++#ifdef CONFIG_PAX_SEGMEXEC
33784 ++ struct vm_area_struct *vma_m = NULL;
33785 ++#endif
33786 ++
33787 + /*
33788 + * The vm_pgoff of a purely anonymous vma should be irrelevant
33789 + * until its first write fault, when page's anon_vma and index
33790 +@@ -2087,7 +2506,22 @@ int insert_vm_struct(struct mm_struct *
33791 + if ((vma->vm_flags & VM_ACCOUNT) &&
33792 + security_vm_enough_memory_mm(mm, vma_pages(vma)))
33793 + return -ENOMEM;
33794 ++
33795 ++#ifdef CONFIG_PAX_SEGMEXEC
33796 ++ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_flags & VM_EXEC)) {
33797 ++ vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
33798 ++ if (!vma_m)
33799 ++ return -ENOMEM;
33800 ++ }
33801 ++#endif
33802 ++
33803 + vma_link(mm, vma, prev, rb_link, rb_parent);
33804 ++
33805 ++#ifdef CONFIG_PAX_SEGMEXEC
33806 ++ if (vma_m)
33807 ++ pax_mirror_vma(vma_m, vma);
33808 ++#endif
33809 ++
33810 + return 0;
33811 + }
33812 +
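Review bot: When the `vma_m` allocation fails, the commit charged by `security_vm_enough_memory_mm(mm, vma_pages(vma))` three lines earlier is never returned, so a VM_ACCOUNT vma leaks its accounting on this -ENOMEM path; the do_brk hunk in this same patch calls `vm_unacct_memory(charged)` in the equivalent situation. The fix is `if (!vma_m) { if (vma->vm_flags & VM_ACCOUNT) vm_unacct_memory(vma_pages(vma)); return -ENOMEM; }`. insert_vm_struct starts outside the hunk.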
33813 +@@ -2145,6 +2579,30 @@ struct vm_area_struct *copy_vma(struct v
33814 + return new_vma;
33815 + }
33816 +
33817 ++#ifdef CONFIG_PAX_SEGMEXEC
33818 ++void pax_mirror_vma(struct vm_area_struct *vma_m, struct vm_area_struct *vma)
33819 ++{
33820 ++ struct vm_area_struct *prev_m;
33821 ++ struct rb_node **rb_link_m, *rb_parent_m;
33822 ++
33823 ++ BUG_ON(!(vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) || !(vma->vm_flags & VM_EXEC));
33824 ++ BUG_ON(vma->vm_mirror || vma_m->vm_mirror || vma_policy(vma));
33825 ++ *vma_m = *vma;
33826 ++ vma_m->vm_start += SEGMEXEC_TASK_SIZE;
33827 ++ vma_m->vm_end += SEGMEXEC_TASK_SIZE;
33828 ++ vma_m->vm_flags &= ~(VM_WRITE | VM_MAYWRITE | VM_ACCOUNT | VM_LOCKED);
33829 ++ vma_m->vm_page_prot = vm_get_page_prot(vma_m->vm_flags);
33830 ++ if (vma_m->vm_file)
33831 ++ get_file(vma_m->vm_file);
33832 ++ if (vma_m->vm_ops && vma_m->vm_ops->open)
33833 ++ vma_m->vm_ops->open(vma_m);
33834 ++ find_vma_prepare(vma->vm_mm, vma_m->vm_start, &prev_m, &rb_link_m, &rb_parent_m);
33835 ++ vma_link(vma->vm_mm, vma_m, prev_m, rb_link_m, rb_parent_m);
33836 ++ vma_m->vm_mirror = vma;
33837 ++ vma->vm_mirror = vma_m;
33838 ++}
33839 ++#endif
33840 ++
33841 + /*
33842 + * Return true if the calling process may expand its vm space by the passed
33843 + * number of pages
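Review bot: pax_mirror_vma discards the return value of `find_vma_prepare`, so an existing mapping inside the mirror range would be silently overlapped by `vma_link`; the function is void and has no way to report that, so the precondition that `[vm_start + SEGMEXEC_TASK_SIZE, vm_end + SEGMEXEC_TASK_SIZE)` is free must be guaranteed by every caller. At minimum that contract belongs in a header comment on the function, and a debug assertion along the lines of `struct vm_area_struct *next_m = find_vma_prepare(...);` followed by `VM_BUG_ON(next_m && next_m->vm_start < vma_m->vm_end);` would catch violations early. A one-line comment that `*vma_m = *vma;` intentionally copies the list/rb-tree linkage fields which `vma_link` then overwrites would also help the next reader.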
33844 +@@ -2155,7 +2613,7 @@ int may_expand_vm(struct mm_struct *mm,
33845 + unsigned long lim;
33846 +
33847 + lim = current->signal->rlim[RLIMIT_AS].rlim_cur >> PAGE_SHIFT;
33848 +-
33849 ++ gr_learn_resource(current, RLIMIT_AS, (cur + npages) << PAGE_SHIFT, 1);
33850 + if (cur + npages > lim)
33851 + return 0;
33852 + return 1;
33853 +@@ -2167,7 +2625,7 @@ static struct page *special_mapping_nopa
33854 + {
33855 + struct page **pages;
33856 +
33857 +- BUG_ON(address < vma->vm_start || address >= vma->vm_end);
33858 ++ BUG_ON(address < vma->vm_start || address >= vma->vm_end || (address & ~PAGE_MASK));
33859 +
33860 + address -= vma->vm_start;
33861 + for (pages = vma->vm_private_data; address > 0 && *pages; ++pages)
33862 +@@ -2217,8 +2675,17 @@ int install_special_mapping(struct mm_st
33863 + vma->vm_start = addr;
33864 + vma->vm_end = addr + len;
33865 +
33866 ++#ifdef CONFIG_PAX_MPROTECT
33867 ++ if (mm->pax_flags & MF_PAX_MPROTECT) {
33868 ++ if ((vm_flags & (VM_WRITE | VM_EXEC)) != VM_EXEC)
33869 ++ vm_flags &= ~(VM_EXEC | VM_MAYEXEC);
33870 ++ else
33871 ++ vm_flags &= ~(VM_WRITE | VM_MAYWRITE);
33872 ++ }
33873 ++#endif
33874 ++
33875 + vma->vm_flags = vm_flags | mm->def_flags | VM_DONTEXPAND;
33876 +- vma->vm_page_prot = protection_map[vma->vm_flags & 7];
33877 ++ vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
33878 +
33879 + vma->vm_ops = &special_mapping_vmops;
33880 + vma->vm_private_data = pages;
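Review bot: The CONFIG_PAX_MPROTECT block silently rewrites the protection the caller of install_special_mapping asked for, and nothing says why; a comment such as `/* PaX: enforce W^X on special mappings: a W+X request loses exec, an X-only request loses write */` above the `if (mm->pax_flags & MF_PAX_MPROTECT)` line would make the policy explicit. The function starts outside the hunk.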
33881 +diff -Nurp linux-2.6.23.15/mm/mprotect.c linux-2.6.23.15-grsec/mm/mprotect.c
33882 +--- linux-2.6.23.15/mm/mprotect.c 2007-10-09 21:31:38.000000000 +0100
33883 ++++ linux-2.6.23.15-grsec/mm/mprotect.c 2008-02-11 10:37:45.000000000 +0000
33884 +@@ -21,10 +21,17 @@
33885 + #include <linux/syscalls.h>
33886 + #include <linux/swap.h>
33887 + #include <linux/swapops.h>
33888 ++#include <linux/grsecurity.h>
33889 ++
33890 ++#ifdef CONFIG_PAX_MPROTECT
33891 ++#include <linux/elf.h>
33892 ++#endif
33893 ++
33894 + #include <asm/uaccess.h>
33895 + #include <asm/pgtable.h>
33896 + #include <asm/cacheflush.h>
33897 + #include <asm/tlbflush.h>
33898 ++#include <asm/mmu_context.h>
33899 +
33900 + static void change_pte_range(struct mm_struct *mm, pmd_t *pmd,
33901 + unsigned long addr, unsigned long end, pgprot_t newprot,
33902 +@@ -128,6 +135,48 @@ static void change_protection(struct vm_
33903 + flush_tlb_range(vma, start, end);
33904 + }
33905 +
33906 ++#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
33907 ++/* called while holding the mmap semaphor for writing except stack expansion */
33908 ++void track_exec_limit(struct mm_struct *mm, unsigned long start, unsigned long end, unsigned long prot)
33909 ++{
33910 ++ unsigned long oldlimit, newlimit = 0UL;
33911 ++
33912 ++ if (!(mm->pax_flags & MF_PAX_PAGEEXEC) || nx_enabled)
33913 ++ return;
33914 ++
33915 ++ spin_lock(&mm->page_table_lock);
33916 ++ oldlimit = mm->context.user_cs_limit;
33917 ++ if ((prot & VM_EXEC) && oldlimit < end)
33918 ++ /* USER_CS limit moved up */
33919 ++ newlimit = end;
33920 ++ else if (!(prot & VM_EXEC) && start < oldlimit && oldlimit <= end)
33921 ++ /* USER_CS limit moved down */
33922 ++ newlimit = start;
33923 ++
33924 ++ if (newlimit) {
33925 ++ mm->context.user_cs_limit = newlimit;
33926 ++
33927 ++#ifdef CONFIG_SMP
33928 ++ wmb();
33929 ++ cpus_clear(mm->context.cpu_user_cs_mask);
33930 ++ cpu_set(smp_processor_id(), mm->context.cpu_user_cs_mask);
33931 ++#endif
33932 ++
33933 ++ set_user_cs(mm->context.user_cs_base, mm->context.user_cs_limit, smp_processor_id());
33934 ++ }
33935 ++ spin_unlock(&mm->page_table_lock);
33936 ++ if (newlimit == end) {
33937 ++ struct vm_area_struct *vma = find_vma(mm, oldlimit);
33938 ++
33939 ++ for (; vma && vma->vm_start < end; vma = vma->vm_next)
33940 ++ if (is_vm_hugetlb_page(vma))
33941 ++ hugetlb_change_protection(vma, vma->vm_start, vma->vm_end, vma->vm_page_prot);
33942 ++ else
33943 ++ change_protection(vma, vma->vm_start, vma->vm_end, vma->vm_page_prot, vma_wants_writenotify(vma));
33944 ++ }
33945 ++}
33946 ++#endif
33947 ++
33948 + int
33949 + mprotect_fixup(struct vm_area_struct *vma, struct vm_area_struct **pprev,
33950 + unsigned long start, unsigned long end, unsigned long newflags)
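Review bot: In track_exec_limit the value `0UL` doubles as the "limit unchanged" sentinel, so when the limit should move down to a range whose `start` is 0 the `if (newlimit)` test skips the update; a separate flag (`int changed = 0;` set alongside `newlimit`) removes the ambiguity. The vma walk after `spin_unlock` relies on the caller holding mmap_sem for writing, which the header comment itself says is not true for stack expansion; that exception deserves a sentence explaining why the walk is still safe there. The comment also has a typo: "semaphor" should be "semaphore".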
33951 +@@ -140,11 +189,39 @@ mprotect_fixup(struct vm_area_struct *vm
33952 + int error;
33953 + int dirty_accountable = 0;
33954 +
33955 ++#ifdef CONFIG_PAX_SEGMEXEC
33956 ++ struct vm_area_struct *vma_m = NULL;
33957 ++ unsigned long start_m, end_m;
33958 ++
33959 ++ start_m = start + SEGMEXEC_TASK_SIZE;
33960 ++ end_m = end + SEGMEXEC_TASK_SIZE;
33961 ++#endif
33962 ++
33963 + if (newflags == oldflags) {
33964 + *pprev = vma;
33965 + return 0;
33966 + }
33967 +
33968 ++#ifdef CONFIG_PAX_SEGMEXEC
33969 ++ if (pax_find_mirror_vma(vma) && !(newflags & VM_EXEC)) {
33970 ++ if (start != vma->vm_start) {
33971 ++ error = split_vma(mm, vma, start, 1);
33972 ++ if (error)
33973 ++ return -ENOMEM;
33974 ++ }
33975 ++
33976 ++ if (end != vma->vm_end) {
33977 ++ error = split_vma(mm, vma, end, 0);
33978 ++ if (error)
33979 ++ return -ENOMEM;
33980 ++ }
33981 ++
33982 ++ error = __do_munmap(mm, start_m, end_m - start_m);
33983 ++ if (error)
33984 ++ return -ENOMEM;
33985 ++ }
33986 ++#endif
33987 ++
33988 + /*
33989 + * If we make a private mapping writable we increase our commit;
33990 + * but (without finer accounting) cannot reduce our commit if we
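Review bot: Every failure inside the SEGMEXEC block collapses the callee's return code into -ENOMEM (`if (error) return -ENOMEM;` three times); `return error;` preserves split_vma's actual reason. The third failure, `__do_munmap` after both splits succeeded, leaves the vma split but reports a failed mprotect to the caller; if that partial state is acceptable it should be noted in a comment, otherwise the unmap should precede the splits. `pax_find_mirror_vma` and `__do_munmap` are not defined in this view, and mprotect_fixup's body continues outside the hunk.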
33991 +@@ -187,17 +264,25 @@ mprotect_fixup(struct vm_area_struct *vm
33992 + goto fail;
33993 + }
33994 +
33995 ++#ifdef CONFIG_PAX_SEGMEXEC
33996 ++ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && !(oldflags & VM_EXEC) && (newflags & VM_EXEC)) {
33997 ++ vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
33998 ++ if (!vma_m) {
33999 ++ error = -ENOMEM;
34000 ++ goto fail;
34001 ++ }
34002 ++ }
34003 ++#endif
34004 ++
34005 + success:
34006 + /*
34007 + * vm_flags and vm_page_prot are protected by the mmap_sem
34008 + * held in write mode.
34009 + */
34010 + vma->vm_flags = newflags;
34011 +- vma->vm_page_prot = protection_map[newflags &
34012 +- (VM_READ|VM_WRITE|VM_EXEC|VM_SHARED)];
34013 ++ vma->vm_page_prot = vm_get_page_prot(newflags);
34014 + if (vma_wants_writenotify(vma)) {
34015 +- vma->vm_page_prot = protection_map[newflags &
34016 +- (VM_READ|VM_WRITE|VM_EXEC)];
34017 ++ vma->vm_page_prot = vm_get_page_prot(newflags & ~VM_SHARED);
34018 + dirty_accountable = 1;
34019 + }
34020 +
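Review bot: The `vma_m` allocation is placed between the split path and the `success:` label, so the vma_merge path in the unchanged part of mprotect_fixup that jumps to `success` bypasses it; that is only correct if a merge target gaining VM_EXEC already carries a mirror and vma_adjust extends it, which this hunk cannot show. A comment above the `#ifdef CONFIG_PAX_SEGMEXEC` stating that assumption (`/* merged vmas already have a mirror; vma_adjust grows it */`) would let a reader verify it. mprotect_fixup starts and ends outside the hunk.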
34021 +@@ -205,6 +290,12 @@ success:
34022 + hugetlb_change_protection(vma, start, end, vma->vm_page_prot);
34023 + else
34024 + change_protection(vma, start, end, vma->vm_page_prot, dirty_accountable);
34025 ++
34026 ++#ifdef CONFIG_PAX_SEGMEXEC
34027 ++ if (vma_m)
34028 ++ pax_mirror_vma(vma_m, vma);
34029 ++#endif
34030 ++
34031 + vm_stat_account(mm, oldflags, vma->vm_file, -nrpages);
34032 + vm_stat_account(mm, newflags, vma->vm_file, nrpages);
34033 + return 0;
34034 +@@ -214,6 +305,70 @@ fail:
34035 + return error;
34036 + }
34037 +
34038 ++#ifdef CONFIG_PAX_MPROTECT
34039 ++/* PaX: non-PIC ELF libraries need relocations on their executable segments
34040 ++ * therefore we'll grant them VM_MAYWRITE once during their life.
34041 ++ *
34042 ++ * The checks favour ld-linux.so behaviour which operates on a per ELF segment
34043 ++ * basis because we want to allow the common case and not the special ones.
34044 ++ */
34045 ++static inline void pax_handle_maywrite(struct vm_area_struct *vma, unsigned long start)
34046 ++{
34047 ++ struct elfhdr elf_h;
34048 ++ struct elf_phdr elf_p;
34049 ++ elf_addr_t dyn_offset = 0UL;
34050 ++ elf_dyn dyn;
34051 ++ unsigned long i, j = 65536UL / sizeof(struct elf_phdr);
34052 ++
34053 ++#ifndef CONFIG_PAX_NOELFRELOCS
34054 ++ if ((vma->vm_start != start) ||
34055 ++ !vma->vm_file ||
34056 ++ !(vma->vm_flags & VM_MAYEXEC) ||
34057 ++ (vma->vm_flags & VM_MAYNOTWRITE))
34058 ++#endif
34059 ++
34060 ++ return;
34061 ++
34062 ++ if (sizeof(elf_h) != kernel_read(vma->vm_file, 0UL, (char *)&elf_h, sizeof(elf_h)) ||
34063 ++ memcmp(elf_h.e_ident, ELFMAG, SELFMAG) ||
34064 ++
34065 ++#ifdef CONFIG_PAX_ETEXECRELOCS
34066 ++ (elf_h.e_type != ET_DYN && elf_h.e_type != ET_EXEC) ||
34067 ++#else
34068 ++ elf_h.e_type != ET_DYN ||
34069 ++#endif
34070 ++
34071 ++ !elf_check_arch(&elf_h) ||
34072 ++ elf_h.e_phentsize != sizeof(struct elf_phdr) ||
34073 ++ elf_h.e_phnum > j)
34074 ++ return;
34075 ++
34076 ++ for (i = 0UL; i < elf_h.e_phnum; i++) {
34077 ++ if (sizeof(elf_p) != kernel_read(vma->vm_file, elf_h.e_phoff + i*sizeof(elf_p), (char *)&elf_p, sizeof(elf_p)))
34078 ++ return;
34079 ++ if (elf_p.p_type == PT_DYNAMIC) {
34080 ++ dyn_offset = elf_p.p_offset;
34081 ++ j = i;
34082 ++ }
34083 ++ }
34084 ++ if (elf_h.e_phnum <= j)
34085 ++ return;
34086 ++
34087 ++ i = 0UL;
34088 ++ do {
34089 ++ if (sizeof(dyn) != kernel_read(vma->vm_file, dyn_offset + i*sizeof(dyn), (char *)&dyn, sizeof(dyn)))
34090 ++ return;
34091 ++ if (dyn.d_tag == DT_TEXTREL || (dyn.d_tag == DT_FLAGS && (dyn.d_un.d_val & DF_TEXTREL))) {
34092 ++ vma->vm_flags |= VM_MAYWRITE | VM_MAYNOTWRITE;
34093 ++ gr_log_textrel(vma);
34094 ++ return;
34095 ++ }
34096 ++ i++;
34097 ++ } while (dyn.d_tag != DT_NULL);
34098 ++ return;
34099 ++}
34100 ++#endif
34101 ++
34102 + asmlinkage long
34103 + sys_mprotect(unsigned long start, size_t len, unsigned long prot)
34104 + {
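Review bot: In pax_handle_maywrite the bare `return;` after `#endif` is the whole effective body when CONFIG_PAX_NOELFRELOCS is set, which is easy to misread as a stray statement; a comment on it such as `/* with CONFIG_PAX_NOELFRELOCS the condition above is compiled out and we always bail */` makes the intent visible. The `do { ... } while (dyn.d_tag != DT_NULL)` scan of the dynamic section is bounded only by a DT_NULL entry or a short read, so a file whose PT_DYNAMIC lacks DT_NULL is read to EOF; saving `dyn_size = elf_p.p_filesz;` when PT_DYNAMIC is found and looping `while (dyn.d_tag != DT_NULL && i < dyn_size / sizeof(dyn))` caps the work at the segment the file itself declares.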
34105 +@@ -233,6 +388,17 @@ sys_mprotect(unsigned long start, size_t
34106 + end = start + len;
34107 + if (end <= start)
34108 + return -ENOMEM;
34109 ++
34110 ++#ifdef CONFIG_PAX_SEGMEXEC
34111 ++ if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
34112 ++ if (end > SEGMEXEC_TASK_SIZE)
34113 ++ return -EINVAL;
34114 ++ } else
34115 ++#endif
34116 ++
34117 ++ if (end > TASK_SIZE)
34118 ++ return -EINVAL;
34119 ++
34120 + if (prot & ~(PROT_READ | PROT_WRITE | PROT_EXEC | PROT_SEM))
34121 + return -EINVAL;
34122 +
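Review bot: The `} else` / `#endif` / `if (end > TASK_SIZE)` sequence splits one if/else across a preprocessor boundary, which is fragile to edit; do_mremap in this same patch instead selects a local `task_size` under the `#ifdef` and tests it once. The same shape here, `unsigned long task_size = TASK_SIZE;` set to `SEGMEXEC_TASK_SIZE` inside the `#ifdef` and then `if (end > task_size) return -EINVAL;`, reads better and keeps the two call sites consistent. sys_mprotect starts outside the hunk.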
34123 +@@ -240,7 +406,7 @@ sys_mprotect(unsigned long start, size_t
34124 + /*
34125 + * Does the application expect PROT_READ to imply PROT_EXEC:
34126 + */
34127 +- if ((prot & PROT_READ) && (current->personality & READ_IMPLIES_EXEC))
34128 ++ if ((prot & (PROT_READ | PROT_WRITE)) && (current->personality & READ_IMPLIES_EXEC))
34129 + prot |= PROT_EXEC;
34130 +
34131 + vm_flags = calc_vm_prot_bits(prot);
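Review bot: Adding PROT_WRITE to the READ_IMPLIES_EXEC test widens which requests silently acquire PROT_EXEC, and the comment above still only mentions PROT_READ; it should be updated to say why a write-only protection implies exec under this personality (`/* PaX: under READ_IMPLIES_EXEC a writable mapping is also executable */` or whatever the actual rationale is).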
34132 +@@ -272,6 +438,16 @@ sys_mprotect(unsigned long start, size_t
34133 + if (start > vma->vm_start)
34134 + prev = vma;
34135 +
34136 ++ if (!gr_acl_handle_mprotect(vma->vm_file, prot)) {
34137 ++ error = -EACCES;
34138 ++ goto out;
34139 ++ }
34140 ++
34141 ++#ifdef CONFIG_PAX_MPROTECT
34142 ++ if ((vma->vm_mm->pax_flags & MF_PAX_MPROTECT) && (prot & PROT_WRITE))
34143 ++ pax_handle_maywrite(vma, start);
34144 ++#endif
34145 ++
34146 + for (nstart = start ; ; ) {
34147 + unsigned long newflags;
34148 +
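Review bot: Both new checks run once on the first vma found at `start`, before the `for (nstart = start ; ; )` loop walks the remaining vmas of the range, so for a request spanning several mappings only the first vma's file is passed to `gr_acl_handle_mprotect` and only the first vma gets `pax_handle_maywrite`. If that is intentional it needs a comment saying so; otherwise both calls belong inside the loop where the per-vma `newflags` are computed. sys_mprotect's body continues outside the hunk.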
34149 +@@ -285,6 +461,12 @@ sys_mprotect(unsigned long start, size_t
34150 + goto out;
34151 + }
34152 +
34153 ++#ifdef CONFIG_PAX_MPROTECT
34154 ++ /* PaX: disallow write access after relocs are done, hopefully noone else needs it... */
34155 ++ if ((vma->vm_mm->pax_flags & MF_PAX_MPROTECT) && !(prot & PROT_WRITE) && (vma->vm_flags & VM_MAYNOTWRITE))
34156 ++ newflags &= ~VM_MAYWRITE;
34157 ++#endif
34158 ++
34159 + error = security_file_mprotect(vma, reqprot, prot);
34160 + if (error)
34161 + goto out;
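Review bot: The comment should say what VM_MAYNOTWRITE means rather than only hoping nobody needs it: `/* PaX: VM_MAYNOTWRITE is set once pax_handle_maywrite granted the one-time TEXTREL write; revoke VM_MAYWRITE on the first non-writable mprotect */`. It also has a typo, "noone" should be "no one".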
34162 +@@ -295,6 +477,9 @@ sys_mprotect(unsigned long start, size_t
34163 + error = mprotect_fixup(vma, &prev, nstart, tmp, newflags);
34164 + if (error)
34165 + goto out;
34166 ++
34167 ++ track_exec_limit(current->mm, nstart, tmp, vm_flags);
34168 ++
34169 + nstart = tmp;
34170 +
34171 + if (nstart < prev->vm_end)
34172 +diff -Nurp linux-2.6.23.15/mm/mremap.c linux-2.6.23.15-grsec/mm/mremap.c
34173 +--- linux-2.6.23.15/mm/mremap.c 2007-10-09 21:31:38.000000000 +0100
34174 ++++ linux-2.6.23.15-grsec/mm/mremap.c 2008-02-11 10:37:45.000000000 +0000
34175 +@@ -106,6 +106,12 @@ static void move_ptes(struct vm_area_str
34176 + continue;
34177 + pte = ptep_clear_flush(vma, old_addr, old_pte);
34178 + pte = move_pte(pte, new_vma->vm_page_prot, old_addr, new_addr);
34179 ++
34180 ++#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
34181 ++ if (!nx_enabled && (new_vma->vm_flags & (VM_PAGEEXEC | VM_EXEC)) == VM_PAGEEXEC)
34182 ++ pte = pte_exprotect(pte);
34183 ++#endif
34184 ++
34185 + set_pte_at(mm, new_addr, new_pte, pte);
34186 + }
34187 +
34188 +@@ -254,6 +260,7 @@ unsigned long do_mremap(unsigned long ad
34189 + struct vm_area_struct *vma;
34190 + unsigned long ret = -EINVAL;
34191 + unsigned long charged = 0;
34192 ++ unsigned long task_size = TASK_SIZE;
34193 +
34194 + if (flags & ~(MREMAP_FIXED | MREMAP_MAYMOVE))
34195 + goto out;
34196 +@@ -272,6 +279,15 @@ unsigned long do_mremap(unsigned long ad
34197 + if (!new_len)
34198 + goto out;
34199 +
34200 ++#ifdef CONFIG_PAX_SEGMEXEC
34201 ++ if (current->mm->pax_flags & MF_PAX_SEGMEXEC)
34202 ++ task_size = SEGMEXEC_TASK_SIZE;
34203 ++#endif
34204 ++
34205 ++ if (new_len > task_size || addr > task_size-new_len ||
34206 ++ old_len > task_size || addr > task_size-old_len)
34207 ++ goto out;
34208 ++
34209 + /* new_addr is only valid if MREMAP_FIXED is specified */
34210 + if (flags & MREMAP_FIXED) {
34211 + if (new_addr & ~PAGE_MASK)
34212 +@@ -279,16 +295,13 @@ unsigned long do_mremap(unsigned long ad
34213 + if (!(flags & MREMAP_MAYMOVE))
34214 + goto out;
34215 +
34216 +- if (new_len > TASK_SIZE || new_addr > TASK_SIZE - new_len)
34217 ++ if (new_addr > task_size - new_len)
34218 + goto out;
34219 +
34220 + /* Check if the location we're moving into overlaps the
34221 + * old location at all, and fail if it does.
34222 + */
34223 +- if ((new_addr <= addr) && (new_addr+new_len) > addr)
34224 +- goto out;
34225 +-
34226 +- if ((addr <= new_addr) && (addr+old_len) > new_addr)
34227 ++ if (addr + old_len > new_addr && new_addr + new_len > addr)
34228 + goto out;
34229 +
34230 + ret = security_file_mmap(0, 0, 0, 0, new_addr, 1);
34231 +@@ -326,6 +339,14 @@ unsigned long do_mremap(unsigned long ad
34232 + ret = -EINVAL;
34233 + goto out;
34234 + }
34235 ++
34236 ++#ifdef CONFIG_PAX_SEGMEXEC
34237 ++ if (pax_find_mirror_vma(vma)) {
34238 ++ ret = -EINVAL;
34239 ++ goto out;
34240 ++ }
34241 ++#endif
34242 ++
34243 + /* We can't remap across vm area boundaries */
34244 + if (old_len > vma->vm_end - addr)
34245 + goto out;
34246 +@@ -359,7 +380,7 @@ unsigned long do_mremap(unsigned long ad
34247 + if (old_len == vma->vm_end - addr &&
34248 + !((flags & MREMAP_FIXED) && (addr != new_addr)) &&
34249 + (old_len != new_len || !(flags & MREMAP_MAYMOVE))) {
34250 +- unsigned long max_addr = TASK_SIZE;
34251 ++ unsigned long max_addr = task_size;
34252 + if (vma->vm_next)
34253 + max_addr = vma->vm_next->vm_start;
34254 + /* can we just expand the current mapping? */
34255 +@@ -377,6 +398,7 @@ unsigned long do_mremap(unsigned long ad
34256 + addr + new_len);
34257 + }
34258 + ret = addr;
34259 ++ track_exec_limit(vma->vm_mm, vma->vm_start, addr + new_len, vma->vm_flags);
34260 + goto out;
34261 + }
34262 + }
34263 +@@ -387,8 +409,8 @@ unsigned long do_mremap(unsigned long ad
34264 + */
34265 + ret = -ENOMEM;
34266 + if (flags & MREMAP_MAYMOVE) {
34267 ++ unsigned long map_flags = 0;
34268 + if (!(flags & MREMAP_FIXED)) {
34269 +- unsigned long map_flags = 0;
34270 + if (vma->vm_flags & VM_MAYSHARE)
34271 + map_flags |= MAP_SHARED;
34272 +
34273 +@@ -403,7 +425,12 @@ unsigned long do_mremap(unsigned long ad
34274 + if (ret)
34275 + goto out;
34276 + }
34277 ++ map_flags = vma->vm_flags;
34278 + ret = move_vma(vma, addr, old_len, new_len, new_addr);
34279 ++ if (!(ret & ~PAGE_MASK)) {
34280 ++ track_exec_limit(current->mm, addr, addr + old_len, 0UL);
34281 ++ track_exec_limit(current->mm, new_addr, new_addr + new_len, map_flags);
34282 ++ }
34283 + }
34284 + out:
34285 + if (ret & ~PAGE_MASK)
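Review bot: `map_flags` was the MAP_* argument assembled for get_unmapped_area and is now reassigned to hold the vma's VM_* flags for track_exec_limit, so hoisting its declaration overloads one variable across two flag namespaces. A dedicated `unsigned long old_vm_flags = vma->vm_flags;` captured before `move_vma` (after which `vma` must not be dereferenced) and passed to `track_exec_limit` keeps the two meanings apart. do_mremap starts outside the hunk.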
34286 +diff -Nurp linux-2.6.23.15/mm/nommu.c linux-2.6.23.15-grsec/mm/nommu.c
34287 +--- linux-2.6.23.15/mm/nommu.c 2007-10-09 21:31:38.000000000 +0100
34288 ++++ linux-2.6.23.15-grsec/mm/nommu.c 2008-02-11 10:37:45.000000000 +0000
34289 +@@ -376,15 +376,6 @@ struct vm_area_struct *find_vma(struct m
34290 + }
34291 + EXPORT_SYMBOL(find_vma);
34292 +
34293 +-/*
34294 +- * find a VMA
34295 +- * - we don't extend stack VMAs under NOMMU conditions
34296 +- */
34297 +-struct vm_area_struct *find_extend_vma(struct mm_struct *mm, unsigned long addr)
34298 +-{
34299 +- return find_vma(mm, addr);
34300 +-}
34301 +-
34302 + int expand_stack(struct vm_area_struct *vma, unsigned long address)
34303 + {
34304 + return -ENOMEM;
34305 +diff -Nurp linux-2.6.23.15/mm/page_alloc.c linux-2.6.23.15-grsec/mm/page_alloc.c
34306 +--- linux-2.6.23.15/mm/page_alloc.c 2007-10-09 21:31:38.000000000 +0100
34307 ++++ linux-2.6.23.15-grsec/mm/page_alloc.c 2008-02-11 10:37:45.000000000 +0000
34308 +@@ -402,7 +402,7 @@ static inline int page_is_buddy(struct p
34309 + static inline void __free_one_page(struct page *page,
34310 + struct zone *zone, unsigned int order)
34311 + {
34312 +- unsigned long page_idx;
34313 ++ unsigned long page_idx, index;
34314 + int order_size = 1 << order;
34315 +
34316 + if (unlikely(PageCompound(page)))
34317 +@@ -413,6 +413,11 @@ static inline void __free_one_page(struc
34318 + VM_BUG_ON(page_idx & (order_size - 1));
34319 + VM_BUG_ON(bad_range(zone, page));
34320 +
34321 ++#ifdef CONFIG_PAX_MEMORY_SANITIZE
34322 ++ for (index = order_size; index; --index)
34323 ++ sanitize_highpage(page + index - 1);
34324 ++#endif
34325 ++
34326 + __mod_zone_page_state(zone, NR_FREE_PAGES, order_size);
34327 + while (order < MAX_ORDER-1) {
34328 + unsigned long combined_idx;
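Review bot: `index` is declared unconditionally in the previous hunk but only used inside this `#ifdef CONFIG_PAX_MEMORY_SANITIZE` block, so builds without the option get an unused-variable warning in __free_one_page; declaring it inside the block (`unsigned long index;` next to the loop) avoids that. __free_one_page starts and ends outside the hunk.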
34329 +diff -Nurp linux-2.6.23.15/mm/rmap.c linux-2.6.23.15-grsec/mm/rmap.c
34330 +--- linux-2.6.23.15/mm/rmap.c 2007-10-09 21:31:38.000000000 +0100
34331 ++++ linux-2.6.23.15-grsec/mm/rmap.c 2008-02-11 10:37:45.000000000 +0000
34332 +@@ -63,6 +63,10 @@ int anon_vma_prepare(struct vm_area_stru
34333 + struct mm_struct *mm = vma->vm_mm;
34334 + struct anon_vma *allocated, *locked;
34335 +
34336 ++#ifdef CONFIG_PAX_SEGMEXEC
34337 ++ struct vm_area_struct *vma_m;
34338 ++#endif
34339 ++
34340 + anon_vma = find_mergeable_anon_vma(vma);
34341 + if (anon_vma) {
34342 + allocated = NULL;
34343 +@@ -79,6 +83,15 @@ int anon_vma_prepare(struct vm_area_stru
34344 + /* page_table_lock to protect against threads */
34345 + spin_lock(&mm->page_table_lock);
34346 + if (likely(!vma->anon_vma)) {
34347 ++
34348 ++#ifdef CONFIG_PAX_SEGMEXEC
34349 ++ vma_m = pax_find_mirror_vma(vma);
34350 ++ if (vma_m) {
34351 ++ vma_m->anon_vma = anon_vma;
34352 ++ __anon_vma_link(vma_m);
34353 ++ }
34354 ++#endif
34355 ++
34356 + vma->anon_vma = anon_vma;
34357 + list_add_tail(&vma->anon_vma_node, &anon_vma->head);
34358 + allocated = NULL;
34359 +diff -Nurp linux-2.6.23.15/mm/shmem.c linux-2.6.23.15-grsec/mm/shmem.c
34360 +--- linux-2.6.23.15/mm/shmem.c 2008-02-11 10:36:03.000000000 +0000
34361 ++++ linux-2.6.23.15-grsec/mm/shmem.c 2008-02-11 10:37:45.000000000 +0000
34362 +@@ -2452,7 +2452,7 @@ static struct file_system_type tmpfs_fs_
34363 + .get_sb = shmem_get_sb,
34364 + .kill_sb = kill_litter_super,
34365 + };
34366 +-static struct vfsmount *shm_mnt;
34367 ++struct vfsmount *shm_mnt;
34368 +
34369 + static int __init init_tmpfs(void)
34370 + {
34371 +diff -Nurp linux-2.6.23.15/mm/slab.c linux-2.6.23.15-grsec/mm/slab.c
34372 +--- linux-2.6.23.15/mm/slab.c 2007-10-09 21:31:38.000000000 +0100
34373 ++++ linux-2.6.23.15-grsec/mm/slab.c 2008-02-11 10:37:45.000000000 +0000
34374 +@@ -306,7 +306,7 @@ struct kmem_list3 {
34375 + * Need this for bootstrapping a per node allocator.
34376 + */
34377 + #define NUM_INIT_LISTS (2 * MAX_NUMNODES + 1)
34378 +-struct kmem_list3 __initdata initkmem_list3[NUM_INIT_LISTS];
34379 ++struct kmem_list3 initkmem_list3[NUM_INIT_LISTS];
34380 + #define CACHE_CACHE 0
34381 + #define SIZE_AC 1
34382 + #define SIZE_L3 (1 + MAX_NUMNODES)
34383 +@@ -655,14 +655,14 @@ struct cache_names {
34384 + static struct cache_names __initdata cache_names[] = {
34385 + #define CACHE(x) { .name = "size-" #x, .name_dma = "size-" #x "(DMA)" },
34386 + #include <linux/kmalloc_sizes.h>
34387 +- {NULL,}
34388 ++ {NULL, NULL}
34389 + #undef CACHE
34390 + };
34391 +
34392 + static struct arraycache_init initarray_cache __initdata =
34393 +- { {0, BOOT_CPUCACHE_ENTRIES, 1, 0} };
34394 ++ { {0, BOOT_CPUCACHE_ENTRIES, 1, 0}, {NULL} };
34395 + static struct arraycache_init initarray_generic =
34396 +- { {0, BOOT_CPUCACHE_ENTRIES, 1, 0} };
34397 ++ { {0, BOOT_CPUCACHE_ENTRIES, 1, 0}, {NULL} };
34398 +
34399 + /* internal cache of cache description objs */
34400 + static struct kmem_cache cache_cache = {
34401 +@@ -2980,7 +2980,7 @@ retry:
34402 + * there must be at least one object available for
34403 + * allocation.
34404 + */
34405 +- BUG_ON(slabp->inuse < 0 || slabp->inuse >= cachep->num);
34406 ++ BUG_ON(slabp->inuse >= cachep->num);
34407 +
34408 + while (slabp->inuse < cachep->num && batchcount--) {
34409 + STATS_INC_ALLOCED(cachep);
34410 +diff -Nurp linux-2.6.23.15/mm/slub.c linux-2.6.23.15-grsec/mm/slub.c
34411 +--- linux-2.6.23.15/mm/slub.c 2008-02-11 10:36:03.000000000 +0000
34412 ++++ linux-2.6.23.15-grsec/mm/slub.c 2008-02-11 10:37:45.000000000 +0000
34413 +@@ -1530,7 +1530,7 @@ debug:
34414 + *
34415 + * Otherwise we can simply pick the next object from the lockless free list.
34416 + */
34417 +-static void __always_inline *slab_alloc(struct kmem_cache *s,
34418 ++static __always_inline void *slab_alloc(struct kmem_cache *s,
34419 + gfp_t gfpflags, int node, void *addr)
34420 + {
34421 + struct page *page;
34422 +@@ -1639,7 +1639,7 @@ debug:
34423 + * If fastpath is not possible then fall back to __slab_free where we deal
34424 + * with all sorts of special processing.
34425 + */
34426 +-static void __always_inline slab_free(struct kmem_cache *s,
34427 ++static __always_inline void slab_free(struct kmem_cache *s,
34428 + struct page *page, void *x, void *addr)
34429 + {
34430 + void **object = (void *)x;
34431 +diff -Nurp linux-2.6.23.15/mm/swap.c linux-2.6.23.15-grsec/mm/swap.c
34432 +--- linux-2.6.23.15/mm/swap.c 2007-10-09 21:31:38.000000000 +0100
34433 ++++ linux-2.6.23.15-grsec/mm/swap.c 2008-02-11 10:37:45.000000000 +0000
34434 +@@ -174,8 +174,8 @@ EXPORT_SYMBOL(mark_page_accessed);
34435 + * lru_cache_add: add a page to the page lists
34436 + * @page: the page to add
34437 + */
34438 +-static DEFINE_PER_CPU(struct pagevec, lru_add_pvecs) = { 0, };
34439 +-static DEFINE_PER_CPU(struct pagevec, lru_add_active_pvecs) = { 0, };
34440 ++static DEFINE_PER_CPU(struct pagevec, lru_add_pvecs) = { 0, 0, {NULL} };
34441 ++static DEFINE_PER_CPU(struct pagevec, lru_add_active_pvecs) = { 0, 0, {NULL} };
34442 +
34443 + void fastcall lru_cache_add(struct page *page)
34444 + {
34445 +diff -Nurp linux-2.6.23.15/mm/tiny-shmem.c linux-2.6.23.15-grsec/mm/tiny-shmem.c
34446 +--- linux-2.6.23.15/mm/tiny-shmem.c 2007-10-09 21:31:38.000000000 +0100
34447 ++++ linux-2.6.23.15-grsec/mm/tiny-shmem.c 2008-02-11 10:37:45.000000000 +0000
34448 +@@ -26,7 +26,7 @@ static struct file_system_type tmpfs_fs_
34449 + .kill_sb = kill_litter_super,
34450 + };
34451 +
34452 +-static struct vfsmount *shm_mnt;
34453 ++struct vfsmount *shm_mnt;
34454 +
34455 + static int __init init_tmpfs(void)
34456 + {
34457 +diff -Nurp linux-2.6.23.15/mm/vmalloc.c linux-2.6.23.15-grsec/mm/vmalloc.c
34458 +--- linux-2.6.23.15/mm/vmalloc.c 2007-10-09 21:31:38.000000000 +0100
34459 ++++ linux-2.6.23.15-grsec/mm/vmalloc.c 2008-02-11 10:37:45.000000000 +0000
34460 +@@ -201,6 +201,8 @@ static struct vm_struct *__get_vm_area_n
34461 +
34462 + write_lock(&vmlist_lock);
34463 + for (p = &vmlist; (tmp = *p) != NULL ;p = &tmp->next) {
34464 ++ if (addr > end - size)
34465 ++ goto out;
34466 + if ((unsigned long)tmp->addr < addr) {
34467 + if((unsigned long)tmp->addr + tmp->size >= addr)
34468 + addr = ALIGN(tmp->size +
34469 +@@ -212,8 +214,6 @@ static struct vm_struct *__get_vm_area_n
34470 + if (size + addr <= (unsigned long)tmp->addr)
34471 + goto found;
34472 + addr = ALIGN(tmp->size + (unsigned long)tmp->addr, align);
34473 +- if (addr > end - size)
34474 +- goto out;
34475 + }
34476 +
34477 + found:
34478 +diff -Nurp linux-2.6.23.15/net/core/flow.c linux-2.6.23.15-grsec/net/core/flow.c
34479 +--- linux-2.6.23.15/net/core/flow.c 2007-10-09 21:31:38.000000000 +0100
34480 ++++ linux-2.6.23.15-grsec/net/core/flow.c 2008-02-11 10:37:45.000000000 +0000
34481 +@@ -40,7 +40,7 @@ atomic_t flow_cache_genid = ATOMIC_INIT(
34482 +
34483 + static u32 flow_hash_shift;
34484 + #define flow_hash_size (1 << flow_hash_shift)
34485 +-static DEFINE_PER_CPU(struct flow_cache_entry **, flow_tables) = { NULL };
34486 ++static DEFINE_PER_CPU(struct flow_cache_entry **, flow_tables);
34487 +
34488 + #define flow_table(cpu) (per_cpu(flow_tables, cpu))
34489 +
34490 +@@ -53,7 +53,7 @@ struct flow_percpu_info {
34491 + u32 hash_rnd;
34492 + int count;
34493 + } ____cacheline_aligned;
34494 +-static DEFINE_PER_CPU(struct flow_percpu_info, flow_hash_info) = { 0 };
34495 ++static DEFINE_PER_CPU(struct flow_percpu_info, flow_hash_info);
34496 +
34497 + #define flow_hash_rnd_recalc(cpu) \
34498 + (per_cpu(flow_hash_info, cpu).hash_rnd_recalc)
34499 +@@ -70,7 +70,7 @@ struct flow_flush_info {
34500 + atomic_t cpuleft;
34501 + struct completion completion;
34502 + };
34503 +-static DEFINE_PER_CPU(struct tasklet_struct, flow_flush_tasklets) = { NULL };
34504 ++static DEFINE_PER_CPU(struct tasklet_struct, flow_flush_tasklets);
34505 +
34506 + #define flow_flush_tasklet(cpu) (&per_cpu(flow_flush_tasklets, cpu))
34507 +
34508 +diff -Nurp linux-2.6.23.15/net/dccp/ccids/ccid3.c linux-2.6.23.15-grsec/net/dccp/ccids/ccid3.c
34509 +--- linux-2.6.23.15/net/dccp/ccids/ccid3.c 2007-10-09 21:31:38.000000000 +0100
34510 ++++ linux-2.6.23.15-grsec/net/dccp/ccids/ccid3.c 2008-02-11 10:37:45.000000000 +0000
34511 +@@ -44,7 +44,7 @@
34512 + static int ccid3_debug;
34513 + #define ccid3_pr_debug(format, a...) DCCP_PR_DEBUG(ccid3_debug, format, ##a)
34514 + #else
34515 +-#define ccid3_pr_debug(format, a...)
34516 ++#define ccid3_pr_debug(format, a...) do {} while (0)
34517 + #endif
34518 +
34519 + static struct dccp_tx_hist *ccid3_tx_hist;
34520 +diff -Nurp linux-2.6.23.15/net/dccp/dccp.h linux-2.6.23.15-grsec/net/dccp/dccp.h
34521 +--- linux-2.6.23.15/net/dccp/dccp.h 2007-10-09 21:31:38.000000000 +0100
34522 ++++ linux-2.6.23.15-grsec/net/dccp/dccp.h 2008-02-11 10:37:45.000000000 +0000
34523 +@@ -42,8 +42,8 @@ extern int dccp_debug;
34524 + #define dccp_pr_debug(format, a...) DCCP_PR_DEBUG(dccp_debug, format, ##a)
34525 + #define dccp_pr_debug_cat(format, a...) DCCP_PRINTK(dccp_debug, format, ##a)
34526 + #else
34527 +-#define dccp_pr_debug(format, a...)
34528 +-#define dccp_pr_debug_cat(format, a...)
34529 ++#define dccp_pr_debug(format, a...) do {} while (0)
34530 ++#define dccp_pr_debug_cat(format, a...) do {} while (0)
34531 + #endif
34532 +
34533 + extern struct inet_hashinfo dccp_hashinfo;
34534 +diff -Nurp linux-2.6.23.15/net/ipv4/inet_connection_sock.c linux-2.6.23.15-grsec/net/ipv4/inet_connection_sock.c
34535 +--- linux-2.6.23.15/net/ipv4/inet_connection_sock.c 2007-10-09 21:31:38.000000000 +0100
34536 ++++ linux-2.6.23.15-grsec/net/ipv4/inet_connection_sock.c 2008-02-11 10:37:45.000000000 +0000
34537 +@@ -15,6 +15,7 @@
34538 +
34539 + #include <linux/module.h>
34540 + #include <linux/jhash.h>
34541 ++#include <linux/grsecurity.h>
34542 +
34543 + #include <net/inet_connection_sock.h>
34544 + #include <net/inet_hashtables.h>
34545 +diff -Nurp linux-2.6.23.15/net/ipv4/inet_hashtables.c linux-2.6.23.15-grsec/net/ipv4/inet_hashtables.c
34546 +--- linux-2.6.23.15/net/ipv4/inet_hashtables.c 2007-10-09 21:31:38.000000000 +0100
34547 ++++ linux-2.6.23.15-grsec/net/ipv4/inet_hashtables.c 2008-02-11 10:37:45.000000000 +0000
34548 +@@ -18,11 +18,14 @@
34549 + #include <linux/sched.h>
34550 + #include <linux/slab.h>
34551 + #include <linux/wait.h>
34552 ++#include <linux/grsecurity.h>
34553 +
34554 + #include <net/inet_connection_sock.h>
34555 + #include <net/inet_hashtables.h>
34556 + #include <net/ip.h>
34557 +
34558 ++extern void gr_update_task_in_ip_table(struct task_struct *task, const struct inet_sock *inet);
34559 ++
34560 + /*
34561 + * Allocate and initialize a new local port bind bucket.
34562 + * The bindhash mutex for snum's hash chain must be held here.
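Review bot: The prototype `extern void gr_update_task_in_ip_table(struct task_struct *task, const struct inet_sock *inet);` is added as a local extern right after `#include <linux/grsecurity.h>`; it belongs in that header so every caller and the definition share one compiler-checked declaration instead of a copy that can drift.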
34563 +@@ -338,6 +341,8 @@ ok:
34564 + }
34565 + spin_unlock(&head->lock);
34566 +
34567 ++ gr_update_task_in_ip_table(current, inet_sk(sk));
34568 ++
34569 + if (tw) {
34570 + inet_twsk_deschedule(tw, death_row);
34571 + inet_twsk_put(tw);
34572 +diff -Nurp linux-2.6.23.15/net/ipv4/netfilter/Kconfig linux-2.6.23.15-grsec/net/ipv4/netfilter/Kconfig
34573 +--- linux-2.6.23.15/net/ipv4/netfilter/Kconfig 2007-10-09 21:31:38.000000000 +0100
34574 ++++ linux-2.6.23.15-grsec/net/ipv4/netfilter/Kconfig 2008-02-11 10:37:45.000000000 +0000
34575 +@@ -130,6 +130,21 @@ config IP_NF_MATCH_ADDRTYPE
34576 + If you want to compile it as a module, say M here and read
34577 + <file:Documentation/modules.txt>. If unsure, say `N'.
34578 +
34579 ++config IP_NF_MATCH_STEALTH
34580 ++ tristate "stealth match support"
34581 ++ depends on IP_NF_IPTABLES
34582 ++ help
34583 ++ Enabling this option will drop all syn packets coming to unserved tcp
34584 ++ ports as well as all packets coming to unserved udp ports. If you
34585 ++ are using your system to route any type of packets (ie. via NAT)
34586 ++ you should put this module at the end of your ruleset, since it will
34587 ++ drop packets that aren't going to ports that are listening on your
34588 ++ machine itself, it doesn't take into account that the packet might be
34589 ++ destined for someone on your internal network if you're using NAT for
34590 ++ instance.
34591 ++
34592 ++ To compile it as a module, choose M here. If unsure, say N.
34593 ++
34594 + # `filter', generic and specific targets
34595 + config IP_NF_FILTER
34596 + tristate "Packet filtering"
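Review bot: The help text says enabling the option "will drop all syn packets coming to unserved tcp ports", but ipt_stealth.c is a match module: its match() returns 1 when no local socket is bound to the destination port and 0 otherwise, and whether anything is dropped depends on the target of the rule that uses `-m stealth`. Reword the opening so it describes a match, e.g. `This match succeeds for TCP SYN packets and UDP packets addressed to local ports with no listening socket; pair it with a DROP target to silently discard such probes.` The paragraph about NAT-routed traffic is accurate for a match and should stay.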
34597 +@@ -403,4 +418,3 @@ config IP_NF_ARP_MANGLE
34598 + hardware and network addresses.
34599 +
34600 + endmenu
34601 +-
34602 +diff -Nurp linux-2.6.23.15/net/ipv4/netfilter/Makefile linux-2.6.23.15-grsec/net/ipv4/netfilter/Makefile
34603 +--- linux-2.6.23.15/net/ipv4/netfilter/Makefile 2007-10-09 21:31:38.000000000 +0100
34604 ++++ linux-2.6.23.15-grsec/net/ipv4/netfilter/Makefile 2008-02-11 10:37:45.000000000 +0000
34605 +@@ -49,6 +49,7 @@ obj-$(CONFIG_IP_NF_MATCH_ECN) += ipt_ecn
34606 + obj-$(CONFIG_IP_NF_MATCH_AH) += ipt_ah.o
34607 + obj-$(CONFIG_IP_NF_MATCH_TTL) += ipt_ttl.o
34608 + obj-$(CONFIG_IP_NF_MATCH_ADDRTYPE) += ipt_addrtype.o
34609 ++obj-$(CONFIG_IP_NF_MATCH_STEALTH) += ipt_stealth.o
34610 +
34611 + # targets
34612 + obj-$(CONFIG_IP_NF_TARGET_REJECT) += ipt_REJECT.o
34613 +diff -Nurp linux-2.6.23.15/net/ipv4/netfilter/ipt_stealth.c linux-2.6.23.15-grsec/net/ipv4/netfilter/ipt_stealth.c
34614 +--- linux-2.6.23.15/net/ipv4/netfilter/ipt_stealth.c 1970-01-01 01:00:00.000000000 +0100
34615 ++++ linux-2.6.23.15-grsec/net/ipv4/netfilter/ipt_stealth.c 2008-02-11 10:37:45.000000000 +0000
34616 +@@ -0,0 +1,114 @@
34617 ++/* Kernel module to add stealth support.
34618 ++ *
34619 ++ * Copyright (C) 2002-2006 Brad Spengler <spender@××××××××××.net>
34620 ++ *
34621 ++ */
34622 ++
34623 ++#include <linux/kernel.h>
34624 ++#include <linux/module.h>
34625 ++#include <linux/skbuff.h>
34626 ++#include <linux/net.h>
34627 ++#include <linux/sched.h>
34628 ++#include <linux/inet.h>
34629 ++#include <linux/stddef.h>
34630 ++
34631 ++#include <net/ip.h>
34632 ++#include <net/sock.h>
34633 ++#include <net/tcp.h>
34634 ++#include <net/udp.h>
34635 ++#include <net/route.h>
34636 ++#include <net/inet_common.h>
34637 ++
34638 ++#include <linux/netfilter_ipv4/ip_tables.h>
34639 ++
34640 ++MODULE_LICENSE("GPL");
34641 ++
34642 ++extern struct sock *udp_v4_lookup(u32 saddr, u16 sport, u32 daddr, u16 dport, int dif);
34643 ++
34644 ++static int
34645 ++match(const struct sk_buff *skb,
34646 ++ const struct net_device *in,
34647 ++ const struct net_device *out,
34648 ++ const struct xt_match *match,
34649 ++ const void *matchinfo,
34650 ++ int offset,
34651 ++ unsigned int protoff,
34652 ++ int *hotdrop)
34653 ++{
34654 ++ struct iphdr *ip = ip_hdr(skb);
34655 ++ struct tcphdr th;
34656 ++ struct udphdr uh;
34657 ++ struct sock *sk = NULL;
34658 ++
34659 ++ if (!ip || offset) return 0;
34660 ++
34661 ++ switch(ip->protocol) {
34662 ++ case IPPROTO_TCP:
34663 ++ if (skb_copy_bits(skb, (ip_hdr(skb))->ihl*4, &th, sizeof(th)) < 0) {
34664 ++ *hotdrop = 1;
34665 ++ return 0;
34666 ++ }
34667 ++ if (!(th.syn && !th.ack)) return 0;
34668 ++ sk = inet_lookup_listener(&tcp_hashinfo, ip->daddr, th.dest, inet_iif(skb));
34669 ++ break;
34670 ++ case IPPROTO_UDP:
34671 ++ if (skb_copy_bits(skb, (ip_hdr(skb))->ihl*4, &uh, sizeof(uh)) < 0) {
34672 ++ *hotdrop = 1;
34673 ++ return 0;
34674 ++ }
34675 ++ sk = udp_v4_lookup(ip->saddr, uh.source, ip->daddr, uh.dest, skb->dev->ifindex);
34676 ++ break;
34677 ++ default:
34678 ++ return 0;
34679 ++ }
34680 ++
34681 ++ if(!sk) // port is being listened on, match this
34682 ++ return 1;
34683 ++ else {
34684 ++ sock_put(sk);
34685 ++ return 0;
34686 ++ }
34687 ++}
34688 ++
34689 ++/* Called when user tries to insert an entry of this type. */
34690 ++static int
34691 ++checkentry(const char *tablename,
34692 ++ const void *nip,
34693 ++ const struct xt_match *match,
34694 ++ void *matchinfo,
34695 ++ unsigned int hook_mask)
34696 ++{
34697 ++ const struct ipt_ip *ip = (const struct ipt_ip *)nip;
34698 ++
34699 ++ if(((ip->proto == IPPROTO_TCP && !(ip->invflags & IPT_INV_PROTO)) ||
34700 ++ ((ip->proto == IPPROTO_UDP) && !(ip->invflags & IPT_INV_PROTO)))
34701 ++ && (hook_mask & (1 << NF_IP_LOCAL_IN)))
34702 ++ return 1;
34703 ++
34704 ++ printk("stealth: Only works on TCP and UDP for the INPUT chain.\n");
34705 ++
34706 ++ return 0;
34707 ++}
34708 ++
34709 ++
34710 ++static struct xt_match stealth_match = {
34711 ++ .name = "stealth",
34712 ++ .family = AF_INET,
34713 ++ .match = match,
34714 ++ .checkentry = checkentry,
34715 ++ .destroy = NULL,
34716 ++ .me = THIS_MODULE
34717 ++};
34718 ++
34719 ++static int __init init(void)
34720 ++{
34721 ++ return xt_register_match(&stealth_match);
34722 ++}
34723 ++
34724 ++static void __exit fini(void)
34725 ++{
34726 ++ xt_unregister_match(&stealth_match);
34727 ++}
34728 ++
34729 ++module_init(init);
34730 ++module_exit(fini);
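Review bot: The `udp_v4_lookup` prototype at the top of this file declares `u32`/`u16` parameters, while the definition added to udp.c in this same patch takes `__be32`/`__be16`, so the declaration and definition disagree and sparse's endianness checking is defeated; declare it once as `extern struct sock *udp_v4_lookup(__be32 saddr, __be16 sport, __be32 daddr, __be16 dport, int dif);` in a header both files include. The comment on the `if(!sk)` test in match() says the opposite of what the code does: a NULL lookup result means no local socket owns the port, which is exactly when the match fires, so it should read `// no local socket bound to this port: match`. The `printk` in checkentry() carries no log level; write `printk(KERN_INFO "stealth: Only works on TCP and UDP for the INPUT chain.\n");`. The TCP branch resolves the interface with `inet_iif(skb)` but the UDP branch uses `skb->dev->ifindex`; using `inet_iif(skb)` in both keeps the two lookups consistent.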
34731 +diff -Nurp linux-2.6.23.15/net/ipv4/tcp.c linux-2.6.23.15-grsec/net/ipv4/tcp.c
34732 +--- linux-2.6.23.15/net/ipv4/tcp.c 2007-10-09 21:31:38.000000000 +0100
34733 ++++ linux-2.6.23.15-grsec/net/ipv4/tcp.c 2008-02-11 10:37:45.000000000 +0000
34734 +@@ -1053,7 +1053,8 @@ int tcp_read_sock(struct sock *sk, read_
34735 + return -ENOTCONN;
34736 + while ((skb = tcp_recv_skb(sk, seq, &offset)) != NULL) {
34737 + if (offset < skb->len) {
34738 +- size_t used, len;
34739 ++ int used;
34740 ++ size_t len;
34741 +
34742 + len = skb->len - offset;
34743 + /* Stop reading if we hit a patch of urgent data */
34744 +diff -Nurp linux-2.6.23.15/net/ipv4/tcp_ipv4.c linux-2.6.23.15-grsec/net/ipv4/tcp_ipv4.c
34745 +--- linux-2.6.23.15/net/ipv4/tcp_ipv4.c 2007-10-09 21:31:38.000000000 +0100
34746 ++++ linux-2.6.23.15-grsec/net/ipv4/tcp_ipv4.c 2008-02-11 10:37:45.000000000 +0000
34747 +@@ -61,6 +61,7 @@
34748 + #include <linux/jhash.h>
34749 + #include <linux/init.h>
34750 + #include <linux/times.h>
34751 ++#include <linux/grsecurity.h>
34752 +
34753 + #include <net/icmp.h>
34754 + #include <net/inet_hashtables.h>
34755 +diff -Nurp linux-2.6.23.15/net/ipv4/udp.c linux-2.6.23.15-grsec/net/ipv4/udp.c
34756 +--- linux-2.6.23.15/net/ipv4/udp.c 2007-10-09 21:31:38.000000000 +0100
34757 ++++ linux-2.6.23.15-grsec/net/ipv4/udp.c 2008-02-11 10:37:45.000000000 +0000
34758 +@@ -98,12 +98,19 @@
34759 + #include <linux/skbuff.h>
34760 + #include <linux/proc_fs.h>
34761 + #include <linux/seq_file.h>
34762 ++#include <linux/grsecurity.h>
34763 + #include <net/icmp.h>
34764 + #include <net/route.h>
34765 + #include <net/checksum.h>
34766 + #include <net/xfrm.h>
34767 + #include "udp_impl.h"
34768 +
34769 ++extern int gr_search_udp_recvmsg(const struct sock *sk,
34770 ++ const struct sk_buff *skb);
34771 ++extern int gr_search_udp_sendmsg(const struct sock *sk,
34772 ++ const struct sockaddr_in *addr);
34773 ++
34774 ++
34775 + /*
34776 + * Snmp MIB for the UDP layer
34777 + */
34778 +@@ -287,6 +294,13 @@ static struct sock *__udp4_lib_lookup(__
34779 + return result;
34780 + }
34781 +
34782 ++struct sock *udp_v4_lookup(__be32 saddr, __be16 sport,
34783 ++ __be32 daddr, __be16 dport, int dif)
34784 ++{
34785 ++ return __udp4_lib_lookup(saddr, sport, daddr, dport, dif, udp_hash);
34786 ++}
34787 ++
34788 ++
34789 + static inline struct sock *udp_v4_mcast_next(struct sock *sk,
34790 + __be16 loc_port, __be32 loc_addr,
34791 + __be16 rmt_port, __be32 rmt_addr,
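Review bot: `udp_v4_lookup` is introduced as a non-static function with neither an `EXPORT_SYMBOL` nor a header declaration, yet its only visible caller is ipt_stealth.c, and IP_NF_MATCH_STEALTH is `tristate` in the netfilter Kconfig hunk; built as a module, ipt_stealth would fail to load with an unresolved symbol unless the export appears elsewhere in the patch. Add `EXPORT_SYMBOL_GPL(udp_v4_lookup);` after the definition and a prototype in `<net/udp.h>`, which ipt_stealth.c already includes. The socket.c hunk that turns `sock_mnt` from `static` into a plain global has the same shape — a symbol made visible without a declaration or export — and presumably needs the same treatment if its consumer can be modular.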
34792 +@@ -572,9 +586,16 @@ int udp_sendmsg(struct kiocb *iocb, stru
34793 + dport = usin->sin_port;
34794 + if (dport == 0)
34795 + return -EINVAL;
34796 ++
34797 ++ if (!gr_search_udp_sendmsg(sk, usin))
34798 ++ return -EPERM;
34799 + } else {
34800 + if (sk->sk_state != TCP_ESTABLISHED)
34801 + return -EDESTADDRREQ;
34802 ++
34803 ++ if (!gr_search_udp_sendmsg(sk, NULL))
34804 ++ return -EPERM;
34805 ++
34806 + daddr = inet->daddr;
34807 + dport = inet->dport;
34808 + /* Open fast path for connected socket.
34809 +@@ -834,6 +855,11 @@ try_again:
34810 + if (!skb)
34811 + goto out;
34812 +
34813 ++ if (!gr_search_udp_recvmsg(sk, skb)) {
34814 ++ err = -EPERM;
34815 ++ goto out_free;
34816 ++ }
34817 ++
34818 + ulen = skb->len - sizeof(struct udphdr);
34819 + copied = len;
34820 + if (copied > ulen)
34821 +diff -Nurp linux-2.6.23.15/net/ipv6/exthdrs.c linux-2.6.23.15-grsec/net/ipv6/exthdrs.c
34822 +--- linux-2.6.23.15/net/ipv6/exthdrs.c 2007-10-09 21:31:38.000000000 +0100
34823 ++++ linux-2.6.23.15-grsec/net/ipv6/exthdrs.c 2008-02-11 10:37:45.000000000 +0000
34824 +@@ -645,7 +645,7 @@ static struct tlvtype_proc tlvprochopopt
34825 + .type = IPV6_TLV_JUMBO,
34826 + .func = ipv6_hop_jumbo,
34827 + },
34828 +- { -1, }
34829 ++ { -1, NULL }
34830 + };
34831 +
34832 + int ipv6_parse_hopopts(struct sk_buff **skbp)
34833 +diff -Nurp linux-2.6.23.15/net/ipv6/raw.c linux-2.6.23.15-grsec/net/ipv6/raw.c
34834 +--- linux-2.6.23.15/net/ipv6/raw.c 2007-10-09 21:31:38.000000000 +0100
34835 ++++ linux-2.6.23.15-grsec/net/ipv6/raw.c 2008-02-11 10:37:45.000000000 +0000
34836 +@@ -577,7 +577,7 @@ out:
34837 + return err;
34838 + }
34839 +
34840 +-static int rawv6_send_hdrinc(struct sock *sk, void *from, int length,
34841 ++static int rawv6_send_hdrinc(struct sock *sk, void *from, unsigned int length,
34842 + struct flowi *fl, struct rt6_info *rt,
34843 + unsigned int flags)
34844 + {
34845 +diff -Nurp linux-2.6.23.15/net/irda/ircomm/ircomm_tty.c linux-2.6.23.15-grsec/net/irda/ircomm/ircomm_tty.c
34846 +--- linux-2.6.23.15/net/irda/ircomm/ircomm_tty.c 2007-10-09 21:31:38.000000000 +0100
34847 ++++ linux-2.6.23.15-grsec/net/irda/ircomm/ircomm_tty.c 2008-02-11 10:37:45.000000000 +0000
34848 +@@ -371,7 +371,7 @@ static int ircomm_tty_open(struct tty_st
34849 + IRDA_DEBUG(2, "%s()\n", __FUNCTION__ );
34850 +
34851 + line = tty->index;
34852 +- if ((line < 0) || (line >= IRCOMM_TTY_PORTS)) {
34853 ++ if (line >= IRCOMM_TTY_PORTS) {
34854 + return -ENODEV;
34855 + }
34856 +
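Review bot: Dropping the `line < 0` half of the bounds check is only correct if `line` is an unsigned type, and its declaration lies outside the hunk; `tty->index` is a signed int in this kernel generation, so if `line` is signed too, a negative index now passes the remaining test and indexes the port table out of range. If `line` is unsigned the removal merely silences a "comparison is always false" warning, and that deserves a comment so the next reader does not put the test back or wonder why it is gone: `/* line is unsigned, so a negative tty->index wraps and is caught by the upper bound */`. ircomm_tty_open continues outside the hunk.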
34857 +diff -Nurp linux-2.6.23.15/net/mac80211/ieee80211.c linux-2.6.23.15-grsec/net/mac80211/ieee80211.c
34858 +--- linux-2.6.23.15/net/mac80211/ieee80211.c 2008-02-11 10:36:03.000000000 +0000
34859 ++++ linux-2.6.23.15-grsec/net/mac80211/ieee80211.c 2008-02-11 10:37:45.000000000 +0000
34860 +@@ -1260,7 +1260,7 @@ __ieee80211_parse_tx_radiotap(
34861 + }
34862 +
34863 +
34864 +-static ieee80211_txrx_result inline
34865 ++static inline ieee80211_txrx_result
34866 + __ieee80211_tx_prepare(struct ieee80211_txrx_data *tx,
34867 + struct sk_buff *skb,
34868 + struct net_device *dev,
34869 +@@ -1332,7 +1332,7 @@ __ieee80211_tx_prepare(struct ieee80211_
34870 + return res;
34871 + }
34872 +
34873 +-static int inline is_ieee80211_device(struct net_device *dev,
34874 ++static inline int is_ieee80211_device(struct net_device *dev,
34875 + struct net_device *master)
34876 + {
34877 + return (wdev_priv(dev->ieee80211_ptr) ==
34878 +@@ -1341,7 +1341,7 @@ static int inline is_ieee80211_device(st
34879 +
34880 + /* Device in tx->dev has a reference added; use dev_put(tx->dev) when
34881 + * finished with it. */
34882 +-static int inline ieee80211_tx_prepare(struct ieee80211_txrx_data *tx,
34883 ++static inline int ieee80211_tx_prepare(struct ieee80211_txrx_data *tx,
34884 + struct sk_buff *skb,
34885 + struct net_device *mdev,
34886 + struct ieee80211_tx_control *control)
34887 +diff -Nurp linux-2.6.23.15/net/mac80211/regdomain.c linux-2.6.23.15-grsec/net/mac80211/regdomain.c
34888 +--- linux-2.6.23.15/net/mac80211/regdomain.c 2007-10-09 21:31:38.000000000 +0100
34889 ++++ linux-2.6.23.15-grsec/net/mac80211/regdomain.c 2008-02-11 10:37:45.000000000 +0000
34890 +@@ -61,14 +61,14 @@ static const struct ieee80211_channel_ra
34891 + { 5180, 5240, 17, 6 } /* IEEE 802.11a, channels 36..48 */,
34892 + { 5260, 5320, 23, 6 } /* IEEE 802.11a, channels 52..64 */,
34893 + { 5745, 5825, 30, 6 } /* IEEE 802.11a, channels 149..165, outdoor */,
34894 +- { 0 }
34895 ++ { 0, 0, 0, 0 }
34896 + };
34897 +
34898 + static const struct ieee80211_channel_range ieee80211_mkk_channels[] = {
34899 + { 2412, 2472, 20, 6 } /* IEEE 802.11b/g, channels 1..13 */,
34900 + { 5170, 5240, 20, 6 } /* IEEE 802.11a, channels 34..48 */,
34901 + { 5260, 5320, 20, 6 } /* IEEE 802.11a, channels 52..64 */,
34902 +- { 0 }
34903 ++ { 0, 0, 0, 0 }
34904 + };
34905 +
34906 +
34907 +diff -Nurp linux-2.6.23.15/net/sctp/socket.c linux-2.6.23.15-grsec/net/sctp/socket.c
34908 +--- linux-2.6.23.15/net/sctp/socket.c 2007-10-09 21:31:38.000000000 +0100
34909 ++++ linux-2.6.23.15-grsec/net/sctp/socket.c 2008-02-11 10:37:45.000000000 +0000
34910 +@@ -1370,7 +1370,7 @@ SCTP_STATIC int sctp_sendmsg(struct kioc
34911 + struct sctp_sndrcvinfo *sinfo;
34912 + struct sctp_initmsg *sinit;
34913 + sctp_assoc_t associd = 0;
34914 +- sctp_cmsgs_t cmsgs = { NULL };
34915 ++ sctp_cmsgs_t cmsgs = { NULL, NULL };
34916 + int err;
34917 + sctp_scope_t scope;
34918 + long timeo;
34919 +diff -Nurp linux-2.6.23.15/net/socket.c linux-2.6.23.15-grsec/net/socket.c
34920 +--- linux-2.6.23.15/net/socket.c 2008-02-11 10:36:03.000000000 +0000
34921 ++++ linux-2.6.23.15-grsec/net/socket.c 2008-02-11 10:37:45.000000000 +0000
34922 +@@ -84,6 +84,7 @@
34923 + #include <linux/kmod.h>
34924 + #include <linux/audit.h>
34925 + #include <linux/wireless.h>
34926 ++#include <linux/in.h>
34927 +
34928 + #include <asm/uaccess.h>
34929 + #include <asm/unistd.h>
34930 +@@ -93,6 +94,21 @@
34931 + #include <net/sock.h>
34932 + #include <linux/netfilter.h>
34933 +
34934 ++extern void gr_attach_curr_ip(const struct sock *sk);
34935 ++extern int gr_handle_sock_all(const int family, const int type,
34936 ++ const int protocol);
34937 ++extern int gr_handle_sock_server(const struct sockaddr *sck);
34938 ++extern int gr_handle_sock_server_other(const struct socket *sck);
34939 ++extern int gr_handle_sock_client(const struct sockaddr *sck);
34940 ++extern int gr_search_connect(const struct socket * sock,
34941 ++ const struct sockaddr_in * addr);
34942 ++extern int gr_search_bind(const struct socket * sock,
34943 ++ const struct sockaddr_in * addr);
34944 ++extern int gr_search_listen(const struct socket * sock);
34945 ++extern int gr_search_accept(const struct socket * sock);
34946 ++extern int gr_search_socket(const int domain, const int type,
34947 ++ const int protocol);
34948 ++
34949 + static int sock_no_open(struct inode *irrelevant, struct file *dontcare);
34950 + static ssize_t sock_aio_read(struct kiocb *iocb, const struct iovec *iov,
34951 + unsigned long nr_segs, loff_t pos);
34952 +@@ -292,7 +308,7 @@ static int sockfs_get_sb(struct file_sys
34953 + mnt);
34954 + }
34955 +
34956 +-static struct vfsmount *sock_mnt __read_mostly;
34957 ++struct vfsmount *sock_mnt __read_mostly;
34958 +
34959 + static struct file_system_type sock_fs_type = {
34960 + .name = "sockfs",
34961 +@@ -1199,6 +1215,16 @@ asmlinkage long sys_socket(int family, i
34962 + int retval;
34963 + struct socket *sock;
34964 +
34965 ++ if(!gr_search_socket(family, type, protocol)) {
34966 ++ retval = -EACCES;
34967 ++ goto out;
34968 ++ }
34969 ++
34970 ++ if (gr_handle_sock_all(family, type, protocol)) {
34971 ++ retval = -EACCES;
34972 ++ goto out;
34973 ++ }
34974 ++
34975 + retval = sock_create(family, type, protocol, &sock);
34976 + if (retval < 0)
34977 + goto out;
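Review bot: `if(!gr_search_socket(...))` omits the space after `if` that the surrounding file uses (`if (retval < 0)` two lines below), and the two consecutive guards set the same `retval` and jump to the same label, so they read better as one condition: `if (!gr_search_socket(family, type, protocol) || gr_handle_sock_all(family, type, protocol)) { retval = -EACCES; goto out; }`. That is also how the sys_bind and sys_connect hunks in this file combine their pair of checks, so the four call sites would then look alike. sys_socket continues outside the hunk.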
34978 +@@ -1329,6 +1355,12 @@ asmlinkage long sys_bind(int fd, struct
34979 + if (sock) {
34980 + err = move_addr_to_kernel(umyaddr, addrlen, address);
34981 + if (err >= 0) {
34982 ++ if (!gr_search_bind(sock, (struct sockaddr_in *)address) ||
34983 ++ gr_handle_sock_server((struct sockaddr *)address)) {
34984 ++ err = -EACCES;
34985 ++ goto error;
34986 ++ }
34987 ++
34988 + err = security_socket_bind(sock,
34989 + (struct sockaddr *)address,
34990 + addrlen);
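Review bot: `gr_search_bind` is handed `address` cast to `struct sockaddr_in *` without `addrlen` and without a visible family check, although `move_addr_to_kernel` copied only `addrlen` bytes into an uninitialised stack buffer and the socket may not be AF_INET at all; unless the callee checks `sock->sk->sk_family` and knows the length, a short or non-IPv4 address has it read stale stack bytes as `sin_port`/`sin_addr`. Either pass `addrlen` through, or guard the call with `addrlen >= sizeof(struct sockaddr_in)` for the AF_INET case before the cast. The sys_connect hunk later in this file passes the same cast (`(struct sockaddr_in *)sck`) to `gr_search_connect` and needs the same treatment. sys_bind's body continues outside the hunk.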
34991 +@@ -1337,6 +1369,7 @@ asmlinkage long sys_bind(int fd, struct
34992 + (struct sockaddr *)
34993 + address, addrlen);
34994 + }
34995 ++error:
34996 + fput_light(sock->file, fput_needed);
34997 + }
34998 + return err;
34999 +@@ -1360,10 +1393,17 @@ asmlinkage long sys_listen(int fd, int b
35000 + if ((unsigned)backlog > sysctl_somaxconn)
35001 + backlog = sysctl_somaxconn;
35002 +
35003 ++ if (gr_handle_sock_server_other(sock) ||
35004 ++ !gr_search_listen(sock)) {
35005 ++ err = -EPERM;
35006 ++ goto error;
35007 ++ }
35008 ++
35009 + err = security_socket_listen(sock, backlog);
35010 + if (!err)
35011 + err = sock->ops->listen(sock, backlog);
35012 +
35013 ++error:
35014 + fput_light(sock->file, fput_needed);
35015 + }
35016 + return err;
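Review bot: The denial added here returns `-EPERM`, while the equivalent policy denials added to sys_socket, sys_bind and sys_connect in this file return `-EACCES` (and the sys_accept hunk uses `-EPERM` again), so userspace and audit tooling see a different errno for the same class of decision depending on which syscall tripped it. Pick one value and use it in all five places; if the split is intentional (e.g. EACCES for address-based denials and EPERM for role-based ones), a one-line comment at the first site stating that rule would keep it from looking accidental. sys_listen's body continues outside the hunk.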
35017 +@@ -1400,6 +1440,13 @@ asmlinkage long sys_accept(int fd, struc
35018 + newsock->type = sock->type;
35019 + newsock->ops = sock->ops;
35020 +
35021 ++ if (gr_handle_sock_server_other(sock) ||
35022 ++ !gr_search_accept(sock)) {
35023 ++ err = -EPERM;
35024 ++ sock_release(newsock);
35025 ++ goto out_put;
35026 ++ }
35027 ++
35028 + /*
35029 + * We don't need try_module_get here, as the listening socket (sock)
35030 + * has the protocol module (sock->ops->owner) held.
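Review bot: The new bail-out calls `sock_release(newsock)` after `newsock->ops = sock->ops` has been assigned but before the `__module_get(newsock->ops->owner)` that follows the quoted comment (outside the hunk); if `sock_release()` drops `ops->owner`'s module reference whenever `->ops` is set, as the 2.6 implementation does, every denied accept on a modular protocol performs one unpaired `module_put`, which underflows the protocol module's refcount over time. Moving the two checks above the `sock_alloc()` call, where a failure only needs `goto out_put`, avoids touching a half-initialised socket; alternatively place them after the `__module_get` so the existing `sock_release` path is balanced. sys_accept continues outside the hunk.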
35031 +@@ -1443,6 +1490,7 @@ asmlinkage long sys_accept(int fd, struc
35032 + err = newfd;
35033 +
35034 + security_socket_post_accept(sock, newsock);
35035 ++ gr_attach_curr_ip(newsock->sk);
35036 +
35037 + out_put:
35038 + fput_light(sock->file, fput_needed);
35039 +@@ -1476,6 +1524,7 @@ asmlinkage long sys_connect(int fd, stru
35040 + {
35041 + struct socket *sock;
35042 + char address[MAX_SOCK_ADDR];
35043 ++ struct sockaddr *sck;
35044 + int err, fput_needed;
35045 +
35046 + sock = sockfd_lookup_light(fd, &err, &fput_needed);
35047 +@@ -1485,6 +1534,13 @@ asmlinkage long sys_connect(int fd, stru
35048 + if (err < 0)
35049 + goto out_put;
35050 +
35051 ++ sck = (struct sockaddr *)address;
35052 ++ if (!gr_search_connect(sock, (struct sockaddr_in *)sck) ||
35053 ++ gr_handle_sock_client(sck)) {
35054 ++ err = -EACCES;
35055 ++ goto out_put;
35056 ++ }
35057 ++
35058 + err =
35059 + security_socket_connect(sock, (struct sockaddr *)address, addrlen);
35060 + if (err)
35061 +@@ -1762,6 +1818,7 @@ asmlinkage long sys_shutdown(int fd, int
35062 + err = sock->ops->shutdown(sock, how);
35063 + fput_light(sock->file, fput_needed);
35064 + }
35065 ++
35066 + return err;
35067 + }
35068 +
35069 +diff -Nurp linux-2.6.23.15/net/unix/af_unix.c linux-2.6.23.15-grsec/net/unix/af_unix.c
35070 +--- linux-2.6.23.15/net/unix/af_unix.c 2008-02-11 10:36:03.000000000 +0000
35071 ++++ linux-2.6.23.15-grsec/net/unix/af_unix.c 2008-02-11 10:37:45.000000000 +0000
35072 +@@ -115,6 +115,7 @@
35073 + #include <linux/mount.h>
35074 + #include <net/checksum.h>
35075 + #include <linux/security.h>
35076 ++#include <linux/grsecurity.h>
35077 +
35078 + int sysctl_unix_max_dgram_qlen __read_mostly = 10;
35079 +
35080 +@@ -733,6 +734,11 @@ static struct sock *unix_find_other(stru
35081 + if (err)
35082 + goto put_fail;
35083 +
35084 ++ if (!gr_acl_handle_unix(nd.dentry, nd.mnt)) {
35085 ++ err = -EACCES;
35086 ++ goto put_fail;
35087 ++ }
35088 ++
35089 + err = -ECONNREFUSED;
35090 + if (!S_ISSOCK(nd.dentry->d_inode->i_mode))
35091 + goto put_fail;
35092 +@@ -756,6 +762,13 @@ static struct sock *unix_find_other(stru
35093 + if (u) {
35094 + struct dentry *dentry;
35095 + dentry = unix_sk(u)->dentry;
35096 ++
35097 ++ if (!gr_handle_chroot_unix(u->sk_peercred.pid)) {
35098 ++ err = -EPERM;
35099 ++ sock_put(u);
35100 ++ goto fail;
35101 ++ }
35102 ++
35103 + if (dentry)
35104 + touch_atime(unix_sk(u)->mnt, dentry);
35105 + } else
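Review bot: The chroot check keys on `u->sk_peercred.pid`, a bare pid that the later unix_bind hunk records as `current->pid` at bind time and that is compared here possibly long after the binding task has exited, so pid reuse can hand a different process the binder's identity; note also that it stores `pid` where mainline's unix_listen of that era filled `sk_peercred.pid` from `current->tgid` (outside this hunk, so confirm), which makes the two writers disagree for threaded binders. A comment at this call site should say what is being compared and its limits, e.g. `/* pid recorded at bind time (see unix_bind); may be stale or reused once the binder exits */`, and a task-independent key would be more robust. `sock_put(u)` before `goto fail` is correct for this branch since `fail` does not release `u`.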
35106 +@@ -834,9 +847,18 @@ static int unix_bind(struct socket *sock
35107 + */
35108 + mode = S_IFSOCK |
35109 + (SOCK_INODE(sock)->i_mode & ~current->fs->umask);
35110 ++
35111 ++ if (!gr_acl_handle_mknod(dentry, nd.dentry, nd.mnt, mode)) {
35112 ++ err = -EACCES;
35113 ++ goto out_mknod_dput;
35114 ++ }
35115 ++
35116 + err = vfs_mknod(nd.dentry->d_inode, dentry, mode, 0);
35117 + if (err)
35118 + goto out_mknod_dput;
35119 ++
35120 ++ gr_handle_create(dentry, nd.mnt);
35121 ++
35122 + mutex_unlock(&nd.dentry->d_inode->i_mutex);
35123 + dput(nd.dentry);
35124 + nd.dentry = dentry;
35125 +@@ -854,6 +876,10 @@ static int unix_bind(struct socket *sock
35126 + goto out_unlock;
35127 + }
35128 +
35129 ++#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
35130 ++ sk->sk_peercred.pid = current->pid;
35131 ++#endif
35132 ++
35133 + list = &unix_socket_table[addr->hash];
35134 + } else {
35135 + list = &unix_socket_table[dentry->d_inode->i_ino & (UNIX_HASH_SIZE-1)];
35136 +diff -Nurp linux-2.6.23.15/scripts/pnmtologo.c linux-2.6.23.15-grsec/scripts/pnmtologo.c
35137 +--- linux-2.6.23.15/scripts/pnmtologo.c 2007-10-09 21:31:38.000000000 +0100
35138 ++++ linux-2.6.23.15-grsec/scripts/pnmtologo.c 2008-02-11 10:37:45.000000000 +0000
35139 +@@ -237,14 +237,14 @@ static void write_header(void)
35140 + fprintf(out, " * Linux logo %s\n", logoname);
35141 + fputs(" */\n\n", out);
35142 + fputs("#include <linux/linux_logo.h>\n\n", out);
35143 +- fprintf(out, "static unsigned char %s_data[] __initdata = {\n",
35144 ++ fprintf(out, "static unsigned char %s_data[] = {\n",
35145 + logoname);
35146 + }
35147 +
35148 + static void write_footer(void)
35149 + {
35150 + fputs("\n};\n\n", out);
35151 +- fprintf(out, "struct linux_logo %s __initdata = {\n", logoname);
35152 ++ fprintf(out, "struct linux_logo %s = {\n", logoname);
35153 + fprintf(out, " .type\t= %s,\n", logo_types[logo_type]);
35154 + fprintf(out, " .width\t= %d,\n", logo_width);
35155 + fprintf(out, " .height\t= %d,\n", logo_height);
35156 +@@ -374,7 +374,7 @@ static void write_logo_clut224(void)
35157 + fputs("\n};\n\n", out);
35158 +
35159 + /* write logo clut */
35160 +- fprintf(out, "static unsigned char %s_clut[] __initdata = {\n",
35161 ++ fprintf(out, "static unsigned char %s_clut[] = {\n",
35162 + logoname);
35163 + write_hex_cnt = 0;
35164 + for (i = 0; i < logo_clutsize; i++) {
35165 +diff -Nurp linux-2.6.23.15/security/Kconfig linux-2.6.23.15-grsec/security/Kconfig
35166 +--- linux-2.6.23.15/security/Kconfig 2007-10-09 21:31:38.000000000 +0100
35167 ++++ linux-2.6.23.15-grsec/security/Kconfig 2008-02-11 10:37:45.000000000 +0000
35168 +@@ -4,6 +4,429 @@
35169 +
35170 + menu "Security options"
35171 +
35172 ++source grsecurity/Kconfig
35173 ++
35174 ++menu "PaX"
35175 ++
35176 ++config PAX
35177 ++ bool "Enable various PaX features"
35178 ++ depends on GRKERNSEC && (ALPHA || ARM || AVR32 || IA64 || MIPS32 || MIPS64 || PARISC || PPC32 || PPC64 || SPARC32 || SPARC64 || X86 || X86_64)
35179 ++ help
35180 ++ This allows you to enable various PaX features. PaX adds
35181 ++ intrusion prevention mechanisms to the kernel that reduce
35182 ++ the risks posed by exploitable memory corruption bugs.
35183 ++
35184 ++menu "PaX Control"
35185 ++ depends on PAX
35186 ++
35187 ++config PAX_SOFTMODE
35188 ++ bool 'Support soft mode'
35189 ++ help
35190 ++ Enabling this option will allow you to run PaX in soft mode, that
35191 ++ is, PaX features will not be enforced by default, only on executables
35192 ++ marked explicitly. You must also enable PT_PAX_FLAGS support as it
35193 ++ is the only way to mark executables for soft mode use.
35194 ++
35195 ++ Soft mode can be activated by using the "pax_softmode=1" kernel command
35196 ++ line option on boot. Furthermore you can control various PaX features
35197 ++ at runtime via the entries in /proc/sys/kernel/pax.
35198 ++
35199 ++config PAX_EI_PAX
35200 ++ bool 'Use legacy ELF header marking'
35201 ++ help
35202 ++ Enabling this option will allow you to control PaX features on
35203 ++ a per executable basis via the 'chpax' utility available at
35204 ++ http://pax.grsecurity.net/. The control flags will be read from
35205 ++ an otherwise reserved part of the ELF header. This marking has
35206 ++ numerous drawbacks (no support for soft-mode, toolchain does not
35207 ++ know about the non-standard use of the ELF header) therefore it
35208 ++ has been deprecated in favour of PT_PAX_FLAGS support.
35209 ++
35210 ++ If you have applications not marked by the PT_PAX_FLAGS ELF
35211 ++ program header then you MUST enable this option otherwise they
35212 ++ will not get any protection.
35213 ++
35214 ++ Note that if you enable PT_PAX_FLAGS marking support as well,
35215 ++ the PT_PAX_FLAG marks will override the legacy EI_PAX marks.
35216 ++
35217 ++config PAX_PT_PAX_FLAGS
35218 ++ bool 'Use ELF program header marking'
35219 ++ help
35220 ++ Enabling this option will allow you to control PaX features on
35221 ++ a per executable basis via the 'paxctl' utility available at
35222 ++ http://pax.grsecurity.net/. The control flags will be read from
35223 ++ a PaX specific ELF program header (PT_PAX_FLAGS). This marking
35224 ++ has the benefits of supporting both soft mode and being fully
35225 ++ integrated into the toolchain (the binutils patch is available
35226 ++ from http://pax.grsecurity.net).
35227 ++
35228 ++ If you have applications not marked by the PT_PAX_FLAGS ELF
35229 ++ program header then you MUST enable the EI_PAX marking support
35230 ++ otherwise they will not get any protection.
35231 ++
35232 ++ Note that if you enable the legacy EI_PAX marking support as well,
35233 ++ the EI_PAX marks will be overridden by the PT_PAX_FLAGS marks.
35234 ++
35235 ++choice
35236 ++ prompt 'MAC system integration'
35237 ++ default PAX_HAVE_ACL_FLAGS
35238 ++ help
35239 ++ Mandatory Access Control systems have the option of controlling
35240 ++ PaX flags on a per executable basis, choose the method supported
35241 ++ by your particular system.
35242 ++
35243 ++ - "none": if your MAC system does not interact with PaX,
35244 ++ - "direct": if your MAC system defines pax_set_initial_flags() itself,
35245 ++ - "hook": if your MAC system uses the pax_set_initial_flags_func callback.
35246 ++
35247 ++ NOTE: this option is for developers/integrators only.
35248 ++
35249 ++ config PAX_NO_ACL_FLAGS
35250 ++ bool 'none'
35251 ++
35252 ++ config PAX_HAVE_ACL_FLAGS
35253 ++ bool 'direct'
35254 ++
35255 ++ config PAX_HOOK_ACL_FLAGS
35256 ++ bool 'hook'
35257 ++endchoice
35258 ++
35259 ++endmenu
35260 ++
35261 ++menu "Non-executable pages"
35262 ++ depends on PAX
35263 ++
35264 ++config PAX_NOEXEC
35265 ++ bool "Enforce non-executable pages"
35266 ++ depends on (PAX_EI_PAX || PAX_PT_PAX_FLAGS || PAX_HAVE_ACL_FLAGS || PAX_HOOK_ACL_FLAGS) && (ALPHA || IA64 || MIPS32 || MIPS64 || PARISC || PPC32 || PPC64 || SPARC32 || SPARC64 || X86 || X86_64)
35267 ++ help
35268 ++ By design some architectures do not allow for protecting memory
35269 ++ pages against execution or even if they do, Linux does not make
35270 ++ use of this feature. In practice this means that if a page is
35271 ++ readable (such as the stack or heap) it is also executable.
35272 ++
35273 ++ There is a well known exploit technique that makes use of this
35274 ++ fact and a common programming mistake where an attacker can
35275 ++ introduce code of his choice somewhere in the attacked program's
35276 ++ memory (typically the stack or the heap) and then execute it.
35277 ++
35278 ++ If the attacked program was running with different (typically
35279 ++ higher) privileges than that of the attacker, then he can elevate
35280 ++ his own privilege level (e.g. get a root shell, write to files for
35281 ++ which he does not have write access to, etc).
35282 ++
35283 ++ Enabling this option will let you choose from various features
35284 ++ that prevent the injection and execution of 'foreign' code in
35285 ++ a program.
35286 ++
35287 ++ This will also break programs that rely on the old behaviour and
35288 ++ expect that dynamically allocated memory via the malloc() family
35289 ++ of functions is executable (which it is not). Notable examples
35290 ++ are the XFree86 4.x server, the java runtime and wine.
35291 ++
35292 ++config PAX_PAGEEXEC
35293 ++ bool "Paging based non-executable pages"
35294 ++ depends on !COMPAT_VDSO && PAX_NOEXEC && (!X86_32 || M586 || M586TSC || M586MMX || M686 || MPENTIUMII || MPENTIUMIII || MPENTIUMM || MCORE2 || MPENTIUM4 || MK7 || MK8 || MWINCHIPC6 || MWINCHIP2 || MWINCHIP3D || MVIAC3_2)
35295 ++ help
35296 ++ This implementation is based on the paging feature of the CPU.
35297 ++ On i386 without hardware non-executable bit support there is a
35298 ++ variable but usually low performance impact, however on Intel's
35299 ++ P4 core based CPUs it is very high so you should not enable this
35300 ++ for kernels meant to be used on such CPUs.
35301 ++
35302 ++ On alpha, avr32, ia64, parisc, sparc, sparc64, x86_64 and i386
35303 ++ with hardware non-executable bit support there is no performance
35304 ++ impact, on ppc the impact is negligible.
35305 ++
35306 ++ Note that several architectures require various emulations due to
35307 ++ badly designed userland ABIs, this will cause a performance impact
35308 ++ but will disappear as soon as userland is fixed (e.g., ppc users
35309 ++ can make use of the secure-plt feature found in binutils).
35310 ++
35311 ++config PAX_SEGMEXEC
35312 ++ bool "Segmentation based non-executable pages"
35313 ++ depends on !COMPAT_VDSO && PAX_NOEXEC && X86_32
35314 ++ help
35315 ++ This implementation is based on the segmentation feature of the
35316 ++ CPU and has a very small performance impact, however applications
35317 ++ will be limited to a 1.5 GB address space instead of the normal
35318 ++ 3 GB.
35319 ++
35320 ++config PAX_EMUTRAMP
35321 ++ bool "Emulate trampolines" if (PAX_PAGEEXEC || PAX_SEGMEXEC) && (PARISC || PPC32 || X86)
35322 ++ default y if PARISC || PPC32
35323 ++ help
35324 ++ There are some programs and libraries that for one reason or
35325 ++ another attempt to execute special small code snippets from
35326 ++ non-executable memory pages. Most notable examples are the
35327 ++ signal handler return code generated by the kernel itself and
35328 ++ the GCC trampolines.
35329 ++
35330 ++ If you enabled CONFIG_PAX_PAGEEXEC or CONFIG_PAX_SEGMEXEC then
35331 ++ such programs will no longer work under your kernel.
35332 ++
35333 ++ As a remedy you can say Y here and use the 'chpax' or 'paxctl'
35334 ++ utilities to enable trampoline emulation for the affected programs
35335 ++ yet still have the protection provided by the non-executable pages.
35336 ++
35337 ++ On parisc and ppc you MUST enable this option and EMUSIGRT as
35338 ++ well, otherwise your system will not even boot.
35339 ++
35340 ++ Alternatively you can say N here and use the 'chpax' or 'paxctl'
35341 ++ utilities to disable CONFIG_PAX_PAGEEXEC and CONFIG_PAX_SEGMEXEC
35342 ++ for the affected files.
35343 ++
35344 ++ NOTE: enabling this feature *may* open up a loophole in the
35345 ++ protection provided by non-executable pages that an attacker
35346 ++ could abuse. Therefore the best solution is to not have any
35347 ++ files on your system that would require this option. This can
35348 ++ be achieved by not using libc5 (which relies on the kernel
35349 ++ signal handler return code) and not using or rewriting programs
35350 ++ that make use of the nested function implementation of GCC.
35351 ++ Skilled users can just fix GCC itself so that it implements
35352 ++ nested function calls in a way that does not interfere with PaX.
35353 ++
35354 ++config PAX_EMUSIGRT
35355 ++ bool "Automatically emulate sigreturn trampolines"
35356 ++ depends on PAX_EMUTRAMP && (PARISC || PPC32)
35357 ++ default y
35358 ++ help
35359 ++ Enabling this option will have the kernel automatically detect
35360 ++ and emulate signal return trampolines executing on the stack
35361 ++ that would otherwise lead to task termination.
35362 ++
35363 ++ This solution is intended as a temporary one for users with
35364 ++ legacy versions of libc (libc5, glibc 2.0, uClibc before 0.9.17,
35365 ++ Modula-3 runtime, etc) or executables linked to such, basically
35366 ++ everything that does not specify its own SA_RESTORER function in
35367 ++ normal executable memory like glibc 2.1+ does.
35368 ++
35369 ++ On parisc and ppc you MUST enable this option, otherwise your
35370 ++ system will not even boot.
35371 ++
35372 ++ NOTE: this feature cannot be disabled on a per executable basis
35373 ++ and since it *does* open up a loophole in the protection provided
35374 ++ by non-executable pages, the best solution is to not have any
35375 ++ files on your system that would require this option.
35376 ++
35377 ++config PAX_MPROTECT
35378 ++ bool "Restrict mprotect()"
35379 ++ depends on (PAX_PAGEEXEC || PAX_SEGMEXEC) && !PPC64
35380 ++ help
35381 ++ Enabling this option will prevent programs from
35382 ++ - changing the executable status of memory pages that were
35383 ++ not originally created as executable,
35384 ++ - making read-only executable pages writable again,
35385 ++ - creating executable pages from anonymous memory.
35386 ++
35387 ++ You should say Y here to complete the protection provided by
35388 ++ the enforcement of non-executable pages.
35389 ++
35390 ++ NOTE: you can use the 'chpax' or 'paxctl' utilities to control
35391 ++ this feature on a per file basis.
35392 ++
35393 ++config PAX_NOELFRELOCS
35394 ++ bool "Disallow ELF text relocations"
35395 ++ depends on PAX_MPROTECT && !PAX_ETEXECRELOCS && (IA64 || X86 || X86_64)
35396 ++ help
35397 ++ Non-executable pages and mprotect() restrictions are effective
35398 ++ in preventing the introduction of new executable code into an
35399 ++ attacked task's address space. There remain only two venues
35400 ++ for this kind of attack: if the attacker can execute already
35401 ++ existing code in the attacked task then he can either have it
35402 ++ create and mmap() a file containing his code or have it mmap()
35403 ++ an already existing ELF library that does not have position
35404 ++ independent code in it and use mprotect() on it to make it
35405 ++ writable and copy his code there. While protecting against
35406 ++ the former approach is beyond PaX, the latter can be prevented
35407 ++ by having only PIC ELF libraries on one's system (which do not
35408 ++ need to relocate their code). If you are sure this is your case,
35409 ++ then enable this option otherwise be careful as you may not even
35410 ++ be able to boot or log on your system (for example, some PAM
35411 ++ modules are erroneously compiled as non-PIC by default).
35412 ++
35413 ++ NOTE: if you are using dynamic ELF executables (as suggested
35414 ++ when using ASLR) then you must have made sure that you linked
35415 ++ your files using the PIC version of crt1 (the et_dyn.tar.gz package
35416 ++ referenced there has already been updated to support this).
35417 ++
35418 ++config PAX_ETEXECRELOCS
35419 ++ bool "Allow ELF ET_EXEC text relocations"
35420 ++ depends on PAX_MPROTECT && (ALPHA || IA64 || PARISC)
35421 ++ default y
35422 ++ help
35423 ++ On some architectures there are incorrectly created applications
35424 ++ that require text relocations and would not work without enabling
35425 ++ this option. If you are an alpha, ia64 or parisc user, you should
35426 ++ enable this option and disable it once you have made sure that
35427 ++ none of your applications need it.
35428 ++
35429 ++config PAX_EMUPLT
35430 ++ bool "Automatically emulate ELF PLT"
35431 ++ depends on PAX_MPROTECT && (ALPHA || PARISC || PPC32 || SPARC32 || SPARC64)
35432 ++ default y
35433 ++ help
35434 ++ Enabling this option will have the kernel automatically detect
35435 ++ and emulate the Procedure Linkage Table entries in ELF files.
35436 ++ On some architectures such entries are in writable memory, and
35437 ++ become non-executable leading to task termination. Therefore
35438 ++ it is mandatory that you enable this option on alpha, parisc,
35439 ++ ppc (if secure-plt is not used throughout in userland), sparc
35440 ++ and sparc64, otherwise your system would not even boot.
35441 ++
35442 ++ NOTE: this feature *does* open up a loophole in the protection
35443 ++ provided by the non-executable pages, therefore the proper
35444 ++ solution is to modify the toolchain to produce a PLT that does
35445 ++ not need to be writable.
35446 ++
35447 ++config PAX_DLRESOLVE
35448 ++ bool
35449 ++ depends on PAX_EMUPLT && (SPARC32 || SPARC64)
35450 ++ default y
35451 ++
35452 ++config PAX_SYSCALL
35453 ++ bool
35454 ++ depends on PAX_PAGEEXEC && PPC32
35455 ++ default y
35456 ++
35457 ++config PAX_KERNEXEC
35458 ++ bool "Enforce non-executable kernel pages"
35459 ++ depends on PAX_NOEXEC && X86_32 && !EFI && !COMPAT_VDSO && X86_WP_WORKS_OK && !PARAVIRT
35460 ++ help
35461 ++ This is the kernel land equivalent of PAGEEXEC and MPROTECT,
35462 ++ that is, enabling this option will make it harder to inject
35463 ++ and execute 'foreign' code in kernel memory itself.
35464 ++
35465 ++endmenu
35466 ++
35467 ++menu "Address Space Layout Randomization"
35468 ++ depends on PAX
35469 ++
35470 ++config PAX_ASLR
35471 ++ bool "Address Space Layout Randomization"
35472 ++ depends on PAX_EI_PAX || PAX_PT_PAX_FLAGS || PAX_HAVE_ACL_FLAGS || PAX_HOOK_ACL_FLAGS
35473 ++ help
35474 ++ Many if not most exploit techniques rely on the knowledge of
35475 ++ certain addresses in the attacked program. The following options
35476 ++ will allow the kernel to apply a certain amount of randomization
35477 ++ to specific parts of the program thereby forcing an attacker to
35478 ++ guess them in most cases. Any failed guess will most likely crash
35479 ++ the attacked program which allows the kernel to detect such attempts
35480 ++ and react on them. PaX itself provides no reaction mechanisms,
35481 ++ instead it is strongly encouraged that you make use of Nergal's
35482 ++ segvguard (ftp://ftp.pl.openwall.com/misc/segvguard/) or grsecurity's
35483 ++ (http://www.grsecurity.net/) built-in crash detection features or
35484 ++ develop one yourself.
35485 ++
35486 ++ By saying Y here you can choose to randomize the following areas:
35487 ++ - top of the task's kernel stack
35488 ++ - top of the task's userland stack
35489 ++ - base address for mmap() requests that do not specify one
35490 ++ (this includes all libraries)
35491 ++ - base address of the main executable
35492 ++
35493 ++ It is strongly recommended to say Y here as address space layout
35494 ++ randomization has negligible impact on performance yet it provides
35495 ++ a very effective protection.
35496 ++
35497 ++ NOTE: you can use the 'chpax' or 'paxctl' utilities to control
35498 ++ this feature on a per file basis.
35499 ++
35500 ++config PAX_RANDKSTACK
35501 ++ bool "Randomize kernel stack base"
35502 ++ depends on PAX_ASLR && X86_TSC && X86_32
35503 ++ help
35504 ++ By saying Y here the kernel will randomize every task's kernel
35505 ++ stack on every system call. This will not only force an attacker
35506 ++ to guess it but also prevent him from making use of possible
35507 ++ leaked information about it.
35508 ++
35509 ++ Since the kernel stack is a rather scarce resource, randomization
35510 ++ may cause unexpected stack overflows, therefore you should very
35511 ++ carefully test your system. Note that once enabled in the kernel
35512 ++ configuration, this feature cannot be disabled on a per file basis.
35513 ++
35514 ++config PAX_RANDUSTACK
35515 ++ bool "Randomize user stack base"
35516 ++ depends on PAX_ASLR
35517 ++ help
35518 ++ By saying Y here the kernel will randomize every task's userland
35519 ++ stack. The randomization is done in two steps where the second
35520 ++ one may apply a big amount of shift to the top of the stack and
35521 ++ cause problems for programs that want to use lots of memory (more
35522 ++ than 2.5 GB if SEGMEXEC is not active, or 1.25 GB when it is).
35523 ++ For this reason the second step can be controlled by 'chpax' or
35524 ++ 'paxctl' on a per file basis.
35525 ++
35526 ++config PAX_RANDMMAP
35527 ++ bool "Randomize mmap() base"
35528 ++ depends on PAX_ASLR
35529 ++ help
35530 ++ By saying Y here the kernel will use a randomized base address for
35531 ++ mmap() requests that do not specify one themselves. As a result
35532 ++ all dynamically loaded libraries will appear at random addresses
35533 ++ and therefore be harder to exploit by a technique where an attacker
35534 ++ attempts to execute library code for his purposes (e.g. spawn a
35535 ++ shell from an exploited program that is running at an elevated
35536 ++ privilege level).
35537 ++
35538 ++ Furthermore, if a program is relinked as a dynamic ELF file, its
35539 ++ base address will be randomized as well, completing the full
35540 ++ randomization of the address space layout. Attacking such programs
35541 ++ becomes a guess game. You can find an example of doing this at
35542 ++ http://pax.grsecurity.net/et_dyn.tar.gz and practical samples at
35543 ++ http://www.grsecurity.net/grsec-gcc-specs.tar.gz .
35544 ++
35545 ++ NOTE: you can use the 'chpax' or 'paxctl' utilities to control this
35546 ++ feature on a per file basis.
35547 ++
35548 ++endmenu
35549 ++
35550 ++menu "Miscellaneous hardening features"
35551 ++
35552 ++config PAX_MEMORY_SANITIZE
35553 ++ bool "Sanitize all freed memory"
35554 ++ help
35555 ++ By saying Y here the kernel will erase memory pages as soon as they
35556 ++ are freed. This in turn reduces the lifetime of data stored in the
35557 ++ pages, making it less likely that sensitive information such as
35558 ++ passwords, cryptographic secrets, etc stay in memory for too long.
35559 ++
35560 ++ This is especially useful for programs whose runtime is short, long
35561 ++ lived processes and the kernel itself benefit from this as long as
35562 ++ they operate on whole memory pages and ensure timely freeing of pages
35563 ++ that may hold sensitive information.
35564 ++
35565 ++ The tradeoff is performance impact, on a single CPU system kernel
35566 ++ compilation sees a 3% slowdown, other systems and workloads may vary
35567 ++ and you are advised to test this feature on your expected workload
35568 ++ before deploying it.
35569 ++
35570 ++ Note that this feature does not protect data stored in live pages,
35571 ++ e.g., process memory swapped to disk may stay there for a long time.
35572 ++
35573 ++config PAX_MEMORY_UDEREF
35574 ++ bool "Prevent invalid userland pointer dereference"
35575 ++ depends on X86_32 && !COMPAT_VDSO
35576 ++ help
35577 ++ By saying Y here the kernel will be prevented from dereferencing
35578 ++ userland pointers in contexts where the kernel expects only kernel
35579 ++ pointers. This is both a useful runtime debugging feature and a
35580 ++ security measure that prevents exploiting a class of kernel bugs.
35581 ++
35582 ++ The tradeoff is that some virtualization solutions may experience
35583 ++ a huge slowdown and therefore you should not enable this feature
35584 ++ for kernels meant to run in such environments. Whether a given VM
35585 ++ solution is affected or not is best determined by simply trying it
35586 ++ out, the performance impact will be obvious right on boot as this
35587 ++ mechanism engages from very early on. A good rule of thumb is that
35588 ++ VMs running on CPUs without hardware virtualization support (i.e.,
35589 ++ the majority of IA-32 CPUs) will likely experience the slowdown.
35590 ++
35591 ++endmenu
35592 ++
35593 ++endmenu
35594 ++
35595 + config KEYS
35596 + bool "Enable access key retention support"
35597 + help
35598 +diff -Nurp linux-2.6.23.15/security/commoncap.c linux-2.6.23.15-grsec/security/commoncap.c
35599 +--- linux-2.6.23.15/security/commoncap.c 2007-10-09 21:31:38.000000000 +0100
35600 ++++ linux-2.6.23.15-grsec/security/commoncap.c 2008-02-11 10:37:45.000000000 +0000
35601 +@@ -22,10 +22,11 @@
35602 + #include <linux/ptrace.h>
35603 + #include <linux/xattr.h>
35604 + #include <linux/hugetlb.h>
35605 ++#include <linux/grsecurity.h>
35606 +
35607 + int cap_netlink_send(struct sock *sk, struct sk_buff *skb)
35608 + {
35609 +- NETLINK_CB(skb).eff_cap = current->cap_effective;
35610 ++ NETLINK_CB(skb).eff_cap = gr_cap_rtnetlink();
35611 + return 0;
35612 + }
35613 +
35614 +@@ -43,7 +44,15 @@ EXPORT_SYMBOL(cap_netlink_recv);
35615 + int cap_capable (struct task_struct *tsk, int cap)
35616 + {
35617 + /* Derived from include/linux/sched.h:capable. */
35618 +- if (cap_raised(tsk->cap_effective, cap))
35619 ++ if (cap_raised (tsk->cap_effective, cap))
35620 ++ return 0;
35621 ++ return -EPERM;
35622 ++}
35623 ++
35624 ++int cap_capable_nolog (struct task_struct *tsk, int cap)
35625 ++{
35626 ++ /* tsk = current for all callers */
35627 ++ if (cap_raised(tsk->cap_effective, cap) && gr_is_capable_nolog(cap))
35628 + return 0;
35629 + return -EPERM;
35630 + }
35631 +@@ -162,8 +171,11 @@ void cap_bprm_apply_creds (struct linux_
35632 + }
35633 + }
35634 +
35635 +- current->suid = current->euid = current->fsuid = bprm->e_uid;
35636 +- current->sgid = current->egid = current->fsgid = bprm->e_gid;
35637 ++ if (!gr_check_user_change(-1, bprm->e_uid, bprm->e_uid))
35638 ++ current->suid = current->euid = current->fsuid = bprm->e_uid;
35639 ++
35640 ++ if (!gr_check_group_change(-1, bprm->e_gid, bprm->e_gid))
35641 ++ current->sgid = current->egid = current->fsgid = bprm->e_gid;
35642 +
35643 + /* For init, we want to retain the capabilities set
35644 + * in the init_task struct. Thus we skip the usual
35645 +@@ -174,6 +186,8 @@ void cap_bprm_apply_creds (struct linux_
35646 + cap_intersect (new_permitted, bprm->cap_effective);
35647 + }
35648 +
35649 ++ gr_handle_chroot_caps(current);
35650 ++
35651 + /* AUD: Audit candidate if current->cap_effective is set */
35652 +
35653 + current->keep_capabilities = 0;
35654 +@@ -319,12 +333,13 @@ int cap_vm_enough_memory(struct mm_struc
35655 + {
35656 + int cap_sys_admin = 0;
35657 +
35658 +- if (cap_capable(current, CAP_SYS_ADMIN) == 0)
35659 ++ if (cap_capable_nolog(current, CAP_SYS_ADMIN) == 0)
35660 + cap_sys_admin = 1;
35661 + return __vm_enough_memory(mm, pages, cap_sys_admin);
35662 + }
35663 +
35664 + EXPORT_SYMBOL(cap_capable);
35665 ++EXPORT_SYMBOL(cap_capable_nolog);
35666 + EXPORT_SYMBOL(cap_settime);
35667 + EXPORT_SYMBOL(cap_ptrace);
35668 + EXPORT_SYMBOL(cap_capget);
35669 +diff -Nurp linux-2.6.23.15/security/dummy.c linux-2.6.23.15-grsec/security/dummy.c
35670 +--- linux-2.6.23.15/security/dummy.c 2007-10-09 21:31:38.000000000 +0100
35671 ++++ linux-2.6.23.15-grsec/security/dummy.c 2008-02-11 10:37:45.000000000 +0000
35672 +@@ -28,6 +28,7 @@
35673 + #include <linux/hugetlb.h>
35674 + #include <linux/ptrace.h>
35675 + #include <linux/file.h>
35676 ++#include <linux/grsecurity.h>
35677 +
35678 + static int dummy_ptrace (struct task_struct *parent, struct task_struct *child)
35679 + {
35680 +@@ -138,8 +139,11 @@ static void dummy_bprm_apply_creds (stru
35681 + }
35682 + }
35683 +
35684 +- current->suid = current->euid = current->fsuid = bprm->e_uid;
35685 +- current->sgid = current->egid = current->fsgid = bprm->e_gid;
35686 ++ if (!gr_check_user_change(-1, bprm->e_uid, bprm->e_uid))
35687 ++ current->suid = current->euid = current->fsuid = bprm->e_uid;
35688 ++
35689 ++ if (!gr_check_group_change(-1, bprm->e_gid, bprm->e_gid))
35690 ++ current->sgid = current->egid = current->fsgid = bprm->e_gid;
35691 +
35692 + dummy_capget(current, &current->cap_effective, &current->cap_inheritable, &current->cap_permitted);
35693 + }
35694 +diff -Nurp linux-2.6.23.15/sound/core/oss/pcm_oss.c linux-2.6.23.15-grsec/sound/core/oss/pcm_oss.c
35695 +--- linux-2.6.23.15/sound/core/oss/pcm_oss.c 2007-10-09 21:31:38.000000000 +0100
35696 ++++ linux-2.6.23.15-grsec/sound/core/oss/pcm_oss.c 2008-02-11 10:37:45.000000000 +0000
35697 +@@ -2880,8 +2880,8 @@ static void snd_pcm_oss_proc_done(struct
35698 + }
35699 + }
35700 + #else /* !CONFIG_SND_VERBOSE_PROCFS */
35701 +-#define snd_pcm_oss_proc_init(pcm)
35702 +-#define snd_pcm_oss_proc_done(pcm)
35703 ++#define snd_pcm_oss_proc_init(pcm) do {} while (0)
35704 ++#define snd_pcm_oss_proc_done(pcm) do {} while (0)
35705 + #endif /* CONFIG_SND_VERBOSE_PROCFS */
35706 +
35707 + /*
35708 +diff -Nurp linux-2.6.23.15/sound/core/seq/seq_lock.h linux-2.6.23.15-grsec/sound/core/seq/seq_lock.h
35709 +--- linux-2.6.23.15/sound/core/seq/seq_lock.h 2007-10-09 21:31:38.000000000 +0100
35710 ++++ linux-2.6.23.15-grsec/sound/core/seq/seq_lock.h 2008-02-11 10:37:45.000000000 +0000
35711 +@@ -23,10 +23,10 @@ void snd_use_lock_sync_helper(snd_use_lo
35712 + #else /* SMP || CONFIG_SND_DEBUG */
35713 +
35714 + typedef spinlock_t snd_use_lock_t; /* dummy */
35715 +-#define snd_use_lock_init(lockp) /**/
35716 +-#define snd_use_lock_use(lockp) /**/
35717 +-#define snd_use_lock_free(lockp) /**/
35718 +-#define snd_use_lock_sync(lockp) /**/
35719 ++#define snd_use_lock_init(lockp) do {} while (0)
35720 ++#define snd_use_lock_use(lockp) do {} while (0)
35721 ++#define snd_use_lock_free(lockp) do {} while (0)
35722 ++#define snd_use_lock_sync(lockp) do {} while (0)
35723 +
35724 + #endif /* SMP || CONFIG_SND_DEBUG */
35725 +
35726 +diff -Nurp linux-2.6.23.15/sound/pci/ac97/ac97_patch.c linux-2.6.23.15-grsec/sound/pci/ac97/ac97_patch.c
35727 +--- linux-2.6.23.15/sound/pci/ac97/ac97_patch.c 2007-10-09 21:31:38.000000000 +0100
35728 ++++ linux-2.6.23.15-grsec/sound/pci/ac97/ac97_patch.c 2008-02-11 10:37:45.000000000 +0000
35729 +@@ -1415,7 +1415,7 @@ static const struct snd_ac97_res_table a
35730 + { AC97_VIDEO, 0x9f1f },
35731 + { AC97_AUX, 0x9f1f },
35732 + { AC97_PCM, 0x9f1f },
35733 +- { } /* terminator */
35734 ++ { 0, 0 } /* terminator */
35735 + };
35736 +
35737 + static int patch_ad1819(struct snd_ac97 * ac97)
35738 +@@ -3489,7 +3489,7 @@ static struct snd_ac97_res_table lm4550_
35739 + { AC97_AUX, 0x1f1f },
35740 + { AC97_PCM, 0x1f1f },
35741 + { AC97_REC_GAIN, 0x0f0f },
35742 +- { } /* terminator */
35743 ++ { 0, 0 } /* terminator */
35744 + };
35745 +
35746 + static int patch_lm4550(struct snd_ac97 *ac97)
35747 +diff -Nurp linux-2.6.23.15/sound/pci/ens1370.c linux-2.6.23.15-grsec/sound/pci/ens1370.c
35748 +--- linux-2.6.23.15/sound/pci/ens1370.c 2007-10-09 21:31:38.000000000 +0100
35749 ++++ linux-2.6.23.15-grsec/sound/pci/ens1370.c 2008-02-11 10:37:45.000000000 +0000
35750 +@@ -453,7 +453,7 @@ static struct pci_device_id snd_audiopci
35751 + { 0x1274, 0x5880, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0, }, /* ES1373 - CT5880 */
35752 + { 0x1102, 0x8938, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0, }, /* Ectiva EV1938 */
35753 + #endif
35754 +- { 0, }
35755 ++ { 0, 0, 0, 0, 0, 0, 0 }
35756 + };
35757 +
35758 + MODULE_DEVICE_TABLE(pci, snd_audiopci_ids);
35759 +diff -Nurp linux-2.6.23.15/sound/pci/intel8x0.c linux-2.6.23.15-grsec/sound/pci/intel8x0.c
35760 +--- linux-2.6.23.15/sound/pci/intel8x0.c 2007-10-09 21:31:38.000000000 +0100
35761 ++++ linux-2.6.23.15-grsec/sound/pci/intel8x0.c 2008-02-11 10:37:45.000000000 +0000
35762 +@@ -436,7 +436,7 @@ static struct pci_device_id snd_intel8x0
35763 + { 0x1022, 0x746d, PCI_ANY_ID, PCI_ANY_ID, 0, 0, DEVICE_INTEL }, /* AMD8111 */
35764 + { 0x1022, 0x7445, PCI_ANY_ID, PCI_ANY_ID, 0, 0, DEVICE_INTEL }, /* AMD768 */
35765 + { 0x10b9, 0x5455, PCI_ANY_ID, PCI_ANY_ID, 0, 0, DEVICE_ALI }, /* Ali5455 */
35766 +- { 0, }
35767 ++ { 0, 0, 0, 0, 0, 0, 0 }
35768 + };
35769 +
35770 + MODULE_DEVICE_TABLE(pci, snd_intel8x0_ids);
35771 +@@ -2044,7 +2044,7 @@ static struct ac97_quirk ac97_quirks[] _
35772 + .type = AC97_TUNE_HP_ONLY
35773 + },
35774 + #endif
35775 +- { } /* terminator */
35776 ++ { 0, 0, 0, 0, NULL, 0 } /* terminator */
35777 + };
35778 +
35779 + static int __devinit snd_intel8x0_mixer(struct intel8x0 *chip, int ac97_clock,
35780 +diff -Nurp linux-2.6.23.15/sound/pci/intel8x0m.c linux-2.6.23.15-grsec/sound/pci/intel8x0m.c
35781 +--- linux-2.6.23.15/sound/pci/intel8x0m.c 2007-10-09 21:31:38.000000000 +0100
35782 ++++ linux-2.6.23.15-grsec/sound/pci/intel8x0m.c 2008-02-11 10:37:45.000000000 +0000
35783 +@@ -240,7 +240,7 @@ static struct pci_device_id snd_intel8x0
35784 + { 0x1022, 0x746d, PCI_ANY_ID, PCI_ANY_ID, 0, 0, DEVICE_INTEL }, /* AMD8111 */
35785 + { 0x10b9, 0x5455, PCI_ANY_ID, PCI_ANY_ID, 0, 0, DEVICE_ALI }, /* Ali5455 */
35786 + #endif
35787 +- { 0, }
35788 ++ { 0, 0, 0, 0, 0, 0, 0 }
35789 + };
35790 +
35791 + MODULE_DEVICE_TABLE(pci, snd_intel8x0m_ids);
35792 +@@ -1261,7 +1261,7 @@ static struct shortname_table {
35793 + { 0x5455, "ALi M5455" },
35794 + { 0x746d, "AMD AMD8111" },
35795 + #endif
35796 +- { 0 },
35797 ++ { 0, NULL },
35798 + };
35799 +
35800 + static int __devinit snd_intel8x0m_probe(struct pci_dev *pci,
35801
35802 Copied: hardened-sources/2.6/tags/2.6.23-8/4425_grsec-2.1.10-mute-warnings.patch (from rev 90, hardened-sources/2.6/trunk/2.6.23/4425_grsec-2.1.10-mute-warnings.patch)
35803 ===================================================================
35804 --- hardened-sources/2.6/tags/2.6.23-8/4425_grsec-2.1.10-mute-warnings.patch (rev 0)
35805 +++ hardened-sources/2.6/tags/2.6.23-8/4425_grsec-2.1.10-mute-warnings.patch 2008-04-30 11:33:52 UTC (rev 91)
35806 @@ -0,0 +1,23 @@
35807 +From: Alexander Gabert <gaberta@××××××××.de>
35808 +
35809 +This patch removes the warnings introduced by grsec patch 2.1.9 and later.
35810 +It removes the -W options added by the patch and restores the original
35811 +warning flags of vanilla kernel versions.
35812 +
35813 +Acked-by: Christian Heim <phreak@g.o>
35814 +
35815 +---
35816 + Makefile | 5 +++--
35817 + 1 file changed, 3 insertions(+), 2 deletions(-)
35818 +
35819 +--- a/Makefile
35820 ++++ b/Makefile
35821 +@@ -312,7 +312,7 @@ LINUXINCLUDE := -Iinclude \
35822 +
35823 + CPPFLAGS := -D__KERNEL__ $(LINUXINCLUDE)
35824 +
35825 +-CFLAGS := -Wall -W -Wno-unused -Wno-sign-compare -Wundef -Wstrict-prototypes -Wno-trigraphs \
35826 ++CFLAGS := -Wall -Wundef -Wstrict-prototypes -Wno-trigraphs \
35827 + -fno-strict-aliasing -fno-common \
35828 + -Werror-implicit-function-declaration
35829 + AFLAGS := -D__ASSEMBLY__
35830
35831 Copied: hardened-sources/2.6/tags/2.6.23-8/4430_grsec-2.1.10-pax_curr_ip-fixes.patch (from rev 90, hardened-sources/2.6/trunk/2.6.23/4430_grsec-2.1.10-pax_curr_ip-fixes.patch)
35832 ===================================================================
35833 --- hardened-sources/2.6/tags/2.6.23-8/4430_grsec-2.1.10-pax_curr_ip-fixes.patch (rev 0)
35834 +++ hardened-sources/2.6/tags/2.6.23-8/4430_grsec-2.1.10-pax_curr_ip-fixes.patch 2008-04-30 11:33:52 UTC (rev 91)
35835 @@ -0,0 +1,46 @@
35836 +---
35837 + arch/i386/mm/fault.c | 2 ++
35838 + fs/exec.c | 2 ++
35839 + security/Kconfig | 2 +-
35840 + 3 files changed, 5 insertions(+), 1 deletion(-)
35841 +
35842 +--- a/arch/i386/mm/fault.c
35843 ++++ b/arch/i386/mm/fault.c
35844 +@@ -722,10 +722,12 @@ no_context:
35845 + #else
35846 + else if (init_mm.start_code <= address && address < init_mm.end_code)
35847 + #endif
35848 ++#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
35849 + if (tsk->signal->curr_ip)
35850 + printk(KERN_ERR "PAX: From %u.%u.%u.%u: %s:%d, uid/euid: %u/%u, attempted to modify kernel code",
35851 + NIPQUAD(tsk->signal->curr_ip), tsk->comm, tsk->pid, tsk->uid, tsk->euid);
35852 + else
35853 ++#endif
35854 + printk(KERN_ERR "PAX: %s:%d, uid/euid: %u/%u, attempted to modify kernel code",
35855 + tsk->comm, tsk->pid, tsk->uid, tsk->euid);
35856 + #endif
35857 +--- a/fs/exec.c
35858 ++++ b/fs/exec.c
35859 +@@ -1733,9 +1733,11 @@ void pax_report_fault(struct pt_regs *re
35860 + }
35861 + up_read(&mm->mmap_sem);
35862 + }
35863 ++#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
35864 + if (tsk->signal->curr_ip)
35865 + printk(KERN_ERR "PAX: From %u.%u.%u.%u: execution attempt in: %s, %08lx-%08lx %08lx\n", NIPQUAD(tsk->signal->curr_ip), path_fault, start, end, offset);
35866 + else
35867 ++#endif
35868 + printk(KERN_ERR "PAX: execution attempt in: %s, %08lx-%08lx %08lx\n", path_fault, start, end, offset);
35869 + printk(KERN_ERR "PAX: terminating task: %s(%s):%d, uid/euid: %u/%u, "
35870 + "PC: %p, SP: %p\n", path_exec, tsk->comm, tsk->pid,
35871 +--- a/security/Kconfig
35872 ++++ b/security/Kconfig
35873 +@@ -10,7 +10,7 @@ menu "PaX"
35874 +
35875 + config PAX
35876 + bool "Enable various PaX features"
35877 +- depends on GRKERNSEC && (ALPHA || ARM || AVR32 || IA64 || MIPS32 || MIPS64 || PARISC || PPC32 || PPC64 || SPARC32 || SPARC64 || X86 || X86_64)
35878 ++ depends on (ALPHA || ARM || AVR32 || IA64 || MIPS32 || MIPS64 || PARISC || PPC32 || PPC64 || SPARC32 || SPARC64 || X86 || X86_64)
35879 + help
35880 + This allows you to enable various PaX features. PaX adds
35881 + intrusion prevention mechanisms to the kernel that reduce
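Review bot: In the arch/i386/mm/fault.c hunk the new `#ifdef CONFIG_GRKERNSEC_PROC_IPADDR` / `#endif` pair splits an `if … else` so that with the option off only the fallback `printk` survives as the sole body of the unbraced `else if` above it, and the fs/exec.c hunk does the same. That compiles and behaves correctly today, but any statement later inserted ahead of the fallback `printk` would silently change which code is conditional, so I would brace the outer body and keep the whole `if/else` inside it, e.g. `else if (init_mm.start_code <= address && address < init_mm.end_code) { … }`. The security/Kconfig hunk drops `GRKERNSEC` from the `PAX` dependency, so every PaX path that touches a grsecurity-only field such as `tsk->signal->curr_ip` now needs a guard like the two added here; I cannot tell from this hunk whether further such references exist. While touching these lines, the two fault.c format strings inside the guard end without `\n` whereas the exec.c ones do. The functions containing the `no_context:` label and `pax_report_fault` both start and end outside the hunk.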
35882
35883 Deleted: hardened-sources/2.6/tags/2.6.23-8/4430_grsec-2.1.11-2.6.23.15-20080210.patch
35884 ===================================================================
35885 --- hardened-sources/2.6/trunk/2.6.23/4430_grsec-2.1.11-2.6.23.15-20080210.patch 2008-03-30 17:39:03 UTC (rev 86)
35886 +++ hardened-sources/2.6/tags/2.6.23-8/4430_grsec-2.1.11-2.6.23.15-20080210.patch 2008-04-30 11:33:52 UTC (rev 91)
35887 @@ -1,35665 +0,0 @@
35888 -From: Kerin Millar <kerframil@×××××.com>
35889 -
35890 -grsecurity-2.1.11-2.6.23.14-200801231800 forward ported to 2.6.23.15 for
35891 -the Hardened Gentoo project. Thanks to pipacs for some advice concerning
35892 -mmap.c changes.
35893 -
35894 -diff -Nurp linux-2.6.23.15/Documentation/dontdiff linux-2.6.23.15-grsec/Documentation/dontdiff
35895 ---- linux-2.6.23.15/Documentation/dontdiff 2007-10-09 21:31:38.000000000 +0100
35896 -+++ linux-2.6.23.15-grsec/Documentation/dontdiff 2008-02-11 10:37:44.000000000 +0000
35897 -@@ -176,14 +176,18 @@ times.h*
35898 - tkparse
35899 - trix_boot.h
35900 - utsrelease.h*
35901 -+vdso.lds
35902 - version.h*
35903 - vmlinux
35904 - vmlinux-*
35905 - vmlinux.aout
35906 -+vmlinux.bin.all
35907 - vmlinux.lds
35908 -+vmlinux.relocs
35909 - vsyscall.lds
35910 - wanxlfw.inc
35911 - uImage
35912 - unifdef
35913 -+utsrelease.h
35914 - zImage*
35915 - zconf.hash.c
35916 -diff -Nurp linux-2.6.23.15/Makefile linux-2.6.23.15-grsec/Makefile
35917 ---- linux-2.6.23.15/Makefile 2008-02-11 10:36:03.000000000 +0000
35918 -+++ linux-2.6.23.15-grsec/Makefile 2008-02-11 10:37:44.000000000 +0000
35919 -@@ -312,7 +312,7 @@ LINUXINCLUDE := -Iinclude \
35920 -
35921 - CPPFLAGS := -D__KERNEL__ $(LINUXINCLUDE)
35922 -
35923 --CFLAGS := -Wall -Wundef -Wstrict-prototypes -Wno-trigraphs \
35924 -+CFLAGS := -Wall -W -Wno-unused -Wno-sign-compare -Wundef -Wstrict-prototypes -Wno-trigraphs \
35925 - -fno-strict-aliasing -fno-common \
35926 - -Werror-implicit-function-declaration
35927 - AFLAGS := -D__ASSEMBLY__
35928 -@@ -560,7 +560,7 @@ export mod_strip_cmd
35929 -
35930 -
35931 - ifeq ($(KBUILD_EXTMOD),)
35932 --core-y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/
35933 -+core-y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/ grsecurity/
35934 -
35935 - vmlinux-dirs := $(patsubst %/,%,$(filter %/, $(init-y) $(init-m) \
35936 - $(core-y) $(core-m) $(drivers-y) $(drivers-m) \
35937 -diff -Nurp linux-2.6.23.15/arch/alpha/kernel/module.c linux-2.6.23.15-grsec/arch/alpha/kernel/module.c
35938 ---- linux-2.6.23.15/arch/alpha/kernel/module.c 2007-10-09 21:31:38.000000000 +0100
35939 -+++ linux-2.6.23.15-grsec/arch/alpha/kernel/module.c 2008-02-11 10:37:44.000000000 +0000
35940 -@@ -176,7 +176,7 @@ apply_relocate_add(Elf64_Shdr *sechdrs,
35941 -
35942 - /* The small sections were sorted to the end of the segment.
35943 - The following should definitely cover them. */
35944 -- gp = (u64)me->module_core + me->core_size - 0x8000;
35945 -+ gp = (u64)me->module_core_rw + me->core_size_rw - 0x8000;
35946 - got = sechdrs[me->arch.gotsecindex].sh_addr;
35947 -
35948 - for (i = 0; i < n; i++) {
35949 -diff -Nurp linux-2.6.23.15/arch/alpha/kernel/osf_sys.c linux-2.6.23.15-grsec/arch/alpha/kernel/osf_sys.c
35950 ---- linux-2.6.23.15/arch/alpha/kernel/osf_sys.c 2007-10-09 21:31:38.000000000 +0100
35951 -+++ linux-2.6.23.15-grsec/arch/alpha/kernel/osf_sys.c 2008-02-11 10:37:44.000000000 +0000
35952 -@@ -1288,6 +1288,10 @@ arch_get_unmapped_area(struct file *filp
35953 - merely specific addresses, but regions of memory -- perhaps
35954 - this feature should be incorporated into all ports? */
35955 -
35956 -+#ifdef CONFIG_PAX_RANDMMAP
35957 -+ if (!(current->mm->pax_flags & MF_PAX_RANDMMAP) || !filp)
35958 -+#endif
35959 -+
35960 - if (addr) {
35961 - addr = arch_get_unmapped_area_1 (PAGE_ALIGN(addr), len, limit);
35962 - if (addr != (unsigned long) -ENOMEM)
35963 -@@ -1295,8 +1299,8 @@ arch_get_unmapped_area(struct file *filp
35964 - }
35965 -
35966 - /* Next, try allocating at TASK_UNMAPPED_BASE. */
35967 -- addr = arch_get_unmapped_area_1 (PAGE_ALIGN(TASK_UNMAPPED_BASE),
35968 -- len, limit);
35969 -+ addr = arch_get_unmapped_area_1 (PAGE_ALIGN(current->mm->mmap_base), len, limit);
35970 -+
35971 - if (addr != (unsigned long) -ENOMEM)
35972 - return addr;
35973 -
35974 -diff -Nurp linux-2.6.23.15/arch/alpha/kernel/ptrace.c linux-2.6.23.15-grsec/arch/alpha/kernel/ptrace.c
35975 ---- linux-2.6.23.15/arch/alpha/kernel/ptrace.c 2007-10-09 21:31:38.000000000 +0100
35976 -+++ linux-2.6.23.15-grsec/arch/alpha/kernel/ptrace.c 2008-02-11 10:37:44.000000000 +0000
35977 -@@ -15,6 +15,7 @@
35978 - #include <linux/slab.h>
35979 - #include <linux/security.h>
35980 - #include <linux/signal.h>
35981 -+#include <linux/grsecurity.h>
35982 -
35983 - #include <asm/uaccess.h>
35984 - #include <asm/pgtable.h>
35985 -@@ -283,6 +284,11 @@ do_sys_ptrace(long request, long pid, lo
35986 - goto out_notsk;
35987 - }
35988 -
35989 -+ if (gr_handle_ptrace(child, request)) {
35990 -+ ret = -EPERM;
35991 -+ goto out;
35992 -+ }
35993 -+
35994 - if (request == PTRACE_ATTACH) {
35995 - ret = ptrace_attach(child);
35996 - goto out;
35997 -diff -Nurp linux-2.6.23.15/arch/alpha/mm/fault.c linux-2.6.23.15-grsec/arch/alpha/mm/fault.c
35998 ---- linux-2.6.23.15/arch/alpha/mm/fault.c 2007-10-09 21:31:38.000000000 +0100
35999 -+++ linux-2.6.23.15-grsec/arch/alpha/mm/fault.c 2008-02-11 10:37:44.000000000 +0000
36000 -@@ -23,6 +23,7 @@
36001 - #include <linux/smp.h>
36002 - #include <linux/interrupt.h>
36003 - #include <linux/module.h>
36004 -+#include <linux/binfmts.h>
36005 -
36006 - #include <asm/system.h>
36007 - #include <asm/uaccess.h>
36008 -@@ -54,6 +55,124 @@ __load_new_mm_context(struct mm_struct *
36009 - __reload_thread(pcb);
36010 - }
36011 -
36012 -+#ifdef CONFIG_PAX_PAGEEXEC
36013 -+/*
36014 -+ * PaX: decide what to do with offenders (regs->pc = fault address)
36015 -+ *
36016 -+ * returns 1 when task should be killed
36017 -+ * 2 when patched PLT trampoline was detected
36018 -+ * 3 when unpatched PLT trampoline was detected
36019 -+ */
36020 -+static int pax_handle_fetch_fault(struct pt_regs *regs)
36021 -+{
36022 -+
36023 -+#ifdef CONFIG_PAX_EMUPLT
36024 -+ int err;
36025 -+
36026 -+ do { /* PaX: patched PLT emulation #1 */
36027 -+ unsigned int ldah, ldq, jmp;
36028 -+
36029 -+ err = get_user(ldah, (unsigned int *)regs->pc);
36030 -+ err |= get_user(ldq, (unsigned int *)(regs->pc+4));
36031 -+ err |= get_user(jmp, (unsigned int *)(regs->pc+8));
36032 -+
36033 -+ if (err)
36034 -+ break;
36035 -+
36036 -+ if ((ldah & 0xFFFF0000U) == 0x277B0000U &&
36037 -+ (ldq & 0xFFFF0000U) == 0xA77B0000U &&
36038 -+ jmp == 0x6BFB0000U)
36039 -+ {
36040 -+ unsigned long r27, addr;
36041 -+ unsigned long addrh = (ldah | 0xFFFFFFFFFFFF0000UL) << 16;
36042 -+ unsigned long addrl = ldq | 0xFFFFFFFFFFFF0000UL;
36043 -+
36044 -+ addr = regs->r27 + ((addrh ^ 0x80000000UL) + 0x80000000UL) + ((addrl ^ 0x8000UL) + 0x8000UL);
36045 -+ err = get_user(r27, (unsigned long *)addr);
36046 -+ if (err)
36047 -+ break;
36048 -+
36049 -+ regs->r27 = r27;
36050 -+ regs->pc = r27;
36051 -+ return 2;
36052 -+ }
36053 -+ } while (0);
36054 -+
36055 -+ do { /* PaX: patched PLT emulation #2 */
36056 -+ unsigned int ldah, lda, br;
36057 -+
36058 -+ err = get_user(ldah, (unsigned int *)regs->pc);
36059 -+ err |= get_user(lda, (unsigned int *)(regs->pc+4));
36060 -+ err |= get_user(br, (unsigned int *)(regs->pc+8));
36061 -+
36062 -+ if (err)
36063 -+ break;
36064 -+
36065 -+ if ((ldah & 0xFFFF0000U) == 0x277B0000U &&
36066 -+ (lda & 0xFFFF0000U) == 0xA77B0000U &&
36067 -+ (br & 0xFFE00000U) == 0xC3E00000U)
36068 -+ {
36069 -+ unsigned long addr = br | 0xFFFFFFFFFFE00000UL;
36070 -+ unsigned long addrh = (ldah | 0xFFFFFFFFFFFF0000UL) << 16;
36071 -+ unsigned long addrl = lda | 0xFFFFFFFFFFFF0000UL;
36072 -+
36073 -+ regs->r27 += ((addrh ^ 0x80000000UL) + 0x80000000UL) + ((addrl ^ 0x8000UL) + 0x8000UL);
36074 -+ regs->pc += 12 + (((addr ^ 0x00100000UL) + 0x00100000UL) << 2);
36075 -+ return 2;
36076 -+ }
36077 -+ } while (0);
36078 -+
36079 -+ do { /* PaX: unpatched PLT emulation */
36080 -+ unsigned int br;
36081 -+
36082 -+ err = get_user(br, (unsigned int *)regs->pc);
36083 -+
36084 -+ if (!err && (br & 0xFFE00000U) == 0xC3800000U) {
36085 -+ unsigned int br2, ldq, nop, jmp;
36086 -+ unsigned long addr = br | 0xFFFFFFFFFFE00000UL, resolver;
36087 -+
36088 -+ addr = regs->pc + 4 + (((addr ^ 0x00100000UL) + 0x00100000UL) << 2);
36089 -+ err = get_user(br2, (unsigned int *)addr);
36090 -+ err |= get_user(ldq, (unsigned int *)(addr+4));
36091 -+ err |= get_user(nop, (unsigned int *)(addr+8));
36092 -+ err |= get_user(jmp, (unsigned int *)(addr+12));
36093 -+ err |= get_user(resolver, (unsigned long *)(addr+16));
36094 -+
36095 -+ if (err)
36096 -+ break;
36097 -+
36098 -+ if (br2 == 0xC3600000U &&
36099 -+ ldq == 0xA77B000CU &&
36100 -+ nop == 0x47FF041FU &&
36101 -+ jmp == 0x6B7B0000U)
36102 -+ {
36103 -+ regs->r28 = regs->pc+4;
36104 -+ regs->r27 = addr+16;
36105 -+ regs->pc = resolver;
36106 -+ return 3;
36107 -+ }
36108 -+ }
36109 -+ } while (0);
36110 -+#endif
36111 -+
36112 -+ return 1;
36113 -+}
36114 -+
36115 -+void pax_report_insns(void *pc, void *sp)
36116 -+{
36117 -+ unsigned long i;
36118 -+
36119 -+ printk(KERN_ERR "PAX: bytes at PC: ");
36120 -+ for (i = 0; i < 5; i++) {
36121 -+ unsigned int c;
36122 -+ if (get_user(c, (unsigned int *)pc+i))
36123 -+ printk("???????? ");
36124 -+ else
36125 -+ printk("%08x ", c);
36126 -+ }
36127 -+ printk("\n");
36128 -+}
36129 -+#endif
36130 -
36131 - /*
36132 - * This routine handles page faults. It determines the address,
36133 -@@ -131,8 +250,29 @@ do_page_fault(unsigned long address, uns
36134 - good_area:
36135 - si_code = SEGV_ACCERR;
36136 - if (cause < 0) {
36137 -- if (!(vma->vm_flags & VM_EXEC))
36138 -+ if (!(vma->vm_flags & VM_EXEC)) {
36139 -+
36140 -+#ifdef CONFIG_PAX_PAGEEXEC
36141 -+ if (!(mm->pax_flags & MF_PAX_PAGEEXEC) || address != regs->pc)
36142 -+ goto bad_area;
36143 -+
36144 -+ up_read(&mm->mmap_sem);
36145 -+ switch (pax_handle_fetch_fault(regs)) {
36146 -+
36147 -+#ifdef CONFIG_PAX_EMUPLT
36148 -+ case 2:
36149 -+ case 3:
36150 -+ return;
36151 -+#endif
36152 -+
36153 -+ }
36154 -+ pax_report_fault(regs, (void *)regs->pc, (void *)rdusp());
36155 -+ do_exit(SIGKILL);
36156 -+#else
36157 - goto bad_area;
36158 -+#endif
36159 -+
36160 -+ }
36161 - } else if (!cause) {
36162 - /* Allow reads even for write-only mappings */
36163 - if (!(vma->vm_flags & (VM_READ | VM_WRITE)))
36164 -diff -Nurp linux-2.6.23.15/arch/arm/mm/mmap.c linux-2.6.23.15-grsec/arch/arm/mm/mmap.c
36165 ---- linux-2.6.23.15/arch/arm/mm/mmap.c 2007-10-09 21:31:38.000000000 +0100
36166 -+++ linux-2.6.23.15-grsec/arch/arm/mm/mmap.c 2008-02-11 10:37:44.000000000 +0000
36167 -@@ -60,6 +60,10 @@ arch_get_unmapped_area(struct file *filp
36168 - if (len > TASK_SIZE)
36169 - return -ENOMEM;
36170 -
36171 -+#ifdef CONFIG_PAX_RANDMMAP
36172 -+ if (!(mm->pax_flags & MF_PAX_RANDMMAP) || !filp)
36173 -+#endif
36174 -+
36175 - if (addr) {
36176 - if (do_align)
36177 - addr = COLOUR_ALIGN(addr, pgoff);
36178 -@@ -72,10 +76,10 @@ arch_get_unmapped_area(struct file *filp
36179 - return addr;
36180 - }
36181 - if (len > mm->cached_hole_size) {
36182 -- start_addr = addr = mm->free_area_cache;
36183 -+ start_addr = addr = mm->free_area_cache;
36184 - } else {
36185 -- start_addr = addr = TASK_UNMAPPED_BASE;
36186 -- mm->cached_hole_size = 0;
36187 -+ start_addr = addr = mm->mmap_base;
36188 -+ mm->cached_hole_size = 0;
36189 - }
36190 -
36191 - full_search:
36192 -@@ -91,8 +95,8 @@ full_search:
36193 - * Start a new search - just in case we missed
36194 - * some holes.
36195 - */
36196 -- if (start_addr != TASK_UNMAPPED_BASE) {
36197 -- start_addr = addr = TASK_UNMAPPED_BASE;
36198 -+ if (start_addr != mm->mmap_base) {
36199 -+ start_addr = addr = mm->mmap_base;
36200 - mm->cached_hole_size = 0;
36201 - goto full_search;
36202 - }
36203 -diff -Nurp linux-2.6.23.15/arch/avr32/mm/fault.c linux-2.6.23.15-grsec/arch/avr32/mm/fault.c
36204 ---- linux-2.6.23.15/arch/avr32/mm/fault.c 2007-10-09 21:31:38.000000000 +0100
36205 -+++ linux-2.6.23.15-grsec/arch/avr32/mm/fault.c 2008-02-11 10:37:44.000000000 +0000
36206 -@@ -41,6 +41,23 @@ static inline int notify_page_fault(stru
36207 -
36208 - int exception_trace = 1;
36209 -
36210 -+#ifdef CONFIG_PAX_PAGEEXEC
36211 -+void pax_report_insns(void *pc, void *sp)
36212 -+{
36213 -+ unsigned long i;
36214 -+
36215 -+ printk(KERN_ERR "PAX: bytes at PC: ");
36216 -+ for (i = 0; i < 20; i++) {
36217 -+ unsigned char c;
36218 -+ if (get_user(c, (unsigned char *)pc+i))
36219 -+ printk("???????? ");
36220 -+ else
36221 -+ printk("%02x ", c);
36222 -+ }
36223 -+ printk("\n");
36224 -+}
36225 -+#endif
36226 -+
36227 - /*
36228 - * This routine handles page faults. It determines the address and the
36229 - * problem, and then passes it off to one of the appropriate routines.
36230 -@@ -157,6 +174,16 @@ bad_area:
36231 - up_read(&mm->mmap_sem);
36232 -
36233 - if (user_mode(regs)) {
36234 -+
36235 -+#ifdef CONFIG_PAX_PAGEEXEC
36236 -+ if (mm->pax_flags & MF_PAX_PAGEEXEC) {
36237 -+ if (ecr == ECR_PROTECTION_X || ecr == ECR_TLB_MISS_X) {
36238 -+ pax_report_fault(regs, (void *)regs->pc, (void *)regs->sp);
36239 -+ do_exit(SIGKILL);
36240 -+ }
36241 -+ }
36242 -+#endif
36243 -+
36244 - if (exception_trace && printk_ratelimit())
36245 - printk("%s%s[%d]: segfault at %08lx pc %08lx "
36246 - "sp %08lx ecr %lu\n",
36247 -diff -Nurp linux-2.6.23.15/arch/i386/Kconfig linux-2.6.23.15-grsec/arch/i386/Kconfig
36248 ---- linux-2.6.23.15/arch/i386/Kconfig 2007-10-09 21:31:38.000000000 +0100
36249 -+++ linux-2.6.23.15-grsec/arch/i386/Kconfig 2008-02-11 10:37:44.000000000 +0000
36250 -@@ -592,7 +592,7 @@ config PAGE_OFFSET
36251 - hex
36252 - default 0xB0000000 if VMSPLIT_3G_OPT
36253 - default 0x80000000 if VMSPLIT_2G
36254 -- default 0x78000000 if VMSPLIT_2G_OPT
36255 -+ default 0x70000000 if VMSPLIT_2G_OPT
36256 - default 0x40000000 if VMSPLIT_1G
36257 - default 0xC0000000
36258 -
36259 -@@ -831,7 +831,7 @@ config CRASH_DUMP
36260 - config PHYSICAL_START
36261 - hex "Physical address where the kernel is loaded" if (EMBEDDED || CRASH_DUMP)
36262 - default "0x1000000" if X86_NUMAQ
36263 -- default "0x100000"
36264 -+ default "0x200000"
36265 - help
36266 - This gives the physical address where the kernel is loaded.
36267 -
36268 -@@ -916,7 +916,7 @@ config HOTPLUG_CPU
36269 -
36270 - config COMPAT_VDSO
36271 - bool "Compat VDSO support"
36272 -- default y
36273 -+ default n
36274 - help
36275 - Map the VDSO to the predictable old-style address too.
36276 - ---help---
36277 -@@ -1092,7 +1092,7 @@ config PCI
36278 - choice
36279 - prompt "PCI access mode"
36280 - depends on PCI && !X86_VISWS
36281 -- default PCI_GOANY
36282 -+ default PCI_GODIRECT
36283 - ---help---
36284 - On PCI systems, the BIOS can be used to detect the PCI devices and
36285 - determine their configuration. However, some old PCI motherboards
36286 -diff -Nurp linux-2.6.23.15/arch/i386/Kconfig.cpu linux-2.6.23.15-grsec/arch/i386/Kconfig.cpu
36287 ---- linux-2.6.23.15/arch/i386/Kconfig.cpu 2007-10-09 21:31:38.000000000 +0100
36288 -+++ linux-2.6.23.15-grsec/arch/i386/Kconfig.cpu 2008-02-11 10:37:44.000000000 +0000
36289 -@@ -274,7 +274,7 @@ config X86_PPRO_FENCE
36290 -
36291 - config X86_F00F_BUG
36292 - bool
36293 -- depends on M586MMX || M586TSC || M586 || M486 || M386
36294 -+ depends on (M586MMX || M586TSC || M586 || M486 || M386) && !PAX_KERNEXEC
36295 - default y
36296 -
36297 - config X86_WP_WORKS_OK
36298 -@@ -299,7 +299,7 @@ config X86_POPAD_OK
36299 -
36300 - config X86_ALIGNMENT_16
36301 - bool
36302 -- depends on MWINCHIP3D || MWINCHIP2 || MWINCHIPC6 || MCYRIXIII || X86_ELAN || MK6 || M586MMX || M586TSC || M586 || M486 || MVIAC3_2 || MGEODEGX1
36303 -+ depends on MWINCHIP3D || MWINCHIP2 || MWINCHIPC6 || MCYRIXIII || X86_ELAN || MK8 || MK7 || MK6 || MPENTIUM4 || MPENTIUMIII || MPENTIUMII || M686 || M586MMX || M586TSC || M586 || M486 || MVIAC3_2 || MGEODEGX1
36304 - default y
36305 -
36306 - config X86_GOOD_APIC
36307 -diff -Nurp linux-2.6.23.15/arch/i386/Kconfig.debug linux-2.6.23.15-grsec/arch/i386/Kconfig.debug
36308 ---- linux-2.6.23.15/arch/i386/Kconfig.debug 2007-10-09 21:31:38.000000000 +0100
36309 -+++ linux-2.6.23.15-grsec/arch/i386/Kconfig.debug 2008-02-11 10:37:44.000000000 +0000
36310 -@@ -46,16 +46,6 @@ config DEBUG_PAGEALLOC
36311 - This results in a large slowdown, but helps to find certain types
36312 - of memory corruptions.
36313 -
36314 --config DEBUG_RODATA
36315 -- bool "Write protect kernel read-only data structures"
36316 -- depends on DEBUG_KERNEL
36317 -- help
36318 -- Mark the kernel read-only data as write-protected in the pagetables,
36319 -- in order to catch accidental (and incorrect) writes to such const
36320 -- data. This option may have a slight performance impact because a
36321 -- portion of the kernel code won't be covered by a 2MB TLB anymore.
36322 -- If in doubt, say "N".
36323 --
36324 - config 4KSTACKS
36325 - bool "Use 4Kb for kernel stacks instead of 8Kb"
36326 - depends on DEBUG_KERNEL
36327 -diff -Nurp linux-2.6.23.15/arch/i386/boot/bitops.h linux-2.6.23.15-grsec/arch/i386/boot/bitops.h
36328 ---- linux-2.6.23.15/arch/i386/boot/bitops.h 2007-10-09 21:31:38.000000000 +0100
36329 -+++ linux-2.6.23.15-grsec/arch/i386/boot/bitops.h 2008-02-11 10:37:44.000000000 +0000
36330 -@@ -28,7 +28,7 @@ static inline int variable_test_bit(int
36331 - u8 v;
36332 - const u32 *p = (const u32 *)addr;
36333 -
36334 -- asm("btl %2,%1; setc %0" : "=qm" (v) : "m" (*p), "Ir" (nr));
36335 -+ asm volatile("btl %2,%1; setc %0" : "=qm" (v) : "m" (*p), "Ir" (nr));
36336 - return v;
36337 - }
36338 -
36339 -@@ -39,7 +39,7 @@ static inline int variable_test_bit(int
36340 -
36341 - static inline void set_bit(int nr, void *addr)
36342 - {
36343 -- asm("btsl %1,%0" : "+m" (*(u32 *)addr) : "Ir" (nr));
36344 -+ asm volatile("btsl %1,%0" : "+m" (*(u32 *)addr) : "Ir" (nr));
36345 - }
36346 -
36347 - #endif /* BOOT_BITOPS_H */
36348 -diff -Nurp linux-2.6.23.15/arch/i386/boot/boot.h linux-2.6.23.15-grsec/arch/i386/boot/boot.h
36349 ---- linux-2.6.23.15/arch/i386/boot/boot.h 2008-02-11 10:36:03.000000000 +0000
36350 -+++ linux-2.6.23.15-grsec/arch/i386/boot/boot.h 2008-02-11 10:37:44.000000000 +0000
36351 -@@ -78,7 +78,7 @@ static inline void io_delay(void)
36352 - static inline u16 ds(void)
36353 - {
36354 - u16 seg;
36355 -- asm("movw %%ds,%0" : "=rm" (seg));
36356 -+ asm volatile("movw %%ds,%0" : "=rm" (seg));
36357 - return seg;
36358 - }
36359 -
36360 -@@ -174,7 +174,7 @@ static inline void wrgs32(u32 v, addr_t
36361 - static inline int memcmp(const void *s1, const void *s2, size_t len)
36362 - {
36363 - u8 diff;
36364 -- asm("repe; cmpsb; setnz %0"
36365 -+ asm volatile("repe; cmpsb; setnz %0"
36366 - : "=qm" (diff), "+D" (s1), "+S" (s2), "+c" (len));
36367 - return diff;
36368 - }
36369 -diff -Nurp linux-2.6.23.15/arch/i386/boot/compressed/head.S linux-2.6.23.15-grsec/arch/i386/boot/compressed/head.S
36370 ---- linux-2.6.23.15/arch/i386/boot/compressed/head.S 2007-10-09 21:31:38.000000000 +0100
36371 -+++ linux-2.6.23.15-grsec/arch/i386/boot/compressed/head.S 2008-02-11 10:37:44.000000000 +0000
36372 -@@ -159,9 +159,8 @@ relocated:
36373 - */
36374 -
36375 - 1: subl $4, %edi
36376 -- movl 0(%edi), %ecx
36377 -- testl %ecx, %ecx
36378 -- jz 2f
36379 -+ movl (%edi), %ecx
36380 -+ jecxz 2f
36381 - addl %ebx, -__PAGE_OFFSET(%ebx, %ecx)
36382 - jmp 1b
36383 - 2:
36384 -diff -Nurp linux-2.6.23.15/arch/i386/boot/compressed/relocs.c linux-2.6.23.15-grsec/arch/i386/boot/compressed/relocs.c
36385 ---- linux-2.6.23.15/arch/i386/boot/compressed/relocs.c 2007-10-09 21:31:38.000000000 +0100
36386 -+++ linux-2.6.23.15-grsec/arch/i386/boot/compressed/relocs.c 2008-02-11 10:37:44.000000000 +0000
36387 -@@ -10,9 +10,13 @@
36388 - #define USE_BSD
36389 - #include <endian.h>
36390 -
36391 -+#include "../../../../include/linux/autoconf.h"
36392 -+
36393 -+#define MAX_PHDRS 100
36394 - #define MAX_SHDRS 100
36395 - #define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))
36396 - static Elf32_Ehdr ehdr;
36397 -+static Elf32_Phdr phdr[MAX_PHDRS];
36398 - static Elf32_Shdr shdr[MAX_SHDRS];
36399 - static Elf32_Sym *symtab[MAX_SHDRS];
36400 - static Elf32_Rel *reltab[MAX_SHDRS];
36401 -@@ -246,6 +250,34 @@ static void read_ehdr(FILE *fp)
36402 - }
36403 - }
36404 -
36405 -+static void read_phdrs(FILE *fp)
36406 -+{
36407 -+ int i;
36408 -+ if (ehdr.e_phnum > MAX_PHDRS) {
36409 -+ die("%d program headers supported: %d\n",
36410 -+ ehdr.e_phnum, MAX_PHDRS);
36411 -+ }
36412 -+ if (fseek(fp, ehdr.e_phoff, SEEK_SET) < 0) {
36413 -+ die("Seek to %d failed: %s\n",
36414 -+ ehdr.e_phoff, strerror(errno));
36415 -+ }
36416 -+ if (fread(&phdr, sizeof(phdr[0]), ehdr.e_phnum, fp) != ehdr.e_phnum) {
36417 -+ die("Cannot read ELF program headers: %s\n",
36418 -+ strerror(errno));
36419 -+ }
36420 -+ for(i = 0; i < ehdr.e_phnum; i++) {
36421 -+ phdr[i].p_type = elf32_to_cpu(phdr[i].p_type);
36422 -+ phdr[i].p_offset = elf32_to_cpu(phdr[i].p_offset);
36423 -+ phdr[i].p_vaddr = elf32_to_cpu(phdr[i].p_vaddr);
36424 -+ phdr[i].p_paddr = elf32_to_cpu(phdr[i].p_paddr);
36425 -+ phdr[i].p_filesz = elf32_to_cpu(phdr[i].p_filesz);
36426 -+ phdr[i].p_memsz = elf32_to_cpu(phdr[i].p_memsz);
36427 -+ phdr[i].p_flags = elf32_to_cpu(phdr[i].p_flags);
36428 -+ phdr[i].p_align = elf32_to_cpu(phdr[i].p_align);
36429 -+ }
36430 -+
36431 -+}
36432 -+
36433 - static void read_shdrs(FILE *fp)
36434 - {
36435 - int i;
36436 -@@ -332,6 +364,8 @@ static void read_symtabs(FILE *fp)
36437 - static void read_relocs(FILE *fp)
36438 - {
36439 - int i,j;
36440 -+ uint32_t base;
36441 -+
36442 - for(i = 0; i < ehdr.e_shnum; i++) {
36443 - if (shdr[i].sh_type != SHT_REL) {
36444 - continue;
36445 -@@ -349,8 +383,17 @@ static void read_relocs(FILE *fp)
36446 - die("Cannot read symbol table: %s\n",
36447 - strerror(errno));
36448 - }
36449 -+ base = 0;
36450 -+ for (j = 0; j < ehdr.e_phnum; j++) {
36451 -+ if (phdr[j].p_type != PT_LOAD )
36452 -+ continue;
36453 -+ if (shdr[shdr[i].sh_info].sh_offset < phdr[j].p_offset || shdr[shdr[i].sh_info].sh_offset > phdr[j].p_offset + phdr[j].p_filesz)
36454 -+ continue;
36455 -+ base = CONFIG_PAGE_OFFSET + phdr[j].p_paddr - phdr[j].p_vaddr;
36456 -+ break;
36457 -+ }
36458 - for(j = 0; j < shdr[i].sh_size/sizeof(reltab[0][0]); j++) {
36459 -- reltab[i][j].r_offset = elf32_to_cpu(reltab[i][j].r_offset);
36460 -+ reltab[i][j].r_offset = elf32_to_cpu(reltab[i][j].r_offset) + base;
36461 - reltab[i][j].r_info = elf32_to_cpu(reltab[i][j].r_info);
36462 - }
36463 - }
36464 -@@ -487,6 +530,27 @@ static void walk_relocs(void (*visit)(El
36465 - if (sym->st_shndx == SHN_ABS) {
36466 - continue;
36467 - }
36468 -+ /* Don't relocate actual per-cpu variables, they are absolute indices, not addresses */
36469 -+ if (!strcmp(sec_name(sym->st_shndx), ".data.percpu") && strncmp(sym_name(sym_strtab, sym), "__per_cpu_", 10)) {
36470 -+ continue;
36471 -+ }
36472 -+#ifdef CONFIG_PAX_KERNEXEC
36473 -+ /* Don't relocate actual code, they are relocated implicitly by the base address of KERNEL_CS */
36474 -+ if (!strcmp(sec_name(sym->st_shndx), ".init.text")) {
36475 -+ continue;
36476 -+ }
36477 -+ if (!strcmp(sec_name(sym->st_shndx), ".exit.text")) {
36478 -+ continue;
36479 -+ }
36480 -+ if (!strcmp(sec_name(sym->st_shndx), ".text.head"))
36481 -+ if (strcmp(sym_name(sym_strtab, sym), "__init_end") &&
36482 -+ strcmp(sym_name(sym_strtab, sym), "KERNEL_TEXT_OFFSET")) {
36483 -+ continue;
36484 -+ }
36485 -+ if (!strcmp(sec_name(sym->st_shndx), ".text")) {
36486 -+ continue;
36487 -+ }
36488 -+#endif
36489 - if (r_type == R_386_PC32) {
36490 - /* PC relative relocations don't need to be adjusted */
36491 - }
36492 -@@ -614,6 +678,7 @@ int main(int argc, char **argv)
36493 - fname, strerror(errno));
36494 - }
36495 - read_ehdr(fp);
36496 -+ read_phdrs(fp);
36497 - read_shdrs(fp);
36498 - read_strtabs(fp);
36499 - read_symtabs(fp);
36500 -diff -Nurp linux-2.6.23.15/arch/i386/boot/cpucheck.c linux-2.6.23.15-grsec/arch/i386/boot/cpucheck.c
36501 ---- linux-2.6.23.15/arch/i386/boot/cpucheck.c 2007-10-09 21:31:38.000000000 +0100
36502 -+++ linux-2.6.23.15-grsec/arch/i386/boot/cpucheck.c 2008-02-11 10:37:44.000000000 +0000
36503 -@@ -90,7 +90,7 @@ static int has_fpu(void)
36504 - u16 fcw = -1, fsw = -1;
36505 - u32 cr0;
36506 -
36507 -- asm("movl %%cr0,%0" : "=r" (cr0));
36508 -+ asm volatile("movl %%cr0,%0" : "=r" (cr0));
36509 - if (cr0 & (X86_CR0_EM|X86_CR0_TS)) {
36510 - cr0 &= ~(X86_CR0_EM|X86_CR0_TS);
36511 - asm volatile("movl %0,%%cr0" : : "r" (cr0));
36512 -@@ -106,7 +106,7 @@ static int has_eflag(u32 mask)
36513 - {
36514 - u32 f0, f1;
36515 -
36516 -- asm("pushfl ; "
36517 -+ asm volatile("pushfl ; "
36518 - "pushfl ; "
36519 - "popl %0 ; "
36520 - "movl %0,%1 ; "
36521 -@@ -131,7 +131,7 @@ static void get_flags(void)
36522 - set_bit(X86_FEATURE_FPU, cpu.flags);
36523 -
36524 - if (has_eflag(X86_EFLAGS_ID)) {
36525 -- asm("cpuid"
36526 -+ asm volatile("cpuid"
36527 - : "=a" (max_intel_level),
36528 - "=b" (cpu_vendor[0]),
36529 - "=d" (cpu_vendor[1]),
36530 -@@ -140,7 +140,7 @@ static void get_flags(void)
36531 -
36532 - if (max_intel_level >= 0x00000001 &&
36533 - max_intel_level <= 0x0000ffff) {
36534 -- asm("cpuid"
36535 -+ asm volatile("cpuid"
36536 - : "=a" (tfms),
36537 - "=c" (cpu.flags[4]),
36538 - "=d" (cpu.flags[0])
36539 -@@ -152,7 +152,7 @@ static void get_flags(void)
36540 - cpu.model += ((tfms >> 16) & 0xf) << 4;
36541 - }
36542 -
36543 -- asm("cpuid"
36544 -+ asm volatile("cpuid"
36545 - : "=a" (max_amd_level)
36546 - : "a" (0x80000000)
36547 - : "ebx", "ecx", "edx");
36548 -@@ -160,7 +160,7 @@ static void get_flags(void)
36549 - if (max_amd_level >= 0x80000001 &&
36550 - max_amd_level <= 0x8000ffff) {
36551 - u32 eax = 0x80000001;
36552 -- asm("cpuid"
36553 -+ asm volatile("cpuid"
36554 - : "+a" (eax),
36555 - "=c" (cpu.flags[6]),
36556 - "=d" (cpu.flags[1])
36557 -@@ -219,9 +219,9 @@ int check_cpu(int *cpu_level_ptr, int *r
36558 - u32 ecx = MSR_K7_HWCR;
36559 - u32 eax, edx;
36560 -
36561 -- asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
36562 -+ asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
36563 - eax &= ~(1 << 15);
36564 -- asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
36565 -+ asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
36566 -
36567 - get_flags(); /* Make sure it really did something */
36568 - err = check_flags();
36569 -@@ -234,9 +234,9 @@ int check_cpu(int *cpu_level_ptr, int *r
36570 - u32 ecx = MSR_VIA_FCR;
36571 - u32 eax, edx;
36572 -
36573 -- asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
36574 -+ asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
36575 - eax |= (1<<1)|(1<<7);
36576 -- asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
36577 -+ asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
36578 -
36579 - set_bit(X86_FEATURE_CX8, cpu.flags);
36580 - err = check_flags();
36581 -@@ -247,12 +247,12 @@ int check_cpu(int *cpu_level_ptr, int *r
36582 - u32 eax, edx;
36583 - u32 level = 1;
36584 -
36585 -- asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
36586 -- asm("wrmsr" : : "a" (~0), "d" (edx), "c" (ecx));
36587 -- asm("cpuid"
36588 -+ asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
36589 -+ asm volatile("wrmsr" : : "a" (~0), "d" (edx), "c" (ecx));
36590 -+ asm volatile("cpuid"
36591 - : "+a" (level), "=d" (cpu.flags[0])
36592 - : : "ecx", "ebx");
36593 -- asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
36594 -+ asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
36595 -
36596 - err = check_flags();
36597 - }
36598 -diff -Nurp linux-2.6.23.15/arch/i386/boot/edd.c linux-2.6.23.15-grsec/arch/i386/boot/edd.c
36599 ---- linux-2.6.23.15/arch/i386/boot/edd.c 2007-10-09 21:31:38.000000000 +0100
36600 -+++ linux-2.6.23.15-grsec/arch/i386/boot/edd.c 2008-02-11 10:37:44.000000000 +0000
36601 -@@ -78,7 +78,7 @@ static int get_edd_info(u8 devno, struct
36602 - ax = 0x4100;
36603 - bx = EDDMAGIC1;
36604 - dx = devno;
36605 -- asm("pushfl; stc; int $0x13; setc %%al; popfl"
36606 -+ asm volatile("pushfl; stc; int $0x13; setc %%al; popfl"
36607 - : "+a" (ax), "+b" (bx), "=c" (cx), "+d" (dx)
36608 - : : "esi", "edi");
36609 -
36610 -@@ -97,7 +97,7 @@ static int get_edd_info(u8 devno, struct
36611 - ei->params.length = sizeof(ei->params);
36612 - ax = 0x4800;
36613 - dx = devno;
36614 -- asm("pushfl; int $0x13; popfl"
36615 -+ asm volatile("pushfl; int $0x13; popfl"
36616 - : "+a" (ax), "+d" (dx), "=m" (ei->params)
36617 - : "S" (&ei->params)
36618 - : "ebx", "ecx", "edi");
36619 -@@ -108,7 +108,7 @@ static int get_edd_info(u8 devno, struct
36620 - ax = 0x0800;
36621 - dx = devno;
36622 - di = 0;
36623 -- asm("pushw %%es; "
36624 -+ asm volatile("pushw %%es; "
36625 - "movw %%di,%%es; "
36626 - "pushfl; stc; int $0x13; setc %%al; popfl; "
36627 - "popw %%es"
36628 -diff -Nurp linux-2.6.23.15/arch/i386/boot/main.c linux-2.6.23.15-grsec/arch/i386/boot/main.c
36629 ---- linux-2.6.23.15/arch/i386/boot/main.c 2007-10-09 21:31:38.000000000 +0100
36630 -+++ linux-2.6.23.15-grsec/arch/i386/boot/main.c 2008-02-11 10:37:44.000000000 +0000
36631 -@@ -77,7 +77,7 @@ static void keyboard_set_repeat(void)
36632 - */
36633 - static void query_ist(void)
36634 - {
36635 -- asm("int $0x15"
36636 -+ asm volatile("int $0x15"
36637 - : "=a" (boot_params.ist_info.signature),
36638 - "=b" (boot_params.ist_info.command),
36639 - "=c" (boot_params.ist_info.event),
36640 -diff -Nurp linux-2.6.23.15/arch/i386/boot/mca.c linux-2.6.23.15-grsec/arch/i386/boot/mca.c
36641 ---- linux-2.6.23.15/arch/i386/boot/mca.c 2007-10-09 21:31:38.000000000 +0100
36642 -+++ linux-2.6.23.15-grsec/arch/i386/boot/mca.c 2008-02-11 10:37:44.000000000 +0000
36643 -@@ -21,7 +21,7 @@ int query_mca(void)
36644 - u8 err;
36645 - u16 es, bx, len;
36646 -
36647 -- asm("pushw %%es ; "
36648 -+ asm volatile("pushw %%es ; "
36649 - "int $0x15 ; "
36650 - "setc %0 ; "
36651 - "movw %%es, %1 ; "
36652 -diff -Nurp linux-2.6.23.15/arch/i386/boot/memory.c linux-2.6.23.15-grsec/arch/i386/boot/memory.c
36653 ---- linux-2.6.23.15/arch/i386/boot/memory.c 2007-10-09 21:31:38.000000000 +0100
36654 -+++ linux-2.6.23.15-grsec/arch/i386/boot/memory.c 2008-02-11 10:37:44.000000000 +0000
36655 -@@ -32,7 +32,7 @@ static int detect_memory_e820(void)
36656 - /* Important: %edx is clobbered by some BIOSes,
36657 - so it must be either used for the error output
36658 - or explicitly marked clobbered. */
36659 -- asm("int $0x15; setc %0"
36660 -+ asm volatile("int $0x15; setc %0"
36661 - : "=d" (err), "+b" (next), "=a" (id), "+c" (size),
36662 - "=m" (*desc)
36663 - : "D" (desc), "d" (SMAP), "a" (0xe820));
36664 -@@ -64,7 +64,7 @@ static int detect_memory_e801(void)
36665 -
36666 - bx = cx = dx = 0;
36667 - ax = 0xe801;
36668 -- asm("stc; int $0x15; setc %0"
36669 -+ asm volatile("stc; int $0x15; setc %0"
36670 - : "=m" (err), "+a" (ax), "+b" (bx), "+c" (cx), "+d" (dx));
36671 -
36672 - if (err)
36673 -@@ -94,7 +94,7 @@ static int detect_memory_88(void)
36674 - u8 err;
36675 -
36676 - ax = 0x8800;
36677 -- asm("stc; int $0x15; setc %0" : "=bcdm" (err), "+a" (ax));
36678 -+ asm volatile("stc; int $0x15; setc %0" : "=bcdm" (err), "+a" (ax));
36679 -
36680 - boot_params.screen_info.ext_mem_k = ax;
36681 -
36682 -diff -Nurp linux-2.6.23.15/arch/i386/boot/video-vesa.c linux-2.6.23.15-grsec/arch/i386/boot/video-vesa.c
36683 ---- linux-2.6.23.15/arch/i386/boot/video-vesa.c 2008-02-11 10:36:03.000000000 +0000
36684 -+++ linux-2.6.23.15-grsec/arch/i386/boot/video-vesa.c 2008-02-11 10:37:44.000000000 +0000
36685 -@@ -41,7 +41,7 @@ static int vesa_probe(void)
36686 -
36687 - ax = 0x4f00;
36688 - di = (size_t)&vginfo;
36689 -- asm(INT10
36690 -+ asm volatile(INT10
36691 - : "+a" (ax), "+D" (di), "=m" (vginfo)
36692 - : : "ebx", "ecx", "edx", "esi");
36693 -
36694 -@@ -68,7 +68,7 @@ static int vesa_probe(void)
36695 - ax = 0x4f01;
36696 - cx = mode;
36697 - di = (size_t)&vminfo;
36698 -- asm(INT10
36699 -+ asm volatile(INT10
36700 - : "+a" (ax), "+c" (cx), "+D" (di), "=m" (vminfo)
36701 - : : "ebx", "edx", "esi");
36702 -
36703 -@@ -115,7 +115,7 @@ static int vesa_set_mode(struct mode_inf
36704 - ax = 0x4f01;
36705 - cx = vesa_mode;
36706 - di = (size_t)&vminfo;
36707 -- asm(INT10
36708 -+ asm volatile(INT10
36709 - : "+a" (ax), "+c" (cx), "+D" (di), "=m" (vminfo)
36710 - : : "ebx", "edx", "esi");
36711 -
36712 -@@ -193,19 +193,20 @@ static void vesa_dac_set_8bits(void)
36713 - /* Save the VESA protected mode info */
36714 - static void vesa_store_pm_info(void)
36715 - {
36716 -- u16 ax, bx, di, es;
36717 -+ u16 ax, bx, cx, di, es;
36718 -
36719 - ax = 0x4f0a;
36720 -- bx = di = 0;
36721 -- asm("pushw %%es; "INT10"; movw %%es,%0; popw %%es"
36722 -- : "=d" (es), "+a" (ax), "+b" (bx), "+D" (di)
36723 -- : : "ecx", "esi");
36724 -+ bx = cx = di = 0;
36725 -+ asm volatile("pushw %%es; "INT10"; movw %%es,%0; popw %%es"
36726 -+ : "=d" (es), "+a" (ax), "+b" (bx), "+c" (cx), "+D" (di)
36727 -+ : : "esi");
36728 -
36729 - if (ax != 0x004f)
36730 - return;
36731 -
36732 - boot_params.screen_info.vesapm_seg = es;
36733 - boot_params.screen_info.vesapm_off = di;
36734 -+ boot_params.screen_info.vesapm_size = cx;
36735 - }
36736 -
36737 - /*
36738 -@@ -259,7 +260,7 @@ void vesa_store_edid(void)
36739 - /* Note: The VBE DDC spec is different from the main VESA spec;
36740 - we genuinely have to assume all registers are destroyed here. */
36741 -
36742 -- asm("pushw %%es; movw %2,%%es; "INT10"; popw %%es"
36743 -+ asm volatile("pushw %%es; movw %2,%%es; "INT10"; popw %%es"
36744 - : "+a" (ax), "+b" (bx)
36745 - : "c" (cx), "D" (di)
36746 - : "esi");
36747 -@@ -275,7 +276,7 @@ void vesa_store_edid(void)
36748 - cx = 0; /* Controller 0 */
36749 - dx = 0; /* EDID block number */
36750 - di =(size_t) &boot_params.edid_info; /* (ES:)Pointer to block */
36751 -- asm(INT10
36752 -+ asm volatile(INT10
36753 - : "+a" (ax), "+b" (bx), "+d" (dx), "=m" (boot_params.edid_info)
36754 - : "c" (cx), "D" (di)
36755 - : "esi");
36756 -diff -Nurp linux-2.6.23.15/arch/i386/boot/video-vga.c linux-2.6.23.15-grsec/arch/i386/boot/video-vga.c
36757 ---- linux-2.6.23.15/arch/i386/boot/video-vga.c 2007-10-09 21:31:38.000000000 +0100
36758 -+++ linux-2.6.23.15-grsec/arch/i386/boot/video-vga.c 2008-02-11 10:37:44.000000000 +0000
36759 -@@ -225,7 +225,7 @@ static int vga_probe(void)
36760 - };
36761 - u8 vga_flag;
36762 -
36763 -- asm(INT10
36764 -+ asm volatile(INT10
36765 - : "=b" (boot_params.screen_info.orig_video_ega_bx)
36766 - : "a" (0x1200), "b" (0x10) /* Check EGA/VGA */
36767 - : "ecx", "edx", "esi", "edi");
36768 -@@ -233,7 +233,7 @@ static int vga_probe(void)
36769 - /* If we have MDA/CGA/HGC then BL will be unchanged at 0x10 */
36770 - if ((u8)boot_params.screen_info.orig_video_ega_bx != 0x10) {
36771 - /* EGA/VGA */
36772 -- asm(INT10
36773 -+ asm volatile(INT10
36774 - : "=a" (vga_flag)
36775 - : "a" (0x1a00)
36776 - : "ebx", "ecx", "edx", "esi", "edi");
36777 -diff -Nurp linux-2.6.23.15/arch/i386/boot/video.c linux-2.6.23.15-grsec/arch/i386/boot/video.c
36778 ---- linux-2.6.23.15/arch/i386/boot/video.c 2008-02-11 10:36:03.000000000 +0000
36779 -+++ linux-2.6.23.15-grsec/arch/i386/boot/video.c 2008-02-11 10:37:44.000000000 +0000
36780 -@@ -40,7 +40,7 @@ static void store_cursor_position(void)
36781 -
36782 - ax = 0x0300;
36783 - bx = 0;
36784 -- asm(INT10
36785 -+ asm volatile(INT10
36786 - : "=d" (curpos), "+a" (ax), "+b" (bx)
36787 - : : "ecx", "esi", "edi");
36788 -
36789 -@@ -55,7 +55,7 @@ static void store_video_mode(void)
36790 - /* N.B.: the saving of the video page here is a bit silly,
36791 - since we pretty much assume page 0 everywhere. */
36792 - ax = 0x0f00;
36793 -- asm(INT10
36794 -+ asm volatile(INT10
36795 - : "+a" (ax), "=b" (page)
36796 - : : "ecx", "edx", "esi", "edi");
36797 -
36798 -diff -Nurp linux-2.6.23.15/arch/i386/boot/voyager.c linux-2.6.23.15-grsec/arch/i386/boot/voyager.c
36799 ---- linux-2.6.23.15/arch/i386/boot/voyager.c 2007-10-09 21:31:38.000000000 +0100
36800 -+++ linux-2.6.23.15-grsec/arch/i386/boot/voyager.c 2008-02-11 10:37:44.000000000 +0000
36801 -@@ -27,7 +27,7 @@ int query_voyager(void)
36802 -
36803 - data_ptr[0] = 0xff; /* Flag on config not found(?) */
36804 -
36805 -- asm("pushw %%es ; "
36806 -+ asm volatile("pushw %%es ; "
36807 - "int $0x15 ; "
36808 - "setc %0 ; "
36809 - "movw %%es, %1 ; "
36810 -diff -Nurp linux-2.6.23.15/arch/i386/kernel/acpi/boot.c linux-2.6.23.15-grsec/arch/i386/kernel/acpi/boot.c
36811 ---- linux-2.6.23.15/arch/i386/kernel/acpi/boot.c 2007-10-09 21:31:38.000000000 +0100
36812 -+++ linux-2.6.23.15-grsec/arch/i386/kernel/acpi/boot.c 2008-02-11 10:37:44.000000000 +0000
36813 -@@ -1123,7 +1123,7 @@ static struct dmi_system_id __initdata a
36814 - DMI_MATCH(DMI_PRODUCT_NAME, "TravelMate 360"),
36815 - },
36816 - },
36817 -- {}
36818 -+ { NULL, NULL, {{0, NULL}}, NULL}
36819 - };
36820 -
36821 - #endif /* __i386__ */
36822 -diff -Nurp linux-2.6.23.15/arch/i386/kernel/acpi/sleep.c linux-2.6.23.15-grsec/arch/i386/kernel/acpi/sleep.c
36823 ---- linux-2.6.23.15/arch/i386/kernel/acpi/sleep.c 2007-10-09 21:31:38.000000000 +0100
36824 -+++ linux-2.6.23.15-grsec/arch/i386/kernel/acpi/sleep.c 2008-02-11 10:37:44.000000000 +0000
36825 -@@ -98,7 +98,7 @@ static __initdata struct dmi_system_id a
36826 - DMI_MATCH(DMI_PRODUCT_NAME, "S4030CDT/4.3"),
36827 - },
36828 - },
36829 -- {}
36830 -+ { NULL, NULL, {{0, NULL}}, NULL}
36831 - };
36832 -
36833 - static int __init acpisleep_dmi_init(void)
36834 -diff -Nurp linux-2.6.23.15/arch/i386/kernel/acpi/wakeup.S linux-2.6.23.15-grsec/arch/i386/kernel/acpi/wakeup.S
36835 ---- linux-2.6.23.15/arch/i386/kernel/acpi/wakeup.S 2007-10-09 21:31:38.000000000 +0100
36836 -+++ linux-2.6.23.15-grsec/arch/i386/kernel/acpi/wakeup.S 2008-02-11 10:37:44.000000000 +0000
36837 -@@ -2,6 +2,7 @@
36838 - #include <linux/linkage.h>
36839 - #include <asm/segment.h>
36840 - #include <asm/page.h>
36841 -+#include <asm/msr-index.h>
36842 -
36843 - #
36844 - # wakeup_code runs in real mode, and at unknown address (determined at run-time).
36845 -@@ -84,7 +85,7 @@ wakeup_code:
36846 - # restore efer setting
36847 - movl real_save_efer_edx - wakeup_code, %edx
36848 - movl real_save_efer_eax - wakeup_code, %eax
36849 -- mov $0xc0000080, %ecx
36850 -+ mov $MSR_EFER, %ecx
36851 - wrmsr
36852 - 4:
36853 - # make sure %cr4 is set correctly (features, etc)
36854 -@@ -209,13 +210,11 @@ wakeup_pmode_return:
36855 - # and restore the stack ... but you need gdt for this to work
36856 - movl saved_context_esp, %esp
36857 -
36858 -- movl %cs:saved_magic, %eax
36859 -- cmpl $0x12345678, %eax
36860 -+ cmpl $0x12345678, saved_magic
36861 - jne bogus_magic
36862 -
36863 - # jump to place where we left off
36864 -- movl saved_eip,%eax
36865 -- jmp *%eax
36866 -+ jmp *(saved_eip)
36867 -
36868 - bogus_magic:
36869 - movw $0x0e00 + 'B', 0xb8018
36870 -@@ -247,7 +246,7 @@ ENTRY(acpi_copy_wakeup_routine)
36871 - # save efer setting
36872 - pushl %eax
36873 - movl %eax, %ebx
36874 -- mov $0xc0000080, %ecx
36875 -+ mov $MSR_EFER, %ecx
36876 - rdmsr
36877 - movl %edx, real_save_efer_edx - wakeup_start (%ebx)
36878 - movl %eax, real_save_efer_eax - wakeup_start (%ebx)
36879 -diff -Nurp linux-2.6.23.15/arch/i386/kernel/alternative.c linux-2.6.23.15-grsec/arch/i386/kernel/alternative.c
36880 ---- linux-2.6.23.15/arch/i386/kernel/alternative.c 2007-10-09 21:31:38.000000000 +0100
36881 -+++ linux-2.6.23.15-grsec/arch/i386/kernel/alternative.c 2008-02-11 10:37:44.000000000 +0000
36882 -@@ -443,7 +443,20 @@ void __init alternative_instructions(voi
36883 - */
36884 - void __kprobes text_poke(void *addr, unsigned char *opcode, int len)
36885 - {
36886 -+
36887 -+#ifdef CONFIG_PAX_KERNEXEC
36888 -+ unsigned long cr0;
36889 -+
36890 -+ pax_open_kernel(cr0);
36891 -+#endif
36892 -+
36893 -+ addr += __KERNEL_TEXT_OFFSET;
36894 - memcpy(addr, opcode, len);
36895 -+
36896 -+#ifdef CONFIG_PAX_KERNEXEC
36897 -+ pax_close_kernel(cr0);
36898 -+#endif
36899 -+
36900 - sync_core();
36901 - /* Could also do a CLFLUSH here to speed up CPU recovery; but
36902 - that causes hangs on some VIA CPUs. */
36903 -diff -Nurp linux-2.6.23.15/arch/i386/kernel/apm.c linux-2.6.23.15-grsec/arch/i386/kernel/apm.c
36904 ---- linux-2.6.23.15/arch/i386/kernel/apm.c 2008-02-11 10:36:03.000000000 +0000
36905 -+++ linux-2.6.23.15-grsec/arch/i386/kernel/apm.c 2008-02-11 10:37:44.000000000 +0000
36906 -@@ -407,7 +407,7 @@ static DECLARE_WAIT_QUEUE_HEAD(apm_waitq
36907 - static DECLARE_WAIT_QUEUE_HEAD(apm_suspend_waitqueue);
36908 - static struct apm_user * user_list;
36909 - static DEFINE_SPINLOCK(user_list_lock);
36910 --static const struct desc_struct bad_bios_desc = { 0, 0x00409200 };
36911 -+static const struct desc_struct bad_bios_desc = { 0, 0x00409300 };
36912 -
36913 - static const char driver_version[] = "1.16ac"; /* no spaces */
36914 -
36915 -@@ -601,19 +601,42 @@ static u8 apm_bios_call(u32 func, u32 eb
36916 - struct desc_struct save_desc_40;
36917 - struct desc_struct *gdt;
36918 -
36919 -+#ifdef CONFIG_PAX_KERNEXEC
36920 -+ unsigned long cr0;
36921 -+#endif
36922 -+
36923 - cpus = apm_save_cpus();
36924 -
36925 - cpu = get_cpu();
36926 - gdt = get_cpu_gdt_table(cpu);
36927 - save_desc_40 = gdt[0x40 / 8];
36928 -+
36929 -+#ifdef CONFIG_PAX_KERNEXEC
36930 -+ pax_open_kernel(cr0);
36931 -+#endif
36932 -+
36933 - gdt[0x40 / 8] = bad_bios_desc;
36934 -
36935 -+#ifdef CONFIG_PAX_KERNEXEC
36936 -+ pax_close_kernel(cr0);
36937 -+#endif
36938 -+
36939 - apm_irq_save(flags);
36940 - APM_DO_SAVE_SEGS;
36941 - apm_bios_call_asm(func, ebx_in, ecx_in, eax, ebx, ecx, edx, esi);
36942 - APM_DO_RESTORE_SEGS;
36943 - apm_irq_restore(flags);
36944 -+
36945 -+#ifdef CONFIG_PAX_KERNEXEC
36946 -+ pax_open_kernel(cr0);
36947 -+#endif
36948 -+
36949 - gdt[0x40 / 8] = save_desc_40;
36950 -+
36951 -+#ifdef CONFIG_PAX_KERNEXEC
36952 -+ pax_close_kernel(cr0);
36953 -+#endif
36954 -+
36955 - put_cpu();
36956 - apm_restore_cpus(cpus);
36957 -
36958 -@@ -644,19 +667,42 @@ static u8 apm_bios_call_simple(u32 func,
36959 - struct desc_struct save_desc_40;
36960 - struct desc_struct *gdt;
36961 -
36962 -+#ifdef CONFIG_PAX_KERNEXEC
36963 -+ unsigned long cr0;
36964 -+#endif
36965 -+
36966 - cpus = apm_save_cpus();
36967 -
36968 - cpu = get_cpu();
36969 - gdt = get_cpu_gdt_table(cpu);
36970 - save_desc_40 = gdt[0x40 / 8];
36971 -+
36972 -+#ifdef CONFIG_PAX_KERNEXEC
36973 -+ pax_open_kernel(cr0);
36974 -+#endif
36975 -+
36976 - gdt[0x40 / 8] = bad_bios_desc;
36977 -
36978 -+#ifdef CONFIG_PAX_KERNEXEC
36979 -+ pax_close_kernel(cr0);
36980 -+#endif
36981 -+
36982 - apm_irq_save(flags);
36983 - APM_DO_SAVE_SEGS;
36984 - error = apm_bios_call_simple_asm(func, ebx_in, ecx_in, eax);
36985 - APM_DO_RESTORE_SEGS;
36986 - apm_irq_restore(flags);
36987 -+
36988 -+#ifdef CONFIG_PAX_KERNEXEC
36989 -+ pax_open_kernel(cr0);
36990 -+#endif
36991 -+
36992 - gdt[0x40 / 8] = save_desc_40;
36993 -+
36994 -+#ifdef CONFIG_PAX_KERNEXEC
36995 -+ pax_close_kernel(cr0);
36996 -+#endif
36997 -+
36998 - put_cpu();
36999 - apm_restore_cpus(cpus);
37000 - return error;
37001 -@@ -924,7 +970,7 @@ recalc:
37002 -
37003 - static void apm_power_off(void)
37004 - {
37005 -- unsigned char po_bios_call[] = {
37006 -+ const unsigned char po_bios_call[] = {
37007 - 0xb8, 0x00, 0x10, /* movw $0x1000,ax */
37008 - 0x8e, 0xd0, /* movw ax,ss */
37009 - 0xbc, 0x00, 0xf0, /* movw $0xf000,sp */
37010 -@@ -1864,7 +1910,10 @@ static const struct file_operations apm_
37011 - static struct miscdevice apm_device = {
37012 - APM_MINOR_DEV,
37013 - "apm_bios",
37014 -- &apm_bios_fops
37015 -+ &apm_bios_fops,
37016 -+ {NULL, NULL},
37017 -+ NULL,
37018 -+ NULL
37019 - };
37020 -
37021 -
37022 -@@ -1974,210 +2023,210 @@ static struct dmi_system_id __initdata a
37023 - print_if_true,
37024 - KERN_WARNING "IBM T23 - BIOS 1.03b+ and controller firmware 1.02+ may be needed for Linux APM.",
37025 - { DMI_MATCH(DMI_SYS_VENDOR, "IBM"),
37026 -- DMI_MATCH(DMI_BIOS_VERSION, "1AET38WW (1.01b)"), },
37027 -+ DMI_MATCH(DMI_BIOS_VERSION, "1AET38WW (1.01b)"), }, NULL
37028 - },
37029 - { /* Handle problems with APM on the C600 */
37030 - broken_ps2_resume, "Dell Latitude C600",
37031 - { DMI_MATCH(DMI_SYS_VENDOR, "Dell"),
37032 -- DMI_MATCH(DMI_PRODUCT_NAME, "Latitude C600"), },
37033 -+ DMI_MATCH(DMI_PRODUCT_NAME, "Latitude C600"), }, NULL
37034 - },
37035 - { /* Allow interrupts during suspend on Dell Latitude laptops*/
37036 - set_apm_ints, "Dell Latitude",
37037 - { DMI_MATCH(DMI_SYS_VENDOR, "Dell Computer Corporation"),
37038 -- DMI_MATCH(DMI_PRODUCT_NAME, "Latitude C510"), }
37039 -+ DMI_MATCH(DMI_PRODUCT_NAME, "Latitude C510"), }, NULL
37040 - },
37041 - { /* APM crashes */
37042 - apm_is_horked, "Dell Inspiron 2500",
37043 - { DMI_MATCH(DMI_SYS_VENDOR, "Dell Computer Corporation"),
37044 - DMI_MATCH(DMI_PRODUCT_NAME, "Inspiron 2500"),
37045 - DMI_MATCH(DMI_BIOS_VENDOR,"Phoenix Technologies LTD"),
37046 -- DMI_MATCH(DMI_BIOS_VERSION,"A11"), },
37047 -+ DMI_MATCH(DMI_BIOS_VERSION,"A11"), }, NULL
37048 - },
37049 - { /* Allow interrupts during suspend on Dell Inspiron laptops*/
37050 - set_apm_ints, "Dell Inspiron", {
37051 - DMI_MATCH(DMI_SYS_VENDOR, "Dell Computer Corporation"),
37052 -- DMI_MATCH(DMI_PRODUCT_NAME, "Inspiron 4000"), },
37053 -+ DMI_MATCH(DMI_PRODUCT_NAME, "Inspiron 4000"), }, NULL
37054 - },
37055 - { /* Handle problems with APM on Inspiron 5000e */
37056 - broken_apm_power, "Dell Inspiron 5000e",
37057 - { DMI_MATCH(DMI_BIOS_VENDOR, "Phoenix Technologies LTD"),
37058 - DMI_MATCH(DMI_BIOS_VERSION, "A04"),
37059 -- DMI_MATCH(DMI_BIOS_DATE, "08/24/2000"), },
37060 -+ DMI_MATCH(DMI_BIOS_DATE, "08/24/2000"), }, NULL
37061 - },
37062 - { /* Handle problems with APM on Inspiron 2500 */
37063 - broken_apm_power, "Dell Inspiron 2500",
37064 - { DMI_MATCH(DMI_BIOS_VENDOR, "Phoenix Technologies LTD"),
37065 - DMI_MATCH(DMI_BIOS_VERSION, "A12"),
37066 -- DMI_MATCH(DMI_BIOS_DATE, "02/04/2002"), },
37067 -+ DMI_MATCH(DMI_BIOS_DATE, "02/04/2002"), }, NULL
37068 - },
37069 - { /* APM crashes */
37070 - apm_is_horked, "Dell Dimension 4100",
37071 - { DMI_MATCH(DMI_SYS_VENDOR, "Dell Computer Corporation"),
37072 - DMI_MATCH(DMI_PRODUCT_NAME, "XPS-Z"),
37073 - DMI_MATCH(DMI_BIOS_VENDOR,"Intel Corp."),
37074 -- DMI_MATCH(DMI_BIOS_VERSION,"A11"), },
37075 -+ DMI_MATCH(DMI_BIOS_VERSION,"A11"), }, NULL
37076 - },
37077 - { /* Allow interrupts during suspend on Compaq Laptops*/
37078 - set_apm_ints, "Compaq 12XL125",
37079 - { DMI_MATCH(DMI_SYS_VENDOR, "Compaq"),
37080 - DMI_MATCH(DMI_PRODUCT_NAME, "Compaq PC"),
37081 - DMI_MATCH(DMI_BIOS_VENDOR, "Phoenix Technologies LTD"),
37082 -- DMI_MATCH(DMI_BIOS_VERSION,"4.06"), },
37083 -+ DMI_MATCH(DMI_BIOS_VERSION,"4.06"), }, NULL
37084 - },
37085 - { /* Allow interrupts during APM or the clock goes slow */
37086 - set_apm_ints, "ASUSTeK",
37087 - { DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK Computer Inc."),
37088 -- DMI_MATCH(DMI_PRODUCT_NAME, "L8400K series Notebook PC"), },
37089 -+ DMI_MATCH(DMI_PRODUCT_NAME, "L8400K series Notebook PC"), }, NULL
37090 - },
37091 - { /* APM blows on shutdown */
37092 - apm_is_horked, "ABIT KX7-333[R]",
37093 - { DMI_MATCH(DMI_BOARD_VENDOR, "ABIT"),
37094 -- DMI_MATCH(DMI_BOARD_NAME, "VT8367-8233A (KX7-333[R])"), },
37095 -+ DMI_MATCH(DMI_BOARD_NAME, "VT8367-8233A (KX7-333[R])"), }, NULL
37096 - },
37097 - { /* APM crashes */
37098 - apm_is_horked, "Trigem Delhi3",
37099 - { DMI_MATCH(DMI_SYS_VENDOR, "TriGem Computer, Inc"),
37100 -- DMI_MATCH(DMI_PRODUCT_NAME, "Delhi3"), },
37101 -+ DMI_MATCH(DMI_PRODUCT_NAME, "Delhi3"), }, NULL
37102 - },
37103 - { /* APM crashes */
37104 - apm_is_horked, "Fujitsu-Siemens",
37105 - { DMI_MATCH(DMI_BIOS_VENDOR, "hoenix/FUJITSU SIEMENS"),
37106 -- DMI_MATCH(DMI_BIOS_VERSION, "Version1.01"), },
37107 -+ DMI_MATCH(DMI_BIOS_VERSION, "Version1.01"), }, NULL
37108 - },
37109 - { /* APM crashes */
37110 - apm_is_horked_d850md, "Intel D850MD",
37111 - { DMI_MATCH(DMI_BIOS_VENDOR, "Intel Corp."),
37112 -- DMI_MATCH(DMI_BIOS_VERSION, "MV85010A.86A.0016.P07.0201251536"), },
37113 -+ DMI_MATCH(DMI_BIOS_VERSION, "MV85010A.86A.0016.P07.0201251536"), }, NULL
37114 - },
37115 - { /* APM crashes */
37116 - apm_is_horked, "Intel D810EMO",
37117 - { DMI_MATCH(DMI_BIOS_VENDOR, "Intel Corp."),
37118 -- DMI_MATCH(DMI_BIOS_VERSION, "MO81010A.86A.0008.P04.0004170800"), },
37119 -+ DMI_MATCH(DMI_BIOS_VERSION, "MO81010A.86A.0008.P04.0004170800"), }, NULL
37120 - },
37121 - { /* APM crashes */
37122 - apm_is_horked, "Dell XPS-Z",
37123 - { DMI_MATCH(DMI_BIOS_VENDOR, "Intel Corp."),
37124 - DMI_MATCH(DMI_BIOS_VERSION, "A11"),
37125 -- DMI_MATCH(DMI_PRODUCT_NAME, "XPS-Z"), },
37126 -+ DMI_MATCH(DMI_PRODUCT_NAME, "XPS-Z"), }, NULL
37127 - },
37128 - { /* APM crashes */
37129 - apm_is_horked, "Sharp PC-PJ/AX",
37130 - { DMI_MATCH(DMI_SYS_VENDOR, "SHARP"),
37131 - DMI_MATCH(DMI_PRODUCT_NAME, "PC-PJ/AX"),
37132 - DMI_MATCH(DMI_BIOS_VENDOR,"SystemSoft"),
37133 -- DMI_MATCH(DMI_BIOS_VERSION,"Version R2.08"), },
37134 -+ DMI_MATCH(DMI_BIOS_VERSION,"Version R2.08"), }, NULL
37135 - },
37136 - { /* APM crashes */
37137 - apm_is_horked, "Dell Inspiron 2500",
37138 - { DMI_MATCH(DMI_SYS_VENDOR, "Dell Computer Corporation"),
37139 - DMI_MATCH(DMI_PRODUCT_NAME, "Inspiron 2500"),
37140 - DMI_MATCH(DMI_BIOS_VENDOR,"Phoenix Technologies LTD"),
37141 -- DMI_MATCH(DMI_BIOS_VERSION,"A11"), },
37142 -+ DMI_MATCH(DMI_BIOS_VERSION,"A11"), }, NULL
37143 - },
37144 - { /* APM idle hangs */
37145 - apm_likes_to_melt, "Jabil AMD",
37146 - { DMI_MATCH(DMI_BIOS_VENDOR, "American Megatrends Inc."),
37147 -- DMI_MATCH(DMI_BIOS_VERSION, "0AASNP06"), },
37148 -+ DMI_MATCH(DMI_BIOS_VERSION, "0AASNP06"), }, NULL
37149 - },
37150 - { /* APM idle hangs */
37151 - apm_likes_to_melt, "AMI Bios",
37152 - { DMI_MATCH(DMI_BIOS_VENDOR, "American Megatrends Inc."),
37153 -- DMI_MATCH(DMI_BIOS_VERSION, "0AASNP05"), },
37154 -+ DMI_MATCH(DMI_BIOS_VERSION, "0AASNP05"), }, NULL
37155 - },
37156 - { /* Handle problems with APM on Sony Vaio PCG-N505X(DE) */
37157 - swab_apm_power_in_minutes, "Sony VAIO",
37158 - { DMI_MATCH(DMI_BIOS_VENDOR, "Phoenix Technologies LTD"),
37159 - DMI_MATCH(DMI_BIOS_VERSION, "R0206H"),
37160 -- DMI_MATCH(DMI_BIOS_DATE, "08/23/99"), },
37161 -+ DMI_MATCH(DMI_BIOS_DATE, "08/23/99"), }, NULL
37162 - },
37163 - { /* Handle problems with APM on Sony Vaio PCG-N505VX */
37164 - swab_apm_power_in_minutes, "Sony VAIO",
37165 - { DMI_MATCH(DMI_BIOS_VENDOR, "Phoenix Technologies LTD"),
37166 - DMI_MATCH(DMI_BIOS_VERSION, "W2K06H0"),
37167 -- DMI_MATCH(DMI_BIOS_DATE, "02/03/00"), },
37168 -+ DMI_MATCH(DMI_BIOS_DATE, "02/03/00"), }, NULL
37169 - },
37170 - { /* Handle problems with APM on Sony Vaio PCG-XG29 */
37171 - swab_apm_power_in_minutes, "Sony VAIO",
37172 - { DMI_MATCH(DMI_BIOS_VENDOR, "Phoenix Technologies LTD"),
37173 - DMI_MATCH(DMI_BIOS_VERSION, "R0117A0"),
37174 -- DMI_MATCH(DMI_BIOS_DATE, "04/25/00"), },
37175 -+ DMI_MATCH(DMI_BIOS_DATE, "04/25/00"), }, NULL
37176 - },
37177 - { /* Handle problems with APM on Sony Vaio PCG-Z600NE */
37178 - swab_apm_power_in_minutes, "Sony VAIO",
37179 - { DMI_MATCH(DMI_BIOS_VENDOR, "Phoenix Technologies LTD"),
37180 - DMI_MATCH(DMI_BIOS_VERSION, "R0121Z1"),
37181 -- DMI_MATCH(DMI_BIOS_DATE, "05/11/00"), },
37182 -+ DMI_MATCH(DMI_BIOS_DATE, "05/11/00"), }, NULL
37183 - },
37184 - { /* Handle problems with APM on Sony Vaio PCG-Z600NE */
37185 - swab_apm_power_in_minutes, "Sony VAIO",
37186 - { DMI_MATCH(DMI_BIOS_VENDOR, "Phoenix Technologies LTD"),
37187 - DMI_MATCH(DMI_BIOS_VERSION, "WME01Z1"),
37188 -- DMI_MATCH(DMI_BIOS_DATE, "08/11/00"), },
37189 -+ DMI_MATCH(DMI_BIOS_DATE, "08/11/00"), }, NULL
37190 - },
37191 - { /* Handle problems with APM on Sony Vaio PCG-Z600LEK(DE) */
37192 - swab_apm_power_in_minutes, "Sony VAIO",
37193 - { DMI_MATCH(DMI_BIOS_VENDOR, "Phoenix Technologies LTD"),
37194 - DMI_MATCH(DMI_BIOS_VERSION, "R0206Z3"),
37195 -- DMI_MATCH(DMI_BIOS_DATE, "12/25/00"), },
37196 -+ DMI_MATCH(DMI_BIOS_DATE, "12/25/00"), }, NULL
37197 - },
37198 - { /* Handle problems with APM on Sony Vaio PCG-Z505LS */
37199 - swab_apm_power_in_minutes, "Sony VAIO",
37200 - { DMI_MATCH(DMI_BIOS_VENDOR, "Phoenix Technologies LTD"),
37201 - DMI_MATCH(DMI_BIOS_VERSION, "R0203D0"),
37202 -- DMI_MATCH(DMI_BIOS_DATE, "05/12/00"), },
37203 -+ DMI_MATCH(DMI_BIOS_DATE, "05/12/00"), }, NULL
37204 - },
37205 - { /* Handle problems with APM on Sony Vaio PCG-Z505LS */
37206 - swab_apm_power_in_minutes, "Sony VAIO",
37207 - { DMI_MATCH(DMI_BIOS_VENDOR, "Phoenix Technologies LTD"),
37208 - DMI_MATCH(DMI_BIOS_VERSION, "R0203Z3"),
37209 -- DMI_MATCH(DMI_BIOS_DATE, "08/25/00"), },
37210 -+ DMI_MATCH(DMI_BIOS_DATE, "08/25/00"), }, NULL
37211 - },
37212 - { /* Handle problems with APM on Sony Vaio PCG-Z505LS (with updated BIOS) */
37213 - swab_apm_power_in_minutes, "Sony VAIO",
37214 - { DMI_MATCH(DMI_BIOS_VENDOR, "Phoenix Technologies LTD"),
37215 - DMI_MATCH(DMI_BIOS_VERSION, "R0209Z3"),
37216 -- DMI_MATCH(DMI_BIOS_DATE, "05/12/01"), },
37217 -+ DMI_MATCH(DMI_BIOS_DATE, "05/12/01"), }, NULL
37218 - },
37219 - { /* Handle problems with APM on Sony Vaio PCG-F104K */
37220 - swab_apm_power_in_minutes, "Sony VAIO",
37221 - { DMI_MATCH(DMI_BIOS_VENDOR, "Phoenix Technologies LTD"),
37222 - DMI_MATCH(DMI_BIOS_VERSION, "R0204K2"),
37223 -- DMI_MATCH(DMI_BIOS_DATE, "08/28/00"), },
37224 -+ DMI_MATCH(DMI_BIOS_DATE, "08/28/00"), }, NULL
37225 - },
37226 -
37227 - { /* Handle problems with APM on Sony Vaio PCG-C1VN/C1VE */
37228 - swab_apm_power_in_minutes, "Sony VAIO",
37229 - { DMI_MATCH(DMI_BIOS_VENDOR, "Phoenix Technologies LTD"),
37230 - DMI_MATCH(DMI_BIOS_VERSION, "R0208P1"),
37231 -- DMI_MATCH(DMI_BIOS_DATE, "11/09/00"), },
37232 -+ DMI_MATCH(DMI_BIOS_DATE, "11/09/00"), }, NULL
37233 - },
37234 - { /* Handle problems with APM on Sony Vaio PCG-C1VE */
37235 - swab_apm_power_in_minutes, "Sony VAIO",
37236 - { DMI_MATCH(DMI_BIOS_VENDOR, "Phoenix Technologies LTD"),
37237 - DMI_MATCH(DMI_BIOS_VERSION, "R0204P1"),
37238 -- DMI_MATCH(DMI_BIOS_DATE, "09/12/00"), },
37239 -+ DMI_MATCH(DMI_BIOS_DATE, "09/12/00"), }, NULL
37240 - },
37241 - { /* Handle problems with APM on Sony Vaio PCG-C1VE */
37242 - swab_apm_power_in_minutes, "Sony VAIO",
37243 - { DMI_MATCH(DMI_BIOS_VENDOR, "Phoenix Technologies LTD"),
37244 - DMI_MATCH(DMI_BIOS_VERSION, "WXPO1Z3"),
37245 -- DMI_MATCH(DMI_BIOS_DATE, "10/26/01"), },
37246 -+ DMI_MATCH(DMI_BIOS_DATE, "10/26/01"), }, NULL
37247 - },
37248 - { /* broken PM poweroff bios */
37249 - set_realmode_power_off, "Award Software v4.60 PGMA",
37250 - { DMI_MATCH(DMI_BIOS_VENDOR, "Award Software International, Inc."),
37251 - DMI_MATCH(DMI_BIOS_VERSION, "4.60 PGMA"),
37252 -- DMI_MATCH(DMI_BIOS_DATE, "134526184"), },
37253 -+ DMI_MATCH(DMI_BIOS_DATE, "134526184"), }, NULL
37254 - },
37255 -
37256 - /* Generic per vendor APM settings */
37257 -
37258 - { /* Allow interrupts during suspend on IBM laptops */
37259 - set_apm_ints, "IBM",
37260 -- { DMI_MATCH(DMI_SYS_VENDOR, "IBM"), },
37261 -+ { DMI_MATCH(DMI_SYS_VENDOR, "IBM"), }, NULL
37262 - },
37263 -
37264 -- { }
37265 -+ { NULL, NULL, {DMI_MATCH(DMI_NONE, NULL)}, NULL}
37266 - };
37267 -
37268 - /*
37269 -@@ -2196,6 +2245,10 @@ static int __init apm_init(void)
37270 - struct desc_struct *gdt;
37271 - int err;
37272 -
37273 -+#ifdef CONFIG_PAX_KERNEXEC
37274 -+ unsigned long cr0;
37275 -+#endif
37276 -+
37277 - dmi_check_system(apm_dmi_table);
37278 -
37279 - if (apm_info.bios.version == 0 || paravirt_enabled()) {
37280 -@@ -2269,9 +2322,18 @@ static int __init apm_init(void)
37281 - * This is for buggy BIOS's that refer to (real mode) segment 0x40
37282 - * even though they are called in protected mode.
37283 - */
37284 -+
37285 -+#ifdef CONFIG_PAX_KERNEXEC
37286 -+ pax_open_kernel(cr0);
37287 -+#endif
37288 -+
37289 - set_base(bad_bios_desc, __va((unsigned long)0x40 << 4));
37290 - _set_limit((char *)&bad_bios_desc, 4095 - (0x40 << 4));
37291 -
37292 -+#ifdef CONFIG_PAX_KERNEXEC
37293 -+ pax_close_kernel(cr0);
37294 -+#endif
37295 -+
37296 - /*
37297 - * Set up the long jump entry point to the APM BIOS, which is called
37298 - * from inline assembly.
37299 -@@ -2290,6 +2352,11 @@ static int __init apm_init(void)
37300 - * code to that CPU.
37301 - */
37302 - gdt = get_cpu_gdt_table(0);
37303 -+
37304 -+#ifdef CONFIG_PAX_KERNEXEC
37305 -+ pax_open_kernel(cr0);
37306 -+#endif
37307 -+
37308 - set_base(gdt[APM_CS >> 3],
37309 - __va((unsigned long)apm_info.bios.cseg << 4));
37310 - set_base(gdt[APM_CS_16 >> 3],
37311 -@@ -2297,6 +2364,10 @@ static int __init apm_init(void)
37312 - set_base(gdt[APM_DS >> 3],
37313 - __va((unsigned long)apm_info.bios.dseg << 4));
37314 -
37315 -+#ifdef CONFIG_PAX_KERNEXEC
37316 -+ pax_close_kernel(cr0);
37317 -+#endif
37318 -+
37319 - apm_proc = create_proc_entry("apm", 0, NULL);
37320 - if (apm_proc)
37321 - apm_proc->proc_fops = &apm_file_ops;
37322 -diff -Nurp linux-2.6.23.15/arch/i386/kernel/asm-offsets.c linux-2.6.23.15-grsec/arch/i386/kernel/asm-offsets.c
37323 ---- linux-2.6.23.15/arch/i386/kernel/asm-offsets.c 2007-10-09 21:31:38.000000000 +0100
37324 -+++ linux-2.6.23.15-grsec/arch/i386/kernel/asm-offsets.c 2008-02-11 10:37:44.000000000 +0000
37325 -@@ -109,6 +109,7 @@ void foo(void)
37326 - DEFINE(PTRS_PER_PTE, PTRS_PER_PTE);
37327 - DEFINE(PTRS_PER_PMD, PTRS_PER_PMD);
37328 - DEFINE(PTRS_PER_PGD, PTRS_PER_PGD);
37329 -+ DEFINE(PERCPU_MODULE_RESERVE, PERCPU_MODULE_RESERVE);
37330 -
37331 - DEFINE(VDSO_PRELINK_asm, VDSO_PRELINK);
37332 -
37333 -@@ -122,6 +123,7 @@ void foo(void)
37334 - OFFSET(PARAVIRT_irq_enable_sysexit, paravirt_ops, irq_enable_sysexit);
37335 - OFFSET(PARAVIRT_iret, paravirt_ops, iret);
37336 - OFFSET(PARAVIRT_read_cr0, paravirt_ops, read_cr0);
37337 -+ OFFSET(PARAVIRT_write_cr0, paravirt_ops, write_cr0);
37338 - #endif
37339 -
37340 - #ifdef CONFIG_XEN
37341 -diff -Nurp linux-2.6.23.15/arch/i386/kernel/cpu/common.c linux-2.6.23.15-grsec/arch/i386/kernel/cpu/common.c
37342 ---- linux-2.6.23.15/arch/i386/kernel/cpu/common.c 2007-10-09 21:31:38.000000000 +0100
37343 -+++ linux-2.6.23.15-grsec/arch/i386/kernel/cpu/common.c 2008-02-11 10:37:44.000000000 +0000
37344 -@@ -4,7 +4,6 @@
37345 - #include <linux/smp.h>
37346 - #include <linux/module.h>
37347 - #include <linux/percpu.h>
37348 --#include <linux/bootmem.h>
37349 - #include <asm/semaphore.h>
37350 - #include <asm/processor.h>
37351 - #include <asm/i387.h>
37352 -@@ -21,39 +20,15 @@
37353 -
37354 - #include "cpu.h"
37355 -
37356 --DEFINE_PER_CPU(struct gdt_page, gdt_page) = { .gdt = {
37357 -- [GDT_ENTRY_KERNEL_CS] = { 0x0000ffff, 0x00cf9a00 },
37358 -- [GDT_ENTRY_KERNEL_DS] = { 0x0000ffff, 0x00cf9200 },
37359 -- [GDT_ENTRY_DEFAULT_USER_CS] = { 0x0000ffff, 0x00cffa00 },
37360 -- [GDT_ENTRY_DEFAULT_USER_DS] = { 0x0000ffff, 0x00cff200 },
37361 -- /*
37362 -- * Segments used for calling PnP BIOS have byte granularity.
37363 -- * They code segments and data segments have fixed 64k limits,
37364 -- * the transfer segment sizes are set at run time.
37365 -- */
37366 -- [GDT_ENTRY_PNPBIOS_CS32] = { 0x0000ffff, 0x00409a00 },/* 32-bit code */
37367 -- [GDT_ENTRY_PNPBIOS_CS16] = { 0x0000ffff, 0x00009a00 },/* 16-bit code */
37368 -- [GDT_ENTRY_PNPBIOS_DS] = { 0x0000ffff, 0x00009200 }, /* 16-bit data */
37369 -- [GDT_ENTRY_PNPBIOS_TS1] = { 0x00000000, 0x00009200 },/* 16-bit data */
37370 -- [GDT_ENTRY_PNPBIOS_TS2] = { 0x00000000, 0x00009200 },/* 16-bit data */
37371 -- /*
37372 -- * The APM segments have byte granularity and their bases
37373 -- * are set at run time. All have 64k limits.
37374 -- */
37375 -- [GDT_ENTRY_APMBIOS_BASE] = { 0x0000ffff, 0x00409a00 },/* 32-bit code */
37376 -- /* 16-bit code */
37377 -- [GDT_ENTRY_APMBIOS_BASE+1] = { 0x0000ffff, 0x00009a00 },
37378 -- [GDT_ENTRY_APMBIOS_BASE+2] = { 0x0000ffff, 0x00409200 }, /* data */
37379 --
37380 -- [GDT_ENTRY_ESPFIX_SS] = { 0x00000000, 0x00c09200 },
37381 -- [GDT_ENTRY_PERCPU] = { 0x00000000, 0x00000000 },
37382 --} };
37383 --EXPORT_PER_CPU_SYMBOL_GPL(gdt_page);
37384 --
37385 - static int cachesize_override __cpuinitdata = -1;
37386 - static int disable_x86_fxsr __cpuinitdata;
37387 - static int disable_x86_serial_nr __cpuinitdata = 1;
37388 --static int disable_x86_sep __cpuinitdata;
37389 -+
37390 -+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
37391 -+int disable_x86_sep __cpuinitdata = 1;
37392 -+#else
37393 -+int disable_x86_sep __cpuinitdata;
37394 -+#endif
37395 -
37396 - struct cpu_dev * cpu_devs[X86_VENDOR_NUM] = {};
37397 -
37398 -@@ -261,10 +236,10 @@ static int __cpuinit have_cpuid_p(void)
37399 - void __init cpu_detect(struct cpuinfo_x86 *c)
37400 - {
37401 - /* Get vendor name */
37402 -- cpuid(0x00000000, &c->cpuid_level,
37403 -- (int *)&c->x86_vendor_id[0],
37404 -- (int *)&c->x86_vendor_id[8],
37405 -- (int *)&c->x86_vendor_id[4]);
37406 -+ cpuid(0x00000000, (unsigned int *)&c->cpuid_level,
37407 -+ (unsigned int *)&c->x86_vendor_id[0],
37408 -+ (unsigned int *)&c->x86_vendor_id[8],
37409 -+ (unsigned int *)&c->x86_vendor_id[4]);
37410 -
37411 - c->x86 = 4;
37412 - if (c->cpuid_level >= 0x00000001) {
37413 -@@ -304,15 +279,14 @@ static void __init early_cpu_detect(void
37414 -
37415 - static void __cpuinit generic_identify(struct cpuinfo_x86 * c)
37416 - {
37417 -- u32 tfms, xlvl;
37418 -- int ebx;
37419 -+ u32 tfms, xlvl, ebx;
37420 -
37421 - if (have_cpuid_p()) {
37422 - /* Get vendor name */
37423 -- cpuid(0x00000000, &c->cpuid_level,
37424 -- (int *)&c->x86_vendor_id[0],
37425 -- (int *)&c->x86_vendor_id[8],
37426 -- (int *)&c->x86_vendor_id[4]);
37427 -+ cpuid(0x00000000, (unsigned int *)&c->cpuid_level,
37428 -+ (unsigned int *)&c->x86_vendor_id[0],
37429 -+ (unsigned int *)&c->x86_vendor_id[8],
37430 -+ (unsigned int *)&c->x86_vendor_id[4]);
37431 -
37432 - get_cpu_vendor(c, 0);
37433 - /* Initialize the standard set of capabilities */
37434 -@@ -644,7 +618,7 @@ void switch_to_new_gdt(void)
37435 - {
37436 - struct Xgt_desc_struct gdt_descr;
37437 -
37438 -- gdt_descr.address = (long)get_cpu_gdt_table(smp_processor_id());
37439 -+ gdt_descr.address = get_cpu_gdt_table(smp_processor_id());
37440 - gdt_descr.size = GDT_SIZE - 1;
37441 - load_gdt(&gdt_descr);
37442 - asm("mov %0, %%fs" : : "r" (__KERNEL_PERCPU) : "memory");
37443 -@@ -660,7 +634,7 @@ void __cpuinit cpu_init(void)
37444 - {
37445 - int cpu = smp_processor_id();
37446 - struct task_struct *curr = current;
37447 -- struct tss_struct * t = &per_cpu(init_tss, cpu);
37448 -+ struct tss_struct *t = init_tss + cpu;
37449 - struct thread_struct *thread = &curr->thread;
37450 -
37451 - if (cpu_test_and_set(cpu, cpu_initialized)) {
37452 -diff -Nurp linux-2.6.23.15/arch/i386/kernel/cpu/cpufreq/acpi-cpufreq.c linux-2.6.23.15-grsec/arch/i386/kernel/cpu/cpufreq/acpi-cpufreq.c
37453 ---- linux-2.6.23.15/arch/i386/kernel/cpu/cpufreq/acpi-cpufreq.c 2007-10-09 21:31:38.000000000 +0100
37454 -+++ linux-2.6.23.15-grsec/arch/i386/kernel/cpu/cpufreq/acpi-cpufreq.c 2008-02-11 10:37:44.000000000 +0000
37455 -@@ -549,7 +549,7 @@ static struct dmi_system_id sw_any_bug_d
37456 - DMI_MATCH(DMI_PRODUCT_NAME, "X6DLP"),
37457 - },
37458 - },
37459 -- { }
37460 -+ { NULL, NULL, {DMI_MATCH(DMI_NONE, NULL)}, NULL }
37461 - };
37462 - #endif
37463 -
37464 -diff -Nurp linux-2.6.23.15/arch/i386/kernel/cpu/cpufreq/speedstep-centrino.c linux-2.6.23.15-grsec/arch/i386/kernel/cpu/cpufreq/speedstep-centrino.c
37465 ---- linux-2.6.23.15/arch/i386/kernel/cpu/cpufreq/speedstep-centrino.c 2007-10-09 21:31:38.000000000 +0100
37466 -+++ linux-2.6.23.15-grsec/arch/i386/kernel/cpu/cpufreq/speedstep-centrino.c 2008-02-11 10:37:44.000000000 +0000
37467 -@@ -223,7 +223,7 @@ static struct cpu_model models[] =
37468 - { &cpu_ids[CPU_MP4HT_D0], NULL, 0, NULL },
37469 - { &cpu_ids[CPU_MP4HT_E0], NULL, 0, NULL },
37470 -
37471 -- { NULL, }
37472 -+ { NULL, NULL, 0, NULL}
37473 - };
37474 - #undef _BANIAS
37475 - #undef BANIAS
37476 -diff -Nurp linux-2.6.23.15/arch/i386/kernel/cpu/intel_cacheinfo.c linux-2.6.23.15-grsec/arch/i386/kernel/cpu/intel_cacheinfo.c
37477 ---- linux-2.6.23.15/arch/i386/kernel/cpu/intel_cacheinfo.c 2007-10-09 21:31:38.000000000 +0100
37478 -+++ linux-2.6.23.15-grsec/arch/i386/kernel/cpu/intel_cacheinfo.c 2008-02-11 10:37:44.000000000 +0000
37479 -@@ -351,8 +351,8 @@ unsigned int __cpuinit init_intel_cachei
37480 - */
37481 - if ((num_cache_leaves == 0 || c->x86 == 15) && c->cpuid_level > 1) {
37482 - /* supports eax=2 call */
37483 -- int i, j, n;
37484 -- int regs[4];
37485 -+ int j, n;
37486 -+ unsigned int regs[4];
37487 - unsigned char *dp = (unsigned char *)regs;
37488 - int only_trace = 0;
37489 -
37490 -@@ -367,7 +367,7 @@ unsigned int __cpuinit init_intel_cachei
37491 -
37492 - /* If bit 31 is set, this is an unknown format */
37493 - for ( j = 0 ; j < 3 ; j++ ) {
37494 -- if ( regs[j] < 0 ) regs[j] = 0;
37495 -+ if ( (int)regs[j] < 0 ) regs[j] = 0;
37496 - }
37497 -
37498 - /* Byte 0 is level count, not a descriptor */
37499 -diff -Nurp linux-2.6.23.15/arch/i386/kernel/cpu/mcheck/therm_throt.c linux-2.6.23.15-grsec/arch/i386/kernel/cpu/mcheck/therm_throt.c
37500 ---- linux-2.6.23.15/arch/i386/kernel/cpu/mcheck/therm_throt.c 2007-10-09 21:31:38.000000000 +0100
37501 -+++ linux-2.6.23.15-grsec/arch/i386/kernel/cpu/mcheck/therm_throt.c 2008-02-11 10:37:44.000000000 +0000
37502 -@@ -152,7 +152,7 @@ static __cpuinit int thermal_throttle_cp
37503 - return NOTIFY_OK;
37504 - }
37505 -
37506 --static struct notifier_block thermal_throttle_cpu_notifier =
37507 -+static __cpuinitdata struct notifier_block thermal_throttle_cpu_notifier =
37508 - {
37509 - .notifier_call = thermal_throttle_cpu_callback,
37510 - };
37511 -diff -Nurp linux-2.6.23.15/arch/i386/kernel/cpu/mtrr/generic.c linux-2.6.23.15-grsec/arch/i386/kernel/cpu/mtrr/generic.c
37512 ---- linux-2.6.23.15/arch/i386/kernel/cpu/mtrr/generic.c 2007-10-09 21:31:38.000000000 +0100
37513 -+++ linux-2.6.23.15-grsec/arch/i386/kernel/cpu/mtrr/generic.c 2008-02-11 10:37:44.000000000 +0000
37514 -@@ -29,11 +29,11 @@ static struct fixed_range_block fixed_ra
37515 - { MTRRfix64K_00000_MSR, 1 }, /* one 64k MTRR */
37516 - { MTRRfix16K_80000_MSR, 2 }, /* two 16k MTRRs */
37517 - { MTRRfix4K_C0000_MSR, 8 }, /* eight 4k MTRRs */
37518 -- {}
37519 -+ { 0, 0 }
37520 - };
37521 -
37522 - static unsigned long smp_changes_mask;
37523 --static struct mtrr_state mtrr_state = {};
37524 -+static struct mtrr_state mtrr_state;
37525 -
37526 - #undef MODULE_PARAM_PREFIX
37527 - #define MODULE_PARAM_PREFIX "mtrr."
37528 -diff -Nurp linux-2.6.23.15/arch/i386/kernel/crash.c linux-2.6.23.15-grsec/arch/i386/kernel/crash.c
37529 ---- linux-2.6.23.15/arch/i386/kernel/crash.c 2007-10-09 21:31:38.000000000 +0100
37530 -+++ linux-2.6.23.15-grsec/arch/i386/kernel/crash.c 2008-02-11 10:37:44.000000000 +0000
37531 -@@ -55,7 +55,7 @@ static int crash_nmi_callback(struct not
37532 - return NOTIFY_STOP;
37533 - local_irq_disable();
37534 -
37535 -- if (!user_mode_vm(regs)) {
37536 -+ if (!user_mode(regs)) {
37537 - crash_fixup_ss_esp(&fixed_regs, regs);
37538 - regs = &fixed_regs;
37539 - }
37540 -diff -Nurp linux-2.6.23.15/arch/i386/kernel/doublefault.c linux-2.6.23.15-grsec/arch/i386/kernel/doublefault.c
37541 ---- linux-2.6.23.15/arch/i386/kernel/doublefault.c 2007-10-09 21:31:38.000000000 +0100
37542 -+++ linux-2.6.23.15-grsec/arch/i386/kernel/doublefault.c 2008-02-11 10:37:44.000000000 +0000
37543 -@@ -11,17 +11,17 @@
37544 -
37545 - #define DOUBLEFAULT_STACKSIZE (1024)
37546 - static unsigned long doublefault_stack[DOUBLEFAULT_STACKSIZE];
37547 --#define STACK_START (unsigned long)(doublefault_stack+DOUBLEFAULT_STACKSIZE)
37548 -+#define STACK_START (unsigned long)(doublefault_stack+DOUBLEFAULT_STACKSIZE-2)
37549 -
37550 - #define ptr_ok(x) ((x) > PAGE_OFFSET && (x) < PAGE_OFFSET + MAXMEM)
37551 -
37552 - static void doublefault_fn(void)
37553 - {
37554 -- struct Xgt_desc_struct gdt_desc = {0, 0};
37555 -+ struct Xgt_desc_struct gdt_desc = {0, NULL, 0};
37556 - unsigned long gdt, tss;
37557 -
37558 - store_gdt(&gdt_desc);
37559 -- gdt = gdt_desc.address;
37560 -+ gdt = (unsigned long)gdt_desc.address;
37561 -
37562 - printk(KERN_EMERG "PANIC: double fault, gdt at %08lx [%d bytes]\n", gdt, gdt_desc.size);
37563 -
37564 -@@ -59,10 +59,10 @@ struct tss_struct doublefault_tss __cach
37565 - /* 0x2 bit is always set */
37566 - .eflags = X86_EFLAGS_SF | 0x2,
37567 - .esp = STACK_START,
37568 -- .es = __USER_DS,
37569 -+ .es = __KERNEL_DS,
37570 - .cs = __KERNEL_CS,
37571 - .ss = __KERNEL_DS,
37572 -- .ds = __USER_DS,
37573 -+ .ds = __KERNEL_DS,
37574 - .fs = __KERNEL_PERCPU,
37575 -
37576 - .__cr3 = __pa(swapper_pg_dir)
37577 -diff -Nurp linux-2.6.23.15/arch/i386/kernel/efi.c linux-2.6.23.15-grsec/arch/i386/kernel/efi.c
37578 ---- linux-2.6.23.15/arch/i386/kernel/efi.c 2007-10-09 21:31:38.000000000 +0100
37579 -+++ linux-2.6.23.15-grsec/arch/i386/kernel/efi.c 2008-02-11 10:37:44.000000000 +0000
37580 -@@ -63,45 +63,23 @@ extern void * boot_ioremap(unsigned long
37581 -
37582 - static unsigned long efi_rt_eflags;
37583 - static DEFINE_SPINLOCK(efi_rt_lock);
37584 --static pgd_t efi_bak_pg_dir_pointer[2];
37585 -+static pgd_t __initdata efi_bak_pg_dir_pointer[KERNEL_PGD_PTRS] __attribute__ ((aligned (4096)));
37586 -
37587 - static void efi_call_phys_prelog(void) __acquires(efi_rt_lock)
37588 - {
37589 -- unsigned long cr4;
37590 -- unsigned long temp;
37591 - struct Xgt_desc_struct gdt_descr;
37592 -
37593 - spin_lock(&efi_rt_lock);
37594 - local_irq_save(efi_rt_eflags);
37595 -
37596 -- /*
37597 -- * If I don't have PSE, I should just duplicate two entries in page
37598 -- * directory. If I have PSE, I just need to duplicate one entry in
37599 -- * page directory.
37600 -- */
37601 -- cr4 = read_cr4();
37602 --
37603 -- if (cr4 & X86_CR4_PSE) {
37604 -- efi_bak_pg_dir_pointer[0].pgd =
37605 -- swapper_pg_dir[pgd_index(0)].pgd;
37606 -- swapper_pg_dir[0].pgd =
37607 -- swapper_pg_dir[pgd_index(PAGE_OFFSET)].pgd;
37608 -- } else {
37609 -- efi_bak_pg_dir_pointer[0].pgd =
37610 -- swapper_pg_dir[pgd_index(0)].pgd;
37611 -- efi_bak_pg_dir_pointer[1].pgd =
37612 -- swapper_pg_dir[pgd_index(0x400000)].pgd;
37613 -- swapper_pg_dir[pgd_index(0)].pgd =
37614 -- swapper_pg_dir[pgd_index(PAGE_OFFSET)].pgd;
37615 -- temp = PAGE_OFFSET + 0x400000;
37616 -- swapper_pg_dir[pgd_index(0x400000)].pgd =
37617 -- swapper_pg_dir[pgd_index(temp)].pgd;
37618 -- }
37619 -+ clone_pgd_range(efi_bak_pg_dir_pointer, swapper_pg_dir, KERNEL_PGD_PTRS);
37620 -+ clone_pgd_range(swapper_pg_dir, swapper_pg_dir + USER_PGD_PTRS,
37621 -+ min_t(unsigned long, KERNEL_PGD_PTRS, USER_PGD_PTRS));
37622 -
37623 - /*
37624 - * After the lock is released, the original page table is restored.
37625 - */
37626 -- local_flush_tlb();
37627 -+ __flush_tlb_all();
37628 -
37629 - gdt_descr.address = __pa(get_cpu_gdt_table(0));
37630 - gdt_descr.size = GDT_SIZE - 1;
37631 -@@ -110,35 +88,23 @@ static void efi_call_phys_prelog(void) _
37632 -
37633 - static void efi_call_phys_epilog(void) __releases(efi_rt_lock)
37634 - {
37635 -- unsigned long cr4;
37636 - struct Xgt_desc_struct gdt_descr;
37637 -
37638 -- gdt_descr.address = (unsigned long)get_cpu_gdt_table(0);
37639 -+ gdt_descr.address = get_cpu_gdt_table(0);
37640 - gdt_descr.size = GDT_SIZE - 1;
37641 - load_gdt(&gdt_descr);
37642 --
37643 -- cr4 = read_cr4();
37644 --
37645 -- if (cr4 & X86_CR4_PSE) {
37646 -- swapper_pg_dir[pgd_index(0)].pgd =
37647 -- efi_bak_pg_dir_pointer[0].pgd;
37648 -- } else {
37649 -- swapper_pg_dir[pgd_index(0)].pgd =
37650 -- efi_bak_pg_dir_pointer[0].pgd;
37651 -- swapper_pg_dir[pgd_index(0x400000)].pgd =
37652 -- efi_bak_pg_dir_pointer[1].pgd;
37653 -- }
37654 -+ clone_pgd_range(swapper_pg_dir, efi_bak_pg_dir_pointer, KERNEL_PGD_PTRS);
37655 -
37656 - /*
37657 - * After the lock is released, the original page table is restored.
37658 - */
37659 -- local_flush_tlb();
37660 -+ __flush_tlb_all();
37661 -
37662 - local_irq_restore(efi_rt_eflags);
37663 - spin_unlock(&efi_rt_lock);
37664 - }
37665 -
37666 --static efi_status_t
37667 -+static efi_status_t __init
37668 - phys_efi_set_virtual_address_map(unsigned long memory_map_size,
37669 - unsigned long descriptor_size,
37670 - u32 descriptor_version,
37671 -@@ -154,7 +120,7 @@ phys_efi_set_virtual_address_map(unsigne
37672 - return status;
37673 - }
37674 -
37675 --static efi_status_t
37676 -+static efi_status_t __init
37677 - phys_efi_get_time(efi_time_t *tm, efi_time_cap_t *tc)
37678 - {
37679 - efi_status_t status;
37680 -diff -Nurp linux-2.6.23.15/arch/i386/kernel/efi_stub.S linux-2.6.23.15-grsec/arch/i386/kernel/efi_stub.S
37681 ---- linux-2.6.23.15/arch/i386/kernel/efi_stub.S 2007-10-09 21:31:38.000000000 +0100
37682 -+++ linux-2.6.23.15-grsec/arch/i386/kernel/efi_stub.S 2008-02-11 10:37:44.000000000 +0000
37683 -@@ -6,6 +6,7 @@
37684 - */
37685 -
37686 - #include <linux/linkage.h>
37687 -+#include <linux/init.h>
37688 - #include <asm/page.h>
37689 -
37690 - /*
37691 -@@ -20,7 +21,7 @@
37692 - * service functions will comply with gcc calling convention, too.
37693 - */
37694 -
37695 --.text
37696 -+__INIT
37697 - ENTRY(efi_call_phys)
37698 - /*
37699 - * 0. The function can only be called in Linux kernel. So CS has been
37700 -@@ -36,9 +37,7 @@ ENTRY(efi_call_phys)
37701 - * The mapping of lower virtual memory has been created in prelog and
37702 - * epilog.
37703 - */
37704 -- movl $1f, %edx
37705 -- subl $__PAGE_OFFSET, %edx
37706 -- jmp *%edx
37707 -+ jmp 1f-__PAGE_OFFSET
37708 - 1:
37709 -
37710 - /*
37711 -@@ -47,14 +46,8 @@ ENTRY(efi_call_phys)
37712 - * parameter 2, ..., param n. To make things easy, we save the return
37713 - * address of efi_call_phys in a global variable.
37714 - */
37715 -- popl %edx
37716 -- movl %edx, saved_return_addr
37717 -- /* get the function pointer into ECX*/
37718 -- popl %ecx
37719 -- movl %ecx, efi_rt_function_ptr
37720 -- movl $2f, %edx
37721 -- subl $__PAGE_OFFSET, %edx
37722 -- pushl %edx
37723 -+ popl (saved_return_addr)
37724 -+ popl (efi_rt_function_ptr)
37725 -
37726 - /*
37727 - * 3. Clear PG bit in %CR0.
37728 -@@ -73,9 +66,8 @@ ENTRY(efi_call_phys)
37729 - /*
37730 - * 5. Call the physical function.
37731 - */
37732 -- jmp *%ecx
37733 -+ call *(efi_rt_function_ptr-__PAGE_OFFSET)
37734 -
37735 --2:
37736 - /*
37737 - * 6. After EFI runtime service returns, control will return to
37738 - * following instruction. We'd better readjust stack pointer first.
37739 -@@ -88,34 +80,27 @@ ENTRY(efi_call_phys)
37740 - movl %cr0, %edx
37741 - orl $0x80000000, %edx
37742 - movl %edx, %cr0
37743 -- jmp 1f
37744 --1:
37745 -+
37746 - /*
37747 - * 8. Now restore the virtual mode from flat mode by
37748 - * adding EIP with PAGE_OFFSET.
37749 - */
37750 -- movl $1f, %edx
37751 -- jmp *%edx
37752 -+ jmp 1f+__PAGE_OFFSET
37753 - 1:
37754 -
37755 - /*
37756 - * 9. Balance the stack. And because EAX contain the return value,
37757 - * we'd better not clobber it.
37758 - */
37759 -- leal efi_rt_function_ptr, %edx
37760 -- movl (%edx), %ecx
37761 -- pushl %ecx
37762 -+ pushl (efi_rt_function_ptr)
37763 -
37764 - /*
37765 -- * 10. Push the saved return address onto the stack and return.
37766 -+ * 10. Return to the saved return address.
37767 - */
37768 -- leal saved_return_addr, %edx
37769 -- movl (%edx), %ecx
37770 -- pushl %ecx
37771 -- ret
37772 -+ jmpl *(saved_return_addr)
37773 - .previous
37774 -
37775 --.data
37776 -+__INITDATA
37777 - saved_return_addr:
37778 - .long 0
37779 - efi_rt_function_ptr:
37780 -diff -Nurp linux-2.6.23.15/arch/i386/kernel/entry.S linux-2.6.23.15-grsec/arch/i386/kernel/entry.S
37781 ---- linux-2.6.23.15/arch/i386/kernel/entry.S 2007-10-09 21:31:38.000000000 +0100
37782 -+++ linux-2.6.23.15-grsec/arch/i386/kernel/entry.S 2008-02-11 10:37:44.000000000 +0000
37783 -@@ -97,7 +97,7 @@ VM_MASK = 0x00020000
37784 - #define resume_userspace_sig resume_userspace
37785 - #endif
37786 -
37787 --#define SAVE_ALL \
37788 -+#define __SAVE_ALL(_DS) \
37789 - cld; \
37790 - pushl %fs; \
37791 - CFI_ADJUST_CFA_OFFSET 4;\
37792 -@@ -129,12 +129,26 @@ VM_MASK = 0x00020000
37793 - pushl %ebx; \
37794 - CFI_ADJUST_CFA_OFFSET 4;\
37795 - CFI_REL_OFFSET ebx, 0;\
37796 -- movl $(__USER_DS), %edx; \
37797 -+ movl $(_DS), %edx; \
37798 - movl %edx, %ds; \
37799 - movl %edx, %es; \
37800 - movl $(__KERNEL_PERCPU), %edx; \
37801 - movl %edx, %fs
37802 -
37803 -+#ifdef CONFIG_PAX_KERNEXEC
37804 -+#define SAVE_ALL \
37805 -+ __SAVE_ALL(__KERNEL_DS); \
37806 -+ GET_CR0_INTO_EDX; \
37807 -+ movl %edx, %esi; \
37808 -+ orl $X86_CR0_WP, %edx; \
37809 -+ xorl %edx, %esi; \
37810 -+ SET_CR0_FROM_EDX
37811 -+#elif defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
37812 -+#define SAVE_ALL __SAVE_ALL(__KERNEL_DS)
37813 -+#else
37814 -+#define SAVE_ALL __SAVE_ALL(__USER_DS)
37815 -+#endif
37816 -+
37817 - #define RESTORE_INT_REGS \
37818 - popl %ebx; \
37819 - CFI_ADJUST_CFA_OFFSET -4;\
37820 -@@ -248,7 +262,17 @@ check_userspace:
37821 - movb PT_CS(%esp), %al
37822 - andl $(VM_MASK | SEGMENT_RPL_MASK), %eax
37823 - cmpl $USER_RPL, %eax
37824 -+
37825 -+#ifdef CONFIG_PAX_KERNEXEC
37826 -+ jae resume_userspace
37827 -+
37828 -+ GET_CR0_INTO_EDX
37829 -+ xorl %esi, %edx
37830 -+ SET_CR0_FROM_EDX
37831 -+ jmp resume_kernel
37832 -+#else
37833 - jb resume_kernel # not returning to v8086 or userspace
37834 -+#endif
37835 -
37836 - ENTRY(resume_userspace)
37837 - DISABLE_INTERRUPTS(CLBR_ANY) # make sure we don't miss an interrupt
37838 -@@ -307,10 +331,9 @@ sysenter_past_esp:
37839 - /*CFI_REL_OFFSET cs, 0*/
37840 - /*
37841 - * Push current_thread_info()->sysenter_return to the stack.
37842 -- * A tiny bit of offset fixup is necessary - 4*4 means the 4 words
37843 -- * pushed above; +8 corresponds to copy_thread's esp0 setting.
37844 - */
37845 -- pushl (TI_sysenter_return-THREAD_SIZE+8+4*4)(%esp)
37846 -+ GET_THREAD_INFO(%ebp)
37847 -+ pushl TI_sysenter_return(%ebp)
37848 - CFI_ADJUST_CFA_OFFSET 4
37849 - CFI_REL_OFFSET eip, 0
37850 -
37851 -@@ -318,9 +341,17 @@ sysenter_past_esp:
37852 - * Load the potential sixth argument from user stack.
37853 - * Careful about security.
37854 - */
37855 -+ movl 12(%esp),%ebp
37856 -+
37857 -+#ifdef CONFIG_PAX_MEMORY_UDEREF
37858 -+ mov 16(%esp),%ds
37859 -+1: movl %ds:(%ebp),%ebp
37860 -+#else
37861 - cmpl $__PAGE_OFFSET-3,%ebp
37862 - jae syscall_fault
37863 - 1: movl (%ebp),%ebp
37864 -+#endif
37865 -+
37866 - .section __ex_table,"a"
37867 - .align 4
37868 - .long 1b,syscall_fault
37869 -@@ -343,20 +374,37 @@ sysenter_past_esp:
37870 - movl TI_flags(%ebp), %ecx
37871 - testw $_TIF_ALLWORK_MASK, %cx
37872 - jne syscall_exit_work
37873 -+
37874 -+#ifdef CONFIG_PAX_RANDKSTACK
37875 -+ pushl %eax
37876 -+ CFI_ADJUST_CFA_OFFSET 4
37877 -+ call pax_randomize_kstack
37878 -+ popl %eax
37879 -+ CFI_ADJUST_CFA_OFFSET -4
37880 -+#endif
37881 -+
37882 - /* if something modifies registers it must also disable sysexit */
37883 - movl PT_EIP(%esp), %edx
37884 - movl PT_OLDESP(%esp), %ecx
37885 - xorl %ebp,%ebp
37886 - TRACE_IRQS_ON
37887 - 1: mov PT_FS(%esp), %fs
37888 -+2: mov PT_DS(%esp), %ds
37889 -+3: mov PT_ES(%esp), %es
37890 - ENABLE_INTERRUPTS_SYSEXIT
37891 - CFI_ENDPROC
37892 - .pushsection .fixup,"ax"
37893 --2: movl $0,PT_FS(%esp)
37894 -+4: movl $0,PT_FS(%esp)
37895 - jmp 1b
37896 -+5: movl $0,PT_DS(%esp)
37897 -+ jmp 2b
37898 -+6: movl $0,PT_ES(%esp)
37899 -+ jmp 3b
37900 - .section __ex_table,"a"
37901 - .align 4
37902 -- .long 1b,2b
37903 -+ .long 1b,4b
37904 -+ .long 2b,5b
37905 -+ .long 3b,6b
37906 - .popsection
37907 - ENDPROC(sysenter_entry)
37908 -
37909 -@@ -389,6 +437,10 @@ no_singlestep:
37910 - testw $_TIF_ALLWORK_MASK, %cx # current->work
37911 - jne syscall_exit_work
37912 -
37913 -+#ifdef CONFIG_PAX_RANDKSTACK
37914 -+ call pax_randomize_kstack
37915 -+#endif
37916 -+
37917 - restore_all:
37918 - movl PT_EFLAGS(%esp), %eax # mix EFLAGS, SS and CS
37919 - # Warning: PT_OLDSS(%esp) contains the wrong/random values if we
37920 -@@ -552,17 +604,24 @@ syscall_badsys:
37921 - END(syscall_badsys)
37922 - CFI_ENDPROC
37923 -
37924 --#define FIXUP_ESPFIX_STACK \
37925 -- /* since we are on a wrong stack, we cant make it a C code :( */ \
37926 -- PER_CPU(gdt_page, %ebx); \
37927 -- GET_DESC_BASE(GDT_ENTRY_ESPFIX_SS, %ebx, %eax, %ax, %al, %ah); \
37928 -- addl %esp, %eax; \
37929 -- pushl $__KERNEL_DS; \
37930 -- CFI_ADJUST_CFA_OFFSET 4; \
37931 -- pushl %eax; \
37932 -- CFI_ADJUST_CFA_OFFSET 4; \
37933 -- lss (%esp), %esp; \
37934 -+.macro FIXUP_ESPFIX_STACK
37935 -+ /* since we are on a wrong stack, we cant make it a C code :( */
37936 -+#ifdef CONFIG_SMP
37937 -+ movl PER_CPU_VAR(cpu_number), %ebx;
37938 -+ shll $PAGE_SHIFT_asm, %ebx;
37939 -+ addl $cpu_gdt_table, %ebx;
37940 -+#else
37941 -+ movl $cpu_gdt_table, %ebx;
37942 -+#endif
37943 -+ GET_DESC_BASE(GDT_ENTRY_ESPFIX_SS, %ebx, %eax, %ax, %al, %ah);
37944 -+ addl %esp, %eax;
37945 -+ pushl $__KERNEL_DS;
37946 -+ CFI_ADJUST_CFA_OFFSET 4;
37947 -+ pushl %eax;
37948 -+ CFI_ADJUST_CFA_OFFSET 4;
37949 -+ lss (%esp), %esp;
37950 - CFI_ADJUST_CFA_OFFSET -8;
37951 -+.endm
37952 - #define UNWIND_ESPFIX_STACK \
37953 - movl %ss, %eax; \
37954 - /* see if on espfix stack */ \
37955 -@@ -579,7 +638,7 @@ END(syscall_badsys)
37956 - * Build the entry stubs and pointer table with
37957 - * some assembler magic.
37958 - */
37959 --.data
37960 -+.section .rodata,"a",@progbits
37961 - ENTRY(interrupt)
37962 - .text
37963 -
37964 -@@ -679,12 +738,21 @@ error_code:
37965 - popl %ecx
37966 - CFI_ADJUST_CFA_OFFSET -4
37967 - /*CFI_REGISTER es, ecx*/
37968 -+
37969 -+#ifdef CONFIG_PAX_KERNEXEC
37970 -+ GET_CR0_INTO_EDX
37971 -+ movl %edx, %esi
37972 -+ orl $X86_CR0_WP, %edx
37973 -+ xorl %edx, %esi
37974 -+ SET_CR0_FROM_EDX
37975 -+#endif
37976 -+
37977 - movl PT_FS(%esp), %edi # get the function address
37978 - movl PT_ORIG_EAX(%esp), %edx # get the error code
37979 - movl $-1, PT_ORIG_EAX(%esp) # no syscall to restart
37980 - mov %ecx, PT_FS(%esp)
37981 - /*CFI_REL_OFFSET fs, ES*/
37982 -- movl $(__USER_DS), %ecx
37983 -+ movl $(__KERNEL_DS), %ecx
37984 - movl %ecx, %ds
37985 - movl %ecx, %es
37986 - movl %esp,%eax # pt_regs pointer
37987 -@@ -818,6 +886,13 @@ nmi_stack_correct:
37988 - xorl %edx,%edx # zero error code
37989 - movl %esp,%eax # pt_regs pointer
37990 - call do_nmi
37991 -+
37992 -+#ifdef CONFIG_PAX_KERNEXEC
37993 -+ GET_CR0_INTO_EDX
37994 -+ xorl %esi, %edx
37995 -+ SET_CR0_FROM_EDX
37996 -+#endif
37997 -+
37998 - jmp restore_nocheck_notrace
37999 - CFI_ENDPROC
38000 -
38001 -@@ -858,6 +933,13 @@ nmi_espfix_stack:
38002 - FIXUP_ESPFIX_STACK # %eax == %esp
38003 - xorl %edx,%edx # zero error code
38004 - call do_nmi
38005 -+
38006 -+#ifdef CONFIG_PAX_KERNEXEC
38007 -+ GET_CR0_INTO_EDX
38008 -+ xorl %esi, %edx
38009 -+ SET_CR0_FROM_EDX
38010 -+#endif
38011 -+
38012 - RESTORE_REGS
38013 - lss 12+4(%esp), %esp # back to espfix stack
38014 - CFI_ADJUST_CFA_OFFSET -24
38015 -@@ -1106,7 +1188,6 @@ ENDPROC(xen_failsafe_callback)
38016 -
38017 - #endif /* CONFIG_XEN */
38018 -
38019 --.section .rodata,"a"
38020 - #include "syscall_table.S"
38021 -
38022 - syscall_table_size=(.-sys_call_table)
38023 -diff -Nurp linux-2.6.23.15/arch/i386/kernel/head.S linux-2.6.23.15-grsec/arch/i386/kernel/head.S
38024 ---- linux-2.6.23.15/arch/i386/kernel/head.S 2007-10-09 21:31:38.000000000 +0100
38025 -+++ linux-2.6.23.15-grsec/arch/i386/kernel/head.S 2008-02-11 10:37:44.000000000 +0000
38026 -@@ -18,6 +18,7 @@
38027 - #include <asm/thread_info.h>
38028 - #include <asm/asm-offsets.h>
38029 - #include <asm/setup.h>
38030 -+#include <asm/msr-index.h>
38031 -
38032 - /*
38033 - * References to members of the new_cpu_data structure.
38034 -@@ -51,17 +52,22 @@
38035 - */
38036 - LOW_PAGES = 1<<(32-PAGE_SHIFT_asm)
38037 -
38038 --#if PTRS_PER_PMD > 1
38039 --PAGE_TABLE_SIZE = (LOW_PAGES / PTRS_PER_PMD) + PTRS_PER_PGD
38040 --#else
38041 --PAGE_TABLE_SIZE = (LOW_PAGES / PTRS_PER_PGD)
38042 --#endif
38043 -+PAGE_TABLE_SIZE = (LOW_PAGES / PTRS_PER_PTE)
38044 - BOOTBITMAP_SIZE = LOW_PAGES / 8
38045 - ALLOCATOR_SLOP = 4
38046 -
38047 - INIT_MAP_BEYOND_END = BOOTBITMAP_SIZE + (PAGE_TABLE_SIZE + ALLOCATOR_SLOP)*PAGE_SIZE_asm
38048 -
38049 - /*
38050 -+ * Real beginning of normal "text" segment
38051 -+ */
38052 -+ENTRY(stext)
38053 -+ENTRY(_stext)
38054 -+
38055 -+.section .text.startup,"ax",@progbits
38056 -+ ljmp $(__BOOT_CS),$phys_startup_32
38057 -+
38058 -+/*
38059 - * 32-bit kernel entrypoint; only used by the boot CPU. On entry,
38060 - * %esi points to the real-mode code as a 32-bit pointer.
38061 - * CS and DS must be 4 GB flat segments, but we don't depend on
38062 -@@ -69,6 +75,12 @@ INIT_MAP_BEYOND_END = BOOTBITMAP_SIZE +
38063 - * can.
38064 - */
38065 - .section .text.head,"ax",@progbits
38066 -+
38067 -+#ifdef CONFIG_PAX_KERNEXEC
38068 -+/* PaX: fill first page in .text with int3 to catch NULL derefs in kernel mode */
38069 -+.fill 4096,1,0xcc
38070 -+#endif
38071 -+
38072 - ENTRY(startup_32)
38073 -
38074 - /*
38075 -@@ -82,6 +94,43 @@ ENTRY(startup_32)
38076 - movl %eax,%fs
38077 - movl %eax,%gs
38078 -
38079 -+ movl $__per_cpu_start,%eax
38080 -+ movw %ax,(cpu_gdt_table - __PAGE_OFFSET + __KERNEL_PERCPU + 2)
38081 -+ rorl $16,%eax
38082 -+ movb %al,(cpu_gdt_table - __PAGE_OFFSET + __KERNEL_PERCPU + 4)
38083 -+ movb %ah,(cpu_gdt_table - __PAGE_OFFSET + __KERNEL_PERCPU + 7)
38084 -+ movl $__per_cpu_end + PERCPU_MODULE_RESERVE,%eax
38085 -+ subl $__per_cpu_start,%eax
38086 -+ movw %ax,(cpu_gdt_table - __PAGE_OFFSET + __KERNEL_PERCPU + 0)
38087 -+
38088 -+#ifdef CONFIG_PAX_MEMORY_UDEREF
38089 -+ /* check for VMware */
38090 -+ movl $0x564d5868,%eax
38091 -+ xorl %ebx,%ebx
38092 -+ movl $0xa,%ecx
38093 -+ movl $0x5658,%edx
38094 -+ in (%dx),%eax
38095 -+ cmpl $0x564d5868,%ebx
38096 -+ jz 1f
38097 -+
38098 -+ movl $((((__PAGE_OFFSET-1) & 0xf0000000) >> 12) | 0x00c09700),%eax
38099 -+ movl %eax,(cpu_gdt_table - __PAGE_OFFSET + GDT_ENTRY_KERNEL_DS * 8 + 4)
38100 -+1:
38101 -+#endif
38102 -+
38103 -+#ifdef CONFIG_PAX_KERNEXEC
38104 -+ movl $KERNEL_TEXT_OFFSET,%eax
38105 -+ movw %ax,(cpu_gdt_table - __PAGE_OFFSET + __KERNEL_CS + 2)
38106 -+ rorl $16,%eax
38107 -+ movb %al,(cpu_gdt_table - __PAGE_OFFSET + __KERNEL_CS + 4)
38108 -+ movb %ah,(cpu_gdt_table - __PAGE_OFFSET + __KERNEL_CS + 7)
38109 -+
38110 -+ movb %al,(boot_gdt - __PAGE_OFFSET + __BOOT_CS + 4)
38111 -+ movb %ah,(boot_gdt - __PAGE_OFFSET + __BOOT_CS + 7)
38112 -+ rorl $16,%eax
38113 -+ movw %ax,(boot_gdt - __PAGE_OFFSET + __BOOT_CS + 2)
38114 -+#endif
38115 -+
38116 - /*
38117 - * Clear BSS first so that there are no surprises...
38118 - * No need to cld as DF is already clear from cld above...
38119 -@@ -129,24 +178,42 @@ ENTRY(startup_32)
38120 - * Warning: don't use %esi or the stack in this code. However, %esp
38121 - * can be used as a GPR if you really need it...
38122 - */
38123 --page_pde_offset = (__PAGE_OFFSET >> 20);
38124 --
38125 -+#ifdef CONFIG_X86_PAE
38126 -+page_pde_offset = ((__PAGE_OFFSET >> 21) * (PAGE_SIZE_asm / PTRS_PER_PTE));
38127 -+#else
38128 -+page_pde_offset = ((__PAGE_OFFSET >> 22) * (PAGE_SIZE_asm / PTRS_PER_PTE));
38129 -+#endif
38130 - movl $(pg0 - __PAGE_OFFSET), %edi
38131 -+#ifdef CONFIG_X86_PAE
38132 -+ movl $(swapper_pm_dir - __PAGE_OFFSET), %edx
38133 -+#else
38134 - movl $(swapper_pg_dir - __PAGE_OFFSET), %edx
38135 -- movl $0x007, %eax /* 0x007 = PRESENT+RW+USER */
38136 -+#endif
38137 -+ movl $0x063, %eax /* 0x063 = PRESENT+RW+ACCESSED+DIRTY */
38138 - 10:
38139 -- leal 0x007(%edi),%ecx /* Create PDE entry */
38140 -+ leal 0x063(%edi),%ecx /* Create PDE entry */
38141 - movl %ecx,(%edx) /* Store identity PDE entry */
38142 - movl %ecx,page_pde_offset(%edx) /* Store kernel PDE entry */
38143 -+#ifdef CONFIG_X86_PAE
38144 -+ movl $0,4(%edx)
38145 -+ movl $0,page_pde_offset+4(%edx)
38146 -+ addl $8,%edx
38147 -+ movl $512, %ecx
38148 -+#else
38149 - addl $4,%edx
38150 - movl $1024, %ecx
38151 -+#endif
38152 - 11:
38153 - stosl
38154 -+#ifdef CONFIG_X86_PAE
38155 -+ movl $0,(%edi)
38156 -+ addl $4,%edi
38157 -+#endif
38158 - addl $0x1000,%eax
38159 - loop 11b
38160 - /* End condition: we must map up to and including INIT_MAP_BEYOND_END */
38161 -- /* bytes beyond the end of our own page tables; the +0x007 is the attribute bits */
38162 -- leal (INIT_MAP_BEYOND_END+0x007)(%edi),%ebp
38163 -+ /* bytes beyond the end of our own page tables; the +0x063 is the attribute bits */
38164 -+ leal (INIT_MAP_BEYOND_END+0x063)(%edi),%ebp
38165 - cmpl %ebp,%eax
38166 - jb 10b
38167 - movl %edi,(init_pg_tables_end - __PAGE_OFFSET)
38168 -@@ -167,10 +234,12 @@ page_pde_offset = (__PAGE_OFFSET >> 20);
38169 - #endif
38170 -
38171 - /* Do an early initialization of the fixmap area */
38172 -- movl $(swapper_pg_dir - __PAGE_OFFSET), %edx
38173 -- movl $(swapper_pg_pmd - __PAGE_OFFSET), %eax
38174 -- addl $0x007, %eax /* 0x007 = PRESENT+RW+USER */
38175 -- movl %eax, 4092(%edx)
38176 -+ /* 0x067 = PRESENT+RW+USER+ACCESSED+DIRTY */
38177 -+#ifdef CONFIG_X86_PAE
38178 -+ movl $(swapper_pg_pmd - __PAGE_OFFSET + 0x067), (swapper_pm_dir - __PAGE_OFFSET + 4096 - 8)
38179 -+#else
38180 -+ movl $(swapper_pg_pmd - __PAGE_OFFSET + 0x067), (swapper_pg_dir - __PAGE_OFFSET + 4096 - 4)
38181 -+#endif
38182 -
38183 - #ifdef CONFIG_SMP
38184 - ENTRY(startup_32_smp)
38185 -@@ -181,6 +250,11 @@ ENTRY(startup_32_smp)
38186 - movl %eax,%fs
38187 - movl %eax,%gs
38188 -
38189 -+ /* This is a secondary processor (AP) */
38190 -+ xorl %ebx,%ebx
38191 -+ incl %ebx
38192 -+#endif /* CONFIG_SMP */
38193 -+
38194 - /*
38195 - * New page tables may be in 4Mbyte page mode and may
38196 - * be using the global pages.
38197 -@@ -196,42 +270,47 @@ ENTRY(startup_32_smp)
38198 - * not yet offset PAGE_OFFSET..
38199 - */
38200 - #define cr4_bits mmu_cr4_features-__PAGE_OFFSET
38201 -+3:
38202 - movl cr4_bits,%edx
38203 - andl %edx,%edx
38204 -- jz 6f
38205 -+ jz 5f
38206 - movl %cr4,%eax # Turn on paging options (PSE,PAE,..)
38207 - orl %edx,%eax
38208 - movl %eax,%cr4
38209 -
38210 -- btl $5, %eax # check if PAE is enabled
38211 -- jnc 6f
38212 -+#ifdef CONFIG_X86_PAE
38213 -+ movl %ebx,%edi
38214 -
38215 - /* Check if extended functions are implemented */
38216 - movl $0x80000000, %eax
38217 - cpuid
38218 - cmpl $0x80000000, %eax
38219 -- jbe 6f
38220 -+ jbe 4f
38221 - mov $0x80000001, %eax
38222 - cpuid
38223 - /* Execute Disable bit supported? */
38224 - btl $20, %edx
38225 -- jnc 6f
38226 -+ jnc 4f
38227 -
38228 - /* Setup EFER (Extended Feature Enable Register) */
38229 -- movl $0xc0000080, %ecx
38230 -+ movl $MSR_EFER, %ecx
38231 - rdmsr
38232 -
38233 - btsl $11, %eax
38234 - /* Make changes effective */
38235 - wrmsr
38236 -
38237 --6:
38238 -- /* This is a secondary processor (AP) */
38239 -- xorl %ebx,%ebx
38240 -- incl %ebx
38241 -+ btsl $63-32,__supported_pte_mask+4-__PAGE_OFFSET
38242 -+ movl $1,nx_enabled-__PAGE_OFFSET
38243 -
38244 --#endif /* CONFIG_SMP */
38245 --3:
38246 -+#if !defined(CONFIG_PAX_SEGMEXEC) && !defined(CONFIG_PAX_KERNEXEC) && !defined(CONFIG_PAX_MEMORY_UDEREF)
38247 -+ movl $0,disable_x86_sep-__PAGE_OFFSET
38248 -+#endif
38249 -+
38250 -+4:
38251 -+ movl %edi,%ebx
38252 -+#endif
38253 -+5:
38254 -
38255 - /*
38256 - * Enable paging
38257 -@@ -256,9 +335,7 @@ ENTRY(startup_32_smp)
38258 -
38259 - #ifdef CONFIG_SMP
38260 - andl %ebx,%ebx
38261 -- jz 1f /* Initial CPU cleans BSS */
38262 -- jmp checkCPUtype
38263 --1:
38264 -+ jnz checkCPUtype /* Initial CPU cleans BSS */
38265 - #endif /* CONFIG_SMP */
38266 -
38267 - /*
38268 -@@ -335,12 +412,12 @@ is386: movl $2,%ecx # set MP
38269 - ljmp $(__KERNEL_CS),$1f
38270 - 1: movl $(__KERNEL_DS),%eax # reload all the segment registers
38271 - movl %eax,%ss # after changing gdt.
38272 -- movl %eax,%fs # gets reset once there's real percpu
38273 --
38274 -- movl $(__USER_DS),%eax # DS/ES contains default USER segment
38275 - movl %eax,%ds
38276 - movl %eax,%es
38277 -
38278 -+ movl $(__KERNEL_PERCPU), %eax
38279 -+ movl %eax,%fs # set this cpu's percpu
38280 -+
38281 - xorl %eax,%eax # Clear GS and LDT
38282 - movl %eax,%gs
38283 - lldt %ax
38284 -@@ -351,11 +428,7 @@ is386: movl $2,%ecx # set MP
38285 - movb ready, %cl
38286 - movb $1, ready
38287 - cmpb $0,%cl # the first CPU calls start_kernel
38288 -- je 1f
38289 -- movl $(__KERNEL_PERCPU), %eax
38290 -- movl %eax,%fs # set this cpu's percpu
38291 -- jmp initialize_secondary # all other CPUs call initialize_secondary
38292 --1:
38293 -+ jne initialize_secondary # all other CPUs call initialize_secondary
38294 - #endif /* CONFIG_SMP */
38295 - jmp start_kernel
38296 -
38297 -@@ -441,8 +514,8 @@ early_page_fault:
38298 - jmp early_fault
38299 -
38300 - early_fault:
38301 -- cld
38302 - #ifdef CONFIG_PRINTK
38303 -+ cld
38304 - movl $(__KERNEL_DS),%eax
38305 - movl %eax,%ds
38306 - movl %eax,%es
38307 -@@ -466,8 +539,8 @@ hlt_loop:
38308 - /* This is the default interrupt "handler" :-) */
38309 - ALIGN
38310 - ignore_int:
38311 -- cld
38312 - #ifdef CONFIG_PRINTK
38313 -+ cld
38314 - pushl %eax
38315 - pushl %ecx
38316 - pushl %edx
38317 -@@ -498,31 +571,58 @@ ignore_int:
38318 - #endif
38319 - iret
38320 -
38321 --.section .text
38322 --/*
38323 -- * Real beginning of normal "text" segment
38324 -- */
38325 --ENTRY(stext)
38326 --ENTRY(_stext)
38327 --
38328 - /*
38329 - * BSS section
38330 - */
38331 --.section ".bss.page_aligned","wa"
38332 -+.section .swapper_pg_dir,"a",@progbits
38333 - .align PAGE_SIZE_asm
38334 - ENTRY(swapper_pg_dir)
38335 -+#ifdef CONFIG_X86_PAE
38336 -+ .long swapper_pm_dir-__PAGE_OFFSET+1
38337 -+ .long 0
38338 -+ .long swapper_pm_dir+512*8-__PAGE_OFFSET+1
38339 -+ .long 0
38340 -+ .long swapper_pm_dir+512*16-__PAGE_OFFSET+1
38341 -+ .long 0
38342 -+ .long swapper_pm_dir+512*24-__PAGE_OFFSET+1
38343 -+ .long 0
38344 -+#else
38345 - .fill 1024,4,0
38346 -+#endif
38347 -+
38348 -+.section .swapper_pm_dir,"a",@progbits
38349 -+#ifdef CONFIG_X86_PAE
38350 -+ENTRY(swapper_pm_dir)
38351 -+ .fill 512,8,0
38352 -+ .fill 512,8,0
38353 -+ .fill 512,8,0
38354 -+ .fill 512,8,0
38355 -+#endif
38356 -+
38357 - ENTRY(swapper_pg_pmd)
38358 - .fill 1024,4,0
38359 -+
38360 -+.section .empty_zero_page,"a",@progbits
38361 - ENTRY(empty_zero_page)
38362 - .fill 4096,1,0
38363 -
38364 - /*
38365 -+ * The IDT has to be page-aligned to simplify the Pentium
38366 -+ * F0 0F bug workaround.. We have a special link segment
38367 -+ * for this.
38368 -+ */
38369 -+.section .idt,"a",@progbits
38370 -+ENTRY(idt_table)
38371 -+ .fill 256,8,0
38372 -+
38373 -+/*
38374 - * This starts the data section.
38375 - */
38376 - .data
38377 -+
38378 -+.section .rodata,"a",@progbits
38379 - ENTRY(stack_start)
38380 -- .long init_thread_union+THREAD_SIZE
38381 -+ .long init_thread_union+THREAD_SIZE-8
38382 - .long __BOOT_DS
38383 -
38384 - ready: .byte 0
38385 -@@ -565,7 +665,7 @@ idt_descr:
38386 - .word 0 # 32 bit align gdt_desc.address
38387 - ENTRY(early_gdt_descr)
38388 - .word GDT_ENTRIES*8-1
38389 -- .long per_cpu__gdt_page /* Overwritten for secondary CPUs */
38390 -+ .long cpu_gdt_table /* Overwritten for secondary CPUs */
38391 -
38392 - /*
38393 - * The boot_gdt must mirror the equivalent in setup.S and is
38394 -@@ -574,5 +674,61 @@ ENTRY(early_gdt_descr)
38395 - .align L1_CACHE_BYTES
38396 - ENTRY(boot_gdt)
38397 - .fill GDT_ENTRY_BOOT_CS,8,0
38398 -- .quad 0x00cf9a000000ffff /* kernel 4GB code at 0x00000000 */
38399 -- .quad 0x00cf92000000ffff /* kernel 4GB data at 0x00000000 */
38400 -+ .quad 0x00cf9b000000ffff /* kernel 4GB code at 0x00000000 */
38401 -+ .quad 0x00cf93000000ffff /* kernel 4GB data at 0x00000000 */
38402 -+
38403 -+ .align PAGE_SIZE_asm
38404 -+ENTRY(cpu_gdt_table)
38405 -+ .quad 0x0000000000000000 /* NULL descriptor */
38406 -+ .quad 0x0000000000000000 /* 0x0b reserved */
38407 -+ .quad 0x0000000000000000 /* 0x13 reserved */
38408 -+ .quad 0x0000000000000000 /* 0x1b reserved */
38409 -+ .quad 0x0000000000000000 /* 0x20 unused */
38410 -+ .quad 0x0000000000000000 /* 0x28 unused */
38411 -+ .quad 0x0000000000000000 /* 0x33 TLS entry 1 */
38412 -+ .quad 0x0000000000000000 /* 0x3b TLS entry 2 */
38413 -+ .quad 0x0000000000000000 /* 0x43 TLS entry 3 */
38414 -+ .quad 0x0000000000000000 /* 0x4b reserved */
38415 -+ .quad 0x0000000000000000 /* 0x53 reserved */
38416 -+ .quad 0x0000000000000000 /* 0x5b reserved */
38417 -+
38418 -+ .quad 0x00cf9b000000ffff /* 0x60 kernel 4GB code at 0x00000000 */
38419 -+ .quad 0x00cf93000000ffff /* 0x68 kernel 4GB data at 0x00000000 */
38420 -+ .quad 0x00cffb000000ffff /* 0x73 user 4GB code at 0x00000000 */
38421 -+ .quad 0x00cff3000000ffff /* 0x7b user 4GB data at 0x00000000 */
38422 -+
38423 -+ .quad 0x0000000000000000 /* 0x80 TSS descriptor */
38424 -+ .quad 0x0000000000000000 /* 0x88 LDT descriptor */
38425 -+
38426 -+ /*
38427 -+ * Segments used for calling PnP BIOS have byte granularity.
38428 -+ * The code segments and data segments have fixed 64k limits,
38429 -+ * the transfer segment sizes are set at run time.
38430 -+ */
38431 -+ .quad 0x00409b000000ffff /* 0x90 32-bit code */
38432 -+ .quad 0x00009b000000ffff /* 0x98 16-bit code */
38433 -+ .quad 0x000093000000ffff /* 0xa0 16-bit data */
38434 -+ .quad 0x0000930000000000 /* 0xa8 16-bit data */
38435 -+ .quad 0x0000930000000000 /* 0xb0 16-bit data */
38436 -+
38437 -+ /*
38438 -+ * The APM segments have byte granularity and their bases
38439 -+ * are set at run time. All have 64k limits.
38440 -+ */
38441 -+ .quad 0x00409b000000ffff /* 0xb8 APM CS code */
38442 -+ .quad 0x00009b000000ffff /* 0xc0 APM CS 16 code (16 bit) */
38443 -+ .quad 0x004093000000ffff /* 0xc8 APM DS data */
38444 -+
38445 -+ .quad 0x00c0930000000000 /* 0xd0 - ESPFIX SS */
38446 -+ .quad 0x0040930000000000 /* 0xd8 - PERCPU */
38447 -+ .quad 0x0000000000000000 /* 0xe0 - PCIBIOS_CS */
38448 -+ .quad 0x0000000000000000 /* 0xe8 - PCIBIOS_DS */
38449 -+ .quad 0x0000000000000000 /* 0xf0 - unused */
38450 -+ .quad 0x0000000000000000 /* 0xf8 - GDT entry 31: double-fault TSS */
38451 -+
38452 -+ /* Be sure this is zeroed to avoid false validations in Xen */
38453 -+ .fill PAGE_SIZE_asm - GDT_ENTRIES,1,0
38454 -+
38455 -+#ifdef CONFIG_SMP
38456 -+ .fill (NR_CPUS-1) * (PAGE_SIZE_asm),1,0 /* other CPU's GDT */
38457 -+#endif
38458 -diff -Nurp linux-2.6.23.15/arch/i386/kernel/hpet.c linux-2.6.23.15-grsec/arch/i386/kernel/hpet.c
38459 ---- linux-2.6.23.15/arch/i386/kernel/hpet.c 2007-10-09 21:31:38.000000000 +0100
38460 -+++ linux-2.6.23.15-grsec/arch/i386/kernel/hpet.c 2008-02-11 10:37:44.000000000 +0000
38461 -@@ -96,7 +96,7 @@ static void hpet_reserve_platform_timers
38462 - hd.hd_irq[1] = HPET_LEGACY_RTC;
38463 -
38464 - for (i = 2; i < nrtimers; timer++, i++)
38465 -- hd.hd_irq[i] = (timer->hpet_config & Tn_INT_ROUTE_CNF_MASK) >>
38466 -+ hd.hd_irq[i] = (readl(&timer->hpet_config) & Tn_INT_ROUTE_CNF_MASK) >>
38467 - Tn_INT_ROUTE_CNF_SHIFT;
38468 -
38469 - hpet_alloc(&hd);
38470 -diff -Nurp linux-2.6.23.15/arch/i386/kernel/i386_ksyms.c linux-2.6.23.15-grsec/arch/i386/kernel/i386_ksyms.c
38471 ---- linux-2.6.23.15/arch/i386/kernel/i386_ksyms.c 2007-10-09 21:31:38.000000000 +0100
38472 -+++ linux-2.6.23.15-grsec/arch/i386/kernel/i386_ksyms.c 2008-02-11 10:37:44.000000000 +0000
38473 -@@ -2,12 +2,16 @@
38474 - #include <asm/checksum.h>
38475 - #include <asm/desc.h>
38476 -
38477 -+EXPORT_SYMBOL_GPL(cpu_gdt_table);
38478 -+
38479 - EXPORT_SYMBOL(__down_failed);
38480 - EXPORT_SYMBOL(__down_failed_interruptible);
38481 - EXPORT_SYMBOL(__down_failed_trylock);
38482 - EXPORT_SYMBOL(__up_wakeup);
38483 - /* Networking helper routines. */
38484 - EXPORT_SYMBOL(csum_partial_copy_generic);
38485 -+EXPORT_SYMBOL(csum_partial_copy_generic_to_user);
38486 -+EXPORT_SYMBOL(csum_partial_copy_generic_from_user);
38487 -
38488 - EXPORT_SYMBOL(__get_user_1);
38489 - EXPORT_SYMBOL(__get_user_2);
38490 -diff -Nurp linux-2.6.23.15/arch/i386/kernel/i8259.c linux-2.6.23.15-grsec/arch/i386/kernel/i8259.c
38491 ---- linux-2.6.23.15/arch/i386/kernel/i8259.c 2007-10-09 21:31:38.000000000 +0100
38492 -+++ linux-2.6.23.15-grsec/arch/i386/kernel/i8259.c 2008-02-11 10:37:44.000000000 +0000
38493 -@@ -350,7 +350,7 @@ static irqreturn_t math_error_irq(int cp
38494 - * New motherboards sometimes make IRQ 13 be a PCI interrupt,
38495 - * so allow interrupt sharing.
38496 - */
38497 --static struct irqaction fpu_irq = { math_error_irq, 0, CPU_MASK_NONE, "fpu", NULL, NULL };
38498 -+static struct irqaction fpu_irq = { math_error_irq, 0, CPU_MASK_NONE, "fpu", NULL, NULL, 0, NULL };
38499 -
38500 - void __init init_ISA_irqs (void)
38501 - {
38502 -diff -Nurp linux-2.6.23.15/arch/i386/kernel/init_task.c linux-2.6.23.15-grsec/arch/i386/kernel/init_task.c
38503 ---- linux-2.6.23.15/arch/i386/kernel/init_task.c 2007-10-09 21:31:38.000000000 +0100
38504 -+++ linux-2.6.23.15-grsec/arch/i386/kernel/init_task.c 2008-02-11 10:37:44.000000000 +0000
38505 -@@ -42,5 +42,5 @@ EXPORT_SYMBOL(init_task);
38506 - * per-CPU TSS segments. Threads are completely 'soft' on Linux,
38507 - * no more per-task TSS's.
38508 - */
38509 --DEFINE_PER_CPU_SHARED_ALIGNED(struct tss_struct, init_tss) = INIT_TSS;
38510 -+struct tss_struct init_tss[NR_CPUS] ____cacheline_internodealigned_in_smp = { [0 ... NR_CPUS-1] = INIT_TSS };
38511 -
38512 -diff -Nurp linux-2.6.23.15/arch/i386/kernel/ioport.c linux-2.6.23.15-grsec/arch/i386/kernel/ioport.c
38513 ---- linux-2.6.23.15/arch/i386/kernel/ioport.c 2007-10-09 21:31:38.000000000 +0100
38514 -+++ linux-2.6.23.15-grsec/arch/i386/kernel/ioport.c 2008-02-11 10:37:44.000000000 +0000
38515 -@@ -16,6 +16,7 @@
38516 - #include <linux/slab.h>
38517 - #include <linux/thread_info.h>
38518 - #include <linux/syscalls.h>
38519 -+#include <linux/grsecurity.h>
38520 -
38521 - /* Set EXTENT bits starting at BASE in BITMAP to value TURN_ON. */
38522 - static void set_bitmap(unsigned long *bitmap, unsigned int base, unsigned int extent, int new_value)
38523 -@@ -64,9 +65,16 @@ asmlinkage long sys_ioperm(unsigned long
38524 -
38525 - if ((from + num <= from) || (from + num > IO_BITMAP_BITS))
38526 - return -EINVAL;
38527 -+#ifdef CONFIG_GRKERNSEC_IO
38528 -+ if (turn_on) {
38529 -+ gr_handle_ioperm();
38530 -+#else
38531 - if (turn_on && !capable(CAP_SYS_RAWIO))
38532 -+#endif
38533 - return -EPERM;
38534 --
38535 -+#ifdef CONFIG_GRKERNSEC_IO
38536 -+ }
38537 -+#endif
38538 - /*
38539 - * If it's the first ioperm() call in this thread's lifetime, set the
38540 - * IO bitmap up. ioperm() is much less timing critical than clone(),
38541 -@@ -89,7 +97,7 @@ asmlinkage long sys_ioperm(unsigned long
38542 - * because the ->io_bitmap_max value must match the bitmap
38543 - * contents:
38544 - */
38545 -- tss = &per_cpu(init_tss, get_cpu());
38546 -+ tss = init_tss + get_cpu();
38547 -
38548 - set_bitmap(t->io_bitmap_ptr, from, num, !turn_on);
38549 -
38550 -@@ -143,8 +151,13 @@ asmlinkage long sys_iopl(unsigned long u
38551 - return -EINVAL;
38552 - /* Trying to gain more privileges? */
38553 - if (level > old) {
38554 -+#ifdef CONFIG_GRKERNSEC_IO
38555 -+ gr_handle_iopl();
38556 -+ return -EPERM;
38557 -+#else
38558 - if (!capable(CAP_SYS_RAWIO))
38559 - return -EPERM;
38560 -+#endif
38561 - }
38562 - t->iopl = level << 12;
38563 - regs->eflags = (regs->eflags & ~X86_EFLAGS_IOPL) | t->iopl;
38564 -diff -Nurp linux-2.6.23.15/arch/i386/kernel/irq.c linux-2.6.23.15-grsec/arch/i386/kernel/irq.c
38565 ---- linux-2.6.23.15/arch/i386/kernel/irq.c 2007-10-09 21:31:38.000000000 +0100
38566 -+++ linux-2.6.23.15-grsec/arch/i386/kernel/irq.c 2008-02-11 10:37:44.000000000 +0000
38567 -@@ -117,7 +117,7 @@ fastcall unsigned int do_IRQ(struct pt_r
38568 - int arg1, arg2, ebx;
38569 -
38570 - /* build the stack frame on the IRQ stack */
38571 -- isp = (u32*) ((char*)irqctx + sizeof(*irqctx));
38572 -+ isp = (u32*) ((char*)irqctx + sizeof(*irqctx)) - 2;
38573 - irqctx->tinfo.task = curctx->tinfo.task;
38574 - irqctx->tinfo.previous_esp = current_stack_pointer;
38575 -
38576 -@@ -213,7 +213,7 @@ asmlinkage void do_softirq(void)
38577 - irqctx->tinfo.previous_esp = current_stack_pointer;
38578 -
38579 - /* build the stack frame on the softirq stack */
38580 -- isp = (u32*) ((char*)irqctx + sizeof(*irqctx));
38581 -+ isp = (u32*) ((char*)irqctx + sizeof(*irqctx)) - 2;
38582 -
38583 - asm volatile(
38584 - " xchgl %%ebx,%%esp \n"
38585 -diff -Nurp linux-2.6.23.15/arch/i386/kernel/kprobes.c linux-2.6.23.15-grsec/arch/i386/kernel/kprobes.c
38586 ---- linux-2.6.23.15/arch/i386/kernel/kprobes.c 2007-10-09 21:31:38.000000000 +0100
38587 -+++ linux-2.6.23.15-grsec/arch/i386/kernel/kprobes.c 2008-02-11 10:37:44.000000000 +0000
38588 -@@ -49,9 +49,24 @@ static __always_inline void set_jmp_op(v
38589 - char op;
38590 - long raddr;
38591 - } __attribute__((packed)) *jop;
38592 -- jop = (struct __arch_jmp_op *)from;
38593 -+
38594 -+#ifdef CONFIG_PAX_KERNEXEC
38595 -+ unsigned long cr0;
38596 -+#endif
38597 -+
38598 -+ jop = (struct __arch_jmp_op *)(from + __KERNEL_TEXT_OFFSET);
38599 -+
38600 -+#ifdef CONFIG_PAX_KERNEXEC
38601 -+ pax_open_kernel(cr0);
38602 -+#endif
38603 -+
38604 - jop->raddr = (long)(to) - ((long)(from) + 5);
38605 - jop->op = RELATIVEJUMP_INSTRUCTION;
38606 -+
38607 -+#ifdef CONFIG_PAX_KERNEXEC
38608 -+ pax_close_kernel(cr0);
38609 -+#endif
38610 -+
38611 - }
38612 -
38613 - /*
38614 -@@ -153,14 +168,28 @@ static int __kprobes is_IF_modifier(kpro
38615 -
38616 - int __kprobes arch_prepare_kprobe(struct kprobe *p)
38617 - {
38618 -+
38619 -+#ifdef CONFIG_PAX_KERNEXEC
38620 -+ unsigned long cr0;
38621 -+#endif
38622 -+
38623 - /* insn: must be on special executable page on i386. */
38624 - p->ainsn.insn = get_insn_slot();
38625 - if (!p->ainsn.insn)
38626 - return -ENOMEM;
38627 -
38628 -- memcpy(p->ainsn.insn, p->addr, MAX_INSN_SIZE * sizeof(kprobe_opcode_t));
38629 -- p->opcode = *p->addr;
38630 -- if (can_boost(p->addr)) {
38631 -+#ifdef CONFIG_PAX_KERNEXEC
38632 -+ pax_open_kernel(cr0);
38633 -+#endif
38634 -+
38635 -+ memcpy(p->ainsn.insn, p->addr + __KERNEL_TEXT_OFFSET, MAX_INSN_SIZE * sizeof(kprobe_opcode_t));
38636 -+
38637 -+#ifdef CONFIG_PAX_KERNEXEC
38638 -+ pax_close_kernel(cr0);
38639 -+#endif
38640 -+
38641 -+ p->opcode = *(p->addr + __KERNEL_TEXT_OFFSET);
38642 -+ if (can_boost(p->addr + __KERNEL_TEXT_OFFSET)) {
38643 - p->ainsn.boostable = 0;
38644 - } else {
38645 - p->ainsn.boostable = -1;
38646 -@@ -219,7 +248,7 @@ static void __kprobes prepare_singlestep
38647 - if (p->opcode == BREAKPOINT_INSTRUCTION)
38648 - regs->eip = (unsigned long)p->addr;
38649 - else
38650 -- regs->eip = (unsigned long)p->ainsn.insn;
38651 -+ regs->eip = (unsigned long)p->ainsn.insn - __KERNEL_TEXT_OFFSET;
38652 - }
38653 -
38654 - /* Called with kretprobe_lock held */
38655 -@@ -325,7 +354,7 @@ ss_probe:
38656 - if (p->ainsn.boostable == 1 && !p->post_handler){
38657 - /* Boost up -- we can execute copied instructions directly */
38658 - reset_current_kprobe();
38659 -- regs->eip = (unsigned long)p->ainsn.insn;
38660 -+ regs->eip = (unsigned long)p->ainsn.insn - __KERNEL_TEXT_OFFSET;
38661 - preempt_enable_no_resched();
38662 - return 1;
38663 - }
38664 -@@ -475,7 +504,7 @@ static void __kprobes resume_execution(s
38665 - struct pt_regs *regs, struct kprobe_ctlblk *kcb)
38666 - {
38667 - unsigned long *tos = (unsigned long *)&regs->esp;
38668 -- unsigned long copy_eip = (unsigned long)p->ainsn.insn;
38669 -+ unsigned long copy_eip = (unsigned long)p->ainsn.insn - __KERNEL_TEXT_OFFSET;
38670 - unsigned long orig_eip = (unsigned long)p->addr;
38671 -
38672 - regs->eflags &= ~TF_MASK;
38673 -@@ -648,7 +677,7 @@ int __kprobes kprobe_exceptions_notify(s
38674 - struct die_args *args = (struct die_args *)data;
38675 - int ret = NOTIFY_DONE;
38676 -
38677 -- if (args->regs && user_mode_vm(args->regs))
38678 -+ if (args->regs && user_mode(args->regs))
38679 - return ret;
38680 -
38681 - switch (val) {
38682 -diff -Nurp linux-2.6.23.15/arch/i386/kernel/ldt.c linux-2.6.23.15-grsec/arch/i386/kernel/ldt.c
38683 ---- linux-2.6.23.15/arch/i386/kernel/ldt.c 2007-10-09 21:31:38.000000000 +0100
38684 -+++ linux-2.6.23.15-grsec/arch/i386/kernel/ldt.c 2008-02-11 10:37:44.000000000 +0000
38685 -@@ -58,7 +58,7 @@ static int alloc_ldt(mm_context_t *pc, i
38686 - #ifdef CONFIG_SMP
38687 - cpumask_t mask;
38688 - preempt_disable();
38689 -- load_LDT(pc);
38690 -+ load_LDT_nolock(pc);
38691 - mask = cpumask_of_cpu(smp_processor_id());
38692 - if (!cpus_equal(current->mm->cpu_vm_mask, mask))
38693 - smp_call_function(flush_ldt, NULL, 1, 1);
38694 -@@ -102,6 +102,22 @@ int init_new_context(struct task_struct
38695 - retval = copy_ldt(&mm->context, &old_mm->context);
38696 - up(&old_mm->context.sem);
38697 - }
38698 -+
38699 -+ if (tsk == current) {
38700 -+ mm->context.vdso = ~0UL;
38701 -+
38702 -+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
38703 -+ mm->context.user_cs_base = 0UL;
38704 -+ mm->context.user_cs_limit = ~0UL;
38705 -+
38706 -+#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP)
38707 -+ cpus_clear(mm->context.cpu_user_cs_mask);
38708 -+#endif
38709 -+
38710 -+#endif
38711 -+
38712 -+ }
38713 -+
38714 - return retval;
38715 - }
38716 -
38717 -@@ -212,6 +228,13 @@ static int write_ldt(void __user * ptr,
38718 - }
38719 - }
38720 -
38721 -+#ifdef CONFIG_PAX_SEGMEXEC
38722 -+ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (ldt_info.contents & MODIFY_LDT_CONTENTS_CODE)) {
38723 -+ error = -EINVAL;
38724 -+ goto out_unlock;
38725 -+ }
38726 -+#endif
38727 -+
38728 - entry_1 = LDT_entry_a(&ldt_info);
38729 - entry_2 = LDT_entry_b(&ldt_info);
38730 - if (oldmode)
38731 -diff -Nurp linux-2.6.23.15/arch/i386/kernel/machine_kexec.c linux-2.6.23.15-grsec/arch/i386/kernel/machine_kexec.c
38732 ---- linux-2.6.23.15/arch/i386/kernel/machine_kexec.c 2007-10-09 21:31:38.000000000 +0100
38733 -+++ linux-2.6.23.15-grsec/arch/i386/kernel/machine_kexec.c 2008-02-11 10:37:44.000000000 +0000
38734 -@@ -29,25 +29,25 @@ static u32 kexec_pmd1[1024] PAGE_ALIGNED
38735 - static u32 kexec_pte0[1024] PAGE_ALIGNED;
38736 - static u32 kexec_pte1[1024] PAGE_ALIGNED;
38737 -
38738 --static void set_idt(void *newidt, __u16 limit)
38739 -+static void set_idt(struct desc_struct *newidt, __u16 limit)
38740 - {
38741 - struct Xgt_desc_struct curidt;
38742 -
38743 - /* ia32 supports unaliged loads & stores */
38744 - curidt.size = limit;
38745 -- curidt.address = (unsigned long)newidt;
38746 -+ curidt.address = newidt;
38747 -
38748 - load_idt(&curidt);
38749 - };
38750 -
38751 -
38752 --static void set_gdt(void *newgdt, __u16 limit)
38753 -+static void set_gdt(struct desc_struct *newgdt, __u16 limit)
38754 - {
38755 - struct Xgt_desc_struct curgdt;
38756 -
38757 - /* ia32 supports unaligned loads & stores */
38758 - curgdt.size = limit;
38759 -- curgdt.address = (unsigned long)newgdt;
38760 -+ curgdt.address = newgdt;
38761 -
38762 - load_gdt(&curgdt);
38763 - };
38764 -@@ -110,10 +110,10 @@ NORET_TYPE void machine_kexec(struct kim
38765 - local_irq_disable();
38766 -
38767 - control_page = page_address(image->control_code_page);
38768 -- memcpy(control_page, relocate_kernel, PAGE_SIZE);
38769 -+ memcpy(control_page, relocate_kernel + __KERNEL_TEXT_OFFSET, PAGE_SIZE);
38770 -
38771 - page_list[PA_CONTROL_PAGE] = __pa(control_page);
38772 -- page_list[VA_CONTROL_PAGE] = (unsigned long)relocate_kernel;
38773 -+ page_list[VA_CONTROL_PAGE] = (unsigned long)relocate_kernel + __KERNEL_TEXT_OFFSET;
38774 - page_list[PA_PGD] = __pa(kexec_pgd);
38775 - page_list[VA_PGD] = (unsigned long)kexec_pgd;
38776 - #ifdef CONFIG_X86_PAE
38777 -diff -Nurp linux-2.6.23.15/arch/i386/kernel/module.c linux-2.6.23.15-grsec/arch/i386/kernel/module.c
38778 ---- linux-2.6.23.15/arch/i386/kernel/module.c 2007-10-09 21:31:38.000000000 +0100
38779 -+++ linux-2.6.23.15-grsec/arch/i386/kernel/module.c 2008-02-11 10:37:44.000000000 +0000
38780 -@@ -23,6 +23,8 @@
38781 - #include <linux/kernel.h>
38782 - #include <linux/bug.h>
38783 -
38784 -+#include <asm/desc.h>
38785 -+
38786 - #if 0
38787 - #define DEBUGP printk
38788 - #else
38789 -@@ -33,9 +35,30 @@ void *module_alloc(unsigned long size)
38790 - {
38791 - if (size == 0)
38792 - return NULL;
38793 -+
38794 -+#ifdef CONFIG_PAX_KERNEXEC
38795 -+ return vmalloc(size);
38796 -+#else
38797 - return vmalloc_exec(size);
38798 -+#endif
38799 -+
38800 - }
38801 -
38802 -+#ifdef CONFIG_PAX_KERNEXEC
38803 -+void *module_alloc_exec(unsigned long size)
38804 -+{
38805 -+ struct vm_struct *area;
38806 -+
38807 -+ if (size == 0)
38808 -+ return NULL;
38809 -+
38810 -+ area = __get_vm_area(size, VM_ALLOC, (unsigned long)&MODULES_VADDR, (unsigned long)&MODULES_END);
38811 -+ if (area)
38812 -+ return area->addr;
38813 -+
38814 -+ return NULL;
38815 -+}
38816 -+#endif
38817 -
38818 - /* Free memory returned from module_alloc */
38819 - void module_free(struct module *mod, void *module_region)
38820 -@@ -45,6 +68,45 @@ void module_free(struct module *mod, voi
38821 - table entries. */
38822 - }
38823 -
38824 -+#ifdef CONFIG_PAX_KERNEXEC
38825 -+void module_free_exec(struct module *mod, void *module_region)
38826 -+{
38827 -+ struct vm_struct **p, *tmp;
38828 -+
38829 -+ if (!module_region)
38830 -+ return;
38831 -+
38832 -+ if ((PAGE_SIZE-1) & (unsigned long)module_region) {
38833 -+ printk(KERN_ERR "Trying to module_free_exec() bad address (%p)\n", module_region);
38834 -+ WARN_ON(1);
38835 -+ return;
38836 -+ }
38837 -+
38838 -+ write_lock(&vmlist_lock);
38839 -+ for (p = &vmlist; (tmp = *p) != NULL; p = &tmp->next)
38840 -+ if (tmp->addr == module_region)
38841 -+ break;
38842 -+
38843 -+ if (tmp) {
38844 -+ unsigned long cr0;
38845 -+
38846 -+ pax_open_kernel(cr0);
38847 -+ memset(tmp->addr, 0xCC, tmp->size);
38848 -+ pax_close_kernel(cr0);
38849 -+
38850 -+ *p = tmp->next;
38851 -+ kfree(tmp);
38852 -+ }
38853 -+ write_unlock(&vmlist_lock);
38854 -+
38855 -+ if (!tmp) {
38856 -+ printk(KERN_ERR "Trying to module_free_exec() nonexistent vm area (%p)\n",
38857 -+ module_region);
38858 -+ WARN_ON(1);
38859 -+ }
38860 -+}
38861 -+#endif
38862 -+
38863 - /* We don't need anything special. */
38864 - int module_frob_arch_sections(Elf_Ehdr *hdr,
38865 - Elf_Shdr *sechdrs,
38866 -@@ -63,14 +125,20 @@ int apply_relocate(Elf32_Shdr *sechdrs,
38867 - unsigned int i;
38868 - Elf32_Rel *rel = (void *)sechdrs[relsec].sh_addr;
38869 - Elf32_Sym *sym;
38870 -- uint32_t *location;
38871 -+ uint32_t *plocation, location;
38872 -+
38873 -+#ifdef CONFIG_PAX_KERNEXEC
38874 -+ unsigned long cr0;
38875 -+#endif
38876 -
38877 - DEBUGP("Applying relocate section %u to %u\n", relsec,
38878 - sechdrs[relsec].sh_info);
38879 - for (i = 0; i < sechdrs[relsec].sh_size / sizeof(*rel); i++) {
38880 - /* This is where to make the change */
38881 -- location = (void *)sechdrs[sechdrs[relsec].sh_info].sh_addr
38882 -- + rel[i].r_offset;
38883 -+ plocation = (void *)sechdrs[sechdrs[relsec].sh_info].sh_addr + rel[i].r_offset;
38884 -+ location = (uint32_t)plocation;
38885 -+ if (sechdrs[sechdrs[relsec].sh_info].sh_flags & SHF_EXECINSTR)
38886 -+ plocation = (void *)plocation + __KERNEL_TEXT_OFFSET;
38887 - /* This is the symbol it is referring to. Note that all
38888 - undefined symbols have been resolved. */
38889 - sym = (Elf32_Sym *)sechdrs[symindex].sh_addr
38890 -@@ -78,12 +146,32 @@ int apply_relocate(Elf32_Shdr *sechdrs,
38891 -
38892 - switch (ELF32_R_TYPE(rel[i].r_info)) {
38893 - case R_386_32:
38894 -+
38895 -+#ifdef CONFIG_PAX_KERNEXEC
38896 -+ pax_open_kernel(cr0);
38897 -+#endif
38898 -+
38899 - /* We add the value into the location given */
38900 -- *location += sym->st_value;
38901 -+ *plocation += sym->st_value;
38902 -+
38903 -+#ifdef CONFIG_PAX_KERNEXEC
38904 -+ pax_close_kernel(cr0);
38905 -+#endif
38906 -+
38907 - break;
38908 - case R_386_PC32:
38909 -+
38910 -+#ifdef CONFIG_PAX_KERNEXEC
38911 -+ pax_open_kernel(cr0);
38912 -+#endif
38913 -+
38914 - /* Add the value, subtract its postition */
38915 -- *location += sym->st_value - (uint32_t)location;
38916 -+ *plocation += sym->st_value - location;
38917 -+
38918 -+#ifdef CONFIG_PAX_KERNEXEC
38919 -+ pax_close_kernel(cr0);
38920 -+#endif
38921 -+
38922 - break;
38923 - default:
38924 - printk(KERN_ERR "module %s: Unknown relocation: %u\n",
38925 -diff -Nurp linux-2.6.23.15/arch/i386/kernel/paravirt.c linux-2.6.23.15-grsec/arch/i386/kernel/paravirt.c
38926 ---- linux-2.6.23.15/arch/i386/kernel/paravirt.c 2007-10-09 21:31:38.000000000 +0100
38927 -+++ linux-2.6.23.15-grsec/arch/i386/kernel/paravirt.c 2008-02-11 10:37:44.000000000 +0000
38928 -@@ -198,7 +198,7 @@ unsigned paravirt_patch_insns(void *insn
38929 - if (insn_len > len || start == NULL)
38930 - insn_len = len;
38931 - else
38932 -- memcpy(insnbuf, start, insn_len);
38933 -+ memcpy(insnbuf, start + __KERNEL_TEXT_OFFSET, insn_len);
38934 -
38935 - return insn_len;
38936 - }
38937 -@@ -273,7 +273,7 @@ int paravirt_disable_iospace(void)
38938 - return ret;
38939 - }
38940 -
38941 --struct paravirt_ops paravirt_ops = {
38942 -+struct paravirt_ops paravirt_ops __read_only = {
38943 - .name = "bare hardware",
38944 - .paravirt_enabled = 0,
38945 - .kernel_rpl = 0,
38946 -diff -Nurp linux-2.6.23.15/arch/i386/kernel/process.c linux-2.6.23.15-grsec/arch/i386/kernel/process.c
38947 ---- linux-2.6.23.15/arch/i386/kernel/process.c 2007-10-09 21:31:38.000000000 +0100
38948 -+++ linux-2.6.23.15-grsec/arch/i386/kernel/process.c 2008-02-11 10:37:44.000000000 +0000
38949 -@@ -68,15 +68,17 @@ EXPORT_SYMBOL(boot_option_idle_override)
38950 - DEFINE_PER_CPU(struct task_struct *, current_task) = &init_task;
38951 - EXPORT_PER_CPU_SYMBOL(current_task);
38952 -
38953 -+#ifdef CONFIG_SMP
38954 - DEFINE_PER_CPU(int, cpu_number);
38955 - EXPORT_PER_CPU_SYMBOL(cpu_number);
38956 -+#endif
38957 -
38958 - /*
38959 - * Return saved PC of a blocked thread.
38960 - */
38961 - unsigned long thread_saved_pc(struct task_struct *tsk)
38962 - {
38963 -- return ((unsigned long *)tsk->thread.esp)[3];
38964 -+ return tsk->thread.eip;
38965 - }
38966 -
38967 - /*
38968 -@@ -307,7 +309,7 @@ void show_regs(struct pt_regs * regs)
38969 - printk("EIP: %04x:[<%08lx>] CPU: %d\n",0xffff & regs->xcs,regs->eip, smp_processor_id());
38970 - print_symbol("EIP is at %s\n", regs->eip);
38971 -
38972 -- if (user_mode_vm(regs))
38973 -+ if (user_mode(regs))
38974 - printk(" ESP: %04x:%08lx",0xffff & regs->xss,regs->esp);
38975 - printk(" EFLAGS: %08lx %s (%s %.*s)\n",
38976 - regs->eflags, print_tainted(), init_utsname()->release,
38977 -@@ -358,8 +360,8 @@ int kernel_thread(int (*fn)(void *), voi
38978 - regs.ebx = (unsigned long) fn;
38979 - regs.edx = (unsigned long) arg;
38980 -
38981 -- regs.xds = __USER_DS;
38982 -- regs.xes = __USER_DS;
38983 -+ regs.xds = __KERNEL_DS;
38984 -+ regs.xes = __KERNEL_DS;
38985 - regs.xfs = __KERNEL_PERCPU;
38986 - regs.orig_eax = -1;
38987 - regs.eip = (unsigned long) kernel_thread_helper;
38988 -@@ -381,7 +383,7 @@ void exit_thread(void)
38989 - struct task_struct *tsk = current;
38990 - struct thread_struct *t = &tsk->thread;
38991 - int cpu = get_cpu();
38992 -- struct tss_struct *tss = &per_cpu(init_tss, cpu);
38993 -+ struct tss_struct *tss = init_tss + cpu;
38994 -
38995 - kfree(t->io_bitmap_ptr);
38996 - t->io_bitmap_ptr = NULL;
38997 -@@ -402,6 +404,7 @@ void flush_thread(void)
38998 - {
38999 - struct task_struct *tsk = current;
39000 -
39001 -+ __asm__("mov %0,%%gs\n" : : "r" (0) : "memory");
39002 - memset(tsk->thread.debugreg, 0, sizeof(unsigned long)*8);
39003 - memset(tsk->thread.tls_array, 0, sizeof(tsk->thread.tls_array));
39004 - clear_tsk_thread_flag(tsk, TIF_DEBUG);
39005 -@@ -435,7 +438,7 @@ int copy_thread(int nr, unsigned long cl
39006 - struct task_struct *tsk;
39007 - int err;
39008 -
39009 -- childregs = task_pt_regs(p);
39010 -+ childregs = task_stack_page(p) + THREAD_SIZE - sizeof(struct pt_regs) - 8;
39011 - *childregs = *regs;
39012 - childregs->eax = 0;
39013 - childregs->esp = esp;
39014 -@@ -477,6 +480,11 @@ int copy_thread(int nr, unsigned long cl
39015 - if (idx < GDT_ENTRY_TLS_MIN || idx > GDT_ENTRY_TLS_MAX)
39016 - goto out;
39017 -
39018 -+#ifdef CONFIG_PAX_SEGMEXEC
39019 -+ if ((current->mm->pax_flags & MF_PAX_SEGMEXEC) && (info.contents & MODIFY_LDT_CONTENTS_CODE))
39020 -+ goto out;
39021 -+#endif
39022 -+
39023 - desc = p->thread.tls_array + idx - GDT_ENTRY_TLS_MIN;
39024 - desc->a = LDT_entry_a(&info);
39025 - desc->b = LDT_entry_b(&info);
39026 -@@ -663,7 +671,7 @@ struct task_struct fastcall * __switch_t
39027 - struct thread_struct *prev = &prev_p->thread,
39028 - *next = &next_p->thread;
39029 - int cpu = smp_processor_id();
39030 -- struct tss_struct *tss = &per_cpu(init_tss, cpu);
39031 -+ struct tss_struct *tss = init_tss + cpu;
39032 -
39033 - /* never put a printk in __switch_to... printk() calls wake_up*() indirectly */
39034 -
39035 -@@ -691,6 +699,11 @@ struct task_struct fastcall * __switch_t
39036 - */
39037 - savesegment(gs, prev->gs);
39038 -
39039 -+#ifdef CONFIG_PAX_MEMORY_UDEREF
39040 -+ if (!segment_eq(task_thread_info(prev_p)->addr_limit, task_thread_info(next_p)->addr_limit))
39041 -+ __set_fs(task_thread_info(next_p)->addr_limit, cpu);
39042 -+#endif
39043 -+
39044 - /*
39045 - * Load the per-thread Thread-Local Storage descriptor.
39046 - */
39047 -@@ -855,6 +868,12 @@ asmlinkage int sys_set_thread_area(struc
39048 -
39049 - if (copy_from_user(&info, u_info, sizeof(info)))
39050 - return -EFAULT;
39051 -+
39052 -+#ifdef CONFIG_PAX_SEGMEXEC
39053 -+ if ((current->mm->pax_flags & MF_PAX_SEGMEXEC) && (info.contents & MODIFY_LDT_CONTENTS_CODE))
39054 -+ return -EINVAL;
39055 -+#endif
39056 -+
39057 - idx = info.entry_number;
39058 -
39059 - /*
39060 -@@ -943,9 +962,28 @@ asmlinkage int sys_get_thread_area(struc
39061 - return 0;
39062 - }
39063 -
39064 --unsigned long arch_align_stack(unsigned long sp)
39065 -+#ifdef CONFIG_PAX_RANDKSTACK
39066 -+asmlinkage void pax_randomize_kstack(void)
39067 - {
39068 -- if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
39069 -- sp -= get_random_int() % 8192;
39070 -- return sp & ~0xf;
39071 -+ struct tss_struct *tss;
39072 -+ unsigned long time;
39073 -+
39074 -+ if (!randomize_va_space)
39075 -+ return;
39076 -+
39077 -+ tss = init_tss + smp_processor_id();
39078 -+ rdtscl(time);
39079 -+
39080 -+ /* P4 seems to return a 0 LSB, ignore it */
39081 -+#ifdef CONFIG_MPENTIUM4
39082 -+ time &= 0x1EUL;
39083 -+ time <<= 2;
39084 -+#else
39085 -+ time &= 0xFUL;
39086 -+ time <<= 3;
39087 -+#endif
39088 -+
39089 -+ tss->x86_tss.esp0 ^= time;
39090 -+ current->thread.esp0 = tss->x86_tss.esp0;
39091 - }
39092 -+#endif
39093 -diff -Nurp linux-2.6.23.15/arch/i386/kernel/ptrace.c linux-2.6.23.15-grsec/arch/i386/kernel/ptrace.c
39094 ---- linux-2.6.23.15/arch/i386/kernel/ptrace.c 2007-10-09 21:31:38.000000000 +0100
39095 -+++ linux-2.6.23.15-grsec/arch/i386/kernel/ptrace.c 2008-02-11 10:37:44.000000000 +0000
39096 -@@ -161,22 +161,20 @@ static unsigned long convert_eip_to_line
39097 - * and APM bios ones we just ignore here.
39098 - */
39099 - if (seg & LDT_SEGMENT) {
39100 -- u32 *desc;
39101 -+ struct desc_struct *desc;
39102 - unsigned long base;
39103 -
39104 - seg &= ~7UL;
39105 -
39106 - down(&child->mm->context.sem);
39107 - if (unlikely((seg >> 3) >= child->mm->context.size))
39108 -- addr = -1L; /* bogus selector, access would fault */
39109 -+ addr = -EINVAL;
39110 - else {
39111 -- desc = child->mm->context.ldt + seg;
39112 -- base = ((desc[0] >> 16) |
39113 -- ((desc[1] & 0xff) << 16) |
39114 -- (desc[1] & 0xff000000));
39115 -+ desc = &child->mm->context.ldt[seg >> 3];
39116 -+ base = (desc->a >> 16) | ((desc->b & 0xff) << 16) | (desc->b & 0xff000000);
39117 -
39118 - /* 16-bit code segment? */
39119 -- if (!((desc[1] >> 22) & 1))
39120 -+ if (!((desc->b >> 22) & 1))
39121 - addr &= 0xffff;
39122 - addr += base;
39123 - }
39124 -@@ -191,6 +189,9 @@ static inline int is_setting_trap_flag(s
39125 - unsigned char opcode[15];
39126 - unsigned long addr = convert_eip_to_linear(child, regs);
39127 -
39128 -+ if (addr == -EINVAL)
39129 -+ return 0;
39130 -+
39131 - copied = access_process_vm(child, addr, opcode, sizeof(opcode), 0);
39132 - for (i = 0; i < copied; i++) {
39133 - switch (opcode[i]) {
39134 -@@ -341,6 +342,11 @@ ptrace_set_thread_area(struct task_struc
39135 - if (copy_from_user(&info, user_desc, sizeof(info)))
39136 - return -EFAULT;
39137 -
39138 -+#ifdef CONFIG_PAX_SEGMEXEC
39139 -+ if ((child->mm->pax_flags & MF_PAX_SEGMEXEC) && (info.contents & MODIFY_LDT_CONTENTS_CODE))
39140 -+ return -EINVAL;
39141 -+#endif
39142 -+
39143 - if (idx < GDT_ENTRY_TLS_MIN || idx > GDT_ENTRY_TLS_MAX)
39144 - return -EINVAL;
39145 -
39146 -@@ -420,6 +426,17 @@ long arch_ptrace(struct task_struct *chi
39147 - if(addr == (long) &dummy->u_debugreg[5]) break;
39148 - if(addr < (long) &dummy->u_debugreg[4] &&
39149 - ((unsigned long) data) >= TASK_SIZE-3) break;
39150 -+
39151 -+#ifdef CONFIG_GRKERNSEC
39152 -+ if(addr >= (long) &dummy->u_debugreg[0] &&
39153 -+ addr <= (long) &dummy->u_debugreg[3]){
39154 -+ long reg = (addr - (long) &dummy->u_debugreg[0]) >> 2;
39155 -+ long type = (child->thread.debugreg[7] >> (DR_CONTROL_SHIFT + 4*reg)) & 3;
39156 -+ long align = (child->thread.debugreg[7] >> (DR_CONTROL_SHIFT + 2 + 4*reg)) & 3;
39157 -+ if((type & 1) && (data & align))
39158 -+ break;
39159 -+ }
39160 -+#endif
39161 -
39162 - /* Sanity-check data. Take one half-byte at once with
39163 - * check = (val >> (16 + 4*i)) & 0xf. It contains the
39164 -@@ -636,7 +653,7 @@ void send_sigtrap(struct task_struct *ts
39165 - info.si_code = TRAP_BRKPT;
39166 -
39167 - /* User-mode eip? */
39168 -- info.si_addr = user_mode_vm(regs) ? (void __user *) regs->eip : NULL;
39169 -+ info.si_addr = user_mode(regs) ? (void __user *) regs->eip : NULL;
39170 -
39171 - /* Send us the fakey SIGTRAP */
39172 - force_sig_info(SIGTRAP, &info, tsk);
39173 -diff -Nurp linux-2.6.23.15/arch/i386/kernel/reboot.c linux-2.6.23.15-grsec/arch/i386/kernel/reboot.c
39174 ---- linux-2.6.23.15/arch/i386/kernel/reboot.c 2007-10-09 21:31:38.000000000 +0100
39175 -+++ linux-2.6.23.15-grsec/arch/i386/kernel/reboot.c 2008-02-11 10:37:44.000000000 +0000
39176 -@@ -26,7 +26,7 @@
39177 - void (*pm_power_off)(void);
39178 - EXPORT_SYMBOL(pm_power_off);
39179 -
39180 --static int reboot_mode;
39181 -+static unsigned short reboot_mode;
39182 - static int reboot_thru_bios;
39183 -
39184 - #ifdef CONFIG_SMP
39185 -@@ -138,7 +138,7 @@ static struct dmi_system_id __initdata r
39186 - DMI_MATCH(DMI_PRODUCT_NAME, "HP Compaq"),
39187 - },
39188 - },
39189 -- { }
39190 -+ { NULL, NULL, {{0, NULL}}, NULL}
39191 - };
39192 -
39193 - static int __init reboot_init(void)
39194 -@@ -156,18 +156,18 @@ core_initcall(reboot_init);
39195 - doesn't work with at least one type of 486 motherboard. It is easy
39196 - to stop this code working; hence the copious comments. */
39197 -
39198 --static unsigned long long
39199 --real_mode_gdt_entries [3] =
39200 -+static struct desc_struct
39201 -+real_mode_gdt_entries [3] __read_only =
39202 - {
39203 -- 0x0000000000000000ULL, /* Null descriptor */
39204 -- 0x00009a000000ffffULL, /* 16-bit real-mode 64k code at 0x00000000 */
39205 -- 0x000092000100ffffULL /* 16-bit real-mode 64k data at 0x00000100 */
39206 -+ {0x00000000, 0x00000000}, /* Null descriptor */
39207 -+ {0x0000ffff, 0x00009b00}, /* 16-bit real-mode 64k code at 0x00000000 */
39208 -+ {0x0100ffff, 0x00009300} /* 16-bit real-mode 64k data at 0x00000100 */
39209 - };
39210 -
39211 --static struct Xgt_desc_struct
39212 --real_mode_gdt = { sizeof (real_mode_gdt_entries) - 1, (long)real_mode_gdt_entries },
39213 --real_mode_idt = { 0x3ff, 0 },
39214 --no_idt = { 0, 0 };
39215 -+static const struct Xgt_desc_struct
39216 -+real_mode_gdt = { sizeof (real_mode_gdt_entries) - 1, (struct desc_struct *)__pa(real_mode_gdt_entries), 0 },
39217 -+real_mode_idt = { 0x3ff, NULL, 0 },
39218 -+no_idt = { 0, NULL, 0 };
39219 -
39220 -
39221 - /* This is 16-bit protected mode code to disable paging and the cache,
39222 -@@ -189,7 +189,7 @@ no_idt = { 0, 0 };
39223 - More could be done here to set up the registers as if a CPU reset had
39224 - occurred; hopefully real BIOSs don't assume much. */
39225 -
39226 --static unsigned char real_mode_switch [] =
39227 -+static const unsigned char real_mode_switch [] =
39228 - {
39229 - 0x66, 0x0f, 0x20, 0xc0, /* movl %cr0,%eax */
39230 - 0x66, 0x83, 0xe0, 0x11, /* andl $0x00000011,%eax */
39231 -@@ -203,7 +203,7 @@ static unsigned char real_mode_switch []
39232 - 0x24, 0x10, /* f: andb $0x10,al */
39233 - 0x66, 0x0f, 0x22, 0xc0 /* movl %eax,%cr0 */
39234 - };
39235 --static unsigned char jump_to_bios [] =
39236 -+static const unsigned char jump_to_bios [] =
39237 - {
39238 - 0xea, 0x00, 0x00, 0xff, 0xff /* ljmp $0xffff,$0x0000 */
39239 - };
39240 -@@ -213,7 +213,7 @@ static unsigned char jump_to_bios [] =
39241 - * specified by the code and length parameters.
39242 - * We assume that length will aways be less that 100!
39243 - */
39244 --void machine_real_restart(unsigned char *code, int length)
39245 -+void machine_real_restart(const unsigned char *code, unsigned int length)
39246 - {
39247 - local_irq_disable();
39248 -
39249 -@@ -234,9 +234,8 @@ void machine_real_restart(unsigned char
39250 - /* Remap the kernel at virtual address zero, as well as offset zero
39251 - from the kernel segment. This assumes the kernel segment starts at
39252 - virtual address PAGE_OFFSET. */
39253 --
39254 -- memcpy (swapper_pg_dir, swapper_pg_dir + USER_PGD_PTRS,
39255 -- sizeof (swapper_pg_dir [0]) * KERNEL_PGD_PTRS);
39256 -+ clone_pgd_range(swapper_pg_dir, swapper_pg_dir + USER_PGD_PTRS,
39257 -+ min_t(unsigned long, KERNEL_PGD_PTRS, USER_PGD_PTRS));
39258 -
39259 - /*
39260 - * Use `swapper_pg_dir' as our page directory.
39261 -@@ -249,7 +248,7 @@ void machine_real_restart(unsigned char
39262 - REBOOT.COM programs, and the previous reset routine did this
39263 - too. */
39264 -
39265 -- *((unsigned short *)0x472) = reboot_mode;
39266 -+ *(unsigned short *)(__va(0x472)) = reboot_mode;
39267 -
39268 - /* For the switch to real mode, copy some code to low memory. It has
39269 - to be in the first 64k because it is running in 16-bit mode, and it
39270 -@@ -257,9 +256,8 @@ void machine_real_restart(unsigned char
39271 - off paging. Copy it near the end of the first page, out of the way
39272 - of BIOS variables. */
39273 -
39274 -- memcpy ((void *) (0x1000 - sizeof (real_mode_switch) - 100),
39275 -- real_mode_switch, sizeof (real_mode_switch));
39276 -- memcpy ((void *) (0x1000 - 100), code, length);
39277 -+ memcpy(__va(0x1000 - sizeof (real_mode_switch) - 100), real_mode_switch, sizeof (real_mode_switch));
39278 -+ memcpy(__va(0x1000 - 100), code, length);
39279 -
39280 - /* Set up the IDT for real mode. */
39281 -
39282 -@@ -345,7 +343,7 @@ static void native_machine_emergency_res
39283 - __asm__ __volatile__("int3");
39284 - }
39285 - /* rebooting needs to touch the page at absolute addr 0 */
39286 -- *((unsigned short *)__va(0x472)) = reboot_mode;
39287 -+ *(unsigned short *)(__va(0x472)) = reboot_mode;
39288 - for (;;) {
39289 - mach_reboot_fixups(); /* for board specific fixups */
39290 - mach_reboot();
39291 -diff -Nurp linux-2.6.23.15/arch/i386/kernel/setup.c linux-2.6.23.15-grsec/arch/i386/kernel/setup.c
39292 ---- linux-2.6.23.15/arch/i386/kernel/setup.c 2007-10-09 21:31:38.000000000 +0100
39293 -+++ linux-2.6.23.15-grsec/arch/i386/kernel/setup.c 2008-02-11 10:37:44.000000000 +0000
39294 -@@ -82,7 +82,11 @@ struct cpuinfo_x86 new_cpu_data __cpuini
39295 - struct cpuinfo_x86 boot_cpu_data __read_mostly = { 0, 0, 0, 0, -1, 1, 0, 0, -1 };
39296 - EXPORT_SYMBOL(boot_cpu_data);
39297 -
39298 -+#ifdef CONFIG_X86_PAE
39299 -+unsigned long mmu_cr4_features = X86_CR4_PAE;
39300 -+#else
39301 - unsigned long mmu_cr4_features;
39302 -+#endif
39303 -
39304 - /* for MCA, but anyone else can use it if they want */
39305 - unsigned int machine_id;
39306 -@@ -395,8 +399,8 @@ void __init setup_bootmem_allocator(void
39307 - * the (very unlikely) case of us accidentally initializing the
39308 - * bootmem allocator with an invalid RAM area.
39309 - */
39310 -- reserve_bootmem(__pa_symbol(_text), (PFN_PHYS(min_low_pfn) +
39311 -- bootmap_size + PAGE_SIZE-1) - __pa_symbol(_text));
39312 -+ reserve_bootmem(LOAD_PHYSICAL_ADDR, (PFN_PHYS(min_low_pfn) +
39313 -+ bootmap_size + PAGE_SIZE-1) - LOAD_PHYSICAL_ADDR);
39314 -
39315 - /*
39316 - * reserve physical page 0 - it's a special BIOS page on many boxes,
39317 -@@ -549,14 +553,14 @@ void __init setup_arch(char **cmdline_p)
39318 -
39319 - if (!MOUNT_ROOT_RDONLY)
39320 - root_mountflags &= ~MS_RDONLY;
39321 -- init_mm.start_code = (unsigned long) _text;
39322 -- init_mm.end_code = (unsigned long) _etext;
39323 -+ init_mm.start_code = (unsigned long) _text + __KERNEL_TEXT_OFFSET;
39324 -+ init_mm.end_code = (unsigned long) _etext + __KERNEL_TEXT_OFFSET;
39325 - init_mm.end_data = (unsigned long) _edata;
39326 - init_mm.brk = init_pg_tables_end + PAGE_OFFSET;
39327 -
39328 -- code_resource.start = virt_to_phys(_text);
39329 -- code_resource.end = virt_to_phys(_etext)-1;
39330 -- data_resource.start = virt_to_phys(_etext);
39331 -+ code_resource.start = virt_to_phys(_text + __KERNEL_TEXT_OFFSET);
39332 -+ code_resource.end = virt_to_phys(_etext + __KERNEL_TEXT_OFFSET)-1;
39333 -+ data_resource.start = virt_to_phys(_data);
39334 - data_resource.end = virt_to_phys(_edata)-1;
39335 -
39336 - parse_early_param();
39337 -@@ -651,3 +655,23 @@ void __init setup_arch(char **cmdline_p)
39338 - #endif
39339 - #endif
39340 - }
39341 -+
39342 -+unsigned long __per_cpu_offset[NR_CPUS] __read_only;
39343 -+
39344 -+EXPORT_SYMBOL(__per_cpu_offset);
39345 -+
39346 -+void __init setup_per_cpu_areas(void)
39347 -+{
39348 -+ unsigned long size, i;
39349 -+ char *ptr;
39350 -+
39351 -+ /* Copy section for each CPU (we discard the original) */
39352 -+ size = ALIGN(PERCPU_ENOUGH_ROOM, PAGE_SIZE);
39353 -+ ptr = alloc_bootmem_pages(size * num_possible_cpus());
39354 -+
39355 -+ for_each_possible_cpu(i) {
39356 -+ __per_cpu_offset[i] = (unsigned long)ptr;
39357 -+ memcpy(ptr, __per_cpu_start, __per_cpu_end - __per_cpu_start);
39358 -+ ptr += size;
39359 -+ }
39360 -+}
39361 -diff -Nurp linux-2.6.23.15/arch/i386/kernel/signal.c linux-2.6.23.15-grsec/arch/i386/kernel/signal.c
39362 ---- linux-2.6.23.15/arch/i386/kernel/signal.c 2007-10-09 21:31:38.000000000 +0100
39363 -+++ linux-2.6.23.15-grsec/arch/i386/kernel/signal.c 2008-02-11 10:37:44.000000000 +0000
39364 -@@ -357,9 +357,9 @@ static int setup_frame(int sig, struct k
39365 - }
39366 -
39367 - if (current->binfmt->hasvdso)
39368 -- restorer = (void *)VDSO_SYM(&__kernel_sigreturn);
39369 -+ restorer = (void __user *)VDSO_SYM(&__kernel_sigreturn);
39370 - else
39371 -- restorer = (void *)&frame->retcode;
39372 -+ restorer = (void __user *)&frame->retcode;
39373 - if (ka->sa.sa_flags & SA_RESTORER)
39374 - restorer = ka->sa.sa_restorer;
39375 -
39376 -@@ -455,7 +455,8 @@ static int setup_rt_frame(int sig, struc
39377 - goto give_sigsegv;
39378 -
39379 - /* Set up to return from userspace. */
39380 -- restorer = (void *)VDSO_SYM(&__kernel_rt_sigreturn);
39381 -+
39382 -+ restorer = (void __user *)VDSO_SYM(&__kernel_rt_sigreturn);
39383 - if (ka->sa.sa_flags & SA_RESTORER)
39384 - restorer = ka->sa.sa_restorer;
39385 - err |= __put_user(restorer, &frame->pretcode);
39386 -@@ -588,7 +589,7 @@ static void fastcall do_signal(struct pt
39387 - * before reaching here, so testing against kernel
39388 - * CS suffices.
39389 - */
39390 -- if (!user_mode(regs))
39391 -+ if (!user_mode_novm(regs))
39392 - return;
39393 -
39394 - if (test_thread_flag(TIF_RESTORE_SIGMASK))
39395 -diff -Nurp linux-2.6.23.15/arch/i386/kernel/smp.c linux-2.6.23.15-grsec/arch/i386/kernel/smp.c
39396 ---- linux-2.6.23.15/arch/i386/kernel/smp.c 2007-10-09 21:31:38.000000000 +0100
39397 -+++ linux-2.6.23.15-grsec/arch/i386/kernel/smp.c 2008-02-11 10:37:44.000000000 +0000
39398 -@@ -104,7 +104,7 @@
39399 - * about nothing of note with C stepping upwards.
39400 - */
39401 -
39402 --DEFINE_PER_CPU(struct tlb_state, cpu_tlbstate) ____cacheline_aligned = { &init_mm, 0, };
39403 -+DEFINE_PER_CPU(struct tlb_state, cpu_tlbstate) ____cacheline_aligned = { &init_mm, 0, {0} };
39404 -
39405 - /*
39406 - * the following functions deal with sending IPIs between CPUs.
39407 -diff -Nurp linux-2.6.23.15/arch/i386/kernel/smpboot.c linux-2.6.23.15-grsec/arch/i386/kernel/smpboot.c
39408 ---- linux-2.6.23.15/arch/i386/kernel/smpboot.c 2007-10-09 21:31:38.000000000 +0100
39409 -+++ linux-2.6.23.15-grsec/arch/i386/kernel/smpboot.c 2008-02-11 10:37:44.000000000 +0000
39410 -@@ -118,7 +118,7 @@ DEFINE_PER_CPU(int, cpu_state) = { 0 };
39411 - * has made sure it's suitably aligned.
39412 - */
39413 -
39414 --static unsigned long __devinit setup_trampoline(void)
39415 -+static unsigned long __cpuinit setup_trampoline(void)
39416 - {
39417 - memcpy(trampoline_base, trampoline_data, trampoline_end - trampoline_data);
39418 - return virt_to_phys(trampoline_base);
39419 -@@ -772,6 +772,10 @@ static int __cpuinit do_boot_cpu(int api
39420 - unsigned long start_eip;
39421 - unsigned short nmi_high = 0, nmi_low = 0;
39422 -
39423 -+#ifdef CONFIG_PAX_KERNEXEC
39424 -+ unsigned long cr0;
39425 -+#endif
39426 -+
39427 - /*
39428 - * Save current MTRR state in case it was changed since early boot
39429 - * (e.g. by the ACPI SMI) to initialize new CPUs with MTRRs in sync:
39430 -@@ -788,7 +792,16 @@ static int __cpuinit do_boot_cpu(int api
39431 -
39432 - init_gdt(cpu);
39433 - per_cpu(current_task, cpu) = idle;
39434 -- early_gdt_descr.address = (unsigned long)get_cpu_gdt_table(cpu);
39435 -+
39436 -+#ifdef CONFIG_PAX_KERNEXEC
39437 -+ pax_open_kernel(cr0);
39438 -+#endif
39439 -+
39440 -+ early_gdt_descr.address = get_cpu_gdt_table(cpu);
39441 -+
39442 -+#ifdef CONFIG_PAX_KERNEXEC
39443 -+ pax_close_kernel(cr0);
39444 -+#endif
39445 -
39446 - idle->thread.eip = (unsigned long) start_secondary;
39447 - /* start_eip had better be page-aligned! */
39448 -@@ -1105,7 +1118,7 @@ static void __init smp_boot_cpus(unsigne
39449 - * construct cpu_sibling_map[], so that we can tell sibling CPUs
39450 - * efficiently.
39451 - */
39452 -- for (cpu = 0; cpu < NR_CPUS; cpu++) {
39453 -+ for_each_possible_cpu(cpu) {
39454 - cpus_clear(cpu_sibling_map[cpu]);
39455 - cpus_clear(cpu_core_map[cpu]);
39456 - }
39457 -diff -Nurp linux-2.6.23.15/arch/i386/kernel/smpcommon.c linux-2.6.23.15-grsec/arch/i386/kernel/smpcommon.c
39458 ---- linux-2.6.23.15/arch/i386/kernel/smpcommon.c 2007-10-09 21:31:38.000000000 +0100
39459 -+++ linux-2.6.23.15-grsec/arch/i386/kernel/smpcommon.c 2008-02-11 10:37:44.000000000 +0000
39460 -@@ -3,6 +3,7 @@
39461 - */
39462 - #include <linux/module.h>
39463 - #include <asm/smp.h>
39464 -+#include <asm/sections.h>
39465 -
39466 - DEFINE_PER_CPU(unsigned long, this_cpu_off);
39467 - EXPORT_PER_CPU_SYMBOL(this_cpu_off);
39468 -@@ -14,10 +15,29 @@ __cpuinit void init_gdt(int cpu)
39469 - {
39470 - struct desc_struct *gdt = get_cpu_gdt_table(cpu);
39471 -
39472 -- pack_descriptor((u32 *)&gdt[GDT_ENTRY_PERCPU].a,
39473 -- (u32 *)&gdt[GDT_ENTRY_PERCPU].b,
39474 -- __per_cpu_offset[cpu], 0xFFFFF,
39475 -- 0x80 | DESCTYPE_S | 0x2, 0x8);
39476 -+#ifdef CONFIG_PAX_KERNEXEC
39477 -+ unsigned long cr0;
39478 -+
39479 -+ pax_open_kernel(cr0);
39480 -+#endif
39481 -+
39482 -+ if (cpu)
39483 -+ memcpy(gdt, cpu_gdt_table, GDT_SIZE);
39484 -+
39485 -+ if (PERCPU_ENOUGH_ROOM <= 64*1024*1024)
39486 -+ pack_descriptor((__u32 *)&gdt[GDT_ENTRY_PERCPU].a,
39487 -+ (__u32 *)&gdt[GDT_ENTRY_PERCPU].b,
39488 -+ __per_cpu_offset[cpu], PERCPU_ENOUGH_ROOM-1,
39489 -+ 0x80 | DESCTYPE_S | 0x3, 0x4);
39490 -+ else
39491 -+ pack_descriptor((__u32 *)&gdt[GDT_ENTRY_PERCPU].a,
39492 -+ (__u32 *)&gdt[GDT_ENTRY_PERCPU].b,
39493 -+ __per_cpu_offset[cpu], ((PERCPU_ENOUGH_ROOM-1) >> PAGE_SHIFT),
39494 -+ 0x80 | DESCTYPE_S | 0x3, 0xC);
39495 -+
39496 -+#ifdef CONFIG_PAX_KERNEXEC
39497 -+ pax_close_kernel(cr0);
39498 -+#endif
39499 -
39500 - per_cpu(this_cpu_off, cpu) = __per_cpu_offset[cpu];
39501 - per_cpu(cpu_number, cpu) = cpu;
39502 -diff -Nurp linux-2.6.23.15/arch/i386/kernel/sys_i386.c linux-2.6.23.15-grsec/arch/i386/kernel/sys_i386.c
39503 ---- linux-2.6.23.15/arch/i386/kernel/sys_i386.c 2007-10-09 21:31:38.000000000 +0100
39504 -+++ linux-2.6.23.15-grsec/arch/i386/kernel/sys_i386.c 2008-02-11 10:37:44.000000000 +0000
39505 -@@ -41,6 +41,21 @@ asmlinkage int sys_pipe(unsigned long __
39506 - return error;
39507 - }
39508 -
39509 -+int i386_mmap_check(unsigned long addr, unsigned long len, unsigned long flags)
39510 -+{
39511 -+ unsigned long task_size = TASK_SIZE;
39512 -+
39513 -+#ifdef CONFIG_PAX_SEGMEXEC
39514 -+ if (current->mm->pax_flags & MF_PAX_SEGMEXEC)
39515 -+ task_size = SEGMEXEC_TASK_SIZE;
39516 -+#endif
39517 -+
39518 -+ if (len > task_size || addr > task_size - len)
39519 -+ return -EINVAL;
39520 -+
39521 -+ return 0;
39522 -+}
39523 -+
39524 - asmlinkage long sys_mmap2(unsigned long addr, unsigned long len,
39525 - unsigned long prot, unsigned long flags,
39526 - unsigned long fd, unsigned long pgoff)
39527 -@@ -100,6 +115,205 @@ out:
39528 - return err;
39529 - }
39530 -
39531 -+unsigned long
39532 -+arch_get_unmapped_area(struct file *filp, unsigned long addr,
39533 -+ unsigned long len, unsigned long pgoff, unsigned long flags)
39534 -+{
39535 -+ struct mm_struct *mm = current->mm;
39536 -+ struct vm_area_struct *vma;
39537 -+ unsigned long start_addr, task_size = TASK_SIZE;
39538 -+
39539 -+#ifdef CONFIG_PAX_SEGMEXEC
39540 -+ if (mm->pax_flags & MF_PAX_SEGMEXEC)
39541 -+ task_size = SEGMEXEC_TASK_SIZE;
39542 -+#endif
39543 -+
39544 -+ if (len > task_size)
39545 -+ return -ENOMEM;
39546 -+
39547 -+ if (flags & MAP_FIXED)
39548 -+ return addr;
39549 -+
39550 -+#ifdef CONFIG_PAX_RANDMMAP
39551 -+ if (!(mm->pax_flags & MF_PAX_RANDMMAP) || !filp)
39552 -+#endif
39553 -+
39554 -+ if (addr) {
39555 -+ addr = PAGE_ALIGN(addr);
39556 -+ vma = find_vma(mm, addr);
39557 -+ if (task_size - len >= addr &&
39558 -+ (!vma || addr + len <= vma->vm_start))
39559 -+ return addr;
39560 -+ }
39561 -+ if (len > mm->cached_hole_size) {
39562 -+ start_addr = addr = mm->free_area_cache;
39563 -+ } else {
39564 -+ start_addr = addr = mm->mmap_base;
39565 -+ mm->cached_hole_size = 0;
39566 -+ }
39567 -+
39568 -+#ifdef CONFIG_PAX_PAGEEXEC
39569 -+ if (!nx_enabled && (mm->pax_flags & MF_PAX_PAGEEXEC) && (flags & MAP_EXECUTABLE) && start_addr >= mm->mmap_base) {
39570 -+ start_addr = 0x00110000UL;
39571 -+
39572 -+#ifdef CONFIG_PAX_RANDMMAP
39573 -+ if (mm->pax_flags & MF_PAX_RANDMMAP)
39574 -+ start_addr += mm->delta_mmap & 0x03FFF000UL;
39575 -+#endif
39576 -+
39577 -+ if (mm->start_brk <= start_addr && start_addr < mm->mmap_base)
39578 -+ start_addr = addr = mm->mmap_base;
39579 -+ else
39580 -+ addr = start_addr;
39581 -+ }
39582 -+#endif
39583 -+
39584 -+full_search:
39585 -+ for (vma = find_vma(mm, addr); ; vma = vma->vm_next) {
39586 -+ /* At this point: (!vma || addr < vma->vm_end). */
39587 -+ if (task_size - len < addr) {
39588 -+ /*
39589 -+ * Start a new search - just in case we missed
39590 -+ * some holes.
39591 -+ */
39592 -+ if (start_addr != mm->mmap_base) {
39593 -+ start_addr = addr = mm->mmap_base;
39594 -+ mm->cached_hole_size = 0;
39595 -+ goto full_search;
39596 -+ }
39597 -+ return -ENOMEM;
39598 -+ }
39599 -+ if (!vma || addr + len <= vma->vm_start) {
39600 -+ /*
39601 -+ * Remember the place where we stopped the search:
39602 -+ */
39603 -+ mm->free_area_cache = addr + len;
39604 -+ return addr;
39605 -+ }
39606 -+ if (addr + mm->cached_hole_size < vma->vm_start)
39607 -+ mm->cached_hole_size = vma->vm_start - addr;
39608 -+ addr = vma->vm_end;
39609 -+ if (mm->start_brk <= addr && addr < mm->mmap_base) {
39610 -+ start_addr = addr = mm->mmap_base;
39611 -+ mm->cached_hole_size = 0;
39612 -+ goto full_search;
39613 -+ }
39614 -+ }
39615 -+}
39616 -+
39617 -+unsigned long
39618 -+arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
39619 -+ const unsigned long len, const unsigned long pgoff,
39620 -+ const unsigned long flags)
39621 -+{
39622 -+ struct vm_area_struct *vma;
39623 -+ struct mm_struct *mm = current->mm;
39624 -+ unsigned long base = mm->mmap_base, addr = addr0, task_size = TASK_SIZE;
39625 -+
39626 -+#ifdef CONFIG_PAX_SEGMEXEC
39627 -+ if (mm->pax_flags & MF_PAX_SEGMEXEC)
39628 -+ task_size = SEGMEXEC_TASK_SIZE;
39629 -+#endif
39630 -+
39631 -+ /* requested length too big for entire address space */
39632 -+ if (len > task_size)
39633 -+ return -ENOMEM;
39634 -+
39635 -+ if (flags & MAP_FIXED)
39636 -+ return addr;
39637 -+
39638 -+#ifdef CONFIG_PAX_PAGEEXEC
39639 -+ if (!nx_enabled && (mm->pax_flags & MF_PAX_PAGEEXEC) && (flags & MAP_EXECUTABLE))
39640 -+ goto bottomup;
39641 -+#endif
39642 -+
39643 -+#ifdef CONFIG_PAX_RANDMMAP
39644 -+ if (!(mm->pax_flags & MF_PAX_RANDMMAP) || !filp)
39645 -+#endif
39646 -+
39647 -+ /* requesting a specific address */
39648 -+ if (addr) {
39649 -+ addr = PAGE_ALIGN(addr);
39650 -+ vma = find_vma(mm, addr);
39651 -+ if (task_size - len >= addr &&
39652 -+ (!vma || addr + len <= vma->vm_start))
39653 -+ return addr;
39654 -+ }
39655 -+
39656 -+ /* check if free_area_cache is useful for us */
39657 -+ if (len <= mm->cached_hole_size) {
39658 -+ mm->cached_hole_size = 0;
39659 -+ mm->free_area_cache = mm->mmap_base;
39660 -+ }
39661 -+
39662 -+ /* either no address requested or can't fit in requested address hole */
39663 -+ addr = mm->free_area_cache;
39664 -+
39665 -+ /* make sure it can fit in the remaining address space */
39666 -+ if (addr > len) {
39667 -+ vma = find_vma(mm, addr-len);
39668 -+ if (!vma || addr <= vma->vm_start)
39669 -+ /* remember the address as a hint for next time */
39670 -+ return (mm->free_area_cache = addr-len);
39671 -+ }
39672 -+
39673 -+ if (mm->mmap_base < len)
39674 -+ goto bottomup;
39675 -+
39676 -+ addr = mm->mmap_base-len;
39677 -+
39678 -+ do {
39679 -+ /*
39680 -+ * Lookup failure means no vma is above this address,
39681 -+ * else if new region fits below vma->vm_start,
39682 -+ * return with success:
39683 -+ */
39684 -+ vma = find_vma(mm, addr);
39685 -+ if (!vma || addr+len <= vma->vm_start)
39686 -+ /* remember the address as a hint for next time */
39687 -+ return (mm->free_area_cache = addr);
39688 -+
39689 -+ /* remember the largest hole we saw so far */
39690 -+ if (addr + mm->cached_hole_size < vma->vm_start)
39691 -+ mm->cached_hole_size = vma->vm_start - addr;
39692 -+
39693 -+ /* try just below the current vma->vm_start */
39694 -+ addr = vma->vm_start-len;
39695 -+ } while (len < vma->vm_start);
39696 -+
39697 -+bottomup:
39698 -+ /*
39699 -+ * A failed mmap() very likely causes application failure,
39700 -+ * so fall back to the bottom-up function here. This scenario
39701 -+ * can happen with large stack limits and large mmap()
39702 -+ * allocations.
39703 -+ */
39704 -+
39705 -+#ifdef CONFIG_PAX_SEGMEXEC
39706 -+ if (mm->pax_flags & MF_PAX_SEGMEXEC)
39707 -+ mm->mmap_base = SEGMEXEC_TASK_UNMAPPED_BASE;
39708 -+ else
39709 -+#endif
39710 -+
39711 -+ mm->mmap_base = TASK_UNMAPPED_BASE;
39712 -+
39713 -+#ifdef CONFIG_PAX_RANDMMAP
39714 -+ if (mm->pax_flags & MF_PAX_RANDMMAP)
39715 -+ mm->mmap_base += mm->delta_mmap;
39716 -+#endif
39717 -+
39718 -+ mm->free_area_cache = mm->mmap_base;
39719 -+ mm->cached_hole_size = ~0UL;
39720 -+ addr = arch_get_unmapped_area(filp, addr0, len, pgoff, flags);
39721 -+ /*
39722 -+ * Restore the topdown base:
39723 -+ */
39724 -+ mm->mmap_base = base;
39725 -+ mm->free_area_cache = base;
39726 -+ mm->cached_hole_size = ~0UL;
39727 -+
39728 -+ return addr;
39729 -+}
39730 -
39731 - struct sel_arg_struct {
39732 - unsigned long n;
39733 -diff -Nurp linux-2.6.23.15/arch/i386/kernel/syscall_table.S linux-2.6.23.15-grsec/arch/i386/kernel/syscall_table.S
39734 ---- linux-2.6.23.15/arch/i386/kernel/syscall_table.S 2007-10-09 21:31:38.000000000 +0100
39735 -+++ linux-2.6.23.15-grsec/arch/i386/kernel/syscall_table.S 2008-02-11 10:37:44.000000000 +0000
39736 -@@ -1,3 +1,4 @@
39737 -+.section .rodata,"a",@progbits
39738 - ENTRY(sys_call_table)
39739 - .long sys_restart_syscall /* 0 - old "setup()" system call, used for restarting */
39740 - .long sys_exit
39741 -diff -Nurp linux-2.6.23.15/arch/i386/kernel/sysenter.c linux-2.6.23.15-grsec/arch/i386/kernel/sysenter.c
39742 ---- linux-2.6.23.15/arch/i386/kernel/sysenter.c 2007-10-09 21:31:38.000000000 +0100
39743 -+++ linux-2.6.23.15-grsec/arch/i386/kernel/sysenter.c 2008-02-11 10:37:44.000000000 +0000
39744 -@@ -177,7 +177,7 @@ static __init void relocate_vdso(Elf32_E
39745 - void enable_sep_cpu(void)
39746 - {
39747 - int cpu = get_cpu();
39748 -- struct tss_struct *tss = &per_cpu(init_tss, cpu);
39749 -+ struct tss_struct *tss = init_tss + cpu;
39750 -
39751 - if (!boot_cpu_has(X86_FEATURE_SEP)) {
39752 - put_cpu();
39753 -@@ -200,7 +200,7 @@ static int __init gate_vma_init(void)
39754 - gate_vma.vm_start = FIXADDR_USER_START;
39755 - gate_vma.vm_end = FIXADDR_USER_END;
39756 - gate_vma.vm_flags = VM_READ | VM_MAYREAD | VM_EXEC | VM_MAYEXEC;
39757 -- gate_vma.vm_page_prot = __P101;
39758 -+ gate_vma.vm_page_prot = vm_get_page_prot(gate_vma.vm_flags);
39759 - /*
39760 - * Make sure the vDSO gets into every core dump.
39761 - * Dumping its contents makes post-mortem fully interpretable later
39762 -@@ -283,7 +283,7 @@ int arch_setup_additional_pages(struct l
39763 - if (compat)
39764 - addr = VDSO_HIGH_BASE;
39765 - else {
39766 -- addr = get_unmapped_area(NULL, 0, PAGE_SIZE, 0, 0);
39767 -+ addr = get_unmapped_area(NULL, 0, PAGE_SIZE, 0, MAP_EXECUTABLE);
39768 - if (IS_ERR_VALUE(addr)) {
39769 - ret = addr;
39770 - goto up_fail;
39771 -@@ -308,7 +308,7 @@ int arch_setup_additional_pages(struct l
39772 - goto up_fail;
39773 - }
39774 -
39775 -- current->mm->context.vdso = (void *)addr;
39776 -+ current->mm->context.vdso = addr;
39777 - current_thread_info()->sysenter_return =
39778 - (void *)VDSO_SYM(&SYSENTER_RETURN);
39779 -
39780 -@@ -320,8 +320,14 @@ int arch_setup_additional_pages(struct l
39781 -
39782 - const char *arch_vma_name(struct vm_area_struct *vma)
39783 - {
39784 -- if (vma->vm_mm && vma->vm_start == (long)vma->vm_mm->context.vdso)
39785 -+ if (vma->vm_mm && vma->vm_start == vma->vm_mm->context.vdso)
39786 - return "[vdso]";
39787 -+
39788 -+#ifdef CONFIG_PAX_SEGMEXEC
39789 -+ if (vma->vm_mm && vma->vm_mirror && vma->vm_mirror->vm_start == vma->vm_mm->context.vdso)
39790 -+ return "[vdso]";
39791 -+#endif
39792 -+
39793 - return NULL;
39794 - }
39795 -
39796 -@@ -330,7 +336,7 @@ struct vm_area_struct *get_gate_vma(stru
39797 - struct mm_struct *mm = tsk->mm;
39798 -
39799 - /* Check to see if this task was created in compat vdso mode */
39800 -- if (mm && mm->context.vdso == (void *)VDSO_HIGH_BASE)
39801 -+ if (mm && mm->context.vdso == VDSO_HIGH_BASE)
39802 - return &gate_vma;
39803 - return NULL;
39804 - }
39805 -diff -Nurp linux-2.6.23.15/arch/i386/kernel/time.c linux-2.6.23.15-grsec/arch/i386/kernel/time.c
39806 ---- linux-2.6.23.15/arch/i386/kernel/time.c 2007-10-09 21:31:38.000000000 +0100
39807 -+++ linux-2.6.23.15-grsec/arch/i386/kernel/time.c 2008-02-11 10:37:44.000000000 +0000
39808 -@@ -132,20 +132,30 @@ unsigned long profile_pc(struct pt_regs
39809 - if (!v8086_mode(regs) && SEGMENT_IS_KERNEL_CODE(regs->xcs) &&
39810 - in_lock_functions(pc)) {
39811 - #ifdef CONFIG_FRAME_POINTER
39812 -- return *(unsigned long *)(regs->ebp + 4);
39813 -+ return *(unsigned long *)(regs->ebp + 4) + __KERNEL_TEXT_OFFSET;
39814 - #else
39815 - unsigned long *sp = (unsigned long *)&regs->esp;
39816 -
39817 - /* Return address is either directly at stack pointer
39818 - or above a saved eflags. Eflags has bits 22-31 zero,
39819 - kernel addresses don't. */
39820 -+
39821 -+#ifdef CONFIG_PAX_KERNEXEC
39822 -+ return sp[0] + __KERNEL_TEXT_OFFSET;
39823 -+#else
39824 - if (sp[0] >> 22)
39825 - return sp[0];
39826 - if (sp[1] >> 22)
39827 - return sp[1];
39828 - #endif
39829 -+
39830 -+#endif
39831 - }
39832 - #endif
39833 -+
39834 -+ if (!v8086_mode(regs) && SEGMENT_IS_KERNEL_CODE(regs->xcs))
39835 -+ pc += __KERNEL_TEXT_OFFSET;
39836 -+
39837 - return pc;
39838 - }
39839 - EXPORT_SYMBOL(profile_pc);
39840 -diff -Nurp linux-2.6.23.15/arch/i386/kernel/traps.c linux-2.6.23.15-grsec/arch/i386/kernel/traps.c
39841 ---- linux-2.6.23.15/arch/i386/kernel/traps.c 2007-10-09 21:31:38.000000000 +0100
39842 -+++ linux-2.6.23.15-grsec/arch/i386/kernel/traps.c 2008-02-11 10:37:44.000000000 +0000
39843 -@@ -31,6 +31,7 @@
39844 - #include <linux/uaccess.h>
39845 - #include <linux/nmi.h>
39846 - #include <linux/bug.h>
39847 -+#include <linux/binfmts.h>
39848 -
39849 - #ifdef CONFIG_EISA
39850 - #include <linux/ioport.h>
39851 -@@ -70,12 +71,7 @@ asmlinkage int system_call(void);
39852 - /* Do we ignore FPU interrupts ? */
39853 - char ignore_fpu_irq = 0;
39854 -
39855 --/*
39856 -- * The IDT has to be page-aligned to simplify the Pentium
39857 -- * F0 0F bug workaround.. We have a special link segment
39858 -- * for this.
39859 -- */
39860 --struct desc_struct idt_table[256] __attribute__((__section__(".data.idt"))) = { {0, 0}, };
39861 -+extern struct desc_struct idt_table[256];
39862 -
39863 - asmlinkage void divide_error(void);
39864 - asmlinkage void debug(void);
39865 -@@ -297,7 +293,7 @@ void show_registers(struct pt_regs *regs
39866 - esp = (unsigned long) (&regs->esp);
39867 - savesegment(ss, ss);
39868 - savesegment(gs, gs);
39869 -- if (user_mode_vm(regs)) {
39870 -+ if (user_mode(regs)) {
39871 - in_kernel = 0;
39872 - esp = regs->esp;
39873 - ss = regs->xss & 0xffff;
39874 -@@ -329,17 +325,18 @@ void show_registers(struct pt_regs *regs
39875 - unsigned int code_prologue = code_bytes * 43 / 64;
39876 - unsigned int code_len = code_bytes;
39877 - unsigned char c;
39878 -+ unsigned long cs_base = get_desc_base(&get_cpu_gdt_table(smp_processor_id())[(0xffff & regs->xcs) >> 3]);
39879 -
39880 - printk("\n" KERN_EMERG "Stack: ");
39881 - show_stack_log_lvl(NULL, regs, (unsigned long *)esp, KERN_EMERG);
39882 -
39883 - printk(KERN_EMERG "Code: ");
39884 -
39885 -- eip = (u8 *)regs->eip - code_prologue;
39886 -+ eip = (u8 *)regs->eip - code_prologue + cs_base;
39887 - if (eip < (u8 *)PAGE_OFFSET ||
39888 - probe_kernel_address(eip, c)) {
39889 - /* try starting at EIP */
39890 -- eip = (u8 *)regs->eip;
39891 -+ eip = (u8 *)regs->eip + cs_base;
39892 - code_len = code_len - code_prologue + 1;
39893 - }
39894 - for (i = 0; i < code_len; i++, eip++) {
39895 -@@ -348,7 +345,7 @@ void show_registers(struct pt_regs *regs
39896 - printk(" Bad EIP value.");
39897 - break;
39898 - }
39899 -- if (eip == (u8 *)regs->eip)
39900 -+ if (eip == (u8 *)regs->eip + cs_base)
39901 - printk("<%02x> ", c);
39902 - else
39903 - printk("%02x ", c);
39904 -@@ -361,6 +358,7 @@ int is_valid_bugaddr(unsigned long eip)
39905 - {
39906 - unsigned short ud2;
39907 -
39908 -+ eip += __KERNEL_TEXT_OFFSET;
39909 - if (eip < PAGE_OFFSET)
39910 - return 0;
39911 - if (probe_kernel_address((unsigned short *)eip, ud2))
39912 -@@ -468,7 +466,7 @@ void die(const char * str, struct pt_reg
39913 -
39914 - static inline void die_if_kernel(const char * str, struct pt_regs * regs, long err)
39915 - {
39916 -- if (!user_mode_vm(regs))
39917 -+ if (!user_mode(regs))
39918 - die(str, regs, err);
39919 - }
39920 -
39921 -@@ -484,7 +482,7 @@ static void __kprobes do_trap(int trapnr
39922 - goto trap_signal;
39923 - }
39924 -
39925 -- if (!user_mode(regs))
39926 -+ if (!user_mode_novm(regs))
39927 - goto kernel_trap;
39928 -
39929 - trap_signal: {
39930 -@@ -589,7 +587,7 @@ fastcall void __kprobes do_general_prote
39931 - long error_code)
39932 - {
39933 - int cpu = get_cpu();
39934 -- struct tss_struct *tss = &per_cpu(init_tss, cpu);
39935 -+ struct tss_struct *tss = &init_tss[cpu];
39936 - struct thread_struct *thread = &current->thread;
39937 -
39938 - /*
39939 -@@ -622,9 +620,25 @@ fastcall void __kprobes do_general_prote
39940 - if (regs->eflags & VM_MASK)
39941 - goto gp_in_vm86;
39942 -
39943 -- if (!user_mode(regs))
39944 -+ if (!user_mode_novm(regs))
39945 - goto gp_in_kernel;
39946 -
39947 -+#ifdef CONFIG_PAX_PAGEEXEC
39948 -+ if (!nx_enabled && current->mm && (current->mm->pax_flags & MF_PAX_PAGEEXEC)) {
39949 -+ struct mm_struct *mm = current->mm;
39950 -+ unsigned long limit;
39951 -+
39952 -+ down_write(&mm->mmap_sem);
39953 -+ limit = mm->context.user_cs_limit;
39954 -+ if (limit < TASK_SIZE) {
39955 -+ track_exec_limit(mm, limit, TASK_SIZE, VM_EXEC);
39956 -+ up_write(&mm->mmap_sem);
39957 -+ return;
39958 -+ }
39959 -+ up_write(&mm->mmap_sem);
39960 -+ }
39961 -+#endif
39962 -+
39963 - current->thread.error_code = error_code;
39964 - current->thread.trap_no = 13;
39965 - if (show_unhandled_signals && unhandled_signal(current, SIGSEGV) &&
39966 -@@ -649,6 +663,13 @@ gp_in_kernel:
39967 - if (notify_die(DIE_GPF, "general protection fault", regs,
39968 - error_code, 13, SIGSEGV) == NOTIFY_STOP)
39969 - return;
39970 -+
39971 -+#ifdef CONFIG_PAX_KERNEXEC
39972 -+ if ((regs->xcs & 0xFFFF) == __KERNEL_CS)
39973 -+ die("PAX: suspicious general protection fault", regs, error_code);
39974 -+ else
39975 -+#endif
39976 -+
39977 - die("general protection fault", regs, error_code);
39978 - }
39979 - }
39980 -@@ -738,7 +759,7 @@ void __kprobes die_nmi(struct pt_regs *r
39981 - /* If we are in kernel we are probably nested up pretty bad
39982 - * and might aswell get out now while we still can.
39983 - */
39984 -- if (!user_mode_vm(regs)) {
39985 -+ if (!user_mode(regs)) {
39986 - current->thread.trap_no = 2;
39987 - crash_kexec(regs);
39988 - }
39989 -@@ -885,7 +906,7 @@ fastcall void __kprobes do_debug(struct
39990 - * check for kernel mode by just checking the CPL
39991 - * of CS.
39992 - */
39993 -- if (!user_mode(regs))
39994 -+ if (!user_mode_novm(regs))
39995 - goto clear_TF_reenable;
39996 - }
39997 -
39998 -@@ -1063,18 +1084,14 @@ fastcall void do_spurious_interrupt_bug(
39999 - fastcall unsigned long patch_espfix_desc(unsigned long uesp,
40000 - unsigned long kesp)
40001 - {
40002 -- struct desc_struct *gdt = __get_cpu_var(gdt_page).gdt;
40003 - unsigned long base = (kesp - uesp) & -THREAD_SIZE;
40004 - unsigned long new_kesp = kesp - base;
40005 - unsigned long lim_pages = (new_kesp | (THREAD_SIZE - 1)) >> PAGE_SHIFT;
40006 -- __u64 desc = *(__u64 *)&gdt[GDT_ENTRY_ESPFIX_SS];
40007 -+ __u32 a, b;
40008 -+
40009 - /* Set up base for espfix segment */
40010 -- desc &= 0x00f0ff0000000000ULL;
40011 -- desc |= ((((__u64)base) << 16) & 0x000000ffffff0000ULL) |
40012 -- ((((__u64)base) << 32) & 0xff00000000000000ULL) |
40013 -- ((((__u64)lim_pages) << 32) & 0x000f000000000000ULL) |
40014 -- (lim_pages & 0xffff);
40015 -- *(__u64 *)&gdt[GDT_ENTRY_ESPFIX_SS] = desc;
40016 -+ pack_descriptor(&a, &b, base, lim_pages, 0x93, 0xC);
40017 -+ write_gdt_entry(get_cpu_gdt_table(smp_processor_id()), GDT_ENTRY_ESPFIX_SS, a, b);
40018 - return new_kesp;
40019 - }
40020 -
40021 -@@ -1123,7 +1140,7 @@ void __init trap_init_f00f_bug(void)
40022 - * Update the IDT descriptor and reload the IDT so that
40023 - * it uses the read-only mapped virtual address.
40024 - */
40025 -- idt_descr.address = fix_to_virt(FIX_F00F_IDT);
40026 -+ idt_descr.address = (struct desc_struct *)fix_to_virt(FIX_F00F_IDT);
40027 - load_idt(&idt_descr);
40028 - }
40029 - #endif
40030 -diff -Nurp linux-2.6.23.15/arch/i386/kernel/tsc.c linux-2.6.23.15-grsec/arch/i386/kernel/tsc.c
40031 ---- linux-2.6.23.15/arch/i386/kernel/tsc.c 2008-02-11 10:36:03.000000000 +0000
40032 -+++ linux-2.6.23.15-grsec/arch/i386/kernel/tsc.c 2008-02-11 10:37:44.000000000 +0000
40033 -@@ -322,7 +322,7 @@ static struct dmi_system_id __initdata b
40034 - DMI_MATCH(DMI_BOARD_NAME, "2635FA0"),
40035 - },
40036 - },
40037 -- {}
40038 -+ { NULL, NULL, {{0, NULL}}, NULL}
40039 - };
40040 -
40041 - /*
40042 -diff -Nurp linux-2.6.23.15/arch/i386/kernel/vm86.c linux-2.6.23.15-grsec/arch/i386/kernel/vm86.c
40043 ---- linux-2.6.23.15/arch/i386/kernel/vm86.c 2007-10-09 21:31:38.000000000 +0100
40044 -+++ linux-2.6.23.15-grsec/arch/i386/kernel/vm86.c 2008-02-11 10:37:44.000000000 +0000
40045 -@@ -148,7 +148,7 @@ struct pt_regs * fastcall save_v86_state
40046 - do_exit(SIGSEGV);
40047 - }
40048 -
40049 -- tss = &per_cpu(init_tss, get_cpu());
40050 -+ tss = init_tss + get_cpu();
40051 - current->thread.esp0 = current->thread.saved_esp0;
40052 - current->thread.sysenter_cs = __KERNEL_CS;
40053 - load_esp0(tss, &current->thread);
40054 -@@ -324,7 +324,7 @@ static void do_sys_vm86(struct kernel_vm
40055 - tsk->thread.saved_fs = info->regs32->xfs;
40056 - savesegment(gs, tsk->thread.saved_gs);
40057 -
40058 -- tss = &per_cpu(init_tss, get_cpu());
40059 -+ tss = init_tss + get_cpu();
40060 - tsk->thread.esp0 = (unsigned long) &info->VM86_TSS_ESP0;
40061 - if (cpu_has_sep)
40062 - tsk->thread.sysenter_cs = 0;
40063 -diff -Nurp linux-2.6.23.15/arch/i386/kernel/vmi.c linux-2.6.23.15-grsec/arch/i386/kernel/vmi.c
40064 ---- linux-2.6.23.15/arch/i386/kernel/vmi.c 2007-10-09 21:31:38.000000000 +0100
40065 -+++ linux-2.6.23.15-grsec/arch/i386/kernel/vmi.c 2008-02-11 10:37:44.000000000 +0000
40066 -@@ -98,18 +98,43 @@ static unsigned patch_internal(int call,
40067 - {
40068 - u64 reloc;
40069 - struct vmi_relocation_info *const rel = (struct vmi_relocation_info *)&reloc;
40070 -+
40071 -+#ifdef CONFIG_PAX_KERNEXEC
40072 -+ unsigned long cr0;
40073 -+#endif
40074 -+
40075 - reloc = call_vrom_long_func(vmi_rom, get_reloc, call);
40076 - switch(rel->type) {
40077 - case VMI_RELOCATION_CALL_REL:
40078 - BUG_ON(len < 5);
40079 -+
40080 -+#ifdef CONFIG_PAX_KERNEXEC
40081 -+ pax_open_kernel(cr0);
40082 -+#endif
40083 -+
40084 - *(char *)insnbuf = MNEM_CALL;
40085 - patch_offset(insnbuf, eip, (unsigned long)rel->eip);
40086 -+
40087 -+#ifdef CONFIG_PAX_KERNEXEC
40088 -+ pax_close_kernel(cr0);
40089 -+#endif
40090 -+
40091 - return 5;
40092 -
40093 - case VMI_RELOCATION_JUMP_REL:
40094 - BUG_ON(len < 5);
40095 -+
40096 -+#ifdef CONFIG_PAX_KERNEXEC
40097 -+ pax_open_kernel(cr0);
40098 -+#endif
40099 -+
40100 - *(char *)insnbuf = MNEM_JMP;
40101 - patch_offset(insnbuf, eip, (unsigned long)rel->eip);
40102 -+
40103 -+#ifdef CONFIG_PAX_KERNEXEC
40104 -+ pax_close_kernel(cr0);
40105 -+#endif
40106 -+
40107 - return 5;
40108 -
40109 - case VMI_RELOCATION_NOP:
40110 -@@ -492,14 +517,14 @@ static void vmi_set_pud(pud_t *pudp, pud
40111 -
40112 - static void vmi_pte_clear(struct mm_struct *mm, unsigned long addr, pte_t *ptep)
40113 - {
40114 -- const pte_t pte = { 0 };
40115 -+ const pte_t pte = __pte(0ULL);
40116 - vmi_check_page_type(__pa(ptep) >> PAGE_SHIFT, VMI_PAGE_PTE);
40117 - vmi_ops.set_pte(pte, ptep, vmi_flags_addr(mm, addr, VMI_PAGE_PT, 0));
40118 - }
40119 -
40120 - static void vmi_pmd_clear(pmd_t *pmd)
40121 - {
40122 -- const pte_t pte = { 0 };
40123 -+ const pte_t pte = __pte(0ULL);
40124 - vmi_check_page_type(__pa(pmd) >> PAGE_SHIFT, VMI_PAGE_PMD);
40125 - vmi_ops.set_pte(pte, (pte_t *)pmd, VMI_PAGE_PD);
40126 - }
40127 -@@ -528,8 +553,8 @@ vmi_startup_ipi_hook(int phys_apicid, un
40128 - ap.ss = __KERNEL_DS;
40129 - ap.esp = (unsigned long) start_esp;
40130 -
40131 -- ap.ds = __USER_DS;
40132 -- ap.es = __USER_DS;
40133 -+ ap.ds = __KERNEL_DS;
40134 -+ ap.es = __KERNEL_DS;
40135 - ap.fs = __KERNEL_PERCPU;
40136 - ap.gs = 0;
40137 -
40138 -@@ -726,12 +751,20 @@ static inline int __init activate_vmi(vo
40139 - u64 reloc;
40140 - const struct vmi_relocation_info *rel = (struct vmi_relocation_info *)&reloc;
40141 -
40142 -+#ifdef CONFIG_PAX_KERNEXEC
40143 -+ unsigned long cr0;
40144 -+#endif
40145 -+
40146 - if (call_vrom_func(vmi_rom, vmi_init) != 0) {
40147 - printk(KERN_ERR "VMI ROM failed to initialize!");
40148 - return 0;
40149 - }
40150 - savesegment(cs, kernel_cs);
40151 -
40152 -+#ifdef CONFIG_PAX_KERNEXEC
40153 -+ pax_open_kernel(cr0);
40154 -+#endif
40155 -+
40156 - paravirt_ops.paravirt_enabled = 1;
40157 - paravirt_ops.kernel_rpl = kernel_cs & SEGMENT_RPL_MASK;
40158 -
40159 -@@ -910,6 +943,10 @@ static inline int __init activate_vmi(vo
40160 -
40161 - para_fill(safe_halt, Halt);
40162 -
40163 -+#ifdef CONFIG_PAX_KERNEXEC
40164 -+ pax_close_kernel(cr0);
40165 -+#endif
40166 -+
40167 - /*
40168 - * Alternative instruction rewriting doesn't happen soon enough
40169 - * to convert VMI_IRET to a call instead of a jump; so we have
40170 -diff -Nurp linux-2.6.23.15/arch/i386/kernel/vmlinux.lds.S linux-2.6.23.15-grsec/arch/i386/kernel/vmlinux.lds.S
40171 ---- linux-2.6.23.15/arch/i386/kernel/vmlinux.lds.S 2007-10-09 21:31:38.000000000 +0100
40172 -+++ linux-2.6.23.15-grsec/arch/i386/kernel/vmlinux.lds.S 2008-02-11 10:37:44.000000000 +0000
40173 -@@ -21,6 +21,13 @@
40174 - #include <asm/page.h>
40175 - #include <asm/cache.h>
40176 - #include <asm/boot.h>
40177 -+#include <asm/segment.h>
40178 -+
40179 -+#ifdef CONFIG_X86_PAE
40180 -+#define PMD_SHIFT 21
40181 -+#else
40182 -+#define PMD_SHIFT 22
40183 -+#endif
40184 -
40185 - OUTPUT_FORMAT("elf32-i386", "elf32-i386", "elf32-i386")
40186 - OUTPUT_ARCH(i386)
40187 -@@ -28,22 +35,124 @@ ENTRY(phys_startup_32)
40188 - jiffies = jiffies_64;
40189 -
40190 - PHDRS {
40191 -- text PT_LOAD FLAGS(5); /* R_E */
40192 -- data PT_LOAD FLAGS(7); /* RWE */
40193 -- note PT_NOTE FLAGS(0); /* ___ */
40194 -+ initdata PT_LOAD FLAGS(6); /* RW_ */
40195 -+ percpu PT_LOAD FLAGS(6); /* RW_ */
40196 -+ inittext PT_LOAD FLAGS(5); /* R_E */
40197 -+ text PT_LOAD FLAGS(5); /* R_E */
40198 -+ rodata PT_LOAD FLAGS(4); /* R__ */
40199 -+ data PT_LOAD FLAGS(6); /* RW_ */
40200 -+ note PT_NOTE FLAGS(0); /* ___ */
40201 - }
40202 - SECTIONS
40203 - {
40204 - . = LOAD_OFFSET + LOAD_PHYSICAL_ADDR;
40205 -- phys_startup_32 = startup_32 - LOAD_OFFSET;
40206 -
40207 -- .text.head : AT(ADDR(.text.head) - LOAD_OFFSET) {
40208 -- _text = .; /* Text and read-only data */
40209 -+ .text.startup : AT(ADDR(.text.startup) - LOAD_OFFSET) {
40210 -+ phys_startup_32 = startup_32 - LOAD_OFFSET + __KERNEL_TEXT_OFFSET;
40211 -+ *(.text.startup)
40212 -+ } :initdata
40213 -+
40214 -+ /* might get freed after init */
40215 -+ . = ALIGN(4096);
40216 -+ .smp_locks : AT(ADDR(.smp_locks) - LOAD_OFFSET) {
40217 -+ __smp_locks = .;
40218 -+ *(.smp_locks)
40219 -+ __smp_locks_end = .;
40220 -+ }
40221 -+ /* will be freed after init
40222 -+ * Following ALIGN() is required to make sure no other data falls on the
40223 -+ * same page where __smp_alt_end is pointing as that page might be freed
40224 -+ * after boot. Always make sure that ALIGN() directive is present after
40225 -+ * the section which contains __smp_alt_end.
40226 -+ */
40227 -+ . = ALIGN(4096);
40228 -+
40229 -+ /* will be freed after init */
40230 -+ .init.data : AT(ADDR(.init.data) - LOAD_OFFSET) {
40231 -+ __init_begin = .;
40232 -+ *(.init.data)
40233 -+ }
40234 -+ . = ALIGN(16);
40235 -+ .init.setup : AT(ADDR(.init.setup) - LOAD_OFFSET) {
40236 -+ __setup_start = .;
40237 -+ *(.init.setup)
40238 -+ __setup_end = .;
40239 -+ }
40240 -+ .initcall.init : AT(ADDR(.initcall.init) - LOAD_OFFSET) {
40241 -+ __initcall_start = .;
40242 -+ INITCALLS
40243 -+ __initcall_end = .;
40244 -+ }
40245 -+ .con_initcall.init : AT(ADDR(.con_initcall.init) - LOAD_OFFSET) {
40246 -+ __con_initcall_start = .;
40247 -+ *(.con_initcall.init)
40248 -+ __con_initcall_end = .;
40249 -+ }
40250 -+ SECURITY_INIT
40251 -+ . = ALIGN(4);
40252 -+ .altinstructions : AT(ADDR(.altinstructions) - LOAD_OFFSET) {
40253 -+ __alt_instructions = .;
40254 -+ *(.altinstructions)
40255 -+ __alt_instructions_end = .;
40256 -+ }
40257 -+ .altinstr_replacement : AT(ADDR(.altinstr_replacement) - LOAD_OFFSET) {
40258 -+ *(.altinstr_replacement)
40259 -+ }
40260 -+ . = ALIGN(4);
40261 -+ .parainstructions : AT(ADDR(.parainstructions) - LOAD_OFFSET) {
40262 -+ __parainstructions = .;
40263 -+ *(.parainstructions)
40264 -+ __parainstructions_end = .;
40265 -+ }
40266 -+ .exit.data : AT(ADDR(.exit.data) - LOAD_OFFSET) { *(.exit.data) }
40267 -+#if defined(CONFIG_BLK_DEV_INITRD)
40268 -+ . = ALIGN(4096);
40269 -+ .init.ramfs : AT(ADDR(.init.ramfs) - LOAD_OFFSET) {
40270 -+ __initramfs_start = .;
40271 -+ *(.init.ramfs)
40272 -+ __initramfs_end = .;
40273 -+ }
40274 -+#endif
40275 -+ . = ALIGN(4096);
40276 -+ per_cpu_start = .;
40277 -+ .data.percpu (0) : AT(ADDR(.data.percpu) - LOAD_OFFSET + per_cpu_start) {
40278 -+ __per_cpu_start = . + per_cpu_start;
40279 -+ LONG(0)
40280 -+ *(.data.percpu)
40281 -+ *(.data.percpu.shared_aligned)
40282 -+ __per_cpu_end = . + per_cpu_start;
40283 -+ } :percpu
40284 -+ . += per_cpu_start;
40285 -+
40286 -+ /* read-only */
40287 -+
40288 -+ . = ALIGN(4096); /* Init code and data */
40289 -+ .init.text (. - __KERNEL_TEXT_OFFSET) : AT(ADDR(.init.text) - LOAD_OFFSET + __KERNEL_TEXT_OFFSET) {
40290 -+ _sinittext = .;
40291 -+ *(.init.text)
40292 -+ _einittext = .;
40293 -+ } :inittext
40294 -+
40295 -+ /* .exit.text is discard at runtime, not link time, to deal with references
40296 -+ from .altinstructions and .eh_frame */
40297 -+ .exit.text : AT(ADDR(.exit.text) - LOAD_OFFSET + __KERNEL_TEXT_OFFSET) { *(.exit.text) }
40298 -+
40299 -+ .filler : AT(ADDR(.filler) - LOAD_OFFSET + __KERNEL_TEXT_OFFSET) {
40300 -+ BYTE(0)
40301 -+ . = ALIGN(4*1024*1024) - 1;
40302 -+ }
40303 -+
40304 -+ /* freed after init ends here */
40305 -+
40306 -+ .text.head : AT(ADDR(.text.head) - LOAD_OFFSET + __KERNEL_TEXT_OFFSET) {
40307 -+ __init_end = . + __KERNEL_TEXT_OFFSET;
40308 -+ KERNEL_TEXT_OFFSET = . + __KERNEL_TEXT_OFFSET;
40309 -+ _text = .; /* Text and read-only data */
40310 - *(.text.head)
40311 - } :text = 0x9090
40312 -
40313 - /* read-only */
40314 -- .text : AT(ADDR(.text) - LOAD_OFFSET) {
40315 -+ .text : AT(ADDR(.text) - LOAD_OFFSET + __KERNEL_TEXT_OFFSET) {
40316 - TEXT_TEXT
40317 - SCHED_TEXT
40318 - LOCK_TEXT
40319 -@@ -53,16 +162,17 @@ SECTIONS
40320 - _etext = .; /* End of text section */
40321 - } :text = 0x9090
40322 -
40323 -- . = ALIGN(16); /* Exception table */
40324 -+ . += __KERNEL_TEXT_OFFSET;
40325 -+ . = ALIGN(4096); /* Exception table */
40326 - __ex_table : AT(ADDR(__ex_table) - LOAD_OFFSET) {
40327 - __start___ex_table = .;
40328 - *(__ex_table)
40329 - __stop___ex_table = .;
40330 -- }
40331 -+ } :rodata
40332 -
40333 -- NOTES :text :note
40334 -+ NOTES :rodata :note
40335 -
40336 -- BUG_TABLE :text
40337 -+ BUG_TABLE :rodata
40338 -
40339 - . = ALIGN(4);
40340 - .tracedata : AT(ADDR(.tracedata) - LOAD_OFFSET) {
40341 -@@ -73,9 +183,36 @@ SECTIONS
40342 -
40343 - RODATA
40344 -
40345 -+ . = ALIGN(4096);
40346 -+ .rodata.page_aligned : AT(ADDR(.rodata.page_aligned) - LOAD_OFFSET) {
40347 -+ *(.idt)
40348 -+ . = ALIGN(4096);
40349 -+ *(.empty_zero_page)
40350 -+ *(.swapper_pm_dir)
40351 -+ *(.swapper_pg_dir)
40352 -+ }
40353 -+
40354 -+#ifdef CONFIG_PAX_KERNEXEC
40355 -+
40356 -+#ifdef CONFIG_MODULES
40357 -+ . = ALIGN(4096);
40358 -+ .module.text : AT(ADDR(.module.text) - LOAD_OFFSET) {
40359 -+ MODULES_VADDR = .;
40360 -+ BYTE(0)
40361 -+ . += (6 * 1024 * 1024);
40362 -+ . = ALIGN(1 << PMD_SHIFT) - 1;
40363 -+ MODULES_END = .;
40364 -+ }
40365 -+#else
40366 -+ . = ALIGN(1 << PMD_SHIFT) - 1;
40367 -+#endif
40368 -+
40369 -+#endif
40370 -+
40371 - /* writeable */
40372 - . = ALIGN(4096);
40373 - .data : AT(ADDR(.data) - LOAD_OFFSET) { /* Data */
40374 -+ _data = .;
40375 - DATA_DATA
40376 - CONSTRUCTORS
40377 - } :data
40378 -@@ -91,7 +228,6 @@ SECTIONS
40379 - . = ALIGN(4096);
40380 - .data.page_aligned : AT(ADDR(.data.page_aligned) - LOAD_OFFSET) {
40381 - *(.data.page_aligned)
40382 -- *(.data.idt)
40383 - }
40384 -
40385 - . = ALIGN(32);
40386 -@@ -111,86 +247,7 @@ SECTIONS
40387 - *(.data.init_task)
40388 - }
40389 -
40390 -- /* might get freed after init */
40391 -- . = ALIGN(4096);
40392 -- .smp_locks : AT(ADDR(.smp_locks) - LOAD_OFFSET) {
40393 -- __smp_locks = .;
40394 -- *(.smp_locks)
40395 -- __smp_locks_end = .;
40396 -- }
40397 -- /* will be freed after init
40398 -- * Following ALIGN() is required to make sure no other data falls on the
40399 -- * same page where __smp_alt_end is pointing as that page might be freed
40400 -- * after boot. Always make sure that ALIGN() directive is present after
40401 -- * the section which contains __smp_alt_end.
40402 -- */
40403 -- . = ALIGN(4096);
40404 --
40405 -- /* will be freed after init */
40406 -- . = ALIGN(4096); /* Init code and data */
40407 -- .init.text : AT(ADDR(.init.text) - LOAD_OFFSET) {
40408 -- __init_begin = .;
40409 -- _sinittext = .;
40410 -- *(.init.text)
40411 -- _einittext = .;
40412 -- }
40413 -- .init.data : AT(ADDR(.init.data) - LOAD_OFFSET) { *(.init.data) }
40414 -- . = ALIGN(16);
40415 -- .init.setup : AT(ADDR(.init.setup) - LOAD_OFFSET) {
40416 -- __setup_start = .;
40417 -- *(.init.setup)
40418 -- __setup_end = .;
40419 -- }
40420 -- .initcall.init : AT(ADDR(.initcall.init) - LOAD_OFFSET) {
40421 -- __initcall_start = .;
40422 -- INITCALLS
40423 -- __initcall_end = .;
40424 -- }
40425 -- .con_initcall.init : AT(ADDR(.con_initcall.init) - LOAD_OFFSET) {
40426 -- __con_initcall_start = .;
40427 -- *(.con_initcall.init)
40428 -- __con_initcall_end = .;
40429 -- }
40430 -- SECURITY_INIT
40431 -- . = ALIGN(4);
40432 -- .altinstructions : AT(ADDR(.altinstructions) - LOAD_OFFSET) {
40433 -- __alt_instructions = .;
40434 -- *(.altinstructions)
40435 -- __alt_instructions_end = .;
40436 -- }
40437 -- .altinstr_replacement : AT(ADDR(.altinstr_replacement) - LOAD_OFFSET) {
40438 -- *(.altinstr_replacement)
40439 -- }
40440 -- . = ALIGN(4);
40441 -- .parainstructions : AT(ADDR(.parainstructions) - LOAD_OFFSET) {
40442 -- __parainstructions = .;
40443 -- *(.parainstructions)
40444 -- __parainstructions_end = .;
40445 -- }
40446 -- /* .exit.text is discard at runtime, not link time, to deal with references
40447 -- from .altinstructions and .eh_frame */
40448 -- .exit.text : AT(ADDR(.exit.text) - LOAD_OFFSET) { *(.exit.text) }
40449 -- .exit.data : AT(ADDR(.exit.data) - LOAD_OFFSET) { *(.exit.data) }
40450 --#if defined(CONFIG_BLK_DEV_INITRD)
40451 -- . = ALIGN(4096);
40452 -- .init.ramfs : AT(ADDR(.init.ramfs) - LOAD_OFFSET) {
40453 -- __initramfs_start = .;
40454 -- *(.init.ramfs)
40455 -- __initramfs_end = .;
40456 -- }
40457 --#endif
40458 -- . = ALIGN(4096);
40459 -- .data.percpu : AT(ADDR(.data.percpu) - LOAD_OFFSET) {
40460 -- __per_cpu_start = .;
40461 -- *(.data.percpu)
40462 -- *(.data.percpu.shared_aligned)
40463 -- __per_cpu_end = .;
40464 -- }
40465 -- . = ALIGN(4096);
40466 -- /* freed after init ends here */
40467 --
40468 - .bss : AT(ADDR(.bss) - LOAD_OFFSET) {
40469 -- __init_end = .;
40470 - __bss_start = .; /* BSS */
40471 - *(.bss.page_aligned)
40472 - *(.bss)
40473 -diff -Nurp linux-2.6.23.15/arch/i386/lib/checksum.S linux-2.6.23.15-grsec/arch/i386/lib/checksum.S
40474 ---- linux-2.6.23.15/arch/i386/lib/checksum.S 2007-10-09 21:31:38.000000000 +0100
40475 -+++ linux-2.6.23.15-grsec/arch/i386/lib/checksum.S 2008-02-11 10:37:44.000000000 +0000
40476 -@@ -28,7 +28,8 @@
40477 - #include <linux/linkage.h>
40478 - #include <asm/dwarf2.h>
40479 - #include <asm/errno.h>
40480 --
40481 -+#include <asm/segment.h>
40482 -+
40483 - /*
40484 - * computes a partial checksum, e.g. for TCP/UDP fragments
40485 - */
40486 -@@ -304,9 +305,22 @@ unsigned int csum_partial_copy_generic (
40487 -
40488 - #define ARGBASE 16
40489 - #define FP 12
40490 --
40491 --ENTRY(csum_partial_copy_generic)
40492 -+
40493 -+ENTRY(csum_partial_copy_generic_to_user)
40494 - CFI_STARTPROC
40495 -+ pushl $(__USER_DS)
40496 -+ CFI_ADJUST_CFA_OFFSET 4
40497 -+ popl %es
40498 -+ CFI_ADJUST_CFA_OFFSET -4
40499 -+ jmp csum_partial_copy_generic
40500 -+
40501 -+ENTRY(csum_partial_copy_generic_from_user)
40502 -+ pushl $(__USER_DS)
40503 -+ CFI_ADJUST_CFA_OFFSET 4
40504 -+ popl %ds
40505 -+ CFI_ADJUST_CFA_OFFSET -4
40506 -+
40507 -+ENTRY(csum_partial_copy_generic)
40508 - subl $4,%esp
40509 - CFI_ADJUST_CFA_OFFSET 4
40510 - pushl %edi
40511 -@@ -331,7 +345,7 @@ ENTRY(csum_partial_copy_generic)
40512 - jmp 4f
40513 - SRC(1: movw (%esi), %bx )
40514 - addl $2, %esi
40515 --DST( movw %bx, (%edi) )
40516 -+DST( movw %bx, %es:(%edi) )
40517 - addl $2, %edi
40518 - addw %bx, %ax
40519 - adcl $0, %eax
40520 -@@ -343,30 +357,30 @@ DST( movw %bx, (%edi) )
40521 - SRC(1: movl (%esi), %ebx )
40522 - SRC( movl 4(%esi), %edx )
40523 - adcl %ebx, %eax
40524 --DST( movl %ebx, (%edi) )
40525 -+DST( movl %ebx, %es:(%edi) )
40526 - adcl %edx, %eax
40527 --DST( movl %edx, 4(%edi) )
40528 -+DST( movl %edx, %es:4(%edi) )
40529 -
40530 - SRC( movl 8(%esi), %ebx )
40531 - SRC( movl 12(%esi), %edx )
40532 - adcl %ebx, %eax
40533 --DST( movl %ebx, 8(%edi) )
40534 -+DST( movl %ebx, %es:8(%edi) )
40535 - adcl %edx, %eax
40536 --DST( movl %edx, 12(%edi) )
40537 -+DST( movl %edx, %es:12(%edi) )
40538 -
40539 - SRC( movl 16(%esi), %ebx )
40540 - SRC( movl 20(%esi), %edx )
40541 - adcl %ebx, %eax
40542 --DST( movl %ebx, 16(%edi) )
40543 -+DST( movl %ebx, %es:16(%edi) )
40544 - adcl %edx, %eax
40545 --DST( movl %edx, 20(%edi) )
40546 -+DST( movl %edx, %es:20(%edi) )
40547 -
40548 - SRC( movl 24(%esi), %ebx )
40549 - SRC( movl 28(%esi), %edx )
40550 - adcl %ebx, %eax
40551 --DST( movl %ebx, 24(%edi) )
40552 -+DST( movl %ebx, %es:24(%edi) )
40553 - adcl %edx, %eax
40554 --DST( movl %edx, 28(%edi) )
40555 -+DST( movl %edx, %es:28(%edi) )
40556 -
40557 - lea 32(%esi), %esi
40558 - lea 32(%edi), %edi
40559 -@@ -380,7 +394,7 @@ DST( movl %edx, 28(%edi) )
40560 - shrl $2, %edx # This clears CF
40561 - SRC(3: movl (%esi), %ebx )
40562 - adcl %ebx, %eax
40563 --DST( movl %ebx, (%edi) )
40564 -+DST( movl %ebx, %es:(%edi) )
40565 - lea 4(%esi), %esi
40566 - lea 4(%edi), %edi
40567 - dec %edx
40568 -@@ -392,12 +406,12 @@ DST( movl %ebx, (%edi) )
40569 - jb 5f
40570 - SRC( movw (%esi), %cx )
40571 - leal 2(%esi), %esi
40572 --DST( movw %cx, (%edi) )
40573 -+DST( movw %cx, %es:(%edi) )
40574 - leal 2(%edi), %edi
40575 - je 6f
40576 - shll $16,%ecx
40577 - SRC(5: movb (%esi), %cl )
40578 --DST( movb %cl, (%edi) )
40579 -+DST( movb %cl, %es:(%edi) )
40580 - 6: addl %ecx, %eax
40581 - adcl $0, %eax
40582 - 7:
40583 -@@ -408,7 +422,7 @@ DST( movb %cl, (%edi) )
40584 -
40585 - 6001:
40586 - movl ARGBASE+20(%esp), %ebx # src_err_ptr
40587 -- movl $-EFAULT, (%ebx)
40588 -+ movl $-EFAULT, %ss:(%ebx)
40589 -
40590 - # zero the complete destination - computing the rest
40591 - # is too much work
40592 -@@ -421,11 +435,19 @@ DST( movb %cl, (%edi) )
40593 -
40594 - 6002:
40595 - movl ARGBASE+24(%esp), %ebx # dst_err_ptr
40596 -- movl $-EFAULT,(%ebx)
40597 -+ movl $-EFAULT,%ss:(%ebx)
40598 - jmp 5000b
40599 -
40600 - .previous
40601 -
40602 -+ pushl %ss
40603 -+ CFI_ADJUST_CFA_OFFSET 4
40604 -+ popl %ds
40605 -+ CFI_ADJUST_CFA_OFFSET -4
40606 -+ pushl %ss
40607 -+ CFI_ADJUST_CFA_OFFSET 4
40608 -+ popl %es
40609 -+ CFI_ADJUST_CFA_OFFSET -4
40610 - popl %ebx
40611 - CFI_ADJUST_CFA_OFFSET -4
40612 - CFI_RESTORE ebx
40613 -@@ -439,26 +461,41 @@ DST( movb %cl, (%edi) )
40614 - CFI_ADJUST_CFA_OFFSET -4
40615 - ret
40616 - CFI_ENDPROC
40617 --ENDPROC(csum_partial_copy_generic)
40618 -+ENDPROC(csum_partial_copy_generic_to_user)
40619 -
40620 - #else
40621 -
40622 - /* Version for PentiumII/PPro */
40623 -
40624 - #define ROUND1(x) \
40625 -+ nop; nop; nop; \
40626 - SRC(movl x(%esi), %ebx ) ; \
40627 - addl %ebx, %eax ; \
40628 -- DST(movl %ebx, x(%edi) ) ;
40629 -+ DST(movl %ebx, %es:x(%edi)) ;
40630 -
40631 - #define ROUND(x) \
40632 -+ nop; nop; nop; \
40633 - SRC(movl x(%esi), %ebx ) ; \
40634 - adcl %ebx, %eax ; \
40635 -- DST(movl %ebx, x(%edi) ) ;
40636 -+ DST(movl %ebx, %es:x(%edi)) ;
40637 -
40638 - #define ARGBASE 12
40639 --
40640 --ENTRY(csum_partial_copy_generic)
40641 -+
40642 -+ENTRY(csum_partial_copy_generic_to_user)
40643 - CFI_STARTPROC
40644 -+ pushl $(__USER_DS)
40645 -+ CFI_ADJUST_CFA_OFFSET 4
40646 -+ popl %es
40647 -+ CFI_ADJUST_CFA_OFFSET -4
40648 -+ jmp csum_partial_copy_generic
40649 -+
40650 -+ENTRY(csum_partial_copy_generic_from_user)
40651 -+ pushl $(__USER_DS)
40652 -+ CFI_ADJUST_CFA_OFFSET 4
40653 -+ popl %ds
40654 -+ CFI_ADJUST_CFA_OFFSET -4
40655 -+
40656 -+ENTRY(csum_partial_copy_generic)
40657 - pushl %ebx
40658 - CFI_ADJUST_CFA_OFFSET 4
40659 - CFI_REL_OFFSET ebx, 0
40660 -@@ -482,7 +519,7 @@ ENTRY(csum_partial_copy_generic)
40661 - subl %ebx, %edi
40662 - lea -1(%esi),%edx
40663 - andl $-32,%edx
40664 -- lea 3f(%ebx,%ebx), %ebx
40665 -+ lea 3f(%ebx,%ebx,2), %ebx
40666 - testl %esi, %esi
40667 - jmp *%ebx
40668 - 1: addl $64,%esi
40669 -@@ -503,19 +540,19 @@ ENTRY(csum_partial_copy_generic)
40670 - jb 5f
40671 - SRC( movw (%esi), %dx )
40672 - leal 2(%esi), %esi
40673 --DST( movw %dx, (%edi) )
40674 -+DST( movw %dx, %es:(%edi) )
40675 - leal 2(%edi), %edi
40676 - je 6f
40677 - shll $16,%edx
40678 - 5:
40679 - SRC( movb (%esi), %dl )
40680 --DST( movb %dl, (%edi) )
40681 -+DST( movb %dl, %es:(%edi) )
40682 - 6: addl %edx, %eax
40683 - adcl $0, %eax
40684 - 7:
40685 - .section .fixup, "ax"
40686 - 6001: movl ARGBASE+20(%esp), %ebx # src_err_ptr
40687 -- movl $-EFAULT, (%ebx)
40688 -+ movl $-EFAULT, %ss:(%ebx)
40689 - # zero the complete destination (computing the rest is too much work)
40690 - movl ARGBASE+8(%esp),%edi # dst
40691 - movl ARGBASE+12(%esp),%ecx # len
40692 -@@ -523,10 +560,18 @@ DST( movb %dl, (%edi) )
40693 - rep; stosb
40694 - jmp 7b
40695 - 6002: movl ARGBASE+24(%esp), %ebx # dst_err_ptr
40696 -- movl $-EFAULT, (%ebx)
40697 -+ movl $-EFAULT, %ss:(%ebx)
40698 - jmp 7b
40699 - .previous
40700 -
40701 -+ pushl %ss
40702 -+ CFI_ADJUST_CFA_OFFSET 4
40703 -+ popl %ds
40704 -+ CFI_ADJUST_CFA_OFFSET -4
40705 -+ pushl %ss
40706 -+ CFI_ADJUST_CFA_OFFSET 4
40707 -+ popl %es
40708 -+ CFI_ADJUST_CFA_OFFSET -4
40709 - popl %esi
40710 - CFI_ADJUST_CFA_OFFSET -4
40711 - CFI_RESTORE esi
40712 -@@ -538,7 +583,7 @@ DST( movb %dl, (%edi) )
40713 - CFI_RESTORE ebx
40714 - ret
40715 - CFI_ENDPROC
40716 --ENDPROC(csum_partial_copy_generic)
40717 -+ENDPROC(csum_partial_copy_generic_to_user)
40718 -
40719 - #undef ROUND
40720 - #undef ROUND1
40721 -diff -Nurp linux-2.6.23.15/arch/i386/lib/getuser.S linux-2.6.23.15-grsec/arch/i386/lib/getuser.S
40722 ---- linux-2.6.23.15/arch/i386/lib/getuser.S 2007-10-09 21:31:38.000000000 +0100
40723 -+++ linux-2.6.23.15-grsec/arch/i386/lib/getuser.S 2008-02-11 10:37:44.000000000 +0000
40724 -@@ -11,7 +11,7 @@
40725 - #include <linux/linkage.h>
40726 - #include <asm/dwarf2.h>
40727 - #include <asm/thread_info.h>
40728 --
40729 -+#include <asm/segment.h>
40730 -
40731 - /*
40732 - * __get_user_X
40733 -@@ -31,7 +31,11 @@ ENTRY(__get_user_1)
40734 - GET_THREAD_INFO(%edx)
40735 - cmpl TI_addr_limit(%edx),%eax
40736 - jae bad_get_user
40737 -+ pushl $(__USER_DS)
40738 -+ popl %ds
40739 - 1: movzbl (%eax),%edx
40740 -+ pushl %ss
40741 -+ pop %ds
40742 - xorl %eax,%eax
40743 - ret
40744 - CFI_ENDPROC
40745 -@@ -44,7 +48,11 @@ ENTRY(__get_user_2)
40746 - GET_THREAD_INFO(%edx)
40747 - cmpl TI_addr_limit(%edx),%eax
40748 - jae bad_get_user
40749 -+ pushl $(__USER_DS)
40750 -+ popl %ds
40751 - 2: movzwl -1(%eax),%edx
40752 -+ pushl %ss
40753 -+ pop %ds
40754 - xorl %eax,%eax
40755 - ret
40756 - CFI_ENDPROC
40757 -@@ -57,7 +65,11 @@ ENTRY(__get_user_4)
40758 - GET_THREAD_INFO(%edx)
40759 - cmpl TI_addr_limit(%edx),%eax
40760 - jae bad_get_user
40761 -+ pushl $(__USER_DS)
40762 -+ popl %ds
40763 - 3: movl -3(%eax),%edx
40764 -+ pushl %ss
40765 -+ pop %ds
40766 - xorl %eax,%eax
40767 - ret
40768 - CFI_ENDPROC
40769 -@@ -65,6 +77,8 @@ ENDPROC(__get_user_4)
40770 -
40771 - bad_get_user:
40772 - CFI_STARTPROC
40773 -+ pushl %ss
40774 -+ pop %ds
40775 - xorl %edx,%edx
40776 - movl $-14,%eax
40777 - ret
40778 -diff -Nurp linux-2.6.23.15/arch/i386/lib/mmx.c linux-2.6.23.15-grsec/arch/i386/lib/mmx.c
40779 ---- linux-2.6.23.15/arch/i386/lib/mmx.c 2007-10-09 21:31:38.000000000 +0100
40780 -+++ linux-2.6.23.15-grsec/arch/i386/lib/mmx.c 2008-02-11 10:37:44.000000000 +0000
40781 -@@ -30,6 +30,7 @@ void *_mmx_memcpy(void *to, const void *
40782 - {
40783 - void *p;
40784 - int i;
40785 -+ unsigned long cr0;
40786 -
40787 - if (unlikely(in_interrupt()))
40788 - return __memcpy(to, from, len);
40789 -@@ -40,52 +41,80 @@ void *_mmx_memcpy(void *to, const void *
40790 - kernel_fpu_begin();
40791 -
40792 - __asm__ __volatile__ (
40793 -- "1: prefetch (%0)\n" /* This set is 28 bytes */
40794 -- " prefetch 64(%0)\n"
40795 -- " prefetch 128(%0)\n"
40796 -- " prefetch 192(%0)\n"
40797 -- " prefetch 256(%0)\n"
40798 -+ "1: prefetch (%1)\n" /* This set is 28 bytes */
40799 -+ " prefetch 64(%1)\n"
40800 -+ " prefetch 128(%1)\n"
40801 -+ " prefetch 192(%1)\n"
40802 -+ " prefetch 256(%1)\n"
40803 - "2: \n"
40804 - ".section .fixup, \"ax\"\n"
40805 -- "3: movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
40806 -+ "3: \n"
40807 -+
40808 -+#ifdef CONFIG_PAX_KERNEXEC
40809 -+ " movl %%cr0, %0\n"
40810 -+ " movl %0, %%eax\n"
40811 -+ " andl $0xFFFEFFFF, %%eax\n"
40812 -+ " movl %%eax, %%cr0\n"
40813 -+#endif
40814 -+
40815 -+ " movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
40816 -+
40817 -+#ifdef CONFIG_PAX_KERNEXEC
40818 -+ " movl %0, %%cr0\n"
40819 -+#endif
40820 -+
40821 - " jmp 2b\n"
40822 - ".previous\n"
40823 - ".section __ex_table,\"a\"\n"
40824 - " .align 4\n"
40825 - " .long 1b, 3b\n"
40826 - ".previous"
40827 -- : : "r" (from) );
40828 -+ : "=&r" (cr0) : "r" (from) : "ax");
40829 -
40830 -
40831 - for(; i>5; i--)
40832 - {
40833 - __asm__ __volatile__ (
40834 -- "1: prefetch 320(%0)\n"
40835 -- "2: movq (%0), %%mm0\n"
40836 -- " movq 8(%0), %%mm1\n"
40837 -- " movq 16(%0), %%mm2\n"
40838 -- " movq 24(%0), %%mm3\n"
40839 -- " movq %%mm0, (%1)\n"
40840 -- " movq %%mm1, 8(%1)\n"
40841 -- " movq %%mm2, 16(%1)\n"
40842 -- " movq %%mm3, 24(%1)\n"
40843 -- " movq 32(%0), %%mm0\n"
40844 -- " movq 40(%0), %%mm1\n"
40845 -- " movq 48(%0), %%mm2\n"
40846 -- " movq 56(%0), %%mm3\n"
40847 -- " movq %%mm0, 32(%1)\n"
40848 -- " movq %%mm1, 40(%1)\n"
40849 -- " movq %%mm2, 48(%1)\n"
40850 -- " movq %%mm3, 56(%1)\n"
40851 -+ "1: prefetch 320(%1)\n"
40852 -+ "2: movq (%1), %%mm0\n"
40853 -+ " movq 8(%1), %%mm1\n"
40854 -+ " movq 16(%1), %%mm2\n"
40855 -+ " movq 24(%1), %%mm3\n"
40856 -+ " movq %%mm0, (%2)\n"
40857 -+ " movq %%mm1, 8(%2)\n"
40858 -+ " movq %%mm2, 16(%2)\n"
40859 -+ " movq %%mm3, 24(%2)\n"
40860 -+ " movq 32(%1), %%mm0\n"
40861 -+ " movq 40(%1), %%mm1\n"
40862 -+ " movq 48(%1), %%mm2\n"
40863 -+ " movq 56(%1), %%mm3\n"
40864 -+ " movq %%mm0, 32(%2)\n"
40865 -+ " movq %%mm1, 40(%2)\n"
40866 -+ " movq %%mm2, 48(%2)\n"
40867 -+ " movq %%mm3, 56(%2)\n"
40868 - ".section .fixup, \"ax\"\n"
40869 -- "3: movw $0x05EB, 1b\n" /* jmp on 5 bytes */
40870 -+ "3:\n"
40871 -+
40872 -+#ifdef CONFIG_PAX_KERNEXEC
40873 -+ " movl %%cr0, %0\n"
40874 -+ " movl %0, %%eax\n"
40875 -+ " andl $0xFFFEFFFF, %%eax\n"
40876 -+ " movl %%eax, %%cr0\n"
40877 -+#endif
40878 -+
40879 -+ " movw $0x05EB, 1b\n" /* jmp on 5 bytes */
40880 -+
40881 -+#ifdef CONFIG_PAX_KERNEXEC
40882 -+ " movl %0, %%cr0\n"
40883 -+#endif
40884 -+
40885 - " jmp 2b\n"
40886 - ".previous\n"
40887 - ".section __ex_table,\"a\"\n"
40888 - " .align 4\n"
40889 - " .long 1b, 3b\n"
40890 - ".previous"
40891 -- : : "r" (from), "r" (to) : "memory");
40892 -+ : "=&r" (cr0) : "r" (from), "r" (to) : "memory", "ax");
40893 - from+=64;
40894 - to+=64;
40895 - }
40896 -@@ -164,6 +193,7 @@ static void fast_clear_page(void *page)
40897 - static void fast_copy_page(void *to, void *from)
40898 - {
40899 - int i;
40900 -+ unsigned long cr0;
40901 -
40902 - kernel_fpu_begin();
40903 -
40904 -@@ -171,51 +201,79 @@ static void fast_copy_page(void *to, voi
40905 - * but that is for later. -AV
40906 - */
40907 - __asm__ __volatile__ (
40908 -- "1: prefetch (%0)\n"
40909 -- " prefetch 64(%0)\n"
40910 -- " prefetch 128(%0)\n"
40911 -- " prefetch 192(%0)\n"
40912 -- " prefetch 256(%0)\n"
40913 -+ "1: prefetch (%1)\n"
40914 -+ " prefetch 64(%1)\n"
40915 -+ " prefetch 128(%1)\n"
40916 -+ " prefetch 192(%1)\n"
40917 -+ " prefetch 256(%1)\n"
40918 - "2: \n"
40919 - ".section .fixup, \"ax\"\n"
40920 -- "3: movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
40921 -+ "3: \n"
40922 -+
40923 -+#ifdef CONFIG_PAX_KERNEXEC
40924 -+ " movl %%cr0, %0\n"
40925 -+ " movl %0, %%eax\n"
40926 -+ " andl $0xFFFEFFFF, %%eax\n"
40927 -+ " movl %%eax, %%cr0\n"
40928 -+#endif
40929 -+
40930 -+ " movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
40931 -+
40932 -+#ifdef CONFIG_PAX_KERNEXEC
40933 -+ " movl %0, %%cr0\n"
40934 -+#endif
40935 -+
40936 - " jmp 2b\n"
40937 - ".previous\n"
40938 - ".section __ex_table,\"a\"\n"
40939 - " .align 4\n"
40940 - " .long 1b, 3b\n"
40941 - ".previous"
40942 -- : : "r" (from) );
40943 -+ : "=&r" (cr0) : "r" (from) : "ax");
40944 -
40945 - for(i=0; i<(4096-320)/64; i++)
40946 - {
40947 - __asm__ __volatile__ (
40948 -- "1: prefetch 320(%0)\n"
40949 -- "2: movq (%0), %%mm0\n"
40950 -- " movntq %%mm0, (%1)\n"
40951 -- " movq 8(%0), %%mm1\n"
40952 -- " movntq %%mm1, 8(%1)\n"
40953 -- " movq 16(%0), %%mm2\n"
40954 -- " movntq %%mm2, 16(%1)\n"
40955 -- " movq 24(%0), %%mm3\n"
40956 -- " movntq %%mm3, 24(%1)\n"
40957 -- " movq 32(%0), %%mm4\n"
40958 -- " movntq %%mm4, 32(%1)\n"
40959 -- " movq 40(%0), %%mm5\n"
40960 -- " movntq %%mm5, 40(%1)\n"
40961 -- " movq 48(%0), %%mm6\n"
40962 -- " movntq %%mm6, 48(%1)\n"
40963 -- " movq 56(%0), %%mm7\n"
40964 -- " movntq %%mm7, 56(%1)\n"
40965 -+ "1: prefetch 320(%1)\n"
40966 -+ "2: movq (%1), %%mm0\n"
40967 -+ " movntq %%mm0, (%2)\n"
40968 -+ " movq 8(%1), %%mm1\n"
40969 -+ " movntq %%mm1, 8(%2)\n"
40970 -+ " movq 16(%1), %%mm2\n"
40971 -+ " movntq %%mm2, 16(%2)\n"
40972 -+ " movq 24(%1), %%mm3\n"
40973 -+ " movntq %%mm3, 24(%2)\n"
40974 -+ " movq 32(%1), %%mm4\n"
40975 -+ " movntq %%mm4, 32(%2)\n"
40976 -+ " movq 40(%1), %%mm5\n"
40977 -+ " movntq %%mm5, 40(%2)\n"
40978 -+ " movq 48(%1), %%mm6\n"
40979 -+ " movntq %%mm6, 48(%2)\n"
40980 -+ " movq 56(%1), %%mm7\n"
40981 -+ " movntq %%mm7, 56(%2)\n"
40982 - ".section .fixup, \"ax\"\n"
40983 -- "3: movw $0x05EB, 1b\n" /* jmp on 5 bytes */
40984 -+ "3:\n"
40985 -+
40986 -+#ifdef CONFIG_PAX_KERNEXEC
40987 -+ " movl %%cr0, %0\n"
40988 -+ " movl %0, %%eax\n"
40989 -+ " andl $0xFFFEFFFF, %%eax\n"
40990 -+ " movl %%eax, %%cr0\n"
40991 -+#endif
40992 -+
40993 -+ " movw $0x05EB, 1b\n" /* jmp on 5 bytes */
40994 -+
40995 -+#ifdef CONFIG_PAX_KERNEXEC
40996 -+ " movl %0, %%cr0\n"
40997 -+#endif
40998 -+
40999 - " jmp 2b\n"
41000 - ".previous\n"
41001 - ".section __ex_table,\"a\"\n"
41002 - " .align 4\n"
41003 - " .long 1b, 3b\n"
41004 - ".previous"
41005 -- : : "r" (from), "r" (to) : "memory");
41006 -+ : "=&r" (cr0) : "r" (from), "r" (to) : "memory", "ax");
41007 - from+=64;
41008 - to+=64;
41009 - }
41010 -@@ -296,56 +354,84 @@ static void fast_clear_page(void *page)
41011 - static void fast_copy_page(void *to, void *from)
41012 - {
41013 - int i;
41014 --
41015 --
41016 -+ unsigned long cr0;
41017 -+
41018 - kernel_fpu_begin();
41019 -
41020 - __asm__ __volatile__ (
41021 -- "1: prefetch (%0)\n"
41022 -- " prefetch 64(%0)\n"
41023 -- " prefetch 128(%0)\n"
41024 -- " prefetch 192(%0)\n"
41025 -- " prefetch 256(%0)\n"
41026 -+ "1: prefetch (%1)\n"
41027 -+ " prefetch 64(%1)\n"
41028 -+ " prefetch 128(%1)\n"
41029 -+ " prefetch 192(%1)\n"
41030 -+ " prefetch 256(%1)\n"
41031 - "2: \n"
41032 - ".section .fixup, \"ax\"\n"
41033 -- "3: movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
41034 -+ "3: \n"
41035 -+
41036 -+#ifdef CONFIG_PAX_KERNEXEC
41037 -+ " movl %%cr0, %0\n"
41038 -+ " movl %0, %%eax\n"
41039 -+ " andl $0xFFFEFFFF, %%eax\n"
41040 -+ " movl %%eax, %%cr0\n"
41041 -+#endif
41042 -+
41043 -+ " movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
41044 -+
41045 -+#ifdef CONFIG_PAX_KERNEXEC
41046 -+ " movl %0, %%cr0\n"
41047 -+#endif
41048 -+
41049 - " jmp 2b\n"
41050 - ".previous\n"
41051 - ".section __ex_table,\"a\"\n"
41052 - " .align 4\n"
41053 - " .long 1b, 3b\n"
41054 - ".previous"
41055 -- : : "r" (from) );
41056 -+ : "=&r" (cr0) : "r" (from) : "ax");
41057 -
41058 - for(i=0; i<4096/64; i++)
41059 - {
41060 - __asm__ __volatile__ (
41061 -- "1: prefetch 320(%0)\n"
41062 -- "2: movq (%0), %%mm0\n"
41063 -- " movq 8(%0), %%mm1\n"
41064 -- " movq 16(%0), %%mm2\n"
41065 -- " movq 24(%0), %%mm3\n"
41066 -- " movq %%mm0, (%1)\n"
41067 -- " movq %%mm1, 8(%1)\n"
41068 -- " movq %%mm2, 16(%1)\n"
41069 -- " movq %%mm3, 24(%1)\n"
41070 -- " movq 32(%0), %%mm0\n"
41071 -- " movq 40(%0), %%mm1\n"
41072 -- " movq 48(%0), %%mm2\n"
41073 -- " movq 56(%0), %%mm3\n"
41074 -- " movq %%mm0, 32(%1)\n"
41075 -- " movq %%mm1, 40(%1)\n"
41076 -- " movq %%mm2, 48(%1)\n"
41077 -- " movq %%mm3, 56(%1)\n"
41078 -+ "1: prefetch 320(%1)\n"
41079 -+ "2: movq (%1), %%mm0\n"
41080 -+ " movq 8(%1), %%mm1\n"
41081 -+ " movq 16(%1), %%mm2\n"
41082 -+ " movq 24(%1), %%mm3\n"
41083 -+ " movq %%mm0, (%2)\n"
41084 -+ " movq %%mm1, 8(%2)\n"
41085 -+ " movq %%mm2, 16(%2)\n"
41086 -+ " movq %%mm3, 24(%2)\n"
41087 -+ " movq 32(%1), %%mm0\n"
41088 -+ " movq 40(%1), %%mm1\n"
41089 -+ " movq 48(%1), %%mm2\n"
41090 -+ " movq 56(%1), %%mm3\n"
41091 -+ " movq %%mm0, 32(%2)\n"
41092 -+ " movq %%mm1, 40(%2)\n"
41093 -+ " movq %%mm2, 48(%2)\n"
41094 -+ " movq %%mm3, 56(%2)\n"
41095 - ".section .fixup, \"ax\"\n"
41096 -- "3: movw $0x05EB, 1b\n" /* jmp on 5 bytes */
41097 -+ "3:\n"
41098 -+
41099 -+#ifdef CONFIG_PAX_KERNEXEC
41100 -+ " movl %%cr0, %0\n"
41101 -+ " movl %0, %%eax\n"
41102 -+ " andl $0xFFFEFFFF, %%eax\n"
41103 -+ " movl %%eax, %%cr0\n"
41104 -+#endif
41105 -+
41106 -+ " movw $0x05EB, 1b\n" /* jmp on 5 bytes */
41107 -+
41108 -+#ifdef CONFIG_PAX_KERNEXEC
41109 -+ " movl %0, %%cr0\n"
41110 -+#endif
41111 -+
41112 - " jmp 2b\n"
41113 - ".previous\n"
41114 - ".section __ex_table,\"a\"\n"
41115 - " .align 4\n"
41116 - " .long 1b, 3b\n"
41117 - ".previous"
41118 -- : : "r" (from), "r" (to) : "memory");
41119 -+ : "=&r" (cr0) : "r" (from), "r" (to) : "memory", "ax");
41120 - from+=64;
41121 - to+=64;
41122 - }
41123 -diff -Nurp linux-2.6.23.15/arch/i386/lib/putuser.S linux-2.6.23.15-grsec/arch/i386/lib/putuser.S
41124 ---- linux-2.6.23.15/arch/i386/lib/putuser.S 2007-10-09 21:31:38.000000000 +0100
41125 -+++ linux-2.6.23.15-grsec/arch/i386/lib/putuser.S 2008-02-11 10:37:44.000000000 +0000
41126 -@@ -11,7 +11,7 @@
41127 - #include <linux/linkage.h>
41128 - #include <asm/dwarf2.h>
41129 - #include <asm/thread_info.h>
41130 --
41131 -+#include <asm/segment.h>
41132 -
41133 - /*
41134 - * __put_user_X
41135 -@@ -41,7 +41,11 @@ ENTRY(__put_user_1)
41136 - ENTER
41137 - cmpl TI_addr_limit(%ebx),%ecx
41138 - jae bad_put_user
41139 -+ pushl $(__USER_DS)
41140 -+ popl %ds
41141 - 1: movb %al,(%ecx)
41142 -+ pushl %ss
41143 -+ popl %ds
41144 - xorl %eax,%eax
41145 - EXIT
41146 - ENDPROC(__put_user_1)
41147 -@@ -52,7 +56,11 @@ ENTRY(__put_user_2)
41148 - subl $1,%ebx
41149 - cmpl %ebx,%ecx
41150 - jae bad_put_user
41151 -+ pushl $(__USER_DS)
41152 -+ popl %ds
41153 - 2: movw %ax,(%ecx)
41154 -+ pushl %ss
41155 -+ popl %ds
41156 - xorl %eax,%eax
41157 - EXIT
41158 - ENDPROC(__put_user_2)
41159 -@@ -63,7 +71,11 @@ ENTRY(__put_user_4)
41160 - subl $3,%ebx
41161 - cmpl %ebx,%ecx
41162 - jae bad_put_user
41163 -+ pushl $(__USER_DS)
41164 -+ popl %ds
41165 - 3: movl %eax,(%ecx)
41166 -+ pushl %ss
41167 -+ popl %ds
41168 - xorl %eax,%eax
41169 - EXIT
41170 - ENDPROC(__put_user_4)
41171 -@@ -74,8 +86,12 @@ ENTRY(__put_user_8)
41172 - subl $7,%ebx
41173 - cmpl %ebx,%ecx
41174 - jae bad_put_user
41175 -+ pushl $(__USER_DS)
41176 -+ popl %ds
41177 - 4: movl %eax,(%ecx)
41178 - 5: movl %edx,4(%ecx)
41179 -+ pushl %ss
41180 -+ popl %ds
41181 - xorl %eax,%eax
41182 - EXIT
41183 - ENDPROC(__put_user_8)
41184 -@@ -85,6 +101,10 @@ bad_put_user:
41185 - CFI_DEF_CFA esp, 2*4
41186 - CFI_OFFSET eip, -1*4
41187 - CFI_OFFSET ebx, -2*4
41188 -+ pushl %ss
41189 -+ CFI_ADJUST_CFA_OFFSET 4
41190 -+ popl %ds
41191 -+ CFI_ADJUST_CFA_OFFSET -4
41192 - movl $-14,%eax
41193 - EXIT
41194 - END(bad_put_user)
41195 -diff -Nurp linux-2.6.23.15/arch/i386/lib/usercopy.c linux-2.6.23.15-grsec/arch/i386/lib/usercopy.c
41196 ---- linux-2.6.23.15/arch/i386/lib/usercopy.c 2007-10-09 21:31:38.000000000 +0100
41197 -+++ linux-2.6.23.15-grsec/arch/i386/lib/usercopy.c 2008-02-11 10:37:44.000000000 +0000
41198 -@@ -29,34 +29,41 @@ static inline int __movsl_is_ok(unsigned
41199 - * Copy a null terminated string from userspace.
41200 - */
41201 -
41202 --#define __do_strncpy_from_user(dst,src,count,res) \
41203 --do { \
41204 -- int __d0, __d1, __d2; \
41205 -- might_sleep(); \
41206 -- __asm__ __volatile__( \
41207 -- " testl %1,%1\n" \
41208 -- " jz 2f\n" \
41209 -- "0: lodsb\n" \
41210 -- " stosb\n" \
41211 -- " testb %%al,%%al\n" \
41212 -- " jz 1f\n" \
41213 -- " decl %1\n" \
41214 -- " jnz 0b\n" \
41215 -- "1: subl %1,%0\n" \
41216 -- "2:\n" \
41217 -- ".section .fixup,\"ax\"\n" \
41218 -- "3: movl %5,%0\n" \
41219 -- " jmp 2b\n" \
41220 -- ".previous\n" \
41221 -- ".section __ex_table,\"a\"\n" \
41222 -- " .align 4\n" \
41223 -- " .long 0b,3b\n" \
41224 -- ".previous" \
41225 -- : "=d"(res), "=c"(count), "=&a" (__d0), "=&S" (__d1), \
41226 -- "=&D" (__d2) \
41227 -- : "i"(-EFAULT), "0"(count), "1"(count), "3"(src), "4"(dst) \
41228 -- : "memory"); \
41229 --} while (0)
41230 -+static long __do_strncpy_from_user(char *dst, const char __user *src, long count)
41231 -+{
41232 -+ int __d0, __d1, __d2;
41233 -+ long res = -EFAULT;
41234 -+
41235 -+ might_sleep();
41236 -+ __asm__ __volatile__(
41237 -+ " movw %w10,%%ds\n"
41238 -+ " testl %1,%1\n"
41239 -+ " jz 2f\n"
41240 -+ "0: lodsb\n"
41241 -+ " stosb\n"
41242 -+ " testb %%al,%%al\n"
41243 -+ " jz 1f\n"
41244 -+ " decl %1\n"
41245 -+ " jnz 0b\n"
41246 -+ "1: subl %1,%0\n"
41247 -+ "2:\n"
41248 -+ " pushl %%ss\n"
41249 -+ " popl %%ds\n"
41250 -+ ".section .fixup,\"ax\"\n"
41251 -+ "3: movl %5,%0\n"
41252 -+ " jmp 2b\n"
41253 -+ ".previous\n"
41254 -+ ".section __ex_table,\"a\"\n"
41255 -+ " .align 4\n"
41256 -+ " .long 0b,3b\n"
41257 -+ ".previous"
41258 -+ : "=d"(res), "=c"(count), "=&a" (__d0), "=&S" (__d1),
41259 -+ "=&D" (__d2)
41260 -+ : "i"(-EFAULT), "0"(count), "1"(count), "3"(src), "4"(dst),
41261 -+ "r"(__USER_DS)
41262 -+ : "memory");
41263 -+ return res;
41264 -+}
41265 -
41266 - /**
41267 - * __strncpy_from_user: - Copy a NUL terminated string from userspace, with less checking.
41268 -@@ -81,9 +88,7 @@ do { \
41269 - long
41270 - __strncpy_from_user(char *dst, const char __user *src, long count)
41271 - {
41272 -- long res;
41273 -- __do_strncpy_from_user(dst, src, count, res);
41274 -- return res;
41275 -+ return __do_strncpy_from_user(dst, src, count);
41276 - }
41277 - EXPORT_SYMBOL(__strncpy_from_user);
41278 -
41279 -@@ -110,7 +115,7 @@ strncpy_from_user(char *dst, const char
41280 - {
41281 - long res = -EFAULT;
41282 - if (access_ok(VERIFY_READ, src, 1))
41283 -- __do_strncpy_from_user(dst, src, count, res);
41284 -+ res = __do_strncpy_from_user(dst, src, count);
41285 - return res;
41286 - }
41287 - EXPORT_SYMBOL(strncpy_from_user);
41288 -@@ -119,27 +124,33 @@ EXPORT_SYMBOL(strncpy_from_user);
41289 - * Zero Userspace
41290 - */
41291 -
41292 --#define __do_clear_user(addr,size) \
41293 --do { \
41294 -- int __d0; \
41295 -- might_sleep(); \
41296 -- __asm__ __volatile__( \
41297 -- "0: rep; stosl\n" \
41298 -- " movl %2,%0\n" \
41299 -- "1: rep; stosb\n" \
41300 -- "2:\n" \
41301 -- ".section .fixup,\"ax\"\n" \
41302 -- "3: lea 0(%2,%0,4),%0\n" \
41303 -- " jmp 2b\n" \
41304 -- ".previous\n" \
41305 -- ".section __ex_table,\"a\"\n" \
41306 -- " .align 4\n" \
41307 -- " .long 0b,3b\n" \
41308 -- " .long 1b,2b\n" \
41309 -- ".previous" \
41310 -- : "=&c"(size), "=&D" (__d0) \
41311 -- : "r"(size & 3), "0"(size / 4), "1"(addr), "a"(0)); \
41312 --} while (0)
41313 -+static unsigned long __do_clear_user(void __user *addr, unsigned long size)
41314 -+{
41315 -+ int __d0;
41316 -+
41317 -+ might_sleep();
41318 -+ __asm__ __volatile__(
41319 -+ " movw %w6,%%es\n"
41320 -+ "0: rep; stosl\n"
41321 -+ " movl %2,%0\n"
41322 -+ "1: rep; stosb\n"
41323 -+ "2:\n"
41324 -+ " pushl %%ss\n"
41325 -+ " popl %%es\n"
41326 -+ ".section .fixup,\"ax\"\n"
41327 -+ "3: lea 0(%2,%0,4),%0\n"
41328 -+ " jmp 2b\n"
41329 -+ ".previous\n"
41330 -+ ".section __ex_table,\"a\"\n"
41331 -+ " .align 4\n"
41332 -+ " .long 0b,3b\n"
41333 -+ " .long 1b,2b\n"
41334 -+ ".previous"
41335 -+ : "=&c"(size), "=&D" (__d0)
41336 -+ : "r"(size & 3), "0"(size / 4), "1"(addr), "a"(0),
41337 -+ "r"(__USER_DS));
41338 -+ return size;
41339 -+}
41340 -
41341 - /**
41342 - * clear_user: - Zero a block of memory in user space.
41343 -@@ -156,7 +167,7 @@ clear_user(void __user *to, unsigned lon
41344 - {
41345 - might_sleep();
41346 - if (access_ok(VERIFY_WRITE, to, n))
41347 -- __do_clear_user(to, n);
41348 -+ n = __do_clear_user(to, n);
41349 - return n;
41350 - }
41351 - EXPORT_SYMBOL(clear_user);
41352 -@@ -175,8 +186,7 @@ EXPORT_SYMBOL(clear_user);
41353 - unsigned long
41354 - __clear_user(void __user *to, unsigned long n)
41355 - {
41356 -- __do_clear_user(to, n);
41357 -- return n;
41358 -+ return __do_clear_user(to, n);
41359 - }
41360 - EXPORT_SYMBOL(__clear_user);
41361 -
41362 -@@ -199,14 +209,17 @@ long strnlen_user(const char __user *s,
41363 - might_sleep();
41364 -
41365 - __asm__ __volatile__(
41366 -+ " movw %w8,%%es\n"
41367 - " testl %0, %0\n"
41368 - " jz 3f\n"
41369 -- " andl %0,%%ecx\n"
41370 -+ " movl %0,%%ecx\n"
41371 - "0: repne; scasb\n"
41372 - " setne %%al\n"
41373 - " subl %%ecx,%0\n"
41374 - " addl %0,%%eax\n"
41375 - "1:\n"
41376 -+ " pushl %%ss\n"
41377 -+ " popl %%es\n"
41378 - ".section .fixup,\"ax\"\n"
41379 - "2: xorl %%eax,%%eax\n"
41380 - " jmp 1b\n"
41381 -@@ -218,7 +231,7 @@ long strnlen_user(const char __user *s,
41382 - " .long 0b,2b\n"
41383 - ".previous"
41384 - :"=r" (n), "=D" (s), "=a" (res), "=c" (tmp)
41385 -- :"0" (n), "1" (s), "2" (0), "3" (mask)
41386 -+ :"0" (n), "1" (s), "2" (0), "3" (mask), "r" (__USER_DS)
41387 - :"cc");
41388 - return res & mask;
41389 - }
41390 -@@ -226,10 +239,121 @@ EXPORT_SYMBOL(strnlen_user);
41391 -
41392 - #ifdef CONFIG_X86_INTEL_USERCOPY
41393 - static unsigned long
41394 --__copy_user_intel(void __user *to, const void *from, unsigned long size)
41395 -+__generic_copy_to_user_intel(void __user *to, const void *from, unsigned long size)
41396 -+{
41397 -+ int d0, d1;
41398 -+ __asm__ __volatile__(
41399 -+ " movw %w6, %%es\n"
41400 -+ " .align 2,0x90\n"
41401 -+ "1: movl 32(%4), %%eax\n"
41402 -+ " cmpl $67, %0\n"
41403 -+ " jbe 3f\n"
41404 -+ "2: movl 64(%4), %%eax\n"
41405 -+ " .align 2,0x90\n"
41406 -+ "3: movl 0(%4), %%eax\n"
41407 -+ "4: movl 4(%4), %%edx\n"
41408 -+ "5: movl %%eax, %%es:0(%3)\n"
41409 -+ "6: movl %%edx, %%es:4(%3)\n"
41410 -+ "7: movl 8(%4), %%eax\n"
41411 -+ "8: movl 12(%4),%%edx\n"
41412 -+ "9: movl %%eax, %%es:8(%3)\n"
41413 -+ "10: movl %%edx, %%es:12(%3)\n"
41414 -+ "11: movl 16(%4), %%eax\n"
41415 -+ "12: movl 20(%4), %%edx\n"
41416 -+ "13: movl %%eax, %%es:16(%3)\n"
41417 -+ "14: movl %%edx, %%es:20(%3)\n"
41418 -+ "15: movl 24(%4), %%eax\n"
41419 -+ "16: movl 28(%4), %%edx\n"
41420 -+ "17: movl %%eax, %%es:24(%3)\n"
41421 -+ "18: movl %%edx, %%es:28(%3)\n"
41422 -+ "19: movl 32(%4), %%eax\n"
41423 -+ "20: movl 36(%4), %%edx\n"
41424 -+ "21: movl %%eax, %%es:32(%3)\n"
41425 -+ "22: movl %%edx, %%es:36(%3)\n"
41426 -+ "23: movl 40(%4), %%eax\n"
41427 -+ "24: movl 44(%4), %%edx\n"
41428 -+ "25: movl %%eax, %%es:40(%3)\n"
41429 -+ "26: movl %%edx, %%es:44(%3)\n"
41430 -+ "27: movl 48(%4), %%eax\n"
41431 -+ "28: movl 52(%4), %%edx\n"
41432 -+ "29: movl %%eax, %%es:48(%3)\n"
41433 -+ "30: movl %%edx, %%es:52(%3)\n"
41434 -+ "31: movl 56(%4), %%eax\n"
41435 -+ "32: movl 60(%4), %%edx\n"
41436 -+ "33: movl %%eax, %%es:56(%3)\n"
41437 -+ "34: movl %%edx, %%es:60(%3)\n"
41438 -+ " addl $-64, %0\n"
41439 -+ " addl $64, %4\n"
41440 -+ " addl $64, %3\n"
41441 -+ " cmpl $63, %0\n"
41442 -+ " ja 1b\n"
41443 -+ "35: movl %0, %%eax\n"
41444 -+ " shrl $2, %0\n"
41445 -+ " andl $3, %%eax\n"
41446 -+ " cld\n"
41447 -+ "99: rep; movsl\n"
41448 -+ "36: movl %%eax, %0\n"
41449 -+ "37: rep; movsb\n"
41450 -+ "100:\n"
41451 -+ " pushl %%ss\n"
41452 -+ " popl %%es\n"
41453 -+ ".section .fixup,\"ax\"\n"
41454 -+ "101: lea 0(%%eax,%0,4),%0\n"
41455 -+ " jmp 100b\n"
41456 -+ ".previous\n"
41457 -+ ".section __ex_table,\"a\"\n"
41458 -+ " .align 4\n"
41459 -+ " .long 1b,100b\n"
41460 -+ " .long 2b,100b\n"
41461 -+ " .long 3b,100b\n"
41462 -+ " .long 4b,100b\n"
41463 -+ " .long 5b,100b\n"
41464 -+ " .long 6b,100b\n"
41465 -+ " .long 7b,100b\n"
41466 -+ " .long 8b,100b\n"
41467 -+ " .long 9b,100b\n"
41468 -+ " .long 10b,100b\n"
41469 -+ " .long 11b,100b\n"
41470 -+ " .long 12b,100b\n"
41471 -+ " .long 13b,100b\n"
41472 -+ " .long 14b,100b\n"
41473 -+ " .long 15b,100b\n"
41474 -+ " .long 16b,100b\n"
41475 -+ " .long 17b,100b\n"
41476 -+ " .long 18b,100b\n"
41477 -+ " .long 19b,100b\n"
41478 -+ " .long 20b,100b\n"
41479 -+ " .long 21b,100b\n"
41480 -+ " .long 22b,100b\n"
41481 -+ " .long 23b,100b\n"
41482 -+ " .long 24b,100b\n"
41483 -+ " .long 25b,100b\n"
41484 -+ " .long 26b,100b\n"
41485 -+ " .long 27b,100b\n"
41486 -+ " .long 28b,100b\n"
41487 -+ " .long 29b,100b\n"
41488 -+ " .long 30b,100b\n"
41489 -+ " .long 31b,100b\n"
41490 -+ " .long 32b,100b\n"
41491 -+ " .long 33b,100b\n"
41492 -+ " .long 34b,100b\n"
41493 -+ " .long 35b,100b\n"
41494 -+ " .long 36b,100b\n"
41495 -+ " .long 37b,100b\n"
41496 -+ " .long 99b,101b\n"
41497 -+ ".previous"
41498 -+ : "=&c"(size), "=&D" (d0), "=&S" (d1)
41499 -+ : "1"(to), "2"(from), "0"(size), "r"(__USER_DS)
41500 -+ : "eax", "edx", "memory");
41501 -+ return size;
41502 -+}
41503 -+
41504 -+static unsigned long
41505 -+__generic_copy_from_user_intel(void *to, const void __user *from, unsigned long size)
41506 - {
41507 - int d0, d1;
41508 - __asm__ __volatile__(
41509 -+ " movw %w6, %%ds\n"
41510 - " .align 2,0x90\n"
41511 - "1: movl 32(%4), %%eax\n"
41512 - " cmpl $67, %0\n"
41513 -@@ -238,36 +362,36 @@ __copy_user_intel(void __user *to, const
41514 - " .align 2,0x90\n"
41515 - "3: movl 0(%4), %%eax\n"
41516 - "4: movl 4(%4), %%edx\n"
41517 -- "5: movl %%eax, 0(%3)\n"
41518 -- "6: movl %%edx, 4(%3)\n"
41519 -+ "5: movl %%eax, %%es:0(%3)\n"
41520 -+ "6: movl %%edx, %%es:4(%3)\n"
41521 - "7: movl 8(%4), %%eax\n"
41522 - "8: movl 12(%4),%%edx\n"
41523 -- "9: movl %%eax, 8(%3)\n"
41524 -- "10: movl %%edx, 12(%3)\n"
41525 -+ "9: movl %%eax, %%es:8(%3)\n"
41526 -+ "10: movl %%edx, %%es:12(%3)\n"
41527 - "11: movl 16(%4), %%eax\n"
41528 - "12: movl 20(%4), %%edx\n"
41529 -- "13: movl %%eax, 16(%3)\n"
41530 -- "14: movl %%edx, 20(%3)\n"
41531 -+ "13: movl %%eax, %%es:16(%3)\n"
41532 -+ "14: movl %%edx, %%es:20(%3)\n"
41533 - "15: movl 24(%4), %%eax\n"
41534 - "16: movl 28(%4), %%edx\n"
41535 -- "17: movl %%eax, 24(%3)\n"
41536 -- "18: movl %%edx, 28(%3)\n"
41537 -+ "17: movl %%eax, %%es:24(%3)\n"
41538 -+ "18: movl %%edx, %%es:28(%3)\n"
41539 - "19: movl 32(%4), %%eax\n"
41540 - "20: movl 36(%4), %%edx\n"
41541 -- "21: movl %%eax, 32(%3)\n"
41542 -- "22: movl %%edx, 36(%3)\n"
41543 -+ "21: movl %%eax, %%es:32(%3)\n"
41544 -+ "22: movl %%edx, %%es:36(%3)\n"
41545 - "23: movl 40(%4), %%eax\n"
41546 - "24: movl 44(%4), %%edx\n"
41547 -- "25: movl %%eax, 40(%3)\n"
41548 -- "26: movl %%edx, 44(%3)\n"
41549 -+ "25: movl %%eax, %%es:40(%3)\n"
41550 -+ "26: movl %%edx, %%es:44(%3)\n"
41551 - "27: movl 48(%4), %%eax\n"
41552 - "28: movl 52(%4), %%edx\n"
41553 -- "29: movl %%eax, 48(%3)\n"
41554 -- "30: movl %%edx, 52(%3)\n"
41555 -+ "29: movl %%eax, %%es:48(%3)\n"
41556 -+ "30: movl %%edx, %%es:52(%3)\n"
41557 - "31: movl 56(%4), %%eax\n"
41558 - "32: movl 60(%4), %%edx\n"
41559 -- "33: movl %%eax, 56(%3)\n"
41560 -- "34: movl %%edx, 60(%3)\n"
41561 -+ "33: movl %%eax, %%es:56(%3)\n"
41562 -+ "34: movl %%edx, %%es:60(%3)\n"
41563 - " addl $-64, %0\n"
41564 - " addl $64, %4\n"
41565 - " addl $64, %3\n"
41566 -@@ -281,6 +405,8 @@ __copy_user_intel(void __user *to, const
41567 - "36: movl %%eax, %0\n"
41568 - "37: rep; movsb\n"
41569 - "100:\n"
41570 -+ " pushl %%ss\n"
41571 -+ " popl %%ds\n"
41572 - ".section .fixup,\"ax\"\n"
41573 - "101: lea 0(%%eax,%0,4),%0\n"
41574 - " jmp 100b\n"
41575 -@@ -327,7 +453,7 @@ __copy_user_intel(void __user *to, const
41576 - " .long 99b,101b\n"
41577 - ".previous"
41578 - : "=&c"(size), "=&D" (d0), "=&S" (d1)
41579 -- : "1"(to), "2"(from), "0"(size)
41580 -+ : "1"(to), "2"(from), "0"(size), "r"(__USER_DS)
41581 - : "eax", "edx", "memory");
41582 - return size;
41583 - }
41584 -@@ -337,6 +463,7 @@ __copy_user_zeroing_intel(void *to, cons
41585 - {
41586 - int d0, d1;
41587 - __asm__ __volatile__(
41588 -+ " movw %w6, %%ds\n"
41589 - " .align 2,0x90\n"
41590 - "0: movl 32(%4), %%eax\n"
41591 - " cmpl $67, %0\n"
41592 -@@ -345,36 +472,36 @@ __copy_user_zeroing_intel(void *to, cons
41593 - " .align 2,0x90\n"
41594 - "2: movl 0(%4), %%eax\n"
41595 - "21: movl 4(%4), %%edx\n"
41596 -- " movl %%eax, 0(%3)\n"
41597 -- " movl %%edx, 4(%3)\n"
41598 -+ " movl %%eax, %%es:0(%3)\n"
41599 -+ " movl %%edx, %%es:4(%3)\n"
41600 - "3: movl 8(%4), %%eax\n"
41601 - "31: movl 12(%4),%%edx\n"
41602 -- " movl %%eax, 8(%3)\n"
41603 -- " movl %%edx, 12(%3)\n"
41604 -+ " movl %%eax, %%es:8(%3)\n"
41605 -+ " movl %%edx, %%es:12(%3)\n"
41606 - "4: movl 16(%4), %%eax\n"
41607 - "41: movl 20(%4), %%edx\n"
41608 -- " movl %%eax, 16(%3)\n"
41609 -- " movl %%edx, 20(%3)\n"
41610 -+ " movl %%eax, %%es:16(%3)\n"
41611 -+ " movl %%edx, %%es:20(%3)\n"
41612 - "10: movl 24(%4), %%eax\n"
41613 - "51: movl 28(%4), %%edx\n"
41614 -- " movl %%eax, 24(%3)\n"
41615 -- " movl %%edx, 28(%3)\n"
41616 -+ " movl %%eax, %%es:24(%3)\n"
41617 -+ " movl %%edx, %%es:28(%3)\n"
41618 - "11: movl 32(%4), %%eax\n"
41619 - "61: movl 36(%4), %%edx\n"
41620 -- " movl %%eax, 32(%3)\n"
41621 -- " movl %%edx, 36(%3)\n"
41622 -+ " movl %%eax, %%es:32(%3)\n"
41623 -+ " movl %%edx, %%es:36(%3)\n"
41624 - "12: movl 40(%4), %%eax\n"
41625 - "71: movl 44(%4), %%edx\n"
41626 -- " movl %%eax, 40(%3)\n"
41627 -- " movl %%edx, 44(%3)\n"
41628 -+ " movl %%eax, %%es:40(%3)\n"
41629 -+ " movl %%edx, %%es:44(%3)\n"
41630 - "13: movl 48(%4), %%eax\n"
41631 - "81: movl 52(%4), %%edx\n"
41632 -- " movl %%eax, 48(%3)\n"
41633 -- " movl %%edx, 52(%3)\n"
41634 -+ " movl %%eax, %%es:48(%3)\n"
41635 -+ " movl %%edx, %%es:52(%3)\n"
41636 - "14: movl 56(%4), %%eax\n"
41637 - "91: movl 60(%4), %%edx\n"
41638 -- " movl %%eax, 56(%3)\n"
41639 -- " movl %%edx, 60(%3)\n"
41640 -+ " movl %%eax, %%es:56(%3)\n"
41641 -+ " movl %%edx, %%es:60(%3)\n"
41642 - " addl $-64, %0\n"
41643 - " addl $64, %4\n"
41644 - " addl $64, %3\n"
41645 -@@ -388,6 +515,8 @@ __copy_user_zeroing_intel(void *to, cons
41646 - " movl %%eax,%0\n"
41647 - "7: rep; movsb\n"
41648 - "8:\n"
41649 -+ " pushl %%ss\n"
41650 -+ " popl %%ds\n"
41651 - ".section .fixup,\"ax\"\n"
41652 - "9: lea 0(%%eax,%0,4),%0\n"
41653 - "16: pushl %0\n"
41654 -@@ -422,7 +551,7 @@ __copy_user_zeroing_intel(void *to, cons
41655 - " .long 7b,16b\n"
41656 - ".previous"
41657 - : "=&c"(size), "=&D" (d0), "=&S" (d1)
41658 -- : "1"(to), "2"(from), "0"(size)
41659 -+ : "1"(to), "2"(from), "0"(size), "r"(__USER_DS)
41660 - : "eax", "edx", "memory");
41661 - return size;
41662 - }
41663 -@@ -438,6 +567,7 @@ static unsigned long __copy_user_zeroing
41664 - int d0, d1;
41665 -
41666 - __asm__ __volatile__(
41667 -+ " movw %w6, %%ds\n"
41668 - " .align 2,0x90\n"
41669 - "0: movl 32(%4), %%eax\n"
41670 - " cmpl $67, %0\n"
41671 -@@ -446,36 +576,36 @@ static unsigned long __copy_user_zeroing
41672 - " .align 2,0x90\n"
41673 - "2: movl 0(%4), %%eax\n"
41674 - "21: movl 4(%4), %%edx\n"
41675 -- " movnti %%eax, 0(%3)\n"
41676 -- " movnti %%edx, 4(%3)\n"
41677 -+ " movnti %%eax, %%es:0(%3)\n"
41678 -+ " movnti %%edx, %%es:4(%3)\n"
41679 - "3: movl 8(%4), %%eax\n"
41680 - "31: movl 12(%4),%%edx\n"
41681 -- " movnti %%eax, 8(%3)\n"
41682 -- " movnti %%edx, 12(%3)\n"
41683 -+ " movnti %%eax, %%es:8(%3)\n"
41684 -+ " movnti %%edx, %%es:12(%3)\n"
41685 - "4: movl 16(%4), %%eax\n"
41686 - "41: movl 20(%4), %%edx\n"
41687 -- " movnti %%eax, 16(%3)\n"
41688 -- " movnti %%edx, 20(%3)\n"
41689 -+ " movnti %%eax, %%es:16(%3)\n"
41690 -+ " movnti %%edx, %%es:20(%3)\n"
41691 - "10: movl 24(%4), %%eax\n"
41692 - "51: movl 28(%4), %%edx\n"
41693 -- " movnti %%eax, 24(%3)\n"
41694 -- " movnti %%edx, 28(%3)\n"
41695 -+ " movnti %%eax, %%es:24(%3)\n"
41696 -+ " movnti %%edx, %%es:28(%3)\n"
41697 - "11: movl 32(%4), %%eax\n"
41698 - "61: movl 36(%4), %%edx\n"
41699 -- " movnti %%eax, 32(%3)\n"
41700 -- " movnti %%edx, 36(%3)\n"
41701 -+ " movnti %%eax, %%es:32(%3)\n"
41702 -+ " movnti %%edx, %%es:36(%3)\n"
41703 - "12: movl 40(%4), %%eax\n"
41704 - "71: movl 44(%4), %%edx\n"
41705 -- " movnti %%eax, 40(%3)\n"
41706 -- " movnti %%edx, 44(%3)\n"
41707 -+ " movnti %%eax, %%es:40(%3)\n"
41708 -+ " movnti %%edx, %%es:44(%3)\n"
41709 - "13: movl 48(%4), %%eax\n"
41710 - "81: movl 52(%4), %%edx\n"
41711 -- " movnti %%eax, 48(%3)\n"
41712 -- " movnti %%edx, 52(%3)\n"
41713 -+ " movnti %%eax, %%es:48(%3)\n"
41714 -+ " movnti %%edx, %%es:52(%3)\n"
41715 - "14: movl 56(%4), %%eax\n"
41716 - "91: movl 60(%4), %%edx\n"
41717 -- " movnti %%eax, 56(%3)\n"
41718 -- " movnti %%edx, 60(%3)\n"
41719 -+ " movnti %%eax, %%es:56(%3)\n"
41720 -+ " movnti %%edx, %%es:60(%3)\n"
41721 - " addl $-64, %0\n"
41722 - " addl $64, %4\n"
41723 - " addl $64, %3\n"
41724 -@@ -490,6 +620,8 @@ static unsigned long __copy_user_zeroing
41725 - " movl %%eax,%0\n"
41726 - "7: rep; movsb\n"
41727 - "8:\n"
41728 -+ " pushl %%ss\n"
41729 -+ " popl %%ds\n"
41730 - ".section .fixup,\"ax\"\n"
41731 - "9: lea 0(%%eax,%0,4),%0\n"
41732 - "16: pushl %0\n"
41733 -@@ -524,7 +656,7 @@ static unsigned long __copy_user_zeroing
41734 - " .long 7b,16b\n"
41735 - ".previous"
41736 - : "=&c"(size), "=&D" (d0), "=&S" (d1)
41737 -- : "1"(to), "2"(from), "0"(size)
41738 -+ : "1"(to), "2"(from), "0"(size), "r"(__USER_DS)
41739 - : "eax", "edx", "memory");
41740 - return size;
41741 - }
41742 -@@ -535,6 +667,7 @@ static unsigned long __copy_user_intel_n
41743 - int d0, d1;
41744 -
41745 - __asm__ __volatile__(
41746 -+ " movw %w6, %%ds\n"
41747 - " .align 2,0x90\n"
41748 - "0: movl 32(%4), %%eax\n"
41749 - " cmpl $67, %0\n"
41750 -@@ -543,36 +676,36 @@ static unsigned long __copy_user_intel_n
41751 - " .align 2,0x90\n"
41752 - "2: movl 0(%4), %%eax\n"
41753 - "21: movl 4(%4), %%edx\n"
41754 -- " movnti %%eax, 0(%3)\n"
41755 -- " movnti %%edx, 4(%3)\n"
41756 -+ " movnti %%eax, %%es:0(%3)\n"
41757 -+ " movnti %%edx, %%es:4(%3)\n"
41758 - "3: movl 8(%4), %%eax\n"
41759 - "31: movl 12(%4),%%edx\n"
41760 -- " movnti %%eax, 8(%3)\n"
41761 -- " movnti %%edx, 12(%3)\n"
41762 -+ " movnti %%eax, %%es:8(%3)\n"
41763 -+ " movnti %%edx, %%es:12(%3)\n"
41764 - "4: movl 16(%4), %%eax\n"
41765 - "41: movl 20(%4), %%edx\n"
41766 -- " movnti %%eax, 16(%3)\n"
41767 -- " movnti %%edx, 20(%3)\n"
41768 -+ " movnti %%eax, %%es:16(%3)\n"
41769 -+ " movnti %%edx, %%es:20(%3)\n"
41770 - "10: movl 24(%4), %%eax\n"
41771 - "51: movl 28(%4), %%edx\n"
41772 -- " movnti %%eax, 24(%3)\n"
41773 -- " movnti %%edx, 28(%3)\n"
41774 -+ " movnti %%eax, %%es:24(%3)\n"
41775 -+ " movnti %%edx, %%es:28(%3)\n"
41776 - "11: movl 32(%4), %%eax\n"
41777 - "61: movl 36(%4), %%edx\n"
41778 -- " movnti %%eax, 32(%3)\n"
41779 -- " movnti %%edx, 36(%3)\n"
41780 -+ " movnti %%eax, %%es:32(%3)\n"
41781 -+ " movnti %%edx, %%es:36(%3)\n"
41782 - "12: movl 40(%4), %%eax\n"
41783 - "71: movl 44(%4), %%edx\n"
41784 -- " movnti %%eax, 40(%3)\n"
41785 -- " movnti %%edx, 44(%3)\n"
41786 -+ " movnti %%eax, %%es:40(%3)\n"
41787 -+ " movnti %%edx, %%es:44(%3)\n"
41788 - "13: movl 48(%4), %%eax\n"
41789 - "81: movl 52(%4), %%edx\n"
41790 -- " movnti %%eax, 48(%3)\n"
41791 -- " movnti %%edx, 52(%3)\n"
41792 -+ " movnti %%eax, %%es:48(%3)\n"
41793 -+ " movnti %%edx, %%es:52(%3)\n"
41794 - "14: movl 56(%4), %%eax\n"
41795 - "91: movl 60(%4), %%edx\n"
41796 -- " movnti %%eax, 56(%3)\n"
41797 -- " movnti %%edx, 60(%3)\n"
41798 -+ " movnti %%eax, %%es:56(%3)\n"
41799 -+ " movnti %%edx, %%es:60(%3)\n"
41800 - " addl $-64, %0\n"
41801 - " addl $64, %4\n"
41802 - " addl $64, %3\n"
41803 -@@ -587,6 +720,8 @@ static unsigned long __copy_user_intel_n
41804 - " movl %%eax,%0\n"
41805 - "7: rep; movsb\n"
41806 - "8:\n"
41807 -+ " pushl %%ss\n"
41808 -+ " popl %%ds\n"
41809 - ".section .fixup,\"ax\"\n"
41810 - "9: lea 0(%%eax,%0,4),%0\n"
41811 - "16: jmp 8b\n"
41812 -@@ -615,7 +750,7 @@ static unsigned long __copy_user_intel_n
41813 - " .long 7b,16b\n"
41814 - ".previous"
41815 - : "=&c"(size), "=&D" (d0), "=&S" (d1)
41816 -- : "1"(to), "2"(from), "0"(size)
41817 -+ : "1"(to), "2"(from), "0"(size), "r"(__USER_DS)
41818 - : "eax", "edx", "memory");
41819 - return size;
41820 - }
41821 -@@ -628,90 +763,146 @@ static unsigned long __copy_user_intel_n
41822 - */
41823 - unsigned long __copy_user_zeroing_intel(void *to, const void __user *from,
41824 - unsigned long size);
41825 --unsigned long __copy_user_intel(void __user *to, const void *from,
41826 -+unsigned long __generic_copy_to_user_intel(void __user *to, const void *from,
41827 -+ unsigned long size);
41828 -+unsigned long __generic_copy_from_user_intel(void *to, const void __user *from,
41829 - unsigned long size);
41830 - unsigned long __copy_user_zeroing_intel_nocache(void *to,
41831 - const void __user *from, unsigned long size);
41832 - #endif /* CONFIG_X86_INTEL_USERCOPY */
41833 -
41834 - /* Generic arbitrary sized copy. */
41835 --#define __copy_user(to,from,size) \
41836 --do { \
41837 -- int __d0, __d1, __d2; \
41838 -- __asm__ __volatile__( \
41839 -- " cmp $7,%0\n" \
41840 -- " jbe 1f\n" \
41841 -- " movl %1,%0\n" \
41842 -- " negl %0\n" \
41843 -- " andl $7,%0\n" \
41844 -- " subl %0,%3\n" \
41845 -- "4: rep; movsb\n" \
41846 -- " movl %3,%0\n" \
41847 -- " shrl $2,%0\n" \
41848 -- " andl $3,%3\n" \
41849 -- " .align 2,0x90\n" \
41850 -- "0: rep; movsl\n" \
41851 -- " movl %3,%0\n" \
41852 -- "1: rep; movsb\n" \
41853 -- "2:\n" \
41854 -- ".section .fixup,\"ax\"\n" \
41855 -- "5: addl %3,%0\n" \
41856 -- " jmp 2b\n" \
41857 -- "3: lea 0(%3,%0,4),%0\n" \
41858 -- " jmp 2b\n" \
41859 -- ".previous\n" \
41860 -- ".section __ex_table,\"a\"\n" \
41861 -- " .align 4\n" \
41862 -- " .long 4b,5b\n" \
41863 -- " .long 0b,3b\n" \
41864 -- " .long 1b,2b\n" \
41865 -- ".previous" \
41866 -- : "=&c"(size), "=&D" (__d0), "=&S" (__d1), "=r"(__d2) \
41867 -- : "3"(size), "0"(size), "1"(to), "2"(from) \
41868 -- : "memory"); \
41869 --} while (0)
41870 --
41871 --#define __copy_user_zeroing(to,from,size) \
41872 --do { \
41873 -- int __d0, __d1, __d2; \
41874 -- __asm__ __volatile__( \
41875 -- " cmp $7,%0\n" \
41876 -- " jbe 1f\n" \
41877 -- " movl %1,%0\n" \
41878 -- " negl %0\n" \
41879 -- " andl $7,%0\n" \
41880 -- " subl %0,%3\n" \
41881 -- "4: rep; movsb\n" \
41882 -- " movl %3,%0\n" \
41883 -- " shrl $2,%0\n" \
41884 -- " andl $3,%3\n" \
41885 -- " .align 2,0x90\n" \
41886 -- "0: rep; movsl\n" \
41887 -- " movl %3,%0\n" \
41888 -- "1: rep; movsb\n" \
41889 -- "2:\n" \
41890 -- ".section .fixup,\"ax\"\n" \
41891 -- "5: addl %3,%0\n" \
41892 -- " jmp 6f\n" \
41893 -- "3: lea 0(%3,%0,4),%0\n" \
41894 -- "6: pushl %0\n" \
41895 -- " pushl %%eax\n" \
41896 -- " xorl %%eax,%%eax\n" \
41897 -- " rep; stosb\n" \
41898 -- " popl %%eax\n" \
41899 -- " popl %0\n" \
41900 -- " jmp 2b\n" \
41901 -- ".previous\n" \
41902 -- ".section __ex_table,\"a\"\n" \
41903 -- " .align 4\n" \
41904 -- " .long 4b,5b\n" \
41905 -- " .long 0b,3b\n" \
41906 -- " .long 1b,6b\n" \
41907 -- ".previous" \
41908 -- : "=&c"(size), "=&D" (__d0), "=&S" (__d1), "=r"(__d2) \
41909 -- : "3"(size), "0"(size), "1"(to), "2"(from) \
41910 -- : "memory"); \
41911 --} while (0)
41912 -+static unsigned long
41913 -+__generic_copy_to_user(void __user *to, const void *from, unsigned long size)
41914 -+{
41915 -+ int __d0, __d1, __d2;
41916 -+
41917 -+ __asm__ __volatile__(
41918 -+ " movw %w8,%%es\n"
41919 -+ " cmp $7,%0\n"
41920 -+ " jbe 1f\n"
41921 -+ " movl %1,%0\n"
41922 -+ " negl %0\n"
41923 -+ " andl $7,%0\n"
41924 -+ " subl %0,%3\n"
41925 -+ "4: rep; movsb\n"
41926 -+ " movl %3,%0\n"
41927 -+ " shrl $2,%0\n"
41928 -+ " andl $3,%3\n"
41929 -+ " .align 2,0x90\n"
41930 -+ "0: rep; movsl\n"
41931 -+ " movl %3,%0\n"
41932 -+ "1: rep; movsb\n"
41933 -+ "2:\n"
41934 -+ " pushl %%ss\n"
41935 -+ " popl %%es\n"
41936 -+ ".section .fixup,\"ax\"\n"
41937 -+ "5: addl %3,%0\n"
41938 -+ " jmp 2b\n"
41939 -+ "3: lea 0(%3,%0,4),%0\n"
41940 -+ " jmp 2b\n"
41941 -+ ".previous\n"
41942 -+ ".section __ex_table,\"a\"\n"
41943 -+ " .align 4\n"
41944 -+ " .long 4b,5b\n"
41945 -+ " .long 0b,3b\n"
41946 -+ " .long 1b,2b\n"
41947 -+ ".previous"
41948 -+ : "=&c"(size), "=&D" (__d0), "=&S" (__d1), "=r"(__d2)
41949 -+ : "3"(size), "0"(size), "1"(to), "2"(from), "r"(__USER_DS)
41950 -+ : "memory");
41951 -+ return size;
41952 -+}
41953 -+
41954 -+static unsigned long
41955 -+__generic_copy_from_user(void *to, const void __user *from, unsigned long size)
41956 -+{
41957 -+ int __d0, __d1, __d2;
41958 -+
41959 -+ __asm__ __volatile__(
41960 -+ " movw %w8,%%ds\n"
41961 -+ " cmp $7,%0\n"
41962 -+ " jbe 1f\n"
41963 -+ " movl %1,%0\n"
41964 -+ " negl %0\n"
41965 -+ " andl $7,%0\n"
41966 -+ " subl %0,%3\n"
41967 -+ "4: rep; movsb\n"
41968 -+ " movl %3,%0\n"
41969 -+ " shrl $2,%0\n"
41970 -+ " andl $3,%3\n"
41971 -+ " .align 2,0x90\n"
41972 -+ "0: rep; movsl\n"
41973 -+ " movl %3,%0\n"
41974 -+ "1: rep; movsb\n"
41975 -+ "2:\n"
41976 -+ " pushl %%ss\n"
41977 -+ " popl %%ds\n"
41978 -+ ".section .fixup,\"ax\"\n"
41979 -+ "5: addl %3,%0\n"
41980 -+ " jmp 2b\n"
41981 -+ "3: lea 0(%3,%0,4),%0\n"
41982 -+ " jmp 2b\n"
41983 -+ ".previous\n"
41984 -+ ".section __ex_table,\"a\"\n"
41985 -+ " .align 4\n"
41986 -+ " .long 4b,5b\n"
41987 -+ " .long 0b,3b\n"
41988 -+ " .long 1b,2b\n"
41989 -+ ".previous"
41990 -+ : "=&c"(size), "=&D" (__d0), "=&S" (__d1), "=r"(__d2)
41991 -+ : "3"(size), "0"(size), "1"(to), "2"(from), "r"(__USER_DS)
41992 -+ : "memory");
41993 -+ return size;
41994 -+}
41995 -+
41996 -+static unsigned long
41997 -+__copy_user_zeroing(void *to, const void __user *from, unsigned long size)
41998 -+{
41999 -+ int __d0, __d1, __d2;
42000 -+
42001 -+ __asm__ __volatile__(
42002 -+ " movw %w8,%%ds\n"
42003 -+ " cmp $7,%0\n"
42004 -+ " jbe 1f\n"
42005 -+ " movl %1,%0\n"
42006 -+ " negl %0\n"
42007 -+ " andl $7,%0\n"
42008 -+ " subl %0,%3\n"
42009 -+ "4: rep; movsb\n"
42010 -+ " movl %3,%0\n"
42011 -+ " shrl $2,%0\n"
42012 -+ " andl $3,%3\n"
42013 -+ " .align 2,0x90\n"
42014 -+ "0: rep; movsl\n"
42015 -+ " movl %3,%0\n"
42016 -+ "1: rep; movsb\n"
42017 -+ "2:\n"
42018 -+ " pushl %%ss\n"
42019 -+ " popl %%ds\n"
42020 -+ ".section .fixup,\"ax\"\n"
42021 -+ "5: addl %3,%0\n"
42022 -+ " jmp 6f\n"
42023 -+ "3: lea 0(%3,%0,4),%0\n"
42024 -+ "6: pushl %0\n"
42025 -+ " pushl %%eax\n"
42026 -+ " xorl %%eax,%%eax\n"
42027 -+ " rep; stosb\n"
42028 -+ " popl %%eax\n"
42029 -+ " popl %0\n"
42030 -+ " jmp 2b\n"
42031 -+ ".previous\n"
42032 -+ ".section __ex_table,\"a\"\n"
42033 -+ " .align 4\n"
42034 -+ " .long 4b,5b\n"
42035 -+ " .long 0b,3b\n"
42036 -+ " .long 1b,6b\n"
42037 -+ ".previous"
42038 -+ : "=&c"(size), "=&D" (__d0), "=&S" (__d1), "=r"(__d2)
42039 -+ : "3"(size), "0"(size), "1"(to), "2"(from), "r"(__USER_DS)
42040 -+ : "memory");
42041 -+ return size;
42042 -+}
42043 -
42044 - unsigned long __copy_to_user_ll(void __user *to, const void *from,
42045 - unsigned long n)
42046 -@@ -774,9 +965,9 @@ survive:
42047 - }
42048 - #endif
42049 - if (movsl_is_ok(to, from, n))
42050 -- __copy_user(to, from, n);
42051 -+ n = __generic_copy_to_user(to, from, n);
42052 - else
42053 -- n = __copy_user_intel(to, from, n);
42054 -+ n = __generic_copy_to_user_intel(to, from, n);
42055 - return n;
42056 - }
42057 - EXPORT_SYMBOL(__copy_to_user_ll);
42058 -@@ -785,7 +976,7 @@ unsigned long __copy_from_user_ll(void *
42059 - unsigned long n)
42060 - {
42061 - if (movsl_is_ok(to, from, n))
42062 -- __copy_user_zeroing(to, from, n);
42063 -+ n = __copy_user_zeroing(to, from, n);
42064 - else
42065 - n = __copy_user_zeroing_intel(to, from, n);
42066 - return n;
42067 -@@ -796,9 +987,9 @@ unsigned long __copy_from_user_ll_nozero
42068 - unsigned long n)
42069 - {
42070 - if (movsl_is_ok(to, from, n))
42071 -- __copy_user(to, from, n);
42072 -+ n = __generic_copy_from_user(to, from, n);
42073 - else
42074 -- n = __copy_user_intel((void __user *)to,
42075 -+ n = __generic_copy_from_user_intel((void __user *)to,
42076 - (const void *)from, n);
42077 - return n;
42078 - }
42079 -@@ -809,11 +1000,11 @@ unsigned long __copy_from_user_ll_nocach
42080 - {
42081 - #ifdef CONFIG_X86_INTEL_USERCOPY
42082 - if ( n > 64 && cpu_has_xmm2)
42083 -- n = __copy_user_zeroing_intel_nocache(to, from, n);
42084 -+ n = __copy_user_zeroing_intel_nocache(to, from, n);
42085 - else
42086 -- __copy_user_zeroing(to, from, n);
42087 -+ n = __copy_user_zeroing(to, from, n);
42088 - #else
42089 -- __copy_user_zeroing(to, from, n);
42090 -+ n = __copy_user_zeroing(to, from, n);
42091 - #endif
42092 - return n;
42093 - }
42094 -@@ -823,11 +1014,11 @@ unsigned long __copy_from_user_ll_nocach
42095 - {
42096 - #ifdef CONFIG_X86_INTEL_USERCOPY
42097 - if ( n > 64 && cpu_has_xmm2)
42098 -- n = __copy_user_intel_nocache(to, from, n);
42099 -+ n = __copy_user_intel_nocache(to, from, n);
42100 - else
42101 -- __copy_user(to, from, n);
42102 -+ n = __generic_copy_from_user(to, from, n);
42103 - #else
42104 -- __copy_user(to, from, n);
42105 -+ n = __generic_copy_from_user(to, from, n);
42106 - #endif
42107 - return n;
42108 - }
42109 -@@ -880,3 +1071,30 @@ copy_from_user(void *to, const void __us
42110 - return n;
42111 - }
42112 - EXPORT_SYMBOL(copy_from_user);
42113 -+
42114 -+#ifdef CONFIG_PAX_MEMORY_UDEREF
42115 -+void __set_fs(mm_segment_t x, int cpu)
42116 -+{
42117 -+ unsigned long limit = x.seg;
42118 -+ __u32 a, b;
42119 -+
42120 -+ current_thread_info()->addr_limit = x;
42121 -+ if (likely(limit))
42122 -+ limit = (limit - 1UL) >> PAGE_SHIFT;
42123 -+ pack_descriptor(&a, &b, 0UL, limit, 0xF3, 0xC);
42124 -+ write_gdt_entry(get_cpu_gdt_table(cpu), GDT_ENTRY_DEFAULT_USER_DS, a, b);
42125 -+}
42126 -+
42127 -+void set_fs(mm_segment_t x)
42128 -+{
42129 -+ __set_fs(x, get_cpu());
42130 -+ put_cpu_no_resched();
42131 -+}
42132 -+#else
42133 -+void set_fs(mm_segment_t x)
42134 -+{
42135 -+ current_thread_info()->addr_limit = x;
42136 -+}
42137 -+#endif
42138 -+
42139 -+EXPORT_SYMBOL(set_fs);
42140 -diff -Nurp linux-2.6.23.15/arch/i386/mach-default/setup.c linux-2.6.23.15-grsec/arch/i386/mach-default/setup.c
42141 ---- linux-2.6.23.15/arch/i386/mach-default/setup.c 2007-10-09 21:31:38.000000000 +0100
42142 -+++ linux-2.6.23.15-grsec/arch/i386/mach-default/setup.c 2008-02-11 10:37:44.000000000 +0000
42143 -@@ -35,7 +35,7 @@ void __init pre_intr_init_hook(void)
42144 - /*
42145 - * IRQ2 is cascade interrupt to second interrupt controller
42146 - */
42147 --static struct irqaction irq2 = { no_action, 0, CPU_MASK_NONE, "cascade", NULL, NULL};
42148 -+static struct irqaction irq2 = { no_action, 0, CPU_MASK_NONE, "cascade", NULL, NULL, 0, NULL};
42149 -
42150 - /**
42151 - * intr_init_hook - post gate setup interrupt initialisation
42152 -diff -Nurp linux-2.6.23.15/arch/i386/mach-voyager/voyager_basic.c linux-2.6.23.15-grsec/arch/i386/mach-voyager/voyager_basic.c
42153 ---- linux-2.6.23.15/arch/i386/mach-voyager/voyager_basic.c 2007-10-09 21:31:38.000000000 +0100
42154 -+++ linux-2.6.23.15-grsec/arch/i386/mach-voyager/voyager_basic.c 2008-02-11 10:37:44.000000000 +0000
42155 -@@ -130,7 +130,7 @@ voyager_memory_detect(int region, __u32
42156 - __u8 cmos[4];
42157 - ClickMap_t *map;
42158 - unsigned long map_addr;
42159 -- unsigned long old;
42160 -+ pte_t old;
42161 -
42162 - if(region >= CLICK_ENTRIES) {
42163 - printk("Voyager: Illegal ClickMap region %d\n", region);
42164 -@@ -144,7 +144,7 @@ voyager_memory_detect(int region, __u32
42165 -
42166 - /* steal page 0 for this */
42167 - old = pg0[0];
42168 -- pg0[0] = ((map_addr & PAGE_MASK) | _PAGE_RW | _PAGE_PRESENT);
42169 -+ pg0[0] = __pte((map_addr & PAGE_MASK) | _PAGE_RW | _PAGE_PRESENT);
42170 - local_flush_tlb();
42171 - /* now clear everything out but page 0 */
42172 - map = (ClickMap_t *)(map_addr & (~PAGE_MASK));
42173 -diff -Nurp linux-2.6.23.15/arch/i386/mach-voyager/voyager_smp.c linux-2.6.23.15-grsec/arch/i386/mach-voyager/voyager_smp.c
42174 ---- linux-2.6.23.15/arch/i386/mach-voyager/voyager_smp.c 2007-10-09 21:31:38.000000000 +0100
42175 -+++ linux-2.6.23.15-grsec/arch/i386/mach-voyager/voyager_smp.c 2008-02-11 10:37:44.000000000 +0000
42176 -@@ -554,6 +554,10 @@ do_boot_cpu(__u8 cpu)
42177 - __u32 *hijack_vector;
42178 - __u32 start_phys_address = setup_trampoline();
42179 -
42180 -+#ifdef CONFIG_PAX_KERNEXEC
42181 -+ unsigned long cr0;
42182 -+#endif
42183 -+
42184 - /* There's a clever trick to this: The linux trampoline is
42185 - * compiled to begin at absolute location zero, so make the
42186 - * address zero but have the data segment selector compensate
42187 -@@ -573,7 +577,17 @@ do_boot_cpu(__u8 cpu)
42188 -
42189 - init_gdt(cpu);
42190 - per_cpu(current_task, cpu) = idle;
42191 -- early_gdt_descr.address = (unsigned long)get_cpu_gdt_table(cpu);
42192 -+
42193 -+#ifdef CONFIG_PAX_KERNEXEC
42194 -+ pax_open_kernel(cr0);
42195 -+#endif
42196 -+
42197 -+ early_gdt_descr.address = get_cpu_gdt_table(cpu);
42198 -+
42199 -+#ifdef CONFIG_PAX_KERNEXEC
42200 -+ pax_close_kernel(cr0);
42201 -+#endif
42202 -+
42203 - irq_ctx_init(cpu);
42204 -
42205 - /* Note: Don't modify initial ss override */
42206 -@@ -1276,7 +1290,7 @@ smp_local_timer_interrupt(void)
42207 - per_cpu(prof_counter, cpu);
42208 - }
42209 -
42210 -- update_process_times(user_mode_vm(get_irq_regs()));
42211 -+ update_process_times(user_mode(get_irq_regs()));
42212 - }
42213 -
42214 - if( ((1<<cpu) & voyager_extended_vic_processors) == 0)
42215 -diff -Nurp linux-2.6.23.15/arch/i386/mm/boot_ioremap.c linux-2.6.23.15-grsec/arch/i386/mm/boot_ioremap.c
42216 ---- linux-2.6.23.15/arch/i386/mm/boot_ioremap.c 2007-10-09 21:31:38.000000000 +0100
42217 -+++ linux-2.6.23.15-grsec/arch/i386/mm/boot_ioremap.c 2008-02-11 10:37:44.000000000 +0000
42218 -@@ -7,57 +7,37 @@
42219 - * Written by Dave Hansen <haveblue@××××××.com>
42220 - */
42221 -
42222 --
42223 --/*
42224 -- * We need to use the 2-level pagetable functions, but CONFIG_X86_PAE
42225 -- * keeps that from happenning. If anyone has a better way, I'm listening.
42226 -- *
42227 -- * boot_pte_t is defined only if this all works correctly
42228 -- */
42229 --
42230 --#undef CONFIG_X86_PAE
42231 - #undef CONFIG_PARAVIRT
42232 - #include <asm/page.h>
42233 - #include <asm/pgtable.h>
42234 - #include <asm/tlbflush.h>
42235 - #include <linux/init.h>
42236 - #include <linux/stddef.h>
42237 --
42238 --/*
42239 -- * I'm cheating here. It is known that the two boot PTE pages are
42240 -- * allocated next to each other. I'm pretending that they're just
42241 -- * one big array.
42242 -- */
42243 --
42244 --#define BOOT_PTE_PTRS (PTRS_PER_PTE*2)
42245 --
42246 --static unsigned long boot_pte_index(unsigned long vaddr)
42247 --{
42248 -- return __pa(vaddr) >> PAGE_SHIFT;
42249 --}
42250 --
42251 --static inline boot_pte_t* boot_vaddr_to_pte(void *address)
42252 --{
42253 -- boot_pte_t* boot_pg = (boot_pte_t*)pg0;
42254 -- return &boot_pg[boot_pte_index((unsigned long)address)];
42255 --}
42256 -+#include <linux/sched.h>
42257 -
42258 - /*
42259 - * This is only for a caller who is clever enough to page-align
42260 - * phys_addr and virtual_source, and who also has a preference
42261 - * about which virtual address from which to steal ptes
42262 - */
42263 --static void __boot_ioremap(unsigned long phys_addr, unsigned long nrpages,
42264 -- void* virtual_source)
42265 -+static void __init __boot_ioremap(unsigned long phys_addr, unsigned long nrpages,
42266 -+ char* virtual_source)
42267 - {
42268 -- boot_pte_t* pte;
42269 -- int i;
42270 -- char *vaddr = virtual_source;
42271 -+ pgd_t *pgd;
42272 -+ pud_t *pud;
42273 -+ pmd_t *pmd;
42274 -+ pte_t* pte;
42275 -+ unsigned int i;
42276 -+ unsigned long vaddr = (unsigned long)virtual_source;
42277 -+
42278 -+ pgd = pgd_offset_k(vaddr);
42279 -+ pud = pud_offset(pgd, vaddr);
42280 -+ pmd = pmd_offset(pud, vaddr);
42281 -+ pte = pte_offset_kernel(pmd, vaddr);
42282 -
42283 -- pte = boot_vaddr_to_pte(virtual_source);
42284 - for (i=0; i < nrpages; i++, phys_addr += PAGE_SIZE, pte++) {
42285 - set_pte(pte, pfn_pte(phys_addr>>PAGE_SHIFT, PAGE_KERNEL));
42286 -- __flush_tlb_one(&vaddr[i*PAGE_SIZE]);
42287 -+ __flush_tlb_one(&virtual_source[i*PAGE_SIZE]);
42288 - }
42289 - }
42290 -
42291 -diff -Nurp linux-2.6.23.15/arch/i386/mm/extable.c linux-2.6.23.15-grsec/arch/i386/mm/extable.c
42292 ---- linux-2.6.23.15/arch/i386/mm/extable.c 2007-10-09 21:31:38.000000000 +0100
42293 -+++ linux-2.6.23.15-grsec/arch/i386/mm/extable.c 2008-02-11 10:37:44.000000000 +0000
42294 -@@ -4,14 +4,63 @@
42295 -
42296 - #include <linux/module.h>
42297 - #include <linux/spinlock.h>
42298 -+#include <linux/sort.h>
42299 - #include <asm/uaccess.h>
42300 -
42301 -+/*
42302 -+ * The exception table needs to be sorted so that the binary
42303 -+ * search that we use to find entries in it works properly.
42304 -+ * This is used both for the kernel exception table and for
42305 -+ * the exception tables of modules that get loaded.
42306 -+ */
42307 -+static int cmp_ex(const void *a, const void *b)
42308 -+{
42309 -+ const struct exception_table_entry *x = a, *y = b;
42310 -+
42311 -+ /* avoid overflow */
42312 -+ if (x->insn > y->insn)
42313 -+ return 1;
42314 -+ if (x->insn < y->insn)
42315 -+ return -1;
42316 -+ return 0;
42317 -+}
42318 -+
42319 -+static void swap_ex(void *a, void *b, int size)
42320 -+{
42321 -+ struct exception_table_entry t, *x = a, *y = b;
42322 -+
42323 -+#ifdef CONFIG_PAX_KERNEXEC
42324 -+ unsigned long cr0;
42325 -+#endif
42326 -+
42327 -+ t = *x;
42328 -+
42329 -+#ifdef CONFIG_PAX_KERNEXEC
42330 -+ pax_open_kernel(cr0);
42331 -+#endif
42332 -+
42333 -+ *x = *y;
42334 -+ *y = t;
42335 -+
42336 -+#ifdef CONFIG_PAX_KERNEXEC
42337 -+ pax_close_kernel(cr0);
42338 -+#endif
42339 -+
42340 -+}
42341 -+
42342 -+void sort_extable(struct exception_table_entry *start,
42343 -+ struct exception_table_entry *finish)
42344 -+{
42345 -+ sort(start, finish - start, sizeof(struct exception_table_entry),
42346 -+ cmp_ex, swap_ex);
42347 -+}
42348 -+
42349 - int fixup_exception(struct pt_regs *regs)
42350 - {
42351 - const struct exception_table_entry *fixup;
42352 -
42353 - #ifdef CONFIG_PNPBIOS
42354 -- if (unlikely(SEGMENT_IS_PNP_CODE(regs->xcs)))
42355 -+ if (unlikely(!(regs->eflags & VM_MASK) && SEGMENT_IS_PNP_CODE(regs->xcs)))
42356 - {
42357 - extern u32 pnp_bios_fault_eip, pnp_bios_fault_esp;
42358 - extern u32 pnp_bios_is_utter_crap;
42359 -diff -Nurp linux-2.6.23.15/arch/i386/mm/fault.c linux-2.6.23.15-grsec/arch/i386/mm/fault.c
42360 ---- linux-2.6.23.15/arch/i386/mm/fault.c 2007-10-09 21:31:38.000000000 +0100
42361 -+++ linux-2.6.23.15-grsec/arch/i386/mm/fault.c 2008-02-11 10:37:44.000000000 +0000
42362 -@@ -25,10 +25,14 @@
42363 - #include <linux/kprobes.h>
42364 - #include <linux/uaccess.h>
42365 - #include <linux/kdebug.h>
42366 -+#include <linux/unistd.h>
42367 -+#include <linux/compiler.h>
42368 -+#include <linux/binfmts.h>
42369 -
42370 - #include <asm/system.h>
42371 - #include <asm/desc.h>
42372 - #include <asm/segment.h>
42373 -+#include <asm/tlbflush.h>
42374 -
42375 - extern void die(const char *,struct pt_regs *,long);
42376 -
42377 -@@ -79,7 +83,8 @@ static inline unsigned long get_segment_
42378 - {
42379 - unsigned long eip = regs->eip;
42380 - unsigned seg = regs->xcs & 0xffff;
42381 -- u32 seg_ar, seg_limit, base, *desc;
42382 -+ u32 seg_ar, seg_limit, base;
42383 -+ struct desc_struct *desc;
42384 -
42385 - /* Unlikely, but must come before segment checks. */
42386 - if (unlikely(regs->eflags & VM_MASK)) {
42387 -@@ -93,7 +98,7 @@ static inline unsigned long get_segment_
42388 -
42389 - /* By far the most common cases. */
42390 - if (likely(SEGMENT_IS_FLAT_CODE(seg)))
42391 -- return eip;
42392 -+ return eip + (seg == __KERNEL_CS ? __KERNEL_TEXT_OFFSET : 0);
42393 -
42394 - /* Check the segment exists, is within the current LDT/GDT size,
42395 - that kernel/user (ring 0..3) has the appropriate privilege,
42396 -@@ -111,16 +116,19 @@ static inline unsigned long get_segment_
42397 - if (seg & (1<<2)) {
42398 - /* Must lock the LDT while reading it. */
42399 - down(&current->mm->context.sem);
42400 -- desc = current->mm->context.ldt;
42401 -- desc = (void *)desc + (seg & ~7);
42402 -+ if ((seg >> 3) >= current->mm->context.size) {
42403 -+ up(&current->mm->context.sem);
42404 -+ *eip_limit = 0;
42405 -+ return 1; /* So that returned eip > *eip_limit. */
42406 -+ }
42407 -+ desc = &current->mm->context.ldt[seg >> 3];
42408 - } else {
42409 - /* Must disable preemption while reading the GDT. */
42410 -- desc = (u32 *)get_cpu_gdt_table(get_cpu());
42411 -- desc = (void *)desc + (seg & ~7);
42412 -+ desc = &get_cpu_gdt_table(get_cpu())[seg >> 3];
42413 - }
42414 -
42415 - /* Decode the code segment base from the descriptor */
42416 -- base = get_desc_base((unsigned long *)desc);
42417 -+ base = get_desc_base(desc);
42418 -
42419 - if (seg & (1<<2)) {
42420 - up(&current->mm->context.sem);
42421 -@@ -221,6 +229,30 @@ static noinline void force_sig_info_faul
42422 -
42423 - fastcall void do_invalid_op(struct pt_regs *, unsigned long);
42424 -
42425 -+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
42426 -+static int pax_handle_fetch_fault(struct pt_regs *regs);
42427 -+#endif
42428 -+
42429 -+#ifdef CONFIG_PAX_PAGEEXEC
42430 -+static inline pmd_t * pax_get_pmd(struct mm_struct *mm, unsigned long address)
42431 -+{
42432 -+ pgd_t *pgd;
42433 -+ pud_t *pud;
42434 -+ pmd_t *pmd;
42435 -+
42436 -+ pgd = pgd_offset(mm, address);
42437 -+ if (!pgd_present(*pgd))
42438 -+ return NULL;
42439 -+ pud = pud_offset(pgd, address);
42440 -+ if (!pud_present(*pud))
42441 -+ return NULL;
42442 -+ pmd = pmd_offset(pud, address);
42443 -+ if (!pmd_present(*pmd))
42444 -+ return NULL;
42445 -+ return pmd;
42446 -+}
42447 -+#endif
42448 -+
42449 - static inline pmd_t *vmalloc_sync_one(pgd_t *pgd, unsigned long address)
42450 - {
42451 - unsigned index = pgd_index(address);
42452 -@@ -304,14 +336,21 @@ fastcall void __kprobes do_page_fault(st
42453 - struct task_struct *tsk;
42454 - struct mm_struct *mm;
42455 - struct vm_area_struct * vma;
42456 -- unsigned long address;
42457 - int write, si_code;
42458 - int fault;
42459 -+ pte_t *pte;
42460 -+
42461 -+#ifdef CONFIG_PAX_PAGEEXEC
42462 -+ pmd_t *pmd;
42463 -+ spinlock_t *ptl;
42464 -+ unsigned char pte_mask;
42465 -+#endif
42466 -
42467 - /* get the address */
42468 -- address = read_cr2();
42469 -+ const unsigned long address = read_cr2();
42470 -
42471 - tsk = current;
42472 -+ mm = tsk->mm;
42473 -
42474 - si_code = SEGV_MAPERR;
42475 -
42476 -@@ -348,14 +387,12 @@ fastcall void __kprobes do_page_fault(st
42477 - if (regs->eflags & (X86_EFLAGS_IF|VM_MASK))
42478 - local_irq_enable();
42479 -
42480 -- mm = tsk->mm;
42481 --
42482 - /*
42483 - * If we're in an interrupt, have no user context or are running in an
42484 - * atomic region then we must not take the fault..
42485 - */
42486 - if (in_atomic() || !mm)
42487 -- goto bad_area_nosemaphore;
42488 -+ goto bad_area_nopax;
42489 -
42490 - /* When running in the kernel we expect faults to occur only to
42491 - * addresses in user space. All other faults represent errors in the
42492 -@@ -375,10 +412,104 @@ fastcall void __kprobes do_page_fault(st
42493 - if (!down_read_trylock(&mm->mmap_sem)) {
42494 - if ((error_code & 4) == 0 &&
42495 - !search_exception_tables(regs->eip))
42496 -- goto bad_area_nosemaphore;
42497 -+ goto bad_area_nopax;
42498 - down_read(&mm->mmap_sem);
42499 - }
42500 -
42501 -+#ifdef CONFIG_PAX_PAGEEXEC
42502 -+ if (nx_enabled || (error_code & 5) != 5 || (regs->eflags & X86_EFLAGS_VM) ||
42503 -+ !(mm->pax_flags & MF_PAX_PAGEEXEC))
42504 -+ goto not_pax_fault;
42505 -+
42506 -+ /* PaX: it's our fault, let's handle it if we can */
42507 -+
42508 -+ /* PaX: take a look at read faults before acquiring any locks */
42509 -+ if (unlikely(!(error_code & 2) && (regs->eip == address))) {
42510 -+ /* instruction fetch attempt from a protected page in user mode */
42511 -+ up_read(&mm->mmap_sem);
42512 -+
42513 -+#ifdef CONFIG_PAX_EMUTRAMP
42514 -+ switch (pax_handle_fetch_fault(regs)) {
42515 -+ case 2:
42516 -+ return;
42517 -+ }
42518 -+#endif
42519 -+
42520 -+ pax_report_fault(regs, (void *)regs->eip, (void *)regs->esp);
42521 -+ do_exit(SIGKILL);
42522 -+ }
42523 -+
42524 -+ pmd = pax_get_pmd(mm, address);
42525 -+ if (unlikely(!pmd))
42526 -+ goto not_pax_fault;
42527 -+
42528 -+ pte = pte_offset_map_lock(mm, pmd, address, &ptl);
42529 -+ if (unlikely(!(pte_val(*pte) & _PAGE_PRESENT) || pte_user(*pte))) {
42530 -+ pte_unmap_unlock(pte, ptl);
42531 -+ goto not_pax_fault;
42532 -+ }
42533 -+
42534 -+ if (unlikely((error_code & 2) && !pte_write(*pte))) {
42535 -+ /* write attempt to a protected page in user mode */
42536 -+ pte_unmap_unlock(pte, ptl);
42537 -+ goto not_pax_fault;
42538 -+ }
42539 -+
42540 -+#ifdef CONFIG_SMP
42541 -+ if (likely(address > get_limit(regs->xcs) && cpu_isset(smp_processor_id(), mm->context.cpu_user_cs_mask)))
42542 -+#else
42543 -+ if (likely(address > get_limit(regs->xcs)))
42544 -+#endif
42545 -+ {
42546 -+ set_pte(pte, pte_mkread(*pte));
42547 -+ __flush_tlb_one(address);
42548 -+ pte_unmap_unlock(pte, ptl);
42549 -+ up_read(&mm->mmap_sem);
42550 -+ return;
42551 -+ }
42552 -+
42553 -+ pte_mask = _PAGE_ACCESSED | _PAGE_USER | ((error_code & 2) << (_PAGE_BIT_DIRTY-1));
42554 -+
42555 -+ /*
42556 -+ * PaX: fill DTLB with user rights and retry
42557 -+ */
42558 -+ __asm__ __volatile__ (
42559 -+#ifdef CONFIG_PAX_MEMORY_UDEREF
42560 -+ "movw %w4,%%es\n"
42561 -+#endif
42562 -+ "orb %2,(%1)\n"
42563 -+#if defined(CONFIG_M586) || defined(CONFIG_M586TSC)
42564 -+/*
42565 -+ * PaX: let this uncommented 'invlpg' remind us on the behaviour of Intel's
42566 -+ * (and AMD's) TLBs. namely, they do not cache PTEs that would raise *any*
42567 -+ * page fault when examined during a TLB load attempt. this is true not only
42568 -+ * for PTEs holding a non-present entry but also present entries that will
42569 -+ * raise a page fault (such as those set up by PaX, or the copy-on-write
42570 -+ * mechanism). in effect it means that we do *not* need to flush the TLBs
42571 -+ * for our target pages since their PTEs are simply not in the TLBs at all.
42572 -+
42573 -+ * the best thing in omitting it is that we gain around 15-20% speed in the
42574 -+ * fast path of the page fault handler and can get rid of tracing since we
42575 -+ * can no longer flush unintended entries.
42576 -+ */
42577 -+ "invlpg (%0)\n"
42578 -+#endif
42579 -+ "testb $0,%%es:(%0)\n"
42580 -+ "xorb %3,(%1)\n"
42581 -+#ifdef CONFIG_PAX_MEMORY_UDEREF
42582 -+ "pushl %%ss\n"
42583 -+ "popl %%es\n"
42584 -+#endif
42585 -+ :
42586 -+ : "r" (address), "r" (pte), "q" (pte_mask), "i" (_PAGE_USER), "r" (__USER_DS)
42587 -+ : "memory", "cc");
42588 -+ pte_unmap_unlock(pte, ptl);
42589 -+ up_read(&mm->mmap_sem);
42590 -+ return;
42591 -+
42592 -+not_pax_fault:
42593 -+#endif
42594 -+
42595 - vma = find_vma(mm, address);
42596 - if (!vma)
42597 - goto bad_area;
42598 -@@ -396,6 +527,12 @@ fastcall void __kprobes do_page_fault(st
42599 - if (address + 65536 + 32 * sizeof(unsigned long) < regs->esp)
42600 - goto bad_area;
42601 - }
42602 -+
42603 -+#ifdef CONFIG_PAX_SEGMEXEC
42604 -+ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && vma->vm_end - SEGMEXEC_TASK_SIZE - 1 < address - SEGMEXEC_TASK_SIZE - 1)
42605 -+ goto bad_area;
42606 -+#endif
42607 -+
42608 - if (expand_stack(vma, address))
42609 - goto bad_area;
42610 - /*
42611 -@@ -405,6 +542,8 @@ fastcall void __kprobes do_page_fault(st
42612 - good_area:
42613 - si_code = SEGV_ACCERR;
42614 - write = 0;
42615 -+ if (nx_enabled && (error_code & 16) && !(vma->vm_flags & VM_EXEC))
42616 -+ goto bad_area;
42617 - switch (error_code & 3) {
42618 - default: /* 3: write, present */
42619 - /* fall through */
42620 -@@ -458,6 +597,41 @@ bad_area:
42621 - up_read(&mm->mmap_sem);
42622 -
42623 - bad_area_nosemaphore:
42624 -+
42625 -+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
42626 -+ if (mm && (error_code & 4) && !(regs->eflags & X86_EFLAGS_VM)) {
42627 -+ /*
42628 -+ * It's possible to have interrupts off here.
42629 -+ */
42630 -+ local_irq_enable();
42631 -+
42632 -+#ifdef CONFIG_PAX_PAGEEXEC
42633 -+ if ((nx_enabled && (error_code & 16)) ||
42634 -+ ((mm->pax_flags & MF_PAX_PAGEEXEC) && !(error_code & 3) && (regs->eip == address))) {
42635 -+ pax_report_fault(regs, (void *)regs->eip, (void *)regs->esp);
42636 -+ do_exit(SIGKILL);
42637 -+ }
42638 -+#endif
42639 -+
42640 -+#ifdef CONFIG_PAX_SEGMEXEC
42641 -+ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && !(error_code & 3) && (regs->eip + SEGMEXEC_TASK_SIZE == address)) {
42642 -+
42643 -+#ifdef CONFIG_PAX_EMUTRAMP
42644 -+ switch (pax_handle_fetch_fault(regs)) {
42645 -+ case 2:
42646 -+ return;
42647 -+ }
42648 -+#endif
42649 -+
42650 -+ pax_report_fault(regs, (void *)regs->eip, (void *)regs->esp);
42651 -+ do_exit(SIGKILL);
42652 -+ }
42653 -+#endif
42654 -+
42655 -+ }
42656 -+#endif
42657 -+
42658 -+bad_area_nopax:
42659 - /* User mode accesses just cause a SIGSEGV */
42660 - if (error_code & 4) {
42661 - /*
42662 -@@ -495,7 +669,7 @@ bad_area_nosemaphore:
42663 - if (boot_cpu_data.f00f_bug) {
42664 - unsigned long nr;
42665 -
42666 -- nr = (address - idt_descr.address) >> 3;
42667 -+ nr = (address - (unsigned long)idt_descr.address) >> 3;
42668 -
42669 - if (nr == 6) {
42670 - do_invalid_op(regs, 0);
42671 -@@ -528,18 +702,34 @@ no_context:
42672 - __typeof__(pte_val(__pte(0))) page;
42673 -
42674 - #ifdef CONFIG_X86_PAE
42675 -- if (error_code & 16) {
42676 -- pte_t *pte = lookup_address(address);
42677 -+ if (nx_enabled && (error_code & 16)) {
42678 -+ pte = lookup_address(address);
42679 -
42680 - if (pte && pte_present(*pte) && !pte_exec_kernel(*pte))
42681 - printk(KERN_CRIT "kernel tried to execute "
42682 - "NX-protected page - exploit attempt? "
42683 -- "(uid: %d)\n", current->uid);
42684 -+ "(uid: %d, task: %s, pid: %d)\n",
42685 -+ current->uid, current->comm, current->pid);
42686 - }
42687 - #endif
42688 - if (address < PAGE_SIZE)
42689 - printk(KERN_ALERT "BUG: unable to handle kernel NULL "
42690 - "pointer dereference");
42691 -+
42692 -+#ifdef CONFIG_PAX_KERNEXEC
42693 -+#ifdef CONFIG_MODULES
42694 -+ else if (init_mm.start_code <= address && address < (unsigned long)MODULES_END)
42695 -+#else
42696 -+ else if (init_mm.start_code <= address && address < init_mm.end_code)
42697 -+#endif
42698 -+ if (tsk->signal->curr_ip)
42699 -+ printk(KERN_ERR "PAX: From %u.%u.%u.%u: %s:%d, uid/euid: %u/%u, attempted to modify kernel code",
42700 -+ NIPQUAD(tsk->signal->curr_ip), tsk->comm, tsk->pid, tsk->uid, tsk->euid);
42701 -+ else
42702 -+ printk(KERN_ERR "PAX: %s:%d, uid/euid: %u/%u, attempted to modify kernel code",
42703 -+ tsk->comm, tsk->pid, tsk->uid, tsk->euid);
42704 -+#endif
42705 -+
42706 - else
42707 - printk(KERN_ALERT "BUG: unable to handle kernel paging"
42708 - " request");
42709 -@@ -570,7 +760,7 @@ no_context:
42710 - * it's allocated already.
42711 - */
42712 - if ((page >> PAGE_SHIFT) < max_low_pfn
42713 -- && (page & _PAGE_PRESENT)) {
42714 -+ && (page & (_PAGE_PRESENT | _PAGE_PSE)) == _PAGE_PRESENT) {
42715 - page &= PAGE_MASK;
42716 - page = ((__typeof__(page) *) __va(page))[(address >> PAGE_SHIFT)
42717 - & (PTRS_PER_PTE - 1)];
42718 -@@ -655,3 +845,92 @@ void vmalloc_sync_all(void)
42719 - start = address + PGDIR_SIZE;
42720 - }
42721 - }
42722 -+
42723 -+#ifdef CONFIG_PAX_EMUTRAMP
42724 -+/*
42725 -+ * PaX: decide what to do with offenders (regs->eip = fault address)
42726 -+ *
42727 -+ * returns 1 when task should be killed
42728 -+ * 2 when gcc trampoline was detected
42729 -+ */
42730 -+static int pax_handle_fetch_fault(struct pt_regs *regs)
42731 -+{
42732 -+ int err;
42733 -+
42734 -+ if (regs->eflags & X86_EFLAGS_VM)
42735 -+ return 1;
42736 -+
42737 -+ if (!(current->mm->pax_flags & MF_PAX_EMUTRAMP))
42738 -+ return 1;
42739 -+
42740 -+ do { /* PaX: gcc trampoline emulation #1 */
42741 -+ unsigned char mov1, mov2;
42742 -+ unsigned short jmp;
42743 -+ unsigned long addr1, addr2;
42744 -+
42745 -+ err = get_user(mov1, (unsigned char __user *)regs->eip);
42746 -+ err |= get_user(addr1, (unsigned long __user *)(regs->eip + 1));
42747 -+ err |= get_user(mov2, (unsigned char __user *)(regs->eip + 5));
42748 -+ err |= get_user(addr2, (unsigned long __user *)(regs->eip + 6));
42749 -+ err |= get_user(jmp, (unsigned short __user *)(regs->eip + 10));
42750 -+
42751 -+ if (err)
42752 -+ break;
42753 -+
42754 -+ if (mov1 == 0xB9 && mov2 == 0xB8 && jmp == 0xE0FF) {
42755 -+ regs->ecx = addr1;
42756 -+ regs->eax = addr2;
42757 -+ regs->eip = addr2;
42758 -+ return 2;
42759 -+ }
42760 -+ } while (0);
42761 -+
42762 -+ do { /* PaX: gcc trampoline emulation #2 */
42763 -+ unsigned char mov, jmp;
42764 -+ unsigned long addr1, addr2;
42765 -+
42766 -+ err = get_user(mov, (unsigned char __user *)regs->eip);
42767 -+ err |= get_user(addr1, (unsigned long __user *)(regs->eip + 1));
42768 -+ err |= get_user(jmp, (unsigned char __user *)(regs->eip + 5));
42769 -+ err |= get_user(addr2, (unsigned long __user *)(regs->eip + 6));
42770 -+
42771 -+ if (err)
42772 -+ break;
42773 -+
42774 -+ if (mov == 0xB9 && jmp == 0xE9) {
42775 -+ regs->ecx = addr1;
42776 -+ regs->eip += addr2 + 10;
42777 -+ return 2;
42778 -+ }
42779 -+ } while (0);
42780 -+
42781 -+ return 1; /* PaX in action */
42782 -+}
42783 -+#endif
42784 -+
42785 -+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
42786 -+void pax_report_insns(void *pc, void *sp)
42787 -+{
42788 -+ long i;
42789 -+
42790 -+ printk(KERN_ERR "PAX: bytes at PC: ");
42791 -+ for (i = 0; i < 20; i++) {
42792 -+ unsigned char c;
42793 -+ if (get_user(c, (unsigned char __user *)pc+i))
42794 -+ printk("?? ");
42795 -+ else
42796 -+ printk("%02x ", c);
42797 -+ }
42798 -+ printk("\n");
42799 -+
42800 -+ printk(KERN_ERR "PAX: bytes at SP-4: ");
42801 -+ for (i = -1; i < 20; i++) {
42802 -+ unsigned long c;
42803 -+ if (get_user(c, (unsigned long __user *)sp+i))
42804 -+ printk("???????? ");
42805 -+ else
42806 -+ printk("%08lx ", c);
42807 -+ }
42808 -+ printk("\n");
42809 -+}
42810 -+#endif
42811 -diff -Nurp linux-2.6.23.15/arch/i386/mm/hugetlbpage.c linux-2.6.23.15-grsec/arch/i386/mm/hugetlbpage.c
42812 ---- linux-2.6.23.15/arch/i386/mm/hugetlbpage.c 2007-10-09 21:31:38.000000000 +0100
42813 -+++ linux-2.6.23.15-grsec/arch/i386/mm/hugetlbpage.c 2008-02-11 10:37:44.000000000 +0000
42814 -@@ -229,13 +229,18 @@ static unsigned long hugetlb_get_unmappe
42815 - {
42816 - struct mm_struct *mm = current->mm;
42817 - struct vm_area_struct *vma;
42818 -- unsigned long start_addr;
42819 -+ unsigned long start_addr, task_size = TASK_SIZE;
42820 -+
42821 -+#ifdef CONFIG_PAX_SEGMEXEC
42822 -+ if (mm->pax_flags & MF_PAX_SEGMEXEC)
42823 -+ task_size = SEGMEXEC_TASK_SIZE;
42824 -+#endif
42825 -
42826 - if (len > mm->cached_hole_size) {
42827 -- start_addr = mm->free_area_cache;
42828 -+ start_addr = mm->free_area_cache;
42829 - } else {
42830 -- start_addr = TASK_UNMAPPED_BASE;
42831 -- mm->cached_hole_size = 0;
42832 -+ start_addr = mm->mmap_base;
42833 -+ mm->cached_hole_size = 0;
42834 - }
42835 -
42836 - full_search:
42837 -@@ -243,13 +248,13 @@ full_search:
42838 -
42839 - for (vma = find_vma(mm, addr); ; vma = vma->vm_next) {
42840 - /* At this point: (!vma || addr < vma->vm_end). */
42841 -- if (TASK_SIZE - len < addr) {
42842 -+ if (task_size - len < addr) {
42843 - /*
42844 - * Start a new search - just in case we missed
42845 - * some holes.
42846 - */
42847 -- if (start_addr != TASK_UNMAPPED_BASE) {
42848 -- start_addr = TASK_UNMAPPED_BASE;
42849 -+ if (start_addr != mm->mmap_base) {
42850 -+ start_addr = mm->mmap_base;
42851 - mm->cached_hole_size = 0;
42852 - goto full_search;
42853 - }
42854 -@@ -271,9 +276,8 @@ static unsigned long hugetlb_get_unmappe
42855 - {
42856 - struct mm_struct *mm = current->mm;
42857 - struct vm_area_struct *vma, *prev_vma;
42858 -- unsigned long base = mm->mmap_base, addr = addr0;
42859 -+ unsigned long base = mm->mmap_base, addr;
42860 - unsigned long largest_hole = mm->cached_hole_size;
42861 -- int first_time = 1;
42862 -
42863 - /* don't allow allocations above current base */
42864 - if (mm->free_area_cache > base)
42865 -@@ -283,7 +287,7 @@ static unsigned long hugetlb_get_unmappe
42866 - largest_hole = 0;
42867 - mm->free_area_cache = base;
42868 - }
42869 --try_again:
42870 -+
42871 - /* make sure it can fit in the remaining address space */
42872 - if (mm->free_area_cache < len)
42873 - goto fail;
42874 -@@ -325,22 +329,26 @@ try_again:
42875 -
42876 - fail:
42877 - /*
42878 -- * if hint left us with no space for the requested
42879 -- * mapping then try again:
42880 -- */
42881 -- if (first_time) {
42882 -- mm->free_area_cache = base;
42883 -- largest_hole = 0;
42884 -- first_time = 0;
42885 -- goto try_again;
42886 -- }
42887 -- /*
42888 - * A failed mmap() very likely causes application failure,
42889 - * so fall back to the bottom-up function here. This scenario
42890 - * can happen with large stack limits and large mmap()
42891 - * allocations.
42892 - */
42893 -- mm->free_area_cache = TASK_UNMAPPED_BASE;
42894 -+
42895 -+#ifdef CONFIG_PAX_SEGMEXEC
42896 -+ if (mm->pax_flags & MF_PAX_SEGMEXEC)
42897 -+ mm->mmap_base = SEGMEXEC_TASK_UNMAPPED_BASE;
42898 -+ else
42899 -+#endif
42900 -+
42901 -+ mm->mmap_base = TASK_UNMAPPED_BASE;
42902 -+
42903 -+#ifdef CONFIG_PAX_RANDMMAP
42904 -+ if (mm->pax_flags & MF_PAX_RANDMMAP)
42905 -+ mm->mmap_base += mm->delta_mmap;
42906 -+#endif
42907 -+
42908 -+ mm->free_area_cache = mm->mmap_base;
42909 - mm->cached_hole_size = ~0UL;
42910 - addr = hugetlb_get_unmapped_area_bottomup(file, addr0,
42911 - len, pgoff, flags);
42912 -@@ -348,6 +356,7 @@ fail:
42913 - /*
42914 - * Restore the topdown base:
42915 - */
42916 -+ mm->mmap_base = base;
42917 - mm->free_area_cache = base;
42918 - mm->cached_hole_size = ~0UL;
42919 -
42920 -@@ -360,10 +369,17 @@ hugetlb_get_unmapped_area(struct file *f
42921 - {
42922 - struct mm_struct *mm = current->mm;
42923 - struct vm_area_struct *vma;
42924 -+ unsigned long task_size = TASK_SIZE;
42925 -
42926 - if (len & ~HPAGE_MASK)
42927 - return -EINVAL;
42928 -- if (len > TASK_SIZE)
42929 -+
42930 -+#ifdef CONFIG_PAX_SEGMEXEC
42931 -+ if (mm->pax_flags & MF_PAX_SEGMEXEC)
42932 -+ task_size = SEGMEXEC_TASK_SIZE;
42933 -+#endif
42934 -+
42935 -+ if (len > task_size)
42936 - return -ENOMEM;
42937 -
42938 - if (flags & MAP_FIXED) {
42939 -@@ -375,7 +391,7 @@ hugetlb_get_unmapped_area(struct file *f
42940 - if (addr) {
42941 - addr = ALIGN(addr, HPAGE_SIZE);
42942 - vma = find_vma(mm, addr);
42943 -- if (TASK_SIZE - len >= addr &&
42944 -+ if (task_size - len >= addr &&
42945 - (!vma || addr + len <= vma->vm_start))
42946 - return addr;
42947 - }
42948 -diff -Nurp linux-2.6.23.15/arch/i386/mm/init.c linux-2.6.23.15-grsec/arch/i386/mm/init.c
42949 ---- linux-2.6.23.15/arch/i386/mm/init.c 2007-10-09 21:31:38.000000000 +0100
42950 -+++ linux-2.6.23.15-grsec/arch/i386/mm/init.c 2008-02-11 10:37:44.000000000 +0000
42951 -@@ -44,6 +44,7 @@
42952 - #include <asm/tlbflush.h>
42953 - #include <asm/sections.h>
42954 - #include <asm/paravirt.h>
42955 -+#include <asm/desc.h>
42956 -
42957 - unsigned int __VMALLOC_RESERVE = 128 << 20;
42958 -
42959 -@@ -53,32 +54,6 @@ unsigned long highstart_pfn, highend_pfn
42960 - static int noinline do_test_wp_bit(void);
42961 -
42962 - /*
42963 -- * Creates a middle page table and puts a pointer to it in the
42964 -- * given global directory entry. This only returns the gd entry
42965 -- * in non-PAE compilation mode, since the middle layer is folded.
42966 -- */
42967 --static pmd_t * __init one_md_table_init(pgd_t *pgd)
42968 --{
42969 -- pud_t *pud;
42970 -- pmd_t *pmd_table;
42971 --
42972 --#ifdef CONFIG_X86_PAE
42973 -- if (!(pgd_val(*pgd) & _PAGE_PRESENT)) {
42974 -- pmd_table = (pmd_t *) alloc_bootmem_low_pages(PAGE_SIZE);
42975 --
42976 -- paravirt_alloc_pd(__pa(pmd_table) >> PAGE_SHIFT);
42977 -- set_pgd(pgd, __pgd(__pa(pmd_table) | _PAGE_PRESENT));
42978 -- pud = pud_offset(pgd, 0);
42979 -- if (pmd_table != pmd_offset(pud, 0))
42980 -- BUG();
42981 -- }
42982 --#endif
42983 -- pud = pud_offset(pgd, 0);
42984 -- pmd_table = pmd_offset(pud, 0);
42985 -- return pmd_table;
42986 --}
42987 --
42988 --/*
42989 - * Create a page table and place a pointer to it in a middle page
42990 - * directory entry.
42991 - */
42992 -@@ -88,7 +63,11 @@ static pte_t * __init one_page_table_ini
42993 - pte_t *page_table = (pte_t *) alloc_bootmem_low_pages(PAGE_SIZE);
42994 -
42995 - paravirt_alloc_pt(&init_mm, __pa(page_table) >> PAGE_SHIFT);
42996 -+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
42997 -+ set_pmd(pmd, __pmd(__pa(page_table) | _KERNPG_TABLE));
42998 -+#else
42999 - set_pmd(pmd, __pmd(__pa(page_table) | _PAGE_TABLE));
43000 -+#endif
43001 - BUG_ON(page_table != pte_offset_kernel(pmd, 0));
43002 - }
43003 -
43004 -@@ -109,6 +88,7 @@ static pte_t * __init one_page_table_ini
43005 - static void __init page_table_range_init (unsigned long start, unsigned long end, pgd_t *pgd_base)
43006 - {
43007 - pgd_t *pgd;
43008 -+ pud_t *pud;
43009 - pmd_t *pmd;
43010 - int pgd_idx, pmd_idx;
43011 - unsigned long vaddr;
43012 -@@ -119,8 +99,13 @@ static void __init page_table_range_init
43013 - pgd = pgd_base + pgd_idx;
43014 -
43015 - for ( ; (pgd_idx < PTRS_PER_PGD) && (vaddr != end); pgd++, pgd_idx++) {
43016 -- pmd = one_md_table_init(pgd);
43017 -- pmd = pmd + pmd_index(vaddr);
43018 -+ pud = pud_offset(pgd, vaddr);
43019 -+ pmd = pmd_offset(pud, vaddr);
43020 -+
43021 -+#ifdef CONFIG_X86_PAE
43022 -+ paravirt_alloc_pd(__pa(pmd) >> PAGE_SHIFT);
43023 -+#endif
43024 -+
43025 - for (; (pmd_idx < PTRS_PER_PMD) && (vaddr != end); pmd++, pmd_idx++) {
43026 - one_page_table_init(pmd);
43027 -
43028 -@@ -130,11 +115,23 @@ static void __init page_table_range_init
43029 - }
43030 - }
43031 -
43032 --static inline int is_kernel_text(unsigned long addr)
43033 -+static inline int is_kernel_text(unsigned long start, unsigned long end)
43034 - {
43035 -- if (addr >= PAGE_OFFSET && addr <= (unsigned long)__init_end)
43036 -- return 1;
43037 -- return 0;
43038 -+ unsigned long etext;
43039 -+
43040 -+#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
43041 -+ etext = (unsigned long)&MODULES_END - __KERNEL_TEXT_OFFSET;
43042 -+#else
43043 -+ etext = (unsigned long)&_etext;
43044 -+#endif
43045 -+
43046 -+ if ((start > etext + __KERNEL_TEXT_OFFSET ||
43047 -+ end <= (unsigned long)_stext + __KERNEL_TEXT_OFFSET) &&
43048 -+ (start > (unsigned long)_einittext + __KERNEL_TEXT_OFFSET ||
43049 -+ end <= (unsigned long)_sinittext + __KERNEL_TEXT_OFFSET) &&
43050 -+ (start > (unsigned long)__va(0xfffff) || end <= (unsigned long)__va(0xc0000)))
43051 -+ return 0;
43052 -+ return 1;
43053 - }
43054 -
43055 - /*
43056 -@@ -146,25 +143,29 @@ static void __init kernel_physical_mappi
43057 - {
43058 - unsigned long pfn;
43059 - pgd_t *pgd;
43060 -+ pud_t *pud;
43061 - pmd_t *pmd;
43062 - pte_t *pte;
43063 -- int pgd_idx, pmd_idx, pte_ofs;
43064 -+ unsigned int pgd_idx, pmd_idx, pte_ofs;
43065 -
43066 - pgd_idx = pgd_index(PAGE_OFFSET);
43067 - pgd = pgd_base + pgd_idx;
43068 - pfn = 0;
43069 -
43070 -- for (; pgd_idx < PTRS_PER_PGD; pgd++, pgd_idx++) {
43071 -- pmd = one_md_table_init(pgd);
43072 -- if (pfn >= max_low_pfn)
43073 -- continue;
43074 -+ for (; pgd_idx < PTRS_PER_PGD && pfn < max_low_pfn; pgd++, pgd_idx++) {
43075 -+ pud = pud_offset(pgd, 0);
43076 -+ pmd = pmd_offset(pud, 0);
43077 -+
43078 -+#ifdef CONFIG_X86_PAE
43079 -+ paravirt_alloc_pd(__pa(pmd) >> PAGE_SHIFT);
43080 -+#endif
43081 -+
43082 - for (pmd_idx = 0; pmd_idx < PTRS_PER_PMD && pfn < max_low_pfn; pmd++, pmd_idx++) {
43083 -- unsigned int address = pfn * PAGE_SIZE + PAGE_OFFSET;
43084 -+ unsigned long address = pfn * PAGE_SIZE + PAGE_OFFSET;
43085 -
43086 - /* Map with big pages if possible, otherwise create normal page tables. */
43087 -- if (cpu_has_pse) {
43088 -- unsigned int address2 = (pfn + PTRS_PER_PTE - 1) * PAGE_SIZE + PAGE_OFFSET + PAGE_SIZE-1;
43089 -- if (is_kernel_text(address) || is_kernel_text(address2))
43090 -+ if (cpu_has_pse && address >= (unsigned long)__va(0x100000)) {
43091 -+ if (is_kernel_text(address, address + PMD_SIZE))
43092 - set_pmd(pmd, pfn_pmd(pfn, PAGE_KERNEL_LARGE_EXEC));
43093 - else
43094 - set_pmd(pmd, pfn_pmd(pfn, PAGE_KERNEL_LARGE));
43095 -@@ -176,7 +177,7 @@ static void __init kernel_physical_mappi
43096 - for (pte_ofs = 0;
43097 - pte_ofs < PTRS_PER_PTE && pfn < max_low_pfn;
43098 - pte++, pfn++, pte_ofs++, address += PAGE_SIZE) {
43099 -- if (is_kernel_text(address))
43100 -+ if (is_kernel_text(address, address + PAGE_SIZE))
43101 - set_pte(pte, pfn_pte(pfn, PAGE_KERNEL_EXEC));
43102 - else
43103 - set_pte(pte, pfn_pte(pfn, PAGE_KERNEL));
43104 -@@ -326,9 +327,9 @@ static void __init set_highmem_pages_ini
43105 - #define set_highmem_pages_init(bad_ppro) do { } while (0)
43106 - #endif /* CONFIG_HIGHMEM */
43107 -
43108 --unsigned long long __PAGE_KERNEL = _PAGE_KERNEL;
43109 -+unsigned long long __PAGE_KERNEL __read_only = _PAGE_KERNEL;
43110 - EXPORT_SYMBOL(__PAGE_KERNEL);
43111 --unsigned long long __PAGE_KERNEL_EXEC = _PAGE_KERNEL_EXEC;
43112 -+unsigned long long __PAGE_KERNEL_EXEC __read_only = _PAGE_KERNEL_EXEC;
43113 -
43114 - #ifdef CONFIG_NUMA
43115 - extern void __init remap_numa_kva(void);
43116 -@@ -339,26 +340,10 @@ extern void __init remap_numa_kva(void);
43117 - void __init native_pagetable_setup_start(pgd_t *base)
43118 - {
43119 - #ifdef CONFIG_X86_PAE
43120 -- int i;
43121 -+ unsigned int i;
43122 -
43123 -- /*
43124 -- * Init entries of the first-level page table to the
43125 -- * zero page, if they haven't already been set up.
43126 -- *
43127 -- * In a normal native boot, we'll be running on a
43128 -- * pagetable rooted in swapper_pg_dir, but not in PAE
43129 -- * mode, so this will end up clobbering the mappings
43130 -- * for the lower 24Mbytes of the address space,
43131 -- * without affecting the kernel address space.
43132 -- */
43133 -- for (i = 0; i < USER_PTRS_PER_PGD; i++)
43134 -- set_pgd(&base[i],
43135 -- __pgd(__pa(empty_zero_page) | _PAGE_PRESENT));
43136 --
43137 -- /* Make sure kernel address space is empty so that a pagetable
43138 -- will be allocated for it. */
43139 -- memset(&base[USER_PTRS_PER_PGD], 0,
43140 -- KERNEL_PGD_PTRS * sizeof(pgd_t));
43141 -+ for (i = 0; i < PTRS_PER_PGD; i++)
43142 -+ paravirt_alloc_pd(__pa(swapper_pm_dir + i) >> PAGE_SHIFT);
43143 - #else
43144 - paravirt_alloc_pd(__pa(swapper_pg_dir) >> PAGE_SHIFT);
43145 - #endif
43146 -@@ -366,16 +351,6 @@ void __init native_pagetable_setup_start
43147 -
43148 - void __init native_pagetable_setup_done(pgd_t *base)
43149 - {
43150 --#ifdef CONFIG_X86_PAE
43151 -- /*
43152 -- * Add low memory identity-mappings - SMP needs it when
43153 -- * starting up on an AP from real-mode. In the non-PAE
43154 -- * case we already have these mappings through head.S.
43155 -- * All user-space mappings are explicitly cleared after
43156 -- * SMP startup.
43157 -- */
43158 -- set_pgd(&base[0], base[USER_PTRS_PER_PGD]);
43159 --#endif
43160 - }
43161 -
43162 - /*
43163 -@@ -437,12 +412,12 @@ static void __init pagetable_init (void)
43164 - * Swap suspend & friends need this for resume because things like the intel-agp
43165 - * driver might have split up a kernel 4MB mapping.
43166 - */
43167 --char __nosavedata swsusp_pg_dir[PAGE_SIZE]
43168 -+pgd_t __nosavedata swsusp_pg_dir[PTRS_PER_PGD]
43169 - __attribute__ ((aligned (PAGE_SIZE)));
43170 -
43171 - static inline void save_pg_dir(void)
43172 - {
43173 -- memcpy(swsusp_pg_dir, swapper_pg_dir, PAGE_SIZE);
43174 -+ clone_pgd_range(swsusp_pg_dir, swapper_pg_dir, PTRS_PER_PGD);
43175 - }
43176 - #else
43177 - static inline void save_pg_dir(void)
43178 -@@ -471,12 +446,11 @@ void zap_low_mappings (void)
43179 - flush_tlb_all();
43180 - }
43181 -
43182 --int nx_enabled = 0;
43183 -+int nx_enabled;
43184 -
43185 - #ifdef CONFIG_X86_PAE
43186 -
43187 --static int disable_nx __initdata = 0;
43188 --u64 __supported_pte_mask __read_mostly = ~_PAGE_NX;
43189 -+u64 __supported_pte_mask __read_only = ~_PAGE_NX;
43190 - EXPORT_SYMBOL_GPL(__supported_pte_mask);
43191 -
43192 - /*
43193 -@@ -487,36 +461,31 @@ EXPORT_SYMBOL_GPL(__supported_pte_mask);
43194 - * on Enable
43195 - * off Disable
43196 - */
43197 -+#if !defined(CONFIG_PAX_PAGEEXEC)
43198 - static int __init noexec_setup(char *str)
43199 - {
43200 - if (!str || !strcmp(str, "on")) {
43201 -- if (cpu_has_nx) {
43202 -- __supported_pte_mask |= _PAGE_NX;
43203 -- disable_nx = 0;
43204 -- }
43205 -+ if (cpu_has_nx)
43206 -+ nx_enabled = 1;
43207 - } else if (!strcmp(str,"off")) {
43208 -- disable_nx = 1;
43209 -- __supported_pte_mask &= ~_PAGE_NX;
43210 -+ nx_enabled = 0;
43211 - } else
43212 - return -EINVAL;
43213 -
43214 - return 0;
43215 - }
43216 - early_param("noexec", noexec_setup);
43217 -+#endif
43218 -
43219 - static void __init set_nx(void)
43220 - {
43221 -- unsigned int v[4], l, h;
43222 -+ if (!nx_enabled && cpu_has_nx) {
43223 -+ unsigned l, h;
43224 -
43225 -- if (cpu_has_pae && (cpuid_eax(0x80000000) > 0x80000001)) {
43226 -- cpuid(0x80000001, &v[0], &v[1], &v[2], &v[3]);
43227 -- if ((v[3] & (1 << 20)) && !disable_nx) {
43228 -- rdmsr(MSR_EFER, l, h);
43229 -- l |= EFER_NX;
43230 -- wrmsr(MSR_EFER, l, h);
43231 -- nx_enabled = 1;
43232 -- __supported_pte_mask |= _PAGE_NX;
43233 -- }
43234 -+ __supported_pte_mask &= ~_PAGE_NX;
43235 -+ rdmsr(MSR_EFER, l, h);
43236 -+ l &= ~EFER_NX;
43237 -+ wrmsr(MSR_EFER, l, h);
43238 - }
43239 - }
43240 -
43241 -@@ -569,14 +538,6 @@ void __init paging_init(void)
43242 -
43243 - load_cr3(swapper_pg_dir);
43244 -
43245 --#ifdef CONFIG_X86_PAE
43246 -- /*
43247 -- * We will bail out later - printk doesn't work right now so
43248 -- * the user would just see a hanging kernel.
43249 -- */
43250 -- if (cpu_has_pae)
43251 -- set_in_cr4(X86_CR4_PAE);
43252 --#endif
43253 - __flush_tlb_all();
43254 -
43255 - kmap_init();
43256 -@@ -647,7 +608,7 @@ void __init mem_init(void)
43257 - set_highmem_pages_init(bad_ppro);
43258 -
43259 - codesize = (unsigned long) &_etext - (unsigned long) &_text;
43260 -- datasize = (unsigned long) &_edata - (unsigned long) &_etext;
43261 -+ datasize = (unsigned long) &_edata - (unsigned long) &_data;
43262 - initsize = (unsigned long) &__init_end - (unsigned long) &__init_begin;
43263 -
43264 - kclist_add(&kcore_mem, __va(0), max_low_pfn << PAGE_SHIFT);
43265 -@@ -692,10 +653,10 @@ void __init mem_init(void)
43266 - (unsigned long)&__init_begin, (unsigned long)&__init_end,
43267 - ((unsigned long)&__init_end - (unsigned long)&__init_begin) >> 10,
43268 -
43269 -- (unsigned long)&_etext, (unsigned long)&_edata,
43270 -- ((unsigned long)&_edata - (unsigned long)&_etext) >> 10,
43271 -+ (unsigned long)&_data, (unsigned long)&_edata,
43272 -+ ((unsigned long)&_edata - (unsigned long)&_data) >> 10,
43273 -
43274 -- (unsigned long)&_text, (unsigned long)&_etext,
43275 -+ (unsigned long)&_text + __KERNEL_TEXT_OFFSET, (unsigned long)&_etext + __KERNEL_TEXT_OFFSET,
43276 - ((unsigned long)&_etext - (unsigned long)&_text) >> 10);
43277 -
43278 - #ifdef CONFIG_HIGHMEM
43279 -@@ -706,10 +667,6 @@ void __init mem_init(void)
43280 - BUG_ON((unsigned long)high_memory > VMALLOC_START);
43281 - #endif /* double-sanity-check paranoia */
43282 -
43283 --#ifdef CONFIG_X86_PAE
43284 -- if (!cpu_has_pae)
43285 -- panic("cannot execute a PAE-enabled kernel on a PAE-less CPU!");
43286 --#endif
43287 - if (boot_cpu_data.wp_works_ok < 0)
43288 - test_wp_bit();
43289 -
43290 -@@ -844,6 +801,38 @@ void free_init_pages(char *what, unsigne
43291 -
43292 - void free_initmem(void)
43293 - {
43294 -+
43295 -+#ifdef CONFIG_PAX_KERNEXEC
43296 -+ /* PaX: limit KERNEL_CS to actual size */
43297 -+ unsigned long addr, limit;
43298 -+ __u32 a, b;
43299 -+ int cpu;
43300 -+ pgd_t *pgd;
43301 -+ pud_t *pud;
43302 -+ pmd_t *pmd;
43303 -+
43304 -+#ifdef CONFIG_MODULES
43305 -+ limit = (unsigned long)&MODULES_END - __KERNEL_TEXT_OFFSET;
43306 -+#else
43307 -+ limit = (unsigned long)&_etext;
43308 -+#endif
43309 -+ limit = (limit - 1UL) >> PAGE_SHIFT;
43310 -+
43311 -+ for (cpu = 0; cpu < NR_CPUS; cpu++) {
43312 -+ pack_descriptor(&a, &b, get_desc_base(&get_cpu_gdt_table(cpu)[GDT_ENTRY_KERNEL_CS]), limit, 0x9B, 0xC);
43313 -+ write_gdt_entry(get_cpu_gdt_table(cpu), GDT_ENTRY_KERNEL_CS, a, b);
43314 -+ }
43315 -+
43316 -+ /* PaX: make KERNEL_CS read-only */
43317 -+ for (addr = __KERNEL_TEXT_OFFSET; addr < (unsigned long)&_data; addr += PMD_SIZE) {
43318 -+ pgd = pgd_offset_k(addr);
43319 -+ pud = pud_offset(pgd, addr);
43320 -+ pmd = pmd_offset(pud, addr);
43321 -+ set_pmd(pmd, __pmd(pmd_val(*pmd) & ~_PAGE_RW));
43322 -+ }
43323 -+ flush_tlb_all();
43324 -+#endif
43325 -+
43326 - free_init_pages("unused kernel memory",
43327 - (unsigned long)(&__init_begin),
43328 - (unsigned long)(&__init_end));
43329 -diff -Nurp linux-2.6.23.15/arch/i386/mm/mmap.c linux-2.6.23.15-grsec/arch/i386/mm/mmap.c
43330 ---- linux-2.6.23.15/arch/i386/mm/mmap.c 2007-10-09 21:31:38.000000000 +0100
43331 -+++ linux-2.6.23.15-grsec/arch/i386/mm/mmap.c 2008-02-11 10:37:44.000000000 +0000
43332 -@@ -35,12 +35,18 @@
43333 - * Leave an at least ~128 MB hole.
43334 - */
43335 - #define MIN_GAP (128*1024*1024)
43336 --#define MAX_GAP (TASK_SIZE/6*5)
43337 -+#define MAX_GAP (task_size/6*5)
43338 -
43339 - static inline unsigned long mmap_base(struct mm_struct *mm)
43340 - {
43341 - unsigned long gap = current->signal->rlim[RLIMIT_STACK].rlim_cur;
43342 - unsigned long random_factor = 0;
43343 -+ unsigned long task_size = TASK_SIZE;
43344 -+
43345 -+#ifdef CONFIG_PAX_SEGMEXEC
43346 -+ if (mm->pax_flags & MF_PAX_SEGMEXEC)
43347 -+ task_size = SEGMEXEC_TASK_SIZE;
43348 -+#endif
43349 -
43350 - if (current->flags & PF_RANDOMIZE)
43351 - random_factor = get_random_int() % (1024*1024);
43352 -@@ -50,7 +56,7 @@ static inline unsigned long mmap_base(st
43353 - else if (gap > MAX_GAP)
43354 - gap = MAX_GAP;
43355 -
43356 -- return PAGE_ALIGN(TASK_SIZE - gap - random_factor);
43357 -+ return PAGE_ALIGN(task_size - gap - random_factor);
43358 - }
43359 -
43360 - /*
43361 -@@ -66,11 +72,30 @@ void arch_pick_mmap_layout(struct mm_str
43362 - if (sysctl_legacy_va_layout ||
43363 - (current->personality & ADDR_COMPAT_LAYOUT) ||
43364 - current->signal->rlim[RLIMIT_STACK].rlim_cur == RLIM_INFINITY) {
43365 -+
43366 -+#ifdef CONFIG_PAX_SEGMEXEC
43367 -+ if (mm->pax_flags & MF_PAX_SEGMEXEC)
43368 -+ mm->mmap_base = SEGMEXEC_TASK_UNMAPPED_BASE;
43369 -+ else
43370 -+#endif
43371 -+
43372 - mm->mmap_base = TASK_UNMAPPED_BASE;
43373 -+
43374 -+#ifdef CONFIG_PAX_RANDMMAP
43375 -+ if (mm->pax_flags & MF_PAX_RANDMMAP)
43376 -+ mm->mmap_base += mm->delta_mmap;
43377 -+#endif
43378 -+
43379 - mm->get_unmapped_area = arch_get_unmapped_area;
43380 - mm->unmap_area = arch_unmap_area;
43381 - } else {
43382 - mm->mmap_base = mmap_base(mm);
43383 -+
43384 -+#ifdef CONFIG_PAX_RANDMMAP
43385 -+ if (mm->pax_flags & MF_PAX_RANDMMAP)
43386 -+ mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
43387 -+#endif
43388 -+
43389 - mm->get_unmapped_area = arch_get_unmapped_area_topdown;
43390 - mm->unmap_area = arch_unmap_area_topdown;
43391 - }
43392 -diff -Nurp linux-2.6.23.15/arch/i386/mm/pageattr.c linux-2.6.23.15-grsec/arch/i386/mm/pageattr.c
43393 ---- linux-2.6.23.15/arch/i386/mm/pageattr.c 2007-10-09 21:31:38.000000000 +0100
43394 -+++ linux-2.6.23.15-grsec/arch/i386/mm/pageattr.c 2008-02-11 10:37:44.000000000 +0000
43395 -@@ -13,6 +13,7 @@
43396 - #include <asm/tlbflush.h>
43397 - #include <asm/pgalloc.h>
43398 - #include <asm/sections.h>
43399 -+#include <asm/desc.h>
43400 -
43401 - static DEFINE_SPINLOCK(cpa_lock);
43402 - static struct list_head df_list = LIST_HEAD_INIT(df_list);
43403 -@@ -37,16 +38,16 @@ pte_t *lookup_address(unsigned long addr
43404 - }
43405 -
43406 - static struct page *split_large_page(unsigned long address, pgprot_t prot,
43407 -- pgprot_t ref_prot)
43408 -+ pgprot_t ref_prot, unsigned long flags)
43409 - {
43410 - int i;
43411 - unsigned long addr;
43412 - struct page *base;
43413 - pte_t *pbase;
43414 -
43415 -- spin_unlock_irq(&cpa_lock);
43416 -+ spin_unlock_irqrestore(&cpa_lock, flags);
43417 - base = alloc_pages(GFP_KERNEL, 0);
43418 -- spin_lock_irq(&cpa_lock);
43419 -+ spin_lock_irqsave(&cpa_lock, flags);
43420 - if (!base)
43421 - return NULL;
43422 -
43423 -@@ -99,7 +100,18 @@ static void set_pmd_pte(pte_t *kpte, uns
43424 - struct page *page;
43425 - unsigned long flags;
43426 -
43427 -+#ifdef CONFIG_PAX_KERNEXEC
43428 -+ unsigned long cr0;
43429 -+
43430 -+ pax_open_kernel(cr0);
43431 -+#endif
43432 -+
43433 - set_pte_atomic(kpte, pte); /* change init_mm */
43434 -+
43435 -+#ifdef CONFIG_PAX_KERNEXEC
43436 -+ pax_close_kernel(cr0);
43437 -+#endif
43438 -+
43439 - if (SHARED_KERNEL_PMD)
43440 - return;
43441 -
43442 -@@ -126,7 +138,7 @@ static inline void revert_page(struct pa
43443 - pte_t *linear;
43444 -
43445 - ref_prot =
43446 -- ((address & LARGE_PAGE_MASK) < (unsigned long)&_etext)
43447 -+ ((address & LARGE_PAGE_MASK) < (unsigned long)&_etext + __KERNEL_TEXT_OFFSET)
43448 - ? PAGE_KERNEL_LARGE_EXEC : PAGE_KERNEL_LARGE;
43449 -
43450 - linear = (pte_t *)
43451 -@@ -143,7 +155,7 @@ static inline void save_page(struct page
43452 - }
43453 -
43454 - static int
43455 --__change_page_attr(struct page *page, pgprot_t prot)
43456 -+__change_page_attr(struct page *page, pgprot_t prot, unsigned long flags)
43457 - {
43458 - pte_t *kpte;
43459 - unsigned long address;
43460 -@@ -167,13 +179,20 @@ __change_page_attr(struct page *page, pg
43461 - struct page *split;
43462 -
43463 - ref_prot =
43464 -- ((address & LARGE_PAGE_MASK) < (unsigned long)&_etext)
43465 -+ ((address & LARGE_PAGE_MASK) < (unsigned long)&_etext + __KERNEL_TEXT_OFFSET)
43466 - ? PAGE_KERNEL_EXEC : PAGE_KERNEL;
43467 -- split = split_large_page(address, prot, ref_prot);
43468 -+ split = split_large_page(address, prot, ref_prot, flags);
43469 - if (!split)
43470 - return -ENOMEM;
43471 -- set_pmd_pte(kpte,address,mk_pte(split, ref_prot));
43472 -- kpte_page = split;
43473 -+ if (pte_huge(*kpte)) {
43474 -+ set_pmd_pte(kpte,address,mk_pte(split, ref_prot));
43475 -+ kpte_page = split;
43476 -+ } else {
43477 -+ __free_pages(split, 0);
43478 -+ kpte = lookup_address(address);
43479 -+ kpte_page = virt_to_page(kpte);
43480 -+ set_pte_atomic(kpte, mk_pte(page, prot));
43481 -+ }
43482 - }
43483 - page_private(kpte_page)++;
43484 - } else if (!pte_huge(*kpte)) {
43485 -@@ -225,7 +244,7 @@ int change_page_attr(struct page *page,
43486 -
43487 - spin_lock_irqsave(&cpa_lock, flags);
43488 - for (i = 0; i < numpages; i++, page++) {
43489 -- err = __change_page_attr(page, prot);
43490 -+ err = __change_page_attr(page, prot, flags);
43491 - if (err)
43492 - break;
43493 - }
43494 -diff -Nurp linux-2.6.23.15/arch/i386/oprofile/backtrace.c linux-2.6.23.15-grsec/arch/i386/oprofile/backtrace.c
43495 ---- linux-2.6.23.15/arch/i386/oprofile/backtrace.c 2007-10-09 21:31:38.000000000 +0100
43496 -+++ linux-2.6.23.15-grsec/arch/i386/oprofile/backtrace.c 2008-02-11 10:37:44.000000000 +0000
43497 -@@ -22,7 +22,7 @@ struct frame_head {
43498 - static struct frame_head *
43499 - dump_kernel_backtrace(struct frame_head * head)
43500 - {
43501 -- oprofile_add_trace(head->ret);
43502 -+ oprofile_add_trace(head->ret + __KERNEL_TEXT_OFFSET);
43503 -
43504 - /* frame pointers should strictly progress back up the stack
43505 - * (towards higher addresses) */
43506 -@@ -116,7 +116,7 @@ x86_backtrace(struct pt_regs * const reg
43507 - head = (struct frame_head *)regs->ebp;
43508 - #endif
43509 -
43510 -- if (!user_mode_vm(regs)) {
43511 -+ if (!user_mode(regs)) {
43512 - while (depth-- && valid_kernel_stack(head, regs))
43513 - head = dump_kernel_backtrace(head);
43514 - return;
43515 -diff -Nurp linux-2.6.23.15/arch/i386/oprofile/op_model_p4.c linux-2.6.23.15-grsec/arch/i386/oprofile/op_model_p4.c
43516 ---- linux-2.6.23.15/arch/i386/oprofile/op_model_p4.c 2007-10-09 21:31:38.000000000 +0100
43517 -+++ linux-2.6.23.15-grsec/arch/i386/oprofile/op_model_p4.c 2008-02-11 10:37:44.000000000 +0000
43518 -@@ -47,7 +47,7 @@ static inline void setup_num_counters(vo
43519 - #endif
43520 - }
43521 -
43522 --static int inline addr_increment(void)
43523 -+static inline int addr_increment(void)
43524 - {
43525 - #ifdef CONFIG_SMP
43526 - return smp_num_siblings == 2 ? 2 : 1;
43527 -diff -Nurp linux-2.6.23.15/arch/i386/pci/common.c linux-2.6.23.15-grsec/arch/i386/pci/common.c
43528 ---- linux-2.6.23.15/arch/i386/pci/common.c 2007-10-09 21:31:38.000000000 +0100
43529 -+++ linux-2.6.23.15-grsec/arch/i386/pci/common.c 2008-02-11 10:37:44.000000000 +0000
43530 -@@ -287,7 +287,7 @@ static struct dmi_system_id __devinitdat
43531 - DMI_MATCH(DMI_PRODUCT_NAME, "ProLiant BL685c G1"),
43532 - },
43533 - },
43534 -- {}
43535 -+ { NULL, NULL, {DMI_MATCH(DMI_NONE, NULL)}, NULL}
43536 - };
43537 -
43538 - struct pci_bus * __devinit pcibios_scan_root(int busnum)
43539 -diff -Nurp linux-2.6.23.15/arch/i386/pci/early.c linux-2.6.23.15-grsec/arch/i386/pci/early.c
43540 ---- linux-2.6.23.15/arch/i386/pci/early.c 2007-10-09 21:31:38.000000000 +0100
43541 -+++ linux-2.6.23.15-grsec/arch/i386/pci/early.c 2008-02-11 10:37:44.000000000 +0000
43542 -@@ -7,7 +7,7 @@
43543 - /* Direct PCI access. This is used for PCI accesses in early boot before
43544 - the PCI subsystem works. */
43545 -
43546 --#define PDprintk(x...)
43547 -+#define PDprintk(x...) do {} while (0)
43548 -
43549 - u32 read_pci_config(u8 bus, u8 slot, u8 func, u8 offset)
43550 - {
43551 -diff -Nurp linux-2.6.23.15/arch/i386/pci/fixup.c linux-2.6.23.15-grsec/arch/i386/pci/fixup.c
43552 ---- linux-2.6.23.15/arch/i386/pci/fixup.c 2007-10-09 21:31:38.000000000 +0100
43553 -+++ linux-2.6.23.15-grsec/arch/i386/pci/fixup.c 2008-02-11 10:37:44.000000000 +0000
43554 -@@ -386,7 +386,7 @@ static struct dmi_system_id __devinitdat
43555 - DMI_MATCH(DMI_PRODUCT_VERSION, "PSA40U"),
43556 - },
43557 - },
43558 -- { }
43559 -+ { NULL, NULL, {DMI_MATCH(DMI_NONE, NULL)}, NULL }
43560 - };
43561 -
43562 - static void __devinit pci_pre_fixup_toshiba_ohci1394(struct pci_dev *dev)
43563 -diff -Nurp linux-2.6.23.15/arch/i386/pci/irq.c linux-2.6.23.15-grsec/arch/i386/pci/irq.c
43564 ---- linux-2.6.23.15/arch/i386/pci/irq.c 2007-10-09 21:31:38.000000000 +0100
43565 -+++ linux-2.6.23.15-grsec/arch/i386/pci/irq.c 2008-02-11 10:37:44.000000000 +0000
43566 -@@ -508,7 +508,7 @@ static __init int intel_router_probe(str
43567 - static struct pci_device_id __initdata pirq_440gx[] = {
43568 - { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_82443GX_0) },
43569 - { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_82443GX_2) },
43570 -- { },
43571 -+ { PCI_DEVICE(0, 0) }
43572 - };
43573 -
43574 - /* 440GX has a proprietary PIRQ router -- don't use it */
43575 -@@ -1051,7 +1051,7 @@ static struct dmi_system_id __initdata p
43576 - DMI_MATCH(DMI_PRODUCT_NAME, "TravelMate 360"),
43577 - },
43578 - },
43579 -- { }
43580 -+ { NULL, NULL, {DMI_MATCH(DMI_NONE, NULL)}, NULL }
43581 - };
43582 -
43583 - static int __init pcibios_irq_init(void)
43584 -diff -Nurp linux-2.6.23.15/arch/i386/pci/pcbios.c linux-2.6.23.15-grsec/arch/i386/pci/pcbios.c
43585 ---- linux-2.6.23.15/arch/i386/pci/pcbios.c 2007-10-09 21:31:38.000000000 +0100
43586 -+++ linux-2.6.23.15-grsec/arch/i386/pci/pcbios.c 2008-02-11 10:37:44.000000000 +0000
43587 -@@ -57,50 +57,124 @@ union bios32 {
43588 - static struct {
43589 - unsigned long address;
43590 - unsigned short segment;
43591 --} bios32_indirect = { 0, __KERNEL_CS };
43592 -+} bios32_indirect __read_only = { 0, __PCIBIOS_CS };
43593 -
43594 - /*
43595 - * Returns the entry point for the given service, NULL on error
43596 - */
43597 -
43598 --static unsigned long bios32_service(unsigned long service)
43599 -+static unsigned long __devinit bios32_service(unsigned long service)
43600 - {
43601 - unsigned char return_code; /* %al */
43602 - unsigned long address; /* %ebx */
43603 - unsigned long length; /* %ecx */
43604 - unsigned long entry; /* %edx */
43605 - unsigned long flags;
43606 -+ struct desc_struct *gdt;
43607 -+
43608 -+#ifdef CONFIG_PAX_KERNEXEC
43609 -+ unsigned long cr0;
43610 -+#endif
43611 -
43612 - local_irq_save(flags);
43613 -- __asm__("lcall *(%%edi); cld"
43614 -+
43615 -+ gdt = get_cpu_gdt_table(smp_processor_id());
43616 -+
43617 -+#ifdef CONFIG_PAX_KERNEXEC
43618 -+ pax_open_kernel(cr0);
43619 -+#endif
43620 -+
43621 -+ pack_descriptor((__u32 *)&gdt[GDT_ENTRY_PCIBIOS_CS].a,
43622 -+ (__u32 *)&gdt[GDT_ENTRY_PCIBIOS_CS].b,
43623 -+ 0UL, 0xFFFFFUL, 0x9B, 0xC);
43624 -+ pack_descriptor((__u32 *)&gdt[GDT_ENTRY_PCIBIOS_DS].a,
43625 -+ (__u32 *)&gdt[GDT_ENTRY_PCIBIOS_DS].b,
43626 -+ 0UL, 0xFFFFFUL, 0x93, 0xC);
43627 -+
43628 -+#ifdef CONFIG_PAX_KERNEXEC
43629 -+ pax_close_kernel(cr0);
43630 -+#endif
43631 -+
43632 -+ __asm__("movw %w7, %%ds; lcall *(%%edi); push %%ss; pop %%ds; cld"
43633 - : "=a" (return_code),
43634 - "=b" (address),
43635 - "=c" (length),
43636 - "=d" (entry)
43637 - : "0" (service),
43638 - "1" (0),
43639 -- "D" (&bios32_indirect));
43640 -+ "D" (&bios32_indirect),
43641 -+ "r"(__PCIBIOS_DS)
43642 -+ : "memory");
43643 -+
43644 -+#ifdef CONFIG_PAX_KERNEXEC
43645 -+ pax_open_kernel(cr0);
43646 -+#endif
43647 -+
43648 -+ gdt[GDT_ENTRY_PCIBIOS_CS].a = 0;
43649 -+ gdt[GDT_ENTRY_PCIBIOS_CS].b = 0;
43650 -+ gdt[GDT_ENTRY_PCIBIOS_DS].a = 0;
43651 -+ gdt[GDT_ENTRY_PCIBIOS_DS].b = 0;
43652 -+
43653 -+#ifdef CONFIG_PAX_KERNEXEC
43654 -+ pax_close_kernel(cr0);
43655 -+#endif
43656 -+
43657 - local_irq_restore(flags);
43658 -
43659 - switch (return_code) {
43660 -- case 0:
43661 -- return address + entry;
43662 -- case 0x80: /* Not present */
43663 -- printk(KERN_WARNING "bios32_service(0x%lx): not present\n", service);
43664 -- return 0;
43665 -- default: /* Shouldn't happen */
43666 -- printk(KERN_WARNING "bios32_service(0x%lx): returned 0x%x -- BIOS bug!\n",
43667 -- service, return_code);
43668 -+ case 0: {
43669 -+ int cpu;
43670 -+ unsigned char flags;
43671 -+
43672 -+ printk(KERN_INFO "bios32_service: base:%08lx length:%08lx entry:%08lx\n", address, length, entry);
43673 -+ if (address >= 0xFFFF0 || length >= 0xFFFF0 - address || length <= entry) {
43674 -+ printk(KERN_WARNING "bios32_service: not valid\n");
43675 - return 0;
43676 -+ }
43677 -+ address = address + PAGE_OFFSET;
43678 -+ length += 16UL; /* some BIOSs underreport this... */
43679 -+ flags = 4;
43680 -+ if (length >= 64*1024*1024) {
43681 -+ length >>= PAGE_SHIFT;
43682 -+ flags |= 8;
43683 -+ }
43684 -+
43685 -+#ifdef CONFIG_PAX_KERNEXEC
43686 -+ pax_open_kernel(cr0);
43687 -+#endif
43688 -+
43689 -+ for (cpu = 0; cpu < NR_CPUS; cpu++) {
43690 -+ gdt = get_cpu_gdt_table(cpu);
43691 -+ pack_descriptor((__u32 *)&gdt[GDT_ENTRY_PCIBIOS_CS].a,
43692 -+ (__u32 *)&gdt[GDT_ENTRY_PCIBIOS_CS].b,
43693 -+ address, length, 0x9b, flags);
43694 -+ pack_descriptor((__u32 *)&gdt[GDT_ENTRY_PCIBIOS_DS].a,
43695 -+ (__u32 *)&gdt[GDT_ENTRY_PCIBIOS_DS].b,
43696 -+ address, length, 0x93, flags);
43697 -+ }
43698 -+
43699 -+#ifdef CONFIG_PAX_KERNEXEC
43700 -+ pax_close_kernel(cr0);
43701 -+#endif
43702 -+
43703 -+ return entry;
43704 -+ }
43705 -+ case 0x80: /* Not present */
43706 -+ printk(KERN_WARNING "bios32_service(0x%lx): not present\n", service);
43707 -+ return 0;
43708 -+ default: /* Shouldn't happen */
43709 -+ printk(KERN_WARNING "bios32_service(0x%lx): returned 0x%x -- BIOS bug!\n",
43710 -+ service, return_code);
43711 -+ return 0;
43712 - }
43713 - }
43714 -
43715 - static struct {
43716 - unsigned long address;
43717 - unsigned short segment;
43718 --} pci_indirect = { 0, __KERNEL_CS };
43719 -+} pci_indirect __read_only = { 0, __PCIBIOS_CS };
43720 -
43721 --static int pci_bios_present;
43722 -+static int pci_bios_present __read_only;
43723 -
43724 - static int __devinit check_pcibios(void)
43725 - {
43726 -@@ -109,11 +183,13 @@ static int __devinit check_pcibios(void)
43727 - unsigned long flags, pcibios_entry;
43728 -
43729 - if ((pcibios_entry = bios32_service(PCI_SERVICE))) {
43730 -- pci_indirect.address = pcibios_entry + PAGE_OFFSET;
43731 -+ pci_indirect.address = pcibios_entry;
43732 -
43733 - local_irq_save(flags);
43734 -- __asm__(
43735 -- "lcall *(%%edi); cld\n\t"
43736 -+ __asm__("movw %w6, %%ds\n\t"
43737 -+ "lcall *%%ss:(%%edi); cld\n\t"
43738 -+ "push %%ss\n\t"
43739 -+ "pop %%ds\n\t"
43740 - "jc 1f\n\t"
43741 - "xor %%ah, %%ah\n"
43742 - "1:"
43743 -@@ -122,7 +198,8 @@ static int __devinit check_pcibios(void)
43744 - "=b" (ebx),
43745 - "=c" (ecx)
43746 - : "1" (PCIBIOS_PCI_BIOS_PRESENT),
43747 -- "D" (&pci_indirect)
43748 -+ "D" (&pci_indirect),
43749 -+ "r" (__PCIBIOS_DS)
43750 - : "memory");
43751 - local_irq_restore(flags);
43752 -
43753 -@@ -158,7 +235,10 @@ static int __devinit pci_bios_find_devic
43754 - unsigned short bx;
43755 - unsigned short ret;
43756 -
43757 -- __asm__("lcall *(%%edi); cld\n\t"
43758 -+ __asm__("movw %w7, %%ds\n\t"
43759 -+ "lcall *%%ss:(%%edi); cld\n\t"
43760 -+ "push %%ss\n\t"
43761 -+ "pop %%ds\n\t"
43762 - "jc 1f\n\t"
43763 - "xor %%ah, %%ah\n"
43764 - "1:"
43765 -@@ -168,7 +248,8 @@ static int __devinit pci_bios_find_devic
43766 - "c" (device_id),
43767 - "d" (vendor),
43768 - "S" ((int) index),
43769 -- "D" (&pci_indirect));
43770 -+ "D" (&pci_indirect),
43771 -+ "r" (__PCIBIOS_DS));
43772 - *bus = (bx >> 8) & 0xff;
43773 - *device_fn = bx & 0xff;
43774 - return (int) (ret & 0xff00) >> 8;
43775 -@@ -188,7 +269,10 @@ static int pci_bios_read(unsigned int se
43776 -
43777 - switch (len) {
43778 - case 1:
43779 -- __asm__("lcall *(%%esi); cld\n\t"
43780 -+ __asm__("movw %w6, %%ds\n\t"
43781 -+ "lcall *%%ss:(%%esi); cld\n\t"
43782 -+ "push %%ss\n\t"
43783 -+ "pop %%ds\n\t"
43784 - "jc 1f\n\t"
43785 - "xor %%ah, %%ah\n"
43786 - "1:"
43787 -@@ -197,10 +281,14 @@ static int pci_bios_read(unsigned int se
43788 - : "1" (PCIBIOS_READ_CONFIG_BYTE),
43789 - "b" (bx),
43790 - "D" ((long)reg),
43791 -- "S" (&pci_indirect));
43792 -+ "S" (&pci_indirect),
43793 -+ "r" (__PCIBIOS_DS));
43794 - break;
43795 - case 2:
43796 -- __asm__("lcall *(%%esi); cld\n\t"
43797 -+ __asm__("movw %w6, %%ds\n\t"
43798 -+ "lcall *%%ss:(%%esi); cld\n\t"
43799 -+ "push %%ss\n\t"
43800 -+ "pop %%ds\n\t"
43801 - "jc 1f\n\t"
43802 - "xor %%ah, %%ah\n"
43803 - "1:"
43804 -@@ -209,10 +297,14 @@ static int pci_bios_read(unsigned int se
43805 - : "1" (PCIBIOS_READ_CONFIG_WORD),
43806 - "b" (bx),
43807 - "D" ((long)reg),
43808 -- "S" (&pci_indirect));
43809 -+ "S" (&pci_indirect),
43810 -+ "r" (__PCIBIOS_DS));
43811 - break;
43812 - case 4:
43813 -- __asm__("lcall *(%%esi); cld\n\t"
43814 -+ __asm__("movw %w6, %%ds\n\t"
43815 -+ "lcall *%%ss:(%%esi); cld\n\t"
43816 -+ "push %%ss\n\t"
43817 -+ "pop %%ds\n\t"
43818 - "jc 1f\n\t"
43819 - "xor %%ah, %%ah\n"
43820 - "1:"
43821 -@@ -221,7 +313,8 @@ static int pci_bios_read(unsigned int se
43822 - : "1" (PCIBIOS_READ_CONFIG_DWORD),
43823 - "b" (bx),
43824 - "D" ((long)reg),
43825 -- "S" (&pci_indirect));
43826 -+ "S" (&pci_indirect),
43827 -+ "r" (__PCIBIOS_DS));
43828 - break;
43829 - }
43830 -
43831 -@@ -244,7 +337,10 @@ static int pci_bios_write(unsigned int s
43832 -
43833 - switch (len) {
43834 - case 1:
43835 -- __asm__("lcall *(%%esi); cld\n\t"
43836 -+ __asm__("movw %w6, %%ds\n\t"
43837 -+ "lcall *%%ss:(%%esi); cld\n\t"
43838 -+ "push %%ss\n\t"
43839 -+ "pop %%ds\n\t"
43840 - "jc 1f\n\t"
43841 - "xor %%ah, %%ah\n"
43842 - "1:"
43843 -@@ -253,10 +349,14 @@ static int pci_bios_write(unsigned int s
43844 - "c" (value),
43845 - "b" (bx),
43846 - "D" ((long)reg),
43847 -- "S" (&pci_indirect));
43848 -+ "S" (&pci_indirect),
43849 -+ "r" (__PCIBIOS_DS));
43850 - break;
43851 - case 2:
43852 -- __asm__("lcall *(%%esi); cld\n\t"
43853 -+ __asm__("movw %w6, %%ds\n\t"
43854 -+ "lcall *%%ss:(%%esi); cld\n\t"
43855 -+ "push %%ss\n\t"
43856 -+ "pop %%ds\n\t"
43857 - "jc 1f\n\t"
43858 - "xor %%ah, %%ah\n"
43859 - "1:"
43860 -@@ -265,10 +365,14 @@ static int pci_bios_write(unsigned int s
43861 - "c" (value),
43862 - "b" (bx),
43863 - "D" ((long)reg),
43864 -- "S" (&pci_indirect));
43865 -+ "S" (&pci_indirect),
43866 -+ "r" (__PCIBIOS_DS));
43867 - break;
43868 - case 4:
43869 -- __asm__("lcall *(%%esi); cld\n\t"
43870 -+ __asm__("movw %w6, %%ds\n\t"
43871 -+ "lcall *%%ss:(%%esi); cld\n\t"
43872 -+ "push %%ss\n\t"
43873 -+ "pop %%ds\n\t"
43874 - "jc 1f\n\t"
43875 - "xor %%ah, %%ah\n"
43876 - "1:"
43877 -@@ -277,7 +381,8 @@ static int pci_bios_write(unsigned int s
43878 - "c" (value),
43879 - "b" (bx),
43880 - "D" ((long)reg),
43881 -- "S" (&pci_indirect));
43882 -+ "S" (&pci_indirect),
43883 -+ "r" (__PCIBIOS_DS));
43884 - break;
43885 - }
43886 -
43887 -@@ -430,10 +535,13 @@ struct irq_routing_table * pcibios_get_i
43888 -
43889 - DBG("PCI: Fetching IRQ routing table... ");
43890 - __asm__("push %%es\n\t"
43891 -+ "movw %w8, %%ds\n\t"
43892 - "push %%ds\n\t"
43893 - "pop %%es\n\t"
43894 -- "lcall *(%%esi); cld\n\t"
43895 -+ "lcall *%%ss:(%%esi); cld\n\t"
43896 - "pop %%es\n\t"
43897 -+ "push %%ss\n\t"
43898 -+ "pop %%ds\n"
43899 - "jc 1f\n\t"
43900 - "xor %%ah, %%ah\n"
43901 - "1:"
43902 -@@ -444,7 +552,8 @@ struct irq_routing_table * pcibios_get_i
43903 - "1" (0),
43904 - "D" ((long) &opt),
43905 - "S" (&pci_indirect),
43906 -- "m" (opt)
43907 -+ "m" (opt),
43908 -+ "r" (__PCIBIOS_DS)
43909 - : "memory");
43910 - DBG("OK ret=%d, size=%d, map=%x\n", ret, opt.size, map);
43911 - if (ret & 0xff00)
43912 -@@ -468,7 +577,10 @@ int pcibios_set_irq_routing(struct pci_d
43913 - {
43914 - int ret;
43915 -
43916 -- __asm__("lcall *(%%esi); cld\n\t"
43917 -+ __asm__("movw %w5, %%ds\n\t"
43918 -+ "lcall *%%ss:(%%esi); cld\n\t"
43919 -+ "push %%ss\n\t"
43920 -+ "pop %%ds\n"
43921 - "jc 1f\n\t"
43922 - "xor %%ah, %%ah\n"
43923 - "1:"
43924 -@@ -476,7 +588,8 @@ int pcibios_set_irq_routing(struct pci_d
43925 - : "0" (PCIBIOS_SET_PCI_HW_INT),
43926 - "b" ((dev->bus->number << 8) | dev->devfn),
43927 - "c" ((irq << 8) | (pin + 10)),
43928 -- "S" (&pci_indirect));
43929 -+ "S" (&pci_indirect),
43930 -+ "r" (__PCIBIOS_DS));
43931 - return !(ret & 0xff00);
43932 - }
43933 - EXPORT_SYMBOL(pcibios_set_irq_routing);
43934 -diff -Nurp linux-2.6.23.15/arch/i386/power/cpu.c linux-2.6.23.15-grsec/arch/i386/power/cpu.c
43935 ---- linux-2.6.23.15/arch/i386/power/cpu.c 2007-10-09 21:31:38.000000000 +0100
43936 -+++ linux-2.6.23.15-grsec/arch/i386/power/cpu.c 2008-02-11 10:37:44.000000000 +0000
43937 -@@ -64,7 +64,7 @@ static void do_fpu_end(void)
43938 - static void fix_processor_context(void)
43939 - {
43940 - int cpu = smp_processor_id();
43941 -- struct tss_struct * t = &per_cpu(init_tss, cpu);
43942 -+ struct tss_struct *t = init_tss + cpu;
43943 -
43944 - set_tss_desc(cpu,t); /* This just modifies memory; should not be necessary. But... This is necessary, because 386 hardware has concept of busy TSS or some similar stupidity. */
43945 -
43946 -diff -Nurp linux-2.6.23.15/arch/i386/xen/enlighten.c linux-2.6.23.15-grsec/arch/i386/xen/enlighten.c
43947 ---- linux-2.6.23.15/arch/i386/xen/enlighten.c 2008-02-11 10:36:03.000000000 +0000
43948 -+++ linux-2.6.23.15-grsec/arch/i386/xen/enlighten.c 2008-02-11 10:37:44.000000000 +0000
43949 -@@ -320,7 +320,7 @@ static void xen_set_ldt(const void *addr
43950 - static void xen_load_gdt(const struct Xgt_desc_struct *dtr)
43951 - {
43952 - unsigned long *frames;
43953 -- unsigned long va = dtr->address;
43954 -+ unsigned long va = (unsigned long)dtr->address;
43955 - unsigned int size = dtr->size + 1;
43956 - unsigned pages = (size + PAGE_SIZE - 1) / PAGE_SIZE;
43957 - int f;
43958 -@@ -335,7 +335,7 @@ static void xen_load_gdt(const struct Xg
43959 - mcs = xen_mc_entry(sizeof(*frames) * pages);
43960 - frames = mcs.args;
43961 -
43962 -- for (f = 0; va < dtr->address + size; va += PAGE_SIZE, f++) {
43963 -+ for (f = 0; va < (unsigned long)dtr->address + size; va += PAGE_SIZE, f++) {
43964 - frames[f] = virt_to_mfn(va);
43965 - make_lowmem_page_readonly((void *)va);
43966 - }
43967 -@@ -429,7 +429,7 @@ static void xen_write_idt_entry(struct d
43968 -
43969 - preempt_disable();
43970 -
43971 -- start = __get_cpu_var(idt_desc).address;
43972 -+ start = (unsigned long)__get_cpu_var(idt_desc).address;
43973 - end = start + __get_cpu_var(idt_desc).size + 1;
43974 -
43975 - xen_mc_flush();
43976 -diff -Nurp linux-2.6.23.15/arch/i386/xen/smp.c linux-2.6.23.15-grsec/arch/i386/xen/smp.c
43977 ---- linux-2.6.23.15/arch/i386/xen/smp.c 2007-10-09 21:31:38.000000000 +0100
43978 -+++ linux-2.6.23.15-grsec/arch/i386/xen/smp.c 2008-02-11 10:37:44.000000000 +0000
43979 -@@ -144,7 +144,7 @@ void __init xen_smp_prepare_boot_cpu(voi
43980 -
43981 - /* We've switched to the "real" per-cpu gdt, so make sure the
43982 - old memory can be recycled */
43983 -- make_lowmem_page_readwrite(&per_cpu__gdt_page);
43984 -+ make_lowmem_page_readwrite(get_cpu_gdt_table(smp_processor_id()));
43985 -
43986 - for (cpu = 0; cpu < NR_CPUS; cpu++) {
43987 - cpus_clear(cpu_sibling_map[cpu]);
43988 -@@ -198,7 +198,7 @@ static __cpuinit int
43989 - cpu_initialize_context(unsigned int cpu, struct task_struct *idle)
43990 - {
43991 - struct vcpu_guest_context *ctxt;
43992 -- struct gdt_page *gdt = &per_cpu(gdt_page, cpu);
43993 -+ struct desc_struct *gdt = get_cpu_gdt_table(cpu);
43994 -
43995 - if (cpu_test_and_set(cpu, cpu_initialized_map))
43996 - return 0;
43997 -@@ -222,11 +222,11 @@ cpu_initialize_context(unsigned int cpu,
43998 -
43999 - ctxt->ldt_ents = 0;
44000 -
44001 -- BUG_ON((unsigned long)gdt->gdt & ~PAGE_MASK);
44002 -- make_lowmem_page_readonly(gdt->gdt);
44003 -+ BUG_ON((unsigned long)gdt & ~PAGE_MASK);
44004 -+ make_lowmem_page_readonly(gdt);
44005 -
44006 -- ctxt->gdt_frames[0] = virt_to_mfn(gdt->gdt);
44007 -- ctxt->gdt_ents = ARRAY_SIZE(gdt->gdt);
44008 -+ ctxt->gdt_frames[0] = virt_to_mfn(gdt);
44009 -+ ctxt->gdt_ents = GDT_ENTRIES;
44010 -
44011 - ctxt->user_regs.cs = __KERNEL_CS;
44012 - ctxt->user_regs.esp = idle->thread.esp0 - sizeof(struct pt_regs);
44013 -diff -Nurp linux-2.6.23.15/arch/ia64/ia32/binfmt_elf32.c linux-2.6.23.15-grsec/arch/ia64/ia32/binfmt_elf32.c
44014 ---- linux-2.6.23.15/arch/ia64/ia32/binfmt_elf32.c 2007-10-09 21:31:38.000000000 +0100
44015 -+++ linux-2.6.23.15-grsec/arch/ia64/ia32/binfmt_elf32.c 2008-02-11 10:37:44.000000000 +0000
44016 -@@ -45,6 +45,13 @@ randomize_stack_top(unsigned long stack_
44017 -
44018 - #define elf_read_implies_exec(ex, have_pt_gnu_stack) (!(have_pt_gnu_stack))
44019 -
44020 -+#ifdef CONFIG_PAX_ASLR
44021 -+#define PAX_ELF_ET_DYN_BASE (current->personality == PER_LINUX32 ? 0x08048000UL : 0x4000000000000000UL)
44022 -+
44023 -+#define PAX_DELTA_MMAP_LEN (current->personality == PER_LINUX32 ? 16 : 3*PAGE_SHIFT - 13)
44024 -+#define PAX_DELTA_STACK_LEN (current->personality == PER_LINUX32 ? 16 : 3*PAGE_SHIFT - 13)
44025 -+#endif
44026 -+
44027 - /* Ugly but avoids duplication */
44028 - #include "../../../fs/binfmt_elf.c"
44029 -
44030 -diff -Nurp linux-2.6.23.15/arch/ia64/ia32/ia32priv.h linux-2.6.23.15-grsec/arch/ia64/ia32/ia32priv.h
44031 ---- linux-2.6.23.15/arch/ia64/ia32/ia32priv.h 2007-10-09 21:31:38.000000000 +0100
44032 -+++ linux-2.6.23.15-grsec/arch/ia64/ia32/ia32priv.h 2008-02-11 10:37:44.000000000 +0000
44033 -@@ -304,7 +304,14 @@ struct old_linux32_dirent {
44034 - #define ELF_DATA ELFDATA2LSB
44035 - #define ELF_ARCH EM_386
44036 -
44037 --#define IA32_STACK_TOP IA32_PAGE_OFFSET
44038 -+#ifdef CONFIG_PAX_RANDUSTACK
44039 -+#define __IA32_DELTA_STACK (current->mm->delta_stack)
44040 -+#else
44041 -+#define __IA32_DELTA_STACK 0UL
44042 -+#endif
44043 -+
44044 -+#define IA32_STACK_TOP (IA32_PAGE_OFFSET - __IA32_DELTA_STACK)
44045 -+
44046 - #define IA32_GATE_OFFSET IA32_PAGE_OFFSET
44047 - #define IA32_GATE_END IA32_PAGE_OFFSET + PAGE_SIZE
44048 -
44049 -diff -Nurp linux-2.6.23.15/arch/ia64/kernel/module.c linux-2.6.23.15-grsec/arch/ia64/kernel/module.c
44050 ---- linux-2.6.23.15/arch/ia64/kernel/module.c 2007-10-09 21:31:38.000000000 +0100
44051 -+++ linux-2.6.23.15-grsec/arch/ia64/kernel/module.c 2008-02-11 10:37:44.000000000 +0000
44052 -@@ -321,7 +321,7 @@ module_alloc (unsigned long size)
44053 - void
44054 - module_free (struct module *mod, void *module_region)
44055 - {
44056 -- if (mod->arch.init_unw_table && module_region == mod->module_init) {
44057 -+ if (mod->arch.init_unw_table && module_region == mod->module_init_rx) {
44058 - unw_remove_unwind_table(mod->arch.init_unw_table);
44059 - mod->arch.init_unw_table = NULL;
44060 - }
44061 -@@ -499,15 +499,39 @@ module_frob_arch_sections (Elf_Ehdr *ehd
44062 - }
44063 -
44064 - static inline int
44065 -+in_init_rx (const struct module *mod, uint64_t addr)
44066 -+{
44067 -+ return addr - (uint64_t) mod->module_init_rx < mod->init_size_rx;
44068 -+}
44069 -+
44070 -+static inline int
44071 -+in_init_rw (const struct module *mod, uint64_t addr)
44072 -+{
44073 -+ return addr - (uint64_t) mod->module_init_rw < mod->init_size_rw;
44074 -+}
44075 -+
44076 -+static inline int
44077 - in_init (const struct module *mod, uint64_t addr)
44078 - {
44079 -- return addr - (uint64_t) mod->module_init < mod->init_size;
44080 -+ return in_init_rx(mod, value) || in_init_rw(mod, value);
44081 -+}
44082 -+
44083 -+static inline int
44084 -+in_core_rx (const struct module *mod, uint64_t addr)
44085 -+{
44086 -+ return addr - (uint64_t) mod->module_core_rx < mod->core_size_rx;
44087 -+}
44088 -+
44089 -+static inline int
44090 -+in_core_rw (const struct module *mod, uint64_t addr)
44091 -+{
44092 -+ return addr - (uint64_t) mod->module_core_rw < mod->core_size_rw;
44093 - }
44094 -
44095 - static inline int
44096 - in_core (const struct module *mod, uint64_t addr)
44097 - {
44098 -- return addr - (uint64_t) mod->module_core < mod->core_size;
44099 -+ return in_core_rx(mod, value) || in_core_rw(mod, value);
44100 - }
44101 -
44102 - static inline int
44103 -@@ -691,7 +715,14 @@ do_reloc (struct module *mod, uint8_t r_
44104 - break;
44105 -
44106 - case RV_BDREL:
44107 -- val -= (uint64_t) (in_init(mod, val) ? mod->module_init : mod->module_core);
44108 -+ if (in_init_rx(mod, val))
44109 -+ val -= (uint64_t) mod->module_init_rx;
44110 -+ else if (in_init_rw(mod, val))
44111 -+ val -= (uint64_t) mod->module_init_rw;
44112 -+ else if (in_core_rx(mod, val))
44113 -+ val -= (uint64_t) mod->module_core_rx;
44114 -+ else if (in_core_rw(mod, val))
44115 -+ val -= (uint64_t) mod->module_core_rw;
44116 - break;
44117 -
44118 - case RV_LTV:
44119 -@@ -825,15 +856,15 @@ apply_relocate_add (Elf64_Shdr *sechdrs,
44120 - * addresses have been selected...
44121 - */
44122 - uint64_t gp;
44123 -- if (mod->core_size > MAX_LTOFF)
44124 -+ if (mod->core_size_rx + mod->core_size_rw > MAX_LTOFF)
44125 - /*
44126 - * This takes advantage of fact that SHF_ARCH_SMALL gets allocated
44127 - * at the end of the module.
44128 - */
44129 -- gp = mod->core_size - MAX_LTOFF / 2;
44130 -+ gp = mod->core_size_rx + mod->core_size_rw - MAX_LTOFF / 2;
44131 - else
44132 -- gp = mod->core_size / 2;
44133 -- gp = (uint64_t) mod->module_core + ((gp + 7) & -8);
44134 -+ gp = (mod->core_size_rx + mod->core_size_rw) / 2;
44135 -+ gp = (uint64_t) mod->module_core_rx + ((gp + 7) & -8);
44136 - mod->arch.gp = gp;
44137 - DEBUGP("%s: placing gp at 0x%lx\n", __FUNCTION__, gp);
44138 - }
44139 -diff -Nurp linux-2.6.23.15/arch/ia64/kernel/ptrace.c linux-2.6.23.15-grsec/arch/ia64/kernel/ptrace.c
44140 ---- linux-2.6.23.15/arch/ia64/kernel/ptrace.c 2007-10-09 21:31:38.000000000 +0100
44141 -+++ linux-2.6.23.15-grsec/arch/ia64/kernel/ptrace.c 2008-02-11 10:37:44.000000000 +0000
44142 -@@ -17,6 +17,7 @@
44143 - #include <linux/security.h>
44144 - #include <linux/audit.h>
44145 - #include <linux/signal.h>
44146 -+#include <linux/grsecurity.h>
44147 -
44148 - #include <asm/pgtable.h>
44149 - #include <asm/processor.h>
44150 -@@ -1451,6 +1452,9 @@ sys_ptrace (long request, pid_t pid, uns
44151 - if (pid == 1) /* no messing around with init! */
44152 - goto out_tsk;
44153 -
44154 -+ if (gr_handle_ptrace(child, request))
44155 -+ goto out_tsk;
44156 -+
44157 - if (request == PTRACE_ATTACH) {
44158 - ret = ptrace_attach(child);
44159 - goto out_tsk;
44160 -diff -Nurp linux-2.6.23.15/arch/ia64/kernel/sys_ia64.c linux-2.6.23.15-grsec/arch/ia64/kernel/sys_ia64.c
44161 ---- linux-2.6.23.15/arch/ia64/kernel/sys_ia64.c 2007-10-09 21:31:38.000000000 +0100
44162 -+++ linux-2.6.23.15-grsec/arch/ia64/kernel/sys_ia64.c 2008-02-11 10:37:44.000000000 +0000
44163 -@@ -43,6 +43,13 @@ arch_get_unmapped_area (struct file *fil
44164 - if (REGION_NUMBER(addr) == RGN_HPAGE)
44165 - addr = 0;
44166 - #endif
44167 -+
44168 -+#ifdef CONFIG_PAX_RANDMMAP
44169 -+ if ((mm->pax_flags & MF_PAX_RANDMMAP) && addr && filp)
44170 -+ addr = mm->free_area_cache;
44171 -+ else
44172 -+#endif
44173 -+
44174 - if (!addr)
44175 - addr = mm->free_area_cache;
44176 -
44177 -@@ -61,9 +68,9 @@ arch_get_unmapped_area (struct file *fil
44178 - for (vma = find_vma(mm, addr); ; vma = vma->vm_next) {
44179 - /* At this point: (!vma || addr < vma->vm_end). */
44180 - if (TASK_SIZE - len < addr || RGN_MAP_LIMIT - len < REGION_OFFSET(addr)) {
44181 -- if (start_addr != TASK_UNMAPPED_BASE) {
44182 -+ if (start_addr != mm->mmap_base) {
44183 - /* Start a new search --- just in case we missed some holes. */
44184 -- addr = TASK_UNMAPPED_BASE;
44185 -+ addr = mm->mmap_base;
44186 - goto full_search;
44187 - }
44188 - return -ENOMEM;
44189 -diff -Nurp linux-2.6.23.15/arch/ia64/mm/fault.c linux-2.6.23.15-grsec/arch/ia64/mm/fault.c
44190 ---- linux-2.6.23.15/arch/ia64/mm/fault.c 2007-10-09 21:31:38.000000000 +0100
44191 -+++ linux-2.6.23.15-grsec/arch/ia64/mm/fault.c 2008-02-11 10:37:44.000000000 +0000
44192 -@@ -10,6 +10,7 @@
44193 - #include <linux/interrupt.h>
44194 - #include <linux/kprobes.h>
44195 - #include <linux/kdebug.h>
44196 -+#include <linux/binfmts.h>
44197 -
44198 - #include <asm/pgtable.h>
44199 - #include <asm/processor.h>
44200 -@@ -72,6 +73,23 @@ mapped_kernel_page_is_present (unsigned
44201 - return pte_present(pte);
44202 - }
44203 -
44204 -+#ifdef CONFIG_PAX_PAGEEXEC
44205 -+void pax_report_insns(void *pc, void *sp)
44206 -+{
44207 -+ unsigned long i;
44208 -+
44209 -+ printk(KERN_ERR "PAX: bytes at PC: ");
44210 -+ for (i = 0; i < 8; i++) {
44211 -+ unsigned int c;
44212 -+ if (get_user(c, (unsigned int *)pc+i))
44213 -+ printk("???????? ");
44214 -+ else
44215 -+ printk("%08x ", c);
44216 -+ }
44217 -+ printk("\n");
44218 -+}
44219 -+#endif
44220 -+
44221 - void __kprobes
44222 - ia64_do_page_fault (unsigned long address, unsigned long isr, struct pt_regs *regs)
44223 - {
44224 -@@ -145,9 +163,23 @@ ia64_do_page_fault (unsigned long addres
44225 - mask = ( (((isr >> IA64_ISR_X_BIT) & 1UL) << VM_EXEC_BIT)
44226 - | (((isr >> IA64_ISR_W_BIT) & 1UL) << VM_WRITE_BIT));
44227 -
44228 -- if ((vma->vm_flags & mask) != mask)
44229 -+ if ((vma->vm_flags & mask) != mask) {
44230 -+
44231 -+#ifdef CONFIG_PAX_PAGEEXEC
44232 -+ if (!(vma->vm_flags & VM_EXEC) && (mask & VM_EXEC)) {
44233 -+ if (!(mm->pax_flags & MF_PAX_PAGEEXEC) || address != regs->cr_iip)
44234 -+ goto bad_area;
44235 -+
44236 -+ up_read(&mm->mmap_sem);
44237 -+ pax_report_fault(regs, (void *)regs->cr_iip, (void *)regs->r12);
44238 -+ do_exit(SIGKILL);
44239 -+ }
44240 -+#endif
44241 -+
44242 - goto bad_area;
44243 -
44244 -+ }
44245 -+
44246 - survive:
44247 - /*
44248 - * If for any reason at all we couldn't handle the fault, make
44249 -diff -Nurp linux-2.6.23.15/arch/ia64/mm/init.c linux-2.6.23.15-grsec/arch/ia64/mm/init.c
44250 ---- linux-2.6.23.15/arch/ia64/mm/init.c 2007-10-09 21:31:38.000000000 +0100
44251 -+++ linux-2.6.23.15-grsec/arch/ia64/mm/init.c 2008-02-11 10:37:44.000000000 +0000
44252 -@@ -20,8 +20,8 @@
44253 - #include <linux/proc_fs.h>
44254 - #include <linux/bitops.h>
44255 - #include <linux/kexec.h>
44256 -+#include <linux/a.out.h>
44257 -
44258 --#include <asm/a.out.h>
44259 - #include <asm/dma.h>
44260 - #include <asm/ia32.h>
44261 - #include <asm/io.h>
44262 -@@ -130,8 +130,21 @@ ia64_init_addr_space (void)
44263 - vma->vm_mm = current->mm;
44264 - vma->vm_start = current->thread.rbs_bot & PAGE_MASK;
44265 - vma->vm_end = vma->vm_start + PAGE_SIZE;
44266 -- vma->vm_page_prot = protection_map[VM_DATA_DEFAULT_FLAGS & 0x7];
44267 - vma->vm_flags = VM_DATA_DEFAULT_FLAGS|VM_GROWSUP|VM_ACCOUNT;
44268 -+
44269 -+#ifdef CONFIG_PAX_PAGEEXEC
44270 -+ if (current->mm->pax_flags & MF_PAX_PAGEEXEC) {
44271 -+ vm->vm_flags &= ~VM_EXEC;
44272 -+
44273 -+#ifdef CONFIG_PAX_MPROTECT
44274 -+ if (current->mm->pax_flags & MF_PAX_MPROTECT)
44275 -+ vma->vm_flags &= ~VM_MAYEXEC;
44276 -+#endif
44277 -+
44278 -+ }
44279 -+#endif
44280 -+
44281 -+ vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
44282 - down_write(&current->mm->mmap_sem);
44283 - if (insert_vm_struct(current->mm, vma)) {
44284 - up_write(&current->mm->mmap_sem);
44285 -diff -Nurp linux-2.6.23.15/arch/mips/kernel/binfmt_elfn32.c linux-2.6.23.15-grsec/arch/mips/kernel/binfmt_elfn32.c
44286 ---- linux-2.6.23.15/arch/mips/kernel/binfmt_elfn32.c 2007-10-09 21:31:38.000000000 +0100
44287 -+++ linux-2.6.23.15-grsec/arch/mips/kernel/binfmt_elfn32.c 2008-02-11 10:37:44.000000000 +0000
44288 -@@ -50,6 +50,13 @@ typedef elf_fpreg_t elf_fpregset_t[ELF_N
44289 - #undef ELF_ET_DYN_BASE
44290 - #define ELF_ET_DYN_BASE (TASK32_SIZE / 3 * 2)
44291 -
44292 -+#ifdef CONFIG_PAX_ASLR
44293 -+#define PAX_ELF_ET_DYN_BASE ((current->thread.mflags & MF_32BIT_ADDR) ? 0x00400000UL : 0x00400000UL)
44294 -+
44295 -+#define PAX_DELTA_MMAP_LEN ((current->thread.mflags & MF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
44296 -+#define PAX_DELTA_STACK_LEN ((current->thread.mflags & MF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
44297 -+#endif
44298 -+
44299 - #include <asm/processor.h>
44300 - #include <linux/module.h>
44301 - #include <linux/elfcore.h>
44302 -diff -Nurp linux-2.6.23.15/arch/mips/kernel/binfmt_elfo32.c linux-2.6.23.15-grsec/arch/mips/kernel/binfmt_elfo32.c
44303 ---- linux-2.6.23.15/arch/mips/kernel/binfmt_elfo32.c 2007-10-09 21:31:38.000000000 +0100
44304 -+++ linux-2.6.23.15-grsec/arch/mips/kernel/binfmt_elfo32.c 2008-02-11 10:37:44.000000000 +0000
44305 -@@ -52,6 +52,13 @@ typedef elf_fpreg_t elf_fpregset_t[ELF_N
44306 - #undef ELF_ET_DYN_BASE
44307 - #define ELF_ET_DYN_BASE (TASK32_SIZE / 3 * 2)
44308 -
44309 -+#ifdef CONFIG_PAX_ASLR
44310 -+#define PAX_ELF_ET_DYN_BASE ((current->thread.mflags & MF_32BIT_ADDR) ? 0x00400000UL : 0x00400000UL)
44311 -+
44312 -+#define PAX_DELTA_MMAP_LEN ((current->thread.mflags & MF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
44313 -+#define PAX_DELTA_STACK_LEN ((current->thread.mflags & MF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
44314 -+#endif
44315 -+
44316 - #include <asm/processor.h>
44317 - #include <linux/module.h>
44318 - #include <linux/elfcore.h>
44319 -diff -Nurp linux-2.6.23.15/arch/mips/kernel/syscall.c linux-2.6.23.15-grsec/arch/mips/kernel/syscall.c
44320 ---- linux-2.6.23.15/arch/mips/kernel/syscall.c 2007-10-09 21:31:38.000000000 +0100
44321 -+++ linux-2.6.23.15-grsec/arch/mips/kernel/syscall.c 2008-02-11 10:37:44.000000000 +0000
44322 -@@ -88,6 +88,11 @@ unsigned long arch_get_unmapped_area(str
44323 - do_color_align = 0;
44324 - if (filp || (flags & MAP_SHARED))
44325 - do_color_align = 1;
44326 -+
44327 -+#ifdef CONFIG_PAX_RANDMMAP
44328 -+ if (!(current->mm->pax_flags & MF_PAX_RANDMMAP) || !filp)
44329 -+#endif
44330 -+
44331 - if (addr) {
44332 - if (do_color_align)
44333 - addr = COLOUR_ALIGN(addr, pgoff);
44334 -@@ -98,7 +103,7 @@ unsigned long arch_get_unmapped_area(str
44335 - (!vmm || addr + len <= vmm->vm_start))
44336 - return addr;
44337 - }
44338 -- addr = TASK_UNMAPPED_BASE;
44339 -+ addr = current->mm->mmap_base;
44340 - if (do_color_align)
44341 - addr = COLOUR_ALIGN(addr, pgoff);
44342 - else
44343 -diff -Nurp linux-2.6.23.15/arch/mips/mm/fault.c linux-2.6.23.15-grsec/arch/mips/mm/fault.c
44344 ---- linux-2.6.23.15/arch/mips/mm/fault.c 2007-10-09 21:31:38.000000000 +0100
44345 -+++ linux-2.6.23.15-grsec/arch/mips/mm/fault.c 2008-02-11 10:37:44.000000000 +0000
44346 -@@ -26,6 +26,23 @@
44347 - #include <asm/ptrace.h>
44348 - #include <asm/highmem.h> /* For VMALLOC_END */
44349 -
44350 -+#ifdef CONFIG_PAX_PAGEEXEC
44351 -+void pax_report_insns(void *pc)
44352 -+{
44353 -+ unsigned long i;
44354 -+
44355 -+ printk(KERN_ERR "PAX: bytes at PC: ");
44356 -+ for (i = 0; i < 5; i++) {
44357 -+ unsigned int c;
44358 -+ if (get_user(c, (unsigned int *)pc+i))
44359 -+ printk("???????? ");
44360 -+ else
44361 -+ printk("%08x ", c);
44362 -+ }
44363 -+ printk("\n");
44364 -+}
44365 -+#endif
44366 -+
44367 - /*
44368 - * This routine handles page faults. It determines the address,
44369 - * and the problem, and then passes it off to one of the appropriate
44370 -diff -Nurp linux-2.6.23.15/arch/parisc/kernel/module.c linux-2.6.23.15-grsec/arch/parisc/kernel/module.c
44371 ---- linux-2.6.23.15/arch/parisc/kernel/module.c 2007-10-09 21:31:38.000000000 +0100
44372 -+++ linux-2.6.23.15-grsec/arch/parisc/kernel/module.c 2008-02-11 10:37:44.000000000 +0000
44373 -@@ -73,16 +73,38 @@
44374 -
44375 - /* three functions to determine where in the module core
44376 - * or init pieces the location is */
44377 -+static inline int in_init_rx(struct module *me, void *loc)
44378 -+{
44379 -+ return (loc >= me->module_init_rx &&
44380 -+ loc < (me->module_init_rx + me->init_size_rx));
44381 -+}
44382 -+
44383 -+static inline int in_init_rw(struct module *me, void *loc)
44384 -+{
44385 -+ return (loc >= me->module_init_rw &&
44386 -+ loc < (me->module_init_rw + me->init_size_rw));
44387 -+}
44388 -+
44389 - static inline int in_init(struct module *me, void *loc)
44390 - {
44391 -- return (loc >= me->module_init &&
44392 -- loc <= (me->module_init + me->init_size));
44393 -+ return in_init_rx(me, loc) || in_init_rw(me, loc);
44394 -+}
44395 -+
44396 -+static inline int in_core_rx(struct module *me, void *loc)
44397 -+{
44398 -+ return (loc >= me->module_core_rx &&
44399 -+ loc < (me->module_core_rx + me->core_size_rx));
44400 -+}
44401 -+
44402 -+static inline int in_core_rw(struct module *me, void *loc)
44403 -+{
44404 -+ return (loc >= me->module_core_rw &&
44405 -+ loc < (me->module_core_rw + me->core_size_rw));
44406 - }
44407 -
44408 - static inline int in_core(struct module *me, void *loc)
44409 - {
44410 -- return (loc >= me->module_core &&
44411 -- loc <= (me->module_core + me->core_size));
44412 -+ return in_core_rx(me, loc) || in_core_rw(me, loc);
44413 - }
44414 -
44415 - static inline int in_local(struct module *me, void *loc)
44416 -@@ -296,21 +318,21 @@ int module_frob_arch_sections(CONST Elf_
44417 - }
44418 -
44419 - /* align things a bit */
44420 -- me->core_size = ALIGN(me->core_size, 16);
44421 -- me->arch.got_offset = me->core_size;
44422 -- me->core_size += gots * sizeof(struct got_entry);
44423 --
44424 -- me->core_size = ALIGN(me->core_size, 16);
44425 -- me->arch.fdesc_offset = me->core_size;
44426 -- me->core_size += fdescs * sizeof(Elf_Fdesc);
44427 --
44428 -- me->core_size = ALIGN(me->core_size, 16);
44429 -- me->arch.stub_offset = me->core_size;
44430 -- me->core_size += stubs * sizeof(struct stub_entry);
44431 --
44432 -- me->init_size = ALIGN(me->init_size, 16);
44433 -- me->arch.init_stub_offset = me->init_size;
44434 -- me->init_size += init_stubs * sizeof(struct stub_entry);
44435 -+ me->core_size_rw = ALIGN(me->core_size_rw, 16);
44436 -+ me->arch.got_offset = me->core_size_rw;
44437 -+ me->core_size_rw += gots * sizeof(struct got_entry);
44438 -+
44439 -+ me->core_size_rw = ALIGN(me->core_size_rw, 16);
44440 -+ me->arch.fdesc_offset = me->core_size_rw;
44441 -+ me->core_size_rw += fdescs * sizeof(Elf_Fdesc);
44442 -+
44443 -+ me->core_size_rx = ALIGN(me->core_size_rx, 16);
44444 -+ me->arch.stub_offset = me->core_size_rx;
44445 -+ me->core_size_rx += stubs * sizeof(struct stub_entry);
44446 -+
44447 -+ me->init_size_rx = ALIGN(me->init_size_rx, 16);
44448 -+ me->arch.init_stub_offset = me->init_size_rx;
44449 -+ me->init_size_rx += init_stubs * sizeof(struct stub_entry);
44450 -
44451 - me->arch.got_max = gots;
44452 - me->arch.fdesc_max = fdescs;
44453 -@@ -330,7 +352,7 @@ static Elf64_Word get_got(struct module
44454 -
44455 - BUG_ON(value == 0);
44456 -
44457 -- got = me->module_core + me->arch.got_offset;
44458 -+ got = me->module_core_rw + me->arch.got_offset;
44459 - for (i = 0; got[i].addr; i++)
44460 - if (got[i].addr == value)
44461 - goto out;
44462 -@@ -348,7 +370,7 @@ static Elf64_Word get_got(struct module
44463 - #ifdef CONFIG_64BIT
44464 - static Elf_Addr get_fdesc(struct module *me, unsigned long value)
44465 - {
44466 -- Elf_Fdesc *fdesc = me->module_core + me->arch.fdesc_offset;
44467 -+ Elf_Fdesc *fdesc = me->module_core_rw + me->arch.fdesc_offset;
44468 -
44469 - if (!value) {
44470 - printk(KERN_ERR "%s: zero OPD requested!\n", me->name);
44471 -@@ -366,7 +388,7 @@ static Elf_Addr get_fdesc(struct module
44472 -
44473 - /* Create new one */
44474 - fdesc->addr = value;
44475 -- fdesc->gp = (Elf_Addr)me->module_core + me->arch.got_offset;
44476 -+ fdesc->gp = (Elf_Addr)me->module_core_rw + me->arch.got_offset;
44477 - return (Elf_Addr)fdesc;
44478 - }
44479 - #endif /* CONFIG_64BIT */
44480 -@@ -386,12 +408,12 @@ static Elf_Addr get_stub(struct module *
44481 - if(init_section) {
44482 - i = me->arch.init_stub_count++;
44483 - BUG_ON(me->arch.init_stub_count > me->arch.init_stub_max);
44484 -- stub = me->module_init + me->arch.init_stub_offset +
44485 -+ stub = me->module_init_rx + me->arch.init_stub_offset +
44486 - i * sizeof(struct stub_entry);
44487 - } else {
44488 - i = me->arch.stub_count++;
44489 - BUG_ON(me->arch.stub_count > me->arch.stub_max);
44490 -- stub = me->module_core + me->arch.stub_offset +
44491 -+ stub = me->module_core_rx + me->arch.stub_offset +
44492 - i * sizeof(struct stub_entry);
44493 - }
44494 -
44495 -@@ -759,7 +781,7 @@ register_unwind_table(struct module *me,
44496 -
44497 - table = (unsigned char *)sechdrs[me->arch.unwind_section].sh_addr;
44498 - end = table + sechdrs[me->arch.unwind_section].sh_size;
44499 -- gp = (Elf_Addr)me->module_core + me->arch.got_offset;
44500 -+ gp = (Elf_Addr)me->module_core_rw + me->arch.got_offset;
44501 -
44502 - DEBUGP("register_unwind_table(), sect = %d at 0x%p - 0x%p (gp=0x%lx)\n",
44503 - me->arch.unwind_section, table, end, gp);
44504 -diff -Nurp linux-2.6.23.15/arch/parisc/kernel/sys_parisc.c linux-2.6.23.15-grsec/arch/parisc/kernel/sys_parisc.c
44505 ---- linux-2.6.23.15/arch/parisc/kernel/sys_parisc.c 2007-10-09 21:31:38.000000000 +0100
44506 -+++ linux-2.6.23.15-grsec/arch/parisc/kernel/sys_parisc.c 2008-02-11 10:37:44.000000000 +0000
44507 -@@ -111,7 +111,7 @@ unsigned long arch_get_unmapped_area(str
44508 - if (flags & MAP_FIXED)
44509 - return addr;
44510 - if (!addr)
44511 -- addr = TASK_UNMAPPED_BASE;
44512 -+ addr = current->mm->mmap_base;
44513 -
44514 - if (filp) {
44515 - addr = get_shared_area(filp->f_mapping, addr, len, pgoff);
44516 -diff -Nurp linux-2.6.23.15/arch/parisc/kernel/traps.c linux-2.6.23.15-grsec/arch/parisc/kernel/traps.c
44517 ---- linux-2.6.23.15/arch/parisc/kernel/traps.c 2007-10-09 21:31:38.000000000 +0100
44518 -+++ linux-2.6.23.15-grsec/arch/parisc/kernel/traps.c 2008-02-11 10:37:44.000000000 +0000
44519 -@@ -713,9 +713,7 @@ void handle_interruption(int code, struc
44520 -
44521 - down_read(&current->mm->mmap_sem);
44522 - vma = find_vma(current->mm,regs->iaoq[0]);
44523 -- if (vma && (regs->iaoq[0] >= vma->vm_start)
44524 -- && (vma->vm_flags & VM_EXEC)) {
44525 --
44526 -+ if (vma && (regs->iaoq[0] >= vma->vm_start)) {
44527 - fault_address = regs->iaoq[0];
44528 - fault_space = regs->iasq[0];
44529 -
44530 -diff -Nurp linux-2.6.23.15/arch/parisc/mm/fault.c linux-2.6.23.15-grsec/arch/parisc/mm/fault.c
44531 ---- linux-2.6.23.15/arch/parisc/mm/fault.c 2007-10-09 21:31:38.000000000 +0100
44532 -+++ linux-2.6.23.15-grsec/arch/parisc/mm/fault.c 2008-02-11 10:37:44.000000000 +0000
44533 -@@ -16,6 +16,8 @@
44534 - #include <linux/sched.h>
44535 - #include <linux/interrupt.h>
44536 - #include <linux/module.h>
44537 -+#include <linux/unistd.h>
44538 -+#include <linux/binfmts.h>
44539 -
44540 - #include <asm/uaccess.h>
44541 - #include <asm/traps.h>
44542 -@@ -53,7 +55,7 @@ DEFINE_PER_CPU(struct exception_data, ex
44543 - static unsigned long
44544 - parisc_acctyp(unsigned long code, unsigned int inst)
44545 - {
44546 -- if (code == 6 || code == 16)
44547 -+ if (code == 6 || code == 7 || code == 16)
44548 - return VM_EXEC;
44549 -
44550 - switch (inst & 0xf0000000) {
44551 -@@ -139,6 +141,116 @@ parisc_acctyp(unsigned long code, unsign
44552 - }
44553 - #endif
44554 -
44555 -+#ifdef CONFIG_PAX_PAGEEXEC
44556 -+/*
44557 -+ * PaX: decide what to do with offenders (instruction_pointer(regs) = fault address)
44558 -+ *
44559 -+ * returns 1 when task should be killed
44560 -+ * 2 when rt_sigreturn trampoline was detected
44561 -+ * 3 when unpatched PLT trampoline was detected
44562 -+ */
44563 -+static int pax_handle_fetch_fault(struct pt_regs *regs)
44564 -+{
44565 -+
44566 -+#ifdef CONFIG_PAX_EMUPLT
44567 -+ int err;
44568 -+
44569 -+ do { /* PaX: unpatched PLT emulation */
44570 -+ unsigned int bl, depwi;
44571 -+
44572 -+ err = get_user(bl, (unsigned int *)instruction_pointer(regs));
44573 -+ err |= get_user(depwi, (unsigned int *)(instruction_pointer(regs)+4));
44574 -+
44575 -+ if (err)
44576 -+ break;
44577 -+
44578 -+ if (bl == 0xEA9F1FDDU && depwi == 0xD6801C1EU) {
44579 -+ unsigned int ldw, bv, ldw2, addr = instruction_pointer(regs)-12;
44580 -+
44581 -+ err = get_user(ldw, (unsigned int *)addr);
44582 -+ err |= get_user(bv, (unsigned int *)(addr+4));
44583 -+ err |= get_user(ldw2, (unsigned int *)(addr+8));
44584 -+
44585 -+ if (err)
44586 -+ break;
44587 -+
44588 -+ if (ldw == 0x0E801096U &&
44589 -+ bv == 0xEAC0C000U &&
44590 -+ ldw2 == 0x0E881095U)
44591 -+ {
44592 -+ unsigned int resolver, map;
44593 -+
44594 -+ err = get_user(resolver, (unsigned int *)(instruction_pointer(regs)+8));
44595 -+ err |= get_user(map, (unsigned int *)(instruction_pointer(regs)+12));
44596 -+ if (err)
44597 -+ break;
44598 -+
44599 -+ regs->gr[20] = instruction_pointer(regs)+8;
44600 -+ regs->gr[21] = map;
44601 -+ regs->gr[22] = resolver;
44602 -+ regs->iaoq[0] = resolver | 3UL;
44603 -+ regs->iaoq[1] = regs->iaoq[0] + 4;
44604 -+ return 3;
44605 -+ }
44606 -+ }
44607 -+ } while (0);
44608 -+#endif
44609 -+
44610 -+#ifdef CONFIG_PAX_EMUTRAMP
44611 -+
44612 -+#ifndef CONFIG_PAX_EMUSIGRT
44613 -+ if (!(current->mm->pax_flags & MF_PAX_EMUTRAMP))
44614 -+ return 1;
44615 -+#endif
44616 -+
44617 -+ do { /* PaX: rt_sigreturn emulation */
44618 -+ unsigned int ldi1, ldi2, bel, nop;
44619 -+
44620 -+ err = get_user(ldi1, (unsigned int *)instruction_pointer(regs));
44621 -+ err |= get_user(ldi2, (unsigned int *)(instruction_pointer(regs)+4));
44622 -+ err |= get_user(bel, (unsigned int *)(instruction_pointer(regs)+8));
44623 -+ err |= get_user(nop, (unsigned int *)(instruction_pointer(regs)+12));
44624 -+
44625 -+ if (err)
44626 -+ break;
44627 -+
44628 -+ if ((ldi1 == 0x34190000U || ldi1 == 0x34190002U) &&
44629 -+ ldi2 == 0x3414015AU &&
44630 -+ bel == 0xE4008200U &&
44631 -+ nop == 0x08000240U)
44632 -+ {
44633 -+ regs->gr[25] = (ldi1 & 2) >> 1;
44634 -+ regs->gr[20] = __NR_rt_sigreturn;
44635 -+ regs->gr[31] = regs->iaoq[1] + 16;
44636 -+ regs->sr[0] = regs->iasq[1];
44637 -+ regs->iaoq[0] = 0x100UL;
44638 -+ regs->iaoq[1] = regs->iaoq[0] + 4;
44639 -+ regs->iasq[0] = regs->sr[2];
44640 -+ regs->iasq[1] = regs->sr[2];
44641 -+ return 2;
44642 -+ }
44643 -+ } while (0);
44644 -+#endif
44645 -+
44646 -+ return 1;
44647 -+}
44648 -+
44649 -+void pax_report_insns(void *pc, void *sp)
44650 -+{
44651 -+ unsigned long i;
44652 -+
44653 -+ printk(KERN_ERR "PAX: bytes at PC: ");
44654 -+ for (i = 0; i < 5; i++) {
44655 -+ unsigned int c;
44656 -+ if (get_user(c, (unsigned int *)pc+i))
44657 -+ printk("???????? ");
44658 -+ else
44659 -+ printk("%08x ", c);
44660 -+ }
44661 -+ printk("\n");
44662 -+}
44663 -+#endif
44664 -+
44665 - void do_page_fault(struct pt_regs *regs, unsigned long code,
44666 - unsigned long address)
44667 - {
44668 -@@ -165,8 +277,33 @@ good_area:
44669 -
44670 - acc_type = parisc_acctyp(code,regs->iir);
44671 -
44672 -- if ((vma->vm_flags & acc_type) != acc_type)
44673 -+ if ((vma->vm_flags & acc_type) != acc_type) {
44674 -+
44675 -+#ifdef CONFIG_PAX_PAGEEXEC
44676 -+ if ((mm->pax_flags & MF_PAX_PAGEEXEC) && (acc_type & VM_EXEC) &&
44677 -+ (address & ~3UL) == instruction_pointer(regs))
44678 -+ {
44679 -+ up_read(&mm->mmap_sem);
44680 -+ switch (pax_handle_fetch_fault(regs)) {
44681 -+
44682 -+#ifdef CONFIG_PAX_EMUPLT
44683 -+ case 3:
44684 -+ return;
44685 -+#endif
44686 -+
44687 -+#ifdef CONFIG_PAX_EMUTRAMP
44688 -+ case 2:
44689 -+ return;
44690 -+#endif
44691 -+
44692 -+ }
44693 -+ pax_report_fault(regs, (void *)instruction_pointer(regs), (void *)regs->gr[30]);
44694 -+ do_exit(SIGKILL);
44695 -+ }
44696 -+#endif
44697 -+
44698 - goto bad_area;
44699 -+ }
44700 -
44701 - /*
44702 - * If for any reason at all we couldn't handle the fault, make
44703 -diff -Nurp linux-2.6.23.15/arch/powerpc/kernel/module_32.c linux-2.6.23.15-grsec/arch/powerpc/kernel/module_32.c
44704 ---- linux-2.6.23.15/arch/powerpc/kernel/module_32.c 2007-10-09 21:31:38.000000000 +0100
44705 -+++ linux-2.6.23.15-grsec/arch/powerpc/kernel/module_32.c 2008-02-11 10:37:44.000000000 +0000
44706 -@@ -126,7 +126,7 @@ int module_frob_arch_sections(Elf32_Ehdr
44707 - me->arch.core_plt_section = i;
44708 - }
44709 - if (!me->arch.core_plt_section || !me->arch.init_plt_section) {
44710 -- printk("Module doesn't contain .plt or .init.plt sections.\n");
44711 -+ printk("Module %s doesn't contain .plt or .init.plt sections.\n", me->name);
44712 - return -ENOEXEC;
44713 - }
44714 -
44715 -@@ -167,11 +167,16 @@ static uint32_t do_plt_call(void *locati
44716 -
44717 - DEBUGP("Doing plt for call to 0x%x at 0x%x\n", val, (unsigned int)location);
44718 - /* Init, or core PLT? */
44719 -- if (location >= mod->module_core
44720 -- && location < mod->module_core + mod->core_size)
44721 -+ if ((location >= mod->module_core_rx && location < mod->module_core_rx + mod->core_size_rx) ||
44722 -+ (location >= mod->module_core_rw && location < mod->module_core_rw + mod->core_size_rw))
44723 - entry = (void *)sechdrs[mod->arch.core_plt_section].sh_addr;
44724 -- else
44725 -+ else if ((location >= mod->module_init_rx && location < mod->module_init_rx + mod->init_size_rx) ||
44726 -+ (location >= mod->module_init_rw && location < mod->module_init_rw + mod->init_size_rw))
44727 - entry = (void *)sechdrs[mod->arch.init_plt_section].sh_addr;
44728 -+ else {
44729 -+ printk(KERN_ERR "%s: invalid R_PPC_REL24 entry found\n", mod->name);
44730 -+ return ~0UL;
44731 -+ }
44732 -
44733 - /* Find this entry, or if that fails, the next avail. entry */
44734 - while (entry->jump[0]) {
44735 -diff -Nurp linux-2.6.23.15/arch/powerpc/kernel/signal_32.c linux-2.6.23.15-grsec/arch/powerpc/kernel/signal_32.c
44736 ---- linux-2.6.23.15/arch/powerpc/kernel/signal_32.c 2007-10-09 21:31:38.000000000 +0100
44737 -+++ linux-2.6.23.15-grsec/arch/powerpc/kernel/signal_32.c 2008-02-11 10:37:44.000000000 +0000
44738 -@@ -728,7 +728,7 @@ int handle_rt_signal32(unsigned long sig
44739 -
44740 - /* Save user registers on the stack */
44741 - frame = &rt_sf->uc.uc_mcontext;
44742 -- if (vdso32_rt_sigtramp && current->mm->context.vdso_base) {
44743 -+ if (vdso32_rt_sigtramp && current->mm->context.vdso_base != ~0UL) {
44744 - if (save_user_regs(regs, frame, 0))
44745 - goto badframe;
44746 - regs->link = current->mm->context.vdso_base + vdso32_rt_sigtramp;
44747 -diff -Nurp linux-2.6.23.15/arch/powerpc/kernel/signal_64.c linux-2.6.23.15-grsec/arch/powerpc/kernel/signal_64.c
44748 ---- linux-2.6.23.15/arch/powerpc/kernel/signal_64.c 2007-10-09 21:31:38.000000000 +0100
44749 -+++ linux-2.6.23.15-grsec/arch/powerpc/kernel/signal_64.c 2008-02-11 10:37:44.000000000 +0000
44750 -@@ -359,7 +359,7 @@ int handle_rt_signal64(int signr, struct
44751 - current->thread.fpscr.val = 0;
44752 -
44753 - /* Set up to return from userspace. */
44754 -- if (vdso64_rt_sigtramp && current->mm->context.vdso_base) {
44755 -+ if (vdso64_rt_sigtramp && current->mm->context.vdso_base != ~0UL) {
44756 - regs->link = current->mm->context.vdso_base + vdso64_rt_sigtramp;
44757 - } else {
44758 - err |= setup_trampoline(__NR_rt_sigreturn, &frame->tramp[0]);
44759 -diff -Nurp linux-2.6.23.15/arch/powerpc/kernel/vdso.c linux-2.6.23.15-grsec/arch/powerpc/kernel/vdso.c
44760 ---- linux-2.6.23.15/arch/powerpc/kernel/vdso.c 2007-10-09 21:31:38.000000000 +0100
44761 -+++ linux-2.6.23.15-grsec/arch/powerpc/kernel/vdso.c 2008-02-11 10:37:44.000000000 +0000
44762 -@@ -211,7 +211,7 @@ int arch_setup_additional_pages(struct l
44763 - vdso_base = VDSO32_MBASE;
44764 - #endif
44765 -
44766 -- current->mm->context.vdso_base = 0;
44767 -+ current->mm->context.vdso_base = ~0UL;
44768 -
44769 - /* vDSO has a problem and was disabled, just don't "enable" it for the
44770 - * process
44771 -@@ -228,7 +228,7 @@ int arch_setup_additional_pages(struct l
44772 - */
44773 - down_write(&mm->mmap_sem);
44774 - vdso_base = get_unmapped_area(NULL, vdso_base,
44775 -- vdso_pages << PAGE_SHIFT, 0, 0);
44776 -+ vdso_pages << PAGE_SHIFT, 0, MAP_PRIVATE | MAP_EXECUTABLE);
44777 - if (IS_ERR_VALUE(vdso_base)) {
44778 - rc = vdso_base;
44779 - goto fail_mmapsem;
44780 -diff -Nurp linux-2.6.23.15/arch/powerpc/mm/fault.c linux-2.6.23.15-grsec/arch/powerpc/mm/fault.c
44781 ---- linux-2.6.23.15/arch/powerpc/mm/fault.c 2007-10-09 21:31:38.000000000 +0100
44782 -+++ linux-2.6.23.15-grsec/arch/powerpc/mm/fault.c 2008-02-11 10:37:44.000000000 +0000
44783 -@@ -29,6 +29,12 @@
44784 - #include <linux/module.h>
44785 - #include <linux/kprobes.h>
44786 - #include <linux/kdebug.h>
44787 -+#include <linux/binfmts.h>
44788 -+#include <linux/slab.h>
44789 -+#include <linux/pagemap.h>
44790 -+#include <linux/compiler.h>
44791 -+#include <linux/binfmts.h>
44792 -+#include <linux/unistd.h>
44793 -
44794 - #include <asm/page.h>
44795 - #include <asm/pgtable.h>
44796 -@@ -62,6 +68,364 @@ static inline int notify_page_fault(stru
44797 - }
44798 - #endif
44799 -
44800 -+#ifdef CONFIG_PAX_EMUSIGRT
44801 -+void pax_syscall_close(struct vm_area_struct *vma)
44802 -+{
44803 -+ vma->vm_mm->call_syscall = 0UL;
44804 -+}
44805 -+
44806 -+static struct page *pax_syscall_nopage(struct vm_area_struct *vma, unsigned long address, int *type)
44807 -+{
44808 -+ struct page *page;
44809 -+ unsigned int *kaddr;
44810 -+
44811 -+ page = alloc_page(GFP_HIGHUSER);
44812 -+ if (!page)
44813 -+ return NOPAGE_OOM;
44814 -+
44815 -+ kaddr = kmap(page);
44816 -+ memset(kaddr, 0, PAGE_SIZE);
44817 -+ kaddr[0] = 0x44000002U; /* sc */
44818 -+ __flush_dcache_icache(kaddr);
44819 -+ kunmap(page);
44820 -+ if (type)
44821 -+ *type = VM_FAULT_MAJOR;
44822 -+ return page;
44823 -+}
44824 -+
44825 -+static struct vm_operations_struct pax_vm_ops = {
44826 -+ .close = pax_syscall_close,
44827 -+ .nopage = pax_syscall_nopage,
44828 -+};
44829 -+
44830 -+static int pax_insert_vma(struct vm_area_struct *vma, unsigned long addr)
44831 -+{
44832 -+ int ret;
44833 -+
44834 -+ memset(vma, 0, sizeof(*vma));
44835 -+ vma->vm_mm = current->mm;
44836 -+ vma->vm_start = addr;
44837 -+ vma->vm_end = addr + PAGE_SIZE;
44838 -+ vma->vm_flags = VM_READ | VM_EXEC | VM_MAYREAD | VM_MAYEXEC;
44839 -+ vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
44840 -+ vma->vm_ops = &pax_vm_ops;
44841 -+
44842 -+ ret = insert_vm_struct(current->mm, vma);
44843 -+ if (ret)
44844 -+ return ret;
44845 -+
44846 -+ ++current->mm->total_vm;
44847 -+ return 0;
44848 -+}
44849 -+#endif
44850 -+
44851 -+#ifdef CONFIG_PAX_PAGEEXEC
44852 -+/*
44853 -+ * PaX: decide what to do with offenders (regs->nip = fault address)
44854 -+ *
44855 -+ * returns 1 when task should be killed
44856 -+ * 2 when patched GOT trampoline was detected
44857 -+ * 3 when patched PLT trampoline was detected
44858 -+ * 4 when unpatched PLT trampoline was detected
44859 -+ * 5 when sigreturn trampoline was detected
44860 -+ * 6 when rt_sigreturn trampoline was detected
44861 -+ */
44862 -+static int pax_handle_fetch_fault(struct pt_regs *regs)
44863 -+{
44864 -+
44865 -+#if defined(CONFIG_PAX_EMUPLT) || defined(CONFIG_PAX_EMUSIGRT)
44866 -+ int err;
44867 -+#endif
44868 -+
44869 -+#ifdef CONFIG_PAX_EMUPLT
44870 -+ do { /* PaX: patched GOT emulation */
44871 -+ unsigned int blrl;
44872 -+
44873 -+ err = get_user(blrl, (unsigned int *)regs->nip);
44874 -+
44875 -+ if (!err && blrl == 0x4E800021U) {
44876 -+ unsigned long temp = regs->nip;
44877 -+
44878 -+ regs->nip = regs->link & 0xFFFFFFFCUL;
44879 -+ regs->link = temp + 4UL;
44880 -+ return 2;
44881 -+ }
44882 -+ } while (0);
44883 -+
44884 -+ do { /* PaX: patched PLT emulation #1 */
44885 -+ unsigned int b;
44886 -+
44887 -+ err = get_user(b, (unsigned int *)regs->nip);
44888 -+
44889 -+ if (!err && (b & 0xFC000003U) == 0x48000000U) {
44890 -+ regs->nip += (((b | 0xFC000000UL) ^ 0x02000000UL) + 0x02000000UL);
44891 -+ return 3;
44892 -+ }
44893 -+ } while (0);
44894 -+
44895 -+ do { /* PaX: unpatched PLT emulation #1 */
44896 -+ unsigned int li, b;
44897 -+
44898 -+ err = get_user(li, (unsigned int *)regs->nip);
44899 -+ err |= get_user(b, (unsigned int *)(regs->nip+4));
44900 -+
44901 -+ if (!err && (li & 0xFFFF0000U) == 0x39600000U && (b & 0xFC000003U) == 0x48000000U) {
44902 -+ unsigned int rlwinm, add, li2, addis2, mtctr, li3, addis3, bctr;
44903 -+ unsigned long addr = b | 0xFC000000UL;
44904 -+
44905 -+ addr = regs->nip + 4 + ((addr ^ 0x02000000UL) + 0x02000000UL);
44906 -+ err = get_user(rlwinm, (unsigned int *)addr);
44907 -+ err |= get_user(add, (unsigned int *)(addr+4));
44908 -+ err |= get_user(li2, (unsigned int *)(addr+8));
44909 -+ err |= get_user(addis2, (unsigned int *)(addr+12));
44910 -+ err |= get_user(mtctr, (unsigned int *)(addr+16));
44911 -+ err |= get_user(li3, (unsigned int *)(addr+20));
44912 -+ err |= get_user(addis3, (unsigned int *)(addr+24));
44913 -+ err |= get_user(bctr, (unsigned int *)(addr+28));
44914 -+
44915 -+ if (err)
44916 -+ break;
44917 -+
44918 -+ if (rlwinm == 0x556C083CU &&
44919 -+ add == 0x7D6C5A14U &&
44920 -+ (li2 & 0xFFFF0000U) == 0x39800000U &&
44921 -+ (addis2 & 0xFFFF0000U) == 0x3D8C0000U &&
44922 -+ mtctr == 0x7D8903A6U &&
44923 -+ (li3 & 0xFFFF0000U) == 0x39800000U &&
44924 -+ (addis3 & 0xFFFF0000U) == 0x3D8C0000U &&
44925 -+ bctr == 0x4E800420U)
44926 -+ {
44927 -+ regs->gpr[PT_R11] = 3 * (((li | 0xFFFF0000UL) ^ 0x00008000UL) + 0x00008000UL);
44928 -+ regs->gpr[PT_R12] = (((li3 | 0xFFFF0000UL) ^ 0x00008000UL) + 0x00008000UL);
44929 -+ regs->gpr[PT_R12] += (addis3 & 0xFFFFU) << 16;
44930 -+ regs->ctr = (((li2 | 0xFFFF0000UL) ^ 0x00008000UL) + 0x00008000UL);
44931 -+ regs->ctr += (addis2 & 0xFFFFU) << 16;
44932 -+ regs->nip = regs->ctr;
44933 -+ return 4;
44934 -+ }
44935 -+ }
44936 -+ } while (0);
44937 -+
44938 -+#if 0
44939 -+ do { /* PaX: unpatched PLT emulation #2 */
44940 -+ unsigned int lis, lwzu, b, bctr;
44941 -+
44942 -+ err = get_user(lis, (unsigned int *)regs->nip);
44943 -+ err |= get_user(lwzu, (unsigned int *)(regs->nip+4));
44944 -+ err |= get_user(b, (unsigned int *)(regs->nip+8));
44945 -+ err |= get_user(bctr, (unsigned int *)(regs->nip+12));
44946 -+
44947 -+ if (err)
44948 -+ break;
44949 -+
44950 -+ if ((lis & 0xFFFF0000U) == 0x39600000U &&
44951 -+ (lwzu & 0xU) == 0xU &&
44952 -+ (b & 0xFC000003U) == 0x48000000U &&
44953 -+ bctr == 0x4E800420U)
44954 -+ {
44955 -+ unsigned int addis, addi, rlwinm, add, li2, addis2, mtctr, li3, addis3, bctr;
44956 -+ unsigned long addr = b | 0xFC000000UL;
44957 -+
44958 -+ addr = regs->nip + 12 + ((addr ^ 0x02000000UL) + 0x02000000UL);
44959 -+ err = get_user(addis, (unsigned int*)addr);
44960 -+ err |= get_user(addi, (unsigned int*)(addr+4));
44961 -+ err |= get_user(rlwinm, (unsigned int*)(addr+8));
44962 -+ err |= get_user(add, (unsigned int*)(addr+12));
44963 -+ err |= get_user(li2, (unsigned int*)(addr+16));
44964 -+ err |= get_user(addis2, (unsigned int*)(addr+20));
44965 -+ err |= get_user(mtctr, (unsigned int*)(addr+24));
44966 -+ err |= get_user(li3, (unsigned int*)(addr+28));
44967 -+ err |= get_user(addis3, (unsigned int*)(addr+32));
44968 -+ err |= get_user(bctr, (unsigned int*)(addr+36));
44969 -+
44970 -+ if (err)
44971 -+ break;
44972 -+
44973 -+ if ((addis & 0xFFFF0000U) == 0x3D6B0000U &&
44974 -+ (addi & 0xFFFF0000U) == 0x396B0000U &&
44975 -+ rlwinm == 0x556C083CU &&
44976 -+ add == 0x7D6C5A14U &&
44977 -+ (li2 & 0xFFFF0000U) == 0x39800000U &&
44978 -+ (addis2 & 0xFFFF0000U) == 0x3D8C0000U &&
44979 -+ mtctr == 0x7D8903A6U &&
44980 -+ (li3 & 0xFFFF0000U) == 0x39800000U &&
44981 -+ (addis3 & 0xFFFF0000U) == 0x3D8C0000U &&
44982 -+ bctr == 0x4E800420U)
44983 -+ {
44984 -+ regs->gpr[PT_R11] =
44985 -+ regs->gpr[PT_R11] = 3 * (((li | 0xFFFF0000UL) ^ 0x00008000UL) + 0x00008000UL);
44986 -+ regs->gpr[PT_R12] = (((li3 | 0xFFFF0000UL) ^ 0x00008000UL) + 0x00008000UL);
44987 -+ regs->gpr[PT_R12] += (addis3 & 0xFFFFU) << 16;
44988 -+ regs->ctr = (((li2 | 0xFFFF0000UL) ^ 0x00008000UL) + 0x00008000UL);
44989 -+ regs->ctr += (addis2 & 0xFFFFU) << 16;
44990 -+ regs->nip = regs->ctr;
44991 -+ return 4;
44992 -+ }
44993 -+ }
44994 -+ } while (0);
44995 -+#endif
44996 -+
44997 -+ do { /* PaX: unpatched PLT emulation #3 */
44998 -+ unsigned int li, b;
44999 -+
45000 -+ err = get_user(li, (unsigned int *)regs->nip);
45001 -+ err |= get_user(b, (unsigned int *)(regs->nip+4));
45002 -+
45003 -+ if (!err && (li & 0xFFFF0000U) == 0x39600000U && (b & 0xFC000003U) == 0x48000000U) {
45004 -+ unsigned int addis, lwz, mtctr, bctr;
45005 -+ unsigned long addr = b | 0xFC000000UL;
45006 -+
45007 -+ addr = regs->nip + 4 + ((addr ^ 0x02000000UL) + 0x02000000UL);
45008 -+ err = get_user(addis, (unsigned int *)addr);
45009 -+ err |= get_user(lwz, (unsigned int *)(addr+4));
45010 -+ err |= get_user(mtctr, (unsigned int *)(addr+8));
45011 -+ err |= get_user(bctr, (unsigned int *)(addr+12));
45012 -+
45013 -+ if (err)
45014 -+ break;
45015 -+
45016 -+ if ((addis & 0xFFFF0000U) == 0x3D6B0000U &&
45017 -+ (lwz & 0xFFFF0000U) == 0x816B0000U &&
45018 -+ mtctr == 0x7D6903A6U &&
45019 -+ bctr == 0x4E800420U)
45020 -+ {
45021 -+ unsigned int r11;
45022 -+
45023 -+ addr = (addis << 16) + (((li | 0xFFFF0000UL) ^ 0x00008000UL) + 0x00008000UL);
45024 -+ addr += (((lwz | 0xFFFF0000UL) ^ 0x00008000UL) + 0x00008000UL);
45025 -+
45026 -+ err = get_user(r11, (unsigned int *)addr);
45027 -+ if (err)
45028 -+ break;
45029 -+
45030 -+ regs->gpr[PT_R11] = r11;
45031 -+ regs->ctr = r11;
45032 -+ regs->nip = r11;
45033 -+ return 4;
45034 -+ }
45035 -+ }
45036 -+ } while (0);
45037 -+#endif
45038 -+
45039 -+#ifdef CONFIG_PAX_EMUSIGRT
45040 -+ do { /* PaX: sigreturn emulation */
45041 -+ unsigned int li, sc;
45042 -+
45043 -+ err = get_user(li, (unsigned int *)regs->nip);
45044 -+ err |= get_user(sc, (unsigned int *)(regs->nip+4));
45045 -+
45046 -+ if (!err && li == 0x38000000U + __NR_sigreturn && sc == 0x44000002U) {
45047 -+ struct vm_area_struct *vma;
45048 -+ unsigned long call_syscall;
45049 -+
45050 -+ down_read(&current->mm->mmap_sem);
45051 -+ call_syscall = current->mm->call_syscall;
45052 -+ up_read(&current->mm->mmap_sem);
45053 -+ if (likely(call_syscall))
45054 -+ goto emulate;
45055 -+
45056 -+ vma = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
45057 -+
45058 -+ down_write(&current->mm->mmap_sem);
45059 -+ if (current->mm->call_syscall) {
45060 -+ call_syscall = current->mm->call_syscall;
45061 -+ up_write(&current->mm->mmap_sem);
45062 -+ if (vma) kmem_cache_free(vm_area_cachep, vma);
45063 -+ goto emulate;
45064 -+ }
45065 -+
45066 -+ call_syscall = get_unmapped_area(NULL, 0UL, PAGE_SIZE, 0UL, MAP_PRIVATE);
45067 -+ if (!vma || (call_syscall & ~PAGE_MASK)) {
45068 -+ up_write(&current->mm->mmap_sem);
45069 -+ if (vma) kmem_cache_free(vm_area_cachep, vma);
45070 -+ return 1;
45071 -+ }
45072 -+
45073 -+ if (pax_insert_vma(vma, call_syscall)) {
45074 -+ up_write(&current->mm->mmap_sem);
45075 -+ kmem_cache_free(vm_area_cachep, vma);
45076 -+ return 1;
45077 -+ }
45078 -+
45079 -+ current->mm->call_syscall = call_syscall;
45080 -+ up_write(&current->mm->mmap_sem);
45081 -+
45082 -+emulate:
45083 -+ regs->gpr[PT_R0] = __NR_sigreturn;
45084 -+ regs->nip = call_syscall;
45085 -+ return 5;
45086 -+ }
45087 -+ } while (0);
45088 -+
45089 -+ do { /* PaX: rt_sigreturn emulation */
45090 -+ unsigned int li, sc;
45091 -+
45092 -+ err = get_user(li, (unsigned int *)regs->nip);
45093 -+ err |= get_user(sc, (unsigned int *)(regs->nip+4));
45094 -+
45095 -+ if (!err && li == 0x38000000U + __NR_rt_sigreturn && sc == 0x44000002U) {
45096 -+ struct vm_area_struct *vma;
45097 -+ unsigned int call_syscall;
45098 -+
45099 -+ down_read(&current->mm->mmap_sem);
45100 -+ call_syscall = current->mm->call_syscall;
45101 -+ up_read(&current->mm->mmap_sem);
45102 -+ if (likely(call_syscall))
45103 -+ goto rt_emulate;
45104 -+
45105 -+ vma = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
45106 -+
45107 -+ down_write(&current->mm->mmap_sem);
45108 -+ if (current->mm->call_syscall) {
45109 -+ call_syscall = current->mm->call_syscall;
45110 -+ up_write(&current->mm->mmap_sem);
45111 -+ if (vma) kmem_cache_free(vm_area_cachep, vma);
45112 -+ goto rt_emulate;
45113 -+ }
45114 -+
45115 -+ call_syscall = get_unmapped_area(NULL, 0UL, PAGE_SIZE, 0UL, MAP_PRIVATE);
45116 -+ if (!vma || (call_syscall & ~PAGE_MASK)) {
45117 -+ up_write(&current->mm->mmap_sem);
45118 -+ if (vma) kmem_cache_free(vm_area_cachep, vma);
45119 -+ return 1;
45120 -+ }
45121 -+
45122 -+ if (pax_insert_vma(vma, call_syscall)) {
45123 -+ up_write(&current->mm->mmap_sem);
45124 -+ kmem_cache_free(vm_area_cachep, vma);
45125 -+ return 1;
45126 -+ }
45127 -+
45128 -+ current->mm->call_syscall = call_syscall;
45129 -+ up_write(&current->mm->mmap_sem);
45130 -+
45131 -+rt_emulate:
45132 -+ regs->gpr[PT_R0] = __NR_rt_sigreturn;
45133 -+ regs->nip = call_syscall;
45134 -+ return 6;
45135 -+ }
45136 -+ } while (0);
45137 -+#endif
45138 -+
45139 -+ return 1;
45140 -+}
45141 -+
45142 -+void pax_report_insns(void *pc, void *sp)
45143 -+{
45144 -+ unsigned long i;
45145 -+
45146 -+ printk(KERN_ERR "PAX: bytes at PC: ");
45147 -+ for (i = 0; i < 5; i++) {
45148 -+ unsigned int c;
45149 -+ if (get_user(c, (unsigned int *)pc+i))
45150 -+ printk("???????? ");
45151 -+ else
45152 -+ printk("%08x ", c);
45153 -+ }
45154 -+ printk("\n");
45155 -+}
45156 -+#endif
45157 -+
45158 - /*
45159 - * Check whether the instruction at regs->nip is a store using
45160 - * an update addressing form which will update r1.
45161 -@@ -157,7 +521,7 @@ int __kprobes do_page_fault(struct pt_re
45162 - * indicate errors in DSISR but can validly be set in SRR1.
45163 - */
45164 - if (trap == 0x400)
45165 -- error_code &= 0x48200000;
45166 -+ error_code &= 0x58200000;
45167 - else
45168 - is_write = error_code & DSISR_ISSTORE;
45169 - #else
45170 -@@ -357,6 +721,37 @@ bad_area:
45171 - bad_area_nosemaphore:
45172 - /* User mode accesses cause a SIGSEGV */
45173 - if (user_mode(regs)) {
45174 -+
45175 -+#ifdef CONFIG_PAX_PAGEEXEC
45176 -+ if (mm->pax_flags & MF_PAX_PAGEEXEC) {
45177 -+#ifdef CONFIG_PPC64
45178 -+ if (is_exec && (error_code & DSISR_PROTFAULT)) {
45179 -+#else
45180 -+ if (is_exec && regs->nip == address) {
45181 -+#endif
45182 -+ switch (pax_handle_fetch_fault(regs)) {
45183 -+
45184 -+#ifdef CONFIG_PAX_EMUPLT
45185 -+ case 2:
45186 -+ case 3:
45187 -+ case 4:
45188 -+ return 0;
45189 -+#endif
45190 -+
45191 -+#ifdef CONFIG_PAX_EMUSIGRT
45192 -+ case 5:
45193 -+ case 6:
45194 -+ return 0;
45195 -+#endif
45196 -+
45197 -+ }
45198 -+
45199 -+ pax_report_fault(regs, (void*)regs->nip, (void*)regs->gpr[PT_R1]);
45200 -+ do_exit(SIGKILL);
45201 -+ }
45202 -+ }
45203 -+#endif
45204 -+
45205 - _exception(SIGSEGV, regs, code, address);
45206 - return 0;
45207 - }
45208 -diff -Nurp linux-2.6.23.15/arch/powerpc/mm/mmap.c linux-2.6.23.15-grsec/arch/powerpc/mm/mmap.c
45209 ---- linux-2.6.23.15/arch/powerpc/mm/mmap.c 2007-10-09 21:31:38.000000000 +0100
45210 -+++ linux-2.6.23.15-grsec/arch/powerpc/mm/mmap.c 2008-02-11 10:37:44.000000000 +0000
45211 -@@ -75,10 +75,22 @@ void arch_pick_mmap_layout(struct mm_str
45212 - */
45213 - if (mmap_is_legacy()) {
45214 - mm->mmap_base = TASK_UNMAPPED_BASE;
45215 -+
45216 -+#ifdef CONFIG_PAX_RANDMMAP
45217 -+ if (mm->pax_flags & MF_PAX_RANDMMAP)
45218 -+ mm->mmap_base += mm->delta_mmap;
45219 -+#endif
45220 -+
45221 - mm->get_unmapped_area = arch_get_unmapped_area;
45222 - mm->unmap_area = arch_unmap_area;
45223 - } else {
45224 - mm->mmap_base = mmap_base();
45225 -+
45226 -+#ifdef CONFIG_PAX_RANDMMAP
45227 -+ if (mm->pax_flags & MF_PAX_RANDMMAP)
45228 -+ mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
45229 -+#endif
45230 -+
45231 - mm->get_unmapped_area = arch_get_unmapped_area_topdown;
45232 - mm->unmap_area = arch_unmap_area_topdown;
45233 - }
45234 -diff -Nurp linux-2.6.23.15/arch/ppc/mm/fault.c linux-2.6.23.15-grsec/arch/ppc/mm/fault.c
45235 ---- linux-2.6.23.15/arch/ppc/mm/fault.c 2007-10-09 21:31:38.000000000 +0100
45236 -+++ linux-2.6.23.15-grsec/arch/ppc/mm/fault.c 2008-02-11 10:37:44.000000000 +0000
45237 -@@ -25,6 +25,11 @@
45238 - #include <linux/interrupt.h>
45239 - #include <linux/highmem.h>
45240 - #include <linux/module.h>
45241 -+#include <linux/slab.h>
45242 -+#include <linux/pagemap.h>
45243 -+#include <linux/compiler.h>
45244 -+#include <linux/binfmts.h>
45245 -+#include <linux/unistd.h>
45246 -
45247 - #include <asm/page.h>
45248 - #include <asm/pgtable.h>
45249 -@@ -48,6 +53,364 @@ unsigned long pte_misses; /* updated by
45250 - unsigned long pte_errors; /* updated by do_page_fault() */
45251 - unsigned int probingmem;
45252 -
45253 -+#ifdef CONFIG_PAX_EMUSIGRT
45254 -+void pax_syscall_close(struct vm_area_struct *vma)
45255 -+{
45256 -+ vma->vm_mm->call_syscall = 0UL;
45257 -+}
45258 -+
45259 -+static struct page *pax_syscall_nopage(struct vm_area_struct *vma, unsigned long address, int *type)
45260 -+{
45261 -+ struct page *page;
45262 -+ unsigned int *kaddr;
45263 -+
45264 -+ page = alloc_page(GFP_HIGHUSER);
45265 -+ if (!page)
45266 -+ return NOPAGE_OOM;
45267 -+
45268 -+ kaddr = kmap(page);
45269 -+ memset(kaddr, 0, PAGE_SIZE);
45270 -+ kaddr[0] = 0x44000002U; /* sc */
45271 -+ __flush_dcache_icache(kaddr);
45272 -+ kunmap(page);
45273 -+ if (type)
45274 -+ *type = VM_FAULT_MAJOR;
45275 -+ return page;
45276 -+}
45277 -+
45278 -+static struct vm_operations_struct pax_vm_ops = {
45279 -+ .close = pax_syscall_close,
45280 -+ .nopage = pax_syscall_nopage,
45281 -+};
45282 -+
45283 -+static int pax_insert_vma(struct vm_area_struct *vma, unsigned long addr)
45284 -+{
45285 -+ int ret;
45286 -+
45287 -+ memset(vma, 0, sizeof(*vma));
45288 -+ vma->vm_mm = current->mm;
45289 -+ vma->vm_start = addr;
45290 -+ vma->vm_end = addr + PAGE_SIZE;
45291 -+ vma->vm_flags = VM_READ | VM_EXEC | VM_MAYREAD | VM_MAYEXEC;
45292 -+ vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
45293 -+ vma->vm_ops = &pax_vm_ops;
45294 -+
45295 -+ ret = insert_vm_struct(current->mm, vma);
45296 -+ if (ret)
45297 -+ return ret;
45298 -+
45299 -+ ++current->mm->total_vm;
45300 -+ return 0;
45301 -+}
45302 -+#endif
45303 -+
45304 -+#ifdef CONFIG_PAX_PAGEEXEC
45305 -+/*
45306 -+ * PaX: decide what to do with offenders (regs->nip = fault address)
45307 -+ *
45308 -+ * returns 1 when task should be killed
45309 -+ * 2 when patched GOT trampoline was detected
45310 -+ * 3 when patched PLT trampoline was detected
45311 -+ * 4 when unpatched PLT trampoline was detected
45312 -+ * 5 when sigreturn trampoline was detected
45313 -+ * 6 when rt_sigreturn trampoline was detected
45314 -+ */
45315 -+static int pax_handle_fetch_fault(struct pt_regs *regs)
45316 -+{
45317 -+
45318 -+#if defined(CONFIG_PAX_EMUPLT) || defined(CONFIG_PAX_EMUSIGRT)
45319 -+ int err;
45320 -+#endif
45321 -+
45322 -+#ifdef CONFIG_PAX_EMUPLT
45323 -+ do { /* PaX: patched GOT emulation */
45324 -+ unsigned int blrl;
45325 -+
45326 -+ err = get_user(blrl, (unsigned int *)regs->nip);
45327 -+
45328 -+ if (!err && blrl == 0x4E800021U) {
45329 -+ unsigned long temp = regs->nip;
45330 -+
45331 -+ regs->nip = regs->link & 0xFFFFFFFCUL;
45332 -+ regs->link = temp + 4UL;
45333 -+ return 2;
45334 -+ }
45335 -+ } while (0);
45336 -+
45337 -+ do { /* PaX: patched PLT emulation #1 */
45338 -+ unsigned int b;
45339 -+
45340 -+ err = get_user(b, (unsigned int *)regs->nip);
45341 -+
45342 -+ if (!err && (b & 0xFC000003U) == 0x48000000U) {
45343 -+ regs->nip += (((b | 0xFC000000UL) ^ 0x02000000UL) + 0x02000000UL);
45344 -+ return 3;
45345 -+ }
45346 -+ } while (0);
45347 -+
45348 -+ do { /* PaX: unpatched PLT emulation #1 */
45349 -+ unsigned int li, b;
45350 -+
45351 -+ err = get_user(li, (unsigned int *)regs->nip);
45352 -+ err |= get_user(b, (unsigned int *)(regs->nip+4));
45353 -+
45354 -+ if (!err && (li & 0xFFFF0000U) == 0x39600000U && (b & 0xFC000003U) == 0x48000000U) {
45355 -+ unsigned int rlwinm, add, li2, addis2, mtctr, li3, addis3, bctr;
45356 -+ unsigned long addr = b | 0xFC000000UL;
45357 -+
45358 -+ addr = regs->nip + 4 + ((addr ^ 0x02000000UL) + 0x02000000UL);
45359 -+ err = get_user(rlwinm, (unsigned int *)addr);
45360 -+ err |= get_user(add, (unsigned int *)(addr+4));
45361 -+ err |= get_user(li2, (unsigned int *)(addr+8));
45362 -+ err |= get_user(addis2, (unsigned int *)(addr+12));
45363 -+ err |= get_user(mtctr, (unsigned int *)(addr+16));
45364 -+ err |= get_user(li3, (unsigned int *)(addr+20));
45365 -+ err |= get_user(addis3, (unsigned int *)(addr+24));
45366 -+ err |= get_user(bctr, (unsigned int *)(addr+28));
45367 -+
45368 -+ if (err)
45369 -+ break;
45370 -+
45371 -+ if (rlwinm == 0x556C083CU &&
45372 -+ add == 0x7D6C5A14U &&
45373 -+ (li2 & 0xFFFF0000U) == 0x39800000U &&
45374 -+ (addis2 & 0xFFFF0000U) == 0x3D8C0000U &&
45375 -+ mtctr == 0x7D8903A6U &&
45376 -+ (li3 & 0xFFFF0000U) == 0x39800000U &&
45377 -+ (addis3 & 0xFFFF0000U) == 0x3D8C0000U &&
45378 -+ bctr == 0x4E800420U)
45379 -+ {
45380 -+ regs->gpr[PT_R11] = 3 * (((li | 0xFFFF0000UL) ^ 0x00008000UL) + 0x00008000UL);
45381 -+ regs->gpr[PT_R12] = (((li3 | 0xFFFF0000UL) ^ 0x00008000UL) + 0x00008000UL);
45382 -+ regs->gpr[PT_R12] += (addis3 & 0xFFFFU) << 16;
45383 -+ regs->ctr = (((li2 | 0xFFFF0000UL) ^ 0x00008000UL) + 0x00008000UL);
45384 -+ regs->ctr += (addis2 & 0xFFFFU) << 16;
45385 -+ regs->nip = regs->ctr;
45386 -+ return 4;
45387 -+ }
45388 -+ }
45389 -+ } while (0);
45390 -+
45391 -+#if 0
45392 -+ do { /* PaX: unpatched PLT emulation #2 */
45393 -+ unsigned int lis, lwzu, b, bctr;
45394 -+
45395 -+ err = get_user(lis, (unsigned int *)regs->nip);
45396 -+ err |= get_user(lwzu, (unsigned int *)(regs->nip+4));
45397 -+ err |= get_user(b, (unsigned int *)(regs->nip+8));
45398 -+ err |= get_user(bctr, (unsigned int *)(regs->nip+12));
45399 -+
45400 -+ if (err)
45401 -+ break;
45402 -+
45403 -+ if ((lis & 0xFFFF0000U) == 0x39600000U &&
45404 -+ (lwzu & 0xU) == 0xU &&
45405 -+ (b & 0xFC000003U) == 0x48000000U &&
45406 -+ bctr == 0x4E800420U)
45407 -+ {
45408 -+ unsigned int addis, addi, rlwinm, add, li2, addis2, mtctr, li3, addis3, bctr;
45409 -+ unsigned long addr = b | 0xFC000000UL;
45410 -+
45411 -+ addr = regs->nip + 12 + ((addr ^ 0x02000000UL) + 0x02000000UL);
45412 -+ err = get_user(addis, (unsigned int*)addr);
45413 -+ err |= get_user(addi, (unsigned int*)(addr+4));
45414 -+ err |= get_user(rlwinm, (unsigned int*)(addr+8));
45415 -+ err |= get_user(add, (unsigned int*)(addr+12));
45416 -+ err |= get_user(li2, (unsigned int*)(addr+16));
45417 -+ err |= get_user(addis2, (unsigned int*)(addr+20));
45418 -+ err |= get_user(mtctr, (unsigned int*)(addr+24));
45419 -+ err |= get_user(li3, (unsigned int*)(addr+28));
45420 -+ err |= get_user(addis3, (unsigned int*)(addr+32));
45421 -+ err |= get_user(bctr, (unsigned int*)(addr+36));
45422 -+
45423 -+ if (err)
45424 -+ break;
45425 -+
45426 -+ if ((addis & 0xFFFF0000U) == 0x3D6B0000U &&
45427 -+ (addi & 0xFFFF0000U) == 0x396B0000U &&
45428 -+ rlwinm == 0x556C083CU &&
45429 -+ add == 0x7D6C5A14U &&
45430 -+ (li2 & 0xFFFF0000U) == 0x39800000U &&
45431 -+ (addis2 & 0xFFFF0000U) == 0x3D8C0000U &&
45432 -+ mtctr == 0x7D8903A6U &&
45433 -+ (li3 & 0xFFFF0000U) == 0x39800000U &&
45434 -+ (addis3 & 0xFFFF0000U) == 0x3D8C0000U &&
45435 -+ bctr == 0x4E800420U)
45436 -+ {
45437 -+ regs->gpr[PT_R11] =
45438 -+ regs->gpr[PT_R11] = 3 * (((li | 0xFFFF0000UL) ^ 0x00008000UL) + 0x00008000UL);
45439 -+ regs->gpr[PT_R12] = (((li3 | 0xFFFF0000UL) ^ 0x00008000UL) + 0x00008000UL);
45440 -+ regs->gpr[PT_R12] += (addis3 & 0xFFFFU) << 16;
45441 -+ regs->ctr = (((li2 | 0xFFFF0000UL) ^ 0x00008000UL) + 0x00008000UL);
45442 -+ regs->ctr += (addis2 & 0xFFFFU) << 16;
45443 -+ regs->nip = regs->ctr;
45444 -+ return 4;
45445 -+ }
45446 -+ }
45447 -+ } while (0);
45448 -+#endif
45449 -+
45450 -+ do { /* PaX: unpatched PLT emulation #3 */
45451 -+ unsigned int li, b;
45452 -+
45453 -+ err = get_user(li, (unsigned int *)regs->nip);
45454 -+ err |= get_user(b, (unsigned int *)(regs->nip+4));
45455 -+
45456 -+ if (!err && (li & 0xFFFF0000U) == 0x39600000U && (b & 0xFC000003U) == 0x48000000U) {
45457 -+ unsigned int addis, lwz, mtctr, bctr;
45458 -+ unsigned long addr = b | 0xFC000000UL;
45459 -+
45460 -+ addr = regs->nip + 4 + ((addr ^ 0x02000000UL) + 0x02000000UL);
45461 -+ err = get_user(addis, (unsigned int *)addr);
45462 -+ err |= get_user(lwz, (unsigned int *)(addr+4));
45463 -+ err |= get_user(mtctr, (unsigned int *)(addr+8));
45464 -+ err |= get_user(bctr, (unsigned int *)(addr+12));
45465 -+
45466 -+ if (err)
45467 -+ break;
45468 -+
45469 -+ if ((addis & 0xFFFF0000U) == 0x3D6B0000U &&
45470 -+ (lwz & 0xFFFF0000U) == 0x816B0000U &&
45471 -+ mtctr == 0x7D6903A6U &&
45472 -+ bctr == 0x4E800420U)
45473 -+ {
45474 -+ unsigned int r11;
45475 -+
45476 -+ addr = (addis << 16) + (((li | 0xFFFF0000UL) ^ 0x00008000UL) + 0x00008000UL);
45477 -+ addr += (((lwz | 0xFFFF0000UL) ^ 0x00008000UL) + 0x00008000UL);
45478 -+
45479 -+ err = get_user(r11, (unsigned int *)addr);
45480 -+ if (err)
45481 -+ break;
45482 -+
45483 -+ regs->gpr[PT_R11] = r11;
45484 -+ regs->ctr = r11;
45485 -+ regs->nip = r11;
45486 -+ return 4;
45487 -+ }
45488 -+ }
45489 -+ } while (0);
45490 -+#endif
45491 -+
45492 -+#ifdef CONFIG_PAX_EMUSIGRT
45493 -+ do { /* PaX: sigreturn emulation */
45494 -+ unsigned int li, sc;
45495 -+
45496 -+ err = get_user(li, (unsigned int *)regs->nip);
45497 -+ err |= get_user(sc, (unsigned int *)(regs->nip+4));
45498 -+
45499 -+ if (!err && li == 0x38000000U + __NR_sigreturn && sc == 0x44000002U) {
45500 -+ struct vm_area_struct *vma;
45501 -+ unsigned long call_syscall;
45502 -+
45503 -+ down_read(&current->mm->mmap_sem);
45504 -+ call_syscall = current->mm->call_syscall;
45505 -+ up_read(&current->mm->mmap_sem);
45506 -+ if (likely(call_syscall))
45507 -+ goto emulate;
45508 -+
45509 -+ vma = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
45510 -+
45511 -+ down_write(&current->mm->mmap_sem);
45512 -+ if (current->mm->call_syscall) {
45513 -+ call_syscall = current->mm->call_syscall;
45514 -+ up_write(&current->mm->mmap_sem);
45515 -+ if (vma) kmem_cache_free(vm_area_cachep, vma);
45516 -+ goto emulate;
45517 -+ }
45518 -+
45519 -+ call_syscall = get_unmapped_area(NULL, 0UL, PAGE_SIZE, 0UL, MAP_PRIVATE);
45520 -+ if (!vma || (call_syscall & ~PAGE_MASK)) {
45521 -+ up_write(&current->mm->mmap_sem);
45522 -+ if (vma) kmem_cache_free(vm_area_cachep, vma);
45523 -+ return 1;
45524 -+ }
45525 -+
45526 -+ if (pax_insert_vma(vma, call_syscall)) {
45527 -+ up_write(&current->mm->mmap_sem);
45528 -+ kmem_cache_free(vm_area_cachep, vma);
45529 -+ return 1;
45530 -+ }
45531 -+
45532 -+ current->mm->call_syscall = call_syscall;
45533 -+ up_write(&current->mm->mmap_sem);
45534 -+
45535 -+emulate:
45536 -+ regs->gpr[PT_R0] = __NR_sigreturn;
45537 -+ regs->nip = call_syscall;
45538 -+ return 5;
45539 -+ }
45540 -+ } while (0);
45541 -+
45542 -+ do { /* PaX: rt_sigreturn emulation */
45543 -+ unsigned int li, sc;
45544 -+
45545 -+ err = get_user(li, (unsigned int *)regs->nip);
45546 -+ err |= get_user(sc, (unsigned int *)(regs->nip+4));
45547 -+
45548 -+ if (!err && li == 0x38000000U + __NR_rt_sigreturn && sc == 0x44000002U) {
45549 -+ struct vm_area_struct *vma;
45550 -+ unsigned int call_syscall;
45551 -+
45552 -+ down_read(&current->mm->mmap_sem);
45553 -+ call_syscall = current->mm->call_syscall;
45554 -+ up_read(&current->mm->mmap_sem);
45555 -+ if (likely(call_syscall))
45556 -+ goto rt_emulate;
45557 -+
45558 -+ vma = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
45559 -+
45560 -+ down_write(&current->mm->mmap_sem);
45561 -+ if (current->mm->call_syscall) {
45562 -+ call_syscall = current->mm->call_syscall;
45563 -+ up_write(&current->mm->mmap_sem);
45564 -+ if (vma) kmem_cache_free(vm_area_cachep, vma);
45565 -+ goto rt_emulate;
45566 -+ }
45567 -+
45568 -+ call_syscall = get_unmapped_area(NULL, 0UL, PAGE_SIZE, 0UL, MAP_PRIVATE);
45569 -+ if (!vma || (call_syscall & ~PAGE_MASK)) {
45570 -+ up_write(&current->mm->mmap_sem);
45571 -+ if (vma) kmem_cache_free(vm_area_cachep, vma);
45572 -+ return 1;
45573 -+ }
45574 -+
45575 -+ if (pax_insert_vma(vma, call_syscall)) {
45576 -+ up_write(&current->mm->mmap_sem);
45577 -+ kmem_cache_free(vm_area_cachep, vma);
45578 -+ return 1;
45579 -+ }
45580 -+
45581 -+ current->mm->call_syscall = call_syscall;
45582 -+ up_write(&current->mm->mmap_sem);
45583 -+
45584 -+rt_emulate:
45585 -+ regs->gpr[PT_R0] = __NR_rt_sigreturn;
45586 -+ regs->nip = call_syscall;
45587 -+ return 6;
45588 -+ }
45589 -+ } while (0);
45590 -+#endif
45591 -+
45592 -+ return 1;
45593 -+}
45594 -+
45595 -+void pax_report_insns(void *pc, void *sp)
45596 -+{
45597 -+ unsigned long i;
45598 -+
45599 -+ printk(KERN_ERR "PAX: bytes at PC: ");
45600 -+ for (i = 0; i < 5; i++) {
45601 -+ unsigned int c;
45602 -+ if (get_user(c, (unsigned int *)pc+i))
45603 -+ printk("???????? ");
45604 -+ else
45605 -+ printk("%08x ", c);
45606 -+ }
45607 -+ printk("\n");
45608 -+}
45609 -+#endif
45610 -+
45611 - /*
45612 - * Check whether the instruction at regs->nip is a store using
45613 - * an update addressing form which will update r1.
45614 -@@ -109,7 +472,7 @@ int do_page_fault(struct pt_regs *regs,
45615 - * indicate errors in DSISR but can validly be set in SRR1.
45616 - */
45617 - if (TRAP(regs) == 0x400)
45618 -- error_code &= 0x48200000;
45619 -+ error_code &= 0x58200000;
45620 - else
45621 - is_write = error_code & 0x02000000;
45622 - #endif /* CONFIG_4xx || CONFIG_BOOKE */
45623 -@@ -204,15 +567,14 @@ good_area:
45624 - pte_t *ptep;
45625 - pmd_t *pmdp;
45626 -
45627 --#if 0
45628 -+#if 1
45629 - /* It would be nice to actually enforce the VM execute
45630 - permission on CPUs which can do so, but far too
45631 - much stuff in userspace doesn't get the permissions
45632 - right, so we let any page be executed for now. */
45633 - if (! (vma->vm_flags & VM_EXEC))
45634 - goto bad_area;
45635 --#endif
45636 --
45637 -+#else
45638 - /* Since 4xx/Book-E supports per-page execute permission,
45639 - * we lazily flush dcache to icache. */
45640 - ptep = NULL;
45641 -@@ -235,6 +597,7 @@ good_area:
45642 - pte_unmap_unlock(ptep, ptl);
45643 - }
45644 - #endif
45645 -+#endif
45646 - /* a read */
45647 - } else {
45648 - /* protection fault */
45649 -@@ -278,6 +641,33 @@ bad_area:
45650 -
45651 - /* User mode accesses cause a SIGSEGV */
45652 - if (user_mode(regs)) {
45653 -+
45654 -+#ifdef CONFIG_PAX_PAGEEXEC
45655 -+ if (mm->pax_flags & MF_PAX_PAGEEXEC) {
45656 -+ if ((TRAP(regs) == 0x400) && (regs->nip == address)) {
45657 -+ switch (pax_handle_fetch_fault(regs)) {
45658 -+
45659 -+#ifdef CONFIG_PAX_EMUPLT
45660 -+ case 2:
45661 -+ case 3:
45662 -+ case 4:
45663 -+ return 0;
45664 -+#endif
45665 -+
45666 -+#ifdef CONFIG_PAX_EMUSIGRT
45667 -+ case 5:
45668 -+ case 6:
45669 -+ return 0;
45670 -+#endif
45671 -+
45672 -+ }
45673 -+
45674 -+ pax_report_fault(regs, (void *)regs->nip, (void *)regs->gpr[1]);
45675 -+ do_exit(SIGKILL);
45676 -+ }
45677 -+ }
45678 -+#endif
45679 -+
45680 - _exception(SIGSEGV, regs, code, address);
45681 - return 0;
45682 - }
45683 -diff -Nurp linux-2.6.23.15/arch/s390/kernel/module.c linux-2.6.23.15-grsec/arch/s390/kernel/module.c
45684 ---- linux-2.6.23.15/arch/s390/kernel/module.c 2007-10-09 21:31:38.000000000 +0100
45685 -+++ linux-2.6.23.15-grsec/arch/s390/kernel/module.c 2008-02-11 10:37:44.000000000 +0000
45686 -@@ -166,11 +166,11 @@ module_frob_arch_sections(Elf_Ehdr *hdr,
45687 -
45688 - /* Increase core size by size of got & plt and set start
45689 - offsets for got and plt. */
45690 -- me->core_size = ALIGN(me->core_size, 4);
45691 -- me->arch.got_offset = me->core_size;
45692 -- me->core_size += me->arch.got_size;
45693 -- me->arch.plt_offset = me->core_size;
45694 -- me->core_size += me->arch.plt_size;
45695 -+ me->core_size_rw = ALIGN(me->core_size_rw, 4);
45696 -+ me->arch.got_offset = me->core_size_rw;
45697 -+ me->core_size_rw += me->arch.got_size;
45698 -+ me->arch.plt_offset = me->core_size_rx;
45699 -+ me->core_size_rx += me->arch.plt_size;
45700 - return 0;
45701 - }
45702 -
45703 -@@ -256,7 +256,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
45704 - if (info->got_initialized == 0) {
45705 - Elf_Addr *gotent;
45706 -
45707 -- gotent = me->module_core + me->arch.got_offset +
45708 -+ gotent = me->module_core_rw + me->arch.got_offset +
45709 - info->got_offset;
45710 - *gotent = val;
45711 - info->got_initialized = 1;
45712 -@@ -280,7 +280,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
45713 - else if (r_type == R_390_GOTENT ||
45714 - r_type == R_390_GOTPLTENT)
45715 - *(unsigned int *) loc =
45716 -- (val + (Elf_Addr) me->module_core - loc) >> 1;
45717 -+ (val + (Elf_Addr) me->module_core_rw - loc) >> 1;
45718 - else if (r_type == R_390_GOT64 ||
45719 - r_type == R_390_GOTPLT64)
45720 - *(unsigned long *) loc = val;
45721 -@@ -294,7 +294,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
45722 - case R_390_PLTOFF64: /* 16 bit offset from GOT to PLT. */
45723 - if (info->plt_initialized == 0) {
45724 - unsigned int *ip;
45725 -- ip = me->module_core + me->arch.plt_offset +
45726 -+ ip = me->module_core_rx + me->arch.plt_offset +
45727 - info->plt_offset;
45728 - #ifndef CONFIG_64BIT
45729 - ip[0] = 0x0d105810; /* basr 1,0; l 1,6(1); br 1 */
45730 -@@ -316,7 +316,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
45731 - val = me->arch.plt_offset - me->arch.got_offset +
45732 - info->plt_offset + rela->r_addend;
45733 - else
45734 -- val = (Elf_Addr) me->module_core +
45735 -+ val = (Elf_Addr) me->module_core_rx +
45736 - me->arch.plt_offset + info->plt_offset +
45737 - rela->r_addend - loc;
45738 - if (r_type == R_390_PLT16DBL)
45739 -@@ -336,7 +336,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
45740 - case R_390_GOTOFF32: /* 32 bit offset to GOT. */
45741 - case R_390_GOTOFF64: /* 64 bit offset to GOT. */
45742 - val = val + rela->r_addend -
45743 -- ((Elf_Addr) me->module_core + me->arch.got_offset);
45744 -+ ((Elf_Addr) me->module_core_rw + me->arch.got_offset);
45745 - if (r_type == R_390_GOTOFF16)
45746 - *(unsigned short *) loc = val;
45747 - else if (r_type == R_390_GOTOFF32)
45748 -@@ -346,7 +346,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
45749 - break;
45750 - case R_390_GOTPC: /* 32 bit PC relative offset to GOT. */
45751 - case R_390_GOTPCDBL: /* 32 bit PC rel. off. to GOT shifted by 1. */
45752 -- val = (Elf_Addr) me->module_core + me->arch.got_offset +
45753 -+ val = (Elf_Addr) me->module_core_rw + me->arch.got_offset +
45754 - rela->r_addend - loc;
45755 - if (r_type == R_390_GOTPC)
45756 - *(unsigned int *) loc = val;
45757 -diff -Nurp linux-2.6.23.15/arch/sparc/Makefile linux-2.6.23.15-grsec/arch/sparc/Makefile
45758 ---- linux-2.6.23.15/arch/sparc/Makefile 2007-10-09 21:31:38.000000000 +0100
45759 -+++ linux-2.6.23.15-grsec/arch/sparc/Makefile 2008-02-11 10:37:44.000000000 +0000
45760 -@@ -36,7 +36,7 @@ drivers-$(CONFIG_OPROFILE) += arch/sparc
45761 - # Renaming is done to avoid confusing pattern matching rules in 2.5.45 (multy-)
45762 - INIT_Y := $(patsubst %/, %/built-in.o, $(init-y))
45763 - CORE_Y := $(core-y)
45764 --CORE_Y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/
45765 -+CORE_Y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/ grsecurity/
45766 - CORE_Y := $(patsubst %/, %/built-in.o, $(CORE_Y))
45767 - DRIVERS_Y := $(patsubst %/, %/built-in.o, $(drivers-y))
45768 - NET_Y := $(patsubst %/, %/built-in.o, $(net-y))
45769 -diff -Nurp linux-2.6.23.15/arch/sparc/kernel/ptrace.c linux-2.6.23.15-grsec/arch/sparc/kernel/ptrace.c
45770 ---- linux-2.6.23.15/arch/sparc/kernel/ptrace.c 2007-10-09 21:31:38.000000000 +0100
45771 -+++ linux-2.6.23.15-grsec/arch/sparc/kernel/ptrace.c 2008-02-11 10:37:44.000000000 +0000
45772 -@@ -19,6 +19,7 @@
45773 - #include <linux/smp_lock.h>
45774 - #include <linux/security.h>
45775 - #include <linux/signal.h>
45776 -+#include <linux/grsecurity.h>
45777 -
45778 - #include <asm/pgtable.h>
45779 - #include <asm/system.h>
45780 -@@ -303,6 +304,11 @@ asmlinkage void do_ptrace(struct pt_regs
45781 - goto out;
45782 - }
45783 -
45784 -+ if (gr_handle_ptrace(child, request)) {
45785 -+ pt_error_return(regs, EPERM);
45786 -+ goto out_tsk;
45787 -+ }
45788 -+
45789 - if ((current->personality == PER_SUNOS && request == PTRACE_SUNATTACH)
45790 - || (current->personality != PER_SUNOS && request == PTRACE_ATTACH)) {
45791 - if (ptrace_attach(child)) {
45792 -diff -Nurp linux-2.6.23.15/arch/sparc/kernel/sys_sparc.c linux-2.6.23.15-grsec/arch/sparc/kernel/sys_sparc.c
45793 ---- linux-2.6.23.15/arch/sparc/kernel/sys_sparc.c 2007-10-09 21:31:38.000000000 +0100
45794 -+++ linux-2.6.23.15-grsec/arch/sparc/kernel/sys_sparc.c 2008-02-11 10:37:44.000000000 +0000
45795 -@@ -57,7 +57,7 @@ unsigned long arch_get_unmapped_area(str
45796 - if (ARCH_SUN4C_SUN4 && len > 0x20000000)
45797 - return -ENOMEM;
45798 - if (!addr)
45799 -- addr = TASK_UNMAPPED_BASE;
45800 -+ addr = current->mm->mmap_base;
45801 -
45802 - if (flags & MAP_SHARED)
45803 - addr = COLOUR_ALIGN(addr);
45804 -diff -Nurp linux-2.6.23.15/arch/sparc/mm/fault.c linux-2.6.23.15-grsec/arch/sparc/mm/fault.c
45805 ---- linux-2.6.23.15/arch/sparc/mm/fault.c 2007-10-09 21:31:38.000000000 +0100
45806 -+++ linux-2.6.23.15-grsec/arch/sparc/mm/fault.c 2008-02-11 10:37:44.000000000 +0000
45807 -@@ -21,6 +21,10 @@
45808 - #include <linux/interrupt.h>
45809 - #include <linux/module.h>
45810 - #include <linux/kdebug.h>
45811 -+#include <linux/slab.h>
45812 -+#include <linux/pagemap.h>
45813 -+#include <linux/compiler.h>
45814 -+#include <linux/binfmts.h>
45815 -
45816 - #include <asm/system.h>
45817 - #include <asm/page.h>
45818 -@@ -216,6 +220,252 @@ static unsigned long compute_si_addr(str
45819 - return safe_compute_effective_address(regs, insn);
45820 - }
45821 -
45822 -+#ifdef CONFIG_PAX_PAGEEXEC
45823 -+void pax_emuplt_close(struct vm_area_struct *vma)
45824 -+{
45825 -+ vma->vm_mm->call_dl_resolve = 0UL;
45826 -+}
45827 -+
45828 -+static struct page *pax_emuplt_nopage(struct vm_area_struct *vma, unsigned long address, int *type)
45829 -+{
45830 -+ struct page *page;
45831 -+ unsigned int *kaddr;
45832 -+
45833 -+ page = alloc_page(GFP_HIGHUSER);
45834 -+ if (!page)
45835 -+ return NOPAGE_OOM;
45836 -+
45837 -+ kaddr = kmap(page);
45838 -+ memset(kaddr, 0, PAGE_SIZE);
45839 -+ kaddr[0] = 0x9DE3BFA8U; /* save */
45840 -+ flush_dcache_page(page);
45841 -+ kunmap(page);
45842 -+ if (type)
45843 -+ *type = VM_FAULT_MAJOR;
45844 -+
45845 -+ return page;
45846 -+}
45847 -+
45848 -+static struct vm_operations_struct pax_vm_ops = {
45849 -+ .close = pax_emuplt_close,
45850 -+ .nopage = pax_emuplt_nopage,
45851 -+};
45852 -+
45853 -+static int pax_insert_vma(struct vm_area_struct *vma, unsigned long addr)
45854 -+{
45855 -+ int ret;
45856 -+
45857 -+ memset(vma, 0, sizeof(*vma));
45858 -+ vma->vm_mm = current->mm;
45859 -+ vma->vm_start = addr;
45860 -+ vma->vm_end = addr + PAGE_SIZE;
45861 -+ vma->vm_flags = VM_READ | VM_EXEC | VM_MAYREAD | VM_MAYEXEC;
45862 -+ vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
45863 -+ vma->vm_ops = &pax_vm_ops;
45864 -+
45865 -+ ret = insert_vm_struct(current->mm, vma);
45866 -+ if (ret)
45867 -+ return ret;
45868 -+
45869 -+ ++current->mm->total_vm;
45870 -+ return 0;
45871 -+}
45872 -+
45873 -+/*
45874 -+ * PaX: decide what to do with offenders (regs->pc = fault address)
45875 -+ *
45876 -+ * returns 1 when task should be killed
45877 -+ * 2 when patched PLT trampoline was detected
45878 -+ * 3 when unpatched PLT trampoline was detected
45879 -+ */
45880 -+static int pax_handle_fetch_fault(struct pt_regs *regs)
45881 -+{
45882 -+
45883 -+#ifdef CONFIG_PAX_EMUPLT
45884 -+ int err;
45885 -+
45886 -+ do { /* PaX: patched PLT emulation #1 */
45887 -+ unsigned int sethi1, sethi2, jmpl;
45888 -+
45889 -+ err = get_user(sethi1, (unsigned int *)regs->pc);
45890 -+ err |= get_user(sethi2, (unsigned int *)(regs->pc+4));
45891 -+ err |= get_user(jmpl, (unsigned int *)(regs->pc+8));
45892 -+
45893 -+ if (err)
45894 -+ break;
45895 -+
45896 -+ if ((sethi1 & 0xFFC00000U) == 0x03000000U &&
45897 -+ (sethi2 & 0xFFC00000U) == 0x03000000U &&
45898 -+ (jmpl & 0xFFFFE000U) == 0x81C06000U)
45899 -+ {
45900 -+ unsigned int addr;
45901 -+
45902 -+ regs->u_regs[UREG_G1] = (sethi2 & 0x003FFFFFU) << 10;
45903 -+ addr = regs->u_regs[UREG_G1];
45904 -+ addr += (((jmpl | 0xFFFFE000U) ^ 0x00001000U) + 0x00001000U);
45905 -+ regs->pc = addr;
45906 -+ regs->npc = addr+4;
45907 -+ return 2;
45908 -+ }
45909 -+ } while (0);
45910 -+
45911 -+ { /* PaX: patched PLT emulation #2 */
45912 -+ unsigned int ba;
45913 -+
45914 -+ err = get_user(ba, (unsigned int *)regs->pc);
45915 -+
45916 -+ if (!err && (ba & 0xFFC00000U) == 0x30800000U) {
45917 -+ unsigned int addr;
45918 -+
45919 -+ addr = regs->pc + ((((ba | 0xFFC00000U) ^ 0x00200000U) + 0x00200000U) << 2);
45920 -+ regs->pc = addr;
45921 -+ regs->npc = addr+4;
45922 -+ return 2;
45923 -+ }
45924 -+ }
45925 -+
45926 -+ do { /* PaX: patched PLT emulation #3 */
45927 -+ unsigned int sethi, jmpl, nop;
45928 -+
45929 -+ err = get_user(sethi, (unsigned int *)regs->pc);
45930 -+ err |= get_user(jmpl, (unsigned int *)(regs->pc+4));
45931 -+ err |= get_user(nop, (unsigned int *)(regs->pc+8));
45932 -+
45933 -+ if (err)
45934 -+ break;
45935 -+
45936 -+ if ((sethi & 0xFFC00000U) == 0x03000000U &&
45937 -+ (jmpl & 0xFFFFE000U) == 0x81C06000U &&
45938 -+ nop == 0x01000000U)
45939 -+ {
45940 -+ unsigned int addr;
45941 -+
45942 -+ addr = (sethi & 0x003FFFFFU) << 10;
45943 -+ regs->u_regs[UREG_G1] = addr;
45944 -+ addr += (((jmpl | 0xFFFFE000U) ^ 0x00001000U) + 0x00001000U);
45945 -+ regs->pc = addr;
45946 -+ regs->npc = addr+4;
45947 -+ return 2;
45948 -+ }
45949 -+ } while (0);
45950 -+
45951 -+ do { /* PaX: unpatched PLT emulation step 1 */
45952 -+ unsigned int sethi, ba, nop;
45953 -+
45954 -+ err = get_user(sethi, (unsigned int *)regs->pc);
45955 -+ err |= get_user(ba, (unsigned int *)(regs->pc+4));
45956 -+ err |= get_user(nop, (unsigned int *)(regs->pc+8));
45957 -+
45958 -+ if (err)
45959 -+ break;
45960 -+
45961 -+ if ((sethi & 0xFFC00000U) == 0x03000000U &&
45962 -+ ((ba & 0xFFC00000U) == 0x30800000U || (ba & 0xFFF80000U) == 0x30680000U) &&
45963 -+ nop == 0x01000000U)
45964 -+ {
45965 -+ unsigned int addr, save, call;
45966 -+
45967 -+ if ((ba & 0xFFC00000U) == 0x30800000U)
45968 -+ addr = regs->pc + 4 + ((((ba | 0xFFC00000U) ^ 0x00200000U) + 0x00200000U) << 2);
45969 -+ else
45970 -+ addr = regs->pc + 4 + ((((ba | 0xFFF80000U) ^ 0x00040000U) + 0x00040000U) << 2);
45971 -+
45972 -+ err = get_user(save, (unsigned int *)addr);
45973 -+ err |= get_user(call, (unsigned int *)(addr+4));
45974 -+ err |= get_user(nop, (unsigned int *)(addr+8));
45975 -+ if (err)
45976 -+ break;
45977 -+
45978 -+ if (save == 0x9DE3BFA8U &&
45979 -+ (call & 0xC0000000U) == 0x40000000U &&
45980 -+ nop == 0x01000000U)
45981 -+ {
45982 -+ struct vm_area_struct *vma;
45983 -+ unsigned long call_dl_resolve;
45984 -+
45985 -+ down_read(&current->mm->mmap_sem);
45986 -+ call_dl_resolve = current->mm->call_dl_resolve;
45987 -+ up_read(&current->mm->mmap_sem);
45988 -+ if (likely(call_dl_resolve))
45989 -+ goto emulate;
45990 -+
45991 -+ vma = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
45992 -+
45993 -+ down_write(&current->mm->mmap_sem);
45994 -+ if (current->mm->call_dl_resolve) {
45995 -+ call_dl_resolve = current->mm->call_dl_resolve;
45996 -+ up_write(&current->mm->mmap_sem);
45997 -+ if (vma) kmem_cache_free(vm_area_cachep, vma);
45998 -+ goto emulate;
45999 -+ }
46000 -+
46001 -+ call_dl_resolve = get_unmapped_area(NULL, 0UL, PAGE_SIZE, 0UL, MAP_PRIVATE);
46002 -+ if (!vma || (call_dl_resolve & ~PAGE_MASK)) {
46003 -+ up_write(&current->mm->mmap_sem);
46004 -+ if (vma) kmem_cache_free(vm_area_cachep, vma);
46005 -+ return 1;
46006 -+ }
46007 -+
46008 -+ if (pax_insert_vma(vma, call_dl_resolve)) {
46009 -+ up_write(&current->mm->mmap_sem);
46010 -+ kmem_cache_free(vm_area_cachep, vma);
46011 -+ return 1;
46012 -+ }
46013 -+
46014 -+ current->mm->call_dl_resolve = call_dl_resolve;
46015 -+ up_write(&current->mm->mmap_sem);
46016 -+
46017 -+emulate:
46018 -+ regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
46019 -+ regs->pc = call_dl_resolve;
46020 -+ regs->npc = addr+4;
46021 -+ return 3;
46022 -+ }
46023 -+ }
46024 -+ } while (0);
46025 -+
46026 -+ do { /* PaX: unpatched PLT emulation step 2 */
46027 -+ unsigned int save, call, nop;
46028 -+
46029 -+ err = get_user(save, (unsigned int *)(regs->pc-4));
46030 -+ err |= get_user(call, (unsigned int *)regs->pc);
46031 -+ err |= get_user(nop, (unsigned int *)(regs->pc+4));
46032 -+ if (err)
46033 -+ break;
46034 -+
46035 -+ if (save == 0x9DE3BFA8U &&
46036 -+ (call & 0xC0000000U) == 0x40000000U &&
46037 -+ nop == 0x01000000U)
46038 -+ {
46039 -+ unsigned int dl_resolve = regs->pc + ((((call | 0xC0000000U) ^ 0x20000000U) + 0x20000000U) << 2);
46040 -+
46041 -+ regs->u_regs[UREG_RETPC] = regs->pc;
46042 -+ regs->pc = dl_resolve;
46043 -+ regs->npc = dl_resolve+4;
46044 -+ return 3;
46045 -+ }
46046 -+ } while (0);
46047 -+#endif
46048 -+
46049 -+ return 1;
46050 -+}
46051 -+
46052 -+void pax_report_insns(void *pc, void *sp)
46053 -+{
46054 -+ unsigned long i;
46055 -+
46056 -+ printk(KERN_ERR "PAX: bytes at PC: ");
46057 -+ for (i = 0; i < 5; i++) {
46058 -+ unsigned int c;
46059 -+ if (get_user(c, (unsigned int *)pc+i))
46060 -+ printk("???????? ");
46061 -+ else
46062 -+ printk("%08x ", c);
46063 -+ }
46064 -+ printk("\n");
46065 -+}
46066 -+#endif
46067 -+
46068 - asmlinkage void do_sparc_fault(struct pt_regs *regs, int text_fault, int write,
46069 - unsigned long address)
46070 - {
46071 -@@ -280,6 +530,24 @@ good_area:
46072 - if(!(vma->vm_flags & VM_WRITE))
46073 - goto bad_area;
46074 - } else {
46075 -+
46076 -+#ifdef CONFIG_PAX_PAGEEXEC
46077 -+ if ((mm->pax_flags & MF_PAX_PAGEEXEC) && text_fault && !(vma->vm_flags & VM_EXEC)) {
46078 -+ up_read(&mm->mmap_sem);
46079 -+ switch (pax_handle_fetch_fault(regs)) {
46080 -+
46081 -+#ifdef CONFIG_PAX_EMUPLT
46082 -+ case 2:
46083 -+ case 3:
46084 -+ return;
46085 -+#endif
46086 -+
46087 -+ }
46088 -+ pax_report_fault(regs, (void *)regs->pc, (void *)regs->u_regs[UREG_FP]);
46089 -+ do_exit(SIGKILL);
46090 -+ }
46091 -+#endif
46092 -+
46093 - /* Allow reads even for write-only mappings */
46094 - if(!(vma->vm_flags & (VM_READ | VM_EXEC)))
46095 - goto bad_area;
46096 -diff -Nurp linux-2.6.23.15/arch/sparc/mm/init.c linux-2.6.23.15-grsec/arch/sparc/mm/init.c
46097 ---- linux-2.6.23.15/arch/sparc/mm/init.c 2007-10-09 21:31:38.000000000 +0100
46098 -+++ linux-2.6.23.15-grsec/arch/sparc/mm/init.c 2008-02-11 10:37:44.000000000 +0000
46099 -@@ -336,17 +336,17 @@ void __init paging_init(void)
46100 -
46101 - /* Initialize the protection map with non-constant, MMU dependent values. */
46102 - protection_map[0] = PAGE_NONE;
46103 -- protection_map[1] = PAGE_READONLY;
46104 -- protection_map[2] = PAGE_COPY;
46105 -- protection_map[3] = PAGE_COPY;
46106 -+ protection_map[1] = PAGE_READONLY_NOEXEC;
46107 -+ protection_map[2] = PAGE_COPY_NOEXEC;
46108 -+ protection_map[3] = PAGE_COPY_NOEXEC;
46109 - protection_map[4] = PAGE_READONLY;
46110 - protection_map[5] = PAGE_READONLY;
46111 - protection_map[6] = PAGE_COPY;
46112 - protection_map[7] = PAGE_COPY;
46113 - protection_map[8] = PAGE_NONE;
46114 -- protection_map[9] = PAGE_READONLY;
46115 -- protection_map[10] = PAGE_SHARED;
46116 -- protection_map[11] = PAGE_SHARED;
46117 -+ protection_map[9] = PAGE_READONLY_NOEXEC;
46118 -+ protection_map[10] = PAGE_SHARED_NOEXEC;
46119 -+ protection_map[11] = PAGE_SHARED_NOEXEC;
46120 - protection_map[12] = PAGE_READONLY;
46121 - protection_map[13] = PAGE_READONLY;
46122 - protection_map[14] = PAGE_SHARED;
46123 -diff -Nurp linux-2.6.23.15/arch/sparc/mm/srmmu.c linux-2.6.23.15-grsec/arch/sparc/mm/srmmu.c
46124 ---- linux-2.6.23.15/arch/sparc/mm/srmmu.c 2007-10-09 21:31:38.000000000 +0100
46125 -+++ linux-2.6.23.15-grsec/arch/sparc/mm/srmmu.c 2008-02-11 10:37:44.000000000 +0000
46126 -@@ -2157,6 +2157,13 @@ void __init ld_mmu_srmmu(void)
46127 - PAGE_SHARED = pgprot_val(SRMMU_PAGE_SHARED);
46128 - BTFIXUPSET_INT(page_copy, pgprot_val(SRMMU_PAGE_COPY));
46129 - BTFIXUPSET_INT(page_readonly, pgprot_val(SRMMU_PAGE_RDONLY));
46130 -+
46131 -+#ifdef CONFIG_PAX_PAGEEXEC
46132 -+ PAGE_SHARED_NOEXEC = pgprot_val(SRMMU_PAGE_SHARED_NOEXEC);
46133 -+ BTFIXUPSET_INT(page_copy_noexec, pgprot_val(SRMMU_PAGE_COPY_NOEXEC));
46134 -+ BTFIXUPSET_INT(page_readonly_noexec, pgprot_val(SRMMU_PAGE_RDONLY_NOEXEC));
46135 -+#endif
46136 -+
46137 - BTFIXUPSET_INT(page_kernel, pgprot_val(SRMMU_PAGE_KERNEL));
46138 - page_kernel = pgprot_val(SRMMU_PAGE_KERNEL);
46139 -
46140 -diff -Nurp linux-2.6.23.15/arch/sparc64/kernel/Makefile linux-2.6.23.15-grsec/arch/sparc64/kernel/Makefile
46141 ---- linux-2.6.23.15/arch/sparc64/kernel/Makefile 2007-10-09 21:31:38.000000000 +0100
46142 -+++ linux-2.6.23.15-grsec/arch/sparc64/kernel/Makefile 2008-02-11 10:37:44.000000000 +0000
46143 -@@ -3,7 +3,7 @@
46144 - #
46145 -
46146 - EXTRA_AFLAGS := -ansi
46147 --EXTRA_CFLAGS := -Werror
46148 -+#EXTRA_CFLAGS := -Werror
46149 -
46150 - extra-y := head.o init_task.o vmlinux.lds
46151 -
46152 -diff -Nurp linux-2.6.23.15/arch/sparc64/kernel/ptrace.c linux-2.6.23.15-grsec/arch/sparc64/kernel/ptrace.c
46153 ---- linux-2.6.23.15/arch/sparc64/kernel/ptrace.c 2007-10-09 21:31:38.000000000 +0100
46154 -+++ linux-2.6.23.15-grsec/arch/sparc64/kernel/ptrace.c 2008-02-11 10:37:44.000000000 +0000
46155 -@@ -22,6 +22,7 @@
46156 - #include <linux/seccomp.h>
46157 - #include <linux/audit.h>
46158 - #include <linux/signal.h>
46159 -+#include <linux/grsecurity.h>
46160 -
46161 - #include <asm/asi.h>
46162 - #include <asm/pgtable.h>
46163 -@@ -216,6 +217,11 @@ asmlinkage void do_ptrace(struct pt_regs
46164 - goto out;
46165 - }
46166 -
46167 -+ if (gr_handle_ptrace(child, (long)request)) {
46168 -+ pt_error_return(regs, EPERM);
46169 -+ goto out_tsk;
46170 -+ }
46171 -+
46172 - if ((current->personality == PER_SUNOS && request == PTRACE_SUNATTACH)
46173 - || (current->personality != PER_SUNOS && request == PTRACE_ATTACH)) {
46174 - if (ptrace_attach(child)) {
46175 -diff -Nurp linux-2.6.23.15/arch/sparc64/kernel/sys_sparc.c linux-2.6.23.15-grsec/arch/sparc64/kernel/sys_sparc.c
46176 ---- linux-2.6.23.15/arch/sparc64/kernel/sys_sparc.c 2008-02-11 10:36:03.000000000 +0000
46177 -+++ linux-2.6.23.15-grsec/arch/sparc64/kernel/sys_sparc.c 2008-02-11 10:37:44.000000000 +0000
46178 -@@ -124,7 +124,7 @@ unsigned long arch_get_unmapped_area(str
46179 - /* We do not accept a shared mapping if it would violate
46180 - * cache aliasing constraints.
46181 - */
46182 -- if ((flags & MAP_SHARED) &&
46183 -+ if ((filp || (flags & MAP_SHARED)) &&
46184 - ((addr - (pgoff << PAGE_SHIFT)) & (SHMLBA - 1)))
46185 - return -EINVAL;
46186 - return addr;
46187 -@@ -139,6 +139,10 @@ unsigned long arch_get_unmapped_area(str
46188 - if (filp || (flags & MAP_SHARED))
46189 - do_color_align = 1;
46190 -
46191 -+#ifdef CONFIG_PAX_RANDMMAP
46192 -+ if (!(mm->pax_flags & MF_PAX_RANDMMAP) || !filp)
46193 -+#endif
46194 -+
46195 - if (addr) {
46196 - if (do_color_align)
46197 - addr = COLOUR_ALIGN(addr, pgoff);
46198 -@@ -152,9 +156,9 @@ unsigned long arch_get_unmapped_area(str
46199 - }
46200 -
46201 - if (len > mm->cached_hole_size) {
46202 -- start_addr = addr = mm->free_area_cache;
46203 -+ start_addr = addr = mm->free_area_cache;
46204 - } else {
46205 -- start_addr = addr = TASK_UNMAPPED_BASE;
46206 -+ start_addr = addr = mm->mmap_base;
46207 - mm->cached_hole_size = 0;
46208 - }
46209 -
46210 -@@ -174,8 +178,8 @@ full_search:
46211 - vma = find_vma(mm, VA_EXCLUDE_END);
46212 - }
46213 - if (unlikely(task_size < addr)) {
46214 -- if (start_addr != TASK_UNMAPPED_BASE) {
46215 -- start_addr = addr = TASK_UNMAPPED_BASE;
46216 -+ if (start_addr != mm->mmap_base) {
46217 -+ start_addr = addr = mm->mmap_base;
46218 - mm->cached_hole_size = 0;
46219 - goto full_search;
46220 - }
46221 -@@ -215,7 +219,7 @@ arch_get_unmapped_area_topdown(struct fi
46222 - /* We do not accept a shared mapping if it would violate
46223 - * cache aliasing constraints.
46224 - */
46225 -- if ((flags & MAP_SHARED) &&
46226 -+ if ((filp || (flags & MAP_SHARED)) &&
46227 - ((addr - (pgoff << PAGE_SHIFT)) & (SHMLBA - 1)))
46228 - return -EINVAL;
46229 - return addr;
46230 -@@ -378,6 +382,12 @@ void arch_pick_mmap_layout(struct mm_str
46231 - current->signal->rlim[RLIMIT_STACK].rlim_cur == RLIM_INFINITY ||
46232 - sysctl_legacy_va_layout) {
46233 - mm->mmap_base = TASK_UNMAPPED_BASE + random_factor;
46234 -+
46235 -+#ifdef CONFIG_PAX_RANDMMAP
46236 -+ if (mm->pax_flags & MF_PAX_RANDMMAP)
46237 -+ mm->mmap_base += mm->delta_mmap;
46238 -+#endif
46239 -+
46240 - mm->get_unmapped_area = arch_get_unmapped_area;
46241 - mm->unmap_area = arch_unmap_area;
46242 - } else {
46243 -@@ -392,6 +402,12 @@ void arch_pick_mmap_layout(struct mm_str
46244 - gap = (task_size / 6 * 5);
46245 -
46246 - mm->mmap_base = PAGE_ALIGN(task_size - gap - random_factor);
46247 -+
46248 -+#ifdef CONFIG_PAX_RANDMMAP
46249 -+ if (mm->pax_flags & MF_PAX_RANDMMAP)
46250 -+ mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
46251 -+#endif
46252 -+
46253 - mm->get_unmapped_area = arch_get_unmapped_area_topdown;
46254 - mm->unmap_area = arch_unmap_area_topdown;
46255 - }
46256 -diff -Nurp linux-2.6.23.15/arch/sparc64/mm/Makefile linux-2.6.23.15-grsec/arch/sparc64/mm/Makefile
46257 ---- linux-2.6.23.15/arch/sparc64/mm/Makefile 2007-10-09 21:31:38.000000000 +0100
46258 -+++ linux-2.6.23.15-grsec/arch/sparc64/mm/Makefile 2008-02-11 10:37:44.000000000 +0000
46259 -@@ -3,7 +3,7 @@
46260 - #
46261 -
46262 - EXTRA_AFLAGS := -ansi
46263 --EXTRA_CFLAGS := -Werror
46264 -+#EXTRA_CFLAGS := -Werror
46265 -
46266 - obj-y := ultra.o tlb.o tsb.o fault.o init.o generic.o
46267 -
46268 -diff -Nurp linux-2.6.23.15/arch/sparc64/mm/fault.c linux-2.6.23.15-grsec/arch/sparc64/mm/fault.c
46269 ---- linux-2.6.23.15/arch/sparc64/mm/fault.c 2007-10-09 21:31:38.000000000 +0100
46270 -+++ linux-2.6.23.15-grsec/arch/sparc64/mm/fault.c 2008-02-11 10:37:44.000000000 +0000
46271 -@@ -20,6 +20,10 @@
46272 - #include <linux/kprobes.h>
46273 - #include <linux/kallsyms.h>
46274 - #include <linux/kdebug.h>
46275 -+#include <linux/slab.h>
46276 -+#include <linux/pagemap.h>
46277 -+#include <linux/compiler.h>
46278 -+#include <linux/binfmts.h>
46279 -
46280 - #include <asm/page.h>
46281 - #include <asm/pgtable.h>
46282 -@@ -270,6 +274,369 @@ cannot_handle:
46283 - unhandled_fault (address, current, regs);
46284 - }
46285 -
46286 -+#ifdef CONFIG_PAX_PAGEEXEC
46287 -+#ifdef CONFIG_PAX_EMUPLT
46288 -+static void pax_emuplt_close(struct vm_area_struct *vma)
46289 -+{
46290 -+ vma->vm_mm->call_dl_resolve = 0UL;
46291 -+}
46292 -+
46293 -+static struct page *pax_emuplt_nopage(struct vm_area_struct *vma, unsigned long address, int *type)
46294 -+{
46295 -+ struct page *page;
46296 -+ unsigned int *kaddr;
46297 -+
46298 -+ page = alloc_page(GFP_HIGHUSER);
46299 -+ if (!page)
46300 -+ return NOPAGE_OOM;
46301 -+
46302 -+ kaddr = kmap(page);
46303 -+ memset(kaddr, 0, PAGE_SIZE);
46304 -+ kaddr[0] = 0x9DE3BFA8U; /* save */
46305 -+ flush_dcache_page(page);
46306 -+ kunmap(page);
46307 -+ if (type)
46308 -+ *type = VM_FAULT_MAJOR;
46309 -+ return page;
46310 -+}
46311 -+
46312 -+static struct vm_operations_struct pax_vm_ops = {
46313 -+ .close = pax_emuplt_close,
46314 -+ .nopage = pax_emuplt_nopage,
46315 -+};
46316 -+
46317 -+static int pax_insert_vma(struct vm_area_struct *vma, unsigned long addr)
46318 -+{
46319 -+ int ret;
46320 -+
46321 -+ memset(vma, 0, sizeof(*vma));
46322 -+ vma->vm_mm = current->mm;
46323 -+ vma->vm_start = addr;
46324 -+ vma->vm_end = addr + PAGE_SIZE;
46325 -+ vma->vm_flags = VM_READ | VM_EXEC | VM_MAYREAD | VM_MAYEXEC;
46326 -+ vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
46327 -+ vma->vm_ops = &pax_vm_ops;
46328 -+
46329 -+ ret = insert_vm_struct(current->mm, vma);
46330 -+ if (ret)
46331 -+ return ret;
46332 -+
46333 -+ ++current->mm->total_vm;
46334 -+ return 0;
46335 -+}
46336 -+#endif
46337 -+
46338 -+/*
46339 -+ * PaX: decide what to do with offenders (regs->tpc = fault address)
46340 -+ *
46341 -+ * returns 1 when task should be killed
46342 -+ * 2 when patched PLT trampoline was detected
46343 -+ * 3 when unpatched PLT trampoline was detected
46344 -+ */
46345 -+static int pax_handle_fetch_fault(struct pt_regs *regs)
46346 -+{
46347 -+
46348 -+#ifdef CONFIG_PAX_EMUPLT
46349 -+ int err;
46350 -+
46351 -+ do { /* PaX: patched PLT emulation #1 */
46352 -+ unsigned int sethi1, sethi2, jmpl;
46353 -+
46354 -+ err = get_user(sethi1, (unsigned int *)regs->tpc);
46355 -+ err |= get_user(sethi2, (unsigned int *)(regs->tpc+4));
46356 -+ err |= get_user(jmpl, (unsigned int *)(regs->tpc+8));
46357 -+
46358 -+ if (err)
46359 -+ break;
46360 -+
46361 -+ if ((sethi1 & 0xFFC00000U) == 0x03000000U &&
46362 -+ (sethi2 & 0xFFC00000U) == 0x03000000U &&
46363 -+ (jmpl & 0xFFFFE000U) == 0x81C06000U)
46364 -+ {
46365 -+ unsigned long addr;
46366 -+
46367 -+ regs->u_regs[UREG_G1] = (sethi2 & 0x003FFFFFU) << 10;
46368 -+ addr = regs->u_regs[UREG_G1];
46369 -+ addr += (((jmpl | 0xFFFFFFFFFFFFE000UL) ^ 0x00001000UL) + 0x00001000UL);
46370 -+ regs->tpc = addr;
46371 -+ regs->tnpc = addr+4;
46372 -+ return 2;
46373 -+ }
46374 -+ } while (0);
46375 -+
46376 -+ { /* PaX: patched PLT emulation #2 */
46377 -+ unsigned int ba;
46378 -+
46379 -+ err = get_user(ba, (unsigned int *)regs->tpc);
46380 -+
46381 -+ if (!err && (ba & 0xFFC00000U) == 0x30800000U) {
46382 -+ unsigned long addr;
46383 -+
46384 -+ addr = regs->tpc + ((((ba | 0xFFFFFFFFFFC00000UL) ^ 0x00200000UL) + 0x00200000UL) << 2);
46385 -+ regs->tpc = addr;
46386 -+ regs->tnpc = addr+4;
46387 -+ return 2;
46388 -+ }
46389 -+ }
46390 -+
46391 -+ do { /* PaX: patched PLT emulation #3 */
46392 -+ unsigned int sethi, jmpl, nop;
46393 -+
46394 -+ err = get_user(sethi, (unsigned int *)regs->tpc);
46395 -+ err |= get_user(jmpl, (unsigned int *)(regs->tpc+4));
46396 -+ err |= get_user(nop, (unsigned int *)(regs->tpc+8));
46397 -+
46398 -+ if (err)
46399 -+ break;
46400 -+
46401 -+ if ((sethi & 0xFFC00000U) == 0x03000000U &&
46402 -+ (jmpl & 0xFFFFE000U) == 0x81C06000U &&
46403 -+ nop == 0x01000000U)
46404 -+ {
46405 -+ unsigned long addr;
46406 -+
46407 -+ addr = (sethi & 0x003FFFFFU) << 10;
46408 -+ regs->u_regs[UREG_G1] = addr;
46409 -+ addr += (((jmpl | 0xFFFFFFFFFFFFE000UL) ^ 0x00001000UL) + 0x00001000UL);
46410 -+ regs->tpc = addr;
46411 -+ regs->tnpc = addr+4;
46412 -+ return 2;
46413 -+ }
46414 -+ } while (0);
46415 -+
46416 -+ do { /* PaX: patched PLT emulation #4 */
46417 -+ unsigned int mov1, call, mov2;
46418 -+
46419 -+ err = get_user(mov1, (unsigned int *)regs->tpc);
46420 -+ err |= get_user(call, (unsigned int *)(regs->tpc+4));
46421 -+ err |= get_user(mov2, (unsigned int *)(regs->tpc+8));
46422 -+
46423 -+ if (err)
46424 -+ break;
46425 -+
46426 -+ if (mov1 == 0x8210000FU &&
46427 -+ (call & 0xC0000000U) == 0x40000000U &&
46428 -+ mov2 == 0x9E100001U)
46429 -+ {
46430 -+ unsigned long addr;
46431 -+
46432 -+ regs->u_regs[UREG_G1] = regs->u_regs[UREG_RETPC];
46433 -+ addr = regs->tpc + 4 + ((((call | 0xFFFFFFFFC0000000UL) ^ 0x20000000UL) + 0x20000000UL) << 2);
46434 -+ regs->tpc = addr;
46435 -+ regs->tnpc = addr+4;
46436 -+ return 2;
46437 -+ }
46438 -+ } while (0);
46439 -+
46440 -+ do { /* PaX: patched PLT emulation #5 */
46441 -+ unsigned int sethi1, sethi2, or1, or2, sllx, jmpl, nop;
46442 -+
46443 -+ err = get_user(sethi1, (unsigned int *)regs->tpc);
46444 -+ err |= get_user(sethi2, (unsigned int *)(regs->tpc+4));
46445 -+ err |= get_user(or1, (unsigned int *)(regs->tpc+8));
46446 -+ err |= get_user(or2, (unsigned int *)(regs->tpc+12));
46447 -+ err |= get_user(sllx, (unsigned int *)(regs->tpc+16));
46448 -+ err |= get_user(jmpl, (unsigned int *)(regs->tpc+20));
46449 -+ err |= get_user(nop, (unsigned int *)(regs->tpc+24));
46450 -+
46451 -+ if (err)
46452 -+ break;
46453 -+
46454 -+ if ((sethi1 & 0xFFC00000U) == 0x03000000U &&
46455 -+ (sethi2 & 0xFFC00000U) == 0x0B000000U &&
46456 -+ (or1 & 0xFFFFE000U) == 0x82106000U &&
46457 -+ (or2 & 0xFFFFE000U) == 0x8A116000U &&
46458 -+ sllx == 0x83287020 &&
46459 -+ jmpl == 0x81C04005U &&
46460 -+ nop == 0x01000000U)
46461 -+ {
46462 -+ unsigned long addr;
46463 -+
46464 -+ regs->u_regs[UREG_G1] = ((sethi1 & 0x003FFFFFU) << 10) | (or1 & 0x000003FFU);
46465 -+ regs->u_regs[UREG_G1] <<= 32;
46466 -+ regs->u_regs[UREG_G5] = ((sethi2 & 0x003FFFFFU) << 10) | (or2 & 0x000003FFU);
46467 -+ addr = regs->u_regs[UREG_G1] + regs->u_regs[UREG_G5];
46468 -+ regs->tpc = addr;
46469 -+ regs->tnpc = addr+4;
46470 -+ return 2;
46471 -+ }
46472 -+ } while (0);
46473 -+
46474 -+ do { /* PaX: patched PLT emulation #6 */
46475 -+ unsigned int sethi1, sethi2, sllx, or, jmpl, nop;
46476 -+
46477 -+ err = get_user(sethi1, (unsigned int *)regs->tpc);
46478 -+ err |= get_user(sethi2, (unsigned int *)(regs->tpc+4));
46479 -+ err |= get_user(sllx, (unsigned int *)(regs->tpc+8));
46480 -+ err |= get_user(or, (unsigned int *)(regs->tpc+12));
46481 -+ err |= get_user(jmpl, (unsigned int *)(regs->tpc+16));
46482 -+ err |= get_user(nop, (unsigned int *)(regs->tpc+20));
46483 -+
46484 -+ if (err)
46485 -+ break;
46486 -+
46487 -+ if ((sethi1 & 0xFFC00000U) == 0x03000000U &&
46488 -+ (sethi2 & 0xFFC00000U) == 0x0B000000U &&
46489 -+ sllx == 0x83287020 &&
46490 -+ (or & 0xFFFFE000U) == 0x8A116000U &&
46491 -+ jmpl == 0x81C04005U &&
46492 -+ nop == 0x01000000U)
46493 -+ {
46494 -+ unsigned long addr;
46495 -+
46496 -+ regs->u_regs[UREG_G1] = (sethi1 & 0x003FFFFFU) << 10;
46497 -+ regs->u_regs[UREG_G1] <<= 32;
46498 -+ regs->u_regs[UREG_G5] = ((sethi2 & 0x003FFFFFU) << 10) | (or & 0x3FFU);
46499 -+ addr = regs->u_regs[UREG_G1] + regs->u_regs[UREG_G5];
46500 -+ regs->tpc = addr;
46501 -+ regs->tnpc = addr+4;
46502 -+ return 2;
46503 -+ }
46504 -+ } while (0);
46505 -+
46506 -+ do { /* PaX: patched PLT emulation #7 */
46507 -+ unsigned int sethi, ba, nop;
46508 -+
46509 -+ err = get_user(sethi, (unsigned int *)regs->tpc);
46510 -+ err |= get_user(ba, (unsigned int *)(regs->tpc+4));
46511 -+ err |= get_user(nop, (unsigned int *)(regs->tpc+8));
46512 -+
46513 -+ if (err)
46514 -+ break;
46515 -+
46516 -+ if ((sethi & 0xFFC00000U) == 0x03000000U &&
46517 -+ (ba & 0xFFF00000U) == 0x30600000U &&
46518 -+ nop == 0x01000000U)
46519 -+ {
46520 -+ unsigned long addr;
46521 -+
46522 -+ addr = (sethi & 0x003FFFFFU) << 10;
46523 -+ regs->u_regs[UREG_G1] = addr;
46524 -+ addr = regs->tpc + ((((ba | 0xFFFFFFFFFFF80000UL) ^ 0x00040000UL) + 0x00040000UL) << 2);
46525 -+ regs->tpc = addr;
46526 -+ regs->tnpc = addr+4;
46527 -+ return 2;
46528 -+ }
46529 -+ } while (0);
46530 -+
46531 -+ do { /* PaX: unpatched PLT emulation step 1 */
46532 -+ unsigned int sethi, ba, nop;
46533 -+
46534 -+ err = get_user(sethi, (unsigned int *)regs->tpc);
46535 -+ err |= get_user(ba, (unsigned int *)(regs->tpc+4));
46536 -+ err |= get_user(nop, (unsigned int *)(regs->tpc+8));
46537 -+
46538 -+ if (err)
46539 -+ break;
46540 -+
46541 -+ if ((sethi & 0xFFC00000U) == 0x03000000U &&
46542 -+ ((ba & 0xFFC00000U) == 0x30800000U || (ba & 0xFFF80000U) == 0x30680000U) &&
46543 -+ nop == 0x01000000U)
46544 -+ {
46545 -+ unsigned long addr;
46546 -+ unsigned int save, call;
46547 -+
46548 -+ if ((ba & 0xFFC00000U) == 0x30800000U)
46549 -+ addr = regs->tpc + 4 + ((((ba | 0xFFFFFFFFFFC00000UL) ^ 0x00200000UL) + 0x00200000UL) << 2);
46550 -+ else
46551 -+ addr = regs->tpc + 4 + ((((ba | 0xFFFFFFFFFFF80000UL) ^ 0x00040000UL) + 0x00040000UL) << 2);
46552 -+
46553 -+ err = get_user(save, (unsigned int *)addr);
46554 -+ err |= get_user(call, (unsigned int *)(addr+4));
46555 -+ err |= get_user(nop, (unsigned int *)(addr+8));
46556 -+ if (err)
46557 -+ break;
46558 -+
46559 -+ if (save == 0x9DE3BFA8U &&
46560 -+ (call & 0xC0000000U) == 0x40000000U &&
46561 -+ nop == 0x01000000U)
46562 -+ {
46563 -+ struct vm_area_struct *vma;
46564 -+ unsigned long call_dl_resolve;
46565 -+
46566 -+ down_read(&current->mm->mmap_sem);
46567 -+ call_dl_resolve = current->mm->call_dl_resolve;
46568 -+ up_read(&current->mm->mmap_sem);
46569 -+ if (likely(call_dl_resolve))
46570 -+ goto emulate;
46571 -+
46572 -+ vma = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
46573 -+
46574 -+ down_write(&current->mm->mmap_sem);
46575 -+ if (current->mm->call_dl_resolve) {
46576 -+ call_dl_resolve = current->mm->call_dl_resolve;
46577 -+ up_write(&current->mm->mmap_sem);
46578 -+ if (vma) kmem_cache_free(vm_area_cachep, vma);
46579 -+ goto emulate;
46580 -+ }
46581 -+
46582 -+ call_dl_resolve = get_unmapped_area(NULL, 0UL, PAGE_SIZE, 0UL, MAP_PRIVATE);
46583 -+ if (!vma || (call_dl_resolve & ~PAGE_MASK)) {
46584 -+ up_write(&current->mm->mmap_sem);
46585 -+ if (vma) kmem_cache_free(vm_area_cachep, vma);
46586 -+ return 1;
46587 -+ }
46588 -+
46589 -+ if (pax_insert_vma(vma, call_dl_resolve)) {
46590 -+ up_write(&current->mm->mmap_sem);
46591 -+ kmem_cache_free(vm_area_cachep, vma);
46592 -+ return 1;
46593 -+ }
46594 -+
46595 -+ current->mm->call_dl_resolve = call_dl_resolve;
46596 -+ up_write(&current->mm->mmap_sem);
46597 -+
46598 -+emulate:
46599 -+ regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
46600 -+ regs->tpc = call_dl_resolve;
46601 -+ regs->tnpc = addr+4;
46602 -+ return 3;
46603 -+ }
46604 -+ }
46605 -+ } while (0);
46606 -+
46607 -+ do { /* PaX: unpatched PLT emulation step 2 */
46608 -+ unsigned int save, call, nop;
46609 -+
46610 -+ err = get_user(save, (unsigned int *)(regs->tpc-4));
46611 -+ err |= get_user(call, (unsigned int *)regs->tpc);
46612 -+ err |= get_user(nop, (unsigned int *)(regs->tpc+4));
46613 -+ if (err)
46614 -+ break;
46615 -+
46616 -+ if (save == 0x9DE3BFA8U &&
46617 -+ (call & 0xC0000000U) == 0x40000000U &&
46618 -+ nop == 0x01000000U)
46619 -+ {
46620 -+ unsigned long dl_resolve = regs->tpc + ((((call | 0xFFFFFFFFC0000000UL) ^ 0x20000000UL) + 0x20000000UL) << 2);
46621 -+
46622 -+ regs->u_regs[UREG_RETPC] = regs->tpc;
46623 -+ regs->tpc = dl_resolve;
46624 -+ regs->tnpc = dl_resolve+4;
46625 -+ return 3;
46626 -+ }
46627 -+ } while (0);
46628 -+#endif
46629 -+
46630 -+ return 1;
46631 -+}
46632 -+
46633 -+void pax_report_insns(void *pc, void *sp)
46634 -+{
46635 -+ unsigned long i;
46636 -+
46637 -+ printk(KERN_ERR "PAX: bytes at PC: ");
46638 -+ for (i = 0; i < 5; i++) {
46639 -+ unsigned int c;
46640 -+ if (get_user(c, (unsigned int *)pc+i))
46641 -+ printk("???????? ");
46642 -+ else
46643 -+ printk("%08x ", c);
46644 -+ }
46645 -+ printk("\n");
46646 -+}
46647 -+#endif
46648 -+
46649 - asmlinkage void __kprobes do_sparc64_fault(struct pt_regs *regs)
46650 - {
46651 - struct mm_struct *mm = current->mm;
46652 -@@ -311,8 +678,10 @@ asmlinkage void __kprobes do_sparc64_fau
46653 - goto intr_or_no_mm;
46654 -
46655 - if (test_thread_flag(TIF_32BIT)) {
46656 -- if (!(regs->tstate & TSTATE_PRIV))
46657 -+ if (!(regs->tstate & TSTATE_PRIV)) {
46658 - regs->tpc &= 0xffffffff;
46659 -+ regs->tnpc &= 0xffffffff;
46660 -+ }
46661 - address &= 0xffffffff;
46662 - }
46663 -
46664 -@@ -329,6 +698,29 @@ asmlinkage void __kprobes do_sparc64_fau
46665 - if (!vma)
46666 - goto bad_area;
46667 -
46668 -+#ifdef CONFIG_PAX_PAGEEXEC
46669 -+ /* PaX: detect ITLB misses on non-exec pages */
46670 -+ if ((mm->pax_flags & MF_PAX_PAGEEXEC) && vma->vm_start <= address &&
46671 -+ !(vma->vm_flags & VM_EXEC) && (fault_code & FAULT_CODE_ITLB))
46672 -+ {
46673 -+ if (address != regs->tpc)
46674 -+ goto good_area;
46675 -+
46676 -+ up_read(&mm->mmap_sem);
46677 -+ switch (pax_handle_fetch_fault(regs)) {
46678 -+
46679 -+#ifdef CONFIG_PAX_EMUPLT
46680 -+ case 2:
46681 -+ case 3:
46682 -+ return;
46683 -+#endif
46684 -+
46685 -+ }
46686 -+ pax_report_fault(regs, (void*)regs->tpc, (void*)(regs->u_regs[UREG_FP] + STACK_BIAS));
46687 -+ do_exit(SIGKILL);
46688 -+ }
46689 -+#endif
46690 -+
46691 - /* Pure DTLB misses do not tell us whether the fault causing
46692 - * load/store/atomic was a write or not, it only says that there
46693 - * was no match. So in such a case we (carefully) read the
46694 -diff -Nurp linux-2.6.23.15/arch/v850/kernel/module.c linux-2.6.23.15-grsec/arch/v850/kernel/module.c
46695 ---- linux-2.6.23.15/arch/v850/kernel/module.c 2007-10-09 21:31:38.000000000 +0100
46696 -+++ linux-2.6.23.15-grsec/arch/v850/kernel/module.c 2008-02-11 10:37:44.000000000 +0000
46697 -@@ -150,8 +150,8 @@ static uint32_t do_plt_call (void *locat
46698 - tramp[1] = ((val >> 16) & 0xffff) + 0x610000; /* ...; jmp r1 */
46699 -
46700 - /* Init, or core PLT? */
46701 -- if (location >= mod->module_core
46702 -- && location < mod->module_core + mod->core_size)
46703 -+ if (location >= mod->module_core_rx
46704 -+ && location < mod->module_core_rx + mod->core_size_rx)
46705 - entry = (void *)sechdrs[mod->arch.core_plt_section].sh_addr;
46706 - else
46707 - entry = (void *)sechdrs[mod->arch.init_plt_section].sh_addr;
46708 -diff -Nurp linux-2.6.23.15/arch/x86_64/ia32/ia32_binfmt.c linux-2.6.23.15-grsec/arch/x86_64/ia32/ia32_binfmt.c
46709 ---- linux-2.6.23.15/arch/x86_64/ia32/ia32_binfmt.c 2007-10-09 21:31:38.000000000 +0100
46710 -+++ linux-2.6.23.15-grsec/arch/x86_64/ia32/ia32_binfmt.c 2008-02-11 10:37:44.000000000 +0000
46711 -@@ -36,12 +36,12 @@
46712 - #define AT_SYSINFO 32
46713 - #define AT_SYSINFO_EHDR 33
46714 -
46715 --int sysctl_vsyscall32 = 1;
46716 -+int sysctl_vsyscall32;
46717 -
46718 - #undef ARCH_DLINFO
46719 - #define ARCH_DLINFO do { \
46720 - if (sysctl_vsyscall32) { \
46721 -- current->mm->context.vdso = (void *)VSYSCALL32_BASE; \
46722 -+ current->mm->context.vdso = VSYSCALL32_BASE; \
46723 - NEW_AUX_ENT(AT_SYSINFO, (u32)(u64)VSYSCALL32_VSYSCALL); \
46724 - NEW_AUX_ENT(AT_SYSINFO_EHDR, VSYSCALL32_BASE); \
46725 - } \
46726 -@@ -145,6 +145,13 @@ struct elf_prpsinfo
46727 - //#include <asm/ia32.h>
46728 - #include <linux/elf.h>
46729 -
46730 -+#ifdef CONFIG_PAX_ASLR
46731 -+#define PAX_ELF_ET_DYN_BASE 0x08048000UL
46732 -+
46733 -+#define PAX_DELTA_MMAP_LEN 16
46734 -+#define PAX_DELTA_STACK_LEN 16
46735 -+#endif
46736 -+
46737 - typedef struct user_i387_ia32_struct elf_fpregset_t;
46738 - typedef struct user32_fxsr_struct elf_fpxregset_t;
46739 -
46740 -@@ -298,7 +305,7 @@ static ctl_table abi_table2[] = {
46741 - .mode = 0644,
46742 - .proc_handler = proc_dointvec
46743 - },
46744 -- {}
46745 -+ { 0, NULL, NULL, 0, 0, NULL, NULL, NULL, NULL, NULL, NULL }
46746 - };
46747 -
46748 - static ctl_table abi_root_table2[] = {
46749 -@@ -308,7 +315,7 @@ static ctl_table abi_root_table2[] = {
46750 - .mode = 0555,
46751 - .child = abi_table2
46752 - },
46753 -- {}
46754 -+ { 0, NULL, NULL, 0, 0, NULL, NULL, NULL, NULL, NULL, NULL }
46755 - };
46756 -
46757 - static __init int ia32_binfmt_init(void)
46758 -diff -Nurp linux-2.6.23.15/arch/x86_64/ia32/ia32_signal.c linux-2.6.23.15-grsec/arch/x86_64/ia32/ia32_signal.c
46759 ---- linux-2.6.23.15/arch/x86_64/ia32/ia32_signal.c 2007-10-09 21:31:38.000000000 +0100
46760 -+++ linux-2.6.23.15-grsec/arch/x86_64/ia32/ia32_signal.c 2008-02-11 10:37:44.000000000 +0000
46761 -@@ -573,6 +573,7 @@ int ia32_setup_rt_frame(int sig, struct
46762 - __NR_ia32_rt_sigreturn,
46763 - 0x80cd,
46764 - 0,
46765 -+ 0
46766 - };
46767 - err |= __copy_to_user(frame->retcode, &code, 8);
46768 - }
46769 -diff -Nurp linux-2.6.23.15/arch/x86_64/ia32/mmap32.c linux-2.6.23.15-grsec/arch/x86_64/ia32/mmap32.c
46770 ---- linux-2.6.23.15/arch/x86_64/ia32/mmap32.c 2007-10-09 21:31:38.000000000 +0100
46771 -+++ linux-2.6.23.15-grsec/arch/x86_64/ia32/mmap32.c 2008-02-11 10:37:44.000000000 +0000
46772 -@@ -69,10 +69,22 @@ void ia32_pick_mmap_layout(struct mm_str
46773 - (current->personality & ADDR_COMPAT_LAYOUT) ||
46774 - current->signal->rlim[RLIMIT_STACK].rlim_cur == RLIM_INFINITY) {
46775 - mm->mmap_base = TASK_UNMAPPED_BASE;
46776 -+
46777 -+#ifdef CONFIG_PAX_RANDMMAP
46778 -+ if (mm->pax_flags & MF_PAX_RANDMMAP)
46779 -+ mm->mmap_base += mm->delta_mmap;
46780 -+#endif
46781 -+
46782 - mm->get_unmapped_area = arch_get_unmapped_area;
46783 - mm->unmap_area = arch_unmap_area;
46784 - } else {
46785 - mm->mmap_base = mmap_base(mm);
46786 -+
46787 -+#ifdef CONFIG_PAX_RANDMMAP
46788 -+ if (mm->pax_flags & MF_PAX_RANDMMAP)
46789 -+ mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
46790 -+#endif
46791 -+
46792 - mm->get_unmapped_area = arch_get_unmapped_area_topdown;
46793 - mm->unmap_area = arch_unmap_area_topdown;
46794 - }
46795 -diff -Nurp linux-2.6.23.15/arch/x86_64/ia32/ptrace32.c linux-2.6.23.15-grsec/arch/x86_64/ia32/ptrace32.c
46796 ---- linux-2.6.23.15/arch/x86_64/ia32/ptrace32.c 2007-10-09 21:31:38.000000000 +0100
46797 -+++ linux-2.6.23.15-grsec/arch/x86_64/ia32/ptrace32.c 2008-02-11 10:37:44.000000000 +0000
46798 -@@ -382,7 +382,7 @@ asmlinkage long sys32_ptrace(long reques
46799 - /* no checking to be bug-to-bug compatible with i386. */
46800 - /* but silence warning */
46801 - if (__copy_from_user(&child->thread.i387.fxsave, u, sizeof(*u)))
46802 -- ;
46803 -+ {}
46804 - set_stopped_child_used_math(child);
46805 - child->thread.i387.fxsave.mxcsr &= mxcsr_feature_mask;
46806 - ret = 0;
46807 -diff -Nurp linux-2.6.23.15/arch/x86_64/ia32/syscall32.c linux-2.6.23.15-grsec/arch/x86_64/ia32/syscall32.c
46808 ---- linux-2.6.23.15/arch/x86_64/ia32/syscall32.c 2007-10-09 21:31:38.000000000 +0100
46809 -+++ linux-2.6.23.15-grsec/arch/x86_64/ia32/syscall32.c 2008-02-11 10:37:44.000000000 +0000
46810 -@@ -30,6 +30,9 @@ int syscall32_setup_pages(struct linux_b
46811 - struct mm_struct *mm = current->mm;
46812 - int ret;
46813 -
46814 -+ if (!sysctl_vsyscall32)
46815 -+ return 0;
46816 -+
46817 - down_write(&mm->mmap_sem);
46818 - /*
46819 - * MAYWRITE to allow gdb to COW and set breakpoints
46820 -diff -Nurp linux-2.6.23.15/arch/x86_64/kernel/hpet.c linux-2.6.23.15-grsec/arch/x86_64/kernel/hpet.c
46821 ---- linux-2.6.23.15/arch/x86_64/kernel/hpet.c 2007-10-09 21:31:38.000000000 +0100
46822 -+++ linux-2.6.23.15-grsec/arch/x86_64/kernel/hpet.c 2008-02-11 10:37:44.000000000 +0000
46823 -@@ -65,7 +65,7 @@ static __init int late_hpet_init(void)
46824 - hpet = (struct hpet *) fix_to_virt(FIX_HPET_BASE);
46825 - timer = &hpet->hpet_timers[2];
46826 - for (i = 2; i < ntimer; timer++, i++)
46827 -- hd.hd_irq[i] = (timer->hpet_config &
46828 -+ hd.hd_irq[i] = (readl(&timer->hpet_config) &
46829 - Tn_INT_ROUTE_CNF_MASK) >>
46830 - Tn_INT_ROUTE_CNF_SHIFT;
46831 -
46832 -diff -Nurp linux-2.6.23.15/arch/x86_64/kernel/i8259.c linux-2.6.23.15-grsec/arch/x86_64/kernel/i8259.c
46833 ---- linux-2.6.23.15/arch/x86_64/kernel/i8259.c 2007-10-09 21:31:38.000000000 +0100
46834 -+++ linux-2.6.23.15-grsec/arch/x86_64/kernel/i8259.c 2008-02-11 10:37:44.000000000 +0000
46835 -@@ -395,7 +395,7 @@ device_initcall(i8259A_init_sysfs);
46836 - * IRQ2 is cascade interrupt to second interrupt controller
46837 - */
46838 -
46839 --static struct irqaction irq2 = { no_action, 0, CPU_MASK_NONE, "cascade", NULL, NULL};
46840 -+static struct irqaction irq2 = { no_action, 0, CPU_MASK_NONE, "cascade", NULL, NULL, 0, NULL};
46841 - DEFINE_PER_CPU(vector_irq_t, vector_irq) = {
46842 - [0 ... IRQ0_VECTOR - 1] = -1,
46843 - [IRQ0_VECTOR] = 0,
46844 -diff -Nurp linux-2.6.23.15/arch/x86_64/kernel/ioport.c linux-2.6.23.15-grsec/arch/x86_64/kernel/ioport.c
46845 ---- linux-2.6.23.15/arch/x86_64/kernel/ioport.c 2007-10-09 21:31:38.000000000 +0100
46846 -+++ linux-2.6.23.15-grsec/arch/x86_64/kernel/ioport.c 2008-02-11 10:37:44.000000000 +0000
46847 -@@ -16,6 +16,7 @@
46848 - #include <linux/slab.h>
46849 - #include <linux/thread_info.h>
46850 - #include <linux/syscalls.h>
46851 -+#include <linux/grsecurity.h>
46852 -
46853 - /* Set EXTENT bits starting at BASE in BITMAP to value TURN_ON. */
46854 - static void set_bitmap(unsigned long *bitmap, unsigned int base, unsigned int extent, int new_value)
46855 -@@ -41,8 +42,16 @@ asmlinkage long sys_ioperm(unsigned long
46856 -
46857 - if ((from + num <= from) || (from + num > IO_BITMAP_BITS))
46858 - return -EINVAL;
46859 -+
46860 -+#ifdef CONFIG_GRKERNSEC_IO
46861 -+ if (turn_on) {
46862 -+ gr_handle_ioperm();
46863 -+ return -EPERM;
46864 -+ }
46865 -+#else
46866 - if (turn_on && !capable(CAP_SYS_RAWIO))
46867 - return -EPERM;
46868 -+#endif
46869 -
46870 - /*
46871 - * If it's the first ioperm() call in this thread's lifetime, set the
46872 -@@ -111,8 +120,13 @@ asmlinkage long sys_iopl(unsigned int le
46873 - return -EINVAL;
46874 - /* Trying to gain more privileges? */
46875 - if (level > old) {
46876 -+#ifdef CONFIG_GRKERNSEC_IO
46877 -+ gr_handle_iopl();
46878 -+ return -EPERM;
46879 -+#else
46880 - if (!capable(CAP_SYS_RAWIO))
46881 - return -EPERM;
46882 -+#endif
46883 - }
46884 - regs->eflags = (regs->eflags &~ X86_EFLAGS_IOPL) | (level << 12);
46885 - return 0;
46886 -diff -Nurp linux-2.6.23.15/arch/x86_64/kernel/mce.c linux-2.6.23.15-grsec/arch/x86_64/kernel/mce.c
46887 ---- linux-2.6.23.15/arch/x86_64/kernel/mce.c 2007-10-09 21:31:38.000000000 +0100
46888 -+++ linux-2.6.23.15-grsec/arch/x86_64/kernel/mce.c 2008-02-11 10:37:44.000000000 +0000
46889 -@@ -665,6 +665,7 @@ static struct miscdevice mce_log_device
46890 - MISC_MCELOG_MINOR,
46891 - "mcelog",
46892 - &mce_chrdev_ops,
46893 -+ {NULL, NULL}, NULL, NULL
46894 - };
46895 -
46896 - static unsigned long old_cr4 __initdata;
46897 -diff -Nurp linux-2.6.23.15/arch/x86_64/kernel/process.c linux-2.6.23.15-grsec/arch/x86_64/kernel/process.c
46898 ---- linux-2.6.23.15/arch/x86_64/kernel/process.c 2007-10-09 21:31:38.000000000 +0100
46899 -+++ linux-2.6.23.15-grsec/arch/x86_64/kernel/process.c 2008-02-11 10:37:44.000000000 +0000
46900 -@@ -894,10 +894,3 @@ int dump_task_regs(struct task_struct *t
46901 -
46902 - return 1;
46903 - }
46904 --
46905 --unsigned long arch_align_stack(unsigned long sp)
46906 --{
46907 -- if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
46908 -- sp -= get_random_int() % 8192;
46909 -- return sp & ~0xf;
46910 --}
46911 -diff -Nurp linux-2.6.23.15/arch/x86_64/kernel/setup64.c linux-2.6.23.15-grsec/arch/x86_64/kernel/setup64.c
46912 ---- linux-2.6.23.15/arch/x86_64/kernel/setup64.c 2007-10-09 21:31:38.000000000 +0100
46913 -+++ linux-2.6.23.15-grsec/arch/x86_64/kernel/setup64.c 2008-02-11 10:37:44.000000000 +0000
46914 -@@ -37,7 +37,7 @@ struct desc_ptr idt_descr = { 256 * 16 -
46915 - char boot_cpu_stack[IRQSTACKSIZE] __attribute__((section(".bss.page_aligned")));
46916 -
46917 - unsigned long __supported_pte_mask __read_mostly = ~0UL;
46918 --static int do_not_nx __cpuinitdata = 0;
46919 -+EXPORT_SYMBOL(__supported_pte_mask);
46920 -
46921 - /* noexec=on|off
46922 - Control non executable mappings for 64bit processes.
46923 -@@ -51,16 +51,14 @@ static int __init nonx_setup(char *str)
46924 - return -EINVAL;
46925 - if (!strncmp(str, "on", 2)) {
46926 - __supported_pte_mask |= _PAGE_NX;
46927 -- do_not_nx = 0;
46928 - } else if (!strncmp(str, "off", 3)) {
46929 -- do_not_nx = 1;
46930 - __supported_pte_mask &= ~_PAGE_NX;
46931 - }
46932 - return 0;
46933 - }
46934 - early_param("noexec", nonx_setup);
46935 -
46936 --int force_personality32 = 0;
46937 -+int force_personality32;
46938 -
46939 - /* noexec32=on|off
46940 - Control non executable heap for 32bit processes.
46941 -@@ -177,7 +175,7 @@ void __cpuinit check_efer(void)
46942 - unsigned long efer;
46943 -
46944 - rdmsrl(MSR_EFER, efer);
46945 -- if (!(efer & EFER_NX) || do_not_nx) {
46946 -+ if (!(efer & EFER_NX)) {
46947 - __supported_pte_mask &= ~_PAGE_NX;
46948 - }
46949 - }
46950 -diff -Nurp linux-2.6.23.15/arch/x86_64/kernel/signal.c linux-2.6.23.15-grsec/arch/x86_64/kernel/signal.c
46951 ---- linux-2.6.23.15/arch/x86_64/kernel/signal.c 2007-10-09 21:31:38.000000000 +0100
46952 -+++ linux-2.6.23.15-grsec/arch/x86_64/kernel/signal.c 2008-02-11 10:37:44.000000000 +0000
46953 -@@ -254,8 +254,8 @@ static int setup_rt_frame(int sig, struc
46954 - err |= setup_sigcontext(&frame->uc.uc_mcontext, regs, set->sig[0], me);
46955 - err |= __put_user(fp, &frame->uc.uc_mcontext.fpstate);
46956 - if (sizeof(*set) == 16) {
46957 -- __put_user(set->sig[0], &frame->uc.uc_sigmask.sig[0]);
46958 -- __put_user(set->sig[1], &frame->uc.uc_sigmask.sig[1]);
46959 -+ err |= __put_user(set->sig[0], &frame->uc.uc_sigmask.sig[0]);
46960 -+ err |= __put_user(set->sig[1], &frame->uc.uc_sigmask.sig[1]);
46961 - } else
46962 - err |= __copy_to_user(&frame->uc.uc_sigmask, set, sizeof(*set));
46963 -
46964 -diff -Nurp linux-2.6.23.15/arch/x86_64/kernel/sys_x86_64.c linux-2.6.23.15-grsec/arch/x86_64/kernel/sys_x86_64.c
46965 ---- linux-2.6.23.15/arch/x86_64/kernel/sys_x86_64.c 2007-10-09 21:31:38.000000000 +0100
46966 -+++ linux-2.6.23.15-grsec/arch/x86_64/kernel/sys_x86_64.c 2008-02-11 10:37:44.000000000 +0000
46967 -@@ -65,8 +65,8 @@ out:
46968 - return error;
46969 - }
46970 -
46971 --static void find_start_end(unsigned long flags, unsigned long *begin,
46972 -- unsigned long *end)
46973 -+static void find_start_end(struct mm_struct *mm, unsigned long flags,
46974 -+ unsigned long *begin, unsigned long *end)
46975 - {
46976 - if (!test_thread_flag(TIF_IA32) && (flags & MAP_32BIT)) {
46977 - /* This is usually used needed to map code in small
46978 -@@ -79,7 +79,7 @@ static void find_start_end(unsigned long
46979 - *begin = 0x40000000;
46980 - *end = 0x80000000;
46981 - } else {
46982 -- *begin = TASK_UNMAPPED_BASE;
46983 -+ *begin = mm->mmap_base;
46984 - *end = TASK_SIZE;
46985 - }
46986 - }
46987 -@@ -96,11 +96,15 @@ arch_get_unmapped_area(struct file *filp
46988 - if (flags & MAP_FIXED)
46989 - return addr;
46990 -
46991 -- find_start_end(flags, &begin, &end);
46992 -+ find_start_end(mm, flags, &begin, &end);
46993 -
46994 - if (len > end)
46995 - return -ENOMEM;
46996 -
46997 -+#ifdef CONFIG_PAX_RANDMMAP
46998 -+ if (!(mm->pax_flags & MF_PAX_RANDMMAP) || !filp)
46999 -+#endif
47000 -+
47001 - if (addr) {
47002 - addr = PAGE_ALIGN(addr);
47003 - vma = find_vma(mm, addr);
47004 -diff -Nurp linux-2.6.23.15/arch/x86_64/kernel/vsyscall.c linux-2.6.23.15-grsec/arch/x86_64/kernel/vsyscall.c
47005 ---- linux-2.6.23.15/arch/x86_64/kernel/vsyscall.c 2007-10-09 21:31:38.000000000 +0100
47006 -+++ linux-2.6.23.15-grsec/arch/x86_64/kernel/vsyscall.c 2008-02-11 10:37:44.000000000 +0000
47007 -@@ -273,13 +273,13 @@ static ctl_table kernel_table2[] = {
47008 - .mode = 0644,
47009 - .strategy = vsyscall_sysctl_nostrat,
47010 - .proc_handler = vsyscall_sysctl_change },
47011 -- {}
47012 -+ { 0, NULL, NULL, 0, 0, NULL, NULL, NULL, NULL, NULL, NULL }
47013 - };
47014 -
47015 - static ctl_table kernel_root_table2[] = {
47016 - { .ctl_name = CTL_KERN, .procname = "kernel", .mode = 0555,
47017 - .child = kernel_table2 },
47018 -- {}
47019 -+ { 0, NULL, NULL, 0, 0, NULL, NULL, NULL, NULL, NULL, NULL }
47020 - };
47021 -
47022 - #endif
47023 -diff -Nurp linux-2.6.23.15/arch/x86_64/mm/fault.c linux-2.6.23.15-grsec/arch/x86_64/mm/fault.c
47024 ---- linux-2.6.23.15/arch/x86_64/mm/fault.c 2007-10-09 21:31:38.000000000 +0100
47025 -+++ linux-2.6.23.15-grsec/arch/x86_64/mm/fault.c 2008-02-11 10:37:44.000000000 +0000
47026 -@@ -25,6 +25,7 @@
47027 - #include <linux/kprobes.h>
47028 - #include <linux/uaccess.h>
47029 - #include <linux/kdebug.h>
47030 -+#include <linux/binfmts.h>
47031 -
47032 - #include <asm/system.h>
47033 - #include <asm/pgalloc.h>
47034 -@@ -291,6 +292,163 @@ static int vmalloc_fault(unsigned long a
47035 - return 0;
47036 - }
47037 -
47038 -+#ifdef CONFIG_PAX_EMUTRAMP
47039 -+static int pax_handle_fetch_fault_32(struct pt_regs *regs)
47040 -+{
47041 -+ int err;
47042 -+
47043 -+ do { /* PaX: gcc trampoline emulation #1 */
47044 -+ unsigned char mov1, mov2;
47045 -+ unsigned short jmp;
47046 -+ unsigned int addr1, addr2;
47047 -+
47048 -+ if ((regs->rip + 11) >> 32)
47049 -+ break;
47050 -+
47051 -+ err = get_user(mov1, (unsigned char __user *)regs->rip);
47052 -+ err |= get_user(addr1, (unsigned int __user *)(regs->rip + 1));
47053 -+ err |= get_user(mov2, (unsigned char __user *)(regs->rip + 5));
47054 -+ err |= get_user(addr2, (unsigned int __user *)(regs->rip + 6));
47055 -+ err |= get_user(jmp, (unsigned short __user *)(regs->rip + 10));
47056 -+
47057 -+ if (err)
47058 -+ break;
47059 -+
47060 -+ if (mov1 == 0xB9 && mov2 == 0xB8 && jmp == 0xE0FF) {
47061 -+ regs->rcx = addr1;
47062 -+ regs->rax = addr2;
47063 -+ regs->rip = addr2;
47064 -+ return 2;
47065 -+ }
47066 -+ } while (0);
47067 -+
47068 -+ do { /* PaX: gcc trampoline emulation #2 */
47069 -+ unsigned char mov, jmp;
47070 -+ unsigned int addr1, addr2;
47071 -+
47072 -+ if ((regs->rip + 9) >> 32)
47073 -+ break;
47074 -+
47075 -+ err = get_user(mov, (unsigned char __user *)regs->rip);
47076 -+ err |= get_user(addr1, (unsigned int __user *)(regs->rip + 1));
47077 -+ err |= get_user(jmp, (unsigned char __user *)(regs->rip + 5));
47078 -+ err |= get_user(addr2, (unsigned int __user *)(regs->rip + 6));
47079 -+
47080 -+ if (err)
47081 -+ break;
47082 -+
47083 -+ if (mov == 0xB9 && jmp == 0xE9) {
47084 -+ regs->rcx = addr1;
47085 -+ regs->rip = (unsigned int)(regs->rip + addr2 + 10);
47086 -+ return 2;
47087 -+ }
47088 -+ } while (0);
47089 -+
47090 -+ return 1; /* PaX in action */
47091 -+}
47092 -+
47093 -+static int pax_handle_fetch_fault_64(struct pt_regs *regs)
47094 -+{
47095 -+ int err;
47096 -+
47097 -+ do { /* PaX: gcc trampoline emulation #1 */
47098 -+ unsigned short mov1, mov2, jmp1;
47099 -+ unsigned char jmp2;
47100 -+ unsigned int addr1;
47101 -+ unsigned long addr2;
47102 -+
47103 -+ err = get_user(mov1, (unsigned short __user *)regs->rip);
47104 -+ err |= get_user(addr1, (unsigned int __user *)(regs->rip + 2));
47105 -+ err |= get_user(mov2, (unsigned short __user *)(regs->rip + 6));
47106 -+ err |= get_user(addr2, (unsigned long __user *)(regs->rip + 8));
47107 -+ err |= get_user(jmp1, (unsigned short __user *)(regs->rip + 16));
47108 -+ err |= get_user(jmp2, (unsigned char __user *)(regs->rip + 18));
47109 -+
47110 -+ if (err)
47111 -+ break;
47112 -+
47113 -+ if (mov1 == 0xBB41 && mov2 == 0xBA49 && jmp1 == 0xFF49 && jmp2 == 0xE3) {
47114 -+ regs->r11 = addr1;
47115 -+ regs->r10 = addr2;
47116 -+ regs->rip = addr1;
47117 -+ return 2;
47118 -+ }
47119 -+ } while (0);
47120 -+
47121 -+ do { /* PaX: gcc trampoline emulation #2 */
47122 -+ unsigned short mov1, mov2, jmp1;
47123 -+ unsigned char jmp2;
47124 -+ unsigned long addr1, addr2;
47125 -+
47126 -+ err = get_user(mov1, (unsigned short __user *)regs->rip);
47127 -+ err |= get_user(addr1, (unsigned long __user *)(regs->rip + 2));
47128 -+ err |= get_user(mov2, (unsigned short __user *)(regs->rip + 10));
47129 -+ err |= get_user(addr2, (unsigned long __user *)(regs->rip + 12));
47130 -+ err |= get_user(jmp1, (unsigned short __user *)(regs->rip + 20));
47131 -+ err |= get_user(jmp2, (unsigned char __user *)(regs->rip + 22));
47132 -+
47133 -+ if (err)
47134 -+ break;
47135 -+
47136 -+ if (mov1 == 0xBB49 && mov2 == 0xBA49 && jmp1 == 0xFF49 && jmp2 == 0xE3) {
47137 -+ regs->r11 = addr1;
47138 -+ regs->r10 = addr2;
47139 -+ regs->rip = addr1;
47140 -+ return 2;
47141 -+ }
47142 -+ } while (0);
47143 -+
47144 -+ return 1; /* PaX in action */
47145 -+}
47146 -+
47147 -+/*
47148 -+ * PaX: decide what to do with offenders (regs->rip = fault address)
47149 -+ *
47150 -+ * returns 1 when task should be killed
47151 -+ * 2 when gcc trampoline was detected
47152 -+ */
47153 -+static int pax_handle_fetch_fault(struct pt_regs *regs)
47154 -+{
47155 -+ if (regs->eflags & X86_EFLAGS_VM)
47156 -+ return 1;
47157 -+
47158 -+ if (!(current->mm->pax_flags & MF_PAX_EMUTRAMP))
47159 -+ return 1;
47160 -+
47161 -+ if (regs->cs == __USER32_CS || (regs->cs & (1<<2)))
47162 -+ return pax_handle_fetch_fault_32(regs);
47163 -+ else
47164 -+ return pax_handle_fetch_fault_64(regs);
47165 -+}
47166 -+#endif
47167 -+
47168 -+#ifdef CONFIG_PAX_PAGEEXEC
47169 -+void pax_report_insns(void *pc, void *sp)
47170 -+{
47171 -+ long i;
47172 -+
47173 -+ printk(KERN_ERR "PAX: bytes at PC: ");
47174 -+ for (i = 0; i < 20; i++) {
47175 -+ unsigned char c;
47176 -+ if (get_user(c, (unsigned char __user *)pc+i))
47177 -+ printk("?? ");
47178 -+ else
47179 -+ printk("%02x ", c);
47180 -+ }
47181 -+ printk("\n");
47182 -+
47183 -+ printk(KERN_ERR "PAX: bytes at SP-8: ");
47184 -+ for (i = -1; i < 10; i++) {
47185 -+ unsigned long c;
47186 -+ if (get_user(c, (unsigned long __user *)sp+i))
47187 -+ printk("???????????????? ");
47188 -+ else
47189 -+ printk("%016lx ", c);
47190 -+ }
47191 -+ printk("\n");
47192 -+}
47193 -+#endif
47194 -+
47195 - static int page_fault_trace;
47196 - int show_unhandled_signals = 1;
47197 -
47198 -@@ -427,6 +585,8 @@ asmlinkage void __kprobes do_page_fault(
47199 - good_area:
47200 - info.si_code = SEGV_ACCERR;
47201 - write = 0;
47202 -+ if ((error_code & PF_INSTR) && !(vma->vm_flags & VM_EXEC))
47203 -+ goto bad_area;
47204 - switch (error_code & (PF_PROT|PF_WRITE)) {
47205 - default: /* 3: write, present */
47206 - /* fall through */
47207 -@@ -478,6 +638,21 @@ bad_area_nosemaphore:
47208 - */
47209 - local_irq_enable();
47210 -
47211 -+#ifdef CONFIG_PAX_PAGEEXEC
47212 -+ if (mm && (mm->pax_flags & MF_PAX_PAGEEXEC) && (error_code & 16)) {
47213 -+
47214 -+#ifdef CONFIG_PAX_EMUTRAMP
47215 -+ switch (pax_handle_fetch_fault(regs)) {
47216 -+ case 2:
47217 -+ return;
47218 -+ }
47219 -+#endif
47220 -+
47221 -+ pax_report_fault(regs, (void*)regs->rip, (void*)regs->rsp);
47222 -+ do_exit(SIGKILL);
47223 -+ }
47224 -+#endif
47225 -+
47226 - if (is_prefetch(regs, address, error_code))
47227 - return;
47228 -
47229 -@@ -499,7 +674,7 @@ bad_area_nosemaphore:
47230 - tsk->comm, tsk->pid, address, regs->rip,
47231 - regs->rsp, error_code);
47232 - }
47233 --
47234 -+
47235 - tsk->thread.cr2 = address;
47236 - /* Kernel addresses are always protection faults */
47237 - tsk->thread.error_code = error_code | (address >= TASK_SIZE);
47238 -diff -Nurp linux-2.6.23.15/arch/x86_64/mm/init.c linux-2.6.23.15-grsec/arch/x86_64/mm/init.c
47239 ---- linux-2.6.23.15/arch/x86_64/mm/init.c 2008-02-11 10:36:03.000000000 +0000
47240 -+++ linux-2.6.23.15-grsec/arch/x86_64/mm/init.c 2008-02-11 10:37:44.000000000 +0000
47241 -@@ -45,7 +45,7 @@
47242 - #include <asm/sections.h>
47243 -
47244 - #ifndef Dprintk
47245 --#define Dprintk(x...)
47246 -+#define Dprintk(x...) do {} while (0)
47247 - #endif
47248 -
47249 - const struct dma_mapping_ops* dma_ops;
47250 -@@ -736,7 +736,7 @@ int in_gate_area_no_task(unsigned long a
47251 -
47252 - const char *arch_vma_name(struct vm_area_struct *vma)
47253 - {
47254 -- if (vma->vm_mm && vma->vm_start == (long)vma->vm_mm->context.vdso)
47255 -+ if (vma->vm_mm && vma->vm_start == vma->vm_mm->context.vdso)
47256 - return "[vdso]";
47257 - if (vma == &gate_vma)
47258 - return "[vsyscall]";
47259 -diff -Nurp linux-2.6.23.15/arch/x86_64/mm/mmap.c linux-2.6.23.15-grsec/arch/x86_64/mm/mmap.c
47260 ---- linux-2.6.23.15/arch/x86_64/mm/mmap.c 2007-10-09 21:31:38.000000000 +0100
47261 -+++ linux-2.6.23.15-grsec/arch/x86_64/mm/mmap.c 2008-02-11 10:37:44.000000000 +0000
47262 -@@ -23,6 +23,12 @@ void arch_pick_mmap_layout(struct mm_str
47263 - unsigned rnd = get_random_int() & 0xfffffff;
47264 - mm->mmap_base += ((unsigned long)rnd) << PAGE_SHIFT;
47265 - }
47266 -+
47267 -+#ifdef CONFIG_PAX_RANDMMAP
47268 -+ if (mm->pax_flags & MF_PAX_RANDMMAP)
47269 -+ mm->mmap_base += mm->delta_mmap;
47270 -+#endif
47271 -+
47272 - mm->get_unmapped_area = arch_get_unmapped_area;
47273 - mm->unmap_area = arch_unmap_area;
47274 - }
47275 -diff -Nurp linux-2.6.23.15/arch/x86_64/mm/numa.c linux-2.6.23.15-grsec/arch/x86_64/mm/numa.c
47276 ---- linux-2.6.23.15/arch/x86_64/mm/numa.c 2007-10-09 21:31:38.000000000 +0100
47277 -+++ linux-2.6.23.15-grsec/arch/x86_64/mm/numa.c 2008-02-11 10:37:44.000000000 +0000
47278 -@@ -19,7 +19,7 @@
47279 - #include <asm/acpi.h>
47280 -
47281 - #ifndef Dprintk
47282 --#define Dprintk(x...)
47283 -+#define Dprintk(x...) do {} while (0)
47284 - #endif
47285 -
47286 - struct pglist_data *node_data[MAX_NUMNODES] __read_mostly;
47287 -diff -Nurp linux-2.6.23.15/arch/x86_64/vdso/vma.c linux-2.6.23.15-grsec/arch/x86_64/vdso/vma.c
47288 ---- linux-2.6.23.15/arch/x86_64/vdso/vma.c 2007-10-09 21:31:38.000000000 +0100
47289 -+++ linux-2.6.23.15-grsec/arch/x86_64/vdso/vma.c 2008-02-11 10:37:44.000000000 +0000
47290 -@@ -126,7 +126,7 @@ int arch_setup_additional_pages(struct l
47291 - if (ret)
47292 - goto up_fail;
47293 -
47294 -- current->mm->context.vdso = (void *)addr;
47295 -+ current->mm->context.vdso = addr;
47296 - up_fail:
47297 - up_write(&mm->mmap_sem);
47298 - return ret;
47299 -diff -Nurp linux-2.6.23.15/crypto/async_tx/async_tx.c linux-2.6.23.15-grsec/crypto/async_tx/async_tx.c
47300 ---- linux-2.6.23.15/crypto/async_tx/async_tx.c 2007-10-09 21:31:38.000000000 +0100
47301 -+++ linux-2.6.23.15-grsec/crypto/async_tx/async_tx.c 2008-02-11 10:37:44.000000000 +0000
47302 -@@ -342,8 +342,8 @@ async_tx_init(void)
47303 - err:
47304 - printk(KERN_ERR "async_tx: initialization failure\n");
47305 -
47306 -- while (--cap >= 0)
47307 -- free_percpu(channel_table[cap]);
47308 -+ while (cap)
47309 -+ free_percpu(channel_table[--cap]);
47310 -
47311 - return 1;
47312 - }
47313 -diff -Nurp linux-2.6.23.15/crypto/lrw.c linux-2.6.23.15-grsec/crypto/lrw.c
47314 ---- linux-2.6.23.15/crypto/lrw.c 2007-10-09 21:31:38.000000000 +0100
47315 -+++ linux-2.6.23.15-grsec/crypto/lrw.c 2008-02-11 10:37:44.000000000 +0000
47316 -@@ -54,7 +54,7 @@ static int setkey(struct crypto_tfm *par
47317 - struct priv *ctx = crypto_tfm_ctx(parent);
47318 - struct crypto_cipher *child = ctx->child;
47319 - int err, i;
47320 -- be128 tmp = { 0 };
47321 -+ be128 tmp = { 0, 0 };
47322 - int bsize = crypto_cipher_blocksize(child);
47323 -
47324 - crypto_cipher_clear_flags(child, CRYPTO_TFM_REQ_MASK);
47325 -diff -Nurp linux-2.6.23.15/drivers/acpi/blacklist.c linux-2.6.23.15-grsec/drivers/acpi/blacklist.c
47326 ---- linux-2.6.23.15/drivers/acpi/blacklist.c 2008-02-11 10:36:03.000000000 +0000
47327 -+++ linux-2.6.23.15-grsec/drivers/acpi/blacklist.c 2008-02-11 10:37:44.000000000 +0000
47328 -@@ -71,7 +71,7 @@ static struct acpi_blacklist_item acpi_b
47329 - {"IBM ", "TP600E ", 0x00000105, ACPI_SIG_DSDT, less_than_or_equal,
47330 - "Incorrect _ADR", 1},
47331 -
47332 -- {""}
47333 -+ {"", "", 0, 0, 0, all_versions, 0}
47334 - };
47335 -
47336 - #if CONFIG_ACPI_BLACKLIST_YEAR
47337 -diff -Nurp linux-2.6.23.15/drivers/acpi/processor_core.c linux-2.6.23.15-grsec/drivers/acpi/processor_core.c
47338 ---- linux-2.6.23.15/drivers/acpi/processor_core.c 2007-10-09 21:31:38.000000000 +0100
47339 -+++ linux-2.6.23.15-grsec/drivers/acpi/processor_core.c 2008-02-11 10:37:44.000000000 +0000
47340 -@@ -643,7 +643,7 @@ static int __cpuinit acpi_processor_star
47341 - return 0;
47342 - }
47343 -
47344 -- BUG_ON((pr->id >= NR_CPUS) || (pr->id < 0));
47345 -+ BUG_ON(pr->id >= NR_CPUS);
47346 -
47347 - /*
47348 - * Buggy BIOS check
47349 -diff -Nurp linux-2.6.23.15/drivers/acpi/processor_idle.c linux-2.6.23.15-grsec/drivers/acpi/processor_idle.c
47350 ---- linux-2.6.23.15/drivers/acpi/processor_idle.c 2007-10-09 21:31:38.000000000 +0100
47351 -+++ linux-2.6.23.15-grsec/drivers/acpi/processor_idle.c 2008-02-11 10:37:44.000000000 +0000
47352 -@@ -164,7 +164,7 @@ static struct dmi_system_id __cpuinitdat
47353 - DMI_MATCH(DMI_BIOS_VENDOR,"Phoenix Technologies LTD"),
47354 - DMI_MATCH(DMI_BIOS_VERSION,"SHE845M0.86C.0013.D.0302131307")},
47355 - (void *)2},
47356 -- {},
47357 -+ { NULL, NULL, {DMI_MATCH(DMI_NONE, NULL)}, NULL},
47358 - };
47359 -
47360 - static inline u32 ticks_elapsed(u32 t1, u32 t2)
47361 -diff -Nurp linux-2.6.23.15/drivers/acpi/sleep/main.c linux-2.6.23.15-grsec/drivers/acpi/sleep/main.c
47362 ---- linux-2.6.23.15/drivers/acpi/sleep/main.c 2008-02-11 10:36:03.000000000 +0000
47363 -+++ linux-2.6.23.15-grsec/drivers/acpi/sleep/main.c 2008-02-11 10:37:44.000000000 +0000
47364 -@@ -228,7 +228,7 @@ static struct dmi_system_id __initdata a
47365 - .ident = "Toshiba Satellite 4030cdt",
47366 - .matches = {DMI_MATCH(DMI_PRODUCT_NAME, "S4030CDT/4.3"),},
47367 - },
47368 -- {},
47369 -+ { NULL, NULL, {DMI_MATCH(DMI_NONE, NULL)}, NULL},
47370 - };
47371 - #endif /* CONFIG_SUSPEND */
47372 -
47373 -diff -Nurp linux-2.6.23.15/drivers/acpi/tables/tbfadt.c linux-2.6.23.15-grsec/drivers/acpi/tables/tbfadt.c
47374 ---- linux-2.6.23.15/drivers/acpi/tables/tbfadt.c 2007-10-09 21:31:38.000000000 +0100
47375 -+++ linux-2.6.23.15-grsec/drivers/acpi/tables/tbfadt.c 2008-02-11 10:37:44.000000000 +0000
47376 -@@ -48,7 +48,7 @@
47377 - ACPI_MODULE_NAME("tbfadt")
47378 -
47379 - /* Local prototypes */
47380 --static void inline
47381 -+static inline void
47382 - acpi_tb_init_generic_address(struct acpi_generic_address *generic_address,
47383 - u8 bit_width, u64 address);
47384 -
47385 -@@ -122,7 +122,7 @@ static struct acpi_fadt_info fadt_info_t
47386 - *
47387 - ******************************************************************************/
47388 -
47389 --static void inline
47390 -+static inline void
47391 - acpi_tb_init_generic_address(struct acpi_generic_address *generic_address,
47392 - u8 bit_width, u64 address)
47393 - {
47394 -diff -Nurp linux-2.6.23.15/drivers/ata/ahci.c linux-2.6.23.15-grsec/drivers/ata/ahci.c
47395 ---- linux-2.6.23.15/drivers/ata/ahci.c 2008-02-11 10:36:03.000000000 +0000
47396 -+++ linux-2.6.23.15-grsec/drivers/ata/ahci.c 2008-02-11 10:37:44.000000000 +0000
47397 -@@ -523,7 +523,7 @@ static const struct pci_device_id ahci_p
47398 - { PCI_ANY_ID, PCI_ANY_ID, PCI_ANY_ID, PCI_ANY_ID,
47399 - PCI_CLASS_STORAGE_SATA_AHCI, 0xffffff, board_ahci },
47400 -
47401 -- { } /* terminate list */
47402 -+ { 0, 0, 0, 0, 0, 0, 0 } /* terminate list */
47403 - };
47404 -
47405 -
47406 -diff -Nurp linux-2.6.23.15/drivers/ata/ata_piix.c linux-2.6.23.15-grsec/drivers/ata/ata_piix.c
47407 ---- linux-2.6.23.15/drivers/ata/ata_piix.c 2007-10-09 21:31:38.000000000 +0100
47408 -+++ linux-2.6.23.15-grsec/drivers/ata/ata_piix.c 2008-02-11 10:37:44.000000000 +0000
47409 -@@ -257,7 +257,7 @@ static const struct pci_device_id piix_p
47410 - /* SATA Controller IDE (Tolapai) */
47411 - { 0x8086, 0x5028, PCI_ANY_ID, PCI_ANY_ID, 0, 0, tolapai_sata_ahci },
47412 -
47413 -- { } /* terminate list */
47414 -+ { 0, 0, 0, 0, 0, 0, 0 } /* terminate list */
47415 - };
47416 -
47417 - static struct pci_driver piix_pci_driver = {
47418 -@@ -617,7 +617,7 @@ static const struct ich_laptop ich_lapto
47419 - { 0x27DF, 0x1043, 0x1267 }, /* ICH7 on Asus W5F */
47420 - { 0x24CA, 0x1025, 0x0061 }, /* ICH4 on ACER Aspire 2023WLMi */
47421 - /* end marker */
47422 -- { 0, }
47423 -+ { 0, 0, 0 }
47424 - };
47425 -
47426 - /**
47427 -@@ -963,7 +963,7 @@ static int piix_broken_suspend(void)
47428 - },
47429 - },
47430 -
47431 -- { } /* terminate list */
47432 -+ { NULL, NULL, {DMI_MATCH(DMI_NONE, NULL)}, NULL } /* terminate list */
47433 - };
47434 - static const char *oemstrs[] = {
47435 - "Tecra M3,",
47436 -diff -Nurp linux-2.6.23.15/drivers/ata/libata-core.c linux-2.6.23.15-grsec/drivers/ata/libata-core.c
47437 ---- linux-2.6.23.15/drivers/ata/libata-core.c 2008-02-11 10:36:03.000000000 +0000
47438 -+++ linux-2.6.23.15-grsec/drivers/ata/libata-core.c 2008-02-11 10:37:44.000000000 +0000
47439 -@@ -472,7 +472,7 @@ static const struct ata_xfer_ent {
47440 - { ATA_SHIFT_PIO, ATA_BITS_PIO, XFER_PIO_0 },
47441 - { ATA_SHIFT_MWDMA, ATA_BITS_MWDMA, XFER_MW_DMA_0 },
47442 - { ATA_SHIFT_UDMA, ATA_BITS_UDMA, XFER_UDMA_0 },
47443 -- { -1, },
47444 -+ { -1, 0, 0 },
47445 - };
47446 -
47447 - /**
47448 -@@ -2546,7 +2546,7 @@ static const struct ata_timing ata_timin
47449 -
47450 - /* { XFER_PIO_SLOW, 120, 290, 240, 960, 290, 240, 960, 0 }, */
47451 -
47452 -- { 0xFF }
47453 -+ { 0xFF, 0, 0, 0, 0, 0, 0, 0, 0 }
47454 - };
47455 -
47456 - #define ENOUGH(v,unit) (((v)-1)/(unit)+1)
47457 -@@ -3799,7 +3799,7 @@ static const struct ata_blacklist_entry
47458 - { "MAXTOR 6L080L4", "A93.0500", ATA_HORKAGE_BROKEN_HPA },
47459 -
47460 - /* End Marker */
47461 -- { }
47462 -+ { NULL, NULL, 0 }
47463 - };
47464 -
47465 - static unsigned long ata_dev_blacklisted(const struct ata_device *dev)
47466 -diff -Nurp linux-2.6.23.15/drivers/char/agp/frontend.c linux-2.6.23.15-grsec/drivers/char/agp/frontend.c
47467 ---- linux-2.6.23.15/drivers/char/agp/frontend.c 2007-10-09 21:31:38.000000000 +0100
47468 -+++ linux-2.6.23.15-grsec/drivers/char/agp/frontend.c 2008-02-11 10:37:44.000000000 +0000
47469 -@@ -820,7 +820,7 @@ static int agpioc_reserve_wrap(struct ag
47470 - if (copy_from_user(&reserve, arg, sizeof(struct agp_region)))
47471 - return -EFAULT;
47472 -
47473 -- if ((unsigned) reserve.seg_count >= ~0U/sizeof(struct agp_segment))
47474 -+ if ((unsigned) reserve.seg_count >= ~0U/sizeof(struct agp_segment_priv))
47475 - return -EFAULT;
47476 -
47477 - client = agp_find_client_by_pid(reserve.pid);
47478 -diff -Nurp linux-2.6.23.15/drivers/char/agp/intel-agp.c linux-2.6.23.15-grsec/drivers/char/agp/intel-agp.c
47479 ---- linux-2.6.23.15/drivers/char/agp/intel-agp.c 2007-10-09 21:31:38.000000000 +0100
47480 -+++ linux-2.6.23.15-grsec/drivers/char/agp/intel-agp.c 2008-02-11 10:37:44.000000000 +0000
47481 -@@ -2071,7 +2071,7 @@ static struct pci_device_id agp_intel_pc
47482 - ID(PCI_DEVICE_ID_INTEL_G33_HB),
47483 - ID(PCI_DEVICE_ID_INTEL_Q35_HB),
47484 - ID(PCI_DEVICE_ID_INTEL_Q33_HB),
47485 -- { }
47486 -+ { 0, 0, 0, 0, 0, 0, 0 }
47487 - };
47488 -
47489 - MODULE_DEVICE_TABLE(pci, agp_intel_pci_table);
47490 -diff -Nurp linux-2.6.23.15/drivers/char/drm/drm_pciids.h linux-2.6.23.15-grsec/drivers/char/drm/drm_pciids.h
47491 ---- linux-2.6.23.15/drivers/char/drm/drm_pciids.h 2007-10-09 21:31:38.000000000 +0100
47492 -+++ linux-2.6.23.15-grsec/drivers/char/drm/drm_pciids.h 2008-02-11 10:37:44.000000000 +0000
47493 -@@ -251,7 +251,7 @@
47494 - {0x8086, 0x7123, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
47495 - {0x8086, 0x7125, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
47496 - {0x8086, 0x1132, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
47497 -- {0, 0, 0}
47498 -+ {0, 0, 0, 0, 0, 0, 0 }
47499 -
47500 - #define i830_PCI_IDS \
47501 - {0x8086, 0x3577, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
47502 -diff -Nurp linux-2.6.23.15/drivers/char/hpet.c linux-2.6.23.15-grsec/drivers/char/hpet.c
47503 ---- linux-2.6.23.15/drivers/char/hpet.c 2007-10-09 21:31:38.000000000 +0100
47504 -+++ linux-2.6.23.15-grsec/drivers/char/hpet.c 2008-02-11 10:37:44.000000000 +0000
47505 -@@ -1028,7 +1028,7 @@ static struct acpi_driver hpet_acpi_driv
47506 - },
47507 - };
47508 -
47509 --static struct miscdevice hpet_misc = { HPET_MINOR, "hpet", &hpet_fops };
47510 -+static struct miscdevice hpet_misc = { HPET_MINOR, "hpet", &hpet_fops, {NULL, NULL}, NULL, NULL };
47511 -
47512 - static int __init hpet_init(void)
47513 - {
47514 -diff -Nurp linux-2.6.23.15/drivers/char/keyboard.c linux-2.6.23.15-grsec/drivers/char/keyboard.c
47515 ---- linux-2.6.23.15/drivers/char/keyboard.c 2007-10-09 21:31:38.000000000 +0100
47516 -+++ linux-2.6.23.15-grsec/drivers/char/keyboard.c 2008-02-11 10:37:44.000000000 +0000
47517 -@@ -605,6 +605,16 @@ static void k_spec(struct vc_data *vc, u
47518 - kbd->kbdmode == VC_MEDIUMRAW) &&
47519 - value != KVAL(K_SAK))
47520 - return; /* SAK is allowed even in raw mode */
47521 -+
47522 -+#if defined(CONFIG_GRKERNSEC_PROC) || defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
47523 -+ {
47524 -+ void *func = fn_handler[value];
47525 -+ if (func == fn_show_state || func == fn_show_ptregs ||
47526 -+ func == fn_show_mem)
47527 -+ return;
47528 -+ }
47529 -+#endif
47530 -+
47531 - fn_handler[value](vc);
47532 - }
47533 -
47534 -@@ -1340,7 +1350,7 @@ static const struct input_device_id kbd_
47535 - .evbit = { BIT(EV_SND) },
47536 - },
47537 -
47538 -- { }, /* Terminating entry */
47539 -+ { 0 }, /* Terminating entry */
47540 - };
47541 -
47542 - MODULE_DEVICE_TABLE(input, kbd_ids);
47543 -diff -Nurp linux-2.6.23.15/drivers/char/mem.c linux-2.6.23.15-grsec/drivers/char/mem.c
47544 ---- linux-2.6.23.15/drivers/char/mem.c 2007-10-09 21:31:38.000000000 +0100
47545 -+++ linux-2.6.23.15-grsec/drivers/char/mem.c 2008-02-11 10:37:44.000000000 +0000
47546 -@@ -26,6 +26,7 @@
47547 - #include <linux/bootmem.h>
47548 - #include <linux/splice.h>
47549 - #include <linux/pfn.h>
47550 -+#include <linux/grsecurity.h>
47551 -
47552 - #include <asm/uaccess.h>
47553 - #include <asm/io.h>
47554 -@@ -34,6 +35,10 @@
47555 - # include <linux/efi.h>
47556 - #endif
47557 -
47558 -+#ifdef CONFIG_GRKERNSEC
47559 -+extern struct file_operations grsec_fops;
47560 -+#endif
47561 -+
47562 - /*
47563 - * Architectures vary in how they handle caching for addresses
47564 - * outside of main memory.
47565 -@@ -180,6 +185,11 @@ static ssize_t write_mem(struct file * f
47566 - if (!valid_phys_addr_range(p, count))
47567 - return -EFAULT;
47568 -
47569 -+#ifdef CONFIG_GRKERNSEC_KMEM
47570 -+ gr_handle_mem_write();
47571 -+ return -EPERM;
47572 -+#endif
47573 -+
47574 - written = 0;
47575 -
47576 - #ifdef __ARCH_HAS_NO_PAGE_ZERO_MAPPED
47577 -@@ -281,6 +291,11 @@ static int mmap_mem(struct file * file,
47578 - if (!private_mapping_ok(vma))
47579 - return -ENOSYS;
47580 -
47581 -+#ifdef CONFIG_GRKERNSEC_KMEM
47582 -+ if (gr_handle_mem_mmap(vma->vm_pgoff << PAGE_SHIFT, vma))
47583 -+ return -EPERM;
47584 -+#endif
47585 -+
47586 - vma->vm_page_prot = phys_mem_access_prot(file, vma->vm_pgoff,
47587 - size,
47588 - vma->vm_page_prot);
47589 -@@ -512,6 +527,11 @@ static ssize_t write_kmem(struct file *
47590 - ssize_t written;
47591 - char * kbuf; /* k-addr because vwrite() takes vmlist_lock rwlock */
47592 -
47593 -+#ifdef CONFIG_GRKERNSEC_KMEM
47594 -+ gr_handle_kmem_write();
47595 -+ return -EPERM;
47596 -+#endif
47597 -+
47598 - if (p < (unsigned long) high_memory) {
47599 -
47600 - wrote = count;
47601 -@@ -635,6 +655,10 @@ static inline size_t read_zero_pagealign
47602 - struct vm_area_struct * vma;
47603 - unsigned long addr=(unsigned long)buf;
47604 -
47605 -+#ifdef CONFIG_PAX_SEGMEXEC
47606 -+ struct vm_area_struct *vma_m;
47607 -+#endif
47608 -+
47609 - mm = current->mm;
47610 - /* Oops, this was forgotten before. -ben */
47611 - down_read(&mm->mmap_sem);
47612 -@@ -651,8 +675,14 @@ static inline size_t read_zero_pagealign
47613 - if (count > size)
47614 - count = size;
47615 -
47616 -+#ifdef CONFIG_PAX_SEGMEXEC
47617 -+ vma_m = pax_find_mirror_vma(vma);
47618 -+ if (vma_m)
47619 -+ zap_page_range(vma_m, addr + SEGMEXEC_TASK_SIZE, count, NULL);
47620 -+#endif
47621 -+
47622 - zap_page_range(vma, addr, count, NULL);
47623 -- if (zeromap_page_range(vma, addr, count, PAGE_COPY))
47624 -+ if (zeromap_page_range(vma, addr, count, vma->vm_page_prot))
47625 - break;
47626 -
47627 - size -= count;
47628 -@@ -805,6 +835,16 @@ static loff_t memory_lseek(struct file *
47629 -
47630 - static int open_port(struct inode * inode, struct file * filp)
47631 - {
47632 -+#ifdef CONFIG_GRKERNSEC_KMEM
47633 -+ gr_handle_open_port();
47634 -+ return -EPERM;
47635 -+#endif
47636 -+
47637 -+ return capable(CAP_SYS_RAWIO) ? 0 : -EPERM;
47638 -+}
47639 -+
47640 -+static int open_mem(struct inode * inode, struct file * filp)
47641 -+{
47642 - return capable(CAP_SYS_RAWIO) ? 0 : -EPERM;
47643 - }
47644 -
47645 -@@ -812,7 +852,6 @@ static int open_port(struct inode * inod
47646 - #define full_lseek null_lseek
47647 - #define write_zero write_null
47648 - #define read_full read_zero
47649 --#define open_mem open_port
47650 - #define open_kmem open_mem
47651 - #define open_oldmem open_mem
47652 -
47653 -@@ -945,6 +984,11 @@ static int memory_open(struct inode * in
47654 - filp->f_op = &oldmem_fops;
47655 - break;
47656 - #endif
47657 -+#ifdef CONFIG_GRKERNSEC
47658 -+ case 13:
47659 -+ filp->f_op = &grsec_fops;
47660 -+ break;
47661 -+#endif
47662 - default:
47663 - return -ENXIO;
47664 - }
47665 -@@ -977,6 +1021,9 @@ static const struct {
47666 - #ifdef CONFIG_CRASH_DUMP
47667 - {12,"oldmem", S_IRUSR | S_IWUSR | S_IRGRP, &oldmem_fops},
47668 - #endif
47669 -+#ifdef CONFIG_GRKERNSEC
47670 -+ {13,"grsec", S_IRUSR | S_IWUGO, &grsec_fops},
47671 -+#endif
47672 - };
47673 -
47674 - static struct class *mem_class;
47675 -diff -Nurp linux-2.6.23.15/drivers/char/nvram.c linux-2.6.23.15-grsec/drivers/char/nvram.c
47676 ---- linux-2.6.23.15/drivers/char/nvram.c 2007-10-09 21:31:38.000000000 +0100
47677 -+++ linux-2.6.23.15-grsec/drivers/char/nvram.c 2008-02-11 10:37:44.000000000 +0000
47678 -@@ -430,7 +430,10 @@ static const struct file_operations nvra
47679 - static struct miscdevice nvram_dev = {
47680 - NVRAM_MINOR,
47681 - "nvram",
47682 -- &nvram_fops
47683 -+ &nvram_fops,
47684 -+ {NULL, NULL},
47685 -+ NULL,
47686 -+ NULL
47687 - };
47688 -
47689 - static int __init
47690 -diff -Nurp linux-2.6.23.15/drivers/char/random.c linux-2.6.23.15-grsec/drivers/char/random.c
47691 ---- linux-2.6.23.15/drivers/char/random.c 2008-02-11 10:36:03.000000000 +0000
47692 -+++ linux-2.6.23.15-grsec/drivers/char/random.c 2008-02-11 10:37:44.000000000 +0000
47693 -@@ -248,8 +248,13 @@
47694 - /*
47695 - * Configuration information
47696 - */
47697 -+#ifdef CONFIG_GRKERNSEC_RANDNET
47698 -+#define INPUT_POOL_WORDS 512
47699 -+#define OUTPUT_POOL_WORDS 128
47700 -+#else
47701 - #define INPUT_POOL_WORDS 128
47702 - #define OUTPUT_POOL_WORDS 32
47703 -+#endif
47704 - #define SEC_XFER_SIZE 512
47705 -
47706 - /*
47707 -@@ -286,10 +291,17 @@ static struct poolinfo {
47708 - int poolwords;
47709 - int tap1, tap2, tap3, tap4, tap5;
47710 - } poolinfo_table[] = {
47711 -+#ifdef CONFIG_GRKERNSEC_RANDNET
47712 -+ /* x^512 + x^411 + x^308 + x^208 +x^104 + x + 1 -- 225 */
47713 -+ { 512, 411, 308, 208, 104, 1 },
47714 -+ /* x^128 + x^103 + x^76 + x^51 + x^25 + x + 1 -- 105 */
47715 -+ { 128, 103, 76, 51, 25, 1 },
47716 -+#else
47717 - /* x^128 + x^103 + x^76 + x^51 +x^25 + x + 1 -- 105 */
47718 - { 128, 103, 76, 51, 25, 1 },
47719 - /* x^32 + x^26 + x^20 + x^14 + x^7 + x + 1 -- 15 */
47720 - { 32, 26, 20, 14, 7, 1 },
47721 -+#endif
47722 - #if 0
47723 - /* x^2048 + x^1638 + x^1231 + x^819 + x^411 + x + 1 -- 115 */
47724 - { 2048, 1638, 1231, 819, 411, 1 },
47725 -@@ -1172,7 +1184,7 @@ EXPORT_SYMBOL(generate_random_uuid);
47726 - #include <linux/sysctl.h>
47727 -
47728 - static int min_read_thresh = 8, min_write_thresh;
47729 --static int max_read_thresh = INPUT_POOL_WORDS * 32;
47730 -+static int max_read_thresh = OUTPUT_POOL_WORDS * 32;
47731 - static int max_write_thresh = INPUT_POOL_WORDS * 32;
47732 - static char sysctl_bootid[16];
47733 -
47734 -diff -Nurp linux-2.6.23.15/drivers/char/vt_ioctl.c linux-2.6.23.15-grsec/drivers/char/vt_ioctl.c
47735 ---- linux-2.6.23.15/drivers/char/vt_ioctl.c 2007-10-09 21:31:38.000000000 +0100
47736 -+++ linux-2.6.23.15-grsec/drivers/char/vt_ioctl.c 2008-02-11 10:37:44.000000000 +0000
47737 -@@ -95,6 +95,12 @@ do_kdsk_ioctl(int cmd, struct kbentry __
47738 - case KDSKBENT:
47739 - if (!perm)
47740 - return -EPERM;
47741 -+
47742 -+#ifdef CONFIG_GRKERNSEC
47743 -+ if (!capable(CAP_SYS_TTY_CONFIG))
47744 -+ return -EPERM;
47745 -+#endif
47746 -+
47747 - if (!i && v == K_NOSUCHMAP) {
47748 - /* deallocate map */
47749 - key_map = key_maps[s];
47750 -@@ -235,6 +241,13 @@ do_kdgkb_ioctl(int cmd, struct kbsentry
47751 - goto reterr;
47752 - }
47753 -
47754 -+#ifdef CONFIG_GRKERNSEC
47755 -+ if (!capable(CAP_SYS_TTY_CONFIG)) {
47756 -+ ret = -EPERM;
47757 -+ goto reterr;
47758 -+ }
47759 -+#endif
47760 -+
47761 - q = func_table[i];
47762 - first_free = funcbufptr + (funcbufsize - funcbufleft);
47763 - for (j = i+1; j < MAX_NR_FUNC && !func_table[j]; j++)
47764 -diff -Nurp linux-2.6.23.15/drivers/dma/ioatdma.c linux-2.6.23.15-grsec/drivers/dma/ioatdma.c
47765 ---- linux-2.6.23.15/drivers/dma/ioatdma.c 2007-10-09 21:31:38.000000000 +0100
47766 -+++ linux-2.6.23.15-grsec/drivers/dma/ioatdma.c 2008-02-11 10:37:44.000000000 +0000
47767 -@@ -244,7 +244,6 @@ static void ioat_dma_free_chan_resources
47768 - struct ioat_dma_chan *ioat_chan = to_ioat_chan(chan);
47769 - struct ioat_device *ioat_device = to_ioat_device(chan->device);
47770 - struct ioat_desc_sw *desc, *_desc;
47771 -- u16 chanctrl;
47772 - int in_use_descs = 0;
47773 -
47774 - ioat_dma_memcpy_cleanup(ioat_chan);
47775 -diff -Nurp linux-2.6.23.15/drivers/edac/edac_core.h linux-2.6.23.15-grsec/drivers/edac/edac_core.h
47776 ---- linux-2.6.23.15/drivers/edac/edac_core.h 2007-10-09 21:31:38.000000000 +0100
47777 -+++ linux-2.6.23.15-grsec/drivers/edac/edac_core.h 2008-02-11 10:37:44.000000000 +0000
47778 -@@ -86,11 +86,11 @@ extern int edac_debug_level;
47779 -
47780 - #else /* !CONFIG_EDAC_DEBUG */
47781 -
47782 --#define debugf0( ... )
47783 --#define debugf1( ... )
47784 --#define debugf2( ... )
47785 --#define debugf3( ... )
47786 --#define debugf4( ... )
47787 -+#define debugf0( ... ) do {} while (0)
47788 -+#define debugf1( ... ) do {} while (0)
47789 -+#define debugf2( ... ) do {} while (0)
47790 -+#define debugf3( ... ) do {} while (0)
47791 -+#define debugf4( ... ) do {} while (0)
47792 -
47793 - #endif /* !CONFIG_EDAC_DEBUG */
47794 -
47795 -diff -Nurp linux-2.6.23.15/drivers/hwmon/fscpos.c linux-2.6.23.15-grsec/drivers/hwmon/fscpos.c
47796 ---- linux-2.6.23.15/drivers/hwmon/fscpos.c 2007-10-09 21:31:38.000000000 +0100
47797 -+++ linux-2.6.23.15-grsec/drivers/hwmon/fscpos.c 2008-02-11 10:37:44.000000000 +0000
47798 -@@ -231,7 +231,6 @@ static ssize_t set_pwm(struct i2c_client
47799 - unsigned long v = simple_strtoul(buf, NULL, 10);
47800 -
47801 - /* Range: 0..255 */
47802 -- if (v < 0) v = 0;
47803 - if (v > 255) v = 255;
47804 -
47805 - mutex_lock(&data->update_lock);
47806 -diff -Nurp linux-2.6.23.15/drivers/hwmon/k8temp.c linux-2.6.23.15-grsec/drivers/hwmon/k8temp.c
47807 ---- linux-2.6.23.15/drivers/hwmon/k8temp.c 2007-10-09 21:31:38.000000000 +0100
47808 -+++ linux-2.6.23.15-grsec/drivers/hwmon/k8temp.c 2008-02-11 10:37:44.000000000 +0000
47809 -@@ -130,7 +130,7 @@ static DEVICE_ATTR(name, S_IRUGO, show_n
47810 -
47811 - static struct pci_device_id k8temp_ids[] = {
47812 - { PCI_DEVICE(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_K8_NB_MISC) },
47813 -- { 0 },
47814 -+ { 0, 0, 0, 0, 0, 0, 0 },
47815 - };
47816 -
47817 - MODULE_DEVICE_TABLE(pci, k8temp_ids);
47818 -diff -Nurp linux-2.6.23.15/drivers/hwmon/sis5595.c linux-2.6.23.15-grsec/drivers/hwmon/sis5595.c
47819 ---- linux-2.6.23.15/drivers/hwmon/sis5595.c 2007-10-09 21:31:38.000000000 +0100
47820 -+++ linux-2.6.23.15-grsec/drivers/hwmon/sis5595.c 2008-02-11 10:37:44.000000000 +0000
47821 -@@ -673,7 +673,7 @@ static struct sis5595_data *sis5595_upda
47822 -
47823 - static struct pci_device_id sis5595_pci_ids[] = {
47824 - { PCI_DEVICE(PCI_VENDOR_ID_SI, PCI_DEVICE_ID_SI_503) },
47825 -- { 0, }
47826 -+ { 0, 0, 0, 0, 0, 0, 0 }
47827 - };
47828 -
47829 - MODULE_DEVICE_TABLE(pci, sis5595_pci_ids);
47830 -diff -Nurp linux-2.6.23.15/drivers/hwmon/thmc50.c linux-2.6.23.15-grsec/drivers/hwmon/thmc50.c
47831 ---- linux-2.6.23.15/drivers/hwmon/thmc50.c 2007-10-09 21:31:38.000000000 +0100
47832 -+++ linux-2.6.23.15-grsec/drivers/hwmon/thmc50.c 2008-02-11 10:37:44.000000000 +0000
47833 -@@ -47,9 +47,9 @@ I2C_CLIENT_MODULE_PARM(adm1022_temp3, "L
47834 - #define THMC50_REG_DIE_CODE 0x3F
47835 - #define THMC50_REG_ANALOG_OUT 0x19
47836 -
47837 --const static u8 THMC50_REG_TEMP[] = { 0x27, 0x26, 0x20 };
47838 --const static u8 THMC50_REG_TEMP_MIN[] = { 0x3A, 0x38, 0x2C };
47839 --const static u8 THMC50_REG_TEMP_MAX[] = { 0x39, 0x37, 0x2B };
47840 -+static const u8 THMC50_REG_TEMP[] = { 0x27, 0x26, 0x20 };
47841 -+static const u8 THMC50_REG_TEMP_MIN[] = { 0x3A, 0x38, 0x2C };
47842 -+static const u8 THMC50_REG_TEMP_MAX[] = { 0x39, 0x37, 0x2B };
47843 -
47844 - #define THMC50_REG_CONF_nFANOFF 0x20
47845 -
47846 -diff -Nurp linux-2.6.23.15/drivers/hwmon/via686a.c linux-2.6.23.15-grsec/drivers/hwmon/via686a.c
47847 ---- linux-2.6.23.15/drivers/hwmon/via686a.c 2007-10-09 21:31:38.000000000 +0100
47848 -+++ linux-2.6.23.15-grsec/drivers/hwmon/via686a.c 2008-02-11 10:37:44.000000000 +0000
47849 -@@ -740,7 +740,7 @@ static struct via686a_data *via686a_upda
47850 -
47851 - static struct pci_device_id via686a_pci_ids[] = {
47852 - { PCI_DEVICE(PCI_VENDOR_ID_VIA, PCI_DEVICE_ID_VIA_82C686_4) },
47853 -- { 0, }
47854 -+ { 0, 0, 0, 0, 0, 0, 0 }
47855 - };
47856 -
47857 - MODULE_DEVICE_TABLE(pci, via686a_pci_ids);
47858 -diff -Nurp linux-2.6.23.15/drivers/hwmon/vt8231.c linux-2.6.23.15-grsec/drivers/hwmon/vt8231.c
47859 ---- linux-2.6.23.15/drivers/hwmon/vt8231.c 2007-10-09 21:31:38.000000000 +0100
47860 -+++ linux-2.6.23.15-grsec/drivers/hwmon/vt8231.c 2008-02-11 10:37:44.000000000 +0000
47861 -@@ -662,7 +662,7 @@ static struct platform_driver vt8231_dri
47862 -
47863 - static struct pci_device_id vt8231_pci_ids[] = {
47864 - { PCI_DEVICE(PCI_VENDOR_ID_VIA, PCI_DEVICE_ID_VIA_8231_4) },
47865 -- { 0, }
47866 -+ { 0, 0, 0, 0, 0, 0, 0 }
47867 - };
47868 -
47869 - MODULE_DEVICE_TABLE(pci, vt8231_pci_ids);
47870 -diff -Nurp linux-2.6.23.15/drivers/hwmon/w83791d.c linux-2.6.23.15-grsec/drivers/hwmon/w83791d.c
47871 ---- linux-2.6.23.15/drivers/hwmon/w83791d.c 2007-10-09 21:31:38.000000000 +0100
47872 -+++ linux-2.6.23.15-grsec/drivers/hwmon/w83791d.c 2008-02-11 10:37:44.000000000 +0000
47873 -@@ -289,8 +289,8 @@ static int w83791d_attach_adapter(struct
47874 - static int w83791d_detect(struct i2c_adapter *adapter, int address, int kind);
47875 - static int w83791d_detach_client(struct i2c_client *client);
47876 -
47877 --static int w83791d_read(struct i2c_client *client, u8 register);
47878 --static int w83791d_write(struct i2c_client *client, u8 register, u8 value);
47879 -+static int w83791d_read(struct i2c_client *client, u8 reg);
47880 -+static int w83791d_write(struct i2c_client *client, u8 reg, u8 value);
47881 - static struct w83791d_data *w83791d_update_device(struct device *dev);
47882 -
47883 - #ifdef DEBUG
47884 -diff -Nurp linux-2.6.23.15/drivers/i2c/busses/i2c-i801.c linux-2.6.23.15-grsec/drivers/i2c/busses/i2c-i801.c
47885 ---- linux-2.6.23.15/drivers/i2c/busses/i2c-i801.c 2007-10-09 21:31:38.000000000 +0100
47886 -+++ linux-2.6.23.15-grsec/drivers/i2c/busses/i2c-i801.c 2008-02-11 10:37:44.000000000 +0000
47887 -@@ -543,7 +543,7 @@ static struct pci_device_id i801_ids[] =
47888 - { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_ESB2_17) },
47889 - { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_ICH8_5) },
47890 - { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_ICH9_6) },
47891 -- { 0, }
47892 -+ { 0, 0, 0, 0, 0, 0, 0 }
47893 - };
47894 -
47895 - MODULE_DEVICE_TABLE (pci, i801_ids);
47896 -diff -Nurp linux-2.6.23.15/drivers/i2c/busses/i2c-i810.c linux-2.6.23.15-grsec/drivers/i2c/busses/i2c-i810.c
47897 ---- linux-2.6.23.15/drivers/i2c/busses/i2c-i810.c 2007-10-09 21:31:38.000000000 +0100
47898 -+++ linux-2.6.23.15-grsec/drivers/i2c/busses/i2c-i810.c 2008-02-11 10:37:44.000000000 +0000
47899 -@@ -198,7 +198,7 @@ static struct pci_device_id i810_ids[] _
47900 - { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_82810E_IG) },
47901 - { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_82815_CGC) },
47902 - { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_82845G_IG) },
47903 -- { 0, },
47904 -+ { 0, 0, 0, 0, 0, 0, 0 },
47905 - };
47906 -
47907 - MODULE_DEVICE_TABLE (pci, i810_ids);
47908 -diff -Nurp linux-2.6.23.15/drivers/i2c/busses/i2c-piix4.c linux-2.6.23.15-grsec/drivers/i2c/busses/i2c-piix4.c
47909 ---- linux-2.6.23.15/drivers/i2c/busses/i2c-piix4.c 2007-10-09 21:31:38.000000000 +0100
47910 -+++ linux-2.6.23.15-grsec/drivers/i2c/busses/i2c-piix4.c 2008-02-11 10:37:44.000000000 +0000
47911 -@@ -113,7 +113,7 @@ static struct dmi_system_id __devinitdat
47912 - .ident = "IBM",
47913 - .matches = { DMI_MATCH(DMI_SYS_VENDOR, "IBM"), },
47914 - },
47915 -- { },
47916 -+ { NULL, NULL, {DMI_MATCH(DMI_NONE, NULL)}, NULL },
47917 - };
47918 -
47919 - static int __devinit piix4_setup(struct pci_dev *PIIX4_dev,
47920 -@@ -411,7 +411,7 @@ static struct pci_device_id piix4_ids[]
47921 - .driver_data = 3 },
47922 - { PCI_DEVICE(PCI_VENDOR_ID_EFAR, PCI_DEVICE_ID_EFAR_SLC90E66_3),
47923 - .driver_data = 0 },
47924 -- { 0, }
47925 -+ { 0, 0, 0, 0, 0, 0, 0 }
47926 - };
47927 -
47928 - MODULE_DEVICE_TABLE (pci, piix4_ids);
47929 -diff -Nurp linux-2.6.23.15/drivers/i2c/busses/i2c-sis630.c linux-2.6.23.15-grsec/drivers/i2c/busses/i2c-sis630.c
47930 ---- linux-2.6.23.15/drivers/i2c/busses/i2c-sis630.c 2007-10-09 21:31:38.000000000 +0100
47931 -+++ linux-2.6.23.15-grsec/drivers/i2c/busses/i2c-sis630.c 2008-02-11 10:37:44.000000000 +0000
47932 -@@ -465,7 +465,7 @@ static struct i2c_adapter sis630_adapter
47933 - static struct pci_device_id sis630_ids[] __devinitdata = {
47934 - { PCI_DEVICE(PCI_VENDOR_ID_SI, PCI_DEVICE_ID_SI_503) },
47935 - { PCI_DEVICE(PCI_VENDOR_ID_SI, PCI_DEVICE_ID_SI_LPC) },
47936 -- { 0, }
47937 -+ { PCI_DEVICE(0, 0) }
47938 - };
47939 -
47940 - MODULE_DEVICE_TABLE (pci, sis630_ids);
47941 -diff -Nurp linux-2.6.23.15/drivers/i2c/busses/i2c-sis96x.c linux-2.6.23.15-grsec/drivers/i2c/busses/i2c-sis96x.c
47942 ---- linux-2.6.23.15/drivers/i2c/busses/i2c-sis96x.c 2007-10-09 21:31:38.000000000 +0100
47943 -+++ linux-2.6.23.15-grsec/drivers/i2c/busses/i2c-sis96x.c 2008-02-11 10:37:44.000000000 +0000
47944 -@@ -255,7 +255,7 @@ static struct i2c_adapter sis96x_adapter
47945 -
47946 - static struct pci_device_id sis96x_ids[] = {
47947 - { PCI_DEVICE(PCI_VENDOR_ID_SI, PCI_DEVICE_ID_SI_SMBUS) },
47948 -- { 0, }
47949 -+ { PCI_DEVICE(0, 0) }
47950 - };
47951 -
47952 - MODULE_DEVICE_TABLE (pci, sis96x_ids);
47953 -diff -Nurp linux-2.6.23.15/drivers/ide/ide-cd.c linux-2.6.23.15-grsec/drivers/ide/ide-cd.c
47954 ---- linux-2.6.23.15/drivers/ide/ide-cd.c 2007-10-09 21:31:38.000000000 +0100
47955 -+++ linux-2.6.23.15-grsec/drivers/ide/ide-cd.c 2008-02-11 10:37:44.000000000 +0000
47956 -@@ -457,8 +457,6 @@ void cdrom_analyze_sense_data(ide_drive_
47957 - sector &= ~(bio_sectors -1);
47958 - valid = (sector - failed_command->sector) << 9;
47959 -
47960 -- if (valid < 0)
47961 -- valid = 0;
47962 - if (sector < get_capacity(info->disk) &&
47963 - drive->probed_capacity - sector < 4 * 75) {
47964 - set_capacity(info->disk, sector);
47965 -diff -Nurp linux-2.6.23.15/drivers/ieee1394/dv1394.c linux-2.6.23.15-grsec/drivers/ieee1394/dv1394.c
47966 ---- linux-2.6.23.15/drivers/ieee1394/dv1394.c 2007-10-09 21:31:38.000000000 +0100
47967 -+++ linux-2.6.23.15-grsec/drivers/ieee1394/dv1394.c 2008-02-11 10:37:44.000000000 +0000
47968 -@@ -739,7 +739,7 @@ static void frame_prepare(struct video_c
47969 - based upon DIF section and sequence
47970 - */
47971 -
47972 --static void inline
47973 -+static inline void
47974 - frame_put_packet (struct frame *f, struct packet *p)
47975 - {
47976 - int section_type = p->data[0] >> 5; /* section type is in bits 5 - 7 */
47977 -@@ -918,7 +918,7 @@ static int do_dv1394_init(struct video_c
47978 - /* default SYT offset is 3 cycles */
47979 - init->syt_offset = 3;
47980 -
47981 -- if ( (init->channel > 63) || (init->channel < 0) )
47982 -+ if (init->channel > 63)
47983 - init->channel = 63;
47984 -
47985 - chan_mask = (u64)1 << init->channel;
47986 -@@ -2173,7 +2173,7 @@ static struct ieee1394_device_id dv1394_
47987 - .specifier_id = AVC_UNIT_SPEC_ID_ENTRY & 0xffffff,
47988 - .version = AVC_SW_VERSION_ENTRY & 0xffffff
47989 - },
47990 -- { }
47991 -+ { 0, 0, 0, 0, 0, 0 }
47992 - };
47993 -
47994 - MODULE_DEVICE_TABLE(ieee1394, dv1394_id_table);
47995 -diff -Nurp linux-2.6.23.15/drivers/ieee1394/eth1394.c linux-2.6.23.15-grsec/drivers/ieee1394/eth1394.c
47996 ---- linux-2.6.23.15/drivers/ieee1394/eth1394.c 2007-10-09 21:31:38.000000000 +0100
47997 -+++ linux-2.6.23.15-grsec/drivers/ieee1394/eth1394.c 2008-02-11 10:37:44.000000000 +0000
47998 -@@ -449,7 +449,7 @@ static struct ieee1394_device_id eth1394
47999 - .specifier_id = ETHER1394_GASP_SPECIFIER_ID,
48000 - .version = ETHER1394_GASP_VERSION,
48001 - },
48002 -- {}
48003 -+ { 0, 0, 0, 0, 0, 0 }
48004 - };
48005 -
48006 - MODULE_DEVICE_TABLE(ieee1394, eth1394_id_table);
48007 -diff -Nurp linux-2.6.23.15/drivers/ieee1394/hosts.c linux-2.6.23.15-grsec/drivers/ieee1394/hosts.c
48008 ---- linux-2.6.23.15/drivers/ieee1394/hosts.c 2007-10-09 21:31:38.000000000 +0100
48009 -+++ linux-2.6.23.15-grsec/drivers/ieee1394/hosts.c 2008-02-11 10:37:44.000000000 +0000
48010 -@@ -78,6 +78,7 @@ static int dummy_isoctl(struct hpsb_iso
48011 - }
48012 -
48013 - static struct hpsb_host_driver dummy_driver = {
48014 -+ .name = "dummy",
48015 - .transmit_packet = dummy_transmit_packet,
48016 - .devctl = dummy_devctl,
48017 - .isoctl = dummy_isoctl
48018 -diff -Nurp linux-2.6.23.15/drivers/ieee1394/ohci1394.c linux-2.6.23.15-grsec/drivers/ieee1394/ohci1394.c
48019 ---- linux-2.6.23.15/drivers/ieee1394/ohci1394.c 2007-10-09 21:31:38.000000000 +0100
48020 -+++ linux-2.6.23.15-grsec/drivers/ieee1394/ohci1394.c 2008-02-11 10:37:44.000000000 +0000
48021 -@@ -147,9 +147,9 @@ printk(level "%s: " fmt "\n" , OHCI1394_
48022 - printk(level "%s: fw-host%d: " fmt "\n" , OHCI1394_DRIVER_NAME, ohci->host->id , ## args)
48023 -
48024 - /* Module Parameters */
48025 --static int phys_dma = 1;
48026 -+static int phys_dma;
48027 - module_param(phys_dma, int, 0444);
48028 --MODULE_PARM_DESC(phys_dma, "Enable physical dma (default = 1).");
48029 -+MODULE_PARM_DESC(phys_dma, "Enable physical dma (default = 0).");
48030 -
48031 - static void dma_trm_tasklet(unsigned long data);
48032 - static void dma_trm_reset(struct dma_trm_ctx *d);
48033 -@@ -3396,7 +3396,7 @@ static struct pci_device_id ohci1394_pci
48034 - .subvendor = PCI_ANY_ID,
48035 - .subdevice = PCI_ANY_ID,
48036 - },
48037 -- { 0, },
48038 -+ { 0, 0, 0, 0, 0, 0, 0 },
48039 - };
48040 -
48041 - MODULE_DEVICE_TABLE(pci, ohci1394_pci_tbl);
48042 -diff -Nurp linux-2.6.23.15/drivers/ieee1394/raw1394.c linux-2.6.23.15-grsec/drivers/ieee1394/raw1394.c
48043 ---- linux-2.6.23.15/drivers/ieee1394/raw1394.c 2007-10-09 21:31:38.000000000 +0100
48044 -+++ linux-2.6.23.15-grsec/drivers/ieee1394/raw1394.c 2008-02-11 10:37:44.000000000 +0000
48045 -@@ -2952,7 +2952,7 @@ static struct ieee1394_device_id raw1394
48046 - .match_flags = IEEE1394_MATCH_SPECIFIER_ID | IEEE1394_MATCH_VERSION,
48047 - .specifier_id = CAMERA_UNIT_SPEC_ID_ENTRY & 0xffffff,
48048 - .version = (CAMERA_SW_VERSION_ENTRY + 2) & 0xffffff},
48049 -- {}
48050 -+ { 0, 0, 0, 0, 0, 0 }
48051 - };
48052 -
48053 - MODULE_DEVICE_TABLE(ieee1394, raw1394_id_table);
48054 -diff -Nurp linux-2.6.23.15/drivers/ieee1394/sbp2.c linux-2.6.23.15-grsec/drivers/ieee1394/sbp2.c
48055 ---- linux-2.6.23.15/drivers/ieee1394/sbp2.c 2007-10-09 21:31:38.000000000 +0100
48056 -+++ linux-2.6.23.15-grsec/drivers/ieee1394/sbp2.c 2008-02-11 10:37:44.000000000 +0000
48057 -@@ -272,7 +272,7 @@ static struct ieee1394_device_id sbp2_id
48058 - .match_flags = IEEE1394_MATCH_SPECIFIER_ID | IEEE1394_MATCH_VERSION,
48059 - .specifier_id = SBP2_UNIT_SPEC_ID_ENTRY & 0xffffff,
48060 - .version = SBP2_SW_VERSION_ENTRY & 0xffffff},
48061 -- {}
48062 -+ { 0, 0, 0, 0, 0, 0 }
48063 - };
48064 - MODULE_DEVICE_TABLE(ieee1394, sbp2_id_table);
48065 -
48066 -@@ -2063,7 +2063,7 @@ MODULE_DESCRIPTION("IEEE-1394 SBP-2 prot
48067 - MODULE_SUPPORTED_DEVICE(SBP2_DEVICE_NAME);
48068 - MODULE_LICENSE("GPL");
48069 -
48070 --static int sbp2_module_init(void)
48071 -+static int __init sbp2_module_init(void)
48072 - {
48073 - int ret;
48074 -
48075 -diff -Nurp linux-2.6.23.15/drivers/ieee1394/video1394.c linux-2.6.23.15-grsec/drivers/ieee1394/video1394.c
48076 ---- linux-2.6.23.15/drivers/ieee1394/video1394.c 2007-10-09 21:31:38.000000000 +0100
48077 -+++ linux-2.6.23.15-grsec/drivers/ieee1394/video1394.c 2008-02-11 10:37:44.000000000 +0000
48078 -@@ -893,7 +893,7 @@ static long video1394_ioctl(struct file
48079 - if (unlikely(d == NULL))
48080 - return -EFAULT;
48081 -
48082 -- if (unlikely((v.buffer<0) || (v.buffer>=d->num_desc - 1))) {
48083 -+ if (unlikely(v.buffer>=d->num_desc - 1)) {
48084 - PRINT(KERN_ERR, ohci->host->id,
48085 - "Buffer %d out of range",v.buffer);
48086 - return -EINVAL;
48087 -@@ -959,7 +959,7 @@ static long video1394_ioctl(struct file
48088 - if (unlikely(d == NULL))
48089 - return -EFAULT;
48090 -
48091 -- if (unlikely((v.buffer<0) || (v.buffer>d->num_desc - 1))) {
48092 -+ if (unlikely(v.buffer>d->num_desc - 1)) {
48093 - PRINT(KERN_ERR, ohci->host->id,
48094 - "Buffer %d out of range",v.buffer);
48095 - return -EINVAL;
48096 -@@ -1030,7 +1030,7 @@ static long video1394_ioctl(struct file
48097 - d = find_ctx(&ctx->context_list, OHCI_ISO_TRANSMIT, v.channel);
48098 - if (d == NULL) return -EFAULT;
48099 -
48100 -- if ((v.buffer<0) || (v.buffer>=d->num_desc - 1)) {
48101 -+ if (v.buffer>=d->num_desc - 1) {
48102 - PRINT(KERN_ERR, ohci->host->id,
48103 - "Buffer %d out of range",v.buffer);
48104 - return -EINVAL;
48105 -@@ -1137,7 +1137,7 @@ static long video1394_ioctl(struct file
48106 - d = find_ctx(&ctx->context_list, OHCI_ISO_TRANSMIT, v.channel);
48107 - if (d == NULL) return -EFAULT;
48108 -
48109 -- if ((v.buffer<0) || (v.buffer>=d->num_desc-1)) {
48110 -+ if (v.buffer>=d->num_desc-1) {
48111 - PRINT(KERN_ERR, ohci->host->id,
48112 - "Buffer %d out of range",v.buffer);
48113 - return -EINVAL;
48114 -@@ -1309,7 +1309,7 @@ static struct ieee1394_device_id video13
48115 - .specifier_id = CAMERA_UNIT_SPEC_ID_ENTRY & 0xffffff,
48116 - .version = (CAMERA_SW_VERSION_ENTRY + 2) & 0xffffff
48117 - },
48118 -- { }
48119 -+ { 0, 0, 0, 0, 0, 0 }
48120 - };
48121 -
48122 - MODULE_DEVICE_TABLE(ieee1394, video1394_id_table);
48123 -diff -Nurp linux-2.6.23.15/drivers/input/keyboard/atkbd.c linux-2.6.23.15-grsec/drivers/input/keyboard/atkbd.c
48124 ---- linux-2.6.23.15/drivers/input/keyboard/atkbd.c 2007-10-09 21:31:38.000000000 +0100
48125 -+++ linux-2.6.23.15-grsec/drivers/input/keyboard/atkbd.c 2008-02-11 10:37:44.000000000 +0000
48126 -@@ -1075,7 +1075,7 @@ static struct serio_device_id atkbd_seri
48127 - .id = SERIO_ANY,
48128 - .extra = SERIO_ANY,
48129 - },
48130 -- { 0 }
48131 -+ { 0, 0, 0, 0 }
48132 - };
48133 -
48134 - MODULE_DEVICE_TABLE(serio, atkbd_serio_ids);
48135 -diff -Nurp linux-2.6.23.15/drivers/input/mouse/lifebook.c linux-2.6.23.15-grsec/drivers/input/mouse/lifebook.c
48136 ---- linux-2.6.23.15/drivers/input/mouse/lifebook.c 2007-10-09 21:31:38.000000000 +0100
48137 -+++ linux-2.6.23.15-grsec/drivers/input/mouse/lifebook.c 2008-02-11 10:37:44.000000000 +0000
48138 -@@ -102,7 +102,7 @@ static struct dmi_system_id lifebook_dmi
48139 - DMI_MATCH(DMI_PRODUCT_NAME, "LifeBook B142"),
48140 - },
48141 - },
48142 -- { }
48143 -+ { NULL, NULL, {DMI_MATCH(DMI_NONE, NULL)}, NULL}
48144 - };
48145 -
48146 - static psmouse_ret_t lifebook_process_byte(struct psmouse *psmouse)
48147 -diff -Nurp linux-2.6.23.15/drivers/input/mouse/psmouse-base.c linux-2.6.23.15-grsec/drivers/input/mouse/psmouse-base.c
48148 ---- linux-2.6.23.15/drivers/input/mouse/psmouse-base.c 2007-10-09 21:31:38.000000000 +0100
48149 -+++ linux-2.6.23.15-grsec/drivers/input/mouse/psmouse-base.c 2008-02-11 10:37:44.000000000 +0000
48150 -@@ -1325,7 +1325,7 @@ static struct serio_device_id psmouse_se
48151 - .id = SERIO_ANY,
48152 - .extra = SERIO_ANY,
48153 - },
48154 -- { 0 }
48155 -+ { 0, 0, 0, 0 }
48156 - };
48157 -
48158 - MODULE_DEVICE_TABLE(serio, psmouse_serio_ids);
48159 -diff -Nurp linux-2.6.23.15/drivers/input/mouse/synaptics.c linux-2.6.23.15-grsec/drivers/input/mouse/synaptics.c
48160 ---- linux-2.6.23.15/drivers/input/mouse/synaptics.c 2007-10-09 21:31:38.000000000 +0100
48161 -+++ linux-2.6.23.15-grsec/drivers/input/mouse/synaptics.c 2008-02-11 10:37:44.000000000 +0000
48162 -@@ -417,7 +417,7 @@ static void synaptics_process_packet(str
48163 - break;
48164 - case 2:
48165 - if (SYN_MODEL_PEN(priv->model_id))
48166 -- ; /* Nothing, treat a pen as a single finger */
48167 -+ break; /* Nothing, treat a pen as a single finger */
48168 - break;
48169 - case 4 ... 15:
48170 - if (SYN_CAP_PALMDETECT(priv->capabilities))
48171 -@@ -624,7 +624,7 @@ static struct dmi_system_id toshiba_dmi_
48172 - DMI_MATCH(DMI_PRODUCT_NAME, "PORTEGE M300"),
48173 - },
48174 - },
48175 -- { }
48176 -+ { NULL, NULL, {DMI_MATCH(DMI_NONE, NULL)}, NULL }
48177 - };
48178 - #endif
48179 -
48180 -diff -Nurp linux-2.6.23.15/drivers/input/mousedev.c linux-2.6.23.15-grsec/drivers/input/mousedev.c
48181 ---- linux-2.6.23.15/drivers/input/mousedev.c 2008-02-11 10:36:03.000000000 +0000
48182 -+++ linux-2.6.23.15-grsec/drivers/input/mousedev.c 2008-02-11 10:37:44.000000000 +0000
48183 -@@ -1048,7 +1048,7 @@ static struct input_handler mousedev_han
48184 -
48185 - #ifdef CONFIG_INPUT_MOUSEDEV_PSAUX
48186 - static struct miscdevice psaux_mouse = {
48187 -- PSMOUSE_MINOR, "psaux", &mousedev_fops
48188 -+ PSMOUSE_MINOR, "psaux", &mousedev_fops, {NULL, NULL}, NULL, NULL
48189 - };
48190 - static int psaux_registered;
48191 - #endif
48192 -diff -Nurp linux-2.6.23.15/drivers/input/serio/i8042-x86ia64io.h linux-2.6.23.15-grsec/drivers/input/serio/i8042-x86ia64io.h
48193 ---- linux-2.6.23.15/drivers/input/serio/i8042-x86ia64io.h 2007-10-09 21:31:38.000000000 +0100
48194 -+++ linux-2.6.23.15-grsec/drivers/input/serio/i8042-x86ia64io.h 2008-02-11 10:37:44.000000000 +0000
48195 -@@ -110,7 +110,7 @@ static struct dmi_system_id __initdata i
48196 - DMI_MATCH(DMI_PRODUCT_VERSION, "5a"),
48197 - },
48198 - },
48199 -- { }
48200 -+ { NULL, NULL, {DMI_MATCH(DMI_NONE, NULL)}, NULL }
48201 - };
48202 -
48203 - /*
48204 -@@ -262,7 +262,7 @@ static struct dmi_system_id __initdata i
48205 - DMI_MATCH(DMI_PRODUCT_NAME, "M636/A737 platform"),
48206 - },
48207 - },
48208 -- { }
48209 -+ { NULL, NULL, {DMI_MATCH(DMI_NONE, NULL)}, NULL }
48210 - };
48211 -
48212 -
48213 -diff -Nurp linux-2.6.23.15/drivers/input/serio/serio_raw.c linux-2.6.23.15-grsec/drivers/input/serio/serio_raw.c
48214 ---- linux-2.6.23.15/drivers/input/serio/serio_raw.c 2007-10-09 21:31:38.000000000 +0100
48215 -+++ linux-2.6.23.15-grsec/drivers/input/serio/serio_raw.c 2008-02-11 10:37:44.000000000 +0000
48216 -@@ -369,7 +369,7 @@ static struct serio_device_id serio_raw_
48217 - .id = SERIO_ANY,
48218 - .extra = SERIO_ANY,
48219 - },
48220 -- { 0 }
48221 -+ { 0, 0, 0, 0 }
48222 - };
48223 -
48224 - MODULE_DEVICE_TABLE(serio, serio_raw_serio_ids);
48225 -diff -Nurp linux-2.6.23.15/drivers/kvm/kvm_main.c linux-2.6.23.15-grsec/drivers/kvm/kvm_main.c
48226 ---- linux-2.6.23.15/drivers/kvm/kvm_main.c 2008-02-11 10:36:03.000000000 +0000
48227 -+++ linux-2.6.23.15-grsec/drivers/kvm/kvm_main.c 2008-02-11 10:37:44.000000000 +0000
48228 -@@ -63,21 +63,21 @@ static struct kvm_stats_debugfs_item {
48229 - int offset;
48230 - struct dentry *dentry;
48231 - } debugfs_entries[] = {
48232 -- { "pf_fixed", STAT_OFFSET(pf_fixed) },
48233 -- { "pf_guest", STAT_OFFSET(pf_guest) },
48234 -- { "tlb_flush", STAT_OFFSET(tlb_flush) },
48235 -- { "invlpg", STAT_OFFSET(invlpg) },
48236 -- { "exits", STAT_OFFSET(exits) },
48237 -- { "io_exits", STAT_OFFSET(io_exits) },
48238 -- { "mmio_exits", STAT_OFFSET(mmio_exits) },
48239 -- { "signal_exits", STAT_OFFSET(signal_exits) },
48240 -- { "irq_window", STAT_OFFSET(irq_window_exits) },
48241 -- { "halt_exits", STAT_OFFSET(halt_exits) },
48242 -- { "request_irq", STAT_OFFSET(request_irq_exits) },
48243 -- { "irq_exits", STAT_OFFSET(irq_exits) },
48244 -- { "light_exits", STAT_OFFSET(light_exits) },
48245 -- { "efer_reload", STAT_OFFSET(efer_reload) },
48246 -- { NULL }
48247 -+ { "pf_fixed", STAT_OFFSET(pf_fixed), NULL },
48248 -+ { "pf_guest", STAT_OFFSET(pf_guest), NULL },
48249 -+ { "tlb_flush", STAT_OFFSET(tlb_flush), NULL },
48250 -+ { "invlpg", STAT_OFFSET(invlpg), NULL },
48251 -+ { "exits", STAT_OFFSET(exits), NULL },
48252 -+ { "io_exits", STAT_OFFSET(io_exits), NULL },
48253 -+ { "mmio_exits", STAT_OFFSET(mmio_exits), NULL },
48254 -+ { "signal_exits", STAT_OFFSET(signal_exits), NULL },
48255 -+ { "irq_window", STAT_OFFSET(irq_window_exits), NULL },
48256 -+ { "halt_exits", STAT_OFFSET(halt_exits), NULL },
48257 -+ { "request_irq", STAT_OFFSET(request_irq_exits), NULL },
48258 -+ { "irq_exits", STAT_OFFSET(irq_exits), NULL },
48259 -+ { "light_exits", STAT_OFFSET(light_exits), NULL },
48260 -+ { "efer_reload", STAT_OFFSET(efer_reload), NULL },
48261 -+ { NULL, 0, NULL }
48262 - };
48263 -
48264 - static struct dentry *debugfs_dir;
48265 -@@ -2255,7 +2255,7 @@ static int kvm_vcpu_ioctl_translate(stru
48266 - static int kvm_vcpu_ioctl_interrupt(struct kvm_vcpu *vcpu,
48267 - struct kvm_interrupt *irq)
48268 - {
48269 -- if (irq->irq < 0 || irq->irq >= 256)
48270 -+ if (irq->irq >= 256)
48271 - return -EINVAL;
48272 - vcpu_load(vcpu);
48273 -
48274 -@@ -2895,6 +2895,9 @@ static struct miscdevice kvm_dev = {
48275 - KVM_MINOR,
48276 - "kvm",
48277 - &kvm_chardev_ops,
48278 -+ {NULL, NULL},
48279 -+ NULL,
48280 -+ NULL
48281 - };
48282 -
48283 - static int kvm_reboot(struct notifier_block *notifier, unsigned long val,
48284 -diff -Nurp linux-2.6.23.15/drivers/kvm/vmx.c linux-2.6.23.15-grsec/drivers/kvm/vmx.c
48285 ---- linux-2.6.23.15/drivers/kvm/vmx.c 2008-02-11 10:36:03.000000000 +0000
48286 -+++ linux-2.6.23.15-grsec/drivers/kvm/vmx.c 2008-02-11 10:37:44.000000000 +0000
48287 -@@ -2148,7 +2148,7 @@ again:
48288 -
48289 - vcpu->interrupt_window_open = (vmcs_read32(GUEST_INTERRUPTIBILITY_INFO) & 3) == 0;
48290 -
48291 -- asm ("mov %0, %%ds; mov %0, %%es" : : "r"(__USER_DS));
48292 -+ asm ("mov %0, %%ds; mov %0, %%es" : : "r"(__KERNEL_DS));
48293 -
48294 - if (unlikely(fail)) {
48295 - kvm_run->exit_reason = KVM_EXIT_FAIL_ENTRY;
48296 -diff -Nurp linux-2.6.23.15/drivers/kvm/x86_emulate.c linux-2.6.23.15-grsec/drivers/kvm/x86_emulate.c
48297 ---- linux-2.6.23.15/drivers/kvm/x86_emulate.c 2008-02-11 10:36:03.000000000 +0000
48298 -+++ linux-2.6.23.15-grsec/drivers/kvm/x86_emulate.c 2008-02-11 10:37:44.000000000 +0000
48299 -@@ -823,7 +823,7 @@ done_prefixes:
48300 - case DstReg:
48301 - dst.type = OP_REG;
48302 - if ((d & ByteOp)
48303 -- && !(twobyte_table && (b == 0xb6 || b == 0xb7))) {
48304 -+ && !(twobyte && (b == 0xb6 || b == 0xb7))) {
48305 - dst.ptr = decode_register(modrm_reg, _regs,
48306 - (rex_prefix == 0));
48307 - dst.val = *(u8 *) dst.ptr;
48308 -diff -Nurp linux-2.6.23.15/drivers/md/bitmap.c linux-2.6.23.15-grsec/drivers/md/bitmap.c
48309 ---- linux-2.6.23.15/drivers/md/bitmap.c 2008-02-11 10:36:03.000000000 +0000
48310 -+++ linux-2.6.23.15-grsec/drivers/md/bitmap.c 2008-02-11 10:37:44.000000000 +0000
48311 -@@ -57,7 +57,7 @@
48312 - # if DEBUG > 0
48313 - # define PRINTK(x...) printk(KERN_DEBUG x)
48314 - # else
48315 --# define PRINTK(x...)
48316 -+# define PRINTK(x...) do {} while (0)
48317 - # endif
48318 - #endif
48319 -
48320 -diff -Nurp linux-2.6.23.15/drivers/mtd/devices/doc2000.c linux-2.6.23.15-grsec/drivers/mtd/devices/doc2000.c
48321 ---- linux-2.6.23.15/drivers/mtd/devices/doc2000.c 2007-10-09 21:31:38.000000000 +0100
48322 -+++ linux-2.6.23.15-grsec/drivers/mtd/devices/doc2000.c 2008-02-11 10:37:44.000000000 +0000
48323 -@@ -632,7 +632,7 @@ static int doc_read(struct mtd_info *mtd
48324 - len = ((from | 0x1ff) + 1) - from;
48325 -
48326 - /* The ECC will not be calculated correctly if less than 512 is read */
48327 -- if (len != 0x200 && eccbuf)
48328 -+ if (len != 0x200)
48329 - printk(KERN_WARNING
48330 - "ECC needs a full sector read (adr: %lx size %lx)\n",
48331 - (long) from, (long) len);
48332 -diff -Nurp linux-2.6.23.15/drivers/mtd/devices/doc2001.c linux-2.6.23.15-grsec/drivers/mtd/devices/doc2001.c
48333 ---- linux-2.6.23.15/drivers/mtd/devices/doc2001.c 2007-10-09 21:31:38.000000000 +0100
48334 -+++ linux-2.6.23.15-grsec/drivers/mtd/devices/doc2001.c 2008-02-11 10:37:44.000000000 +0000
48335 -@@ -398,6 +398,8 @@ static int doc_read (struct mtd_info *mt
48336 - /* Don't allow read past end of device */
48337 - if (from >= this->totlen)
48338 - return -EINVAL;
48339 -+ if (!len)
48340 -+ return -EINVAL;
48341 -
48342 - /* Don't allow a single read to cross a 512-byte block boundary */
48343 - if (from + len > ((from | 0x1ff) + 1))
48344 -diff -Nurp linux-2.6.23.15/drivers/mtd/devices/doc2001plus.c linux-2.6.23.15-grsec/drivers/mtd/devices/doc2001plus.c
48345 ---- linux-2.6.23.15/drivers/mtd/devices/doc2001plus.c 2007-10-09 21:31:38.000000000 +0100
48346 -+++ linux-2.6.23.15-grsec/drivers/mtd/devices/doc2001plus.c 2008-02-11 10:37:44.000000000 +0000
48347 -@@ -748,7 +748,7 @@ static int doc_write(struct mtd_info *mt
48348 - WriteDOC(DoC_GetDataOffset(mtd, &fto), docptr, Mplus_FlashCmd);
48349 -
48350 - /* On interleaved devices the flags for 2nd half 512 are before data */
48351 -- if (eccbuf && before)
48352 -+ if (before)
48353 - fto -= 2;
48354 -
48355 - /* issue the Serial Data In command to initial the Page Program process */
48356 -diff -Nurp linux-2.6.23.15/drivers/mtd/devices/slram.c linux-2.6.23.15-grsec/drivers/mtd/devices/slram.c
48357 ---- linux-2.6.23.15/drivers/mtd/devices/slram.c 2007-10-09 21:31:38.000000000 +0100
48358 -+++ linux-2.6.23.15-grsec/drivers/mtd/devices/slram.c 2008-02-11 10:37:44.000000000 +0000
48359 -@@ -270,7 +270,7 @@ static int parse_cmdline(char *devname,
48360 - }
48361 - T("slram: devname=%s, devstart=0x%lx, devlength=0x%lx\n",
48362 - devname, devstart, devlength);
48363 -- if ((devstart < 0) || (devlength < 0) || (devlength % SLRAM_BLK_SZ != 0)) {
48364 -+ if (devlength % SLRAM_BLK_SZ != 0) {
48365 - E("slram: Illegal start / length parameter.\n");
48366 - return(-EINVAL);
48367 - }
48368 -diff -Nurp linux-2.6.23.15/drivers/mtd/ubi/build.c linux-2.6.23.15-grsec/drivers/mtd/ubi/build.c
48369 ---- linux-2.6.23.15/drivers/mtd/ubi/build.c 2007-10-09 21:31:38.000000000 +0100
48370 -+++ linux-2.6.23.15-grsec/drivers/mtd/ubi/build.c 2008-02-11 10:37:44.000000000 +0000
48371 -@@ -727,7 +727,7 @@ static int __init bytes_str_to_int(const
48372 - unsigned long result;
48373 -
48374 - result = simple_strtoul(str, &endp, 0);
48375 -- if (str == endp || result < 0) {
48376 -+ if (str == endp) {
48377 - printk("UBI error: incorrect bytes count: \"%s\"\n", str);
48378 - return -EINVAL;
48379 - }
48380 -diff -Nurp linux-2.6.23.15/drivers/net/eepro100.c linux-2.6.23.15-grsec/drivers/net/eepro100.c
48381 ---- linux-2.6.23.15/drivers/net/eepro100.c 2007-10-09 21:31:38.000000000 +0100
48382 -+++ linux-2.6.23.15-grsec/drivers/net/eepro100.c 2008-02-11 10:37:44.000000000 +0000
48383 -@@ -47,7 +47,7 @@ static int rxdmacount /* = 0 */;
48384 - # define rx_align(skb) skb_reserve((skb), 2)
48385 - # define RxFD_ALIGNMENT __attribute__ ((aligned (2), packed))
48386 - #else
48387 --# define rx_align(skb)
48388 -+# define rx_align(skb) do {} while (0)
48389 - # define RxFD_ALIGNMENT
48390 - #endif
48391 -
48392 -@@ -2344,33 +2344,33 @@ static void __devexit eepro100_remove_on
48393 - }
48394 -
48395 - static struct pci_device_id eepro100_pci_tbl[] = {
48396 -- { PCI_VENDOR_ID_INTEL, 0x1229, PCI_ANY_ID, PCI_ANY_ID, },
48397 -- { PCI_VENDOR_ID_INTEL, 0x1209, PCI_ANY_ID, PCI_ANY_ID, },
48398 -- { PCI_VENDOR_ID_INTEL, 0x1029, PCI_ANY_ID, PCI_ANY_ID, },
48399 -- { PCI_VENDOR_ID_INTEL, 0x1030, PCI_ANY_ID, PCI_ANY_ID, },
48400 -- { PCI_VENDOR_ID_INTEL, 0x1031, PCI_ANY_ID, PCI_ANY_ID, },
48401 -- { PCI_VENDOR_ID_INTEL, 0x1032, PCI_ANY_ID, PCI_ANY_ID, },
48402 -- { PCI_VENDOR_ID_INTEL, 0x1033, PCI_ANY_ID, PCI_ANY_ID, },
48403 -- { PCI_VENDOR_ID_INTEL, 0x1034, PCI_ANY_ID, PCI_ANY_ID, },
48404 -- { PCI_VENDOR_ID_INTEL, 0x1035, PCI_ANY_ID, PCI_ANY_ID, },
48405 -- { PCI_VENDOR_ID_INTEL, 0x1036, PCI_ANY_ID, PCI_ANY_ID, },
48406 -- { PCI_VENDOR_ID_INTEL, 0x1037, PCI_ANY_ID, PCI_ANY_ID, },
48407 -- { PCI_VENDOR_ID_INTEL, 0x1038, PCI_ANY_ID, PCI_ANY_ID, },
48408 -- { PCI_VENDOR_ID_INTEL, 0x1039, PCI_ANY_ID, PCI_ANY_ID, },
48409 -- { PCI_VENDOR_ID_INTEL, 0x103A, PCI_ANY_ID, PCI_ANY_ID, },
48410 -- { PCI_VENDOR_ID_INTEL, 0x103B, PCI_ANY_ID, PCI_ANY_ID, },
48411 -- { PCI_VENDOR_ID_INTEL, 0x103C, PCI_ANY_ID, PCI_ANY_ID, },
48412 -- { PCI_VENDOR_ID_INTEL, 0x103D, PCI_ANY_ID, PCI_ANY_ID, },
48413 -- { PCI_VENDOR_ID_INTEL, 0x103E, PCI_ANY_ID, PCI_ANY_ID, },
48414 -- { PCI_VENDOR_ID_INTEL, 0x1050, PCI_ANY_ID, PCI_ANY_ID, },
48415 -- { PCI_VENDOR_ID_INTEL, 0x1059, PCI_ANY_ID, PCI_ANY_ID, },
48416 -- { PCI_VENDOR_ID_INTEL, 0x1227, PCI_ANY_ID, PCI_ANY_ID, },
48417 -- { PCI_VENDOR_ID_INTEL, 0x2449, PCI_ANY_ID, PCI_ANY_ID, },
48418 -- { PCI_VENDOR_ID_INTEL, 0x2459, PCI_ANY_ID, PCI_ANY_ID, },
48419 -- { PCI_VENDOR_ID_INTEL, 0x245D, PCI_ANY_ID, PCI_ANY_ID, },
48420 -- { PCI_VENDOR_ID_INTEL, 0x5200, PCI_ANY_ID, PCI_ANY_ID, },
48421 -- { PCI_VENDOR_ID_INTEL, 0x5201, PCI_ANY_ID, PCI_ANY_ID, },
48422 -- { 0,}
48423 -+ { PCI_VENDOR_ID_INTEL, 0x1229, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
48424 -+ { PCI_VENDOR_ID_INTEL, 0x1209, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
48425 -+ { PCI_VENDOR_ID_INTEL, 0x1029, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
48426 -+ { PCI_VENDOR_ID_INTEL, 0x1030, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
48427 -+ { PCI_VENDOR_ID_INTEL, 0x1031, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
48428 -+ { PCI_VENDOR_ID_INTEL, 0x1032, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
48429 -+ { PCI_VENDOR_ID_INTEL, 0x1033, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
48430 -+ { PCI_VENDOR_ID_INTEL, 0x1034, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
48431 -+ { PCI_VENDOR_ID_INTEL, 0x1035, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
48432 -+ { PCI_VENDOR_ID_INTEL, 0x1036, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
48433 -+ { PCI_VENDOR_ID_INTEL, 0x1037, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
48434 -+ { PCI_VENDOR_ID_INTEL, 0x1038, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
48435 -+ { PCI_VENDOR_ID_INTEL, 0x1039, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
48436 -+ { PCI_VENDOR_ID_INTEL, 0x103A, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
48437 -+ { PCI_VENDOR_ID_INTEL, 0x103B, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
48438 -+ { PCI_VENDOR_ID_INTEL, 0x103C, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
48439 -+ { PCI_VENDOR_ID_INTEL, 0x103D, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
48440 -+ { PCI_VENDOR_ID_INTEL, 0x103E, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
48441 -+ { PCI_VENDOR_ID_INTEL, 0x1050, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
48442 -+ { PCI_VENDOR_ID_INTEL, 0x1059, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
48443 -+ { PCI_VENDOR_ID_INTEL, 0x1227, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
48444 -+ { PCI_VENDOR_ID_INTEL, 0x2449, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
48445 -+ { PCI_VENDOR_ID_INTEL, 0x2459, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
48446 -+ { PCI_VENDOR_ID_INTEL, 0x245D, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
48447 -+ { PCI_VENDOR_ID_INTEL, 0x5200, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
48448 -+ { PCI_VENDOR_ID_INTEL, 0x5201, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
48449 -+ { 0, 0, 0, 0, 0, 0, 0 }
48450 - };
48451 - MODULE_DEVICE_TABLE(pci, eepro100_pci_tbl);
48452 -
48453 -diff -Nurp linux-2.6.23.15/drivers/net/irda/vlsi_ir.c linux-2.6.23.15-grsec/drivers/net/irda/vlsi_ir.c
48454 ---- linux-2.6.23.15/drivers/net/irda/vlsi_ir.c 2007-10-09 21:31:38.000000000 +0100
48455 -+++ linux-2.6.23.15-grsec/drivers/net/irda/vlsi_ir.c 2008-02-11 10:37:44.000000000 +0000
48456 -@@ -906,13 +906,12 @@ static int vlsi_hard_start_xmit(struct s
48457 - /* no race - tx-ring already empty */
48458 - vlsi_set_baud(idev, iobase);
48459 - netif_wake_queue(ndev);
48460 -- }
48461 -- else
48462 -- ;
48463 -+ } else {
48464 - /* keep the speed change pending like it would
48465 - * for any len>0 packet. tx completion interrupt
48466 - * will apply it when the tx ring becomes empty.
48467 - */
48468 -+ }
48469 - spin_unlock_irqrestore(&idev->lock, flags);
48470 - dev_kfree_skb_any(skb);
48471 - return 0;
48472 -diff -Nurp linux-2.6.23.15/drivers/net/pcnet32.c linux-2.6.23.15-grsec/drivers/net/pcnet32.c
48473 ---- linux-2.6.23.15/drivers/net/pcnet32.c 2007-10-09 21:31:38.000000000 +0100
48474 -+++ linux-2.6.23.15-grsec/drivers/net/pcnet32.c 2008-02-11 10:37:44.000000000 +0000
48475 -@@ -82,7 +82,7 @@ static int cards_found;
48476 - /*
48477 - * VLB I/O addresses
48478 - */
48479 --static unsigned int pcnet32_portlist[] __initdata =
48480 -+static unsigned int pcnet32_portlist[] __devinitdata =
48481 - { 0x300, 0x320, 0x340, 0x360, 0 };
48482 -
48483 - static int pcnet32_debug = 0;
48484 -diff -Nurp linux-2.6.23.15/drivers/net/tg3.h linux-2.6.23.15-grsec/drivers/net/tg3.h
48485 ---- linux-2.6.23.15/drivers/net/tg3.h 2007-10-09 21:31:38.000000000 +0100
48486 -+++ linux-2.6.23.15-grsec/drivers/net/tg3.h 2008-02-11 10:37:44.000000000 +0000
48487 -@@ -127,6 +127,7 @@
48488 - #define CHIPREV_ID_5750_A0 0x4000
48489 - #define CHIPREV_ID_5750_A1 0x4001
48490 - #define CHIPREV_ID_5750_A3 0x4003
48491 -+#define CHIPREV_ID_5750_C1 0x4201
48492 - #define CHIPREV_ID_5750_C2 0x4202
48493 - #define CHIPREV_ID_5752_A0_HW 0x5000
48494 - #define CHIPREV_ID_5752_A0 0x6000
48495 -diff -Nurp linux-2.6.23.15/drivers/pci/hotplug/cpqphp_nvram.c linux-2.6.23.15-grsec/drivers/pci/hotplug/cpqphp_nvram.c
48496 ---- linux-2.6.23.15/drivers/pci/hotplug/cpqphp_nvram.c 2007-10-09 21:31:38.000000000 +0100
48497 -+++ linux-2.6.23.15-grsec/drivers/pci/hotplug/cpqphp_nvram.c 2008-02-11 10:37:44.000000000 +0000
48498 -@@ -425,9 +425,13 @@ static u32 store_HRT (void __iomem *rom_
48499 -
48500 - void compaq_nvram_init (void __iomem *rom_start)
48501 - {
48502 -+
48503 -+#ifndef CONFIG_PAX_KERNEXEC
48504 - if (rom_start) {
48505 - compaq_int15_entry_point = (rom_start + ROM_INT15_PHY_ADDR - ROM_PHY_ADDR);
48506 - }
48507 -+#endif
48508 -+
48509 - dbg("int15 entry = %p\n", compaq_int15_entry_point);
48510 -
48511 - /* initialize our int15 lock */
48512 -diff -Nurp linux-2.6.23.15/drivers/pci/pcie/aer/aerdrv.c linux-2.6.23.15-grsec/drivers/pci/pcie/aer/aerdrv.c
48513 ---- linux-2.6.23.15/drivers/pci/pcie/aer/aerdrv.c 2007-10-09 21:31:38.000000000 +0100
48514 -+++ linux-2.6.23.15-grsec/drivers/pci/pcie/aer/aerdrv.c 2008-02-11 10:37:44.000000000 +0000
48515 -@@ -58,7 +58,7 @@ static struct pcie_port_service_id aer_i
48516 - .port_type = PCIE_RC_PORT,
48517 - .service_type = PCIE_PORT_SERVICE_AER,
48518 - },
48519 -- { /* end: all zeroes */ }
48520 -+ { 0, 0, 0, 0, 0, 0, 0, 0, 0 }
48521 - };
48522 -
48523 - static struct pci_error_handlers aer_error_handlers = {
48524 -diff -Nurp linux-2.6.23.15/drivers/pci/pcie/aer/aerdrv_core.c linux-2.6.23.15-grsec/drivers/pci/pcie/aer/aerdrv_core.c
48525 ---- linux-2.6.23.15/drivers/pci/pcie/aer/aerdrv_core.c 2007-10-09 21:31:38.000000000 +0100
48526 -+++ linux-2.6.23.15-grsec/drivers/pci/pcie/aer/aerdrv_core.c 2008-02-11 10:37:44.000000000 +0000
48527 -@@ -660,7 +660,7 @@ static void aer_isr_one_error(struct pci
48528 - struct aer_err_source *e_src)
48529 - {
48530 - struct device *s_device;
48531 -- struct aer_err_info e_info = {0, 0, 0,};
48532 -+ struct aer_err_info e_info = {0, 0, 0, {0, 0, 0, 0}};
48533 - int i;
48534 - u16 id;
48535 -
48536 -diff -Nurp linux-2.6.23.15/drivers/pci/pcie/portdrv_pci.c linux-2.6.23.15-grsec/drivers/pci/pcie/portdrv_pci.c
48537 ---- linux-2.6.23.15/drivers/pci/pcie/portdrv_pci.c 2007-10-09 21:31:38.000000000 +0100
48538 -+++ linux-2.6.23.15-grsec/drivers/pci/pcie/portdrv_pci.c 2008-02-11 10:37:44.000000000 +0000
48539 -@@ -265,7 +265,7 @@ static void pcie_portdrv_err_resume(stru
48540 - static const struct pci_device_id port_pci_ids[] = { {
48541 - /* handle any PCI-Express port */
48542 - PCI_DEVICE_CLASS(((PCI_CLASS_BRIDGE_PCI << 8) | 0x00), ~0),
48543 -- }, { /* end: all zeroes */ }
48544 -+ }, { 0, 0, 0, 0, 0, 0, 0 }
48545 - };
48546 - MODULE_DEVICE_TABLE(pci, port_pci_ids);
48547 -
48548 -diff -Nurp linux-2.6.23.15/drivers/pci/proc.c linux-2.6.23.15-grsec/drivers/pci/proc.c
48549 ---- linux-2.6.23.15/drivers/pci/proc.c 2007-10-09 21:31:38.000000000 +0100
48550 -+++ linux-2.6.23.15-grsec/drivers/pci/proc.c 2008-02-11 10:37:44.000000000 +0000
48551 -@@ -466,7 +466,15 @@ static int __init pci_proc_init(void)
48552 - {
48553 - struct proc_dir_entry *entry;
48554 - struct pci_dev *dev = NULL;
48555 -+#ifdef CONFIG_GRKERNSEC_PROC_ADD
48556 -+#ifdef CONFIG_GRKERNSEC_PROC_USER
48557 -+ proc_bus_pci_dir = proc_mkdir_mode("pci", S_IRUSR | S_IXUSR, proc_bus);
48558 -+#elif CONFIG_GRKERNSEC_PROC_USERGROUP
48559 -+ proc_bus_pci_dir = proc_mkdir_mode("pci", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, proc_bus);
48560 -+#endif
48561 -+#else
48562 - proc_bus_pci_dir = proc_mkdir("pci", proc_bus);
48563 -+#endif
48564 - entry = create_proc_entry("devices", 0, proc_bus_pci_dir);
48565 - if (entry)
48566 - entry->proc_fops = &proc_bus_pci_dev_operations;
48567 -diff -Nurp linux-2.6.23.15/drivers/pcmcia/ti113x.h linux-2.6.23.15-grsec/drivers/pcmcia/ti113x.h
48568 ---- linux-2.6.23.15/drivers/pcmcia/ti113x.h 2007-10-09 21:31:38.000000000 +0100
48569 -+++ linux-2.6.23.15-grsec/drivers/pcmcia/ti113x.h 2008-02-11 10:37:44.000000000 +0000
48570 -@@ -897,7 +897,7 @@ static struct pci_device_id ene_tune_tbl
48571 - DEVID(PCI_VENDOR_ID_MOTOROLA, 0x3410, 0xECC0, PCI_ANY_ID,
48572 - ENE_TEST_C9_TLTENABLE | ENE_TEST_C9_PFENABLE, ENE_TEST_C9_TLTENABLE),
48573 -
48574 -- {}
48575 -+ { 0, 0, 0, 0, 0, 0, 0 }
48576 - };
48577 -
48578 - static void ene_tune_bridge(struct pcmcia_socket *sock, struct pci_bus *bus)
48579 -diff -Nurp linux-2.6.23.15/drivers/pcmcia/yenta_socket.c linux-2.6.23.15-grsec/drivers/pcmcia/yenta_socket.c
48580 ---- linux-2.6.23.15/drivers/pcmcia/yenta_socket.c 2007-10-09 21:31:38.000000000 +0100
48581 -+++ linux-2.6.23.15-grsec/drivers/pcmcia/yenta_socket.c 2008-02-11 10:37:44.000000000 +0000
48582 -@@ -1358,7 +1358,7 @@ static struct pci_device_id yenta_table
48583 -
48584 - /* match any cardbus bridge */
48585 - CB_ID(PCI_ANY_ID, PCI_ANY_ID, DEFAULT),
48586 -- { /* all zeroes */ }
48587 -+ { 0, 0, 0, 0, 0, 0, 0 }
48588 - };
48589 - MODULE_DEVICE_TABLE(pci, yenta_table);
48590 -
48591 -diff -Nurp linux-2.6.23.15/drivers/pnp/pnpbios/bioscalls.c linux-2.6.23.15-grsec/drivers/pnp/pnpbios/bioscalls.c
48592 ---- linux-2.6.23.15/drivers/pnp/pnpbios/bioscalls.c 2007-10-09 21:31:38.000000000 +0100
48593 -+++ linux-2.6.23.15-grsec/drivers/pnp/pnpbios/bioscalls.c 2008-02-11 10:37:44.000000000 +0000
48594 -@@ -61,7 +61,7 @@ set_base(gdt[(selname) >> 3], (u32)(addr
48595 - set_limit(gdt[(selname) >> 3], size); \
48596 - } while(0)
48597 -
48598 --static struct desc_struct bad_bios_desc = { 0, 0x00409200 };
48599 -+static struct desc_struct bad_bios_desc __read_only = { 0, 0x00409300 };
48600 -
48601 - /*
48602 - * At some point we want to use this stack frame pointer to unwind
48603 -@@ -88,6 +88,10 @@ static inline u16 call_pnp_bios(u16 func
48604 - struct desc_struct save_desc_40;
48605 - int cpu;
48606 -
48607 -+#ifdef CONFIG_PAX_KERNEXEC
48608 -+ unsigned long cr0;
48609 -+#endif
48610 -+
48611 - /*
48612 - * PnP BIOSes are generally not terribly re-entrant.
48613 - * Also, don't rely on them to save everything correctly.
48614 -@@ -97,8 +101,17 @@ static inline u16 call_pnp_bios(u16 func
48615 -
48616 - cpu = get_cpu();
48617 - save_desc_40 = get_cpu_gdt_table(cpu)[0x40 / 8];
48618 -+
48619 -+#ifdef CONFIG_PAX_KERNEXEC
48620 -+ pax_open_kernel(cr0);
48621 -+#endif
48622 -+
48623 - get_cpu_gdt_table(cpu)[0x40 / 8] = bad_bios_desc;
48624 -
48625 -+#ifdef CONFIG_PAX_KERNEXEC
48626 -+ pax_close_kernel(cr0);
48627 -+#endif
48628 -+
48629 - /* On some boxes IRQ's during PnP BIOS calls are deadly. */
48630 - spin_lock_irqsave(&pnp_bios_lock, flags);
48631 -
48632 -@@ -135,7 +148,16 @@ static inline u16 call_pnp_bios(u16 func
48633 - :"memory");
48634 - spin_unlock_irqrestore(&pnp_bios_lock, flags);
48635 -
48636 -+#ifdef CONFIG_PAX_KERNEXEC
48637 -+ pax_open_kernel(cr0);
48638 -+#endif
48639 -+
48640 - get_cpu_gdt_table(cpu)[0x40 / 8] = save_desc_40;
48641 -+
48642 -+#ifdef CONFIG_PAX_KERNEXEC
48643 -+ pax_close_kernel(cr0);
48644 -+#endif
48645 -+
48646 - put_cpu();
48647 -
48648 - /* If we get here and this is set then the PnP BIOS faulted on us. */
48649 -@@ -469,16 +491,25 @@ int pnp_bios_read_escd(char *data, u32 n
48650 - return status;
48651 - }
48652 -
48653 --void pnpbios_calls_init(union pnp_bios_install_struct *header)
48654 -+void __init pnpbios_calls_init(union pnp_bios_install_struct *header)
48655 - {
48656 - int i;
48657 -
48658 -+#ifdef CONFIG_PAX_KERNEXEC
48659 -+ unsigned long cr0;
48660 -+#endif
48661 -+
48662 - spin_lock_init(&pnp_bios_lock);
48663 - pnp_bios_callpoint.offset = header->fields.pm16offset;
48664 - pnp_bios_callpoint.segment = PNP_CS16;
48665 -
48666 - set_base(bad_bios_desc, __va((unsigned long)0x40 << 4));
48667 - _set_limit((char *)&bad_bios_desc, 4095 - (0x40 << 4));
48668 -+
48669 -+#ifdef CONFIG_PAX_KERNEXEC
48670 -+ pax_open_kernel(cr0);
48671 -+#endif
48672 -+
48673 - for (i = 0; i < NR_CPUS; i++) {
48674 - struct desc_struct *gdt = get_cpu_gdt_table(i);
48675 - if (!gdt)
48676 -@@ -489,4 +520,9 @@ void pnpbios_calls_init(union pnp_bios_i
48677 - set_base(gdt[GDT_ENTRY_PNPBIOS_DS],
48678 - __va(header->fields.pm16dseg));
48679 - }
48680 -+
48681 -+#ifdef CONFIG_PAX_KERNEXEC
48682 -+ pax_close_kernel(cr0);
48683 -+#endif
48684 -+
48685 - }
48686 -diff -Nurp linux-2.6.23.15/drivers/pnp/quirks.c linux-2.6.23.15-grsec/drivers/pnp/quirks.c
48687 ---- linux-2.6.23.15/drivers/pnp/quirks.c 2007-10-09 21:31:38.000000000 +0100
48688 -+++ linux-2.6.23.15-grsec/drivers/pnp/quirks.c 2008-02-11 10:37:44.000000000 +0000
48689 -@@ -127,7 +127,7 @@ static struct pnp_fixup pnp_fixups[] = {
48690 - {"CTL0043", quirk_sb16audio_resources},
48691 - {"CTL0044", quirk_sb16audio_resources},
48692 - {"CTL0045", quirk_sb16audio_resources},
48693 -- {""}
48694 -+ {"", NULL}
48695 - };
48696 -
48697 - void pnp_fixup_device(struct pnp_dev *dev)
48698 -diff -Nurp linux-2.6.23.15/drivers/pnp/resource.c linux-2.6.23.15-grsec/drivers/pnp/resource.c
48699 ---- linux-2.6.23.15/drivers/pnp/resource.c 2007-10-09 21:31:38.000000000 +0100
48700 -+++ linux-2.6.23.15-grsec/drivers/pnp/resource.c 2008-02-11 10:37:44.000000000 +0000
48701 -@@ -345,7 +345,7 @@ int pnp_check_irq(struct pnp_dev *dev, i
48702 - return 1;
48703 -
48704 - /* check if the resource is valid */
48705 -- if (*irq < 0 || *irq > 15)
48706 -+ if (*irq > 15)
48707 - return 0;
48708 -
48709 - /* check if the resource is reserved */
48710 -@@ -412,7 +412,7 @@ int pnp_check_dma(struct pnp_dev *dev, i
48711 - return 1;
48712 -
48713 - /* check if the resource is valid */
48714 -- if (*dma < 0 || *dma == 4 || *dma > 7)
48715 -+ if (*dma == 4 || *dma > 7)
48716 - return 0;
48717 -
48718 - /* check if the resource is reserved */
48719 -diff -Nurp linux-2.6.23.15/drivers/scsi/scsi_lib.c linux-2.6.23.15-grsec/drivers/scsi/scsi_lib.c
48720 ---- linux-2.6.23.15/drivers/scsi/scsi_lib.c 2007-10-09 21:31:38.000000000 +0100
48721 -+++ linux-2.6.23.15-grsec/drivers/scsi/scsi_lib.c 2008-02-11 10:37:44.000000000 +0000
48722 -@@ -44,7 +44,7 @@ struct scsi_host_sg_pool {
48723 - #error SCSI_MAX_PHYS_SEGMENTS is too small
48724 - #endif
48725 -
48726 --#define SP(x) { x, "sgpool-" #x }
48727 -+#define SP(x) { x, "sgpool-" #x, NULL, NULL }
48728 - static struct scsi_host_sg_pool scsi_sg_pools[] = {
48729 - SP(8),
48730 - SP(16),
48731 -diff -Nurp linux-2.6.23.15/drivers/scsi/scsi_logging.h linux-2.6.23.15-grsec/drivers/scsi/scsi_logging.h
48732 ---- linux-2.6.23.15/drivers/scsi/scsi_logging.h 2007-10-09 21:31:38.000000000 +0100
48733 -+++ linux-2.6.23.15-grsec/drivers/scsi/scsi_logging.h 2008-02-11 10:37:44.000000000 +0000
48734 -@@ -51,7 +51,7 @@ do { \
48735 - } while (0); \
48736 - } while (0)
48737 - #else
48738 --#define SCSI_CHECK_LOGGING(SHIFT, BITS, LEVEL, CMD)
48739 -+#define SCSI_CHECK_LOGGING(SHIFT, BITS, LEVEL, CMD) do {} while (0)
48740 - #endif /* CONFIG_SCSI_LOGGING */
48741 -
48742 - /*
48743 -diff -Nurp linux-2.6.23.15/drivers/serial/8250_pci.c linux-2.6.23.15-grsec/drivers/serial/8250_pci.c
48744 ---- linux-2.6.23.15/drivers/serial/8250_pci.c 2007-10-09 21:31:38.000000000 +0100
48745 -+++ linux-2.6.23.15-grsec/drivers/serial/8250_pci.c 2008-02-11 10:37:44.000000000 +0000
48746 -@@ -2589,7 +2589,7 @@ static struct pci_device_id serial_pci_t
48747 - PCI_ANY_ID, PCI_ANY_ID,
48748 - PCI_CLASS_COMMUNICATION_MULTISERIAL << 8,
48749 - 0xffff00, pbn_default },
48750 -- { 0, }
48751 -+ { 0, 0, 0, 0, 0, 0, 0 }
48752 - };
48753 -
48754 - static struct pci_driver serial_pci_driver = {
48755 -diff -Nurp linux-2.6.23.15/drivers/usb/class/cdc-acm.c linux-2.6.23.15-grsec/drivers/usb/class/cdc-acm.c
48756 ---- linux-2.6.23.15/drivers/usb/class/cdc-acm.c 2007-10-09 21:31:38.000000000 +0100
48757 -+++ linux-2.6.23.15-grsec/drivers/usb/class/cdc-acm.c 2008-02-11 10:37:44.000000000 +0000
48758 -@@ -1199,7 +1199,7 @@ static struct usb_device_id acm_ids[] =
48759 - USB_CDC_ACM_PROTO_AT_CDMA) },
48760 -
48761 - /* NOTE: COMM/ACM/0xff is likely MSFT RNDIS ... NOT a modem!! */
48762 -- { }
48763 -+ { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 }
48764 - };
48765 -
48766 - MODULE_DEVICE_TABLE (usb, acm_ids);
48767 -diff -Nurp linux-2.6.23.15/drivers/usb/class/usblp.c linux-2.6.23.15-grsec/drivers/usb/class/usblp.c
48768 ---- linux-2.6.23.15/drivers/usb/class/usblp.c 2007-10-09 21:31:38.000000000 +0100
48769 -+++ linux-2.6.23.15-grsec/drivers/usb/class/usblp.c 2008-02-11 10:37:44.000000000 +0000
48770 -@@ -225,7 +225,7 @@ static const struct quirk_printer_struct
48771 - { 0x0409, 0xf1be, USBLP_QUIRK_BIDIR }, /* NEC Picty800 (HP OEM) */
48772 - { 0x0482, 0x0010, USBLP_QUIRK_BIDIR }, /* Kyocera Mita FS 820, by zut <kernel@×××.de> */
48773 - { 0x04b8, 0x0202, USBLP_QUIRK_BAD_CLASS }, /* Seiko Epson Receipt Printer M129C */
48774 -- { 0, 0 }
48775 -+ { 0, 0, 0 }
48776 - };
48777 -
48778 - static int usblp_wwait(struct usblp *usblp, int nonblock);
48779 -@@ -1376,7 +1376,7 @@ static struct usb_device_id usblp_ids []
48780 - { USB_INTERFACE_INFO(7, 1, 2) },
48781 - { USB_INTERFACE_INFO(7, 1, 3) },
48782 - { USB_DEVICE(0x04b8, 0x0202) }, /* Seiko Epson Receipt Printer M129C */
48783 -- { } /* Terminating entry */
48784 -+ { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 } /* Terminating entry */
48785 - };
48786 -
48787 - MODULE_DEVICE_TABLE (usb, usblp_ids);
48788 -diff -Nurp linux-2.6.23.15/drivers/usb/core/hub.c linux-2.6.23.15-grsec/drivers/usb/core/hub.c
48789 ---- linux-2.6.23.15/drivers/usb/core/hub.c 2008-02-11 10:36:03.000000000 +0000
48790 -+++ linux-2.6.23.15-grsec/drivers/usb/core/hub.c 2008-02-11 10:37:44.000000000 +0000
48791 -@@ -2762,7 +2762,7 @@ static struct usb_device_id hub_id_table
48792 - .bDeviceClass = USB_CLASS_HUB},
48793 - { .match_flags = USB_DEVICE_ID_MATCH_INT_CLASS,
48794 - .bInterfaceClass = USB_CLASS_HUB},
48795 -- { } /* Terminating entry */
48796 -+ { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 } /* Terminating entry */
48797 - };
48798 -
48799 - MODULE_DEVICE_TABLE (usb, hub_id_table);
48800 -diff -Nurp linux-2.6.23.15/drivers/usb/host/ehci-pci.c linux-2.6.23.15-grsec/drivers/usb/host/ehci-pci.c
48801 ---- linux-2.6.23.15/drivers/usb/host/ehci-pci.c 2007-10-09 21:31:38.000000000 +0100
48802 -+++ linux-2.6.23.15-grsec/drivers/usb/host/ehci-pci.c 2008-02-11 10:37:44.000000000 +0000
48803 -@@ -377,7 +377,7 @@ static const struct pci_device_id pci_id
48804 - PCI_DEVICE_CLASS(PCI_CLASS_SERIAL_USB_EHCI, ~0),
48805 - .driver_data = (unsigned long) &ehci_pci_hc_driver,
48806 - },
48807 -- { /* end: all zeroes */ }
48808 -+ { 0, 0, 0, 0, 0, 0, 0 }
48809 - };
48810 - MODULE_DEVICE_TABLE(pci, pci_ids);
48811 -
48812 -diff -Nurp linux-2.6.23.15/drivers/usb/host/uhci-hcd.c linux-2.6.23.15-grsec/drivers/usb/host/uhci-hcd.c
48813 ---- linux-2.6.23.15/drivers/usb/host/uhci-hcd.c 2007-10-09 21:31:38.000000000 +0100
48814 -+++ linux-2.6.23.15-grsec/drivers/usb/host/uhci-hcd.c 2008-02-11 10:37:44.000000000 +0000
48815 -@@ -894,7 +894,7 @@ static const struct pci_device_id uhci_p
48816 - /* handle any USB UHCI controller */
48817 - PCI_DEVICE_CLASS(PCI_CLASS_SERIAL_USB_UHCI, ~0),
48818 - .driver_data = (unsigned long) &uhci_driver,
48819 -- }, { /* end: all zeroes */ }
48820 -+ }, { 0, 0, 0, 0, 0, 0, 0 }
48821 - };
48822 -
48823 - MODULE_DEVICE_TABLE(pci, uhci_pci_ids);
48824 -diff -Nurp linux-2.6.23.15/drivers/usb/storage/debug.h linux-2.6.23.15-grsec/drivers/usb/storage/debug.h
48825 ---- linux-2.6.23.15/drivers/usb/storage/debug.h 2007-10-09 21:31:38.000000000 +0100
48826 -+++ linux-2.6.23.15-grsec/drivers/usb/storage/debug.h 2008-02-11 10:37:44.000000000 +0000
48827 -@@ -56,9 +56,9 @@ void usb_stor_show_sense( unsigned char
48828 - #define US_DEBUGPX(x...) printk( x )
48829 - #define US_DEBUG(x) x
48830 - #else
48831 --#define US_DEBUGP(x...)
48832 --#define US_DEBUGPX(x...)
48833 --#define US_DEBUG(x)
48834 -+#define US_DEBUGP(x...) do {} while (0)
48835 -+#define US_DEBUGPX(x...) do {} while (0)
48836 -+#define US_DEBUG(x) do {} while (0)
48837 - #endif
48838 -
48839 - #endif
48840 -diff -Nurp linux-2.6.23.15/drivers/usb/storage/usb.c linux-2.6.23.15-grsec/drivers/usb/storage/usb.c
48841 ---- linux-2.6.23.15/drivers/usb/storage/usb.c 2007-10-09 21:31:38.000000000 +0100
48842 -+++ linux-2.6.23.15-grsec/drivers/usb/storage/usb.c 2008-02-11 10:37:44.000000000 +0000
48843 -@@ -134,7 +134,7 @@ static struct usb_device_id storage_usb_
48844 - #undef UNUSUAL_DEV
48845 - #undef USUAL_DEV
48846 - /* Terminating entry */
48847 -- { }
48848 -+ { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 }
48849 - };
48850 -
48851 - MODULE_DEVICE_TABLE (usb, storage_usb_ids);
48852 -@@ -174,7 +174,7 @@ static struct us_unusual_dev us_unusual_
48853 - # undef USUAL_DEV
48854 -
48855 - /* Terminating entry */
48856 -- { NULL }
48857 -+ { NULL, NULL, 0, 0, NULL }
48858 - };
48859 -
48860 -
48861 -diff -Nurp linux-2.6.23.15/drivers/video/fbcmap.c linux-2.6.23.15-grsec/drivers/video/fbcmap.c
48862 ---- linux-2.6.23.15/drivers/video/fbcmap.c 2007-10-09 21:31:38.000000000 +0100
48863 -+++ linux-2.6.23.15-grsec/drivers/video/fbcmap.c 2008-02-11 10:37:44.000000000 +0000
48864 -@@ -251,8 +251,7 @@ int fb_set_user_cmap(struct fb_cmap_user
48865 - int rc, size = cmap->len * sizeof(u16);
48866 - struct fb_cmap umap;
48867 -
48868 -- if (cmap->start < 0 || (!info->fbops->fb_setcolreg &&
48869 -- !info->fbops->fb_setcmap))
48870 -+ if (!info->fbops->fb_setcolreg && !info->fbops->fb_setcmap)
48871 - return -EINVAL;
48872 -
48873 - memset(&umap, 0, sizeof(struct fb_cmap));
48874 -diff -Nurp linux-2.6.23.15/drivers/video/fbmem.c linux-2.6.23.15-grsec/drivers/video/fbmem.c
48875 ---- linux-2.6.23.15/drivers/video/fbmem.c 2007-10-09 21:31:38.000000000 +0100
48876 -+++ linux-2.6.23.15-grsec/drivers/video/fbmem.c 2008-02-11 10:37:44.000000000 +0000
48877 -@@ -394,7 +394,7 @@ static void fb_do_show_logo(struct fb_in
48878 - image->dx += image->width + 8;
48879 - }
48880 - } else if (rotate == FB_ROTATE_UD) {
48881 -- for (x = 0; x < num && image->dx >= 0; x++) {
48882 -+ for (x = 0; x < num && (__s32)image->dx >= 0; x++) {
48883 - info->fbops->fb_imageblit(info, image);
48884 - image->dx -= image->width + 8;
48885 - }
48886 -@@ -406,7 +406,7 @@ static void fb_do_show_logo(struct fb_in
48887 - image->dy += image->height + 8;
48888 - }
48889 - } else if (rotate == FB_ROTATE_CCW) {
48890 -- for (x = 0; x < num && image->dy >= 0; x++) {
48891 -+ for (x = 0; x < num && (__s32)image->dy >= 0; x++) {
48892 - info->fbops->fb_imageblit(info, image);
48893 - image->dy -= image->height + 8;
48894 - }
48895 -@@ -1057,9 +1057,9 @@ fb_ioctl(struct inode *inode, struct fil
48896 - case FBIOPUT_CON2FBMAP:
48897 - if (copy_from_user(&con2fb, argp, sizeof(con2fb)))
48898 - return - EFAULT;
48899 -- if (con2fb.console < 0 || con2fb.console > MAX_NR_CONSOLES)
48900 -+ if (con2fb.console > MAX_NR_CONSOLES)
48901 - return -EINVAL;
48902 -- if (con2fb.framebuffer < 0 || con2fb.framebuffer >= FB_MAX)
48903 -+ if (con2fb.framebuffer >= FB_MAX)
48904 - return -EINVAL;
48905 - #ifdef CONFIG_KMOD
48906 - if (!registered_fb[con2fb.framebuffer])
48907 -diff -Nurp linux-2.6.23.15/drivers/video/fbmon.c linux-2.6.23.15-grsec/drivers/video/fbmon.c
48908 ---- linux-2.6.23.15/drivers/video/fbmon.c 2007-10-09 21:31:38.000000000 +0100
48909 -+++ linux-2.6.23.15-grsec/drivers/video/fbmon.c 2008-02-11 10:37:44.000000000 +0000
48910 -@@ -45,7 +45,7 @@
48911 - #ifdef DEBUG
48912 - #define DPRINTK(fmt, args...) printk(fmt,## args)
48913 - #else
48914 --#define DPRINTK(fmt, args...)
48915 -+#define DPRINTK(fmt, args...) do {} while (0)
48916 - #endif
48917 -
48918 - #define FBMON_FIX_HEADER 1
48919 -diff -Nurp linux-2.6.23.15/drivers/video/i810/i810_accel.c linux-2.6.23.15-grsec/drivers/video/i810/i810_accel.c
48920 ---- linux-2.6.23.15/drivers/video/i810/i810_accel.c 2007-10-09 21:31:38.000000000 +0100
48921 -+++ linux-2.6.23.15-grsec/drivers/video/i810/i810_accel.c 2008-02-11 10:37:44.000000000 +0000
48922 -@@ -73,6 +73,7 @@ static inline int wait_for_space(struct
48923 - }
48924 - }
48925 - printk("ringbuffer lockup!!!\n");
48926 -+ printk("head:%u tail:%u iring.size:%u space:%u\n", head, tail, par->iring.size, space);
48927 - i810_report_error(mmio);
48928 - par->dev_flags |= LOCKUP;
48929 - info->pixmap.scan_align = 1;
48930 -diff -Nurp linux-2.6.23.15/drivers/video/i810/i810_main.c linux-2.6.23.15-grsec/drivers/video/i810/i810_main.c
48931 ---- linux-2.6.23.15/drivers/video/i810/i810_main.c 2007-10-09 21:31:38.000000000 +0100
48932 -+++ linux-2.6.23.15-grsec/drivers/video/i810/i810_main.c 2008-02-11 10:37:44.000000000 +0000
48933 -@@ -120,7 +120,7 @@ static struct pci_device_id i810fb_pci_t
48934 - PCI_ANY_ID, PCI_ANY_ID, 0, 0, 4 },
48935 - { PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_82815_CGC,
48936 - PCI_ANY_ID, PCI_ANY_ID, 0, 0, 5 },
48937 -- { 0 },
48938 -+ { 0, 0, 0, 0, 0, 0, 0 },
48939 - };
48940 -
48941 - static struct pci_driver i810fb_driver = {
48942 -@@ -1509,7 +1509,7 @@ static int i810fb_cursor(struct fb_info
48943 - int size = ((cursor->image.width + 7) >> 3) *
48944 - cursor->image.height;
48945 - int i;
48946 -- u8 *data = kmalloc(64 * 8, GFP_ATOMIC);
48947 -+ u8 *data = kmalloc(64 * 8, GFP_KERNEL);
48948 -
48949 - if (data == NULL)
48950 - return -ENOMEM;
48951 -diff -Nurp linux-2.6.23.15/drivers/video/modedb.c linux-2.6.23.15-grsec/drivers/video/modedb.c
48952 ---- linux-2.6.23.15/drivers/video/modedb.c 2007-10-09 21:31:38.000000000 +0100
48953 -+++ linux-2.6.23.15-grsec/drivers/video/modedb.c 2008-02-11 10:37:44.000000000 +0000
48954 -@@ -37,228 +37,228 @@ static const struct fb_videomode modedb[
48955 - {
48956 - /* 640x400 @ 70 Hz, 31.5 kHz hsync */
48957 - NULL, 70, 640, 400, 39721, 40, 24, 39, 9, 96, 2,
48958 -- 0, FB_VMODE_NONINTERLACED
48959 -+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
48960 - }, {
48961 - /* 640x480 @ 60 Hz, 31.5 kHz hsync */
48962 - NULL, 60, 640, 480, 39721, 40, 24, 32, 11, 96, 2,
48963 -- 0, FB_VMODE_NONINTERLACED
48964 -+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
48965 - }, {
48966 - /* 800x600 @ 56 Hz, 35.15 kHz hsync */
48967 - NULL, 56, 800, 600, 27777, 128, 24, 22, 1, 72, 2,
48968 -- 0, FB_VMODE_NONINTERLACED
48969 -+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
48970 - }, {
48971 - /* 1024x768 @ 87 Hz interlaced, 35.5 kHz hsync */
48972 - NULL, 87, 1024, 768, 22271, 56, 24, 33, 8, 160, 8,
48973 -- 0, FB_VMODE_INTERLACED
48974 -+ 0, FB_VMODE_INTERLACED, FB_MODE_IS_UNKNOWN
48975 - }, {
48976 - /* 640x400 @ 85 Hz, 37.86 kHz hsync */
48977 - NULL, 85, 640, 400, 31746, 96, 32, 41, 1, 64, 3,
48978 -- FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
48979 -+ FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
48980 - }, {
48981 - /* 640x480 @ 72 Hz, 36.5 kHz hsync */
48982 - NULL, 72, 640, 480, 31746, 144, 40, 30, 8, 40, 3,
48983 -- 0, FB_VMODE_NONINTERLACED
48984 -+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
48985 - }, {
48986 - /* 640x480 @ 75 Hz, 37.50 kHz hsync */
48987 - NULL, 75, 640, 480, 31746, 120, 16, 16, 1, 64, 3,
48988 -- 0, FB_VMODE_NONINTERLACED
48989 -+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
48990 - }, {
48991 - /* 800x600 @ 60 Hz, 37.8 kHz hsync */
48992 - NULL, 60, 800, 600, 25000, 88, 40, 23, 1, 128, 4,
48993 -- FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
48994 -+ FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
48995 - }, {
48996 - /* 640x480 @ 85 Hz, 43.27 kHz hsync */
48997 - NULL, 85, 640, 480, 27777, 80, 56, 25, 1, 56, 3,
48998 -- 0, FB_VMODE_NONINTERLACED
48999 -+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
49000 - }, {
49001 - /* 1152x864 @ 89 Hz interlaced, 44 kHz hsync */
49002 - NULL, 69, 1152, 864, 15384, 96, 16, 110, 1, 216, 10,
49003 -- 0, FB_VMODE_INTERLACED
49004 -+ 0, FB_VMODE_INTERLACED, FB_MODE_IS_UNKNOWN
49005 - }, {
49006 - /* 800x600 @ 72 Hz, 48.0 kHz hsync */
49007 - NULL, 72, 800, 600, 20000, 64, 56, 23, 37, 120, 6,
49008 -- FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
49009 -+ FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
49010 - }, {
49011 - /* 1024x768 @ 60 Hz, 48.4 kHz hsync */
49012 - NULL, 60, 1024, 768, 15384, 168, 8, 29, 3, 144, 6,
49013 -- 0, FB_VMODE_NONINTERLACED
49014 -+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
49015 - }, {
49016 - /* 640x480 @ 100 Hz, 53.01 kHz hsync */
49017 - NULL, 100, 640, 480, 21834, 96, 32, 36, 8, 96, 6,
49018 -- 0, FB_VMODE_NONINTERLACED
49019 -+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
49020 - }, {
49021 - /* 1152x864 @ 60 Hz, 53.5 kHz hsync */
49022 - NULL, 60, 1152, 864, 11123, 208, 64, 16, 4, 256, 8,
49023 -- 0, FB_VMODE_NONINTERLACED
49024 -+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
49025 - }, {
49026 - /* 800x600 @ 85 Hz, 55.84 kHz hsync */
49027 - NULL, 85, 800, 600, 16460, 160, 64, 36, 16, 64, 5,
49028 -- 0, FB_VMODE_NONINTERLACED
49029 -+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
49030 - }, {
49031 - /* 1024x768 @ 70 Hz, 56.5 kHz hsync */
49032 - NULL, 70, 1024, 768, 13333, 144, 24, 29, 3, 136, 6,
49033 -- 0, FB_VMODE_NONINTERLACED
49034 -+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
49035 - }, {
49036 - /* 1280x1024 @ 87 Hz interlaced, 51 kHz hsync */
49037 - NULL, 87, 1280, 1024, 12500, 56, 16, 128, 1, 216, 12,
49038 -- 0, FB_VMODE_INTERLACED
49039 -+ 0, FB_VMODE_INTERLACED, FB_MODE_IS_UNKNOWN
49040 - }, {
49041 - /* 800x600 @ 100 Hz, 64.02 kHz hsync */
49042 - NULL, 100, 800, 600, 14357, 160, 64, 30, 4, 64, 6,
49043 -- 0, FB_VMODE_NONINTERLACED
49044 -+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
49045 - }, {
49046 - /* 1024x768 @ 76 Hz, 62.5 kHz hsync */
49047 - NULL, 76, 1024, 768, 11764, 208, 8, 36, 16, 120, 3,
49048 -- 0, FB_VMODE_NONINTERLACED
49049 -+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
49050 - }, {
49051 - /* 1152x864 @ 70 Hz, 62.4 kHz hsync */
49052 - NULL, 70, 1152, 864, 10869, 106, 56, 20, 1, 160, 10,
49053 -- 0, FB_VMODE_NONINTERLACED
49054 -+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
49055 - }, {
49056 - /* 1280x1024 @ 61 Hz, 64.2 kHz hsync */
49057 - NULL, 61, 1280, 1024, 9090, 200, 48, 26, 1, 184, 3,
49058 -- 0, FB_VMODE_NONINTERLACED
49059 -+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
49060 - }, {
49061 - /* 1400x1050 @ 60Hz, 63.9 kHz hsync */
49062 - NULL, 68, 1400, 1050, 9259, 136, 40, 13, 1, 112, 3,
49063 -- 0, FB_VMODE_NONINTERLACED
49064 -+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
49065 - }, {
49066 - /* 1400x1050 @ 75,107 Hz, 82,392 kHz +hsync +vsync*/
49067 - NULL, 75, 1400, 1050, 9271, 120, 56, 13, 0, 112, 3,
49068 -- FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
49069 -+ FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
49070 - }, {
49071 - /* 1400x1050 @ 60 Hz, ? kHz +hsync +vsync*/
49072 - NULL, 60, 1400, 1050, 9259, 128, 40, 12, 0, 112, 3,
49073 -- FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
49074 -+ FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
49075 - }, {
49076 - /* 1024x768 @ 85 Hz, 70.24 kHz hsync */
49077 - NULL, 85, 1024, 768, 10111, 192, 32, 34, 14, 160, 6,
49078 -- 0, FB_VMODE_NONINTERLACED
49079 -+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
49080 - }, {
49081 - /* 1152x864 @ 78 Hz, 70.8 kHz hsync */
49082 - NULL, 78, 1152, 864, 9090, 228, 88, 32, 0, 84, 12,
49083 -- 0, FB_VMODE_NONINTERLACED
49084 -+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
49085 - }, {
49086 - /* 1280x1024 @ 70 Hz, 74.59 kHz hsync */
49087 - NULL, 70, 1280, 1024, 7905, 224, 32, 28, 8, 160, 8,
49088 -- 0, FB_VMODE_NONINTERLACED
49089 -+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
49090 - }, {
49091 - /* 1600x1200 @ 60Hz, 75.00 kHz hsync */
49092 - NULL, 60, 1600, 1200, 6172, 304, 64, 46, 1, 192, 3,
49093 -- FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
49094 -+ FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
49095 - }, {
49096 - /* 1152x864 @ 84 Hz, 76.0 kHz hsync */
49097 - NULL, 84, 1152, 864, 7407, 184, 312, 32, 0, 128, 12,
49098 -- 0, FB_VMODE_NONINTERLACED
49099 -+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
49100 - }, {
49101 - /* 1280x1024 @ 74 Hz, 78.85 kHz hsync */
49102 - NULL, 74, 1280, 1024, 7407, 256, 32, 34, 3, 144, 3,
49103 -- 0, FB_VMODE_NONINTERLACED
49104 -+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
49105 - }, {
49106 - /* 1024x768 @ 100Hz, 80.21 kHz hsync */
49107 - NULL, 100, 1024, 768, 8658, 192, 32, 21, 3, 192, 10,
49108 -- 0, FB_VMODE_NONINTERLACED
49109 -+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
49110 - }, {
49111 - /* 1280x1024 @ 76 Hz, 81.13 kHz hsync */
49112 - NULL, 76, 1280, 1024, 7407, 248, 32, 34, 3, 104, 3,
49113 -- 0, FB_VMODE_NONINTERLACED
49114 -+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
49115 - }, {
49116 - /* 1600x1200 @ 70 Hz, 87.50 kHz hsync */
49117 - NULL, 70, 1600, 1200, 5291, 304, 64, 46, 1, 192, 3,
49118 -- 0, FB_VMODE_NONINTERLACED
49119 -+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
49120 - }, {
49121 - /* 1152x864 @ 100 Hz, 89.62 kHz hsync */
49122 - NULL, 100, 1152, 864, 7264, 224, 32, 17, 2, 128, 19,
49123 -- 0, FB_VMODE_NONINTERLACED
49124 -+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
49125 - }, {
49126 - /* 1280x1024 @ 85 Hz, 91.15 kHz hsync */
49127 - NULL, 85, 1280, 1024, 6349, 224, 64, 44, 1, 160, 3,
49128 -- FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
49129 -+ FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
49130 - }, {
49131 - /* 1600x1200 @ 75 Hz, 93.75 kHz hsync */
49132 - NULL, 75, 1600, 1200, 4938, 304, 64, 46, 1, 192, 3,
49133 -- FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
49134 -+ FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
49135 - }, {
49136 - /* 1680x1050 @ 60 Hz, 65.191 kHz hsync */
49137 - NULL, 60, 1680, 1050, 6848, 280, 104, 30, 3, 176, 6,
49138 -- FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
49139 -+ FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
49140 - }, {
49141 - /* 1600x1200 @ 85 Hz, 105.77 kHz hsync */
49142 - NULL, 85, 1600, 1200, 4545, 272, 16, 37, 4, 192, 3,
49143 -- FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
49144 -+ FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
49145 - }, {
49146 - /* 1280x1024 @ 100 Hz, 107.16 kHz hsync */
49147 - NULL, 100, 1280, 1024, 5502, 256, 32, 26, 7, 128, 15,
49148 -- 0, FB_VMODE_NONINTERLACED
49149 -+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
49150 - }, {
49151 - /* 1800x1440 @ 64Hz, 96.15 kHz hsync */
49152 - NULL, 64, 1800, 1440, 4347, 304, 96, 46, 1, 192, 3,
49153 -- FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
49154 -+ FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
49155 - }, {
49156 - /* 1800x1440 @ 70Hz, 104.52 kHz hsync */
49157 - NULL, 70, 1800, 1440, 4000, 304, 96, 46, 1, 192, 3,
49158 -- FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
49159 -+ FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
49160 - }, {
49161 - /* 512x384 @ 78 Hz, 31.50 kHz hsync */
49162 - NULL, 78, 512, 384, 49603, 48, 16, 16, 1, 64, 3,
49163 -- 0, FB_VMODE_NONINTERLACED
49164 -+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
49165 - }, {
49166 - /* 512x384 @ 85 Hz, 34.38 kHz hsync */
49167 - NULL, 85, 512, 384, 45454, 48, 16, 16, 1, 64, 3,
49168 -- 0, FB_VMODE_NONINTERLACED
49169 -+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
49170 - }, {
49171 - /* 320x200 @ 70 Hz, 31.5 kHz hsync, 8:5 aspect ratio */
49172 - NULL, 70, 320, 200, 79440, 16, 16, 20, 4, 48, 1,
49173 -- 0, FB_VMODE_DOUBLE
49174 -+ 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
49175 - }, {
49176 - /* 320x240 @ 60 Hz, 31.5 kHz hsync, 4:3 aspect ratio */
49177 - NULL, 60, 320, 240, 79440, 16, 16, 16, 5, 48, 1,
49178 -- 0, FB_VMODE_DOUBLE
49179 -+ 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
49180 - }, {
49181 - /* 320x240 @ 72 Hz, 36.5 kHz hsync */
49182 - NULL, 72, 320, 240, 63492, 16, 16, 16, 4, 48, 2,
49183 -- 0, FB_VMODE_DOUBLE
49184 -+ 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
49185 - }, {
49186 - /* 400x300 @ 56 Hz, 35.2 kHz hsync, 4:3 aspect ratio */
49187 - NULL, 56, 400, 300, 55555, 64, 16, 10, 1, 32, 1,
49188 -- 0, FB_VMODE_DOUBLE
49189 -+ 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
49190 - }, {
49191 - /* 400x300 @ 60 Hz, 37.8 kHz hsync */
49192 - NULL, 60, 400, 300, 50000, 48, 16, 11, 1, 64, 2,
49193 -- 0, FB_VMODE_DOUBLE
49194 -+ 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
49195 - }, {
49196 - /* 400x300 @ 72 Hz, 48.0 kHz hsync */
49197 - NULL, 72, 400, 300, 40000, 32, 24, 11, 19, 64, 3,
49198 -- 0, FB_VMODE_DOUBLE
49199 -+ 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
49200 - }, {
49201 - /* 480x300 @ 56 Hz, 35.2 kHz hsync, 8:5 aspect ratio */
49202 - NULL, 56, 480, 300, 46176, 80, 16, 10, 1, 40, 1,
49203 -- 0, FB_VMODE_DOUBLE
49204 -+ 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
49205 - }, {
49206 - /* 480x300 @ 60 Hz, 37.8 kHz hsync */
49207 - NULL, 60, 480, 300, 41858, 56, 16, 11, 1, 80, 2,
49208 -- 0, FB_VMODE_DOUBLE
49209 -+ 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
49210 - }, {
49211 - /* 480x300 @ 63 Hz, 39.6 kHz hsync */
49212 - NULL, 63, 480, 300, 40000, 56, 16, 11, 1, 80, 2,
49213 -- 0, FB_VMODE_DOUBLE
49214 -+ 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
49215 - }, {
49216 - /* 480x300 @ 72 Hz, 48.0 kHz hsync */
49217 - NULL, 72, 480, 300, 33386, 40, 24, 11, 19, 80, 3,
49218 -- 0, FB_VMODE_DOUBLE
49219 -+ 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
49220 - }, {
49221 - /* 1920x1200 @ 60 Hz, 74.5 Khz hsync */
49222 - NULL, 60, 1920, 1200, 5177, 128, 336, 1, 38, 208, 3,
49223 - FB_SYNC_HOR_HIGH_ACT | FB_SYNC_VERT_HIGH_ACT,
49224 -- FB_VMODE_NONINTERLACED
49225 -+ FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
49226 - }, {
49227 - /* 1152x768, 60 Hz, PowerBook G4 Titanium I and II */
49228 - NULL, 60, 1152, 768, 15386, 158, 26, 29, 3, 136, 6,
49229 -- FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
49230 -+ FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
49231 - }, {
49232 - /* 1366x768, 60 Hz, 47.403 kHz hsync, WXGA 16:9 aspect ratio */
49233 - NULL, 60, 1366, 768, 13806, 120, 10, 14, 3, 32, 5,
49234 -- 0, FB_VMODE_NONINTERLACED
49235 -+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
49236 - },
49237 - };
49238 -
49239 -diff -Nurp linux-2.6.23.15/drivers/video/vesafb.c linux-2.6.23.15-grsec/drivers/video/vesafb.c
49240 ---- linux-2.6.23.15/drivers/video/vesafb.c 2007-10-09 21:31:38.000000000 +0100
49241 -+++ linux-2.6.23.15-grsec/drivers/video/vesafb.c 2008-02-11 10:37:44.000000000 +0000
49242 -@@ -9,6 +9,7 @@
49243 - */
49244 -
49245 - #include <linux/module.h>
49246 -+#include <linux/moduleloader.h>
49247 - #include <linux/kernel.h>
49248 - #include <linux/errno.h>
49249 - #include <linux/string.h>
49250 -@@ -224,6 +225,7 @@ static int __init vesafb_probe(struct pl
49251 - unsigned int size_vmode;
49252 - unsigned int size_remap;
49253 - unsigned int size_total;
49254 -+ void *pmi_code = NULL;
49255 -
49256 - if (screen_info.orig_video_isVGA != VIDEO_TYPE_VLFB)
49257 - return -ENODEV;
49258 -@@ -266,10 +268,6 @@ static int __init vesafb_probe(struct pl
49259 - size_remap = size_total;
49260 - vesafb_fix.smem_len = size_remap;
49261 -
49262 --#ifndef __i386__
49263 -- screen_info.vesapm_seg = 0;
49264 --#endif
49265 --
49266 - if (!request_mem_region(vesafb_fix.smem_start, size_total, "vesafb")) {
49267 - printk(KERN_WARNING
49268 - "vesafb: cannot reserve video memory at 0x%lx\n",
49269 -@@ -302,9 +300,21 @@ static int __init vesafb_probe(struct pl
49270 - printk(KERN_INFO "vesafb: mode is %dx%dx%d, linelength=%d, pages=%d\n",
49271 - vesafb_defined.xres, vesafb_defined.yres, vesafb_defined.bits_per_pixel, vesafb_fix.line_length, screen_info.pages);
49272 -
49273 -+#ifdef __i386__
49274 -+
49275 -+#ifdef CONFIG_PAX_KERNEXEC
49276 -+ pmi_code = module_alloc_exec(screen_info.vesapm_size);
49277 -+ if (!pmi_code)
49278 -+#else
49279 -+ if (0)
49280 -+#endif
49281 -+
49282 -+#endif
49283 -+ screen_info.vesapm_seg = 0;
49284 -+
49285 - if (screen_info.vesapm_seg) {
49286 -- printk(KERN_INFO "vesafb: protected mode interface info at %04x:%04x\n",
49287 -- screen_info.vesapm_seg,screen_info.vesapm_off);
49288 -+ printk(KERN_INFO "vesafb: protected mode interface info at %04x:%04x %04x bytes\n",
49289 -+ screen_info.vesapm_seg,screen_info.vesapm_off,screen_info.vesapm_size);
49290 - }
49291 -
49292 - if (screen_info.vesapm_seg < 0xc000)
49293 -@@ -312,9 +322,29 @@ static int __init vesafb_probe(struct pl
49294 -
49295 - if (ypan || pmi_setpal) {
49296 - unsigned short *pmi_base;
49297 -- pmi_base = (unsigned short*)phys_to_virt(((unsigned long)screen_info.vesapm_seg << 4) + screen_info.vesapm_off);
49298 -- pmi_start = (void*)((char*)pmi_base + pmi_base[1]);
49299 -- pmi_pal = (void*)((char*)pmi_base + pmi_base[2]);
49300 -+
49301 -+#ifdef CONFIG_PAX_KERNEXEC
49302 -+ unsigned long cr0;
49303 -+#endif
49304 -+
49305 -+ pmi_base = (unsigned short*)phys_to_virt(((unsigned long)screen_info.vesapm_seg << 4) + screen_info.vesapm_off);
49306 -+
49307 -+#ifdef CONFIG_PAX_KERNEXEC
49308 -+ pax_open_kernel(cr0);
49309 -+ memcpy(pmi_code, pmi_base, screen_info.vesapm_size);
49310 -+ pax_close_kernel(cr0);
49311 -+#else
49312 -+ pmi_code = pmi_base;
49313 -+#endif
49314 -+
49315 -+ pmi_start = (void*)((char*)pmi_code + pmi_base[1]);
49316 -+ pmi_pal = (void*)((char*)pmi_code + pmi_base[2]);
49317 -+
49318 -+#ifdef CONFIG_PAX_KERNEXEC
49319 -+ pmi_start -= __KERNEL_TEXT_OFFSET;
49320 -+ pmi_pal -= __KERNEL_TEXT_OFFSET;
49321 -+#endif
49322 -+
49323 - printk(KERN_INFO "vesafb: pmi: set display start = %p, set palette = %p\n",pmi_start,pmi_pal);
49324 - if (pmi_base[3]) {
49325 - printk(KERN_INFO "vesafb: pmi: ports = ");
49326 -@@ -456,6 +486,11 @@ static int __init vesafb_probe(struct pl
49327 - info->node, info->fix.id);
49328 - return 0;
49329 - err:
49330 -+
49331 -+#ifdef CONFIG_PAX_KERNEXEC
49332 -+ module_free_exec(NULL, pmi_code);
49333 -+#endif
49334 -+
49335 - if (info->screen_base)
49336 - iounmap(info->screen_base);
49337 - framebuffer_release(info);
49338 -diff -Nurp linux-2.6.23.15/fs/Kconfig linux-2.6.23.15-grsec/fs/Kconfig
49339 ---- linux-2.6.23.15/fs/Kconfig 2007-10-09 21:31:38.000000000 +0100
49340 -+++ linux-2.6.23.15-grsec/fs/Kconfig 2008-02-11 10:37:44.000000000 +0000
49341 -@@ -909,7 +909,7 @@ config PROC_FS
49342 -
49343 - config PROC_KCORE
49344 - bool "/proc/kcore support" if !ARM
49345 -- depends on PROC_FS && MMU
49346 -+ depends on PROC_FS && MMU && !GRKERNSEC_PROC_ADD
49347 -
49348 - config PROC_VMCORE
49349 - bool "/proc/vmcore support (EXPERIMENTAL)"
49350 -diff -Nurp linux-2.6.23.15/fs/binfmt_aout.c linux-2.6.23.15-grsec/fs/binfmt_aout.c
49351 ---- linux-2.6.23.15/fs/binfmt_aout.c 2007-10-09 21:31:38.000000000 +0100
49352 -+++ linux-2.6.23.15-grsec/fs/binfmt_aout.c 2008-02-11 10:37:44.000000000 +0000
49353 -@@ -24,6 +24,7 @@
49354 - #include <linux/binfmts.h>
49355 - #include <linux/personality.h>
49356 - #include <linux/init.h>
49357 -+#include <linux/grsecurity.h>
49358 -
49359 - #include <asm/system.h>
49360 - #include <asm/uaccess.h>
49361 -@@ -123,10 +124,12 @@ static int aout_core_dump(long signr, st
49362 - /* If the size of the dump file exceeds the rlimit, then see what would happen
49363 - if we wrote the stack, but not the data area. */
49364 - #ifdef __sparc__
49365 -+ gr_learn_resource(current, RLIMIT_CORE, dump.u_dsize+dump.u_ssize, 1);
49366 - if ((dump.u_dsize+dump.u_ssize) >
49367 - current->signal->rlim[RLIMIT_CORE].rlim_cur)
49368 - dump.u_dsize = 0;
49369 - #else
49370 -+ gr_learn_resource(current, RLIMIT_CORE, (dump.u_dsize+dump.u_ssize+1) * PAGE_SIZE, 1);
49371 - if ((dump.u_dsize+dump.u_ssize+1) * PAGE_SIZE >
49372 - current->signal->rlim[RLIMIT_CORE].rlim_cur)
49373 - dump.u_dsize = 0;
49374 -@@ -134,10 +137,12 @@ static int aout_core_dump(long signr, st
49375 -
49376 - /* Make sure we have enough room to write the stack and data areas. */
49377 - #ifdef __sparc__
49378 -+ gr_learn_resource(current, RLIMIT_CORE, dump.u_ssize, 1);
49379 - if ((dump.u_ssize) >
49380 - current->signal->rlim[RLIMIT_CORE].rlim_cur)
49381 - dump.u_ssize = 0;
49382 - #else
49383 -+ gr_learn_resource(current, RLIMIT_CORE, (dump.u_ssize+1) * PAGE_SIZE, 1);
49384 - if ((dump.u_ssize+1) * PAGE_SIZE >
49385 - current->signal->rlim[RLIMIT_CORE].rlim_cur)
49386 - dump.u_ssize = 0;
49387 -@@ -294,6 +299,8 @@ static int load_aout_binary(struct linux
49388 - rlim = current->signal->rlim[RLIMIT_DATA].rlim_cur;
49389 - if (rlim >= RLIM_INFINITY)
49390 - rlim = ~0;
49391 -+
49392 -+ gr_learn_resource(current, RLIMIT_DATA, ex.a_data + ex.a_bss, 1);
49393 - if (ex.a_data + ex.a_bss > rlim)
49394 - return -ENOMEM;
49395 -
49396 -@@ -326,6 +333,28 @@ static int load_aout_binary(struct linux
49397 - current->mm->mmap = NULL;
49398 - compute_creds(bprm);
49399 - current->flags &= ~PF_FORKNOEXEC;
49400 -+
49401 -+#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
49402 -+ current->mm->pax_flags = 0UL;
49403 -+#endif
49404 -+
49405 -+#ifdef CONFIG_PAX_PAGEEXEC
49406 -+ if (!(N_FLAGS(ex) & F_PAX_PAGEEXEC)) {
49407 -+ current->mm->pax_flags |= MF_PAX_PAGEEXEC;
49408 -+
49409 -+#ifdef CONFIG_PAX_EMUTRAMP
49410 -+ if (N_FLAGS(ex) & F_PAX_EMUTRAMP)
49411 -+ current->mm->pax_flags |= MF_PAX_EMUTRAMP;
49412 -+#endif
49413 -+
49414 -+#ifdef CONFIG_PAX_MPROTECT
49415 -+ if (!(N_FLAGS(ex) & F_PAX_MPROTECT))
49416 -+ current->mm->pax_flags |= MF_PAX_MPROTECT;
49417 -+#endif
49418 -+
49419 -+ }
49420 -+#endif
49421 -+
49422 - #ifdef __sparc__
49423 - if (N_MAGIC(ex) == NMAGIC) {
49424 - loff_t pos = fd_offset;
49425 -@@ -421,7 +450,7 @@ static int load_aout_binary(struct linux
49426 -
49427 - down_write(&current->mm->mmap_sem);
49428 - error = do_mmap(bprm->file, N_DATADDR(ex), ex.a_data,
49429 -- PROT_READ | PROT_WRITE | PROT_EXEC,
49430 -+ PROT_READ | PROT_WRITE,
49431 - MAP_FIXED | MAP_PRIVATE | MAP_DENYWRITE | MAP_EXECUTABLE,
49432 - fd_offset + ex.a_text);
49433 - up_write(&current->mm->mmap_sem);
49434 -diff -Nurp linux-2.6.23.15/fs/binfmt_elf.c linux-2.6.23.15-grsec/fs/binfmt_elf.c
49435 ---- linux-2.6.23.15/fs/binfmt_elf.c 2007-10-09 21:31:38.000000000 +0100
49436 -+++ linux-2.6.23.15-grsec/fs/binfmt_elf.c 2008-02-11 10:37:44.000000000 +0000
49437 -@@ -39,10 +39,21 @@
49438 - #include <linux/random.h>
49439 - #include <linux/elf.h>
49440 - #include <linux/utsname.h>
49441 -+#include <linux/grsecurity.h>
49442 -+
49443 - #include <asm/uaccess.h>
49444 - #include <asm/param.h>
49445 - #include <asm/page.h>
49446 -
49447 -+#ifdef CONFIG_PAX_SEGMEXEC
49448 -+#include <asm/desc.h>
49449 -+#endif
49450 -+
49451 -+#ifdef CONFIG_PAX_HOOK_ACL_FLAGS
49452 -+void (*pax_set_initial_flags_func)(struct linux_binprm *bprm);
49453 -+EXPORT_SYMBOL(pax_set_initial_flags_func);
49454 -+#endif
49455 -+
49456 - static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs);
49457 - static int load_elf_library(struct file *);
49458 - static unsigned long elf_map (struct file *, unsigned long, struct elf_phdr *, int, int);
49459 -@@ -84,6 +95,8 @@ static struct linux_binfmt elf_format =
49460 -
49461 - static int set_brk(unsigned long start, unsigned long end)
49462 - {
49463 -+ unsigned long e = end;
49464 -+
49465 - start = ELF_PAGEALIGN(start);
49466 - end = ELF_PAGEALIGN(end);
49467 - if (end > start) {
49468 -@@ -94,7 +107,7 @@ static int set_brk(unsigned long start,
49469 - if (BAD_ADDR(addr))
49470 - return addr;
49471 - }
49472 -- current->mm->start_brk = current->mm->brk = end;
49473 -+ current->mm->start_brk = current->mm->brk = e;
49474 - return 0;
49475 - }
49476 -
49477 -@@ -325,10 +338,9 @@ static unsigned long load_elf_interp(str
49478 - {
49479 - struct elf_phdr *elf_phdata;
49480 - struct elf_phdr *eppnt;
49481 -- unsigned long load_addr = 0;
49482 -- int load_addr_set = 0;
49483 -+ unsigned long load_addr = 0, min_addr, max_addr, task_size = TASK_SIZE;
49484 - unsigned long last_bss = 0, elf_bss = 0;
49485 -- unsigned long error = ~0UL;
49486 -+ unsigned long error = -EINVAL;
49487 - int retval, i, size;
49488 -
49489 - /* First of all, some simple consistency checks */
49490 -@@ -367,66 +379,86 @@ static unsigned long load_elf_interp(str
49491 - goto out_close;
49492 - }
49493 -
49494 -+#ifdef CONFIG_PAX_SEGMEXEC
49495 -+ if (current->mm->pax_flags & MF_PAX_SEGMEXEC)
49496 -+ task_size = SEGMEXEC_TASK_SIZE;
49497 -+#endif
49498 -+
49499 - eppnt = elf_phdata;
49500 -+ min_addr = task_size;
49501 -+ max_addr = 0;
49502 -+ error = -ENOMEM;
49503 -+
49504 - for (i = 0; i < interp_elf_ex->e_phnum; i++, eppnt++) {
49505 -- if (eppnt->p_type == PT_LOAD) {
49506 -- int elf_type = MAP_PRIVATE | MAP_DENYWRITE;
49507 -- int elf_prot = 0;
49508 -- unsigned long vaddr = 0;
49509 -- unsigned long k, map_addr;
49510 --
49511 -- if (eppnt->p_flags & PF_R)
49512 -- elf_prot = PROT_READ;
49513 -- if (eppnt->p_flags & PF_W)
49514 -- elf_prot |= PROT_WRITE;
49515 -- if (eppnt->p_flags & PF_X)
49516 -- elf_prot |= PROT_EXEC;
49517 -- vaddr = eppnt->p_vaddr;
49518 -- if (interp_elf_ex->e_type == ET_EXEC || load_addr_set)
49519 -- elf_type |= MAP_FIXED;
49520 --
49521 -- map_addr = elf_map(interpreter, load_addr + vaddr,
49522 -- eppnt, elf_prot, elf_type);
49523 -- error = map_addr;
49524 -- if (BAD_ADDR(map_addr))
49525 -- goto out_close;
49526 --
49527 -- if (!load_addr_set &&
49528 -- interp_elf_ex->e_type == ET_DYN) {
49529 -- load_addr = map_addr - ELF_PAGESTART(vaddr);
49530 -- load_addr_set = 1;
49531 -- }
49532 -+ if (eppnt->p_type != PT_LOAD)
49533 -+ continue;
49534 -
49535 -- /*
49536 -- * Check to see if the section's size will overflow the
49537 -- * allowed task size. Note that p_filesz must always be
49538 -- * <= p_memsize so it's only necessary to check p_memsz.
49539 -- */
49540 -- k = load_addr + eppnt->p_vaddr;
49541 -- if (BAD_ADDR(k) ||
49542 -- eppnt->p_filesz > eppnt->p_memsz ||
49543 -- eppnt->p_memsz > TASK_SIZE ||
49544 -- TASK_SIZE - eppnt->p_memsz < k) {
49545 -- error = -ENOMEM;
49546 -- goto out_close;
49547 -- }
49548 -+ /*
49549 -+ * Check to see if the section's size will overflow the
49550 -+ * allowed task size. Note that p_filesz must always be
49551 -+ * <= p_memsize so it is only necessary to check p_memsz.
49552 -+ */
49553 -+ if (eppnt->p_filesz > eppnt->p_memsz || eppnt->p_vaddr >= eppnt->p_vaddr + eppnt->p_memsz)
49554 -+ goto out_close;
49555 -
49556 -- /*
49557 -- * Find the end of the file mapping for this phdr, and
49558 -- * keep track of the largest address we see for this.
49559 -- */
49560 -- k = load_addr + eppnt->p_vaddr + eppnt->p_filesz;
49561 -- if (k > elf_bss)
49562 -- elf_bss = k;
49563 -+ if (min_addr > ELF_PAGESTART(eppnt->p_vaddr))
49564 -+ min_addr = ELF_PAGESTART(eppnt->p_vaddr);
49565 -+ if (max_addr < ELF_PAGEALIGN(eppnt->p_vaddr + eppnt->p_memsz))
49566 -+ max_addr = ELF_PAGEALIGN(eppnt->p_vaddr + eppnt->p_memsz);
49567 -+ }
49568 -+ if (min_addr >= max_addr || max_addr > task_size)
49569 -+ goto out_close;
49570 -
49571 -- /*
49572 -- * Do the same thing for the memory mapping - between
49573 -- * elf_bss and last_bss is the bss section.
49574 -- */
49575 -- k = load_addr + eppnt->p_memsz + eppnt->p_vaddr;
49576 -- if (k > last_bss)
49577 -- last_bss = k;
49578 -- }
49579 -+ if (interp_elf_ex->e_type == ET_DYN) {
49580 -+ load_addr = get_unmapped_area(interpreter, 0, max_addr - min_addr, 0, MAP_PRIVATE | MAP_EXECUTABLE);
49581 -+
49582 -+ if (load_addr >= task_size)
49583 -+ goto out_close;
49584 -+
49585 -+ load_addr -= min_addr;
49586 -+ }
49587 -+
49588 -+ eppnt = elf_phdata;
49589 -+ for (i = 0; i < interp_elf_ex->e_phnum; i++, eppnt++) {
49590 -+ int elf_type = MAP_PRIVATE | MAP_DENYWRITE | MAP_FIXED;
49591 -+ int elf_prot = 0;
49592 -+ unsigned long vaddr = 0;
49593 -+ unsigned long k, map_addr;
49594 -+
49595 -+ if (eppnt->p_type != PT_LOAD)
49596 -+ continue;
49597 -+
49598 -+ if (eppnt->p_flags & PF_R)
49599 -+ elf_prot = PROT_READ;
49600 -+ if (eppnt->p_flags & PF_W)
49601 -+ elf_prot |= PROT_WRITE;
49602 -+ if (eppnt->p_flags & PF_X)
49603 -+ elf_prot |= PROT_EXEC;
49604 -+ vaddr = eppnt->p_vaddr;
49605 -+
49606 -+ map_addr = elf_map(interpreter, load_addr + vaddr,
49607 -+ eppnt, elf_prot, elf_type);
49608 -+ error = map_addr;
49609 -+ if (BAD_ADDR(map_addr))
49610 -+ goto out_close;
49611 -+
49612 -+ k = load_addr + eppnt->p_vaddr;
49613 -+
49614 -+ /*
49615 -+ * Find the end of the file mapping for this phdr, and
49616 -+ * keep track of the largest address we see for this.
49617 -+ */
49618 -+ k = load_addr + eppnt->p_vaddr + eppnt->p_filesz;
49619 -+ if (k > elf_bss)
49620 -+ elf_bss = k;
49621 -+
49622 -+ /*
49623 -+ * Do the same thing for the memory mapping - between
49624 -+ * elf_bss and last_bss is the bss section.
49625 -+ */
49626 -+ k = load_addr + eppnt->p_memsz + eppnt->p_vaddr;
49627 -+ if (k > last_bss)
49628 -+ last_bss = k;
49629 - }
49630 -
49631 - /*
49632 -@@ -454,6 +486,8 @@ static unsigned long load_elf_interp(str
49633 -
49634 - *interp_load_addr = load_addr;
49635 - error = ((unsigned long)interp_elf_ex->e_entry) + load_addr;
49636 -+ if (BAD_ADDR(error))
49637 -+ error = -EFAULT;
49638 -
49639 - out_close:
49640 - kfree(elf_phdata);
49641 -@@ -464,7 +498,7 @@ out:
49642 - static unsigned long load_aout_interp(struct exec *interp_ex,
49643 - struct file *interpreter)
49644 - {
49645 -- unsigned long text_data, elf_entry = ~0UL;
49646 -+ unsigned long text_data, elf_entry = -EINVAL;
49647 - char __user * addr;
49648 - loff_t offset;
49649 -
49650 -@@ -507,6 +541,177 @@ out:
49651 - return elf_entry;
49652 - }
49653 -
49654 -+#if (defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)) && defined(CONFIG_PAX_SOFTMODE)
49655 -+static unsigned long pax_parse_softmode(const struct elf_phdr * const elf_phdata)
49656 -+{
49657 -+ unsigned long pax_flags = 0UL;
49658 -+
49659 -+#ifdef CONFIG_PAX_PAGEEXEC
49660 -+ if (elf_phdata->p_flags & PF_PAGEEXEC)
49661 -+ pax_flags |= MF_PAX_PAGEEXEC;
49662 -+#endif
49663 -+
49664 -+#ifdef CONFIG_PAX_SEGMEXEC
49665 -+ if (elf_phdata->p_flags & PF_SEGMEXEC)
49666 -+ pax_flags |= MF_PAX_SEGMEXEC;
49667 -+#endif
49668 -+
49669 -+#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
49670 -+ if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) == (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
49671 -+ if (nx_enabled)
49672 -+ pax_flags &= ~MF_PAX_SEGMEXEC;
49673 -+ else
49674 -+ pax_flags &= ~MF_PAX_PAGEEXEC;
49675 -+ }
49676 -+#endif
49677 -+
49678 -+#ifdef CONFIG_PAX_EMUTRAMP
49679 -+ if (elf_phdata->p_flags & PF_EMUTRAMP)
49680 -+ pax_flags |= MF_PAX_EMUTRAMP;
49681 -+#endif
49682 -+
49683 -+#ifdef CONFIG_PAX_MPROTECT
49684 -+ if (elf_phdata->p_flags & PF_MPROTECT)
49685 -+ pax_flags |= MF_PAX_MPROTECT;
49686 -+#endif
49687 -+
49688 -+#if defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)
49689 -+ if (randomize_va_space && (elf_phdata->p_flags & PF_RANDMMAP))
49690 -+ pax_flags |= MF_PAX_RANDMMAP;
49691 -+#endif
49692 -+
49693 -+ return pax_flags;
49694 -+}
49695 -+#endif
49696 -+
49697 -+#ifdef CONFIG_PAX_PT_PAX_FLAGS
49698 -+static unsigned long pax_parse_hardmode(const struct elf_phdr * const elf_phdata)
49699 -+{
49700 -+ unsigned long pax_flags = 0UL;
49701 -+
49702 -+#ifdef CONFIG_PAX_PAGEEXEC
49703 -+ if (!(elf_phdata->p_flags & PF_NOPAGEEXEC))
49704 -+ pax_flags |= MF_PAX_PAGEEXEC;
49705 -+#endif
49706 -+
49707 -+#ifdef CONFIG_PAX_SEGMEXEC
49708 -+ if (!(elf_phdata->p_flags & PF_NOSEGMEXEC))
49709 -+ pax_flags |= MF_PAX_SEGMEXEC;
49710 -+#endif
49711 -+
49712 -+#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
49713 -+ if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) == (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
49714 -+ if (nx_enabled)
49715 -+ pax_flags &= ~MF_PAX_SEGMEXEC;
49716 -+ else
49717 -+ pax_flags &= ~MF_PAX_PAGEEXEC;
49718 -+ }
49719 -+#endif
49720 -+
49721 -+#ifdef CONFIG_PAX_EMUTRAMP
49722 -+ if (!(elf_phdata->p_flags & PF_NOEMUTRAMP))
49723 -+ pax_flags |= MF_PAX_EMUTRAMP;
49724 -+#endif
49725 -+
49726 -+#ifdef CONFIG_PAX_MPROTECT
49727 -+ if (!(elf_phdata->p_flags & PF_NOMPROTECT))
49728 -+ pax_flags |= MF_PAX_MPROTECT;
49729 -+#endif
49730 -+
49731 -+#if defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)
49732 -+ if (randomize_va_space && !(elf_phdata->p_flags & PF_NORANDMMAP))
49733 -+ pax_flags |= MF_PAX_RANDMMAP;
49734 -+#endif
49735 -+
49736 -+ return pax_flags;
49737 -+}
49738 -+#endif
49739 -+
49740 -+#ifdef CONFIG_PAX_EI_PAX
49741 -+static unsigned long pax_parse_ei_pax(const struct elfhdr * const elf_ex)
49742 -+{
49743 -+ unsigned long pax_flags = 0UL;
49744 -+
49745 -+#ifdef CONFIG_PAX_PAGEEXEC
49746 -+ if (!(elf_ex->e_ident[EI_PAX] & EF_PAX_PAGEEXEC))
49747 -+ pax_flags |= MF_PAX_PAGEEXEC;
49748 -+#endif
49749 -+
49750 -+#ifdef CONFIG_PAX_SEGMEXEC
49751 -+ if (!(elf_ex->e_ident[EI_PAX] & EF_PAX_SEGMEXEC))
49752 -+ pax_flags |= MF_PAX_SEGMEXEC;
49753 -+#endif
49754 -+
49755 -+#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
49756 -+ if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) == (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
49757 -+ if (nx_enabled)
49758 -+ pax_flags &= ~MF_PAX_SEGMEXEC;
49759 -+ else
49760 -+ pax_flags &= ~MF_PAX_PAGEEXEC;
49761 -+ }
49762 -+#endif
49763 -+
49764 -+#ifdef CONFIG_PAX_EMUTRAMP
49765 -+ if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) && (elf_ex->e_ident[EI_PAX] & EF_PAX_EMUTRAMP))
49766 -+ pax_flags |= MF_PAX_EMUTRAMP;
49767 -+#endif
49768 -+
49769 -+#ifdef CONFIG_PAX_MPROTECT
49770 -+ if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) && !(elf_ex->e_ident[EI_PAX] & EF_PAX_MPROTECT))
49771 -+ pax_flags |= MF_PAX_MPROTECT;
49772 -+#endif
49773 -+
49774 -+#ifdef CONFIG_PAX_ASLR
49775 -+ if (randomize_va_space && !(elf_ex->e_ident[EI_PAX] & EF_PAX_RANDMMAP))
49776 -+ pax_flags |= MF_PAX_RANDMMAP;
49777 -+#endif
49778 -+
49779 -+ return pax_flags;
49780 -+}
49781 -+#endif
49782 -+
49783 -+#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)
49784 -+static long pax_parse_elf_flags(const struct elfhdr * const elf_ex, const struct elf_phdr * const elf_phdata)
49785 -+{
49786 -+ unsigned long pax_flags = 0UL;
49787 -+
49788 -+#ifdef CONFIG_PAX_PT_PAX_FLAGS
49789 -+ unsigned long i;
49790 -+#endif
49791 -+
49792 -+#ifdef CONFIG_PAX_EI_PAX
49793 -+ pax_flags = pax_parse_ei_pax(elf_ex);
49794 -+#endif
49795 -+
49796 -+#ifdef CONFIG_PAX_PT_PAX_FLAGS
49797 -+ for (i = 0UL; i < elf_ex->e_phnum; i++)
49798 -+ if (elf_phdata[i].p_type == PT_PAX_FLAGS) {
49799 -+ if (((elf_phdata[i].p_flags & PF_PAGEEXEC) && (elf_phdata[i].p_flags & PF_NOPAGEEXEC)) ||
49800 -+ ((elf_phdata[i].p_flags & PF_SEGMEXEC) && (elf_phdata[i].p_flags & PF_NOSEGMEXEC)) ||
49801 -+ ((elf_phdata[i].p_flags & PF_EMUTRAMP) && (elf_phdata[i].p_flags & PF_NOEMUTRAMP)) ||
49802 -+ ((elf_phdata[i].p_flags & PF_MPROTECT) && (elf_phdata[i].p_flags & PF_NOMPROTECT)) ||
49803 -+ ((elf_phdata[i].p_flags & PF_RANDMMAP) && (elf_phdata[i].p_flags & PF_NORANDMMAP)))
49804 -+ return -EINVAL;
49805 -+
49806 -+#ifdef CONFIG_PAX_SOFTMODE
49807 -+ if (pax_softmode)
49808 -+ pax_flags = pax_parse_softmode(&elf_phdata[i]);
49809 -+ else
49810 -+#endif
49811 -+
49812 -+ pax_flags = pax_parse_hardmode(&elf_phdata[i]);
49813 -+ break;
49814 -+ }
49815 -+#endif
49816 -+
49817 -+ if (0 > pax_check_flags(&pax_flags))
49818 -+ return -EINVAL;
49819 -+
49820 -+ current->mm->pax_flags = pax_flags;
49821 -+ return 0;
49822 -+}
49823 -+#endif
49824 -+
49825 - /*
49826 - * These are the functions used to load ELF style executables and shared
49827 - * libraries. There is no binary dependent code anywhere else.
49828 -@@ -544,7 +749,7 @@ static int load_elf_binary(struct linux_
49829 - char * elf_interpreter = NULL;
49830 - unsigned int interpreter_type = INTERPRETER_NONE;
49831 - unsigned char ibcs2_interpreter = 0;
49832 -- unsigned long error;
49833 -+ unsigned long error = 0;
49834 - struct elf_phdr *elf_ppnt, *elf_phdata;
49835 - unsigned long elf_bss, elf_brk;
49836 - int elf_exec_fileno;
49837 -@@ -556,12 +761,12 @@ static int load_elf_binary(struct linux_
49838 - char passed_fileno[6];
49839 - struct files_struct *files;
49840 - int executable_stack = EXSTACK_DEFAULT;
49841 -- unsigned long def_flags = 0;
49842 - struct {
49843 - struct elfhdr elf_ex;
49844 - struct elfhdr interp_elf_ex;
49845 - struct exec interp_ex;
49846 - } *loc;
49847 -+ unsigned long task_size = TASK_SIZE;
49848 -
49849 - loc = kmalloc(sizeof(*loc), GFP_KERNEL);
49850 - if (!loc) {
49851 -@@ -788,14 +993,89 @@ static int load_elf_binary(struct linux_
49852 -
49853 - /* OK, This is the point of no return */
49854 - current->flags &= ~PF_FORKNOEXEC;
49855 -- current->mm->def_flags = def_flags;
49856 -+
49857 -+#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
49858 -+ current->mm->pax_flags = 0UL;
49859 -+#endif
49860 -+
49861 -+#ifdef CONFIG_PAX_DLRESOLVE
49862 -+ current->mm->call_dl_resolve = 0UL;
49863 -+#endif
49864 -+
49865 -+#if defined(CONFIG_PPC32) && defined(CONFIG_PAX_EMUSIGRT)
49866 -+ current->mm->call_syscall = 0UL;
49867 -+#endif
49868 -+
49869 -+#ifdef CONFIG_PAX_ASLR
49870 -+ current->mm->delta_mmap = 0UL;
49871 -+ current->mm->delta_stack = 0UL;
49872 -+#endif
49873 -+
49874 -+ current->mm->def_flags = 0;
49875 -+
49876 -+#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)
49877 -+ if (0 > pax_parse_elf_flags(&loc->elf_ex, elf_phdata)) {
49878 -+ send_sig(SIGKILL, current, 0);
49879 -+ goto out_free_dentry;
49880 -+ }
49881 -+#endif
49882 -+
49883 -+#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
49884 -+ pax_set_initial_flags(bprm);
49885 -+#elif defined(CONFIG_PAX_HOOK_ACL_FLAGS)
49886 -+ if (pax_set_initial_flags_func)
49887 -+ (pax_set_initial_flags_func)(bprm);
49888 -+#endif
49889 -+
49890 -+#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
49891 -+ if ((current->mm->pax_flags & MF_PAX_PAGEEXEC) && !nx_enabled) {
49892 -+ current->mm->context.user_cs_limit = PAGE_SIZE;
49893 -+ current->mm->def_flags |= VM_PAGEEXEC;
49894 -+ }
49895 -+#endif
49896 -+
49897 -+#ifdef CONFIG_PAX_SEGMEXEC
49898 -+ if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
49899 -+ current->mm->context.user_cs_base = SEGMEXEC_TASK_SIZE;
49900 -+ current->mm->context.user_cs_limit = TASK_SIZE-SEGMEXEC_TASK_SIZE;
49901 -+ task_size = SEGMEXEC_TASK_SIZE;
49902 -+ }
49903 -+#endif
49904 -+
49905 -+#if defined(CONFIG_ARCH_TRACK_EXEC_LIMIT) || defined(CONFIG_PAX_SEGMEXEC)
49906 -+ if (current->mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
49907 -+ set_user_cs(current->mm->context.user_cs_base, current->mm->context.user_cs_limit, get_cpu());
49908 -+ put_cpu_no_resched();
49909 -+ }
49910 -+#endif
49911 -+
49912 -+#ifdef CONFIG_PAX_ASLR
49913 -+ if (current->mm->pax_flags & MF_PAX_RANDMMAP) {
49914 -+ current->mm->delta_mmap = (pax_get_random_long() & ((1UL << PAX_DELTA_MMAP_LEN)-1)) << PAGE_SHIFT;
49915 -+ current->mm->delta_stack = (pax_get_random_long() & ((1UL << PAX_DELTA_STACK_LEN)-1)) << PAGE_SHIFT;
49916 -+ }
49917 -+#endif
49918 -+
49919 -+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
49920 -+ if (current->mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC))
49921 -+ executable_stack = EXSTACK_DEFAULT;
49922 -+#endif
49923 -
49924 - /* Do this immediately, since STACK_TOP as used in setup_arg_pages
49925 - may depend on the personality. */
49926 - SET_PERSONALITY(loc->elf_ex, ibcs2_interpreter);
49927 -+
49928 -+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
49929 -+ if (!(current->mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)))
49930 -+#endif
49931 -+
49932 - if (elf_read_implies_exec(loc->elf_ex, executable_stack))
49933 - current->personality |= READ_IMPLIES_EXEC;
49934 -
49935 -+#ifdef CONFIG_PAX_ASLR
49936 -+ if (!(current->mm->pax_flags & MF_PAX_RANDMMAP))
49937 -+#endif
49938 -+
49939 - if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
49940 - current->flags |= PF_RANDOMIZE;
49941 - arch_pick_mmap_layout(current->mm);
49942 -@@ -871,6 +1151,20 @@ static int load_elf_binary(struct linux_
49943 - * might try to exec. This is because the brk will
49944 - * follow the loader, and is not movable. */
49945 - load_bias = ELF_PAGESTART(ELF_ET_DYN_BASE - vaddr);
49946 -+
49947 -+#ifdef CONFIG_PAX_RANDMMAP
49948 -+ /* PaX: randomize base address at the default exe base if requested */
49949 -+ if ((current->mm->pax_flags & MF_PAX_RANDMMAP) && elf_interpreter) {
49950 -+#ifdef CONFIG_SPARC64
49951 -+ load_bias = (pax_get_random_long() & ((1UL << PAX_DELTA_MMAP_LEN) - 1)) << (PAGE_SHIFT+1);
49952 -+#else
49953 -+ load_bias = (pax_get_random_long() & ((1UL << PAX_DELTA_MMAP_LEN) - 1)) << PAGE_SHIFT;
49954 -+#endif
49955 -+ load_bias = ELF_PAGESTART(PAX_ELF_ET_DYN_BASE - vaddr + load_bias);
49956 -+ elf_flags |= MAP_FIXED;
49957 -+ }
49958 -+#endif
49959 -+
49960 - }
49961 -
49962 - error = elf_map(bprm->file, load_bias + vaddr, elf_ppnt,
49963 -@@ -903,9 +1197,9 @@ static int load_elf_binary(struct linux_
49964 - * allowed task size. Note that p_filesz must always be
49965 - * <= p_memsz so it is only necessary to check p_memsz.
49966 - */
49967 -- if (BAD_ADDR(k) || elf_ppnt->p_filesz > elf_ppnt->p_memsz ||
49968 -- elf_ppnt->p_memsz > TASK_SIZE ||
49969 -- TASK_SIZE - elf_ppnt->p_memsz < k) {
49970 -+ if (k >= task_size || elf_ppnt->p_filesz > elf_ppnt->p_memsz ||
49971 -+ elf_ppnt->p_memsz > task_size ||
49972 -+ task_size - elf_ppnt->p_memsz < k) {
49973 - /* set_brk can never work. Avoid overflows. */
49974 - send_sig(SIGKILL, current, 0);
49975 - retval = -EINVAL;
49976 -@@ -933,6 +1227,11 @@ static int load_elf_binary(struct linux_
49977 - start_data += load_bias;
49978 - end_data += load_bias;
49979 -
49980 -+#ifdef CONFIG_PAX_RANDMMAP
49981 -+ if (current->mm->pax_flags & MF_PAX_RANDMMAP)
49982 -+ elf_brk += PAGE_SIZE + ((pax_get_random_long() & ~PAGE_MASK) << 4);
49983 -+#endif
49984 -+
49985 - /* Calling set_brk effectively mmaps the pages that we need
49986 - * for the bss and break sections. We must do this before
49987 - * mapping in the interpreter, to make sure it doesn't wind
49988 -@@ -944,9 +1243,11 @@ static int load_elf_binary(struct linux_
49989 - goto out_free_dentry;
49990 - }
49991 - if (likely(elf_bss != elf_brk) && unlikely(padzero(elf_bss))) {
49992 -- send_sig(SIGSEGV, current, 0);
49993 -- retval = -EFAULT; /* Nobody gets to see this, but.. */
49994 -- goto out_free_dentry;
49995 -+ /*
49996 -+ * This bss-zeroing can fail if the ELF
49997 -+ * file specifies odd protections. So
49998 -+ * we don't check the return value
49999 -+ */
50000 - }
50001 -
50002 - if (elf_interpreter) {
50003 -@@ -1183,8 +1484,10 @@ static int dump_seek(struct file *file,
50004 - unsigned long n = off;
50005 - if (n > PAGE_SIZE)
50006 - n = PAGE_SIZE;
50007 -- if (!dump_write(file, buf, n))
50008 -+ if (!dump_write(file, buf, n)) {
50009 -+ free_page((unsigned long)buf);
50010 - return 0;
50011 -+ }
50012 - off -= n;
50013 - }
50014 - free_page((unsigned long)buf);
50015 -@@ -1199,7 +1502,7 @@ static int dump_seek(struct file *file,
50016 - *
50017 - * I think we should skip something. But I am not sure how. H.J.
50018 - */
50019 --static int maydump(struct vm_area_struct *vma, unsigned long mm_flags)
50020 -+static int maydump(struct vm_area_struct *vma, unsigned long mm_flags, long signr)
50021 - {
50022 - /* The vma can be set up to tell us the answer directly. */
50023 - if (vma->vm_flags & VM_ALWAYSDUMP)
50024 -@@ -1218,7 +1521,7 @@ static int maydump(struct vm_area_struct
50025 - }
50026 -
50027 - /* By default, if it hasn't been written to, don't write it out. */
50028 -- if (!vma->anon_vma)
50029 -+ if (signr != SIGKILL && !vma->anon_vma)
50030 - return test_bit(MMF_DUMP_MAPPED_PRIVATE, &mm_flags);
50031 -
50032 - return test_bit(MMF_DUMP_ANON_PRIVATE, &mm_flags);
50033 -@@ -1275,8 +1578,11 @@ static int writenote(struct memelfnote *
50034 - #undef DUMP_WRITE
50035 -
50036 - #define DUMP_WRITE(addr, nr) \
50037 -+ do { \
50038 -+ gr_learn_resource(current, RLIMIT_CORE, size + (nr), 1); \
50039 - if ((size += (nr)) > limit || !dump_write(file, (addr), (nr))) \
50040 -- goto end_coredump;
50041 -+ goto end_coredump; \
50042 -+ } while (0);
50043 - #define DUMP_SEEK(off) \
50044 - if (!dump_seek(file, (off))) \
50045 - goto end_coredump;
50046 -@@ -1676,7 +1982,7 @@ static int elf_core_dump(long signr, str
50047 - phdr.p_offset = offset;
50048 - phdr.p_vaddr = vma->vm_start;
50049 - phdr.p_paddr = 0;
50050 -- phdr.p_filesz = maydump(vma, mm_flags) ? sz : 0;
50051 -+ phdr.p_filesz = maydump(vma, mm_flags, signr) ? sz : 0;
50052 - phdr.p_memsz = sz;
50053 - offset += phdr.p_filesz;
50054 - phdr.p_flags = vma->vm_flags & VM_READ ? PF_R : 0;
50055 -@@ -1720,7 +2026,7 @@ static int elf_core_dump(long signr, str
50056 - vma = next_vma(vma, gate_vma)) {
50057 - unsigned long addr;
50058 -
50059 -- if (!maydump(vma, mm_flags))
50060 -+ if (!maydump(vma, mm_flags, signr))
50061 - continue;
50062 -
50063 - for (addr = vma->vm_start;
50064 -@@ -1743,6 +2049,7 @@ static int elf_core_dump(long signr, str
50065 - flush_cache_page(vma, addr,
50066 - page_to_pfn(page));
50067 - kaddr = kmap(page);
50068 -+ gr_learn_resource(current, RLIMIT_CORE, size + PAGE_SIZE, 1);
50069 - if ((size += PAGE_SIZE) > limit ||
50070 - !dump_write(file, kaddr,
50071 - PAGE_SIZE)) {
50072 -diff -Nurp linux-2.6.23.15/fs/binfmt_flat.c linux-2.6.23.15-grsec/fs/binfmt_flat.c
50073 ---- linux-2.6.23.15/fs/binfmt_flat.c 2007-10-09 21:31:38.000000000 +0100
50074 -+++ linux-2.6.23.15-grsec/fs/binfmt_flat.c 2008-02-11 10:37:44.000000000 +0000
50075 -@@ -559,7 +559,9 @@ static int load_flat_file(struct linux_b
50076 - realdatastart = (unsigned long) -ENOMEM;
50077 - printk("Unable to allocate RAM for process data, errno %d\n",
50078 - (int)-realdatastart);
50079 -+ down_write(&current->mm->mmap_sem);
50080 - do_munmap(current->mm, textpos, text_len);
50081 -+ up_write(&current->mm->mmap_sem);
50082 - ret = realdatastart;
50083 - goto err;
50084 - }
50085 -@@ -581,8 +583,10 @@ static int load_flat_file(struct linux_b
50086 - }
50087 - if (result >= (unsigned long)-4096) {
50088 - printk("Unable to read data+bss, errno %d\n", (int)-result);
50089 -+ down_write(&current->mm->mmap_sem);
50090 - do_munmap(current->mm, textpos, text_len);
50091 - do_munmap(current->mm, realdatastart, data_len + extra);
50092 -+ up_write(&current->mm->mmap_sem);
50093 - ret = result;
50094 - goto err;
50095 - }
50096 -@@ -655,8 +659,10 @@ static int load_flat_file(struct linux_b
50097 - }
50098 - if (result >= (unsigned long)-4096) {
50099 - printk("Unable to read code+data+bss, errno %d\n",(int)-result);
50100 -+ down_write(&current->mm->mmap_sem);
50101 - do_munmap(current->mm, textpos, text_len + data_len + extra +
50102 - MAX_SHARED_LIBS * sizeof(unsigned long));
50103 -+ up_write(&current->mm->mmap_sem);
50104 - ret = result;
50105 - goto err;
50106 - }
50107 -diff -Nurp linux-2.6.23.15/fs/binfmt_misc.c linux-2.6.23.15-grsec/fs/binfmt_misc.c
50108 ---- linux-2.6.23.15/fs/binfmt_misc.c 2007-10-09 21:31:38.000000000 +0100
50109 -+++ linux-2.6.23.15-grsec/fs/binfmt_misc.c 2008-02-11 10:37:44.000000000 +0000
50110 -@@ -113,9 +113,11 @@ static int load_misc_binary(struct linux
50111 - struct files_struct *files = NULL;
50112 -
50113 - retval = -ENOEXEC;
50114 -- if (!enabled)
50115 -+ if (!enabled || bprm->misc)
50116 - goto _ret;
50117 -
50118 -+ bprm->misc++;
50119 -+
50120 - /* to keep locking time low, we copy the interpreter string */
50121 - read_lock(&entries_lock);
50122 - fmt = check_file(bprm);
50123 -@@ -720,7 +722,7 @@ static int bm_fill_super(struct super_bl
50124 - static struct tree_descr bm_files[] = {
50125 - [2] = {"status", &bm_status_operations, S_IWUSR|S_IRUGO},
50126 - [3] = {"register", &bm_register_operations, S_IWUSR},
50127 -- /* last one */ {""}
50128 -+ /* last one */ {"", NULL, 0}
50129 - };
50130 - int err = simple_fill_super(sb, 0x42494e4d, bm_files);
50131 - if (!err)
50132 -diff -Nurp linux-2.6.23.15/fs/buffer.c linux-2.6.23.15-grsec/fs/buffer.c
50133 ---- linux-2.6.23.15/fs/buffer.c 2007-10-09 21:31:38.000000000 +0100
50134 -+++ linux-2.6.23.15-grsec/fs/buffer.c 2008-02-11 10:37:44.000000000 +0000
50135 -@@ -41,6 +41,7 @@
50136 - #include <linux/bitops.h>
50137 - #include <linux/mpage.h>
50138 - #include <linux/bit_spinlock.h>
50139 -+#include <linux/grsecurity.h>
50140 -
50141 - static int fsync_buffers_list(spinlock_t *lock, struct list_head *list);
50142 -
50143 -@@ -2017,6 +2018,7 @@ static int __generic_cont_expand(struct
50144 -
50145 - err = -EFBIG;
50146 - limit = current->signal->rlim[RLIMIT_FSIZE].rlim_cur;
50147 -+ gr_learn_resource(current, RLIMIT_FSIZE, (unsigned long) size, 1);
50148 - if (limit != RLIM_INFINITY && size > (loff_t)limit) {
50149 - send_sig(SIGXFSZ, current, 0);
50150 - goto out;
50151 -diff -Nurp linux-2.6.23.15/fs/cifs/cifs_uniupr.h linux-2.6.23.15-grsec/fs/cifs/cifs_uniupr.h
50152 ---- linux-2.6.23.15/fs/cifs/cifs_uniupr.h 2007-10-09 21:31:38.000000000 +0100
50153 -+++ linux-2.6.23.15-grsec/fs/cifs/cifs_uniupr.h 2008-02-11 10:37:44.000000000 +0000
50154 -@@ -132,7 +132,7 @@ const struct UniCaseRange CifsUniUpperRa
50155 - {0x0490, 0x04cc, UniCaseRangeU0490},
50156 - {0x1e00, 0x1ffc, UniCaseRangeU1e00},
50157 - {0xff40, 0xff5a, UniCaseRangeUff40},
50158 -- {0}
50159 -+ {0, 0, NULL}
50160 - };
50161 - #endif
50162 -
50163 -diff -Nurp linux-2.6.23.15/fs/cifs/dir.c linux-2.6.23.15-grsec/fs/cifs/dir.c
50164 ---- linux-2.6.23.15/fs/cifs/dir.c 2007-10-09 21:31:38.000000000 +0100
50165 -+++ linux-2.6.23.15-grsec/fs/cifs/dir.c 2008-02-11 10:37:44.000000000 +0000
50166 -@@ -397,7 +397,7 @@ int cifs_mknod(struct inode *inode, stru
50167 - /* BB Do not bother to decode buf since no
50168 - local inode yet to put timestamps in,
50169 - but we can reuse it safely */
50170 -- int bytes_written;
50171 -+ unsigned int bytes_written;
50172 - struct win_dev *pdev;
50173 - pdev = (struct win_dev *)buf;
50174 - if (S_ISCHR(mode)) {
50175 -diff -Nurp linux-2.6.23.15/fs/cifs/inode.c linux-2.6.23.15-grsec/fs/cifs/inode.c
50176 ---- linux-2.6.23.15/fs/cifs/inode.c 2008-02-11 10:36:03.000000000 +0000
50177 -+++ linux-2.6.23.15-grsec/fs/cifs/inode.c 2008-02-11 10:37:44.000000000 +0000
50178 -@@ -1470,7 +1470,7 @@ int cifs_setattr(struct dentry *direntry
50179 - atomic_dec(&open_file->wrtPending);
50180 - cFYI(1, ("SetFSize for attrs rc = %d", rc));
50181 - if ((rc == -EINVAL) || (rc == -EOPNOTSUPP)) {
50182 -- int bytes_written;
50183 -+ unsigned int bytes_written;
50184 - rc = CIFSSMBWrite(xid, pTcon,
50185 - nfid, 0, attrs->ia_size,
50186 - &bytes_written, NULL, NULL,
50187 -@@ -1503,7 +1503,7 @@ int cifs_setattr(struct dentry *direntry
50188 - cifs_sb->mnt_cifs_flags &
50189 - CIFS_MOUNT_MAP_SPECIAL_CHR);
50190 - if (rc == 0) {
50191 -- int bytes_written;
50192 -+ unsigned int bytes_written;
50193 - rc = CIFSSMBWrite(xid, pTcon,
50194 - netfid, 0,
50195 - attrs->ia_size,
50196 -diff -Nurp linux-2.6.23.15/fs/compat.c linux-2.6.23.15-grsec/fs/compat.c
50197 ---- linux-2.6.23.15/fs/compat.c 2007-10-09 21:31:38.000000000 +0100
50198 -+++ linux-2.6.23.15-grsec/fs/compat.c 2008-02-11 10:37:44.000000000 +0000
50199 -@@ -50,6 +50,7 @@
50200 - #include <linux/poll.h>
50201 - #include <linux/mm.h>
50202 - #include <linux/eventpoll.h>
50203 -+#include <linux/grsecurity.h>
50204 -
50205 - #include <asm/uaccess.h>
50206 - #include <asm/mmu_context.h>
50207 -@@ -1300,14 +1301,12 @@ static int compat_copy_strings(int argc,
50208 - if (!kmapped_page || kpos != (pos & PAGE_MASK)) {
50209 - struct page *page;
50210 -
50211 --#ifdef CONFIG_STACK_GROWSUP
50212 - ret = expand_stack_downwards(bprm->vma, pos);
50213 - if (ret < 0) {
50214 - /* We've exceed the stack rlimit. */
50215 - ret = -E2BIG;
50216 - goto out;
50217 - }
50218 --#endif
50219 - ret = get_user_pages(current, bprm->mm, pos,
50220 - 1, 1, 1, &page, NULL);
50221 - if (ret <= 0) {
50222 -@@ -1353,6 +1352,11 @@ int compat_do_execve(char * filename,
50223 - compat_uptr_t __user *envp,
50224 - struct pt_regs * regs)
50225 - {
50226 -+#ifdef CONFIG_GRKERNSEC
50227 -+ struct file *old_exec_file;
50228 -+ struct acl_subject_label *old_acl;
50229 -+ struct rlimit old_rlim[RLIM_NLIMITS];
50230 -+#endif
50231 - struct linux_binprm *bprm;
50232 - struct file *file;
50233 - int retval;
50234 -@@ -1373,6 +1377,14 @@ int compat_do_execve(char * filename,
50235 - bprm->filename = filename;
50236 - bprm->interp = filename;
50237 -
50238 -+ gr_learn_resource(current, RLIMIT_NPROC, atomic_read(&current->user->processes), 1);
50239 -+ retval = -EAGAIN;
50240 -+ if (gr_handle_nproc())
50241 -+ goto out_file;
50242 -+ retval = -EACCES;
50243 -+ if (!gr_acl_handle_execve(file->f_dentry, file->f_vfsmnt))
50244 -+ goto out_file;
50245 -+
50246 - retval = bprm_mm_init(bprm);
50247 - if (retval)
50248 - goto out_file;
50249 -@@ -1406,8 +1418,36 @@ int compat_do_execve(char * filename,
50250 - if (retval < 0)
50251 - goto out;
50252 -
50253 -+ if (!gr_tpe_allow(file)) {
50254 -+ retval = -EACCES;
50255 -+ goto out;
50256 -+ }
50257 -+
50258 -+ if (gr_check_crash_exec(file)) {
50259 -+ retval = -EACCES;
50260 -+ goto out;
50261 -+ }
50262 -+
50263 -+ gr_log_chroot_exec(file->f_dentry, file->f_vfsmnt);
50264 -+
50265 -+ gr_handle_exec_args(bprm, (char __user * __user *)argv);
50266 -+
50267 -+#ifdef CONFIG_GRKERNSEC
50268 -+ old_acl = current->acl;
50269 -+ memcpy(old_rlim, current->signal->rlim, sizeof(old_rlim));
50270 -+ old_exec_file = current->exec_file;
50271 -+ get_file(file);
50272 -+ current->exec_file = file;
50273 -+#endif
50274 -+
50275 -+ gr_set_proc_label(file->f_dentry, file->f_vfsmnt);
50276 -+
50277 - retval = search_binary_handler(bprm, regs);
50278 - if (retval >= 0) {
50279 -+#ifdef CONFIG_GRKERNSEC
50280 -+ if (old_exec_file)
50281 -+ fput(old_exec_file);
50282 -+#endif
50283 - /* execve success */
50284 - security_bprm_free(bprm);
50285 - acct_update_integrals(current);
50286 -@@ -1415,6 +1455,13 @@ int compat_do_execve(char * filename,
50287 - return retval;
50288 - }
50289 -
50290 -+#ifdef CONFIG_GRKERNSEC
50291 -+ current->acl = old_acl;
50292 -+ memcpy(current->signal->rlim, old_rlim, sizeof(old_rlim));
50293 -+ fput(current->exec_file);
50294 -+ current->exec_file = old_exec_file;
50295 -+#endif
50296 -+
50297 - out:
50298 - if (bprm->security)
50299 - security_bprm_free(bprm);
50300 -diff -Nurp linux-2.6.23.15/fs/compat_ioctl.c linux-2.6.23.15-grsec/fs/compat_ioctl.c
50301 ---- linux-2.6.23.15/fs/compat_ioctl.c 2007-10-09 21:31:38.000000000 +0100
50302 -+++ linux-2.6.23.15-grsec/fs/compat_ioctl.c 2008-02-11 10:37:44.000000000 +0000
50303 -@@ -2431,15 +2431,15 @@ struct ioctl_trans {
50304 - };
50305 -
50306 - #define HANDLE_IOCTL(cmd,handler) \
50307 -- { (cmd), (ioctl_trans_handler_t)(handler) },
50308 -+ { (cmd), (ioctl_trans_handler_t)(handler), NULL },
50309 -
50310 - /* pointer to compatible structure or no argument */
50311 - #define COMPATIBLE_IOCTL(cmd) \
50312 -- { (cmd), do_ioctl32_pointer },
50313 -+ { (cmd), do_ioctl32_pointer, NULL },
50314 -
50315 - /* argument is an unsigned long integer, not a pointer */
50316 - #define ULONG_IOCTL(cmd) \
50317 -- { (cmd), (ioctl_trans_handler_t)sys_ioctl },
50318 -+ { (cmd), (ioctl_trans_handler_t)sys_ioctl, NULL },
50319 -
50320 - /* ioctl should not be warned about even if it's not implemented.
50321 - Valid reasons to use this:
50322 -diff -Nurp linux-2.6.23.15/fs/debugfs/inode.c linux-2.6.23.15-grsec/fs/debugfs/inode.c
50323 ---- linux-2.6.23.15/fs/debugfs/inode.c 2007-10-09 21:31:38.000000000 +0100
50324 -+++ linux-2.6.23.15-grsec/fs/debugfs/inode.c 2008-02-11 10:37:44.000000000 +0000
50325 -@@ -125,7 +125,7 @@ static inline int debugfs_positive(struc
50326 -
50327 - static int debug_fill_super(struct super_block *sb, void *data, int silent)
50328 - {
50329 -- static struct tree_descr debug_files[] = {{""}};
50330 -+ static struct tree_descr debug_files[] = {{"", NULL, 0}};
50331 -
50332 - return simple_fill_super(sb, DEBUGFS_MAGIC, debug_files);
50333 - }
50334 -diff -Nurp linux-2.6.23.15/fs/exec.c linux-2.6.23.15-grsec/fs/exec.c
50335 ---- linux-2.6.23.15/fs/exec.c 2008-02-11 10:36:03.000000000 +0000
50336 -+++ linux-2.6.23.15-grsec/fs/exec.c 2008-02-11 10:37:44.000000000 +0000
50337 -@@ -50,6 +50,8 @@
50338 - #include <linux/tsacct_kern.h>
50339 - #include <linux/cn_proc.h>
50340 - #include <linux/audit.h>
50341 -+#include <linux/random.h>
50342 -+#include <linux/grsecurity.h>
50343 -
50344 - #include <asm/uaccess.h>
50345 - #include <asm/mmu_context.h>
50346 -@@ -184,18 +186,10 @@ static struct page *get_arg_page(struct
50347 - int write)
50348 - {
50349 - struct page *page;
50350 -- int ret;
50351 -
50352 --#ifdef CONFIG_STACK_GROWSUP
50353 -- if (write) {
50354 -- ret = expand_stack_downwards(bprm->vma, pos);
50355 -- if (ret < 0)
50356 -- return NULL;
50357 -- }
50358 --#endif
50359 -- ret = get_user_pages(current, bprm->mm, pos,
50360 -- 1, write, 1, &page, NULL);
50361 -- if (ret <= 0)
50362 -+ if (0 > expand_stack_downwards(bprm->vma, pos))
50363 -+ return NULL;
50364 -+ if (0 >= get_user_pages(current, bprm->mm, pos, 1, write, 1, &page, NULL))
50365 - return NULL;
50366 -
50367 - if (write) {
50368 -@@ -260,7 +254,12 @@ static int __bprm_mm_init(struct linux_b
50369 - vma->vm_start = vma->vm_end - PAGE_SIZE;
50370 -
50371 - vma->vm_flags = VM_STACK_FLAGS;
50372 -- vma->vm_page_prot = protection_map[vma->vm_flags & 0x7];
50373 -+
50374 -+#ifdef CONFIG_PAX_SEGMEXEC
50375 -+ vma->vm_flags &= ~(VM_EXEC | VM_MAYEXEC);
50376 -+#endif
50377 -+
50378 -+ vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
50379 - err = insert_vm_struct(mm, vma);
50380 - if (err) {
50381 - up_write(&mm->mmap_sem);
50382 -@@ -272,6 +271,11 @@ static int __bprm_mm_init(struct linux_b
50383 -
50384 - bprm->p = vma->vm_end - sizeof(void *);
50385 -
50386 -+#ifdef CONFIG_PAX_RANDUSTACK
50387 -+ if (randomize_va_space)
50388 -+ bprm->p ^= (pax_get_random_long() & ~15) & ~PAGE_MASK;
50389 -+#endif
50390 -+
50391 - return 0;
50392 -
50393 - err:
50394 -@@ -395,7 +399,7 @@ static int count(char __user * __user *
50395 - if (!p)
50396 - break;
50397 - argv++;
50398 -- if(++i > max)
50399 -+ if (++i > max)
50400 - return -E2BIG;
50401 - cond_resched();
50402 - }
50403 -@@ -535,6 +539,10 @@ static int shift_arg_pages(struct vm_are
50404 - if (vma != find_vma(mm, new_start))
50405 - return -EFAULT;
50406 -
50407 -+#ifdef CONFIG_PAX_SEGMEXEC
50408 -+ BUG_ON(pax_find_mirror_vma(vma));
50409 -+#endif
50410 -+
50411 - /*
50412 - * cover the whole range: [new_start, old_end)
50413 - */
50414 -@@ -623,6 +631,14 @@ int setup_arg_pages(struct linux_binprm
50415 - bprm->exec -= stack_shift;
50416 -
50417 - down_write(&mm->mmap_sem);
50418 -+
50419 -+ /* Move stack pages down in memory. */
50420 -+ if (stack_shift) {
50421 -+ ret = shift_arg_pages(vma, stack_shift);
50422 -+ if (ret)
50423 -+ goto out_unlock;
50424 -+ }
50425 -+
50426 - vm_flags = vma->vm_flags;
50427 -
50428 - /*
50429 -@@ -634,23 +650,28 @@ int setup_arg_pages(struct linux_binprm
50430 - vm_flags |= VM_EXEC;
50431 - else if (executable_stack == EXSTACK_DISABLE_X)
50432 - vm_flags &= ~VM_EXEC;
50433 -+ else
50434 -+ vm_flags = VM_STACK_FLAGS;
50435 - vm_flags |= mm->def_flags;
50436 -
50437 -+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
50438 -+ if (mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
50439 -+ vm_flags &= ~VM_EXEC;
50440 -+
50441 -+#ifdef CONFIG_PAX_MPROTECT
50442 -+ if (mm->pax_flags & MF_PAX_MPROTECT)
50443 -+ vm_flags &= ~VM_MAYEXEC;
50444 -+#endif
50445 -+
50446 -+ }
50447 -+#endif
50448 -+
50449 - ret = mprotect_fixup(vma, &prev, vma->vm_start, vma->vm_end,
50450 - vm_flags);
50451 - if (ret)
50452 - goto out_unlock;
50453 - BUG_ON(prev != vma);
50454 -
50455 -- /* Move stack pages down in memory. */
50456 -- if (stack_shift) {
50457 -- ret = shift_arg_pages(vma, stack_shift);
50458 -- if (ret) {
50459 -- up_write(&mm->mmap_sem);
50460 -- return ret;
50461 -- }
50462 -- }
50463 --
50464 - #ifdef CONFIG_STACK_GROWSUP
50465 - stack_base = vma->vm_end + EXTRA_STACK_VM_PAGES * PAGE_SIZE;
50466 - #else
50467 -@@ -662,7 +683,7 @@ int setup_arg_pages(struct linux_binprm
50468 -
50469 - out_unlock:
50470 - up_write(&mm->mmap_sem);
50471 -- return 0;
50472 -+ return ret;
50473 - }
50474 - EXPORT_SYMBOL(setup_arg_pages);
50475 -
50476 -@@ -682,7 +703,7 @@ struct file *open_exec(const char *name)
50477 - file = ERR_PTR(-EACCES);
50478 - if (!(nd.mnt->mnt_flags & MNT_NOEXEC) &&
50479 - S_ISREG(inode->i_mode)) {
50480 -- int err = vfs_permission(&nd, MAY_EXEC);
50481 -+ err = vfs_permission(&nd, MAY_EXEC);
50482 - file = ERR_PTR(err);
50483 - if (!err) {
50484 - file = nameidata_to_filp(&nd, O_RDONLY);
50485 -@@ -1339,6 +1360,11 @@ int do_execve(char * filename,
50486 - char __user *__user *envp,
50487 - struct pt_regs * regs)
50488 - {
50489 -+#ifdef CONFIG_GRKERNSEC
50490 -+ struct file *old_exec_file;
50491 -+ struct acl_subject_label *old_acl;
50492 -+ struct rlimit old_rlim[RLIM_NLIMITS];
50493 -+#endif
50494 - struct linux_binprm *bprm;
50495 - struct file *file;
50496 - unsigned long env_p;
50497 -@@ -1354,6 +1380,20 @@ int do_execve(char * filename,
50498 - if (IS_ERR(file))
50499 - goto out_kfree;
50500 -
50501 -+ gr_learn_resource(current, RLIMIT_NPROC, atomic_read(&current->user->processes), 1);
50502 -+
50503 -+ if (gr_handle_nproc()) {
50504 -+ allow_write_access(file);
50505 -+ fput(file);
50506 -+ return -EAGAIN;
50507 -+ }
50508 -+
50509 -+ if (!gr_acl_handle_execve(file->f_dentry, file->f_vfsmnt)) {
50510 -+ allow_write_access(file);
50511 -+ fput(file);
50512 -+ return -EACCES;
50513 -+ }
50514 -+
50515 - sched_exec();
50516 -
50517 - bprm->file = file;
50518 -@@ -1395,8 +1435,38 @@ int do_execve(char * filename,
50519 - goto out;
50520 - bprm->argv_len = env_p - bprm->p;
50521 -
50522 -+ if (!gr_tpe_allow(file)) {
50523 -+ retval = -EACCES;
50524 -+ goto out;
50525 -+ }
50526 -+
50527 -+ if (gr_check_crash_exec(file)) {
50528 -+ retval = -EACCES;
50529 -+ goto out;
50530 -+ }
50531 -+
50532 -+ gr_log_chroot_exec(file->f_dentry, file->f_vfsmnt);
50533 -+
50534 -+ gr_handle_exec_args(bprm, argv);
50535 -+
50536 -+#ifdef CONFIG_GRKERNSEC
50537 -+ old_acl = current->acl;
50538 -+ memcpy(old_rlim, current->signal->rlim, sizeof(old_rlim));
50539 -+ old_exec_file = current->exec_file;
50540 -+ get_file(file);
50541 -+ current->exec_file = file;
50542 -+#endif
50543 -+
50544 -+ retval = gr_set_proc_label(file->f_dentry, file->f_vfsmnt);
50545 -+ if (retval < 0)
50546 -+ goto out_fail;
50547 -+
50548 - retval = search_binary_handler(bprm,regs);
50549 - if (retval >= 0) {
50550 -+#ifdef CONFIG_GRKERNSEC
50551 -+ if (old_exec_file)
50552 -+ fput(old_exec_file);
50553 -+#endif
50554 - /* execve success */
50555 - free_arg_pages(bprm);
50556 - security_bprm_free(bprm);
50557 -@@ -1405,6 +1475,14 @@ int do_execve(char * filename,
50558 - return retval;
50559 - }
50560 -
50561 -+out_fail:
50562 -+#ifdef CONFIG_GRKERNSEC
50563 -+ current->acl = old_acl;
50564 -+ memcpy(current->signal->rlim, old_rlim, sizeof(old_rlim));
50565 -+ fput(current->exec_file);
50566 -+ current->exec_file = old_exec_file;
50567 -+#endif
50568 -+
50569 - out:
50570 - free_arg_pages(bprm);
50571 - if (bprm->security)
50572 -@@ -1561,6 +1639,114 @@ out:
50573 - return ispipe;
50574 - }
50575 -
50576 -+int pax_check_flags(unsigned long *flags)
50577 -+{
50578 -+ int retval = 0;
50579 -+
50580 -+#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_SEGMEXEC)
50581 -+ if (*flags & MF_PAX_SEGMEXEC)
50582 -+ {
50583 -+ *flags &= ~MF_PAX_SEGMEXEC;
50584 -+ retval = -EINVAL;
50585 -+ }
50586 -+#endif
50587 -+
50588 -+ if ((*flags & MF_PAX_PAGEEXEC)
50589 -+
50590 -+#ifdef CONFIG_PAX_PAGEEXEC
50591 -+ && (*flags & MF_PAX_SEGMEXEC)
50592 -+#endif
50593 -+
50594 -+ )
50595 -+ {
50596 -+ *flags &= ~MF_PAX_PAGEEXEC;
50597 -+ retval = -EINVAL;
50598 -+ }
50599 -+
50600 -+ if ((*flags & MF_PAX_MPROTECT)
50601 -+
50602 -+#ifdef CONFIG_PAX_MPROTECT
50603 -+ && !(*flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC))
50604 -+#endif
50605 -+
50606 -+ )
50607 -+ {
50608 -+ *flags &= ~MF_PAX_MPROTECT;
50609 -+ retval = -EINVAL;
50610 -+ }
50611 -+
50612 -+ if ((*flags & MF_PAX_EMUTRAMP)
50613 -+
50614 -+#ifdef CONFIG_PAX_EMUTRAMP
50615 -+ && !(*flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC))
50616 -+#endif
50617 -+
50618 -+ )
50619 -+ {
50620 -+ *flags &= ~MF_PAX_EMUTRAMP;
50621 -+ retval = -EINVAL;
50622 -+ }
50623 -+
50624 -+ return retval;
50625 -+}
50626 -+
50627 -+EXPORT_SYMBOL(pax_check_flags);
50628 -+
50629 -+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
50630 -+void pax_report_fault(struct pt_regs *regs, void *pc, void *sp)
50631 -+{
50632 -+ struct task_struct *tsk = current;
50633 -+ struct mm_struct *mm = current->mm;
50634 -+ char *buffer_exec = (char *)__get_free_page(GFP_ATOMIC);
50635 -+ char *buffer_fault = (char *)__get_free_page(GFP_ATOMIC);
50636 -+ char *path_exec = NULL;
50637 -+ char *path_fault = NULL;
50638 -+ unsigned long start = 0UL, end = 0UL, offset = 0UL;
50639 -+
50640 -+ if (buffer_exec && buffer_fault) {
50641 -+ struct vm_area_struct *vma, *vma_exec = NULL, *vma_fault = NULL;
50642 -+
50643 -+ down_read(&mm->mmap_sem);
50644 -+ vma = mm->mmap;
50645 -+ while (vma && (!vma_exec || !vma_fault)) {
50646 -+ if ((vma->vm_flags & VM_EXECUTABLE) && vma->vm_file)
50647 -+ vma_exec = vma;
50648 -+ if (vma->vm_start <= (unsigned long)pc && (unsigned long)pc < vma->vm_end)
50649 -+ vma_fault = vma;
50650 -+ vma = vma->vm_next;
50651 -+ }
50652 -+ if (vma_exec) {
50653 -+ path_exec = d_path(vma_exec->vm_file->f_path.dentry, vma_exec->vm_file->f_path.mnt, buffer_exec, PAGE_SIZE);
50654 -+ if (IS_ERR(path_exec))
50655 -+ path_exec = "<path too long>";
50656 -+ }
50657 -+ if (vma_fault) {
50658 -+ start = vma_fault->vm_start;
50659 -+ end = vma_fault->vm_end;
50660 -+ offset = vma_fault->vm_pgoff << PAGE_SHIFT;
50661 -+ if (vma_fault->vm_file) {
50662 -+ path_fault = d_path(vma_fault->vm_file->f_path.dentry, vma_fault->vm_file->f_path.mnt, buffer_fault, PAGE_SIZE);
50663 -+ if (IS_ERR(path_fault))
50664 -+ path_fault = "<path too long>";
50665 -+ } else
50666 -+ path_fault = "<anonymous mapping>";
50667 -+ }
50668 -+ up_read(&mm->mmap_sem);
50669 -+ }
50670 -+ if (tsk->signal->curr_ip)
50671 -+ printk(KERN_ERR "PAX: From %u.%u.%u.%u: execution attempt in: %s, %08lx-%08lx %08lx\n", NIPQUAD(tsk->signal->curr_ip), path_fault, start, end, offset);
50672 -+ else
50673 -+ printk(KERN_ERR "PAX: execution attempt in: %s, %08lx-%08lx %08lx\n", path_fault, start, end, offset);
50674 -+ printk(KERN_ERR "PAX: terminating task: %s(%s):%d, uid/euid: %u/%u, "
50675 -+ "PC: %p, SP: %p\n", path_exec, tsk->comm, tsk->pid,
50676 -+ tsk->uid, tsk->euid, pc, sp);
50677 -+ free_page((unsigned long)buffer_exec);
50678 -+ free_page((unsigned long)buffer_fault);
50679 -+ pax_report_insns(pc, sp);
50680 -+ do_coredump(SIGKILL, SIGKILL, regs);
50681 -+}
50682 -+#endif
50683 -+
50684 - static void zap_process(struct task_struct *start)
50685 - {
50686 - struct task_struct *t;
50687 -@@ -1753,6 +1939,10 @@ int do_coredump(long signr, int exit_cod
50688 - */
50689 - clear_thread_flag(TIF_SIGPENDING);
50690 -
50691 -+ if (signr == SIGKILL || signr == SIGILL)
50692 -+ gr_handle_brute_attach(current);
50693 -+
50694 -+ gr_learn_resource(current, RLIMIT_CORE, binfmt->min_coredump, 1);
50695 - if (current->signal->rlim[RLIMIT_CORE].rlim_cur < binfmt->min_coredump)
50696 - goto fail_unlock;
50697 -
50698 -diff -Nurp linux-2.6.23.15/fs/ext2/balloc.c linux-2.6.23.15-grsec/fs/ext2/balloc.c
50699 ---- linux-2.6.23.15/fs/ext2/balloc.c 2007-10-09 21:31:38.000000000 +0100
50700 -+++ linux-2.6.23.15-grsec/fs/ext2/balloc.c 2008-02-11 10:37:44.000000000 +0000
50701 -@@ -111,7 +111,7 @@ static int reserve_blocks(struct super_b
50702 - if (free_blocks < count)
50703 - count = free_blocks;
50704 -
50705 -- if (free_blocks < root_blocks + count && !capable(CAP_SYS_RESOURCE) &&
50706 -+ if (free_blocks < root_blocks + count && !capable_nolog(CAP_SYS_RESOURCE) &&
50707 - sbi->s_resuid != current->fsuid &&
50708 - (sbi->s_resgid == 0 || !in_group_p (sbi->s_resgid))) {
50709 - /*
50710 -diff -Nurp linux-2.6.23.15/fs/ext3/balloc.c linux-2.6.23.15-grsec/fs/ext3/balloc.c
50711 ---- linux-2.6.23.15/fs/ext3/balloc.c 2007-10-09 21:31:38.000000000 +0100
50712 -+++ linux-2.6.23.15-grsec/fs/ext3/balloc.c 2008-02-11 10:37:44.000000000 +0000
50713 -@@ -1359,7 +1359,7 @@ static int ext3_has_free_blocks(struct e
50714 -
50715 - free_blocks = percpu_counter_read_positive(&sbi->s_freeblocks_counter);
50716 - root_blocks = le32_to_cpu(sbi->s_es->s_r_blocks_count);
50717 -- if (free_blocks < root_blocks + 1 && !capable(CAP_SYS_RESOURCE) &&
50718 -+ if (free_blocks < root_blocks + 1 && !capable_nolog(CAP_SYS_RESOURCE) &&
50719 - sbi->s_resuid != current->fsuid &&
50720 - (sbi->s_resgid == 0 || !in_group_p (sbi->s_resgid))) {
50721 - return 0;
50722 -diff -Nurp linux-2.6.23.15/fs/ext3/namei.c linux-2.6.23.15-grsec/fs/ext3/namei.c
50723 ---- linux-2.6.23.15/fs/ext3/namei.c 2007-10-09 21:31:38.000000000 +0100
50724 -+++ linux-2.6.23.15-grsec/fs/ext3/namei.c 2008-02-11 10:37:44.000000000 +0000
50725 -@@ -1188,9 +1188,9 @@ static struct ext3_dir_entry_2 *do_split
50726 - u32 hash2;
50727 - struct dx_map_entry *map;
50728 - char *data1 = (*bh)->b_data, *data2;
50729 -- unsigned split, move, size, i;
50730 -+ unsigned split, move, size;
50731 - struct ext3_dir_entry_2 *de = NULL, *de2;
50732 -- int err = 0;
50733 -+ int i, err = 0;
50734 -
50735 - bh2 = ext3_append (handle, dir, &newblock, &err);
50736 - if (!(bh2)) {
50737 -diff -Nurp linux-2.6.23.15/fs/ext3/xattr.c linux-2.6.23.15-grsec/fs/ext3/xattr.c
50738 ---- linux-2.6.23.15/fs/ext3/xattr.c 2007-10-09 21:31:38.000000000 +0100
50739 -+++ linux-2.6.23.15-grsec/fs/ext3/xattr.c 2008-02-11 10:37:44.000000000 +0000
50740 -@@ -89,8 +89,8 @@
50741 - printk("\n"); \
50742 - } while (0)
50743 - #else
50744 --# define ea_idebug(f...)
50745 --# define ea_bdebug(f...)
50746 -+# define ea_idebug(f...) do {} while (0)
50747 -+# define ea_bdebug(f...) do {} while (0)
50748 - #endif
50749 -
50750 - static void ext3_xattr_cache_insert(struct buffer_head *);
50751 -diff -Nurp linux-2.6.23.15/fs/ext4/balloc.c linux-2.6.23.15-grsec/fs/ext4/balloc.c
50752 ---- linux-2.6.23.15/fs/ext4/balloc.c 2007-10-09 21:31:38.000000000 +0100
50753 -+++ linux-2.6.23.15-grsec/fs/ext4/balloc.c 2008-02-11 10:37:44.000000000 +0000
50754 -@@ -1376,7 +1376,7 @@ static int ext4_has_free_blocks(struct e
50755 -
50756 - free_blocks = percpu_counter_read_positive(&sbi->s_freeblocks_counter);
50757 - root_blocks = ext4_r_blocks_count(sbi->s_es);
50758 -- if (free_blocks < root_blocks + 1 && !capable(CAP_SYS_RESOURCE) &&
50759 -+ if (free_blocks < root_blocks + 1 && !capable_nolog(CAP_SYS_RESOURCE) &&
50760 - sbi->s_resuid != current->fsuid &&
50761 - (sbi->s_resgid == 0 || !in_group_p (sbi->s_resgid))) {
50762 - return 0;
50763 -diff -Nurp linux-2.6.23.15/fs/ext4/namei.c linux-2.6.23.15-grsec/fs/ext4/namei.c
50764 ---- linux-2.6.23.15/fs/ext4/namei.c 2007-10-09 21:31:38.000000000 +0100
50765 -+++ linux-2.6.23.15-grsec/fs/ext4/namei.c 2008-02-11 10:37:44.000000000 +0000
50766 -@@ -1186,9 +1186,9 @@ static struct ext4_dir_entry_2 *do_split
50767 - u32 hash2;
50768 - struct dx_map_entry *map;
50769 - char *data1 = (*bh)->b_data, *data2;
50770 -- unsigned split, move, size, i;
50771 -+ unsigned split, move, size;
50772 - struct ext4_dir_entry_2 *de = NULL, *de2;
50773 -- int err = 0;
50774 -+ int i, err = 0;
50775 -
50776 - bh2 = ext4_append (handle, dir, &newblock, &err);
50777 - if (!(bh2)) {
50778 -diff -Nurp linux-2.6.23.15/fs/fcntl.c linux-2.6.23.15-grsec/fs/fcntl.c
50779 ---- linux-2.6.23.15/fs/fcntl.c 2007-10-09 21:31:38.000000000 +0100
50780 -+++ linux-2.6.23.15-grsec/fs/fcntl.c 2008-02-11 10:37:44.000000000 +0000
50781 -@@ -18,6 +18,7 @@
50782 - #include <linux/ptrace.h>
50783 - #include <linux/signal.h>
50784 - #include <linux/rcupdate.h>
50785 -+#include <linux/grsecurity.h>
50786 -
50787 - #include <asm/poll.h>
50788 - #include <asm/siginfo.h>
50789 -@@ -63,6 +64,7 @@ static int locate_fd(struct files_struct
50790 - struct fdtable *fdt;
50791 -
50792 - error = -EINVAL;
50793 -+ gr_learn_resource(current, RLIMIT_NOFILE, orig_start, 0);
50794 - if (orig_start >= current->signal->rlim[RLIMIT_NOFILE].rlim_cur)
50795 - goto out;
50796 -
50797 -@@ -82,6 +84,7 @@ repeat:
50798 - fdt->max_fds, start);
50799 -
50800 - error = -EMFILE;
50801 -+ gr_learn_resource(current, RLIMIT_NOFILE, newfd, 0);
50802 - if (newfd >= current->signal->rlim[RLIMIT_NOFILE].rlim_cur)
50803 - goto out;
50804 -
50805 -@@ -140,6 +143,8 @@ asmlinkage long sys_dup2(unsigned int ol
50806 - struct files_struct * files = current->files;
50807 - struct fdtable *fdt;
50808 -
50809 -+ gr_learn_resource(current, RLIMIT_NOFILE, newfd, 0);
50810 -+
50811 - spin_lock(&files->file_lock);
50812 - if (!(file = fcheck(oldfd)))
50813 - goto out_unlock;
50814 -@@ -458,7 +463,8 @@ static inline int sigio_perm(struct task
50815 - return (((fown->euid == 0) ||
50816 - (fown->euid == p->suid) || (fown->euid == p->uid) ||
50817 - (fown->uid == p->suid) || (fown->uid == p->uid)) &&
50818 -- !security_file_send_sigiotask(p, fown, sig));
50819 -+ !security_file_send_sigiotask(p, fown, sig) &&
50820 -+ !gr_check_protected_task(p) && !gr_pid_is_chrooted(p));
50821 - }
50822 -
50823 - static void send_sigio_to_task(struct task_struct *p,
50824 -diff -Nurp linux-2.6.23.15/fs/fuse/control.c linux-2.6.23.15-grsec/fs/fuse/control.c
50825 ---- linux-2.6.23.15/fs/fuse/control.c 2007-10-09 21:31:38.000000000 +0100
50826 -+++ linux-2.6.23.15-grsec/fs/fuse/control.c 2008-02-11 10:37:44.000000000 +0000
50827 -@@ -159,7 +159,7 @@ void fuse_ctl_remove_conn(struct fuse_co
50828 -
50829 - static int fuse_ctl_fill_super(struct super_block *sb, void *data, int silent)
50830 - {
50831 -- struct tree_descr empty_descr = {""};
50832 -+ struct tree_descr empty_descr = {"", NULL, 0};
50833 - struct fuse_conn *fc;
50834 - int err;
50835 -
50836 -diff -Nurp linux-2.6.23.15/fs/hfs/inode.c linux-2.6.23.15-grsec/fs/hfs/inode.c
50837 ---- linux-2.6.23.15/fs/hfs/inode.c 2007-10-09 21:31:38.000000000 +0100
50838 -+++ linux-2.6.23.15-grsec/fs/hfs/inode.c 2008-02-11 10:37:44.000000000 +0000
50839 -@@ -415,7 +415,7 @@ int hfs_write_inode(struct inode *inode,
50840 -
50841 - if (S_ISDIR(main_inode->i_mode)) {
50842 - if (fd.entrylength < sizeof(struct hfs_cat_dir))
50843 -- /* panic? */;
50844 -+ {/* panic? */}
50845 - hfs_bnode_read(fd.bnode, &rec, fd.entryoffset,
50846 - sizeof(struct hfs_cat_dir));
50847 - if (rec.type != HFS_CDR_DIR ||
50848 -@@ -436,7 +436,7 @@ int hfs_write_inode(struct inode *inode,
50849 - sizeof(struct hfs_cat_file));
50850 - } else {
50851 - if (fd.entrylength < sizeof(struct hfs_cat_file))
50852 -- /* panic? */;
50853 -+ {/* panic? */}
50854 - hfs_bnode_read(fd.bnode, &rec, fd.entryoffset,
50855 - sizeof(struct hfs_cat_file));
50856 - if (rec.type != HFS_CDR_FIL ||
50857 -diff -Nurp linux-2.6.23.15/fs/hfsplus/inode.c linux-2.6.23.15-grsec/fs/hfsplus/inode.c
50858 ---- linux-2.6.23.15/fs/hfsplus/inode.c 2007-10-09 21:31:38.000000000 +0100
50859 -+++ linux-2.6.23.15-grsec/fs/hfsplus/inode.c 2008-02-11 10:37:44.000000000 +0000
50860 -@@ -418,7 +418,7 @@ int hfsplus_cat_read_inode(struct inode
50861 - struct hfsplus_cat_folder *folder = &entry.folder;
50862 -
50863 - if (fd->entrylength < sizeof(struct hfsplus_cat_folder))
50864 -- /* panic? */;
50865 -+ {/* panic? */}
50866 - hfs_bnode_read(fd->bnode, &entry, fd->entryoffset,
50867 - sizeof(struct hfsplus_cat_folder));
50868 - hfsplus_get_perms(inode, &folder->permissions, 1);
50869 -@@ -435,7 +435,7 @@ int hfsplus_cat_read_inode(struct inode
50870 - struct hfsplus_cat_file *file = &entry.file;
50871 -
50872 - if (fd->entrylength < sizeof(struct hfsplus_cat_file))
50873 -- /* panic? */;
50874 -+ {/* panic? */}
50875 - hfs_bnode_read(fd->bnode, &entry, fd->entryoffset,
50876 - sizeof(struct hfsplus_cat_file));
50877 -
50878 -@@ -491,7 +491,7 @@ int hfsplus_cat_write_inode(struct inode
50879 - struct hfsplus_cat_folder *folder = &entry.folder;
50880 -
50881 - if (fd.entrylength < sizeof(struct hfsplus_cat_folder))
50882 -- /* panic? */;
50883 -+ {/* panic? */}
50884 - hfs_bnode_read(fd.bnode, &entry, fd.entryoffset,
50885 - sizeof(struct hfsplus_cat_folder));
50886 - /* simple node checks? */
50887 -@@ -513,7 +513,7 @@ int hfsplus_cat_write_inode(struct inode
50888 - struct hfsplus_cat_file *file = &entry.file;
50889 -
50890 - if (fd.entrylength < sizeof(struct hfsplus_cat_file))
50891 -- /* panic? */;
50892 -+ {/* panic? */}
50893 - hfs_bnode_read(fd.bnode, &entry, fd.entryoffset,
50894 - sizeof(struct hfsplus_cat_file));
50895 - hfsplus_inode_write_fork(inode, &file->data_fork);
50896 -diff -Nurp linux-2.6.23.15/fs/jffs2/debug.h linux-2.6.23.15-grsec/fs/jffs2/debug.h
50897 ---- linux-2.6.23.15/fs/jffs2/debug.h 2007-10-09 21:31:38.000000000 +0100
50898 -+++ linux-2.6.23.15-grsec/fs/jffs2/debug.h 2008-02-11 10:37:44.000000000 +0000
50899 -@@ -51,13 +51,13 @@
50900 - #if CONFIG_JFFS2_FS_DEBUG > 0
50901 - #define D1(x) x
50902 - #else
50903 --#define D1(x)
50904 -+#define D1(x) do {} while (0);
50905 - #endif
50906 -
50907 - #if CONFIG_JFFS2_FS_DEBUG > 1
50908 - #define D2(x) x
50909 - #else
50910 --#define D2(x)
50911 -+#define D2(x) do {} while (0);
50912 - #endif
50913 -
50914 - /* The prefixes of JFFS2 messages */
50915 -@@ -113,68 +113,68 @@
50916 - #ifdef JFFS2_DBG_READINODE_MESSAGES
50917 - #define dbg_readinode(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
50918 - #else
50919 --#define dbg_readinode(fmt, ...)
50920 -+#define dbg_readinode(fmt, ...) do {} while (0)
50921 - #endif
50922 -
50923 - /* Fragtree build debugging messages */
50924 - #ifdef JFFS2_DBG_FRAGTREE_MESSAGES
50925 - #define dbg_fragtree(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
50926 - #else
50927 --#define dbg_fragtree(fmt, ...)
50928 -+#define dbg_fragtree(fmt, ...) do {} while (0)
50929 - #endif
50930 - #ifdef JFFS2_DBG_FRAGTREE2_MESSAGES
50931 - #define dbg_fragtree2(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
50932 - #else
50933 --#define dbg_fragtree2(fmt, ...)
50934 -+#define dbg_fragtree2(fmt, ...) do {} while (0)
50935 - #endif
50936 -
50937 - /* Directory entry list manilulation debugging messages */
50938 - #ifdef JFFS2_DBG_DENTLIST_MESSAGES
50939 - #define dbg_dentlist(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
50940 - #else
50941 --#define dbg_dentlist(fmt, ...)
50942 -+#define dbg_dentlist(fmt, ...) do {} while (0)
50943 - #endif
50944 -
50945 - /* Print the messages about manipulating node_refs */
50946 - #ifdef JFFS2_DBG_NODEREF_MESSAGES
50947 - #define dbg_noderef(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
50948 - #else
50949 --#define dbg_noderef(fmt, ...)
50950 -+#define dbg_noderef(fmt, ...) do {} while (0)
50951 - #endif
50952 -
50953 - /* Manipulations with the list of inodes (JFFS2 inocache) */
50954 - #ifdef JFFS2_DBG_INOCACHE_MESSAGES
50955 - #define dbg_inocache(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
50956 - #else
50957 --#define dbg_inocache(fmt, ...)
50958 -+#define dbg_inocache(fmt, ...) do {} while (0)
50959 - #endif
50960 -
50961 - /* Summary debugging messages */
50962 - #ifdef JFFS2_DBG_SUMMARY_MESSAGES
50963 - #define dbg_summary(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
50964 - #else
50965 --#define dbg_summary(fmt, ...)
50966 -+#define dbg_summary(fmt, ...) do {} while (0)
50967 - #endif
50968 -
50969 - /* File system build messages */
50970 - #ifdef JFFS2_DBG_FSBUILD_MESSAGES
50971 - #define dbg_fsbuild(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
50972 - #else
50973 --#define dbg_fsbuild(fmt, ...)
50974 -+#define dbg_fsbuild(fmt, ...) do {} while (0)
50975 - #endif
50976 -
50977 - /* Watch the object allocations */
50978 - #ifdef JFFS2_DBG_MEMALLOC_MESSAGES
50979 - #define dbg_memalloc(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
50980 - #else
50981 --#define dbg_memalloc(fmt, ...)
50982 -+#define dbg_memalloc(fmt, ...) do {} while (0)
50983 - #endif
50984 -
50985 - /* Watch the XATTR subsystem */
50986 - #ifdef JFFS2_DBG_XATTR_MESSAGES
50987 - #define dbg_xattr(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
50988 - #else
50989 --#define dbg_xattr(fmt, ...)
50990 -+#define dbg_xattr(fmt, ...) do {} while (0)
50991 - #endif
50992 -
50993 - /* "Sanity" checks */
50994 -diff -Nurp linux-2.6.23.15/fs/jffs2/erase.c linux-2.6.23.15-grsec/fs/jffs2/erase.c
50995 ---- linux-2.6.23.15/fs/jffs2/erase.c 2007-10-09 21:31:38.000000000 +0100
50996 -+++ linux-2.6.23.15-grsec/fs/jffs2/erase.c 2008-02-11 10:37:44.000000000 +0000
50997 -@@ -389,7 +389,8 @@ static void jffs2_mark_erased_block(stru
50998 - struct jffs2_unknown_node marker = {
50999 - .magic = cpu_to_je16(JFFS2_MAGIC_BITMASK),
51000 - .nodetype = cpu_to_je16(JFFS2_NODETYPE_CLEANMARKER),
51001 -- .totlen = cpu_to_je32(c->cleanmarker_size)
51002 -+ .totlen = cpu_to_je32(c->cleanmarker_size),
51003 -+ .hdr_crc = cpu_to_je32(0)
51004 - };
51005 -
51006 - jffs2_prealloc_raw_node_refs(c, jeb, 1);
51007 -diff -Nurp linux-2.6.23.15/fs/jffs2/summary.h linux-2.6.23.15-grsec/fs/jffs2/summary.h
51008 ---- linux-2.6.23.15/fs/jffs2/summary.h 2007-10-09 21:31:38.000000000 +0100
51009 -+++ linux-2.6.23.15-grsec/fs/jffs2/summary.h 2008-02-11 10:37:44.000000000 +0000
51010 -@@ -188,18 +188,18 @@ int jffs2_sum_scan_sumnode(struct jffs2_
51011 -
51012 - #define jffs2_sum_active() (0)
51013 - #define jffs2_sum_init(a) (0)
51014 --#define jffs2_sum_exit(a)
51015 --#define jffs2_sum_disable_collecting(a)
51016 -+#define jffs2_sum_exit(a) do {} while (0)
51017 -+#define jffs2_sum_disable_collecting(a) do {} while (0)
51018 - #define jffs2_sum_is_disabled(a) (0)
51019 --#define jffs2_sum_reset_collected(a)
51020 -+#define jffs2_sum_reset_collected(a) do {} while (0)
51021 - #define jffs2_sum_add_kvec(a,b,c,d) (0)
51022 --#define jffs2_sum_move_collected(a,b)
51023 -+#define jffs2_sum_move_collected(a,b) do {} while (0)
51024 - #define jffs2_sum_write_sumnode(a) (0)
51025 --#define jffs2_sum_add_padding_mem(a,b)
51026 --#define jffs2_sum_add_inode_mem(a,b,c)
51027 --#define jffs2_sum_add_dirent_mem(a,b,c)
51028 --#define jffs2_sum_add_xattr_mem(a,b,c)
51029 --#define jffs2_sum_add_xref_mem(a,b,c)
51030 -+#define jffs2_sum_add_padding_mem(a,b) do {} while (0)
51031 -+#define jffs2_sum_add_inode_mem(a,b,c) do {} while (0)
51032 -+#define jffs2_sum_add_dirent_mem(a,b,c) do {} while (0)
51033 -+#define jffs2_sum_add_xattr_mem(a,b,c) do {} while (0)
51034 -+#define jffs2_sum_add_xref_mem(a,b,c) do {} while (0)
51035 - #define jffs2_sum_scan_sumnode(a,b,c,d,e) (0)
51036 -
51037 - #endif /* CONFIG_JFFS2_SUMMARY */
51038 -diff -Nurp linux-2.6.23.15/fs/jffs2/wbuf.c linux-2.6.23.15-grsec/fs/jffs2/wbuf.c
51039 ---- linux-2.6.23.15/fs/jffs2/wbuf.c 2007-10-09 21:31:38.000000000 +0100
51040 -+++ linux-2.6.23.15-grsec/fs/jffs2/wbuf.c 2008-02-11 10:37:44.000000000 +0000
51041 -@@ -973,7 +973,8 @@ static const struct jffs2_unknown_node o
51042 - {
51043 - .magic = constant_cpu_to_je16(JFFS2_MAGIC_BITMASK),
51044 - .nodetype = constant_cpu_to_je16(JFFS2_NODETYPE_CLEANMARKER),
51045 -- .totlen = constant_cpu_to_je32(8)
51046 -+ .totlen = constant_cpu_to_je32(8),
51047 -+ .hdr_crc = constant_cpu_to_je32(0)
51048 - };
51049 -
51050 - /*
51051 -diff -Nurp linux-2.6.23.15/fs/namei.c linux-2.6.23.15-grsec/fs/namei.c
51052 ---- linux-2.6.23.15/fs/namei.c 2008-02-11 10:36:03.000000000 +0000
51053 -+++ linux-2.6.23.15-grsec/fs/namei.c 2008-02-11 10:37:44.000000000 +0000
51054 -@@ -31,6 +31,7 @@
51055 - #include <linux/file.h>
51056 - #include <linux/fcntl.h>
51057 - #include <linux/namei.h>
51058 -+#include <linux/grsecurity.h>
51059 - #include <asm/namei.h>
51060 - #include <asm/uaccess.h>
51061 -
51062 -@@ -638,6 +639,13 @@ static inline int do_follow_link(struct
51063 - err = security_inode_follow_link(path->dentry, nd);
51064 - if (err)
51065 - goto loop;
51066 -+
51067 -+ if (gr_handle_follow_link(path->dentry->d_parent->d_inode,
51068 -+ path->dentry->d_inode, path->dentry, nd->mnt)) {
51069 -+ err = -EACCES;
51070 -+ goto loop;
51071 -+ }
51072 -+
51073 - current->link_count++;
51074 - current->total_link_count++;
51075 - nd->depth++;
51076 -@@ -983,11 +991,18 @@ return_reval:
51077 - break;
51078 - }
51079 - return_base:
51080 -+ if (!gr_acl_handle_hidden_file(nd->dentry, nd->mnt)) {
51081 -+ path_release(nd);
51082 -+ return -ENOENT;
51083 -+ }
51084 - return 0;
51085 - out_dput:
51086 - dput_path(&next, nd);
51087 - break;
51088 - }
51089 -+ if (!gr_acl_handle_hidden_file(nd->dentry, nd->mnt))
51090 -+ err = -ENOENT;
51091 -+
51092 - path_release(nd);
51093 - return_err:
51094 - return err;
51095 -@@ -1649,9 +1664,17 @@ static int open_namei_create(struct name
51096 - int error;
51097 - struct dentry *dir = nd->dentry;
51098 -
51099 -+ if (!gr_acl_handle_creat(path->dentry, nd->dentry, nd->mnt, flag, mode)) {
51100 -+ error = -EACCES;
51101 -+ goto out_unlock_dput;
51102 -+ }
51103 -+
51104 - if (!IS_POSIXACL(dir->d_inode))
51105 - mode &= ~current->fs->umask;
51106 - error = vfs_create(dir->d_inode, path->dentry, mode, nd);
51107 -+ if (!error)
51108 -+ gr_handle_create(path->dentry, nd->mnt);
51109 -+out_unlock_dput:
51110 - mutex_unlock(&dir->d_inode->i_mutex);
51111 - dput(nd->dentry);
51112 - nd->dentry = path->dentry;
51113 -@@ -1702,6 +1725,17 @@ int open_namei(int dfd, const char *path
51114 - nd, flag);
51115 - if (error)
51116 - return error;
51117 -+
51118 -+ if (gr_handle_rawio(nd->dentry->d_inode)) {
51119 -+ error = -EPERM;
51120 -+ goto exit;
51121 -+ }
51122 -+
51123 -+ if (!gr_acl_handle_open(nd->dentry, nd->mnt, flag)) {
51124 -+ error = -EACCES;
51125 -+ goto exit;
51126 -+ }
51127 -+
51128 - goto ok;
51129 - }
51130 -
51131 -@@ -1751,6 +1785,23 @@ do_last:
51132 - /*
51133 - * It already exists.
51134 - */
51135 -+
51136 -+ if (gr_handle_rawio(path.dentry->d_inode)) {
51137 -+ mutex_unlock(&dir->d_inode->i_mutex);
51138 -+ error = -EPERM;
51139 -+ goto exit_dput;
51140 -+ }
51141 -+ if (!gr_acl_handle_open(path.dentry, nd->mnt, flag)) {
51142 -+ mutex_unlock(&dir->d_inode->i_mutex);
51143 -+ error = -EACCES;
51144 -+ goto exit_dput;
51145 -+ }
51146 -+ if (gr_handle_fifo(path.dentry, nd->mnt, dir, flag, acc_mode)) {
51147 -+ mutex_unlock(&dir->d_inode->i_mutex);
51148 -+ error = -EACCES;
51149 -+ goto exit_dput;
51150 -+ }
51151 -+
51152 - mutex_unlock(&dir->d_inode->i_mutex);
51153 - audit_inode(pathname, path.dentry->d_inode);
51154 -
51155 -@@ -1806,6 +1857,13 @@ do_link:
51156 - error = security_inode_follow_link(path.dentry, nd);
51157 - if (error)
51158 - goto exit_dput;
51159 -+
51160 -+ if (gr_handle_follow_link(path.dentry->d_parent->d_inode, path.dentry->d_inode,
51161 -+ path.dentry, nd->mnt)) {
51162 -+ error = -EACCES;
51163 -+ goto exit_dput;
51164 -+ }
51165 -+
51166 - error = __do_follow_link(&path, nd);
51167 - if (error) {
51168 - /* Does someone understand code flow here? Or it is only
51169 -@@ -1934,6 +1992,22 @@ asmlinkage long sys_mknodat(int dfd, con
51170 - if (!IS_POSIXACL(nd.dentry->d_inode))
51171 - mode &= ~current->fs->umask;
51172 - if (!IS_ERR(dentry)) {
51173 -+ if (gr_handle_chroot_mknod(dentry, nd.mnt, mode)) {
51174 -+ error = -EPERM;
51175 -+ dput(dentry);
51176 -+ mutex_unlock(&nd.dentry->d_inode->i_mutex);
51177 -+ path_release(&nd);
51178 -+ goto out;
51179 -+ }
51180 -+
51181 -+ if (!gr_acl_handle_mknod(dentry, nd.dentry, nd.mnt, mode)) {
51182 -+ error = -EACCES;
51183 -+ dput(dentry);
51184 -+ mutex_unlock(&nd.dentry->d_inode->i_mutex);
51185 -+ path_release(&nd);
51186 -+ goto out;
51187 -+ }
51188 -+
51189 - switch (mode & S_IFMT) {
51190 - case 0: case S_IFREG:
51191 - error = vfs_create(nd.dentry->d_inode,dentry,mode,&nd);
51192 -@@ -1951,6 +2025,10 @@ asmlinkage long sys_mknodat(int dfd, con
51193 - default:
51194 - error = -EINVAL;
51195 - }
51196 -+
51197 -+ if (!error)
51198 -+ gr_handle_create(dentry, nd.mnt);
51199 -+
51200 - dput(dentry);
51201 - }
51202 - mutex_unlock(&nd.dentry->d_inode->i_mutex);
51203 -@@ -2008,9 +2086,18 @@ asmlinkage long sys_mkdirat(int dfd, con
51204 - if (IS_ERR(dentry))
51205 - goto out_unlock;
51206 -
51207 -+ if (!gr_acl_handle_mkdir(dentry, nd.dentry, nd.mnt)) {
51208 -+ error = -EACCES;
51209 -+ goto out_unlock_dput;
51210 -+ }
51211 -+
51212 - if (!IS_POSIXACL(nd.dentry->d_inode))
51213 - mode &= ~current->fs->umask;
51214 - error = vfs_mkdir(nd.dentry->d_inode, dentry, mode);
51215 -+
51216 -+ if (!error)
51217 -+ gr_handle_create(dentry, nd.mnt);
51218 -+out_unlock_dput:
51219 - dput(dentry);
51220 - out_unlock:
51221 - mutex_unlock(&nd.dentry->d_inode->i_mutex);
51222 -@@ -2092,6 +2179,8 @@ static long do_rmdir(int dfd, const char
51223 - char * name;
51224 - struct dentry *dentry;
51225 - struct nameidata nd;
51226 -+ ino_t saved_ino = 0;
51227 -+ dev_t saved_dev = 0;
51228 -
51229 - name = getname(pathname);
51230 - if(IS_ERR(name))
51231 -@@ -2117,7 +2206,22 @@ static long do_rmdir(int dfd, const char
51232 - error = PTR_ERR(dentry);
51233 - if (IS_ERR(dentry))
51234 - goto exit2;
51235 -+
51236 -+ if (dentry->d_inode != NULL) {
51237 -+ if (dentry->d_inode->i_nlink <= 1) {
51238 -+ saved_ino = dentry->d_inode->i_ino;
51239 -+ saved_dev = dentry->d_inode->i_sb->s_dev;
51240 -+ }
51241 -+
51242 -+ if (!gr_acl_handle_rmdir(dentry, nd.mnt)) {
51243 -+ error = -EACCES;
51244 -+ goto dput_exit2;
51245 -+ }
51246 -+ }
51247 - error = vfs_rmdir(nd.dentry->d_inode, dentry);
51248 -+ if (!error && (saved_dev || saved_ino))
51249 -+ gr_handle_delete(saved_ino, saved_dev);
51250 -+dput_exit2:
51251 - dput(dentry);
51252 - exit2:
51253 - mutex_unlock(&nd.dentry->d_inode->i_mutex);
51254 -@@ -2176,6 +2280,8 @@ static long do_unlinkat(int dfd, const c
51255 - struct dentry *dentry;
51256 - struct nameidata nd;
51257 - struct inode *inode = NULL;
51258 -+ ino_t saved_ino = 0;
51259 -+ dev_t saved_dev = 0;
51260 -
51261 - name = getname(pathname);
51262 - if(IS_ERR(name))
51263 -@@ -2191,13 +2297,26 @@ static long do_unlinkat(int dfd, const c
51264 - dentry = lookup_hash(&nd);
51265 - error = PTR_ERR(dentry);
51266 - if (!IS_ERR(dentry)) {
51267 -+ error = 0;
51268 - /* Why not before? Because we want correct error value */
51269 - if (nd.last.name[nd.last.len])
51270 - goto slashes;
51271 - inode = dentry->d_inode;
51272 -- if (inode)
51273 -+ if (inode) {
51274 -+ if (inode->i_nlink <= 1) {
51275 -+ saved_ino = inode->i_ino;
51276 -+ saved_dev = inode->i_sb->s_dev;
51277 -+ }
51278 -+
51279 -+ if (!gr_acl_handle_unlink(dentry, nd.mnt))
51280 -+ error = -EACCES;
51281 -+
51282 - atomic_inc(&inode->i_count);
51283 -- error = vfs_unlink(nd.dentry->d_inode, dentry);
51284 -+ }
51285 -+ if (!error)
51286 -+ error = vfs_unlink(nd.dentry->d_inode, dentry);
51287 -+ if (!error && (saved_ino || saved_dev))
51288 -+ gr_handle_delete(saved_ino, saved_dev);
51289 - exit2:
51290 - dput(dentry);
51291 - }
51292 -@@ -2278,7 +2397,16 @@ asmlinkage long sys_symlinkat(const char
51293 - if (IS_ERR(dentry))
51294 - goto out_unlock;
51295 -
51296 -+ if (!gr_acl_handle_symlink(dentry, nd.dentry, nd.mnt, from)) {
51297 -+ error = -EACCES;
51298 -+ goto out_dput_unlock;
51299 -+ }
51300 -+
51301 - error = vfs_symlink(nd.dentry->d_inode, dentry, from, S_IALLUGO);
51302 -+
51303 -+ if (!error)
51304 -+ gr_handle_create(dentry, nd.mnt);
51305 -+out_dput_unlock:
51306 - dput(dentry);
51307 - out_unlock:
51308 - mutex_unlock(&nd.dentry->d_inode->i_mutex);
51309 -@@ -2373,7 +2501,25 @@ asmlinkage long sys_linkat(int olddfd, c
51310 - error = PTR_ERR(new_dentry);
51311 - if (IS_ERR(new_dentry))
51312 - goto out_unlock;
51313 -+
51314 -+ if (gr_handle_hardlink(old_nd.dentry, old_nd.mnt,
51315 -+ old_nd.dentry->d_inode,
51316 -+ old_nd.dentry->d_inode->i_mode, to)) {
51317 -+ error = -EACCES;
51318 -+ goto out_unlock_dput;
51319 -+ }
51320 -+
51321 -+ if (!gr_acl_handle_link(new_dentry, nd.dentry, nd.mnt,
51322 -+ old_nd.dentry, old_nd.mnt, to)) {
51323 -+ error = -EACCES;
51324 -+ goto out_unlock_dput;
51325 -+ }
51326 -+
51327 - error = vfs_link(old_nd.dentry, nd.dentry->d_inode, new_dentry);
51328 -+
51329 -+ if (!error)
51330 -+ gr_handle_create(new_dentry, nd.mnt);
51331 -+out_unlock_dput:
51332 - dput(new_dentry);
51333 - out_unlock:
51334 - mutex_unlock(&nd.dentry->d_inode->i_mutex);
51335 -@@ -2599,8 +2745,16 @@ static int do_rename(int olddfd, const c
51336 - if (new_dentry == trap)
51337 - goto exit5;
51338 -
51339 -- error = vfs_rename(old_dir->d_inode, old_dentry,
51340 -+ error = gr_acl_handle_rename(new_dentry, newnd.dentry, newnd.mnt,
51341 -+ old_dentry, old_dir->d_inode, oldnd.mnt,
51342 -+ newname);
51343 -+
51344 -+ if (!error)
51345 -+ error = vfs_rename(old_dir->d_inode, old_dentry,
51346 - new_dir->d_inode, new_dentry);
51347 -+ if (!error)
51348 -+ gr_handle_rename(old_dir->d_inode, newnd.dentry->d_inode, old_dentry,
51349 -+ new_dentry, oldnd.mnt, new_dentry->d_inode ? 1 : 0);
51350 - exit5:
51351 - dput(new_dentry);
51352 - exit4:
51353 -diff -Nurp linux-2.6.23.15/fs/namespace.c linux-2.6.23.15-grsec/fs/namespace.c
51354 ---- linux-2.6.23.15/fs/namespace.c 2007-10-09 21:31:38.000000000 +0100
51355 -+++ linux-2.6.23.15-grsec/fs/namespace.c 2008-02-11 10:37:44.000000000 +0000
51356 -@@ -25,6 +25,7 @@
51357 - #include <linux/security.h>
51358 - #include <linux/mount.h>
51359 - #include <linux/ramfs.h>
51360 -+#include <linux/grsecurity.h>
51361 - #include <asm/uaccess.h>
51362 - #include <asm/unistd.h>
51363 - #include "pnode.h"
51364 -@@ -597,6 +598,8 @@ static int do_umount(struct vfsmount *mn
51365 - DQUOT_OFF(sb);
51366 - retval = do_remount_sb(sb, MS_RDONLY, NULL, 0);
51367 - unlock_kernel();
51368 -+
51369 -+ gr_log_remount(mnt->mnt_devname, retval);
51370 - }
51371 - up_write(&sb->s_umount);
51372 - return retval;
51373 -@@ -617,6 +620,9 @@ static int do_umount(struct vfsmount *mn
51374 - security_sb_umount_busy(mnt);
51375 - up_write(&namespace_sem);
51376 - release_mounts(&umount_list);
51377 -+
51378 -+ gr_log_unmount(mnt->mnt_devname, retval);
51379 -+
51380 - return retval;
51381 - }
51382 -
51383 -@@ -1422,6 +1428,11 @@ long do_mount(char *dev_name, char *dir_
51384 - if (retval)
51385 - goto dput_out;
51386 -
51387 -+ if (gr_handle_chroot_mount(nd.dentry, nd.mnt, dev_name)) {
51388 -+ retval = -EPERM;
51389 -+ goto dput_out;
51390 -+ }
51391 -+
51392 - if (flags & MS_REMOUNT)
51393 - retval = do_remount(&nd, flags & ~MS_REMOUNT, mnt_flags,
51394 - data_page);
51395 -@@ -1436,6 +1447,9 @@ long do_mount(char *dev_name, char *dir_
51396 - dev_name, data_page);
51397 - dput_out:
51398 - path_release(&nd);
51399 -+
51400 -+ gr_log_mount(dev_name, dir_name, retval);
51401 -+
51402 - return retval;
51403 - }
51404 -
51405 -@@ -1673,6 +1687,9 @@ asmlinkage long sys_pivot_root(const cha
51406 - if (!capable(CAP_SYS_ADMIN))
51407 - return -EPERM;
51408 -
51409 -+ if (gr_handle_chroot_pivot())
51410 -+ return -EPERM;
51411 -+
51412 - lock_kernel();
51413 -
51414 - error = __user_walk(new_root, LOOKUP_FOLLOW | LOOKUP_DIRECTORY,
51415 -diff -Nurp linux-2.6.23.15/fs/nfs/callback_xdr.c linux-2.6.23.15-grsec/fs/nfs/callback_xdr.c
51416 ---- linux-2.6.23.15/fs/nfs/callback_xdr.c 2007-10-09 21:31:38.000000000 +0100
51417 -+++ linux-2.6.23.15-grsec/fs/nfs/callback_xdr.c 2008-02-11 10:37:44.000000000 +0000
51418 -@@ -139,7 +139,7 @@ static __be32 decode_compound_hdr_arg(st
51419 - if (unlikely(status != 0))
51420 - return status;
51421 - /* We do not like overly long tags! */
51422 -- if (hdr->taglen > CB_OP_TAGLEN_MAXSZ-12 || hdr->taglen < 0) {
51423 -+ if (hdr->taglen > CB_OP_TAGLEN_MAXSZ-12) {
51424 - printk("NFSv4 CALLBACK %s: client sent tag of length %u\n",
51425 - __FUNCTION__, hdr->taglen);
51426 - return htonl(NFS4ERR_RESOURCE);
51427 -diff -Nurp linux-2.6.23.15/fs/nfs/nfs4proc.c linux-2.6.23.15-grsec/fs/nfs/nfs4proc.c
51428 ---- linux-2.6.23.15/fs/nfs/nfs4proc.c 2007-10-09 21:31:38.000000000 +0100
51429 -+++ linux-2.6.23.15-grsec/fs/nfs/nfs4proc.c 2008-02-11 10:37:44.000000000 +0000
51430 -@@ -657,7 +657,7 @@ static int _nfs4_do_open_reclaim(struct
51431 - static int nfs4_do_open_reclaim(struct nfs_open_context *ctx, struct nfs4_state *state)
51432 - {
51433 - struct nfs_server *server = NFS_SERVER(state->inode);
51434 -- struct nfs4_exception exception = { };
51435 -+ struct nfs4_exception exception = {0, 0};
51436 - int err;
51437 - do {
51438 - err = _nfs4_do_open_reclaim(ctx, state);
51439 -@@ -699,7 +699,7 @@ static int _nfs4_open_delegation_recall(
51440 -
51441 - int nfs4_open_delegation_recall(struct nfs_open_context *ctx, struct nfs4_state *state, const nfs4_stateid *stateid)
51442 - {
51443 -- struct nfs4_exception exception = { };
51444 -+ struct nfs4_exception exception = {0, 0};
51445 - struct nfs_server *server = NFS_SERVER(state->inode);
51446 - int err;
51447 - do {
51448 -@@ -1020,7 +1020,7 @@ static int _nfs4_open_expired(struct nfs
51449 - static inline int nfs4_do_open_expired(struct nfs_open_context *ctx, struct nfs4_state *state)
51450 - {
51451 - struct nfs_server *server = NFS_SERVER(state->inode);
51452 -- struct nfs4_exception exception = { };
51453 -+ struct nfs4_exception exception = {0, 0};
51454 - int err;
51455 -
51456 - do {
51457 -@@ -1122,7 +1122,7 @@ out_err:
51458 -
51459 - static struct nfs4_state *nfs4_do_open(struct inode *dir, struct path *path, int flags, struct iattr *sattr, struct rpc_cred *cred)
51460 - {
51461 -- struct nfs4_exception exception = { };
51462 -+ struct nfs4_exception exception = {0, 0};
51463 - struct nfs4_state *res;
51464 - int status;
51465 -
51466 -@@ -1211,7 +1211,7 @@ static int nfs4_do_setattr(struct inode
51467 - struct iattr *sattr, struct nfs4_state *state)
51468 - {
51469 - struct nfs_server *server = NFS_SERVER(inode);
51470 -- struct nfs4_exception exception = { };
51471 -+ struct nfs4_exception exception = {0, 0};
51472 - int err;
51473 - do {
51474 - err = nfs4_handle_exception(server,
51475 -@@ -1504,7 +1504,7 @@ static int _nfs4_server_capabilities(str
51476 -
51477 - int nfs4_server_capabilities(struct nfs_server *server, struct nfs_fh *fhandle)
51478 - {
51479 -- struct nfs4_exception exception = { };
51480 -+ struct nfs4_exception exception = {0, 0};
51481 - int err;
51482 - do {
51483 - err = nfs4_handle_exception(server,
51484 -@@ -1537,7 +1537,7 @@ static int _nfs4_lookup_root(struct nfs_
51485 - static int nfs4_lookup_root(struct nfs_server *server, struct nfs_fh *fhandle,
51486 - struct nfs_fsinfo *info)
51487 - {
51488 -- struct nfs4_exception exception = { };
51489 -+ struct nfs4_exception exception = {0, 0};
51490 - int err;
51491 - do {
51492 - err = nfs4_handle_exception(server,
51493 -@@ -1626,7 +1626,7 @@ static int _nfs4_proc_getattr(struct nfs
51494 -
51495 - static int nfs4_proc_getattr(struct nfs_server *server, struct nfs_fh *fhandle, struct nfs_fattr *fattr)
51496 - {
51497 -- struct nfs4_exception exception = { };
51498 -+ struct nfs4_exception exception = {0, 0};
51499 - int err;
51500 - do {
51501 - err = nfs4_handle_exception(server,
51502 -@@ -1716,7 +1716,7 @@ static int nfs4_proc_lookupfh(struct nfs
51503 - struct qstr *name, struct nfs_fh *fhandle,
51504 - struct nfs_fattr *fattr)
51505 - {
51506 -- struct nfs4_exception exception = { };
51507 -+ struct nfs4_exception exception = {0, 0};
51508 - int err;
51509 - do {
51510 - err = _nfs4_proc_lookupfh(server, dirfh, name, fhandle, fattr);
51511 -@@ -1745,7 +1745,7 @@ static int _nfs4_proc_lookup(struct inod
51512 -
51513 - static int nfs4_proc_lookup(struct inode *dir, struct qstr *name, struct nfs_fh *fhandle, struct nfs_fattr *fattr)
51514 - {
51515 -- struct nfs4_exception exception = { };
51516 -+ struct nfs4_exception exception = {0, 0};
51517 - int err;
51518 - do {
51519 - err = nfs4_handle_exception(NFS_SERVER(dir),
51520 -@@ -1801,7 +1801,7 @@ static int _nfs4_proc_access(struct inod
51521 -
51522 - static int nfs4_proc_access(struct inode *inode, struct nfs_access_entry *entry)
51523 - {
51524 -- struct nfs4_exception exception = { };
51525 -+ struct nfs4_exception exception = {0, 0};
51526 - int err;
51527 - do {
51528 - err = nfs4_handle_exception(NFS_SERVER(inode),
51529 -@@ -1856,7 +1856,7 @@ static int _nfs4_proc_readlink(struct in
51530 - static int nfs4_proc_readlink(struct inode *inode, struct page *page,
51531 - unsigned int pgbase, unsigned int pglen)
51532 - {
51533 -- struct nfs4_exception exception = { };
51534 -+ struct nfs4_exception exception = {0, 0};
51535 - int err;
51536 - do {
51537 - err = nfs4_handle_exception(NFS_SERVER(inode),
51538 -@@ -1950,7 +1950,7 @@ static int _nfs4_proc_remove(struct inod
51539 -
51540 - static int nfs4_proc_remove(struct inode *dir, struct qstr *name)
51541 - {
51542 -- struct nfs4_exception exception = { };
51543 -+ struct nfs4_exception exception = {0, 0};
51544 - int err;
51545 - do {
51546 - err = nfs4_handle_exception(NFS_SERVER(dir),
51547 -@@ -2022,7 +2022,7 @@ static int _nfs4_proc_rename(struct inod
51548 - static int nfs4_proc_rename(struct inode *old_dir, struct qstr *old_name,
51549 - struct inode *new_dir, struct qstr *new_name)
51550 - {
51551 -- struct nfs4_exception exception = { };
51552 -+ struct nfs4_exception exception = {0, 0};
51553 - int err;
51554 - do {
51555 - err = nfs4_handle_exception(NFS_SERVER(old_dir),
51556 -@@ -2069,7 +2069,7 @@ static int _nfs4_proc_link(struct inode
51557 -
51558 - static int nfs4_proc_link(struct inode *inode, struct inode *dir, struct qstr *name)
51559 - {
51560 -- struct nfs4_exception exception = { };
51561 -+ struct nfs4_exception exception = {0, 0};
51562 - int err;
51563 - do {
51564 - err = nfs4_handle_exception(NFS_SERVER(inode),
51565 -@@ -2126,7 +2126,7 @@ static int _nfs4_proc_symlink(struct ino
51566 - static int nfs4_proc_symlink(struct inode *dir, struct dentry *dentry,
51567 - struct page *page, unsigned int len, struct iattr *sattr)
51568 - {
51569 -- struct nfs4_exception exception = { };
51570 -+ struct nfs4_exception exception = {0, 0};
51571 - int err;
51572 - do {
51573 - err = nfs4_handle_exception(NFS_SERVER(dir),
51574 -@@ -2179,7 +2179,7 @@ static int _nfs4_proc_mkdir(struct inode
51575 - static int nfs4_proc_mkdir(struct inode *dir, struct dentry *dentry,
51576 - struct iattr *sattr)
51577 - {
51578 -- struct nfs4_exception exception = { };
51579 -+ struct nfs4_exception exception = {0, 0};
51580 - int err;
51581 - do {
51582 - err = nfs4_handle_exception(NFS_SERVER(dir),
51583 -@@ -2225,7 +2225,7 @@ static int _nfs4_proc_readdir(struct den
51584 - static int nfs4_proc_readdir(struct dentry *dentry, struct rpc_cred *cred,
51585 - u64 cookie, struct page *page, unsigned int count, int plus)
51586 - {
51587 -- struct nfs4_exception exception = { };
51588 -+ struct nfs4_exception exception = {0, 0};
51589 - int err;
51590 - do {
51591 - err = nfs4_handle_exception(NFS_SERVER(dentry->d_inode),
51592 -@@ -2295,7 +2295,7 @@ static int _nfs4_proc_mknod(struct inode
51593 - static int nfs4_proc_mknod(struct inode *dir, struct dentry *dentry,
51594 - struct iattr *sattr, dev_t rdev)
51595 - {
51596 -- struct nfs4_exception exception = { };
51597 -+ struct nfs4_exception exception = {0, 0};
51598 - int err;
51599 - do {
51600 - err = nfs4_handle_exception(NFS_SERVER(dir),
51601 -@@ -2324,7 +2324,7 @@ static int _nfs4_proc_statfs(struct nfs_
51602 -
51603 - static int nfs4_proc_statfs(struct nfs_server *server, struct nfs_fh *fhandle, struct nfs_fsstat *fsstat)
51604 - {
51605 -- struct nfs4_exception exception = { };
51606 -+ struct nfs4_exception exception = {0, 0};
51607 - int err;
51608 - do {
51609 - err = nfs4_handle_exception(server,
51610 -@@ -2352,7 +2352,7 @@ static int _nfs4_do_fsinfo(struct nfs_se
51611 -
51612 - static int nfs4_do_fsinfo(struct nfs_server *server, struct nfs_fh *fhandle, struct nfs_fsinfo *fsinfo)
51613 - {
51614 -- struct nfs4_exception exception = { };
51615 -+ struct nfs4_exception exception = {0, 0};
51616 - int err;
51617 -
51618 - do {
51619 -@@ -2395,7 +2395,7 @@ static int _nfs4_proc_pathconf(struct nf
51620 - static int nfs4_proc_pathconf(struct nfs_server *server, struct nfs_fh *fhandle,
51621 - struct nfs_pathconf *pathconf)
51622 - {
51623 -- struct nfs4_exception exception = { };
51624 -+ struct nfs4_exception exception = {0, 0};
51625 - int err;
51626 -
51627 - do {
51628 -@@ -2714,7 +2714,7 @@ out_free:
51629 -
51630 - static ssize_t nfs4_get_acl_uncached(struct inode *inode, void *buf, size_t buflen)
51631 - {
51632 -- struct nfs4_exception exception = { };
51633 -+ struct nfs4_exception exception = {0, 0};
51634 - ssize_t ret;
51635 - do {
51636 - ret = __nfs4_get_acl_uncached(inode, buf, buflen);
51637 -@@ -2768,7 +2768,7 @@ static int __nfs4_proc_set_acl(struct in
51638 -
51639 - static int nfs4_proc_set_acl(struct inode *inode, const void *buf, size_t buflen)
51640 - {
51641 -- struct nfs4_exception exception = { };
51642 -+ struct nfs4_exception exception = {0, 0};
51643 - int err;
51644 - do {
51645 - err = nfs4_handle_exception(NFS_SERVER(inode),
51646 -@@ -3065,7 +3065,7 @@ static int _nfs4_proc_delegreturn(struct
51647 - int nfs4_proc_delegreturn(struct inode *inode, struct rpc_cred *cred, const nfs4_stateid *stateid)
51648 - {
51649 - struct nfs_server *server = NFS_SERVER(inode);
51650 -- struct nfs4_exception exception = { };
51651 -+ struct nfs4_exception exception = {0, 0};
51652 - int err;
51653 - do {
51654 - err = _nfs4_proc_delegreturn(inode, cred, stateid);
51655 -@@ -3140,7 +3140,7 @@ out:
51656 -
51657 - static int nfs4_proc_getlk(struct nfs4_state *state, int cmd, struct file_lock *request)
51658 - {
51659 -- struct nfs4_exception exception = { };
51660 -+ struct nfs4_exception exception = {0, 0};
51661 - int err;
51662 -
51663 - do {
51664 -@@ -3474,7 +3474,7 @@ static int _nfs4_do_setlk(struct nfs4_st
51665 - static int nfs4_lock_reclaim(struct nfs4_state *state, struct file_lock *request)
51666 - {
51667 - struct nfs_server *server = NFS_SERVER(state->inode);
51668 -- struct nfs4_exception exception = { };
51669 -+ struct nfs4_exception exception = {0, 0};
51670 - int err;
51671 -
51672 - do {
51673 -@@ -3492,7 +3492,7 @@ static int nfs4_lock_reclaim(struct nfs4
51674 - static int nfs4_lock_expired(struct nfs4_state *state, struct file_lock *request)
51675 - {
51676 - struct nfs_server *server = NFS_SERVER(state->inode);
51677 -- struct nfs4_exception exception = { };
51678 -+ struct nfs4_exception exception = {0, 0};
51679 - int err;
51680 -
51681 - err = nfs4_set_lock_state(state, request);
51682 -@@ -3553,7 +3553,7 @@ out:
51683 -
51684 - static int nfs4_proc_setlk(struct nfs4_state *state, int cmd, struct file_lock *request)
51685 - {
51686 -- struct nfs4_exception exception = { };
51687 -+ struct nfs4_exception exception = {0, 0};
51688 - int err;
51689 -
51690 - do {
51691 -@@ -3603,7 +3603,7 @@ nfs4_proc_lock(struct file *filp, int cm
51692 - int nfs4_lock_delegation_recall(struct nfs4_state *state, struct file_lock *fl)
51693 - {
51694 - struct nfs_server *server = NFS_SERVER(state->inode);
51695 -- struct nfs4_exception exception = { };
51696 -+ struct nfs4_exception exception = {0, 0};
51697 - int err;
51698 -
51699 - err = nfs4_set_lock_state(state, fl);
51700 -diff -Nurp linux-2.6.23.15/fs/nfsd/export.c linux-2.6.23.15-grsec/fs/nfsd/export.c
51701 ---- linux-2.6.23.15/fs/nfsd/export.c 2007-10-09 21:31:38.000000000 +0100
51702 -+++ linux-2.6.23.15-grsec/fs/nfsd/export.c 2008-02-11 10:37:44.000000000 +0000
51703 -@@ -478,7 +478,7 @@ static int secinfo_parse(char **mesg, ch
51704 - * probably discover the problem when someone fails to
51705 - * authenticate.
51706 - */
51707 -- if (f->pseudoflavor < 0)
51708 -+ if ((s32)f->pseudoflavor < 0)
51709 - return -EINVAL;
51710 - err = get_int(mesg, &f->flags);
51711 - if (err)
51712 -diff -Nurp linux-2.6.23.15/fs/nfsd/nfs4state.c linux-2.6.23.15-grsec/fs/nfsd/nfs4state.c
51713 ---- linux-2.6.23.15/fs/nfsd/nfs4state.c 2007-10-09 21:31:38.000000000 +0100
51714 -+++ linux-2.6.23.15-grsec/fs/nfsd/nfs4state.c 2008-02-11 10:37:44.000000000 +0000
51715 -@@ -1248,7 +1248,7 @@ static int access_valid(u32 x)
51716 -
51717 - static int deny_valid(u32 x)
51718 - {
51719 -- return (x >= 0 && x < 5);
51720 -+ return (x < 5);
51721 - }
51722 -
51723 - static void
51724 -diff -Nurp linux-2.6.23.15/fs/nls/nls_base.c linux-2.6.23.15-grsec/fs/nls/nls_base.c
51725 ---- linux-2.6.23.15/fs/nls/nls_base.c 2007-10-09 21:31:38.000000000 +0100
51726 -+++ linux-2.6.23.15-grsec/fs/nls/nls_base.c 2008-02-11 10:37:44.000000000 +0000
51727 -@@ -42,7 +42,7 @@ static struct utf8_table utf8_table[] =
51728 - {0xF8, 0xF0, 3*6, 0x1FFFFF, 0x10000, /* 4 byte sequence */},
51729 - {0xFC, 0xF8, 4*6, 0x3FFFFFF, 0x200000, /* 5 byte sequence */},
51730 - {0xFE, 0xFC, 5*6, 0x7FFFFFFF, 0x4000000, /* 6 byte sequence */},
51731 -- {0, /* end of table */}
51732 -+ {0, 0, 0, 0, 0, /* end of table */}
51733 - };
51734 -
51735 - int
51736 -diff -Nurp linux-2.6.23.15/fs/ntfs/file.c linux-2.6.23.15-grsec/fs/ntfs/file.c
51737 ---- linux-2.6.23.15/fs/ntfs/file.c 2007-10-09 21:31:38.000000000 +0100
51738 -+++ linux-2.6.23.15-grsec/fs/ntfs/file.c 2008-02-11 10:37:44.000000000 +0000
51739 -@@ -2295,6 +2295,6 @@ const struct inode_operations ntfs_file_
51740 - #endif /* NTFS_RW */
51741 - };
51742 -
51743 --const struct file_operations ntfs_empty_file_ops = {};
51744 -+const struct file_operations ntfs_empty_file_ops;
51745 -
51746 --const struct inode_operations ntfs_empty_inode_ops = {};
51747 -+const struct inode_operations ntfs_empty_inode_ops;
51748 -diff -Nurp linux-2.6.23.15/fs/open.c linux-2.6.23.15-grsec/fs/open.c
51749 ---- linux-2.6.23.15/fs/open.c 2007-10-09 21:31:38.000000000 +0100
51750 -+++ linux-2.6.23.15-grsec/fs/open.c 2008-02-11 10:37:44.000000000 +0000
51751 -@@ -27,6 +27,7 @@
51752 - #include <linux/rcupdate.h>
51753 - #include <linux/audit.h>
51754 - #include <linux/falloc.h>
51755 -+#include <linux/grsecurity.h>
51756 -
51757 - int vfs_statfs(struct dentry *dentry, struct kstatfs *buf)
51758 - {
51759 -@@ -204,6 +205,9 @@ int do_truncate(struct dentry *dentry, l
51760 - if (length < 0)
51761 - return -EINVAL;
51762 -
51763 -+ if (filp && !gr_acl_handle_truncate(dentry, filp->f_vfsmnt))
51764 -+ return -EACCES;
51765 -+
51766 - newattrs.ia_size = length;
51767 - newattrs.ia_valid = ATTR_SIZE | time_attrs;
51768 - if (filp) {
51769 -@@ -461,6 +465,9 @@ asmlinkage long sys_faccessat(int dfd, c
51770 - if(IS_RDONLY(nd.dentry->d_inode))
51771 - res = -EROFS;
51772 -
51773 -+ if (!res && !gr_acl_handle_access(nd.dentry, nd.mnt, mode))
51774 -+ res = -EACCES;
51775 -+
51776 - out_path_release:
51777 - path_release(&nd);
51778 - out:
51779 -@@ -490,6 +497,8 @@ asmlinkage long sys_chdir(const char __u
51780 - if (error)
51781 - goto dput_and_out;
51782 -
51783 -+ gr_log_chdir(nd.dentry, nd.mnt);
51784 -+
51785 - set_fs_pwd(current->fs, nd.mnt, nd.dentry);
51786 -
51787 - dput_and_out:
51788 -@@ -520,6 +529,13 @@ asmlinkage long sys_fchdir(unsigned int
51789 - goto out_putf;
51790 -
51791 - error = file_permission(file, MAY_EXEC);
51792 -+
51793 -+ if (!error && !gr_chroot_fchdir(dentry, mnt))
51794 -+ error = -EPERM;
51795 -+
51796 -+ if (!error)
51797 -+ gr_log_chdir(dentry, mnt);
51798 -+
51799 - if (!error)
51800 - set_fs_pwd(current->fs, mnt, dentry);
51801 - out_putf:
51802 -@@ -545,8 +561,16 @@ asmlinkage long sys_chroot(const char __
51803 - if (!capable(CAP_SYS_CHROOT))
51804 - goto dput_and_out;
51805 -
51806 -+ if (gr_handle_chroot_chroot(nd.dentry, nd.mnt))
51807 -+ goto dput_and_out;
51808 -+
51809 - set_fs_root(current->fs, nd.mnt, nd.dentry);
51810 - set_fs_altroot();
51811 -+
51812 -+ gr_handle_chroot_caps(current);
51813 -+
51814 -+ gr_handle_chroot_chdir(nd.dentry, nd.mnt);
51815 -+
51816 - error = 0;
51817 - dput_and_out:
51818 - path_release(&nd);
51819 -@@ -577,9 +601,22 @@ asmlinkage long sys_fchmod(unsigned int
51820 - err = -EPERM;
51821 - if (IS_IMMUTABLE(inode) || IS_APPEND(inode))
51822 - goto out_putf;
51823 -+
51824 -+ if (!gr_acl_handle_fchmod(dentry, file->f_vfsmnt, mode)) {
51825 -+ err = -EACCES;
51826 -+ goto out_putf;
51827 -+ }
51828 -+
51829 - mutex_lock(&inode->i_mutex);
51830 - if (mode == (mode_t) -1)
51831 - mode = inode->i_mode;
51832 -+
51833 -+ if (gr_handle_chroot_chmod(dentry, file->f_vfsmnt, mode)) {
51834 -+ err = -EPERM;
51835 -+ mutex_unlock(&inode->i_mutex);
51836 -+ goto out_putf;
51837 -+ }
51838 -+
51839 - newattrs.ia_mode = (mode & S_IALLUGO) | (inode->i_mode & ~S_IALLUGO);
51840 - newattrs.ia_valid = ATTR_MODE | ATTR_CTIME;
51841 - err = notify_change(dentry, &newattrs);
51842 -@@ -612,9 +649,21 @@ asmlinkage long sys_fchmodat(int dfd, co
51843 - if (IS_IMMUTABLE(inode) || IS_APPEND(inode))
51844 - goto dput_and_out;
51845 -
51846 -+ if (!gr_acl_handle_chmod(nd.dentry, nd.mnt, mode)) {
51847 -+ error = -EACCES;
51848 -+ goto dput_and_out;
51849 -+ };
51850 -+
51851 - mutex_lock(&inode->i_mutex);
51852 - if (mode == (mode_t) -1)
51853 - mode = inode->i_mode;
51854 -+
51855 -+ if (gr_handle_chroot_chmod(nd.dentry, nd.mnt, mode)) {
51856 -+ error = -EACCES;
51857 -+ mutex_unlock(&inode->i_mutex);
51858 -+ goto dput_and_out;
51859 -+ }
51860 -+
51861 - newattrs.ia_mode = (mode & S_IALLUGO) | (inode->i_mode & ~S_IALLUGO);
51862 - newattrs.ia_valid = ATTR_MODE | ATTR_CTIME;
51863 - error = notify_change(nd.dentry, &newattrs);
51864 -@@ -631,7 +680,7 @@ asmlinkage long sys_chmod(const char __u
51865 - return sys_fchmodat(AT_FDCWD, filename, mode);
51866 - }
51867 -
51868 --static int chown_common(struct dentry * dentry, uid_t user, gid_t group)
51869 -+static int chown_common(struct dentry * dentry, uid_t user, gid_t group, struct vfsmount *mnt)
51870 - {
51871 - struct inode * inode;
51872 - int error;
51873 -@@ -648,6 +697,12 @@ static int chown_common(struct dentry *
51874 - error = -EPERM;
51875 - if (IS_IMMUTABLE(inode) || IS_APPEND(inode))
51876 - goto out;
51877 -+
51878 -+ if (!gr_acl_handle_chown(dentry, mnt)) {
51879 -+ error = -EACCES;
51880 -+ goto out;
51881 -+ }
51882 -+
51883 - newattrs.ia_valid = ATTR_CTIME;
51884 - if (user != (uid_t) -1) {
51885 - newattrs.ia_valid |= ATTR_UID;
51886 -@@ -674,7 +729,7 @@ asmlinkage long sys_chown(const char __u
51887 - error = user_path_walk(filename, &nd);
51888 - if (error)
51889 - goto out;
51890 -- error = chown_common(nd.dentry, user, group);
51891 -+ error = chown_common(nd.dentry, user, group, nd.mnt);
51892 - path_release(&nd);
51893 - out:
51894 - return error;
51895 -@@ -694,7 +749,7 @@ asmlinkage long sys_fchownat(int dfd, co
51896 - error = __user_walk_fd(dfd, filename, follow, &nd);
51897 - if (error)
51898 - goto out;
51899 -- error = chown_common(nd.dentry, user, group);
51900 -+ error = chown_common(nd.dentry, user, group, nd.mnt);
51901 - path_release(&nd);
51902 - out:
51903 - return error;
51904 -@@ -708,7 +763,7 @@ asmlinkage long sys_lchown(const char __
51905 - error = user_path_walk_link(filename, &nd);
51906 - if (error)
51907 - goto out;
51908 -- error = chown_common(nd.dentry, user, group);
51909 -+ error = chown_common(nd.dentry, user, group, nd.mnt);
51910 - path_release(&nd);
51911 - out:
51912 - return error;
51913 -@@ -727,7 +782,7 @@ asmlinkage long sys_fchown(unsigned int
51914 -
51915 - dentry = file->f_path.dentry;
51916 - audit_inode(NULL, dentry->d_inode);
51917 -- error = chown_common(dentry, user, group);
51918 -+ error = chown_common(dentry, user, group, file->f_vfsmnt);
51919 - fput(file);
51920 - out:
51921 - return error;
51922 -@@ -934,6 +989,7 @@ repeat:
51923 - * N.B. For clone tasks sharing a files structure, this test
51924 - * will limit the total number of files that can be opened.
51925 - */
51926 -+ gr_learn_resource(current, RLIMIT_NOFILE, fd, 0);
51927 - if (fd >= current->signal->rlim[RLIMIT_NOFILE].rlim_cur)
51928 - goto out;
51929 -
51930 -diff -Nurp linux-2.6.23.15/fs/partitions/efi.c linux-2.6.23.15-grsec/fs/partitions/efi.c
51931 ---- linux-2.6.23.15/fs/partitions/efi.c 2007-10-09 21:31:38.000000000 +0100
51932 -+++ linux-2.6.23.15-grsec/fs/partitions/efi.c 2008-02-11 10:37:44.000000000 +0000
51933 -@@ -99,7 +99,7 @@
51934 - #ifdef EFI_DEBUG
51935 - #define Dprintk(x...) printk(KERN_DEBUG x)
51936 - #else
51937 --#define Dprintk(x...)
51938 -+#define Dprintk(x...) do {} while (0)
51939 - #endif
51940 -
51941 - /* This allows a kernel command line option 'gpt' to override
51942 -diff -Nurp linux-2.6.23.15/fs/pipe.c linux-2.6.23.15-grsec/fs/pipe.c
51943 ---- linux-2.6.23.15/fs/pipe.c 2007-10-09 21:31:38.000000000 +0100
51944 -+++ linux-2.6.23.15-grsec/fs/pipe.c 2008-02-11 10:37:44.000000000 +0000
51945 -@@ -888,7 +888,7 @@ void free_pipe_info(struct inode *inode)
51946 - inode->i_pipe = NULL;
51947 - }
51948 -
51949 --static struct vfsmount *pipe_mnt __read_mostly;
51950 -+struct vfsmount *pipe_mnt __read_mostly;
51951 - static int pipefs_delete_dentry(struct dentry *dentry)
51952 - {
51953 - /*
51954 -diff -Nurp linux-2.6.23.15/fs/proc/array.c linux-2.6.23.15-grsec/fs/proc/array.c
51955 ---- linux-2.6.23.15/fs/proc/array.c 2008-02-11 10:36:03.000000000 +0000
51956 -+++ linux-2.6.23.15-grsec/fs/proc/array.c 2008-02-11 10:37:44.000000000 +0000
51957 -@@ -298,6 +298,21 @@ static inline char *task_context_switch_
51958 - p->nivcsw);
51959 - }
51960 -
51961 -+#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
51962 -+static inline char *task_pax(struct task_struct *p, char *buffer)
51963 -+{
51964 -+ if (p->mm)
51965 -+ return buffer + sprintf(buffer, "PaX:\t%c%c%c%c%c\n",
51966 -+ p->mm->pax_flags & MF_PAX_PAGEEXEC ? 'P' : 'p',
51967 -+ p->mm->pax_flags & MF_PAX_EMUTRAMP ? 'E' : 'e',
51968 -+ p->mm->pax_flags & MF_PAX_MPROTECT ? 'M' : 'm',
51969 -+ p->mm->pax_flags & MF_PAX_RANDMMAP ? 'R' : 'r',
51970 -+ p->mm->pax_flags & MF_PAX_SEGMEXEC ? 'S' : 's');
51971 -+ else
51972 -+ return buffer + sprintf(buffer, "PaX:\t-----\n");
51973 -+}
51974 -+#endif
51975 -+
51976 - int proc_pid_status(struct task_struct *task, char *buffer)
51977 - {
51978 - char *orig = buffer;
51979 -@@ -317,6 +332,11 @@ int proc_pid_status(struct task_struct *
51980 - buffer = task_show_regs(task, buffer);
51981 - #endif
51982 - buffer = task_context_switch_counts(task, buffer);
51983 -+
51984 -+#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
51985 -+ buffer = task_pax(task, buffer);
51986 -+#endif
51987 -+
51988 - return buffer - orig;
51989 - }
51990 -
51991 -@@ -372,6 +392,12 @@ static cputime_t task_stime(struct task_
51992 - }
51993 - #endif
51994 -
51995 -+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
51996 -+#define PAX_RAND_FLAGS(_mm) (_mm != NULL && _mm != current->mm && \
51997 -+ (_mm->pax_flags & MF_PAX_RANDMMAP || \
51998 -+ _mm->pax_flags & MF_PAX_SEGMEXEC))
51999 -+#endif
52000 -+
52001 - static int do_task_stat(struct task_struct *task, char *buffer, int whole)
52002 - {
52003 - unsigned long vsize, eip, esp, wchan = ~0UL;
52004 -@@ -458,6 +484,19 @@ static int do_task_stat(struct task_stru
52005 - stime = task_stime(task);
52006 - }
52007 -
52008 -+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
52009 -+ if (PAX_RAND_FLAGS(mm)) {
52010 -+ eip = 0;
52011 -+ esp = 0;
52012 -+ wchan = 0;
52013 -+ }
52014 -+#endif
52015 -+#ifdef CONFIG_GRKERNSEC_HIDESYM
52016 -+ wchan = 0;
52017 -+ eip =0;
52018 -+ esp =0;
52019 -+#endif
52020 -+
52021 - /* scale priority and nice values from timeslices to -20..20 */
52022 - /* to make it look like a "normal" Unix priority/nice value */
52023 - priority = task_prio(task);
52024 -@@ -498,9 +537,15 @@ static int do_task_stat(struct task_stru
52025 - vsize,
52026 - mm ? get_mm_rss(mm) : 0,
52027 - rsslim,
52028 -+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
52029 -+ PAX_RAND_FLAGS(mm) ? 1 : (mm ? mm->start_code : 0),
52030 -+ PAX_RAND_FLAGS(mm) ? 1 : (mm ? mm->end_code : 0),
52031 -+ PAX_RAND_FLAGS(mm) ? 0 : (mm ? mm->start_stack : 0),
52032 -+#else
52033 - mm ? mm->start_code : 0,
52034 - mm ? mm->end_code : 0,
52035 - mm ? mm->start_stack : 0,
52036 -+#endif
52037 - esp,
52038 - eip,
52039 - /* The signal information here is obsolete.
52040 -@@ -547,3 +592,14 @@ int proc_pid_statm(struct task_struct *t
52041 - return sprintf(buffer, "%d %d %d %d %d %d %d\n",
52042 - size, resident, shared, text, lib, data, 0);
52043 - }
52044 -+
52045 -+#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
52046 -+int proc_pid_ipaddr(struct task_struct *task, char * buffer)
52047 -+{
52048 -+ int len;
52049 -+
52050 -+ len = sprintf(buffer, "%u.%u.%u.%u\n", NIPQUAD(task->signal->curr_ip));
52051 -+ return len;
52052 -+}
52053 -+#endif
52054 -+
52055 -diff -Nurp linux-2.6.23.15/fs/proc/base.c linux-2.6.23.15-grsec/fs/proc/base.c
52056 ---- linux-2.6.23.15/fs/proc/base.c 2007-10-09 21:31:38.000000000 +0100
52057 -+++ linux-2.6.23.15-grsec/fs/proc/base.c 2008-02-11 10:37:44.000000000 +0000
52058 -@@ -73,6 +73,7 @@
52059 - #include <linux/nsproxy.h>
52060 - #include <linux/oom.h>
52061 - #include <linux/elf.h>
52062 -+#include <linux/grsecurity.h>
52063 - #include "internal.h"
52064 -
52065 - /* NOTE:
52066 -@@ -123,7 +124,7 @@ struct pid_entry {
52067 - NULL, &proc_info_file_operations, \
52068 - { .proc_read = &proc_##OTYPE } )
52069 -
52070 --int maps_protect;
52071 -+int maps_protect = 1;
52072 - EXPORT_SYMBOL(maps_protect);
52073 -
52074 - static struct fs_struct *get_fs_struct(struct task_struct *task)
52075 -@@ -197,7 +198,7 @@ static int proc_root_link(struct inode *
52076 - (task->parent == current && \
52077 - (task->ptrace & PT_PTRACED) && \
52078 - (task->state == TASK_STOPPED || task->state == TASK_TRACED) && \
52079 -- security_ptrace(current,task) == 0))
52080 -+ security_ptrace(current,task) == 0 && !gr_handle_proc_ptrace(task)))
52081 -
52082 - static int proc_pid_environ(struct task_struct *task, char * buffer)
52083 - {
52084 -@@ -263,9 +264,9 @@ static int proc_pid_auxv(struct task_str
52085 - struct mm_struct *mm = get_task_mm(task);
52086 - if (mm) {
52087 - unsigned int nwords = 0;
52088 -- do
52089 -+ do {
52090 - nwords += 2;
52091 -- while (mm->saved_auxv[nwords - 2] != 0); /* AT_NULL */
52092 -+ } while (mm->saved_auxv[nwords - 2] != 0); /* AT_NULL */
52093 - res = nwords * sizeof(mm->saved_auxv[0]);
52094 - if (res > PAGE_SIZE)
52095 - res = PAGE_SIZE;
52096 -@@ -338,6 +339,8 @@ static int proc_fd_access_allowed(struct
52097 - task = get_proc_task(inode);
52098 - if (task) {
52099 - allowed = ptrace_may_attach(task);
52100 -+ if (allowed != 0)
52101 -+ allowed = !gr_acl_handle_procpidmem(task);
52102 - put_task_struct(task);
52103 - }
52104 - return allowed;
52105 -@@ -528,7 +531,7 @@ static ssize_t mem_read(struct file * fi
52106 - if (!task)
52107 - goto out_no_task;
52108 -
52109 -- if (!MAY_PTRACE(task) || !ptrace_may_attach(task))
52110 -+ if (!MAY_PTRACE(task) || !ptrace_may_attach(task) || gr_acl_handle_procpidmem(task))
52111 - goto out;
52112 -
52113 - ret = -ENOMEM;
52114 -@@ -598,7 +601,7 @@ static ssize_t mem_write(struct file * f
52115 - if (!task)
52116 - goto out_no_task;
52117 -
52118 -- if (!MAY_PTRACE(task) || !ptrace_may_attach(task))
52119 -+ if (!MAY_PTRACE(task) || !ptrace_may_attach(task) || gr_acl_handle_procpidmem(task))
52120 - goto out;
52121 -
52122 - copied = -ENOMEM;
52123 -@@ -1050,7 +1053,11 @@ static struct inode *proc_pid_make_inode
52124 - inode->i_gid = 0;
52125 - if (task_dumpable(task)) {
52126 - inode->i_uid = task->euid;
52127 -+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
52128 -+ inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
52129 -+#else
52130 - inode->i_gid = task->egid;
52131 -+#endif
52132 - }
52133 - security_task_to_inode(task, inode);
52134 -
52135 -@@ -1066,17 +1073,45 @@ static int pid_getattr(struct vfsmount *
52136 - {
52137 - struct inode *inode = dentry->d_inode;
52138 - struct task_struct *task;
52139 -+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
52140 -+ struct task_struct *tmp = current;
52141 -+#endif
52142 -+
52143 - generic_fillattr(inode, stat);
52144 -
52145 - rcu_read_lock();
52146 - stat->uid = 0;
52147 - stat->gid = 0;
52148 - task = pid_task(proc_pid(inode), PIDTYPE_PID);
52149 -- if (task) {
52150 -+
52151 -+ if (task && (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))) {
52152 -+ rcu_read_unlock();
52153 -+ return -ENOENT;
52154 -+ }
52155 -+
52156 -+
52157 -+ if (task
52158 -+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
52159 -+ && (!tmp->uid || (tmp->uid == task->uid)
52160 -+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
52161 -+ || in_group_p(CONFIG_GRKERNSEC_PROC_GID)
52162 -+#endif
52163 -+ )
52164 -+#endif
52165 -+ ) {
52166 - if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
52167 -+#ifdef CONFIG_GRKERNSEC_PROC_USER
52168 -+ (inode->i_mode == (S_IFDIR|S_IRUSR|S_IXUSR)) ||
52169 -+#elif CONFIG_GRKERNSEC_PROC_USERGROUP
52170 -+ (inode->i_mode == (S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP)) ||
52171 -+#endif
52172 - task_dumpable(task)) {
52173 - stat->uid = task->euid;
52174 -+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
52175 -+ stat->gid = CONFIG_GRKERNSEC_PROC_GID;
52176 -+#else
52177 - stat->gid = task->egid;
52178 -+#endif
52179 - }
52180 - }
52181 - rcu_read_unlock();
52182 -@@ -1104,11 +1139,21 @@ static int pid_revalidate(struct dentry
52183 - {
52184 - struct inode *inode = dentry->d_inode;
52185 - struct task_struct *task = get_proc_task(inode);
52186 -+
52187 - if (task) {
52188 - if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
52189 -+#ifdef CONFIG_GRKERNSEC_PROC_USER
52190 -+ (inode->i_mode == (S_IFDIR|S_IRUSR|S_IXUSR)) ||
52191 -+#elif CONFIG_GRKERNSEC_PROC_USERGROUP
52192 -+ (inode->i_mode == (S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP)) ||
52193 -+#endif
52194 - task_dumpable(task)) {
52195 - inode->i_uid = task->euid;
52196 -+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
52197 -+ inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
52198 -+#else
52199 - inode->i_gid = task->egid;
52200 -+#endif
52201 - } else {
52202 - inode->i_uid = 0;
52203 - inode->i_gid = 0;
52204 -@@ -1118,6 +1163,7 @@ static int pid_revalidate(struct dentry
52205 - put_task_struct(task);
52206 - return 1;
52207 - }
52208 -+out:
52209 - d_drop(dentry);
52210 - return 0;
52211 - }
52212 -@@ -1374,6 +1420,9 @@ static struct dentry *proc_lookupfd_comm
52213 - if (fd == ~0U)
52214 - goto out;
52215 -
52216 -+ if (gr_acl_handle_procpidmem(task))
52217 -+ goto out;
52218 -+
52219 - result = instantiate(dir, dentry, task, &fd);
52220 - out:
52221 - put_task_struct(task);
52222 -@@ -1410,6 +1459,8 @@ static int proc_readfd_common(struct fil
52223 - goto out;
52224 - filp->f_pos++;
52225 - default:
52226 -+ if (gr_acl_handle_procpidmem(p))
52227 -+ goto out;
52228 - files = get_files_struct(p);
52229 - if (!files)
52230 - goto out;
52231 -@@ -1598,6 +1649,9 @@ static struct dentry *proc_pident_lookup
52232 - if (!task)
52233 - goto out_no_task;
52234 -
52235 -+ if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
52236 -+ goto out;
52237 -+
52238 - /*
52239 - * Yes, it does not scale. And it should not. Don't add
52240 - * new entries into /proc/<tgid>/ without very good reasons.
52241 -@@ -1643,6 +1697,9 @@ static int proc_pident_readdir(struct fi
52242 - if (!task)
52243 - goto out_no_task;
52244 -
52245 -+ if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
52246 -+ goto out;
52247 -+
52248 - ret = 0;
52249 - pid = task->pid;
52250 - i = filp->f_pos;
52251 -@@ -1998,6 +2055,9 @@ static struct dentry *proc_base_lookup(s
52252 - if (p > last)
52253 - goto out;
52254 -
52255 -+ if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
52256 -+ goto out;
52257 -+
52258 - error = proc_base_instantiate(dir, dentry, task, p);
52259 -
52260 - out:
52261 -@@ -2097,6 +2157,9 @@ static const struct pid_entry tgid_base_
52262 - #ifdef CONFIG_TASK_IO_ACCOUNTING
52263 - INF("io", S_IRUGO, pid_io_accounting),
52264 - #endif
52265 -+#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
52266 -+ INF("ipaddr", S_IRUSR, pid_ipaddr),
52267 -+#endif
52268 - };
52269 -
52270 - static int proc_tgid_base_readdir(struct file * filp,
52271 -@@ -2200,7 +2263,14 @@ static struct dentry *proc_pid_instantia
52272 - if (!inode)
52273 - goto out;
52274 -
52275 -+#ifdef CONFIG_GRKERNSEC_PROC_USER
52276 -+ inode->i_mode = S_IFDIR|S_IRUSR|S_IXUSR;
52277 -+#elif CONFIG_GRKERNSEC_PROC_USERGROUP
52278 -+ inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
52279 -+ inode->i_mode = S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP;
52280 -+#else
52281 - inode->i_mode = S_IFDIR|S_IRUGO|S_IXUGO;
52282 -+#endif
52283 - inode->i_op = &proc_tgid_base_inode_operations;
52284 - inode->i_fop = &proc_tgid_base_operations;
52285 - inode->i_flags|=S_IMMUTABLE;
52286 -@@ -2241,7 +2311,11 @@ struct dentry *proc_pid_lookup(struct in
52287 - if (!task)
52288 - goto out;
52289 -
52290 -+ if (gr_check_hidden_task(task))
52291 -+ goto out_put_task;
52292 -+
52293 - result = proc_pid_instantiate(dir, dentry, task, NULL);
52294 -+out_put_task:
52295 - put_task_struct(task);
52296 - out:
52297 - return result;
52298 -@@ -2299,6 +2373,9 @@ int proc_pid_readdir(struct file * filp,
52299 - {
52300 - unsigned int nr = filp->f_pos - FIRST_PROCESS_ENTRY;
52301 - struct task_struct *reaper = get_proc_task(filp->f_path.dentry->d_inode);
52302 -+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
52303 -+ struct task_struct *tmp = current;
52304 -+#endif
52305 - struct task_struct *task;
52306 - int tgid;
52307 -
52308 -@@ -2316,6 +2393,18 @@ int proc_pid_readdir(struct file * filp,
52309 - task;
52310 - put_task_struct(task), task = next_tgid(tgid + 1)) {
52311 - tgid = task->pid;
52312 -+
52313 -+ if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task)
52314 -+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
52315 -+ || (tmp->uid && (task->uid != tmp->uid)
52316 -+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
52317 -+ && !in_group_p(CONFIG_GRKERNSEC_PROC_GID)
52318 -+#endif
52319 -+ )
52320 -+#endif
52321 -+ )
52322 -+ continue;
52323 -+
52324 - filp->f_pos = tgid + TGID_OFFSET;
52325 - if (proc_pid_fill_cache(filp, dirent, filldir, task, tgid) < 0) {
52326 - put_task_struct(task);
52327 -diff -Nurp linux-2.6.23.15/fs/proc/inode.c linux-2.6.23.15-grsec/fs/proc/inode.c
52328 ---- linux-2.6.23.15/fs/proc/inode.c 2007-10-09 21:31:38.000000000 +0100
52329 -+++ linux-2.6.23.15-grsec/fs/proc/inode.c 2008-02-11 10:37:44.000000000 +0000
52330 -@@ -418,7 +418,11 @@ struct inode *proc_get_inode(struct supe
52331 - if (de->mode) {
52332 - inode->i_mode = de->mode;
52333 - inode->i_uid = de->uid;
52334 -+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
52335 -+ inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
52336 -+#else
52337 - inode->i_gid = de->gid;
52338 -+#endif
52339 - }
52340 - if (de->size)
52341 - inode->i_size = de->size;
52342 -diff -Nurp linux-2.6.23.15/fs/proc/internal.h linux-2.6.23.15-grsec/fs/proc/internal.h
52343 ---- linux-2.6.23.15/fs/proc/internal.h 2007-10-09 21:31:38.000000000 +0100
52344 -+++ linux-2.6.23.15-grsec/fs/proc/internal.h 2008-02-11 10:37:44.000000000 +0000
52345 -@@ -45,6 +45,9 @@ extern int proc_tid_stat(struct task_str
52346 - extern int proc_tgid_stat(struct task_struct *, char *);
52347 - extern int proc_pid_status(struct task_struct *, char *);
52348 - extern int proc_pid_statm(struct task_struct *, char *);
52349 -+#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
52350 -+extern int proc_pid_ipaddr(struct task_struct*,char*);
52351 -+#endif
52352 -
52353 - extern const struct file_operations proc_maps_operations;
52354 - extern const struct file_operations proc_numa_maps_operations;
52355 -diff -Nurp linux-2.6.23.15/fs/proc/proc_misc.c linux-2.6.23.15-grsec/fs/proc/proc_misc.c
52356 ---- linux-2.6.23.15/fs/proc/proc_misc.c 2007-10-09 21:31:38.000000000 +0100
52357 -+++ linux-2.6.23.15-grsec/fs/proc/proc_misc.c 2008-02-11 10:37:44.000000000 +0000
52358 -@@ -668,6 +668,8 @@ void create_seq_entry(char *name, mode_t
52359 -
52360 - void __init proc_misc_init(void)
52361 - {
52362 -+ int gr_mode = 0;
52363 -+
52364 - static struct {
52365 - char *name;
52366 - int (*read_proc)(char*,char**,off_t,int,int*,void*);
52367 -@@ -683,7 +685,9 @@ void __init proc_misc_init(void)
52368 - {"stram", stram_read_proc},
52369 - #endif
52370 - {"filesystems", filesystems_read_proc},
52371 -+#ifndef CONFIG_GRKERNSEC_PROC_ADD
52372 - {"cmdline", cmdline_read_proc},
52373 -+#endif
52374 - {"locks", locks_read_proc},
52375 - {"execdomains", execdomains_read_proc},
52376 - {NULL,}
52377 -@@ -691,6 +695,15 @@ void __init proc_misc_init(void)
52378 - for (p = simple_ones; p->name; p++)
52379 - create_proc_read_entry(p->name, 0, NULL, p->read_proc, NULL);
52380 -
52381 -+#ifdef CONFIG_GRKERNSEC_PROC_USER
52382 -+ gr_mode = S_IRUSR;
52383 -+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
52384 -+ gr_mode = S_IRUSR | S_IRGRP;
52385 -+#endif
52386 -+#ifdef CONFIG_GRKERNSEC_PROC_ADD
52387 -+ create_proc_read_entry("cmdline", gr_mode, NULL, &cmdline_read_proc, NULL);
52388 -+#endif
52389 -+
52390 - proc_symlink("mounts", NULL, "self/mounts");
52391 -
52392 - /* And now for trickier ones */
52393 -@@ -702,7 +715,11 @@ void __init proc_misc_init(void)
52394 - entry->proc_fops = &proc_kmsg_operations;
52395 - }
52396 - #endif
52397 -+#ifdef CONFIG_GRKERNSEC_PROC_ADD
52398 -+ create_seq_entry("devices", gr_mode, &proc_devinfo_operations);
52399 -+#else
52400 - create_seq_entry("devices", 0, &proc_devinfo_operations);
52401 -+#endif
52402 - create_seq_entry("cpuinfo", 0, &proc_cpuinfo_operations);
52403 - #ifdef CONFIG_BLOCK
52404 - create_seq_entry("partitions", 0, &proc_partitions_operations);
52405 -@@ -710,7 +727,11 @@ void __init proc_misc_init(void)
52406 - create_seq_entry("stat", 0, &proc_stat_operations);
52407 - create_seq_entry("interrupts", 0, &proc_interrupts_operations);
52408 - #ifdef CONFIG_SLAB
52409 -+#ifdef CONFIG_GRKERNSEC_PROC_ADD
52410 -+ create_seq_entry("slabinfo",S_IWUSR|gr_mode,&proc_slabinfo_operations);
52411 -+#else
52412 - create_seq_entry("slabinfo",S_IWUSR|S_IRUGO,&proc_slabinfo_operations);
52413 -+#endif
52414 - #ifdef CONFIG_DEBUG_SLAB_LEAK
52415 - create_seq_entry("slab_allocators", 0 ,&proc_slabstats_operations);
52416 - #endif
52417 -@@ -727,7 +748,7 @@ void __init proc_misc_init(void)
52418 - #ifdef CONFIG_SCHEDSTATS
52419 - create_seq_entry("schedstat", 0, &proc_schedstat_operations);
52420 - #endif
52421 --#ifdef CONFIG_PROC_KCORE
52422 -+#if defined(CONFIG_PROC_KCORE) && !defined(CONFIG_GRKERNSEC_PROC_ADD)
52423 - proc_root_kcore = create_proc_entry("kcore", S_IRUSR, NULL);
52424 - if (proc_root_kcore) {
52425 - proc_root_kcore->proc_fops = &proc_kcore_operations;
52426 -diff -Nurp linux-2.6.23.15/fs/proc/proc_sysctl.c linux-2.6.23.15-grsec/fs/proc/proc_sysctl.c
52427 ---- linux-2.6.23.15/fs/proc/proc_sysctl.c 2007-10-09 21:31:38.000000000 +0100
52428 -+++ linux-2.6.23.15-grsec/fs/proc/proc_sysctl.c 2008-02-11 10:37:44.000000000 +0000
52429 -@@ -7,6 +7,8 @@
52430 - #include <linux/security.h>
52431 - #include "internal.h"
52432 -
52433 -+extern __u32 gr_handle_sysctl(const struct ctl_table *table, const int op);
52434 -+
52435 - static struct dentry_operations proc_sys_dentry_operations;
52436 - static const struct file_operations proc_sys_file_operations;
52437 - static struct inode_operations proc_sys_inode_operations;
52438 -@@ -151,6 +153,9 @@ static struct dentry *proc_sys_lookup(st
52439 - if (!table)
52440 - goto out;
52441 -
52442 -+ if (gr_handle_sysctl(table, 001))
52443 -+ goto out;
52444 -+
52445 - err = ERR_PTR(-ENOMEM);
52446 - inode = proc_sys_make_inode(dir, table);
52447 - if (!inode)
52448 -@@ -358,6 +363,9 @@ static int proc_sys_readdir(struct file
52449 - if (pos < filp->f_pos)
52450 - continue;
52451 -
52452 -+ if (gr_handle_sysctl(table, 0))
52453 -+ continue;
52454 -+
52455 - if (proc_sys_fill_cache(filp, dirent, filldir, table) < 0)
52456 - goto out;
52457 - filp->f_pos = pos + 1;
52458 -@@ -420,6 +428,30 @@ out:
52459 - return error;
52460 - }
52461 -
52462 -+/* Eric Biederman is to blame */
52463 -+static int proc_sys_getattr(struct vfsmount *mnt, struct dentry *dentry, struct kstat *stat)
52464 -+{
52465 -+ int error = 0;
52466 -+ struct ctl_table_header *head;
52467 -+ struct ctl_table *table;
52468 -+
52469 -+ table = do_proc_sys_lookup(dentry->d_parent, &dentry->d_name, &head);
52470 -+ /* Has the sysctl entry disappeared on us? */
52471 -+ if (!table)
52472 -+ goto out;
52473 -+
52474 -+ if (gr_handle_sysctl(table, 001)) {
52475 -+ error = -ENOENT;
52476 -+ goto out;
52477 -+ }
52478 -+
52479 -+out:
52480 -+ sysctl_head_finish(head);
52481 -+
52482 -+ generic_fillattr(dentry->d_inode, stat);
52483 -+
52484 -+ return error;
52485 -+}
52486 - static int proc_sys_setattr(struct dentry *dentry, struct iattr *attr)
52487 - {
52488 - struct inode *inode = dentry->d_inode;
52489 -@@ -448,6 +480,7 @@ static struct inode_operations proc_sys_
52490 - .lookup = proc_sys_lookup,
52491 - .permission = proc_sys_permission,
52492 - .setattr = proc_sys_setattr,
52493 -+ .getattr = proc_sys_getattr,
52494 - };
52495 -
52496 - static int proc_sys_revalidate(struct dentry *dentry, struct nameidata *nd)
52497 -diff -Nurp linux-2.6.23.15/fs/proc/root.c linux-2.6.23.15-grsec/fs/proc/root.c
52498 ---- linux-2.6.23.15/fs/proc/root.c 2007-10-09 21:31:38.000000000 +0100
52499 -+++ linux-2.6.23.15-grsec/fs/proc/root.c 2008-02-11 10:37:44.000000000 +0000
52500 -@@ -61,7 +61,13 @@ void __init proc_root_init(void)
52501 - return;
52502 - }
52503 - proc_misc_init();
52504 -+#ifdef CONFIG_GRKERNSEC_PROC_USER
52505 -+ proc_net = proc_mkdir_mode("net", S_IRUSR | S_IXUSR, NULL);
52506 -+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
52507 -+ proc_net = proc_mkdir_mode("net", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, NULL);
52508 -+#else
52509 - proc_net = proc_mkdir("net", NULL);
52510 -+#endif
52511 - proc_net_stat = proc_mkdir("net/stat", NULL);
52512 -
52513 - #ifdef CONFIG_SYSVIPC
52514 -@@ -78,7 +84,15 @@ void __init proc_root_init(void)
52515 - #ifdef CONFIG_PROC_DEVICETREE
52516 - proc_device_tree_init();
52517 - #endif
52518 -+#ifdef CONFIG_GRKERNSEC_PROC_ADD
52519 -+#ifdef CONFIG_GRKERNSEC_PROC_USER
52520 -+ proc_bus = proc_mkdir_mode("bus", S_IRUSR | S_IXUSR, NULL);
52521 -+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
52522 -+ proc_bus = proc_mkdir_mode("bus", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, NULL);
52523 -+#endif
52524 -+#else
52525 - proc_bus = proc_mkdir("bus", NULL);
52526 -+#endif
52527 - proc_sys_init();
52528 - }
52529 -
52530 -diff -Nurp linux-2.6.23.15/fs/proc/task_mmu.c linux-2.6.23.15-grsec/fs/proc/task_mmu.c
52531 ---- linux-2.6.23.15/fs/proc/task_mmu.c 2007-10-09 21:31:38.000000000 +0100
52532 -+++ linux-2.6.23.15-grsec/fs/proc/task_mmu.c 2008-02-11 10:37:44.000000000 +0000
52533 -@@ -44,15 +44,27 @@ char *task_mem(struct mm_struct *mm, cha
52534 - "VmStk:\t%8lu kB\n"
52535 - "VmExe:\t%8lu kB\n"
52536 - "VmLib:\t%8lu kB\n"
52537 -- "VmPTE:\t%8lu kB\n",
52538 -- hiwater_vm << (PAGE_SHIFT-10),
52539 -+ "VmPTE:\t%8lu kB\n"
52540 -+
52541 -+#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
52542 -+ "CsBase:\t%8lx\nCsLim:\t%8lx\n"
52543 -+#endif
52544 -+
52545 -+ ,hiwater_vm << (PAGE_SHIFT-10),
52546 - (total_vm - mm->reserved_vm) << (PAGE_SHIFT-10),
52547 - mm->locked_vm << (PAGE_SHIFT-10),
52548 - hiwater_rss << (PAGE_SHIFT-10),
52549 - total_rss << (PAGE_SHIFT-10),
52550 - data << (PAGE_SHIFT-10),
52551 - mm->stack_vm << (PAGE_SHIFT-10), text, lib,
52552 -- (PTRS_PER_PTE*sizeof(pte_t)*mm->nr_ptes) >> 10);
52553 -+ (PTRS_PER_PTE*sizeof(pte_t)*mm->nr_ptes) >> 10
52554 -+
52555 -+#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
52556 -+ , mm->context.user_cs_base, mm->context.user_cs_limit
52557 -+#endif
52558 -+
52559 -+ );
52560 -+
52561 - return buffer;
52562 - }
52563 -
52564 -@@ -131,6 +143,12 @@ struct pmd_walker {
52565 - unsigned long, void *);
52566 - };
52567 -
52568 -+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
52569 -+#define PAX_RAND_FLAGS(_mm) (_mm != NULL && _mm != current->mm && \
52570 -+ (_mm->pax_flags & MF_PAX_RANDMMAP || \
52571 -+ _mm->pax_flags & MF_PAX_SEGMEXEC))
52572 -+#endif
52573 -+
52574 - static int show_map_internal(struct seq_file *m, void *v, struct mem_size_stats *mss)
52575 - {
52576 - struct proc_maps_private *priv = m->private;
52577 -@@ -153,13 +171,22 @@ static int show_map_internal(struct seq_
52578 - }
52579 -
52580 - seq_printf(m, "%08lx-%08lx %c%c%c%c %08lx %02x:%02x %lu %n",
52581 -+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
52582 -+ PAX_RAND_FLAGS(mm) ? 0UL : vma->vm_start,
52583 -+ PAX_RAND_FLAGS(mm) ? 0UL : vma->vm_end,
52584 -+#else
52585 - vma->vm_start,
52586 - vma->vm_end,
52587 -+#endif
52588 - flags & VM_READ ? 'r' : '-',
52589 - flags & VM_WRITE ? 'w' : '-',
52590 - flags & VM_EXEC ? 'x' : '-',
52591 - flags & VM_MAYSHARE ? 's' : 'p',
52592 -+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
52593 -+ PAX_RAND_FLAGS(mm) ? 0UL : vma->vm_pgoff << PAGE_SHIFT,
52594 -+#else
52595 - vma->vm_pgoff << PAGE_SHIFT,
52596 -+#endif
52597 - MAJOR(dev), MINOR(dev), ino, &len);
52598 -
52599 - /*
52600 -@@ -173,11 +200,11 @@ static int show_map_internal(struct seq_
52601 - const char *name = arch_vma_name(vma);
52602 - if (!name) {
52603 - if (mm) {
52604 -- if (vma->vm_start <= mm->start_brk &&
52605 -- vma->vm_end >= mm->brk) {
52606 -+ if (vma->vm_start <= mm->brk && vma->vm_end >= mm->start_brk) {
52607 - name = "[heap]";
52608 -- } else if (vma->vm_start <= mm->start_stack &&
52609 -- vma->vm_end >= mm->start_stack) {
52610 -+ } else if ((vma->vm_flags & (VM_GROWSDOWN | VM_GROWSUP)) ||
52611 -+ (vma->vm_start <= mm->start_stack &&
52612 -+ vma->vm_end >= mm->start_stack)) {
52613 - name = "[stack]";
52614 - }
52615 - } else {
52616 -@@ -191,7 +218,27 @@ static int show_map_internal(struct seq_
52617 - }
52618 - seq_putc(m, '\n');
52619 -
52620 -- if (mss)
52621 -+
52622 -+ if (mss) {
52623 -+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
52624 -+ if (PAX_RAND_FLAGS(mm))
52625 -+ seq_printf(m,
52626 -+ "Size: %8lu kB\n"
52627 -+ "Rss: %8lu kB\n"
52628 -+ "Shared_Clean: %8lu kB\n"
52629 -+ "Shared_Dirty: %8lu kB\n"
52630 -+ "Private_Clean: %8lu kB\n"
52631 -+ "Private_Dirty: %8lu kB\n",
52632 -+ "Referenced: %8lu kB\n",
52633 -+ 0UL,
52634 -+ 0UL,
52635 -+ 0UL,
52636 -+ 0UL,
52637 -+ 0UL,
52638 -+ 0UL,
52639 -+ 0UL);
52640 -+ else
52641 -+#endif
52642 - seq_printf(m,
52643 - "Size: %8lu kB\n"
52644 - "Rss: %8lu kB\n"
52645 -@@ -207,6 +254,7 @@ static int show_map_internal(struct seq_
52646 - mss->private_clean >> 10,
52647 - mss->private_dirty >> 10,
52648 - mss->referenced >> 10);
52649 -+ }
52650 -
52651 - if (m->count < m->size) /* vma is copied successfully */
52652 - m->version = (vma != get_gate_vma(task))? vma->vm_start: 0;
52653 -diff -Nurp linux-2.6.23.15/fs/readdir.c linux-2.6.23.15-grsec/fs/readdir.c
52654 ---- linux-2.6.23.15/fs/readdir.c 2007-10-09 21:31:38.000000000 +0100
52655 -+++ linux-2.6.23.15-grsec/fs/readdir.c 2008-02-11 10:37:44.000000000 +0000
52656 -@@ -16,6 +16,8 @@
52657 - #include <linux/security.h>
52658 - #include <linux/syscalls.h>
52659 - #include <linux/unistd.h>
52660 -+#include <linux/namei.h>
52661 -+#include <linux/grsecurity.h>
52662 -
52663 - #include <asm/uaccess.h>
52664 -
52665 -@@ -64,6 +66,7 @@ struct old_linux_dirent {
52666 -
52667 - struct readdir_callback {
52668 - struct old_linux_dirent __user * dirent;
52669 -+ struct file * file;
52670 - int result;
52671 - };
52672 -
52673 -@@ -79,6 +82,10 @@ static int fillonedir(void * __buf, cons
52674 - d_ino = ino;
52675 - if (sizeof(d_ino) < sizeof(ino) && d_ino != ino)
52676 - return -EOVERFLOW;
52677 -+
52678 -+ if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
52679 -+ return 0;
52680 -+
52681 - buf->result++;
52682 - dirent = buf->dirent;
52683 - if (!access_ok(VERIFY_WRITE, dirent,
52684 -@@ -110,6 +117,7 @@ asmlinkage long old_readdir(unsigned int
52685 -
52686 - buf.result = 0;
52687 - buf.dirent = dirent;
52688 -+ buf.file = file;
52689 -
52690 - error = vfs_readdir(file, fillonedir, &buf);
52691 - if (error >= 0)
52692 -@@ -136,6 +144,7 @@ struct linux_dirent {
52693 - struct getdents_callback {
52694 - struct linux_dirent __user * current_dir;
52695 - struct linux_dirent __user * previous;
52696 -+ struct file * file;
52697 - int count;
52698 - int error;
52699 - };
52700 -@@ -154,6 +163,10 @@ static int filldir(void * __buf, const c
52701 - d_ino = ino;
52702 - if (sizeof(d_ino) < sizeof(ino) && d_ino != ino)
52703 - return -EOVERFLOW;
52704 -+
52705 -+ if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
52706 -+ return 0;
52707 -+
52708 - dirent = buf->previous;
52709 - if (dirent) {
52710 - if (__put_user(offset, &dirent->d_off))
52711 -@@ -200,6 +213,7 @@ asmlinkage long sys_getdents(unsigned in
52712 - buf.previous = NULL;
52713 - buf.count = count;
52714 - buf.error = 0;
52715 -+ buf.file = file;
52716 -
52717 - error = vfs_readdir(file, filldir, &buf);
52718 - if (error < 0)
52719 -@@ -222,6 +236,7 @@ out:
52720 - struct getdents_callback64 {
52721 - struct linux_dirent64 __user * current_dir;
52722 - struct linux_dirent64 __user * previous;
52723 -+ struct file *file;
52724 - int count;
52725 - int error;
52726 - };
52727 -@@ -236,6 +251,10 @@ static int filldir64(void * __buf, const
52728 - buf->error = -EINVAL; /* only used if we fail.. */
52729 - if (reclen > buf->count)
52730 - return -EINVAL;
52731 -+
52732 -+ if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
52733 -+ return 0;
52734 -+
52735 - dirent = buf->previous;
52736 - if (dirent) {
52737 - if (__put_user(offset, &dirent->d_off))
52738 -@@ -282,6 +301,7 @@ asmlinkage long sys_getdents64(unsigned
52739 -
52740 - buf.current_dir = dirent;
52741 - buf.previous = NULL;
52742 -+ buf.file = file;
52743 - buf.count = count;
52744 - buf.error = 0;
52745 -
52746 -diff -Nurp linux-2.6.23.15/fs/udf/balloc.c linux-2.6.23.15-grsec/fs/udf/balloc.c
52747 ---- linux-2.6.23.15/fs/udf/balloc.c 2007-10-09 21:31:38.000000000 +0100
52748 -+++ linux-2.6.23.15-grsec/fs/udf/balloc.c 2008-02-11 10:37:44.000000000 +0000
52749 -@@ -154,8 +154,7 @@ static void udf_bitmap_free_blocks(struc
52750 - unsigned long overflow;
52751 -
52752 - mutex_lock(&sbi->s_alloc_mutex);
52753 -- if (bloc.logicalBlockNum < 0 ||
52754 -- (bloc.logicalBlockNum + count) > UDF_SB_PARTLEN(sb, bloc.partitionReferenceNum)) {
52755 -+ if (bloc.logicalBlockNum + count > UDF_SB_PARTLEN(sb, bloc.partitionReferenceNum)) {
52756 - udf_debug("%d < %d || %d + %d > %d\n",
52757 - bloc.logicalBlockNum, 0, bloc.logicalBlockNum, count,
52758 - UDF_SB_PARTLEN(sb, bloc.partitionReferenceNum));
52759 -@@ -221,7 +220,7 @@ static int udf_bitmap_prealloc_blocks(st
52760 - struct buffer_head *bh;
52761 -
52762 - mutex_lock(&sbi->s_alloc_mutex);
52763 -- if (first_block < 0 || first_block >= UDF_SB_PARTLEN(sb, partition))
52764 -+ if (first_block >= UDF_SB_PARTLEN(sb, partition))
52765 - goto out;
52766 -
52767 - if (first_block + block_count > UDF_SB_PARTLEN(sb, partition))
52768 -@@ -287,7 +286,7 @@ static int udf_bitmap_new_block(struct s
52769 - mutex_lock(&sbi->s_alloc_mutex);
52770 -
52771 - repeat:
52772 -- if (goal < 0 || goal >= UDF_SB_PARTLEN(sb, partition))
52773 -+ if (goal >= UDF_SB_PARTLEN(sb, partition))
52774 - goal = 0;
52775 -
52776 - nr_groups = bitmap->s_nr_groups;
52777 -@@ -420,8 +419,7 @@ static void udf_table_free_blocks(struct
52778 - int i;
52779 -
52780 - mutex_lock(&sbi->s_alloc_mutex);
52781 -- if (bloc.logicalBlockNum < 0 ||
52782 -- (bloc.logicalBlockNum + count) > UDF_SB_PARTLEN(sb, bloc.partitionReferenceNum)) {
52783 -+ if (bloc.logicalBlockNum + count > UDF_SB_PARTLEN(sb, bloc.partitionReferenceNum)) {
52784 - udf_debug("%d < %d || %d + %d > %d\n",
52785 - bloc.logicalBlockNum, 0, bloc.logicalBlockNum, count,
52786 - UDF_SB_PARTLEN(sb, bloc.partitionReferenceNum));
52787 -@@ -627,7 +625,7 @@ static int udf_table_prealloc_blocks(str
52788 - struct extent_position epos;
52789 - int8_t etype = -1;
52790 -
52791 -- if (first_block < 0 || first_block >= UDF_SB_PARTLEN(sb, partition))
52792 -+ if (first_block >= UDF_SB_PARTLEN(sb, partition))
52793 - return 0;
52794 -
52795 - if (UDF_I_ALLOCTYPE(table) == ICBTAG_FLAG_AD_SHORT)
52796 -@@ -703,7 +701,7 @@ static int udf_table_new_block(struct su
52797 - return newblock;
52798 -
52799 - mutex_lock(&sbi->s_alloc_mutex);
52800 -- if (goal < 0 || goal >= UDF_SB_PARTLEN(sb, partition))
52801 -+ if (goal >= UDF_SB_PARTLEN(sb, partition))
52802 - goal = 0;
52803 -
52804 - /* We search for the closest matching block to goal. If we find a exact hit,
52805 -diff -Nurp linux-2.6.23.15/fs/udf/inode.c linux-2.6.23.15-grsec/fs/udf/inode.c
52806 ---- linux-2.6.23.15/fs/udf/inode.c 2007-10-09 21:31:38.000000000 +0100
52807 -+++ linux-2.6.23.15-grsec/fs/udf/inode.c 2008-02-11 10:37:44.000000000 +0000
52808 -@@ -308,9 +308,6 @@ static int udf_get_block(struct inode *i
52809 -
52810 - lock_kernel();
52811 -
52812 -- if (block < 0)
52813 -- goto abort_negative;
52814 --
52815 - if (block == UDF_I_NEXT_ALLOC_BLOCK(inode) + 1) {
52816 - UDF_I_NEXT_ALLOC_BLOCK(inode)++;
52817 - UDF_I_NEXT_ALLOC_GOAL(inode)++;
52818 -@@ -331,10 +328,6 @@ static int udf_get_block(struct inode *i
52819 - abort:
52820 - unlock_kernel();
52821 - return err;
52822 --
52823 --abort_negative:
52824 -- udf_warning(inode->i_sb, "udf_get_block", "block < 0");
52825 -- goto abort;
52826 - }
52827 -
52828 - static struct buffer_head *udf_getblk(struct inode *inode, long block,
52829 -diff -Nurp linux-2.6.23.15/fs/ufs/inode.c linux-2.6.23.15-grsec/fs/ufs/inode.c
52830 ---- linux-2.6.23.15/fs/ufs/inode.c 2007-10-09 21:31:38.000000000 +0100
52831 -+++ linux-2.6.23.15-grsec/fs/ufs/inode.c 2008-02-11 10:37:44.000000000 +0000
52832 -@@ -55,9 +55,7 @@ static int ufs_block_to_path(struct inod
52833 -
52834 -
52835 - UFSD("ptrs=uspi->s_apb = %d,double_blocks=%ld \n",ptrs,double_blocks);
52836 -- if (i_block < 0) {
52837 -- ufs_warning(inode->i_sb, "ufs_block_to_path", "block < 0");
52838 -- } else if (i_block < direct_blocks) {
52839 -+ if (i_block < direct_blocks) {
52840 - offsets[n++] = i_block;
52841 - } else if ((i_block -= direct_blocks) < indirect_blocks) {
52842 - offsets[n++] = UFS_IND_BLOCK;
52843 -@@ -439,8 +437,6 @@ int ufs_getfrag_block(struct inode *inod
52844 - lock_kernel();
52845 -
52846 - UFSD("ENTER, ino %lu, fragment %llu\n", inode->i_ino, (unsigned long long)fragment);
52847 -- if (fragment < 0)
52848 -- goto abort_negative;
52849 - if (fragment >
52850 - ((UFS_NDADDR + uspi->s_apb + uspi->s_2apb + uspi->s_3apb)
52851 - << uspi->s_fpbshift))
52852 -@@ -503,10 +499,6 @@ abort:
52853 - unlock_kernel();
52854 - return err;
52855 -
52856 --abort_negative:
52857 -- ufs_warning(sb, "ufs_get_block", "block < 0");
52858 -- goto abort;
52859 --
52860 - abort_too_big:
52861 - ufs_warning(sb, "ufs_get_block", "block > big");
52862 - goto abort;
52863 -diff -Nurp linux-2.6.23.15/fs/utimes.c linux-2.6.23.15-grsec/fs/utimes.c
52864 ---- linux-2.6.23.15/fs/utimes.c 2007-10-09 21:31:38.000000000 +0100
52865 -+++ linux-2.6.23.15-grsec/fs/utimes.c 2008-02-11 10:37:44.000000000 +0000
52866 -@@ -6,6 +6,7 @@
52867 - #include <linux/sched.h>
52868 - #include <linux/stat.h>
52869 - #include <linux/utime.h>
52870 -+#include <linux/grsecurity.h>
52871 - #include <asm/uaccess.h>
52872 - #include <asm/unistd.h>
52873 -
52874 -@@ -47,6 +48,7 @@ long do_utimes(int dfd, char __user *fil
52875 - int error;
52876 - struct nameidata nd;
52877 - struct dentry *dentry;
52878 -+ struct vfsmount *mnt;
52879 - struct inode *inode;
52880 - struct iattr newattrs;
52881 - struct file *f = NULL;
52882 -@@ -65,12 +67,14 @@ long do_utimes(int dfd, char __user *fil
52883 - if (!f)
52884 - goto out;
52885 - dentry = f->f_path.dentry;
52886 -+ mnt = f->f_path.mnt;
52887 - } else {
52888 - error = __user_walk_fd(dfd, filename, (flags & AT_SYMLINK_NOFOLLOW) ? 0 : LOOKUP_FOLLOW, &nd);
52889 - if (error)
52890 - goto out;
52891 -
52892 - dentry = nd.dentry;
52893 -+ mnt = nd.mnt;
52894 - }
52895 -
52896 - inode = dentry->d_inode;
52897 -@@ -117,6 +121,12 @@ long do_utimes(int dfd, char __user *fil
52898 - }
52899 - }
52900 - }
52901 -+
52902 -+ if (!gr_acl_handle_utime(dentry, mnt)) {
52903 -+ error = -EACCES;
52904 -+ goto dput_and_out;
52905 -+ }
52906 -+
52907 - mutex_lock(&inode->i_mutex);
52908 - error = notify_change(dentry, &newattrs);
52909 - mutex_unlock(&inode->i_mutex);
52910 -diff -Nurp linux-2.6.23.15/fs/xfs/xfs_bmap.c linux-2.6.23.15-grsec/fs/xfs/xfs_bmap.c
52911 ---- linux-2.6.23.15/fs/xfs/xfs_bmap.c 2007-10-09 21:31:38.000000000 +0100
52912 -+++ linux-2.6.23.15-grsec/fs/xfs/xfs_bmap.c 2008-02-11 10:37:44.000000000 +0000
52913 -@@ -374,7 +374,7 @@ xfs_bmap_validate_ret(
52914 - int nmap,
52915 - int ret_nmap);
52916 - #else
52917 --#define xfs_bmap_validate_ret(bno,len,flags,mval,onmap,nmap)
52918 -+#define xfs_bmap_validate_ret(bno,len,flags,mval,onmap,nmap) do {} while (0)
52919 - #endif /* DEBUG */
52920 -
52921 - #if defined(XFS_RW_TRACE)
52922 -diff -Nurp linux-2.6.23.15/grsecurity/Kconfig linux-2.6.23.15-grsec/grsecurity/Kconfig
52923 ---- linux-2.6.23.15/grsecurity/Kconfig 1970-01-01 01:00:00.000000000 +0100
52924 -+++ linux-2.6.23.15-grsec/grsecurity/Kconfig 2008-02-11 10:37:44.000000000 +0000
52925 -@@ -0,0 +1,873 @@
52926 -+#
52927 -+# grecurity configuration
52928 -+#
52929 -+
52930 -+menu "Grsecurity"
52931 -+
52932 -+config GRKERNSEC
52933 -+ bool "Grsecurity"
52934 -+ select CRYPTO
52935 -+ select CRYPTO_SHA256
52936 -+ help
52937 -+ If you say Y here, you will be able to configure many features
52938 -+ that will enhance the security of your system. It is highly
52939 -+ recommended that you say Y here and read through the help
52940 -+ for each option so that you fully understand the features and
52941 -+ can evaluate their usefulness for your machine.
52942 -+
52943 -+choice
52944 -+ prompt "Security Level"
52945 -+ depends GRKERNSEC
52946 -+ default GRKERNSEC_CUSTOM
52947 -+
52948 -+config GRKERNSEC_LOW
52949 -+ bool "Low"
52950 -+ select GRKERNSEC_LINK
52951 -+ select GRKERNSEC_FIFO
52952 -+ select GRKERNSEC_EXECVE
52953 -+ select GRKERNSEC_RANDNET
52954 -+ select GRKERNSEC_DMESG
52955 -+ select GRKERNSEC_CHROOT_CHDIR
52956 -+ select GRKERNSEC_MODSTOP if (MODULES)
52957 -+
52958 -+ help
52959 -+ If you choose this option, several of the grsecurity options will
52960 -+ be enabled that will give you greater protection against a number
52961 -+ of attacks, while assuring that none of your software will have any
52962 -+ conflicts with the additional security measures. If you run a lot
52963 -+ of unusual software, or you are having problems with the higher
52964 -+ security levels, you should say Y here. With this option, the
52965 -+ following features are enabled:
52966 -+
52967 -+ - Linking restrictions
52968 -+ - FIFO restrictions
52969 -+ - Enforcing RLIMIT_NPROC on execve
52970 -+ - Restricted dmesg
52971 -+ - Enforced chdir("/") on chroot
52972 -+ - Runtime module disabling
52973 -+
52974 -+config GRKERNSEC_MEDIUM
52975 -+ bool "Medium"
52976 -+ select PAX
52977 -+ select PAX_EI_PAX
52978 -+ select PAX_PT_PAX_FLAGS
52979 -+ select PAX_HAVE_ACL_FLAGS
52980 -+ select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
52981 -+ select GRKERNSEC_CHROOT_SYSCTL
52982 -+ select GRKERNSEC_LINK
52983 -+ select GRKERNSEC_FIFO
52984 -+ select GRKERNSEC_EXECVE
52985 -+ select GRKERNSEC_DMESG
52986 -+ select GRKERNSEC_RANDNET
52987 -+ select GRKERNSEC_FORKFAIL
52988 -+ select GRKERNSEC_TIME
52989 -+ select GRKERNSEC_SIGNAL
52990 -+ select GRKERNSEC_CHROOT
52991 -+ select GRKERNSEC_CHROOT_UNIX
52992 -+ select GRKERNSEC_CHROOT_MOUNT
52993 -+ select GRKERNSEC_CHROOT_PIVOT
52994 -+ select GRKERNSEC_CHROOT_DOUBLE
52995 -+ select GRKERNSEC_CHROOT_CHDIR
52996 -+ select GRKERNSEC_CHROOT_MKNOD
52997 -+ select GRKERNSEC_PROC
52998 -+ select GRKERNSEC_PROC_USERGROUP
52999 -+ select GRKERNSEC_MODSTOP if (MODULES)
53000 -+ select PAX_RANDUSTACK
53001 -+ select PAX_ASLR
53002 -+ select PAX_RANDMMAP
53003 -+
53004 -+ help
53005 -+ If you say Y here, several features in addition to those included
53006 -+ in the low additional security level will be enabled. These
53007 -+ features provide even more security to your system, though in rare
53008 -+ cases they may be incompatible with very old or poorly written
53009 -+ software. If you enable this option, make sure that your auth
53010 -+ service (identd) is running as gid 1001. With this option,
53011 -+ the following features (in addition to those provided in the
53012 -+ low additional security level) will be enabled:
53013 -+
53014 -+ - Randomized TCP source ports
53015 -+ - Failed fork logging
53016 -+ - Time change logging
53017 -+ - Signal logging
53018 -+ - Deny mounts in chroot
53019 -+ - Deny double chrooting
53020 -+ - Deny sysctl writes in chroot
53021 -+ - Deny mknod in chroot
53022 -+ - Deny access to abstract AF_UNIX sockets out of chroot
53023 -+ - Deny pivot_root in chroot
53024 -+ - Denied writes of /dev/kmem, /dev/mem, and /dev/port
53025 -+ - /proc restrictions with special GID set to 10 (usually wheel)
53026 -+ - Address Space Layout Randomization (ASLR)
53027 -+
53028 -+config GRKERNSEC_HIGH
53029 -+ bool "High"
53030 -+ select GRKERNSEC_LINK
53031 -+ select GRKERNSEC_FIFO
53032 -+ select GRKERNSEC_EXECVE
53033 -+ select GRKERNSEC_DMESG
53034 -+ select GRKERNSEC_FORKFAIL
53035 -+ select GRKERNSEC_TIME
53036 -+ select GRKERNSEC_SIGNAL
53037 -+ select GRKERNSEC_CHROOT_SHMAT
53038 -+ select GRKERNSEC_CHROOT_UNIX
53039 -+ select GRKERNSEC_CHROOT_MOUNT
53040 -+ select GRKERNSEC_CHROOT_FCHDIR
53041 -+ select GRKERNSEC_CHROOT_PIVOT
53042 -+ select GRKERNSEC_CHROOT_DOUBLE
53043 -+ select GRKERNSEC_CHROOT_CHDIR
53044 -+ select GRKERNSEC_CHROOT_MKNOD
53045 -+ select GRKERNSEC_CHROOT_CAPS
53046 -+ select GRKERNSEC_CHROOT_SYSCTL
53047 -+ select GRKERNSEC_CHROOT_FINDTASK
53048 -+ select GRKERNSEC_PROC
53049 -+ select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
53050 -+ select GRKERNSEC_HIDESYM
53051 -+ select GRKERNSEC_BRUTE
53052 -+ select GRKERNSEC_SHM if (SYSVIPC)
53053 -+ select GRKERNSEC_PROC_USERGROUP
53054 -+ select GRKERNSEC_KMEM
53055 -+ select GRKERNSEC_RESLOG
53056 -+ select GRKERNSEC_RANDNET
53057 -+ select GRKERNSEC_PROC_ADD
53058 -+ select GRKERNSEC_CHROOT_CHMOD
53059 -+ select GRKERNSEC_CHROOT_NICE
53060 -+ select GRKERNSEC_AUDIT_MOUNT
53061 -+ select GRKERNSEC_MODSTOP if (MODULES)
53062 -+ select PAX
53063 -+ select PAX_RANDUSTACK
53064 -+ select PAX_ASLR
53065 -+ select PAX_RANDMMAP
53066 -+ select PAX_NOEXEC
53067 -+ select PAX_MPROTECT
53068 -+ select PAX_EI_PAX
53069 -+ select PAX_PT_PAX_FLAGS
53070 -+ select PAX_HAVE_ACL_FLAGS
53071 -+ select PAX_KERNEXEC if (!X86_64 && !EFI && !COMPAT_VDSO && !PARAVIRT && X86_WP_WORKS_OK)
53072 -+ select PAX_MEMORY_UDEREF if (!X86_64 && !COMPAT_VDSO)
53073 -+ select PAX_RANDKSTACK if (X86_TSC && !X86_64)
53074 -+ select PAX_SEGMEXEC if (X86 && !X86_64)
53075 -+ select PAX_PAGEEXEC if (!X86)
53076 -+ select PAX_EMUPLT if (ALPHA || PARISC || PPC32 || SPARC32 || SPARC64)
53077 -+ select PAX_DLRESOLVE if (SPARC32 || SPARC64)
53078 -+ select PAX_SYSCALL if (PPC32)
53079 -+ select PAX_EMUTRAMP if (PARISC)
53080 -+ select PAX_EMUSIGRT if (PARISC)
53081 -+ select PAX_ETEXECRELOCS if (ALPHA || IA64 || PARISC)
53082 -+ help
53083 -+ If you say Y here, many of the features of grsecurity will be
53084 -+ enabled, which will protect you against many kinds of attacks
53085 -+ against your system. The heightened security comes at a cost
53086 -+ of an increased chance of incompatibilities with rare software
53087 -+ on your machine. Since this security level enables PaX, you should
53088 -+ view <http://pax.grsecurity.net> and read about the PaX
53089 -+ project. While you are there, download chpax and run it on
53090 -+ binaries that cause problems with PaX. Also remember that
53091 -+ since the /proc restrictions are enabled, you must run your
53092 -+ identd as gid 1001. This security level enables the following
53093 -+ features in addition to those listed in the low and medium
53094 -+ security levels:
53095 -+
53096 -+ - Additional /proc restrictions
53097 -+ - Chmod restrictions in chroot
53098 -+ - No signals, ptrace, or viewing of processes outside of chroot
53099 -+ - Capability restrictions in chroot
53100 -+ - Deny fchdir out of chroot
53101 -+ - Priority restrictions in chroot
53102 -+ - Segmentation-based implementation of PaX
53103 -+ - Mprotect restrictions
53104 -+ - Removal of addresses from /proc/<pid>/[smaps|maps|stat]
53105 -+ - Kernel stack randomization
53106 -+ - Mount/unmount/remount logging
53107 -+ - Kernel symbol hiding
53108 -+ - Destroy unused shared memory
53109 -+ - Prevention of memory exhaustion-based exploits
53110 -+config GRKERNSEC_CUSTOM
53111 -+ bool "Custom"
53112 -+ help
53113 -+ If you say Y here, you will be able to configure every grsecurity
53114 -+ option, which allows you to enable many more features that aren't
53115 -+ covered in the basic security levels. These additional features
53116 -+ include TPE, socket restrictions, and the sysctl system for
53117 -+ grsecurity. It is advised that you read through the help for
53118 -+ each option to determine its usefulness in your situation.
53119 -+
53120 -+endchoice
53121 -+
53122 -+menu "Address Space Protection"
53123 -+depends on GRKERNSEC
53124 -+
53125 -+config GRKERNSEC_KMEM
53126 -+ bool "Deny writing to /dev/kmem, /dev/mem, and /dev/port"
53127 -+ help
53128 -+ If you say Y here, /dev/kmem and /dev/mem won't be allowed to
53129 -+ be written to via mmap or otherwise to modify the running kernel.
53130 -+ /dev/port will also not be allowed to be opened. If you have module
53131 -+ support disabled, enabling this will close up four ways that are
53132 -+ currently used to insert malicious code into the running kernel.
53133 -+ Even with all these features enabled, we still highly recommend that
53134 -+ you use the RBAC system, as it is still possible for an attacker to
53135 -+ modify the running kernel through privileged I/O granted by ioperm/iopl.
53136 -+ If you are not using XFree86, you may be able to stop this additional
53137 -+ case by enabling the 'Disable privileged I/O' option. Though nothing
53138 -+ legitimately writes to /dev/kmem, XFree86 does need to write to /dev/mem,
53139 -+ but only to video memory, which is the only writing we allow in this
53140 -+ case. If /dev/kmem or /dev/mem are mmaped without PROT_WRITE, they will
53141 -+ not be allowed to mprotect it with PROT_WRITE later.
53142 -+ It is highly recommended that you say Y here if you meet all the
53143 -+ conditions above.
53144 -+
53145 -+config GRKERNSEC_IO
53146 -+ bool "Disable privileged I/O"
53147 -+ depends on X86
53148 -+ select RTC
53149 -+ help
53150 -+ If you say Y here, all ioperm and iopl calls will return an error.
53151 -+ Ioperm and iopl can be used to modify the running kernel.
53152 -+ Unfortunately, some programs need this access to operate properly,
53153 -+ the most notable of which are XFree86 and hwclock. hwclock can be
53154 -+ remedied by having RTC support in the kernel, so CONFIG_RTC is
53155 -+ enabled if this option is enabled, to ensure that hwclock operates
53156 -+ correctly. XFree86 still will not operate correctly with this option
53157 -+ enabled, so DO NOT CHOOSE Y IF YOU USE XFree86. If you use XFree86
53158 -+ and you still want to protect your kernel against modification,
53159 -+ use the RBAC system.
53160 -+
53161 -+config GRKERNSEC_PROC_MEMMAP
53162 -+ bool "Remove addresses from /proc/<pid>/[smaps|maps|stat]"
53163 -+ depends on PAX_NOEXEC || PAX_ASLR
53164 -+ help
53165 -+ If you say Y here, the /proc/<pid>/maps and /proc/<pid>/stat files will
53166 -+ give no information about the addresses of its mappings if
53167 -+ PaX features that rely on random addresses are enabled on the task.
53168 -+ If you use PaX it is greatly recommended that you say Y here as it
53169 -+ closes up a hole that makes the full ASLR useless for suid
53170 -+ binaries.
53171 -+
53172 -+config GRKERNSEC_BRUTE
53173 -+ bool "Deter exploit bruteforcing"
53174 -+ help
53175 -+ If you say Y here, attempts to bruteforce exploits against forking
53176 -+ daemons such as apache or sshd will be deterred. When a child of a
53177 -+ forking daemon is killed by PaX or crashes due to an illegal
53178 -+ instruction, the parent process will be delayed 30 seconds upon every
53179 -+ subsequent fork until the administrator is able to assess the
53180 -+ situation and restart the daemon. It is recommended that you also
53181 -+ enable signal logging in the auditing section so that logs are
53182 -+ generated when a process performs an illegal instruction.
53183 -+
53184 -+config GRKERNSEC_MODSTOP
53185 -+ bool "Runtime module disabling"
53186 -+ depends on MODULES
53187 -+ help
53188 -+ If you say Y here, you will be able to disable the ability to (un)load
53189 -+ modules at runtime. This feature is useful if you need the ability
53190 -+ to load kernel modules at boot time, but do not want to allow an
53191 -+ attacker to load a rootkit kernel module into the system, or to remove
53192 -+ a loaded kernel module important to system functioning. You should
53193 -+ enable the /dev/mem protection feature as well, since rootkits can be
53194 -+ inserted into the kernel via other methods than kernel modules. Since
53195 -+ an untrusted module could still be loaded by modifying init scripts and
53196 -+ rebooting the system, it is also recommended that you enable the RBAC
53197 -+ system. If you enable this option, a sysctl option with name
53198 -+ "disable_modules" will be created. Setting this option to "1" disables
53199 -+ module loading. After this option is set, no further writes to it are
53200 -+ allowed until the system is rebooted.
53201 -+
53202 -+config GRKERNSEC_HIDESYM
53203 -+ bool "Hide kernel symbols"
53204 -+ help
53205 -+ If you say Y here, getting information on loaded modules, and
53206 -+ displaying all kernel symbols through a syscall will be restricted
53207 -+ to users with CAP_SYS_MODULE. This option is only effective
53208 -+ provided the following conditions are met:
53209 -+ 1) The kernel using grsecurity is not precompiled by some distribution
53210 -+ 2) You are using the RBAC system and hiding other files such as your
53211 -+ kernel image and System.map
53212 -+ 3) You have the additional /proc restrictions enabled, which removes
53213 -+ /proc/kcore
53214 -+ If the above conditions are met, this option will aid to provide a
53215 -+ useful protection against local and remote kernel exploitation of
53216 -+ overflows and arbitrary read/write vulnerabilities.
53217 -+
53218 -+endmenu
53219 -+menu "Role Based Access Control Options"
53220 -+depends on GRKERNSEC
53221 -+
53222 -+config GRKERNSEC_ACL_HIDEKERN
53223 -+ bool "Hide kernel processes"
53224 -+ help
53225 -+ If you say Y here, all kernel threads will be hidden to all
53226 -+ processes but those whose subject has the "view hidden processes"
53227 -+ flag.
53228 -+
53229 -+config GRKERNSEC_ACL_MAXTRIES
53230 -+ int "Maximum tries before password lockout"
53231 -+ default 3
53232 -+ help
53233 -+ This option enforces the maximum number of times a user can attempt
53234 -+ to authorize themselves with the grsecurity RBAC system before being
53235 -+ denied the ability to attempt authorization again for a specified time.
53236 -+ The lower the number, the harder it will be to brute-force a password.
53237 -+
53238 -+config GRKERNSEC_ACL_TIMEOUT
53239 -+ int "Time to wait after max password tries, in seconds"
53240 -+ default 30
53241 -+ help
53242 -+ This option specifies the time the user must wait after attempting to
53243 -+ authorize to the RBAC system with the maximum number of invalid
53244 -+ passwords. The higher the number, the harder it will be to brute-force
53245 -+ a password.
53246 -+
53247 -+endmenu
53248 -+menu "Filesystem Protections"
53249 -+depends on GRKERNSEC
53250 -+
53251 -+config GRKERNSEC_PROC
53252 -+ bool "Proc restrictions"
53253 -+ help
53254 -+ If you say Y here, the permissions of the /proc filesystem
53255 -+ will be altered to enhance system security and privacy. You MUST
53256 -+ choose either a user only restriction or a user and group restriction.
53257 -+ Depending upon the option you choose, you can either restrict users to
53258 -+ see only the processes they themselves run, or choose a group that can
53259 -+ view all processes and files normally restricted to root if you choose
53260 -+ the "restrict to user only" option. NOTE: If you're running identd as
53261 -+ a non-root user, you will have to run it as the group you specify here.
53262 -+
53263 -+config GRKERNSEC_PROC_USER
53264 -+ bool "Restrict /proc to user only"
53265 -+ depends on GRKERNSEC_PROC
53266 -+ help
53267 -+ If you say Y here, non-root users will only be able to view their own
53268 -+ processes, and restricts them from viewing network-related information,
53269 -+ and viewing kernel symbol and module information.
53270 -+
53271 -+config GRKERNSEC_PROC_USERGROUP
53272 -+ bool "Allow special group"
53273 -+ depends on GRKERNSEC_PROC && !GRKERNSEC_PROC_USER
53274 -+ help
53275 -+ If you say Y here, you will be able to select a group that will be
53276 -+ able to view all processes, network-related information, and
53277 -+ kernel and symbol information. This option is useful if you want
53278 -+ to run identd as a non-root user.
53279 -+
53280 -+config GRKERNSEC_PROC_GID
53281 -+ int "GID for special group"
53282 -+ depends on GRKERNSEC_PROC_USERGROUP
53283 -+ default 1001
53284 -+
53285 -+config GRKERNSEC_PROC_ADD
53286 -+ bool "Additional restrictions"
53287 -+ depends on GRKERNSEC_PROC_USER || GRKERNSEC_PROC_USERGROUP
53288 -+ help
53289 -+ If you say Y here, additional restrictions will be placed on
53290 -+ /proc that keep normal users from viewing device information and
53291 -+ slabinfo information that could be useful for exploits.
53292 -+
53293 -+config GRKERNSEC_LINK
53294 -+ bool "Linking restrictions"
53295 -+ help
53296 -+ If you say Y here, /tmp race exploits will be prevented, since users
53297 -+ will no longer be able to follow symlinks owned by other users in
53298 -+ world-writable +t directories (i.e. /tmp), unless the owner of the
53299 -+ symlink is the owner of the directory. users will also not be
53300 -+ able to hardlink to files they do not own. If the sysctl option is
53301 -+ enabled, a sysctl option with name "linking_restrictions" is created.
53302 -+
53303 -+config GRKERNSEC_FIFO
53304 -+ bool "FIFO restrictions"
53305 -+ help
53306 -+ If you say Y here, users will not be able to write to FIFOs they don't
53307 -+ own in world-writable +t directories (i.e. /tmp), unless the owner of
53308 -+ the FIFO is the same owner of the directory it's held in. If the sysctl
53309 -+ option is enabled, a sysctl option with name "fifo_restrictions" is
53310 -+ created.
53311 -+
53312 -+config GRKERNSEC_CHROOT
53313 -+ bool "Chroot jail restrictions"
53314 -+ help
53315 -+ If you say Y here, you will be able to choose several options that will
53316 -+ make breaking out of a chrooted jail much more difficult. If you
53317 -+ encounter no software incompatibilities with the following options, it
53318 -+ is recommended that you enable each one.
53319 -+
53320 -+config GRKERNSEC_CHROOT_MOUNT
53321 -+ bool "Deny mounts"
53322 -+ depends on GRKERNSEC_CHROOT
53323 -+ help
53324 -+ If you say Y here, processes inside a chroot will not be able to
53325 -+ mount or remount filesystems. If the sysctl option is enabled, a
53326 -+ sysctl option with name "chroot_deny_mount" is created.
53327 -+
53328 -+config GRKERNSEC_CHROOT_DOUBLE
53329 -+ bool "Deny double-chroots"
53330 -+ depends on GRKERNSEC_CHROOT
53331 -+ help
53332 -+ If you say Y here, processes inside a chroot will not be able to chroot
53333 -+ again outside the chroot. This is a widely used method of breaking
53334 -+ out of a chroot jail and should not be allowed. If the sysctl
53335 -+ option is enabled, a sysctl option with name
53336 -+ "chroot_deny_chroot" is created.
53337 -+
53338 -+config GRKERNSEC_CHROOT_PIVOT
53339 -+ bool "Deny pivot_root in chroot"
53340 -+ depends on GRKERNSEC_CHROOT
53341 -+ help
53342 -+ If you say Y here, processes inside a chroot will not be able to use
53343 -+ a function called pivot_root() that was introduced in Linux 2.3.41. It
53344 -+ works similar to chroot in that it changes the root filesystem. This
53345 -+ function could be misused in a chrooted process to attempt to break out
53346 -+ of the chroot, and therefore should not be allowed. If the sysctl
53347 -+ option is enabled, a sysctl option with name "chroot_deny_pivot" is
53348 -+ created.
53349 -+
53350 -+config GRKERNSEC_CHROOT_CHDIR
53351 -+ bool "Enforce chdir(\"/\") on all chroots"
53352 -+ depends on GRKERNSEC_CHROOT
53353 -+ help
53354 -+ If you say Y here, the current working directory of all newly-chrooted
53355 -+ applications will be set to the the root directory of the chroot.
53356 -+ The man page on chroot(2) states:
53357 -+ Note that this call does not change the current working
53358 -+ directory, so that `.' can be outside the tree rooted at
53359 -+ `/'. In particular, the super-user can escape from a
53360 -+ `chroot jail' by doing `mkdir foo; chroot foo; cd ..'.
53361 -+
53362 -+ It is recommended that you say Y here, since it's not known to break
53363 -+ any software. If the sysctl option is enabled, a sysctl option with
53364 -+ name "chroot_enforce_chdir" is created.
53365 -+
53366 -+config GRKERNSEC_CHROOT_CHMOD
53367 -+ bool "Deny (f)chmod +s"
53368 -+ depends on GRKERNSEC_CHROOT
53369 -+ help
53370 -+ If you say Y here, processes inside a chroot will not be able to chmod
53371 -+ or fchmod files to make them have suid or sgid bits. This protects
53372 -+ against another published method of breaking a chroot. If the sysctl
53373 -+ option is enabled, a sysctl option with name "chroot_deny_chmod" is
53374 -+ created.
53375 -+
53376 -+config GRKERNSEC_CHROOT_FCHDIR
53377 -+ bool "Deny fchdir out of chroot"
53378 -+ depends on GRKERNSEC_CHROOT
53379 -+ help
53380 -+ If you say Y here, a well-known method of breaking chroots by fchdir'ing
53381 -+ to a file descriptor of the chrooting process that points to a directory
53382 -+ outside the filesystem will be stopped. If the sysctl option
53383 -+ is enabled, a sysctl option with name "chroot_deny_fchdir" is created.
53384 -+
53385 -+config GRKERNSEC_CHROOT_MKNOD
53386 -+ bool "Deny mknod"
53387 -+ depends on GRKERNSEC_CHROOT
53388 -+ help
53389 -+ If you say Y here, processes inside a chroot will not be allowed to
53390 -+ mknod. The problem with using mknod inside a chroot is that it
53391 -+ would allow an attacker to create a device entry that is the same
53392 -+ as one on the physical root of your system, which could range from
53393 -+ anything from the console device to a device for your harddrive (which
53394 -+ they could then use to wipe the drive or steal data). It is recommended
53395 -+ that you say Y here, unless you run into software incompatibilities.
53396 -+ If the sysctl option is enabled, a sysctl option with name
53397 -+ "chroot_deny_mknod" is created.
53398 -+
53399 -+config GRKERNSEC_CHROOT_SHMAT
53400 -+ bool "Deny shmat() out of chroot"
53401 -+ depends on GRKERNSEC_CHROOT
53402 -+ help
53403 -+ If you say Y here, processes inside a chroot will not be able to attach
53404 -+ to shared memory segments that were created outside of the chroot jail.
53405 -+ It is recommended that you say Y here. If the sysctl option is enabled,
53406 -+ a sysctl option with name "chroot_deny_shmat" is created.
53407 -+
53408 -+config GRKERNSEC_CHROOT_UNIX
53409 -+ bool "Deny access to abstract AF_UNIX sockets out of chroot"
53410 -+ depends on GRKERNSEC_CHROOT
53411 -+ help
53412 -+ If you say Y here, processes inside a chroot will not be able to
53413 -+ connect to abstract (meaning not belonging to a filesystem) Unix
53414 -+ domain sockets that were bound outside of a chroot. It is recommended
53415 -+ that you say Y here. If the sysctl option is enabled, a sysctl option
53416 -+ with name "chroot_deny_unix" is created.
53417 -+
53418 -+config GRKERNSEC_CHROOT_FINDTASK
53419 -+ bool "Protect outside processes"
53420 -+ depends on GRKERNSEC_CHROOT
53421 -+ help
53422 -+ If you say Y here, processes inside a chroot will not be able to
53423 -+ kill, send signals with fcntl, ptrace, capget, getpgid, getsid,
53424 -+ or view any process outside of the chroot. If the sysctl
53425 -+ option is enabled, a sysctl option with name "chroot_findtask" is
53426 -+ created.
53427 -+
53428 -+config GRKERNSEC_CHROOT_NICE
53429 -+ bool "Restrict priority changes"
53430 -+ depends on GRKERNSEC_CHROOT
53431 -+ help
53432 -+ If you say Y here, processes inside a chroot will not be able to raise
53433 -+ the priority of processes in the chroot, or alter the priority of
53434 -+ processes outside the chroot. This provides more security than simply
53435 -+ removing CAP_SYS_NICE from the process' capability set. If the
53436 -+ sysctl option is enabled, a sysctl option with name "chroot_restrict_nice"
53437 -+ is created.
53438 -+
53439 -+config GRKERNSEC_CHROOT_SYSCTL
53440 -+ bool "Deny sysctl writes"
53441 -+ depends on GRKERNSEC_CHROOT
53442 -+ help
53443 -+ If you say Y here, an attacker in a chroot will not be able to
53444 -+ write to sysctl entries, either by sysctl(2) or through a /proc
53445 -+ interface. It is strongly recommended that you say Y here. If the
53446 -+ sysctl option is enabled, a sysctl option with name
53447 -+ "chroot_deny_sysctl" is created.
53448 -+
53449 -+config GRKERNSEC_CHROOT_CAPS
53450 -+ bool "Capability restrictions"
53451 -+ depends on GRKERNSEC_CHROOT
53452 -+ help
53453 -+ If you say Y here, the capabilities on all root processes within a
53454 -+ chroot jail will be lowered to stop module insertion, raw i/o,
53455 -+ system and net admin tasks, rebooting the system, modifying immutable
53456 -+ files, modifying IPC owned by another, and changing the system time.
53457 -+ This is left an option because it can break some apps. Disable this
53458 -+ if your chrooted apps are having problems performing those kinds of
53459 -+ tasks. If the sysctl option is enabled, a sysctl option with
53460 -+ name "chroot_caps" is created.
53461 -+
53462 -+endmenu
53463 -+menu "Kernel Auditing"
53464 -+depends on GRKERNSEC
53465 -+
53466 -+config GRKERNSEC_AUDIT_GROUP
53467 -+ bool "Single group for auditing"
53468 -+ help
53469 -+ If you say Y here, the exec, chdir, (un)mount, and ipc logging features
53470 -+ will only operate on a group you specify. This option is recommended
53471 -+ if you only want to watch certain users instead of having a large
53472 -+ amount of logs from the entire system. If the sysctl option is enabled,
53473 -+ a sysctl option with name "audit_group" is created.
53474 -+
53475 -+config GRKERNSEC_AUDIT_GID
53476 -+ int "GID for auditing"
53477 -+ depends on GRKERNSEC_AUDIT_GROUP
53478 -+ default 1007
53479 -+
53480 -+config GRKERNSEC_EXECLOG
53481 -+ bool "Exec logging"
53482 -+ help
53483 -+ If you say Y here, all execve() calls will be logged (since the
53484 -+ other exec*() calls are frontends to execve(), all execution
53485 -+ will be logged). Useful for shell-servers that like to keep track
53486 -+ of their users. If the sysctl option is enabled, a sysctl option with
53487 -+ name "exec_logging" is created.
53488 -+ WARNING: This option when enabled will produce a LOT of logs, especially
53489 -+ on an active system.
53490 -+
53491 -+config GRKERNSEC_RESLOG
53492 -+ bool "Resource logging"
53493 -+ help
53494 -+ If you say Y here, all attempts to overstep resource limits will
53495 -+ be logged with the resource name, the requested size, and the current
53496 -+ limit. It is highly recommended that you say Y here. If the sysctl
53497 -+ option is enabled, a sysctl option with name "resource_logging" is
53498 -+ created. If the RBAC system is enabled, the sysctl value is ignored.
53499 -+
53500 -+config GRKERNSEC_CHROOT_EXECLOG
53501 -+ bool "Log execs within chroot"
53502 -+ help
53503 -+ If you say Y here, all executions inside a chroot jail will be logged
53504 -+ to syslog. This can cause a large amount of logs if certain
53505 -+ applications (eg. djb's daemontools) are installed on the system, and
53506 -+ is therefore left as an option. If the sysctl option is enabled, a
53507 -+ sysctl option with name "chroot_execlog" is created.
53508 -+
53509 -+config GRKERNSEC_AUDIT_CHDIR
53510 -+ bool "Chdir logging"
53511 -+ help
53512 -+ If you say Y here, all chdir() calls will be logged. If the sysctl
53513 -+ option is enabled, a sysctl option with name "audit_chdir" is created.
53514 -+
53515 -+config GRKERNSEC_AUDIT_MOUNT
53516 -+ bool "(Un)Mount logging"
53517 -+ help
53518 -+ If you say Y here, all mounts and unmounts will be logged. If the
53519 -+ sysctl option is enabled, a sysctl option with name "audit_mount" is
53520 -+ created.
53521 -+
53522 -+config GRKERNSEC_AUDIT_IPC
53523 -+ bool "IPC logging"
53524 -+ help
53525 -+ If you say Y here, creation and removal of message queues, semaphores,
53526 -+ and shared memory will be logged. If the sysctl option is enabled, a
53527 -+ sysctl option with name "audit_ipc" is created.
53528 -+
53529 -+config GRKERNSEC_SIGNAL
53530 -+ bool "Signal logging"
53531 -+ help
53532 -+ If you say Y here, certain important signals will be logged, such as
53533 -+ SIGSEGV, which will as a result inform you of when a error in a program
53534 -+ occurred, which in some cases could mean a possible exploit attempt.
53535 -+ If the sysctl option is enabled, a sysctl option with name
53536 -+ "signal_logging" is created.
53537 -+
53538 -+config GRKERNSEC_FORKFAIL
53539 -+ bool "Fork failure logging"
53540 -+ help
53541 -+ If you say Y here, all failed fork() attempts will be logged.
53542 -+ This could suggest a fork bomb, or someone attempting to overstep
53543 -+ their process limit. If the sysctl option is enabled, a sysctl option
53544 -+ with name "forkfail_logging" is created.
53545 -+
53546 -+config GRKERNSEC_TIME
53547 -+ bool "Time change logging"
53548 -+ help
53549 -+ If you say Y here, any changes of the system clock will be logged.
53550 -+ If the sysctl option is enabled, a sysctl option with name
53551 -+ "timechange_logging" is created.
53552 -+
53553 -+config GRKERNSEC_PROC_IPADDR
53554 -+ bool "/proc/<pid>/ipaddr support"
53555 -+ help
53556 -+ If you say Y here, a new entry will be added to each /proc/<pid>
53557 -+ directory that contains the IP address of the person using the task.
53558 -+ The IP is carried across local TCP and AF_UNIX stream sockets.
53559 -+ This information can be useful for IDS/IPSes to perform remote response
53560 -+ to a local attack. The entry is readable by only the owner of the
53561 -+ process (and root if he has CAP_DAC_OVERRIDE, which can be removed via
53562 -+ the RBAC system), and thus does not create privacy concerns.
53563 -+
53564 -+config GRKERNSEC_AUDIT_TEXTREL
53565 -+ bool 'ELF text relocations logging (READ HELP)'
53566 -+ depends on PAX_MPROTECT
53567 -+ help
53568 -+ If you say Y here, text relocations will be logged with the filename
53569 -+ of the offending library or binary. The purpose of the feature is
53570 -+ to help Linux distribution developers get rid of libraries and
53571 -+ binaries that need text relocations which hinder the future progress
53572 -+ of PaX. Only Linux distribution developers should say Y here, and
53573 -+ never on a production machine, as this option creates an information
53574 -+ leak that could aid an attacker in defeating the randomization of
53575 -+ a single memory region. If the sysctl option is enabled, a sysctl
53576 -+ option with name "audit_textrel" is created.
53577 -+
53578 -+endmenu
53579 -+
53580 -+menu "Executable Protections"
53581 -+depends on GRKERNSEC
53582 -+
53583 -+config GRKERNSEC_EXECVE
53584 -+ bool "Enforce RLIMIT_NPROC on execs"
53585 -+ help
53586 -+ If you say Y here, users with a resource limit on processes will
53587 -+ have the value checked during execve() calls. The current system
53588 -+ only checks the system limit during fork() calls. If the sysctl option
53589 -+ is enabled, a sysctl option with name "execve_limiting" is created.
53590 -+
53591 -+config GRKERNSEC_SHM
53592 -+ bool "Destroy unused shared memory"
53593 -+ depends on SYSVIPC
53594 -+ help
53595 -+ If you say Y here, shared memory will be destroyed when no one is
53596 -+ attached to it. Otherwise, resources involved with the shared
53597 -+ memory can be used up and not be associated with any process (as the
53598 -+ shared memory still exists, and the creating process has exited). If
53599 -+ the sysctl option is enabled, a sysctl option with name
53600 -+ "destroy_unused_shm" is created.
53601 -+
53602 -+config GRKERNSEC_DMESG
53603 -+ bool "Dmesg(8) restriction"
53604 -+ help
53605 -+ If you say Y here, non-root users will not be able to use dmesg(8)
53606 -+ to view up to the last 4kb of messages in the kernel's log buffer.
53607 -+ If the sysctl option is enabled, a sysctl option with name "dmesg" is
53608 -+ created.
53609 -+
53610 -+config GRKERNSEC_TPE
53611 -+ bool "Trusted Path Execution (TPE)"
53612 -+ help
53613 -+ If you say Y here, you will be able to choose a gid to add to the
53614 -+ supplementary groups of users you want to mark as "untrusted."
53615 -+ These users will not be able to execute any files that are not in
53616 -+ root-owned directories writable only by root. If the sysctl option
53617 -+ is enabled, a sysctl option with name "tpe" is created.
53618 -+
53619 -+config GRKERNSEC_TPE_ALL
53620 -+ bool "Partially restrict non-root users"
53621 -+ depends on GRKERNSEC_TPE
53622 -+ help
53623 -+ If you say Y here, All non-root users other than the ones in the
53624 -+ group specified in the main TPE option will only be allowed to
53625 -+ execute files in directories they own that are not group or
53626 -+ world-writable, or in directories owned by root and writable only by
53627 -+ root. If the sysctl option is enabled, a sysctl option with name
53628 -+ "tpe_restrict_all" is created.
53629 -+
53630 -+config GRKERNSEC_TPE_INVERT
53631 -+ bool "Invert GID option"
53632 -+ depends on GRKERNSEC_TPE
53633 -+ help
53634 -+ If you say Y here, the group you specify in the TPE configuration will
53635 -+ decide what group TPE restrictions will be *disabled* for. This
53636 -+ option is useful if you want TPE restrictions to be applied to most
53637 -+ users on the system.
53638 -+
53639 -+config GRKERNSEC_TPE_GID
53640 -+ int "GID for untrusted users"
53641 -+ depends on GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT
53642 -+ default 1005
53643 -+ help
53644 -+ If you have selected the "Invert GID option" above, setting this
53645 -+ GID determines what group TPE restrictions will be *disabled* for.
53646 -+ If you have not selected the "Invert GID option" above, setting this
53647 -+ GID determines what group TPE restrictions will be *enabled* for.
53648 -+ If the sysctl option is enabled, a sysctl option with name "tpe_gid"
53649 -+ is created.
53650 -+
53651 -+config GRKERNSEC_TPE_GID
53652 -+ int "GID for trusted users"
53653 -+ depends on GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT
53654 -+ default 1005
53655 -+ help
53656 -+ If you have selected the "Invert GID option" above, setting this
53657 -+ GID determines what group TPE restrictions will be *disabled* for.
53658 -+ If you have not selected the "Invert GID option" above, setting this
53659 -+ GID determines what group TPE restrictions will be *enabled* for.
53660 -+ If the sysctl option is enabled, a sysctl option with name "tpe_gid"
53661 -+ is created.
53662 -+
53663 -+endmenu
53664 -+menu "Network Protections"
53665 -+depends on GRKERNSEC
53666 -+
53667 -+config GRKERNSEC_RANDNET
53668 -+ bool "Larger entropy pools"
53669 -+ help
53670 -+ If you say Y here, the entropy pools used for many features of Linux
53671 -+ and grsecurity will be doubled in size. Since several grsecurity
53672 -+ features use additional randomness, it is recommended that you say Y
53673 -+ here. Saying Y here has a similar effect as modifying
53674 -+ /proc/sys/kernel/random/poolsize.
53675 -+
53676 -+config GRKERNSEC_SOCKET
53677 -+ bool "Socket restrictions"
53678 -+ help
53679 -+ If you say Y here, you will be able to choose from several options.
53680 -+ If you assign a GID on your system and add it to the supplementary
53681 -+ groups of users you want to restrict socket access to, this patch
53682 -+ will perform up to three things, based on the option(s) you choose.
53683 -+
53684 -+config GRKERNSEC_SOCKET_ALL
53685 -+ bool "Deny any sockets to group"
53686 -+ depends on GRKERNSEC_SOCKET
53687 -+ help
53688 -+ If you say Y here, you will be able to choose a GID of whose users will
53689 -+ be unable to connect to other hosts from your machine or run server
53690 -+ applications from your machine. If the sysctl option is enabled, a
53691 -+ sysctl option with name "socket_all" is created.
53692 -+
53693 -+config GRKERNSEC_SOCKET_ALL_GID
53694 -+ int "GID to deny all sockets for"
53695 -+ depends on GRKERNSEC_SOCKET_ALL
53696 -+ default 1004
53697 -+ help
53698 -+ Here you can choose the GID to disable socket access for. Remember to
53699 -+ add the users you want socket access disabled for to the GID
53700 -+ specified here. If the sysctl option is enabled, a sysctl option
53701 -+ with name "socket_all_gid" is created.
53702 -+
53703 -+config GRKERNSEC_SOCKET_CLIENT
53704 -+ bool "Deny client sockets to group"
53705 -+ depends on GRKERNSEC_SOCKET
53706 -+ help
53707 -+ If you say Y here, you will be able to choose a GID of whose users will
53708 -+ be unable to connect to other hosts from your machine, but will be
53709 -+ able to run servers. If this option is enabled, all users in the group
53710 -+ you specify will have to use passive mode when initiating ftp transfers
53711 -+ from the shell on your machine. If the sysctl option is enabled, a
53712 -+ sysctl option with name "socket_client" is created.
53713 -+
53714 -+config GRKERNSEC_SOCKET_CLIENT_GID
53715 -+ int "GID to deny client sockets for"
53716 -+ depends on GRKERNSEC_SOCKET_CLIENT
53717 -+ default 1003
53718 -+ help
53719 -+ Here you can choose the GID to disable client socket access for.
53720 -+ Remember to add the users you want client socket access disabled for to
53721 -+ the GID specified here. If the sysctl option is enabled, a sysctl
53722 -+ option with name "socket_client_gid" is created.
53723 -+
53724 -+config GRKERNSEC_SOCKET_SERVER
53725 -+ bool "Deny server sockets to group"
53726 -+ depends on GRKERNSEC_SOCKET
53727 -+ help
53728 -+ If you say Y here, you will be able to choose a GID of whose users will
53729 -+ be unable to run server applications from your machine. If the sysctl
53730 -+ option is enabled, a sysctl option with name "socket_server" is created.
53731 -+
53732 -+config GRKERNSEC_SOCKET_SERVER_GID
53733 -+ int "GID to deny server sockets for"
53734 -+ depends on GRKERNSEC_SOCKET_SERVER
53735 -+ default 1002
53736 -+ help
53737 -+ Here you can choose the GID to disable server socket access for.
53738 -+ Remember to add the users you want server socket access disabled for to
53739 -+ the GID specified here. If the sysctl option is enabled, a sysctl
53740 -+ option with name "socket_server_gid" is created.
53741 -+
53742 -+endmenu
53743 -+menu "Sysctl support"
53744 -+depends on GRKERNSEC && SYSCTL
53745 -+
53746 -+config GRKERNSEC_SYSCTL
53747 -+ bool "Sysctl support"
53748 -+ help
53749 -+ If you say Y here, you will be able to change the options that
53750 -+ grsecurity runs with at bootup, without having to recompile your
53751 -+ kernel. You can echo values to files in /proc/sys/kernel/grsecurity
53752 -+ to enable (1) or disable (0) various features. All the sysctl entries
53753 -+ are mutable until the "grsec_lock" entry is set to a non-zero value.
53754 -+ All features enabled in the kernel configuration are disabled at boot
53755 -+ if you do not say Y to the "Turn on features by default" option.
53756 -+ All options should be set at startup, and the grsec_lock entry should
53757 -+ be set to a non-zero value after all the options are set.
53758 -+ *THIS IS EXTREMELY IMPORTANT*
53759 -+
53760 -+config GRKERNSEC_SYSCTL_ON
53761 -+ bool "Turn on features by default"
53762 -+ depends on GRKERNSEC_SYSCTL
53763 -+ help
53764 -+ If you say Y here, instead of having all features enabled in the
53765 -+ kernel configuration disabled at boot time, the features will be
53766 -+ enabled at boot time. It is recommended you say Y here unless
53767 -+ there is some reason you would want all sysctl-tunable features to
53768 -+ be disabled by default. As mentioned elsewhere, it is important
53769 -+ to enable the grsec_lock entry once you have finished modifying
53770 -+ the sysctl entries.
53771 -+
53772 -+endmenu
53773 -+menu "Logging Options"
53774 -+depends on GRKERNSEC
53775 -+
53776 -+config GRKERNSEC_FLOODTIME
53777 -+ int "Seconds in between log messages (minimum)"
53778 -+ default 10
53779 -+ help
53780 -+ This option allows you to enforce the number of seconds between
53781 -+ grsecurity log messages. The default should be suitable for most
53782 -+ people, however, if you choose to change it, choose a value small enough
53783 -+ to allow informative logs to be produced, but large enough to
53784 -+ prevent flooding.
53785 -+
53786 -+config GRKERNSEC_FLOODBURST
53787 -+ int "Number of messages in a burst (maximum)"
53788 -+ default 4
53789 -+ help
53790 -+ This option allows you to choose the maximum number of messages allowed
53791 -+ within the flood time interval you chose in a separate option. The
53792 -+ default should be suitable for most people, however if you find that
53793 -+ many of your logs are being interpreted as flooding, you may want to
53794 -+ raise this value.
53795 -+
53796 -+endmenu
53797 -+
53798 -+endmenu
53799 -diff -Nurp linux-2.6.23.15/grsecurity/Makefile linux-2.6.23.15-grsec/grsecurity/Makefile
53800 ---- linux-2.6.23.15/grsecurity/Makefile 1970-01-01 01:00:00.000000000 +0100
53801 -+++ linux-2.6.23.15-grsec/grsecurity/Makefile 2008-02-11 10:37:44.000000000 +0000
53802 -@@ -0,0 +1,20 @@
53803 -+# grsecurity's ACL system was originally written in 2001 by Michael Dalton
53804 -+# during 2001-2005 it has been completely redesigned by Brad Spengler
53805 -+# into an RBAC system
53806 -+#
53807 -+# All code in this directory and various hooks inserted throughout the kernel
53808 -+# are copyright Brad Spengler, and released under the GPL v2 or higher
53809 -+
53810 -+obj-y = grsec_chdir.o grsec_chroot.o grsec_exec.o grsec_fifo.o grsec_fork.o \
53811 -+ grsec_mount.o grsec_sig.o grsec_sock.o grsec_sysctl.o \
53812 -+ grsec_time.o grsec_tpe.o grsec_ipc.o grsec_link.o grsec_textrel.o
53813 -+
53814 -+obj-$(CONFIG_GRKERNSEC) += grsec_init.o grsum.o gracl.o gracl_ip.o gracl_segv.o \
53815 -+ gracl_cap.o gracl_alloc.o gracl_shm.o grsec_mem.o gracl_fs.o \
53816 -+ gracl_learn.o grsec_log.o
53817 -+obj-$(CONFIG_GRKERNSEC_RESLOG) += gracl_res.o
53818 -+
53819 -+ifndef CONFIG_GRKERNSEC
53820 -+obj-y += grsec_disabled.o
53821 -+endif
53822 -+
53823 -diff -Nurp linux-2.6.23.15/grsecurity/gracl.c linux-2.6.23.15-grsec/grsecurity/gracl.c
53824 ---- linux-2.6.23.15/grsecurity/gracl.c 1970-01-01 01:00:00.000000000 +0100
53825 -+++ linux-2.6.23.15-grsec/grsecurity/gracl.c 2008-02-11 10:37:44.000000000 +0000
53826 -@@ -0,0 +1,3722 @@
53827 -+#include <linux/kernel.h>
53828 -+#include <linux/module.h>
53829 -+#include <linux/sched.h>
53830 -+#include <linux/mm.h>
53831 -+#include <linux/file.h>
53832 -+#include <linux/fs.h>
53833 -+#include <linux/namei.h>
53834 -+#include <linux/mount.h>
53835 -+#include <linux/tty.h>
53836 -+#include <linux/proc_fs.h>
53837 -+#include <linux/smp_lock.h>
53838 -+#include <linux/slab.h>
53839 -+#include <linux/vmalloc.h>
53840 -+#include <linux/types.h>
53841 -+#include <linux/capability.h>
53842 -+#include <linux/sysctl.h>
53843 -+#include <linux/netdevice.h>
53844 -+#include <linux/ptrace.h>
53845 -+#include <linux/gracl.h>
53846 -+#include <linux/gralloc.h>
53847 -+#include <linux/grsecurity.h>
53848 -+#include <linux/grinternal.h>
53849 -+#include <linux/pid_namespace.h>
53850 -+#include <linux/percpu.h>
53851 -+
53852 -+#include <asm/uaccess.h>
53853 -+#include <asm/errno.h>
53854 -+#include <asm/mman.h>
53855 -+
53856 -+static struct acl_role_db acl_role_set;
53857 -+static struct name_db name_set;
53858 -+static struct inodev_db inodev_set;
53859 -+
53860 -+/* for keeping track of userspace pointers used for subjects, so we
53861 -+ can share references in the kernel as well
53862 -+*/
53863 -+
53864 -+static struct dentry *real_root;
53865 -+static struct vfsmount *real_root_mnt;
53866 -+
53867 -+static struct acl_subj_map_db subj_map_set;
53868 -+
53869 -+static struct acl_role_label *default_role;
53870 -+
53871 -+static u16 acl_sp_role_value;
53872 -+
53873 -+extern char *gr_shared_page[4];
53874 -+static DECLARE_MUTEX(gr_dev_sem);
53875 -+rwlock_t gr_inode_lock = RW_LOCK_UNLOCKED;
53876 -+
53877 -+struct gr_arg *gr_usermode;
53878 -+
53879 -+static unsigned int gr_status = GR_STATUS_INIT;
53880 -+
53881 -+extern int chkpw(struct gr_arg *entry, unsigned char *salt, unsigned char *sum);
53882 -+extern void gr_clear_learn_entries(void);
53883 -+
53884 -+#ifdef CONFIG_GRKERNSEC_RESLOG
53885 -+extern void gr_log_resource(const struct task_struct *task,
53886 -+ const int res, const unsigned long wanted, const int gt);
53887 -+#endif
53888 -+
53889 -+unsigned char *gr_system_salt;
53890 -+unsigned char *gr_system_sum;
53891 -+
53892 -+static struct sprole_pw **acl_special_roles = NULL;
53893 -+static __u16 num_sprole_pws = 0;
53894 -+
53895 -+static struct acl_role_label *kernel_role = NULL;
53896 -+
53897 -+static unsigned int gr_auth_attempts = 0;
53898 -+static unsigned long gr_auth_expires = 0UL;
53899 -+
53900 -+extern struct vfsmount *sock_mnt;
53901 -+extern struct vfsmount *pipe_mnt;
53902 -+extern struct vfsmount *shm_mnt;
53903 -+static struct acl_object_label *fakefs_obj;
53904 -+
53905 -+extern int gr_init_uidset(void);
53906 -+extern void gr_free_uidset(void);
53907 -+extern void gr_remove_uid(uid_t uid);
53908 -+extern int gr_find_uid(uid_t uid);
53909 -+
53910 -+__inline__ int
53911 -+gr_acl_is_enabled(void)
53912 -+{
53913 -+ return (gr_status & GR_READY);
53914 -+}
53915 -+
53916 -+char gr_roletype_to_char(void)
53917 -+{
53918 -+ switch (current->role->roletype &
53919 -+ (GR_ROLE_DEFAULT | GR_ROLE_USER | GR_ROLE_GROUP |
53920 -+ GR_ROLE_SPECIAL)) {
53921 -+ case GR_ROLE_DEFAULT:
53922 -+ return 'D';
53923 -+ case GR_ROLE_USER:
53924 -+ return 'U';
53925 -+ case GR_ROLE_GROUP:
53926 -+ return 'G';
53927 -+ case GR_ROLE_SPECIAL:
53928 -+ return 'S';
53929 -+ }
53930 -+
53931 -+ return 'X';
53932 -+}
53933 -+
53934 -+__inline__ int
53935 -+gr_acl_tpe_check(void)
53936 -+{
53937 -+ if (unlikely(!(gr_status & GR_READY)))
53938 -+ return 0;
53939 -+ if (current->role->roletype & GR_ROLE_TPE)
53940 -+ return 1;
53941 -+ else
53942 -+ return 0;
53943 -+}
53944 -+
53945 -+int
53946 -+gr_handle_rawio(const struct inode *inode)
53947 -+{
53948 -+#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
53949 -+ if (inode && S_ISBLK(inode->i_mode) &&
53950 -+ grsec_enable_chroot_caps && proc_is_chrooted(current) &&
53951 -+ !capable(CAP_SYS_RAWIO))
53952 -+ return 1;
53953 -+#endif
53954 -+ return 0;
53955 -+}
53956 -+
53957 -+static int
53958 -+gr_streq(const char *a, const char *b, const unsigned int lena, const unsigned int lenb)
53959 -+{
53960 -+ int i;
53961 -+ unsigned long *l1;
53962 -+ unsigned long *l2;
53963 -+ unsigned char *c1;
53964 -+ unsigned char *c2;
53965 -+ int num_longs;
53966 -+
53967 -+ if (likely(lena != lenb))
53968 -+ return 0;
53969 -+
53970 -+ l1 = (unsigned long *)a;
53971 -+ l2 = (unsigned long *)b;
53972 -+
53973 -+ num_longs = lena / sizeof(unsigned long);
53974 -+
53975 -+ for (i = num_longs; i--; l1++, l2++) {
53976 -+ if (unlikely(*l1 != *l2))
53977 -+ return 0;
53978 -+ }
53979 -+
53980 -+ c1 = (unsigned char *) l1;
53981 -+ c2 = (unsigned char *) l2;
53982 -+
53983 -+ i = lena - (num_longs * sizeof(unsigned long));
53984 -+
53985 -+ for (; i--; c1++, c2++) {
53986 -+ if (unlikely(*c1 != *c2))
53987 -+ return 0;
53988 -+ }
53989 -+
53990 -+ return 1;
53991 -+}
53992 -+
53993 -+static char * __our_d_path(struct dentry *dentry, struct vfsmount *vfsmnt,
53994 -+ struct dentry *root, struct vfsmount *rootmnt,
53995 -+ char *buffer, int buflen)
53996 -+{
53997 -+ char * end = buffer+buflen;
53998 -+ char * retval;
53999 -+ int namelen;
54000 -+
54001 -+ *--end = '\0';
54002 -+ buflen--;
54003 -+
54004 -+ if (buflen < 1)
54005 -+ goto Elong;
54006 -+ /* Get '/' right */
54007 -+ retval = end-1;
54008 -+ *retval = '/';
54009 -+
54010 -+ for (;;) {
54011 -+ struct dentry * parent;
54012 -+
54013 -+ if (dentry == root && vfsmnt == rootmnt)
54014 -+ break;
54015 -+ if (dentry == vfsmnt->mnt_root || IS_ROOT(dentry)) {
54016 -+ /* Global root? */
54017 -+ spin_lock(&vfsmount_lock);
54018 -+ if (vfsmnt->mnt_parent == vfsmnt) {
54019 -+ spin_unlock(&vfsmount_lock);
54020 -+ goto global_root;
54021 -+ }
54022 -+ dentry = vfsmnt->mnt_mountpoint;
54023 -+ vfsmnt = vfsmnt->mnt_parent;
54024 -+ spin_unlock(&vfsmount_lock);
54025 -+ continue;
54026 -+ }
54027 -+ parent = dentry->d_parent;
54028 -+ prefetch(parent);
54029 -+ namelen = dentry->d_name.len;
54030 -+ buflen -= namelen + 1;
54031 -+ if (buflen < 0)
54032 -+ goto Elong;
54033 -+ end -= namelen;
54034 -+ memcpy(end, dentry->d_name.name, namelen);
54035 -+ *--end = '/';
54036 -+ retval = end;
54037 -+ dentry = parent;
54038 -+ }
54039 -+
54040 -+ return retval;
54041 -+
54042 -+global_root:
54043 -+ namelen = dentry->d_name.len;
54044 -+ buflen -= namelen;
54045 -+ if (buflen < 0)
54046 -+ goto Elong;
54047 -+ retval -= namelen-1; /* hit the slash */
54048 -+ memcpy(retval, dentry->d_name.name, namelen);
54049 -+ return retval;
54050 -+Elong:
54051 -+ return ERR_PTR(-ENAMETOOLONG);
54052 -+}
54053 -+
54054 -+static char *
54055 -+gen_full_path(struct dentry *dentry, struct vfsmount *vfsmnt,
54056 -+ struct dentry *root, struct vfsmount *rootmnt, char *buf, int buflen)
54057 -+{
54058 -+ char *retval;
54059 -+
54060 -+ retval = __our_d_path(dentry, vfsmnt, root, rootmnt, buf, buflen);
54061 -+ if (unlikely(IS_ERR(retval)))
54062 -+ retval = strcpy(buf, "<path too long>");
54063 -+ else if (unlikely(retval[1] == '/' && retval[2] == '\0'))
54064 -+ retval[1] = '\0';
54065 -+
54066 -+ return retval;
54067 -+}
54068 -+
54069 -+static char *
54070 -+__d_real_path(const struct dentry *dentry, const struct vfsmount *vfsmnt,
54071 -+ char *buf, int buflen)
54072 -+{
54073 -+ char *res;
54074 -+
54075 -+ /* we can use real_root, real_root_mnt, because this is only called
54076 -+ by the RBAC system */
54077 -+ res = gen_full_path((struct dentry *)dentry, (struct vfsmount *)vfsmnt, real_root, real_root_mnt, buf, buflen);
54078 -+
54079 -+ return res;
54080 -+}
54081 -+
54082 -+static char *
54083 -+d_real_path(const struct dentry *dentry, const struct vfsmount *vfsmnt,
54084 -+ char *buf, int buflen)
54085 -+{
54086 -+ char *res;
54087 -+ struct dentry *root;
54088 -+ struct vfsmount *rootmnt;
54089 -+ struct task_struct *reaper = child_reaper(current);
54090 -+
54091 -+ /* we can't use real_root, real_root_mnt, because they belong only to the RBAC system */
54092 -+ read_lock(&reaper->fs->lock);
54093 -+ root = dget(reaper->fs->root);
54094 -+ rootmnt = mntget(reaper->fs->rootmnt);
54095 -+ read_unlock(&reaper->fs->lock);
54096 -+
54097 -+ spin_lock(&dcache_lock);
54098 -+ res = gen_full_path((struct dentry *)dentry, (struct vfsmount *)vfsmnt, root, rootmnt, buf, buflen);
54099 -+ spin_unlock(&dcache_lock);
54100 -+
54101 -+ dput(root);
54102 -+ mntput(rootmnt);
54103 -+ return res;
54104 -+}
54105 -+
54106 -+static char *
54107 -+gr_to_filename_rbac(const struct dentry *dentry, const struct vfsmount *mnt)
54108 -+{
54109 -+ char *ret;
54110 -+ spin_lock(&dcache_lock);
54111 -+ ret = __d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0],smp_processor_id()),
54112 -+ PAGE_SIZE);
54113 -+ spin_unlock(&dcache_lock);
54114 -+ return ret;
54115 -+}
54116 -+
54117 -+char *
54118 -+gr_to_filename_nolock(const struct dentry *dentry, const struct vfsmount *mnt)
54119 -+{
54120 -+ return __d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0],smp_processor_id()),
54121 -+ PAGE_SIZE);
54122 -+}
54123 -+
54124 -+char *
54125 -+gr_to_filename(const struct dentry *dentry, const struct vfsmount *mnt)
54126 -+{
54127 -+ return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0], smp_processor_id()),
54128 -+ PAGE_SIZE);
54129 -+}
54130 -+
54131 -+char *
54132 -+gr_to_filename1(const struct dentry *dentry, const struct vfsmount *mnt)
54133 -+{
54134 -+ return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[1], smp_processor_id()),
54135 -+ PAGE_SIZE);
54136 -+}
54137 -+
54138 -+char *
54139 -+gr_to_filename2(const struct dentry *dentry, const struct vfsmount *mnt)
54140 -+{
54141 -+ return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[2], smp_processor_id()),
54142 -+ PAGE_SIZE);
54143 -+}
54144 -+
54145 -+char *
54146 -+gr_to_filename3(const struct dentry *dentry, const struct vfsmount *mnt)
54147 -+{
54148 -+ return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[3], smp_processor_id()),
54149 -+ PAGE_SIZE);
54150 -+}
54151 -+
54152 -+__inline__ __u32
54153 -+to_gr_audit(const __u32 reqmode)
54154 -+{
54155 -+ /* masks off auditable permission flags, then shifts them to create
54156 -+ auditing flags, and adds the special case of append auditing if
54157 -+ we're requesting write */
54158 -+ return (((reqmode & ~GR_AUDITS) << 10) | ((reqmode & GR_WRITE) ? GR_AUDIT_APPEND : 0));
54159 -+}
54160 -+
54161 -+struct acl_subject_label *
54162 -+lookup_subject_map(const struct acl_subject_label *userp)
54163 -+{
54164 -+ unsigned int index = shash(userp, subj_map_set.s_size);
54165 -+ struct subject_map *match;
54166 -+
54167 -+ match = subj_map_set.s_hash[index];
54168 -+
54169 -+ while (match && match->user != userp)
54170 -+ match = match->next;
54171 -+
54172 -+ if (match != NULL)
54173 -+ return match->kernel;
54174 -+ else
54175 -+ return NULL;
54176 -+}
54177 -+
54178 -+static void
54179 -+insert_subj_map_entry(struct subject_map *subjmap)
54180 -+{
54181 -+ unsigned int index = shash(subjmap->user, subj_map_set.s_size);
54182 -+ struct subject_map **curr;
54183 -+
54184 -+ subjmap->prev = NULL;
54185 -+
54186 -+ curr = &subj_map_set.s_hash[index];
54187 -+ if (*curr != NULL)
54188 -+ (*curr)->prev = subjmap;
54189 -+
54190 -+ subjmap->next = *curr;
54191 -+ *curr = subjmap;
54192 -+
54193 -+ return;
54194 -+}
54195 -+
54196 -+static struct acl_role_label *
54197 -+lookup_acl_role_label(const struct task_struct *task, const uid_t uid,
54198 -+ const gid_t gid)
54199 -+{
54200 -+ unsigned int index = rhash(uid, GR_ROLE_USER, acl_role_set.r_size);
54201 -+ struct acl_role_label *match;
54202 -+ struct role_allowed_ip *ipp;
54203 -+ unsigned int x;
54204 -+
54205 -+ match = acl_role_set.r_hash[index];
54206 -+
54207 -+ while (match) {
54208 -+ if ((match->roletype & (GR_ROLE_DOMAIN | GR_ROLE_USER)) == (GR_ROLE_DOMAIN | GR_ROLE_USER)) {
54209 -+ for (x = 0; x < match->domain_child_num; x++) {
54210 -+ if (match->domain_children[x] == uid)
54211 -+ goto found;
54212 -+ }
54213 -+ } else if (match->uidgid == uid && match->roletype & GR_ROLE_USER)
54214 -+ break;
54215 -+ match = match->next;
54216 -+ }
54217 -+found:
54218 -+ if (match == NULL) {
54219 -+ try_group:
54220 -+ index = rhash(gid, GR_ROLE_GROUP, acl_role_set.r_size);
54221 -+ match = acl_role_set.r_hash[index];
54222 -+
54223 -+ while (match) {
54224 -+ if ((match->roletype & (GR_ROLE_DOMAIN | GR_ROLE_GROUP)) == (GR_ROLE_DOMAIN | GR_ROLE_GROUP)) {
54225 -+ for (x = 0; x < match->domain_child_num; x++) {
54226 -+ if (match->domain_children[x] == gid)
54227 -+ goto found2;
54228 -+ }
54229 -+ } else if (match->uidgid == gid && match->roletype & GR_ROLE_GROUP)
54230 -+ break;
54231 -+ match = match->next;
54232 -+ }
54233 -+found2:
54234 -+ if (match == NULL)
54235 -+ match = default_role;
54236 -+ if (match->allowed_ips == NULL)
54237 -+ return match;
54238 -+ else {
54239 -+ for (ipp = match->allowed_ips; ipp; ipp = ipp->next) {
54240 -+ if (likely
54241 -+ ((ntohl(task->signal->curr_ip) & ipp->netmask) ==
54242 -+ (ntohl(ipp->addr) & ipp->netmask)))
54243 -+ return match;
54244 -+ }
54245 -+ match = default_role;
54246 -+ }
54247 -+ } else if (match->allowed_ips == NULL) {
54248 -+ return match;
54249 -+ } else {
54250 -+ for (ipp = match->allowed_ips; ipp; ipp = ipp->next) {
54251 -+ if (likely
54252 -+ ((ntohl(task->signal->curr_ip) & ipp->netmask) ==
54253 -+ (ntohl(ipp->addr) & ipp->netmask)))
54254 -+ return match;
54255 -+ }
54256 -+ goto try_group;
54257 -+ }
54258 -+
54259 -+ return match;
54260 -+}
54261 -+
54262 -+struct acl_subject_label *
54263 -+lookup_acl_subj_label(const ino_t ino, const dev_t dev,
54264 -+ const struct acl_role_label *role)
54265 -+{
54266 -+ unsigned int index = fhash(ino, dev, role->subj_hash_size);
54267 -+ struct acl_subject_label *match;
54268 -+
54269 -+ match = role->subj_hash[index];
54270 -+
54271 -+ while (match && (match->inode != ino || match->device != dev ||
54272 -+ (match->mode & GR_DELETED))) {
54273 -+ match = match->next;
54274 -+ }
54275 -+
54276 -+ if (match && !(match->mode & GR_DELETED))
54277 -+ return match;
54278 -+ else
54279 -+ return NULL;
54280 -+}
54281 -+
54282 -+static struct acl_object_label *
54283 -+lookup_acl_obj_label(const ino_t ino, const dev_t dev,
54284 -+ const struct acl_subject_label *subj)
54285 -+{
54286 -+ unsigned int index = fhash(ino, dev, subj->obj_hash_size);
54287 -+ struct acl_object_label *match;
54288 -+
54289 -+ match = subj->obj_hash[index];
54290 -+
54291 -+ while (match && (match->inode != ino || match->device != dev ||
54292 -+ (match->mode & GR_DELETED))) {
54293 -+ match = match->next;
54294 -+ }
54295 -+
54296 -+ if (match && !(match->mode & GR_DELETED))
54297 -+ return match;
54298 -+ else
54299 -+ return NULL;
54300 -+}
54301 -+
54302 -+static struct acl_object_label *
54303 -+lookup_acl_obj_label_create(const ino_t ino, const dev_t dev,
54304 -+ const struct acl_subject_label *subj)
54305 -+{
54306 -+ unsigned int index = fhash(ino, dev, subj->obj_hash_size);
54307 -+ struct acl_object_label *match;
54308 -+
54309 -+ match = subj->obj_hash[index];
54310 -+
54311 -+ while (match && (match->inode != ino || match->device != dev ||
54312 -+ !(match->mode & GR_DELETED))) {
54313 -+ match = match->next;
54314 -+ }
54315 -+
54316 -+ if (match && (match->mode & GR_DELETED))
54317 -+ return match;
54318 -+
54319 -+ match = subj->obj_hash[index];
54320 -+
54321 -+ while (match && (match->inode != ino || match->device != dev ||
54322 -+ (match->mode & GR_DELETED))) {
54323 -+ match = match->next;
54324 -+ }
54325 -+
54326 -+ if (match && !(match->mode & GR_DELETED))
54327 -+ return match;
54328 -+ else
54329 -+ return NULL;
54330 -+}
54331 -+
54332 -+static struct name_entry *
54333 -+lookup_name_entry(const char *name)
54334 -+{
54335 -+ unsigned int len = strlen(name);
54336 -+ unsigned int key = full_name_hash(name, len);
54337 -+ unsigned int index = key % name_set.n_size;
54338 -+ struct name_entry *match;
54339 -+
54340 -+ match = name_set.n_hash[index];
54341 -+
54342 -+ while (match && (match->key != key || !gr_streq(match->name, name, match->len, len)))
54343 -+ match = match->next;
54344 -+
54345 -+ return match;
54346 -+}
54347 -+
54348 -+static struct name_entry *
54349 -+lookup_name_entry_create(const char *name)
54350 -+{
54351 -+ unsigned int len = strlen(name);
54352 -+ unsigned int key = full_name_hash(name, len);
54353 -+ unsigned int index = key % name_set.n_size;
54354 -+ struct name_entry *match;
54355 -+
54356 -+ match = name_set.n_hash[index];
54357 -+
54358 -+ while (match && (match->key != key || !gr_streq(match->name, name, match->len, len) ||
54359 -+ !match->deleted))
54360 -+ match = match->next;
54361 -+
54362 -+ if (match && match->deleted)
54363 -+ return match;
54364 -+
54365 -+ match = name_set.n_hash[index];
54366 -+
54367 -+ while (match && (match->key != key || !gr_streq(match->name, name, match->len, len) ||
54368 -+ match->deleted))
54369 -+ match = match->next;
54370 -+
54371 -+ if (match && !match->deleted)
54372 -+ return match;
54373 -+ else
54374 -+ return NULL;
54375 -+}
54376 -+
54377 -+static struct inodev_entry *
54378 -+lookup_inodev_entry(const ino_t ino, const dev_t dev)
54379 -+{
54380 -+ unsigned int index = fhash(ino, dev, inodev_set.i_size);
54381 -+ struct inodev_entry *match;
54382 -+
54383 -+ match = inodev_set.i_hash[index];
54384 -+
54385 -+ while (match && (match->nentry->inode != ino || match->nentry->device != dev))
54386 -+ match = match->next;
54387 -+
54388 -+ return match;
54389 -+}
54390 -+
54391 -+static void
54392 -+insert_inodev_entry(struct inodev_entry *entry)
54393 -+{
54394 -+ unsigned int index = fhash(entry->nentry->inode, entry->nentry->device,
54395 -+ inodev_set.i_size);
54396 -+ struct inodev_entry **curr;
54397 -+
54398 -+ entry->prev = NULL;
54399 -+
54400 -+ curr = &inodev_set.i_hash[index];
54401 -+ if (*curr != NULL)
54402 -+ (*curr)->prev = entry;
54403 -+
54404 -+ entry->next = *curr;
54405 -+ *curr = entry;
54406 -+
54407 -+ return;
54408 -+}
54409 -+
54410 -+static void
54411 -+__insert_acl_role_label(struct acl_role_label *role, uid_t uidgid)
54412 -+{
54413 -+ unsigned int index =
54414 -+ rhash(uidgid, role->roletype & (GR_ROLE_USER | GR_ROLE_GROUP), acl_role_set.r_size);
54415 -+ struct acl_role_label **curr;
54416 -+
54417 -+ role->prev = NULL;
54418 -+
54419 -+ curr = &acl_role_set.r_hash[index];
54420 -+ if (*curr != NULL)
54421 -+ (*curr)->prev = role;
54422 -+
54423 -+ role->next = *curr;
54424 -+ *curr = role;
54425 -+
54426 -+ return;
54427 -+}
54428 -+
54429 -+static void
54430 -+insert_acl_role_label(struct acl_role_label *role)
54431 -+{
54432 -+ int i;
54433 -+
54434 -+ if (role->roletype & GR_ROLE_DOMAIN) {
54435 -+ for (i = 0; i < role->domain_child_num; i++)
54436 -+ __insert_acl_role_label(role, role->domain_children[i]);
54437 -+ } else
54438 -+ __insert_acl_role_label(role, role->uidgid);
54439 -+}
54440 -+
54441 -+static int
54442 -+insert_name_entry(char *name, const ino_t inode, const dev_t device, __u8 deleted)
54443 -+{
54444 -+ struct name_entry **curr, *nentry;
54445 -+ struct inodev_entry *ientry;
54446 -+ unsigned int len = strlen(name);
54447 -+ unsigned int key = full_name_hash(name, len);
54448 -+ unsigned int index = key % name_set.n_size;
54449 -+
54450 -+ curr = &name_set.n_hash[index];
54451 -+
54452 -+ while (*curr && ((*curr)->key != key || !gr_streq((*curr)->name, name, (*curr)->len, len)))
54453 -+ curr = &((*curr)->next);
54454 -+
54455 -+ if (*curr != NULL)
54456 -+ return 1;
54457 -+
54458 -+ nentry = acl_alloc(sizeof (struct name_entry));
54459 -+ if (nentry == NULL)
54460 -+ return 0;
54461 -+ ientry = acl_alloc(sizeof (struct inodev_entry));
54462 -+ if (ientry == NULL)
54463 -+ return 0;
54464 -+ ientry->nentry = nentry;
54465 -+
54466 -+ nentry->key = key;
54467 -+ nentry->name = name;
54468 -+ nentry->inode = inode;
54469 -+ nentry->device = device;
54470 -+ nentry->len = len;
54471 -+ nentry->deleted = deleted;
54472 -+
54473 -+ nentry->prev = NULL;
54474 -+ curr = &name_set.n_hash[index];
54475 -+ if (*curr != NULL)
54476 -+ (*curr)->prev = nentry;
54477 -+ nentry->next = *curr;
54478 -+ *curr = nentry;
54479 -+
54480 -+ /* insert us into the table searchable by inode/dev */
54481 -+ insert_inodev_entry(ientry);
54482 -+
54483 -+ return 1;
54484 -+}
54485 -+
54486 -+static void
54487 -+insert_acl_obj_label(struct acl_object_label *obj,
54488 -+ struct acl_subject_label *subj)
54489 -+{
54490 -+ unsigned int index =
54491 -+ fhash(obj->inode, obj->device, subj->obj_hash_size);
54492 -+ struct acl_object_label **curr;
54493 -+
54494 -+
54495 -+ obj->prev = NULL;
54496 -+
54497 -+ curr = &subj->obj_hash[index];
54498 -+ if (*curr != NULL)
54499 -+ (*curr)->prev = obj;
54500 -+
54501 -+ obj->next = *curr;
54502 -+ *curr = obj;
54503 -+
54504 -+ return;
54505 -+}
54506 -+
54507 -+static void
54508 -+insert_acl_subj_label(struct acl_subject_label *obj,
54509 -+ struct acl_role_label *role)
54510 -+{
54511 -+ unsigned int index = fhash(obj->inode, obj->device, role->subj_hash_size);
54512 -+ struct acl_subject_label **curr;
54513 -+
54514 -+ obj->prev = NULL;
54515 -+
54516 -+ curr = &role->subj_hash[index];
54517 -+ if (*curr != NULL)
54518 -+ (*curr)->prev = obj;
54519 -+
54520 -+ obj->next = *curr;
54521 -+ *curr = obj;
54522 -+
54523 -+ return;
54524 -+}
54525 -+
54526 -+/* allocating chained hash tables, so optimal size is where lambda ~ 1 */
54527 -+
54528 -+static void *
54529 -+create_table(__u32 * len, int elementsize)
54530 -+{
54531 -+ unsigned int table_sizes[] = {
54532 -+ 7, 13, 31, 61, 127, 251, 509, 1021, 2039, 4093, 8191, 16381,
54533 -+ 32749, 65521, 131071, 262139, 524287, 1048573, 2097143,
54534 -+ 4194301, 8388593, 16777213, 33554393, 67108859, 134217689,
54535 -+ 268435399, 536870909, 1073741789, 2147483647
54536 -+ };
54537 -+ void *newtable = NULL;
54538 -+ unsigned int pwr = 0;
54539 -+
54540 -+ while ((pwr < ((sizeof (table_sizes) / sizeof (table_sizes[0])) - 1)) &&
54541 -+ table_sizes[pwr] <= *len)
54542 -+ pwr++;
54543 -+
54544 -+ if (table_sizes[pwr] <= *len)
54545 -+ return newtable;
54546 -+
54547 -+ if ((table_sizes[pwr] * elementsize) <= PAGE_SIZE)
54548 -+ newtable =
54549 -+ kmalloc(table_sizes[pwr] * elementsize, GFP_KERNEL);
54550 -+ else
54551 -+ newtable = vmalloc(table_sizes[pwr] * elementsize);
54552 -+
54553 -+ *len = table_sizes[pwr];
54554 -+
54555 -+ return newtable;
54556 -+}
54557 -+
54558 -+static int
54559 -+init_variables(const struct gr_arg *arg)
54560 -+{
54561 -+ struct task_struct *reaper = child_reaper(current);
54562 -+ unsigned int stacksize;
54563 -+
54564 -+ subj_map_set.s_size = arg->role_db.num_subjects;
54565 -+ acl_role_set.r_size = arg->role_db.num_roles + arg->role_db.num_domain_children;
54566 -+ name_set.n_size = arg->role_db.num_objects;
54567 -+ inodev_set.i_size = arg->role_db.num_objects;
54568 -+
54569 -+ if (!subj_map_set.s_size || !acl_role_set.r_size ||
54570 -+ !name_set.n_size || !inodev_set.i_size)
54571 -+ return 1;
54572 -+
54573 -+ if (!gr_init_uidset())
54574 -+ return 1;
54575 -+
54576 -+ /* set up the stack that holds allocation info */
54577 -+
54578 -+ stacksize = arg->role_db.num_pointers + 5;
54579 -+
54580 -+ if (!acl_alloc_stack_init(stacksize))
54581 -+ return 1;
54582 -+
54583 -+ /* grab reference for the real root dentry and vfsmount */
54584 -+ read_lock(&reaper->fs->lock);
54585 -+ real_root_mnt = mntget(reaper->fs->rootmnt);
54586 -+ real_root = dget(reaper->fs->root);
54587 -+ read_unlock(&reaper->fs->lock);
54588 -+
54589 -+ fakefs_obj = acl_alloc(sizeof(struct acl_object_label));
54590 -+ if (fakefs_obj == NULL)
54591 -+ return 1;
54592 -+ fakefs_obj->mode = GR_FIND | GR_READ | GR_WRITE | GR_EXEC;
54593 -+
54594 -+ subj_map_set.s_hash =
54595 -+ (struct subject_map **) create_table(&subj_map_set.s_size, sizeof(void *));
54596 -+ acl_role_set.r_hash =
54597 -+ (struct acl_role_label **) create_table(&acl_role_set.r_size, sizeof(void *));
54598 -+ name_set.n_hash = (struct name_entry **) create_table(&name_set.n_size, sizeof(void *));
54599 -+ inodev_set.i_hash =
54600 -+ (struct inodev_entry **) create_table(&inodev_set.i_size, sizeof(void *));
54601 -+
54602 -+ if (!subj_map_set.s_hash || !acl_role_set.r_hash ||
54603 -+ !name_set.n_hash || !inodev_set.i_hash)
54604 -+ return 1;
54605 -+
54606 -+ memset(subj_map_set.s_hash, 0,
54607 -+ sizeof(struct subject_map *) * subj_map_set.s_size);
54608 -+ memset(acl_role_set.r_hash, 0,
54609 -+ sizeof (struct acl_role_label *) * acl_role_set.r_size);
54610 -+ memset(name_set.n_hash, 0,
54611 -+ sizeof (struct name_entry *) * name_set.n_size);
54612 -+ memset(inodev_set.i_hash, 0,
54613 -+ sizeof (struct inodev_entry *) * inodev_set.i_size);
54614 -+
54615 -+ return 0;
54616 -+}
54617 -+
54618 -+/* free information not needed after startup
54619 -+ currently contains user->kernel pointer mappings for subjects
54620 -+*/
54621 -+
54622 -+static void
54623 -+free_init_variables(void)
54624 -+{
54625 -+ __u32 i;
54626 -+
54627 -+ if (subj_map_set.s_hash) {
54628 -+ for (i = 0; i < subj_map_set.s_size; i++) {
54629 -+ if (subj_map_set.s_hash[i]) {
54630 -+ kfree(subj_map_set.s_hash[i]);
54631 -+ subj_map_set.s_hash[i] = NULL;
54632 -+ }
54633 -+ }
54634 -+
54635 -+ if ((subj_map_set.s_size * sizeof (struct subject_map *)) <=
54636 -+ PAGE_SIZE)
54637 -+ kfree(subj_map_set.s_hash);
54638 -+ else
54639 -+ vfree(subj_map_set.s_hash);
54640 -+ }
54641 -+
54642 -+ return;
54643 -+}
54644 -+
54645 -+static void
54646 -+free_variables(void)
54647 -+{
54648 -+ struct acl_subject_label *s;
54649 -+ struct acl_role_label *r;
54650 -+ struct task_struct *task, *task2;
54651 -+ unsigned int i, x;
54652 -+
54653 -+ gr_clear_learn_entries();
54654 -+
54655 -+ read_lock(&tasklist_lock);
54656 -+ do_each_thread(task2, task) {
54657 -+ task->acl_sp_role = 0;
54658 -+ task->acl_role_id = 0;
54659 -+ task->acl = NULL;
54660 -+ task->role = NULL;
54661 -+ } while_each_thread(task2, task);
54662 -+ read_unlock(&tasklist_lock);
54663 -+
54664 -+ /* release the reference to the real root dentry and vfsmount */
54665 -+ if (real_root)
54666 -+ dput(real_root);
54667 -+ real_root = NULL;
54668 -+ if (real_root_mnt)
54669 -+ mntput(real_root_mnt);
54670 -+ real_root_mnt = NULL;
54671 -+
54672 -+ /* free all object hash tables */
54673 -+
54674 -+ FOR_EACH_ROLE_START(r, i)
54675 -+ if (r->subj_hash == NULL)
54676 -+ break;
54677 -+ FOR_EACH_SUBJECT_START(r, s, x)
54678 -+ if (s->obj_hash == NULL)
54679 -+ break;
54680 -+ if ((s->obj_hash_size * sizeof (struct acl_object_label *)) <= PAGE_SIZE)
54681 -+ kfree(s->obj_hash);
54682 -+ else
54683 -+ vfree(s->obj_hash);
54684 -+ FOR_EACH_SUBJECT_END(s, x)
54685 -+ FOR_EACH_NESTED_SUBJECT_START(r, s)
54686 -+ if (s->obj_hash == NULL)
54687 -+ break;
54688 -+ if ((s->obj_hash_size * sizeof (struct acl_object_label *)) <= PAGE_SIZE)
54689 -+ kfree(s->obj_hash);
54690 -+ else
54691 -+ vfree(s->obj_hash);
54692 -+ FOR_EACH_NESTED_SUBJECT_END(s)
54693 -+ if ((r->subj_hash_size * sizeof (struct acl_subject_label *)) <= PAGE_SIZE)
54694 -+ kfree(r->subj_hash);
54695 -+ else
54696 -+ vfree(r->subj_hash);
54697 -+ r->subj_hash = NULL;
54698 -+ FOR_EACH_ROLE_END(r,i)
54699 -+
54700 -+ acl_free_all();
54701 -+
54702 -+ if (acl_role_set.r_hash) {
54703 -+ if ((acl_role_set.r_size * sizeof (struct acl_role_label *)) <=
54704 -+ PAGE_SIZE)
54705 -+ kfree(acl_role_set.r_hash);
54706 -+ else
54707 -+ vfree(acl_role_set.r_hash);
54708 -+ }
54709 -+ if (name_set.n_hash) {
54710 -+ if ((name_set.n_size * sizeof (struct name_entry *)) <=
54711 -+ PAGE_SIZE)
54712 -+ kfree(name_set.n_hash);
54713 -+ else
54714 -+ vfree(name_set.n_hash);
54715 -+ }
54716 -+
54717 -+ if (inodev_set.i_hash) {
54718 -+ if ((inodev_set.i_size * sizeof (struct inodev_entry *)) <=
54719 -+ PAGE_SIZE)
54720 -+ kfree(inodev_set.i_hash);
54721 -+ else
54722 -+ vfree(inodev_set.i_hash);
54723 -+ }
54724 -+
54725 -+ gr_free_uidset();
54726 -+
54727 -+ memset(&name_set, 0, sizeof (struct name_db));
54728 -+ memset(&inodev_set, 0, sizeof (struct inodev_db));
54729 -+ memset(&acl_role_set, 0, sizeof (struct acl_role_db));
54730 -+ memset(&subj_map_set, 0, sizeof (struct acl_subj_map_db));
54731 -+
54732 -+ default_role = NULL;
54733 -+
54734 -+ return;
54735 -+}
54736 -+
54737 -+static __u32
54738 -+count_user_objs(struct acl_object_label *userp)
54739 -+{
54740 -+ struct acl_object_label o_tmp;
54741 -+ __u32 num = 0;
54742 -+
54743 -+ while (userp) {
54744 -+ if (copy_from_user(&o_tmp, userp,
54745 -+ sizeof (struct acl_object_label)))
54746 -+ break;
54747 -+
54748 -+ userp = o_tmp.prev;
54749 -+ num++;
54750 -+ }
54751 -+
54752 -+ return num;
54753 -+}
54754 -+
54755 -+static struct acl_subject_label *
54756 -+do_copy_user_subj(struct acl_subject_label *userp, struct acl_role_label *role);
54757 -+
54758 -+static int
54759 -+copy_user_glob(struct acl_object_label *obj)
54760 -+{
54761 -+ struct acl_object_label *g_tmp, **guser;
54762 -+ unsigned int len;
54763 -+ char *tmp;
54764 -+
54765 -+ if (obj->globbed == NULL)
54766 -+ return 0;
54767 -+
54768 -+ guser = &obj->globbed;
54769 -+ while (*guser) {
54770 -+ g_tmp = (struct acl_object_label *)
54771 -+ acl_alloc(sizeof (struct acl_object_label));
54772 -+ if (g_tmp == NULL)
54773 -+ return -ENOMEM;
54774 -+
54775 -+ if (copy_from_user(g_tmp, *guser,
54776 -+ sizeof (struct acl_object_label)))
54777 -+ return -EFAULT;
54778 -+
54779 -+ len = strnlen_user(g_tmp->filename, PATH_MAX);
54780 -+
54781 -+ if (!len || len >= PATH_MAX)
54782 -+ return -EINVAL;
54783 -+
54784 -+ if ((tmp = (char *) acl_alloc(len)) == NULL)
54785 -+ return -ENOMEM;
54786 -+
54787 -+ if (copy_from_user(tmp, g_tmp->filename, len))
54788 -+ return -EFAULT;
54789 -+
54790 -+ g_tmp->filename = tmp;
54791 -+
54792 -+ *guser = g_tmp;
54793 -+ guser = &(g_tmp->next);
54794 -+ }
54795 -+
54796 -+ return 0;
54797 -+}
54798 -+
54799 -+static int
54800 -+copy_user_objs(struct acl_object_label *userp, struct acl_subject_label *subj,
54801 -+ struct acl_role_label *role)
54802 -+{
54803 -+ struct acl_object_label *o_tmp;
54804 -+ unsigned int len;
54805 -+ int ret;
54806 -+ char *tmp;
54807 -+
54808 -+ while (userp) {
54809 -+ if ((o_tmp = (struct acl_object_label *)
54810 -+ acl_alloc(sizeof (struct acl_object_label))) == NULL)
54811 -+ return -ENOMEM;
54812 -+
54813 -+ if (copy_from_user(o_tmp, userp,
54814 -+ sizeof (struct acl_object_label)))
54815 -+ return -EFAULT;
54816 -+
54817 -+ userp = o_tmp->prev;
54818 -+
54819 -+ len = strnlen_user(o_tmp->filename, PATH_MAX);
54820 -+
54821 -+ if (!len || len >= PATH_MAX)
54822 -+ return -EINVAL;
54823 -+
54824 -+ if ((tmp = (char *) acl_alloc(len)) == NULL)
54825 -+ return -ENOMEM;
54826 -+
54827 -+ if (copy_from_user(tmp, o_tmp->filename, len))
54828 -+ return -EFAULT;
54829 -+
54830 -+ o_tmp->filename = tmp;
54831 -+
54832 -+ insert_acl_obj_label(o_tmp, subj);
54833 -+ if (!insert_name_entry(o_tmp->filename, o_tmp->inode,
54834 -+ o_tmp->device, (o_tmp->mode & GR_DELETED) ? 1 : 0))
54835 -+ return -ENOMEM;
54836 -+
54837 -+ ret = copy_user_glob(o_tmp);
54838 -+ if (ret)
54839 -+ return ret;
54840 -+
54841 -+ if (o_tmp->nested) {
54842 -+ o_tmp->nested = do_copy_user_subj(o_tmp->nested, role);
54843 -+ if (IS_ERR(o_tmp->nested))
54844 -+ return PTR_ERR(o_tmp->nested);
54845 -+
54846 -+ /* insert into nested subject list */
54847 -+ o_tmp->nested->next = role->hash->first;
54848 -+ role->hash->first = o_tmp->nested;
54849 -+ }
54850 -+ }
54851 -+
54852 -+ return 0;
54853 -+}
54854 -+
54855 -+static __u32
54856 -+count_user_subjs(struct acl_subject_label *userp)
54857 -+{
54858 -+ struct acl_subject_label s_tmp;
54859 -+ __u32 num = 0;
54860 -+
54861 -+ while (userp) {
54862 -+ if (copy_from_user(&s_tmp, userp,
54863 -+ sizeof (struct acl_subject_label)))
54864 -+ break;
54865 -+
54866 -+ userp = s_tmp.prev;
54867 -+ /* do not count nested subjects against this count, since
54868 -+ they are not included in the hash table, but are
54869 -+ attached to objects. We have already counted
54870 -+ the subjects in userspace for the allocation
54871 -+ stack
54872 -+ */
54873 -+ if (!(s_tmp.mode & GR_NESTED))
54874 -+ num++;
54875 -+ }
54876 -+
54877 -+ return num;
54878 -+}
54879 -+
54880 -+static int
54881 -+copy_user_allowedips(struct acl_role_label *rolep)
54882 -+{
54883 -+ struct role_allowed_ip *ruserip, *rtmp = NULL, *rlast;
54884 -+
54885 -+ ruserip = rolep->allowed_ips;
54886 -+
54887 -+ while (ruserip) {
54888 -+ rlast = rtmp;
54889 -+
54890 -+ if ((rtmp = (struct role_allowed_ip *)
54891 -+ acl_alloc(sizeof (struct role_allowed_ip))) == NULL)
54892 -+ return -ENOMEM;
54893 -+
54894 -+ if (copy_from_user(rtmp, ruserip,
54895 -+ sizeof (struct role_allowed_ip)))
54896 -+ return -EFAULT;
54897 -+
54898 -+ ruserip = rtmp->prev;
54899 -+
54900 -+ if (!rlast) {
54901 -+ rtmp->prev = NULL;
54902 -+ rolep->allowed_ips = rtmp;
54903 -+ } else {
54904 -+ rlast->next = rtmp;
54905 -+ rtmp->prev = rlast;
54906 -+ }
54907 -+
54908 -+ if (!ruserip)
54909 -+ rtmp->next = NULL;
54910 -+ }
54911 -+
54912 -+ return 0;
54913 -+}
54914 -+
54915 -+static int
54916 -+copy_user_transitions(struct acl_role_label *rolep)
54917 -+{
54918 -+ struct role_transition *rusertp, *rtmp = NULL, *rlast;
54919 -+
54920 -+ unsigned int len;
54921 -+ char *tmp;
54922 -+
54923 -+ rusertp = rolep->transitions;
54924 -+
54925 -+ while (rusertp) {
54926 -+ rlast = rtmp;
54927 -+
54928 -+ if ((rtmp = (struct role_transition *)
54929 -+ acl_alloc(sizeof (struct role_transition))) == NULL)
54930 -+ return -ENOMEM;
54931 -+
54932 -+ if (copy_from_user(rtmp, rusertp,
54933 -+ sizeof (struct role_transition)))
54934 -+ return -EFAULT;
54935 -+
54936 -+ rusertp = rtmp->prev;
54937 -+
54938 -+ len = strnlen_user(rtmp->rolename, GR_SPROLE_LEN);
54939 -+
54940 -+ if (!len || len >= GR_SPROLE_LEN)
54941 -+ return -EINVAL;
54942 -+
54943 -+ if ((tmp = (char *) acl_alloc(len)) == NULL)
54944 -+ return -ENOMEM;
54945 -+
54946 -+ if (copy_from_user(tmp, rtmp->rolename, len))
54947 -+ return -EFAULT;
54948 -+
54949 -+ rtmp->rolename = tmp;
54950 -+
54951 -+ if (!rlast) {
54952 -+ rtmp->prev = NULL;
54953 -+ rolep->transitions = rtmp;
54954 -+ } else {
54955 -+ rlast->next = rtmp;
54956 -+ rtmp->prev = rlast;
54957 -+ }
54958 -+
54959 -+ if (!rusertp)
54960 -+ rtmp->next = NULL;
54961 -+ }
54962 -+
54963 -+ return 0;
54964 -+}
54965 -+
54966 -+static struct acl_subject_label *
54967 -+do_copy_user_subj(struct acl_subject_label *userp, struct acl_role_label *role)
54968 -+{
54969 -+ struct acl_subject_label *s_tmp = NULL, *s_tmp2;
54970 -+ unsigned int len;
54971 -+ char *tmp;
54972 -+ __u32 num_objs;
54973 -+ struct acl_ip_label **i_tmp, *i_utmp2;
54974 -+ struct gr_hash_struct ghash;
54975 -+ struct subject_map *subjmap;
54976 -+ unsigned int i_num;
54977 -+ int err;
54978 -+
54979 -+ s_tmp = lookup_subject_map(userp);
54980 -+
54981 -+ /* we've already copied this subject into the kernel, just return
54982 -+ the reference to it, and don't copy it over again
54983 -+ */
54984 -+ if (s_tmp)
54985 -+ return(s_tmp);
54986 -+
54987 -+ if ((s_tmp = (struct acl_subject_label *)
54988 -+ acl_alloc(sizeof (struct acl_subject_label))) == NULL)
54989 -+ return ERR_PTR(-ENOMEM);
54990 -+
54991 -+ subjmap = (struct subject_map *)kmalloc(sizeof (struct subject_map), GFP_KERNEL);
54992 -+ if (subjmap == NULL)
54993 -+ return ERR_PTR(-ENOMEM);
54994 -+
54995 -+ subjmap->user = userp;
54996 -+ subjmap->kernel = s_tmp;
54997 -+ insert_subj_map_entry(subjmap);
54998 -+
54999 -+ if (copy_from_user(s_tmp, userp,
55000 -+ sizeof (struct acl_subject_label)))
55001 -+ return ERR_PTR(-EFAULT);
55002 -+
55003 -+ len = strnlen_user(s_tmp->filename, PATH_MAX);
55004 -+
55005 -+ if (!len || len >= PATH_MAX)
55006 -+ return ERR_PTR(-EINVAL);
55007 -+
55008 -+ if ((tmp = (char *) acl_alloc(len)) == NULL)
55009 -+ return ERR_PTR(-ENOMEM);
55010 -+
55011 -+ if (copy_from_user(tmp, s_tmp->filename, len))
55012 -+ return ERR_PTR(-EFAULT);
55013 -+
55014 -+ s_tmp->filename = tmp;
55015 -+
55016 -+ if (!strcmp(s_tmp->filename, "/"))
55017 -+ role->root_label = s_tmp;
55018 -+
55019 -+ if (copy_from_user(&ghash, s_tmp->hash, sizeof(struct gr_hash_struct)))
55020 -+ return ERR_PTR(-EFAULT);
55021 -+
55022 -+ /* copy user and group transition tables */
55023 -+
55024 -+ if (s_tmp->user_trans_num) {
55025 -+ uid_t *uidlist;
55026 -+
55027 -+ uidlist = (uid_t *)acl_alloc(s_tmp->user_trans_num * sizeof(uid_t));
55028 -+ if (uidlist == NULL)
55029 -+ return ERR_PTR(-ENOMEM);
55030 -+ if (copy_from_user(uidlist, s_tmp->user_transitions, s_tmp->user_trans_num * sizeof(uid_t)))
55031 -+ return ERR_PTR(-EFAULT);
55032 -+
55033 -+ s_tmp->user_transitions = uidlist;
55034 -+ }
55035 -+
55036 -+ if (s_tmp->group_trans_num) {
55037 -+ gid_t *gidlist;
55038 -+
55039 -+ gidlist = (gid_t *)acl_alloc(s_tmp->group_trans_num * sizeof(gid_t));
55040 -+ if (gidlist == NULL)
55041 -+ return ERR_PTR(-ENOMEM);
55042 -+ if (copy_from_user(gidlist, s_tmp->group_transitions, s_tmp->group_trans_num * sizeof(gid_t)))
55043 -+ return ERR_PTR(-EFAULT);
55044 -+
55045 -+ s_tmp->group_transitions = gidlist;
55046 -+ }
55047 -+
55048 -+ /* set up object hash table */
55049 -+ num_objs = count_user_objs(ghash.first);
55050 -+
55051 -+ s_tmp->obj_hash_size = num_objs;
55052 -+ s_tmp->obj_hash =
55053 -+ (struct acl_object_label **)
55054 -+ create_table(&(s_tmp->obj_hash_size), sizeof(void *));
55055 -+
55056 -+ if (!s_tmp->obj_hash)
55057 -+ return ERR_PTR(-ENOMEM);
55058 -+
55059 -+ memset(s_tmp->obj_hash, 0,
55060 -+ s_tmp->obj_hash_size *
55061 -+ sizeof (struct acl_object_label *));
55062 -+
55063 -+ /* add in objects */
55064 -+ err = copy_user_objs(ghash.first, s_tmp, role);
55065 -+
55066 -+ if (err)
55067 -+ return ERR_PTR(err);
55068 -+
55069 -+ /* set pointer for parent subject */
55070 -+ if (s_tmp->parent_subject) {
55071 -+ s_tmp2 = do_copy_user_subj(s_tmp->parent_subject, role);
55072 -+
55073 -+ if (IS_ERR(s_tmp2))
55074 -+ return s_tmp2;
55075 -+
55076 -+ s_tmp->parent_subject = s_tmp2;
55077 -+ }
55078 -+
55079 -+ /* add in ip acls */
55080 -+
55081 -+ if (!s_tmp->ip_num) {
55082 -+ s_tmp->ips = NULL;
55083 -+ goto insert;
55084 -+ }
55085 -+
55086 -+ i_tmp =
55087 -+ (struct acl_ip_label **) acl_alloc(s_tmp->ip_num *
55088 -+ sizeof (struct
55089 -+ acl_ip_label *));
55090 -+
55091 -+ if (!i_tmp)
55092 -+ return ERR_PTR(-ENOMEM);
55093 -+
55094 -+ for (i_num = 0; i_num < s_tmp->ip_num; i_num++) {
55095 -+ *(i_tmp + i_num) =
55096 -+ (struct acl_ip_label *)
55097 -+ acl_alloc(sizeof (struct acl_ip_label));
55098 -+ if (!*(i_tmp + i_num))
55099 -+ return ERR_PTR(-ENOMEM);
55100 -+
55101 -+ if (copy_from_user
55102 -+ (&i_utmp2, s_tmp->ips + i_num,
55103 -+ sizeof (struct acl_ip_label *)))
55104 -+ return ERR_PTR(-EFAULT);
55105 -+
55106 -+ if (copy_from_user
55107 -+ (*(i_tmp + i_num), i_utmp2,
55108 -+ sizeof (struct acl_ip_label)))
55109 -+ return ERR_PTR(-EFAULT);
55110 -+
55111 -+ if ((*(i_tmp + i_num))->iface == NULL)
55112 -+ continue;
55113 -+
55114 -+ len = strnlen_user((*(i_tmp + i_num))->iface, IFNAMSIZ);
55115 -+ if (!len || len >= IFNAMSIZ)
55116 -+ return ERR_PTR(-EINVAL);
55117 -+ tmp = acl_alloc(len);
55118 -+ if (tmp == NULL)
55119 -+ return ERR_PTR(-ENOMEM);
55120 -+ if (copy_from_user(tmp, (*(i_tmp + i_num))->iface, len))
55121 -+ return ERR_PTR(-EFAULT);
55122 -+ (*(i_tmp + i_num))->iface = tmp;
55123 -+ }
55124 -+
55125 -+ s_tmp->ips = i_tmp;
55126 -+
55127 -+insert:
55128 -+ if (!insert_name_entry(s_tmp->filename, s_tmp->inode,
55129 -+ s_tmp->device, (s_tmp->mode & GR_DELETED) ? 1 : 0))
55130 -+ return ERR_PTR(-ENOMEM);
55131 -+
55132 -+ return s_tmp;
55133 -+}
55134 -+
55135 -+static int
55136 -+copy_user_subjs(struct acl_subject_label *userp, struct acl_role_label *role)
55137 -+{
55138 -+ struct acl_subject_label s_pre;
55139 -+ struct acl_subject_label * ret;
55140 -+ int err;
55141 -+
55142 -+ while (userp) {
55143 -+ if (copy_from_user(&s_pre, userp,
55144 -+ sizeof (struct acl_subject_label)))
55145 -+ return -EFAULT;
55146 -+
55147 -+ /* do not add nested subjects here, add
55148 -+ while parsing objects
55149 -+ */
55150 -+
55151 -+ if (s_pre.mode & GR_NESTED) {
55152 -+ userp = s_pre.prev;
55153 -+ continue;
55154 -+ }
55155 -+
55156 -+ ret = do_copy_user_subj(userp, role);
55157 -+
55158 -+ err = PTR_ERR(ret);
55159 -+ if (IS_ERR(ret))
55160 -+ return err;
55161 -+
55162 -+ insert_acl_subj_label(ret, role);
55163 -+
55164 -+ userp = s_pre.prev;
55165 -+ }
55166 -+
55167 -+ return 0;
55168 -+}
55169 -+
55170 -+static int
55171 -+copy_user_acl(struct gr_arg *arg)
55172 -+{
55173 -+ struct acl_role_label *r_tmp = NULL, **r_utmp, *r_utmp2;
55174 -+ struct sprole_pw *sptmp;
55175 -+ struct gr_hash_struct *ghash;
55176 -+ uid_t *domainlist;
55177 -+ unsigned int r_num;
55178 -+ unsigned int len;
55179 -+ char *tmp;
55180 -+ int err = 0;
55181 -+ __u16 i;
55182 -+ __u32 num_subjs;
55183 -+
55184 -+ /* we need a default and kernel role */
55185 -+ if (arg->role_db.num_roles < 2)
55186 -+ return -EINVAL;
55187 -+
55188 -+ /* copy special role authentication info from userspace */
55189 -+
55190 -+ num_sprole_pws = arg->num_sprole_pws;
55191 -+ acl_special_roles = (struct sprole_pw **) acl_alloc(num_sprole_pws * sizeof(struct sprole_pw *));
55192 -+
55193 -+ if (!acl_special_roles) {
55194 -+ err = -ENOMEM;
55195 -+ goto cleanup;
55196 -+ }
55197 -+
55198 -+ for (i = 0; i < num_sprole_pws; i++) {
55199 -+ sptmp = (struct sprole_pw *) acl_alloc(sizeof(struct sprole_pw));
55200 -+ if (!sptmp) {
55201 -+ err = -ENOMEM;
55202 -+ goto cleanup;
55203 -+ }
55204 -+ if (copy_from_user(sptmp, arg->sprole_pws + i,
55205 -+ sizeof (struct sprole_pw))) {
55206 -+ err = -EFAULT;
55207 -+ goto cleanup;
55208 -+ }
55209 -+
55210 -+ len =
55211 -+ strnlen_user(sptmp->rolename, GR_SPROLE_LEN);
55212 -+
55213 -+ if (!len || len >= GR_SPROLE_LEN) {
55214 -+ err = -EINVAL;
55215 -+ goto cleanup;
55216 -+ }
55217 -+
55218 -+ if ((tmp = (char *) acl_alloc(len)) == NULL) {
55219 -+ err = -ENOMEM;
55220 -+ goto cleanup;
55221 -+ }
55222 -+
55223 -+ if (copy_from_user(tmp, sptmp->rolename, len)) {
55224 -+ err = -EFAULT;
55225 -+ goto cleanup;
55226 -+ }
55227 -+
55228 -+#ifdef CONFIG_GRKERNSEC_ACL_DEBUG
55229 -+ printk(KERN_ALERT "Copying special role %s\n", tmp);
55230 -+#endif
55231 -+ sptmp->rolename = tmp;
55232 -+ acl_special_roles[i] = sptmp;
55233 -+ }
55234 -+
55235 -+ r_utmp = (struct acl_role_label **) arg->role_db.r_table;
55236 -+
55237 -+ for (r_num = 0; r_num < arg->role_db.num_roles; r_num++) {
55238 -+ r_tmp = acl_alloc(sizeof (struct acl_role_label));
55239 -+
55240 -+ if (!r_tmp) {
55241 -+ err = -ENOMEM;
55242 -+ goto cleanup;
55243 -+ }
55244 -+
55245 -+ if (copy_from_user(&r_utmp2, r_utmp + r_num,
55246 -+ sizeof (struct acl_role_label *))) {
55247 -+ err = -EFAULT;
55248 -+ goto cleanup;
55249 -+ }
55250 -+
55251 -+ if (copy_from_user(r_tmp, r_utmp2,
55252 -+ sizeof (struct acl_role_label))) {
55253 -+ err = -EFAULT;
55254 -+ goto cleanup;
55255 -+ }
55256 -+
55257 -+ len = strnlen_user(r_tmp->rolename, GR_SPROLE_LEN);
55258 -+
55259 -+ if (!len || len >= PATH_MAX) {
55260 -+ err = -EINVAL;
55261 -+ goto cleanup;
55262 -+ }
55263 -+
55264 -+ if ((tmp = (char *) acl_alloc(len)) == NULL) {
55265 -+ err = -ENOMEM;
55266 -+ goto cleanup;
55267 -+ }
55268 -+ if (copy_from_user(tmp, r_tmp->rolename, len)) {
55269 -+ err = -EFAULT;
55270 -+ goto cleanup;
55271 -+ }
55272 -+ r_tmp->rolename = tmp;
55273 -+
55274 -+ if (!strcmp(r_tmp->rolename, "default")
55275 -+ && (r_tmp->roletype & GR_ROLE_DEFAULT)) {
55276 -+ default_role = r_tmp;
55277 -+ } else if (!strcmp(r_tmp->rolename, ":::kernel:::")) {
55278 -+ kernel_role = r_tmp;
55279 -+ }
55280 -+
55281 -+ if ((ghash = (struct gr_hash_struct *) acl_alloc(sizeof(struct gr_hash_struct))) == NULL) {
55282 -+ err = -ENOMEM;
55283 -+ goto cleanup;
55284 -+ }
55285 -+ if (copy_from_user(ghash, r_tmp->hash, sizeof(struct gr_hash_struct))) {
55286 -+ err = -EFAULT;
55287 -+ goto cleanup;
55288 -+ }
55289 -+
55290 -+ r_tmp->hash = ghash;
55291 -+
55292 -+ num_subjs = count_user_subjs(r_tmp->hash->first);
55293 -+
55294 -+ r_tmp->subj_hash_size = num_subjs;
55295 -+ r_tmp->subj_hash =
55296 -+ (struct acl_subject_label **)
55297 -+ create_table(&(r_tmp->subj_hash_size), sizeof(void *));
55298 -+
55299 -+ if (!r_tmp->subj_hash) {
55300 -+ err = -ENOMEM;
55301 -+ goto cleanup;
55302 -+ }
55303 -+
55304 -+ err = copy_user_allowedips(r_tmp);
55305 -+ if (err)
55306 -+ goto cleanup;
55307 -+
55308 -+ /* copy domain info */
55309 -+ if (r_tmp->domain_children != NULL) {
55310 -+ domainlist = acl_alloc(r_tmp->domain_child_num * sizeof(uid_t));
55311 -+ if (domainlist == NULL) {
55312 -+ err = -ENOMEM;
55313 -+ goto cleanup;
55314 -+ }
55315 -+ if (copy_from_user(domainlist, r_tmp->domain_children, r_tmp->domain_child_num * sizeof(uid_t))) {
55316 -+ err = -EFAULT;
55317 -+ goto cleanup;
55318 -+ }
55319 -+ r_tmp->domain_children = domainlist;
55320 -+ }
55321 -+
55322 -+ err = copy_user_transitions(r_tmp);
55323 -+ if (err)
55324 -+ goto cleanup;
55325 -+
55326 -+ memset(r_tmp->subj_hash, 0,
55327 -+ r_tmp->subj_hash_size *
55328 -+ sizeof (struct acl_subject_label *));
55329 -+
55330 -+ err = copy_user_subjs(r_tmp->hash->first, r_tmp);
55331 -+
55332 -+ if (err)
55333 -+ goto cleanup;
55334 -+
55335 -+ /* set nested subject list to null */
55336 -+ r_tmp->hash->first = NULL;
55337 -+
55338 -+ insert_acl_role_label(r_tmp);
55339 -+ }
55340 -+
55341 -+ goto return_err;
55342 -+ cleanup:
55343 -+ free_variables();
55344 -+ return_err:
55345 -+ return err;
55346 -+
55347 -+}
55348 -+
55349 -+static int
55350 -+gracl_init(struct gr_arg *args)
55351 -+{
55352 -+ int error = 0;
55353 -+
55354 -+ memcpy(gr_system_salt, args->salt, GR_SALT_LEN);
55355 -+ memcpy(gr_system_sum, args->sum, GR_SHA_LEN);
55356 -+
55357 -+ if (init_variables(args)) {
55358 -+ gr_log_str(GR_DONT_AUDIT_GOOD, GR_INITF_ACL_MSG, GR_VERSION);
55359 -+ error = -ENOMEM;
55360 -+ free_variables();
55361 -+ goto out;
55362 -+ }
55363 -+
55364 -+ error = copy_user_acl(args);
55365 -+ free_init_variables();
55366 -+ if (error) {
55367 -+ free_variables();
55368 -+ goto out;
55369 -+ }
55370 -+
55371 -+ if ((error = gr_set_acls(0))) {
55372 -+ free_variables();
55373 -+ goto out;
55374 -+ }
55375 -+
55376 -+ gr_status |= GR_READY;
55377 -+ out:
55378 -+ return error;
55379 -+}
55380 -+
55381 -+/* derived from glibc fnmatch() 0: match, 1: no match*/
55382 -+
55383 -+static int
55384 -+glob_match(const char *p, const char *n)
55385 -+{
55386 -+ char c;
55387 -+
55388 -+ while ((c = *p++) != '\0') {
55389 -+ switch (c) {
55390 -+ case '?':
55391 -+ if (*n == '\0')
55392 -+ return 1;
55393 -+ else if (*n == '/')
55394 -+ return 1;
55395 -+ break;
55396 -+ case '\\':
55397 -+ if (*n != c)
55398 -+ return 1;
55399 -+ break;
55400 -+ case '*':
55401 -+ for (c = *p++; c == '?' || c == '*'; c = *p++) {
55402 -+ if (*n == '/')
55403 -+ return 1;
55404 -+ else if (c == '?') {
55405 -+ if (*n == '\0')
55406 -+ return 1;
55407 -+ else
55408 -+ ++n;
55409 -+ }
55410 -+ }
55411 -+ if (c == '\0') {
55412 -+ return 0;
55413 -+ } else {
55414 -+ const char *endp;
55415 -+
55416 -+ if ((endp = strchr(n, '/')) == NULL)
55417 -+ endp = n + strlen(n);
55418 -+
55419 -+ if (c == '[') {
55420 -+ for (--p; n < endp; ++n)
55421 -+ if (!glob_match(p, n))
55422 -+ return 0;
55423 -+ } else if (c == '/') {
55424 -+ while (*n != '\0' && *n != '/')
55425 -+ ++n;
55426 -+ if (*n == '/' && !glob_match(p, n + 1))
55427 -+ return 0;
55428 -+ } else {
55429 -+ for (--p; n < endp; ++n)
55430 -+ if (*n == c && !glob_match(p, n))
55431 -+ return 0;
55432 -+ }
55433 -+
55434 -+ return 1;
55435 -+ }
55436 -+ case '[':
55437 -+ {
55438 -+ int not;
55439 -+ char cold;
55440 -+
55441 -+ if (*n == '\0' || *n == '/')
55442 -+ return 1;
55443 -+
55444 -+ not = (*p == '!' || *p == '^');
55445 -+ if (not)
55446 -+ ++p;
55447 -+
55448 -+ c = *p++;
55449 -+ for (;;) {
55450 -+ unsigned char fn = (unsigned char)*n;
55451 -+
55452 -+ if (c == '\0')
55453 -+ return 1;
55454 -+ else {
55455 -+ if (c == fn)
55456 -+ goto matched;
55457 -+ cold = c;
55458 -+ c = *p++;
55459 -+
55460 -+ if (c == '-' && *p != ']') {
55461 -+ unsigned char cend = *p++;
55462 -+
55463 -+ if (cend == '\0')
55464 -+ return 1;
55465 -+
55466 -+ if (cold <= fn && fn <= cend)
55467 -+ goto matched;
55468 -+
55469 -+ c = *p++;
55470 -+ }
55471 -+ }
55472 -+
55473 -+ if (c == ']')
55474 -+ break;
55475 -+ }
55476 -+ if (!not)
55477 -+ return 1;
55478 -+ break;
55479 -+ matched:
55480 -+ while (c != ']') {
55481 -+ if (c == '\0')
55482 -+ return 1;
55483 -+
55484 -+ c = *p++;
55485 -+ }
55486 -+ if (not)
55487 -+ return 1;
55488 -+ }
55489 -+ break;
55490 -+ default:
55491 -+ if (c != *n)
55492 -+ return 1;
55493 -+ }
55494 -+
55495 -+ ++n;
55496 -+ }
55497 -+
55498 -+ if (*n == '\0')
55499 -+ return 0;
55500 -+
55501 -+ if (*n == '/')
55502 -+ return 0;
55503 -+
55504 -+ return 1;
55505 -+}
55506 -+
55507 -+static struct acl_object_label *
55508 -+chk_glob_label(struct acl_object_label *globbed,
55509 -+ struct dentry *dentry, struct vfsmount *mnt, char **path)
55510 -+{
55511 -+ struct acl_object_label *tmp;
55512 -+
55513 -+ if (*path == NULL)
55514 -+ *path = gr_to_filename_nolock(dentry, mnt);
55515 -+
55516 -+ tmp = globbed;
55517 -+
55518 -+ while (tmp) {
55519 -+ if (!glob_match(tmp->filename, *path))
55520 -+ return tmp;
55521 -+ tmp = tmp->next;
55522 -+ }
55523 -+
55524 -+ return NULL;
55525 -+}
55526 -+
55527 -+static struct acl_object_label *
55528 -+__full_lookup(const struct dentry *orig_dentry, const struct vfsmount *orig_mnt,
55529 -+ const ino_t curr_ino, const dev_t curr_dev,
55530 -+ const struct acl_subject_label *subj, char **path)
55531 -+{
55532 -+ struct acl_subject_label *tmpsubj;
55533 -+ struct acl_object_label *retval;
55534 -+ struct acl_object_label *retval2;
55535 -+
55536 -+ tmpsubj = (struct acl_subject_label *) subj;
55537 -+ read_lock(&gr_inode_lock);
55538 -+ do {
55539 -+ retval = lookup_acl_obj_label(curr_ino, curr_dev, tmpsubj);
55540 -+ if (retval) {
55541 -+ if (retval->globbed) {
55542 -+ retval2 = chk_glob_label(retval->globbed, (struct dentry *)orig_dentry,
55543 -+ (struct vfsmount *)orig_mnt, path);
55544 -+ if (retval2)
55545 -+ retval = retval2;
55546 -+ }
55547 -+ break;
55548 -+ }
55549 -+ } while ((tmpsubj = tmpsubj->parent_subject));
55550 -+ read_unlock(&gr_inode_lock);
55551 -+
55552 -+ return retval;
55553 -+}
55554 -+
55555 -+static __inline__ struct acl_object_label *
55556 -+full_lookup(const struct dentry *orig_dentry, const struct vfsmount *orig_mnt,
55557 -+ const struct dentry *curr_dentry,
55558 -+ const struct acl_subject_label *subj, char **path)
55559 -+{
55560 -+ return __full_lookup(orig_dentry, orig_mnt,
55561 -+ curr_dentry->d_inode->i_ino,
55562 -+ curr_dentry->d_inode->i_sb->s_dev, subj, path);
55563 -+}
55564 -+
55565 -+static struct acl_object_label *
55566 -+__chk_obj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
55567 -+ const struct acl_subject_label *subj, char *path)
55568 -+{
55569 -+ struct dentry *dentry = (struct dentry *) l_dentry;
55570 -+ struct vfsmount *mnt = (struct vfsmount *) l_mnt;
55571 -+ struct acl_object_label *retval;
55572 -+
55573 -+ spin_lock(&dcache_lock);
55574 -+
55575 -+ if (unlikely(mnt == shm_mnt || mnt == pipe_mnt || mnt == sock_mnt ||
55576 -+ /* ignore Eric Biederman */
55577 -+ IS_PRIVATE(l_dentry->d_inode))) {
55578 -+ retval = fakefs_obj;
55579 -+ goto out;
55580 -+ }
55581 -+
55582 -+ for (;;) {
55583 -+ if (dentry == real_root && mnt == real_root_mnt)
55584 -+ break;
55585 -+
55586 -+ if (dentry == mnt->mnt_root || IS_ROOT(dentry)) {
55587 -+ if (mnt->mnt_parent == mnt)
55588 -+ break;
55589 -+
55590 -+ retval = full_lookup(l_dentry, l_mnt, dentry, subj, &path);
55591 -+ if (retval != NULL)
55592 -+ goto out;
55593 -+
55594 -+ dentry = mnt->mnt_mountpoint;
55595 -+ mnt = mnt->mnt_parent;
55596 -+ continue;
55597 -+ }
55598 -+
55599 -+ retval = full_lookup(l_dentry, l_mnt, dentry, subj, &path);
55600 -+ if (retval != NULL)
55601 -+ goto out;
55602 -+
55603 -+ dentry = dentry->d_parent;
55604 -+ }
55605 -+
55606 -+ retval = full_lookup(l_dentry, l_mnt, dentry, subj, &path);
55607 -+
55608 -+ if (retval == NULL)
55609 -+ retval = full_lookup(l_dentry, l_mnt, real_root, subj, &path);
55610 -+out:
55611 -+ spin_unlock(&dcache_lock);
55612 -+ return retval;
55613 -+}
55614 -+
55615 -+static __inline__ struct acl_object_label *
55616 -+chk_obj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
55617 -+ const struct acl_subject_label *subj)
55618 -+{
55619 -+ char *path = NULL;
55620 -+ return __chk_obj_label(l_dentry, l_mnt, subj, path);
55621 -+}
55622 -+
55623 -+static __inline__ struct acl_object_label *
55624 -+chk_obj_create_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
55625 -+ const struct acl_subject_label *subj, char *path)
55626 -+{
55627 -+ return __chk_obj_label(l_dentry, l_mnt, subj, path);
55628 -+}
55629 -+
55630 -+static struct acl_subject_label *
55631 -+chk_subj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
55632 -+ const struct acl_role_label *role)
55633 -+{
55634 -+ struct dentry *dentry = (struct dentry *) l_dentry;
55635 -+ struct vfsmount *mnt = (struct vfsmount *) l_mnt;
55636 -+ struct acl_subject_label *retval;
55637 -+
55638 -+ spin_lock(&dcache_lock);
55639 -+
55640 -+ for (;;) {
55641 -+ if (dentry == real_root && mnt == real_root_mnt)
55642 -+ break;
55643 -+ if (dentry == mnt->mnt_root || IS_ROOT(dentry)) {
55644 -+ if (mnt->mnt_parent == mnt)
55645 -+ break;
55646 -+
55647 -+ read_lock(&gr_inode_lock);
55648 -+ retval =
55649 -+ lookup_acl_subj_label(dentry->d_inode->i_ino,
55650 -+ dentry->d_inode->i_sb->s_dev, role);
55651 -+ read_unlock(&gr_inode_lock);
55652 -+ if (retval != NULL)
55653 -+ goto out;
55654 -+
55655 -+ dentry = mnt->mnt_mountpoint;
55656 -+ mnt = mnt->mnt_parent;
55657 -+ continue;
55658 -+ }
55659 -+
55660 -+ read_lock(&gr_inode_lock);
55661 -+ retval = lookup_acl_subj_label(dentry->d_inode->i_ino,
55662 -+ dentry->d_inode->i_sb->s_dev, role);
55663 -+ read_unlock(&gr_inode_lock);
55664 -+ if (retval != NULL)
55665 -+ goto out;
55666 -+
55667 -+ dentry = dentry->d_parent;
55668 -+ }
55669 -+
55670 -+ read_lock(&gr_inode_lock);
55671 -+ retval = lookup_acl_subj_label(dentry->d_inode->i_ino,
55672 -+ dentry->d_inode->i_sb->s_dev, role);
55673 -+ read_unlock(&gr_inode_lock);
55674 -+
55675 -+ if (unlikely(retval == NULL)) {
55676 -+ read_lock(&gr_inode_lock);
55677 -+ retval = lookup_acl_subj_label(real_root->d_inode->i_ino,
55678 -+ real_root->d_inode->i_sb->s_dev, role);
55679 -+ read_unlock(&gr_inode_lock);
55680 -+ }
55681 -+out:
55682 -+ spin_unlock(&dcache_lock);
55683 -+
55684 -+ return retval;
55685 -+}
55686 -+
55687 -+static void
55688 -+gr_log_learn(const struct task_struct *task, const struct dentry *dentry, const struct vfsmount *mnt, const __u32 mode)
55689 -+{
55690 -+ security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename, task->role->roletype,
55691 -+ task->uid, task->gid, task->exec_file ? gr_to_filename1(task->exec_file->f_dentry,
55692 -+ task->exec_file->f_vfsmnt) : task->acl->filename, task->acl->filename,
55693 -+ 1, 1, gr_to_filename(dentry, mnt), (unsigned long) mode, NIPQUAD(task->signal->curr_ip));
55694 -+
55695 -+ return;
55696 -+}
55697 -+
55698 -+static void
55699 -+gr_log_learn_sysctl(const struct task_struct *task, const char *path, const __u32 mode)
55700 -+{
55701 -+ security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename, task->role->roletype,
55702 -+ task->uid, task->gid, task->exec_file ? gr_to_filename1(task->exec_file->f_dentry,
55703 -+ task->exec_file->f_vfsmnt) : task->acl->filename, task->acl->filename,
55704 -+ 1, 1, path, (unsigned long) mode, NIPQUAD(task->signal->curr_ip));
55705 -+
55706 -+ return;
55707 -+}
55708 -+
55709 -+static void
55710 -+gr_log_learn_id_change(const struct task_struct *task, const char type, const unsigned int real,
55711 -+ const unsigned int effective, const unsigned int fs)
55712 -+{
55713 -+ security_learn(GR_ID_LEARN_MSG, task->role->rolename, task->role->roletype,
55714 -+ task->uid, task->gid, task->exec_file ? gr_to_filename1(task->exec_file->f_dentry,
55715 -+ task->exec_file->f_vfsmnt) : task->acl->filename, task->acl->filename,
55716 -+ type, real, effective, fs, NIPQUAD(task->signal->curr_ip));
55717 -+
55718 -+ return;
55719 -+}
55720 -+
55721 -+__u32
55722 -+gr_check_link(const struct dentry * new_dentry,
55723 -+ const struct dentry * parent_dentry,
55724 -+ const struct vfsmount * parent_mnt,
55725 -+ const struct dentry * old_dentry, const struct vfsmount * old_mnt)
55726 -+{
55727 -+ struct acl_object_label *obj;
55728 -+ __u32 oldmode, newmode;
55729 -+ __u32 needmode;
55730 -+
55731 -+ if (unlikely(!(gr_status & GR_READY)))
55732 -+ return (GR_CREATE | GR_LINK);
55733 -+
55734 -+ obj = chk_obj_label(old_dentry, old_mnt, current->acl);
55735 -+ oldmode = obj->mode;
55736 -+
55737 -+ if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN))
55738 -+ oldmode |= (GR_CREATE | GR_LINK);
55739 -+
55740 -+ needmode = GR_CREATE | GR_AUDIT_CREATE | GR_SUPPRESS;
55741 -+ if (old_dentry->d_inode->i_mode & (S_ISUID | S_ISGID))
55742 -+ needmode |= GR_SETID | GR_AUDIT_SETID;
55743 -+
55744 -+ newmode =
55745 -+ gr_check_create(new_dentry, parent_dentry, parent_mnt,
55746 -+ oldmode | needmode);
55747 -+
55748 -+ needmode = newmode & (GR_FIND | GR_APPEND | GR_WRITE | GR_EXEC |
55749 -+ GR_SETID | GR_READ | GR_FIND | GR_DELETE |
55750 -+ GR_INHERIT | GR_AUDIT_INHERIT);
55751 -+
55752 -+ if (old_dentry->d_inode->i_mode & (S_ISUID | S_ISGID) && !(newmode & GR_SETID))
55753 -+ goto bad;
55754 -+
55755 -+ if ((oldmode & needmode) != needmode)
55756 -+ goto bad;
55757 -+
55758 -+ needmode = oldmode & (GR_NOPTRACE | GR_PTRACERD | GR_INHERIT | GR_AUDITS);
55759 -+ if ((newmode & needmode) != needmode)
55760 -+ goto bad;
55761 -+
55762 -+ if ((newmode & (GR_CREATE | GR_LINK)) == (GR_CREATE | GR_LINK))
55763 -+ return newmode;
55764 -+bad:
55765 -+ needmode = oldmode;
55766 -+ if (old_dentry->d_inode->i_mode & (S_ISUID | S_ISGID))
55767 -+ needmode |= GR_SETID;
55768 -+
55769 -+ if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN)) {
55770 -+ gr_log_learn(current, old_dentry, old_mnt, needmode);
55771 -+ return (GR_CREATE | GR_LINK);
55772 -+ } else if (newmode & GR_SUPPRESS)
55773 -+ return GR_SUPPRESS;
55774 -+ else
55775 -+ return 0;
55776 -+}
55777 -+
55778 -+__u32
55779 -+gr_search_file(const struct dentry * dentry, const __u32 mode,
55780 -+ const struct vfsmount * mnt)
55781 -+{
55782 -+ __u32 retval = mode;
55783 -+ struct acl_subject_label *curracl;
55784 -+ struct acl_object_label *currobj;
55785 -+
55786 -+ if (unlikely(!(gr_status & GR_READY)))
55787 -+ return (mode & ~GR_AUDITS);
55788 -+
55789 -+ curracl = current->acl;
55790 -+
55791 -+ currobj = chk_obj_label(dentry, mnt, curracl);
55792 -+ retval = currobj->mode & mode;
55793 -+
55794 -+ if (unlikely
55795 -+ ((curracl->mode & (GR_LEARN | GR_INHERITLEARN)) && !(mode & GR_NOPTRACE)
55796 -+ && (retval != (mode & ~(GR_AUDITS | GR_SUPPRESS))))) {
55797 -+ __u32 new_mode = mode;
55798 -+
55799 -+ new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
55800 -+
55801 -+ retval = new_mode;
55802 -+
55803 -+ if (new_mode & GR_EXEC && curracl->mode & GR_INHERITLEARN)
55804 -+ new_mode |= GR_INHERIT;
55805 -+
55806 -+ if (!(mode & GR_NOLEARN))
55807 -+ gr_log_learn(current, dentry, mnt, new_mode);
55808 -+ }
55809 -+
55810 -+ return retval;
55811 -+}
55812 -+
55813 -+__u32
55814 -+gr_check_create(const struct dentry * new_dentry, const struct dentry * parent,
55815 -+ const struct vfsmount * mnt, const __u32 mode)
55816 -+{
55817 -+ struct name_entry *match;
55818 -+ struct acl_object_label *matchpo;
55819 -+ struct acl_subject_label *curracl;
55820 -+ char *path;
55821 -+ __u32 retval;
55822 -+
55823 -+ if (unlikely(!(gr_status & GR_READY)))
55824 -+ return (mode & ~GR_AUDITS);
55825 -+
55826 -+ preempt_disable();
55827 -+ path = gr_to_filename_rbac(new_dentry, mnt);
55828 -+ match = lookup_name_entry_create(path);
55829 -+
55830 -+ if (!match)
55831 -+ goto check_parent;
55832 -+
55833 -+ curracl = current->acl;
55834 -+
55835 -+ read_lock(&gr_inode_lock);
55836 -+ matchpo = lookup_acl_obj_label_create(match->inode, match->device, curracl);
55837 -+ read_unlock(&gr_inode_lock);
55838 -+
55839 -+ if (matchpo) {
55840 -+ if ((matchpo->mode & mode) !=
55841 -+ (mode & ~(GR_AUDITS | GR_SUPPRESS))
55842 -+ && curracl->mode & (GR_LEARN | GR_INHERITLEARN)) {
55843 -+ __u32 new_mode = mode;
55844 -+
55845 -+ new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
55846 -+
55847 -+ gr_log_learn(current, new_dentry, mnt, new_mode);
55848 -+
55849 -+ preempt_enable();
55850 -+ return new_mode;
55851 -+ }
55852 -+ preempt_enable();
55853 -+ return (matchpo->mode & mode);
55854 -+ }
55855 -+
55856 -+ check_parent:
55857 -+ curracl = current->acl;
55858 -+
55859 -+ matchpo = chk_obj_create_label(parent, mnt, curracl, path);
55860 -+ retval = matchpo->mode & mode;
55861 -+
55862 -+ if ((retval != (mode & ~(GR_AUDITS | GR_SUPPRESS)))
55863 -+ && (curracl->mode & (GR_LEARN | GR_INHERITLEARN))) {
55864 -+ __u32 new_mode = mode;
55865 -+
55866 -+ new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
55867 -+
55868 -+ gr_log_learn(current, new_dentry, mnt, new_mode);
55869 -+ preempt_enable();
55870 -+ return new_mode;
55871 -+ }
55872 -+
55873 -+ preempt_enable();
55874 -+ return retval;
55875 -+}
55876 -+
55877 -+int
55878 -+gr_check_hidden_task(const struct task_struct *task)
55879 -+{
55880 -+ if (unlikely(!(gr_status & GR_READY)))
55881 -+ return 0;
55882 -+
55883 -+ if (!(task->acl->mode & GR_PROCFIND) && !(current->acl->mode & GR_VIEW))
55884 -+ return 1;
55885 -+
55886 -+ return 0;
55887 -+}
55888 -+
55889 -+int
55890 -+gr_check_protected_task(const struct task_struct *task)
55891 -+{
55892 -+ if (unlikely(!(gr_status & GR_READY) || !task))
55893 -+ return 0;
55894 -+
55895 -+ if ((task->acl->mode & GR_PROTECTED) && !(current->acl->mode & GR_KILL) &&
55896 -+ task->acl != current->acl)
55897 -+ return 1;
55898 -+
55899 -+ return 0;
55900 -+}
55901 -+
55902 -+void
55903 -+gr_copy_label(struct task_struct *tsk)
55904 -+{
55905 -+ tsk->signal->used_accept = 0;
55906 -+ tsk->acl_sp_role = 0;
55907 -+ tsk->acl_role_id = current->acl_role_id;
55908 -+ tsk->acl = current->acl;
55909 -+ tsk->role = current->role;
55910 -+ tsk->signal->curr_ip = current->signal->curr_ip;
55911 -+ if (current->exec_file)
55912 -+ get_file(current->exec_file);
55913 -+ tsk->exec_file = current->exec_file;
55914 -+ tsk->is_writable = current->is_writable;
55915 -+ if (unlikely(current->signal->used_accept))
55916 -+ current->signal->curr_ip = 0;
55917 -+
55918 -+ return;
55919 -+}
55920 -+
55921 -+static void
55922 -+gr_set_proc_res(struct task_struct *task)
55923 -+{
55924 -+ struct acl_subject_label *proc;
55925 -+ unsigned short i;
55926 -+
55927 -+ proc = task->acl;
55928 -+
55929 -+ if (proc->mode & (GR_LEARN | GR_INHERITLEARN))
55930 -+ return;
55931 -+
55932 -+ for (i = 0; i < (GR_NLIMITS - 1); i++) {
55933 -+ if (!(proc->resmask & (1 << i)))
55934 -+ continue;
55935 -+
55936 -+ task->signal->rlim[i].rlim_cur = proc->res[i].rlim_cur;
55937 -+ task->signal->rlim[i].rlim_max = proc->res[i].rlim_max;
55938 -+ }
55939 -+
55940 -+ return;
55941 -+}
55942 -+
55943 -+int
55944 -+gr_check_user_change(int real, int effective, int fs)
55945 -+{
55946 -+ unsigned int i;
55947 -+ __u16 num;
55948 -+ uid_t *uidlist;
55949 -+ int curuid;
55950 -+ int realok = 0;
55951 -+ int effectiveok = 0;
55952 -+ int fsok = 0;
55953 -+
55954 -+ if (unlikely(!(gr_status & GR_READY)))
55955 -+ return 0;
55956 -+
55957 -+ if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN))
55958 -+ gr_log_learn_id_change(current, 'u', real, effective, fs);
55959 -+
55960 -+ num = current->acl->user_trans_num;
55961 -+ uidlist = current->acl->user_transitions;
55962 -+
55963 -+ if (uidlist == NULL)
55964 -+ return 0;
55965 -+
55966 -+ if (real == -1)
55967 -+ realok = 1;
55968 -+ if (effective == -1)
55969 -+ effectiveok = 1;
55970 -+ if (fs == -1)
55971 -+ fsok = 1;
55972 -+
55973 -+ if (current->acl->user_trans_type & GR_ID_ALLOW) {
55974 -+ for (i = 0; i < num; i++) {
55975 -+ curuid = (int)uidlist[i];
55976 -+ if (real == curuid)
55977 -+ realok = 1;
55978 -+ if (effective == curuid)
55979 -+ effectiveok = 1;
55980 -+ if (fs == curuid)
55981 -+ fsok = 1;
55982 -+ }
55983 -+ } else if (current->acl->user_trans_type & GR_ID_DENY) {
55984 -+ for (i = 0; i < num; i++) {
55985 -+ curuid = (int)uidlist[i];
55986 -+ if (real == curuid)
55987 -+ break;
55988 -+ if (effective == curuid)
55989 -+ break;
55990 -+ if (fs == curuid)
55991 -+ break;
55992 -+ }
55993 -+ /* not in deny list */
55994 -+ if (i == num) {
55995 -+ realok = 1;
55996 -+ effectiveok = 1;
55997 -+ fsok = 1;
55998 -+ }
55999 -+ }
56000 -+
56001 -+ if (realok && effectiveok && fsok)
56002 -+ return 0;
56003 -+ else {
56004 -+ gr_log_int(GR_DONT_AUDIT, GR_USRCHANGE_ACL_MSG, realok ? (effectiveok ? (fsok ? 0 : fs) : effective) : real);
56005 -+ return 1;
56006 -+ }
56007 -+}
56008 -+
56009 -+int
56010 -+gr_check_group_change(int real, int effective, int fs)
56011 -+{
56012 -+ unsigned int i;
56013 -+ __u16 num;
56014 -+ gid_t *gidlist;
56015 -+ int curgid;
56016 -+ int realok = 0;
56017 -+ int effectiveok = 0;
56018 -+ int fsok = 0;
56019 -+
56020 -+ if (unlikely(!(gr_status & GR_READY)))
56021 -+ return 0;
56022 -+
56023 -+ if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN))
56024 -+ gr_log_learn_id_change(current, 'g', real, effective, fs);
56025 -+
56026 -+ num = current->acl->group_trans_num;
56027 -+ gidlist = current->acl->group_transitions;
56028 -+
56029 -+ if (gidlist == NULL)
56030 -+ return 0;
56031 -+
56032 -+ if (real == -1)
56033 -+ realok = 1;
56034 -+ if (effective == -1)
56035 -+ effectiveok = 1;
56036 -+ if (fs == -1)
56037 -+ fsok = 1;
56038 -+
56039 -+ if (current->acl->group_trans_type & GR_ID_ALLOW) {
56040 -+ for (i = 0; i < num; i++) {
56041 -+ curgid = (int)gidlist[i];
56042 -+ if (real == curgid)
56043 -+ realok = 1;
56044 -+ if (effective == curgid)
56045 -+ effectiveok = 1;
56046 -+ if (fs == curgid)
56047 -+ fsok = 1;
56048 -+ }
56049 -+ } else if (current->acl->group_trans_type & GR_ID_DENY) {
56050 -+ for (i = 0; i < num; i++) {
56051 -+ curgid = (int)gidlist[i];
56052 -+ if (real == curgid)
56053 -+ break;
56054 -+ if (effective == curgid)
56055 -+ break;
56056 -+ if (fs == curgid)
56057 -+ break;
56058 -+ }
56059 -+ /* not in deny list */
56060 -+ if (i == num) {
56061 -+ realok = 1;
56062 -+ effectiveok = 1;
56063 -+ fsok = 1;
56064 -+ }
56065 -+ }
56066 -+
56067 -+ if (realok && effectiveok && fsok)
56068 -+ return 0;
56069 -+ else {
56070 -+ gr_log_int(GR_DONT_AUDIT, GR_GRPCHANGE_ACL_MSG, realok ? (effectiveok ? (fsok ? 0 : fs) : effective) : real);
56071 -+ return 1;
56072 -+ }
56073 -+}
56074 -+
56075 -+void
56076 -+gr_set_role_label(struct task_struct *task, const uid_t uid, const uid_t gid)
56077 -+{
56078 -+ struct acl_role_label *role = task->role;
56079 -+ struct acl_subject_label *subj = NULL;
56080 -+ struct acl_object_label *obj;
56081 -+ struct file *filp;
56082 -+
56083 -+ if (unlikely(!(gr_status & GR_READY)))
56084 -+ return;
56085 -+
56086 -+ filp = task->exec_file;
56087 -+
56088 -+ /* kernel process, we'll give them the kernel role */
56089 -+ if (unlikely(!filp)) {
56090 -+ task->role = kernel_role;
56091 -+ task->acl = kernel_role->root_label;
56092 -+ return;
56093 -+ } else if (!task->role || !(task->role->roletype & GR_ROLE_SPECIAL))
56094 -+ role = lookup_acl_role_label(task, uid, gid);
56095 -+
56096 -+ /* perform subject lookup in possibly new role
56097 -+ we can use this result below in the case where role == task->role
56098 -+ */
56099 -+ subj = chk_subj_label(filp->f_dentry, filp->f_vfsmnt, role);
56100 -+
56101 -+ /* if we changed uid/gid, but result in the same role
56102 -+ and are using inheritance, don't lose the inherited subject
56103 -+ if current subject is other than what normal lookup
56104 -+ would result in, we arrived via inheritance, don't
56105 -+ lose subject
56106 -+ */
56107 -+ if (role != task->role || (!(task->acl->mode & GR_INHERITLEARN) &&
56108 -+ (subj == task->acl)))
56109 -+ task->acl = subj;
56110 -+
56111 -+ task->role = role;
56112 -+
56113 -+ task->is_writable = 0;
56114 -+
56115 -+ /* ignore additional mmap checks for processes that are writable
56116 -+ by the default ACL */
56117 -+ obj = chk_obj_label(filp->f_dentry, filp->f_vfsmnt, default_role->root_label);
56118 -+ if (unlikely(obj->mode & GR_WRITE))
56119 -+ task->is_writable = 1;
56120 -+ obj = chk_obj_label(filp->f_dentry, filp->f_vfsmnt, task->role->root_label);
56121 -+ if (unlikely(obj->mode & GR_WRITE))
56122 -+ task->is_writable = 1;
56123 -+
56124 -+#ifdef CONFIG_GRKERNSEC_ACL_DEBUG
56125 -+ printk(KERN_ALERT "Set role label for (%s:%d): role:%s, subject:%s\n", task->comm, task->pid, task->role->rolename, task->acl->filename);
56126 -+#endif
56127 -+
56128 -+ gr_set_proc_res(task);
56129 -+
56130 -+ return;
56131 -+}
56132 -+
56133 -+int
56134 -+gr_set_proc_label(const struct dentry *dentry, const struct vfsmount *mnt)
56135 -+{
56136 -+ struct task_struct *task = current;
56137 -+ struct acl_subject_label *newacl;
56138 -+ struct acl_object_label *obj;
56139 -+ __u32 retmode;
56140 -+
56141 -+ if (unlikely(!(gr_status & GR_READY)))
56142 -+ return 0;
56143 -+
56144 -+ newacl = chk_subj_label(dentry, mnt, task->role);
56145 -+
56146 -+ task_lock(task);
56147 -+ if (((task->ptrace & PT_PTRACED) && !(task->acl->mode &
56148 -+ GR_POVERRIDE) && (task->acl != newacl) &&
56149 -+ !(task->role->roletype & GR_ROLE_GOD) &&
56150 -+ !gr_search_file(dentry, GR_PTRACERD, mnt) &&
56151 -+ !(task->acl->mode & (GR_LEARN | GR_INHERITLEARN))) ||
56152 -+ (atomic_read(&task->fs->count) > 1 ||
56153 -+ atomic_read(&task->files->count) > 1 ||
56154 -+ atomic_read(&task->sighand->count) > 1)) {
56155 -+ task_unlock(task);
56156 -+ gr_log_fs_generic(GR_DONT_AUDIT, GR_PTRACE_EXEC_ACL_MSG, dentry, mnt);
56157 -+ return -EACCES;
56158 -+ }
56159 -+ task_unlock(task);
56160 -+
56161 -+ obj = chk_obj_label(dentry, mnt, task->acl);
56162 -+ retmode = obj->mode & (GR_INHERIT | GR_AUDIT_INHERIT);
56163 -+
56164 -+ if (!(task->acl->mode & GR_INHERITLEARN) &&
56165 -+ ((newacl->mode & GR_LEARN) || !(retmode & GR_INHERIT))) {
56166 -+ if (obj->nested)
56167 -+ task->acl = obj->nested;
56168 -+ else
56169 -+ task->acl = newacl;
56170 -+ } else if (retmode & GR_INHERIT && retmode & GR_AUDIT_INHERIT)
56171 -+ gr_log_str_fs(GR_DO_AUDIT, GR_INHERIT_ACL_MSG, task->acl->filename, dentry, mnt);
56172 -+
56173 -+ task->is_writable = 0;
56174 -+
56175 -+ /* ignore additional mmap checks for processes that are writable
56176 -+ by the default ACL */
56177 -+ obj = chk_obj_label(dentry, mnt, default_role->root_label);
56178 -+ if (unlikely(obj->mode & GR_WRITE))
56179 -+ task->is_writable = 1;
56180 -+ obj = chk_obj_label(dentry, mnt, task->role->root_label);
56181 -+ if (unlikely(obj->mode & GR_WRITE))
56182 -+ task->is_writable = 1;
56183 -+
56184 -+ gr_set_proc_res(task);
56185 -+
56186 -+#ifdef CONFIG_GRKERNSEC_ACL_DEBUG
56187 -+ printk(KERN_ALERT "Set subject label for (%s:%d): role:%s, subject:%s\n", task->comm, task->pid, task->role->rolename, task->acl->filename);
56188 -+#endif
56189 -+ return 0;
56190 -+}
56191 -+
56192 -+/* always called with valid inodev ptr */
56193 -+static void
56194 -+do_handle_delete(struct inodev_entry *inodev, const ino_t ino, const dev_t dev)
56195 -+{
56196 -+ struct acl_object_label *matchpo;
56197 -+ struct acl_subject_label *matchps;
56198 -+ struct acl_subject_label *subj;
56199 -+ struct acl_role_label *role;
56200 -+ unsigned int i, x;
56201 -+
56202 -+ FOR_EACH_ROLE_START(role, i)
56203 -+ FOR_EACH_SUBJECT_START(role, subj, x)
56204 -+ if ((matchpo = lookup_acl_obj_label(ino, dev, subj)) != NULL)
56205 -+ matchpo->mode |= GR_DELETED;
56206 -+ FOR_EACH_SUBJECT_END(subj,x)
56207 -+ FOR_EACH_NESTED_SUBJECT_START(role, subj)
56208 -+ if (subj->inode == ino && subj->device == dev)
56209 -+ subj->mode |= GR_DELETED;
56210 -+ FOR_EACH_NESTED_SUBJECT_END(subj)
56211 -+ if ((matchps = lookup_acl_subj_label(ino, dev, role)) != NULL)
56212 -+ matchps->mode |= GR_DELETED;
56213 -+ FOR_EACH_ROLE_END(role,i)
56214 -+
56215 -+ inodev->nentry->deleted = 1;
56216 -+
56217 -+ return;
56218 -+}
56219 -+
56220 -+void
56221 -+gr_handle_delete(const ino_t ino, const dev_t dev)
56222 -+{
56223 -+ struct inodev_entry *inodev;
56224 -+
56225 -+ if (unlikely(!(gr_status & GR_READY)))
56226 -+ return;
56227 -+
56228 -+ write_lock(&gr_inode_lock);
56229 -+ inodev = lookup_inodev_entry(ino, dev);
56230 -+ if (inodev != NULL)
56231 -+ do_handle_delete(inodev, ino, dev);
56232 -+ write_unlock(&gr_inode_lock);
56233 -+
56234 -+ return;
56235 -+}
56236 -+
56237 -+static void
56238 -+update_acl_obj_label(const ino_t oldinode, const dev_t olddevice,
56239 -+ const ino_t newinode, const dev_t newdevice,
56240 -+ struct acl_subject_label *subj)
56241 -+{
56242 -+ unsigned int index = fhash(oldinode, olddevice, subj->obj_hash_size);
56243 -+ struct acl_object_label *match;
56244 -+
56245 -+ match = subj->obj_hash[index];
56246 -+
56247 -+ while (match && (match->inode != oldinode ||
56248 -+ match->device != olddevice ||
56249 -+ !(match->mode & GR_DELETED)))
56250 -+ match = match->next;
56251 -+
56252 -+ if (match && (match->inode == oldinode)
56253 -+ && (match->device == olddevice)
56254 -+ && (match->mode & GR_DELETED)) {
56255 -+ if (match->prev == NULL) {
56256 -+ subj->obj_hash[index] = match->next;
56257 -+ if (match->next != NULL)
56258 -+ match->next->prev = NULL;
56259 -+ } else {
56260 -+ match->prev->next = match->next;
56261 -+ if (match->next != NULL)
56262 -+ match->next->prev = match->prev;
56263 -+ }
56264 -+ match->prev = NULL;
56265 -+ match->next = NULL;
56266 -+ match->inode = newinode;
56267 -+ match->device = newdevice;
56268 -+ match->mode &= ~GR_DELETED;
56269 -+
56270 -+ insert_acl_obj_label(match, subj);
56271 -+ }
56272 -+
56273 -+ return;
56274 -+}
56275 -+
56276 -+static void
56277 -+update_acl_subj_label(const ino_t oldinode, const dev_t olddevice,
56278 -+ const ino_t newinode, const dev_t newdevice,
56279 -+ struct acl_role_label *role)
56280 -+{
56281 -+ unsigned int index = fhash(oldinode, olddevice, role->subj_hash_size);
56282 -+ struct acl_subject_label *match;
56283 -+
56284 -+ match = role->subj_hash[index];
56285 -+
56286 -+ while (match && (match->inode != oldinode ||
56287 -+ match->device != olddevice ||
56288 -+ !(match->mode & GR_DELETED)))
56289 -+ match = match->next;
56290 -+
56291 -+ if (match && (match->inode == oldinode)
56292 -+ && (match->device == olddevice)
56293 -+ && (match->mode & GR_DELETED)) {
56294 -+ if (match->prev == NULL) {
56295 -+ role->subj_hash[index] = match->next;
56296 -+ if (match->next != NULL)
56297 -+ match->next->prev = NULL;
56298 -+ } else {
56299 -+ match->prev->next = match->next;
56300 -+ if (match->next != NULL)
56301 -+ match->next->prev = match->prev;
56302 -+ }
56303 -+ match->prev = NULL;
56304 -+ match->next = NULL;
56305 -+ match->inode = newinode;
56306 -+ match->device = newdevice;
56307 -+ match->mode &= ~GR_DELETED;
56308 -+
56309 -+ insert_acl_subj_label(match, role);
56310 -+ }
56311 -+
56312 -+ return;
56313 -+}
56314 -+
56315 -+static void
56316 -+update_inodev_entry(const ino_t oldinode, const dev_t olddevice,
56317 -+ const ino_t newinode, const dev_t newdevice)
56318 -+{
56319 -+ unsigned int index = fhash(oldinode, olddevice, inodev_set.i_size);
56320 -+ struct inodev_entry *match;
56321 -+
56322 -+ match = inodev_set.i_hash[index];
56323 -+
56324 -+ while (match && (match->nentry->inode != oldinode ||
56325 -+ match->nentry->device != olddevice || !match->nentry->deleted))
56326 -+ match = match->next;
56327 -+
56328 -+ if (match && (match->nentry->inode == oldinode)
56329 -+ && (match->nentry->device == olddevice) &&
56330 -+ match->nentry->deleted) {
56331 -+ if (match->prev == NULL) {
56332 -+ inodev_set.i_hash[index] = match->next;
56333 -+ if (match->next != NULL)
56334 -+ match->next->prev = NULL;
56335 -+ } else {
56336 -+ match->prev->next = match->next;
56337 -+ if (match->next != NULL)
56338 -+ match->next->prev = match->prev;
56339 -+ }
56340 -+ match->prev = NULL;
56341 -+ match->next = NULL;
56342 -+ match->nentry->inode = newinode;
56343 -+ match->nentry->device = newdevice;
56344 -+ match->nentry->deleted = 0;
56345 -+
56346 -+ insert_inodev_entry(match);
56347 -+ }
56348 -+
56349 -+ return;
56350 -+}
56351 -+
56352 -+static void
56353 -+do_handle_create(const struct name_entry *matchn, const struct dentry *dentry,
56354 -+ const struct vfsmount *mnt)
56355 -+{
56356 -+ struct acl_subject_label *subj;
56357 -+ struct acl_role_label *role;
56358 -+ unsigned int i, x;
56359 -+
56360 -+ FOR_EACH_ROLE_START(role, i)
56361 -+ update_acl_subj_label(matchn->inode, matchn->device,
56362 -+ dentry->d_inode->i_ino,
56363 -+ dentry->d_inode->i_sb->s_dev, role);
56364 -+
56365 -+ FOR_EACH_NESTED_SUBJECT_START(role, subj)
56366 -+ if ((subj->inode == dentry->d_inode->i_ino) &&
56367 -+ (subj->device == dentry->d_inode->i_sb->s_dev)) {
56368 -+ subj->inode = dentry->d_inode->i_ino;
56369 -+ subj->device = dentry->d_inode->i_sb->s_dev;
56370 -+ }
56371 -+ FOR_EACH_NESTED_SUBJECT_END(subj)
56372 -+ FOR_EACH_SUBJECT_START(role, subj, x)
56373 -+ update_acl_obj_label(matchn->inode, matchn->device,
56374 -+ dentry->d_inode->i_ino,
56375 -+ dentry->d_inode->i_sb->s_dev, subj);
56376 -+ FOR_EACH_SUBJECT_END(subj,x)
56377 -+ FOR_EACH_ROLE_END(role,i)
56378 -+
56379 -+ update_inodev_entry(matchn->inode, matchn->device,
56380 -+ dentry->d_inode->i_ino, dentry->d_inode->i_sb->s_dev);
56381 -+
56382 -+ return;
56383 -+}
56384 -+
56385 -+void
56386 -+gr_handle_create(const struct dentry *dentry, const struct vfsmount *mnt)
56387 -+{
56388 -+ struct name_entry *matchn;
56389 -+
56390 -+ if (unlikely(!(gr_status & GR_READY)))
56391 -+ return;
56392 -+
56393 -+ preempt_disable();
56394 -+ matchn = lookup_name_entry(gr_to_filename_rbac(dentry, mnt));
56395 -+
56396 -+ if (unlikely((unsigned long)matchn)) {
56397 -+ write_lock(&gr_inode_lock);
56398 -+ do_handle_create(matchn, dentry, mnt);
56399 -+ write_unlock(&gr_inode_lock);
56400 -+ }
56401 -+ preempt_enable();
56402 -+
56403 -+ return;
56404 -+}
56405 -+
56406 -+void
56407 -+gr_handle_rename(struct inode *old_dir, struct inode *new_dir,
56408 -+ struct dentry *old_dentry,
56409 -+ struct dentry *new_dentry,
56410 -+ struct vfsmount *mnt, const __u8 replace)
56411 -+{
56412 -+ struct name_entry *matchn;
56413 -+ struct inodev_entry *inodev;
56414 -+
56415 -+ /* vfs_rename swaps the name and parent link for old_dentry and
56416 -+ new_dentry
56417 -+ at this point, old_dentry has the new name, parent link, and inode
56418 -+ for the renamed file
56419 -+ if a file is being replaced by a rename, new_dentry has the inode
56420 -+ and name for the replaced file
56421 -+ */
56422 -+
56423 -+ if (unlikely(!(gr_status & GR_READY)))
56424 -+ return;
56425 -+
56426 -+ preempt_disable();
56427 -+ matchn = lookup_name_entry(gr_to_filename_rbac(old_dentry, mnt));
56428 -+
56429 -+ /* we wouldn't have to check d_inode if it weren't for
56430 -+ NFS silly-renaming
56431 -+ */
56432 -+
56433 -+ write_lock(&gr_inode_lock);
56434 -+ if (unlikely(replace && new_dentry->d_inode)) {
56435 -+ inodev = lookup_inodev_entry(new_dentry->d_inode->i_ino,
56436 -+ new_dentry->d_inode->i_sb->s_dev);
56437 -+ if (inodev != NULL && (new_dentry->d_inode->i_nlink <= 1))
56438 -+ do_handle_delete(inodev, new_dentry->d_inode->i_ino,
56439 -+ new_dentry->d_inode->i_sb->s_dev);
56440 -+ }
56441 -+
56442 -+ inodev = lookup_inodev_entry(old_dentry->d_inode->i_ino,
56443 -+ old_dentry->d_inode->i_sb->s_dev);
56444 -+ if (inodev != NULL && (old_dentry->d_inode->i_nlink <= 1))
56445 -+ do_handle_delete(inodev, old_dentry->d_inode->i_ino,
56446 -+ old_dentry->d_inode->i_sb->s_dev);
56447 -+
56448 -+ if (unlikely((unsigned long)matchn))
56449 -+ do_handle_create(matchn, old_dentry, mnt);
56450 -+
56451 -+ write_unlock(&gr_inode_lock);
56452 -+ preempt_enable();
56453 -+
56454 -+ return;
56455 -+}
56456 -+
56457 -+static int
56458 -+lookup_special_role_auth(__u16 mode, const char *rolename, unsigned char **salt,
56459 -+ unsigned char **sum)
56460 -+{
56461 -+ struct acl_role_label *r;
56462 -+ struct role_allowed_ip *ipp;
56463 -+ struct role_transition *trans;
56464 -+ unsigned int i;
56465 -+ int found = 0;
56466 -+
56467 -+ /* check transition table */
56468 -+
56469 -+ for (trans = current->role->transitions; trans; trans = trans->next) {
56470 -+ if (!strcmp(rolename, trans->rolename)) {
56471 -+ found = 1;
56472 -+ break;
56473 -+ }
56474 -+ }
56475 -+
56476 -+ if (!found)
56477 -+ return 0;
56478 -+
56479 -+ /* handle special roles that do not require authentication
56480 -+ and check ip */
56481 -+
56482 -+ FOR_EACH_ROLE_START(r, i)
56483 -+ if (!strcmp(rolename, r->rolename) &&
56484 -+ (r->roletype & GR_ROLE_SPECIAL)) {
56485 -+ found = 0;
56486 -+ if (r->allowed_ips != NULL) {
56487 -+ for (ipp = r->allowed_ips; ipp; ipp = ipp->next) {
56488 -+ if ((ntohl(current->signal->curr_ip) & ipp->netmask) ==
56489 -+ (ntohl(ipp->addr) & ipp->netmask))
56490 -+ found = 1;
56491 -+ }
56492 -+ } else
56493 -+ found = 2;
56494 -+ if (!found)
56495 -+ return 0;
56496 -+
56497 -+ if (((mode == SPROLE) && (r->roletype & GR_ROLE_NOPW)) ||
56498 -+ ((mode == SPROLEPAM) && (r->roletype & GR_ROLE_PAM))) {
56499 -+ *salt = NULL;
56500 -+ *sum = NULL;
56501 -+ return 1;
56502 -+ }
56503 -+ }
56504 -+ FOR_EACH_ROLE_END(r,i)
56505 -+
56506 -+ for (i = 0; i < num_sprole_pws; i++) {
56507 -+ if (!strcmp(rolename, acl_special_roles[i]->rolename)) {
56508 -+ *salt = acl_special_roles[i]->salt;
56509 -+ *sum = acl_special_roles[i]->sum;
56510 -+ return 1;
56511 -+ }
56512 -+ }
56513 -+
56514 -+ return 0;
56515 -+}
56516 -+
56517 -+static void
56518 -+assign_special_role(char *rolename)
56519 -+{
56520 -+ struct acl_object_label *obj;
56521 -+ struct acl_role_label *r;
56522 -+ struct acl_role_label *assigned = NULL;
56523 -+ struct task_struct *tsk;
56524 -+ struct file *filp;
56525 -+ unsigned int i;
56526 -+
56527 -+ FOR_EACH_ROLE_START(r, i)
56528 -+ if (!strcmp(rolename, r->rolename) &&
56529 -+ (r->roletype & GR_ROLE_SPECIAL))
56530 -+ assigned = r;
56531 -+ FOR_EACH_ROLE_END(r,i)
56532 -+
56533 -+ if (!assigned)
56534 -+ return;
56535 -+
56536 -+ read_lock(&tasklist_lock);
56537 -+ read_lock(&grsec_exec_file_lock);
56538 -+
56539 -+ tsk = current->parent;
56540 -+ if (tsk == NULL)
56541 -+ goto out_unlock;
56542 -+
56543 -+ filp = tsk->exec_file;
56544 -+ if (filp == NULL)
56545 -+ goto out_unlock;
56546 -+
56547 -+ tsk->is_writable = 0;
56548 -+
56549 -+ tsk->acl_sp_role = 1;
56550 -+ tsk->acl_role_id = ++acl_sp_role_value;
56551 -+ tsk->role = assigned;
56552 -+ tsk->acl = chk_subj_label(filp->f_dentry, filp->f_vfsmnt, tsk->role);
56553 -+
56554 -+ /* ignore additional mmap checks for processes that are writable
56555 -+ by the default ACL */
56556 -+ obj = chk_obj_label(filp->f_dentry, filp->f_vfsmnt, default_role->root_label);
56557 -+ if (unlikely(obj->mode & GR_WRITE))
56558 -+ tsk->is_writable = 1;
56559 -+ obj = chk_obj_label(filp->f_dentry, filp->f_vfsmnt, tsk->role->root_label);
56560 -+ if (unlikely(obj->mode & GR_WRITE))
56561 -+ tsk->is_writable = 1;
56562 -+
56563 -+#ifdef CONFIG_GRKERNSEC_ACL_DEBUG
56564 -+ printk(KERN_ALERT "Assigning special role:%s subject:%s to process (%s:%d)\n", tsk->role->rolename, tsk->acl->filename, tsk->comm, tsk->pid);
56565 -+#endif
56566 -+
56567 -+out_unlock:
56568 -+ read_unlock(&grsec_exec_file_lock);
56569 -+ read_unlock(&tasklist_lock);
56570 -+ return;
56571 -+}
56572 -+
56573 -+int gr_check_secure_terminal(struct task_struct *task)
56574 -+{
56575 -+ struct task_struct *p, *p2, *p3;
56576 -+ struct files_struct *files;
56577 -+ struct fdtable *fdt;
56578 -+ struct file *our_file = NULL, *file;
56579 -+ int i;
56580 -+
56581 -+ if (task->signal->tty == NULL)
56582 -+ return 1;
56583 -+
56584 -+ files = get_files_struct(task);
56585 -+ if (files != NULL) {
56586 -+ rcu_read_lock();
56587 -+ fdt = files_fdtable(files);
56588 -+ for (i=0; i < fdt->max_fds; i++) {
56589 -+ file = fcheck_files(files, i);
56590 -+ if (file && (our_file == NULL) && (file->private_data == task->signal->tty)) {
56591 -+ get_file(file);
56592 -+ our_file = file;
56593 -+ }
56594 -+ }
56595 -+ rcu_read_unlock();
56596 -+ put_files_struct(files);
56597 -+ }
56598 -+
56599 -+ if (our_file == NULL)
56600 -+ return 1;
56601 -+
56602 -+ read_lock(&tasklist_lock);
56603 -+ do_each_thread(p2, p) {
56604 -+ files = get_files_struct(p);
56605 -+ if (files == NULL ||
56606 -+ (p->signal && p->signal->tty == task->signal->tty)) {
56607 -+ if (files != NULL)
56608 -+ put_files_struct(files);
56609 -+ continue;
56610 -+ }
56611 -+ rcu_read_lock();
56612 -+ fdt = files_fdtable(files);
56613 -+ for (i=0; i < fdt->max_fds; i++) {
56614 -+ file = fcheck_files(files, i);
56615 -+ if (file && S_ISCHR(file->f_dentry->d_inode->i_mode) &&
56616 -+ file->f_dentry->d_inode->i_rdev == our_file->f_dentry->d_inode->i_rdev) {
56617 -+ p3 = task;
56618 -+ while (p3->pid > 0) {
56619 -+ if (p3 == p)
56620 -+ break;
56621 -+ p3 = p3->parent;
56622 -+ }
56623 -+ if (p3 == p)
56624 -+ break;
56625 -+ gr_log_ttysniff(GR_DONT_AUDIT_GOOD, GR_TTYSNIFF_ACL_MSG, p);
56626 -+ gr_handle_alertkill(p);
56627 -+ rcu_read_unlock();
56628 -+ put_files_struct(files);
56629 -+ read_unlock(&tasklist_lock);
56630 -+ fput(our_file);
56631 -+ return 0;
56632 -+ }
56633 -+ }
56634 -+ rcu_read_unlock();
56635 -+ put_files_struct(files);
56636 -+ } while_each_thread(p2, p);
56637 -+ read_unlock(&tasklist_lock);
56638 -+
56639 -+ fput(our_file);
56640 -+ return 1;
56641 -+}
56642 -+
56643 -+ssize_t
56644 -+write_grsec_handler(struct file *file, const char * buf, size_t count, loff_t *ppos)
56645 -+{
56646 -+ struct gr_arg_wrapper uwrap;
56647 -+ unsigned char *sprole_salt;
56648 -+ unsigned char *sprole_sum;
56649 -+ int error = sizeof (struct gr_arg_wrapper);
56650 -+ int error2 = 0;
56651 -+
56652 -+ down(&gr_dev_sem);
56653 -+
56654 -+ if ((gr_status & GR_READY) && !(current->acl->mode & GR_KERNELAUTH)) {
56655 -+ error = -EPERM;
56656 -+ goto out;
56657 -+ }
56658 -+
56659 -+ if (count != sizeof (struct gr_arg_wrapper)) {
56660 -+ gr_log_int_int(GR_DONT_AUDIT_GOOD, GR_DEV_ACL_MSG, (int)count, (int)sizeof(struct gr_arg_wrapper));
56661 -+ error = -EINVAL;
56662 -+ goto out;
56663 -+ }
56664 -+
56665 -+
56666 -+ if (gr_auth_expires && time_after_eq(get_seconds(), gr_auth_expires)) {
56667 -+ gr_auth_expires = 0;
56668 -+ gr_auth_attempts = 0;
56669 -+ }
56670 -+
56671 -+ if (copy_from_user(&uwrap, buf, sizeof (struct gr_arg_wrapper))) {
56672 -+ error = -EFAULT;
56673 -+ goto out;
56674 -+ }
56675 -+
56676 -+ if ((uwrap.version != GRSECURITY_VERSION) || (uwrap.size != sizeof(struct gr_arg))) {
56677 -+ error = -EINVAL;
56678 -+ goto out;
56679 -+ }
56680 -+
56681 -+ if (copy_from_user(gr_usermode, uwrap.arg, sizeof (struct gr_arg))) {
56682 -+ error = -EFAULT;
56683 -+ goto out;
56684 -+ }
56685 -+
56686 -+ if (gr_usermode->mode != SPROLE && gr_usermode->mode != SPROLEPAM &&
56687 -+ gr_auth_attempts >= CONFIG_GRKERNSEC_ACL_MAXTRIES &&
56688 -+ time_after(gr_auth_expires, get_seconds())) {
56689 -+ error = -EBUSY;
56690 -+ goto out;
56691 -+ }
56692 -+
56693 -+ /* if non-root trying to do anything other than use a special role,
56694 -+ do not attempt authentication, do not count towards authentication
56695 -+ locking
56696 -+ */
56697 -+
56698 -+ if (gr_usermode->mode != SPROLE && gr_usermode->mode != STATUS &&
56699 -+ gr_usermode->mode != UNSPROLE && gr_usermode->mode != SPROLEPAM &&
56700 -+ current->uid) {
56701 -+ error = -EPERM;
56702 -+ goto out;
56703 -+ }
56704 -+
56705 -+ /* ensure pw and special role name are null terminated */
56706 -+
56707 -+ gr_usermode->pw[GR_PW_LEN - 1] = '\0';
56708 -+ gr_usermode->sp_role[GR_SPROLE_LEN - 1] = '\0';
56709 -+
56710 -+ /* Okay.
56711 -+ * We have our enough of the argument structure..(we have yet
56712 -+ * to copy_from_user the tables themselves) . Copy the tables
56713 -+ * only if we need them, i.e. for loading operations. */
56714 -+
56715 -+ switch (gr_usermode->mode) {
56716 -+ case STATUS:
56717 -+ if (gr_status & GR_READY) {
56718 -+ error = 1;
56719 -+ if (!gr_check_secure_terminal(current))
56720 -+ error = 3;
56721 -+ } else
56722 -+ error = 2;
56723 -+ goto out;
56724 -+ case SHUTDOWN:
56725 -+ if ((gr_status & GR_READY)
56726 -+ && !(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
56727 -+ gr_status &= ~GR_READY;
56728 -+ gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SHUTS_ACL_MSG);
56729 -+ free_variables();
56730 -+ memset(gr_usermode, 0, sizeof (struct gr_arg));
56731 -+ memset(gr_system_salt, 0, GR_SALT_LEN);
56732 -+ memset(gr_system_sum, 0, GR_SHA_LEN);
56733 -+ } else if (gr_status & GR_READY) {
56734 -+ gr_log_noargs(GR_DONT_AUDIT, GR_SHUTF_ACL_MSG);
56735 -+ error = -EPERM;
56736 -+ } else {
56737 -+ gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SHUTI_ACL_MSG);
56738 -+ error = -EAGAIN;
56739 -+ }
56740 -+ break;
56741 -+ case ENABLE:
56742 -+ if (!(gr_status & GR_READY) && !(error2 = gracl_init(gr_usermode)))
56743 -+ gr_log_str(GR_DONT_AUDIT_GOOD, GR_ENABLE_ACL_MSG, GR_VERSION);
56744 -+ else {
56745 -+ if (gr_status & GR_READY)
56746 -+ error = -EAGAIN;
56747 -+ else
56748 -+ error = error2;
56749 -+ gr_log_str(GR_DONT_AUDIT, GR_ENABLEF_ACL_MSG, GR_VERSION);
56750 -+ }
56751 -+ break;
56752 -+ case RELOAD:
56753 -+ if (!(gr_status & GR_READY)) {
56754 -+ gr_log_str(GR_DONT_AUDIT_GOOD, GR_RELOADI_ACL_MSG, GR_VERSION);
56755 -+ error = -EAGAIN;
56756 -+ } else if (!(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
56757 -+ lock_kernel();
56758 -+ gr_status &= ~GR_READY;
56759 -+ free_variables();
56760 -+ if (!(error2 = gracl_init(gr_usermode))) {
56761 -+ unlock_kernel();
56762 -+ gr_log_str(GR_DONT_AUDIT_GOOD, GR_RELOAD_ACL_MSG, GR_VERSION);
56763 -+ } else {
56764 -+ unlock_kernel();
56765 -+ error = error2;
56766 -+ gr_log_str(GR_DONT_AUDIT, GR_RELOADF_ACL_MSG, GR_VERSION);
56767 -+ }
56768 -+ } else {
56769 -+ gr_log_str(GR_DONT_AUDIT, GR_RELOADF_ACL_MSG, GR_VERSION);
56770 -+ error = -EPERM;
56771 -+ }
56772 -+ break;
56773 -+ case SEGVMOD:
56774 -+ if (unlikely(!(gr_status & GR_READY))) {
56775 -+ gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SEGVMODI_ACL_MSG);
56776 -+ error = -EAGAIN;
56777 -+ break;
56778 -+ }
56779 -+
56780 -+ if (!(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
56781 -+ gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SEGVMODS_ACL_MSG);
56782 -+ if (gr_usermode->segv_device && gr_usermode->segv_inode) {
56783 -+ struct acl_subject_label *segvacl;
56784 -+ segvacl =
56785 -+ lookup_acl_subj_label(gr_usermode->segv_inode,
56786 -+ gr_usermode->segv_device,
56787 -+ current->role);
56788 -+ if (segvacl) {
56789 -+ segvacl->crashes = 0;
56790 -+ segvacl->expires = 0;
56791 -+ }
56792 -+ } else if (gr_find_uid(gr_usermode->segv_uid) >= 0) {
56793 -+ gr_remove_uid(gr_usermode->segv_uid);
56794 -+ }
56795 -+ } else {
56796 -+ gr_log_noargs(GR_DONT_AUDIT, GR_SEGVMODF_ACL_MSG);
56797 -+ error = -EPERM;
56798 -+ }
56799 -+ break;
56800 -+ case SPROLE:
56801 -+ case SPROLEPAM:
56802 -+ if (unlikely(!(gr_status & GR_READY))) {
56803 -+ gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SPROLEI_ACL_MSG);
56804 -+ error = -EAGAIN;
56805 -+ break;
56806 -+ }
56807 -+
56808 -+ if (current->role->expires && time_after_eq(get_seconds(), current->role->expires)) {
56809 -+ current->role->expires = 0;
56810 -+ current->role->auth_attempts = 0;
56811 -+ }
56812 -+
56813 -+ if (current->role->auth_attempts >= CONFIG_GRKERNSEC_ACL_MAXTRIES &&
56814 -+ time_after(current->role->expires, get_seconds())) {
56815 -+ error = -EBUSY;
56816 -+ goto out;
56817 -+ }
56818 -+
56819 -+ if (lookup_special_role_auth
56820 -+ (gr_usermode->mode, gr_usermode->sp_role, &sprole_salt, &sprole_sum)
56821 -+ && ((!sprole_salt && !sprole_sum)
56822 -+ || !(chkpw(gr_usermode, sprole_salt, sprole_sum)))) {
56823 -+ char *p = "";
56824 -+ assign_special_role(gr_usermode->sp_role);
56825 -+ read_lock(&tasklist_lock);
56826 -+ if (current->parent)
56827 -+ p = current->parent->role->rolename;
56828 -+ read_unlock(&tasklist_lock);
56829 -+ gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_SPROLES_ACL_MSG,
56830 -+ p, acl_sp_role_value);
56831 -+ } else {
56832 -+ gr_log_str(GR_DONT_AUDIT, GR_SPROLEF_ACL_MSG, gr_usermode->sp_role);
56833 -+ error = -EPERM;
56834 -+ if(!(current->role->auth_attempts++))
56835 -+ current->role->expires = get_seconds() + CONFIG_GRKERNSEC_ACL_TIMEOUT;
56836 -+
56837 -+ goto out;
56838 -+ }
56839 -+ break;
56840 -+ case UNSPROLE:
56841 -+ if (unlikely(!(gr_status & GR_READY))) {
56842 -+ gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_UNSPROLEI_ACL_MSG);
56843 -+ error = -EAGAIN;
56844 -+ break;
56845 -+ }
56846 -+
56847 -+ if (current->role->roletype & GR_ROLE_SPECIAL) {
56848 -+ char *p = "";
56849 -+ int i = 0;
56850 -+
56851 -+ read_lock(&tasklist_lock);
56852 -+ if (current->parent) {
56853 -+ p = current->parent->role->rolename;
56854 -+ i = current->parent->acl_role_id;
56855 -+ }
56856 -+ read_unlock(&tasklist_lock);
56857 -+
56858 -+ gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_UNSPROLES_ACL_MSG, p, i);
56859 -+ gr_set_acls(1);
56860 -+ } else {
56861 -+ gr_log_str(GR_DONT_AUDIT, GR_UNSPROLEF_ACL_MSG, current->role->rolename);
56862 -+ error = -EPERM;
56863 -+ goto out;
56864 -+ }
56865 -+ break;
56866 -+ default:
56867 -+ gr_log_int(GR_DONT_AUDIT, GR_INVMODE_ACL_MSG, gr_usermode->mode);
56868 -+ error = -EINVAL;
56869 -+ break;
56870 -+ }
56871 -+
56872 -+ if (error != -EPERM)
56873 -+ goto out;
56874 -+
56875 -+ if(!(gr_auth_attempts++))
56876 -+ gr_auth_expires = get_seconds() + CONFIG_GRKERNSEC_ACL_TIMEOUT;
56877 -+
56878 -+ out:
56879 -+ up(&gr_dev_sem);
56880 -+ return error;
56881 -+}
56882 -+
56883 -+int
56884 -+gr_set_acls(const int type)
56885 -+{
56886 -+ struct acl_object_label *obj;
56887 -+ struct task_struct *task, *task2;
56888 -+ struct file *filp;
56889 -+ struct acl_role_label *role = current->role;
56890 -+ __u16 acl_role_id = current->acl_role_id;
56891 -+
56892 -+ read_lock(&tasklist_lock);
56893 -+ read_lock(&grsec_exec_file_lock);
56894 -+ do_each_thread(task2, task) {
56895 -+ /* check to see if we're called from the exit handler,
56896 -+ if so, only replace ACLs that have inherited the admin
56897 -+ ACL */
56898 -+
56899 -+ if (type && (task->role != role ||
56900 -+ task->acl_role_id != acl_role_id))
56901 -+ continue;
56902 -+
56903 -+ task->acl_role_id = 0;
56904 -+ task->acl_sp_role = 0;
56905 -+
56906 -+ if ((filp = task->exec_file)) {
56907 -+ task->role = lookup_acl_role_label(task, task->uid, task->gid);
56908 -+
56909 -+ task->acl =
56910 -+ chk_subj_label(filp->f_dentry, filp->f_vfsmnt,
56911 -+ task->role);
56912 -+ if (task->acl) {
56913 -+ struct acl_subject_label *curr;
56914 -+ curr = task->acl;
56915 -+
56916 -+ task->is_writable = 0;
56917 -+ /* ignore additional mmap checks for processes that are writable
56918 -+ by the default ACL */
56919 -+ obj = chk_obj_label(filp->f_dentry, filp->f_vfsmnt, default_role->root_label);
56920 -+ if (unlikely(obj->mode & GR_WRITE))
56921 -+ task->is_writable = 1;
56922 -+ obj = chk_obj_label(filp->f_dentry, filp->f_vfsmnt, task->role->root_label);
56923 -+ if (unlikely(obj->mode & GR_WRITE))
56924 -+ task->is_writable = 1;
56925 -+
56926 -+ gr_set_proc_res(task);
56927 -+
56928 -+#ifdef CONFIG_GRKERNSEC_ACL_DEBUG
56929 -+ printk(KERN_ALERT "gr_set_acls for (%s:%d): role:%s, subject:%s\n", task->comm, task->pid, task->role->rolename, task->acl->filename);
56930 -+#endif
56931 -+ } else {
56932 -+ read_unlock(&grsec_exec_file_lock);
56933 -+ read_unlock(&tasklist_lock);
56934 -+ gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_DEFACL_MSG, task->comm, task->pid);
56935 -+ return 1;
56936 -+ }
56937 -+ } else {
56938 -+ // it's a kernel process
56939 -+ task->role = kernel_role;
56940 -+ task->acl = kernel_role->root_label;
56941 -+#ifdef CONFIG_GRKERNSEC_ACL_HIDEKERN
56942 -+ task->acl->mode &= ~GR_PROCFIND;
56943 -+#endif
56944 -+ }
56945 -+ } while_each_thread(task2, task);
56946 -+ read_unlock(&grsec_exec_file_lock);
56947 -+ read_unlock(&tasklist_lock);
56948 -+ return 0;
56949 -+}
56950 -+
56951 -+void
56952 -+gr_learn_resource(const struct task_struct *task,
56953 -+ const int res, const unsigned long wanted, const int gt)
56954 -+{
56955 -+ struct acl_subject_label *acl;
56956 -+
56957 -+ if (unlikely((gr_status & GR_READY) &&
56958 -+ task->acl && (task->acl->mode & (GR_LEARN | GR_INHERITLEARN))))
56959 -+ goto skip_reslog;
56960 -+
56961 -+#ifdef CONFIG_GRKERNSEC_RESLOG
56962 -+ gr_log_resource(task, res, wanted, gt);
56963 -+#endif
56964 -+ skip_reslog:
56965 -+
56966 -+ if (unlikely(!(gr_status & GR_READY) || !wanted))
56967 -+ return;
56968 -+
56969 -+ acl = task->acl;
56970 -+
56971 -+ if (likely(!acl || !(acl->mode & (GR_LEARN | GR_INHERITLEARN)) ||
56972 -+ !(acl->resmask & (1 << (unsigned short) res))))
56973 -+ return;
56974 -+
56975 -+ if (wanted >= acl->res[res].rlim_cur) {
56976 -+ unsigned long res_add;
56977 -+
56978 -+ res_add = wanted;
56979 -+ switch (res) {
56980 -+ case RLIMIT_CPU:
56981 -+ res_add += GR_RLIM_CPU_BUMP;
56982 -+ break;
56983 -+ case RLIMIT_FSIZE:
56984 -+ res_add += GR_RLIM_FSIZE_BUMP;
56985 -+ break;
56986 -+ case RLIMIT_DATA:
56987 -+ res_add += GR_RLIM_DATA_BUMP;
56988 -+ break;
56989 -+ case RLIMIT_STACK:
56990 -+ res_add += GR_RLIM_STACK_BUMP;
56991 -+ break;
56992 -+ case RLIMIT_CORE:
56993 -+ res_add += GR_RLIM_CORE_BUMP;
56994 -+ break;
56995 -+ case RLIMIT_RSS:
56996 -+ res_add += GR_RLIM_RSS_BUMP;
56997 -+ break;
56998 -+ case RLIMIT_NPROC:
56999 -+ res_add += GR_RLIM_NPROC_BUMP;
57000 -+ break;
57001 -+ case RLIMIT_NOFILE:
57002 -+ res_add += GR_RLIM_NOFILE_BUMP;
57003 -+ break;
57004 -+ case RLIMIT_MEMLOCK:
57005 -+ res_add += GR_RLIM_MEMLOCK_BUMP;
57006 -+ break;
57007 -+ case RLIMIT_AS:
57008 -+ res_add += GR_RLIM_AS_BUMP;
57009 -+ break;
57010 -+ case RLIMIT_LOCKS:
57011 -+ res_add += GR_RLIM_LOCKS_BUMP;
57012 -+ break;
57013 -+ }
57014 -+
57015 -+ acl->res[res].rlim_cur = res_add;
57016 -+
57017 -+ if (wanted > acl->res[res].rlim_max)
57018 -+ acl->res[res].rlim_max = res_add;
57019 -+
57020 -+ security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename,
57021 -+ task->role->roletype, acl->filename,
57022 -+ acl->res[res].rlim_cur, acl->res[res].rlim_max,
57023 -+ "", (unsigned long) res);
57024 -+ }
57025 -+
57026 -+ return;
57027 -+}
57028 -+
57029 -+#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
57030 -+void
57031 -+pax_set_initial_flags(struct linux_binprm *bprm)
57032 -+{
57033 -+ struct task_struct *task = current;
57034 -+ struct acl_subject_label *proc;
57035 -+ unsigned long flags;
57036 -+
57037 -+ if (unlikely(!(gr_status & GR_READY)))
57038 -+ return;
57039 -+
57040 -+ flags = pax_get_flags(task);
57041 -+
57042 -+ proc = task->acl;
57043 -+
57044 -+ if (proc->pax_flags & GR_PAX_DISABLE_PAGEEXEC)
57045 -+ flags &= ~MF_PAX_PAGEEXEC;
57046 -+ if (proc->pax_flags & GR_PAX_DISABLE_SEGMEXEC)
57047 -+ flags &= ~MF_PAX_SEGMEXEC;
57048 -+ if (proc->pax_flags & GR_PAX_DISABLE_RANDMMAP)
57049 -+ flags &= ~MF_PAX_RANDMMAP;
57050 -+ if (proc->pax_flags & GR_PAX_DISABLE_EMUTRAMP)
57051 -+ flags &= ~MF_PAX_EMUTRAMP;
57052 -+ if (proc->pax_flags & GR_PAX_DISABLE_MPROTECT)
57053 -+ flags &= ~MF_PAX_MPROTECT;
57054 -+
57055 -+ if (proc->pax_flags & GR_PAX_ENABLE_PAGEEXEC)
57056 -+ flags |= MF_PAX_PAGEEXEC;
57057 -+ if (proc->pax_flags & GR_PAX_ENABLE_SEGMEXEC)
57058 -+ flags |= MF_PAX_SEGMEXEC;
57059 -+ if (proc->pax_flags & GR_PAX_ENABLE_RANDMMAP)
57060 -+ flags |= MF_PAX_RANDMMAP;
57061 -+ if (proc->pax_flags & GR_PAX_ENABLE_EMUTRAMP)
57062 -+ flags |= MF_PAX_EMUTRAMP;
57063 -+ if (proc->pax_flags & GR_PAX_ENABLE_MPROTECT)
57064 -+ flags |= MF_PAX_MPROTECT;
57065 -+
57066 -+ pax_set_flags(task, flags);
57067 -+
57068 -+ return;
57069 -+}
57070 -+#endif
57071 -+
57072 -+#ifdef CONFIG_SYSCTL
57073 -+/* Eric Biederman likes breaking userland ABI and every inode-based security
57074 -+ system to save 35kb of memory */
57075 -+
57076 -+/* we modify the passed in filename, but adjust it back before returning */
57077 -+static struct acl_object_label *gr_lookup_by_name(char *name, unsigned int len)
57078 -+{
57079 -+ struct name_entry *nmatch;
57080 -+ char *p, *lastp = NULL;
57081 -+ struct acl_object_label *obj = NULL, *tmp;
57082 -+ struct acl_subject_label *tmpsubj;
57083 -+ int done = 0;
57084 -+ char c = '\0';
57085 -+
57086 -+ read_lock(&gr_inode_lock);
57087 -+
57088 -+ p = name + len - 1;
57089 -+ do {
57090 -+ nmatch = lookup_name_entry(name);
57091 -+ if (lastp != NULL)
57092 -+ *lastp = c;
57093 -+
57094 -+ if (nmatch == NULL)
57095 -+ goto next_component;
57096 -+ tmpsubj = current->acl;
57097 -+ do {
57098 -+ obj = lookup_acl_obj_label(nmatch->inode, nmatch->device, tmpsubj);
57099 -+ if (obj != NULL) {
57100 -+ tmp = obj->globbed;
57101 -+ while (tmp) {
57102 -+ if (!glob_match(tmp->filename, name)) {
57103 -+ obj = tmp;
57104 -+ goto found_obj;
57105 -+ }
57106 -+ tmp = tmp->next;
57107 -+ }
57108 -+ goto found_obj;
57109 -+ }
57110 -+ } while ((tmpsubj = tmpsubj->parent_subject));
57111 -+next_component:
57112 -+ /* end case */
57113 -+ if (p == name)
57114 -+ break;
57115 -+
57116 -+ while (*p != '/')
57117 -+ p--;
57118 -+ if (p == name)
57119 -+ lastp = p + 1;
57120 -+ else {
57121 -+ lastp = p;
57122 -+ p--;
57123 -+ }
57124 -+ c = *lastp;
57125 -+ *lastp = '\0';
57126 -+ } while (1);
57127 -+found_obj:
57128 -+ read_unlock(&gr_inode_lock);
57129 -+ /* obj returned will always be non-null */
57130 -+ return obj;
57131 -+}
57132 -+
57133 -+/* returns 0 when allowing, non-zero on error
57134 -+ op of 0 is used for readdir, so we don't log the names of hidden files
57135 -+*/
57136 -+__u32
57137 -+gr_handle_sysctl(const struct ctl_table *table, const int op)
57138 -+{
57139 -+ ctl_table *tmp;
57140 -+ struct nameidata nd;
57141 -+ const char *proc_sys = "/proc/sys";
57142 -+ char *path;
57143 -+ struct acl_object_label *obj;
57144 -+ unsigned short len = 0, pos = 0, depth = 0, i;
57145 -+ __u32 err = 0;
57146 -+ __u32 mode = 0;
57147 -+
57148 -+ if (unlikely(!(gr_status & GR_READY)))
57149 -+ return 0;
57150 -+
57151 -+ /* for now, ignore operations on non-sysctl entries if it's not a
57152 -+ readdir*/
57153 -+ if (table->child != NULL && op != 0)
57154 -+ return 0;
57155 -+
57156 -+ mode |= GR_FIND;
57157 -+ /* it's only a read if it's an entry, read on dirs is for readdir */
57158 -+ if (op & 004)
57159 -+ mode |= GR_READ;
57160 -+ if (op & 002)
57161 -+ mode |= GR_WRITE;
57162 -+
57163 -+ preempt_disable();
57164 -+
57165 -+ path = per_cpu_ptr(gr_shared_page[0], smp_processor_id());
57166 -+
57167 -+ /* it's only a read/write if it's an actual entry, not a dir
57168 -+ (which are opened for readdir)
57169 -+ */
57170 -+
57171 -+ /* convert the requested sysctl entry into a pathname */
57172 -+
57173 -+ for (tmp = (ctl_table *)table; tmp != NULL; tmp = tmp->parent) {
57174 -+ len += strlen(tmp->procname);
57175 -+ len++;
57176 -+ depth++;
57177 -+ }
57178 -+
57179 -+ if ((len + depth + strlen(proc_sys) + 1) > PAGE_SIZE) {
57180 -+ /* deny */
57181 -+ goto out;
57182 -+ }
57183 -+
57184 -+ memset(path, 0, PAGE_SIZE);
57185 -+
57186 -+ memcpy(path, proc_sys, strlen(proc_sys));
57187 -+
57188 -+ pos += strlen(proc_sys);
57189 -+
57190 -+ for (; depth > 0; depth--) {
57191 -+ path[pos] = '/';
57192 -+ pos++;
57193 -+ for (i = 1, tmp = (ctl_table *)table; tmp != NULL; tmp = tmp->parent) {
57194 -+ if (depth == i) {
57195 -+ memcpy(path + pos, tmp->procname,
57196 -+ strlen(tmp->procname));
57197 -+ pos += strlen(tmp->procname);
57198 -+ }
57199 -+ i++;
57200 -+ }
57201 -+ }
57202 -+
57203 -+ obj = gr_lookup_by_name(path, pos);
57204 -+ err = obj->mode & (mode | to_gr_audit(mode) | GR_SUPPRESS);
57205 -+
57206 -+ if (unlikely((current->acl->mode & (GR_LEARN | GR_INHERITLEARN)) &&
57207 -+ ((err & mode) != mode))) {
57208 -+ __u32 new_mode = mode;
57209 -+
57210 -+ new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
57211 -+
57212 -+ err = 0;
57213 -+ gr_log_learn_sysctl(current, path, new_mode);
57214 -+ } else if (!(err & GR_FIND) && !(err & GR_SUPPRESS) && op != 0) {
57215 -+ gr_log_hidden_sysctl(GR_DONT_AUDIT, GR_HIDDEN_ACL_MSG, path);
57216 -+ err = -ENOENT;
57217 -+ } else if (!(err & GR_FIND)) {
57218 -+ err = -ENOENT;
57219 -+ } else if (((err & mode) & ~GR_FIND) != (mode & ~GR_FIND) && !(err & GR_SUPPRESS)) {
57220 -+ gr_log_str4(GR_DONT_AUDIT, GR_SYSCTL_ACL_MSG, "denied",
57221 -+ path, (mode & GR_READ) ? " reading" : "",
57222 -+ (mode & GR_WRITE) ? " writing" : "");
57223 -+ err = -EACCES;
57224 -+ } else if ((err & mode) != mode) {
57225 -+ err = -EACCES;
57226 -+ } else if ((((err & mode) & ~GR_FIND) == (mode & ~GR_FIND)) && (err & GR_AUDITS)) {
57227 -+ gr_log_str4(GR_DO_AUDIT, GR_SYSCTL_ACL_MSG, "successful",
57228 -+ path, (mode & GR_READ) ? " reading" : "",
57229 -+ (mode & GR_WRITE) ? " writing" : "");
57230 -+ err = 0;
57231 -+ } else
57232 -+ err = 0;
57233 -+
57234 -+ out:
57235 -+ preempt_enable();
57236 -+
57237 -+ return err;
57238 -+}
57239 -+#endif
57240 -+
57241 -+int
57242 -+gr_handle_proc_ptrace(struct task_struct *task)
57243 -+{
57244 -+ struct file *filp;
57245 -+ struct task_struct *tmp = task;
57246 -+ struct task_struct *curtemp = current;
57247 -+ __u32 retmode;
57248 -+
57249 -+ if (unlikely(!(gr_status & GR_READY)))
57250 -+ return 0;
57251 -+
57252 -+ read_lock(&tasklist_lock);
57253 -+ read_lock(&grsec_exec_file_lock);
57254 -+ filp = task->exec_file;
57255 -+
57256 -+ while (tmp->pid > 0) {
57257 -+ if (tmp == curtemp)
57258 -+ break;
57259 -+ tmp = tmp->parent;
57260 -+ }
57261 -+
57262 -+ if (!filp || (tmp->pid == 0 && !(current->acl->mode & GR_RELAXPTRACE))) {
57263 -+ read_unlock(&grsec_exec_file_lock);
57264 -+ read_unlock(&tasklist_lock);
57265 -+ return 1;
57266 -+ }
57267 -+
57268 -+ retmode = gr_search_file(filp->f_dentry, GR_NOPTRACE, filp->f_vfsmnt);
57269 -+ read_unlock(&grsec_exec_file_lock);
57270 -+ read_unlock(&tasklist_lock);
57271 -+
57272 -+ if (retmode & GR_NOPTRACE)
57273 -+ return 1;
57274 -+
57275 -+ if (!(current->acl->mode & GR_POVERRIDE) && !(current->role->roletype & GR_ROLE_GOD)
57276 -+ && (current->acl != task->acl || (current->acl != current->role->root_label
57277 -+ && current->pid != task->pid)))
57278 -+ return 1;
57279 -+
57280 -+ return 0;
57281 -+}
57282 -+
57283 -+int
57284 -+gr_handle_ptrace(struct task_struct *task, const long request)
57285 -+{
57286 -+ struct task_struct *tmp = task;
57287 -+ struct task_struct *curtemp = current;
57288 -+ __u32 retmode;
57289 -+
57290 -+ if (unlikely(!(gr_status & GR_READY)))
57291 -+ return 0;
57292 -+
57293 -+ read_lock(&tasklist_lock);
57294 -+ while (tmp->pid > 0) {
57295 -+ if (tmp == curtemp)
57296 -+ break;
57297 -+ tmp = tmp->parent;
57298 -+ }
57299 -+
57300 -+ if (tmp->pid == 0 && !(current->acl->mode & GR_RELAXPTRACE)) {
57301 -+ read_unlock(&tasklist_lock);
57302 -+ gr_log_ptrace(GR_DONT_AUDIT, GR_PTRACE_ACL_MSG, task);
57303 -+ return 1;
57304 -+ }
57305 -+ read_unlock(&tasklist_lock);
57306 -+
57307 -+ read_lock(&grsec_exec_file_lock);
57308 -+ if (unlikely(!task->exec_file)) {
57309 -+ read_unlock(&grsec_exec_file_lock);
57310 -+ return 0;
57311 -+ }
57312 -+
57313 -+ retmode = gr_search_file(task->exec_file->f_dentry, GR_PTRACERD | GR_NOPTRACE, task->exec_file->f_vfsmnt);
57314 -+ read_unlock(&grsec_exec_file_lock);
57315 -+
57316 -+ if (retmode & GR_NOPTRACE) {
57317 -+ gr_log_ptrace(GR_DONT_AUDIT, GR_PTRACE_ACL_MSG, task);
57318 -+ return 1;
57319 -+ }
57320 -+
57321 -+ if (retmode & GR_PTRACERD) {
57322 -+ switch (request) {
57323 -+ case PTRACE_POKETEXT:
57324 -+ case PTRACE_POKEDATA:
57325 -+ case PTRACE_POKEUSR:
57326 -+#if !defined(CONFIG_PPC32) && !defined(CONFIG_PPC64) && !defined(CONFIG_PARISC) && !defined(CONFIG_ALPHA) && !defined(CONFIG_IA64)
57327 -+ case PTRACE_SETREGS:
57328 -+ case PTRACE_SETFPREGS:
57329 -+#endif
57330 -+#ifdef CONFIG_X86
57331 -+ case PTRACE_SETFPXREGS:
57332 -+#endif
57333 -+#ifdef CONFIG_ALTIVEC
57334 -+ case PTRACE_SETVRREGS:
57335 -+#endif
57336 -+ return 1;
57337 -+ default:
57338 -+ return 0;
57339 -+ }
57340 -+ } else if (!(current->acl->mode & GR_POVERRIDE) &&
57341 -+ !(current->role->roletype & GR_ROLE_GOD) &&
57342 -+ (current->acl != task->acl)) {
57343 -+ gr_log_ptrace(GR_DONT_AUDIT, GR_PTRACE_ACL_MSG, task);
57344 -+ return 1;
57345 -+ }
57346 -+
57347 -+ return 0;
57348 -+}
57349 -+
57350 -+static int is_writable_mmap(const struct file *filp)
57351 -+{
57352 -+ struct task_struct *task = current;
57353 -+ struct acl_object_label *obj, *obj2;
57354 -+
57355 -+ if (gr_status & GR_READY && !(task->acl->mode & GR_OVERRIDE) &&
57356 -+ !task->is_writable && S_ISREG(filp->f_dentry->d_inode->i_mode)) {
57357 -+ obj = chk_obj_label(filp->f_dentry, filp->f_vfsmnt, default_role->root_label);
57358 -+ obj2 = chk_obj_label(filp->f_dentry, filp->f_vfsmnt,
57359 -+ task->role->root_label);
57360 -+ if (unlikely((obj->mode & GR_WRITE) || (obj2->mode & GR_WRITE))) {
57361 -+ gr_log_fs_generic(GR_DONT_AUDIT, GR_WRITLIB_ACL_MSG, filp->f_dentry, filp->f_vfsmnt);
57362 -+ return 1;
57363 -+ }
57364 -+ }
57365 -+ return 0;
57366 -+}
57367 -+
57368 -+int
57369 -+gr_acl_handle_mmap(const struct file *file, const unsigned long prot)
57370 -+{
57371 -+ __u32 mode;
57372 -+
57373 -+ if (unlikely(!file || !(prot & PROT_EXEC)))
57374 -+ return 1;
57375 -+
57376 -+ if (is_writable_mmap(file))
57377 -+ return 0;
57378 -+
57379 -+ mode =
57380 -+ gr_search_file(file->f_dentry,
57381 -+ GR_EXEC | GR_AUDIT_EXEC | GR_SUPPRESS,
57382 -+ file->f_vfsmnt);
57383 -+
57384 -+ if (!gr_tpe_allow(file))
57385 -+ return 0;
57386 -+
57387 -+ if (unlikely(!(mode & GR_EXEC) && !(mode & GR_SUPPRESS))) {
57388 -+ gr_log_fs_rbac_generic(GR_DONT_AUDIT, GR_MMAP_ACL_MSG, file->f_dentry, file->f_vfsmnt);
57389 -+ return 0;
57390 -+ } else if (unlikely(!(mode & GR_EXEC))) {
57391 -+ return 0;
57392 -+ } else if (unlikely(mode & GR_EXEC && mode & GR_AUDIT_EXEC)) {
57393 -+ gr_log_fs_rbac_generic(GR_DO_AUDIT, GR_MMAP_ACL_MSG, file->f_dentry, file->f_vfsmnt);
57394 -+ return 1;
57395 -+ }
57396 -+
57397 -+ return 1;
57398 -+}
57399 -+
57400 -+int
57401 -+gr_acl_handle_mprotect(const struct file *file, const unsigned long prot)
57402 -+{
57403 -+ __u32 mode;
57404 -+
57405 -+ if (unlikely(!file || !(prot & PROT_EXEC)))
57406 -+ return 1;
57407 -+
57408 -+ if (is_writable_mmap(file))
57409 -+ return 0;
57410 -+
57411 -+ mode =
57412 -+ gr_search_file(file->f_dentry,
57413 -+ GR_EXEC | GR_AUDIT_EXEC | GR_SUPPRESS,
57414 -+ file->f_vfsmnt);
57415 -+
57416 -+ if (!gr_tpe_allow(file))
57417 -+ return 0;
57418 -+
57419 -+ if (unlikely(!(mode & GR_EXEC) && !(mode & GR_SUPPRESS))) {
57420 -+ gr_log_fs_rbac_generic(GR_DONT_AUDIT, GR_MPROTECT_ACL_MSG, file->f_dentry, file->f_vfsmnt);
57421 -+ return 0;
57422 -+ } else if (unlikely(!(mode & GR_EXEC))) {
57423 -+ return 0;
57424 -+ } else if (unlikely(mode & GR_EXEC && mode & GR_AUDIT_EXEC)) {
57425 -+ gr_log_fs_rbac_generic(GR_DO_AUDIT, GR_MPROTECT_ACL_MSG, file->f_dentry, file->f_vfsmnt);
57426 -+ return 1;
57427 -+ }
57428 -+
57429 -+ return 1;
57430 -+}
57431 -+
57432 -+void
57433 -+gr_acl_handle_psacct(struct task_struct *task, const long code)
57434 -+{
57435 -+ unsigned long runtime;
57436 -+ unsigned long cputime;
57437 -+ unsigned int wday, cday;
57438 -+ __u8 whr, chr;
57439 -+ __u8 wmin, cmin;
57440 -+ __u8 wsec, csec;
57441 -+
57442 -+ if (unlikely(!(gr_status & GR_READY) || !task->acl ||
57443 -+ !(task->acl->mode & GR_PROCACCT)))
57444 -+ return;
57445 -+
57446 -+ runtime = xtime.tv_sec - task->start_time.tv_sec;
57447 -+ wday = runtime / (3600 * 24);
57448 -+ runtime -= wday * (3600 * 24);
57449 -+ whr = runtime / 3600;
57450 -+ runtime -= whr * 3600;
57451 -+ wmin = runtime / 60;
57452 -+ runtime -= wmin * 60;
57453 -+ wsec = runtime;
57454 -+
57455 -+ cputime = (task->utime + task->stime) / HZ;
57456 -+ cday = cputime / (3600 * 24);
57457 -+ cputime -= cday * (3600 * 24);
57458 -+ chr = cputime / 3600;
57459 -+ cputime -= chr * 3600;
57460 -+ cmin = cputime / 60;
57461 -+ cputime -= cmin * 60;
57462 -+ csec = cputime;
57463 -+
57464 -+ gr_log_procacct(GR_DO_AUDIT, GR_ACL_PROCACCT_MSG, task, wday, whr, wmin, wsec, cday, chr, cmin, csec, code);
57465 -+
57466 -+ return;
57467 -+}
57468 -+
57469 -+void gr_set_kernel_label(struct task_struct *task)
57470 -+{
57471 -+ if (gr_status & GR_READY) {
57472 -+ task->role = kernel_role;
57473 -+ task->acl = kernel_role->root_label;
57474 -+ }
57475 -+ return;
57476 -+}
57477 -+
57478 -+int gr_acl_handle_filldir(const struct file *file, const char *name, const unsigned int namelen, const ino_t ino)
57479 -+{
57480 -+ struct task_struct *task = current;
57481 -+ struct dentry *dentry = file->f_dentry;
57482 -+ struct vfsmount *mnt = file->f_vfsmnt;
57483 -+ struct acl_object_label *obj, *tmp;
57484 -+ struct acl_subject_label *subj;
57485 -+ unsigned int bufsize;
57486 -+ int is_not_root;
57487 -+ char *path;
57488 -+
57489 -+ if (unlikely(!(gr_status & GR_READY)))
57490 -+ return 1;
57491 -+
57492 -+ if (task->acl->mode & (GR_LEARN | GR_INHERITLEARN))
57493 -+ return 1;
57494 -+
57495 -+ /* ignore Eric Biederman */
57496 -+ if (IS_PRIVATE(dentry->d_inode))
57497 -+ return 1;
57498 -+
57499 -+ subj = task->acl;
57500 -+ do {
57501 -+ obj = lookup_acl_obj_label(ino, dentry->d_inode->i_sb->s_dev, subj);
57502 -+ if (obj != NULL)
57503 -+ return (obj->mode & GR_FIND) ? 1 : 0;
57504 -+ } while ((subj = subj->parent_subject));
57505 -+
57506 -+ obj = chk_obj_label(dentry, mnt, task->acl);
57507 -+ if (obj->globbed == NULL)
57508 -+ return (obj->mode & GR_FIND) ? 1 : 0;
57509 -+
57510 -+ is_not_root = ((obj->filename[0] == '/') &&
57511 -+ (obj->filename[1] == '\0')) ? 0 : 1;
57512 -+ bufsize = PAGE_SIZE - namelen - is_not_root;
57513 -+
57514 -+ /* check bufsize > PAGE_SIZE || bufsize == 0 */
57515 -+ if (unlikely((bufsize - 1) > (PAGE_SIZE - 1)))
57516 -+ return 1;
57517 -+
57518 -+ preempt_disable();
57519 -+ path = d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0], smp_processor_id()),
57520 -+ bufsize);
57521 -+
57522 -+ bufsize = strlen(path);
57523 -+
57524 -+ /* if base is "/", don't append an additional slash */
57525 -+ if (is_not_root)
57526 -+ *(path + bufsize) = '/';
57527 -+ memcpy(path + bufsize + is_not_root, name, namelen);
57528 -+ *(path + bufsize + namelen + is_not_root) = '\0';
57529 -+
57530 -+ tmp = obj->globbed;
57531 -+ while (tmp) {
57532 -+ if (!glob_match(tmp->filename, path)) {
57533 -+ preempt_enable();
57534 -+ return (tmp->mode & GR_FIND) ? 1 : 0;
57535 -+ }
57536 -+ tmp = tmp->next;
57537 -+ }
57538 -+ preempt_enable();
57539 -+ return (obj->mode & GR_FIND) ? 1 : 0;
57540 -+}
57541 -+
57542 -+EXPORT_SYMBOL(gr_learn_resource);
57543 -+EXPORT_SYMBOL(gr_set_kernel_label);
57544 -+#ifdef CONFIG_SECURITY
57545 -+EXPORT_SYMBOL(gr_check_user_change);
57546 -+EXPORT_SYMBOL(gr_check_group_change);
57547 -+#endif
57548 -+
57549 -diff -Nurp linux-2.6.23.15/grsecurity/gracl_alloc.c linux-2.6.23.15-grsec/grsecurity/gracl_alloc.c
57550 ---- linux-2.6.23.15/grsecurity/gracl_alloc.c 1970-01-01 01:00:00.000000000 +0100
57551 -+++ linux-2.6.23.15-grsec/grsecurity/gracl_alloc.c 2008-02-11 10:37:44.000000000 +0000
57552 -@@ -0,0 +1,91 @@
57553 -+#include <linux/kernel.h>
57554 -+#include <linux/mm.h>
57555 -+#include <linux/slab.h>
57556 -+#include <linux/vmalloc.h>
57557 -+#include <linux/gracl.h>
57558 -+#include <linux/grsecurity.h>
57559 -+
57560 -+static unsigned long alloc_stack_next = 1;
57561 -+static unsigned long alloc_stack_size = 1;
57562 -+static void **alloc_stack;
57563 -+
57564 -+static __inline__ int
57565 -+alloc_pop(void)
57566 -+{
57567 -+ if (alloc_stack_next == 1)
57568 -+ return 0;
57569 -+
57570 -+ kfree(alloc_stack[alloc_stack_next - 2]);
57571 -+
57572 -+ alloc_stack_next--;
57573 -+
57574 -+ return 1;
57575 -+}
57576 -+
57577 -+static __inline__ void
57578 -+alloc_push(void *buf)
57579 -+{
57580 -+ if (alloc_stack_next >= alloc_stack_size)
57581 -+ BUG();
57582 -+
57583 -+ alloc_stack[alloc_stack_next - 1] = buf;
57584 -+
57585 -+ alloc_stack_next++;
57586 -+
57587 -+ return;
57588 -+}
57589 -+
57590 -+void *
57591 -+acl_alloc(unsigned long len)
57592 -+{
57593 -+ void *ret;
57594 -+
57595 -+ if (len > PAGE_SIZE)
57596 -+ BUG();
57597 -+
57598 -+ ret = kmalloc(len, GFP_KERNEL);
57599 -+
57600 -+ if (ret)
57601 -+ alloc_push(ret);
57602 -+
57603 -+ return ret;
57604 -+}
57605 -+
57606 -+void
57607 -+acl_free_all(void)
57608 -+{
57609 -+ if (gr_acl_is_enabled() || !alloc_stack)
57610 -+ return;
57611 -+
57612 -+ while (alloc_pop()) ;
57613 -+
57614 -+ if (alloc_stack) {
57615 -+ if ((alloc_stack_size * sizeof (void *)) <= PAGE_SIZE)
57616 -+ kfree(alloc_stack);
57617 -+ else
57618 -+ vfree(alloc_stack);
57619 -+ }
57620 -+
57621 -+ alloc_stack = NULL;
57622 -+ alloc_stack_size = 1;
57623 -+ alloc_stack_next = 1;
57624 -+
57625 -+ return;
57626 -+}
57627 -+
57628 -+int
57629 -+acl_alloc_stack_init(unsigned long size)
57630 -+{
57631 -+ if ((size * sizeof (void *)) <= PAGE_SIZE)
57632 -+ alloc_stack =
57633 -+ (void **) kmalloc(size * sizeof (void *), GFP_KERNEL);
57634 -+ else
57635 -+ alloc_stack = (void **) vmalloc(size * sizeof (void *));
57636 -+
57637 -+ alloc_stack_size = size;
57638 -+
57639 -+ if (!alloc_stack)
57640 -+ return 0;
57641 -+ else
57642 -+ return 1;
57643 -+}
57644 -diff -Nurp linux-2.6.23.15/grsecurity/gracl_cap.c linux-2.6.23.15-grsec/grsecurity/gracl_cap.c
57645 ---- linux-2.6.23.15/grsecurity/gracl_cap.c 1970-01-01 01:00:00.000000000 +0100
57646 -+++ linux-2.6.23.15-grsec/grsecurity/gracl_cap.c 2008-02-11 10:37:44.000000000 +0000
57647 -@@ -0,0 +1,112 @@
57648 -+#include <linux/kernel.h>
57649 -+#include <linux/module.h>
57650 -+#include <linux/sched.h>
57651 -+#include <linux/capability.h>
57652 -+#include <linux/gracl.h>
57653 -+#include <linux/grsecurity.h>
57654 -+#include <linux/grinternal.h>
57655 -+
57656 -+static const char *captab_log[] = {
57657 -+ "CAP_CHOWN",
57658 -+ "CAP_DAC_OVERRIDE",
57659 -+ "CAP_DAC_READ_SEARCH",
57660 -+ "CAP_FOWNER",
57661 -+ "CAP_FSETID",
57662 -+ "CAP_KILL",
57663 -+ "CAP_SETGID",
57664 -+ "CAP_SETUID",
57665 -+ "CAP_SETPCAP",
57666 -+ "CAP_LINUX_IMMUTABLE",
57667 -+ "CAP_NET_BIND_SERVICE",
57668 -+ "CAP_NET_BROADCAST",
57669 -+ "CAP_NET_ADMIN",
57670 -+ "CAP_NET_RAW",
57671 -+ "CAP_IPC_LOCK",
57672 -+ "CAP_IPC_OWNER",
57673 -+ "CAP_SYS_MODULE",
57674 -+ "CAP_SYS_RAWIO",
57675 -+ "CAP_SYS_CHROOT",
57676 -+ "CAP_SYS_PTRACE",
57677 -+ "CAP_SYS_PACCT",
57678 -+ "CAP_SYS_ADMIN",
57679 -+ "CAP_SYS_BOOT",
57680 -+ "CAP_SYS_NICE",
57681 -+ "CAP_SYS_RESOURCE",
57682 -+ "CAP_SYS_TIME",
57683 -+ "CAP_SYS_TTY_CONFIG",
57684 -+ "CAP_MKNOD",
57685 -+ "CAP_LEASE",
57686 -+ "CAP_AUDIT_WRITE",
57687 -+ "CAP_AUDIT_CONTROL"
57688 -+};
57689 -+
57690 -+EXPORT_SYMBOL(gr_task_is_capable);
57691 -+EXPORT_SYMBOL(gr_is_capable_nolog);
57692 -+
57693 -+int
57694 -+gr_task_is_capable(struct task_struct *task, const int cap)
57695 -+{
57696 -+ struct acl_subject_label *curracl;
57697 -+ __u32 cap_drop = 0, cap_mask = 0;
57698 -+
57699 -+ if (!gr_acl_is_enabled())
57700 -+ return 1;
57701 -+
57702 -+ curracl = task->acl;
57703 -+
57704 -+ cap_drop = curracl->cap_lower;
57705 -+ cap_mask = curracl->cap_mask;
57706 -+
57707 -+ while ((curracl = curracl->parent_subject)) {
57708 -+ if (!(cap_mask & (1 << cap)) && (curracl->cap_mask & (1 << cap)))
57709 -+ cap_drop |= curracl->cap_lower & (1 << cap);
57710 -+ cap_mask |= curracl->cap_mask;
57711 -+ }
57712 -+
57713 -+ if (!cap_raised(cap_drop, cap))
57714 -+ return 1;
57715 -+
57716 -+ curracl = task->acl;
57717 -+
57718 -+ if ((curracl->mode & (GR_LEARN | GR_INHERITLEARN))
57719 -+ && cap_raised(task->cap_effective, cap)) {
57720 -+ security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename,
57721 -+ task->role->roletype, task->uid,
57722 -+ task->gid, task->exec_file ?
57723 -+ gr_to_filename(task->exec_file->f_dentry,
57724 -+ task->exec_file->f_vfsmnt) : curracl->filename,
57725 -+ curracl->filename, 0UL,
57726 -+ 0UL, "", (unsigned long) cap, NIPQUAD(task->signal->curr_ip));
57727 -+ return 1;
57728 -+ }
57729 -+
57730 -+ if ((cap >= 0) && (cap < (sizeof(captab_log)/sizeof(captab_log[0]))) && cap_raised(task->cap_effective, cap))
57731 -+ gr_log_cap(GR_DONT_AUDIT, GR_CAP_ACL_MSG, task, captab_log[cap]);
57732 -+ return 0;
57733 -+}
57734 -+
57735 -+int
57736 -+gr_is_capable_nolog(const int cap)
57737 -+{
57738 -+ struct acl_subject_label *curracl;
57739 -+ __u32 cap_drop = 0, cap_mask = 0;
57740 -+
57741 -+ if (!gr_acl_is_enabled())
57742 -+ return 1;
57743 -+
57744 -+ curracl = current->acl;
57745 -+
57746 -+ cap_drop = curracl->cap_lower;
57747 -+ cap_mask = curracl->cap_mask;
57748 -+
57749 -+ while ((curracl = curracl->parent_subject)) {
57750 -+ cap_drop |= curracl->cap_lower & (cap_mask & ~curracl->cap_mask);
57751 -+ cap_mask |= curracl->cap_mask;
57752 -+ }
57753 -+
57754 -+ if (!cap_raised(cap_drop, cap))
57755 -+ return 1;
57756 -+
57757 -+ return 0;
57758 -+}
57759 -+
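Review bot: In gr_task_is_capable the `1 << cap` shifts in the parent walk and the `cap_raised(cap_drop, cap)` test run before `cap` is range-checked; the `(cap >= 0) && (cap < sizeof(captab_log)/sizeof(captab_log[0]))` guard only protects the final captab_log lookup, so an out-of-range cap would reach an undefined shift before it is rejected. Hoisting that guard to just after the gr_acl_is_enabled() test, `if (cap < 0 || cap >= (int)(sizeof(captab_log)/sizeof(captab_log[0]))) return 0;` (fail closed), or documenting that callers only ever pass valid capability numbers, closes the gap. Separately, the parent walk in gr_is_capable_nolog inherits drops under the opposite condition to the one in gr_task_is_capable (`cap_mask & ~curracl->cap_mask`, i.e. bits already masked and not masked by the parent, versus "not yet in cap_mask and set in the parent's cap_mask"), so the two entry points can disagree on the same subject tree; one of them appears inverted and they should be brought into line, presumably to the per-cap form gr_task_is_capable uses.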
57760 -diff -Nurp linux-2.6.23.15/grsecurity/gracl_fs.c linux-2.6.23.15-grsec/grsecurity/gracl_fs.c
57761 ---- linux-2.6.23.15/grsecurity/gracl_fs.c 1970-01-01 01:00:00.000000000 +0100
57762 -+++ linux-2.6.23.15-grsec/grsecurity/gracl_fs.c 2008-02-11 10:37:44.000000000 +0000
57763 -@@ -0,0 +1,423 @@
57764 -+#include <linux/kernel.h>
57765 -+#include <linux/sched.h>
57766 -+#include <linux/types.h>
57767 -+#include <linux/fs.h>
57768 -+#include <linux/file.h>
57769 -+#include <linux/stat.h>
57770 -+#include <linux/grsecurity.h>
57771 -+#include <linux/grinternal.h>
57772 -+#include <linux/gracl.h>
57773 -+
57774 -+__u32
57775 -+gr_acl_handle_hidden_file(const struct dentry * dentry,
57776 -+ const struct vfsmount * mnt)
57777 -+{
57778 -+ __u32 mode;
57779 -+
57780 -+ if (unlikely(!dentry->d_inode))
57781 -+ return GR_FIND;
57782 -+
57783 -+ mode =
57784 -+ gr_search_file(dentry, GR_FIND | GR_AUDIT_FIND | GR_SUPPRESS, mnt);
57785 -+
57786 -+ if (unlikely(mode & GR_FIND && mode & GR_AUDIT_FIND)) {
57787 -+ gr_log_fs_rbac_generic(GR_DO_AUDIT, GR_HIDDEN_ACL_MSG, dentry, mnt);
57788 -+ return mode;
57789 -+ } else if (unlikely(!(mode & GR_FIND) && !(mode & GR_SUPPRESS))) {
57790 -+ gr_log_fs_rbac_generic(GR_DONT_AUDIT, GR_HIDDEN_ACL_MSG, dentry, mnt);
57791 -+ return 0;
57792 -+ } else if (unlikely(!(mode & GR_FIND)))
57793 -+ return 0;
57794 -+
57795 -+ return GR_FIND;
57796 -+}
57797 -+
57798 -+__u32
57799 -+gr_acl_handle_open(const struct dentry * dentry, const struct vfsmount * mnt,
57800 -+ const int fmode)
57801 -+{
57802 -+ __u32 reqmode = GR_FIND;
57803 -+ __u32 mode;
57804 -+
57805 -+ if (unlikely(!dentry->d_inode))
57806 -+ return reqmode;
57807 -+
57808 -+ if (unlikely(fmode & O_APPEND))
57809 -+ reqmode |= GR_APPEND;
57810 -+ else if (unlikely(fmode & FMODE_WRITE))
57811 -+ reqmode |= GR_WRITE;
57812 -+ if (likely((fmode & FMODE_READ) && !(fmode & O_DIRECTORY)))
57813 -+ reqmode |= GR_READ;
57814 -+
57815 -+ mode =
57816 -+ gr_search_file(dentry, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS,
57817 -+ mnt);
57818 -+
57819 -+ if (unlikely(((mode & reqmode) == reqmode) && mode & GR_AUDITS)) {
57820 -+ gr_log_fs_rbac_mode2(GR_DO_AUDIT, GR_OPEN_ACL_MSG, dentry, mnt,
57821 -+ reqmode & GR_READ ? " reading" : "",
57822 -+ reqmode & GR_WRITE ? " writing" : reqmode &
57823 -+ GR_APPEND ? " appending" : "");
57824 -+ return reqmode;
57825 -+ } else
57826 -+ if (unlikely((mode & reqmode) != reqmode && !(mode & GR_SUPPRESS)))
57827 -+ {
57828 -+ gr_log_fs_rbac_mode2(GR_DONT_AUDIT, GR_OPEN_ACL_MSG, dentry, mnt,
57829 -+ reqmode & GR_READ ? " reading" : "",
57830 -+ reqmode & GR_WRITE ? " writing" : reqmode &
57831 -+ GR_APPEND ? " appending" : "");
57832 -+ return 0;
57833 -+ } else if (unlikely((mode & reqmode) != reqmode))
57834 -+ return 0;
57835 -+
57836 -+ return reqmode;
57837 -+}
57838 -+
57839 -+__u32
57840 -+gr_acl_handle_creat(const struct dentry * dentry,
57841 -+ const struct dentry * p_dentry,
57842 -+ const struct vfsmount * p_mnt, const int fmode,
57843 -+ const int imode)
57844 -+{
57845 -+ __u32 reqmode = GR_WRITE | GR_CREATE;
57846 -+ __u32 mode;
57847 -+
57848 -+ if (unlikely(fmode & O_APPEND))
57849 -+ reqmode |= GR_APPEND;
57850 -+ if (unlikely((fmode & FMODE_READ) && !(fmode & O_DIRECTORY)))
57851 -+ reqmode |= GR_READ;
57852 -+ if (unlikely((fmode & O_CREAT) && (imode & (S_ISUID | S_ISGID))))
57853 -+ reqmode |= GR_SETID;
57854 -+
57855 -+ mode =
57856 -+ gr_check_create(dentry, p_dentry, p_mnt,
57857 -+ reqmode | to_gr_audit(reqmode) | GR_SUPPRESS);
57858 -+
57859 -+ if (unlikely(((mode & reqmode) == reqmode) && mode & GR_AUDITS)) {
57860 -+ gr_log_fs_rbac_mode2(GR_DO_AUDIT, GR_CREATE_ACL_MSG, dentry, p_mnt,
57861 -+ reqmode & GR_READ ? " reading" : "",
57862 -+ reqmode & GR_WRITE ? " writing" : reqmode &
57863 -+ GR_APPEND ? " appending" : "");
57864 -+ return reqmode;
57865 -+ } else
57866 -+ if (unlikely((mode & reqmode) != reqmode && !(mode & GR_SUPPRESS)))
57867 -+ {
57868 -+ gr_log_fs_rbac_mode2(GR_DONT_AUDIT, GR_CREATE_ACL_MSG, dentry, p_mnt,
57869 -+ reqmode & GR_READ ? " reading" : "",
57870 -+ reqmode & GR_WRITE ? " writing" : reqmode &
57871 -+ GR_APPEND ? " appending" : "");
57872 -+ return 0;
57873 -+ } else if (unlikely((mode & reqmode) != reqmode))
57874 -+ return 0;
57875 -+
57876 -+ return reqmode;
57877 -+}
57878 -+
57879 -+__u32
57880 -+gr_acl_handle_access(const struct dentry * dentry, const struct vfsmount * mnt,
57881 -+ const int fmode)
57882 -+{
57883 -+ __u32 mode, reqmode = GR_FIND;
57884 -+
57885 -+ if ((fmode & S_IXOTH) && !S_ISDIR(dentry->d_inode->i_mode))
57886 -+ reqmode |= GR_EXEC;
57887 -+ if (fmode & S_IWOTH)
57888 -+ reqmode |= GR_WRITE;
57889 -+ if (fmode & S_IROTH)
57890 -+ reqmode |= GR_READ;
57891 -+
57892 -+ mode =
57893 -+ gr_search_file(dentry, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS,
57894 -+ mnt);
57895 -+
57896 -+ if (unlikely(((mode & reqmode) == reqmode) && mode & GR_AUDITS)) {
57897 -+ gr_log_fs_rbac_mode3(GR_DO_AUDIT, GR_ACCESS_ACL_MSG, dentry, mnt,
57898 -+ reqmode & GR_READ ? " reading" : "",
57899 -+ reqmode & GR_WRITE ? " writing" : "",
57900 -+ reqmode & GR_EXEC ? " executing" : "");
57901 -+ return reqmode;
57902 -+ } else
57903 -+ if (unlikely((mode & reqmode) != reqmode && !(mode & GR_SUPPRESS)))
57904 -+ {
57905 -+ gr_log_fs_rbac_mode3(GR_DONT_AUDIT, GR_ACCESS_ACL_MSG, dentry, mnt,
57906 -+ reqmode & GR_READ ? " reading" : "",
57907 -+ reqmode & GR_WRITE ? " writing" : "",
57908 -+ reqmode & GR_EXEC ? " executing" : "");
57909 -+ return 0;
57910 -+ } else if (unlikely((mode & reqmode) != reqmode))
57911 -+ return 0;
57912 -+
57913 -+ return reqmode;
57914 -+}
57915 -+
57916 -+static __u32 generic_fs_handler(const struct dentry *dentry, const struct vfsmount *mnt, __u32 reqmode, const char *fmt)
57917 -+{
57918 -+ __u32 mode;
57919 -+
57920 -+ mode = gr_search_file(dentry, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS, mnt);
57921 -+
57922 -+ if (unlikely(((mode & (reqmode)) == (reqmode)) && mode & GR_AUDITS)) {
57923 -+ gr_log_fs_rbac_generic(GR_DO_AUDIT, fmt, dentry, mnt);
57924 -+ return mode;
57925 -+ } else if (unlikely((mode & (reqmode)) != (reqmode) && !(mode & GR_SUPPRESS))) {
57926 -+ gr_log_fs_rbac_generic(GR_DONT_AUDIT, fmt, dentry, mnt);
57927 -+ return 0;
57928 -+ } else if (unlikely((mode & (reqmode)) != (reqmode)))
57929 -+ return 0;
57930 -+
57931 -+ return (reqmode);
57932 -+}
57933 -+
57934 -+__u32
57935 -+gr_acl_handle_rmdir(const struct dentry * dentry, const struct vfsmount * mnt)
57936 -+{
57937 -+ return generic_fs_handler(dentry, mnt, GR_WRITE | GR_DELETE , GR_RMDIR_ACL_MSG);
57938 -+}
57939 -+
57940 -+__u32
57941 -+gr_acl_handle_unlink(const struct dentry *dentry, const struct vfsmount *mnt)
57942 -+{
57943 -+ return generic_fs_handler(dentry, mnt, GR_WRITE | GR_DELETE , GR_UNLINK_ACL_MSG);
57944 -+}
57945 -+
57946 -+__u32
57947 -+gr_acl_handle_truncate(const struct dentry *dentry, const struct vfsmount *mnt)
57948 -+{
57949 -+ return generic_fs_handler(dentry, mnt, GR_WRITE, GR_TRUNCATE_ACL_MSG);
57950 -+}
57951 -+
57952 -+__u32
57953 -+gr_acl_handle_utime(const struct dentry *dentry, const struct vfsmount *mnt)
57954 -+{
57955 -+ return generic_fs_handler(dentry, mnt, GR_WRITE, GR_ATIME_ACL_MSG);
57956 -+}
57957 -+
57958 -+__u32
57959 -+gr_acl_handle_fchmod(const struct dentry *dentry, const struct vfsmount *mnt,
57960 -+ mode_t mode)
57961 -+{
57962 -+ if (unlikely(dentry->d_inode && S_ISSOCK(dentry->d_inode->i_mode)))
57963 -+ return 1;
57964 -+
57965 -+ if (unlikely((mode != (mode_t)-1) && (mode & (S_ISUID | S_ISGID)))) {
57966 -+ return generic_fs_handler(dentry, mnt, GR_WRITE | GR_SETID,
57967 -+ GR_FCHMOD_ACL_MSG);
57968 -+ } else {
57969 -+ return generic_fs_handler(dentry, mnt, GR_WRITE, GR_FCHMOD_ACL_MSG);
57970 -+ }
57971 -+}
57972 -+
57973 -+__u32
57974 -+gr_acl_handle_chmod(const struct dentry *dentry, const struct vfsmount *mnt,
57975 -+ mode_t mode)
57976 -+{
57977 -+ if (unlikely((mode != (mode_t)-1) && (mode & (S_ISUID | S_ISGID)))) {
57978 -+ return generic_fs_handler(dentry, mnt, GR_WRITE | GR_SETID,
57979 -+ GR_CHMOD_ACL_MSG);
57980 -+ } else {
57981 -+ return generic_fs_handler(dentry, mnt, GR_WRITE, GR_CHMOD_ACL_MSG);
57982 -+ }
57983 -+}
57984 -+
57985 -+__u32
57986 -+gr_acl_handle_chown(const struct dentry *dentry, const struct vfsmount *mnt)
57987 -+{
57988 -+ return generic_fs_handler(dentry, mnt, GR_WRITE, GR_CHOWN_ACL_MSG);
57989 -+}
57990 -+
57991 -+__u32
57992 -+gr_acl_handle_execve(const struct dentry *dentry, const struct vfsmount *mnt)
57993 -+{
57994 -+ return generic_fs_handler(dentry, mnt, GR_EXEC, GR_EXEC_ACL_MSG);
57995 -+}
57996 -+
57997 -+__u32
57998 -+gr_acl_handle_unix(const struct dentry *dentry, const struct vfsmount *mnt)
57999 -+{
58000 -+ return generic_fs_handler(dentry, mnt, GR_READ | GR_WRITE,
58001 -+ GR_UNIXCONNECT_ACL_MSG);
58002 -+}
58003 -+
58004 -+/* hardlinks require at minimum create permission,
58005 -+ any additional privilege required is based on the
58006 -+ privilege of the file being linked to
58007 -+*/
58008 -+__u32
58009 -+gr_acl_handle_link(const struct dentry * new_dentry,
58010 -+ const struct dentry * parent_dentry,
58011 -+ const struct vfsmount * parent_mnt,
58012 -+ const struct dentry * old_dentry,
58013 -+ const struct vfsmount * old_mnt, const char *to)
58014 -+{
58015 -+ __u32 mode;
58016 -+ __u32 needmode = GR_CREATE | GR_LINK;
58017 -+ __u32 needaudit = GR_AUDIT_CREATE | GR_AUDIT_LINK;
58018 -+
58019 -+ mode =
58020 -+ gr_check_link(new_dentry, parent_dentry, parent_mnt, old_dentry,
58021 -+ old_mnt);
58022 -+
58023 -+ if (unlikely(((mode & needmode) == needmode) && (mode & needaudit))) {
58024 -+ gr_log_fs_rbac_str(GR_DO_AUDIT, GR_LINK_ACL_MSG, old_dentry, old_mnt, to);
58025 -+ return mode;
58026 -+ } else if (unlikely(((mode & needmode) != needmode) && !(mode & GR_SUPPRESS))) {
58027 -+ gr_log_fs_rbac_str(GR_DONT_AUDIT, GR_LINK_ACL_MSG, old_dentry, old_mnt, to);
58028 -+ return 0;
58029 -+ } else if (unlikely((mode & needmode) != needmode))
58030 -+ return 0;
58031 -+
58032 -+ return 1;
58033 -+}
58034 -+
58035 -+__u32
58036 -+gr_acl_handle_symlink(const struct dentry * new_dentry,
58037 -+ const struct dentry * parent_dentry,
58038 -+ const struct vfsmount * parent_mnt, const char *from)
58039 -+{
58040 -+ __u32 needmode = GR_WRITE | GR_CREATE;
58041 -+ __u32 mode;
58042 -+
58043 -+ mode =
58044 -+ gr_check_create(new_dentry, parent_dentry, parent_mnt,
58045 -+ GR_CREATE | GR_AUDIT_CREATE |
58046 -+ GR_WRITE | GR_AUDIT_WRITE | GR_SUPPRESS);
58047 -+
58048 -+ if (unlikely(mode & GR_WRITE && mode & GR_AUDITS)) {
58049 -+ gr_log_fs_str_rbac(GR_DO_AUDIT, GR_SYMLINK_ACL_MSG, from, new_dentry, parent_mnt);
58050 -+ return mode;
58051 -+ } else if (unlikely(((mode & needmode) != needmode) && !(mode & GR_SUPPRESS))) {
58052 -+ gr_log_fs_str_rbac(GR_DONT_AUDIT, GR_SYMLINK_ACL_MSG, from, new_dentry, parent_mnt);
58053 -+ return 0;
58054 -+ } else if (unlikely((mode & needmode) != needmode))
58055 -+ return 0;
58056 -+
58057 -+ return (GR_WRITE | GR_CREATE);
58058 -+}
58059 -+
58060 -+static __u32 generic_fs_create_handler(const struct dentry *new_dentry, const struct dentry *parent_dentry, const struct vfsmount *parent_mnt, __u32 reqmode, const char *fmt)
58061 -+{
58062 -+ __u32 mode;
58063 -+
58064 -+ mode = gr_check_create(new_dentry, parent_dentry, parent_mnt, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS);
58065 -+
58066 -+ if (unlikely(((mode & (reqmode)) == (reqmode)) && mode & GR_AUDITS)) {
58067 -+ gr_log_fs_rbac_generic(GR_DO_AUDIT, fmt, new_dentry, parent_mnt);
58068 -+ return mode;
58069 -+ } else if (unlikely((mode & (reqmode)) != (reqmode) && !(mode & GR_SUPPRESS))) {
58070 -+ gr_log_fs_rbac_generic(GR_DONT_AUDIT, fmt, new_dentry, parent_mnt);
58071 -+ return 0;
58072 -+ } else if (unlikely((mode & (reqmode)) != (reqmode)))
58073 -+ return 0;
58074 -+
58075 -+ return (reqmode);
58076 -+}
58077 -+
58078 -+__u32
58079 -+gr_acl_handle_mknod(const struct dentry * new_dentry,
58080 -+ const struct dentry * parent_dentry,
58081 -+ const struct vfsmount * parent_mnt,
58082 -+ const int mode)
58083 -+{
58084 -+ __u32 reqmode = GR_WRITE | GR_CREATE;
58085 -+ if (unlikely(mode & (S_ISUID | S_ISGID)))
58086 -+ reqmode |= GR_SETID;
58087 -+
58088 -+ return generic_fs_create_handler(new_dentry, parent_dentry, parent_mnt,
58089 -+ reqmode, GR_MKNOD_ACL_MSG);
58090 -+}
58091 -+
58092 -+__u32
58093 -+gr_acl_handle_mkdir(const struct dentry *new_dentry,
58094 -+ const struct dentry *parent_dentry,
58095 -+ const struct vfsmount *parent_mnt)
58096 -+{
58097 -+ return generic_fs_create_handler(new_dentry, parent_dentry, parent_mnt,
58098 -+ GR_WRITE | GR_CREATE, GR_MKDIR_ACL_MSG);
58099 -+}
58100 -+
58101 -+#define RENAME_CHECK_SUCCESS(old, new) \
58102 -+ (((old & (GR_WRITE | GR_READ)) == (GR_WRITE | GR_READ)) && \
58103 -+ ((new & (GR_WRITE | GR_READ)) == (GR_WRITE | GR_READ)))
58104 -+
58105 -+int
58106 -+gr_acl_handle_rename(struct dentry *new_dentry,
58107 -+ struct dentry *parent_dentry,
58108 -+ const struct vfsmount *parent_mnt,
58109 -+ struct dentry *old_dentry,
58110 -+ struct inode *old_parent_inode,
58111 -+ struct vfsmount *old_mnt, const char *newname)
58112 -+{
58113 -+ __u32 comp1, comp2;
58114 -+ int error = 0;
58115 -+
58116 -+ if (unlikely(!gr_acl_is_enabled()))
58117 -+ return 0;
58118 -+
58119 -+ if (!new_dentry->d_inode) {
58120 -+ comp1 = gr_check_create(new_dentry, parent_dentry, parent_mnt,
58121 -+ GR_READ | GR_WRITE | GR_CREATE | GR_AUDIT_READ |
58122 -+ GR_AUDIT_WRITE | GR_AUDIT_CREATE | GR_SUPPRESS);
58123 -+ comp2 = gr_search_file(old_dentry, GR_READ | GR_WRITE |
58124 -+ GR_DELETE | GR_AUDIT_DELETE |
58125 -+ GR_AUDIT_READ | GR_AUDIT_WRITE |
58126 -+ GR_SUPPRESS, old_mnt);
58127 -+ } else {
58128 -+ comp1 = gr_search_file(new_dentry, GR_READ | GR_WRITE |
58129 -+ GR_CREATE | GR_DELETE |
58130 -+ GR_AUDIT_CREATE | GR_AUDIT_DELETE |
58131 -+ GR_AUDIT_READ | GR_AUDIT_WRITE |
58132 -+ GR_SUPPRESS, parent_mnt);
58133 -+ comp2 =
58134 -+ gr_search_file(old_dentry,
58135 -+ GR_READ | GR_WRITE | GR_AUDIT_READ |
58136 -+ GR_DELETE | GR_AUDIT_DELETE |
58137 -+ GR_AUDIT_WRITE | GR_SUPPRESS, old_mnt);
58138 -+ }
58139 -+
58140 -+ if (RENAME_CHECK_SUCCESS(comp1, comp2) &&
58141 -+ ((comp1 & GR_AUDITS) || (comp2 & GR_AUDITS)))
58142 -+ gr_log_fs_rbac_str(GR_DO_AUDIT, GR_RENAME_ACL_MSG, old_dentry, old_mnt, newname);
58143 -+ else if (!RENAME_CHECK_SUCCESS(comp1, comp2) && !(comp1 & GR_SUPPRESS)
58144 -+ && !(comp2 & GR_SUPPRESS)) {
58145 -+ gr_log_fs_rbac_str(GR_DONT_AUDIT, GR_RENAME_ACL_MSG, old_dentry, old_mnt, newname);
58146 -+ error = -EACCES;
58147 -+ } else if (unlikely(!RENAME_CHECK_SUCCESS(comp1, comp2)))
58148 -+ error = -EACCES;
58149 -+
58150 -+ return error;
58151 -+}
58152 -+
58153 -+void
58154 -+gr_acl_handle_exit(void)
58155 -+{
58156 -+ u16 id;
58157 -+ char *rolename;
58158 -+ struct file *exec_file;
58159 -+
58160 -+ if (unlikely(current->acl_sp_role && gr_acl_is_enabled())) {
58161 -+ id = current->acl_role_id;
58162 -+ rolename = current->role->rolename;
58163 -+ gr_set_acls(1);
58164 -+ gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_SPROLEL_ACL_MSG, rolename, id);
58165 -+ }
58166 -+
58167 -+ write_lock(&grsec_exec_file_lock);
58168 -+ exec_file = current->exec_file;
58169 -+ current->exec_file = NULL;
58170 -+ write_unlock(&grsec_exec_file_lock);
58171 -+
58172 -+ if (exec_file)
58173 -+ fput(exec_file);
58174 -+}
58175 -+
58176 -+int
58177 -+gr_acl_handle_procpidmem(const struct task_struct *task)
58178 -+{
58179 -+ if (unlikely(!gr_acl_is_enabled()))
58180 -+ return 0;
58181 -+
58182 -+ if (task->acl->mode & GR_PROTPROCFD)
58183 -+ return -EACCES;
58184 -+
58185 -+ return 0;
58186 -+}
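Review bot: gr_acl_handle_access dereferences `dentry->d_inode->i_mode` in its S_ISDIR test without the `!dentry->d_inode` guard that gr_acl_handle_hidden_file and gr_acl_handle_open apply first, so a negative dentry reaching it would be a NULL dereference. Unless every caller guarantees a positive dentry (not visible from the hunk), add `if (unlikely(!dentry->d_inode)) return reqmode;` ahead of the mode tests, matching the sibling handlers. As a point of style, RENAME_CHECK_SUCCESS uses its `old`/`new` parameters unparenthesised; it is only invoked with plain identifiers here, but `((old) & (GR_WRITE | GR_READ))` would keep it safe for expression arguments.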
58187 -diff -Nurp linux-2.6.23.15/grsecurity/gracl_ip.c linux-2.6.23.15-grsec/grsecurity/gracl_ip.c
58188 ---- linux-2.6.23.15/grsecurity/gracl_ip.c 1970-01-01 01:00:00.000000000 +0100
58189 -+++ linux-2.6.23.15-grsec/grsecurity/gracl_ip.c 2008-02-11 10:37:44.000000000 +0000
58190 -@@ -0,0 +1,313 @@
58191 -+#include <linux/kernel.h>
58192 -+#include <asm/uaccess.h>
58193 -+#include <asm/errno.h>
58194 -+#include <net/sock.h>
58195 -+#include <linux/file.h>
58196 -+#include <linux/fs.h>
58197 -+#include <linux/net.h>
58198 -+#include <linux/in.h>
58199 -+#include <linux/skbuff.h>
58200 -+#include <linux/ip.h>
58201 -+#include <linux/udp.h>
58202 -+#include <linux/smp_lock.h>
58203 -+#include <linux/types.h>
58204 -+#include <linux/sched.h>
58205 -+#include <linux/netdevice.h>
58206 -+#include <linux/inetdevice.h>
58207 -+#include <linux/gracl.h>
58208 -+#include <linux/grsecurity.h>
58209 -+#include <linux/grinternal.h>
58210 -+
58211 -+#define GR_BIND 0x01
58212 -+#define GR_CONNECT 0x02
58213 -+#define GR_INVERT 0x04
58214 -+
58215 -+static const char * gr_protocols[256] = {
58216 -+ "ip", "icmp", "igmp", "ggp", "ipencap", "st", "tcp", "cbt",
58217 -+ "egp", "igp", "bbn-rcc", "nvp", "pup", "argus", "emcon", "xnet",
58218 -+ "chaos", "udp", "mux", "dcn", "hmp", "prm", "xns-idp", "trunk-1",
58219 -+ "trunk-2", "leaf-1", "leaf-2", "rdp", "irtp", "iso-tp4", "netblt", "mfe-nsp",
58220 -+ "merit-inp", "sep", "3pc", "idpr", "xtp", "ddp", "idpr-cmtp", "tp++",
58221 -+ "il", "ipv6", "sdrp", "ipv6-route", "ipv6-frag", "idrp", "rsvp", "gre",
58222 -+ "mhrp", "bna", "ipv6-crypt", "ipv6-auth", "i-nlsp", "swipe", "narp", "mobile",
58223 -+ "tlsp", "skip", "ipv6-icmp", "ipv6-nonxt", "ipv6-opts", "unknown:61", "cftp", "unknown:63",
58224 -+ "sat-expak", "kryptolan", "rvd", "ippc", "unknown:68", "sat-mon", "visa", "ipcv",
58225 -+ "cpnx", "cphb", "wsn", "pvp", "br-sat-mon", "sun-nd", "wb-mon", "wb-expak",
58226 -+ "iso-ip", "vmtp", "secure-vmtp", "vines", "ttp", "nfsnet-igp", "dgp", "tcf",
58227 -+ "eigrp", "ospf", "sprite-rpc", "larp", "mtp", "ax.25", "ipip", "micp",
58228 -+ "scc-sp", "etherip", "encap", "unknown:99", "gmtp", "ifmp", "pnni", "pim",
58229 -+ "aris", "scps", "qnx", "a/n", "ipcomp", "snp", "compaq-peer", "ipx-in-ip",
58230 -+ "vrrp", "pgm", "unknown:114", "l2tp", "ddx", "iatp", "stp", "srp",
58231 -+ "uti", "smp", "sm", "ptp", "isis", "fire", "crtp", "crdup",
58232 -+ "sscopmce", "iplt", "sps", "pipe", "sctp", "fc", "unkown:134", "unknown:135",
58233 -+ "unknown:136", "unknown:137", "unknown:138", "unknown:139", "unknown:140", "unknown:141", "unknown:142", "unknown:143",
58234 -+ "unknown:144", "unknown:145", "unknown:146", "unknown:147", "unknown:148", "unknown:149", "unknown:150", "unknown:151",
58235 -+ "unknown:152", "unknown:153", "unknown:154", "unknown:155", "unknown:156", "unknown:157", "unknown:158", "unknown:159",
58236 -+ "unknown:160", "unknown:161", "unknown:162", "unknown:163", "unknown:164", "unknown:165", "unknown:166", "unknown:167",
58237 -+ "unknown:168", "unknown:169", "unknown:170", "unknown:171", "unknown:172", "unknown:173", "unknown:174", "unknown:175",
58238 -+ "unknown:176", "unknown:177", "unknown:178", "unknown:179", "unknown:180", "unknown:181", "unknown:182", "unknown:183",
58239 -+ "unknown:184", "unknown:185", "unknown:186", "unknown:187", "unknown:188", "unknown:189", "unknown:190", "unknown:191",
58240 -+ "unknown:192", "unknown:193", "unknown:194", "unknown:195", "unknown:196", "unknown:197", "unknown:198", "unknown:199",
58241 -+ "unknown:200", "unknown:201", "unknown:202", "unknown:203", "unknown:204", "unknown:205", "unknown:206", "unknown:207",
58242 -+ "unknown:208", "unknown:209", "unknown:210", "unknown:211", "unknown:212", "unknown:213", "unknown:214", "unknown:215",
58243 -+ "unknown:216", "unknown:217", "unknown:218", "unknown:219", "unknown:220", "unknown:221", "unknown:222", "unknown:223",
58244 -+ "unknown:224", "unknown:225", "unknown:226", "unknown:227", "unknown:228", "unknown:229", "unknown:230", "unknown:231",
58245 -+ "unknown:232", "unknown:233", "unknown:234", "unknown:235", "unknown:236", "unknown:237", "unknown:238", "unknown:239",
58246 -+ "unknown:240", "unknown:241", "unknown:242", "unknown:243", "unknown:244", "unknown:245", "unknown:246", "unknown:247",
58247 -+ "unknown:248", "unknown:249", "unknown:250", "unknown:251", "unknown:252", "unknown:253", "unknown:254", "unknown:255",
58248 -+ };
58249 -+
58250 -+static const char * gr_socktypes[11] = {
58251 -+ "unknown:0", "stream", "dgram", "raw", "rdm", "seqpacket", "unknown:6",
58252 -+ "unknown:7", "unknown:8", "unknown:9", "packet"
58253 -+ };
58254 -+
58255 -+const char *
58256 -+gr_proto_to_name(unsigned char proto)
58257 -+{
58258 -+ return gr_protocols[proto];
58259 -+}
58260 -+
58261 -+const char *
58262 -+gr_socktype_to_name(unsigned char type)
58263 -+{
58264 -+ return gr_socktypes[type];
58265 -+}
58266 -+
58267 -+int
58268 -+gr_search_socket(const int domain, const int type, const int protocol)
58269 -+{
58270 -+ struct acl_subject_label *curr;
58271 -+
58272 -+ if (unlikely(!gr_acl_is_enabled()))
58273 -+ goto exit;
58274 -+
58275 -+ if ((domain < 0) || (type < 0) || (protocol < 0) || (domain != PF_INET)
58276 -+ || (domain >= NPROTO) || (type >= SOCK_MAX) || (protocol > 255))
58277 -+ goto exit; // let the kernel handle it
58278 -+
58279 -+ curr = current->acl;
58280 -+
58281 -+ if (!curr->ips)
58282 -+ goto exit;
58283 -+
58284 -+ if ((curr->ip_type & (1 << type)) &&
58285 -+ (curr->ip_proto[protocol / 32] & (1 << (protocol % 32))))
58286 -+ goto exit;
58287 -+
58288 -+ if (curr->mode & (GR_LEARN | GR_INHERITLEARN)) {
58289 -+ /* we don't place acls on raw sockets , and sometimes
58290 -+ dgram/ip sockets are opened for ioctl and not
58291 -+ bind/connect, so we'll fake a bind learn log */
58292 -+ if (type == SOCK_RAW || type == SOCK_PACKET) {
58293 -+ __u32 fakeip = 0;
58294 -+ security_learn(GR_IP_LEARN_MSG, current->role->rolename,
58295 -+ current->role->roletype, current->uid,
58296 -+ current->gid, current->exec_file ?
58297 -+ gr_to_filename(current->exec_file->f_dentry,
58298 -+ current->exec_file->f_vfsmnt) :
58299 -+ curr->filename, curr->filename,
58300 -+ NIPQUAD(fakeip), 0, type,
58301 -+ protocol, GR_CONNECT,
58302 -+NIPQUAD(current->signal->curr_ip));
58303 -+ } else if ((type == SOCK_DGRAM) && (protocol == IPPROTO_IP)) {
58304 -+ __u32 fakeip = 0;
58305 -+ security_learn(GR_IP_LEARN_MSG, current->role->rolename,
58306 -+ current->role->roletype, current->uid,
58307 -+ current->gid, current->exec_file ?
58308 -+ gr_to_filename(current->exec_file->f_dentry,
58309 -+ current->exec_file->f_vfsmnt) :
58310 -+ curr->filename, curr->filename,
58311 -+ NIPQUAD(fakeip), 0, type,
58312 -+ protocol, GR_BIND, NIPQUAD(current->signal->curr_ip));
58313 -+ }
58314 -+ /* we'll log when they use connect or bind */
58315 -+ goto exit;
58316 -+ }
58317 -+
58318 -+ gr_log_str3(GR_DONT_AUDIT, GR_SOCK_MSG, "inet",
58319 -+ gr_socktype_to_name(type), gr_proto_to_name(protocol));
58320 -+
58321 -+ return 0;
58322 -+ exit:
58323 -+ return 1;
58324 -+}
58325 -+
58326 -+int check_ip_policy(struct acl_ip_label *ip, __u32 ip_addr, __u16 ip_port, __u8 protocol, const int mode, const int type, __u32 our_addr, __u32 our_netmask)
58327 -+{
58328 -+ if ((ip->mode & mode) &&
58329 -+ (ip_port >= ip->low) &&
58330 -+ (ip_port <= ip->high) &&
58331 -+ ((ntohl(ip_addr) & our_netmask) ==
58332 -+ (ntohl(our_addr) & our_netmask))
58333 -+ && (ip->proto[protocol / 32] & (1 << (protocol % 32)))
58334 -+ && (ip->type & (1 << type))) {
58335 -+ if (ip->mode & GR_INVERT)
58336 -+ return 2; // specifically denied
58337 -+ else
58338 -+ return 1; // allowed
58339 -+ }
58340 -+
58341 -+ return 0; // not specifically allowed, may continue parsing
58342 -+}
58343 -+
58344 -+static int
58345 -+gr_search_connectbind(const int mode, const struct sock *sk,
58346 -+ const struct sockaddr_in *addr, const int type)
58347 -+{
58348 -+ char iface[IFNAMSIZ] = {0};
58349 -+ struct acl_subject_label *curr;
58350 -+ struct acl_ip_label *ip;
58351 -+ struct net_device *dev;
58352 -+ struct in_device *idev;
58353 -+ unsigned long i;
58354 -+ int ret;
58355 -+ __u32 ip_addr = 0;
58356 -+ __u32 our_addr;
58357 -+ __u32 our_netmask;
58358 -+ char *p;
58359 -+ __u16 ip_port = 0;
58360 -+
58361 -+ if (unlikely(!gr_acl_is_enabled() || sk->sk_family != PF_INET))
58362 -+ return 1;
58363 -+
58364 -+ curr = current->acl;
58365 -+
58366 -+ if (!curr->ips)
58367 -+ return 1;
58368 -+
58369 -+ ip_addr = addr->sin_addr.s_addr;
58370 -+ ip_port = ntohs(addr->sin_port);
58371 -+
58372 -+ if (curr->mode & (GR_LEARN | GR_INHERITLEARN)) {
58373 -+ security_learn(GR_IP_LEARN_MSG, current->role->rolename,
58374 -+ current->role->roletype, current->uid,
58375 -+ current->gid, current->exec_file ?
58376 -+ gr_to_filename(current->exec_file->f_dentry,
58377 -+ current->exec_file->f_vfsmnt) :
58378 -+ curr->filename, curr->filename,
58379 -+ NIPQUAD(ip_addr), ip_port, type,
58380 -+ sk->sk_protocol, mode, NIPQUAD(current->signal->curr_ip));
58381 -+ return 1;
58382 -+ }
58383 -+
58384 -+ for (i = 0; i < curr->ip_num; i++) {
58385 -+ ip = *(curr->ips + i);
58386 -+ if (ip->iface != NULL) {
58387 -+ strncpy(iface, ip->iface, IFNAMSIZ - 1);
58388 -+ p = strchr(iface, ':');
58389 -+ if (p != NULL)
58390 -+ *p = '\0';
58391 -+ dev = dev_get_by_name(iface);
58392 -+ if (dev == NULL)
58393 -+ continue;
58394 -+ idev = in_dev_get(dev);
58395 -+ if (idev == NULL) {
58396 -+ dev_put(dev);
58397 -+ continue;
58398 -+ }
58399 -+ rcu_read_lock();
58400 -+ for_ifa(idev) {
58401 -+ if (!strcmp(ip->iface, ifa->ifa_label)) {
58402 -+ our_addr = ifa->ifa_address;
58403 -+ our_netmask = 0xffffffff;
58404 -+ ret = check_ip_policy(ip, ip_addr, ip_port, sk->sk_protocol, mode, type, our_addr, our_netmask);
58405 -+ if (ret == 1) {
58406 -+ rcu_read_unlock();
58407 -+ in_dev_put(idev);
58408 -+ dev_put(dev);
58409 -+ return 1;
58410 -+ } else if (ret == 2) {
58411 -+ rcu_read_unlock();
58412 -+ in_dev_put(idev);
58413 -+ dev_put(dev);
58414 -+ goto denied;
58415 -+ }
58416 -+ }
58417 -+ } endfor_ifa(idev);
58418 -+ rcu_read_unlock();
58419 -+ in_dev_put(idev);
58420 -+ dev_put(dev);
58421 -+ } else {
58422 -+ our_addr = ip->addr;
58423 -+ our_netmask = ip->netmask;
58424 -+ ret = check_ip_policy(ip, ip_addr, ip_port, sk->sk_protocol, mode, type, our_addr, our_netmask);
58425 -+ if (ret == 1)
58426 -+ return 1;
58427 -+ else if (ret == 2)
58428 -+ goto denied;
58429 -+ }
58430 -+ }
58431 -+
58432 -+denied:
58433 -+ if (mode == GR_BIND)
58434 -+ gr_log_int5_str2(GR_DONT_AUDIT, GR_BIND_ACL_MSG, NIPQUAD(ip_addr), ip_port, gr_socktype_to_name(type), gr_proto_to_name(sk->sk_protocol));
58435 -+ else if (mode == GR_CONNECT)
58436 -+ gr_log_int5_str2(GR_DONT_AUDIT, GR_CONNECT_ACL_MSG, NIPQUAD(ip_addr), ip_port, gr_socktype_to_name(type), gr_proto_to_name(sk->sk_protocol));
58437 -+
58438 -+ return 0;
58439 -+}
58440 -+
58441 -+int
58442 -+gr_search_connect(const struct socket *sock, const struct sockaddr_in *addr)
58443 -+{
58444 -+ return gr_search_connectbind(GR_CONNECT, sock->sk, addr, sock->type);
58445 -+}
58446 -+
58447 -+int
58448 -+gr_search_bind(const struct socket *sock, const struct sockaddr_in *addr)
58449 -+{
58450 -+ return gr_search_connectbind(GR_BIND, sock->sk, addr, sock->type);
58451 -+}
58452 -+
58453 -+int gr_search_listen(const struct socket *sock)
58454 -+{
58455 -+ struct sock *sk = sock->sk;
58456 -+ struct sockaddr_in addr;
58457 -+
58458 -+ addr.sin_addr.s_addr = inet_sk(sk)->saddr;
58459 -+ addr.sin_port = inet_sk(sk)->sport;
58460 -+
58461 -+ return gr_search_connectbind(GR_BIND, sock->sk, &addr, sock->type);
58462 -+}
58463 -+
58464 -+int gr_search_accept(const struct socket *sock)
58465 -+{
58466 -+ struct sock *sk = sock->sk;
58467 -+ struct sockaddr_in addr;
58468 -+
58469 -+ addr.sin_addr.s_addr = inet_sk(sk)->saddr;
58470 -+ addr.sin_port = inet_sk(sk)->sport;
58471 -+
58472 -+ return gr_search_connectbind(GR_BIND, sock->sk, &addr, sock->type);
58473 -+}
58474 -+
58475 -+int
58476 -+gr_search_udp_sendmsg(const struct sock *sk, const struct sockaddr_in *addr)
58477 -+{
58478 -+ if (addr)
58479 -+ return gr_search_connectbind(GR_CONNECT, sk, addr, SOCK_DGRAM);
58480 -+ else {
58481 -+ struct sockaddr_in sin;
58482 -+ const struct inet_sock *inet = inet_sk(sk);
58483 -+
58484 -+ sin.sin_addr.s_addr = inet->daddr;
58485 -+ sin.sin_port = inet->dport;
58486 -+
58487 -+ return gr_search_connectbind(GR_CONNECT, sk, &sin, SOCK_DGRAM);
58488 -+ }
58489 -+}
58490 -+
58491 -+int
58492 -+gr_search_udp_recvmsg(const struct sock *sk, const struct sk_buff *skb)
58493 -+{
58494 -+ struct sockaddr_in sin;
58495 -+
58496 -+ if (unlikely(skb->len < sizeof (struct udphdr)))
58497 -+ return 1; // skip this packet
58498 -+
58499 -+ sin.sin_addr.s_addr = ip_hdr(skb)->saddr;
58500 -+ sin.sin_port = udp_hdr(skb)->source;
58501 -+
58502 -+ return gr_search_connectbind(GR_CONNECT, sk, &sin, SOCK_DGRAM);
58503 -+}
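Review bot: gr_socktype_to_name indexes the 11-entry gr_socktypes table with an unchecked unsigned char, and gr_search_connectbind calls it on the denied path with `sock->type` taken straight from the socket; gr_search_socket bounds-checks `type < SOCK_MAX` before its own call, but the connect/bind/listen/accept paths do not. Even if the core socket layer only ever produces types below SOCK_MAX (not visible here), a guard in the accessor, `return type < ARRAY_SIZE(gr_socktypes) ? gr_socktypes[type] : "unknown";`, keeps a bad type from becoming an out-of-bounds read inside a log call; gr_proto_to_name is safe as written since its table has 256 entries. Entry 134 of gr_protocols is also spelt `"unkown:134"`, which will appear verbatim in audit lines and defeat matching on the "unknown:" prefix.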
58504 -diff -Nurp linux-2.6.23.15/grsecurity/gracl_learn.c linux-2.6.23.15-grsec/grsecurity/gracl_learn.c
58505 ---- linux-2.6.23.15/grsecurity/gracl_learn.c 1970-01-01 01:00:00.000000000 +0100
58506 -+++ linux-2.6.23.15-grsec/grsecurity/gracl_learn.c 2008-02-11 10:37:44.000000000 +0000
58507 -@@ -0,0 +1,211 @@
58508 -+#include <linux/kernel.h>
58509 -+#include <linux/mm.h>
58510 -+#include <linux/sched.h>
58511 -+#include <linux/poll.h>
58512 -+#include <linux/smp_lock.h>
58513 -+#include <linux/string.h>
58514 -+#include <linux/file.h>
58515 -+#include <linux/types.h>
58516 -+#include <linux/vmalloc.h>
58517 -+#include <linux/grinternal.h>
58518 -+
58519 -+extern ssize_t write_grsec_handler(struct file * file, const char __user * buf,
58520 -+ size_t count, loff_t *ppos);
58521 -+extern int gr_acl_is_enabled(void);
58522 -+
58523 -+static DECLARE_WAIT_QUEUE_HEAD(learn_wait);
58524 -+static int gr_learn_attached;
58525 -+
58526 -+/* use a 512k buffer */
58527 -+#define LEARN_BUFFER_SIZE (512 * 1024)
58528 -+
58529 -+static spinlock_t gr_learn_lock = SPIN_LOCK_UNLOCKED;
58530 -+static DECLARE_MUTEX(gr_learn_user_sem);
58531 -+
58532 -+/* we need to maintain two buffers, so that the kernel context of grlearn
58533 -+ uses a semaphore around the userspace copying, and the other kernel contexts
58534 -+ use a spinlock when copying into the buffer, since they cannot sleep
58535 -+*/
58536 -+static char *learn_buffer;
58537 -+static char *learn_buffer_user;
58538 -+static int learn_buffer_len;
58539 -+static int learn_buffer_user_len;
58540 -+
58541 -+static ssize_t
58542 -+read_learn(struct file *file, char __user * buf, size_t count, loff_t * ppos)
58543 -+{
58544 -+ DECLARE_WAITQUEUE(wait, current);
58545 -+ ssize_t retval = 0;
58546 -+
58547 -+ add_wait_queue(&learn_wait, &wait);
58548 -+ set_current_state(TASK_INTERRUPTIBLE);
58549 -+ do {
58550 -+ down(&gr_learn_user_sem);
58551 -+ spin_lock(&gr_learn_lock);
58552 -+ if (learn_buffer_len)
58553 -+ break;
58554 -+ spin_unlock(&gr_learn_lock);
58555 -+ up(&gr_learn_user_sem);
58556 -+ if (file->f_flags & O_NONBLOCK) {
58557 -+ retval = -EAGAIN;
58558 -+ goto out;
58559 -+ }
58560 -+ if (signal_pending(current)) {
58561 -+ retval = -ERESTARTSYS;
58562 -+ goto out;
58563 -+ }
58564 -+
58565 -+ schedule();
58566 -+ } while (1);
58567 -+
58568 -+ memcpy(learn_buffer_user, learn_buffer, learn_buffer_len);
58569 -+ learn_buffer_user_len = learn_buffer_len;
58570 -+ retval = learn_buffer_len;
58571 -+ learn_buffer_len = 0;
58572 -+
58573 -+ spin_unlock(&gr_learn_lock);
58574 -+
58575 -+ if (copy_to_user(buf, learn_buffer_user, learn_buffer_user_len))
58576 -+ retval = -EFAULT;
58577 -+
58578 -+ up(&gr_learn_user_sem);
58579 -+out:
58580 -+ set_current_state(TASK_RUNNING);
58581 -+ remove_wait_queue(&learn_wait, &wait);
58582 -+ return retval;
58583 -+}
58584 -+
58585 -+static unsigned int
58586 -+poll_learn(struct file * file, poll_table * wait)
58587 -+{
58588 -+ poll_wait(file, &learn_wait, wait);
58589 -+
58590 -+ if (learn_buffer_len)
58591 -+ return (POLLIN | POLLRDNORM);
58592 -+
58593 -+ return 0;
58594 -+}
58595 -+
58596 -+void
58597 -+gr_clear_learn_entries(void)
58598 -+{
58599 -+ char *tmp;
58600 -+
58601 -+ down(&gr_learn_user_sem);
58602 -+ if (learn_buffer != NULL) {
58603 -+ spin_lock(&gr_learn_lock);
58604 -+ tmp = learn_buffer;
58605 -+ learn_buffer = NULL;
58606 -+ spin_unlock(&gr_learn_lock);
58607 -+ vfree(learn_buffer);
58608 -+ }
58609 -+ if (learn_buffer_user != NULL) {
58610 -+ vfree(learn_buffer_user);
58611 -+ learn_buffer_user = NULL;
58612 -+ }
58613 -+ learn_buffer_len = 0;
58614 -+ up(&gr_learn_user_sem);
58615 -+
58616 -+ return;
58617 -+}
58618 -+
58619 -+void
58620 -+gr_add_learn_entry(const char *fmt, ...)
58621 -+{
58622 -+ va_list args;
58623 -+ unsigned int len;
58624 -+
58625 -+ if (!gr_learn_attached)
58626 -+ return;
58627 -+
58628 -+ spin_lock(&gr_learn_lock);
58629 -+
58630 -+ /* leave a gap at the end so we know when it's "full" but don't have to
58631 -+ compute the exact length of the string we're trying to append
58632 -+ */
58633 -+ if (learn_buffer_len > LEARN_BUFFER_SIZE - 16384) {
58634 -+ spin_unlock(&gr_learn_lock);
58635 -+ wake_up_interruptible(&learn_wait);
58636 -+ return;
58637 -+ }
58638 -+ if (learn_buffer == NULL) {
58639 -+ spin_unlock(&gr_learn_lock);
58640 -+ return;
58641 -+ }
58642 -+
58643 -+ va_start(args, fmt);
58644 -+ len = vsnprintf(learn_buffer + learn_buffer_len, LEARN_BUFFER_SIZE - learn_buffer_len, fmt, args);
58645 -+ va_end(args);
58646 -+
58647 -+ learn_buffer_len += len + 1;
58648 -+
58649 -+ spin_unlock(&gr_learn_lock);
58650 -+ wake_up_interruptible(&learn_wait);
58651 -+
58652 -+ return;
58653 -+}
58654 -+
58655 -+static int
58656 -+open_learn(struct inode *inode, struct file *file)
58657 -+{
58658 -+ if (file->f_mode & FMODE_READ && gr_learn_attached)
58659 -+ return -EBUSY;
58660 -+ if (file->f_mode & FMODE_READ) {
58661 -+ int retval = 0;
58662 -+ down(&gr_learn_user_sem);
58663 -+ if (learn_buffer == NULL)
58664 -+ learn_buffer = vmalloc(LEARN_BUFFER_SIZE);
58665 -+ if (learn_buffer_user == NULL)
58666 -+ learn_buffer_user = vmalloc(LEARN_BUFFER_SIZE);
58667 -+ if (learn_buffer == NULL) {
58668 -+ retval = -ENOMEM;
58669 -+ goto out_error;
58670 -+ }
58671 -+ if (learn_buffer_user == NULL) {
58672 -+ retval = -ENOMEM;
58673 -+ goto out_error;
58674 -+ }
58675 -+ learn_buffer_len = 0;
58676 -+ learn_buffer_user_len = 0;
58677 -+ gr_learn_attached = 1;
58678 -+out_error:
58679 -+ up(&gr_learn_user_sem);
58680 -+ return retval;
58681 -+ }
58682 -+ return 0;
58683 -+}
58684 -+
58685 -+static int
58686 -+close_learn(struct inode *inode, struct file *file)
58687 -+{
58688 -+ char *tmp;
58689 -+
58690 -+ if (file->f_mode & FMODE_READ) {
58691 -+ down(&gr_learn_user_sem);
58692 -+ if (learn_buffer != NULL) {
58693 -+ spin_lock(&gr_learn_lock);
58694 -+ tmp = learn_buffer;
58695 -+ learn_buffer = NULL;
58696 -+ spin_unlock(&gr_learn_lock);
58697 -+ vfree(tmp);
58698 -+ }
58699 -+ if (learn_buffer_user != NULL) {
58700 -+ vfree(learn_buffer_user);
58701 -+ learn_buffer_user = NULL;
58702 -+ }
58703 -+ learn_buffer_len = 0;
58704 -+ learn_buffer_user_len = 0;
58705 -+ gr_learn_attached = 0;
58706 -+ up(&gr_learn_user_sem);
58707 -+ }
58708 -+
58709 -+ return 0;
58710 -+}
58711 -+
58712 -+struct file_operations grsec_fops = {
58713 -+ .read = read_learn,
58714 -+ .write = write_grsec_handler,
58715 -+ .open = open_learn,
58716 -+ .release = close_learn,
58717 -+ .poll = poll_learn,
58718 -+};
58719 -diff -Nurp linux-2.6.23.15/grsecurity/gracl_res.c linux-2.6.23.15-grsec/grsecurity/gracl_res.c
58720 ---- linux-2.6.23.15/grsecurity/gracl_res.c 1970-01-01 01:00:00.000000000 +0100
58721 -+++ linux-2.6.23.15-grsec/grsecurity/gracl_res.c 2008-02-11 10:37:44.000000000 +0000
58722 -@@ -0,0 +1,45 @@
58723 -+#include <linux/kernel.h>
58724 -+#include <linux/sched.h>
58725 -+#include <linux/gracl.h>
58726 -+#include <linux/grinternal.h>
58727 -+
58728 -+static const char *restab_log[] = {
58729 -+ [RLIMIT_CPU] = "RLIMIT_CPU",
58730 -+ [RLIMIT_FSIZE] = "RLIMIT_FSIZE",
58731 -+ [RLIMIT_DATA] = "RLIMIT_DATA",
58732 -+ [RLIMIT_STACK] = "RLIMIT_STACK",
58733 -+ [RLIMIT_CORE] = "RLIMIT_CORE",
58734 -+ [RLIMIT_RSS] = "RLIMIT_RSS",
58735 -+ [RLIMIT_NPROC] = "RLIMIT_NPROC",
58736 -+ [RLIMIT_NOFILE] = "RLIMIT_NOFILE",
58737 -+ [RLIMIT_MEMLOCK] = "RLIMIT_MEMLOCK",
58738 -+ [RLIMIT_AS] = "RLIMIT_AS",
58739 -+ [RLIMIT_LOCKS] = "RLIMIT_LOCKS",
58740 -+ [RLIMIT_LOCKS + 1] = "RLIMIT_CRASH"
58741 -+};
58742 -+
58743 -+void
58744 -+gr_log_resource(const struct task_struct *task,
58745 -+ const int res, const unsigned long wanted, const int gt)
58746 -+{
58747 -+ if (res == RLIMIT_NPROC &&
58748 -+ (cap_raised(task->cap_effective, CAP_SYS_ADMIN) ||
58749 -+ cap_raised(task->cap_effective, CAP_SYS_RESOURCE)))
58750 -+ return;
58751 -+ else if (res == RLIMIT_MEMLOCK &&
58752 -+ cap_raised(task->cap_effective, CAP_IPC_LOCK))
58753 -+ return;
58754 -+
58755 -+ if (!gr_acl_is_enabled() && !grsec_resource_logging)
58756 -+ return;
58757 -+
58758 -+ preempt_disable();
58759 -+
58760 -+ if (unlikely(((gt && wanted > task->signal->rlim[res].rlim_cur) ||
58761 -+ (!gt && wanted >= task->signal->rlim[res].rlim_cur)) &&
58762 -+ task->signal->rlim[res].rlim_cur != RLIM_INFINITY))
58763 -+ gr_log_res_ulong2_str(GR_DONT_AUDIT, GR_RESOURCE_MSG, task, wanted, restab_log[res], task->signal->rlim[res].rlim_cur);
58764 -+ preempt_enable_no_resched();
58765 -+
58766 -+ return;
58767 -+}
58768 -diff -Nurp linux-2.6.23.15/grsecurity/gracl_segv.c linux-2.6.23.15-grsec/grsecurity/gracl_segv.c
58769 ---- linux-2.6.23.15/grsecurity/gracl_segv.c 1970-01-01 01:00:00.000000000 +0100
58770 -+++ linux-2.6.23.15-grsec/grsecurity/gracl_segv.c 2008-02-11 10:37:44.000000000 +0000
58771 -@@ -0,0 +1,301 @@
58772 -+#include <linux/kernel.h>
58773 -+#include <linux/mm.h>
58774 -+#include <asm/uaccess.h>
58775 -+#include <asm/errno.h>
58776 -+#include <asm/mman.h>
58777 -+#include <net/sock.h>
58778 -+#include <linux/file.h>
58779 -+#include <linux/fs.h>
58780 -+#include <linux/net.h>
58781 -+#include <linux/in.h>
58782 -+#include <linux/smp_lock.h>
58783 -+#include <linux/slab.h>
58784 -+#include <linux/types.h>
58785 -+#include <linux/sched.h>
58786 -+#include <linux/timer.h>
58787 -+#include <linux/gracl.h>
58788 -+#include <linux/grsecurity.h>
58789 -+#include <linux/grinternal.h>
58790 -+
58791 -+static struct crash_uid *uid_set;
58792 -+static unsigned short uid_used;
58793 -+static spinlock_t gr_uid_lock = SPIN_LOCK_UNLOCKED;
58794 -+extern rwlock_t gr_inode_lock;
58795 -+extern struct acl_subject_label *
58796 -+ lookup_acl_subj_label(const ino_t inode, const dev_t dev,
58797 -+ struct acl_role_label *role);
58798 -+extern int specific_send_sig_info(int sig, struct siginfo *info, struct task_struct *t);
58799 -+
58800 -+int
58801 -+gr_init_uidset(void)
58802 -+{
58803 -+ uid_set =
58804 -+ kmalloc(GR_UIDTABLE_MAX * sizeof (struct crash_uid), GFP_KERNEL);
58805 -+ uid_used = 0;
58806 -+
58807 -+ return uid_set ? 1 : 0;
58808 -+}
58809 -+
58810 -+void
58811 -+gr_free_uidset(void)
58812 -+{
58813 -+ if (uid_set)
58814 -+ kfree(uid_set);
58815 -+
58816 -+ return;
58817 -+}
58818 -+
58819 -+int
58820 -+gr_find_uid(const uid_t uid)
58821 -+{
58822 -+ struct crash_uid *tmp = uid_set;
58823 -+ uid_t buid;
58824 -+ int low = 0, high = uid_used - 1, mid;
58825 -+
58826 -+ while (high >= low) {
58827 -+ mid = (low + high) >> 1;
58828 -+ buid = tmp[mid].uid;
58829 -+ if (buid == uid)
58830 -+ return mid;
58831 -+ if (buid > uid)
58832 -+ high = mid - 1;
58833 -+ if (buid < uid)
58834 -+ low = mid + 1;
58835 -+ }
58836 -+
58837 -+ return -1;
58838 -+}
58839 -+
58840 -+static __inline__ void
58841 -+gr_insertsort(void)
58842 -+{
58843 -+ unsigned short i, j;
58844 -+ struct crash_uid index;
58845 -+
58846 -+ for (i = 1; i < uid_used; i++) {
58847 -+ index = uid_set[i];
58848 -+ j = i;
58849 -+ while ((j > 0) && uid_set[j - 1].uid > index.uid) {
58850 -+ uid_set[j] = uid_set[j - 1];
58851 -+ j--;
58852 -+ }
58853 -+ uid_set[j] = index;
58854 -+ }
58855 -+
58856 -+ return;
58857 -+}
58858 -+
58859 -+static __inline__ void
58860 -+gr_insert_uid(const uid_t uid, const unsigned long expires)
58861 -+{
58862 -+ int loc;
58863 -+
58864 -+ if (uid_used == GR_UIDTABLE_MAX)
58865 -+ return;
58866 -+
58867 -+ loc = gr_find_uid(uid);
58868 -+
58869 -+ if (loc >= 0) {
58870 -+ uid_set[loc].expires = expires;
58871 -+ return;
58872 -+ }
58873 -+
58874 -+ uid_set[uid_used].uid = uid;
58875 -+ uid_set[uid_used].expires = expires;
58876 -+ uid_used++;
58877 -+
58878 -+ gr_insertsort();
58879 -+
58880 -+ return;
58881 -+}
58882 -+
58883 -+void
58884 -+gr_remove_uid(const unsigned short loc)
58885 -+{
58886 -+ unsigned short i;
58887 -+
58888 -+ for (i = loc + 1; i < uid_used; i++)
58889 -+ uid_set[i - 1] = uid_set[i];
58890 -+
58891 -+ uid_used--;
58892 -+
58893 -+ return;
58894 -+}
58895 -+
58896 -+int
58897 -+gr_check_crash_uid(const uid_t uid)
58898 -+{
58899 -+ int loc;
58900 -+ int ret = 0;
58901 -+
58902 -+ if (unlikely(!gr_acl_is_enabled()))
58903 -+ return 0;
58904 -+
58905 -+ spin_lock(&gr_uid_lock);
58906 -+ loc = gr_find_uid(uid);
58907 -+
58908 -+ if (loc < 0)
58909 -+ goto out_unlock;
58910 -+
58911 -+ if (time_before_eq(uid_set[loc].expires, get_seconds()))
58912 -+ gr_remove_uid(loc);
58913 -+ else
58914 -+ ret = 1;
58915 -+
58916 -+out_unlock:
58917 -+ spin_unlock(&gr_uid_lock);
58918 -+ return ret;
58919 -+}
58920 -+
58921 -+static __inline__ int
58922 -+proc_is_setxid(const struct task_struct *task)
58923 -+{
58924 -+ if (task->uid != task->euid || task->uid != task->suid ||
58925 -+ task->uid != task->fsuid)
58926 -+ return 1;
58927 -+ if (task->gid != task->egid || task->gid != task->sgid ||
58928 -+ task->gid != task->fsgid)
58929 -+ return 1;
58930 -+
58931 -+ return 0;
58932 -+}
58933 -+static __inline__ int
58934 -+gr_fake_force_sig(int sig, struct task_struct *t)
58935 -+{
58936 -+ unsigned long int flags;
58937 -+ int ret, blocked, ignored;
58938 -+ struct k_sigaction *action;
58939 -+
58940 -+ spin_lock_irqsave(&t->sighand->siglock, flags);
58941 -+ action = &t->sighand->action[sig-1];
58942 -+ ignored = action->sa.sa_handler == SIG_IGN;
58943 -+ blocked = sigismember(&t->blocked, sig);
58944 -+ if (blocked || ignored) {
58945 -+ action->sa.sa_handler = SIG_DFL;
58946 -+ if (blocked) {
58947 -+ sigdelset(&t->blocked, sig);
58948 -+ recalc_sigpending_and_wake(t);
58949 -+ }
58950 -+ }
58951 -+ ret = specific_send_sig_info(sig, (void*)1L, t);
58952 -+ spin_unlock_irqrestore(&t->sighand->siglock, flags);
58953 -+
58954 -+ return ret;
58955 -+}
58956 -+
58957 -+void
58958 -+gr_handle_crash(struct task_struct *task, const int sig)
58959 -+{
58960 -+ struct acl_subject_label *curr;
58961 -+ struct acl_subject_label *curr2;
58962 -+ struct task_struct *tsk, *tsk2;
58963 -+
58964 -+ if (sig != SIGSEGV && sig != SIGKILL && sig != SIGBUS && sig != SIGILL)
58965 -+ return;
58966 -+
58967 -+ if (unlikely(!gr_acl_is_enabled()))
58968 -+ return;
58969 -+
58970 -+ curr = task->acl;
58971 -+
58972 -+ if (!(curr->resmask & (1 << GR_CRASH_RES)))
58973 -+ return;
58974 -+
58975 -+ if (time_before_eq(curr->expires, get_seconds())) {
58976 -+ curr->expires = 0;
58977 -+ curr->crashes = 0;
58978 -+ }
58979 -+
58980 -+ curr->crashes++;
58981 -+
58982 -+ if (!curr->expires)
58983 -+ curr->expires = get_seconds() + curr->res[GR_CRASH_RES].rlim_max;
58984 -+
58985 -+ if ((curr->crashes >= curr->res[GR_CRASH_RES].rlim_cur) &&
58986 -+ time_after(curr->expires, get_seconds())) {
58987 -+ if (task->uid && proc_is_setxid(task)) {
58988 -+ gr_log_crash1(GR_DONT_AUDIT, GR_SEGVSTART_ACL_MSG, task, curr->res[GR_CRASH_RES].rlim_max);
58989 -+ spin_lock(&gr_uid_lock);
58990 -+ gr_insert_uid(task->uid, curr->expires);
58991 -+ spin_unlock(&gr_uid_lock);
58992 -+ curr->expires = 0;
58993 -+ curr->crashes = 0;
58994 -+ read_lock(&tasklist_lock);
58995 -+ do_each_thread(tsk2, tsk) {
58996 -+ if (tsk != task && tsk->uid == task->uid)
58997 -+ gr_fake_force_sig(SIGKILL, tsk);
58998 -+ } while_each_thread(tsk2, tsk);
58999 -+ read_unlock(&tasklist_lock);
59000 -+ } else {
59001 -+ gr_log_crash2(GR_DONT_AUDIT, GR_SEGVNOSUID_ACL_MSG, task, curr->res[GR_CRASH_RES].rlim_max);
59002 -+ read_lock(&tasklist_lock);
59003 -+ do_each_thread(tsk2, tsk) {
59004 -+ if (likely(tsk != task)) {
59005 -+ curr2 = tsk->acl;
59006 -+
59007 -+ if (curr2->device == curr->device &&
59008 -+ curr2->inode == curr->inode)
59009 -+ gr_fake_force_sig(SIGKILL, tsk);
59010 -+ }
59011 -+ } while_each_thread(tsk2, tsk);
59012 -+ read_unlock(&tasklist_lock);
59013 -+ }
59014 -+ }
59015 -+
59016 -+ return;
59017 -+}
59018 -+
59019 -+int
59020 -+gr_check_crash_exec(const struct file *filp)
59021 -+{
59022 -+ struct acl_subject_label *curr;
59023 -+
59024 -+ if (unlikely(!gr_acl_is_enabled()))
59025 -+ return 0;
59026 -+
59027 -+ read_lock(&gr_inode_lock);
59028 -+ curr = lookup_acl_subj_label(filp->f_dentry->d_inode->i_ino,
59029 -+ filp->f_dentry->d_inode->i_sb->s_dev,
59030 -+ current->role);
59031 -+ read_unlock(&gr_inode_lock);
59032 -+
59033 -+ if (!curr || !(curr->resmask & (1 << GR_CRASH_RES)) ||
59034 -+ (!curr->crashes && !curr->expires))
59035 -+ return 0;
59036 -+
59037 -+ if ((curr->crashes >= curr->res[GR_CRASH_RES].rlim_cur) &&
59038 -+ time_after(curr->expires, get_seconds()))
59039 -+ return 1;
59040 -+ else if (time_before_eq(curr->expires, get_seconds())) {
59041 -+ curr->crashes = 0;
59042 -+ curr->expires = 0;
59043 -+ }
59044 -+
59045 -+ return 0;
59046 -+}
59047 -+
59048 -+void
59049 -+gr_handle_alertkill(struct task_struct *task)
59050 -+{
59051 -+ struct acl_subject_label *curracl;
59052 -+ __u32 curr_ip;
59053 -+ struct task_struct *p, *p2;
59054 -+
59055 -+ if (unlikely(!gr_acl_is_enabled()))
59056 -+ return;
59057 -+
59058 -+ curracl = task->acl;
59059 -+ curr_ip = task->signal->curr_ip;
59060 -+
59061 -+ if ((curracl->mode & GR_KILLIPPROC) && curr_ip) {
59062 -+ read_lock(&tasklist_lock);
59063 -+ do_each_thread(p2, p) {
59064 -+ if (p->signal->curr_ip == curr_ip)
59065 -+ gr_fake_force_sig(SIGKILL, p);
59066 -+ } while_each_thread(p2, p);
59067 -+ read_unlock(&tasklist_lock);
59068 -+ } else if (curracl->mode & GR_KILLPROC)
59069 -+ gr_fake_force_sig(SIGKILL, task);
59070 -+
59071 -+ return;
59072 -+}
59073 -diff -Nurp linux-2.6.23.15/grsecurity/gracl_shm.c linux-2.6.23.15-grsec/grsecurity/gracl_shm.c
59074 ---- linux-2.6.23.15/grsecurity/gracl_shm.c 1970-01-01 01:00:00.000000000 +0100
59075 -+++ linux-2.6.23.15-grsec/grsecurity/gracl_shm.c 2008-02-11 10:37:44.000000000 +0000
59076 -@@ -0,0 +1,33 @@
59077 -+#include <linux/kernel.h>
59078 -+#include <linux/mm.h>
59079 -+#include <linux/sched.h>
59080 -+#include <linux/file.h>
59081 -+#include <linux/ipc.h>
59082 -+#include <linux/gracl.h>
59083 -+#include <linux/grsecurity.h>
59084 -+#include <linux/grinternal.h>
59085 -+
59086 -+int
59087 -+gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
59088 -+ const time_t shm_createtime, const uid_t cuid, const int shmid)
59089 -+{
59090 -+ struct task_struct *task;
59091 -+
59092 -+ if (!gr_acl_is_enabled())
59093 -+ return 1;
59094 -+
59095 -+ task = find_task_by_pid(shm_cprid);
59096 -+
59097 -+ if (unlikely(!task))
59098 -+ task = find_task_by_pid(shm_lapid);
59099 -+
59100 -+ if (unlikely(task && (time_before((unsigned long)task->start_time.tv_sec, (unsigned long)shm_createtime) ||
59101 -+ (task->pid == shm_lapid)) &&
59102 -+ (task->acl->mode & GR_PROTSHM) &&
59103 -+ (task->acl != current->acl))) {
59104 -+ gr_log_int3(GR_DONT_AUDIT, GR_SHMAT_ACL_MSG, cuid, shm_cprid, shmid);
59105 -+ return 0;
59106 -+ }
59107 -+
59108 -+ return 1;
59109 -+}
59110 -diff -Nurp linux-2.6.23.15/grsecurity/grsec_chdir.c linux-2.6.23.15-grsec/grsecurity/grsec_chdir.c
59111 ---- linux-2.6.23.15/grsecurity/grsec_chdir.c 1970-01-01 01:00:00.000000000 +0100
59112 -+++ linux-2.6.23.15-grsec/grsecurity/grsec_chdir.c 2008-02-11 10:37:44.000000000 +0000
59113 -@@ -0,0 +1,19 @@
59114 -+#include <linux/kernel.h>
59115 -+#include <linux/sched.h>
59116 -+#include <linux/fs.h>
59117 -+#include <linux/file.h>
59118 -+#include <linux/grsecurity.h>
59119 -+#include <linux/grinternal.h>
59120 -+
59121 -+void
59122 -+gr_log_chdir(const struct dentry *dentry, const struct vfsmount *mnt)
59123 -+{
59124 -+#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR
59125 -+ if ((grsec_enable_chdir && grsec_enable_group &&
59126 -+ in_group_p(grsec_audit_gid)) || (grsec_enable_chdir &&
59127 -+ !grsec_enable_group)) {
59128 -+ gr_log_fs_generic(GR_DO_AUDIT, GR_CHDIR_AUDIT_MSG, dentry, mnt);
59129 -+ }
59130 -+#endif
59131 -+ return;
59132 -+}
59133 -diff -Nurp linux-2.6.23.15/grsecurity/grsec_chroot.c linux-2.6.23.15-grsec/grsecurity/grsec_chroot.c
59134 ---- linux-2.6.23.15/grsecurity/grsec_chroot.c 1970-01-01 01:00:00.000000000 +0100
59135 -+++ linux-2.6.23.15-grsec/grsecurity/grsec_chroot.c 2008-02-11 10:37:44.000000000 +0000
59136 -@@ -0,0 +1,335 @@
59137 -+#include <linux/kernel.h>
59138 -+#include <linux/module.h>
59139 -+#include <linux/sched.h>
59140 -+#include <linux/file.h>
59141 -+#include <linux/fs.h>
59142 -+#include <linux/mount.h>
59143 -+#include <linux/types.h>
59144 -+#include <linux/pid_namespace.h>
59145 -+#include <linux/grsecurity.h>
59146 -+#include <linux/grinternal.h>
59147 -+
59148 -+int
59149 -+gr_handle_chroot_unix(const pid_t pid)
59150 -+{
59151 -+#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
59152 -+ struct pid *spid = NULL;
59153 -+
59154 -+ if (unlikely(!grsec_enable_chroot_unix))
59155 -+ return 1;
59156 -+
59157 -+ if (likely(!proc_is_chrooted(current)))
59158 -+ return 1;
59159 -+
59160 -+ read_lock(&tasklist_lock);
59161 -+
59162 -+ spid = find_pid(pid);
59163 -+ if (spid) {
59164 -+ struct task_struct *p;
59165 -+ p = pid_task(spid, PIDTYPE_PID);
59166 -+ task_lock(p);
59167 -+ if (unlikely(!have_same_root(current, p))) {
59168 -+ task_unlock(p);
59169 -+ read_unlock(&tasklist_lock);
59170 -+ gr_log_noargs(GR_DONT_AUDIT, GR_UNIX_CHROOT_MSG);
59171 -+ return 0;
59172 -+ }
59173 -+ task_unlock(p);
59174 -+ }
59175 -+ read_unlock(&tasklist_lock);
59176 -+#endif
59177 -+ return 1;
59178 -+}
59179 -+
59180 -+int
59181 -+gr_handle_chroot_nice(void)
59182 -+{
59183 -+#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
59184 -+ if (grsec_enable_chroot_nice && proc_is_chrooted(current)) {
59185 -+ gr_log_noargs(GR_DONT_AUDIT, GR_NICE_CHROOT_MSG);
59186 -+ return -EPERM;
59187 -+ }
59188 -+#endif
59189 -+ return 0;
59190 -+}
59191 -+
59192 -+int
59193 -+gr_handle_chroot_setpriority(struct task_struct *p, const int niceval)
59194 -+{
59195 -+#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
59196 -+ if (grsec_enable_chroot_nice && (niceval < task_nice(p))
59197 -+ && proc_is_chrooted(current)) {
59198 -+ gr_log_str_int(GR_DONT_AUDIT, GR_PRIORITY_CHROOT_MSG, p->comm, p->pid);
59199 -+ return -EACCES;
59200 -+ }
59201 -+#endif
59202 -+ return 0;
59203 -+}
59204 -+
59205 -+int
59206 -+gr_handle_chroot_rawio(const struct inode *inode)
59207 -+{
59208 -+#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
59209 -+ if (grsec_enable_chroot_caps && proc_is_chrooted(current) &&
59210 -+ inode && S_ISBLK(inode->i_mode) && !capable(CAP_SYS_RAWIO))
59211 -+ return 1;
59212 -+#endif
59213 -+ return 0;
59214 -+}
59215 -+
59216 -+int
59217 -+gr_pid_is_chrooted(struct task_struct *p)
59218 -+{
59219 -+#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
59220 -+ if (!grsec_enable_chroot_findtask || !proc_is_chrooted(current) || p == NULL)
59221 -+ return 0;
59222 -+
59223 -+ task_lock(p);
59224 -+ if ((p->exit_state & (EXIT_ZOMBIE | EXIT_DEAD)) ||
59225 -+ !have_same_root(current, p)) {
59226 -+ task_unlock(p);
59227 -+ return 1;
59228 -+ }
59229 -+ task_unlock(p);
59230 -+#endif
59231 -+ return 0;
59232 -+}
59233 -+
59234 -+EXPORT_SYMBOL(gr_pid_is_chrooted);
59235 -+
59236 -+#if defined(CONFIG_GRKERNSEC_CHROOT_DOUBLE) || defined(CONFIG_GRKERNSEC_CHROOT_FCHDIR)
59237 -+int gr_is_outside_chroot(const struct dentry *u_dentry, const struct vfsmount *u_mnt)
59238 -+{
59239 -+ struct dentry *dentry = (struct dentry *)u_dentry;
59240 -+ struct vfsmount *mnt = (struct vfsmount *)u_mnt;
59241 -+ struct dentry *realroot;
59242 -+ struct vfsmount *realrootmnt;
59243 -+ struct dentry *currentroot;
59244 -+ struct vfsmount *currentmnt;
59245 -+ struct task_struct *reaper = child_reaper(current);
59246 -+ int ret = 1;
59247 -+
59248 -+ read_lock(&reaper->fs->lock);
59249 -+ realrootmnt = mntget(reaper->fs->rootmnt);
59250 -+ realroot = dget(reaper->fs->root);
59251 -+ read_unlock(&reaper->fs->lock);
59252 -+
59253 -+ read_lock(&current->fs->lock);
59254 -+ currentmnt = mntget(current->fs->rootmnt);
59255 -+ currentroot = dget(current->fs->root);
59256 -+ read_unlock(&current->fs->lock);
59257 -+
59258 -+ spin_lock(&dcache_lock);
59259 -+ for (;;) {
59260 -+ if (unlikely((dentry == realroot && mnt == realrootmnt)
59261 -+ || (dentry == currentroot && mnt == currentmnt)))
59262 -+ break;
59263 -+ if (unlikely(dentry == mnt->mnt_root || IS_ROOT(dentry))) {
59264 -+ if (mnt->mnt_parent == mnt)
59265 -+ break;
59266 -+ dentry = mnt->mnt_mountpoint;
59267 -+ mnt = mnt->mnt_parent;
59268 -+ continue;
59269 -+ }
59270 -+ dentry = dentry->d_parent;
59271 -+ }
59272 -+ spin_unlock(&dcache_lock);
59273 -+
59274 -+ dput(currentroot);
59275 -+ mntput(currentmnt);
59276 -+
59277 -+ /* access is outside of chroot */
59278 -+ if (dentry == realroot && mnt == realrootmnt)
59279 -+ ret = 0;
59280 -+
59281 -+ dput(realroot);
59282 -+ mntput(realrootmnt);
59283 -+ return ret;
59284 -+}
59285 -+#endif
59286 -+
59287 -+int
59288 -+gr_chroot_fchdir(struct dentry *u_dentry, struct vfsmount *u_mnt)
59289 -+{
59290 -+#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
59291 -+ if (!grsec_enable_chroot_fchdir)
59292 -+ return 1;
59293 -+
59294 -+ if (!proc_is_chrooted(current))
59295 -+ return 1;
59296 -+ else if (!gr_is_outside_chroot(u_dentry, u_mnt)) {
59297 -+ gr_log_fs_generic(GR_DONT_AUDIT, GR_CHROOT_FCHDIR_MSG, u_dentry, u_mnt);
59298 -+ return 0;
59299 -+ }
59300 -+#endif
59301 -+ return 1;
59302 -+}
59303 -+
59304 -+int
59305 -+gr_chroot_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
59306 -+ const time_t shm_createtime)
59307 -+{
59308 -+#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT
59309 -+ struct pid *pid = NULL;
59310 -+ time_t starttime;
59311 -+
59312 -+ if (unlikely(!grsec_enable_chroot_shmat))
59313 -+ return 1;
59314 -+
59315 -+ if (likely(!proc_is_chrooted(current)))
59316 -+ return 1;
59317 -+
59318 -+ read_lock(&tasklist_lock);
59319 -+
59320 -+ pid = find_pid(shm_cprid);
59321 -+ if (pid) {
59322 -+ struct task_struct *p;
59323 -+ p = pid_task(pid, PIDTYPE_PID);
59324 -+ task_lock(p);
59325 -+ starttime = p->start_time.tv_sec;
59326 -+ if (unlikely(!have_same_root(current, p) &&
59327 -+ time_before((unsigned long)starttime, (unsigned long)shm_createtime))) {
59328 -+ task_unlock(p);
59329 -+ read_unlock(&tasklist_lock);
59330 -+ gr_log_noargs(GR_DONT_AUDIT, GR_SHMAT_CHROOT_MSG);
59331 -+ return 0;
59332 -+ }
59333 -+ task_unlock(p);
59334 -+ } else {
59335 -+ pid = find_pid(shm_lapid);
59336 -+ if (pid) {
59337 -+ struct task_struct *p;
59338 -+ p = pid_task(pid, PIDTYPE_PID);
59339 -+ task_lock(p);
59340 -+ if (unlikely(!have_same_root(current, p))) {
59341 -+ task_unlock(p);
59342 -+ read_unlock(&tasklist_lock);
59343 -+ gr_log_noargs(GR_DONT_AUDIT, GR_SHMAT_CHROOT_MSG);
59344 -+ return 0;
59345 -+ }
59346 -+ task_unlock(p);
59347 -+ }
59348 -+ }
59349 -+
59350 -+ read_unlock(&tasklist_lock);
59351 -+#endif
59352 -+ return 1;
59353 -+}
59354 -+
59355 -+void
59356 -+gr_log_chroot_exec(const struct dentry *dentry, const struct vfsmount *mnt)
59357 -+{
59358 -+#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
59359 -+ if (grsec_enable_chroot_execlog && proc_is_chrooted(current))
59360 -+ gr_log_fs_generic(GR_DO_AUDIT, GR_EXEC_CHROOT_MSG, dentry, mnt);
59361 -+#endif
59362 -+ return;
59363 -+}
59364 -+
59365 -+int
59366 -+gr_handle_chroot_mknod(const struct dentry *dentry,
59367 -+ const struct vfsmount *mnt, const int mode)
59368 -+{
59369 -+#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
59370 -+ if (grsec_enable_chroot_mknod && !S_ISFIFO(mode) && !S_ISREG(mode) &&
59371 -+ proc_is_chrooted(current)) {
59372 -+ gr_log_fs_generic(GR_DONT_AUDIT, GR_MKNOD_CHROOT_MSG, dentry, mnt);
59373 -+ return -EPERM;
59374 -+ }
59375 -+#endif
59376 -+ return 0;
59377 -+}
59378 -+
59379 -+int
59380 -+gr_handle_chroot_mount(const struct dentry *dentry,
59381 -+ const struct vfsmount *mnt, const char *dev_name)
59382 -+{
59383 -+#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
59384 -+ if (grsec_enable_chroot_mount && proc_is_chrooted(current)) {
59385 -+ gr_log_str_fs(GR_DONT_AUDIT, GR_MOUNT_CHROOT_MSG, dev_name, dentry, mnt);
59386 -+ return -EPERM;
59387 -+ }
59388 -+#endif
59389 -+ return 0;
59390 -+}
59391 -+
59392 -+int
59393 -+gr_handle_chroot_pivot(void)
59394 -+{
59395 -+#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT
59396 -+ if (grsec_enable_chroot_pivot && proc_is_chrooted(current)) {
59397 -+ gr_log_noargs(GR_DONT_AUDIT, GR_PIVOT_CHROOT_MSG);
59398 -+ return -EPERM;
59399 -+ }
59400 -+#endif
59401 -+ return 0;
59402 -+}
59403 -+
59404 -+int
59405 -+gr_handle_chroot_chroot(const struct dentry *dentry, const struct vfsmount *mnt)
59406 -+{
59407 -+#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
59408 -+ if (grsec_enable_chroot_double && proc_is_chrooted(current) &&
59409 -+ !gr_is_outside_chroot(dentry, mnt)) {
59410 -+ gr_log_fs_generic(GR_DONT_AUDIT, GR_CHROOT_CHROOT_MSG, dentry, mnt);
59411 -+ return -EPERM;
59412 -+ }
59413 -+#endif
59414 -+ return 0;
59415 -+}
59416 -+
59417 -+void
59418 -+gr_handle_chroot_caps(struct task_struct *task)
59419 -+{
59420 -+#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
59421 -+ if (grsec_enable_chroot_caps && proc_is_chrooted(task)) {
59422 -+ task->cap_permitted =
59423 -+ cap_drop(task->cap_permitted, GR_CHROOT_CAPS);
59424 -+ task->cap_inheritable =
59425 -+ cap_drop(task->cap_inheritable, GR_CHROOT_CAPS);
59426 -+ task->cap_effective =
59427 -+ cap_drop(task->cap_effective, GR_CHROOT_CAPS);
59428 -+ }
59429 -+#endif
59430 -+ return;
59431 -+}
59432 -+
59433 -+int
59434 -+gr_handle_chroot_sysctl(const int op)
59435 -+{
59436 -+#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
59437 -+ if (grsec_enable_chroot_sysctl && proc_is_chrooted(current)
59438 -+ && (op & 002))
59439 -+ return -EACCES;
59440 -+#endif
59441 -+ return 0;
59442 -+}
59443 -+
59444 -+void
59445 -+gr_handle_chroot_chdir(struct dentry *dentry, struct vfsmount *mnt)
59446 -+{
59447 -+#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
59448 -+ if (grsec_enable_chroot_chdir)
59449 -+ set_fs_pwd(current->fs, mnt, dentry);
59450 -+#endif
59451 -+ return;
59452 -+}
59453 -+
59454 -+int
59455 -+gr_handle_chroot_chmod(const struct dentry *dentry,
59456 -+ const struct vfsmount *mnt, const int mode)
59457 -+{
59458 -+#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
59459 -+ if (grsec_enable_chroot_chmod &&
59460 -+ ((mode & S_ISUID) || ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP))) &&
59461 -+ proc_is_chrooted(current)) {
59462 -+ gr_log_fs_generic(GR_DONT_AUDIT, GR_CHMOD_CHROOT_MSG, dentry, mnt);
59463 -+ return -EPERM;
59464 -+ }
59465 -+#endif
59466 -+ return 0;
59467 -+}
59468 -+
59469 -+#ifdef CONFIG_SECURITY
59470 -+EXPORT_SYMBOL(gr_handle_chroot_caps);
59471 -+#endif
59472 -diff -Nurp linux-2.6.23.15/grsecurity/grsec_disabled.c linux-2.6.23.15-grsec/grsecurity/grsec_disabled.c
59473 ---- linux-2.6.23.15/grsecurity/grsec_disabled.c 1970-01-01 01:00:00.000000000 +0100
59474 -+++ linux-2.6.23.15-grsec/grsecurity/grsec_disabled.c 2008-02-11 10:37:44.000000000 +0000
59475 -@@ -0,0 +1,418 @@
59476 -+#include <linux/kernel.h>
59477 -+#include <linux/module.h>
59478 -+#include <linux/sched.h>
59479 -+#include <linux/file.h>
59480 -+#include <linux/fs.h>
59481 -+#include <linux/kdev_t.h>
59482 -+#include <linux/net.h>
59483 -+#include <linux/in.h>
59484 -+#include <linux/ip.h>
59485 -+#include <linux/skbuff.h>
59486 -+#include <linux/sysctl.h>
59487 -+
59488 -+#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
59489 -+void
59490 -+pax_set_initial_flags(struct linux_binprm *bprm)
59491 -+{
59492 -+ return;
59493 -+}
59494 -+#endif
59495 -+
59496 -+#ifdef CONFIG_SYSCTL
59497 -+__u32
59498 -+gr_handle_sysctl(const struct ctl_table * table, const int op)
59499 -+{
59500 -+ return 0;
59501 -+}
59502 -+#endif
59503 -+
59504 -+int
59505 -+gr_acl_is_enabled(void)
59506 -+{
59507 -+ return 0;
59508 -+}
59509 -+
59510 -+int
59511 -+gr_handle_rawio(const struct inode *inode)
59512 -+{
59513 -+ return 0;
59514 -+}
59515 -+
59516 -+void
59517 -+gr_acl_handle_psacct(struct task_struct *task, const long code)
59518 -+{
59519 -+ return;
59520 -+}
59521 -+
59522 -+int
59523 -+gr_handle_ptrace(struct task_struct *task, const long request)
59524 -+{
59525 -+ return 0;
59526 -+}
59527 -+
59528 -+int
59529 -+gr_handle_proc_ptrace(struct task_struct *task)
59530 -+{
59531 -+ return 0;
59532 -+}
59533 -+
59534 -+void
59535 -+gr_learn_resource(const struct task_struct *task,
59536 -+ const int res, const unsigned long wanted, const int gt)
59537 -+{
59538 -+ return;
59539 -+}
59540 -+
59541 -+int
59542 -+gr_set_acls(const int type)
59543 -+{
59544 -+ return 0;
59545 -+}
59546 -+
59547 -+int
59548 -+gr_check_hidden_task(const struct task_struct *tsk)
59549 -+{
59550 -+ return 0;
59551 -+}
59552 -+
59553 -+int
59554 -+gr_check_protected_task(const struct task_struct *task)
59555 -+{
59556 -+ return 0;
59557 -+}
59558 -+
59559 -+void
59560 -+gr_copy_label(struct task_struct *tsk)
59561 -+{
59562 -+ return;
59563 -+}
59564 -+
59565 -+void
59566 -+gr_set_pax_flags(struct task_struct *task)
59567 -+{
59568 -+ return;
59569 -+}
59570 -+
59571 -+int
59572 -+gr_set_proc_label(const struct dentry *dentry, const struct vfsmount *mnt)
59573 -+{
59574 -+ return 0;
59575 -+}
59576 -+
59577 -+void
59578 -+gr_handle_delete(const ino_t ino, const dev_t dev)
59579 -+{
59580 -+ return;
59581 -+}
59582 -+
59583 -+void
59584 -+gr_handle_create(const struct dentry *dentry, const struct vfsmount *mnt)
59585 -+{
59586 -+ return;
59587 -+}
59588 -+
59589 -+void
59590 -+gr_handle_crash(struct task_struct *task, const int sig)
59591 -+{
59592 -+ return;
59593 -+}
59594 -+
59595 -+int
59596 -+gr_check_crash_exec(const struct file *filp)
59597 -+{
59598 -+ return 0;
59599 -+}
59600 -+
59601 -+int
59602 -+gr_check_crash_uid(const uid_t uid)
59603 -+{
59604 -+ return 0;
59605 -+}
59606 -+
59607 -+void
59608 -+gr_handle_rename(struct inode *old_dir, struct inode *new_dir,
59609 -+ struct dentry *old_dentry,
59610 -+ struct dentry *new_dentry,
59611 -+ struct vfsmount *mnt, const __u8 replace)
59612 -+{
59613 -+ return;
59614 -+}
59615 -+
59616 -+int
59617 -+gr_search_socket(const int family, const int type, const int protocol)
59618 -+{
59619 -+ return 1;
59620 -+}
59621 -+
59622 -+int
59623 -+gr_search_connectbind(const int mode, const struct socket *sock,
59624 -+ const struct sockaddr_in *addr)
59625 -+{
59626 -+ return 1;
59627 -+}
59628 -+
59629 -+int
59630 -+gr_task_is_capable(struct task_struct *task, const int cap)
59631 -+{
59632 -+ return 1;
59633 -+}
59634 -+
59635 -+int
59636 -+gr_is_capable_nolog(const int cap)
59637 -+{
59638 -+ return 1;
59639 -+}
59640 -+
59641 -+void
59642 -+gr_handle_alertkill(struct task_struct *task)
59643 -+{
59644 -+ return;
59645 -+}
59646 -+
59647 -+__u32
59648 -+gr_acl_handle_execve(const struct dentry * dentry, const struct vfsmount * mnt)
59649 -+{
59650 -+ return 1;
59651 -+}
59652 -+
59653 -+__u32
59654 -+gr_acl_handle_hidden_file(const struct dentry * dentry,
59655 -+ const struct vfsmount * mnt)
59656 -+{
59657 -+ return 1;
59658 -+}
59659 -+
59660 -+__u32
59661 -+gr_acl_handle_open(const struct dentry * dentry, const struct vfsmount * mnt,
59662 -+ const int fmode)
59663 -+{
59664 -+ return 1;
59665 -+}
59666 -+
59667 -+__u32
59668 -+gr_acl_handle_rmdir(const struct dentry * dentry, const struct vfsmount * mnt)
59669 -+{
59670 -+ return 1;
59671 -+}
59672 -+
59673 -+__u32
59674 -+gr_acl_handle_unlink(const struct dentry * dentry, const struct vfsmount * mnt)
59675 -+{
59676 -+ return 1;
59677 -+}
59678 -+
59679 -+int
59680 -+gr_acl_handle_mmap(const struct file *file, const unsigned long prot,
59681 -+ unsigned int *vm_flags)
59682 -+{
59683 -+ return 1;
59684 -+}
59685 -+
59686 -+__u32
59687 -+gr_acl_handle_truncate(const struct dentry * dentry,
59688 -+ const struct vfsmount * mnt)
59689 -+{
59690 -+ return 1;
59691 -+}
59692 -+
59693 -+__u32
59694 -+gr_acl_handle_utime(const struct dentry * dentry, const struct vfsmount * mnt)
59695 -+{
59696 -+ return 1;
59697 -+}
59698 -+
59699 -+__u32
59700 -+gr_acl_handle_access(const struct dentry * dentry,
59701 -+ const struct vfsmount * mnt, const int fmode)
59702 -+{
59703 -+ return 1;
59704 -+}
59705 -+
59706 -+__u32
59707 -+gr_acl_handle_fchmod(const struct dentry * dentry, const struct vfsmount * mnt,
59708 -+ mode_t mode)
59709 -+{
59710 -+ return 1;
59711 -+}
59712 -+
59713 -+__u32
59714 -+gr_acl_handle_chmod(const struct dentry * dentry, const struct vfsmount * mnt,
59715 -+ mode_t mode)
59716 -+{
59717 -+ return 1;
59718 -+}
59719 -+
59720 -+__u32
59721 -+gr_acl_handle_chown(const struct dentry * dentry, const struct vfsmount * mnt)
59722 -+{
59723 -+ return 1;
59724 -+}
59725 -+
59726 -+void
59727 -+grsecurity_init(void)
59728 -+{
59729 -+ return;
59730 -+}
59731 -+
59732 -+__u32
59733 -+gr_acl_handle_mknod(const struct dentry * new_dentry,
59734 -+ const struct dentry * parent_dentry,
59735 -+ const struct vfsmount * parent_mnt,
59736 -+ const int mode)
59737 -+{
59738 -+ return 1;
59739 -+}
59740 -+
59741 -+__u32
59742 -+gr_acl_handle_mkdir(const struct dentry * new_dentry,
59743 -+ const struct dentry * parent_dentry,
59744 -+ const struct vfsmount * parent_mnt)
59745 -+{
59746 -+ return 1;
59747 -+}
59748 -+
59749 -+__u32
59750 -+gr_acl_handle_symlink(const struct dentry * new_dentry,
59751 -+ const struct dentry * parent_dentry,
59752 -+ const struct vfsmount * parent_mnt, const char *from)
59753 -+{
59754 -+ return 1;
59755 -+}
59756 -+
59757 -+__u32
59758 -+gr_acl_handle_link(const struct dentry * new_dentry,
59759 -+ const struct dentry * parent_dentry,
59760 -+ const struct vfsmount * parent_mnt,
59761 -+ const struct dentry * old_dentry,
59762 -+ const struct vfsmount * old_mnt, const char *to)
59763 -+{
59764 -+ return 1;
59765 -+}
59766 -+
59767 -+int
59768 -+gr_acl_handle_rename(const struct dentry *new_dentry,
59769 -+ const struct dentry *parent_dentry,
59770 -+ const struct vfsmount *parent_mnt,
59771 -+ const struct dentry *old_dentry,
59772 -+ const struct inode *old_parent_inode,
59773 -+ const struct vfsmount *old_mnt, const char *newname)
59774 -+{
59775 -+ return 0;
59776 -+}
59777 -+
59778 -+int
59779 -+gr_acl_handle_filldir(const struct file *file, const char *name,
59780 -+ const int namelen, const ino_t ino)
59781 -+{
59782 -+ return 1;
59783 -+}
59784 -+
59785 -+int
59786 -+gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
59787 -+ const time_t shm_createtime, const uid_t cuid, const int shmid)
59788 -+{
59789 -+ return 1;
59790 -+}
59791 -+
59792 -+int
59793 -+gr_search_bind(const struct socket *sock, const struct sockaddr_in *addr)
59794 -+{
59795 -+ return 1;
59796 -+}
59797 -+
59798 -+int
59799 -+gr_search_accept(const struct socket *sock)
59800 -+{
59801 -+ return 1;
59802 -+}
59803 -+
59804 -+int
59805 -+gr_search_listen(const struct socket *sock)
59806 -+{
59807 -+ return 1;
59808 -+}
59809 -+
59810 -+int
59811 -+gr_search_connect(const struct socket *sock, const struct sockaddr_in *addr)
59812 -+{
59813 -+ return 1;
59814 -+}
59815 -+
59816 -+__u32
59817 -+gr_acl_handle_unix(const struct dentry * dentry, const struct vfsmount * mnt)
59818 -+{
59819 -+ return 1;
59820 -+}
59821 -+
59822 -+__u32
59823 -+gr_acl_handle_creat(const struct dentry * dentry,
59824 -+ const struct dentry * p_dentry,
59825 -+ const struct vfsmount * p_mnt, const int fmode,
59826 -+ const int imode)
59827 -+{
59828 -+ return 1;
59829 -+}
59830 -+
59831 -+void
59832 -+gr_acl_handle_exit(void)
59833 -+{
59834 -+ return;
59835 -+}
59836 -+
59837 -+int
59838 -+gr_acl_handle_mprotect(const struct file *file, const unsigned long prot)
59839 -+{
59840 -+ return 1;
59841 -+}
59842 -+
59843 -+void
59844 -+gr_set_role_label(const uid_t uid, const gid_t gid)
59845 -+{
59846 -+ return;
59847 -+}
59848 -+
59849 -+int
59850 -+gr_acl_handle_procpidmem(const struct task_struct *task)
59851 -+{
59852 -+ return 0;
59853 -+}
59854 -+
59855 -+int
59856 -+gr_search_udp_recvmsg(const struct sock *sk, const struct sk_buff *skb)
59857 -+{
59858 -+ return 1;
59859 -+}
59860 -+
59861 -+int
59862 -+gr_search_udp_sendmsg(const struct sock *sk, const struct sockaddr_in *addr)
59863 -+{
59864 -+ return 1;
59865 -+}
59866 -+
59867 -+void
59868 -+gr_set_kernel_label(struct task_struct *task)
59869 -+{
59870 -+ return;
59871 -+}
59872 -+
59873 -+int
59874 -+gr_check_user_change(int real, int effective, int fs)
59875 -+{
59876 -+ return 0;
59877 -+}
59878 -+
59879 -+int
59880 -+gr_check_group_change(int real, int effective, int fs)
59881 -+{
59882 -+ return 0;
59883 -+}
59884 -+
59885 -+
59886 -+EXPORT_SYMBOL(gr_task_is_capable);
59887 -+EXPORT_SYMBOL(gr_is_capable_nolog);
59888 -+EXPORT_SYMBOL(gr_learn_resource);
59889 -+EXPORT_SYMBOL(gr_set_kernel_label);
59890 -+#ifdef CONFIG_SECURITY
59891 -+EXPORT_SYMBOL(gr_check_user_change);
59892 -+EXPORT_SYMBOL(gr_check_group_change);
59893 -+#endif
59894 -diff -Nurp linux-2.6.23.15/grsecurity/grsec_exec.c linux-2.6.23.15-grsec/grsecurity/grsec_exec.c
59895 ---- linux-2.6.23.15/grsecurity/grsec_exec.c 1970-01-01 01:00:00.000000000 +0100
59896 -+++ linux-2.6.23.15-grsec/grsecurity/grsec_exec.c 2008-02-11 10:37:44.000000000 +0000
59897 -@@ -0,0 +1,88 @@
59898 -+#include <linux/kernel.h>
59899 -+#include <linux/sched.h>
59900 -+#include <linux/file.h>
59901 -+#include <linux/binfmts.h>
59902 -+#include <linux/smp_lock.h>
59903 -+#include <linux/fs.h>
59904 -+#include <linux/types.h>
59905 -+#include <linux/grdefs.h>
59906 -+#include <linux/grinternal.h>
59907 -+#include <linux/capability.h>
59908 -+
59909 -+#include <asm/uaccess.h>
59910 -+
59911 -+#ifdef CONFIG_GRKERNSEC_EXECLOG
59912 -+static char gr_exec_arg_buf[132];
59913 -+static DECLARE_MUTEX(gr_exec_arg_sem);
59914 -+#endif
59915 -+
59916 -+int
59917 -+gr_handle_nproc(void)
59918 -+{
59919 -+#ifdef CONFIG_GRKERNSEC_EXECVE
59920 -+ if (grsec_enable_execve && current->user &&
59921 -+ (atomic_read(&current->user->processes) >
59922 -+ current->signal->rlim[RLIMIT_NPROC].rlim_cur) &&
59923 -+ !capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE)) {
59924 -+ gr_log_noargs(GR_DONT_AUDIT, GR_NPROC_MSG);
59925 -+ return -EAGAIN;
59926 -+ }
59927 -+#endif
59928 -+ return 0;
59929 -+}
59930 -+
59931 -+void
59932 -+gr_handle_exec_args(struct linux_binprm *bprm, const char __user *__user *argv)
59933 -+{
59934 -+#ifdef CONFIG_GRKERNSEC_EXECLOG
59935 -+ char *grarg = gr_exec_arg_buf;
59936 -+ unsigned int i, x, execlen = 0;
59937 -+ char c;
59938 -+
59939 -+ if (!((grsec_enable_execlog && grsec_enable_group &&
59940 -+ in_group_p(grsec_audit_gid))
59941 -+ || (grsec_enable_execlog && !grsec_enable_group)))
59942 -+ return;
59943 -+
59944 -+ down(&gr_exec_arg_sem);
59945 -+ memset(grarg, 0, sizeof(gr_exec_arg_buf));
59946 -+
59947 -+ if (unlikely(argv == NULL))
59948 -+ goto log;
59949 -+
59950 -+ for (i = 0; i < bprm->argc && execlen < 128; i++) {
59951 -+ const char __user *p;
59952 -+ unsigned int len;
59953 -+
59954 -+ if (copy_from_user(&p, argv + i, sizeof(p)))
59955 -+ goto log;
59956 -+ if (!p)
59957 -+ goto log;
59958 -+ len = strnlen_user(p, 128 - execlen);
59959 -+ if (len > 128 - execlen)
59960 -+ len = 128 - execlen;
59961 -+ else if (len > 0)
59962 -+ len--;
59963 -+ if (copy_from_user(grarg + execlen, p, len))
59964 -+ goto log;
59965 -+
59966 -+ /* rewrite unprintable characters */
59967 -+ for (x = 0; x < len; x++) {
59968 -+ c = *(grarg + execlen + x);
59969 -+ if (c < 32 || c > 126)
59970 -+ *(grarg + execlen + x) = ' ';
59971 -+ }
59972 -+
59973 -+ execlen += len;
59974 -+ *(grarg + execlen) = ' ';
59975 -+ *(grarg + execlen + 1) = '\0';
59976 -+ execlen++;
59977 -+ }
59978 -+
59979 -+ log:
59980 -+ gr_log_fs_str(GR_DO_AUDIT, GR_EXEC_AUDIT_MSG, bprm->file->f_dentry,
59981 -+ bprm->file->f_vfsmnt, grarg);
59982 -+ up(&gr_exec_arg_sem);
59983 -+#endif
59984 -+ return;
59985 -+}
59986 -diff -Nurp linux-2.6.23.15/grsecurity/grsec_fifo.c linux-2.6.23.15-grsec/grsecurity/grsec_fifo.c
59987 ---- linux-2.6.23.15/grsecurity/grsec_fifo.c 1970-01-01 01:00:00.000000000 +0100
59988 -+++ linux-2.6.23.15-grsec/grsecurity/grsec_fifo.c 2008-02-11 10:37:44.000000000 +0000
59989 -@@ -0,0 +1,22 @@
59990 -+#include <linux/kernel.h>
59991 -+#include <linux/sched.h>
59992 -+#include <linux/fs.h>
59993 -+#include <linux/file.h>
59994 -+#include <linux/grinternal.h>
59995 -+
59996 -+int
59997 -+gr_handle_fifo(const struct dentry *dentry, const struct vfsmount *mnt,
59998 -+ const struct dentry *dir, const int flag, const int acc_mode)
59999 -+{
60000 -+#ifdef CONFIG_GRKERNSEC_FIFO
60001 -+ if (grsec_enable_fifo && S_ISFIFO(dentry->d_inode->i_mode) &&
60002 -+ !(flag & O_EXCL) && (dir->d_inode->i_mode & S_ISVTX) &&
60003 -+ (dentry->d_inode->i_uid != dir->d_inode->i_uid) &&
60004 -+ (current->fsuid != dentry->d_inode->i_uid)) {
60005 -+ if (!generic_permission(dentry->d_inode, acc_mode, NULL))
60006 -+ gr_log_fs_int2(GR_DONT_AUDIT, GR_FIFO_MSG, dentry, mnt, dentry->d_inode->i_uid, dentry->d_inode->i_gid);
60007 -+ return -EACCES;
60008 -+ }
60009 -+#endif
60010 -+ return 0;
60011 -+}
60012 -diff -Nurp linux-2.6.23.15/grsecurity/grsec_fork.c linux-2.6.23.15-grsec/grsecurity/grsec_fork.c
60013 ---- linux-2.6.23.15/grsecurity/grsec_fork.c 1970-01-01 01:00:00.000000000 +0100
60014 -+++ linux-2.6.23.15-grsec/grsecurity/grsec_fork.c 2008-02-11 10:37:44.000000000 +0000
60015 -@@ -0,0 +1,15 @@
60016 -+#include <linux/kernel.h>
60017 -+#include <linux/sched.h>
60018 -+#include <linux/grsecurity.h>
60019 -+#include <linux/grinternal.h>
60020 -+#include <linux/errno.h>
60021 -+
60022 -+void
60023 -+gr_log_forkfail(const int retval)
60024 -+{
60025 -+#ifdef CONFIG_GRKERNSEC_FORKFAIL
60026 -+ if (grsec_enable_forkfail && retval != -ERESTARTNOINTR)
60027 -+ gr_log_int(GR_DONT_AUDIT, GR_FAILFORK_MSG, retval);
60028 -+#endif
60029 -+ return;
60030 -+}
60031 -diff -Nurp linux-2.6.23.15/grsecurity/grsec_init.c linux-2.6.23.15-grsec/grsecurity/grsec_init.c
60032 ---- linux-2.6.23.15/grsecurity/grsec_init.c 1970-01-01 01:00:00.000000000 +0100
60033 -+++ linux-2.6.23.15-grsec/grsecurity/grsec_init.c 2008-02-11 10:37:44.000000000 +0000
60034 -@@ -0,0 +1,230 @@
60035 -+#include <linux/kernel.h>
60036 -+#include <linux/sched.h>
60037 -+#include <linux/mm.h>
60038 -+#include <linux/smp_lock.h>
60039 -+#include <linux/gracl.h>
60040 -+#include <linux/slab.h>
60041 -+#include <linux/vmalloc.h>
60042 -+#include <linux/percpu.h>
60043 -+
60044 -+int grsec_enable_shm;
60045 -+int grsec_enable_link;
60046 -+int grsec_enable_dmesg;
60047 -+int grsec_enable_fifo;
60048 -+int grsec_enable_execve;
60049 -+int grsec_enable_execlog;
60050 -+int grsec_enable_signal;
60051 -+int grsec_enable_forkfail;
60052 -+int grsec_enable_time;
60053 -+int grsec_enable_audit_textrel;
60054 -+int grsec_enable_group;
60055 -+int grsec_audit_gid;
60056 -+int grsec_enable_chdir;
60057 -+int grsec_enable_audit_ipc;
60058 -+int grsec_enable_mount;
60059 -+int grsec_enable_chroot_findtask;
60060 -+int grsec_enable_chroot_mount;
60061 -+int grsec_enable_chroot_shmat;
60062 -+int grsec_enable_chroot_fchdir;
60063 -+int grsec_enable_chroot_double;
60064 -+int grsec_enable_chroot_pivot;
60065 -+int grsec_enable_chroot_chdir;
60066 -+int grsec_enable_chroot_chmod;
60067 -+int grsec_enable_chroot_mknod;
60068 -+int grsec_enable_chroot_nice;
60069 -+int grsec_enable_chroot_execlog;
60070 -+int grsec_enable_chroot_caps;
60071 -+int grsec_enable_chroot_sysctl;
60072 -+int grsec_enable_chroot_unix;
60073 -+int grsec_enable_tpe;
60074 -+int grsec_tpe_gid;
60075 -+int grsec_enable_tpe_all;
60076 -+int grsec_enable_socket_all;
60077 -+int grsec_socket_all_gid;
60078 -+int grsec_enable_socket_client;
60079 -+int grsec_socket_client_gid;
60080 -+int grsec_enable_socket_server;
60081 -+int grsec_socket_server_gid;
60082 -+int grsec_resource_logging;
60083 -+int grsec_lock;
60084 -+
60085 -+spinlock_t grsec_alert_lock = SPIN_LOCK_UNLOCKED;
60086 -+unsigned long grsec_alert_wtime = 0;
60087 -+unsigned long grsec_alert_fyet = 0;
60088 -+
60089 -+spinlock_t grsec_audit_lock = SPIN_LOCK_UNLOCKED;
60090 -+
60091 -+rwlock_t grsec_exec_file_lock = RW_LOCK_UNLOCKED;
60092 -+
60093 -+char *gr_shared_page[4];
60094 -+
60095 -+char *gr_alert_log_fmt;
60096 -+char *gr_audit_log_fmt;
60097 -+char *gr_alert_log_buf;
60098 -+char *gr_audit_log_buf;
60099 -+
60100 -+extern struct gr_arg *gr_usermode;
60101 -+extern unsigned char *gr_system_salt;
60102 -+extern unsigned char *gr_system_sum;
60103 -+
60104 -+void
60105 -+grsecurity_init(void)
60106 -+{
60107 -+ int j;
60108 -+ /* create the per-cpu shared pages */
60109 -+
60110 -+ for (j = 0; j < 4; j++) {
60111 -+ gr_shared_page[j] = (char *)__alloc_percpu(PAGE_SIZE);
60112 -+ if (gr_shared_page[j] == NULL) {
60113 -+ panic("Unable to allocate grsecurity shared page");
60114 -+ return;
60115 -+ }
60116 -+ }
60117 -+
60118 -+ /* allocate log buffers */
60119 -+ gr_alert_log_fmt = kmalloc(512, GFP_KERNEL);
60120 -+ if (!gr_alert_log_fmt) {
60121 -+ panic("Unable to allocate grsecurity alert log format buffer");
60122 -+ return;
60123 -+ }
60124 -+ gr_audit_log_fmt = kmalloc(512, GFP_KERNEL);
60125 -+ if (!gr_audit_log_fmt) {
60126 -+ panic("Unable to allocate grsecurity audit log format buffer");
60127 -+ return;
60128 -+ }
60129 -+ gr_alert_log_buf = (char *) get_zeroed_page(GFP_KERNEL);
60130 -+ if (!gr_alert_log_buf) {
60131 -+ panic("Unable to allocate grsecurity alert log buffer");
60132 -+ return;
60133 -+ }
60134 -+ gr_audit_log_buf = (char *) get_zeroed_page(GFP_KERNEL);
60135 -+ if (!gr_audit_log_buf) {
60136 -+ panic("Unable to allocate grsecurity audit log buffer");
60137 -+ return;
60138 -+ }
60139 -+
60140 -+ /* allocate memory for authentication structure */
60141 -+ gr_usermode = kmalloc(sizeof(struct gr_arg), GFP_KERNEL);
60142 -+ gr_system_salt = kmalloc(GR_SALT_LEN, GFP_KERNEL);
60143 -+ gr_system_sum = kmalloc(GR_SHA_LEN, GFP_KERNEL);
60144 -+
60145 -+ if (!gr_usermode || !gr_system_salt || !gr_system_sum) {
60146 -+ panic("Unable to allocate grsecurity authentication structure");
60147 -+ return;
60148 -+ }
60149 -+
60150 -+#if !defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_SYSCTL_ON)
60151 -+#ifndef CONFIG_GRKERNSEC_SYSCTL
60152 -+ grsec_lock = 1;
60153 -+#endif
60154 -+#ifdef CONFIG_GRKERNSEC_SHM
60155 -+ grsec_enable_shm = 1;
60156 -+#endif
60157 -+#ifdef CONFIG_GRKERNSEC_AUDIT_TEXTREL
60158 -+ grsec_enable_audit_textrel = 1;
60159 -+#endif
60160 -+#ifdef CONFIG_GRKERNSEC_AUDIT_GROUP
60161 -+ grsec_enable_group = 1;
60162 -+ grsec_audit_gid = CONFIG_GRKERNSEC_AUDIT_GID;
60163 -+#endif
60164 -+#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR
60165 -+ grsec_enable_chdir = 1;
60166 -+#endif
60167 -+#ifdef CONFIG_GRKERNSEC_AUDIT_IPC
60168 -+ grsec_enable_audit_ipc = 1;
60169 -+#endif
60170 -+#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
60171 -+ grsec_enable_mount = 1;
60172 -+#endif
60173 -+#ifdef CONFIG_GRKERNSEC_LINK
60174 -+ grsec_enable_link = 1;
60175 -+#endif
60176 -+#ifdef CONFIG_GRKERNSEC_DMESG
60177 -+ grsec_enable_dmesg = 1;
60178 -+#endif
60179 -+#ifdef CONFIG_GRKERNSEC_FIFO
60180 -+ grsec_enable_fifo = 1;
60181 -+#endif
60182 -+#ifdef CONFIG_GRKERNSEC_EXECVE
60183 -+ grsec_enable_execve = 1;
60184 -+#endif
60185 -+#ifdef CONFIG_GRKERNSEC_EXECLOG
60186 -+ grsec_enable_execlog = 1;
60187 -+#endif
60188 -+#ifdef CONFIG_GRKERNSEC_SIGNAL
60189 -+ grsec_enable_signal = 1;
60190 -+#endif
60191 -+#ifdef CONFIG_GRKERNSEC_FORKFAIL
60192 -+ grsec_enable_forkfail = 1;
60193 -+#endif
60194 -+#ifdef CONFIG_GRKERNSEC_TIME
60195 -+ grsec_enable_time = 1;
60196 -+#endif
60197 -+#ifdef CONFIG_GRKERNSEC_RESLOG
60198 -+ grsec_resource_logging = 1;
60199 -+#endif
60200 -+#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
60201 -+ grsec_enable_chroot_findtask = 1;
60202 -+#endif
60203 -+#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
60204 -+ grsec_enable_chroot_unix = 1;
60205 -+#endif
60206 -+#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
60207 -+ grsec_enable_chroot_mount = 1;
60208 -+#endif
60209 -+#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
60210 -+ grsec_enable_chroot_fchdir = 1;
60211 -+#endif
60212 -+#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT
60213 -+ grsec_enable_chroot_shmat = 1;
60214 -+#endif
60215 -+#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
60216 -+ grsec_enable_chroot_double = 1;
60217 -+#endif
60218 -+#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT
60219 -+ grsec_enable_chroot_pivot = 1;
60220 -+#endif
60221 -+#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
60222 -+ grsec_enable_chroot_chdir = 1;
60223 -+#endif
60224 -+#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
60225 -+ grsec_enable_chroot_chmod = 1;
60226 -+#endif
60227 -+#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
60228 -+ grsec_enable_chroot_mknod = 1;
60229 -+#endif
60230 -+#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
60231 -+ grsec_enable_chroot_nice = 1;
60232 -+#endif
60233 -+#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
60234 -+ grsec_enable_chroot_execlog = 1;
60235 -+#endif
60236 -+#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
60237 -+ grsec_enable_chroot_caps = 1;
60238 -+#endif
60239 -+#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
60240 -+ grsec_enable_chroot_sysctl = 1;
60241 -+#endif
60242 -+#ifdef CONFIG_GRKERNSEC_TPE
60243 -+ grsec_enable_tpe = 1;
60244 -+ grsec_tpe_gid = CONFIG_GRKERNSEC_TPE_GID;
60245 -+#ifdef CONFIG_GRKERNSEC_TPE_ALL
60246 -+ grsec_enable_tpe_all = 1;
60247 -+#endif
60248 -+#endif
60249 -+#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
60250 -+ grsec_enable_socket_all = 1;
60251 -+ grsec_socket_all_gid = CONFIG_GRKERNSEC_SOCKET_ALL_GID;
60252 -+#endif
60253 -+#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
60254 -+ grsec_enable_socket_client = 1;
60255 -+ grsec_socket_client_gid = CONFIG_GRKERNSEC_SOCKET_CLIENT_GID;
60256 -+#endif
60257 -+#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
60258 -+ grsec_enable_socket_server = 1;
60259 -+ grsec_socket_server_gid = CONFIG_GRKERNSEC_SOCKET_SERVER_GID;
60260 -+#endif
60261 -+#endif
60262 -+
60263 -+ return;
60264 -+}
60265 -diff -Nurp linux-2.6.23.15/grsecurity/grsec_ipc.c linux-2.6.23.15-grsec/grsecurity/grsec_ipc.c
60266 ---- linux-2.6.23.15/grsecurity/grsec_ipc.c 1970-01-01 01:00:00.000000000 +0100
60267 -+++ linux-2.6.23.15-grsec/grsecurity/grsec_ipc.c 2008-02-11 10:37:44.000000000 +0000
60268 -@@ -0,0 +1,81 @@
60269 -+#include <linux/kernel.h>
60270 -+#include <linux/sched.h>
60271 -+#include <linux/types.h>
60272 -+#include <linux/ipc.h>
60273 -+#include <linux/grsecurity.h>
60274 -+#include <linux/grinternal.h>
60275 -+
60276 -+void
60277 -+gr_log_msgget(const int ret, const int msgflg)
60278 -+{
60279 -+#ifdef CONFIG_GRKERNSEC_AUDIT_IPC
60280 -+ if (((grsec_enable_group && in_group_p(grsec_audit_gid) &&
60281 -+ grsec_enable_audit_ipc) || (grsec_enable_audit_ipc &&
60282 -+ !grsec_enable_group)) && (ret >= 0)
60283 -+ && (msgflg & IPC_CREAT))
60284 -+ gr_log_noargs(GR_DO_AUDIT, GR_MSGQ_AUDIT_MSG);
60285 -+#endif
60286 -+ return;
60287 -+}
60288 -+
60289 -+void
60290 -+gr_log_msgrm(const uid_t uid, const uid_t cuid)
60291 -+{
60292 -+#ifdef CONFIG_GRKERNSEC_AUDIT_IPC
60293 -+ if ((grsec_enable_group && in_group_p(grsec_audit_gid) &&
60294 -+ grsec_enable_audit_ipc) ||
60295 -+ (grsec_enable_audit_ipc && !grsec_enable_group))
60296 -+ gr_log_int_int(GR_DO_AUDIT, GR_MSGQR_AUDIT_MSG, uid, cuid);
60297 -+#endif
60298 -+ return;
60299 -+}
60300 -+
60301 -+void
60302 -+gr_log_semget(const int err, const int semflg)
60303 -+{
60304 -+#ifdef CONFIG_GRKERNSEC_AUDIT_IPC
60305 -+ if (((grsec_enable_group && in_group_p(grsec_audit_gid) &&
60306 -+ grsec_enable_audit_ipc) || (grsec_enable_audit_ipc &&
60307 -+ !grsec_enable_group)) && (err >= 0)
60308 -+ && (semflg & IPC_CREAT))
60309 -+ gr_log_noargs(GR_DO_AUDIT, GR_SEM_AUDIT_MSG);
60310 -+#endif
60311 -+ return;
60312 -+}
60313 -+
60314 -+void
60315 -+gr_log_semrm(const uid_t uid, const uid_t cuid)
60316 -+{
60317 -+#ifdef CONFIG_GRKERNSEC_AUDIT_IPC
60318 -+ if ((grsec_enable_group && in_group_p(grsec_audit_gid) &&
60319 -+ grsec_enable_audit_ipc) ||
60320 -+ (grsec_enable_audit_ipc && !grsec_enable_group))
60321 -+ gr_log_int_int(GR_DO_AUDIT, GR_SEMR_AUDIT_MSG, uid, cuid);
60322 -+#endif
60323 -+ return;
60324 -+}
60325 -+
60326 -+void
60327 -+gr_log_shmget(const int err, const int shmflg, const size_t size)
60328 -+{
60329 -+#ifdef CONFIG_GRKERNSEC_AUDIT_IPC
60330 -+ if (((grsec_enable_group && in_group_p(grsec_audit_gid) &&
60331 -+ grsec_enable_audit_ipc) || (grsec_enable_audit_ipc &&
60332 -+ !grsec_enable_group)) && (err >= 0)
60333 -+ && (shmflg & IPC_CREAT))
60334 -+ gr_log_int(GR_DO_AUDIT, GR_SHM_AUDIT_MSG, size);
60335 -+#endif
60336 -+ return;
60337 -+}
60338 -+
60339 -+void
60340 -+gr_log_shmrm(const uid_t uid, const uid_t cuid)
60341 -+{
60342 -+#ifdef CONFIG_GRKERNSEC_AUDIT_IPC
60343 -+ if ((grsec_enable_group && in_group_p(grsec_audit_gid) &&
60344 -+ grsec_enable_audit_ipc) ||
60345 -+ (grsec_enable_audit_ipc && !grsec_enable_group))
60346 -+ gr_log_int_int(GR_DO_AUDIT, GR_SHMR_AUDIT_MSG, uid, cuid);
60347 -+#endif
60348 -+ return;
60349 -+}
60350 -diff -Nurp linux-2.6.23.15/grsecurity/grsec_link.c linux-2.6.23.15-grsec/grsecurity/grsec_link.c
60351 ---- linux-2.6.23.15/grsecurity/grsec_link.c 1970-01-01 01:00:00.000000000 +0100
60352 -+++ linux-2.6.23.15-grsec/grsecurity/grsec_link.c 2008-02-11 10:37:44.000000000 +0000
60353 -@@ -0,0 +1,39 @@
60354 -+#include <linux/kernel.h>
60355 -+#include <linux/sched.h>
60356 -+#include <linux/fs.h>
60357 -+#include <linux/file.h>
60358 -+#include <linux/grinternal.h>
60359 -+
60360 -+int
60361 -+gr_handle_follow_link(const struct inode *parent,
60362 -+ const struct inode *inode,
60363 -+ const struct dentry *dentry, const struct vfsmount *mnt)
60364 -+{
60365 -+#ifdef CONFIG_GRKERNSEC_LINK
60366 -+ if (grsec_enable_link && S_ISLNK(inode->i_mode) &&
60367 -+ (parent->i_mode & S_ISVTX) && (parent->i_uid != inode->i_uid) &&
60368 -+ (parent->i_mode & S_IWOTH) && (current->fsuid != inode->i_uid)) {
60369 -+ gr_log_fs_int2(GR_DONT_AUDIT, GR_SYMLINK_MSG, dentry, mnt, inode->i_uid, inode->i_gid);
60370 -+ return -EACCES;
60371 -+ }
60372 -+#endif
60373 -+ return 0;
60374 -+}
60375 -+
60376 -+int
60377 -+gr_handle_hardlink(const struct dentry *dentry,
60378 -+ const struct vfsmount *mnt,
60379 -+ struct inode *inode, const int mode, const char *to)
60380 -+{
60381 -+#ifdef CONFIG_GRKERNSEC_LINK
60382 -+ if (grsec_enable_link && current->fsuid != inode->i_uid &&
60383 -+ (!S_ISREG(mode) || (mode & S_ISUID) ||
60384 -+ ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) ||
60385 -+ (generic_permission(inode, MAY_READ | MAY_WRITE, NULL))) &&
60386 -+ !capable(CAP_FOWNER) && current->uid) {
60387 -+ gr_log_fs_int2_str(GR_DONT_AUDIT, GR_HARDLINK_MSG, dentry, mnt, inode->i_uid, inode->i_gid, to);
60388 -+ return -EPERM;
60389 -+ }
60390 -+#endif
60391 -+ return 0;
60392 -+}
60393 -diff -Nurp linux-2.6.23.15/grsecurity/grsec_log.c linux-2.6.23.15-grsec/grsecurity/grsec_log.c
60394 ---- linux-2.6.23.15/grsecurity/grsec_log.c 1970-01-01 01:00:00.000000000 +0100
60395 -+++ linux-2.6.23.15-grsec/grsecurity/grsec_log.c 2008-02-11 10:37:44.000000000 +0000
60396 -@@ -0,0 +1,269 @@
60397 -+#include <linux/kernel.h>
60398 -+#include <linux/sched.h>
60399 -+#include <linux/file.h>
60400 -+#include <linux/tty.h>
60401 -+#include <linux/fs.h>
60402 -+#include <linux/grinternal.h>
60403 -+
60404 -+#define BEGIN_LOCKS(x) \
60405 -+ read_lock(&tasklist_lock); \
60406 -+ read_lock(&grsec_exec_file_lock); \
60407 -+ if (x != GR_DO_AUDIT) \
60408 -+ spin_lock(&grsec_alert_lock); \
60409 -+ else \
60410 -+ spin_lock(&grsec_audit_lock)
60411 -+
60412 -+#define END_LOCKS(x) \
60413 -+ if (x != GR_DO_AUDIT) \
60414 -+ spin_unlock(&grsec_alert_lock); \
60415 -+ else \
60416 -+ spin_unlock(&grsec_audit_lock); \
60417 -+ read_unlock(&grsec_exec_file_lock); \
60418 -+ read_unlock(&tasklist_lock); \
60419 -+ if (x == GR_DONT_AUDIT) \
60420 -+ gr_handle_alertkill(current)
60421 -+
60422 -+enum {
60423 -+ FLOODING,
60424 -+ NO_FLOODING
60425 -+};
60426 -+
60427 -+extern char *gr_alert_log_fmt;
60428 -+extern char *gr_audit_log_fmt;
60429 -+extern char *gr_alert_log_buf;
60430 -+extern char *gr_audit_log_buf;
60431 -+
60432 -+static int gr_log_start(int audit)
60433 -+{
60434 -+ char *loglevel = (audit == GR_DO_AUDIT) ? KERN_INFO : KERN_ALERT;
60435 -+ char *fmt = (audit == GR_DO_AUDIT) ? gr_audit_log_fmt : gr_alert_log_fmt;
60436 -+ char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
60437 -+
60438 -+ if (audit == GR_DO_AUDIT)
60439 -+ goto set_fmt;
60440 -+
60441 -+ if (!grsec_alert_wtime || jiffies - grsec_alert_wtime > CONFIG_GRKERNSEC_FLOODTIME * HZ) {
60442 -+ grsec_alert_wtime = jiffies;
60443 -+ grsec_alert_fyet = 0;
60444 -+ } else if ((jiffies - grsec_alert_wtime < CONFIG_GRKERNSEC_FLOODTIME * HZ) && (grsec_alert_fyet < CONFIG_GRKERNSEC_FLOODBURST)) {
60445 -+ grsec_alert_fyet++;
60446 -+ } else if (grsec_alert_fyet == CONFIG_GRKERNSEC_FLOODBURST) {
60447 -+ grsec_alert_wtime = jiffies;
60448 -+ grsec_alert_fyet++;
60449 -+ printk(KERN_ALERT "grsec: more alerts, logging disabled for %d seconds\n", CONFIG_GRKERNSEC_FLOODTIME);
60450 -+ return FLOODING;
60451 -+ } else return FLOODING;
60452 -+
60453 -+set_fmt:
60454 -+ memset(buf, 0, PAGE_SIZE);
60455 -+ if (current->signal->curr_ip && gr_acl_is_enabled()) {
60456 -+ sprintf(fmt, "%s%s", loglevel, "grsec: From %u.%u.%u.%u: (%.64s:%c:%.950s) ");
60457 -+ snprintf(buf, PAGE_SIZE - 1, fmt, NIPQUAD(current->signal->curr_ip), current->role->rolename, gr_roletype_to_char(), current->acl->filename);
60458 -+ } else if (current->signal->curr_ip) {
60459 -+ sprintf(fmt, "%s%s", loglevel, "grsec: From %u.%u.%u.%u: ");
60460 -+ snprintf(buf, PAGE_SIZE - 1, fmt, NIPQUAD(current->signal->curr_ip));
60461 -+ } else if (gr_acl_is_enabled()) {
60462 -+ sprintf(fmt, "%s%s", loglevel, "grsec: (%.64s:%c:%.950s) ");
60463 -+ snprintf(buf, PAGE_SIZE - 1, fmt, current->role->rolename, gr_roletype_to_char(), current->acl->filename);
60464 -+ } else {
60465 -+ sprintf(fmt, "%s%s", loglevel, "grsec: ");
60466 -+ strcpy(buf, fmt);
60467 -+ }
60468 -+
60469 -+ return NO_FLOODING;
60470 -+}
60471 -+
60472 -+static void gr_log_middle(int audit, const char *msg, va_list ap)
60473 -+{
60474 -+ char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
60475 -+ unsigned int len = strlen(buf);
60476 -+
60477 -+ vsnprintf(buf + len, PAGE_SIZE - len - 1, msg, ap);
60478 -+
60479 -+ return;
60480 -+}
60481 -+
60482 -+static void gr_log_middle_varargs(int audit, const char *msg, ...)
60483 -+{
60484 -+ char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
60485 -+ unsigned int len = strlen(buf);
60486 -+ va_list ap;
60487 -+
60488 -+ va_start(ap, msg);
60489 -+ vsnprintf(buf + len, PAGE_SIZE - len - 1, msg, ap);
60490 -+ va_end(ap);
60491 -+
60492 -+ return;
60493 -+}
60494 -+
60495 -+static void gr_log_end(int audit)
60496 -+{
60497 -+ char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
60498 -+ unsigned int len = strlen(buf);
60499 -+
60500 -+ snprintf(buf + len, PAGE_SIZE - len - 1, DEFAULTSECMSG, DEFAULTSECARGS(current));
60501 -+ printk("%s\n", buf);
60502 -+
60503 -+ return;
60504 -+}
60505 -+
60506 -+void gr_log_varargs(int audit, const char *msg, int argtypes, ...)
60507 -+{
60508 -+ int logtype;
60509 -+ char *result = (audit == GR_DO_AUDIT) ? "successful" : "denied";
60510 -+ char *str1, *str2, *str3;
60511 -+ int num1, num2;
60512 -+ unsigned long ulong1, ulong2;
60513 -+ struct dentry *dentry;
60514 -+ struct vfsmount *mnt;
60515 -+ struct file *file;
60516 -+ struct task_struct *task;
60517 -+ va_list ap;
60518 -+
60519 -+ BEGIN_LOCKS(audit);
60520 -+ logtype = gr_log_start(audit);
60521 -+ if (logtype == FLOODING) {
60522 -+ END_LOCKS(audit);
60523 -+ return;
60524 -+ }
60525 -+ va_start(ap, argtypes);
60526 -+ switch (argtypes) {
60527 -+ case GR_TTYSNIFF:
60528 -+ task = va_arg(ap, struct task_struct *);
60529 -+ gr_log_middle_varargs(audit, msg, NIPQUAD(task->signal->curr_ip), gr_task_fullpath0(task), task->comm, task->pid, gr_parent_task_fullpath0(task), task->parent->comm, task->parent->pid);
60530 -+ break;
60531 -+ case GR_SYSCTL_HIDDEN:
60532 -+ str1 = va_arg(ap, char *);
60533 -+ gr_log_middle_varargs(audit, msg, result, str1);
60534 -+ break;
60535 -+ case GR_RBAC:
60536 -+ dentry = va_arg(ap, struct dentry *);
60537 -+ mnt = va_arg(ap, struct vfsmount *);
60538 -+ gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt));
60539 -+ break;
60540 -+ case GR_RBAC_STR:
60541 -+ dentry = va_arg(ap, struct dentry *);
60542 -+ mnt = va_arg(ap, struct vfsmount *);
60543 -+ str1 = va_arg(ap, char *);
60544 -+ gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt), str1);
60545 -+ break;
60546 -+ case GR_STR_RBAC:
60547 -+ str1 = va_arg(ap, char *);
60548 -+ dentry = va_arg(ap, struct dentry *);
60549 -+ mnt = va_arg(ap, struct vfsmount *);
60550 -+ gr_log_middle_varargs(audit, msg, result, str1, gr_to_filename(dentry, mnt));
60551 -+ break;
60552 -+ case GR_RBAC_MODE2:
60553 -+ dentry = va_arg(ap, struct dentry *);
60554 -+ mnt = va_arg(ap, struct vfsmount *);
60555 -+ str1 = va_arg(ap, char *);
60556 -+ str2 = va_arg(ap, char *);
60557 -+ gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt), str1, str2);
60558 -+ break;
60559 -+ case GR_RBAC_MODE3:
60560 -+ dentry = va_arg(ap, struct dentry *);
60561 -+ mnt = va_arg(ap, struct vfsmount *);
60562 -+ str1 = va_arg(ap, char *);
60563 -+ str2 = va_arg(ap, char *);
60564 -+ str3 = va_arg(ap, char *);
60565 -+ gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt), str1, str2, str3);
60566 -+ break;
60567 -+ case GR_FILENAME:
60568 -+ dentry = va_arg(ap, struct dentry *);
60569 -+ mnt = va_arg(ap, struct vfsmount *);
60570 -+ gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt));
60571 -+ break;
60572 -+ case GR_STR_FILENAME:
60573 -+ str1 = va_arg(ap, char *);
60574 -+ dentry = va_arg(ap, struct dentry *);
60575 -+ mnt = va_arg(ap, struct vfsmount *);
60576 -+ gr_log_middle_varargs(audit, msg, str1, gr_to_filename(dentry, mnt));
60577 -+ break;
60578 -+ case GR_FILENAME_STR:
60579 -+ dentry = va_arg(ap, struct dentry *);
60580 -+ mnt = va_arg(ap, struct vfsmount *);
60581 -+ str1 = va_arg(ap, char *);
60582 -+ gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt), str1);
60583 -+ break;
60584 -+ case GR_FILENAME_TWO_INT:
60585 -+ dentry = va_arg(ap, struct dentry *);
60586 -+ mnt = va_arg(ap, struct vfsmount *);
60587 -+ num1 = va_arg(ap, int);
60588 -+ num2 = va_arg(ap, int);
60589 -+ gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt), num1, num2);
60590 -+ break;
60591 -+ case GR_FILENAME_TWO_INT_STR:
60592 -+ dentry = va_arg(ap, struct dentry *);
60593 -+ mnt = va_arg(ap, struct vfsmount *);
60594 -+ num1 = va_arg(ap, int);
60595 -+ num2 = va_arg(ap, int);
60596 -+ str1 = va_arg(ap, char *);
60597 -+ gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt), num1, num2, str1);
60598 -+ break;
60599 -+ case GR_TEXTREL:
60600 -+ file = va_arg(ap, struct file *);
60601 -+ ulong1 = va_arg(ap, unsigned long);
60602 -+ ulong2 = va_arg(ap, unsigned long);
60603 -+ gr_log_middle_varargs(audit, msg, file ? gr_to_filename(file->f_dentry, file->f_vfsmnt) : "<anonymous mapping>", ulong1, ulong2);
60604 -+ break;
60605 -+ case GR_PTRACE:
60606 -+ task = va_arg(ap, struct task_struct *);
60607 -+ gr_log_middle_varargs(audit, msg, task->exec_file ? gr_to_filename(task->exec_file->f_dentry, task->exec_file->f_vfsmnt) : "(none)", task->comm, task->pid);
60608 -+ break;
60609 -+ case GR_RESOURCE:
60610 -+ task = va_arg(ap, struct task_struct *);
60611 -+ ulong1 = va_arg(ap, unsigned long);
60612 -+ str1 = va_arg(ap, char *);
60613 -+ ulong2 = va_arg(ap, unsigned long);
60614 -+ gr_log_middle_varargs(audit, msg, ulong1, str1, ulong2, gr_task_fullpath(task), task->comm, task->pid, task->uid, task->euid, task->gid, task->egid, gr_parent_task_fullpath(task), task->parent->comm, task->parent->pid, task->parent->uid, task->parent->euid, task->parent->gid, task->parent->egid);
60615 -+ break;
60616 -+ case GR_CAP:
60617 -+ task = va_arg(ap, struct task_struct *);
60618 -+ str1 = va_arg(ap, char *);
60619 -+ gr_log_middle_varargs(audit, msg, str1, gr_task_fullpath(task), task->comm, task->pid, task->uid, task->euid, task->gid, task->egid, gr_parent_task_fullpath(task), task->parent->comm, task->parent->pid, task->parent->uid, task->parent->euid, task->parent->gid, task->parent->egid);
60620 -+ break;
60621 -+ case GR_SIG:
60622 -+ task = va_arg(ap, struct task_struct *);
60623 -+ num1 = va_arg(ap, int);
60624 -+ gr_log_middle_varargs(audit, msg, num1, gr_task_fullpath0(task), task->comm, task->pid, task->uid, task->euid, task->gid, task->egid, gr_parent_task_fullpath0(task), task->parent->comm, task->parent->pid, task->parent->uid, task->parent->euid, task->parent->gid, task->parent->egid);
60625 -+ break;
60626 -+ case GR_CRASH1:
60627 -+ task = va_arg(ap, struct task_struct *);
60628 -+ ulong1 = va_arg(ap, unsigned long);
60629 -+ gr_log_middle_varargs(audit, msg, gr_task_fullpath(task), task->comm, task->pid, task->uid, task->euid, task->gid, task->egid, gr_parent_task_fullpath(task), task->parent->comm, task->parent->pid, task->parent->uid, task->parent->euid, task->parent->gid, task->parent->egid, task->uid, ulong1);
60630 -+ break;
60631 -+ case GR_CRASH2:
60632 -+ task = va_arg(ap, struct task_struct *);
60633 -+ ulong1 = va_arg(ap, unsigned long);
60634 -+ gr_log_middle_varargs(audit, msg, gr_task_fullpath(task), task->comm, task->pid, task->uid, task->euid, task->gid, task->egid, gr_parent_task_fullpath(task), task->parent->comm, task->parent->pid, task->parent->uid, task->parent->euid, task->parent->gid, task->parent->egid, ulong1);
60635 -+ break;
60636 -+ case GR_PSACCT:
60637 -+ {
60638 -+ unsigned int wday, cday;
60639 -+ __u8 whr, chr;
60640 -+ __u8 wmin, cmin;
60641 -+ __u8 wsec, csec;
60642 -+ char cur_tty[64] = { 0 };
60643 -+ char parent_tty[64] = { 0 };
60644 -+
60645 -+ task = va_arg(ap, struct task_struct *);
60646 -+ wday = va_arg(ap, unsigned int);
60647 -+ cday = va_arg(ap, unsigned int);
60648 -+ whr = va_arg(ap, int);
60649 -+ chr = va_arg(ap, int);
60650 -+ wmin = va_arg(ap, int);
60651 -+ cmin = va_arg(ap, int);
60652 -+ wsec = va_arg(ap, int);
60653 -+ csec = va_arg(ap, int);
60654 -+ ulong1 = va_arg(ap, unsigned long);
60655 -+
60656 -+ gr_log_middle_varargs(audit, msg, gr_task_fullpath(task), task->comm, task->pid, NIPQUAD(task->signal->curr_ip), tty_name(task->signal->tty, cur_tty), task->uid, task->euid, task->gid, task->egid, wday, whr, wmin, wsec, cday, chr, cmin, csec, (task->flags & PF_SIGNALED) ? "killed by signal" : "exited", ulong1, gr_parent_task_fullpath(task), task->parent->comm, task->parent->pid, NIPQUAD(task->parent->signal->curr_ip), tty_name(task->parent->signal->tty, parent_tty), task->parent->uid, task->parent->euid, task->parent->gid, task->parent->egid);
60657 -+ }
60658 -+ break;
60659 -+ default:
60660 -+ gr_log_middle(audit, msg, ap);
60661 -+ }
60662 -+ va_end(ap);
60663 -+ gr_log_end(audit);
60664 -+ END_LOCKS(audit);
60665 -+}
60666 -diff -Nurp linux-2.6.23.15/grsecurity/grsec_mem.c linux-2.6.23.15-grsec/grsecurity/grsec_mem.c
60667 ---- linux-2.6.23.15/grsecurity/grsec_mem.c 1970-01-01 01:00:00.000000000 +0100
60668 -+++ linux-2.6.23.15-grsec/grsecurity/grsec_mem.c 2008-02-11 10:37:44.000000000 +0000
60669 -@@ -0,0 +1,71 @@
60670 -+#include <linux/kernel.h>
60671 -+#include <linux/sched.h>
60672 -+#include <linux/mm.h>
60673 -+#include <linux/mman.h>
60674 -+#include <linux/grinternal.h>
60675 -+
60676 -+void
60677 -+gr_handle_ioperm(void)
60678 -+{
60679 -+ gr_log_noargs(GR_DONT_AUDIT, GR_IOPERM_MSG);
60680 -+ return;
60681 -+}
60682 -+
60683 -+void
60684 -+gr_handle_iopl(void)
60685 -+{
60686 -+ gr_log_noargs(GR_DONT_AUDIT, GR_IOPL_MSG);
60687 -+ return;
60688 -+}
60689 -+
60690 -+void
60691 -+gr_handle_mem_write(void)
60692 -+{
60693 -+ gr_log_noargs(GR_DONT_AUDIT, GR_MEM_WRITE_MSG);
60694 -+ return;
60695 -+}
60696 -+
60697 -+void
60698 -+gr_handle_kmem_write(void)
60699 -+{
60700 -+ gr_log_noargs(GR_DONT_AUDIT, GR_KMEM_MSG);
60701 -+ return;
60702 -+}
60703 -+
60704 -+void
60705 -+gr_handle_open_port(void)
60706 -+{
60707 -+ gr_log_noargs(GR_DONT_AUDIT, GR_PORT_OPEN_MSG);
60708 -+ return;
60709 -+}
60710 -+
60711 -+int
60712 -+gr_handle_mem_mmap(const unsigned long offset, struct vm_area_struct *vma)
60713 -+{
60714 -+ unsigned long start, end;
60715 -+
60716 -+ start = offset;
60717 -+ end = start + vma->vm_end - vma->vm_start;
60718 -+
60719 -+ if (start > end) {
60720 -+ gr_log_noargs(GR_DONT_AUDIT, GR_MEM_MMAP_MSG);
60721 -+ return -EPERM;
60722 -+ }
60723 -+
60724 -+ /* allowed ranges : ISA I/O BIOS */
60725 -+ if ((start >= __pa(high_memory))
60726 -+#ifdef CONFIG_X86
60727 -+ || (start >= 0x000a0000 && end <= 0x00100000)
60728 -+ || (start >= 0x00000000 && end <= 0x00001000)
60729 -+#endif
60730 -+ )
60731 -+ return 0;
60732 -+
60733 -+ if (vma->vm_flags & VM_WRITE) {
60734 -+ gr_log_noargs(GR_DONT_AUDIT, GR_MEM_MMAP_MSG);
60735 -+ return -EPERM;
60736 -+ } else
60737 -+ vma->vm_flags &= ~VM_MAYWRITE;
60738 -+
60739 -+ return 0;
60740 -+}
60741 -diff -Nurp linux-2.6.23.15/grsecurity/grsec_mount.c linux-2.6.23.15-grsec/grsecurity/grsec_mount.c
60742 ---- linux-2.6.23.15/grsecurity/grsec_mount.c 1970-01-01 01:00:00.000000000 +0100
60743 -+++ linux-2.6.23.15-grsec/grsecurity/grsec_mount.c 2008-02-11 10:37:44.000000000 +0000
60744 -@@ -0,0 +1,34 @@
60745 -+#include <linux/kernel.h>
60746 -+#include <linux/sched.h>
60747 -+#include <linux/grsecurity.h>
60748 -+#include <linux/grinternal.h>
60749 -+
60750 -+void
60751 -+gr_log_remount(const char *devname, const int retval)
60752 -+{
60753 -+#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
60754 -+ if (grsec_enable_mount && (retval >= 0))
60755 -+ gr_log_str(GR_DO_AUDIT, GR_REMOUNT_AUDIT_MSG, devname ? devname : "none");
60756 -+#endif
60757 -+ return;
60758 -+}
60759 -+
60760 -+void
60761 -+gr_log_unmount(const char *devname, const int retval)
60762 -+{
60763 -+#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
60764 -+ if (grsec_enable_mount && (retval >= 0))
60765 -+ gr_log_str(GR_DO_AUDIT, GR_UNMOUNT_AUDIT_MSG, devname ? devname : "none");
60766 -+#endif
60767 -+ return;
60768 -+}
60769 -+
60770 -+void
60771 -+gr_log_mount(const char *from, const char *to, const int retval)
60772 -+{
60773 -+#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
60774 -+ if (grsec_enable_mount && (retval >= 0))
60775 -+ gr_log_str_str(GR_DO_AUDIT, GR_MOUNT_AUDIT_MSG, from, to);
60776 -+#endif
60777 -+ return;
60778 -+}
60779 -diff -Nurp linux-2.6.23.15/grsecurity/grsec_sig.c linux-2.6.23.15-grsec/grsecurity/grsec_sig.c
60780 ---- linux-2.6.23.15/grsecurity/grsec_sig.c 1970-01-01 01:00:00.000000000 +0100
60781 -+++ linux-2.6.23.15-grsec/grsecurity/grsec_sig.c 2008-02-11 10:37:44.000000000 +0000
60782 -@@ -0,0 +1,59 @@
60783 -+#include <linux/kernel.h>
60784 -+#include <linux/sched.h>
60785 -+#include <linux/grsecurity.h>
60786 -+#include <linux/grinternal.h>
60787 -+
60788 -+void
60789 -+gr_log_signal(const int sig, const struct task_struct *t)
60790 -+{
60791 -+#ifdef CONFIG_GRKERNSEC_SIGNAL
60792 -+ if (grsec_enable_signal && ((sig == SIGSEGV) || (sig == SIGILL) ||
60793 -+ (sig == SIGABRT) || (sig == SIGBUS))) {
60794 -+ if (t->pid == current->pid) {
60795 -+ gr_log_int(GR_DONT_AUDIT_GOOD, GR_UNISIGLOG_MSG, sig);
60796 -+ } else {
60797 -+ gr_log_sig(GR_DONT_AUDIT_GOOD, GR_DUALSIGLOG_MSG, t, sig);
60798 -+ }
60799 -+ }
60800 -+#endif
60801 -+ return;
60802 -+}
60803 -+
60804 -+int
60805 -+gr_handle_signal(const struct task_struct *p, const int sig)
60806 -+{
60807 -+#ifdef CONFIG_GRKERNSEC
60808 -+ if (current->pid > 1 && gr_check_protected_task(p)) {
60809 -+ gr_log_sig(GR_DONT_AUDIT, GR_SIG_ACL_MSG, p, sig);
60810 -+ return -EPERM;
60811 -+ } else if (gr_pid_is_chrooted((struct task_struct *)p)) {
60812 -+ return -EPERM;
60813 -+ }
60814 -+#endif
60815 -+ return 0;
60816 -+}
60817 -+
60818 -+void gr_handle_brute_attach(struct task_struct *p)
60819 -+{
60820 -+#ifdef CONFIG_GRKERNSEC_BRUTE
60821 -+ read_lock(&tasklist_lock);
60822 -+ read_lock(&grsec_exec_file_lock);
60823 -+ if (p->parent && p->parent->exec_file == p->exec_file)
60824 -+ p->parent->brute = 1;
60825 -+ read_unlock(&grsec_exec_file_lock);
60826 -+ read_unlock(&tasklist_lock);
60827 -+#endif
60828 -+ return;
60829 -+}
60830 -+
60831 -+void gr_handle_brute_check(void)
60832 -+{
60833 -+#ifdef CONFIG_GRKERNSEC_BRUTE
60834 -+ if (current->brute) {
60835 -+ set_current_state(TASK_UNINTERRUPTIBLE);
60836 -+ schedule_timeout(30 * HZ);
60837 -+ }
60838 -+#endif
60839 -+ return;
60840 -+}
60841 -+
60842 -diff -Nurp linux-2.6.23.15/grsecurity/grsec_sock.c linux-2.6.23.15-grsec/grsecurity/grsec_sock.c
60843 ---- linux-2.6.23.15/grsecurity/grsec_sock.c 1970-01-01 01:00:00.000000000 +0100
60844 -+++ linux-2.6.23.15-grsec/grsecurity/grsec_sock.c 2008-02-11 10:37:44.000000000 +0000
60845 -@@ -0,0 +1,263 @@
60846 -+#include <linux/kernel.h>
60847 -+#include <linux/module.h>
60848 -+#include <linux/sched.h>
60849 -+#include <linux/file.h>
60850 -+#include <linux/net.h>
60851 -+#include <linux/in.h>
60852 -+#include <linux/ip.h>
60853 -+#include <net/sock.h>
60854 -+#include <net/inet_sock.h>
60855 -+#include <linux/grsecurity.h>
60856 -+#include <linux/grinternal.h>
60857 -+#include <linux/gracl.h>
60858 -+
60859 -+#if defined(CONFIG_IP_NF_MATCH_STEALTH_MODULE)
60860 -+extern struct sock *udp_v4_lookup(u32 saddr, u16 sport, u32 daddr, u16 dport, int dif);
60861 -+EXPORT_SYMBOL(udp_v4_lookup);
60862 -+#endif
60863 -+
60864 -+EXPORT_SYMBOL(gr_cap_rtnetlink);
60865 -+
60866 -+extern int gr_search_udp_recvmsg(const struct sock *sk, const struct sk_buff *skb);
60867 -+extern int gr_search_udp_sendmsg(const struct sock *sk, const struct sockaddr_in *addr);
60868 -+
60869 -+EXPORT_SYMBOL(gr_search_udp_recvmsg);
60870 -+EXPORT_SYMBOL(gr_search_udp_sendmsg);
60871 -+
60872 -+#ifdef CONFIG_UNIX_MODULE
60873 -+EXPORT_SYMBOL(gr_acl_handle_unix);
60874 -+EXPORT_SYMBOL(gr_acl_handle_mknod);
60875 -+EXPORT_SYMBOL(gr_handle_chroot_unix);
60876 -+EXPORT_SYMBOL(gr_handle_create);
60877 -+#endif
60878 -+
60879 -+#ifdef CONFIG_GRKERNSEC
60880 -+#define gr_conn_table_size 32749
60881 -+struct conn_table_entry {
60882 -+ struct conn_table_entry *next;
60883 -+ struct signal_struct *sig;
60884 -+};
60885 -+
60886 -+struct conn_table_entry *gr_conn_table[gr_conn_table_size];
60887 -+spinlock_t gr_conn_table_lock = SPIN_LOCK_UNLOCKED;
60888 -+
60889 -+extern const char * gr_socktype_to_name(unsigned char type);
60890 -+extern const char * gr_proto_to_name(unsigned char proto);
60891 -+
60892 -+static __inline__ int
60893 -+conn_hash(__u32 saddr, __u32 daddr, __u16 sport, __u16 dport, unsigned int size)
60894 -+{
60895 -+ return ((daddr + saddr + (sport << 8) + (dport << 16)) % size);
60896 -+}
60897 -+
60898 -+static __inline__ int
60899 -+conn_match(const struct signal_struct *sig, __u32 saddr, __u32 daddr,
60900 -+ __u16 sport, __u16 dport)
60901 -+{
60902 -+ if (unlikely(sig->gr_saddr == saddr && sig->gr_daddr == daddr &&
60903 -+ sig->gr_sport == sport && sig->gr_dport == dport))
60904 -+ return 1;
60905 -+ else
60906 -+ return 0;
60907 -+}
60908 -+
60909 -+static void gr_add_to_task_ip_table_nolock(struct signal_struct *sig, struct conn_table_entry *newent)
60910 -+{
60911 -+ struct conn_table_entry **match;
60912 -+ unsigned int index;
60913 -+
60914 -+ index = conn_hash(sig->gr_saddr, sig->gr_daddr,
60915 -+ sig->gr_sport, sig->gr_dport,
60916 -+ gr_conn_table_size);
60917 -+
60918 -+ newent->sig = sig;
60919 -+
60920 -+ match = &gr_conn_table[index];
60921 -+ newent->next = *match;
60922 -+ *match = newent;
60923 -+
60924 -+ return;
60925 -+}
60926 -+
60927 -+static void gr_del_task_from_ip_table_nolock(struct signal_struct *sig)
60928 -+{
60929 -+ struct conn_table_entry *match, *last = NULL;
60930 -+ unsigned int index;
60931 -+
60932 -+ index = conn_hash(sig->gr_saddr, sig->gr_daddr,
60933 -+ sig->gr_sport, sig->gr_dport,
60934 -+ gr_conn_table_size);
60935 -+
60936 -+ match = gr_conn_table[index];
60937 -+ while (match && !conn_match(match->sig,
60938 -+ sig->gr_saddr, sig->gr_daddr, sig->gr_sport,
60939 -+ sig->gr_dport)) {
60940 -+ last = match;
60941 -+ match = match->next;
60942 -+ }
60943 -+
60944 -+ if (match) {
60945 -+ if (last)
60946 -+ last->next = match->next;
60947 -+ else
60948 -+ gr_conn_table[index] = NULL;
60949 -+ kfree(match);
60950 -+ }
60951 -+
60952 -+ return;
60953 -+}
60954 -+
60955 -+static struct signal_struct * gr_lookup_task_ip_table(__u32 saddr, __u32 daddr,
60956 -+ __u16 sport, __u16 dport)
60957 -+{
60958 -+ struct conn_table_entry *match;
60959 -+ unsigned int index;
60960 -+
60961 -+ index = conn_hash(saddr, daddr, sport, dport, gr_conn_table_size);
60962 -+
60963 -+ match = gr_conn_table[index];
60964 -+ while (match && !conn_match(match->sig, saddr, daddr, sport, dport))
60965 -+ match = match->next;
60966 -+
60967 -+ if (match)
60968 -+ return match->sig;
60969 -+ else
60970 -+ return NULL;
60971 -+}
60972 -+
60973 -+#endif
60974 -+
60975 -+void gr_update_task_in_ip_table(struct task_struct *task, const struct inet_sock *inet)
60976 -+{
60977 -+#ifdef CONFIG_GRKERNSEC
60978 -+ struct signal_struct *sig = task->signal;
60979 -+ struct conn_table_entry *newent;
60980 -+
60981 -+ newent = kmalloc(sizeof(struct conn_table_entry), GFP_ATOMIC);
60982 -+ if (newent == NULL)
60983 -+ return;
60984 -+ /* no bh lock needed since we are called with bh disabled */
60985 -+ spin_lock(&gr_conn_table_lock);
60986 -+ gr_del_task_from_ip_table_nolock(sig);
60987 -+ sig->gr_saddr = inet->rcv_saddr;
60988 -+ sig->gr_daddr = inet->daddr;
60989 -+ sig->gr_sport = inet->sport;
60990 -+ sig->gr_dport = inet->dport;
60991 -+ gr_add_to_task_ip_table_nolock(sig, newent);
60992 -+ spin_unlock(&gr_conn_table_lock);
60993 -+#endif
60994 -+ return;
60995 -+}
60996 -+
60997 -+void gr_del_task_from_ip_table(struct task_struct *task)
60998 -+{
60999 -+#ifdef CONFIG_GRKERNSEC
61000 -+ spin_lock(&gr_conn_table_lock);
61001 -+ gr_del_task_from_ip_table_nolock(task->signal);
61002 -+ spin_unlock(&gr_conn_table_lock);
61003 -+#endif
61004 -+ return;
61005 -+}
61006 -+
61007 -+void
61008 -+gr_attach_curr_ip(const struct sock *sk)
61009 -+{
61010 -+#ifdef CONFIG_GRKERNSEC
61011 -+ struct signal_struct *p, *set;
61012 -+ const struct inet_sock *inet = inet_sk(sk);
61013 -+
61014 -+ if (unlikely(sk->sk_protocol != IPPROTO_TCP))
61015 -+ return;
61016 -+
61017 -+ set = current->signal;
61018 -+
61019 -+ spin_lock_bh(&gr_conn_table_lock);
61020 -+ p = gr_lookup_task_ip_table(inet->daddr, inet->rcv_saddr,
61021 -+ inet->dport, inet->sport);
61022 -+ if (unlikely(p != NULL)) {
61023 -+ set->curr_ip = p->curr_ip;
61024 -+ set->used_accept = 1;
61025 -+ gr_del_task_from_ip_table_nolock(p);
61026 -+ spin_unlock_bh(&gr_conn_table_lock);
61027 -+ return;
61028 -+ }
61029 -+ spin_unlock_bh(&gr_conn_table_lock);
61030 -+
61031 -+ set->curr_ip = inet->daddr;
61032 -+ set->used_accept = 1;
61033 -+#endif
61034 -+ return;
61035 -+}
61036 -+
61037 -+int
61038 -+gr_handle_sock_all(const int family, const int type, const int protocol)
61039 -+{
61040 -+#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
61041 -+ if (grsec_enable_socket_all && in_group_p(grsec_socket_all_gid) &&
61042 -+ (family != AF_UNIX) && (family != AF_LOCAL)) {
61043 -+ gr_log_int_str2(GR_DONT_AUDIT, GR_SOCK2_MSG, family, gr_socktype_to_name(type), gr_proto_to_name(protocol));
61044 -+ return -EACCES;
61045 -+ }
61046 -+#endif
61047 -+ return 0;
61048 -+}
61049 -+
61050 -+int
61051 -+gr_handle_sock_server(const struct sockaddr *sck)
61052 -+{
61053 -+#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
61054 -+ if (grsec_enable_socket_server &&
61055 -+ in_group_p(grsec_socket_server_gid) &&
61056 -+ sck && (sck->sa_family != AF_UNIX) &&
61057 -+ (sck->sa_family != AF_LOCAL)) {
61058 -+ gr_log_noargs(GR_DONT_AUDIT, GR_BIND_MSG);
61059 -+ return -EACCES;
61060 -+ }
61061 -+#endif
61062 -+ return 0;
61063 -+}
61064 -+
61065 -+int
61066 -+gr_handle_sock_server_other(const struct sock *sck)
61067 -+{
61068 -+#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
61069 -+ if (grsec_enable_socket_server &&
61070 -+ in_group_p(grsec_socket_server_gid) &&
61071 -+ sck && (sck->sk_family != AF_UNIX) &&
61072 -+ (sck->sk_family != AF_LOCAL)) {
61073 -+ gr_log_noargs(GR_DONT_AUDIT, GR_BIND_MSG);
61074 -+ return -EACCES;
61075 -+ }
61076 -+#endif
61077 -+ return 0;
61078 -+}
61079 -+
61080 -+int
61081 -+gr_handle_sock_client(const struct sockaddr *sck)
61082 -+{
61083 -+#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
61084 -+ if (grsec_enable_socket_client && in_group_p(grsec_socket_client_gid) &&
61085 -+ sck && (sck->sa_family != AF_UNIX) &&
61086 -+ (sck->sa_family != AF_LOCAL)) {
61087 -+ gr_log_noargs(GR_DONT_AUDIT, GR_CONNECT_MSG);
61088 -+ return -EACCES;
61089 -+ }
61090 -+#endif
61091 -+ return 0;
61092 -+}
61093 -+
61094 -+__u32
61095 -+gr_cap_rtnetlink(void)
61096 -+{
61097 -+#ifdef CONFIG_GRKERNSEC
61098 -+ if (!gr_acl_is_enabled())
61099 -+ return current->cap_effective;
61100 -+ else if (cap_raised(current->cap_effective, CAP_NET_ADMIN) &&
61101 -+ gr_task_is_capable(current, CAP_NET_ADMIN))
61102 -+ return current->cap_effective;
61103 -+ else
61104 -+ return 0;
61105 -+#else
61106 -+ return current->cap_effective;
61107 -+#endif
61108 -+}
61109 -diff -Nurp linux-2.6.23.15/grsecurity/grsec_sysctl.c linux-2.6.23.15-grsec/grsecurity/grsec_sysctl.c
61110 ---- linux-2.6.23.15/grsecurity/grsec_sysctl.c 1970-01-01 01:00:00.000000000 +0100
61111 -+++ linux-2.6.23.15-grsec/grsecurity/grsec_sysctl.c 2008-02-11 10:37:44.000000000 +0000
61112 -@@ -0,0 +1,456 @@
61113 -+#include <linux/kernel.h>
61114 -+#include <linux/sched.h>
61115 -+#include <linux/sysctl.h>
61116 -+#include <linux/grsecurity.h>
61117 -+#include <linux/grinternal.h>
61118 -+
61119 -+#ifdef CONFIG_GRKERNSEC_MODSTOP
61120 -+int grsec_modstop;
61121 -+#endif
61122 -+
61123 -+int
61124 -+gr_handle_sysctl_mod(const char *dirname, const char *name, const int op)
61125 -+{
61126 -+#ifdef CONFIG_GRKERNSEC_SYSCTL
61127 -+ if (!strcmp(dirname, "grsecurity") && grsec_lock && (op & 002)) {
61128 -+ gr_log_str(GR_DONT_AUDIT, GR_SYSCTL_MSG, name);
61129 -+ return -EACCES;
61130 -+ }
61131 -+#endif
61132 -+#ifdef CONFIG_GRKERNSEC_MODSTOP
61133 -+ if (!strcmp(dirname, "grsecurity") && !strcmp(name, "disable_modules") &&
61134 -+ grsec_modstop && (op & 002)) {
61135 -+ gr_log_str(GR_DONT_AUDIT, GR_SYSCTL_MSG, name);
61136 -+ return -EACCES;
61137 -+ }
61138 -+#endif
61139 -+ return 0;
61140 -+}
61141 -+
61142 -+#if defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_MODSTOP)
61143 -+enum {GS_LINK=1, GS_FIFO, GS_EXECVE, GS_EXECLOG, GS_SIGNAL,
61144 -+GS_FORKFAIL, GS_TIME, GS_CHROOT_SHMAT, GS_CHROOT_UNIX, GS_CHROOT_MNT,
61145 -+GS_CHROOT_FCHDIR, GS_CHROOT_DBL, GS_CHROOT_PVT, GS_CHROOT_CD, GS_CHROOT_CM,
61146 -+GS_CHROOT_MK, GS_CHROOT_NI, GS_CHROOT_EXECLOG, GS_CHROOT_CAPS,
61147 -+GS_CHROOT_SYSCTL, GS_TPE, GS_TPE_GID, GS_TPE_ALL, GS_SIDCAPS,
61148 -+GS_SOCKET_ALL, GS_SOCKET_ALL_GID, GS_SOCKET_CLIENT,
61149 -+GS_SOCKET_CLIENT_GID, GS_SOCKET_SERVER, GS_SOCKET_SERVER_GID,
61150 -+GS_GROUP, GS_GID, GS_ACHDIR, GS_AMOUNT, GS_AIPC, GS_DMSG,
61151 -+GS_TEXTREL, GS_FINDTASK, GS_SHM, GS_LOCK, GS_MODSTOP, GS_RESLOG};
61152 -+
61153 -+
61154 -+ctl_table grsecurity_table[] = {
61155 -+#ifdef CONFIG_GRKERNSEC_SYSCTL
61156 -+#ifdef CONFIG_GRKERNSEC_LINK
61157 -+ {
61158 -+ .ctl_name = GS_LINK,
61159 -+ .procname = "linking_restrictions",
61160 -+ .data = &grsec_enable_link,
61161 -+ .maxlen = sizeof(int),
61162 -+ .mode = 0600,
61163 -+ .proc_handler = &proc_dointvec,
61164 -+ },
61165 -+#endif
61166 -+#ifdef CONFIG_GRKERNSEC_FIFO
61167 -+ {
61168 -+ .ctl_name = GS_FIFO,
61169 -+ .procname = "fifo_restrictions",
61170 -+ .data = &grsec_enable_fifo,
61171 -+ .maxlen = sizeof(int),
61172 -+ .mode = 0600,
61173 -+ .proc_handler = &proc_dointvec,
61174 -+ },
61175 -+#endif
61176 -+#ifdef CONFIG_GRKERNSEC_EXECVE
61177 -+ {
61178 -+ .ctl_name = GS_EXECVE,
61179 -+ .procname = "execve_limiting",
61180 -+ .data = &grsec_enable_execve,
61181 -+ .maxlen = sizeof(int),
61182 -+ .mode = 0600,
61183 -+ .proc_handler = &proc_dointvec,
61184 -+ },
61185 -+#endif
61186 -+#ifdef CONFIG_GRKERNSEC_EXECLOG
61187 -+ {
61188 -+ .ctl_name = GS_EXECLOG,
61189 -+ .procname = "exec_logging",
61190 -+ .data = &grsec_enable_execlog,
61191 -+ .maxlen = sizeof(int),
61192 -+ .mode = 0600,
61193 -+ .proc_handler = &proc_dointvec,
61194 -+ },
61195 -+#endif
61196 -+#ifdef CONFIG_GRKERNSEC_SIGNAL
61197 -+ {
61198 -+ .ctl_name = GS_SIGNAL,
61199 -+ .procname = "signal_logging",
61200 -+ .data = &grsec_enable_signal,
61201 -+ .maxlen = sizeof(int),
61202 -+ .mode = 0600,
61203 -+ .proc_handler = &proc_dointvec,
61204 -+ },
61205 -+#endif
61206 -+#ifdef CONFIG_GRKERNSEC_FORKFAIL
61207 -+ {
61208 -+ .ctl_name = GS_FORKFAIL,
61209 -+ .procname = "forkfail_logging",
61210 -+ .data = &grsec_enable_forkfail,
61211 -+ .maxlen = sizeof(int),
61212 -+ .mode = 0600,
61213 -+ .proc_handler = &proc_dointvec,
61214 -+ },
61215 -+#endif
61216 -+#ifdef CONFIG_GRKERNSEC_TIME
61217 -+ {
61218 -+ .ctl_name = GS_TIME,
61219 -+ .procname = "timechange_logging",
61220 -+ .data = &grsec_enable_time,
61221 -+ .maxlen = sizeof(int),
61222 -+ .mode = 0600,
61223 -+ .proc_handler = &proc_dointvec,
61224 -+ },
61225 -+#endif
61226 -+#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT
61227 -+ {
61228 -+ .ctl_name = GS_CHROOT_SHMAT,
61229 -+ .procname = "chroot_deny_shmat",
61230 -+ .data = &grsec_enable_chroot_shmat,
61231 -+ .maxlen = sizeof(int),
61232 -+ .mode = 0600,
61233 -+ .proc_handler = &proc_dointvec,
61234 -+ },
61235 -+#endif
61236 -+#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
61237 -+ {
61238 -+ .ctl_name = GS_CHROOT_UNIX,
61239 -+ .procname = "chroot_deny_unix",
61240 -+ .data = &grsec_enable_chroot_unix,
61241 -+ .maxlen = sizeof(int),
61242 -+ .mode = 0600,
61243 -+ .proc_handler = &proc_dointvec,
61244 -+ },
61245 -+#endif
61246 -+#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
61247 -+ {
61248 -+ .ctl_name = GS_CHROOT_MNT,
61249 -+ .procname = "chroot_deny_mount",
61250 -+ .data = &grsec_enable_chroot_mount,
61251 -+ .maxlen = sizeof(int),
61252 -+ .mode = 0600,
61253 -+ .proc_handler = &proc_dointvec,
61254 -+ },
61255 -+#endif
61256 -+#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
61257 -+ {
61258 -+ .ctl_name = GS_CHROOT_FCHDIR,
61259 -+ .procname = "chroot_deny_fchdir",
61260 -+ .data = &grsec_enable_chroot_fchdir,
61261 -+ .maxlen = sizeof(int),
61262 -+ .mode = 0600,
61263 -+ .proc_handler = &proc_dointvec,
61264 -+ },
61265 -+#endif
61266 -+#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
61267 -+ {
61268 -+ .ctl_name = GS_CHROOT_DBL,
61269 -+ .procname = "chroot_deny_chroot",
61270 -+ .data = &grsec_enable_chroot_double,
61271 -+ .maxlen = sizeof(int),
61272 -+ .mode = 0600,
61273 -+ .proc_handler = &proc_dointvec,
61274 -+ },
61275 -+#endif
61276 -+#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT
61277 -+ {
61278 -+ .ctl_name = GS_CHROOT_PVT,
61279 -+ .procname = "chroot_deny_pivot",
61280 -+ .data = &grsec_enable_chroot_pivot,
61281 -+ .maxlen = sizeof(int),
61282 -+ .mode = 0600,
61283 -+ .proc_handler = &proc_dointvec,
61284 -+ },
61285 -+#endif
61286 -+#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
61287 -+ {
61288 -+ .ctl_name = GS_CHROOT_CD,
61289 -+ .procname = "chroot_enforce_chdir",
61290 -+ .data = &grsec_enable_chroot_chdir,
61291 -+ .maxlen = sizeof(int),
61292 -+ .mode = 0600,
61293 -+ .proc_handler = &proc_dointvec,
61294 -+ },
61295 -+#endif
61296 -+#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
61297 -+ {
61298 -+ .ctl_name = GS_CHROOT_CM,
61299 -+ .procname = "chroot_deny_chmod",
61300 -+ .data = &grsec_enable_chroot_chmod,
61301 -+ .maxlen = sizeof(int),
61302 -+ .mode = 0600,
61303 -+ .proc_handler = &proc_dointvec,
61304 -+ },
61305 -+#endif
61306 -+#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
61307 -+ {
61308 -+ .ctl_name = GS_CHROOT_MK,
61309 -+ .procname = "chroot_deny_mknod",
61310 -+ .data = &grsec_enable_chroot_mknod,
61311 -+ .maxlen = sizeof(int),
61312 -+ .mode = 0600,
61313 -+ .proc_handler = &proc_dointvec,
61314 -+ },
61315 -+#endif
61316 -+#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
61317 -+ {
61318 -+ .ctl_name = GS_CHROOT_NI,
61319 -+ .procname = "chroot_restrict_nice",
61320 -+ .data = &grsec_enable_chroot_nice,
61321 -+ .maxlen = sizeof(int),
61322 -+ .mode = 0600,
61323 -+ .proc_handler = &proc_dointvec,
61324 -+ },
61325 -+#endif
61326 -+#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
61327 -+ {
61328 -+ .ctl_name = GS_CHROOT_EXECLOG,
61329 -+ .procname = "chroot_execlog",
61330 -+ .data = &grsec_enable_chroot_execlog,
61331 -+ .maxlen = sizeof(int),
61332 -+ .mode = 0600,
61333 -+ .proc_handler = &proc_dointvec,
61334 -+ },
61335 -+#endif
61336 -+#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
61337 -+ {
61338 -+ .ctl_name = GS_CHROOT_CAPS,
61339 -+ .procname = "chroot_caps",
61340 -+ .data = &grsec_enable_chroot_caps,
61341 -+ .maxlen = sizeof(int),
61342 -+ .mode = 0600,
61343 -+ .proc_handler = &proc_dointvec,
61344 -+ },
61345 -+#endif
61346 -+#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
61347 -+ {
61348 -+ .ctl_name = GS_CHROOT_SYSCTL,
61349 -+ .procname = "chroot_deny_sysctl",
61350 -+ .data = &grsec_enable_chroot_sysctl,
61351 -+ .maxlen = sizeof(int),
61352 -+ .mode = 0600,
61353 -+ .proc_handler = &proc_dointvec,
61354 -+ },
61355 -+#endif
61356 -+#ifdef CONFIG_GRKERNSEC_TPE
61357 -+ {
61358 -+ .ctl_name = GS_TPE,
61359 -+ .procname = "tpe",
61360 -+ .data = &grsec_enable_tpe,
61361 -+ .maxlen = sizeof(int),
61362 -+ .mode = 0600,
61363 -+ .proc_handler = &proc_dointvec,
61364 -+ },
61365 -+ {
61366 -+ .ctl_name = GS_TPE_GID,
61367 -+ .procname = "tpe_gid",
61368 -+ .data = &grsec_tpe_gid,
61369 -+ .maxlen = sizeof(int),
61370 -+ .mode = 0600,
61371 -+ .proc_handler = &proc_dointvec,
61372 -+ },
61373 -+#endif
61374 -+#ifdef CONFIG_GRKERNSEC_TPE_ALL
61375 -+ {
61376 -+ .ctl_name = GS_TPE_ALL,
61377 -+ .procname = "tpe_restrict_all",
61378 -+ .data = &grsec_enable_tpe_all,
61379 -+ .maxlen = sizeof(int),
61380 -+ .mode = 0600,
61381 -+ .proc_handler = &proc_dointvec,
61382 -+ },
61383 -+#endif
61384 -+#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
61385 -+ {
61386 -+ .ctl_name = GS_SOCKET_ALL,
61387 -+ .procname = "socket_all",
61388 -+ .data = &grsec_enable_socket_all,
61389 -+ .maxlen = sizeof(int),
61390 -+ .mode = 0600,
61391 -+ .proc_handler = &proc_dointvec,
61392 -+ },
61393 -+ {
61394 -+ .ctl_name = GS_SOCKET_ALL_GID,
61395 -+ .procname = "socket_all_gid",
61396 -+ .data = &grsec_socket_all_gid,
61397 -+ .maxlen = sizeof(int),
61398 -+ .mode = 0600,
61399 -+ .proc_handler = &proc_dointvec,
61400 -+ },
61401 -+#endif
61402 -+#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
61403 -+ {
61404 -+ .ctl_name = GS_SOCKET_CLIENT,
61405 -+ .procname = "socket_client",
61406 -+ .data = &grsec_enable_socket_client,
61407 -+ .maxlen = sizeof(int),
61408 -+ .mode = 0600,
61409 -+ .proc_handler = &proc_dointvec,
61410 -+ },
61411 -+ {
61412 -+ .ctl_name = GS_SOCKET_CLIENT_GID,
61413 -+ .procname = "socket_client_gid",
61414 -+ .data = &grsec_socket_client_gid,
61415 -+ .maxlen = sizeof(int),
61416 -+ .mode = 0600,
61417 -+ .proc_handler = &proc_dointvec,
61418 -+ },
61419 -+#endif
61420 -+#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
61421 -+ {
61422 -+ .ctl_name = GS_SOCKET_SERVER,
61423 -+ .procname = "socket_server",
61424 -+ .data = &grsec_enable_socket_server,
61425 -+ .maxlen = sizeof(int),
61426 -+ .mode = 0600,
61427 -+ .proc_handler = &proc_dointvec,
61428 -+ },
61429 -+ {
61430 -+ .ctl_name = GS_SOCKET_SERVER_GID,
61431 -+ .procname = "socket_server_gid",
61432 -+ .data = &grsec_socket_server_gid,
61433 -+ .maxlen = sizeof(int),
61434 -+ .mode = 0600,
61435 -+ .proc_handler = &proc_dointvec,
61436 -+ },
61437 -+#endif
61438 -+#ifdef CONFIG_GRKERNSEC_AUDIT_GROUP
61439 -+ {
61440 -+ .ctl_name = GS_GROUP,
61441 -+ .procname = "audit_group",
61442 -+ .data = &grsec_enable_group,
61443 -+ .maxlen = sizeof(int),
61444 -+ .mode = 0600,
61445 -+ .proc_handler = &proc_dointvec,
61446 -+ },
61447 -+ {
61448 -+ .ctl_name = GS_GID,
61449 -+ .procname = "audit_gid",
61450 -+ .data = &grsec_audit_gid,
61451 -+ .maxlen = sizeof(int),
61452 -+ .mode = 0600,
61453 -+ .proc_handler = &proc_dointvec,
61454 -+ },
61455 -+#endif
61456 -+#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR
61457 -+ {
61458 -+ .ctl_name = GS_ACHDIR,
61459 -+ .procname = "audit_chdir",
61460 -+ .data = &grsec_enable_chdir,
61461 -+ .maxlen = sizeof(int),
61462 -+ .mode = 0600,
61463 -+ .proc_handler = &proc_dointvec,
61464 -+ },
61465 -+#endif
61466 -+#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
61467 -+ {
61468 -+ .ctl_name = GS_AMOUNT,
61469 -+ .procname = "audit_mount",
61470 -+ .data = &grsec_enable_mount,
61471 -+ .maxlen = sizeof(int),
61472 -+ .mode = 0600,
61473 -+ .proc_handler = &proc_dointvec,
61474 -+ },
61475 -+#endif
61476 -+#ifdef CONFIG_GRKERNSEC_AUDIT_IPC
61477 -+ {
61478 -+ .ctl_name = GS_AIPC,
61479 -+ .procname = "audit_ipc",
61480 -+ .data = &grsec_enable_audit_ipc,
61481 -+ .maxlen = sizeof(int),
61482 -+ .mode = 0600,
61483 -+ .proc_handler = &proc_dointvec,
61484 -+ },
61485 -+#endif
61486 -+#ifdef CONFIG_GRKERNSEC_AUDIT_TEXTREL
61487 -+ {
61488 -+ .ctl_name = GS_TEXTREL,
61489 -+ .procname = "audit_textrel",
61490 -+ .data = &grsec_enable_audit_textrel,
61491 -+ .maxlen = sizeof(int),
61492 -+ .mode = 0600,
61493 -+ .proc_handler = &proc_dointvec,
61494 -+ },
61495 -+#endif
61496 -+#ifdef CONFIG_GRKERNSEC_DMESG
61497 -+ {
61498 -+ .ctl_name = GS_DMSG,
61499 -+ .procname = "dmesg",
61500 -+ .data = &grsec_enable_dmesg,
61501 -+ .maxlen = sizeof(int),
61502 -+ .mode = 0600,
61503 -+ .proc_handler = &proc_dointvec,
61504 -+ },
61505 -+#endif
61506 -+#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
61507 -+ {
61508 -+ .ctl_name = GS_FINDTASK,
61509 -+ .procname = "chroot_findtask",
61510 -+ .data = &grsec_enable_chroot_findtask,
61511 -+ .maxlen = sizeof(int),
61512 -+ .mode = 0600,
61513 -+ .proc_handler = &proc_dointvec,
61514 -+ },
61515 -+#endif
61516 -+#ifdef CONFIG_GRKERNSEC_SHM
61517 -+ {
61518 -+ .ctl_name = GS_SHM,
61519 -+ .procname = "destroy_unused_shm",
61520 -+ .data = &grsec_enable_shm,
61521 -+ .maxlen = sizeof(int),
61522 -+ .mode = 0600,
61523 -+ .proc_handler = &proc_dointvec,
61524 -+ },
61525 -+#endif
61526 -+#ifdef CONFIG_GRKERNSEC_RESLOG
61527 -+ {
61528 -+ .ctl_name = GS_RESLOG,
61529 -+ .procname = "resource_logging",
61530 -+ .data = &grsec_resource_logging,
61531 -+ .maxlen = sizeof(int),
61532 -+ .mode = 0600,
61533 -+ .proc_handler = &proc_dointvec,
61534 -+ },
61535 -+#endif
61536 -+ {
61537 -+ .ctl_name = GS_LOCK,
61538 -+ .procname = "grsec_lock",
61539 -+ .data = &grsec_lock,
61540 -+ .maxlen = sizeof(int),
61541 -+ .mode = 0600,
61542 -+ .proc_handler = &proc_dointvec,
61543 -+ },
61544 -+#endif
61545 -+#ifdef CONFIG_GRKERNSEC_MODSTOP
61546 -+ {
61547 -+ .ctl_name = GS_MODSTOP,
61548 -+ .procname = "disable_modules",
61549 -+ .data = &grsec_modstop,
61550 -+ .maxlen = sizeof(int),
61551 -+ .mode = 0600,
61552 -+ .proc_handler = &proc_dointvec,
61553 -+ },
61554 -+#endif
61555 -+ { .ctl_name = 0 }
61556 -+};
61557 -+#endif
61558 -+
61559 -+int gr_check_modstop(void)
61560 -+{
61561 -+#ifdef CONFIG_GRKERNSEC_MODSTOP
61562 -+ if (grsec_modstop == 1) {
61563 -+ gr_log_noargs(GR_DONT_AUDIT, GR_STOPMOD_MSG);
61564 -+ return 1;
61565 -+ }
61566 -+#endif
61567 -+ return 0;
61568 -+}
61569 -diff -Nurp linux-2.6.23.15/grsecurity/grsec_textrel.c linux-2.6.23.15-grsec/grsecurity/grsec_textrel.c
61570 ---- linux-2.6.23.15/grsecurity/grsec_textrel.c 1970-01-01 01:00:00.000000000 +0100
61571 -+++ linux-2.6.23.15-grsec/grsecurity/grsec_textrel.c 2008-02-11 10:37:44.000000000 +0000
61572 -@@ -0,0 +1,16 @@
61573 -+#include <linux/kernel.h>
61574 -+#include <linux/sched.h>
61575 -+#include <linux/mm.h>
61576 -+#include <linux/file.h>
61577 -+#include <linux/grinternal.h>
61578 -+#include <linux/grsecurity.h>
61579 -+
61580 -+void
61581 -+gr_log_textrel(struct vm_area_struct * vma)
61582 -+{
61583 -+#ifdef CONFIG_GRKERNSEC_AUDIT_TEXTREL
61584 -+ if (grsec_enable_audit_textrel)
61585 -+ gr_log_textrel_ulong_ulong(GR_DO_AUDIT, GR_TEXTREL_AUDIT_MSG, vma->vm_file, vma->vm_start, vma->vm_pgoff);
61586 -+#endif
61587 -+ return;
61588 -+}
61589 -diff -Nurp linux-2.6.23.15/grsecurity/grsec_time.c linux-2.6.23.15-grsec/grsecurity/grsec_time.c
61590 ---- linux-2.6.23.15/grsecurity/grsec_time.c 1970-01-01 01:00:00.000000000 +0100
61591 -+++ linux-2.6.23.15-grsec/grsecurity/grsec_time.c 2008-02-11 10:37:44.000000000 +0000
61592 -@@ -0,0 +1,13 @@
61593 -+#include <linux/kernel.h>
61594 -+#include <linux/sched.h>
61595 -+#include <linux/grinternal.h>
61596 -+
61597 -+void
61598 -+gr_log_timechange(void)
61599 -+{
61600 -+#ifdef CONFIG_GRKERNSEC_TIME
61601 -+ if (grsec_enable_time)
61602 -+ gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_TIME_MSG);
61603 -+#endif
61604 -+ return;
61605 -+}
61606 -diff -Nurp linux-2.6.23.15/grsecurity/grsec_tpe.c linux-2.6.23.15-grsec/grsecurity/grsec_tpe.c
61607 ---- linux-2.6.23.15/grsecurity/grsec_tpe.c 1970-01-01 01:00:00.000000000 +0100
61608 -+++ linux-2.6.23.15-grsec/grsecurity/grsec_tpe.c 2008-02-11 10:37:44.000000000 +0000
61609 -@@ -0,0 +1,37 @@
61610 -+#include <linux/kernel.h>
61611 -+#include <linux/sched.h>
61612 -+#include <linux/file.h>
61613 -+#include <linux/fs.h>
61614 -+#include <linux/grinternal.h>
61615 -+
61616 -+extern int gr_acl_tpe_check(void);
61617 -+
61618 -+int
61619 -+gr_tpe_allow(const struct file *file)
61620 -+{
61621 -+#ifdef CONFIG_GRKERNSEC
61622 -+ struct inode *inode = file->f_dentry->d_parent->d_inode;
61623 -+
61624 -+ if (current->uid && ((grsec_enable_tpe &&
61625 -+#ifdef CONFIG_GRKERNSEC_TPE_INVERT
61626 -+ !in_group_p(grsec_tpe_gid)
61627 -+#else
61628 -+ in_group_p(grsec_tpe_gid)
61629 -+#endif
61630 -+ ) || gr_acl_tpe_check()) &&
61631 -+ (inode->i_uid || (!inode->i_uid && ((inode->i_mode & S_IWGRP) ||
61632 -+ (inode->i_mode & S_IWOTH))))) {
61633 -+ gr_log_fs_generic(GR_DONT_AUDIT, GR_EXEC_TPE_MSG, file->f_dentry, file->f_vfsmnt);
61634 -+ return 0;
61635 -+ }
61636 -+#ifdef CONFIG_GRKERNSEC_TPE_ALL
61637 -+ if (current->uid && grsec_enable_tpe && grsec_enable_tpe_all &&
61638 -+ ((inode->i_uid && (inode->i_uid != current->uid)) ||
61639 -+ (inode->i_mode & S_IWGRP) || (inode->i_mode & S_IWOTH))) {
61640 -+ gr_log_fs_generic(GR_DONT_AUDIT, GR_EXEC_TPE_MSG, file->f_dentry, file->f_vfsmnt);
61641 -+ return 0;
61642 -+ }
61643 -+#endif
61644 -+#endif
61645 -+ return 1;
61646 -+}
61647 -diff -Nurp linux-2.6.23.15/grsecurity/grsum.c linux-2.6.23.15-grsec/grsecurity/grsum.c
61648 ---- linux-2.6.23.15/grsecurity/grsum.c 1970-01-01 01:00:00.000000000 +0100
61649 -+++ linux-2.6.23.15-grsec/grsecurity/grsum.c 2008-02-11 10:37:44.000000000 +0000
61650 -@@ -0,0 +1,59 @@
61651 -+#include <linux/err.h>
61652 -+#include <linux/kernel.h>
61653 -+#include <linux/sched.h>
61654 -+#include <linux/mm.h>
61655 -+#include <linux/scatterlist.h>
61656 -+#include <linux/crypto.h>
61657 -+#include <linux/gracl.h>
61658 -+
61659 -+
61660 -+#if !defined(CONFIG_CRYPTO) || defined(CONFIG_CRYPTO_MODULE) || !defined(CONFIG_CRYPTO_SHA256) || defined(CONFIG_CRYPTO_SHA256_MODULE)
61661 -+#error "crypto and sha256 must be built into the kernel"
61662 -+#endif
61663 -+
61664 -+int
61665 -+chkpw(struct gr_arg *entry, unsigned char *salt, unsigned char *sum)
61666 -+{
61667 -+ char *p;
61668 -+ struct crypto_hash *tfm;
61669 -+ struct hash_desc desc;
61670 -+ struct scatterlist sg;
61671 -+ unsigned char temp_sum[GR_SHA_LEN];
61672 -+ volatile int retval = 0;
61673 -+ volatile int dummy = 0;
61674 -+ unsigned int i;
61675 -+
61676 -+ tfm = crypto_alloc_hash("sha256", 0, CRYPTO_ALG_ASYNC);
61677 -+ if (IS_ERR(tfm)) {
61678 -+ /* should never happen, since sha256 should be built in */
61679 -+ return 1;
61680 -+ }
61681 -+
61682 -+ desc.tfm = tfm;
61683 -+ desc.flags = 0;
61684 -+
61685 -+ crypto_hash_init(&desc);
61686 -+
61687 -+ p = salt;
61688 -+ sg_set_buf(&sg, p, GR_SALT_LEN);
61689 -+ crypto_hash_update(&desc, &sg, sg.length);
61690 -+
61691 -+ p = entry->pw;
61692 -+ sg_set_buf(&sg, p, strlen(p));
61693 -+
61694 -+ crypto_hash_update(&desc, &sg, sg.length);
61695 -+
61696 -+ crypto_hash_final(&desc, temp_sum);
61697 -+
61698 -+ memset(entry->pw, 0, GR_PW_LEN);
61699 -+
61700 -+ for (i = 0; i < GR_SHA_LEN; i++)
61701 -+ if (sum[i] != temp_sum[i])
61702 -+ retval = 1;
61703 -+ else
61704 -+ dummy = 1; // waste a cycle
61705 -+
61706 -+ crypto_free_hash(tfm);
61707 -+
61708 -+ return retval;
61709 -+}
61710 -diff -Nurp linux-2.6.23.15/include/asm-alpha/a.out.h linux-2.6.23.15-grsec/include/asm-alpha/a.out.h
61711 ---- linux-2.6.23.15/include/asm-alpha/a.out.h 2007-10-09 21:31:38.000000000 +0100
61712 -+++ linux-2.6.23.15-grsec/include/asm-alpha/a.out.h 2008-02-11 10:37:44.000000000 +0000
61713 -@@ -98,7 +98,7 @@ struct exec
61714 - set_personality (((BFPM->sh_bang || EX.ah.entry < 0x100000000L \
61715 - ? ADDR_LIMIT_32BIT : 0) | PER_OSF4))
61716 -
61717 --#define STACK_TOP \
61718 -+#define __STACK_TOP \
61719 - (current->personality & ADDR_LIMIT_32BIT ? 0x80000000 : 0x00120000000UL)
61720 -
61721 - #define STACK_TOP_MAX 0x00120000000UL
61722 -diff -Nurp linux-2.6.23.15/include/asm-alpha/elf.h linux-2.6.23.15-grsec/include/asm-alpha/elf.h
61723 ---- linux-2.6.23.15/include/asm-alpha/elf.h 2007-10-09 21:31:38.000000000 +0100
61724 -+++ linux-2.6.23.15-grsec/include/asm-alpha/elf.h 2008-02-11 10:37:44.000000000 +0000
61725 -@@ -91,6 +91,13 @@ typedef elf_fpreg_t elf_fpregset_t[ELF_N
61726 -
61727 - #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE + 0x1000000)
61728 -
61729 -+#ifdef CONFIG_PAX_ASLR
61730 -+#define PAX_ELF_ET_DYN_BASE (current->personality & ADDR_LIMIT_32BIT ? 0x10000 : 0x120000000UL)
61731 -+
61732 -+#define PAX_DELTA_MMAP_LEN (current->personality & ADDR_LIMIT_32BIT ? 14 : 28)
61733 -+#define PAX_DELTA_STACK_LEN (current->personality & ADDR_LIMIT_32BIT ? 14 : 19)
61734 -+#endif
61735 -+
61736 - /* $0 is set by ld.so to a pointer to a function which might be
61737 - registered using atexit. This provides a mean for the dynamic
61738 - linker to call DT_FINI functions for shared libraries that have
61739 -diff -Nurp linux-2.6.23.15/include/asm-alpha/kmap_types.h linux-2.6.23.15-grsec/include/asm-alpha/kmap_types.h
61740 ---- linux-2.6.23.15/include/asm-alpha/kmap_types.h 2007-10-09 21:31:38.000000000 +0100
61741 -+++ linux-2.6.23.15-grsec/include/asm-alpha/kmap_types.h 2008-02-11 10:37:44.000000000 +0000
61742 -@@ -24,7 +24,8 @@ D(9) KM_IRQ0,
61743 - D(10) KM_IRQ1,
61744 - D(11) KM_SOFTIRQ0,
61745 - D(12) KM_SOFTIRQ1,
61746 --D(13) KM_TYPE_NR
61747 -+D(13) KM_CLEARPAGE,
61748 -+D(14) KM_TYPE_NR
61749 - };
61750 -
61751 - #undef D
61752 -diff -Nurp linux-2.6.23.15/include/asm-alpha/pgtable.h linux-2.6.23.15-grsec/include/asm-alpha/pgtable.h
61753 ---- linux-2.6.23.15/include/asm-alpha/pgtable.h 2007-10-09 21:31:38.000000000 +0100
61754 -+++ linux-2.6.23.15-grsec/include/asm-alpha/pgtable.h 2008-02-11 10:37:44.000000000 +0000
61755 -@@ -101,6 +101,17 @@ struct vm_area_struct;
61756 - #define PAGE_SHARED __pgprot(_PAGE_VALID | __ACCESS_BITS)
61757 - #define PAGE_COPY __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW)
61758 - #define PAGE_READONLY __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW)
61759 -+
61760 -+#ifdef CONFIG_PAX_PAGEEXEC
61761 -+# define PAGE_SHARED_NOEXEC __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOE)
61762 -+# define PAGE_COPY_NOEXEC __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW | _PAGE_FOE)
61763 -+# define PAGE_READONLY_NOEXEC __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW | _PAGE_FOE)
61764 -+#else
61765 -+# define PAGE_SHARED_NOEXEC PAGE_SHARED
61766 -+# define PAGE_COPY_NOEXEC PAGE_COPY
61767 -+# define PAGE_READONLY_NOEXEC PAGE_READONLY
61768 -+#endif
61769 -+
61770 - #define PAGE_KERNEL __pgprot(_PAGE_VALID | _PAGE_ASM | _PAGE_KRE | _PAGE_KWE)
61771 -
61772 - #define _PAGE_NORMAL(x) __pgprot(_PAGE_VALID | __ACCESS_BITS | (x))
61773 -diff -Nurp linux-2.6.23.15/include/asm-arm/a.out.h linux-2.6.23.15-grsec/include/asm-arm/a.out.h
61774 ---- linux-2.6.23.15/include/asm-arm/a.out.h 2007-10-09 21:31:38.000000000 +0100
61775 -+++ linux-2.6.23.15-grsec/include/asm-arm/a.out.h 2008-02-11 10:37:44.000000000 +0000
61776 -@@ -28,7 +28,7 @@ struct exec
61777 - #define M_ARM 103
61778 -
61779 - #ifdef __KERNEL__
61780 --#define STACK_TOP ((current->personality == PER_LINUX_32BIT) ? \
61781 -+#define __STACK_TOP ((current->personality == PER_LINUX_32BIT) ? \
61782 - TASK_SIZE : TASK_SIZE_26)
61783 - #define STACK_TOP_MAX TASK_SIZE
61784 - #endif
61785 -diff -Nurp linux-2.6.23.15/include/asm-arm/elf.h linux-2.6.23.15-grsec/include/asm-arm/elf.h
61786 ---- linux-2.6.23.15/include/asm-arm/elf.h 2007-10-09 21:31:38.000000000 +0100
61787 -+++ linux-2.6.23.15-grsec/include/asm-arm/elf.h 2008-02-11 10:37:44.000000000 +0000
61788 -@@ -90,6 +90,13 @@ extern char elf_platform[];
61789 -
61790 - #define ELF_ET_DYN_BASE (2 * TASK_SIZE / 3)
61791 -
61792 -+#ifdef CONFIG_PAX_ASLR
61793 -+#define PAX_ELF_ET_DYN_BASE 0x00008000UL
61794 -+
61795 -+#define PAX_DELTA_MMAP_LEN ((current->personality == PER_LINUX_32BIT) ? 16 : 10)
61796 -+#define PAX_DELTA_STACK_LEN ((current->personality == PER_LINUX_32BIT) ? 16 : 10)
61797 -+#endif
61798 -+
61799 - /* When the program starts, a1 contains a pointer to a function to be
61800 - registered with atexit, as per the SVR4 ABI. A value of 0 means we
61801 - have no such handler. */
61802 -diff -Nurp linux-2.6.23.15/include/asm-arm/kmap_types.h linux-2.6.23.15-grsec/include/asm-arm/kmap_types.h
61803 ---- linux-2.6.23.15/include/asm-arm/kmap_types.h 2007-10-09 21:31:38.000000000 +0100
61804 -+++ linux-2.6.23.15-grsec/include/asm-arm/kmap_types.h 2008-02-11 10:37:44.000000000 +0000
61805 -@@ -18,6 +18,7 @@ enum km_type {
61806 - KM_IRQ1,
61807 - KM_SOFTIRQ0,
61808 - KM_SOFTIRQ1,
61809 -+ KM_CLEARPAGE,
61810 - KM_TYPE_NR
61811 - };
61812 -
61813 -diff -Nurp linux-2.6.23.15/include/asm-avr32/a.out.h linux-2.6.23.15-grsec/include/asm-avr32/a.out.h
61814 ---- linux-2.6.23.15/include/asm-avr32/a.out.h 2007-10-09 21:31:38.000000000 +0100
61815 -+++ linux-2.6.23.15-grsec/include/asm-avr32/a.out.h 2008-02-11 10:37:44.000000000 +0000
61816 -@@ -19,8 +19,8 @@ struct exec
61817 -
61818 - #ifdef __KERNEL__
61819 -
61820 --#define STACK_TOP TASK_SIZE
61821 --#define STACK_TOP_MAX STACK_TOP
61822 -+#define __STACK_TOP TASK_SIZE
61823 -+#define STACK_TOP_MAX __STACK_TOP
61824 -
61825 - #endif
61826 -
61827 -diff -Nurp linux-2.6.23.15/include/asm-avr32/elf.h linux-2.6.23.15-grsec/include/asm-avr32/elf.h
61828 ---- linux-2.6.23.15/include/asm-avr32/elf.h 2007-10-09 21:31:38.000000000 +0100
61829 -+++ linux-2.6.23.15-grsec/include/asm-avr32/elf.h 2008-02-11 10:37:44.000000000 +0000
61830 -@@ -85,8 +85,14 @@ typedef struct user_fpu_struct elf_fpreg
61831 - the loader. We need to make sure that it is out of the way of the program
61832 - that it will "exec", and that there is sufficient room for the brk. */
61833 -
61834 --#define ELF_ET_DYN_BASE (2 * TASK_SIZE / 3)
61835 -+#define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
61836 -
61837 -+#ifdef CONFIG_PAX_ASLR
61838 -+#define PAX_ELF_ET_DYN_BASE 0x00001000UL
61839 -+
61840 -+#define PAX_DELTA_MMAP_LEN 15
61841 -+#define PAX_DELTA_STACK_LEN 15
61842 -+#endif
61843 -
61844 - /* This yields a mask that user programs can use to figure out what
61845 - instruction set this CPU supports. This could be done in user space,
61846 -diff -Nurp linux-2.6.23.15/include/asm-avr32/kmap_types.h linux-2.6.23.15-grsec/include/asm-avr32/kmap_types.h
61847 ---- linux-2.6.23.15/include/asm-avr32/kmap_types.h 2007-10-09 21:31:38.000000000 +0100
61848 -+++ linux-2.6.23.15-grsec/include/asm-avr32/kmap_types.h 2008-02-11 10:37:44.000000000 +0000
61849 -@@ -22,7 +22,8 @@ D(10) KM_IRQ0,
61850 - D(11) KM_IRQ1,
61851 - D(12) KM_SOFTIRQ0,
61852 - D(13) KM_SOFTIRQ1,
61853 --D(14) KM_TYPE_NR
61854 -+D(14) KM_CLEARPAGE,
61855 -+D(15) KM_TYPE_NR
61856 - };
61857 -
61858 - #undef D
61859 -diff -Nurp linux-2.6.23.15/include/asm-blackfin/kmap_types.h linux-2.6.23.15-grsec/include/asm-blackfin/kmap_types.h
61860 ---- linux-2.6.23.15/include/asm-blackfin/kmap_types.h 2007-10-09 21:31:38.000000000 +0100
61861 -+++ linux-2.6.23.15-grsec/include/asm-blackfin/kmap_types.h 2008-02-11 10:37:44.000000000 +0000
61862 -@@ -15,6 +15,7 @@ enum km_type {
61863 - KM_IRQ1,
61864 - KM_SOFTIRQ0,
61865 - KM_SOFTIRQ1,
61866 -+ KM_CLEARPAGE,
61867 - KM_TYPE_NR
61868 - };
61869 -
61870 -diff -Nurp linux-2.6.23.15/include/asm-cris/kmap_types.h linux-2.6.23.15-grsec/include/asm-cris/kmap_types.h
61871 ---- linux-2.6.23.15/include/asm-cris/kmap_types.h 2007-10-09 21:31:38.000000000 +0100
61872 -+++ linux-2.6.23.15-grsec/include/asm-cris/kmap_types.h 2008-02-11 10:37:44.000000000 +0000
61873 -@@ -19,6 +19,7 @@ enum km_type {
61874 - KM_IRQ1,
61875 - KM_SOFTIRQ0,
61876 - KM_SOFTIRQ1,
61877 -+ KM_CLEARPAGE,
61878 - KM_TYPE_NR
61879 - };
61880 -
61881 -diff -Nurp linux-2.6.23.15/include/asm-frv/kmap_types.h linux-2.6.23.15-grsec/include/asm-frv/kmap_types.h
61882 ---- linux-2.6.23.15/include/asm-frv/kmap_types.h 2007-10-09 21:31:38.000000000 +0100
61883 -+++ linux-2.6.23.15-grsec/include/asm-frv/kmap_types.h 2008-02-11 10:37:44.000000000 +0000
61884 -@@ -23,6 +23,7 @@ enum km_type {
61885 - KM_IRQ1,
61886 - KM_SOFTIRQ0,
61887 - KM_SOFTIRQ1,
61888 -+ KM_CLEARPAGE,
61889 - KM_TYPE_NR
61890 - };
61891 -
61892 -diff -Nurp linux-2.6.23.15/include/asm-generic/futex.h linux-2.6.23.15-grsec/include/asm-generic/futex.h
61893 ---- linux-2.6.23.15/include/asm-generic/futex.h 2007-10-09 21:31:38.000000000 +0100
61894 -+++ linux-2.6.23.15-grsec/include/asm-generic/futex.h 2008-02-11 10:37:44.000000000 +0000
61895 -@@ -8,7 +8,7 @@
61896 - #include <asm/uaccess.h>
61897 -
61898 - static inline int
61899 --futex_atomic_op_inuser (int encoded_op, int __user *uaddr)
61900 -+futex_atomic_op_inuser (int encoded_op, u32 __user *uaddr)
61901 - {
61902 - int op = (encoded_op >> 28) & 7;
61903 - int cmp = (encoded_op >> 24) & 15;
61904 -@@ -50,7 +50,7 @@ futex_atomic_op_inuser (int encoded_op,
61905 - }
61906 -
61907 - static inline int
61908 --futex_atomic_cmpxchg_inatomic(int __user *uaddr, int oldval, int newval)
61909 -+futex_atomic_cmpxchg_inatomic(u32 __user *uaddr, int oldval, int newval)
61910 - {
61911 - return -ENOSYS;
61912 - }
61913 -diff -Nurp linux-2.6.23.15/include/asm-generic/vmlinux.lds.h linux-2.6.23.15-grsec/include/asm-generic/vmlinux.lds.h
61914 ---- linux-2.6.23.15/include/asm-generic/vmlinux.lds.h 2007-10-09 21:31:38.000000000 +0100
61915 -+++ linux-2.6.23.15-grsec/include/asm-generic/vmlinux.lds.h 2008-02-11 10:37:44.000000000 +0000
61916 -@@ -19,6 +19,7 @@
61917 - .rodata : AT(ADDR(.rodata) - LOAD_OFFSET) { \
61918 - VMLINUX_SYMBOL(__start_rodata) = .; \
61919 - *(.rodata) *(.rodata.*) \
61920 -+ *(.data.read_only) \
61921 - *(__vermagic) /* Kernel version magic */ \
61922 - } \
61923 - \
61924 -diff -Nurp linux-2.6.23.15/include/asm-h8300/kmap_types.h linux-2.6.23.15-grsec/include/asm-h8300/kmap_types.h
61925 ---- linux-2.6.23.15/include/asm-h8300/kmap_types.h 2007-10-09 21:31:38.000000000 +0100
61926 -+++ linux-2.6.23.15-grsec/include/asm-h8300/kmap_types.h 2008-02-11 10:37:44.000000000 +0000
61927 -@@ -15,6 +15,7 @@ enum km_type {
61928 - KM_IRQ1,
61929 - KM_SOFTIRQ0,
61930 - KM_SOFTIRQ1,
61931 -+ KM_CLEARPAGE,
61932 - KM_TYPE_NR
61933 - };
61934 -
61935 -diff -Nurp linux-2.6.23.15/include/asm-i386/a.out.h linux-2.6.23.15-grsec/include/asm-i386/a.out.h
61936 ---- linux-2.6.23.15/include/asm-i386/a.out.h 2007-10-09 21:31:38.000000000 +0100
61937 -+++ linux-2.6.23.15-grsec/include/asm-i386/a.out.h 2008-02-11 10:37:44.000000000 +0000
61938 -@@ -19,8 +19,13 @@ struct exec
61939 -
61940 - #ifdef __KERNEL__
61941 -
61942 --#define STACK_TOP TASK_SIZE
61943 --#define STACK_TOP_MAX STACK_TOP
61944 -+#ifdef CONFIG_PAX_SEGMEXEC
61945 -+#define __STACK_TOP ((current->mm->pax_flags & MF_PAX_SEGMEXEC)?TASK_SIZE/2:TASK_SIZE)
61946 -+#else
61947 -+#define __STACK_TOP TASK_SIZE
61948 -+#endif
61949 -+
61950 -+#define STACK_TOP_MAX TASK_SIZE
61951 -
61952 - #endif
61953 -
61954 -diff -Nurp linux-2.6.23.15/include/asm-i386/alternative.h linux-2.6.23.15-grsec/include/asm-i386/alternative.h
61955 ---- linux-2.6.23.15/include/asm-i386/alternative.h 2007-10-09 21:31:38.000000000 +0100
61956 -+++ linux-2.6.23.15-grsec/include/asm-i386/alternative.h 2008-02-11 10:37:44.000000000 +0000
61957 -@@ -54,7 +54,7 @@ static inline void alternatives_smp_swit
61958 - " .byte 662b-661b\n" /* sourcelen */ \
61959 - " .byte 664f-663f\n" /* replacementlen */ \
61960 - ".previous\n" \
61961 -- ".section .altinstr_replacement,\"ax\"\n" \
61962 -+ ".section .altinstr_replacement,\"a\"\n" \
61963 - "663:\n\t" newinstr "\n664:\n" /* replacement */\
61964 - ".previous" :: "i" (feature) : "memory")
61965 -
61966 -@@ -78,7 +78,7 @@ static inline void alternatives_smp_swit
61967 - " .byte 662b-661b\n" /* sourcelen */ \
61968 - " .byte 664f-663f\n" /* replacementlen */ \
61969 - ".previous\n" \
61970 -- ".section .altinstr_replacement,\"ax\"\n" \
61971 -+ ".section .altinstr_replacement,\"a\"\n" \
61972 - "663:\n\t" newinstr "\n664:\n" /* replacement */\
61973 - ".previous" :: "i" (feature), ##input)
61974 -
61975 -@@ -93,7 +93,7 @@ static inline void alternatives_smp_swit
61976 - " .byte 662b-661b\n" /* sourcelen */ \
61977 - " .byte 664f-663f\n" /* replacementlen */ \
61978 - ".previous\n" \
61979 -- ".section .altinstr_replacement,\"ax\"\n" \
61980 -+ ".section .altinstr_replacement,\"a\"\n" \
61981 - "663:\n\t" newinstr "\n664:\n" /* replacement */ \
61982 - ".previous" : output : [feat] "i" (feature), ##input)
61983 -
61984 -diff -Nurp linux-2.6.23.15/include/asm-i386/apic.h linux-2.6.23.15-grsec/include/asm-i386/apic.h
61985 ---- linux-2.6.23.15/include/asm-i386/apic.h 2007-10-09 21:31:38.000000000 +0100
61986 -+++ linux-2.6.23.15-grsec/include/asm-i386/apic.h 2008-02-11 10:37:44.000000000 +0000
61987 -@@ -8,7 +8,7 @@
61988 - #include <asm/processor.h>
61989 - #include <asm/system.h>
61990 -
61991 --#define Dprintk(x...)
61992 -+#define Dprintk(x...) do {} while (0)
61993 -
61994 - /*
61995 - * Debugging macros
61996 -diff -Nurp linux-2.6.23.15/include/asm-i386/cache.h linux-2.6.23.15-grsec/include/asm-i386/cache.h
61997 ---- linux-2.6.23.15/include/asm-i386/cache.h 2007-10-09 21:31:38.000000000 +0100
61998 -+++ linux-2.6.23.15-grsec/include/asm-i386/cache.h 2008-02-11 10:37:44.000000000 +0000
61999 -@@ -10,5 +10,6 @@
62000 - #define L1_CACHE_BYTES (1 << L1_CACHE_SHIFT)
62001 -
62002 - #define __read_mostly __attribute__((__section__(".data.read_mostly")))
62003 -+#define __read_only __attribute__((__section__(".data.read_only")))
62004 -
62005 - #endif
62006 -diff -Nurp linux-2.6.23.15/include/asm-i386/checksum.h linux-2.6.23.15-grsec/include/asm-i386/checksum.h
62007 ---- linux-2.6.23.15/include/asm-i386/checksum.h 2007-10-09 21:31:38.000000000 +0100
62008 -+++ linux-2.6.23.15-grsec/include/asm-i386/checksum.h 2008-02-11 10:37:44.000000000 +0000
62009 -@@ -30,6 +30,12 @@ asmlinkage __wsum csum_partial(const voi
62010 - asmlinkage __wsum csum_partial_copy_generic(const void *src, void *dst,
62011 - int len, __wsum sum, int *src_err_ptr, int *dst_err_ptr);
62012 -
62013 -+asmlinkage __wsum csum_partial_copy_generic_to_user(const void *src, void *dst,
62014 -+ int len, __wsum sum, int *src_err_ptr, int *dst_err_ptr);
62015 -+
62016 -+asmlinkage __wsum csum_partial_copy_generic_from_user(const void *src, void *dst,
62017 -+ int len, __wsum sum, int *src_err_ptr, int *dst_err_ptr);
62018 -+
62019 - /*
62020 - * Note: when you get a NULL pointer exception here this means someone
62021 - * passed in an incorrect kernel address to one of these functions.
62022 -@@ -49,7 +55,7 @@ __wsum csum_partial_copy_from_user(const
62023 - int len, __wsum sum, int *err_ptr)
62024 - {
62025 - might_sleep();
62026 -- return csum_partial_copy_generic((__force void *)src, dst,
62027 -+ return csum_partial_copy_generic_from_user((__force void *)src, dst,
62028 - len, sum, err_ptr, NULL);
62029 - }
62030 -
62031 -@@ -180,7 +186,7 @@ static __inline__ __wsum csum_and_copy_t
62032 - {
62033 - might_sleep();
62034 - if (access_ok(VERIFY_WRITE, dst, len))
62035 -- return csum_partial_copy_generic(src, (__force void *)dst, len, sum, NULL, err_ptr);
62036 -+ return csum_partial_copy_generic_to_user(src, (__force void *)dst, len, sum, NULL, err_ptr);
62037 -
62038 - if (len)
62039 - *err_ptr = -EFAULT;
62040 -diff -Nurp linux-2.6.23.15/include/asm-i386/desc.h linux-2.6.23.15-grsec/include/asm-i386/desc.h
62041 ---- linux-2.6.23.15/include/asm-i386/desc.h 2007-10-09 21:31:38.000000000 +0100
62042 -+++ linux-2.6.23.15-grsec/include/asm-i386/desc.h 2008-02-11 10:37:44.000000000 +0000
62043 -@@ -7,26 +7,22 @@
62044 - #ifndef __ASSEMBLY__
62045 -
62046 - #include <linux/preempt.h>
62047 --#include <linux/smp.h>
62048 - #include <linux/percpu.h>
62049 -+#include <linux/smp.h>
62050 -
62051 - #include <asm/mmu.h>
62052 -
62053 -+extern struct desc_struct cpu_gdt_table[NR_CPUS][PAGE_SIZE / sizeof(struct desc_struct)];
62054 -+
62055 - struct Xgt_desc_struct {
62056 - unsigned short size;
62057 -- unsigned long address __attribute__((packed));
62058 -+ struct desc_struct *address __attribute__((packed));
62059 - unsigned short pad;
62060 - } __attribute__ ((packed));
62061 -
62062 --struct gdt_page
62063 --{
62064 -- struct desc_struct gdt[GDT_ENTRIES];
62065 --} __attribute__((aligned(PAGE_SIZE)));
62066 --DECLARE_PER_CPU(struct gdt_page, gdt_page);
62067 --
62068 - static inline struct desc_struct *get_cpu_gdt_table(unsigned int cpu)
62069 - {
62070 -- return per_cpu(gdt_page, cpu).gdt;
62071 -+ return cpu_gdt_table[cpu];
62072 - }
62073 -
62074 - extern struct Xgt_desc_struct idt_descr;
62075 -@@ -81,8 +77,20 @@ static inline void pack_gate(__u32 *a, _
62076 - static inline void write_dt_entry(struct desc_struct *dt,
62077 - int entry, u32 entry_low, u32 entry_high)
62078 - {
62079 -+
62080 -+#ifdef CONFIG_PAX_KERNEXEC
62081 -+ unsigned long cr0;
62082 -+
62083 -+ pax_open_kernel(cr0);
62084 -+#endif
62085 -+
62086 - dt[entry].a = entry_low;
62087 - dt[entry].b = entry_high;
62088 -+
62089 -+#ifdef CONFIG_PAX_KERNEXEC
62090 -+ pax_close_kernel(cr0);
62091 -+#endif
62092 -+
62093 - }
62094 -
62095 - static inline void native_set_ldt(const void *addr, unsigned int entries)
62096 -@@ -139,8 +147,19 @@ static inline void native_load_tls(struc
62097 - unsigned int i;
62098 - struct desc_struct *gdt = get_cpu_gdt_table(cpu);
62099 -
62100 -+#ifdef CONFIG_PAX_KERNEXEC
62101 -+ unsigned long cr0;
62102 -+
62103 -+ pax_open_kernel(cr0);
62104 -+#endif
62105 -+
62106 - for (i = 0; i < GDT_ENTRY_TLS_ENTRIES; i++)
62107 - gdt[GDT_ENTRY_TLS_MIN + i] = t->tls_array[i];
62108 -+
62109 -+#ifdef CONFIG_PAX_KERNEXEC
62110 -+ pax_close_kernel(cr0);
62111 -+#endif
62112 -+
62113 - }
62114 -
62115 - static inline void _set_gate(int gate, unsigned int type, void *addr, unsigned short seg)
62116 -@@ -175,7 +194,7 @@ static inline void __set_tss_desc(unsign
62117 - ((info)->seg_32bit << 22) | \
62118 - ((info)->limit_in_pages << 23) | \
62119 - ((info)->useable << 20) | \
62120 -- 0x7000)
62121 -+ 0x7100)
62122 -
62123 - #define LDT_empty(info) (\
62124 - (info)->base_addr == 0 && \
62125 -@@ -207,15 +226,25 @@ static inline void load_LDT(mm_context_t
62126 - preempt_enable();
62127 - }
62128 -
62129 --static inline unsigned long get_desc_base(unsigned long *desc)
62130 -+static inline unsigned long get_desc_base(struct desc_struct *desc)
62131 - {
62132 - unsigned long base;
62133 -- base = ((desc[0] >> 16) & 0x0000ffff) |
62134 -- ((desc[1] << 16) & 0x00ff0000) |
62135 -- (desc[1] & 0xff000000);
62136 -+ base = ((desc->a >> 16) & 0x0000ffff) |
62137 -+ ((desc->b << 16) & 0x00ff0000) |
62138 -+ (desc->b & 0xff000000);
62139 - return base;
62140 - }
62141 -
62142 -+static inline void set_user_cs(unsigned long base, unsigned long limit, int cpu)
62143 -+{
62144 -+ __u32 a, b;
62145 -+
62146 -+ if (likely(limit))
62147 -+ limit = (limit - 1UL) >> PAGE_SHIFT;
62148 -+ pack_descriptor(&a, &b, base, limit, 0xFB, 0xC);
62149 -+ write_gdt_entry(get_cpu_gdt_table(cpu), GDT_ENTRY_DEFAULT_USER_CS, a, b);
62150 -+}
62151 -+
62152 - #else /* __ASSEMBLY__ */
62153 -
62154 - /*
62155 -diff -Nurp linux-2.6.23.15/include/asm-i386/elf.h linux-2.6.23.15-grsec/include/asm-i386/elf.h
62156 ---- linux-2.6.23.15/include/asm-i386/elf.h 2007-10-09 21:31:38.000000000 +0100
62157 -+++ linux-2.6.23.15-grsec/include/asm-i386/elf.h 2008-02-11 10:37:44.000000000 +0000
62158 -@@ -73,7 +73,18 @@ typedef struct user_fxsr_struct elf_fpxr
62159 - the loader. We need to make sure that it is out of the way of the program
62160 - that it will "exec", and that there is sufficient room for the brk. */
62161 -
62162 -+#ifdef CONFIG_PAX_SEGMEXEC
62163 -+#define ELF_ET_DYN_BASE ((current->mm->pax_flags & MF_PAX_SEGMEXEC) ? SEGMEXEC_TASK_SIZE/3*2 : TASK_SIZE/3*2)
62164 -+#else
62165 - #define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
62166 -+#endif
62167 -+
62168 -+#ifdef CONFIG_PAX_ASLR
62169 -+#define PAX_ELF_ET_DYN_BASE 0x10000000UL
62170 -+
62171 -+#define PAX_DELTA_MMAP_LEN (current->mm->pax_flags & MF_PAX_SEGMEXEC ? 15 : 16)
62172 -+#define PAX_DELTA_STACK_LEN (current->mm->pax_flags & MF_PAX_SEGMEXEC ? 15 : 16)
62173 -+#endif
62174 -
62175 - /* regs is struct pt_regs, pr_reg is elf_gregset_t (which is
62176 - now struct_user_regs, they are different) */
62177 -@@ -131,7 +142,7 @@ extern int dump_task_extended_fpu (struc
62178 - #define ELF_CORE_COPY_XFPREGS(tsk, elf_xfpregs) dump_task_extended_fpu(tsk, elf_xfpregs)
62179 -
62180 - #define VDSO_HIGH_BASE (__fix_to_virt(FIX_VDSO))
62181 --#define VDSO_CURRENT_BASE ((unsigned long)current->mm->context.vdso)
62182 -+#define VDSO_CURRENT_BASE (current->mm->context.vdso)
62183 - #define VDSO_PRELINK 0
62184 -
62185 - #define VDSO_SYM(x) \
62186 -diff -Nurp linux-2.6.23.15/include/asm-i386/futex.h linux-2.6.23.15-grsec/include/asm-i386/futex.h
62187 ---- linux-2.6.23.15/include/asm-i386/futex.h 2007-10-09 21:31:38.000000000 +0100
62188 -+++ linux-2.6.23.15-grsec/include/asm-i386/futex.h 2008-02-11 10:37:44.000000000 +0000
62189 -@@ -11,8 +11,11 @@
62190 -
62191 - #define __futex_atomic_op1(insn, ret, oldval, uaddr, oparg) \
62192 - __asm__ __volatile ( \
62193 -+ "movw %w6, %%ds\n"\
62194 - "1: " insn "\n" \
62195 --"2: .section .fixup,\"ax\"\n\
62196 -+"2: pushl %%ss\n\
62197 -+ popl %%ds\n\
62198 -+ .section .fixup,\"ax\"\n\
62199 - 3: mov %3, %1\n\
62200 - jmp 2b\n\
62201 - .previous\n\
62202 -@@ -21,16 +24,19 @@
62203 - .long 1b,3b\n\
62204 - .previous" \
62205 - : "=r" (oldval), "=r" (ret), "+m" (*uaddr) \
62206 -- : "i" (-EFAULT), "0" (oparg), "1" (0))
62207 -+ : "i" (-EFAULT), "0" (oparg), "1" (0), "r" (__USER_DS))
62208 -
62209 - #define __futex_atomic_op2(insn, ret, oldval, uaddr, oparg) \
62210 - __asm__ __volatile ( \
62211 --"1: movl %2, %0\n\
62212 -+" movw %w7, %%es\n\
62213 -+1: movl %%es:%2, %0\n\
62214 - movl %0, %3\n" \
62215 - insn "\n" \
62216 --"2: " LOCK_PREFIX "cmpxchgl %3, %2\n\
62217 -+"2: " LOCK_PREFIX "cmpxchgl %3, %%es:%2\n\
62218 - jnz 1b\n\
62219 --3: .section .fixup,\"ax\"\n\
62220 -+3: pushl %%ss\n\
62221 -+ popl %%es\n\
62222 -+ .section .fixup,\"ax\"\n\
62223 - 4: mov %5, %1\n\
62224 - jmp 3b\n\
62225 - .previous\n\
62226 -@@ -40,10 +46,10 @@
62227 - .previous" \
62228 - : "=&a" (oldval), "=&r" (ret), "+m" (*uaddr), \
62229 - "=&r" (tem) \
62230 -- : "r" (oparg), "i" (-EFAULT), "1" (0))
62231 -+ : "r" (oparg), "i" (-EFAULT), "1" (0), "r" (__USER_DS))
62232 -
62233 - static inline int
62234 --futex_atomic_op_inuser (int encoded_op, int __user *uaddr)
62235 -+futex_atomic_op_inuser (int encoded_op, u32 __user *uaddr)
62236 - {
62237 - int op = (encoded_op >> 28) & 7;
62238 - int cmp = (encoded_op >> 24) & 15;
62239 -@@ -59,7 +65,7 @@ futex_atomic_op_inuser (int encoded_op,
62240 - pagefault_disable();
62241 -
62242 - if (op == FUTEX_OP_SET)
62243 -- __futex_atomic_op1("xchgl %0, %2", ret, oldval, uaddr, oparg);
62244 -+ __futex_atomic_op1("xchgl %0, %%ds:%2", ret, oldval, uaddr, oparg);
62245 - else {
62246 - #ifndef CONFIG_X86_BSWAP
62247 - if (boot_cpu_data.x86 == 3)
62248 -@@ -68,7 +74,7 @@ futex_atomic_op_inuser (int encoded_op,
62249 - #endif
62250 - switch (op) {
62251 - case FUTEX_OP_ADD:
62252 -- __futex_atomic_op1(LOCK_PREFIX "xaddl %0, %2", ret,
62253 -+ __futex_atomic_op1(LOCK_PREFIX "xaddl %0, %%ds:%2", ret,
62254 - oldval, uaddr, oparg);
62255 - break;
62256 - case FUTEX_OP_OR:
62257 -@@ -105,15 +111,17 @@ futex_atomic_op_inuser (int encoded_op,
62258 - }
62259 -
62260 - static inline int
62261 --futex_atomic_cmpxchg_inatomic(int __user *uaddr, int oldval, int newval)
62262 -+futex_atomic_cmpxchg_inatomic(u32 __user *uaddr, int oldval, int newval)
62263 - {
62264 - if (!access_ok(VERIFY_WRITE, uaddr, sizeof(int)))
62265 - return -EFAULT;
62266 -
62267 - __asm__ __volatile__(
62268 -- "1: " LOCK_PREFIX "cmpxchgl %3, %1 \n"
62269 --
62270 -- "2: .section .fixup, \"ax\" \n"
62271 -+ " movw %w5, %%ds \n"
62272 -+ "1: " LOCK_PREFIX "cmpxchgl %3, %%ds:%1 \n"
62273 -+ "2: pushl %%ss \n"
62274 -+ " popl %%ds \n"
62275 -+ " .section .fixup, \"ax\" \n"
62276 - "3: mov %2, %0 \n"
62277 - " jmp 2b \n"
62278 - " .previous \n"
62279 -@@ -124,7 +132,7 @@ futex_atomic_cmpxchg_inatomic(int __user
62280 - " .previous \n"
62281 -
62282 - : "=a" (oldval), "+m" (*uaddr)
62283 -- : "i" (-EFAULT), "r" (newval), "0" (oldval)
62284 -+ : "i" (-EFAULT), "r" (newval), "0" (oldval), "r" (__USER_DS)
62285 - : "memory"
62286 - );
62287 -
62288 -diff -Nurp linux-2.6.23.15/include/asm-i386/i387.h linux-2.6.23.15-grsec/include/asm-i386/i387.h
62289 ---- linux-2.6.23.15/include/asm-i386/i387.h 2007-10-09 21:31:38.000000000 +0100
62290 -+++ linux-2.6.23.15-grsec/include/asm-i386/i387.h 2008-02-11 10:37:44.000000000 +0000
62291 -@@ -40,13 +40,8 @@ extern void kernel_fpu_begin(void);
62292 - #define kernel_fpu_end() do { stts(); preempt_enable(); } while(0)
62293 -
62294 - /* We need a safe address that is cheap to find and that is already
62295 -- in L1 during context switch. The best choices are unfortunately
62296 -- different for UP and SMP */
62297 --#ifdef CONFIG_SMP
62298 --#define safe_address (__per_cpu_offset[0])
62299 --#else
62300 --#define safe_address (kstat_cpu(0).cpustat.user)
62301 --#endif
62302 -+ in L1 during context switch. */
62303 -+#define safe_address (init_tss[smp_processor_id()].x86_tss.esp0)
62304 -
62305 - /*
62306 - * These must be called with preempt disabled
62307 -diff -Nurp linux-2.6.23.15/include/asm-i386/irqflags.h linux-2.6.23.15-grsec/include/asm-i386/irqflags.h
62308 ---- linux-2.6.23.15/include/asm-i386/irqflags.h 2007-10-09 21:31:38.000000000 +0100
62309 -+++ linux-2.6.23.15-grsec/include/asm-i386/irqflags.h 2008-02-11 10:37:44.000000000 +0000
62310 -@@ -108,6 +108,8 @@ static inline unsigned long __raw_local_
62311 - #define ENABLE_INTERRUPTS_SYSEXIT sti; sysexit
62312 - #define INTERRUPT_RETURN iret
62313 - #define GET_CR0_INTO_EAX movl %cr0, %eax
62314 -+#define GET_CR0_INTO_EDX movl %cr0, %edx
62315 -+#define SET_CR0_FROM_EDX movl %edx, %cr0
62316 - #endif /* __ASSEMBLY__ */
62317 - #endif /* CONFIG_PARAVIRT */
62318 -
62319 -diff -Nurp linux-2.6.23.15/include/asm-i386/kmap_types.h linux-2.6.23.15-grsec/include/asm-i386/kmap_types.h
62320 ---- linux-2.6.23.15/include/asm-i386/kmap_types.h 2007-10-09 21:31:38.000000000 +0100
62321 -+++ linux-2.6.23.15-grsec/include/asm-i386/kmap_types.h 2008-02-11 10:37:44.000000000 +0000
62322 -@@ -22,7 +22,8 @@ D(9) KM_IRQ0,
62323 - D(10) KM_IRQ1,
62324 - D(11) KM_SOFTIRQ0,
62325 - D(12) KM_SOFTIRQ1,
62326 --D(13) KM_TYPE_NR
62327 -+D(13) KM_CLEARPAGE,
62328 -+D(14) KM_TYPE_NR
62329 - };
62330 -
62331 - #undef D
62332 -diff -Nurp linux-2.6.23.15/include/asm-i386/mach-default/apm.h linux-2.6.23.15-grsec/include/asm-i386/mach-default/apm.h
62333 ---- linux-2.6.23.15/include/asm-i386/mach-default/apm.h 2007-10-09 21:31:38.000000000 +0100
62334 -+++ linux-2.6.23.15-grsec/include/asm-i386/mach-default/apm.h 2008-02-11 10:37:44.000000000 +0000
62335 -@@ -36,7 +36,7 @@ static inline void apm_bios_call_asm(u32
62336 - __asm__ __volatile__(APM_DO_ZERO_SEGS
62337 - "pushl %%edi\n\t"
62338 - "pushl %%ebp\n\t"
62339 -- "lcall *%%cs:apm_bios_entry\n\t"
62340 -+ "lcall *%%ss:apm_bios_entry\n\t"
62341 - "setc %%al\n\t"
62342 - "popl %%ebp\n\t"
62343 - "popl %%edi\n\t"
62344 -@@ -60,7 +60,7 @@ static inline u8 apm_bios_call_simple_as
62345 - __asm__ __volatile__(APM_DO_ZERO_SEGS
62346 - "pushl %%edi\n\t"
62347 - "pushl %%ebp\n\t"
62348 -- "lcall *%%cs:apm_bios_entry\n\t"
62349 -+ "lcall *%%ss:apm_bios_entry\n\t"
62350 - "setc %%bl\n\t"
62351 - "popl %%ebp\n\t"
62352 - "popl %%edi\n\t"
62353 -diff -Nurp linux-2.6.23.15/include/asm-i386/mman.h linux-2.6.23.15-grsec/include/asm-i386/mman.h
62354 ---- linux-2.6.23.15/include/asm-i386/mman.h 2007-10-09 21:31:38.000000000 +0100
62355 -+++ linux-2.6.23.15-grsec/include/asm-i386/mman.h 2008-02-11 10:37:44.000000000 +0000
62356 -@@ -14,4 +14,12 @@
62357 - #define MCL_CURRENT 1 /* lock all current mappings */
62358 - #define MCL_FUTURE 2 /* lock all future mappings */
62359 -
62360 -+#ifdef __KERNEL__
62361 -+#ifndef __ASSEMBLY__
62362 -+#define arch_mmap_check i386_mmap_check
62363 -+int i386_mmap_check(unsigned long addr, unsigned long len,
62364 -+ unsigned long flags);
62365 -+#endif
62366 -+#endif
62367 -+
62368 - #endif /* __I386_MMAN_H__ */
62369 -diff -Nurp linux-2.6.23.15/include/asm-i386/mmu.h linux-2.6.23.15-grsec/include/asm-i386/mmu.h
62370 ---- linux-2.6.23.15/include/asm-i386/mmu.h 2007-10-09 21:31:38.000000000 +0100
62371 -+++ linux-2.6.23.15-grsec/include/asm-i386/mmu.h 2008-02-11 10:37:44.000000000 +0000
62372 -@@ -11,8 +11,19 @@
62373 - typedef struct {
62374 - int size;
62375 - struct semaphore sem;
62376 -- void *ldt;
62377 -- void *vdso;
62378 -+ struct desc_struct *ldt;
62379 -+ unsigned long vdso;
62380 -+
62381 -+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
62382 -+ unsigned long user_cs_base;
62383 -+ unsigned long user_cs_limit;
62384 -+
62385 -+#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP)
62386 -+ cpumask_t cpu_user_cs_mask;
62387 -+#endif
62388 -+
62389 -+#endif
62390 -+
62391 - } mm_context_t;
62392 -
62393 - #endif
62394 -diff -Nurp linux-2.6.23.15/include/asm-i386/mmu_context.h linux-2.6.23.15-grsec/include/asm-i386/mmu_context.h
62395 ---- linux-2.6.23.15/include/asm-i386/mmu_context.h 2007-10-09 21:31:38.000000000 +0100
62396 -+++ linux-2.6.23.15-grsec/include/asm-i386/mmu_context.h 2008-02-11 10:37:44.000000000 +0000
62397 -@@ -57,6 +57,22 @@ static inline void switch_mm(struct mm_s
62398 - */
62399 - if (unlikely(prev->context.ldt != next->context.ldt))
62400 - load_LDT_nolock(&next->context);
62401 -+
62402 -+#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP)
62403 -+ if (!nx_enabled) {
62404 -+ smp_mb__before_clear_bit();
62405 -+ cpu_clear(cpu, prev->context.cpu_user_cs_mask);
62406 -+ smp_mb__after_clear_bit();
62407 -+ cpu_set(cpu, next->context.cpu_user_cs_mask);
62408 -+ }
62409 -+#endif
62410 -+
62411 -+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
62412 -+ if (unlikely(prev->context.user_cs_base != next->context.user_cs_base ||
62413 -+ prev->context.user_cs_limit != next->context.user_cs_limit))
62414 -+ set_user_cs(next->context.user_cs_base, next->context.user_cs_limit, cpu);
62415 -+#endif
62416 -+
62417 - }
62418 - #ifdef CONFIG_SMP
62419 - else {
62420 -@@ -69,6 +85,19 @@ static inline void switch_mm(struct mm_s
62421 - */
62422 - load_cr3(next->pgd);
62423 - load_LDT_nolock(&next->context);
62424 -+
62425 -+#ifdef CONFIG_PAX_PAGEEXEC
62426 -+ if (!nx_enabled)
62427 -+ cpu_set(cpu, next->context.cpu_user_cs_mask);
62428 -+#endif
62429 -+
62430 -+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
62431 -+#ifdef CONFIG_PAX_PAGEEXEC
62432 -+ if (!((next->pax_flags & MF_PAX_PAGEEXEC) && nx_enabled))
62433 -+#endif
62434 -+ set_user_cs(next->context.user_cs_base, next->context.user_cs_limit, cpu);
62435 -+#endif
62436 -+
62437 - }
62438 - }
62439 - #endif
62440 -diff -Nurp linux-2.6.23.15/include/asm-i386/module.h linux-2.6.23.15-grsec/include/asm-i386/module.h
62441 ---- linux-2.6.23.15/include/asm-i386/module.h 2007-10-09 21:31:38.000000000 +0100
62442 -+++ linux-2.6.23.15-grsec/include/asm-i386/module.h 2008-02-11 10:37:44.000000000 +0000
62443 -@@ -70,6 +70,12 @@ struct mod_arch_specific
62444 - #define MODULE_STACKSIZE ""
62445 - #endif
62446 -
62447 --#define MODULE_ARCH_VERMAGIC MODULE_PROC_FAMILY MODULE_STACKSIZE
62448 -+#ifdef CONFIG_GRKERNSEC
62449 -+#define MODULE_GRSEC "GRSECURTY "
62450 -+#else
62451 -+#define MODULE_GRSEC ""
62452 -+#endif
62453 -+
62454 -+#define MODULE_ARCH_VERMAGIC MODULE_PROC_FAMILY MODULE_STACKSIZE MODULE_GRSEC
62455 -
62456 - #endif /* _ASM_I386_MODULE_H */
62457 -diff -Nurp linux-2.6.23.15/include/asm-i386/page.h linux-2.6.23.15-grsec/include/asm-i386/page.h
62458 ---- linux-2.6.23.15/include/asm-i386/page.h 2007-10-09 21:31:38.000000000 +0100
62459 -+++ linux-2.6.23.15-grsec/include/asm-i386/page.h 2008-02-11 10:37:44.000000000 +0000
62460 -@@ -10,6 +10,7 @@
62461 - #define LARGE_PAGE_SIZE (1UL << PMD_SHIFT)
62462 -
62463 - #ifdef __KERNEL__
62464 -+#include <asm/boot.h>
62465 - #ifndef __ASSEMBLY__
62466 -
62467 - #ifdef CONFIG_X86_USE_3DNOW
62468 -@@ -90,7 +91,6 @@ static inline pte_t native_make_pte(unsi
62469 - typedef struct { unsigned long pte_low; } pte_t;
62470 - typedef struct { unsigned long pgd; } pgd_t;
62471 - typedef struct { unsigned long pgprot; } pgprot_t;
62472 --#define boot_pte_t pte_t /* or would you rather have a typedef */
62473 -
62474 - static inline unsigned long native_pgd_val(pgd_t pgd)
62475 - {
62476 -@@ -175,6 +175,18 @@ extern int page_is_ram(unsigned long pag
62477 - #define __PAGE_OFFSET ((unsigned long)CONFIG_PAGE_OFFSET)
62478 - #endif
62479 -
62480 -+#ifdef CONFIG_PAX_KERNEXEC
62481 -+#ifdef __ASSEMBLY__
62482 -+#define __KERNEL_TEXT_OFFSET (__PAGE_OFFSET + ((LOAD_PHYSICAL_ADDR + 6*1024*1024 - 1) & ~(4*1024*1024 - 1)))
62483 -+#else
62484 -+extern unsigned char KERNEL_TEXT_OFFSET[];
62485 -+#define __KERNEL_TEXT_OFFSET ((unsigned long)KERNEL_TEXT_OFFSET)
62486 -+extern unsigned char MODULES_VADDR[];
62487 -+extern unsigned char MODULES_END[];
62488 -+#endif
62489 -+#else
62490 -+#define __KERNEL_TEXT_OFFSET (0)
62491 -+#endif
62492 -
62493 - #define PAGE_OFFSET ((unsigned long)__PAGE_OFFSET)
62494 - #define VMALLOC_RESERVE ((unsigned long)__VMALLOC_RESERVE)
62495 -@@ -197,6 +209,10 @@ extern int page_is_ram(unsigned long pag
62496 - ((current->personality & READ_IMPLIES_EXEC) ? VM_EXEC : 0 ) | \
62497 - VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
62498 -
62499 -+#ifdef CONFIG_PAX_PAGEEXEC
62500 -+#define CONFIG_ARCH_TRACK_EXEC_LIMIT 1
62501 -+#endif
62502 -+
62503 - #include <asm-generic/memory_model.h>
62504 - #include <asm-generic/page.h>
62505 -
62506 -diff -Nurp linux-2.6.23.15/include/asm-i386/paravirt.h linux-2.6.23.15-grsec/include/asm-i386/paravirt.h
62507 ---- linux-2.6.23.15/include/asm-i386/paravirt.h 2007-10-09 21:31:38.000000000 +0100
62508 -+++ linux-2.6.23.15-grsec/include/asm-i386/paravirt.h 2008-02-11 10:37:44.000000000 +0000
62509 -@@ -1057,23 +1057,23 @@ static inline unsigned long __raw_local_
62510 -
62511 - #define INTERRUPT_RETURN \
62512 - PARA_SITE(PARA_PATCH(PARAVIRT_iret), CLBR_NONE, \
62513 -- jmp *%cs:paravirt_ops+PARAVIRT_iret)
62514 -+ jmp *%ss:paravirt_ops+PARAVIRT_iret)
62515 -
62516 - #define DISABLE_INTERRUPTS(clobbers) \
62517 - PARA_SITE(PARA_PATCH(PARAVIRT_irq_disable), clobbers, \
62518 - pushl %eax; pushl %ecx; pushl %edx; \
62519 -- call *%cs:paravirt_ops+PARAVIRT_irq_disable; \
62520 -+ call *%ss:paravirt_ops+PARAVIRT_irq_disable; \
62521 - popl %edx; popl %ecx; popl %eax) \
62522 -
62523 - #define ENABLE_INTERRUPTS(clobbers) \
62524 - PARA_SITE(PARA_PATCH(PARAVIRT_irq_enable), clobbers, \
62525 - pushl %eax; pushl %ecx; pushl %edx; \
62526 -- call *%cs:paravirt_ops+PARAVIRT_irq_enable; \
62527 -+ call *%ss:paravirt_ops+PARAVIRT_irq_enable; \
62528 - popl %edx; popl %ecx; popl %eax)
62529 -
62530 - #define ENABLE_INTERRUPTS_SYSEXIT \
62531 - PARA_SITE(PARA_PATCH(PARAVIRT_irq_enable_sysexit), CLBR_NONE, \
62532 -- jmp *%cs:paravirt_ops+PARAVIRT_irq_enable_sysexit)
62533 -+ jmp *%ss:paravirt_ops+PARAVIRT_irq_enable_sysexit)
62534 -
62535 - #define GET_CR0_INTO_EAX \
62536 - push %ecx; push %edx; \
62537 -diff -Nurp linux-2.6.23.15/include/asm-i386/percpu.h linux-2.6.23.15-grsec/include/asm-i386/percpu.h
62538 ---- linux-2.6.23.15/include/asm-i386/percpu.h 2007-10-09 21:31:38.000000000 +0100
62539 -+++ linux-2.6.23.15-grsec/include/asm-i386/percpu.h 2008-02-11 10:37:44.000000000 +0000
62540 -@@ -22,7 +22,7 @@
62541 - #define PER_CPU_VAR(var) %fs:per_cpu__##var
62542 - #else /* ! SMP */
62543 - #define PER_CPU(var, reg) \
62544 -- movl $per_cpu__##var, reg
62545 -+ movl per_cpu__##var, reg
62546 - #define PER_CPU_VAR(var) per_cpu__##var
62547 - #endif /* SMP */
62548 -
62549 -@@ -42,12 +42,12 @@
62550 - */
62551 - #ifdef CONFIG_SMP
62552 - /* Same as generic implementation except for optimized local access. */
62553 --#define __GENERIC_PER_CPU
62554 -
62555 - /* This is used for other cpus to find our section. */
62556 - extern unsigned long __per_cpu_offset[];
62557 -+extern void setup_per_cpu_areas(void);
62558 -
62559 --#define per_cpu_offset(x) (__per_cpu_offset[x])
62560 -+#define per_cpu_offset(x) (__per_cpu_offset[x] - (unsigned long)__per_cpu_start)
62561 -
62562 - /* Separate out the type, so (int[3], foo) works. */
62563 - #define DECLARE_PER_CPU(type, name) extern __typeof__(type) per_cpu__##name
62564 -@@ -64,11 +64,11 @@ DECLARE_PER_CPU(unsigned long, this_cpu_
62565 -
62566 - /* var is in discarded region: offset to particular copy we want */
62567 - #define per_cpu(var, cpu) (*({ \
62568 -- extern int simple_indentifier_##var(void); \
62569 -+ extern int simple_identifier_##var(void); \
62570 - RELOC_HIDE(&per_cpu__##var, __per_cpu_offset[cpu]); }))
62571 -
62572 - #define __raw_get_cpu_var(var) (*({ \
62573 -- extern int simple_indentifier_##var(void); \
62574 -+ extern int simple_identifier_##var(void); \
62575 - RELOC_HIDE(&per_cpu__##var, x86_read_percpu(this_cpu_off)); \
62576 - }))
62577 -
62578 -@@ -79,7 +79,7 @@ DECLARE_PER_CPU(unsigned long, this_cpu_
62579 - do { \
62580 - unsigned int __i; \
62581 - for_each_possible_cpu(__i) \
62582 -- memcpy((pcpudst)+__per_cpu_offset[__i], \
62583 -+ memcpy((pcpudst)+per_cpu_offset(__i), \
62584 - (src), (size)); \
62585 - } while (0)
62586 -
62587 -diff -Nurp linux-2.6.23.15/include/asm-i386/pgalloc.h linux-2.6.23.15-grsec/include/asm-i386/pgalloc.h
62588 ---- linux-2.6.23.15/include/asm-i386/pgalloc.h 2007-10-09 21:31:38.000000000 +0100
62589 -+++ linux-2.6.23.15-grsec/include/asm-i386/pgalloc.h 2008-02-11 10:37:44.000000000 +0000
62590 -@@ -15,11 +15,19 @@
62591 - #define paravirt_release_pd(pfn) do { } while (0)
62592 - #endif
62593 -
62594 -+#ifdef CONFIG_COMPAT_VDSO
62595 - #define pmd_populate_kernel(mm, pmd, pte) \
62596 - do { \
62597 - paravirt_alloc_pt(mm, __pa(pte) >> PAGE_SHIFT); \
62598 - set_pmd(pmd, __pmd(_PAGE_TABLE + __pa(pte))); \
62599 - } while (0)
62600 -+#else
62601 -+#define pmd_populate_kernel(mm, pmd, pte) \
62602 -+do { \
62603 -+ paravirt_alloc_pt(mm, __pa(pte) >> PAGE_SHIFT); \
62604 -+ set_pmd(pmd, __pmd(_KERNPG_TABLE + __pa(pte))); \
62605 -+} while (0)
62606 -+#endif
62607 -
62608 - #define pmd_populate(mm, pmd, pte) \
62609 - do { \
62610 -diff -Nurp linux-2.6.23.15/include/asm-i386/pgtable-2level.h linux-2.6.23.15-grsec/include/asm-i386/pgtable-2level.h
62611 ---- linux-2.6.23.15/include/asm-i386/pgtable-2level.h 2007-10-09 21:31:38.000000000 +0100
62612 -+++ linux-2.6.23.15-grsec/include/asm-i386/pgtable-2level.h 2008-02-11 10:37:44.000000000 +0000
62613 -@@ -22,7 +22,19 @@ static inline void native_set_pte_at(str
62614 - }
62615 - static inline void native_set_pmd(pmd_t *pmdp, pmd_t pmd)
62616 - {
62617 -+
62618 -+#ifdef CONFIG_PAX_KERNEXEC
62619 -+ unsigned long cr0;
62620 -+
62621 -+ pax_open_kernel(cr0);
62622 -+#endif
62623 -+
62624 - *pmdp = pmd;
62625 -+
62626 -+#ifdef CONFIG_PAX_KERNEXEC
62627 -+ pax_close_kernel(cr0);
62628 -+#endif
62629 -+
62630 - }
62631 - #ifndef CONFIG_PARAVIRT
62632 - #define set_pte(pteptr, pteval) native_set_pte(pteptr, pteval)
62633 -diff -Nurp linux-2.6.23.15/include/asm-i386/pgtable-3level.h linux-2.6.23.15-grsec/include/asm-i386/pgtable-3level.h
62634 ---- linux-2.6.23.15/include/asm-i386/pgtable-3level.h 2007-10-09 21:31:38.000000000 +0100
62635 -+++ linux-2.6.23.15-grsec/include/asm-i386/pgtable-3level.h 2008-02-11 10:37:44.000000000 +0000
62636 -@@ -67,11 +67,35 @@ static inline void native_set_pte_atomic
62637 - }
62638 - static inline void native_set_pmd(pmd_t *pmdp, pmd_t pmd)
62639 - {
62640 -+
62641 -+#ifdef CONFIG_PAX_KERNEXEC
62642 -+ unsigned long cr0;
62643 -+
62644 -+ pax_open_kernel(cr0);
62645 -+#endif
62646 -+
62647 - set_64bit((unsigned long long *)(pmdp),native_pmd_val(pmd));
62648 -+
62649 -+#ifdef CONFIG_PAX_KERNEXEC
62650 -+ pax_close_kernel(cr0);
62651 -+#endif
62652 -+
62653 - }
62654 - static inline void native_set_pud(pud_t *pudp, pud_t pud)
62655 - {
62656 -+
62657 -+#ifdef CONFIG_PAX_KERNEXEC
62658 -+ unsigned long cr0;
62659 -+
62660 -+ pax_open_kernel(cr0);
62661 -+#endif
62662 -+
62663 - *pudp = pud;
62664 -+
62665 -+#ifdef CONFIG_PAX_KERNEXEC
62666 -+ pax_close_kernel(cr0);
62667 -+#endif
62668 -+
62669 - }
62670 -
62671 - /*
62672 -diff -Nurp linux-2.6.23.15/include/asm-i386/pgtable.h linux-2.6.23.15-grsec/include/asm-i386/pgtable.h
62673 ---- linux-2.6.23.15/include/asm-i386/pgtable.h 2007-10-09 21:31:38.000000000 +0100
62674 -+++ linux-2.6.23.15-grsec/include/asm-i386/pgtable.h 2008-02-11 10:37:44.000000000 +0000
62675 -@@ -34,7 +34,6 @@ struct vm_area_struct;
62676 - */
62677 - #define ZERO_PAGE(vaddr) (virt_to_page(empty_zero_page))
62678 - extern unsigned long empty_zero_page[1024];
62679 --extern pgd_t swapper_pg_dir[1024];
62680 - extern struct kmem_cache *pmd_cache;
62681 - extern spinlock_t pgd_lock;
62682 - extern struct page *pgd_list;
62683 -@@ -58,6 +57,11 @@ void paging_init(void);
62684 - # include <asm/pgtable-2level-defs.h>
62685 - #endif
62686 -
62687 -+extern pgd_t swapper_pg_dir[PTRS_PER_PGD];
62688 -+#ifdef CONFIG_X86_PAE
62689 -+extern pmd_t swapper_pm_dir[PTRS_PER_PGD][PTRS_PER_PMD];
62690 -+#endif
62691 -+
62692 - #define PGDIR_SIZE (1UL << PGDIR_SHIFT)
62693 - #define PGDIR_MASK (~(PGDIR_SIZE-1))
62694 -
62695 -@@ -67,9 +71,11 @@ void paging_init(void);
62696 - #define USER_PGD_PTRS (PAGE_OFFSET >> PGDIR_SHIFT)
62697 - #define KERNEL_PGD_PTRS (PTRS_PER_PGD-USER_PGD_PTRS)
62698 -
62699 -+#ifndef CONFIG_X86_PAE
62700 - #define TWOLEVEL_PGDIR_SHIFT 22
62701 - #define BOOT_USER_PGD_PTRS (__PAGE_OFFSET >> TWOLEVEL_PGDIR_SHIFT)
62702 - #define BOOT_KERNEL_PGD_PTRS (1024-BOOT_USER_PGD_PTRS)
62703 -+#endif
62704 -
62705 - /* Just any arbitrary offset to the start of the vmalloc VM area: the
62706 - * current 8MB value just means that there will be a 8MB "hole" after the
62707 -@@ -136,7 +142,7 @@ void paging_init(void);
62708 - #define PAGE_NONE \
62709 - __pgprot(_PAGE_PROTNONE | _PAGE_ACCESSED)
62710 - #define PAGE_SHARED \
62711 -- __pgprot(_PAGE_PRESENT | _PAGE_RW | _PAGE_USER | _PAGE_ACCESSED)
62712 -+ __pgprot(_PAGE_PRESENT | _PAGE_RW | _PAGE_USER | _PAGE_ACCESSED | _PAGE_NX)
62713 -
62714 - #define PAGE_SHARED_EXEC \
62715 - __pgprot(_PAGE_PRESENT | _PAGE_RW | _PAGE_USER | _PAGE_ACCESSED)
62716 -@@ -202,7 +208,7 @@ extern unsigned long long __PAGE_KERNEL,
62717 - #undef TEST_ACCESS_OK
62718 -
62719 - /* The boot page tables (all created as a single array) */
62720 --extern unsigned long pg0[];
62721 -+extern pte_t pg0[];
62722 -
62723 - #define pte_present(x) ((x).pte_low & (_PAGE_PRESENT | _PAGE_PROTNONE))
62724 -
62725 -@@ -218,30 +224,55 @@ extern unsigned long pg0[];
62726 - * The following only work if pte_present() is true.
62727 - * Undefined behaviour if not..
62728 - */
62729 -+static inline int pte_user(pte_t pte) { return (pte).pte_low & _PAGE_USER; }
62730 - static inline int pte_dirty(pte_t pte) { return (pte).pte_low & _PAGE_DIRTY; }
62731 - static inline int pte_young(pte_t pte) { return (pte).pte_low & _PAGE_ACCESSED; }
62732 - static inline int pte_write(pte_t pte) { return (pte).pte_low & _PAGE_RW; }
62733 - static inline int pte_huge(pte_t pte) { return (pte).pte_low & _PAGE_PSE; }
62734 -
62735 -+#ifdef CONFIG_X86_PAE
62736 -+# include <asm/pgtable-3level.h>
62737 -+#else
62738 -+# include <asm/pgtable-2level.h>
62739 -+#endif
62740 -+
62741 - /*
62742 - * The following only works if pte_present() is not true.
62743 - */
62744 - static inline int pte_file(pte_t pte) { return (pte).pte_low & _PAGE_FILE; }
62745 -
62746 -+static inline pte_t pte_exprotect(pte_t pte)
62747 -+{
62748 -+#ifdef CONFIG_X86_PAE
62749 -+ if (__supported_pte_mask & _PAGE_NX)
62750 -+ set_pte(&pte, __pte(pte_val(pte) | _PAGE_NX));
62751 -+ else
62752 -+#endif
62753 -+ set_pte(&pte, __pte(pte_val(pte) & ~_PAGE_USER));
62754 -+ return pte;
62755 -+}
62756 -+
62757 - static inline pte_t pte_mkclean(pte_t pte) { (pte).pte_low &= ~_PAGE_DIRTY; return pte; }
62758 - static inline pte_t pte_mkold(pte_t pte) { (pte).pte_low &= ~_PAGE_ACCESSED; return pte; }
62759 - static inline pte_t pte_wrprotect(pte_t pte) { (pte).pte_low &= ~_PAGE_RW; return pte; }
62760 -+static inline pte_t pte_mkread(pte_t pte) { (pte).pte_low |= _PAGE_USER; return pte; }
62761 -+
62762 -+static inline pte_t pte_mkexec(pte_t pte)
62763 -+{
62764 -+#ifdef CONFIG_X86_PAE
62765 -+ if (__supported_pte_mask & _PAGE_NX)
62766 -+ set_pte(&pte, __pte(pte_val(pte) & ~_PAGE_NX));
62767 -+ else
62768 -+#endif
62769 -+ set_pte(&pte, __pte(pte_val(pte) | _PAGE_USER));
62770 -+ return pte;
62771 -+}
62772 -+
62773 - static inline pte_t pte_mkdirty(pte_t pte) { (pte).pte_low |= _PAGE_DIRTY; return pte; }
62774 - static inline pte_t pte_mkyoung(pte_t pte) { (pte).pte_low |= _PAGE_ACCESSED; return pte; }
62775 - static inline pte_t pte_mkwrite(pte_t pte) { (pte).pte_low |= _PAGE_RW; return pte; }
62776 - static inline pte_t pte_mkhuge(pte_t pte) { (pte).pte_low |= _PAGE_PSE; return pte; }
62777 -
62778 --#ifdef CONFIG_X86_PAE
62779 --# include <asm/pgtable-3level.h>
62780 --#else
62781 --# include <asm/pgtable-2level.h>
62782 --#endif
62783 --
62784 - #ifndef CONFIG_PARAVIRT
62785 - /*
62786 - * Rules for using pte_update - it must be called after any PTE update which
62787 -@@ -353,7 +384,19 @@ static inline void ptep_set_wrprotect(st
62788 - */
62789 - static inline void clone_pgd_range(pgd_t *dst, pgd_t *src, int count)
62790 - {
62791 -- memcpy(dst, src, count * sizeof(pgd_t));
62792 -+
62793 -+#ifdef CONFIG_PAX_KERNEXEC
62794 -+ unsigned long cr0;
62795 -+
62796 -+ pax_open_kernel(cr0);
62797 -+#endif
62798 -+
62799 -+ memcpy(dst, src, count * sizeof(pgd_t));
62800 -+
62801 -+#ifdef CONFIG_PAX_KERNEXEC
62802 -+ pax_close_kernel(cr0);
62803 -+#endif
62804 -+
62805 - }
62806 -
62807 - /*
62808 -@@ -500,6 +543,9 @@ static inline void paravirt_pagetable_se
62809 -
62810 - #endif /* !__ASSEMBLY__ */
62811 -
62812 -+#define HAVE_ARCH_UNMAPPED_AREA
62813 -+#define HAVE_ARCH_UNMAPPED_AREA_TOPDOWN
62814 -+
62815 - #ifdef CONFIG_FLATMEM
62816 - #define kern_addr_valid(addr) (1)
62817 - #endif /* CONFIG_FLATMEM */
62818 -diff -Nurp linux-2.6.23.15/include/asm-i386/processor.h linux-2.6.23.15-grsec/include/asm-i386/processor.h
62819 ---- linux-2.6.23.15/include/asm-i386/processor.h 2007-10-09 21:31:38.000000000 +0100
62820 -+++ linux-2.6.23.15-grsec/include/asm-i386/processor.h 2008-02-11 10:37:44.000000000 +0000
62821 -@@ -99,8 +99,6 @@ struct cpuinfo_x86 {
62822 -
62823 - extern struct cpuinfo_x86 boot_cpu_data;
62824 - extern struct cpuinfo_x86 new_cpu_data;
62825 --extern struct tss_struct doublefault_tss;
62826 --DECLARE_PER_CPU(struct tss_struct, init_tss);
62827 -
62828 - #ifdef CONFIG_SMP
62829 - extern struct cpuinfo_x86 cpu_data[];
62830 -@@ -209,11 +207,19 @@ extern int bootloader_type;
62831 - */
62832 - #define TASK_SIZE (PAGE_OFFSET)
62833 -
62834 -+#ifdef CONFIG_PAX_SEGMEXEC
62835 -+#define SEGMEXEC_TASK_SIZE (TASK_SIZE / 2)
62836 -+#endif
62837 -+
62838 - /* This decides where the kernel will search for a free chunk of vm
62839 - * space during mmap's.
62840 - */
62841 - #define TASK_UNMAPPED_BASE (PAGE_ALIGN(TASK_SIZE / 3))
62842 -
62843 -+#ifdef CONFIG_PAX_SEGMEXEC
62844 -+#define SEGMEXEC_TASK_UNMAPPED_BASE (PAGE_ALIGN(SEGMEXEC_TASK_SIZE / 3))
62845 -+#endif
62846 -+
62847 - #define HAVE_ARCH_PICK_MMAP_LAYOUT
62848 -
62849 - extern void hard_disable_TSC(void);
62850 -@@ -338,6 +344,9 @@ struct tss_struct {
62851 -
62852 - #define ARCH_MIN_TASKALIGN 16
62853 -
62854 -+extern struct tss_struct doublefault_tss;
62855 -+extern struct tss_struct init_tss[NR_CPUS];
62856 -+
62857 - struct thread_struct {
62858 - /* cached TLS descriptors. */
62859 - struct desc_struct tls_array[GDT_ENTRY_TLS_ENTRIES];
62860 -@@ -366,7 +375,7 @@ struct thread_struct {
62861 - };
62862 -
62863 - #define INIT_THREAD { \
62864 -- .esp0 = sizeof(init_stack) + (long)&init_stack, \
62865 -+ .esp0 = sizeof(init_stack) + (long)&init_stack - 8, \
62866 - .vm86_info = NULL, \
62867 - .sysenter_cs = __KERNEL_CS, \
62868 - .io_bitmap_ptr = NULL, \
62869 -@@ -381,7 +390,7 @@ struct thread_struct {
62870 - */
62871 - #define INIT_TSS { \
62872 - .x86_tss = { \
62873 -- .esp0 = sizeof(init_stack) + (long)&init_stack, \
62874 -+ .esp0 = sizeof(init_stack) + (long)&init_stack - 8, \
62875 - .ss0 = __KERNEL_DS, \
62876 - .ss1 = __KERNEL_CS, \
62877 - .io_bitmap_base = INVALID_IO_BITMAP_OFFSET, \
62878 -@@ -422,11 +431,7 @@ void show_trace(struct task_struct *task
62879 - unsigned long get_wchan(struct task_struct *p);
62880 -
62881 - #define THREAD_SIZE_LONGS (THREAD_SIZE/sizeof(unsigned long))
62882 --#define KSTK_TOP(info) \
62883 --({ \
62884 -- unsigned long *__ptr = (unsigned long *)(info); \
62885 -- (unsigned long)(&__ptr[THREAD_SIZE_LONGS]); \
62886 --})
62887 -+#define KSTK_TOP(info) ((info)->task.thread.esp0)
62888 -
62889 - /*
62890 - * The below -8 is to reserve 8 bytes on top of the ring0 stack.
62891 -@@ -441,7 +446,7 @@ unsigned long get_wchan(struct task_stru
62892 - #define task_pt_regs(task) \
62893 - ({ \
62894 - struct pt_regs *__regs__; \
62895 -- __regs__ = (struct pt_regs *)(KSTK_TOP(task_stack_page(task))-8); \
62896 -+ __regs__ = (struct pt_regs *)((task)->thread.esp0); \
62897 - __regs__ - 1; \
62898 - })
62899 -
62900 -@@ -603,8 +608,8 @@ static inline void cpuid(unsigned int op
62901 - }
62902 -
62903 - /* Some CPUID calls want 'count' to be placed in ecx */
62904 --static inline void cpuid_count(int op, int count, int *eax, int *ebx, int *ecx,
62905 -- int *edx)
62906 -+static inline void cpuid_count(unsigned int op, unsigned int count, unsigned int *eax, unsigned int *ebx, unsigned int *ecx,
62907 -+ unsigned int *edx)
62908 - {
62909 - *eax = op;
62910 - *ecx = count;
62911 -diff -Nurp linux-2.6.23.15/include/asm-i386/ptrace.h linux-2.6.23.15-grsec/include/asm-i386/ptrace.h
62912 ---- linux-2.6.23.15/include/asm-i386/ptrace.h 2007-10-09 21:31:38.000000000 +0100
62913 -+++ linux-2.6.23.15-grsec/include/asm-i386/ptrace.h 2008-02-11 10:37:44.000000000 +0000
62914 -@@ -35,17 +35,18 @@ struct task_struct;
62915 - extern void send_sigtrap(struct task_struct *tsk, struct pt_regs *regs, int error_code);
62916 -
62917 - /*
62918 -- * user_mode_vm(regs) determines whether a register set came from user mode.
62919 -+ * user_mode(regs) determines whether a register set came from user mode.
62920 - * This is true if V8086 mode was enabled OR if the register set was from
62921 - * protected mode with RPL-3 CS value. This tricky test checks that with
62922 - * one comparison. Many places in the kernel can bypass this full check
62923 -- * if they have already ruled out V8086 mode, so user_mode(regs) can be used.
62924 -+ * if they have already ruled out V8086 mode, so user_mode_novm(regs) can
62925 -+ * be used.
62926 - */
62927 --static inline int user_mode(struct pt_regs *regs)
62928 -+static inline int user_mode_novm(struct pt_regs *regs)
62929 - {
62930 - return (regs->xcs & SEGMENT_RPL_MASK) == USER_RPL;
62931 - }
62932 --static inline int user_mode_vm(struct pt_regs *regs)
62933 -+static inline int user_mode(struct pt_regs *regs)
62934 - {
62935 - return ((regs->xcs & SEGMENT_RPL_MASK) | (regs->eflags & VM_MASK)) >= USER_RPL;
62936 - }
62937 -diff -Nurp linux-2.6.23.15/include/asm-i386/reboot.h linux-2.6.23.15-grsec/include/asm-i386/reboot.h
62938 ---- linux-2.6.23.15/include/asm-i386/reboot.h 2007-10-09 21:31:38.000000000 +0100
62939 -+++ linux-2.6.23.15-grsec/include/asm-i386/reboot.h 2008-02-11 10:37:44.000000000 +0000
62940 -@@ -15,6 +15,6 @@ struct machine_ops
62941 -
62942 - extern struct machine_ops machine_ops;
62943 -
62944 --void machine_real_restart(unsigned char *code, int length);
62945 -+void machine_real_restart(const unsigned char *code, unsigned int length);
62946 -
62947 - #endif /* _ASM_REBOOT_H */
62948 -diff -Nurp linux-2.6.23.15/include/asm-i386/segment.h linux-2.6.23.15-grsec/include/asm-i386/segment.h
62949 ---- linux-2.6.23.15/include/asm-i386/segment.h 2007-10-09 21:31:38.000000000 +0100
62950 -+++ linux-2.6.23.15-grsec/include/asm-i386/segment.h 2008-02-11 10:37:44.000000000 +0000
62951 -@@ -81,6 +81,12 @@
62952 - #define __KERNEL_PERCPU 0
62953 - #endif
62954 -
62955 -+#define GDT_ENTRY_PCIBIOS_CS (GDT_ENTRY_KERNEL_BASE + 16)
62956 -+#define __PCIBIOS_CS (GDT_ENTRY_PCIBIOS_CS * 8)
62957 -+
62958 -+#define GDT_ENTRY_PCIBIOS_DS (GDT_ENTRY_KERNEL_BASE + 17)
62959 -+#define __PCIBIOS_DS (GDT_ENTRY_PCIBIOS_DS * 8)
62960 -+
62961 - #define GDT_ENTRY_DOUBLEFAULT_TSS 31
62962 -
62963 - /*
62964 -@@ -140,9 +146,9 @@
62965 - #define SEGMENT_IS_KERNEL_CODE(x) (((x) & 0xfc) == GDT_ENTRY_KERNEL_CS * 8)
62966 -
62967 - /* Matches __KERNEL_CS and __USER_CS (they must be 2 entries apart) */
62968 --#define SEGMENT_IS_FLAT_CODE(x) (((x) & 0xec) == GDT_ENTRY_KERNEL_CS * 8)
62969 -+#define SEGMENT_IS_FLAT_CODE(x) (((x) & 0xFFFCU) == __KERNEL_CS || ((x) & 0xFFFCU) == __USER_CS)
62970 -
62971 - /* Matches PNP_CS32 and PNP_CS16 (they must be consecutive) */
62972 --#define SEGMENT_IS_PNP_CODE(x) (((x) & 0xf4) == GDT_ENTRY_PNPBIOS_BASE * 8)
62973 -+#define SEGMENT_IS_PNP_CODE(x) (((x) & 0xFFFCU) == PNP_CS32 || ((x) & 0xFFFCU) == PNP_CS16)
62974 -
62975 - #endif
62976 -diff -Nurp linux-2.6.23.15/include/asm-i386/system.h linux-2.6.23.15-grsec/include/asm-i386/system.h
62977 ---- linux-2.6.23.15/include/asm-i386/system.h 2008-02-11 10:36:03.000000000 +0000
62978 -+++ linux-2.6.23.15-grsec/include/asm-i386/system.h 2008-02-11 10:37:44.000000000 +0000
62979 -@@ -183,6 +183,21 @@ static inline void native_wbinvd(void)
62980 - /* Set the 'TS' bit */
62981 - #define stts() write_cr0(8 | read_cr0())
62982 -
62983 -+#define pax_open_kernel(cr0) \
62984 -+do { \
62985 -+ typecheck(unsigned long, cr0); \
62986 -+ preempt_disable(); \
62987 -+ cr0 = read_cr0(); \
62988 -+ write_cr0(cr0 & ~X86_CR0_WP); \
62989 -+} while (0)
62990 -+
62991 -+#define pax_close_kernel(cr0) \
62992 -+do { \
62993 -+ typecheck(unsigned long, cr0); \
62994 -+ write_cr0(cr0); \
62995 -+ preempt_enable_no_resched(); \
62996 -+} while (0)
62997 -+
62998 - #endif /* __KERNEL__ */
62999 -
63000 - static inline unsigned long get_limit(unsigned long segment)
63001 -@@ -190,7 +205,7 @@ static inline unsigned long get_limit(un
63002 - unsigned long __limit;
63003 - __asm__("lsll %1,%0"
63004 - :"=r" (__limit):"r" (segment));
63005 -- return __limit+1;
63006 -+ return __limit;
63007 - }
63008 -
63009 - #define nop() __asm__ __volatile__ ("nop")
63010 -@@ -305,7 +320,7 @@ void enable_hlt(void);
63011 - extern int es7000_plat;
63012 - void cpu_idle_wait(void);
63013 -
63014 --extern unsigned long arch_align_stack(unsigned long sp);
63015 -+#define arch_align_stack(x) (x)
63016 - extern void free_init_pages(char *what, unsigned long begin, unsigned long end);
63017 -
63018 - void default_idle(void);
63019 -diff -Nurp linux-2.6.23.15/include/asm-i386/uaccess.h linux-2.6.23.15-grsec/include/asm-i386/uaccess.h
63020 ---- linux-2.6.23.15/include/asm-i386/uaccess.h 2007-10-09 21:31:38.000000000 +0100
63021 -+++ linux-2.6.23.15-grsec/include/asm-i386/uaccess.h 2008-02-11 10:37:44.000000000 +0000
63022 -@@ -9,6 +9,7 @@
63023 - #include <linux/prefetch.h>
63024 - #include <linux/string.h>
63025 - #include <asm/page.h>
63026 -+#include <asm/segment.h>
63027 -
63028 - #define VERIFY_READ 0
63029 - #define VERIFY_WRITE 1
63030 -@@ -29,7 +30,8 @@
63031 -
63032 - #define get_ds() (KERNEL_DS)
63033 - #define get_fs() (current_thread_info()->addr_limit)
63034 --#define set_fs(x) (current_thread_info()->addr_limit = (x))
63035 -+void __set_fs(mm_segment_t x, int cpu);
63036 -+void set_fs(mm_segment_t x);
63037 -
63038 - #define segment_eq(a,b) ((a).seg == (b).seg)
63039 -
63040 -@@ -101,6 +103,7 @@ struct exception_table_entry
63041 - };
63042 -
63043 - extern int fixup_exception(struct pt_regs *regs);
63044 -+#define ARCH_HAS_SORT_EXTABLE
63045 -
63046 - /*
63047 - * These are the main single-value transfer routines. They automatically
63048 -@@ -280,9 +283,12 @@ extern void __put_user_8(void);
63049 -
63050 - #define __put_user_u64(x, addr, err) \
63051 - __asm__ __volatile__( \
63052 -- "1: movl %%eax,0(%2)\n" \
63053 -- "2: movl %%edx,4(%2)\n" \
63054 -+ " movw %w5,%%ds\n" \
63055 -+ "1: movl %%eax,%%ds:0(%2)\n" \
63056 -+ "2: movl %%edx,%%ds:4(%2)\n" \
63057 - "3:\n" \
63058 -+ " pushl %%ss\n" \
63059 -+ " popl %%ds\n" \
63060 - ".section .fixup,\"ax\"\n" \
63061 - "4: movl %3,%0\n" \
63062 - " jmp 3b\n" \
63063 -@@ -293,7 +299,8 @@ extern void __put_user_8(void);
63064 - " .long 2b,4b\n" \
63065 - ".previous" \
63066 - : "=r"(err) \
63067 -- : "A" (x), "r" (addr), "i"(-EFAULT), "0"(err))
63068 -+ : "A" (x), "r" (addr), "i"(-EFAULT), "0"(err), \
63069 -+ "r"(__USER_DS))
63070 -
63071 - #ifdef CONFIG_X86_WP_WORKS_OK
63072 -
63073 -@@ -332,8 +339,11 @@ struct __large_struct { unsigned long bu
63074 - */
63075 - #define __put_user_asm(x, addr, err, itype, rtype, ltype, errret) \
63076 - __asm__ __volatile__( \
63077 -- "1: mov"itype" %"rtype"1,%2\n" \
63078 -+ " movw %w5,%%ds\n" \
63079 -+ "1: mov"itype" %"rtype"1,%%ds:%2\n" \
63080 - "2:\n" \
63081 -+ " pushl %%ss\n" \
63082 -+ " popl %%ds\n" \
63083 - ".section .fixup,\"ax\"\n" \
63084 - "3: movl %3,%0\n" \
63085 - " jmp 2b\n" \
63086 -@@ -343,7 +353,8 @@ struct __large_struct { unsigned long bu
63087 - " .long 1b,3b\n" \
63088 - ".previous" \
63089 - : "=r"(err) \
63090 -- : ltype (x), "m"(__m(addr)), "i"(errret), "0"(err))
63091 -+ : ltype (x), "m"(__m(addr)), "i"(errret), "0"(err), \
63092 -+ "r"(__USER_DS))
63093 -
63094 -
63095 - #define __get_user_nocheck(x,ptr,size) \
63096 -@@ -371,8 +382,11 @@ do { \
63097 -
63098 - #define __get_user_asm(x, addr, err, itype, rtype, ltype, errret) \
63099 - __asm__ __volatile__( \
63100 -- "1: mov"itype" %2,%"rtype"1\n" \
63101 -+ " movw %w5,%%ds\n" \
63102 -+ "1: mov"itype" %%ds:%2,%"rtype"1\n" \
63103 - "2:\n" \
63104 -+ " pushl %%ss\n" \
63105 -+ " popl %%ds\n" \
63106 - ".section .fixup,\"ax\"\n" \
63107 - "3: movl %3,%0\n" \
63108 - " xor"itype" %"rtype"1,%"rtype"1\n" \
63109 -@@ -383,7 +397,7 @@ do { \
63110 - " .long 1b,3b\n" \
63111 - ".previous" \
63112 - : "=r"(err), ltype (x) \
63113 -- : "m"(__m(addr)), "i"(errret), "0"(err))
63114 -+ : "m"(__m(addr)), "i"(errret), "0"(err), "r"(__USER_DS))
63115 -
63116 -
63117 - unsigned long __must_check __copy_to_user_ll(void __user *to,
63118 -diff -Nurp linux-2.6.23.15/include/asm-ia64/elf.h linux-2.6.23.15-grsec/include/asm-ia64/elf.h
63119 ---- linux-2.6.23.15/include/asm-ia64/elf.h 2007-10-09 21:31:38.000000000 +0100
63120 -+++ linux-2.6.23.15-grsec/include/asm-ia64/elf.h 2008-02-11 10:37:44.000000000 +0000
63121 -@@ -162,7 +162,12 @@ typedef elf_greg_t elf_gregset_t[ELF_NGR
63122 - typedef struct ia64_fpreg elf_fpreg_t;
63123 - typedef elf_fpreg_t elf_fpregset_t[ELF_NFPREG];
63124 -
63125 -+#ifdef CONFIG_PAX_ASLR
63126 -+#define PAX_ELF_ET_DYN_BASE (current->personality == PER_LINUX32 ? 0x08048000UL : 0x4000000000000000UL)
63127 -
63128 -+#define PAX_DELTA_MMAP_LEN (current->personality == PER_LINUX32 ? 16 : 3*PAGE_SHIFT - 13)
63129 -+#define PAX_DELTA_STACK_LEN (current->personality == PER_LINUX32 ? 16 : 3*PAGE_SHIFT - 13)
63130 -+#endif
63131 -
63132 - struct pt_regs; /* forward declaration... */
63133 - extern void ia64_elf_core_copy_regs (struct pt_regs *src, elf_gregset_t dst);
63134 -diff -Nurp linux-2.6.23.15/include/asm-ia64/kmap_types.h linux-2.6.23.15-grsec/include/asm-ia64/kmap_types.h
63135 ---- linux-2.6.23.15/include/asm-ia64/kmap_types.h 2007-10-09 21:31:38.000000000 +0100
63136 -+++ linux-2.6.23.15-grsec/include/asm-ia64/kmap_types.h 2008-02-11 10:37:44.000000000 +0000
63137 -@@ -22,7 +22,8 @@ D(9) KM_IRQ0,
63138 - D(10) KM_IRQ1,
63139 - D(11) KM_SOFTIRQ0,
63140 - D(12) KM_SOFTIRQ1,
63141 --D(13) KM_TYPE_NR
63142 -+D(13) KM_CLEARPAGE,
63143 -+D(14) KM_TYPE_NR
63144 - };
63145 -
63146 - #undef D
63147 -diff -Nurp linux-2.6.23.15/include/asm-ia64/pgtable.h linux-2.6.23.15-grsec/include/asm-ia64/pgtable.h
63148 ---- linux-2.6.23.15/include/asm-ia64/pgtable.h 2007-10-09 21:31:38.000000000 +0100
63149 -+++ linux-2.6.23.15-grsec/include/asm-ia64/pgtable.h 2008-02-11 10:37:44.000000000 +0000
63150 -@@ -143,6 +143,17 @@
63151 - #define PAGE_READONLY __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
63152 - #define PAGE_COPY __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
63153 - #define PAGE_COPY_EXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_RX)
63154 -+
63155 -+#ifdef CONFIG_PAX_PAGEEXEC
63156 -+# define PAGE_SHARED_NOEXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_RW)
63157 -+# define PAGE_READONLY_NOEXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
63158 -+# define PAGE_COPY_NOEXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
63159 -+#else
63160 -+# define PAGE_SHARED_NOEXEC PAGE_SHARED
63161 -+# define PAGE_READONLY_NOEXEC PAGE_READONLY
63162 -+# define PAGE_COPY_NOEXEC PAGE_COPY
63163 -+#endif
63164 -+
63165 - #define PAGE_GATE __pgprot(__ACCESS_BITS | _PAGE_PL_0 | _PAGE_AR_X_RX)
63166 - #define PAGE_KERNEL __pgprot(__DIRTY_BITS | _PAGE_PL_0 | _PAGE_AR_RWX)
63167 - #define PAGE_KERNELRX __pgprot(__ACCESS_BITS | _PAGE_PL_0 | _PAGE_AR_RX)
63168 -diff -Nurp linux-2.6.23.15/include/asm-ia64/processor.h linux-2.6.23.15-grsec/include/asm-ia64/processor.h
63169 ---- linux-2.6.23.15/include/asm-ia64/processor.h 2007-10-09 21:31:38.000000000 +0100
63170 -+++ linux-2.6.23.15-grsec/include/asm-ia64/processor.h 2008-02-11 10:37:44.000000000 +0000
63171 -@@ -275,7 +275,7 @@ struct thread_struct {
63172 - .on_ustack = 0, \
63173 - .ksp = 0, \
63174 - .map_base = DEFAULT_MAP_BASE, \
63175 -- .rbs_bot = STACK_TOP - DEFAULT_USER_STACK_SIZE, \
63176 -+ .rbs_bot = __STACK_TOP - DEFAULT_USER_STACK_SIZE, \
63177 - .task_size = DEFAULT_TASK_SIZE, \
63178 - .last_fph_cpu = -1, \
63179 - INIT_THREAD_IA32 \
63180 -diff -Nurp linux-2.6.23.15/include/asm-ia64/ustack.h linux-2.6.23.15-grsec/include/asm-ia64/ustack.h
63181 ---- linux-2.6.23.15/include/asm-ia64/ustack.h 2007-10-09 21:31:38.000000000 +0100
63182 -+++ linux-2.6.23.15-grsec/include/asm-ia64/ustack.h 2008-02-11 10:37:44.000000000 +0000
63183 -@@ -10,8 +10,8 @@
63184 -
63185 - /* The absolute hard limit for stack size is 1/2 of the mappable space in the region */
63186 - #define MAX_USER_STACK_SIZE (RGN_MAP_LIMIT/2)
63187 --#define STACK_TOP (0x6000000000000000UL + RGN_MAP_LIMIT)
63188 --#define STACK_TOP_MAX STACK_TOP
63189 -+#define __STACK_TOP (0x6000000000000000UL + RGN_MAP_LIMIT)
63190 -+#define STACK_TOP_MAX __STACK_TOP
63191 - #endif
63192 -
63193 - /* Make a default stack size of 2GiB */
63194 -diff -Nurp linux-2.6.23.15/include/asm-m32r/kmap_types.h linux-2.6.23.15-grsec/include/asm-m32r/kmap_types.h
63195 ---- linux-2.6.23.15/include/asm-m32r/kmap_types.h 2007-10-09 21:31:38.000000000 +0100
63196 -+++ linux-2.6.23.15-grsec/include/asm-m32r/kmap_types.h 2008-02-11 10:37:44.000000000 +0000
63197 -@@ -21,7 +21,8 @@ D(9) KM_IRQ0,
63198 - D(10) KM_IRQ1,
63199 - D(11) KM_SOFTIRQ0,
63200 - D(12) KM_SOFTIRQ1,
63201 --D(13) KM_TYPE_NR
63202 -+D(13) KM_CLEARPAGE,
63203 -+D(14) KM_TYPE_NR
63204 - };
63205 -
63206 - #undef D
63207 -diff -Nurp linux-2.6.23.15/include/asm-m68k/kmap_types.h linux-2.6.23.15-grsec/include/asm-m68k/kmap_types.h
63208 ---- linux-2.6.23.15/include/asm-m68k/kmap_types.h 2007-10-09 21:31:38.000000000 +0100
63209 -+++ linux-2.6.23.15-grsec/include/asm-m68k/kmap_types.h 2008-02-11 10:37:44.000000000 +0000
63210 -@@ -15,6 +15,7 @@ enum km_type {
63211 - KM_IRQ1,
63212 - KM_SOFTIRQ0,
63213 - KM_SOFTIRQ1,
63214 -+ KM_CLEARPAGE,
63215 - KM_TYPE_NR
63216 - };
63217 -
63218 -diff -Nurp linux-2.6.23.15/include/asm-m68knommu/kmap_types.h linux-2.6.23.15-grsec/include/asm-m68knommu/kmap_types.h
63219 ---- linux-2.6.23.15/include/asm-m68knommu/kmap_types.h 2007-10-09 21:31:38.000000000 +0100
63220 -+++ linux-2.6.23.15-grsec/include/asm-m68knommu/kmap_types.h 2008-02-11 10:37:44.000000000 +0000
63221 -@@ -15,6 +15,7 @@ enum km_type {
63222 - KM_IRQ1,
63223 - KM_SOFTIRQ0,
63224 - KM_SOFTIRQ1,
63225 -+ KM_CLEARPAGE,
63226 - KM_TYPE_NR
63227 - };
63228 -
63229 -diff -Nurp linux-2.6.23.15/include/asm-mips/a.out.h linux-2.6.23.15-grsec/include/asm-mips/a.out.h
63230 ---- linux-2.6.23.15/include/asm-mips/a.out.h 2007-10-09 21:31:38.000000000 +0100
63231 -+++ linux-2.6.23.15-grsec/include/asm-mips/a.out.h 2008-02-11 10:37:44.000000000 +0000
63232 -@@ -35,10 +35,10 @@ struct exec
63233 - #ifdef __KERNEL__
63234 -
63235 - #ifdef CONFIG_32BIT
63236 --#define STACK_TOP TASK_SIZE
63237 -+#define __STACK_TOP TASK_SIZE
63238 - #endif
63239 - #ifdef CONFIG_64BIT
63240 --#define STACK_TOP \
63241 -+#define __STACK_TOP \
63242 - (test_thread_flag(TIF_32BIT_ADDR) ? TASK_SIZE32 : TASK_SIZE)
63243 - #endif
63244 - #define STACK_TOP_MAX TASK_SIZE
63245 -diff -Nurp linux-2.6.23.15/include/asm-mips/elf.h linux-2.6.23.15-grsec/include/asm-mips/elf.h
63246 ---- linux-2.6.23.15/include/asm-mips/elf.h 2007-10-09 21:31:38.000000000 +0100
63247 -+++ linux-2.6.23.15-grsec/include/asm-mips/elf.h 2008-02-11 10:37:44.000000000 +0000
63248 -@@ -372,4 +372,11 @@ extern int dump_task_fpu(struct task_str
63249 - #define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
63250 - #endif
63251 -
63252 -+#ifdef CONFIG_PAX_ASLR
63253 -+#define PAX_ELF_ET_DYN_BASE ((current->thread.mflags & MF_32BIT_ADDR) ? 0x00400000UL : 0x00400000UL)
63254 -+
63255 -+#define PAX_DELTA_MMAP_LEN ((current->thread.mflags & MF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
63256 -+#define PAX_DELTA_STACK_LEN ((current->thread.mflags & MF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
63257 -+#endif
63258 -+
63259 - #endif /* _ASM_ELF_H */
63260 -diff -Nurp linux-2.6.23.15/include/asm-mips/kmap_types.h linux-2.6.23.15-grsec/include/asm-mips/kmap_types.h
63261 ---- linux-2.6.23.15/include/asm-mips/kmap_types.h 2007-10-09 21:31:38.000000000 +0100
63262 -+++ linux-2.6.23.15-grsec/include/asm-mips/kmap_types.h 2008-02-11 10:37:44.000000000 +0000
63263 -@@ -22,7 +22,8 @@ D(9) KM_IRQ0,
63264 - D(10) KM_IRQ1,
63265 - D(11) KM_SOFTIRQ0,
63266 - D(12) KM_SOFTIRQ1,
63267 --D(13) KM_TYPE_NR
63268 -+D(13) KM_CLEARPAGE,
63269 -+D(14) KM_TYPE_NR
63270 - };
63271 -
63272 - #undef D
63273 -diff -Nurp linux-2.6.23.15/include/asm-mips/page.h linux-2.6.23.15-grsec/include/asm-mips/page.h
63274 ---- linux-2.6.23.15/include/asm-mips/page.h 2007-10-09 21:31:38.000000000 +0100
63275 -+++ linux-2.6.23.15-grsec/include/asm-mips/page.h 2008-02-11 10:37:44.000000000 +0000
63276 -@@ -82,7 +82,7 @@ extern void copy_user_highpage(struct pa
63277 - #ifdef CONFIG_CPU_MIPS32
63278 - typedef struct { unsigned long pte_low, pte_high; } pte_t;
63279 - #define pte_val(x) ((x).pte_low | ((unsigned long long)(x).pte_high << 32))
63280 -- #define __pte(x) ({ pte_t __pte = {(x), ((unsigned long long)(x)) >> 32}; __pte; })
63281 -+ #define __pte(x) ({ pte_t __pte = {(x), (x) >> 32}; __pte; })
63282 - #else
63283 - typedef struct { unsigned long long pte; } pte_t;
63284 - #define pte_val(x) ((x).pte)
63285 -diff -Nurp linux-2.6.23.15/include/asm-mips/system.h linux-2.6.23.15-grsec/include/asm-mips/system.h
63286 ---- linux-2.6.23.15/include/asm-mips/system.h 2007-10-09 21:31:38.000000000 +0100
63287 -+++ linux-2.6.23.15-grsec/include/asm-mips/system.h 2008-02-11 10:37:44.000000000 +0000
63288 -@@ -213,6 +213,6 @@ extern int stop_a_enabled;
63289 - */
63290 - #define __ARCH_WANT_UNLOCKED_CTXSW
63291 -
63292 --extern unsigned long arch_align_stack(unsigned long sp);
63293 -+#define arch_align_stack(x) (x)
63294 -
63295 - #endif /* _ASM_SYSTEM_H */
63296 -diff -Nurp linux-2.6.23.15/include/asm-parisc/a.out.h linux-2.6.23.15-grsec/include/asm-parisc/a.out.h
63297 ---- linux-2.6.23.15/include/asm-parisc/a.out.h 2007-10-09 21:31:38.000000000 +0100
63298 -+++ linux-2.6.23.15-grsec/include/asm-parisc/a.out.h 2008-02-11 10:37:44.000000000 +0000
63299 -@@ -22,7 +22,7 @@ struct exec
63300 - /* XXX: STACK_TOP actually should be STACK_BOTTOM for parisc.
63301 - * prumpf */
63302 -
63303 --#define STACK_TOP TASK_SIZE
63304 -+#define __STACK_TOP TASK_SIZE
63305 - #define STACK_TOP_MAX DEFAULT_TASK_SIZE
63306 -
63307 - #endif
63308 -diff -Nurp linux-2.6.23.15/include/asm-parisc/elf.h linux-2.6.23.15-grsec/include/asm-parisc/elf.h
63309 ---- linux-2.6.23.15/include/asm-parisc/elf.h 2007-10-09 21:31:38.000000000 +0100
63310 -+++ linux-2.6.23.15-grsec/include/asm-parisc/elf.h 2008-02-11 10:37:44.000000000 +0000
63311 -@@ -337,6 +337,13 @@ struct pt_regs; /* forward declaration..
63312 -
63313 - #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE + 0x01000000)
63314 -
63315 -+#ifdef CONFIG_PAX_ASLR
63316 -+#define PAX_ELF_ET_DYN_BASE 0x10000UL
63317 -+
63318 -+#define PAX_DELTA_MMAP_LEN 16
63319 -+#define PAX_DELTA_STACK_LEN 16
63320 -+#endif
63321 -+
63322 - /* This yields a mask that user programs can use to figure out what
63323 - instruction set this CPU supports. This could be done in user space,
63324 - but it's not easy, and we've already done it here. */
63325 -diff -Nurp linux-2.6.23.15/include/asm-parisc/kmap_types.h linux-2.6.23.15-grsec/include/asm-parisc/kmap_types.h
63326 ---- linux-2.6.23.15/include/asm-parisc/kmap_types.h 2007-10-09 21:31:38.000000000 +0100
63327 -+++ linux-2.6.23.15-grsec/include/asm-parisc/kmap_types.h 2008-02-11 10:37:44.000000000 +0000
63328 -@@ -22,7 +22,8 @@ D(9) KM_IRQ0,
63329 - D(10) KM_IRQ1,
63330 - D(11) KM_SOFTIRQ0,
63331 - D(12) KM_SOFTIRQ1,
63332 --D(13) KM_TYPE_NR
63333 -+D(13) KM_CLEARPAGE,
63334 -+D(14) KM_TYPE_NR
63335 - };
63336 -
63337 - #undef D
63338 -diff -Nurp linux-2.6.23.15/include/asm-parisc/pgtable.h linux-2.6.23.15-grsec/include/asm-parisc/pgtable.h
63339 ---- linux-2.6.23.15/include/asm-parisc/pgtable.h 2007-10-09 21:31:38.000000000 +0100
63340 -+++ linux-2.6.23.15-grsec/include/asm-parisc/pgtable.h 2008-02-11 10:37:44.000000000 +0000
63341 -@@ -218,6 +218,17 @@ extern void *vmalloc_start;
63342 - #define PAGE_EXECREAD __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_EXEC |_PAGE_ACCESSED)
63343 - #define PAGE_COPY PAGE_EXECREAD
63344 - #define PAGE_RWX __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_WRITE | _PAGE_EXEC |_PAGE_ACCESSED)
63345 -+
63346 -+#ifdef CONFIG_PAX_PAGEEXEC
63347 -+# define PAGE_SHARED_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_WRITE | _PAGE_ACCESSED)
63348 -+# define PAGE_COPY_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_ACCESSED)
63349 -+# define PAGE_READONLY_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_ACCESSED)
63350 -+#else
63351 -+# define PAGE_SHARED_NOEXEC PAGE_SHARED
63352 -+# define PAGE_COPY_NOEXEC PAGE_COPY
63353 -+# define PAGE_READONLY_NOEXEC PAGE_READONLY
63354 -+#endif
63355 -+
63356 - #define PAGE_KERNEL __pgprot(_PAGE_KERNEL)
63357 - #define PAGE_KERNEL_RO __pgprot(_PAGE_KERNEL & ~_PAGE_WRITE)
63358 - #define PAGE_KERNEL_UNC __pgprot(_PAGE_KERNEL | _PAGE_NO_CACHE)
63359 -diff -Nurp linux-2.6.23.15/include/asm-powerpc/a.out.h linux-2.6.23.15-grsec/include/asm-powerpc/a.out.h
63360 ---- linux-2.6.23.15/include/asm-powerpc/a.out.h 2007-10-09 21:31:38.000000000 +0100
63361 -+++ linux-2.6.23.15-grsec/include/asm-powerpc/a.out.h 2008-02-11 10:37:44.000000000 +0000
63362 -@@ -23,15 +23,15 @@ struct exec
63363 - #define STACK_TOP_USER64 TASK_SIZE_USER64
63364 - #define STACK_TOP_USER32 TASK_SIZE_USER32
63365 -
63366 --#define STACK_TOP (test_thread_flag(TIF_32BIT) ? \
63367 -+#define __STACK_TOP (test_thread_flag(TIF_32BIT) ? \
63368 - STACK_TOP_USER32 : STACK_TOP_USER64)
63369 -
63370 - #define STACK_TOP_MAX STACK_TOP_USER64
63371 -
63372 - #else /* __powerpc64__ */
63373 -
63374 --#define STACK_TOP TASK_SIZE
63375 --#define STACK_TOP_MAX STACK_TOP
63376 -+#define __STACK_TOP TASK_SIZE
63377 -+#define STACK_TOP_MAX __STACK_TOP
63378 -
63379 - #endif /* __powerpc64__ */
63380 - #endif /* __KERNEL__ */
63381 -diff -Nurp linux-2.6.23.15/include/asm-powerpc/elf.h linux-2.6.23.15-grsec/include/asm-powerpc/elf.h
63382 ---- linux-2.6.23.15/include/asm-powerpc/elf.h 2007-10-09 21:31:38.000000000 +0100
63383 -+++ linux-2.6.23.15-grsec/include/asm-powerpc/elf.h 2008-02-11 10:37:44.000000000 +0000
63384 -@@ -159,6 +159,18 @@ typedef elf_vrreg_t elf_vrregset_t[ELF_N
63385 - typedef elf_vrreg_t elf_vrregset_t32[ELF_NVRREG32];
63386 - #endif
63387 -
63388 -+#ifdef CONFIG_PAX_ASLR
63389 -+#define PAX_ELF_ET_DYN_BASE (0x10000000UL)
63390 -+
63391 -+#ifdef __powerpc64__
63392 -+#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_32BIT) ? 16 : 28)
63393 -+#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_32BIT) ? 16 : 28)
63394 -+#else
63395 -+#define PAX_DELTA_MMAP_LEN 15
63396 -+#define PAX_DELTA_STACK_LEN 15
63397 -+#endif
63398 -+#endif
63399 -+
63400 - #ifdef __KERNEL__
63401 - /*
63402 - * This is used to ensure we don't load something for the wrong architecture.
63403 -diff -Nurp linux-2.6.23.15/include/asm-powerpc/kmap_types.h linux-2.6.23.15-grsec/include/asm-powerpc/kmap_types.h
63404 ---- linux-2.6.23.15/include/asm-powerpc/kmap_types.h 2007-10-09 21:31:38.000000000 +0100
63405 -+++ linux-2.6.23.15-grsec/include/asm-powerpc/kmap_types.h 2008-02-11 10:37:44.000000000 +0000
63406 -@@ -26,6 +26,7 @@ enum km_type {
63407 - KM_SOFTIRQ1,
63408 - KM_PPC_SYNC_PAGE,
63409 - KM_PPC_SYNC_ICACHE,
63410 -+ KM_CLEARPAGE,
63411 - KM_TYPE_NR
63412 - };
63413 -
63414 -diff -Nurp linux-2.6.23.15/include/asm-powerpc/page.h linux-2.6.23.15-grsec/include/asm-powerpc/page.h
63415 ---- linux-2.6.23.15/include/asm-powerpc/page.h 2007-10-09 21:31:38.000000000 +0100
63416 -+++ linux-2.6.23.15-grsec/include/asm-powerpc/page.h 2008-02-11 10:37:44.000000000 +0000
63417 -@@ -71,8 +71,9 @@
63418 - * and needs to be executable. This means the whole heap ends
63419 - * up being executable.
63420 - */
63421 --#define VM_DATA_DEFAULT_FLAGS32 (VM_READ | VM_WRITE | VM_EXEC | \
63422 -- VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
63423 -+#define VM_DATA_DEFAULT_FLAGS32 \
63424 -+ (((current->personality & READ_IMPLIES_EXEC) ? VM_EXEC : 0 ) | \
63425 -+ VM_READ | VM_WRITE | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
63426 -
63427 - #define VM_DATA_DEFAULT_FLAGS64 (VM_READ | VM_WRITE | \
63428 - VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
63429 -diff -Nurp linux-2.6.23.15/include/asm-powerpc/page_64.h linux-2.6.23.15-grsec/include/asm-powerpc/page_64.h
63430 ---- linux-2.6.23.15/include/asm-powerpc/page_64.h 2007-10-09 21:31:38.000000000 +0100
63431 -+++ linux-2.6.23.15-grsec/include/asm-powerpc/page_64.h 2008-02-11 10:37:44.000000000 +0000
63432 -@@ -158,15 +158,18 @@ extern int is_hugepage_only_range(struct
63433 - * stack by default, so in the absense of a PT_GNU_STACK program header
63434 - * we turn execute permission off.
63435 - */
63436 --#define VM_STACK_DEFAULT_FLAGS32 (VM_READ | VM_WRITE | VM_EXEC | \
63437 -- VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
63438 -+#define VM_STACK_DEFAULT_FLAGS32 \
63439 -+ (((current->personality & READ_IMPLIES_EXEC) ? VM_EXEC : 0 ) | \
63440 -+ VM_READ | VM_WRITE | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
63441 -
63442 - #define VM_STACK_DEFAULT_FLAGS64 (VM_READ | VM_WRITE | \
63443 - VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
63444 -
63445 -+#ifndef CONFIG_PAX_PAGEEXEC
63446 - #define VM_STACK_DEFAULT_FLAGS \
63447 - (test_thread_flag(TIF_32BIT) ? \
63448 - VM_STACK_DEFAULT_FLAGS32 : VM_STACK_DEFAULT_FLAGS64)
63449 -+#endif
63450 -
63451 - #include <asm-generic/page.h>
63452 -
63453 -diff -Nurp linux-2.6.23.15/include/asm-ppc/mmu_context.h linux-2.6.23.15-grsec/include/asm-ppc/mmu_context.h
63454 ---- linux-2.6.23.15/include/asm-ppc/mmu_context.h 2007-10-09 21:31:38.000000000 +0100
63455 -+++ linux-2.6.23.15-grsec/include/asm-ppc/mmu_context.h 2008-02-11 10:37:44.000000000 +0000
63456 -@@ -145,7 +145,8 @@ static inline void get_mmu_context(struc
63457 - static inline int init_new_context(struct task_struct *t, struct mm_struct *mm)
63458 - {
63459 - mm->context.id = NO_CONTEXT;
63460 -- mm->context.vdso_base = 0;
63461 -+ if (t == current)
63462 -+ mm->context.vdso_base = ~0UL;
63463 - return 0;
63464 - }
63465 -
63466 -diff -Nurp linux-2.6.23.15/include/asm-ppc/pgtable.h linux-2.6.23.15-grsec/include/asm-ppc/pgtable.h
63467 ---- linux-2.6.23.15/include/asm-ppc/pgtable.h 2007-10-09 21:31:38.000000000 +0100
63468 -+++ linux-2.6.23.15-grsec/include/asm-ppc/pgtable.h 2008-02-11 10:37:44.000000000 +0000
63469 -@@ -440,11 +440,21 @@ extern unsigned long ioremap_bot, iorema
63470 -
63471 - #define PAGE_NONE __pgprot(_PAGE_BASE)
63472 - #define PAGE_READONLY __pgprot(_PAGE_BASE | _PAGE_USER)
63473 --#define PAGE_READONLY_X __pgprot(_PAGE_BASE | _PAGE_USER | _PAGE_EXEC)
63474 -+#define PAGE_READONLY_X __pgprot(_PAGE_BASE | _PAGE_USER | _PAGE_EXEC | _PAGE_HWEXEC)
63475 - #define PAGE_SHARED __pgprot(_PAGE_BASE | _PAGE_USER | _PAGE_RW)
63476 --#define PAGE_SHARED_X __pgprot(_PAGE_BASE | _PAGE_USER | _PAGE_RW | _PAGE_EXEC)
63477 -+#define PAGE_SHARED_X __pgprot(_PAGE_BASE | _PAGE_USER | _PAGE_RW | _PAGE_EXEC | _PAGE_HWEXEC)
63478 - #define PAGE_COPY __pgprot(_PAGE_BASE | _PAGE_USER)
63479 --#define PAGE_COPY_X __pgprot(_PAGE_BASE | _PAGE_USER | _PAGE_EXEC)
63480 -+#define PAGE_COPY_X __pgprot(_PAGE_BASE | _PAGE_USER | _PAGE_EXEC | _PAGE_HWEXEC)
63481 -+
63482 -+#if defined(CONFIG_PAX_PAGEEXEC) && !defined(CONFIG_40x) && !defined(CONFIG_44x)
63483 -+# define PAGE_SHARED_NOEXEC __pgprot(_PAGE_BASE | _PAGE_USER | _PAGE_RW | _PAGE_GUARDED)
63484 -+# define PAGE_COPY_NOEXEC __pgprot(_PAGE_BASE | _PAGE_USER | _PAGE_GUARDED)
63485 -+# define PAGE_READONLY_NOEXEC __pgprot(_PAGE_BASE | _PAGE_USER | _PAGE_GUARDED)
63486 -+#else
63487 -+# define PAGE_SHARED_NOEXEC PAGE_SHARED
63488 -+# define PAGE_COPY_NOEXEC PAGE_COPY
63489 -+# define PAGE_READONLY_NOEXEC PAGE_READONLY
63490 -+#endif
63491 -
63492 - #define PAGE_KERNEL __pgprot(_PAGE_RAM)
63493 - #define PAGE_KERNEL_NOCACHE __pgprot(_PAGE_IO)
63494 -@@ -456,21 +466,21 @@ extern unsigned long ioremap_bot, iorema
63495 - * This is the closest we can get..
63496 - */
63497 - #define __P000 PAGE_NONE
63498 --#define __P001 PAGE_READONLY_X
63499 --#define __P010 PAGE_COPY
63500 --#define __P011 PAGE_COPY_X
63501 --#define __P100 PAGE_READONLY
63502 -+#define __P001 PAGE_READONLY_NOEXEC
63503 -+#define __P010 PAGE_COPY_NOEXEC
63504 -+#define __P011 PAGE_COPY_NOEXEC
63505 -+#define __P100 PAGE_READONLY_X
63506 - #define __P101 PAGE_READONLY_X
63507 --#define __P110 PAGE_COPY
63508 -+#define __P110 PAGE_COPY_X
63509 - #define __P111 PAGE_COPY_X
63510 -
63511 - #define __S000 PAGE_NONE
63512 --#define __S001 PAGE_READONLY_X
63513 --#define __S010 PAGE_SHARED
63514 --#define __S011 PAGE_SHARED_X
63515 --#define __S100 PAGE_READONLY
63516 -+#define __S001 PAGE_READONLY_NOEXEC
63517 -+#define __S010 PAGE_SHARED_NOEXEC
63518 -+#define __S011 PAGE_SHARED_NOEXEC
63519 -+#define __S100 PAGE_READONLY_X
63520 - #define __S101 PAGE_READONLY_X
63521 --#define __S110 PAGE_SHARED
63522 -+#define __S110 PAGE_SHARED_X
63523 - #define __S111 PAGE_SHARED_X
63524 -
63525 - #ifndef __ASSEMBLY__
63526 -diff -Nurp linux-2.6.23.15/include/asm-s390/kmap_types.h linux-2.6.23.15-grsec/include/asm-s390/kmap_types.h
63527 ---- linux-2.6.23.15/include/asm-s390/kmap_types.h 2007-10-09 21:31:38.000000000 +0100
63528 -+++ linux-2.6.23.15-grsec/include/asm-s390/kmap_types.h 2008-02-11 10:37:44.000000000 +0000
63529 -@@ -16,6 +16,7 @@ enum km_type {
63530 - KM_IRQ1,
63531 - KM_SOFTIRQ0,
63532 - KM_SOFTIRQ1,
63533 -+ KM_CLEARPAGE,
63534 - KM_TYPE_NR
63535 - };
63536 -
63537 -diff -Nurp linux-2.6.23.15/include/asm-sh/kmap_types.h linux-2.6.23.15-grsec/include/asm-sh/kmap_types.h
63538 ---- linux-2.6.23.15/include/asm-sh/kmap_types.h 2007-10-09 21:31:38.000000000 +0100
63539 -+++ linux-2.6.23.15-grsec/include/asm-sh/kmap_types.h 2008-02-11 10:37:44.000000000 +0000
63540 -@@ -24,7 +24,8 @@ D(9) KM_IRQ0,
63541 - D(10) KM_IRQ1,
63542 - D(11) KM_SOFTIRQ0,
63543 - D(12) KM_SOFTIRQ1,
63544 --D(13) KM_TYPE_NR
63545 -+D(13) KM_CLEARPAGE,
63546 -+D(14) KM_TYPE_NR
63547 - };
63548 -
63549 - #undef D
63550 -diff -Nurp linux-2.6.23.15/include/asm-sparc/a.out.h linux-2.6.23.15-grsec/include/asm-sparc/a.out.h
63551 ---- linux-2.6.23.15/include/asm-sparc/a.out.h 2007-10-09 21:31:38.000000000 +0100
63552 -+++ linux-2.6.23.15-grsec/include/asm-sparc/a.out.h 2008-02-11 10:37:44.000000000 +0000
63553 -@@ -91,8 +91,8 @@ struct relocation_info /* used when head
63554 -
63555 - #include <asm/page.h>
63556 -
63557 --#define STACK_TOP (PAGE_OFFSET - PAGE_SIZE)
63558 --#define STACK_TOP_MAX STACK_TOP
63559 -+#define __STACK_TOP (PAGE_OFFSET - PAGE_SIZE)
63560 -+#define STACK_TOP_MAX __STACK_TOP
63561 -
63562 - #endif /* __KERNEL__ */
63563 -
63564 -diff -Nurp linux-2.6.23.15/include/asm-sparc/elf.h linux-2.6.23.15-grsec/include/asm-sparc/elf.h
63565 ---- linux-2.6.23.15/include/asm-sparc/elf.h 2007-10-09 21:31:38.000000000 +0100
63566 -+++ linux-2.6.23.15-grsec/include/asm-sparc/elf.h 2008-02-11 10:37:44.000000000 +0000
63567 -@@ -143,6 +143,13 @@ do { unsigned long *dest = &(__elf_regs[
63568 -
63569 - #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE)
63570 -
63571 -+#ifdef CONFIG_PAX_ASLR
63572 -+#define PAX_ELF_ET_DYN_BASE 0x10000UL
63573 -+
63574 -+#define PAX_DELTA_MMAP_LEN 16
63575 -+#define PAX_DELTA_STACK_LEN 16
63576 -+#endif
63577 -+
63578 - /* This yields a mask that user programs can use to figure out what
63579 - instruction set this cpu supports. This can NOT be done in userspace
63580 - on Sparc. */
63581 -diff -Nurp linux-2.6.23.15/include/asm-sparc/kmap_types.h linux-2.6.23.15-grsec/include/asm-sparc/kmap_types.h
63582 ---- linux-2.6.23.15/include/asm-sparc/kmap_types.h 2007-10-09 21:31:38.000000000 +0100
63583 -+++ linux-2.6.23.15-grsec/include/asm-sparc/kmap_types.h 2008-02-11 10:37:44.000000000 +0000
63584 -@@ -15,6 +15,7 @@ enum km_type {
63585 - KM_IRQ1,
63586 - KM_SOFTIRQ0,
63587 - KM_SOFTIRQ1,
63588 -+ KM_CLEARPAGE,
63589 - KM_TYPE_NR
63590 - };
63591 -
63592 -diff -Nurp linux-2.6.23.15/include/asm-sparc/pgtable.h linux-2.6.23.15-grsec/include/asm-sparc/pgtable.h
63593 ---- linux-2.6.23.15/include/asm-sparc/pgtable.h 2007-10-09 21:31:38.000000000 +0100
63594 -+++ linux-2.6.23.15-grsec/include/asm-sparc/pgtable.h 2008-02-11 10:37:44.000000000 +0000
63595 -@@ -69,6 +69,16 @@ extern pgprot_t PAGE_SHARED;
63596 - #define PAGE_COPY __pgprot(BTFIXUP_INT(page_copy))
63597 - #define PAGE_READONLY __pgprot(BTFIXUP_INT(page_readonly))
63598 -
63599 -+#ifdef CONFIG_PAX_PAGEEXEC
63600 -+extern pgprot_t PAGE_SHARED_NOEXEC;
63601 -+# define PAGE_COPY_NOEXEC __pgprot(BTFIXUP_INT(page_copy_noexec))
63602 -+# define PAGE_READONLY_NOEXEC __pgprot(BTFIXUP_INT(page_readonly_noexec))
63603 -+#else
63604 -+# define PAGE_SHARED_NOEXEC PAGE_SHARED
63605 -+# define PAGE_COPY_NOEXEC PAGE_COPY
63606 -+# define PAGE_READONLY_NOEXEC PAGE_READONLY
63607 -+#endif
63608 -+
63609 - extern unsigned long page_kernel;
63610 -
63611 - #ifdef MODULE
63612 -diff -Nurp linux-2.6.23.15/include/asm-sparc/pgtsrmmu.h linux-2.6.23.15-grsec/include/asm-sparc/pgtsrmmu.h
63613 ---- linux-2.6.23.15/include/asm-sparc/pgtsrmmu.h 2007-10-09 21:31:38.000000000 +0100
63614 -+++ linux-2.6.23.15-grsec/include/asm-sparc/pgtsrmmu.h 2008-02-11 10:37:44.000000000 +0000
63615 -@@ -115,6 +115,16 @@
63616 - SRMMU_EXEC | SRMMU_REF)
63617 - #define SRMMU_PAGE_RDONLY __pgprot(SRMMU_VALID | SRMMU_CACHE | \
63618 - SRMMU_EXEC | SRMMU_REF)
63619 -+
63620 -+#ifdef CONFIG_PAX_PAGEEXEC
63621 -+#define SRMMU_PAGE_SHARED_NOEXEC __pgprot(SRMMU_VALID | SRMMU_CACHE | \
63622 -+ SRMMU_WRITE | SRMMU_REF)
63623 -+#define SRMMU_PAGE_COPY_NOEXEC __pgprot(SRMMU_VALID | SRMMU_CACHE | \
63624 -+ SRMMU_REF)
63625 -+#define SRMMU_PAGE_RDONLY_NOEXEC __pgprot(SRMMU_VALID | SRMMU_CACHE | \
63626 -+ SRMMU_REF)
63627 -+#endif
63628 -+
63629 - #define SRMMU_PAGE_KERNEL __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_PRIV | \
63630 - SRMMU_DIRTY | SRMMU_REF)
63631 -
63632 -diff -Nurp linux-2.6.23.15/include/asm-sparc/uaccess.h linux-2.6.23.15-grsec/include/asm-sparc/uaccess.h
63633 ---- linux-2.6.23.15/include/asm-sparc/uaccess.h 2007-10-09 21:31:38.000000000 +0100
63634 -+++ linux-2.6.23.15-grsec/include/asm-sparc/uaccess.h 2008-02-11 10:37:44.000000000 +0000
63635 -@@ -41,7 +41,7 @@
63636 - * No one can read/write anything from userland in the kernel space by setting
63637 - * large size and address near to PAGE_OFFSET - a fault will break his intentions.
63638 - */
63639 --#define __user_ok(addr, size) ({ (void)(size); (addr) < STACK_TOP; })
63640 -+#define __user_ok(addr, size) ({ (void)(size); (addr) < __STACK_TOP; })
63641 - #define __kernel_ok (segment_eq(get_fs(), KERNEL_DS))
63642 - #define __access_ok(addr,size) (__user_ok((addr) & get_fs().seg,(size)))
63643 - #define access_ok(type, addr, size) \
63644 -diff -Nurp linux-2.6.23.15/include/asm-sparc64/a.out.h linux-2.6.23.15-grsec/include/asm-sparc64/a.out.h
63645 ---- linux-2.6.23.15/include/asm-sparc64/a.out.h 2007-10-09 21:31:38.000000000 +0100
63646 -+++ linux-2.6.23.15-grsec/include/asm-sparc64/a.out.h 2008-02-11 10:37:44.000000000 +0000
63647 -@@ -98,7 +98,7 @@ struct relocation_info /* used when head
63648 - #define STACK_TOP32 ((1UL << 32UL) - PAGE_SIZE)
63649 - #define STACK_TOP64 (0x0000080000000000UL - (1UL << 32UL))
63650 -
63651 --#define STACK_TOP (test_thread_flag(TIF_32BIT) ? \
63652 -+#define __STACK_TOP (test_thread_flag(TIF_32BIT) ? \
63653 - STACK_TOP32 : STACK_TOP64)
63654 -
63655 - #define STACK_TOP_MAX STACK_TOP64
63656 -diff -Nurp linux-2.6.23.15/include/asm-sparc64/elf.h linux-2.6.23.15-grsec/include/asm-sparc64/elf.h
63657 ---- linux-2.6.23.15/include/asm-sparc64/elf.h 2007-10-09 21:31:38.000000000 +0100
63658 -+++ linux-2.6.23.15-grsec/include/asm-sparc64/elf.h 2008-02-11 10:37:44.000000000 +0000
63659 -@@ -143,6 +143,12 @@ typedef struct {
63660 - #define ELF_ET_DYN_BASE 0x0000010000000000UL
63661 - #endif
63662 -
63663 -+#ifdef CONFIG_PAX_ASLR
63664 -+#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_32BIT) ? 0x10000UL : 0x100000UL)
63665 -+
63666 -+#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_32BIT) ? 14 : 28 )
63667 -+#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_32BIT) ? 15 : 29 )
63668 -+#endif
63669 -
63670 - /* This yields a mask that user programs can use to figure out what
63671 - instruction set this cpu supports. */
63672 -diff -Nurp linux-2.6.23.15/include/asm-sparc64/kmap_types.h linux-2.6.23.15-grsec/include/asm-sparc64/kmap_types.h
63673 ---- linux-2.6.23.15/include/asm-sparc64/kmap_types.h 2007-10-09 21:31:38.000000000 +0100
63674 -+++ linux-2.6.23.15-grsec/include/asm-sparc64/kmap_types.h 2008-02-11 10:37:44.000000000 +0000
63675 -@@ -19,6 +19,7 @@ enum km_type {
63676 - KM_IRQ1,
63677 - KM_SOFTIRQ0,
63678 - KM_SOFTIRQ1,
63679 -+ KM_CLEARPAGE,
63680 - KM_TYPE_NR
63681 - };
63682 -
63683 -diff -Nurp linux-2.6.23.15/include/asm-um/kmap_types.h linux-2.6.23.15-grsec/include/asm-um/kmap_types.h
63684 ---- linux-2.6.23.15/include/asm-um/kmap_types.h 2007-10-09 21:31:38.000000000 +0100
63685 -+++ linux-2.6.23.15-grsec/include/asm-um/kmap_types.h 2008-02-11 10:37:44.000000000 +0000
63686 -@@ -23,6 +23,7 @@ enum km_type {
63687 - KM_IRQ1,
63688 - KM_SOFTIRQ0,
63689 - KM_SOFTIRQ1,
63690 -+ KM_CLEARPAGE,
63691 - KM_TYPE_NR
63692 - };
63693 -
63694 -diff -Nurp linux-2.6.23.15/include/asm-v850/kmap_types.h linux-2.6.23.15-grsec/include/asm-v850/kmap_types.h
63695 ---- linux-2.6.23.15/include/asm-v850/kmap_types.h 2007-10-09 21:31:38.000000000 +0100
63696 -+++ linux-2.6.23.15-grsec/include/asm-v850/kmap_types.h 2008-02-11 10:37:44.000000000 +0000
63697 -@@ -13,6 +13,7 @@ enum km_type {
63698 - KM_PTE1,
63699 - KM_IRQ0,
63700 - KM_IRQ1,
63701 -+ KM_CLEARPAGE,
63702 - KM_TYPE_NR
63703 - };
63704 -
63705 -diff -Nurp linux-2.6.23.15/include/asm-x86_64/a.out.h linux-2.6.23.15-grsec/include/asm-x86_64/a.out.h
63706 ---- linux-2.6.23.15/include/asm-x86_64/a.out.h 2007-10-09 21:31:38.000000000 +0100
63707 -+++ linux-2.6.23.15-grsec/include/asm-x86_64/a.out.h 2008-02-11 10:37:45.000000000 +0000
63708 -@@ -21,7 +21,7 @@ struct exec
63709 -
63710 - #ifdef __KERNEL__
63711 - #include <linux/thread_info.h>
63712 --#define STACK_TOP TASK_SIZE
63713 -+#define __STACK_TOP TASK_SIZE
63714 - #define STACK_TOP_MAX TASK_SIZE64
63715 - #endif
63716 -
63717 -diff -Nurp linux-2.6.23.15/include/asm-x86_64/apic.h linux-2.6.23.15-grsec/include/asm-x86_64/apic.h
63718 ---- linux-2.6.23.15/include/asm-x86_64/apic.h 2007-10-09 21:31:38.000000000 +0100
63719 -+++ linux-2.6.23.15-grsec/include/asm-x86_64/apic.h 2008-02-11 10:37:45.000000000 +0000
63720 -@@ -7,7 +7,7 @@
63721 - #include <asm/apicdef.h>
63722 - #include <asm/system.h>
63723 -
63724 --#define Dprintk(x...)
63725 -+#define Dprintk(x...) do {} while (0)
63726 -
63727 - /*
63728 - * Debugging macros
63729 -diff -Nurp linux-2.6.23.15/include/asm-x86_64/elf.h linux-2.6.23.15-grsec/include/asm-x86_64/elf.h
63730 ---- linux-2.6.23.15/include/asm-x86_64/elf.h 2007-10-09 21:31:38.000000000 +0100
63731 -+++ linux-2.6.23.15-grsec/include/asm-x86_64/elf.h 2008-02-11 10:37:45.000000000 +0000
63732 -@@ -92,6 +92,13 @@ typedef struct user_i387_struct elf_fpre
63733 -
63734 - #define ELF_ET_DYN_BASE (2 * TASK_SIZE / 3)
63735 -
63736 -+#ifdef CONFIG_PAX_ASLR
63737 -+#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_IA32) ? 0x08048000UL : 0x400000UL)
63738 -+
63739 -+#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_IA32) ? 16 : 32)
63740 -+#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_IA32) ? 16 : 32)
63741 -+#endif
63742 -+
63743 - /* regs is struct pt_regs, pr_reg is elf_gregset_t (which is
63744 - now struct_user_regs, they are different). Assumes current is the process
63745 - getting dumped. */
63746 -@@ -172,7 +179,7 @@ extern int vdso_enabled;
63747 -
63748 - #define ARCH_DLINFO \
63749 - do if (vdso_enabled) { \
63750 -- NEW_AUX_ENT(AT_SYSINFO_EHDR,(unsigned long)current->mm->context.vdso);\
63751 -+ NEW_AUX_ENT(AT_SYSINFO_EHDR, current->mm->context.vdso);\
63752 - } while (0)
63753 -
63754 - #endif
63755 -diff -Nurp linux-2.6.23.15/include/asm-x86_64/futex.h linux-2.6.23.15-grsec/include/asm-x86_64/futex.h
63756 ---- linux-2.6.23.15/include/asm-x86_64/futex.h 2007-10-09 21:31:38.000000000 +0100
63757 -+++ linux-2.6.23.15-grsec/include/asm-x86_64/futex.h 2008-02-11 10:37:45.000000000 +0000
63758 -@@ -42,7 +42,7 @@
63759 - : "r" (oparg), "i" (-EFAULT), "m" (*uaddr), "1" (0))
63760 -
63761 - static inline int
63762 --futex_atomic_op_inuser (int encoded_op, int __user *uaddr)
63763 -+futex_atomic_op_inuser (int encoded_op, u32 __user *uaddr)
63764 - {
63765 - int op = (encoded_op >> 28) & 7;
63766 - int cmp = (encoded_op >> 24) & 15;
63767 -@@ -95,7 +95,7 @@ futex_atomic_op_inuser (int encoded_op,
63768 - }
63769 -
63770 - static inline int
63771 --futex_atomic_cmpxchg_inatomic(int __user *uaddr, int oldval, int newval)
63772 -+futex_atomic_cmpxchg_inatomic(u32 __user *uaddr, int oldval, int newval)
63773 - {
63774 - if (!access_ok(VERIFY_WRITE, uaddr, sizeof(int)))
63775 - return -EFAULT;
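Review bot: The access_ok() check in futex_atomic_cmpxchg_inatomic still sizes the user range with `sizeof(int)` although the parameter has just been retyped to `u32 __user *uaddr`; both are four bytes on x86_64, so this is a consistency point rather than a bug, but tying the check to the pointer type keeps the two from drifting if the type is changed again: `if (!access_ok(VERIFY_WRITE, uaddr, sizeof(*uaddr)))`. The body of futex_atomic_cmpxchg_inatomic continues outside the hunk.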
63776 -diff -Nurp linux-2.6.23.15/include/asm-x86_64/ia32.h linux-2.6.23.15-grsec/include/asm-x86_64/ia32.h
63777 ---- linux-2.6.23.15/include/asm-x86_64/ia32.h 2007-10-09 21:31:38.000000000 +0100
63778 -+++ linux-2.6.23.15-grsec/include/asm-x86_64/ia32.h 2008-02-11 10:37:45.000000000 +0000
63779 -@@ -156,7 +156,13 @@ struct ustat32 {
63780 - char f_fpack[6];
63781 - };
63782 -
63783 --#define IA32_STACK_TOP IA32_PAGE_OFFSET
63784 -+#ifdef CONFIG_PAX_RANDUSTACK
63785 -+#define IA32_DELTA_STACK (current->mm->delta_stack)
63786 -+#else
63787 -+#define IA32_DELTA_STACK 0UL
63788 -+#endif
63789 -+
63790 -+#define IA32_STACK_TOP (IA32_PAGE_OFFSET - IA32_DELTA_STACK)
63791 -
63792 - #ifdef __KERNEL__
63793 - struct user_desc;
63794 -diff -Nurp linux-2.6.23.15/include/asm-x86_64/kmap_types.h linux-2.6.23.15-grsec/include/asm-x86_64/kmap_types.h
63795 ---- linux-2.6.23.15/include/asm-x86_64/kmap_types.h 2007-10-09 21:31:38.000000000 +0100
63796 -+++ linux-2.6.23.15-grsec/include/asm-x86_64/kmap_types.h 2008-02-11 10:37:45.000000000 +0000
63797 -@@ -13,6 +13,7 @@ enum km_type {
63798 - KM_IRQ1,
63799 - KM_SOFTIRQ0,
63800 - KM_SOFTIRQ1,
63801 -+ KM_CLEARPAGE,
63802 - KM_TYPE_NR
63803 - };
63804 -
63805 -diff -Nurp linux-2.6.23.15/include/asm-x86_64/mmu.h linux-2.6.23.15-grsec/include/asm-x86_64/mmu.h
63806 ---- linux-2.6.23.15/include/asm-x86_64/mmu.h 2007-10-09 21:31:38.000000000 +0100
63807 -+++ linux-2.6.23.15-grsec/include/asm-x86_64/mmu.h 2008-02-11 10:37:45.000000000 +0000
63808 -@@ -15,7 +15,7 @@ typedef struct {
63809 - rwlock_t ldtlock;
63810 - int size;
63811 - struct semaphore sem;
63812 -- void *vdso;
63813 -+ unsigned long vdso;
63814 - } mm_context_t;
63815 -
63816 - #endif
63817 -diff -Nurp linux-2.6.23.15/include/asm-x86_64/page.h linux-2.6.23.15-grsec/include/asm-x86_64/page.h
63818 ---- linux-2.6.23.15/include/asm-x86_64/page.h 2007-10-09 21:31:38.000000000 +0100
63819 -+++ linux-2.6.23.15-grsec/include/asm-x86_64/page.h 2008-02-11 10:37:45.000000000 +0000
63820 -@@ -94,6 +94,8 @@ extern unsigned long phys_base;
63821 - #define __START_KERNEL_map _AC(0xffffffff80000000, UL)
63822 - #define __PAGE_OFFSET _AC(0xffff810000000000, UL)
63823 -
63824 -+#define __KERNEL_TEXT_OFFSET (0)
63825 -+
63826 - /* to align the pointer to the (next) page boundary */
63827 - #define PAGE_ALIGN(addr) (((addr)+PAGE_SIZE-1)&PAGE_MASK)
63828 -
63829 -diff -Nurp linux-2.6.23.15/include/asm-x86_64/pgalloc.h linux-2.6.23.15-grsec/include/asm-x86_64/pgalloc.h
63830 ---- linux-2.6.23.15/include/asm-x86_64/pgalloc.h 2007-10-09 21:31:38.000000000 +0100
63831 -+++ linux-2.6.23.15-grsec/include/asm-x86_64/pgalloc.h 2008-02-11 10:37:45.000000000 +0000
63832 -@@ -6,7 +6,7 @@
63833 - #include <linux/mm.h>
63834 -
63835 - #define pmd_populate_kernel(mm, pmd, pte) \
63836 -- set_pmd(pmd, __pmd(_PAGE_TABLE | __pa(pte)))
63837 -+ set_pmd(pmd, __pmd(_KERNPG_TABLE | __pa(pte)))
63838 - #define pud_populate(mm, pud, pmd) \
63839 - set_pud(pud, __pud(_PAGE_TABLE | __pa(pmd)))
63840 - #define pgd_populate(mm, pgd, pud) \
63841 -diff -Nurp linux-2.6.23.15/include/asm-x86_64/pgtable.h linux-2.6.23.15-grsec/include/asm-x86_64/pgtable.h
63842 ---- linux-2.6.23.15/include/asm-x86_64/pgtable.h 2007-10-09 21:31:38.000000000 +0100
63843 -+++ linux-2.6.23.15-grsec/include/asm-x86_64/pgtable.h 2008-02-11 10:37:45.000000000 +0000
63844 -@@ -179,6 +179,10 @@ static inline pte_t ptep_get_and_clear_f
63845 - #define PAGE_COPY_EXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_ACCESSED)
63846 - #define PAGE_READONLY __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_ACCESSED | _PAGE_NX)
63847 - #define PAGE_READONLY_EXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_ACCESSED)
63848 -+
63849 -+#define PAGE_READONLY_NOEXEC PAGE_READONLY
63850 -+#define PAGE_SHARED_NOEXEC PAGE_SHARED
63851 -+
63852 - #define __PAGE_KERNEL \
63853 - (_PAGE_PRESENT | _PAGE_RW | _PAGE_DIRTY | _PAGE_ACCESSED | _PAGE_NX)
63854 - #define __PAGE_KERNEL_EXEC \
63855 -diff -Nurp linux-2.6.23.15/include/asm-x86_64/processor.h linux-2.6.23.15-grsec/include/asm-x86_64/processor.h
63856 ---- linux-2.6.23.15/include/asm-x86_64/processor.h 2007-10-09 21:31:38.000000000 +0100
63857 -+++ linux-2.6.23.15-grsec/include/asm-x86_64/processor.h 2008-02-11 10:37:45.000000000 +0000
63858 -@@ -140,7 +140,7 @@ static inline void clear_in_cr4 (unsigne
63859 - /* This decides where the kernel will search for a free chunk of vm
63860 - * space during mmap's.
63861 - */
63862 --#define IA32_PAGE_OFFSET ((current->personality & ADDR_LIMIT_3GB) ? 0xc0000000 : 0xFFFFe000)
63863 -+#define IA32_PAGE_OFFSET ((current->personality & ADDR_LIMIT_3GB) ? 0xc0000000 : 0xFFFFf000)
63864 -
63865 - #define TASK_SIZE (test_thread_flag(TIF_IA32) ? IA32_PAGE_OFFSET : TASK_SIZE64)
63866 - #define TASK_SIZE_OF(child) ((test_tsk_thread_flag(child, TIF_IA32)) ? IA32_PAGE_OFFSET : TASK_SIZE64)
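Review bot: The ia32 address-space ceiling moves from 0xFFFFe000 to 0xFFFFf000 with no comment, which makes the one extra user page at 0xffffe000 look accidental; in this kernel generation that address is, as far as I recall, where the compat vsyscall/vDSO page was pinned, so the change only holds together with the relocated compat vDSO handled elsewhere in the patch (not in this hunk). A one-line comment would spare the next reader from re-deriving that, e.g. `/* PaX: the compat vDSO is no longer pinned at 0xffffe000, so ia32 user space may extend up to the last page */`. Since TASK_SIZE and TASK_SIZE_OF below resolve to this value for ia32 tasks, every compat range check inherits the new bound.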
63867 -diff -Nurp linux-2.6.23.15/include/asm-x86_64/system.h linux-2.6.23.15-grsec/include/asm-x86_64/system.h
63868 ---- linux-2.6.23.15/include/asm-x86_64/system.h 2008-02-11 10:36:03.000000000 +0000
63869 -+++ linux-2.6.23.15-grsec/include/asm-x86_64/system.h 2008-02-11 10:37:45.000000000 +0000
63870 -@@ -174,7 +174,7 @@ static inline void write_cr8(unsigned lo
63871 -
63872 - void cpu_idle_wait(void);
63873 -
63874 --extern unsigned long arch_align_stack(unsigned long sp);
63875 -+#define arch_align_stack(x) (x)
63876 - extern void free_init_pages(char *what, unsigned long begin, unsigned long end);
63877 -
63878 - #endif
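Review bot: Replacing the `arch_align_stack()` prototype with an identity macro silently drops whatever per-exec stack-pointer adjustment the mainline function performed (its definition is not in this hunk; upstream's version is, as I recall, the sp jitter gated on randomize_va_space). PaX provides stack-top randomisation through `mm->delta_stack` only under CONFIG_PAX_RANDUSTACK, and the linux/a.out.h hunk further down falls back to `__DELTA_STACK 0UL` otherwise, so a kernel built with this patch but without RANDUSTACK appears to end up with no user-stack randomisation at all even with the sysctl enabled — worth confirming and, if intended, documenting at the definition: `#define arch_align_stack(x) (x) /* PaX: stack randomisation comes from mm->delta_stack (RANDUSTACK), not per-exec sp jitter */`.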
63879 -diff -Nurp linux-2.6.23.15/include/asm-xtensa/kmap_types.h linux-2.6.23.15-grsec/include/asm-xtensa/kmap_types.h
63880 ---- linux-2.6.23.15/include/asm-xtensa/kmap_types.h 2007-10-09 21:31:38.000000000 +0100
63881 -+++ linux-2.6.23.15-grsec/include/asm-xtensa/kmap_types.h 2008-02-11 10:37:45.000000000 +0000
63882 -@@ -25,6 +25,7 @@ enum km_type {
63883 - KM_IRQ1,
63884 - KM_SOFTIRQ0,
63885 - KM_SOFTIRQ1,
63886 -+ KM_CLEARPAGE,
63887 - KM_TYPE_NR
63888 - };
63889 -
63890 -diff -Nurp linux-2.6.23.15/include/linux/a.out.h linux-2.6.23.15-grsec/include/linux/a.out.h
63891 ---- linux-2.6.23.15/include/linux/a.out.h 2007-10-09 21:31:38.000000000 +0100
63892 -+++ linux-2.6.23.15-grsec/include/linux/a.out.h 2008-02-11 10:37:45.000000000 +0000
63893 -@@ -7,6 +7,16 @@
63894 -
63895 - #include <asm/a.out.h>
63896 -
63897 -+#ifdef CONFIG_PAX_RANDUSTACK
63898 -+#define __DELTA_STACK (current->mm->delta_stack)
63899 -+#else
63900 -+#define __DELTA_STACK 0UL
63901 -+#endif
63902 -+
63903 -+#ifndef STACK_TOP
63904 -+#define STACK_TOP (__STACK_TOP - __DELTA_STACK)
63905 -+#endif
63906 -+
63907 - #endif /* __STRUCT_EXEC_OVERRIDE__ */
63908 -
63909 - /* these go in the N_MACHTYPE field */
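Review bot: The new `__DELTA_STACK` and `STACK_TOP` definitions dereference `current->mm` but are not wrapped in `#ifdef __KERNEL__`, unlike the `__STACK_TOP` counterpart in the asm-x86_64/a.out.h hunk above, which sits inside that guard; linux/a.out.h is (as far as I recall) a unifdef-exported header, so the unguarded macros would be visible to user space where `current` and `__STACK_TOP` do not exist. Harmless unless a user program expands STACK_TOP, but cheap to make consistent: wrap the block in `#ifdef __KERNEL__` / `#endif`, mirroring the arch header.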
63910 -@@ -37,6 +47,14 @@ enum machine_type {
63911 - M_MIPS2 = 152 /* MIPS R6000/R4000 binary */
63912 - };
63913 -
63914 -+/* Constants for the N_FLAGS field */
63915 -+#define F_PAX_PAGEEXEC 1 /* Paging based non-executable pages */
63916 -+#define F_PAX_EMUTRAMP 2 /* Emulate trampolines */
63917 -+#define F_PAX_MPROTECT 4 /* Restrict mprotect() */
63918 -+#define F_PAX_RANDMMAP 8 /* Randomize mmap() base */
63919 -+/*#define F_PAX_RANDEXEC 16*/ /* Randomize ET_EXEC base */
63920 -+#define F_PAX_SEGMEXEC 32 /* Segmentation based non-executable pages */
63921 -+
63922 - #if !defined (N_MAGIC)
63923 - #define N_MAGIC(exec) ((exec).a_info & 0xffff)
63924 - #endif
63925 -diff -Nurp linux-2.6.23.15/include/linux/binfmts.h linux-2.6.23.15-grsec/include/linux/binfmts.h
63926 ---- linux-2.6.23.15/include/linux/binfmts.h 2007-10-09 21:31:38.000000000 +0100
63927 -+++ linux-2.6.23.15-grsec/include/linux/binfmts.h 2008-02-11 10:37:45.000000000 +0000
63928 -@@ -48,6 +48,7 @@ struct linux_binprm{
63929 - unsigned interp_data;
63930 - unsigned long loader, exec;
63931 - unsigned long argv_len;
63932 -+ int misc;
63933 - };
63934 -
63935 - #define BINPRM_FLAGS_ENFORCE_NONDUMP_BIT 0
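Review bot: The new `int misc;` member of `struct linux_binprm` carries no comment, and nothing in this hunk shows who writes it or what it encodes, so a maintainer has to grep the binary loaders to find out; the neighbouring members are at least self-describing. Please document it at the declaration, e.g. `int misc; /* PaX: per-exec state filled in by the binary loader; see its writers in fs/binfmt_elf.c */` (adjust the reference to wherever it is actually set).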
63936 -@@ -99,5 +100,8 @@ extern void compute_creds(struct linux_b
63937 - extern int do_coredump(long signr, int exit_code, struct pt_regs * regs);
63938 - extern int set_binfmt(struct linux_binfmt *new);
63939 -
63940 -+void pax_report_fault(struct pt_regs *regs, void *pc, void *sp);
63941 -+void pax_report_insns(void *pc, void *sp);
63942 -+
63943 - #endif /* __KERNEL__ */
63944 - #endif /* _LINUX_BINFMTS_H */
63945 -diff -Nurp linux-2.6.23.15/include/linux/cache.h linux-2.6.23.15-grsec/include/linux/cache.h
63946 ---- linux-2.6.23.15/include/linux/cache.h 2007-10-09 21:31:38.000000000 +0100
63947 -+++ linux-2.6.23.15-grsec/include/linux/cache.h 2008-02-11 10:37:45.000000000 +0000
63948 -@@ -16,6 +16,10 @@
63949 - #define __read_mostly
63950 - #endif
63951 -
63952 -+#ifndef __read_only
63953 -+#define __read_only
63954 -+#endif
63955 -+
63956 - #ifndef ____cacheline_aligned
63957 - #define ____cacheline_aligned __attribute__((__aligned__(SMP_CACHE_BYTES)))
63958 - #endif
63959 -diff -Nurp linux-2.6.23.15/include/linux/capability.h linux-2.6.23.15-grsec/include/linux/capability.h
63960 ---- linux-2.6.23.15/include/linux/capability.h 2007-10-09 21:31:38.000000000 +0100
63961 -+++ linux-2.6.23.15-grsec/include/linux/capability.h 2008-02-11 10:37:45.000000000 +0000
63962 -@@ -359,6 +359,7 @@ static inline kernel_cap_t cap_invert(ke
63963 - #define cap_is_fs_cap(c) (CAP_TO_MASK(c) & CAP_FS_MASK)
63964 -
63965 - int capable(int cap);
63966 -+int capable_nolog(int cap);
63967 - int __capable(struct task_struct *t, int cap);
63968 -
63969 - #endif /* __KERNEL__ */
63970 -diff -Nurp linux-2.6.23.15/include/linux/elf.h linux-2.6.23.15-grsec/include/linux/elf.h
63971 ---- linux-2.6.23.15/include/linux/elf.h 2007-10-09 21:31:38.000000000 +0100
63972 -+++ linux-2.6.23.15-grsec/include/linux/elf.h 2008-02-11 10:37:45.000000000 +0000
63973 -@@ -8,6 +8,10 @@
63974 -
63975 - struct file;
63976 -
63977 -+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
63978 -+#undef elf_read_implies_exec
63979 -+#endif
63980 -+
63981 - #ifndef elf_read_implies_exec
63982 - /* Executables for which elf_read_implies_exec() returns TRUE will
63983 - have the READ_IMPLIES_EXEC personality flag set automatically.
63984 -@@ -49,6 +53,16 @@ typedef __s64 Elf64_Sxword;
63985 -
63986 - #define PT_GNU_STACK (PT_LOOS + 0x474e551)
63987 -
63988 -+#define PT_PAX_FLAGS (PT_LOOS + 0x5041580)
63989 -+
63990 -+/* Constants for the e_flags field */
63991 -+#define EF_PAX_PAGEEXEC 1 /* Paging based non-executable pages */
63992 -+#define EF_PAX_EMUTRAMP 2 /* Emulate trampolines */
63993 -+#define EF_PAX_MPROTECT 4 /* Restrict mprotect() */
63994 -+#define EF_PAX_RANDMMAP 8 /* Randomize mmap() base */
63995 -+/*#define EF_PAX_RANDEXEC 16*/ /* Randomize ET_EXEC base */
63996 -+#define EF_PAX_SEGMEXEC 32 /* Segmentation based non-executable pages */
63997 -+
63998 - /* These constants define the different elf file types */
63999 - #define ET_NONE 0
64000 - #define ET_REL 1
64001 -@@ -83,6 +97,8 @@ typedef __s64 Elf64_Sxword;
64002 - #define DT_DEBUG 21
64003 - #define DT_TEXTREL 22
64004 - #define DT_JMPREL 23
64005 -+#define DT_FLAGS 30
64006 -+ #define DF_TEXTREL 0x00000004
64007 - #define DT_ENCODING 32
64008 - #define OLD_DT_LOOS 0x60000000
64009 - #define DT_LOOS 0x6000000d
64010 -@@ -229,6 +245,19 @@ typedef struct elf64_hdr {
64011 - #define PF_W 0x2
64012 - #define PF_X 0x1
64013 -
64014 -+#define PF_PAGEEXEC (1U << 4) /* Enable PAGEEXEC */
64015 -+#define PF_NOPAGEEXEC (1U << 5) /* Disable PAGEEXEC */
64016 -+#define PF_SEGMEXEC (1U << 6) /* Enable SEGMEXEC */
64017 -+#define PF_NOSEGMEXEC (1U << 7) /* Disable SEGMEXEC */
64018 -+#define PF_MPROTECT (1U << 8) /* Enable MPROTECT */
64019 -+#define PF_NOMPROTECT (1U << 9) /* Disable MPROTECT */
64020 -+/*#define PF_RANDEXEC (1U << 10)*/ /* Enable RANDEXEC */
64021 -+/*#define PF_NORANDEXEC (1U << 11)*/ /* Disable RANDEXEC */
64022 -+#define PF_EMUTRAMP (1U << 12) /* Enable EMUTRAMP */
64023 -+#define PF_NOEMUTRAMP (1U << 13) /* Disable EMUTRAMP */
64024 -+#define PF_RANDMMAP (1U << 14) /* Enable RANDMMAP */
64025 -+#define PF_NORANDMMAP (1U << 15) /* Disable RANDMMAP */
64026 -+
64027 - typedef struct elf32_phdr{
64028 - Elf32_Word p_type;
64029 - Elf32_Off p_offset;
64030 -@@ -321,6 +350,8 @@ typedef struct elf64_shdr {
64031 - #define EI_OSABI 7
64032 - #define EI_PAD 8
64033 -
64034 -+#define EI_PAX 14
64035 -+
64036 - #define ELFMAG0 0x7f /* EI_MAG */
64037 - #define ELFMAG1 'E'
64038 - #define ELFMAG2 'L'
64039 -@@ -378,6 +409,7 @@ extern Elf32_Dyn _DYNAMIC [];
64040 - #define elf_phdr elf32_phdr
64041 - #define elf_note elf32_note
64042 - #define elf_addr_t Elf32_Off
64043 -+#define elf_dyn Elf32_Dyn
64044 -
64045 - #else
64046 -
64047 -@@ -386,6 +418,7 @@ extern Elf64_Dyn _DYNAMIC [];
64048 - #define elf_phdr elf64_phdr
64049 - #define elf_note elf64_note
64050 - #define elf_addr_t Elf64_Off
64051 -+#define elf_dyn Elf64_Dyn
64052 -
64053 - #endif
64054 -
64055 -diff -Nurp linux-2.6.23.15/include/linux/ext4_fs_extents.h linux-2.6.23.15-grsec/include/linux/ext4_fs_extents.h
64056 ---- linux-2.6.23.15/include/linux/ext4_fs_extents.h 2007-10-09 21:31:38.000000000 +0100
64057 -+++ linux-2.6.23.15-grsec/include/linux/ext4_fs_extents.h 2008-02-11 10:37:45.000000000 +0000
64058 -@@ -50,7 +50,7 @@
64059 - #ifdef EXT_DEBUG
64060 - #define ext_debug(a...) printk(a)
64061 - #else
64062 --#define ext_debug(a...)
64063 -+#define ext_debug(a...) do {} while (0)
64064 - #endif
64065 -
64066 - /*
64067 -diff -Nurp linux-2.6.23.15/include/linux/gracl.h linux-2.6.23.15-grsec/include/linux/gracl.h
64068 ---- linux-2.6.23.15/include/linux/gracl.h 1970-01-01 01:00:00.000000000 +0100
64069 -+++ linux-2.6.23.15-grsec/include/linux/gracl.h 2008-02-11 10:37:45.000000000 +0000
64070 -@@ -0,0 +1,317 @@
64071 -+#ifndef GR_ACL_H
64072 -+#define GR_ACL_H
64073 -+
64074 -+#include <linux/grdefs.h>
64075 -+#include <linux/resource.h>
64076 -+#include <linux/dcache.h>
64077 -+#include <asm/resource.h>
64078 -+
64079 -+/* Major status information */
64080 -+
64081 -+#define GR_VERSION "grsecurity 2.1.11"
64082 -+#define GRSECURITY_VERSION 0x2111
64083 -+
64084 -+enum {
64085 -+
64086 -+ SHUTDOWN = 0,
64087 -+ ENABLE = 1,
64088 -+ SPROLE = 2,
64089 -+ RELOAD = 3,
64090 -+ SEGVMOD = 4,
64091 -+ STATUS = 5,
64092 -+ UNSPROLE = 6,
64093 -+ PASSSET = 7,
64094 -+ SPROLEPAM = 8
64095 -+};
64096 -+
64097 -+/* Password setup definitions
64098 -+ * kernel/grhash.c */
64099 -+enum {
64100 -+ GR_PW_LEN = 128,
64101 -+ GR_SALT_LEN = 16,
64102 -+ GR_SHA_LEN = 32,
64103 -+};
64104 -+
64105 -+enum {
64106 -+ GR_SPROLE_LEN = 64,
64107 -+};
64108 -+
64109 -+#define GR_NLIMITS (RLIMIT_LOCKS + 2)
64110 -+
64111 -+/* Begin Data Structures */
64112 -+
64113 -+struct sprole_pw {
64114 -+ unsigned char *rolename;
64115 -+ unsigned char salt[GR_SALT_LEN];
64116 -+ unsigned char sum[GR_SHA_LEN]; /* 256-bit SHA hash of the password */
64117 -+};
64118 -+
64119 -+struct name_entry {
64120 -+ __u32 key;
64121 -+ ino_t inode;
64122 -+ dev_t device;
64123 -+ char *name;
64124 -+ __u16 len;
64125 -+ __u8 deleted;
64126 -+ struct name_entry *prev;
64127 -+ struct name_entry *next;
64128 -+};
64129 -+
64130 -+struct inodev_entry {
64131 -+ struct name_entry *nentry;
64132 -+ struct inodev_entry *prev;
64133 -+ struct inodev_entry *next;
64134 -+};
64135 -+
64136 -+struct acl_role_db {
64137 -+ struct acl_role_label **r_hash;
64138 -+ __u32 r_size;
64139 -+};
64140 -+
64141 -+struct inodev_db {
64142 -+ struct inodev_entry **i_hash;
64143 -+ __u32 i_size;
64144 -+};
64145 -+
64146 -+struct name_db {
64147 -+ struct name_entry **n_hash;
64148 -+ __u32 n_size;
64149 -+};
64150 -+
64151 -+struct crash_uid {
64152 -+ uid_t uid;
64153 -+ unsigned long expires;
64154 -+};
64155 -+
64156 -+struct gr_hash_struct {
64157 -+ void **table;
64158 -+ void **nametable;
64159 -+ void *first;
64160 -+ __u32 table_size;
64161 -+ __u32 used_size;
64162 -+ int type;
64163 -+};
64164 -+
64165 -+/* Userspace Grsecurity ACL data structures */
64166 -+
64167 -+struct acl_subject_label {
64168 -+ char *filename;
64169 -+ ino_t inode;
64170 -+ dev_t device;
64171 -+ __u32 mode;
64172 -+ __u32 cap_mask;
64173 -+ __u32 cap_lower;
64174 -+
64175 -+ struct rlimit res[GR_NLIMITS];
64176 -+ __u16 resmask;
64177 -+
64178 -+ __u8 user_trans_type;
64179 -+ __u8 group_trans_type;
64180 -+ uid_t *user_transitions;
64181 -+ gid_t *group_transitions;
64182 -+ __u16 user_trans_num;
64183 -+ __u16 group_trans_num;
64184 -+
64185 -+ __u32 ip_proto[8];
64186 -+ __u32 ip_type;
64187 -+ struct acl_ip_label **ips;
64188 -+ __u32 ip_num;
64189 -+
64190 -+ __u32 crashes;
64191 -+ unsigned long expires;
64192 -+
64193 -+ struct acl_subject_label *parent_subject;
64194 -+ struct gr_hash_struct *hash;
64195 -+ struct acl_subject_label *prev;
64196 -+ struct acl_subject_label *next;
64197 -+
64198 -+ struct acl_object_label **obj_hash;
64199 -+ __u32 obj_hash_size;
64200 -+ __u16 pax_flags;
64201 -+};
64202 -+
64203 -+struct role_allowed_ip {
64204 -+ __u32 addr;
64205 -+ __u32 netmask;
64206 -+
64207 -+ struct role_allowed_ip *prev;
64208 -+ struct role_allowed_ip *next;
64209 -+};
64210 -+
64211 -+struct role_transition {
64212 -+ char *rolename;
64213 -+
64214 -+ struct role_transition *prev;
64215 -+ struct role_transition *next;
64216 -+};
64217 -+
64218 -+struct acl_role_label {
64219 -+ char *rolename;
64220 -+ uid_t uidgid;
64221 -+ __u16 roletype;
64222 -+
64223 -+ __u16 auth_attempts;
64224 -+ unsigned long expires;
64225 -+
64226 -+ struct acl_subject_label *root_label;
64227 -+ struct gr_hash_struct *hash;
64228 -+
64229 -+ struct acl_role_label *prev;
64230 -+ struct acl_role_label *next;
64231 -+
64232 -+ struct role_transition *transitions;
64233 -+ struct role_allowed_ip *allowed_ips;
64234 -+ uid_t *domain_children;
64235 -+ __u16 domain_child_num;
64236 -+
64237 -+ struct acl_subject_label **subj_hash;
64238 -+ __u32 subj_hash_size;
64239 -+};
64240 -+
64241 -+struct user_acl_role_db {
64242 -+ struct acl_role_label **r_table;
64243 -+ __u32 num_pointers; /* Number of allocations to track */
64244 -+ __u32 num_roles; /* Number of roles */
64245 -+ __u32 num_domain_children; /* Number of domain children */
64246 -+ __u32 num_subjects; /* Number of subjects */
64247 -+ __u32 num_objects; /* Number of objects */
64248 -+};
64249 -+
64250 -+struct acl_object_label {
64251 -+ char *filename;
64252 -+ ino_t inode;
64253 -+ dev_t device;
64254 -+ __u32 mode;
64255 -+
64256 -+ struct acl_subject_label *nested;
64257 -+ struct acl_object_label *globbed;
64258 -+
64259 -+ /* next two structures not used */
64260 -+
64261 -+ struct acl_object_label *prev;
64262 -+ struct acl_object_label *next;
64263 -+};
64264 -+
64265 -+struct acl_ip_label {
64266 -+ char *iface;
64267 -+ __u32 addr;
64268 -+ __u32 netmask;
64269 -+ __u16 low, high;
64270 -+ __u8 mode;
64271 -+ __u32 type;
64272 -+ __u32 proto[8];
64273 -+
64274 -+ /* next two structures not used */
64275 -+
64276 -+ struct acl_ip_label *prev;
64277 -+ struct acl_ip_label *next;
64278 -+};
64279 -+
64280 -+struct gr_arg {
64281 -+ struct user_acl_role_db role_db;
64282 -+ unsigned char pw[GR_PW_LEN];
64283 -+ unsigned char salt[GR_SALT_LEN];
64284 -+ unsigned char sum[GR_SHA_LEN];
64285 -+ unsigned char sp_role[GR_SPROLE_LEN];
64286 -+ struct sprole_pw *sprole_pws;
64287 -+ dev_t segv_device;
64288 -+ ino_t segv_inode;
64289 -+ uid_t segv_uid;
64290 -+ __u16 num_sprole_pws;
64291 -+ __u16 mode;
64292 -+};
64293 -+
64294 -+struct gr_arg_wrapper {
64295 -+ struct gr_arg *arg;
64296 -+ __u32 version;
64297 -+ __u32 size;
64298 -+};
64299 -+
64300 -+struct subject_map {
64301 -+ struct acl_subject_label *user;
64302 -+ struct acl_subject_label *kernel;
64303 -+ struct subject_map *prev;
64304 -+ struct subject_map *next;
64305 -+};
64306 -+
64307 -+struct acl_subj_map_db {
64308 -+ struct subject_map **s_hash;
64309 -+ __u32 s_size;
64310 -+};
64311 -+
64312 -+/* End Data Structures Section */
64313 -+
64314 -+/* Hash functions generated by empirical testing by Brad Spengler
64315 -+ Makes good use of the low bits of the inode. Generally 0-1 times
64316 -+ in loop for successful match. 0-3 for unsuccessful match.
64317 -+ Shift/add algorithm with modulus of table size and an XOR*/
64318 -+
64319 -+static __inline__ unsigned int
64320 -+rhash(const uid_t uid, const __u16 type, const unsigned int sz)
64321 -+{
64322 -+ return (((uid << type) + (uid ^ type)) % sz);
64323 -+}
64324 -+
64325 -+ static __inline__ unsigned int
64326 -+shash(const struct acl_subject_label *userp, const unsigned int sz)
64327 -+{
64328 -+ return ((const unsigned long)userp % sz);
64329 -+}
64330 -+
64331 -+static __inline__ unsigned int
64332 -+fhash(const ino_t ino, const dev_t dev, const unsigned int sz)
64333 -+{
64334 -+ return (((ino + dev) ^ ((ino << 13) + (ino << 23) + (dev << 9))) % sz);
64335 -+}
64336 -+
64337 -+static __inline__ unsigned int
64338 -+nhash(const char *name, const __u16 len, const unsigned int sz)
64339 -+{
64340 -+ return full_name_hash(name, len) % sz;
64341 -+}
64342 -+
64343 -+#define FOR_EACH_ROLE_START(role,iter) \
64344 -+ role = NULL; \
64345 -+ iter = 0; \
64346 -+ while (iter < acl_role_set.r_size) { \
64347 -+ if (role == NULL) \
64348 -+ role = acl_role_set.r_hash[iter]; \
64349 -+ if (role == NULL) { \
64350 -+ iter++; \
64351 -+ continue; \
64352 -+ }
64353 -+
64354 -+#define FOR_EACH_ROLE_END(role,iter) \
64355 -+ role = role->next; \
64356 -+ if (role == NULL) \
64357 -+ iter++; \
64358 -+ }
64359 -+
64360 -+#define FOR_EACH_SUBJECT_START(role,subj,iter) \
64361 -+ subj = NULL; \
64362 -+ iter = 0; \
64363 -+ while (iter < role->subj_hash_size) { \
64364 -+ if (subj == NULL) \
64365 -+ subj = role->subj_hash[iter]; \
64366 -+ if (subj == NULL) { \
64367 -+ iter++; \
64368 -+ continue; \
64369 -+ }
64370 -+
64371 -+#define FOR_EACH_SUBJECT_END(subj,iter) \
64372 -+ subj = subj->next; \
64373 -+ if (subj == NULL) \
64374 -+ iter++; \
64375 -+ }
64376 -+
64377 -+
64378 -+#define FOR_EACH_NESTED_SUBJECT_START(role,subj) \
64379 -+ subj = role->hash->first; \
64380 -+ while (subj != NULL) {
64381 -+
64382 -+#define FOR_EACH_NESTED_SUBJECT_END(subj) \
64383 -+ subj = subj->next; \
64384 -+ }
64385 -+
64386 -+#endif
64387 -+
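Review bot: `rhash()` computes `uid << type` where `type` is a 16-bit role type; the GR_ROLE_* flag values in grdefs.h go up to 0x0400, so if a caller ever passes a full `roletype` bitmask rather than a single small selector (GR_ROLE_USER/GROUP/DEFAULT are 1, 2 and 4), the shift count exceeds the width of `uid_t` and is undefined behaviour in C — the callers are not in this hunk, so this may be fine by contract today, but the contract is undocumented. Either state it above the function, `/* type must be a single GR_ROLE_{USER,GROUP,DEFAULT} selector used as a shift count, never a combined roletype */`, or make the helper total with `return (((uid << (type & 31)) + (uid ^ type)) % sz);`. All four hash helpers also take the modulus by `sz`, so they rely on the table sizes being non-zero once the ACL system is enabled; a short note to that effect near the "Hash functions" comment would help.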
64388 -diff -Nurp linux-2.6.23.15/include/linux/gralloc.h linux-2.6.23.15-grsec/include/linux/gralloc.h
64389 ---- linux-2.6.23.15/include/linux/gralloc.h 1970-01-01 01:00:00.000000000 +0100
64390 -+++ linux-2.6.23.15-grsec/include/linux/gralloc.h 2008-02-11 10:37:45.000000000 +0000
64391 -@@ -0,0 +1,8 @@
64392 -+#ifndef __GRALLOC_H
64393 -+#define __GRALLOC_H
64394 -+
64395 -+void acl_free_all(void);
64396 -+int acl_alloc_stack_init(unsigned long size);
64397 -+void *acl_alloc(unsigned long len);
64398 -+
64399 -+#endif
64400 -diff -Nurp linux-2.6.23.15/include/linux/grdefs.h linux-2.6.23.15-grsec/include/linux/grdefs.h
64401 ---- linux-2.6.23.15/include/linux/grdefs.h 1970-01-01 01:00:00.000000000 +0100
64402 -+++ linux-2.6.23.15-grsec/include/linux/grdefs.h 2008-02-11 10:37:45.000000000 +0000
64403 -@@ -0,0 +1,131 @@
64404 -+#ifndef GRDEFS_H
64405 -+#define GRDEFS_H
64406 -+
64407 -+/* Begin grsecurity status declarations */
64408 -+
64409 -+enum {
64410 -+ GR_READY = 0x01,
64411 -+ GR_STATUS_INIT = 0x00 // disabled state
64412 -+};
64413 -+
64414 -+/* Begin ACL declarations */
64415 -+
64416 -+/* Role flags */
64417 -+
64418 -+enum {
64419 -+ GR_ROLE_USER = 0x0001,
64420 -+ GR_ROLE_GROUP = 0x0002,
64421 -+ GR_ROLE_DEFAULT = 0x0004,
64422 -+ GR_ROLE_SPECIAL = 0x0008,
64423 -+ GR_ROLE_AUTH = 0x0010,
64424 -+ GR_ROLE_NOPW = 0x0020,
64425 -+ GR_ROLE_GOD = 0x0040,
64426 -+ GR_ROLE_LEARN = 0x0080,
64427 -+ GR_ROLE_TPE = 0x0100,
64428 -+ GR_ROLE_DOMAIN = 0x0200,
64429 -+ GR_ROLE_PAM = 0x0400
64430 -+};
64431 -+
64432 -+/* ACL Subject and Object mode flags */
64433 -+enum {
64434 -+ GR_DELETED = 0x80000000
64435 -+};
64436 -+
64437 -+/* ACL Object-only mode flags */
64438 -+enum {
64439 -+ GR_READ = 0x00000001,
64440 -+ GR_APPEND = 0x00000002,
64441 -+ GR_WRITE = 0x00000004,
64442 -+ GR_EXEC = 0x00000008,
64443 -+ GR_FIND = 0x00000010,
64444 -+ GR_INHERIT = 0x00000020,
64445 -+ GR_SETID = 0x00000040,
64446 -+ GR_CREATE = 0x00000080,
64447 -+ GR_DELETE = 0x00000100,
64448 -+ GR_LINK = 0x00000200,
64449 -+ GR_AUDIT_READ = 0x00000400,
64450 -+ GR_AUDIT_APPEND = 0x00000800,
64451 -+ GR_AUDIT_WRITE = 0x00001000,
64452 -+ GR_AUDIT_EXEC = 0x00002000,
64453 -+ GR_AUDIT_FIND = 0x00004000,
64454 -+ GR_AUDIT_INHERIT= 0x00008000,
64455 -+ GR_AUDIT_SETID = 0x00010000,
64456 -+ GR_AUDIT_CREATE = 0x00020000,
64457 -+ GR_AUDIT_DELETE = 0x00040000,
64458 -+ GR_AUDIT_LINK = 0x00080000,
64459 -+ GR_PTRACERD = 0x00100000,
64460 -+ GR_NOPTRACE = 0x00200000,
64461 -+ GR_SUPPRESS = 0x00400000,
64462 -+ GR_NOLEARN = 0x00800000
64463 -+};
64464 -+
64465 -+#define GR_AUDITS (GR_AUDIT_READ | GR_AUDIT_WRITE | GR_AUDIT_APPEND | GR_AUDIT_EXEC | \
64466 -+ GR_AUDIT_FIND | GR_AUDIT_INHERIT | GR_AUDIT_SETID | \
64467 -+ GR_AUDIT_CREATE | GR_AUDIT_DELETE | GR_AUDIT_LINK)
64468 -+
64469 -+/* ACL subject-only mode flags */
64470 -+enum {
64471 -+ GR_KILL = 0x00000001,
64472 -+ GR_VIEW = 0x00000002,
64473 -+ GR_PROTECTED = 0x00000004,
64474 -+ GR_LEARN = 0x00000008,
64475 -+ GR_OVERRIDE = 0x00000010,
64476 -+ /* just a placeholder, this mode is only used in userspace */
64477 -+ GR_DUMMY = 0x00000020,
64478 -+ GR_PROTSHM = 0x00000040,
64479 -+ GR_KILLPROC = 0x00000080,
64480 -+ GR_KILLIPPROC = 0x00000100,
64481 -+ /* just a placeholder, this mode is only used in userspace */
64482 -+ GR_NOTROJAN = 0x00000200,
64483 -+ GR_PROTPROCFD = 0x00000400,
64484 -+ GR_PROCACCT = 0x00000800,
64485 -+ GR_RELAXPTRACE = 0x00001000,
64486 -+ GR_NESTED = 0x00002000,
64487 -+ GR_INHERITLEARN = 0x00004000,
64488 -+ GR_PROCFIND = 0x00008000,
64489 -+ GR_POVERRIDE = 0x00010000,
64490 -+ GR_KERNELAUTH = 0x00020000,
64491 -+};
64492 -+
64493 -+enum {
64494 -+ GR_PAX_ENABLE_SEGMEXEC = 0x0001,
64495 -+ GR_PAX_ENABLE_PAGEEXEC = 0x0002,
64496 -+ GR_PAX_ENABLE_MPROTECT = 0x0004,
64497 -+ GR_PAX_ENABLE_RANDMMAP = 0x0008,
64498 -+ GR_PAX_ENABLE_EMUTRAMP = 0x0010,
64499 -+ GR_PAX_DISABLE_SEGMEXEC = 0x0100,
64500 -+ GR_PAX_DISABLE_PAGEEXEC = 0x0200,
64501 -+ GR_PAX_DISABLE_MPROTECT = 0x0400,
64502 -+ GR_PAX_DISABLE_RANDMMAP = 0x0800,
64503 -+ GR_PAX_DISABLE_EMUTRAMP = 0x1000,
64504 -+};
64505 -+
64506 -+enum {
64507 -+ GR_ID_USER = 0x01,
64508 -+ GR_ID_GROUP = 0x02,
64509 -+};
64510 -+
64511 -+enum {
64512 -+ GR_ID_ALLOW = 0x01,
64513 -+ GR_ID_DENY = 0x02,
64514 -+};
64515 -+
64516 -+#define GR_CRASH_RES 11
64517 -+#define GR_UIDTABLE_MAX 500
64518 -+
64519 -+/* begin resource learning section */
64520 -+enum {
64521 -+ GR_RLIM_CPU_BUMP = 60,
64522 -+ GR_RLIM_FSIZE_BUMP = 50000,
64523 -+ GR_RLIM_DATA_BUMP = 10000,
64524 -+ GR_RLIM_STACK_BUMP = 1000,
64525 -+ GR_RLIM_CORE_BUMP = 10000,
64526 -+ GR_RLIM_RSS_BUMP = 500000,
64527 -+ GR_RLIM_NPROC_BUMP = 1,
64528 -+ GR_RLIM_NOFILE_BUMP = 5,
64529 -+ GR_RLIM_MEMLOCK_BUMP = 50000,
64530 -+ GR_RLIM_AS_BUMP = 500000,
64531 -+ GR_RLIM_LOCKS_BUMP = 2
64532 -+};
64533 -+
64534 -+#endif
64535 -diff -Nurp linux-2.6.23.15/include/linux/grinternal.h linux-2.6.23.15-grsec/include/linux/grinternal.h
64536 ---- linux-2.6.23.15/include/linux/grinternal.h 1970-01-01 01:00:00.000000000 +0100
64537 -+++ linux-2.6.23.15-grsec/include/linux/grinternal.h 2008-02-11 10:37:45.000000000 +0000
64538 -@@ -0,0 +1,210 @@
64539 -+#ifndef __GRINTERNAL_H
64540 -+#define __GRINTERNAL_H
64541 -+
64542 -+#ifdef CONFIG_GRKERNSEC
64543 -+
64544 -+#include <linux/fs.h>
64545 -+#include <linux/gracl.h>
64546 -+#include <linux/grdefs.h>
64547 -+#include <linux/grmsg.h>
64548 -+
64549 -+void gr_add_learn_entry(const char *fmt, ...);
64550 -+__u32 gr_search_file(const struct dentry *dentry, const __u32 mode,
64551 -+ const struct vfsmount *mnt);
64552 -+__u32 gr_check_create(const struct dentry *new_dentry,
64553 -+ const struct dentry *parent,
64554 -+ const struct vfsmount *mnt, const __u32 mode);
64555 -+int gr_check_protected_task(const struct task_struct *task);
64556 -+__u32 to_gr_audit(const __u32 reqmode);
64557 -+int gr_set_acls(const int type);
64558 -+
64559 -+int gr_acl_is_enabled(void);
64560 -+char gr_roletype_to_char(void);
64561 -+
64562 -+void gr_handle_alertkill(struct task_struct *task);
64563 -+char *gr_to_filename(const struct dentry *dentry,
64564 -+ const struct vfsmount *mnt);
64565 -+char *gr_to_filename1(const struct dentry *dentry,
64566 -+ const struct vfsmount *mnt);
64567 -+char *gr_to_filename2(const struct dentry *dentry,
64568 -+ const struct vfsmount *mnt);
64569 -+char *gr_to_filename3(const struct dentry *dentry,
64570 -+ const struct vfsmount *mnt);
64571 -+
64572 -+extern int grsec_enable_link;
64573 -+extern int grsec_enable_fifo;
64574 -+extern int grsec_enable_execve;
64575 -+extern int grsec_enable_shm;
64576 -+extern int grsec_enable_execlog;
64577 -+extern int grsec_enable_signal;
64578 -+extern int grsec_enable_forkfail;
64579 -+extern int grsec_enable_time;
64580 -+extern int grsec_enable_chroot_shmat;
64581 -+extern int grsec_enable_chroot_findtask;
64582 -+extern int grsec_enable_chroot_mount;
64583 -+extern int grsec_enable_chroot_double;
64584 -+extern int grsec_enable_chroot_pivot;
64585 -+extern int grsec_enable_chroot_chdir;
64586 -+extern int grsec_enable_chroot_chmod;
64587 -+extern int grsec_enable_chroot_mknod;
64588 -+extern int grsec_enable_chroot_fchdir;
64589 -+extern int grsec_enable_chroot_nice;
64590 -+extern int grsec_enable_chroot_execlog;
64591 -+extern int grsec_enable_chroot_caps;
64592 -+extern int grsec_enable_chroot_sysctl;
64593 -+extern int grsec_enable_chroot_unix;
64594 -+extern int grsec_enable_tpe;
64595 -+extern int grsec_tpe_gid;
64596 -+extern int grsec_enable_tpe_all;
64597 -+extern int grsec_enable_sidcaps;
64598 -+extern int grsec_enable_socket_all;
64599 -+extern int grsec_socket_all_gid;
64600 -+extern int grsec_enable_socket_client;
64601 -+extern int grsec_socket_client_gid;
64602 -+extern int grsec_enable_socket_server;
64603 -+extern int grsec_socket_server_gid;
64604 -+extern int grsec_audit_gid;
64605 -+extern int grsec_enable_group;
64606 -+extern int grsec_enable_audit_ipc;
64607 -+extern int grsec_enable_audit_textrel;
64608 -+extern int grsec_enable_mount;
64609 -+extern int grsec_enable_chdir;
64610 -+extern int grsec_resource_logging;
64611 -+extern int grsec_lock;
64612 -+
64613 -+extern spinlock_t grsec_alert_lock;
64614 -+extern unsigned long grsec_alert_wtime;
64615 -+extern unsigned long grsec_alert_fyet;
64616 -+
64617 -+extern spinlock_t grsec_audit_lock;
64618 -+
64619 -+extern rwlock_t grsec_exec_file_lock;
64620 -+
64621 -+#define gr_task_fullpath(tsk) (tsk->exec_file ? \
64622 -+ gr_to_filename2(tsk->exec_file->f_dentry, \
64623 -+ tsk->exec_file->f_vfsmnt) : "/")
64624 -+
64625 -+#define gr_parent_task_fullpath(tsk) (tsk->parent->exec_file ? \
64626 -+ gr_to_filename3(tsk->parent->exec_file->f_dentry, \
64627 -+ tsk->parent->exec_file->f_vfsmnt) : "/")
64628 -+
64629 -+#define gr_task_fullpath0(tsk) (tsk->exec_file ? \
64630 -+ gr_to_filename(tsk->exec_file->f_dentry, \
64631 -+ tsk->exec_file->f_vfsmnt) : "/")
64632 -+
64633 -+#define gr_parent_task_fullpath0(tsk) (tsk->parent->exec_file ? \
64634 -+ gr_to_filename1(tsk->parent->exec_file->f_dentry, \
64635 -+ tsk->parent->exec_file->f_vfsmnt) : "/")
64636 -+
64637 -+#define proc_is_chrooted(tsk_a) ((tsk_a->pid > 1) && (tsk_a->fs != NULL) && \
64638 -+ ((tsk_a->fs->root->d_inode->i_sb->s_dev != \
64639 -+ child_reaper(tsk_a)->fs->root->d_inode->i_sb->s_dev) || \
64640 -+ (tsk_a->fs->root->d_inode->i_ino != \
64641 -+ child_reaper(tsk_a)->fs->root->d_inode->i_ino)))
64642 -+
64643 -+#define have_same_root(tsk_a,tsk_b) ((tsk_a->fs != NULL) && (tsk_b->fs != NULL) && \
64644 -+ (tsk_a->fs->root->d_inode->i_sb->s_dev == \
64645 -+ tsk_b->fs->root->d_inode->i_sb->s_dev) && \
64646 -+ (tsk_a->fs->root->d_inode->i_ino == \
64647 -+ tsk_b->fs->root->d_inode->i_ino))
64648 -+
64649 -+#define DEFAULTSECARGS(task) gr_task_fullpath(task), task->comm, \
64650 -+ task->pid, task->uid, \
64651 -+ task->euid, task->gid, task->egid, \
64652 -+ gr_parent_task_fullpath(task), \
64653 -+ task->parent->comm, task->parent->pid, \
64654 -+ task->parent->uid, task->parent->euid, \
64655 -+ task->parent->gid, task->parent->egid
64656 -+
64657 -+#define GR_CHROOT_CAPS ( \
64658 -+ CAP_TO_MASK(CAP_LINUX_IMMUTABLE) | CAP_TO_MASK(CAP_NET_ADMIN) | \
64659 -+ CAP_TO_MASK(CAP_SYS_MODULE) | CAP_TO_MASK(CAP_SYS_RAWIO) | \
64660 -+ CAP_TO_MASK(CAP_SYS_PACCT) | CAP_TO_MASK(CAP_SYS_ADMIN) | \
64661 -+ CAP_TO_MASK(CAP_SYS_BOOT) | CAP_TO_MASK(CAP_SYS_TIME) | \
64662 -+ CAP_TO_MASK(CAP_NET_RAW) | CAP_TO_MASK(CAP_SYS_TTY_CONFIG) | \
64663 -+ CAP_TO_MASK(CAP_IPC_OWNER))
64664 -+
64665 -+#define security_learn(normal_msg,args...) \
64666 -+({ \
64667 -+ read_lock(&grsec_exec_file_lock); \
64668 -+ gr_add_learn_entry(normal_msg "\n", ## args); \
64669 -+ read_unlock(&grsec_exec_file_lock); \
64670 -+})
64671 -+
64672 -+enum {
64673 -+ GR_DO_AUDIT,
64674 -+ GR_DONT_AUDIT,
64675 -+ GR_DONT_AUDIT_GOOD
64676 -+};
64677 -+
64678 -+enum {
64679 -+ GR_TTYSNIFF,
64680 -+ GR_RBAC,
64681 -+ GR_RBAC_STR,
64682 -+ GR_STR_RBAC,
64683 -+ GR_RBAC_MODE2,
64684 -+ GR_RBAC_MODE3,
64685 -+ GR_FILENAME,
64686 -+ GR_SYSCTL_HIDDEN,
64687 -+ GR_NOARGS,
64688 -+ GR_ONE_INT,
64689 -+ GR_ONE_INT_TWO_STR,
64690 -+ GR_ONE_STR,
64691 -+ GR_STR_INT,
64692 -+ GR_TWO_INT,
64693 -+ GR_THREE_INT,
64694 -+ GR_FIVE_INT_TWO_STR,
64695 -+ GR_TWO_STR,
64696 -+ GR_THREE_STR,
64697 -+ GR_FOUR_STR,
64698 -+ GR_STR_FILENAME,
64699 -+ GR_FILENAME_STR,
64700 -+ GR_FILENAME_TWO_INT,
64701 -+ GR_FILENAME_TWO_INT_STR,
64702 -+ GR_TEXTREL,
64703 -+ GR_PTRACE,
64704 -+ GR_RESOURCE,
64705 -+ GR_CAP,
64706 -+ GR_SIG,
64707 -+ GR_CRASH1,
64708 -+ GR_CRASH2,
64709 -+ GR_PSACCT
64710 -+};
64711 -+
64712 -+#define gr_log_hidden_sysctl(audit, msg, str) gr_log_varargs(audit, msg, GR_SYSCTL_HIDDEN, str)
64713 -+#define gr_log_ttysniff(audit, msg, task) gr_log_varargs(audit, msg, GR_TTYSNIFF, task)
64714 -+#define gr_log_fs_rbac_generic(audit, msg, dentry, mnt) gr_log_varargs(audit, msg, GR_RBAC, dentry, mnt)
64715 -+#define gr_log_fs_rbac_str(audit, msg, dentry, mnt, str) gr_log_varargs(audit, msg, GR_RBAC_STR, dentry, mnt, str)
64716 -+#define gr_log_fs_str_rbac(audit, msg, str, dentry, mnt) gr_log_varargs(audit, msg, GR_STR_RBAC, str, dentry, mnt)
64717 -+#define gr_log_fs_rbac_mode2(audit, msg, dentry, mnt, str1, str2) gr_log_varargs(audit, msg, GR_RBAC_MODE2, dentry, mnt, str1, str2)
64718 -+#define gr_log_fs_rbac_mode3(audit, msg, dentry, mnt, str1, str2, str3) gr_log_varargs(audit, msg, GR_RBAC_MODE3, dentry, mnt, str1, str2, str3)
64719 -+#define gr_log_fs_generic(audit, msg, dentry, mnt) gr_log_varargs(audit, msg, GR_FILENAME, dentry, mnt)
64720 -+#define gr_log_noargs(audit, msg) gr_log_varargs(audit, msg, GR_NOARGS)
64721 -+#define gr_log_int(audit, msg, num) gr_log_varargs(audit, msg, GR_ONE_INT, num)
64722 -+#define gr_log_int_str2(audit, msg, num, str1, str2) gr_log_varargs(audit, msg, GR_ONE_INT_TWO_STR, num, str1, str2)
64723 -+#define gr_log_str(audit, msg, str) gr_log_varargs(audit, msg, GR_ONE_STR, str)
64724 -+#define gr_log_str_int(audit, msg, str, num) gr_log_varargs(audit, msg, GR_STR_INT, str, num)
64725 -+#define gr_log_int_int(audit, msg, num1, num2) gr_log_varargs(audit, msg, GR_TWO_INT, num1, num2)
64726 -+#define gr_log_int3(audit, msg, num1, num2, num3) gr_log_varargs(audit, msg, GR_THREE_INT, num1, num2, num3)
64727 -+#define gr_log_int5_str2(audit, msg, num1, num2, str1, str2) gr_log_varargs(audit, msg, GR_FIVE_INT_TWO_STR, num1, num2, str1, str2)
64728 -+#define gr_log_str_str(audit, msg, str1, str2) gr_log_varargs(audit, msg, GR_TWO_STR, str1, str2)
64729 -+#define gr_log_str3(audit, msg, str1, str2, str3) gr_log_varargs(audit, msg, GR_THREE_STR, str1, str2, str3)
64730 -+#define gr_log_str4(audit, msg, str1, str2, str3, str4) gr_log_varargs(audit, msg, GR_FOUR_STR, str1, str2, str3, str4)
64731 -+#define gr_log_str_fs(audit, msg, str, dentry, mnt) gr_log_varargs(audit, msg, GR_STR_FILENAME, str, dentry, mnt)
64732 -+#define gr_log_fs_str(audit, msg, dentry, mnt, str) gr_log_varargs(audit, msg, GR_FILENAME_STR, dentry, mnt, str)
64733 -+#define gr_log_fs_int2(audit, msg, dentry, mnt, num1, num2) gr_log_varargs(audit, msg, GR_FILENAME_TWO_INT, dentry, mnt, num1, num2)
64734 -+#define gr_log_fs_int2_str(audit, msg, dentry, mnt, num1, num2, str) gr_log_varargs(audit, msg, GR_FILENAME_TWO_INT_STR, dentry, mnt, num1, num2, str)
64735 -+#define gr_log_textrel_ulong_ulong(audit, msg, file, ulong1, ulong2) gr_log_varargs(audit, msg, GR_TEXTREL, file, ulong1, ulong2)
64736 -+#define gr_log_ptrace(audit, msg, task) gr_log_varargs(audit, msg, GR_PTRACE, task)
64737 -+#define gr_log_res_ulong2_str(audit, msg, task, ulong1, str, ulong2) gr_log_varargs(audit, msg, GR_RESOURCE, task, ulong1, str, ulong2)
64738 -+#define gr_log_cap(audit, msg, task, str) gr_log_varargs(audit, msg, GR_CAP, task, str)
64739 -+#define gr_log_sig(audit, msg, task, num) gr_log_varargs(audit, msg, GR_SIG, task, num)
64740 -+#define gr_log_crash1(audit, msg, task, ulong) gr_log_varargs(audit, msg, GR_CRASH1, task, ulong)
64741 -+#define gr_log_crash2(audit, msg, task, ulong1) gr_log_varargs(audit, msg, GR_CRASH2, task, ulong1)
64742 -+#define gr_log_procacct(audit, msg, task, num1, num2, num3, num4, num5, num6, num7, num8, num9) gr_log_varargs(audit, msg, GR_PSACCT, task, num1, num2, num3, num4, num5, num6, num7, num8, num9)
64743 -+
64744 -+void gr_log_varargs(int audit, const char *msg, int argtypes, ...);
64745 -+
64746 -+#endif
64747 -+
64748 -+#endif
64749 -diff -Nurp linux-2.6.23.15/include/linux/grmsg.h linux-2.6.23.15-grsec/include/linux/grmsg.h
64750 ---- linux-2.6.23.15/include/linux/grmsg.h 1970-01-01 01:00:00.000000000 +0100
64751 -+++ linux-2.6.23.15-grsec/include/linux/grmsg.h 2008-02-11 10:37:45.000000000 +0000
64752 -@@ -0,0 +1,108 @@
64753 -+#define DEFAULTSECMSG "%.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u, parent %.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u"
64754 -+#define GR_ACL_PROCACCT_MSG "%.256s[%.16s:%d] IP:%u.%u.%u.%u TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u run time:[%ud %uh %um %us] cpu time:[%ud %uh %um %us] %s with exit code %ld, parent %.256s[%.16s:%d] IP:%u.%u.%u.%u TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u"
64755 -+#define GR_PTRACE_ACL_MSG "denied ptrace of %.950s(%.16s:%d) by "
64756 -+#define GR_STOPMOD_MSG "denied modification of module state by "
64757 -+#define GR_IOPERM_MSG "denied use of ioperm() by "
64758 -+#define GR_IOPL_MSG "denied use of iopl() by "
64759 -+#define GR_SHMAT_ACL_MSG "denied attach of shared memory of UID %u, PID %d, ID %u by "
64760 -+#define GR_UNIX_CHROOT_MSG "denied connect() to abstract AF_UNIX socket outside of chroot by "
64761 -+#define GR_SHMAT_CHROOT_MSG "denied attach of shared memory outside of chroot by "
64762 -+#define GR_KMEM_MSG "denied write of /dev/kmem by "
64763 -+#define GR_PORT_OPEN_MSG "denied open of /dev/port by "
64764 -+#define GR_MEM_WRITE_MSG "denied write of /dev/mem by "
64765 -+#define GR_MEM_MMAP_MSG "denied mmap write of /dev/[k]mem by "
64766 -+#define GR_SYMLINK_MSG "not following symlink %.950s owned by %d.%d by "
64767 -+#define GR_LEARN_AUDIT_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%lu\t%lu\t%.4095s\t%lu\t%u.%u.%u.%u"
64768 -+#define GR_ID_LEARN_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%c\t%d\t%d\t%d\t%u.%u.%u.%u"
64769 -+#define GR_HIDDEN_ACL_MSG "%s access to hidden file %.950s by "
64770 -+#define GR_OPEN_ACL_MSG "%s open of %.950s for%s%s by "
64771 -+#define GR_CREATE_ACL_MSG "%s create of %.950s for%s%s by "
64772 -+#define GR_FIFO_MSG "denied writing FIFO %.950s of %d.%d by "
64773 -+#define GR_MKNOD_CHROOT_MSG "denied mknod of %.950s from chroot by "
64774 -+#define GR_MKNOD_ACL_MSG "%s mknod of %.950s by "
64775 -+#define GR_UNIXCONNECT_ACL_MSG "%s connect() to the unix domain socket %.950s by "
64776 -+#define GR_TTYSNIFF_ACL_MSG "terminal being sniffed by IP:%u.%u.%u.%u %.480s[%.16s:%d], parent %.480s[%.16s:%d] against "
64777 -+#define GR_MKDIR_ACL_MSG "%s mkdir of %.950s by "
64778 -+#define GR_RMDIR_ACL_MSG "%s rmdir of %.950s by "
64779 -+#define GR_UNLINK_ACL_MSG "%s unlink of %.950s by "
64780 -+#define GR_SYMLINK_ACL_MSG "%s symlink from %.480s to %.480s by "
64781 -+#define GR_HARDLINK_MSG "denied hardlink of %.930s (owned by %d.%d) to %.30s for "
64782 -+#define GR_LINK_ACL_MSG "%s link of %.480s to %.480s by "
64783 -+#define GR_INHERIT_ACL_MSG "successful inherit of %.480s's ACL for %.480s by "
64784 -+#define GR_RENAME_ACL_MSG "%s rename of %.480s to %.480s by "
64785 -+#define GR_PTRACE_EXEC_ACL_MSG "denied ptrace of %.950s by "
64786 -+#define GR_NPROC_MSG "denied overstep of process limit by "
64787 -+#define GR_EXEC_ACL_MSG "%s execution of %.950s by "
64788 -+#define GR_EXEC_TPE_MSG "denied untrusted exec of %.950s by "
64789 -+#define GR_SEGVSTART_ACL_MSG "possible exploit bruteforcing on " DEFAULTSECMSG " banning uid %u from login for %lu seconds"
64790 -+#define GR_SEGVNOSUID_ACL_MSG "possible exploit bruteforcing on " DEFAULTSECMSG " banning execution for %lu seconds"
64791 -+#define GR_MOUNT_CHROOT_MSG "denied mount of %.30s as %.930s from chroot by "
64792 -+#define GR_PIVOT_CHROOT_MSG "denied pivot_root from chroot by "
64793 -+#define GR_TRUNCATE_ACL_MSG "%s truncate of %.950s by "
64794 -+#define GR_ATIME_ACL_MSG "%s access time change of %.950s by "
64795 -+#define GR_ACCESS_ACL_MSG "%s access of %.950s for%s%s%s by "
64796 -+#define GR_CHROOT_CHROOT_MSG "denied double chroot to %.950s by "
64797 -+#define GR_FCHMOD_ACL_MSG "%s fchmod of %.950s by "
64798 -+#define GR_CHMOD_CHROOT_MSG "denied chmod +s of %.950s by "
64799 -+#define GR_CHMOD_ACL_MSG "%s chmod of %.950s by "
64800 -+#define GR_CHROOT_FCHDIR_MSG "denied fchdir outside of chroot to %.950s by "
64801 -+#define GR_CHOWN_ACL_MSG "%s chown of %.950s by "
64802 -+#define GR_WRITLIB_ACL_MSG "denied load of writable library %.950s by "
64803 -+#define GR_INITF_ACL_MSG "init_variables() failed %s by "
64804 -+#define GR_DISABLED_ACL_MSG "Error loading %s, trying to run kernel with acls disabled. To disable acls at startup use <kernel image name> gracl=off from your boot loader"
64805 -+#define GR_DEV_ACL_MSG "/dev/grsec: %d bytes sent %d required, being fed garbaged by "
64806 -+#define GR_SHUTS_ACL_MSG "shutdown auth success for "
64807 -+#define GR_SHUTF_ACL_MSG "shutdown auth failure for "
64808 -+#define GR_SHUTI_ACL_MSG "ignoring shutdown for disabled RBAC system for "
64809 -+#define GR_SEGVMODS_ACL_MSG "segvmod auth success for "
64810 -+#define GR_SEGVMODF_ACL_MSG "segvmod auth failure for "
64811 -+#define GR_SEGVMODI_ACL_MSG "ignoring segvmod for disabled RBAC system for "
64812 -+#define GR_ENABLE_ACL_MSG "%s RBAC system loaded by "
64813 -+#define GR_ENABLEF_ACL_MSG "unable to load %s for "
64814 -+#define GR_RELOADI_ACL_MSG "ignoring reload request for disabled RBAC system"
64815 -+#define GR_RELOAD_ACL_MSG "%s RBAC system reloaded by "
64816 -+#define GR_RELOADF_ACL_MSG "failed reload of %s for "
64817 -+#define GR_SPROLEI_ACL_MSG "ignoring change to special role for disabled RBAC system for "
64818 -+#define GR_SPROLES_ACL_MSG "successful change to special role %s (id %d) by "
64819 -+#define GR_SPROLEL_ACL_MSG "special role %s (id %d) exited by "
64820 -+#define GR_SPROLEF_ACL_MSG "special role %s failure for "
64821 -+#define GR_UNSPROLEI_ACL_MSG "ignoring unauth of special role for disabled RBAC system for "
64822 -+#define GR_UNSPROLES_ACL_MSG "successful unauth of special role %s (id %d) by "
64823 -+#define GR_UNSPROLEF_ACL_MSG "special role unauth of %s failure for "
64824 -+#define GR_INVMODE_ACL_MSG "invalid mode %d by "
64825 -+#define GR_PRIORITY_CHROOT_MSG "denied priority change of process (%.16s:%d) by "
64826 -+#define GR_FAILFORK_MSG "failed fork with errno %d by "
64827 -+#define GR_NICE_CHROOT_MSG "denied priority change by "
64828 -+#define GR_UNISIGLOG_MSG "signal %d sent to "
64829 -+#define GR_DUALSIGLOG_MSG "signal %d sent to " DEFAULTSECMSG " by "
64830 -+#define GR_SIG_ACL_MSG "denied send of signal %d to protected task " DEFAULTSECMSG " by "
64831 -+#define GR_SYSCTL_MSG "denied modification of grsecurity sysctl value : %.32s by "
64832 -+#define GR_SYSCTL_ACL_MSG "%s sysctl of %.950s for%s%s by "
64833 -+#define GR_TIME_MSG "time set by "
64834 -+#define GR_DEFACL_MSG "fatal: unable to find subject for (%.16s:%d), loaded by "
64835 -+#define GR_MMAP_ACL_MSG "%s executable mmap of %.950s by "
64836 -+#define GR_MPROTECT_ACL_MSG "%s executable mprotect of %.950s by "
64837 -+#define GR_SOCK_MSG "denied socket(%.16s,%.16s,%.16s) by "
64838 -+#define GR_SOCK2_MSG "denied socket(%d,%.16s,%.16s) by "
64839 -+#define GR_BIND_MSG "denied bind() by "
64840 -+#define GR_CONNECT_MSG "denied connect() by "
64841 -+#define GR_BIND_ACL_MSG "denied bind() to %u.%u.%u.%u port %u sock type %.16s protocol %.16s by "
64842 -+#define GR_CONNECT_ACL_MSG "denied connect() to %u.%u.%u.%u port %u sock type %.16s protocol %.16s by "
64843 -+#define GR_IP_LEARN_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%u.%u.%u.%u\t%u\t%u\t%u\t%u\t%u.%u.%u.%u"
64844 -+#define GR_EXEC_CHROOT_MSG "exec of %.980s within chroot by process "
64845 -+#define GR_CAP_ACL_MSG "use of %s denied for "
64846 -+#define GR_USRCHANGE_ACL_MSG "change to uid %u denied for "
64847 -+#define GR_GRPCHANGE_ACL_MSG "change to gid %u denied for "
64848 -+#define GR_REMOUNT_AUDIT_MSG "remount of %.30s by "
64849 -+#define GR_UNMOUNT_AUDIT_MSG "unmount of %.30s by "
64850 -+#define GR_MOUNT_AUDIT_MSG "mount of %.30s to %.64s by "
64851 -+#define GR_CHDIR_AUDIT_MSG "chdir to %.980s by "
64852 -+#define GR_EXEC_AUDIT_MSG "exec of %.930s (%.128s) by "
64853 -+#define GR_MSGQ_AUDIT_MSG "message queue created by "
64854 -+#define GR_MSGQR_AUDIT_MSG "message queue of uid:%u euid:%u removed by "
64855 -+#define GR_SEM_AUDIT_MSG "semaphore created by "
64856 -+#define GR_SEMR_AUDIT_MSG "semaphore of uid:%u euid:%u removed by "
64857 -+#define GR_SHM_AUDIT_MSG "shared memory of size %d created by "
64858 -+#define GR_SHMR_AUDIT_MSG "shared memory of uid:%u euid:%u removed by "
64859 -+#define GR_RESOURCE_MSG "denied resource overstep by requesting %lu for %.16s against limit %lu for "
64860 -+#define GR_TEXTREL_AUDIT_MSG "text relocation in %s, VMA:0x%08lx 0x%08lx by "
64861 -diff -Nurp linux-2.6.23.15/include/linux/grsecurity.h linux-2.6.23.15-grsec/include/linux/grsecurity.h
64862 ---- linux-2.6.23.15/include/linux/grsecurity.h 1970-01-01 01:00:00.000000000 +0100
64863 -+++ linux-2.6.23.15-grsec/include/linux/grsecurity.h 2008-02-11 10:37:45.000000000 +0000
64864 -@@ -0,0 +1,193 @@
64865 -+#ifndef GR_SECURITY_H
64866 -+#define GR_SECURITY_H
64867 -+#include <linux/fs.h>
64868 -+#include <linux/binfmts.h>
64869 -+#include <linux/gracl.h>
64870 -+
64871 -+void gr_handle_brute_attach(struct task_struct *p);
64872 -+void gr_handle_brute_check(void);
64873 -+
64874 -+char gr_roletype_to_char(void);
64875 -+
64876 -+int gr_check_user_change(int real, int effective, int fs);
64877 -+int gr_check_group_change(int real, int effective, int fs);
64878 -+
64879 -+void gr_del_task_from_ip_table(struct task_struct *p);
64880 -+
64881 -+int gr_pid_is_chrooted(struct task_struct *p);
64882 -+int gr_handle_chroot_nice(void);
64883 -+int gr_handle_chroot_sysctl(const int op);
64884 -+int gr_handle_chroot_setpriority(struct task_struct *p,
64885 -+ const int niceval);
64886 -+int gr_chroot_fchdir(struct dentry *u_dentry, struct vfsmount *u_mnt);
64887 -+int gr_handle_chroot_chroot(const struct dentry *dentry,
64888 -+ const struct vfsmount *mnt);
64889 -+void gr_handle_chroot_caps(struct task_struct *task);
64890 -+void gr_handle_chroot_chdir(struct dentry *dentry, struct vfsmount *mnt);
64891 -+int gr_handle_chroot_chmod(const struct dentry *dentry,
64892 -+ const struct vfsmount *mnt, const int mode);
64893 -+int gr_handle_chroot_mknod(const struct dentry *dentry,
64894 -+ const struct vfsmount *mnt, const int mode);
64895 -+int gr_handle_chroot_mount(const struct dentry *dentry,
64896 -+ const struct vfsmount *mnt,
64897 -+ const char *dev_name);
64898 -+int gr_handle_chroot_pivot(void);
64899 -+int gr_handle_chroot_unix(const pid_t pid);
64900 -+
64901 -+int gr_handle_rawio(const struct inode *inode);
64902 -+int gr_handle_nproc(void);
64903 -+
64904 -+void gr_handle_ioperm(void);
64905 -+void gr_handle_iopl(void);
64906 -+
64907 -+int gr_tpe_allow(const struct file *file);
64908 -+
64909 -+int gr_random_pid(void);
64910 -+
64911 -+void gr_log_forkfail(const int retval);
64912 -+void gr_log_timechange(void);
64913 -+void gr_log_signal(const int sig, const struct task_struct *t);
64914 -+void gr_log_chdir(const struct dentry *dentry,
64915 -+ const struct vfsmount *mnt);
64916 -+void gr_log_chroot_exec(const struct dentry *dentry,
64917 -+ const struct vfsmount *mnt);
64918 -+void gr_handle_exec_args(struct linux_binprm *bprm, char **argv);
64919 -+void gr_log_remount(const char *devname, const int retval);
64920 -+void gr_log_unmount(const char *devname, const int retval);
64921 -+void gr_log_mount(const char *from, const char *to, const int retval);
64922 -+void gr_log_msgget(const int ret, const int msgflg);
64923 -+void gr_log_msgrm(const uid_t uid, const uid_t cuid);
64924 -+void gr_log_semget(const int err, const int semflg);
64925 -+void gr_log_semrm(const uid_t uid, const uid_t cuid);
64926 -+void gr_log_shmget(const int err, const int shmflg, const size_t size);
64927 -+void gr_log_shmrm(const uid_t uid, const uid_t cuid);
64928 -+void gr_log_textrel(struct vm_area_struct *vma);
64929 -+
64930 -+int gr_handle_follow_link(const struct inode *parent,
64931 -+ const struct inode *inode,
64932 -+ const struct dentry *dentry,
64933 -+ const struct vfsmount *mnt);
64934 -+int gr_handle_fifo(const struct dentry *dentry,
64935 -+ const struct vfsmount *mnt,
64936 -+ const struct dentry *dir, const int flag,
64937 -+ const int acc_mode);
64938 -+int gr_handle_hardlink(const struct dentry *dentry,
64939 -+ const struct vfsmount *mnt,
64940 -+ struct inode *inode,
64941 -+ const int mode, const char *to);
64942 -+
64943 -+int gr_task_is_capable(struct task_struct *task, const int cap);
64944 -+int gr_is_capable_nolog(const int cap);
64945 -+void gr_learn_resource(const struct task_struct *task, const int limit,
64946 -+ const unsigned long wanted, const int gt);
64947 -+void gr_copy_label(struct task_struct *tsk);
64948 -+void gr_handle_crash(struct task_struct *task, const int sig);
64949 -+int gr_handle_signal(const struct task_struct *p, const int sig);
64950 -+int gr_check_crash_uid(const uid_t uid);
64951 -+int gr_check_protected_task(const struct task_struct *task);
64952 -+int gr_acl_handle_mmap(const struct file *file,
64953 -+ const unsigned long prot);
64954 -+int gr_acl_handle_mprotect(const struct file *file,
64955 -+ const unsigned long prot);
64956 -+int gr_check_hidden_task(const struct task_struct *tsk);
64957 -+__u32 gr_acl_handle_truncate(const struct dentry *dentry,
64958 -+ const struct vfsmount *mnt);
64959 -+__u32 gr_acl_handle_utime(const struct dentry *dentry,
64960 -+ const struct vfsmount *mnt);
64961 -+__u32 gr_acl_handle_access(const struct dentry *dentry,
64962 -+ const struct vfsmount *mnt, const int fmode);
64963 -+__u32 gr_acl_handle_fchmod(const struct dentry *dentry,
64964 -+ const struct vfsmount *mnt, mode_t mode);
64965 -+__u32 gr_acl_handle_chmod(const struct dentry *dentry,
64966 -+ const struct vfsmount *mnt, mode_t mode);
64967 -+__u32 gr_acl_handle_chown(const struct dentry *dentry,
64968 -+ const struct vfsmount *mnt);
64969 -+int gr_handle_ptrace(struct task_struct *task, const long request);
64970 -+int gr_handle_proc_ptrace(struct task_struct *task);
64971 -+__u32 gr_acl_handle_execve(const struct dentry *dentry,
64972 -+ const struct vfsmount *mnt);
64973 -+int gr_check_crash_exec(const struct file *filp);
64974 -+int gr_acl_is_enabled(void);
64975 -+void gr_set_kernel_label(struct task_struct *task);
64976 -+void gr_set_role_label(struct task_struct *task, const uid_t uid,
64977 -+ const gid_t gid);
64978 -+int gr_set_proc_label(const struct dentry *dentry,
64979 -+ const struct vfsmount *mnt);
64980 -+__u32 gr_acl_handle_hidden_file(const struct dentry *dentry,
64981 -+ const struct vfsmount *mnt);
64982 -+__u32 gr_acl_handle_open(const struct dentry *dentry,
64983 -+ const struct vfsmount *mnt, const int fmode);
64984 -+__u32 gr_acl_handle_creat(const struct dentry *dentry,
64985 -+ const struct dentry *p_dentry,
64986 -+ const struct vfsmount *p_mnt, const int fmode,
64987 -+ const int imode);
64988 -+void gr_handle_create(const struct dentry *dentry,
64989 -+ const struct vfsmount *mnt);
64990 -+__u32 gr_acl_handle_mknod(const struct dentry *new_dentry,
64991 -+ const struct dentry *parent_dentry,
64992 -+ const struct vfsmount *parent_mnt,
64993 -+ const int mode);
64994 -+__u32 gr_acl_handle_mkdir(const struct dentry *new_dentry,
64995 -+ const struct dentry *parent_dentry,
64996 -+ const struct vfsmount *parent_mnt);
64997 -+__u32 gr_acl_handle_rmdir(const struct dentry *dentry,
64998 -+ const struct vfsmount *mnt);
64999 -+void gr_handle_delete(const ino_t ino, const dev_t dev);
65000 -+__u32 gr_acl_handle_unlink(const struct dentry *dentry,
65001 -+ const struct vfsmount *mnt);
65002 -+__u32 gr_acl_handle_symlink(const struct dentry *new_dentry,
65003 -+ const struct dentry *parent_dentry,
65004 -+ const struct vfsmount *parent_mnt,
65005 -+ const char *from);
65006 -+__u32 gr_acl_handle_link(const struct dentry *new_dentry,
65007 -+ const struct dentry *parent_dentry,
65008 -+ const struct vfsmount *parent_mnt,
65009 -+ const struct dentry *old_dentry,
65010 -+ const struct vfsmount *old_mnt, const char *to);
65011 -+int gr_acl_handle_rename(struct dentry *new_dentry,
65012 -+ struct dentry *parent_dentry,
65013 -+ const struct vfsmount *parent_mnt,
65014 -+ struct dentry *old_dentry,
65015 -+ struct inode *old_parent_inode,
65016 -+ struct vfsmount *old_mnt, const char *newname);
65017 -+void gr_handle_rename(struct inode *old_dir, struct inode *new_dir,
65018 -+ struct dentry *old_dentry,
65019 -+ struct dentry *new_dentry,
65020 -+ struct vfsmount *mnt, const __u8 replace);
65021 -+__u32 gr_check_link(const struct dentry *new_dentry,
65022 -+ const struct dentry *parent_dentry,
65023 -+ const struct vfsmount *parent_mnt,
65024 -+ const struct dentry *old_dentry,
65025 -+ const struct vfsmount *old_mnt);
65026 -+int gr_acl_handle_filldir(const struct file *file, const char *name,
65027 -+ const unsigned int namelen, const ino_t ino);
65028 -+
65029 -+__u32 gr_acl_handle_unix(const struct dentry *dentry,
65030 -+ const struct vfsmount *mnt);
65031 -+void gr_acl_handle_exit(void);
65032 -+void gr_acl_handle_psacct(struct task_struct *task, const long code);
65033 -+int gr_acl_handle_procpidmem(const struct task_struct *task);
65034 -+__u32 gr_cap_rtnetlink(void);
65035 -+
65036 -+#ifdef CONFIG_SYSVIPC
65037 -+void gr_shm_exit(struct task_struct *task);
65038 -+#else
65039 -+static inline void gr_shm_exit(struct task_struct *task)
65040 -+{
65041 -+ return;
65042 -+}
65043 -+#endif
65044 -+
65045 -+#ifdef CONFIG_GRKERNSEC
65046 -+void gr_handle_mem_write(void);
65047 -+void gr_handle_kmem_write(void);
65048 -+void gr_handle_open_port(void);
65049 -+int gr_handle_mem_mmap(const unsigned long offset,
65050 -+ struct vm_area_struct *vma);
65051 -+
65052 -+extern int grsec_enable_dmesg;
65053 -+extern int grsec_enable_randsrc;
65054 -+extern int grsec_enable_shm;
65055 -+#endif
65056 -+
65057 -+#endif
65058 -diff -Nurp linux-2.6.23.15/include/linux/highmem.h linux-2.6.23.15-grsec/include/linux/highmem.h
65059 ---- linux-2.6.23.15/include/linux/highmem.h 2007-10-09 21:31:38.000000000 +0100
65060 -+++ linux-2.6.23.15-grsec/include/linux/highmem.h 2008-02-11 10:37:45.000000000 +0000
65061 -@@ -124,6 +124,13 @@ static inline void clear_highpage(struct
65062 - kunmap_atomic(kaddr, KM_USER0);
65063 - }
65064 -
65065 -+static inline void sanitize_highpage(struct page *page)
65066 -+{
65067 -+ void *kaddr = kmap_atomic(page, KM_CLEARPAGE);
65068 -+ clear_page(kaddr);
65069 -+ kunmap_atomic(kaddr, KM_CLEARPAGE);
65070 -+}
65071 -+
65072 - /*
65073 - * Same but also flushes aliased cache contents to RAM.
65074 - *
65075 -@@ -132,14 +139,14 @@ static inline void clear_highpage(struct
65076 - */
65077 - #define zero_user_page(page, offset, size, km_type) \
65078 - do { \
65079 -- void *kaddr; \
65080 -+ void *__kaddr; \
65081 - \
65082 - BUG_ON((offset) + (size) > PAGE_SIZE); \
65083 - \
65084 -- kaddr = kmap_atomic(page, km_type); \
65085 -- memset((char *)kaddr + (offset), 0, (size)); \
65086 -+ __kaddr = kmap_atomic(page, km_type); \
65087 -+ memset((char *)__kaddr + (offset), 0, (size)); \
65088 - flush_dcache_page(page); \
65089 -- kunmap_atomic(kaddr, (km_type)); \
65090 -+ kunmap_atomic(__kaddr, (km_type)); \
65091 - } while (0)
65092 -
65093 - static inline void __deprecated memclear_highpage_flush(struct page *page,
65094 -diff -Nurp linux-2.6.23.15/include/linux/irqflags.h linux-2.6.23.15-grsec/include/linux/irqflags.h
65095 ---- linux-2.6.23.15/include/linux/irqflags.h 2007-10-09 21:31:38.000000000 +0100
65096 -+++ linux-2.6.23.15-grsec/include/linux/irqflags.h 2008-02-11 10:37:45.000000000 +0000
65097 -@@ -84,10 +84,10 @@
65098 -
65099 - #define irqs_disabled() \
65100 - ({ \
65101 -- unsigned long flags; \
65102 -+ unsigned long __flags; \
65103 - \
65104 -- raw_local_save_flags(flags); \
65105 -- raw_irqs_disabled_flags(flags); \
65106 -+ raw_local_save_flags(__flags); \
65107 -+ raw_irqs_disabled_flags(__flags); \
65108 - })
65109 -
65110 - #define irqs_disabled_flags(flags) raw_irqs_disabled_flags(flags)
65111 -diff -Nurp linux-2.6.23.15/include/linux/jbd.h linux-2.6.23.15-grsec/include/linux/jbd.h
65112 ---- linux-2.6.23.15/include/linux/jbd.h 2007-10-09 21:31:38.000000000 +0100
65113 -+++ linux-2.6.23.15-grsec/include/linux/jbd.h 2008-02-11 10:37:45.000000000 +0000
65114 -@@ -68,7 +68,7 @@ extern int journal_enable_debug;
65115 - } \
65116 - } while (0)
65117 - #else
65118 --#define jbd_debug(f, a...) /**/
65119 -+#define jbd_debug(f, a...) do {} while (0)
65120 - #endif
65121 -
65122 - extern void * __jbd_kmalloc (const char *where, size_t size, gfp_t flags, int retry);
65123 -diff -Nurp linux-2.6.23.15/include/linux/jbd2.h linux-2.6.23.15-grsec/include/linux/jbd2.h
65124 ---- linux-2.6.23.15/include/linux/jbd2.h 2007-10-09 21:31:38.000000000 +0100
65125 -+++ linux-2.6.23.15-grsec/include/linux/jbd2.h 2008-02-11 10:37:45.000000000 +0000
65126 -@@ -68,7 +68,7 @@ extern u8 jbd2_journal_enable_debug;
65127 - } \
65128 - } while (0)
65129 - #else
65130 --#define jbd_debug(f, a...) /**/
65131 -+#define jbd_debug(f, a...) do {} while (0)
65132 - #endif
65133 -
65134 - extern void * __jbd2_kmalloc (const char *where, size_t size, gfp_t flags, int retry);
65135 -diff -Nurp linux-2.6.23.15/include/linux/libata.h linux-2.6.23.15-grsec/include/linux/libata.h
65136 ---- linux-2.6.23.15/include/linux/libata.h 2008-02-11 10:36:03.000000000 +0000
65137 -+++ linux-2.6.23.15-grsec/include/linux/libata.h 2008-02-11 10:37:45.000000000 +0000
65138 -@@ -63,11 +63,11 @@
65139 - #ifdef ATA_VERBOSE_DEBUG
65140 - #define VPRINTK(fmt, args...) printk(KERN_ERR "%s: " fmt, __FUNCTION__, ## args)
65141 - #else
65142 --#define VPRINTK(fmt, args...)
65143 -+#define VPRINTK(fmt, args...) do {} while (0)
65144 - #endif /* ATA_VERBOSE_DEBUG */
65145 - #else
65146 --#define DPRINTK(fmt, args...)
65147 --#define VPRINTK(fmt, args...)
65148 -+#define DPRINTK(fmt, args...) do {} while (0)
65149 -+#define VPRINTK(fmt, args...) do {} while (0)
65150 - #endif /* ATA_DEBUG */
65151 -
65152 - #define BPRINTK(fmt, args...) if (ap->flags & ATA_FLAG_DEBUGMSG) printk(KERN_ERR "%s: " fmt, __FUNCTION__, ## args)
65153 -diff -Nurp linux-2.6.23.15/include/linux/mm.h linux-2.6.23.15-grsec/include/linux/mm.h
65154 ---- linux-2.6.23.15/include/linux/mm.h 2007-10-09 21:31:38.000000000 +0100
65155 -+++ linux-2.6.23.15-grsec/include/linux/mm.h 2008-02-11 10:37:45.000000000 +0000
65156 -@@ -38,6 +38,7 @@ extern int sysctl_legacy_va_layout;
65157 - #include <asm/page.h>
65158 - #include <asm/pgtable.h>
65159 - #include <asm/processor.h>
65160 -+#include <asm/mman.h>
65161 -
65162 - #define nth_page(page,n) pfn_to_page(page_to_pfn((page)) + (n))
65163 -
65164 -@@ -111,6 +112,8 @@ struct vm_area_struct {
65165 - #ifdef CONFIG_NUMA
65166 - struct mempolicy *vm_policy; /* NUMA policy for the VMA */
65167 - #endif
65168 -+
65169 -+ struct vm_area_struct *vm_mirror;/* PaX: mirror vma or NULL */
65170 - };
65171 -
65172 - extern struct kmem_cache *vm_area_cachep;
65173 -@@ -171,6 +174,14 @@ extern unsigned int kobjsize(const void
65174 -
65175 - #define VM_CAN_NONLINEAR 0x08000000 /* Has ->fault & does nonlinear pages */
65176 -
65177 -+#ifdef CONFIG_PAX_PAGEEXEC
65178 -+#define VM_PAGEEXEC 0x10000000 /* vma->vm_page_prot needs special handling */
65179 -+#endif
65180 -+
65181 -+#ifdef CONFIG_PAX_MPROTECT
65182 -+#define VM_MAYNOTWRITE 0x20000000 /* vma cannot be granted VM_WRITE any more */
65183 -+#endif
65184 -+
65185 - #ifndef VM_STACK_DEFAULT_FLAGS /* arch can override this */
65186 - #define VM_STACK_DEFAULT_FLAGS VM_DATA_DEFAULT_FLAGS
65187 - #endif
65188 -@@ -862,6 +873,8 @@ struct shrinker {
65189 - extern void register_shrinker(struct shrinker *);
65190 - extern void unregister_shrinker(struct shrinker *);
65191 -
65192 -+pgprot_t vm_get_page_prot(unsigned long vm_flags);
65193 -+
65194 - int vma_wants_writenotify(struct vm_area_struct *vma);
65195 -
65196 - extern pte_t *FASTCALL(get_locked_pte(struct mm_struct *mm, unsigned long addr, spinlock_t **ptl));
65197 -@@ -1088,6 +1101,7 @@ out:
65198 - }
65199 -
65200 - extern int do_munmap(struct mm_struct *, unsigned long, size_t);
65201 -+extern int __do_munmap(struct mm_struct *, unsigned long, size_t);
65202 -
65203 - extern unsigned long do_brk(unsigned long, unsigned long);
65204 -
65205 -@@ -1142,6 +1156,10 @@ extern struct vm_area_struct * find_vma(
65206 - extern struct vm_area_struct * find_vma_prev(struct mm_struct * mm, unsigned long addr,
65207 - struct vm_area_struct **pprev);
65208 -
65209 -+extern struct vm_area_struct *pax_find_mirror_vma(struct vm_area_struct *vma);
65210 -+extern void pax_mirror_vma(struct vm_area_struct *vma_m, struct vm_area_struct *vma);
65211 -+extern void pax_mirror_file_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m, spinlock_t *ptl);
65212 -+
65213 - /* Look up the first VMA which intersects the interval start_addr..end_addr-1,
65214 - NULL if none. Assume start_addr < end_addr. */
65215 - static inline struct vm_area_struct * find_vma_intersection(struct mm_struct * mm, unsigned long start_addr, unsigned long end_addr)
65216 -@@ -1158,7 +1176,6 @@ static inline unsigned long vma_pages(st
65217 - return (vma->vm_end - vma->vm_start) >> PAGE_SHIFT;
65218 - }
65219 -
65220 --pgprot_t vm_get_page_prot(unsigned long vm_flags);
65221 - struct vm_area_struct *find_extend_vma(struct mm_struct *, unsigned long addr);
65222 - struct page *vmalloc_to_page(void *addr);
65223 - unsigned long vmalloc_to_pfn(void *addr);
65224 -@@ -1218,5 +1235,11 @@ extern int randomize_va_space;
65225 -
65226 - const char * arch_vma_name(struct vm_area_struct *vma);
65227 -
65228 -+#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
65229 -+extern void track_exec_limit(struct mm_struct *mm, unsigned long start, unsigned long end, unsigned long prot);
65230 -+#else
65231 -+static inline void track_exec_limit(struct mm_struct *mm, unsigned long start, unsigned long end, unsigned long prot) {}
65232 -+#endif
65233 -+
65234 - #endif /* __KERNEL__ */
65235 - #endif /* _LINUX_MM_H */
65236 -diff -Nurp linux-2.6.23.15/include/linux/module.h linux-2.6.23.15-grsec/include/linux/module.h
65237 ---- linux-2.6.23.15/include/linux/module.h 2007-10-09 21:31:38.000000000 +0100
65238 -+++ linux-2.6.23.15-grsec/include/linux/module.h 2008-02-11 10:37:45.000000000 +0000
65239 -@@ -295,16 +295,16 @@ struct module
65240 - int (*init)(void);
65241 -
65242 - /* If this is non-NULL, vfree after init() returns */
65243 -- void *module_init;
65244 -+ void *module_init_rx, *module_init_rw;
65245 -
65246 - /* Here is the actual code + data, vfree'd on unload. */
65247 -- void *module_core;
65248 -+ void *module_core_rx, *module_core_rw;
65249 -
65250 - /* Here are the sizes of the init and core sections */
65251 -- unsigned long init_size, core_size;
65252 -+ unsigned long init_size_rw, core_size_rw;
65253 -
65254 - /* The size of the executable code in each section. */
65255 -- unsigned long init_text_size, core_text_size;
65256 -+ unsigned long init_size_rx, core_size_rx;
65257 -
65258 - /* The handle returned from unwind_add_table. */
65259 - void *unwind_info;
65260 -diff -Nurp linux-2.6.23.15/include/linux/moduleloader.h linux-2.6.23.15-grsec/include/linux/moduleloader.h
65261 ---- linux-2.6.23.15/include/linux/moduleloader.h 2007-10-09 21:31:38.000000000 +0100
65262 -+++ linux-2.6.23.15-grsec/include/linux/moduleloader.h 2008-02-11 10:37:45.000000000 +0000
65263 -@@ -17,9 +17,21 @@ int module_frob_arch_sections(Elf_Ehdr *
65264 - sections. Returns NULL on failure. */
65265 - void *module_alloc(unsigned long size);
65266 -
65267 -+#ifdef CONFIG_PAX_KERNEXEC
65268 -+void *module_alloc_exec(unsigned long size);
65269 -+#else
65270 -+#define module_alloc_exec(x) module_alloc(x)
65271 -+#endif
65272 -+
65273 - /* Free memory returned from module_alloc. */
65274 - void module_free(struct module *mod, void *module_region);
65275 -
65276 -+#ifdef CONFIG_PAX_KERNEXEC
65277 -+void module_free_exec(struct module *mod, void *module_region);
65278 -+#else
65279 -+#define module_free_exec(x, y) module_free(x, y)
65280 -+#endif
65281 -+
65282 - /* Apply the given relocation to the (simplified) ELF. Return -error
65283 - or 0. */
65284 - int apply_relocate(Elf_Shdr *sechdrs,
65285 -diff -Nurp linux-2.6.23.15/include/linux/percpu.h linux-2.6.23.15-grsec/include/linux/percpu.h
65286 ---- linux-2.6.23.15/include/linux/percpu.h 2007-10-09 21:31:38.000000000 +0100
65287 -+++ linux-2.6.23.15-grsec/include/linux/percpu.h 2008-02-11 10:37:45.000000000 +0000
65288 -@@ -18,7 +18,7 @@
65289 - #endif
65290 -
65291 - #define PERCPU_ENOUGH_ROOM \
65292 -- (__per_cpu_end - __per_cpu_start + PERCPU_MODULE_RESERVE)
65293 -+ ((unsigned long)(__per_cpu_end - __per_cpu_start + PERCPU_MODULE_RESERVE))
65294 - #endif /* PERCPU_ENOUGH_ROOM */
65295 -
65296 - /*
65297 -diff -Nurp linux-2.6.23.15/include/linux/random.h linux-2.6.23.15-grsec/include/linux/random.h
65298 ---- linux-2.6.23.15/include/linux/random.h 2007-10-09 21:31:38.000000000 +0100
65299 -+++ linux-2.6.23.15-grsec/include/linux/random.h 2008-02-11 10:37:45.000000000 +0000
65300 -@@ -72,6 +72,11 @@ unsigned long randomize_range(unsigned l
65301 - u32 random32(void);
65302 - void srandom32(u32 seed);
65303 -
65304 -+static inline unsigned long pax_get_random_long(void)
65305 -+{
65306 -+ return random32() + (sizeof(long) > 4 ? (unsigned long)random32() << 32 : 0);
65307 -+}
65308 -+
65309 - #endif /* __KERNEL___ */
65310 -
65311 - #endif /* _LINUX_RANDOM_H */
65312 -diff -Nurp linux-2.6.23.15/include/linux/sched.h linux-2.6.23.15-grsec/include/linux/sched.h
65313 ---- linux-2.6.23.15/include/linux/sched.h 2008-02-11 10:36:03.000000000 +0000
65314 -+++ linux-2.6.23.15-grsec/include/linux/sched.h 2008-02-11 10:37:45.000000000 +0000
65315 -@@ -92,6 +92,7 @@ struct sched_param {
65316 - struct exec_domain;
65317 - struct futex_pi_state;
65318 - struct bio;
65319 -+struct linux_binprm;
65320 -
65321 - /*
65322 - * List of flags we want to share for kernel threads,
65323 -@@ -432,6 +433,24 @@ struct mm_struct {
65324 - /* aio bits */
65325 - rwlock_t ioctx_list_lock;
65326 - struct kioctx *ioctx_list;
65327 -+
65328 -+#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS) || defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
65329 -+ unsigned long pax_flags;
65330 -+#endif
65331 -+
65332 -+#ifdef CONFIG_PAX_DLRESOLVE
65333 -+ unsigned long call_dl_resolve;
65334 -+#endif
65335 -+
65336 -+#if defined(CONFIG_PPC32) && defined(CONFIG_PAX_EMUSIGRT)
65337 -+ unsigned long call_syscall;
65338 -+#endif
65339 -+
65340 -+#ifdef CONFIG_PAX_ASLR
65341 -+ unsigned long delta_mmap; /* randomized offset */
65342 -+ unsigned long delta_stack; /* randomized offset */
65343 -+#endif
65344 -+
65345 - };
65346 -
65347 - struct sighand_struct {
65348 -@@ -556,6 +575,15 @@ struct signal_struct {
65349 - unsigned audit_tty;
65350 - struct tty_audit_buf *tty_audit_buf;
65351 - #endif
65352 -+
65353 -+#ifdef CONFIG_GRKERNSEC
65354 -+ u32 curr_ip;
65355 -+ u32 gr_saddr;
65356 -+ u32 gr_daddr;
65357 -+ u16 gr_sport;
65358 -+ u16 gr_dport;
65359 -+ u8 used_accept:1;
65360 -+#endif
65361 - };
65362 -
65363 - /* Context switch must be unlocked if interrupts are to be enabled */
65364 -@@ -1017,8 +1045,8 @@ struct task_struct {
65365 - struct list_head thread_group;
65366 -
65367 - struct completion *vfork_done; /* for vfork() */
65368 -- int __user *set_child_tid; /* CLONE_CHILD_SETTID */
65369 -- int __user *clear_child_tid; /* CLONE_CHILD_CLEARTID */
65370 -+ pid_t __user *set_child_tid; /* CLONE_CHILD_SETTID */
65371 -+ pid_t __user *clear_child_tid; /* CLONE_CHILD_CLEARTID */
65372 -
65373 - unsigned int rt_priority;
65374 - cputime_t utime, stime;
65375 -@@ -1183,6 +1211,17 @@ struct task_struct {
65376 - struct list_head pi_state_list;
65377 - struct futex_pi_state *pi_state_cache;
65378 -
65379 -+#ifdef CONFIG_GRKERNSEC
65380 -+ /* grsecurity */
65381 -+ struct acl_subject_label *acl;
65382 -+ struct acl_role_label *role;
65383 -+ struct file *exec_file;
65384 -+ u16 acl_role_id;
65385 -+ u8 acl_sp_role:1;
65386 -+ u8 is_writable:1;
65387 -+ u8 brute:1;
65388 -+#endif
65389 -+
65390 - atomic_t fs_excl; /* holding fs exclusive resources */
65391 - struct rcu_head rcu;
65392 -
65393 -@@ -1198,6 +1237,46 @@ struct task_struct {
65394 - #endif
65395 - };
65396 -
65397 -+#define MF_PAX_PAGEEXEC 0x01000000 /* Paging based non-executable pages */
65398 -+#define MF_PAX_EMUTRAMP 0x02000000 /* Emulate trampolines */
65399 -+#define MF_PAX_MPROTECT 0x04000000 /* Restrict mprotect() */
65400 -+#define MF_PAX_RANDMMAP 0x08000000 /* Randomize mmap() base */
65401 -+/*#define MF_PAX_RANDEXEC 0x10000000*/ /* Randomize ET_EXEC base */
65402 -+#define MF_PAX_SEGMEXEC 0x20000000 /* Segmentation based non-executable pages */
65403 -+
65404 -+#ifdef CONFIG_PAX_SOFTMODE
65405 -+extern unsigned int pax_softmode;
65406 -+#endif
65407 -+
65408 -+extern int pax_check_flags(unsigned long *);
65409 -+
65410 -+/* if tsk != current then task_lock must be held on it */
65411 -+#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
65412 -+static inline unsigned long pax_get_flags(struct task_struct *tsk)
65413 -+{
65414 -+ if (likely(tsk->mm))
65415 -+ return tsk->mm->pax_flags;
65416 -+ else
65417 -+ return 0UL;
65418 -+}
65419 -+
65420 -+/* if tsk != current then task_lock must be held on it */
65421 -+static inline long pax_set_flags(struct task_struct *tsk, unsigned long flags)
65422 -+{
65423 -+ if (likely(tsk->mm)) {
65424 -+ tsk->mm->pax_flags = flags;
65425 -+ return 0;
65426 -+ }
65427 -+ return -EINVAL;
65428 -+}
65429 -+#endif
65430 -+
65431 -+#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
65432 -+extern void pax_set_initial_flags(struct linux_binprm *bprm);
65433 -+#elif defined(CONFIG_PAX_HOOK_ACL_FLAGS)
65434 -+extern void (*pax_set_initial_flags_func)(struct linux_binprm *bprm);
65435 -+#endif
65436 -+
65437 - /*
65438 - * Priority of a process goes from 0..MAX_PRIO-1, valid RT
65439 - * priority is 0..MAX_RT_PRIO-1, and SCHED_NORMAL/SCHED_BATCH
65440 -@@ -1831,6 +1910,12 @@ extern void arch_pick_mmap_layout(struct
65441 - static inline void arch_pick_mmap_layout(struct mm_struct *mm)
65442 - {
65443 - mm->mmap_base = TASK_UNMAPPED_BASE;
65444 -+
65445 -+#ifdef CONFIG_PAX_RANDMMAP
65446 -+ if (mm->pax_flags & MF_PAX_RANDMMAP)
65447 -+ mm->mmap_base += mm->delta_mmap;
65448 -+#endif
65449 -+
65450 - mm->get_unmapped_area = arch_get_unmapped_area;
65451 - mm->unmap_area = arch_unmap_area;
65452 - }
65453 -diff -Nurp linux-2.6.23.15/include/linux/screen_info.h linux-2.6.23.15-grsec/include/linux/screen_info.h
65454 ---- linux-2.6.23.15/include/linux/screen_info.h 2007-10-09 21:31:38.000000000 +0100
65455 -+++ linux-2.6.23.15-grsec/include/linux/screen_info.h 2008-02-11 10:37:45.000000000 +0000
65456 -@@ -42,7 +42,8 @@ struct screen_info {
65457 - u16 pages; /* 0x32 */
65458 - u16 vesa_attributes; /* 0x34 */
65459 - u32 capabilities; /* 0x36 */
65460 -- u8 _reserved[6]; /* 0x3a */
65461 -+ u16 vesapm_size; /* 0x3a */
65462 -+ u8 _reserved[4]; /* 0x3c */
65463 - } __attribute__((packed));
65464 -
65465 - extern struct screen_info screen_info;
65466 -diff -Nurp linux-2.6.23.15/include/linux/security.h linux-2.6.23.15-grsec/include/linux/security.h
65467 ---- linux-2.6.23.15/include/linux/security.h 2007-10-09 21:31:38.000000000 +0100
65468 -+++ linux-2.6.23.15-grsec/include/linux/security.h 2008-02-11 10:37:45.000000000 +0000
65469 -@@ -2796,7 +2796,7 @@ static inline struct dentry *securityfs_
65470 - mode_t mode,
65471 - struct dentry *parent,
65472 - void *data,
65473 -- struct file_operations *fops)
65474 -+ const struct file_operations *fops)
65475 - {
65476 - return ERR_PTR(-ENODEV);
65477 - }
65478 -diff -Nurp linux-2.6.23.15/include/linux/shm.h linux-2.6.23.15-grsec/include/linux/shm.h
65479 ---- linux-2.6.23.15/include/linux/shm.h 2007-10-09 21:31:38.000000000 +0100
65480 -+++ linux-2.6.23.15-grsec/include/linux/shm.h 2008-02-11 10:37:45.000000000 +0000
65481 -@@ -86,6 +86,10 @@ struct shmid_kernel /* private to the ke
65482 - pid_t shm_cprid;
65483 - pid_t shm_lprid;
65484 - struct user_struct *mlock_user;
65485 -+#ifdef CONFIG_GRKERNSEC
65486 -+ time_t shm_createtime;
65487 -+ pid_t shm_lapid;
65488 -+#endif
65489 - };
65490 -
65491 - /* shm_mode upper byte flags */
65492 -diff -Nurp linux-2.6.23.15/include/linux/skbuff.h linux-2.6.23.15-grsec/include/linux/skbuff.h
65493 ---- linux-2.6.23.15/include/linux/skbuff.h 2008-02-11 10:36:03.000000000 +0000
65494 -+++ linux-2.6.23.15-grsec/include/linux/skbuff.h 2008-02-11 10:37:45.000000000 +0000
65495 -@@ -385,7 +385,7 @@ extern void skb_truesize_bug(struc
65496 -
65497 - static inline void skb_truesize_check(struct sk_buff *skb)
65498 - {
65499 -- if (unlikely((int)skb->truesize < sizeof(struct sk_buff) + skb->len))
65500 -+ if (unlikely(skb->truesize < sizeof(struct sk_buff) + skb->len))
65501 - skb_truesize_bug(skb);
65502 - }
65503 -
65504 -diff -Nurp linux-2.6.23.15/include/linux/sysctl.h linux-2.6.23.15-grsec/include/linux/sysctl.h
65505 ---- linux-2.6.23.15/include/linux/sysctl.h 2008-02-11 10:36:24.000000000 +0000
65506 -+++ linux-2.6.23.15-grsec/include/linux/sysctl.h 2008-02-11 10:37:45.000000000 +0000
65507 -@@ -168,9 +168,22 @@ enum
65508 - #ifdef CONFIG_ALPHA_UAC_SYSCTL
65509 - KERN_UAC_POLICY=78, /* int: Alpha unaligned access control policy flags */
65510 - #endif /* CONFIG_ALPHA_UAC_SYSCTL */
65511 --};
65512 -
65513 -+#ifdef CONFIG_GRKERNSEC
65514 -+ KERN_GRSECURITY=98, /* grsecurity */
65515 -+#endif
65516 -+
65517 -+#ifdef CONFIG_PAX_SOFTMODE
65518 -+ KERN_PAX=99, /* PaX control */
65519 -+#endif
65520 -+
65521 -+};
65522 -
65523 -+#ifdef CONFIG_PAX_SOFTMODE
65524 -+enum {
65525 -+ PAX_SOFTMODE=1 /* PaX: disable/enable soft mode */
65526 -+};
65527 -+#endif
65528 -
65529 - /* CTL_VM names: */
65530 - enum
65531 -diff -Nurp linux-2.6.23.15/include/linux/uaccess.h linux-2.6.23.15-grsec/include/linux/uaccess.h
65532 ---- linux-2.6.23.15/include/linux/uaccess.h 2007-10-09 21:31:38.000000000 +0100
65533 -+++ linux-2.6.23.15-grsec/include/linux/uaccess.h 2008-02-11 10:37:45.000000000 +0000
65534 -@@ -76,11 +76,11 @@ static inline unsigned long __copy_from_
65535 - long ret; \
65536 - mm_segment_t old_fs = get_fs(); \
65537 - \
65538 -- set_fs(KERNEL_DS); \
65539 - pagefault_disable(); \
65540 -+ set_fs(KERNEL_DS); \
65541 - ret = __get_user(retval, (__force typeof(retval) __user *)(addr)); \
65542 -- pagefault_enable(); \
65543 - set_fs(old_fs); \
65544 -+ pagefault_enable(); \
65545 - ret; \
65546 - })
65547 -
65548 -diff -Nurp linux-2.6.23.15/include/linux/udf_fs.h linux-2.6.23.15-grsec/include/linux/udf_fs.h
65549 ---- linux-2.6.23.15/include/linux/udf_fs.h 2007-10-09 21:31:38.000000000 +0100
65550 -+++ linux-2.6.23.15-grsec/include/linux/udf_fs.h 2008-02-11 10:37:45.000000000 +0000
65551 -@@ -45,7 +45,7 @@
65552 - printk (f, ##a); \
65553 - }
65554 - #else
65555 --#define udf_debug(f, a...) /**/
65556 -+#define udf_debug(f, a...) do {} while (0)
65557 - #endif
65558 -
65559 - #define udf_info(f, a...) \
65560 -diff -Nurp linux-2.6.23.15/include/net/sctp/sctp.h linux-2.6.23.15-grsec/include/net/sctp/sctp.h
65561 ---- linux-2.6.23.15/include/net/sctp/sctp.h 2007-10-09 21:31:38.000000000 +0100
65562 -+++ linux-2.6.23.15-grsec/include/net/sctp/sctp.h 2008-02-11 10:37:45.000000000 +0000
65563 -@@ -317,8 +317,8 @@ extern int sctp_debug_flag;
65564 -
65565 - #else /* SCTP_DEBUG */
65566 -
65567 --#define SCTP_DEBUG_PRINTK(whatever...)
65568 --#define SCTP_DEBUG_PRINTK_IPADDR(whatever...)
65569 -+#define SCTP_DEBUG_PRINTK(whatever...) do {} while (0)
65570 -+#define SCTP_DEBUG_PRINTK_IPADDR(whatever...) do {} while (0)
65571 - #define SCTP_ENABLE_DEBUG
65572 - #define SCTP_DISABLE_DEBUG
65573 - #define SCTP_ASSERT(expr, str, func)
65574 -diff -Nurp linux-2.6.23.15/include/sound/core.h linux-2.6.23.15-grsec/include/sound/core.h
65575 ---- linux-2.6.23.15/include/sound/core.h 2007-10-09 21:31:38.000000000 +0100
65576 -+++ linux-2.6.23.15-grsec/include/sound/core.h 2008-02-11 10:37:45.000000000 +0000
65577 -@@ -396,9 +396,9 @@ void snd_verbose_printd(const char *file
65578 -
65579 - #else /* !CONFIG_SND_DEBUG */
65580 -
65581 --#define snd_printd(fmt, args...) /* nothing */
65582 -+#define snd_printd(fmt, args...) do {} while (0)
65583 - #define snd_assert(expr, args...) (void)(expr)
65584 --#define snd_BUG() /* nothing */
65585 -+#define snd_BUG() do {} while (0)
65586 -
65587 - #endif /* CONFIG_SND_DEBUG */
65588 -
65589 -@@ -412,7 +412,7 @@ void snd_verbose_printd(const char *file
65590 - */
65591 - #define snd_printdd(format, args...) snd_printk(format, ##args)
65592 - #else
65593 --#define snd_printdd(format, args...) /* nothing */
65594 -+#define snd_printdd(format, args...) do {} while (0)
65595 - #endif
65596 -
65597 -
65598 -diff -Nurp linux-2.6.23.15/init/Kconfig linux-2.6.23.15-grsec/init/Kconfig
65599 ---- linux-2.6.23.15/init/Kconfig 2007-10-09 21:31:38.000000000 +0100
65600 -+++ linux-2.6.23.15-grsec/init/Kconfig 2008-02-11 10:37:45.000000000 +0000
65601 -@@ -384,6 +384,7 @@ config SYSCTL_SYSCALL
65602 - config KALLSYMS
65603 - bool "Load all symbols for debugging/ksymoops" if EMBEDDED
65604 - default y
65605 -+ depends on !GRKERNSEC_HIDESYM
65606 - help
65607 - Say Y here to let the kernel print out symbolic crash information and
65608 - symbolic stack backtraces. This increases the size of the kernel
65609 -diff -Nurp linux-2.6.23.15/init/do_mounts.c linux-2.6.23.15-grsec/init/do_mounts.c
65610 ---- linux-2.6.23.15/init/do_mounts.c 2007-10-09 21:31:38.000000000 +0100
65611 -+++ linux-2.6.23.15-grsec/init/do_mounts.c 2008-02-11 10:37:45.000000000 +0000
65612 -@@ -68,11 +68,12 @@ static dev_t try_name(char *name, int pa
65613 -
65614 - /* read device number from .../dev */
65615 -
65616 -- sprintf(path, "/sys/block/%s/dev", name);
65617 -- fd = sys_open(path, 0, 0);
65618 -+ if (sizeof path <= snprintf(path, sizeof path, "/sys/block/%s/dev", name))
65619 -+ goto fail;
65620 -+ fd = sys_open((char __user *)path, 0, 0);
65621 - if (fd < 0)
65622 - goto fail;
65623 -- len = sys_read(fd, buf, 32);
65624 -+ len = sys_read(fd, (char __user *)buf, 32);
65625 - sys_close(fd);
65626 - if (len <= 0 || len == 32 || buf[len - 1] != '\n')
65627 - goto fail;
65628 -@@ -98,11 +99,12 @@ static dev_t try_name(char *name, int pa
65629 - return res;
65630 -
65631 - /* otherwise read range from .../range */
65632 -- sprintf(path, "/sys/block/%s/range", name);
65633 -- fd = sys_open(path, 0, 0);
65634 -+ if (sizeof path <= snprintf(path, sizeof path, "/sys/block/%s/range", name))
65635 -+ goto fail;
65636 -+ fd = sys_open((char __user *)path, 0, 0);
65637 - if (fd < 0)
65638 - goto fail;
65639 -- len = sys_read(fd, buf, 32);
65640 -+ len = sys_read(fd, (char __user *)buf, 32);
65641 - sys_close(fd);
65642 - if (len <= 0 || len == 32 || buf[len - 1] != '\n')
65643 - goto fail;
65644 -@@ -145,8 +147,8 @@ dev_t name_to_dev_t(char *name)
65645 - int part;
65646 -
65647 - #ifdef CONFIG_SYSFS
65648 -- int mkdir_err = sys_mkdir("/sys", 0700);
65649 -- if (sys_mount("sysfs", "/sys", "sysfs", 0, NULL) < 0)
65650 -+ int mkdir_err = sys_mkdir((char __user *)"/sys", 0700);
65651 -+ if (sys_mount((char __user *)"sysfs", (char __user *)"/sys", (char __user *)"sysfs", 0, NULL) < 0)
65652 - goto out;
65653 - #endif
65654 -
65655 -@@ -198,10 +200,10 @@ dev_t name_to_dev_t(char *name)
65656 - res = try_name(s, part);
65657 - done:
65658 - #ifdef CONFIG_SYSFS
65659 -- sys_umount("/sys", 0);
65660 -+ sys_umount((char __user *)"/sys", 0);
65661 - out:
65662 - if (!mkdir_err)
65663 -- sys_rmdir("/sys");
65664 -+ sys_rmdir((char __user *)"/sys");
65665 - #endif
65666 - return res;
65667 - fail:
65668 -@@ -281,11 +283,11 @@ static void __init get_fs_names(char *pa
65669 -
65670 - static int __init do_mount_root(char *name, char *fs, int flags, void *data)
65671 - {
65672 -- int err = sys_mount(name, "/root", fs, flags, data);
65673 -+ int err = sys_mount((char __user *)name, (char __user *)"/root", (char __user *)fs, flags, (void __user *)data);
65674 - if (err)
65675 - return err;
65676 -
65677 -- sys_chdir("/root");
65678 -+ sys_chdir((char __user *)"/root");
65679 - ROOT_DEV = current->fs->pwdmnt->mnt_sb->s_dev;
65680 - printk("VFS: Mounted root (%s filesystem)%s.\n",
65681 - current->fs->pwdmnt->mnt_sb->s_type->name,
65682 -@@ -371,18 +373,18 @@ void __init change_floppy(char *fmt, ...
65683 - va_start(args, fmt);
65684 - vsprintf(buf, fmt, args);
65685 - va_end(args);
65686 -- fd = sys_open("/dev/root", O_RDWR | O_NDELAY, 0);
65687 -+ fd = sys_open((char __user *)"/dev/root", O_RDWR | O_NDELAY, 0);
65688 - if (fd >= 0) {
65689 - sys_ioctl(fd, FDEJECT, 0);
65690 - sys_close(fd);
65691 - }
65692 - printk(KERN_NOTICE "VFS: Insert %s and press ENTER\n", buf);
65693 -- fd = sys_open("/dev/console", O_RDWR, 0);
65694 -+ fd = sys_open((char __user *)"/dev/console", O_RDWR, 0);
65695 - if (fd >= 0) {
65696 - sys_ioctl(fd, TCGETS, (long)&termios);
65697 - termios.c_lflag &= ~ICANON;
65698 - sys_ioctl(fd, TCSETSF, (long)&termios);
65699 -- sys_read(fd, &c, 1);
65700 -+ sys_read(fd, (char __user *)&c, 1);
65701 - termios.c_lflag |= ICANON;
65702 - sys_ioctl(fd, TCSETSF, (long)&termios);
65703 - sys_close(fd);
65704 -@@ -468,8 +470,8 @@ void __init prepare_namespace(void)
65705 -
65706 - mount_root();
65707 - out:
65708 -- sys_mount(".", "/", NULL, MS_MOVE, NULL);
65709 -- sys_chroot(".");
65710 -+ sys_mount((char __user *)".", (char __user *)"/", NULL, MS_MOVE, NULL);
65711 -+ sys_chroot((char __user *)".");
65712 - security_sb_post_mountroot();
65713 - }
65714 -
65715 -diff -Nurp linux-2.6.23.15/init/do_mounts.h linux-2.6.23.15-grsec/init/do_mounts.h
65716 ---- linux-2.6.23.15/init/do_mounts.h 2007-10-09 21:31:38.000000000 +0100
65717 -+++ linux-2.6.23.15-grsec/init/do_mounts.h 2008-02-11 10:37:45.000000000 +0000
65718 -@@ -15,15 +15,15 @@ extern char *root_device_name;
65719 -
65720 - static inline int create_dev(char *name, dev_t dev)
65721 - {
65722 -- sys_unlink(name);
65723 -- return sys_mknod(name, S_IFBLK|0600, new_encode_dev(dev));
65724 -+ sys_unlink((char __user *)name);
65725 -+ return sys_mknod((char __user *)name, S_IFBLK|0600, new_encode_dev(dev));
65726 - }
65727 -
65728 - #if BITS_PER_LONG == 32
65729 - static inline u32 bstat(char *name)
65730 - {
65731 - struct stat64 stat;
65732 -- if (sys_stat64(name, &stat) != 0)
65733 -+ if (sys_stat64((char __user *)name, (struct stat64 __user *)&stat) != 0)
65734 - return 0;
65735 - if (!S_ISBLK(stat.st_mode))
65736 - return 0;
65737 -diff -Nurp linux-2.6.23.15/init/do_mounts_md.c linux-2.6.23.15-grsec/init/do_mounts_md.c
65738 ---- linux-2.6.23.15/init/do_mounts_md.c 2007-10-09 21:31:38.000000000 +0100
65739 -+++ linux-2.6.23.15-grsec/init/do_mounts_md.c 2008-02-11 10:37:45.000000000 +0000
65740 -@@ -167,7 +167,7 @@ static void __init md_setup_drive(void)
65741 - partitioned ? "_d" : "", minor,
65742 - md_setup_args[ent].device_names);
65743 -
65744 -- fd = sys_open(name, 0, 0);
65745 -+ fd = sys_open((char __user *)name, 0, 0);
65746 - if (fd < 0) {
65747 - printk(KERN_ERR "md: open failed - cannot start "
65748 - "array %s\n", name);
65749 -@@ -230,7 +230,7 @@ static void __init md_setup_drive(void)
65750 - * array without it
65751 - */
65752 - sys_close(fd);
65753 -- fd = sys_open(name, 0, 0);
65754 -+ fd = sys_open((char __user *)name, 0, 0);
65755 - sys_ioctl(fd, BLKRRPART, 0);
65756 - }
65757 - sys_close(fd);
65758 -@@ -271,7 +271,7 @@ void __init md_run_setup(void)
65759 - if (raid_noautodetect)
65760 - printk(KERN_INFO "md: Skipping autodetection of RAID arrays. (raid=noautodetect)\n");
65761 - else {
65762 -- int fd = sys_open("/dev/md0", 0, 0);
65763 -+ int fd = sys_open((char __user *)"/dev/md0", 0, 0);
65764 - if (fd >= 0) {
65765 - sys_ioctl(fd, RAID_AUTORUN, raid_autopart);
65766 - sys_close(fd);
65767 -diff -Nurp linux-2.6.23.15/init/initramfs.c linux-2.6.23.15-grsec/init/initramfs.c
65768 ---- linux-2.6.23.15/init/initramfs.c 2007-10-09 21:31:38.000000000 +0100
65769 -+++ linux-2.6.23.15-grsec/init/initramfs.c 2008-02-11 10:37:45.000000000 +0000
65770 -@@ -240,7 +240,7 @@ static int __init maybe_link(void)
65771 - if (nlink >= 2) {
65772 - char *old = find_link(major, minor, ino, mode, collected);
65773 - if (old)
65774 -- return (sys_link(old, collected) < 0) ? -1 : 1;
65775 -+ return (sys_link((char __user *)old, (char __user *)collected) < 0) ? -1 : 1;
65776 - }
65777 - return 0;
65778 - }
65779 -@@ -249,11 +249,11 @@ static void __init clean_path(char *path
65780 - {
65781 - struct stat st;
65782 -
65783 -- if (!sys_newlstat(path, &st) && (st.st_mode^mode) & S_IFMT) {
65784 -+ if (!sys_newlstat((char __user *)path, (struct stat __user *)&st) && (st.st_mode^mode) & S_IFMT) {
65785 - if (S_ISDIR(st.st_mode))
65786 -- sys_rmdir(path);
65787 -+ sys_rmdir((char __user *)path);
65788 - else
65789 -- sys_unlink(path);
65790 -+ sys_unlink((char __user *)path);
65791 - }
65792 - }
65793 -
65794 -@@ -276,7 +276,7 @@ static int __init do_name(void)
65795 - int openflags = O_WRONLY|O_CREAT;
65796 - if (ml != 1)
65797 - openflags |= O_TRUNC;
65798 -- wfd = sys_open(collected, openflags, mode);
65799 -+ wfd = sys_open((char __user *)collected, openflags, mode);
65800 -
65801 - if (wfd >= 0) {
65802 - sys_fchown(wfd, uid, gid);
65803 -@@ -285,15 +285,15 @@ static int __init do_name(void)
65804 - }
65805 - }
65806 - } else if (S_ISDIR(mode)) {
65807 -- sys_mkdir(collected, mode);
65808 -- sys_chown(collected, uid, gid);
65809 -- sys_chmod(collected, mode);
65810 -+ sys_mkdir((char __user *)collected, mode);
65811 -+ sys_chown((char __user *)collected, uid, gid);
65812 -+ sys_chmod((char __user *)collected, mode);
65813 - } else if (S_ISBLK(mode) || S_ISCHR(mode) ||
65814 - S_ISFIFO(mode) || S_ISSOCK(mode)) {
65815 - if (maybe_link() == 0) {
65816 -- sys_mknod(collected, mode, rdev);
65817 -- sys_chown(collected, uid, gid);
65818 -- sys_chmod(collected, mode);
65819 -+ sys_mknod((char __user *)collected, mode, rdev);
65820 -+ sys_chown((char __user *)collected, uid, gid);
65821 -+ sys_chmod((char __user *)collected, mode);
65822 - }
65823 - }
65824 - return 0;
65825 -@@ -302,13 +302,13 @@ static int __init do_name(void)
65826 - static int __init do_copy(void)
65827 - {
65828 - if (count >= body_len) {
65829 -- sys_write(wfd, victim, body_len);
65830 -+ sys_write(wfd, (char __user *)victim, body_len);
65831 - sys_close(wfd);
65832 - eat(body_len);
65833 - state = SkipIt;
65834 - return 0;
65835 - } else {
65836 -- sys_write(wfd, victim, count);
65837 -+ sys_write(wfd, (char __user *)victim, count);
65838 - body_len -= count;
65839 - eat(count);
65840 - return 1;
65841 -@@ -319,8 +319,8 @@ static int __init do_symlink(void)
65842 - {
65843 - collected[N_ALIGN(name_len) + body_len] = '\0';
65844 - clean_path(collected, 0);
65845 -- sys_symlink(collected + N_ALIGN(name_len), collected);
65846 -- sys_lchown(collected, uid, gid);
65847 -+ sys_symlink((char __user *)collected + N_ALIGN(name_len), (char __user *)collected);
65848 -+ sys_lchown((char __user *)collected, uid, gid);
65849 - state = SkipIt;
65850 - next_state = Reset;
65851 - return 0;
65852 -diff -Nurp linux-2.6.23.15/init/main.c linux-2.6.23.15-grsec/init/main.c
65853 ---- linux-2.6.23.15/init/main.c 2007-10-09 21:31:38.000000000 +0100
65854 -+++ linux-2.6.23.15-grsec/init/main.c 2008-02-11 10:37:45.000000000 +0000
65855 -@@ -107,6 +107,7 @@ static inline void mark_rodata_ro(void)
65856 - #ifdef CONFIG_TC
65857 - extern void tc_init(void);
65858 - #endif
65859 -+extern void grsecurity_init(void);
65860 -
65861 - enum system_states system_state;
65862 - EXPORT_SYMBOL(system_state);
65863 -@@ -193,6 +194,17 @@ static int __init set_reset_devices(char
65864 -
65865 - __setup("reset_devices", set_reset_devices);
65866 -
65867 -+#ifdef CONFIG_PAX_SOFTMODE
65868 -+unsigned int pax_softmode;
65869 -+
65870 -+static int __init setup_pax_softmode(char *str)
65871 -+{
65872 -+ get_option(&str, &pax_softmode);
65873 -+ return 1;
65874 -+}
65875 -+__setup("pax_softmode=", setup_pax_softmode);
65876 -+#endif
65877 -+
65878 - static char * argv_init[MAX_INIT_ARGS+2] = { "init", NULL, };
65879 - char * envp_init[MAX_INIT_ENVS+2] = { "HOME=/", "TERM=linux", NULL, };
65880 - static const char *panic_later, *panic_param;
65881 -@@ -854,6 +866,8 @@ static int __init kernel_init(void * unu
65882 - prepare_namespace();
65883 - }
65884 -
65885 -+ grsecurity_init();
65886 -+
65887 - /*
65888 - * Ok, we have completed the initial bootup, and
65889 - * we're essentially up and running. Get rid of the
65890 -diff -Nurp linux-2.6.23.15/init/noinitramfs.c linux-2.6.23.15-grsec/init/noinitramfs.c
65891 ---- linux-2.6.23.15/init/noinitramfs.c 2007-10-09 21:31:38.000000000 +0100
65892 -+++ linux-2.6.23.15-grsec/init/noinitramfs.c 2008-02-11 10:37:45.000000000 +0000
65893 -@@ -29,7 +29,7 @@ static int __init default_rootfs(void)
65894 - {
65895 - int err;
65896 -
65897 -- err = sys_mkdir("/dev", 0755);
65898 -+ err = sys_mkdir((const char __user *)"/dev", 0755);
65899 - if (err < 0)
65900 - goto out;
65901 -
65902 -@@ -39,7 +39,7 @@ static int __init default_rootfs(void)
65903 - if (err < 0)
65904 - goto out;
65905 -
65906 -- err = sys_mkdir("/root", 0700);
65907 -+ err = sys_mkdir((const char __user *)"/root", 0700);
65908 - if (err < 0)
65909 - goto out;
65910 -
65911 -diff -Nurp linux-2.6.23.15/ipc/ipc_sysctl.c linux-2.6.23.15-grsec/ipc/ipc_sysctl.c
65912 ---- linux-2.6.23.15/ipc/ipc_sysctl.c 2007-10-09 21:31:38.000000000 +0100
65913 -+++ linux-2.6.23.15-grsec/ipc/ipc_sysctl.c 2008-02-11 10:37:45.000000000 +0000
65914 -@@ -161,7 +161,7 @@ static struct ctl_table ipc_kern_table[]
65915 - .proc_handler = proc_ipc_dointvec,
65916 - .strategy = sysctl_ipc_data,
65917 - },
65918 -- {}
65919 -+ { 0, NULL, NULL, 0, 0, NULL, NULL, NULL, NULL, NULL, NULL }
65920 - };
65921 -
65922 - static struct ctl_table ipc_root_table[] = {
65923 -@@ -171,7 +171,7 @@ static struct ctl_table ipc_root_table[]
65924 - .mode = 0555,
65925 - .child = ipc_kern_table,
65926 - },
65927 -- {}
65928 -+ { 0, NULL, NULL, 0, 0, NULL, NULL, NULL, NULL, NULL, NULL }
65929 - };
65930 -
65931 - static int __init ipc_sysctl_init(void)
65932 -diff -Nurp linux-2.6.23.15/ipc/msg.c linux-2.6.23.15-grsec/ipc/msg.c
65933 ---- linux-2.6.23.15/ipc/msg.c 2007-10-09 21:31:38.000000000 +0100
65934 -+++ linux-2.6.23.15-grsec/ipc/msg.c 2008-02-11 10:37:45.000000000 +0000
65935 -@@ -36,6 +36,7 @@
65936 - #include <linux/seq_file.h>
65937 - #include <linux/mutex.h>
65938 - #include <linux/nsproxy.h>
65939 -+#include <linux/grsecurity.h>
65940 -
65941 - #include <asm/current.h>
65942 - #include <asm/uaccess.h>
65943 -@@ -286,6 +287,8 @@ asmlinkage long sys_msgget(key_t key, in
65944 - }
65945 - mutex_unlock(&msg_ids(ns).mutex);
65946 -
65947 -+ gr_log_msgget(ret, msgflg);
65948 -+
65949 - return ret;
65950 - }
65951 -
65952 -@@ -552,6 +555,7 @@ asmlinkage long sys_msgctl(int msqid, in
65953 - break;
65954 - }
65955 - case IPC_RMID:
65956 -+ gr_log_msgrm(ipcp->uid, ipcp->cuid);
65957 - freeque(ns, msq, msqid);
65958 - break;
65959 - }
65960 -diff -Nurp linux-2.6.23.15/ipc/sem.c linux-2.6.23.15-grsec/ipc/sem.c
65961 ---- linux-2.6.23.15/ipc/sem.c 2007-10-09 21:31:38.000000000 +0100
65962 -+++ linux-2.6.23.15-grsec/ipc/sem.c 2008-02-11 10:37:45.000000000 +0000
65963 -@@ -82,6 +82,7 @@
65964 - #include <linux/seq_file.h>
65965 - #include <linux/mutex.h>
65966 - #include <linux/nsproxy.h>
65967 -+#include <linux/grsecurity.h>
65968 -
65969 - #include <asm/uaccess.h>
65970 - #include "util.h"
65971 -@@ -293,6 +294,9 @@ asmlinkage long sys_semget (key_t key, i
65972 - }
65973 -
65974 - mutex_unlock(&sem_ids(ns).mutex);
65975 -+
65976 -+ gr_log_semget(err, semflg);
65977 -+
65978 - return err;
65979 - }
65980 -
65981 -@@ -894,6 +898,7 @@ static int semctl_down(struct ipc_namesp
65982 -
65983 - switch(cmd){
65984 - case IPC_RMID:
65985 -+ gr_log_semrm(ipcp->uid, ipcp->cuid);
65986 - freeary(ns, sma, semid);
65987 - err = 0;
65988 - break;
65989 -diff -Nurp linux-2.6.23.15/ipc/shm.c linux-2.6.23.15-grsec/ipc/shm.c
65990 ---- linux-2.6.23.15/ipc/shm.c 2007-10-09 21:31:38.000000000 +0100
65991 -+++ linux-2.6.23.15-grsec/ipc/shm.c 2008-02-11 10:37:45.000000000 +0000
65992 -@@ -38,6 +38,7 @@
65993 - #include <linux/mutex.h>
65994 - #include <linux/nsproxy.h>
65995 - #include <linux/mount.h>
65996 -+#include <linux/grsecurity.h>
65997 -
65998 - #include <asm/uaccess.h>
65999 -
66000 -@@ -77,6 +78,14 @@ static void shm_destroy (struct ipc_name
66001 - static int sysvipc_shm_proc_show(struct seq_file *s, void *it);
66002 - #endif
66003 -
66004 -+#ifdef CONFIG_GRKERNSEC
66005 -+extern int gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
66006 -+ const time_t shm_createtime, const uid_t cuid,
66007 -+ const int shmid);
66008 -+extern int gr_chroot_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
66009 -+ const time_t shm_createtime);
66010 -+#endif
66011 -+
66012 - static void __shm_init_ns(struct ipc_namespace *ns, struct ipc_ids *ids)
66013 - {
66014 - ns->ids[IPC_SHM_IDS] = ids;
66015 -@@ -89,6 +98,8 @@ static void __shm_init_ns(struct ipc_nam
66016 -
66017 - static void do_shm_rmid(struct ipc_namespace *ns, struct shmid_kernel *shp)
66018 - {
66019 -+ gr_log_shmrm(shp->shm_perm.uid, shp->shm_perm.cuid);
66020 -+
66021 - if (shp->shm_nattch){
66022 - shp->shm_perm.mode |= SHM_DEST;
66023 - /* Do not find it any more */
66024 -@@ -216,6 +227,17 @@ static void shm_close(struct vm_area_str
66025 - shp->shm_lprid = current->tgid;
66026 - shp->shm_dtim = get_seconds();
66027 - shp->shm_nattch--;
66028 -+#ifdef CONFIG_GRKERNSEC_SHM
66029 -+ if (grsec_enable_shm) {
66030 -+ if (shp->shm_nattch == 0) {
66031 -+ shp->shm_perm.mode |= SHM_DEST;
66032 -+ shm_destroy(ns, shp);
66033 -+ } else
66034 -+ shm_unlock(shp);
66035 -+ mutex_unlock(&shm_ids(ns).mutex);
66036 -+ return;
66037 -+ }
66038 -+#endif
66039 - if(shp->shm_nattch == 0 &&
66040 - shp->shm_perm.mode & SHM_DEST)
66041 - shm_destroy(ns, shp);
66042 -@@ -395,6 +417,9 @@ static int newseg (struct ipc_namespace
66043 - shp->shm_lprid = 0;
66044 - shp->shm_atim = shp->shm_dtim = 0;
66045 - shp->shm_ctim = get_seconds();
66046 -+#ifdef CONFIG_GRKERNSEC
66047 -+ shp->shm_createtime = get_seconds();
66048 -+#endif
66049 - shp->shm_segsz = size;
66050 - shp->shm_nattch = 0;
66051 - shp->id = shm_buildid(ns, id, shp->shm_perm.seq);
66052 -@@ -452,6 +477,8 @@ asmlinkage long sys_shmget (key_t key, s
66053 - }
66054 - mutex_unlock(&shm_ids(ns).mutex);
66055 -
66056 -+ gr_log_shmget(err, shmflg, size);
66057 -+
66058 - return err;
66059 - }
66060 -
66061 -@@ -905,9 +932,21 @@ long do_shmat(int shmid, char __user *sh
66062 - if (err)
66063 - goto out_unlock;
66064 -
66065 -+#ifdef CONFIG_GRKERNSEC
66066 -+ if (!gr_handle_shmat(shp->shm_cprid, shp->shm_lapid, shp->shm_createtime,
66067 -+ shp->shm_perm.cuid, shmid) ||
66068 -+ !gr_chroot_shmat(shp->shm_cprid, shp->shm_lapid, shp->shm_createtime)) {
66069 -+ err = -EACCES;
66070 -+ goto out_unlock;
66071 -+ }
66072 -+#endif
66073 -+
66074 - path.dentry = dget(shp->shm_file->f_path.dentry);
66075 - path.mnt = mntget(shp->shm_file->f_path.mnt);
66076 - shp->shm_nattch++;
66077 -+#ifdef CONFIG_GRKERNSEC
66078 -+ shp->shm_lapid = current->pid;
66079 -+#endif
66080 - size = i_size_read(path.dentry->d_inode);
66081 - shm_unlock(shp);
66082 -
66083 -@@ -1111,3 +1150,27 @@ static int sysvipc_shm_proc_show(struct
66084 - shp->shm_ctim);
66085 - }
66086 - #endif
66087 -+
66088 -+void gr_shm_exit(struct task_struct *task)
66089 -+{
66090 -+#ifdef CONFIG_GRKERNSEC_SHM
66091 -+ int i;
66092 -+ struct shmid_kernel *shp;
66093 -+ struct ipc_namespace *ns;
66094 -+
66095 -+ ns = current->nsproxy->ipc_ns;
66096 -+
66097 -+ if (!grsec_enable_shm)
66098 -+ return;
66099 -+
66100 -+ for (i = 0; i <= shm_ids(ns).max_id; i++) {
66101 -+ shp = shm_get(ns, i);
66102 -+ if (shp && (shp->shm_cprid == task->pid) &&
66103 -+ (shp->shm_nattch <= 0)) {
66104 -+ shp->shm_perm.mode |= SHM_DEST;
66105 -+ shm_destroy(ns, shp);
66106 -+ }
66107 -+ }
66108 -+#endif
66109 -+ return;
66110 -+}
66111 -diff -Nurp linux-2.6.23.15/kernel/acct.c linux-2.6.23.15-grsec/kernel/acct.c
66112 ---- linux-2.6.23.15/kernel/acct.c 2007-10-09 21:31:38.000000000 +0100
66113 -+++ linux-2.6.23.15-grsec/kernel/acct.c 2008-02-11 10:37:45.000000000 +0000
66114 -@@ -511,7 +511,7 @@ static void do_acct_process(struct file
66115 - */
66116 - flim = current->signal->rlim[RLIMIT_FSIZE].rlim_cur;
66117 - current->signal->rlim[RLIMIT_FSIZE].rlim_cur = RLIM_INFINITY;
66118 -- file->f_op->write(file, (char *)&ac,
66119 -+ file->f_op->write(file, (char __user *)&ac,
66120 - sizeof(acct_t), &file->f_pos);
66121 - current->signal->rlim[RLIMIT_FSIZE].rlim_cur = flim;
66122 - set_fs(fs);
66123 -diff -Nurp linux-2.6.23.15/kernel/capability.c linux-2.6.23.15-grsec/kernel/capability.c
66124 ---- linux-2.6.23.15/kernel/capability.c 2007-10-09 21:31:38.000000000 +0100
66125 -+++ linux-2.6.23.15-grsec/kernel/capability.c 2008-02-11 10:37:45.000000000 +0000
66126 -@@ -12,6 +12,7 @@
66127 - #include <linux/module.h>
66128 - #include <linux/security.h>
66129 - #include <linux/syscalls.h>
66130 -+#include <linux/grsecurity.h>
66131 - #include <asm/uaccess.h>
66132 -
66133 - unsigned securebits = SECUREBITS_DEFAULT; /* systemwide security settings */
66134 -@@ -236,14 +237,25 @@ out:
66135 - return ret;
66136 - }
66137 -
66138 -+extern int gr_task_is_capable(struct task_struct *task, const int cap);
66139 -+extern int gr_is_capable_nolog(const int cap);
66140 -+
66141 - int __capable(struct task_struct *t, int cap)
66142 - {
66143 -- if (security_capable(t, cap) == 0) {
66144 -+ if ((security_capable(t, cap) == 0) && gr_task_is_capable(t, cap)) {
66145 - t->flags |= PF_SUPERPRIV;
66146 - return 1;
66147 - }
66148 - return 0;
66149 - }
66150 -+int capable_nolog(int cap)
66151 -+{
66152 -+ if ((security_capable(current, cap) == 0) && gr_is_capable_nolog(cap)) {
66153 -+ current->flags |= PF_SUPERPRIV;
66154 -+ return 1;
66155 -+ }
66156 -+ return 0;
66157 -+}
66158 - EXPORT_SYMBOL(__capable);
66159 -
66160 - int capable(int cap)
66161 -@@ -251,3 +263,4 @@ int capable(int cap)
66162 - return __capable(current, cap);
66163 - }
66164 - EXPORT_SYMBOL(capable);
66165 -+EXPORT_SYMBOL(capable_nolog);
66166 -diff -Nurp linux-2.6.23.15/kernel/configs.c linux-2.6.23.15-grsec/kernel/configs.c
66167 ---- linux-2.6.23.15/kernel/configs.c 2007-10-09 21:31:38.000000000 +0100
66168 -+++ linux-2.6.23.15-grsec/kernel/configs.c 2008-02-11 10:37:45.000000000 +0000
66169 -@@ -79,8 +79,16 @@ static int __init ikconfig_init(void)
66170 - struct proc_dir_entry *entry;
66171 -
66172 - /* create the current config file */
66173 -+#ifdef CONFIG_GRKERNSEC_PROC_ADD
66174 -+#ifdef CONFIG_GRKERNSEC_PROC_USER
66175 -+ entry = create_proc_entry("config.gz", S_IFREG | S_IRUSR, &proc_root);
66176 -+#elif CONFIG_GRKERNSEC_PROC_USERGROUP
66177 -+ entry = create_proc_entry("config.gz", S_IFREG | S_IRUSR | S_IRGRP, &proc_root);
66178 -+#endif
66179 -+#else
66180 - entry = create_proc_entry("config.gz", S_IFREG | S_IRUGO,
66181 - &proc_root);
66182 -+#endif
66183 - if (!entry)
66184 - return -ENOMEM;
66185 -
66186 -diff -Nurp linux-2.6.23.15/kernel/exit.c linux-2.6.23.15-grsec/kernel/exit.c
66187 ---- linux-2.6.23.15/kernel/exit.c 2008-02-11 10:36:03.000000000 +0000
66188 -+++ linux-2.6.23.15-grsec/kernel/exit.c 2008-02-11 10:37:45.000000000 +0000
66189 -@@ -45,6 +45,11 @@
66190 - #include <linux/blkdev.h>
66191 - #include <linux/task_io_accounting_ops.h>
66192 - #include <linux/freezer.h>
66193 -+#include <linux/grsecurity.h>
66194 -+
66195 -+#ifdef CONFIG_GRKERNSEC
66196 -+extern rwlock_t grsec_exec_file_lock;
66197 -+#endif
66198 -
66199 - #include <asm/uaccess.h>
66200 - #include <asm/unistd.h>
66201 -@@ -123,6 +128,7 @@ static void __exit_signal(struct task_st
66202 -
66203 - __unhash_process(tsk);
66204 -
66205 -+ gr_del_task_from_ip_table(tsk);
66206 - tsk->signal = NULL;
66207 - tsk->sighand = NULL;
66208 - spin_unlock(&sighand->siglock);
66209 -@@ -274,12 +280,23 @@ static void reparent_to_kthreadd(void)
66210 - {
66211 - write_lock_irq(&tasklist_lock);
66212 -
66213 -+#ifdef CONFIG_GRKERNSEC
66214 -+ write_lock(&grsec_exec_file_lock);
66215 -+ if (current->exec_file) {
66216 -+ fput(current->exec_file);
66217 -+ current->exec_file = NULL;
66218 -+ }
66219 -+ write_unlock(&grsec_exec_file_lock);
66220 -+#endif
66221 -+
66222 - ptrace_unlink(current);
66223 - /* Reparent to init */
66224 - remove_parent(current);
66225 - current->real_parent = current->parent = kthreadd_task;
66226 - add_parent(current);
66227 -
66228 -+ gr_set_kernel_label(current);
66229 -+
66230 - /* Set the exit signal to SIGCHLD so we signal init on exit */
66231 - current->exit_signal = SIGCHLD;
66232 -
66233 -@@ -374,6 +391,17 @@ void daemonize(const char *name, ...)
66234 - vsnprintf(current->comm, sizeof(current->comm), name, args);
66235 - va_end(args);
66236 -
66237 -+#ifdef CONFIG_GRKERNSEC
66238 -+ write_lock(&grsec_exec_file_lock);
66239 -+ if (current->exec_file) {
66240 -+ fput(current->exec_file);
66241 -+ current->exec_file = NULL;
66242 -+ }
66243 -+ write_unlock(&grsec_exec_file_lock);
66244 -+#endif
66245 -+
66246 -+ gr_set_kernel_label(current);
66247 -+
66248 - /*
66249 - * If we were started as result of loading a module, close all of the
66250 - * user space pages. We don't need them, and if we didn't close them
66251 -@@ -969,11 +997,15 @@ fastcall NORET_TYPE void do_exit(long co
66252 - tsk->exit_code = code;
66253 - taskstats_exit(tsk, group_dead);
66254 -
66255 -+ gr_acl_handle_psacct(tsk, code);
66256 -+ gr_acl_handle_exit();
66257 -+
66258 - exit_mm(tsk);
66259 -
66260 - if (group_dead)
66261 - acct_process();
66262 - exit_sem(tsk);
66263 -+ gr_shm_exit(tsk);
66264 - __exit_files(tsk);
66265 - __exit_fs(tsk);
66266 - check_stack_usage();
66267 -@@ -1174,7 +1206,7 @@ static int wait_task_zombie(struct task_
66268 - pid_t pid = p->pid;
66269 - uid_t uid = p->uid;
66270 - int exit_code = p->exit_code;
66271 -- int why, status;
66272 -+ int why;
66273 -
66274 - if (unlikely(p->exit_state != EXIT_ZOMBIE))
66275 - return 0;
66276 -diff -Nurp linux-2.6.23.15/kernel/fork.c linux-2.6.23.15-grsec/kernel/fork.c
66277 ---- linux-2.6.23.15/kernel/fork.c 2008-02-11 10:36:03.000000000 +0000
66278 -+++ linux-2.6.23.15-grsec/kernel/fork.c 2008-02-11 10:37:45.000000000 +0000
66279 -@@ -50,6 +50,7 @@
66280 - #include <linux/taskstats_kern.h>
66281 - #include <linux/random.h>
66282 - #include <linux/tty.h>
66283 -+#include <linux/grsecurity.h>
66284 -
66285 - #include <asm/pgtable.h>
66286 - #include <asm/pgalloc.h>
66287 -@@ -181,7 +182,7 @@ static struct task_struct *dup_task_stru
66288 - setup_thread_stack(tsk, orig);
66289 -
66290 - #ifdef CONFIG_CC_STACKPROTECTOR
66291 -- tsk->stack_canary = get_random_int();
66292 -+ tsk->stack_canary = pax_get_random_long();
66293 - #endif
66294 -
66295 - /* One for us, one for whoever does the "release_task()" (usually parent) */
66296 -@@ -203,6 +204,10 @@ static inline int dup_mmap(struct mm_str
66297 - unsigned long charge;
66298 - struct mempolicy *pol;
66299 -
66300 -+#ifdef CONFIG_PAX_SEGMEXEC
66301 -+ struct vm_area_struct *mpnt_m;
66302 -+#endif
66303 -+
66304 - down_write(&oldmm->mmap_sem);
66305 - flush_cache_dup_mm(oldmm);
66306 - /*
66307 -@@ -213,8 +218,8 @@ static inline int dup_mmap(struct mm_str
66308 - mm->locked_vm = 0;
66309 - mm->mmap = NULL;
66310 - mm->mmap_cache = NULL;
66311 -- mm->free_area_cache = oldmm->mmap_base;
66312 -- mm->cached_hole_size = ~0UL;
66313 -+ mm->free_area_cache = oldmm->free_area_cache;
66314 -+ mm->cached_hole_size = oldmm->cached_hole_size;
66315 - mm->map_count = 0;
66316 - cpus_clear(mm->cpu_vm_mask);
66317 - mm->mm_rb = RB_ROOT;
66318 -@@ -233,6 +238,7 @@ static inline int dup_mmap(struct mm_str
66319 - continue;
66320 - }
66321 - charge = 0;
66322 -+
66323 - if (mpnt->vm_flags & VM_ACCOUNT) {
66324 - unsigned int len = (mpnt->vm_end - mpnt->vm_start) >> PAGE_SHIFT;
66325 - if (security_vm_enough_memory(len))
66326 -@@ -251,6 +257,7 @@ static inline int dup_mmap(struct mm_str
66327 - tmp->vm_flags &= ~VM_LOCKED;
66328 - tmp->vm_mm = mm;
66329 - tmp->vm_next = NULL;
66330 -+ tmp->vm_mirror = NULL;
66331 - anon_vma_link(tmp);
66332 - file = tmp->vm_file;
66333 - if (file) {
66334 -@@ -287,6 +294,29 @@ static inline int dup_mmap(struct mm_str
66335 - if (retval)
66336 - goto out;
66337 - }
66338 -+
66339 -+#ifdef CONFIG_PAX_SEGMEXEC
66340 -+ if (oldmm->pax_flags & MF_PAX_SEGMEXEC) {
66341 -+ for (mpnt = oldmm->mmap, mpnt_m = mm->mmap; mpnt; mpnt = mpnt->vm_next, mpnt_m = mpnt_m->vm_next) {
66342 -+ BUG_ON(!mpnt_m || mpnt_m->vm_mirror || mpnt->vm_mm != oldmm || mpnt_m->vm_mm != mm);
66343 -+
66344 -+ if (!mpnt->vm_mirror)
66345 -+ continue;
66346 -+
66347 -+ if (mpnt->vm_end <= SEGMEXEC_TASK_SIZE) {
66348 -+ BUG_ON(mpnt->vm_mirror->vm_mirror != mpnt);
66349 -+ mpnt->vm_mirror = mpnt_m;
66350 -+ } else {
66351 -+ BUG_ON(mpnt->vm_mirror->vm_mirror == mpnt || mpnt->vm_mirror->vm_mirror->vm_mm != mm);
66352 -+ mpnt_m->vm_mirror = mpnt->vm_mirror->vm_mirror;
66353 -+ mpnt_m->vm_mirror->vm_mirror = mpnt_m;
66354 -+ mpnt->vm_mirror->vm_mirror = mpnt;
66355 -+ }
66356 -+ }
66357 -+ BUG_ON(mpnt_m);
66358 -+ }
66359 -+#endif
66360 -+
66361 - /* a new mm has just been created */
66362 - arch_dup_mmap(oldmm, mm);
66363 - retval = 0;
66364 -@@ -464,7 +494,7 @@ void mm_release(struct task_struct *tsk,
66365 - if (tsk->clear_child_tid
66366 - && !(tsk->flags & PF_SIGNALED)
66367 - && atomic_read(&mm->mm_users) > 1) {
66368 -- u32 __user * tidptr = tsk->clear_child_tid;
66369 -+ pid_t __user * tidptr = tsk->clear_child_tid;
66370 - tsk->clear_child_tid = NULL;
66371 -
66372 - /*
66373 -@@ -472,7 +502,7 @@ void mm_release(struct task_struct *tsk,
66374 - * not set up a proper pointer then tough luck.
66375 - */
66376 - put_user(0, tidptr);
66377 -- sys_futex(tidptr, FUTEX_WAKE, 1, NULL, NULL, 0);
66378 -+ sys_futex((u32 __user *)tidptr, FUTEX_WAKE, 1, NULL, NULL, 0);
66379 - }
66380 - }
66381 -
66382 -@@ -1001,6 +1031,9 @@ static struct task_struct *copy_process(
66383 - DEBUG_LOCKS_WARN_ON(!p->softirqs_enabled);
66384 - #endif
66385 - retval = -EAGAIN;
66386 -+
66387 -+ gr_learn_resource(p, RLIMIT_NPROC, atomic_read(&p->user->processes), 0);
66388 -+
66389 - if (atomic_read(&p->user->processes) >=
66390 - p->signal->rlim[RLIMIT_NPROC].rlim_cur) {
66391 - if (!capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE) &&
66392 -@@ -1140,6 +1173,8 @@ static struct task_struct *copy_process(
66393 - if (retval)
66394 - goto bad_fork_cleanup_namespaces;
66395 -
66396 -+ gr_copy_label(p);
66397 -+
66398 - p->set_child_tid = (clone_flags & CLONE_CHILD_SETTID) ? child_tidptr : NULL;
66399 - /*
66400 - * Clear TID on mm_release()?
66401 -@@ -1318,6 +1353,8 @@ bad_fork_cleanup_count:
66402 - bad_fork_free:
66403 - free_task(p);
66404 - fork_out:
66405 -+ gr_log_forkfail(retval);
66406 -+
66407 - return ERR_PTR(retval);
66408 - }
66409 -
66410 -@@ -1391,6 +1428,8 @@ long do_fork(unsigned long clone_flags,
66411 - if (!IS_ERR(p)) {
66412 - struct completion vfork;
66413 -
66414 -+ gr_handle_brute_check();
66415 -+
66416 - if (clone_flags & CLONE_VFORK) {
66417 - p->vfork_done = &vfork;
66418 - init_completion(&vfork);
66419 -diff -Nurp linux-2.6.23.15/kernel/futex.c linux-2.6.23.15-grsec/kernel/futex.c
66420 ---- linux-2.6.23.15/kernel/futex.c 2008-02-11 10:36:03.000000000 +0000
66421 -+++ linux-2.6.23.15-grsec/kernel/futex.c 2008-02-11 10:37:45.000000000 +0000
66422 -@@ -186,6 +186,11 @@ int get_futex_key(u32 __user *uaddr, str
66423 - struct page *page;
66424 - int err;
66425 -
66426 -+#ifdef CONFIG_PAX_SEGMEXEC
66427 -+ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && address >= SEGMEXEC_TASK_SIZE)
66428 -+ return -EFAULT;
66429 -+#endif
66430 -+
66431 - /*
66432 - * The futex address must be "naturally" aligned.
66433 - */
66434 -@@ -212,8 +217,8 @@ int get_futex_key(u32 __user *uaddr, str
66435 - * The futex is hashed differently depending on whether
66436 - * it's in a shared or private mapping. So check vma first.
66437 - */
66438 -- vma = find_extend_vma(mm, address);
66439 -- if (unlikely(!vma))
66440 -+ vma = find_vma(mm, address);
66441 -+ if (unlikely(!vma || address < vma->vm_start))
66442 - return -EFAULT;
66443 -
66444 - /*
66445 -@@ -1922,7 +1927,7 @@ retry:
66446 - */
66447 - static inline int fetch_robust_entry(struct robust_list __user **entry,
66448 - struct robust_list __user * __user *head,
66449 -- int *pi)
66450 -+ unsigned int *pi)
66451 - {
66452 - unsigned long uentry;
66453 -
66454 -diff -Nurp linux-2.6.23.15/kernel/irq/handle.c linux-2.6.23.15-grsec/kernel/irq/handle.c
66455 ---- linux-2.6.23.15/kernel/irq/handle.c 2007-10-09 21:31:38.000000000 +0100
66456 -+++ linux-2.6.23.15-grsec/kernel/irq/handle.c 2008-02-11 10:37:45.000000000 +0000
66457 -@@ -55,7 +55,8 @@ struct irq_desc irq_desc[NR_IRQS] __cach
66458 - .depth = 1,
66459 - .lock = __SPIN_LOCK_UNLOCKED(irq_desc->lock),
66460 - #ifdef CONFIG_SMP
66461 -- .affinity = CPU_MASK_ALL
66462 -+ .affinity = CPU_MASK_ALL,
66463 -+ .cpu = 0,
66464 - #endif
66465 - }
66466 - };
66467 -diff -Nurp linux-2.6.23.15/kernel/kallsyms.c linux-2.6.23.15-grsec/kernel/kallsyms.c
66468 ---- linux-2.6.23.15/kernel/kallsyms.c 2007-10-09 21:31:38.000000000 +0100
66469 -+++ linux-2.6.23.15-grsec/kernel/kallsyms.c 2008-02-11 10:37:45.000000000 +0000
66470 -@@ -65,6 +65,19 @@ static inline int is_kernel_text(unsigne
66471 -
66472 - static inline int is_kernel(unsigned long addr)
66473 - {
66474 -+
66475 -+#ifdef CONFIG_PAX_KERNEXEC
66476 -+
66477 -+#ifdef CONFIG_MODULES
66478 -+ if ((unsigned long)MODULES_VADDR <= addr + __KERNEL_TEXT_OFFSET &&
66479 -+ addr + __KERNEL_TEXT_OFFSET < (unsigned long)MODULES_END)
66480 -+ return 0;
66481 -+#endif
66482 -+
66483 -+ if (is_kernel_inittext(addr))
66484 -+ return 1;
66485 -+#endif
66486 -+
66487 - if (addr >= (unsigned long)_stext && addr <= (unsigned long)_end)
66488 - return 1;
66489 - return in_gate_area_no_task(addr);
66490 -@@ -373,7 +386,6 @@ static unsigned long get_ksymbol_core(st
66491 -
66492 - static void reset_iter(struct kallsym_iter *iter, loff_t new_pos)
66493 - {
66494 -- iter->name[0] = '\0';
66495 - iter->nameoff = get_symbol_offset(new_pos);
66496 - iter->pos = new_pos;
66497 - }
66498 -@@ -457,7 +469,7 @@ static int kallsyms_open(struct inode *i
66499 - struct kallsym_iter *iter;
66500 - int ret;
66501 -
66502 -- iter = kmalloc(sizeof(*iter), GFP_KERNEL);
66503 -+ iter = kzalloc(sizeof(*iter), GFP_KERNEL);
66504 - if (!iter)
66505 - return -ENOMEM;
66506 - reset_iter(iter, 0);
66507 -@@ -481,7 +493,15 @@ static int __init kallsyms_init(void)
66508 - {
66509 - struct proc_dir_entry *entry;
66510 -
66511 -+#ifdef CONFIG_GRKERNSEC_PROC_ADD
66512 -+#ifdef CONFIG_GRKERNSEC_PROC_USER
66513 -+ entry = create_proc_entry("kallsyms", S_IFREG | S_IRUSR, NULL);
66514 -+#elif CONFIG_GRKERNSEC_PROC_USERGROUP
66515 -+ entry = create_proc_entry("kallsyms", S_IFREG | S_IRUSR | S_IRGRP, NULL);
66516 -+#endif
66517 -+#else
66518 - entry = create_proc_entry("kallsyms", 0444, NULL);
66519 -+#endif
66520 - if (entry)
66521 - entry->proc_fops = &kallsyms_operations;
66522 - return 0;
66523 -diff -Nurp linux-2.6.23.15/kernel/kprobes.c linux-2.6.23.15-grsec/kernel/kprobes.c
66524 ---- linux-2.6.23.15/kernel/kprobes.c 2007-10-09 21:31:38.000000000 +0100
66525 -+++ linux-2.6.23.15-grsec/kernel/kprobes.c 2008-02-11 10:37:45.000000000 +0000
66526 -@@ -168,7 +168,7 @@ kprobe_opcode_t __kprobes *get_insn_slot
66527 - * kernel image and loaded module images reside. This is required
66528 - * so x86_64 can correctly handle the %rip-relative fixups.
66529 - */
66530 -- kip->insns = module_alloc(PAGE_SIZE);
66531 -+ kip->insns = module_alloc_exec(PAGE_SIZE);
66532 - if (!kip->insns) {
66533 - kfree(kip);
66534 - return NULL;
66535 -@@ -200,7 +200,7 @@ static int __kprobes collect_one_slot(st
66536 - hlist_add_head(&kip->hlist,
66537 - &kprobe_insn_pages);
66538 - } else {
66539 -- module_free(NULL, kip->insns);
66540 -+ module_free_exec(NULL, kip->insns);
66541 - kfree(kip);
66542 - }
66543 - return 1;
66544 -diff -Nurp linux-2.6.23.15/kernel/module.c linux-2.6.23.15-grsec/kernel/module.c
66545 ---- linux-2.6.23.15/kernel/module.c 2007-10-09 21:31:38.000000000 +0100
66546 -+++ linux-2.6.23.15-grsec/kernel/module.c 2008-02-11 10:37:45.000000000 +0000
66547 -@@ -44,6 +44,11 @@
66548 - #include <asm/uaccess.h>
66549 - #include <asm/semaphore.h>
66550 - #include <asm/cacheflush.h>
66551 -+
66552 -+#ifdef CONFIG_PAX_KERNEXEC
66553 -+#include <asm/desc.h>
66554 -+#endif
66555 -+
66556 - #include <linux/license.h>
66557 -
66558 - extern int module_sysfs_initialized;
66559 -@@ -68,6 +73,8 @@ static LIST_HEAD(modules);
66560 -
66561 - static BLOCKING_NOTIFIER_HEAD(module_notify_list);
66562 -
66563 -+extern int gr_check_modstop(void);
66564 -+
66565 - int register_module_notifier(struct notifier_block * nb)
66566 - {
66567 - return blocking_notifier_chain_register(&module_notify_list, nb);
66568 -@@ -347,7 +354,7 @@ static void *percpu_modalloc(unsigned lo
66569 - unsigned int i;
66570 - void *ptr;
66571 -
66572 -- if (align > PAGE_SIZE) {
66573 -+ if (align-1 >= PAGE_SIZE) {
66574 - printk(KERN_WARNING "%s: per-cpu alignment %li > %li\n",
66575 - name, align, PAGE_SIZE);
66576 - align = PAGE_SIZE;
66577 -@@ -660,6 +667,9 @@ sys_delete_module(const char __user *nam
66578 - char name[MODULE_NAME_LEN];
66579 - int ret, forced = 0;
66580 -
66581 -+ if (gr_check_modstop())
66582 -+ return -EPERM;
66583 -+
66584 - if (!capable(CAP_SYS_MODULE))
66585 - return -EPERM;
66586 -
66587 -@@ -1209,16 +1219,19 @@ static void free_module(struct module *m
66588 - module_unload_free(mod);
66589 -
66590 - /* This may be NULL, but that's OK */
66591 -- module_free(mod, mod->module_init);
66592 -+ module_free(mod, mod->module_init_rw);
66593 -+ module_free_exec(mod, mod->module_init_rx);
66594 - kfree(mod->args);
66595 - if (mod->percpu)
66596 - percpu_modfree(mod->percpu);
66597 -
66598 - /* Free lock-classes: */
66599 -- lockdep_free_key_range(mod->module_core, mod->core_size);
66600 -+ lockdep_free_key_range(mod->module_core_rx, mod->core_size_rx);
66601 -+ lockdep_free_key_range(mod->module_core_rw, mod->core_size_rw);
66602 -
66603 - /* Finally, free the core (containing the module structure) */
66604 -- module_free(mod, mod->module_core);
66605 -+ module_free_exec(mod, mod->module_core_rx);
66606 -+ module_free(mod, mod->module_core_rw);
66607 - }
66608 -
66609 - void *__symbol_get(const char *symbol)
66610 -@@ -1279,10 +1292,14 @@ static int simplify_symbols(Elf_Shdr *se
66611 - struct module *mod)
66612 - {
66613 - Elf_Sym *sym = (void *)sechdrs[symindex].sh_addr;
66614 -- unsigned long secbase;
66615 -+ unsigned long secbase, symbol;
66616 - unsigned int i, n = sechdrs[symindex].sh_size / sizeof(Elf_Sym);
66617 - int ret = 0;
66618 -
66619 -+#ifdef CONFIG_PAX_KERNEXEC
66620 -+ unsigned long cr0;
66621 -+#endif
66622 -+
66623 - for (i = 1; i < n; i++) {
66624 - switch (sym[i].st_shndx) {
66625 - case SHN_COMMON:
66626 -@@ -1301,10 +1318,19 @@ static int simplify_symbols(Elf_Shdr *se
66627 - break;
66628 -
66629 - case SHN_UNDEF:
66630 -- sym[i].st_value
66631 -- = resolve_symbol(sechdrs, versindex,
66632 -+ symbol = resolve_symbol(sechdrs, versindex,
66633 - strtab + sym[i].st_name, mod);
66634 -
66635 -+#ifdef CONFIG_PAX_KERNEXEC
66636 -+ pax_open_kernel(cr0);
66637 -+#endif
66638 -+
66639 -+ sym[i].st_value = symbol;
66640 -+
66641 -+#ifdef CONFIG_PAX_KERNEXEC
66642 -+ pax_close_kernel(cr0);
66643 -+#endif
66644 -+
66645 - /* Ok if resolved. */
66646 - if (sym[i].st_value != 0)
66647 - break;
66648 -@@ -1319,11 +1345,27 @@ static int simplify_symbols(Elf_Shdr *se
66649 -
66650 - default:
66651 - /* Divert to percpu allocation if a percpu var. */
66652 -- if (sym[i].st_shndx == pcpuindex)
66653 -+ if (sym[i].st_shndx == pcpuindex) {
66654 -+
66655 -+#if defined(CONFIG_X86_32) && defined(CONFIG_SMP)
66656 -+ secbase = (unsigned long)mod->percpu - (unsigned long)__per_cpu_start;
66657 -+#else
66658 - secbase = (unsigned long)mod->percpu;
66659 -- else
66660 -+#endif
66661 -+
66662 -+ } else
66663 - secbase = sechdrs[sym[i].st_shndx].sh_addr;
66664 -+
66665 -+#ifdef CONFIG_PAX_KERNEXEC
66666 -+ pax_open_kernel(cr0);
66667 -+#endif
66668 -+
66669 - sym[i].st_value += secbase;
66670 -+
66671 -+#ifdef CONFIG_PAX_KERNEXEC
66672 -+ pax_close_kernel(cr0);
66673 -+#endif
66674 -+
66675 - break;
66676 - }
66677 - }
66678 -@@ -1375,11 +1417,14 @@ static void layout_sections(struct modul
66679 - || strncmp(secstrings + s->sh_name,
66680 - ".init", 5) == 0)
66681 - continue;
66682 -- s->sh_entsize = get_offset(&mod->core_size, s);
66683 -+ if ((s->sh_flags & SHF_WRITE) || !(s->sh_flags & SHF_ALLOC))
66684 -+ s->sh_entsize = get_offset(&mod->core_size_rw, s);
66685 -+ else
66686 -+ s->sh_entsize = get_offset(&mod->core_size_rx, s);
66687 - DEBUGP("\t%s\n", secstrings + s->sh_name);
66688 - }
66689 - if (m == 0)
66690 -- mod->core_text_size = mod->core_size;
66691 -+ mod->core_size_rx = mod->core_size_rx;
66692 - }
66693 -
66694 - DEBUGP("Init section allocation order:\n");
66695 -@@ -1393,12 +1438,15 @@ static void layout_sections(struct modul
66696 - || strncmp(secstrings + s->sh_name,
66697 - ".init", 5) != 0)
66698 - continue;
66699 -- s->sh_entsize = (get_offset(&mod->init_size, s)
66700 -- | INIT_OFFSET_MASK);
66701 -+ if ((s->sh_flags & SHF_WRITE) || !(s->sh_flags & SHF_ALLOC))
66702 -+ s->sh_entsize = get_offset(&mod->init_size_rw, s);
66703 -+ else
66704 -+ s->sh_entsize = get_offset(&mod->init_size_rx, s);
66705 -+ s->sh_entsize |= INIT_OFFSET_MASK;
66706 - DEBUGP("\t%s\n", secstrings + s->sh_name);
66707 - }
66708 - if (m == 0)
66709 -- mod->init_text_size = mod->init_size;
66710 -+ mod->init_size_rx = mod->init_size_rx;
66711 - }
66712 - }
66713 -
66714 -@@ -1525,14 +1573,31 @@ static void add_kallsyms(struct module *
66715 - {
66716 - unsigned int i;
66717 -
66718 -+#ifdef CONFIG_PAX_KERNEXEC
66719 -+ unsigned long cr0;
66720 -+#endif
66721 -+
66722 - mod->symtab = (void *)sechdrs[symindex].sh_addr;
66723 - mod->num_symtab = sechdrs[symindex].sh_size / sizeof(Elf_Sym);
66724 - mod->strtab = (void *)sechdrs[strindex].sh_addr;
66725 -
66726 - /* Set types up while we still have access to sections. */
66727 -- for (i = 0; i < mod->num_symtab; i++)
66728 -- mod->symtab[i].st_info
66729 -- = elf_type(&mod->symtab[i], sechdrs, secstrings, mod);
66730 -+
66731 -+ for (i = 0; i < mod->num_symtab; i++) {
66732 -+ char type = elf_type(&mod->symtab[i], sechdrs, secstrings, mod);
66733 -+
66734 -+#ifdef CONFIG_PAX_KERNEXEC
66735 -+ pax_open_kernel(cr0);
66736 -+#endif
66737 -+
66738 -+ mod->symtab[i].st_info = type;
66739 -+
66740 -+#ifdef CONFIG_PAX_KERNEXEC
66741 -+ pax_close_kernel(cr0);
66742 -+#endif
66743 -+
66744 -+ }
66745 -+
66746 - }
66747 - #else
66748 - static inline void add_kallsyms(struct module *mod,
66749 -@@ -1580,6 +1645,10 @@ static struct module *load_module(void _
66750 - struct exception_table_entry *extable;
66751 - mm_segment_t old_fs;
66752 -
66753 -+#ifdef CONFIG_PAX_KERNEXEC
66754 -+ unsigned long cr0;
66755 -+#endif
66756 -+
66757 - DEBUGP("load_module: umod=%p, len=%lu, uargs=%p\n",
66758 - umod, len, uargs);
66759 - if (len < sizeof(*hdr))
66760 -@@ -1738,21 +1807,57 @@ static struct module *load_module(void _
66761 - layout_sections(mod, hdr, sechdrs, secstrings);
66762 -
66763 - /* Do the allocs. */
66764 -- ptr = module_alloc(mod->core_size);
66765 -+ ptr = module_alloc(mod->core_size_rw);
66766 - if (!ptr) {
66767 - err = -ENOMEM;
66768 - goto free_percpu;
66769 - }
66770 -- memset(ptr, 0, mod->core_size);
66771 -- mod->module_core = ptr;
66772 -+ memset(ptr, 0, mod->core_size_rw);
66773 -+ mod->module_core_rw = ptr;
66774 -+
66775 -+ ptr = module_alloc(mod->init_size_rw);
66776 -+ if (!ptr && mod->init_size_rw) {
66777 -+ err = -ENOMEM;
66778 -+ goto free_core_rw;
66779 -+ }
66780 -+ memset(ptr, 0, mod->init_size_rw);
66781 -+ mod->module_init_rw = ptr;
66782 -+
66783 -+ ptr = module_alloc_exec(mod->core_size_rx);
66784 -+ if (!ptr) {
66785 -+ err = -ENOMEM;
66786 -+ goto free_init_rw;
66787 -+ }
66788 -+
66789 -+#ifdef CONFIG_PAX_KERNEXEC
66790 -+ pax_open_kernel(cr0);
66791 -+#endif
66792 -
66793 -- ptr = module_alloc(mod->init_size);
66794 -- if (!ptr && mod->init_size) {
66795 -+ memset(ptr, 0, mod->core_size_rx);
66796 -+
66797 -+#ifdef CONFIG_PAX_KERNEXEC
66798 -+ pax_close_kernel(cr0);
66799 -+#endif
66800 -+
66801 -+ mod->module_core_rx = ptr;
66802 -+
66803 -+ ptr = module_alloc_exec(mod->init_size_rx);
66804 -+ if (!ptr && mod->init_size_rx) {
66805 - err = -ENOMEM;
66806 -- goto free_core;
66807 -+ goto free_core_rx;
66808 - }
66809 -- memset(ptr, 0, mod->init_size);
66810 -- mod->module_init = ptr;
66811 -+
66812 -+#ifdef CONFIG_PAX_KERNEXEC
66813 -+ pax_open_kernel(cr0);
66814 -+#endif
66815 -+
66816 -+ memset(ptr, 0, mod->init_size_rx);
66817 -+
66818 -+#ifdef CONFIG_PAX_KERNEXEC
66819 -+ pax_close_kernel(cr0);
66820 -+#endif
66821 -+
66822 -+ mod->module_init_rx = ptr;
66823 -
66824 - /* Transfer each section which specifies SHF_ALLOC */
66825 - DEBUGP("final section addresses:\n");
66826 -@@ -1762,17 +1867,41 @@ static struct module *load_module(void _
66827 - if (!(sechdrs[i].sh_flags & SHF_ALLOC))
66828 - continue;
66829 -
66830 -- if (sechdrs[i].sh_entsize & INIT_OFFSET_MASK)
66831 -- dest = mod->module_init
66832 -- + (sechdrs[i].sh_entsize & ~INIT_OFFSET_MASK);
66833 -- else
66834 -- dest = mod->module_core + sechdrs[i].sh_entsize;
66835 -+ if (sechdrs[i].sh_entsize & INIT_OFFSET_MASK) {
66836 -+ if ((sechdrs[i].sh_flags & SHF_WRITE) || !(sechdrs[i].sh_flags & SHF_ALLOC))
66837 -+ dest = mod->module_init_rw
66838 -+ + (sechdrs[i].sh_entsize & ~INIT_OFFSET_MASK);
66839 -+ else
66840 -+ dest = mod->module_init_rx
66841 -+ + (sechdrs[i].sh_entsize & ~INIT_OFFSET_MASK);
66842 -+ } else {
66843 -+ if ((sechdrs[i].sh_flags & SHF_WRITE) || !(sechdrs[i].sh_flags & SHF_ALLOC))
66844 -+ dest = mod->module_core_rw + sechdrs[i].sh_entsize;
66845 -+ else
66846 -+ dest = mod->module_core_rx + sechdrs[i].sh_entsize;
66847 -+ }
66848 -+
66849 -+ if (sechdrs[i].sh_type != SHT_NOBITS) {
66850 -
66851 -- if (sechdrs[i].sh_type != SHT_NOBITS)
66852 -- memcpy(dest, (void *)sechdrs[i].sh_addr,
66853 -- sechdrs[i].sh_size);
66854 -+#ifdef CONFIG_PAX_KERNEXEC
66855 -+ if (!(sechdrs[i].sh_flags & SHF_WRITE) && (sechdrs[i].sh_flags & SHF_ALLOC)) {
66856 -+ pax_open_kernel(cr0);
66857 -+ memcpy(dest, (void *)sechdrs[i].sh_addr, sechdrs[i].sh_size);
66858 -+ pax_close_kernel(cr0);
66859 -+ } else
66860 -+#endif
66861 -+
66862 -+ memcpy(dest, (void *)sechdrs[i].sh_addr, sechdrs[i].sh_size);
66863 -+ }
66864 - /* Update sh_addr to point to copy in image. */
66865 -- sechdrs[i].sh_addr = (unsigned long)dest;
66866 -+
66867 -+#ifdef CONFIG_PAX_KERNEXEC
66868 -+ if (sechdrs[i].sh_flags & SHF_EXECINSTR)
66869 -+ sechdrs[i].sh_addr = (unsigned long)dest - __KERNEL_TEXT_OFFSET;
66870 -+ else
66871 -+#endif
66872 -+
66873 -+ sechdrs[i].sh_addr = (unsigned long)dest;
66874 - DEBUGP("\t0x%lx %s\n", sechdrs[i].sh_addr, secstrings + sechdrs[i].sh_name);
66875 - }
66876 - /* Module has been moved. */
66877 -@@ -1892,12 +2021,12 @@ static struct module *load_module(void _
66878 - * Do it before processing of module parameters, so the module
66879 - * can provide parameter accessor functions of its own.
66880 - */
66881 -- if (mod->module_init)
66882 -- flush_icache_range((unsigned long)mod->module_init,
66883 -- (unsigned long)mod->module_init
66884 -- + mod->init_size);
66885 -- flush_icache_range((unsigned long)mod->module_core,
66886 -- (unsigned long)mod->module_core + mod->core_size);
66887 -+ if (mod->module_init_rx)
66888 -+ flush_icache_range((unsigned long)mod->module_init_rx,
66889 -+ (unsigned long)mod->module_init_rx
66890 -+ + mod->init_size_rx);
66891 -+ flush_icache_range((unsigned long)mod->module_core_rx,
66892 -+ (unsigned long)mod->module_core_rx + mod->core_size_rx);
66893 -
66894 - set_fs(old_fs);
66895 -
66896 -@@ -1940,9 +2069,13 @@ static struct module *load_module(void _
66897 - module_arch_cleanup(mod);
66898 - cleanup:
66899 - module_unload_free(mod);
66900 -- module_free(mod, mod->module_init);
66901 -- free_core:
66902 -- module_free(mod, mod->module_core);
66903 -+ module_free_exec(mod, mod->module_init_rx);
66904 -+ free_core_rx:
66905 -+ module_free_exec(mod, mod->module_core_rx);
66906 -+ free_init_rw:
66907 -+ module_free(mod, mod->module_init_rw);
66908 -+ free_core_rw:
66909 -+ module_free(mod, mod->module_core_rw);
66910 - free_percpu:
66911 - if (percpu)
66912 - percpu_modfree(percpu);
66913 -@@ -1978,6 +2111,9 @@ sys_init_module(void __user *umod,
66914 - struct module *mod;
66915 - int ret = 0;
66916 -
66917 -+ if (gr_check_modstop())
66918 -+ return -EPERM;
66919 -+
66920 - /* Must have permission */
66921 - if (!capable(CAP_SYS_MODULE))
66922 - return -EPERM;
66923 -@@ -2029,10 +2165,12 @@ sys_init_module(void __user *umod,
66924 - /* Drop initial reference. */
66925 - module_put(mod);
66926 - unwind_remove_table(mod->unwind_info, 1);
66927 -- module_free(mod, mod->module_init);
66928 -- mod->module_init = NULL;
66929 -- mod->init_size = 0;
66930 -- mod->init_text_size = 0;
66931 -+ module_free(mod, mod->module_init_rw);
66932 -+ module_free_exec(mod, mod->module_init_rx);
66933 -+ mod->module_init_rw = NULL;
66934 -+ mod->module_init_rx = NULL;
66935 -+ mod->init_size_rw = 0;
66936 -+ mod->init_size_rx = 0;
66937 - mutex_unlock(&module_mutex);
66938 -
66939 - return 0;
66940 -@@ -2040,6 +2178,13 @@ sys_init_module(void __user *umod,
66941 -
66942 - static inline int within(unsigned long addr, void *start, unsigned long size)
66943 - {
66944 -+
66945 -+#ifdef CONFIG_PAX_KERNEXEC
66946 -+ if (addr + __KERNEL_TEXT_OFFSET >= (unsigned long)start &&
66947 -+ addr + __KERNEL_TEXT_OFFSET < (unsigned long)start + size)
66948 -+ return 1;
66949 -+#endif
66950 -+
66951 - return ((void *)addr >= start && (void *)addr < start + size);
66952 - }
66953 -
66954 -@@ -2063,10 +2208,14 @@ static const char *get_ksymbol(struct mo
66955 - unsigned long nextval;
66956 -
66957 - /* At worse, next value is at end of module */
66958 -- if (within(addr, mod->module_init, mod->init_size))
66959 -- nextval = (unsigned long)mod->module_init+mod->init_text_size;
66960 -- else
66961 -- nextval = (unsigned long)mod->module_core+mod->core_text_size;
66962 -+ if (within(addr, mod->module_init_rx, mod->init_size_rx))
66963 -+ nextval = (unsigned long)mod->module_init_rx+mod->init_size_rx;
66964 -+ else if (within(addr, mod->module_init_rw, mod->init_size_rw))
66965 -+ nextval = (unsigned long)mod->module_init_rw+mod->init_size_rw;
66966 -+ else if (within(addr, mod->module_core_rx, mod->core_size_rx))
66967 -+ nextval = (unsigned long)mod->module_core_rx+mod->core_size_rx;
66968 -+ else
66969 -+ nextval = (unsigned long)mod->module_core_rw+mod->core_size_rw;
66970 -
66971 - /* Scan for closest preceeding symbol, and next symbol. (ELF
66972 - starts real symbols at 1). */
66973 -@@ -2109,8 +2258,10 @@ const char *module_address_lookup(unsign
66974 - struct module *mod;
66975 -
66976 - list_for_each_entry(mod, &modules, list) {
66977 -- if (within(addr, mod->module_init, mod->init_size)
66978 -- || within(addr, mod->module_core, mod->core_size)) {
66979 -+ if (within(addr, mod->module_init_rx, mod->init_size_rx) ||
66980 -+ within(addr, mod->module_init_rw, mod->init_size_rw) ||
66981 -+ within(addr, mod->module_core_rx, mod->core_size_rx) ||
66982 -+ within(addr, mod->module_core_rw, mod->core_size_rw)) {
66983 - if (modname)
66984 - *modname = mod->name;
66985 - return get_ksymbol(mod, addr, size, offset);
66986 -@@ -2125,8 +2276,10 @@ int lookup_module_symbol_name(unsigned l
66987 -
66988 - mutex_lock(&module_mutex);
66989 - list_for_each_entry(mod, &modules, list) {
66990 -- if (within(addr, mod->module_init, mod->init_size) ||
66991 -- within(addr, mod->module_core, mod->core_size)) {
66992 -+ if (within(addr, mod->module_init_rx, mod->init_size_rx) ||
66993 -+ within(addr, mod->module_init_rw, mod->init_size_rw) ||
66994 -+ within(addr, mod->module_core_rx, mod->core_size_rx) ||
66995 -+ within(addr, mod->module_core_rw, mod->core_size_rw)) {
66996 - const char *sym;
66997 -
66998 - sym = get_ksymbol(mod, addr, NULL, NULL);
66999 -@@ -2149,8 +2302,10 @@ int lookup_module_symbol_attrs(unsigned
67000 -
67001 - mutex_lock(&module_mutex);
67002 - list_for_each_entry(mod, &modules, list) {
67003 -- if (within(addr, mod->module_init, mod->init_size) ||
67004 -- within(addr, mod->module_core, mod->core_size)) {
67005 -+ if (within(addr, mod->module_init_rx, mod->init_size_rx) ||
67006 -+ within(addr, mod->module_init_rw, mod->init_size_rw) ||
67007 -+ within(addr, mod->module_core_rx, mod->core_size_rx) ||
67008 -+ within(addr, mod->module_core_rw, mod->core_size_rw)) {
67009 - const char *sym;
67010 -
67011 - sym = get_ksymbol(mod, addr, size, offset);
67012 -@@ -2270,7 +2425,7 @@ static int m_show(struct seq_file *m, vo
67013 - char buf[8];
67014 -
67015 - seq_printf(m, "%s %lu",
67016 -- mod->name, mod->init_size + mod->core_size);
67017 -+ mod->name, mod->init_size_rx + mod->init_size_rw + mod->core_size_rx + mod->core_size_rw);
67018 - print_unload_info(m, mod);
67019 -
67020 - /* Informative for users. */
67021 -@@ -2279,7 +2434,7 @@ static int m_show(struct seq_file *m, vo
67022 - mod->state == MODULE_STATE_COMING ? "Loading":
67023 - "Live");
67024 - /* Used by oprofile and other similar tools. */
67025 -- seq_printf(m, " 0x%p", mod->module_core);
67026 -+ seq_printf(m, " 0x%p 0x%p", mod->module_core_rx, mod->module_core_rw);
67027 -
67028 - /* Taints info */
67029 - if (mod->taints)
67030 -@@ -2335,7 +2490,8 @@ int is_module_address(unsigned long addr
67031 - preempt_disable();
67032 -
67033 - list_for_each_entry(mod, &modules, list) {
67034 -- if (within(addr, mod->module_core, mod->core_size)) {
67035 -+ if (within(addr, mod->module_core_rx, mod->core_size_rx) ||
67036 -+ within(addr, mod->module_core_rw, mod->core_size_rw)) {
67037 - preempt_enable();
67038 - return 1;
67039 - }
67040 -@@ -2353,8 +2509,8 @@ struct module *__module_text_address(uns
67041 - struct module *mod;
67042 -
67043 - list_for_each_entry(mod, &modules, list)
67044 -- if (within(addr, mod->module_init, mod->init_text_size)
67045 -- || within(addr, mod->module_core, mod->core_text_size))
67046 -+ if (within(addr, mod->module_init_rx, mod->init_size_rx)
67047 -+ || within(addr, mod->module_core_rx, mod->core_size_rx))
67048 - return mod;
67049 - return NULL;
67050 - }
67051 -diff -Nurp linux-2.6.23.15/kernel/mutex.c linux-2.6.23.15-grsec/kernel/mutex.c
67052 ---- linux-2.6.23.15/kernel/mutex.c 2007-10-09 21:31:38.000000000 +0100
67053 -+++ linux-2.6.23.15-grsec/kernel/mutex.c 2008-02-11 10:37:45.000000000 +0000
67054 -@@ -81,7 +81,7 @@ __mutex_lock_slowpath(atomic_t *lock_cou
67055 - *
67056 - * This function is similar to (but not equivalent to) down().
67057 - */
67058 --void inline fastcall __sched mutex_lock(struct mutex *lock)
67059 -+inline void fastcall __sched mutex_lock(struct mutex *lock)
67060 - {
67061 - might_sleep();
67062 - /*
67063 -diff -Nurp linux-2.6.23.15/kernel/params.c linux-2.6.23.15-grsec/kernel/params.c
67064 ---- linux-2.6.23.15/kernel/params.c 2008-02-11 10:36:03.000000000 +0000
67065 -+++ linux-2.6.23.15-grsec/kernel/params.c 2008-02-11 10:37:45.000000000 +0000
67066 -@@ -275,7 +275,7 @@ static int param_array(const char *name,
67067 - unsigned int min, unsigned int max,
67068 - void *elem, int elemsize,
67069 - int (*set)(const char *, struct kernel_param *kp),
67070 -- int *num)
67071 -+ unsigned int *num)
67072 - {
67073 - int ret;
67074 - struct kernel_param kp;
67075 -diff -Nurp linux-2.6.23.15/kernel/pid.c linux-2.6.23.15-grsec/kernel/pid.c
67076 ---- linux-2.6.23.15/kernel/pid.c 2007-10-09 21:31:38.000000000 +0100
67077 -+++ linux-2.6.23.15-grsec/kernel/pid.c 2008-02-11 10:37:45.000000000 +0000
67078 -@@ -28,6 +28,7 @@
67079 - #include <linux/hash.h>
67080 - #include <linux/pid_namespace.h>
67081 - #include <linux/init_task.h>
67082 -+#include <linux/grsecurity.h>
67083 -
67084 - #define pid_hashfn(nr) hash_long((unsigned long)nr, pidhash_shift)
67085 - static struct hlist_head *pid_hash;
67086 -@@ -37,7 +38,7 @@ struct pid init_struct_pid = INIT_STRUCT
67087 -
67088 - int pid_max = PID_MAX_DEFAULT;
67089 -
67090 --#define RESERVED_PIDS 300
67091 -+#define RESERVED_PIDS 500
67092 -
67093 - int pid_max_min = RESERVED_PIDS + 1;
67094 - int pid_max_max = PID_MAX_LIMIT;
67095 -@@ -309,7 +310,14 @@ struct task_struct * fastcall pid_task(s
67096 - */
67097 - struct task_struct *find_task_by_pid_type(int type, int nr)
67098 - {
67099 -- return pid_task(find_pid(nr), type);
67100 -+ struct task_struct *task;
67101 -+
67102 -+ task = pid_task(find_pid(nr), type);
67103 -+
67104 -+ if (gr_pid_is_chrooted(task))
67105 -+ return NULL;
67106 -+
67107 -+ return task;
67108 - }
67109 -
67110 - EXPORT_SYMBOL(find_task_by_pid_type);
67111 -diff -Nurp linux-2.6.23.15/kernel/posix-cpu-timers.c linux-2.6.23.15-grsec/kernel/posix-cpu-timers.c
67112 ---- linux-2.6.23.15/kernel/posix-cpu-timers.c 2007-10-09 21:31:38.000000000 +0100
67113 -+++ linux-2.6.23.15-grsec/kernel/posix-cpu-timers.c 2008-02-11 10:37:45.000000000 +0000
67114 -@@ -6,6 +6,7 @@
67115 - #include <linux/posix-timers.h>
67116 - #include <asm/uaccess.h>
67117 - #include <linux/errno.h>
67118 -+#include <linux/grsecurity.h>
67119 -
67120 - static int check_clock(const clockid_t which_clock)
67121 - {
67122 -@@ -1144,6 +1145,7 @@ static void check_process_timers(struct
67123 - __group_send_sig_info(SIGKILL, SEND_SIG_PRIV, tsk);
67124 - return;
67125 - }
67126 -+ gr_learn_resource(tsk, RLIMIT_CPU, psecs, 1);
67127 - if (psecs >= sig->rlim[RLIMIT_CPU].rlim_cur) {
67128 - /*
67129 - * At the soft limit, send a SIGXCPU every second.
67130 -diff -Nurp linux-2.6.23.15/kernel/power/poweroff.c linux-2.6.23.15-grsec/kernel/power/poweroff.c
67131 ---- linux-2.6.23.15/kernel/power/poweroff.c 2007-10-09 21:31:38.000000000 +0100
67132 -+++ linux-2.6.23.15-grsec/kernel/power/poweroff.c 2008-02-11 10:37:45.000000000 +0000
67133 -@@ -35,7 +35,7 @@ static struct sysrq_key_op sysrq_powerof
67134 - .enable_mask = SYSRQ_ENABLE_BOOT,
67135 - };
67136 -
67137 --static int pm_sysrq_init(void)
67138 -+static int __init pm_sysrq_init(void)
67139 - {
67140 - register_sysrq_key('o', &sysrq_poweroff_op);
67141 - return 0;
67142 -diff -Nurp linux-2.6.23.15/kernel/printk.c linux-2.6.23.15-grsec/kernel/printk.c
67143 ---- linux-2.6.23.15/kernel/printk.c 2007-10-09 21:31:38.000000000 +0100
67144 -+++ linux-2.6.23.15-grsec/kernel/printk.c 2008-02-11 10:37:45.000000000 +0000
67145 -@@ -31,6 +31,7 @@
67146 - #include <linux/bootmem.h>
67147 - #include <linux/syscalls.h>
67148 - #include <linux/jiffies.h>
67149 -+#include <linux/grsecurity.h>
67150 -
67151 - #include <asm/uaccess.h>
67152 -
67153 -@@ -184,6 +185,11 @@ int do_syslog(int type, char __user *buf
67154 - char c;
67155 - int error = 0;
67156 -
67157 -+#ifdef CONFIG_GRKERNSEC_DMESG
67158 -+ if (grsec_enable_dmesg && !capable(CAP_SYS_ADMIN))
67159 -+ return -EPERM;
67160 -+#endif
67161 -+
67162 - error = security_syslog(type);
67163 - if (error)
67164 - return error;
67165 -diff -Nurp linux-2.6.23.15/kernel/ptrace.c linux-2.6.23.15-grsec/kernel/ptrace.c
67166 ---- linux-2.6.23.15/kernel/ptrace.c 2007-10-09 21:31:38.000000000 +0100
67167 -+++ linux-2.6.23.15-grsec/kernel/ptrace.c 2008-02-11 10:37:45.000000000 +0000
67168 -@@ -19,6 +19,7 @@
67169 - #include <linux/security.h>
67170 - #include <linux/signal.h>
67171 - #include <linux/audit.h>
67172 -+#include <linux/grsecurity.h>
67173 -
67174 - #include <asm/pgtable.h>
67175 - #include <asm/uaccess.h>
67176 -@@ -138,12 +139,12 @@ static int may_attach(struct task_struct
67177 - (current->uid != task->uid) ||
67178 - (current->gid != task->egid) ||
67179 - (current->gid != task->sgid) ||
67180 -- (current->gid != task->gid)) && !capable(CAP_SYS_PTRACE))
67181 -+ (current->gid != task->gid)) && !capable_nolog(CAP_SYS_PTRACE))
67182 - return -EPERM;
67183 - smp_rmb();
67184 - if (task->mm)
67185 - dumpable = get_dumpable(task->mm);
67186 -- if (!dumpable && !capable(CAP_SYS_PTRACE))
67187 -+ if (!dumpable && !capable_nolog(CAP_SYS_PTRACE))
67188 - return -EPERM;
67189 -
67190 - return security_ptrace(current, task);
67191 -@@ -480,6 +481,11 @@ asmlinkage long sys_ptrace(long request,
67192 - if (ret < 0)
67193 - goto out_put_task_struct;
67194 -
67195 -+ if (gr_handle_ptrace(child, request)) {
67196 -+ ret = -EPERM;
67197 -+ goto out_put_task_struct;
67198 -+ }
67199 -+
67200 - ret = arch_ptrace(child, request, addr, data);
67201 - if (ret < 0)
67202 - goto out_put_task_struct;
67203 -diff -Nurp linux-2.6.23.15/kernel/rcupdate.c linux-2.6.23.15-grsec/kernel/rcupdate.c
67204 ---- linux-2.6.23.15/kernel/rcupdate.c 2007-10-09 21:31:38.000000000 +0100
67205 -+++ linux-2.6.23.15-grsec/kernel/rcupdate.c 2008-02-11 10:37:45.000000000 +0000
67206 -@@ -63,11 +63,11 @@ static struct rcu_ctrlblk rcu_bh_ctrlblk
67207 - .cpumask = CPU_MASK_NONE,
67208 - };
67209 -
67210 --DEFINE_PER_CPU(struct rcu_data, rcu_data) = { 0L };
67211 --DEFINE_PER_CPU(struct rcu_data, rcu_bh_data) = { 0L };
67212 -+DEFINE_PER_CPU(struct rcu_data, rcu_data);
67213 -+DEFINE_PER_CPU(struct rcu_data, rcu_bh_data);
67214 -
67215 - /* Fake initialization required by compiler */
67216 --static DEFINE_PER_CPU(struct tasklet_struct, rcu_tasklet) = {NULL};
67217 -+static DEFINE_PER_CPU(struct tasklet_struct, rcu_tasklet);
67218 - static int blimit = 10;
67219 - static int qhimark = 10000;
67220 - static int qlowmark = 100;
67221 -diff -Nurp linux-2.6.23.15/kernel/relay.c linux-2.6.23.15-grsec/kernel/relay.c
67222 ---- linux-2.6.23.15/kernel/relay.c 2008-02-11 10:36:03.000000000 +0000
67223 -+++ linux-2.6.23.15-grsec/kernel/relay.c 2008-02-11 10:37:45.000000000 +0000
67224 -@@ -1140,7 +1140,7 @@ static int subbuf_splice_actor(struct fi
67225 - return 0;
67226 -
67227 - ret = *nonpad_ret = splice_to_pipe(pipe, &spd);
67228 -- if (ret < 0 || ret < total_len)
67229 -+ if ((int)ret < 0 || ret < total_len)
67230 - return ret;
67231 -
67232 - if (read_start + ret == nonpad_end)
67233 -diff -Nurp linux-2.6.23.15/kernel/resource.c linux-2.6.23.15-grsec/kernel/resource.c
67234 ---- linux-2.6.23.15/kernel/resource.c 2007-10-09 21:31:38.000000000 +0100
67235 -+++ linux-2.6.23.15-grsec/kernel/resource.c 2008-02-11 10:37:45.000000000 +0000
67236 -@@ -133,10 +133,27 @@ static int __init ioresources_init(void)
67237 - {
67238 - struct proc_dir_entry *entry;
67239 -
67240 -+#ifdef CONFIG_GRKERNSEC_PROC_ADD
67241 -+#ifdef CONFIG_GRKERNSEC_PROC_USER
67242 -+ entry = create_proc_entry("ioports", S_IRUSR, NULL);
67243 -+#elif CONFIG_GRKERNSEC_PROC_USERGROUP
67244 -+ entry = create_proc_entry("ioports", S_IRUSR | S_IRGRP, NULL);
67245 -+#endif
67246 -+#else
67247 - entry = create_proc_entry("ioports", 0, NULL);
67248 -+#endif
67249 - if (entry)
67250 - entry->proc_fops = &proc_ioports_operations;
67251 -+
67252 -+#ifdef CONFIG_GRKERNSEC_PROC_ADD
67253 -+#ifdef CONFIG_GRKERNSEC_PROC_USER
67254 -+ entry = create_proc_entry("iomem", S_IRUSR, NULL);
67255 -+#elif CONFIG_GRKERNSEC_PROC_USERGROUP
67256 -+ entry = create_proc_entry("iomem", S_IRUSR | S_IRGRP, NULL);
67257 -+#endif
67258 -+#else
67259 - entry = create_proc_entry("iomem", 0, NULL);
67260 -+#endif
67261 - if (entry)
67262 - entry->proc_fops = &proc_iomem_operations;
67263 - return 0;
67264 -diff -Nurp linux-2.6.23.15/kernel/sched.c linux-2.6.23.15-grsec/kernel/sched.c
67265 ---- linux-2.6.23.15/kernel/sched.c 2008-02-11 10:36:03.000000000 +0000
67266 -+++ linux-2.6.23.15-grsec/kernel/sched.c 2008-02-11 10:37:45.000000000 +0000
67267 -@@ -61,6 +61,7 @@
67268 - #include <linux/delayacct.h>
67269 - #include <linux/reciprocal_div.h>
67270 - #include <linux/unistd.h>
67271 -+#include <linux/grsecurity.h>
67272 -
67273 - #include <asm/tlb.h>
67274 -
67275 -@@ -3470,7 +3471,7 @@ pick_next_task(struct rq *rq, struct tas
67276 - asmlinkage void __sched schedule(void)
67277 - {
67278 - struct task_struct *prev, *next;
67279 -- long *switch_count;
67280 -+ unsigned long *switch_count;
67281 - struct rq *rq;
67282 - int cpu;
67283 -
67284 -@@ -4079,7 +4080,8 @@ asmlinkage long sys_nice(int increment)
67285 - if (nice > 19)
67286 - nice = 19;
67287 -
67288 -- if (increment < 0 && !can_nice(current, nice))
67289 -+ if (increment < 0 && (!can_nice(current, nice) ||
67290 -+ gr_handle_chroot_nice()))
67291 - return -EPERM;
67292 -
67293 - retval = security_task_setnice(current, nice);
67294 -@@ -5267,7 +5269,7 @@ static struct ctl_table sd_ctl_dir[] = {
67295 - .procname = "sched_domain",
67296 - .mode = 0555,
67297 - },
67298 -- {0,},
67299 -+ { 0, NULL, NULL, 0, 0, NULL, NULL, NULL, NULL, NULL, NULL },
67300 - };
67301 -
67302 - static struct ctl_table sd_ctl_root[] = {
67303 -@@ -5277,7 +5279,7 @@ static struct ctl_table sd_ctl_root[] =
67304 - .mode = 0555,
67305 - .child = sd_ctl_dir,
67306 - },
67307 -- {0,},
67308 -+ { 0, NULL, NULL, 0, 0, NULL, NULL, NULL, NULL, NULL, NULL },
67309 - };
67310 -
67311 - static struct ctl_table *sd_alloc_ctl_entry(int n)
67312 -diff -Nurp linux-2.6.23.15/kernel/signal.c linux-2.6.23.15-grsec/kernel/signal.c
67313 ---- linux-2.6.23.15/kernel/signal.c 2007-10-09 21:31:38.000000000 +0100
67314 -+++ linux-2.6.23.15-grsec/kernel/signal.c 2008-02-11 10:37:45.000000000 +0000
67315 -@@ -25,6 +25,7 @@
67316 - #include <linux/capability.h>
67317 - #include <linux/freezer.h>
67318 - #include <linux/pid_namespace.h>
67319 -+#include <linux/grsecurity.h>
67320 - #include <linux/nsproxy.h>
67321 -
67322 - #include <asm/param.h>
67323 -@@ -541,7 +542,9 @@ static int check_kill_permission(int sig
67324 - && (current->euid ^ t->suid) && (current->euid ^ t->uid)
67325 - && (current->uid ^ t->suid) && (current->uid ^ t->uid)
67326 - && !capable(CAP_KILL))
67327 -- return error;
67328 -+ return error;
67329 -+ if (gr_handle_signal(t, sig))
67330 -+ return error;
67331 - }
67332 -
67333 - return security_task_kill(t, info, sig, 0);
67334 -@@ -758,7 +761,7 @@ static int __init setup_print_fatal_sign
67335 -
67336 - __setup("print-fatal-signals=", setup_print_fatal_signals);
67337 -
67338 --static int
67339 -+int
67340 - specific_send_sig_info(int sig, struct siginfo *info, struct task_struct *t)
67341 - {
67342 - int ret = 0;
67343 -@@ -812,8 +815,12 @@ force_sig_info(int sig, struct siginfo *
67344 - }
67345 - }
67346 - ret = specific_send_sig_info(sig, info, t);
67347 -+
67348 - spin_unlock_irqrestore(&t->sighand->siglock, flags);
67349 -
67350 -+ gr_log_signal(sig, t);
67351 -+ gr_handle_crash(t, sig);
67352 -+
67353 - return ret;
67354 - }
67355 -
67356 -diff -Nurp linux-2.6.23.15/kernel/softirq.c linux-2.6.23.15-grsec/kernel/softirq.c
67357 ---- linux-2.6.23.15/kernel/softirq.c 2007-10-09 21:31:38.000000000 +0100
67358 -+++ linux-2.6.23.15-grsec/kernel/softirq.c 2008-02-11 10:37:45.000000000 +0000
67359 -@@ -471,9 +471,9 @@ void tasklet_kill(struct tasklet_struct
67360 - printk("Attempt to kill tasklet from interrupt\n");
67361 -
67362 - while (test_and_set_bit(TASKLET_STATE_SCHED, &t->state)) {
67363 -- do
67364 -+ do {
67365 - yield();
67366 -- while (test_bit(TASKLET_STATE_SCHED, &t->state));
67367 -+ } while (test_bit(TASKLET_STATE_SCHED, &t->state));
67368 - }
67369 - tasklet_unlock_wait(t);
67370 - clear_bit(TASKLET_STATE_SCHED, &t->state);
67371 -diff -Nurp linux-2.6.23.15/kernel/sys.c linux-2.6.23.15-grsec/kernel/sys.c
67372 ---- linux-2.6.23.15/kernel/sys.c 2007-10-09 21:31:38.000000000 +0100
67373 -+++ linux-2.6.23.15-grsec/kernel/sys.c 2008-02-11 10:37:45.000000000 +0000
67374 -@@ -33,6 +33,7 @@
67375 - #include <linux/task_io_accounting_ops.h>
67376 - #include <linux/seccomp.h>
67377 - #include <linux/cpu.h>
67378 -+#include <linux/grsecurity.h>
67379 -
67380 - #include <linux/compat.h>
67381 - #include <linux/syscalls.h>
67382 -@@ -651,6 +652,12 @@ static int set_one_prio(struct task_stru
67383 - error = -EACCES;
67384 - goto out;
67385 - }
67386 -+
67387 -+ if (gr_handle_chroot_setpriority(p, niceval)) {
67388 -+ error = -EACCES;
67389 -+ goto out;
67390 -+ }
67391 -+
67392 - no_nice = security_task_setnice(p, niceval);
67393 - if (no_nice) {
67394 - error = no_nice;
67395 -@@ -707,10 +714,10 @@ asmlinkage long sys_setpriority(int whic
67396 - if ((who != current->uid) && !(user = find_user(who)))
67397 - goto out_unlock; /* No processes for this user */
67398 -
67399 -- do_each_thread(g, p)
67400 -+ do_each_thread(g, p) {
67401 - if (p->uid == who)
67402 - error = set_one_prio(p, niceval, error);
67403 -- while_each_thread(g, p);
67404 -+ } while_each_thread(g, p);
67405 - if (who != current->uid)
67406 - free_uid(user); /* For find_user() */
67407 - break;
67408 -@@ -769,13 +776,13 @@ asmlinkage long sys_getpriority(int whic
67409 - if ((who != current->uid) && !(user = find_user(who)))
67410 - goto out_unlock; /* No processes for this user */
67411 -
67412 -- do_each_thread(g, p)
67413 -+ do_each_thread(g, p) {
67414 - if (p->uid == who) {
67415 - niceval = 20 - task_nice(p);
67416 - if (niceval > retval)
67417 - retval = niceval;
67418 - }
67419 -- while_each_thread(g, p);
67420 -+ } while_each_thread(g, p);
67421 - if (who != current->uid)
67422 - free_uid(user); /* for find_user() */
67423 - break;
67424 -@@ -1047,6 +1054,9 @@ asmlinkage long sys_setregid(gid_t rgid,
67425 - if (rgid != (gid_t) -1 ||
67426 - (egid != (gid_t) -1 && egid != old_rgid))
67427 - current->sgid = new_egid;
67428 -+
67429 -+ gr_set_role_label(current, current->uid, new_rgid);
67430 -+
67431 - current->fsgid = new_egid;
67432 - current->egid = new_egid;
67433 - current->gid = new_rgid;
67434 -@@ -1074,6 +1084,9 @@ asmlinkage long sys_setgid(gid_t gid)
67435 - set_dumpable(current->mm, suid_dumpable);
67436 - smp_wmb();
67437 - }
67438 -+
67439 -+ gr_set_role_label(current, current->uid, gid);
67440 -+
67441 - current->gid = current->egid = current->sgid = current->fsgid = gid;
67442 - } else if ((gid == current->gid) || (gid == current->sgid)) {
67443 - if (old_egid != gid) {
67444 -@@ -1111,6 +1124,9 @@ static int set_user(uid_t new_ruid, int
67445 - set_dumpable(current->mm, suid_dumpable);
67446 - smp_wmb();
67447 - }
67448 -+
67449 -+ gr_set_role_label(current, new_ruid, current->gid);
67450 -+
67451 - current->uid = new_ruid;
67452 - return 0;
67453 - }
67454 -@@ -1213,6 +1229,9 @@ asmlinkage long sys_setuid(uid_t uid)
67455 - } else if ((uid != current->uid) && (uid != new_suid))
67456 - return -EPERM;
67457 -
67458 -+ if (gr_check_crash_uid(uid))
67459 -+ return -EPERM;
67460 -+
67461 - if (old_euid != uid) {
67462 - set_dumpable(current->mm, suid_dumpable);
67463 - smp_wmb();
67464 -@@ -1315,8 +1334,10 @@ asmlinkage long sys_setresgid(gid_t rgid
67465 - current->egid = egid;
67466 - }
67467 - current->fsgid = current->egid;
67468 -- if (rgid != (gid_t) -1)
67469 -+ if (rgid != (gid_t) -1) {
67470 -+ gr_set_role_label(current, current->uid, rgid);
67471 - current->gid = rgid;
67472 -+ }
67473 - if (sgid != (gid_t) -1)
67474 - current->sgid = sgid;
67475 -
67476 -@@ -1463,7 +1484,10 @@ asmlinkage long sys_setpgid(pid_t pid, p
67477 - write_lock_irq(&tasklist_lock);
67478 -
67479 - err = -ESRCH;
67480 -- p = find_task_by_pid(pid);
67481 -+ /* grsec: replaced find_task_by_pid with equivalent call
67482 -+ which lacks the chroot restriction
67483 -+ */
67484 -+ p = pid_task(find_pid(pid), PIDTYPE_PID);
67485 - if (!p)
67486 - goto out;
67487 -
67488 -@@ -2183,7 +2207,7 @@ asmlinkage long sys_prctl(int option, un
67489 - error = get_dumpable(current->mm);
67490 - break;
67491 - case PR_SET_DUMPABLE:
67492 -- if (arg2 < 0 || arg2 > 1) {
67493 -+ if (arg2 > 1) {
67494 - error = -EINVAL;
67495 - break;
67496 - }
67497 -diff -Nurp linux-2.6.23.15/kernel/sysctl.c linux-2.6.23.15-grsec/kernel/sysctl.c
67498 ---- linux-2.6.23.15/kernel/sysctl.c 2008-02-11 10:36:24.000000000 +0000
67499 -+++ linux-2.6.23.15-grsec/kernel/sysctl.c 2008-02-11 10:37:45.000000000 +0000
67500 -@@ -56,6 +56,13 @@
67501 - #endif
67502 -
67503 - #if defined(CONFIG_SYSCTL)
67504 -+#include <linux/grsecurity.h>
67505 -+#include <linux/grinternal.h>
67506 -+
67507 -+extern __u32 gr_handle_sysctl(const ctl_table *table, const int op);
67508 -+extern int gr_handle_sysctl_mod(const char *dirname, const char *name,
67509 -+ const int op);
67510 -+extern int gr_handle_chroot_sysctl(const int op);
67511 -
67512 - /* External variables not in a header file. */
67513 - extern int C_A_D;
67514 -@@ -141,7 +148,7 @@ static int proc_dointvec_taint(ctl_table
67515 -
67516 - static ctl_table root_table[];
67517 - static struct ctl_table_header root_table_header =
67518 -- { root_table, LIST_HEAD_INIT(root_table_header.ctl_entry) };
67519 -+ { root_table, LIST_HEAD_INIT(root_table_header.ctl_entry), 0, NULL };
67520 -
67521 - static ctl_table kern_table[];
67522 - static ctl_table vm_table[];
67523 -@@ -158,11 +165,27 @@ extern ctl_table inotify_table[];
67524 - #ifdef CONFIG_ALPHA_UAC_SYSCTL
67525 - extern ctl_table uac_table[];
67526 - #endif
67527 -+extern ctl_table grsecurity_table[];
67528 -
67529 - #ifdef HAVE_ARCH_PICK_MMAP_LAYOUT
67530 - int sysctl_legacy_va_layout;
67531 - #endif
67532 -
67533 -+#ifdef CONFIG_PAX_SOFTMODE
67534 -+static ctl_table pax_table[] = {
67535 -+ {
67536 -+ .ctl_name = CTL_UNNUMBERED,
67537 -+ .procname = "softmode",
67538 -+ .data = &pax_softmode,
67539 -+ .maxlen = sizeof(unsigned int),
67540 -+ .mode = 0600,
67541 -+ .proc_handler = &proc_dointvec,
67542 -+ },
67543 -+
67544 -+ { .ctl_name = 0 }
67545 -+};
67546 -+#endif
67547 -+
67548 - extern int prove_locking;
67549 - extern int lock_stat;
67550 -
67551 -@@ -207,6 +230,16 @@ static ctl_table root_table[] = {
67552 - .mode = 0555,
67553 - .child = dev_table,
67554 - },
67555 -+
67556 -+#ifdef CONFIG_PAX_SOFTMODE
67557 -+ {
67558 -+ .ctl_name = CTL_UNNUMBERED,
67559 -+ .procname = "pax",
67560 -+ .mode = 0500,
67561 -+ .child = pax_table,
67562 -+ },
67563 -+#endif
67564 -+
67565 - /*
67566 - * NOTE: do not add new entries to this table unless you have read
67567 - * Documentation/sysctl/ctl_unnumbered.txt
67568 -@@ -777,6 +810,14 @@ static ctl_table kern_table[] = {
67569 - .proc_handler = &proc_dostring,
67570 - .strategy = &sysctl_string,
67571 - },
67572 -+#if defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_MODSTOP)
67573 -+ {
67574 -+ .ctl_name = KERN_GRSECURITY,
67575 -+ .procname = "grsecurity",
67576 -+ .mode = 0500,
67577 -+ .child = grsecurity_table,
67578 -+ },
67579 -+#endif
67580 - /*
67581 - * NOTE: do not add new entries to this table unless you have read
67582 - * Documentation/sysctl/ctl_unnumbered.txt
67583 -@@ -1388,6 +1429,25 @@ static int test_perm(int mode, int op)
67584 - int sysctl_perm(ctl_table *table, int op)
67585 - {
67586 - int error;
67587 -+ if (table->parent != NULL && table->parent->procname != NULL &&
67588 -+ table->procname != NULL &&
67589 -+ gr_handle_sysctl_mod(table->parent->procname, table->procname, op))
67590 -+ return -EACCES;
67591 -+ if (gr_handle_chroot_sysctl(op))
67592 -+ return -EACCES;
67593 -+ error = gr_handle_sysctl(table, op);
67594 -+ if (error)
67595 -+ return error;
67596 -+ error = security_sysctl(table, op);
67597 -+ if (error)
67598 -+ return error;
67599 -+ return test_perm(table->mode, op);
67600 -+}
67601 -+
67602 -+int sysctl_perm_nochk(ctl_table *table, int op)
67603 -+{
67604 -+ int error;
67605 -+
67606 - error = security_sysctl(table, op);
67607 - if (error)
67608 - return error;
67609 -@@ -1412,13 +1472,14 @@ repeat:
67610 - if (n == table->ctl_name) {
67611 - int error;
67612 - if (table->child) {
67613 -- if (sysctl_perm(table, 001))
67614 -+ if (sysctl_perm_nochk(table, 001))
67615 - return -EPERM;
67616 - name++;
67617 - nlen--;
67618 - table = table->child;
67619 - goto repeat;
67620 - }
67621 -+
67622 - error = do_sysctl_strategy(table, name, nlen,
67623 - oldval, oldlenp,
67624 - newval, newlen);
67625 -diff -Nurp linux-2.6.23.15/kernel/time.c linux-2.6.23.15-grsec/kernel/time.c
67626 ---- linux-2.6.23.15/kernel/time.c 2007-10-09 21:31:38.000000000 +0100
67627 -+++ linux-2.6.23.15-grsec/kernel/time.c 2008-02-11 10:37:45.000000000 +0000
67628 -@@ -35,6 +35,7 @@
67629 - #include <linux/security.h>
67630 - #include <linux/fs.h>
67631 - #include <linux/module.h>
67632 -+#include <linux/grsecurity.h>
67633 -
67634 - #include <asm/uaccess.h>
67635 - #include <asm/unistd.h>
67636 -@@ -92,6 +93,9 @@ asmlinkage long sys_stime(time_t __user
67637 - return err;
67638 -
67639 - do_settimeofday(&tv);
67640 -+
67641 -+ gr_log_timechange();
67642 -+
67643 - return 0;
67644 - }
67645 -
67646 -@@ -197,6 +201,8 @@ asmlinkage long sys_settimeofday(struct
67647 - return -EFAULT;
67648 - }
67649 -
67650 -+ gr_log_timechange();
67651 -+
67652 - return do_sys_settimeofday(tv ? &new_ts : NULL, tz ? &new_tz : NULL);
67653 - }
67654 -
67655 -@@ -235,7 +241,7 @@ EXPORT_SYMBOL(current_fs_time);
67656 - * Avoid unnecessary multiplications/divisions in the
67657 - * two most common HZ cases:
67658 - */
67659 --unsigned int inline jiffies_to_msecs(const unsigned long j)
67660 -+inline unsigned int jiffies_to_msecs(const unsigned long j)
67661 - {
67662 - #if HZ <= MSEC_PER_SEC && !(MSEC_PER_SEC % HZ)
67663 - return (MSEC_PER_SEC / HZ) * j;
67664 -@@ -247,7 +253,7 @@ unsigned int inline jiffies_to_msecs(con
67665 - }
67666 - EXPORT_SYMBOL(jiffies_to_msecs);
67667 -
67668 --unsigned int inline jiffies_to_usecs(const unsigned long j)
67669 -+inline unsigned int jiffies_to_usecs(const unsigned long j)
67670 - {
67671 - #if HZ <= USEC_PER_SEC && !(USEC_PER_SEC % HZ)
67672 - return (USEC_PER_SEC / HZ) * j;
67673 -diff -Nurp linux-2.6.23.15/kernel/utsname_sysctl.c linux-2.6.23.15-grsec/kernel/utsname_sysctl.c
67674 ---- linux-2.6.23.15/kernel/utsname_sysctl.c 2007-10-09 21:31:38.000000000 +0100
67675 -+++ linux-2.6.23.15-grsec/kernel/utsname_sysctl.c 2008-02-11 10:37:45.000000000 +0000
67676 -@@ -121,7 +121,7 @@ static struct ctl_table uts_kern_table[]
67677 - .proc_handler = proc_do_uts_string,
67678 - .strategy = sysctl_uts_string,
67679 - },
67680 -- {}
67681 -+ { 0, NULL, NULL, 0, 0, NULL, NULL, NULL, NULL, NULL, NULL }
67682 - };
67683 -
67684 - static struct ctl_table uts_root_table[] = {
67685 -@@ -131,7 +131,7 @@ static struct ctl_table uts_root_table[]
67686 - .mode = 0555,
67687 - .child = uts_kern_table,
67688 - },
67689 -- {}
67690 -+ { 0, NULL, NULL, 0, 0, NULL, NULL, NULL, NULL, NULL, NULL }
67691 - };
67692 -
67693 - static int __init utsname_sysctl_init(void)
67694 -diff -Nurp linux-2.6.23.15/lib/radix-tree.c linux-2.6.23.15-grsec/lib/radix-tree.c
67695 ---- linux-2.6.23.15/lib/radix-tree.c 2007-10-09 21:31:38.000000000 +0100
67696 -+++ linux-2.6.23.15-grsec/lib/radix-tree.c 2008-02-11 10:37:45.000000000 +0000
67697 -@@ -76,7 +76,7 @@ struct radix_tree_preload {
67698 - int nr;
67699 - struct radix_tree_node *nodes[RADIX_TREE_MAX_PATH];
67700 - };
67701 --DEFINE_PER_CPU(struct radix_tree_preload, radix_tree_preloads) = { 0, };
67702 -+DEFINE_PER_CPU(struct radix_tree_preload, radix_tree_preloads) = { 0, {NULL} };
67703 -
67704 - static inline gfp_t root_gfp_mask(struct radix_tree_root *root)
67705 - {
67706 -diff -Nurp linux-2.6.23.15/mm/filemap.c linux-2.6.23.15-grsec/mm/filemap.c
67707 ---- linux-2.6.23.15/mm/filemap.c 2008-02-11 10:36:03.000000000 +0000
67708 -+++ linux-2.6.23.15-grsec/mm/filemap.c 2008-02-11 10:37:45.000000000 +0000
67709 -@@ -30,6 +30,7 @@
67710 - #include <linux/security.h>
67711 - #include <linux/syscalls.h>
67712 - #include <linux/cpuset.h>
67713 -+#include <linux/grsecurity.h>
67714 - #include "filemap.h"
67715 - #include "internal.h"
67716 -
67717 -@@ -1461,7 +1462,7 @@ int generic_file_mmap(struct file * file
67718 - struct address_space *mapping = file->f_mapping;
67719 -
67720 - if (!mapping->a_ops->readpage)
67721 -- return -ENOEXEC;
67722 -+ return -ENODEV;
67723 - file_accessed(file);
67724 - vma->vm_ops = &generic_file_vm_ops;
67725 - vma->vm_flags |= VM_CAN_NONLINEAR;
67726 -@@ -1726,6 +1727,7 @@ inline int generic_write_checks(struct f
67727 - *pos = i_size_read(inode);
67728 -
67729 - if (limit != RLIM_INFINITY) {
67730 -+ gr_learn_resource(current, RLIMIT_FSIZE,*pos, 0);
67731 - if (*pos >= limit) {
67732 - send_sig(SIGXFSZ, current, 0);
67733 - return -EFBIG;
67734 -diff -Nurp linux-2.6.23.15/mm/fremap.c linux-2.6.23.15-grsec/mm/fremap.c
67735 ---- linux-2.6.23.15/mm/fremap.c 2007-10-09 21:31:38.000000000 +0100
67736 -+++ linux-2.6.23.15-grsec/mm/fremap.c 2008-02-11 10:37:45.000000000 +0000
67737 -@@ -148,6 +148,13 @@ asmlinkage long sys_remap_file_pages(uns
67738 - retry:
67739 - vma = find_vma(mm, start);
67740 -
67741 -+#ifdef CONFIG_PAX_SEGMEXEC
67742 -+ if (vma && (mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_flags & VM_MAYEXEC)) {
67743 -+ up_read(&mm->mmap_sem);
67744 -+ return err;
67745 -+ }
67746 -+#endif
67747 -+
67748 - /*
67749 - * Make sure the vma is shared, that it supports prefaulting,
67750 - * and that the remapped range is valid and fully within
67751 -diff -Nurp linux-2.6.23.15/mm/hugetlb.c linux-2.6.23.15-grsec/mm/hugetlb.c
67752 ---- linux-2.6.23.15/mm/hugetlb.c 2007-10-09 21:31:38.000000000 +0100
67753 -+++ linux-2.6.23.15-grsec/mm/hugetlb.c 2008-02-11 10:37:45.000000000 +0000
67754 -@@ -460,6 +460,26 @@ void unmap_hugepage_range(struct vm_area
67755 - }
67756 - }
67757 -
67758 -+#ifdef CONFIG_PAX_SEGMEXEC
67759 -+static void pax_mirror_huge_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m)
67760 -+{
67761 -+ struct mm_struct *mm = vma->vm_mm;
67762 -+ struct vm_area_struct *vma_m;
67763 -+ unsigned long address_m;
67764 -+ pte_t *ptep_m;
67765 -+
67766 -+ vma_m = pax_find_mirror_vma(vma);
67767 -+ if (!vma_m)
67768 -+ return;
67769 -+
67770 -+ BUG_ON(address >= SEGMEXEC_TASK_SIZE);
67771 -+ address_m = address + SEGMEXEC_TASK_SIZE;
67772 -+ ptep_m = huge_pte_offset(mm, address_m & HPAGE_MASK);
67773 -+ get_page(page_m);
67774 -+ set_huge_pte_at(mm, address_m, ptep_m, make_huge_pte(vma_m, page_m, 0));
67775 -+}
67776 -+#endif
67777 -+
67778 - static int hugetlb_cow(struct mm_struct *mm, struct vm_area_struct *vma,
67779 - unsigned long address, pte_t *ptep, pte_t pte)
67780 - {
67781 -@@ -493,6 +513,11 @@ static int hugetlb_cow(struct mm_struct
67782 - /* Break COW */
67783 - set_huge_pte_at(mm, address, ptep,
67784 - make_huge_pte(vma, new_page, 1));
67785 -+
67786 -+#ifdef CONFIG_PAX_SEGMEXEC
67787 -+ pax_mirror_huge_pte(vma, address, new_page);
67788 -+#endif
67789 -+
67790 - /* Make the old page be freed below */
67791 - new_page = old_page;
67792 - }
67793 -@@ -563,6 +588,10 @@ retry:
67794 - && (vma->vm_flags & VM_SHARED)));
67795 - set_huge_pte_at(mm, address, ptep, new_pte);
67796 -
67797 -+#ifdef CONFIG_PAX_SEGMEXEC
67798 -+ pax_mirror_huge_pte(vma, address, page);
67799 -+#endif
67800 -+
67801 - if (write_access && !(vma->vm_flags & VM_SHARED)) {
67802 - /* Optimization, do the COW without a second fault */
67803 - ret = hugetlb_cow(mm, vma, address, ptep, new_pte);
67804 -@@ -589,6 +618,27 @@ int hugetlb_fault(struct mm_struct *mm,
67805 - int ret;
67806 - static DEFINE_MUTEX(hugetlb_instantiation_mutex);
67807 -
67808 -+#ifdef CONFIG_PAX_SEGMEXEC
67809 -+ struct vm_area_struct *vma_m;
67810 -+
67811 -+ vma_m = pax_find_mirror_vma(vma);
67812 -+ if (vma_m) {
67813 -+ unsigned long address_m;
67814 -+
67815 -+ if (vma->vm_start > vma_m->vm_start) {
67816 -+ address_m = address;
67817 -+ address -= SEGMEXEC_TASK_SIZE;
67818 -+ vma = vma_m;
67819 -+ } else
67820 -+ address_m = address + SEGMEXEC_TASK_SIZE;
67821 -+
67822 -+ if (!huge_pte_alloc(mm, address_m))
67823 -+ return VM_FAULT_OOM;
67824 -+ address_m &= HPAGE_MASK;
67825 -+ unmap_hugepage_range(vma, address_m, address_m + HPAGE_SIZE);
67826 -+ }
67827 -+#endif
67828 -+
67829 - ptep = huge_pte_alloc(mm, address);
67830 - if (!ptep)
67831 - return VM_FAULT_OOM;
67832 -diff -Nurp linux-2.6.23.15/mm/madvise.c linux-2.6.23.15-grsec/mm/madvise.c
67833 ---- linux-2.6.23.15/mm/madvise.c 2007-10-09 21:31:38.000000000 +0100
67834 -+++ linux-2.6.23.15-grsec/mm/madvise.c 2008-02-11 10:37:45.000000000 +0000
67835 -@@ -43,6 +43,10 @@ static long madvise_behavior(struct vm_a
67836 - pgoff_t pgoff;
67837 - int new_flags = vma->vm_flags;
67838 -
67839 -+#ifdef CONFIG_PAX_SEGMEXEC
67840 -+ struct vm_area_struct *vma_m;
67841 -+#endif
67842 -+
67843 - switch (behavior) {
67844 - case MADV_NORMAL:
67845 - new_flags = new_flags & ~VM_RAND_READ & ~VM_SEQ_READ;
67846 -@@ -92,6 +96,13 @@ success:
67847 - /*
67848 - * vm_flags is protected by the mmap_sem held in write mode.
67849 - */
67850 -+
67851 -+#ifdef CONFIG_PAX_SEGMEXEC
67852 -+ vma_m = pax_find_mirror_vma(vma);
67853 -+ if (vma_m)
67854 -+ vma_m->vm_flags = new_flags & ~(VM_WRITE | VM_MAYWRITE | VM_ACCOUNT);
67855 -+#endif
67856 -+
67857 - vma->vm_flags = new_flags;
67858 -
67859 - out:
67860 -@@ -236,6 +247,17 @@ madvise_vma(struct vm_area_struct *vma,
67861 -
67862 - case MADV_DONTNEED:
67863 - error = madvise_dontneed(vma, prev, start, end);
67864 -+
67865 -+#ifdef CONFIG_PAX_SEGMEXEC
67866 -+ if (!error) {
67867 -+ struct vm_area_struct *vma_m, *prev_m;
67868 -+
67869 -+ vma_m = pax_find_mirror_vma(vma);
67870 -+ if (vma_m)
67871 -+ error = madvise_dontneed(vma_m, &prev_m, start + SEGMEXEC_TASK_SIZE, end + SEGMEXEC_TASK_SIZE);
67872 -+ }
67873 -+#endif
67874 -+
67875 - break;
67876 -
67877 - default:
67878 -@@ -308,6 +330,16 @@ asmlinkage long sys_madvise(unsigned lon
67879 - if (end < start)
67880 - goto out;
67881 -
67882 -+#ifdef CONFIG_PAX_SEGMEXEC
67883 -+ if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
67884 -+ if (end > SEGMEXEC_TASK_SIZE)
67885 -+ goto out;
67886 -+ } else
67887 -+#endif
67888 -+
67889 -+ if (end > TASK_SIZE)
67890 -+ goto out;
67891 -+
67892 - error = 0;
67893 - if (end == start)
67894 - goto out;
67895 -diff -Nurp linux-2.6.23.15/mm/memory.c linux-2.6.23.15-grsec/mm/memory.c
67896 ---- linux-2.6.23.15/mm/memory.c 2007-10-09 21:31:38.000000000 +0100
67897 -+++ linux-2.6.23.15-grsec/mm/memory.c 2008-02-11 10:37:45.000000000 +0000
67898 -@@ -50,6 +50,7 @@
67899 - #include <linux/delayacct.h>
67900 - #include <linux/init.h>
67901 - #include <linux/writeback.h>
67902 -+#include <linux/grsecurity.h>
67903 -
67904 - #include <asm/pgalloc.h>
67905 - #include <asm/uaccess.h>
67906 -@@ -993,7 +994,7 @@ int get_user_pages(struct task_struct *t
67907 - struct vm_area_struct *vma;
67908 - unsigned int foll_flags;
67909 -
67910 -- vma = find_extend_vma(mm, start);
67911 -+ vma = find_vma(mm, start);
67912 - if (!vma && in_gate_area(tsk, start)) {
67913 - unsigned long pg = start & PAGE_MASK;
67914 - struct vm_area_struct *gate_vma = get_gate_vma(tsk);
67915 -@@ -1033,7 +1034,7 @@ int get_user_pages(struct task_struct *t
67916 - continue;
67917 - }
67918 -
67919 -- if (!vma || (vma->vm_flags & (VM_IO | VM_PFNMAP))
67920 -+ if (!vma || start < vma->vm_start || (vma->vm_flags & (VM_IO | VM_PFNMAP))
67921 - || !(vm_flags & vma->vm_flags))
67922 - return i ? : -EFAULT;
67923 -
67924 -@@ -1614,6 +1615,195 @@ static inline void cow_user_page(struct
67925 - copy_user_highpage(dst, src, va, vma);
67926 - }
67927 -
67928 -+#ifdef CONFIG_PAX_SEGMEXEC
67929 -+static void pax_unmap_mirror_pte(struct vm_area_struct *vma, unsigned long address, pmd_t *pmd)
67930 -+{
67931 -+ struct mm_struct *mm = vma->vm_mm;
67932 -+ spinlock_t *ptl;
67933 -+ pte_t *pte, entry;
67934 -+
67935 -+ pte = pte_offset_map_lock(mm, pmd, address, &ptl);
67936 -+ entry = *pte;
67937 -+ if (!pte_present(entry)) {
67938 -+ if (!pte_none(entry)) {
67939 -+ BUG_ON(pte_file(entry));
67940 -+ free_swap_and_cache(pte_to_swp_entry(entry));
67941 -+ pte_clear_not_present_full(mm, address, pte, 0);
67942 -+ }
67943 -+ } else {
67944 -+ struct page *page;
67945 -+
67946 -+ page = vm_normal_page(vma, address, entry);
67947 -+ if (page) {
67948 -+ flush_cache_page(vma, address, pte_pfn(entry));
67949 -+ flush_icache_page(vma, page);
67950 -+ }
67951 -+ ptep_clear_flush(vma, address, pte);
67952 -+ BUG_ON(pte_dirty(entry));
67953 -+ if (page) {
67954 -+ update_hiwater_rss(mm);
67955 -+ if (PageAnon(page))
67956 -+ dec_mm_counter(mm, anon_rss);
67957 -+ else
67958 -+ dec_mm_counter(mm, file_rss);
67959 -+ page_remove_rmap(page, vma);
67960 -+ page_cache_release(page);
67961 -+ }
67962 -+ }
67963 -+ pte_unmap_unlock(pte, ptl);
67964 -+}
67965 -+
67966 -+/* PaX: if vma is mirrored, synchronize the mirror's PTE
67967 -+ *
67968 -+ * the ptl of the lower mapped page is held on entry and is not released on exit
67969 -+ * or inside to ensure atomic changes to the PTE states (swapout, mremap, munmap, etc)
67970 -+ */
67971 -+static void pax_mirror_anon_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m, spinlock_t *ptl)
67972 -+{
67973 -+ struct mm_struct *mm = vma->vm_mm;
67974 -+ unsigned long address_m;
67975 -+ spinlock_t *ptl_m;
67976 -+ struct vm_area_struct *vma_m;
67977 -+ pmd_t *pmd_m;
67978 -+ pte_t *pte_m, entry_m;
67979 -+
67980 -+ BUG_ON(!page_m || !PageAnon(page_m));
67981 -+
67982 -+ vma_m = pax_find_mirror_vma(vma);
67983 -+ if (!vma_m)
67984 -+ return;
67985 -+
67986 -+ BUG_ON(!PageLocked(page_m));
67987 -+ BUG_ON(address >= SEGMEXEC_TASK_SIZE);
67988 -+ address_m = address + SEGMEXEC_TASK_SIZE;
67989 -+ pmd_m = pmd_offset(pud_offset(pgd_offset(mm, address_m), address_m), address_m);
67990 -+ pte_m = pte_offset_map_nested(pmd_m, address_m);
67991 -+ ptl_m = pte_lockptr(mm, pmd_m);
67992 -+ if (ptl != ptl_m) {
67993 -+ spin_lock_nested(ptl_m, SINGLE_DEPTH_NESTING);
67994 -+ if (!pte_none(*pte_m)) {
67995 -+ spin_unlock(ptl_m);
67996 -+ pte_unmap_nested(pte_m);
67997 -+ unlock_page(page_m);
67998 -+ return;
67999 -+ }
68000 -+ }
68001 -+
68002 -+ entry_m = pfn_pte(page_to_pfn(page_m), vma_m->vm_page_prot);
68003 -+ page_cache_get(page_m);
68004 -+ page_add_anon_rmap(page_m, vma_m, address_m);
68005 -+ inc_mm_counter(mm, anon_rss);
68006 -+ set_pte_at(mm, address_m, pte_m, entry_m);
68007 -+ update_mmu_cache(vma_m, address_m, entry_m);
68008 -+ lazy_mmu_prot_update(entry_m);
68009 -+ if (ptl != ptl_m)
68010 -+ spin_unlock(ptl_m);
68011 -+ pte_unmap_nested(pte_m);
68012 -+ unlock_page(page_m);
68013 -+}
68014 -+
68015 -+void pax_mirror_file_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m, spinlock_t *ptl)
68016 -+{
68017 -+ struct mm_struct *mm = vma->vm_mm;
68018 -+ unsigned long address_m;
68019 -+ spinlock_t *ptl_m;
68020 -+ struct vm_area_struct *vma_m;
68021 -+ pmd_t *pmd_m;
68022 -+ pte_t *pte_m, entry_m;
68023 -+
68024 -+ BUG_ON(!page_m || PageAnon(page_m));
68025 -+
68026 -+ vma_m = pax_find_mirror_vma(vma);
68027 -+ if (!vma_m)
68028 -+ return;
68029 -+
68030 -+ BUG_ON(address >= SEGMEXEC_TASK_SIZE);
68031 -+ address_m = address + SEGMEXEC_TASK_SIZE;
68032 -+ pmd_m = pmd_offset(pud_offset(pgd_offset(mm, address_m), address_m), address_m);
68033 -+ pte_m = pte_offset_map_nested(pmd_m, address_m);
68034 -+ ptl_m = pte_lockptr(mm, pmd_m);
68035 -+ if (ptl != ptl_m) {
68036 -+ spin_lock_nested(ptl_m, SINGLE_DEPTH_NESTING);
68037 -+ if (!pte_none(*pte_m)) {
68038 -+ spin_unlock(ptl_m);
68039 -+ pte_unmap_nested(pte_m);
68040 -+ return;
68041 -+ }
68042 -+ }
68043 -+
68044 -+ entry_m = pfn_pte(page_to_pfn(page_m), vma_m->vm_page_prot);
68045 -+ page_cache_get(page_m);
68046 -+ page_add_file_rmap(page_m);
68047 -+ inc_mm_counter(mm, file_rss);
68048 -+ set_pte_at(mm, address_m, pte_m, entry_m);
68049 -+ update_mmu_cache(vma_m, address_m, entry_m);
68050 -+ lazy_mmu_prot_update(entry_m);
68051 -+ if (ptl != ptl_m)
68052 -+ spin_unlock(ptl_m);
68053 -+ pte_unmap_nested(pte_m);
68054 -+}
68055 -+
68056 -+static void pax_mirror_pfn_pte(struct vm_area_struct *vma, unsigned long address, unsigned long pfn_m, spinlock_t *ptl)
68057 -+{
68058 -+ struct mm_struct *mm = vma->vm_mm;
68059 -+ unsigned long address_m;
68060 -+ spinlock_t *ptl_m;
68061 -+ struct vm_area_struct *vma_m;
68062 -+ pmd_t *pmd_m;
68063 -+ pte_t *pte_m, entry_m;
68064 -+
68065 -+ vma_m = pax_find_mirror_vma(vma);
68066 -+ if (!vma_m)
68067 -+ return;
68068 -+
68069 -+ BUG_ON(address >= SEGMEXEC_TASK_SIZE);
68070 -+ address_m = address + SEGMEXEC_TASK_SIZE;
68071 -+ pmd_m = pmd_offset(pud_offset(pgd_offset(mm, address_m), address_m), address_m);
68072 -+ pte_m = pte_offset_map_nested(pmd_m, address_m);
68073 -+ ptl_m = pte_lockptr(mm, pmd_m);
68074 -+ if (ptl != ptl_m) {
68075 -+ spin_lock_nested(ptl_m, SINGLE_DEPTH_NESTING);
68076 -+ if (!pte_none(*pte_m)) {
68077 -+ spin_unlock(ptl_m);
68078 -+ pte_unmap_nested(pte_m);
68079 -+ return;
68080 -+ }
68081 -+ }
68082 -+
68083 -+ entry_m = pfn_pte(pfn_m, vma_m->vm_page_prot);
68084 -+ set_pte_at(mm, address_m, pte_m, entry_m);
68085 -+ if (ptl != ptl_m)
68086 -+ spin_unlock(ptl_m);
68087 -+ pte_unmap_nested(pte_m);
68088 -+}
68089 -+
68090 -+static void pax_mirror_pte(struct vm_area_struct *vma, unsigned long address, pte_t *pte, spinlock_t *ptl)
68091 -+{
68092 -+ struct page *page_m;
68093 -+ pte_t entry;
68094 -+
68095 -+ if (!(vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC))
68096 -+ return;
68097 -+
68098 -+ entry = *pte;
68099 -+ page_m = vm_normal_page(vma, address, entry);
68100 -+ if (!page_m)
68101 -+ pax_mirror_pfn_pte(vma, address, pte_pfn(entry), ptl);
68102 -+ else if (PageAnon(page_m)) {
68103 -+ if (pax_find_mirror_vma(vma)) {
68104 -+ spin_unlock(ptl);
68105 -+ lock_page(page_m);
68106 -+ spin_lock(ptl);
68107 -+ if (pte_same(entry, *pte))
68108 -+ pax_mirror_anon_pte(vma, address, page_m, ptl);
68109 -+ else
68110 -+ unlock_page(page_m);
68111 -+ }
68112 -+ } else
68113 -+ pax_mirror_file_pte(vma, address, page_m, ptl);
68114 -+}
68115 -+#endif
68116 -+
68117 - /*
68118 - * This routine handles present pages, when users try to write
68119 - * to a shared page. It is done by copying the page to a new address
68120 -@@ -1733,6 +1923,12 @@ gotten:
68121 - */
68122 - page_table = pte_offset_map_lock(mm, pmd, address, &ptl);
68123 - if (likely(pte_same(*page_table, orig_pte))) {
68124 -+
68125 -+#ifdef CONFIG_PAX_SEGMEXEC
68126 -+ if (pax_find_mirror_vma(vma))
68127 -+ BUG_ON(TestSetPageLocked(new_page));
68128 -+#endif
68129 -+
68130 - if (old_page) {
68131 - page_remove_rmap(old_page, vma);
68132 - if (!PageAnon(old_page)) {
68133 -@@ -1757,6 +1953,10 @@ gotten:
68134 - lru_cache_add_active(new_page);
68135 - page_add_new_anon_rmap(new_page, vma, address);
68136 -
68137 -+#ifdef CONFIG_PAX_SEGMEXEC
68138 -+ pax_mirror_anon_pte(vma, address, new_page, ptl);
68139 -+#endif
68140 -+
68141 - /* Free the old page.. */
68142 - new_page = old_page;
68143 - ret |= VM_FAULT_WRITE;
68144 -@@ -2034,6 +2234,7 @@ int vmtruncate(struct inode * inode, lof
68145 -
68146 - do_expand:
68147 - limit = current->signal->rlim[RLIMIT_FSIZE].rlim_cur;
68148 -+ gr_learn_resource(current, RLIMIT_FSIZE, offset, 1);
68149 - if (limit != RLIM_INFINITY && offset > limit)
68150 - goto out_sig;
68151 - if (offset > inode->i_sb->s_maxbytes)
68152 -@@ -2216,6 +2417,11 @@ static int do_swap_page(struct mm_struct
68153 - swap_free(entry);
68154 - if (vm_swap_full())
68155 - remove_exclusive_swap_page(page);
68156 -+
68157 -+#ifdef CONFIG_PAX_SEGMEXEC
68158 -+ if (write_access || !pax_find_mirror_vma(vma))
68159 -+#endif
68160 -+
68161 - unlock_page(page);
68162 -
68163 - if (write_access) {
68164 -@@ -2228,6 +2434,11 @@ static int do_swap_page(struct mm_struct
68165 -
68166 - /* No need to invalidate - it was non-present before */
68167 - update_mmu_cache(vma, address, pte);
68168 -+
68169 -+#ifdef CONFIG_PAX_SEGMEXEC
68170 -+ pax_mirror_anon_pte(vma, address, page, ptl);
68171 -+#endif
68172 -+
68173 - unlock:
68174 - pte_unmap_unlock(page_table, ptl);
68175 - out:
68176 -@@ -2268,6 +2479,12 @@ static int do_anonymous_page(struct mm_s
68177 - page_table = pte_offset_map_lock(mm, pmd, address, &ptl);
68178 - if (!pte_none(*page_table))
68179 - goto release;
68180 -+
68181 -+#ifdef CONFIG_PAX_SEGMEXEC
68182 -+ if (pax_find_mirror_vma(vma))
68183 -+ BUG_ON(TestSetPageLocked(page));
68184 -+#endif
68185 -+
68186 - inc_mm_counter(mm, anon_rss);
68187 - lru_cache_add_active(page);
68188 - page_add_new_anon_rmap(page, vma, address);
68189 -@@ -2290,6 +2507,14 @@ static int do_anonymous_page(struct mm_s
68190 - /* No need to invalidate - it was non-present before */
68191 - update_mmu_cache(vma, address, entry);
68192 - lazy_mmu_prot_update(entry);
68193 -+
68194 -+#ifdef CONFIG_PAX_SEGMEXEC
68195 -+ if (write_access)
68196 -+ pax_mirror_anon_pte(vma, address, page, ptl);
68197 -+ else
68198 -+ pax_mirror_file_pte(vma, address, page, ptl);
68199 -+#endif
68200 -+
68201 - unlock:
68202 - pte_unmap_unlock(page_table, ptl);
68203 - return 0;
68204 -@@ -2422,6 +2647,12 @@ static int __do_fault(struct mm_struct *
68205 - */
68206 - /* Only go through if we didn't race with anybody else... */
68207 - if (likely(pte_same(*page_table, orig_pte))) {
68208 -+
68209 -+#ifdef CONFIG_PAX_SEGMEXEC
68210 -+ if (anon && pax_find_mirror_vma(vma))
68211 -+ BUG_ON(TestSetPageLocked(page));
68212 -+#endif
68213 -+
68214 - flush_icache_page(vma, page);
68215 - entry = mk_pte(page, vma->vm_page_prot);
68216 - if (flags & FAULT_FLAG_WRITE)
68217 -@@ -2443,6 +2674,14 @@ static int __do_fault(struct mm_struct *
68218 - /* no need to invalidate: a not-present page won't be cached */
68219 - update_mmu_cache(vma, address, entry);
68220 - lazy_mmu_prot_update(entry);
68221 -+
68222 -+#ifdef CONFIG_PAX_SEGMEXEC
68223 -+ if (anon)
68224 -+ pax_mirror_anon_pte(vma, address, page, ptl);
68225 -+ else
68226 -+ pax_mirror_file_pte(vma, address, page, ptl);
68227 -+#endif
68228 -+
68229 - } else {
68230 - if (anon)
68231 - page_cache_release(page);
68232 -@@ -2522,6 +2761,11 @@ static noinline int do_no_pfn(struct mm_
68233 - if (write_access)
68234 - entry = maybe_mkwrite(pte_mkdirty(entry), vma);
68235 - set_pte_at(mm, address, page_table, entry);
68236 -+
68237 -+#ifdef CONFIG_PAX_SEGMEXEC
68238 -+ pax_mirror_pfn_pte(vma, address, pfn, ptl);
68239 -+#endif
68240 -+
68241 - }
68242 - pte_unmap_unlock(page_table, ptl);
68243 - return 0;
68244 -@@ -2625,6 +2869,11 @@ static inline int handle_pte_fault(struc
68245 - if (write_access)
68246 - flush_tlb_page(vma, address);
68247 - }
68248 -+
68249 -+#ifdef CONFIG_PAX_SEGMEXEC
68250 -+ pax_mirror_pte(vma, address, pte, ptl);
68251 -+#endif
68252 -+
68253 - unlock:
68254 - pte_unmap_unlock(pte, ptl);
68255 - return 0;
68256 -@@ -2641,6 +2890,10 @@ int handle_mm_fault(struct mm_struct *mm
68257 - pmd_t *pmd;
68258 - pte_t *pte;
68259 -
68260 -+#ifdef CONFIG_PAX_SEGMEXEC
68261 -+ struct vm_area_struct *vma_m;
68262 -+#endif
68263 -+
68264 - __set_current_state(TASK_RUNNING);
68265 -
68266 - count_vm_event(PGFAULT);
68267 -@@ -2648,6 +2901,34 @@ int handle_mm_fault(struct mm_struct *mm
68268 - if (unlikely(is_vm_hugetlb_page(vma)))
68269 - return hugetlb_fault(mm, vma, address, write_access);
68270 -
68271 -+#ifdef CONFIG_PAX_SEGMEXEC
68272 -+ vma_m = pax_find_mirror_vma(vma);
68273 -+ if (vma_m) {
68274 -+ unsigned long address_m;
68275 -+ pgd_t *pgd_m;
68276 -+ pud_t *pud_m;
68277 -+ pmd_t *pmd_m;
68278 -+
68279 -+ if (vma->vm_start > vma_m->vm_start) {
68280 -+ address_m = address;
68281 -+ address -= SEGMEXEC_TASK_SIZE;
68282 -+ vma = vma_m;
68283 -+ } else
68284 -+ address_m = address + SEGMEXEC_TASK_SIZE;
68285 -+
68286 -+ pgd_m = pgd_offset(mm, address_m);
68287 -+ pud_m = pud_alloc(mm, pgd_m, address_m);
68288 -+ if (!pud_m)
68289 -+ return VM_FAULT_OOM;
68290 -+ pmd_m = pmd_alloc(mm, pud_m, address_m);
68291 -+ if (!pmd_m)
68292 -+ return VM_FAULT_OOM;
68293 -+ if (!pmd_present(*pmd_m) && __pte_alloc(mm, pmd_m, address_m))
68294 -+ return VM_FAULT_OOM;
68295 -+ pax_unmap_mirror_pte(vma_m, address_m, pmd_m);
68296 -+ }
68297 -+#endif
68298 -+
68299 - pgd = pgd_offset(mm, address);
68300 - pud = pud_alloc(mm, pgd, address);
68301 - if (!pud)
68302 -@@ -2781,7 +3062,7 @@ static int __init gate_vma_init(void)
68303 - gate_vma.vm_start = FIXADDR_USER_START;
68304 - gate_vma.vm_end = FIXADDR_USER_END;
68305 - gate_vma.vm_flags = VM_READ | VM_MAYREAD | VM_EXEC | VM_MAYEXEC;
68306 -- gate_vma.vm_page_prot = __P101;
68307 -+ gate_vma.vm_page_prot = vm_get_page_prot(gate_vma.vm_flags);
68308 - /*
68309 - * Make sure the vDSO gets into every core dump.
68310 - * Dumping its contents makes post-mortem fully interpretable later
68311 -diff -Nurp linux-2.6.23.15/mm/mempolicy.c linux-2.6.23.15-grsec/mm/mempolicy.c
68312 ---- linux-2.6.23.15/mm/mempolicy.c 2007-10-09 21:31:38.000000000 +0100
68313 -+++ linux-2.6.23.15-grsec/mm/mempolicy.c 2008-02-11 10:37:45.000000000 +0000
68314 -@@ -401,6 +401,10 @@ static int mbind_range(struct vm_area_st
68315 - struct vm_area_struct *next;
68316 - int err;
68317 -
68318 -+#ifdef CONFIG_PAX_SEGMEXEC
68319 -+ struct vm_area_struct *vma_m;
68320 -+#endif
68321 -+
68322 - err = 0;
68323 - for (; vma && vma->vm_start < end; vma = next) {
68324 - next = vma->vm_next;
68325 -@@ -412,6 +416,16 @@ static int mbind_range(struct vm_area_st
68326 - err = policy_vma(vma, new);
68327 - if (err)
68328 - break;
68329 -+
68330 -+#ifdef CONFIG_PAX_SEGMEXEC
68331 -+ vma_m = pax_find_mirror_vma(vma);
68332 -+ if (vma_m) {
68333 -+ err = policy_vma(vma_m, new);
68334 -+ if (err)
68335 -+ break;
68336 -+ }
68337 -+#endif
68338 -+
68339 - }
68340 - return err;
68341 - }
68342 -@@ -732,7 +746,7 @@ static struct page *new_vma_page(struct
68343 - }
68344 - #endif
68345 -
68346 --long do_mbind(unsigned long start, unsigned long len,
68347 -+static long do_mbind(unsigned long start, unsigned long len,
68348 - unsigned long mode, nodemask_t *nmask, unsigned long flags)
68349 - {
68350 - struct vm_area_struct *vma;
68351 -@@ -760,6 +774,17 @@ long do_mbind(unsigned long start, unsig
68352 -
68353 - if (end < start)
68354 - return -EINVAL;
68355 -+
68356 -+#ifdef CONFIG_PAX_SEGMEXEC
68357 -+ if (mm->pax_flags & MF_PAX_SEGMEXEC) {
68358 -+ if (end > SEGMEXEC_TASK_SIZE)
68359 -+ return -EINVAL;
68360 -+ } else
68361 -+#endif
68362 -+
68363 -+ if (end > TASK_SIZE)
68364 -+ return -EINVAL;
68365 -+
68366 - if (end == start)
68367 - return 0;
68368 -
68369 -diff -Nurp linux-2.6.23.15/mm/mlock.c linux-2.6.23.15-grsec/mm/mlock.c
68370 ---- linux-2.6.23.15/mm/mlock.c 2007-10-09 21:31:38.000000000 +0100
68371 -+++ linux-2.6.23.15-grsec/mm/mlock.c 2008-02-11 10:37:45.000000000 +0000
68372 -@@ -12,6 +12,7 @@
68373 - #include <linux/syscalls.h>
68374 - #include <linux/sched.h>
68375 - #include <linux/module.h>
68376 -+#include <linux/grsecurity.h>
68377 -
68378 - int can_do_mlock(void)
68379 - {
68380 -@@ -95,6 +96,17 @@ static int do_mlock(unsigned long start,
68381 - return -EINVAL;
68382 - if (end == start)
68383 - return 0;
68384 -+
68385 -+#ifdef CONFIG_PAX_SEGMEXEC
68386 -+ if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
68387 -+ if (end > SEGMEXEC_TASK_SIZE)
68388 -+ return -EINVAL;
68389 -+ } else
68390 -+#endif
68391 -+
68392 -+ if (end > TASK_SIZE)
68393 -+ return -EINVAL;
68394 -+
68395 - vma = find_vma_prev(current->mm, start, &prev);
68396 - if (!vma || vma->vm_start > start)
68397 - return -ENOMEM;
68398 -@@ -152,6 +164,7 @@ asmlinkage long sys_mlock(unsigned long
68399 - lock_limit >>= PAGE_SHIFT;
68400 -
68401 - /* check against resource limits */
68402 -+ gr_learn_resource(current, RLIMIT_MEMLOCK, (current->mm->locked_vm << PAGE_SHIFT) + len, 1);
68403 - if ((locked <= lock_limit) || capable(CAP_IPC_LOCK))
68404 - error = do_mlock(start, len, 1);
68405 - up_write(&current->mm->mmap_sem);
68406 -@@ -173,10 +186,10 @@ asmlinkage long sys_munlock(unsigned lon
68407 - static int do_mlockall(int flags)
68408 - {
68409 - struct vm_area_struct * vma, * prev = NULL;
68410 -- unsigned int def_flags = 0;
68411 -+ unsigned int def_flags = current->mm->def_flags & ~VM_LOCKED;
68412 -
68413 - if (flags & MCL_FUTURE)
68414 -- def_flags = VM_LOCKED;
68415 -+ def_flags |= VM_LOCKED;
68416 - current->mm->def_flags = def_flags;
68417 - if (flags == MCL_FUTURE)
68418 - goto out;
68419 -@@ -184,6 +197,12 @@ static int do_mlockall(int flags)
68420 - for (vma = current->mm->mmap; vma ; vma = prev->vm_next) {
68421 - unsigned int newflags;
68422 -
68423 -+#ifdef CONFIG_PAX_SEGMEXEC
68424 -+ if ((current->mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_start >= SEGMEXEC_TASK_SIZE))
68425 -+ break;
68426 -+#endif
68427 -+
68428 -+ BUG_ON(vma->vm_end > TASK_SIZE);
68429 - newflags = vma->vm_flags | VM_LOCKED;
68430 - if (!(flags & MCL_CURRENT))
68431 - newflags &= ~VM_LOCKED;
68432 -@@ -213,6 +232,7 @@ asmlinkage long sys_mlockall(int flags)
68433 - lock_limit >>= PAGE_SHIFT;
68434 -
68435 - ret = -ENOMEM;
68436 -+ gr_learn_resource(current, RLIMIT_MEMLOCK, current->mm->total_vm, 1);
68437 - if (!(flags & MCL_CURRENT) || (current->mm->total_vm <= lock_limit) ||
68438 - capable(CAP_IPC_LOCK))
68439 - ret = do_mlockall(flags);
68440 -diff -Nurp linux-2.6.23.15/mm/mmap.c linux-2.6.23.15-grsec/mm/mmap.c
68441 ---- linux-2.6.23.15/mm/mmap.c 2008-02-11 10:36:03.000000000 +0000
68442 -+++ linux-2.6.23.15-grsec/mm/mmap.c 2008-02-11 10:43:32.000000000 +0000
68443 -@@ -25,6 +25,7 @@
68444 - #include <linux/mount.h>
68445 - #include <linux/mempolicy.h>
68446 - #include <linux/rmap.h>
68447 -+#include <linux/grsecurity.h>
68448 -
68449 - #include <asm/uaccess.h>
68450 - #include <asm/cacheflush.h>
68451 -@@ -35,6 +36,16 @@
68452 - #define arch_mmap_check(addr, len, flags) (0)
68453 - #endif
68454 -
68455 -+static inline void verify_mm_writelocked(struct mm_struct *mm)
68456 -+{
68457 -+#if defined(CONFIG_DEBUG_VM) || defined(CONFIG_PAX)
68458 -+ if (unlikely(down_read_trylock(&mm->mmap_sem))) {
68459 -+ up_read(&mm->mmap_sem);
68460 -+ BUG();
68461 -+ }
68462 -+#endif
68463 -+}
68464 -+
68465 - static void unmap_region(struct mm_struct *mm,
68466 - struct vm_area_struct *vma, struct vm_area_struct *prev,
68467 - unsigned long start, unsigned long end);
68468 -@@ -60,15 +71,23 @@ static void unmap_region(struct mm_struc
68469 - * x: (no) no x: (no) yes x: (no) yes x: (yes) yes
68470 - *
68471 - */
68472 --pgprot_t protection_map[16] = {
68473 -+pgprot_t protection_map[16] __read_only = {
68474 - __P000, __P001, __P010, __P011, __P100, __P101, __P110, __P111,
68475 - __S000, __S001, __S010, __S011, __S100, __S101, __S110, __S111
68476 - };
68477 -
68478 - pgprot_t vm_get_page_prot(unsigned long vm_flags)
68479 - {
68480 -- return protection_map[vm_flags &
68481 -- (VM_READ|VM_WRITE|VM_EXEC|VM_SHARED)];
68482 -+ pgprot_t prot = protection_map[vm_flags & (VM_READ|VM_WRITE|VM_EXEC|VM_SHARED)];
68483 -+
68484 -+#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
68485 -+ if (!nx_enabled &&
68486 -+ (vm_flags & (VM_PAGEEXEC | VM_EXEC)) == VM_PAGEEXEC &&
68487 -+ (vm_flags & (VM_READ | VM_WRITE)))
68488 -+ prot = __pgprot(pte_val(pte_exprotect(__pte(pgprot_val(prot)))));
68489 -+#endif
68490 -+
68491 -+ return prot;
68492 - }
68493 - EXPORT_SYMBOL(vm_get_page_prot);
68494 -
68495 -@@ -225,6 +244,7 @@ static struct vm_area_struct *remove_vma
68496 - struct vm_area_struct *next = vma->vm_next;
68497 -
68498 - might_sleep();
68499 -+ BUG_ON(vma->vm_mirror);
68500 - if (vma->vm_ops && vma->vm_ops->close)
68501 - vma->vm_ops->close(vma);
68502 - if (vma->vm_file)
68503 -@@ -252,6 +272,7 @@ asmlinkage unsigned long sys_brk(unsigne
68504 - * not page aligned -Ram Gupta
68505 - */
68506 - rlim = current->signal->rlim[RLIMIT_DATA].rlim_cur;
68507 -+ gr_learn_resource(current, RLIMIT_DATA, brk - mm->start_data, 1);
68508 - if (rlim < RLIM_INFINITY && brk - mm->start_data > rlim)
68509 - goto out;
68510 -
68511 -@@ -352,8 +373,12 @@ find_vma_prepare(struct mm_struct *mm, u
68512 -
68513 - if (vma_tmp->vm_end > addr) {
68514 - vma = vma_tmp;
68515 -- if (vma_tmp->vm_start <= addr)
68516 -- return vma;
68517 -+ if (vma_tmp->vm_start <= addr) {
68518 -+//printk("PAX: prep: %08lx-%08lx %08lx pr:%p l:%p pa:%p ",
68519 -+//vma->vm_start, vma->vm_end, addr, *pprev, *rb_link, *rb_parent);
68520 -+//__print_symbol("%s\n", __builtin_extract_return_addr(__builtin_return_address(0)));
68521 -+ break;
68522 -+ }
68523 - __rb_link = &__rb_parent->rb_left;
68524 - } else {
68525 - rb_prev = __rb_parent;
68526 -@@ -677,6 +702,12 @@ static int
68527 - can_vma_merge_before(struct vm_area_struct *vma, unsigned long vm_flags,
68528 - struct anon_vma *anon_vma, struct file *file, pgoff_t vm_pgoff)
68529 - {
68530 -+
68531 -+#ifdef CONFIG_PAX_SEGMEXEC
68532 -+ if ((vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) && vma->vm_start == SEGMEXEC_TASK_SIZE)
68533 -+ return 0;
68534 -+#endif
68535 -+
68536 - if (is_mergeable_vma(vma, file, vm_flags) &&
68537 - is_mergeable_anon_vma(anon_vma, vma->anon_vma)) {
68538 - if (vma->vm_pgoff == vm_pgoff)
68539 -@@ -696,6 +727,12 @@ static int
68540 - can_vma_merge_after(struct vm_area_struct *vma, unsigned long vm_flags,
68541 - struct anon_vma *anon_vma, struct file *file, pgoff_t vm_pgoff)
68542 - {
68543 -+
68544 -+#ifdef CONFIG_PAX_SEGMEXEC
68545 -+ if ((vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) && vma->vm_end == SEGMEXEC_TASK_SIZE)
68546 -+ return 0;
68547 -+#endif
68548 -+
68549 - if (is_mergeable_vma(vma, file, vm_flags) &&
68550 - is_mergeable_anon_vma(anon_vma, vma->anon_vma)) {
68551 - pgoff_t vm_pglen;
68552 -@@ -738,12 +775,19 @@ can_vma_merge_after(struct vm_area_struc
68553 - struct vm_area_struct *vma_merge(struct mm_struct *mm,
68554 - struct vm_area_struct *prev, unsigned long addr,
68555 - unsigned long end, unsigned long vm_flags,
68556 -- struct anon_vma *anon_vma, struct file *file,
68557 -+ struct anon_vma *anon_vma, struct file *file,
68558 - pgoff_t pgoff, struct mempolicy *policy)
68559 - {
68560 - pgoff_t pglen = (end - addr) >> PAGE_SHIFT;
68561 - struct vm_area_struct *area, *next;
68562 -
68563 -+#ifdef CONFIG_PAX_SEGMEXEC
68564 -+ unsigned long addr_m = addr + SEGMEXEC_TASK_SIZE, end_m = end + SEGMEXEC_TASK_SIZE;
68565 -+ struct vm_area_struct *area_m = NULL, *next_m = NULL, *prev_m = NULL;
68566 -+
68567 -+ BUG_ON((mm->pax_flags & MF_PAX_SEGMEXEC) && SEGMEXEC_TASK_SIZE < end);
68568 -+#endif
68569 -+
68570 - /*
68571 - * We later require that vma->vm_flags == vm_flags,
68572 - * so this tests vma->vm_flags & VM_SPECIAL, too.
68573 -@@ -759,6 +803,15 @@ struct vm_area_struct *vma_merge(struct
68574 - if (next && next->vm_end == end) /* cases 6, 7, 8 */
68575 - next = next->vm_next;
68576 -
68577 -+#ifdef CONFIG_PAX_SEGMEXEC
68578 -+ if (prev)
68579 -+ prev_m = pax_find_mirror_vma(prev);
68580 -+ if (area)
68581 -+ area_m = pax_find_mirror_vma(area);
68582 -+ if (next)
68583 -+ next_m = pax_find_mirror_vma(next);
68584 -+#endif
68585 -+
68586 - /*
68587 - * Can it merge with the predecessor?
68588 - */
68589 -@@ -778,9 +831,24 @@ struct vm_area_struct *vma_merge(struct
68590 - /* cases 1, 6 */
68591 - vma_adjust(prev, prev->vm_start,
68592 - next->vm_end, prev->vm_pgoff, NULL);
68593 -- } else /* cases 2, 5, 7 */
68594 -+
68595 -+#ifdef CONFIG_PAX_SEGMEXEC
68596 -+ if (prev_m)
68597 -+ vma_adjust(prev_m, prev_m->vm_start,
68598 -+ next_m->vm_end, prev_m->vm_pgoff, NULL);
68599 -+#endif
68600 -+
68601 -+ } else { /* cases 2, 5, 7 */
68602 - vma_adjust(prev, prev->vm_start,
68603 - end, prev->vm_pgoff, NULL);
68604 -+
68605 -+#ifdef CONFIG_PAX_SEGMEXEC
68606 -+ if (prev_m)
68607 -+ vma_adjust(prev_m, prev_m->vm_start,
68608 -+ end_m, prev_m->vm_pgoff, NULL);
68609 -+#endif
68610 -+
68611 -+ }
68612 - return prev;
68613 - }
68614 -
68615 -@@ -791,12 +859,27 @@ struct vm_area_struct *vma_merge(struct
68616 - mpol_equal(policy, vma_policy(next)) &&
68617 - can_vma_merge_before(next, vm_flags,
68618 - anon_vma, file, pgoff+pglen)) {
68619 -- if (prev && addr < prev->vm_end) /* case 4 */
68620 -+ if (prev && addr < prev->vm_end) { /* case 4 */
68621 - vma_adjust(prev, prev->vm_start,
68622 - addr, prev->vm_pgoff, NULL);
68623 -- else /* cases 3, 8 */
68624 -+
68625 -+#ifdef CONFIG_PAX_SEGMEXEC
68626 -+ if (prev_m)
68627 -+ vma_adjust(prev_m, prev_m->vm_start,
68628 -+ addr_m, prev_m->vm_pgoff, NULL);
68629 -+#endif
68630 -+
68631 -+ } else { /* cases 3, 8 */
68632 - vma_adjust(area, addr, next->vm_end,
68633 - next->vm_pgoff - pglen, NULL);
68634 -+
68635 -+#ifdef CONFIG_PAX_SEGMEXEC
68636 -+ if (area_m)
68637 -+ vma_adjust(area_m, addr_m, next_m->vm_end,
68638 -+ next_m->vm_pgoff - pglen, NULL);
68639 -+#endif
68640 -+
68641 -+ }
68642 - return area;
68643 - }
68644 -
68645 -@@ -871,14 +954,11 @@ none:
68646 - void vm_stat_account(struct mm_struct *mm, unsigned long flags,
68647 - struct file *file, long pages)
68648 - {
68649 -- const unsigned long stack_flags
68650 -- = VM_STACK_FLAGS & (VM_GROWSUP|VM_GROWSDOWN);
68651 --
68652 - if (file) {
68653 - mm->shared_vm += pages;
68654 - if ((flags & (VM_EXEC|VM_WRITE)) == VM_EXEC)
68655 - mm->exec_vm += pages;
68656 -- } else if (flags & stack_flags)
68657 -+ } else if (flags & (VM_GROWSUP|VM_GROWSDOWN))
68658 - mm->stack_vm += pages;
68659 - if (flags & (VM_RESERVED|VM_IO))
68660 - mm->reserved_vm += pages;
68661 -@@ -906,22 +986,22 @@ unsigned long do_mmap_pgoff(struct file
68662 - * (the exception is when the underlying filesystem is noexec
68663 - * mounted, in which case we dont add PROT_EXEC.)
68664 - */
68665 -- if ((prot & PROT_READ) && (current->personality & READ_IMPLIES_EXEC))
68666 -+ if ((prot & (PROT_READ | PROT_WRITE)) && (current->personality & READ_IMPLIES_EXEC))
68667 - if (!(file && (file->f_path.mnt->mnt_flags & MNT_NOEXEC)))
68668 - prot |= PROT_EXEC;
68669 -
68670 - if (!len)
68671 - return -EINVAL;
68672 -
68673 -- error = arch_mmap_check(addr, len, flags);
68674 -- if (error)
68675 -- return error;
68676 --
68677 - /* Careful about overflows.. */
68678 - len = PAGE_ALIGN(len);
68679 - if (!len || len > TASK_SIZE)
68680 - return -ENOMEM;
68681 -
68682 -+ error = arch_mmap_check(addr, len, flags);
68683 -+ if (error)
68684 -+ return error;
68685 -+
68686 - /* offset overflow? */
68687 - if ((pgoff + (len >> PAGE_SHIFT)) < pgoff)
68688 - return -EOVERFLOW;
68689 -@@ -933,7 +1013,7 @@ unsigned long do_mmap_pgoff(struct file
68690 - /* Obtain the address to map to. we verify (or select) it and ensure
68691 - * that it represents a valid section of the address space.
68692 - */
68693 -- addr = get_unmapped_area(file, addr, len, pgoff, flags);
68694 -+ addr = get_unmapped_area(file, addr, len, pgoff, flags | ((prot & PROT_EXEC) ? MAP_EXECUTABLE : 0));
68695 - if (addr & ~PAGE_MASK)
68696 - return addr;
68697 -
68698 -@@ -944,6 +1024,26 @@ unsigned long do_mmap_pgoff(struct file
68699 - vm_flags = calc_vm_prot_bits(prot) | calc_vm_flag_bits(flags) |
68700 - mm->def_flags | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC;
68701 -
68702 -+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
68703 -+ if (mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
68704 -+
68705 -+#ifdef CONFIG_PAX_MPROTECT
68706 -+ if (mm->pax_flags & MF_PAX_MPROTECT) {
68707 -+ if ((prot & (PROT_WRITE | PROT_EXEC)) != PROT_EXEC)
68708 -+ vm_flags &= ~(VM_EXEC | VM_MAYEXEC);
68709 -+ else
68710 -+ vm_flags &= ~(VM_WRITE | VM_MAYWRITE);
68711 -+ }
68712 -+#endif
68713 -+
68714 -+ }
68715 -+#endif
68716 -+
68717 -+#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
68718 -+ if ((mm->pax_flags & MF_PAX_PAGEEXEC) && file)
68719 -+ vm_flags &= ~VM_PAGEEXEC;
68720 -+#endif
68721 -+
68722 - if (flags & MAP_LOCKED) {
68723 - if (!can_do_mlock())
68724 - return -EPERM;
68725 -@@ -956,6 +1056,7 @@ unsigned long do_mmap_pgoff(struct file
68726 - locked += mm->locked_vm;
68727 - lock_limit = current->signal->rlim[RLIMIT_MEMLOCK].rlim_cur;
68728 - lock_limit >>= PAGE_SHIFT;
68729 -+ gr_learn_resource(current, RLIMIT_MEMLOCK, locked << PAGE_SHIFT, 1);
68730 - if (locked > lock_limit && !capable(CAP_IPC_LOCK))
68731 - return -EAGAIN;
68732 - }
68733 -@@ -1024,6 +1125,9 @@ unsigned long do_mmap_pgoff(struct file
68734 - if (error)
68735 - return error;
68736 -
68737 -+ if (!gr_acl_handle_mmap(file, prot))
68738 -+ return -EACCES;
68739 -+
68740 - return mmap_region(file, addr, len, flags, vm_flags, pgoff,
68741 - accountable);
68742 - }
68743 -@@ -1037,10 +1141,10 @@ EXPORT_SYMBOL(do_mmap_pgoff);
68744 - */
68745 - int vma_wants_writenotify(struct vm_area_struct *vma)
68746 - {
68747 -- unsigned int vm_flags = vma->vm_flags;
68748 -+ unsigned long vm_flags = vma->vm_flags;
68749 -
68750 - /* If it was private or non-writable, the write bit is already clear */
68751 -- if ((vm_flags & (VM_WRITE|VM_SHARED)) != ((VM_WRITE|VM_SHARED)))
68752 -+ if ((vm_flags & (VM_WRITE|VM_SHARED)) != (VM_WRITE|VM_SHARED))
68753 - return 0;
68754 -
68755 - /* The backer wishes to know when pages are first written to? */
68756 -@@ -1049,8 +1153,7 @@ int vma_wants_writenotify(struct vm_area
68757 -
68758 - /* The open routine did something to the protections already? */
68759 - if (pgprot_val(vma->vm_page_prot) !=
68760 -- pgprot_val(protection_map[vm_flags &
68761 -- (VM_READ|VM_WRITE|VM_EXEC|VM_SHARED)]))
68762 -+ pgprot_val(vm_get_page_prot(vm_flags)))
68763 - return 0;
68764 -
68765 - /* Specialty mapping? */
68766 -@@ -1076,14 +1179,24 @@ unsigned long mmap_region(struct file *f
68767 - unsigned long charged = 0;
68768 - struct inode *inode = file ? file->f_path.dentry->d_inode : NULL;
68769 -
68770 -+#ifdef CONFIG_PAX_SEGMEXEC
68771 -+ struct vm_area_struct *vma_m = NULL;
68772 -+#endif
68773 -+
68774 -+ /*
68775 -+ * mm->mmap_sem is required to protect against another thread
68776 -+ * changing the mappings in case we sleep.
68777 -+ */
68778 -+ verify_mm_writelocked(mm);
68779 -+
68780 - /* Clear old maps */
68781 - error = -ENOMEM;
68782 --munmap_back:
68783 - vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
68784 - if (vma && vma->vm_start < addr + len) {
68785 - if (do_munmap(mm, addr, len))
68786 - return -ENOMEM;
68787 -- goto munmap_back;
68788 -+ vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
68789 -+ BUG_ON(vma && vma->vm_start < addr + len);
68790 - }
68791 -
68792 - /* Check against address space limit. */
68793 -@@ -1127,12 +1240,22 @@ munmap_back:
68794 - goto unacct_error;
68795 - }
68796 -
68797 -+#ifdef CONFIG_PAX_SEGMEXEC
68798 -+ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (vm_flags & VM_EXEC)) {
68799 -+ vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
68800 -+ if (!vma_m) {
68801 -+ kmem_cache_free(vm_area_cachep, vma);
68802 -+ error = -ENOMEM;
68803 -+ goto unacct_error;
68804 -+ }
68805 -+ }
68806 -+#endif
68807 -+
68808 - vma->vm_mm = mm;
68809 - vma->vm_start = addr;
68810 - vma->vm_end = addr + len;
68811 - vma->vm_flags = vm_flags;
68812 -- vma->vm_page_prot = protection_map[vm_flags &
68813 -- (VM_READ|VM_WRITE|VM_EXEC|VM_SHARED)];
68814 -+ vma->vm_page_prot = vm_get_page_prot(vm_flags);
68815 - vma->vm_pgoff = pgoff;
68816 -
68817 - if (file) {
68818 -@@ -1150,6 +1273,14 @@ munmap_back:
68819 - error = file->f_op->mmap(file, vma);
68820 - if (error)
68821 - goto unmap_and_free_vma;
68822 -+
68823 -+#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
68824 -+ if ((mm->pax_flags & MF_PAX_PAGEEXEC) && !(vma->vm_flags & VM_SPECIAL)) {
68825 -+ vma->vm_flags |= VM_PAGEEXEC;
68826 -+ vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
68827 -+ }
68828 -+#endif
68829 -+
68830 - } else if (vm_flags & VM_SHARED) {
68831 - error = shmem_zero_setup(vma);
68832 - if (error)
68833 -@@ -1174,13 +1305,18 @@ munmap_back:
68834 - vm_flags = vma->vm_flags;
68835 -
68836 - if (vma_wants_writenotify(vma))
68837 -- vma->vm_page_prot =
68838 -- protection_map[vm_flags & (VM_READ|VM_WRITE|VM_EXEC)];
68839 -+ vma->vm_page_prot = vm_get_page_prot(vm_flags & ~VM_SHARED);
68840 -
68841 - if (!file || !vma_merge(mm, prev, addr, vma->vm_end,
68842 - vma->vm_flags, NULL, file, pgoff, vma_policy(vma))) {
68843 - file = vma->vm_file;
68844 - vma_link(mm, vma, prev, rb_link, rb_parent);
68845 -+
68846 -+#ifdef CONFIG_PAX_SEGMEXEC
68847 -+ if (vma_m)
68848 -+ pax_mirror_vma(vma_m, vma);
68849 -+#endif
68850 -+
68851 - if (correct_wcount)
68852 - atomic_inc(&inode->i_writecount);
68853 - } else {
68854 -@@ -1191,10 +1327,12 @@ munmap_back:
68855 - }
68856 - mpol_free(vma_policy(vma));
68857 - kmem_cache_free(vm_area_cachep, vma);
68858 -+ vma = NULL;
68859 - }
68860 - out:
68861 - mm->total_vm += len >> PAGE_SHIFT;
68862 - vm_stat_account(mm, vm_flags, file, len >> PAGE_SHIFT);
68863 -+ track_exec_limit(mm, addr, addr + len, vm_flags);
68864 - if (vm_flags & VM_LOCKED) {
68865 - mm->locked_vm += len >> PAGE_SHIFT;
68866 - make_pages_present(addr, addr + len);
68867 -@@ -1213,6 +1351,12 @@ unmap_and_free_vma:
68868 - unmap_region(mm, vma, prev, vma->vm_start, vma->vm_end);
68869 - charged = 0;
68870 - free_vma:
68871 -+
68872 -+#ifdef CONFIG_PAX_SEGMEXEC
68873 -+ if (vma_m)
68874 -+ kmem_cache_free(vm_area_cachep, vma_m);
68875 -+#endif
68876 -+
68877 - kmem_cache_free(vm_area_cachep, vma);
68878 - unacct_error:
68879 - if (charged)
68880 -@@ -1246,6 +1390,10 @@ arch_get_unmapped_area(struct file *filp
68881 - if (flags & MAP_FIXED)
68882 - return addr;
68883 -
68884 -+#ifdef CONFIG_PAX_RANDMMAP
68885 -+ if (!(mm->pax_flags & MF_PAX_RANDMMAP))
68886 -+#endif
68887 -+
68888 - if (addr) {
68889 - addr = PAGE_ALIGN(addr);
68890 - vma = find_vma(mm, addr);
68891 -@@ -1254,10 +1402,10 @@ arch_get_unmapped_area(struct file *filp
68892 - return addr;
68893 - }
68894 - if (len > mm->cached_hole_size) {
68895 -- start_addr = addr = mm->free_area_cache;
68896 -+ start_addr = addr = mm->free_area_cache;
68897 - } else {
68898 -- start_addr = addr = TASK_UNMAPPED_BASE;
68899 -- mm->cached_hole_size = 0;
68900 -+ start_addr = addr = mm->mmap_base;
68901 -+ mm->cached_hole_size = 0;
68902 - }
68903 -
68904 - full_search:
68905 -@@ -1268,9 +1416,8 @@ full_search:
68906 - * Start a new search - just in case we missed
68907 - * some holes.
68908 - */
68909 -- if (start_addr != TASK_UNMAPPED_BASE) {
68910 -- addr = TASK_UNMAPPED_BASE;
68911 -- start_addr = addr;
68912 -+ if (start_addr != mm->mmap_base) {
68913 -+ start_addr = addr = mm->mmap_base;
68914 - mm->cached_hole_size = 0;
68915 - goto full_search;
68916 - }
68917 -@@ -1292,10 +1439,16 @@ full_search:
68918 -
68919 - void arch_unmap_area(struct mm_struct *mm, unsigned long addr)
68920 - {
68921 -+
68922 -+#ifdef CONFIG_PAX_SEGMEXEC
68923 -+ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && SEGMEXEC_TASK_SIZE <= addr)
68924 -+ return;
68925 -+#endif
68926 -+
68927 - /*
68928 - * Is this a new hole at the lowest possible address?
68929 - */
68930 -- if (addr >= TASK_UNMAPPED_BASE && addr < mm->free_area_cache) {
68931 -+ if (addr >= mm->mmap_base && addr < mm->free_area_cache) {
68932 - mm->free_area_cache = addr;
68933 - mm->cached_hole_size = ~0UL;
68934 - }
68935 -@@ -1313,7 +1466,7 @@ arch_get_unmapped_area_topdown(struct fi
68936 - {
68937 - struct vm_area_struct *vma;
68938 - struct mm_struct *mm = current->mm;
68939 -- unsigned long addr = addr0;
68940 -+ unsigned long base = mm->mmap_base, addr = addr0;
68941 -
68942 - /* requested length too big for entire address space */
68943 - if (len > TASK_SIZE)
68944 -@@ -1322,6 +1475,10 @@ arch_get_unmapped_area_topdown(struct fi
68945 - if (flags & MAP_FIXED)
68946 - return addr;
68947 -
68948 -+#ifdef CONFIG_PAX_RANDMMAP
68949 -+ if (!(mm->pax_flags & MF_PAX_RANDMMAP))
68950 -+#endif
68951 -+
68952 - /* requesting a specific address */
68953 - if (addr) {
68954 - addr = PAGE_ALIGN(addr);
68955 -@@ -1379,13 +1536,21 @@ bottomup:
68956 - * can happen with large stack limits and large mmap()
68957 - * allocations.
68958 - */
68959 -+ mm->mmap_base = TASK_UNMAPPED_BASE;
68960 -+
68961 -+#ifdef CONFIG_PAX_RANDMMAP
68962 -+ if (mm->pax_flags & MF_PAX_RANDMMAP)
68963 -+ mm->mmap_base += mm->delta_mmap;
68964 -+#endif
68965 -+
68966 -+ mm->free_area_cache = mm->mmap_base;
68967 - mm->cached_hole_size = ~0UL;
68968 -- mm->free_area_cache = TASK_UNMAPPED_BASE;
68969 - addr = arch_get_unmapped_area(filp, addr0, len, pgoff, flags);
68970 - /*
68971 - * Restore the topdown base:
68972 - */
68973 -- mm->free_area_cache = mm->mmap_base;
68974 -+ mm->mmap_base = base;
68975 -+ mm->free_area_cache = base;
68976 - mm->cached_hole_size = ~0UL;
68977 -
68978 - return addr;
68979 -@@ -1394,6 +1559,12 @@ bottomup:
68980 -
68981 - void arch_unmap_area_topdown(struct mm_struct *mm, unsigned long addr)
68982 - {
68983 -+
68984 -+#ifdef CONFIG_PAX_SEGMEXEC
68985 -+ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && SEGMEXEC_TASK_SIZE <= addr)
68986 -+ return;
68987 -+#endif
68988 -+
68989 - /*
68990 - * Is this a new hole at the highest possible address?
68991 - */
68992 -@@ -1401,8 +1572,10 @@ void arch_unmap_area_topdown(struct mm_s
68993 - mm->free_area_cache = addr;
68994 -
68995 - /* dont allow allocations above current base */
68996 -- if (mm->free_area_cache > mm->mmap_base)
68997 -+ if (mm->free_area_cache > mm->mmap_base) {
68998 - mm->free_area_cache = mm->mmap_base;
68999 -+ mm->cached_hole_size = ~0UL;
69000 -+ }
69001 - }
69002 -
69003 - unsigned long
69004 -@@ -1502,6 +1675,32 @@ out:
69005 - return prev ? prev->vm_next : vma;
69006 - }
69007 -
69008 -+#ifdef CONFIG_PAX_SEGMEXEC
69009 -+struct vm_area_struct *pax_find_mirror_vma(struct vm_area_struct *vma)
69010 -+{
69011 -+ struct vm_area_struct *vma_m;
69012 -+
69013 -+ BUG_ON(!vma || vma->vm_start >= vma->vm_end);
69014 -+ if (!(vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) || !(vma->vm_flags & VM_EXEC)) {
69015 -+ BUG_ON(vma->vm_mirror);
69016 -+ return NULL;
69017 -+ }
69018 -+ BUG_ON(vma->vm_end - SEGMEXEC_TASK_SIZE - 1 < vma->vm_start - SEGMEXEC_TASK_SIZE - 1);
69019 -+ vma_m = vma->vm_mirror;
69020 -+ BUG_ON(!vma_m || vma_m->vm_mirror != vma);
69021 -+ BUG_ON(vma->vm_end - vma->vm_start != vma_m->vm_end - vma_m->vm_start);
69022 -+ BUG_ON(vma->vm_pgoff != vma_m->vm_pgoff || vma->anon_vma != vma_m->anon_vma);
69023 -+
69024 -+#ifdef CONFIG_PAX_MPROTECT
69025 -+ BUG_ON((vma->vm_flags ^ vma_m->vm_flags) & ~(VM_WRITE | VM_MAYWRITE | VM_ACCOUNT | VM_LOCKED | VM_MAYNOTWRITE));
69026 -+#else
69027 -+ BUG_ON((vma->vm_flags ^ vma_m->vm_flags) & ~(VM_WRITE | VM_MAYWRITE | VM_ACCOUNT | VM_LOCKED));
69028 -+#endif
69029 -+
69030 -+ return vma_m;
69031 -+}
69032 -+#endif
69033 -+
69034 - /*
69035 - * Verify that the stack growth is acceptable and
69036 - * update accounting. This is shared with both the
69037 -@@ -1518,6 +1717,7 @@ static int acct_stack_growth(struct vm_a
69038 - return -ENOMEM;
69039 -
69040 - /* Stack limit test */
69041 -+ gr_learn_resource(current, RLIMIT_STACK, size, 1);
69042 - if (size > rlim[RLIMIT_STACK].rlim_cur)
69043 - return -ENOMEM;
69044 -
69045 -@@ -1527,6 +1727,7 @@ static int acct_stack_growth(struct vm_a
69046 - unsigned long limit;
69047 - locked = mm->locked_vm + grow;
69048 - limit = rlim[RLIMIT_MEMLOCK].rlim_cur >> PAGE_SHIFT;
69049 -+ gr_learn_resource(current, RLIMIT_MEMLOCK, locked << PAGE_SHIFT, 1);
69050 - if (locked > limit && !capable(CAP_IPC_LOCK))
69051 - return -ENOMEM;
69052 - }
69053 -@@ -1562,35 +1763,40 @@ static inline
69054 - #endif
69055 - int expand_upwards(struct vm_area_struct *vma, unsigned long address)
69056 - {
69057 -- int error;
69058 -+ int error, locknext;
69059 -
69060 - if (!(vma->vm_flags & VM_GROWSUP))
69061 - return -EFAULT;
69062 -
69063 -+ /* Also guard against wrapping around to address 0. */
69064 -+ if (address < PAGE_ALIGN(address+1))
69065 -+ address = PAGE_ALIGN(address+1);
69066 -+ else
69067 -+ return -ENOMEM;
69068 -+
69069 - /*
69070 - * We must make sure the anon_vma is allocated
69071 - * so that the anon_vma locking is not a noop.
69072 - */
69073 - if (unlikely(anon_vma_prepare(vma)))
69074 - return -ENOMEM;
69075 -+ locknext = vma->vm_next && (vma->vm_next->vm_flags & VM_GROWSDOWN);
69076 -+ if (locknext && unlikely(anon_vma_prepare(vma->vm_next)))
69077 -+ return -ENOMEM;
69078 - anon_vma_lock(vma);
69079 -+ if (locknext)
69080 -+ anon_vma_lock(vma->vm_next);
69081 -
69082 - /*
69083 - * vma->vm_start/vm_end cannot change under us because the caller
69084 - * is required to hold the mmap_sem in read mode. We need the
69085 -- * anon_vma lock to serialize against concurrent expand_stacks.
69086 -- * Also guard against wrapping around to address 0.
69087 -+ * anon_vma locks to serialize against concurrent expand_stacks
69088 -+ * and expand_upwards.
69089 - */
69090 -- if (address < PAGE_ALIGN(address+4))
69091 -- address = PAGE_ALIGN(address+4);
69092 -- else {
69093 -- anon_vma_unlock(vma);
69094 -- return -ENOMEM;
69095 -- }
69096 - error = 0;
69097 -
69098 - /* Somebody else might have raced and expanded it already */
69099 -- if (address > vma->vm_end) {
69100 -+ if (address > vma->vm_end && (!locknext || vma->vm_next->vm_start >= address)) {
69101 - unsigned long size, grow;
69102 -
69103 - size = address - vma->vm_start;
69104 -@@ -1600,6 +1806,8 @@ int expand_upwards(struct vm_area_struct
69105 - if (!error)
69106 - vma->vm_end = address;
69107 - }
69108 -+ if (locknext)
69109 -+ anon_vma_unlock(vma->vm_next);
69110 - anon_vma_unlock(vma);
69111 - return error;
69112 - }
69113 -@@ -1611,7 +1819,8 @@ int expand_upwards(struct vm_area_struct
69114 - static inline int expand_downwards(struct vm_area_struct *vma,
69115 - unsigned long address)
69116 - {
69117 -- int error;
69118 -+ int error, lockprev = 0;
69119 -+ struct vm_area_struct *prev = NULL;
69120 -
69121 - /*
69122 - * We must make sure the anon_vma is allocated
69123 -@@ -1625,6 +1834,15 @@ static inline int expand_downwards(struc
69124 - if (error)
69125 - return error;
69126 -
69127 -+#if defined(CONFIG_STACK_GROWSUP) || defined(CONFIG_IA64)
69128 -+ find_vma_prev(address, &prev);
69129 -+ lockprev = prev && (prev->vm_flags & VM_GROWSUP);
69130 -+#endif
69131 -+ if (lockprev && unlikely(anon_vma_prepare(prev)))
69132 -+ return -ENOMEM;
69133 -+ if (lockprev)
69134 -+ anon_vma_lock(prev);
69135 -+
69136 - anon_vma_lock(vma);
69137 -
69138 - /*
69139 -@@ -1634,9 +1852,15 @@ static inline int expand_downwards(struc
69140 - */
69141 -
69142 - /* Somebody else might have raced and expanded it already */
69143 -- if (address < vma->vm_start) {
69144 -+ if (address < vma->vm_start && (!lockprev || prev->vm_end <= address)) {
69145 - unsigned long size, grow;
69146 -
69147 -+#ifdef CONFIG_PAX_SEGMEXEC
69148 -+ struct vm_area_struct *vma_m;
69149 -+
69150 -+ vma_m = pax_find_mirror_vma(vma);
69151 -+#endif
69152 -+
69153 - size = vma->vm_end - address;
69154 - grow = (vma->vm_start - address) >> PAGE_SHIFT;
69155 -
69156 -@@ -1644,9 +1868,20 @@ static inline int expand_downwards(struc
69157 - if (!error) {
69158 - vma->vm_start = address;
69159 - vma->vm_pgoff -= grow;
69160 -+ track_exec_limit(vma->vm_mm, vma->vm_start, vma->vm_end, vma->vm_flags);
69161 -+
69162 -+#ifdef CONFIG_PAX_SEGMEXEC
69163 -+ if (vma_m) {
69164 -+ vma_m->vm_start -= grow << PAGE_SHIFT;
69165 -+ vma_m->vm_pgoff -= grow;
69166 -+ }
69167 -+#endif
69168 -+
69169 - }
69170 - }
69171 - anon_vma_unlock(vma);
69172 -+ if (lockprev)
69173 -+ anon_vma_unlock(prev);
69174 - return error;
69175 - }
69176 -
69177 -@@ -1718,6 +1953,13 @@ static void remove_vma_list(struct mm_st
69178 - do {
69179 - long nrpages = vma_pages(vma);
69180 -
69181 -+#ifdef CONFIG_PAX_SEGMEXEC
69182 -+ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_start >= SEGMEXEC_TASK_SIZE)) {
69183 -+ vma = remove_vma(vma);
69184 -+ continue;
69185 -+ }
69186 -+#endif
69187 -+
69188 - mm->total_vm -= nrpages;
69189 - if (vma->vm_flags & VM_LOCKED)
69190 - mm->locked_vm -= nrpages;
69191 -@@ -1764,6 +2006,16 @@ detach_vmas_to_be_unmapped(struct mm_str
69192 -
69193 - insertion_point = (prev ? &prev->vm_next : &mm->mmap);
69194 - do {
69195 -+
69196 -+#ifdef CONFIG_PAX_SEGMEXEC
69197 -+ if (vma->vm_mirror) {
69198 -+ BUG_ON(!vma->vm_mirror->vm_mirror || vma->vm_mirror->vm_mirror != vma);
69199 -+ vma->vm_mirror->vm_mirror = NULL;
69200 -+ vma->vm_mirror->vm_flags &= ~VM_EXEC;
69201 -+ vma->vm_mirror = NULL;
69202 -+ }
69203 -+#endif
69204 -+
69205 - rb_erase(&vma->vm_rb, &mm->mm_rb);
69206 - mm->map_count--;
69207 - tail_vma = vma;
69208 -@@ -1783,6 +2035,112 @@ detach_vmas_to_be_unmapped(struct mm_str
69209 - * Split a vma into two pieces at address 'addr', a new vma is allocated
69210 - * either for the first part or the tail.
69211 - */
69212 -+
69213 -+#ifdef CONFIG_PAX_SEGMEXEC
69214 -+int split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
69215 -+ unsigned long addr, int new_below)
69216 -+{
69217 -+ struct mempolicy *pol, *pol_m;
69218 -+ struct vm_area_struct *new, *vma_m, *new_m = NULL;
69219 -+ unsigned long addr_m = addr + SEGMEXEC_TASK_SIZE;
69220 -+
69221 -+ if (is_vm_hugetlb_page(vma) && (addr & ~HPAGE_MASK))
69222 -+ return -EINVAL;
69223 -+
69224 -+ vma_m = pax_find_mirror_vma(vma);
69225 -+ if (vma_m) {
69226 -+ BUG_ON(vma->vm_end > SEGMEXEC_TASK_SIZE);
69227 -+ if (mm->map_count >= sysctl_max_map_count-1)
69228 -+ return -ENOMEM;
69229 -+ } else if (mm->map_count >= sysctl_max_map_count)
69230 -+ return -ENOMEM;
69231 -+
69232 -+ new = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
69233 -+ if (!new)
69234 -+ return -ENOMEM;
69235 -+
69236 -+ if (vma_m) {
69237 -+ new_m = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
69238 -+ if (!new_m) {
69239 -+ kmem_cache_free(vm_area_cachep, new);
69240 -+ return -ENOMEM;
69241 -+ }
69242 -+ }
69243 -+
69244 -+ /* most fields are the same, copy all, and then fixup */
69245 -+ *new = *vma;
69246 -+
69247 -+ if (new_below)
69248 -+ new->vm_end = addr;
69249 -+ else {
69250 -+ new->vm_start = addr;
69251 -+ new->vm_pgoff += ((addr - vma->vm_start) >> PAGE_SHIFT);
69252 -+ }
69253 -+
69254 -+ if (vma_m) {
69255 -+ *new_m = *vma_m;
69256 -+ new_m->vm_mirror = new;
69257 -+ new->vm_mirror = new_m;
69258 -+
69259 -+ if (new_below)
69260 -+ new_m->vm_end = addr_m;
69261 -+ else {
69262 -+ new_m->vm_start = addr_m;
69263 -+ new_m->vm_pgoff += ((addr_m - vma_m->vm_start) >> PAGE_SHIFT);
69264 -+ }
69265 -+ }
69266 -+
69267 -+ pol = mpol_copy(vma_policy(vma));
69268 -+ if (IS_ERR(pol)) {
69269 -+ if (new_m)
69270 -+ kmem_cache_free(vm_area_cachep, new_m);
69271 -+ kmem_cache_free(vm_area_cachep, new);
69272 -+ return PTR_ERR(pol);
69273 -+ }
69274 -+
69275 -+ if (vma_m) {
69276 -+ pol_m = mpol_copy(vma_policy(vma_m));
69277 -+ if (IS_ERR(pol_m)) {
69278 -+ mpol_free(pol);
69279 -+ kmem_cache_free(vm_area_cachep, new_m);
69280 -+ kmem_cache_free(vm_area_cachep, new);
69281 -+ return PTR_ERR(pol);
69282 -+ }
69283 -+ }
69284 -+
69285 -+ vma_set_policy(new, pol);
69286 -+
69287 -+ if (new->vm_file)
69288 -+ get_file(new->vm_file);
69289 -+
69290 -+ if (new->vm_ops && new->vm_ops->open)
69291 -+ new->vm_ops->open(new);
69292 -+
69293 -+ if (new_below)
69294 -+ vma_adjust(vma, addr, vma->vm_end, vma->vm_pgoff +
69295 -+ ((addr - new->vm_start) >> PAGE_SHIFT), new);
69296 -+ else
69297 -+ vma_adjust(vma, vma->vm_start, addr, vma->vm_pgoff, new);
69298 -+
69299 -+ if (vma_m) {
69300 -+ vma_set_policy(new_m, pol_m);
69301 -+
69302 -+ if (new_m->vm_file)
69303 -+ get_file(new_m->vm_file);
69304 -+
69305 -+ if (new_m->vm_ops && new_m->vm_ops->open)
69306 -+ new_m->vm_ops->open(new_m);
69307 -+
69308 -+ if (new_below)
69309 -+ vma_adjust(vma_m, addr_m, vma_m->vm_end, vma_m->vm_pgoff +
69310 -+ ((addr_m - new_m->vm_start) >> PAGE_SHIFT), new_m);
69311 -+ else
69312 -+ vma_adjust(vma_m, vma_m->vm_start, addr_m, vma_m->vm_pgoff, new_m);
69313 -+ }
69314 -+
69315 -+ return 0;
69316 -+}
69317 -+#else
69318 - int split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
69319 - unsigned long addr, int new_below)
69320 - {
69321 -@@ -1830,17 +2188,37 @@ int split_vma(struct mm_struct * mm, str
69322 -
69323 - return 0;
69324 - }
69325 -+#endif
69326 -
69327 - /* Munmap is split into 2 main parts -- this part which finds
69328 - * what needs doing, and the areas themselves, which do the
69329 - * work. This now handles partial unmappings.
69330 - * Jeremy Fitzhardinge <jeremy@××××.org>
69331 - */
69332 -+#ifdef CONFIG_PAX_SEGMEXEC
69333 - int do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
69334 - {
69335 -+ int ret = __do_munmap(mm, start, len);
69336 -+ if (ret || !(mm->pax_flags & MF_PAX_SEGMEXEC))
69337 -+ return ret;
69338 -+
69339 -+ return __do_munmap(mm, start + SEGMEXEC_TASK_SIZE, len);
69340 -+}
69341 -+
69342 -+int __do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
69343 -+#else
69344 -+int do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
69345 -+#endif
69346 -+{
69347 - unsigned long end;
69348 - struct vm_area_struct *vma, *prev, *last;
69349 -
69350 -+ /*
69351 -+ * mm->mmap_sem is required to protect against another thread
69352 -+ * changing the mappings in case we sleep.
69353 -+ */
69354 -+ verify_mm_writelocked(mm);
69355 -+
69356 - if ((start & ~PAGE_MASK) || start > TASK_SIZE || len > TASK_SIZE-start)
69357 - return -EINVAL;
69358 -
69359 -@@ -1890,6 +2268,8 @@ int do_munmap(struct mm_struct *mm, unsi
69360 - /* Fix up all other VM information */
69361 - remove_vma_list(mm, vma);
69362 -
69363 -+ track_exec_limit(mm, start, end, 0UL);
69364 -+
69365 - return 0;
69366 - }
69367 -
69368 -@@ -1902,22 +2282,18 @@ asmlinkage long sys_munmap(unsigned long
69369 -
69370 - profile_munmap(addr);
69371 -
69372 -+#ifdef CONFIG_PAX_SEGMEXEC
69373 -+ if ((mm->pax_flags & MF_PAX_SEGMEXEC) &&
69374 -+ (len > SEGMEXEC_TASK_SIZE || addr > SEGMEXEC_TASK_SIZE-len))
69375 -+ return -EINVAL;
69376 -+#endif
69377 -+
69378 - down_write(&mm->mmap_sem);
69379 - ret = do_munmap(mm, addr, len);
69380 - up_write(&mm->mmap_sem);
69381 - return ret;
69382 - }
69383 -
69384 --static inline void verify_mm_writelocked(struct mm_struct *mm)
69385 --{
69386 --#ifdef CONFIG_DEBUG_VM
69387 -- if (unlikely(down_read_trylock(&mm->mmap_sem))) {
69388 -- WARN_ON(1);
69389 -- up_read(&mm->mmap_sem);
69390 -- }
69391 --#endif
69392 --}
69393 --
69394 - /*
69395 - * this is really a simplified "do_mmap". it only handles
69396 - * anonymous maps. eventually we may be able to do some
69397 -@@ -1931,6 +2307,11 @@ unsigned long do_brk(unsigned long addr,
69398 - struct rb_node ** rb_link, * rb_parent;
69399 - pgoff_t pgoff = addr >> PAGE_SHIFT;
69400 - int error;
69401 -+ unsigned long charged;
69402 -+
69403 -+#ifdef CONFIG_PAX_SEGMEXEC
69404 -+ struct vm_area_struct *vma_m = NULL;
69405 -+#endif
69406 -
69407 - len = PAGE_ALIGN(len);
69408 - if (!len)
69409 -@@ -1948,19 +2329,34 @@ unsigned long do_brk(unsigned long addr,
69410 -
69411 - flags = VM_DATA_DEFAULT_FLAGS | VM_ACCOUNT | mm->def_flags;
69412 -
69413 -+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
69414 -+ if (mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
69415 -+ flags &= ~VM_EXEC;
69416 -+
69417 -+#ifdef CONFIG_PAX_MPROTECT
69418 -+ if (mm->pax_flags & MF_PAX_MPROTECT)
69419 -+ flags &= ~VM_MAYEXEC;
69420 -+#endif
69421 -+
69422 -+ }
69423 -+#endif
69424 -+
69425 - error = arch_mmap_check(addr, len, flags);
69426 - if (error)
69427 - return error;
69428 -
69429 -+ charged = len >> PAGE_SHIFT;
69430 -+
69431 - /*
69432 - * mlock MCL_FUTURE?
69433 - */
69434 - if (mm->def_flags & VM_LOCKED) {
69435 - unsigned long locked, lock_limit;
69436 -- locked = len >> PAGE_SHIFT;
69437 -+ locked = charged;
69438 - locked += mm->locked_vm;
69439 - lock_limit = current->signal->rlim[RLIMIT_MEMLOCK].rlim_cur;
69440 - lock_limit >>= PAGE_SHIFT;
69441 -+ gr_learn_resource(current, RLIMIT_MEMLOCK, locked << PAGE_SHIFT, 1);
69442 - if (locked > lock_limit && !capable(CAP_IPC_LOCK))
69443 - return -EAGAIN;
69444 - }
69445 -@@ -1974,22 +2370,22 @@ unsigned long do_brk(unsigned long addr,
69446 - /*
69447 - * Clear old maps. this also does some error checking for us
69448 - */
69449 -- munmap_back:
69450 - vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
69451 - if (vma && vma->vm_start < addr + len) {
69452 - if (do_munmap(mm, addr, len))
69453 - return -ENOMEM;
69454 -- goto munmap_back;
69455 -+ vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
69456 -+ BUG_ON(vma && vma->vm_start < addr + len);
69457 - }
69458 -
69459 - /* Check against address space limits *after* clearing old maps... */
69460 -- if (!may_expand_vm(mm, len >> PAGE_SHIFT))
69461 -+ if (!may_expand_vm(mm, charged))
69462 - return -ENOMEM;
69463 -
69464 - if (mm->map_count > sysctl_max_map_count)
69465 - return -ENOMEM;
69466 -
69467 -- if (security_vm_enough_memory(len >> PAGE_SHIFT))
69468 -+ if (security_vm_enough_memory(charged))
69469 - return -ENOMEM;
69470 -
69471 - /* Can we just expand an old private anonymous mapping? */
69472 -@@ -2002,24 +2398,41 @@ unsigned long do_brk(unsigned long addr,
69473 - */
69474 - vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
69475 - if (!vma) {
69476 -- vm_unacct_memory(len >> PAGE_SHIFT);
69477 -+ vm_unacct_memory(charged);
69478 - return -ENOMEM;
69479 - }
69480 -
69481 -+#ifdef CONFIG_PAX_SEGMEXEC
69482 -+ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (flags & VM_EXEC)) {
69483 -+ vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
69484 -+ if (!vma_m) {
69485 -+ kmem_cache_free(vm_area_cachep, vma);
69486 -+ vm_unacct_memory(charged);
69487 -+ return -ENOMEM;
69488 -+ }
69489 -+ }
69490 -+#endif
69491 -+
69492 - vma->vm_mm = mm;
69493 - vma->vm_start = addr;
69494 - vma->vm_end = addr + len;
69495 - vma->vm_pgoff = pgoff;
69496 - vma->vm_flags = flags;
69497 -- vma->vm_page_prot = protection_map[flags &
69498 -- (VM_READ|VM_WRITE|VM_EXEC|VM_SHARED)];
69499 -+ vma->vm_page_prot = vm_get_page_prot(flags);
69500 - vma_link(mm, vma, prev, rb_link, rb_parent);
69501 -+
69502 -+#ifdef CONFIG_PAX_SEGMEXEC
69503 -+ if (vma_m)
69504 -+ pax_mirror_vma(vma_m, vma);
69505 -+#endif
69506 -+
69507 - out:
69508 -- mm->total_vm += len >> PAGE_SHIFT;
69509 -+ mm->total_vm += charged;
69510 - if (flags & VM_LOCKED) {
69511 -- mm->locked_vm += len >> PAGE_SHIFT;
69512 -+ mm->locked_vm += charged;
69513 - make_pages_present(addr, addr + len);
69514 - }
69515 -+ track_exec_limit(mm, addr, addr + len, flags);
69516 - return addr;
69517 - }
69518 -
69519 -@@ -2050,8 +2463,10 @@ void exit_mmap(struct mm_struct *mm)
69520 - * Walk the list again, actually closing and freeing it,
69521 - * with preemption enabled, without holding any MM locks.
69522 - */
69523 -- while (vma)
69524 -+ while (vma) {
69525 -+ vma->vm_mirror = NULL;
69526 - vma = remove_vma(vma);
69527 -+ }
69528 -
69529 - BUG_ON(mm->nr_ptes > (FIRST_USER_ADDRESS+PMD_SIZE-1)>>PMD_SHIFT);
69530 - }
69531 -@@ -2065,6 +2480,10 @@ int insert_vm_struct(struct mm_struct *
69532 - struct vm_area_struct * __vma, * prev;
69533 - struct rb_node ** rb_link, * rb_parent;
69534 -
69535 -+#ifdef CONFIG_PAX_SEGMEXEC
69536 -+ struct vm_area_struct *vma_m = NULL;
69537 -+#endif
69538 -+
69539 - /*
69540 - * The vm_pgoff of a purely anonymous vma should be irrelevant
69541 - * until its first write fault, when page's anon_vma and index
69542 -@@ -2087,7 +2506,22 @@ int insert_vm_struct(struct mm_struct *
69543 - if ((vma->vm_flags & VM_ACCOUNT) &&
69544 - security_vm_enough_memory_mm(mm, vma_pages(vma)))
69545 - return -ENOMEM;
69546 -+
69547 -+#ifdef CONFIG_PAX_SEGMEXEC
69548 -+ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_flags & VM_EXEC)) {
69549 -+ vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
69550 -+ if (!vma_m)
69551 -+ return -ENOMEM;
69552 -+ }
69553 -+#endif
69554 -+
69555 - vma_link(mm, vma, prev, rb_link, rb_parent);
69556 -+
69557 -+#ifdef CONFIG_PAX_SEGMEXEC
69558 -+ if (vma_m)
69559 -+ pax_mirror_vma(vma_m, vma);
69560 -+#endif
69561 -+
69562 - return 0;
69563 - }
69564 -
69565 -@@ -2145,6 +2579,30 @@ struct vm_area_struct *copy_vma(struct v
69566 - return new_vma;
69567 - }
69568 -
69569 -+#ifdef CONFIG_PAX_SEGMEXEC
69570 -+void pax_mirror_vma(struct vm_area_struct *vma_m, struct vm_area_struct *vma)
69571 -+{
69572 -+ struct vm_area_struct *prev_m;
69573 -+ struct rb_node **rb_link_m, *rb_parent_m;
69574 -+
69575 -+ BUG_ON(!(vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) || !(vma->vm_flags & VM_EXEC));
69576 -+ BUG_ON(vma->vm_mirror || vma_m->vm_mirror || vma_policy(vma));
69577 -+ *vma_m = *vma;
69578 -+ vma_m->vm_start += SEGMEXEC_TASK_SIZE;
69579 -+ vma_m->vm_end += SEGMEXEC_TASK_SIZE;
69580 -+ vma_m->vm_flags &= ~(VM_WRITE | VM_MAYWRITE | VM_ACCOUNT | VM_LOCKED);
69581 -+ vma_m->vm_page_prot = vm_get_page_prot(vma_m->vm_flags);
69582 -+ if (vma_m->vm_file)
69583 -+ get_file(vma_m->vm_file);
69584 -+ if (vma_m->vm_ops && vma_m->vm_ops->open)
69585 -+ vma_m->vm_ops->open(vma_m);
69586 -+ find_vma_prepare(vma->vm_mm, vma_m->vm_start, &prev_m, &rb_link_m, &rb_parent_m);
69587 -+ vma_link(vma->vm_mm, vma_m, prev_m, rb_link_m, rb_parent_m);
69588 -+ vma_m->vm_mirror = vma;
69589 -+ vma->vm_mirror = vma_m;
69590 -+}
69591 -+#endif
69592 -+
69593 - /*
69594 - * Return true if the calling process may expand its vm space by the passed
69595 - * number of pages
69596 -@@ -2155,7 +2613,7 @@ int may_expand_vm(struct mm_struct *mm,
69597 - unsigned long lim;
69598 -
69599 - lim = current->signal->rlim[RLIMIT_AS].rlim_cur >> PAGE_SHIFT;
69600 --
69601 -+ gr_learn_resource(current, RLIMIT_AS, (cur + npages) << PAGE_SHIFT, 1);
69602 - if (cur + npages > lim)
69603 - return 0;
69604 - return 1;
69605 -@@ -2167,7 +2625,7 @@ static struct page *special_mapping_nopa
69606 - {
69607 - struct page **pages;
69608 -
69609 -- BUG_ON(address < vma->vm_start || address >= vma->vm_end);
69610 -+ BUG_ON(address < vma->vm_start || address >= vma->vm_end || (address & ~PAGE_MASK));
69611 -
69612 - address -= vma->vm_start;
69613 - for (pages = vma->vm_private_data; address > 0 && *pages; ++pages)
69614 -@@ -2217,8 +2675,17 @@ int install_special_mapping(struct mm_st
69615 - vma->vm_start = addr;
69616 - vma->vm_end = addr + len;
69617 -
69618 -+#ifdef CONFIG_PAX_MPROTECT
69619 -+ if (mm->pax_flags & MF_PAX_MPROTECT) {
69620 -+ if ((vm_flags & (VM_WRITE | VM_EXEC)) != VM_EXEC)
69621 -+ vm_flags &= ~(VM_EXEC | VM_MAYEXEC);
69622 -+ else
69623 -+ vm_flags &= ~(VM_WRITE | VM_MAYWRITE);
69624 -+ }
69625 -+#endif
69626 -+
69627 - vma->vm_flags = vm_flags | mm->def_flags | VM_DONTEXPAND;
69628 -- vma->vm_page_prot = protection_map[vma->vm_flags & 7];
69629 -+ vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
69630 -
69631 - vma->vm_ops = &special_mapping_vmops;
69632 - vma->vm_private_data = pages;
69633 -diff -Nurp linux-2.6.23.15/mm/mprotect.c linux-2.6.23.15-grsec/mm/mprotect.c
69634 ---- linux-2.6.23.15/mm/mprotect.c 2007-10-09 21:31:38.000000000 +0100
69635 -+++ linux-2.6.23.15-grsec/mm/mprotect.c 2008-02-11 10:37:45.000000000 +0000
69636 -@@ -21,10 +21,17 @@
69637 - #include <linux/syscalls.h>
69638 - #include <linux/swap.h>
69639 - #include <linux/swapops.h>
69640 -+#include <linux/grsecurity.h>
69641 -+
69642 -+#ifdef CONFIG_PAX_MPROTECT
69643 -+#include <linux/elf.h>
69644 -+#endif
69645 -+
69646 - #include <asm/uaccess.h>
69647 - #include <asm/pgtable.h>
69648 - #include <asm/cacheflush.h>
69649 - #include <asm/tlbflush.h>
69650 -+#include <asm/mmu_context.h>
69651 -
69652 - static void change_pte_range(struct mm_struct *mm, pmd_t *pmd,
69653 - unsigned long addr, unsigned long end, pgprot_t newprot,
69654 -@@ -128,6 +135,48 @@ static void change_protection(struct vm_
69655 - flush_tlb_range(vma, start, end);
69656 - }
69657 -
69658 -+#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
69659 -+/* called while holding the mmap semaphor for writing except stack expansion */
69660 -+void track_exec_limit(struct mm_struct *mm, unsigned long start, unsigned long end, unsigned long prot)
69661 -+{
69662 -+ unsigned long oldlimit, newlimit = 0UL;
69663 -+
69664 -+ if (!(mm->pax_flags & MF_PAX_PAGEEXEC) || nx_enabled)
69665 -+ return;
69666 -+
69667 -+ spin_lock(&mm->page_table_lock);
69668 -+ oldlimit = mm->context.user_cs_limit;
69669 -+ if ((prot & VM_EXEC) && oldlimit < end)
69670 -+ /* USER_CS limit moved up */
69671 -+ newlimit = end;
69672 -+ else if (!(prot & VM_EXEC) && start < oldlimit && oldlimit <= end)
69673 -+ /* USER_CS limit moved down */
69674 -+ newlimit = start;
69675 -+
69676 -+ if (newlimit) {
69677 -+ mm->context.user_cs_limit = newlimit;
69678 -+
69679 -+#ifdef CONFIG_SMP
69680 -+ wmb();
69681 -+ cpus_clear(mm->context.cpu_user_cs_mask);
69682 -+ cpu_set(smp_processor_id(), mm->context.cpu_user_cs_mask);
69683 -+#endif
69684 -+
69685 -+ set_user_cs(mm->context.user_cs_base, mm->context.user_cs_limit, smp_processor_id());
69686 -+ }
69687 -+ spin_unlock(&mm->page_table_lock);
69688 -+ if (newlimit == end) {
69689 -+ struct vm_area_struct *vma = find_vma(mm, oldlimit);
69690 -+
69691 -+ for (; vma && vma->vm_start < end; vma = vma->vm_next)
69692 -+ if (is_vm_hugetlb_page(vma))
69693 -+ hugetlb_change_protection(vma, vma->vm_start, vma->vm_end, vma->vm_page_prot);
69694 -+ else
69695 -+ change_protection(vma, vma->vm_start, vma->vm_end, vma->vm_page_prot, vma_wants_writenotify(vma));
69696 -+ }
69697 -+}
69698 -+#endif
69699 -+
69700 - int
69701 - mprotect_fixup(struct vm_area_struct *vma, struct vm_area_struct **pprev,
69702 - unsigned long start, unsigned long end, unsigned long newflags)
69703 -@@ -140,11 +189,39 @@ mprotect_fixup(struct vm_area_struct *vm
69704 - int error;
69705 - int dirty_accountable = 0;
69706 -
69707 -+#ifdef CONFIG_PAX_SEGMEXEC
69708 -+ struct vm_area_struct *vma_m = NULL;
69709 -+ unsigned long start_m, end_m;
69710 -+
69711 -+ start_m = start + SEGMEXEC_TASK_SIZE;
69712 -+ end_m = end + SEGMEXEC_TASK_SIZE;
69713 -+#endif
69714 -+
69715 - if (newflags == oldflags) {
69716 - *pprev = vma;
69717 - return 0;
69718 - }
69719 -
69720 -+#ifdef CONFIG_PAX_SEGMEXEC
69721 -+ if (pax_find_mirror_vma(vma) && !(newflags & VM_EXEC)) {
69722 -+ if (start != vma->vm_start) {
69723 -+ error = split_vma(mm, vma, start, 1);
69724 -+ if (error)
69725 -+ return -ENOMEM;
69726 -+ }
69727 -+
69728 -+ if (end != vma->vm_end) {
69729 -+ error = split_vma(mm, vma, end, 0);
69730 -+ if (error)
69731 -+ return -ENOMEM;
69732 -+ }
69733 -+
69734 -+ error = __do_munmap(mm, start_m, end_m - start_m);
69735 -+ if (error)
69736 -+ return -ENOMEM;
69737 -+ }
69738 -+#endif
69739 -+
69740 - /*
69741 - * If we make a private mapping writable we increase our commit;
69742 - * but (without finer accounting) cannot reduce our commit if we
69743 -@@ -187,17 +264,25 @@ mprotect_fixup(struct vm_area_struct *vm
69744 - goto fail;
69745 - }
69746 -
69747 -+#ifdef CONFIG_PAX_SEGMEXEC
69748 -+ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && !(oldflags & VM_EXEC) && (newflags & VM_EXEC)) {
69749 -+ vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
69750 -+ if (!vma_m) {
69751 -+ error = -ENOMEM;
69752 -+ goto fail;
69753 -+ }
69754 -+ }
69755 -+#endif
69756 -+
69757 - success:
69758 - /*
69759 - * vm_flags and vm_page_prot are protected by the mmap_sem
69760 - * held in write mode.
69761 - */
69762 - vma->vm_flags = newflags;
69763 -- vma->vm_page_prot = protection_map[newflags &
69764 -- (VM_READ|VM_WRITE|VM_EXEC|VM_SHARED)];
69765 -+ vma->vm_page_prot = vm_get_page_prot(newflags);
69766 - if (vma_wants_writenotify(vma)) {
69767 -- vma->vm_page_prot = protection_map[newflags &
69768 -- (VM_READ|VM_WRITE|VM_EXEC)];
69769 -+ vma->vm_page_prot = vm_get_page_prot(newflags & ~VM_SHARED);
69770 - dirty_accountable = 1;
69771 - }
69772 -
69773 -@@ -205,6 +290,12 @@ success:
69774 - hugetlb_change_protection(vma, start, end, vma->vm_page_prot);
69775 - else
69776 - change_protection(vma, start, end, vma->vm_page_prot, dirty_accountable);
69777 -+
69778 -+#ifdef CONFIG_PAX_SEGMEXEC
69779 -+ if (vma_m)
69780 -+ pax_mirror_vma(vma_m, vma);
69781 -+#endif
69782 -+
69783 - vm_stat_account(mm, oldflags, vma->vm_file, -nrpages);
69784 - vm_stat_account(mm, newflags, vma->vm_file, nrpages);
69785 - return 0;
69786 -@@ -214,6 +305,70 @@ fail:
69787 - return error;
69788 - }
69789 -
69790 -+#ifdef CONFIG_PAX_MPROTECT
69791 -+/* PaX: non-PIC ELF libraries need relocations on their executable segments
69792 -+ * therefore we'll grant them VM_MAYWRITE once during their life.
69793 -+ *
69794 -+ * The checks favour ld-linux.so behaviour which operates on a per ELF segment
69795 -+ * basis because we want to allow the common case and not the special ones.
69796 -+ */
69797 -+static inline void pax_handle_maywrite(struct vm_area_struct *vma, unsigned long start)
69798 -+{
69799 -+ struct elfhdr elf_h;
69800 -+ struct elf_phdr elf_p;
69801 -+ elf_addr_t dyn_offset = 0UL;
69802 -+ elf_dyn dyn;
69803 -+ unsigned long i, j = 65536UL / sizeof(struct elf_phdr);
69804 -+
69805 -+#ifndef CONFIG_PAX_NOELFRELOCS
69806 -+ if ((vma->vm_start != start) ||
69807 -+ !vma->vm_file ||
69808 -+ !(vma->vm_flags & VM_MAYEXEC) ||
69809 -+ (vma->vm_flags & VM_MAYNOTWRITE))
69810 -+#endif
69811 -+
69812 -+ return;
69813 -+
69814 -+ if (sizeof(elf_h) != kernel_read(vma->vm_file, 0UL, (char *)&elf_h, sizeof(elf_h)) ||
69815 -+ memcmp(elf_h.e_ident, ELFMAG, SELFMAG) ||
69816 -+
69817 -+#ifdef CONFIG_PAX_ETEXECRELOCS
69818 -+ (elf_h.e_type != ET_DYN && elf_h.e_type != ET_EXEC) ||
69819 -+#else
69820 -+ elf_h.e_type != ET_DYN ||
69821 -+#endif
69822 -+
69823 -+ !elf_check_arch(&elf_h) ||
69824 -+ elf_h.e_phentsize != sizeof(struct elf_phdr) ||
69825 -+ elf_h.e_phnum > j)
69826 -+ return;
69827 -+
69828 -+ for (i = 0UL; i < elf_h.e_phnum; i++) {
69829 -+ if (sizeof(elf_p) != kernel_read(vma->vm_file, elf_h.e_phoff + i*sizeof(elf_p), (char *)&elf_p, sizeof(elf_p)))
69830 -+ return;
69831 -+ if (elf_p.p_type == PT_DYNAMIC) {
69832 -+ dyn_offset = elf_p.p_offset;
69833 -+ j = i;
69834 -+ }
69835 -+ }
69836 -+ if (elf_h.e_phnum <= j)
69837 -+ return;
69838 -+
69839 -+ i = 0UL;
69840 -+ do {
69841 -+ if (sizeof(dyn) != kernel_read(vma->vm_file, dyn_offset + i*sizeof(dyn), (char *)&dyn, sizeof(dyn)))
69842 -+ return;
69843 -+ if (dyn.d_tag == DT_TEXTREL || (dyn.d_tag == DT_FLAGS && (dyn.d_un.d_val & DF_TEXTREL))) {
69844 -+ vma->vm_flags |= VM_MAYWRITE | VM_MAYNOTWRITE;
69845 -+ gr_log_textrel(vma);
69846 -+ return;
69847 -+ }
69848 -+ i++;
69849 -+ } while (dyn.d_tag != DT_NULL);
69850 -+ return;
69851 -+}
69852 -+#endif
69853 -+
69854 - asmlinkage long
69855 - sys_mprotect(unsigned long start, size_t len, unsigned long prot)
69856 - {
69857 -@@ -233,6 +388,17 @@ sys_mprotect(unsigned long start, size_t
69858 - end = start + len;
69859 - if (end <= start)
69860 - return -ENOMEM;
69861 -+
69862 -+#ifdef CONFIG_PAX_SEGMEXEC
69863 -+ if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
69864 -+ if (end > SEGMEXEC_TASK_SIZE)
69865 -+ return -EINVAL;
69866 -+ } else
69867 -+#endif
69868 -+
69869 -+ if (end > TASK_SIZE)
69870 -+ return -EINVAL;
69871 -+
69872 - if (prot & ~(PROT_READ | PROT_WRITE | PROT_EXEC | PROT_SEM))
69873 - return -EINVAL;
69874 -
69875 -@@ -240,7 +406,7 @@ sys_mprotect(unsigned long start, size_t
69876 - /*
69877 - * Does the application expect PROT_READ to imply PROT_EXEC:
69878 - */
69879 -- if ((prot & PROT_READ) && (current->personality & READ_IMPLIES_EXEC))
69880 -+ if ((prot & (PROT_READ | PROT_WRITE)) && (current->personality & READ_IMPLIES_EXEC))
69881 - prot |= PROT_EXEC;
69882 -
69883 - vm_flags = calc_vm_prot_bits(prot);
69884 -@@ -272,6 +438,16 @@ sys_mprotect(unsigned long start, size_t
69885 - if (start > vma->vm_start)
69886 - prev = vma;
69887 -
69888 -+ if (!gr_acl_handle_mprotect(vma->vm_file, prot)) {
69889 -+ error = -EACCES;
69890 -+ goto out;
69891 -+ }
69892 -+
69893 -+#ifdef CONFIG_PAX_MPROTECT
69894 -+ if ((vma->vm_mm->pax_flags & MF_PAX_MPROTECT) && (prot & PROT_WRITE))
69895 -+ pax_handle_maywrite(vma, start);
69896 -+#endif
69897 -+
69898 - for (nstart = start ; ; ) {
69899 - unsigned long newflags;
69900 -
69901 -@@ -285,6 +461,12 @@ sys_mprotect(unsigned long start, size_t
69902 - goto out;
69903 - }
69904 -
69905 -+#ifdef CONFIG_PAX_MPROTECT
69906 -+ /* PaX: disallow write access after relocs are done, hopefully noone else needs it... */
69907 -+ if ((vma->vm_mm->pax_flags & MF_PAX_MPROTECT) && !(prot & PROT_WRITE) && (vma->vm_flags & VM_MAYNOTWRITE))
69908 -+ newflags &= ~VM_MAYWRITE;
69909 -+#endif
69910 -+
69911 - error = security_file_mprotect(vma, reqprot, prot);
69912 - if (error)
69913 - goto out;
69914 -@@ -295,6 +477,9 @@ sys_mprotect(unsigned long start, size_t
69915 - error = mprotect_fixup(vma, &prev, nstart, tmp, newflags);
69916 - if (error)
69917 - goto out;
69918 -+
69919 -+ track_exec_limit(current->mm, nstart, tmp, vm_flags);
69920 -+
69921 - nstart = tmp;
69922 -
69923 - if (nstart < prev->vm_end)
69924 -diff -Nurp linux-2.6.23.15/mm/mremap.c linux-2.6.23.15-grsec/mm/mremap.c
69925 ---- linux-2.6.23.15/mm/mremap.c 2007-10-09 21:31:38.000000000 +0100
69926 -+++ linux-2.6.23.15-grsec/mm/mremap.c 2008-02-11 10:37:45.000000000 +0000
69927 -@@ -106,6 +106,12 @@ static void move_ptes(struct vm_area_str
69928 - continue;
69929 - pte = ptep_clear_flush(vma, old_addr, old_pte);
69930 - pte = move_pte(pte, new_vma->vm_page_prot, old_addr, new_addr);
69931 -+
69932 -+#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
69933 -+ if (!nx_enabled && (new_vma->vm_flags & (VM_PAGEEXEC | VM_EXEC)) == VM_PAGEEXEC)
69934 -+ pte = pte_exprotect(pte);
69935 -+#endif
69936 -+
69937 - set_pte_at(mm, new_addr, new_pte, pte);
69938 - }
69939 -
69940 -@@ -254,6 +260,7 @@ unsigned long do_mremap(unsigned long ad
69941 - struct vm_area_struct *vma;
69942 - unsigned long ret = -EINVAL;
69943 - unsigned long charged = 0;
69944 -+ unsigned long task_size = TASK_SIZE;
69945 -
69946 - if (flags & ~(MREMAP_FIXED | MREMAP_MAYMOVE))
69947 - goto out;
69948 -@@ -272,6 +279,15 @@ unsigned long do_mremap(unsigned long ad
69949 - if (!new_len)
69950 - goto out;
69951 -
69952 -+#ifdef CONFIG_PAX_SEGMEXEC
69953 -+ if (current->mm->pax_flags & MF_PAX_SEGMEXEC)
69954 -+ task_size = SEGMEXEC_TASK_SIZE;
69955 -+#endif
69956 -+
69957 -+ if (new_len > task_size || addr > task_size-new_len ||
69958 -+ old_len > task_size || addr > task_size-old_len)
69959 -+ goto out;
69960 -+
69961 - /* new_addr is only valid if MREMAP_FIXED is specified */
69962 - if (flags & MREMAP_FIXED) {
69963 - if (new_addr & ~PAGE_MASK)
69964 -@@ -279,16 +295,13 @@ unsigned long do_mremap(unsigned long ad
69965 - if (!(flags & MREMAP_MAYMOVE))
69966 - goto out;
69967 -
69968 -- if (new_len > TASK_SIZE || new_addr > TASK_SIZE - new_len)
69969 -+ if (new_addr > task_size - new_len)
69970 - goto out;
69971 -
69972 - /* Check if the location we're moving into overlaps the
69973 - * old location at all, and fail if it does.
69974 - */
69975 -- if ((new_addr <= addr) && (new_addr+new_len) > addr)
69976 -- goto out;
69977 --
69978 -- if ((addr <= new_addr) && (addr+old_len) > new_addr)
69979 -+ if (addr + old_len > new_addr && new_addr + new_len > addr)
69980 - goto out;
69981 -
69982 - ret = security_file_mmap(0, 0, 0, 0, new_addr, 1);
69983 -@@ -326,6 +339,14 @@ unsigned long do_mremap(unsigned long ad
69984 - ret = -EINVAL;
69985 - goto out;
69986 - }
69987 -+
69988 -+#ifdef CONFIG_PAX_SEGMEXEC
69989 -+ if (pax_find_mirror_vma(vma)) {
69990 -+ ret = -EINVAL;
69991 -+ goto out;
69992 -+ }
69993 -+#endif
69994 -+
69995 - /* We can't remap across vm area boundaries */
69996 - if (old_len > vma->vm_end - addr)
69997 - goto out;
69998 -@@ -359,7 +380,7 @@ unsigned long do_mremap(unsigned long ad
69999 - if (old_len == vma->vm_end - addr &&
70000 - !((flags & MREMAP_FIXED) && (addr != new_addr)) &&
70001 - (old_len != new_len || !(flags & MREMAP_MAYMOVE))) {
70002 -- unsigned long max_addr = TASK_SIZE;
70003 -+ unsigned long max_addr = task_size;
70004 - if (vma->vm_next)
70005 - max_addr = vma->vm_next->vm_start;
70006 - /* can we just expand the current mapping? */
70007 -@@ -377,6 +398,7 @@ unsigned long do_mremap(unsigned long ad
70008 - addr + new_len);
70009 - }
70010 - ret = addr;
70011 -+ track_exec_limit(vma->vm_mm, vma->vm_start, addr + new_len, vma->vm_flags);
70012 - goto out;
70013 - }
70014 - }
70015 -@@ -387,8 +409,8 @@ unsigned long do_mremap(unsigned long ad
70016 - */
70017 - ret = -ENOMEM;
70018 - if (flags & MREMAP_MAYMOVE) {
70019 -+ unsigned long map_flags = 0;
70020 - if (!(flags & MREMAP_FIXED)) {
70021 -- unsigned long map_flags = 0;
70022 - if (vma->vm_flags & VM_MAYSHARE)
70023 - map_flags |= MAP_SHARED;
70024 -
70025 -@@ -403,7 +425,12 @@ unsigned long do_mremap(unsigned long ad
70026 - if (ret)
70027 - goto out;
70028 - }
70029 -+ map_flags = vma->vm_flags;
70030 - ret = move_vma(vma, addr, old_len, new_len, new_addr);
70031 -+ if (!(ret & ~PAGE_MASK)) {
70032 -+ track_exec_limit(current->mm, addr, addr + old_len, 0UL);
70033 -+ track_exec_limit(current->mm, new_addr, new_addr + new_len, map_flags);
70034 -+ }
70035 - }
70036 - out:
70037 - if (ret & ~PAGE_MASK)
70038 -diff -Nurp linux-2.6.23.15/mm/nommu.c linux-2.6.23.15-grsec/mm/nommu.c
70039 ---- linux-2.6.23.15/mm/nommu.c 2007-10-09 21:31:38.000000000 +0100
70040 -+++ linux-2.6.23.15-grsec/mm/nommu.c 2008-02-11 10:37:45.000000000 +0000
70041 -@@ -376,15 +376,6 @@ struct vm_area_struct *find_vma(struct m
70042 - }
70043 - EXPORT_SYMBOL(find_vma);
70044 -
70045 --/*
70046 -- * find a VMA
70047 -- * - we don't extend stack VMAs under NOMMU conditions
70048 -- */
70049 --struct vm_area_struct *find_extend_vma(struct mm_struct *mm, unsigned long addr)
70050 --{
70051 -- return find_vma(mm, addr);
70052 --}
70053 --
70054 - int expand_stack(struct vm_area_struct *vma, unsigned long address)
70055 - {
70056 - return -ENOMEM;
70057 -diff -Nurp linux-2.6.23.15/mm/page_alloc.c linux-2.6.23.15-grsec/mm/page_alloc.c
70058 ---- linux-2.6.23.15/mm/page_alloc.c 2007-10-09 21:31:38.000000000 +0100
70059 -+++ linux-2.6.23.15-grsec/mm/page_alloc.c 2008-02-11 10:37:45.000000000 +0000
70060 -@@ -402,7 +402,7 @@ static inline int page_is_buddy(struct p
70061 - static inline void __free_one_page(struct page *page,
70062 - struct zone *zone, unsigned int order)
70063 - {
70064 -- unsigned long page_idx;
70065 -+ unsigned long page_idx, index;
70066 - int order_size = 1 << order;
70067 -
70068 - if (unlikely(PageCompound(page)))
70069 -@@ -413,6 +413,11 @@ static inline void __free_one_page(struc
70070 - VM_BUG_ON(page_idx & (order_size - 1));
70071 - VM_BUG_ON(bad_range(zone, page));
70072 -
70073 -+#ifdef CONFIG_PAX_MEMORY_SANITIZE
70074 -+ for (index = order_size; index; --index)
70075 -+ sanitize_highpage(page + index - 1);
70076 -+#endif
70077 -+
70078 - __mod_zone_page_state(zone, NR_FREE_PAGES, order_size);
70079 - while (order < MAX_ORDER-1) {
70080 - unsigned long combined_idx;
70081 -diff -Nurp linux-2.6.23.15/mm/rmap.c linux-2.6.23.15-grsec/mm/rmap.c
70082 ---- linux-2.6.23.15/mm/rmap.c 2007-10-09 21:31:38.000000000 +0100
70083 -+++ linux-2.6.23.15-grsec/mm/rmap.c 2008-02-11 10:37:45.000000000 +0000
70084 -@@ -63,6 +63,10 @@ int anon_vma_prepare(struct vm_area_stru
70085 - struct mm_struct *mm = vma->vm_mm;
70086 - struct anon_vma *allocated, *locked;
70087 -
70088 -+#ifdef CONFIG_PAX_SEGMEXEC
70089 -+ struct vm_area_struct *vma_m;
70090 -+#endif
70091 -+
70092 - anon_vma = find_mergeable_anon_vma(vma);
70093 - if (anon_vma) {
70094 - allocated = NULL;
70095 -@@ -79,6 +83,15 @@ int anon_vma_prepare(struct vm_area_stru
70096 - /* page_table_lock to protect against threads */
70097 - spin_lock(&mm->page_table_lock);
70098 - if (likely(!vma->anon_vma)) {
70099 -+
70100 -+#ifdef CONFIG_PAX_SEGMEXEC
70101 -+ vma_m = pax_find_mirror_vma(vma);
70102 -+ if (vma_m) {
70103 -+ vma_m->anon_vma = anon_vma;
70104 -+ __anon_vma_link(vma_m);
70105 -+ }
70106 -+#endif
70107 -+
70108 - vma->anon_vma = anon_vma;
70109 - list_add_tail(&vma->anon_vma_node, &anon_vma->head);
70110 - allocated = NULL;
70111 -diff -Nurp linux-2.6.23.15/mm/shmem.c linux-2.6.23.15-grsec/mm/shmem.c
70112 ---- linux-2.6.23.15/mm/shmem.c 2008-02-11 10:36:03.000000000 +0000
70113 -+++ linux-2.6.23.15-grsec/mm/shmem.c 2008-02-11 10:37:45.000000000 +0000
70114 -@@ -2452,7 +2452,7 @@ static struct file_system_type tmpfs_fs_
70115 - .get_sb = shmem_get_sb,
70116 - .kill_sb = kill_litter_super,
70117 - };
70118 --static struct vfsmount *shm_mnt;
70119 -+struct vfsmount *shm_mnt;
70120 -
70121 - static int __init init_tmpfs(void)
70122 - {
70123 -diff -Nurp linux-2.6.23.15/mm/slab.c linux-2.6.23.15-grsec/mm/slab.c
70124 ---- linux-2.6.23.15/mm/slab.c 2007-10-09 21:31:38.000000000 +0100
70125 -+++ linux-2.6.23.15-grsec/mm/slab.c 2008-02-11 10:37:45.000000000 +0000
70126 -@@ -306,7 +306,7 @@ struct kmem_list3 {
70127 - * Need this for bootstrapping a per node allocator.
70128 - */
70129 - #define NUM_INIT_LISTS (2 * MAX_NUMNODES + 1)
70130 --struct kmem_list3 __initdata initkmem_list3[NUM_INIT_LISTS];
70131 -+struct kmem_list3 initkmem_list3[NUM_INIT_LISTS];
70132 - #define CACHE_CACHE 0
70133 - #define SIZE_AC 1
70134 - #define SIZE_L3 (1 + MAX_NUMNODES)
70135 -@@ -655,14 +655,14 @@ struct cache_names {
70136 - static struct cache_names __initdata cache_names[] = {
70137 - #define CACHE(x) { .name = "size-" #x, .name_dma = "size-" #x "(DMA)" },
70138 - #include <linux/kmalloc_sizes.h>
70139 -- {NULL,}
70140 -+ {NULL, NULL}
70141 - #undef CACHE
70142 - };
70143 -
70144 - static struct arraycache_init initarray_cache __initdata =
70145 -- { {0, BOOT_CPUCACHE_ENTRIES, 1, 0} };
70146 -+ { {0, BOOT_CPUCACHE_ENTRIES, 1, 0}, {NULL} };
70147 - static struct arraycache_init initarray_generic =
70148 -- { {0, BOOT_CPUCACHE_ENTRIES, 1, 0} };
70149 -+ { {0, BOOT_CPUCACHE_ENTRIES, 1, 0}, {NULL} };
70150 -
70151 - /* internal cache of cache description objs */
70152 - static struct kmem_cache cache_cache = {
70153 -@@ -2980,7 +2980,7 @@ retry:
70154 - * there must be at least one object available for
70155 - * allocation.
70156 - */
70157 -- BUG_ON(slabp->inuse < 0 || slabp->inuse >= cachep->num);
70158 -+ BUG_ON(slabp->inuse >= cachep->num);
70159 -
70160 - while (slabp->inuse < cachep->num && batchcount--) {
70161 - STATS_INC_ALLOCED(cachep);
70162 -diff -Nurp linux-2.6.23.15/mm/slub.c linux-2.6.23.15-grsec/mm/slub.c
70163 ---- linux-2.6.23.15/mm/slub.c 2008-02-11 10:36:03.000000000 +0000
70164 -+++ linux-2.6.23.15-grsec/mm/slub.c 2008-02-11 10:37:45.000000000 +0000
70165 -@@ -1530,7 +1530,7 @@ debug:
70166 - *
70167 - * Otherwise we can simply pick the next object from the lockless free list.
70168 - */
70169 --static void __always_inline *slab_alloc(struct kmem_cache *s,
70170 -+static __always_inline void *slab_alloc(struct kmem_cache *s,
70171 - gfp_t gfpflags, int node, void *addr)
70172 - {
70173 - struct page *page;
70174 -@@ -1639,7 +1639,7 @@ debug:
70175 - * If fastpath is not possible then fall back to __slab_free where we deal
70176 - * with all sorts of special processing.
70177 - */
70178 --static void __always_inline slab_free(struct kmem_cache *s,
70179 -+static __always_inline void slab_free(struct kmem_cache *s,
70180 - struct page *page, void *x, void *addr)
70181 - {
70182 - void **object = (void *)x;
70183 -diff -Nurp linux-2.6.23.15/mm/swap.c linux-2.6.23.15-grsec/mm/swap.c
70184 ---- linux-2.6.23.15/mm/swap.c 2007-10-09 21:31:38.000000000 +0100
70185 -+++ linux-2.6.23.15-grsec/mm/swap.c 2008-02-11 10:37:45.000000000 +0000
70186 -@@ -174,8 +174,8 @@ EXPORT_SYMBOL(mark_page_accessed);
70187 - * lru_cache_add: add a page to the page lists
70188 - * @page: the page to add
70189 - */
70190 --static DEFINE_PER_CPU(struct pagevec, lru_add_pvecs) = { 0, };
70191 --static DEFINE_PER_CPU(struct pagevec, lru_add_active_pvecs) = { 0, };
70192 -+static DEFINE_PER_CPU(struct pagevec, lru_add_pvecs) = { 0, 0, {NULL} };
70193 -+static DEFINE_PER_CPU(struct pagevec, lru_add_active_pvecs) = { 0, 0, {NULL} };
70194 -
70195 - void fastcall lru_cache_add(struct page *page)
70196 - {
70197 -diff -Nurp linux-2.6.23.15/mm/tiny-shmem.c linux-2.6.23.15-grsec/mm/tiny-shmem.c
70198 ---- linux-2.6.23.15/mm/tiny-shmem.c 2007-10-09 21:31:38.000000000 +0100
70199 -+++ linux-2.6.23.15-grsec/mm/tiny-shmem.c 2008-02-11 10:37:45.000000000 +0000
70200 -@@ -26,7 +26,7 @@ static struct file_system_type tmpfs_fs_
70201 - .kill_sb = kill_litter_super,
70202 - };
70203 -
70204 --static struct vfsmount *shm_mnt;
70205 -+struct vfsmount *shm_mnt;
70206 -
70207 - static int __init init_tmpfs(void)
70208 - {
70209 -diff -Nurp linux-2.6.23.15/mm/vmalloc.c linux-2.6.23.15-grsec/mm/vmalloc.c
70210 ---- linux-2.6.23.15/mm/vmalloc.c 2007-10-09 21:31:38.000000000 +0100
70211 -+++ linux-2.6.23.15-grsec/mm/vmalloc.c 2008-02-11 10:37:45.000000000 +0000
70212 -@@ -201,6 +201,8 @@ static struct vm_struct *__get_vm_area_n
70213 -
70214 - write_lock(&vmlist_lock);
70215 - for (p = &vmlist; (tmp = *p) != NULL ;p = &tmp->next) {
70216 -+ if (addr > end - size)
70217 -+ goto out;
70218 - if ((unsigned long)tmp->addr < addr) {
70219 - if((unsigned long)tmp->addr + tmp->size >= addr)
70220 - addr = ALIGN(tmp->size +
70221 -@@ -212,8 +214,6 @@ static struct vm_struct *__get_vm_area_n
70222 - if (size + addr <= (unsigned long)tmp->addr)
70223 - goto found;
70224 - addr = ALIGN(tmp->size + (unsigned long)tmp->addr, align);
70225 -- if (addr > end - size)
70226 -- goto out;
70227 - }
70228 -
70229 - found:
70230 -diff -Nurp linux-2.6.23.15/net/core/flow.c linux-2.6.23.15-grsec/net/core/flow.c
70231 ---- linux-2.6.23.15/net/core/flow.c 2007-10-09 21:31:38.000000000 +0100
70232 -+++ linux-2.6.23.15-grsec/net/core/flow.c 2008-02-11 10:37:45.000000000 +0000
70233 -@@ -40,7 +40,7 @@ atomic_t flow_cache_genid = ATOMIC_INIT(
70234 -
70235 - static u32 flow_hash_shift;
70236 - #define flow_hash_size (1 << flow_hash_shift)
70237 --static DEFINE_PER_CPU(struct flow_cache_entry **, flow_tables) = { NULL };
70238 -+static DEFINE_PER_CPU(struct flow_cache_entry **, flow_tables);
70239 -
70240 - #define flow_table(cpu) (per_cpu(flow_tables, cpu))
70241 -
70242 -@@ -53,7 +53,7 @@ struct flow_percpu_info {
70243 - u32 hash_rnd;
70244 - int count;
70245 - } ____cacheline_aligned;
70246 --static DEFINE_PER_CPU(struct flow_percpu_info, flow_hash_info) = { 0 };
70247 -+static DEFINE_PER_CPU(struct flow_percpu_info, flow_hash_info);
70248 -
70249 - #define flow_hash_rnd_recalc(cpu) \
70250 - (per_cpu(flow_hash_info, cpu).hash_rnd_recalc)
70251 -@@ -70,7 +70,7 @@ struct flow_flush_info {
70252 - atomic_t cpuleft;
70253 - struct completion completion;
70254 - };
70255 --static DEFINE_PER_CPU(struct tasklet_struct, flow_flush_tasklets) = { NULL };
70256 -+static DEFINE_PER_CPU(struct tasklet_struct, flow_flush_tasklets);
70257 -
70258 - #define flow_flush_tasklet(cpu) (&per_cpu(flow_flush_tasklets, cpu))
70259 -
70260 -diff -Nurp linux-2.6.23.15/net/dccp/ccids/ccid3.c linux-2.6.23.15-grsec/net/dccp/ccids/ccid3.c
70261 ---- linux-2.6.23.15/net/dccp/ccids/ccid3.c 2007-10-09 21:31:38.000000000 +0100
70262 -+++ linux-2.6.23.15-grsec/net/dccp/ccids/ccid3.c 2008-02-11 10:37:45.000000000 +0000
70263 -@@ -44,7 +44,7 @@
70264 - static int ccid3_debug;
70265 - #define ccid3_pr_debug(format, a...) DCCP_PR_DEBUG(ccid3_debug, format, ##a)
70266 - #else
70267 --#define ccid3_pr_debug(format, a...)
70268 -+#define ccid3_pr_debug(format, a...) do {} while (0)
70269 - #endif
70270 -
70271 - static struct dccp_tx_hist *ccid3_tx_hist;
70272 -diff -Nurp linux-2.6.23.15/net/dccp/dccp.h linux-2.6.23.15-grsec/net/dccp/dccp.h
70273 ---- linux-2.6.23.15/net/dccp/dccp.h 2007-10-09 21:31:38.000000000 +0100
70274 -+++ linux-2.6.23.15-grsec/net/dccp/dccp.h 2008-02-11 10:37:45.000000000 +0000
70275 -@@ -42,8 +42,8 @@ extern int dccp_debug;
70276 - #define dccp_pr_debug(format, a...) DCCP_PR_DEBUG(dccp_debug, format, ##a)
70277 - #define dccp_pr_debug_cat(format, a...) DCCP_PRINTK(dccp_debug, format, ##a)
70278 - #else
70279 --#define dccp_pr_debug(format, a...)
70280 --#define dccp_pr_debug_cat(format, a...)
70281 -+#define dccp_pr_debug(format, a...) do {} while (0)
70282 -+#define dccp_pr_debug_cat(format, a...) do {} while (0)
70283 - #endif
70284 -
70285 - extern struct inet_hashinfo dccp_hashinfo;
70286 -diff -Nurp linux-2.6.23.15/net/ipv4/inet_connection_sock.c linux-2.6.23.15-grsec/net/ipv4/inet_connection_sock.c
70287 ---- linux-2.6.23.15/net/ipv4/inet_connection_sock.c 2007-10-09 21:31:38.000000000 +0100
70288 -+++ linux-2.6.23.15-grsec/net/ipv4/inet_connection_sock.c 2008-02-11 10:37:45.000000000 +0000
70289 -@@ -15,6 +15,7 @@
70290 -
70291 - #include <linux/module.h>
70292 - #include <linux/jhash.h>
70293 -+#include <linux/grsecurity.h>
70294 -
70295 - #include <net/inet_connection_sock.h>
70296 - #include <net/inet_hashtables.h>
70297 -diff -Nurp linux-2.6.23.15/net/ipv4/inet_hashtables.c linux-2.6.23.15-grsec/net/ipv4/inet_hashtables.c
70298 ---- linux-2.6.23.15/net/ipv4/inet_hashtables.c 2007-10-09 21:31:38.000000000 +0100
70299 -+++ linux-2.6.23.15-grsec/net/ipv4/inet_hashtables.c 2008-02-11 10:37:45.000000000 +0000
70300 -@@ -18,11 +18,14 @@
70301 - #include <linux/sched.h>
70302 - #include <linux/slab.h>
70303 - #include <linux/wait.h>
70304 -+#include <linux/grsecurity.h>
70305 -
70306 - #include <net/inet_connection_sock.h>
70307 - #include <net/inet_hashtables.h>
70308 - #include <net/ip.h>
70309 -
70310 -+extern void gr_update_task_in_ip_table(struct task_struct *task, const struct inet_sock *inet);
70311 -+
70312 - /*
70313 - * Allocate and initialize a new local port bind bucket.
70314 - * The bindhash mutex for snum's hash chain must be held here.
70315 -@@ -338,6 +341,8 @@ ok:
70316 - }
70317 - spin_unlock(&head->lock);
70318 -
70319 -+ gr_update_task_in_ip_table(current, inet_sk(sk));
70320 -+
70321 - if (tw) {
70322 - inet_twsk_deschedule(tw, death_row);
70323 - inet_twsk_put(tw);
70324 -diff -Nurp linux-2.6.23.15/net/ipv4/netfilter/Kconfig linux-2.6.23.15-grsec/net/ipv4/netfilter/Kconfig
70325 ---- linux-2.6.23.15/net/ipv4/netfilter/Kconfig 2007-10-09 21:31:38.000000000 +0100
70326 -+++ linux-2.6.23.15-grsec/net/ipv4/netfilter/Kconfig 2008-02-11 10:37:45.000000000 +0000
70327 -@@ -130,6 +130,21 @@ config IP_NF_MATCH_ADDRTYPE
70328 - If you want to compile it as a module, say M here and read
70329 - <file:Documentation/modules.txt>. If unsure, say `N'.
70330 -
70331 -+config IP_NF_MATCH_STEALTH
70332 -+ tristate "stealth match support"
70333 -+ depends on IP_NF_IPTABLES
70334 -+ help
70335 -+ Enabling this option will drop all syn packets coming to unserved tcp
70336 -+ ports as well as all packets coming to unserved udp ports. If you
70337 -+ are using your system to route any type of packets (ie. via NAT)
70338 -+ you should put this module at the end of your ruleset, since it will
70339 -+ drop packets that aren't going to ports that are listening on your
70340 -+ machine itself, it doesn't take into account that the packet might be
70341 -+ destined for someone on your internal network if you're using NAT for
70342 -+ instance.
70343 -+
70344 -+ To compile it as a module, choose M here. If unsure, say N.
70345 -+
70346 - # `filter', generic and specific targets
70347 - config IP_NF_FILTER
70348 - tristate "Packet filtering"
70349 -@@ -403,4 +418,3 @@ config IP_NF_ARP_MANGLE
70350 - hardware and network addresses.
70351 -
70352 - endmenu
70353 --
70354 -diff -Nurp linux-2.6.23.15/net/ipv4/netfilter/Makefile linux-2.6.23.15-grsec/net/ipv4/netfilter/Makefile
70355 ---- linux-2.6.23.15/net/ipv4/netfilter/Makefile 2007-10-09 21:31:38.000000000 +0100
70356 -+++ linux-2.6.23.15-grsec/net/ipv4/netfilter/Makefile 2008-02-11 10:37:45.000000000 +0000
70357 -@@ -49,6 +49,7 @@ obj-$(CONFIG_IP_NF_MATCH_ECN) += ipt_ecn
70358 - obj-$(CONFIG_IP_NF_MATCH_AH) += ipt_ah.o
70359 - obj-$(CONFIG_IP_NF_MATCH_TTL) += ipt_ttl.o
70360 - obj-$(CONFIG_IP_NF_MATCH_ADDRTYPE) += ipt_addrtype.o
70361 -+obj-$(CONFIG_IP_NF_MATCH_STEALTH) += ipt_stealth.o
70362 -
70363 - # targets
70364 - obj-$(CONFIG_IP_NF_TARGET_REJECT) += ipt_REJECT.o
70365 -diff -Nurp linux-2.6.23.15/net/ipv4/netfilter/ipt_stealth.c linux-2.6.23.15-grsec/net/ipv4/netfilter/ipt_stealth.c
70366 ---- linux-2.6.23.15/net/ipv4/netfilter/ipt_stealth.c 1970-01-01 01:00:00.000000000 +0100
70367 -+++ linux-2.6.23.15-grsec/net/ipv4/netfilter/ipt_stealth.c 2008-02-11 10:37:45.000000000 +0000
70368 -@@ -0,0 +1,114 @@
70369 -+/* Kernel module to add stealth support.
70370 -+ *
70371 -+ * Copyright (C) 2002-2006 Brad Spengler <spender@××××××××××.net>
70372 -+ *
70373 -+ */
70374 -+
70375 -+#include <linux/kernel.h>
70376 -+#include <linux/module.h>
70377 -+#include <linux/skbuff.h>
70378 -+#include <linux/net.h>
70379 -+#include <linux/sched.h>
70380 -+#include <linux/inet.h>
70381 -+#include <linux/stddef.h>
70382 -+
70383 -+#include <net/ip.h>
70384 -+#include <net/sock.h>
70385 -+#include <net/tcp.h>
70386 -+#include <net/udp.h>
70387 -+#include <net/route.h>
70388 -+#include <net/inet_common.h>
70389 -+
70390 -+#include <linux/netfilter_ipv4/ip_tables.h>
70391 -+
70392 -+MODULE_LICENSE("GPL");
70393 -+
70394 -+extern struct sock *udp_v4_lookup(u32 saddr, u16 sport, u32 daddr, u16 dport, int dif);
70395 -+
70396 -+static int
70397 -+match(const struct sk_buff *skb,
70398 -+ const struct net_device *in,
70399 -+ const struct net_device *out,
70400 -+ const struct xt_match *match,
70401 -+ const void *matchinfo,
70402 -+ int offset,
70403 -+ unsigned int protoff,
70404 -+ int *hotdrop)
70405 -+{
70406 -+ struct iphdr *ip = ip_hdr(skb);
70407 -+ struct tcphdr th;
70408 -+ struct udphdr uh;
70409 -+ struct sock *sk = NULL;
70410 -+
70411 -+ if (!ip || offset) return 0;
70412 -+
70413 -+ switch(ip->protocol) {
70414 -+ case IPPROTO_TCP:
70415 -+ if (skb_copy_bits(skb, (ip_hdr(skb))->ihl*4, &th, sizeof(th)) < 0) {
70416 -+ *hotdrop = 1;
70417 -+ return 0;
70418 -+ }
70419 -+ if (!(th.syn && !th.ack)) return 0;
70420 -+ sk = inet_lookup_listener(&tcp_hashinfo, ip->daddr, th.dest, inet_iif(skb));
70421 -+ break;
70422 -+ case IPPROTO_UDP:
70423 -+ if (skb_copy_bits(skb, (ip_hdr(skb))->ihl*4, &uh, sizeof(uh)) < 0) {
70424 -+ *hotdrop = 1;
70425 -+ return 0;
70426 -+ }
70427 -+ sk = udp_v4_lookup(ip->saddr, uh.source, ip->daddr, uh.dest, skb->dev->ifindex);
70428 -+ break;
70429 -+ default:
70430 -+ return 0;
70431 -+ }
70432 -+
70433 -+ if(!sk) // port is being listened on, match this
70434 -+ return 1;
70435 -+ else {
70436 -+ sock_put(sk);
70437 -+ return 0;
70438 -+ }
70439 -+}
70440 -+
70441 -+/* Called when user tries to insert an entry of this type. */
70442 -+static int
70443 -+checkentry(const char *tablename,
70444 -+ const void *nip,
70445 -+ const struct xt_match *match,
70446 -+ void *matchinfo,
70447 -+ unsigned int hook_mask)
70448 -+{
70449 -+ const struct ipt_ip *ip = (const struct ipt_ip *)nip;
70450 -+
70451 -+ if(((ip->proto == IPPROTO_TCP && !(ip->invflags & IPT_INV_PROTO)) ||
70452 -+ ((ip->proto == IPPROTO_UDP) && !(ip->invflags & IPT_INV_PROTO)))
70453 -+ && (hook_mask & (1 << NF_IP_LOCAL_IN)))
70454 -+ return 1;
70455 -+
70456 -+ printk("stealth: Only works on TCP and UDP for the INPUT chain.\n");
70457 -+
70458 -+ return 0;
70459 -+}
70460 -+
70461 -+
70462 -+static struct xt_match stealth_match = {
70463 -+ .name = "stealth",
70464 -+ .family = AF_INET,
70465 -+ .match = match,
70466 -+ .checkentry = checkentry,
70467 -+ .destroy = NULL,
70468 -+ .me = THIS_MODULE
70469 -+};
70470 -+
70471 -+static int __init init(void)
70472 -+{
70473 -+ return xt_register_match(&stealth_match);
70474 -+}
70475 -+
70476 -+static void __exit fini(void)
70477 -+{
70478 -+ xt_unregister_match(&stealth_match);
70479 -+}
70480 -+
70481 -+module_init(init);
70482 -+module_exit(fini);
70483 -diff -Nurp linux-2.6.23.15/net/ipv4/tcp.c linux-2.6.23.15-grsec/net/ipv4/tcp.c
70484 ---- linux-2.6.23.15/net/ipv4/tcp.c 2007-10-09 21:31:38.000000000 +0100
70485 -+++ linux-2.6.23.15-grsec/net/ipv4/tcp.c 2008-02-11 10:37:45.000000000 +0000
70486 -@@ -1053,7 +1053,8 @@ int tcp_read_sock(struct sock *sk, read_
70487 - return -ENOTCONN;
70488 - while ((skb = tcp_recv_skb(sk, seq, &offset)) != NULL) {
70489 - if (offset < skb->len) {
70490 -- size_t used, len;
70491 -+ int used;
70492 -+ size_t len;
70493 -
70494 - len = skb->len - offset;
70495 - /* Stop reading if we hit a patch of urgent data */
70496 -diff -Nurp linux-2.6.23.15/net/ipv4/tcp_ipv4.c linux-2.6.23.15-grsec/net/ipv4/tcp_ipv4.c
70497 ---- linux-2.6.23.15/net/ipv4/tcp_ipv4.c 2007-10-09 21:31:38.000000000 +0100
70498 -+++ linux-2.6.23.15-grsec/net/ipv4/tcp_ipv4.c 2008-02-11 10:37:45.000000000 +0000
70499 -@@ -61,6 +61,7 @@
70500 - #include <linux/jhash.h>
70501 - #include <linux/init.h>
70502 - #include <linux/times.h>
70503 -+#include <linux/grsecurity.h>
70504 -
70505 - #include <net/icmp.h>
70506 - #include <net/inet_hashtables.h>
70507 -diff -Nurp linux-2.6.23.15/net/ipv4/udp.c linux-2.6.23.15-grsec/net/ipv4/udp.c
70508 ---- linux-2.6.23.15/net/ipv4/udp.c 2007-10-09 21:31:38.000000000 +0100
70509 -+++ linux-2.6.23.15-grsec/net/ipv4/udp.c 2008-02-11 10:37:45.000000000 +0000
70510 -@@ -98,12 +98,19 @@
70511 - #include <linux/skbuff.h>
70512 - #include <linux/proc_fs.h>
70513 - #include <linux/seq_file.h>
70514 -+#include <linux/grsecurity.h>
70515 - #include <net/icmp.h>
70516 - #include <net/route.h>
70517 - #include <net/checksum.h>
70518 - #include <net/xfrm.h>
70519 - #include "udp_impl.h"
70520 -
70521 -+extern int gr_search_udp_recvmsg(const struct sock *sk,
70522 -+ const struct sk_buff *skb);
70523 -+extern int gr_search_udp_sendmsg(const struct sock *sk,
70524 -+ const struct sockaddr_in *addr);
70525 -+
70526 -+
70527 - /*
70528 - * Snmp MIB for the UDP layer
70529 - */
70530 -@@ -287,6 +294,13 @@ static struct sock *__udp4_lib_lookup(__
70531 - return result;
70532 - }
70533 -
70534 -+struct sock *udp_v4_lookup(__be32 saddr, __be16 sport,
70535 -+ __be32 daddr, __be16 dport, int dif)
70536 -+{
70537 -+ return __udp4_lib_lookup(saddr, sport, daddr, dport, dif, udp_hash);
70538 -+}
70539 -+
70540 -+
70541 - static inline struct sock *udp_v4_mcast_next(struct sock *sk,
70542 - __be16 loc_port, __be32 loc_addr,
70543 - __be16 rmt_port, __be32 rmt_addr,
70544 -@@ -572,9 +586,16 @@ int udp_sendmsg(struct kiocb *iocb, stru
70545 - dport = usin->sin_port;
70546 - if (dport == 0)
70547 - return -EINVAL;
70548 -+
70549 -+ if (!gr_search_udp_sendmsg(sk, usin))
70550 -+ return -EPERM;
70551 - } else {
70552 - if (sk->sk_state != TCP_ESTABLISHED)
70553 - return -EDESTADDRREQ;
70554 -+
70555 -+ if (!gr_search_udp_sendmsg(sk, NULL))
70556 -+ return -EPERM;
70557 -+
70558 - daddr = inet->daddr;
70559 - dport = inet->dport;
70560 - /* Open fast path for connected socket.
70561 -@@ -834,6 +855,11 @@ try_again:
70562 - if (!skb)
70563 - goto out;
70564 -
70565 -+ if (!gr_search_udp_recvmsg(sk, skb)) {
70566 -+ err = -EPERM;
70567 -+ goto out_free;
70568 -+ }
70569 -+
70570 - ulen = skb->len - sizeof(struct udphdr);
70571 - copied = len;
70572 - if (copied > ulen)
70573 -diff -Nurp linux-2.6.23.15/net/ipv6/exthdrs.c linux-2.6.23.15-grsec/net/ipv6/exthdrs.c
70574 ---- linux-2.6.23.15/net/ipv6/exthdrs.c 2007-10-09 21:31:38.000000000 +0100
70575 -+++ linux-2.6.23.15-grsec/net/ipv6/exthdrs.c 2008-02-11 10:37:45.000000000 +0000
70576 -@@ -645,7 +645,7 @@ static struct tlvtype_proc tlvprochopopt
70577 - .type = IPV6_TLV_JUMBO,
70578 - .func = ipv6_hop_jumbo,
70579 - },
70580 -- { -1, }
70581 -+ { -1, NULL }
70582 - };
70583 -
70584 - int ipv6_parse_hopopts(struct sk_buff **skbp)
70585 -diff -Nurp linux-2.6.23.15/net/ipv6/raw.c linux-2.6.23.15-grsec/net/ipv6/raw.c
70586 ---- linux-2.6.23.15/net/ipv6/raw.c 2007-10-09 21:31:38.000000000 +0100
70587 -+++ linux-2.6.23.15-grsec/net/ipv6/raw.c 2008-02-11 10:37:45.000000000 +0000
70588 -@@ -577,7 +577,7 @@ out:
70589 - return err;
70590 - }
70591 -
70592 --static int rawv6_send_hdrinc(struct sock *sk, void *from, int length,
70593 -+static int rawv6_send_hdrinc(struct sock *sk, void *from, unsigned int length,
70594 - struct flowi *fl, struct rt6_info *rt,
70595 - unsigned int flags)
70596 - {
70597 -diff -Nurp linux-2.6.23.15/net/irda/ircomm/ircomm_tty.c linux-2.6.23.15-grsec/net/irda/ircomm/ircomm_tty.c
70598 ---- linux-2.6.23.15/net/irda/ircomm/ircomm_tty.c 2007-10-09 21:31:38.000000000 +0100
70599 -+++ linux-2.6.23.15-grsec/net/irda/ircomm/ircomm_tty.c 2008-02-11 10:37:45.000000000 +0000
70600 -@@ -371,7 +371,7 @@ static int ircomm_tty_open(struct tty_st
70601 - IRDA_DEBUG(2, "%s()\n", __FUNCTION__ );
70602 -
70603 - line = tty->index;
70604 -- if ((line < 0) || (line >= IRCOMM_TTY_PORTS)) {
70605 -+ if (line >= IRCOMM_TTY_PORTS) {
70606 - return -ENODEV;
70607 - }
70608 -
70609 -diff -Nurp linux-2.6.23.15/net/mac80211/ieee80211.c linux-2.6.23.15-grsec/net/mac80211/ieee80211.c
70610 ---- linux-2.6.23.15/net/mac80211/ieee80211.c 2008-02-11 10:36:03.000000000 +0000
70611 -+++ linux-2.6.23.15-grsec/net/mac80211/ieee80211.c 2008-02-11 10:37:45.000000000 +0000
70612 -@@ -1260,7 +1260,7 @@ __ieee80211_parse_tx_radiotap(
70613 - }
70614 -
70615 -
70616 --static ieee80211_txrx_result inline
70617 -+static inline ieee80211_txrx_result
70618 - __ieee80211_tx_prepare(struct ieee80211_txrx_data *tx,
70619 - struct sk_buff *skb,
70620 - struct net_device *dev,
70621 -@@ -1332,7 +1332,7 @@ __ieee80211_tx_prepare(struct ieee80211_
70622 - return res;
70623 - }
70624 -
70625 --static int inline is_ieee80211_device(struct net_device *dev,
70626 -+static inline int is_ieee80211_device(struct net_device *dev,
70627 - struct net_device *master)
70628 - {
70629 - return (wdev_priv(dev->ieee80211_ptr) ==
70630 -@@ -1341,7 +1341,7 @@ static int inline is_ieee80211_device(st
70631 -
70632 - /* Device in tx->dev has a reference added; use dev_put(tx->dev) when
70633 - * finished with it. */
70634 --static int inline ieee80211_tx_prepare(struct ieee80211_txrx_data *tx,
70635 -+static inline int ieee80211_tx_prepare(struct ieee80211_txrx_data *tx,
70636 - struct sk_buff *skb,
70637 - struct net_device *mdev,
70638 - struct ieee80211_tx_control *control)
70639 -diff -Nurp linux-2.6.23.15/net/mac80211/regdomain.c linux-2.6.23.15-grsec/net/mac80211/regdomain.c
70640 ---- linux-2.6.23.15/net/mac80211/regdomain.c 2007-10-09 21:31:38.000000000 +0100
70641 -+++ linux-2.6.23.15-grsec/net/mac80211/regdomain.c 2008-02-11 10:37:45.000000000 +0000
70642 -@@ -61,14 +61,14 @@ static const struct ieee80211_channel_ra
70643 - { 5180, 5240, 17, 6 } /* IEEE 802.11a, channels 36..48 */,
70644 - { 5260, 5320, 23, 6 } /* IEEE 802.11a, channels 52..64 */,
70645 - { 5745, 5825, 30, 6 } /* IEEE 802.11a, channels 149..165, outdoor */,
70646 -- { 0 }
70647 -+ { 0, 0, 0, 0 }
70648 - };
70649 -
70650 - static const struct ieee80211_channel_range ieee80211_mkk_channels[] = {
70651 - { 2412, 2472, 20, 6 } /* IEEE 802.11b/g, channels 1..13 */,
70652 - { 5170, 5240, 20, 6 } /* IEEE 802.11a, channels 34..48 */,
70653 - { 5260, 5320, 20, 6 } /* IEEE 802.11a, channels 52..64 */,
70654 -- { 0 }
70655 -+ { 0, 0, 0, 0 }
70656 - };
70657 -
70658 -
70659 -diff -Nurp linux-2.6.23.15/net/sctp/socket.c linux-2.6.23.15-grsec/net/sctp/socket.c
70660 ---- linux-2.6.23.15/net/sctp/socket.c 2007-10-09 21:31:38.000000000 +0100
70661 -+++ linux-2.6.23.15-grsec/net/sctp/socket.c 2008-02-11 10:37:45.000000000 +0000
70662 -@@ -1370,7 +1370,7 @@ SCTP_STATIC int sctp_sendmsg(struct kioc
70663 - struct sctp_sndrcvinfo *sinfo;
70664 - struct sctp_initmsg *sinit;
70665 - sctp_assoc_t associd = 0;
70666 -- sctp_cmsgs_t cmsgs = { NULL };
70667 -+ sctp_cmsgs_t cmsgs = { NULL, NULL };
70668 - int err;
70669 - sctp_scope_t scope;
70670 - long timeo;
70671 -diff -Nurp linux-2.6.23.15/net/socket.c linux-2.6.23.15-grsec/net/socket.c
70672 ---- linux-2.6.23.15/net/socket.c 2008-02-11 10:36:03.000000000 +0000
70673 -+++ linux-2.6.23.15-grsec/net/socket.c 2008-02-11 10:37:45.000000000 +0000
70674 -@@ -84,6 +84,7 @@
70675 - #include <linux/kmod.h>
70676 - #include <linux/audit.h>
70677 - #include <linux/wireless.h>
70678 -+#include <linux/in.h>
70679 -
70680 - #include <asm/uaccess.h>
70681 - #include <asm/unistd.h>
70682 -@@ -93,6 +94,21 @@
70683 - #include <net/sock.h>
70684 - #include <linux/netfilter.h>
70685 -
70686 -+extern void gr_attach_curr_ip(const struct sock *sk);
70687 -+extern int gr_handle_sock_all(const int family, const int type,
70688 -+ const int protocol);
70689 -+extern int gr_handle_sock_server(const struct sockaddr *sck);
70690 -+extern int gr_handle_sock_server_other(const struct socket *sck);
70691 -+extern int gr_handle_sock_client(const struct sockaddr *sck);
70692 -+extern int gr_search_connect(const struct socket * sock,
70693 -+ const struct sockaddr_in * addr);
70694 -+extern int gr_search_bind(const struct socket * sock,
70695 -+ const struct sockaddr_in * addr);
70696 -+extern int gr_search_listen(const struct socket * sock);
70697 -+extern int gr_search_accept(const struct socket * sock);
70698 -+extern int gr_search_socket(const int domain, const int type,
70699 -+ const int protocol);
70700 -+
70701 - static int sock_no_open(struct inode *irrelevant, struct file *dontcare);
70702 - static ssize_t sock_aio_read(struct kiocb *iocb, const struct iovec *iov,
70703 - unsigned long nr_segs, loff_t pos);
70704 -@@ -292,7 +308,7 @@ static int sockfs_get_sb(struct file_sys
70705 - mnt);
70706 - }
70707 -
70708 --static struct vfsmount *sock_mnt __read_mostly;
70709 -+struct vfsmount *sock_mnt __read_mostly;
70710 -
70711 - static struct file_system_type sock_fs_type = {
70712 - .name = "sockfs",
70713 -@@ -1199,6 +1215,16 @@ asmlinkage long sys_socket(int family, i
70714 - int retval;
70715 - struct socket *sock;
70716 -
70717 -+ if(!gr_search_socket(family, type, protocol)) {
70718 -+ retval = -EACCES;
70719 -+ goto out;
70720 -+ }
70721 -+
70722 -+ if (gr_handle_sock_all(family, type, protocol)) {
70723 -+ retval = -EACCES;
70724 -+ goto out;
70725 -+ }
70726 -+
70727 - retval = sock_create(family, type, protocol, &sock);
70728 - if (retval < 0)
70729 - goto out;
70730 -@@ -1329,6 +1355,12 @@ asmlinkage long sys_bind(int fd, struct
70731 - if (sock) {
70732 - err = move_addr_to_kernel(umyaddr, addrlen, address);
70733 - if (err >= 0) {
70734 -+ if (!gr_search_bind(sock, (struct sockaddr_in *)address) ||
70735 -+ gr_handle_sock_server((struct sockaddr *)address)) {
70736 -+ err = -EACCES;
70737 -+ goto error;
70738 -+ }
70739 -+
70740 - err = security_socket_bind(sock,
70741 - (struct sockaddr *)address,
70742 - addrlen);
70743 -@@ -1337,6 +1369,7 @@ asmlinkage long sys_bind(int fd, struct
70744 - (struct sockaddr *)
70745 - address, addrlen);
70746 - }
70747 -+error:
70748 - fput_light(sock->file, fput_needed);
70749 - }
70750 - return err;
70751 -@@ -1360,10 +1393,17 @@ asmlinkage long sys_listen(int fd, int b
70752 - if ((unsigned)backlog > sysctl_somaxconn)
70753 - backlog = sysctl_somaxconn;
70754 -
70755 -+ if (gr_handle_sock_server_other(sock) ||
70756 -+ !gr_search_listen(sock)) {
70757 -+ err = -EPERM;
70758 -+ goto error;
70759 -+ }
70760 -+
70761 - err = security_socket_listen(sock, backlog);
70762 - if (!err)
70763 - err = sock->ops->listen(sock, backlog);
70764 -
70765 -+error:
70766 - fput_light(sock->file, fput_needed);
70767 - }
70768 - return err;
70769 -@@ -1400,6 +1440,13 @@ asmlinkage long sys_accept(int fd, struc
70770 - newsock->type = sock->type;
70771 - newsock->ops = sock->ops;
70772 -
70773 -+ if (gr_handle_sock_server_other(sock) ||
70774 -+ !gr_search_accept(sock)) {
70775 -+ err = -EPERM;
70776 -+ sock_release(newsock);
70777 -+ goto out_put;
70778 -+ }
70779 -+
70780 - /*
70781 - * We don't need try_module_get here, as the listening socket (sock)
70782 - * has the protocol module (sock->ops->owner) held.
70783 -@@ -1443,6 +1490,7 @@ asmlinkage long sys_accept(int fd, struc
70784 - err = newfd;
70785 -
70786 - security_socket_post_accept(sock, newsock);
70787 -+ gr_attach_curr_ip(newsock->sk);
70788 -
70789 - out_put:
70790 - fput_light(sock->file, fput_needed);
70791 -@@ -1476,6 +1524,7 @@ asmlinkage long sys_connect(int fd, stru
70792 - {
70793 - struct socket *sock;
70794 - char address[MAX_SOCK_ADDR];
70795 -+ struct sockaddr *sck;
70796 - int err, fput_needed;
70797 -
70798 - sock = sockfd_lookup_light(fd, &err, &fput_needed);
70799 -@@ -1485,6 +1534,13 @@ asmlinkage long sys_connect(int fd, stru
70800 - if (err < 0)
70801 - goto out_put;
70802 -
70803 -+ sck = (struct sockaddr *)address;
70804 -+ if (!gr_search_connect(sock, (struct sockaddr_in *)sck) ||
70805 -+ gr_handle_sock_client(sck)) {
70806 -+ err = -EACCES;
70807 -+ goto out_put;
70808 -+ }
70809 -+
70810 - err =
70811 - security_socket_connect(sock, (struct sockaddr *)address, addrlen);
70812 - if (err)
70813 -@@ -1762,6 +1818,7 @@ asmlinkage long sys_shutdown(int fd, int
70814 - err = sock->ops->shutdown(sock, how);
70815 - fput_light(sock->file, fput_needed);
70816 - }
70817 -+
70818 - return err;
70819 - }
70820 -
70821 -diff -Nurp linux-2.6.23.15/net/unix/af_unix.c linux-2.6.23.15-grsec/net/unix/af_unix.c
70822 ---- linux-2.6.23.15/net/unix/af_unix.c 2008-02-11 10:36:03.000000000 +0000
70823 -+++ linux-2.6.23.15-grsec/net/unix/af_unix.c 2008-02-11 10:37:45.000000000 +0000
70824 -@@ -115,6 +115,7 @@
70825 - #include <linux/mount.h>
70826 - #include <net/checksum.h>
70827 - #include <linux/security.h>
70828 -+#include <linux/grsecurity.h>
70829 -
70830 - int sysctl_unix_max_dgram_qlen __read_mostly = 10;
70831 -
70832 -@@ -733,6 +734,11 @@ static struct sock *unix_find_other(stru
70833 - if (err)
70834 - goto put_fail;
70835 -
70836 -+ if (!gr_acl_handle_unix(nd.dentry, nd.mnt)) {
70837 -+ err = -EACCES;
70838 -+ goto put_fail;
70839 -+ }
70840 -+
70841 - err = -ECONNREFUSED;
70842 - if (!S_ISSOCK(nd.dentry->d_inode->i_mode))
70843 - goto put_fail;
70844 -@@ -756,6 +762,13 @@ static struct sock *unix_find_other(stru
70845 - if (u) {
70846 - struct dentry *dentry;
70847 - dentry = unix_sk(u)->dentry;
70848 -+
70849 -+ if (!gr_handle_chroot_unix(u->sk_peercred.pid)) {
70850 -+ err = -EPERM;
70851 -+ sock_put(u);
70852 -+ goto fail;
70853 -+ }
70854 -+
70855 - if (dentry)
70856 - touch_atime(unix_sk(u)->mnt, dentry);
70857 - } else
70858 -@@ -834,9 +847,18 @@ static int unix_bind(struct socket *sock
70859 - */
70860 - mode = S_IFSOCK |
70861 - (SOCK_INODE(sock)->i_mode & ~current->fs->umask);
70862 -+
70863 -+ if (!gr_acl_handle_mknod(dentry, nd.dentry, nd.mnt, mode)) {
70864 -+ err = -EACCES;
70865 -+ goto out_mknod_dput;
70866 -+ }
70867 -+
70868 - err = vfs_mknod(nd.dentry->d_inode, dentry, mode, 0);
70869 - if (err)
70870 - goto out_mknod_dput;
70871 -+
70872 -+ gr_handle_create(dentry, nd.mnt);
70873 -+
70874 - mutex_unlock(&nd.dentry->d_inode->i_mutex);
70875 - dput(nd.dentry);
70876 - nd.dentry = dentry;
70877 -@@ -854,6 +876,10 @@ static int unix_bind(struct socket *sock
70878 - goto out_unlock;
70879 - }
70880 -
70881 -+#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
70882 -+ sk->sk_peercred.pid = current->pid;
70883 -+#endif
70884 -+
70885 - list = &unix_socket_table[addr->hash];
70886 - } else {
70887 - list = &unix_socket_table[dentry->d_inode->i_ino & (UNIX_HASH_SIZE-1)];
70888 -diff -Nurp linux-2.6.23.15/scripts/pnmtologo.c linux-2.6.23.15-grsec/scripts/pnmtologo.c
70889 ---- linux-2.6.23.15/scripts/pnmtologo.c 2007-10-09 21:31:38.000000000 +0100
70890 -+++ linux-2.6.23.15-grsec/scripts/pnmtologo.c 2008-02-11 10:37:45.000000000 +0000
70891 -@@ -237,14 +237,14 @@ static void write_header(void)
70892 - fprintf(out, " * Linux logo %s\n", logoname);
70893 - fputs(" */\n\n", out);
70894 - fputs("#include <linux/linux_logo.h>\n\n", out);
70895 -- fprintf(out, "static unsigned char %s_data[] __initdata = {\n",
70896 -+ fprintf(out, "static unsigned char %s_data[] = {\n",
70897 - logoname);
70898 - }
70899 -
70900 - static void write_footer(void)
70901 - {
70902 - fputs("\n};\n\n", out);
70903 -- fprintf(out, "struct linux_logo %s __initdata = {\n", logoname);
70904 -+ fprintf(out, "struct linux_logo %s = {\n", logoname);
70905 - fprintf(out, " .type\t= %s,\n", logo_types[logo_type]);
70906 - fprintf(out, " .width\t= %d,\n", logo_width);
70907 - fprintf(out, " .height\t= %d,\n", logo_height);
70908 -@@ -374,7 +374,7 @@ static void write_logo_clut224(void)
70909 - fputs("\n};\n\n", out);
70910 -
70911 - /* write logo clut */
70912 -- fprintf(out, "static unsigned char %s_clut[] __initdata = {\n",
70913 -+ fprintf(out, "static unsigned char %s_clut[] = {\n",
70914 - logoname);
70915 - write_hex_cnt = 0;
70916 - for (i = 0; i < logo_clutsize; i++) {
70917 -diff -Nurp linux-2.6.23.15/security/Kconfig linux-2.6.23.15-grsec/security/Kconfig
70918 ---- linux-2.6.23.15/security/Kconfig 2007-10-09 21:31:38.000000000 +0100
70919 -+++ linux-2.6.23.15-grsec/security/Kconfig 2008-02-11 10:37:45.000000000 +0000
70920 -@@ -4,6 +4,429 @@
70921 -
70922 - menu "Security options"
70923 -
70924 -+source grsecurity/Kconfig
70925 -+
70926 -+menu "PaX"
70927 -+
70928 -+config PAX
70929 -+ bool "Enable various PaX features"
70930 -+ depends on GRKERNSEC && (ALPHA || ARM || AVR32 || IA64 || MIPS32 || MIPS64 || PARISC || PPC32 || PPC64 || SPARC32 || SPARC64 || X86 || X86_64)
70931 -+ help
70932 -+ This allows you to enable various PaX features. PaX adds
70933 -+ intrusion prevention mechanisms to the kernel that reduce
70934 -+ the risks posed by exploitable memory corruption bugs.
70935 -+
70936 -+menu "PaX Control"
70937 -+ depends on PAX
70938 -+
70939 -+config PAX_SOFTMODE
70940 -+ bool 'Support soft mode'
70941 -+ help
70942 -+ Enabling this option will allow you to run PaX in soft mode, that
70943 -+ is, PaX features will not be enforced by default, only on executables
70944 -+ marked explicitly. You must also enable PT_PAX_FLAGS support as it
70945 -+ is the only way to mark executables for soft mode use.
70946 -+
70947 -+ Soft mode can be activated by using the "pax_softmode=1" kernel command
70948 -+ line option on boot. Furthermore you can control various PaX features
70949 -+ at runtime via the entries in /proc/sys/kernel/pax.
70950 -+
70951 -+config PAX_EI_PAX
70952 -+ bool 'Use legacy ELF header marking'
70953 -+ help
70954 -+ Enabling this option will allow you to control PaX features on
70955 -+ a per executable basis via the 'chpax' utility available at
70956 -+ http://pax.grsecurity.net/. The control flags will be read from
70957 -+ an otherwise reserved part of the ELF header. This marking has
70958 -+ numerous drawbacks (no support for soft-mode, toolchain does not
70959 -+ know about the non-standard use of the ELF header) therefore it
70960 -+ has been deprecated in favour of PT_PAX_FLAGS support.
70961 -+
70962 -+ If you have applications not marked by the PT_PAX_FLAGS ELF
70963 -+ program header then you MUST enable this option otherwise they
70964 -+ will not get any protection.
70965 -+
70966 -+ Note that if you enable PT_PAX_FLAGS marking support as well,
70967 -+ the PT_PAX_FLAG marks will override the legacy EI_PAX marks.
70968 -+
70969 -+config PAX_PT_PAX_FLAGS
70970 -+ bool 'Use ELF program header marking'
70971 -+ help
70972 -+ Enabling this option will allow you to control PaX features on
70973 -+ a per executable basis via the 'paxctl' utility available at
70974 -+ http://pax.grsecurity.net/. The control flags will be read from
70975 -+ a PaX specific ELF program header (PT_PAX_FLAGS). This marking
70976 -+ has the benefits of supporting both soft mode and being fully
70977 -+ integrated into the toolchain (the binutils patch is available
70978 -+ from http://pax.grsecurity.net).
70979 -+
70980 -+ If you have applications not marked by the PT_PAX_FLAGS ELF
70981 -+ program header then you MUST enable the EI_PAX marking support
70982 -+ otherwise they will not get any protection.
70983 -+
70984 -+ Note that if you enable the legacy EI_PAX marking support as well,
70985 -+ the EI_PAX marks will be overridden by the PT_PAX_FLAGS marks.
70986 -+
70987 -+choice
70988 -+ prompt 'MAC system integration'
70989 -+ default PAX_HAVE_ACL_FLAGS
70990 -+ help
70991 -+ Mandatory Access Control systems have the option of controlling
70992 -+ PaX flags on a per executable basis, choose the method supported
70993 -+ by your particular system.
70994 -+
70995 -+ - "none": if your MAC system does not interact with PaX,
70996 -+ - "direct": if your MAC system defines pax_set_initial_flags() itself,
70997 -+ - "hook": if your MAC system uses the pax_set_initial_flags_func callback.
70998 -+
70999 -+ NOTE: this option is for developers/integrators only.
71000 -+
71001 -+ config PAX_NO_ACL_FLAGS
71002 -+ bool 'none'
71003 -+
71004 -+ config PAX_HAVE_ACL_FLAGS
71005 -+ bool 'direct'
71006 -+
71007 -+ config PAX_HOOK_ACL_FLAGS
71008 -+ bool 'hook'
71009 -+endchoice
71010 -+
71011 -+endmenu
71012 -+
71013 -+menu "Non-executable pages"
71014 -+ depends on PAX
71015 -+
71016 -+config PAX_NOEXEC
71017 -+ bool "Enforce non-executable pages"
71018 -+ depends on (PAX_EI_PAX || PAX_PT_PAX_FLAGS || PAX_HAVE_ACL_FLAGS || PAX_HOOK_ACL_FLAGS) && (ALPHA || IA64 || MIPS32 || MIPS64 || PARISC || PPC32 || PPC64 || SPARC32 || SPARC64 || X86 || X86_64)
71019 -+ help
71020 -+ By design some architectures do not allow for protecting memory
71021 -+ pages against execution or even if they do, Linux does not make
71022 -+ use of this feature. In practice this means that if a page is
71023 -+ readable (such as the stack or heap) it is also executable.
71024 -+
71025 -+ There is a well known exploit technique that makes use of this
71026 -+ fact and a common programming mistake where an attacker can
71027 -+ introduce code of his choice somewhere in the attacked program's
71028 -+ memory (typically the stack or the heap) and then execute it.
71029 -+
71030 -+ If the attacked program was running with different (typically
71031 -+ higher) privileges than that of the attacker, then he can elevate
71032 -+ his own privilege level (e.g. get a root shell, write to files for
71033 -+ which he does not have write access to, etc).
71034 -+
71035 -+ Enabling this option will let you choose from various features
71036 -+ that prevent the injection and execution of 'foreign' code in
71037 -+ a program.
71038 -+
71039 -+ This will also break programs that rely on the old behaviour and
71040 -+ expect that dynamically allocated memory via the malloc() family
71041 -+ of functions is executable (which it is not). Notable examples
71042 -+ are the XFree86 4.x server, the java runtime and wine.
71043 -+
71044 -+config PAX_PAGEEXEC
71045 -+ bool "Paging based non-executable pages"
71046 -+ depends on !COMPAT_VDSO && PAX_NOEXEC && (!X86_32 || M586 || M586TSC || M586MMX || M686 || MPENTIUMII || MPENTIUMIII || MPENTIUMM || MCORE2 || MPENTIUM4 || MK7 || MK8 || MWINCHIPC6 || MWINCHIP2 || MWINCHIP3D || MVIAC3_2)
71047 -+ help
71048 -+ This implementation is based on the paging feature of the CPU.
71049 -+ On i386 without hardware non-executable bit support there is a
71050 -+ variable but usually low performance impact, however on Intel's
71051 -+ P4 core based CPUs it is very high so you should not enable this
71052 -+ for kernels meant to be used on such CPUs.
71053 -+
71054 -+ On alpha, avr32, ia64, parisc, sparc, sparc64, x86_64 and i386
71055 -+ with hardware non-executable bit support there is no performance
71056 -+ impact, on ppc the impact is negligible.
71057 -+
71058 -+ Note that several architectures require various emulations due to
71059 -+ badly designed userland ABIs, this will cause a performance impact
71060 -+ but will disappear as soon as userland is fixed (e.g., ppc users
71061 -+ can make use of the secure-plt feature found in binutils).
71062 -+
71063 -+config PAX_SEGMEXEC
71064 -+ bool "Segmentation based non-executable pages"
71065 -+ depends on !COMPAT_VDSO && PAX_NOEXEC && X86_32
71066 -+ help
71067 -+ This implementation is based on the segmentation feature of the
71068 -+ CPU and has a very small performance impact, however applications
71069 -+ will be limited to a 1.5 GB address space instead of the normal
71070 -+ 3 GB.
71071 -+
71072 -+config PAX_EMUTRAMP
71073 -+ bool "Emulate trampolines" if (PAX_PAGEEXEC || PAX_SEGMEXEC) && (PARISC || PPC32 || X86)
71074 -+ default y if PARISC || PPC32
71075 -+ help
71076 -+ There are some programs and libraries that for one reason or
71077 -+ another attempt to execute special small code snippets from
71078 -+ non-executable memory pages. Most notable examples are the
71079 -+ signal handler return code generated by the kernel itself and
71080 -+ the GCC trampolines.
71081 -+
71082 -+ If you enabled CONFIG_PAX_PAGEEXEC or CONFIG_PAX_SEGMEXEC then
71083 -+ such programs will no longer work under your kernel.
71084 -+
71085 -+ As a remedy you can say Y here and use the 'chpax' or 'paxctl'
71086 -+ utilities to enable trampoline emulation for the affected programs
71087 -+ yet still have the protection provided by the non-executable pages.
71088 -+
71089 -+ On parisc and ppc you MUST enable this option and EMUSIGRT as
71090 -+ well, otherwise your system will not even boot.
71091 -+
71092 -+ Alternatively you can say N here and use the 'chpax' or 'paxctl'
71093 -+ utilities to disable CONFIG_PAX_PAGEEXEC and CONFIG_PAX_SEGMEXEC
71094 -+ for the affected files.
71095 -+
71096 -+ NOTE: enabling this feature *may* open up a loophole in the
71097 -+ protection provided by non-executable pages that an attacker
71098 -+ could abuse. Therefore the best solution is to not have any
71099 -+ files on your system that would require this option. This can
71100 -+ be achieved by not using libc5 (which relies on the kernel
71101 -+ signal handler return code) and not using or rewriting programs
71102 -+ that make use of the nested function implementation of GCC.
71103 -+ Skilled users can just fix GCC itself so that it implements
71104 -+ nested function calls in a way that does not interfere with PaX.
71105 -+
71106 -+config PAX_EMUSIGRT
71107 -+ bool "Automatically emulate sigreturn trampolines"
71108 -+ depends on PAX_EMUTRAMP && (PARISC || PPC32)
71109 -+ default y
71110 -+ help
71111 -+ Enabling this option will have the kernel automatically detect
71112 -+ and emulate signal return trampolines executing on the stack
71113 -+ that would otherwise lead to task termination.
71114 -+
71115 -+ This solution is intended as a temporary one for users with
71116 -+ legacy versions of libc (libc5, glibc 2.0, uClibc before 0.9.17,
71117 -+ Modula-3 runtime, etc) or executables linked to such, basically
71118 -+ everything that does not specify its own SA_RESTORER function in
71119 -+ normal executable memory like glibc 2.1+ does.
71120 -+
71121 -+ On parisc and ppc you MUST enable this option, otherwise your
71122 -+ system will not even boot.
71123 -+
71124 -+ NOTE: this feature cannot be disabled on a per executable basis
71125 -+ and since it *does* open up a loophole in the protection provided
71126 -+ by non-executable pages, the best solution is to not have any
71127 -+ files on your system that would require this option.
71128 -+
71129 -+config PAX_MPROTECT
71130 -+ bool "Restrict mprotect()"
71131 -+ depends on (PAX_PAGEEXEC || PAX_SEGMEXEC) && !PPC64
71132 -+ help
71133 -+ Enabling this option will prevent programs from
71134 -+ - changing the executable status of memory pages that were
71135 -+ not originally created as executable,
71136 -+ - making read-only executable pages writable again,
71137 -+ - creating executable pages from anonymous memory.
71138 -+
71139 -+ You should say Y here to complete the protection provided by
71140 -+ the enforcement of non-executable pages.
71141 -+
71142 -+ NOTE: you can use the 'chpax' or 'paxctl' utilities to control
71143 -+ this feature on a per file basis.
71144 -+
71145 -+config PAX_NOELFRELOCS
71146 -+ bool "Disallow ELF text relocations"
71147 -+ depends on PAX_MPROTECT && !PAX_ETEXECRELOCS && (IA64 || X86 || X86_64)
71148 -+ help
71149 -+ Non-executable pages and mprotect() restrictions are effective
71150 -+ in preventing the introduction of new executable code into an
71151 -+ attacked task's address space. There remain only two venues
71152 -+ for this kind of attack: if the attacker can execute already
71153 -+ existing code in the attacked task then he can either have it
71154 -+ create and mmap() a file containing his code or have it mmap()
71155 -+ an already existing ELF library that does not have position
71156 -+ independent code in it and use mprotect() on it to make it
71157 -+ writable and copy his code there. While protecting against
71158 -+ the former approach is beyond PaX, the latter can be prevented
71159 -+ by having only PIC ELF libraries on one's system (which do not
71160 -+ need to relocate their code). If you are sure this is your case,
71161 -+ then enable this option otherwise be careful as you may not even
71162 -+ be able to boot or log on your system (for example, some PAM
71163 -+ modules are erroneously compiled as non-PIC by default).
71164 -+
71165 -+ NOTE: if you are using dynamic ELF executables (as suggested
71166 -+ when using ASLR) then you must have made sure that you linked
71167 -+ your files using the PIC version of crt1 (the et_dyn.tar.gz package
71168 -+ referenced there has already been updated to support this).
71169 -+
71170 -+config PAX_ETEXECRELOCS
71171 -+ bool "Allow ELF ET_EXEC text relocations"
71172 -+ depends on PAX_MPROTECT && (ALPHA || IA64 || PARISC)
71173 -+ default y
71174 -+ help
71175 -+ On some architectures there are incorrectly created applications
71176 -+ that require text relocations and would not work without enabling
71177 -+ this option. If you are an alpha, ia64 or parisc user, you should
71178 -+ enable this option and disable it once you have made sure that
71179 -+ none of your applications need it.
71180 -+
71181 -+config PAX_EMUPLT
71182 -+ bool "Automatically emulate ELF PLT"
71183 -+ depends on PAX_MPROTECT && (ALPHA || PARISC || PPC32 || SPARC32 || SPARC64)
71184 -+ default y
71185 -+ help
71186 -+ Enabling this option will have the kernel automatically detect
71187 -+ and emulate the Procedure Linkage Table entries in ELF files.
71188 -+ On some architectures such entries are in writable memory, and
71189 -+ become non-executable leading to task termination. Therefore
71190 -+ it is mandatory that you enable this option on alpha, parisc,
71191 -+ ppc (if secure-plt is not used throughout in userland), sparc
71192 -+ and sparc64, otherwise your system would not even boot.
71193 -+
71194 -+ NOTE: this feature *does* open up a loophole in the protection
71195 -+ provided by the non-executable pages, therefore the proper
71196 -+ solution is to modify the toolchain to produce a PLT that does
71197 -+ not need to be writable.
71198 -+
71199 -+config PAX_DLRESOLVE
71200 -+ bool
71201 -+ depends on PAX_EMUPLT && (SPARC32 || SPARC64)
71202 -+ default y
71203 -+
71204 -+config PAX_SYSCALL
71205 -+ bool
71206 -+ depends on PAX_PAGEEXEC && PPC32
71207 -+ default y
71208 -+
71209 -+config PAX_KERNEXEC
71210 -+ bool "Enforce non-executable kernel pages"
71211 -+ depends on PAX_NOEXEC && X86_32 && !EFI && !COMPAT_VDSO && X86_WP_WORKS_OK && !PARAVIRT
71212 -+ help
71213 -+ This is the kernel land equivalent of PAGEEXEC and MPROTECT,
71214 -+ that is, enabling this option will make it harder to inject
71215 -+ and execute 'foreign' code in kernel memory itself.
71216 -+
71217 -+endmenu
71218 -+
71219 -+menu "Address Space Layout Randomization"
71220 -+ depends on PAX
71221 -+
71222 -+config PAX_ASLR
71223 -+ bool "Address Space Layout Randomization"
71224 -+ depends on PAX_EI_PAX || PAX_PT_PAX_FLAGS || PAX_HAVE_ACL_FLAGS || PAX_HOOK_ACL_FLAGS
71225 -+ help
71226 -+ Many if not most exploit techniques rely on the knowledge of
71227 -+ certain addresses in the attacked program. The following options
71228 -+ will allow the kernel to apply a certain amount of randomization
71229 -+ to specific parts of the program thereby forcing an attacker to
71230 -+ guess them in most cases. Any failed guess will most likely crash
71231 -+ the attacked program which allows the kernel to detect such attempts
71232 -+ and react on them. PaX itself provides no reaction mechanisms,
71233 -+ instead it is strongly encouraged that you make use of Nergal's
71234 -+ segvguard (ftp://ftp.pl.openwall.com/misc/segvguard/) or grsecurity's
71235 -+ (http://www.grsecurity.net/) built-in crash detection features or
71236 -+ develop one yourself.
71237 -+
71238 -+ By saying Y here you can choose to randomize the following areas:
71239 -+ - top of the task's kernel stack
71240 -+ - top of the task's userland stack
71241 -+ - base address for mmap() requests that do not specify one
71242 -+ (this includes all libraries)
71243 -+ - base address of the main executable
71244 -+
71245 -+ It is strongly recommended to say Y here as address space layout
71246 -+ randomization has negligible impact on performance yet it provides
71247 -+ a very effective protection.
71248 -+
71249 -+ NOTE: you can use the 'chpax' or 'paxctl' utilities to control
71250 -+ this feature on a per file basis.
71251 -+
71252 -+config PAX_RANDKSTACK
71253 -+ bool "Randomize kernel stack base"
71254 -+ depends on PAX_ASLR && X86_TSC && X86_32
71255 -+ help
71256 -+ By saying Y here the kernel will randomize every task's kernel
71257 -+ stack on every system call. This will not only force an attacker
71258 -+ to guess it but also prevent him from making use of possible
71259 -+ leaked information about it.
71260 -+
71261 -+ Since the kernel stack is a rather scarce resource, randomization
71262 -+ may cause unexpected stack overflows, therefore you should very
71263 -+ carefully test your system. Note that once enabled in the kernel
71264 -+ configuration, this feature cannot be disabled on a per file basis.
71265 -+
71266 -+config PAX_RANDUSTACK
71267 -+ bool "Randomize user stack base"
71268 -+ depends on PAX_ASLR
71269 -+ help
71270 -+ By saying Y here the kernel will randomize every task's userland
71271 -+ stack. The randomization is done in two steps where the second
71272 -+ one may apply a big amount of shift to the top of the stack and
71273 -+ cause problems for programs that want to use lots of memory (more
71274 -+ than 2.5 GB if SEGMEXEC is not active, or 1.25 GB when it is).
71275 -+ For this reason the second step can be controlled by 'chpax' or
71276 -+ 'paxctl' on a per file basis.
71277 -+
71278 -+config PAX_RANDMMAP
71279 -+ bool "Randomize mmap() base"
71280 -+ depends on PAX_ASLR
71281 -+ help
71282 -+ By saying Y here the kernel will use a randomized base address for
71283 -+ mmap() requests that do not specify one themselves. As a result
71284 -+ all dynamically loaded libraries will appear at random addresses
71285 -+ and therefore be harder to exploit by a technique where an attacker
71286 -+ attempts to execute library code for his purposes (e.g. spawn a
71287 -+ shell from an exploited program that is running at an elevated
71288 -+ privilege level).
71289 -+
71290 -+ Furthermore, if a program is relinked as a dynamic ELF file, its
71291 -+ base address will be randomized as well, completing the full
71292 -+ randomization of the address space layout. Attacking such programs
71293 -+ becomes a guess game. You can find an example of doing this at
71294 -+ http://pax.grsecurity.net/et_dyn.tar.gz and practical samples at
71295 -+ http://www.grsecurity.net/grsec-gcc-specs.tar.gz .
71296 -+
71297 -+ NOTE: you can use the 'chpax' or 'paxctl' utilities to control this
71298 -+ feature on a per file basis.
71299 -+
71300 -+endmenu
71301 -+
71302 -+menu "Miscellaneous hardening features"
71303 -+
71304 -+config PAX_MEMORY_SANITIZE
71305 -+ bool "Sanitize all freed memory"
71306 -+ help
71307 -+ By saying Y here the kernel will erase memory pages as soon as they
71308 -+ are freed. This in turn reduces the lifetime of data stored in the
71309 -+ pages, making it less likely that sensitive information such as
71310 -+ passwords, cryptographic secrets, etc stay in memory for too long.
71311 -+
71312 -+ This is especially useful for programs whose runtime is short, long
71313 -+ lived processes and the kernel itself benefit from this as long as
71314 -+ they operate on whole memory pages and ensure timely freeing of pages
71315 -+ that may hold sensitive information.
71316 -+
71317 -+ The tradeoff is performance impact, on a single CPU system kernel
71318 -+ compilation sees a 3% slowdown, other systems and workloads may vary
71319 -+ and you are advised to test this feature on your expected workload
71320 -+ before deploying it.
71321 -+
71322 -+ Note that this feature does not protect data stored in live pages,
71323 -+ e.g., process memory swapped to disk may stay there for a long time.
71324 -+
71325 -+config PAX_MEMORY_UDEREF
71326 -+ bool "Prevent invalid userland pointer dereference"
71327 -+ depends on X86_32 && !COMPAT_VDSO
71328 -+ help
71329 -+ By saying Y here the kernel will be prevented from dereferencing
71330 -+ userland pointers in contexts where the kernel expects only kernel
71331 -+ pointers. This is both a useful runtime debugging feature and a
71332 -+ security measure that prevents exploiting a class of kernel bugs.
71333 -+
71334 -+ The tradeoff is that some virtualization solutions may experience
71335 -+ a huge slowdown and therefore you should not enable this feature
71336 -+ for kernels meant to run in such environments. Whether a given VM
71337 -+ solution is affected or not is best determined by simply trying it
71338 -+ out, the performance impact will be obvious right on boot as this
71339 -+ mechanism engages from very early on. A good rule of thumb is that
71340 -+ VMs running on CPUs without hardware virtualization support (i.e.,
71341 -+ the majority of IA-32 CPUs) will likely experience the slowdown.
71342 -+
71343 -+endmenu
71344 -+
71345 -+endmenu
71346 -+
71347 - config KEYS
71348 - bool "Enable access key retention support"
71349 - help
71350 -diff -Nurp linux-2.6.23.15/security/commoncap.c linux-2.6.23.15-grsec/security/commoncap.c
71351 ---- linux-2.6.23.15/security/commoncap.c 2007-10-09 21:31:38.000000000 +0100
71352 -+++ linux-2.6.23.15-grsec/security/commoncap.c 2008-02-11 10:37:45.000000000 +0000
71353 -@@ -22,10 +22,11 @@
71354 - #include <linux/ptrace.h>
71355 - #include <linux/xattr.h>
71356 - #include <linux/hugetlb.h>
71357 -+#include <linux/grsecurity.h>
71358 -
71359 - int cap_netlink_send(struct sock *sk, struct sk_buff *skb)
71360 - {
71361 -- NETLINK_CB(skb).eff_cap = current->cap_effective;
71362 -+ NETLINK_CB(skb).eff_cap = gr_cap_rtnetlink();
71363 - return 0;
71364 - }
71365 -
71366 -@@ -43,7 +44,15 @@ EXPORT_SYMBOL(cap_netlink_recv);
71367 - int cap_capable (struct task_struct *tsk, int cap)
71368 - {
71369 - /* Derived from include/linux/sched.h:capable. */
71370 -- if (cap_raised(tsk->cap_effective, cap))
71371 -+ if (cap_raised (tsk->cap_effective, cap))
71372 -+ return 0;
71373 -+ return -EPERM;
71374 -+}
71375 -+
71376 -+int cap_capable_nolog (struct task_struct *tsk, int cap)
71377 -+{
71378 -+ /* tsk = current for all callers */
71379 -+ if (cap_raised(tsk->cap_effective, cap) && gr_is_capable_nolog(cap))
71380 - return 0;
71381 - return -EPERM;
71382 - }
71383 -@@ -162,8 +171,11 @@ void cap_bprm_apply_creds (struct linux_
71384 - }
71385 - }
71386 -
71387 -- current->suid = current->euid = current->fsuid = bprm->e_uid;
71388 -- current->sgid = current->egid = current->fsgid = bprm->e_gid;
71389 -+ if (!gr_check_user_change(-1, bprm->e_uid, bprm->e_uid))
71390 -+ current->suid = current->euid = current->fsuid = bprm->e_uid;
71391 -+
71392 -+ if (!gr_check_group_change(-1, bprm->e_gid, bprm->e_gid))
71393 -+ current->sgid = current->egid = current->fsgid = bprm->e_gid;
71394 -
71395 - /* For init, we want to retain the capabilities set
71396 - * in the init_task struct. Thus we skip the usual
71397 -@@ -174,6 +186,8 @@ void cap_bprm_apply_creds (struct linux_
71398 - cap_intersect (new_permitted, bprm->cap_effective);
71399 - }
71400 -
71401 -+ gr_handle_chroot_caps(current);
71402 -+
71403 - /* AUD: Audit candidate if current->cap_effective is set */
71404 -
71405 - current->keep_capabilities = 0;
71406 -@@ -319,12 +333,13 @@ int cap_vm_enough_memory(struct mm_struc
71407 - {
71408 - int cap_sys_admin = 0;
71409 -
71410 -- if (cap_capable(current, CAP_SYS_ADMIN) == 0)
71411 -+ if (cap_capable_nolog(current, CAP_SYS_ADMIN) == 0)
71412 - cap_sys_admin = 1;
71413 - return __vm_enough_memory(mm, pages, cap_sys_admin);
71414 - }
71415 -
71416 - EXPORT_SYMBOL(cap_capable);
71417 -+EXPORT_SYMBOL(cap_capable_nolog);
71418 - EXPORT_SYMBOL(cap_settime);
71419 - EXPORT_SYMBOL(cap_ptrace);
71420 - EXPORT_SYMBOL(cap_capget);
71421 -diff -Nurp linux-2.6.23.15/security/dummy.c linux-2.6.23.15-grsec/security/dummy.c
71422 ---- linux-2.6.23.15/security/dummy.c 2007-10-09 21:31:38.000000000 +0100
71423 -+++ linux-2.6.23.15-grsec/security/dummy.c 2008-02-11 10:37:45.000000000 +0000
71424 -@@ -28,6 +28,7 @@
71425 - #include <linux/hugetlb.h>
71426 - #include <linux/ptrace.h>
71427 - #include <linux/file.h>
71428 -+#include <linux/grsecurity.h>
71429 -
71430 - static int dummy_ptrace (struct task_struct *parent, struct task_struct *child)
71431 - {
71432 -@@ -138,8 +139,11 @@ static void dummy_bprm_apply_creds (stru
71433 - }
71434 - }
71435 -
71436 -- current->suid = current->euid = current->fsuid = bprm->e_uid;
71437 -- current->sgid = current->egid = current->fsgid = bprm->e_gid;
71438 -+ if (!gr_check_user_change(-1, bprm->e_uid, bprm->e_uid))
71439 -+ current->suid = current->euid = current->fsuid = bprm->e_uid;
71440 -+
71441 -+ if (!gr_check_group_change(-1, bprm->e_gid, bprm->e_gid))
71442 -+ current->sgid = current->egid = current->fsgid = bprm->e_gid;
71443 -
71444 - dummy_capget(current, &current->cap_effective, &current->cap_inheritable, &current->cap_permitted);
71445 - }
71446 -diff -Nurp linux-2.6.23.15/sound/core/oss/pcm_oss.c linux-2.6.23.15-grsec/sound/core/oss/pcm_oss.c
71447 ---- linux-2.6.23.15/sound/core/oss/pcm_oss.c 2007-10-09 21:31:38.000000000 +0100
71448 -+++ linux-2.6.23.15-grsec/sound/core/oss/pcm_oss.c 2008-02-11 10:37:45.000000000 +0000
71449 -@@ -2880,8 +2880,8 @@ static void snd_pcm_oss_proc_done(struct
71450 - }
71451 - }
71452 - #else /* !CONFIG_SND_VERBOSE_PROCFS */
71453 --#define snd_pcm_oss_proc_init(pcm)
71454 --#define snd_pcm_oss_proc_done(pcm)
71455 -+#define snd_pcm_oss_proc_init(pcm) do {} while (0)
71456 -+#define snd_pcm_oss_proc_done(pcm) do {} while (0)
71457 - #endif /* CONFIG_SND_VERBOSE_PROCFS */
71458 -
71459 - /*
71460 -diff -Nurp linux-2.6.23.15/sound/core/seq/seq_lock.h linux-2.6.23.15-grsec/sound/core/seq/seq_lock.h
71461 ---- linux-2.6.23.15/sound/core/seq/seq_lock.h 2007-10-09 21:31:38.000000000 +0100
71462 -+++ linux-2.6.23.15-grsec/sound/core/seq/seq_lock.h 2008-02-11 10:37:45.000000000 +0000
71463 -@@ -23,10 +23,10 @@ void snd_use_lock_sync_helper(snd_use_lo
71464 - #else /* SMP || CONFIG_SND_DEBUG */
71465 -
71466 - typedef spinlock_t snd_use_lock_t; /* dummy */
71467 --#define snd_use_lock_init(lockp) /**/
71468 --#define snd_use_lock_use(lockp) /**/
71469 --#define snd_use_lock_free(lockp) /**/
71470 --#define snd_use_lock_sync(lockp) /**/
71471 -+#define snd_use_lock_init(lockp) do {} while (0)
71472 -+#define snd_use_lock_use(lockp) do {} while (0)
71473 -+#define snd_use_lock_free(lockp) do {} while (0)
71474 -+#define snd_use_lock_sync(lockp) do {} while (0)
71475 -
71476 - #endif /* SMP || CONFIG_SND_DEBUG */
71477 -
71478 -diff -Nurp linux-2.6.23.15/sound/pci/ac97/ac97_patch.c linux-2.6.23.15-grsec/sound/pci/ac97/ac97_patch.c
71479 ---- linux-2.6.23.15/sound/pci/ac97/ac97_patch.c 2007-10-09 21:31:38.000000000 +0100
71480 -+++ linux-2.6.23.15-grsec/sound/pci/ac97/ac97_patch.c 2008-02-11 10:37:45.000000000 +0000
71481 -@@ -1415,7 +1415,7 @@ static const struct snd_ac97_res_table a
71482 - { AC97_VIDEO, 0x9f1f },
71483 - { AC97_AUX, 0x9f1f },
71484 - { AC97_PCM, 0x9f1f },
71485 -- { } /* terminator */
71486 -+ { 0, 0 } /* terminator */
71487 - };
71488 -
71489 - static int patch_ad1819(struct snd_ac97 * ac97)
71490 -@@ -3489,7 +3489,7 @@ static struct snd_ac97_res_table lm4550_
71491 - { AC97_AUX, 0x1f1f },
71492 - { AC97_PCM, 0x1f1f },
71493 - { AC97_REC_GAIN, 0x0f0f },
71494 -- { } /* terminator */
71495 -+ { 0, 0 } /* terminator */
71496 - };
71497 -
71498 - static int patch_lm4550(struct snd_ac97 *ac97)
71499 -diff -Nurp linux-2.6.23.15/sound/pci/ens1370.c linux-2.6.23.15-grsec/sound/pci/ens1370.c
71500 ---- linux-2.6.23.15/sound/pci/ens1370.c 2007-10-09 21:31:38.000000000 +0100
71501 -+++ linux-2.6.23.15-grsec/sound/pci/ens1370.c 2008-02-11 10:37:45.000000000 +0000
71502 -@@ -453,7 +453,7 @@ static struct pci_device_id snd_audiopci
71503 - { 0x1274, 0x5880, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0, }, /* ES1373 - CT5880 */
71504 - { 0x1102, 0x8938, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0, }, /* Ectiva EV1938 */
71505 - #endif
71506 -- { 0, }
71507 -+ { 0, 0, 0, 0, 0, 0, 0 }
71508 - };
71509 -
71510 - MODULE_DEVICE_TABLE(pci, snd_audiopci_ids);
71511 -diff -Nurp linux-2.6.23.15/sound/pci/intel8x0.c linux-2.6.23.15-grsec/sound/pci/intel8x0.c
71512 ---- linux-2.6.23.15/sound/pci/intel8x0.c 2007-10-09 21:31:38.000000000 +0100
71513 -+++ linux-2.6.23.15-grsec/sound/pci/intel8x0.c 2008-02-11 10:37:45.000000000 +0000
71514 -@@ -436,7 +436,7 @@ static struct pci_device_id snd_intel8x0
71515 - { 0x1022, 0x746d, PCI_ANY_ID, PCI_ANY_ID, 0, 0, DEVICE_INTEL }, /* AMD8111 */
71516 - { 0x1022, 0x7445, PCI_ANY_ID, PCI_ANY_ID, 0, 0, DEVICE_INTEL }, /* AMD768 */
71517 - { 0x10b9, 0x5455, PCI_ANY_ID, PCI_ANY_ID, 0, 0, DEVICE_ALI }, /* Ali5455 */
71518 -- { 0, }
71519 -+ { 0, 0, 0, 0, 0, 0, 0 }
71520 - };
71521 -
71522 - MODULE_DEVICE_TABLE(pci, snd_intel8x0_ids);
71523 -@@ -2044,7 +2044,7 @@ static struct ac97_quirk ac97_quirks[] _
71524 - .type = AC97_TUNE_HP_ONLY
71525 - },
71526 - #endif
71527 -- { } /* terminator */
71528 -+ { 0, 0, 0, 0, NULL, 0 } /* terminator */
71529 - };
71530 -
71531 - static int __devinit snd_intel8x0_mixer(struct intel8x0 *chip, int ac97_clock,
71532 -diff -Nurp linux-2.6.23.15/sound/pci/intel8x0m.c linux-2.6.23.15-grsec/sound/pci/intel8x0m.c
71533 ---- linux-2.6.23.15/sound/pci/intel8x0m.c 2007-10-09 21:31:38.000000000 +0100
71534 -+++ linux-2.6.23.15-grsec/sound/pci/intel8x0m.c 2008-02-11 10:37:45.000000000 +0000
71535 -@@ -240,7 +240,7 @@ static struct pci_device_id snd_intel8x0
71536 - { 0x1022, 0x746d, PCI_ANY_ID, PCI_ANY_ID, 0, 0, DEVICE_INTEL }, /* AMD8111 */
71537 - { 0x10b9, 0x5455, PCI_ANY_ID, PCI_ANY_ID, 0, 0, DEVICE_ALI }, /* Ali5455 */
71538 - #endif
71539 -- { 0, }
71540 -+ { 0, 0, 0, 0, 0, 0, 0 }
71541 - };
71542 -
71543 - MODULE_DEVICE_TABLE(pci, snd_intel8x0m_ids);
71544 -@@ -1261,7 +1261,7 @@ static struct shortname_table {
71545 - { 0x5455, "ALi M5455" },
71546 - { 0x746d, "AMD AMD8111" },
71547 - #endif
71548 -- { 0 },
71549 -+ { 0, NULL },
71550 - };
71551 -
71552 - static int __devinit snd_intel8x0m_probe(struct pci_dev *pci,
71553
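Deleted: hardened-sources/2.6/tags/2.6.23-8/4435_grsec-2.1.10-mute-warnings.patch
===================================================================
--- hardened-sources/2.6/trunk/2.6.23/4435_grsec-2.1.10-mute-warnings.patch 2008-03-30 17:39:03 UTC (rev 86)
+++ hardened-sources/2.6/tags/2.6.23-8/4435_grsec-2.1.10-mute-warnings.patch 2008-04-30 11:33:52 UTC (rev 91)
@@ -1,23 +0,0 @@
-From: Alexander Gabert <gaberta@××××××××.de>
-
-This patch removes the warnings introduced by grsec patch 2.1.9 and later.
-It removes the -W options added by the patch and restores the original
-warning flags of vanilla kernel versions.
-
-Acked-by: Christian Heim <phreak@g.o>
-
----
- Makefile | 5 +++--
- 1 file changed, 3 insertions(+), 2 deletions(-)
-
---- a/Makefile
-+++ b/Makefile
-@@ -312,7 +312,7 @@ LINUXINCLUDE := -Iinclude \
-
- CPPFLAGS := -D__KERNEL__ $(LINUXINCLUDE)
-
--CFLAGS := -Wall -W -Wno-unused -Wno-sign-compare -Wundef -Wstrict-prototypes -Wno-trigraphs \
-+CFLAGS := -Wall -Wundef -Wstrict-prototypes -Wno-trigraphs \
- -fno-strict-aliasing -fno-common \
- -Werror-implicit-function-declaration
- AFLAGS := -D__ASSEMBLY__
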
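Copied: hardened-sources/2.6/tags/2.6.23-8/4435_grsec-kconfig-gentoo.patch (from rev 90, hardened-sources/2.6/trunk/2.6.23/4435_grsec-kconfig-gentoo.patch)
===================================================================
--- hardened-sources/2.6/tags/2.6.23-8/4435_grsec-kconfig-gentoo.patch (rev 0)
+++ hardened-sources/2.6/tags/2.6.23-8/4435_grsec-kconfig-gentoo.patch 2008-04-30 11:33:52 UTC (rev 91)
@@ -0,0 +1,117 @@
+From: Kerin Millar <kerframil@×××××.com>
+
+Add a Hardened Gentoo target to the list of security levels. It's
+designed to provide a comparitively high level of security and to be
+generally suitable for as great a majority of the userbase as possible
+(particularly new users). The patch was originally contributed by Ned
+Ludd <solar@g.o>. This instance was revised by the author with
+contributions from Gordon Malm <bugs-gentoo-org-02@××××××.org> for the
+hardened-sources-2.6.23-r9 release where it is now a default.
+
+--- a/grsecurity/Kconfig 2008-03-22 17:27:48.000000000 +0000
++++ b/grsecurity/Kconfig 2008-03-22 17:54:44.000000000 +0000
+@@ -18,7 +18,7 @@
+ choice
+ prompt "Security Level"
+ depends GRKERNSEC
+- default GRKERNSEC_CUSTOM
++ default GRKERNSEC_HARDENED
+
+ config GRKERNSEC_LOW
+ bool "Low"
+@@ -182,6 +182,95 @@
+ - Kernel symbol hiding
+ - Destroy unused shared memory
+ - Prevention of memory exhaustion-based exploits
++
++config GRKERNSEC_HARDENED
++ bool "Hardened [Gentoo]"
++ select GRKERNSEC_KMEM
++ select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
++ select GRKERNSEC_BRUTE
++ select GRKERNSEC_MODSTOP if (MODULES)
++ select GRKERNSEC_HIDESYM
++ select GRKERNSEC_PROC
++ select GRKERNSEC_PROC_USER
++ select GRKERNSEC_PROC_ADD
++ select GRKERNSEC_LINK
++ select GRKERNSEC_FIFO
++ select GRKERNSEC_CHROOT
++ select GRKERNSEC_CHROOT_MOUNT
++ select GRKERNSEC_CHROOT_DOUBLE
++ select GRKERNSEC_CHROOT_PIVOT
++ select GRKERNSEC_CHROOT_CHDIR
++ select GRKERNSEC_CHROOT_CHMOD
++ select GRKERNSEC_CHROOT_FCHDIR
++ select GRKERNSEC_CHROOT_MKNOD
++ select GRKERNSEC_CHROOT_SHMAT
++ select GRKERNSEC_CHROOT_UNIX
++ select GRKERNSEC_CHROOT_FINDTASK
++ select GRKERNSEC_CHROOT_NICE
++ select GRKERNSEC_CHROOT_SYSCTL
++ select GRKERNSEC_CHROOT_CAPS
++ select GRKERNSEC_RESLOG
++ select GRKERNSEC_SIGNAL
++ select GRKERNSEC_FORKFAIL
++ select GRKERNSEC_TIME
++ select GRKERNSEC_PROC_IPADDR
++ select GRKERNSEC_EXECVE
++ select GRKERNSEC_DMESG
++ select GRKERNSEC_RANDNET
++ select GRKERNSEC_SYSCTL
++ select GRKERNSEC_SYSCTL_ON
++ select PAX
++ select PAX_EI_PAX
++ select PAX_PT_PAX_FLAGS
++ select PAX_HAVE_ACL_FLAGS
++ select PAX_NOEXEC
++ select PAX_PAGEEXEC
++ select PAX_SEGMEXEC if (X86 && !X86_64)
++ select PAX_EMUTRAMP if (PARISC)
++ select PAX_EMUSIGRT if (PARISC)
++ select PAX_MPROTECT
++ select PAX_ETEXECRELOCS if (ALPHA || IA64 || PARISC)
++ select PAX_EMUPLT if (ALPHA || PARISC || PPC32 || SPARC32 || SPARC64)
++ select PAX_DLRESOLVE if (SPARC32 || SPARC64)
++ select PAX_SYSCALL if (PPC32)
++ select PAX_KERNEXEC if (X86 && !X86_64 && !EFI && !COMPAT_VDSO && !PARAVIRT && X86_WP_WORKS_OK)
++ select PAX_ASLR
++ select PAX_RANDKSTACK if (X86_TSC && !X86_64)
++ select PAX_RANDUSTACK
++ select PAX_RANDMMAP
++ select PAX_MEMORY_SANITIZE
++ select PAX_MEMORY_UDEREF if (X86_32 && !COMPAT_VDSO)
++ help
++ If you say Y here, a configuration will be used that is endorsed by the
++ Hardened Gentoo project. It is designed to provide a high level of
++ security whilst minimizing the chance of incompatibilities with rare
++ software on your machine. As such, many of the features of grsecurity
++ and PaX will be enabled. For further information, you should view
++ <http://grsecurity.net> and <http://pax.grsecurity.net> as well as the
++ Hardened Gentoo Primer at
++ <http://gentoo.org/proj/en/hardened/primer.xml>.
++
++ You may wish to emerge paxctl which will allow you to toggle specific
++ PaX features on problematic binaries. Note that this only works for ELF
++ binaries that contain a PT_PAX_FLAGS header. In layman's terms this
++ means that, if you need to toggle PaX features on binaries provided by
++ applications that are distributed only in binary format (rather than
++ being built locally from sources), you may need to run paxctl -C on the
++ binaries beforehand so as to add the missing headers.
++
++ When this level is selected, some options cannot be changed. However,
++ you may opt to fully customize the options that are selected by choosing
++ "Custom" in the Security Level menu. You may find it helpful to inherit
++ the options selected by the "Hardened [Gentoo]" level as a starting
++ point for further configuration. To accomplish this, select this level
++ then exit the menuconfig interface, saving changes when prompted. Next,
++ run make menuconfig again and select the "Custom" level.
++
++ Please note that this security level is not designed to be used in
++ virtualized environments. If you intend to run the kernel in a virtual
++ machine then you will probably need to disable the PAX_MEMORY_UDEREF
++ option in order to avoid an unacceptable impact upon performance.
++
+ config GRKERNSEC_CUSTOM
+ bool "Custom"
+ help
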
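Review bot: `select PAX_MPROTECT` is unconditional, but the PaX Kconfig from the grsec patch shown earlier in this commit declares PAX_MPROTECT `depends on (PAX_PAGEEXEC || PAX_SEGMEXEC) && !PPC64`, and a Kconfig `select` forces a symbol on regardless of that symbol's own dependencies, so choosing this level on a PPC64 build (which the PAX symbol's own arch list allows) enables an option its definition excludes. `select PAX_MPROTECT if (!PPC64)` keeps the two in step; the same cross-check is worth doing for PAX_SEGMEXEC, PAX_EMUTRAMP, PAX_EMUSIGRT and PAX_HAVE_ACL_FLAGS, whose definitions are not visible in this commit, while the visible ones (PAX_KERNEXEC, PAX_RANDKSTACK, PAX_MEMORY_UDEREF) already mirror their `depends on`. The last help paragraph tells VM users to disable PAX_MEMORY_UDEREF, yet that symbol is `select`ed by this very level and cannot be turned off while "Hardened [Gentoo]" is chosen. It would be clearer to say `switch the Security Level to "Custom" first and then disable the PAX_MEMORY_UDEREF option`, pointing at the procedure the previous paragraph already describes.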
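Deleted: hardened-sources/2.6/tags/2.6.23-8/4440_grsec-2.1.10-pax_curr_ip-fixes.patch
===================================================================
--- hardened-sources/2.6/trunk/2.6.23/4440_grsec-2.1.10-pax_curr_ip-fixes.patch 2008-03-30 17:39:03 UTC (rev 86)
+++ hardened-sources/2.6/tags/2.6.23-8/4440_grsec-2.1.10-pax_curr_ip-fixes.patch 2008-04-30 11:33:52 UTC (rev 91)
@@ -1,46 +0,0 @@
----
- arch/i386/mm/fault.c | 2 ++
- fs/exec.c | 2 ++
- security/Kconfig | 2 +-
- 3 files changed, 5 insertions(+), 1 deletion(-)
-
---- a/arch/i386/mm/fault.c
-+++ b/arch/i386/mm/fault.c
-@@ -722,10 +722,12 @@ no_context:
- #else
- else if (init_mm.start_code <= address && address < init_mm.end_code)
- #endif
-+#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
- if (tsk->signal->curr_ip)
- printk(KERN_ERR "PAX: From %u.%u.%u.%u: %s:%d, uid/euid: %u/%u, attempted to modify kernel code",
- NIPQUAD(tsk->signal->curr_ip), tsk->comm, tsk->pid, tsk->uid, tsk->euid);
- else
-+#endif
- printk(KERN_ERR "PAX: %s:%d, uid/euid: %u/%u, attempted to modify kernel code",
- tsk->comm, tsk->pid, tsk->uid, tsk->euid);
- #endif
---- a/fs/exec.c
-+++ b/fs/exec.c
-@@ -1733,9 +1733,11 @@ void pax_report_fault(struct pt_regs *re
- }
- up_read(&mm->mmap_sem);
- }
-+#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
- if (tsk->signal->curr_ip)
- printk(KERN_ERR "PAX: From %u.%u.%u.%u: execution attempt in: %s, %08lx-%08lx %08lx\n", NIPQUAD(tsk->signal->curr_ip), path_fault, start, end, offset);
- else
-+#endif
- printk(KERN_ERR "PAX: execution attempt in: %s, %08lx-%08lx %08lx\n", path_fault, start, end, offset);
- printk(KERN_ERR "PAX: terminating task: %s(%s):%d, uid/euid: %u/%u, "
- "PC: %p, SP: %p\n", path_exec, tsk->comm, tsk->pid,
---- a/security/Kconfig
-+++ b/security/Kconfig
-@@ -10,7 +10,7 @@ menu "PaX"
-
- config PAX
- bool "Enable various PaX features"
-- depends on GRKERNSEC && (ALPHA || ARM || AVR32 || IA64 || MIPS32 || MIPS64 || PARISC || PPC32 || PPC64 || SPARC32 || SPARC64 || X86 || X86_64)
-+ depends on (ALPHA || ARM || AVR32 || IA64 || MIPS32 || MIPS64 || PARISC || PPC32 || PPC64 || SPARC32 || SPARC64 || X86 || X86_64)
- help
- This allows you to enable various PaX features. PaX adds
- intrusion prevention mechanisms to the kernel that reduce
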
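Copied: hardened-sources/2.6/tags/2.6.23-8/4440_selinux-avc_audit-log-curr_ip.patch (from rev 90, hardened-sources/2.6/trunk/2.6.23/4440_selinux-avc_audit-log-curr_ip.patch)
===================================================================
--- hardened-sources/2.6/tags/2.6.23-8/4440_selinux-avc_audit-log-curr_ip.patch (rev 0)
+++ hardened-sources/2.6/tags/2.6.23-8/4440_selinux-avc_audit-log-curr_ip.patch 2008-04-30 11:33:52 UTC (rev 91)
@@ -0,0 +1,26 @@
+
+Provides support for a new field ipaddr within the SELinux
+AVC audit log, relying in task_struct->curr_ip (ipv4 only)
+provided by grSecurity patch to be applied before.
+
+Signed-off-by: Lorenzo Hernandez Garcia-Hierro <lorenzo@×××.org>
+---
+
+ security/selinux/avc.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/security/selinux/avc.c
++++ b/security/selinux/avc.c
+@@ -202,6 +202,12 @@ static void avc_dump_query(struct audit_
+ char *scontext;
+ u32 scontext_len;
+
++/* CONFIG_PROC_IPADDR if task-signal-curr_ip patch from lorenzo@×××.org is present */
++#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
++ if (current->signal->curr_ip)
++ audit_log_format(ab, "ipaddr=%u.%u.%u.%u ", NIPQUAD(current->signal->curr_ip));
++#endif /* CONFIG_GRKERNSEC_PROC_IPADDR */
++
+ rc = security_sid_to_context(ssid, &scontext, &scontext_len);
+ if (rc)
+ audit_log_format(ab, "ssid=%d", ssid);
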
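Review bot: The comment added above the `#ifdef` names `CONFIG_PROC_IPADDR`, but the guard it describes is `CONFIG_GRKERNSEC_PROC_IPADDR`, so it points readers at a symbol that appears nowhere else in the patch; `/* CONFIG_GRKERNSEC_PROC_IPADDR: task->signal->curr_ip is supplied by the grsecurity patch applied before this one */` matches both the guard and the patch header. That comment also sits at column 0 inside the body of avc_dump_query while the `if` it introduces is indented, which is out of step with kernel style for a statement-level comment. The address is read from `current`, whereas avc_dump_query receives an `ssid`; if this path can be reached for a subject other than the calling task, the `ipaddr=` field describes the caller rather than the audited subject, which is worth confirming against the call sites, which lie outside this hunk. avc_dump_query itself begins before the hunk.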
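Copied: hardened-sources/2.6/tags/2.6.23-8/4445_grsec-kconfig-default-gids.patch (from rev 90, hardened-sources/2.6/trunk/2.6.23/4445_grsec-kconfig-default-gids.patch)
===================================================================
--- hardened-sources/2.6/tags/2.6.23-8/4445_grsec-kconfig-default-gids.patch (rev 0)
+++ hardened-sources/2.6/tags/2.6.23-8/4445_grsec-kconfig-default-gids.patch 2008-04-30 11:33:52 UTC (rev 91)
@@ -0,0 +1,76 @@
+From: Kerin Millar <kerframil@×××××.com>
+
+grsecurity contains a number of options which allow certain protections
+to be applied to or exempted from members of a given group. However, the
+default GIDs specified in the upstream patch are entirely arbitrary and
+there is no telling which (if any) groups the GIDs will correlate with
+on an end-user's system. Because some users don't pay a great deal of
+attention to the finer points of kernel configuration, it is probably
+wise to specify some reasonable defaults so as to stop careless users
+from shooting themselves in the foot.
+
+--- a/grsecurity/Kconfig 2008-03-22 17:26:35.000000000 +0000
++++ b/grsecurity/Kconfig 2008-03-22 17:27:48.000000000 +0000
+@@ -355,7 +355,7 @@
+ config GRKERNSEC_PROC_GID
+ int "GID for special group"
+ depends on GRKERNSEC_PROC_USERGROUP
+- default 1001
++ default 10
+
+ config GRKERNSEC_PROC_ADD
+ bool "Additional restrictions"
+@@ -550,7 +550,7 @@
+ config GRKERNSEC_AUDIT_GID
+ int "GID for auditing"
+ depends on GRKERNSEC_AUDIT_GROUP
+- default 1007
++ default 100
+
+ config GRKERNSEC_EXECLOG
+ bool "Exec logging"
+@@ -714,7 +714,7 @@
+ config GRKERNSEC_TPE_GID
+ int "GID for untrusted users"
+ depends on GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT
+- default 1005
++ default 100
+ help
+ If you have selected the "Invert GID option" above, setting this
+ GID determines what group TPE restrictions will be *disabled* for.
+@@ -726,7 +726,7 @@
+ config GRKERNSEC_TPE_GID
+ int "GID for trusted users"
+ depends on GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT
+- default 1005
++ default 10
+ help
+ If you have selected the "Invert GID option" above, setting this
+ GID determines what group TPE restrictions will be *disabled* for.
+@@ -768,7 +768,7 @@
+ config GRKERNSEC_SOCKET_ALL_GID
+ int "GID to deny all sockets for"
+ depends on GRKERNSEC_SOCKET_ALL
+- default 1004
++ default 65534
+ help
+ Here you can choose the GID to disable socket access for. Remember to
+ add the users you want socket access disabled for to the GID
+@@ -789,7 +789,7 @@
+ config GRKERNSEC_SOCKET_CLIENT_GID
+ int "GID to deny client sockets for"
+ depends on GRKERNSEC_SOCKET_CLIENT
+- default 1003
++ default 65534
+ help
+ Here you can choose the GID to disable client socket access for.
+ Remember to add the users you want client socket access disabled for to
+@@ -807,7 +807,7 @@
+ config GRKERNSEC_SOCKET_SERVER_GID
+ int "GID to deny server sockets for"
+ depends on GRKERNSEC_SOCKET_SERVER
+- default 1002
++ default 65534
+ help
+ Here you can choose the GID to disable server socket access for.
+ Remember to add the users you want server socket access disabled for to
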
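--- a/hardened-sources/2.6/trunk/2.6.23/4445_grsec-kconfig-gentoo.patch
+++ b/hardened-sources/2.6/tags/2.6.23-8/4445_grsec-kconfig-gentoo.patch
@@ -1,118 +0,0 @@
-From: Kerin Millar <kerframil@×××××.com>
-
-Add a Hardened Gentoo target to the list of security levels. It's
-designed to provide a comparitively high level of security and to be
-generally suitable for as great a majority of the userbase as possible
-(particularly new users). The patch was originally contributed by Ned
-Ludd <solar@g.o>. This instance was revised by the author with
-contributions from Gordon Malm <bugs-gentoo-org-02@××××××.org> for the
-hardened-sources-2.6.23-r9 release where it is now a default.
-
---- a/grsecurity/Kconfig 2008-03-22 17:27:48.000000000 +0000
-+++ b/grsecurity/Kconfig 2008-03-22 17:54:44.000000000 +0000
-@@ -18,7 +18,7 @@
- choice
- prompt "Security Level"
- depends GRKERNSEC
-- default GRKERNSEC_CUSTOM
-+ default GRKERNSEC_HARDENED
-
- config GRKERNSEC_LOW
- bool "Low"
-@@ -182,6 +182,96 @@
- - Kernel symbol hiding
- - Destroy unused shared memory
- - Prevention of memory exhaustion-based exploits
-+
-+config GRKERNSEC_HARDENED
-+ bool "Hardened [Gentoo]"
-+ select GRKERNSEC_KMEM
-+ select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
-+ select GRKERNSEC_BRUTE
-+ select GRKERNSEC_MODSTOP if (MODULES)
-+ select GRKERNSEC_HIDESYM
-+ select GRKERNSEC_PROC
-+ select GRKERNSEC_PROC_USER
-+ select GRKERNSEC_PROC_ADD
-+ select GRKERNSEC_LINK
-+ select GRKERNSEC_FIFO
-+ select GRKERNSEC_CHROOT
-+ select GRKERNSEC_CHROOT_MOUNT
-+ select GRKERNSEC_CHROOT_DOUBLE
-+ select GRKERNSEC_CHROOT_PIVOT
-+ select GRKERNSEC_CHROOT_CHDIR
-+ select GRKERNSEC_CHROOT_CHMOD
-+ select GRKERNSEC_CHROOT_FCHDIR
-+ select GRKERNSEC_CHROOT_MKNOD
-+ select GRKERNSEC_CHROOT_SHMAT
-+ select GRKERNSEC_CHROOT_UNIX
-+ select GRKERNSEC_CHROOT_FINDTASK
-+ select GRKERNSEC_CHROOT_NICE
-+ select GRKERNSEC_CHROOT_SYSCTL
-+ select GRKERNSEC_CHROOT_CAPS
-+ select GRKERNSEC_RESLOG
-+ select GRKERNSEC_SIGNAL
-+ select GRKERNSEC_FORKFAIL
-+ select GRKERNSEC_TIME
-+ select GRKERNSEC_PROC_IPADDR
-+ select GRKERNSEC_EXECVE
-+ select GRKERNSEC_SHM if (SYSVIPC)
-+ select GRKERNSEC_DMESG
-+ select GRKERNSEC_RANDNET
-+ select GRKERNSEC_SYSCTL
-+ select GRKERNSEC_SYSCTL_ON
-+ select PAX
-+ select PAX_EI_PAX
-+ select PAX_PT_PAX_FLAGS
-+ select PAX_HAVE_ACL_FLAGS
-+ select PAX_NOEXEC
-+ select PAX_PAGEEXEC
-+ select PAX_SEGMEXEC if (X86 && !X86_64)
-+ select PAX_EMUTRAMP if (PARISC)
-+ select PAX_EMUSIGRT if (PARISC)
-+ select PAX_MPROTECT
-+ select PAX_ETEXECRELOCS if (ALPHA || IA64 || PARISC)
-+ select PAX_EMUPLT if (ALPHA || PARISC || PPC32 || SPARC32 || SPARC64)
-+ select PAX_DLRESOLVE if (SPARC32 || SPARC64)
-+ select PAX_SYSCALL if (PPC32)
-+ select PAX_KERNEXEC if (X86 && !X86_64 && !EFI && !COMPAT_VDSO && !PARAVIRT && X86_WP_WORKS_OK)
-+ select PAX_ASLR
-+ select PAX_RANDKSTACK if (X86_TSC && !X86_64)
-+ select PAX_RANDUSTACK
-+ select PAX_RANDMMAP
-+ select PAX_MEMORY_SANITIZE
-+ select PAX_MEMORY_UDEREF if (X86_32 && !COMPAT_VDSO)
-+ help
-+ If you say Y here, a configuration will be used that is endorsed by the
-+ Hardened Gentoo project. It is designed to provide a high level of
-+ security whilst minimizing the chance of incompatibilities with rare
-+ software on your machine. As such, many of the features of grsecurity
-+ and PaX will be enabled. For further information, you should view
-+ <http://grsecurity.net> and <http://pax.grsecurity.net> as well as the
-+ Hardened Gentoo Primer at
-+ <http://gentoo.org/proj/en/hardened/primer.xml>.
-+
-+ You may wish to emerge paxctl which will allow you to toggle specific
-+ PaX features on problematic binaries. Note that this only works for ELF
-+ binaries that contain a PT_PAX_FLAGS header. In layman's terms this
-+ means that, if you need to toggle PaX features on binaries provided by
-+ applications that are distributed only in binary format (rather than
-+ being built locally from sources), you may need to run paxctl -C on the
-+ binaries beforehand so as to add the missing headers.
-+
-+ When this level is selected, some options cannot be changed. However,
-+ you may opt to fully customize the options that are selected by choosing
-+ "Custom" in the Security Level menu. You may find it helpful to inherit
-+ the options selected by the "Hardened [Gentoo]" level as a starting
-+ point for further configuration. To accomplish this, select this level
-+ then exit the menuconfig interface, saving changes when prompted. Next,
-+ run make menuconfig again and select the "Custom" level.
-+
-+ Please note that this security level is not designed to be used in
-+ virtualized environments. If you intend to run the kernel in a virtual
-+ machine then you will probably need to disable the PAX_MEMORY_UDEREF
-+ option in order to avoid an unacceptable impact upon performance.
-+
- config GRKERNSEC_CUSTOM
- bool "Custom"
- help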
71995
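--- a/hardened-sources/2.6/tags/2.6.23-8/4450_disable-compat_vdso.patch
+++ b/hardened-sources/2.6/tags/2.6.23-8/4450_disable-compat_vdso.patch
@@ -0,0 +1,65 @@
+From: Gordon Malm <bugs-gentoo-org-02@××××××.org>
+From: Kerin Millar <kerframil@×××××.com>
+
+COMPAT_VDSO is inappropriate for any modern Hardened Gentoo system. It
+conflicts with various parts of PaX, crashing the system if enabled
+while PaX's NOEXEC or UDEREF features are active. Moreover, it prevents
+a number of important PaX options from appearing in the configuration
+menu, including all PaX NOEXEC implementations. Unfortunately, the
+reason for the disappearance of these PaX configuration options is
+often far from obvious to inexperienced users.
+
+Therefore, we disable the COMPAT_VDSO menu entry entirely. However,
+COMPAT_VDSO operation can still be enabled via bootparam and sysctl
+interfaces. Consequently, we must also disable the ability to select
+COMPAT_VDSO operation at boot or runtime. Here we patch the kernel so
+that selecting COMPAT_VDSO operation at boot/runtime has no effect if
+conflicting PaX options are enabled, leaving VDSO_ENABLED operation
+intact.
+
+Closes bug: http://bugs.gentoo.org/show_bug.cgi?id=210138
+
+--- a/arch/i386/Kconfig 2008-02-14 17:46:47.000000000 +0000
++++ b/arch/i386/Kconfig 2008-02-14 17:57:03.000000000 +0000
+@@ -915,16 +915,8 @@
+ /sys/devices/system/cpu.
+
+ config COMPAT_VDSO
+- bool "Compat VDSO support"
++ bool
+ default n
+- help
+- Map the VDSO to the predictable old-style address too.
+- ---help---
+- Say N here if you are running a sufficiently recent glibc
+- version (2.3.3 or later), to remove the high-mapped
+- VDSO mapping and to exclusively use the randomized VDSO.
+-
+- If unsure, say Y.
+
+ endmenu
+
+--- a/arch/i386/kernel/sysenter.c
++++ b/arch/i386/kernel/sysenter.c
+@@ -278,9 +278,11 @@ int arch_setup_additional_pages(struct l
+
+ map_compat_vdso(compat);
+
++#if !defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_MEMORY_UDEREF)
+ if (compat)
+ addr = VDSO_HIGH_BASE;
+ else {
++#endif
+ addr = get_unmapped_area(NULL, 0, PAGE_SIZE, 0, MAP_EXECUTABLE);
+ if (IS_ERR_VALUE(addr)) {
+ ret = addr;
+@@ -304,7 +306,9 @@ int arch_setup_additional_pages(struct l
+
+ if (ret)
+ goto up_fail;
++#if !defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_MEMORY_UDEREF)
+ }
++#endif
+
+ current->mm->context.vdso = addr;
+ current_thread_info()->sysenter_return =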
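Review bot: In the sysenter.c hunk the `#if !defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_MEMORY_UDEREF)` guard only removes the `addr = VDSO_HIGH_BASE;` branch, while `map_compat_vdso(compat);` two lines above stays unconditional; if that helper still installs the fixed high VDSO mapping when `compat` is set (its body is outside the hunk), a compat request via the boot parameter or sysctl would still leave a predictable executable mapping in every process even though `context.vdso` points at the randomized copy. The description promises that selecting COMPAT_VDSO "has no effect" under the conflicting PaX options, so the guard should cover the mapping as well, e.g. add `compat = 0;` inside the same `#if` before the `map_compat_vdso(compat);` call (or wrap that call in the same condition) so the fixmap is never populated in those builds. A short comment above the `#if`, such as `/* PaX NOEXEC/UDEREF: never honour compat VDSO placement */`, would also explain why the `else {` brace is split across two preprocessor blocks. The enclosing arch_setup_additional_pages() starts and ends outside the hunk.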
72066
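--- a/hardened-sources/2.6/trunk/2.6.23/4450_selinux-avc_audit-log-curr_ip.patch
+++ b/hardened-sources/2.6/tags/2.6.23-8/4450_selinux-avc_audit-log-curr_ip.patch
@@ -1,26 +0,0 @@
-
-Provides support for a new field ipaddr within the SELinux
-AVC audit log, relying in task_struct->curr_ip (ipv4 only)
-provided by grSecurity patch to be applied before.
-
-Signed-off-by: Lorenzo Hernandez Garcia-Hierro <lorenzo@×××.org>
----
-
- security/selinux/avc.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
---- a/security/selinux/avc.c
-+++ b/security/selinux/avc.c
-@@ -202,6 +202,12 @@ static void avc_dump_query(struct audit_
- char *scontext;
- u32 scontext_len;
-
-+/* CONFIG_PROC_IPADDR if task-signal-curr_ip patch from lorenzo@×××.org is present */
-+#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
-+ if (current->signal->curr_ip)
-+ audit_log_format(ab, "ipaddr=%u.%u.%u.%u ", NIPQUAD(current->signal->curr_ip));
-+#endif /* CONFIG_GRKERNSEC_PROC_IPADDR */
-+
- rc = security_sid_to_context(ssid, &scontext, &scontext_len);
- if (rc)
- audit_log_format(ab, "ssid=%d", ssid);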
72098
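--- a/hardened-sources/2.6/trunk/2.6.23/4455_grsec-kconfig-default-gids.patch
+++ b/hardened-sources/2.6/tags/2.6.23-8/4455_grsec-kconfig-default-gids.patch
@@ -1,76 +0,0 @@
-From: Kerin Millar <kerframil@×××××.com>
-
-grsecurity contains a number of options which allow certain protections
-to be applied to or exempted from members of a given group. However, the
-default GIDs specified in the upstream patch are entirely arbitrary and
-there is no telling which (if any) groups the GIDs will correlate with
-on an end-user's system. Because some users don't pay a great deal of
-attention to the finer points of kernel configuration, it is probably
-wise to specify some reasonable defaults so as to stop careless users
-from shooting themselves in the foot.
-
---- a/grsecurity/Kconfig 2008-03-22 17:26:35.000000000 +0000
-+++ b/grsecurity/Kconfig 2008-03-22 17:27:48.000000000 +0000
-@@ -355,7 +355,7 @@
- config GRKERNSEC_PROC_GID
- int "GID for special group"
- depends on GRKERNSEC_PROC_USERGROUP
-- default 1001
-+ default 10
-
- config GRKERNSEC_PROC_ADD
- bool "Additional restrictions"
-@@ -550,7 +550,7 @@
- config GRKERNSEC_AUDIT_GID
- int "GID for auditing"
- depends on GRKERNSEC_AUDIT_GROUP
-- default 1007
-+ default 100
-
- config GRKERNSEC_EXECLOG
- bool "Exec logging"
-@@ -714,7 +714,7 @@
- config GRKERNSEC_TPE_GID
- int "GID for untrusted users"
- depends on GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT
-- default 1005
-+ default 100
- help
- If you have selected the "Invert GID option" above, setting this
- GID determines what group TPE restrictions will be *disabled* for.
-@@ -726,7 +726,7 @@
- config GRKERNSEC_TPE_GID
- int "GID for trusted users"
- depends on GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT
-- default 1005
-+ default 10
- help
- If you have selected the "Invert GID option" above, setting this
- GID determines what group TPE restrictions will be *disabled* for.
-@@ -768,7 +768,7 @@
- config GRKERNSEC_SOCKET_ALL_GID
- int "GID to deny all sockets for"
- depends on GRKERNSEC_SOCKET_ALL
-- default 1004
-+ default 65534
- help
- Here you can choose the GID to disable socket access for. Remember to
- add the users you want socket access disabled for to the GID
-@@ -789,7 +789,7 @@
- config GRKERNSEC_SOCKET_CLIENT_GID
- int "GID to deny client sockets for"
- depends on GRKERNSEC_SOCKET_CLIENT
-- default 1003
-+ default 65534
- help
- Here you can choose the GID to disable client socket access for.
- Remember to add the users you want client socket access disabled for to
-@@ -807,7 +807,7 @@
- config GRKERNSEC_SOCKET_SERVER_GID
- int "GID to deny server sockets for"
- depends on GRKERNSEC_SOCKET_SERVER
-- default 1002
-+ default 65534
- help
- Here you can choose the GID to disable server socket access for.
- Remember to add the users you want server socket access disabled for to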
72180
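--- a/hardened-sources/2.6/tags/2.6.23-8/4455_pax-hook-build-error.patch
+++ b/hardened-sources/2.6/tags/2.6.23-8/4455_pax-hook-build-error.patch
@@ -0,0 +1,33 @@
+From: Kerin Millar <kerframil@×××××.com>
+
+Fix build error where PAX_HOOK_ACL_FLAGS is enabled along with 32-bit
+ELF support on x86_64/ia64 platforms. Closes gentoo bug 208331.
+
+--- a/fs/binfmt_elf.c 2008-02-09 00:01:18.000000000 +0100
++++ b/fs/binfmt_elf.c 2008-03-08 01:49:25.000000000 +0100
+@@ -47,11 +47,6 @@
+ #include <asm/desc.h>
+ #endif
+
+-#ifdef CONFIG_PAX_HOOK_ACL_FLAGS
+-void (*pax_set_initial_flags_func)(struct linux_binprm *bprm);
+-EXPORT_SYMBOL(pax_set_initial_flags_func);
+-#endif
+-
+ static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs);
+ static int load_elf_library(struct file *);
+ static unsigned long elf_map (struct file *, unsigned long, struct elf_phdr *, int, int);
+--- a/fs/exec.c 2008-02-09 00:01:18.000000000 +0100
++++ b/fs/exec.c 2008-03-08 01:49:02.000000000 +0100
+@@ -61,6 +61,11 @@
+ #include <linux/kmod.h>
+ #endif
+
++#ifdef CONFIG_PAX_HOOK_ACL_FLAGS
++void (*pax_set_initial_flags_func)(struct linux_binprm *bprm);
++EXPORT_SYMBOL(pax_set_initial_flags_func);
++#endif
++
+ int core_uses_pid;
+ char core_pattern[CORENAME_MAX_SIZE] = "core";
+ int suid_dumpable = 0;
\ No newline at end of file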
72220
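--- a/hardened-sources/2.6/tags/2.6.23-8/4460_acct_stack_growth-null-deref.patch
+++ b/hardened-sources/2.6/tags/2.6.23-8/4460_acct_stack_growth-null-deref.patch
@@ -0,0 +1,42 @@
+At some point the execve() code was changed in terms of how it sets up
+the new task's address space, in particular, how the initial stack was
+initialized, allowing "unlimited" number of args/env/etc. This was done
+by making use of the already present and established mm struct of the
+new task and the normal VM logic that deals with automatic userland
+stack expansion.
+
+However, this broke assumptions elsewhere in the kernel where
+current->mm was used in accounting code and which happened to be NULL
+for kernel threads. In this case, acct_stack_growth() wasn't making use
+of the new security_vm_enough_memory_mm() function as needed. This is
+pertinent to PaX users because only PaX performs "sub-page" stack
+randomization, so it can cause the one page of the initial stack to run
+out and trigger a stack expansion. Unfortunately, it may be a kernel
+thread that does this.
+
+This patch closes bug 210022. For further information:
+
+ http://bugs.gentoo.org/show_bug.cgi?id=210022 and
+ http://forums.grsecurity.net/viewtopic.php?f=3&t=1873
+
+Thanks to cilly <cilly@××××××××××.nu> for raising the matter and tracking down
+the appropriate patch.
+
+This patch is present in upstream grsecurity patches as of
+pax-linux-2.6.24-test9.patch. This patch can be dropped for any
+hardened-sources-2.6.24 based upon pax-linux-2.6.24-test9.patch or
+later.
+
+Acked-by: Kerin Millar <kerframil@×××××.com>
+
+--- a/mm/mmap.c 2008-02-14 20:14:52.000000000 +0000
++++ b/mm/mmap.c 2008-02-14 20:40:19.000000000 +0000
+@@ -1742,7 +1742,7 @@ static int acct_stack_growth(struct vm_a
+ * Overcommit.. This must be the final test, as it will
+ * update security statistics.
+ */
+- if (security_vm_enough_memory(grow))
++ if (security_vm_enough_memory_mm(mm, grow))
+ return -ENOMEM;
+
+ /* Ok, everything looks good - let it rip */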
72268
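--- a/hardened-sources/2.6/trunk/2.6.23/4460_disable-compat_vdso.patch
+++ b/hardened-sources/2.6/tags/2.6.23-8/4460_disable-compat_vdso.patch
@@ -1,29 +0,0 @@
-From: Kerin Millar <kerframil@×××××.com>
-
-Disable CONFIG_COMPAT_VDSO entirely. It is inappropriate for any Gentoo
-user to activate this option. Moreover, it prevents users from selecting
-a number of important PaX options - notably PAX_PAGEEXEC and
-PAX_SEGMEXEC. Under these circumstances, it is impossible for the user
-to enforce non-executable pages. Unfortunately, this is far from obvious
-to first-time users. Closes bug 210138.
-
---- a/arch/i386/Kconfig 2008-02-14 17:46:47.000000000 +0000
-+++ b/arch/i386/Kconfig 2008-02-14 17:57:03.000000000 +0000
-@@ -915,16 +915,8 @@
- /sys/devices/system/cpu.
-
- config COMPAT_VDSO
-- bool "Compat VDSO support"
-+ bool
- default n
-- help
-- Map the VDSO to the predictable old-style address too.
-- ---help---
-- Say N here if you are running a sufficiently recent glibc
-- version (2.3.3 or later), to remove the high-mapped
-- VDSO mapping and to exclusively use the randomized VDSO.
--
-- If unsure, say Y.
-
- endmenu
-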
72303
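--- a/hardened-sources/2.6/trunk/2.6.23/4465_pax-hook-build-error.patch
+++ b/hardened-sources/2.6/tags/2.6.23-8/4465_pax-hook-build-error.patch
@@ -1,33 +0,0 @@
-From: Kerin Millar <kerframil@×××××.com>
-
-Fix build error where PAX_HOOK_ACL_FLAGS is enabled along with 32-bit
-ELF support on x86_64/ia64 platforms. Closes gentoo bug 208331.
-
---- a/fs/binfmt_elf.c 2008-02-09 00:01:18.000000000 +0100
-+++ b/fs/binfmt_elf.c 2008-03-08 01:49:25.000000000 +0100
-@@ -47,11 +47,6 @@
- #include <asm/desc.h>
- #endif
-
--#ifdef CONFIG_PAX_HOOK_ACL_FLAGS
--void (*pax_set_initial_flags_func)(struct linux_binprm *bprm);
--EXPORT_SYMBOL(pax_set_initial_flags_func);
--#endif
--
- static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs);
- static int load_elf_library(struct file *);
- static unsigned long elf_map (struct file *, unsigned long, struct elf_phdr *, int, int);
---- a/fs/exec.c 2008-02-09 00:01:18.000000000 +0100
-+++ b/fs/exec.c 2008-03-08 01:49:02.000000000 +0100
-@@ -61,6 +61,11 @@
- #include <linux/kmod.h>
- #endif
-
-+#ifdef CONFIG_PAX_HOOK_ACL_FLAGS
-+void (*pax_set_initial_flags_func)(struct linux_binprm *bprm);
-+EXPORT_SYMBOL(pax_set_initial_flags_func);
-+#endif
-+
- int core_uses_pid;
- char core_pattern[CORENAME_MAX_SIZE] = "core";
- int suid_dumpable = 0;
\ No newline at end of file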
72343
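--- a/hardened-sources/2.6/tags/2.6.23-8/4465_pax-vma-mirroring-fixes.patch
+++ b/hardened-sources/2.6/tags/2.6.23-8/4465_pax-vma-mirroring-fixes.patch
@@ -0,0 +1,190 @@
+From: Gordon Malm <bugs-gentoo-org-02@××××××.org>
+
+Backport of various fixes for vma mirroring bugs in SEGMEXEC from 2.6.24
+branch. Closes gentoo bug 198051.
+
+These patches are present in upstream grsecurity patches as of
+pax-linux-2.6.24.2-test29.patch. This patch can be dropped for any
+hardened-sources-2.6.24 based upon pax-linux-2.6.24.2-test29.patch or
+later.
+
+Acked-by: Kerin Millar <kerframil@×××××.com>
+
+diff -urP linux-2.6.23-hardened-r7-orig/mm/memory.c linux-2.6.23-hardened-r7-allfixes-r2/mm/memory.c
+--- linux-2.6.23-hardened-r7-orig/mm/memory.c
++++ linux-2.6.23-hardened-r7-allfixes-r2/mm/memory.c
+@@ -1777,13 +1777,13 @@
+ pte_unmap_nested(pte_m);
+ }
+
+-static void pax_mirror_pte(struct vm_area_struct *vma, unsigned long address, pte_t *pte, spinlock_t *ptl)
++static void pax_mirror_pte(struct vm_area_struct *vma, unsigned long address, pte_t *pte, pmd_t *pmd, spinlock_t *ptl)
+ {
+ struct page *page_m;
+ pte_t entry;
+
+ if (!(vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC))
+- return;
++ goto out;
+
+ entry = *pte;
+ page_m = vm_normal_page(vma, address, entry);
+@@ -1791,9 +1791,9 @@
+ pax_mirror_pfn_pte(vma, address, pte_pfn(entry), ptl);
+ else if (PageAnon(page_m)) {
+ if (pax_find_mirror_vma(vma)) {
+- spin_unlock(ptl);
++ pte_unmap_unlock(pte, ptl);
+ lock_page(page_m);
+- spin_lock(ptl);
++ pte = pte_offset_map_lock(vma->vm_mm, pmd, address, &ptl);
+ if (pte_same(entry, *pte))
+ pax_mirror_anon_pte(vma, address, page_m, ptl);
+ else
+@@ -1801,6 +1801,9 @@
+ }
+ } else
+ pax_mirror_file_pte(vma, address, page_m, ptl);
++
++out:
++ pte_unmap_unlock(pte, ptl);
+ }
+ #endif
+
+@@ -2871,7 +2874,8 @@
+ }
+
+ #ifdef CONFIG_PAX_SEGMEXEC
+- pax_mirror_pte(vma, address, pte, ptl);
++ pax_mirror_pte(vma, address, pte, pmd, ptl);
++ return 0;
+ #endif
+
+ unlock:
+diff -urP linux-2.6.23-hardened-r7-orig/mm/mmap.c linux-2.6.23-hardened-r7-allfixes-r2/mm/mmap.c
+--- linux-2.6.23-hardened-r7-orig/mm/mmap.c
++++ linux-2.6.23-hardened-r7-allfixes-r2/mm/mmap.c
+@@ -877,6 +877,19 @@
+ if (area_m)
+ vma_adjust(area_m, addr_m, next_m->vm_end,
+ next_m->vm_pgoff - pglen, NULL);
++ else if (next_m) {
++ vma_adjust(next_m, addr_m, next_m->vm_end,
++ next_m->vm_pgoff - pglen, NULL);
++ BUG_ON(area == next);
++ BUG_ON(area->vm_mirror);
++ BUG_ON(next_m->anon_vma && next_m->anon_vma != area->anon_vma);
++ area->vm_mirror = next_m;
++ next_m->vm_mirror = area;
++ if (area->anon_vma && !next_m->anon_vma) {
++ next_m->anon_vma = area->anon_vma;
++ anon_vma_link(next_m);
++ }
++ }
+ #endif
+
+ }
+@@ -1244,9 +1257,8 @@
+ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (vm_flags & VM_EXEC)) {
+ vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
+ if (!vma_m) {
+- kmem_cache_free(vm_area_cachep, vma);
+ error = -ENOMEM;
+- goto unacct_error;
++ goto free_vma;
+ }
+ }
+ #endif
+@@ -1274,6 +1286,19 @@
+ if (error)
+ goto unmap_and_free_vma;
+
++#ifdef CONFIG_PAX_SEGMEXEC
++ if (vma_m) {
++ struct mempolicy *pol;
++
++ pol = mpol_copy(vma_policy(vma));
++ if (IS_ERR(pol)) {
++ mpol_free(vma_policy(vma));
++ goto unmap_and_free_vma;
++ }
++ vma_set_policy(vma_m, pol);
++ }
++#endif
++
+ #if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
+ if ((mm->pax_flags & MF_PAX_PAGEEXEC) && !(vma->vm_flags & VM_SPECIAL)) {
+ vma->vm_flags |= VM_PAGEEXEC;
+@@ -1328,6 +1353,14 @@
+ mpol_free(vma_policy(vma));
+ kmem_cache_free(vm_area_cachep, vma);
+ vma = NULL;
++
++#ifdef CONFIG_PAX_SEGMEXEC
++ if (vma_m) {
++ mpol_free(vma_policy(vma_m));
++ kmem_cache_free(vm_area_cachep, vma_m);
++ }
++#endif
++
+ }
+ out:
+ mm->total_vm += len >> PAGE_SHIFT;
+@@ -2539,6 +2572,8 @@
+ struct rb_node **rb_link, *rb_parent;
+ struct mempolicy *pol;
+
++ BUG_ON(vma->vm_mirror);
++
+ /*
+ * If anonymous vma has not yet been faulted, update new pgoff
+ * to match new location, to increase its chance of merging.
+@@ -2584,10 +2619,14 @@
+ {
+ struct vm_area_struct *prev_m;
+ struct rb_node **rb_link_m, *rb_parent_m;
++ struct mempolicy *pol_m;
+
+ BUG_ON(!(vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) || !(vma->vm_flags & VM_EXEC));
+- BUG_ON(vma->vm_mirror || vma_m->vm_mirror || vma_policy(vma));
++ BUG_ON(vma->vm_mirror || vma_m->vm_mirror);
++ BUG_ON(!vma_mpol_equal(vma, vma_m));
++ pol_m = vma_policy(vma_m);
+ *vma_m = *vma;
++ vma_set_policy(vma_m, pol_m);
+ vma_m->vm_start += SEGMEXEC_TASK_SIZE;
+ vma_m->vm_end += SEGMEXEC_TASK_SIZE;
+ vma_m->vm_flags &= ~(VM_WRITE | VM_MAYWRITE | VM_ACCOUNT | VM_LOCKED);
+diff -urP linux-2.6.23-hardened-r7-orig/mm/mprotect.c linux-2.6.23-hardened-r7-allfixes-r2/mm/mprotect.c
+--- linux-2.6.23-hardened-r7-orig/mm/mprotect.c
++++ linux-2.6.23-hardened-r7-allfixes-r2/mm/mprotect.c
+@@ -208,6 +208,8 @@
+ error = split_vma(mm, vma, start, 1);
+ if (error)
+ return -ENOMEM;
++ BUG_ON(!*pprev || (*pprev)->vm_next == vma);
++ *pprev = (*pprev)->vm_next;
+ }
+
+ if (end != vma->vm_end) {
+@@ -266,11 +268,20 @@
+
+ #ifdef CONFIG_PAX_SEGMEXEC
+ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && !(oldflags & VM_EXEC) && (newflags & VM_EXEC)) {
++ struct mempolicy *pol;
++
+ vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
+ if (!vma_m) {
+ error = -ENOMEM;
+ goto fail;
+ }
++ pol = mpol_copy(vma_policy(vma));
++ if (IS_ERR(pol)) {
++ kmem_cache_free(vm_area_cachep, vma_m);
++ error = -ENOMEM;
++ goto fail;
++ }
++ vma_set_policy(vma_m, pol);
+ }
+ #endif
+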
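Review bot: In the mm/memory.c hunk pax_mirror_pte() now releases the pte lock with `pte_unmap_unlock(pte, ptl)` and then calls `lock_page(page_m)` without holding a reference on `page_m`; nothing visible here pins the anonymous page once the lock is dropped, so if reclaim unmaps and frees it before the `pte_same()` recheck, `lock_page()` would act on a freed page. Unless a reference is taken outside the hunk, bracket the window with `get_page(page_m);` before the unlock and `put_page(page_m);` after the recheck. In the mm/mprotect.c `@@ -266` hunk the mpol_copy() failure path frees `vma_m` but leaves the pointer set before `goto fail;`, so the `fail:` path (outside the hunk) must not touch `vma_m`; a `vma_m = NULL;` after the free would make that explicit. Since the `@@ -2871` call site now returns directly after pax_mirror_pte(), a comment there such as `/* pax_mirror_pte() unlocks and unmaps pte; do not use pte/ptl after this call */` would document why it must not fall through to `unlock:`. pax_mirror_pte()'s `else` branch and the enclosing functions of every hunk extend beyond the visible lines.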
72539
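--- a/hardened-sources/2.6/trunk/2.6.23/4470_acct_stack_growth-null-deref.patch
+++ b/hardened-sources/2.6/tags/2.6.23-8/4470_acct_stack_growth-null-deref.patch
@@ -1,42 +0,0 @@
-At some point the execve() code was changed in terms of how it sets up
-the new task's address space, in particular, how the initial stack was
-initialized, allowing "unlimited" number of args/env/etc. This was done
-by making use of the already present and established mm struct of the
-new task and the normal VM logic that deals with automatic userland
-stack expansion.
-
-However, this broke assumptions elsewhere in the kernel where
-current->mm was used in accounting code and which happened to be NULL
-for kernel threads. In this case, acct_stack_growth() wasn't making use
-of the new security_vm_enough_memory_mm() function as needed. This is
-pertinent to PaX users because only PaX performs "sub-page" stack
-randomization, so it can cause the one page of the initial stack to run
-out and trigger a stack expansion. Unfortunately, it may be a kernel
-thread that does this.
-
-This patch closes bug 210022. For further information:
-
- http://bugs.gentoo.org/show_bug.cgi?id=210022 and
- http://forums.grsecurity.net/viewtopic.php?f=3&t=1873
-
-Thanks to cilly <cilly@××××××××××.nu> for raising the matter and tracking down
-the appropriate patch.
-
-This patch is present in upstream grsecurity patches as of
-pax-linux-2.6.24-test9.patch. This patch can be dropped for any
-hardened-sources-2.6.24 based upon pax-linux-2.6.24-test9.patch or
-later.
-
-Acked-by: Kerin Millar <kerframil@×××××.com>
-
---- a/mm/mmap.c 2008-02-14 20:14:52.000000000 +0000
-+++ b/mm/mmap.c 2008-02-14 20:40:19.000000000 +0000
-@@ -1742,7 +1742,7 @@ static int acct_stack_growth(struct vm_a
- * Overcommit.. This must be the final test, as it will
- * update security statistics.
- */
-- if (security_vm_enough_memory(grow))
-+ if (security_vm_enough_memory_mm(mm, grow))
- return -ENOMEM;
-
- /* Ok, everything looks good - let it rip */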
72587
72588 Copied: hardened-sources/2.6/tags/2.6.23-8/4470_vesafb-pmi-kernexec-fix.patch (from rev 90, hardened-sources/2.6/trunk/2.6.23/4470_vesafb-pmi-kernexec-fix.patch)
72589 ===================================================================
72590 --- hardened-sources/2.6/tags/2.6.23-8/4470_vesafb-pmi-kernexec-fix.patch (rev 0)
72591 +++ hardened-sources/2.6/tags/2.6.23-8/4470_vesafb-pmi-kernexec-fix.patch 2008-04-30 11:33:52 UTC (rev 91)
72592 @@ -0,0 +1,60 @@
72593 +From: Kerin Millar <kerframil@×××××.com>
72594 +
72595 +Disable the use of pmi in the vesafb framebuffer driver where the kernel
72596 +is non-modular and PAX_KERNEXEC is enabled, thus resolving a compile
72597 +error. Closes bug 197626.
72598 +
72599 +This patch is present in upstream grsecurity patches as of
72600 +pax-linux-2.6.24.2-test24.patch. This patch can be dropped for any
72601 +hardened-sources-2.6.24 based upon pax-linux-2.6.24.2-test24.patch or
72602 +later.
72603 +
72604 +--- a/drivers/video/vesafb.c 2008-02-14 20:14:52.000000000 +0000
72605 ++++ b/drivers/video/vesafb.c 2008-02-17 21:37:44.000000000 +0000
72606 +@@ -302,10 +302,10 @@ static int __init vesafb_probe(struct pl
72607 +
72608 + #ifdef __i386__
72609 +
72610 +-#ifdef CONFIG_PAX_KERNEXEC
72611 ++#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
72612 + pmi_code = module_alloc_exec(screen_info.vesapm_size);
72613 + if (!pmi_code)
72614 +-#else
72615 ++#elif !defined(CONFIG_PAX_KERNEXEC)
72616 + if (0)
72617 + #endif
72618 +
72619 +@@ -323,13 +323,13 @@ static int __init vesafb_probe(struct pl
72620 + if (ypan || pmi_setpal) {
72621 + unsigned short *pmi_base;
72622 +
72623 +-#ifdef CONFIG_PAX_KERNEXEC
72624 ++#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
72625 + unsigned long cr0;
72626 + #endif
72627 +
72628 + pmi_base = (unsigned short*)phys_to_virt(((unsigned long)screen_info.vesapm_seg << 4) + screen_info.vesapm_off);
72629 +
72630 +-#ifdef CONFIG_PAX_KERNEXEC
72631 ++#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
72632 + pax_open_kernel(cr0);
72633 + memcpy(pmi_code, pmi_base, screen_info.vesapm_size);
72634 + pax_close_kernel(cr0);
72635 +@@ -340,7 +340,7 @@ static int __init vesafb_probe(struct pl
72636 + pmi_start = (void*)((char*)pmi_code + pmi_base[1]);
72637 + pmi_pal = (void*)((char*)pmi_code + pmi_base[2]);
72638 +
72639 +-#ifdef CONFIG_PAX_KERNEXEC
72640 ++#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
72641 + pmi_start -= __KERNEL_TEXT_OFFSET;
72642 + pmi_pal -= __KERNEL_TEXT_OFFSET;
72643 + #endif
72644 +@@ -487,7 +487,7 @@ static int __init vesafb_probe(struct pl
72645 + return 0;
72646 + err:
72647 +
72648 +-#ifdef CONFIG_PAX_KERNEXEC
72649 ++#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
72650 + module_free_exec(NULL, pmi_code);
72651 + #endif
72652 +
72653
72654 Copied: hardened-sources/2.6/tags/2.6.23-8/4475_deselect-kernexec-on-unsupported-arches.patch (from rev 90, hardened-sources/2.6/trunk/2.6.23/4475_deselect-kernexec-on-unsupported-arches.patch)
72655 ===================================================================
72656 --- hardened-sources/2.6/tags/2.6.23-8/4475_deselect-kernexec-on-unsupported-arches.patch (rev 0)
72657 +++ hardened-sources/2.6/tags/2.6.23-8/4475_deselect-kernexec-on-unsupported-arches.patch 2008-04-30 11:33:52 UTC (rev 91)
72658 @@ -0,0 +1,28 @@
72659 +From: nixnut <nixnut@g.o>
72660 +
72661 +KERNEXEC should probably only be enabled on x86 because otherwise
72662 +module.c will look for a header file that doesn't exist on most arches:
72663 +
72664 +#ifdef CONFIG_PAX_KERNEXEC
72665 +#include <asm/desc.h>
72666 +#endif
72667 +
72668 +KERNEXEC is supported on amd64/x86-64 in grsecurity upstream for
72669 +kernel 2.6.24.2 and the KERNEXEC feature selection logic has been
72670 +fixed. This patch should therefore probably be dropped for any
72671 +hardened-sources-2.6.24 based upon grsecurity for linux 2.6.24.2
72672 +or later.
72673 +
72674 +Acked-by: Kerin Millar <kerframil@×××××.com>
72675 +
72676 +--- a/grsecurity/Kconfig 2008-02-14 22:07:34.000000000 +0100
72677 ++++ b/grsecurity/Kconfig 2008-02-15 17:34:37.000000000 +0100
72678 +@@ -143,7 +143,7 @@
72679 + select PAX_EI_PAX
72680 + select PAX_PT_PAX_FLAGS
72681 + select PAX_HAVE_ACL_FLAGS
72682 +- select PAX_KERNEXEC if (!X86_64 && !EFI && !COMPAT_VDSO && !PARAVIRT && X86_WP_WORKS_OK)
72683 ++ select PAX_KERNEXEC if (X86 && !X86_64 && !EFI && !COMPAT_VDSO && !PARAVIRT && X86_WP_WORKS_OK)
72684 + select PAX_MEMORY_UDEREF if (!X86_64 && !COMPAT_VDSO)
72685 + select PAX_RANDKSTACK if (X86_TSC && !X86_64)
72686 + select PAX_SEGMEXEC if (X86 && !X86_64)
72687
72688 Deleted: hardened-sources/2.6/tags/2.6.23-8/4475_pax-vma-mirroring-fixes.patch
72689 ===================================================================
72690 --- hardened-sources/2.6/trunk/2.6.23/4475_pax-vma-mirroring-fixes.patch 2008-03-30 17:39:03 UTC (rev 86)
72691 +++ hardened-sources/2.6/tags/2.6.23-8/4475_pax-vma-mirroring-fixes.patch 2008-04-30 11:33:52 UTC (rev 91)
72692 @@ -1,190 +0,0 @@
72693 -From: Gordon Malm <bugs-gentoo-org-02@××××××.org>
72694 -
72695 -Backport of various fixes for vma mirroring bugs in SEGMEXEC from 2.6.24
72696 -branch. Closes gentoo bug 198051.
72697 -
72698 -These patches are present in upstream grsecurity patches as of
72699 -pax-linux-2.6.24.2-test29.patch. This patch can be dropped for any
72700 -hardened-sources-2.6.24 based upon pax-linux-2.6.24.2-test29.patch or
72701 -later.
72702 -
72703 -Acked-by: Kerin Millar <kerframil@×××××.com>
72704 -
72705 -diff -urP linux-2.6.23-hardened-r7-orig/mm/memory.c linux-2.6.23-hardened-r7-allfixes-r2/mm/memory.c
72706 ---- linux-2.6.23-hardened-r7-orig/mm/memory.c
72707 -+++ linux-2.6.23-hardened-r7-allfixes-r2/mm/memory.c
72708 -@@ -1777,13 +1777,13 @@
72709 - pte_unmap_nested(pte_m);
72710 - }
72711 -
72712 --static void pax_mirror_pte(struct vm_area_struct *vma, unsigned long address, pte_t *pte, spinlock_t *ptl)
72713 -+static void pax_mirror_pte(struct vm_area_struct *vma, unsigned long address, pte_t *pte, pmd_t *pmd, spinlock_t *ptl)
72714 - {
72715 - struct page *page_m;
72716 - pte_t entry;
72717 -
72718 - if (!(vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC))
72719 -- return;
72720 -+ goto out;
72721 -
72722 - entry = *pte;
72723 - page_m = vm_normal_page(vma, address, entry);
72724 -@@ -1791,9 +1791,9 @@
72725 - pax_mirror_pfn_pte(vma, address, pte_pfn(entry), ptl);
72726 - else if (PageAnon(page_m)) {
72727 - if (pax_find_mirror_vma(vma)) {
72728 -- spin_unlock(ptl);
72729 -+ pte_unmap_unlock(pte, ptl);
72730 - lock_page(page_m);
72731 -- spin_lock(ptl);
72732 -+ pte = pte_offset_map_lock(vma->vm_mm, pmd, address, &ptl);
72733 - if (pte_same(entry, *pte))
72734 - pax_mirror_anon_pte(vma, address, page_m, ptl);
72735 - else
72736 -@@ -1801,6 +1801,9 @@
72737 - }
72738 - } else
72739 - pax_mirror_file_pte(vma, address, page_m, ptl);
72740 -+
72741 -+out:
72742 -+ pte_unmap_unlock(pte, ptl);
72743 - }
72744 - #endif
72745 -
72746 -@@ -2871,7 +2874,8 @@
72747 - }
72748 -
72749 - #ifdef CONFIG_PAX_SEGMEXEC
72750 -- pax_mirror_pte(vma, address, pte, ptl);
72751 -+ pax_mirror_pte(vma, address, pte, pmd, ptl);
72752 -+ return 0;
72753 - #endif
72754 -
72755 - unlock:
72756 -diff -urP linux-2.6.23-hardened-r7-orig/mm/mmap.c linux-2.6.23-hardened-r7-allfixes-r2/mm/mmap.c
72757 ---- linux-2.6.23-hardened-r7-orig/mm/mmap.c
72758 -+++ linux-2.6.23-hardened-r7-allfixes-r2/mm/mmap.c
72759 -@@ -877,6 +877,19 @@
72760 - if (area_m)
72761 - vma_adjust(area_m, addr_m, next_m->vm_end,
72762 - next_m->vm_pgoff - pglen, NULL);
72763 -+ else if (next_m) {
72764 -+ vma_adjust(next_m, addr_m, next_m->vm_end,
72765 -+ next_m->vm_pgoff - pglen, NULL);
72766 -+ BUG_ON(area == next);
72767 -+ BUG_ON(area->vm_mirror);
72768 -+ BUG_ON(next_m->anon_vma && next_m->anon_vma != area->anon_vma);
72769 -+ area->vm_mirror = next_m;
72770 -+ next_m->vm_mirror = area;
72771 -+ if (area->anon_vma && !next_m->anon_vma) {
72772 -+ next_m->anon_vma = area->anon_vma;
72773 -+ anon_vma_link(next_m);
72774 -+ }
72775 -+ }
72776 - #endif
72777 -
72778 - }
72779 -@@ -1244,9 +1257,8 @@
72780 - if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (vm_flags & VM_EXEC)) {
72781 - vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
72782 - if (!vma_m) {
72783 -- kmem_cache_free(vm_area_cachep, vma);
72784 - error = -ENOMEM;
72785 -- goto unacct_error;
72786 -+ goto free_vma;
72787 - }
72788 - }
72789 - #endif
72790 -@@ -1274,6 +1286,19 @@
72791 - if (error)
72792 - goto unmap_and_free_vma;
72793 -
72794 -+#ifdef CONFIG_PAX_SEGMEXEC
72795 -+ if (vma_m) {
72796 -+ struct mempolicy *pol;
72797 -+
72798 -+ pol = mpol_copy(vma_policy(vma));
72799 -+ if (IS_ERR(pol)) {
72800 -+ mpol_free(vma_policy(vma));
72801 -+ goto unmap_and_free_vma;
72802 -+ }
72803 -+ vma_set_policy(vma_m, pol);
72804 -+ }
72805 -+#endif
72806 -+
72807 - #if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
72808 - if ((mm->pax_flags & MF_PAX_PAGEEXEC) && !(vma->vm_flags & VM_SPECIAL)) {
72809 - vma->vm_flags |= VM_PAGEEXEC;
72810 -@@ -1328,6 +1353,14 @@
72811 - mpol_free(vma_policy(vma));
72812 - kmem_cache_free(vm_area_cachep, vma);
72813 - vma = NULL;
72814 -+
72815 -+#ifdef CONFIG_PAX_SEGMEXEC
72816 -+ if (vma_m) {
72817 -+ mpol_free(vma_policy(vma_m));
72818 -+ kmem_cache_free(vm_area_cachep, vma_m);
72819 -+ }
72820 -+#endif
72821 -+
72822 - }
72823 - out:
72824 - mm->total_vm += len >> PAGE_SHIFT;
72825 -@@ -2539,6 +2572,8 @@
72826 - struct rb_node **rb_link, *rb_parent;
72827 - struct mempolicy *pol;
72828 -
72829 -+ BUG_ON(vma->vm_mirror);
72830 -+
72831 - /*
72832 - * If anonymous vma has not yet been faulted, update new pgoff
72833 - * to match new location, to increase its chance of merging.
72834 -@@ -2584,10 +2619,14 @@
72835 - {
72836 - struct vm_area_struct *prev_m;
72837 - struct rb_node **rb_link_m, *rb_parent_m;
72838 -+ struct mempolicy *pol_m;
72839 -
72840 - BUG_ON(!(vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) || !(vma->vm_flags & VM_EXEC));
72841 -- BUG_ON(vma->vm_mirror || vma_m->vm_mirror || vma_policy(vma));
72842 -+ BUG_ON(vma->vm_mirror || vma_m->vm_mirror);
72843 -+ BUG_ON(!vma_mpol_equal(vma, vma_m));
72844 -+ pol_m = vma_policy(vma_m);
72845 - *vma_m = *vma;
72846 -+ vma_set_policy(vma_m, pol_m);
72847 - vma_m->vm_start += SEGMEXEC_TASK_SIZE;
72848 - vma_m->vm_end += SEGMEXEC_TASK_SIZE;
72849 - vma_m->vm_flags &= ~(VM_WRITE | VM_MAYWRITE | VM_ACCOUNT | VM_LOCKED);
72850 -diff -urP linux-2.6.23-hardened-r7-orig/mm/mprotect.c linux-2.6.23-hardened-r7-allfixes-r2/mm/mprotect.c
72851 ---- linux-2.6.23-hardened-r7-orig/mm/mprotect.c
72852 -+++ linux-2.6.23-hardened-r7-allfixes-r2/mm/mprotect.c
72853 -@@ -208,6 +208,8 @@
72854 - error = split_vma(mm, vma, start, 1);
72855 - if (error)
72856 - return -ENOMEM;
72857 -+ BUG_ON(!*pprev || (*pprev)->vm_next == vma);
72858 -+ *pprev = (*pprev)->vm_next;
72859 - }
72860 -
72861 - if (end != vma->vm_end) {
72862 -@@ -266,11 +268,20 @@
72863 -
72864 - #ifdef CONFIG_PAX_SEGMEXEC
72865 - if ((mm->pax_flags & MF_PAX_SEGMEXEC) && !(oldflags & VM_EXEC) && (newflags & VM_EXEC)) {
72866 -+ struct mempolicy *pol;
72867 -+
72868 - vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
72869 - if (!vma_m) {
72870 - error = -ENOMEM;
72871 - goto fail;
72872 - }
72873 -+ pol = mpol_copy(vma_policy(vma));
72874 -+ if (IS_ERR(pol)) {
72875 -+ kmem_cache_free(vm_area_cachep, vma_m);
72876 -+ error = -ENOMEM;
72877 -+ goto fail;
72878 -+ }
72879 -+ vma_set_policy(vma_m, pol);
72880 - }
72881 - #endif
72882 -
72883
72884 Copied: hardened-sources/2.6/tags/2.6.23-8/4480_ia64-modular-kernel-compile-fix.patch (from rev 90, hardened-sources/2.6/trunk/2.6.23/4480_ia64-modular-kernel-compile-fix.patch)
72885 ===================================================================
72886 --- hardened-sources/2.6/tags/2.6.23-8/4480_ia64-modular-kernel-compile-fix.patch (rev 0)
72887 +++ hardened-sources/2.6/tags/2.6.23-8/4480_ia64-modular-kernel-compile-fix.patch 2008-04-30 11:33:52 UTC (rev 91)
72888 @@ -0,0 +1,22 @@
72889 +From: Gordon Malm <bugs-gentoo-org-02@××××××.org>
72890 +
72891 +ia64: Fix kernel compile failure with loadable module support enabled.
72892 +
72893 +This patch is present in upstream grsecurity patches as of
72894 +pax-linux-2.6.24.1-test12.patch. This patch can be dropped for any
72895 +hardened-sources-2.6.24 based upon pax-linux-2.6.24.1-test12.patch or
72896 +later.
72897 +
72898 +Acked-by: Kerin Millar <kerframil@×××××.com>
72899 +
72900 +--- a/arch/ia64/kernel/module.c
72901 ++++ b/arch/ia64/kernel/module.c
72902 +@@ -531,7 +531,7 @@ in_core_rw (const struct module *mod, ui
72903 + static inline int
72904 + in_core (const struct module *mod, uint64_t addr)
72905 + {
72906 +- return in_core_rx(mod, value) || in_core_rw(mod, value);
72907 ++ return in_core_rx(mod, addr) || in_core_rw(mod, addr);
72908 + }
72909 +
72910 + static inline int
72911
72912 Deleted: hardened-sources/2.6/tags/2.6.23-8/4480_vesafb-pmi-kernexec-fix.patch
72913 ===================================================================
72914 --- hardened-sources/2.6/trunk/2.6.23/4480_vesafb-pmi-kernexec-fix.patch 2008-03-30 17:39:03 UTC (rev 86)
72915 +++ hardened-sources/2.6/tags/2.6.23-8/4480_vesafb-pmi-kernexec-fix.patch 2008-04-30 11:33:52 UTC (rev 91)
72916 @@ -1,60 +0,0 @@
72917 -From: Kerin Millar <kerframil@×××××.com>
72918 -
72919 -Disable the use of pmi in the vesafb framebuffer driver where the kernel
72920 -is non-modular and PAX_KERNEXEC is enabled, thus resolving a compile
72921 -error. Closes bug 197626.
72922 -
72923 -This patch is present in upstream grsecurity patches as of
72924 -pax-linux-2.6.24.2-test24.patch. This patch can be dropped for any
72925 -hardened-sources-2.6.24 based upon pax-linux-2.6.24.2-test24.patch or
72926 -later.
72927 -
72928 ---- a/drivers/video/vesafb.c 2008-02-14 20:14:52.000000000 +0000
72929 -+++ b/drivers/video/vesafb.c 2008-02-17 21:37:44.000000000 +0000
72930 -@@ -302,10 +302,10 @@ static int __init vesafb_probe(struct pl
72931 -
72932 - #ifdef __i386__
72933 -
72934 --#ifdef CONFIG_PAX_KERNEXEC
72935 -+#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
72936 - pmi_code = module_alloc_exec(screen_info.vesapm_size);
72937 - if (!pmi_code)
72938 --#else
72939 -+#elif !defined(CONFIG_PAX_KERNEXEC)
72940 - if (0)
72941 - #endif
72942 -
72943 -@@ -323,13 +323,13 @@ static int __init vesafb_probe(struct pl
72944 - if (ypan || pmi_setpal) {
72945 - unsigned short *pmi_base;
72946 -
72947 --#ifdef CONFIG_PAX_KERNEXEC
72948 -+#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
72949 - unsigned long cr0;
72950 - #endif
72951 -
72952 - pmi_base = (unsigned short*)phys_to_virt(((unsigned long)screen_info.vesapm_seg << 4) + screen_info.vesapm_off);
72953 -
72954 --#ifdef CONFIG_PAX_KERNEXEC
72955 -+#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
72956 - pax_open_kernel(cr0);
72957 - memcpy(pmi_code, pmi_base, screen_info.vesapm_size);
72958 - pax_close_kernel(cr0);
72959 -@@ -340,7 +340,7 @@ static int __init vesafb_probe(struct pl
72960 - pmi_start = (void*)((char*)pmi_code + pmi_base[1]);
72961 - pmi_pal = (void*)((char*)pmi_code + pmi_base[2]);
72962 -
72963 --#ifdef CONFIG_PAX_KERNEXEC
72964 -+#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
72965 - pmi_start -= __KERNEL_TEXT_OFFSET;
72966 - pmi_pal -= __KERNEL_TEXT_OFFSET;
72967 - #endif
72968 -@@ -487,7 +487,7 @@ static int __init vesafb_probe(struct pl
72969 - return 0;
72970 - err:
72971 -
72972 --#ifdef CONFIG_PAX_KERNEXEC
72973 -+#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
72974 - module_free_exec(NULL, pmi_code);
72975 - #endif
72976 -
72977
72978 Deleted: hardened-sources/2.6/tags/2.6.23-8/4485_deselect-kernexec-on-unsupported-arches.patch
72979 ===================================================================
72980 --- hardened-sources/2.6/trunk/2.6.23/4485_deselect-kernexec-on-unsupported-arches.patch 2008-03-30 17:39:03 UTC (rev 86)
72981 +++ hardened-sources/2.6/tags/2.6.23-8/4485_deselect-kernexec-on-unsupported-arches.patch 2008-04-30 11:33:52 UTC (rev 91)
72982 @@ -1,30 +0,0 @@
72983 -From: nixnut <nixnut@g.o>
72984 -
72985 -KERNEXEC should probably only be enabled on x86 because otherwise
72986 -module.c will look for a header file that doesn't exist on most arches:
72987 -
72988 -#ifdef CONFIG_PAX_KERNEXEC
72989 -#include <asm/desc.h>
72990 -#endif
72991 -
72992 -Currently it is also enabled on ppc if the security level is set to
72993 -'high' (GRKERNSEC_HIGH).
72994 -
72995 -KERNEXEC is supported on amd64/x86-64 in grsecurity upstream for
72996 -linux kernel 2.6.24.2. This patch should therefore probably be
72997 -dropped for any hardened-sources-2.6.24 based upon grsecurity
72998 -patches for linux kernel 2.6.24.2.
72999 -
73000 -Acked-by: Kerin Millar <kerframil@×××××.com>
73001 -
73002 ---- a/grsecurity/Kconfig 2008-02-14 22:07:34.000000000 +0100
73003 -+++ b/grsecurity/Kconfig 2008-02-15 17:34:37.000000000 +0100
73004 -@@ -143,7 +143,7 @@
73005 - select PAX_EI_PAX
73006 - select PAX_PT_PAX_FLAGS
73007 - select PAX_HAVE_ACL_FLAGS
73008 -- select PAX_KERNEXEC if (!X86_64 && !EFI && !COMPAT_VDSO && !PARAVIRT && X86_WP_WORKS_OK)
73009 -+ select PAX_KERNEXEC if (X86 && !X86_64 && !EFI && !COMPAT_VDSO && !PARAVIRT && X86_WP_WORKS_OK)
73010 - select PAX_MEMORY_UDEREF if (!X86_64 && !COMPAT_VDSO)
73011 - select PAX_RANDKSTACK if (X86_TSC && !X86_64)
73012 - select PAX_SEGMEXEC if (X86 && !X86_64)
73013
73014 Copied: hardened-sources/2.6/tags/2.6.23-8/4485_grsec-ptrace-recursive-lock-fix.patch (from rev 90, hardened-sources/2.6/trunk/2.6.23/4485_grsec-ptrace-recursive-lock-fix.patch)
73015 ===================================================================
73016 --- hardened-sources/2.6/tags/2.6.23-8/4485_grsec-ptrace-recursive-lock-fix.patch (rev 0)
73017 +++ hardened-sources/2.6/tags/2.6.23-8/4485_grsec-ptrace-recursive-lock-fix.patch 2008-04-30 11:33:52 UTC (rev 91)
73018 @@ -0,0 +1,22 @@
73019 +From: Gordon Malm <bugs-gentoo-org-02@××××××.org>
73020 +
73021 +Fix a recursive lock -- call to capable() within ptrace_attach().
73022 +
73023 +This patch is present in upstream grsecurity patches as of
73024 +grsecurity-2.1.11-2.6.24.3-200803131725.patch. This patch can
73025 +be dropped for any hardened-sources-2.6.24 based on
73026 +grsecurity-2.1.11-2.6.24.3-200803131725.patch or later.
73027 +
73028 +Acked-by: Kerin Millar <kerframil@×××××.com>
73029 +
73030 +--- a/kernel/ptrace.c
73031 ++++ b/kernel/ptrace.c
73032 +@@ -203,7 +203,7 @@ repeat:
73033 + /* Go */
73034 + task->ptrace |= PT_PTRACED | ((task->real_parent != current)
73035 + ? PT_ATTACHED : 0);
73036 +- if (capable(CAP_SYS_PTRACE))
73037 ++ if (capable_nolog(CAP_SYS_PTRACE))
73038 + task->ptrace |= PT_PTRACE_CAP;
73039 +
73040 + __ptrace_link(task, current);
73041
73042 Copied: hardened-sources/2.6/tags/2.6.23-8/4490_grsec-netlink-security-fixes.patch (from rev 90, hardened-sources/2.6/trunk/2.6.23/4490_grsec-netlink-security-fixes.patch)
73043 ===================================================================
73044 --- hardened-sources/2.6/tags/2.6.23-8/4490_grsec-netlink-security-fixes.patch (rev 0)
73045 +++ hardened-sources/2.6/tags/2.6.23-8/4490_grsec-netlink-security-fixes.patch 2008-04-30 11:33:52 UTC (rev 91)
73046 @@ -0,0 +1,162 @@
73047 +From: Gordon Malm <bugs-gentoo-org-02@××××××.org>
73048 +
73049 +Fix bug that allows audit and iscsi operations to be controlled
73050 +via netlink; it should be disallowed by grsec.
73051 +
73052 +More info @ https://bugs.gentoo.org/show_bug.cgi?id=213254
73053 +
73054 +This is grsecurity upstreams' version of the patch submitted
73055 +in the aforementioned bug.
73056 +
73057 +Thanks to cilly <cilly@××××××××××.nu> for bringing the patch to
73058 +our attention. Thanks to Kerin Millar <kerframil@×××××.com> for
73059 +following up with the author of the original patch and reporting
73060 +the matter upstream.
73061 +
73062 +This patch is present in upstream grsecurity patches as of
73063 +grsecurity-2.1.11-2.6.24.3-200803172136.patch. This patch can
73064 +be dropped for any hardened-sources-2.6.24 based on
73065 +grsecurity-2.1.11-2.6.24.3-200803172136.patch or later.
73066 +
73067 +Acked-by: Kerin Millar <kerframil@×××××.com>
73068 +
73069 +--- a/drivers/pci/proc.c
73070 ++++ b/drivers/pci/proc.c
73071 +@@ -469,7 +469,7 @@ static int __init pci_proc_init(void)
73072 + #ifdef CONFIG_GRKERNSEC_PROC_ADD
73073 + #ifdef CONFIG_GRKERNSEC_PROC_USER
73074 + proc_bus_pci_dir = proc_mkdir_mode("pci", S_IRUSR | S_IXUSR, proc_bus);
73075 +-#elif CONFIG_GRKERNSEC_PROC_USERGROUP
73076 ++#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
73077 + proc_bus_pci_dir = proc_mkdir_mode("pci", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, proc_bus);
73078 + #endif
73079 + #else
73080 +--- a/fs/proc/base.c
73081 ++++ b/fs/proc/base.c
73082 +@@ -1102,7 +1102,7 @@ static int pid_getattr(struct vfsmount *
73083 + if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
73084 + #ifdef CONFIG_GRKERNSEC_PROC_USER
73085 + (inode->i_mode == (S_IFDIR|S_IRUSR|S_IXUSR)) ||
73086 +-#elif CONFIG_GRKERNSEC_PROC_USERGROUP
73087 ++#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
73088 + (inode->i_mode == (S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP)) ||
73089 + #endif
73090 + task_dumpable(task)) {
73091 +@@ -1144,7 +1144,7 @@ static int pid_revalidate(struct dentry
73092 + if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
73093 + #ifdef CONFIG_GRKERNSEC_PROC_USER
73094 + (inode->i_mode == (S_IFDIR|S_IRUSR|S_IXUSR)) ||
73095 +-#elif CONFIG_GRKERNSEC_PROC_USERGROUP
73096 ++#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
73097 + (inode->i_mode == (S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP)) ||
73098 + #endif
73099 + task_dumpable(task)) {
73100 +@@ -2265,7 +2265,7 @@ static struct dentry *proc_pid_instantia
73101 +
73102 + #ifdef CONFIG_GRKERNSEC_PROC_USER
73103 + inode->i_mode = S_IFDIR|S_IRUSR|S_IXUSR;
73104 +-#elif CONFIG_GRKERNSEC_PROC_USERGROUP
73105 ++#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
73106 + inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
73107 + inode->i_mode = S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP;
73108 + #else
73109 +--- a/grsecurity/grsec_sock.c
73110 ++++ b/grsecurity/grsec_sock.c
73111 +@@ -16,6 +16,7 @@ extern struct sock *udp_v4_lookup(u32 sa
73112 + EXPORT_SYMBOL(udp_v4_lookup);
73113 + #endif
73114 +
73115 ++__u32 gr_cap_rtnetlink(struct sock *sock);
73116 + EXPORT_SYMBOL(gr_cap_rtnetlink);
73117 +
73118 + extern int gr_search_udp_recvmsg(const struct sock *sk, const struct sk_buff *skb);
73119 +@@ -247,11 +248,21 @@ gr_handle_sock_client(const struct socka
73120 + }
73121 +
73122 + __u32
73123 +-gr_cap_rtnetlink(void)
73124 ++gr_cap_rtnetlink(struct sock *sock)
73125 + {
73126 + #ifdef CONFIG_GRKERNSEC
73127 + if (!gr_acl_is_enabled())
73128 + return current->cap_effective;
73129 ++ else if (sock->sk_protocol == NETLINK_ISCSI &&
73130 ++ cap_raised(current->cap_effective, CAP_SYS_ADMIN) &&
73131 ++ gr_task_is_capable(current, CAP_SYS_ADMIN))
73132 ++ return current->cap_effective;
73133 ++ else if (sock->sk_protocol == NETLINK_AUDIT &&
73134 ++ cap_raised(current->cap_effective, CAP_AUDIT_WRITE) &&
73135 ++ gr_task_is_capable(current, CAP_AUDIT_WRITE) &&
73136 ++ cap_raised(current->cap_effective, CAP_AUDIT_CONTROL) &&
73137 ++ gr_task_is_capable(current, CAP_AUDIT_CONTROL))
73138 ++ return current->cap_effective;
73139 + else if (cap_raised(current->cap_effective, CAP_NET_ADMIN) &&
73140 + gr_task_is_capable(current, CAP_NET_ADMIN))
73141 + return current->cap_effective;
73142 +--- a/include/linux/grsecurity.h
73143 ++++ b/include/linux/grsecurity.h
73144 +@@ -167,7 +167,6 @@ __u32 gr_acl_handle_unix(const struct de
73145 + void gr_acl_handle_exit(void);
73146 + void gr_acl_handle_psacct(struct task_struct *task, const long code);
73147 + int gr_acl_handle_procpidmem(const struct task_struct *task);
73148 +-__u32 gr_cap_rtnetlink(void);
73149 +
73150 + #ifdef CONFIG_SYSVIPC
73151 + void gr_shm_exit(struct task_struct *task);
73152 +--- a/kernel/configs.c
73153 ++++ b/kernel/configs.c
73154 +@@ -82,7 +82,7 @@ static int __init ikconfig_init(void)
73155 + #ifdef CONFIG_GRKERNSEC_PROC_ADD
73156 + #ifdef CONFIG_GRKERNSEC_PROC_USER
73157 + entry = create_proc_entry("config.gz", S_IFREG | S_IRUSR, &proc_root);
73158 +-#elif CONFIG_GRKERNSEC_PROC_USERGROUP
73159 ++#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
73160 + entry = create_proc_entry("config.gz", S_IFREG | S_IRUSR | S_IRGRP, &proc_root);
73161 + #endif
73162 + #else
73163 +--- a/kernel/kallsyms.c
73164 ++++ b/kernel/kallsyms.c
73165 +@@ -496,7 +496,7 @@ static int __init kallsyms_init(void)
73166 + #ifdef CONFIG_GRKERNSEC_PROC_ADD
73167 + #ifdef CONFIG_GRKERNSEC_PROC_USER
73168 + entry = create_proc_entry("kallsyms", S_IFREG | S_IRUSR, NULL);
73169 +-#elif CONFIG_GRKERNSEC_PROC_USERGROUP
73170 ++#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
73171 + entry = create_proc_entry("kallsyms", S_IFREG | S_IRUSR | S_IRGRP, NULL);
73172 + #endif
73173 + #else
73174 +--- a/kernel/resource.c
73175 ++++ b/kernel/resource.c
73176 +@@ -136,7 +136,7 @@ static int __init ioresources_init(void)
73177 + #ifdef CONFIG_GRKERNSEC_PROC_ADD
73178 + #ifdef CONFIG_GRKERNSEC_PROC_USER
73179 + entry = create_proc_entry("ioports", S_IRUSR, NULL);
73180 +-#elif CONFIG_GRKERNSEC_PROC_USERGROUP
73181 ++#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
73182 + entry = create_proc_entry("ioports", S_IRUSR | S_IRGRP, NULL);
73183 + #endif
73184 + #else
73185 +@@ -148,7 +148,7 @@ static int __init ioresources_init(void)
73186 + #ifdef CONFIG_GRKERNSEC_PROC_ADD
73187 + #ifdef CONFIG_GRKERNSEC_PROC_USER
73188 + entry = create_proc_entry("iomem", S_IRUSR, NULL);
73189 +-#elif CONFIG_GRKERNSEC_PROC_USERGROUP
73190 ++#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
73191 + entry = create_proc_entry("iomem", S_IRUSR | S_IRGRP, NULL);
73192 + #endif
73193 + #else
73194 +--- a/security/commoncap.c
73195 ++++ b/security/commoncap.c
73196 +@@ -24,9 +24,11 @@
73197 + #include <linux/hugetlb.h>
73198 + #include <linux/grsecurity.h>
73199 +
73200 ++extern __u32 gr_cap_rtnetlink(struct sock *sk);
73201 ++
73202 + int cap_netlink_send(struct sock *sk, struct sk_buff *skb)
73203 + {
73204 +- NETLINK_CB(skb).eff_cap = gr_cap_rtnetlink();
73205 ++ NETLINK_CB(skb).eff_cap = gr_cap_rtnetlink(sk);
73206 + return 0;
73207 + }
73208 +
73209
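Review bot: The prototype for the new `gr_cap_rtnetlink(struct sock *)` signature is dropped from include/linux/grsecurity.h and re-declared by hand in both grsecurity/grsec_sock.c (`__u32 gr_cap_rtnetlink(struct sock *sock);`) and security/commoncap.c (`extern __u32 gr_cap_rtnetlink(struct sock *sk);`), so the two call sites and the definition can drift apart without the compiler noticing; keeping a single declaration in the header, preceded by a forward `struct sock;` if an incomplete type is why it was moved out, would restore that check. The new NETLINK_ISCSI and NETLINK_AUDIT branches in gr_cap_rtnetlink() also carry no comment on why those protocols are gated on CAP_SYS_ADMIN and on CAP_AUDIT_WRITE plus CAP_AUDIT_CONTROL instead of the CAP_NET_ADMIN test that follows; a one-liner such as `/* NETLINK_ISCSI and NETLINK_AUDIT are not rtnetlink: check their own capabilities via gr_task_is_capable() rather than CAP_NET_ADMIN */` would record the intent. Note that each new branch still returns the full `current->cap_effective` rather than a mask limited to the capability that was checked, matching the existing CAP_NET_ADMIN branch, so the added checks gate who may send but not which capabilities the skb carries. The remainder of gr_cap_rtnetlink() continues outside the hunk.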
73210 Deleted: hardened-sources/2.6/tags/2.6.23-8/4490_ia64-modular-kernel-compile-fix.patch
73211 ===================================================================
73212 --- hardened-sources/2.6/trunk/2.6.23/4490_ia64-modular-kernel-compile-fix.patch 2008-03-30 17:39:03 UTC (rev 86)
73213 +++ hardened-sources/2.6/tags/2.6.23-8/4490_ia64-modular-kernel-compile-fix.patch 2008-04-30 11:33:52 UTC (rev 91)
73214 @@ -1,22 +0,0 @@
73215 -From: Gordon Malm <bugs-gentoo-org-02@××××××.org>
73216 -
73217 -ia64: Fix kernel compile failure with loadable module support enabled.
73218 -
73219 -This patch is present in upstream grsecurity patches as of
73220 -pax-linux-2.6.24.1-test12.patch. This patch can be dropped for any
73221 -hardened-sources-2.6.24 based upon pax-linux-2.6.24.1-test12.patch or
73222 -later.
73223 -
73224 -Acked-by: Kerin Millar <kerframil@×××××.com>
73225 -
73226 ---- a/arch/ia64/kernel/module.c
73227 -+++ b/arch/ia64/kernel/module.c
73228 -@@ -531,7 +531,7 @@ in_core_rw (const struct module *mod, ui
73229 - static inline int
73230 - in_core (const struct module *mod, uint64_t addr)
73231 - {
73232 -- return in_core_rx(mod, value) || in_core_rw(mod, value);
73233 -+ return in_core_rx(mod, addr) || in_core_rw(mod, addr);
73234 - }
73235 -
73236 - static inline int
73237
73238 Deleted: hardened-sources/2.6/tags/2.6.23-8/4495_grsec-ptrace-recursive-lock-fix.patch
73239 ===================================================================
73240 --- hardened-sources/2.6/trunk/2.6.23/4495_grsec-ptrace-recursive-lock-fix.patch 2008-03-30 17:39:03 UTC (rev 86)
73241 +++ hardened-sources/2.6/tags/2.6.23-8/4495_grsec-ptrace-recursive-lock-fix.patch 2008-04-30 11:33:52 UTC (rev 91)
73242 @@ -1,22 +0,0 @@
73243 -From: Gordon Malm <bugs-gentoo-org-02@××××××.org>
73244 -
73245 -Fix a recursive lock -- call to capable() within ptrace_attach().
73246 -
73247 -This patch is present in upstream grsecurity patches as of
73248 -grsecurity-2.1.11-2.6.24.3-200803131725.patch. This patch can
73249 -be dropped for any hardened-sources-2.6.24 based on
73250 -grsecurity-2.1.11-2.6.24.3-200803131725.patch or later.
73251 -
73252 -Acked-by: Kerin Millar <kerframil@×××××.com>
73253 -
73254 ---- a/kernel/ptrace.c
73255 -+++ b/kernel/ptrace.c
73256 -@@ -203,7 +203,7 @@ repeat:
73257 - /* Go */
73258 - task->ptrace |= PT_PTRACED | ((task->real_parent != current)
73259 - ? PT_ATTACHED : 0);
73260 -- if (capable(CAP_SYS_PTRACE))
73261 -+ if (capable_nolog(CAP_SYS_PTRACE))
73262 - task->ptrace |= PT_PTRACE_CAP;
73263 -
73264 - __ptrace_link(task, current);
73265
73266 Copied: hardened-sources/2.6/tags/2.6.23-8/4495_pax-hang-when-coredump-disabled-fix.patch (from rev 90, hardened-sources/2.6/trunk/2.6.23/4495_pax-hang-when-coredump-disabled-fix.patch)
73267 ===================================================================
73268 --- hardened-sources/2.6/tags/2.6.23-8/4495_pax-hang-when-coredump-disabled-fix.patch (rev 0)
73269 +++ hardened-sources/2.6/tags/2.6.23-8/4495_pax-hang-when-coredump-disabled-fix.patch 2008-04-30 11:33:52 UTC (rev 91)
73270 @@ -0,0 +1,167 @@
73271 +From: Gordon Malm <bugs-gentoo-org-02@××××××.org>
73272 +
73273 +Fix bug where processes that have triggered a kill by PaX hang
73274 +instead when ELF_CORE is disabled.
73275 +
73276 +More info @ http://forums.grsecurity.net/viewtopic.php?f=3&t=1934
73277 +
73278 +This patch is present in upstream grsecurity patches as of
73279 +pax-linux-2.6.24.4-test37.patch. This patch can be dropped for any
73280 +hardened-sources-2.6.24 based upon pax-linux-2.6.24.4-test37.patch
73281 +or later.
73282 +
73283 +--- a/arch/alpha/mm/fault.c
73284 ++++ b/arch/alpha/mm/fault.c
73285 +@@ -267,7 +267,7 @@ do_page_fault(unsigned long address, uns
73286 +
73287 + }
73288 + pax_report_fault(regs, (void *)regs->pc, (void *)rdusp());
73289 +- do_exit(SIGKILL);
73290 ++ do_group_exit(SIGKILL);
73291 + #else
73292 + goto bad_area;
73293 + #endif
73294 +--- a/arch/avr32/mm/fault.c
73295 ++++ b/arch/avr32/mm/fault.c
73296 +@@ -179,7 +179,7 @@ bad_area:
73297 + if (mm->pax_flags & MF_PAX_PAGEEXEC) {
73298 + if (ecr == ECR_PROTECTION_X || ecr == ECR_TLB_MISS_X) {
73299 + pax_report_fault(regs, (void *)regs->pc, (void *)regs->sp);
73300 +- do_exit(SIGKILL);
73301 ++ do_group_exit(SIGKILL);
73302 + }
73303 + }
73304 + #endif
73305 +--- a/arch/i386/mm/fault.c
73306 ++++ b/arch/i386/mm/fault.c
73307 +@@ -436,7 +436,7 @@ fastcall void __kprobes do_page_fault(st
73308 + #endif
73309 +
73310 + pax_report_fault(regs, (void *)regs->eip, (void *)regs->esp);
73311 +- do_exit(SIGKILL);
73312 ++ do_group_exit(SIGKILL);
73313 + }
73314 +
73315 + pmd = pax_get_pmd(mm, address);
73316 +@@ -609,7 +609,7 @@ bad_area_nosemaphore:
73317 + if ((nx_enabled && (error_code & 16)) ||
73318 + ((mm->pax_flags & MF_PAX_PAGEEXEC) && !(error_code & 3) && (regs->eip == address))) {
73319 + pax_report_fault(regs, (void *)regs->eip, (void *)regs->esp);
73320 +- do_exit(SIGKILL);
73321 ++ do_group_exit(SIGKILL);
73322 + }
73323 + #endif
73324 +
73325 +@@ -624,7 +624,7 @@ bad_area_nosemaphore:
73326 + #endif
73327 +
73328 + pax_report_fault(regs, (void *)regs->eip, (void *)regs->esp);
73329 +- do_exit(SIGKILL);
73330 ++ do_group_exit(SIGKILL);
73331 + }
73332 + #endif
73333 +
73334 +@@ -775,7 +775,7 @@ no_context:
73335 + tsk->thread.error_code = error_code;
73336 + die("Oops", regs, error_code);
73337 + bust_spinlocks(0);
73338 +- do_exit(SIGKILL);
73339 ++ do_group_exit(SIGKILL);
73340 +
73341 + /*
73342 + * We ran out of memory, or some other thing happened to us that made
73343 +@@ -790,7 +790,7 @@ out_of_memory:
73344 + }
73345 + printk("VM: killing process %s\n", tsk->comm);
73346 + if (error_code & 4)
73347 +- do_exit(SIGKILL);
73348 ++ do_group_exit(SIGKILL);
73349 + goto no_context;
73350 +
73351 + do_sigbus:
73352 +--- a/arch/ia64/mm/fault.c
73353 ++++ b/arch/ia64/mm/fault.c
73354 +@@ -172,7 +172,7 @@ ia64_do_page_fault (unsigned long addres
73355 +
73356 + up_read(&mm->mmap_sem);
73357 + pax_report_fault(regs, (void *)regs->cr_iip, (void *)regs->r12);
73358 +- do_exit(SIGKILL);
73359 ++ do_group_exit(SIGKILL);
73360 + }
73361 + #endif
73362 +
73363 +--- a/arch/parisc/mm/fault.c
73364 ++++ b/arch/parisc/mm/fault.c
73365 +@@ -298,7 +298,7 @@ good_area:
73366 +
73367 + }
73368 + pax_report_fault(regs, (void *)instruction_pointer(regs), (void *)regs->gr[30]);
73369 +- do_exit(SIGKILL);
73370 ++ do_group_exit(SIGKILL);
73371 + }
73372 + #endif
73373 +
73374 +--- a/arch/powerpc/mm/fault.c
73375 ++++ b/arch/powerpc/mm/fault.c
73376 +@@ -747,7 +747,7 @@ bad_area_nosemaphore:
73377 + }
73378 +
73379 + pax_report_fault(regs, (void*)regs->nip, (void*)regs->gpr[PT_R1]);
73380 +- do_exit(SIGKILL);
73381 ++ do_group_exit(SIGKILL);
73382 + }
73383 + }
73384 + #endif
73385 +--- a/arch/ppc/mm/fault.c
73386 ++++ b/arch/ppc/mm/fault.c
73387 +@@ -663,7 +663,7 @@ bad_area:
73388 + }
73389 +
73390 + pax_report_fault(regs, (void *)regs->nip, (void *)regs->gpr[1]);
73391 +- do_exit(SIGKILL);
73392 ++ do_group_exit(SIGKILL);
73393 + }
73394 + }
73395 + #endif
73396 +--- a/arch/sparc/mm/fault.c
73397 ++++ b/arch/sparc/mm/fault.c
73398 +@@ -544,7 +544,7 @@ good_area:
73399 +
73400 + }
73401 + pax_report_fault(regs, (void *)regs->pc, (void *)regs->u_regs[UREG_FP]);
73402 +- do_exit(SIGKILL);
73403 ++ do_group_exit(SIGKILL);
73404 + }
73405 + #endif
73406 +
73407 +--- a/arch/sparc64/mm/fault.c
73408 ++++ b/arch/sparc64/mm/fault.c
73409 +@@ -717,7 +717,7 @@ asmlinkage void __kprobes do_sparc64_fau
73410 +
73411 + }
73412 + pax_report_fault(regs, (void*)regs->tpc, (void*)(regs->u_regs[UREG_FP] + STACK_BIAS));
73413 +- do_exit(SIGKILL);
73414 ++ do_group_exit(SIGKILL);
73415 + }
73416 + #endif
73417 +
73418 +--- a/arch/x86_64/mm/fault.c
73419 ++++ b/arch/x86_64/mm/fault.c
73420 +@@ -649,7 +649,7 @@ bad_area_nosemaphore:
73421 + #endif
73422 +
73423 + pax_report_fault(regs, (void*)regs->rip, (void*)regs->rsp);
73424 +- do_exit(SIGKILL);
73425 ++ do_group_exit(SIGKILL);
73426 + }
73427 + #endif
73428 +
73429 +@@ -727,7 +727,7 @@ no_context:
73430 + /* Executive summary in case the body of the oops scrolled away */
73431 + printk(KERN_EMERG "CR2: %016lx\n", address);
73432 + oops_end(flags);
73433 +- do_exit(SIGKILL);
73434 ++ do_group_exit(SIGKILL);
73435 +
73436 + /*
73437 + * We ran out of memory, or some other thing happened to us that made
73438
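--- a/hardened-sources/2.6/tags/2.6.23-8/4500_grsec-netlink-security-fixes.patch
+++ b/hardened-sources/2.6/tags/2.6.23-8/4500_grsec-netlink-security-fixes.patch
@@ -1,162 +0,0 @@
-From: Gordon Malm <bugs-gentoo-org-02@××××××.org>
-
-Fix bug that allows audit and iscsi operations to be controlled
-via netlink; it should be disallowed by grsec.
-
-More info @ https://bugs.gentoo.org/show_bug.cgi?id=213254
-
-This is grsecurity upstreams' version of the patch submitted
-in the aforementioned bug.
-
-Thanks to cilly <cilly@××××××××××.nu> for bringing the patch to
-our attention. Thanks to Kerin Millar <kerframil@×××××.com> for
-following up with the author of the original patch and reporting
-the matter upstream.
-
-This patch is present in upstream grsecurity patches as of
-grsecurity-2.1.11-2.6.24.3-200803172136.patch. This patch can
-be dropped for any hardened-sources-2.6.24 based on
-grsecurity-2.1.11-2.6.24.3-200803172136.patch or later.
-
-Acked-by: Kerin Millar <kerframil@×××××.com>
-
---- a/drivers/pci/proc.c
-+++ b/drivers/pci/proc.c
-@@ -469,7 +469,7 @@ static int __init pci_proc_init(void)
- #ifdef CONFIG_GRKERNSEC_PROC_ADD
- #ifdef CONFIG_GRKERNSEC_PROC_USER
- proc_bus_pci_dir = proc_mkdir_mode("pci", S_IRUSR | S_IXUSR, proc_bus);
--#elif CONFIG_GRKERNSEC_PROC_USERGROUP
-+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
- proc_bus_pci_dir = proc_mkdir_mode("pci", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, proc_bus);
- #endif
- #else
---- a/fs/proc/base.c
-+++ b/fs/proc/base.c
-@@ -1102,7 +1102,7 @@ static int pid_getattr(struct vfsmount *
- if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
- #ifdef CONFIG_GRKERNSEC_PROC_USER
- (inode->i_mode == (S_IFDIR|S_IRUSR|S_IXUSR)) ||
--#elif CONFIG_GRKERNSEC_PROC_USERGROUP
-+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
- (inode->i_mode == (S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP)) ||
- #endif
- task_dumpable(task)) {
-@@ -1144,7 +1144,7 @@ static int pid_revalidate(struct dentry
- if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
- #ifdef CONFIG_GRKERNSEC_PROC_USER
- (inode->i_mode == (S_IFDIR|S_IRUSR|S_IXUSR)) ||
--#elif CONFIG_GRKERNSEC_PROC_USERGROUP
-+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
- (inode->i_mode == (S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP)) ||
- #endif
- task_dumpable(task)) {
-@@ -2265,7 +2265,7 @@ static struct dentry *proc_pid_instantia
-
- #ifdef CONFIG_GRKERNSEC_PROC_USER
- inode->i_mode = S_IFDIR|S_IRUSR|S_IXUSR;
--#elif CONFIG_GRKERNSEC_PROC_USERGROUP
-+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
- inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
- inode->i_mode = S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP;
- #else
---- a/grsecurity/grsec_sock.c
-+++ b/grsecurity/grsec_sock.c
-@@ -16,6 +16,7 @@ extern struct sock *udp_v4_lookup(u32 sa
- EXPORT_SYMBOL(udp_v4_lookup);
- #endif
-
-+__u32 gr_cap_rtnetlink(struct sock *sock);
- EXPORT_SYMBOL(gr_cap_rtnetlink);
-
- extern int gr_search_udp_recvmsg(const struct sock *sk, const struct sk_buff *skb);
-@@ -247,11 +248,21 @@ gr_handle_sock_client(const struct socka
- }
-
- __u32
--gr_cap_rtnetlink(void)
-+gr_cap_rtnetlink(struct sock *sock)
- {
- #ifdef CONFIG_GRKERNSEC
- if (!gr_acl_is_enabled())
- return current->cap_effective;
-+ else if (sock->sk_protocol == NETLINK_ISCSI &&
-+ cap_raised(current->cap_effective, CAP_SYS_ADMIN) &&
-+ gr_task_is_capable(current, CAP_SYS_ADMIN))
-+ return current->cap_effective;
-+ else if (sock->sk_protocol == NETLINK_AUDIT &&
-+ cap_raised(current->cap_effective, CAP_AUDIT_WRITE) &&
-+ gr_task_is_capable(current, CAP_AUDIT_WRITE) &&
-+ cap_raised(current->cap_effective, CAP_AUDIT_CONTROL) &&
-+ gr_task_is_capable(current, CAP_AUDIT_CONTROL))
-+ return current->cap_effective;
- else if (cap_raised(current->cap_effective, CAP_NET_ADMIN) &&
- gr_task_is_capable(current, CAP_NET_ADMIN))
- return current->cap_effective;
---- a/include/linux/grsecurity.h
-+++ b/include/linux/grsecurity.h
-@@ -167,7 +167,6 @@ __u32 gr_acl_handle_unix(const struct de
- void gr_acl_handle_exit(void);
- void gr_acl_handle_psacct(struct task_struct *task, const long code);
- int gr_acl_handle_procpidmem(const struct task_struct *task);
--__u32 gr_cap_rtnetlink(void);
-
- #ifdef CONFIG_SYSVIPC
- void gr_shm_exit(struct task_struct *task);
---- a/kernel/configs.c
-+++ b/kernel/configs.c
-@@ -82,7 +82,7 @@ static int __init ikconfig_init(void)
- #ifdef CONFIG_GRKERNSEC_PROC_ADD
- #ifdef CONFIG_GRKERNSEC_PROC_USER
- entry = create_proc_entry("config.gz", S_IFREG | S_IRUSR, &proc_root);
--#elif CONFIG_GRKERNSEC_PROC_USERGROUP
-+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
- entry = create_proc_entry("config.gz", S_IFREG | S_IRUSR | S_IRGRP, &proc_root);
- #endif
- #else
---- a/kernel/kallsyms.c
-+++ b/kernel/kallsyms.c
-@@ -496,7 +496,7 @@ static int __init kallsyms_init(void)
- #ifdef CONFIG_GRKERNSEC_PROC_ADD
- #ifdef CONFIG_GRKERNSEC_PROC_USER
- entry = create_proc_entry("kallsyms", S_IFREG | S_IRUSR, NULL);
--#elif CONFIG_GRKERNSEC_PROC_USERGROUP
-+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
- entry = create_proc_entry("kallsyms", S_IFREG | S_IRUSR | S_IRGRP, NULL);
- #endif
- #else
---- a/kernel/resource.c
-+++ b/kernel/resource.c
-@@ -136,7 +136,7 @@ static int __init ioresources_init(void)
- #ifdef CONFIG_GRKERNSEC_PROC_ADD
- #ifdef CONFIG_GRKERNSEC_PROC_USER
- entry = create_proc_entry("ioports", S_IRUSR, NULL);
--#elif CONFIG_GRKERNSEC_PROC_USERGROUP
-+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
- entry = create_proc_entry("ioports", S_IRUSR | S_IRGRP, NULL);
- #endif
- #else
-@@ -148,7 +148,7 @@ static int __init ioresources_init(void)
- #ifdef CONFIG_GRKERNSEC_PROC_ADD
- #ifdef CONFIG_GRKERNSEC_PROC_USER
- entry = create_proc_entry("iomem", S_IRUSR, NULL);
--#elif CONFIG_GRKERNSEC_PROC_USERGROUP
-+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
- entry = create_proc_entry("iomem", S_IRUSR | S_IRGRP, NULL);
- #endif
- #else
---- a/security/commoncap.c
-+++ b/security/commoncap.c
-@@ -24,9 +24,11 @@
- #include <linux/hugetlb.h>
- #include <linux/grsecurity.h>
-
-+extern __u32 gr_cap_rtnetlink(struct sock *sk);
-+
- int cap_netlink_send(struct sock *sk, struct sk_buff *skb)
- {
-- NETLINK_CB(skb).eff_cap = gr_cap_rtnetlink();
-+ NETLINK_CB(skb).eff_cap = gr_cap_rtnetlink(sk);
- return 0;
- }
-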
73606
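--- a/hardened-sources/2.6/tags/2.6.23-8/4500_grsec-user_transition-bypass-fix.patch
+++ b/hardened-sources/2.6/tags/2.6.23-8/4500_grsec-user_transition-bypass-fix.patch
@@ -0,0 +1,121 @@
+From: Gordon Malm <bugs-gentoo-org-02@××××××.org>
+
+Permission checks for user_transition_{allow,deny} rules in grsecurity's
+RBAC system went missing from kernel/sys.c sometime previous to kernel
+2.6.23. Further, the functions sys_setfsgid() & sys_setfsuid() should
+return old_{fsgid,fsuid} on error.
+
+Local users could possibly use the missing checks to bypass RBAC's
+security restrictions and gain elevated privileges.
+
+This patch is a backport of the bits relevant to fixing this issue,
+sourced from: grsecurity-2.1.11-2.6.24.5-200804211829.patch
+
+This has been fixed as of grsecurity-2.1.11-2.6.24.5-200804211829.patch.
+This patch can be dropped for any hardened-sources release based on
+grsecurity-2.1.11-2.6.24.5-200804211829.patch or later.
+
+Reported by: Robert Buchholz <rbu at gentoo.org>
+
+For more information, reference:
+https://bugs.gentoo.org/show_bug.cgi?id=219089
+http://secunia.com/advisories/29899/
+
+--- a/kernel/sys.c
++++ b/kernel/sys.c
+@@ -1047,6 +1047,10 @@ asmlinkage long sys_setregid(gid_t rgid,
+ else
+ return -EPERM;
+ }
++
++ if (gr_check_group_change(new_rgid, new_egid, -1))
++ return -EPERM;
++
+ if (new_egid != old_egid) {
+ set_dumpable(current->mm, suid_dumpable);
+ smp_wmb();
+@@ -1079,6 +1083,9 @@ asmlinkage long sys_setgid(gid_t gid)
+ if (retval)
+ return retval;
+
++ if (gr_check_group_change(gid, gid, gid))
++ return -EPERM;
++
+ if (capable(CAP_SETGID)) {
+ if (old_egid != gid) {
+ set_dumpable(current->mm, suid_dumpable);
+@@ -1176,6 +1183,9 @@ asmlinkage long sys_setreuid(uid_t ruid,
+ return -EPERM;
+ }
+
++ if (gr_check_user_change(new_ruid, new_euid, -1))
++ return -EPERM;
++
+ if (new_ruid != old_ruid && set_user(new_ruid, new_euid != old_euid) < 0)
+ return -EAGAIN;
+
+@@ -1222,6 +1232,12 @@ asmlinkage long sys_setuid(uid_t uid)
+ old_suid = current->suid;
+ new_suid = old_suid;
+
++ if (gr_check_crash_uid(uid))
++ return -EPERM;
++
++ if (gr_check_user_change(uid, uid, uid))
++ return -EPERM;
++
+ if (capable(CAP_SETUID)) {
+ if (uid != old_ruid && set_user(uid, old_euid != uid) < 0)
+ return -EAGAIN;
+@@ -1229,9 +1245,6 @@ asmlinkage long sys_setuid(uid_t uid)
+ } else if ((uid != current->uid) && (uid != new_suid))
+ return -EPERM;
+
+- if (gr_check_crash_uid(uid))
+- return -EPERM;
+-
+ if (old_euid != uid) {
+ set_dumpable(current->mm, suid_dumpable);
+ smp_wmb();
+@@ -1272,6 +1285,10 @@ asmlinkage long sys_setresuid(uid_t ruid
+ (suid != current->euid) && (suid != current->suid))
+ return -EPERM;
+ }
++
++ if (gr_check_user_change(ruid, euid, -1))
++ return -EPERM;
++
+ if (ruid != (uid_t) -1) {
+ if (ruid != current->uid && set_user(ruid, euid != current->euid) < 0)
+ return -EAGAIN;
+@@ -1326,6 +1343,10 @@ asmlinkage long sys_setresgid(gid_t rgid
+ (sgid != current->egid) && (sgid != current->sgid))
+ return -EPERM;
+ }
++
++ if (gr_check_group_change(rgid, egid, -1))
++ return -EPERM;
++
+ if (egid != (gid_t) -1) {
+ if (egid != current->egid) {
+ set_dumpable(current->mm, suid_dumpable);
+@@ -1372,6 +1393,9 @@ asmlinkage long sys_setfsuid(uid_t uid)
+ if (security_task_setuid(uid, (uid_t)-1, (uid_t)-1, LSM_SETID_FS))
+ return old_fsuid;
+
++ if (gr_check_user_change(-1, -1, uid))
++ return old_fsuid;
++
+ if (uid == current->uid || uid == current->euid ||
+ uid == current->suid || uid == current->fsuid ||
+ capable(CAP_SETUID)) {
+@@ -1404,6 +1428,9 @@ asmlinkage long sys_setfsgid(gid_t gid)
+ if (gid == current->gid || gid == current->egid ||
+ gid == current->sgid || gid == current->fsgid ||
+ capable(CAP_SETGID)) {
++ if (gr_check_group_change(-1, -1, gid))
++ return old_fsgid;
++
+ if (gid != old_fsgid) {
+ set_dumpable(current->mm, suid_dumpable);
+ smp_wmb();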
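Review bot: The `gr_check_group_change(-1, -1, gid)` added in the sys_setfsgid hunk sits inside the `if (gid == current->gid || ... capable(CAP_SETGID))` block, whereas the matching `gr_check_user_change(-1, -1, uid)` in the sys_setfsuid hunk is placed before the equivalent block; the outcome is presumably the same, since the rejected path returns old_fsgid either way, but hoisting the setfsgid check above its `if` would keep the two backports symmetric and easier to audit. In the setreuid, setresuid, setregid and setresgid hunks the third argument is a literal -1 while the setuid and setgid calls pass the id in all three positions; if that argument denotes the fs id, as the setfs* calls suggest, an fs id that these functions update implicitly further down (outside the hunk) is not checked against the RBAC rules, so this is worth confirming against gr_check_user_change's definition. The new calls also pass a bare -1 where the surrounding code spells `(uid_t) -1` / `(gid_t) -1`; matching that cast would avoid sign-conversion warnings if the helper takes an unsigned id. A short comment such as `/* RBAC user_transition rules: reject before any id is changed */` above each inserted check would record why they must precede the set_user()/set_dumpable() calls. Every modified function begins and ends outside its hunk.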
73733
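--- a/hardened-sources/2.6/tags/2.6.23-8/4505_grsec-pax_emutramp-only-on-ppc32.patch
+++ b/hardened-sources/2.6/tags/2.6.23-8/4505_grsec-pax_emutramp-only-on-ppc32.patch
@@ -1,11 +0,0 @@
---- a/security/Kconfig
-+++ b/security/Kconfig
-@@ -153,7 +153,7 @@ config PAX_SEGMEXEC
- 3 GB.
-
- config PAX_EMUTRAMP
-- bool "Emulate trampolines" if (PAX_PAGEEXEC || PAX_SEGMEXEC) && (PARISC || PPC32 || X86)
-+ bool "Emulate trampolines" if (PAX_PAGEEXEC || PAX_SEGMEXEC) && (PARISC || PPC32 || X86_32)
- default y if PARISC || PPC32
- help
- There are some programs and libraries that for one reason or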
73750