Gentoo Archives: gentoo-commits

From: "Christian Heim (phreak)" <phreak@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] hardened r92 - hardened-sources/2.6/trunk/2.6.24
Date: Wed, 30 Apr 2008 11:38:31
Message-Id: E1JrAba-0001B8-89@stork.gentoo.org
1 Author: phreak
2 Date: 2008-04-30 11:36:08 +0000 (Wed, 30 Apr 2008)
3 New Revision: 92
4
5 Added:
6 hardened-sources/2.6/trunk/2.6.24/0000_README
7 hardened-sources/2.6/trunk/2.6.24/1005_linux-2.6.24.Q_tehuti-check-register-size.patch
8 hardened-sources/2.6/trunk/2.6.24/1006_linux-2.6.24.Q_tehuti-move-ioctl-perm-check-closer-to-function-start.patch
9 hardened-sources/2.6/trunk/2.6.24/4420_grsec-2.1.11-2.6.24.5-200804211829.patch
10 hardened-sources/2.6/trunk/2.6.24/4425_grsec-kconfig-default-gids.patch
11 hardened-sources/2.6/trunk/2.6.24/4430_grsec-kconfig-gentoo.patch
12 hardened-sources/2.6/trunk/2.6.24/4435_grsec-kconfig-pax-without-grsec.patch
13 hardened-sources/2.6/trunk/2.6.24/4440_disable-compat_vdso.patch
14 hardened-sources/2.6/trunk/2.6.24/4445_grsec-2.1.11-mute-warnings.patch
15 hardened-sources/2.6/trunk/2.6.24/4450_grsec-2.1.11-pax-curr_ip-fixes.patch
16 hardened-sources/2.6/trunk/2.6.24/4455_selinux-avc_audit-log-curr_ip.patch
17 Removed:
18 hardened-sources/2.6/trunk/2.6.24/4420_grsec-2.1.11-2.6.24.4-200803262003.patch
19 hardened-sources/2.6/trunk/2.6.24/4425_alpha-sysctl-uac-for-hardened.patch
20 hardened-sources/2.6/trunk/2.6.24/4430_grsec-kconfig-default-gids.patch
21 hardened-sources/2.6/trunk/2.6.24/4435_grsec-kconfig-gentoo.patch
22 hardened-sources/2.6/trunk/2.6.24/4440_grsec-kconfig-pax-without-grsec.patch
23 hardened-sources/2.6/trunk/2.6.24/4445_disable-compat_vdso.patch
24 hardened-sources/2.6/trunk/2.6.24/4450_grsec-2.1.11-mute-warnings.patch
25 hardened-sources/2.6/trunk/2.6.24/4455_grsec-2.1.11-pax-curr_ip-fixes.patch
26 hardened-sources/2.6/trunk/2.6.24/4460_selinux-avc_audit-log-curr_ip.patch
27 Log:
28 Importing the patchset from Kerin and Gordon for .24-r1.
29
30 Added: hardened-sources/2.6/trunk/2.6.24/0000_README
31 ===================================================================
32 --- hardened-sources/2.6/trunk/2.6.24/0000_README (rev 0)
33 +++ hardened-sources/2.6/trunk/2.6.24/0000_README 2008-04-30 11:36:08 UTC (rev 92)
34 @@ -0,0 +1,55 @@
35 +README
36 +------------------------------------------------------------------------------
37 +
38 +Individual Patch Descriptions:
39 +------------------------------------------------------------------------------
40 +Patch: 1005_linux-2.6.24.Q_tehuti-check-register-size.patch
41 +From: Francois Romieu <romieu@×××××××××.com>
42 +Desc: Fix for CVE-2008-1675 (retrieved from 2.6.24 stable queue)
43 +
44 +Patch: 1006_linux-2.6.24.Q_tehuti-move-ioctl-perm-check-closer-to-function-start.patch
45 +From: Jeff Garzik <jeff@××××××.org>
46 +Desc: Fix for CVE-2008-1675 (retrieved from 2.6.24 stable queue)
47 +
48 +Patch: 4420_grsec-2.1.11-2.6.24.5-200804211829.patch
49 +From: http://www.grsecurity.net
50 +Desc: hardened-sources base patch from upstream grsecurity
51 +
52 +Patch: 4421_remove-localversion-grsec.patch
53 +From: Kerin Millar <kerframil@×××××.com>
54 +Desc: Removes grsecurity's -localversion file
55 +
56 +Patch: 4425_grsec-kconfig-default-gids.patch
57 +From: Kerin Millar <kerframil@×××××.com>
58 +Desc: Sets sane(r) default GIDs on various grsecurity group-dependent
59 + features
60 +
61 +Patch: 4430_grsec-kconfig-gentoo.patch
62 +From: Gordon Malm <bugs-gentoo-org-02@××××××.org>
63 + Kerin Millar <kerframil@×××××.com>
64 +Desc: Adds Hardened Gentoo [server/workstation] security levels, sets
65 + Hardened Gentoo [workstation] as default
66 +
67 +Patch: 4435_grsec-kconfig-pax-without-grsec.patch
68 +From: Gordon Malm <bugs-gentoo-org-02@××××××.org>
69 +Desc: Allows PaX features to be selected without enabling GRKERNSEC
70 +
71 +Patch: 4440_disable-compat_vdso.patch
72 +From: Gordon Malm <bugs-gentoo-org-02@××××××.org>
73 + Kerin Millar <kerframil@×××××.com>
74 +Desc: Disables VDSO_COMPAT operation completely
75 +
76 +Patch: 4445_grsec-2.1.11-mute-warnings.patch
77 +From: Alexander Gabert <gaberta@××××××××.de>
78 +Desc: Removes verbose compile warning settings from grsecurity, restores
79 + mainline Linux kernel behavior
80 +
81 +Patch: 4450_grsec-2.1.11-pax-curr_ip-fixes.patch
82 +From: <Unknown>
83 +Desc: Fixes grsecurity attempting to add IP address to log messages when
84 + GRKERNSEC_PROC_IPADDR is not defined
85 +
86 +Patch: 4455_selinux-avc_audit-log-curr_ip.patch
87 +From: Lorenzo Hernandez Garcia-Hierro <lorenzo@×××.org>
88 +Desc: Adds IP address to SELinux AVC audit log if GRKERNSEC_PROC_IPADDR
89 + is defined
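Review bot: the README documents 4421_remove-localversion-grsec.patch ("Removes grsecurity's -localversion file"), but that file is not in this commit's Added list, which goes from 1006_linux-2.6.24.Q_tehuti-move-ioctl-perm-check-closer-to-function-start.patch straight to 4420_grsec-2.1.11-2.6.24.5-200804211829.patch and then 4425_grsec-kconfig-default-gids.patch; either add the patch or drop the entry so the README matches what is shipped. Two smaller documentation points: the 4450 entry's `From: <Unknown>` leaves that patch without any provenance, and the two CVE-2008-1675 entries each read as a complete fix, whereas the patches themselves show 1006 completing 1005 by moving the `capable(CAP_NET_ADMIN)` test ahead of the opcode switch so that BDX_OP_READ is gated as well as BDX_OP_WRITE; saying so in the README would make the dependency between the two visible.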
90
91 Added: hardened-sources/2.6/trunk/2.6.24/1005_linux-2.6.24.Q_tehuti-check-register-size.patch
92 ===================================================================
93 --- hardened-sources/2.6/trunk/2.6.24/1005_linux-2.6.24.Q_tehuti-check-register-size.patch (rev 0)
94 +++ hardened-sources/2.6/trunk/2.6.24/1005_linux-2.6.24.Q_tehuti-check-register-size.patch 2008-04-30 11:36:08 UTC (rev 92)
95 @@ -0,0 +1,52 @@
96 +From 6131a2601f42cd7fdbac0e960713396fe68af59f Mon Sep 17 00:00:00 2001
97 +From: Francois Romieu <romieu@×××××××××.com>
98 +Date: Sun, 20 Apr 2008 19:32:34 +0200
99 +Subject: tehuti: check register size (CVE-2008-1675)
100 +
101 +From: Francois Romieu <romieu@×××××××××.com>
102 +
103 +Signed-off-by: Francois Romieu <romieu@×××××××××.com>
104 +Signed-off-by: Jeff Garzik <jgarzik@××××××.com>
105 +Signed-off-by: Greg Kroah-Hartman <gregkh@××××.de>
106 +
107 +---
108 + drivers/net/tehuti.c | 14 ++++++++++++++
109 + 1 file changed, 14 insertions(+)
110 +
111 +--- a/drivers/net/tehuti.c
112 ++++ b/drivers/net/tehuti.c
113 +@@ -625,6 +625,12 @@ static void __init bdx_firmware_endianes
114 + s_firmLoad[i] = CPU_CHIP_SWAP32(s_firmLoad[i]);
115 + }
116 +
117 ++static int bdx_range_check(struct bdx_priv *priv, u32 offset)
118 ++{
119 ++ return (offset > (u32) (BDX_REGS_SIZE / priv->nic->port_num)) ?
120 ++ -EINVAL : 0;
121 ++}
122 ++
123 + static int bdx_ioctl_priv(struct net_device *ndev, struct ifreq *ifr, int cmd)
124 + {
125 + struct bdx_priv *priv = ndev->priv;
126 +@@ -646,6 +652,9 @@ static int bdx_ioctl_priv(struct net_dev
127 + switch (data[0]) {
128 +
129 + case BDX_OP_READ:
130 ++ error = bdx_range_check(priv, data[1]);
131 ++ if (error < 0)
132 ++ return error;
133 + data[2] = READ_REG(priv, data[1]);
134 + DBG("read_reg(0x%x)=0x%x (dec %d)\n", data[1], data[2],
135 + data[2]);
136 +@@ -655,6 +664,11 @@ static int bdx_ioctl_priv(struct net_dev
137 + break;
138 +
139 + case BDX_OP_WRITE:
140 ++ if (!capable(CAP_NET_ADMIN))
141 ++ return -EPERM;
142 ++ error = bdx_range_check(priv, data[1]);
143 ++ if (error < 0)
144 ++ return error;
145 + WRITE_REG(priv, data[1], data[2]);
146 + DBG("write_reg(0x%x, 0x%x)\n", data[1], data[2]);
147 + break;
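Review bot: `bdx_range_check` rejects only `offset > (u32)(BDX_REGS_SIZE / priv->nic->port_num)`, so an offset exactly equal to that bound is accepted and passed on to `READ_REG`/`WRITE_REG`; if the bound is the size of the per-port register window rather than its last valid offset, the comparison should be `>=` (or subtract the register width) to keep the last access inside the window. A second point on this hunk: only BDX_OP_WRITE gains the `capable(CAP_NET_ADMIN)` test, while BDX_OP_READ receives just the range check, so unprivileged register reads are still allowed after this patch alone; the 1006 patch that follows moves the check ahead of the `switch` and closes that.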
148
149 Added: hardened-sources/2.6/trunk/2.6.24/1006_linux-2.6.24.Q_tehuti-move-ioctl-perm-check-closer-to-function-start.patch
150 ===================================================================
151 --- hardened-sources/2.6/trunk/2.6.24/1006_linux-2.6.24.Q_tehuti-move-ioctl-perm-check-closer-to-function-start.patch (rev 0)
152 +++ hardened-sources/2.6/trunk/2.6.24/1006_linux-2.6.24.Q_tehuti-move-ioctl-perm-check-closer-to-function-start.patch 2008-04-30 11:36:08 UTC (rev 92)
153 @@ -0,0 +1,39 @@
154 +From f946dffed6334f08da065a89ed65026ebf8b33b4 Mon Sep 17 00:00:00 2001
155 +From: Jeff Garzik <jeff@××××××.org>
156 +Date: Fri, 25 Apr 2008 03:11:31 -0400
157 +Subject: tehuti: move ioctl perm check closer to function start (CVE-2008-1675)
158 +
159 +From: Jeff Garzik <jeff@××××××.org>
160 +
161 +Commit f946dffed6334f08da065a89ed65026ebf8b33b4 upstream
162 +
163 +Noticed by davem.
164 +
165 +Signed-off-by: Jeff Garzik <jgarzik@××××××.com>
166 +Signed-off-by: Greg Kroah-Hartman <gregkh@××××.de>
167 +
168 +---
169 + drivers/net/tehuti.c | 5 +++--
170 + 1 file changed, 3 insertions(+), 2 deletions(-)
171 +
172 +--- a/drivers/net/tehuti.c
173 ++++ b/drivers/net/tehuti.c
174 +@@ -649,6 +649,9 @@ static int bdx_ioctl_priv(struct net_dev
175 + DBG("%d 0x%x 0x%x\n", data[0], data[1], data[2]);
176 + }
177 +
178 ++ if (!capable(CAP_NET_ADMIN))
179 ++ return -EPERM;
180 ++
181 + switch (data[0]) {
182 +
183 + case BDX_OP_READ:
184 +@@ -664,8 +667,6 @@ static int bdx_ioctl_priv(struct net_dev
185 + break;
186 +
187 + case BDX_OP_WRITE:
188 +- if (!capable(CAP_NET_ADMIN))
189 +- return -EPERM;
190 + error = bdx_range_check(priv, data[1]);
191 + if (error < 0)
192 + return error;
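Review bot: the relocated `capable(CAP_NET_ADMIN)` check lands after the `DBG("%d 0x%x 0x%x\n", data[0], data[1], data[2])` call, so the opcode and operands supplied by an unprivileged caller are still written to the debug log before the request is refused; placing the check above that DBG block would stop unprivileged ioctls from reaching any of the driver's logic. The move itself is right: with the test ahead of the `switch (data[0])` it now gates BDX_OP_READ, which 1005 left open, and every other opcode, and removing the duplicate `-EPERM` return from BDX_OP_WRITE leaves that path's behaviour unchanged.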
193
194 Deleted: hardened-sources/2.6/trunk/2.6.24/4420_grsec-2.1.11-2.6.24.4-200803262003.patch
195 ===================================================================
196 --- hardened-sources/2.6/trunk/2.6.24/4420_grsec-2.1.11-2.6.24.4-200803262003.patch 2008-04-30 11:33:52 UTC (rev 91)
197 +++ hardened-sources/2.6/trunk/2.6.24/4420_grsec-2.1.11-2.6.24.4-200803262003.patch 2008-04-30 11:36:08 UTC (rev 92)
198 @@ -1,37453 +0,0 @@
199 -diff -urNp linux-2.6.24.4/arch/alpha/kernel/module.c linux-2.6.24.4/arch/alpha/kernel/module.c
200 ---- linux-2.6.24.4/arch/alpha/kernel/module.c 2008-03-24 14:49:18.000000000 -0400
201 -+++ linux-2.6.24.4/arch/alpha/kernel/module.c 2008-03-26 17:56:55.000000000 -0400
202 -@@ -176,7 +176,7 @@ apply_relocate_add(Elf64_Shdr *sechdrs,
203 -
204 - /* The small sections were sorted to the end of the segment.
205 - The following should definitely cover them. */
206 -- gp = (u64)me->module_core + me->core_size - 0x8000;
207 -+ gp = (u64)me->module_core_rw + me->core_size_rw - 0x8000;
208 - got = sechdrs[me->arch.gotsecindex].sh_addr;
209 -
210 - for (i = 0; i < n; i++) {
211 -diff -urNp linux-2.6.24.4/arch/alpha/kernel/osf_sys.c linux-2.6.24.4/arch/alpha/kernel/osf_sys.c
212 ---- linux-2.6.24.4/arch/alpha/kernel/osf_sys.c 2008-03-24 14:49:18.000000000 -0400
213 -+++ linux-2.6.24.4/arch/alpha/kernel/osf_sys.c 2008-03-26 17:56:55.000000000 -0400
214 -@@ -1288,6 +1288,10 @@ arch_get_unmapped_area(struct file *filp
215 - merely specific addresses, but regions of memory -- perhaps
216 - this feature should be incorporated into all ports? */
217 -
218 -+#ifdef CONFIG_PAX_RANDMMAP
219 -+ if (!(current->mm->pax_flags & MF_PAX_RANDMMAP) || !filp)
220 -+#endif
221 -+
222 - if (addr) {
223 - addr = arch_get_unmapped_area_1 (PAGE_ALIGN(addr), len, limit);
224 - if (addr != (unsigned long) -ENOMEM)
225 -@@ -1295,8 +1299,8 @@ arch_get_unmapped_area(struct file *filp
226 - }
227 -
228 - /* Next, try allocating at TASK_UNMAPPED_BASE. */
229 -- addr = arch_get_unmapped_area_1 (PAGE_ALIGN(TASK_UNMAPPED_BASE),
230 -- len, limit);
231 -+ addr = arch_get_unmapped_area_1 (PAGE_ALIGN(current->mm->mmap_base), len, limit);
232 -+
233 - if (addr != (unsigned long) -ENOMEM)
234 - return addr;
235 -
236 -diff -urNp linux-2.6.24.4/arch/alpha/kernel/ptrace.c linux-2.6.24.4/arch/alpha/kernel/ptrace.c
237 ---- linux-2.6.24.4/arch/alpha/kernel/ptrace.c 2008-03-24 14:49:18.000000000 -0400
238 -+++ linux-2.6.24.4/arch/alpha/kernel/ptrace.c 2008-03-26 17:56:55.000000000 -0400
239 -@@ -15,6 +15,7 @@
240 - #include <linux/slab.h>
241 - #include <linux/security.h>
242 - #include <linux/signal.h>
243 -+#include <linux/grsecurity.h>
244 -
245 - #include <asm/uaccess.h>
246 - #include <asm/pgtable.h>
247 -@@ -266,6 +267,9 @@ long arch_ptrace(struct task_struct *chi
248 - size_t copied;
249 - long ret;
250 -
251 -+ if (gr_handle_ptrace(child, request))
252 -+ return -EPERM;
253 -+
254 - switch (request) {
255 - /* When I and D space are separate, these will need to be fixed. */
256 - case PTRACE_PEEKTEXT: /* read word at location addr. */
257 -diff -urNp linux-2.6.24.4/arch/alpha/mm/fault.c linux-2.6.24.4/arch/alpha/mm/fault.c
258 ---- linux-2.6.24.4/arch/alpha/mm/fault.c 2008-03-24 14:49:18.000000000 -0400
259 -+++ linux-2.6.24.4/arch/alpha/mm/fault.c 2008-03-26 18:53:27.000000000 -0400
260 -@@ -23,6 +23,7 @@
261 - #include <linux/smp.h>
262 - #include <linux/interrupt.h>
263 - #include <linux/module.h>
264 -+#include <linux/binfmts.h>
265 -
266 - #include <asm/system.h>
267 - #include <asm/uaccess.h>
268 -@@ -54,6 +55,124 @@ __load_new_mm_context(struct mm_struct *
269 - __reload_thread(pcb);
270 - }
271 -
272 -+#ifdef CONFIG_PAX_PAGEEXEC
273 -+/*
274 -+ * PaX: decide what to do with offenders (regs->pc = fault address)
275 -+ *
276 -+ * returns 1 when task should be killed
277 -+ * 2 when patched PLT trampoline was detected
278 -+ * 3 when unpatched PLT trampoline was detected
279 -+ */
280 -+static int pax_handle_fetch_fault(struct pt_regs *regs)
281 -+{
282 -+
283 -+#ifdef CONFIG_PAX_EMUPLT
284 -+ int err;
285 -+
286 -+ do { /* PaX: patched PLT emulation #1 */
287 -+ unsigned int ldah, ldq, jmp;
288 -+
289 -+ err = get_user(ldah, (unsigned int *)regs->pc);
290 -+ err |= get_user(ldq, (unsigned int *)(regs->pc+4));
291 -+ err |= get_user(jmp, (unsigned int *)(regs->pc+8));
292 -+
293 -+ if (err)
294 -+ break;
295 -+
296 -+ if ((ldah & 0xFFFF0000U) == 0x277B0000U &&
297 -+ (ldq & 0xFFFF0000U) == 0xA77B0000U &&
298 -+ jmp == 0x6BFB0000U)
299 -+ {
300 -+ unsigned long r27, addr;
301 -+ unsigned long addrh = (ldah | 0xFFFFFFFFFFFF0000UL) << 16;
302 -+ unsigned long addrl = ldq | 0xFFFFFFFFFFFF0000UL;
303 -+
304 -+ addr = regs->r27 + ((addrh ^ 0x80000000UL) + 0x80000000UL) + ((addrl ^ 0x8000UL) + 0x8000UL);
305 -+ err = get_user(r27, (unsigned long *)addr);
306 -+ if (err)
307 -+ break;
308 -+
309 -+ regs->r27 = r27;
310 -+ regs->pc = r27;
311 -+ return 2;
312 -+ }
313 -+ } while (0);
314 -+
315 -+ do { /* PaX: patched PLT emulation #2 */
316 -+ unsigned int ldah, lda, br;
317 -+
318 -+ err = get_user(ldah, (unsigned int *)regs->pc);
319 -+ err |= get_user(lda, (unsigned int *)(regs->pc+4));
320 -+ err |= get_user(br, (unsigned int *)(regs->pc+8));
321 -+
322 -+ if (err)
323 -+ break;
324 -+
325 -+ if ((ldah & 0xFFFF0000U) == 0x277B0000U &&
326 -+ (lda & 0xFFFF0000U) == 0xA77B0000U &&
327 -+ (br & 0xFFE00000U) == 0xC3E00000U)
328 -+ {
329 -+ unsigned long addr = br | 0xFFFFFFFFFFE00000UL;
330 -+ unsigned long addrh = (ldah | 0xFFFFFFFFFFFF0000UL) << 16;
331 -+ unsigned long addrl = lda | 0xFFFFFFFFFFFF0000UL;
332 -+
333 -+ regs->r27 += ((addrh ^ 0x80000000UL) + 0x80000000UL) + ((addrl ^ 0x8000UL) + 0x8000UL);
334 -+ regs->pc += 12 + (((addr ^ 0x00100000UL) + 0x00100000UL) << 2);
335 -+ return 2;
336 -+ }
337 -+ } while (0);
338 -+
339 -+ do { /* PaX: unpatched PLT emulation */
340 -+ unsigned int br;
341 -+
342 -+ err = get_user(br, (unsigned int *)regs->pc);
343 -+
344 -+ if (!err && (br & 0xFFE00000U) == 0xC3800000U) {
345 -+ unsigned int br2, ldq, nop, jmp;
346 -+ unsigned long addr = br | 0xFFFFFFFFFFE00000UL, resolver;
347 -+
348 -+ addr = regs->pc + 4 + (((addr ^ 0x00100000UL) + 0x00100000UL) << 2);
349 -+ err = get_user(br2, (unsigned int *)addr);
350 -+ err |= get_user(ldq, (unsigned int *)(addr+4));
351 -+ err |= get_user(nop, (unsigned int *)(addr+8));
352 -+ err |= get_user(jmp, (unsigned int *)(addr+12));
353 -+ err |= get_user(resolver, (unsigned long *)(addr+16));
354 -+
355 -+ if (err)
356 -+ break;
357 -+
358 -+ if (br2 == 0xC3600000U &&
359 -+ ldq == 0xA77B000CU &&
360 -+ nop == 0x47FF041FU &&
361 -+ jmp == 0x6B7B0000U)
362 -+ {
363 -+ regs->r28 = regs->pc+4;
364 -+ regs->r27 = addr+16;
365 -+ regs->pc = resolver;
366 -+ return 3;
367 -+ }
368 -+ }
369 -+ } while (0);
370 -+#endif
371 -+
372 -+ return 1;
373 -+}
374 -+
375 -+void pax_report_insns(void *pc, void *sp)
376 -+{
377 -+ unsigned long i;
378 -+
379 -+ printk(KERN_ERR "PAX: bytes at PC: ");
380 -+ for (i = 0; i < 5; i++) {
381 -+ unsigned int c;
382 -+ if (get_user(c, (unsigned int *)pc+i))
383 -+ printk("???????? ");
384 -+ else
385 -+ printk("%08x ", c);
386 -+ }
387 -+ printk("\n");
388 -+}
389 -+#endif
390 -
391 - /*
392 - * This routine handles page faults. It determines the address,
393 -@@ -131,8 +250,29 @@ do_page_fault(unsigned long address, uns
394 - good_area:
395 - si_code = SEGV_ACCERR;
396 - if (cause < 0) {
397 -- if (!(vma->vm_flags & VM_EXEC))
398 -+ if (!(vma->vm_flags & VM_EXEC)) {
399 -+
400 -+#ifdef CONFIG_PAX_PAGEEXEC
401 -+ if (!(mm->pax_flags & MF_PAX_PAGEEXEC) || address != regs->pc)
402 -+ goto bad_area;
403 -+
404 -+ up_read(&mm->mmap_sem);
405 -+ switch (pax_handle_fetch_fault(regs)) {
406 -+
407 -+#ifdef CONFIG_PAX_EMUPLT
408 -+ case 2:
409 -+ case 3:
410 -+ return;
411 -+#endif
412 -+
413 -+ }
414 -+ pax_report_fault(regs, (void *)regs->pc, (void *)rdusp());
415 -+ do_group_exit(SIGKILL);
416 -+#else
417 - goto bad_area;
418 -+#endif
419 -+
420 -+ }
421 - } else if (!cause) {
422 - /* Allow reads even for write-only mappings */
423 - if (!(vma->vm_flags & (VM_READ | VM_WRITE)))
424 -diff -urNp linux-2.6.24.4/arch/arm/mm/mmap.c linux-2.6.24.4/arch/arm/mm/mmap.c
425 ---- linux-2.6.24.4/arch/arm/mm/mmap.c 2008-03-24 14:49:18.000000000 -0400
426 -+++ linux-2.6.24.4/arch/arm/mm/mmap.c 2008-03-26 17:56:55.000000000 -0400
427 -@@ -60,6 +60,10 @@ arch_get_unmapped_area(struct file *filp
428 - if (len > TASK_SIZE)
429 - return -ENOMEM;
430 -
431 -+#ifdef CONFIG_PAX_RANDMMAP
432 -+ if (!(mm->pax_flags & MF_PAX_RANDMMAP) || !filp)
433 -+#endif
434 -+
435 - if (addr) {
436 - if (do_align)
437 - addr = COLOUR_ALIGN(addr, pgoff);
438 -@@ -72,10 +76,10 @@ arch_get_unmapped_area(struct file *filp
439 - return addr;
440 - }
441 - if (len > mm->cached_hole_size) {
442 -- start_addr = addr = mm->free_area_cache;
443 -+ start_addr = addr = mm->free_area_cache;
444 - } else {
445 -- start_addr = addr = TASK_UNMAPPED_BASE;
446 -- mm->cached_hole_size = 0;
447 -+ start_addr = addr = mm->mmap_base;
448 -+ mm->cached_hole_size = 0;
449 - }
450 -
451 - full_search:
452 -@@ -91,8 +95,8 @@ full_search:
453 - * Start a new search - just in case we missed
454 - * some holes.
455 - */
456 -- if (start_addr != TASK_UNMAPPED_BASE) {
457 -- start_addr = addr = TASK_UNMAPPED_BASE;
458 -+ if (start_addr != mm->mmap_base) {
459 -+ start_addr = addr = mm->mmap_base;
460 - mm->cached_hole_size = 0;
461 - goto full_search;
462 - }
463 -diff -urNp linux-2.6.24.4/arch/avr32/mm/fault.c linux-2.6.24.4/arch/avr32/mm/fault.c
464 ---- linux-2.6.24.4/arch/avr32/mm/fault.c 2008-03-24 14:49:18.000000000 -0400
465 -+++ linux-2.6.24.4/arch/avr32/mm/fault.c 2008-03-26 18:53:27.000000000 -0400
466 -@@ -41,6 +41,23 @@ static inline int notify_page_fault(stru
467 -
468 - int exception_trace = 1;
469 -
470 -+#ifdef CONFIG_PAX_PAGEEXEC
471 -+void pax_report_insns(void *pc, void *sp)
472 -+{
473 -+ unsigned long i;
474 -+
475 -+ printk(KERN_ERR "PAX: bytes at PC: ");
476 -+ for (i = 0; i < 20; i++) {
477 -+ unsigned char c;
478 -+ if (get_user(c, (unsigned char *)pc+i))
479 -+ printk("???????? ");
480 -+ else
481 -+ printk("%02x ", c);
482 -+ }
483 -+ printk("\n");
484 -+}
485 -+#endif
486 -+
487 - /*
488 - * This routine handles page faults. It determines the address and the
489 - * problem, and then passes it off to one of the appropriate routines.
490 -@@ -157,6 +174,16 @@ bad_area:
491 - up_read(&mm->mmap_sem);
492 -
493 - if (user_mode(regs)) {
494 -+
495 -+#ifdef CONFIG_PAX_PAGEEXEC
496 -+ if (mm->pax_flags & MF_PAX_PAGEEXEC) {
497 -+ if (ecr == ECR_PROTECTION_X || ecr == ECR_TLB_MISS_X) {
498 -+ pax_report_fault(regs, (void *)regs->pc, (void *)regs->sp);
499 -+ do_group_exit(SIGKILL);
500 -+ }
501 -+ }
502 -+#endif
503 -+
504 - if (exception_trace && printk_ratelimit())
505 - printk("%s%s[%d]: segfault at %08lx pc %08lx "
506 - "sp %08lx ecr %lu\n",
507 -diff -urNp linux-2.6.24.4/arch/ia64/ia32/binfmt_elf32.c linux-2.6.24.4/arch/ia64/ia32/binfmt_elf32.c
508 ---- linux-2.6.24.4/arch/ia64/ia32/binfmt_elf32.c 2008-03-24 14:49:18.000000000 -0400
509 -+++ linux-2.6.24.4/arch/ia64/ia32/binfmt_elf32.c 2008-03-26 17:56:55.000000000 -0400
510 -@@ -45,6 +45,13 @@ randomize_stack_top(unsigned long stack_
511 -
512 - #define elf_read_implies_exec(ex, have_pt_gnu_stack) (!(have_pt_gnu_stack))
513 -
514 -+#ifdef CONFIG_PAX_ASLR
515 -+#define PAX_ELF_ET_DYN_BASE (current->personality == PER_LINUX32 ? 0x08048000UL : 0x4000000000000000UL)
516 -+
517 -+#define PAX_DELTA_MMAP_LEN (current->personality == PER_LINUX32 ? 16 : 3*PAGE_SHIFT - 13)
518 -+#define PAX_DELTA_STACK_LEN (current->personality == PER_LINUX32 ? 16 : 3*PAGE_SHIFT - 13)
519 -+#endif
520 -+
521 - /* Ugly but avoids duplication */
522 - #include "../../../fs/binfmt_elf.c"
523 -
524 -diff -urNp linux-2.6.24.4/arch/ia64/ia32/ia32priv.h linux-2.6.24.4/arch/ia64/ia32/ia32priv.h
525 ---- linux-2.6.24.4/arch/ia64/ia32/ia32priv.h 2008-03-24 14:49:18.000000000 -0400
526 -+++ linux-2.6.24.4/arch/ia64/ia32/ia32priv.h 2008-03-26 17:56:55.000000000 -0400
527 -@@ -303,7 +303,14 @@ struct old_linux32_dirent {
528 - #define ELF_DATA ELFDATA2LSB
529 - #define ELF_ARCH EM_386
530 -
531 --#define IA32_STACK_TOP IA32_PAGE_OFFSET
532 -+#ifdef CONFIG_PAX_RANDUSTACK
533 -+#define __IA32_DELTA_STACK (current->mm->delta_stack)
534 -+#else
535 -+#define __IA32_DELTA_STACK 0UL
536 -+#endif
537 -+
538 -+#define IA32_STACK_TOP (IA32_PAGE_OFFSET - __IA32_DELTA_STACK)
539 -+
540 - #define IA32_GATE_OFFSET IA32_PAGE_OFFSET
541 - #define IA32_GATE_END IA32_PAGE_OFFSET + PAGE_SIZE
542 -
543 -diff -urNp linux-2.6.24.4/arch/ia64/kernel/module.c linux-2.6.24.4/arch/ia64/kernel/module.c
544 ---- linux-2.6.24.4/arch/ia64/kernel/module.c 2008-03-24 14:49:18.000000000 -0400
545 -+++ linux-2.6.24.4/arch/ia64/kernel/module.c 2008-03-26 17:56:55.000000000 -0400
546 -@@ -321,7 +321,7 @@ module_alloc (unsigned long size)
547 - void
548 - module_free (struct module *mod, void *module_region)
549 - {
550 -- if (mod->arch.init_unw_table && module_region == mod->module_init) {
551 -+ if (mod->arch.init_unw_table && module_region == mod->module_init_rx) {
552 - unw_remove_unwind_table(mod->arch.init_unw_table);
553 - mod->arch.init_unw_table = NULL;
554 - }
555 -@@ -499,15 +499,39 @@ module_frob_arch_sections (Elf_Ehdr *ehd
556 - }
557 -
558 - static inline int
559 -+in_init_rx (const struct module *mod, uint64_t addr)
560 -+{
561 -+ return addr - (uint64_t) mod->module_init_rx < mod->init_size_rx;
562 -+}
563 -+
564 -+static inline int
565 -+in_init_rw (const struct module *mod, uint64_t addr)
566 -+{
567 -+ return addr - (uint64_t) mod->module_init_rw < mod->init_size_rw;
568 -+}
569 -+
570 -+static inline int
571 - in_init (const struct module *mod, uint64_t addr)
572 - {
573 -- return addr - (uint64_t) mod->module_init < mod->init_size;
574 -+ return in_init_rx(mod, value) || in_init_rw(mod, value);
575 -+}
576 -+
577 -+static inline int
578 -+in_core_rx (const struct module *mod, uint64_t addr)
579 -+{
580 -+ return addr - (uint64_t) mod->module_core_rx < mod->core_size_rx;
581 -+}
582 -+
583 -+static inline int
584 -+in_core_rw (const struct module *mod, uint64_t addr)
585 -+{
586 -+ return addr - (uint64_t) mod->module_core_rw < mod->core_size_rw;
587 - }
588 -
589 - static inline int
590 - in_core (const struct module *mod, uint64_t addr)
591 - {
592 -- return addr - (uint64_t) mod->module_core < mod->core_size;
593 -+ return in_core_rx(mod, addr) || in_core_rw(mod, addr);
594 - }
595 -
596 - static inline int
597 -@@ -691,7 +715,14 @@ do_reloc (struct module *mod, uint8_t r_
598 - break;
599 -
600 - case RV_BDREL:
601 -- val -= (uint64_t) (in_init(mod, val) ? mod->module_init : mod->module_core);
602 -+ if (in_init_rx(mod, val))
603 -+ val -= (uint64_t) mod->module_init_rx;
604 -+ else if (in_init_rw(mod, val))
605 -+ val -= (uint64_t) mod->module_init_rw;
606 -+ else if (in_core_rx(mod, val))
607 -+ val -= (uint64_t) mod->module_core_rx;
608 -+ else if (in_core_rw(mod, val))
609 -+ val -= (uint64_t) mod->module_core_rw;
610 - break;
611 -
612 - case RV_LTV:
613 -@@ -825,15 +856,15 @@ apply_relocate_add (Elf64_Shdr *sechdrs,
614 - * addresses have been selected...
615 - */
616 - uint64_t gp;
617 -- if (mod->core_size > MAX_LTOFF)
618 -+ if (mod->core_size_rx + mod->core_size_rw > MAX_LTOFF)
619 - /*
620 - * This takes advantage of fact that SHF_ARCH_SMALL gets allocated
621 - * at the end of the module.
622 - */
623 -- gp = mod->core_size - MAX_LTOFF / 2;
624 -+ gp = mod->core_size_rx + mod->core_size_rw - MAX_LTOFF / 2;
625 - else
626 -- gp = mod->core_size / 2;
627 -- gp = (uint64_t) mod->module_core + ((gp + 7) & -8);
628 -+ gp = (mod->core_size_rx + mod->core_size_rw) / 2;
629 -+ gp = (uint64_t) mod->module_core_rx + ((gp + 7) & -8);
630 - mod->arch.gp = gp;
631 - DEBUGP("%s: placing gp at 0x%lx\n", __FUNCTION__, gp);
632 - }
633 -diff -urNp linux-2.6.24.4/arch/ia64/kernel/ptrace.c linux-2.6.24.4/arch/ia64/kernel/ptrace.c
634 ---- linux-2.6.24.4/arch/ia64/kernel/ptrace.c 2008-03-24 14:49:18.000000000 -0400
635 -+++ linux-2.6.24.4/arch/ia64/kernel/ptrace.c 2008-03-26 17:56:55.000000000 -0400
636 -@@ -17,6 +17,7 @@
637 - #include <linux/security.h>
638 - #include <linux/audit.h>
639 - #include <linux/signal.h>
640 -+#include <linux/grsecurity.h>
641 -
642 - #include <asm/pgtable.h>
643 - #include <asm/processor.h>
644 -@@ -1451,6 +1452,9 @@ sys_ptrace (long request, pid_t pid, uns
645 - if (pid == 1) /* no messing around with init! */
646 - goto out_tsk;
647 -
648 -+ if (gr_handle_ptrace(child, request))
649 -+ goto out_tsk;
650 -+
651 - if (request == PTRACE_ATTACH) {
652 - ret = ptrace_attach(child);
653 - goto out_tsk;
654 -diff -urNp linux-2.6.24.4/arch/ia64/kernel/sys_ia64.c linux-2.6.24.4/arch/ia64/kernel/sys_ia64.c
655 ---- linux-2.6.24.4/arch/ia64/kernel/sys_ia64.c 2008-03-24 14:49:18.000000000 -0400
656 -+++ linux-2.6.24.4/arch/ia64/kernel/sys_ia64.c 2008-03-26 17:56:55.000000000 -0400
657 -@@ -43,6 +43,13 @@ arch_get_unmapped_area (struct file *fil
658 - if (REGION_NUMBER(addr) == RGN_HPAGE)
659 - addr = 0;
660 - #endif
661 -+
662 -+#ifdef CONFIG_PAX_RANDMMAP
663 -+ if ((mm->pax_flags & MF_PAX_RANDMMAP) && addr && filp)
664 -+ addr = mm->free_area_cache;
665 -+ else
666 -+#endif
667 -+
668 - if (!addr)
669 - addr = mm->free_area_cache;
670 -
671 -@@ -61,9 +68,9 @@ arch_get_unmapped_area (struct file *fil
672 - for (vma = find_vma(mm, addr); ; vma = vma->vm_next) {
673 - /* At this point: (!vma || addr < vma->vm_end). */
674 - if (TASK_SIZE - len < addr || RGN_MAP_LIMIT - len < REGION_OFFSET(addr)) {
675 -- if (start_addr != TASK_UNMAPPED_BASE) {
676 -+ if (start_addr != mm->mmap_base) {
677 - /* Start a new search --- just in case we missed some holes. */
678 -- addr = TASK_UNMAPPED_BASE;
679 -+ addr = mm->mmap_base;
680 - goto full_search;
681 - }
682 - return -ENOMEM;
683 -diff -urNp linux-2.6.24.4/arch/ia64/mm/fault.c linux-2.6.24.4/arch/ia64/mm/fault.c
684 ---- linux-2.6.24.4/arch/ia64/mm/fault.c 2008-03-24 14:49:18.000000000 -0400
685 -+++ linux-2.6.24.4/arch/ia64/mm/fault.c 2008-03-26 18:53:27.000000000 -0400
686 -@@ -10,6 +10,7 @@
687 - #include <linux/interrupt.h>
688 - #include <linux/kprobes.h>
689 - #include <linux/kdebug.h>
690 -+#include <linux/binfmts.h>
691 -
692 - #include <asm/pgtable.h>
693 - #include <asm/processor.h>
694 -@@ -72,6 +73,23 @@ mapped_kernel_page_is_present (unsigned
695 - return pte_present(pte);
696 - }
697 -
698 -+#ifdef CONFIG_PAX_PAGEEXEC
699 -+void pax_report_insns(void *pc, void *sp)
700 -+{
701 -+ unsigned long i;
702 -+
703 -+ printk(KERN_ERR "PAX: bytes at PC: ");
704 -+ for (i = 0; i < 8; i++) {
705 -+ unsigned int c;
706 -+ if (get_user(c, (unsigned int *)pc+i))
707 -+ printk("???????? ");
708 -+ else
709 -+ printk("%08x ", c);
710 -+ }
711 -+ printk("\n");
712 -+}
713 -+#endif
714 -+
715 - void __kprobes
716 - ia64_do_page_fault (unsigned long address, unsigned long isr, struct pt_regs *regs)
717 - {
718 -@@ -145,9 +163,23 @@ ia64_do_page_fault (unsigned long addres
719 - mask = ( (((isr >> IA64_ISR_X_BIT) & 1UL) << VM_EXEC_BIT)
720 - | (((isr >> IA64_ISR_W_BIT) & 1UL) << VM_WRITE_BIT));
721 -
722 -- if ((vma->vm_flags & mask) != mask)
723 -+ if ((vma->vm_flags & mask) != mask) {
724 -+
725 -+#ifdef CONFIG_PAX_PAGEEXEC
726 -+ if (!(vma->vm_flags & VM_EXEC) && (mask & VM_EXEC)) {
727 -+ if (!(mm->pax_flags & MF_PAX_PAGEEXEC) || address != regs->cr_iip)
728 -+ goto bad_area;
729 -+
730 -+ up_read(&mm->mmap_sem);
731 -+ pax_report_fault(regs, (void *)regs->cr_iip, (void *)regs->r12);
732 -+ do_group_exit(SIGKILL);
733 -+ }
734 -+#endif
735 -+
736 - goto bad_area;
737 -
738 -+ }
739 -+
740 - survive:
741 - /*
742 - * If for any reason at all we couldn't handle the fault, make
743 -diff -urNp linux-2.6.24.4/arch/ia64/mm/init.c linux-2.6.24.4/arch/ia64/mm/init.c
744 ---- linux-2.6.24.4/arch/ia64/mm/init.c 2008-03-24 14:49:18.000000000 -0400
745 -+++ linux-2.6.24.4/arch/ia64/mm/init.c 2008-03-26 17:56:55.000000000 -0400
746 -@@ -20,8 +20,8 @@
747 - #include <linux/proc_fs.h>
748 - #include <linux/bitops.h>
749 - #include <linux/kexec.h>
750 -+#include <linux/a.out.h>
751 -
752 --#include <asm/a.out.h>
753 - #include <asm/dma.h>
754 - #include <asm/ia32.h>
755 - #include <asm/io.h>
756 -@@ -128,6 +128,19 @@ ia64_init_addr_space (void)
757 - vma->vm_start = current->thread.rbs_bot & PAGE_MASK;
758 - vma->vm_end = vma->vm_start + PAGE_SIZE;
759 - vma->vm_flags = VM_DATA_DEFAULT_FLAGS|VM_GROWSUP|VM_ACCOUNT;
760 -+
761 -+#ifdef CONFIG_PAX_PAGEEXEC
762 -+ if (current->mm->pax_flags & MF_PAX_PAGEEXEC) {
763 -+ vm->vm_flags &= ~VM_EXEC;
764 -+
765 -+#ifdef CONFIG_PAX_MPROTECT
766 -+ if (current->mm->pax_flags & MF_PAX_MPROTECT)
767 -+ vma->vm_flags &= ~VM_MAYEXEC;
768 -+#endif
769 -+
770 -+ }
771 -+#endif
772 -+
773 - vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
774 - down_write(&current->mm->mmap_sem);
775 - if (insert_vm_struct(current->mm, vma)) {
776 -diff -urNp linux-2.6.24.4/arch/mips/kernel/binfmt_elfn32.c linux-2.6.24.4/arch/mips/kernel/binfmt_elfn32.c
777 ---- linux-2.6.24.4/arch/mips/kernel/binfmt_elfn32.c 2008-03-24 14:49:18.000000000 -0400
778 -+++ linux-2.6.24.4/arch/mips/kernel/binfmt_elfn32.c 2008-03-26 17:56:55.000000000 -0400
779 -@@ -50,6 +50,13 @@ typedef elf_fpreg_t elf_fpregset_t[ELF_N
780 - #undef ELF_ET_DYN_BASE
781 - #define ELF_ET_DYN_BASE (TASK32_SIZE / 3 * 2)
782 -
783 -+#ifdef CONFIG_PAX_ASLR
784 -+#define PAX_ELF_ET_DYN_BASE ((current->thread.mflags & MF_32BIT_ADDR) ? 0x00400000UL : 0x00400000UL)
785 -+
786 -+#define PAX_DELTA_MMAP_LEN ((current->thread.mflags & MF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
787 -+#define PAX_DELTA_STACK_LEN ((current->thread.mflags & MF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
788 -+#endif
789 -+
790 - #include <asm/processor.h>
791 - #include <linux/module.h>
792 - #include <linux/elfcore.h>
793 -diff -urNp linux-2.6.24.4/arch/mips/kernel/binfmt_elfo32.c linux-2.6.24.4/arch/mips/kernel/binfmt_elfo32.c
794 ---- linux-2.6.24.4/arch/mips/kernel/binfmt_elfo32.c 2008-03-24 14:49:18.000000000 -0400
795 -+++ linux-2.6.24.4/arch/mips/kernel/binfmt_elfo32.c 2008-03-26 17:56:55.000000000 -0400
796 -@@ -52,6 +52,13 @@ typedef elf_fpreg_t elf_fpregset_t[ELF_N
797 - #undef ELF_ET_DYN_BASE
798 - #define ELF_ET_DYN_BASE (TASK32_SIZE / 3 * 2)
799 -
800 -+#ifdef CONFIG_PAX_ASLR
801 -+#define PAX_ELF_ET_DYN_BASE ((current->thread.mflags & MF_32BIT_ADDR) ? 0x00400000UL : 0x00400000UL)
802 -+
803 -+#define PAX_DELTA_MMAP_LEN ((current->thread.mflags & MF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
804 -+#define PAX_DELTA_STACK_LEN ((current->thread.mflags & MF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
805 -+#endif
806 -+
807 - #include <asm/processor.h>
808 - #include <linux/module.h>
809 - #include <linux/elfcore.h>
810 -diff -urNp linux-2.6.24.4/arch/mips/kernel/syscall.c linux-2.6.24.4/arch/mips/kernel/syscall.c
811 ---- linux-2.6.24.4/arch/mips/kernel/syscall.c 2008-03-24 14:49:18.000000000 -0400
812 -+++ linux-2.6.24.4/arch/mips/kernel/syscall.c 2008-03-26 17:56:55.000000000 -0400
813 -@@ -93,6 +93,11 @@ unsigned long arch_get_unmapped_area(str
814 - do_color_align = 0;
815 - if (filp || (flags & MAP_SHARED))
816 - do_color_align = 1;
817 -+
818 -+#ifdef CONFIG_PAX_RANDMMAP
819 -+ if (!(current->mm->pax_flags & MF_PAX_RANDMMAP) || !filp)
820 -+#endif
821 -+
822 - if (addr) {
823 - if (do_color_align)
824 - addr = COLOUR_ALIGN(addr, pgoff);
825 -@@ -103,7 +108,7 @@ unsigned long arch_get_unmapped_area(str
826 - (!vmm || addr + len <= vmm->vm_start))
827 - return addr;
828 - }
829 -- addr = TASK_UNMAPPED_BASE;
830 -+ addr = current->mm->mmap_base;
831 - if (do_color_align)
832 - addr = COLOUR_ALIGN(addr, pgoff);
833 - else
834 -diff -urNp linux-2.6.24.4/arch/mips/mm/fault.c linux-2.6.24.4/arch/mips/mm/fault.c
835 ---- linux-2.6.24.4/arch/mips/mm/fault.c 2008-03-24 14:49:18.000000000 -0400
836 -+++ linux-2.6.24.4/arch/mips/mm/fault.c 2008-03-26 17:56:55.000000000 -0400
837 -@@ -26,6 +26,23 @@
838 - #include <asm/ptrace.h>
839 - #include <asm/highmem.h> /* For VMALLOC_END */
840 -
841 -+#ifdef CONFIG_PAX_PAGEEXEC
842 -+void pax_report_insns(void *pc)
843 -+{
844 -+ unsigned long i;
845 -+
846 -+ printk(KERN_ERR "PAX: bytes at PC: ");
847 -+ for (i = 0; i < 5; i++) {
848 -+ unsigned int c;
849 -+ if (get_user(c, (unsigned int *)pc+i))
850 -+ printk("???????? ");
851 -+ else
852 -+ printk("%08x ", c);
853 -+ }
854 -+ printk("\n");
855 -+}
856 -+#endif
857 -+
858 - /*
859 - * This routine handles page faults. It determines the address,
860 - * and the problem, and then passes it off to one of the appropriate
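Review bot: `pax_report_insns(void *pc)` is declared with one argument here, while the parisc and powerpc definitions later in this patch use `pax_report_insns(void *pc, void *sp)`; the generic caller can only match one prototype, so the MIPS signature should be brought in line with the others (and `sp`, which none of the three bodies use, either dropped everywhere or actually printed).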
861 -diff -urNp linux-2.6.24.4/arch/parisc/kernel/module.c linux-2.6.24.4/arch/parisc/kernel/module.c
862 ---- linux-2.6.24.4/arch/parisc/kernel/module.c 2008-03-24 14:49:18.000000000 -0400
863 -+++ linux-2.6.24.4/arch/parisc/kernel/module.c 2008-03-26 17:56:55.000000000 -0400
864 -@@ -73,16 +73,38 @@
865 -
866 - /* three functions to determine where in the module core
867 - * or init pieces the location is */
868 -+static inline int in_init_rx(struct module *me, void *loc)
869 -+{
870 -+ return (loc >= me->module_init_rx &&
871 -+ loc < (me->module_init_rx + me->init_size_rx));
872 -+}
873 -+
874 -+static inline int in_init_rw(struct module *me, void *loc)
875 -+{
876 -+ return (loc >= me->module_init_rw &&
877 -+ loc < (me->module_init_rw + me->init_size_rw));
878 -+}
879 -+
880 - static inline int in_init(struct module *me, void *loc)
881 - {
882 -- return (loc >= me->module_init &&
883 -- loc <= (me->module_init + me->init_size));
884 -+ return in_init_rx(me, loc) || in_init_rw(me, loc);
885 -+}
886 -+
887 -+static inline int in_core_rx(struct module *me, void *loc)
888 -+{
889 -+ return (loc >= me->module_core_rx &&
890 -+ loc < (me->module_core_rx + me->core_size_rx));
891 -+}
892 -+
893 -+static inline int in_core_rw(struct module *me, void *loc)
894 -+{
895 -+ return (loc >= me->module_core_rw &&
896 -+ loc < (me->module_core_rw + me->core_size_rw));
897 - }
898 -
899 - static inline int in_core(struct module *me, void *loc)
900 - {
901 -- return (loc >= me->module_core &&
902 -- loc <= (me->module_core + me->core_size));
903 -+ return in_core_rx(me, loc) || in_core_rw(me, loc);
904 - }
905 -
906 - static inline int in_local(struct module *me, void *loc)
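Review bot: the new range helpers change the upper-bound test from `<=` to `<`: the old in_init/in_core accepted `loc == me->module_init + me->init_size`, the one-past-the-end address, and in_init_rx/in_init_rw/in_core_rx/in_core_rw reject it. That is an off-by-one fix in its own right and should be called out in the commit message, since it is easy to read as an incidental part of the rx/rw split.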
907 -@@ -296,21 +318,21 @@ int module_frob_arch_sections(CONST Elf_
908 - }
909 -
910 - /* align things a bit */
911 -- me->core_size = ALIGN(me->core_size, 16);
912 -- me->arch.got_offset = me->core_size;
913 -- me->core_size += gots * sizeof(struct got_entry);
914 --
915 -- me->core_size = ALIGN(me->core_size, 16);
916 -- me->arch.fdesc_offset = me->core_size;
917 -- me->core_size += fdescs * sizeof(Elf_Fdesc);
918 --
919 -- me->core_size = ALIGN(me->core_size, 16);
920 -- me->arch.stub_offset = me->core_size;
921 -- me->core_size += stubs * sizeof(struct stub_entry);
922 --
923 -- me->init_size = ALIGN(me->init_size, 16);
924 -- me->arch.init_stub_offset = me->init_size;
925 -- me->init_size += init_stubs * sizeof(struct stub_entry);
926 -+ me->core_size_rw = ALIGN(me->core_size_rw, 16);
927 -+ me->arch.got_offset = me->core_size_rw;
928 -+ me->core_size_rw += gots * sizeof(struct got_entry);
929 -+
930 -+ me->core_size_rw = ALIGN(me->core_size_rw, 16);
931 -+ me->arch.fdesc_offset = me->core_size_rw;
932 -+ me->core_size_rw += fdescs * sizeof(Elf_Fdesc);
933 -+
934 -+ me->core_size_rx = ALIGN(me->core_size_rx, 16);
935 -+ me->arch.stub_offset = me->core_size_rx;
936 -+ me->core_size_rx += stubs * sizeof(struct stub_entry);
937 -+
938 -+ me->init_size_rx = ALIGN(me->init_size_rx, 16);
939 -+ me->arch.init_stub_offset = me->init_size_rx;
940 -+ me->init_size_rx += init_stubs * sizeof(struct stub_entry);
941 -
942 - me->arch.got_max = gots;
943 - me->arch.fdesc_max = fdescs;
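Review bot: the layout split is only discoverable by reading this hunk: got_offset and fdesc_offset are now relative to core_size_rw, stub_offset to core_size_rx and init_stub_offset to init_size_rx. A comment above `/* align things a bit */` stating which base each offset pairs with would stop a future caller from combining an offset with the wrong region, which is exactly the invariant the get_got, get_fdesc, get_stub and register_unwind_table hunks below each have to preserve by hand.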
944 -@@ -330,7 +352,7 @@ static Elf64_Word get_got(struct module
945 -
946 - BUG_ON(value == 0);
947 -
948 -- got = me->module_core + me->arch.got_offset;
949 -+ got = me->module_core_rw + me->arch.got_offset;
950 - for (i = 0; got[i].addr; i++)
951 - if (got[i].addr == value)
952 - goto out;
953 -@@ -348,7 +370,7 @@ static Elf64_Word get_got(struct module
954 - #ifdef CONFIG_64BIT
955 - static Elf_Addr get_fdesc(struct module *me, unsigned long value)
956 - {
957 -- Elf_Fdesc *fdesc = me->module_core + me->arch.fdesc_offset;
958 -+ Elf_Fdesc *fdesc = me->module_core_rw + me->arch.fdesc_offset;
959 -
960 - if (!value) {
961 - printk(KERN_ERR "%s: zero OPD requested!\n", me->name);
962 -@@ -366,7 +388,7 @@ static Elf_Addr get_fdesc(struct module
963 -
964 - /* Create new one */
965 - fdesc->addr = value;
966 -- fdesc->gp = (Elf_Addr)me->module_core + me->arch.got_offset;
967 -+ fdesc->gp = (Elf_Addr)me->module_core_rw + me->arch.got_offset;
968 - return (Elf_Addr)fdesc;
969 - }
970 - #endif /* CONFIG_64BIT */
971 -@@ -386,12 +408,12 @@ static Elf_Addr get_stub(struct module *
972 - if(init_section) {
973 - i = me->arch.init_stub_count++;
974 - BUG_ON(me->arch.init_stub_count > me->arch.init_stub_max);
975 -- stub = me->module_init + me->arch.init_stub_offset +
976 -+ stub = me->module_init_rx + me->arch.init_stub_offset +
977 - i * sizeof(struct stub_entry);
978 - } else {
979 - i = me->arch.stub_count++;
980 - BUG_ON(me->arch.stub_count > me->arch.stub_max);
981 -- stub = me->module_core + me->arch.stub_offset +
982 -+ stub = me->module_core_rx + me->arch.stub_offset +
983 - i * sizeof(struct stub_entry);
984 - }
985 -
986 -@@ -759,7 +781,7 @@ register_unwind_table(struct module *me,
987 -
988 - table = (unsigned char *)sechdrs[me->arch.unwind_section].sh_addr;
989 - end = table + sechdrs[me->arch.unwind_section].sh_size;
990 -- gp = (Elf_Addr)me->module_core + me->arch.got_offset;
991 -+ gp = (Elf_Addr)me->module_core_rw + me->arch.got_offset;
992 -
993 - DEBUGP("register_unwind_table(), sect = %d at 0x%p - 0x%p (gp=0x%lx)\n",
994 - me->arch.unwind_section, table, end, gp);
995 -diff -urNp linux-2.6.24.4/arch/parisc/kernel/sys_parisc.c linux-2.6.24.4/arch/parisc/kernel/sys_parisc.c
996 ---- linux-2.6.24.4/arch/parisc/kernel/sys_parisc.c 2008-03-24 14:49:18.000000000 -0400
997 -+++ linux-2.6.24.4/arch/parisc/kernel/sys_parisc.c 2008-03-26 17:56:55.000000000 -0400
998 -@@ -111,7 +111,7 @@ unsigned long arch_get_unmapped_area(str
999 - if (flags & MAP_FIXED)
1000 - return addr;
1001 - if (!addr)
1002 -- addr = TASK_UNMAPPED_BASE;
1003 -+ addr = current->mm->mmap_base;
1004 -
1005 - if (filp) {
1006 - addr = get_shared_area(filp->f_mapping, addr, len, pgoff);
1007 -diff -urNp linux-2.6.24.4/arch/parisc/kernel/traps.c linux-2.6.24.4/arch/parisc/kernel/traps.c
1008 ---- linux-2.6.24.4/arch/parisc/kernel/traps.c 2008-03-24 14:49:18.000000000 -0400
1009 -+++ linux-2.6.24.4/arch/parisc/kernel/traps.c 2008-03-26 17:56:55.000000000 -0400
1010 -@@ -713,9 +713,7 @@ void handle_interruption(int code, struc
1011 -
1012 - down_read(&current->mm->mmap_sem);
1013 - vma = find_vma(current->mm,regs->iaoq[0]);
1014 -- if (vma && (regs->iaoq[0] >= vma->vm_start)
1015 -- && (vma->vm_flags & VM_EXEC)) {
1016 --
1017 -+ if (vma && (regs->iaoq[0] >= vma->vm_start)) {
1018 - fault_address = regs->iaoq[0];
1019 - fault_space = regs->iasq[0];
1020 -
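Review bot: removing the `(vma->vm_flags & VM_EXEC)` condition in handle_interruption is not guarded by CONFIG_PAX_PAGEEXEC, so a kernel built without PaX also changes behaviour: an instruction fetch from a non-executable vma now takes the fault_address/do_page_fault path instead of the previous else branch. If that is intended for all configurations, say so in a comment; otherwise keep the VM_EXEC test under `#ifndef CONFIG_PAX_PAGEEXEC`.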
1021 -diff -urNp linux-2.6.24.4/arch/parisc/mm/fault.c linux-2.6.24.4/arch/parisc/mm/fault.c
1022 ---- linux-2.6.24.4/arch/parisc/mm/fault.c 2008-03-24 14:49:18.000000000 -0400
1023 -+++ linux-2.6.24.4/arch/parisc/mm/fault.c 2008-03-26 18:53:27.000000000 -0400
1024 -@@ -16,6 +16,8 @@
1025 - #include <linux/sched.h>
1026 - #include <linux/interrupt.h>
1027 - #include <linux/module.h>
1028 -+#include <linux/unistd.h>
1029 -+#include <linux/binfmts.h>
1030 -
1031 - #include <asm/uaccess.h>
1032 - #include <asm/traps.h>
1033 -@@ -53,7 +55,7 @@ DEFINE_PER_CPU(struct exception_data, ex
1034 - static unsigned long
1035 - parisc_acctyp(unsigned long code, unsigned int inst)
1036 - {
1037 -- if (code == 6 || code == 16)
1038 -+ if (code == 6 || code == 7 || code == 16)
1039 - return VM_EXEC;
1040 -
1041 - switch (inst & 0xf0000000) {
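Review bot: `code == 7` is added to the interruption codes that parisc_acctyp treats as an instruction fetch (VM_EXEC) without a comment naming the trap. The existing 6 and 16 were equally opaque, but since the PAGEEXEC handling in do_page_fault below depends on this classification, a one-line comment saying which interruption code 7 is and why it must map to VM_EXEC would make the dependency explicit.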
1042 -@@ -139,6 +141,116 @@ parisc_acctyp(unsigned long code, unsign
1043 - }
1044 - #endif
1045 -
1046 -+#ifdef CONFIG_PAX_PAGEEXEC
1047 -+/*
1048 -+ * PaX: decide what to do with offenders (instruction_pointer(regs) = fault address)
1049 -+ *
1050 -+ * returns 1 when task should be killed
1051 -+ * 2 when rt_sigreturn trampoline was detected
1052 -+ * 3 when unpatched PLT trampoline was detected
1053 -+ */
1054 -+static int pax_handle_fetch_fault(struct pt_regs *regs)
1055 -+{
1056 -+
1057 -+#ifdef CONFIG_PAX_EMUPLT
1058 -+ int err;
1059 -+
1060 -+ do { /* PaX: unpatched PLT emulation */
1061 -+ unsigned int bl, depwi;
1062 -+
1063 -+ err = get_user(bl, (unsigned int *)instruction_pointer(regs));
1064 -+ err |= get_user(depwi, (unsigned int *)(instruction_pointer(regs)+4));
1065 -+
1066 -+ if (err)
1067 -+ break;
1068 -+
1069 -+ if (bl == 0xEA9F1FDDU && depwi == 0xD6801C1EU) {
1070 -+ unsigned int ldw, bv, ldw2, addr = instruction_pointer(regs)-12;
1071 -+
1072 -+ err = get_user(ldw, (unsigned int *)addr);
1073 -+ err |= get_user(bv, (unsigned int *)(addr+4));
1074 -+ err |= get_user(ldw2, (unsigned int *)(addr+8));
1075 -+
1076 -+ if (err)
1077 -+ break;
1078 -+
1079 -+ if (ldw == 0x0E801096U &&
1080 -+ bv == 0xEAC0C000U &&
1081 -+ ldw2 == 0x0E881095U)
1082 -+ {
1083 -+ unsigned int resolver, map;
1084 -+
1085 -+ err = get_user(resolver, (unsigned int *)(instruction_pointer(regs)+8));
1086 -+ err |= get_user(map, (unsigned int *)(instruction_pointer(regs)+12));
1087 -+ if (err)
1088 -+ break;
1089 -+
1090 -+ regs->gr[20] = instruction_pointer(regs)+8;
1091 -+ regs->gr[21] = map;
1092 -+ regs->gr[22] = resolver;
1093 -+ regs->iaoq[0] = resolver | 3UL;
1094 -+ regs->iaoq[1] = regs->iaoq[0] + 4;
1095 -+ return 3;
1096 -+ }
1097 -+ }
1098 -+ } while (0);
1099 -+#endif
1100 -+
1101 -+#ifdef CONFIG_PAX_EMUTRAMP
1102 -+
1103 -+#ifndef CONFIG_PAX_EMUSIGRT
1104 -+ if (!(current->mm->pax_flags & MF_PAX_EMUTRAMP))
1105 -+ return 1;
1106 -+#endif
1107 -+
1108 -+ do { /* PaX: rt_sigreturn emulation */
1109 -+ unsigned int ldi1, ldi2, bel, nop;
1110 -+
1111 -+ err = get_user(ldi1, (unsigned int *)instruction_pointer(regs));
1112 -+ err |= get_user(ldi2, (unsigned int *)(instruction_pointer(regs)+4));
1113 -+ err |= get_user(bel, (unsigned int *)(instruction_pointer(regs)+8));
1114 -+ err |= get_user(nop, (unsigned int *)(instruction_pointer(regs)+12));
1115 -+
1116 -+ if (err)
1117 -+ break;
1118 -+
1119 -+ if ((ldi1 == 0x34190000U || ldi1 == 0x34190002U) &&
1120 -+ ldi2 == 0x3414015AU &&
1121 -+ bel == 0xE4008200U &&
1122 -+ nop == 0x08000240U)
1123 -+ {
1124 -+ regs->gr[25] = (ldi1 & 2) >> 1;
1125 -+ regs->gr[20] = __NR_rt_sigreturn;
1126 -+ regs->gr[31] = regs->iaoq[1] + 16;
1127 -+ regs->sr[0] = regs->iasq[1];
1128 -+ regs->iaoq[0] = 0x100UL;
1129 -+ regs->iaoq[1] = regs->iaoq[0] + 4;
1130 -+ regs->iasq[0] = regs->sr[2];
1131 -+ regs->iasq[1] = regs->sr[2];
1132 -+ return 2;
1133 -+ }
1134 -+ } while (0);
1135 -+#endif
1136 -+
1137 -+ return 1;
1138 -+}
1139 -+
1140 -+void pax_report_insns(void *pc, void *sp)
1141 -+{
1142 -+ unsigned long i;
1143 -+
1144 -+ printk(KERN_ERR "PAX: bytes at PC: ");
1145 -+ for (i = 0; i < 5; i++) {
1146 -+ unsigned int c;
1147 -+ if (get_user(c, (unsigned int *)pc+i))
1148 -+ printk("???????? ");
1149 -+ else
1150 -+ printk("%08x ", c);
1151 -+ }
1152 -+ printk("\n");
1153 -+}
1154 -+#endif
1155 -+
1156 - void do_page_fault(struct pt_regs *regs, unsigned long code,
1157 - unsigned long address)
1158 - {
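Review bot: `err` is declared only inside `#ifdef CONFIG_PAX_EMUPLT` (the `int err;` right after the opening brace of pax_handle_fetch_fault) but is assigned in the `#ifdef CONFIG_PAX_EMUTRAMP` block (`err = get_user(ldi1, ...)`), so a configuration with EMUTRAMP enabled and EMUPLT disabled does not compile. Declare it the way the powerpc version of this function does, under `#if defined(CONFIG_PAX_EMUPLT) || defined(CONFIG_PAX_EMUTRAMP)`, or unconditionally. Minor: `pax_report_insns(void *pc, void *sp)` never uses `sp`.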
1159 -@@ -165,8 +277,33 @@ good_area:
1160 -
1161 - acc_type = parisc_acctyp(code,regs->iir);
1162 -
1163 -- if ((vma->vm_flags & acc_type) != acc_type)
1164 -+ if ((vma->vm_flags & acc_type) != acc_type) {
1165 -+
1166 -+#ifdef CONFIG_PAX_PAGEEXEC
1167 -+ if ((mm->pax_flags & MF_PAX_PAGEEXEC) && (acc_type & VM_EXEC) &&
1168 -+ (address & ~3UL) == instruction_pointer(regs))
1169 -+ {
1170 -+ up_read(&mm->mmap_sem);
1171 -+ switch (pax_handle_fetch_fault(regs)) {
1172 -+
1173 -+#ifdef CONFIG_PAX_EMUPLT
1174 -+ case 3:
1175 -+ return;
1176 -+#endif
1177 -+
1178 -+#ifdef CONFIG_PAX_EMUTRAMP
1179 -+ case 2:
1180 -+ return;
1181 -+#endif
1182 -+
1183 -+ }
1184 -+ pax_report_fault(regs, (void *)instruction_pointer(regs), (void *)regs->gr[30]);
1185 -+ do_group_exit(SIGKILL);
1186 -+ }
1187 -+#endif
1188 -+
1189 - goto bad_area;
1190 -+ }
1191 -
1192 - /*
1193 - * If for any reason at all we couldn't handle the fault, make
1194 -diff -urNp linux-2.6.24.4/arch/powerpc/kernel/module_32.c linux-2.6.24.4/arch/powerpc/kernel/module_32.c
1195 ---- linux-2.6.24.4/arch/powerpc/kernel/module_32.c 2008-03-24 14:49:18.000000000 -0400
1196 -+++ linux-2.6.24.4/arch/powerpc/kernel/module_32.c 2008-03-26 17:56:55.000000000 -0400
1197 -@@ -126,7 +126,7 @@ int module_frob_arch_sections(Elf32_Ehdr
1198 - me->arch.core_plt_section = i;
1199 - }
1200 - if (!me->arch.core_plt_section || !me->arch.init_plt_section) {
1201 -- printk("Module doesn't contain .plt or .init.plt sections.\n");
1202 -+ printk("Module %s doesn't contain .plt or .init.plt sections.\n", me->name);
1203 - return -ENOEXEC;
1204 - }
1205 -
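Review bot: the printk gains `me->name` but still carries no KERN_ level; since this is an error path that returns -ENOEXEC, use `printk(KERN_ERR "Module %s doesn't contain ...", me->name)` to match the new message added in the do_plt_call hunk below.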
1206 -@@ -167,11 +167,16 @@ static uint32_t do_plt_call(void *locati
1207 -
1208 - DEBUGP("Doing plt for call to 0x%x at 0x%x\n", val, (unsigned int)location);
1209 - /* Init, or core PLT? */
1210 -- if (location >= mod->module_core
1211 -- && location < mod->module_core + mod->core_size)
1212 -+ if ((location >= mod->module_core_rx && location < mod->module_core_rx + mod->core_size_rx) ||
1213 -+ (location >= mod->module_core_rw && location < mod->module_core_rw + mod->core_size_rw))
1214 - entry = (void *)sechdrs[mod->arch.core_plt_section].sh_addr;
1215 -- else
1216 -+ else if ((location >= mod->module_init_rx && location < mod->module_init_rx + mod->init_size_rx) ||
1217 -+ (location >= mod->module_init_rw && location < mod->module_init_rw + mod->init_size_rw))
1218 - entry = (void *)sechdrs[mod->arch.init_plt_section].sh_addr;
1219 -+ else {
1220 -+ printk(KERN_ERR "%s: invalid R_PPC_REL24 entry found\n", mod->name);
1221 -+ return ~0UL;
1222 -+ }
1223 -
1224 - /* Find this entry, or if that fails, the next avail. entry */
1225 - while (entry->jump[0]) {
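Review bot: the new error branch does `return ~0UL;` from a function the hunk header shows as `static uint32_t do_plt_call(...)`, so the value is silently truncated to 0xFFFFFFFF and becomes a sentinel the caller must recognise; nothing in this hunk shows the relocation loop checking for it. Return `~0U` to match the declared type, and make sure the R_PPC_REL24 caller fails the module load on that value instead of patching a branch to 0xFFFFFFFF into the module text.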
1226 -diff -urNp linux-2.6.24.4/arch/powerpc/kernel/signal_32.c linux-2.6.24.4/arch/powerpc/kernel/signal_32.c
1227 ---- linux-2.6.24.4/arch/powerpc/kernel/signal_32.c 2008-03-24 14:49:18.000000000 -0400
1228 -+++ linux-2.6.24.4/arch/powerpc/kernel/signal_32.c 2008-03-26 17:56:55.000000000 -0400
1229 -@@ -731,7 +731,7 @@ int handle_rt_signal32(unsigned long sig
1230 - /* Save user registers on the stack */
1231 - frame = &rt_sf->uc.uc_mcontext;
1232 - addr = frame;
1233 -- if (vdso32_rt_sigtramp && current->mm->context.vdso_base) {
1234 -+ if (vdso32_rt_sigtramp && current->mm->context.vdso_base != ~0UL) {
1235 - if (save_user_regs(regs, frame, 0))
1236 - goto badframe;
1237 - regs->link = current->mm->context.vdso_base + vdso32_rt_sigtramp;
1238 -diff -urNp linux-2.6.24.4/arch/powerpc/kernel/signal_64.c linux-2.6.24.4/arch/powerpc/kernel/signal_64.c
1239 ---- linux-2.6.24.4/arch/powerpc/kernel/signal_64.c 2008-03-24 14:49:18.000000000 -0400
1240 -+++ linux-2.6.24.4/arch/powerpc/kernel/signal_64.c 2008-03-26 17:56:55.000000000 -0400
1241 -@@ -369,7 +369,7 @@ int handle_rt_signal64(int signr, struct
1242 - current->thread.fpscr.val = 0;
1243 -
1244 - /* Set up to return from userspace. */
1245 -- if (vdso64_rt_sigtramp && current->mm->context.vdso_base) {
1246 -+ if (vdso64_rt_sigtramp && current->mm->context.vdso_base != ~0UL) {
1247 - regs->link = current->mm->context.vdso_base + vdso64_rt_sigtramp;
1248 - } else {
1249 - err |= setup_trampoline(__NR_rt_sigreturn, &frame->tramp[0]);
1250 -diff -urNp linux-2.6.24.4/arch/powerpc/kernel/vdso.c linux-2.6.24.4/arch/powerpc/kernel/vdso.c
1251 ---- linux-2.6.24.4/arch/powerpc/kernel/vdso.c 2008-03-24 14:49:18.000000000 -0400
1252 -+++ linux-2.6.24.4/arch/powerpc/kernel/vdso.c 2008-03-26 17:56:55.000000000 -0400
1253 -@@ -211,7 +211,7 @@ int arch_setup_additional_pages(struct l
1254 - vdso_base = VDSO32_MBASE;
1255 - #endif
1256 -
1257 -- current->mm->context.vdso_base = 0;
1258 -+ current->mm->context.vdso_base = ~0UL;
1259 -
1260 - /* vDSO has a problem and was disabled, just don't "enable" it for the
1261 - * process
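Review bot: switching the "no vDSO" sentinel from 0 to `~0UL` is a contract change for every reader of `current->mm->context.vdso_base`: the two signal hunks above are updated to test `!= ~0UL`, but any other consumer that still tests for zero will now see a non-zero value and treat an absent vDSO as mapped. A grep for vdso_base across arch/powerpc should accompany this, and the assignment deserves a comment explaining why 0 can no longer serve as the sentinel.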
1262 -@@ -228,7 +228,7 @@ int arch_setup_additional_pages(struct l
1263 - */
1264 - down_write(&mm->mmap_sem);
1265 - vdso_base = get_unmapped_area(NULL, vdso_base,
1266 -- vdso_pages << PAGE_SHIFT, 0, 0);
1267 -+ vdso_pages << PAGE_SHIFT, 0, MAP_PRIVATE | MAP_EXECUTABLE);
1268 - if (IS_ERR_VALUE(vdso_base)) {
1269 - rc = vdso_base;
1270 - goto fail_mmapsem;
1271 -diff -urNp linux-2.6.24.4/arch/powerpc/mm/fault.c linux-2.6.24.4/arch/powerpc/mm/fault.c
1272 ---- linux-2.6.24.4/arch/powerpc/mm/fault.c 2008-03-24 14:49:18.000000000 -0400
1273 -+++ linux-2.6.24.4/arch/powerpc/mm/fault.c 2008-03-26 18:53:27.000000000 -0400
1274 -@@ -29,6 +29,12 @@
1275 - #include <linux/module.h>
1276 - #include <linux/kprobes.h>
1277 - #include <linux/kdebug.h>
1278 -+#include <linux/binfmts.h>
1279 -+#include <linux/slab.h>
1280 -+#include <linux/pagemap.h>
1281 -+#include <linux/compiler.h>
1282 -+#include <linux/binfmts.h>
1283 -+#include <linux/unistd.h>
1284 -
1285 - #include <asm/page.h>
1286 - #include <asm/pgtable.h>
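Review bot: `#include <linux/binfmts.h>` is added twice in this hunk; drop one of the two.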
1287 -@@ -62,6 +68,363 @@ static inline int notify_page_fault(stru
1288 - }
1289 - #endif
1290 -
1291 -+#ifdef CONFIG_PAX_EMUSIGRT
1292 -+void pax_syscall_close(struct vm_area_struct *vma)
1293 -+{
1294 -+ vma->vm_mm->call_syscall = 0UL;
1295 -+}
1296 -+
1297 -+static struct page *pax_syscall_nopage(struct vm_area_struct *vma, unsigned long address, int *type)
1298 -+{
1299 -+ struct page *page;
1300 -+ unsigned int *kaddr;
1301 -+
1302 -+ page = alloc_page(GFP_HIGHUSER);
1303 -+ if (!page)
1304 -+ return NOPAGE_OOM;
1305 -+
1306 -+ kaddr = kmap(page);
1307 -+ memset(kaddr, 0, PAGE_SIZE);
1308 -+ kaddr[0] = 0x44000002U; /* sc */
1309 -+ __flush_dcache_icache(kaddr);
1310 -+ kunmap(page);
1311 -+ if (type)
1312 -+ *type = VM_FAULT_MAJOR;
1313 -+ return page;
1314 -+}
1315 -+
1316 -+static struct vm_operations_struct pax_vm_ops = {
1317 -+ .close = pax_syscall_close,
1318 -+ .nopage = pax_syscall_nopage,
1319 -+};
1320 -+
1321 -+static int pax_insert_vma(struct vm_area_struct *vma, unsigned long addr)
1322 -+{
1323 -+ int ret;
1324 -+
1325 -+ vma->vm_mm = current->mm;
1326 -+ vma->vm_start = addr;
1327 -+ vma->vm_end = addr + PAGE_SIZE;
1328 -+ vma->vm_flags = VM_READ | VM_EXEC | VM_MAYREAD | VM_MAYEXEC;
1329 -+ vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
1330 -+ vma->vm_ops = &pax_vm_ops;
1331 -+
1332 -+ ret = insert_vm_struct(current->mm, vma);
1333 -+ if (ret)
1334 -+ return ret;
1335 -+
1336 -+ ++current->mm->total_vm;
1337 -+ return 0;
1338 -+}
1339 -+#endif
1340 -+
1341 -+#ifdef CONFIG_PAX_PAGEEXEC
1342 -+/*
1343 -+ * PaX: decide what to do with offenders (regs->nip = fault address)
1344 -+ *
1345 -+ * returns 1 when task should be killed
1346 -+ * 2 when patched GOT trampoline was detected
1347 -+ * 3 when patched PLT trampoline was detected
1348 -+ * 4 when unpatched PLT trampoline was detected
1349 -+ * 5 when sigreturn trampoline was detected
1350 -+ * 6 when rt_sigreturn trampoline was detected
1351 -+ */
1352 -+static int pax_handle_fetch_fault(struct pt_regs *regs)
1353 -+{
1354 -+
1355 -+#if defined(CONFIG_PAX_EMUPLT) || defined(CONFIG_PAX_EMUSIGRT)
1356 -+ int err;
1357 -+#endif
1358 -+
1359 -+#ifdef CONFIG_PAX_EMUPLT
1360 -+ do { /* PaX: patched GOT emulation */
1361 -+ unsigned int blrl;
1362 -+
1363 -+ err = get_user(blrl, (unsigned int *)regs->nip);
1364 -+
1365 -+ if (!err && blrl == 0x4E800021U) {
1366 -+ unsigned long temp = regs->nip;
1367 -+
1368 -+ regs->nip = regs->link & 0xFFFFFFFCUL;
1369 -+ regs->link = temp + 4UL;
1370 -+ return 2;
1371 -+ }
1372 -+ } while (0);
1373 -+
1374 -+ do { /* PaX: patched PLT emulation #1 */
1375 -+ unsigned int b;
1376 -+
1377 -+ err = get_user(b, (unsigned int *)regs->nip);
1378 -+
1379 -+ if (!err && (b & 0xFC000003U) == 0x48000000U) {
1380 -+ regs->nip += (((b | 0xFC000000UL) ^ 0x02000000UL) + 0x02000000UL);
1381 -+ return 3;
1382 -+ }
1383 -+ } while (0);
1384 -+
1385 -+ do { /* PaX: unpatched PLT emulation #1 */
1386 -+ unsigned int li, b;
1387 -+
1388 -+ err = get_user(li, (unsigned int *)regs->nip);
1389 -+ err |= get_user(b, (unsigned int *)(regs->nip+4));
1390 -+
1391 -+ if (!err && (li & 0xFFFF0000U) == 0x39600000U && (b & 0xFC000003U) == 0x48000000U) {
1392 -+ unsigned int rlwinm, add, li2, addis2, mtctr, li3, addis3, bctr;
1393 -+ unsigned long addr = b | 0xFC000000UL;
1394 -+
1395 -+ addr = regs->nip + 4 + ((addr ^ 0x02000000UL) + 0x02000000UL);
1396 -+ err = get_user(rlwinm, (unsigned int *)addr);
1397 -+ err |= get_user(add, (unsigned int *)(addr+4));
1398 -+ err |= get_user(li2, (unsigned int *)(addr+8));
1399 -+ err |= get_user(addis2, (unsigned int *)(addr+12));
1400 -+ err |= get_user(mtctr, (unsigned int *)(addr+16));
1401 -+ err |= get_user(li3, (unsigned int *)(addr+20));
1402 -+ err |= get_user(addis3, (unsigned int *)(addr+24));
1403 -+ err |= get_user(bctr, (unsigned int *)(addr+28));
1404 -+
1405 -+ if (err)
1406 -+ break;
1407 -+
1408 -+ if (rlwinm == 0x556C083CU &&
1409 -+ add == 0x7D6C5A14U &&
1410 -+ (li2 & 0xFFFF0000U) == 0x39800000U &&
1411 -+ (addis2 & 0xFFFF0000U) == 0x3D8C0000U &&
1412 -+ mtctr == 0x7D8903A6U &&
1413 -+ (li3 & 0xFFFF0000U) == 0x39800000U &&
1414 -+ (addis3 & 0xFFFF0000U) == 0x3D8C0000U &&
1415 -+ bctr == 0x4E800420U)
1416 -+ {
1417 -+ regs->gpr[PT_R11] = 3 * (((li | 0xFFFF0000UL) ^ 0x00008000UL) + 0x00008000UL);
1418 -+ regs->gpr[PT_R12] = (((li3 | 0xFFFF0000UL) ^ 0x00008000UL) + 0x00008000UL);
1419 -+ regs->gpr[PT_R12] += (addis3 & 0xFFFFU) << 16;
1420 -+ regs->ctr = (((li2 | 0xFFFF0000UL) ^ 0x00008000UL) + 0x00008000UL);
1421 -+ regs->ctr += (addis2 & 0xFFFFU) << 16;
1422 -+ regs->nip = regs->ctr;
1423 -+ return 4;
1424 -+ }
1425 -+ }
1426 -+ } while (0);
1427 -+
1428 -+#if 0
1429 -+ do { /* PaX: unpatched PLT emulation #2 */
1430 -+ unsigned int lis, lwzu, b, bctr;
1431 -+
1432 -+ err = get_user(lis, (unsigned int *)regs->nip);
1433 -+ err |= get_user(lwzu, (unsigned int *)(regs->nip+4));
1434 -+ err |= get_user(b, (unsigned int *)(regs->nip+8));
1435 -+ err |= get_user(bctr, (unsigned int *)(regs->nip+12));
1436 -+
1437 -+ if (err)
1438 -+ break;
1439 -+
1440 -+ if ((lis & 0xFFFF0000U) == 0x39600000U &&
1441 -+ (lwzu & 0xU) == 0xU &&
1442 -+ (b & 0xFC000003U) == 0x48000000U &&
1443 -+ bctr == 0x4E800420U)
1444 -+ {
1445 -+ unsigned int addis, addi, rlwinm, add, li2, addis2, mtctr, li3, addis3, bctr;
1446 -+ unsigned long addr = b | 0xFC000000UL;
1447 -+
1448 -+ addr = regs->nip + 12 + ((addr ^ 0x02000000UL) + 0x02000000UL);
1449 -+ err = get_user(addis, (unsigned int*)addr);
1450 -+ err |= get_user(addi, (unsigned int*)(addr+4));
1451 -+ err |= get_user(rlwinm, (unsigned int*)(addr+8));
1452 -+ err |= get_user(add, (unsigned int*)(addr+12));
1453 -+ err |= get_user(li2, (unsigned int*)(addr+16));
1454 -+ err |= get_user(addis2, (unsigned int*)(addr+20));
1455 -+ err |= get_user(mtctr, (unsigned int*)(addr+24));
1456 -+ err |= get_user(li3, (unsigned int*)(addr+28));
1457 -+ err |= get_user(addis3, (unsigned int*)(addr+32));
1458 -+ err |= get_user(bctr, (unsigned int*)(addr+36));
1459 -+
1460 -+ if (err)
1461 -+ break;
1462 -+
1463 -+ if ((addis & 0xFFFF0000U) == 0x3D6B0000U &&
1464 -+ (addi & 0xFFFF0000U) == 0x396B0000U &&
1465 -+ rlwinm == 0x556C083CU &&
1466 -+ add == 0x7D6C5A14U &&
1467 -+ (li2 & 0xFFFF0000U) == 0x39800000U &&
1468 -+ (addis2 & 0xFFFF0000U) == 0x3D8C0000U &&
1469 -+ mtctr == 0x7D8903A6U &&
1470 -+ (li3 & 0xFFFF0000U) == 0x39800000U &&
1471 -+ (addis3 & 0xFFFF0000U) == 0x3D8C0000U &&
1472 -+ bctr == 0x4E800420U)
1473 -+ {
1474 -+ regs->gpr[PT_R11] =
1475 -+ regs->gpr[PT_R11] = 3 * (((li | 0xFFFF0000UL) ^ 0x00008000UL) + 0x00008000UL);
1476 -+ regs->gpr[PT_R12] = (((li3 | 0xFFFF0000UL) ^ 0x00008000UL) + 0x00008000UL);
1477 -+ regs->gpr[PT_R12] += (addis3 & 0xFFFFU) << 16;
1478 -+ regs->ctr = (((li2 | 0xFFFF0000UL) ^ 0x00008000UL) + 0x00008000UL);
1479 -+ regs->ctr += (addis2 & 0xFFFFU) << 16;
1480 -+ regs->nip = regs->ctr;
1481 -+ return 4;
1482 -+ }
1483 -+ }
1484 -+ } while (0);
1485 -+#endif
1486 -+
1487 -+ do { /* PaX: unpatched PLT emulation #3 */
1488 -+ unsigned int li, b;
1489 -+
1490 -+ err = get_user(li, (unsigned int *)regs->nip);
1491 -+ err |= get_user(b, (unsigned int *)(regs->nip+4));
1492 -+
1493 -+ if (!err && (li & 0xFFFF0000U) == 0x39600000U && (b & 0xFC000003U) == 0x48000000U) {
1494 -+ unsigned int addis, lwz, mtctr, bctr;
1495 -+ unsigned long addr = b | 0xFC000000UL;
1496 -+
1497 -+ addr = regs->nip + 4 + ((addr ^ 0x02000000UL) + 0x02000000UL);
1498 -+ err = get_user(addis, (unsigned int *)addr);
1499 -+ err |= get_user(lwz, (unsigned int *)(addr+4));
1500 -+ err |= get_user(mtctr, (unsigned int *)(addr+8));
1501 -+ err |= get_user(bctr, (unsigned int *)(addr+12));
1502 -+
1503 -+ if (err)
1504 -+ break;
1505 -+
1506 -+ if ((addis & 0xFFFF0000U) == 0x3D6B0000U &&
1507 -+ (lwz & 0xFFFF0000U) == 0x816B0000U &&
1508 -+ mtctr == 0x7D6903A6U &&
1509 -+ bctr == 0x4E800420U)
1510 -+ {
1511 -+ unsigned int r11;
1512 -+
1513 -+ addr = (addis << 16) + (((li | 0xFFFF0000UL) ^ 0x00008000UL) + 0x00008000UL);
1514 -+ addr += (((lwz | 0xFFFF0000UL) ^ 0x00008000UL) + 0x00008000UL);
1515 -+
1516 -+ err = get_user(r11, (unsigned int *)addr);
1517 -+ if (err)
1518 -+ break;
1519 -+
1520 -+ regs->gpr[PT_R11] = r11;
1521 -+ regs->ctr = r11;
1522 -+ regs->nip = r11;
1523 -+ return 4;
1524 -+ }
1525 -+ }
1526 -+ } while (0);
1527 -+#endif
1528 -+
1529 -+#ifdef CONFIG_PAX_EMUSIGRT
1530 -+ do { /* PaX: sigreturn emulation */
1531 -+ unsigned int li, sc;
1532 -+
1533 -+ err = get_user(li, (unsigned int *)regs->nip);
1534 -+ err |= get_user(sc, (unsigned int *)(regs->nip+4));
1535 -+
1536 -+ if (!err && li == 0x38000000U + __NR_sigreturn && sc == 0x44000002U) {
1537 -+ struct vm_area_struct *vma;
1538 -+ unsigned long call_syscall;
1539 -+
1540 -+ down_read(&current->mm->mmap_sem);
1541 -+ call_syscall = current->mm->call_syscall;
1542 -+ up_read(&current->mm->mmap_sem);
1543 -+ if (likely(call_syscall))
1544 -+ goto emulate;
1545 -+
1546 -+ vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
1547 -+
1548 -+ down_write(&current->mm->mmap_sem);
1549 -+ if (current->mm->call_syscall) {
1550 -+ call_syscall = current->mm->call_syscall;
1551 -+ up_write(&current->mm->mmap_sem);
1552 -+ if (vma) kmem_cache_free(vm_area_cachep, vma);
1553 -+ goto emulate;
1554 -+ }
1555 -+
1556 -+ call_syscall = get_unmapped_area(NULL, 0UL, PAGE_SIZE, 0UL, MAP_PRIVATE);
1557 -+ if (!vma || (call_syscall & ~PAGE_MASK)) {
1558 -+ up_write(&current->mm->mmap_sem);
1559 -+ if (vma) kmem_cache_free(vm_area_cachep, vma);
1560 -+ return 1;
1561 -+ }
1562 -+
1563 -+ if (pax_insert_vma(vma, call_syscall)) {
1564 -+ up_write(&current->mm->mmap_sem);
1565 -+ kmem_cache_free(vm_area_cachep, vma);
1566 -+ return 1;
1567 -+ }
1568 -+
1569 -+ current->mm->call_syscall = call_syscall;
1570 -+ up_write(&current->mm->mmap_sem);
1571 -+
1572 -+emulate:
1573 -+ regs->gpr[PT_R0] = __NR_sigreturn;
1574 -+ regs->nip = call_syscall;
1575 -+ return 5;
1576 -+ }
1577 -+ } while (0);
1578 -+
1579 -+ do { /* PaX: rt_sigreturn emulation */
1580 -+ unsigned int li, sc;
1581 -+
1582 -+ err = get_user(li, (unsigned int *)regs->nip);
1583 -+ err |= get_user(sc, (unsigned int *)(regs->nip+4));
1584 -+
1585 -+ if (!err && li == 0x38000000U + __NR_rt_sigreturn && sc == 0x44000002U) {
1586 -+ struct vm_area_struct *vma;
1587 -+ unsigned int call_syscall;
1588 -+
1589 -+ down_read(&current->mm->mmap_sem);
1590 -+ call_syscall = current->mm->call_syscall;
1591 -+ up_read(&current->mm->mmap_sem);
1592 -+ if (likely(call_syscall))
1593 -+ goto rt_emulate;
1594 -+
1595 -+ vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
1596 -+
1597 -+ down_write(&current->mm->mmap_sem);
1598 -+ if (current->mm->call_syscall) {
1599 -+ call_syscall = current->mm->call_syscall;
1600 -+ up_write(&current->mm->mmap_sem);
1601 -+ if (vma) kmem_cache_free(vm_area_cachep, vma);
1602 -+ goto rt_emulate;
1603 -+ }
1604 -+
1605 -+ call_syscall = get_unmapped_area(NULL, 0UL, PAGE_SIZE, 0UL, MAP_PRIVATE);
1606 -+ if (!vma || (call_syscall & ~PAGE_MASK)) {
1607 -+ up_write(&current->mm->mmap_sem);
1608 -+ if (vma) kmem_cache_free(vm_area_cachep, vma);
1609 -+ return 1;
1610 -+ }
1611 -+
1612 -+ if (pax_insert_vma(vma, call_syscall)) {
1613 -+ up_write(&current->mm->mmap_sem);
1614 -+ kmem_cache_free(vm_area_cachep, vma);
1615 -+ return 1;
1616 -+ }
1617 -+
1618 -+ current->mm->call_syscall = call_syscall;
1619 -+ up_write(&current->mm->mmap_sem);
1620 -+
1621 -+rt_emulate:
1622 -+ regs->gpr[PT_R0] = __NR_rt_sigreturn;
1623 -+ regs->nip = call_syscall;
1624 -+ return 6;
1625 -+ }
1626 -+ } while (0);
1627 -+#endif
1628 -+
1629 -+ return 1;
1630 -+}
1631 -+
1632 -+void pax_report_insns(void *pc, void *sp)
1633 -+{
1634 -+ unsigned long i;
1635 -+
1636 -+ printk(KERN_ERR "PAX: bytes at PC: ");
1637 -+ for (i = 0; i < 5; i++) {
1638 -+ unsigned int c;
1639 -+ if (get_user(c, (unsigned int *)pc+i))
1640 -+ printk("???????? ");
1641 -+ else
1642 -+ printk("%08x ", c);
1643 -+ }
1644 -+ printk("\n");
1645 -+}
1646 -+#endif
1647 -+
1648 - /*
1649 - * Check whether the instruction at regs->nip is a store using
1650 - * an update addressing form which will update r1.
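Review bot: in the rt_sigreturn emulation block `call_syscall` is declared `unsigned int`, while the sigreturn block directly above declares it `unsigned long` and both store the result of get_unmapped_area() and of `current->mm->call_syscall` (an `unsigned long`, as pax_syscall_close's `0UL` shows). On PPC64 the `unsigned int` copy truncates the address, the `call_syscall & ~PAGE_MASK` check passes on the truncated value, and `regs->nip = call_syscall` lands on the wrong page; change it to `unsigned long`. Separately, the `#if 0` block for "unpatched PLT emulation #2" is unfinished (it contains the invalid literal `0xU` in `(lwzu & 0xU) == 0xU` and a doubled assignment `regs->gpr[PT_R11] = regs->gpr[PT_R11] = ...`); drop it from the patch rather than shipping it disabled.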
1651 -@@ -157,7 +520,7 @@ int __kprobes do_page_fault(struct pt_re
1652 - * indicate errors in DSISR but can validly be set in SRR1.
1653 - */
1654 - if (trap == 0x400)
1655 -- error_code &= 0x48200000;
1656 -+ error_code &= 0x58200000;
1657 - else
1658 - is_write = error_code & DSISR_ISSTORE;
1659 - #else
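Review bot: the ISI mask applied to error_code is widened from 0x48200000 to 0x58200000 with no comment on which SRR1 bit the extra 0x10000000 is or why it now has to be propagated; name the bit with a constant or a comment, since the PPC64 branch of the PAGEEXEC handler below keys on `error_code & DSISR_PROTFAULT` and a reader cannot tell from this hunk how the two relate.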
1660 -@@ -357,6 +720,37 @@ bad_area:
1661 - bad_area_nosemaphore:
1662 - /* User mode accesses cause a SIGSEGV */
1663 - if (user_mode(regs)) {
1664 -+
1665 -+#ifdef CONFIG_PAX_PAGEEXEC
1666 -+ if (mm->pax_flags & MF_PAX_PAGEEXEC) {
1667 -+#ifdef CONFIG_PPC64
1668 -+ if (is_exec && (error_code & DSISR_PROTFAULT)) {
1669 -+#else
1670 -+ if (is_exec && regs->nip == address) {
1671 -+#endif
1672 -+ switch (pax_handle_fetch_fault(regs)) {
1673 -+
1674 -+#ifdef CONFIG_PAX_EMUPLT
1675 -+ case 2:
1676 -+ case 3:
1677 -+ case 4:
1678 -+ return 0;
1679 -+#endif
1680 -+
1681 -+#ifdef CONFIG_PAX_EMUSIGRT
1682 -+ case 5:
1683 -+ case 6:
1684 -+ return 0;
1685 -+#endif
1686 -+
1687 -+ }
1688 -+
1689 -+ pax_report_fault(regs, (void*)regs->nip, (void*)regs->gpr[PT_R1]);
1690 -+ do_group_exit(SIGKILL);
1691 -+ }
1692 -+ }
1693 -+#endif
1694 -+
1695 - _exception(SIGSEGV, regs, code, address);
1696 - return 0;
1697 - }
1698 -diff -urNp linux-2.6.24.4/arch/powerpc/mm/mmap.c linux-2.6.24.4/arch/powerpc/mm/mmap.c
1699 ---- linux-2.6.24.4/arch/powerpc/mm/mmap.c 2008-03-24 14:49:18.000000000 -0400
1700 -+++ linux-2.6.24.4/arch/powerpc/mm/mmap.c 2008-03-26 17:56:55.000000000 -0400
1701 -@@ -75,10 +75,22 @@ void arch_pick_mmap_layout(struct mm_str
1702 - */
1703 - if (mmap_is_legacy()) {
1704 - mm->mmap_base = TASK_UNMAPPED_BASE;
1705 -+
1706 -+#ifdef CONFIG_PAX_RANDMMAP
1707 -+ if (mm->pax_flags & MF_PAX_RANDMMAP)
1708 -+ mm->mmap_base += mm->delta_mmap;
1709 -+#endif
1710 -+
1711 - mm->get_unmapped_area = arch_get_unmapped_area;
1712 - mm->unmap_area = arch_unmap_area;
1713 - } else {
1714 - mm->mmap_base = mmap_base();
1715 -+
1716 -+#ifdef CONFIG_PAX_RANDMMAP
1717 -+ if (mm->pax_flags & MF_PAX_RANDMMAP)
1718 -+ mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
1719 -+#endif
1720 -+
1721 - mm->get_unmapped_area = arch_get_unmapped_area_topdown;
1722 - mm->unmap_area = arch_unmap_area_topdown;
1723 - }
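Review bot: the two layouts apply different randomisation deltas with no explanation: the legacy branch does `mm->mmap_base += mm->delta_mmap;` while the top-down branch does `mm->mmap_base -= mm->delta_mmap + mm->delta_stack;`. Add a comment stating why the stack delta also enters the top-down base (presumably to keep the gap between the randomised stack and the mmap area intact), otherwise the asymmetry reads like a mistake.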
1724 -diff -urNp linux-2.6.24.4/arch/ppc/mm/fault.c linux-2.6.24.4/arch/ppc/mm/fault.c
1725 ---- linux-2.6.24.4/arch/ppc/mm/fault.c 2008-03-24 14:49:18.000000000 -0400
1726 -+++ linux-2.6.24.4/arch/ppc/mm/fault.c 2008-03-26 18:53:27.000000000 -0400
1727 -@@ -25,6 +25,11 @@
1728 - #include <linux/interrupt.h>
1729 - #include <linux/highmem.h>
1730 - #include <linux/module.h>
1731 -+#include <linux/slab.h>
1732 -+#include <linux/pagemap.h>
1733 -+#include <linux/compiler.h>
1734 -+#include <linux/binfmts.h>
1735 -+#include <linux/unistd.h>
1736 -
1737 - #include <asm/page.h>
1738 - #include <asm/pgtable.h>
1739 -@@ -48,6 +53,363 @@ unsigned long pte_misses; /* updated by
1740 - unsigned long pte_errors; /* updated by do_page_fault() */
1741 - unsigned int probingmem;
1742 -
1743 -+#ifdef CONFIG_PAX_EMUSIGRT
1744 -+void pax_syscall_close(struct vm_area_struct *vma)
1745 -+{
1746 -+ vma->vm_mm->call_syscall = 0UL;
1747 -+}
1748 -+
1749 -+static struct page *pax_syscall_nopage(struct vm_area_struct *vma, unsigned long address, int *type)
1750 -+{
1751 -+ struct page *page;
1752 -+ unsigned int *kaddr;
1753 -+
1754 -+ page = alloc_page(GFP_HIGHUSER);
1755 -+ if (!page)
1756 -+ return NOPAGE_OOM;
1757 -+
1758 -+ kaddr = kmap(page);
1759 -+ memset(kaddr, 0, PAGE_SIZE);
1760 -+ kaddr[0] = 0x44000002U; /* sc */
1761 -+ __flush_dcache_icache(kaddr);
1762 -+ kunmap(page);
1763 -+ if (type)
1764 -+ *type = VM_FAULT_MAJOR;
1765 -+ return page;
1766 -+}
1767 -+
1768 -+static struct vm_operations_struct pax_vm_ops = {
1769 -+ .close = pax_syscall_close,
1770 -+ .nopage = pax_syscall_nopage,
1771 -+};
1772 -+
1773 -+static int pax_insert_vma(struct vm_area_struct *vma, unsigned long addr)
1774 -+{
1775 -+ int ret;
1776 -+
1777 -+ vma->vm_mm = current->mm;
1778 -+ vma->vm_start = addr;
1779 -+ vma->vm_end = addr + PAGE_SIZE;
1780 -+ vma->vm_flags = VM_READ | VM_EXEC | VM_MAYREAD | VM_MAYEXEC;
1781 -+ vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
1782 -+ vma->vm_ops = &pax_vm_ops;
1783 -+
1784 -+ ret = insert_vm_struct(current->mm, vma);
1785 -+ if (ret)
1786 -+ return ret;
1787 -+
1788 -+ ++current->mm->total_vm;
1789 -+ return 0;
1790 -+}
1791 -+#endif
1792 -+
1793 -+#ifdef CONFIG_PAX_PAGEEXEC
1794 -+/*
1795 -+ * PaX: decide what to do with offenders (regs->nip = fault address)
1796 -+ *
1797 -+ * returns 1 when task should be killed
1798 -+ * 2 when patched GOT trampoline was detected
1799 -+ * 3 when patched PLT trampoline was detected
1800 -+ * 4 when unpatched PLT trampoline was detected
1801 -+ * 5 when sigreturn trampoline was detected
1802 -+ * 6 when rt_sigreturn trampoline was detected
1803 -+ */
1804 -+static int pax_handle_fetch_fault(struct pt_regs *regs)
1805 -+{
1806 -+
1807 -+#if defined(CONFIG_PAX_EMUPLT) || defined(CONFIG_PAX_EMUSIGRT)
1808 -+ int err;
1809 -+#endif
1810 -+
1811 -+#ifdef CONFIG_PAX_EMUPLT
1812 -+ do { /* PaX: patched GOT emulation */
1813 -+ unsigned int blrl;
1814 -+
1815 -+ err = get_user(blrl, (unsigned int *)regs->nip);
1816 -+
1817 -+ if (!err && blrl == 0x4E800021U) {
1818 -+ unsigned long temp = regs->nip;
1819 -+
1820 -+ regs->nip = regs->link & 0xFFFFFFFCUL;
1821 -+ regs->link = temp + 4UL;
1822 -+ return 2;
1823 -+ }
1824 -+ } while (0);
1825 -+
1826 -+ do { /* PaX: patched PLT emulation #1 */
1827 -+ unsigned int b;
1828 -+
1829 -+ err = get_user(b, (unsigned int *)regs->nip);
1830 -+
1831 -+ if (!err && (b & 0xFC000003U) == 0x48000000U) {
1832 -+ regs->nip += (((b | 0xFC000000UL) ^ 0x02000000UL) + 0x02000000UL);
1833 -+ return 3;
1834 -+ }
1835 -+ } while (0);
1836 -+
1837 -+ do { /* PaX: unpatched PLT emulation #1 */
1838 -+ unsigned int li, b;
1839 -+
1840 -+ err = get_user(li, (unsigned int *)regs->nip);
1841 -+ err |= get_user(b, (unsigned int *)(regs->nip+4));
1842 -+
1843 -+ if (!err && (li & 0xFFFF0000U) == 0x39600000U && (b & 0xFC000003U) == 0x48000000U) {
1844 -+ unsigned int rlwinm, add, li2, addis2, mtctr, li3, addis3, bctr;
1845 -+ unsigned long addr = b | 0xFC000000UL;
1846 -+
1847 -+ addr = regs->nip + 4 + ((addr ^ 0x02000000UL) + 0x02000000UL);
1848 -+ err = get_user(rlwinm, (unsigned int *)addr);
1849 -+ err |= get_user(add, (unsigned int *)(addr+4));
1850 -+ err |= get_user(li2, (unsigned int *)(addr+8));
1851 -+ err |= get_user(addis2, (unsigned int *)(addr+12));
1852 -+ err |= get_user(mtctr, (unsigned int *)(addr+16));
1853 -+ err |= get_user(li3, (unsigned int *)(addr+20));
1854 -+ err |= get_user(addis3, (unsigned int *)(addr+24));
1855 -+ err |= get_user(bctr, (unsigned int *)(addr+28));
1856 -+
1857 -+ if (err)
1858 -+ break;
1859 -+
1860 -+ if (rlwinm == 0x556C083CU &&
1861 -+ add == 0x7D6C5A14U &&
1862 -+ (li2 & 0xFFFF0000U) == 0x39800000U &&
1863 -+ (addis2 & 0xFFFF0000U) == 0x3D8C0000U &&
1864 -+ mtctr == 0x7D8903A6U &&
1865 -+ (li3 & 0xFFFF0000U) == 0x39800000U &&
1866 -+ (addis3 & 0xFFFF0000U) == 0x3D8C0000U &&
1867 -+ bctr == 0x4E800420U)
1868 -+ {
1869 -+ regs->gpr[PT_R11] = 3 * (((li | 0xFFFF0000UL) ^ 0x00008000UL) + 0x00008000UL);
1870 -+ regs->gpr[PT_R12] = (((li3 | 0xFFFF0000UL) ^ 0x00008000UL) + 0x00008000UL);
1871 -+ regs->gpr[PT_R12] += (addis3 & 0xFFFFU) << 16;
1872 -+ regs->ctr = (((li2 | 0xFFFF0000UL) ^ 0x00008000UL) + 0x00008000UL);
1873 -+ regs->ctr += (addis2 & 0xFFFFU) << 16;
1874 -+ regs->nip = regs->ctr;
1875 -+ return 4;
1876 -+ }
1877 -+ }
1878 -+ } while (0);
1879 -+
1880 -+#if 0
1881 -+ do { /* PaX: unpatched PLT emulation #2 */
1882 -+ unsigned int lis, lwzu, b, bctr;
1883 -+
1884 -+ err = get_user(lis, (unsigned int *)regs->nip);
1885 -+ err |= get_user(lwzu, (unsigned int *)(regs->nip+4));
1886 -+ err |= get_user(b, (unsigned int *)(regs->nip+8));
1887 -+ err |= get_user(bctr, (unsigned int *)(regs->nip+12));
1888 -+
1889 -+ if (err)
1890 -+ break;
1891 -+
1892 -+ if ((lis & 0xFFFF0000U) == 0x39600000U &&
1893 -+ (lwzu & 0xU) == 0xU &&
1894 -+ (b & 0xFC000003U) == 0x48000000U &&
1895 -+ bctr == 0x4E800420U)
1896 -+ {
1897 -+ unsigned int addis, addi, rlwinm, add, li2, addis2, mtctr, li3, addis3, bctr;
1898 -+ unsigned long addr = b | 0xFC000000UL;
1899 -+
1900 -+ addr = regs->nip + 12 + ((addr ^ 0x02000000UL) + 0x02000000UL);
1901 -+ err = get_user(addis, (unsigned int*)addr);
1902 -+ err |= get_user(addi, (unsigned int*)(addr+4));
1903 -+ err |= get_user(rlwinm, (unsigned int*)(addr+8));
1904 -+ err |= get_user(add, (unsigned int*)(addr+12));
1905 -+ err |= get_user(li2, (unsigned int*)(addr+16));
1906 -+ err |= get_user(addis2, (unsigned int*)(addr+20));
1907 -+ err |= get_user(mtctr, (unsigned int*)(addr+24));
1908 -+ err |= get_user(li3, (unsigned int*)(addr+28));
1909 -+ err |= get_user(addis3, (unsigned int*)(addr+32));
1910 -+ err |= get_user(bctr, (unsigned int*)(addr+36));
1911 -+
1912 -+ if (err)
1913 -+ break;
1914 -+
1915 -+ if ((addis & 0xFFFF0000U) == 0x3D6B0000U &&
1916 -+ (addi & 0xFFFF0000U) == 0x396B0000U &&
1917 -+ rlwinm == 0x556C083CU &&
1918 -+ add == 0x7D6C5A14U &&
1919 -+ (li2 & 0xFFFF0000U) == 0x39800000U &&
1920 -+ (addis2 & 0xFFFF0000U) == 0x3D8C0000U &&
1921 -+ mtctr == 0x7D8903A6U &&
1922 -+ (li3 & 0xFFFF0000U) == 0x39800000U &&
1923 -+ (addis3 & 0xFFFF0000U) == 0x3D8C0000U &&
1924 -+ bctr == 0x4E800420U)
1925 -+ {
1926 -+ regs->gpr[PT_R11] =
1927 -+ regs->gpr[PT_R11] = 3 * (((li | 0xFFFF0000UL) ^ 0x00008000UL) + 0x00008000UL);
1928 -+ regs->gpr[PT_R12] = (((li3 | 0xFFFF0000UL) ^ 0x00008000UL) + 0x00008000UL);
1929 -+ regs->gpr[PT_R12] += (addis3 & 0xFFFFU) << 16;
1930 -+ regs->ctr = (((li2 | 0xFFFF0000UL) ^ 0x00008000UL) + 0x00008000UL);
1931 -+ regs->ctr += (addis2 & 0xFFFFU) << 16;
1932 -+ regs->nip = regs->ctr;
1933 -+ return 4;
1934 -+ }
1935 -+ }
1936 -+ } while (0);
1937 -+#endif
1938 -+
1939 -+ do { /* PaX: unpatched PLT emulation #3 */
1940 -+ unsigned int li, b;
1941 -+
1942 -+ err = get_user(li, (unsigned int *)regs->nip);
1943 -+ err |= get_user(b, (unsigned int *)(regs->nip+4));
1944 -+
1945 -+ if (!err && (li & 0xFFFF0000U) == 0x39600000U && (b & 0xFC000003U) == 0x48000000U) {
1946 -+ unsigned int addis, lwz, mtctr, bctr;
1947 -+ unsigned long addr = b | 0xFC000000UL;
1948 -+
1949 -+ addr = regs->nip + 4 + ((addr ^ 0x02000000UL) + 0x02000000UL);
1950 -+ err = get_user(addis, (unsigned int *)addr);
1951 -+ err |= get_user(lwz, (unsigned int *)(addr+4));
1952 -+ err |= get_user(mtctr, (unsigned int *)(addr+8));
1953 -+ err |= get_user(bctr, (unsigned int *)(addr+12));
1954 -+
1955 -+ if (err)
1956 -+ break;
1957 -+
1958 -+ if ((addis & 0xFFFF0000U) == 0x3D6B0000U &&
1959 -+ (lwz & 0xFFFF0000U) == 0x816B0000U &&
1960 -+ mtctr == 0x7D6903A6U &&
1961 -+ bctr == 0x4E800420U)
1962 -+ {
1963 -+ unsigned int r11;
1964 -+
1965 -+ addr = (addis << 16) + (((li | 0xFFFF0000UL) ^ 0x00008000UL) + 0x00008000UL);
1966 -+ addr += (((lwz | 0xFFFF0000UL) ^ 0x00008000UL) + 0x00008000UL);
1967 -+
1968 -+ err = get_user(r11, (unsigned int *)addr);
1969 -+ if (err)
1970 -+ break;
1971 -+
1972 -+ regs->gpr[PT_R11] = r11;
1973 -+ regs->ctr = r11;
1974 -+ regs->nip = r11;
1975 -+ return 4;
1976 -+ }
1977 -+ }
1978 -+ } while (0);
1979 -+#endif
1980 -+
1981 -+#ifdef CONFIG_PAX_EMUSIGRT
1982 -+ do { /* PaX: sigreturn emulation */
1983 -+ unsigned int li, sc;
1984 -+
1985 -+ err = get_user(li, (unsigned int *)regs->nip);
1986 -+ err |= get_user(sc, (unsigned int *)(regs->nip+4));
1987 -+
1988 -+ if (!err && li == 0x38000000U + __NR_sigreturn && sc == 0x44000002U) {
1989 -+ struct vm_area_struct *vma;
1990 -+ unsigned long call_syscall;
1991 -+
1992 -+ down_read(&current->mm->mmap_sem);
1993 -+ call_syscall = current->mm->call_syscall;
1994 -+ up_read(&current->mm->mmap_sem);
1995 -+ if (likely(call_syscall))
1996 -+ goto emulate;
1997 -+
1998 -+ vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
1999 -+
2000 -+ down_write(&current->mm->mmap_sem);
2001 -+ if (current->mm->call_syscall) {
2002 -+ call_syscall = current->mm->call_syscall;
2003 -+ up_write(&current->mm->mmap_sem);
2004 -+ if (vma) kmem_cache_free(vm_area_cachep, vma);
2005 -+ goto emulate;
2006 -+ }
2007 -+
2008 -+ call_syscall = get_unmapped_area(NULL, 0UL, PAGE_SIZE, 0UL, MAP_PRIVATE);
2009 -+ if (!vma || (call_syscall & ~PAGE_MASK)) {
2010 -+ up_write(&current->mm->mmap_sem);
2011 -+ if (vma) kmem_cache_free(vm_area_cachep, vma);
2012 -+ return 1;
2013 -+ }
2014 -+
2015 -+ if (pax_insert_vma(vma, call_syscall)) {
2016 -+ up_write(&current->mm->mmap_sem);
2017 -+ kmem_cache_free(vm_area_cachep, vma);
2018 -+ return 1;
2019 -+ }
2020 -+
2021 -+ current->mm->call_syscall = call_syscall;
2022 -+ up_write(&current->mm->mmap_sem);
2023 -+
2024 -+emulate:
2025 -+ regs->gpr[PT_R0] = __NR_sigreturn;
2026 -+ regs->nip = call_syscall;
2027 -+ return 5;
2028 -+ }
2029 -+ } while (0);
2030 -+
2031 -+ do { /* PaX: rt_sigreturn emulation */
2032 -+ unsigned int li, sc;
2033 -+
2034 -+ err = get_user(li, (unsigned int *)regs->nip);
2035 -+ err |= get_user(sc, (unsigned int *)(regs->nip+4));
2036 -+
2037 -+ if (!err && li == 0x38000000U + __NR_rt_sigreturn && sc == 0x44000002U) {
2038 -+ struct vm_area_struct *vma;
2039 -+ unsigned int call_syscall;
2040 -+
2041 -+ down_read(&current->mm->mmap_sem);
2042 -+ call_syscall = current->mm->call_syscall;
2043 -+ up_read(&current->mm->mmap_sem);
2044 -+ if (likely(call_syscall))
2045 -+ goto rt_emulate;
2046 -+
2047 -+ vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
2048 -+
2049 -+ down_write(&current->mm->mmap_sem);
2050 -+ if (current->mm->call_syscall) {
2051 -+ call_syscall = current->mm->call_syscall;
2052 -+ up_write(&current->mm->mmap_sem);
2053 -+ if (vma) kmem_cache_free(vm_area_cachep, vma);
2054 -+ goto rt_emulate;
2055 -+ }
2056 -+
2057 -+ call_syscall = get_unmapped_area(NULL, 0UL, PAGE_SIZE, 0UL, MAP_PRIVATE);
2058 -+ if (!vma || (call_syscall & ~PAGE_MASK)) {
2059 -+ up_write(&current->mm->mmap_sem);
2060 -+ if (vma) kmem_cache_free(vm_area_cachep, vma);
2061 -+ return 1;
2062 -+ }
2063 -+
2064 -+ if (pax_insert_vma(vma, call_syscall)) {
2065 -+ up_write(&current->mm->mmap_sem);
2066 -+ kmem_cache_free(vm_area_cachep, vma);
2067 -+ return 1;
2068 -+ }
2069 -+
2070 -+ current->mm->call_syscall = call_syscall;
2071 -+ up_write(&current->mm->mmap_sem);
2072 -+
2073 -+rt_emulate:
2074 -+ regs->gpr[PT_R0] = __NR_rt_sigreturn;
2075 -+ regs->nip = call_syscall;
2076 -+ return 6;
2077 -+ }
2078 -+ } while (0);
2079 -+#endif
2080 -+
2081 -+ return 1;
2082 -+}
2083 -+
2084 -+void pax_report_insns(void *pc, void *sp)
2085 -+{
2086 -+ unsigned long i;
2087 -+
2088 -+ printk(KERN_ERR "PAX: bytes at PC: ");
2089 -+ for (i = 0; i < 5; i++) {
2090 -+ unsigned int c;
2091 -+ if (get_user(c, (unsigned int *)pc+i))
2092 -+ printk("???????? ");
2093 -+ else
2094 -+ printk("%08x ", c);
2095 -+ }
2096 -+ printk("\n");
2097 -+}
2098 -+#endif
2099 -+
2100 - /*
2101 - * Check whether the instruction at regs->nip is a store using
2102 - * an update addressing form which will update r1.
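Review bot: the `#if 0` "unpatched PLT emulation #2" block is shipping broken code: `(lwzu & 0xU) == 0xU` is not a valid C literal and `regs->gpr[PT_R11] = regs->gpr[PT_R11] = 3 * ...` is a doubled assignment; it only builds because it is compiled out, so either fill in the real `lwzu` mask and test it or drop the block. Two smaller points: the rt_sigreturn emulation declares `unsigned int call_syscall;` while the sigreturn emulation declares `unsigned long call_syscall;`, yet both receive the `unsigned long` result of `get_unmapped_area()` and store it into `mm->call_syscall`, so the types should match; and the two emulation blocks are near-verbatim copies differing only in `__NR_sigreturn` versus `__NR_rt_sigreturn` and the label name, which a helper taking the syscall number would remove.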
2103 -@@ -109,7 +471,7 @@ int do_page_fault(struct pt_regs *regs,
2104 - * indicate errors in DSISR but can validly be set in SRR1.
2105 - */
2106 - if (TRAP(regs) == 0x400)
2107 -- error_code &= 0x48200000;
2108 -+ error_code &= 0x58200000;
2109 - else
2110 - is_write = error_code & 0x02000000;
2111 - #endif /* CONFIG_4xx || CONFIG_BOOKE */
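Review bot: same issue as the arch/powerpc copy of this change: the `error_code &= 0x58200000;` mask now admits an extra SRR1 bit that the comment above does not mention; update the comment and prefer a named bit definition over the magic number.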
2112 -@@ -204,15 +566,14 @@ good_area:
2113 - pte_t *ptep;
2114 - pmd_t *pmdp;
2115 -
2116 --#if 0
2117 -+#if 1
2118 - /* It would be nice to actually enforce the VM execute
2119 - permission on CPUs which can do so, but far too
2120 - much stuff in userspace doesn't get the permissions
2121 - right, so we let any page be executed for now. */
2122 - if (! (vma->vm_flags & VM_EXEC))
2123 - goto bad_area;
2124 --#endif
2125 --
2126 -+#else
2127 - /* Since 4xx/Book-E supports per-page execute permission,
2128 - * we lazily flush dcache to icache. */
2129 - ptep = NULL;
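Review bot: switching `#if 0` to `#if 1` turns on VM_EXEC enforcement unconditionally, not only under CONFIG_PAX_PAGEEXEC, so the behaviour change also hits kernels built without PaX; use `#ifdef CONFIG_PAX_PAGEEXEC` here instead of a bare `#if 1`. The four-line comment inside the block now states the opposite of what the code does ("we let any page be executed for now") and must be rewritten, and the `pte_t *ptep; pmd_t *pmdp;` declarations above the `#if` are now only used in the `#else` branch, so they will be reported as unused variables unless moved into that branch.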
2130 -@@ -235,6 +596,7 @@ good_area:
2131 - pte_unmap_unlock(ptep, ptl);
2132 - }
2133 - #endif
2134 -+#endif
2135 - /* a read */
2136 - } else {
2137 - /* protection fault */
2138 -@@ -278,6 +640,33 @@ bad_area:
2139 -
2140 - /* User mode accesses cause a SIGSEGV */
2141 - if (user_mode(regs)) {
2142 -+
2143 -+#ifdef CONFIG_PAX_PAGEEXEC
2144 -+ if (mm->pax_flags & MF_PAX_PAGEEXEC) {
2145 -+ if ((TRAP(regs) == 0x400) && (regs->nip == address)) {
2146 -+ switch (pax_handle_fetch_fault(regs)) {
2147 -+
2148 -+#ifdef CONFIG_PAX_EMUPLT
2149 -+ case 2:
2150 -+ case 3:
2151 -+ case 4:
2152 -+ return 0;
2153 -+#endif
2154 -+
2155 -+#ifdef CONFIG_PAX_EMUSIGRT
2156 -+ case 5:
2157 -+ case 6:
2158 -+ return 0;
2159 -+#endif
2160 -+
2161 -+ }
2162 -+
2163 -+ pax_report_fault(regs, (void *)regs->nip, (void *)regs->gpr[1]);
2164 -+ do_group_exit(SIGKILL);
2165 -+ }
2166 -+ }
2167 -+#endif
2168 -+
2169 - _exception(SIGSEGV, regs, code, address);
2170 - return 0;
2171 - }
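Review bot: `pax_report_fault(regs, (void *)regs->nip, (void *)regs->gpr[1]);` uses a bare register index where the arch/powerpc version of the same block uses `regs->gpr[PT_R1]`; use the named index in both for consistency. As in the arch/powerpc hunk, the switch has no `default:` case and relies on fall-through to reach the kill path; make that explicit.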
2172 -diff -urNp linux-2.6.24.4/arch/s390/kernel/module.c linux-2.6.24.4/arch/s390/kernel/module.c
2173 ---- linux-2.6.24.4/arch/s390/kernel/module.c 2008-03-24 14:49:18.000000000 -0400
2174 -+++ linux-2.6.24.4/arch/s390/kernel/module.c 2008-03-26 17:56:55.000000000 -0400
2175 -@@ -166,11 +166,11 @@ module_frob_arch_sections(Elf_Ehdr *hdr,
2176 -
2177 - /* Increase core size by size of got & plt and set start
2178 - offsets for got and plt. */
2179 -- me->core_size = ALIGN(me->core_size, 4);
2180 -- me->arch.got_offset = me->core_size;
2181 -- me->core_size += me->arch.got_size;
2182 -- me->arch.plt_offset = me->core_size;
2183 -- me->core_size += me->arch.plt_size;
2184 -+ me->core_size_rw = ALIGN(me->core_size_rw, 4);
2185 -+ me->arch.got_offset = me->core_size_rw;
2186 -+ me->core_size_rw += me->arch.got_size;
2187 -+ me->arch.plt_offset = me->core_size_rx;
2188 -+ me->core_size_rx += me->arch.plt_size;
2189 - return 0;
2190 - }
2191 -
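Review bot: the alignment step was lost for the executable side of the split: the original code aligned the single `core_size` to 4 before taking both offsets, but the new code only does `me->core_size_rw = ALIGN(me->core_size_rw, 4);` and then sets `me->arch.plt_offset = me->core_size_rx;` without aligning `core_size_rx` first. Add `me->core_size_rx = ALIGN(me->core_size_rx, 4);` before the PLT offset is taken, since the PLT holds instructions, and update the comment ("Increase core size by size of got & plt") to say that the GOT now lives in the RW region and the PLT in the RX region.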
2192 -@@ -256,7 +256,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
2193 - if (info->got_initialized == 0) {
2194 - Elf_Addr *gotent;
2195 -
2196 -- gotent = me->module_core + me->arch.got_offset +
2197 -+ gotent = me->module_core_rw + me->arch.got_offset +
2198 - info->got_offset;
2199 - *gotent = val;
2200 - info->got_initialized = 1;
2201 -@@ -280,7 +280,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
2202 - else if (r_type == R_390_GOTENT ||
2203 - r_type == R_390_GOTPLTENT)
2204 - *(unsigned int *) loc =
2205 -- (val + (Elf_Addr) me->module_core - loc) >> 1;
2206 -+ (val + (Elf_Addr) me->module_core_rw - loc) >> 1;
2207 - else if (r_type == R_390_GOT64 ||
2208 - r_type == R_390_GOTPLT64)
2209 - *(unsigned long *) loc = val;
2210 -@@ -294,7 +294,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
2211 - case R_390_PLTOFF64: /* 16 bit offset from GOT to PLT. */
2212 - if (info->plt_initialized == 0) {
2213 - unsigned int *ip;
2214 -- ip = me->module_core + me->arch.plt_offset +
2215 -+ ip = me->module_core_rx + me->arch.plt_offset +
2216 - info->plt_offset;
2217 - #ifndef CONFIG_64BIT
2218 - ip[0] = 0x0d105810; /* basr 1,0; l 1,6(1); br 1 */
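Review bot: `ip = me->module_core_rx + me->arch.plt_offset + info->plt_offset;` followed by `ip[0] = 0x0d105810;` writes PLT stubs into the region that is now designated read-execute; this is only correct if the RX region is still writable at relocation time, so add a comment stating that ordering assumption (relocations are applied before the region is write-protected), otherwise a later reader will take this for a bug.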
2219 -@@ -316,7 +316,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
2220 - val = me->arch.plt_offset - me->arch.got_offset +
2221 - info->plt_offset + rela->r_addend;
2222 - else
2223 -- val = (Elf_Addr) me->module_core +
2224 -+ val = (Elf_Addr) me->module_core_rx +
2225 - me->arch.plt_offset + info->plt_offset +
2226 - rela->r_addend - loc;
2227 - if (r_type == R_390_PLT16DBL)
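Review bot: the unchanged PLTOFF branch in this hunk is now wrong: `val = me->arch.plt_offset - me->arch.got_offset + info->plt_offset + rela->r_addend;` subtracts two offsets that used to be relative to the same `module_core` base, but after this patch `plt_offset` is relative to `module_core_rx` and `got_offset` to `module_core_rw`, so their difference is no longer the in-memory distance from GOT to PLT. It needs to become `(Elf_Addr) me->module_core_rx + me->arch.plt_offset - ((Elf_Addr) me->module_core_rw + me->arch.got_offset) + info->plt_offset + rela->r_addend`, mirroring the `else` branch that this hunk does update.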
2228 -@@ -336,7 +336,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
2229 - case R_390_GOTOFF32: /* 32 bit offset to GOT. */
2230 - case R_390_GOTOFF64: /* 64 bit offset to GOT. */
2231 - val = val + rela->r_addend -
2232 -- ((Elf_Addr) me->module_core + me->arch.got_offset);
2233 -+ ((Elf_Addr) me->module_core_rw + me->arch.got_offset);
2234 - if (r_type == R_390_GOTOFF16)
2235 - *(unsigned short *) loc = val;
2236 - else if (r_type == R_390_GOTOFF32)
2237 -@@ -346,7 +346,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
2238 - break;
2239 - case R_390_GOTPC: /* 32 bit PC relative offset to GOT. */
2240 - case R_390_GOTPCDBL: /* 32 bit PC rel. off. to GOT shifted by 1. */
2241 -- val = (Elf_Addr) me->module_core + me->arch.got_offset +
2242 -+ val = (Elf_Addr) me->module_core_rw + me->arch.got_offset +
2243 - rela->r_addend - loc;
2244 - if (r_type == R_390_GOTPC)
2245 - *(unsigned int *) loc = val;
2246 -diff -urNp linux-2.6.24.4/arch/sparc/kernel/ptrace.c linux-2.6.24.4/arch/sparc/kernel/ptrace.c
2247 ---- linux-2.6.24.4/arch/sparc/kernel/ptrace.c 2008-03-24 14:49:18.000000000 -0400
2248 -+++ linux-2.6.24.4/arch/sparc/kernel/ptrace.c 2008-03-26 17:56:55.000000000 -0400
2249 -@@ -19,6 +19,7 @@
2250 - #include <linux/smp_lock.h>
2251 - #include <linux/security.h>
2252 - #include <linux/signal.h>
2253 -+#include <linux/grsecurity.h>
2254 -
2255 - #include <asm/pgtable.h>
2256 - #include <asm/system.h>
2257 -@@ -303,6 +304,11 @@ asmlinkage void do_ptrace(struct pt_regs
2258 - goto out;
2259 - }
2260 -
2261 -+ if (gr_handle_ptrace(child, request)) {
2262 -+ pt_error_return(regs, EPERM);
2263 -+ goto out_tsk;
2264 -+ }
2265 -+
2266 - if ((current->personality == PER_SUNOS && request == PTRACE_SUNATTACH)
2267 - || (current->personality != PER_SUNOS && request == PTRACE_ATTACH)) {
2268 - if (ptrace_attach(child)) {
2269 -diff -urNp linux-2.6.24.4/arch/sparc/kernel/sys_sparc.c linux-2.6.24.4/arch/sparc/kernel/sys_sparc.c
2270 ---- linux-2.6.24.4/arch/sparc/kernel/sys_sparc.c 2008-03-24 14:49:18.000000000 -0400
2271 -+++ linux-2.6.24.4/arch/sparc/kernel/sys_sparc.c 2008-03-26 17:56:55.000000000 -0400
2272 -@@ -57,7 +57,7 @@ unsigned long arch_get_unmapped_area(str
2273 - if (ARCH_SUN4C_SUN4 && len > 0x20000000)
2274 - return -ENOMEM;
2275 - if (!addr)
2276 -- addr = TASK_UNMAPPED_BASE;
2277 -+ addr = current->mm->mmap_base;
2278 -
2279 - if (flags & MAP_SHARED)
2280 - addr = COLOUR_ALIGN(addr);
2281 -diff -urNp linux-2.6.24.4/arch/sparc/Makefile linux-2.6.24.4/arch/sparc/Makefile
2282 ---- linux-2.6.24.4/arch/sparc/Makefile 2008-03-24 14:49:18.000000000 -0400
2283 -+++ linux-2.6.24.4/arch/sparc/Makefile 2008-03-26 17:56:55.000000000 -0400
2284 -@@ -36,7 +36,7 @@ drivers-$(CONFIG_OPROFILE) += arch/sparc
2285 - # Renaming is done to avoid confusing pattern matching rules in 2.5.45 (multy-)
2286 - INIT_Y := $(patsubst %/, %/built-in.o, $(init-y))
2287 - CORE_Y := $(core-y)
2288 --CORE_Y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/
2289 -+CORE_Y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/ grsecurity/
2290 - CORE_Y := $(patsubst %/, %/built-in.o, $(CORE_Y))
2291 - DRIVERS_Y := $(patsubst %/, %/built-in.o, $(drivers-y))
2292 - NET_Y := $(patsubst %/, %/built-in.o, $(net-y))
2293 -diff -urNp linux-2.6.24.4/arch/sparc/mm/fault.c linux-2.6.24.4/arch/sparc/mm/fault.c
2294 ---- linux-2.6.24.4/arch/sparc/mm/fault.c 2008-03-24 14:49:18.000000000 -0400
2295 -+++ linux-2.6.24.4/arch/sparc/mm/fault.c 2008-03-26 18:53:27.000000000 -0400
2296 -@@ -21,6 +21,10 @@
2297 - #include <linux/interrupt.h>
2298 - #include <linux/module.h>
2299 - #include <linux/kdebug.h>
2300 -+#include <linux/slab.h>
2301 -+#include <linux/pagemap.h>
2302 -+#include <linux/compiler.h>
2303 -+#include <linux/binfmts.h>
2304 -
2305 - #include <asm/system.h>
2306 - #include <asm/page.h>
2307 -@@ -216,6 +220,251 @@ static unsigned long compute_si_addr(str
2308 - return safe_compute_effective_address(regs, insn);
2309 - }
2310 -
2311 -+#ifdef CONFIG_PAX_PAGEEXEC
2312 -+void pax_emuplt_close(struct vm_area_struct *vma)
2313 -+{
2314 -+ vma->vm_mm->call_dl_resolve = 0UL;
2315 -+}
2316 -+
2317 -+static struct page *pax_emuplt_nopage(struct vm_area_struct *vma, unsigned long address, int *type)
2318 -+{
2319 -+ struct page *page;
2320 -+ unsigned int *kaddr;
2321 -+
2322 -+ page = alloc_page(GFP_HIGHUSER);
2323 -+ if (!page)
2324 -+ return NOPAGE_OOM;
2325 -+
2326 -+ kaddr = kmap(page);
2327 -+ memset(kaddr, 0, PAGE_SIZE);
2328 -+ kaddr[0] = 0x9DE3BFA8U; /* save */
2329 -+ flush_dcache_page(page);
2330 -+ kunmap(page);
2331 -+ if (type)
2332 -+ *type = VM_FAULT_MAJOR;
2333 -+
2334 -+ return page;
2335 -+}
2336 -+
2337 -+static struct vm_operations_struct pax_vm_ops = {
2338 -+ .close = pax_emuplt_close,
2339 -+ .nopage = pax_emuplt_nopage,
2340 -+};
2341 -+
2342 -+static int pax_insert_vma(struct vm_area_struct *vma, unsigned long addr)
2343 -+{
2344 -+ int ret;
2345 -+
2346 -+ vma->vm_mm = current->mm;
2347 -+ vma->vm_start = addr;
2348 -+ vma->vm_end = addr + PAGE_SIZE;
2349 -+ vma->vm_flags = VM_READ | VM_EXEC | VM_MAYREAD | VM_MAYEXEC;
2350 -+ vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
2351 -+ vma->vm_ops = &pax_vm_ops;
2352 -+
2353 -+ ret = insert_vm_struct(current->mm, vma);
2354 -+ if (ret)
2355 -+ return ret;
2356 -+
2357 -+ ++current->mm->total_vm;
2358 -+ return 0;
2359 -+}
2360 -+
2361 -+/*
2362 -+ * PaX: decide what to do with offenders (regs->pc = fault address)
2363 -+ *
2364 -+ * returns 1 when task should be killed
2365 -+ * 2 when patched PLT trampoline was detected
2366 -+ * 3 when unpatched PLT trampoline was detected
2367 -+ */
2368 -+static int pax_handle_fetch_fault(struct pt_regs *regs)
2369 -+{
2370 -+
2371 -+#ifdef CONFIG_PAX_EMUPLT
2372 -+ int err;
2373 -+
2374 -+ do { /* PaX: patched PLT emulation #1 */
2375 -+ unsigned int sethi1, sethi2, jmpl;
2376 -+
2377 -+ err = get_user(sethi1, (unsigned int *)regs->pc);
2378 -+ err |= get_user(sethi2, (unsigned int *)(regs->pc+4));
2379 -+ err |= get_user(jmpl, (unsigned int *)(regs->pc+8));
2380 -+
2381 -+ if (err)
2382 -+ break;
2383 -+
2384 -+ if ((sethi1 & 0xFFC00000U) == 0x03000000U &&
2385 -+ (sethi2 & 0xFFC00000U) == 0x03000000U &&
2386 -+ (jmpl & 0xFFFFE000U) == 0x81C06000U)
2387 -+ {
2388 -+ unsigned int addr;
2389 -+
2390 -+ regs->u_regs[UREG_G1] = (sethi2 & 0x003FFFFFU) << 10;
2391 -+ addr = regs->u_regs[UREG_G1];
2392 -+ addr += (((jmpl | 0xFFFFE000U) ^ 0x00001000U) + 0x00001000U);
2393 -+ regs->pc = addr;
2394 -+ regs->npc = addr+4;
2395 -+ return 2;
2396 -+ }
2397 -+ } while (0);
2398 -+
2399 -+ { /* PaX: patched PLT emulation #2 */
2400 -+ unsigned int ba;
2401 -+
2402 -+ err = get_user(ba, (unsigned int *)regs->pc);
2403 -+
2404 -+ if (!err && (ba & 0xFFC00000U) == 0x30800000U) {
2405 -+ unsigned int addr;
2406 -+
2407 -+ addr = regs->pc + ((((ba | 0xFFC00000U) ^ 0x00200000U) + 0x00200000U) << 2);
2408 -+ regs->pc = addr;
2409 -+ regs->npc = addr+4;
2410 -+ return 2;
2411 -+ }
2412 -+ }
2413 -+
2414 -+ do { /* PaX: patched PLT emulation #3 */
2415 -+ unsigned int sethi, jmpl, nop;
2416 -+
2417 -+ err = get_user(sethi, (unsigned int *)regs->pc);
2418 -+ err |= get_user(jmpl, (unsigned int *)(regs->pc+4));
2419 -+ err |= get_user(nop, (unsigned int *)(regs->pc+8));
2420 -+
2421 -+ if (err)
2422 -+ break;
2423 -+
2424 -+ if ((sethi & 0xFFC00000U) == 0x03000000U &&
2425 -+ (jmpl & 0xFFFFE000U) == 0x81C06000U &&
2426 -+ nop == 0x01000000U)
2427 -+ {
2428 -+ unsigned int addr;
2429 -+
2430 -+ addr = (sethi & 0x003FFFFFU) << 10;
2431 -+ regs->u_regs[UREG_G1] = addr;
2432 -+ addr += (((jmpl | 0xFFFFE000U) ^ 0x00001000U) + 0x00001000U);
2433 -+ regs->pc = addr;
2434 -+ regs->npc = addr+4;
2435 -+ return 2;
2436 -+ }
2437 -+ } while (0);
2438 -+
2439 -+ do { /* PaX: unpatched PLT emulation step 1 */
2440 -+ unsigned int sethi, ba, nop;
2441 -+
2442 -+ err = get_user(sethi, (unsigned int *)regs->pc);
2443 -+ err |= get_user(ba, (unsigned int *)(regs->pc+4));
2444 -+ err |= get_user(nop, (unsigned int *)(regs->pc+8));
2445 -+
2446 -+ if (err)
2447 -+ break;
2448 -+
2449 -+ if ((sethi & 0xFFC00000U) == 0x03000000U &&
2450 -+ ((ba & 0xFFC00000U) == 0x30800000U || (ba & 0xFFF80000U) == 0x30680000U) &&
2451 -+ nop == 0x01000000U)
2452 -+ {
2453 -+ unsigned int addr, save, call;
2454 -+
2455 -+ if ((ba & 0xFFC00000U) == 0x30800000U)
2456 -+ addr = regs->pc + 4 + ((((ba | 0xFFC00000U) ^ 0x00200000U) + 0x00200000U) << 2);
2457 -+ else
2458 -+ addr = regs->pc + 4 + ((((ba | 0xFFF80000U) ^ 0x00040000U) + 0x00040000U) << 2);
2459 -+
2460 -+ err = get_user(save, (unsigned int *)addr);
2461 -+ err |= get_user(call, (unsigned int *)(addr+4));
2462 -+ err |= get_user(nop, (unsigned int *)(addr+8));
2463 -+ if (err)
2464 -+ break;
2465 -+
2466 -+ if (save == 0x9DE3BFA8U &&
2467 -+ (call & 0xC0000000U) == 0x40000000U &&
2468 -+ nop == 0x01000000U)
2469 -+ {
2470 -+ struct vm_area_struct *vma;
2471 -+ unsigned long call_dl_resolve;
2472 -+
2473 -+ down_read(&current->mm->mmap_sem);
2474 -+ call_dl_resolve = current->mm->call_dl_resolve;
2475 -+ up_read(&current->mm->mmap_sem);
2476 -+ if (likely(call_dl_resolve))
2477 -+ goto emulate;
2478 -+
2479 -+ vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
2480 -+
2481 -+ down_write(&current->mm->mmap_sem);
2482 -+ if (current->mm->call_dl_resolve) {
2483 -+ call_dl_resolve = current->mm->call_dl_resolve;
2484 -+ up_write(&current->mm->mmap_sem);
2485 -+ if (vma) kmem_cache_free(vm_area_cachep, vma);
2486 -+ goto emulate;
2487 -+ }
2488 -+
2489 -+ call_dl_resolve = get_unmapped_area(NULL, 0UL, PAGE_SIZE, 0UL, MAP_PRIVATE);
2490 -+ if (!vma || (call_dl_resolve & ~PAGE_MASK)) {
2491 -+ up_write(&current->mm->mmap_sem);
2492 -+ if (vma) kmem_cache_free(vm_area_cachep, vma);
2493 -+ return 1;
2494 -+ }
2495 -+
2496 -+ if (pax_insert_vma(vma, call_dl_resolve)) {
2497 -+ up_write(&current->mm->mmap_sem);
2498 -+ kmem_cache_free(vm_area_cachep, vma);
2499 -+ return 1;
2500 -+ }
2501 -+
2502 -+ current->mm->call_dl_resolve = call_dl_resolve;
2503 -+ up_write(&current->mm->mmap_sem);
2504 -+
2505 -+emulate:
2506 -+ regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
2507 -+ regs->pc = call_dl_resolve;
2508 -+ regs->npc = addr+4;
2509 -+ return 3;
2510 -+ }
2511 -+ }
2512 -+ } while (0);
2513 -+
2514 -+ do { /* PaX: unpatched PLT emulation step 2 */
2515 -+ unsigned int save, call, nop;
2516 -+
2517 -+ err = get_user(save, (unsigned int *)(regs->pc-4));
2518 -+ err |= get_user(call, (unsigned int *)regs->pc);
2519 -+ err |= get_user(nop, (unsigned int *)(regs->pc+4));
2520 -+ if (err)
2521 -+ break;
2522 -+
2523 -+ if (save == 0x9DE3BFA8U &&
2524 -+ (call & 0xC0000000U) == 0x40000000U &&
2525 -+ nop == 0x01000000U)
2526 -+ {
2527 -+ unsigned int dl_resolve = regs->pc + ((((call | 0xC0000000U) ^ 0x20000000U) + 0x20000000U) << 2);
2528 -+
2529 -+ regs->u_regs[UREG_RETPC] = regs->pc;
2530 -+ regs->pc = dl_resolve;
2531 -+ regs->npc = dl_resolve+4;
2532 -+ return 3;
2533 -+ }
2534 -+ } while (0);
2535 -+#endif
2536 -+
2537 -+ return 1;
2538 -+}
2539 -+
2540 -+void pax_report_insns(void *pc, void *sp)
2541 -+{
2542 -+ unsigned long i;
2543 -+
2544 -+ printk(KERN_ERR "PAX: bytes at PC: ");
2545 -+ for (i = 0; i < 5; i++) {
2546 -+ unsigned int c;
2547 -+ if (get_user(c, (unsigned int *)pc+i))
2548 -+ printk("???????? ");
2549 -+ else
2550 -+ printk("%08x ", c);
2551 -+ }
2552 -+ printk("\n");
2553 -+}
2554 -+#endif
2555 -+
2556 - asmlinkage void do_sparc_fault(struct pt_regs *regs, int text_fault, int write,
2557 - unsigned long address)
2558 - {
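Review bot: `regs->npc = addr+4;` in the `emulate:` path looks like a copy-paste from the patched-PLT paths but is doing something different: `regs->pc` is pointed at the `call_dl_resolve` page while `npc` is left pointing at the `call` instruction inside the original PLT entry, so a comment should state that the `save` is executed from the private page and control then deliberately returns to the PLT's `call`. A style point in the same hunk: "patched PLT emulation #2" is written as a bare `{ ... }` block while every other case uses `do { ... } while (0);`; use the same form throughout.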
2559 -@@ -280,6 +529,24 @@ good_area:
2560 - if(!(vma->vm_flags & VM_WRITE))
2561 - goto bad_area;
2562 - } else {
2563 -+
2564 -+#ifdef CONFIG_PAX_PAGEEXEC
2565 -+ if ((mm->pax_flags & MF_PAX_PAGEEXEC) && text_fault && !(vma->vm_flags & VM_EXEC)) {
2566 -+ up_read(&mm->mmap_sem);
2567 -+ switch (pax_handle_fetch_fault(regs)) {
2568 -+
2569 -+#ifdef CONFIG_PAX_EMUPLT
2570 -+ case 2:
2571 -+ case 3:
2572 -+ return;
2573 -+#endif
2574 -+
2575 -+ }
2576 -+ pax_report_fault(regs, (void *)regs->pc, (void *)regs->u_regs[UREG_FP]);
2577 -+ do_group_exit(SIGKILL);
2578 -+ }
2579 -+#endif
2580 -+
2581 - /* Allow reads even for write-only mappings */
2582 - if(!(vma->vm_flags & (VM_READ | VM_EXEC)))
2583 - goto bad_area;
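Review bot: the `up_read(&mm->mmap_sem);` before `pax_handle_fetch_fault(regs)` is required because the handler takes `mmap_sem` itself, but nothing says so; add a comment, since dropping the fault handler's lock mid-path is otherwise surprising. As in the PowerPC hunks, the switch has no `default:` and falls through to `pax_report_fault()` and `do_group_exit(SIGKILL)` for return code 1; make that explicit.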
2584 -diff -urNp linux-2.6.24.4/arch/sparc/mm/init.c linux-2.6.24.4/arch/sparc/mm/init.c
2585 ---- linux-2.6.24.4/arch/sparc/mm/init.c 2008-03-24 14:49:18.000000000 -0400
2586 -+++ linux-2.6.24.4/arch/sparc/mm/init.c 2008-03-26 17:56:55.000000000 -0400
2587 -@@ -336,17 +336,17 @@ void __init paging_init(void)
2588 -
2589 - /* Initialize the protection map with non-constant, MMU dependent values. */
2590 - protection_map[0] = PAGE_NONE;
2591 -- protection_map[1] = PAGE_READONLY;
2592 -- protection_map[2] = PAGE_COPY;
2593 -- protection_map[3] = PAGE_COPY;
2594 -+ protection_map[1] = PAGE_READONLY_NOEXEC;
2595 -+ protection_map[2] = PAGE_COPY_NOEXEC;
2596 -+ protection_map[3] = PAGE_COPY_NOEXEC;
2597 - protection_map[4] = PAGE_READONLY;
2598 - protection_map[5] = PAGE_READONLY;
2599 - protection_map[6] = PAGE_COPY;
2600 - protection_map[7] = PAGE_COPY;
2601 - protection_map[8] = PAGE_NONE;
2602 -- protection_map[9] = PAGE_READONLY;
2603 -- protection_map[10] = PAGE_SHARED;
2604 -- protection_map[11] = PAGE_SHARED;
2605 -+ protection_map[9] = PAGE_READONLY_NOEXEC;
2606 -+ protection_map[10] = PAGE_SHARED_NOEXEC;
2607 -+ protection_map[11] = PAGE_SHARED_NOEXEC;
2608 - protection_map[12] = PAGE_READONLY;
2609 - protection_map[13] = PAGE_READONLY;
2610 - protection_map[14] = PAGE_SHARED;
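Review bot: the `PAGE_READONLY_NOEXEC`, `PAGE_COPY_NOEXEC` and `PAGE_SHARED_NOEXEC` entries are installed in `protection_map` unconditionally, while the srmmu.c hunk in this same patch only initialises the `_NOEXEC` values under `#ifdef CONFIG_PAX_PAGEEXEC`; with PAGEEXEC disabled the map will reference values this patch never sets on SRMMU (unless they are defined elsewhere, which is not visible here). Gate this block with the same `#ifdef` and keep the original assignments in the `#else` branch.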
2611 -diff -urNp linux-2.6.24.4/arch/sparc/mm/srmmu.c linux-2.6.24.4/arch/sparc/mm/srmmu.c
2612 ---- linux-2.6.24.4/arch/sparc/mm/srmmu.c 2008-03-24 14:49:18.000000000 -0400
2613 -+++ linux-2.6.24.4/arch/sparc/mm/srmmu.c 2008-03-26 17:56:55.000000000 -0400
2614 -@@ -2157,6 +2157,13 @@ void __init ld_mmu_srmmu(void)
2615 - PAGE_SHARED = pgprot_val(SRMMU_PAGE_SHARED);
2616 - BTFIXUPSET_INT(page_copy, pgprot_val(SRMMU_PAGE_COPY));
2617 - BTFIXUPSET_INT(page_readonly, pgprot_val(SRMMU_PAGE_RDONLY));
2618 -+
2619 -+#ifdef CONFIG_PAX_PAGEEXEC
2620 -+ PAGE_SHARED_NOEXEC = pgprot_val(SRMMU_PAGE_SHARED_NOEXEC);
2621 -+ BTFIXUPSET_INT(page_copy_noexec, pgprot_val(SRMMU_PAGE_COPY_NOEXEC));
2622 -+ BTFIXUPSET_INT(page_readonly_noexec, pgprot_val(SRMMU_PAGE_RDONLY_NOEXEC));
2623 -+#endif
2624 -+
2625 - BTFIXUPSET_INT(page_kernel, pgprot_val(SRMMU_PAGE_KERNEL));
2626 - page_kernel = pgprot_val(SRMMU_PAGE_KERNEL);
2627 -
2628 -diff -urNp linux-2.6.24.4/arch/sparc64/kernel/Makefile linux-2.6.24.4/arch/sparc64/kernel/Makefile
2629 ---- linux-2.6.24.4/arch/sparc64/kernel/Makefile 2008-03-24 14:49:18.000000000 -0400
2630 -+++ linux-2.6.24.4/arch/sparc64/kernel/Makefile 2008-03-26 17:56:55.000000000 -0400
2631 -@@ -3,7 +3,7 @@
2632 - #
2633 -
2634 - EXTRA_AFLAGS := -ansi
2635 --EXTRA_CFLAGS := -Werror
2636 -+#EXTRA_CFLAGS := -Werror
2637 -
2638 - extra-y := head.o init_task.o vmlinux.lds
2639 -
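Review bot: commenting out `EXTRA_CFLAGS := -Werror` turns off warnings-as-errors for all of arch/sparc64/kernel instead of addressing whatever warning the patch introduces (one likely candidate is the unused `regs` parameter of pax_handle_fetch_fault() when CONFIG_PAX_EMUPLT is disabled, in the fault.c hunk further down). Prefer fixing the warning, or at least record in the patch description which warning prompted this; the same change is repeated for arch/sparc64/mm/Makefile.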
2640 -diff -urNp linux-2.6.24.4/arch/sparc64/kernel/ptrace.c linux-2.6.24.4/arch/sparc64/kernel/ptrace.c
2641 ---- linux-2.6.24.4/arch/sparc64/kernel/ptrace.c 2008-03-24 14:49:18.000000000 -0400
2642 -+++ linux-2.6.24.4/arch/sparc64/kernel/ptrace.c 2008-03-26 17:56:55.000000000 -0400
2643 -@@ -22,6 +22,7 @@
2644 - #include <linux/seccomp.h>
2645 - #include <linux/audit.h>
2646 - #include <linux/signal.h>
2647 -+#include <linux/grsecurity.h>
2648 -
2649 - #include <asm/asi.h>
2650 - #include <asm/pgtable.h>
2651 -@@ -216,6 +217,11 @@ asmlinkage void do_ptrace(struct pt_regs
2652 - goto out;
2653 - }
2654 -
2655 -+ if (gr_handle_ptrace(child, (long)request)) {
2656 -+ pt_error_return(regs, EPERM);
2657 -+ goto out_tsk;
2658 -+ }
2659 -+
2660 - if ((current->personality == PER_SUNOS && request == PTRACE_SUNATTACH)
2661 - || (current->personality != PER_SUNOS && request == PTRACE_ATTACH)) {
2662 - if (ptrace_attach(child)) {
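Review bot: the gr_handle_ptrace() check sits before both the PER_SUNOS and the standard PTRACE_ATTACH branches and exits through `out_tsk`, so the child task reference taken earlier is dropped on denial; that ordering and cleanup look right, and EPERM is delivered through pt_error_return() like the surrounding sparc64 error paths. Note in the description that the hook is evaluated for every request that reaches this point, not only attach, since `request` is passed through as a long and the hook decides what to deny.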
2663 -diff -urNp linux-2.6.24.4/arch/sparc64/kernel/sys_sparc.c linux-2.6.24.4/arch/sparc64/kernel/sys_sparc.c
2664 ---- linux-2.6.24.4/arch/sparc64/kernel/sys_sparc.c 2008-03-24 14:49:18.000000000 -0400
2665 -+++ linux-2.6.24.4/arch/sparc64/kernel/sys_sparc.c 2008-03-26 17:56:55.000000000 -0400
2666 -@@ -123,7 +123,7 @@ unsigned long arch_get_unmapped_area(str
2667 - /* We do not accept a shared mapping if it would violate
2668 - * cache aliasing constraints.
2669 - */
2670 -- if ((flags & MAP_SHARED) &&
2671 -+ if ((filp || (flags & MAP_SHARED)) &&
2672 - ((addr - (pgoff << PAGE_SHIFT)) & (SHMLBA - 1)))
2673 - return -EINVAL;
2674 - return addr;
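Review bot: widening the cache-aliasing rejection from `flags & MAP_SHARED` to `filp || (flags & MAP_SHARED)` means a MAP_FIXED private file mapping at a non-SHMLBA-aligned address now fails with -EINVAL where it used to be accepted (the early `return addr;` shows this is the MAP_FIXED path). It is consistent with the `do_color_align` condition in the next hunk, but it is a user-visible tightening that sits outside any CONFIG_PAX ifdef, so it should be called out separately in the changelog; the topdown variant below gets the same change.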
2675 -@@ -138,6 +138,10 @@ unsigned long arch_get_unmapped_area(str
2676 - if (filp || (flags & MAP_SHARED))
2677 - do_color_align = 1;
2678 -
2679 -+#ifdef CONFIG_PAX_RANDMMAP
2680 -+ if (!(mm->pax_flags & MF_PAX_RANDMMAP) || !filp)
2681 -+#endif
2682 -+
2683 - if (addr) {
2684 - if (do_color_align)
2685 - addr = COLOUR_ALIGN(addr, pgoff);
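Review bot: the `#ifdef CONFIG_PAX_RANDMMAP` guard at the top of this hunk is a bare `if` whose body is the pre-existing `if (addr) {` block after the `#endif`; that works, but the control flow is invisible to anyone reading the unpatched context and breaks silently if a statement is ever inserted between the two. Suggest making the scope explicit (braces around the guarded block, or folding the condition into the `if (addr ...)` test) and adding a comment that, under RANDMMAP, the caller's hint address is ignored for file-backed mappings so their placement stays randomised.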
2686 -@@ -151,9 +155,9 @@ unsigned long arch_get_unmapped_area(str
2687 - }
2688 -
2689 - if (len > mm->cached_hole_size) {
2690 -- start_addr = addr = mm->free_area_cache;
2691 -+ start_addr = addr = mm->free_area_cache;
2692 - } else {
2693 -- start_addr = addr = TASK_UNMAPPED_BASE;
2694 -+ start_addr = addr = mm->mmap_base;
2695 - mm->cached_hole_size = 0;
2696 - }
2697 -
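Review bot: the first changed pair in this hunk (`start_addr = addr = mm->free_area_cache;`) differs only in whitespace and should be dropped to keep the diff minimal. The substantive change, starting the search from `mm->mmap_base` instead of `TASK_UNMAPPED_BASE`, is what lets the base chosen in arch_pick_mmap_layout() take effect for the bottom-up layout; the full_search restart path needs the same substitution, which the following hunk provides.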
2698 -@@ -173,8 +177,8 @@ full_search:
2699 - vma = find_vma(mm, VA_EXCLUDE_END);
2700 - }
2701 - if (unlikely(task_size < addr)) {
2702 -- if (start_addr != TASK_UNMAPPED_BASE) {
2703 -- start_addr = addr = TASK_UNMAPPED_BASE;
2704 -+ if (start_addr != mm->mmap_base) {
2705 -+ start_addr = addr = mm->mmap_base;
2706 - mm->cached_hole_size = 0;
2707 - goto full_search;
2708 - }
2709 -@@ -214,7 +218,7 @@ arch_get_unmapped_area_topdown(struct fi
2710 - /* We do not accept a shared mapping if it would violate
2711 - * cache aliasing constraints.
2712 - */
2713 -- if ((flags & MAP_SHARED) &&
2714 -+ if ((filp || (flags & MAP_SHARED)) &&
2715 - ((addr - (pgoff << PAGE_SHIFT)) & (SHMLBA - 1)))
2716 - return -EINVAL;
2717 - return addr;
2718 -@@ -377,6 +381,12 @@ void arch_pick_mmap_layout(struct mm_str
2719 - current->signal->rlim[RLIMIT_STACK].rlim_cur == RLIM_INFINITY ||
2720 - sysctl_legacy_va_layout) {
2721 - mm->mmap_base = TASK_UNMAPPED_BASE + random_factor;
2722 -+
2723 -+#ifdef CONFIG_PAX_RANDMMAP
2724 -+ if (mm->pax_flags & MF_PAX_RANDMMAP)
2725 -+ mm->mmap_base += mm->delta_mmap;
2726 -+#endif
2727 -+
2728 - mm->get_unmapped_area = arch_get_unmapped_area;
2729 - mm->unmap_area = arch_unmap_area;
2730 - } else {
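Review bot: in the legacy (bottom-up) layout `mm->mmap_base` becomes `TASK_UNMAPPED_BASE + random_factor + mm->delta_mmap`, with delta_mmap added on top of the random_factor the unpatched code already applies. Nothing in this hunk bounds or aligns delta_mmap, and mmap_base is not re-aligned afterwards, so the place where delta_mmap is generated (not in this hunk) should document that it is a multiple of PAGE_SIZE and that the sum stays below the task size; the description should also mention the doubled randomisation.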
2731 -@@ -391,6 +401,12 @@ void arch_pick_mmap_layout(struct mm_str
2732 - gap = (task_size / 6 * 5);
2733 -
2734 - mm->mmap_base = PAGE_ALIGN(task_size - gap - random_factor);
2735 -+
2736 -+#ifdef CONFIG_PAX_RANDMMAP
2737 -+ if (mm->pax_flags & MF_PAX_RANDMMAP)
2738 -+ mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
2739 -+#endif
2740 -+
2741 - mm->get_unmapped_area = arch_get_unmapped_area_topdown;
2742 - mm->unmap_area = arch_unmap_area_topdown;
2743 - }
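Review bot: for the topdown layout the subtraction `mm->mmap_base -= mm->delta_mmap + mm->delta_stack` happens after the PAGE_ALIGN() on the preceding line, so both deltas must themselves be page multiples or the base loses its alignment. It also moves the base below the `task_size - gap - random_factor` point, and `gap` is already clamped to `task_size / 6 * 5`, so the deltas need an upper bound that keeps mmap_base clear of the bottom-up region; state both invariants where the deltas are assigned.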
2744 -diff -urNp linux-2.6.24.4/arch/sparc64/mm/fault.c linux-2.6.24.4/arch/sparc64/mm/fault.c
2745 ---- linux-2.6.24.4/arch/sparc64/mm/fault.c 2008-03-24 14:49:18.000000000 -0400
2746 -+++ linux-2.6.24.4/arch/sparc64/mm/fault.c 2008-03-26 18:53:27.000000000 -0400
2747 -@@ -20,6 +20,10 @@
2748 - #include <linux/kprobes.h>
2749 - #include <linux/kallsyms.h>
2750 - #include <linux/kdebug.h>
2751 -+#include <linux/slab.h>
2752 -+#include <linux/pagemap.h>
2753 -+#include <linux/compiler.h>
2754 -+#include <linux/binfmts.h>
2755 -
2756 - #include <asm/page.h>
2757 - #include <asm/pgtable.h>
2758 -@@ -262,6 +266,368 @@ cannot_handle:
2759 - unhandled_fault (address, current, regs);
2760 - }
2761 -
2762 -+#ifdef CONFIG_PAX_PAGEEXEC
2763 -+#ifdef CONFIG_PAX_EMUPLT
2764 -+static void pax_emuplt_close(struct vm_area_struct *vma)
2765 -+{
2766 -+ vma->vm_mm->call_dl_resolve = 0UL;
2767 -+}
2768 -+
2769 -+static struct page *pax_emuplt_nopage(struct vm_area_struct *vma, unsigned long address, int *type)
2770 -+{
2771 -+ struct page *page;
2772 -+ unsigned int *kaddr;
2773 -+
2774 -+ page = alloc_page(GFP_HIGHUSER);
2775 -+ if (!page)
2776 -+ return NOPAGE_OOM;
2777 -+
2778 -+ kaddr = kmap(page);
2779 -+ memset(kaddr, 0, PAGE_SIZE);
2780 -+ kaddr[0] = 0x9DE3BFA8U; /* save */
2781 -+ flush_dcache_page(page);
2782 -+ kunmap(page);
2783 -+ if (type)
2784 -+ *type = VM_FAULT_MAJOR;
2785 -+ return page;
2786 -+}
2787 -+
2788 -+static struct vm_operations_struct pax_vm_ops = {
2789 -+ .close = pax_emuplt_close,
2790 -+ .nopage = pax_emuplt_nopage,
2791 -+};
2792 -+
2793 -+static int pax_insert_vma(struct vm_area_struct *vma, unsigned long addr)
2794 -+{
2795 -+ int ret;
2796 -+
2797 -+ vma->vm_mm = current->mm;
2798 -+ vma->vm_start = addr;
2799 -+ vma->vm_end = addr + PAGE_SIZE;
2800 -+ vma->vm_flags = VM_READ | VM_EXEC | VM_MAYREAD | VM_MAYEXEC;
2801 -+ vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
2802 -+ vma->vm_ops = &pax_vm_ops;
2803 -+
2804 -+ ret = insert_vm_struct(current->mm, vma);
2805 -+ if (ret)
2806 -+ return ret;
2807 -+
2808 -+ ++current->mm->total_vm;
2809 -+ return 0;
2810 -+}
2811 -+#endif
2812 -+
2813 -+/*
2814 -+ * PaX: decide what to do with offenders (regs->tpc = fault address)
2815 -+ *
2816 -+ * returns 1 when task should be killed
2817 -+ * 2 when patched PLT trampoline was detected
2818 -+ * 3 when unpatched PLT trampoline was detected
2819 -+ */
2820 -+static int pax_handle_fetch_fault(struct pt_regs *regs)
2821 -+{
2822 -+
2823 -+#ifdef CONFIG_PAX_EMUPLT
2824 -+ int err;
2825 -+
2826 -+ do { /* PaX: patched PLT emulation #1 */
2827 -+ unsigned int sethi1, sethi2, jmpl;
2828 -+
2829 -+ err = get_user(sethi1, (unsigned int *)regs->tpc);
2830 -+ err |= get_user(sethi2, (unsigned int *)(regs->tpc+4));
2831 -+ err |= get_user(jmpl, (unsigned int *)(regs->tpc+8));
2832 -+
2833 -+ if (err)
2834 -+ break;
2835 -+
2836 -+ if ((sethi1 & 0xFFC00000U) == 0x03000000U &&
2837 -+ (sethi2 & 0xFFC00000U) == 0x03000000U &&
2838 -+ (jmpl & 0xFFFFE000U) == 0x81C06000U)
2839 -+ {
2840 -+ unsigned long addr;
2841 -+
2842 -+ regs->u_regs[UREG_G1] = (sethi2 & 0x003FFFFFU) << 10;
2843 -+ addr = regs->u_regs[UREG_G1];
2844 -+ addr += (((jmpl | 0xFFFFFFFFFFFFE000UL) ^ 0x00001000UL) + 0x00001000UL);
2845 -+ regs->tpc = addr;
2846 -+ regs->tnpc = addr+4;
2847 -+ return 2;
2848 -+ }
2849 -+ } while (0);
2850 -+
2851 -+ { /* PaX: patched PLT emulation #2 */
2852 -+ unsigned int ba;
2853 -+
2854 -+ err = get_user(ba, (unsigned int *)regs->tpc);
2855 -+
2856 -+ if (!err && (ba & 0xFFC00000U) == 0x30800000U) {
2857 -+ unsigned long addr;
2858 -+
2859 -+ addr = regs->tpc + ((((ba | 0xFFFFFFFFFFC00000UL) ^ 0x00200000UL) + 0x00200000UL) << 2);
2860 -+ regs->tpc = addr;
2861 -+ regs->tnpc = addr+4;
2862 -+ return 2;
2863 -+ }
2864 -+ }
2865 -+
2866 -+ do { /* PaX: patched PLT emulation #3 */
2867 -+ unsigned int sethi, jmpl, nop;
2868 -+
2869 -+ err = get_user(sethi, (unsigned int *)regs->tpc);
2870 -+ err |= get_user(jmpl, (unsigned int *)(regs->tpc+4));
2871 -+ err |= get_user(nop, (unsigned int *)(regs->tpc+8));
2872 -+
2873 -+ if (err)
2874 -+ break;
2875 -+
2876 -+ if ((sethi & 0xFFC00000U) == 0x03000000U &&
2877 -+ (jmpl & 0xFFFFE000U) == 0x81C06000U &&
2878 -+ nop == 0x01000000U)
2879 -+ {
2880 -+ unsigned long addr;
2881 -+
2882 -+ addr = (sethi & 0x003FFFFFU) << 10;
2883 -+ regs->u_regs[UREG_G1] = addr;
2884 -+ addr += (((jmpl | 0xFFFFFFFFFFFFE000UL) ^ 0x00001000UL) + 0x00001000UL);
2885 -+ regs->tpc = addr;
2886 -+ regs->tnpc = addr+4;
2887 -+ return 2;
2888 -+ }
2889 -+ } while (0);
2890 -+
2891 -+ do { /* PaX: patched PLT emulation #4 */
2892 -+ unsigned int mov1, call, mov2;
2893 -+
2894 -+ err = get_user(mov1, (unsigned int *)regs->tpc);
2895 -+ err |= get_user(call, (unsigned int *)(regs->tpc+4));
2896 -+ err |= get_user(mov2, (unsigned int *)(regs->tpc+8));
2897 -+
2898 -+ if (err)
2899 -+ break;
2900 -+
2901 -+ if (mov1 == 0x8210000FU &&
2902 -+ (call & 0xC0000000U) == 0x40000000U &&
2903 -+ mov2 == 0x9E100001U)
2904 -+ {
2905 -+ unsigned long addr;
2906 -+
2907 -+ regs->u_regs[UREG_G1] = regs->u_regs[UREG_RETPC];
2908 -+ addr = regs->tpc + 4 + ((((call | 0xFFFFFFFFC0000000UL) ^ 0x20000000UL) + 0x20000000UL) << 2);
2909 -+ regs->tpc = addr;
2910 -+ regs->tnpc = addr+4;
2911 -+ return 2;
2912 -+ }
2913 -+ } while (0);
2914 -+
2915 -+ do { /* PaX: patched PLT emulation #5 */
2916 -+ unsigned int sethi1, sethi2, or1, or2, sllx, jmpl, nop;
2917 -+
2918 -+ err = get_user(sethi1, (unsigned int *)regs->tpc);
2919 -+ err |= get_user(sethi2, (unsigned int *)(regs->tpc+4));
2920 -+ err |= get_user(or1, (unsigned int *)(regs->tpc+8));
2921 -+ err |= get_user(or2, (unsigned int *)(regs->tpc+12));
2922 -+ err |= get_user(sllx, (unsigned int *)(regs->tpc+16));
2923 -+ err |= get_user(jmpl, (unsigned int *)(regs->tpc+20));
2924 -+ err |= get_user(nop, (unsigned int *)(regs->tpc+24));
2925 -+
2926 -+ if (err)
2927 -+ break;
2928 -+
2929 -+ if ((sethi1 & 0xFFC00000U) == 0x03000000U &&
2930 -+ (sethi2 & 0xFFC00000U) == 0x0B000000U &&
2931 -+ (or1 & 0xFFFFE000U) == 0x82106000U &&
2932 -+ (or2 & 0xFFFFE000U) == 0x8A116000U &&
2933 -+ sllx == 0x83287020 &&
2934 -+ jmpl == 0x81C04005U &&
2935 -+ nop == 0x01000000U)
2936 -+ {
2937 -+ unsigned long addr;
2938 -+
2939 -+ regs->u_regs[UREG_G1] = ((sethi1 & 0x003FFFFFU) << 10) | (or1 & 0x000003FFU);
2940 -+ regs->u_regs[UREG_G1] <<= 32;
2941 -+ regs->u_regs[UREG_G5] = ((sethi2 & 0x003FFFFFU) << 10) | (or2 & 0x000003FFU);
2942 -+ addr = regs->u_regs[UREG_G1] + regs->u_regs[UREG_G5];
2943 -+ regs->tpc = addr;
2944 -+ regs->tnpc = addr+4;
2945 -+ return 2;
2946 -+ }
2947 -+ } while (0);
2948 -+
2949 -+ do { /* PaX: patched PLT emulation #6 */
2950 -+ unsigned int sethi1, sethi2, sllx, or, jmpl, nop;
2951 -+
2952 -+ err = get_user(sethi1, (unsigned int *)regs->tpc);
2953 -+ err |= get_user(sethi2, (unsigned int *)(regs->tpc+4));
2954 -+ err |= get_user(sllx, (unsigned int *)(regs->tpc+8));
2955 -+ err |= get_user(or, (unsigned int *)(regs->tpc+12));
2956 -+ err |= get_user(jmpl, (unsigned int *)(regs->tpc+16));
2957 -+ err |= get_user(nop, (unsigned int *)(regs->tpc+20));
2958 -+
2959 -+ if (err)
2960 -+ break;
2961 -+
2962 -+ if ((sethi1 & 0xFFC00000U) == 0x03000000U &&
2963 -+ (sethi2 & 0xFFC00000U) == 0x0B000000U &&
2964 -+ sllx == 0x83287020 &&
2965 -+ (or & 0xFFFFE000U) == 0x8A116000U &&
2966 -+ jmpl == 0x81C04005U &&
2967 -+ nop == 0x01000000U)
2968 -+ {
2969 -+ unsigned long addr;
2970 -+
2971 -+ regs->u_regs[UREG_G1] = (sethi1 & 0x003FFFFFU) << 10;
2972 -+ regs->u_regs[UREG_G1] <<= 32;
2973 -+ regs->u_regs[UREG_G5] = ((sethi2 & 0x003FFFFFU) << 10) | (or & 0x3FFU);
2974 -+ addr = regs->u_regs[UREG_G1] + regs->u_regs[UREG_G5];
2975 -+ regs->tpc = addr;
2976 -+ regs->tnpc = addr+4;
2977 -+ return 2;
2978 -+ }
2979 -+ } while (0);
2980 -+
2981 -+ do { /* PaX: patched PLT emulation #7 */
2982 -+ unsigned int sethi, ba, nop;
2983 -+
2984 -+ err = get_user(sethi, (unsigned int *)regs->tpc);
2985 -+ err |= get_user(ba, (unsigned int *)(regs->tpc+4));
2986 -+ err |= get_user(nop, (unsigned int *)(regs->tpc+8));
2987 -+
2988 -+ if (err)
2989 -+ break;
2990 -+
2991 -+ if ((sethi & 0xFFC00000U) == 0x03000000U &&
2992 -+ (ba & 0xFFF00000U) == 0x30600000U &&
2993 -+ nop == 0x01000000U)
2994 -+ {
2995 -+ unsigned long addr;
2996 -+
2997 -+ addr = (sethi & 0x003FFFFFU) << 10;
2998 -+ regs->u_regs[UREG_G1] = addr;
2999 -+ addr = regs->tpc + ((((ba | 0xFFFFFFFFFFF80000UL) ^ 0x00040000UL) + 0x00040000UL) << 2);
3000 -+ regs->tpc = addr;
3001 -+ regs->tnpc = addr+4;
3002 -+ return 2;
3003 -+ }
3004 -+ } while (0);
3005 -+
3006 -+ do { /* PaX: unpatched PLT emulation step 1 */
3007 -+ unsigned int sethi, ba, nop;
3008 -+
3009 -+ err = get_user(sethi, (unsigned int *)regs->tpc);
3010 -+ err |= get_user(ba, (unsigned int *)(regs->tpc+4));
3011 -+ err |= get_user(nop, (unsigned int *)(regs->tpc+8));
3012 -+
3013 -+ if (err)
3014 -+ break;
3015 -+
3016 -+ if ((sethi & 0xFFC00000U) == 0x03000000U &&
3017 -+ ((ba & 0xFFC00000U) == 0x30800000U || (ba & 0xFFF80000U) == 0x30680000U) &&
3018 -+ nop == 0x01000000U)
3019 -+ {
3020 -+ unsigned long addr;
3021 -+ unsigned int save, call;
3022 -+
3023 -+ if ((ba & 0xFFC00000U) == 0x30800000U)
3024 -+ addr = regs->tpc + 4 + ((((ba | 0xFFFFFFFFFFC00000UL) ^ 0x00200000UL) + 0x00200000UL) << 2);
3025 -+ else
3026 -+ addr = regs->tpc + 4 + ((((ba | 0xFFFFFFFFFFF80000UL) ^ 0x00040000UL) + 0x00040000UL) << 2);
3027 -+
3028 -+ err = get_user(save, (unsigned int *)addr);
3029 -+ err |= get_user(call, (unsigned int *)(addr+4));
3030 -+ err |= get_user(nop, (unsigned int *)(addr+8));
3031 -+ if (err)
3032 -+ break;
3033 -+
3034 -+ if (save == 0x9DE3BFA8U &&
3035 -+ (call & 0xC0000000U) == 0x40000000U &&
3036 -+ nop == 0x01000000U)
3037 -+ {
3038 -+ struct vm_area_struct *vma;
3039 -+ unsigned long call_dl_resolve;
3040 -+
3041 -+ down_read(&current->mm->mmap_sem);
3042 -+ call_dl_resolve = current->mm->call_dl_resolve;
3043 -+ up_read(&current->mm->mmap_sem);
3044 -+ if (likely(call_dl_resolve))
3045 -+ goto emulate;
3046 -+
3047 -+ vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
3048 -+
3049 -+ down_write(&current->mm->mmap_sem);
3050 -+ if (current->mm->call_dl_resolve) {
3051 -+ call_dl_resolve = current->mm->call_dl_resolve;
3052 -+ up_write(&current->mm->mmap_sem);
3053 -+ if (vma) kmem_cache_free(vm_area_cachep, vma);
3054 -+ goto emulate;
3055 -+ }
3056 -+
3057 -+ call_dl_resolve = get_unmapped_area(NULL, 0UL, PAGE_SIZE, 0UL, MAP_PRIVATE);
3058 -+ if (!vma || (call_dl_resolve & ~PAGE_MASK)) {
3059 -+ up_write(&current->mm->mmap_sem);
3060 -+ if (vma) kmem_cache_free(vm_area_cachep, vma);
3061 -+ return 1;
3062 -+ }
3063 -+
3064 -+ if (pax_insert_vma(vma, call_dl_resolve)) {
3065 -+ up_write(&current->mm->mmap_sem);
3066 -+ kmem_cache_free(vm_area_cachep, vma);
3067 -+ return 1;
3068 -+ }
3069 -+
3070 -+ current->mm->call_dl_resolve = call_dl_resolve;
3071 -+ up_write(&current->mm->mmap_sem);
3072 -+
3073 -+emulate:
3074 -+ regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
3075 -+ regs->tpc = call_dl_resolve;
3076 -+ regs->tnpc = addr+4;
3077 -+ return 3;
3078 -+ }
3079 -+ }
3080 -+ } while (0);
3081 -+
3082 -+ do { /* PaX: unpatched PLT emulation step 2 */
3083 -+ unsigned int save, call, nop;
3084 -+
3085 -+ err = get_user(save, (unsigned int *)(regs->tpc-4));
3086 -+ err |= get_user(call, (unsigned int *)regs->tpc);
3087 -+ err |= get_user(nop, (unsigned int *)(regs->tpc+4));
3088 -+ if (err)
3089 -+ break;
3090 -+
3091 -+ if (save == 0x9DE3BFA8U &&
3092 -+ (call & 0xC0000000U) == 0x40000000U &&
3093 -+ nop == 0x01000000U)
3094 -+ {
3095 -+ unsigned long dl_resolve = regs->tpc + ((((call | 0xFFFFFFFFC0000000UL) ^ 0x20000000UL) + 0x20000000UL) << 2);
3096 -+
3097 -+ regs->u_regs[UREG_RETPC] = regs->tpc;
3098 -+ regs->tpc = dl_resolve;
3099 -+ regs->tnpc = dl_resolve+4;
3100 -+ return 3;
3101 -+ }
3102 -+ } while (0);
3103 -+#endif
3104 -+
3105 -+ return 1;
3106 -+}
3107 -+
3108 -+void pax_report_insns(void *pc, void *sp)
3109 -+{
3110 -+ unsigned long i;
3111 -+
3112 -+ printk(KERN_ERR "PAX: bytes at PC: ");
3113 -+ for (i = 0; i < 5; i++) {
3114 -+ unsigned int c;
3115 -+ if (get_user(c, (unsigned int *)pc+i))
3116 -+ printk("???????? ");
3117 -+ else
3118 -+ printk("%08x ", c);
3119 -+ }
3120 -+ printk("\n");
3121 -+}
3122 -+#endif
3123 -+
3124 - asmlinkage void __kprobes do_sparc64_fault(struct pt_regs *regs)
3125 - {
3126 - struct mm_struct *mm = current->mm;
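Review bot: pax_insert_vma() bumps `mm->total_vm` directly without the may_expand_vm() RLIMIT_AS check other VMA insertions get, and the trampoline VMA is created without VM_DONTEXPAND, so nothing stops mremap() from growing the single page whose only content is the `save` written by pax_emuplt_nopage(); consider adding both. Two smaller points: the `sllx == 0x83287020` comparisons in emulation patterns #5 and #6 lack the `U` suffix used on every other constant, and with CONFIG_PAX_EMUPLT disabled pax_handle_fetch_fault() reduces to `return 1;` with `regs` unused, which is the kind of warning that probably motivated dropping -Werror. The double-checked read of `mm->call_dl_resolve` (down_read, then re-check under down_write before reserving the page) is correct, and the preallocated vma is freed on every failure path.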
3127 -@@ -303,8 +669,10 @@ asmlinkage void __kprobes do_sparc64_fau
3128 - goto intr_or_no_mm;
3129 -
3130 - if (test_thread_flag(TIF_32BIT)) {
3131 -- if (!(regs->tstate & TSTATE_PRIV))
3132 -+ if (!(regs->tstate & TSTATE_PRIV)) {
3133 - regs->tpc &= 0xffffffff;
3134 -+ regs->tnpc &= 0xffffffff;
3135 -+ }
3136 - address &= 0xffffffff;
3137 - }
3138 -
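Review bot: masking `regs->tnpc` to 32 bits alongside `regs->tpc` for unprivileged TIF_32BIT tasks is presumably for the benefit of the PAGEEXEC block added later in this function, which compares `address` with `regs->tpc` and then rewrites both tpc and tnpc; a one-line comment saying so would help, since on its own the tnpc line looks unrelated to fault handling.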
3139 -@@ -321,6 +689,29 @@ asmlinkage void __kprobes do_sparc64_fau
3140 - if (!vma)
3141 - goto bad_area;
3142 -
3143 -+#ifdef CONFIG_PAX_PAGEEXEC
3144 -+ /* PaX: detect ITLB misses on non-exec pages */
3145 -+ if ((mm->pax_flags & MF_PAX_PAGEEXEC) && vma->vm_start <= address &&
3146 -+ !(vma->vm_flags & VM_EXEC) && (fault_code & FAULT_CODE_ITLB))
3147 -+ {
3148 -+ if (address != regs->tpc)
3149 -+ goto good_area;
3150 -+
3151 -+ up_read(&mm->mmap_sem);
3152 -+ switch (pax_handle_fetch_fault(regs)) {
3153 -+
3154 -+#ifdef CONFIG_PAX_EMUPLT
3155 -+ case 2:
3156 -+ case 3:
3157 -+ return;
3158 -+#endif
3159 -+
3160 -+ }
3161 -+ pax_report_fault(regs, (void*)regs->tpc, (void*)(regs->u_regs[UREG_FP] + STACK_BIAS));
3162 -+ do_group_exit(SIGKILL);
3163 -+ }
3164 -+#endif
3165 -+
3166 - /* Pure DTLB misses do not tell us whether the fault causing
3167 - * load/store/atomic was a write or not, it only says that there
3168 - * was no match. So in such a case we (carefully) read the
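Review bot: inside the CONFIG_PAX_PAGEEXEC block, an ITLB miss on a non-executable VMA whose address is not `regs->tpc` jumps to `good_area` with `mmap_sem` still held, i.e. is processed as an ordinary fault, while every other outcome ends in pax_report_fault() plus do_group_exit(SIGKILL). A comment explaining when `address != regs->tpc` can occur for an ITLB miss and why continuing is safe would help; likewise the `switch` has no `default:`, so return value 1 (and every value when EMUPLT is off) falls through to the kill path by design, which deserves a comment. The `up_read(&mm->mmap_sem)` before the call is required because the emulation path takes the semaphore itself.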
3169 -diff -urNp linux-2.6.24.4/arch/sparc64/mm/Makefile linux-2.6.24.4/arch/sparc64/mm/Makefile
3170 ---- linux-2.6.24.4/arch/sparc64/mm/Makefile 2008-03-24 14:49:18.000000000 -0400
3171 -+++ linux-2.6.24.4/arch/sparc64/mm/Makefile 2008-03-26 17:56:55.000000000 -0400
3172 -@@ -3,7 +3,7 @@
3173 - #
3174 -
3175 - EXTRA_AFLAGS := -ansi
3176 --EXTRA_CFLAGS := -Werror
3177 -+#EXTRA_CFLAGS := -Werror
3178 -
3179 - obj-y := ultra.o tlb.o tsb.o fault.o init.o generic.o
3180 -
3181 -diff -urNp linux-2.6.24.4/arch/v850/kernel/module.c linux-2.6.24.4/arch/v850/kernel/module.c
3182 ---- linux-2.6.24.4/arch/v850/kernel/module.c 2008-03-24 14:49:18.000000000 -0400
3183 -+++ linux-2.6.24.4/arch/v850/kernel/module.c 2008-03-26 17:56:55.000000000 -0400
3184 -@@ -150,8 +150,8 @@ static uint32_t do_plt_call (void *locat
3185 - tramp[1] = ((val >> 16) & 0xffff) + 0x610000; /* ...; jmp r1 */
3186 -
3187 - /* Init, or core PLT? */
3188 -- if (location >= mod->module_core
3189 -- && location < mod->module_core + mod->core_size)
3190 -+ if (location >= mod->module_core_rx
3191 -+ && location < mod->module_core_rx + mod->core_size_rx)
3192 - entry = (void *)sechdrs[mod->arch.core_plt_section].sh_addr;
3193 - else
3194 - entry = (void *)sechdrs[mod->arch.init_plt_section].sh_addr;
3195 -diff -urNp linux-2.6.24.4/arch/x86/boot/bitops.h linux-2.6.24.4/arch/x86/boot/bitops.h
3196 ---- linux-2.6.24.4/arch/x86/boot/bitops.h 2008-03-24 14:49:18.000000000 -0400
3197 -+++ linux-2.6.24.4/arch/x86/boot/bitops.h 2008-03-26 17:56:55.000000000 -0400
3198 -@@ -28,7 +28,7 @@ static inline int variable_test_bit(int
3199 - u8 v;
3200 - const u32 *p = (const u32 *)addr;
3201 -
3202 -- asm("btl %2,%1; setc %0" : "=qm" (v) : "m" (*p), "Ir" (nr));
3203 -+ asm volatile("btl %2,%1; setc %0" : "=qm" (v) : "m" (*p), "Ir" (nr));
3204 - return v;
3205 - }
3206 -
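Review bot: adding `volatile` to the `btl ... setc` asm in variable_test_bit() only stops GCC from eliminating or merging the statement; the asm already names `*p` as an "m" input, so the read cannot be moved across writes to that location, and the "+m" constraint in set_bit() below already makes that one non-deletable. The change is harmless but pessimises boot code, so the patch description should say whether it fixes an observed miscompile or is purely defensive.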
3207 -@@ -39,7 +39,7 @@ static inline int variable_test_bit(int
3208 -
3209 - static inline void set_bit(int nr, void *addr)
3210 - {
3211 -- asm("btsl %1,%0" : "+m" (*(u32 *)addr) : "Ir" (nr));
3212 -+ asm volatile("btsl %1,%0" : "+m" (*(u32 *)addr) : "Ir" (nr));
3213 - }
3214 -
3215 - #endif /* BOOT_BITOPS_H */
3216 -diff -urNp linux-2.6.24.4/arch/x86/boot/boot.h linux-2.6.24.4/arch/x86/boot/boot.h
3217 ---- linux-2.6.24.4/arch/x86/boot/boot.h 2008-03-24 14:49:18.000000000 -0400
3218 -+++ linux-2.6.24.4/arch/x86/boot/boot.h 2008-03-26 17:56:55.000000000 -0400
3219 -@@ -78,7 +78,7 @@ static inline void io_delay(void)
3220 - static inline u16 ds(void)
3221 - {
3222 - u16 seg;
3223 -- asm("movw %%ds,%0" : "=rm" (seg));
3224 -+ asm volatile("movw %%ds,%0" : "=rm" (seg));
3225 - return seg;
3226 - }
3227 -
3228 -@@ -174,7 +174,7 @@ static inline void wrgs32(u32 v, addr_t
3229 - static inline int memcmp(const void *s1, const void *s2, size_t len)
3230 - {
3231 - u8 diff;
3232 -- asm("repe; cmpsb; setnz %0"
3233 -+ asm volatile("repe; cmpsb; setnz %0"
3234 - : "=qm" (diff), "+D" (s1), "+S" (s2), "+c" (len));
3235 - return diff;
3236 - }
3237 -diff -urNp linux-2.6.24.4/arch/x86/boot/compressed/head_32.S linux-2.6.24.4/arch/x86/boot/compressed/head_32.S
3238 ---- linux-2.6.24.4/arch/x86/boot/compressed/head_32.S 2008-03-24 14:49:18.000000000 -0400
3239 -+++ linux-2.6.24.4/arch/x86/boot/compressed/head_32.S 2008-03-26 17:56:55.000000000 -0400
3240 -@@ -70,7 +70,7 @@ startup_32:
3241 - addl $(CONFIG_PHYSICAL_ALIGN - 1), %ebx
3242 - andl $(~(CONFIG_PHYSICAL_ALIGN - 1)), %ebx
3243 - #else
3244 -- movl $LOAD_PHYSICAL_ADDR, %ebx
3245 -+ movl $____LOAD_PHYSICAL_ADDR, %ebx
3246 - #endif
3247 -
3248 - /* Replace the compressed data size with the uncompressed size */
3249 -@@ -105,7 +105,7 @@ startup_32:
3250 - addl $(CONFIG_PHYSICAL_ALIGN - 1), %ebp
3251 - andl $(~(CONFIG_PHYSICAL_ALIGN - 1)), %ebp
3252 - #else
3253 -- movl $LOAD_PHYSICAL_ADDR, %ebp
3254 -+ movl $____LOAD_PHYSICAL_ADDR, %ebp
3255 - #endif
3256 -
3257 - /*
3258 -@@ -159,16 +159,15 @@ relocated:
3259 - * and where it was actually loaded.
3260 - */
3261 - movl %ebp, %ebx
3262 -- subl $LOAD_PHYSICAL_ADDR, %ebx
3263 -+ subl $____LOAD_PHYSICAL_ADDR, %ebx
3264 - jz 2f /* Nothing to be done if loaded at compiled addr. */
3265 - /*
3266 - * Process relocations.
3267 - */
3268 -
3269 - 1: subl $4, %edi
3270 -- movl 0(%edi), %ecx
3271 -- testl %ecx, %ecx
3272 -- jz 2f
3273 -+ movl (%edi), %ecx
3274 -+ jecxz 2f
3275 - addl %ebx, -__PAGE_OFFSET(%ebx, %ecx)
3276 - jmp 1b
3277 - 2:
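Review bot: `jecxz 2f` replaces `testl %ecx, %ecx` / `jz 2f` with the same semantics (branch when %ecx is zero) but only an 8-bit displacement, which is fine here because label 2: is a few instructions away; the `0(%edi)` to `(%edi)` change is cosmetic. The rename to `____LOAD_PHYSICAL_ADDR` in this and the two previous hunks (and again in misc_32.c) has no visible definition in this file, so say where the new macro is defined and why the plain LOAD_PHYSICAL_ADDR no longer fits.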
3278 -diff -urNp linux-2.6.24.4/arch/x86/boot/compressed/misc_32.c linux-2.6.24.4/arch/x86/boot/compressed/misc_32.c
3279 ---- linux-2.6.24.4/arch/x86/boot/compressed/misc_32.c 2008-03-24 14:49:18.000000000 -0400
3280 -+++ linux-2.6.24.4/arch/x86/boot/compressed/misc_32.c 2008-03-26 17:56:55.000000000 -0400
3281 -@@ -113,7 +113,8 @@ typedef unsigned char uch;
3282 - typedef unsigned short ush;
3283 - typedef unsigned long ulg;
3284 -
3285 --#define WSIZE 0x80000000 /* Window size must be at least 32k,
3286 -+#define WSIZE 0x80000000
3287 -+ /* Window size must be at least 32k,
3288 - * and a power of two
3289 - * We don't actually have a window just
3290 - * a huge output buffer so I report
3291 -@@ -370,7 +371,7 @@ asmlinkage void decompress_kernel(void *
3292 - if (end > ((-__PAGE_OFFSET-(512 <<20)-1) & 0x7fffffff))
3293 - error("Destination address too large");
3294 - #ifndef CONFIG_RELOCATABLE
3295 -- if ((u32)output != LOAD_PHYSICAL_ADDR)
3296 -+ if ((u32)output != ____LOAD_PHYSICAL_ADDR)
3297 - error("Wrong destination address");
3298 - #endif
3299 -
3300 -diff -urNp linux-2.6.24.4/arch/x86/boot/compressed/relocs.c linux-2.6.24.4/arch/x86/boot/compressed/relocs.c
3301 ---- linux-2.6.24.4/arch/x86/boot/compressed/relocs.c 2008-03-24 14:49:18.000000000 -0400
3302 -+++ linux-2.6.24.4/arch/x86/boot/compressed/relocs.c 2008-03-26 17:56:55.000000000 -0400
3303 -@@ -10,9 +10,13 @@
3304 - #define USE_BSD
3305 - #include <endian.h>
3306 -
3307 -+#include "../../../../include/linux/autoconf.h"
3308 -+
3309 -+#define MAX_PHDRS 100
3310 - #define MAX_SHDRS 100
3311 - #define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))
3312 - static Elf32_Ehdr ehdr;
3313 -+static Elf32_Phdr phdr[MAX_PHDRS];
3314 - static Elf32_Shdr shdr[MAX_SHDRS];
3315 - static Elf32_Sym *symtab[MAX_SHDRS];
3316 - static Elf32_Rel *reltab[MAX_SHDRS];
3317 -@@ -244,6 +248,34 @@ static void read_ehdr(FILE *fp)
3318 - }
3319 - }
3320 -
3321 -+static void read_phdrs(FILE *fp)
3322 -+{
3323 -+ int i;
3324 -+ if (ehdr.e_phnum > MAX_PHDRS) {
3325 -+ die("%d program headers supported: %d\n",
3326 -+ ehdr.e_phnum, MAX_PHDRS);
3327 -+ }
3328 -+ if (fseek(fp, ehdr.e_phoff, SEEK_SET) < 0) {
3329 -+ die("Seek to %d failed: %s\n",
3330 -+ ehdr.e_phoff, strerror(errno));
3331 -+ }
3332 -+ if (fread(&phdr, sizeof(phdr[0]), ehdr.e_phnum, fp) != ehdr.e_phnum) {
3333 -+ die("Cannot read ELF program headers: %s\n",
3334 -+ strerror(errno));
3335 -+ }
3336 -+ for(i = 0; i < ehdr.e_phnum; i++) {
3337 -+ phdr[i].p_type = elf32_to_cpu(phdr[i].p_type);
3338 -+ phdr[i].p_offset = elf32_to_cpu(phdr[i].p_offset);
3339 -+ phdr[i].p_vaddr = elf32_to_cpu(phdr[i].p_vaddr);
3340 -+ phdr[i].p_paddr = elf32_to_cpu(phdr[i].p_paddr);
3341 -+ phdr[i].p_filesz = elf32_to_cpu(phdr[i].p_filesz);
3342 -+ phdr[i].p_memsz = elf32_to_cpu(phdr[i].p_memsz);
3343 -+ phdr[i].p_flags = elf32_to_cpu(phdr[i].p_flags);
3344 -+ phdr[i].p_align = elf32_to_cpu(phdr[i].p_align);
3345 -+ }
3346 -+
3347 -+}
3348 -+
3349 - static void read_shdrs(FILE *fp)
3350 - {
3351 - int i;
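Review bot: in read_phdrs() `fread(&phdr, ...)` passes the address of the array rather than the array itself; the pointer value is the same, but `phdr` is the idiomatic form. The error message `"%d program headers supported: %d\n"` prints the file's count first and the limit second and so reads backwards; something like `"Too many program headers: %d (max %d)\n"` is clearer. The byte-swapping loop covers all eight Elf32_Phdr fields, and the `e_phnum > MAX_PHDRS` check runs before the fread, as it should.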
3352 -@@ -330,6 +362,8 @@ static void read_symtabs(FILE *fp)
3353 - static void read_relocs(FILE *fp)
3354 - {
3355 - int i,j;
3356 -+ uint32_t base;
3357 -+
3358 - for(i = 0; i < ehdr.e_shnum; i++) {
3359 - if (shdr[i].sh_type != SHT_REL) {
3360 - continue;
3361 -@@ -347,8 +381,17 @@ static void read_relocs(FILE *fp)
3362 - die("Cannot read symbol table: %s\n",
3363 - strerror(errno));
3364 - }
3365 -+ base = 0;
3366 -+ for (j = 0; j < ehdr.e_phnum; j++) {
3367 -+ if (phdr[j].p_type != PT_LOAD )
3368 -+ continue;
3369 -+ if (shdr[shdr[i].sh_info].sh_offset < phdr[j].p_offset || shdr[shdr[i].sh_info].sh_offset > phdr[j].p_offset + phdr[j].p_filesz)
3370 -+ continue;
3371 -+ base = CONFIG_PAGE_OFFSET + phdr[j].p_paddr - phdr[j].p_vaddr;
3372 -+ break;
3373 -+ }
3374 - for(j = 0; j < shdr[i].sh_size/sizeof(reltab[0][0]); j++) {
3375 -- reltab[i][j].r_offset = elf32_to_cpu(reltab[i][j].r_offset);
3376 -+ reltab[i][j].r_offset = elf32_to_cpu(reltab[i][j].r_offset) + base;
3377 - reltab[i][j].r_info = elf32_to_cpu(reltab[i][j].r_info);
3378 - }
3379 - }
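Review bot: the PT_LOAD lookup in read_relocs() silently leaves `base = 0` when the relocation target section (`shdr[shdr[i].sh_info]`) falls inside no program header, and the boundary test `sh_offset > p_offset + p_filesz` accepts a section starting exactly at the end of a segment; use `>=` and die() on no match rather than relocating against a zero base. The `CONFIG_PAGE_OFFSET + p_paddr - p_vaddr` adjustment relies on the new autoconf.h include at the top of the file, which makes this host tool depend on the target .config; worth a comment.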
3380 -@@ -485,6 +528,27 @@ static void walk_relocs(void (*visit)(El
3381 - if (sym->st_shndx == SHN_ABS) {
3382 - continue;
3383 - }
3384 -+ /* Don't relocate actual per-cpu variables, they are absolute indices, not addresses */
3385 -+ if (!strcmp(sec_name(sym->st_shndx), ".data.percpu") && strncmp(sym_name(sym_strtab, sym), "__per_cpu_", 10)) {
3386 -+ continue;
3387 -+ }
3388 -+#if defined(CONFIG_PAX_KERNEXEC) && defined(CONFIG_X86_32)
3389 -+ /* Don't relocate actual code, they are relocated implicitly by the base address of KERNEL_CS */
3390 -+ if (!strcmp(sec_name(sym->st_shndx), ".init.text")) {
3391 -+ continue;
3392 -+ }
3393 -+ if (!strcmp(sec_name(sym->st_shndx), ".exit.text")) {
3394 -+ continue;
3395 -+ }
3396 -+ if (!strcmp(sec_name(sym->st_shndx), ".text.head")) {
3397 -+ if (strcmp(sym_name(sym_strtab, sym), "__init_end") &&
3398 -+ strcmp(sym_name(sym_strtab, sym), "KERNEL_TEXT_OFFSET"))
3399 -+ continue;
3400 -+ }
3401 -+ if (!strcmp(sec_name(sym->st_shndx), ".text")) {
3402 -+ continue;
3403 -+ }
3404 -+#endif
3405 - if (r_type == R_386_PC32) {
3406 - /* PC relative relocations don't need to be adjusted */
3407 - }
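Review bot: the `.data.percpu` exclusion keeps only symbols whose names start with `__per_cpu_` (the strncmp is non-zero for other names, so those are skipped), which matches its comment. The CONFIG_PAX_KERNEXEC block skips `.text`, `.init.text`, `.exit.text` and all of `.text.head` except `__init_end` and `KERNEL_TEXT_OFFSET`; the comment explains that code is relocated through the KERNEL_CS base but not why those two symbols are the exceptions, so spell that out, and consider a small table of section names instead of four separate strcmp blocks.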
3408 -@@ -612,6 +676,7 @@ int main(int argc, char **argv)
3409 - fname, strerror(errno));
3410 - }
3411 - read_ehdr(fp);
3412 -+ read_phdrs(fp);
3413 - read_shdrs(fp);
3414 - read_strtabs(fp);
3415 - read_symtabs(fp);
3416 -diff -urNp linux-2.6.24.4/arch/x86/boot/cpucheck.c linux-2.6.24.4/arch/x86/boot/cpucheck.c
3417 ---- linux-2.6.24.4/arch/x86/boot/cpucheck.c 2008-03-24 14:49:18.000000000 -0400
3418 -+++ linux-2.6.24.4/arch/x86/boot/cpucheck.c 2008-03-26 17:56:55.000000000 -0400
3419 -@@ -84,7 +84,7 @@ static int has_fpu(void)
3420 - u16 fcw = -1, fsw = -1;
3421 - u32 cr0;
3422 -
3423 -- asm("movl %%cr0,%0" : "=r" (cr0));
3424 -+ asm volatile("movl %%cr0,%0" : "=r" (cr0));
3425 - if (cr0 & (X86_CR0_EM|X86_CR0_TS)) {
3426 - cr0 &= ~(X86_CR0_EM|X86_CR0_TS);
3427 - asm volatile("movl %0,%%cr0" : : "r" (cr0));
3428 -@@ -100,7 +100,7 @@ static int has_eflag(u32 mask)
3429 - {
3430 - u32 f0, f1;
3431 -
3432 -- asm("pushfl ; "
3433 -+ asm volatile("pushfl ; "
3434 - "pushfl ; "
3435 - "popl %0 ; "
3436 - "movl %0,%1 ; "
3437 -@@ -125,7 +125,7 @@ static void get_flags(void)
3438 - set_bit(X86_FEATURE_FPU, cpu.flags);
3439 -
3440 - if (has_eflag(X86_EFLAGS_ID)) {
3441 -- asm("cpuid"
3442 -+ asm volatile("cpuid"
3443 - : "=a" (max_intel_level),
3444 - "=b" (cpu_vendor[0]),
3445 - "=d" (cpu_vendor[1]),
3446 -@@ -134,7 +134,7 @@ static void get_flags(void)
3447 -
3448 - if (max_intel_level >= 0x00000001 &&
3449 - max_intel_level <= 0x0000ffff) {
3450 -- asm("cpuid"
3451 -+ asm volatile("cpuid"
3452 - : "=a" (tfms),
3453 - "=c" (cpu.flags[4]),
3454 - "=d" (cpu.flags[0])
3455 -@@ -146,7 +146,7 @@ static void get_flags(void)
3456 - cpu.model += ((tfms >> 16) & 0xf) << 4;
3457 - }
3458 -
3459 -- asm("cpuid"
3460 -+ asm volatile("cpuid"
3461 - : "=a" (max_amd_level)
3462 - : "a" (0x80000000)
3463 - : "ebx", "ecx", "edx");
3464 -@@ -154,7 +154,7 @@ static void get_flags(void)
3465 - if (max_amd_level >= 0x80000001 &&
3466 - max_amd_level <= 0x8000ffff) {
3467 - u32 eax = 0x80000001;
3468 -- asm("cpuid"
3469 -+ asm volatile("cpuid"
3470 - : "+a" (eax),
3471 - "=c" (cpu.flags[6]),
3472 - "=d" (cpu.flags[1])
3473 -@@ -213,9 +213,9 @@ int check_cpu(int *cpu_level_ptr, int *r
3474 - u32 ecx = MSR_K7_HWCR;
3475 - u32 eax, edx;
3476 -
3477 -- asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
3478 -+ asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
3479 - eax &= ~(1 << 15);
3480 -- asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
3481 -+ asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
3482 -
3483 - get_flags(); /* Make sure it really did something */
3484 - err = check_flags();
3485 -@@ -228,9 +228,9 @@ int check_cpu(int *cpu_level_ptr, int *r
3486 - u32 ecx = MSR_VIA_FCR;
3487 - u32 eax, edx;
3488 -
3489 -- asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
3490 -+ asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
3491 - eax |= (1<<1)|(1<<7);
3492 -- asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
3493 -+ asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
3494 -
3495 - set_bit(X86_FEATURE_CX8, cpu.flags);
3496 - err = check_flags();
3497 -@@ -241,12 +241,12 @@ int check_cpu(int *cpu_level_ptr, int *r
3498 - u32 eax, edx;
3499 - u32 level = 1;
3500 -
3501 -- asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
3502 -- asm("wrmsr" : : "a" (~0), "d" (edx), "c" (ecx));
3503 -- asm("cpuid"
3504 -+ asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
3505 -+ asm volatile("wrmsr" : : "a" (~0), "d" (edx), "c" (ecx));
3506 -+ asm volatile("cpuid"
3507 - : "+a" (level), "=d" (cpu.flags[0])
3508 - : : "ecx", "ebx");
3509 -- asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
3510 -+ asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
3511 -
3512 - err = check_flags();
3513 - }
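Review bot: the `volatile` additions matter most in this hunk: the `cpuid` result depends on the `wrmsr` issued just before it and is followed by another `wrmsr` restoring the MSR, so without volatile GCC may legally reuse an earlier cpuid result or move the asm across the writes, defeating the feature re-probe. The `wrmsr` statements have no outputs and were therefore already implicitly volatile, so those changes are no-ops; harmless, but the description could say which asm the fix is actually for.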
3514 -diff -urNp linux-2.6.24.4/arch/x86/boot/edd.c linux-2.6.24.4/arch/x86/boot/edd.c
3515 ---- linux-2.6.24.4/arch/x86/boot/edd.c 2008-03-24 14:49:18.000000000 -0400
3516 -+++ linux-2.6.24.4/arch/x86/boot/edd.c 2008-03-26 17:56:55.000000000 -0400
3517 -@@ -78,7 +78,7 @@ static int get_edd_info(u8 devno, struct
3518 - ax = 0x4100;
3519 - bx = EDDMAGIC1;
3520 - dx = devno;
3521 -- asm("pushfl; stc; int $0x13; setc %%al; popfl"
3522 -+ asm volatile("pushfl; stc; int $0x13; setc %%al; popfl"
3523 - : "+a" (ax), "+b" (bx), "=c" (cx), "+d" (dx)
3524 - : : "esi", "edi");
3525 -
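Review bot: `asm volatile` is the right fix for the `int $0x13` BIOS calls in this and the two following hunks (and for `int $0x15` in main.c and mca.c): these asms have outputs, so without volatile GCC was free to delete a call whose result went unused or to merge two calls with identical inputs, skipping a BIOS side effect. Unlike the bitops.h and boot.h changes this is a genuine correctness fix and deserves to be separated from the cosmetic volatile additions in the same patch.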
3526 -@@ -97,7 +97,7 @@ static int get_edd_info(u8 devno, struct
3527 - ei->params.length = sizeof(ei->params);
3528 - ax = 0x4800;
3529 - dx = devno;
3530 -- asm("pushfl; int $0x13; popfl"
3531 -+ asm volatile("pushfl; int $0x13; popfl"
3532 - : "+a" (ax), "+d" (dx), "=m" (ei->params)
3533 - : "S" (&ei->params)
3534 - : "ebx", "ecx", "edi");
3535 -@@ -108,7 +108,7 @@ static int get_edd_info(u8 devno, struct
3536 - ax = 0x0800;
3537 - dx = devno;
3538 - di = 0;
3539 -- asm("pushw %%es; "
3540 -+ asm volatile("pushw %%es; "
3541 - "movw %%di,%%es; "
3542 - "pushfl; stc; int $0x13; setc %%al; popfl; "
3543 - "popw %%es"
3544 -diff -urNp linux-2.6.24.4/arch/x86/boot/main.c linux-2.6.24.4/arch/x86/boot/main.c
3545 ---- linux-2.6.24.4/arch/x86/boot/main.c 2008-03-24 14:49:18.000000000 -0400
3546 -+++ linux-2.6.24.4/arch/x86/boot/main.c 2008-03-26 17:56:55.000000000 -0400
3547 -@@ -75,7 +75,7 @@ static void keyboard_set_repeat(void)
3548 - */
3549 - static void query_ist(void)
3550 - {
3551 -- asm("int $0x15"
3552 -+ asm volatile("int $0x15"
3553 - : "=a" (boot_params.ist_info.signature),
3554 - "=b" (boot_params.ist_info.command),
3555 - "=c" (boot_params.ist_info.event),
3556 -diff -urNp linux-2.6.24.4/arch/x86/boot/mca.c linux-2.6.24.4/arch/x86/boot/mca.c
3557 ---- linux-2.6.24.4/arch/x86/boot/mca.c 2008-03-24 14:49:18.000000000 -0400
3558 -+++ linux-2.6.24.4/arch/x86/boot/mca.c 2008-03-26 17:56:55.000000000 -0400
3559 -@@ -21,7 +21,7 @@ int query_mca(void)
3560 - u8 err;
3561 - u16 es, bx, len;
3562 -
3563 -- asm("pushw %%es ; "
3564 -+ asm volatile("pushw %%es ; "
3565 - "int $0x15 ; "
3566 - "setc %0 ; "
3567 - "movw %%es, %1 ; "
3568 -diff -urNp linux-2.6.24.4/arch/x86/boot/memory.c linux-2.6.24.4/arch/x86/boot/memory.c
3569 ---- linux-2.6.24.4/arch/x86/boot/memory.c 2008-03-24 14:49:18.000000000 -0400
3570 -+++ linux-2.6.24.4/arch/x86/boot/memory.c 2008-03-26 17:56:55.000000000 -0400
3571 -@@ -32,7 +32,7 @@ static int detect_memory_e820(void)
3572 - /* Important: %edx is clobbered by some BIOSes,
3573 - so it must be either used for the error output
3574 - or explicitly marked clobbered. */
3575 -- asm("int $0x15; setc %0"
3576 -+ asm volatile("int $0x15; setc %0"
3577 - : "=d" (err), "+b" (next), "=a" (id), "+c" (size),
3578 - "=m" (*desc)
3579 - : "D" (desc), "d" (SMAP), "a" (0xe820));
3580 -@@ -64,7 +64,7 @@ static int detect_memory_e801(void)
3581 -
3582 - bx = cx = dx = 0;
3583 - ax = 0xe801;
3584 -- asm("stc; int $0x15; setc %0"
3585 -+ asm volatile("stc; int $0x15; setc %0"
3586 - : "=m" (err), "+a" (ax), "+b" (bx), "+c" (cx), "+d" (dx));
3587 -
3588 - if (err)
3589 -@@ -94,7 +94,7 @@ static int detect_memory_88(void)
3590 - u8 err;
3591 -
3592 - ax = 0x8800;
3593 -- asm("stc; int $0x15; setc %0" : "=bcdm" (err), "+a" (ax));
3594 -+ asm volatile("stc; int $0x15; setc %0" : "=bcdm" (err), "+a" (ax));
3595 -
3596 - boot_params.screen_info.ext_mem_k = ax;
3597 -
3598 -diff -urNp linux-2.6.24.4/arch/x86/boot/video.c linux-2.6.24.4/arch/x86/boot/video.c
3599 ---- linux-2.6.24.4/arch/x86/boot/video.c 2008-03-24 14:49:18.000000000 -0400
3600 -+++ linux-2.6.24.4/arch/x86/boot/video.c 2008-03-26 17:56:55.000000000 -0400
3601 -@@ -40,7 +40,7 @@ static void store_cursor_position(void)
3602 -
3603 - ax = 0x0300;
3604 - bx = 0;
3605 -- asm(INT10
3606 -+ asm volatile(INT10
3607 - : "=d" (curpos), "+a" (ax), "+b" (bx)
3608 - : : "ecx", "esi", "edi");
3609 -
3610 -@@ -55,7 +55,7 @@ static void store_video_mode(void)
3611 - /* N.B.: the saving of the video page here is a bit silly,
3612 - since we pretty much assume page 0 everywhere. */
3613 - ax = 0x0f00;
3614 -- asm(INT10
3615 -+ asm volatile(INT10
3616 - : "+a" (ax), "=b" (page)
3617 - : : "ecx", "edx", "esi", "edi");
3618 -
3619 -diff -urNp linux-2.6.24.4/arch/x86/boot/video-vesa.c linux-2.6.24.4/arch/x86/boot/video-vesa.c
3620 ---- linux-2.6.24.4/arch/x86/boot/video-vesa.c 2008-03-24 14:49:18.000000000 -0400
3621 -+++ linux-2.6.24.4/arch/x86/boot/video-vesa.c 2008-03-26 17:56:55.000000000 -0400
3622 -@@ -41,7 +41,7 @@ static int vesa_probe(void)
3623 -
3624 - ax = 0x4f00;
3625 - di = (size_t)&vginfo;
3626 -- asm(INT10
3627 -+ asm volatile(INT10
3628 - : "+a" (ax), "+D" (di), "=m" (vginfo)
3629 - : : "ebx", "ecx", "edx", "esi");
3630 -
3631 -@@ -68,7 +68,7 @@ static int vesa_probe(void)
3632 - ax = 0x4f01;
3633 - cx = mode;
3634 - di = (size_t)&vminfo;
3635 -- asm(INT10
3636 -+ asm volatile(INT10
3637 - : "+a" (ax), "+c" (cx), "+D" (di), "=m" (vminfo)
3638 - : : "ebx", "edx", "esi");
3639 -
3640 -@@ -115,7 +115,7 @@ static int vesa_set_mode(struct mode_inf
3641 - ax = 0x4f01;
3642 - cx = vesa_mode;
3643 - di = (size_t)&vminfo;
3644 -- asm(INT10
3645 -+ asm volatile(INT10
3646 - : "+a" (ax), "+c" (cx), "+D" (di), "=m" (vminfo)
3647 - : : "ebx", "edx", "esi");
3648 -
3649 -@@ -193,19 +193,20 @@ static void vesa_dac_set_8bits(void)
3650 - /* Save the VESA protected mode info */
3651 - static void vesa_store_pm_info(void)
3652 - {
3653 -- u16 ax, bx, di, es;
3654 -+ u16 ax, bx, cx, di, es;
3655 -
3656 - ax = 0x4f0a;
3657 -- bx = di = 0;
3658 -- asm("pushw %%es; "INT10"; movw %%es,%0; popw %%es"
3659 -- : "=d" (es), "+a" (ax), "+b" (bx), "+D" (di)
3660 -- : : "ecx", "esi");
3661 -+ bx = cx = di = 0;
3662 -+ asm volatile("pushw %%es; "INT10"; movw %%es,%0; popw %%es"
3663 -+ : "=d" (es), "+a" (ax), "+b" (bx), "+c" (cx), "+D" (di)
3664 -+ : : "esi");
3665 -
3666 - if (ax != 0x004f)
3667 - return;
3668 -
3669 - boot_params.screen_info.vesapm_seg = es;
3670 - boot_params.screen_info.vesapm_off = di;
3671 -+ boot_params.screen_info.vesapm_size = cx;
3672 - }
3673 -
3674 - /*
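Review bot: this hunk changes behaviour rather than just adding `volatile`: CX becomes an in/out operand, the `ecx` clobber is dropped accordingly (correct, an operand register must not also be listed as clobbered), and the VBE protected-mode interface length is stored in `boot_params.screen_info.vesapm_size`. That field is not defined anywhere in this hunk, so either the matching `struct screen_info` change is elsewhere in the patch or this will not build; either way the functional change belongs in its own patch with a description instead of being folded into the asm-volatile sweep.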
3675 -@@ -259,7 +260,7 @@ void vesa_store_edid(void)
3676 - /* Note: The VBE DDC spec is different from the main VESA spec;
3677 - we genuinely have to assume all registers are destroyed here. */
3678 -
3679 -- asm("pushw %%es; movw %2,%%es; "INT10"; popw %%es"
3680 -+ asm volatile("pushw %%es; movw %2,%%es; "INT10"; popw %%es"
3681 - : "+a" (ax), "+b" (bx)
3682 - : "c" (cx), "D" (di)
3683 - : "esi");
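Review bot: unrelated to the `volatile` change but visible in this hunk: the comment two lines above says all registers must be assumed destroyed, yet `cx` and `di` are passed as input-only operands and `%edx` is neither an output nor a clobber, so the compiler is told they survive the INT10 call. This is inherited from upstream, but since the patch already touches the statement it would be the place to make them `"+c"`/`"+D"` operands and add `"edx"` to the clobber list, or to correct the comment.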
3684 -@@ -275,7 +276,7 @@ void vesa_store_edid(void)
3685 - cx = 0; /* Controller 0 */
3686 - dx = 0; /* EDID block number */
3687 - di =(size_t) &boot_params.edid_info; /* (ES:)Pointer to block */
3688 -- asm(INT10
3689 -+ asm volatile(INT10
3690 - : "+a" (ax), "+b" (bx), "+d" (dx), "=m" (boot_params.edid_info)
3691 - : "c" (cx), "D" (di)
3692 - : "esi");
3693 -diff -urNp linux-2.6.24.4/arch/x86/boot/video-vga.c linux-2.6.24.4/arch/x86/boot/video-vga.c
3694 ---- linux-2.6.24.4/arch/x86/boot/video-vga.c 2008-03-24 14:49:18.000000000 -0400
3695 -+++ linux-2.6.24.4/arch/x86/boot/video-vga.c 2008-03-26 17:56:55.000000000 -0400
3696 -@@ -225,7 +225,7 @@ static int vga_probe(void)
3697 - };
3698 - u8 vga_flag;
3699 -
3700 -- asm(INT10
3701 -+ asm volatile(INT10
3702 - : "=b" (boot_params.screen_info.orig_video_ega_bx)
3703 - : "a" (0x1200), "b" (0x10) /* Check EGA/VGA */
3704 - : "ecx", "edx", "esi", "edi");
3705 -@@ -233,7 +233,7 @@ static int vga_probe(void)
3706 - /* If we have MDA/CGA/HGC then BL will be unchanged at 0x10 */
3707 - if ((u8)boot_params.screen_info.orig_video_ega_bx != 0x10) {
3708 - /* EGA/VGA */
3709 -- asm(INT10
3710 -+ asm volatile(INT10
3711 - : "=a" (vga_flag)
3712 - : "a" (0x1a00)
3713 - : "ebx", "ecx", "edx", "esi", "edi");
3714 -diff -urNp linux-2.6.24.4/arch/x86/boot/voyager.c linux-2.6.24.4/arch/x86/boot/voyager.c
3715 ---- linux-2.6.24.4/arch/x86/boot/voyager.c 2008-03-24 14:49:18.000000000 -0400
3716 -+++ linux-2.6.24.4/arch/x86/boot/voyager.c 2008-03-26 17:56:55.000000000 -0400
3717 -@@ -27,7 +27,7 @@ int query_voyager(void)
3718 -
3719 - data_ptr[0] = 0xff; /* Flag on config not found(?) */
3720 -
3721 -- asm("pushw %%es ; "
3722 -+ asm volatile("pushw %%es ; "
3723 - "int $0x15 ; "
3724 - "setc %0 ; "
3725 - "movw %%es, %1 ; "
3726 -diff -urNp linux-2.6.24.4/arch/x86/ia32/ia32_binfmt.c linux-2.6.24.4/arch/x86/ia32/ia32_binfmt.c
3727 ---- linux-2.6.24.4/arch/x86/ia32/ia32_binfmt.c 2008-03-24 14:49:18.000000000 -0400
3728 -+++ linux-2.6.24.4/arch/x86/ia32/ia32_binfmt.c 2008-03-26 17:56:55.000000000 -0400
3729 -@@ -47,12 +47,12 @@
3730 - #define AT_SYSINFO 32
3731 - #define AT_SYSINFO_EHDR 33
3732 -
3733 --int sysctl_vsyscall32 = 1;
3734 -+int sysctl_vsyscall32;
3735 -
3736 - #undef ARCH_DLINFO
3737 - #define ARCH_DLINFO do { \
3738 - if (sysctl_vsyscall32) { \
3739 -- current->mm->context.vdso = (void *)VSYSCALL32_BASE; \
3740 -+ current->mm->context.vdso = VSYSCALL32_BASE; \
3741 - NEW_AUX_ENT(AT_SYSINFO, (u32)(u64)VSYSCALL32_VSYSCALL); \
3742 - NEW_AUX_ENT(AT_SYSINFO_EHDR, VSYSCALL32_BASE); \
3743 - } \
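Review bot: two independent changes are mixed in this hunk. `sysctl_vsyscall32` flipping from 1 to 0 disables the 32-bit vsyscall page, and its `AT_SYSINFO`/`AT_SYSINFO_EHDR` auxv entries, by default for every compat process; that is a user-visible behaviour change that should be called out in the patch description and the sysctl documentation, even though removing a well-known fixed executable address from the compat address space is the right hardening default. The cast removal on `current->mm->context.vdso = VSYSCALL32_BASE` implies the type of `context.vdso` changed elsewhere; fine as long as the header change ships in the same patch.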
3744 -@@ -66,6 +66,17 @@ struct file;
3745 -
3746 - #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE + 0x1000000)
3747 -
3748 -+#ifdef CONFIG_PAX_ASLR
3749 -+#undef PAX_ELF_ET_DYN_BASE
3750 -+#undef PAX_DELTA_MMAP_LEN
3751 -+#undef PAX_DELTA_STACK_LEN
3752 -+
3753 -+#define PAX_ELF_ET_DYN_BASE 0x08048000UL
3754 -+
3755 -+#define PAX_DELTA_MMAP_LEN 16
3756 -+#define PAX_DELTA_STACK_LEN 16
3757 -+#endif
3758 -+
3759 - #define jiffies_to_timeval(a,b) do { (b)->tv_usec = 0; (b)->tv_sec = (a)/HZ; }while(0)
3760 -
3761 - #define _GET_SEG(x) \
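Review bot: the `#undef`s immediately before the `#define`s indicate these override generic definitions from an included header; a one-line comment naming that header and saying why the compat values differ would save the next reader a grep. 16 bits for both `PAX_DELTA_MMAP_LEN` and `PAX_DELTA_STACK_LEN` is the sensible ceiling for a 32-bit address space, and `PAX_ELF_ET_DYN_BASE` at `0x08048000UL` is the classic i386 ET_EXEC load address, so PIE compat binaries get the same nominal base a non-PIE binary would.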
3762 -@@ -263,7 +274,7 @@ static ctl_table abi_table2[] = {
3763 - .mode = 0644,
3764 - .proc_handler = proc_dointvec
3765 - },
3766 -- {}
3767 -+ { 0, NULL, NULL, 0, 0, NULL, NULL, NULL, NULL, NULL, NULL }
3768 - };
3769 -
3770 - static ctl_table abi_root_table2[] = {
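Review bot: replacing the `{}` terminator with a positional `{ 0, NULL, NULL, 0, 0, NULL, NULL, NULL, NULL, NULL, NULL }` (here and in `abi_root_table2` below) ties the sentinel to `ctl_table` having exactly eleven members in this order; the next upstream change to the struct silently breaks it. If the goal is to silence a missing-field-initializer warning, a designated `{ .ctl_name = 0 }` does that and survives struct changes.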
3771 -@@ -273,7 +284,7 @@ static ctl_table abi_root_table2[] = {
3772 - .mode = 0555,
3773 - .child = abi_table2
3774 - },
3775 -- {}
3776 -+ { 0, NULL, NULL, 0, 0, NULL, NULL, NULL, NULL, NULL, NULL }
3777 - };
3778 -
3779 - static __init int ia32_binfmt_init(void)
3780 -diff -urNp linux-2.6.24.4/arch/x86/ia32/ia32_signal.c linux-2.6.24.4/arch/x86/ia32/ia32_signal.c
3781 ---- linux-2.6.24.4/arch/x86/ia32/ia32_signal.c 2008-03-24 14:49:18.000000000 -0400
3782 -+++ linux-2.6.24.4/arch/x86/ia32/ia32_signal.c 2008-03-26 17:56:55.000000000 -0400
3783 -@@ -573,6 +573,7 @@ int ia32_setup_rt_frame(int sig, struct
3784 - __NR_ia32_rt_sigreturn,
3785 - 0x80cd,
3786 - 0,
3787 -+ 0
3788 - };
3789 - err |= __copy_to_user(frame->retcode, &code, 8);
3790 - }
3791 -diff -urNp linux-2.6.24.4/arch/x86/ia32/mmap32.c linux-2.6.24.4/arch/x86/ia32/mmap32.c
3792 ---- linux-2.6.24.4/arch/x86/ia32/mmap32.c 2008-03-24 14:49:18.000000000 -0400
3793 -+++ linux-2.6.24.4/arch/x86/ia32/mmap32.c 2008-03-26 17:56:55.000000000 -0400
3794 -@@ -69,10 +69,22 @@ void ia32_pick_mmap_layout(struct mm_str
3795 - (current->personality & ADDR_COMPAT_LAYOUT) ||
3796 - current->signal->rlim[RLIMIT_STACK].rlim_cur == RLIM_INFINITY) {
3797 - mm->mmap_base = TASK_UNMAPPED_BASE;
3798 -+
3799 -+#ifdef CONFIG_PAX_RANDMMAP
3800 -+ if (mm->pax_flags & MF_PAX_RANDMMAP)
3801 -+ mm->mmap_base += mm->delta_mmap;
3802 -+#endif
3803 -+
3804 - mm->get_unmapped_area = arch_get_unmapped_area;
3805 - mm->unmap_area = arch_unmap_area;
3806 - } else {
3807 - mm->mmap_base = mmap_base(mm);
3808 -+
3809 -+#ifdef CONFIG_PAX_RANDMMAP
3810 -+ if (mm->pax_flags & MF_PAX_RANDMMAP)
3811 -+ mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
3812 -+#endif
3813 -+
3814 - mm->get_unmapped_area = arch_get_unmapped_area_topdown;
3815 - mm->unmap_area = arch_unmap_area_topdown;
3816 - }
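Review bot: the two branches apply the random delta differently: bottom-up adds `delta_mmap` to `TASK_UNMAPPED_BASE`, top-down subtracts `delta_mmap + delta_stack` from `mmap_base(mm)`. Subtracting the stack delta as well in the top-down case keeps the gap below the randomised stack, but please confirm that `mmap_base()` no longer applies its own `mmap_rnd()` under `PAX_RANDMMAP`, otherwise the base is randomised twice and the effective entropy and worst-case address-space loss become hard to reason about. The units of `delta_mmap`/`delta_stack` (bytes or pages) also deserve a comment at this site.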
3817 -diff -urNp linux-2.6.24.4/arch/x86/ia32/ptrace32.c linux-2.6.24.4/arch/x86/ia32/ptrace32.c
3818 ---- linux-2.6.24.4/arch/x86/ia32/ptrace32.c 2008-03-24 14:49:18.000000000 -0400
3819 -+++ linux-2.6.24.4/arch/x86/ia32/ptrace32.c 2008-03-26 17:56:55.000000000 -0400
3820 -@@ -382,7 +382,7 @@ asmlinkage long sys32_ptrace(long reques
3821 - /* no checking to be bug-to-bug compatible with i386. */
3822 - /* but silence warning */
3823 - if (__copy_from_user(&child->thread.i387.fxsave, u, sizeof(*u)))
3824 -- ;
3825 -+ {}
3826 - set_stopped_child_used_math(child);
3827 - child->thread.i387.fxsave.mxcsr &= mxcsr_feature_mask;
3828 - ret = 0;
3829 -diff -urNp linux-2.6.24.4/arch/x86/ia32/syscall32.c linux-2.6.24.4/arch/x86/ia32/syscall32.c
3830 ---- linux-2.6.24.4/arch/x86/ia32/syscall32.c 2008-03-24 14:49:18.000000000 -0400
3831 -+++ linux-2.6.24.4/arch/x86/ia32/syscall32.c 2008-03-26 17:56:55.000000000 -0400
3832 -@@ -30,6 +30,9 @@ int syscall32_setup_pages(struct linux_b
3833 - struct mm_struct *mm = current->mm;
3834 - int ret;
3835 -
3836 -+ if (!sysctl_vsyscall32)
3837 -+ return 0;
3838 -+
3839 - down_write(&mm->mmap_sem);
3840 - /*
3841 - * MAYWRITE to allow gdb to COW and set breakpoints
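Review bot: the early return is the right place to skip the mapping, but `sysctl_vsyscall32` is now read twice per exec: once here when the pages are (not) set up and again in `ARCH_DLINFO` in ia32_binfmt.c when `AT_SYSINFO`/`AT_SYSINFO_EHDR` are emitted. If the sysctl is flipped from 0 to 1 between the two reads, the auxv advertises a vsyscall page that was never mapped and the first libc syscall through it faults. Sample the sysctl once per exec and use that value in both places.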
3842 -diff -urNp linux-2.6.24.4/arch/x86/Kconfig linux-2.6.24.4/arch/x86/Kconfig
3843 ---- linux-2.6.24.4/arch/x86/Kconfig 2008-03-24 14:49:18.000000000 -0400
3844 -+++ linux-2.6.24.4/arch/x86/Kconfig 2008-03-26 17:56:55.000000000 -0400
3845 -@@ -792,7 +792,7 @@ config PAGE_OFFSET
3846 - hex
3847 - default 0xB0000000 if VMSPLIT_3G_OPT
3848 - default 0x80000000 if VMSPLIT_2G
3849 -- default 0x78000000 if VMSPLIT_2G_OPT
3850 -+ default 0x70000000 if VMSPLIT_2G_OPT
3851 - default 0x40000000 if VMSPLIT_1G
3852 - default 0xC0000000
3853 - depends on X86_32
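Review bot: the hunk lowers `PAGE_OFFSET` for `VMSPLIT_2G_OPT` from 0x78000000 to 0x70000000 without saying why; that costs user space 128 MiB. If the reason is an alignment requirement of SEGMEXEC or KERNEXEC, add a comment (and ideally make the value conditional on those options) so the change is not reverted the next time the Kconfig is reconciled with upstream.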
3854 -@@ -1096,8 +1096,7 @@ config CRASH_DUMP
3855 - config PHYSICAL_START
3856 - hex "Physical address where the kernel is loaded" if (EMBEDDED || CRASH_DUMP)
3857 - default "0x1000000" if X86_NUMAQ
3858 -- default "0x200000" if X86_64
3859 -- default "0x100000"
3860 -+ default "0x200000"
3861 - help
3862 - This gives the physical address where the kernel is loaded.
3863 -
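Review bot: collapsing the `PHYSICAL_START` defaults moves 32-bit kernels from 1 MiB to 2 MiB; the X86_64 line was already at 0x200000, so the change only affects X86_32. State the reason in the patch description (2 MiB alignment for large-page mappings of the kernel text is the usual one) and check that downstream configs and anything that hardcodes 0x100000 for i386 (kexec/kdump setups) are updated accordingly.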
3864 -@@ -1190,8 +1189,8 @@ config HOTPLUG_CPU
3865 -
3866 - config COMPAT_VDSO
3867 - bool "Compat VDSO support"
3868 -- default y
3869 -- depends on X86_32
3870 -+ default n
3871 -+ depends on X86_32 && !PAX_NOEXEC
3872 - help
3873 - Map the VDSO to the predictable old-style address too.
3874 - ---help---
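Review bot: `default n` plus `depends on X86_32 && !PAX_NOEXEC` is the right call: `COMPAT_VDSO` maps the vDSO at the fixed old-style address, which hands an attacker a known executable page and defeats vDSO randomisation. Two nits: the help text still reads as if the option were desirable, so add a sentence about the ASLR cost, and consider whether the dependency should also cover `PAX_ASLR`, since the fixed address hurts even on configurations that do not use the page for NX emulation.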
3875 -@@ -1387,7 +1386,7 @@ config PCI
3876 - choice
3877 - prompt "PCI access mode"
3878 - depends on X86_32 && PCI && !X86_VISWS
3879 -- default PCI_GOANY
3880 -+ default PCI_GODIRECT
3881 - ---help---
3882 - On PCI systems, the BIOS can be used to detect the PCI devices and
3883 - determine their configuration. However, some old PCI motherboards
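Review bot: switching the default to `PCI_GODIRECT` avoids calling into the PCI BIOS from the kernel, which fits the hardening goal, but it is a behaviour change for the old boards that only work through the BIOS interface; the help text below still describes the BIOS path as the fallback, so either adjust the text or leave `PCI_GOANY` as the default and let the hardened profile's config override it.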
3884 -diff -urNp linux-2.6.24.4/arch/x86/Kconfig.cpu linux-2.6.24.4/arch/x86/Kconfig.cpu
3885 ---- linux-2.6.24.4/arch/x86/Kconfig.cpu 2008-03-24 14:49:18.000000000 -0400
3886 -+++ linux-2.6.24.4/arch/x86/Kconfig.cpu 2008-03-26 17:56:55.000000000 -0400
3887 -@@ -328,7 +328,7 @@ config X86_PPRO_FENCE
3888 -
3889 - config X86_F00F_BUG
3890 - bool
3891 -- depends on M586MMX || M586TSC || M586 || M486 || M386
3892 -+ depends on (M586MMX || M586TSC || M586 || M486 || M386) && !PAX_KERNEXEC
3893 - default y
3894 -
3895 - config X86_WP_WORKS_OK
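Review bot: making `X86_F00F_BUG` depend on `!PAX_KERNEXEC` silently removes the F00F workaround on KERNEXEC builds for the 586-class CPUs that need it. If KERNEXEC already keeps the IDT in a read-only mapping so the workaround is redundant, say so in the Kconfig help; if not, the dependency hides a regression rather than resolving a conflict.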
3896 -@@ -353,7 +353,7 @@ config X86_POPAD_OK
3897 -
3898 - config X86_ALIGNMENT_16
3899 - bool
3900 -- depends on MWINCHIP3D || MWINCHIP2 || MWINCHIPC6 || MCYRIXIII || X86_ELAN || MK6 || M586MMX || M586TSC || M586 || M486 || MVIAC3_2 || MGEODEGX1
3901 -+ depends on MWINCHIP3D || MWINCHIP2 || MWINCHIPC6 || MCYRIXIII || X86_ELAN || MK8 || MK7 || MK6 || MPENTIUM4 || MPENTIUMIII || MPENTIUMII || M686 || M586MMX || M586TSC || M586 || M486 || MVIAC3_2 || MGEODEGX1
3902 - default y
3903 -
3904 - config X86_GOOD_APIC
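Review bot: extending `X86_ALIGNMENT_16` to K7/K8, Pentium II/III/4 and M686 is unrelated to the security changes and is not explained anywhere in the hunk; give the reason in the changelog (code size or KERNEXEC section alignment, whichever it is), otherwise it reads as an accidental leftover.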
3905 -diff -urNp linux-2.6.24.4/arch/x86/Kconfig.debug linux-2.6.24.4/arch/x86/Kconfig.debug
3906 ---- linux-2.6.24.4/arch/x86/Kconfig.debug 2008-03-24 14:49:18.000000000 -0400
3907 -+++ linux-2.6.24.4/arch/x86/Kconfig.debug 2008-03-26 17:56:55.000000000 -0400
3908 -@@ -49,7 +49,7 @@ config DEBUG_PAGEALLOC
3909 -
3910 - config DEBUG_RODATA
3911 - bool "Write protect kernel read-only data structures"
3912 -- depends on DEBUG_KERNEL
3913 -+ depends on DEBUG_KERNEL && BROKEN
3914 - help
3915 - Mark the kernel read-only data as write-protected in the pagetables,
3916 - in order to catch accidental (and incorrect) writes to such const
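Review bot: `depends on DEBUG_KERNEL && BROKEN` effectively deletes `DEBUG_RODATA` from the menu for everyone. If the intent is that KERNEXEC supersedes it, the dependency should be `!PAX_KERNEXEC` so non-PaX configurations keep rodata write-protection; `BROKEN` is for options that do not work, and nothing in the hunk says this one is broken.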
3917 -diff -urNp linux-2.6.24.4/arch/x86/kernel/acpi/boot.c linux-2.6.24.4/arch/x86/kernel/acpi/boot.c
3918 ---- linux-2.6.24.4/arch/x86/kernel/acpi/boot.c 2008-03-24 14:49:18.000000000 -0400
3919 -+++ linux-2.6.24.4/arch/x86/kernel/acpi/boot.c 2008-03-26 17:56:55.000000000 -0400
3920 -@@ -1155,7 +1155,7 @@ static struct dmi_system_id __initdata a
3921 - DMI_MATCH(DMI_PRODUCT_NAME, "TravelMate 360"),
3922 - },
3923 - },
3924 -- {}
3925 -+ { NULL, NULL, {{0, NULL}}, NULL}
3926 - };
3927 -
3928 - #endif /* __i386__ */
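Review bot: the DMI sentinel rewrite uses `{ NULL, NULL, {{0, NULL}}, NULL}` here and in acpi/sleep_32.c, but `{ NULL, NULL, {DMI_MATCH(DMI_NONE, NULL)}, NULL}` in apm_32.c and acpi-cpufreq.c later in the patch; pick one spelling. As with the `ctl_table` terminators, a positional initializer is brittle against `struct dmi_system_id` changes, and `{ .ident = NULL }` silences the same warning without that cost.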
3929 -diff -urNp linux-2.6.24.4/arch/x86/kernel/acpi/sleep_32.c linux-2.6.24.4/arch/x86/kernel/acpi/sleep_32.c
3930 ---- linux-2.6.24.4/arch/x86/kernel/acpi/sleep_32.c 2008-03-24 14:49:18.000000000 -0400
3931 -+++ linux-2.6.24.4/arch/x86/kernel/acpi/sleep_32.c 2008-03-26 17:56:55.000000000 -0400
3932 -@@ -98,7 +98,7 @@ static __initdata struct dmi_system_id a
3933 - DMI_MATCH(DMI_PRODUCT_NAME, "S4030CDT/4.3"),
3934 - },
3935 - },
3936 -- {}
3937 -+ { NULL, NULL, {{0, NULL}}, NULL}
3938 - };
3939 -
3940 - static int __init acpisleep_dmi_init(void)
3941 -diff -urNp linux-2.6.24.4/arch/x86/kernel/acpi/wakeup_32.S linux-2.6.24.4/arch/x86/kernel/acpi/wakeup_32.S
3942 ---- linux-2.6.24.4/arch/x86/kernel/acpi/wakeup_32.S 2008-03-24 14:49:18.000000000 -0400
3943 -+++ linux-2.6.24.4/arch/x86/kernel/acpi/wakeup_32.S 2008-03-26 17:56:55.000000000 -0400
3944 -@@ -2,6 +2,7 @@
3945 - #include <linux/linkage.h>
3946 - #include <asm/segment.h>
3947 - #include <asm/page.h>
3948 -+#include <asm/msr-index.h>
3949 -
3950 - #
3951 - # wakeup_code runs in real mode, and at unknown address (determined at run-time).
3952 -@@ -79,7 +80,7 @@ wakeup_code:
3953 - # restore efer setting
3954 - movl real_save_efer_edx - wakeup_code, %edx
3955 - movl real_save_efer_eax - wakeup_code, %eax
3956 -- mov $0xc0000080, %ecx
3957 -+ mov $MSR_EFER, %ecx
3958 - wrmsr
3959 - 4:
3960 - # make sure %cr4 is set correctly (features, etc)
3961 -@@ -196,13 +197,11 @@ wakeup_pmode_return:
3962 - # and restore the stack ... but you need gdt for this to work
3963 - movl saved_context_esp, %esp
3964 -
3965 -- movl %cs:saved_magic, %eax
3966 -- cmpl $0x12345678, %eax
3967 -+ cmpl $0x12345678, saved_magic
3968 - jne bogus_magic
3969 -
3970 - # jump to place where we left off
3971 -- movl saved_eip,%eax
3972 -- jmp *%eax
3973 -+ jmp *(saved_eip)
3974 -
3975 - bogus_magic:
3976 - jmp bogus_magic
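Review bot: folding the loads into `cmpl $0x12345678, saved_magic` and `jmp *(saved_eip)` is fine and leaves `%eax` untouched, but it also drops the `%cs:` override from the `saved_magic` read. That is only safe if `%ds` has been reloaded with a flat data segment by this point (the comment above already says the gdt must be in place), so a short comment stating that assumption would help whoever next touches the wakeup path.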
3977 -@@ -233,7 +232,7 @@ ENTRY(acpi_copy_wakeup_routine)
3978 - # save efer setting
3979 - pushl %eax
3980 - movl %eax, %ebx
3981 -- mov $0xc0000080, %ecx
3982 -+ mov $MSR_EFER, %ecx
3983 - rdmsr
3984 - movl %edx, real_save_efer_edx - wakeup_start (%ebx)
3985 - movl %eax, real_save_efer_eax - wakeup_start (%ebx)
3986 -diff -urNp linux-2.6.24.4/arch/x86/kernel/alternative.c linux-2.6.24.4/arch/x86/kernel/alternative.c
3987 ---- linux-2.6.24.4/arch/x86/kernel/alternative.c 2008-03-24 14:49:18.000000000 -0400
3988 -+++ linux-2.6.24.4/arch/x86/kernel/alternative.c 2008-03-26 17:56:55.000000000 -0400
3989 -@@ -389,7 +389,7 @@ void apply_paravirt(struct paravirt_patc
3990 -
3991 - BUG_ON(p->len > MAX_PATCH_LEN);
3992 - /* prep the buffer with the original instructions */
3993 -- memcpy(insnbuf, p->instr, p->len);
3994 -+ memcpy(insnbuf, ktla_ktva(p->instr), p->len);
3995 - used = pv_init_ops.patch(p->instrtype, p->clobbers, insnbuf,
3996 - (unsigned long)p->instr, p->len);
3997 -
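Review bot: only the `memcpy` source is translated with `ktla_ktva()`, while `pv_init_ops.patch()` is still given `(unsigned long)p->instr` as the address. That is correct if the patcher uses the address only to compute relative displacements for the location where the code will execute, but it is exactly the kind of asymmetry that gets "fixed" later; a comment explaining why the untranslated address is passed would prevent that.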
3998 -@@ -467,7 +467,19 @@ void __init alternative_instructions(voi
3999 - */
4000 - void __kprobes text_poke(void *addr, unsigned char *opcode, int len)
4001 - {
4002 -- memcpy(addr, opcode, len);
4003 -+
4004 -+#ifdef CONFIG_PAX_KERNEXEC
4005 -+ unsigned long cr0;
4006 -+
4007 -+ pax_open_kernel(cr0);
4008 -+#endif
4009 -+
4010 -+ memcpy(ktla_ktva(addr), opcode, len);
4011 -+
4012 -+#ifdef CONFIG_PAX_KERNEXEC
4013 -+ pax_close_kernel(cr0);
4014 -+#endif
4015 -+
4016 - sync_core();
4017 - /* Could also do a CLFLUSH here to speed up CPU recovery; but
4018 - that causes hangs on some VIA CPUs. */
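Review bot: `pax_open_kernel(cr0)`/`pax_close_kernel(cr0)` take the variable by name and fill it in, so they must be macros, which is not obvious from the call site. More importantly, the window between open and close has kernel text writable: please confirm the macros disable preemption and interrupts, or that every caller of `text_poke()` already does, otherwise an interrupt handler or another task on this CPU runs with the protection lifted.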
4019 -diff -urNp linux-2.6.24.4/arch/x86/kernel/apm_32.c linux-2.6.24.4/arch/x86/kernel/apm_32.c
4020 ---- linux-2.6.24.4/arch/x86/kernel/apm_32.c 2008-03-24 14:49:18.000000000 -0400
4021 -+++ linux-2.6.24.4/arch/x86/kernel/apm_32.c 2008-03-26 17:56:55.000000000 -0400
4022 -@@ -407,7 +407,7 @@ static DECLARE_WAIT_QUEUE_HEAD(apm_waitq
4023 - static DECLARE_WAIT_QUEUE_HEAD(apm_suspend_waitqueue);
4024 - static struct apm_user * user_list;
4025 - static DEFINE_SPINLOCK(user_list_lock);
4026 --static const struct desc_struct bad_bios_desc = { 0, 0x00409200 };
4027 -+static const struct desc_struct bad_bios_desc = { 0, 0x00409300 };
4028 -
4029 - static const char driver_version[] = "1.16ac"; /* no spaces */
4030 -
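Review bot: the change from `0x00409200` to `0x00409300` sets the Accessed bit in the descriptor type field. That is needed if the GDT lives in a read-only mapping, because the CPU otherwise writes the bit itself on the first load of the selector; this deserves a comment on the line, since to the next reader it looks like a typo in a magic number.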
4031 -@@ -601,19 +601,42 @@ static u8 apm_bios_call(u32 func, u32 eb
4032 - struct desc_struct save_desc_40;
4033 - struct desc_struct *gdt;
4034 -
4035 -+#ifdef CONFIG_PAX_KERNEXEC
4036 -+ unsigned long cr0;
4037 -+#endif
4038 -+
4039 - cpus = apm_save_cpus();
4040 -
4041 - cpu = get_cpu();
4042 - gdt = get_cpu_gdt_table(cpu);
4043 - save_desc_40 = gdt[0x40 / 8];
4044 -+
4045 -+#ifdef CONFIG_PAX_KERNEXEC
4046 -+ pax_open_kernel(cr0);
4047 -+#endif
4048 -+
4049 - gdt[0x40 / 8] = bad_bios_desc;
4050 -
4051 -+#ifdef CONFIG_PAX_KERNEXEC
4052 -+ pax_close_kernel(cr0);
4053 -+#endif
4054 -+
4055 - apm_irq_save(flags);
4056 - APM_DO_SAVE_SEGS;
4057 - apm_bios_call_asm(func, ebx_in, ecx_in, eax, ebx, ecx, edx, esi);
4058 - APM_DO_RESTORE_SEGS;
4059 - apm_irq_restore(flags);
4060 -+
4061 -+#ifdef CONFIG_PAX_KERNEXEC
4062 -+ pax_open_kernel(cr0);
4063 -+#endif
4064 -+
4065 - gdt[0x40 / 8] = save_desc_40;
4066 -+
4067 -+#ifdef CONFIG_PAX_KERNEXEC
4068 -+ pax_close_kernel(cr0);
4069 -+#endif
4070 -+
4071 - put_cpu();
4072 - apm_restore_cpus(cpus);
4073 -
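Review bot: the open/close dance around the two `gdt[0x40 / 8]` writes is repeated verbatim in `apm_bios_call_simple()` below and again in `apm_init()`, each time with its own `#ifdef CONFIG_PAX_KERNEXEC` blocks. A small helper that writes one GDT entry under `pax_open_kernel()`/`pax_close_kernel()` would reduce this to one line per site and keep the ifdefs in one place. Note also that the WP toggle here happens while interrupts are still enabled (`apm_irq_save()` comes after it), so it needs the same preemption check as `text_poke()`.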
4074 -@@ -644,19 +667,42 @@ static u8 apm_bios_call_simple(u32 func,
4075 - struct desc_struct save_desc_40;
4076 - struct desc_struct *gdt;
4077 -
4078 -+#ifdef CONFIG_PAX_KERNEXEC
4079 -+ unsigned long cr0;
4080 -+#endif
4081 -+
4082 - cpus = apm_save_cpus();
4083 -
4084 - cpu = get_cpu();
4085 - gdt = get_cpu_gdt_table(cpu);
4086 - save_desc_40 = gdt[0x40 / 8];
4087 -+
4088 -+#ifdef CONFIG_PAX_KERNEXEC
4089 -+ pax_open_kernel(cr0);
4090 -+#endif
4091 -+
4092 - gdt[0x40 / 8] = bad_bios_desc;
4093 -
4094 -+#ifdef CONFIG_PAX_KERNEXEC
4095 -+ pax_close_kernel(cr0);
4096 -+#endif
4097 -+
4098 - apm_irq_save(flags);
4099 - APM_DO_SAVE_SEGS;
4100 - error = apm_bios_call_simple_asm(func, ebx_in, ecx_in, eax);
4101 - APM_DO_RESTORE_SEGS;
4102 - apm_irq_restore(flags);
4103 -+
4104 -+#ifdef CONFIG_PAX_KERNEXEC
4105 -+ pax_open_kernel(cr0);
4106 -+#endif
4107 -+
4108 - gdt[0x40 / 8] = save_desc_40;
4109 -+
4110 -+#ifdef CONFIG_PAX_KERNEXEC
4111 -+ pax_close_kernel(cr0);
4112 -+#endif
4113 -+
4114 - put_cpu();
4115 - apm_restore_cpus(cpus);
4116 - return error;
4117 -@@ -924,7 +970,7 @@ recalc:
4118 -
4119 - static void apm_power_off(void)
4120 - {
4121 -- unsigned char po_bios_call[] = {
4122 -+ const unsigned char po_bios_call[] = {
4123 - 0xb8, 0x00, 0x10, /* movw $0x1000,ax */
4124 - 0x8e, 0xd0, /* movw ax,ss */
4125 - 0xbc, 0x00, 0xf0, /* movw $0xf000,sp */
4126 -@@ -1864,7 +1910,10 @@ static const struct file_operations apm_
4127 - static struct miscdevice apm_device = {
4128 - APM_MINOR_DEV,
4129 - "apm_bios",
4130 -- &apm_bios_fops
4131 -+ &apm_bios_fops,
4132 -+ {NULL, NULL},
4133 -+ NULL,
4134 -+ NULL
4135 - };
4136 -
4137 -
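Review bot: `&apm_bios_fops, {NULL, NULL}, NULL, NULL` completes a positional initializer for `struct miscdevice`; designated initializers (`.minor = APM_MINOR_DEV, .name = "apm_bios", .fops = &apm_bios_fops`) silence the same warning and do not break when a field is added to the struct.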
4138 -@@ -2177,7 +2226,7 @@ static struct dmi_system_id __initdata a
4139 - { DMI_MATCH(DMI_SYS_VENDOR, "IBM"), },
4140 - },
4141 -
4142 -- { }
4143 -+ { NULL, NULL, {DMI_MATCH(DMI_NONE, NULL)}, NULL}
4144 - };
4145 -
4146 - /*
4147 -@@ -2196,6 +2245,10 @@ static int __init apm_init(void)
4148 - struct desc_struct *gdt;
4149 - int err;
4150 -
4151 -+#ifdef CONFIG_PAX_KERNEXEC
4152 -+ unsigned long cr0;
4153 -+#endif
4154 -+
4155 - dmi_check_system(apm_dmi_table);
4156 -
4157 - if (apm_info.bios.version == 0 || paravirt_enabled()) {
4158 -@@ -2269,9 +2322,18 @@ static int __init apm_init(void)
4159 - * This is for buggy BIOS's that refer to (real mode) segment 0x40
4160 - * even though they are called in protected mode.
4161 - */
4162 -+
4163 -+#ifdef CONFIG_PAX_KERNEXEC
4164 -+ pax_open_kernel(cr0);
4165 -+#endif
4166 -+
4167 - set_base(bad_bios_desc, __va((unsigned long)0x40 << 4));
4168 - _set_limit((char *)&bad_bios_desc, 4095 - (0x40 << 4));
4169 -
4170 -+#ifdef CONFIG_PAX_KERNEXEC
4171 -+ pax_close_kernel(cr0);
4172 -+#endif
4173 -+
4174 - /*
4175 - * Set up the long jump entry point to the APM BIOS, which is called
4176 - * from inline assembly.
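Review bot: `bad_bios_desc` is declared `static const` in the first hunk of this file, yet `set_base()`/`_set_limit()` modify it here; `pax_open_kernel()` makes the store succeed once the object sits in read-only memory, but writing a `const` object is undefined behaviour and the compiler may legitimately fold the initializer value into `gdt[0x40 / 8] = bad_bios_desc` in `apm_bios_call()`. This is inherited from upstream, but since KERNEXEC makes the rodata placement real, dropping the `const` or building the descriptor into a non-const copy in `apm_init()` is the safer fix.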
4177 -@@ -2290,6 +2352,11 @@ static int __init apm_init(void)
4178 - * code to that CPU.
4179 - */
4180 - gdt = get_cpu_gdt_table(0);
4181 -+
4182 -+#ifdef CONFIG_PAX_KERNEXEC
4183 -+ pax_open_kernel(cr0);
4184 -+#endif
4185 -+
4186 - set_base(gdt[APM_CS >> 3],
4187 - __va((unsigned long)apm_info.bios.cseg << 4));
4188 - set_base(gdt[APM_CS_16 >> 3],
4189 -@@ -2297,6 +2364,10 @@ static int __init apm_init(void)
4190 - set_base(gdt[APM_DS >> 3],
4191 - __va((unsigned long)apm_info.bios.dseg << 4));
4192 -
4193 -+#ifdef CONFIG_PAX_KERNEXEC
4194 -+ pax_close_kernel(cr0);
4195 -+#endif
4196 -+
4197 - apm_proc = create_proc_entry("apm", 0, NULL);
4198 - if (apm_proc)
4199 - apm_proc->proc_fops = &apm_file_ops;
4200 -diff -urNp linux-2.6.24.4/arch/x86/kernel/asm-offsets_32.c linux-2.6.24.4/arch/x86/kernel/asm-offsets_32.c
4201 ---- linux-2.6.24.4/arch/x86/kernel/asm-offsets_32.c 2008-03-24 14:49:18.000000000 -0400
4202 -+++ linux-2.6.24.4/arch/x86/kernel/asm-offsets_32.c 2008-03-26 17:56:55.000000000 -0400
4203 -@@ -110,6 +110,7 @@ void foo(void)
4204 - DEFINE(PTRS_PER_PTE, PTRS_PER_PTE);
4205 - DEFINE(PTRS_PER_PMD, PTRS_PER_PMD);
4206 - DEFINE(PTRS_PER_PGD, PTRS_PER_PGD);
4207 -+ DEFINE(PERCPU_MODULE_RESERVE, PERCPU_MODULE_RESERVE);
4208 -
4209 - DEFINE(VDSO_PRELINK_asm, VDSO_PRELINK);
4210 -
4211 -@@ -125,6 +126,7 @@ void foo(void)
4212 - OFFSET(PV_CPU_iret, pv_cpu_ops, iret);
4213 - OFFSET(PV_CPU_irq_enable_sysexit, pv_cpu_ops, irq_enable_sysexit);
4214 - OFFSET(PV_CPU_read_cr0, pv_cpu_ops, read_cr0);
4215 -+ OFFSET(PV_CPU_write_cr0, pv_cpu_ops, write_cr0);
4216 - #endif
4217 -
4218 - #ifdef CONFIG_XEN
4219 -diff -urNp linux-2.6.24.4/arch/x86/kernel/asm-offsets_64.c linux-2.6.24.4/arch/x86/kernel/asm-offsets_64.c
4220 ---- linux-2.6.24.4/arch/x86/kernel/asm-offsets_64.c 2008-03-24 14:49:18.000000000 -0400
4221 -+++ linux-2.6.24.4/arch/x86/kernel/asm-offsets_64.c 2008-03-26 17:56:55.000000000 -0400
4222 -@@ -108,6 +108,7 @@ int main(void)
4223 - ENTRY(cr8);
4224 - BLANK();
4225 - #undef ENTRY
4226 -+ DEFINE(TSS_size, sizeof(struct tss_struct));
4227 - DEFINE(TSS_ist, offsetof(struct tss_struct, ist));
4228 - BLANK();
4229 - DEFINE(crypto_tfm_ctx_offset, offsetof(struct crypto_tfm, __crt_ctx));
4230 -diff -urNp linux-2.6.24.4/arch/x86/kernel/cpu/common.c linux-2.6.24.4/arch/x86/kernel/cpu/common.c
4231 ---- linux-2.6.24.4/arch/x86/kernel/cpu/common.c 2008-03-24 14:49:18.000000000 -0400
4232 -+++ linux-2.6.24.4/arch/x86/kernel/cpu/common.c 2008-03-26 17:56:55.000000000 -0400
4233 -@@ -4,7 +4,6 @@
4234 - #include <linux/smp.h>
4235 - #include <linux/module.h>
4236 - #include <linux/percpu.h>
4237 --#include <linux/bootmem.h>
4238 - #include <asm/semaphore.h>
4239 - #include <asm/processor.h>
4240 - #include <asm/i387.h>
4241 -@@ -21,39 +20,15 @@
4242 -
4243 - #include "cpu.h"
4244 -
4245 --DEFINE_PER_CPU(struct gdt_page, gdt_page) = { .gdt = {
4246 -- [GDT_ENTRY_KERNEL_CS] = { 0x0000ffff, 0x00cf9a00 },
4247 -- [GDT_ENTRY_KERNEL_DS] = { 0x0000ffff, 0x00cf9200 },
4248 -- [GDT_ENTRY_DEFAULT_USER_CS] = { 0x0000ffff, 0x00cffa00 },
4249 -- [GDT_ENTRY_DEFAULT_USER_DS] = { 0x0000ffff, 0x00cff200 },
4250 -- /*
4251 -- * Segments used for calling PnP BIOS have byte granularity.
4252 -- * They code segments and data segments have fixed 64k limits,
4253 -- * the transfer segment sizes are set at run time.
4254 -- */
4255 -- [GDT_ENTRY_PNPBIOS_CS32] = { 0x0000ffff, 0x00409a00 },/* 32-bit code */
4256 -- [GDT_ENTRY_PNPBIOS_CS16] = { 0x0000ffff, 0x00009a00 },/* 16-bit code */
4257 -- [GDT_ENTRY_PNPBIOS_DS] = { 0x0000ffff, 0x00009200 }, /* 16-bit data */
4258 -- [GDT_ENTRY_PNPBIOS_TS1] = { 0x00000000, 0x00009200 },/* 16-bit data */
4259 -- [GDT_ENTRY_PNPBIOS_TS2] = { 0x00000000, 0x00009200 },/* 16-bit data */
4260 -- /*
4261 -- * The APM segments have byte granularity and their bases
4262 -- * are set at run time. All have 64k limits.
4263 -- */
4264 -- [GDT_ENTRY_APMBIOS_BASE] = { 0x0000ffff, 0x00409a00 },/* 32-bit code */
4265 -- /* 16-bit code */
4266 -- [GDT_ENTRY_APMBIOS_BASE+1] = { 0x0000ffff, 0x00009a00 },
4267 -- [GDT_ENTRY_APMBIOS_BASE+2] = { 0x0000ffff, 0x00409200 }, /* data */
4268 --
4269 -- [GDT_ENTRY_ESPFIX_SS] = { 0x00000000, 0x00c09200 },
4270 -- [GDT_ENTRY_PERCPU] = { 0x00000000, 0x00000000 },
4271 --} };
4272 --EXPORT_PER_CPU_SYMBOL_GPL(gdt_page);
4273 --
4274 - static int cachesize_override __cpuinitdata = -1;
4275 - static int disable_x86_fxsr __cpuinitdata;
4276 - static int disable_x86_serial_nr __cpuinitdata = 1;
4277 --static int disable_x86_sep __cpuinitdata;
4278 -+
4279 -+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
4280 -+int disable_x86_sep __cpuinitdata = 1;
4281 -+#else
4282 -+int disable_x86_sep __cpuinitdata;
4283 -+#endif
4284 -
4285 - struct cpu_dev * cpu_devs[X86_VENDOR_NUM] = {};
4286 -
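Review bot: two things to spell out in the description. The per-cpu `gdt_page` initializer is removed here with no replacement in the hunk, so the GDT definition presumably moves to an arch file with a read-only section; say where, since `get_cpu_gdt_table()` callers depend on it. `disable_x86_sep` defaulting to 1 whenever any of PAGEEXEC/SEGMEXEC/KERNEXEC/UDEREF is enabled turns off SYSENTER for 32-bit syscalls (they fall back to `int $0x80`), which is a measurable performance cost users should be told about; it also loses `static`, so it needs an `extern` declaration in a header rather than being picked up implicitly by whoever references it.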
4287 -@@ -262,9 +237,9 @@ void __init cpu_detect(struct cpuinfo_x8
4288 - {
4289 - /* Get vendor name */
4290 - cpuid(0x00000000, &c->cpuid_level,
4291 -- (int *)&c->x86_vendor_id[0],
4292 -- (int *)&c->x86_vendor_id[8],
4293 -- (int *)&c->x86_vendor_id[4]);
4294 -+ (unsigned int *)&c->x86_vendor_id[0],
4295 -+ (unsigned int *)&c->x86_vendor_id[8],
4296 -+ (unsigned int *)&c->x86_vendor_id[4]);
4297 -
4298 - c->x86 = 4;
4299 - if (c->cpuid_level >= 0x00000001) {
4300 -@@ -304,15 +279,14 @@ static void __init early_cpu_detect(void
4301 -
4302 - static void __cpuinit generic_identify(struct cpuinfo_x86 * c)
4303 - {
4304 -- u32 tfms, xlvl;
4305 -- int ebx;
4306 -+ u32 tfms, xlvl, ebx;
4307 -
4308 - if (have_cpuid_p()) {
4309 - /* Get vendor name */
4310 - cpuid(0x00000000, &c->cpuid_level,
4311 -- (int *)&c->x86_vendor_id[0],
4312 -- (int *)&c->x86_vendor_id[8],
4313 -- (int *)&c->x86_vendor_id[4]);
4314 -+ (unsigned int *)&c->x86_vendor_id[0],
4315 -+ (unsigned int *)&c->x86_vendor_id[8],
4316 -+ (unsigned int *)&c->x86_vendor_id[4]);
4317 -
4318 - get_cpu_vendor(c, 0);
4319 - /* Initialize the standard set of capabilities */
4320 -@@ -644,7 +618,7 @@ void switch_to_new_gdt(void)
4321 - {
4322 - struct Xgt_desc_struct gdt_descr;
4323 -
4324 -- gdt_descr.address = (long)get_cpu_gdt_table(smp_processor_id());
4325 -+ gdt_descr.address = get_cpu_gdt_table(smp_processor_id());
4326 - gdt_descr.size = GDT_SIZE - 1;
4327 - load_gdt(&gdt_descr);
4328 - asm("mov %0, %%fs" : : "r" (__KERNEL_PERCPU) : "memory");
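Review bot: the cast removal on `gdt_descr.address = get_cpu_gdt_table(...)` means `Xgt_desc_struct.address` is now a `struct desc_struct *` rather than `unsigned long`; make sure every other assignment to `.address` is converted in the same patch, since a missed one is only a warning, not an error, and will go unnoticed until it faults (the intel.c hunk later in this patch is one such site).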
4329 -@@ -660,7 +634,7 @@ void __cpuinit cpu_init(void)
4330 - {
4331 - int cpu = smp_processor_id();
4332 - struct task_struct *curr = current;
4333 -- struct tss_struct * t = &per_cpu(init_tss, cpu);
4334 -+ struct tss_struct *t = init_tss + cpu;
4335 - struct thread_struct *thread = &curr->thread;
4336 -
4337 - if (cpu_test_and_set(cpu, cpu_initialized)) {
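Review bot: `init_tss + cpu` replaces `&per_cpu(init_tss, cpu)`, so `init_tss` becomes a plain array indexed by CPU instead of a per-cpu variable; the definition change is not in this hunk, and with `NR_CPUS` entries it costs `TSS_size * NR_CPUS` bytes of static memory. The reason (read-only GDT/TSS placement for KERNEXEC, presumably) belongs in the commit text.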
4338 -diff -urNp linux-2.6.24.4/arch/x86/kernel/cpu/cpufreq/acpi-cpufreq.c linux-2.6.24.4/arch/x86/kernel/cpu/cpufreq/acpi-cpufreq.c
4339 ---- linux-2.6.24.4/arch/x86/kernel/cpu/cpufreq/acpi-cpufreq.c 2008-03-24 14:49:18.000000000 -0400
4340 -+++ linux-2.6.24.4/arch/x86/kernel/cpu/cpufreq/acpi-cpufreq.c 2008-03-26 17:56:55.000000000 -0400
4341 -@@ -549,7 +549,7 @@ static const struct dmi_system_id sw_any
4342 - DMI_MATCH(DMI_PRODUCT_NAME, "X6DLP"),
4343 - },
4344 - },
4345 -- { }
4346 -+ { NULL, NULL, {DMI_MATCH(DMI_NONE, NULL)}, NULL }
4347 - };
4348 - #endif
4349 -
4350 -diff -urNp linux-2.6.24.4/arch/x86/kernel/cpu/cpufreq/speedstep-centrino.c linux-2.6.24.4/arch/x86/kernel/cpu/cpufreq/speedstep-centrino.c
4351 ---- linux-2.6.24.4/arch/x86/kernel/cpu/cpufreq/speedstep-centrino.c 2008-03-24 14:49:18.000000000 -0400
4352 -+++ linux-2.6.24.4/arch/x86/kernel/cpu/cpufreq/speedstep-centrino.c 2008-03-26 17:56:55.000000000 -0400
4353 -@@ -223,7 +223,7 @@ static struct cpu_model models[] =
4354 - { &cpu_ids[CPU_MP4HT_D0], NULL, 0, NULL },
4355 - { &cpu_ids[CPU_MP4HT_E0], NULL, 0, NULL },
4356 -
4357 -- { NULL, }
4358 -+ { NULL, NULL, 0, NULL}
4359 - };
4360 - #undef _BANIAS
4361 - #undef BANIAS
4362 -diff -urNp linux-2.6.24.4/arch/x86/kernel/cpu/intel.c linux-2.6.24.4/arch/x86/kernel/cpu/intel.c
4363 ---- linux-2.6.24.4/arch/x86/kernel/cpu/intel.c 2008-03-24 14:49:18.000000000 -0400
4364 -+++ linux-2.6.24.4/arch/x86/kernel/cpu/intel.c 2008-03-26 17:56:55.000000000 -0400
4365 -@@ -104,6 +104,7 @@ static void __cpuinit trap_init_f00f_bug
4366 - * it uses the read-only mapped virtual address.
4367 - */
4368 - idt_descr.address = fix_to_virt(FIX_F00F_IDT);
4369 -+ idt_descr.address = (struct desc_struct *)fix_to_virt(FIX_F00F_IDT);
4370 - load_idt(&idt_descr);
4371 - }
4372 - #endif
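Review bot: this hunk only adds the cast line; the original `idt_descr.address = fix_to_virt(FIX_F00F_IDT);` is kept as context, so `trap_init_f00f_bug` now assigns `idt_descr.address` twice and the first assignment stores an `unsigned long` into a field the rest of the patch treats as a `struct desc_struct *` (see `gdt_descr.address = get_cpu_gdt_table(...)` in the `switch_to_new_gdt` hunk above). The old line should be a `-` line so the cast replaces it rather than follows it.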
4373 -diff -urNp linux-2.6.24.4/arch/x86/kernel/cpu/intel_cacheinfo.c linux-2.6.24.4/arch/x86/kernel/cpu/intel_cacheinfo.c
4374 ---- linux-2.6.24.4/arch/x86/kernel/cpu/intel_cacheinfo.c 2008-03-24 14:49:18.000000000 -0400
4375 -+++ linux-2.6.24.4/arch/x86/kernel/cpu/intel_cacheinfo.c 2008-03-26 17:56:55.000000000 -0400
4376 -@@ -352,8 +352,8 @@ unsigned int __cpuinit init_intel_cachei
4377 - */
4378 - if ((num_cache_leaves == 0 || c->x86 == 15) && c->cpuid_level > 1) {
4379 - /* supports eax=2 call */
4380 -- int i, j, n;
4381 -- int regs[4];
4382 -+ int j, n;
4383 -+ unsigned int regs[4];
4384 - unsigned char *dp = (unsigned char *)regs;
4385 - int only_trace = 0;
4386 -
4387 -@@ -368,7 +368,7 @@ unsigned int __cpuinit init_intel_cachei
4388 -
4389 - /* If bit 31 is set, this is an unknown format */
4390 - for ( j = 0 ; j < 3 ; j++ ) {
4391 -- if ( regs[j] < 0 ) regs[j] = 0;
4392 -+ if ( (int)regs[j] < 0 ) regs[j] = 0;
4393 - }
4394 -
4395 - /* Byte 0 is level count, not a descriptor */
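Review bot: `regs` becomes `unsigned int` and the unknown-format test becomes `(int)regs[j] < 0`; `regs[j] & 0x80000000` would say "bit 31 is set" directly, matching the comment above it, without relying on the implementation-defined unsigned-to-signed conversion. The previous hunk also drops `i` from the declaration; only that hunk is visible, so confirm the rest of `init_intel_cacheinfo` has no remaining use of `i`.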
4396 -diff -urNp linux-2.6.24.4/arch/x86/kernel/cpu/mcheck/mce_64.c linux-2.6.24.4/arch/x86/kernel/cpu/mcheck/mce_64.c
4397 ---- linux-2.6.24.4/arch/x86/kernel/cpu/mcheck/mce_64.c 2008-03-24 14:49:18.000000000 -0400
4398 -+++ linux-2.6.24.4/arch/x86/kernel/cpu/mcheck/mce_64.c 2008-03-26 17:56:55.000000000 -0400
4399 -@@ -671,6 +671,7 @@ static struct miscdevice mce_log_device
4400 - MISC_MCELOG_MINOR,
4401 - "mcelog",
4402 - &mce_chrdev_ops,
4403 -+ {NULL, NULL}, NULL, NULL
4404 - };
4405 -
4406 - static unsigned long old_cr4 __initdata;
4407 -diff -urNp linux-2.6.24.4/arch/x86/kernel/cpu/mtrr/generic.c linux-2.6.24.4/arch/x86/kernel/cpu/mtrr/generic.c
4408 ---- linux-2.6.24.4/arch/x86/kernel/cpu/mtrr/generic.c 2008-03-24 14:49:18.000000000 -0400
4409 -+++ linux-2.6.24.4/arch/x86/kernel/cpu/mtrr/generic.c 2008-03-26 17:56:55.000000000 -0400
4410 -@@ -29,11 +29,11 @@ static struct fixed_range_block fixed_ra
4411 - { MTRRfix64K_00000_MSR, 1 }, /* one 64k MTRR */
4412 - { MTRRfix16K_80000_MSR, 2 }, /* two 16k MTRRs */
4413 - { MTRRfix4K_C0000_MSR, 8 }, /* eight 4k MTRRs */
4414 -- {}
4415 -+ { 0, 0 }
4416 - };
4417 -
4418 - static unsigned long smp_changes_mask;
4419 --static struct mtrr_state mtrr_state = {};
4420 -+static struct mtrr_state mtrr_state;
4421 -
4422 - #undef MODULE_PARAM_PREFIX
4423 - #define MODULE_PARAM_PREFIX "mtrr."
4424 -diff -urNp linux-2.6.24.4/arch/x86/kernel/crash.c linux-2.6.24.4/arch/x86/kernel/crash.c
4425 ---- linux-2.6.24.4/arch/x86/kernel/crash.c 2008-03-24 14:49:18.000000000 -0400
4426 -+++ linux-2.6.24.4/arch/x86/kernel/crash.c 2008-03-26 17:56:55.000000000 -0400
4427 -@@ -62,7 +62,7 @@ static int crash_nmi_callback(struct not
4428 - local_irq_disable();
4429 -
4430 - #ifdef CONFIG_X86_32
4431 -- if (!user_mode_vm(regs)) {
4432 -+ if (!user_mode(regs)) {
4433 - crash_fixup_ss_esp(&fixed_regs, regs);
4434 - regs = &fixed_regs;
4435 - }
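Review bot: replacing `user_mode_vm(regs)` with `user_mode(regs)` in `crash_nmi_callback` drops the v8086 case on 32-bit: `user_mode_vm` also treats a frame with `VM_MASK` set in EFLAGS as user mode, while `user_mode` looks at the CS RPL alone, which for a vm86 task is a real-mode segment value. If the patch redefines `user_mode` to cover VM86 elsewhere, say so in the description; otherwise `crash_fixup_ss_esp` will be applied to a vm86 frame when the crash NMI lands on one.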
4436 -diff -urNp linux-2.6.24.4/arch/x86/kernel/doublefault_32.c linux-2.6.24.4/arch/x86/kernel/doublefault_32.c
4437 ---- linux-2.6.24.4/arch/x86/kernel/doublefault_32.c 2008-03-24 14:49:18.000000000 -0400
4438 -+++ linux-2.6.24.4/arch/x86/kernel/doublefault_32.c 2008-03-26 17:56:55.000000000 -0400
4439 -@@ -11,17 +11,17 @@
4440 -
4441 - #define DOUBLEFAULT_STACKSIZE (1024)
4442 - static unsigned long doublefault_stack[DOUBLEFAULT_STACKSIZE];
4443 --#define STACK_START (unsigned long)(doublefault_stack+DOUBLEFAULT_STACKSIZE)
4444 -+#define STACK_START (unsigned long)(doublefault_stack+DOUBLEFAULT_STACKSIZE-2)
4445 -
4446 - #define ptr_ok(x) ((x) > PAGE_OFFSET && (x) < PAGE_OFFSET + MAXMEM)
4447 -
4448 - static void doublefault_fn(void)
4449 - {
4450 -- struct Xgt_desc_struct gdt_desc = {0, 0};
4451 -+ struct Xgt_desc_struct gdt_desc = {0, NULL, 0};
4452 - unsigned long gdt, tss;
4453 -
4454 - store_gdt(&gdt_desc);
4455 -- gdt = gdt_desc.address;
4456 -+ gdt = (unsigned long)gdt_desc.address;
4457 -
4458 - printk(KERN_EMERG "PANIC: double fault, gdt at %08lx [%d bytes]\n", gdt, gdt_desc.size);
4459 -
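Review bot: `STACK_START` is lowered from the end of `doublefault_stack` to two words below it with no comment on what the 8 bytes of slack are reserved for, and the `{0, NULL, 0}` initializer shows `struct Xgt_desc_struct` gaining a field. Both deserve a one-line comment at the definition: why the reserved words exist, and that `address` is now a pointer, which is why the `(unsigned long)` cast appears where it is printed.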
4460 -@@ -59,10 +59,10 @@ struct tss_struct doublefault_tss __cach
4461 - /* 0x2 bit is always set */
4462 - .eflags = X86_EFLAGS_SF | 0x2,
4463 - .esp = STACK_START,
4464 -- .es = __USER_DS,
4465 -+ .es = __KERNEL_DS,
4466 - .cs = __KERNEL_CS,
4467 - .ss = __KERNEL_DS,
4468 -- .ds = __USER_DS,
4469 -+ .ds = __KERNEL_DS,
4470 - .fs = __KERNEL_PERCPU,
4471 -
4472 - .__cr3 = __pa(swapper_pg_dir)
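Review bot: switching the double-fault TSS from `__USER_DS` to `__KERNEL_DS` for DS/ES matches the `__KERNEL_DS` loads the patch makes in `SAVE_ALL` and `error_code` in entry_32.S, but the reason is not stated here. Under CONFIG_PAX_MEMORY_UDEREF the kernel data segment is the one whose limit excludes userland (set up in the head_32.S hunk of this patch), so a handler that ran with `__USER_DS` would lose that protection. A comment beside `.es`/`.ds` naming the option would help anyone bisecting a double fault that lands in `doublefault_fn`.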
4473 -diff -urNp linux-2.6.24.4/arch/x86/kernel/efi_32.c linux-2.6.24.4/arch/x86/kernel/efi_32.c
4474 ---- linux-2.6.24.4/arch/x86/kernel/efi_32.c 2008-03-24 14:49:18.000000000 -0400
4475 -+++ linux-2.6.24.4/arch/x86/kernel/efi_32.c 2008-03-26 17:56:55.000000000 -0400
4476 -@@ -63,71 +63,38 @@ extern void * boot_ioremap(unsigned long
4477 -
4478 - static unsigned long efi_rt_eflags;
4479 - static DEFINE_SPINLOCK(efi_rt_lock);
4480 --static pgd_t efi_bak_pg_dir_pointer[2];
4481 -+static pgd_t __initdata efi_bak_pg_dir_pointer[KERNEL_PGD_PTRS] __attribute__ ((aligned (4096)));
4482 -
4483 --static void efi_call_phys_prelog(void) __acquires(efi_rt_lock)
4484 -+static void __init efi_call_phys_prelog(void) __acquires(efi_rt_lock)
4485 - {
4486 -- unsigned long cr4;
4487 -- unsigned long temp;
4488 - struct Xgt_desc_struct gdt_descr;
4489 -
4490 - spin_lock(&efi_rt_lock);
4491 - local_irq_save(efi_rt_eflags);
4492 -
4493 -- /*
4494 -- * If I don't have PSE, I should just duplicate two entries in page
4495 -- * directory. If I have PSE, I just need to duplicate one entry in
4496 -- * page directory.
4497 -- */
4498 -- cr4 = read_cr4();
4499 --
4500 -- if (cr4 & X86_CR4_PSE) {
4501 -- efi_bak_pg_dir_pointer[0].pgd =
4502 -- swapper_pg_dir[pgd_index(0)].pgd;
4503 -- swapper_pg_dir[0].pgd =
4504 -- swapper_pg_dir[pgd_index(PAGE_OFFSET)].pgd;
4505 -- } else {
4506 -- efi_bak_pg_dir_pointer[0].pgd =
4507 -- swapper_pg_dir[pgd_index(0)].pgd;
4508 -- efi_bak_pg_dir_pointer[1].pgd =
4509 -- swapper_pg_dir[pgd_index(0x400000)].pgd;
4510 -- swapper_pg_dir[pgd_index(0)].pgd =
4511 -- swapper_pg_dir[pgd_index(PAGE_OFFSET)].pgd;
4512 -- temp = PAGE_OFFSET + 0x400000;
4513 -- swapper_pg_dir[pgd_index(0x400000)].pgd =
4514 -- swapper_pg_dir[pgd_index(temp)].pgd;
4515 -- }
4516 -+ clone_pgd_range(efi_bak_pg_dir_pointer, swapper_pg_dir, KERNEL_PGD_PTRS);
4517 -+ clone_pgd_range(swapper_pg_dir, swapper_pg_dir + USER_PGD_PTRS,
4518 -+ min_t(unsigned long, KERNEL_PGD_PTRS, USER_PGD_PTRS));
4519 -
4520 - /*
4521 - * After the lock is released, the original page table is restored.
4522 - */
4523 - local_flush_tlb();
4524 -
4525 -- gdt_descr.address = __pa(get_cpu_gdt_table(0));
4526 -+ gdt_descr.address = (struct desc_struct *)__pa(get_cpu_gdt_table(0));
4527 - gdt_descr.size = GDT_SIZE - 1;
4528 - load_gdt(&gdt_descr);
4529 - }
4530 -
4531 --static void efi_call_phys_epilog(void) __releases(efi_rt_lock)
4532 -+static void __init efi_call_phys_epilog(void) __releases(efi_rt_lock)
4533 - {
4534 -- unsigned long cr4;
4535 - struct Xgt_desc_struct gdt_descr;
4536 -
4537 -- gdt_descr.address = (unsigned long)get_cpu_gdt_table(0);
4538 -+ gdt_descr.address = get_cpu_gdt_table(0);
4539 - gdt_descr.size = GDT_SIZE - 1;
4540 - load_gdt(&gdt_descr);
4541 -
4542 -- cr4 = read_cr4();
4543 --
4544 -- if (cr4 & X86_CR4_PSE) {
4545 -- swapper_pg_dir[pgd_index(0)].pgd =
4546 -- efi_bak_pg_dir_pointer[0].pgd;
4547 -- } else {
4548 -- swapper_pg_dir[pgd_index(0)].pgd =
4549 -- efi_bak_pg_dir_pointer[0].pgd;
4550 -- swapper_pg_dir[pgd_index(0x400000)].pgd =
4551 -- efi_bak_pg_dir_pointer[1].pgd;
4552 -- }
4553 -+ clone_pgd_range(swapper_pg_dir, efi_bak_pg_dir_pointer, KERNEL_PGD_PTRS);
4554 -
4555 - /*
4556 - * After the lock is released, the original page table is restored.
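Review bot: `efi_bak_pg_dir_pointer` grows from two entries to a full page-aligned `KERNEL_PGD_PTRS` copy and becomes `__initdata`, and prelog/epilog become `__init`; that is only safe if `efi_call_phys` is never reached after init memory is freed, which the comment in a later hunk of this file ("services have been remapped and also during suspend, therefore, we'll need to call both in physical and virtual modes") contradicts, and `phys_efi_get_time` is given `__init` under that same comment. Either the comment is stale and should be corrected in the same patch, or the `__init`/`__initdata` annotations must go. Separately, the pre-existing comment "After the lock is released, the original page table is restored." now sits directly above `local_flush_tlb()` in the prelog, where it describes nothing; move or drop it while the function is being rewritten.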
4557 -@@ -138,7 +105,7 @@ static void efi_call_phys_epilog(void) _
4558 - spin_unlock(&efi_rt_lock);
4559 - }
4560 -
4561 --static efi_status_t
4562 -+static efi_status_t __init
4563 - phys_efi_set_virtual_address_map(unsigned long memory_map_size,
4564 - unsigned long descriptor_size,
4565 - u32 descriptor_version,
4566 -@@ -154,7 +121,7 @@ phys_efi_set_virtual_address_map(unsigne
4567 - return status;
4568 - }
4569 -
4570 --static efi_status_t
4571 -+static noinline efi_status_t __init
4572 - phys_efi_get_time(efi_time_t *tm, efi_time_cap_t *tc)
4573 - {
4574 - efi_status_t status;
4575 -@@ -198,7 +165,7 @@ inline int efi_set_rtc_mmss(unsigned lon
4576 - * services have been remapped and also during suspend, therefore,
4577 - * we'll need to call both in physical and virtual modes.
4578 - */
4579 --inline unsigned long efi_get_time(void)
4580 -+unsigned long efi_get_time(void)
4581 - {
4582 - efi_status_t status;
4583 - efi_time_t eft;
4584 -diff -urNp linux-2.6.24.4/arch/x86/kernel/efi_stub_32.S linux-2.6.24.4/arch/x86/kernel/efi_stub_32.S
4585 ---- linux-2.6.24.4/arch/x86/kernel/efi_stub_32.S 2008-03-24 14:49:18.000000000 -0400
4586 -+++ linux-2.6.24.4/arch/x86/kernel/efi_stub_32.S 2008-03-26 17:56:55.000000000 -0400
4587 -@@ -6,6 +6,7 @@
4588 - */
4589 -
4590 - #include <linux/linkage.h>
4591 -+#include <linux/init.h>
4592 - #include <asm/page.h>
4593 -
4594 - /*
4595 -@@ -20,7 +21,7 @@
4596 - * service functions will comply with gcc calling convention, too.
4597 - */
4598 -
4599 --.text
4600 -+__INIT
4601 - ENTRY(efi_call_phys)
4602 - /*
4603 - * 0. The function can only be called in Linux kernel. So CS has been
4604 -@@ -36,9 +37,7 @@ ENTRY(efi_call_phys)
4605 - * The mapping of lower virtual memory has been created in prelog and
4606 - * epilog.
4607 - */
4608 -- movl $1f, %edx
4609 -- subl $__PAGE_OFFSET, %edx
4610 -- jmp *%edx
4611 -+ jmp 1f-__PAGE_OFFSET
4612 - 1:
4613 -
4614 - /*
4615 -@@ -47,14 +46,8 @@ ENTRY(efi_call_phys)
4616 - * parameter 2, ..., param n. To make things easy, we save the return
4617 - * address of efi_call_phys in a global variable.
4618 - */
4619 -- popl %edx
4620 -- movl %edx, saved_return_addr
4621 -- /* get the function pointer into ECX*/
4622 -- popl %ecx
4623 -- movl %ecx, efi_rt_function_ptr
4624 -- movl $2f, %edx
4625 -- subl $__PAGE_OFFSET, %edx
4626 -- pushl %edx
4627 -+ popl (saved_return_addr)
4628 -+ popl (efi_rt_function_ptr)
4629 -
4630 - /*
4631 - * 3. Clear PG bit in %CR0.
4632 -@@ -73,9 +66,8 @@ ENTRY(efi_call_phys)
4633 - /*
4634 - * 5. Call the physical function.
4635 - */
4636 -- jmp *%ecx
4637 -+ call *(efi_rt_function_ptr-__PAGE_OFFSET)
4638 -
4639 --2:
4640 - /*
4641 - * 6. After EFI runtime service returns, control will return to
4642 - * following instruction. We'd better readjust stack pointer first.
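Review bot: step 5 now does `call *(efi_rt_function_ptr-__PAGE_OFFSET)` while the `popl (saved_return_addr)` / `popl (efi_rt_function_ptr)` in step 2 use the unadjusted symbols. Both are right (step 2 still runs with paging enabled on the identity mapping built in `efi_call_phys_prelog`; step 5 runs after PG has been cleared and needs the physical address), but the same variable being addressed two ways a few lines apart is exactly what the next reader will "fix". Add a comment at each site saying which address space is live there, and mention that the `call` replaces the hand-pushed `2:` return address, since that label disappears in this hunk.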
4643 -@@ -88,34 +80,27 @@ ENTRY(efi_call_phys)
4644 - movl %cr0, %edx
4645 - orl $0x80000000, %edx
4646 - movl %edx, %cr0
4647 -- jmp 1f
4648 --1:
4649 -+
4650 - /*
4651 - * 8. Now restore the virtual mode from flat mode by
4652 - * adding EIP with PAGE_OFFSET.
4653 - */
4654 -- movl $1f, %edx
4655 -- jmp *%edx
4656 -+ jmp 1f+__PAGE_OFFSET
4657 - 1:
4658 -
4659 - /*
4660 - * 9. Balance the stack. And because EAX contain the return value,
4661 - * we'd better not clobber it.
4662 - */
4663 -- leal efi_rt_function_ptr, %edx
4664 -- movl (%edx), %ecx
4665 -- pushl %ecx
4666 -+ pushl (efi_rt_function_ptr)
4667 -
4668 - /*
4669 -- * 10. Push the saved return address onto the stack and return.
4670 -+ * 10. Return to the saved return address.
4671 - */
4672 -- leal saved_return_addr, %edx
4673 -- movl (%edx), %ecx
4674 -- pushl %ecx
4675 -- ret
4676 -+ jmpl *(saved_return_addr)
4677 - .previous
4678 -
4679 --.data
4680 -+__INITDATA
4681 - saved_return_addr:
4682 - .long 0
4683 - efi_rt_function_ptr:
4684 -diff -urNp linux-2.6.24.4/arch/x86/kernel/entry_32.S linux-2.6.24.4/arch/x86/kernel/entry_32.S
4685 ---- linux-2.6.24.4/arch/x86/kernel/entry_32.S 2008-03-24 14:49:18.000000000 -0400
4686 -+++ linux-2.6.24.4/arch/x86/kernel/entry_32.S 2008-03-26 17:56:55.000000000 -0400
4687 -@@ -97,7 +97,7 @@ VM_MASK = 0x00020000
4688 - #define resume_userspace_sig resume_userspace
4689 - #endif
4690 -
4691 --#define SAVE_ALL \
4692 -+#define __SAVE_ALL(_DS) \
4693 - cld; \
4694 - pushl %fs; \
4695 - CFI_ADJUST_CFA_OFFSET 4;\
4696 -@@ -129,12 +129,26 @@ VM_MASK = 0x00020000
4697 - pushl %ebx; \
4698 - CFI_ADJUST_CFA_OFFSET 4;\
4699 - CFI_REL_OFFSET ebx, 0;\
4700 -- movl $(__USER_DS), %edx; \
4701 -+ movl $(_DS), %edx; \
4702 - movl %edx, %ds; \
4703 - movl %edx, %es; \
4704 - movl $(__KERNEL_PERCPU), %edx; \
4705 - movl %edx, %fs
4706 -
4707 -+#ifdef CONFIG_PAX_KERNEXEC
4708 -+#define SAVE_ALL \
4709 -+ __SAVE_ALL(__KERNEL_DS); \
4710 -+ GET_CR0_INTO_EDX; \
4711 -+ movl %edx, %esi; \
4712 -+ orl $X86_CR0_WP, %edx; \
4713 -+ xorl %edx, %esi; \
4714 -+ SET_CR0_FROM_EDX
4715 -+#elif defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
4716 -+#define SAVE_ALL __SAVE_ALL(__KERNEL_DS)
4717 -+#else
4718 -+#define SAVE_ALL __SAVE_ALL(__USER_DS)
4719 -+#endif
4720 -+
4721 - #define RESTORE_INT_REGS \
4722 - popl %ebx; \
4723 - CFI_ADJUST_CFA_OFFSET -4;\
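Review bot: the CONFIG_PAX_KERNEXEC variant of `SAVE_ALL` keeps state in a bare register: after `movl %edx, %esi; orl $X86_CR0_WP, %edx; xorl %edx, %esi`, `%esi` holds `X86_CR0_WP` if write protection was off on entry and 0 if it was already on, and the matching `xorl %esi, %edx` in `check_userspace` (and in the `error_code` and NMI hunks further down) restores the previous value. This silently relies on `%esi` being callee-saved across every C handler invoked in between and on nothing else in the entry path clobbering it; state that in a comment next to the macro, because the constraint is invisible from the C side. Using an XOR restore rather than an unconditional clear is what keeps a nested entry (an interrupt taken while WP is already off) from re-enabling protection early; that is worth a sentence as well.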
4724 -@@ -248,7 +262,17 @@ check_userspace:
4725 - movb PT_CS(%esp), %al
4726 - andl $(VM_MASK | SEGMENT_RPL_MASK), %eax
4727 - cmpl $USER_RPL, %eax
4728 -+
4729 -+#ifdef CONFIG_PAX_KERNEXEC
4730 -+ jae resume_userspace
4731 -+
4732 -+ GET_CR0_INTO_EDX
4733 -+ xorl %esi, %edx
4734 -+ SET_CR0_FROM_EDX
4735 -+ jmp resume_kernel
4736 -+#else
4737 - jb resume_kernel # not returning to v8086 or userspace
4738 -+#endif
4739 -
4740 - ENTRY(resume_userspace)
4741 - LOCKDEP_SYS_EXIT
4742 -@@ -308,10 +332,9 @@ sysenter_past_esp:
4743 - /*CFI_REL_OFFSET cs, 0*/
4744 - /*
4745 - * Push current_thread_info()->sysenter_return to the stack.
4746 -- * A tiny bit of offset fixup is necessary - 4*4 means the 4 words
4747 -- * pushed above; +8 corresponds to copy_thread's esp0 setting.
4748 - */
4749 -- pushl (TI_sysenter_return-THREAD_SIZE+8+4*4)(%esp)
4750 -+ GET_THREAD_INFO(%ebp)
4751 -+ pushl TI_sysenter_return(%ebp)
4752 - CFI_ADJUST_CFA_OFFSET 4
4753 - CFI_REL_OFFSET eip, 0
4754 -
4755 -@@ -319,9 +342,17 @@ sysenter_past_esp:
4756 - * Load the potential sixth argument from user stack.
4757 - * Careful about security.
4758 - */
4759 -+ movl 12(%esp),%ebp
4760 -+
4761 -+#ifdef CONFIG_PAX_MEMORY_UDEREF
4762 -+ mov 16(%esp),%ds
4763 -+1: movl %ds:(%ebp),%ebp
4764 -+#else
4765 - cmpl $__PAGE_OFFSET-3,%ebp
4766 - jae syscall_fault
4767 - 1: movl (%ebp),%ebp
4768 -+#endif
4769 -+
4770 - .section __ex_table,"a"
4771 - .align 4
4772 - .long 1b,syscall_fault
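Review bot: the UDEREF branch drops the `cmpl $__PAGE_OFFSET-3,%ebp` / `jae syscall_fault` range check and instead loads `%ds` from `16(%esp)` before `movl %ds:(%ebp),%ebp`, so the kernel is relying on the user data segment's limit to reject kernel addresses and on the `.long 1b,syscall_fault` exception-table entry to catch the resulting #GP rather than a #PF. That works, but the "Careful about security" comment above now refers to a mechanism that is not visible in the code: spell out that the bounds check has moved into the segment limit and that `%ds` is put back to a kernel selector by the `SAVE_ALL` that follows. Also confirm in a comment that `16(%esp)` is always the constant user SS pushed by `sysenter_entry` and never a caller-controlled value, since a bad selector in the `mov ...,%ds` would fault outside the exception table.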
4773 -@@ -345,20 +376,37 @@ sysenter_past_esp:
4774 - movl TI_flags(%ebp), %ecx
4775 - testw $_TIF_ALLWORK_MASK, %cx
4776 - jne syscall_exit_work
4777 -+
4778 -+#ifdef CONFIG_PAX_RANDKSTACK
4779 -+ pushl %eax
4780 -+ CFI_ADJUST_CFA_OFFSET 4
4781 -+ call pax_randomize_kstack
4782 -+ popl %eax
4783 -+ CFI_ADJUST_CFA_OFFSET -4
4784 -+#endif
4785 -+
4786 - /* if something modifies registers it must also disable sysexit */
4787 - movl PT_EIP(%esp), %edx
4788 - movl PT_OLDESP(%esp), %ecx
4789 - xorl %ebp,%ebp
4790 - TRACE_IRQS_ON
4791 - 1: mov PT_FS(%esp), %fs
4792 -+2: mov PT_DS(%esp), %ds
4793 -+3: mov PT_ES(%esp), %es
4794 - ENABLE_INTERRUPTS_SYSEXIT
4795 - CFI_ENDPROC
4796 - .pushsection .fixup,"ax"
4797 --2: movl $0,PT_FS(%esp)
4798 -+4: movl $0,PT_FS(%esp)
4799 - jmp 1b
4800 -+5: movl $0,PT_DS(%esp)
4801 -+ jmp 2b
4802 -+6: movl $0,PT_ES(%esp)
4803 -+ jmp 3b
4804 - .section __ex_table,"a"
4805 - .align 4
4806 -- .long 1b,2b
4807 -+ .long 1b,4b
4808 -+ .long 2b,5b
4809 -+ .long 3b,6b
4810 - .popsection
4811 - ENDPROC(sysenter_entry)
4812 -
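Review bot: two things in this hunk deserve comments. The `pushl %eax` / `call pax_randomize_kstack` / `popl %eax` pair exists because on the sysexit path the syscall return value is still live in `%eax`, and the "if something modifies registers it must also disable sysexit" note right below is the reason the helper must preserve everything else. And the new `2: mov PT_DS(%esp), %ds` / `3: mov PT_ES(%esp), %es` reloads, with `.fixup` entries that zero the saved selector and retry, mean a bad DS or ES value in the frame is now handled on this exit path the same way FS already was; since `SAVE_ALL` now loads `__KERNEL_DS` into DS/ES for kernel work, the user values have to be restored explicitly before `sysexit`, which is why these loads appear at all.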
4813 -@@ -392,6 +440,10 @@ no_singlestep:
4814 - testw $_TIF_ALLWORK_MASK, %cx # current->work
4815 - jne syscall_exit_work
4816 -
4817 -+#ifdef CONFIG_PAX_RANDKSTACK
4818 -+ call pax_randomize_kstack
4819 -+#endif
4820 -+
4821 - restore_all:
4822 - movl PT_EFLAGS(%esp), %eax # mix EFLAGS, SS and CS
4823 - # Warning: PT_OLDSS(%esp) contains the wrong/random values if we
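Review bot: here `pax_randomize_kstack` is called without the `pushl %eax` / `popl %eax` used on the sysexit path above. That is presumably fine because `restore_all` reloads every register, `%eax` included, from the `pt_regs` frame rather than from the live register, but the asymmetry between the two call sites should be explained in a comment, otherwise the next person to touch one path will "fix" the other.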
4824 -@@ -556,17 +608,24 @@ syscall_badsys:
4825 - END(syscall_badsys)
4826 - CFI_ENDPROC
4827 -
4828 --#define FIXUP_ESPFIX_STACK \
4829 -- /* since we are on a wrong stack, we cant make it a C code :( */ \
4830 -- PER_CPU(gdt_page, %ebx); \
4831 -- GET_DESC_BASE(GDT_ENTRY_ESPFIX_SS, %ebx, %eax, %ax, %al, %ah); \
4832 -- addl %esp, %eax; \
4833 -- pushl $__KERNEL_DS; \
4834 -- CFI_ADJUST_CFA_OFFSET 4; \
4835 -- pushl %eax; \
4836 -- CFI_ADJUST_CFA_OFFSET 4; \
4837 -- lss (%esp), %esp; \
4838 -+.macro FIXUP_ESPFIX_STACK
4839 -+ /* since we are on a wrong stack, we cant make it a C code :( */
4840 -+#ifdef CONFIG_SMP
4841 -+ movl PER_CPU_VAR(cpu_number), %ebx;
4842 -+ shll $PAGE_SHIFT_asm, %ebx;
4843 -+ addl $cpu_gdt_table, %ebx;
4844 -+#else
4845 -+ movl $cpu_gdt_table, %ebx;
4846 -+#endif
4847 -+ GET_DESC_BASE(GDT_ENTRY_ESPFIX_SS, %ebx, %eax, %ax, %al, %ah);
4848 -+ addl %esp, %eax;
4849 -+ pushl $__KERNEL_DS;
4850 -+ CFI_ADJUST_CFA_OFFSET 4;
4851 -+ pushl %eax;
4852 -+ CFI_ADJUST_CFA_OFFSET 4;
4853 -+ lss (%esp), %esp;
4854 - CFI_ADJUST_CFA_OFFSET -8;
4855 -+.endm
4856 - #define UNWIND_ESPFIX_STACK \
4857 - movl %ss, %eax; \
4858 - /* see if on espfix stack */ \
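Review bot: converting `FIXUP_ESPFIX_STACK` to a `.macro` is fine, but the per-CPU GDT lookup now hard-codes a layout: `shll $PAGE_SHIFT_asm, %ebx; addl $cpu_gdt_table, %ebx` assumes the GDTs form a page-stride array indexed by `cpu_number`, a contract that lives in the C definition of `cpu_gdt_table` elsewhere in the patch. Put a comment here pointing at that definition (or a build-time check on the C side) so the two cannot drift. The trailing `;` on each macro line are leftovers from the `#define` form and can go now that line continuation is not needed; the `CFI_ADJUST_CFA_OFFSET -8;` kept as context has one too.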
4859 -@@ -583,7 +642,7 @@ END(syscall_badsys)
4860 - * Build the entry stubs and pointer table with
4861 - * some assembler magic.
4862 - */
4863 --.data
4864 -+.section .rodata,"a",@progbits
4865 - ENTRY(interrupt)
4866 - .text
4867 -
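Review bot: moving the `interrupt` stub-pointer table from `.data` to `.section .rodata,"a",@progbits` takes a table of kernel entry addresses out of writable memory, which is the point under KERNEXEC, but it also needs the linker script to map `.rodata` read-only and nothing at runtime to write the table; mention where that is guaranteed. Compare with the last hunk of this file, which removes the explicit `.section .rodata,"a"` in front of `#include "syscall_table_32.S"`: describe the two changes together so it is clear that `sys_call_table` still lands in `.rodata` and does not silently fall into whatever section is current after the Xen block.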
4868 -@@ -683,12 +742,21 @@ error_code:
4869 - popl %ecx
4870 - CFI_ADJUST_CFA_OFFSET -4
4871 - /*CFI_REGISTER es, ecx*/
4872 -+
4873 -+#ifdef CONFIG_PAX_KERNEXEC
4874 -+ GET_CR0_INTO_EDX
4875 -+ movl %edx, %esi
4876 -+ orl $X86_CR0_WP, %edx
4877 -+ xorl %edx, %esi
4878 -+ SET_CR0_FROM_EDX
4879 -+#endif
4880 -+
4881 - movl PT_FS(%esp), %edi # get the function address
4882 - movl PT_ORIG_EAX(%esp), %edx # get the error code
4883 - movl $-1, PT_ORIG_EAX(%esp) # no syscall to restart
4884 - mov %ecx, PT_FS(%esp)
4885 - /*CFI_REL_OFFSET fs, ES*/
4886 -- movl $(__USER_DS), %ecx
4887 -+ movl $(__KERNEL_DS), %ecx
4888 - movl %ecx, %ds
4889 - movl %ecx, %es
4890 - movl %esp,%eax # pt_regs pointer
4891 -@@ -822,6 +890,13 @@ nmi_stack_correct:
4892 - xorl %edx,%edx # zero error code
4893 - movl %esp,%eax # pt_regs pointer
4894 - call do_nmi
4895 -+
4896 -+#ifdef CONFIG_PAX_KERNEXEC
4897 -+ GET_CR0_INTO_EDX
4898 -+ xorl %esi, %edx
4899 -+ SET_CR0_FROM_EDX
4900 -+#endif
4901 -+
4902 - jmp restore_nocheck_notrace
4903 - CFI_ENDPROC
4904 -
4905 -@@ -862,6 +937,13 @@ nmi_espfix_stack:
4906 - FIXUP_ESPFIX_STACK # %eax == %esp
4907 - xorl %edx,%edx # zero error code
4908 - call do_nmi
4909 -+
4910 -+#ifdef CONFIG_PAX_KERNEXEC
4911 -+ GET_CR0_INTO_EDX
4912 -+ xorl %esi, %edx
4913 -+ SET_CR0_FROM_EDX
4914 -+#endif
4915 -+
4916 - RESTORE_REGS
4917 - lss 12+4(%esp), %esp # back to espfix stack
4918 - CFI_ADJUST_CFA_OFFSET -24
4919 -@@ -1110,7 +1192,6 @@ ENDPROC(xen_failsafe_callback)
4920 -
4921 - #endif /* CONFIG_XEN */
4922 -
4923 --.section .rodata,"a"
4924 - #include "syscall_table_32.S"
4925 -
4926 - syscall_table_size=(.-sys_call_table)
4927 -diff -urNp linux-2.6.24.4/arch/x86/kernel/entry_64.S linux-2.6.24.4/arch/x86/kernel/entry_64.S
4928 ---- linux-2.6.24.4/arch/x86/kernel/entry_64.S 2008-03-24 14:49:18.000000000 -0400
4929 -+++ linux-2.6.24.4/arch/x86/kernel/entry_64.S 2008-03-26 17:56:55.000000000 -0400
4930 -@@ -440,6 +440,7 @@ ENTRY(stub_execve)
4931 - CFI_REGISTER rip, r11
4932 - SAVE_REST
4933 - FIXUP_TOP_OF_STACK %r11
4934 -+ movq %rsp, %rcx
4935 - call sys_execve
4936 - RESTORE_TOP_OF_STACK %r11
4937 - movq %rax,RAX(%rsp)
4938 -@@ -735,17 +736,18 @@ END(spurious_interrupt)
4939 - xorl %ebx,%ebx
4940 - 1:
4941 - .if \ist
4942 -- movq %gs:pda_data_offset, %rbp
4943 -+ imul $TSS_size, %gs:pda_cpunumber, %ebp
4944 -+ lea init_tss(%rbp), %rbp
4945 - .endif
4946 - movq %rsp,%rdi
4947 - movq ORIG_RAX(%rsp),%rsi
4948 - movq $-1,ORIG_RAX(%rsp)
4949 - .if \ist
4950 -- subq $EXCEPTION_STKSZ, per_cpu__init_tss + TSS_ist + (\ist - 1) * 8(%rbp)
4951 -+ subq $EXCEPTION_STKSZ, TSS_ist + (\ist - 1) * 8(%rbp)
4952 - .endif
4953 - call \sym
4954 - .if \ist
4955 -- addq $EXCEPTION_STKSZ, per_cpu__init_tss + TSS_ist + (\ist - 1) * 8(%rbp)
4956 -+ addq $EXCEPTION_STKSZ, TSS_ist + (\ist - 1) * 8(%rbp)
4957 - .endif
4958 - cli
4959 - .if \irqtrace
4960 -@@ -1003,15 +1005,16 @@ ENDPROC(child_rip)
4961 - * rdi: name, rsi: argv, rdx: envp
4962 - *
4963 - * We want to fallback into:
4964 -- * extern long sys_execve(char *name, char **argv,char **envp, struct pt_regs regs)
4965 -+ * extern long sys_execve(char *name, char **argv,char **envp, struct pt_regs *regs)
4966 - *
4967 - * do_sys_execve asm fallback arguments:
4968 -- * rdi: name, rsi: argv, rdx: envp, fake frame on the stack
4969 -+ * rdi: name, rsi: argv, rdx: envp, rcx: fake frame on the stack
4970 - */
4971 - ENTRY(kernel_execve)
4972 - CFI_STARTPROC
4973 - FAKE_STACK_FRAME $0
4974 - SAVE_ALL
4975 -+ movq %rsp,%rcx
4976 - call sys_execve
4977 - movq %rax, RAX(%rsp)
4978 - RESTORE_REST
4979 -diff -urNp linux-2.6.24.4/arch/x86/kernel/head_32.S linux-2.6.24.4/arch/x86/kernel/head_32.S
4980 ---- linux-2.6.24.4/arch/x86/kernel/head_32.S 2008-03-24 14:49:18.000000000 -0400
4981 -+++ linux-2.6.24.4/arch/x86/kernel/head_32.S 2008-03-26 17:56:55.000000000 -0400
4982 -@@ -18,6 +18,7 @@
4983 - #include <asm/thread_info.h>
4984 - #include <asm/asm-offsets.h>
4985 - #include <asm/setup.h>
4986 -+#include <asm/msr-index.h>
4987 -
4988 - /*
4989 - * References to members of the new_cpu_data structure.
4990 -@@ -60,17 +61,22 @@ LOW_PAGES = 1<<(32-PAGE_SHIFT_asm)
4991 - LOW_PAGES = LOW_PAGES + 0x1000000
4992 - #endif
4993 -
4994 --#if PTRS_PER_PMD > 1
4995 --PAGE_TABLE_SIZE = (LOW_PAGES / PTRS_PER_PMD) + PTRS_PER_PGD
4996 --#else
4997 --PAGE_TABLE_SIZE = (LOW_PAGES / PTRS_PER_PGD)
4998 --#endif
4999 -+PAGE_TABLE_SIZE = (LOW_PAGES / PTRS_PER_PTE)
5000 - BOOTBITMAP_SIZE = LOW_PAGES / 8
5001 - ALLOCATOR_SLOP = 4
5002 -
5003 - INIT_MAP_BEYOND_END = BOOTBITMAP_SIZE + (PAGE_TABLE_SIZE + ALLOCATOR_SLOP)*PAGE_SIZE_asm
5004 -
5005 - /*
5006 -+ * Real beginning of normal "text" segment
5007 -+ */
5008 -+ENTRY(stext)
5009 -+ENTRY(_stext)
5010 -+
5011 -+.section .text.startup,"ax",@progbits
5012 -+ ljmp $(__BOOT_CS),$phys_startup_32
5013 -+
5014 -+/*
5015 - * 32-bit kernel entrypoint; only used by the boot CPU. On entry,
5016 - * %esi points to the real-mode code as a 32-bit pointer.
5017 - * CS and DS must be 4 GB flat segments, but we don't depend on
5018 -@@ -78,6 +84,12 @@ INIT_MAP_BEYOND_END = BOOTBITMAP_SIZE +
5019 - * can.
5020 - */
5021 - .section .text.head,"ax",@progbits
5022 -+
5023 -+#ifdef CONFIG_PAX_KERNEXEC
5024 -+/* PaX: fill first page in .text with int3 to catch NULL derefs in kernel mode */
5025 -+.fill 4096,1,0xcc
5026 -+#endif
5027 -+
5028 - ENTRY(startup_32)
5029 - /* check to see if KEEP_SEGMENTS flag is meaningful */
5030 - cmpw $0x207, BP_version(%esi)
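Review bot: the `.fill 4096,1,0xcc` page only catches anything if a kernel-mode NULL call or jump actually lands on it, i.e. if `__KERNEL_CS` has a non-zero base so that offset 0 in the code segment is this first page of `.text`; that is what the `KERNEL_TEXT_OFFSET` writes into the `__KERNEL_CS` descriptor in the next hunk of this file provide. The two hunks depend on each other and the comment here should say so, and should note that this traps control-flow NULL dereferences only, not data loads or stores through a NULL pointer.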
5031 -@@ -99,6 +111,43 @@ ENTRY(startup_32)
5032 - movl %eax,%gs
5033 - 2:
5034 -
5035 -+ movl $__per_cpu_start,%eax
5036 -+ movw %ax,(cpu_gdt_table - __PAGE_OFFSET + __KERNEL_PERCPU + 2)
5037 -+ rorl $16,%eax
5038 -+ movb %al,(cpu_gdt_table - __PAGE_OFFSET + __KERNEL_PERCPU + 4)
5039 -+ movb %ah,(cpu_gdt_table - __PAGE_OFFSET + __KERNEL_PERCPU + 7)
5040 -+ movl $__per_cpu_end + PERCPU_MODULE_RESERVE,%eax
5041 -+ subl $__per_cpu_start,%eax
5042 -+ movw %ax,(cpu_gdt_table - __PAGE_OFFSET + __KERNEL_PERCPU + 0)
5043 -+
5044 -+#ifdef CONFIG_PAX_MEMORY_UDEREF
5045 -+ /* check for VMware */
5046 -+ movl $0x564d5868,%eax
5047 -+ xorl %ebx,%ebx
5048 -+ movl $0xa,%ecx
5049 -+ movl $0x5658,%edx
5050 -+ in (%dx),%eax
5051 -+ cmpl $0x564d5868,%ebx
5052 -+ jz 1f
5053 -+
5054 -+ movl $((((__PAGE_OFFSET-1) & 0xf0000000) >> 12) | 0x00c09700),%eax
5055 -+ movl %eax,(cpu_gdt_table - __PAGE_OFFSET + GDT_ENTRY_KERNEL_DS * 8 + 4)
5056 -+1:
5057 -+#endif
5058 -+
5059 -+#ifdef CONFIG_PAX_KERNEXEC
5060 -+ movl $KERNEL_TEXT_OFFSET,%eax
5061 -+ movw %ax,(cpu_gdt_table - __PAGE_OFFSET + __KERNEL_CS + 2)
5062 -+ rorl $16,%eax
5063 -+ movb %al,(cpu_gdt_table - __PAGE_OFFSET + __KERNEL_CS + 4)
5064 -+ movb %ah,(cpu_gdt_table - __PAGE_OFFSET + __KERNEL_CS + 7)
5065 -+
5066 -+ movb %al,(boot_gdt - __PAGE_OFFSET + __BOOT_CS + 4)
5067 -+ movb %ah,(boot_gdt - __PAGE_OFFSET + __BOOT_CS + 7)
5068 -+ rorl $16,%eax
5069 -+ movw %ax,(boot_gdt - __PAGE_OFFSET + __BOOT_CS + 2)
5070 -+#endif
5071 -+
5072 - /*
5073 - * Clear BSS first so that there are no surprises...
5074 - */
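Review bot: three separate changes are folded into this hunk and only one carries a comment. (1) The `__KERNEL_PERCPU` descriptor is patched by hand with base `__per_cpu_start` and limit `__per_cpu_end + PERCPU_MODULE_RESERVE - __per_cpu_start`; the byte offsets `+0`, `+2`, `+4`, `+7` are descriptor field positions and should be named. (2) `0x564d5868`, port `0x5658` and command `0xa` are the VMware backdoor magic, port and version query; name them, and state why CONFIG_PAX_MEMORY_UDEREF is skipped when the hypervisor answers, because the hunk gives no reason. (3) The high dword stored for `GDT_ENTRY_KERNEL_DS`, `0x00c09700` plus limit bits 19:16 taken from `__PAGE_OFFSET-1`, is a present, writable, expand-down data descriptor with page granularity, so with that limit the kernel DS covers exactly `[__PAGE_OFFSET, 4G)` and a kernel dereference of a user pointer through `%ds` faults; that is the whole UDEREF mechanism on i386 and deserves one sentence in the code.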
5075 -@@ -141,9 +190,7 @@ ENTRY(startup_32)
5076 - cmpl $num_subarch_entries, %eax
5077 - jae bad_subarch
5078 -
5079 -- movl subarch_entries - __PAGE_OFFSET(,%eax,4), %eax
5080 -- subl $__PAGE_OFFSET, %eax
5081 -- jmp *%eax
5082 -+ jmp *(subarch_entries - __PAGE_OFFSET)(,%eax,4)
5083 -
5084 - bad_subarch:
5085 - WEAK(lguest_entry)
5086 -@@ -151,11 +198,11 @@ WEAK(xen_entry)
5087 - /* Unknown implementation; there's really
5088 - nothing we can do at this point. */
5089 - ud2a
5090 --.data
5091 -+.section .rodata,"a",@progbits
5092 - subarch_entries:
5093 -- .long default_entry /* normal x86/PC */
5094 -- .long lguest_entry /* lguest hypervisor */
5095 -- .long xen_entry /* Xen hypervisor */
5096 -+ .long default_entry - __PAGE_OFFSET /* normal x86/PC */
5097 -+ .long lguest_entry - __PAGE_OFFSET /* lguest hypervisor */
5098 -+ .long xen_entry - __PAGE_OFFSET /* Xen hypervisor */
5099 - num_subarch_entries = (. - subarch_entries) / 4
5100 - .previous
5101 - #endif /* CONFIG_PARAVIRT */
5102 -@@ -170,34 +217,55 @@ num_subarch_entries = (. - subarch_entri
5103 - * Warning: don't use %esi or the stack in this code. However, %esp
5104 - * can be used as a GPR if you really need it...
5105 - */
5106 --page_pde_offset = (__PAGE_OFFSET >> 20);
5107 -+#ifdef CONFIG_X86_PAE
5108 -+page_pde_offset = ((__PAGE_OFFSET >> 21) * (PAGE_SIZE_asm / PTRS_PER_PTE));
5109 -+#else
5110 -+page_pde_offset = ((__PAGE_OFFSET >> 22) * (PAGE_SIZE_asm / PTRS_PER_PTE));
5111 -+#endif
5112 -
5113 - default_entry:
5114 - movl $(pg0 - __PAGE_OFFSET), %edi
5115 -+#ifdef CONFIG_X86_PAE
5116 -+ movl $(swapper_pm_dir - __PAGE_OFFSET), %edx
5117 -+#else
5118 - movl $(swapper_pg_dir - __PAGE_OFFSET), %edx
5119 -- movl $0x007, %eax /* 0x007 = PRESENT+RW+USER */
5120 -+#endif
5121 -+ movl $0x063, %eax /* 0x063 = PRESENT+RW+ACCESSED+DIRTY */
5122 - 10:
5123 -- leal 0x007(%edi),%ecx /* Create PDE entry */
5124 -+ leal 0x063(%edi),%ecx /* Create PDE entry */
5125 - movl %ecx,(%edx) /* Store identity PDE entry */
5126 - movl %ecx,page_pde_offset(%edx) /* Store kernel PDE entry */
5127 -+#ifdef CONFIG_X86_PAE
5128 -+ movl $0,4(%edx)
5129 -+ movl $0,page_pde_offset+4(%edx)
5130 -+ addl $8,%edx
5131 -+ movl $512, %ecx
5132 -+#else
5133 - addl $4,%edx
5134 - movl $1024, %ecx
5135 -+#endif
5136 - 11:
5137 - stosl
5138 -+#ifdef CONFIG_X86_PAE
5139 -+ movl $0,(%edi)
5140 -+ addl $4,%edi
5141 -+#endif
5142 - addl $0x1000,%eax
5143 - loop 11b
5144 - /* End condition: we must map up to and including INIT_MAP_BEYOND_END */
5145 -- /* bytes beyond the end of our own page tables; the +0x007 is the attribute bits */
5146 -- leal (INIT_MAP_BEYOND_END+0x007)(%edi),%ebp
5147 -+ /* bytes beyond the end of our own page tables; the +0x063 is the attribute bits */
5148 -+ leal (INIT_MAP_BEYOND_END+0x063)(%edi),%ebp
5149 - cmpl %ebp,%eax
5150 - jb 10b
5151 - movl %edi,(init_pg_tables_end - __PAGE_OFFSET)
5152 -
5153 - /* Do an early initialization of the fixmap area */
5154 -- movl $(swapper_pg_dir - __PAGE_OFFSET), %edx
5155 -- movl $(swapper_pg_pmd - __PAGE_OFFSET), %eax
5156 -- addl $0x67, %eax /* 0x67 == _PAGE_TABLE */
5157 -- movl %eax, 4092(%edx)
5158 -+ /* 0x067 = PRESENT+RW+USER+ACCESSED+DIRTY */
5159 -+#ifdef CONFIG_X86_PAE
5160 -+ movl $(swapper_pg_pmd - __PAGE_OFFSET + 0x067), (swapper_pm_dir - __PAGE_OFFSET + 4096 - 8)
5161 -+#else
5162 -+ movl $(swapper_pg_pmd - __PAGE_OFFSET + 0x067), (swapper_pg_dir - __PAGE_OFFSET + 4096 - 4)
5163 -+#endif
5164 -
5165 - xorl %ebx,%ebx /* This is the boot CPU (BSP) */
5166 - jmp 3f
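Review bot: the early mapping attribute changes from `0x007` (PRESENT+RW+USER) to `0x063` (PRESENT+RW+ACCESSED+DIRTY), dropping `_PAGE_USER` from the identity and kernel PDEs/PTEs, while the fixmap PMD pointer keeps the user bit (`0x067`); the comment updates the constants but not the reason. Say why the user bit is intentionally absent from the boot mappings and why the fixmap entry keeps it. The PAE branch also clears the upper half of every 8-byte entry (`movl $0,4(%edx)`, `movl $0,page_pde_offset+4(%edx)`, and `movl $0,(%edi)` after the `stosl`), which is what keeps the NX bit (bit 63) clear at this stage; a comment would save the reader working that out.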
5167 -@@ -223,6 +291,11 @@ ENTRY(startup_32_smp)
5168 - movl %eax,%fs
5169 - movl %eax,%gs
5170 -
5171 -+ /* This is a secondary processor (AP) */
5172 -+ xorl %ebx,%ebx
5173 -+ incl %ebx
5174 -+#endif /* CONFIG_SMP */
5175 -+
5176 - /*
5177 - * New page tables may be in 4Mbyte page mode and may
5178 - * be using the global pages.
5179 -@@ -238,42 +311,47 @@ ENTRY(startup_32_smp)
5180 - * not yet offset PAGE_OFFSET..
5181 - */
5182 - #define cr4_bits mmu_cr4_features-__PAGE_OFFSET
5183 -+3:
5184 - movl cr4_bits,%edx
5185 - andl %edx,%edx
5186 -- jz 6f
5187 -+ jz 5f
5188 - movl %cr4,%eax # Turn on paging options (PSE,PAE,..)
5189 - orl %edx,%eax
5190 - movl %eax,%cr4
5191 -
5192 -- btl $5, %eax # check if PAE is enabled
5193 -- jnc 6f
5194 -+#ifdef CONFIG_X86_PAE
5195 -+ movl %ebx,%edi
5196 -
5197 - /* Check if extended functions are implemented */
5198 - movl $0x80000000, %eax
5199 - cpuid
5200 - cmpl $0x80000000, %eax
5201 -- jbe 6f
5202 -+ jbe 4f
5203 - mov $0x80000001, %eax
5204 - cpuid
5205 - /* Execute Disable bit supported? */
5206 - btl $20, %edx
5207 -- jnc 6f
5208 -+ jnc 4f
5209 -
5210 - /* Setup EFER (Extended Feature Enable Register) */
5211 -- movl $0xc0000080, %ecx
5212 -+ movl $MSR_EFER, %ecx
5213 - rdmsr
5214 -
5215 - btsl $11, %eax
5216 - /* Make changes effective */
5217 - wrmsr
5218 -
5219 --6:
5220 -- /* This is a secondary processor (AP) */
5221 -- xorl %ebx,%ebx
5222 -- incl %ebx
5223 -+ btsl $63-32,__supported_pte_mask+4-__PAGE_OFFSET
5224 -+ movl $1,nx_enabled-__PAGE_OFFSET
5225 -
5226 --#endif /* CONFIG_SMP */
5227 --3:
5228 -+#if !defined(CONFIG_PAX_SEGMEXEC) && !defined(CONFIG_PAX_KERNEXEC) && !defined(CONFIG_PAX_MEMORY_UDEREF)
5229 -+ movl $0,disable_x86_sep-__PAGE_OFFSET
5230 -+#endif
5231 -+
5232 -+4:
5233 -+ movl %edi,%ebx
5234 -+#endif
5235 -+5:
5236 -
5237 - /*
5238 - * Enable paging
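Review bot: the BSP/AP flag now lives in `%ebx` for the whole sequence, and `movl %ebx,%edi` before the `cpuid` calls with `movl %edi,%ebx` at label `4:` is there because `cpuid` clobbers `%ebx`; neither move is commented, and the `xorl %ebx,%ebx` / `incl %ebx` block moved out of the old label `6:` into `startup_32_smp` is what makes the save necessary. Also, `movl $0,disable_x86_sep-__PAGE_OFFSET` under the `!CONFIG_PAX_SEGMEXEC && !CONFIG_PAX_KERNEXEC && !CONFIG_PAX_MEMORY_UDEREF` guard is reached only after NX was successfully enabled, which ties the SEP decision to NX support; state the intent or move it out of the NX path.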
5239 -@@ -298,9 +376,7 @@ ENTRY(startup_32_smp)
5240 -
5241 - #ifdef CONFIG_SMP
5242 - andl %ebx,%ebx
5243 -- jz 1f /* Initial CPU cleans BSS */
5244 -- jmp checkCPUtype
5245 --1:
5246 -+ jnz checkCPUtype /* Initial CPU cleans BSS */
5247 - #endif /* CONFIG_SMP */
5248 -
5249 - /*
5250 -@@ -377,12 +453,12 @@ is386: movl $2,%ecx # set MP
5251 - ljmp $(__KERNEL_CS),$1f
5252 - 1: movl $(__KERNEL_DS),%eax # reload all the segment registers
5253 - movl %eax,%ss # after changing gdt.
5254 -- movl %eax,%fs # gets reset once there's real percpu
5255 --
5256 -- movl $(__USER_DS),%eax # DS/ES contains default USER segment
5257 - movl %eax,%ds
5258 - movl %eax,%es
5259 -
5260 -+ movl $(__KERNEL_PERCPU), %eax
5261 -+ movl %eax,%fs # set this cpu's percpu
5262 -+
5263 - xorl %eax,%eax # Clear GS and LDT
5264 - movl %eax,%gs
5265 - lldt %ax
5266 -@@ -393,11 +469,7 @@ is386: movl $2,%ecx # set MP
5267 - movb ready, %cl
5268 - movb $1, ready
5269 - cmpb $0,%cl # the first CPU calls start_kernel
5270 -- je 1f
5271 -- movl $(__KERNEL_PERCPU), %eax
5272 -- movl %eax,%fs # set this cpu's percpu
5273 -- jmp initialize_secondary # all other CPUs call initialize_secondary
5274 --1:
5275 -+ jne initialize_secondary # all other CPUs call initialize_secondary
5276 - #endif /* CONFIG_SMP */
5277 - jmp start_kernel
5278 -
5279 -@@ -483,8 +555,8 @@ early_page_fault:
5280 - jmp early_fault
5281 -
5282 - early_fault:
5283 -- cld
5284 - #ifdef CONFIG_PRINTK
5285 -+ cld
5286 - pusha
5287 - movl $(__KERNEL_DS),%eax
5288 - movl %eax,%ds
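Review bot: moving `cld` under `#ifdef CONFIG_PRINTK` means a kernel built without printk no longer clears DF on entry to `early_fault`; that is safe only if nothing after the `#endif` performs string operations, so either confirm that or keep `cld` unconditional. The same change in the `ignore_int` hunk below is harmless, since the non-PRINTK path there falls straight through to `iret`.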
5289 -@@ -509,8 +581,8 @@ hlt_loop:
5290 - /* This is the default interrupt "handler" :-) */
5291 - ALIGN
5292 - ignore_int:
5293 -- cld
5294 - #ifdef CONFIG_PRINTK
5295 -+ cld
5296 - pushl %eax
5297 - pushl %ecx
5298 - pushl %edx
5299 -@@ -541,31 +613,58 @@ ignore_int:
5300 - #endif
5301 - iret
5302 -
5303 --.section .text
5304 --/*
5305 -- * Real beginning of normal "text" segment
5306 -- */
5307 --ENTRY(stext)
5308 --ENTRY(_stext)
5309 --
5310 - /*
5311 - * BSS section
5312 - */
5313 --.section ".bss.page_aligned","wa"
5314 -+.section .swapper_pg_dir,"a",@progbits
5315 - .align PAGE_SIZE_asm
5316 - ENTRY(swapper_pg_dir)
5317 -+#ifdef CONFIG_X86_PAE
5318 -+ .long swapper_pm_dir-__PAGE_OFFSET+1
5319 -+ .long 0
5320 -+ .long swapper_pm_dir+512*8-__PAGE_OFFSET+1
5321 -+ .long 0
5322 -+ .long swapper_pm_dir+512*16-__PAGE_OFFSET+1
5323 -+ .long 0
5324 -+ .long swapper_pm_dir+512*24-__PAGE_OFFSET+1
5325 -+ .long 0
5326 -+#else
5327 - .fill 1024,4,0
5328 -+#endif
5329 -+
5330 -+.section .swapper_pm_dir,"a",@progbits
5331 -+#ifdef CONFIG_X86_PAE
5332 -+ENTRY(swapper_pm_dir)
5333 -+ .fill 512,8,0
5334 -+ .fill 512,8,0
5335 -+ .fill 512,8,0
5336 -+ .fill 512,8,0
5337 -+#endif
5338 -+
5339 - ENTRY(swapper_pg_pmd)
5340 - .fill 1024,4,0
5341 -+
5342 -+.section .empty_zero_page,"a",@progbits
5343 - ENTRY(empty_zero_page)
5344 - .fill 4096,1,0
5345 -
5346 - /*
5347 -+ * The IDT has to be page-aligned to simplify the Pentium
5348 -+ * F0 0F bug workaround.. We have a special link segment
5349 -+ * for this.
5350 -+ */
5351 -+.section .idt,"a",@progbits
5352 -+ENTRY(idt_table)
5353 -+ .fill 256,8,0
5354 -+
5355 -+/*
5356 - * This starts the data section.
5357 - */
5358 - .data
5359 -+
5360 -+.section .rodata,"a",@progbits
5361 - ENTRY(stack_start)
5362 -- .long init_thread_union+THREAD_SIZE
5363 -+ .long init_thread_union+THREAD_SIZE-8
5364 - .long __BOOT_DS
5365 -
5366 - ready: .byte 0
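Review bot: the `.data` directive is immediately overridden by `.section .rodata,"a",@progbits`, so it is dead code and the comment `This starts the data section.` above it is now misleading; drop one or the other. More importantly, `stack_start` moves into `.rodata`: if anything updates it at run time (secondary CPU bring-up is the usual writer) that write must now go through the KERNEXEC open/close path, or the label has to stay in a writable section. In the PAE `swapper_pg_dir` entries the trailing `+1` is the Present bit; spelling it as `_PAGE_PRESENT`, the way the x86_64 tables use `_KERNPG_TABLE`, would make the intent obvious.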
5367 -@@ -615,7 +714,7 @@ idt_descr:
5368 - .word 0 # 32 bit align gdt_desc.address
5369 - ENTRY(early_gdt_descr)
5370 - .word GDT_ENTRIES*8-1
5371 -- .long per_cpu__gdt_page /* Overwritten for secondary CPUs */
5372 -+ .long cpu_gdt_table /* Overwritten for secondary CPUs */
5373 -
5374 - /*
5375 - * The boot_gdt must mirror the equivalent in setup.S and is
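Review bot: the comment `/* Overwritten for secondary CPUs */` survives unchanged next to the new `.long cpu_gdt_table`; say where the secondary CPUs' tables now live (the `(NR_CPUS-1) * (PAGE_SIZE_asm)` fill after `cpu_gdt_table` in the next hunk) so the descriptor and the table layout stay in step.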
5376 -@@ -624,5 +723,61 @@ ENTRY(early_gdt_descr)
5377 - .align L1_CACHE_BYTES
5378 - ENTRY(boot_gdt)
5379 - .fill GDT_ENTRY_BOOT_CS,8,0
5380 -- .quad 0x00cf9a000000ffff /* kernel 4GB code at 0x00000000 */
5381 -- .quad 0x00cf92000000ffff /* kernel 4GB data at 0x00000000 */
5382 -+ .quad 0x00cf9b000000ffff /* kernel 4GB code at 0x00000000 */
5383 -+ .quad 0x00cf93000000ffff /* kernel 4GB data at 0x00000000 */
5384 -+
5385 -+ .align PAGE_SIZE_asm
5386 -+ENTRY(cpu_gdt_table)
5387 -+ .quad 0x0000000000000000 /* NULL descriptor */
5388 -+ .quad 0x0000000000000000 /* 0x0b reserved */
5389 -+ .quad 0x0000000000000000 /* 0x13 reserved */
5390 -+ .quad 0x0000000000000000 /* 0x1b reserved */
5391 -+ .quad 0x0000000000000000 /* 0x20 unused */
5392 -+ .quad 0x0000000000000000 /* 0x28 unused */
5393 -+ .quad 0x0000000000000000 /* 0x33 TLS entry 1 */
5394 -+ .quad 0x0000000000000000 /* 0x3b TLS entry 2 */
5395 -+ .quad 0x0000000000000000 /* 0x43 TLS entry 3 */
5396 -+ .quad 0x0000000000000000 /* 0x4b reserved */
5397 -+ .quad 0x0000000000000000 /* 0x53 reserved */
5398 -+ .quad 0x0000000000000000 /* 0x5b reserved */
5399 -+
5400 -+ .quad 0x00cf9b000000ffff /* 0x60 kernel 4GB code at 0x00000000 */
5401 -+ .quad 0x00cf93000000ffff /* 0x68 kernel 4GB data at 0x00000000 */
5402 -+ .quad 0x00cffb000000ffff /* 0x73 user 4GB code at 0x00000000 */
5403 -+ .quad 0x00cff3000000ffff /* 0x7b user 4GB data at 0x00000000 */
5404 -+
5405 -+ .quad 0x0000000000000000 /* 0x80 TSS descriptor */
5406 -+ .quad 0x0000000000000000 /* 0x88 LDT descriptor */
5407 -+
5408 -+ /*
5409 -+ * Segments used for calling PnP BIOS have byte granularity.
5410 -+ * The code segments and data segments have fixed 64k limits,
5411 -+ * the transfer segment sizes are set at run time.
5412 -+ */
5413 -+ .quad 0x00409b000000ffff /* 0x90 32-bit code */
5414 -+ .quad 0x00009b000000ffff /* 0x98 16-bit code */
5415 -+ .quad 0x000093000000ffff /* 0xa0 16-bit data */
5416 -+ .quad 0x0000930000000000 /* 0xa8 16-bit data */
5417 -+ .quad 0x0000930000000000 /* 0xb0 16-bit data */
5418 -+
5419 -+ /*
5420 -+ * The APM segments have byte granularity and their bases
5421 -+ * are set at run time. All have 64k limits.
5422 -+ */
5423 -+ .quad 0x00409b000000ffff /* 0xb8 APM CS code */
5424 -+ .quad 0x00009b000000ffff /* 0xc0 APM CS 16 code (16 bit) */
5425 -+ .quad 0x004093000000ffff /* 0xc8 APM DS data */
5426 -+
5427 -+ .quad 0x00c0930000000000 /* 0xd0 - ESPFIX SS */
5428 -+ .quad 0x0040930000000000 /* 0xd8 - PERCPU */
5429 -+ .quad 0x0000000000000000 /* 0xe0 - PCIBIOS_CS */
5430 -+ .quad 0x0000000000000000 /* 0xe8 - PCIBIOS_DS */
5431 -+ .quad 0x0000000000000000 /* 0xf0 - unused */
5432 -+ .quad 0x0000000000000000 /* 0xf8 - GDT entry 31: double-fault TSS */
5433 -+
5434 -+ /* Be sure this is zeroed to avoid false validations in Xen */
5435 -+ .fill PAGE_SIZE_asm - GDT_ENTRIES,1,0
5436 -+
5437 -+#ifdef CONFIG_SMP
5438 -+ .fill (NR_CPUS-1) * (PAGE_SIZE_asm),1,0 /* other CPU's GDT */
5439 -+#endif
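Review bot: `.fill PAGE_SIZE_asm - GDT_ENTRIES,1,0` pads with (PAGE_SIZE_asm - GDT_ENTRIES) bytes, but the descriptors before it occupy GDT_ENTRIES*8 bytes, so the first table ends 7*GDT_ENTRIES bytes past the page boundary and the per-CPU copies laid out by `.fill (NR_CPUS-1) * (PAGE_SIZE_asm),1,0` are no longer exactly one page from `cpu_gdt_table`; use the form the x86_64 hunk uses, `.fill PAGE_SIZE_asm/8 - GDT_ENTRIES,8,0`. The descriptor changes 0x9a -> 0x9b and 0x92 -> 0x93 pre-set the Accessed bit, which spares the CPU a write into a GDT that may now be read-only; that reasoning belongs in a comment next to `boot_gdt`.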
5440 -diff -urNp linux-2.6.24.4/arch/x86/kernel/head64.c linux-2.6.24.4/arch/x86/kernel/head64.c
5441 ---- linux-2.6.24.4/arch/x86/kernel/head64.c 2008-03-24 14:49:18.000000000 -0400
5442 -+++ linux-2.6.24.4/arch/x86/kernel/head64.c 2008-03-26 17:56:55.000000000 -0400
5443 -@@ -24,7 +24,7 @@ static void __init zap_identity_mappings
5444 - {
5445 - pgd_t *pgd = pgd_offset_k(0UL);
5446 - pgd_clear(pgd);
5447 -- __flush_tlb();
5448 -+ __flush_tlb_all();
5449 - }
5450 -
5451 - /* Don't add a printk in there. printk relies on the PDA which is not initialized
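Review bot: `__flush_tlb_all()` also invalidates global (PGE) translations, which the `__flush_tlb()` it replaces leaves cached; that is the right call if the identity-mapping entries removed by `pgd_clear(pgd)` can be marked global, and a one-line comment saying so would save the next reader the question.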
5452 -@@ -56,16 +56,17 @@ void __init x86_64_start_kernel(char * r
5453 - /* Make NULL pointers segfault */
5454 - zap_identity_mappings();
5455 -
5456 -+ for (i = 0; i < NR_CPUS; i++)
5457 -+ cpu_pda(i) = &boot_cpu_pda[i];
5458 -+
5459 -+ pda_init(0);
5460 -+
5461 - for (i = 0; i < IDT_ENTRIES; i++)
5462 - set_intr_gate(i, early_idt_handler);
5463 - load_idt((const struct desc_ptr *)&idt_descr);
5464 -
5465 - early_printk("Kernel alive\n");
5466 -
5467 -- for (i = 0; i < NR_CPUS; i++)
5468 -- cpu_pda(i) = &boot_cpu_pda[i];
5469 --
5470 -- pda_init(0);
5471 - copy_bootdata(__va(real_mode_data));
5472 - #ifdef CONFIG_SMP
5473 - cpu_set(0, cpu_online_map);
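Review bot: the comment above this function, `Don't add a printk in there. printk relies on the PDA which is not initialized`, now describes the old ordering: the `cpu_pda(i) = &boot_cpu_pda[i]` loop and `pda_init(0)` run before the `set_intr_gate()` loop, so the PDA is live before any early exception can be taken. Update the comment to match, and note the reason for the reorder (an early fault handler touching the PDA).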
5474 -diff -urNp linux-2.6.24.4/arch/x86/kernel/head_64.S linux-2.6.24.4/arch/x86/kernel/head_64.S
5475 ---- linux-2.6.24.4/arch/x86/kernel/head_64.S 2008-03-24 14:49:18.000000000 -0400
5476 -+++ linux-2.6.24.4/arch/x86/kernel/head_64.S 2008-03-26 17:56:55.000000000 -0400
5477 -@@ -173,6 +173,10 @@ ENTRY(secondary_startup_64)
5478 - btl $20,%edi /* No Execute supported? */
5479 - jnc 1f
5480 - btsl $_EFER_NX, %eax
5481 -+ movq $(init_level4_pgt), %rdi
5482 -+ addq phys_base(%rip), %rdi
5483 -+ btsq $_PAGE_BIT_NX, 8*258(%rdi)
5484 -+ btsq $_PAGE_BIT_NX, 8*388(%rdi)
5485 - 1: wrmsr /* Make changes effective */
5486 -
5487 - /* Setup cr0 */
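Review bot: `8*258(%rdi)` and `8*388(%rdi)` are magic indices into `init_level4_pgt`; they correspond to the second `level3_ident_pgt` entry and the new `level3_vmalloc_pgt` entry defined later in this file, so they need a comment tying them to that layout (like the existing `/* (2^48-...)/(2^39) = 511 */` one), otherwise a change to the table silently sets NX on the wrong PGD entries. Also, %rdi still held the CPUID result just tested by `btl $20,%edi` and is clobbered by `movq $(init_level4_pgt), %rdi`; fine as long as nothing later in `secondary_startup_64` expects it.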
5488 -@@ -242,24 +246,25 @@ ENTRY(secondary_startup_64)
5489 - pushq %rax # target address in negative space
5490 - lretq
5491 -
5492 -+bad_address:
5493 -+ jmp bad_address
5494 -+
5495 - /* SMP bootup changes these two */
5496 --#ifndef CONFIG_HOTPLUG_CPU
5497 -- .pushsection .init.data
5498 -+#ifdef CONFIG_HOTPLUG_CPU
5499 -+ __INITDATA_REFOK
5500 -+#else
5501 -+ __INITDATA
5502 - #endif
5503 - .align 8
5504 - .globl initial_code
5505 - initial_code:
5506 - .quad x86_64_start_kernel
5507 --#ifndef CONFIG_HOTPLUG_CPU
5508 -- .popsection
5509 --#endif
5510 -+
5511 - .globl init_rsp
5512 - init_rsp:
5513 - .quad init_thread_union+THREAD_SIZE-8
5514 -
5515 --bad_address:
5516 -- jmp bad_address
5517 --
5518 -+ __INIT
5519 - ENTRY(early_idt_handler)
5520 - cmpl $2,early_recursion_flag(%rip)
5521 - jz 1f
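Review bot: `initial_code` and `init_rsp` are written during SMP bring-up (the retained `/* SMP bootup changes these two */`), so with CONFIG_HOTPLUG_CPU they must outlive free_initmem(); replacing the old `#ifndef CONFIG_HOTPLUG_CPU .pushsection .init.data` with `__INITDATA_REFOK` relies on the linker script keeping that section out of the discarded init range, which should be confirmed and stated in a comment. `bad_address:` / `jmp bad_address` moves up to sit in whatever section precedes the data block; putting it under the `__INIT` that now covers `early_idt_handler` would make its placement explicit.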
5522 -@@ -280,9 +285,12 @@ ENTRY(early_idt_handler)
5523 - #endif
5524 - 1: hlt
5525 - jmp 1b
5526 -+
5527 -+ __INITDATA
5528 - early_recursion_flag:
5529 - .long 0
5530 -
5531 -+ .section .rodata,"a",@progbits
5532 - early_idt_msg:
5533 - .asciz "PANIC: early exception rip %lx error %lx cr2 %lx\n"
5534 - early_idt_ripmsg:
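Review bot: the `.section .rodata,"a",@progbits` switch before `early_idt_msg` is never undone in this hunk, so everything assembled after it (the `NEXT_PAGE` page tables and, once the later hunk removes `.data`, `cpu_gdt_descr` as well) inherits `.rodata`; if read-only page tables and GDT are the intent under KERNEXEC, say so in a comment, since it is a visible behaviour change. `early_recursion_flag` going to `__INITDATA` while `early_idt_handler` sits under `__INIT` is consistent.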
5535 -@@ -312,7 +320,9 @@ NEXT_PAGE(init_level4_pgt)
5536 - .quad level3_ident_pgt - __START_KERNEL_map + _KERNPG_TABLE
5537 - .fill 257,8,0
5538 - .quad level3_ident_pgt - __START_KERNEL_map + _KERNPG_TABLE
5539 -- .fill 252,8,0
5540 -+ .fill 129,8,0
5541 -+ .quad level3_vmalloc_pgt - __START_KERNEL_map + _KERNPG_TABLE
5542 -+ .fill 122,8,0
5543 - /* (2^48-(2*1024*1024*1024))/(2^39) = 511 */
5544 - .quad level3_kernel_pgt - __START_KERNEL_map + _PAGE_TABLE
5545 -
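Review bot: the new `.fill 129,8,0` / `.quad level3_vmalloc_pgt ...` / `.fill 122,8,0` split keeps `init_level4_pgt` at 512 entries (1 + 257 + 1 + 129 + 1 + 122 + 1) and places `level3_vmalloc_pgt` at index 388, which matches the `btsq $_PAGE_BIT_NX, 8*388(%rdi)` in `secondary_startup_64`; add a comment giving the index, like the `= 511` comment already present, so the two places cannot drift apart.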
5546 -@@ -320,6 +330,9 @@ NEXT_PAGE(level3_ident_pgt)
5547 - .quad level2_ident_pgt - __START_KERNEL_map + _KERNPG_TABLE
5548 - .fill 511,8,0
5549 -
5550 -+NEXT_PAGE(level3_vmalloc_pgt)
5551 -+ .fill 512,8,0
5552 -+
5553 - NEXT_PAGE(level3_kernel_pgt)
5554 - .fill 510,8,0
5555 - /* (2^48-(2*1024*1024*1024)-((2^39)*511))/(2^30) = 510 */
5556 -@@ -355,19 +368,12 @@ NEXT_PAGE(level2_spare_pgt)
5557 - #undef PMDS
5558 - #undef NEXT_PAGE
5559 -
5560 -- .data
5561 - .align 16
5562 - .globl cpu_gdt_descr
5563 - cpu_gdt_descr:
5564 -- .word gdt_end-cpu_gdt_table-1
5565 -+ .word GDT_SIZE-1
5566 - gdt:
5567 - .quad cpu_gdt_table
5568 --#ifdef CONFIG_SMP
5569 -- .rept NR_CPUS-1
5570 -- .word 0
5571 -- .quad 0
5572 -- .endr
5573 --#endif
5574 -
5575 - ENTRY(phys_base)
5576 - /* This must match the first entry in level2_kernel_pgt */
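Review bot: with `.data` removed and the `.rept NR_CPUS-1` descriptor array gone, `cpu_gdt_descr`, `gdt` and `phys_base` land in whatever section is current, which is the `.rodata` selected before `early_idt_msg`; if `phys_base` is patched during early boot (the relocatable-kernel fixup), confirm those writes happen before the rodata protection is applied. `.word GDT_SIZE-1` in place of `gdt_end-cpu_gdt_table-1` is cleaner but loses the assembler-computed size, leaving the `asm/segment.h:GDT_ENTRIES must match this` comment as the only guard.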
5577 -@@ -377,8 +383,7 @@ ENTRY(phys_base)
5578 - * IRET will check the segment types kkeil 2000/10/28
5579 - * Also sysret mandates a special GDT layout
5580 - */
5581 --
5582 -- .section .data.page_aligned, "aw"
5583 -+
5584 - .align PAGE_SIZE
5585 -
5586 - /* The TLS descriptors are currently at a different place compared to i386.
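Review bot: removing `.section .data.page_aligned, "aw"` leaves `cpu_gdt_table` in the read-only section selected earlier, yet the GDT contains entries the kernel rewrites at run time (the `/* LDT */` slot, the TLS descriptors, and the `/* node/CPU stored in limit */` entry in the next hunk); every such writer now needs the KERNEXEC open/close path, and a comment here should state that the table is intentionally read-only.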
5587 -@@ -397,15 +402,15 @@ ENTRY(cpu_gdt_table)
5588 - .quad 0,0 /* LDT */
5589 - .quad 0,0,0 /* three TLS descriptors */
5590 - .quad 0x0000f40000000000 /* node/CPU stored in limit */
5591 --gdt_end:
5592 - /* asm/segment.h:GDT_ENTRIES must match this */
5593 - /* This should be a multiple of the cache line size */
5594 -- /* GDTs of other CPUs are now dynamically allocated */
5595 -
5596 - /* zero the remaining page */
5597 - .fill PAGE_SIZE / 8 - GDT_ENTRIES,8,0
5598 -+#ifdef CONFIG_SMP
5599 -+ .fill (NR_CPUS-1) * (PAGE_SIZE),1,0 /* other CPU's GDT */
5600 -+#endif
5601 -
5602 -- .section .bss, "aw", @nobits
5603 - .align L1_CACHE_BYTES
5604 - ENTRY(idt_table)
5605 - .skip 256 * 16
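Review bot: `.fill PAGE_SIZE / 8 - GDT_ENTRIES,8,0` correctly pads the table to a page boundary before the `(NR_CPUS-1) * (PAGE_SIZE)` per-CPU copies, whereas the head_32.S hunk uses a byte count of `PAGE_SIZE_asm - GDT_ENTRIES`; the two should use the same arithmetic. `idt_table` also loses its `.section .bss, "aw", @nobits` and becomes read-only initialised data; `set_intr_gate()` in head64.c still writes it during early boot, which works only while the early page tables are writable, so later IDT updates need the open/close wrapper.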
5606 -diff -urNp linux-2.6.24.4/arch/x86/kernel/hpet.c linux-2.6.24.4/arch/x86/kernel/hpet.c
5607 ---- linux-2.6.24.4/arch/x86/kernel/hpet.c 2008-03-24 14:49:18.000000000 -0400
5608 -+++ linux-2.6.24.4/arch/x86/kernel/hpet.c 2008-03-26 17:56:55.000000000 -0400
5609 -@@ -137,7 +137,7 @@ static void hpet_reserve_platform_timers
5610 - hd.hd_irq[1] = HPET_LEGACY_RTC;
5611 -
5612 - for (i = 2; i < nrtimers; timer++, i++)
5613 -- hd.hd_irq[i] = (timer->hpet_config & Tn_INT_ROUTE_CNF_MASK) >>
5614 -+ hd.hd_irq[i] = (readl(&timer->hpet_config) & Tn_INT_ROUTE_CNF_MASK) >>
5615 - Tn_INT_ROUTE_CNF_SHIFT;
5616 -
5617 - hpet_alloc(&hd);
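Review bot: any remaining direct reads of `timer->` fields in `hpet_reserve_platform_timers` should get the same treatment as `readl(&timer->hpet_config)` here, since dereferencing ioremap()ed MMIO through a plain struct pointer is exactly the pattern this hunk fixes; `readl()` is the right accessor (volatile, ordered, 32-bit).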
5618 -diff -urNp linux-2.6.24.4/arch/x86/kernel/i386_ksyms_32.c linux-2.6.24.4/arch/x86/kernel/i386_ksyms_32.c
5619 ---- linux-2.6.24.4/arch/x86/kernel/i386_ksyms_32.c 2008-03-24 14:49:18.000000000 -0400
5620 -+++ linux-2.6.24.4/arch/x86/kernel/i386_ksyms_32.c 2008-03-26 17:56:55.000000000 -0400
5621 -@@ -4,12 +4,16 @@
5622 - #include <asm/desc.h>
5623 - #include <asm/pgtable.h>
5624 -
5625 -+EXPORT_SYMBOL_GPL(cpu_gdt_table);
5626 -+
5627 - EXPORT_SYMBOL(__down_failed);
5628 - EXPORT_SYMBOL(__down_failed_interruptible);
5629 - EXPORT_SYMBOL(__down_failed_trylock);
5630 - EXPORT_SYMBOL(__up_wakeup);
5631 - /* Networking helper routines. */
5632 - EXPORT_SYMBOL(csum_partial_copy_generic);
5633 -+EXPORT_SYMBOL(csum_partial_copy_generic_to_user);
5634 -+EXPORT_SYMBOL(csum_partial_copy_generic_from_user);
5635 -
5636 - EXPORT_SYMBOL(__get_user_1);
5637 - EXPORT_SYMBOL(__get_user_2);
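Review bot: `EXPORT_SYMBOL_GPL(cpu_gdt_table)` hands modules a pointer to the live GDT; the _GPL restriction is appropriate, but the in-tree user that needs it should be named in a comment so the export can be removed when that user is gone. `csum_partial_copy_generic_to_user` and `csum_partial_copy_generic_from_user` are exported here, so their definitions (presumably in the checksum assembly) must be part of this patchset.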
5638 -@@ -31,3 +35,7 @@ EXPORT_SYMBOL(__read_lock_failed);
5639 -
5640 - EXPORT_SYMBOL(csum_partial);
5641 - EXPORT_SYMBOL(empty_zero_page);
5642 -+
5643 -+#ifdef CONFIG_PAX_KERNEXEC
5644 -+EXPORT_SYMBOL(KERNEL_TEXT_OFFSET);
5645 -+#endif
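Review bot: `EXPORT_SYMBOL(KERNEL_TEXT_OFFSET)` exposes the KERNEXEC text displacement to every module, which the `ktla_ktva()` users elsewhere in the patch need; since it is a linker-provided symbol rather than a C object, a comment saying where it is defined and that `EXPORT_SYMBOL` is being applied to a symbol, not a variable, would help maintainers.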
5646 -diff -urNp linux-2.6.24.4/arch/x86/kernel/init_task.c linux-2.6.24.4/arch/x86/kernel/init_task.c
5647 ---- linux-2.6.24.4/arch/x86/kernel/init_task.c 2008-03-24 14:49:18.000000000 -0400
5648 -+++ linux-2.6.24.4/arch/x86/kernel/init_task.c 2008-03-26 17:56:55.000000000 -0400
5649 -@@ -43,5 +43,4 @@ EXPORT_SYMBOL(init_task);
5650 - * section. Since TSS's are completely CPU-local, we want them
5651 - * on exact cacheline boundaries, to eliminate cacheline ping-pong.
5652 - */
5653 --DEFINE_PER_CPU_SHARED_ALIGNED(struct tss_struct, init_tss) = INIT_TSS;
5654 --
5655 -+struct tss_struct init_tss[NR_CPUS] ____cacheline_internodealigned_in_smp = { [0 ... NR_CPUS-1] = INIT_TSS };
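Review bot: the fixed `init_tss[NR_CPUS]` array costs `sizeof(struct tss_struct) * NR_CPUS` of static memory regardless of the CPUs present, unlike the `DEFINE_PER_CPU_SHARED_ALIGNED` it replaces, and it pairs with the `tss = init_tss + get_cpu()` changes in ioport_32.c and ioport_64.c; `____cacheline_internodealigned_in_smp` keeps the cacheline isolation the comment above asks for, but the motivation (presumably a fixed, non-per-cpu address the GDT can reference) should be recorded next to the definition.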
5656 -diff -urNp linux-2.6.24.4/arch/x86/kernel/ioport_32.c linux-2.6.24.4/arch/x86/kernel/ioport_32.c
5657 ---- linux-2.6.24.4/arch/x86/kernel/ioport_32.c 2008-03-24 14:49:18.000000000 -0400
5658 -+++ linux-2.6.24.4/arch/x86/kernel/ioport_32.c 2008-03-26 17:56:55.000000000 -0400
5659 -@@ -14,6 +14,7 @@
5660 - #include <linux/slab.h>
5661 - #include <linux/thread_info.h>
5662 - #include <linux/syscalls.h>
5663 -+#include <linux/grsecurity.h>
5664 -
5665 - /* Set EXTENT bits starting at BASE in BITMAP to value TURN_ON. */
5666 - static void set_bitmap(unsigned long *bitmap, unsigned int base, unsigned int extent, int new_value)
5667 -@@ -62,9 +63,16 @@ asmlinkage long sys_ioperm(unsigned long
5668 -
5669 - if ((from + num <= from) || (from + num > IO_BITMAP_BITS))
5670 - return -EINVAL;
5671 -+#ifdef CONFIG_GRKERNSEC_IO
5672 -+ if (turn_on) {
5673 -+ gr_handle_ioperm();
5674 -+#else
5675 - if (turn_on && !capable(CAP_SYS_RAWIO))
5676 -+#endif
5677 - return -EPERM;
5678 --
5679 -+#ifdef CONFIG_GRKERNSEC_IO
5680 -+ }
5681 -+#endif
5682 - /*
5683 - * If it's the first ioperm() call in this thread's lifetime, set the
5684 - * IO bitmap up. ioperm() is much less timing critical than clone(),
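Review bot: under CONFIG_GRKERNSEC_IO every `turn_on` request is refused with -EPERM even for CAP_SYS_RAWIO holders, with `gr_handle_ioperm()` presumably doing the audit logging; that is the intended hardening, but the layout opens a brace inside one preprocessor branch and closes it in a second `#ifdef` block, which is hard to read and easy to break. Two self-contained blocks read better: `#ifdef CONFIG_GRKERNSEC_IO` / `if (turn_on) { gr_handle_ioperm(); return -EPERM; }` / `#else` / `if (turn_on && !capable(CAP_SYS_RAWIO)) return -EPERM;` / `#endif`.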
5685 -@@ -87,7 +95,7 @@ asmlinkage long sys_ioperm(unsigned long
5686 - * because the ->io_bitmap_max value must match the bitmap
5687 - * contents:
5688 - */
5689 -- tss = &per_cpu(init_tss, get_cpu());
5690 -+ tss = init_tss + get_cpu();
5691 -
5692 - set_bitmap(t->io_bitmap_ptr, from, num, !turn_on);
5693 -
5694 -@@ -141,8 +149,13 @@ asmlinkage long sys_iopl(unsigned long u
5695 - return -EINVAL;
5696 - /* Trying to gain more privileges? */
5697 - if (level > old) {
5698 -+#ifdef CONFIG_GRKERNSEC_IO
5699 -+ gr_handle_iopl();
5700 -+ return -EPERM;
5701 -+#else
5702 - if (!capable(CAP_SYS_RAWIO))
5703 - return -EPERM;
5704 -+#endif
5705 - }
5706 - t->iopl = level << 12;
5707 - regs->eflags = (regs->eflags & ~X86_EFLAGS_IOPL) | t->iopl;
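Review bot: under CONFIG_GRKERNSEC_IO the `sys_iopl` privilege-raise path is the unconditional `gr_handle_iopl(); return -EPERM;`, so no process can raise IOPL at all; that is consistent with the `sys_ioperm` change and a sensible default for a hardened kernel, but the Kconfig help for GRKERNSEC_IO must state that CAP_SYS_RAWIO no longer grants port access.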
5708 -diff -urNp linux-2.6.24.4/arch/x86/kernel/ioport_64.c linux-2.6.24.4/arch/x86/kernel/ioport_64.c
5709 ---- linux-2.6.24.4/arch/x86/kernel/ioport_64.c 2008-03-24 14:49:18.000000000 -0400
5710 -+++ linux-2.6.24.4/arch/x86/kernel/ioport_64.c 2008-03-26 17:56:55.000000000 -0400
5711 -@@ -14,6 +14,7 @@
5712 - #include <linux/slab.h>
5713 - #include <linux/thread_info.h>
5714 - #include <linux/syscalls.h>
5715 -+#include <linux/grsecurity.h>
5716 -
5717 - /* Set EXTENT bits starting at BASE in BITMAP to value TURN_ON. */
5718 - static void set_bitmap(unsigned long *bitmap, unsigned int base, unsigned int extent, int new_value)
5719 -@@ -39,8 +40,17 @@ asmlinkage long sys_ioperm(unsigned long
5720 -
5721 - if ((from + num <= from) || (from + num > IO_BITMAP_BITS))
5722 - return -EINVAL;
5723 -+
5724 -+#ifdef CONFIG_GRKERNSEC_IO
5725 -+ if (turn_on) {
5726 -+ gr_handle_ioperm();
5727 -+#else
5728 - if (turn_on && !capable(CAP_SYS_RAWIO))
5729 -+#endif
5730 - return -EPERM;
5731 -+#ifdef CONFIG_GRKERNSEC_IO
5732 -+ }
5733 -+#endif
5734 -
5735 - /*
5736 - * If it's the first ioperm() call in this thread's lifetime, set the
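Review bot: this is the same brace-split `#ifdef CONFIG_GRKERNSEC_IO` construct as in ioport_32.c, with identical logic; a shared inline helper in the grsecurity header (for example a hypothetical `gr_ioperm_allowed(turn_on)` returning 0 or -EPERM) would remove both the duplication and the awkward preprocessor interleaving.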
5737 -@@ -64,7 +74,7 @@ asmlinkage long sys_ioperm(unsigned long
5738 - * because the ->io_bitmap_max value must match the bitmap
5739 - * contents:
5740 - */
5741 -- tss = &per_cpu(init_tss, get_cpu());
5742 -+ tss = init_tss + get_cpu();
5743 -
5744 - set_bitmap(t->io_bitmap_ptr, from, num, !turn_on);
5745 -
5746 -@@ -109,8 +119,13 @@ asmlinkage long sys_iopl(unsigned int le
5747 - return -EINVAL;
5748 - /* Trying to gain more privileges? */
5749 - if (level > old) {
5750 -+#ifdef CONFIG_GRKERNSEC_IO
5751 -+ gr_handle_iopl();
5752 -+ return -EPERM;
5753 -+#else
5754 - if (!capable(CAP_SYS_RAWIO))
5755 - return -EPERM;
5756 -+#endif
5757 - }
5758 - regs->eflags = (regs->eflags &~ X86_EFLAGS_IOPL) | (level << 12);
5759 - return 0;
5760 -diff -urNp linux-2.6.24.4/arch/x86/kernel/irq_32.c linux-2.6.24.4/arch/x86/kernel/irq_32.c
5761 ---- linux-2.6.24.4/arch/x86/kernel/irq_32.c 2008-03-24 14:49:18.000000000 -0400
5762 -+++ linux-2.6.24.4/arch/x86/kernel/irq_32.c 2008-03-26 17:56:55.000000000 -0400
5763 -@@ -115,7 +115,7 @@ fastcall unsigned int do_IRQ(struct pt_r
5764 - int arg1, arg2, ebx;
5765 -
5766 - /* build the stack frame on the IRQ stack */
5767 -- isp = (u32*) ((char*)irqctx + sizeof(*irqctx));
5768 -+ isp = (u32*) ((char*)irqctx + sizeof(*irqctx) - 8);
5769 - irqctx->tinfo.task = curctx->tinfo.task;
5770 - irqctx->tinfo.previous_esp = current_stack_pointer;
5771 -
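Review bot: `sizeof(*irqctx) - 8` leaves eight bytes of headroom at the top of the IRQ stack, the same `-8` used in `init_thread_union+THREAD_SIZE-8` in head_32.S and in the softirq hunk below; give the constant a name (a hypothetical `STACK_TOP_GAP`, say) and a comment stating why the top of the stack must not be used, otherwise the three literals will drift apart.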
5772 -@@ -211,7 +211,7 @@ asmlinkage void do_softirq(void)
5773 - irqctx->tinfo.previous_esp = current_stack_pointer;
5774 -
5775 - /* build the stack frame on the softirq stack */
5776 -- isp = (u32*) ((char*)irqctx + sizeof(*irqctx));
5777 -+ isp = (u32*) ((char*)irqctx + sizeof(*irqctx) - 8);
5778 -
5779 - asm volatile(
5780 - " xchgl %%ebx,%%esp \n"
5781 -diff -urNp linux-2.6.24.4/arch/x86/kernel/kprobes_32.c linux-2.6.24.4/arch/x86/kernel/kprobes_32.c
5782 ---- linux-2.6.24.4/arch/x86/kernel/kprobes_32.c 2008-03-24 14:49:18.000000000 -0400
5783 -+++ linux-2.6.24.4/arch/x86/kernel/kprobes_32.c 2008-03-26 17:56:55.000000000 -0400
5784 -@@ -55,9 +55,24 @@ static __always_inline void set_jmp_op(v
5785 - char op;
5786 - long raddr;
5787 - } __attribute__((packed)) *jop;
5788 -- jop = (struct __arch_jmp_op *)from;
5789 -+
5790 -+#ifdef CONFIG_PAX_KERNEXEC
5791 -+ unsigned long cr0;
5792 -+#endif
5793 -+
5794 -+ jop = (struct __arch_jmp_op *)(ktla_ktva(from));
5795 -+
5796 -+#ifdef CONFIG_PAX_KERNEXEC
5797 -+ pax_open_kernel(cr0);
5798 -+#endif
5799 -+
5800 - jop->raddr = (long)(to) - ((long)(from) + 5);
5801 - jop->op = RELATIVEJUMP_INSTRUCTION;
5802 -+
5803 -+#ifdef CONFIG_PAX_KERNEXEC
5804 -+ pax_close_kernel(cr0);
5805 -+#endif
5806 -+
5807 - }
5808 -
5809 - /*
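Review bot: `jop->raddr = (long)(to) - ((long)(from) + 5)` computes the displacement from the linear address `from` while the store goes through `ktla_ktva(from)`; that is correct (the jump executes at `from`, the write goes to the writable alias) but subtle enough to deserve a comment on the `jop = ...` line. The `pax_open_kernel(cr0)` / `pax_close_kernel(cr0)` pair keeps the write-enabled window to the two stores, which is the right granularity.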
5810 -@@ -159,14 +174,28 @@ static int __kprobes is_IF_modifier(kpro
5811 -
5812 - int __kprobes arch_prepare_kprobe(struct kprobe *p)
5813 - {
5814 -+
5815 -+#ifdef CONFIG_PAX_KERNEXEC
5816 -+ unsigned long cr0;
5817 -+#endif
5818 -+
5819 - /* insn: must be on special executable page on i386. */
5820 - p->ainsn.insn = get_insn_slot();
5821 - if (!p->ainsn.insn)
5822 - return -ENOMEM;
5823 -
5824 -- memcpy(p->ainsn.insn, p->addr, MAX_INSN_SIZE * sizeof(kprobe_opcode_t));
5825 -- p->opcode = *p->addr;
5826 -- if (can_boost(p->addr)) {
5827 -+#ifdef CONFIG_PAX_KERNEXEC
5828 -+ pax_open_kernel(cr0);
5829 -+#endif
5830 -+
5831 -+ memcpy(p->ainsn.insn, ktla_ktva(p->addr), MAX_INSN_SIZE * sizeof(kprobe_opcode_t));
5832 -+
5833 -+#ifdef CONFIG_PAX_KERNEXEC
5834 -+ pax_close_kernel(cr0);
5835 -+#endif
5836 -+
5837 -+ p->opcode = *(ktla_ktva(p->addr));
5838 -+ if (can_boost(ktla_ktva(p->addr))) {
5839 - p->ainsn.boostable = 0;
5840 - } else {
5841 - p->ainsn.boostable = -1;
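Review bot: the read side is consistent (`ktla_ktva(p->addr)` for the memcpy, `p->opcode` and `can_boost()`) and the only write, into `p->ainsn.insn`, is bracketed by open/close; the function now carries three `#ifdef CONFIG_PAX_KERNEXEC` blocks for one memcpy, though, and a small wrapper that does open/memcpy/close (compiling to plain memcpy without KERNEXEC) would cut the ifdef count here and in kprobes_64.c.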
5842 -@@ -225,7 +254,7 @@ static void __kprobes prepare_singlestep
5843 - if (p->opcode == BREAKPOINT_INSTRUCTION)
5844 - regs->eip = (unsigned long)p->addr;
5845 - else
5846 -- regs->eip = (unsigned long)p->ainsn.insn;
5847 -+ regs->eip = ktva_ktla((unsigned long)p->ainsn.insn);
5848 - }
5849 -
5850 - /* Called with kretprobe_lock held */
5851 -@@ -331,7 +360,7 @@ ss_probe:
5852 - if (p->ainsn.boostable == 1 && !p->post_handler){
5853 - /* Boost up -- we can execute copied instructions directly */
5854 - reset_current_kprobe();
5855 -- regs->eip = (unsigned long)p->ainsn.insn;
5856 -+ regs->eip = ktva_ktla((unsigned long)p->ainsn.insn);
5857 - preempt_enable_no_resched();
5858 - return 1;
5859 - }
5860 -@@ -481,7 +510,7 @@ static void __kprobes resume_execution(s
5861 - struct pt_regs *regs, struct kprobe_ctlblk *kcb)
5862 - {
5863 - unsigned long *tos = (unsigned long *)&regs->esp;
5864 -- unsigned long copy_eip = (unsigned long)p->ainsn.insn;
5865 -+ unsigned long copy_eip = ktva_ktla((unsigned long)p->ainsn.insn);
5866 - unsigned long orig_eip = (unsigned long)p->addr;
5867 -
5868 - regs->eflags &= ~TF_MASK;
5869 -@@ -655,7 +684,7 @@ int __kprobes kprobe_exceptions_notify(s
5870 - struct die_args *args = (struct die_args *)data;
5871 - int ret = NOTIFY_DONE;
5872 -
5873 -- if (args->regs && user_mode_vm(args->regs))
5874 -+ if (args->regs && user_mode(args->regs))
5875 - return ret;
5876 -
5877 - switch (val) {
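Review bot: `user_mode_vm()` also returns true when EFLAGS.VM is set, so replacing it with `user_mode()` means a fault raised from a vm86 task whose CS has RPL 0 is no longer filtered as user mode here and would be handled as a kernel kprobe event; if vm86 is unavailable in this configuration, say so in a comment, otherwise keep `user_mode_vm()`.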
5878 -diff -urNp linux-2.6.24.4/arch/x86/kernel/kprobes_64.c linux-2.6.24.4/arch/x86/kernel/kprobes_64.c
5879 ---- linux-2.6.24.4/arch/x86/kernel/kprobes_64.c 2008-03-24 14:49:18.000000000 -0400
5880 -+++ linux-2.6.24.4/arch/x86/kernel/kprobes_64.c 2008-03-26 17:56:55.000000000 -0400
5881 -@@ -190,7 +190,19 @@ static s32 __kprobes *is_riprel(u8 *insn
5882 - static void __kprobes arch_copy_kprobe(struct kprobe *p)
5883 - {
5884 - s32 *ripdisp;
5885 -+
5886 -+#ifdef CONFIG_PAX_KERNEXEC
5887 -+ unsigned long cr0;
5888 -+
5889 -+ pax_open_kernel(cr0);
5890 -+#endif
5891 -+
5892 - memcpy(p->ainsn.insn, p->addr, MAX_INSN_SIZE);
5893 -+
5894 -+#ifdef CONFIG_PAX_KERNEXEC
5895 -+ pax_close_kernel(cr0);
5896 -+#endif
5897 -+
5898 - ripdisp = is_riprel(p->ainsn.insn);
5899 - if (ripdisp) {
5900 - /*
5901 -@@ -208,7 +220,17 @@ static void __kprobes arch_copy_kprobe(s
5902 - */
5903 - s64 disp = (u8 *) p->addr + *ripdisp - (u8 *) p->ainsn.insn;
5904 - BUG_ON((s64) (s32) disp != disp); /* Sanity check. */
5905 -+
5906 -+#ifdef CONFIG_PAX_KERNEXEC
5907 -+ pax_open_kernel(cr0);
5908 -+#endif
5909 -+
5910 - *ripdisp = disp;
5911 -+
5912 -+#ifdef CONFIG_PAX_KERNEXEC
5913 -+ pax_close_kernel(cr0);
5914 -+#endif
5915 -+
5916 - }
5917 - p->opcode = *p->addr;
5918 - }
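Review bot: the x86_64 `memcpy(p->ainsn.insn, p->addr, MAX_INSN_SIZE)` still reads `p->addr` directly, whereas the 32-bit version reads via `ktla_ktva(p->addr)`; if x86_64 KERNEXEC has no text displacement that should be stated in a comment so the asymmetry is not mistaken for an omission. The second open/close pair around `*ripdisp = disp` reuses the `cr0` declared in the first `#ifdef` block, which is fine, but the two windows could be folded into one around both the memcpy and the fixup.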
5919 -diff -urNp linux-2.6.24.4/arch/x86/kernel/ldt_32.c linux-2.6.24.4/arch/x86/kernel/ldt_32.c
5920 ---- linux-2.6.24.4/arch/x86/kernel/ldt_32.c 2008-03-24 14:49:18.000000000 -0400
5921 -+++ linux-2.6.24.4/arch/x86/kernel/ldt_32.c 2008-03-26 17:56:55.000000000 -0400
5922 -@@ -56,7 +56,7 @@ static int alloc_ldt(mm_context_t *pc, i
5923 - #ifdef CONFIG_SMP
5924 - cpumask_t mask;
5925 - preempt_disable();
5926 -- load_LDT(pc);
5927 -+ load_LDT_nolock(pc);
5928 - mask = cpumask_of_cpu(smp_processor_id());
5929 - if (!cpus_equal(current->mm->cpu_vm_mask, mask))
5930 - smp_call_function(flush_ldt, NULL, 1, 1);
5931 -@@ -100,6 +100,22 @@ int init_new_context(struct task_struct
5932 - retval = copy_ldt(&mm->context, &old_mm->context);
5933 - mutex_unlock(&old_mm->context.lock);
5934 - }
5935 -+
5936 -+ if (tsk == current) {
5937 -+ mm->context.vdso = ~0UL;
5938 -+
5939 -+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
5940 -+ mm->context.user_cs_base = 0UL;
5941 -+ mm->context.user_cs_limit = ~0UL;
5942 -+
5943 -+#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP)
5944 -+ cpus_clear(mm->context.cpu_user_cs_mask);
5945 -+#endif
5946 -+
5947 -+#endif
5948 -+
5949 -+ }
5950 -+
5951 - return retval;
5952 - }
5953 -
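Review bot: the `if (tsk == current)` guard around `mm->context.vdso = ~0UL` and the user_cs initialisation needs a comment: it appears to distinguish a freshly allocated mm (`tsk == current`) from a fork-copied one that inherits the parent's values, and a reader without that context will wonder why a child's mm can be left untouched. `cpus_clear(mm->context.cpu_user_cs_mask)` is only reached under PAGEEXEC && SMP, so the field must be declared under the same conditions in the header.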
5954 -@@ -210,6 +226,13 @@ static int write_ldt(void __user * ptr,
5955 - }
5956 - }
5957 -
5958 -+#ifdef CONFIG_PAX_SEGMEXEC
5959 -+ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (ldt_info.contents & MODIFY_LDT_CONTENTS_CODE)) {
5960 -+ error = -EINVAL;
5961 -+ goto out_unlock;
5962 -+ }
5963 -+#endif
5964 -+
5965 - entry_1 = LDT_entry_a(&ldt_info);
5966 - entry_2 = LDT_entry_b(&ldt_info);
5967 - if (oldmode)
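Review bot: refusing `MODIFY_LDT_CONTENTS_CODE` entries when `MF_PAX_SEGMEXEC` is set is the right enforcement (a user-installed code segment with its own base and limit would otherwise sidestep the segment-based split); two small points: -EINVAL suggests a malformed request while this is a policy refusal, so -EPERM may fit better, and the refusal is silent, whereas the other grsecurity denials in this patch go through a `gr_handle_*` audit hook.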
5968 -diff -urNp linux-2.6.24.4/arch/x86/kernel/machine_kexec_32.c linux-2.6.24.4/arch/x86/kernel/machine_kexec_32.c
5969 ---- linux-2.6.24.4/arch/x86/kernel/machine_kexec_32.c 2008-03-24 14:49:18.000000000 -0400
5970 -+++ linux-2.6.24.4/arch/x86/kernel/machine_kexec_32.c 2008-03-26 17:56:55.000000000 -0400
5971 -@@ -30,25 +30,25 @@ static u32 kexec_pmd1[1024] PAGE_ALIGNED
5972 - static u32 kexec_pte0[1024] PAGE_ALIGNED;
5973 - static u32 kexec_pte1[1024] PAGE_ALIGNED;
5974 -
5975 --static void set_idt(void *newidt, __u16 limit)
5976 -+static void set_idt(struct desc_struct *newidt, __u16 limit)
5977 - {
5978 - struct Xgt_desc_struct curidt;
5979 -
5980 - /* ia32 supports unaliged loads & stores */
5981 - curidt.size = limit;
5982 -- curidt.address = (unsigned long)newidt;
5983 -+ curidt.address = newidt;
5984 -
5985 - load_idt(&curidt);
5986 - };
5987 -
5988 -
5989 --static void set_gdt(void *newgdt, __u16 limit)
5990 -+static void set_gdt(struct desc_struct *newgdt, __u16 limit)
5991 - {
5992 - struct Xgt_desc_struct curgdt;
5993 -
5994 - /* ia32 supports unaligned loads & stores */
5995 - curgdt.size = limit;
5996 -- curgdt.address = (unsigned long)newgdt;
5997 -+ curgdt.address = newgdt;
5998 -
5999 - load_gdt(&curgdt);
6000 - };
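Review bot: `curidt.address = newidt;` and `curgdt.address = newgdt;` only compile if `struct Xgt_desc_struct.address` has been changed from `unsigned long` to a `struct desc_struct *` elsewhere in this patchset; that dependency should be noted, and the callers of `set_idt`/`set_gdt` must have been updated to the new pointer type. The context typo `unaliged` could be fixed while the function is being touched.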
6001 -@@ -111,10 +111,10 @@ NORET_TYPE void machine_kexec(struct kim
6002 - local_irq_disable();
6003 -
6004 - control_page = page_address(image->control_code_page);
6005 -- memcpy(control_page, relocate_kernel, PAGE_SIZE);
6006 -+ memcpy(control_page, ktla_ktva(relocate_kernel), PAGE_SIZE);
6007 -
6008 - page_list[PA_CONTROL_PAGE] = __pa(control_page);
6009 -- page_list[VA_CONTROL_PAGE] = (unsigned long)relocate_kernel;
6010 -+ page_list[VA_CONTROL_PAGE] = ktla_ktva((unsigned long)relocate_kernel);
6011 - page_list[PA_PGD] = __pa(kexec_pgd);
6012 - page_list[VA_PGD] = (unsigned long)kexec_pgd;
6013 - #ifdef CONFIG_X86_PAE
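Review bot: `page_list[VA_CONTROL_PAGE]` now receives the `ktla_ktva` alias of `relocate_kernel` while `PA_CONTROL_PAGE` still uses `__pa(control_page)`; a comment explaining why the relocation stub needs the alias rather than the linear text address would stop a future reader from "fixing" it back, and the same applies to the `memcpy(control_page, ktla_ktva(relocate_kernel), PAGE_SIZE)` source.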
6014 -diff -urNp linux-2.6.24.4/arch/x86/kernel/Makefile_64 linux-2.6.24.4/arch/x86/kernel/Makefile_64
6015 ---- linux-2.6.24.4/arch/x86/kernel/Makefile_64 2008-03-24 14:49:18.000000000 -0400
6016 -+++ linux-2.6.24.4/arch/x86/kernel/Makefile_64 2008-03-26 17:56:55.000000000 -0400
6017 -@@ -42,4 +42,6 @@ obj-$(CONFIG_PCI) += early-quirks.o
6018 - obj-y += topology.o
6019 - obj-y += pcspeaker.o
6020 -
6021 --CFLAGS_vsyscall_64.o := $(PROFILING) -g0
6022 -+CFLAGS_vsyscall_64.o := $(PROFILING) -g0 -fno-stack-protector
6023 -+CFLAGS_hpet.o := -fno-stack-protector
6024 -+CFLAGS_tsc_64.o := -fno-stack-protector
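Review bot: `-fno-stack-protector` on vsyscall_64.o, hpet.o and tsc_64.o is needed because code reached from the vsyscall page runs in user context, where the kernel's stack canary cannot be read and a failed check would fault; the Makefile should carry that reason as a comment so the flags are not removed as clean-up, and any other object that vsyscall_64 pulls in must get the same flag.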
6025 -diff -urNp linux-2.6.24.4/arch/x86/kernel/module_32.c linux-2.6.24.4/arch/x86/kernel/module_32.c
6026 ---- linux-2.6.24.4/arch/x86/kernel/module_32.c 2008-03-24 14:49:18.000000000 -0400
6027 -+++ linux-2.6.24.4/arch/x86/kernel/module_32.c 2008-03-26 17:56:55.000000000 -0400
6028 -@@ -23,6 +23,8 @@
6029 - #include <linux/kernel.h>
6030 - #include <linux/bug.h>
6031 -
6032 -+#include <asm/desc.h>
6033 -+
6034 - #if 0
6035 - #define DEBUGP printk
6036 - #else
6037 -@@ -33,9 +35,30 @@ void *module_alloc(unsigned long size)
6038 - {
6039 - if (size == 0)
6040 - return NULL;
6041 -+
6042 -+#ifdef CONFIG_PAX_KERNEXEC
6043 -+ return vmalloc(size);
6044 -+#else
6045 - return vmalloc_exec(size);
6046 -+#endif
6047 -+
6048 - }
6049 -
6050 -+#ifdef CONFIG_PAX_KERNEXEC
6051 -+void *module_alloc_exec(unsigned long size)
6052 -+{
6053 -+ struct vm_struct *area;
6054 -+
6055 -+ if (size == 0)
6056 -+ return NULL;
6057 -+
6058 -+ area = __get_vm_area(size, VM_ALLOC, (unsigned long)&MODULES_VADDR, (unsigned long)&MODULES_END);
6059 -+ if (area)
6060 -+ return area->addr;
6061 -+
6062 -+ return NULL;
6063 -+}
6064 -+#endif
6065 -
6066 - /* Free memory returned from module_alloc */
6067 - void module_free(struct module *mod, void *module_region)
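Review bot: `module_alloc_exec()` reserves address space only, since `__get_vm_area(size, VM_ALLOC, ...)` maps no pages, so the loader must populate the region between `MODULES_VADDR` and `MODULES_END` itself; that, and the fact that `(unsigned long)&MODULES_VADDR` implies linker symbols rather than constants, should be documented above the function. Returning plain `vmalloc()` from `module_alloc()` under KERNEXEC gives module data and text distinct W^X mappings, which is the point of the split and also worth a comment.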
6068 -@@ -45,6 +68,45 @@ void module_free(struct module *mod, voi
6069 - table entries. */
6070 - }
6071 -
6072 -+#ifdef CONFIG_PAX_KERNEXEC
6073 -+void module_free_exec(struct module *mod, void *module_region)
6074 -+{
6075 -+ struct vm_struct **p, *tmp;
6076 -+
6077 -+ if (!module_region)
6078 -+ return;
6079 -+
6080 -+ if ((PAGE_SIZE-1) & (unsigned long)module_region) {
6081 -+ printk(KERN_ERR "Trying to module_free_exec() bad address (%p)\n", module_region);
6082 -+ WARN_ON(1);
6083 -+ return;
6084 -+ }
6085 -+
6086 -+ write_lock(&vmlist_lock);
6087 -+ for (p = &vmlist; (tmp = *p) != NULL; p = &tmp->next)
6088 -+ if (tmp->addr == module_region)
6089 -+ break;
6090 -+
6091 -+ if (tmp) {
6092 -+ unsigned long cr0;
6093 -+
6094 -+ pax_open_kernel(cr0);
6095 -+ memset(tmp->addr, 0xCC, tmp->size);
6096 -+ pax_close_kernel(cr0);
6097 -+
6098 -+ *p = tmp->next;
6099 -+ kfree(tmp);
6100 -+ }
6101 -+ write_unlock(&vmlist_lock);
6102 -+
6103 -+ if (!tmp) {
6104 -+ printk(KERN_ERR "Trying to module_free_exec() nonexistent vm area (%p)\n",
6105 -+ module_region);
6106 -+ WARN_ON(1);
6107 -+ }
6108 -+}
6109 -+#endif
6110 -+
6111 - /* We don't need anything special. */
6112 - int module_frob_arch_sections(Elf_Ehdr *hdr,
6113 - Elf_Shdr *sechdrs,
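Review bot: `kfree(tmp)` in `module_free_exec()` releases the vm_struct but no pages, which is correct only because `module_alloc_exec()` mapped none; state that in a comment. Overwriting the freed text with 0xCC (int3) under `pax_open_kernel`/`pax_close_kernel` turns a stale call into a trap rather than executing leftover code, and holding `vmlist_lock` as a writer across the memset is what prevents the region being handed out again before it is poisoned; both are good, and both deserve a line of explanation.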
6114 -@@ -63,14 +125,20 @@ int apply_relocate(Elf32_Shdr *sechdrs,
6115 - unsigned int i;
6116 - Elf32_Rel *rel = (void *)sechdrs[relsec].sh_addr;
6117 - Elf32_Sym *sym;
6118 -- uint32_t *location;
6119 -+ uint32_t *plocation, location;
6120 -+
6121 -+#ifdef CONFIG_PAX_KERNEXEC
6122 -+ unsigned long cr0;
6123 -+#endif
6124 -
6125 - DEBUGP("Applying relocate section %u to %u\n", relsec,
6126 - sechdrs[relsec].sh_info);
6127 - for (i = 0; i < sechdrs[relsec].sh_size / sizeof(*rel); i++) {
6128 - /* This is where to make the change */
6129 -- location = (void *)sechdrs[sechdrs[relsec].sh_info].sh_addr
6130 -- + rel[i].r_offset;
6131 -+ plocation = (void *)sechdrs[sechdrs[relsec].sh_info].sh_addr + rel[i].r_offset;
6132 -+ location = (uint32_t)plocation;
6133 -+ if (sechdrs[sechdrs[relsec].sh_info].sh_flags & SHF_EXECINSTR)
6134 -+ plocation = ktla_ktva((void *)plocation);
6135 - /* This is the symbol it is referring to. Note that all
6136 - undefined symbols have been resolved. */
6137 - sym = (Elf32_Sym *)sechdrs[symindex].sh_addr
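Review bot: `location = (uint32_t)plocation` is captured before `plocation` is translated by `ktla_ktva()` for `SHF_EXECINSTR` sections, so R_386_PC32 relocations are computed against the linear address where the code will execute while the store goes to the writable alias; that is correct but easy to undo by accident, so comment those two lines.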
6138 -@@ -78,12 +146,32 @@ int apply_relocate(Elf32_Shdr *sechdrs,
6139 -
6140 - switch (ELF32_R_TYPE(rel[i].r_info)) {
6141 - case R_386_32:
6142 -+
6143 -+#ifdef CONFIG_PAX_KERNEXEC
6144 -+ pax_open_kernel(cr0);
6145 -+#endif
6146 -+
6147 - /* We add the value into the location given */
6148 -- *location += sym->st_value;
6149 -+ *plocation += sym->st_value;
6150 -+
6151 -+#ifdef CONFIG_PAX_KERNEXEC
6152 -+ pax_close_kernel(cr0);
6153 -+#endif
6154 -+
6155 - break;
6156 - case R_386_PC32:
6157 -+
6158 -+#ifdef CONFIG_PAX_KERNEXEC
6159 -+ pax_open_kernel(cr0);
6160 -+#endif
6161 -+
6162 - /* Add the value, subtract its postition */
6163 -- *location += sym->st_value - (uint32_t)location;
6164 -+ *plocation += sym->st_value - location;
6165 -+
6166 -+#ifdef CONFIG_PAX_KERNEXEC
6167 -+ pax_close_kernel(cr0);
6168 -+#endif
6169 -+
6170 - break;
6171 - default:
6172 - printk(KERN_ERR "module %s: Unknown relocation: %u\n",
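Review bot: `pax_open_kernel(cr0)`/`pax_close_kernel(cr0)` is toggled for every relocation, including ones into data sections where `plocation` was not translated and the page is already writable; gating the pair on the same `SHF_EXECINSTR` test, or opening once before the `switch` and closing after it, would halve the ifdef blocks and confine the write-protect-off window to executable targets. The context typo `postition` could be fixed in passing.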
6173 -diff -urNp linux-2.6.24.4/arch/x86/kernel/module_64.c linux-2.6.24.4/arch/x86/kernel/module_64.c
6174 ---- linux-2.6.24.4/arch/x86/kernel/module_64.c 2008-03-24 14:49:18.000000000 -0400
6175 -+++ linux-2.6.24.4/arch/x86/kernel/module_64.c 2008-03-26 17:56:55.000000000 -0400
6176 -@@ -39,7 +39,7 @@ void module_free(struct module *mod, voi
6177 - table entries. */
6178 - }
6179 -
6180 --void *module_alloc(unsigned long size)
6181 -+static void *__module_alloc(unsigned long size, pgprot_t prot)
6182 - {
6183 - struct vm_struct *area;
6184 -
6185 -@@ -53,8 +53,31 @@ void *module_alloc(unsigned long size)
6186 - if (!area)
6187 - return NULL;
6188 -
6189 -- return __vmalloc_area(area, GFP_KERNEL, PAGE_KERNEL_EXEC);
6190 -+ return __vmalloc_area(area, GFP_KERNEL | __GFP_ZERO, prot);
6191 -+}
6192 -+
6193 -+#ifdef CONFIG_PAX_KERNEXEC
6194 -+void *module_alloc(unsigned long size)
6195 -+{
6196 -+ return __module_alloc(size, PAGE_KERNEL);
6197 -+}
6198 -+
6199 -+void module_free_exec(struct module *mod, void *module_region)
6200 -+{
6201 -+ module_free(mod, module_region);
6202 -+}
6203 -+
6204 -+void *module_alloc_exec(unsigned long size)
6205 -+{
6206 -+ return __module_alloc(size, PAGE_KERNEL_RX);
6207 - }
6208 -+#else
6209 -+void *module_alloc(unsigned long size)
6210 -+{
6211 -+ return __module_alloc(size, PAGE_KERNEL_EXEC);
6212 -+}
6213 -+#endif
6214 -+
6215 - #endif
6216 -
6217 - /* We don't need anything special. */
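Review bot: The KERNEXEC split gives modules RW data via `module_alloc` (PAGE_KERNEL) and RX code via `module_alloc_exec` (PAGE_KERNEL_RX), so any later write into a code region (relocation fixups, alternatives patching) must be bracketed with pax_open_kernel/pax_close_kernel as apply_relocate_add does below; a short comment next to `module_alloc_exec` stating that contract would help future callers. Adding `__GFP_ZERO` to `__vmalloc_area` is a good change in its own right, since freshly mapped module memory no longer carries stale kernel data.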
6218 -@@ -76,7 +99,11 @@ int apply_relocate_add(Elf64_Shdr *sechd
6219 - Elf64_Rela *rel = (void *)sechdrs[relsec].sh_addr;
6220 - Elf64_Sym *sym;
6221 - void *loc;
6222 -- u64 val;
6223 -+ u64 val;
6224 -+
6225 -+#ifdef CONFIG_PAX_KERNEXEC
6226 -+ unsigned long cr0;
6227 -+#endif
6228 -
6229 - DEBUGP("Applying relocate section %u to %u\n", relsec,
6230 - sechdrs[relsec].sh_info);
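Review bot: The `- u64 val;` / `+ u64 val;` pair is a whitespace-only change that adds noise to the hunk; drop it and keep only the `cr0` declaration under CONFIG_PAX_KERNEXEC.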
6231 -@@ -100,21 +127,61 @@ int apply_relocate_add(Elf64_Shdr *sechd
6232 - case R_X86_64_NONE:
6233 - break;
6234 - case R_X86_64_64:
6235 -+
6236 -+#ifdef CONFIG_PAX_KERNEXEC
6237 -+ pax_open_kernel(cr0);
6238 -+#endif
6239 -+
6240 - *(u64 *)loc = val;
6241 -+
6242 -+#ifdef CONFIG_PAX_KERNEXEC
6243 -+ pax_close_kernel(cr0);
6244 -+#endif
6245 -+
6246 - break;
6247 - case R_X86_64_32:
6248 -+
6249 -+#ifdef CONFIG_PAX_KERNEXEC
6250 -+ pax_open_kernel(cr0);
6251 -+#endif
6252 -+
6253 - *(u32 *)loc = val;
6254 -+
6255 -+#ifdef CONFIG_PAX_KERNEXEC
6256 -+ pax_close_kernel(cr0);
6257 -+#endif
6258 -+
6259 - if (val != *(u32 *)loc)
6260 - goto overflow;
6261 - break;
6262 - case R_X86_64_32S:
6263 -+
6264 -+#ifdef CONFIG_PAX_KERNEXEC
6265 -+ pax_open_kernel(cr0);
6266 -+#endif
6267 -+
6268 - *(s32 *)loc = val;
6269 -+
6270 -+#ifdef CONFIG_PAX_KERNEXEC
6271 -+ pax_close_kernel(cr0);
6272 -+#endif
6273 -+
6274 - if ((s64)val != *(s32 *)loc)
6275 - goto overflow;
6276 - break;
6277 - case R_X86_64_PC32:
6278 - val -= (u64)loc;
6279 -+
6280 -+#ifdef CONFIG_PAX_KERNEXEC
6281 -+ pax_open_kernel(cr0);
6282 -+#endif
6283 -+
6284 - *(u32 *)loc = val;
6285 -+
6286 -+#ifdef CONFIG_PAX_KERNEXEC
6287 -+ pax_close_kernel(cr0);
6288 -+#endif
6289 -+
6290 - #if 0
6291 - if ((s64)val != *(s32 *)loc)
6292 - goto overflow;
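Review bot: The same four-line open/close pair is repeated for R_X86_64_64, R_X86_64_32, R_X86_64_32S and R_X86_64_PC32 around a single store each; a small static helper taking `loc`, `val` and the width would keep the writable window to one store while removing the duplicated `#ifdef` blocks. The read-back overflow checks (`val != *(u32 *)loc`) correctly sit after pax_close_kernel, since closing only removes write access.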
6293 -diff -urNp linux-2.6.24.4/arch/x86/kernel/paravirt_32.c linux-2.6.24.4/arch/x86/kernel/paravirt_32.c
6294 ---- linux-2.6.24.4/arch/x86/kernel/paravirt_32.c 2008-03-24 14:49:18.000000000 -0400
6295 -+++ linux-2.6.24.4/arch/x86/kernel/paravirt_32.c 2008-03-26 17:56:55.000000000 -0400
6296 -@@ -39,7 +39,7 @@ void _paravirt_nop(void)
6297 - {
6298 - }
6299 -
6300 --static void __init default_banner(void)
6301 -+static void default_banner(void)
6302 - {
6303 - printk(KERN_INFO "Booting paravirtualized kernel on %s\n",
6304 - pv_info.name);
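Review bot: Dropping `__init` from `default_banner` changes which section the function lives in but nothing in the hunk says why; since its only reference is the `.banner` member of `pv_init_ops`, which a later hunk in this file marks `__read_only`, a one-line comment tying the two changes together would make the intent reviewable.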
6305 -@@ -206,7 +206,7 @@ unsigned paravirt_patch_insns(void *insn
6306 - if (insn_len > len || start == NULL)
6307 - insn_len = len;
6308 - else
6309 -- memcpy(insnbuf, start, insn_len);
6310 -+ memcpy(insnbuf, ktla_ktva(start), insn_len);
6311 -
6312 - return insn_len;
6313 - }
6314 -@@ -324,21 +324,21 @@ enum paravirt_lazy_mode paravirt_get_laz
6315 - return x86_read_percpu(paravirt_lazy_mode);
6316 - }
6317 -
6318 --struct pv_info pv_info = {
6319 -+struct pv_info pv_info __read_only = {
6320 - .name = "bare hardware",
6321 - .paravirt_enabled = 0,
6322 - .kernel_rpl = 0,
6323 - .shared_kernel_pmd = 1, /* Only used when CONFIG_X86_PAE is set */
6324 - };
6325 -
6326 --struct pv_init_ops pv_init_ops = {
6327 -+struct pv_init_ops pv_init_ops __read_only = {
6328 - .patch = native_patch,
6329 - .banner = default_banner,
6330 - .arch_setup = paravirt_nop,
6331 - .memory_setup = machine_specific_memory_setup,
6332 - };
6333 -
6334 --struct pv_time_ops pv_time_ops = {
6335 -+struct pv_time_ops pv_time_ops __read_only = {
6336 - .time_init = hpet_time_init,
6337 - .get_wallclock = native_get_wallclock,
6338 - .set_wallclock = native_set_wallclock,
6339 -@@ -346,7 +346,7 @@ struct pv_time_ops pv_time_ops = {
6340 - .get_cpu_khz = native_calculate_cpu_khz,
6341 - };
6342 -
6343 --struct pv_irq_ops pv_irq_ops = {
6344 -+struct pv_irq_ops pv_irq_ops __read_only = {
6345 - .init_IRQ = native_init_IRQ,
6346 - .save_fl = native_save_fl,
6347 - .restore_fl = native_restore_fl,
6348 -@@ -356,7 +356,7 @@ struct pv_irq_ops pv_irq_ops = {
6349 - .halt = native_halt,
6350 - };
6351 -
6352 --struct pv_cpu_ops pv_cpu_ops = {
6353 -+struct pv_cpu_ops pv_cpu_ops __read_only = {
6354 - .cpuid = native_cpuid,
6355 - .get_debugreg = native_get_debugreg,
6356 - .set_debugreg = native_set_debugreg,
6357 -@@ -396,7 +396,7 @@ struct pv_cpu_ops pv_cpu_ops = {
6358 - },
6359 - };
6360 -
6361 --struct pv_apic_ops pv_apic_ops = {
6362 -+struct pv_apic_ops pv_apic_ops __read_only = {
6363 - #ifdef CONFIG_X86_LOCAL_APIC
6364 - .apic_write = native_apic_write,
6365 - .apic_write_atomic = native_apic_write_atomic,
6366 -@@ -407,7 +407,7 @@ struct pv_apic_ops pv_apic_ops = {
6367 - #endif
6368 - };
6369 -
6370 --struct pv_mmu_ops pv_mmu_ops = {
6371 -+struct pv_mmu_ops pv_mmu_ops __read_only = {
6372 - .pagetable_setup_start = native_pagetable_setup_start,
6373 - .pagetable_setup_done = native_pagetable_setup_done,
6374 -
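Review bot: Marking every `pv_*_ops` table `__read_only` turns these function-pointer tables from a writable target into a protected one, which is the point of the change, but it also means any code that legitimately rewrites them at runtime (a guest hypervisor backend installing its own ops) must now go through pax_open_kernel/pax_close_kernel; those call sites are not in these hunks, so the commit message should list them or state that none exist in this tree.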
6375 -diff -urNp linux-2.6.24.4/arch/x86/kernel/process_32.c linux-2.6.24.4/arch/x86/kernel/process_32.c
6376 ---- linux-2.6.24.4/arch/x86/kernel/process_32.c 2008-03-24 14:49:18.000000000 -0400
6377 -+++ linux-2.6.24.4/arch/x86/kernel/process_32.c 2008-03-26 17:56:55.000000000 -0400
6378 -@@ -66,15 +66,17 @@ EXPORT_SYMBOL(boot_option_idle_override)
6379 - DEFINE_PER_CPU(struct task_struct *, current_task) = &init_task;
6380 - EXPORT_PER_CPU_SYMBOL(current_task);
6381 -
6382 -+#ifdef CONFIG_SMP
6383 - DEFINE_PER_CPU(int, cpu_number);
6384 - EXPORT_PER_CPU_SYMBOL(cpu_number);
6385 -+#endif
6386 -
6387 - /*
6388 - * Return saved PC of a blocked thread.
6389 - */
6390 - unsigned long thread_saved_pc(struct task_struct *tsk)
6391 - {
6392 -- return ((unsigned long *)tsk->thread.esp)[3];
6393 -+ return tsk->thread.eip;
6394 - }
6395 -
6396 - /*
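Review bot: `thread_saved_pc` now returns `tsk->thread.eip` instead of reading the fourth word of the saved kernel stack frame; this is only correct if `thread.eip` is stored on every context switch, which happens outside this hunk (`__switch_to`), so please confirm that path writes it. The new `#ifdef CONFIG_SMP` around `cpu_number` also requires every UP user of that per-cpu variable to be guarded the same way.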
6397 -@@ -313,7 +315,7 @@ void __show_registers(struct pt_regs *re
6398 - unsigned long esp;
6399 - unsigned short ss, gs;
6400 -
6401 -- if (user_mode_vm(regs)) {
6402 -+ if (user_mode(regs)) {
6403 - esp = regs->esp;
6404 - ss = regs->xss & 0xffff;
6405 - savesegment(gs, gs);
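Review bot: Replacing `user_mode_vm(regs)` with `user_mode(regs)` changes how VM86 frames are classified unless `user_mode` itself has been redefined; the signal_32.c hunk further down introduces `user_mode_novm`, which suggests the macros were swapped in a header not shown here. Stating that header change in the commit message would make these call-site edits reviewable on their own.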
6406 -@@ -391,8 +393,8 @@ int kernel_thread(int (*fn)(void *), voi
6407 - regs.ebx = (unsigned long) fn;
6408 - regs.edx = (unsigned long) arg;
6409 -
6410 -- regs.xds = __USER_DS;
6411 -- regs.xes = __USER_DS;
6412 -+ regs.xds = __KERNEL_DS;
6413 -+ regs.xes = __KERNEL_DS;
6414 - regs.xfs = __KERNEL_PERCPU;
6415 - regs.orig_eax = -1;
6416 - regs.eip = (unsigned long) kernel_thread_helper;
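Review bot: Starting kernel threads with `__KERNEL_DS` in `%ds`/`%es` instead of `__USER_DS` has no rationale in the hunk; it is presumably required by CONFIG_PAX_MEMORY_UDEREF (see the `__switch_to` hunk below, which keys the segment limit off `addr_limit`), so a short comment here would save the next reader from guessing.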
6417 -@@ -414,7 +416,7 @@ void exit_thread(void)
6418 - struct task_struct *tsk = current;
6419 - struct thread_struct *t = &tsk->thread;
6420 - int cpu = get_cpu();
6421 -- struct tss_struct *tss = &per_cpu(init_tss, cpu);
6422 -+ struct tss_struct *tss = init_tss + cpu;
6423 -
6424 - kfree(t->io_bitmap_ptr);
6425 - t->io_bitmap_ptr = NULL;
6426 -@@ -435,6 +437,7 @@ void flush_thread(void)
6427 - {
6428 - struct task_struct *tsk = current;
6429 -
6430 -+ __asm__("mov %0,%%gs\n" : : "r" (0) : "memory");
6431 - memset(tsk->thread.debugreg, 0, sizeof(unsigned long)*8);
6432 - memset(tsk->thread.tls_array, 0, sizeof(tsk->thread.tls_array));
6433 - clear_tsk_thread_flag(tsk, TIF_DEBUG);
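Review bot: The raw `__asm__("mov %0,%%gs" ...)` in `flush_thread` deserves a comment (it drops any stale TLS selector before `tls_array` is zeroed), and for consistency with the `savesegment()` used elsewhere in this file it could be written with the `loadsegment()` helper rather than open-coded asm.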
6434 -@@ -468,7 +471,7 @@ int copy_thread(int nr, unsigned long cl
6435 - struct task_struct *tsk;
6436 - int err;
6437 -
6438 -- childregs = task_pt_regs(p);
6439 -+ childregs = task_stack_page(p) + THREAD_SIZE - sizeof(struct pt_regs) - 8;
6440 - *childregs = *regs;
6441 - childregs->eax = 0;
6442 - childregs->esp = esp;
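Review bot: The replacement for `task_pt_regs(p)` hard-codes `- 8` after `THREAD_SIZE - sizeof(struct pt_regs)`; if the intent is to reserve space that the new `task_pt_regs` definition no longer accounts for, give the 8 a named constant or a comment so it cannot silently drift from the layout assumed in entry code.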
6443 -@@ -510,6 +513,11 @@ int copy_thread(int nr, unsigned long cl
6444 - if (idx < GDT_ENTRY_TLS_MIN || idx > GDT_ENTRY_TLS_MAX)
6445 - goto out;
6446 -
6447 -+#ifdef CONFIG_PAX_SEGMEXEC
6448 -+ if ((current->mm->pax_flags & MF_PAX_SEGMEXEC) && (info.contents & MODIFY_LDT_CONTENTS_CODE))
6449 -+ goto out;
6450 -+#endif
6451 -+
6452 - desc = p->thread.tls_array + idx - GDT_ENTRY_TLS_MIN;
6453 - desc->a = LDT_entry_a(&info);
6454 - desc->b = LDT_entry_b(&info);
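Review bot: The SEGMEXEC check rejecting code-segment TLS descriptors (`info.contents & MODIFY_LDT_CONTENTS_CODE`) appears three times on this page, here with `goto out`, in `sys_set_thread_area` with `return -EINVAL`, and in `ptrace_set_thread_area` with `return -EINVAL`; a single static inline helper would keep the three copies from diverging, and the `goto out` path here should be checked to make sure it reports an error rather than silently skipping the descriptor.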
6455 -@@ -696,7 +704,7 @@ struct task_struct fastcall * __switch_t
6456 - struct thread_struct *prev = &prev_p->thread,
6457 - *next = &next_p->thread;
6458 - int cpu = smp_processor_id();
6459 -- struct tss_struct *tss = &per_cpu(init_tss, cpu);
6460 -+ struct tss_struct *tss = init_tss + cpu;
6461 -
6462 - /* never put a printk in __switch_to... printk() calls wake_up*() indirectly */
6463 -
6464 -@@ -724,6 +732,11 @@ struct task_struct fastcall * __switch_t
6465 - */
6466 - savesegment(gs, prev->gs);
6467 -
6468 -+#ifdef CONFIG_PAX_MEMORY_UDEREF
6469 -+ if (!segment_eq(task_thread_info(prev_p)->addr_limit, task_thread_info(next_p)->addr_limit))
6470 -+ __set_fs(task_thread_info(next_p)->addr_limit, cpu);
6471 -+#endif
6472 -+
6473 - /*
6474 - * Load the per-thread Thread-Local Storage descriptor.
6475 - */
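Review bot: The UDEREF block only re-applies the user segment limit when `addr_limit` differs between `prev_p` and `next_p` at context switch; a task that changes its own limit mid-run via `set_fs()` must also update the segment, so please confirm `set_fs` was redefined to call `__set_fs` as well (that change is not in these hunks).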
6476 -@@ -888,6 +901,12 @@ asmlinkage int sys_set_thread_area(struc
6477 -
6478 - if (copy_from_user(&info, u_info, sizeof(info)))
6479 - return -EFAULT;
6480 -+
6481 -+#ifdef CONFIG_PAX_SEGMEXEC
6482 -+ if ((current->mm->pax_flags & MF_PAX_SEGMEXEC) && (info.contents & MODIFY_LDT_CONTENTS_CODE))
6483 -+ return -EINVAL;
6484 -+#endif
6485 -+
6486 - idx = info.entry_number;
6487 -
6488 - /*
6489 -@@ -976,9 +995,27 @@ asmlinkage int sys_get_thread_area(struc
6490 - return 0;
6491 - }
6492 -
6493 --unsigned long arch_align_stack(unsigned long sp)
6494 -+#ifdef CONFIG_PAX_RANDKSTACK
6495 -+asmlinkage void pax_randomize_kstack(void)
6496 - {
6497 -- if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
6498 -- sp -= get_random_int() % 8192;
6499 -- return sp & ~0xf;
6500 -+ struct thread_struct *thread = &current->thread;
6501 -+ unsigned long time;
6502 -+
6503 -+ if (!randomize_va_space)
6504 -+ return;
6505 -+
6506 -+ rdtscl(time);
6507 -+
6508 -+ /* P4 seems to return a 0 LSB, ignore it */
6509 -+#ifdef CONFIG_MPENTIUM4
6510 -+ time &= 0x1EUL;
6511 -+ time <<= 2;
6512 -+#else
6513 -+ time &= 0xFUL;
6514 -+ time <<= 3;
6515 -+#endif
6516 -+
6517 -+ thread->esp0 ^= time;
6518 -+ load_esp0(init_tss + smp_processor_id(), thread);
6519 - }
6520 -+#endif
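Review bot: `pax_randomize_kstack` draws its entropy from the low TSC bits and, after masking and shifting, both branches produce 16 possible offsets in 8-byte steps (a 128-byte window XORed into `esp0`); that is a deliberate design trade-off, but it should be documented next to the masks so nobody later mistakes it for a bug. This hunk also deletes the 32-bit `arch_align_stack`, so a replacement definition must exist for the ELF loader; see the comment on the matching 64-bit removal below.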
6521 -diff -urNp linux-2.6.24.4/arch/x86/kernel/process_64.c linux-2.6.24.4/arch/x86/kernel/process_64.c
6522 ---- linux-2.6.24.4/arch/x86/kernel/process_64.c 2008-03-24 14:49:18.000000000 -0400
6523 -+++ linux-2.6.24.4/arch/x86/kernel/process_64.c 2008-03-26 17:56:55.000000000 -0400
6524 -@@ -210,6 +210,8 @@ static inline void play_dead(void)
6525 - void cpu_idle (void)
6526 - {
6527 - current_thread_info()->status |= TS_POLLING;
6528 -+ current->stack_canary = pax_get_random_long();
6529 -+ write_pda(stack_canary, current->stack_canary);
6530 - /* endless idle loop with no priority at all */
6531 - while (1) {
6532 - tick_nohz_stop_sched_tick();
6533 -@@ -390,7 +392,7 @@ void exit_thread(void)
6534 - struct thread_struct *t = &me->thread;
6535 -
6536 - if (me->thread.io_bitmap_ptr) {
6537 -- struct tss_struct *tss = &per_cpu(init_tss, get_cpu());
6538 -+ struct tss_struct *tss = init_tss + get_cpu();
6539 -
6540 - kfree(t->io_bitmap_ptr);
6541 - t->io_bitmap_ptr = NULL;
6542 -@@ -597,7 +599,7 @@ __switch_to(struct task_struct *prev_p,
6543 - struct thread_struct *prev = &prev_p->thread,
6544 - *next = &next_p->thread;
6545 - int cpu = smp_processor_id();
6546 -- struct tss_struct *tss = &per_cpu(init_tss, cpu);
6547 -+ struct tss_struct *tss = init_tss + cpu;
6548 -
6549 - /* we're going to use this soon, after a few expensive things */
6550 - if (next_p->fpu_counter>5)
6551 -@@ -672,7 +674,6 @@ __switch_to(struct task_struct *prev_p,
6552 - write_pda(kernelstack,
6553 - (unsigned long)task_stack_page(next_p) + THREAD_SIZE - PDA_STACKOFFSET);
6554 - #ifdef CONFIG_CC_STACKPROTECTOR
6555 -- write_pda(stack_canary, next_p->stack_canary);
6556 - /*
6557 - * Build time only check to make sure the stack_canary is at
6558 - * offset 40 in the pda; this is a gcc ABI requirement
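Review bot: Removing `write_pda(stack_canary, next_p->stack_canary)` from `__switch_to`, combined with the `cpu_idle` hunk above that writes the PDA canary once per CPU from `pax_get_random_long()`, changes the stack protector from a per-task canary to a per-CPU one for the lifetime of that CPU. That may be intended (it removes a write on every switch), but it is a security-relevant property change and should be spelled out in the commit message, including why `current->stack_canary` is still assigned if nothing reloads it.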
6559 -@@ -701,7 +702,7 @@ __switch_to(struct task_struct *prev_p,
6560 - */
6561 - asmlinkage
6562 - long sys_execve(char __user *name, char __user * __user *argv,
6563 -- char __user * __user *envp, struct pt_regs regs)
6564 -+ char __user * __user *envp, struct pt_regs *regs)
6565 - {
6566 - long error;
6567 - char * filename;
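Review bot: Changing `sys_execve` to take `struct pt_regs *regs` instead of a by-value struct alters the calling convention expected by the assembly stub that enters it; the matching entry_64.S change is not in these hunks and should be referenced so the two sides can be reviewed together.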
6568 -@@ -710,7 +711,7 @@ long sys_execve(char __user *name, char
6569 - error = PTR_ERR(filename);
6570 - if (IS_ERR(filename))
6571 - return error;
6572 -- error = do_execve(filename, argv, envp, &regs);
6573 -+ error = do_execve(filename, argv, envp, regs);
6574 - if (error == 0) {
6575 - task_lock(current);
6576 - current->ptrace &= ~PT_DTRACE;
6577 -@@ -906,10 +907,3 @@ int dump_task_regs(struct task_struct *t
6578 -
6579 - return 1;
6580 - }
6581 --
6582 --unsigned long arch_align_stack(unsigned long sp)
6583 --{
6584 -- if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
6585 -- sp -= get_random_int() % 8192;
6586 -- return sp & ~0xf;
6587 --}
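Review bot: `arch_align_stack` is removed on 64-bit here and on 32-bit in process_32.c above, but the ELF loader still calls it; please point to where the replacement definition lives (it is not in these hunks), since dropping user stack randomization silently would be a regression rather than a hardening.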
6588 -diff -urNp linux-2.6.24.4/arch/x86/kernel/ptrace_32.c linux-2.6.24.4/arch/x86/kernel/ptrace_32.c
6589 ---- linux-2.6.24.4/arch/x86/kernel/ptrace_32.c 2008-03-24 14:49:18.000000000 -0400
6590 -+++ linux-2.6.24.4/arch/x86/kernel/ptrace_32.c 2008-03-26 17:56:55.000000000 -0400
6591 -@@ -160,22 +160,20 @@ static unsigned long convert_eip_to_line
6592 - * and APM bios ones we just ignore here.
6593 - */
6594 - if (seg & LDT_SEGMENT) {
6595 -- u32 *desc;
6596 -+ struct desc_struct *desc;
6597 - unsigned long base;
6598 -
6599 -- seg &= ~7UL;
6600 -+ seg >>= 3;
6601 -
6602 - mutex_lock(&child->mm->context.lock);
6603 -- if (unlikely((seg >> 3) >= child->mm->context.size))
6604 -- addr = -1L; /* bogus selector, access would fault */
6605 -+ if (unlikely(seg >= child->mm->context.size))
6606 -+ addr = -EINVAL;
6607 - else {
6608 -- desc = child->mm->context.ldt + seg;
6609 -- base = ((desc[0] >> 16) |
6610 -- ((desc[1] & 0xff) << 16) |
6611 -- (desc[1] & 0xff000000));
6612 -+ desc = &child->mm->context.ldt[seg];
6613 -+ base = (desc->a >> 16) | ((desc->b & 0xff) << 16) | (desc->b & 0xff000000);
6614 -
6615 - /* 16-bit code segment? */
6616 -- if (!((desc[1] >> 22) & 1))
6617 -+ if (!((desc->b >> 22) & 1))
6618 - addr &= 0xffff;
6619 - addr += base;
6620 - }
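Review bot: Returning `-EINVAL` for a bogus LDT selector instead of `-1L` is a good change because the caller now checks it explicitly before calling `access_process_vm`, but the 32-bit version drops the `/* bogus selector, access would fault */` comment that the 64-bit version keeps; restore it here for consistency, and since the function returns `unsigned long` consider writing the sentinel as `(unsigned long)-EINVAL` on both sides of the comparison.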
6621 -@@ -190,6 +188,9 @@ static inline int is_setting_trap_flag(s
6622 - unsigned char opcode[15];
6623 - unsigned long addr = convert_eip_to_linear(child, regs);
6624 -
6625 -+ if (addr == -EINVAL)
6626 -+ return 0;
6627 -+
6628 - copied = access_process_vm(child, addr, opcode, sizeof(opcode), 0);
6629 - for (i = 0; i < copied; i++) {
6630 - switch (opcode[i]) {
6631 -@@ -340,6 +341,11 @@ ptrace_set_thread_area(struct task_struc
6632 - if (copy_from_user(&info, user_desc, sizeof(info)))
6633 - return -EFAULT;
6634 -
6635 -+#ifdef CONFIG_PAX_SEGMEXEC
6636 -+ if ((child->mm->pax_flags & MF_PAX_SEGMEXEC) && (info.contents & MODIFY_LDT_CONTENTS_CODE))
6637 -+ return -EINVAL;
6638 -+#endif
6639 -+
6640 - if (idx < GDT_ENTRY_TLS_MIN || idx > GDT_ENTRY_TLS_MAX)
6641 - return -EINVAL;
6642 -
6643 -@@ -419,7 +425,17 @@ long arch_ptrace(struct task_struct *chi
6644 - if(addr == (long) &dummy->u_debugreg[5]) break;
6645 - if(addr < (long) &dummy->u_debugreg[4] &&
6646 - ((unsigned long) data) >= TASK_SIZE-3) break;
6647 --
6648 -+
6649 -+#ifdef CONFIG_GRKERNSEC
6650 -+ if(addr >= (long) &dummy->u_debugreg[0] &&
6651 -+ addr <= (long) &dummy->u_debugreg[3]) {
6652 -+ long reg = (addr - (long) &dummy->u_debugreg[0]) >> 2;
6653 -+ long type = (child->thread.debugreg[7] >> (DR_CONTROL_SHIFT + 4*reg)) & 3;
6654 -+ long align = (child->thread.debugreg[7] >> (DR_CONTROL_SHIFT + 2 + 4*reg)) & 3;
6655 -+ if ((type & 1) && (data & align))
6656 -+ break;
6657 -+ }
6658 -+#endif
6659 - /* Sanity-check data. Take one half-byte at once with
6660 - * check = (val >> (16 + 4*i)) & 0xf. It contains the
6661 - * R/Wi and LENi bits; bits 0 and 1 are R/Wi, and bits
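Review bot: The GRKERNSEC alignment check for DR0-DR3 writes uses the R/W and LEN fields currently in `debugreg[7]`, so it only validates the address against the breakpoint type set at that moment; a later write to DR7 that enlarges LEN or switches the type to write would leave a previously accepted address misaligned unless the DR7 sanity-check path that follows this hunk performs the same check. Please verify that path, and drop the blank-line change (`-` / `+` with only whitespace) just before the `#ifdef`.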
6662 -@@ -630,7 +646,7 @@ void send_sigtrap(struct task_struct *ts
6663 - info.si_code = TRAP_BRKPT;
6664 -
6665 - /* User-mode eip? */
6666 -- info.si_addr = user_mode_vm(regs) ? (void __user *) regs->eip : NULL;
6667 -+ info.si_addr = user_mode(regs) ? (void __user *) regs->eip : NULL;
6668 -
6669 - /* Send us the fake SIGTRAP */
6670 - force_sig_info(SIGTRAP, &info, tsk);
6671 -diff -urNp linux-2.6.24.4/arch/x86/kernel/ptrace_64.c linux-2.6.24.4/arch/x86/kernel/ptrace_64.c
6672 ---- linux-2.6.24.4/arch/x86/kernel/ptrace_64.c 2008-03-24 14:49:18.000000000 -0400
6673 -+++ linux-2.6.24.4/arch/x86/kernel/ptrace_64.c 2008-03-26 17:56:55.000000000 -0400
6674 -@@ -98,22 +98,20 @@ unsigned long convert_rip_to_linear(stru
6675 - * and APM bios ones we just ignore here.
6676 - */
6677 - if (seg & LDT_SEGMENT) {
6678 -- u32 *desc;
6679 -+ struct desc_struct *desc;
6680 - unsigned long base;
6681 -
6682 -- seg &= ~7UL;
6683 -+ seg >>= 3;
6684 -
6685 - mutex_lock(&child->mm->context.lock);
6686 -- if (unlikely((seg >> 3) >= child->mm->context.size))
6687 -- addr = -1L; /* bogus selector, access would fault */
6688 -+ if (unlikely(seg >= child->mm->context.size))
6689 -+ addr = -EINVAL; /* bogus selector, access would fault */
6690 - else {
6691 -- desc = child->mm->context.ldt + seg;
6692 -- base = ((desc[0] >> 16) |
6693 -- ((desc[1] & 0xff) << 16) |
6694 -- (desc[1] & 0xff000000));
6695 -+ desc = &child->mm->context.ldt[seg];
6696 -+ base = desc->base0 | (desc->base1 << 16) | (desc->base2 << 24);
6697 -
6698 - /* 16-bit code segment? */
6699 -- if (!((desc[1] >> 22) & 1))
6700 -+ if (!desc->d)
6701 - addr &= 0xffff;
6702 - addr += base;
6703 - }
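Review bot: `convert_rip_to_linear` decodes the LDT entry through the named bitfields (`desc->base0`, `base1`, `base2`, `desc->d`) while the otherwise identical `convert_eip_to_linear` in ptrace_32.c above still shifts and masks `desc->a`/`desc->b`; use one style in both so the two decoders can be compared line for line.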
6704 -@@ -129,6 +127,9 @@ static int is_setting_trap_flag(struct t
6705 - unsigned char opcode[15];
6706 - unsigned long addr = convert_rip_to_linear(child, regs);
6707 -
6708 -+ if (addr == -EINVAL)
6709 -+ return 0;
6710 -+
6711 - copied = access_process_vm(child, addr, opcode, sizeof(opcode), 0);
6712 - for (i = 0; i < copied; i++) {
6713 - switch (opcode[i]) {
6714 -diff -urNp linux-2.6.24.4/arch/x86/kernel/reboot_32.c linux-2.6.24.4/arch/x86/kernel/reboot_32.c
6715 ---- linux-2.6.24.4/arch/x86/kernel/reboot_32.c 2008-03-24 14:49:18.000000000 -0400
6716 -+++ linux-2.6.24.4/arch/x86/kernel/reboot_32.c 2008-03-26 17:56:55.000000000 -0400
6717 -@@ -23,7 +23,7 @@
6718 - void (*pm_power_off)(void);
6719 - EXPORT_SYMBOL(pm_power_off);
6720 -
6721 --static int reboot_mode;
6722 -+static unsigned short reboot_mode;
6723 - static int reboot_thru_bios;
6724 -
6725 - #ifdef CONFIG_SMP
6726 -@@ -135,7 +135,7 @@ static struct dmi_system_id __initdata r
6727 - DMI_MATCH(DMI_PRODUCT_NAME, "HP Compaq"),
6728 - },
6729 - },
6730 -- { }
6731 -+ { NULL, NULL, {{0, NULL}}, NULL}
6732 - };
6733 -
6734 - static int __init reboot_init(void)
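Review bot: Replacing the `{ }` terminator with `{ NULL, NULL, {{0, NULL}}, NULL}` is semantically identical; if the purpose is to silence a missing-field-initializer warning, say so in a comment, because the explicit form has to be updated whenever `struct dmi_system_id` gains a member.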
6735 -@@ -153,18 +153,18 @@ core_initcall(reboot_init);
6736 - doesn't work with at least one type of 486 motherboard. It is easy
6737 - to stop this code working; hence the copious comments. */
6738 -
6739 --static unsigned long long
6740 --real_mode_gdt_entries [3] =
6741 -+static struct desc_struct
6742 -+real_mode_gdt_entries [3] __read_only =
6743 - {
6744 -- 0x0000000000000000ULL, /* Null descriptor */
6745 -- 0x00009a000000ffffULL, /* 16-bit real-mode 64k code at 0x00000000 */
6746 -- 0x000092000100ffffULL /* 16-bit real-mode 64k data at 0x00000100 */
6747 -+ {0x00000000, 0x00000000}, /* Null descriptor */
6748 -+ {0x0000ffff, 0x00009b00}, /* 16-bit real-mode 64k code at 0x00000000 */
6749 -+ {0x0100ffff, 0x00009300} /* 16-bit real-mode 64k data at 0x00000100 */
6750 - };
6751 -
6752 --static struct Xgt_desc_struct
6753 --real_mode_gdt = { sizeof (real_mode_gdt_entries) - 1, (long)real_mode_gdt_entries },
6754 --real_mode_idt = { 0x3ff, 0 },
6755 --no_idt = { 0, 0 };
6756 -+static const struct Xgt_desc_struct
6757 -+real_mode_gdt = { sizeof (real_mode_gdt_entries) - 1, (struct desc_struct *)__pa(real_mode_gdt_entries), 0 },
6758 -+real_mode_idt = { 0x3ff, NULL, 0 },
6759 -+no_idt = { 0, NULL, 0 };
6760 -
6761 -
6762 - /* This is 16-bit protected mode code to disable paging and the cache,
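Review bot: The type bytes of the two real-mode descriptors change from 0x9a/0x92 to 0x9b/0x93, i.e. the "accessed" bit is now pre-set; that is required once the GDT is `__read_only`, since the CPU would otherwise try to set that bit on first load and fault on the read-only page, but nothing in the hunk explains it, so add a comment next to the entries. The `real_mode_gdt` address also switches to `__pa()`, consistent with the `__va()` changes further down in this file.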
6763 -@@ -186,7 +186,7 @@ no_idt = { 0, 0 };
6764 - More could be done here to set up the registers as if a CPU reset had
6765 - occurred; hopefully real BIOSs don't assume much. */
6766 -
6767 --static unsigned char real_mode_switch [] =
6768 -+static const unsigned char real_mode_switch [] =
6769 - {
6770 - 0x66, 0x0f, 0x20, 0xc0, /* movl %cr0,%eax */
6771 - 0x66, 0x83, 0xe0, 0x11, /* andl $0x00000011,%eax */
6772 -@@ -200,7 +200,7 @@ static unsigned char real_mode_switch []
6773 - 0x24, 0x10, /* f: andb $0x10,al */
6774 - 0x66, 0x0f, 0x22, 0xc0 /* movl %eax,%cr0 */
6775 - };
6776 --static unsigned char jump_to_bios [] =
6777 -+static const unsigned char jump_to_bios [] =
6778 - {
6779 - 0xea, 0x00, 0x00, 0xff, 0xff /* ljmp $0xffff,$0x0000 */
6780 - };
6781 -@@ -210,7 +210,7 @@ static unsigned char jump_to_bios [] =
6782 - * specified by the code and length parameters.
6783 - * We assume that length will aways be less that 100!
6784 - */
6785 --void machine_real_restart(unsigned char *code, int length)
6786 -+void machine_real_restart(const unsigned char *code, unsigned int length)
6787 - {
6788 - local_irq_disable();
6789 -
6790 -@@ -232,8 +232,8 @@ void machine_real_restart(unsigned char
6791 - from the kernel segment. This assumes the kernel segment starts at
6792 - virtual address PAGE_OFFSET. */
6793 -
6794 -- memcpy (swapper_pg_dir, swapper_pg_dir + USER_PGD_PTRS,
6795 -- sizeof (swapper_pg_dir [0]) * KERNEL_PGD_PTRS);
6796 -+ clone_pgd_range(swapper_pg_dir, swapper_pg_dir + USER_PGD_PTRS,
6797 -+ min_t(unsigned long, KERNEL_PGD_PTRS, USER_PGD_PTRS));
6798 -
6799 - /*
6800 - * Use `swapper_pg_dir' as our page directory.
6801 -@@ -246,7 +246,7 @@ void machine_real_restart(unsigned char
6802 - REBOOT.COM programs, and the previous reset routine did this
6803 - too. */
6804 -
6805 -- *((unsigned short *)0x472) = reboot_mode;
6806 -+ *(unsigned short *)(__va(0x472)) = reboot_mode;
6807 -
6808 - /* For the switch to real mode, copy some code to low memory. It has
6809 - to be in the first 64k because it is running in 16-bit mode, and it
6810 -@@ -254,9 +254,8 @@ void machine_real_restart(unsigned char
6811 - off paging. Copy it near the end of the first page, out of the way
6812 - of BIOS variables. */
6813 -
6814 -- memcpy ((void *) (0x1000 - sizeof (real_mode_switch) - 100),
6815 -- real_mode_switch, sizeof (real_mode_switch));
6816 -- memcpy ((void *) (0x1000 - 100), code, length);
6817 -+ memcpy(__va(0x1000 - sizeof (real_mode_switch) - 100), real_mode_switch, sizeof (real_mode_switch));
6818 -+ memcpy(__va(0x1000 - 100), code, length);
6819 -
6820 - /* Set up the IDT for real mode. */
6821 -
6822 -diff -urNp linux-2.6.24.4/arch/x86/kernel/setup_32.c linux-2.6.24.4/arch/x86/kernel/setup_32.c
6823 ---- linux-2.6.24.4/arch/x86/kernel/setup_32.c 2008-03-24 14:49:18.000000000 -0400
6824 -+++ linux-2.6.24.4/arch/x86/kernel/setup_32.c 2008-03-26 17:56:55.000000000 -0400
6825 -@@ -61,6 +61,7 @@
6826 - #include <setup_arch.h>
6827 - #include <bios_ebda.h>
6828 - #include <asm/cacheflush.h>
6829 -+#include <asm/boot.h>
6830 -
6831 - /* This value is set up by the early boot code to point to the value
6832 - immediately after the boot time page tables. It contains a *physical*
6833 -@@ -82,7 +83,11 @@ struct cpuinfo_x86 new_cpu_data __cpuini
6834 - struct cpuinfo_x86 boot_cpu_data __read_mostly = { 0, 0, 0, 0, -1, 1, 0, 0, -1 };
6835 - EXPORT_SYMBOL(boot_cpu_data);
6836 -
6837 -+#ifdef CONFIG_X86_PAE
6838 -+unsigned long mmu_cr4_features = X86_CR4_PAE;
6839 -+#else
6840 - unsigned long mmu_cr4_features;
6841 -+#endif
6842 -
6843 - /* for MCA, but anyone else can use it if they want */
6844 - unsigned int machine_id;
6845 -@@ -436,8 +441,8 @@ void __init setup_bootmem_allocator(void
6846 - * the (very unlikely) case of us accidentally initializing the
6847 - * bootmem allocator with an invalid RAM area.
6848 - */
6849 -- reserve_bootmem(__pa_symbol(_text), (PFN_PHYS(min_low_pfn) +
6850 -- bootmap_size + PAGE_SIZE-1) - __pa_symbol(_text));
6851 -+ reserve_bootmem(LOAD_PHYSICAL_ADDR, (PFN_PHYS(min_low_pfn) +
6852 -+ bootmap_size + PAGE_SIZE-1) - LOAD_PHYSICAL_ADDR);
6853 -
6854 - /*
6855 - * reserve physical page 0 - it's a special BIOS page on many boxes,
6856 -@@ -590,14 +595,14 @@ void __init setup_arch(char **cmdline_p)
6857 -
6858 - if (!boot_params.hdr.root_flags)
6859 - root_mountflags &= ~MS_RDONLY;
6860 -- init_mm.start_code = (unsigned long) _text;
6861 -- init_mm.end_code = (unsigned long) _etext;
6862 -+ init_mm.start_code = ktla_ktva((unsigned long) _text);
6863 -+ init_mm.end_code = ktla_ktva((unsigned long) _etext);
6864 - init_mm.end_data = (unsigned long) _edata;
6865 - init_mm.brk = init_pg_tables_end + PAGE_OFFSET;
6866 -
6867 -- code_resource.start = virt_to_phys(_text);
6868 -- code_resource.end = virt_to_phys(_etext)-1;
6869 -- data_resource.start = virt_to_phys(_etext);
6870 -+ code_resource.start = virt_to_phys(ktla_ktva(_text));
6871 -+ code_resource.end = virt_to_phys(ktla_ktva(_etext))-1;
6872 -+ data_resource.start = virt_to_phys(_data);
6873 - data_resource.end = virt_to_phys(_edata)-1;
6874 - bss_resource.start = virt_to_phys(&__bss_start);
6875 - bss_resource.end = virt_to_phys(&__bss_stop)-1;
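Review bot: `data_resource.start` now uses `_data` instead of `_etext`, which is correct once code and data are no longer adjacent, but `_data` is a linker-script symbol that these hunks do not introduce; please confirm the vmlinux.lds change is part of the same patch so the build does not fail with an undefined symbol.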
6876 -@@ -692,3 +697,23 @@ void __init setup_arch(char **cmdline_p)
6877 - #endif
6878 - #endif
6879 - }
6880 -+
6881 -+unsigned long __per_cpu_offset[NR_CPUS] __read_only;
6882 -+
6883 -+EXPORT_SYMBOL(__per_cpu_offset);
6884 -+
6885 -+void __init setup_per_cpu_areas(void)
6886 -+{
6887 -+ unsigned long size, i;
6888 -+ char *ptr;
6889 -+
6890 -+ /* Copy section for each CPU (we discard the original) */
6891 -+ size = ALIGN(PERCPU_ENOUGH_ROOM, PAGE_SIZE);
6892 -+ ptr = alloc_bootmem_pages(size * num_possible_cpus());
6893 -+
6894 -+ for_each_possible_cpu(i) {
6895 -+ __per_cpu_offset[i] = (unsigned long)ptr;
6896 -+ memcpy(ptr, __per_cpu_start, __per_cpu_end - __per_cpu_start);
6897 -+ ptr += size;
6898 -+ }
6899 -+}
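Review bot: This arch-specific `setup_per_cpu_areas` and the `__per_cpu_offset` array duplicate the generic implementation in init/main.c, so the arch must opt out of the generic version on the header side (not shown here) or the symbols will collide; also note that `__per_cpu_offset` is `__read_only` yet written from an `__init` function, which is fine only as long as the read-only sections are sealed after init, a dependency worth a comment.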
6900 -diff -urNp linux-2.6.24.4/arch/x86/kernel/setup64.c linux-2.6.24.4/arch/x86/kernel/setup64.c
6901 ---- linux-2.6.24.4/arch/x86/kernel/setup64.c 2008-03-24 14:49:18.000000000 -0400
6902 -+++ linux-2.6.24.4/arch/x86/kernel/setup64.c 2008-03-26 17:56:55.000000000 -0400
6903 -@@ -32,12 +32,12 @@ struct x8664_pda *_cpu_pda[NR_CPUS] __re
6904 - EXPORT_SYMBOL(_cpu_pda);
6905 - struct x8664_pda boot_cpu_pda[NR_CPUS] __cacheline_aligned;
6906 -
6907 --struct desc_ptr idt_descr = { 256 * 16 - 1, (unsigned long) idt_table };
6908 -+const struct desc_ptr idt_descr = { 256 * 16 - 1, (unsigned long) idt_table };
6909 -
6910 - char boot_cpu_stack[IRQSTACKSIZE] __attribute__((section(".bss.page_aligned")));
6911 -
6912 - unsigned long __supported_pte_mask __read_mostly = ~0UL;
6913 --static int do_not_nx __cpuinitdata = 0;
6914 -+EXPORT_SYMBOL(__supported_pte_mask);
6915 -
6916 - /* noexec=on|off
6917 - Control non executable mappings for 64bit processes.
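Review bot: The removed `do_not_nx` flag is replaced by `EXPORT_SYMBOL(__supported_pte_mask)`; the removal itself is behaviour-preserving because `nonx_setup` already clears `_PAGE_NX` in the "off" branch (see the next hunk), but exporting the mask to all modules is a separate, unexplained change, and `EXPORT_SYMBOL_GPL` would be the narrower choice if only in-tree code needs it.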
6918 -@@ -51,16 +51,14 @@ static int __init nonx_setup(char *str)
6919 - return -EINVAL;
6920 - if (!strncmp(str, "on", 2)) {
6921 - __supported_pte_mask |= _PAGE_NX;
6922 -- do_not_nx = 0;
6923 - } else if (!strncmp(str, "off", 3)) {
6924 -- do_not_nx = 1;
6925 - __supported_pte_mask &= ~_PAGE_NX;
6926 - }
6927 - return 0;
6928 - }
6929 - early_param("noexec", nonx_setup);
6930 -
6931 --int force_personality32 = 0;
6932 -+int force_personality32;
6933 -
6934 - /* noexec32=on|off
6935 - Control non executable heap for 32bit processes.
6936 -@@ -177,7 +175,7 @@ void __cpuinit check_efer(void)
6937 - unsigned long efer;
6938 -
6939 - rdmsrl(MSR_EFER, efer);
6940 -- if (!(efer & EFER_NX) || do_not_nx) {
6941 -+ if (!(efer & EFER_NX)) {
6942 - __supported_pte_mask &= ~_PAGE_NX;
6943 - }
6944 - }
6945 -@@ -200,12 +198,13 @@ DEFINE_PER_CPU(struct orig_ist, orig_ist
6946 - void __cpuinit cpu_init (void)
6947 - {
6948 - int cpu = stack_smp_processor_id();
6949 -- struct tss_struct *t = &per_cpu(init_tss, cpu);
6950 -+ struct tss_struct *t = init_tss + cpu;
6951 - struct orig_ist *orig_ist = &per_cpu(orig_ist, cpu);
6952 - unsigned long v;
6953 - char *estacks = NULL;
6954 - struct task_struct *me;
6955 - int i;
6956 -+ struct desc_ptr cpu_gdt_descr = { .size = GDT_SIZE - 1, .address = (unsigned long)cpu_gdt_table[cpu]};
6957 -
6958 - /* CPU 0 is initialised in head64.c */
6959 - if (cpu != 0) {
6960 -@@ -223,14 +222,12 @@ void __cpuinit cpu_init (void)
6961 - clear_in_cr4(X86_CR4_VME|X86_CR4_PVI|X86_CR4_TSD|X86_CR4_DE);
6962 -
6963 - /*
6964 -- * Initialize the per-CPU GDT with the boot GDT,
6965 -- * and set up the GDT descriptor:
6966 -+ * Initialize the per-CPU GDT with the boot GDT:
6967 - */
6968 - if (cpu)
6969 - memcpy(cpu_gdt(cpu), cpu_gdt_table, GDT_SIZE);
6970 -
6971 -- cpu_gdt_descr[cpu].size = GDT_SIZE;
6972 -- load_gdt((const struct desc_ptr *)&cpu_gdt_descr[cpu]);
6973 -+ load_gdt(&cpu_gdt_descr);
6974 - load_idt((const struct desc_ptr *)&idt_descr);
6975 -
6976 - memset(me->thread.tls_array, 0, GDT_ENTRY_TLS_ENTRIES * 8);
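Review bot: The on-stack `cpu_gdt_descr` sets `.size = GDT_SIZE - 1` where the removed code set `cpu_gdt_descr[cpu].size = GDT_SIZE`; the new value is the correct GDTR limit (last valid byte offset), so this fixes an off-by-one that was harmless but wrong, and it deserves a mention in the commit message. A stack temporary is safe here because `lgdt` copies the descriptor into the register.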
6977 -diff -urNp linux-2.6.24.4/arch/x86/kernel/signal_32.c linux-2.6.24.4/arch/x86/kernel/signal_32.c
6978 ---- linux-2.6.24.4/arch/x86/kernel/signal_32.c 2008-03-24 14:49:18.000000000 -0400
6979 -+++ linux-2.6.24.4/arch/x86/kernel/signal_32.c 2008-03-26 17:56:55.000000000 -0400
6980 -@@ -355,9 +355,9 @@ static int setup_frame(int sig, struct k
6981 - }
6982 -
6983 - if (current->binfmt->hasvdso)
6984 -- restorer = (void *)VDSO_SYM(&__kernel_sigreturn);
6985 -+ restorer = (void __user *)VDSO_SYM(&__kernel_sigreturn);
6986 - else
6987 -- restorer = (void *)&frame->retcode;
6988 -+ restorer = (void __user *)&frame->retcode;
6989 - if (ka->sa.sa_flags & SA_RESTORER)
6990 - restorer = ka->sa.sa_restorer;
6991 -
6992 -@@ -452,7 +452,7 @@ static int setup_rt_frame(int sig, struc
6993 - goto give_sigsegv;
6994 -
6995 - /* Set up to return from userspace. */
6996 -- restorer = (void *)VDSO_SYM(&__kernel_rt_sigreturn);
6997 -+ restorer = (void __user *)VDSO_SYM(&__kernel_rt_sigreturn);
6998 - if (ka->sa.sa_flags & SA_RESTORER)
6999 - restorer = ka->sa.sa_restorer;
7000 - err |= __put_user(restorer, &frame->pretcode);
7001 -@@ -584,7 +584,7 @@ static void fastcall do_signal(struct pt
7002 - * before reaching here, so testing against kernel
7003 - * CS suffices.
7004 - */
7005 -- if (!user_mode(regs))
7006 -+ if (!user_mode_novm(regs))
7007 - return;
7008 -
7009 - if (test_thread_flag(TIF_RESTORE_SIGMASK))
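Review bot: `user_mode_novm` is used here but defined nowhere in these hunks; together with the `user_mode_vm` to `user_mode` swaps in process_32.c and ptrace_32.c this implies the macro semantics changed in a header, which should be cited so reviewers can check every call site was converted in the right direction.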
7010 -diff -urNp linux-2.6.24.4/arch/x86/kernel/signal_64.c linux-2.6.24.4/arch/x86/kernel/signal_64.c
7011 ---- linux-2.6.24.4/arch/x86/kernel/signal_64.c 2008-03-24 14:49:18.000000000 -0400
7012 -+++ linux-2.6.24.4/arch/x86/kernel/signal_64.c 2008-03-26 17:56:55.000000000 -0400
7013 -@@ -252,8 +252,8 @@ static int setup_rt_frame(int sig, struc
7014 - err |= setup_sigcontext(&frame->uc.uc_mcontext, regs, set->sig[0], me);
7015 - err |= __put_user(fp, &frame->uc.uc_mcontext.fpstate);
7016 - if (sizeof(*set) == 16) {
7017 -- __put_user(set->sig[0], &frame->uc.uc_sigmask.sig[0]);
7018 -- __put_user(set->sig[1], &frame->uc.uc_sigmask.sig[1]);
7019 -+ err |= __put_user(set->sig[0], &frame->uc.uc_sigmask.sig[0]);
7020 -+ err |= __put_user(set->sig[1], &frame->uc.uc_sigmask.sig[1]);
7021 - } else
7022 - err |= __copy_to_user(&frame->uc.uc_sigmask, set, sizeof(*set));
7023 -
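Review bot: Folding the two `__put_user` results into `err` is a genuine bug fix rather than hardening: previously a failed write of the signal mask was ignored and the frame was delivered anyway. It is independent of PaX and is worth sending upstream as its own patch.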
7024 -diff -urNp linux-2.6.24.4/arch/x86/kernel/smp_32.c linux-2.6.24.4/arch/x86/kernel/smp_32.c
7025 ---- linux-2.6.24.4/arch/x86/kernel/smp_32.c 2008-03-24 14:49:18.000000000 -0400
7026 -+++ linux-2.6.24.4/arch/x86/kernel/smp_32.c 2008-03-26 17:56:55.000000000 -0400
7027 -@@ -104,7 +104,7 @@
7028 - * about nothing of note with C stepping upwards.
7029 - */
7030 -
7031 --DEFINE_PER_CPU(struct tlb_state, cpu_tlbstate) ____cacheline_aligned = { &init_mm, 0, };
7032 -+DEFINE_PER_CPU(struct tlb_state, cpu_tlbstate) ____cacheline_aligned = { &init_mm, 0, {0} };
7033 -
7034 - /*
7035 - * the following functions deal with sending IPIs between CPUs.
7036 -diff -urNp linux-2.6.24.4/arch/x86/kernel/smpboot_32.c linux-2.6.24.4/arch/x86/kernel/smpboot_32.c
7037 ---- linux-2.6.24.4/arch/x86/kernel/smpboot_32.c 2008-03-24 14:49:18.000000000 -0400
7038 -+++ linux-2.6.24.4/arch/x86/kernel/smpboot_32.c 2008-03-26 17:56:55.000000000 -0400
7039 -@@ -781,6 +781,10 @@ static int __cpuinit do_boot_cpu(int api
7040 - unsigned long start_eip;
7041 - unsigned short nmi_high = 0, nmi_low = 0;
7042 -
7043 -+#ifdef CONFIG_PAX_KERNEXEC
7044 -+ unsigned long cr0;
7045 -+#endif
7046 -+
7047 - /*
7048 - * Save current MTRR state in case it was changed since early boot
7049 - * (e.g. by the ACPI SMI) to initialize new CPUs with MTRRs in sync:
7050 -@@ -797,7 +801,16 @@ static int __cpuinit do_boot_cpu(int api
7051 -
7052 - init_gdt(cpu);
7053 - per_cpu(current_task, cpu) = idle;
7054 -- early_gdt_descr.address = (unsigned long)get_cpu_gdt_table(cpu);
7055 -+
7056 -+#ifdef CONFIG_PAX_KERNEXEC
7057 -+ pax_open_kernel(cr0);
7058 -+#endif
7059 -+
7060 -+ early_gdt_descr.address = get_cpu_gdt_table(cpu);
7061 -+
7062 -+#ifdef CONFIG_PAX_KERNEXEC
7063 -+ pax_close_kernel(cr0);
7064 -+#endif
7065 -
7066 - idle->thread.eip = (unsigned long) start_secondary;
7067 - /* start_eip had better be page-aligned! */
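Review bot: the cast is dropped in `early_gdt_descr.address = get_cpu_gdt_table(cpu);`, which only compiles if the type of `early_gdt_descr.address` or the return type of `get_cpu_gdt_table()` changed in a header outside this hunk; state that dependency in the changelog. Separately, every GDT write in this patch is now wrapped in an `#ifdef CONFIG_PAX_KERNEXEC` / `pax_open_kernel(cr0)` / `pax_close_kernel(cr0)` triple plus a conditionally declared `cr0` local; a pair of helpers that compile to nothing when KERNEXEC is off would remove the ifdef clutter at all of these sites.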
7068 -@@ -1122,7 +1135,7 @@ static void __init smp_boot_cpus(unsigne
7069 - * construct cpu_sibling_map, so that we can tell sibling CPUs
7070 - * efficiently.
7071 - */
7072 -- for (cpu = 0; cpu < NR_CPUS; cpu++) {
7073 -+ for_each_possible_cpu(cpu) {
7074 - cpus_clear(per_cpu(cpu_sibling_map, cpu));
7075 - cpus_clear(per_cpu(cpu_core_map, cpu));
7076 - }
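Review bot: `for_each_possible_cpu(cpu)` in place of `for (cpu = 0; cpu < NR_CPUS; cpu++)` is a behavioural change (the old loop could touch `per_cpu()` data for CPU numbers that never exist and have no per-CPU area) and is correct independently of PaX; it belongs upstream as a separate patch rather than being carried inside this one.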
7077 -diff -urNp linux-2.6.24.4/arch/x86/kernel/smpboot_64.c linux-2.6.24.4/arch/x86/kernel/smpboot_64.c
7078 ---- linux-2.6.24.4/arch/x86/kernel/smpboot_64.c 2008-03-24 14:49:18.000000000 -0400
7079 -+++ linux-2.6.24.4/arch/x86/kernel/smpboot_64.c 2008-03-26 17:56:55.000000000 -0400
7080 -@@ -549,13 +549,6 @@ static int __cpuinit do_boot_cpu(int cpu
7081 - .done = COMPLETION_INITIALIZER_ONSTACK(c_idle.done),
7082 - };
7083 -
7084 -- /* allocate memory for gdts of secondary cpus. Hotplug is considered */
7085 -- if (!cpu_gdt_descr[cpu].address &&
7086 -- !(cpu_gdt_descr[cpu].address = get_zeroed_page(GFP_KERNEL))) {
7087 -- printk(KERN_ERR "Failed to allocate GDT for CPU %d\n", cpu);
7088 -- return -1;
7089 -- }
7090 --
7091 - /* Allocate node local memory for AP pdas */
7092 - if (cpu_pda(cpu) == &boot_cpu_pda[cpu]) {
7093 - struct x8664_pda *newpda, *pda;
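Review bot: removing the `get_zeroed_page(GFP_KERNEL)` allocation of secondary-CPU GDTs, and the `Failed to allocate GDT for CPU %d` error path with it, implies that `cpu_gdt_descr[cpu].address` is now populated statically somewhere outside this hunk; the changelog should say where, since a reader of this hunk alone cannot tell whether a CPU can still be brought up with an uninitialised GDT descriptor.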
7094 -@@ -614,7 +607,7 @@ do_rest:
7095 - start_rip = setup_trampoline();
7096 -
7097 - init_rsp = c_idle.idle->thread.rsp;
7098 -- per_cpu(init_tss,cpu).rsp0 = init_rsp;
7099 -+ init_tss[cpu].rsp0 = init_rsp;
7100 - initial_code = start_secondary;
7101 - clear_tsk_thread_flag(c_idle.idle, TIF_FORK);
7102 -
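Review bot: `init_tss[cpu].rsp0 = init_rsp;` replacing `per_cpu(init_tss,cpu).rsp0` means `init_tss` has become a plain array indexed by CPU number rather than a per-CPU variable; that definition is not in this hunk, and any code still using `per_cpu(init_tss, ...)` will stop building, so the changelog should point at the new definition and confirm all users were converted (the suspend_64.c, sysenter_32.c, traps_32.c and vm86_32.c hunks in this patch are).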
7103 -diff -urNp linux-2.6.24.4/arch/x86/kernel/smpcommon_32.c linux-2.6.24.4/arch/x86/kernel/smpcommon_32.c
7104 ---- linux-2.6.24.4/arch/x86/kernel/smpcommon_32.c 2008-03-24 14:49:18.000000000 -0400
7105 -+++ linux-2.6.24.4/arch/x86/kernel/smpcommon_32.c 2008-03-26 17:56:55.000000000 -0400
7106 -@@ -3,6 +3,7 @@
7107 - */
7108 - #include <linux/module.h>
7109 - #include <asm/smp.h>
7110 -+#include <asm/sections.h>
7111 -
7112 - DEFINE_PER_CPU(unsigned long, this_cpu_off);
7113 - EXPORT_PER_CPU_SYMBOL(this_cpu_off);
7114 -@@ -14,10 +15,29 @@ __cpuinit void init_gdt(int cpu)
7115 - {
7116 - struct desc_struct *gdt = get_cpu_gdt_table(cpu);
7117 -
7118 -- pack_descriptor((u32 *)&gdt[GDT_ENTRY_PERCPU].a,
7119 -- (u32 *)&gdt[GDT_ENTRY_PERCPU].b,
7120 -- __per_cpu_offset[cpu], 0xFFFFF,
7121 -- 0x80 | DESCTYPE_S | 0x2, 0x8);
7122 -+#ifdef CONFIG_PAX_KERNEXEC
7123 -+ unsigned long cr0;
7124 -+
7125 -+ pax_open_kernel(cr0);
7126 -+#endif
7127 -+
7128 -+ if (cpu)
7129 -+ memcpy(gdt, cpu_gdt_table, GDT_SIZE);
7130 -+
7131 -+ if (PERCPU_ENOUGH_ROOM <= 64*1024*1024)
7132 -+ pack_descriptor((__u32 *)&gdt[GDT_ENTRY_PERCPU].a,
7133 -+ (__u32 *)&gdt[GDT_ENTRY_PERCPU].b,
7134 -+ __per_cpu_offset[cpu], PERCPU_ENOUGH_ROOM-1,
7135 -+ 0x80 | DESCTYPE_S | 0x3, 0x4);
7136 -+ else
7137 -+ pack_descriptor((__u32 *)&gdt[GDT_ENTRY_PERCPU].a,
7138 -+ (__u32 *)&gdt[GDT_ENTRY_PERCPU].b,
7139 -+ __per_cpu_offset[cpu], ((PERCPU_ENOUGH_ROOM-1) >> PAGE_SHIFT),
7140 -+ 0x80 | DESCTYPE_S | 0x3, 0xC);
7141 -+
7142 -+#ifdef CONFIG_PAX_KERNEXEC
7143 -+ pax_close_kernel(cr0);
7144 -+#endif
7145 -
7146 - per_cpu(this_cpu_off, cpu) = __per_cpu_offset[cpu];
7147 - per_cpu(cpu_number, cpu) = cpu;
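Review bot: the `if (PERCPU_ENOUGH_ROOM <= 64*1024*1024)` threshold does not match the descriptor encoding: with flags `0x4` (32-bit, byte granularity) the limit field is 20 bits, so `PERCPU_ENOUGH_ROOM-1` can only be encoded when the area is at most 1 MiB, and anything between 1 MiB and 64 MiB would get a silently truncated limit from `pack_descriptor()`. Use 1024*1024 as the threshold or add a BUILD_BUG_ON. Also worth a comment: the type byte moves from `0x2` to `0x3`, i.e. the accessed bit is pre-set so the CPU never needs to write it into a GDT that KERNEXEC keeps read-only, and the limit shrinks from the full 4 GiB (`0xFFFFF` pages) to the per-CPU area itself, which is the actual hardening in this hunk.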
7148 -diff -urNp linux-2.6.24.4/arch/x86/kernel/suspend_64.c linux-2.6.24.4/arch/x86/kernel/suspend_64.c
7149 ---- linux-2.6.24.4/arch/x86/kernel/suspend_64.c 2008-03-24 14:49:18.000000000 -0400
7150 -+++ linux-2.6.24.4/arch/x86/kernel/suspend_64.c 2008-03-26 17:56:55.000000000 -0400
7151 -@@ -116,12 +116,22 @@ void restore_processor_state(void)
7152 - void fix_processor_context(void)
7153 - {
7154 - int cpu = smp_processor_id();
7155 -- struct tss_struct *t = &per_cpu(init_tss, cpu);
7156 -+ struct tss_struct *t = init_tss + cpu;
7157 -+
7158 -+#ifdef CONFIG_PAX_KERNEXEC
7159 -+ unsigned long cr0;
7160 -+
7161 -+ pax_open_kernel(cr0);
7162 -+#endif
7163 -
7164 - set_tss_desc(cpu,t); /* This just modifies memory; should not be necessary. But... This is necessary, because 386 hardware has concept of busy TSS or some similar stupidity. */
7165 -
7166 - cpu_gdt(cpu)[GDT_ENTRY_TSS].type = 9;
7167 -
7168 -+#ifdef CONFIG_PAX_KERNEXEC
7169 -+ pax_close_kernel(cr0);
7170 -+#endif
7171 -+
7172 - syscall_init(); /* This sets MSR_*STAR and related */
7173 - load_TR_desc(); /* This does ltr */
7174 - load_LDT(&current->active_mm->context); /* This does lldt */
7175 -diff -urNp linux-2.6.24.4/arch/x86/kernel/syscall_table_32.S linux-2.6.24.4/arch/x86/kernel/syscall_table_32.S
7176 ---- linux-2.6.24.4/arch/x86/kernel/syscall_table_32.S 2008-03-24 14:49:18.000000000 -0400
7177 -+++ linux-2.6.24.4/arch/x86/kernel/syscall_table_32.S 2008-03-26 17:56:55.000000000 -0400
7178 -@@ -1,3 +1,4 @@
7179 -+.section .rodata,"a",@progbits
7180 - ENTRY(sys_call_table)
7181 - .long sys_restart_syscall /* 0 - old "setup()" system call, used for restarting */
7182 - .long sys_exit
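Review bot: placing `sys_call_table` in `.rodata` is a good change (a writable syscall table is a classic target for in-kernel tampering, and a read-only placement makes any such write fault), but the bare `.section .rodata,"a",@progbits` at the top of the file relies on nothing else in the file needing a different section; add a one-line comment stating that the table is intentionally read-only so that later additions to this file are not dropped into `.rodata` by accident.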
7183 -diff -urNp linux-2.6.24.4/arch/x86/kernel/sysenter_32.c linux-2.6.24.4/arch/x86/kernel/sysenter_32.c
7184 ---- linux-2.6.24.4/arch/x86/kernel/sysenter_32.c 2008-03-24 14:49:18.000000000 -0400
7185 -+++ linux-2.6.24.4/arch/x86/kernel/sysenter_32.c 2008-03-26 17:56:55.000000000 -0400
7186 -@@ -175,7 +175,7 @@ static __init void relocate_vdso(Elf32_E
7187 - void enable_sep_cpu(void)
7188 - {
7189 - int cpu = get_cpu();
7190 -- struct tss_struct *tss = &per_cpu(init_tss, cpu);
7191 -+ struct tss_struct *tss = init_tss + cpu;
7192 -
7193 - if (!boot_cpu_has(X86_FEATURE_SEP)) {
7194 - put_cpu();
7195 -@@ -198,7 +198,7 @@ static int __init gate_vma_init(void)
7196 - gate_vma.vm_start = FIXADDR_USER_START;
7197 - gate_vma.vm_end = FIXADDR_USER_END;
7198 - gate_vma.vm_flags = VM_READ | VM_MAYREAD | VM_EXEC | VM_MAYEXEC;
7199 -- gate_vma.vm_page_prot = __P101;
7200 -+ gate_vma.vm_page_prot = vm_get_page_prot(gate_vma.vm_flags);
7201 - /*
7202 - * Make sure the vDSO gets into every core dump.
7203 - * Dumping its contents makes post-mortem fully interpretable later
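Review bot: `gate_vma.vm_page_prot = vm_get_page_prot(gate_vma.vm_flags);` instead of the hard-coded `__P101` is the right way to derive the protection (the vDSO mapping then honours whatever executable-page policy `vm_get_page_prot()` implements instead of assuming a fixed PTE encoding); this hunk is independent of PaX and could go upstream on its own.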
7204 -@@ -281,7 +281,7 @@ int arch_setup_additional_pages(struct l
7205 - if (compat)
7206 - addr = VDSO_HIGH_BASE;
7207 - else {
7208 -- addr = get_unmapped_area(NULL, 0, PAGE_SIZE, 0, 0);
7209 -+ addr = get_unmapped_area(NULL, 0, PAGE_SIZE, 0, MAP_EXECUTABLE);
7210 - if (IS_ERR_VALUE(addr)) {
7211 - ret = addr;
7212 - goto up_fail;
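Review bot: passing `MAP_EXECUTABLE` to `get_unmapped_area()` for the vDSO is only meaningful because the new i386 `arch_get_unmapped_area()` in this patch inspects that flag under `CONFIG_PAX_PAGEEXEC` to place executable mappings in the low range it reserves for them; that coupling is invisible at this call site, so add a comment, otherwise the flag looks like a no-op (upstream ignores it for placement).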
7213 -@@ -306,7 +306,7 @@ int arch_setup_additional_pages(struct l
7214 - goto up_fail;
7215 - }
7216 -
7217 -- current->mm->context.vdso = (void *)addr;
7218 -+ current->mm->context.vdso = addr;
7219 - current_thread_info()->sysenter_return =
7220 - (void *)VDSO_SYM(&SYSENTER_RETURN);
7221 -
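Review bot: dropping the `(void *)` cast in `current->mm->context.vdso = addr;` (and the matching `(long)` and `(void *)` casts in the `arch_vma_name()` and `get_gate_vma()` hunks below) means `mm_context_t.vdso` changed from a pointer to an `unsigned long` in a header not shown here; note the header dependency in the changelog and check every other user of `context.vdso` (ELF core-dump and vsyscall code) still builds cleanly, since an integer-to-pointer mismatch there is only a warning and is easy to miss.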
7222 -@@ -318,8 +318,14 @@ int arch_setup_additional_pages(struct l
7223 -
7224 - const char *arch_vma_name(struct vm_area_struct *vma)
7225 - {
7226 -- if (vma->vm_mm && vma->vm_start == (long)vma->vm_mm->context.vdso)
7227 -+ if (vma->vm_mm && vma->vm_start == vma->vm_mm->context.vdso)
7228 - return "[vdso]";
7229 -+
7230 -+#ifdef CONFIG_PAX_SEGMEXEC
7231 -+ if (vma->vm_mm && vma->vm_mirror && vma->vm_mirror->vm_start == vma->vm_mm->context.vdso)
7232 -+ return "[vdso]";
7233 -+#endif
7234 -+
7235 - return NULL;
7236 - }
7237 -
7238 -@@ -328,7 +334,7 @@ struct vm_area_struct *get_gate_vma(stru
7239 - struct mm_struct *mm = tsk->mm;
7240 -
7241 - /* Check to see if this task was created in compat vdso mode */
7242 -- if (mm && mm->context.vdso == (void *)VDSO_HIGH_BASE)
7243 -+ if (mm && mm->context.vdso == VDSO_HIGH_BASE)
7244 - return &gate_vma;
7245 - return NULL;
7246 - }
7247 -diff -urNp linux-2.6.24.4/arch/x86/kernel/sys_i386_32.c linux-2.6.24.4/arch/x86/kernel/sys_i386_32.c
7248 ---- linux-2.6.24.4/arch/x86/kernel/sys_i386_32.c 2008-03-24 14:49:18.000000000 -0400
7249 -+++ linux-2.6.24.4/arch/x86/kernel/sys_i386_32.c 2008-03-26 17:56:55.000000000 -0400
7250 -@@ -39,6 +39,21 @@ asmlinkage int sys_pipe(unsigned long __
7251 - return error;
7252 - }
7253 -
7254 -+int i386_mmap_check(unsigned long addr, unsigned long len, unsigned long flags)
7255 -+{
7256 -+ unsigned long task_size = TASK_SIZE;
7257 -+
7258 -+#ifdef CONFIG_PAX_SEGMEXEC
7259 -+ if (current->mm->pax_flags & MF_PAX_SEGMEXEC)
7260 -+ task_size = SEGMEXEC_TASK_SIZE;
7261 -+#endif
7262 -+
7263 -+ if (len > task_size || addr > task_size - len)
7264 -+ return -EINVAL;
7265 -+
7266 -+ return 0;
7267 -+}
7268 -+
7269 - asmlinkage long sys_mmap2(unsigned long addr, unsigned long len,
7270 - unsigned long prot, unsigned long flags,
7271 - unsigned long fd, unsigned long pgoff)
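Review bot: `if (len > task_size || addr > task_size - len)` is the overflow-safe form of `addr + len > task_size` (the subtraction cannot wrap because `len > task_size` has already been excluded), which is good; but `i386_mmap_check()` is defined non-static with no prototype in this hunk and no caller shown, so say in the changelog where it is declared and hooked (presumably through the arch mmap-check hook) and add a short comment above it naming which mmap paths it covers and that its purpose is to enforce the reduced `SEGMEXEC_TASK_SIZE` address space.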
7272 -@@ -98,6 +113,205 @@ out:
7273 - return err;
7274 - }
7275 -
7276 -+unsigned long
7277 -+arch_get_unmapped_area(struct file *filp, unsigned long addr,
7278 -+ unsigned long len, unsigned long pgoff, unsigned long flags)
7279 -+{
7280 -+ struct mm_struct *mm = current->mm;
7281 -+ struct vm_area_struct *vma;
7282 -+ unsigned long start_addr, task_size = TASK_SIZE;
7283 -+
7284 -+#ifdef CONFIG_PAX_SEGMEXEC
7285 -+ if (mm->pax_flags & MF_PAX_SEGMEXEC)
7286 -+ task_size = SEGMEXEC_TASK_SIZE;
7287 -+#endif
7288 -+
7289 -+ if (len > task_size)
7290 -+ return -ENOMEM;
7291 -+
7292 -+ if (flags & MAP_FIXED)
7293 -+ return addr;
7294 -+
7295 -+#ifdef CONFIG_PAX_RANDMMAP
7296 -+ if (!(mm->pax_flags & MF_PAX_RANDMMAP) || !filp)
7297 -+#endif
7298 -+
7299 -+ if (addr) {
7300 -+ addr = PAGE_ALIGN(addr);
7301 -+ vma = find_vma(mm, addr);
7302 -+ if (task_size - len >= addr &&
7303 -+ (!vma || addr + len <= vma->vm_start))
7304 -+ return addr;
7305 -+ }
7306 -+ if (len > mm->cached_hole_size) {
7307 -+ start_addr = addr = mm->free_area_cache;
7308 -+ } else {
7309 -+ start_addr = addr = mm->mmap_base;
7310 -+ mm->cached_hole_size = 0;
7311 -+ }
7312 -+
7313 -+#ifdef CONFIG_PAX_PAGEEXEC
7314 -+ if (!nx_enabled && (mm->pax_flags & MF_PAX_PAGEEXEC) && (flags & MAP_EXECUTABLE) && start_addr >= mm->mmap_base) {
7315 -+ start_addr = 0x00110000UL;
7316 -+
7317 -+#ifdef CONFIG_PAX_RANDMMAP
7318 -+ if (mm->pax_flags & MF_PAX_RANDMMAP)
7319 -+ start_addr += mm->delta_mmap & 0x03FFF000UL;
7320 -+#endif
7321 -+
7322 -+ if (mm->start_brk <= start_addr && start_addr < mm->mmap_base)
7323 -+ start_addr = addr = mm->mmap_base;
7324 -+ else
7325 -+ addr = start_addr;
7326 -+ }
7327 -+#endif
7328 -+
7329 -+full_search:
7330 -+ for (vma = find_vma(mm, addr); ; vma = vma->vm_next) {
7331 -+ /* At this point: (!vma || addr < vma->vm_end). */
7332 -+ if (task_size - len < addr) {
7333 -+ /*
7334 -+ * Start a new search - just in case we missed
7335 -+ * some holes.
7336 -+ */
7337 -+ if (start_addr != mm->mmap_base) {
7338 -+ start_addr = addr = mm->mmap_base;
7339 -+ mm->cached_hole_size = 0;
7340 -+ goto full_search;
7341 -+ }
7342 -+ return -ENOMEM;
7343 -+ }
7344 -+ if (!vma || addr + len <= vma->vm_start) {
7345 -+ /*
7346 -+ * Remember the place where we stopped the search:
7347 -+ */
7348 -+ mm->free_area_cache = addr + len;
7349 -+ return addr;
7350 -+ }
7351 -+ if (addr + mm->cached_hole_size < vma->vm_start)
7352 -+ mm->cached_hole_size = vma->vm_start - addr;
7353 -+ addr = vma->vm_end;
7354 -+ if (mm->start_brk <= addr && addr < mm->mmap_base) {
7355 -+ start_addr = addr = mm->mmap_base;
7356 -+ mm->cached_hole_size = 0;
7357 -+ goto full_search;
7358 -+ }
7359 -+ }
7360 -+}
7361 -+
7362 -+unsigned long
7363 -+arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
7364 -+ const unsigned long len, const unsigned long pgoff,
7365 -+ const unsigned long flags)
7366 -+{
7367 -+ struct vm_area_struct *vma;
7368 -+ struct mm_struct *mm = current->mm;
7369 -+ unsigned long base = mm->mmap_base, addr = addr0, task_size = TASK_SIZE;
7370 -+
7371 -+#ifdef CONFIG_PAX_SEGMEXEC
7372 -+ if (mm->pax_flags & MF_PAX_SEGMEXEC)
7373 -+ task_size = SEGMEXEC_TASK_SIZE;
7374 -+#endif
7375 -+
7376 -+ /* requested length too big for entire address space */
7377 -+ if (len > task_size)
7378 -+ return -ENOMEM;
7379 -+
7380 -+ if (flags & MAP_FIXED)
7381 -+ return addr;
7382 -+
7383 -+#ifdef CONFIG_PAX_PAGEEXEC
7384 -+ if (!nx_enabled && (mm->pax_flags & MF_PAX_PAGEEXEC) && (flags & MAP_EXECUTABLE))
7385 -+ goto bottomup;
7386 -+#endif
7387 -+
7388 -+#ifdef CONFIG_PAX_RANDMMAP
7389 -+ if (!(mm->pax_flags & MF_PAX_RANDMMAP) || !filp)
7390 -+#endif
7391 -+
7392 -+ /* requesting a specific address */
7393 -+ if (addr) {
7394 -+ addr = PAGE_ALIGN(addr);
7395 -+ vma = find_vma(mm, addr);
7396 -+ if (task_size - len >= addr &&
7397 -+ (!vma || addr + len <= vma->vm_start))
7398 -+ return addr;
7399 -+ }
7400 -+
7401 -+ /* check if free_area_cache is useful for us */
7402 -+ if (len <= mm->cached_hole_size) {
7403 -+ mm->cached_hole_size = 0;
7404 -+ mm->free_area_cache = mm->mmap_base;
7405 -+ }
7406 -+
7407 -+ /* either no address requested or can't fit in requested address hole */
7408 -+ addr = mm->free_area_cache;
7409 -+
7410 -+ /* make sure it can fit in the remaining address space */
7411 -+ if (addr > len) {
7412 -+ vma = find_vma(mm, addr-len);
7413 -+ if (!vma || addr <= vma->vm_start)
7414 -+ /* remember the address as a hint for next time */
7415 -+ return (mm->free_area_cache = addr-len);
7416 -+ }
7417 -+
7418 -+ if (mm->mmap_base < len)
7419 -+ goto bottomup;
7420 -+
7421 -+ addr = mm->mmap_base-len;
7422 -+
7423 -+ do {
7424 -+ /*
7425 -+ * Lookup failure means no vma is above this address,
7426 -+ * else if new region fits below vma->vm_start,
7427 -+ * return with success:
7428 -+ */
7429 -+ vma = find_vma(mm, addr);
7430 -+ if (!vma || addr+len <= vma->vm_start)
7431 -+ /* remember the address as a hint for next time */
7432 -+ return (mm->free_area_cache = addr);
7433 -+
7434 -+ /* remember the largest hole we saw so far */
7435 -+ if (addr + mm->cached_hole_size < vma->vm_start)
7436 -+ mm->cached_hole_size = vma->vm_start - addr;
7437 -+
7438 -+ /* try just below the current vma->vm_start */
7439 -+ addr = vma->vm_start-len;
7440 -+ } while (len < vma->vm_start);
7441 -+
7442 -+bottomup:
7443 -+ /*
7444 -+ * A failed mmap() very likely causes application failure,
7445 -+ * so fall back to the bottom-up function here. This scenario
7446 -+ * can happen with large stack limits and large mmap()
7447 -+ * allocations.
7448 -+ */
7449 -+
7450 -+#ifdef CONFIG_PAX_SEGMEXEC
7451 -+ if (mm->pax_flags & MF_PAX_SEGMEXEC)
7452 -+ mm->mmap_base = SEGMEXEC_TASK_UNMAPPED_BASE;
7453 -+ else
7454 -+#endif
7455 -+
7456 -+ mm->mmap_base = TASK_UNMAPPED_BASE;
7457 -+
7458 -+#ifdef CONFIG_PAX_RANDMMAP
7459 -+ if (mm->pax_flags & MF_PAX_RANDMMAP)
7460 -+ mm->mmap_base += mm->delta_mmap;
7461 -+#endif
7462 -+
7463 -+ mm->free_area_cache = mm->mmap_base;
7464 -+ mm->cached_hole_size = ~0UL;
7465 -+ addr = arch_get_unmapped_area(filp, addr0, len, pgoff, flags);
7466 -+ /*
7467 -+ * Restore the topdown base:
7468 -+ */
7469 -+ mm->mmap_base = base;
7470 -+ mm->free_area_cache = base;
7471 -+ mm->cached_hole_size = ~0UL;
7472 -+
7473 -+ return addr;
7474 -+}
7475 -
7476 - struct sel_arg_struct {
7477 - unsigned long n;
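Review bot: the pattern `#ifdef CONFIG_PAX_RANDMMAP` / `if (!(mm->pax_flags & MF_PAX_RANDMMAP) || !filp)` / `#endif` immediately followed by `if (addr) {` makes the unbraced conditional govern the whole address-hint block only by adjacency; it works, but anyone inserting a statement between the `#endif` and `if (addr)` changes the semantics silently (the same construct appears in `arch_get_unmapped_area_topdown()` in this hunk). Wrap the hint block in a helper or braces with the condition spelled out. In the same hunk, `start_addr = 0x00110000UL;` and `mm->delta_mmap & 0x03FFF000UL` in the `CONFIG_PAX_PAGEEXEC` branch are magic numbers that decide where executable mappings go when NX is unavailable; give them named constants and a comment describing the range they carve out and why it must skip the brk area (the `mm->start_brk <= start_addr && start_addr < mm->mmap_base` test suggests that intent).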
7478 -diff -urNp linux-2.6.24.4/arch/x86/kernel/sys_x86_64.c linux-2.6.24.4/arch/x86/kernel/sys_x86_64.c
7479 ---- linux-2.6.24.4/arch/x86/kernel/sys_x86_64.c 2008-03-24 14:49:18.000000000 -0400
7480 -+++ linux-2.6.24.4/arch/x86/kernel/sys_x86_64.c 2008-03-26 17:56:55.000000000 -0400
7481 -@@ -61,8 +61,8 @@ out:
7482 - return error;
7483 - }
7484 -
7485 --static void find_start_end(unsigned long flags, unsigned long *begin,
7486 -- unsigned long *end)
7487 -+static void find_start_end(struct mm_struct *mm, unsigned long flags,
7488 -+ unsigned long *begin, unsigned long *end)
7489 - {
7490 - if (!test_thread_flag(TIF_IA32) && (flags & MAP_32BIT)) {
7491 - /* This is usually used needed to map code in small
7492 -@@ -75,7 +75,7 @@ static void find_start_end(unsigned long
7493 - *begin = 0x40000000;
7494 - *end = 0x80000000;
7495 - } else {
7496 -- *begin = TASK_UNMAPPED_BASE;
7497 -+ *begin = mm->mmap_base;
7498 - *end = TASK_SIZE;
7499 - }
7500 - }
7501 -@@ -92,11 +92,15 @@ arch_get_unmapped_area(struct file *filp
7502 - if (flags & MAP_FIXED)
7503 - return addr;
7504 -
7505 -- find_start_end(flags, &begin, &end);
7506 -+ find_start_end(mm, flags, &begin, &end);
7507 -
7508 - if (len > end)
7509 - return -ENOMEM;
7510 -
7511 -+#ifdef CONFIG_PAX_RANDMMAP
7512 -+ if (!(mm->pax_flags & MF_PAX_RANDMMAP) || !filp)
7513 -+#endif
7514 -+
7515 - if (addr) {
7516 - addr = PAGE_ALIGN(addr);
7517 - vma = find_vma(mm, addr);
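Review bot: same dangling-conditional issue as in the i386 version: the `#ifdef CONFIG_PAX_RANDMMAP` guarded `if (!(mm->pax_flags & MF_PAX_RANDMMAP) || !filp)` controls the following `if (addr) {` block only by adjacency; brace it. The `find_start_end(mm, flags, &begin, &end)` change in the previous hunk (using `mm->mmap_base` rather than `TASK_UNMAPPED_BASE`) is what actually makes a randomised mmap base take effect for 64-bit bottom-up searches and deserves a sentence in the changelog.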
7518 -diff -urNp linux-2.6.24.4/arch/x86/kernel/time_32.c linux-2.6.24.4/arch/x86/kernel/time_32.c
7519 ---- linux-2.6.24.4/arch/x86/kernel/time_32.c 2008-03-24 14:49:18.000000000 -0400
7520 -+++ linux-2.6.24.4/arch/x86/kernel/time_32.c 2008-03-26 17:56:55.000000000 -0400
7521 -@@ -130,20 +130,30 @@ unsigned long profile_pc(struct pt_regs
7522 - if (!v8086_mode(regs) && SEGMENT_IS_KERNEL_CODE(regs->xcs) &&
7523 - in_lock_functions(pc)) {
7524 - #ifdef CONFIG_FRAME_POINTER
7525 -- return *(unsigned long *)(regs->ebp + 4);
7526 -+ return ktla_ktva(*(unsigned long *)(regs->ebp + 4));
7527 - #else
7528 - unsigned long *sp = (unsigned long *)&regs->esp;
7529 -
7530 - /* Return address is either directly at stack pointer
7531 - or above a saved eflags. Eflags has bits 22-31 zero,
7532 - kernel addresses don't. */
7533 -+
7534 -+#ifdef CONFIG_PAX_KERNEXEC
7535 -+ return ktla_ktva(sp[0]);
7536 -+#else
7537 - if (sp[0] >> 22)
7538 - return sp[0];
7539 - if (sp[1] >> 22)
7540 - return sp[1];
7541 - #endif
7542 -+
7543 -+#endif
7544 - }
7545 - #endif
7546 -+
7547 -+ if (!v8086_mode(regs) && SEGMENT_IS_KERNEL_CODE(regs->xcs))
7548 -+ pc = ktla_ktva(pc);
7549 -+
7550 - return pc;
7551 - }
7552 - EXPORT_SYMBOL(profile_pc);
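Review bot: under `CONFIG_PAX_KERNEXEC` the non-frame-pointer path becomes an unconditional `return ktla_ktva(sp[0]);`, dropping the `sp[0] >> 22` / `sp[1] >> 22` test that tells a return address apart from a saved eflags word, so the comment just above (`Return address is either directly at stack pointer or above a saved eflags`) no longer describes this path. Either explain why `sp[0]` is always the return address when KERNEXEC is on, or keep the test and apply `ktla_ktva()` to whichever value passes it. The trailing `if (!v8086_mode(regs) && SEGMENT_IS_KERNEL_CODE(regs->xcs)) pc = ktla_ktva(pc);` repeats the condition of the `in_lock_functions()` block above it; hoist the condition once.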
7553 -diff -urNp linux-2.6.24.4/arch/x86/kernel/traps_32.c linux-2.6.24.4/arch/x86/kernel/traps_32.c
7554 ---- linux-2.6.24.4/arch/x86/kernel/traps_32.c 2008-03-24 14:49:18.000000000 -0400
7555 -+++ linux-2.6.24.4/arch/x86/kernel/traps_32.c 2008-03-26 17:56:55.000000000 -0400
7556 -@@ -29,6 +29,7 @@
7557 - #include <linux/uaccess.h>
7558 - #include <linux/nmi.h>
7559 - #include <linux/bug.h>
7560 -+#include <linux/binfmts.h>
7561 -
7562 - #ifdef CONFIG_EISA
7563 - #include <linux/ioport.h>
7564 -@@ -71,12 +72,7 @@ asmlinkage int system_call(void);
7565 - /* Do we ignore FPU interrupts ? */
7566 - char ignore_fpu_irq = 0;
7567 -
7568 --/*
7569 -- * The IDT has to be page-aligned to simplify the Pentium
7570 -- * F0 0F bug workaround.. We have a special link segment
7571 -- * for this.
7572 -- */
7573 --struct desc_struct idt_table[256] __attribute__((__section__(".data.idt"))) = { {0, 0}, };
7574 -+extern struct desc_struct idt_table[256];
7575 -
7576 - asmlinkage void divide_error(void);
7577 - asmlinkage void debug(void);
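Review bot: turning the `idt_table[256]` definition into `extern struct desc_struct idt_table[256];` also deletes the comment about the IDT needing to be page-aligned for the Pentium F0 0F bug workaround; wherever the array is now defined (not in this hunk), that comment and the alignment requirement must travel with it, and the changelog should say where that is.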
7578 -@@ -306,22 +302,23 @@ void show_registers(struct pt_regs *regs
7579 - * When in-kernel, we also print out the stack and code at the
7580 - * time of the fault..
7581 - */
7582 -- if (!user_mode_vm(regs)) {
7583 -+ if (!user_mode(regs)) {
7584 - u8 *eip;
7585 - unsigned int code_prologue = code_bytes * 43 / 64;
7586 - unsigned int code_len = code_bytes;
7587 - unsigned char c;
7588 -+ unsigned long cs_base = get_desc_base(&get_cpu_gdt_table(smp_processor_id())[(0xffff & regs->xcs) >> 3]);
7589 -
7590 - printk("\n" KERN_EMERG "Stack: ");
7591 - show_stack_log_lvl(NULL, regs, &regs->esp, KERN_EMERG);
7592 -
7593 - printk(KERN_EMERG "Code: ");
7594 -
7595 -- eip = (u8 *)regs->eip - code_prologue;
7596 -+ eip = (u8 *)regs->eip - code_prologue + cs_base;
7597 - if (eip < (u8 *)PAGE_OFFSET ||
7598 - probe_kernel_address(eip, c)) {
7599 - /* try starting at EIP */
7600 -- eip = (u8 *)regs->eip;
7601 -+ eip = (u8 *)regs->eip + cs_base;
7602 - code_len = code_len - code_prologue + 1;
7603 - }
7604 - for (i = 0; i < code_len; i++, eip++) {
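Review bot: `get_cpu_gdt_table(smp_processor_id())[(0xffff & regs->xcs) >> 3]` discards the selector's TI bit along with the RPL, so an LDT selector would be looked up in the GDT; this is reachable only when `!user_mode(regs)`, where CS is a kernel GDT selector, but a comment saying so would stop the line being copied somewhere the assumption does not hold. The line is also well over 80 columns; split it. The `cs_base` adjustment itself exists because with a non-zero kernel code segment base `regs->eip` is no longer a linear address, which is worth stating next to the `cs_base` declaration.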
7605 -@@ -330,7 +327,7 @@ void show_registers(struct pt_regs *regs
7606 - printk(" Bad EIP value.");
7607 - break;
7608 - }
7609 -- if (eip == (u8 *)regs->eip)
7610 -+ if (eip == (u8 *)regs->eip + cs_base)
7611 - printk("<%02x> ", c);
7612 - else
7613 - printk("%02x ", c);
7614 -@@ -343,6 +340,7 @@ int is_valid_bugaddr(unsigned long eip)
7615 - {
7616 - unsigned short ud2;
7617 -
7618 -+ eip = ktla_ktva(eip);
7619 - if (eip < PAGE_OFFSET)
7620 - return 0;
7621 - if (probe_kernel_address((unsigned short *)eip, ud2))
7622 -@@ -444,7 +442,7 @@ void die(const char * str, struct pt_reg
7623 -
7624 - static inline void die_if_kernel(const char * str, struct pt_regs * regs, long err)
7625 - {
7626 -- if (!user_mode_vm(regs))
7627 -+ if (!user_mode(regs))
7628 - die(str, regs, err);
7629 - }
7630 -
7631 -@@ -460,7 +458,7 @@ static void __kprobes do_trap(int trapnr
7632 - goto trap_signal;
7633 - }
7634 -
7635 -- if (!user_mode(regs))
7636 -+ if (!user_mode_novm(regs))
7637 - goto kernel_trap;
7638 -
7639 - trap_signal: {
7640 -@@ -566,7 +564,7 @@ fastcall void __kprobes do_general_prote
7641 - long error_code)
7642 - {
7643 - int cpu = get_cpu();
7644 -- struct tss_struct *tss = &per_cpu(init_tss, cpu);
7645 -+ struct tss_struct *tss = &init_tss[cpu];
7646 - struct thread_struct *thread = &current->thread;
7647 -
7648 - /*
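Review bot: `&init_tss[cpu]` here versus `init_tss + cpu` in the suspend_64.c, sysenter_32.c and vm86_32.c hunks of the same patch; pick one spelling for the per-CPU TSS lookup (array indexing reads better) so the conversion away from `per_cpu(init_tss, cpu)` is greppable.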
7649 -@@ -599,9 +597,25 @@ fastcall void __kprobes do_general_prote
7650 - if (regs->eflags & VM_MASK)
7651 - goto gp_in_vm86;
7652 -
7653 -- if (!user_mode(regs))
7654 -+ if (!user_mode_novm(regs))
7655 - goto gp_in_kernel;
7656 -
7657 -+#ifdef CONFIG_PAX_PAGEEXEC
7658 -+ if (!nx_enabled && current->mm && (current->mm->pax_flags & MF_PAX_PAGEEXEC)) {
7659 -+ struct mm_struct *mm = current->mm;
7660 -+ unsigned long limit;
7661 -+
7662 -+ down_write(&mm->mmap_sem);
7663 -+ limit = mm->context.user_cs_limit;
7664 -+ if (limit < TASK_SIZE) {
7665 -+ track_exec_limit(mm, limit, TASK_SIZE, VM_EXEC);
7666 -+ up_write(&mm->mmap_sem);
7667 -+ return;
7668 -+ }
7669 -+ up_write(&mm->mmap_sem);
7670 -+ }
7671 -+#endif
7672 -+
7673 - current->thread.error_code = error_code;
7674 - current->thread.trap_no = 13;
7675 - if (show_unhandled_signals && unhandled_signal(current, SIGSEGV) &&
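Review bot: in the new `CONFIG_PAX_PAGEEXEC` block, when `limit < TASK_SIZE` the handler calls `track_exec_limit(mm, limit, TASK_SIZE, VM_EXEC)`, drops `mmap_sem` and returns without delivering SIGSEGV, so the faulting instruction is retried. That is only safe if raising the limit to `TASK_SIZE` guarantees the retry either succeeds or faults again with `limit == TASK_SIZE` (which then falls through to the normal signal path); add a comment stating that invariant, since a GPF with an unrelated cause is otherwise silently retried once. Also, `down_write(&mm->mmap_sem)` is taken inside a trap handler; confirm no path reaches here with `mmap_sem` already held.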
7676 -@@ -626,6 +640,13 @@ gp_in_kernel:
7677 - if (notify_die(DIE_GPF, "general protection fault", regs,
7678 - error_code, 13, SIGSEGV) == NOTIFY_STOP)
7679 - return;
7680 -+
7681 -+#ifdef CONFIG_PAX_KERNEXEC
7682 -+ if ((regs->xcs & 0xFFFF) == __KERNEL_CS)
7683 -+ die("PAX: suspicious general protection fault", regs, error_code);
7684 -+ else
7685 -+#endif
7686 -+
7687 - die("general protection fault", regs, error_code);
7688 - }
7689 - }
7690 -@@ -715,7 +736,7 @@ void __kprobes die_nmi(struct pt_regs *r
7691 - /* If we are in kernel we are probably nested up pretty bad
7692 - * and might aswell get out now while we still can.
7693 - */
7694 -- if (!user_mode_vm(regs)) {
7695 -+ if (!user_mode(regs)) {
7696 - current->thread.trap_no = 2;
7697 - crash_kexec(regs);
7698 - }
7699 -@@ -866,7 +887,7 @@ fastcall void __kprobes do_debug(struct
7700 - * check for kernel mode by just checking the CPL
7701 - * of CS.
7702 - */
7703 -- if (!user_mode(regs))
7704 -+ if (!user_mode_novm(regs))
7705 - goto clear_TF_reenable;
7706 - }
7707 -
7708 -@@ -1044,18 +1065,14 @@ fastcall void do_spurious_interrupt_bug(
7709 - fastcall unsigned long patch_espfix_desc(unsigned long uesp,
7710 - unsigned long kesp)
7711 - {
7712 -- struct desc_struct *gdt = __get_cpu_var(gdt_page).gdt;
7713 - unsigned long base = (kesp - uesp) & -THREAD_SIZE;
7714 - unsigned long new_kesp = kesp - base;
7715 - unsigned long lim_pages = (new_kesp | (THREAD_SIZE - 1)) >> PAGE_SHIFT;
7716 -- __u64 desc = *(__u64 *)&gdt[GDT_ENTRY_ESPFIX_SS];
7717 -+ __u32 a, b;
7718 -+
7719 - /* Set up base for espfix segment */
7720 -- desc &= 0x00f0ff0000000000ULL;
7721 -- desc |= ((((__u64)base) << 16) & 0x000000ffffff0000ULL) |
7722 -- ((((__u64)base) << 32) & 0xff00000000000000ULL) |
7723 -- ((((__u64)lim_pages) << 32) & 0x000f000000000000ULL) |
7724 -- (lim_pages & 0xffff);
7725 -- *(__u64 *)&gdt[GDT_ENTRY_ESPFIX_SS] = desc;
7726 -+ pack_descriptor(&a, &b, base, lim_pages, 0x93, 0xC);
7727 -+ write_gdt_entry(get_cpu_gdt_table(smp_processor_id()), GDT_ENTRY_ESPFIX_SS, a, b);
7728 - return new_kesp;
7729 - }
7730 -
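Review bot: the rewrite hard-codes the espfix descriptor as `pack_descriptor(&a, &b, base, lim_pages, 0x93, 0xC);` (present, DPL 0, writable data, 32-bit, page granular), whereas the old code preserved whatever type and flags the boot GDT entry had via `desc &= 0x00f0ff0000000000ULL;`; that is fine as long as the boot-time `GDT_ENTRY_ESPFIX_SS` entry really is exactly that descriptor, so say so in a comment. Going through `write_gdt_entry()` rather than a raw 64-bit store is an improvement in its own right, since paravirt backends now see the update.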
7731 -diff -urNp linux-2.6.24.4/arch/x86/kernel/tsc_32.c linux-2.6.24.4/arch/x86/kernel/tsc_32.c
7732 ---- linux-2.6.24.4/arch/x86/kernel/tsc_32.c 2008-03-24 14:49:18.000000000 -0400
7733 -+++ linux-2.6.24.4/arch/x86/kernel/tsc_32.c 2008-03-26 17:56:55.000000000 -0400
7734 -@@ -322,7 +322,7 @@ static struct dmi_system_id __initdata b
7735 - DMI_MATCH(DMI_BOARD_NAME, "2635FA0"),
7736 - },
7737 - },
7738 -- {}
7739 -+ { NULL, NULL, {{0, NULL}}, NULL}
7740 - };
7741 -
7742 - /*
7743 -diff -urNp linux-2.6.24.4/arch/x86/kernel/vm86_32.c linux-2.6.24.4/arch/x86/kernel/vm86_32.c
7744 ---- linux-2.6.24.4/arch/x86/kernel/vm86_32.c 2008-03-24 14:49:18.000000000 -0400
7745 -+++ linux-2.6.24.4/arch/x86/kernel/vm86_32.c 2008-03-26 17:56:55.000000000 -0400
7746 -@@ -146,7 +146,7 @@ struct pt_regs * fastcall save_v86_state
7747 - do_exit(SIGSEGV);
7748 - }
7749 -
7750 -- tss = &per_cpu(init_tss, get_cpu());
7751 -+ tss = init_tss + get_cpu();
7752 - current->thread.esp0 = current->thread.saved_esp0;
7753 - current->thread.sysenter_cs = __KERNEL_CS;
7754 - load_esp0(tss, &current->thread);
7755 -@@ -322,7 +322,7 @@ static void do_sys_vm86(struct kernel_vm
7756 - tsk->thread.saved_fs = info->regs32->xfs;
7757 - savesegment(gs, tsk->thread.saved_gs);
7758 -
7759 -- tss = &per_cpu(init_tss, get_cpu());
7760 -+ tss = init_tss + get_cpu();
7761 - tsk->thread.esp0 = (unsigned long) &info->VM86_TSS_ESP0;
7762 - if (cpu_has_sep)
7763 - tsk->thread.sysenter_cs = 0;
7764 -diff -urNp linux-2.6.24.4/arch/x86/kernel/vmi_32.c linux-2.6.24.4/arch/x86/kernel/vmi_32.c
7765 ---- linux-2.6.24.4/arch/x86/kernel/vmi_32.c 2008-03-24 14:49:18.000000000 -0400
7766 -+++ linux-2.6.24.4/arch/x86/kernel/vmi_32.c 2008-03-26 17:56:55.000000000 -0400
7767 -@@ -98,18 +98,43 @@ static unsigned patch_internal(int call,
7768 - {
7769 - u64 reloc;
7770 - struct vmi_relocation_info *const rel = (struct vmi_relocation_info *)&reloc;
7771 -+
7772 -+#ifdef CONFIG_PAX_KERNEXEC
7773 -+ unsigned long cr0;
7774 -+#endif
7775 -+
7776 - reloc = call_vrom_long_func(vmi_rom, get_reloc, call);
7777 - switch(rel->type) {
7778 - case VMI_RELOCATION_CALL_REL:
7779 - BUG_ON(len < 5);
7780 -+
7781 -+#ifdef CONFIG_PAX_KERNEXEC
7782 -+ pax_open_kernel(cr0);
7783 -+#endif
7784 -+
7785 - *(char *)insnbuf = MNEM_CALL;
7786 - patch_offset(insnbuf, eip, (unsigned long)rel->eip);
7787 -+
7788 -+#ifdef CONFIG_PAX_KERNEXEC
7789 -+ pax_close_kernel(cr0);
7790 -+#endif
7791 -+
7792 - return 5;
7793 -
7794 - case VMI_RELOCATION_JUMP_REL:
7795 - BUG_ON(len < 5);
7796 -+
7797 -+#ifdef CONFIG_PAX_KERNEXEC
7798 -+ pax_open_kernel(cr0);
7799 -+#endif
7800 -+
7801 - *(char *)insnbuf = MNEM_JMP;
7802 - patch_offset(insnbuf, eip, (unsigned long)rel->eip);
7803 -+
7804 -+#ifdef CONFIG_PAX_KERNEXEC
7805 -+ pax_close_kernel(cr0);
7806 -+#endif
7807 -+
7808 - return 5;
7809 -
7810 - case VMI_RELOCATION_NOP:
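Review bot: `pax_open_kernel(cr0)` / `pax_close_kernel(cr0)` is duplicated in both the `VMI_RELOCATION_CALL_REL` and `VMI_RELOCATION_JUMP_REL` cases around a single store and a `patch_offset()` call; opening once before the writes and closing once after them would halve the ifdef noise while keeping the writable window just as short.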
7811 -@@ -492,14 +517,14 @@ static void vmi_set_pud(pud_t *pudp, pud
7812 -
7813 - static void vmi_pte_clear(struct mm_struct *mm, unsigned long addr, pte_t *ptep)
7814 - {
7815 -- const pte_t pte = { 0 };
7816 -+ const pte_t pte = __pte(0ULL);
7817 - vmi_check_page_type(__pa(ptep) >> PAGE_SHIFT, VMI_PAGE_PTE);
7818 - vmi_ops.set_pte(pte, ptep, vmi_flags_addr(mm, addr, VMI_PAGE_PT, 0));
7819 - }
7820 -
7821 - static void vmi_pmd_clear(pmd_t *pmd)
7822 - {
7823 -- const pte_t pte = { 0 };
7824 -+ const pte_t pte = __pte(0ULL);
7825 - vmi_check_page_type(__pa(pmd) >> PAGE_SHIFT, VMI_PAGE_PMD);
7826 - vmi_ops.set_pte(pte, (pte_t *)pmd, VMI_PAGE_PD);
7827 - }
7828 -@@ -528,8 +553,8 @@ vmi_startup_ipi_hook(int phys_apicid, un
7829 - ap.ss = __KERNEL_DS;
7830 - ap.esp = (unsigned long) start_esp;
7831 -
7832 -- ap.ds = __USER_DS;
7833 -- ap.es = __USER_DS;
7834 -+ ap.ds = __KERNEL_DS;
7835 -+ ap.es = __KERNEL_DS;
7836 - ap.fs = __KERNEL_PERCPU;
7837 - ap.gs = 0;
7838 -
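Review bot: `ap.ds = __KERNEL_DS;` / `ap.es = __KERNEL_DS;` changes the data segments a VMI-booted AP starts with from the user descriptor to the kernel one with no explanation; presumably the user data segment no longer covers kernel addresses under this patch, but that should be stated in a comment, since on an unpatched kernel both selectors describe the same flat segment and a later reader will see no reason for the change.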
7839 -@@ -724,12 +749,20 @@ static inline int __init activate_vmi(vo
7840 - u64 reloc;
7841 - const struct vmi_relocation_info *rel = (struct vmi_relocation_info *)&reloc;
7842 -
7843 -+#ifdef CONFIG_PAX_KERNEXEC
7844 -+ unsigned long cr0;
7845 -+#endif
7846 -+
7847 - if (call_vrom_func(vmi_rom, vmi_init) != 0) {
7848 - printk(KERN_ERR "VMI ROM failed to initialize!");
7849 - return 0;
7850 - }
7851 - savesegment(cs, kernel_cs);
7852 -
7853 -+#ifdef CONFIG_PAX_KERNEXEC
7854 -+ pax_open_kernel(cr0);
7855 -+#endif
7856 -+
7857 - pv_info.paravirt_enabled = 1;
7858 - pv_info.kernel_rpl = kernel_cs & SEGMENT_RPL_MASK;
7859 - pv_info.name = "vmi";
7860 -@@ -917,6 +950,10 @@ static inline int __init activate_vmi(vo
7861 -
7862 - para_fill(pv_irq_ops.safe_halt, Halt);
7863 -
7864 -+#ifdef CONFIG_PAX_KERNEXEC
7865 -+ pax_close_kernel(cr0);
7866 -+#endif
7867 -+
7868 - /*
7869 - * Alternative instruction rewriting doesn't happen soon enough
7870 - * to convert VMI_IRET to a call instead of a jump; so we have
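Review bot: the `pax_open_kernel(cr0)` in the `@@ -724,12` hunk and the `pax_close_kernel(cr0)` here in the `@@ -917,6` hunk bracket roughly two hundred lines of `para_fill()` calls; that is a long window with kernel write protection off, and the close is easy to miss if anyone adds an early `return` between the two. Verify there is no error return in that range today, and put a comment at the open noting that the matching close is far below.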
7871 -diff -urNp linux-2.6.24.4/arch/x86/kernel/vmlinux_32.lds.S linux-2.6.24.4/arch/x86/kernel/vmlinux_32.lds.S
7872 ---- linux-2.6.24.4/arch/x86/kernel/vmlinux_32.lds.S 2008-03-24 14:49:18.000000000 -0400
7873 -+++ linux-2.6.24.4/arch/x86/kernel/vmlinux_32.lds.S 2008-03-26 17:56:55.000000000 -0400
7874 -@@ -21,6 +21,20 @@
7875 - #include <asm/page.h>
7876 - #include <asm/cache.h>
7877 - #include <asm/boot.h>
7878 -+#include <asm/segment.h>
7879 -+
7880 -+#ifdef CONFIG_X86_PAE
7881 -+#define PMD_SHIFT 21
7882 -+#else
7883 -+#define PMD_SHIFT 22
7884 -+#endif
7885 -+#define PMD_SIZE (1 << PMD_SHIFT)
7886 -+
7887 -+#ifdef CONFIG_PAX_KERNEXEC
7888 -+#define __KERNEL_TEXT_OFFSET (__PAGE_OFFSET + (((____LOAD_PHYSICAL_ADDR + 2*(PMD_SIZE - 1)) - 1) & ~(PMD_SIZE - 1)))
7889 -+#else
7890 -+#define __KERNEL_TEXT_OFFSET 0
7891 -+#endif
7892 -
7893 - OUTPUT_FORMAT("elf32-i386", "elf32-i386", "elf32-i386")
7894 - OUTPUT_ARCH(i386)
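Review bot: `PMD_SHIFT` and `PMD_SIZE` are redefined locally in the linker script (21 for PAE, 22 otherwise) instead of coming from the page-table headers, so they can drift from the kernel's own definitions; if the headers cannot be included here, say so in a comment. The `__KERNEL_TEXT_OFFSET` expression `(((____LOAD_PHYSICAL_ADDR + 2*(PMD_SIZE - 1)) - 1) & ~(PMD_SIZE - 1))` is hard to verify by eye; state in a comment which PMD boundary it is meant to land on and why the kernel text is moved away from the load address under KERNEXEC.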
7895 -@@ -28,22 +42,125 @@ ENTRY(phys_startup_32)
7896 - jiffies = jiffies_64;
7897 -
7898 - PHDRS {
7899 -- text PT_LOAD FLAGS(5); /* R_E */
7900 -- data PT_LOAD FLAGS(7); /* RWE */
7901 -- note PT_NOTE FLAGS(0); /* ___ */
7902 -+ initdata PT_LOAD FLAGS(6); /* RW_ */
7903 -+ percpu PT_LOAD FLAGS(6); /* RW_ */
7904 -+ inittext PT_LOAD FLAGS(5); /* R_E */
7905 -+ text PT_LOAD FLAGS(5); /* R_E */
7906 -+ rodata PT_LOAD FLAGS(4); /* R__ */
7907 -+ data PT_LOAD FLAGS(6); /* RW_ */
7908 -+ note PT_NOTE FLAGS(0); /* ___ */
7909 - }
7910 - SECTIONS
7911 - {
7912 -- . = LOAD_OFFSET + LOAD_PHYSICAL_ADDR;
7913 -- phys_startup_32 = startup_32 - LOAD_OFFSET;
7914 -+ . = LOAD_OFFSET + ____LOAD_PHYSICAL_ADDR;
7915 -+
7916 -+ .text.startup : AT(ADDR(.text.startup) - LOAD_OFFSET) {
7917 -+ __LOAD_PHYSICAL_ADDR = . - LOAD_OFFSET;
7918 -+ phys_startup_32 = startup_32 - LOAD_OFFSET + __KERNEL_TEXT_OFFSET;
7919 -+ *(.text.startup)
7920 -+ } :initdata
7921 -+
7922 -+ /* might get freed after init */
7923 -+ . = ALIGN(4096);
7924 -+ .smp_locks : AT(ADDR(.smp_locks) - LOAD_OFFSET) {
7925 -+ __smp_locks = .;
7926 -+ *(.smp_locks)
7927 -+ __smp_locks_end = .;
7928 -+ }
7929 -+ /* will be freed after init
7930 -+ * Following ALIGN() is required to make sure no other data falls on the
7931 -+ * same page where __smp_alt_end is pointing as that page might be freed
7932 -+ * after boot. Always make sure that ALIGN() directive is present after
7933 -+ * the section which contains __smp_alt_end.
7934 -+ */
7935 -+ . = ALIGN(4096);
7936 -+
7937 -+ /* will be freed after init */
7938 -+ .init.data : AT(ADDR(.init.data) - LOAD_OFFSET) {
7939 -+ __init_begin = .;
7940 -+ *(.init.data)
7941 -+ }
7942 -+ . = ALIGN(16);
7943 -+ .init.setup : AT(ADDR(.init.setup) - LOAD_OFFSET) {
7944 -+ __setup_start = .;
7945 -+ *(.init.setup)
7946 -+ __setup_end = .;
7947 -+ }
7948 -+ .initcall.init : AT(ADDR(.initcall.init) - LOAD_OFFSET) {
7949 -+ __initcall_start = .;
7950 -+ INITCALLS
7951 -+ __initcall_end = .;
7952 -+ }
7953 -+ .con_initcall.init : AT(ADDR(.con_initcall.init) - LOAD_OFFSET) {
7954 -+ __con_initcall_start = .;
7955 -+ *(.con_initcall.init)
7956 -+ __con_initcall_end = .;
7957 -+ }
7958 -+ SECURITY_INIT
7959 -+ . = ALIGN(4);
7960 -+ .altinstructions : AT(ADDR(.altinstructions) - LOAD_OFFSET) {
7961 -+ __alt_instructions = .;
7962 -+ *(.altinstructions)
7963 -+ __alt_instructions_end = .;
7964 -+ }
7965 -+ .altinstr_replacement : AT(ADDR(.altinstr_replacement) - LOAD_OFFSET) {
7966 -+ *(.altinstr_replacement)
7967 -+ }
7968 -+ . = ALIGN(4);
7969 -+ .parainstructions : AT(ADDR(.parainstructions) - LOAD_OFFSET) {
7970 -+ __parainstructions = .;
7971 -+ *(.parainstructions)
7972 -+ __parainstructions_end = .;
7973 -+ }
7974 -+ .exit.data : AT(ADDR(.exit.data) - LOAD_OFFSET) { *(.exit.data) }
7975 -+#if defined(CONFIG_BLK_DEV_INITRD)
7976 -+ . = ALIGN(4096);
7977 -+ .init.ramfs : AT(ADDR(.init.ramfs) - LOAD_OFFSET) {
7978 -+ __initramfs_start = .;
7979 -+ *(.init.ramfs)
7980 -+ __initramfs_end = .;
7981 -+ }
7982 -+#endif
7983 -+ . = ALIGN(4096);
7984 -+ per_cpu_start = .;
7985 -+ .data.percpu (0) : AT(ADDR(.data.percpu) - LOAD_OFFSET + per_cpu_start) {
7986 -+ __per_cpu_start = . + per_cpu_start;
7987 -+ LONG(0)
7988 -+ *(.data.percpu)
7989 -+ *(.data.percpu.shared_aligned)
7990 -+ __per_cpu_end = . + per_cpu_start;
7991 -+ } :percpu
7992 -+ . += per_cpu_start;
7993 -+
7994 -+ /* read-only */
7995 -+
7996 -+ . = ALIGN(4096); /* Init code and data */
7997 -+ .init.text (. - __KERNEL_TEXT_OFFSET) : AT(ADDR(.init.text) - LOAD_OFFSET + __KERNEL_TEXT_OFFSET) {
7998 -+ _sinittext = .;
7999 -+ *(.init.text)
8000 -+ _einittext = .;
8001 -+ } :inittext
8002 -+
8003 -+ /* .exit.text is discard at runtime, not link time, to deal with references
8004 -+ from .altinstructions and .eh_frame */
8005 -+ .exit.text : AT(ADDR(.exit.text) - LOAD_OFFSET + __KERNEL_TEXT_OFFSET) { *(.exit.text) }
8006 -
8007 -- .text.head : AT(ADDR(.text.head) - LOAD_OFFSET) {
8008 -- _text = .; /* Text and read-only data */
8009 -+ .filler : AT(ADDR(.filler) - LOAD_OFFSET + __KERNEL_TEXT_OFFSET) {
8010 -+ BYTE(0)
8011 -+ . = ALIGN(2*PMD_SIZE) - 1;
8012 -+ }
8013 -+
8014 -+ /* freed after init ends here */
8015 -+
8016 -+ .text.head : AT(ADDR(.text.head) - LOAD_OFFSET + __KERNEL_TEXT_OFFSET) {
8017 -+ __init_end = . + __KERNEL_TEXT_OFFSET;
8018 -+ KERNEL_TEXT_OFFSET = . + __KERNEL_TEXT_OFFSET;
8019 -+ _text = .; /* Text and read-only data */
8020 - *(.text.head)
8021 - } :text = 0x9090
8022 -
8023 - /* read-only */
8024 -- .text : AT(ADDR(.text) - LOAD_OFFSET) {
8025 -+ .text : AT(ADDR(.text) - LOAD_OFFSET + __KERNEL_TEXT_OFFSET) {
8026 - TEXT_TEXT
8027 - SCHED_TEXT
8028 - LOCK_TEXT
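Review bot: .text.startup is attached to :initdata, whose PHDRS entry is "initdata PT_LOAD FLAGS(6); /* RW_ */", so the section that holds startup_32 (see the "phys_startup_32 = startup_32 ..." assignment inside it) lands in a segment with no execute flag. If that is deliberate because this code only runs before paging is enabled and is then freed with the init area, a comment must say so; otherwise it belongs in :inittext. Two more things in this hunk need a sentence each: the .filler section ("BYTE(0)" then ". = ALIGN(2*PMD_SIZE) - 1;") is not under #ifdef CONFIG_PAX_KERNEXEC, so every 32-bit build pads the init area up to a 2*PMD_SIZE boundary (8 MiB without PAE), and the ".data.percpu (0)" placement with the per_cpu_start arithmetic is a zero-based per-cpu trick that nobody will recognise without a comment. Minor: the moved comment still reads ".exit.text is discard at runtime" (should be "discarded").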
8029 -@@ -53,16 +170,17 @@ SECTIONS
8030 - _etext = .; /* End of text section */
8031 - } :text = 0x9090
8032 -
8033 -- . = ALIGN(16); /* Exception table */
8034 -+ . += __KERNEL_TEXT_OFFSET;
8035 -+ . = ALIGN(4096); /* Exception table */
8036 - __ex_table : AT(ADDR(__ex_table) - LOAD_OFFSET) {
8037 - __start___ex_table = .;
8038 - *(__ex_table)
8039 - __stop___ex_table = .;
8040 -- }
8041 -+ } :rodata
8042 -
8043 -- NOTES :text :note
8044 -+ NOTES :rodata :note
8045 -
8046 -- BUG_TABLE :text
8047 -+ BUG_TABLE :rodata
8048 -
8049 - . = ALIGN(4);
8050 - .tracedata : AT(ADDR(.tracedata) - LOAD_OFFSET) {
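Review bot: the new ". += __KERNEL_TEXT_OFFSET;" before __ex_table undoes the "(. - __KERNEL_TEXT_OFFSET)" start-address shift applied at .init.text in the previous hunk, and the alignment change from 16 to 4096 is what lets __ex_table open the separate :rodata PT_LOAD (FLAGS(4)) without sharing a page with text. Neither is commented; a two-line note at the ". +=" line would save the next reader from re-deriving the address arithmetic, and the "Exception table" comment should say the page alignment is a segment boundary, not an exception-table requirement.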
8051 -@@ -71,11 +189,38 @@ SECTIONS
8052 - __tracedata_end = .;
8053 - }
8054 -
8055 -- RODATA
8056 -+ RO_DATA(4096)
8057 -+
8058 -+ . = ALIGN(4096);
8059 -+ .rodata.page_aligned : AT(ADDR(.rodata.page_aligned) - LOAD_OFFSET) {
8060 -+ *(.idt)
8061 -+ . = ALIGN(4096);
8062 -+ *(.empty_zero_page)
8063 -+ *(.swapper_pm_dir)
8064 -+ *(.swapper_pg_dir)
8065 -+ }
8066 -+
8067 -+#ifdef CONFIG_PAX_KERNEXEC
8068 -+
8069 -+#ifdef CONFIG_MODULES
8070 -+ . = ALIGN(4096);
8071 -+ .module.text : AT(ADDR(.module.text) - LOAD_OFFSET) {
8072 -+ MODULES_VADDR = .;
8073 -+ BYTE(0)
8074 -+ . += (6 * 1024 * 1024);
8075 -+ . = ALIGN( PMD_SIZE) - 1;
8076 -+ MODULES_END = .;
8077 -+ }
8078 -+#else
8079 -+ . = ALIGN(PMD_SIZE) - 1;
8080 -+#endif
8081 -+
8082 -+#endif
8083 -
8084 - /* writeable */
8085 - . = ALIGN(4096);
8086 - .data : AT(ADDR(.data) - LOAD_OFFSET) { /* Data */
8087 -+ _data = .;
8088 - DATA_DATA
8089 - CONSTRUCTORS
8090 - } :data
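Review bot: the .module.text block reserves a fixed ". += (6 * 1024 * 1024);" window for MODULES_VADDR..MODULES_END with no comment and no Kconfig knob, so every KERNEXEC build gets the same 6 MiB (plus PMD_SIZE alignment slack) for all module text no matter how many modules it loads; at least document where the number comes from, better make it configurable. In the same hunk .idt, .empty_zero_page, .swapper_pm_dir and .swapper_pg_dir move into .rodata.page_aligned after RO_DATA(4096), i.e. into the read-only segment. That is the point of the exercise, but it means every writer of the IDT or of the swapper page directory now has to go through the pax_open_kernel() window, and nothing here says so. Style nit: "ALIGN( PMD_SIZE)" has a stray space.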
8091 -@@ -91,7 +236,6 @@ SECTIONS
8092 - . = ALIGN(4096);
8093 - .data.page_aligned : AT(ADDR(.data.page_aligned) - LOAD_OFFSET) {
8094 - *(.data.page_aligned)
8095 -- *(.data.idt)
8096 - }
8097 -
8098 - . = ALIGN(32);
8099 -@@ -111,86 +255,7 @@ SECTIONS
8100 - *(.data.init_task)
8101 - }
8102 -
8103 -- /* might get freed after init */
8104 -- . = ALIGN(4096);
8105 -- .smp_locks : AT(ADDR(.smp_locks) - LOAD_OFFSET) {
8106 -- __smp_locks = .;
8107 -- *(.smp_locks)
8108 -- __smp_locks_end = .;
8109 -- }
8110 -- /* will be freed after init
8111 -- * Following ALIGN() is required to make sure no other data falls on the
8112 -- * same page where __smp_alt_end is pointing as that page might be freed
8113 -- * after boot. Always make sure that ALIGN() directive is present after
8114 -- * the section which contains __smp_alt_end.
8115 -- */
8116 -- . = ALIGN(4096);
8117 --
8118 -- /* will be freed after init */
8119 -- . = ALIGN(4096); /* Init code and data */
8120 -- .init.text : AT(ADDR(.init.text) - LOAD_OFFSET) {
8121 -- __init_begin = .;
8122 -- _sinittext = .;
8123 -- *(.init.text)
8124 -- _einittext = .;
8125 -- }
8126 -- .init.data : AT(ADDR(.init.data) - LOAD_OFFSET) { *(.init.data) }
8127 -- . = ALIGN(16);
8128 -- .init.setup : AT(ADDR(.init.setup) - LOAD_OFFSET) {
8129 -- __setup_start = .;
8130 -- *(.init.setup)
8131 -- __setup_end = .;
8132 -- }
8133 -- .initcall.init : AT(ADDR(.initcall.init) - LOAD_OFFSET) {
8134 -- __initcall_start = .;
8135 -- INITCALLS
8136 -- __initcall_end = .;
8137 -- }
8138 -- .con_initcall.init : AT(ADDR(.con_initcall.init) - LOAD_OFFSET) {
8139 -- __con_initcall_start = .;
8140 -- *(.con_initcall.init)
8141 -- __con_initcall_end = .;
8142 -- }
8143 -- SECURITY_INIT
8144 -- . = ALIGN(4);
8145 -- .altinstructions : AT(ADDR(.altinstructions) - LOAD_OFFSET) {
8146 -- __alt_instructions = .;
8147 -- *(.altinstructions)
8148 -- __alt_instructions_end = .;
8149 -- }
8150 -- .altinstr_replacement : AT(ADDR(.altinstr_replacement) - LOAD_OFFSET) {
8151 -- *(.altinstr_replacement)
8152 -- }
8153 -- . = ALIGN(4);
8154 -- .parainstructions : AT(ADDR(.parainstructions) - LOAD_OFFSET) {
8155 -- __parainstructions = .;
8156 -- *(.parainstructions)
8157 -- __parainstructions_end = .;
8158 -- }
8159 -- /* .exit.text is discard at runtime, not link time, to deal with references
8160 -- from .altinstructions and .eh_frame */
8161 -- .exit.text : AT(ADDR(.exit.text) - LOAD_OFFSET) { *(.exit.text) }
8162 -- .exit.data : AT(ADDR(.exit.data) - LOAD_OFFSET) { *(.exit.data) }
8163 --#if defined(CONFIG_BLK_DEV_INITRD)
8164 -- . = ALIGN(4096);
8165 -- .init.ramfs : AT(ADDR(.init.ramfs) - LOAD_OFFSET) {
8166 -- __initramfs_start = .;
8167 -- *(.init.ramfs)
8168 -- __initramfs_end = .;
8169 -- }
8170 --#endif
8171 -- . = ALIGN(4096);
8172 -- .data.percpu : AT(ADDR(.data.percpu) - LOAD_OFFSET) {
8173 -- __per_cpu_start = .;
8174 -- *(.data.percpu)
8175 -- *(.data.percpu.shared_aligned)
8176 -- __per_cpu_end = .;
8177 -- }
8178 -- . = ALIGN(4096);
8179 -- /* freed after init ends here */
8180 --
8181 - .bss : AT(ADDR(.bss) - LOAD_OFFSET) {
8182 -- __init_end = .;
8183 - __bss_start = .; /* BSS */
8184 - *(.bss.page_aligned)
8185 - *(.bss)
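Review bot: this hunk deletes "__init_end = .;" from .bss; its replacement, "__init_end = . + __KERNEL_TEXT_OFFSET;" inside .text.head in an earlier hunk, now closes an init area that sits ahead of the kernel text and includes the .filler padding, so free_initmem() will hand that padding back as free pages. Presumably intended, but it inverts the old layout (init after data) and deserves one comment at __init_end saying that the padding is deliberately discarded.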
8186 -diff -urNp linux-2.6.24.4/arch/x86/kernel/vmlinux_64.lds.S linux-2.6.24.4/arch/x86/kernel/vmlinux_64.lds.S
8187 ---- linux-2.6.24.4/arch/x86/kernel/vmlinux_64.lds.S 2008-03-24 14:49:18.000000000 -0400
8188 -+++ linux-2.6.24.4/arch/x86/kernel/vmlinux_64.lds.S 2008-03-26 17:56:55.000000000 -0400
8189 -@@ -16,8 +16,8 @@ jiffies_64 = jiffies;
8190 - _proxy_pda = 1;
8191 - PHDRS {
8192 - text PT_LOAD FLAGS(5); /* R_E */
8193 -- data PT_LOAD FLAGS(7); /* RWE */
8194 -- user PT_LOAD FLAGS(7); /* RWE */
8195 -+ data PT_LOAD FLAGS(6); /* RW_ */
8196 -+ user PT_LOAD FLAGS(7); /* RWX */
8197 - data.init PT_LOAD FLAGS(7); /* RWE */
8198 - note PT_NOTE FLAGS(4); /* R__ */
8199 - }
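Review bot: data drops the execute bit (FLAGS(7) to FLAGS(6)) but data.init keeps "PT_LOAD FLAGS(7); /* RWE */" on the unchanged line right below it. A later hunk in this file attaches .smp_locks to :data.init; if the init text also lives in that segment (not visible in this diff) RWE is forced, otherwise it should get the same FLAGS(6) treatment. The user entry only has its comment changed from RWE to RWX while FLAGS(7) stays, so the vsyscall page is still described as writable and executable; either keep the comment style uniform with the other entries or add a line saying why that segment cannot lose W.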
8200 -@@ -52,7 +52,7 @@ SECTIONS
8201 -
8202 - BUG_TABLE :text
8203 -
8204 -- RODATA
8205 -+ RO_DATA(4096)
8206 -
8207 - . = ALIGN(4);
8208 - .tracedata : AT(ADDR(.tracedata) - LOAD_OFFSET) {
8209 -@@ -61,15 +61,18 @@ SECTIONS
8210 - __tracedata_end = .;
8211 - }
8212 -
8213 -+#ifdef CONFIG_PAX_KERNEXEC
8214 -+ . = ALIGN(2*1024*1024); /* Align data segment to PMD size boundary */
8215 -+#else
8216 - . = ALIGN(PAGE_SIZE); /* Align data segment to page size boundary */
8217 -+#endif
8218 - /* Data */
8219 -+ _data = .;
8220 - .data : AT(ADDR(.data) - LOAD_OFFSET) {
8221 - DATA_DATA
8222 - CONSTRUCTORS
8223 - } :data
8224 -
8225 -- _edata = .; /* End of data section */
8226 --
8227 - . = ALIGN(PAGE_SIZE);
8228 - . = ALIGN(CONFIG_X86_L1_CACHE_BYTES);
8229 - .data.cacheline_aligned : AT(ADDR(.data.cacheline_aligned) - LOAD_OFFSET) {
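Review bot: ". = ALIGN(2*1024*1024); /* Align data segment to PMD size boundary */" hard-codes the x86-64 PMD size here (and again before _end in a later hunk), and RO_DATA(4096) in the previous hunk hard-codes the page size in a file that otherwise writes ALIGN(PAGE_SIZE); the 32-bit script in this same patch defines PMD_SHIFT/PMD_SIZE once and uses the name, so do the same here so the constant and its comment cannot disagree. Placing "_data = .;" before the .data section is also inconsistent with vmlinux_32.lds.S, which sets _data inside .data; harmless, but pick one.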
8230 -@@ -80,9 +83,27 @@ SECTIONS
8231 - *(.data.read_mostly)
8232 - }
8233 -
8234 -+ . = ALIGN(8192); /* init_task */
8235 -+ .data.init_task : AT(ADDR(.data.init_task) - LOAD_OFFSET) {
8236 -+ *(.data.init_task)
8237 -+ }
8238 -+
8239 -+ . = ALIGN(4096);
8240 -+ .data.page_aligned : AT(ADDR(.data.page_aligned) - LOAD_OFFSET) {
8241 -+ *(.data.page_aligned)
8242 -+ }
8243 -+
8244 -+ . = ALIGN(4096);
8245 -+ __nosave_begin = .;
8246 -+ .data_nosave : AT(ADDR(.data_nosave) - LOAD_OFFSET) { *(.data.nosave) }
8247 -+ . = ALIGN(4096);
8248 -+ __nosave_end = .;
8249 -+
8250 -+ _edata = .; /* End of data section */
8251 -+
8252 - #define VSYSCALL_ADDR (-10*1024*1024)
8253 --#define VSYSCALL_PHYS_ADDR ((LOADADDR(.data.read_mostly) + SIZEOF(.data.read_mostly) + 4095) & ~(4095))
8254 --#define VSYSCALL_VIRT_ADDR ((ADDR(.data.read_mostly) + SIZEOF(.data.read_mostly) + 4095) & ~(4095))
8255 -+#define VSYSCALL_PHYS_ADDR ((LOADADDR(.data_nosave) + SIZEOF(.data_nosave) + 4095) & ~(4095))
8256 -+#define VSYSCALL_VIRT_ADDR ((ADDR(.data_nosave) + SIZEOF(.data_nosave) + 4095) & ~(4095))
8257 -
8258 - #define VLOAD_OFFSET (VSYSCALL_ADDR - VSYSCALL_PHYS_ADDR)
8259 - #define VLOAD(x) (ADDR(x) - VLOAD_OFFSET)
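Review bot: VSYSCALL_PHYS_ADDR and VSYSCALL_VIRT_ADDR now derive from "LOADADDR(.data_nosave) + SIZEOF(.data_nosave)" instead of .data.read_mostly, which silently assumes .data_nosave stays the last section before the vsyscall block; anyone inserting a section between __nosave_end and the vsyscall area breaks VLOAD_OFFSET without a link error. Add a comment next to the macros stating that invariant. Also, .data.init_task loses its ":data.init" tag in this move (the old copy removed in the next hunk carried it) and now inherits the preceding section's :data segment; that matches the FLAGS(6) change to data at the top of the file but should be called out.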
8260 -@@ -130,23 +151,13 @@ SECTIONS
8261 - #undef VVIRT_OFFSET
8262 - #undef VVIRT
8263 -
8264 -- . = ALIGN(8192); /* init_task */
8265 -- .data.init_task : AT(ADDR(.data.init_task) - LOAD_OFFSET) {
8266 -- *(.data.init_task)
8267 -- }:data.init
8268 --
8269 -- . = ALIGN(4096);
8270 -- .data.page_aligned : AT(ADDR(.data.page_aligned) - LOAD_OFFSET) {
8271 -- *(.data.page_aligned)
8272 -- }
8273 --
8274 - /* might get freed after init */
8275 - . = ALIGN(4096);
8276 - __smp_alt_begin = .;
8277 - __smp_locks = .;
8278 - .smp_locks : AT(ADDR(.smp_locks) - LOAD_OFFSET) {
8279 - *(.smp_locks)
8280 -- }
8281 -+ } :data.init
8282 - __smp_locks_end = .;
8283 - . = ALIGN(4096);
8284 - __smp_alt_end = .;
8285 -@@ -208,12 +219,6 @@ SECTIONS
8286 - . = ALIGN(4096);
8287 - __init_end = .;
8288 -
8289 -- . = ALIGN(4096);
8290 -- __nosave_begin = .;
8291 -- .data_nosave : AT(ADDR(.data_nosave) - LOAD_OFFSET) { *(.data.nosave) }
8292 -- . = ALIGN(4096);
8293 -- __nosave_end = .;
8294 --
8295 - __bss_start = .; /* BSS */
8296 - .bss : AT(ADDR(.bss) - LOAD_OFFSET) {
8297 - *(.bss.page_aligned)
8298 -@@ -221,6 +226,7 @@ SECTIONS
8299 - }
8300 - __bss_stop = .;
8301 -
8302 -+ . = ALIGN(2*1024*1024);
8303 - _end = . ;
8304 -
8305 - /* Sections to be discarded */
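Review bot: ". = ALIGN(2*1024*1024);" before _end is unconditional, unlike the matching data-segment alignment earlier in this file that is wrapped in #ifdef CONFIG_PAX_KERNEXEC; as written every x86-64 build pads _end, and whatever is sized from _end, by up to 2 MiB. Either guard it the same way or comment why non-KERNEXEC kernels need it too.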
8306 -diff -urNp linux-2.6.24.4/arch/x86/kernel/vsyscall_64.c linux-2.6.24.4/arch/x86/kernel/vsyscall_64.c
8307 ---- linux-2.6.24.4/arch/x86/kernel/vsyscall_64.c 2008-03-24 14:49:18.000000000 -0400
8308 -+++ linux-2.6.24.4/arch/x86/kernel/vsyscall_64.c 2008-03-26 17:56:55.000000000 -0400
8309 -@@ -271,13 +271,13 @@ static ctl_table kernel_table2[] = {
8310 - .data = &vsyscall_gtod_data.sysctl_enabled, .maxlen = sizeof(int),
8311 - .mode = 0644,
8312 - .proc_handler = vsyscall_sysctl_change },
8313 -- {}
8314 -+ { 0, NULL, NULL, 0, 0, NULL, NULL, NULL, NULL, NULL, NULL }
8315 - };
8316 -
8317 - static ctl_table kernel_root_table2[] = {
8318 - { .ctl_name = CTL_KERN, .procname = "kernel", .mode = 0555,
8319 - .child = kernel_table2 },
8320 -- {}
8321 -+ { 0, NULL, NULL, 0, 0, NULL, NULL, NULL, NULL, NULL, NULL }
8322 - };
8323 -
8324 - #endif
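Review bot: replacing the two "{}" terminators with "{ 0, NULL, NULL, 0, 0, NULL, NULL, NULL, NULL, NULL, NULL }" spells out all eleven members of struct ctl_table positionally and will need editing whenever a field is added or reordered, while "{}" already zero-initialises the terminator. If the explicit form is required by something else in this patch set (a warning flag or a constification pass), say so in a comment; otherwise keep "{}".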
8325 -@@ -288,6 +288,11 @@ static void __cpuinit vsyscall_set_cpu(i
8326 - {
8327 - unsigned long *d;
8328 - unsigned long node = 0;
8329 -+
8330 -+#ifdef CONFIG_PAX_KERNEXEC
8331 -+ unsigned long cr0;
8332 -+#endif
8333 -+
8334 - #ifdef CONFIG_NUMA
8335 - node = cpu_to_node(cpu);
8336 - #endif
8337 -@@ -298,10 +303,20 @@ static void __cpuinit vsyscall_set_cpu(i
8338 - in user space in vgetcpu.
8339 - 12 bits for the CPU and 8 bits for the node. */
8340 - d = (unsigned long *)(cpu_gdt(cpu) + GDT_ENTRY_PER_CPU);
8341 -+
8342 -+#ifdef CONFIG_PAX_KERNEXEC
8343 -+ pax_open_kernel(cr0);
8344 -+#endif
8345 -+
8346 - *d = 0x0f40000000000ULL;
8347 - *d |= cpu;
8348 - *d |= (node & 0xf) << 12;
8349 - *d |= (node >> 4) << 48;
8350 -+
8351 -+#ifdef CONFIG_PAX_KERNEXEC
8352 -+ pax_close_kernel(cr0);
8353 -+#endif
8354 -+
8355 - }
8356 -
8357 - static void __cpuinit cpu_vsyscall_init(void *arg)
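Review bot: the pax_open_kernel(cr0) / pax_close_kernel(cr0) window spans one store and three read-modify-write updates of the GDT entry ("*d = 0x0f40000000000ULL;" followed by three "*d |= ..."). Build the descriptor in a local first and do a single "*d = val" between open and close, so the unprotected window is one instruction, and state in a comment whether the macros disable interrupts, since this hunk does not show it and an interrupt taken inside the window would run with the kernel writable. The extra blank "+" lines around each #ifdef block are noise.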
8358 -diff -urNp linux-2.6.24.4/arch/x86/lib/checksum_32.S linux-2.6.24.4/arch/x86/lib/checksum_32.S
8359 ---- linux-2.6.24.4/arch/x86/lib/checksum_32.S 2008-03-24 14:49:18.000000000 -0400
8360 -+++ linux-2.6.24.4/arch/x86/lib/checksum_32.S 2008-03-26 17:56:55.000000000 -0400
8361 -@@ -28,7 +28,8 @@
8362 - #include <linux/linkage.h>
8363 - #include <asm/dwarf2.h>
8364 - #include <asm/errno.h>
8365 --
8366 -+#include <asm/segment.h>
8367 -+
8368 - /*
8369 - * computes a partial checksum, e.g. for TCP/UDP fragments
8370 - */
8371 -@@ -304,9 +305,22 @@ unsigned int csum_partial_copy_generic (
8372 -
8373 - #define ARGBASE 16
8374 - #define FP 12
8375 --
8376 --ENTRY(csum_partial_copy_generic)
8377 -+
8378 -+ENTRY(csum_partial_copy_generic_to_user)
8379 - CFI_STARTPROC
8380 -+ pushl $(__USER_DS)
8381 -+ CFI_ADJUST_CFA_OFFSET 4
8382 -+ popl %es
8383 -+ CFI_ADJUST_CFA_OFFSET -4
8384 -+ jmp csum_partial_copy_generic
8385 -+
8386 -+ENTRY(csum_partial_copy_generic_from_user)
8387 -+ pushl $(__USER_DS)
8388 -+ CFI_ADJUST_CFA_OFFSET 4
8389 -+ popl %ds
8390 -+ CFI_ADJUST_CFA_OFFSET -4
8391 -+
8392 -+ENTRY(csum_partial_copy_generic)
8393 - subl $4,%esp
8394 - CFI_ADJUST_CFA_OFFSET 4
8395 - pushl %edi
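Review bot: the new csum_partial_copy_generic_to_user / _from_user entries load __USER_DS into %es resp. %ds and then rely on every DST() store below carrying an explicit %es: override and every fixup store carrying %ss:, but nothing in the file states that contract. Add a header comment explaining that user-side accesses now go through a user data segment while kernel-side ones stay on %ds/%ss, and that the plain csum_partial_copy_generic entry expects both registers to already hold kernel segments. csum_partial_copy_generic_from_user also reaches csum_partial_copy_generic by falling through, whereas the _to_user variant uses an explicit "jmp csum_partial_copy_generic"; either add a comment or make both explicit so an inserted instruction cannot break the fall-through.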
8396 -@@ -331,7 +345,7 @@ ENTRY(csum_partial_copy_generic)
8397 - jmp 4f
8398 - SRC(1: movw (%esi), %bx )
8399 - addl $2, %esi
8400 --DST( movw %bx, (%edi) )
8401 -+DST( movw %bx, %es:(%edi) )
8402 - addl $2, %edi
8403 - addw %bx, %ax
8404 - adcl $0, %eax
8405 -@@ -343,30 +357,30 @@ DST( movw %bx, (%edi) )
8406 - SRC(1: movl (%esi), %ebx )
8407 - SRC( movl 4(%esi), %edx )
8408 - adcl %ebx, %eax
8409 --DST( movl %ebx, (%edi) )
8410 -+DST( movl %ebx, %es:(%edi) )
8411 - adcl %edx, %eax
8412 --DST( movl %edx, 4(%edi) )
8413 -+DST( movl %edx, %es:4(%edi) )
8414 -
8415 - SRC( movl 8(%esi), %ebx )
8416 - SRC( movl 12(%esi), %edx )
8417 - adcl %ebx, %eax
8418 --DST( movl %ebx, 8(%edi) )
8419 -+DST( movl %ebx, %es:8(%edi) )
8420 - adcl %edx, %eax
8421 --DST( movl %edx, 12(%edi) )
8422 -+DST( movl %edx, %es:12(%edi) )
8423 -
8424 - SRC( movl 16(%esi), %ebx )
8425 - SRC( movl 20(%esi), %edx )
8426 - adcl %ebx, %eax
8427 --DST( movl %ebx, 16(%edi) )
8428 -+DST( movl %ebx, %es:16(%edi) )
8429 - adcl %edx, %eax
8430 --DST( movl %edx, 20(%edi) )
8431 -+DST( movl %edx, %es:20(%edi) )
8432 -
8433 - SRC( movl 24(%esi), %ebx )
8434 - SRC( movl 28(%esi), %edx )
8435 - adcl %ebx, %eax
8436 --DST( movl %ebx, 24(%edi) )
8437 -+DST( movl %ebx, %es:24(%edi) )
8438 - adcl %edx, %eax
8439 --DST( movl %edx, 28(%edi) )
8440 -+DST( movl %edx, %es:28(%edi) )
8441 -
8442 - lea 32(%esi), %esi
8443 - lea 32(%edi), %edi
8444 -@@ -380,7 +394,7 @@ DST( movl %edx, 28(%edi) )
8445 - shrl $2, %edx # This clears CF
8446 - SRC(3: movl (%esi), %ebx )
8447 - adcl %ebx, %eax
8448 --DST( movl %ebx, (%edi) )
8449 -+DST( movl %ebx, %es:(%edi) )
8450 - lea 4(%esi), %esi
8451 - lea 4(%edi), %edi
8452 - dec %edx
8453 -@@ -392,12 +406,12 @@ DST( movl %ebx, (%edi) )
8454 - jb 5f
8455 - SRC( movw (%esi), %cx )
8456 - leal 2(%esi), %esi
8457 --DST( movw %cx, (%edi) )
8458 -+DST( movw %cx, %es:(%edi) )
8459 - leal 2(%edi), %edi
8460 - je 6f
8461 - shll $16,%ecx
8462 - SRC(5: movb (%esi), %cl )
8463 --DST( movb %cl, (%edi) )
8464 -+DST( movb %cl, %es:(%edi) )
8465 - 6: addl %ecx, %eax
8466 - adcl $0, %eax
8467 - 7:
8468 -@@ -408,7 +422,7 @@ DST( movb %cl, (%edi) )
8469 -
8470 - 6001:
8471 - movl ARGBASE+20(%esp), %ebx # src_err_ptr
8472 -- movl $-EFAULT, (%ebx)
8473 -+ movl $-EFAULT, %ss:(%ebx)
8474 -
8475 - # zero the complete destination - computing the rest
8476 - # is too much work
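Review bot: "movl $-EFAULT, %ss:(%ebx)" needs a comment: src_err_ptr is a kernel pointer and %ds may hold __USER_DS when this fixup runs via the _from_user entry, so the store has to go through %ss, which is assumed to be the kernel data segment. The same assumption underlies the "pushl %ss / popl %ds" and "pushl %ss / popl %es" restores at the end of both routines; one comment at this first occurrence covers all of them.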
8477 -@@ -421,11 +435,19 @@ DST( movb %cl, (%edi) )
8478 -
8479 - 6002:
8480 - movl ARGBASE+24(%esp), %ebx # dst_err_ptr
8481 -- movl $-EFAULT,(%ebx)
8482 -+ movl $-EFAULT,%ss:(%ebx)
8483 - jmp 5000b
8484 -
8485 - .previous
8486 -
8487 -+ pushl %ss
8488 -+ CFI_ADJUST_CFA_OFFSET 4
8489 -+ popl %ds
8490 -+ CFI_ADJUST_CFA_OFFSET -4
8491 -+ pushl %ss
8492 -+ CFI_ADJUST_CFA_OFFSET 4
8493 -+ popl %es
8494 -+ CFI_ADJUST_CFA_OFFSET -4
8495 - popl %ebx
8496 - CFI_ADJUST_CFA_OFFSET -4
8497 - CFI_RESTORE ebx
8498 -@@ -439,26 +461,41 @@ DST( movb %cl, (%edi) )
8499 - CFI_ADJUST_CFA_OFFSET -4
8500 - ret
8501 - CFI_ENDPROC
8502 --ENDPROC(csum_partial_copy_generic)
8503 -+ENDPROC(csum_partial_copy_generic_to_user)
8504 -
8505 - #else
8506 -
8507 - /* Version for PentiumII/PPro */
8508 -
8509 - #define ROUND1(x) \
8510 -+ nop; nop; nop; \
8511 - SRC(movl x(%esi), %ebx ) ; \
8512 - addl %ebx, %eax ; \
8513 -- DST(movl %ebx, x(%edi) ) ;
8514 -+ DST(movl %ebx, %es:x(%edi)) ;
8515 -
8516 - #define ROUND(x) \
8517 -+ nop; nop; nop; \
8518 - SRC(movl x(%esi), %ebx ) ; \
8519 - adcl %ebx, %eax ; \
8520 -- DST(movl %ebx, x(%edi) ) ;
8521 -+ DST(movl %ebx, %es:x(%edi)) ;
8522 -
8523 - #define ARGBASE 12
8524 --
8525 --ENTRY(csum_partial_copy_generic)
8526 -+
8527 -+ENTRY(csum_partial_copy_generic_to_user)
8528 - CFI_STARTPROC
8529 -+ pushl $(__USER_DS)
8530 -+ CFI_ADJUST_CFA_OFFSET 4
8531 -+ popl %es
8532 -+ CFI_ADJUST_CFA_OFFSET -4
8533 -+ jmp csum_partial_copy_generic
8534 -+
8535 -+ENTRY(csum_partial_copy_generic_from_user)
8536 -+ pushl $(__USER_DS)
8537 -+ CFI_ADJUST_CFA_OFFSET 4
8538 -+ popl %ds
8539 -+ CFI_ADJUST_CFA_OFFSET -4
8540 -+
8541 -+ENTRY(csum_partial_copy_generic)
8542 - pushl %ebx
8543 - CFI_ADJUST_CFA_OFFSET 4
8544 - CFI_REL_OFFSET ebx, 0
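Review bot: ENDPROC(csum_partial_copy_generic) becomes ENDPROC(csum_partial_copy_generic_to_user), but the ENTRY(csum_partial_copy_generic_from_user) and ENTRY(csum_partial_copy_generic) symbols that now share the body are never closed, so they get no .type/.size, and the single CFI_STARTPROC at the _to_user entry makes the other two entries look like the middle of that procedure to the unwinder. Either give each entry its own ENDPROC (at least the plain csum_partial_copy_generic, which is the symbol callers used before) or add a comment that the three labels deliberately share one frame; the same applies to the PentiumII variant that this hunk starts.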
8545 -@@ -482,7 +519,7 @@ ENTRY(csum_partial_copy_generic)
8546 - subl %ebx, %edi
8547 - lea -1(%esi),%edx
8548 - andl $-32,%edx
8549 -- lea 3f(%ebx,%ebx), %ebx
8550 -+ lea 3f(%ebx,%ebx,2), %ebx
8551 - testl %esi, %esi
8552 - jmp *%ebx
8553 - 1: addl $64,%esi
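Review bot: "lea 3f(%ebx,%ebx), %ebx" becoming "lea 3f(%ebx,%ebx,2), %ebx" only works together with the "nop; nop; nop;" added to ROUND1/ROUND in the previous hunk: the %es: prefix grows each unrolled round by one byte and the three NOPs pad it so the stride scales by exactly 3/2 (8 to 12 bytes with 8-bit displacements), which is what the scale-factor change encodes. That coupling is invisible at either site; put a comment on the macros and on the lea, and ideally an assembler-time check (.if with .error on the round size) so a later edit to ROUND does not silently jump into the middle of an instruction.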
8554 -@@ -503,19 +540,19 @@ ENTRY(csum_partial_copy_generic)
8555 - jb 5f
8556 - SRC( movw (%esi), %dx )
8557 - leal 2(%esi), %esi
8558 --DST( movw %dx, (%edi) )
8559 -+DST( movw %dx, %es:(%edi) )
8560 - leal 2(%edi), %edi
8561 - je 6f
8562 - shll $16,%edx
8563 - 5:
8564 - SRC( movb (%esi), %dl )
8565 --DST( movb %dl, (%edi) )
8566 -+DST( movb %dl, %es:(%edi) )
8567 - 6: addl %edx, %eax
8568 - adcl $0, %eax
8569 - 7:
8570 - .section .fixup, "ax"
8571 - 6001: movl ARGBASE+20(%esp), %ebx # src_err_ptr
8572 -- movl $-EFAULT, (%ebx)
8573 -+ movl $-EFAULT, %ss:(%ebx)
8574 - # zero the complete destination (computing the rest is too much work)
8575 - movl ARGBASE+8(%esp),%edi # dst
8576 - movl ARGBASE+12(%esp),%ecx # len
8577 -@@ -523,10 +560,18 @@ DST( movb %dl, (%edi) )
8578 - rep; stosb
8579 - jmp 7b
8580 - 6002: movl ARGBASE+24(%esp), %ebx # dst_err_ptr
8581 -- movl $-EFAULT, (%ebx)
8582 -+ movl $-EFAULT, %ss:(%ebx)
8583 - jmp 7b
8584 - .previous
8585 -
8586 -+ pushl %ss
8587 -+ CFI_ADJUST_CFA_OFFSET 4
8588 -+ popl %ds
8589 -+ CFI_ADJUST_CFA_OFFSET -4
8590 -+ pushl %ss
8591 -+ CFI_ADJUST_CFA_OFFSET 4
8592 -+ popl %es
8593 -+ CFI_ADJUST_CFA_OFFSET -4
8594 - popl %esi
8595 - CFI_ADJUST_CFA_OFFSET -4
8596 - CFI_RESTORE esi
8597 -@@ -538,7 +583,7 @@ DST( movb %dl, (%edi) )
8598 - CFI_RESTORE ebx
8599 - ret
8600 - CFI_ENDPROC
8601 --ENDPROC(csum_partial_copy_generic)
8602 -+ENDPROC(csum_partial_copy_generic_to_user)
8603 -
8604 - #undef ROUND
8605 - #undef ROUND1
8606 -diff -urNp linux-2.6.24.4/arch/x86/lib/clear_page_64.S linux-2.6.24.4/arch/x86/lib/clear_page_64.S
8607 ---- linux-2.6.24.4/arch/x86/lib/clear_page_64.S 2008-03-24 14:49:18.000000000 -0400
8608 -+++ linux-2.6.24.4/arch/x86/lib/clear_page_64.S 2008-03-26 17:56:55.000000000 -0400
8609 -@@ -44,7 +44,7 @@ ENDPROC(clear_page)
8610 -
8611 - #include <asm/cpufeature.h>
8612 -
8613 -- .section .altinstr_replacement,"ax"
8614 -+ .section .altinstr_replacement,"a"
8615 - 1: .byte 0xeb /* jmp <disp8> */
8616 - .byte (clear_page_c - clear_page) - (2f - 1b) /* offset */
8617 - 2:
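Review bot: dropping the "x" from ".section .altinstr_replacement,"a"" is correct: the alternatives code copies these replacement bytes over the original instruction and never executes them where they sit, so they have no business in an executable section once text is locked down. The same one-line change recurs in copy_page_64.S, copy_user_64.S, memcpy_64.S and memset_64.S below; a short comment at one of them (or in the header that defines the alternative macros) explaining why "a" suffices would help whoever adds the next replacement block.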
8618 -diff -urNp linux-2.6.24.4/arch/x86/lib/copy_page_64.S linux-2.6.24.4/arch/x86/lib/copy_page_64.S
8619 ---- linux-2.6.24.4/arch/x86/lib/copy_page_64.S 2008-03-24 14:49:18.000000000 -0400
8620 -+++ linux-2.6.24.4/arch/x86/lib/copy_page_64.S 2008-03-26 17:56:55.000000000 -0400
8621 -@@ -104,7 +104,7 @@ ENDPROC(copy_page)
8622 -
8623 - #include <asm/cpufeature.h>
8624 -
8625 -- .section .altinstr_replacement,"ax"
8626 -+ .section .altinstr_replacement,"a"
8627 - 1: .byte 0xeb /* jmp <disp8> */
8628 - .byte (copy_page_c - copy_page) - (2f - 1b) /* offset */
8629 - 2:
8630 -diff -urNp linux-2.6.24.4/arch/x86/lib/copy_user_64.S linux-2.6.24.4/arch/x86/lib/copy_user_64.S
8631 ---- linux-2.6.24.4/arch/x86/lib/copy_user_64.S 2008-03-24 14:49:18.000000000 -0400
8632 -+++ linux-2.6.24.4/arch/x86/lib/copy_user_64.S 2008-03-26 17:56:55.000000000 -0400
8633 -@@ -19,7 +19,7 @@
8634 - .byte 0xe9 /* 32bit jump */
8635 - .long \orig-1f /* by default jump to orig */
8636 - 1:
8637 -- .section .altinstr_replacement,"ax"
8638 -+ .section .altinstr_replacement,"a"
8639 - 2: .byte 0xe9 /* near jump with 32bit immediate */
8640 - .long \alt-1b /* offset */ /* or alternatively to alt */
8641 - .previous
8642 -diff -urNp linux-2.6.24.4/arch/x86/lib/getuser_32.S linux-2.6.24.4/arch/x86/lib/getuser_32.S
8643 ---- linux-2.6.24.4/arch/x86/lib/getuser_32.S 2008-03-24 14:49:18.000000000 -0400
8644 -+++ linux-2.6.24.4/arch/x86/lib/getuser_32.S 2008-03-26 17:56:55.000000000 -0400
8645 -@@ -11,7 +11,7 @@
8646 - #include <linux/linkage.h>
8647 - #include <asm/dwarf2.h>
8648 - #include <asm/thread_info.h>
8649 --
8650 -+#include <asm/segment.h>
8651 -
8652 - /*
8653 - * __get_user_X
8654 -@@ -31,7 +31,11 @@ ENTRY(__get_user_1)
8655 - GET_THREAD_INFO(%edx)
8656 - cmpl TI_addr_limit(%edx),%eax
8657 - jae bad_get_user
8658 -+ pushl $(__USER_DS)
8659 -+ popl %ds
8660 - 1: movzbl (%eax),%edx
8661 -+ pushl %ss
8662 -+ pop %ds
8663 - xorl %eax,%eax
8664 - ret
8665 - CFI_ENDPROC
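Review bot: the "pushl $(__USER_DS) / popl %ds" and "pushl %ss / pop %ds" pairs move the stack pointer without CFI_ADJUST_CFA_OFFSET annotations, whereas checksum_32.S in this same patch annotates identical pairs; the DWARF CFA is off by 4 for one instruction in each pair, which matters if a fault at "1: movzbl (%eax),%edx" is ever unwound. "pop %ds" should also be "popl %ds" for consistency with the line above it. A one-line comment that the user load is made through a user data segment and that %ds is restored from %ss afterwards would make the intent clear; the same applies to the __get_user_2 and __get_user_4 hunks below.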
8666 -@@ -44,7 +48,11 @@ ENTRY(__get_user_2)
8667 - GET_THREAD_INFO(%edx)
8668 - cmpl TI_addr_limit(%edx),%eax
8669 - jae bad_get_user
8670 -+ pushl $(__USER_DS)
8671 -+ popl %ds
8672 - 2: movzwl -1(%eax),%edx
8673 -+ pushl %ss
8674 -+ pop %ds
8675 - xorl %eax,%eax
8676 - ret
8677 - CFI_ENDPROC
8678 -@@ -57,7 +65,11 @@ ENTRY(__get_user_4)
8679 - GET_THREAD_INFO(%edx)
8680 - cmpl TI_addr_limit(%edx),%eax
8681 - jae bad_get_user
8682 -+ pushl $(__USER_DS)
8683 -+ popl %ds
8684 - 3: movl -3(%eax),%edx
8685 -+ pushl %ss
8686 -+ pop %ds
8687 - xorl %eax,%eax
8688 - ret
8689 - CFI_ENDPROC
8690 -@@ -65,6 +77,8 @@ ENDPROC(__get_user_4)
8691 -
8692 - bad_get_user:
8693 - CFI_STARTPROC
8694 -+ pushl %ss
8695 -+ pop %ds
8696 - xorl %edx,%edx
8697 - movl $-14,%eax
8698 - ret
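Review bot: bad_get_user is now entered on two paths with different %ds: directly from the "jae bad_get_user" range check, where %ds is still the kernel segment, and via the exception-table fixup for the faulting load, where %ds is __USER_DS. The unconditional "pushl %ss / pop %ds" handles both, but that is exactly the kind of thing a comment should say, and this push/pop pair again lacks CFI_ADJUST_CFA_OFFSET annotations.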
8699 -diff -urNp linux-2.6.24.4/arch/x86/lib/memcpy_64.S linux-2.6.24.4/arch/x86/lib/memcpy_64.S
8700 ---- linux-2.6.24.4/arch/x86/lib/memcpy_64.S 2008-03-24 14:49:18.000000000 -0400
8701 -+++ linux-2.6.24.4/arch/x86/lib/memcpy_64.S 2008-03-26 17:56:55.000000000 -0400
8702 -@@ -114,7 +114,7 @@ ENDPROC(__memcpy)
8703 - /* Some CPUs run faster using the string copy instructions.
8704 - It is also a lot simpler. Use this when possible */
8705 -
8706 -- .section .altinstr_replacement,"ax"
8707 -+ .section .altinstr_replacement,"a"
8708 - 1: .byte 0xeb /* jmp <disp8> */
8709 - .byte (memcpy_c - memcpy) - (2f - 1b) /* offset */
8710 - 2:
8711 -diff -urNp linux-2.6.24.4/arch/x86/lib/memset_64.S linux-2.6.24.4/arch/x86/lib/memset_64.S
8712 ---- linux-2.6.24.4/arch/x86/lib/memset_64.S 2008-03-24 14:49:18.000000000 -0400
8713 -+++ linux-2.6.24.4/arch/x86/lib/memset_64.S 2008-03-26 17:56:55.000000000 -0400
8714 -@@ -118,7 +118,7 @@ ENDPROC(__memset)
8715 -
8716 - #include <asm/cpufeature.h>
8717 -
8718 -- .section .altinstr_replacement,"ax"
8719 -+ .section .altinstr_replacement,"a"
8720 - 1: .byte 0xeb /* jmp <disp8> */
8721 - .byte (memset_c - memset) - (2f - 1b) /* offset */
8722 - 2:
8723 -diff -urNp linux-2.6.24.4/arch/x86/lib/mmx_32.c linux-2.6.24.4/arch/x86/lib/mmx_32.c
8724 ---- linux-2.6.24.4/arch/x86/lib/mmx_32.c 2008-03-24 14:49:18.000000000 -0400
8725 -+++ linux-2.6.24.4/arch/x86/lib/mmx_32.c 2008-03-26 17:56:55.000000000 -0400
8726 -@@ -30,6 +30,7 @@ void *_mmx_memcpy(void *to, const void *
8727 - {
8728 - void *p;
8729 - int i;
8730 -+ unsigned long cr0;
8731 -
8732 - if (unlikely(in_interrupt()))
8733 - return __memcpy(to, from, len);
8734 -@@ -40,52 +41,80 @@ void *_mmx_memcpy(void *to, const void *
8735 - kernel_fpu_begin();
8736 -
8737 - __asm__ __volatile__ (
8738 -- "1: prefetch (%0)\n" /* This set is 28 bytes */
8739 -- " prefetch 64(%0)\n"
8740 -- " prefetch 128(%0)\n"
8741 -- " prefetch 192(%0)\n"
8742 -- " prefetch 256(%0)\n"
8743 -+ "1: prefetch (%1)\n" /* This set is 28 bytes */
8744 -+ " prefetch 64(%1)\n"
8745 -+ " prefetch 128(%1)\n"
8746 -+ " prefetch 192(%1)\n"
8747 -+ " prefetch 256(%1)\n"
8748 - "2: \n"
8749 - ".section .fixup, \"ax\"\n"
8750 -- "3: movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
8751 -+ "3: \n"
8752 -+
8753 -+#ifdef CONFIG_PAX_KERNEXEC
8754 -+ " movl %%cr0, %0\n"
8755 -+ " movl %0, %%eax\n"
8756 -+ " andl $0xFFFEFFFF, %%eax\n"
8757 -+ " movl %%eax, %%cr0\n"
8758 -+#endif
8759 -+
8760 -+ " movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
8761 -+
8762 -+#ifdef CONFIG_PAX_KERNEXEC
8763 -+ " movl %0, %%cr0\n"
8764 -+#endif
8765 -+
8766 - " jmp 2b\n"
8767 - ".previous\n"
8768 - ".section __ex_table,\"a\"\n"
8769 - " .align 4\n"
8770 - " .long 1b, 3b\n"
8771 - ".previous"
8772 -- : : "r" (from) );
8773 -+ : "=&r" (cr0) : "r" (from) : "ax");
8774 -
8775 -
8776 - for(; i>5; i--)
8777 - {
8778 - __asm__ __volatile__ (
8779 -- "1: prefetch 320(%0)\n"
8780 -- "2: movq (%0), %%mm0\n"
8781 -- " movq 8(%0), %%mm1\n"
8782 -- " movq 16(%0), %%mm2\n"
8783 -- " movq 24(%0), %%mm3\n"
8784 -- " movq %%mm0, (%1)\n"
8785 -- " movq %%mm1, 8(%1)\n"
8786 -- " movq %%mm2, 16(%1)\n"
8787 -- " movq %%mm3, 24(%1)\n"
8788 -- " movq 32(%0), %%mm0\n"
8789 -- " movq 40(%0), %%mm1\n"
8790 -- " movq 48(%0), %%mm2\n"
8791 -- " movq 56(%0), %%mm3\n"
8792 -- " movq %%mm0, 32(%1)\n"
8793 -- " movq %%mm1, 40(%1)\n"
8794 -- " movq %%mm2, 48(%1)\n"
8795 -- " movq %%mm3, 56(%1)\n"
8796 -+ "1: prefetch 320(%1)\n"
8797 -+ "2: movq (%1), %%mm0\n"
8798 -+ " movq 8(%1), %%mm1\n"
8799 -+ " movq 16(%1), %%mm2\n"
8800 -+ " movq 24(%1), %%mm3\n"
8801 -+ " movq %%mm0, (%2)\n"
8802 -+ " movq %%mm1, 8(%2)\n"
8803 -+ " movq %%mm2, 16(%2)\n"
8804 -+ " movq %%mm3, 24(%2)\n"
8805 -+ " movq 32(%1), %%mm0\n"
8806 -+ " movq 40(%1), %%mm1\n"
8807 -+ " movq 48(%1), %%mm2\n"
8808 -+ " movq 56(%1), %%mm3\n"
8809 -+ " movq %%mm0, 32(%2)\n"
8810 -+ " movq %%mm1, 40(%2)\n"
8811 -+ " movq %%mm2, 48(%2)\n"
8812 -+ " movq %%mm3, 56(%2)\n"
8813 - ".section .fixup, \"ax\"\n"
8814 -- "3: movw $0x05EB, 1b\n" /* jmp on 5 bytes */
8815 -+ "3:\n"
8816 -+
8817 -+#ifdef CONFIG_PAX_KERNEXEC
8818 -+ " movl %%cr0, %0\n"
8819 -+ " movl %0, %%eax\n"
8820 -+ " andl $0xFFFEFFFF, %%eax\n"
8821 -+ " movl %%eax, %%cr0\n"
8822 -+#endif
8823 -+
8824 -+ " movw $0x05EB, 1b\n" /* jmp on 5 bytes */
8825 -+
8826 -+#ifdef CONFIG_PAX_KERNEXEC
8827 -+ " movl %0, %%cr0\n"
8828 -+#endif
8829 -+
8830 - " jmp 2b\n"
8831 - ".previous\n"
8832 - ".section __ex_table,\"a\"\n"
8833 - " .align 4\n"
8834 - " .long 1b, 3b\n"
8835 - ".previous"
8836 -- : : "r" (from), "r" (to) : "memory");
8837 -+ : "=&r" (cr0) : "r" (from), "r" (to) : "memory", "ax");
8838 - from+=64;
8839 - to+=64;
8840 - }
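Review bot: in both fixup paths the "movl %%cr0, %0 / andl $0xFFFEFFFF, %%eax / movl %%eax, %%cr0" sequence clears CR0 bit 16 (WP) so that "movw $0x1AEB, 1b" can patch the prefetch in read-only text into a short jmp, then restores CR0. Name the mask (it is ~WP) instead of repeating a magic number, and document that the window is open with interrupts in whatever state the caller left them: an interrupt or NMI arriving between the two CR0 writes runs with the kernel writable. The "=&r" (cr0) early-clobber and the "ax" clobber are right; a comment noting that cr0 is only ever assigned on the fault path would pre-empt the obvious "used uninitialised" question.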
8841 -@@ -164,6 +193,7 @@ static void fast_clear_page(void *page)
8842 - static void fast_copy_page(void *to, void *from)
8843 - {
8844 - int i;
8845 -+ unsigned long cr0;
8846 -
8847 - kernel_fpu_begin();
8848 -
8849 -@@ -171,51 +201,79 @@ static void fast_copy_page(void *to, voi
8850 - * but that is for later. -AV
8851 - */
8852 - __asm__ __volatile__ (
8853 -- "1: prefetch (%0)\n"
8854 -- " prefetch 64(%0)\n"
8855 -- " prefetch 128(%0)\n"
8856 -- " prefetch 192(%0)\n"
8857 -- " prefetch 256(%0)\n"
8858 -+ "1: prefetch (%1)\n"
8859 -+ " prefetch 64(%1)\n"
8860 -+ " prefetch 128(%1)\n"
8861 -+ " prefetch 192(%1)\n"
8862 -+ " prefetch 256(%1)\n"
8863 - "2: \n"
8864 - ".section .fixup, \"ax\"\n"
8865 -- "3: movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
8866 -+ "3: \n"
8867 -+
8868 -+#ifdef CONFIG_PAX_KERNEXEC
8869 -+ " movl %%cr0, %0\n"
8870 -+ " movl %0, %%eax\n"
8871 -+ " andl $0xFFFEFFFF, %%eax\n"
8872 -+ " movl %%eax, %%cr0\n"
8873 -+#endif
8874 -+
8875 -+ " movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
8876 -+
8877 -+#ifdef CONFIG_PAX_KERNEXEC
8878 -+ " movl %0, %%cr0\n"
8879 -+#endif
8880 -+
8881 - " jmp 2b\n"
8882 - ".previous\n"
8883 - ".section __ex_table,\"a\"\n"
8884 - " .align 4\n"
8885 - " .long 1b, 3b\n"
8886 - ".previous"
8887 -- : : "r" (from) );
8888 -+ : "=&r" (cr0) : "r" (from) : "ax");
8889 -
8890 - for(i=0; i<(4096-320)/64; i++)
8891 - {
8892 - __asm__ __volatile__ (
8893 -- "1: prefetch 320(%0)\n"
8894 -- "2: movq (%0), %%mm0\n"
8895 -- " movntq %%mm0, (%1)\n"
8896 -- " movq 8(%0), %%mm1\n"
8897 -- " movntq %%mm1, 8(%1)\n"
8898 -- " movq 16(%0), %%mm2\n"
8899 -- " movntq %%mm2, 16(%1)\n"
8900 -- " movq 24(%0), %%mm3\n"
8901 -- " movntq %%mm3, 24(%1)\n"
8902 -- " movq 32(%0), %%mm4\n"
8903 -- " movntq %%mm4, 32(%1)\n"
8904 -- " movq 40(%0), %%mm5\n"
8905 -- " movntq %%mm5, 40(%1)\n"
8906 -- " movq 48(%0), %%mm6\n"
8907 -- " movntq %%mm6, 48(%1)\n"
8908 -- " movq 56(%0), %%mm7\n"
8909 -- " movntq %%mm7, 56(%1)\n"
8910 -+ "1: prefetch 320(%1)\n"
8911 -+ "2: movq (%1), %%mm0\n"
8912 -+ " movntq %%mm0, (%2)\n"
8913 -+ " movq 8(%1), %%mm1\n"
8914 -+ " movntq %%mm1, 8(%2)\n"
8915 -+ " movq 16(%1), %%mm2\n"
8916 -+ " movntq %%mm2, 16(%2)\n"
8917 -+ " movq 24(%1), %%mm3\n"
8918 -+ " movntq %%mm3, 24(%2)\n"
8919 -+ " movq 32(%1), %%mm4\n"
8920 -+ " movntq %%mm4, 32(%2)\n"
8921 -+ " movq 40(%1), %%mm5\n"
8922 -+ " movntq %%mm5, 40(%2)\n"
8923 -+ " movq 48(%1), %%mm6\n"
8924 -+ " movntq %%mm6, 48(%2)\n"
8925 -+ " movq 56(%1), %%mm7\n"
8926 -+ " movntq %%mm7, 56(%2)\n"
8927 - ".section .fixup, \"ax\"\n"
8928 -- "3: movw $0x05EB, 1b\n" /* jmp on 5 bytes */
8929 -+ "3:\n"
8930 -+
8931 -+#ifdef CONFIG_PAX_KERNEXEC
8932 -+ " movl %%cr0, %0\n"
8933 -+ " movl %0, %%eax\n"
8934 -+ " andl $0xFFFEFFFF, %%eax\n"
8935 -+ " movl %%eax, %%cr0\n"
8936 -+#endif
8937 -+
8938 -+ " movw $0x05EB, 1b\n" /* jmp on 5 bytes */
8939 -+
8940 -+#ifdef CONFIG_PAX_KERNEXEC
8941 -+ " movl %0, %%cr0\n"
8942 -+#endif
8943 -+
8944 - " jmp 2b\n"
8945 - ".previous\n"
8946 - ".section __ex_table,\"a\"\n"
8947 - " .align 4\n"
8948 - " .long 1b, 3b\n"
8949 - ".previous"
8950 -- : : "r" (from), "r" (to) : "memory");
8951 -+ : "=&r" (cr0) : "r" (from), "r" (to) : "memory", "ax");
8952 - from+=64;
8953 - to+=64;
8954 - }
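Review bot: the `.fixup` path in both asm blocks of this hunk opens an unprotected window in which kernel text is writable. `andl $0xFFFEFFFF, %%eax` clears CR0.WP (bit 16) before `movw $0x1AEB, 1b` (resp. `$0x05EB`) patches the prefetch into a jmp, and WP is only put back by the trailing `movl %0, %%cr0`. An interrupt or NMI taken between those instructions runs with write protection off for all of kernel text, which is the very thing KERNEXEC is there to prevent. Either disable interrupts around the three instructions, or drop the self-patching altogether (a static flag tested before the prefetch would give the same "prefetch faulted once, stop prefetching" behaviour without touching text), and document whichever choice is made next to the first site. The `"=&r" (cr0)` early-clobber and the added `"ax"` clobber are correct for what the fixup does.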
8955 -@@ -296,56 +354,84 @@ static void fast_clear_page(void *page)
8956 - static void fast_copy_page(void *to, void *from)
8957 - {
8958 - int i;
8959 --
8960 --
8961 -+ unsigned long cr0;
8962 -+
8963 - kernel_fpu_begin();
8964 -
8965 - __asm__ __volatile__ (
8966 -- "1: prefetch (%0)\n"
8967 -- " prefetch 64(%0)\n"
8968 -- " prefetch 128(%0)\n"
8969 -- " prefetch 192(%0)\n"
8970 -- " prefetch 256(%0)\n"
8971 -+ "1: prefetch (%1)\n"
8972 -+ " prefetch 64(%1)\n"
8973 -+ " prefetch 128(%1)\n"
8974 -+ " prefetch 192(%1)\n"
8975 -+ " prefetch 256(%1)\n"
8976 - "2: \n"
8977 - ".section .fixup, \"ax\"\n"
8978 -- "3: movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
8979 -+ "3: \n"
8980 -+
8981 -+#ifdef CONFIG_PAX_KERNEXEC
8982 -+ " movl %%cr0, %0\n"
8983 -+ " movl %0, %%eax\n"
8984 -+ " andl $0xFFFEFFFF, %%eax\n"
8985 -+ " movl %%eax, %%cr0\n"
8986 -+#endif
8987 -+
8988 -+ " movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
8989 -+
8990 -+#ifdef CONFIG_PAX_KERNEXEC
8991 -+ " movl %0, %%cr0\n"
8992 -+#endif
8993 -+
8994 - " jmp 2b\n"
8995 - ".previous\n"
8996 - ".section __ex_table,\"a\"\n"
8997 - " .align 4\n"
8998 - " .long 1b, 3b\n"
8999 - ".previous"
9000 -- : : "r" (from) );
9001 -+ : "=&r" (cr0) : "r" (from) : "ax");
9002 -
9003 - for(i=0; i<4096/64; i++)
9004 - {
9005 - __asm__ __volatile__ (
9006 -- "1: prefetch 320(%0)\n"
9007 -- "2: movq (%0), %%mm0\n"
9008 -- " movq 8(%0), %%mm1\n"
9009 -- " movq 16(%0), %%mm2\n"
9010 -- " movq 24(%0), %%mm3\n"
9011 -- " movq %%mm0, (%1)\n"
9012 -- " movq %%mm1, 8(%1)\n"
9013 -- " movq %%mm2, 16(%1)\n"
9014 -- " movq %%mm3, 24(%1)\n"
9015 -- " movq 32(%0), %%mm0\n"
9016 -- " movq 40(%0), %%mm1\n"
9017 -- " movq 48(%0), %%mm2\n"
9018 -- " movq 56(%0), %%mm3\n"
9019 -- " movq %%mm0, 32(%1)\n"
9020 -- " movq %%mm1, 40(%1)\n"
9021 -- " movq %%mm2, 48(%1)\n"
9022 -- " movq %%mm3, 56(%1)\n"
9023 -+ "1: prefetch 320(%1)\n"
9024 -+ "2: movq (%1), %%mm0\n"
9025 -+ " movq 8(%1), %%mm1\n"
9026 -+ " movq 16(%1), %%mm2\n"
9027 -+ " movq 24(%1), %%mm3\n"
9028 -+ " movq %%mm0, (%2)\n"
9029 -+ " movq %%mm1, 8(%2)\n"
9030 -+ " movq %%mm2, 16(%2)\n"
9031 -+ " movq %%mm3, 24(%2)\n"
9032 -+ " movq 32(%1), %%mm0\n"
9033 -+ " movq 40(%1), %%mm1\n"
9034 -+ " movq 48(%1), %%mm2\n"
9035 -+ " movq 56(%1), %%mm3\n"
9036 -+ " movq %%mm0, 32(%2)\n"
9037 -+ " movq %%mm1, 40(%2)\n"
9038 -+ " movq %%mm2, 48(%2)\n"
9039 -+ " movq %%mm3, 56(%2)\n"
9040 - ".section .fixup, \"ax\"\n"
9041 -- "3: movw $0x05EB, 1b\n" /* jmp on 5 bytes */
9042 -+ "3:\n"
9043 -+
9044 -+#ifdef CONFIG_PAX_KERNEXEC
9045 -+ " movl %%cr0, %0\n"
9046 -+ " movl %0, %%eax\n"
9047 -+ " andl $0xFFFEFFFF, %%eax\n"
9048 -+ " movl %%eax, %%cr0\n"
9049 -+#endif
9050 -+
9051 -+ " movw $0x05EB, 1b\n" /* jmp on 5 bytes */
9052 -+
9053 -+#ifdef CONFIG_PAX_KERNEXEC
9054 -+ " movl %0, %%cr0\n"
9055 -+#endif
9056 -+
9057 - " jmp 2b\n"
9058 - ".previous\n"
9059 - ".section __ex_table,\"a\"\n"
9060 - " .align 4\n"
9061 - " .long 1b, 3b\n"
9062 - ".previous"
9063 -- : : "r" (from), "r" (to) : "memory");
9064 -+ : "=&r" (cr0) : "r" (from), "r" (to) : "memory", "ax");
9065 - from+=64;
9066 - to+=64;
9067 - }
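Review bot: `fast_copy_page` gets the same four-site CR0 dance as the function above, so the save/clear/patch/restore sequence now appears four times in this file with only the patched immediate (`$0x1AEB` vs `$0x05EB`) differing. Pull it into one macro so that a later fix to the write-protect window (interrupt disabling, or dropping self-patching) cannot miss a site. Note that `kernel_fpu_begin()` just above the asm disables preemption but not interrupts, so it does not close that window on its own. The `unsigned long cr0;` replacing the two stray blank lines is fine.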
9068 -diff -urNp linux-2.6.24.4/arch/x86/lib/putuser_32.S linux-2.6.24.4/arch/x86/lib/putuser_32.S
9069 ---- linux-2.6.24.4/arch/x86/lib/putuser_32.S 2008-03-24 14:49:18.000000000 -0400
9070 -+++ linux-2.6.24.4/arch/x86/lib/putuser_32.S 2008-03-26 17:56:55.000000000 -0400
9071 -@@ -11,7 +11,7 @@
9072 - #include <linux/linkage.h>
9073 - #include <asm/dwarf2.h>
9074 - #include <asm/thread_info.h>
9075 --
9076 -+#include <asm/segment.h>
9077 -
9078 - /*
9079 - * __put_user_X
9080 -@@ -41,7 +41,11 @@ ENTRY(__put_user_1)
9081 - ENTER
9082 - cmpl TI_addr_limit(%ebx),%ecx
9083 - jae bad_put_user
9084 -+ pushl $(__USER_DS)
9085 -+ popl %ds
9086 - 1: movb %al,(%ecx)
9087 -+ pushl %ss
9088 -+ popl %ds
9089 - xorl %eax,%eax
9090 - EXIT
9091 - ENDPROC(__put_user_1)
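Review bot: the added `pushl $(__USER_DS)` / `popl %ds` and `pushl %ss` / `popl %ds` pairs carry no `CFI_ADJUST_CFA_OFFSET` annotations, while the identical pair added to `bad_put_user` later in this patch is annotated; the stack is balanced again after each `popl`, so the unwind info is only off for one instruction, but please annotate all four `__put_user_N` sites the same way for consistency. A one-line comment at this first site explaining why the store at `1:` is bracketed with the user data segment (so the write goes through a segment whose limit excludes kernel memory, independent of the `TI_addr_limit` compare above) would also help; the same trick is repeated in the next three hunks without explanation.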
9092 -@@ -52,7 +56,11 @@ ENTRY(__put_user_2)
9093 - subl $1,%ebx
9094 - cmpl %ebx,%ecx
9095 - jae bad_put_user
9096 -+ pushl $(__USER_DS)
9097 -+ popl %ds
9098 - 2: movw %ax,(%ecx)
9099 -+ pushl %ss
9100 -+ popl %ds
9101 - xorl %eax,%eax
9102 - EXIT
9103 - ENDPROC(__put_user_2)
9104 -@@ -63,7 +71,11 @@ ENTRY(__put_user_4)
9105 - subl $3,%ebx
9106 - cmpl %ebx,%ecx
9107 - jae bad_put_user
9108 -+ pushl $(__USER_DS)
9109 -+ popl %ds
9110 - 3: movl %eax,(%ecx)
9111 -+ pushl %ss
9112 -+ popl %ds
9113 - xorl %eax,%eax
9114 - EXIT
9115 - ENDPROC(__put_user_4)
9116 -@@ -74,8 +86,12 @@ ENTRY(__put_user_8)
9117 - subl $7,%ebx
9118 - cmpl %ebx,%ecx
9119 - jae bad_put_user
9120 -+ pushl $(__USER_DS)
9121 -+ popl %ds
9122 - 4: movl %eax,(%ecx)
9123 - 5: movl %edx,4(%ecx)
9124 -+ pushl %ss
9125 -+ popl %ds
9126 - xorl %eax,%eax
9127 - EXIT
9128 - ENDPROC(__put_user_8)
9129 -@@ -85,6 +101,10 @@ bad_put_user:
9130 - CFI_DEF_CFA esp, 2*4
9131 - CFI_OFFSET eip, -1*4
9132 - CFI_OFFSET ebx, -2*4
9133 -+ pushl %ss
9134 -+ CFI_ADJUST_CFA_OFFSET 4
9135 -+ popl %ds
9136 -+ CFI_ADJUST_CFA_OFFSET -4
9137 - movl $-14,%eax
9138 - EXIT
9139 - END(bad_put_user)
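Review bot: `bad_put_user` is now reached on two paths with different `%ds` states: from the `jae bad_put_user` range checks, where `%ds` was never changed, and from the exception fixup for the stores at `1:` to `5:`, where `%ds` still holds `__USER_DS`. The added `pushl %ss` / `popl %ds` is needed only for the second path, so add a comment saying so; otherwise the restore looks redundant next to the range-check jumps and is at risk of being "cleaned up". The `CFI_ADJUST_CFA_OFFSET 4` / `-4` pair around it is right.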
9140 -diff -urNp linux-2.6.24.4/arch/x86/lib/usercopy_32.c linux-2.6.24.4/arch/x86/lib/usercopy_32.c
9141 ---- linux-2.6.24.4/arch/x86/lib/usercopy_32.c 2008-03-24 14:49:18.000000000 -0400
9142 -+++ linux-2.6.24.4/arch/x86/lib/usercopy_32.c 2008-03-26 17:56:55.000000000 -0400
9143 -@@ -29,34 +29,41 @@ static inline int __movsl_is_ok(unsigned
9144 - * Copy a null terminated string from userspace.
9145 - */
9146 -
9147 --#define __do_strncpy_from_user(dst,src,count,res) \
9148 --do { \
9149 -- int __d0, __d1, __d2; \
9150 -- might_sleep(); \
9151 -- __asm__ __volatile__( \
9152 -- " testl %1,%1\n" \
9153 -- " jz 2f\n" \
9154 -- "0: lodsb\n" \
9155 -- " stosb\n" \
9156 -- " testb %%al,%%al\n" \
9157 -- " jz 1f\n" \
9158 -- " decl %1\n" \
9159 -- " jnz 0b\n" \
9160 -- "1: subl %1,%0\n" \
9161 -- "2:\n" \
9162 -- ".section .fixup,\"ax\"\n" \
9163 -- "3: movl %5,%0\n" \
9164 -- " jmp 2b\n" \
9165 -- ".previous\n" \
9166 -- ".section __ex_table,\"a\"\n" \
9167 -- " .align 4\n" \
9168 -- " .long 0b,3b\n" \
9169 -- ".previous" \
9170 -- : "=d"(res), "=c"(count), "=&a" (__d0), "=&S" (__d1), \
9171 -- "=&D" (__d2) \
9172 -- : "i"(-EFAULT), "0"(count), "1"(count), "3"(src), "4"(dst) \
9173 -- : "memory"); \
9174 --} while (0)
9175 -+static long __do_strncpy_from_user(char *dst, const char __user *src, long count)
9176 -+{
9177 -+ int __d0, __d1, __d2;
9178 -+ long res = -EFAULT;
9179 -+
9180 -+ might_sleep();
9181 -+ __asm__ __volatile__(
9182 -+ " movw %w10,%%ds\n"
9183 -+ " testl %1,%1\n"
9184 -+ " jz 2f\n"
9185 -+ "0: lodsb\n"
9186 -+ " stosb\n"
9187 -+ " testb %%al,%%al\n"
9188 -+ " jz 1f\n"
9189 -+ " decl %1\n"
9190 -+ " jnz 0b\n"
9191 -+ "1: subl %1,%0\n"
9192 -+ "2:\n"
9193 -+ " pushl %%ss\n"
9194 -+ " popl %%ds\n"
9195 -+ ".section .fixup,\"ax\"\n"
9196 -+ "3: movl %5,%0\n"
9197 -+ " jmp 2b\n"
9198 -+ ".previous\n"
9199 -+ ".section __ex_table,\"a\"\n"
9200 -+ " .align 4\n"
9201 -+ " .long 0b,3b\n"
9202 -+ ".previous"
9203 -+ : "=d"(res), "=c"(count), "=&a" (__d0), "=&S" (__d1),
9204 -+ "=&D" (__d2)
9205 -+ : "i"(-EFAULT), "0"(count), "1"(count), "3"(src), "4"(dst),
9206 -+ "r"(__USER_DS)
9207 -+ : "memory");
9208 -+ return res;
9209 -+}
9210 -
9211 - /**
9212 - * __strncpy_from_user: - Copy a NUL terminated string from userspace, with less checking.
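Review bot: `long res = -EFAULT;` in the new `__do_strncpy_from_user` is dead. Operand 0 (`"=d"(res)`) is tied to `count` by the `"0"(count)` input, so `res` enters the asm holding `count`, and it is the fixup `3: movl %5,%0` that supplies -EFAULT on a fault. Drop the initialiser, or it will suggest to readers that the asm might leave `res` untouched. The rest checks out: `%w10` is the `__USER_DS` input (five outputs, inputs 5 to 10), `lodsb` reads `%ds:%esi` which is now the user segment while `stosb` keeps writing `%es:%edi` in the kernel, and both the normal path and the fixup `jmp 2b` pass through the `pushl %%ss` / `popl %%ds` restore at `2:`.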
9213 -@@ -81,9 +88,7 @@ do { \
9214 - long
9215 - __strncpy_from_user(char *dst, const char __user *src, long count)
9216 - {
9217 -- long res;
9218 -- __do_strncpy_from_user(dst, src, count, res);
9219 -- return res;
9220 -+ return __do_strncpy_from_user(dst, src, count);
9221 - }
9222 - EXPORT_SYMBOL(__strncpy_from_user);
9223 -
9224 -@@ -110,7 +115,7 @@ strncpy_from_user(char *dst, const char
9225 - {
9226 - long res = -EFAULT;
9227 - if (access_ok(VERIFY_READ, src, 1))
9228 -- __do_strncpy_from_user(dst, src, count, res);
9229 -+ res = __do_strncpy_from_user(dst, src, count);
9230 - return res;
9231 - }
9232 - EXPORT_SYMBOL(strncpy_from_user);
9233 -@@ -119,27 +124,33 @@ EXPORT_SYMBOL(strncpy_from_user);
9234 - * Zero Userspace
9235 - */
9236 -
9237 --#define __do_clear_user(addr,size) \
9238 --do { \
9239 -- int __d0; \
9240 -- might_sleep(); \
9241 -- __asm__ __volatile__( \
9242 -- "0: rep; stosl\n" \
9243 -- " movl %2,%0\n" \
9244 -- "1: rep; stosb\n" \
9245 -- "2:\n" \
9246 -- ".section .fixup,\"ax\"\n" \
9247 -- "3: lea 0(%2,%0,4),%0\n" \
9248 -- " jmp 2b\n" \
9249 -- ".previous\n" \
9250 -- ".section __ex_table,\"a\"\n" \
9251 -- " .align 4\n" \
9252 -- " .long 0b,3b\n" \
9253 -- " .long 1b,2b\n" \
9254 -- ".previous" \
9255 -- : "=&c"(size), "=&D" (__d0) \
9256 -- : "r"(size & 3), "0"(size / 4), "1"(addr), "a"(0)); \
9257 --} while (0)
9258 -+static unsigned long __do_clear_user(void __user *addr, unsigned long size)
9259 -+{
9260 -+ int __d0;
9261 -+
9262 -+ might_sleep();
9263 -+ __asm__ __volatile__(
9264 -+ " movw %w6,%%es\n"
9265 -+ "0: rep; stosl\n"
9266 -+ " movl %2,%0\n"
9267 -+ "1: rep; stosb\n"
9268 -+ "2:\n"
9269 -+ " pushl %%ss\n"
9270 -+ " popl %%es\n"
9271 -+ ".section .fixup,\"ax\"\n"
9272 -+ "3: lea 0(%2,%0,4),%0\n"
9273 -+ " jmp 2b\n"
9274 -+ ".previous\n"
9275 -+ ".section __ex_table,\"a\"\n"
9276 -+ " .align 4\n"
9277 -+ " .long 0b,3b\n"
9278 -+ " .long 1b,2b\n"
9279 -+ ".previous"
9280 -+ : "=&c"(size), "=&D" (__d0)
9281 -+ : "r"(size & 3), "0"(size / 4), "1"(addr), "a"(0),
9282 -+ "r"(__USER_DS));
9283 -+ return size;
9284 -+}
9285 -
9286 - /**
9287 - * clear_user: - Zero a block of memory in user space.
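Review bot: `__do_clear_user` now loads `%es` with `__USER_DS` for the `rep; stos` loops but, unlike `__do_strncpy_from_user` above, still declares no `"memory"` clobber although the asm writes memory through `%edi`; add `: "memory"` while the code is being converted to a function. `%w6` does resolve to the `__USER_DS` input (outputs 0 and 1, inputs 2 to 6), and both exception-table targets (`0b,3b` via `jmp 2b`, and `1b,2b` directly) pass through the `%es` restore at `2:`. Since the function now returns the residual instead of updating the caller's variable in place, every caller has to assign the result, which the two hunks below do.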
9288 -@@ -156,7 +167,7 @@ clear_user(void __user *to, unsigned lon
9289 - {
9290 - might_sleep();
9291 - if (access_ok(VERIFY_WRITE, to, n))
9292 -- __do_clear_user(to, n);
9293 -+ n = __do_clear_user(to, n);
9294 - return n;
9295 - }
9296 - EXPORT_SYMBOL(clear_user);
9297 -@@ -175,8 +186,7 @@ EXPORT_SYMBOL(clear_user);
9298 - unsigned long
9299 - __clear_user(void __user *to, unsigned long n)
9300 - {
9301 -- __do_clear_user(to, n);
9302 -- return n;
9303 -+ return __do_clear_user(to, n);
9304 - }
9305 - EXPORT_SYMBOL(__clear_user);
9306 -
9307 -@@ -199,14 +209,17 @@ long strnlen_user(const char __user *s,
9308 - might_sleep();
9309 -
9310 - __asm__ __volatile__(
9311 -+ " movw %w8,%%es\n"
9312 - " testl %0, %0\n"
9313 - " jz 3f\n"
9314 -- " andl %0,%%ecx\n"
9315 -+ " movl %0,%%ecx\n"
9316 - "0: repne; scasb\n"
9317 - " setne %%al\n"
9318 - " subl %%ecx,%0\n"
9319 - " addl %0,%%eax\n"
9320 - "1:\n"
9321 -+ " pushl %%ss\n"
9322 -+ " popl %%es\n"
9323 - ".section .fixup,\"ax\"\n"
9324 - "2: xorl %%eax,%%eax\n"
9325 - " jmp 1b\n"
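Review bot: two things in this hunk need a word in the code. First, `andl %0,%%ecx` becoming `movl %0,%%ecx` is a behaviour change unrelated to the segment work: before, the scan length was `n & mask` (`%ecx` is preloaded from `mask` via `"3" (mask)`), now it is the full `n` and bounding relies on the `__USER_DS` limit instead; say so in a comment or split it into its own change. Second, `movw %w8,%%es` executes before the `jz 3f` early exit, and label `3:` is outside this hunk; it must end in `jmp 1b` so that it passes through the `pushl %%ss` / `popl %%es` restore at `1:`, otherwise a zero-length call returns to C with `%es` still set to the user segment. Please confirm.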
9326 -@@ -218,7 +231,7 @@ long strnlen_user(const char __user *s,
9327 - " .long 0b,2b\n"
9328 - ".previous"
9329 - :"=r" (n), "=D" (s), "=a" (res), "=c" (tmp)
9330 -- :"0" (n), "1" (s), "2" (0), "3" (mask)
9331 -+ :"0" (n), "1" (s), "2" (0), "3" (mask), "r" (__USER_DS)
9332 - :"cc");
9333 - return res & mask;
9334 - }
9335 -@@ -226,10 +239,121 @@ EXPORT_SYMBOL(strnlen_user);
9336 -
9337 - #ifdef CONFIG_X86_INTEL_USERCOPY
9338 - static unsigned long
9339 --__copy_user_intel(void __user *to, const void *from, unsigned long size)
9340 -+__generic_copy_to_user_intel(void __user *to, const void *from, unsigned long size)
9341 -+{
9342 -+ int d0, d1;
9343 -+ __asm__ __volatile__(
9344 -+ " movw %w6, %%es\n"
9345 -+ " .align 2,0x90\n"
9346 -+ "1: movl 32(%4), %%eax\n"
9347 -+ " cmpl $67, %0\n"
9348 -+ " jbe 3f\n"
9349 -+ "2: movl 64(%4), %%eax\n"
9350 -+ " .align 2,0x90\n"
9351 -+ "3: movl 0(%4), %%eax\n"
9352 -+ "4: movl 4(%4), %%edx\n"
9353 -+ "5: movl %%eax, %%es:0(%3)\n"
9354 -+ "6: movl %%edx, %%es:4(%3)\n"
9355 -+ "7: movl 8(%4), %%eax\n"
9356 -+ "8: movl 12(%4),%%edx\n"
9357 -+ "9: movl %%eax, %%es:8(%3)\n"
9358 -+ "10: movl %%edx, %%es:12(%3)\n"
9359 -+ "11: movl 16(%4), %%eax\n"
9360 -+ "12: movl 20(%4), %%edx\n"
9361 -+ "13: movl %%eax, %%es:16(%3)\n"
9362 -+ "14: movl %%edx, %%es:20(%3)\n"
9363 -+ "15: movl 24(%4), %%eax\n"
9364 -+ "16: movl 28(%4), %%edx\n"
9365 -+ "17: movl %%eax, %%es:24(%3)\n"
9366 -+ "18: movl %%edx, %%es:28(%3)\n"
9367 -+ "19: movl 32(%4), %%eax\n"
9368 -+ "20: movl 36(%4), %%edx\n"
9369 -+ "21: movl %%eax, %%es:32(%3)\n"
9370 -+ "22: movl %%edx, %%es:36(%3)\n"
9371 -+ "23: movl 40(%4), %%eax\n"
9372 -+ "24: movl 44(%4), %%edx\n"
9373 -+ "25: movl %%eax, %%es:40(%3)\n"
9374 -+ "26: movl %%edx, %%es:44(%3)\n"
9375 -+ "27: movl 48(%4), %%eax\n"
9376 -+ "28: movl 52(%4), %%edx\n"
9377 -+ "29: movl %%eax, %%es:48(%3)\n"
9378 -+ "30: movl %%edx, %%es:52(%3)\n"
9379 -+ "31: movl 56(%4), %%eax\n"
9380 -+ "32: movl 60(%4), %%edx\n"
9381 -+ "33: movl %%eax, %%es:56(%3)\n"
9382 -+ "34: movl %%edx, %%es:60(%3)\n"
9383 -+ " addl $-64, %0\n"
9384 -+ " addl $64, %4\n"
9385 -+ " addl $64, %3\n"
9386 -+ " cmpl $63, %0\n"
9387 -+ " ja 1b\n"
9388 -+ "35: movl %0, %%eax\n"
9389 -+ " shrl $2, %0\n"
9390 -+ " andl $3, %%eax\n"
9391 -+ " cld\n"
9392 -+ "99: rep; movsl\n"
9393 -+ "36: movl %%eax, %0\n"
9394 -+ "37: rep; movsb\n"
9395 -+ "100:\n"
9396 -+ " pushl %%ss\n"
9397 -+ " popl %%es\n"
9398 -+ ".section .fixup,\"ax\"\n"
9399 -+ "101: lea 0(%%eax,%0,4),%0\n"
9400 -+ " jmp 100b\n"
9401 -+ ".previous\n"
9402 -+ ".section __ex_table,\"a\"\n"
9403 -+ " .align 4\n"
9404 -+ " .long 1b,100b\n"
9405 -+ " .long 2b,100b\n"
9406 -+ " .long 3b,100b\n"
9407 -+ " .long 4b,100b\n"
9408 -+ " .long 5b,100b\n"
9409 -+ " .long 6b,100b\n"
9410 -+ " .long 7b,100b\n"
9411 -+ " .long 8b,100b\n"
9412 -+ " .long 9b,100b\n"
9413 -+ " .long 10b,100b\n"
9414 -+ " .long 11b,100b\n"
9415 -+ " .long 12b,100b\n"
9416 -+ " .long 13b,100b\n"
9417 -+ " .long 14b,100b\n"
9418 -+ " .long 15b,100b\n"
9419 -+ " .long 16b,100b\n"
9420 -+ " .long 17b,100b\n"
9421 -+ " .long 18b,100b\n"
9422 -+ " .long 19b,100b\n"
9423 -+ " .long 20b,100b\n"
9424 -+ " .long 21b,100b\n"
9425 -+ " .long 22b,100b\n"
9426 -+ " .long 23b,100b\n"
9427 -+ " .long 24b,100b\n"
9428 -+ " .long 25b,100b\n"
9429 -+ " .long 26b,100b\n"
9430 -+ " .long 27b,100b\n"
9431 -+ " .long 28b,100b\n"
9432 -+ " .long 29b,100b\n"
9433 -+ " .long 30b,100b\n"
9434 -+ " .long 31b,100b\n"
9435 -+ " .long 32b,100b\n"
9436 -+ " .long 33b,100b\n"
9437 -+ " .long 34b,100b\n"
9438 -+ " .long 35b,100b\n"
9439 -+ " .long 36b,100b\n"
9440 -+ " .long 37b,100b\n"
9441 -+ " .long 99b,101b\n"
9442 -+ ".previous"
9443 -+ : "=&c"(size), "=&D" (d0), "=&S" (d1)
9444 -+ : "1"(to), "2"(from), "0"(size), "r"(__USER_DS)
9445 -+ : "eax", "edx", "memory");
9446 -+ return size;
9447 -+}
9448 -+
9449 -+static unsigned long
9450 -+__generic_copy_from_user_intel(void *to, const void __user *from, unsigned long size)
9451 - {
9452 - int d0, d1;
9453 - __asm__ __volatile__(
9454 -+ " movw %w6, %%ds\n"
9455 - " .align 2,0x90\n"
9456 - "1: movl 32(%4), %%eax\n"
9457 - " cmpl $67, %0\n"
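Review bot: the new `__generic_copy_to_user_intel` is a near-verbatim copy of the renamed `__generic_copy_from_user_intel`, differing only in `movw %w6, %%es` versus `%%ds`, the `popl %%es` versus `popl %%ds` restore at `100:`, and the `%%es:` overrides; with the 40-entry exception table that is over a hundred lines to keep in sync by hand. Generate both from one macro parameterised on the segment register. While doing that, note that in the to_user variant the explicit `%%es:` overrides on the unrolled stores are redundant (`%ds` is still the kernel segment there, but the destination must go through `%es` anyway), whereas the tail `rep; movsl` / `rep; movsb` at `99:` and `37:` write to `%es:%edi` implicitly; a comment that the override is load-bearing only in the from_user variant would prevent confusion.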
9458 -@@ -238,36 +362,36 @@ __copy_user_intel(void __user *to, const
9459 - " .align 2,0x90\n"
9460 - "3: movl 0(%4), %%eax\n"
9461 - "4: movl 4(%4), %%edx\n"
9462 -- "5: movl %%eax, 0(%3)\n"
9463 -- "6: movl %%edx, 4(%3)\n"
9464 -+ "5: movl %%eax, %%es:0(%3)\n"
9465 -+ "6: movl %%edx, %%es:4(%3)\n"
9466 - "7: movl 8(%4), %%eax\n"
9467 - "8: movl 12(%4),%%edx\n"
9468 -- "9: movl %%eax, 8(%3)\n"
9469 -- "10: movl %%edx, 12(%3)\n"
9470 -+ "9: movl %%eax, %%es:8(%3)\n"
9471 -+ "10: movl %%edx, %%es:12(%3)\n"
9472 - "11: movl 16(%4), %%eax\n"
9473 - "12: movl 20(%4), %%edx\n"
9474 -- "13: movl %%eax, 16(%3)\n"
9475 -- "14: movl %%edx, 20(%3)\n"
9476 -+ "13: movl %%eax, %%es:16(%3)\n"
9477 -+ "14: movl %%edx, %%es:20(%3)\n"
9478 - "15: movl 24(%4), %%eax\n"
9479 - "16: movl 28(%4), %%edx\n"
9480 -- "17: movl %%eax, 24(%3)\n"
9481 -- "18: movl %%edx, 28(%3)\n"
9482 -+ "17: movl %%eax, %%es:24(%3)\n"
9483 -+ "18: movl %%edx, %%es:28(%3)\n"
9484 - "19: movl 32(%4), %%eax\n"
9485 - "20: movl 36(%4), %%edx\n"
9486 -- "21: movl %%eax, 32(%3)\n"
9487 -- "22: movl %%edx, 36(%3)\n"
9488 -+ "21: movl %%eax, %%es:32(%3)\n"
9489 -+ "22: movl %%edx, %%es:36(%3)\n"
9490 - "23: movl 40(%4), %%eax\n"
9491 - "24: movl 44(%4), %%edx\n"
9492 -- "25: movl %%eax, 40(%3)\n"
9493 -- "26: movl %%edx, 44(%3)\n"
9494 -+ "25: movl %%eax, %%es:40(%3)\n"
9495 -+ "26: movl %%edx, %%es:44(%3)\n"
9496 - "27: movl 48(%4), %%eax\n"
9497 - "28: movl 52(%4), %%edx\n"
9498 -- "29: movl %%eax, 48(%3)\n"
9499 -- "30: movl %%edx, 52(%3)\n"
9500 -+ "29: movl %%eax, %%es:48(%3)\n"
9501 -+ "30: movl %%edx, %%es:52(%3)\n"
9502 - "31: movl 56(%4), %%eax\n"
9503 - "32: movl 60(%4), %%edx\n"
9504 -- "33: movl %%eax, 56(%3)\n"
9505 -- "34: movl %%edx, 60(%3)\n"
9506 -+ "33: movl %%eax, %%es:56(%3)\n"
9507 -+ "34: movl %%edx, %%es:60(%3)\n"
9508 - " addl $-64, %0\n"
9509 - " addl $64, %4\n"
9510 - " addl $64, %3\n"
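Review bot: here the `%%es:` overrides are not cosmetic: this function now runs with `%ds = __USER_DS` (`movw %w6, %%ds` in the previous hunk), so a plain `movl %%eax, 0(%3)` would address the kernel destination through the user segment. Every store to `to` must carry the override; put a comment at the top of the asm saying so, because the next person adding an unrolled store will not know. All 16 stores in this hunk (labels 5 to 34) have it, and the loads from `%4` correctly stay on the default `%ds`.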
9511 -@@ -281,6 +405,8 @@ __copy_user_intel(void __user *to, const
9512 - "36: movl %%eax, %0\n"
9513 - "37: rep; movsb\n"
9514 - "100:\n"
9515 -+ " pushl %%ss\n"
9516 -+ " popl %%ds\n"
9517 - ".section .fixup,\"ax\"\n"
9518 - "101: lea 0(%%eax,%0,4),%0\n"
9519 - " jmp 100b\n"
9520 -@@ -327,7 +453,7 @@ __copy_user_intel(void __user *to, const
9521 - " .long 99b,101b\n"
9522 - ".previous"
9523 - : "=&c"(size), "=&D" (d0), "=&S" (d1)
9524 -- : "1"(to), "2"(from), "0"(size)
9525 -+ : "1"(to), "2"(from), "0"(size), "r"(__USER_DS)
9526 - : "eax", "edx", "memory");
9527 - return size;
9528 - }
9529 -@@ -337,6 +463,7 @@ __copy_user_zeroing_intel(void *to, cons
9530 - {
9531 - int d0, d1;
9532 - __asm__ __volatile__(
9533 -+ " movw %w6, %%ds\n"
9534 - " .align 2,0x90\n"
9535 - "0: movl 32(%4), %%eax\n"
9536 - " cmpl $67, %0\n"
9537 -@@ -345,36 +472,36 @@ __copy_user_zeroing_intel(void *to, cons
9538 - " .align 2,0x90\n"
9539 - "2: movl 0(%4), %%eax\n"
9540 - "21: movl 4(%4), %%edx\n"
9541 -- " movl %%eax, 0(%3)\n"
9542 -- " movl %%edx, 4(%3)\n"
9543 -+ " movl %%eax, %%es:0(%3)\n"
9544 -+ " movl %%edx, %%es:4(%3)\n"
9545 - "3: movl 8(%4), %%eax\n"
9546 - "31: movl 12(%4),%%edx\n"
9547 -- " movl %%eax, 8(%3)\n"
9548 -- " movl %%edx, 12(%3)\n"
9549 -+ " movl %%eax, %%es:8(%3)\n"
9550 -+ " movl %%edx, %%es:12(%3)\n"
9551 - "4: movl 16(%4), %%eax\n"
9552 - "41: movl 20(%4), %%edx\n"
9553 -- " movl %%eax, 16(%3)\n"
9554 -- " movl %%edx, 20(%3)\n"
9555 -+ " movl %%eax, %%es:16(%3)\n"
9556 -+ " movl %%edx, %%es:20(%3)\n"
9557 - "10: movl 24(%4), %%eax\n"
9558 - "51: movl 28(%4), %%edx\n"
9559 -- " movl %%eax, 24(%3)\n"
9560 -- " movl %%edx, 28(%3)\n"
9561 -+ " movl %%eax, %%es:24(%3)\n"
9562 -+ " movl %%edx, %%es:28(%3)\n"
9563 - "11: movl 32(%4), %%eax\n"
9564 - "61: movl 36(%4), %%edx\n"
9565 -- " movl %%eax, 32(%3)\n"
9566 -- " movl %%edx, 36(%3)\n"
9567 -+ " movl %%eax, %%es:32(%3)\n"
9568 -+ " movl %%edx, %%es:36(%3)\n"
9569 - "12: movl 40(%4), %%eax\n"
9570 - "71: movl 44(%4), %%edx\n"
9571 -- " movl %%eax, 40(%3)\n"
9572 -- " movl %%edx, 44(%3)\n"
9573 -+ " movl %%eax, %%es:40(%3)\n"
9574 -+ " movl %%edx, %%es:44(%3)\n"
9575 - "13: movl 48(%4), %%eax\n"
9576 - "81: movl 52(%4), %%edx\n"
9577 -- " movl %%eax, 48(%3)\n"
9578 -- " movl %%edx, 52(%3)\n"
9579 -+ " movl %%eax, %%es:48(%3)\n"
9580 -+ " movl %%edx, %%es:52(%3)\n"
9581 - "14: movl 56(%4), %%eax\n"
9582 - "91: movl 60(%4), %%edx\n"
9583 -- " movl %%eax, 56(%3)\n"
9584 -- " movl %%edx, 60(%3)\n"
9585 -+ " movl %%eax, %%es:56(%3)\n"
9586 -+ " movl %%edx, %%es:60(%3)\n"
9587 - " addl $-64, %0\n"
9588 - " addl $64, %4\n"
9589 - " addl $64, %3\n"
9590 -@@ -388,6 +515,8 @@ __copy_user_zeroing_intel(void *to, cons
9591 - " movl %%eax,%0\n"
9592 - "7: rep; movsb\n"
9593 - "8:\n"
9594 -+ " pushl %%ss\n"
9595 -+ " popl %%ds\n"
9596 - ".section .fixup,\"ax\"\n"
9597 - "9: lea 0(%%eax,%0,4),%0\n"
9598 - "16: pushl %0\n"
9599 -@@ -422,7 +551,7 @@ __copy_user_zeroing_intel(void *to, cons
9600 - " .long 7b,16b\n"
9601 - ".previous"
9602 - : "=&c"(size), "=&D" (d0), "=&S" (d1)
9603 -- : "1"(to), "2"(from), "0"(size)
9604 -+ : "1"(to), "2"(from), "0"(size), "r"(__USER_DS)
9605 - : "eax", "edx", "memory");
9606 - return size;
9607 - }
9608 -@@ -438,6 +567,7 @@ static unsigned long __copy_user_zeroing
9609 - int d0, d1;
9610 -
9611 - __asm__ __volatile__(
9612 -+ " movw %w6, %%ds\n"
9613 - " .align 2,0x90\n"
9614 - "0: movl 32(%4), %%eax\n"
9615 - " cmpl $67, %0\n"
9616 -@@ -446,36 +576,36 @@ static unsigned long __copy_user_zeroing
9617 - " .align 2,0x90\n"
9618 - "2: movl 0(%4), %%eax\n"
9619 - "21: movl 4(%4), %%edx\n"
9620 -- " movnti %%eax, 0(%3)\n"
9621 -- " movnti %%edx, 4(%3)\n"
9622 -+ " movnti %%eax, %%es:0(%3)\n"
9623 -+ " movnti %%edx, %%es:4(%3)\n"
9624 - "3: movl 8(%4), %%eax\n"
9625 - "31: movl 12(%4),%%edx\n"
9626 -- " movnti %%eax, 8(%3)\n"
9627 -- " movnti %%edx, 12(%3)\n"
9628 -+ " movnti %%eax, %%es:8(%3)\n"
9629 -+ " movnti %%edx, %%es:12(%3)\n"
9630 - "4: movl 16(%4), %%eax\n"
9631 - "41: movl 20(%4), %%edx\n"
9632 -- " movnti %%eax, 16(%3)\n"
9633 -- " movnti %%edx, 20(%3)\n"
9634 -+ " movnti %%eax, %%es:16(%3)\n"
9635 -+ " movnti %%edx, %%es:20(%3)\n"
9636 - "10: movl 24(%4), %%eax\n"
9637 - "51: movl 28(%4), %%edx\n"
9638 -- " movnti %%eax, 24(%3)\n"
9639 -- " movnti %%edx, 28(%3)\n"
9640 -+ " movnti %%eax, %%es:24(%3)\n"
9641 -+ " movnti %%edx, %%es:28(%3)\n"
9642 - "11: movl 32(%4), %%eax\n"
9643 - "61: movl 36(%4), %%edx\n"
9644 -- " movnti %%eax, 32(%3)\n"
9645 -- " movnti %%edx, 36(%3)\n"
9646 -+ " movnti %%eax, %%es:32(%3)\n"
9647 -+ " movnti %%edx, %%es:36(%3)\n"
9648 - "12: movl 40(%4), %%eax\n"
9649 - "71: movl 44(%4), %%edx\n"
9650 -- " movnti %%eax, 40(%3)\n"
9651 -- " movnti %%edx, 44(%3)\n"
9652 -+ " movnti %%eax, %%es:40(%3)\n"
9653 -+ " movnti %%edx, %%es:44(%3)\n"
9654 - "13: movl 48(%4), %%eax\n"
9655 - "81: movl 52(%4), %%edx\n"
9656 -- " movnti %%eax, 48(%3)\n"
9657 -- " movnti %%edx, 52(%3)\n"
9658 -+ " movnti %%eax, %%es:48(%3)\n"
9659 -+ " movnti %%edx, %%es:52(%3)\n"
9660 - "14: movl 56(%4), %%eax\n"
9661 - "91: movl 60(%4), %%edx\n"
9662 -- " movnti %%eax, 56(%3)\n"
9663 -- " movnti %%edx, 60(%3)\n"
9664 -+ " movnti %%eax, %%es:56(%3)\n"
9665 -+ " movnti %%edx, %%es:60(%3)\n"
9666 - " addl $-64, %0\n"
9667 - " addl $64, %4\n"
9668 - " addl $64, %3\n"
9669 -@@ -490,6 +620,8 @@ static unsigned long __copy_user_zeroing
9670 - " movl %%eax,%0\n"
9671 - "7: rep; movsb\n"
9672 - "8:\n"
9673 -+ " pushl %%ss\n"
9674 -+ " popl %%ds\n"
9675 - ".section .fixup,\"ax\"\n"
9676 - "9: lea 0(%%eax,%0,4),%0\n"
9677 - "16: pushl %0\n"
9678 -@@ -524,7 +656,7 @@ static unsigned long __copy_user_zeroing
9679 - " .long 7b,16b\n"
9680 - ".previous"
9681 - : "=&c"(size), "=&D" (d0), "=&S" (d1)
9682 -- : "1"(to), "2"(from), "0"(size)
9683 -+ : "1"(to), "2"(from), "0"(size), "r"(__USER_DS)
9684 - : "eax", "edx", "memory");
9685 - return size;
9686 - }
9687 -@@ -535,6 +667,7 @@ static unsigned long __copy_user_intel_n
9688 - int d0, d1;
9689 -
9690 - __asm__ __volatile__(
9691 -+ " movw %w6, %%ds\n"
9692 - " .align 2,0x90\n"
9693 - "0: movl 32(%4), %%eax\n"
9694 - " cmpl $67, %0\n"
9695 -@@ -543,36 +676,36 @@ static unsigned long __copy_user_intel_n
9696 - " .align 2,0x90\n"
9697 - "2: movl 0(%4), %%eax\n"
9698 - "21: movl 4(%4), %%edx\n"
9699 -- " movnti %%eax, 0(%3)\n"
9700 -- " movnti %%edx, 4(%3)\n"
9701 -+ " movnti %%eax, %%es:0(%3)\n"
9702 -+ " movnti %%edx, %%es:4(%3)\n"
9703 - "3: movl 8(%4), %%eax\n"
9704 - "31: movl 12(%4),%%edx\n"
9705 -- " movnti %%eax, 8(%3)\n"
9706 -- " movnti %%edx, 12(%3)\n"
9707 -+ " movnti %%eax, %%es:8(%3)\n"
9708 -+ " movnti %%edx, %%es:12(%3)\n"
9709 - "4: movl 16(%4), %%eax\n"
9710 - "41: movl 20(%4), %%edx\n"
9711 -- " movnti %%eax, 16(%3)\n"
9712 -- " movnti %%edx, 20(%3)\n"
9713 -+ " movnti %%eax, %%es:16(%3)\n"
9714 -+ " movnti %%edx, %%es:20(%3)\n"
9715 - "10: movl 24(%4), %%eax\n"
9716 - "51: movl 28(%4), %%edx\n"
9717 -- " movnti %%eax, 24(%3)\n"
9718 -- " movnti %%edx, 28(%3)\n"
9719 -+ " movnti %%eax, %%es:24(%3)\n"
9720 -+ " movnti %%edx, %%es:28(%3)\n"
9721 - "11: movl 32(%4), %%eax\n"
9722 - "61: movl 36(%4), %%edx\n"
9723 -- " movnti %%eax, 32(%3)\n"
9724 -- " movnti %%edx, 36(%3)\n"
9725 -+ " movnti %%eax, %%es:32(%3)\n"
9726 -+ " movnti %%edx, %%es:36(%3)\n"
9727 - "12: movl 40(%4), %%eax\n"
9728 - "71: movl 44(%4), %%edx\n"
9729 -- " movnti %%eax, 40(%3)\n"
9730 -- " movnti %%edx, 44(%3)\n"
9731 -+ " movnti %%eax, %%es:40(%3)\n"
9732 -+ " movnti %%edx, %%es:44(%3)\n"
9733 - "13: movl 48(%4), %%eax\n"
9734 - "81: movl 52(%4), %%edx\n"
9735 -- " movnti %%eax, 48(%3)\n"
9736 -- " movnti %%edx, 52(%3)\n"
9737 -+ " movnti %%eax, %%es:48(%3)\n"
9738 -+ " movnti %%edx, %%es:52(%3)\n"
9739 - "14: movl 56(%4), %%eax\n"
9740 - "91: movl 60(%4), %%edx\n"
9741 -- " movnti %%eax, 56(%3)\n"
9742 -- " movnti %%edx, 60(%3)\n"
9743 -+ " movnti %%eax, %%es:56(%3)\n"
9744 -+ " movnti %%edx, %%es:60(%3)\n"
9745 - " addl $-64, %0\n"
9746 - " addl $64, %4\n"
9747 - " addl $64, %3\n"
9748 -@@ -587,6 +720,8 @@ static unsigned long __copy_user_intel_n
9749 - " movl %%eax,%0\n"
9750 - "7: rep; movsb\n"
9751 - "8:\n"
9752 -+ " pushl %%ss\n"
9753 -+ " popl %%ds\n"
9754 - ".section .fixup,\"ax\"\n"
9755 - "9: lea 0(%%eax,%0,4),%0\n"
9756 - "16: jmp 8b\n"
9757 -@@ -615,7 +750,7 @@ static unsigned long __copy_user_intel_n
9758 - " .long 7b,16b\n"
9759 - ".previous"
9760 - : "=&c"(size), "=&D" (d0), "=&S" (d1)
9761 -- : "1"(to), "2"(from), "0"(size)
9762 -+ : "1"(to), "2"(from), "0"(size), "r"(__USER_DS)
9763 - : "eax", "edx", "memory");
9764 - return size;
9765 - }
9766 -@@ -628,90 +763,146 @@ static unsigned long __copy_user_intel_n
9767 - */
9768 - unsigned long __copy_user_zeroing_intel(void *to, const void __user *from,
9769 - unsigned long size);
9770 --unsigned long __copy_user_intel(void __user *to, const void *from,
9771 -+unsigned long __generic_copy_to_user_intel(void __user *to, const void *from,
9772 -+ unsigned long size);
9773 -+unsigned long __generic_copy_from_user_intel(void *to, const void __user *from,
9774 - unsigned long size);
9775 - unsigned long __copy_user_zeroing_intel_nocache(void *to,
9776 - const void __user *from, unsigned long size);
9777 - #endif /* CONFIG_X86_INTEL_USERCOPY */
9778 -
9779 - /* Generic arbitrary sized copy. */
9780 --#define __copy_user(to,from,size) \
9781 --do { \
9782 -- int __d0, __d1, __d2; \
9783 -- __asm__ __volatile__( \
9784 -- " cmp $7,%0\n" \
9785 -- " jbe 1f\n" \
9786 -- " movl %1,%0\n" \
9787 -- " negl %0\n" \
9788 -- " andl $7,%0\n" \
9789 -- " subl %0,%3\n" \
9790 -- "4: rep; movsb\n" \
9791 -- " movl %3,%0\n" \
9792 -- " shrl $2,%0\n" \
9793 -- " andl $3,%3\n" \
9794 -- " .align 2,0x90\n" \
9795 -- "0: rep; movsl\n" \
9796 -- " movl %3,%0\n" \
9797 -- "1: rep; movsb\n" \
9798 -- "2:\n" \
9799 -- ".section .fixup,\"ax\"\n" \
9800 -- "5: addl %3,%0\n" \
9801 -- " jmp 2b\n" \
9802 -- "3: lea 0(%3,%0,4),%0\n" \
9803 -- " jmp 2b\n" \
9804 -- ".previous\n" \
9805 -- ".section __ex_table,\"a\"\n" \
9806 -- " .align 4\n" \
9807 -- " .long 4b,5b\n" \
9808 -- " .long 0b,3b\n" \
9809 -- " .long 1b,2b\n" \
9810 -- ".previous" \
9811 -- : "=&c"(size), "=&D" (__d0), "=&S" (__d1), "=r"(__d2) \
9812 -- : "3"(size), "0"(size), "1"(to), "2"(from) \
9813 -- : "memory"); \
9814 --} while (0)
9815 --
9816 --#define __copy_user_zeroing(to,from,size) \
9817 --do { \
9818 -- int __d0, __d1, __d2; \
9819 -- __asm__ __volatile__( \
9820 -- " cmp $7,%0\n" \
9821 -- " jbe 1f\n" \
9822 -- " movl %1,%0\n" \
9823 -- " negl %0\n" \
9824 -- " andl $7,%0\n" \
9825 -- " subl %0,%3\n" \
9826 -- "4: rep; movsb\n" \
9827 -- " movl %3,%0\n" \
9828 -- " shrl $2,%0\n" \
9829 -- " andl $3,%3\n" \
9830 -- " .align 2,0x90\n" \
9831 -- "0: rep; movsl\n" \
9832 -- " movl %3,%0\n" \
9833 -- "1: rep; movsb\n" \
9834 -- "2:\n" \
9835 -- ".section .fixup,\"ax\"\n" \
9836 -- "5: addl %3,%0\n" \
9837 -- " jmp 6f\n" \
9838 -- "3: lea 0(%3,%0,4),%0\n" \
9839 -- "6: pushl %0\n" \
9840 -- " pushl %%eax\n" \
9841 -- " xorl %%eax,%%eax\n" \
9842 -- " rep; stosb\n" \
9843 -- " popl %%eax\n" \
9844 -- " popl %0\n" \
9845 -- " jmp 2b\n" \
9846 -- ".previous\n" \
9847 -- ".section __ex_table,\"a\"\n" \
9848 -- " .align 4\n" \
9849 -- " .long 4b,5b\n" \
9850 -- " .long 0b,3b\n" \
9851 -- " .long 1b,6b\n" \
9852 -- ".previous" \
9853 -- : "=&c"(size), "=&D" (__d0), "=&S" (__d1), "=r"(__d2) \
9854 -- : "3"(size), "0"(size), "1"(to), "2"(from) \
9855 -- : "memory"); \
9856 --} while (0)
9857 -+static unsigned long
9858 -+__generic_copy_to_user(void __user *to, const void *from, unsigned long size)
9859 -+{
9860 -+ int __d0, __d1, __d2;
9861 -+
9862 -+ __asm__ __volatile__(
9863 -+ " movw %w8,%%es\n"
9864 -+ " cmp $7,%0\n"
9865 -+ " jbe 1f\n"
9866 -+ " movl %1,%0\n"
9867 -+ " negl %0\n"
9868 -+ " andl $7,%0\n"
9869 -+ " subl %0,%3\n"
9870 -+ "4: rep; movsb\n"
9871 -+ " movl %3,%0\n"
9872 -+ " shrl $2,%0\n"
9873 -+ " andl $3,%3\n"
9874 -+ " .align 2,0x90\n"
9875 -+ "0: rep; movsl\n"
9876 -+ " movl %3,%0\n"
9877 -+ "1: rep; movsb\n"
9878 -+ "2:\n"
9879 -+ " pushl %%ss\n"
9880 -+ " popl %%es\n"
9881 -+ ".section .fixup,\"ax\"\n"
9882 -+ "5: addl %3,%0\n"
9883 -+ " jmp 2b\n"
9884 -+ "3: lea 0(%3,%0,4),%0\n"
9885 -+ " jmp 2b\n"
9886 -+ ".previous\n"
9887 -+ ".section __ex_table,\"a\"\n"
9888 -+ " .align 4\n"
9889 -+ " .long 4b,5b\n"
9890 -+ " .long 0b,3b\n"
9891 -+ " .long 1b,2b\n"
9892 -+ ".previous"
9893 -+ : "=&c"(size), "=&D" (__d0), "=&S" (__d1), "=r"(__d2)
9894 -+ : "3"(size), "0"(size), "1"(to), "2"(from), "r"(__USER_DS)
9895 -+ : "memory");
9896 -+ return size;
9897 -+}
9898 -+
9899 -+static unsigned long
9900 -+__generic_copy_from_user(void *to, const void __user *from, unsigned long size)
9901 -+{
9902 -+ int __d0, __d1, __d2;
9903 -+
9904 -+ __asm__ __volatile__(
9905 -+ " movw %w8,%%ds\n"
9906 -+ " cmp $7,%0\n"
9907 -+ " jbe 1f\n"
9908 -+ " movl %1,%0\n"
9909 -+ " negl %0\n"
9910 -+ " andl $7,%0\n"
9911 -+ " subl %0,%3\n"
9912 -+ "4: rep; movsb\n"
9913 -+ " movl %3,%0\n"
9914 -+ " shrl $2,%0\n"
9915 -+ " andl $3,%3\n"
9916 -+ " .align 2,0x90\n"
9917 -+ "0: rep; movsl\n"
9918 -+ " movl %3,%0\n"
9919 -+ "1: rep; movsb\n"
9920 -+ "2:\n"
9921 -+ " pushl %%ss\n"
9922 -+ " popl %%ds\n"
9923 -+ ".section .fixup,\"ax\"\n"
9924 -+ "5: addl %3,%0\n"
9925 -+ " jmp 2b\n"
9926 -+ "3: lea 0(%3,%0,4),%0\n"
9927 -+ " jmp 2b\n"
9928 -+ ".previous\n"
9929 -+ ".section __ex_table,\"a\"\n"
9930 -+ " .align 4\n"
9931 -+ " .long 4b,5b\n"
9932 -+ " .long 0b,3b\n"
9933 -+ " .long 1b,2b\n"
9934 -+ ".previous"
9935 -+ : "=&c"(size), "=&D" (__d0), "=&S" (__d1), "=r"(__d2)
9936 -+ : "3"(size), "0"(size), "1"(to), "2"(from), "r"(__USER_DS)
9937 -+ : "memory");
9938 -+ return size;
9939 -+}
9940 -+
9941 -+static unsigned long
9942 -+__copy_user_zeroing(void *to, const void __user *from, unsigned long size)
9943 -+{
9944 -+ int __d0, __d1, __d2;
9945 -+
9946 -+ __asm__ __volatile__(
9947 -+ " movw %w8,%%ds\n"
9948 -+ " cmp $7,%0\n"
9949 -+ " jbe 1f\n"
9950 -+ " movl %1,%0\n"
9951 -+ " negl %0\n"
9952 -+ " andl $7,%0\n"
9953 -+ " subl %0,%3\n"
9954 -+ "4: rep; movsb\n"
9955 -+ " movl %3,%0\n"
9956 -+ " shrl $2,%0\n"
9957 -+ " andl $3,%3\n"
9958 -+ " .align 2,0x90\n"
9959 -+ "0: rep; movsl\n"
9960 -+ " movl %3,%0\n"
9961 -+ "1: rep; movsb\n"
9962 -+ "2:\n"
9963 -+ " pushl %%ss\n"
9964 -+ " popl %%ds\n"
9965 -+ ".section .fixup,\"ax\"\n"
9966 -+ "5: addl %3,%0\n"
9967 -+ " jmp 6f\n"
9968 -+ "3: lea 0(%3,%0,4),%0\n"
9969 -+ "6: pushl %0\n"
9970 -+ " pushl %%eax\n"
9971 -+ " xorl %%eax,%%eax\n"
9972 -+ " rep; stosb\n"
9973 -+ " popl %%eax\n"
9974 -+ " popl %0\n"
9975 -+ " jmp 2b\n"
9976 -+ ".previous\n"
9977 -+ ".section __ex_table,\"a\"\n"
9978 -+ " .align 4\n"
9979 -+ " .long 4b,5b\n"
9980 -+ " .long 0b,3b\n"
9981 -+ " .long 1b,6b\n"
9982 -+ ".previous"
9983 -+ : "=&c"(size), "=&D" (__d0), "=&S" (__d1), "=r"(__d2)
9984 -+ : "3"(size), "0"(size), "1"(to), "2"(from), "r"(__USER_DS)
9985 -+ : "memory");
9986 -+ return size;
9987 -+}
9988 -
9989 - unsigned long __copy_to_user_ll(void __user *to, const void *from,
9990 - unsigned long n)
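Review bot: the fixup path at label 6 in __copy_user_zeroing zeroes the unwritten tail with `rep; stosb`, which writes through %es, while the function has only reloaded %ds with __USER_DS; it therefore depends on %es still holding the kernel data segment on entry and on the fault entry/exit preserving the caller's %ds so that `pushl %%ss; popl %%ds` at label 2 is reached after the fixup. Neither assumption is written down; a comment above `movw %w8,%%ds` explaining the UDEREF segment switch and its restore via %ss would save the next reader from re-deriving it. The remaining-count arithmetic itself checks out: at label 5, `addl %3,%0` adds back the bytes left after the alignment prologue, and at label 3, `lea 0(%3,%0,4),%0` recombines the remaining dwords with the byte remainder before the zeroing loop.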
9991 -@@ -774,9 +965,9 @@ survive:
9992 - }
9993 - #endif
9994 - if (movsl_is_ok(to, from, n))
9995 -- __copy_user(to, from, n);
9996 -+ n = __generic_copy_to_user(to, from, n);
9997 - else
9998 -- n = __copy_user_intel(to, from, n);
9999 -+ n = __generic_copy_to_user_intel(to, from, n);
10000 - return n;
10001 - }
10002 - EXPORT_SYMBOL(__copy_to_user_ll);
10003 -@@ -785,7 +976,7 @@ unsigned long __copy_from_user_ll(void *
10004 - unsigned long n)
10005 - {
10006 - if (movsl_is_ok(to, from, n))
10007 -- __copy_user_zeroing(to, from, n);
10008 -+ n = __copy_user_zeroing(to, from, n);
10009 - else
10010 - n = __copy_user_zeroing_intel(to, from, n);
10011 - return n;
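Review bot: only the `movsl_is_ok()` branch of __copy_from_user_ll moves to a variant that loads __USER_DS; the `else` branch still calls `__copy_user_zeroing_intel(to, from, n)` unchanged. If that routine is not adapted elsewhere in the patch, the Intel copy path reads user memory through the kernel %ds and bypasses UDEREF on exactly the CPUs where movsl_is_ok() fails. Worth confirming, since nothing in this hunk shows it.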
10012 -@@ -796,9 +987,9 @@ unsigned long __copy_from_user_ll_nozero
10013 - unsigned long n)
10014 - {
10015 - if (movsl_is_ok(to, from, n))
10016 -- __copy_user(to, from, n);
10017 -+ n = __generic_copy_from_user(to, from, n);
10018 - else
10019 -- n = __copy_user_intel((void __user *)to,
10020 -+ n = __generic_copy_from_user_intel((void __user *)to,
10021 - (const void *)from, n);
10022 - return n;
10023 - }
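Review bot: `__generic_copy_from_user_intel((void __user *)to, (const void *)from, n)` keeps the old casts that swap the __user annotations, a leftover of reusing the to-user routine for the from-user direction. Now that a dedicated from-user variant exists, give it the natural `void *to, const void __user *from` prototype and drop the casts, so sparse can check the copy direction instead of being silenced.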
10024 -@@ -809,9 +1000,9 @@ unsigned long __copy_from_user_ll_nocach
10025 - {
10026 - #ifdef CONFIG_X86_INTEL_USERCOPY
10027 - if ( n > 64 && cpu_has_xmm2)
10028 -- n = __copy_user_zeroing_intel_nocache(to, from, n);
10029 -+ n = __copy_user_zeroing_intel_nocache(to, from, n);
10030 - else
10031 -- __copy_user_zeroing(to, from, n);
10032 -+ n = __copy_user_zeroing(to, from, n);
10033 - #else
10034 - __copy_user_zeroing(to, from, n);
10035 - #endif
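Review bot: the `#else` branch of __copy_from_user_ll_nocache still reads `__copy_user_zeroing(to, from, n);` with the return value discarded. Under the old macro that updated `n` in place; now that __copy_user_zeroing is a function returning the uncopied count, this branch returns the caller's original `n` untouched, which the caller reads as "nothing was copied", so every call on a non-CONFIG_X86_INTEL_USERCOPY build fails. It needs the same `n = __copy_user_zeroing(to, from, n);` that the INTEL_USERCOPY branch received (and that the next hunk applies to its own `#else`). The `n = __copy_user_zeroing_intel_nocache(to, from, n);` remove/add pair in this hunk is a whitespace-only change and could be dropped from the diff.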
10036 -@@ -823,11 +1014,11 @@ unsigned long __copy_from_user_ll_nocach
10037 - {
10038 - #ifdef CONFIG_X86_INTEL_USERCOPY
10039 - if ( n > 64 && cpu_has_xmm2)
10040 -- n = __copy_user_intel_nocache(to, from, n);
10041 -+ n = __copy_user_intel_nocache(to, from, n);
10042 - else
10043 -- __copy_user(to, from, n);
10044 -+ n = __generic_copy_from_user(to, from, n);
10045 - #else
10046 -- __copy_user(to, from, n);
10047 -+ n = __generic_copy_from_user(to, from, n);
10048 - #endif
10049 - return n;
10050 - }
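Review bot: the `n = __copy_user_intel_nocache(to, from, n);` remove/add pair is a whitespace-only change; the substantive part of the hunk is the two `n = __generic_copy_from_user(to, from, n);` assignments, which are right, and this hunk does update its `#else` branch, unlike the preceding one for the zeroing variant.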
10051 -@@ -880,3 +1071,30 @@ copy_from_user(void *to, const void __us
10052 - return n;
10053 - }
10054 - EXPORT_SYMBOL(copy_from_user);
10055 -+
10056 -+#ifdef CONFIG_PAX_MEMORY_UDEREF
10057 -+void __set_fs(mm_segment_t x, int cpu)
10058 -+{
10059 -+ unsigned long limit = x.seg;
10060 -+ __u32 a, b;
10061 -+
10062 -+ current_thread_info()->addr_limit = x;
10063 -+ if (likely(limit))
10064 -+ limit = (limit - 1UL) >> PAGE_SHIFT;
10065 -+ pack_descriptor(&a, &b, 0UL, limit, 0xF3, 0xC);
10066 -+ write_gdt_entry(get_cpu_gdt_table(cpu), GDT_ENTRY_DEFAULT_USER_DS, a, b);
10067 -+}
10068 -+
10069 -+void set_fs(mm_segment_t x)
10070 -+{
10071 -+ __set_fs(x, get_cpu());
10072 -+ put_cpu_no_resched();
10073 -+}
10074 -+#else
10075 -+void set_fs(mm_segment_t x)
10076 -+{
10077 -+ current_thread_info()->addr_limit = x;
10078 -+}
10079 -+#endif
10080 -+
10081 -+EXPORT_SYMBOL(set_fs);
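Review bot: `pack_descriptor(&a, &b, 0UL, limit, 0xF3, 0xC)` carries two magic numbers with no comment; a line saying this is a present, DPL 3, read/write, accessed data segment with 4K granularity and a 32-bit default size would make the intent checkable. Two edge cases in __set_fs deserve a comment as well: for `x.seg == 0` the `likely(limit)` guard leaves limit at 0, which with page granularity still exposes the first 4K rather than nothing; and for an `x.seg` that is not page aligned, `(limit - 1UL) >> PAGE_SHIFT` rounds the segment limit up to the end of the containing page, so the hardware check is slightly looser than `addr_limit`. Both are presumably acceptable because the software range check stays in place, but the reader should not have to work that out.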
10082 -diff -urNp linux-2.6.24.4/arch/x86/mach-voyager/voyager_basic.c linux-2.6.24.4/arch/x86/mach-voyager/voyager_basic.c
10083 ---- linux-2.6.24.4/arch/x86/mach-voyager/voyager_basic.c 2008-03-24 14:49:18.000000000 -0400
10084 -+++ linux-2.6.24.4/arch/x86/mach-voyager/voyager_basic.c 2008-03-26 17:56:55.000000000 -0400
10085 -@@ -130,7 +130,7 @@ voyager_memory_detect(int region, __u32
10086 - __u8 cmos[4];
10087 - ClickMap_t *map;
10088 - unsigned long map_addr;
10089 -- unsigned long old;
10090 -+ pte_t old;
10091 -
10092 - if(region >= CLICK_ENTRIES) {
10093 - printk("Voyager: Illegal ClickMap region %d\n", region);
10094 -@@ -144,7 +144,7 @@ voyager_memory_detect(int region, __u32
10095 -
10096 - /* steal page 0 for this */
10097 - old = pg0[0];
10098 -- pg0[0] = ((map_addr & PAGE_MASK) | _PAGE_RW | _PAGE_PRESENT);
10099 -+ pg0[0] = __pte((map_addr & PAGE_MASK) | _PAGE_RW | _PAGE_PRESENT);
10100 - local_flush_tlb();
10101 - /* now clear everything out but page 0 */
10102 - map = (ClickMap_t *)(map_addr & (~PAGE_MASK));
10103 -diff -urNp linux-2.6.24.4/arch/x86/mach-voyager/voyager_smp.c linux-2.6.24.4/arch/x86/mach-voyager/voyager_smp.c
10104 ---- linux-2.6.24.4/arch/x86/mach-voyager/voyager_smp.c 2008-03-24 14:49:18.000000000 -0400
10105 -+++ linux-2.6.24.4/arch/x86/mach-voyager/voyager_smp.c 2008-03-26 17:56:55.000000000 -0400
10106 -@@ -554,6 +554,10 @@ do_boot_cpu(__u8 cpu)
10107 - __u32 *hijack_vector;
10108 - __u32 start_phys_address = setup_trampoline();
10109 -
10110 -+#ifdef CONFIG_PAX_KERNEXEC
10111 -+ unsigned long cr0;
10112 -+#endif
10113 -+
10114 - /* There's a clever trick to this: The linux trampoline is
10115 - * compiled to begin at absolute location zero, so make the
10116 - * address zero but have the data segment selector compensate
10117 -@@ -573,7 +577,17 @@ do_boot_cpu(__u8 cpu)
10118 -
10119 - init_gdt(cpu);
10120 - per_cpu(current_task, cpu) = idle;
10121 -- early_gdt_descr.address = (unsigned long)get_cpu_gdt_table(cpu);
10122 -+
10123 -+#ifdef CONFIG_PAX_KERNEXEC
10124 -+ pax_open_kernel(cr0);
10125 -+#endif
10126 -+
10127 -+ early_gdt_descr.address = get_cpu_gdt_table(cpu);
10128 -+
10129 -+#ifdef CONFIG_PAX_KERNEXEC
10130 -+ pax_close_kernel(cr0);
10131 -+#endif
10132 -+
10133 - irq_ctx_init(cpu);
10134 -
10135 - /* Note: Don't modify initial ss override */
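Review bot: `early_gdt_descr.address = get_cpu_gdt_table(cpu);` drops the `(unsigned long)` cast, which only compiles if the `address` member of the descriptor struct has been changed to a pointer type in a hunk outside this file; the fault_32.c hunk further down casts `idt_descr.address` back to `unsigned long` for the same reason. If that struct change is part of the patch, fine; otherwise this line breaks the Voyager build, which is easy to miss on a rarely built subarch. The pax_open_kernel/pax_close_kernel pair brackets a single store, presumably because `early_gdt_descr` becomes read-only under KERNEXEC; say so in a comment.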
10136 -@@ -1277,7 +1291,7 @@ smp_local_timer_interrupt(void)
10137 - per_cpu(prof_counter, cpu);
10138 - }
10139 -
10140 -- update_process_times(user_mode_vm(get_irq_regs()));
10141 -+ update_process_times(user_mode(get_irq_regs()));
10142 - }
10143 -
10144 - if( ((1<<cpu) & voyager_extended_vic_processors) == 0)
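Review bot: `user_mode_vm()` was used in smp_local_timer_interrupt because it also treats VM86-mode frames (VM_MASK set in eflags) as user mode, whereas `user_mode()` in 2.6.24 only looks at the CS RPL, which a vm86 segment value need not carry. Unless the patch redefines `user_mode()` elsewhere to fold in the VM flag, this hunk changes process-time accounting for vm86 tasks; the same substitution appears in notify_page_fault in fault_32.c, where it gates kprobe handling. Please state which it is.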
10145 -diff -urNp linux-2.6.24.4/arch/x86/mm/boot_ioremap_32.c linux-2.6.24.4/arch/x86/mm/boot_ioremap_32.c
10146 ---- linux-2.6.24.4/arch/x86/mm/boot_ioremap_32.c 2008-03-24 14:49:18.000000000 -0400
10147 -+++ linux-2.6.24.4/arch/x86/mm/boot_ioremap_32.c 2008-03-26 17:56:55.000000000 -0400
10148 -@@ -7,57 +7,37 @@
10149 - * Written by Dave Hansen <haveblue@××××××.com>
10150 - */
10151 -
10152 --
10153 --/*
10154 -- * We need to use the 2-level pagetable functions, but CONFIG_X86_PAE
10155 -- * keeps that from happening. If anyone has a better way, I'm listening.
10156 -- *
10157 -- * boot_pte_t is defined only if this all works correctly
10158 -- */
10159 --
10160 --#undef CONFIG_X86_PAE
10161 - #undef CONFIG_PARAVIRT
10162 - #include <asm/page.h>
10163 - #include <asm/pgtable.h>
10164 - #include <asm/tlbflush.h>
10165 - #include <linux/init.h>
10166 - #include <linux/stddef.h>
10167 --
10168 --/*
10169 -- * I'm cheating here. It is known that the two boot PTE pages are
10170 -- * allocated next to each other. I'm pretending that they're just
10171 -- * one big array.
10172 -- */
10173 --
10174 --#define BOOT_PTE_PTRS (PTRS_PER_PTE*2)
10175 --
10176 --static unsigned long boot_pte_index(unsigned long vaddr)
10177 --{
10178 -- return __pa(vaddr) >> PAGE_SHIFT;
10179 --}
10180 --
10181 --static inline boot_pte_t* boot_vaddr_to_pte(void *address)
10182 --{
10183 -- boot_pte_t* boot_pg = (boot_pte_t*)pg0;
10184 -- return &boot_pg[boot_pte_index((unsigned long)address)];
10185 --}
10186 -+#include <linux/sched.h>
10187 -
10188 - /*
10189 - * This is only for a caller who is clever enough to page-align
10190 - * phys_addr and virtual_source, and who also has a preference
10191 - * about which virtual address from which to steal ptes
10192 - */
10193 --static void __boot_ioremap(unsigned long phys_addr, unsigned long nrpages,
10194 -- void* virtual_source)
10195 -+static void __init __boot_ioremap(unsigned long phys_addr, unsigned long nrpages,
10196 -+ char* virtual_source)
10197 - {
10198 -- boot_pte_t* pte;
10199 -- int i;
10200 -- char *vaddr = virtual_source;
10201 -+ pgd_t *pgd;
10202 -+ pud_t *pud;
10203 -+ pmd_t *pmd;
10204 -+ pte_t* pte;
10205 -+ unsigned int i;
10206 -+ unsigned long vaddr = (unsigned long)virtual_source;
10207 -+
10208 -+ pgd = pgd_offset_k(vaddr);
10209 -+ pud = pud_offset(pgd, vaddr);
10210 -+ pmd = pmd_offset(pud, vaddr);
10211 -+ pte = pte_offset_kernel(pmd, vaddr);
10212 -
10213 -- pte = boot_vaddr_to_pte(virtual_source);
10214 - for (i=0; i < nrpages; i++, phys_addr += PAGE_SIZE, pte++) {
10215 - set_pte(pte, pfn_pte(phys_addr>>PAGE_SHIFT, PAGE_KERNEL));
10216 -- __flush_tlb_one(&vaddr[i*PAGE_SIZE]);
10217 -+ __flush_tlb_one(&virtual_source[i*PAGE_SIZE]);
10218 - }
10219 - }
10220 -
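Review bot: the new page-table walk in __boot_ioremap does `pgd_offset_k`, `pud_offset`, `pmd_offset`, `pte_offset_kernel` with no presence checks and no `pmd_large()` check, so it silently assumes that `virtual_source` already has a 4K page table beneath it. The old code had the same assumption baked into `boot_vaddr_to_pte`, but now that the walk is explicit a `BUG_ON(!pmd_present(*pmd))` or at least a comment would document the contract. The loop also still does `pte++` across `nrpages` without checking that it stays within one PTE page; fine for the small ranges this is used for, but it should be stated. Dropping the `#undef CONFIG_X86_PAE` hack is a clear improvement.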
10221 -diff -urNp linux-2.6.24.4/arch/x86/mm/extable_32.c linux-2.6.24.4/arch/x86/mm/extable_32.c
10222 ---- linux-2.6.24.4/arch/x86/mm/extable_32.c 2008-03-24 14:49:18.000000000 -0400
10223 -+++ linux-2.6.24.4/arch/x86/mm/extable_32.c 2008-03-26 17:56:55.000000000 -0400
10224 -@@ -4,14 +4,63 @@
10225 -
10226 - #include <linux/module.h>
10227 - #include <linux/spinlock.h>
10228 -+#include <linux/sort.h>
10229 - #include <asm/uaccess.h>
10230 -
10231 -+/*
10232 -+ * The exception table needs to be sorted so that the binary
10233 -+ * search that we use to find entries in it works properly.
10234 -+ * This is used both for the kernel exception table and for
10235 -+ * the exception tables of modules that get loaded.
10236 -+ */
10237 -+static int cmp_ex(const void *a, const void *b)
10238 -+{
10239 -+ const struct exception_table_entry *x = a, *y = b;
10240 -+
10241 -+ /* avoid overflow */
10242 -+ if (x->insn > y->insn)
10243 -+ return 1;
10244 -+ if (x->insn < y->insn)
10245 -+ return -1;
10246 -+ return 0;
10247 -+}
10248 -+
10249 -+static void swap_ex(void *a, void *b, int size)
10250 -+{
10251 -+ struct exception_table_entry t, *x = a, *y = b;
10252 -+
10253 -+#ifdef CONFIG_PAX_KERNEXEC
10254 -+ unsigned long cr0;
10255 -+#endif
10256 -+
10257 -+ t = *x;
10258 -+
10259 -+#ifdef CONFIG_PAX_KERNEXEC
10260 -+ pax_open_kernel(cr0);
10261 -+#endif
10262 -+
10263 -+ *x = *y;
10264 -+ *y = t;
10265 -+
10266 -+#ifdef CONFIG_PAX_KERNEXEC
10267 -+ pax_close_kernel(cr0);
10268 -+#endif
10269 -+
10270 -+}
10271 -+
10272 -+void sort_extable(struct exception_table_entry *start,
10273 -+ struct exception_table_entry *finish)
10274 -+{
10275 -+ sort(start, finish - start, sizeof(struct exception_table_entry),
10276 -+ cmp_ex, swap_ex);
10277 -+}
10278 -+
10279 - int fixup_exception(struct pt_regs *regs)
10280 - {
10281 - const struct exception_table_entry *fixup;
10282 -
10283 - #ifdef CONFIG_PNPBIOS
10284 -- if (unlikely(SEGMENT_IS_PNP_CODE(regs->xcs)))
10285 -+ if (unlikely(!(regs->eflags & VM_MASK) && SEGMENT_IS_PNP_CODE(regs->xcs)))
10286 - {
10287 - extern u32 pnp_bios_fault_eip, pnp_bios_fault_esp;
10288 - extern u32 pnp_bios_is_utter_crap;
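Review bot: swap_ex does a pax_open_kernel/pax_close_kernel round trip per swap, and sort() will call it O(n log n) times over the whole exception table at boot and again for every loaded module; opening once around the `sort()` call in sort_extable would be far cheaper at the cost of a longer writable window. Either choice is defensible, but pick it consciously and comment it. The unused `size` parameter is fine, it is the sort() callback signature. Since the generic lib/extable.c also provides a sort_extable, this definition presumably relies on an ARCH_HAS_SORT_EXTABLE define in a header hunk; check that it is present, or both symbols will be defined. The added `!(regs->eflags & VM_MASK)` guard before SEGMENT_IS_PNP_CODE is correct: a vm86 frame's CS is a real-mode segment value and must not be mistaken for the PnP BIOS selector.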
10289 -diff -urNp linux-2.6.24.4/arch/x86/mm/extable_64.c linux-2.6.24.4/arch/x86/mm/extable_64.c
10290 ---- linux-2.6.24.4/arch/x86/mm/extable_64.c 2008-03-24 14:49:18.000000000 -0400
10291 -+++ linux-2.6.24.4/arch/x86/mm/extable_64.c 2008-03-26 17:56:55.000000000 -0400
10292 -@@ -4,9 +4,58 @@
10293 -
10294 - #include <linux/module.h>
10295 - #include <linux/spinlock.h>
10296 -+#include <linux/sort.h>
10297 - #include <linux/init.h>
10298 - #include <asm/uaccess.h>
10299 -
10300 -+/*
10301 -+ * The exception table needs to be sorted so that the binary
10302 -+ * search that we use to find entries in it works properly.
10303 -+ * This is used both for the kernel exception table and for
10304 -+ * the exception tables of modules that get loaded.
10305 -+ */
10306 -+static int cmp_ex(const void *a, const void *b)
10307 -+{
10308 -+ const struct exception_table_entry *x = a, *y = b;
10309 -+
10310 -+ /* avoid overflow */
10311 -+ if (x->insn > y->insn)
10312 -+ return 1;
10313 -+ if (x->insn < y->insn)
10314 -+ return -1;
10315 -+ return 0;
10316 -+}
10317 -+
10318 -+static void swap_ex(void *a, void *b, int size)
10319 -+{
10320 -+ struct exception_table_entry t, *x = a, *y = b;
10321 -+
10322 -+#ifdef CONFIG_PAX_KERNEXEC
10323 -+ unsigned long cr0;
10324 -+#endif
10325 -+
10326 -+ t = *x;
10327 -+
10328 -+#ifdef CONFIG_PAX_KERNEXEC
10329 -+ pax_open_kernel(cr0);
10330 -+#endif
10331 -+
10332 -+ *x = *y;
10333 -+ *y = t;
10334 -+
10335 -+#ifdef CONFIG_PAX_KERNEXEC
10336 -+ pax_close_kernel(cr0);
10337 -+#endif
10338 -+
10339 -+}
10340 -+
10341 -+void sort_extable(struct exception_table_entry *start,
10342 -+ struct exception_table_entry *finish)
10343 -+{
10344 -+ sort(start, finish - start, sizeof(struct exception_table_entry),
10345 -+ cmp_ex, swap_ex);
10346 -+}
10347 -+
10348 - /* Simple binary search */
10349 - const struct exception_table_entry *
10350 - search_extable(const struct exception_table_entry *first,
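Review bot: cmp_ex, swap_ex and sort_extable here are byte-for-byte copies of the extable_32.c versions, including the KERNEXEC open/close around the swap. Put them in one shared arch/x86/mm file rather than maintaining two copies that will drift; the same ARCH_HAS_SORT_EXTABLE question as for the 32-bit file applies.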
10351 -diff -urNp linux-2.6.24.4/arch/x86/mm/fault_32.c linux-2.6.24.4/arch/x86/mm/fault_32.c
10352 ---- linux-2.6.24.4/arch/x86/mm/fault_32.c 2008-03-24 14:49:18.000000000 -0400
10353 -+++ linux-2.6.24.4/arch/x86/mm/fault_32.c 2008-03-26 18:53:27.000000000 -0400
10354 -@@ -26,10 +26,14 @@
10355 - #include <linux/uaccess.h>
10356 - #include <linux/kdebug.h>
10357 - #include <linux/kprobes.h>
10358 -+#include <linux/unistd.h>
10359 -+#include <linux/compiler.h>
10360 -+#include <linux/binfmts.h>
10361 -
10362 - #include <asm/system.h>
10363 - #include <asm/desc.h>
10364 - #include <asm/segment.h>
10365 -+#include <asm/tlbflush.h>
10366 -
10367 - extern void die(const char *,struct pt_regs *,long);
10368 -
10369 -@@ -39,7 +43,7 @@ static inline int notify_page_fault(stru
10370 - int ret = 0;
10371 -
10372 - /* kprobe_running() needs smp_processor_id() */
10373 -- if (!user_mode_vm(regs)) {
10374 -+ if (!user_mode(regs)) {
10375 - preempt_disable();
10376 - if (kprobe_running() && kprobe_fault_handler(regs, 14))
10377 - ret = 1;
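Review bot: same concern as in the smp_local_timer_interrupt hunk: `!user_mode(regs)` only tests the CS RPL, so a fault taken in vm86 mode (where the saved CS is a real-mode segment value) may be classified as a kernel fault and sent into the kprobe handler with preemption disabled, which `user_mode_vm()` avoided. If `user_mode()` is redefined to include the VM_MASK check elsewhere in the patch, note that in the changelog.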
10378 -@@ -74,7 +78,8 @@ static inline unsigned long get_segment_
10379 - {
10380 - unsigned long eip = regs->eip;
10381 - unsigned seg = regs->xcs & 0xffff;
10382 -- u32 seg_ar, seg_limit, base, *desc;
10383 -+ u32 seg_ar, seg_limit, base;
10384 -+ struct desc_struct *desc;
10385 -
10386 - /* Unlikely, but must come before segment checks. */
10387 - if (unlikely(regs->eflags & VM_MASK)) {
10388 -@@ -88,7 +93,7 @@ static inline unsigned long get_segment_
10389 -
10390 - /* By far the most common cases. */
10391 - if (likely(SEGMENT_IS_FLAT_CODE(seg)))
10392 -- return eip;
10393 -+ return seg == __KERNEL_CS ? ktla_ktva(eip) : eip;
10394 -
10395 - /* Check the segment exists, is within the current LDT/GDT size,
10396 - that kernel/user (ring 0..3) has the appropriate privilege,
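Review bot: `ktla_ktva(eip)` for the `__KERNEL_CS` case is a KERNEXEC address conversion not defined in this hunk; confirm that the header providing it defines it as the identity when CONFIG_PAX_KERNEXEC is off, since get_segment_eip is compiled unconditionally.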
10397 -@@ -103,21 +108,24 @@ static inline unsigned long get_segment_
10398 - /* Get the GDT/LDT descriptor base.
10399 - When you look for races in this code remember that
10400 - LDT and other horrors are only used in user space. */
10401 -- if (seg & (1<<2)) {
10402 -+ if (seg & SEGMENT_LDT) {
10403 - /* Must lock the LDT while reading it. */
10404 - mutex_lock(&current->mm->context.lock);
10405 -- desc = current->mm->context.ldt;
10406 -- desc = (void *)desc + (seg & ~7);
10407 -+ if ((seg >> 3) >= current->mm->context.size) {
10408 -+ mutex_unlock(&current->mm->context.lock);
10409 -+ *eip_limit = 0;
10410 -+ return 1; /* So that returned eip > *eip_limit. */
10411 -+ }
10412 -+ desc = &current->mm->context.ldt[seg >> 3];
10413 - } else {
10414 - /* Must disable preemption while reading the GDT. */
10415 -- desc = (u32 *)get_cpu_gdt_table(get_cpu());
10416 -- desc = (void *)desc + (seg & ~7);
10417 -+ desc = &get_cpu_gdt_table(get_cpu())[seg >> 3];
10418 - }
10419 -
10420 - /* Decode the code segment base from the descriptor */
10421 -- base = get_desc_base((unsigned long *)desc);
10422 -+ base = get_desc_base(desc);
10423 -
10424 -- if (seg & (1<<2)) {
10425 -+ if (seg & SEGMENT_LDT) {
10426 - mutex_unlock(&current->mm->context.lock);
10427 - } else
10428 - put_cpu();
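Review bot: the new `(seg >> 3) >= current->mm->context.size` check closes an out-of-bounds read of the LDT array and is the right thing; the early return leaves `*eip_limit = 0` and returns 1 so the caller's `eip > *eip_limit` test fails closed, as the comment says. The GDT branch gets no equivalent bound against GDT_ENTRIES: `&get_cpu_gdt_table(get_cpu())[seg >> 3]` will still read past the per-cpu GDT for a selector index above it. The CPU would normally reject such a CS before a fault could be delivered, but the LDT branch was in the same position and still gained a check, so make the two symmetric.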
10429 -@@ -216,6 +224,30 @@ static noinline void force_sig_info_faul
10430 -
10431 - fastcall void do_invalid_op(struct pt_regs *, unsigned long);
10432 -
10433 -+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
10434 -+static int pax_handle_fetch_fault(struct pt_regs *regs);
10435 -+#endif
10436 -+
10437 -+#ifdef CONFIG_PAX_PAGEEXEC
10438 -+static inline pmd_t * pax_get_pmd(struct mm_struct *mm, unsigned long address)
10439 -+{
10440 -+ pgd_t *pgd;
10441 -+ pud_t *pud;
10442 -+ pmd_t *pmd;
10443 -+
10444 -+ pgd = pgd_offset(mm, address);
10445 -+ if (!pgd_present(*pgd))
10446 -+ return NULL;
10447 -+ pud = pud_offset(pgd, address);
10448 -+ if (!pud_present(*pud))
10449 -+ return NULL;
10450 -+ pmd = pmd_offset(pud, address);
10451 -+ if (!pmd_present(*pmd))
10452 -+ return NULL;
10453 -+ return pmd;
10454 -+}
10455 -+#endif
10456 -+
10457 - static inline pmd_t *vmalloc_sync_one(pgd_t *pgd, unsigned long address)
10458 - {
10459 - unsigned index = pgd_index(address);
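Review bot: the forward declaration of pax_handle_fetch_fault is under `CONFIG_PAX_PAGEEXEC || CONFIG_PAX_SEGMEXEC`, but its definition at the end of the file and every call site are under CONFIG_PAX_EMUTRAMP; with PAGEEXEC enabled and EMUTRAMP disabled gcc will warn that a static function is declared but never defined. Guard the declaration with the same CONFIG_PAX_EMUTRAMP. Separately, pax_get_pmd returns any present pmd, including a large-page one; the caller then hands it to pte_offset_map_lock, which would interpret the huge pmd as a PTE table. Either add `pmd_large()` to the bail-out conditions or comment why PAGEEXEC-marked mappings can never be huge.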
10460 -@@ -299,19 +331,26 @@ fastcall void __kprobes do_page_fault(st
10461 - struct task_struct *tsk;
10462 - struct mm_struct *mm;
10463 - struct vm_area_struct * vma;
10464 -- unsigned long address;
10465 - int write, si_code;
10466 - int fault;
10467 -+ pte_t *pte;
10468 -+
10469 -+#ifdef CONFIG_PAX_PAGEEXEC
10470 -+ pmd_t *pmd;
10471 -+ spinlock_t *ptl;
10472 -+ unsigned char pte_mask;
10473 -+#endif
10474 -+
10475 -+ /* get the address */
10476 -+ const unsigned long address = read_cr2();
10477 -
10478 - /*
10479 - * We can fault from pretty much anywhere, with unknown IRQ state.
10480 - */
10481 - trace_hardirqs_fixup();
10482 -
10483 -- /* get the address */
10484 -- address = read_cr2();
10485 --
10486 - tsk = current;
10487 -+ mm = tsk->mm;
10488 -
10489 - si_code = SEGV_MAPERR;
10490 -
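Review bot: hoisting `read_cr2()` into the declaration of `address` is the right move, since anything that runs before it and can itself fault would clobber CR2; say that in a comment, otherwise the next refactor will move it back below trace_hardirqs_fixup(). `pte_t *pte` is now declared unconditionally, but its only uses are under CONFIG_PAX_PAGEEXEC in this function and under CONFIG_X86_PAE in the no_context block, so a build with neither gets an unused-variable warning; fold it into the `#ifdef` blocks. Moving `mm = tsk->mm` up is needed for the early PaX path and is harmless.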
10491 -@@ -348,14 +387,12 @@ fastcall void __kprobes do_page_fault(st
10492 - if (regs->eflags & (X86_EFLAGS_IF|VM_MASK))
10493 - local_irq_enable();
10494 -
10495 -- mm = tsk->mm;
10496 --
10497 - /*
10498 - * If we're in an interrupt, have no user context or are running in an
10499 - * atomic region then we must not take the fault..
10500 - */
10501 - if (in_atomic() || !mm)
10502 -- goto bad_area_nosemaphore;
10503 -+ goto bad_area_nopax;
10504 -
10505 - /* When running in the kernel we expect faults to occur only to
10506 - * addresses in user space. All other faults represent errors in the
10507 -@@ -375,10 +412,104 @@ fastcall void __kprobes do_page_fault(st
10508 - if (!down_read_trylock(&mm->mmap_sem)) {
10509 - if ((error_code & 4) == 0 &&
10510 - !search_exception_tables(regs->eip))
10511 -- goto bad_area_nosemaphore;
10512 -+ goto bad_area_nopax;
10513 - down_read(&mm->mmap_sem);
10514 - }
10515 -
10516 -+#ifdef CONFIG_PAX_PAGEEXEC
10517 -+ if (nx_enabled || (error_code & 5) != 5 || (regs->eflags & X86_EFLAGS_VM) ||
10518 -+ !(mm->pax_flags & MF_PAX_PAGEEXEC))
10519 -+ goto not_pax_fault;
10520 -+
10521 -+ /* PaX: it's our fault, let's handle it if we can */
10522 -+
10523 -+ /* PaX: take a look at read faults before acquiring any locks */
10524 -+ if (unlikely(!(error_code & 2) && (regs->eip == address))) {
10525 -+ /* instruction fetch attempt from a protected page in user mode */
10526 -+ up_read(&mm->mmap_sem);
10527 -+
10528 -+#ifdef CONFIG_PAX_EMUTRAMP
10529 -+ switch (pax_handle_fetch_fault(regs)) {
10530 -+ case 2:
10531 -+ return;
10532 -+ }
10533 -+#endif
10534 -+
10535 -+ pax_report_fault(regs, (void *)regs->eip, (void *)regs->esp);
10536 -+ do_group_exit(SIGKILL);
10537 -+ }
10538 -+
10539 -+ pmd = pax_get_pmd(mm, address);
10540 -+ if (unlikely(!pmd))
10541 -+ goto not_pax_fault;
10542 -+
10543 -+ pte = pte_offset_map_lock(mm, pmd, address, &ptl);
10544 -+ if (unlikely(!(pte_val(*pte) & _PAGE_PRESENT) || pte_user(*pte))) {
10545 -+ pte_unmap_unlock(pte, ptl);
10546 -+ goto not_pax_fault;
10547 -+ }
10548 -+
10549 -+ if (unlikely((error_code & 2) && !pte_write(*pte))) {
10550 -+ /* write attempt to a protected page in user mode */
10551 -+ pte_unmap_unlock(pte, ptl);
10552 -+ goto not_pax_fault;
10553 -+ }
10554 -+
10555 -+#ifdef CONFIG_SMP
10556 -+ if (likely(address > get_limit(regs->xcs) && cpu_isset(smp_processor_id(), mm->context.cpu_user_cs_mask)))
10557 -+#else
10558 -+ if (likely(address > get_limit(regs->xcs)))
10559 -+#endif
10560 -+ {
10561 -+ set_pte(pte, pte_mkread(*pte));
10562 -+ __flush_tlb_one(address);
10563 -+ pte_unmap_unlock(pte, ptl);
10564 -+ up_read(&mm->mmap_sem);
10565 -+ return;
10566 -+ }
10567 -+
10568 -+ pte_mask = _PAGE_ACCESSED | _PAGE_USER | ((error_code & 2) << (_PAGE_BIT_DIRTY-1));
10569 -+
10570 -+ /*
10571 -+ * PaX: fill DTLB with user rights and retry
10572 -+ */
10573 -+ __asm__ __volatile__ (
10574 -+#ifdef CONFIG_PAX_MEMORY_UDEREF
10575 -+ "movw %w4,%%es\n"
10576 -+#endif
10577 -+ "orb %2,(%1)\n"
10578 -+#if defined(CONFIG_M586) || defined(CONFIG_M586TSC)
10579 -+/*
10580 -+ * PaX: let this uncommented 'invlpg' remind us on the behaviour of Intel's
10581 -+ * (and AMD's) TLBs. namely, they do not cache PTEs that would raise *any*
10582 -+ * page fault when examined during a TLB load attempt. this is true not only
10583 -+ * for PTEs holding a non-present entry but also present entries that will
10584 -+ * raise a page fault (such as those set up by PaX, or the copy-on-write
10585 -+ * mechanism). in effect it means that we do *not* need to flush the TLBs
10586 -+ * for our target pages since their PTEs are simply not in the TLBs at all.
10587 -+
10588 -+ * the best thing in omitting it is that we gain around 15-20% speed in the
10589 -+ * fast path of the page fault handler and can get rid of tracing since we
10590 -+ * can no longer flush unintended entries.
10591 -+ */
10592 -+ "invlpg (%0)\n"
10593 -+#endif
10594 -+ "testb $0,%%es:(%0)\n"
10595 -+ "xorb %3,(%1)\n"
10596 -+#ifdef CONFIG_PAX_MEMORY_UDEREF
10597 -+ "pushl %%ss\n"
10598 -+ "popl %%es\n"
10599 -+#endif
10600 -+ :
10601 -+ : "r" (address), "r" (pte), "q" (pte_mask), "i" (_PAGE_USER), "r" (__USER_DS)
10602 -+ : "memory", "cc");
10603 -+ pte_unmap_unlock(pte, ptl);
10604 -+ up_read(&mm->mmap_sem);
10605 -+ return;
10606 -+
10607 -+not_pax_fault:
10608 -+#endif
10609 -+
10610 - vma = find_vma(mm, address);
10611 - if (!vma)
10612 - goto bad_area;
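Review bot: the instruction-fetch test on the non-NX path is `!(error_code & 2) && regs->eip == address`, i.e. a read fault whose faulting address is exactly the start of the instruction. An instruction that starts on an executable page and spills into the protected next page faults with `address` at the page boundary while `regs->eip` still points into the previous page; it would therefore fall through to the data-access emulation below, which plants a user-readable DTLB entry and returns, and the fetch would fault the same way again. Please confirm that case is handled (or impossible) and comment it. The asm block also needs a comment on the mechanism itself: `orb %2,(%1)` temporarily sets _PAGE_USER on the PTE, `testb $0,%%es:(%0)` touches the page through the user %es so the DTLB caches that translation, and `xorb %3,(%1)` strips the bit again, all under the PTE lock so the window is bounded by the ptl; the long comment that is there only explains the omitted invlpg.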
10613 -@@ -396,6 +527,12 @@ fastcall void __kprobes do_page_fault(st
10614 - if (address + 65536 + 32 * sizeof(unsigned long) < regs->esp)
10615 - goto bad_area;
10616 - }
10617 -+
10618 -+#ifdef CONFIG_PAX_SEGMEXEC
10619 -+ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && vma->vm_end - SEGMEXEC_TASK_SIZE - 1 < address - SEGMEXEC_TASK_SIZE - 1)
10620 -+ goto bad_area;
10621 -+#endif
10622 -+
10623 - if (expand_stack(vma, address))
10624 - goto bad_area;
10625 - /*
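Review bot: `vma->vm_end - SEGMEXEC_TASK_SIZE - 1 < address - SEGMEXEC_TASK_SIZE - 1` relies on unsigned wraparound to detect, in one comparison, the case where the vma ends above the SEGMEXEC split while `address` lies below it, so that a stack vma in the mirrored upper half cannot be expanded down across the boundary; nothing says so. Spell that out in a comment, or rewrite it as two explicit range tests; the expression is subtle enough that a reader will otherwise assume the two subtractions are a copy-and-paste slip.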
10626 -@@ -405,6 +542,8 @@ fastcall void __kprobes do_page_fault(st
10627 - good_area:
10628 - si_code = SEGV_ACCERR;
10629 - write = 0;
10630 -+ if (nx_enabled && (error_code & 16) && !(vma->vm_flags & VM_EXEC))
10631 -+ goto bad_area;
10632 - switch (error_code & 3) {
10633 - default: /* 3: write, present */
10634 - /* fall through */
10635 -@@ -458,6 +597,49 @@ bad_area:
10636 - up_read(&mm->mmap_sem);
10637 -
10638 - bad_area_nosemaphore:
10639 -+
10640 -+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
10641 -+ if (mm && (error_code & 4) && !(regs->eflags & X86_EFLAGS_VM)) {
10642 -+ /*
10643 -+ * It's possible to have interrupts off here.
10644 -+ */
10645 -+ local_irq_enable();
10646 -+
10647 -+#ifdef CONFIG_PAX_PAGEEXEC
10648 -+ if ((mm->pax_flags & MF_PAX_PAGEEXEC) &&
10649 -+ ((nx_enabled && ((error_code & 16) || !(error_code & 3)) && (regs->eip == address)))) {
10650 -+
10651 -+#ifdef CONFIG_PAX_EMUTRAMP
10652 -+ switch (pax_handle_fetch_fault(regs)) {
10653 -+ case 2:
10654 -+ return;
10655 -+ }
10656 -+#endif
10657 -+
10658 -+ pax_report_fault(regs, (void *)regs->eip, (void *)regs->esp);
10659 -+ do_group_exit(SIGKILL);
10660 -+ }
10661 -+#endif
10662 -+
10663 -+#ifdef CONFIG_PAX_SEGMEXEC
10664 -+ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && !(error_code & 3) && (regs->eip + SEGMEXEC_TASK_SIZE == address)) {
10665 -+
10666 -+#ifdef CONFIG_PAX_EMUTRAMP
10667 -+ switch (pax_handle_fetch_fault(regs)) {
10668 -+ case 2:
10669 -+ return;
10670 -+ }
10671 -+#endif
10672 -+
10673 -+ pax_report_fault(regs, (void *)regs->eip, (void *)regs->esp);
10674 -+ do_group_exit(SIGKILL);
10675 -+ }
10676 -+#endif
10677 -+
10678 -+ }
10679 -+#endif
10680 -+
10681 -+bad_area_nopax:
10682 - /* User mode accesses just cause a SIGSEGV */
10683 - if (error_code & 4) {
10684 - /*
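Review bot: the `switch (pax_handle_fetch_fault(regs)) { case 2: return; }` followed by `pax_report_fault(regs, (void *)regs->eip, (void *)regs->esp); do_group_exit(SIGKILL);` now appears three times in do_page_fault (once in the non-NX PAGEEXEC path above, twice here); factor it into a small static helper so the three stay in step. The early `local_irq_enable()` in the new block looks redundant next to the identical call in the existing `if (error_code & 4)` branch a few lines below, but it is needed because pax_handle_fetch_fault and pax_report_insns call get_user, which may sleep; a one-line comment saying so would stop someone from removing it.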
10685 -@@ -495,7 +677,7 @@ bad_area_nosemaphore:
10686 - if (boot_cpu_data.f00f_bug) {
10687 - unsigned long nr;
10688 -
10689 -- nr = (address - idt_descr.address) >> 3;
10690 -+ nr = (address - (unsigned long)idt_descr.address) >> 3;
10691 -
10692 - if (nr == 6) {
10693 - do_invalid_op(regs, 0);
10694 -@@ -528,18 +710,34 @@ no_context:
10695 - __typeof__(pte_val(__pte(0))) page;
10696 -
10697 - #ifdef CONFIG_X86_PAE
10698 -- if (error_code & 16) {
10699 -- pte_t *pte = lookup_address(address);
10700 -+ if (nx_enabled && (error_code & 16)) {
10701 -+ pte = lookup_address(address);
10702 -
10703 - if (pte && pte_present(*pte) && !pte_exec_kernel(*pte))
10704 - printk(KERN_CRIT "kernel tried to execute "
10705 - "NX-protected page - exploit attempt? "
10706 -- "(uid: %d)\n", current->uid);
10707 -+ "(uid: %d, task: %s, pid: %d)\n",
10708 -+ tsk->uid, tsk->comm, task_pid_nr(tsk));
10709 - }
10710 - #endif
10711 - if (address < PAGE_SIZE)
10712 - printk(KERN_ALERT "BUG: unable to handle kernel NULL "
10713 - "pointer dereference");
10714 -+
10715 -+#ifdef CONFIG_PAX_KERNEXEC
10716 -+#ifdef CONFIG_MODULES
10717 -+ else if (init_mm.start_code <= address && address < (unsigned long)MODULES_END)
10718 -+#else
10719 -+ else if (init_mm.start_code <= address && address < init_mm.end_code)
10720 -+#endif
10721 -+ if (tsk->signal->curr_ip)
10722 -+ printk(KERN_ERR "PAX: From %u.%u.%u.%u: %s:%d, uid/euid: %u/%u, attempted to modify kernel code",
10723 -+ NIPQUAD(tsk->signal->curr_ip), tsk->comm, task_pid_nr(tsk), tsk->uid, tsk->euid);
10724 -+ else
10725 -+ printk(KERN_ERR "PAX: %s:%d, uid/euid: %u/%u, attempted to modify kernel code",
10726 -+ tsk->comm, task_pid_nr(tsk), tsk->uid, tsk->euid);
10727 -+#endif
10728 -+
10729 - else
10730 - printk(KERN_ALERT "BUG: unable to handle kernel paging"
10731 - " request");
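Review bot: the KERNEXEC branch creates an unbraced `else if (...) if (...) ...; else ...; else ...` chain. The final `else printk(KERN_ALERT "BUG: unable to handle kernel paging request")` parses as intended today because the inner if/else is complete, but gcc flags it under -Wparentheses and any later edit to the inner branch can silently rebind the outer else; put braces around the body of the `else if`. The two new PAX messages have no trailing newline, which is consistent with the surrounding BUG lines that continue with the " at virtual address" fragment, so that part is fine. Adding `nx_enabled &&` to the PAE check is correct, since bit 4 of error_code is only meaningful when NX is on, and the `(uid: %d, task: %s, pid: %d)` extension is useful.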
10732 -@@ -585,7 +783,7 @@ no_context:
10733 - tsk->thread.error_code = error_code;
10734 - die("Oops", regs, error_code);
10735 - bust_spinlocks(0);
10736 -- do_exit(SIGKILL);
10737 -+ do_group_exit(SIGKILL);
10738 -
10739 - /*
10740 - * We ran out of memory, or some other thing happened to us that made
10741 -@@ -657,3 +855,92 @@ void vmalloc_sync_all(void)
10742 - start = address + PGDIR_SIZE;
10743 - }
10744 - }
10745 -+
10746 -+#ifdef CONFIG_PAX_EMUTRAMP
10747 -+/*
10748 -+ * PaX: decide what to do with offenders (regs->eip = fault address)
10749 -+ *
10750 -+ * returns 1 when task should be killed
10751 -+ * 2 when gcc trampoline was detected
10752 -+ */
10753 -+static int pax_handle_fetch_fault(struct pt_regs *regs)
10754 -+{
10755 -+ int err;
10756 -+
10757 -+ if (regs->eflags & X86_EFLAGS_VM)
10758 -+ return 1;
10759 -+
10760 -+ if (!(current->mm->pax_flags & MF_PAX_EMUTRAMP))
10761 -+ return 1;
10762 -+
10763 -+ do { /* PaX: gcc trampoline emulation #1 */
10764 -+ unsigned char mov1, mov2;
10765 -+ unsigned short jmp;
10766 -+ unsigned long addr1, addr2;
10767 -+
10768 -+ err = get_user(mov1, (unsigned char __user *)regs->eip);
10769 -+ err |= get_user(addr1, (unsigned long __user *)(regs->eip + 1));
10770 -+ err |= get_user(mov2, (unsigned char __user *)(regs->eip + 5));
10771 -+ err |= get_user(addr2, (unsigned long __user *)(regs->eip + 6));
10772 -+ err |= get_user(jmp, (unsigned short __user *)(regs->eip + 10));
10773 -+
10774 -+ if (err)
10775 -+ break;
10776 -+
10777 -+ if (mov1 == 0xB9 && mov2 == 0xB8 && jmp == 0xE0FF) {
10778 -+ regs->ecx = addr1;
10779 -+ regs->eax = addr2;
10780 -+ regs->eip = addr2;
10781 -+ return 2;
10782 -+ }
10783 -+ } while (0);
10784 -+
10785 -+ do { /* PaX: gcc trampoline emulation #2 */
10786 -+ unsigned char mov, jmp;
10787 -+ unsigned long addr1, addr2;
10788 -+
10789 -+ err = get_user(mov, (unsigned char __user *)regs->eip);
10790 -+ err |= get_user(addr1, (unsigned long __user *)(regs->eip + 1));
10791 -+ err |= get_user(jmp, (unsigned char __user *)(regs->eip + 5));
10792 -+ err |= get_user(addr2, (unsigned long __user *)(regs->eip + 6));
10793 -+
10794 -+ if (err)
10795 -+ break;
10796 -+
10797 -+ if (mov == 0xB9 && jmp == 0xE9) {
10798 -+ regs->ecx = addr1;
10799 -+ regs->eip += addr2 + 10;
10800 -+ return 2;
10801 -+ }
10802 -+ } while (0);
10803 -+
10804 -+ return 1; /* PaX in action */
10805 -+}
10806 -+#endif
10807 -+
10808 -+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
10809 -+void pax_report_insns(void *pc, void *sp)
10810 -+{
10811 -+ long i;
10812 -+
10813 -+ printk(KERN_ERR "PAX: bytes at PC: ");
10814 -+ for (i = 0; i < 20; i++) {
10815 -+ unsigned char c;
10816 -+ if (get_user(c, (unsigned char __user *)pc+i))
10817 -+ printk("?? ");
10818 -+ else
10819 -+ printk("%02x ", c);
10820 -+ }
10821 -+ printk("\n");
10822 -+
10823 -+ printk(KERN_ERR "PAX: bytes at SP-4: ");
10824 -+ for (i = -1; i < 20; i++) {
10825 -+ unsigned long c;
10826 -+ if (get_user(c, (unsigned long __user *)sp+i))
10827 -+ printk("???????? ");
10828 -+ else
10829 -+ printk("%08lx ", c);
10830 -+ }
10831 -+ printk("\n");
10832 -+}
10833 -+#endif
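Review bot: the two trampoline patterns are documented only as raw opcodes (`0xB9`/`0xB8`/`0xE0FF` and `0xB9`/`0xE9`); add a comment with the instruction sequence each one matches (movl $imm32,%ecx; movl $imm32,%eax; jmp *%eax for #1, and movl $imm32,%ecx; jmp rel32 for #2) so the `+ 10` in `regs->eip += addr2 + 10` can be checked against the 10-byte length of the sequence. The emulation loads `regs->eip`, `regs->ecx` and `regs->eax` from user-controlled bytes, which is acceptable because these are all user-mode register values anyway, but a comment that the target is deliberately not validated since the next fetch will simply fault again would pre-empt the obvious question. In pax_report_insns, `(unsigned long __user *)sp+i` with `i` starting at -1 is what makes the "SP-4" label true; that reads like a cast of `sp+i`, so write it as `((unsigned long __user *)sp) + i`.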
10834 -diff -urNp linux-2.6.24.4/arch/x86/mm/fault_64.c linux-2.6.24.4/arch/x86/mm/fault_64.c
10835 ---- linux-2.6.24.4/arch/x86/mm/fault_64.c 2008-03-24 14:49:18.000000000 -0400
10836 -+++ linux-2.6.24.4/arch/x86/mm/fault_64.c 2008-03-26 18:53:27.000000000 -0400
10837 -@@ -26,6 +26,7 @@
10838 - #include <linux/uaccess.h>
10839 - #include <linux/kdebug.h>
10840 - #include <linux/kprobes.h>
10841 -+#include <linux/binfmts.h>
10842 -
10843 - #include <asm/system.h>
10844 - #include <asm/pgalloc.h>
10845 -@@ -285,6 +286,163 @@ static int vmalloc_fault(unsigned long a
10846 - return 0;
10847 - }
10848 -
10849 -+#ifdef CONFIG_PAX_EMUTRAMP
10850 -+static int pax_handle_fetch_fault_32(struct pt_regs *regs)
10851 -+{
10852 -+ int err;
10853 -+
10854 -+ do { /* PaX: gcc trampoline emulation #1 */
10855 -+ unsigned char mov1, mov2;
10856 -+ unsigned short jmp;
10857 -+ unsigned int addr1, addr2;
10858 -+
10859 -+ if ((regs->rip + 11) >> 32)
10860 -+ break;
10861 -+
10862 -+ err = get_user(mov1, (unsigned char __user *)regs->rip);
10863 -+ err |= get_user(addr1, (unsigned int __user *)(regs->rip + 1));
10864 -+ err |= get_user(mov2, (unsigned char __user *)(regs->rip + 5));
10865 -+ err |= get_user(addr2, (unsigned int __user *)(regs->rip + 6));
10866 -+ err |= get_user(jmp, (unsigned short __user *)(regs->rip + 10));
10867 -+
10868 -+ if (err)
10869 -+ break;
10870 -+
10871 -+ if (mov1 == 0xB9 && mov2 == 0xB8 && jmp == 0xE0FF) {
10872 -+ regs->rcx = addr1;
10873 -+ regs->rax = addr2;
10874 -+ regs->rip = addr2;
10875 -+ return 2;
10876 -+ }
10877 -+ } while (0);
10878 -+
10879 -+ do { /* PaX: gcc trampoline emulation #2 */
10880 -+ unsigned char mov, jmp;
10881 -+ unsigned int addr1, addr2;
10882 -+
10883 -+ if ((regs->rip + 9) >> 32)
10884 -+ break;
10885 -+
10886 -+ err = get_user(mov, (unsigned char __user *)regs->rip);
10887 -+ err |= get_user(addr1, (unsigned int __user *)(regs->rip + 1));
10888 -+ err |= get_user(jmp, (unsigned char __user *)(regs->rip + 5));
10889 -+ err |= get_user(addr2, (unsigned int __user *)(regs->rip + 6));
10890 -+
10891 -+ if (err)
10892 -+ break;
10893 -+
10894 -+ if (mov == 0xB9 && jmp == 0xE9) {
10895 -+ regs->rcx = addr1;
10896 -+ regs->rip = (unsigned int)(regs->rip + addr2 + 10);
10897 -+ return 2;
10898 -+ }
10899 -+ } while (0);
10900 -+
10901 -+ return 1; /* PaX in action */
10902 -+}
10903 -+
10904 -+static int pax_handle_fetch_fault_64(struct pt_regs *regs)
10905 -+{
10906 -+ int err;
10907 -+
10908 -+ do { /* PaX: gcc trampoline emulation #1 */
10909 -+ unsigned short mov1, mov2, jmp1;
10910 -+ unsigned char jmp2;
10911 -+ unsigned int addr1;
10912 -+ unsigned long addr2;
10913 -+
10914 -+ err = get_user(mov1, (unsigned short __user *)regs->rip);
10915 -+ err |= get_user(addr1, (unsigned int __user *)(regs->rip + 2));
10916 -+ err |= get_user(mov2, (unsigned short __user *)(regs->rip + 6));
10917 -+ err |= get_user(addr2, (unsigned long __user *)(regs->rip + 8));
10918 -+ err |= get_user(jmp1, (unsigned short __user *)(regs->rip + 16));
10919 -+ err |= get_user(jmp2, (unsigned char __user *)(regs->rip + 18));
10920 -+
10921 -+ if (err)
10922 -+ break;
10923 -+
10924 -+ if (mov1 == 0xBB41 && mov2 == 0xBA49 && jmp1 == 0xFF49 && jmp2 == 0xE3) {
10925 -+ regs->r11 = addr1;
10926 -+ regs->r10 = addr2;
10927 -+ regs->rip = addr1;
10928 -+ return 2;
10929 -+ }
10930 -+ } while (0);
10931 -+
10932 -+ do { /* PaX: gcc trampoline emulation #2 */
10933 -+ unsigned short mov1, mov2, jmp1;
10934 -+ unsigned char jmp2;
10935 -+ unsigned long addr1, addr2;
10936 -+
10937 -+ err = get_user(mov1, (unsigned short __user *)regs->rip);
10938 -+ err |= get_user(addr1, (unsigned long __user *)(regs->rip + 2));
10939 -+ err |= get_user(mov2, (unsigned short __user *)(regs->rip + 10));
10940 -+ err |= get_user(addr2, (unsigned long __user *)(regs->rip + 12));
10941 -+ err |= get_user(jmp1, (unsigned short __user *)(regs->rip + 20));
10942 -+ err |= get_user(jmp2, (unsigned char __user *)(regs->rip + 22));
10943 -+
10944 -+ if (err)
10945 -+ break;
10946 -+
10947 -+ if (mov1 == 0xBB49 && mov2 == 0xBA49 && jmp1 == 0xFF49 && jmp2 == 0xE3) {
10948 -+ regs->r11 = addr1;
10949 -+ regs->r10 = addr2;
10950 -+ regs->rip = addr1;
10951 -+ return 2;
10952 -+ }
10953 -+ } while (0);
10954 -+
10955 -+ return 1; /* PaX in action */
10956 -+}
10957 -+
10958 -+/*
10959 -+ * PaX: decide what to do with offenders (regs->rip = fault address)
10960 -+ *
10961 -+ * returns 1 when task should be killed
10962 -+ * 2 when gcc trampoline was detected
10963 -+ */
10964 -+static int pax_handle_fetch_fault(struct pt_regs *regs)
10965 -+{
10966 -+ if (regs->eflags & X86_EFLAGS_VM)
10967 -+ return 1;
10968 -+
10969 -+ if (!(current->mm->pax_flags & MF_PAX_EMUTRAMP))
10970 -+ return 1;
10971 -+
10972 -+ if (regs->cs == __USER32_CS || (regs->cs & (1<<2)))
10973 -+ return pax_handle_fetch_fault_32(regs);
10974 -+ else
10975 -+ return pax_handle_fetch_fault_64(regs);
10976 -+}
10977 -+#endif
10978 -+
10979 -+#ifdef CONFIG_PAX_PAGEEXEC
10980 -+void pax_report_insns(void *pc, void *sp)
10981 -+{
10982 -+ long i;
10983 -+
10984 -+ printk(KERN_ERR "PAX: bytes at PC: ");
10985 -+ for (i = 0; i < 20; i++) {
10986 -+ unsigned char c;
10987 -+ if (get_user(c, (unsigned char __user *)pc+i))
10988 -+ printk("?? ");
10989 -+ else
10990 -+ printk("%02x ", c);
10991 -+ }
10992 -+ printk("\n");
10993 -+
10994 -+ printk(KERN_ERR "PAX: bytes at SP-8: ");
10995 -+ for (i = -1; i < 10; i++) {
10996 -+ unsigned long c;
10997 -+ if (get_user(c, (unsigned long __user *)sp+i))
10998 -+ printk("???????????????? ");
10999 -+ else
11000 -+ printk("%016lx ", c);
11001 -+ }
11002 -+ printk("\n");
11003 -+}
11004 -+#endif
11005 -+
11006 - int show_unhandled_signals = 1;
11007 -
11008 - /*
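Review bot: the instruction-pattern constants in `pax_handle_fetch_fault_32` and `pax_handle_fetch_fault_64` are bare magic numbers; each `if` should carry a comment naming the decoded sequence, e.g. `mov1 == 0xB9 && mov2 == 0xB8 && jmp == 0xE0FF` is `mov $imm32,%ecx; mov $imm32,%eax; jmp *%eax` and `mov1 == 0xBB41 && mov2 == 0xBA49 && jmp1 == 0xFF49 && jmp2 == 0xE3` is `mov $imm32,%r11d; movabs $imm64,%r10; jmp *%r11`, so the register writes below each test can be checked against the pattern they emulate. The same goes for `regs->cs & (1<<2)` in `pax_handle_fetch_fault`, which tests the selector's table-indicator (LDT) bit and should say so. Note also that only the 32-bit matchers bail out when the fetch would cross the 4 GiB boundary (`if ((regs->rip + 11) >> 32) break;`) while the 64-bit ones rely on `get_user` alone; that is fine, but a one-line comment would save the next reader the question.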
11009 -@@ -405,7 +563,7 @@ asmlinkage void __kprobes do_page_fault(
11010 - goto good_area;
11011 - if (!(vma->vm_flags & VM_GROWSDOWN))
11012 - goto bad_area;
11013 -- if (error_code & 4) {
11014 -+ if (error_code & PF_USER) {
11015 - /* Allow userspace just enough access below the stack pointer
11016 - * to let the 'enter' instruction work.
11017 - */
11018 -@@ -421,6 +579,8 @@ asmlinkage void __kprobes do_page_fault(
11019 - good_area:
11020 - info.si_code = SEGV_ACCERR;
11021 - write = 0;
11022 -+ if ((error_code & PF_INSTR) && !(vma->vm_flags & VM_EXEC))
11023 -+ goto bad_area;
11024 - switch (error_code & (PF_PROT|PF_WRITE)) {
11025 - default: /* 3: write, present */
11026 - /* fall through */
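Review bot: the new `if ((error_code & PF_INSTR) && !(vma->vm_flags & VM_EXEC)) goto bad_area;` is the actual PAGEEXEC enforcement point on x86-64 and deserves a comment saying so, including that `PF_INSTR` is only reported by the CPU when NX is enabled in EFER, so on a CPU or configuration without NX this test never fires and the `switch` below handles the access as an ordinary read fault.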
11027 -@@ -472,6 +632,21 @@ bad_area_nosemaphore:
11028 - */
11029 - local_irq_enable();
11030 -
11031 -+#ifdef CONFIG_PAX_PAGEEXEC
11032 -+ if (mm && (mm->pax_flags & MF_PAX_PAGEEXEC) && (error_code & PF_INSTR)) {
11033 -+
11034 -+#ifdef CONFIG_PAX_EMUTRAMP
11035 -+ switch (pax_handle_fetch_fault(regs)) {
11036 -+ case 2:
11037 -+ return;
11038 -+ }
11039 -+#endif
11040 -+
11041 -+ pax_report_fault(regs, (void*)regs->rip, (void*)regs->rsp);
11042 -+ do_group_exit(SIGKILL);
11043 -+ }
11044 -+#endif
11045 -+
11046 - if (is_prefetch(regs, address, error_code))
11047 - return;
11048 -
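Review bot: the `switch (pax_handle_fetch_fault(regs)) { case 2: return; }` has a single case and silently lets the documented return value 1 fall through to `do_group_exit(SIGKILL)`; an explicit `if (pax_handle_fetch_fault(regs) == 2) return;` followed by a comment that every other result is killed would make the intent visible. `pax_report_fault()` is called here but is not declared in any visible hunk of this file; a pointer to where it is defined would help.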
11049 -@@ -489,8 +664,8 @@ bad_area_nosemaphore:
11050 - printk_ratelimit()) {
11051 - printk(
11052 - "%s%s[%d]: segfault at %lx rip %lx rsp %lx error %lx\n",
11053 -- tsk->pid > 1 ? KERN_INFO : KERN_EMERG,
11054 -- tsk->comm, tsk->pid, address, regs->rip,
11055 -+ task_pid_nr(tsk) > 1 ? KERN_INFO : KERN_EMERG,
11056 -+ tsk->comm, task_pid_nr(tsk), address, regs->rip,
11057 - regs->rsp, error_code);
11058 - }
11059 -
11060 -@@ -534,6 +709,9 @@ no_context:
11061 -
11062 - if (address < PAGE_SIZE)
11063 - printk(KERN_ALERT "Unable to handle kernel NULL pointer dereference");
11064 -+ else if (error_code & PF_INSTR)
11065 -+ printk(KERN_ALERT "PAX: %s:%d, uid/euid: %u/%u, invalid execution attempt",
11066 -+ tsk->comm, task_pid_nr(tsk), tsk->uid, tsk->euid);
11067 - else
11068 - printk(KERN_ALERT "Unable to handle kernel paging request");
11069 - printk(" at %016lx RIP: \n" KERN_ALERT,address);
11070 -@@ -546,7 +724,7 @@ no_context:
11071 - /* Executive summary in case the body of the oops scrolled away */
11072 - printk(KERN_EMERG "CR2: %016lx\n", address);
11073 - oops_end(flags);
11074 -- do_exit(SIGKILL);
11075 -+ do_group_exit(SIGKILL);
11076 -
11077 - /*
11078 - * We ran out of memory, or some other thing happened to us that made
11079 -diff -urNp linux-2.6.24.4/arch/x86/mm/highmem_32.c linux-2.6.24.4/arch/x86/mm/highmem_32.c
11080 ---- linux-2.6.24.4/arch/x86/mm/highmem_32.c 2008-03-24 14:49:18.000000000 -0400
11081 -+++ linux-2.6.24.4/arch/x86/mm/highmem_32.c 2008-03-26 17:56:55.000000000 -0400
11082 -@@ -31,6 +31,10 @@ void *kmap_atomic_prot(struct page *page
11083 - enum fixed_addresses idx;
11084 - unsigned long vaddr;
11085 -
11086 -+#ifdef CONFIG_PAX_KERNEXEC
11087 -+ unsigned long cr0;
11088 -+#endif
11089 -+
11090 - /* even !CONFIG_PREEMPT needs this, for in_atomic in do_page_fault */
11091 - pagefault_disable();
11092 -
11093 -@@ -40,7 +44,17 @@ void *kmap_atomic_prot(struct page *page
11094 - idx = type + KM_TYPE_NR*smp_processor_id();
11095 - vaddr = __fix_to_virt(FIX_KMAP_BEGIN + idx);
11096 - BUG_ON(!pte_none(*(kmap_pte-idx)));
11097 -+
11098 -+#ifdef CONFIG_PAX_KERNEXEC
11099 -+ pax_open_kernel(cr0);
11100 -+#endif
11101 -+
11102 - set_pte(kmap_pte-idx, mk_pte(page, prot));
11103 -+
11104 -+#ifdef CONFIG_PAX_KERNEXEC
11105 -+ pax_close_kernel(cr0);
11106 -+#endif
11107 -+
11108 - arch_flush_lazy_mmu_mode();
11109 -
11110 - return (void *)vaddr;
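Review bot: the `#ifdef CONFIG_PAX_KERNEXEC` / `pax_open_kernel(cr0);` / `#endif` block and its matching close around the single `set_pte()` call, plus the `#ifdef`-wrapped `unsigned long cr0;` declaration, are repeated verbatim in `kunmap_atomic` and `kmap_atomic_pfn` below; a no-op definition of `pax_open_kernel`/`pax_close_kernel` for the !KERNEXEC case would let each site shrink to two unconditional lines and remove all of the `#ifdef` blocks from this file. The window itself is right: only the page-table write sits between open and close, and `pagefault_disable()` above already keeps the task from being preempted while the kernel write protection is open.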
11111 -@@ -56,15 +70,29 @@ void kunmap_atomic(void *kvaddr, enum km
11112 - unsigned long vaddr = (unsigned long) kvaddr & PAGE_MASK;
11113 - enum fixed_addresses idx = type + KM_TYPE_NR*smp_processor_id();
11114 -
11115 -+#ifdef CONFIG_PAX_KERNEXEC
11116 -+ unsigned long cr0;
11117 -+#endif
11118 -+
11119 - /*
11120 - * Force other mappings to Oops if they'll try to access this pte
11121 - * without first remap it. Keeping stale mappings around is a bad idea
11122 - * also, in case the page changes cacheability attributes or becomes
11123 - * a protected page in a hypervisor.
11124 - */
11125 -- if (vaddr == __fix_to_virt(FIX_KMAP_BEGIN+idx))
11126 -+ if (vaddr == __fix_to_virt(FIX_KMAP_BEGIN+idx)) {
11127 -+
11128 -+#ifdef CONFIG_PAX_KERNEXEC
11129 -+ pax_open_kernel(cr0);
11130 -+#endif
11131 -+
11132 - kpte_clear_flush(kmap_pte-idx, vaddr);
11133 -- else {
11134 -+
11135 -+#ifdef CONFIG_PAX_KERNEXEC
11136 -+ pax_close_kernel(cr0);
11137 -+#endif
11138 -+
11139 -+ } else {
11140 - #ifdef CONFIG_DEBUG_HIGHMEM
11141 - BUG_ON(vaddr < PAGE_OFFSET);
11142 - BUG_ON(vaddr >= (unsigned long)high_memory);
11143 -@@ -83,11 +111,25 @@ void *kmap_atomic_pfn(unsigned long pfn,
11144 - enum fixed_addresses idx;
11145 - unsigned long vaddr;
11146 -
11147 -+#ifdef CONFIG_PAX_KERNEXEC
11148 -+ unsigned long cr0;
11149 -+#endif
11150 -+
11151 - pagefault_disable();
11152 -
11153 - idx = type + KM_TYPE_NR*smp_processor_id();
11154 - vaddr = __fix_to_virt(FIX_KMAP_BEGIN + idx);
11155 -+
11156 -+#ifdef CONFIG_PAX_KERNEXEC
11157 -+ pax_open_kernel(cr0);
11158 -+#endif
11159 -+
11160 - set_pte(kmap_pte-idx, pfn_pte(pfn, kmap_prot));
11161 -+
11162 -+#ifdef CONFIG_PAX_KERNEXEC
11163 -+ pax_close_kernel(cr0);
11164 -+#endif
11165 -+
11166 - arch_flush_lazy_mmu_mode();
11167 -
11168 - return (void*) vaddr;
11169 -diff -urNp linux-2.6.24.4/arch/x86/mm/hugetlbpage.c linux-2.6.24.4/arch/x86/mm/hugetlbpage.c
11170 ---- linux-2.6.24.4/arch/x86/mm/hugetlbpage.c 2008-03-24 14:49:18.000000000 -0400
11171 -+++ linux-2.6.24.4/arch/x86/mm/hugetlbpage.c 2008-03-26 17:56:55.000000000 -0400
11172 -@@ -229,13 +229,18 @@ static unsigned long hugetlb_get_unmappe
11173 - {
11174 - struct mm_struct *mm = current->mm;
11175 - struct vm_area_struct *vma;
11176 -- unsigned long start_addr;
11177 -+ unsigned long start_addr, task_size = TASK_SIZE;
11178 -+
11179 -+#ifdef CONFIG_PAX_SEGMEXEC
11180 -+ if (mm->pax_flags & MF_PAX_SEGMEXEC)
11181 -+ task_size = SEGMEXEC_TASK_SIZE;
11182 -+#endif
11183 -
11184 - if (len > mm->cached_hole_size) {
11185 -- start_addr = mm->free_area_cache;
11186 -+ start_addr = mm->free_area_cache;
11187 - } else {
11188 -- start_addr = TASK_UNMAPPED_BASE;
11189 -- mm->cached_hole_size = 0;
11190 -+ start_addr = mm->mmap_base;
11191 -+ mm->cached_hole_size = 0;
11192 - }
11193 -
11194 - full_search:
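Review bot: two of the lines in this hunk are whitespace-only changes (`start_addr = mm->free_area_cache;` and `mm->cached_hole_size = 0;` are removed and re-added with identical text), which makes the real change, `TASK_UNMAPPED_BASE` becoming `mm->mmap_base` and `TASK_SIZE` becoming the SEGMEXEC-aware `task_size`, harder to pick out; drop the whitespace churn or move it to a separate cleanup.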
11195 -@@ -243,13 +248,13 @@ full_search:
11196 -
11197 - for (vma = find_vma(mm, addr); ; vma = vma->vm_next) {
11198 - /* At this point: (!vma || addr < vma->vm_end). */
11199 -- if (TASK_SIZE - len < addr) {
11200 -+ if (task_size - len < addr) {
11201 - /*
11202 - * Start a new search - just in case we missed
11203 - * some holes.
11204 - */
11205 -- if (start_addr != TASK_UNMAPPED_BASE) {
11206 -- start_addr = TASK_UNMAPPED_BASE;
11207 -+ if (start_addr != mm->mmap_base) {
11208 -+ start_addr = mm->mmap_base;
11209 - mm->cached_hole_size = 0;
11210 - goto full_search;
11211 - }
11212 -@@ -271,9 +276,8 @@ static unsigned long hugetlb_get_unmappe
11213 - {
11214 - struct mm_struct *mm = current->mm;
11215 - struct vm_area_struct *vma, *prev_vma;
11216 -- unsigned long base = mm->mmap_base, addr = addr0;
11217 -+ unsigned long base = mm->mmap_base, addr;
11218 - unsigned long largest_hole = mm->cached_hole_size;
11219 -- int first_time = 1;
11220 -
11221 - /* don't allow allocations above current base */
11222 - if (mm->free_area_cache > base)
11223 -@@ -283,7 +287,7 @@ static unsigned long hugetlb_get_unmappe
11224 - largest_hole = 0;
11225 - mm->free_area_cache = base;
11226 - }
11227 --try_again:
11228 -+
11229 - /* make sure it can fit in the remaining address space */
11230 - if (mm->free_area_cache < len)
11231 - goto fail;
11232 -@@ -325,22 +329,26 @@ try_again:
11233 -
11234 - fail:
11235 - /*
11236 -- * if hint left us with no space for the requested
11237 -- * mapping then try again:
11238 -- */
11239 -- if (first_time) {
11240 -- mm->free_area_cache = base;
11241 -- largest_hole = 0;
11242 -- first_time = 0;
11243 -- goto try_again;
11244 -- }
11245 -- /*
11246 - * A failed mmap() very likely causes application failure,
11247 - * so fall back to the bottom-up function here. This scenario
11248 - * can happen with large stack limits and large mmap()
11249 - * allocations.
11250 - */
11251 -- mm->free_area_cache = TASK_UNMAPPED_BASE;
11252 -+
11253 -+#ifdef CONFIG_PAX_SEGMEXEC
11254 -+ if (mm->pax_flags & MF_PAX_SEGMEXEC)
11255 -+ mm->mmap_base = SEGMEXEC_TASK_UNMAPPED_BASE;
11256 -+ else
11257 -+#endif
11258 -+
11259 -+ mm->mmap_base = TASK_UNMAPPED_BASE;
11260 -+
11261 -+#ifdef CONFIG_PAX_RANDMMAP
11262 -+ if (mm->pax_flags & MF_PAX_RANDMMAP)
11263 -+ mm->mmap_base += mm->delta_mmap;
11264 -+#endif
11265 -+
11266 -+ mm->free_area_cache = mm->mmap_base;
11267 - mm->cached_hole_size = ~0UL;
11268 - addr = hugetlb_get_unmapped_area_bottomup(file, addr0,
11269 - len, pgoff, flags);
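Review bot: removing the `first_time`/`try_again` retry in the top-down allocator is a behaviour change independent of the PaX flags and should be called out and justified in the patch description rather than hidden inside the SEGMEXEC/RANDMMAP edit. The fallback now also rewrites `mm->mmap_base` before calling `hugetlb_get_unmapped_area_bottomup()` and relies on the `mm->mmap_base = base;` added in the next hunk to undo it; a comment at the overwrite saying that the base is restored below would keep a future edit from dropping the restore.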
11270 -@@ -348,6 +356,7 @@ fail:
11271 - /*
11272 - * Restore the topdown base:
11273 - */
11274 -+ mm->mmap_base = base;
11275 - mm->free_area_cache = base;
11276 - mm->cached_hole_size = ~0UL;
11277 -
11278 -@@ -360,10 +369,17 @@ hugetlb_get_unmapped_area(struct file *f
11279 - {
11280 - struct mm_struct *mm = current->mm;
11281 - struct vm_area_struct *vma;
11282 -+ unsigned long task_size = TASK_SIZE;
11283 -
11284 - if (len & ~HPAGE_MASK)
11285 - return -EINVAL;
11286 -- if (len > TASK_SIZE)
11287 -+
11288 -+#ifdef CONFIG_PAX_SEGMEXEC
11289 -+ if (mm->pax_flags & MF_PAX_SEGMEXEC)
11290 -+ task_size = SEGMEXEC_TASK_SIZE;
11291 -+#endif
11292 -+
11293 -+ if (len > task_size)
11294 - return -ENOMEM;
11295 -
11296 - if (flags & MAP_FIXED) {
11297 -@@ -375,7 +391,7 @@ hugetlb_get_unmapped_area(struct file *f
11298 - if (addr) {
11299 - addr = ALIGN(addr, HPAGE_SIZE);
11300 - vma = find_vma(mm, addr);
11301 -- if (TASK_SIZE - len >= addr &&
11302 -+ if (task_size - len >= addr &&
11303 - (!vma || addr + len <= vma->vm_start))
11304 - return addr;
11305 - }
11306 -diff -urNp linux-2.6.24.4/arch/x86/mm/init_32.c linux-2.6.24.4/arch/x86/mm/init_32.c
11307 ---- linux-2.6.24.4/arch/x86/mm/init_32.c 2008-03-24 14:49:18.000000000 -0400
11308 -+++ linux-2.6.24.4/arch/x86/mm/init_32.c 2008-03-26 17:56:55.000000000 -0400
11309 -@@ -44,6 +44,7 @@
11310 - #include <asm/tlbflush.h>
11311 - #include <asm/sections.h>
11312 - #include <asm/paravirt.h>
11313 -+#include <asm/desc.h>
11314 -
11315 - unsigned int __VMALLOC_RESERVE = 128 << 20;
11316 -
11317 -@@ -53,32 +54,6 @@ unsigned long highstart_pfn, highend_pfn
11318 - static int noinline do_test_wp_bit(void);
11319 -
11320 - /*
11321 -- * Creates a middle page table and puts a pointer to it in the
11322 -- * given global directory entry. This only returns the gd entry
11323 -- * in non-PAE compilation mode, since the middle layer is folded.
11324 -- */
11325 --static pmd_t * __init one_md_table_init(pgd_t *pgd)
11326 --{
11327 -- pud_t *pud;
11328 -- pmd_t *pmd_table;
11329 --
11330 --#ifdef CONFIG_X86_PAE
11331 -- if (!(pgd_val(*pgd) & _PAGE_PRESENT)) {
11332 -- pmd_table = (pmd_t *) alloc_bootmem_low_pages(PAGE_SIZE);
11333 --
11334 -- paravirt_alloc_pd(__pa(pmd_table) >> PAGE_SHIFT);
11335 -- set_pgd(pgd, __pgd(__pa(pmd_table) | _PAGE_PRESENT));
11336 -- pud = pud_offset(pgd, 0);
11337 -- if (pmd_table != pmd_offset(pud, 0))
11338 -- BUG();
11339 -- }
11340 --#endif
11341 -- pud = pud_offset(pgd, 0);
11342 -- pmd_table = pmd_offset(pud, 0);
11343 -- return pmd_table;
11344 --}
11345 --
11346 --/*
11347 - * Create a page table and place a pointer to it in a middle page
11348 - * directory entry.
11349 - */
11350 -@@ -95,7 +70,11 @@ static pte_t * __init one_page_table_ini
11351 - (pte_t *)alloc_bootmem_low_pages(PAGE_SIZE);
11352 -
11353 - paravirt_alloc_pt(&init_mm, __pa(page_table) >> PAGE_SHIFT);
11354 -+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
11355 -+ set_pmd(pmd, __pmd(__pa(page_table) | _KERNPG_TABLE));
11356 -+#else
11357 - set_pmd(pmd, __pmd(__pa(page_table) | _PAGE_TABLE));
11358 -+#endif
11359 - BUG_ON(page_table != pte_offset_kernel(pmd, 0));
11360 - }
11361 -
11362 -@@ -116,6 +95,7 @@ static pte_t * __init one_page_table_ini
11363 - static void __init page_table_range_init (unsigned long start, unsigned long end, pgd_t *pgd_base)
11364 - {
11365 - pgd_t *pgd;
11366 -+ pud_t *pud;
11367 - pmd_t *pmd;
11368 - int pgd_idx, pmd_idx;
11369 - unsigned long vaddr;
11370 -@@ -126,8 +106,13 @@ static void __init page_table_range_init
11371 - pgd = pgd_base + pgd_idx;
11372 -
11373 - for ( ; (pgd_idx < PTRS_PER_PGD) && (vaddr != end); pgd++, pgd_idx++) {
11374 -- pmd = one_md_table_init(pgd);
11375 -- pmd = pmd + pmd_index(vaddr);
11376 -+ pud = pud_offset(pgd, vaddr);
11377 -+ pmd = pmd_offset(pud, vaddr);
11378 -+
11379 -+#ifdef CONFIG_X86_PAE
11380 -+ paravirt_alloc_pd(__pa(pmd) >> PAGE_SHIFT);
11381 -+#endif
11382 -+
11383 - for (; (pmd_idx < PTRS_PER_PMD) && (vaddr != end); pmd++, pmd_idx++) {
11384 - one_page_table_init(pmd);
11385 -
11386 -@@ -137,11 +122,23 @@ static void __init page_table_range_init
11387 - }
11388 - }
11389 -
11390 --static inline int is_kernel_text(unsigned long addr)
11391 -+static inline int is_kernel_text(unsigned long start, unsigned long end)
11392 - {
11393 -- if (addr >= PAGE_OFFSET && addr <= (unsigned long)__init_end)
11394 -- return 1;
11395 -- return 0;
11396 -+ unsigned long etext;
11397 -+
11398 -+#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
11399 -+ etext = ktva_ktla((unsigned long)&MODULES_END);
11400 -+#else
11401 -+ etext = (unsigned long)&_etext;
11402 -+#endif
11403 -+
11404 -+ if ((start > ktla_ktva(etext) ||
11405 -+ end <= ktla_ktva((unsigned long)_stext)) &&
11406 -+ (start > ktla_ktva((unsigned long)_einittext) ||
11407 -+ end <= ktla_ktva((unsigned long)_sinittext)) &&
11408 -+ (start > (unsigned long)__va(0xfffff) || end <= (unsigned long)__va(0xc0000)))
11409 -+ return 0;
11410 -+ return 1;
11411 - }
11412 -
11413 - /*
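Review bot: the rewritten `is_kernel_text()` expresses "overlaps any of three ranges" as a negated conjunction of three disjointness tests and returns 1 on overlap, which is easy to misread; a small helper such as `ranges_overlap(start, end, lo, hi)` and three positive `||` terms would read directly. The third range, `__va(0xc0000)` to `__va(0xfffff)`, is unexplained magic: name the region in a comment (0xc0000-0xfffff is the legacy video/system BIOS area) and say why its mapping must stay executable under KERNEXEC.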
11414 -@@ -153,25 +150,29 @@ static void __init kernel_physical_mappi
11415 - {
11416 - unsigned long pfn;
11417 - pgd_t *pgd;
11418 -+ pud_t *pud;
11419 - pmd_t *pmd;
11420 - pte_t *pte;
11421 -- int pgd_idx, pmd_idx, pte_ofs;
11422 -+ unsigned int pgd_idx, pmd_idx, pte_ofs;
11423 -
11424 - pgd_idx = pgd_index(PAGE_OFFSET);
11425 - pgd = pgd_base + pgd_idx;
11426 - pfn = 0;
11427 -
11428 -- for (; pgd_idx < PTRS_PER_PGD; pgd++, pgd_idx++) {
11429 -- pmd = one_md_table_init(pgd);
11430 -- if (pfn >= max_low_pfn)
11431 -- continue;
11432 -+ for (; pgd_idx < PTRS_PER_PGD && pfn < max_low_pfn; pgd++, pgd_idx++) {
11433 -+ pud = pud_offset(pgd, 0);
11434 -+ pmd = pmd_offset(pud, 0);
11435 -+
11436 -+#ifdef CONFIG_X86_PAE
11437 -+ paravirt_alloc_pd(__pa(pmd) >> PAGE_SHIFT);
11438 -+#endif
11439 -+
11440 - for (pmd_idx = 0; pmd_idx < PTRS_PER_PMD && pfn < max_low_pfn; pmd++, pmd_idx++) {
11441 -- unsigned int address = pfn * PAGE_SIZE + PAGE_OFFSET;
11442 -+ unsigned long address = pfn * PAGE_SIZE + PAGE_OFFSET;
11443 -
11444 - /* Map with big pages if possible, otherwise create normal page tables. */
11445 -- if (cpu_has_pse) {
11446 -- unsigned int address2 = (pfn + PTRS_PER_PTE - 1) * PAGE_SIZE + PAGE_OFFSET + PAGE_SIZE-1;
11447 -- if (is_kernel_text(address) || is_kernel_text(address2))
11448 -+ if (cpu_has_pse && address >= (unsigned long)__va(0x100000)) {
11449 -+ if (is_kernel_text(address, address + PMD_SIZE))
11450 - set_pmd(pmd, pfn_pmd(pfn, PAGE_KERNEL_LARGE_EXEC));
11451 - else
11452 - set_pmd(pmd, pfn_pmd(pfn, PAGE_KERNEL_LARGE));
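Review bot: the new `cpu_has_pse && address >= (unsigned long)__va(0x100000)` condition forces the first megabyte onto 4 KiB pages even when PSE is available; the reason (presumably so that the sub-megabyte BIOS range tested in `is_kernel_text()` can get page-granular permissions instead of inheriting an executable large mapping) is stated nowhere and belongs in a comment on that line. The comment above, "Map with big pages if possible", should mention the exclusion as well, and `is_kernel_text(address, address + PMD_SIZE)` now takes a PMD-sized span where the old code probed two addresses, which is the more correct form but worth a word.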
11453 -@@ -183,7 +184,7 @@ static void __init kernel_physical_mappi
11454 - for (pte_ofs = 0;
11455 - pte_ofs < PTRS_PER_PTE && pfn < max_low_pfn;
11456 - pte++, pfn++, pte_ofs++, address += PAGE_SIZE) {
11457 -- if (is_kernel_text(address))
11458 -+ if (is_kernel_text(address, address + PAGE_SIZE))
11459 - set_pte(pte, pfn_pte(pfn, PAGE_KERNEL_EXEC));
11460 - else
11461 - set_pte(pte, pfn_pte(pfn, PAGE_KERNEL));
11462 -@@ -338,9 +339,9 @@ static void __init set_highmem_pages_ini
11463 - #define set_highmem_pages_init(bad_ppro) do { } while (0)
11464 - #endif /* CONFIG_HIGHMEM */
11465 -
11466 --unsigned long long __PAGE_KERNEL = _PAGE_KERNEL;
11467 -+unsigned long long __PAGE_KERNEL __read_only = _PAGE_KERNEL;
11468 - EXPORT_SYMBOL(__PAGE_KERNEL);
11469 --unsigned long long __PAGE_KERNEL_EXEC = _PAGE_KERNEL_EXEC;
11470 -+unsigned long long __PAGE_KERNEL_EXEC __read_only = _PAGE_KERNEL_EXEC;
11471 -
11472 - #ifdef CONFIG_NUMA
11473 - extern void __init remap_numa_kva(void);
11474 -@@ -351,26 +352,10 @@ extern void __init remap_numa_kva(void);
11475 - void __init native_pagetable_setup_start(pgd_t *base)
11476 - {
11477 - #ifdef CONFIG_X86_PAE
11478 -- int i;
11479 --
11480 -- /*
11481 -- * Init entries of the first-level page table to the
11482 -- * zero page, if they haven't already been set up.
11483 -- *
11484 -- * In a normal native boot, we'll be running on a
11485 -- * pagetable rooted in swapper_pg_dir, but not in PAE
11486 -- * mode, so this will end up clobbering the mappings
11487 -- * for the lower 24Mbytes of the address space,
11488 -- * without affecting the kernel address space.
11489 -- */
11490 -- for (i = 0; i < USER_PTRS_PER_PGD; i++)
11491 -- set_pgd(&base[i],
11492 -- __pgd(__pa(empty_zero_page) | _PAGE_PRESENT));
11493 -+ unsigned int i;
11494 -
11495 -- /* Make sure kernel address space is empty so that a pagetable
11496 -- will be allocated for it. */
11497 -- memset(&base[USER_PTRS_PER_PGD], 0,
11498 -- KERNEL_PGD_PTRS * sizeof(pgd_t));
11499 -+ for (i = 0; i < PTRS_PER_PGD; i++)
11500 -+ paravirt_alloc_pd(__pa(swapper_pm_dir + i) >> PAGE_SHIFT);
11501 - #else
11502 - paravirt_alloc_pd(__pa(swapper_pg_dir) >> PAGE_SHIFT);
11503 - #endif
11504 -@@ -378,16 +363,6 @@ void __init native_pagetable_setup_start
11505 -
11506 - void __init native_pagetable_setup_done(pgd_t *base)
11507 - {
11508 --#ifdef CONFIG_X86_PAE
11509 -- /*
11510 -- * Add low memory identity-mappings - SMP needs it when
11511 -- * starting up on an AP from real-mode. In the non-PAE
11512 -- * case we already have these mappings through head.S.
11513 -- * All user-space mappings are explicitly cleared after
11514 -- * SMP startup.
11515 -- */
11516 -- set_pgd(&base[0], base[USER_PTRS_PER_PGD]);
11517 --#endif
11518 - }
11519 -
11520 - /*
11521 -@@ -449,12 +424,12 @@ static void __init pagetable_init (void)
11522 - * Swap suspend & friends need this for resume because things like the intel-agp
11523 - * driver might have split up a kernel 4MB mapping.
11524 - */
11525 --char __nosavedata swsusp_pg_dir[PAGE_SIZE]
11526 -+pgd_t __nosavedata swsusp_pg_dir[PTRS_PER_PGD]
11527 - __attribute__ ((aligned (PAGE_SIZE)));
11528 -
11529 - static inline void save_pg_dir(void)
11530 - {
11531 -- memcpy(swsusp_pg_dir, swapper_pg_dir, PAGE_SIZE);
11532 -+ clone_pgd_range(swsusp_pg_dir, swapper_pg_dir, PTRS_PER_PGD);
11533 - }
11534 - #else
11535 - static inline void save_pg_dir(void)
11536 -@@ -483,12 +458,11 @@ void zap_low_mappings (void)
11537 - flush_tlb_all();
11538 - }
11539 -
11540 --int nx_enabled = 0;
11541 -+int nx_enabled;
11542 -
11543 - #ifdef CONFIG_X86_PAE
11544 -
11545 --static int disable_nx __initdata = 0;
11546 --u64 __supported_pte_mask __read_mostly = ~_PAGE_NX;
11547 -+u64 __supported_pte_mask __read_only = ~_PAGE_NX;
11548 - EXPORT_SYMBOL_GPL(__supported_pte_mask);
11549 -
11550 - /*
11551 -@@ -499,36 +473,31 @@ EXPORT_SYMBOL_GPL(__supported_pte_mask);
11552 - * on Enable
11553 - * off Disable
11554 - */
11555 -+#if !defined(CONFIG_PAX_PAGEEXEC)
11556 - static int __init noexec_setup(char *str)
11557 - {
11558 - if (!str || !strcmp(str, "on")) {
11559 -- if (cpu_has_nx) {
11560 -- __supported_pte_mask |= _PAGE_NX;
11561 -- disable_nx = 0;
11562 -- }
11563 -+ if (cpu_has_nx)
11564 -+ nx_enabled = 1;
11565 - } else if (!strcmp(str,"off")) {
11566 -- disable_nx = 1;
11567 -- __supported_pte_mask &= ~_PAGE_NX;
11568 -+ nx_enabled = 0;
11569 - } else
11570 - return -EINVAL;
11571 -
11572 - return 0;
11573 - }
11574 - early_param("noexec", noexec_setup);
11575 -+#endif
11576 -
11577 - static void __init set_nx(void)
11578 - {
11579 -- unsigned int v[4], l, h;
11580 -+ if (!nx_enabled && cpu_has_nx) {
11581 -+ unsigned l, h;
11582 -
11583 -- if (cpu_has_pae && (cpuid_eax(0x80000000) > 0x80000001)) {
11584 -- cpuid(0x80000001, &v[0], &v[1], &v[2], &v[3]);
11585 -- if ((v[3] & (1 << 20)) && !disable_nx) {
11586 -- rdmsr(MSR_EFER, l, h);
11587 -- l |= EFER_NX;
11588 -- wrmsr(MSR_EFER, l, h);
11589 -- nx_enabled = 1;
11590 -- __supported_pte_mask |= _PAGE_NX;
11591 -- }
11592 -+ __supported_pte_mask &= ~_PAGE_NX;
11593 -+ rdmsr(MSR_EFER, l, h);
11594 -+ l &= ~EFER_NX;
11595 -+ wrmsr(MSR_EFER, l, h);
11596 - }
11597 - }
11598 -
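Review bot: under `CONFIG_PAX_PAGEEXEC` the `noexec_setup()` early param is compiled out, so nothing in this file ever sets `nx_enabled` to 1, yet the new `set_nx()` clears `_PAGE_NX` from `__supported_pte_mask` and `EFER_NX` whenever `!nx_enabled && cpu_has_nx`; that is only correct if `nx_enabled` is initialised elsewhere in the patchset (not in the visible hunks), and a comment at the `int nx_enabled;` declaration saying where would stop the next reader from concluding that PAGEEXEC kernels disable NX on every NX-capable CPU. Likewise `__supported_pte_mask` is now `__read_only` but is still written here; that is sound only if the `__read_only` section becomes read-only no earlier than the `free_initmem()` hunk below, so a comment at the write is warranted.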
11599 -@@ -581,14 +550,6 @@ void __init paging_init(void)
11600 -
11601 - load_cr3(swapper_pg_dir);
11602 -
11603 --#ifdef CONFIG_X86_PAE
11604 -- /*
11605 -- * We will bail out later - printk doesn't work right now so
11606 -- * the user would just see a hanging kernel.
11607 -- */
11608 -- if (cpu_has_pae)
11609 -- set_in_cr4(X86_CR4_PAE);
11610 --#endif
11611 - __flush_tlb_all();
11612 -
11613 - kmap_init();
11614 -@@ -659,7 +620,7 @@ void __init mem_init(void)
11615 - set_highmem_pages_init(bad_ppro);
11616 -
11617 - codesize = (unsigned long) &_etext - (unsigned long) &_text;
11618 -- datasize = (unsigned long) &_edata - (unsigned long) &_etext;
11619 -+ datasize = (unsigned long) &_edata - (unsigned long) &_data;
11620 - initsize = (unsigned long) &__init_end - (unsigned long) &__init_begin;
11621 -
11622 - kclist_add(&kcore_mem, __va(0), max_low_pfn << PAGE_SHIFT);
11623 -@@ -704,10 +665,10 @@ void __init mem_init(void)
11624 - (unsigned long)&__init_begin, (unsigned long)&__init_end,
11625 - ((unsigned long)&__init_end - (unsigned long)&__init_begin) >> 10,
11626 -
11627 -- (unsigned long)&_etext, (unsigned long)&_edata,
11628 -- ((unsigned long)&_edata - (unsigned long)&_etext) >> 10,
11629 -+ (unsigned long)&_data, (unsigned long)&_edata,
11630 -+ ((unsigned long)&_edata - (unsigned long)&_data) >> 10,
11631 -
11632 -- (unsigned long)&_text, (unsigned long)&_etext,
11633 -+ ktla_ktva((unsigned long)&_text), ktla_ktva((unsigned long)&_etext),
11634 - ((unsigned long)&_etext - (unsigned long)&_text) >> 10);
11635 -
11636 - #ifdef CONFIG_HIGHMEM
11637 -@@ -718,10 +679,6 @@ void __init mem_init(void)
11638 - BUG_ON((unsigned long)high_memory > VMALLOC_START);
11639 - #endif /* double-sanity-check paranoia */
11640 -
11641 --#ifdef CONFIG_X86_PAE
11642 -- if (!cpu_has_pae)
11643 -- panic("cannot execute a PAE-enabled kernel on a PAE-less CPU!");
11644 --#endif
11645 - if (boot_cpu_data.wp_works_ok < 0)
11646 - test_wp_bit();
11647 -
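Review bot: this hunk deletes the `panic("cannot execute a PAE-enabled kernel on a PAE-less CPU!")` check without a replacement in the visible hunks; together with the earlier removal of `set_in_cr4(X86_CR4_PAE)` from `paging_init()` it implies PAE is now enabled and verified before C code runs, which is fine, but the patch should say where that check moved, otherwise a PAE kernel booted on a non-PAE CPU loses its one clear diagnostic.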
11648 -@@ -839,6 +796,46 @@ void free_init_pages(char *what, unsigne
11649 -
11650 - void free_initmem(void)
11651 - {
11652 -+
11653 -+#ifdef CONFIG_PAX_KERNEXEC
11654 -+ /* PaX: limit KERNEL_CS to actual size */
11655 -+ unsigned long addr, limit;
11656 -+ __u32 a, b;
11657 -+ int cpu;
11658 -+ pgd_t *pgd;
11659 -+ pud_t *pud;
11660 -+ pmd_t *pmd;
11661 -+
11662 -+#ifdef CONFIG_MODULES
11663 -+ limit = ktva_ktla((unsigned long)&MODULES_END);
11664 -+#else
11665 -+ limit = (unsigned long)&_etext;
11666 -+#endif
11667 -+ limit = (limit - 1UL) >> PAGE_SHIFT;
11668 -+
11669 -+ for (cpu = 0; cpu < NR_CPUS; cpu++) {
11670 -+ pack_descriptor(&a, &b, get_desc_base(&get_cpu_gdt_table(cpu)[GDT_ENTRY_KERNEL_CS]), limit, 0x9B, 0xC);
11671 -+ write_gdt_entry(get_cpu_gdt_table(cpu), GDT_ENTRY_KERNEL_CS, a, b);
11672 -+ }
11673 -+
11674 -+ /* PaX: make KERNEL_CS read-only */
11675 -+ for (addr = ktla_ktva((unsigned long)&_text); addr < (unsigned long)&_data; addr += PMD_SIZE) {
11676 -+ pgd = pgd_offset_k(addr);
11677 -+ pud = pud_offset(pgd, addr);
11678 -+ pmd = pmd_offset(pud, addr);
11679 -+ set_pmd(pmd, __pmd(pmd_val(*pmd) & ~_PAGE_RW));
11680 -+ }
11681 -+#ifdef CONFIG_X86_PAE
11682 -+ for (addr = (unsigned long)&__init_begin; addr < (unsigned long)&__init_end; addr += PMD_SIZE) {
11683 -+ pgd = pgd_offset_k(addr);
11684 -+ pud = pud_offset(pgd, addr);
11685 -+ pmd = pmd_offset(pud, addr);
11686 -+ set_pmd(pmd, __pmd(pmd_val(*pmd) | (_PAGE_NX & __supported_pte_mask)));
11687 -+ }
11688 -+#endif
11689 -+ flush_tlb_all();
11690 -+#endif
11691 -+
11692 - free_init_pages("unused kernel memory",
11693 - (unsigned long)(&__init_begin),
11694 - (unsigned long)(&__init_end));
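Review bot: the GDT rewrite loop `for (cpu = 0; cpu < NR_CPUS; cpu++)` touches every compile-time CPU slot rather than `for_each_possible_cpu()`, and the `pack_descriptor(..., 0x9B, 0xC)` arguments are magic (present, DPL 0, execute/read code segment; granularity and 32-bit flags) that should be spelled out in a comment next to the page-granular `limit` they depend on. The read-only loop `for (addr = ktla_ktva((unsigned long)&_text); addr < (unsigned long)&_data; addr += PMD_SIZE)` also silently assumes `_data` is `PMD_SIZE`-aligned: if it is not, the PMD containing the start of `.data` loses `_PAGE_RW` and the first write there oopses, so add a `BUG_ON` or document the linker-script alignment it relies on.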
11695 -diff -urNp linux-2.6.24.4/arch/x86/mm/init_64.c linux-2.6.24.4/arch/x86/mm/init_64.c
11696 ---- linux-2.6.24.4/arch/x86/mm/init_64.c 2008-03-24 14:49:18.000000000 -0400
11697 -+++ linux-2.6.24.4/arch/x86/mm/init_64.c 2008-03-26 17:56:55.000000000 -0400
11698 -@@ -45,7 +45,7 @@
11699 - #include <asm/sections.h>
11700 -
11701 - #ifndef Dprintk
11702 --#define Dprintk(x...)
11703 -+#define Dprintk(x...) do {} while (0)
11704 - #endif
11705 -
11706 - const struct dma_mapping_ops* dma_ops;
11707 -@@ -121,6 +121,10 @@ static __init void set_pte_phys(unsigned
11708 - pmd_t *pmd;
11709 - pte_t *pte, new_pte;
11710 -
11711 -+#ifdef CONFIG_PAX_KERNEXEC
11712 -+ unsigned long cr0;
11713 -+#endif
11714 -+
11715 - Dprintk("set_pte_phys %lx to %lx\n", vaddr, phys);
11716 -
11717 - pgd = pgd_offset_k(vaddr);
11718 -@@ -131,7 +135,7 @@ static __init void set_pte_phys(unsigned
11719 - pud = pud_offset(pgd, vaddr);
11720 - if (pud_none(*pud)) {
11721 - pmd = (pmd_t *) spp_getpage();
11722 -- set_pud(pud, __pud(__pa(pmd) | _KERNPG_TABLE | _PAGE_USER));
11723 -+ set_pud(pud, __pud(__pa(pmd) | _PAGE_TABLE));
11724 - if (pmd != pmd_offset(pud, 0)) {
11725 - printk("PAGETABLE BUG #01! %p <-> %p\n", pmd, pmd_offset(pud,0));
11726 - return;
11727 -@@ -140,7 +144,7 @@ static __init void set_pte_phys(unsigned
11728 - pmd = pmd_offset(pud, vaddr);
11729 - if (pmd_none(*pmd)) {
11730 - pte = (pte_t *) spp_getpage();
11731 -- set_pmd(pmd, __pmd(__pa(pte) | _KERNPG_TABLE | _PAGE_USER));
11732 -+ set_pmd(pmd, __pmd(__pa(pte) | _PAGE_TABLE));
11733 - if (pte != pte_offset_kernel(pmd, 0)) {
11734 - printk("PAGETABLE BUG #02!\n");
11735 - return;
11736 -@@ -152,8 +156,17 @@ static __init void set_pte_phys(unsigned
11737 - if (!pte_none(*pte) &&
11738 - pte_val(*pte) != (pte_val(new_pte) & __supported_pte_mask))
11739 - pte_ERROR(*pte);
11740 -+
11741 -+#ifdef CONFIG_PAX_KERNEXEC
11742 -+ pax_open_kernel(cr0);
11743 -+#endif
11744 -+
11745 - set_pte(pte, new_pte);
11746 -
11747 -+#ifdef CONFIG_PAX_KERNEXEC
11748 -+ pax_close_kernel(cr0);
11749 -+#endif
11750 -+
11751 - /*
11752 - * It's enough to flush this one mapping.
11753 - * (PGE mappings get flushed as well)
11754 -@@ -225,7 +238,7 @@ __meminit void *early_ioremap(unsigned l
11755 - addr &= PMD_MASK;
11756 - for (i = 0; i < pmds; i++, addr += PMD_SIZE)
11757 - set_pmd(pmd + i,__pmd(addr | _KERNPG_TABLE | _PAGE_PSE));
11758 -- __flush_tlb();
11759 -+ __flush_tlb_all();
11760 - return (void *)vaddr;
11761 - next:
11762 - ;
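Review bot: `__flush_tlb()` and `__flush_tlb_all()` differ in whether global (PGE) entries are flushed, and the pmd written just above with `_KERNPG_TABLE | _PAGE_PSE` is not global, so the hunk should say which stale global mapping the stronger flush is guarding against (the ioremap hunks further down add `_PAGE_GLOBAL`, which is one candidate); the same substitution in `early_iounmap()` and `phys_pud_init()` in the next two hunks needs the same explanation, otherwise a reader will take all three for no-ops.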
11763 -@@ -246,7 +259,7 @@ __meminit void early_iounmap(void *addr,
11764 - pmd = level2_kernel_pgt + pmd_index(vaddr);
11765 - for (i = 0; i < pmds; i++)
11766 - pmd_clear(pmd + i);
11767 -- __flush_tlb();
11768 -+ __flush_tlb_all();
11769 - }
11770 -
11771 - static void __meminit
11772 -@@ -314,7 +327,7 @@ static void __meminit phys_pud_init(pud_
11773 - spin_unlock(&init_mm.page_table_lock);
11774 - unmap_low_page(pmd);
11775 - }
11776 -- __flush_tlb();
11777 -+ __flush_tlb_all();
11778 - }
11779 -
11780 - static void __init find_early_table_space(unsigned long end)
11781 -@@ -583,6 +596,39 @@ void free_init_pages(char *what, unsigne
11782 -
11783 - void free_initmem(void)
11784 - {
11785 -+
11786 -+#ifdef CONFIG_PAX_KERNEXEC
11787 -+ unsigned long addr, end;
11788 -+ pgd_t *pgd;
11789 -+ pud_t *pud;
11790 -+ pmd_t *pmd;
11791 -+
11792 -+ /* PaX: make kernel code/rodata read-only, rest non-executable */
11793 -+ for (addr = __START_KERNEL_map; addr < __START_KERNEL_map + KERNEL_TEXT_SIZE; addr += PMD_SIZE) {
11794 -+ pgd = pgd_offset_k(addr);
11795 -+ pud = pud_offset(pgd, addr);
11796 -+ pmd = pmd_offset(pud, addr);
11797 -+ if ((unsigned long)_text <= addr && addr < (unsigned long)_data)
11798 -+ set_pmd(pmd, __pmd(pmd_val(*pmd) & ~_PAGE_RW));
11799 -+ else
11800 -+ set_pmd(pmd, __pmd(pmd_val(*pmd) | (_PAGE_NX & __supported_pte_mask)));
11801 -+ }
11802 -+
11803 -+ addr = (unsigned long)__va(__pa(__START_KERNEL_map));
11804 -+ end = addr + KERNEL_TEXT_SIZE;
11805 -+ for (; addr < end; addr += PMD_SIZE) {
11806 -+ pgd = pgd_offset_k(addr);
11807 -+ pud = pud_offset(pgd, addr);
11808 -+ pmd = pmd_offset(pud, addr);
11809 -+ if ((unsigned long)__va(__pa(_text)) <= addr && addr < (unsigned long)__va(__pa(_data)))
11810 -+ set_pmd(pmd, __pmd(pmd_val(*pmd) & ~_PAGE_RW));
11811 -+ else
11812 -+ set_pmd(pmd, __pmd(pmd_val(*pmd) | (_PAGE_NX & __supported_pte_mask)));
11813 -+ }
11814 -+
11815 -+ flush_tlb_all();
11816 -+#endif
11817 -+
11818 - free_init_pages("unused kernel memory",
11819 - (unsigned long)(&__init_begin),
11820 - (unsigned long)(&__init_end));
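Review bot: the two loops in free_initmem() walk pgd_offset_k()/pud_offset()/pmd_offset() across the whole KERNEL_TEXT_SIZE window without any pud_none()/pmd_none() checks, so the code assumes every PMD in both the __START_KERNEL_map range and its __va(__pa()) direct-map alias is populated; a comment should say why that holds (this is the static kernel mapping set up at boot, at PMD_SIZE granularity). Please also document the intent of the second loop, which is the important one for security: without clearing RW / setting NX on the direct-map alias of the same physical pages the read-only text could still be written through that alias. The two loop bodies are identical apart from the bounds and would read better as one helper taking (start, end, text_lo, text_hi). Finally, the boundary is `_data`, not `_etext`/`__end_rodata`, so [_text, _data) loses RW as a whole and everything from _data onward gets NX; state in the comment that rodata is expected to sit below _data for this to cover it.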
11821 -@@ -730,7 +776,7 @@ int in_gate_area_no_task(unsigned long a
11822 -
11823 - const char *arch_vma_name(struct vm_area_struct *vma)
11824 - {
11825 -- if (vma->vm_mm && vma->vm_start == (long)vma->vm_mm->context.vdso)
11826 -+ if (vma->vm_mm && vma->vm_start == vma->vm_mm->context.vdso)
11827 - return "[vdso]";
11828 - if (vma == &gate_vma)
11829 - return "[vsyscall]";
11830 -diff -urNp linux-2.6.24.4/arch/x86/mm/ioremap_32.c linux-2.6.24.4/arch/x86/mm/ioremap_32.c
11831 ---- linux-2.6.24.4/arch/x86/mm/ioremap_32.c 2008-03-24 14:49:18.000000000 -0400
11832 -+++ linux-2.6.24.4/arch/x86/mm/ioremap_32.c 2008-03-26 17:56:55.000000000 -0400
11833 -@@ -67,8 +67,11 @@ void __iomem * __ioremap(unsigned long p
11834 - return NULL;
11835 - }
11836 -
11837 -- prot = __pgprot(_PAGE_PRESENT | _PAGE_RW | _PAGE_DIRTY
11838 -- | _PAGE_ACCESSED | flags);
11839 -+#ifdef CONFIG_X86_PAE
11840 -+ prot = __pgprot((__PAGE_KERNEL | _PAGE_GLOBAL | flags) & __supported_pte_mask);
11841 -+#else
11842 -+ prot = __pgprot(__PAGE_KERNEL | _PAGE_GLOBAL | flags);
11843 -+#endif
11844 -
11845 - /*
11846 - * Mappings have to be page-aligned
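Review bot: the PAE branch masks `__PAGE_KERNEL | _PAGE_GLOBAL | flags` with __supported_pte_mask while the non-PAE branch applies the same bits unmasked; add a comment saying why the asymmetry is safe (there is no NX bit to strip without PAE, and the G bit is ignored by the CPU while CR4.PGE is clear). The comment should also spell out which bits __PAGE_KERNEL contributes beyond the explicit PRESENT|RW|DIRTY|ACCESSED list it replaces, because that difference, not the added _PAGE_GLOBAL, is the security-relevant effect on ioremap()ed MMIO mappings and it is invisible in the hunk.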
11847 -diff -urNp linux-2.6.24.4/arch/x86/mm/ioremap_64.c linux-2.6.24.4/arch/x86/mm/ioremap_64.c
11848 ---- linux-2.6.24.4/arch/x86/mm/ioremap_64.c 2008-03-24 14:49:18.000000000 -0400
11849 -+++ linux-2.6.24.4/arch/x86/mm/ioremap_64.c 2008-03-26 17:56:55.000000000 -0400
11850 -@@ -48,7 +48,7 @@ ioremap_change_attr(unsigned long phys_a
11851 - * Must use a address here and not struct page because the phys addr
11852 - * can be a in hole between nodes and not have an memmap entry.
11853 - */
11854 -- err = change_page_attr_addr(vaddr,npages,__pgprot(__PAGE_KERNEL|flags));
11855 -+ err = change_page_attr_addr(vaddr,npages,__pgprot((__PAGE_KERNEL|_PAGE_GLOBAL|flags) & __supported_pte_mask));
11856 - if (!err)
11857 - global_flush_tlb();
11858 - }
11859 -@@ -103,8 +103,8 @@ void __iomem * __ioremap(unsigned long p
11860 - }
11861 - #endif
11862 -
11863 -- pgprot = __pgprot(_PAGE_PRESENT | _PAGE_RW | _PAGE_GLOBAL
11864 -- | _PAGE_DIRTY | _PAGE_ACCESSED | flags);
11865 -+ pgprot = __pgprot((__PAGE_KERNEL | _PAGE_GLOBAL | flags) & __supported_pte_mask);
11866 -+
11867 - /*
11868 - * Mappings have to be page-aligned
11869 - */
11870 -@@ -126,7 +126,7 @@ void __iomem * __ioremap(unsigned long p
11871 - return NULL;
11872 - }
11873 - if (flags && ioremap_change_attr(phys_addr, size, flags) < 0) {
11874 -- area->flags &= 0xffffff;
11875 -+ area->flags &= 0xfffff;
11876 - vunmap(addr);
11877 - return NULL;
11878 - }
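Review bot: the mask change from 0xffffff to 0xfffff in the error path is a real fix, not churn, and deserves a comment: the iounmap() hunk below tests `p->flags >> 20`, i.e. bits 20 and up mean "page attributes were changed", and the old 24-bit mask left bits 20..23 untouched, so the clearing was a no-op for small `flags` values. Quote the `>> 20` convention at the mask so the two stay in sync.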
11879 -@@ -199,7 +199,7 @@ void iounmap(volatile void __iomem *addr
11880 -
11881 - /* Reset the direct mapping. Can block */
11882 - if (p->flags >> 20)
11883 -- ioremap_change_attr(p->phys_addr, p->size, 0);
11884 -+ ioremap_change_attr(p->phys_addr, p->size - PAGE_SIZE, 0);
11885 -
11886 - /* Finally remove it */
11887 - o = remove_vm_area((void *)addr);
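Review bot: `p->size - PAGE_SIZE` relies on vm_struct.size including the guard page that get_vm_area() appends to every area, which the original `p->size` call ignored (it changed attributes on one page past the real mapping); please add a comment naming the guard page, because a reader without that context will read the subtraction as an off-by-one bug and revert it.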
11888 -diff -urNp linux-2.6.24.4/arch/x86/mm/mmap_32.c linux-2.6.24.4/arch/x86/mm/mmap_32.c
11889 ---- linux-2.6.24.4/arch/x86/mm/mmap_32.c 2008-03-24 14:49:18.000000000 -0400
11890 -+++ linux-2.6.24.4/arch/x86/mm/mmap_32.c 2008-03-26 17:56:55.000000000 -0400
11891 -@@ -35,12 +35,18 @@
11892 - * Leave an at least ~128 MB hole.
11893 - */
11894 - #define MIN_GAP (128*1024*1024)
11895 --#define MAX_GAP (TASK_SIZE/6*5)
11896 -+#define MAX_GAP (task_size/6*5)
11897 -
11898 - static inline unsigned long mmap_base(struct mm_struct *mm)
11899 - {
11900 - unsigned long gap = current->signal->rlim[RLIMIT_STACK].rlim_cur;
11901 - unsigned long random_factor = 0;
11902 -+ unsigned long task_size = TASK_SIZE;
11903 -+
11904 -+#ifdef CONFIG_PAX_SEGMEXEC
11905 -+ if (mm->pax_flags & MF_PAX_SEGMEXEC)
11906 -+ task_size = SEGMEXEC_TASK_SIZE;
11907 -+#endif
11908 -
11909 - if (current->flags & PF_RANDOMIZE)
11910 - random_factor = get_random_int() % (1024*1024);
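Review bot: MAX_GAP stays a macro but now expands to `task_size/6*5`, so it silently depends on a local variable of exactly that name existing in every function that uses it (here only mmap_base()); either make it a static inline taking the task size or put a comment at the #define. The SEGMEXEC branch choosing SEGMEXEC_TASK_SIZE per mm is the right place for the adjustment, since the gap has to be computed against the halved address space, but note that MIN_GAP is unchanged, so the 128 MB minimum still applies to the smaller space.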
11911 -@@ -50,7 +56,7 @@ static inline unsigned long mmap_base(st
11912 - else if (gap > MAX_GAP)
11913 - gap = MAX_GAP;
11914 -
11915 -- return PAGE_ALIGN(TASK_SIZE - gap - random_factor);
11916 -+ return PAGE_ALIGN(task_size - gap - random_factor);
11917 - }
11918 -
11919 - /*
11920 -@@ -66,11 +72,30 @@ void arch_pick_mmap_layout(struct mm_str
11921 - if (sysctl_legacy_va_layout ||
11922 - (current->personality & ADDR_COMPAT_LAYOUT) ||
11923 - current->signal->rlim[RLIMIT_STACK].rlim_cur == RLIM_INFINITY) {
11924 -+
11925 -+#ifdef CONFIG_PAX_SEGMEXEC
11926 -+ if (mm->pax_flags & MF_PAX_SEGMEXEC)
11927 -+ mm->mmap_base = SEGMEXEC_TASK_UNMAPPED_BASE;
11928 -+ else
11929 -+#endif
11930 -+
11931 - mm->mmap_base = TASK_UNMAPPED_BASE;
11932 -+
11933 -+#ifdef CONFIG_PAX_RANDMMAP
11934 -+ if (mm->pax_flags & MF_PAX_RANDMMAP)
11935 -+ mm->mmap_base += mm->delta_mmap;
11936 -+#endif
11937 -+
11938 - mm->get_unmapped_area = arch_get_unmapped_area;
11939 - mm->unmap_area = arch_unmap_area;
11940 - } else {
11941 - mm->mmap_base = mmap_base(mm);
11942 -+
11943 -+#ifdef CONFIG_PAX_RANDMMAP
11944 -+ if (mm->pax_flags & MF_PAX_RANDMMAP)
11945 -+ mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
11946 -+#endif
11947 -+
11948 - mm->get_unmapped_area = arch_get_unmapped_area_topdown;
11949 - mm->unmap_area = arch_unmap_area_topdown;
11950 - }
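Review bot: the `#ifdef CONFIG_PAX_SEGMEXEC ... else #endif` construct leaves an `else` whose body is the unconditional `mm->mmap_base = TASK_UNMAPPED_BASE;` outside the #ifdef; it compiles either way but is fragile (any added line between them changes the meaning), so use braces or an explicit #else. In the top-down branch mmap_base is lowered by `mm->delta_mmap + mm->delta_stack` and in the legacy branch raised by `mm->delta_mmap` with no visible bound check; add a comment stating where the deltas are bounded so the result stays between TASK_UNMAPPED_BASE and the stack gap.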
11951 -diff -urNp linux-2.6.24.4/arch/x86/mm/mmap_64.c linux-2.6.24.4/arch/x86/mm/mmap_64.c
11952 ---- linux-2.6.24.4/arch/x86/mm/mmap_64.c 2008-03-24 14:49:18.000000000 -0400
11953 -+++ linux-2.6.24.4/arch/x86/mm/mmap_64.c 2008-03-26 17:56:55.000000000 -0400
11954 -@@ -23,6 +23,12 @@ void arch_pick_mmap_layout(struct mm_str
11955 - unsigned rnd = get_random_int() & 0xfffffff;
11956 - mm->mmap_base += ((unsigned long)rnd) << PAGE_SHIFT;
11957 - }
11958 -+
11959 -+#ifdef CONFIG_PAX_RANDMMAP
11960 -+ if (mm->pax_flags & MF_PAX_RANDMMAP)
11961 -+ mm->mmap_base += mm->delta_mmap;
11962 -+#endif
11963 -+
11964 - mm->get_unmapped_area = arch_get_unmapped_area;
11965 - mm->unmap_area = arch_unmap_area;
11966 - }
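Review bot: in the legacy layout the RANDMMAP delta is added on top of the kernel's own `rnd << PAGE_SHIFT` shift when PF_RANDOMIZE is set, so the two randomisations stack; a comment should say whether that is intended (and, if so, that the combined offset is bounded elsewhere) or whether delta_mmap is expected to be zero whenever the kernel's randomisation applies.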
11967 -diff -urNp linux-2.6.24.4/arch/x86/mm/numa_64.c linux-2.6.24.4/arch/x86/mm/numa_64.c
11968 ---- linux-2.6.24.4/arch/x86/mm/numa_64.c 2008-03-24 14:49:18.000000000 -0400
11969 -+++ linux-2.6.24.4/arch/x86/mm/numa_64.c 2008-03-26 17:56:55.000000000 -0400
11970 -@@ -19,7 +19,7 @@
11971 - #include <asm/acpi.h>
11972 -
11973 - #ifndef Dprintk
11974 --#define Dprintk(x...)
11975 -+#define Dprintk(x...) do {} while (0)
11976 - #endif
11977 -
11978 - struct pglist_data *node_data[MAX_NUMNODES] __read_mostly;
11979 -diff -urNp linux-2.6.24.4/arch/x86/mm/pageattr_32.c linux-2.6.24.4/arch/x86/mm/pageattr_32.c
11980 ---- linux-2.6.24.4/arch/x86/mm/pageattr_32.c 2008-03-24 14:49:18.000000000 -0400
11981 -+++ linux-2.6.24.4/arch/x86/mm/pageattr_32.c 2008-03-26 17:56:55.000000000 -0400
11982 -@@ -13,6 +13,7 @@
11983 - #include <asm/tlbflush.h>
11984 - #include <asm/pgalloc.h>
11985 - #include <asm/sections.h>
11986 -+#include <asm/desc.h>
11987 -
11988 - static DEFINE_SPINLOCK(cpa_lock);
11989 - static struct list_head df_list = LIST_HEAD_INIT(df_list);
11990 -@@ -37,16 +38,16 @@ pte_t *lookup_address(unsigned long addr
11991 - }
11992 -
11993 - static struct page *split_large_page(unsigned long address, pgprot_t prot,
11994 -- pgprot_t ref_prot)
11995 -+ pgprot_t ref_prot, unsigned long flags)
11996 - {
11997 - int i;
11998 - unsigned long addr;
11999 - struct page *base;
12000 - pte_t *pbase;
12001 -
12002 -- spin_unlock_irq(&cpa_lock);
12003 -+ spin_unlock_irqrestore(&cpa_lock, flags);
12004 - base = alloc_pages(GFP_KERNEL, 0);
12005 -- spin_lock_irq(&cpa_lock);
12006 -+ spin_lock_irqsave(&cpa_lock, flags);
12007 - if (!base)
12008 - return NULL;
12009 -
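Review bot: threading `flags` through split_large_page() so the lock is dropped with spin_unlock_irqrestore() and retaken with spin_lock_irqsave() is correct: the caller (change_page_attr(), see the last hunk of this file) uses spin_lock_irqsave(), so the old spin_unlock_irq() re-enabled interrupts unconditionally. Since `flags` is passed by value, the irqsave() on re-acquire only updates the callee's copy; that is harmless because the caller's copy still holds the originally saved state, but a one-line comment would save the next reader the analysis.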
12010 -@@ -99,7 +100,18 @@ static void set_pmd_pte(pte_t *kpte, uns
12011 - struct page *page;
12012 - unsigned long flags;
12013 -
12014 -+#ifdef CONFIG_PAX_KERNEXEC
12015 -+ unsigned long cr0;
12016 -+
12017 -+ pax_open_kernel(cr0);
12018 -+#endif
12019 -+
12020 - set_pte_atomic(kpte, pte); /* change init_mm */
12021 -+
12022 -+#ifdef CONFIG_PAX_KERNEXEC
12023 -+ pax_close_kernel(cr0);
12024 -+#endif
12025 -+
12026 - if (SHARED_KERNEL_PMD)
12027 - return;
12028 -
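Review bot: this is the first of several sites in the patch (revert_page(), set_pte_pfn(), bios32_service(), fix_processor_context()) wrapping a page-table or descriptor write in pax_open_kernel(cr0)/pax_close_kernel(cr0); please put a short comment at this first site explaining what the pair does (judging by the `cr0` argument it lifts the CR0.WP write protection so that read-only kernel page tables can be updated) and that the window must stay as small as it is here, a single set_pte_atomic() with no sleeping call in between.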
12029 -@@ -126,7 +138,7 @@ static inline void revert_page(struct pa
12030 - pte_t *linear;
12031 -
12032 - ref_prot =
12033 -- ((address & LARGE_PAGE_MASK) < (unsigned long)&_etext)
12034 -+ ((address & LARGE_PAGE_MASK) < ktla_ktva((unsigned long)&_etext))
12035 - ? PAGE_KERNEL_LARGE_EXEC : PAGE_KERNEL_LARGE;
12036 -
12037 - linear = (pte_t *)
12038 -@@ -143,7 +155,7 @@ static inline void save_page(struct page
12039 - }
12040 -
12041 - static int
12042 --__change_page_attr(struct page *page, pgprot_t prot)
12043 -+__change_page_attr(struct page *page, pgprot_t prot, unsigned long flags)
12044 - {
12045 - pte_t *kpte;
12046 - unsigned long address;
12047 -@@ -167,13 +179,20 @@ __change_page_attr(struct page *page, pg
12048 - struct page *split;
12049 -
12050 - ref_prot =
12051 -- ((address & LARGE_PAGE_MASK) < (unsigned long)&_etext)
12052 -+ ((address & LARGE_PAGE_MASK) < ktla_ktva((unsigned long)&_etext))
12053 - ? PAGE_KERNEL_EXEC : PAGE_KERNEL;
12054 -- split = split_large_page(address, prot, ref_prot);
12055 -+ split = split_large_page(address, prot, ref_prot, flags);
12056 - if (!split)
12057 - return -ENOMEM;
12058 -- set_pmd_pte(kpte,address,mk_pte(split, ref_prot));
12059 -- kpte_page = split;
12060 -+ if (pte_huge(*kpte)) {
12061 -+ set_pmd_pte(kpte,address,mk_pte(split, ref_prot));
12062 -+ kpte_page = split;
12063 -+ } else {
12064 -+ __free_pages(split, 0);
12065 -+ kpte = lookup_address(address);
12066 -+ kpte_page = virt_to_page(kpte);
12067 -+ set_pte_atomic(kpte, mk_pte(page, prot));
12068 -+ }
12069 - }
12070 - page_private(kpte_page)++;
12071 - } else if (!pte_huge(*kpte)) {
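Review bot: the new `else` branch (the PMD is no longer huge by the time split_large_page() returns) handles a race the original code ignored: split_large_page() drops cpa_lock around alloc_pages(), so another CPU can split the same large page in the meantime, and unconditionally installing `split` would leak that CPU's split and replace the live page table. The branch frees the unused page, re-looks up the PTE and sets the requested protection directly, after which the shared `page_private(kpte_page)++` applies to the freshly looked-up PTE page; please add a comment naming the race. The `ktla_ktva((unsigned long)&_etext)` translation now appears both here and in revert_page(); a small helper would keep the two in step.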
12072 -@@ -225,7 +244,7 @@ int change_page_attr(struct page *page,
12073 -
12074 - spin_lock_irqsave(&cpa_lock, flags);
12075 - for (i = 0; i < numpages; i++, page++) {
12076 -- err = __change_page_attr(page, prot);
12077 -+ err = __change_page_attr(page, prot, flags);
12078 - if (err)
12079 - break;
12080 - }
12081 -diff -urNp linux-2.6.24.4/arch/x86/mm/pageattr_64.c linux-2.6.24.4/arch/x86/mm/pageattr_64.c
12082 ---- linux-2.6.24.4/arch/x86/mm/pageattr_64.c 2008-03-24 14:49:18.000000000 -0400
12083 -+++ linux-2.6.24.4/arch/x86/mm/pageattr_64.c 2008-03-26 17:56:55.000000000 -0400
12084 -@@ -110,6 +110,10 @@ static void revert_page(unsigned long ad
12085 - pte_t large_pte;
12086 - unsigned long pfn;
12087 -
12088 -+#ifdef CONFIG_PAX_KERNEXEC
12089 -+ unsigned long cr0;
12090 -+#endif
12091 -+
12092 - pgd = pgd_offset_k(address);
12093 - BUG_ON(pgd_none(*pgd));
12094 - pud = pud_offset(pgd,address);
12095 -@@ -119,8 +123,18 @@ static void revert_page(unsigned long ad
12096 - pfn = (__pa(address) & LARGE_PAGE_MASK) >> PAGE_SHIFT;
12097 - large_pte = pfn_pte(pfn, ref_prot);
12098 - large_pte = pte_mkhuge(large_pte);
12099 -+
12100 -+#ifdef CONFIG_PAX_KERNEXEC
12101 -+ pax_open_kernel(cr0);
12102 -+#endif
12103 -+
12104 - set_pte((pte_t *)pmd, large_pte);
12105 --}
12106 -+
12107 -+#ifdef CONFIG_PAX_KERNEXEC
12108 -+ pax_close_kernel(cr0);
12109 -+#endif
12110 -+
12111 -+}
12112 -
12113 - static int
12114 - __change_page_attr(unsigned long address, unsigned long pfn, pgprot_t prot,
12115 -@@ -136,22 +150,36 @@ __change_page_attr(unsigned long address
12116 - BUG_ON(PageLRU(kpte_page));
12117 - BUG_ON(PageCompound(kpte_page));
12118 - if (pgprot_val(prot) != pgprot_val(ref_prot)) {
12119 -- if (!pte_huge(*kpte)) {
12120 -- set_pte(kpte, pfn_pte(pfn, prot));
12121 -- } else {
12122 -+ if (pte_huge(*kpte)) {
12123 - /*
12124 - * split_large_page will take the reference for this
12125 - * change_page_attr on the split page.
12126 - */
12127 - struct page *split;
12128 -+
12129 -+#ifdef CONFIG_PAX_KERNEXEC
12130 -+ unsigned long cr0;
12131 -+#endif
12132 -+
12133 - ref_prot2 = pte_pgprot(pte_clrhuge(*kpte));
12134 - split = split_large_page(address, prot, ref_prot2);
12135 - if (!split)
12136 - return -ENOMEM;
12137 - pgprot_val(ref_prot2) &= ~_PAGE_NX;
12138 -+
12139 -+#ifdef CONFIG_PAX_KERNEXEC
12140 -+ pax_open_kernel(cr0);
12141 -+#endif
12142 -+
12143 - set_pte(kpte, mk_pte(split, ref_prot2));
12144 -+
12145 -+#ifdef CONFIG_PAX_KERNEXEC
12146 -+ pax_close_kernel(cr0);
12147 -+#endif
12148 -+
12149 - kpte_page = split;
12150 -- }
12151 -+ } else
12152 -+ set_pte(kpte, pfn_pte(pfn, prot));
12153 - page_private(kpte_page)++;
12154 - } else if (!pte_huge(*kpte)) {
12155 - set_pte(kpte, pfn_pte(pfn, ref_prot));
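Review bot: swapping the order of the pte_huge() branches (huge case first, the plain set_pte() moved to a braceless `else`) changes no behaviour but hides the KERNEXEC additions in churn; keeping the original `if (!pte_huge(*kpte)) ... else` order shrinks this hunk to the `cr0` declaration and the open/close pair. Also state in a comment why only the set_pte() on the split page is wrapped in pax_open_kernel()/pax_close_kernel() while `set_pte(kpte, pfn_pte(pfn, prot))` and `set_pte(kpte, pfn_pte(pfn, ref_prot))` are not: presumably because the latter write into page-table pages obtained from alloc_pages(), which are writable, whereas the huge-page case writes the static kernel PMD that is read-only under KERNEXEC.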
12156 -diff -urNp linux-2.6.24.4/arch/x86/mm/pgtable_32.c linux-2.6.24.4/arch/x86/mm/pgtable_32.c
12157 ---- linux-2.6.24.4/arch/x86/mm/pgtable_32.c 2008-03-24 14:49:18.000000000 -0400
12158 -+++ linux-2.6.24.4/arch/x86/mm/pgtable_32.c 2008-03-26 17:56:55.000000000 -0400
12159 -@@ -83,6 +83,10 @@ static void set_pte_pfn(unsigned long va
12160 - pmd_t *pmd;
12161 - pte_t *pte;
12162 -
12163 -+#ifdef CONFIG_PAX_KERNEXEC
12164 -+ unsigned long cr0;
12165 -+#endif
12166 -+
12167 - pgd = swapper_pg_dir + pgd_index(vaddr);
12168 - if (pgd_none(*pgd)) {
12169 - BUG();
12170 -@@ -99,11 +103,20 @@ static void set_pte_pfn(unsigned long va
12171 - return;
12172 - }
12173 - pte = pte_offset_kernel(pmd, vaddr);
12174 -+
12175 -+#ifdef CONFIG_PAX_KERNEXEC
12176 -+ pax_open_kernel(cr0);
12177 -+#endif
12178 -+
12179 - if (pgprot_val(flags))
12180 - set_pte_present(&init_mm, vaddr, pte, pfn_pte(pfn, flags));
12181 - else
12182 - pte_clear(&init_mm, vaddr, pte);
12183 -
12184 -+#ifdef CONFIG_PAX_KERNEXEC
12185 -+ pax_close_kernel(cr0);
12186 -+#endif
12187 -+
12188 - /*
12189 - * It's enough to flush this one mapping.
12190 - * (PGE mappings get flushed as well)
12191 -diff -urNp linux-2.6.24.4/arch/x86/oprofile/backtrace.c linux-2.6.24.4/arch/x86/oprofile/backtrace.c
12192 ---- linux-2.6.24.4/arch/x86/oprofile/backtrace.c 2008-03-24 14:49:18.000000000 -0400
12193 -+++ linux-2.6.24.4/arch/x86/oprofile/backtrace.c 2008-03-26 17:56:55.000000000 -0400
12194 -@@ -37,7 +37,7 @@ static void backtrace_address(void *data
12195 - unsigned int *depth = data;
12196 -
12197 - if ((*depth)--)
12198 -- oprofile_add_trace(addr);
12199 -+ oprofile_add_trace(ktla_ktva(addr));
12200 - }
12201 -
12202 - static struct stacktrace_ops backtrace_ops = {
12203 -@@ -79,7 +79,7 @@ x86_backtrace(struct pt_regs * const reg
12204 - struct frame_head *head = (struct frame_head *)frame_pointer(regs);
12205 - unsigned long stack = stack_pointer(regs);
12206 -
12207 -- if (!user_mode_vm(regs)) {
12208 -+ if (!user_mode(regs)) {
12209 - if (depth)
12210 - dump_trace(NULL, regs, (unsigned long *)stack,
12211 - &backtrace_ops, &depth);
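Review bot: replacing user_mode_vm(regs) with user_mode(regs) is a behaviour change unrelated to the PaX additions: user_mode_vm() also classifies vm86-mode frames as user space, whereas user_mode() looks at the CS RPL only, so a profiling interrupt landing in a vm86 task would now be treated as kernel mode and dump_trace() would walk the kernel stack using vm86 registers. If vm86 is unavailable under this configuration, say so in a comment; otherwise keep user_mode_vm().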
12212 -diff -urNp linux-2.6.24.4/arch/x86/oprofile/op_model_p4.c linux-2.6.24.4/arch/x86/oprofile/op_model_p4.c
12213 ---- linux-2.6.24.4/arch/x86/oprofile/op_model_p4.c 2008-03-24 14:49:18.000000000 -0400
12214 -+++ linux-2.6.24.4/arch/x86/oprofile/op_model_p4.c 2008-03-26 17:56:55.000000000 -0400
12215 -@@ -47,7 +47,7 @@ static inline void setup_num_counters(vo
12216 - #endif
12217 - }
12218 -
12219 --static int inline addr_increment(void)
12220 -+static inline int addr_increment(void)
12221 - {
12222 - #ifdef CONFIG_SMP
12223 - return smp_num_siblings == 2 ? 2 : 1;
12224 -diff -urNp linux-2.6.24.4/arch/x86/pci/common.c linux-2.6.24.4/arch/x86/pci/common.c
12225 ---- linux-2.6.24.4/arch/x86/pci/common.c 2008-03-24 14:49:18.000000000 -0400
12226 -+++ linux-2.6.24.4/arch/x86/pci/common.c 2008-03-26 17:56:55.000000000 -0400
12227 -@@ -331,7 +331,7 @@ static struct dmi_system_id __devinitdat
12228 - DMI_MATCH(DMI_PRODUCT_NAME, "ProLiant DL585 G2"),
12229 - },
12230 - },
12231 -- {}
12232 -+ { NULL, NULL, {DMI_MATCH(DMI_NONE, NULL)}, NULL}
12233 - };
12234 -
12235 - struct pci_bus * __devinit pcibios_scan_root(int busnum)
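Review bot: the explicit DMI sentinel `{ NULL, NULL, {DMI_MATCH(DMI_NONE, NULL)}, NULL}` replaces `{}` here and again in fixup.c and irq.c below, with inconsistent spacing before the closing brace between the sites; whatever motivates spelling the terminator out (a warning the hardened build raises for empty initialisers, or a constification step) should be stated once in a comment, and all sites should use the same form, ideally through one shared macro.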
12236 -diff -urNp linux-2.6.24.4/arch/x86/pci/early.c linux-2.6.24.4/arch/x86/pci/early.c
12237 ---- linux-2.6.24.4/arch/x86/pci/early.c 2008-03-24 14:49:18.000000000 -0400
12238 -+++ linux-2.6.24.4/arch/x86/pci/early.c 2008-03-26 17:56:55.000000000 -0400
12239 -@@ -7,7 +7,7 @@
12240 - /* Direct PCI access. This is used for PCI accesses in early boot before
12241 - the PCI subsystem works. */
12242 -
12243 --#define PDprintk(x...)
12244 -+#define PDprintk(x...) do {} while (0)
12245 -
12246 - u32 read_pci_config(u8 bus, u8 slot, u8 func, u8 offset)
12247 - {
12248 -diff -urNp linux-2.6.24.4/arch/x86/pci/fixup.c linux-2.6.24.4/arch/x86/pci/fixup.c
12249 ---- linux-2.6.24.4/arch/x86/pci/fixup.c 2008-03-24 14:49:18.000000000 -0400
12250 -+++ linux-2.6.24.4/arch/x86/pci/fixup.c 2008-03-26 17:56:55.000000000 -0400
12251 -@@ -362,7 +362,7 @@ static struct dmi_system_id __devinitdat
12252 - DMI_MATCH(DMI_PRODUCT_NAME, "MS-6702E"),
12253 - },
12254 - },
12255 -- {}
12256 -+ { NULL, NULL, {DMI_MATCH(DMI_NONE, NULL)}, NULL }
12257 - };
12258 -
12259 - /*
12260 -@@ -433,7 +433,7 @@ static struct dmi_system_id __devinitdat
12261 - DMI_MATCH(DMI_PRODUCT_VERSION, "PSA40U"),
12262 - },
12263 - },
12264 -- { }
12265 -+ { NULL, NULL, {DMI_MATCH(DMI_NONE, NULL)}, NULL }
12266 - };
12267 -
12268 - static void __devinit pci_pre_fixup_toshiba_ohci1394(struct pci_dev *dev)
12269 -diff -urNp linux-2.6.24.4/arch/x86/pci/irq.c linux-2.6.24.4/arch/x86/pci/irq.c
12270 ---- linux-2.6.24.4/arch/x86/pci/irq.c 2008-03-24 14:49:18.000000000 -0400
12271 -+++ linux-2.6.24.4/arch/x86/pci/irq.c 2008-03-26 17:56:55.000000000 -0400
12272 -@@ -528,7 +528,7 @@ static __init int intel_router_probe(str
12273 - static struct pci_device_id __initdata pirq_440gx[] = {
12274 - { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_82443GX_0) },
12275 - { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_82443GX_2) },
12276 -- { },
12277 -+ { PCI_DEVICE(0, 0) }
12278 - };
12279 -
12280 - /* 440GX has a proprietary PIRQ router -- don't use it */
12281 -@@ -1090,7 +1090,7 @@ static struct dmi_system_id __initdata p
12282 - DMI_MATCH(DMI_PRODUCT_NAME, "TravelMate 360"),
12283 - },
12284 - },
12285 -- { }
12286 -+ { NULL, NULL, {DMI_MATCH(DMI_NONE, NULL)}, NULL }
12287 - };
12288 -
12289 - static int __init pcibios_irq_init(void)
12290 -diff -urNp linux-2.6.24.4/arch/x86/pci/pcbios.c linux-2.6.24.4/arch/x86/pci/pcbios.c
12291 ---- linux-2.6.24.4/arch/x86/pci/pcbios.c 2008-03-24 14:49:18.000000000 -0400
12292 -+++ linux-2.6.24.4/arch/x86/pci/pcbios.c 2008-03-26 17:56:55.000000000 -0400
12293 -@@ -57,50 +57,124 @@ union bios32 {
12294 - static struct {
12295 - unsigned long address;
12296 - unsigned short segment;
12297 --} bios32_indirect = { 0, __KERNEL_CS };
12298 -+} bios32_indirect __read_only = { 0, __PCIBIOS_CS };
12299 -
12300 - /*
12301 - * Returns the entry point for the given service, NULL on error
12302 - */
12303 -
12304 --static unsigned long bios32_service(unsigned long service)
12305 -+static unsigned long __devinit bios32_service(unsigned long service)
12306 - {
12307 - unsigned char return_code; /* %al */
12308 - unsigned long address; /* %ebx */
12309 - unsigned long length; /* %ecx */
12310 - unsigned long entry; /* %edx */
12311 - unsigned long flags;
12312 -+ struct desc_struct *gdt;
12313 -+
12314 -+#ifdef CONFIG_PAX_KERNEXEC
12315 -+ unsigned long cr0;
12316 -+#endif
12317 -
12318 - local_irq_save(flags);
12319 -- __asm__("lcall *(%%edi); cld"
12320 -+
12321 -+ gdt = get_cpu_gdt_table(smp_processor_id());
12322 -+
12323 -+#ifdef CONFIG_PAX_KERNEXEC
12324 -+ pax_open_kernel(cr0);
12325 -+#endif
12326 -+
12327 -+ pack_descriptor((__u32 *)&gdt[GDT_ENTRY_PCIBIOS_CS].a,
12328 -+ (__u32 *)&gdt[GDT_ENTRY_PCIBIOS_CS].b,
12329 -+ 0UL, 0xFFFFFUL, 0x9B, 0xC);
12330 -+ pack_descriptor((__u32 *)&gdt[GDT_ENTRY_PCIBIOS_DS].a,
12331 -+ (__u32 *)&gdt[GDT_ENTRY_PCIBIOS_DS].b,
12332 -+ 0UL, 0xFFFFFUL, 0x93, 0xC);
12333 -+
12334 -+#ifdef CONFIG_PAX_KERNEXEC
12335 -+ pax_close_kernel(cr0);
12336 -+#endif
12337 -+
12338 -+ __asm__("movw %w7, %%ds; lcall *(%%edi); push %%ss; pop %%ds; cld"
12339 - : "=a" (return_code),
12340 - "=b" (address),
12341 - "=c" (length),
12342 - "=d" (entry)
12343 - : "0" (service),
12344 - "1" (0),
12345 -- "D" (&bios32_indirect));
12346 -+ "D" (&bios32_indirect),
12347 -+ "r"(__PCIBIOS_DS)
12348 -+ : "memory");
12349 -+
12350 -+#ifdef CONFIG_PAX_KERNEXEC
12351 -+ pax_open_kernel(cr0);
12352 -+#endif
12353 -+
12354 -+ gdt[GDT_ENTRY_PCIBIOS_CS].a = 0;
12355 -+ gdt[GDT_ENTRY_PCIBIOS_CS].b = 0;
12356 -+ gdt[GDT_ENTRY_PCIBIOS_DS].a = 0;
12357 -+ gdt[GDT_ENTRY_PCIBIOS_DS].b = 0;
12358 -+
12359 -+#ifdef CONFIG_PAX_KERNEXEC
12360 -+ pax_close_kernel(cr0);
12361 -+#endif
12362 -+
12363 - local_irq_restore(flags);
12364 -
12365 - switch (return_code) {
12366 -- case 0:
12367 -- return address + entry;
12368 -- case 0x80: /* Not present */
12369 -- printk(KERN_WARNING "bios32_service(0x%lx): not present\n", service);
12370 -- return 0;
12371 -- default: /* Shouldn't happen */
12372 -- printk(KERN_WARNING "bios32_service(0x%lx): returned 0x%x -- BIOS bug!\n",
12373 -- service, return_code);
12374 -+ case 0: {
12375 -+ int cpu;
12376 -+ unsigned char flags;
12377 -+
12378 -+ printk(KERN_INFO "bios32_service: base:%08lx length:%08lx entry:%08lx\n", address, length, entry);
12379 -+ if (address >= 0xFFFF0 || length >= 0xFFFF0 - address || length <= entry) {
12380 -+ printk(KERN_WARNING "bios32_service: not valid\n");
12381 - return 0;
12382 -+ }
12383 -+ address = address + PAGE_OFFSET;
12384 -+ length += 16UL; /* some BIOSs underreport this... */
12385 -+ flags = 4;
12386 -+ if (length >= 64*1024*1024) {
12387 -+ length >>= PAGE_SHIFT;
12388 -+ flags |= 8;
12389 -+ }
12390 -+
12391 -+#ifdef CONFIG_PAX_KERNEXEC
12392 -+ pax_open_kernel(cr0);
12393 -+#endif
12394 -+
12395 -+ for (cpu = 0; cpu < NR_CPUS; cpu++) {
12396 -+ gdt = get_cpu_gdt_table(cpu);
12397 -+ pack_descriptor((__u32 *)&gdt[GDT_ENTRY_PCIBIOS_CS].a,
12398 -+ (__u32 *)&gdt[GDT_ENTRY_PCIBIOS_CS].b,
12399 -+ address, length, 0x9b, flags);
12400 -+ pack_descriptor((__u32 *)&gdt[GDT_ENTRY_PCIBIOS_DS].a,
12401 -+ (__u32 *)&gdt[GDT_ENTRY_PCIBIOS_DS].b,
12402 -+ address, length, 0x93, flags);
12403 -+ }
12404 -+
12405 -+#ifdef CONFIG_PAX_KERNEXEC
12406 -+ pax_close_kernel(cr0);
12407 -+#endif
12408 -+
12409 -+ return entry;
12410 -+ }
12411 -+ case 0x80: /* Not present */
12412 -+ printk(KERN_WARNING "bios32_service(0x%lx): not present\n", service);
12413 -+ return 0;
12414 -+ default: /* Shouldn't happen */
12415 -+ printk(KERN_WARNING "bios32_service(0x%lx): returned 0x%x -- BIOS bug!\n",
12416 -+ service, return_code);
12417 -+ return 0;
12418 - }
12419 - }
12420 -
12421 - static struct {
12422 - unsigned long address;
12423 - unsigned short segment;
12424 --} pci_indirect = { 0, __KERNEL_CS };
12425 -+} pci_indirect __read_only = { 0, __PCIBIOS_CS };
12426 -
12427 --static int pci_bios_present;
12428 -+static int pci_bios_present __read_only;
12429 -
12430 - static int __devinit check_pcibios(void)
12431 - {
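Review bot: several points in the rewritten bios32_service(). First, `unsigned char flags` inside `case 0: {` shadows the function's `unsigned long flags` used by local_irq_save()/local_irq_restore(); it is harmless only because local_irq_restore() has already run, so rename it (for example `gran`). Second, the `length >= 64*1024*1024` branch is unreachable: the validity check just above requires `length < 0xFFFF0 - address`, so after `length += 16UL` it is at most 0xFFFFF and always fits the 20-bit byte-granular limit; drop the branch or explain what it is for. Third, the `for (cpu = 0; cpu < NR_CPUS; cpu++)` loop writes the GDT of every possible CPU; for_each_possible_cpu() is the idiom and makes the intent clear. Fourth, the first call keeps `lcall *(%%edi)` with a DS-relative operand while every later site uses `lcall *%%ss:(%%edi)`; it works only because the temporary __PCIBIOS_DS descriptor packed just before it is flat (base 0, limit 0xFFFFF with flags 0xC, i.e. page granular), which deserves a comment or the same `%%ss:` prefix for consistency. Finally, the return value changes from `address + entry` to the segment-relative `entry`, matched by dropping `+ PAGE_OFFSET` in check_pcibios() below; document the new contract at the function header.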
12432 -@@ -109,11 +183,13 @@ static int __devinit check_pcibios(void)
12433 - unsigned long flags, pcibios_entry;
12434 -
12435 - if ((pcibios_entry = bios32_service(PCI_SERVICE))) {
12436 -- pci_indirect.address = pcibios_entry + PAGE_OFFSET;
12437 -+ pci_indirect.address = pcibios_entry;
12438 -
12439 - local_irq_save(flags);
12440 -- __asm__(
12441 -- "lcall *(%%edi); cld\n\t"
12442 -+ __asm__("movw %w6, %%ds\n\t"
12443 -+ "lcall *%%ss:(%%edi); cld\n\t"
12444 -+ "push %%ss\n\t"
12445 -+ "pop %%ds\n\t"
12446 - "jc 1f\n\t"
12447 - "xor %%ah, %%ah\n"
12448 - "1:"
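Review bot: `pci_indirect` was just marked __read_only in the previous hunk, yet `pci_indirect.address = pcibios_entry;` still stores to it (and `pci_bios_present`, also __read_only, is set in this same function); that is only safe because check_pcibios() is __devinit and runs before the __read_only section is actually locked down, so add a comment spelling out that ordering requirement, otherwise a later caller of this path will fault.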
12449 -@@ -122,7 +198,8 @@ static int __devinit check_pcibios(void)
12450 - "=b" (ebx),
12451 - "=c" (ecx)
12452 - : "1" (PCIBIOS_PCI_BIOS_PRESENT),
12453 -- "D" (&pci_indirect)
12454 -+ "D" (&pci_indirect),
12455 -+ "r" (__PCIBIOS_DS)
12456 - : "memory");
12457 - local_irq_restore(flags);
12458 -
12459 -@@ -158,7 +235,10 @@ static int __devinit pci_bios_find_devic
12460 - unsigned short bx;
12461 - unsigned short ret;
12462 -
12463 -- __asm__("lcall *(%%edi); cld\n\t"
12464 -+ __asm__("movw %w7, %%ds\n\t"
12465 -+ "lcall *%%ss:(%%edi); cld\n\t"
12466 -+ "push %%ss\n\t"
12467 -+ "pop %%ds\n\t"
12468 - "jc 1f\n\t"
12469 - "xor %%ah, %%ah\n"
12470 - "1:"
12471 -@@ -168,7 +248,8 @@ static int __devinit pci_bios_find_devic
12472 - "c" (device_id),
12473 - "d" (vendor),
12474 - "S" ((int) index),
12475 -- "D" (&pci_indirect));
12476 -+ "D" (&pci_indirect),
12477 -+ "r" (__PCIBIOS_DS));
12478 - *bus = (bx >> 8) & 0xff;
12479 - *device_fn = bx & 0xff;
12480 - return (int) (ret & 0xff00) >> 8;
12481 -@@ -188,7 +269,10 @@ static int pci_bios_read(unsigned int se
12482 -
12483 - switch (len) {
12484 - case 1:
12485 -- __asm__("lcall *(%%esi); cld\n\t"
12486 -+ __asm__("movw %w6, %%ds\n\t"
12487 -+ "lcall *%%ss:(%%esi); cld\n\t"
12488 -+ "push %%ss\n\t"
12489 -+ "pop %%ds\n\t"
12490 - "jc 1f\n\t"
12491 - "xor %%ah, %%ah\n"
12492 - "1:"
12493 -@@ -197,10 +281,14 @@ static int pci_bios_read(unsigned int se
12494 - : "1" (PCIBIOS_READ_CONFIG_BYTE),
12495 - "b" (bx),
12496 - "D" ((long)reg),
12497 -- "S" (&pci_indirect));
12498 -+ "S" (&pci_indirect),
12499 -+ "r" (__PCIBIOS_DS));
12500 - break;
12501 - case 2:
12502 -- __asm__("lcall *(%%esi); cld\n\t"
12503 -+ __asm__("movw %w6, %%ds\n\t"
12504 -+ "lcall *%%ss:(%%esi); cld\n\t"
12505 -+ "push %%ss\n\t"
12506 -+ "pop %%ds\n\t"
12507 - "jc 1f\n\t"
12508 - "xor %%ah, %%ah\n"
12509 - "1:"
12510 -@@ -209,10 +297,14 @@ static int pci_bios_read(unsigned int se
12511 - : "1" (PCIBIOS_READ_CONFIG_WORD),
12512 - "b" (bx),
12513 - "D" ((long)reg),
12514 -- "S" (&pci_indirect));
12515 -+ "S" (&pci_indirect),
12516 -+ "r" (__PCIBIOS_DS));
12517 - break;
12518 - case 4:
12519 -- __asm__("lcall *(%%esi); cld\n\t"
12520 -+ __asm__("movw %w6, %%ds\n\t"
12521 -+ "lcall *%%ss:(%%esi); cld\n\t"
12522 -+ "push %%ss\n\t"
12523 -+ "pop %%ds\n\t"
12524 - "jc 1f\n\t"
12525 - "xor %%ah, %%ah\n"
12526 - "1:"
12527 -@@ -221,7 +313,8 @@ static int pci_bios_read(unsigned int se
12528 - : "1" (PCIBIOS_READ_CONFIG_DWORD),
12529 - "b" (bx),
12530 - "D" ((long)reg),
12531 -- "S" (&pci_indirect));
12532 -+ "S" (&pci_indirect),
12533 -+ "r" (__PCIBIOS_DS));
12534 - break;
12535 - }
12536 -
12537 -@@ -244,7 +337,10 @@ static int pci_bios_write(unsigned int s
12538 -
12539 - switch (len) {
12540 - case 1:
12541 -- __asm__("lcall *(%%esi); cld\n\t"
12542 -+ __asm__("movw %w6, %%ds\n\t"
12543 -+ "lcall *%%ss:(%%esi); cld\n\t"
12544 -+ "push %%ss\n\t"
12545 -+ "pop %%ds\n\t"
12546 - "jc 1f\n\t"
12547 - "xor %%ah, %%ah\n"
12548 - "1:"
12549 -@@ -253,10 +349,14 @@ static int pci_bios_write(unsigned int s
12550 - "c" (value),
12551 - "b" (bx),
12552 - "D" ((long)reg),
12553 -- "S" (&pci_indirect));
12554 -+ "S" (&pci_indirect),
12555 -+ "r" (__PCIBIOS_DS));
12556 - break;
12557 - case 2:
12558 -- __asm__("lcall *(%%esi); cld\n\t"
12559 -+ __asm__("movw %w6, %%ds\n\t"
12560 -+ "lcall *%%ss:(%%esi); cld\n\t"
12561 -+ "push %%ss\n\t"
12562 -+ "pop %%ds\n\t"
12563 - "jc 1f\n\t"
12564 - "xor %%ah, %%ah\n"
12565 - "1:"
12566 -@@ -265,10 +365,14 @@ static int pci_bios_write(unsigned int s
12567 - "c" (value),
12568 - "b" (bx),
12569 - "D" ((long)reg),
12570 -- "S" (&pci_indirect));
12571 -+ "S" (&pci_indirect),
12572 -+ "r" (__PCIBIOS_DS));
12573 - break;
12574 - case 4:
12575 -- __asm__("lcall *(%%esi); cld\n\t"
12576 -+ __asm__("movw %w6, %%ds\n\t"
12577 -+ "lcall *%%ss:(%%esi); cld\n\t"
12578 -+ "push %%ss\n\t"
12579 -+ "pop %%ds\n\t"
12580 - "jc 1f\n\t"
12581 - "xor %%ah, %%ah\n"
12582 - "1:"
12583 -@@ -277,7 +381,8 @@ static int pci_bios_write(unsigned int s
12584 - "c" (value),
12585 - "b" (bx),
12586 - "D" ((long)reg),
12587 -- "S" (&pci_indirect));
12588 -+ "S" (&pci_indirect),
12589 -+ "r" (__PCIBIOS_DS));
12590 - break;
12591 - }
12592 -
12593 -@@ -430,10 +535,13 @@ struct irq_routing_table * pcibios_get_i
12594 -
12595 - DBG("PCI: Fetching IRQ routing table... ");
12596 - __asm__("push %%es\n\t"
12597 -+ "movw %w8, %%ds\n\t"
12598 - "push %%ds\n\t"
12599 - "pop %%es\n\t"
12600 -- "lcall *(%%esi); cld\n\t"
12601 -+ "lcall *%%ss:(%%esi); cld\n\t"
12602 - "pop %%es\n\t"
12603 -+ "push %%ss\n\t"
12604 -+ "pop %%ds\n"
12605 - "jc 1f\n\t"
12606 - "xor %%ah, %%ah\n"
12607 - "1:"
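Review bot: ES is now loaded from __PCIBIOS_DS, since `movw %w8, %%ds` precedes the `push %%ds / pop %%es` pair, but EDI still carries `(long) &opt`, a flat kernel address. The __PCIBIOS_DS descriptor is built in bios32_service() with base `address` (the BIOS image plus PAGE_OFFSET) and limit `length`, so ES:EDI no longer resolves to the opt buffer; either the BIOS cannot reach its output buffer in this call, or the intent is something not visible in the hunk. Please either load DS after the push/pop so ES keeps the flat kernel data segment, or document why this works.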
12608 -@@ -444,7 +552,8 @@ struct irq_routing_table * pcibios_get_i
12609 - "1" (0),
12610 - "D" ((long) &opt),
12611 - "S" (&pci_indirect),
12612 -- "m" (opt)
12613 -+ "m" (opt),
12614 -+ "r" (__PCIBIOS_DS)
12615 - : "memory");
12616 - DBG("OK ret=%d, size=%d, map=%x\n", ret, opt.size, map);
12617 - if (ret & 0xff00)
12618 -@@ -468,7 +577,10 @@ int pcibios_set_irq_routing(struct pci_d
12619 - {
12620 - int ret;
12621 -
12622 -- __asm__("lcall *(%%esi); cld\n\t"
12623 -+ __asm__("movw %w5, %%ds\n\t"
12624 -+ "lcall *%%ss:(%%esi); cld\n\t"
12625 -+ "push %%ss\n\t"
12626 -+ "pop %%ds\n"
12627 - "jc 1f\n\t"
12628 - "xor %%ah, %%ah\n"
12629 - "1:"
12630 -@@ -476,7 +588,8 @@ int pcibios_set_irq_routing(struct pci_d
12631 - : "0" (PCIBIOS_SET_PCI_HW_INT),
12632 - "b" ((dev->bus->number << 8) | dev->devfn),
12633 - "c" ((irq << 8) | (pin + 10)),
12634 -- "S" (&pci_indirect));
12635 -+ "S" (&pci_indirect),
12636 -+ "r" (__PCIBIOS_DS));
12637 - return !(ret & 0xff00);
12638 - }
12639 - EXPORT_SYMBOL(pcibios_set_irq_routing);
12640 -diff -urNp linux-2.6.24.4/arch/x86/power/cpu.c linux-2.6.24.4/arch/x86/power/cpu.c
12641 ---- linux-2.6.24.4/arch/x86/power/cpu.c 2008-03-24 14:49:18.000000000 -0400
12642 -+++ linux-2.6.24.4/arch/x86/power/cpu.c 2008-03-26 17:56:55.000000000 -0400
12643 -@@ -64,10 +64,20 @@ static void do_fpu_end(void)
12644 - static void fix_processor_context(void)
12645 - {
12646 - int cpu = smp_processor_id();
12647 -- struct tss_struct * t = &per_cpu(init_tss, cpu);
12648 -+ struct tss_struct *t = init_tss + cpu;
12649 -+
12650 -+#ifdef CONFIG_PAX_KERNEXEC
12651 -+ unsigned long cr0;
12652 -+
12653 -+ pax_open_kernel(cr0);
12654 -+#endif
12655 -
12656 - set_tss_desc(cpu,t); /* This just modifies memory; should not be necessary. But... This is necessary, because 386 hardware has concept of busy TSS or some similar stupidity. */
12657 -
12658 -+#ifdef CONFIG_PAX_KERNEXEC
12659 -+ pax_close_kernel(cr0);
12660 -+#endif
12661 -+
12662 - load_TR_desc(); /* This does ltr */
12663 - load_LDT(&current->active_mm->context); /* This does lldt */
12664 -
12665 -diff -urNp linux-2.6.24.4/arch/x86/vdso/vma.c linux-2.6.24.4/arch/x86/vdso/vma.c
12666 ---- linux-2.6.24.4/arch/x86/vdso/vma.c 2008-03-24 14:49:18.000000000 -0400
12667 -+++ linux-2.6.24.4/arch/x86/vdso/vma.c 2008-03-26 17:56:55.000000000 -0400
12668 -@@ -126,7 +126,7 @@ int arch_setup_additional_pages(struct l
12669 - if (ret)
12670 - goto up_fail;
12671 -
12672 -- current->mm->context.vdso = (void *)addr;
12673 -+ current->mm->context.vdso = addr;
12674 - up_fail:
12675 - up_write(&mm->mmap_sem);
12676 - return ret;
12677 -diff -urNp linux-2.6.24.4/arch/x86/xen/enlighten.c linux-2.6.24.4/arch/x86/xen/enlighten.c
12678 ---- linux-2.6.24.4/arch/x86/xen/enlighten.c 2008-03-24 14:49:18.000000000 -0400
12679 -+++ linux-2.6.24.4/arch/x86/xen/enlighten.c 2008-03-26 17:56:55.000000000 -0400
12680 -@@ -298,7 +298,7 @@ static void xen_set_ldt(const void *addr
12681 - static void xen_load_gdt(const struct Xgt_desc_struct *dtr)
12682 - {
12683 - unsigned long *frames;
12684 -- unsigned long va = dtr->address;
12685 -+ unsigned long va = (unsigned long)dtr->address;
12686 - unsigned int size = dtr->size + 1;
12687 - unsigned pages = (size + PAGE_SIZE - 1) / PAGE_SIZE;
12688 - int f;
12689 -@@ -313,7 +313,7 @@ static void xen_load_gdt(const struct Xg
12690 - mcs = xen_mc_entry(sizeof(*frames) * pages);
12691 - frames = mcs.args;
12692 -
12693 -- for (f = 0; va < dtr->address + size; va += PAGE_SIZE, f++) {
12694 -+ for (f = 0; va < (unsigned long)dtr->address + size; va += PAGE_SIZE, f++) {
12695 - frames[f] = virt_to_mfn(va);
12696 - make_lowmem_page_readonly((void *)va);
12697 - }
12698 -@@ -407,7 +407,7 @@ static void xen_write_idt_entry(struct d
12699 -
12700 - preempt_disable();
12701 -
12702 -- start = __get_cpu_var(idt_desc).address;
12703 -+ start = (unsigned long)__get_cpu_var(idt_desc).address;
12704 - end = start + __get_cpu_var(idt_desc).size + 1;
12705 -
12706 - xen_mc_flush();
12707 -diff -urNp linux-2.6.24.4/arch/x86/xen/smp.c linux-2.6.24.4/arch/x86/xen/smp.c
12708 ---- linux-2.6.24.4/arch/x86/xen/smp.c 2008-03-24 14:49:18.000000000 -0400
12709 -+++ linux-2.6.24.4/arch/x86/xen/smp.c 2008-03-26 17:56:55.000000000 -0400
12710 -@@ -144,7 +144,7 @@ void __init xen_smp_prepare_boot_cpu(voi
12711 -
12712 - /* We've switched to the "real" per-cpu gdt, so make sure the
12713 - old memory can be recycled */
12714 -- make_lowmem_page_readwrite(&per_cpu__gdt_page);
12715 -+ make_lowmem_page_readwrite(get_cpu_gdt_table(smp_processor_id()));
12716 -
12717 - for (cpu = 0; cpu < NR_CPUS; cpu++) {
12718 - cpus_clear(per_cpu(cpu_sibling_map, cpu));
12719 -@@ -208,7 +208,7 @@ static __cpuinit int
12720 - cpu_initialize_context(unsigned int cpu, struct task_struct *idle)
12721 - {
12722 - struct vcpu_guest_context *ctxt;
12723 -- struct gdt_page *gdt = &per_cpu(gdt_page, cpu);
12724 -+ struct desc_struct *gdt = get_cpu_gdt_table(cpu);
12725 -
12726 - if (cpu_test_and_set(cpu, cpu_initialized_map))
12727 - return 0;
12728 -@@ -218,8 +218,8 @@ cpu_initialize_context(unsigned int cpu,
12729 - return -ENOMEM;
12730 -
12731 - ctxt->flags = VGCF_IN_KERNEL;
12732 -- ctxt->user_regs.ds = __USER_DS;
12733 -- ctxt->user_regs.es = __USER_DS;
12734 -+ ctxt->user_regs.ds = __KERNEL_DS;
12735 -+ ctxt->user_regs.es = __KERNEL_DS;
12736 - ctxt->user_regs.fs = __KERNEL_PERCPU;
12737 - ctxt->user_regs.gs = 0;
12738 - ctxt->user_regs.ss = __KERNEL_DS;
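Review bot: changing the initial ds/es of a secondary vCPU from __USER_DS to __KERNEL_DS is a behavioural change that the hunk does not explain; the surrounding lines show ss is already __KERNEL_DS, so the intent is presumably to make ds/es consistent with it, but the reason (and whether the rest of the patch's segment changes require it) should be stated in a comment next to the two assignments.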
12739 -@@ -232,11 +232,11 @@ cpu_initialize_context(unsigned int cpu,
12740 -
12741 - ctxt->ldt_ents = 0;
12742 -
12743 -- BUG_ON((unsigned long)gdt->gdt & ~PAGE_MASK);
12744 -- make_lowmem_page_readonly(gdt->gdt);
12745 -+ BUG_ON((unsigned long)gdt & ~PAGE_MASK);
12746 -+ make_lowmem_page_readonly(gdt);
12747 -
12748 -- ctxt->gdt_frames[0] = virt_to_mfn(gdt->gdt);
12749 -- ctxt->gdt_ents = ARRAY_SIZE(gdt->gdt);
12750 -+ ctxt->gdt_frames[0] = virt_to_mfn(gdt);
12751 -+ ctxt->gdt_ents = GDT_ENTRIES;
12752 -
12753 - ctxt->user_regs.cs = __KERNEL_CS;
12754 - ctxt->user_regs.esp = idle->thread.esp0 - sizeof(struct pt_regs);
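Review bot: `struct gdt_page *gdt` guaranteed page alignment by its type, whereas with `struct desc_struct *gdt = get_cpu_gdt_table(cpu)` alignment is only asserted at runtime by `BUG_ON((unsigned long)gdt & ~PAGE_MASK)`; the hunk also hands Xen a single frame (`gdt_frames[0]`) and calls `make_lowmem_page_readonly(gdt)` once, so it still assumes GDT_ENTRIES descriptors fit in one page. A `BUILD_BUG_ON(GDT_ENTRIES * sizeof(struct desc_struct) > PAGE_SIZE)` would make that assumption explicit at compile time rather than at the first SMP boot.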
12755 -diff -urNp linux-2.6.24.4/crypto/async_tx/async_tx.c linux-2.6.24.4/crypto/async_tx/async_tx.c
12756 ---- linux-2.6.24.4/crypto/async_tx/async_tx.c 2008-03-24 14:49:18.000000000 -0400
12757 -+++ linux-2.6.24.4/crypto/async_tx/async_tx.c 2008-03-26 17:56:55.000000000 -0400
12758 -@@ -342,8 +342,8 @@ async_tx_init(void)
12759 - err:
12760 - printk(KERN_ERR "async_tx: initialization failure\n");
12761 -
12762 -- while (--cap >= 0)
12763 -- free_percpu(channel_table[cap]);
12764 -+ while (cap)
12765 -+ free_percpu(channel_table[--cap]);
12766 -
12767 - return 1;
12768 - }
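Review bot: rewriting the cleanup loop as `while (cap) free_percpu(channel_table[--cap]);` is only a fix if `cap` is an unsigned type (for a signed int the old `--cap >= 0` was already correct; for an unsigned one it is always true and the loop walks off the front of the array). The declaration of `cap` is outside the hunk, so the commit should say which case applies. Either way the new form frees exactly entries 0..cap-1, which is what the error path wants.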
12769 -diff -urNp linux-2.6.24.4/crypto/lrw.c linux-2.6.24.4/crypto/lrw.c
12770 ---- linux-2.6.24.4/crypto/lrw.c 2008-03-24 14:49:18.000000000 -0400
12771 -+++ linux-2.6.24.4/crypto/lrw.c 2008-03-26 17:56:55.000000000 -0400
12772 -@@ -54,7 +54,7 @@ static int setkey(struct crypto_tfm *par
12773 - struct priv *ctx = crypto_tfm_ctx(parent);
12774 - struct crypto_cipher *child = ctx->child;
12775 - int err, i;
12776 -- be128 tmp = { 0 };
12777 -+ be128 tmp = { 0, 0 };
12778 - int bsize = crypto_cipher_blocksize(child);
12779 -
12780 - crypto_cipher_clear_flags(child, CRYPTO_TFM_REQ_MASK);
12781 -diff -urNp linux-2.6.24.4/Documentation/dontdiff linux-2.6.24.4/Documentation/dontdiff
12782 ---- linux-2.6.24.4/Documentation/dontdiff 2008-03-24 14:49:18.000000000 -0400
12783 -+++ linux-2.6.24.4/Documentation/dontdiff 2008-03-26 17:56:55.000000000 -0400
12784 -@@ -3,6 +3,7 @@
12785 - *.bin
12786 - *.cpio
12787 - *.css
12788 -+*.dbg
12789 - *.dvi
12790 - *.eps
12791 - *.gif
12792 -@@ -183,11 +184,14 @@ version.h*
12793 - vmlinux
12794 - vmlinux-*
12795 - vmlinux.aout
12796 --vmlinux*.lds*
12797 -+vmlinux.bin.all
12798 -+vmlinux*.lds
12799 -+vmlinux.relocs
12800 - vmlinux*.scr
12801 --vsyscall.lds
12802 -+vsyscall*.lds
12803 - wanxlfw.inc
12804 - uImage
12805 - unifdef
12806 -+utsrelease.h
12807 - zImage*
12808 - zconf.hash.c
12809 -diff -urNp linux-2.6.24.4/drivers/acpi/blacklist.c linux-2.6.24.4/drivers/acpi/blacklist.c
12810 ---- linux-2.6.24.4/drivers/acpi/blacklist.c 2008-03-24 14:49:18.000000000 -0400
12811 -+++ linux-2.6.24.4/drivers/acpi/blacklist.c 2008-03-26 17:56:55.000000000 -0400
12812 -@@ -73,7 +73,7 @@ static struct acpi_blacklist_item acpi_b
12813 - {"ASUS\0\0", "P2B-S ", 0, ACPI_SIG_DSDT, all_versions,
12814 - "Bogus PCI routing", 1},
12815 -
12816 -- {""}
12817 -+ {"", "", 0, 0, 0, all_versions, 0}
12818 - };
12819 -
12820 - #if CONFIG_ACPI_BLACKLIST_YEAR
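Review bot: the new terminator `{"", "", 0, 0, 0, all_versions, 0}` does not line up with the entry above it (`..., 0, ACPI_SIG_DSDT, all_versions, "Bogus PCI routing", 1`): there all_versions is the fifth initializer, while in the terminator it is the sixth, i.e. the slot that holds the reason string. It compiles only if all_versions is an enumerator with value 0 (a null pointer constant); put all_versions in the fifth position and NULL in the sixth, or use designated initializers so the positions cannot drift.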
12821 -diff -urNp linux-2.6.24.4/drivers/acpi/osl.c linux-2.6.24.4/drivers/acpi/osl.c
12822 ---- linux-2.6.24.4/drivers/acpi/osl.c 2008-03-24 14:49:18.000000000 -0400
12823 -+++ linux-2.6.24.4/drivers/acpi/osl.c 2008-03-26 17:56:55.000000000 -0400
12824 -@@ -470,6 +470,8 @@ acpi_os_read_memory(acpi_physical_addres
12825 - void __iomem *virt_addr;
12826 -
12827 - virt_addr = ioremap(phys_addr, width);
12828 -+ if (!virt_addr)
12829 -+ return AE_NO_MEMORY;
12830 - if (!value)
12831 - value = &dummy;
12832 -
12833 -@@ -498,6 +500,8 @@ acpi_os_write_memory(acpi_physical_addre
12834 - void __iomem *virt_addr;
12835 -
12836 - virt_addr = ioremap(phys_addr, width);
12837 -+ if (!virt_addr)
12838 -+ return AE_NO_MEMORY;
12839 -
12840 - switch (width) {
12841 - case 8:
12842 -@@ -520,7 +524,7 @@ acpi_os_write_memory(acpi_physical_addre
12843 -
12844 - acpi_status
12845 - acpi_os_read_pci_configuration(struct acpi_pci_id * pci_id, u32 reg,
12846 -- void *value, u32 width)
12847 -+ u32 *value, u32 width)
12848 - {
12849 - int result, size;
12850 -
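Review bot: changing the parameter of acpi_os_read_pci_configuration from `void *value` to `u32 *value` alters an interface that the ACPICA headers declare separately (not in this hunk); the prototype there and every caller that passes a buffer of another width must be changed in the same patch, or the build fails on conflicting types.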
12851 -@@ -592,7 +596,7 @@ static void acpi_os_derive_pci_id_2(acpi
12852 - acpi_status status;
12853 - unsigned long temp;
12854 - acpi_object_type type;
12855 -- u8 tu8;
12856 -+ u32 tu8;
12857 -
12858 - acpi_get_parent(chandle, &handle);
12859 - if (handle != rhandle) {
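Review bot: after widening the local from `u8 tu8` to `u32 tu8` the name is misleading; rename it (for example `tu32`, or just `value`) so the next reader does not assume an 8-bit quantity. The widening itself matches the `u32 *value` signature introduced two hunks earlier, which is presumably what forced it.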
12860 -diff -urNp linux-2.6.24.4/drivers/acpi/processor_core.c linux-2.6.24.4/drivers/acpi/processor_core.c
12861 ---- linux-2.6.24.4/drivers/acpi/processor_core.c 2008-03-24 14:49:18.000000000 -0400
12862 -+++ linux-2.6.24.4/drivers/acpi/processor_core.c 2008-03-26 17:56:55.000000000 -0400
12863 -@@ -632,7 +632,7 @@ static int __cpuinit acpi_processor_star
12864 - return 0;
12865 - }
12866 -
12867 -- BUG_ON((pr->id >= nr_cpu_ids) || (pr->id < 0));
12868 -+ BUG_ON(pr->id >= nr_cpu_ids);
12869 -
12870 - /*
12871 - * Buggy BIOS check
12872 -diff -urNp linux-2.6.24.4/drivers/acpi/processor_idle.c linux-2.6.24.4/drivers/acpi/processor_idle.c
12873 ---- linux-2.6.24.4/drivers/acpi/processor_idle.c 2008-03-24 14:49:18.000000000 -0400
12874 -+++ linux-2.6.24.4/drivers/acpi/processor_idle.c 2008-03-26 17:56:55.000000000 -0400
12875 -@@ -178,7 +178,7 @@ static struct dmi_system_id __cpuinitdat
12876 - DMI_MATCH(DMI_BIOS_VENDOR,"Phoenix Technologies LTD"),
12877 - DMI_MATCH(DMI_BIOS_VERSION,"SHE845M0.86C.0013.D.0302131307")},
12878 - (void *)2},
12879 -- {},
12880 -+ { NULL, NULL, {DMI_MATCH(DMI_NONE, NULL)}, NULL},
12881 - };
12882 -
12883 - static inline u32 ticks_elapsed(u32 t1, u32 t2)
12884 -diff -urNp linux-2.6.24.4/drivers/acpi/sleep/main.c linux-2.6.24.4/drivers/acpi/sleep/main.c
12885 ---- linux-2.6.24.4/drivers/acpi/sleep/main.c 2008-03-24 14:49:18.000000000 -0400
12886 -+++ linux-2.6.24.4/drivers/acpi/sleep/main.c 2008-03-26 17:56:55.000000000 -0400
12887 -@@ -224,7 +224,7 @@ static struct dmi_system_id __initdata a
12888 - .ident = "Toshiba Satellite 4030cdt",
12889 - .matches = {DMI_MATCH(DMI_PRODUCT_NAME, "S4030CDT/4.3"),},
12890 - },
12891 -- {},
12892 -+ { NULL, NULL, {DMI_MATCH(DMI_NONE, NULL)}, NULL},
12893 - };
12894 - #endif /* CONFIG_SUSPEND */
12895 -
12896 -diff -urNp linux-2.6.24.4/drivers/acpi/tables/tbfadt.c linux-2.6.24.4/drivers/acpi/tables/tbfadt.c
12897 ---- linux-2.6.24.4/drivers/acpi/tables/tbfadt.c 2008-03-24 14:49:18.000000000 -0400
12898 -+++ linux-2.6.24.4/drivers/acpi/tables/tbfadt.c 2008-03-26 17:56:55.000000000 -0400
12899 -@@ -48,7 +48,7 @@
12900 - ACPI_MODULE_NAME("tbfadt")
12901 -
12902 - /* Local prototypes */
12903 --static void inline
12904 -+static inline void
12905 - acpi_tb_init_generic_address(struct acpi_generic_address *generic_address,
12906 - u8 bit_width, u64 address);
12907 -
12908 -@@ -122,7 +122,7 @@ static struct acpi_fadt_info fadt_info_t
12909 - *
12910 - ******************************************************************************/
12911 -
12912 --static void inline
12913 -+static inline void
12914 - acpi_tb_init_generic_address(struct acpi_generic_address *generic_address,
12915 - u8 bit_width, u64 address)
12916 - {
12917 -diff -urNp linux-2.6.24.4/drivers/acpi/tables/tbxface.c linux-2.6.24.4/drivers/acpi/tables/tbxface.c
12918 ---- linux-2.6.24.4/drivers/acpi/tables/tbxface.c 2008-03-24 14:49:18.000000000 -0400
12919 -+++ linux-2.6.24.4/drivers/acpi/tables/tbxface.c 2008-03-26 17:56:55.000000000 -0400
12920 -@@ -540,7 +540,7 @@ static acpi_status acpi_tb_load_namespac
12921 - acpi_tb_print_table_header(0, table);
12922 -
12923 - if (no_auto_ssdt == 0) {
12924 -- printk(KERN_WARNING "ACPI: DSDT override uses original SSDTs unless \"acpi_no_auto_ssdt\"");
12925 -+ printk(KERN_WARNING "ACPI: DSDT override uses original SSDTs unless \"acpi_no_auto_ssdt\"\n");
12926 - }
12927 - }
12928 -
12929 -diff -urNp linux-2.6.24.4/drivers/ata/ahci.c linux-2.6.24.4/drivers/ata/ahci.c
12930 ---- linux-2.6.24.4/drivers/ata/ahci.c 2008-03-24 14:49:18.000000000 -0400
12931 -+++ linux-2.6.24.4/drivers/ata/ahci.c 2008-03-26 17:56:55.000000000 -0400
12932 -@@ -563,7 +563,7 @@ static const struct pci_device_id ahci_p
12933 - { PCI_ANY_ID, PCI_ANY_ID, PCI_ANY_ID, PCI_ANY_ID,
12934 - PCI_CLASS_STORAGE_SATA_AHCI, 0xffffff, board_ahci },
12935 -
12936 -- { } /* terminate list */
12937 -+ { 0, 0, 0, 0, 0, 0, 0 } /* terminate list */
12938 - };
12939 -
12940 -
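Review bot: replacing the `{ }` terminator with `{ 0, 0, 0, 0, 0, 0, 0 }` ties this table to the current seven-field layout of struct pci_device_id; an empty initializer already zero-fills the entry, so the only effect is silencing a missing-field-initializers warning. If that warning is the goal, a single terminator macro (or designated initializers) would be easier to keep in sync than the same literal repeated across every driver table this patch touches.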
12941 -diff -urNp linux-2.6.24.4/drivers/ata/ata_piix.c linux-2.6.24.4/drivers/ata/ata_piix.c
12942 ---- linux-2.6.24.4/drivers/ata/ata_piix.c 2008-03-24 14:49:18.000000000 -0400
12943 -+++ linux-2.6.24.4/drivers/ata/ata_piix.c 2008-03-26 17:56:55.000000000 -0400
12944 -@@ -264,7 +264,7 @@ static const struct pci_device_id piix_p
12945 - /* SATA Controller IDE (Tolapai) */
12946 - { 0x8086, 0x5028, PCI_ANY_ID, PCI_ANY_ID, 0, 0, tolapai_sata_ahci },
12947 -
12948 -- { } /* terminate list */
12949 -+ { 0, 0, 0, 0, 0, 0, 0 } /* terminate list */
12950 - };
12951 -
12952 - static struct pci_driver piix_pci_driver = {
12953 -@@ -701,7 +701,7 @@ static const struct ich_laptop ich_lapto
12954 - { 0x27DF, 0x103C, 0x30A1 }, /* ICH7 on HP Compaq nc2400 */
12955 - { 0x24CA, 0x1025, 0x0061 }, /* ICH4 on ACER Aspire 2023WLMi */
12956 - /* end marker */
12957 -- { 0, }
12958 -+ { 0, 0, 0 }
12959 - };
12960 -
12961 - /**
12962 -@@ -1097,7 +1097,7 @@ static int piix_broken_suspend(void)
12963 - },
12964 - },
12965 -
12966 -- { } /* terminate list */
12967 -+ { NULL, NULL, {DMI_MATCH(DMI_NONE, NULL)}, NULL } /* terminate list */
12968 - };
12969 - static const char *oemstrs[] = {
12970 - "Tecra M3,",
12971 -diff -urNp linux-2.6.24.4/drivers/ata/libata-core.c linux-2.6.24.4/drivers/ata/libata-core.c
12972 ---- linux-2.6.24.4/drivers/ata/libata-core.c 2008-03-24 14:49:18.000000000 -0400
12973 -+++ linux-2.6.24.4/drivers/ata/libata-core.c 2008-03-26 17:56:55.000000000 -0400
12974 -@@ -489,7 +489,7 @@ static const struct ata_xfer_ent {
12975 - { ATA_SHIFT_PIO, ATA_BITS_PIO, XFER_PIO_0 },
12976 - { ATA_SHIFT_MWDMA, ATA_BITS_MWDMA, XFER_MW_DMA_0 },
12977 - { ATA_SHIFT_UDMA, ATA_BITS_UDMA, XFER_UDMA_0 },
12978 -- { -1, },
12979 -+ { -1, 0, 0 },
12980 - };
12981 -
12982 - /**
12983 -@@ -2814,7 +2814,7 @@ static const struct ata_timing ata_timin
12984 -
12985 - /* { XFER_PIO_SLOW, 120, 290, 240, 960, 290, 240, 960, 0 }, */
12986 -
12987 -- { 0xFF }
12988 -+ { 0xFF, 0, 0, 0, 0, 0, 0, 0, 0 }
12989 - };
12990 -
12991 - #define ENOUGH(v, unit) (((v)-1)/(unit)+1)
12992 -@@ -4178,7 +4178,7 @@ static const struct ata_blacklist_entry
12993 - { "TSSTcorp CDDVDW SH-S202N", "SB01", ATA_HORKAGE_IVB, },
12994 -
12995 - /* End Marker */
12996 -- { }
12997 -+ { NULL, NULL, 0 }
12998 - };
12999 -
13000 - static int strn_pattern_cmp(const char *patt, const char *name, int wildchar)
13001 -diff -urNp linux-2.6.24.4/drivers/char/agp/frontend.c linux-2.6.24.4/drivers/char/agp/frontend.c
13002 ---- linux-2.6.24.4/drivers/char/agp/frontend.c 2008-03-24 14:49:18.000000000 -0400
13003 -+++ linux-2.6.24.4/drivers/char/agp/frontend.c 2008-03-26 17:56:55.000000000 -0400
13004 -@@ -820,7 +820,7 @@ static int agpioc_reserve_wrap(struct ag
13005 - if (copy_from_user(&reserve, arg, sizeof(struct agp_region)))
13006 - return -EFAULT;
13007 -
13008 -- if ((unsigned) reserve.seg_count >= ~0U/sizeof(struct agp_segment))
13009 -+ if ((unsigned) reserve.seg_count >= ~0U/sizeof(struct agp_segment_priv))
13010 - return -EFAULT;
13011 -
13012 - client = agp_find_client_by_pid(reserve.pid);
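Review bot: the overflow guard now divides by sizeof(struct agp_segment_priv) instead of sizeof(struct agp_segment); that is correct only if the allocation sized by reserve.seg_count (outside this hunk) is an array of agp_segment_priv, so the commit message should point at that allocation. Separately, -EFAULT is the wrong errno for a caller-supplied count that is out of range; -EINVAL describes the condition, though that is pre-existing rather than something this hunk introduces.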
13013 -diff -urNp linux-2.6.24.4/drivers/char/agp/intel-agp.c linux-2.6.24.4/drivers/char/agp/intel-agp.c
13014 ---- linux-2.6.24.4/drivers/char/agp/intel-agp.c 2008-03-24 14:49:18.000000000 -0400
13015 -+++ linux-2.6.24.4/drivers/char/agp/intel-agp.c 2008-03-26 17:56:55.000000000 -0400
13016 -@@ -2080,7 +2080,7 @@ static struct pci_device_id agp_intel_pc
13017 - ID(PCI_DEVICE_ID_INTEL_G33_HB),
13018 - ID(PCI_DEVICE_ID_INTEL_Q35_HB),
13019 - ID(PCI_DEVICE_ID_INTEL_Q33_HB),
13020 -- { }
13021 -+ { 0, 0, 0, 0, 0, 0, 0 }
13022 - };
13023 -
13024 - MODULE_DEVICE_TABLE(pci, agp_intel_pci_table);
13025 -diff -urNp linux-2.6.24.4/drivers/char/drm/drm_pciids.h linux-2.6.24.4/drivers/char/drm/drm_pciids.h
13026 ---- linux-2.6.24.4/drivers/char/drm/drm_pciids.h 2008-03-24 14:49:18.000000000 -0400
13027 -+++ linux-2.6.24.4/drivers/char/drm/drm_pciids.h 2008-03-26 17:56:55.000000000 -0400
13028 -@@ -249,7 +249,7 @@
13029 - {0x8086, 0x7123, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
13030 - {0x8086, 0x7125, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
13031 - {0x8086, 0x1132, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
13032 -- {0, 0, 0}
13033 -+ {0, 0, 0, 0, 0, 0, 0 }
13034 -
13035 - #define i830_PCI_IDS \
13036 - {0x8086, 0x3577, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
13037 -diff -urNp linux-2.6.24.4/drivers/char/hpet.c linux-2.6.24.4/drivers/char/hpet.c
13038 ---- linux-2.6.24.4/drivers/char/hpet.c 2008-03-24 14:49:18.000000000 -0400
13039 -+++ linux-2.6.24.4/drivers/char/hpet.c 2008-03-26 17:56:55.000000000 -0400
13040 -@@ -1028,7 +1028,7 @@ static struct acpi_driver hpet_acpi_driv
13041 - },
13042 - };
13043 -
13044 --static struct miscdevice hpet_misc = { HPET_MINOR, "hpet", &hpet_fops };
13045 -+static struct miscdevice hpet_misc = { HPET_MINOR, "hpet", &hpet_fops, {NULL, NULL}, NULL, NULL };
13046 -
13047 - static int __init hpet_init(void)
13048 - {
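Review bot: the positional initializer `{ HPET_MINOR, "hpet", &hpet_fops, {NULL, NULL}, NULL, NULL }` spells out struct miscdevice's list head and two trailing pointers only to silence a missing-initializer warning, and will need editing whenever that struct changes. Designated initializers (`.minor = HPET_MINOR, .name = "hpet", .fops = &hpet_fops`) express the same thing without naming fields the driver does not care about; the same applies to the nvram_dev change later in this patch.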
13049 -diff -urNp linux-2.6.24.4/drivers/char/keyboard.c linux-2.6.24.4/drivers/char/keyboard.c
13050 ---- linux-2.6.24.4/drivers/char/keyboard.c 2008-03-24 14:49:18.000000000 -0400
13051 -+++ linux-2.6.24.4/drivers/char/keyboard.c 2008-03-26 17:56:55.000000000 -0400
13052 -@@ -631,6 +631,16 @@ static void k_spec(struct vc_data *vc, u
13053 - kbd->kbdmode == VC_MEDIUMRAW) &&
13054 - value != KVAL(K_SAK))
13055 - return; /* SAK is allowed even in raw mode */
13056 -+
13057 -+#if defined(CONFIG_GRKERNSEC_PROC) || defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
13058 -+ {
13059 -+ void *func = fn_handler[value];
13060 -+ if (func == fn_show_state || func == fn_show_ptregs ||
13061 -+ func == fn_show_mem)
13062 -+ return;
13063 -+ }
13064 -+#endif
13065 -+
13066 - fn_handler[value](vc);
13067 - }
13068 -
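Review bot: `void *func = fn_handler[value];` stores a function pointer in an object pointer and then compares it with fn_show_state, fn_show_ptregs and fn_show_mem; converting between the two pointer kinds is a GCC extension rather than ISO C, and gcc warns about it under -pedantic. Declare func with the element type of fn_handler (a pointer to a function taking struct vc_data *) so the comparisons are type-checked. The early return also drops the key silently; a one-line comment saying the block withholds kernel state dumps from the console under CONFIG_GRKERNSEC_PROC would help the next reader.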
13069 -@@ -1385,7 +1395,7 @@ static const struct input_device_id kbd_
13070 - .evbit = { BIT_MASK(EV_SND) },
13071 - },
13072 -
13073 -- { }, /* Terminating entry */
13074 -+ { 0 }, /* Terminating entry */
13075 - };
13076 -
13077 - MODULE_DEVICE_TABLE(input, kbd_ids);
13078 -diff -urNp linux-2.6.24.4/drivers/char/mem.c linux-2.6.24.4/drivers/char/mem.c
13079 ---- linux-2.6.24.4/drivers/char/mem.c 2008-03-24 14:49:18.000000000 -0400
13080 -+++ linux-2.6.24.4/drivers/char/mem.c 2008-03-26 17:56:55.000000000 -0400
13081 -@@ -26,6 +26,7 @@
13082 - #include <linux/bootmem.h>
13083 - #include <linux/splice.h>
13084 - #include <linux/pfn.h>
13085 -+#include <linux/grsecurity.h>
13086 -
13087 - #include <asm/uaccess.h>
13088 - #include <asm/io.h>
13089 -@@ -34,6 +35,10 @@
13090 - # include <linux/efi.h>
13091 - #endif
13092 -
13093 -+#ifdef CONFIG_GRKERNSEC
13094 -+extern struct file_operations grsec_fops;
13095 -+#endif
13096 -+
13097 - /*
13098 - * Architectures vary in how they handle caching for addresses
13099 - * outside of main memory.
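Review bot: `extern struct file_operations grsec_fops;` is declared in a .c file rather than in a header shared with the definition, so the compiler cannot check that the two agree (and cannot see whether the definition is const); since `<linux/grsecurity.h>` is included in the previous hunk, that header is the natural home for the declaration.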
13100 -@@ -180,6 +185,11 @@ static ssize_t write_mem(struct file * f
13101 - if (!valid_phys_addr_range(p, count))
13102 - return -EFAULT;
13103 -
13104 -+#ifdef CONFIG_GRKERNSEC_KMEM
13105 -+ gr_handle_mem_write();
13106 -+ return -EPERM;
13107 -+#endif
13108 -+
13109 - written = 0;
13110 -
13111 - #ifdef __ARCH_HAS_NO_PAGE_ZERO_MAPPED
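Review bot: under CONFIG_GRKERNSEC_KMEM the inserted `gr_handle_mem_write(); return -EPERM;` makes everything after the `#endif` in write_mem unreachable, which compilers will flag; placing the block at the top of the function, or wrapping the rest in `#else`, makes the intent obvious. The denial is also absolute at compile time (no runtime knob and no CAP_SYS_RAWIO exception), which is reasonable for a hardening option but should be spelled out in the option's help text so administrators know /dev/mem writes cannot be re-enabled without a rebuild.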
13112 -@@ -281,6 +291,11 @@ static int mmap_mem(struct file * file,
13113 - if (!private_mapping_ok(vma))
13114 - return -ENOSYS;
13115 -
13116 -+#ifdef CONFIG_GRKERNSEC_KMEM
13117 -+ if (gr_handle_mem_mmap(vma->vm_pgoff << PAGE_SHIFT, vma))
13118 -+ return -EPERM;
13119 -+#endif
13120 -+
13121 - vma->vm_page_prot = phys_mem_access_prot(file, vma->vm_pgoff,
13122 - size,
13123 - vma->vm_page_prot);
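Review bot: `vma->vm_pgoff << PAGE_SHIFT` computes a physical byte address in an unsigned long, which truncates on 32-bit kernels with PAE when the target frame lies above 4 GB; gr_handle_mem_mmap would then evaluate its policy against the wrong address. Pass the pfn (vm_pgoff) itself, or widen the shift to a 64-bit type, so the decision is made on the real target. Placing the check after private_mapping_ok() is fine, since that test concerns the mapping type rather than the target.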
13124 -@@ -512,6 +527,11 @@ static ssize_t write_kmem(struct file *
13125 - ssize_t written;
13126 - char * kbuf; /* k-addr because vwrite() takes vmlist_lock rwlock */
13127 -
13128 -+#ifdef CONFIG_GRKERNSEC_KMEM
13129 -+ gr_handle_kmem_write();
13130 -+ return -EPERM;
13131 -+#endif
13132 -+
13133 - if (p < (unsigned long) high_memory) {
13134 -
13135 - wrote = count;
13136 -@@ -714,6 +734,16 @@ static loff_t memory_lseek(struct file *
13137 -
13138 - static int open_port(struct inode * inode, struct file * filp)
13139 - {
13140 -+#ifdef CONFIG_GRKERNSEC_KMEM
13141 -+ gr_handle_open_port();
13142 -+ return -EPERM;
13143 -+#endif
13144 -+
13145 -+ return capable(CAP_SYS_RAWIO) ? 0 : -EPERM;
13146 -+}
13147 -+
13148 -+static int open_mem(struct inode * inode, struct file * filp)
13149 -+{
13150 - return capable(CAP_SYS_RAWIO) ? 0 : -EPERM;
13151 - }
13152 -
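Review bot: with CONFIG_GRKERNSEC_KMEM set, open_port always returns -EPERM and the `return capable(CAP_SYS_RAWIO) ? 0 : -EPERM;` below the `#endif` becomes unreachable, while the new open_mem (which open_kmem and open_oldmem also resolve to, per the next hunk) keeps the capability check. That asymmetry (/dev/port refused outright, /dev/mem and /dev/kmem still opened for CAP_SYS_RAWIO holders with writes blocked separately) is presumably intended, but it deserves a comment above the two functions; as written the reader has to diff two near-identical bodies to notice it.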
13153 -@@ -721,7 +751,6 @@ static int open_port(struct inode * inod
13154 - #define full_lseek null_lseek
13155 - #define write_zero write_null
13156 - #define read_full read_zero
13157 --#define open_mem open_port
13158 - #define open_kmem open_mem
13159 - #define open_oldmem open_mem
13160 -
13161 -@@ -854,6 +883,11 @@ static int memory_open(struct inode * in
13162 - filp->f_op = &oldmem_fops;
13163 - break;
13164 - #endif
13165 -+#ifdef CONFIG_GRKERNSEC
13166 -+ case 13:
13167 -+ filp->f_op = &grsec_fops;
13168 -+ break;
13169 -+#endif
13170 - default:
13171 - return -ENXIO;
13172 - }
13173 -@@ -886,6 +920,9 @@ static const struct {
13174 - #ifdef CONFIG_CRASH_DUMP
13175 - {12,"oldmem", S_IRUSR | S_IWUSR | S_IRGRP, &oldmem_fops},
13176 - #endif
13177 -+#ifdef CONFIG_GRKERNSEC
13178 -+ {13,"grsec", S_IRUSR | S_IWUGO, &grsec_fops},
13179 -+#endif
13180 - };
13181 -
13182 - static struct class *mem_class;
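Review bot: the new entry `{13,"grsec", S_IRUSR | S_IWUGO, &grsec_fops}` creates a device node that any user can open for writing; if the write handler behind grsec_fops performs its own authentication that should be stated here, otherwise S_IWUSR is the least-privilege default. The minor number 13 is also duplicated between this table and the `case 13:` in memory_open two hunks earlier; a named constant would keep the two from drifting apart.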
13183 -diff -urNp linux-2.6.24.4/drivers/char/nvram.c linux-2.6.24.4/drivers/char/nvram.c
13184 ---- linux-2.6.24.4/drivers/char/nvram.c 2008-03-24 14:49:18.000000000 -0400
13185 -+++ linux-2.6.24.4/drivers/char/nvram.c 2008-03-26 17:56:55.000000000 -0400
13186 -@@ -430,7 +430,10 @@ static const struct file_operations nvra
13187 - static struct miscdevice nvram_dev = {
13188 - NVRAM_MINOR,
13189 - "nvram",
13190 -- &nvram_fops
13191 -+ &nvram_fops,
13192 -+ {NULL, NULL},
13193 -+ NULL,
13194 -+ NULL
13195 - };
13196 -
13197 - static int __init
13198 -diff -urNp linux-2.6.24.4/drivers/char/random.c linux-2.6.24.4/drivers/char/random.c
13199 ---- linux-2.6.24.4/drivers/char/random.c 2008-03-24 14:49:18.000000000 -0400
13200 -+++ linux-2.6.24.4/drivers/char/random.c 2008-03-26 17:56:55.000000000 -0400
13201 -@@ -248,8 +248,13 @@
13202 - /*
13203 - * Configuration information
13204 - */
13205 -+#ifdef CONFIG_GRKERNSEC_RANDNET
13206 -+#define INPUT_POOL_WORDS 512
13207 -+#define OUTPUT_POOL_WORDS 128
13208 -+#else
13209 - #define INPUT_POOL_WORDS 128
13210 - #define OUTPUT_POOL_WORDS 32
13211 -+#endif
13212 - #define SEC_XFER_SIZE 512
13213 -
13214 - /*
13215 -@@ -286,10 +291,17 @@ static struct poolinfo {
13216 - int poolwords;
13217 - int tap1, tap2, tap3, tap4, tap5;
13218 - } poolinfo_table[] = {
13219 -+#ifdef CONFIG_GRKERNSEC_RANDNET
13220 -+ /* x^512 + x^411 + x^308 + x^208 +x^104 + x + 1 -- 225 */
13221 -+ { 512, 411, 308, 208, 104, 1 },
13222 -+ /* x^128 + x^103 + x^76 + x^51 + x^25 + x + 1 -- 105 */
13223 -+ { 128, 103, 76, 51, 25, 1 },
13224 -+#else
13225 - /* x^128 + x^103 + x^76 + x^51 +x^25 + x + 1 -- 105 */
13226 - { 128, 103, 76, 51, 25, 1 },
13227 - /* x^32 + x^26 + x^20 + x^14 + x^7 + x + 1 -- 15 */
13228 - { 32, 26, 20, 14, 7, 1 },
13229 -+#endif
13230 - #if 0
13231 - /* x^2048 + x^1638 + x^1231 + x^819 + x^411 + x + 1 -- 115 */
13232 - { 2048, 1638, 1231, 819, 411, 1 },
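Review bot: nothing in this hunk ties the two new poolinfo_table entries to the INPUT_POOL_WORDS/OUTPUT_POOL_WORDS defines changed earlier in this file (512/128 under CONFIG_GRKERNSEC_RANDNET, 128/32 otherwise); the entries are selected by position, so a `BUILD_BUG_ON(poolinfo_table[0].poolwords != INPUT_POOL_WORDS)` (and likewise for entry 1) would stop a future edit from changing one #ifdef block without the other. The 512-word row is annotated `-- 225` in the style of the existing rows, but the hunk does not say where the polynomial was taken from; a reference would let a reviewer check it is primitive.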
13233 -@@ -1172,7 +1184,7 @@ EXPORT_SYMBOL(generate_random_uuid);
13234 - #include <linux/sysctl.h>
13235 -
13236 - static int min_read_thresh = 8, min_write_thresh;
13237 --static int max_read_thresh = INPUT_POOL_WORDS * 32;
13238 -+static int max_read_thresh = OUTPUT_POOL_WORDS * 32;
13239 - static int max_write_thresh = INPUT_POOL_WORDS * 32;
13240 - static char sysctl_bootid[16];
13241 -
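Review bot: `max_read_thresh = OUTPUT_POOL_WORDS * 32` changes the upper bound of the read wakeup threshold sysctl from the input pool size to the output pool size: with the defines earlier in this patch that is 4096 down to 1024 bits in the default configuration and 16384 down to 4096 bits under CONFIG_GRKERNSEC_RANDNET. That may well be the right bound, since readers drain the output pools, but it is a user-visible limit change and the reason belongs in the commit message; note that max_write_thresh on the next line is deliberately left at INPUT_POOL_WORDS * 32.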
13242 -diff -urNp linux-2.6.24.4/drivers/char/vt_ioctl.c linux-2.6.24.4/drivers/char/vt_ioctl.c
13243 ---- linux-2.6.24.4/drivers/char/vt_ioctl.c 2008-03-24 14:49:18.000000000 -0400
13244 -+++ linux-2.6.24.4/drivers/char/vt_ioctl.c 2008-03-26 17:56:55.000000000 -0400
13245 -@@ -96,6 +96,12 @@ do_kdsk_ioctl(int cmd, struct kbentry __
13246 - case KDSKBENT:
13247 - if (!perm)
13248 - return -EPERM;
13249 -+
13250 -+#ifdef CONFIG_GRKERNSEC
13251 -+ if (!capable(CAP_SYS_TTY_CONFIG))
13252 -+ return -EPERM;
13253 -+#endif
13254 -+
13255 - if (!i && v == K_NOSUCHMAP) {
13256 - /* deallocate map */
13257 - key_map = key_maps[s];
13258 -@@ -236,6 +242,13 @@ do_kdgkb_ioctl(int cmd, struct kbsentry
13259 - goto reterr;
13260 - }
13261 -
13262 -+#ifdef CONFIG_GRKERNSEC
13263 -+ if (!capable(CAP_SYS_TTY_CONFIG)) {
13264 -+ ret = -EPERM;
13265 -+ goto reterr;
13266 -+ }
13267 -+#endif
13268 -+
13269 - q = func_table[i];
13270 - first_free = funcbufptr + (funcbufsize - funcbufleft);
13271 - for (j = i+1; j < MAX_NR_FUNC && !func_table[j]; j++)
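Review bot: the CAP_SYS_TTY_CONFIG check is inserted well into do_kdgkb_ioctl, after a `goto reterr` error path, rather than next to the permission test at the top as the previous hunk does for KDSKBENT; moving it up rejects an unprivileged caller before the function does any work on its behalf. The check is also placed on the set path only (the lines that follow, `q = func_table[i]; first_free = ...`, belong to KDSKBSENT); if reading the string table is meant to stay unprivileged, the #ifdef block should say so.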
13272 -diff -urNp linux-2.6.24.4/drivers/edac/edac_core.h linux-2.6.24.4/drivers/edac/edac_core.h
13273 ---- linux-2.6.24.4/drivers/edac/edac_core.h 2008-03-24 14:49:18.000000000 -0400
13274 -+++ linux-2.6.24.4/drivers/edac/edac_core.h 2008-03-26 17:56:55.000000000 -0400
13275 -@@ -86,11 +86,11 @@ extern int edac_debug_level;
13276 -
13277 - #else /* !CONFIG_EDAC_DEBUG */
13278 -
13279 --#define debugf0( ... )
13280 --#define debugf1( ... )
13281 --#define debugf2( ... )
13282 --#define debugf3( ... )
13283 --#define debugf4( ... )
13284 -+#define debugf0( ... ) do {} while (0)
13285 -+#define debugf1( ... ) do {} while (0)
13286 -+#define debugf2( ... ) do {} while (0)
13287 -+#define debugf3( ... ) do {} while (0)
13288 -+#define debugf4( ... ) do {} while (0)
13289 -
13290 - #endif /* !CONFIG_EDAC_DEBUG */
13291 -
13292 -diff -urNp linux-2.6.24.4/drivers/firmware/dmi_scan.c linux-2.6.24.4/drivers/firmware/dmi_scan.c
13293 ---- linux-2.6.24.4/drivers/firmware/dmi_scan.c 2008-03-24 14:49:18.000000000 -0400
13294 -+++ linux-2.6.24.4/drivers/firmware/dmi_scan.c 2008-03-26 17:56:55.000000000 -0400
13295 -@@ -318,21 +318,19 @@ void __init dmi_scan_machine(void)
13296 - }
13297 - }
13298 - else {
13299 -- /*
13300 -- * no iounmap() for that ioremap(); it would be a no-op, but
13301 -- * it's so early in setup that sucker gets confused into doing
13302 -- * what it shouldn't if we actually call it.
13303 -- */
13304 - p = dmi_ioremap(0xF0000, 0x10000);
13305 - if (p == NULL)
13306 - goto out;
13307 -
13308 - for (q = p; q < p + 0x10000; q += 16) {
13309 - rc = dmi_present(q);
13310 -- if (!rc) {
13311 -- dmi_available = 1;
13312 -- return;
13313 -- }
13314 -+ if (!rc)
13315 -+ break;
13316 -+ }
13317 -+ dmi_iounmap(p, 0x10000);
13318 -+ if (!rc) {
13319 -+ dmi_available = 1;
13320 -+ return;
13321 - }
13322 - }
13323 - out: printk(KERN_INFO "DMI not present or invalid.\n");
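Review bot: this hunk deletes the comment explaining why the ioremap() here was never unmapped and adds `dmi_iounmap(p, 0x10000)` in its place; since that comment warned that unmapping this early in setup misbehaves, the change needs a justification (for instance that dmi_iounmap is safe at this point in boot) or it risks reintroducing the problem the comment described. The restructured loop is otherwise fine: `rc` is set by the last dmi_present(q) call on every path, and it is tested only after the unmap, so `p` is not used afterwards.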
13324 -diff -urNp linux-2.6.24.4/drivers/hwmon/fscpos.c linux-2.6.24.4/drivers/hwmon/fscpos.c
13325 ---- linux-2.6.24.4/drivers/hwmon/fscpos.c 2008-03-24 14:49:18.000000000 -0400
13326 -+++ linux-2.6.24.4/drivers/hwmon/fscpos.c 2008-03-26 17:56:55.000000000 -0400
13327 -@@ -231,7 +231,6 @@ static ssize_t set_pwm(struct i2c_client
13328 - unsigned long v = simple_strtoul(buf, NULL, 10);
13329 -
13330 - /* Range: 0..255 */
13331 -- if (v < 0) v = 0;
13332 - if (v > 255) v = 255;
13333 -
13334 - mutex_lock(&data->update_lock);
13335 -diff -urNp linux-2.6.24.4/drivers/hwmon/k8temp.c linux-2.6.24.4/drivers/hwmon/k8temp.c
13336 ---- linux-2.6.24.4/drivers/hwmon/k8temp.c 2008-03-24 14:49:18.000000000 -0400
13337 -+++ linux-2.6.24.4/drivers/hwmon/k8temp.c 2008-03-26 17:56:55.000000000 -0400
13338 -@@ -130,7 +130,7 @@ static DEVICE_ATTR(name, S_IRUGO, show_n
13339 -
13340 - static struct pci_device_id k8temp_ids[] = {
13341 - { PCI_DEVICE(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_K8_NB_MISC) },
13342 -- { 0 },
13343 -+ { 0, 0, 0, 0, 0, 0, 0 },
13344 - };
13345 -
13346 - MODULE_DEVICE_TABLE(pci, k8temp_ids);
13347 -diff -urNp linux-2.6.24.4/drivers/hwmon/sis5595.c linux-2.6.24.4/drivers/hwmon/sis5595.c
13348 ---- linux-2.6.24.4/drivers/hwmon/sis5595.c 2008-03-24 14:49:18.000000000 -0400
13349 -+++ linux-2.6.24.4/drivers/hwmon/sis5595.c 2008-03-26 17:56:55.000000000 -0400
13350 -@@ -698,7 +698,7 @@ static struct sis5595_data *sis5595_upda
13351 -
13352 - static struct pci_device_id sis5595_pci_ids[] = {
13353 - { PCI_DEVICE(PCI_VENDOR_ID_SI, PCI_DEVICE_ID_SI_503) },
13354 -- { 0, }
13355 -+ { 0, 0, 0, 0, 0, 0, 0 }
13356 - };
13357 -
13358 - MODULE_DEVICE_TABLE(pci, sis5595_pci_ids);
13359 -diff -urNp linux-2.6.24.4/drivers/hwmon/thmc50.c linux-2.6.24.4/drivers/hwmon/thmc50.c
13360 ---- linux-2.6.24.4/drivers/hwmon/thmc50.c 2008-03-24 14:49:18.000000000 -0400
13361 -+++ linux-2.6.24.4/drivers/hwmon/thmc50.c 2008-03-26 17:56:55.000000000 -0400
13362 -@@ -52,9 +52,9 @@ I2C_CLIENT_MODULE_PARM(adm1022_temp3, "L
13363 - */
13364 - #define THMC50_REG_INTR 0x41
13365 -
13366 --const static u8 THMC50_REG_TEMP[] = { 0x27, 0x26, 0x20 };
13367 --const static u8 THMC50_REG_TEMP_MIN[] = { 0x3A, 0x38, 0x2C };
13368 --const static u8 THMC50_REG_TEMP_MAX[] = { 0x39, 0x37, 0x2B };
13369 -+static const u8 THMC50_REG_TEMP[] = { 0x27, 0x26, 0x20 };
13370 -+static const u8 THMC50_REG_TEMP_MIN[] = { 0x3A, 0x38, 0x2C };
13371 -+static const u8 THMC50_REG_TEMP_MAX[] = { 0x39, 0x37, 0x2B };
13372 -
13373 - #define THMC50_REG_CONF_nFANOFF 0x20
13374 -
13375 -diff -urNp linux-2.6.24.4/drivers/hwmon/via686a.c linux-2.6.24.4/drivers/hwmon/via686a.c
13376 ---- linux-2.6.24.4/drivers/hwmon/via686a.c 2008-03-24 14:49:18.000000000 -0400
13377 -+++ linux-2.6.24.4/drivers/hwmon/via686a.c 2008-03-26 17:56:55.000000000 -0400
13378 -@@ -740,7 +740,7 @@ static struct via686a_data *via686a_upda
13379 -
13380 - static struct pci_device_id via686a_pci_ids[] = {
13381 - { PCI_DEVICE(PCI_VENDOR_ID_VIA, PCI_DEVICE_ID_VIA_82C686_4) },
13382 -- { 0, }
13383 -+ { 0, 0, 0, 0, 0, 0, 0 }
13384 - };
13385 -
13386 - MODULE_DEVICE_TABLE(pci, via686a_pci_ids);
13387 -diff -urNp linux-2.6.24.4/drivers/hwmon/vt8231.c linux-2.6.24.4/drivers/hwmon/vt8231.c
13388 ---- linux-2.6.24.4/drivers/hwmon/vt8231.c 2008-03-24 14:49:18.000000000 -0400
13389 -+++ linux-2.6.24.4/drivers/hwmon/vt8231.c 2008-03-26 17:56:55.000000000 -0400
13390 -@@ -662,7 +662,7 @@ static struct platform_driver vt8231_dri
13391 -
13392 - static struct pci_device_id vt8231_pci_ids[] = {
13393 - { PCI_DEVICE(PCI_VENDOR_ID_VIA, PCI_DEVICE_ID_VIA_8231_4) },
13394 -- { 0, }
13395 -+ { 0, 0, 0, 0, 0, 0, 0 }
13396 - };
13397 -
13398 - MODULE_DEVICE_TABLE(pci, vt8231_pci_ids);
13399 -diff -urNp linux-2.6.24.4/drivers/hwmon/w83791d.c linux-2.6.24.4/drivers/hwmon/w83791d.c
13400 ---- linux-2.6.24.4/drivers/hwmon/w83791d.c 2008-03-24 14:49:18.000000000 -0400
13401 -+++ linux-2.6.24.4/drivers/hwmon/w83791d.c 2008-03-26 17:56:55.000000000 -0400
13402 -@@ -289,8 +289,8 @@ static int w83791d_attach_adapter(struct
13403 - static int w83791d_detect(struct i2c_adapter *adapter, int address, int kind);
13404 - static int w83791d_detach_client(struct i2c_client *client);
13405 -
13406 --static int w83791d_read(struct i2c_client *client, u8 register);
13407 --static int w83791d_write(struct i2c_client *client, u8 register, u8 value);
13408 -+static int w83791d_read(struct i2c_client *client, u8 reg);
13409 -+static int w83791d_write(struct i2c_client *client, u8 reg, u8 value);
13410 - static struct w83791d_data *w83791d_update_device(struct device *dev);
13411 -
13412 - #ifdef DEBUG
13413 -diff -urNp linux-2.6.24.4/drivers/i2c/busses/i2c-i801.c linux-2.6.24.4/drivers/i2c/busses/i2c-i801.c
13414 ---- linux-2.6.24.4/drivers/i2c/busses/i2c-i801.c 2008-03-24 14:49:18.000000000 -0400
13415 -+++ linux-2.6.24.4/drivers/i2c/busses/i2c-i801.c 2008-03-26 17:56:55.000000000 -0400
13416 -@@ -545,7 +545,7 @@ static struct pci_device_id i801_ids[] =
13417 - { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_ICH8_5) },
13418 - { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_ICH9_6) },
13419 - { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_TOLAPAI_1) },
13420 -- { 0, }
13421 -+ { 0, 0, 0, 0, 0, 0, 0 }
13422 - };
13423 -
13424 - MODULE_DEVICE_TABLE (pci, i801_ids);
13425 -diff -urNp linux-2.6.24.4/drivers/i2c/busses/i2c-i810.c linux-2.6.24.4/drivers/i2c/busses/i2c-i810.c
13426 ---- linux-2.6.24.4/drivers/i2c/busses/i2c-i810.c 2008-03-24 14:49:18.000000000 -0400
13427 -+++ linux-2.6.24.4/drivers/i2c/busses/i2c-i810.c 2008-03-26 17:56:55.000000000 -0400
13428 -@@ -198,7 +198,7 @@ static struct pci_device_id i810_ids[] _
13429 - { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_82810E_IG) },
13430 - { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_82815_CGC) },
13431 - { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_82845G_IG) },
13432 -- { 0, },
13433 -+ { 0, 0, 0, 0, 0, 0, 0 },
13434 - };
13435 -
13436 - MODULE_DEVICE_TABLE (pci, i810_ids);
13437 -diff -urNp linux-2.6.24.4/drivers/i2c/busses/i2c-piix4.c linux-2.6.24.4/drivers/i2c/busses/i2c-piix4.c
13438 ---- linux-2.6.24.4/drivers/i2c/busses/i2c-piix4.c 2008-03-24 14:49:18.000000000 -0400
13439 -+++ linux-2.6.24.4/drivers/i2c/busses/i2c-piix4.c 2008-03-26 17:56:55.000000000 -0400
13440 -@@ -113,7 +113,7 @@ static struct dmi_system_id __devinitdat
13441 - .ident = "IBM",
13442 - .matches = { DMI_MATCH(DMI_SYS_VENDOR, "IBM"), },
13443 - },
13444 -- { },
13445 -+ { NULL, NULL, {DMI_MATCH(DMI_NONE, NULL)}, NULL },
13446 - };
13447 -
13448 - static int __devinit piix4_setup(struct pci_dev *PIIX4_dev,
13449 -@@ -411,7 +411,7 @@ static struct pci_device_id piix4_ids[]
13450 - .driver_data = 3 },
13451 - { PCI_DEVICE(PCI_VENDOR_ID_EFAR, PCI_DEVICE_ID_EFAR_SLC90E66_3),
13452 - .driver_data = 0 },
13453 -- { 0, }
13454 -+ { 0, 0, 0, 0, 0, 0, 0 }
13455 - };
13456 -
13457 - MODULE_DEVICE_TABLE (pci, piix4_ids);
13458 -diff -urNp linux-2.6.24.4/drivers/i2c/busses/i2c-sis630.c linux-2.6.24.4/drivers/i2c/busses/i2c-sis630.c
13459 ---- linux-2.6.24.4/drivers/i2c/busses/i2c-sis630.c 2008-03-24 14:49:18.000000000 -0400
13460 -+++ linux-2.6.24.4/drivers/i2c/busses/i2c-sis630.c 2008-03-26 17:56:56.000000000 -0400
13461 -@@ -465,7 +465,7 @@ static struct i2c_adapter sis630_adapter
13462 - static struct pci_device_id sis630_ids[] __devinitdata = {
13463 - { PCI_DEVICE(PCI_VENDOR_ID_SI, PCI_DEVICE_ID_SI_503) },
13464 - { PCI_DEVICE(PCI_VENDOR_ID_SI, PCI_DEVICE_ID_SI_LPC) },
13465 -- { 0, }
13466 -+ { 0, 0, 0, 0, 0, 0, 0 }
13467 - };
13468 -
13469 - MODULE_DEVICE_TABLE (pci, sis630_ids);
13470 -diff -urNp linux-2.6.24.4/drivers/i2c/busses/i2c-sis96x.c linux-2.6.24.4/drivers/i2c/busses/i2c-sis96x.c
13471 ---- linux-2.6.24.4/drivers/i2c/busses/i2c-sis96x.c 2008-03-24 14:49:18.000000000 -0400
13472 -+++ linux-2.6.24.4/drivers/i2c/busses/i2c-sis96x.c 2008-03-26 17:56:56.000000000 -0400
13473 -@@ -255,7 +255,7 @@ static struct i2c_adapter sis96x_adapter
13474 -
13475 - static struct pci_device_id sis96x_ids[] = {
13476 - { PCI_DEVICE(PCI_VENDOR_ID_SI, PCI_DEVICE_ID_SI_SMBUS) },
13477 -- { 0, }
13478 -+ { 0, 0, 0, 0, 0, 0, 0 }
13479 - };
13480 -
13481 - MODULE_DEVICE_TABLE (pci, sis96x_ids);
13482 -diff -urNp linux-2.6.24.4/drivers/ide/ide-cd.c linux-2.6.24.4/drivers/ide/ide-cd.c
13483 ---- linux-2.6.24.4/drivers/ide/ide-cd.c 2008-03-24 14:49:18.000000000 -0400
13484 -+++ linux-2.6.24.4/drivers/ide/ide-cd.c 2008-03-26 17:56:56.000000000 -0400
13485 -@@ -457,8 +457,6 @@ void cdrom_analyze_sense_data(ide_drive_
13486 - sector &= ~(bio_sectors -1);
13487 - valid = (sector - failed_command->sector) << 9;
13488 -
13489 -- if (valid < 0)
13490 -- valid = 0;
13491 - if (sector < get_capacity(info->disk) &&
13492 - drive->probed_capacity - sector < 4 * 75) {
13493 - set_capacity(info->disk, sector);
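Review bot: dropping `if (valid < 0) valid = 0;` is a no-op only if `valid` is an unsigned type, and the hunk does not show its declaration, so the patch description should state the type before this is taken as pure warning cleanup. If it is unsigned, `valid = (sector - failed_command->sector) << 9;` still wraps to a huge value when `sector` is below `failed_command->sector`, and the removed clamp never caught that case either; if that case is worth guarding, the guard is an explicit `sector >= failed_command->sector` test before the subtraction, not a signedness check.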
13494 -diff -urNp linux-2.6.24.4/drivers/ieee1394/dv1394.c linux-2.6.24.4/drivers/ieee1394/dv1394.c
13495 ---- linux-2.6.24.4/drivers/ieee1394/dv1394.c 2008-03-24 14:49:18.000000000 -0400
13496 -+++ linux-2.6.24.4/drivers/ieee1394/dv1394.c 2008-03-26 17:56:56.000000000 -0400
13497 -@@ -739,7 +739,7 @@ static void frame_prepare(struct video_c
13498 - based upon DIF section and sequence
13499 - */
13500 -
13501 --static void inline
13502 -+static inline void
13503 - frame_put_packet (struct frame *f, struct packet *p)
13504 - {
13505 - int section_type = p->data[0] >> 5; /* section type is in bits 5 - 7 */
13506 -@@ -918,7 +918,7 @@ static int do_dv1394_init(struct video_c
13507 - /* default SYT offset is 3 cycles */
13508 - init->syt_offset = 3;
13509 -
13510 -- if ( (init->channel > 63) || (init->channel < 0) )
13511 -+ if (init->channel > 63)
13512 - init->channel = 63;
13513 -
13514 - chan_mask = (u64)1 << init->channel;
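Review bot: the reduced clamp `if (init->channel > 63)` is equivalent to the original only if `init->channel` is unsigned, and the clamped value goes straight into `chan_mask = (u64)1 << init->channel;`, so any value that escapes the clamp is an undefined shift. The field's type is not visible in this hunk; cite it in the patch description, since this is userspace-controlled input and the shift is the consumer that matters.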
13515 -@@ -2173,7 +2173,7 @@ static struct ieee1394_device_id dv1394_
13516 - .specifier_id = AVC_UNIT_SPEC_ID_ENTRY & 0xffffff,
13517 - .version = AVC_SW_VERSION_ENTRY & 0xffffff
13518 - },
13519 -- { }
13520 -+ { 0, 0, 0, 0, 0, 0 }
13521 - };
13522 -
13523 - MODULE_DEVICE_TABLE(ieee1394, dv1394_id_table);
13524 -diff -urNp linux-2.6.24.4/drivers/ieee1394/eth1394.c linux-2.6.24.4/drivers/ieee1394/eth1394.c
13525 ---- linux-2.6.24.4/drivers/ieee1394/eth1394.c 2008-03-24 14:49:18.000000000 -0400
13526 -+++ linux-2.6.24.4/drivers/ieee1394/eth1394.c 2008-03-26 17:56:56.000000000 -0400
13527 -@@ -451,7 +451,7 @@ static struct ieee1394_device_id eth1394
13528 - .specifier_id = ETHER1394_GASP_SPECIFIER_ID,
13529 - .version = ETHER1394_GASP_VERSION,
13530 - },
13531 -- {}
13532 -+ { 0, 0, 0, 0, 0, 0 }
13533 - };
13534 -
13535 - MODULE_DEVICE_TABLE(ieee1394, eth1394_id_table);
13536 -diff -urNp linux-2.6.24.4/drivers/ieee1394/hosts.c linux-2.6.24.4/drivers/ieee1394/hosts.c
13537 ---- linux-2.6.24.4/drivers/ieee1394/hosts.c 2008-03-24 14:49:18.000000000 -0400
13538 -+++ linux-2.6.24.4/drivers/ieee1394/hosts.c 2008-03-26 17:56:56.000000000 -0400
13539 -@@ -78,6 +78,7 @@ static int dummy_isoctl(struct hpsb_iso
13540 - }
13541 -
13542 - static struct hpsb_host_driver dummy_driver = {
13543 -+ .name = "dummy",
13544 - .transmit_packet = dummy_transmit_packet,
13545 - .devctl = dummy_devctl,
13546 - .isoctl = dummy_isoctl
13547 -diff -urNp linux-2.6.24.4/drivers/ieee1394/ohci1394.c linux-2.6.24.4/drivers/ieee1394/ohci1394.c
13548 ---- linux-2.6.24.4/drivers/ieee1394/ohci1394.c 2008-03-24 14:49:18.000000000 -0400
13549 -+++ linux-2.6.24.4/drivers/ieee1394/ohci1394.c 2008-03-26 17:56:56.000000000 -0400
13550 -@@ -147,9 +147,9 @@ printk(level "%s: " fmt "\n" , OHCI1394_
13551 - printk(level "%s: fw-host%d: " fmt "\n" , OHCI1394_DRIVER_NAME, ohci->host->id , ## args)
13552 -
13553 - /* Module Parameters */
13554 --static int phys_dma = 1;
13555 -+static int phys_dma;
13556 - module_param(phys_dma, int, 0444);
13557 --MODULE_PARM_DESC(phys_dma, "Enable physical dma (default = 1).");
13558 -+MODULE_PARM_DESC(phys_dma, "Enable physical dma (default = 0).");
13559 -
13560 - static void dma_trm_tasklet(unsigned long data);
13561 - static void dma_trm_reset(struct dma_trm_ctx *d);
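Review bot: the default flip from `static int phys_dma = 1;` to `static int phys_dma;` is the substantive change here and is a sound hardening default: physical DMA lets a bus-attached device read and write host memory without the driver mediating, so it should be opt-in. The `MODULE_PARM_DESC` text is updated to match, which is the consistency step usually forgotten; what is still missing is a changelog line stating that users who relied on the old default must now pass `phys_dma=1` explicitly.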
13562 -@@ -3396,7 +3396,7 @@ static struct pci_device_id ohci1394_pci
13563 - .subvendor = PCI_ANY_ID,
13564 - .subdevice = PCI_ANY_ID,
13565 - },
13566 -- { 0, },
13567 -+ { 0, 0, 0, 0, 0, 0, 0 },
13568 - };
13569 -
13570 - MODULE_DEVICE_TABLE(pci, ohci1394_pci_tbl);
13571 -diff -urNp linux-2.6.24.4/drivers/ieee1394/raw1394.c linux-2.6.24.4/drivers/ieee1394/raw1394.c
13572 ---- linux-2.6.24.4/drivers/ieee1394/raw1394.c 2008-03-24 14:49:18.000000000 -0400
13573 -+++ linux-2.6.24.4/drivers/ieee1394/raw1394.c 2008-03-26 17:56:56.000000000 -0400
13574 -@@ -2952,7 +2952,7 @@ static struct ieee1394_device_id raw1394
13575 - .match_flags = IEEE1394_MATCH_SPECIFIER_ID | IEEE1394_MATCH_VERSION,
13576 - .specifier_id = CAMERA_UNIT_SPEC_ID_ENTRY & 0xffffff,
13577 - .version = (CAMERA_SW_VERSION_ENTRY + 2) & 0xffffff},
13578 -- {}
13579 -+ { 0, 0, 0, 0, 0, 0 }
13580 - };
13581 -
13582 - MODULE_DEVICE_TABLE(ieee1394, raw1394_id_table);
13583 -diff -urNp linux-2.6.24.4/drivers/ieee1394/sbp2.c linux-2.6.24.4/drivers/ieee1394/sbp2.c
13584 ---- linux-2.6.24.4/drivers/ieee1394/sbp2.c 2008-03-24 14:49:18.000000000 -0400
13585 -+++ linux-2.6.24.4/drivers/ieee1394/sbp2.c 2008-03-26 17:56:56.000000000 -0400
13586 -@@ -274,7 +274,7 @@ static struct ieee1394_device_id sbp2_id
13587 - .match_flags = IEEE1394_MATCH_SPECIFIER_ID | IEEE1394_MATCH_VERSION,
13588 - .specifier_id = SBP2_UNIT_SPEC_ID_ENTRY & 0xffffff,
13589 - .version = SBP2_SW_VERSION_ENTRY & 0xffffff},
13590 -- {}
13591 -+ { 0, 0, 0, 0, 0, 0 }
13592 - };
13593 - MODULE_DEVICE_TABLE(ieee1394, sbp2_id_table);
13594 -
13595 -@@ -2078,7 +2078,7 @@ MODULE_DESCRIPTION("IEEE-1394 SBP-2 prot
13596 - MODULE_SUPPORTED_DEVICE(SBP2_DEVICE_NAME);
13597 - MODULE_LICENSE("GPL");
13598 -
13599 --static int sbp2_module_init(void)
13600 -+static int __init sbp2_module_init(void)
13601 - {
13602 - int ret;
13603 -
13604 -diff -urNp linux-2.6.24.4/drivers/ieee1394/video1394.c linux-2.6.24.4/drivers/ieee1394/video1394.c
13605 ---- linux-2.6.24.4/drivers/ieee1394/video1394.c 2008-03-24 14:49:18.000000000 -0400
13606 -+++ linux-2.6.24.4/drivers/ieee1394/video1394.c 2008-03-26 17:56:56.000000000 -0400
13607 -@@ -893,7 +893,7 @@ static long video1394_ioctl(struct file
13608 - if (unlikely(d == NULL))
13609 - return -EFAULT;
13610 -
13611 -- if (unlikely((v.buffer<0) || (v.buffer>=d->num_desc - 1))) {
13612 -+ if (unlikely(v.buffer>=d->num_desc - 1)) {
13613 - PRINT(KERN_ERR, ohci->host->id,
13614 - "Buffer %d out of range",v.buffer);
13615 - return -EINVAL;
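Review bot: `if (unlikely(v.buffer>=d->num_desc - 1))` keeps only the upper bound, which is sound only if `v.buffer` is unsigned (in that case the removed `v.buffer<0` half could never be true and this is warning cleanup, not a behaviour change). The same applies to the three following `v.buffer` hunks in this file; one sentence in the patch description giving the type of `buffer` would make all four reviewable without opening the header.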
13616 -@@ -959,7 +959,7 @@ static long video1394_ioctl(struct file
13617 - if (unlikely(d == NULL))
13618 - return -EFAULT;
13619 -
13620 -- if (unlikely((v.buffer<0) || (v.buffer>d->num_desc - 1))) {
13621 -+ if (unlikely(v.buffer>d->num_desc - 1)) {
13622 - PRINT(KERN_ERR, ohci->host->id,
13623 - "Buffer %d out of range",v.buffer);
13624 - return -EINVAL;
13625 -@@ -1030,7 +1030,7 @@ static long video1394_ioctl(struct file
13626 - d = find_ctx(&ctx->context_list, OHCI_ISO_TRANSMIT, v.channel);
13627 - if (d == NULL) return -EFAULT;
13628 -
13629 -- if ((v.buffer<0) || (v.buffer>=d->num_desc - 1)) {
13630 -+ if (v.buffer>=d->num_desc - 1) {
13631 - PRINT(KERN_ERR, ohci->host->id,
13632 - "Buffer %d out of range",v.buffer);
13633 - return -EINVAL;
13634 -@@ -1137,7 +1137,7 @@ static long video1394_ioctl(struct file
13635 - d = find_ctx(&ctx->context_list, OHCI_ISO_TRANSMIT, v.channel);
13636 - if (d == NULL) return -EFAULT;
13637 -
13638 -- if ((v.buffer<0) || (v.buffer>=d->num_desc-1)) {
13639 -+ if (v.buffer>=d->num_desc-1) {
13640 - PRINT(KERN_ERR, ohci->host->id,
13641 - "Buffer %d out of range",v.buffer);
13642 - return -EINVAL;
13643 -@@ -1309,7 +1309,7 @@ static struct ieee1394_device_id video13
13644 - .specifier_id = CAMERA_UNIT_SPEC_ID_ENTRY & 0xffffff,
13645 - .version = (CAMERA_SW_VERSION_ENTRY + 2) & 0xffffff
13646 - },
13647 -- { }
13648 -+ { 0, 0, 0, 0, 0, 0 }
13649 - };
13650 -
13651 - MODULE_DEVICE_TABLE(ieee1394, video1394_id_table);
13652 -diff -urNp linux-2.6.24.4/drivers/input/keyboard/atkbd.c linux-2.6.24.4/drivers/input/keyboard/atkbd.c
13653 ---- linux-2.6.24.4/drivers/input/keyboard/atkbd.c 2008-03-24 14:49:18.000000000 -0400
13654 -+++ linux-2.6.24.4/drivers/input/keyboard/atkbd.c 2008-03-26 17:56:56.000000000 -0400
13655 -@@ -1080,7 +1080,7 @@ static struct serio_device_id atkbd_seri
13656 - .id = SERIO_ANY,
13657 - .extra = SERIO_ANY,
13658 - },
13659 -- { 0 }
13660 -+ { 0, 0, 0, 0 }
13661 - };
13662 -
13663 - MODULE_DEVICE_TABLE(serio, atkbd_serio_ids);
13664 -diff -urNp linux-2.6.24.4/drivers/input/mouse/lifebook.c linux-2.6.24.4/drivers/input/mouse/lifebook.c
13665 ---- linux-2.6.24.4/drivers/input/mouse/lifebook.c 2008-03-24 14:49:18.000000000 -0400
13666 -+++ linux-2.6.24.4/drivers/input/mouse/lifebook.c 2008-03-26 17:56:56.000000000 -0400
13667 -@@ -110,7 +110,7 @@ static const struct dmi_system_id lifebo
13668 - DMI_MATCH(DMI_PRODUCT_NAME, "LifeBook B142"),
13669 - },
13670 - },
13671 -- { }
13672 -+ { NULL, NULL, {DMI_MATCH(DMI_NONE, NULL)}, NULL}
13673 - };
13674 -
13675 - static psmouse_ret_t lifebook_process_byte(struct psmouse *psmouse)
13676 -diff -urNp linux-2.6.24.4/drivers/input/mouse/psmouse-base.c linux-2.6.24.4/drivers/input/mouse/psmouse-base.c
13677 ---- linux-2.6.24.4/drivers/input/mouse/psmouse-base.c 2008-03-24 14:49:18.000000000 -0400
13678 -+++ linux-2.6.24.4/drivers/input/mouse/psmouse-base.c 2008-03-26 17:56:56.000000000 -0400
13679 -@@ -1329,7 +1329,7 @@ static struct serio_device_id psmouse_se
13680 - .id = SERIO_ANY,
13681 - .extra = SERIO_ANY,
13682 - },
13683 -- { 0 }
13684 -+ { 0, 0, 0, 0 }
13685 - };
13686 -
13687 - MODULE_DEVICE_TABLE(serio, psmouse_serio_ids);
13688 -diff -urNp linux-2.6.24.4/drivers/input/mouse/synaptics.c linux-2.6.24.4/drivers/input/mouse/synaptics.c
13689 ---- linux-2.6.24.4/drivers/input/mouse/synaptics.c 2008-03-24 14:49:18.000000000 -0400
13690 -+++ linux-2.6.24.4/drivers/input/mouse/synaptics.c 2008-03-26 17:56:56.000000000 -0400
13691 -@@ -417,7 +417,7 @@ static void synaptics_process_packet(str
13692 - break;
13693 - case 2:
13694 - if (SYN_MODEL_PEN(priv->model_id))
13695 -- ; /* Nothing, treat a pen as a single finger */
13696 -+ break; /* Nothing, treat a pen as a single finger */
13697 - break;
13698 - case 4 ... 15:
13699 - if (SYN_CAP_PALMDETECT(priv->capabilities))
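Review bot: after the change the `if (SYN_MODEL_PEN(priv->model_id))` now guards a `break;` that is immediately followed by another `break;`, so the condition has no effect either way. Replace the three lines with the comment and a single `break;` rather than keeping a conditional that exists only to silence the empty-body warning.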
13700 -@@ -624,7 +624,7 @@ static const struct dmi_system_id toshib
13701 - DMI_MATCH(DMI_PRODUCT_NAME, "PORTEGE M300"),
13702 - },
13703 - },
13704 -- { }
13705 -+ { NULL, NULL, {DMI_MATCH(DMI_NONE, NULL)}, NULL }
13706 - };
13707 - #endif
13708 -
13709 -diff -urNp linux-2.6.24.4/drivers/input/mousedev.c linux-2.6.24.4/drivers/input/mousedev.c
13710 ---- linux-2.6.24.4/drivers/input/mousedev.c 2008-03-24 14:49:18.000000000 -0400
13711 -+++ linux-2.6.24.4/drivers/input/mousedev.c 2008-03-26 17:56:56.000000000 -0400
13712 -@@ -1056,7 +1056,7 @@ static struct input_handler mousedev_han
13713 -
13714 - #ifdef CONFIG_INPUT_MOUSEDEV_PSAUX
13715 - static struct miscdevice psaux_mouse = {
13716 -- PSMOUSE_MINOR, "psaux", &mousedev_fops
13717 -+ PSMOUSE_MINOR, "psaux", &mousedev_fops, {NULL, NULL}, NULL, NULL
13718 - };
13719 - static int psaux_registered;
13720 - #endif
13721 -diff -urNp linux-2.6.24.4/drivers/input/serio/i8042-x86ia64io.h linux-2.6.24.4/drivers/input/serio/i8042-x86ia64io.h
13722 ---- linux-2.6.24.4/drivers/input/serio/i8042-x86ia64io.h 2008-03-24 14:49:18.000000000 -0400
13723 -+++ linux-2.6.24.4/drivers/input/serio/i8042-x86ia64io.h 2008-03-26 17:56:56.000000000 -0400
13724 -@@ -118,7 +118,7 @@ static struct dmi_system_id __initdata i
13725 - DMI_MATCH(DMI_PRODUCT_VERSION, "VS2005R2"),
13726 - },
13727 - },
13728 -- { }
13729 -+ { NULL, NULL, {DMI_MATCH(DMI_NONE, NULL)}, NULL }
13730 - };
13731 -
13732 - /*
13733 -@@ -270,7 +270,7 @@ static struct dmi_system_id __initdata i
13734 - DMI_MATCH(DMI_PRODUCT_NAME, "M636/A737 platform"),
13735 - },
13736 - },
13737 -- { }
13738 -+ { NULL, NULL, {DMI_MATCH(DMI_NONE, NULL)}, NULL }
13739 - };
13740 -
13741 -
13742 -diff -urNp linux-2.6.24.4/drivers/input/serio/serio_raw.c linux-2.6.24.4/drivers/input/serio/serio_raw.c
13743 ---- linux-2.6.24.4/drivers/input/serio/serio_raw.c 2008-03-24 14:49:18.000000000 -0400
13744 -+++ linux-2.6.24.4/drivers/input/serio/serio_raw.c 2008-03-26 17:56:56.000000000 -0400
13745 -@@ -369,7 +369,7 @@ static struct serio_device_id serio_raw_
13746 - .id = SERIO_ANY,
13747 - .extra = SERIO_ANY,
13748 - },
13749 -- { 0 }
13750 -+ { 0, 0, 0, 0 }
13751 - };
13752 -
13753 - MODULE_DEVICE_TABLE(serio, serio_raw_serio_ids);
13754 -diff -urNp linux-2.6.24.4/drivers/kvm/kvm_main.c linux-2.6.24.4/drivers/kvm/kvm_main.c
13755 ---- linux-2.6.24.4/drivers/kvm/kvm_main.c 2008-03-24 14:49:18.000000000 -0400
13756 -+++ linux-2.6.24.4/drivers/kvm/kvm_main.c 2008-03-26 17:56:56.000000000 -0400
13757 -@@ -67,22 +67,22 @@ static struct kvm_stats_debugfs_item {
13758 - int offset;
13759 - struct dentry *dentry;
13760 - } debugfs_entries[] = {
13761 -- { "pf_fixed", STAT_OFFSET(pf_fixed) },
13762 -- { "pf_guest", STAT_OFFSET(pf_guest) },
13763 -- { "tlb_flush", STAT_OFFSET(tlb_flush) },
13764 -- { "invlpg", STAT_OFFSET(invlpg) },
13765 -- { "exits", STAT_OFFSET(exits) },
13766 -- { "io_exits", STAT_OFFSET(io_exits) },
13767 -- { "mmio_exits", STAT_OFFSET(mmio_exits) },
13768 -- { "signal_exits", STAT_OFFSET(signal_exits) },
13769 -- { "irq_window", STAT_OFFSET(irq_window_exits) },
13770 -- { "halt_exits", STAT_OFFSET(halt_exits) },
13771 -- { "halt_wakeup", STAT_OFFSET(halt_wakeup) },
13772 -- { "request_irq", STAT_OFFSET(request_irq_exits) },
13773 -- { "irq_exits", STAT_OFFSET(irq_exits) },
13774 -- { "light_exits", STAT_OFFSET(light_exits) },
13775 -- { "efer_reload", STAT_OFFSET(efer_reload) },
13776 -- { NULL }
13777 -+ { "pf_fixed", STAT_OFFSET(pf_fixed), NULL },
13778 -+ { "pf_guest", STAT_OFFSET(pf_guest), NULL },
13779 -+ { "tlb_flush", STAT_OFFSET(tlb_flush), NULL },
13780 -+ { "invlpg", STAT_OFFSET(invlpg), NULL },
13781 -+ { "exits", STAT_OFFSET(exits), NULL },
13782 -+ { "io_exits", STAT_OFFSET(io_exits), NULL },
13783 -+ { "mmio_exits", STAT_OFFSET(mmio_exits), NULL },
13784 -+ { "signal_exits", STAT_OFFSET(signal_exits), NULL },
13785 -+ { "irq_window", STAT_OFFSET(irq_window_exits), NULL },
13786 -+ { "halt_exits", STAT_OFFSET(halt_exits), NULL },
13787 -+ { "halt_wakeup", STAT_OFFSET(halt_wakeup), NULL },
13788 -+ { "request_irq", STAT_OFFSET(request_irq_exits), NULL },
13789 -+ { "irq_exits", STAT_OFFSET(irq_exits), NULL },
13790 -+ { "light_exits", STAT_OFFSET(light_exits), NULL },
13791 -+ { "efer_reload", STAT_OFFSET(efer_reload), NULL },
13792 -+ { NULL, 0, NULL }
13793 - };
13794 -
13795 - static struct dentry *debugfs_dir;
13796 -@@ -2505,7 +2505,7 @@ static int kvm_vcpu_ioctl_translate(stru
13797 - static int kvm_vcpu_ioctl_interrupt(struct kvm_vcpu *vcpu,
13798 - struct kvm_interrupt *irq)
13799 - {
13800 -- if (irq->irq < 0 || irq->irq >= 256)
13801 -+ if (irq->irq >= 256)
13802 - return -EINVAL;
13803 - if (irqchip_in_kernel(vcpu->kvm))
13804 - return -ENXIO;
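Review bot: `if (irq->irq >= 256)` drops the `< 0` half of the range check on an ioctl argument that is used as an interrupt index; as with the other signedness cleanups in this patch it is equivalent only if `irq->irq` is an unsigned type. The upper bound, which is the check that actually matters for a userspace-supplied index, is preserved; state the field's type in the patch description so the removal is auditable.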
13805 -@@ -3250,6 +3250,9 @@ static struct miscdevice kvm_dev = {
13806 - KVM_MINOR,
13807 - "kvm",
13808 - &kvm_chardev_ops,
13809 -+ {NULL, NULL},
13810 -+ NULL,
13811 -+ NULL
13812 - };
13813 -
13814 - /*
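Review bot: the positional zero-fill `{NULL, NULL}, NULL, NULL` (and `PSMOUSE_MINOR, "psaux", &mousedev_fops, {NULL, NULL}, NULL, NULL` in the mousedev hunk above) silences the missing-initializer warning by hard-coding the current layout of `struct miscdevice`; any field added or reordered upstream makes these initializers wrong or uncompilable. Designated initializers (`.minor = KVM_MINOR, .name = "kvm", .fops = &kvm_chardev_ops`) give the same warning-free result without tying the patch to the struct layout, and the same holds for the `{ NULL, NULL, {DMI_MATCH(DMI_NONE, NULL)}, NULL }` terminators in the dmi_system_id tables.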
13815 -diff -urNp linux-2.6.24.4/drivers/kvm/svm.c linux-2.6.24.4/drivers/kvm/svm.c
13816 ---- linux-2.6.24.4/drivers/kvm/svm.c 2008-03-24 14:49:18.000000000 -0400
13817 -+++ linux-2.6.24.4/drivers/kvm/svm.c 2008-03-26 17:56:56.000000000 -0400
13818 -@@ -1307,8 +1307,20 @@ static void reload_tss(struct kvm_vcpu *
13819 - int cpu = raw_smp_processor_id();
13820 -
13821 - struct svm_cpu_data *svm_data = per_cpu(svm_data, cpu);
13822 -+
13823 -+#ifdef CONFIG_PAX_KERNEXEC
13824 -+ unsigned long cr0;
13825 -+
13826 -+ pax_open_kernel(cr0);
13827 -+#endif
13828 -+
13829 - svm_data->tss_desc->type = 9; //available 32/64-bit TSS
13830 - load_TR_desc();
13831 -+
13832 -+#ifdef CONFIG_PAX_KERNEXEC
13833 -+ pax_close_kernel(cr0);
13834 -+#endif
13835 -+
13836 - }
13837 -
13838 - static void pre_svm_run(struct vcpu_svm *svm)
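Review bot: the `pax_open_kernel(cr0)` / `pax_close_kernel(cr0)` window spans both the `svm_data->tss_desc->type = 9;` store and `load_TR_desc();`, but only the descriptor store needs the kernel writable; closing immediately after the store keeps the writable window as short as possible, which is the point of KERNEXEC. The same ordering applies to the vmx.c `reload_tss()` hunk below, where `descs[GDT_ENTRY_TSS].type = 9;` is followed by `load_TR_desc();` inside the window.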
13839 -diff -urNp linux-2.6.24.4/drivers/kvm/vmx.c linux-2.6.24.4/drivers/kvm/vmx.c
13840 ---- linux-2.6.24.4/drivers/kvm/vmx.c 2008-03-24 14:49:18.000000000 -0400
13841 -+++ linux-2.6.24.4/drivers/kvm/vmx.c 2008-03-26 17:56:56.000000000 -0400
13842 -@@ -335,10 +335,24 @@ static void reload_tss(void)
13843 - struct descriptor_table gdt;
13844 - struct segment_descriptor *descs;
13845 -
13846 -+#ifdef CONFIG_PAX_KERNEXEC
13847 -+ unsigned long cr0;
13848 -+#endif
13849 -+
13850 - get_gdt(&gdt);
13851 - descs = (void *)gdt.base;
13852 -+
13853 -+#ifdef CONFIG_PAX_KERNEXEC
13854 -+ pax_open_kernel(cr0);
13855 -+#endif
13856 -+
13857 - descs[GDT_ENTRY_TSS].type = 9; /* available TSS */
13858 - load_TR_desc();
13859 -+
13860 -+#ifdef CONFIG_PAX_KERNEXEC
13861 -+ pax_close_kernel(cr0);
13862 -+#endif
13863 -+
13864 - #endif
13865 - }
13866 -
13867 -@@ -2322,7 +2336,7 @@ static void vmx_vcpu_run(struct kvm_vcpu
13868 -
13869 - vcpu->interrupt_window_open = (vmcs_read32(GUEST_INTERRUPTIBILITY_INFO) & 3) == 0;
13870 -
13871 -- asm ("mov %0, %%ds; mov %0, %%es" : : "r"(__USER_DS));
13872 -+ asm ("mov %0, %%ds; mov %0, %%es" : : "r"(__KERNEL_DS));
13873 - vmx->launched = 1;
13874 -
13875 - intr_info = vmcs_read32(VM_EXIT_INTR_INFO);
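Review bot: `asm ("mov %0, %%ds; mov %0, %%es" : : "r"(__KERNEL_DS));` swaps the user data selector for the kernel one on the VM-exit path, but unlike every other PaX edit in this file it carries neither a `#ifdef CONFIG_PAX_KERNEXEC` guard nor a comment, so it reads as an unrelated change and is the first casualty of a conflict resolution on the next upstream merge. Add a one-line comment saying why kernel selectors are required here under PaX, and guard it the same way as the `reload_tss()` changes if it is not meant to apply to the non-PaX build.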
13876 -diff -urNp linux-2.6.24.4/drivers/md/bitmap.c linux-2.6.24.4/drivers/md/bitmap.c
13877 ---- linux-2.6.24.4/drivers/md/bitmap.c 2008-03-24 14:49:18.000000000 -0400
13878 -+++ linux-2.6.24.4/drivers/md/bitmap.c 2008-03-26 17:56:56.000000000 -0400
13879 -@@ -57,7 +57,7 @@
13880 - # if DEBUG > 0
13881 - # define PRINTK(x...) printk(KERN_DEBUG x)
13882 - # else
13883 --# define PRINTK(x...)
13884 -+# define PRINTK(x...) do {} while (0)
13885 - # endif
13886 - #endif
13887 -
13888 -diff -urNp linux-2.6.24.4/drivers/mtd/devices/doc2000.c linux-2.6.24.4/drivers/mtd/devices/doc2000.c
13889 ---- linux-2.6.24.4/drivers/mtd/devices/doc2000.c 2008-03-24 14:49:18.000000000 -0400
13890 -+++ linux-2.6.24.4/drivers/mtd/devices/doc2000.c 2008-03-26 17:56:56.000000000 -0400
13891 -@@ -632,7 +632,7 @@ static int doc_read(struct mtd_info *mtd
13892 - len = ((from | 0x1ff) + 1) - from;
13893 -
13894 - /* The ECC will not be calculated correctly if less than 512 is read */
13895 -- if (len != 0x200 && eccbuf)
13896 -+ if (len != 0x200)
13897 - printk(KERN_WARNING
13898 - "ECC needs a full sector read (adr: %lx size %lx)\n",
13899 - (long) from, (long) len);
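Review bot: changing `if (len != 0x200 && eccbuf)` to `if (len != 0x200)` alters when the ECC warning fires: it now triggers on every sub-sector read, not only those with an ECC buffer. If `eccbuf` is always NULL at this point (so the old warning never fired at all), say so in the patch description; if it is still a real parameter, this is a behavioural change that belongs in its own commit rather than in a warning-cleanup batch.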
13900 -diff -urNp linux-2.6.24.4/drivers/mtd/devices/doc2001.c linux-2.6.24.4/drivers/mtd/devices/doc2001.c
13901 ---- linux-2.6.24.4/drivers/mtd/devices/doc2001.c 2008-03-24 14:49:18.000000000 -0400
13902 -+++ linux-2.6.24.4/drivers/mtd/devices/doc2001.c 2008-03-26 17:56:56.000000000 -0400
13903 -@@ -398,6 +398,8 @@ static int doc_read (struct mtd_info *mt
13904 - /* Don't allow read past end of device */
13905 - if (from >= this->totlen)
13906 - return -EINVAL;
13907 -+ if (!len)
13908 -+ return -EINVAL;
13909 -
13910 - /* Don't allow a single read to cross a 512-byte block boundary */
13911 - if (from + len > ((from | 0x1ff) + 1))
13912 -diff -urNp linux-2.6.24.4/drivers/mtd/devices/doc2001plus.c linux-2.6.24.4/drivers/mtd/devices/doc2001plus.c
13913 ---- linux-2.6.24.4/drivers/mtd/devices/doc2001plus.c 2008-03-24 14:49:18.000000000 -0400
13914 -+++ linux-2.6.24.4/drivers/mtd/devices/doc2001plus.c 2008-03-26 17:56:56.000000000 -0400
13915 -@@ -748,7 +748,7 @@ static int doc_write(struct mtd_info *mt
13916 - WriteDOC(DoC_GetDataOffset(mtd, &fto), docptr, Mplus_FlashCmd);
13917 -
13918 - /* On interleaved devices the flags for 2nd half 512 are before data */
13919 -- if (eccbuf && before)
13920 -+ if (before)
13921 - fto -= 2;
13922 -
13923 - /* issue the Serial Data In command to initial the Page Program process */
13924 -diff -urNp linux-2.6.24.4/drivers/mtd/devices/slram.c linux-2.6.24.4/drivers/mtd/devices/slram.c
13925 ---- linux-2.6.24.4/drivers/mtd/devices/slram.c 2008-03-24 14:49:18.000000000 -0400
13926 -+++ linux-2.6.24.4/drivers/mtd/devices/slram.c 2008-03-26 17:56:56.000000000 -0400
13927 -@@ -270,7 +270,7 @@ static int parse_cmdline(char *devname,
13928 - }
13929 - T("slram: devname=%s, devstart=0x%lx, devlength=0x%lx\n",
13930 - devname, devstart, devlength);
13931 -- if ((devstart < 0) || (devlength < 0) || (devlength % SLRAM_BLK_SZ != 0)) {
13932 -+ if (devlength % SLRAM_BLK_SZ != 0) {
13933 - E("slram: Illegal start / length parameter.\n");
13934 - return(-EINVAL);
13935 - }
13936 -diff -urNp linux-2.6.24.4/drivers/mtd/ubi/build.c linux-2.6.24.4/drivers/mtd/ubi/build.c
13937 ---- linux-2.6.24.4/drivers/mtd/ubi/build.c 2008-03-24 14:49:18.000000000 -0400
13938 -+++ linux-2.6.24.4/drivers/mtd/ubi/build.c 2008-03-26 17:56:56.000000000 -0400
13939 -@@ -753,7 +753,7 @@ static int __init bytes_str_to_int(const
13940 - unsigned long result;
13941 -
13942 - result = simple_strtoul(str, &endp, 0);
13943 -- if (str == endp || result < 0) {
13944 -+ if (str == endp) {
13945 - printk("UBI error: incorrect bytes count: \"%s\"\n", str);
13946 - return -EINVAL;
13947 - }
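Review bot: `result < 0` is dead because `unsigned long result;` is declared in the context two lines above, so removing it from `if (str == endp || result < 0)` is pure warning cleanup with no behaviour change; this is the form the other signedness hunks in this patch should follow, with the type visible or cited so the reviewer does not have to take it on trust.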
13948 -diff -urNp linux-2.6.24.4/drivers/net/eepro100.c linux-2.6.24.4/drivers/net/eepro100.c
13949 ---- linux-2.6.24.4/drivers/net/eepro100.c 2008-03-24 14:49:18.000000000 -0400
13950 -+++ linux-2.6.24.4/drivers/net/eepro100.c 2008-03-26 17:56:56.000000000 -0400
13951 -@@ -47,7 +47,7 @@ static int rxdmacount /* = 0 */;
13952 - # define rx_align(skb) skb_reserve((skb), 2)
13953 - # define RxFD_ALIGNMENT __attribute__ ((aligned (2), packed))
13954 - #else
13955 --# define rx_align(skb)
13956 -+# define rx_align(skb) do {} while (0)
13957 - # define RxFD_ALIGNMENT
13958 - #endif
13959 -
13960 -@@ -2340,33 +2340,33 @@ static void __devexit eepro100_remove_on
13961 - }
13962 -
13963 - static struct pci_device_id eepro100_pci_tbl[] = {
13964 -- { PCI_VENDOR_ID_INTEL, 0x1229, PCI_ANY_ID, PCI_ANY_ID, },
13965 -- { PCI_VENDOR_ID_INTEL, 0x1209, PCI_ANY_ID, PCI_ANY_ID, },
13966 -- { PCI_VENDOR_ID_INTEL, 0x1029, PCI_ANY_ID, PCI_ANY_ID, },
13967 -- { PCI_VENDOR_ID_INTEL, 0x1030, PCI_ANY_ID, PCI_ANY_ID, },
13968 -- { PCI_VENDOR_ID_INTEL, 0x1031, PCI_ANY_ID, PCI_ANY_ID, },
13969 -- { PCI_VENDOR_ID_INTEL, 0x1032, PCI_ANY_ID, PCI_ANY_ID, },
13970 -- { PCI_VENDOR_ID_INTEL, 0x1033, PCI_ANY_ID, PCI_ANY_ID, },
13971 -- { PCI_VENDOR_ID_INTEL, 0x1034, PCI_ANY_ID, PCI_ANY_ID, },
13972 -- { PCI_VENDOR_ID_INTEL, 0x1035, PCI_ANY_ID, PCI_ANY_ID, },
13973 -- { PCI_VENDOR_ID_INTEL, 0x1036, PCI_ANY_ID, PCI_ANY_ID, },
13974 -- { PCI_VENDOR_ID_INTEL, 0x1037, PCI_ANY_ID, PCI_ANY_ID, },
13975 -- { PCI_VENDOR_ID_INTEL, 0x1038, PCI_ANY_ID, PCI_ANY_ID, },
13976 -- { PCI_VENDOR_ID_INTEL, 0x1039, PCI_ANY_ID, PCI_ANY_ID, },
13977 -- { PCI_VENDOR_ID_INTEL, 0x103A, PCI_ANY_ID, PCI_ANY_ID, },
13978 -- { PCI_VENDOR_ID_INTEL, 0x103B, PCI_ANY_ID, PCI_ANY_ID, },
13979 -- { PCI_VENDOR_ID_INTEL, 0x103C, PCI_ANY_ID, PCI_ANY_ID, },
13980 -- { PCI_VENDOR_ID_INTEL, 0x103D, PCI_ANY_ID, PCI_ANY_ID, },
13981 -- { PCI_VENDOR_ID_INTEL, 0x103E, PCI_ANY_ID, PCI_ANY_ID, },
13982 -- { PCI_VENDOR_ID_INTEL, 0x1050, PCI_ANY_ID, PCI_ANY_ID, },
13983 -- { PCI_VENDOR_ID_INTEL, 0x1059, PCI_ANY_ID, PCI_ANY_ID, },
13984 -- { PCI_VENDOR_ID_INTEL, 0x1227, PCI_ANY_ID, PCI_ANY_ID, },
13985 -- { PCI_VENDOR_ID_INTEL, 0x2449, PCI_ANY_ID, PCI_ANY_ID, },
13986 -- { PCI_VENDOR_ID_INTEL, 0x2459, PCI_ANY_ID, PCI_ANY_ID, },
13987 -- { PCI_VENDOR_ID_INTEL, 0x245D, PCI_ANY_ID, PCI_ANY_ID, },
13988 -- { PCI_VENDOR_ID_INTEL, 0x5200, PCI_ANY_ID, PCI_ANY_ID, },
13989 -- { PCI_VENDOR_ID_INTEL, 0x5201, PCI_ANY_ID, PCI_ANY_ID, },
13990 -- { 0,}
13991 -+ { PCI_VENDOR_ID_INTEL, 0x1229, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
13992 -+ { PCI_VENDOR_ID_INTEL, 0x1209, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
13993 -+ { PCI_VENDOR_ID_INTEL, 0x1029, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
13994 -+ { PCI_VENDOR_ID_INTEL, 0x1030, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
13995 -+ { PCI_VENDOR_ID_INTEL, 0x1031, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
13996 -+ { PCI_VENDOR_ID_INTEL, 0x1032, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
13997 -+ { PCI_VENDOR_ID_INTEL, 0x1033, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
13998 -+ { PCI_VENDOR_ID_INTEL, 0x1034, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
13999 -+ { PCI_VENDOR_ID_INTEL, 0x1035, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
14000 -+ { PCI_VENDOR_ID_INTEL, 0x1036, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
14001 -+ { PCI_VENDOR_ID_INTEL, 0x1037, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
14002 -+ { PCI_VENDOR_ID_INTEL, 0x1038, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
14003 -+ { PCI_VENDOR_ID_INTEL, 0x1039, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
14004 -+ { PCI_VENDOR_ID_INTEL, 0x103A, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
14005 -+ { PCI_VENDOR_ID_INTEL, 0x103B, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
14006 -+ { PCI_VENDOR_ID_INTEL, 0x103C, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
14007 -+ { PCI_VENDOR_ID_INTEL, 0x103D, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
14008 -+ { PCI_VENDOR_ID_INTEL, 0x103E, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
14009 -+ { PCI_VENDOR_ID_INTEL, 0x1050, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
14010 -+ { PCI_VENDOR_ID_INTEL, 0x1059, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
14011 -+ { PCI_VENDOR_ID_INTEL, 0x1227, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
14012 -+ { PCI_VENDOR_ID_INTEL, 0x2449, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
14013 -+ { PCI_VENDOR_ID_INTEL, 0x2459, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
14014 -+ { PCI_VENDOR_ID_INTEL, 0x245D, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
14015 -+ { PCI_VENDOR_ID_INTEL, 0x5200, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
14016 -+ { PCI_VENDOR_ID_INTEL, 0x5201, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
14017 -+ { 0, 0, 0, 0, 0, 0, 0 }
14018 - };
14019 - MODULE_DEVICE_TABLE(pci, eepro100_pci_tbl);
14020 -
14021 -diff -urNp linux-2.6.24.4/drivers/net/irda/vlsi_ir.c linux-2.6.24.4/drivers/net/irda/vlsi_ir.c
14022 ---- linux-2.6.24.4/drivers/net/irda/vlsi_ir.c 2008-03-24 14:49:18.000000000 -0400
14023 -+++ linux-2.6.24.4/drivers/net/irda/vlsi_ir.c 2008-03-26 17:56:56.000000000 -0400
14024 -@@ -906,13 +906,12 @@ static int vlsi_hard_start_xmit(struct s
14025 - /* no race - tx-ring already empty */
14026 - vlsi_set_baud(idev, iobase);
14027 - netif_wake_queue(ndev);
14028 -- }
14029 -- else
14030 -- ;
14031 -+ } else {
14032 - /* keep the speed change pending like it would
14033 - * for any len>0 packet. tx completion interrupt
14034 - * will apply it when the tx ring becomes empty.
14035 - */
14036 -+ }
14037 - spin_unlock_irqrestore(&idev->lock, flags);
14038 - dev_kfree_skb_any(skb);
14039 - return 0;
14040 -diff -urNp linux-2.6.24.4/drivers/net/pcnet32.c linux-2.6.24.4/drivers/net/pcnet32.c
14041 ---- linux-2.6.24.4/drivers/net/pcnet32.c 2008-03-24 14:49:18.000000000 -0400
14042 -+++ linux-2.6.24.4/drivers/net/pcnet32.c 2008-03-26 17:56:56.000000000 -0400
14043 -@@ -82,7 +82,7 @@ static int cards_found;
14044 - /*
14045 - * VLB I/O addresses
14046 - */
14047 --static unsigned int pcnet32_portlist[] __initdata =
14048 -+static unsigned int pcnet32_portlist[] __devinitdata =
14049 - { 0x300, 0x320, 0x340, 0x360, 0 };
14050 -
14051 - static int pcnet32_debug = 0;
14052 -diff -urNp linux-2.6.24.4/drivers/net/tg3.h linux-2.6.24.4/drivers/net/tg3.h
14053 ---- linux-2.6.24.4/drivers/net/tg3.h 2008-03-24 14:49:18.000000000 -0400
14054 -+++ linux-2.6.24.4/drivers/net/tg3.h 2008-03-26 17:56:56.000000000 -0400
14055 -@@ -102,6 +102,7 @@
14056 - #define CHIPREV_ID_5750_A0 0x4000
14057 - #define CHIPREV_ID_5750_A1 0x4001
14058 - #define CHIPREV_ID_5750_A3 0x4003
14059 -+#define CHIPREV_ID_5750_C1 0x4201
14060 - #define CHIPREV_ID_5750_C2 0x4202
14061 - #define CHIPREV_ID_5752_A0_HW 0x5000
14062 - #define CHIPREV_ID_5752_A0 0x6000
14063 -diff -urNp linux-2.6.24.4/drivers/pci/hotplug/cpqphp_nvram.c linux-2.6.24.4/drivers/pci/hotplug/cpqphp_nvram.c
14064 ---- linux-2.6.24.4/drivers/pci/hotplug/cpqphp_nvram.c 2008-03-24 14:49:18.000000000 -0400
14065 -+++ linux-2.6.24.4/drivers/pci/hotplug/cpqphp_nvram.c 2008-03-26 17:56:56.000000000 -0400
14066 -@@ -425,9 +425,13 @@ static u32 store_HRT (void __iomem *rom_
14067 -
14068 - void compaq_nvram_init (void __iomem *rom_start)
14069 - {
14070 -+
14071 -+#ifndef CONFIG_PAX_KERNEXEC
14072 - if (rom_start) {
14073 - compaq_int15_entry_point = (rom_start + ROM_INT15_PHY_ADDR - ROM_PHY_ADDR);
14074 - }
14075 -+#endif
14076 -+
14077 - dbg("int15 entry = %p\n", compaq_int15_entry_point);
14078 -
14079 - /* initialize our int15 lock */
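Review bot: under `CONFIG_PAX_KERNEXEC` the assignment to `compaq_int15_entry_point` is compiled out, so it keeps its initial value and `dbg("int15 entry = %p\n", compaq_int15_entry_point);` will report that value; the callers of the entry point are not in this hunk, so confirm they treat an unset entry point as "call unavailable" rather than dereferencing it. A comment at the `#ifndef` stating that the int15 entry point is deliberately left unset under KERNEXEC would make the intent clear to the next reader.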
14080 -diff -urNp linux-2.6.24.4/drivers/pci/pcie/aer/aerdrv.c linux-2.6.24.4/drivers/pci/pcie/aer/aerdrv.c
14081 ---- linux-2.6.24.4/drivers/pci/pcie/aer/aerdrv.c 2008-03-24 14:49:18.000000000 -0400
14082 -+++ linux-2.6.24.4/drivers/pci/pcie/aer/aerdrv.c 2008-03-26 17:56:56.000000000 -0400
14083 -@@ -58,7 +58,7 @@ static struct pcie_port_service_id aer_i
14084 - .port_type = PCIE_RC_PORT,
14085 - .service_type = PCIE_PORT_SERVICE_AER,
14086 - },
14087 -- { /* end: all zeroes */ }
14088 -+ { 0, 0, 0, 0, 0, 0, 0, 0, 0 }
14089 - };
14090 -
14091 - static struct pci_error_handlers aer_error_handlers = {
14092 -diff -urNp linux-2.6.24.4/drivers/pci/pcie/aer/aerdrv_core.c linux-2.6.24.4/drivers/pci/pcie/aer/aerdrv_core.c
14093 ---- linux-2.6.24.4/drivers/pci/pcie/aer/aerdrv_core.c 2008-03-24 14:49:18.000000000 -0400
14094 -+++ linux-2.6.24.4/drivers/pci/pcie/aer/aerdrv_core.c 2008-03-26 17:56:56.000000000 -0400
14095 -@@ -661,7 +661,7 @@ static void aer_isr_one_error(struct pci
14096 - struct aer_err_source *e_src)
14097 - {
14098 - struct device *s_device;
14099 -- struct aer_err_info e_info = {0, 0, 0,};
14100 -+ struct aer_err_info e_info = {0, 0, 0, {0, 0, 0, 0}};
14101 - int i;
14102 - u16 id;
14103 -
14104 -diff -urNp linux-2.6.24.4/drivers/pci/pcie/portdrv_pci.c linux-2.6.24.4/drivers/pci/pcie/portdrv_pci.c
14105 ---- linux-2.6.24.4/drivers/pci/pcie/portdrv_pci.c 2008-03-24 14:49:18.000000000 -0400
14106 -+++ linux-2.6.24.4/drivers/pci/pcie/portdrv_pci.c 2008-03-26 17:56:56.000000000 -0400
14107 -@@ -265,7 +265,7 @@ static void pcie_portdrv_err_resume(stru
14108 - static const struct pci_device_id port_pci_ids[] = { {
14109 - /* handle any PCI-Express port */
14110 - PCI_DEVICE_CLASS(((PCI_CLASS_BRIDGE_PCI << 8) | 0x00), ~0),
14111 -- }, { /* end: all zeroes */ }
14112 -+ }, { 0, 0, 0, 0, 0, 0, 0 }
14113 - };
14114 - MODULE_DEVICE_TABLE(pci, port_pci_ids);
14115 -
14116 -diff -urNp linux-2.6.24.4/drivers/pci/proc.c linux-2.6.24.4/drivers/pci/proc.c
14117 ---- linux-2.6.24.4/drivers/pci/proc.c 2008-03-24 14:49:18.000000000 -0400
14118 -+++ linux-2.6.24.4/drivers/pci/proc.c 2008-03-26 17:56:56.000000000 -0400
14119 -@@ -467,7 +467,15 @@ static int __init pci_proc_init(void)
14120 - {
14121 - struct proc_dir_entry *entry;
14122 - struct pci_dev *dev = NULL;
14123 -+#ifdef CONFIG_GRKERNSEC_PROC_ADD
14124 -+#ifdef CONFIG_GRKERNSEC_PROC_USER
14125 -+ proc_bus_pci_dir = proc_mkdir_mode("pci", S_IRUSR | S_IXUSR, proc_bus);
14126 -+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
14127 -+ proc_bus_pci_dir = proc_mkdir_mode("pci", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, proc_bus);
14128 -+#endif
14129 -+#else
14130 - proc_bus_pci_dir = proc_mkdir("pci", proc_bus);
14131 -+#endif
14132 - entry = create_proc_entry("devices", 0, proc_bus_pci_dir);
14133 - if (entry)
14134 - entry->proc_fops = &proc_bus_pci_dev_operations;
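Review bot: inside `#ifdef CONFIG_GRKERNSEC_PROC_ADD` the inner `#ifdef CONFIG_GRKERNSEC_PROC_USER` / `#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)` block has no `#else`, so if PROC_ADD is set without either sub-option `proc_bus_pci_dir` is never assigned and `create_proc_entry("devices", 0, proc_bus_pci_dir)` runs with whatever it held before. Unless Kconfig forces one of the two to be selected together with PROC_ADD, add an `#else` that falls back to `proc_mkdir("pci", proc_bus)`, or an `#error`, so the restriction cannot silently degrade.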
14135 -diff -urNp linux-2.6.24.4/drivers/pcmcia/ti113x.h linux-2.6.24.4/drivers/pcmcia/ti113x.h
14136 ---- linux-2.6.24.4/drivers/pcmcia/ti113x.h 2008-03-24 14:49:18.000000000 -0400
14137 -+++ linux-2.6.24.4/drivers/pcmcia/ti113x.h 2008-03-26 17:56:56.000000000 -0400
14138 -@@ -897,7 +897,7 @@ static struct pci_device_id ene_tune_tbl
14139 - DEVID(PCI_VENDOR_ID_MOTOROLA, 0x3410, 0xECC0, PCI_ANY_ID,
14140 - ENE_TEST_C9_TLTENABLE | ENE_TEST_C9_PFENABLE, ENE_TEST_C9_TLTENABLE),
14141 -
14142 -- {}
14143 -+ { 0, 0, 0, 0, 0, 0, 0 }
14144 - };
14145 -
14146 - static void ene_tune_bridge(struct pcmcia_socket *sock, struct pci_bus *bus)
14147 -diff -urNp linux-2.6.24.4/drivers/pcmcia/yenta_socket.c linux-2.6.24.4/drivers/pcmcia/yenta_socket.c
14148 ---- linux-2.6.24.4/drivers/pcmcia/yenta_socket.c 2008-03-24 14:49:18.000000000 -0400
14149 -+++ linux-2.6.24.4/drivers/pcmcia/yenta_socket.c 2008-03-26 17:56:56.000000000 -0400
14150 -@@ -1358,7 +1358,7 @@ static struct pci_device_id yenta_table
14151 -
14152 - /* match any cardbus bridge */
14153 - CB_ID(PCI_ANY_ID, PCI_ANY_ID, DEFAULT),
14154 -- { /* all zeroes */ }
14155 -+ { 0, 0, 0, 0, 0, 0, 0 }
14156 - };
14157 - MODULE_DEVICE_TABLE(pci, yenta_table);
14158 -
14159 -diff -urNp linux-2.6.24.4/drivers/pnp/pnpbios/bioscalls.c linux-2.6.24.4/drivers/pnp/pnpbios/bioscalls.c
14160 ---- linux-2.6.24.4/drivers/pnp/pnpbios/bioscalls.c 2008-03-24 14:49:18.000000000 -0400
14161 -+++ linux-2.6.24.4/drivers/pnp/pnpbios/bioscalls.c 2008-03-26 17:56:56.000000000 -0400
14162 -@@ -61,7 +61,7 @@ set_base(gdt[(selname) >> 3], (u32)(addr
14163 - set_limit(gdt[(selname) >> 3], size); \
14164 - } while(0)
14165 -
14166 --static struct desc_struct bad_bios_desc = { 0, 0x00409200 };
14167 -+static struct desc_struct bad_bios_desc __read_only = { 0, 0x00409300 };
14168 -
14169 - /*
14170 - * At some point we want to use this stack frame pointer to unwind
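Review bot: the change of the descriptor access byte from 0x92 to 0x93 is unexplained and needs a comment. The low bit of the type field is the Accessed bit; once the GDT is read-only under KERNEXEC, the CPU would otherwise try to set that bit the first time the segment is loaded and fault on the write, so it has to be pre-set. Without the comment the next person to touch this line will "fix" it back to the upstream value. Marking bad_bios_desc __read_only is the right companion change, but note that set_base()/_set_limit() in pnpbios_calls_init still write into this object at runtime, so those stores must happen inside a pax_open_kernel window.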
14171 -@@ -88,6 +88,10 @@ static inline u16 call_pnp_bios(u16 func
14172 - struct desc_struct save_desc_40;
14173 - int cpu;
14174 -
14175 -+#ifdef CONFIG_PAX_KERNEXEC
14176 -+ unsigned long cr0;
14177 -+#endif
14178 -+
14179 - /*
14180 - * PnP BIOSes are generally not terribly re-entrant.
14181 - * Also, don't rely on them to save everything correctly.
14182 -@@ -97,8 +101,17 @@ static inline u16 call_pnp_bios(u16 func
14183 -
14184 - cpu = get_cpu();
14185 - save_desc_40 = get_cpu_gdt_table(cpu)[0x40 / 8];
14186 -+
14187 -+#ifdef CONFIG_PAX_KERNEXEC
14188 -+ pax_open_kernel(cr0);
14189 -+#endif
14190 -+
14191 - get_cpu_gdt_table(cpu)[0x40 / 8] = bad_bios_desc;
14192 -
14193 -+#ifdef CONFIG_PAX_KERNEXEC
14194 -+ pax_close_kernel(cr0);
14195 -+#endif
14196 -+
14197 - /* On some boxes IRQ's during PnP BIOS calls are deadly. */
14198 - spin_lock_irqsave(&pnp_bios_lock, flags);
14199 -
14200 -@@ -135,7 +148,16 @@ static inline u16 call_pnp_bios(u16 func
14201 - :"memory");
14202 - spin_unlock_irqrestore(&pnp_bios_lock, flags);
14203 -
14204 -+#ifdef CONFIG_PAX_KERNEXEC
14205 -+ pax_open_kernel(cr0);
14206 -+#endif
14207 -+
14208 - get_cpu_gdt_table(cpu)[0x40 / 8] = save_desc_40;
14209 -+
14210 -+#ifdef CONFIG_PAX_KERNEXEC
14211 -+ pax_close_kernel(cr0);
14212 -+#endif
14213 -+
14214 - put_cpu();
14215 -
14216 - /* If we get here and this is set then the PnP BIOS faulted on us. */
14217 -@@ -469,16 +491,25 @@ int pnp_bios_read_escd(char *data, u32 n
14218 - return status;
14219 - }
14220 -
14221 --void pnpbios_calls_init(union pnp_bios_install_struct *header)
14222 -+void __init pnpbios_calls_init(union pnp_bios_install_struct *header)
14223 - {
14224 - int i;
14225 -
14226 -+#ifdef CONFIG_PAX_KERNEXEC
14227 -+ unsigned long cr0;
14228 -+#endif
14229 -+
14230 - spin_lock_init(&pnp_bios_lock);
14231 - pnp_bios_callpoint.offset = header->fields.pm16offset;
14232 - pnp_bios_callpoint.segment = PNP_CS16;
14233 -
14234 - set_base(bad_bios_desc, __va((unsigned long)0x40 << 4));
14235 - _set_limit((char *)&bad_bios_desc, 4095 - (0x40 << 4));
14236 -+
14237 -+#ifdef CONFIG_PAX_KERNEXEC
14238 -+ pax_open_kernel(cr0);
14239 -+#endif
14240 -+
14241 - for (i = 0; i < NR_CPUS; i++) {
14242 - struct desc_struct *gdt = get_cpu_gdt_table(i);
14243 - if (!gdt)
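Review bot: set_base(bad_bios_desc, ...) and _set_limit((char *)&bad_bios_desc, ...) in this hunk write into bad_bios_desc, which the earlier hunk in this file marked __read_only, yet they run before the pax_open_kernel(cr0) issued a few lines later. Either move the open/close pair up so it covers those two statements, or set the base and limit statically in the descriptor's initializer so no runtime store is needed. If the read-only section is in fact still writable at this point of init, say so in a comment, because as written the placement looks like an oversight. Minor: the open window now spans the whole NR_CPUS loop including the `if (!gdt)` checks; acceptable on an __init path, but keep such windows as small as practical.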
14244 -@@ -489,4 +520,9 @@ void pnpbios_calls_init(union pnp_bios_i
14245 - set_base(gdt[GDT_ENTRY_PNPBIOS_DS],
14246 - __va(header->fields.pm16dseg));
14247 - }
14248 -+
14249 -+#ifdef CONFIG_PAX_KERNEXEC
14250 -+ pax_close_kernel(cr0);
14251 -+#endif
14252 -+
14253 - }
14254 -diff -urNp linux-2.6.24.4/drivers/pnp/quirks.c linux-2.6.24.4/drivers/pnp/quirks.c
14255 ---- linux-2.6.24.4/drivers/pnp/quirks.c 2008-03-24 14:49:18.000000000 -0400
14256 -+++ linux-2.6.24.4/drivers/pnp/quirks.c 2008-03-26 17:56:56.000000000 -0400
14257 -@@ -128,7 +128,7 @@ static struct pnp_fixup pnp_fixups[] = {
14258 - {"CTL0043", quirk_sb16audio_resources},
14259 - {"CTL0044", quirk_sb16audio_resources},
14260 - {"CTL0045", quirk_sb16audio_resources},
14261 -- {""}
14262 -+ {"", NULL}
14263 - };
14264 -
14265 - void pnp_fixup_device(struct pnp_dev *dev)
14266 -diff -urNp linux-2.6.24.4/drivers/pnp/resource.c linux-2.6.24.4/drivers/pnp/resource.c
14267 ---- linux-2.6.24.4/drivers/pnp/resource.c 2008-03-24 14:49:18.000000000 -0400
14268 -+++ linux-2.6.24.4/drivers/pnp/resource.c 2008-03-26 17:56:56.000000000 -0400
14269 -@@ -345,7 +345,7 @@ int pnp_check_irq(struct pnp_dev *dev, i
14270 - return 1;
14271 -
14272 - /* check if the resource is valid */
14273 -- if (*irq < 0 || *irq > 15)
14274 -+ if (*irq > 15)
14275 - return 0;
14276 -
14277 - /* check if the resource is reserved */
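Review bot: dropping `*irq < 0` is only a no-op if *irq has an unsigned type (it points into the resource's start field, which is unsigned), and the changelog should say this is a -Wtype-limits cleanup with no functional change. The remaining `*irq > 15` test is now the only bound left on the value, so it must stay exactly as is; if the pointed-to type ever becomes signed, the lower bound is silently lost. The same reasoning applies to the DMA hunk that follows.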
14278 -@@ -414,7 +414,7 @@ int pnp_check_dma(struct pnp_dev *dev, i
14279 - return 1;
14280 -
14281 - /* check if the resource is valid */
14282 -- if (*dma < 0 || *dma == 4 || *dma > 7)
14283 -+ if (*dma == 4 || *dma > 7)
14284 - return 0;
14285 -
14286 - /* check if the resource is reserved */
14287 -diff -urNp linux-2.6.24.4/drivers/scsi/scsi_logging.h linux-2.6.24.4/drivers/scsi/scsi_logging.h
14288 ---- linux-2.6.24.4/drivers/scsi/scsi_logging.h 2008-03-24 14:49:18.000000000 -0400
14289 -+++ linux-2.6.24.4/drivers/scsi/scsi_logging.h 2008-03-26 17:56:56.000000000 -0400
14290 -@@ -51,7 +51,7 @@ do { \
14291 - } while (0); \
14292 - } while (0)
14293 - #else
14294 --#define SCSI_CHECK_LOGGING(SHIFT, BITS, LEVEL, CMD)
14295 -+#define SCSI_CHECK_LOGGING(SHIFT, BITS, LEVEL, CMD) do {} while (0)
14296 - #endif /* CONFIG_SCSI_LOGGING */
14297 -
14298 - /*
14299 -diff -urNp linux-2.6.24.4/drivers/serial/8250_pci.c linux-2.6.24.4/drivers/serial/8250_pci.c
14300 ---- linux-2.6.24.4/drivers/serial/8250_pci.c 2008-03-24 14:49:18.000000000 -0400
14301 -+++ linux-2.6.24.4/drivers/serial/8250_pci.c 2008-03-26 17:56:56.000000000 -0400
14302 -@@ -2712,7 +2712,7 @@ static struct pci_device_id serial_pci_t
14303 - PCI_ANY_ID, PCI_ANY_ID,
14304 - PCI_CLASS_COMMUNICATION_MULTISERIAL << 8,
14305 - 0xffff00, pbn_default },
14306 -- { 0, }
14307 -+ { 0, 0, 0, 0, 0, 0, 0 }
14308 - };
14309 -
14310 - static struct pci_driver serial_pci_driver = {
14311 -diff -urNp linux-2.6.24.4/drivers/usb/class/cdc-acm.c linux-2.6.24.4/drivers/usb/class/cdc-acm.c
14312 ---- linux-2.6.24.4/drivers/usb/class/cdc-acm.c 2008-03-24 14:49:18.000000000 -0400
14313 -+++ linux-2.6.24.4/drivers/usb/class/cdc-acm.c 2008-03-26 17:56:56.000000000 -0400
14314 -@@ -1199,7 +1199,7 @@ static struct usb_device_id acm_ids[] =
14315 - USB_CDC_ACM_PROTO_AT_CDMA) },
14316 -
14317 - /* NOTE: COMM/ACM/0xff is likely MSFT RNDIS ... NOT a modem!! */
14318 -- { }
14319 -+ { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 }
14320 - };
14321 -
14322 - MODULE_DEVICE_TABLE (usb, acm_ids);
14323 -diff -urNp linux-2.6.24.4/drivers/usb/class/usblp.c linux-2.6.24.4/drivers/usb/class/usblp.c
14324 ---- linux-2.6.24.4/drivers/usb/class/usblp.c 2008-03-24 14:49:18.000000000 -0400
14325 -+++ linux-2.6.24.4/drivers/usb/class/usblp.c 2008-03-26 17:56:56.000000000 -0400
14326 -@@ -227,7 +227,7 @@ static const struct quirk_printer_struct
14327 - { 0x0409, 0xf1be, USBLP_QUIRK_BIDIR }, /* NEC Picty800 (HP OEM) */
14328 - { 0x0482, 0x0010, USBLP_QUIRK_BIDIR }, /* Kyocera Mita FS 820, by zut <kernel@×××.de> */
14329 - { 0x04b8, 0x0202, USBLP_QUIRK_BAD_CLASS }, /* Seiko Epson Receipt Printer M129C */
14330 -- { 0, 0 }
14331 -+ { 0, 0, 0 }
14332 - };
14333 -
14334 - static int usblp_wwait(struct usblp *usblp, int nonblock);
14335 -@@ -1401,7 +1401,7 @@ static struct usb_device_id usblp_ids []
14336 - { USB_INTERFACE_INFO(7, 1, 2) },
14337 - { USB_INTERFACE_INFO(7, 1, 3) },
14338 - { USB_DEVICE(0x04b8, 0x0202) }, /* Seiko Epson Receipt Printer M129C */
14339 -- { } /* Terminating entry */
14340 -+ { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 } /* Terminating entry */
14341 - };
14342 -
14343 - MODULE_DEVICE_TABLE (usb, usblp_ids);
14344 -diff -urNp linux-2.6.24.4/drivers/usb/core/hub.c linux-2.6.24.4/drivers/usb/core/hub.c
14345 ---- linux-2.6.24.4/drivers/usb/core/hub.c 2008-03-24 14:49:18.000000000 -0400
14346 -+++ linux-2.6.24.4/drivers/usb/core/hub.c 2008-03-26 17:56:56.000000000 -0400
14347 -@@ -2884,7 +2884,7 @@ static struct usb_device_id hub_id_table
14348 - .bDeviceClass = USB_CLASS_HUB},
14349 - { .match_flags = USB_DEVICE_ID_MATCH_INT_CLASS,
14350 - .bInterfaceClass = USB_CLASS_HUB},
14351 -- { } /* Terminating entry */
14352 -+ { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 } /* Terminating entry */
14353 - };
14354 -
14355 - MODULE_DEVICE_TABLE (usb, hub_id_table);
14356 -diff -urNp linux-2.6.24.4/drivers/usb/host/ehci-pci.c linux-2.6.24.4/drivers/usb/host/ehci-pci.c
14357 ---- linux-2.6.24.4/drivers/usb/host/ehci-pci.c 2008-03-24 14:49:18.000000000 -0400
14358 -+++ linux-2.6.24.4/drivers/usb/host/ehci-pci.c 2008-03-26 17:56:56.000000000 -0400
14359 -@@ -374,7 +374,7 @@ static const struct pci_device_id pci_id
14360 - PCI_DEVICE_CLASS(PCI_CLASS_SERIAL_USB_EHCI, ~0),
14361 - .driver_data = (unsigned long) &ehci_pci_hc_driver,
14362 - },
14363 -- { /* end: all zeroes */ }
14364 -+ { 0, 0, 0, 0, 0, 0, 0 }
14365 - };
14366 - MODULE_DEVICE_TABLE(pci, pci_ids);
14367 -
14368 -diff -urNp linux-2.6.24.4/drivers/usb/host/uhci-hcd.c linux-2.6.24.4/drivers/usb/host/uhci-hcd.c
14369 ---- linux-2.6.24.4/drivers/usb/host/uhci-hcd.c 2008-03-24 14:49:18.000000000 -0400
14370 -+++ linux-2.6.24.4/drivers/usb/host/uhci-hcd.c 2008-03-26 17:56:56.000000000 -0400
14371 -@@ -893,7 +893,7 @@ static const struct pci_device_id uhci_p
14372 - /* handle any USB UHCI controller */
14373 - PCI_DEVICE_CLASS(PCI_CLASS_SERIAL_USB_UHCI, ~0),
14374 - .driver_data = (unsigned long) &uhci_driver,
14375 -- }, { /* end: all zeroes */ }
14376 -+ }, { 0, 0, 0, 0, 0, 0, 0 }
14377 - };
14378 -
14379 - MODULE_DEVICE_TABLE(pci, uhci_pci_ids);
14380 -diff -urNp linux-2.6.24.4/drivers/usb/storage/debug.h linux-2.6.24.4/drivers/usb/storage/debug.h
14381 ---- linux-2.6.24.4/drivers/usb/storage/debug.h 2008-03-24 14:49:18.000000000 -0400
14382 -+++ linux-2.6.24.4/drivers/usb/storage/debug.h 2008-03-26 17:56:56.000000000 -0400
14383 -@@ -56,9 +56,9 @@ void usb_stor_show_sense( unsigned char
14384 - #define US_DEBUGPX(x...) printk( x )
14385 - #define US_DEBUG(x) x
14386 - #else
14387 --#define US_DEBUGP(x...)
14388 --#define US_DEBUGPX(x...)
14389 --#define US_DEBUG(x)
14390 -+#define US_DEBUGP(x...) do {} while (0)
14391 -+#define US_DEBUGPX(x...) do {} while (0)
14392 -+#define US_DEBUG(x) do {} while (0)
14393 - #endif
14394 -
14395 - #endif
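Review bot: turning the empty US_DEBUGP/US_DEBUGPX macros into `do {} while (0)` is correct for statement-context uses and removes the dangling-else hazard of an empty expansion, but US_DEBUG(x) is different: in the debug build it expands to `x` itself, which can legitimately appear in expression context (as an operand or initializer). Any caller using it that way will now fail to compile in the non-debug build. Grep the callers before merging, or leave US_DEBUG(x) empty and only convert the two printf-style macros.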
14396 -diff -urNp linux-2.6.24.4/drivers/usb/storage/usb.c linux-2.6.24.4/drivers/usb/storage/usb.c
14397 ---- linux-2.6.24.4/drivers/usb/storage/usb.c 2008-03-24 14:49:18.000000000 -0400
14398 -+++ linux-2.6.24.4/drivers/usb/storage/usb.c 2008-03-26 17:56:56.000000000 -0400
14399 -@@ -134,7 +134,7 @@ static struct usb_device_id storage_usb_
14400 - #undef UNUSUAL_DEV
14401 - #undef USUAL_DEV
14402 - /* Terminating entry */
14403 -- { }
14404 -+ { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 }
14405 - };
14406 -
14407 - MODULE_DEVICE_TABLE (usb, storage_usb_ids);
14408 -@@ -174,7 +174,7 @@ static struct us_unusual_dev us_unusual_
14409 - # undef USUAL_DEV
14410 -
14411 - /* Terminating entry */
14412 -- { NULL }
14413 -+ { NULL, NULL, 0, 0, NULL }
14414 - };
14415 -
14416 -
14417 -diff -urNp linux-2.6.24.4/drivers/video/fbcmap.c linux-2.6.24.4/drivers/video/fbcmap.c
14418 ---- linux-2.6.24.4/drivers/video/fbcmap.c 2008-03-24 14:49:18.000000000 -0400
14419 -+++ linux-2.6.24.4/drivers/video/fbcmap.c 2008-03-26 17:56:56.000000000 -0400
14420 -@@ -250,8 +250,7 @@ int fb_set_user_cmap(struct fb_cmap_user
14421 - int rc, size = cmap->len * sizeof(u16);
14422 - struct fb_cmap umap;
14423 -
14424 -- if (cmap->start < 0 || (!info->fbops->fb_setcolreg &&
14425 -- !info->fbops->fb_setcmap))
14426 -+ if (!info->fbops->fb_setcolreg && !info->fbops->fb_setcmap)
14427 - return -EINVAL;
14428 -
14429 - memset(&umap, 0, sizeof(struct fb_cmap));
14430 -diff -urNp linux-2.6.24.4/drivers/video/fbmem.c linux-2.6.24.4/drivers/video/fbmem.c
14431 ---- linux-2.6.24.4/drivers/video/fbmem.c 2008-03-24 14:49:18.000000000 -0400
14432 -+++ linux-2.6.24.4/drivers/video/fbmem.c 2008-03-26 17:56:56.000000000 -0400
14433 -@@ -394,7 +394,7 @@ static void fb_do_show_logo(struct fb_in
14434 - image->dx += image->width + 8;
14435 - }
14436 - } else if (rotate == FB_ROTATE_UD) {
14437 -- for (x = 0; x < num && image->dx >= 0; x++) {
14438 -+ for (x = 0; x < num && (__s32)image->dx >= 0; x++) {
14439 - info->fbops->fb_imageblit(info, image);
14440 - image->dx -= image->width + 8;
14441 - }
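Review bot: the `(__s32)image->dx >= 0` cast needs a comment explaining what it is for. image->dx is unsigned, so the original comparison was always true (hence the compiler warning) and the loop was bounded by x < num alone; `image->dx -= image->width + 8` wraps when the logo runs off the edge, and reinterpreting the wrapped value as signed is what makes the test meaningful. That relies on width + 8 staying below 2^31 and on the implementation-defined unsigned-to-signed conversion. A pre-check such as `if (image->dx < image->width + 8) break;` before the subtraction would express the intent directly and avoid the wrap. The same applies to the dy loop in the next hunk.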
14442 -@@ -406,7 +406,7 @@ static void fb_do_show_logo(struct fb_in
14443 - image->dy += image->height + 8;
14444 - }
14445 - } else if (rotate == FB_ROTATE_CCW) {
14446 -- for (x = 0; x < num && image->dy >= 0; x++) {
14447 -+ for (x = 0; x < num && (__s32)image->dy >= 0; x++) {
14448 - info->fbops->fb_imageblit(info, image);
14449 - image->dy -= image->height + 8;
14450 - }
14451 -@@ -1057,9 +1057,9 @@ fb_ioctl(struct inode *inode, struct fil
14452 - case FBIOPUT_CON2FBMAP:
14453 - if (copy_from_user(&con2fb, argp, sizeof(con2fb)))
14454 - return - EFAULT;
14455 -- if (con2fb.console < 0 || con2fb.console > MAX_NR_CONSOLES)
14456 -+ if (con2fb.console > MAX_NR_CONSOLES)
14457 - return -EINVAL;
14458 -- if (con2fb.framebuffer < 0 || con2fb.framebuffer >= FB_MAX)
14459 -+ if (con2fb.framebuffer >= FB_MAX)
14460 - return -EINVAL;
14461 - #ifdef CONFIG_KMOD
14462 - if (!registered_fb[con2fb.framebuffer])
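Review bot: con2fb.console and con2fb.framebuffer are __u32 fields of the user-visible struct fb_con2fbmap, so the removed `< 0` comparisons were dead code and this hunk changes nothing at runtime; the changelog should say so. What matters for safety is that `con2fb.framebuffer >= FB_MAX` stays, because it is the only bound on the index into registered_fb[] used on the very next line; a negative value from userspace now shows up as a large unsigned number and is rejected by that check exactly as before.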
14463 -diff -urNp linux-2.6.24.4/drivers/video/fbmon.c linux-2.6.24.4/drivers/video/fbmon.c
14464 ---- linux-2.6.24.4/drivers/video/fbmon.c 2008-03-24 14:49:18.000000000 -0400
14465 -+++ linux-2.6.24.4/drivers/video/fbmon.c 2008-03-26 17:56:56.000000000 -0400
14466 -@@ -45,7 +45,7 @@
14467 - #ifdef DEBUG
14468 - #define DPRINTK(fmt, args...) printk(fmt,## args)
14469 - #else
14470 --#define DPRINTK(fmt, args...)
14471 -+#define DPRINTK(fmt, args...) do {} while (0)
14472 - #endif
14473 -
14474 - #define FBMON_FIX_HEADER 1
14475 -diff -urNp linux-2.6.24.4/drivers/video/i810/i810_accel.c linux-2.6.24.4/drivers/video/i810/i810_accel.c
14476 ---- linux-2.6.24.4/drivers/video/i810/i810_accel.c 2008-03-24 14:49:18.000000000 -0400
14477 -+++ linux-2.6.24.4/drivers/video/i810/i810_accel.c 2008-03-26 17:56:56.000000000 -0400
14478 -@@ -73,6 +73,7 @@ static inline int wait_for_space(struct
14479 - }
14480 - }
14481 - printk("ringbuffer lockup!!!\n");
14482 -+ printk("head:%u tail:%u iring.size:%u space:%u\n", head, tail, par->iring.size, space);
14483 - i810_report_error(mmio);
14484 - par->dev_flags |= LOCKUP;
14485 - info->pixmap.scan_align = 1;
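Review bot: the added printk is a debugging aid unrelated to hardening and belongs in a separate patch. It also copies the preceding line's omission of a log level; the lockup report should carry KERN_ERR (or KERN_WARNING) so it is not logged at the default level. Check that the four %u conversions match the declared types of head, tail, par->iring.size and space in this function.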
14486 -diff -urNp linux-2.6.24.4/drivers/video/i810/i810_main.c linux-2.6.24.4/drivers/video/i810/i810_main.c
14487 ---- linux-2.6.24.4/drivers/video/i810/i810_main.c 2008-03-24 14:49:18.000000000 -0400
14488 -+++ linux-2.6.24.4/drivers/video/i810/i810_main.c 2008-03-26 17:56:56.000000000 -0400
14489 -@@ -120,7 +120,7 @@ static struct pci_device_id i810fb_pci_t
14490 - PCI_ANY_ID, PCI_ANY_ID, 0, 0, 4 },
14491 - { PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_82815_CGC,
14492 - PCI_ANY_ID, PCI_ANY_ID, 0, 0, 5 },
14493 -- { 0 },
14494 -+ { 0, 0, 0, 0, 0, 0, 0 },
14495 - };
14496 -
14497 - static struct pci_driver i810fb_driver = {
14498 -@@ -1509,7 +1509,7 @@ static int i810fb_cursor(struct fb_info
14499 - int size = ((cursor->image.width + 7) >> 3) *
14500 - cursor->image.height;
14501 - int i;
14502 -- u8 *data = kmalloc(64 * 8, GFP_ATOMIC);
14503 -+ u8 *data = kmalloc(64 * 8, GFP_KERNEL);
14504 -
14505 - if (data == NULL)
14506 - return -ENOMEM;
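Review bot: changing kmalloc(64 * 8, GFP_ATOMIC) to GFP_KERNEL assumes i810fb_cursor is never called with interrupts disabled or a spinlock held. fbcon's cursor callback can be reached from the console printk path (vt_console_print hides the cursor before writing), which runs in whatever context the printk happened in, so the GFP_ATOMIC upstream looks deliberate and GFP_KERNEL risks a sleep-in-atomic warning or deadlock under load. Either drop this hunk or document why the cursor path is guaranteed to be process context in this tree.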
14507 -diff -urNp linux-2.6.24.4/drivers/video/modedb.c linux-2.6.24.4/drivers/video/modedb.c
14508 ---- linux-2.6.24.4/drivers/video/modedb.c 2008-03-24 14:49:18.000000000 -0400
14509 -+++ linux-2.6.24.4/drivers/video/modedb.c 2008-03-26 17:56:56.000000000 -0400
14510 -@@ -37,232 +37,232 @@ static const struct fb_videomode modedb[
14511 - {
14512 - /* 640x400 @ 70 Hz, 31.5 kHz hsync */
14513 - NULL, 70, 640, 400, 39721, 40, 24, 39, 9, 96, 2,
14514 -- 0, FB_VMODE_NONINTERLACED
14515 -+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
14516 - }, {
14517 - /* 640x480 @ 60 Hz, 31.5 kHz hsync */
14518 - NULL, 60, 640, 480, 39721, 40, 24, 32, 11, 96, 2,
14519 -- 0, FB_VMODE_NONINTERLACED
14520 -+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
14521 - }, {
14522 - /* 800x600 @ 56 Hz, 35.15 kHz hsync */
14523 - NULL, 56, 800, 600, 27777, 128, 24, 22, 1, 72, 2,
14524 -- 0, FB_VMODE_NONINTERLACED
14525 -+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
14526 - }, {
14527 - /* 1024x768 @ 87 Hz interlaced, 35.5 kHz hsync */
14528 - NULL, 87, 1024, 768, 22271, 56, 24, 33, 8, 160, 8,
14529 -- 0, FB_VMODE_INTERLACED
14530 -+ 0, FB_VMODE_INTERLACED, FB_MODE_IS_UNKNOWN
14531 - }, {
14532 - /* 640x400 @ 85 Hz, 37.86 kHz hsync */
14533 - NULL, 85, 640, 400, 31746, 96, 32, 41, 1, 64, 3,
14534 -- FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
14535 -+ FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
14536 - }, {
14537 - /* 640x480 @ 72 Hz, 36.5 kHz hsync */
14538 - NULL, 72, 640, 480, 31746, 144, 40, 30, 8, 40, 3,
14539 -- 0, FB_VMODE_NONINTERLACED
14540 -+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
14541 - }, {
14542 - /* 640x480 @ 75 Hz, 37.50 kHz hsync */
14543 - NULL, 75, 640, 480, 31746, 120, 16, 16, 1, 64, 3,
14544 -- 0, FB_VMODE_NONINTERLACED
14545 -+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
14546 - }, {
14547 - /* 800x600 @ 60 Hz, 37.8 kHz hsync */
14548 - NULL, 60, 800, 600, 25000, 88, 40, 23, 1, 128, 4,
14549 -- FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
14550 -+ FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
14551 - }, {
14552 - /* 640x480 @ 85 Hz, 43.27 kHz hsync */
14553 - NULL, 85, 640, 480, 27777, 80, 56, 25, 1, 56, 3,
14554 -- 0, FB_VMODE_NONINTERLACED
14555 -+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
14556 - }, {
14557 - /* 1152x864 @ 89 Hz interlaced, 44 kHz hsync */
14558 - NULL, 89, 1152, 864, 15384, 96, 16, 110, 1, 216, 10,
14559 -- 0, FB_VMODE_INTERLACED
14560 -+ 0, FB_VMODE_INTERLACED, FB_MODE_IS_UNKNOWN
14561 - }, {
14562 - /* 800x600 @ 72 Hz, 48.0 kHz hsync */
14563 - NULL, 72, 800, 600, 20000, 64, 56, 23, 37, 120, 6,
14564 -- FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
14565 -+ FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
14566 - }, {
14567 - /* 1024x768 @ 60 Hz, 48.4 kHz hsync */
14568 - NULL, 60, 1024, 768, 15384, 168, 8, 29, 3, 144, 6,
14569 -- 0, FB_VMODE_NONINTERLACED
14570 -+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
14571 - }, {
14572 - /* 640x480 @ 100 Hz, 53.01 kHz hsync */
14573 - NULL, 100, 640, 480, 21834, 96, 32, 36, 8, 96, 6,
14574 -- 0, FB_VMODE_NONINTERLACED
14575 -+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
14576 - }, {
14577 - /* 1152x864 @ 60 Hz, 53.5 kHz hsync */
14578 - NULL, 60, 1152, 864, 11123, 208, 64, 16, 4, 256, 8,
14579 -- 0, FB_VMODE_NONINTERLACED
14580 -+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
14581 - }, {
14582 - /* 800x600 @ 85 Hz, 55.84 kHz hsync */
14583 - NULL, 85, 800, 600, 16460, 160, 64, 36, 16, 64, 5,
14584 -- 0, FB_VMODE_NONINTERLACED
14585 -+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
14586 - }, {
14587 - /* 1024x768 @ 70 Hz, 56.5 kHz hsync */
14588 - NULL, 70, 1024, 768, 13333, 144, 24, 29, 3, 136, 6,
14589 -- 0, FB_VMODE_NONINTERLACED
14590 -+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
14591 - }, {
14592 - /* 1280x1024 @ 87 Hz interlaced, 51 kHz hsync */
14593 - NULL, 87, 1280, 1024, 12500, 56, 16, 128, 1, 216, 12,
14594 -- 0, FB_VMODE_INTERLACED
14595 -+ 0, FB_VMODE_INTERLACED, FB_MODE_IS_UNKNOWN
14596 - }, {
14597 - /* 800x600 @ 100 Hz, 64.02 kHz hsync */
14598 - NULL, 100, 800, 600, 14357, 160, 64, 30, 4, 64, 6,
14599 -- 0, FB_VMODE_NONINTERLACED
14600 -+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
14601 - }, {
14602 - /* 1024x768 @ 76 Hz, 62.5 kHz hsync */
14603 - NULL, 76, 1024, 768, 11764, 208, 8, 36, 16, 120, 3,
14604 -- 0, FB_VMODE_NONINTERLACED
14605 -+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
14606 - }, {
14607 - /* 1152x864 @ 70 Hz, 62.4 kHz hsync */
14608 - NULL, 70, 1152, 864, 10869, 106, 56, 20, 1, 160, 10,
14609 -- 0, FB_VMODE_NONINTERLACED
14610 -+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
14611 - }, {
14612 - /* 1280x1024 @ 61 Hz, 64.2 kHz hsync */
14613 - NULL, 61, 1280, 1024, 9090, 200, 48, 26, 1, 184, 3,
14614 -- 0, FB_VMODE_NONINTERLACED
14615 -+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
14616 - }, {
14617 - /* 1400x1050 @ 60Hz, 63.9 kHz hsync */
14618 - NULL, 60, 1400, 1050, 9259, 136, 40, 13, 1, 112, 3,
14619 -- 0, FB_VMODE_NONINTERLACED
14620 -+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
14621 - }, {
14622 - /* 1400x1050 @ 75,107 Hz, 82,392 kHz +hsync +vsync*/
14623 - NULL, 75, 1400, 1050, 7190, 120, 56, 23, 10, 112, 13,
14624 -- FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
14625 -+ FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
14626 - }, {
14627 - /* 1400x1050 @ 60 Hz, ? kHz +hsync +vsync*/
14628 - NULL, 60, 1400, 1050, 9259, 128, 40, 12, 0, 112, 3,
14629 -- FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
14630 -+ FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
14631 - }, {
14632 - /* 1024x768 @ 85 Hz, 70.24 kHz hsync */
14633 - NULL, 85, 1024, 768, 10111, 192, 32, 34, 14, 160, 6,
14634 -- 0, FB_VMODE_NONINTERLACED
14635 -+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
14636 - }, {
14637 - /* 1152x864 @ 78 Hz, 70.8 kHz hsync */
14638 - NULL, 78, 1152, 864, 9090, 228, 88, 32, 0, 84, 12,
14639 -- 0, FB_VMODE_NONINTERLACED
14640 -+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
14641 - }, {
14642 - /* 1280x1024 @ 70 Hz, 74.59 kHz hsync */
14643 - NULL, 70, 1280, 1024, 7905, 224, 32, 28, 8, 160, 8,
14644 -- 0, FB_VMODE_NONINTERLACED
14645 -+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
14646 - }, {
14647 - /* 1600x1200 @ 60Hz, 75.00 kHz hsync */
14648 - NULL, 60, 1600, 1200, 6172, 304, 64, 46, 1, 192, 3,
14649 -- FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
14650 -+ FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
14651 - }, {
14652 - /* 1152x864 @ 84 Hz, 76.0 kHz hsync */
14653 - NULL, 84, 1152, 864, 7407, 184, 312, 32, 0, 128, 12,
14654 -- 0, FB_VMODE_NONINTERLACED
14655 -+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
14656 - }, {
14657 - /* 1280x1024 @ 74 Hz, 78.85 kHz hsync */
14658 - NULL, 74, 1280, 1024, 7407, 256, 32, 34, 3, 144, 3,
14659 -- 0, FB_VMODE_NONINTERLACED
14660 -+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
14661 - }, {
14662 - /* 1024x768 @ 100Hz, 80.21 kHz hsync */
14663 - NULL, 100, 1024, 768, 8658, 192, 32, 21, 3, 192, 10,
14664 -- 0, FB_VMODE_NONINTERLACED
14665 -+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
14666 - }, {
14667 - /* 1280x1024 @ 76 Hz, 81.13 kHz hsync */
14668 - NULL, 76, 1280, 1024, 7407, 248, 32, 34, 3, 104, 3,
14669 -- 0, FB_VMODE_NONINTERLACED
14670 -+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
14671 - }, {
14672 - /* 1600x1200 @ 70 Hz, 87.50 kHz hsync */
14673 - NULL, 70, 1600, 1200, 5291, 304, 64, 46, 1, 192, 3,
14674 -- 0, FB_VMODE_NONINTERLACED
14675 -+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
14676 - }, {
14677 - /* 1152x864 @ 100 Hz, 89.62 kHz hsync */
14678 - NULL, 100, 1152, 864, 7264, 224, 32, 17, 2, 128, 19,
14679 -- 0, FB_VMODE_NONINTERLACED
14680 -+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
14681 - }, {
14682 - /* 1280x1024 @ 85 Hz, 91.15 kHz hsync */
14683 - NULL, 85, 1280, 1024, 6349, 224, 64, 44, 1, 160, 3,
14684 -- FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
14685 -+ FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
14686 - }, {
14687 - /* 1600x1200 @ 75 Hz, 93.75 kHz hsync */
14688 - NULL, 75, 1600, 1200, 4938, 304, 64, 46, 1, 192, 3,
14689 -- FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
14690 -+ FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
14691 - }, {
14692 - /* 1680x1050 @ 60 Hz, 65.191 kHz hsync */
14693 - NULL, 60, 1680, 1050, 6848, 280, 104, 30, 3, 176, 6,
14694 -- FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
14695 -+ FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
14696 - }, {
14697 - /* 1600x1200 @ 85 Hz, 105.77 kHz hsync */
14698 - NULL, 85, 1600, 1200, 4545, 272, 16, 37, 4, 192, 3,
14699 -- FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
14700 -+ FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
14701 - }, {
14702 - /* 1280x1024 @ 100 Hz, 107.16 kHz hsync */
14703 - NULL, 100, 1280, 1024, 5502, 256, 32, 26, 7, 128, 15,
14704 -- 0, FB_VMODE_NONINTERLACED
14705 -+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
14706 - }, {
14707 - /* 1800x1440 @ 64Hz, 96.15 kHz hsync */
14708 - NULL, 64, 1800, 1440, 4347, 304, 96, 46, 1, 192, 3,
14709 -- FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
14710 -+ FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
14711 - }, {
14712 - /* 1800x1440 @ 70Hz, 104.52 kHz hsync */
14713 - NULL, 70, 1800, 1440, 4000, 304, 96, 46, 1, 192, 3,
14714 -- FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
14715 -+ FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
14716 - }, {
14717 - /* 512x384 @ 78 Hz, 31.50 kHz hsync */
14718 - NULL, 78, 512, 384, 49603, 48, 16, 16, 1, 64, 3,
14719 -- 0, FB_VMODE_NONINTERLACED
14720 -+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
14721 - }, {
14722 - /* 512x384 @ 85 Hz, 34.38 kHz hsync */
14723 - NULL, 85, 512, 384, 45454, 48, 16, 16, 1, 64, 3,
14724 -- 0, FB_VMODE_NONINTERLACED
14725 -+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
14726 - }, {
14727 - /* 320x200 @ 70 Hz, 31.5 kHz hsync, 8:5 aspect ratio */
14728 - NULL, 70, 320, 200, 79440, 16, 16, 20, 4, 48, 1,
14729 -- 0, FB_VMODE_DOUBLE
14730 -+ 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
14731 - }, {
14732 - /* 320x240 @ 60 Hz, 31.5 kHz hsync, 4:3 aspect ratio */
14733 - NULL, 60, 320, 240, 79440, 16, 16, 16, 5, 48, 1,
14734 -- 0, FB_VMODE_DOUBLE
14735 -+ 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
14736 - }, {
14737 - /* 320x240 @ 72 Hz, 36.5 kHz hsync */
14738 - NULL, 72, 320, 240, 63492, 16, 16, 16, 4, 48, 2,
14739 -- 0, FB_VMODE_DOUBLE
14740 -+ 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
14741 - }, {
14742 - /* 400x300 @ 56 Hz, 35.2 kHz hsync, 4:3 aspect ratio */
14743 - NULL, 56, 400, 300, 55555, 64, 16, 10, 1, 32, 1,
14744 -- 0, FB_VMODE_DOUBLE
14745 -+ 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
14746 - }, {
14747 - /* 400x300 @ 60 Hz, 37.8 kHz hsync */
14748 - NULL, 60, 400, 300, 50000, 48, 16, 11, 1, 64, 2,
14749 -- 0, FB_VMODE_DOUBLE
14750 -+ 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
14751 - }, {
14752 - /* 400x300 @ 72 Hz, 48.0 kHz hsync */
14753 - NULL, 72, 400, 300, 40000, 32, 24, 11, 19, 64, 3,
14754 -- 0, FB_VMODE_DOUBLE
14755 -+ 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
14756 - }, {
14757 - /* 480x300 @ 56 Hz, 35.2 kHz hsync, 8:5 aspect ratio */
14758 - NULL, 56, 480, 300, 46176, 80, 16, 10, 1, 40, 1,
14759 -- 0, FB_VMODE_DOUBLE
14760 -+ 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
14761 - }, {
14762 - /* 480x300 @ 60 Hz, 37.8 kHz hsync */
14763 - NULL, 60, 480, 300, 41858, 56, 16, 11, 1, 80, 2,
14764 -- 0, FB_VMODE_DOUBLE
14765 -+ 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
14766 - }, {
14767 - /* 480x300 @ 63 Hz, 39.6 kHz hsync */
14768 - NULL, 63, 480, 300, 40000, 56, 16, 11, 1, 80, 2,
14769 -- 0, FB_VMODE_DOUBLE
14770 -+ 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
14771 - }, {
14772 - /* 480x300 @ 72 Hz, 48.0 kHz hsync */
14773 - NULL, 72, 480, 300, 33386, 40, 24, 11, 19, 80, 3,
14774 -- 0, FB_VMODE_DOUBLE
14775 -+ 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
14776 - }, {
14777 - /* 1920x1200 @ 60 Hz, 74.5 Khz hsync */
14778 - NULL, 60, 1920, 1200, 5177, 128, 336, 1, 38, 208, 3,
14779 - FB_SYNC_HOR_HIGH_ACT | FB_SYNC_VERT_HIGH_ACT,
14780 -- FB_VMODE_NONINTERLACED
14781 -+ FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
14782 - }, {
14783 - /* 1152x768, 60 Hz, PowerBook G4 Titanium I and II */
14784 - NULL, 60, 1152, 768, 14047, 158, 26, 29, 3, 136, 6,
14785 -- FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
14786 -+ FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
14787 - }, {
14788 - /* 1366x768, 60 Hz, 47.403 kHz hsync, WXGA 16:9 aspect ratio */
14789 - NULL, 60, 1366, 768, 13806, 120, 10, 14, 3, 32, 5,
14790 -- 0, FB_VMODE_NONINTERLACED
14791 -+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
14792 - }, {
14793 - /* 1280x800, 60 Hz, 47.403 kHz hsync, WXGA 16:10 aspect ratio */
14794 - NULL, 60, 1280, 800, 12048, 200, 64, 24, 1, 136, 3,
14795 -- 0, FB_VMODE_NONINTERLACED
14796 -+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
14797 - },
14798 - };
14799 -
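Review bot: adding FB_MODE_IS_UNKNOWN as an explicit trailing initializer to every modedb entry touches roughly sixty lines to change nothing: FB_MODE_IS_UNKNOWN is 0 and the omitted flag member was already zero-initialised, so this only silences -Wmissing-field-initializers. A hunk this size in a security patch set is pure merge-conflict surface against upstream's own edits to the table. If the warning must go, a small entry macro or designated initializers would do it without rewriting every row, and the cleanup should be carried separately from the grsecurity diff.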
14800 -diff -urNp linux-2.6.24.4/drivers/video/uvesafb.c linux-2.6.24.4/drivers/video/uvesafb.c
14801 ---- linux-2.6.24.4/drivers/video/uvesafb.c 2008-03-24 14:49:18.000000000 -0400
14802 -+++ linux-2.6.24.4/drivers/video/uvesafb.c 2008-03-26 17:56:56.000000000 -0400
14803 -@@ -117,7 +117,7 @@ static int uvesafb_helper_start(void)
14804 - NULL,
14805 - };
14806 -
14807 -- return call_usermodehelper(v86d_path, argv, envp, 1);
14808 -+ return call_usermodehelper(v86d_path, argv, envp, UMH_WAIT_PROC);
14809 - }
14810 -
14811 - /*
14812 -diff -urNp linux-2.6.24.4/drivers/video/vesafb.c linux-2.6.24.4/drivers/video/vesafb.c
14813 ---- linux-2.6.24.4/drivers/video/vesafb.c 2008-03-24 14:49:18.000000000 -0400
14814 -+++ linux-2.6.24.4/drivers/video/vesafb.c 2008-03-26 17:56:56.000000000 -0400
14815 -@@ -9,6 +9,7 @@
14816 - */
14817 -
14818 - #include <linux/module.h>
14819 -+#include <linux/moduleloader.h>
14820 - #include <linux/kernel.h>
14821 - #include <linux/errno.h>
14822 - #include <linux/string.h>
14823 -@@ -53,8 +54,8 @@ static int vram_remap __initdata; /*
14824 - static int vram_total __initdata; /* Set total amount of memory */
14825 - static int pmi_setpal __read_mostly = 1; /* pmi for palette changes ??? */
14826 - static int ypan __read_mostly; /* 0..nothing, 1..ypan, 2..ywrap */
14827 --static void (*pmi_start)(void) __read_mostly;
14828 --static void (*pmi_pal) (void) __read_mostly;
14829 -+static void (*pmi_start)(void) __read_only;
14830 -+static void (*pmi_pal) (void) __read_only;
14831 - static int depth __read_mostly;
14832 - static int vga_compat __read_mostly;
14833 - /* --------------------------------------------------------------------- */
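Review bot: moving pmi_start and pmi_pal from __read_mostly to __read_only is the substantive hardening in this file and deserves a line in the description: these are function pointers into BIOS-provided code that vesafb later calls indirectly, so placing them in the read-only data section means a kernel write primitive can no longer redirect those calls. The consequence is that every store to them (the assignments later in vesafb_probe) must sit inside a pax_open_kernel/pax_close_kernel pair, and the annotation should carry a short comment saying so, because a future assignment outside the window will fault at runtime rather than fail to build.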
14834 -@@ -224,6 +225,7 @@ static int __init vesafb_probe(struct pl
14835 - unsigned int size_vmode;
14836 - unsigned int size_remap;
14837 - unsigned int size_total;
14838 -+ void *pmi_code = NULL;
14839 -
14840 - if (screen_info.orig_video_isVGA != VIDEO_TYPE_VLFB)
14841 - return -ENODEV;
14842 -@@ -266,10 +268,6 @@ static int __init vesafb_probe(struct pl
14843 - size_remap = size_total;
14844 - vesafb_fix.smem_len = size_remap;
14845 -
14846 --#ifndef __i386__
14847 -- screen_info.vesapm_seg = 0;
14848 --#endif
14849 --
14850 - if (!request_mem_region(vesafb_fix.smem_start, size_total, "vesafb")) {
14851 - printk(KERN_WARNING
14852 - "vesafb: cannot reserve video memory at 0x%lx\n",
14853 -@@ -302,9 +300,21 @@ static int __init vesafb_probe(struct pl
14854 - printk(KERN_INFO "vesafb: mode is %dx%dx%d, linelength=%d, pages=%d\n",
14855 - vesafb_defined.xres, vesafb_defined.yres, vesafb_defined.bits_per_pixel, vesafb_fix.line_length, screen_info.pages);
14856 -
14857 -+#ifdef __i386__
14858 -+
14859 -+#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
14860 -+ pmi_code = module_alloc_exec(screen_info.vesapm_size);
14861 -+ if (!pmi_code)
14862 -+#elif !defined(CONFIG_PAX_KERNEXEC)
14863 -+ if (0)
14864 -+#endif
14865 -+
14866 -+#endif
14867 -+ screen_info.vesapm_seg = 0;
14868 -+
14869 - if (screen_info.vesapm_seg) {
14870 -- printk(KERN_INFO "vesafb: protected mode interface info at %04x:%04x\n",
14871 -- screen_info.vesapm_seg,screen_info.vesapm_off);
14872 -+ printk(KERN_INFO "vesafb: protected mode interface info at %04x:%04x %04x bytes\n",
14873 -+ screen_info.vesapm_seg,screen_info.vesapm_off,screen_info.vesapm_size);
14874 - }
14875 -
14876 - if (screen_info.vesapm_seg < 0xc000)
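Review bot: the `#if`/`#elif` ladder at the top of this hunk makes `screen_info.vesapm_seg = 0;` the body of a dangling `if` in two configurations (`if (!pmi_code)` with `CONFIG_MODULES && CONFIG_PAX_KERNEXEC`, `if (0)` without KERNEXEC) and an unconditional statement in two others (non-i386, where that is the intent of the removed `#ifndef __i386__` block, and i386 with KERNEXEC but without `CONFIG_MODULES`, where it silently disables PMI); spell that out with a comment or a small helper that returns whether an executable copy of the PMI code could be obtained, because a later edit that inserts a statement between the `#endif` and the assignment changes the logic without any compiler warning. `module_alloc_exec(screen_info.vesapm_size)` is also called before the `vesapm_seg < 0xc000` sanity check and before the `ypan || pmi_setpal` test in the next hunk, so the allocation is made for a PMI block that may turn out to be unusable or unneeded, and only the `err:` path in the last hunk ever releases it; allocate after those checks, or release it on the success path when PMI ends up unused. The `#include <linux/moduleloader.h>` added in the first hunk is only needed under the same `CONFIG_MODULES && CONFIG_PAX_KERNEXEC` guard.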
14877 -@@ -312,9 +322,29 @@ static int __init vesafb_probe(struct pl
14878 -
14879 - if (ypan || pmi_setpal) {
14880 - unsigned short *pmi_base;
14881 -- pmi_base = (unsigned short*)phys_to_virt(((unsigned long)screen_info.vesapm_seg << 4) + screen_info.vesapm_off);
14882 -- pmi_start = (void*)((char*)pmi_base + pmi_base[1]);
14883 -- pmi_pal = (void*)((char*)pmi_base + pmi_base[2]);
14884 -+
14885 -+#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
14886 -+ unsigned long cr0;
14887 -+#endif
14888 -+
14889 -+ pmi_base = (unsigned short*)phys_to_virt(((unsigned long)screen_info.vesapm_seg << 4) + screen_info.vesapm_off);
14890 -+
14891 -+#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
14892 -+ pax_open_kernel(cr0);
14893 -+ memcpy(pmi_code, pmi_base, screen_info.vesapm_size);
14894 -+#else
14895 -+ pmi_code = pmi_base;
14896 -+#endif
14897 -+
14898 -+ pmi_start = (void*)((char*)pmi_code + pmi_base[1]);
14899 -+ pmi_pal = (void*)((char*)pmi_code + pmi_base[2]);
14900 -+
14901 -+#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
14902 -+ pmi_start = ktva_ktla(pmi_start);
14903 -+ pmi_pal = ktva_ktla(pmi_pal);
14904 -+ pax_close_kernel(cr0);
14905 -+#endif
14906 -+
14907 - printk(KERN_INFO "vesafb: pmi: set display start = %p, set palette = %p\n",pmi_start,pmi_pal);
14908 - if (pmi_base[3]) {
14909 - printk(KERN_INFO "vesafb: pmi: ports = ");
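Review bot: `pmi_base[1]` and `pmi_base[2]` are offsets supplied by the video BIOS, and after the `memcpy(pmi_code, pmi_base, screen_info.vesapm_size)` the derived `pmi_start` and `pmi_pal` pointers are never checked against `vesapm_size`, so an offset larger than the copied block yields an entry point outside the `module_alloc_exec` region (the `pax_open_kernel`/`ktva_ktla` handling does not help with that). Reject the PMI block when either offset is not below `vesapm_size`, by clearing `vesapm_seg` and skipping `ypan`/`pmi_setpal` as the `< 0xc000` check above already does; since the non-KERNEXEC branch (`pmi_code = pmi_base`) derives the pointers the same way, the check belongs before the `#if`, not inside the KERNEXEC branch.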
14910 -@@ -456,6 +486,11 @@ static int __init vesafb_probe(struct pl
14911 - info->node, info->fix.id);
14912 - return 0;
14913 - err:
14914 -+
14915 -+#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
14916 -+ module_free_exec(NULL, pmi_code);
14917 -+#endif
14918 -+
14919 - if (info->screen_base)
14920 - iounmap(info->screen_base);
14921 - framebuffer_release(info);
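Review bot: `module_free_exec(NULL, pmi_code)` at `err:` is reached from every earlier `goto err` in `vesafb_probe`, including the ones taken before the allocation, so this relies on `module_free_exec` accepting the `NULL` that `pmi_code` is initialised to; either guard it with `if (pmi_code)` or add a comment, since the KERNEXEC allocator is not the `vfree` path a reader will assume tolerates `NULL`. If the failure happens after the previous hunk has already set `pmi_start`/`pmi_pal`, those `__read_only` pointers keep referring to the freed block; that is harmless because a failed probe never calls through them, but a one-line comment saying so saves the next reader the analysis.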
14922 -diff -urNp linux-2.6.24.4/fs/9p/vfs_inode.c linux-2.6.24.4/fs/9p/vfs_inode.c
14923 ---- linux-2.6.24.4/fs/9p/vfs_inode.c 2008-03-24 14:49:18.000000000 -0400
14924 -+++ linux-2.6.24.4/fs/9p/vfs_inode.c 2008-03-26 17:56:56.000000000 -0400
14925 -@@ -996,7 +996,7 @@ static void *v9fs_vfs_follow_link(struct
14926 -
14927 - static void v9fs_vfs_put_link(struct dentry *dentry, struct nameidata *nd, void *p)
14928 - {
14929 -- char *s = nd_get_link(nd);
14930 -+ const char *s = nd_get_link(nd);
14931 -
14932 - P9_DPRINTK(P9_DEBUG_VFS, " %s %s\n", dentry->d_name.name, s);
14933 - if (!IS_ERR(s))
14934 -diff -urNp linux-2.6.24.4/fs/aio.c linux-2.6.24.4/fs/aio.c
14935 ---- linux-2.6.24.4/fs/aio.c 2008-03-24 14:49:18.000000000 -0400
14936 -+++ linux-2.6.24.4/fs/aio.c 2008-03-26 17:56:56.000000000 -0400
14937 -@@ -114,7 +114,7 @@ static int aio_setup_ring(struct kioctx
14938 - size += sizeof(struct io_event) * nr_events;
14939 - nr_pages = (size + PAGE_SIZE-1) >> PAGE_SHIFT;
14940 -
14941 -- if (nr_pages < 0)
14942 -+ if (nr_pages <= 0)
14943 - return -EINVAL;
14944 -
14945 - nr_events = (PAGE_SIZE * nr_pages - sizeof(struct aio_ring)) / sizeof(struct io_event);
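Review bot: the tightened `nr_pages <= 0` is correct because `nr_pages == 0` makes the `nr_events` computation two lines below underflow (`PAGE_SIZE * 0 - sizeof(struct aio_ring)` divided by the event size), but the `if` needs a comment saying that, since `< 0` to `<= 0` reads like a typo fix. Note that `size += sizeof(struct io_event) * nr_events` on the first context line can still wrap for a very large `nr_events` and land on a small positive `nr_pages`, so this check is only a backstop for the bound the caller enforces on `nr_events`, and the comment should say that too.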
14946 -diff -urNp linux-2.6.24.4/fs/autofs4/symlink.c linux-2.6.24.4/fs/autofs4/symlink.c
14947 ---- linux-2.6.24.4/fs/autofs4/symlink.c 2008-03-24 14:49:18.000000000 -0400
14948 -+++ linux-2.6.24.4/fs/autofs4/symlink.c 2008-03-26 17:56:56.000000000 -0400
14949 -@@ -15,7 +15,7 @@
14950 - static void *autofs4_follow_link(struct dentry *dentry, struct nameidata *nd)
14951 - {
14952 - struct autofs_info *ino = autofs4_dentry_ino(dentry);
14953 -- nd_set_link(nd, (char *)ino->u.symlink);
14954 -+ nd_set_link(nd, ino->u.symlink);
14955 - return NULL;
14956 - }
14957 -
14958 -diff -urNp linux-2.6.24.4/fs/befs/linuxvfs.c linux-2.6.24.4/fs/befs/linuxvfs.c
14959 ---- linux-2.6.24.4/fs/befs/linuxvfs.c 2008-03-24 14:49:18.000000000 -0400
14960 -+++ linux-2.6.24.4/fs/befs/linuxvfs.c 2008-03-26 17:56:56.000000000 -0400
14961 -@@ -482,7 +482,7 @@ static void befs_put_link(struct dentry
14962 - {
14963 - befs_inode_info *befs_ino = BEFS_I(dentry->d_inode);
14964 - if (befs_ino->i_flags & BEFS_LONG_SYMLINK) {
14965 -- char *p = nd_get_link(nd);
14966 -+ const char *p = nd_get_link(nd);
14967 - if (!IS_ERR(p))
14968 - kfree(p);
14969 - }
14970 -diff -urNp linux-2.6.24.4/fs/binfmt_aout.c linux-2.6.24.4/fs/binfmt_aout.c
14971 ---- linux-2.6.24.4/fs/binfmt_aout.c 2008-03-24 14:49:18.000000000 -0400
14972 -+++ linux-2.6.24.4/fs/binfmt_aout.c 2008-03-26 17:56:56.000000000 -0400
14973 -@@ -24,6 +24,7 @@
14974 - #include <linux/binfmts.h>
14975 - #include <linux/personality.h>
14976 - #include <linux/init.h>
14977 -+#include <linux/grsecurity.h>
14978 -
14979 - #include <asm/system.h>
14980 - #include <asm/uaccess.h>
14981 -@@ -123,18 +124,22 @@ static int aout_core_dump(long signr, st
14982 - /* If the size of the dump file exceeds the rlimit, then see what would happen
14983 - if we wrote the stack, but not the data area. */
14984 - #ifdef __sparc__
14985 -+ gr_learn_resource(current, RLIMIT_CORE, dump.u_dsize + dump.u_ssize, 1);
14986 - if ((dump.u_dsize + dump.u_ssize) > limit)
14987 - dump.u_dsize = 0;
14988 - #else
14989 -+ gr_learn_resource(current, RLIMIT_CORE, (dump.u_dsize + dump.u_ssize+1) * PAGE_SIZE, 1);
14990 - if ((dump.u_dsize + dump.u_ssize+1) * PAGE_SIZE > limit)
14991 - dump.u_dsize = 0;
14992 - #endif
14993 -
14994 - /* Make sure we have enough room to write the stack and data areas. */
14995 - #ifdef __sparc__
14996 -+ gr_learn_resource(current, RLIMIT_CORE, dump.u_ssize, 1);
14997 - if (dump.u_ssize > limit)
14998 - dump.u_ssize = 0;
14999 - #else
15000 -+ gr_learn_resource(current, RLIMIT_CORE, (dump.u_ssize + 1) * PAGE_SIZE, 1);
15001 - if ((dump.u_ssize + 1) * PAGE_SIZE > limit)
15002 - dump.u_ssize = 0;
15003 - #endif
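Review bot: each `gr_learn_resource(current, RLIMIT_CORE, <expr>, 1)` repeats the size expression of the `if` immediately below it (`dump.u_dsize + dump.u_ssize`, `(dump.u_dsize + dump.u_ssize+1) * PAGE_SIZE`, `dump.u_ssize`, `(dump.u_ssize + 1) * PAGE_SIZE`); compute each once into a local such as `needed` and use it in both the learning call and the comparison, so the value that is learned and the value that is enforced cannot drift apart when one of them is edited.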
15004 -@@ -290,6 +295,8 @@ static int load_aout_binary(struct linux
15005 - rlim = current->signal->rlim[RLIMIT_DATA].rlim_cur;
15006 - if (rlim >= RLIM_INFINITY)
15007 - rlim = ~0;
15008 -+
15009 -+ gr_learn_resource(current, RLIMIT_DATA, ex.a_data + ex.a_bss, 1);
15010 - if (ex.a_data + ex.a_bss > rlim)
15011 - return -ENOMEM;
15012 -
15013 -@@ -321,6 +328,28 @@ static int load_aout_binary(struct linux
15014 -
15015 - compute_creds(bprm);
15016 - current->flags &= ~PF_FORKNOEXEC;
15017 -+
15018 -+#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
15019 -+ current->mm->pax_flags = 0UL;
15020 -+#endif
15021 -+
15022 -+#ifdef CONFIG_PAX_PAGEEXEC
15023 -+ if (!(N_FLAGS(ex) & F_PAX_PAGEEXEC)) {
15024 -+ current->mm->pax_flags |= MF_PAX_PAGEEXEC;
15025 -+
15026 -+#ifdef CONFIG_PAX_EMUTRAMP
15027 -+ if (N_FLAGS(ex) & F_PAX_EMUTRAMP)
15028 -+ current->mm->pax_flags |= MF_PAX_EMUTRAMP;
15029 -+#endif
15030 -+
15031 -+#ifdef CONFIG_PAX_MPROTECT
15032 -+ if (!(N_FLAGS(ex) & F_PAX_MPROTECT))
15033 -+ current->mm->pax_flags |= MF_PAX_MPROTECT;
15034 -+#endif
15035 -+
15036 -+ }
15037 -+#endif
15038 -+
15039 - #ifdef __sparc__
15040 - if (N_MAGIC(ex) == NMAGIC) {
15041 - loff_t pos = fd_offset;
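Review bot: the a.out path clears `current->mm->pax_flags` under `CONFIG_PAX_NOEXEC || CONFIG_PAX_ASLR`, but only the `CONFIG_PAX_PAGEEXEC` block sets any bit afterwards, so on a SEGMEXEC-only or ASLR-only kernel an a.out image runs with `pax_flags == 0`; if that is intended (a.out gets neither SEGMEXEC nor RANDMMAP), say so in a comment next to the clear. The flag polarity also needs documenting: `!(N_FLAGS(ex) & F_PAX_PAGEEXEC)` and `!(N_FLAGS(ex) & F_PAX_MPROTECT)` enable the feature when the header bit is clear, while `N_FLAGS(ex) & F_PAX_EMUTRAMP` enables it when the bit is set, and nothing here explains the mixed convention.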
15042 -@@ -416,7 +445,7 @@ static int load_aout_binary(struct linux
15043 -
15044 - down_write(&current->mm->mmap_sem);
15045 - error = do_mmap(bprm->file, N_DATADDR(ex), ex.a_data,
15046 -- PROT_READ | PROT_WRITE | PROT_EXEC,
15047 -+ PROT_READ | PROT_WRITE,
15048 - MAP_FIXED | MAP_PRIVATE | MAP_DENYWRITE | MAP_EXECUTABLE,
15049 - fd_offset + ex.a_text);
15050 - up_write(&current->mm->mmap_sem);
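Review bot: dropping `PROT_EXEC` from the `do_mmap` of the data segment (`N_DATADDR(ex)`, `ex.a_data`) is an ABI change for a.out programs that execute code out of their data area; the changelog should state it, and the text mapping (outside this hunk) must still carry `PROT_EXEC` for the image to run at all. With `MF_PAX_MPROTECT` set in the previous hunk such a program cannot regain execute permission through `mprotect()` either, which is the intended hardening but is worth stating in a comment on this line rather than leaving the reader to connect the two hunks.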
15051 -diff -urNp linux-2.6.24.4/fs/binfmt_elf.c linux-2.6.24.4/fs/binfmt_elf.c
15052 ---- linux-2.6.24.4/fs/binfmt_elf.c 2008-03-24 14:49:18.000000000 -0400
15053 -+++ linux-2.6.24.4/fs/binfmt_elf.c 2008-03-26 17:56:56.000000000 -0400
15054 -@@ -39,10 +39,16 @@
15055 - #include <linux/random.h>
15056 - #include <linux/elf.h>
15057 - #include <linux/utsname.h>
15058 -+#include <linux/grsecurity.h>
15059 -+
15060 - #include <asm/uaccess.h>
15061 - #include <asm/param.h>
15062 - #include <asm/page.h>
15063 -
15064 -+#ifdef CONFIG_PAX_SEGMEXEC
15065 -+#include <asm/desc.h>
15066 -+#endif
15067 -+
15068 - static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs);
15069 - static int load_elf_library(struct file *);
15070 - static unsigned long elf_map (struct file *, unsigned long, struct elf_phdr *, int, int);
15071 -@@ -84,6 +90,8 @@ static struct linux_binfmt elf_format =
15072 -
15073 - static int set_brk(unsigned long start, unsigned long end)
15074 - {
15075 -+ unsigned long e = end;
15076 -+
15077 - start = ELF_PAGEALIGN(start);
15078 - end = ELF_PAGEALIGN(end);
15079 - if (end > start) {
15080 -@@ -94,7 +102,7 @@ static int set_brk(unsigned long start,
15081 - if (BAD_ADDR(addr))
15082 - return addr;
15083 - }
15084 -- current->mm->start_brk = current->mm->brk = end;
15085 -+ current->mm->start_brk = current->mm->brk = e;
15086 - return 0;
15087 - }
15088 -
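Review bot: `e` is an opaque name for the deliberate choice to store the unaligned `end` in `start_brk`/`brk` while the mapping itself still uses the page-aligned value; rename it (for example `unaligned_end`) and add a comment explaining why the brk start is intentionally not page-aligned, because a reader of `set_brk` on its own will take this for a bug and "fix" it back to `end`.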
15089 -@@ -328,10 +336,9 @@ static unsigned long load_elf_interp(str
15090 - {
15091 - struct elf_phdr *elf_phdata;
15092 - struct elf_phdr *eppnt;
15093 -- unsigned long load_addr = 0;
15094 -- int load_addr_set = 0;
15095 -+ unsigned long load_addr = 0, min_addr, max_addr, task_size = TASK_SIZE;
15096 - unsigned long last_bss = 0, elf_bss = 0;
15097 -- unsigned long error = ~0UL;
15098 -+ unsigned long error = -EINVAL;
15099 - int retval, i, size;
15100 -
15101 - /* First of all, some simple consistency checks */
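Review bot: replacing the `~0UL` sentinel with `error = -EINVAL` (and `elf_entry = -EINVAL` in the later `load_aout_interp` hunk) changes the error encoding returned by `load_elf_interp`; make sure every caller tests the result with `BAD_ADDR()` or `IS_ERR_VALUE()` rather than comparing against `~0UL`. Dropping `load_addr_set` is only correct because the rewrite below forces `MAP_FIXED` on every segment; a line in the commit message explaining the two-pass layout (`min_addr`/`max_addr` first, then fixed mappings) would make the intent clear.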
15102 -@@ -370,66 +377,86 @@ static unsigned long load_elf_interp(str
15103 - goto out_close;
15104 - }
15105 -
15106 -+#ifdef CONFIG_PAX_SEGMEXEC
15107 -+ if (current->mm->pax_flags & MF_PAX_SEGMEXEC)
15108 -+ task_size = SEGMEXEC_TASK_SIZE;
15109 -+#endif
15110 -+
15111 - eppnt = elf_phdata;
15112 -+ min_addr = task_size;
15113 -+ max_addr = 0;
15114 -+ error = -ENOMEM;
15115 -+
15116 - for (i = 0; i < interp_elf_ex->e_phnum; i++, eppnt++) {
15117 -- if (eppnt->p_type == PT_LOAD) {
15118 -- int elf_type = MAP_PRIVATE | MAP_DENYWRITE;
15119 -- int elf_prot = 0;
15120 -- unsigned long vaddr = 0;
15121 -- unsigned long k, map_addr;
15122 --
15123 -- if (eppnt->p_flags & PF_R)
15124 -- elf_prot = PROT_READ;
15125 -- if (eppnt->p_flags & PF_W)
15126 -- elf_prot |= PROT_WRITE;
15127 -- if (eppnt->p_flags & PF_X)
15128 -- elf_prot |= PROT_EXEC;
15129 -- vaddr = eppnt->p_vaddr;
15130 -- if (interp_elf_ex->e_type == ET_EXEC || load_addr_set)
15131 -- elf_type |= MAP_FIXED;
15132 --
15133 -- map_addr = elf_map(interpreter, load_addr + vaddr,
15134 -- eppnt, elf_prot, elf_type);
15135 -- error = map_addr;
15136 -- if (BAD_ADDR(map_addr))
15137 -- goto out_close;
15138 --
15139 -- if (!load_addr_set &&
15140 -- interp_elf_ex->e_type == ET_DYN) {
15141 -- load_addr = map_addr - ELF_PAGESTART(vaddr);
15142 -- load_addr_set = 1;
15143 -- }
15144 -+ if (eppnt->p_type != PT_LOAD)
15145 -+ continue;
15146 -
15147 -- /*
15148 -- * Check to see if the section's size will overflow the
15149 -- * allowed task size. Note that p_filesz must always be
15150 -- * <= p_memsize so it's only necessary to check p_memsz.
15151 -- */
15152 -- k = load_addr + eppnt->p_vaddr;
15153 -- if (BAD_ADDR(k) ||
15154 -- eppnt->p_filesz > eppnt->p_memsz ||
15155 -- eppnt->p_memsz > TASK_SIZE ||
15156 -- TASK_SIZE - eppnt->p_memsz < k) {
15157 -- error = -ENOMEM;
15158 -- goto out_close;
15159 -- }
15160 -+ /*
15161 -+ * Check to see if the section's size will overflow the
15162 -+ * allowed task size. Note that p_filesz must always be
15163 -+ * <= p_memsize so it is only necessary to check p_memsz.
15164 -+ */
15165 -+ if (eppnt->p_filesz > eppnt->p_memsz || eppnt->p_vaddr >= eppnt->p_vaddr + eppnt->p_memsz)
15166 -+ goto out_close;
15167 -
15168 -- /*
15169 -- * Find the end of the file mapping for this phdr, and
15170 -- * keep track of the largest address we see for this.
15171 -- */
15172 -- k = load_addr + eppnt->p_vaddr + eppnt->p_filesz;
15173 -- if (k > elf_bss)
15174 -- elf_bss = k;
15175 -+ if (min_addr > ELF_PAGESTART(eppnt->p_vaddr))
15176 -+ min_addr = ELF_PAGESTART(eppnt->p_vaddr);
15177 -+ if (max_addr < ELF_PAGEALIGN(eppnt->p_vaddr + eppnt->p_memsz))
15178 -+ max_addr = ELF_PAGEALIGN(eppnt->p_vaddr + eppnt->p_memsz);
15179 -+ }
15180 -+ if (min_addr >= max_addr || max_addr > task_size)
15181 -+ goto out_close;
15182 -
15183 -- /*
15184 -- * Do the same thing for the memory mapping - between
15185 -- * elf_bss and last_bss is the bss section.
15186 -- */
15187 -- k = load_addr + eppnt->p_memsz + eppnt->p_vaddr;
15188 -- if (k > last_bss)
15189 -- last_bss = k;
15190 -- }
15191 -+ if (interp_elf_ex->e_type == ET_DYN) {
15192 -+ load_addr = get_unmapped_area(interpreter, 0, max_addr - min_addr, 0, MAP_PRIVATE | MAP_EXECUTABLE);
15193 -+
15194 -+ if (load_addr >= task_size)
15195 -+ goto out_close;
15196 -+
15197 -+ load_addr -= min_addr;
15198 -+ }
15199 -+
15200 -+ eppnt = elf_phdata;
15201 -+ for (i = 0; i < interp_elf_ex->e_phnum; i++, eppnt++) {
15202 -+ int elf_type = MAP_PRIVATE | MAP_DENYWRITE | MAP_FIXED;
15203 -+ int elf_prot = 0;
15204 -+ unsigned long vaddr = 0;
15205 -+ unsigned long k, map_addr;
15206 -+
15207 -+ if (eppnt->p_type != PT_LOAD)
15208 -+ continue;
15209 -+
15210 -+ if (eppnt->p_flags & PF_R)
15211 -+ elf_prot = PROT_READ;
15212 -+ if (eppnt->p_flags & PF_W)
15213 -+ elf_prot |= PROT_WRITE;
15214 -+ if (eppnt->p_flags & PF_X)
15215 -+ elf_prot |= PROT_EXEC;
15216 -+ vaddr = eppnt->p_vaddr;
15217 -+
15218 -+ map_addr = elf_map(interpreter, load_addr + vaddr,
15219 -+ eppnt, elf_prot, elf_type);
15220 -+ error = map_addr;
15221 -+ if (BAD_ADDR(map_addr))
15222 -+ goto out_close;
15223 -+
15224 -+ k = load_addr + eppnt->p_vaddr;
15225 -+
15226 -+ /*
15227 -+ * Find the end of the file mapping for this phdr, and
15228 -+ * keep track of the largest address we see for this.
15229 -+ */
15230 -+ k = load_addr + eppnt->p_vaddr + eppnt->p_filesz;
15231 -+ if (k > elf_bss)
15232 -+ elf_bss = k;
15233 -+
15234 -+ /*
15235 -+ * Do the same thing for the memory mapping - between
15236 -+ * elf_bss and last_bss is the bss section.
15237 -+ */
15238 -+ k = load_addr + eppnt->p_memsz + eppnt->p_vaddr;
15239 -+ if (k > last_bss)
15240 -+ last_bss = k;
15241 - }
15242 -
15243 - /*
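Review bot: `k = load_addr + eppnt->p_vaddr;` right after the `BAD_ADDR(map_addr)` check in the second loop is dead, as `k` is reassigned unconditionally a few lines later; drop it. In the first loop, the overflow test `eppnt->p_vaddr >= eppnt->p_vaddr + eppnt->p_memsz` also rejects a `PT_LOAD` entry with `p_memsz == 0`, which the replaced code mapped; if that is intended, test `p_memsz == 0` explicitly with a comment, otherwise use `>`. `error = -ENOMEM` is set before the first loop, but the conditions that `goto out_close` from inside it are malformed-header checks for which the new `-EINVAL` default is the accurate code; set `-ENOMEM` only around the `get_unmapped_area` call and the `load_addr >= task_size` test. Finally, mapping every segment with `MAP_FIXED` into the hole obtained from `get_unmapped_area` is safe here only because the new `mm` is private to the exec'ing task, so nothing else can map into `[load_addr + min_addr, load_addr + max_addr)` between the two calls; a comment stating that assumption would help.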
15244 -@@ -457,6 +484,8 @@ static unsigned long load_elf_interp(str
15245 -
15246 - *interp_load_addr = load_addr;
15247 - error = ((unsigned long)interp_elf_ex->e_entry) + load_addr;
15248 -+ if (BAD_ADDR(error))
15249 -+ error = -EFAULT;
15250 -
15251 - out_close:
15252 - kfree(elf_phdata);
15253 -@@ -467,7 +496,7 @@ out:
15254 - static unsigned long load_aout_interp(struct exec *interp_ex,
15255 - struct file *interpreter)
15256 - {
15257 -- unsigned long text_data, elf_entry = ~0UL;
15258 -+ unsigned long text_data, elf_entry = -EINVAL;
15259 - char __user * addr;
15260 - loff_t offset;
15261 -
15262 -@@ -510,6 +539,177 @@ out:
15263 - return elf_entry;
15264 - }
15265 -
15266 -+#if (defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)) && defined(CONFIG_PAX_SOFTMODE)
15267 -+static unsigned long pax_parse_softmode(const struct elf_phdr * const elf_phdata)
15268 -+{
15269 -+ unsigned long pax_flags = 0UL;
15270 -+
15271 -+#ifdef CONFIG_PAX_PAGEEXEC
15272 -+ if (elf_phdata->p_flags & PF_PAGEEXEC)
15273 -+ pax_flags |= MF_PAX_PAGEEXEC;
15274 -+#endif
15275 -+
15276 -+#ifdef CONFIG_PAX_SEGMEXEC
15277 -+ if (elf_phdata->p_flags & PF_SEGMEXEC)
15278 -+ pax_flags |= MF_PAX_SEGMEXEC;
15279 -+#endif
15280 -+
15281 -+#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
15282 -+ if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) == (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
15283 -+ if (nx_enabled)
15284 -+ pax_flags &= ~MF_PAX_SEGMEXEC;
15285 -+ else
15286 -+ pax_flags &= ~MF_PAX_PAGEEXEC;
15287 -+ }
15288 -+#endif
15289 -+
15290 -+#ifdef CONFIG_PAX_EMUTRAMP
15291 -+ if (elf_phdata->p_flags & PF_EMUTRAMP)
15292 -+ pax_flags |= MF_PAX_EMUTRAMP;
15293 -+#endif
15294 -+
15295 -+#ifdef CONFIG_PAX_MPROTECT
15296 -+ if (elf_phdata->p_flags & PF_MPROTECT)
15297 -+ pax_flags |= MF_PAX_MPROTECT;
15298 -+#endif
15299 -+
15300 -+#if defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)
15301 -+ if (randomize_va_space && (elf_phdata->p_flags & PF_RANDMMAP))
15302 -+ pax_flags |= MF_PAX_RANDMMAP;
15303 -+#endif
15304 -+
15305 -+ return pax_flags;
15306 -+}
15307 -+#endif
15308 -+
15309 -+#ifdef CONFIG_PAX_PT_PAX_FLAGS
15310 -+static unsigned long pax_parse_hardmode(const struct elf_phdr * const elf_phdata)
15311 -+{
15312 -+ unsigned long pax_flags = 0UL;
15313 -+
15314 -+#ifdef CONFIG_PAX_PAGEEXEC
15315 -+ if (!(elf_phdata->p_flags & PF_NOPAGEEXEC))
15316 -+ pax_flags |= MF_PAX_PAGEEXEC;
15317 -+#endif
15318 -+
15319 -+#ifdef CONFIG_PAX_SEGMEXEC
15320 -+ if (!(elf_phdata->p_flags & PF_NOSEGMEXEC))
15321 -+ pax_flags |= MF_PAX_SEGMEXEC;
15322 -+#endif
15323 -+
15324 -+#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
15325 -+ if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) == (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
15326 -+ if (nx_enabled)
15327 -+ pax_flags &= ~MF_PAX_SEGMEXEC;
15328 -+ else
15329 -+ pax_flags &= ~MF_PAX_PAGEEXEC;
15330 -+ }
15331 -+#endif
15332 -+
15333 -+#ifdef CONFIG_PAX_EMUTRAMP
15334 -+ if (!(elf_phdata->p_flags & PF_NOEMUTRAMP))
15335 -+ pax_flags |= MF_PAX_EMUTRAMP;
15336 -+#endif
15337 -+
15338 -+#ifdef CONFIG_PAX_MPROTECT
15339 -+ if (!(elf_phdata->p_flags & PF_NOMPROTECT))
15340 -+ pax_flags |= MF_PAX_MPROTECT;
15341 -+#endif
15342 -+
15343 -+#if defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)
15344 -+ if (randomize_va_space && !(elf_phdata->p_flags & PF_NORANDMMAP))
15345 -+ pax_flags |= MF_PAX_RANDMMAP;
15346 -+#endif
15347 -+
15348 -+ return pax_flags;
15349 -+}
15350 -+#endif
15351 -+
15352 -+#ifdef CONFIG_PAX_EI_PAX
15353 -+static unsigned long pax_parse_ei_pax(const struct elfhdr * const elf_ex)
15354 -+{
15355 -+ unsigned long pax_flags = 0UL;
15356 -+
15357 -+#ifdef CONFIG_PAX_PAGEEXEC
15358 -+ if (!(elf_ex->e_ident[EI_PAX] & EF_PAX_PAGEEXEC))
15359 -+ pax_flags |= MF_PAX_PAGEEXEC;
15360 -+#endif
15361 -+
15362 -+#ifdef CONFIG_PAX_SEGMEXEC
15363 -+ if (!(elf_ex->e_ident[EI_PAX] & EF_PAX_SEGMEXEC))
15364 -+ pax_flags |= MF_PAX_SEGMEXEC;
15365 -+#endif
15366 -+
15367 -+#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
15368 -+ if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) == (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
15369 -+ if (nx_enabled)
15370 -+ pax_flags &= ~MF_PAX_SEGMEXEC;
15371 -+ else
15372 -+ pax_flags &= ~MF_PAX_PAGEEXEC;
15373 -+ }
15374 -+#endif
15375 -+
15376 -+#ifdef CONFIG_PAX_EMUTRAMP
15377 -+ if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) && (elf_ex->e_ident[EI_PAX] & EF_PAX_EMUTRAMP))
15378 -+ pax_flags |= MF_PAX_EMUTRAMP;
15379 -+#endif
15380 -+
15381 -+#ifdef CONFIG_PAX_MPROTECT
15382 -+ if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) && !(elf_ex->e_ident[EI_PAX] & EF_PAX_MPROTECT))
15383 -+ pax_flags |= MF_PAX_MPROTECT;
15384 -+#endif
15385 -+
15386 -+#ifdef CONFIG_PAX_ASLR
15387 -+ if (randomize_va_space && !(elf_ex->e_ident[EI_PAX] & EF_PAX_RANDMMAP))
15388 -+ pax_flags |= MF_PAX_RANDMMAP;
15389 -+#endif
15390 -+
15391 -+ return pax_flags;
15392 -+}
15393 -+#endif
15394 -+
15395 -+#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)
15396 -+static long pax_parse_elf_flags(const struct elfhdr * const elf_ex, const struct elf_phdr * const elf_phdata)
15397 -+{
15398 -+ unsigned long pax_flags = 0UL;
15399 -+
15400 -+#ifdef CONFIG_PAX_PT_PAX_FLAGS
15401 -+ unsigned long i;
15402 -+#endif
15403 -+
15404 -+#ifdef CONFIG_PAX_EI_PAX
15405 -+ pax_flags = pax_parse_ei_pax(elf_ex);
15406 -+#endif
15407 -+
15408 -+#ifdef CONFIG_PAX_PT_PAX_FLAGS
15409 -+ for (i = 0UL; i < elf_ex->e_phnum; i++)
15410 -+ if (elf_phdata[i].p_type == PT_PAX_FLAGS) {
15411 -+ if (((elf_phdata[i].p_flags & PF_PAGEEXEC) && (elf_phdata[i].p_flags & PF_NOPAGEEXEC)) ||
15412 -+ ((elf_phdata[i].p_flags & PF_SEGMEXEC) && (elf_phdata[i].p_flags & PF_NOSEGMEXEC)) ||
15413 -+ ((elf_phdata[i].p_flags & PF_EMUTRAMP) && (elf_phdata[i].p_flags & PF_NOEMUTRAMP)) ||
15414 -+ ((elf_phdata[i].p_flags & PF_MPROTECT) && (elf_phdata[i].p_flags & PF_NOMPROTECT)) ||
15415 -+ ((elf_phdata[i].p_flags & PF_RANDMMAP) && (elf_phdata[i].p_flags & PF_NORANDMMAP)))
15416 -+ return -EINVAL;
15417 -+
15418 -+#ifdef CONFIG_PAX_SOFTMODE
15419 -+ if (pax_softmode)
15420 -+ pax_flags = pax_parse_softmode(&elf_phdata[i]);
15421 -+ else
15422 -+#endif
15423 -+
15424 -+ pax_flags = pax_parse_hardmode(&elf_phdata[i]);
15425 -+ break;
15426 -+ }
15427 -+#endif
15428 -+
15429 -+ if (0 > pax_check_flags(&pax_flags))
15430 -+ return -EINVAL;
15431 -+
15432 -+ current->mm->pax_flags = pax_flags;
15433 -+ return 0;
15434 -+}
15435 -+#endif
15436 -+
15437 - /*
15438 - * These are the functions used to load ELF style executables and shared
15439 - * libraries. There is no binary dependent code anywhere else.
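Review bot: the PAGEEXEC/SEGMEXEC conflict block (`if (nx_enabled) pax_flags &= ~MF_PAX_SEGMEXEC; else pax_flags &= ~MF_PAX_PAGEEXEC;`) is copied verbatim into `pax_parse_softmode`, `pax_parse_hardmode` and `pax_parse_ei_pax`; factor it into one helper so the three copies cannot diverge. The RANDMMAP guard is inconsistent as well: the first two functions use `CONFIG_PAX_RANDMMAP || CONFIG_PAX_RANDUSTACK` while `pax_parse_ei_pax` uses `CONFIG_PAX_ASLR`; pick one. In `pax_parse_elf_flags` the `if (pax_softmode) ... else` split across `#ifdef CONFIG_PAX_SOFTMODE`/`#endif` leaves the `pax_parse_hardmode` call as the `else` branch in one configuration and as a plain statement in the other; it compiles either way, but writing the two variants out explicitly is far easier to review. `pax_parse_elf_flags` is declared `long` although it only returns 0 or `-EINVAL`; `int` matches the `0 > ...` test at its call site.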
15440 -@@ -547,7 +747,7 @@ static int load_elf_binary(struct linux_
15441 - char * elf_interpreter = NULL;
15442 - unsigned int interpreter_type = INTERPRETER_NONE;
15443 - unsigned char ibcs2_interpreter = 0;
15444 -- unsigned long error;
15445 -+ unsigned long error = 0;
15446 - struct elf_phdr *elf_ppnt, *elf_phdata;
15447 - unsigned long elf_bss, elf_brk;
15448 - int elf_exec_fileno;
15449 -@@ -559,12 +759,12 @@ static int load_elf_binary(struct linux_
15450 - char passed_fileno[6];
15451 - struct files_struct *files;
15452 - int executable_stack = EXSTACK_DEFAULT;
15453 -- unsigned long def_flags = 0;
15454 - struct {
15455 - struct elfhdr elf_ex;
15456 - struct elfhdr interp_elf_ex;
15457 - struct exec interp_ex;
15458 - } *loc;
15459 -+ unsigned long task_size = TASK_SIZE;
15460 -
15461 - loc = kmalloc(sizeof(*loc), GFP_KERNEL);
15462 - if (!loc) {
15463 -@@ -799,14 +999,89 @@ static int load_elf_binary(struct linux_
15464 -
15465 - /* OK, This is the point of no return */
15466 - current->flags &= ~PF_FORKNOEXEC;
15467 -- current->mm->def_flags = def_flags;
15468 -+
15469 -+#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
15470 -+ current->mm->pax_flags = 0UL;
15471 -+#endif
15472 -+
15473 -+#ifdef CONFIG_PAX_DLRESOLVE
15474 -+ current->mm->call_dl_resolve = 0UL;
15475 -+#endif
15476 -+
15477 -+#if defined(CONFIG_PPC32) && defined(CONFIG_PAX_EMUSIGRT)
15478 -+ current->mm->call_syscall = 0UL;
15479 -+#endif
15480 -+
15481 -+#ifdef CONFIG_PAX_ASLR
15482 -+ current->mm->delta_mmap = 0UL;
15483 -+ current->mm->delta_stack = 0UL;
15484 -+#endif
15485 -+
15486 -+ current->mm->def_flags = 0;
15487 -+
15488 -+#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)
15489 -+ if (0 > pax_parse_elf_flags(&loc->elf_ex, elf_phdata)) {
15490 -+ send_sig(SIGKILL, current, 0);
15491 -+ goto out_free_dentry;
15492 -+ }
15493 -+#endif
15494 -+
15495 -+#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
15496 -+ pax_set_initial_flags(bprm);
15497 -+#elif defined(CONFIG_PAX_HOOK_ACL_FLAGS)
15498 -+ if (pax_set_initial_flags_func)
15499 -+ (pax_set_initial_flags_func)(bprm);
15500 -+#endif
15501 -+
15502 -+#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
15503 -+ if ((current->mm->pax_flags & MF_PAX_PAGEEXEC) && !nx_enabled) {
15504 -+ current->mm->context.user_cs_limit = PAGE_SIZE;
15505 -+ current->mm->def_flags |= VM_PAGEEXEC;
15506 -+ }
15507 -+#endif
15508 -+
15509 -+#ifdef CONFIG_PAX_SEGMEXEC
15510 -+ if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
15511 -+ current->mm->context.user_cs_base = SEGMEXEC_TASK_SIZE;
15512 -+ current->mm->context.user_cs_limit = TASK_SIZE-SEGMEXEC_TASK_SIZE;
15513 -+ task_size = SEGMEXEC_TASK_SIZE;
15514 -+ }
15515 -+#endif
15516 -+
15517 -+#if defined(CONFIG_ARCH_TRACK_EXEC_LIMIT) || defined(CONFIG_PAX_SEGMEXEC)
15518 -+ if (current->mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
15519 -+ set_user_cs(current->mm->context.user_cs_base, current->mm->context.user_cs_limit, get_cpu());
15520 -+ put_cpu_no_resched();
15521 -+ }
15522 -+#endif
15523 -+
15524 -+#ifdef CONFIG_PAX_ASLR
15525 -+ if (current->mm->pax_flags & MF_PAX_RANDMMAP) {
15526 -+ current->mm->delta_mmap = (pax_get_random_long() & ((1UL << PAX_DELTA_MMAP_LEN)-1)) << PAGE_SHIFT;
15527 -+ current->mm->delta_stack = (pax_get_random_long() & ((1UL << PAX_DELTA_STACK_LEN)-1)) << PAGE_SHIFT;
15528 -+ }
15529 -+#endif
15530 -+
15531 -+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
15532 -+ if (current->mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC))
15533 -+ executable_stack = EXSTACK_DEFAULT;
15534 -+#endif
15535 -
15536 - /* Do this immediately, since STACK_TOP as used in setup_arg_pages
15537 - may depend on the personality. */
15538 - SET_PERSONALITY(loc->elf_ex, ibcs2_interpreter);
15539 -+
15540 -+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
15541 -+ if (!(current->mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)))
15542 -+#endif
15543 -+
15544 - if (elf_read_implies_exec(loc->elf_ex, executable_stack))
15545 - current->personality |= READ_IMPLIES_EXEC;
15546 -
15547 -+#ifdef CONFIG_PAX_ASLR
15548 -+ if (!(current->mm->pax_flags & MF_PAX_RANDMMAP))
15549 -+#endif
15550 -+
15551 - if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
15552 - current->flags |= PF_RANDOMIZE;
15553 - arch_pick_mmap_layout(current->mm);
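Review bot: the `pax_parse_elf_flags` failure path does `send_sig(SIGKILL, current, 0)` and `goto out_free_dentry` without assigning `retval`, so `load_elf_binary` returns whatever `retval` held from the last successful step; set `retval = -EINVAL` before the `goto`, as the `task_size` hunk further down does. The pattern `#ifdef ... if (!(...)) #endif` placed directly before the unguarded `if (elf_read_implies_exec(...))` (and again before the `PF_RANDOMIZE` test) makes the following statement the conditional's body only when the option is compiled in; it works, but an inserted statement between them silently changes the logic, so brace it or compute a boolean first. `executable_stack = EXSTACK_DEFAULT` under PAGEEXEC/SEGMEXEC overrides whatever `PT_GNU_STACK` requested; a comment saying an executable stack is deliberately refused for such binaries would help.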
15554 -@@ -882,6 +1157,20 @@ static int load_elf_binary(struct linux_
15555 - * might try to exec. This is because the brk will
15556 - * follow the loader, and is not movable. */
15557 - load_bias = ELF_PAGESTART(ELF_ET_DYN_BASE - vaddr);
15558 -+
15559 -+#ifdef CONFIG_PAX_RANDMMAP
15560 -+ /* PaX: randomize base address at the default exe base if requested */
15561 -+ if ((current->mm->pax_flags & MF_PAX_RANDMMAP) && elf_interpreter) {
15562 -+#ifdef CONFIG_SPARC64
15563 -+ load_bias = (pax_get_random_long() & ((1UL << PAX_DELTA_MMAP_LEN) - 1)) << (PAGE_SHIFT+1);
15564 -+#else
15565 -+ load_bias = (pax_get_random_long() & ((1UL << PAX_DELTA_MMAP_LEN) - 1)) << PAGE_SHIFT;
15566 -+#endif
15567 -+ load_bias = ELF_PAGESTART(PAX_ELF_ET_DYN_BASE - vaddr + load_bias);
15568 -+ elf_flags |= MAP_FIXED;
15569 -+ }
15570 -+#endif
15571 -+
15572 - }
15573 -
15574 - error = elf_map(bprm->file, load_bias + vaddr, elf_ppnt,
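Review bot: the randomised `load_bias` is applied only when `elf_interpreter` is set, so an `ET_DYN` binary without an interpreter keeps the fixed `ELF_ET_DYN_BASE`; if that is intentional, say so in the comment. The `CONFIG_SPARC64` variant shifts by `PAGE_SHIFT+1` with no explanation, and `elf_flags |= MAP_FIXED` places the first segment at the chosen address unconditionally, which relies on the randomised range never overlapping mappings that already exist in the new `mm`; both deserve a comment stating the bound on `PAX_DELTA_MMAP_LEN` that guarantees it.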
15575 -@@ -914,9 +1203,9 @@ static int load_elf_binary(struct linux_
15576 - * allowed task size. Note that p_filesz must always be
15577 - * <= p_memsz so it is only necessary to check p_memsz.
15578 - */
15579 -- if (BAD_ADDR(k) || elf_ppnt->p_filesz > elf_ppnt->p_memsz ||
15580 -- elf_ppnt->p_memsz > TASK_SIZE ||
15581 -- TASK_SIZE - elf_ppnt->p_memsz < k) {
15582 -+ if (k >= task_size || elf_ppnt->p_filesz > elf_ppnt->p_memsz ||
15583 -+ elf_ppnt->p_memsz > task_size ||
15584 -+ task_size - elf_ppnt->p_memsz < k) {
15585 - /* set_brk can never work. Avoid overflows. */
15586 - send_sig(SIGKILL, current, 0);
15587 - retval = -EINVAL;
15588 -@@ -944,6 +1233,11 @@ static int load_elf_binary(struct linux_
15589 - start_data += load_bias;
15590 - end_data += load_bias;
15591 -
15592 -+#ifdef CONFIG_PAX_RANDMMAP
15593 -+ if (current->mm->pax_flags & MF_PAX_RANDMMAP)
15594 -+ elf_brk += PAGE_SIZE + ((pax_get_random_long() & ~PAGE_MASK) << 4);
15595 -+#endif
15596 -+
15597 - /* Calling set_brk effectively mmaps the pages that we need
15598 - * for the bss and break sections. We must do this before
15599 - * mapping in the interpreter, to make sure it doesn't wind
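Review bot: `elf_brk += PAGE_SIZE + ((pax_get_random_long() & ~PAGE_MASK) << 4)` encodes the brk gap as two magic expressions; a comment (one guaranteed page plus just under 16 pages of random padding, since `(PAGE_SIZE - 1) << 4` is the maximum) or a named macro for the shift would make the intended range reviewable, and the same comment should mention the earlier `set_brk` change, which now stores this unaligned value in `mm->brk`.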
15600 -@@ -955,9 +1249,11 @@ static int load_elf_binary(struct linux_
15601 - goto out_free_dentry;
15602 - }
15603 - if (likely(elf_bss != elf_brk) && unlikely(padzero(elf_bss))) {
15604 -- send_sig(SIGSEGV, current, 0);
15605 -- retval = -EFAULT; /* Nobody gets to see this, but.. */
15606 -- goto out_free_dentry;
15607 -+ /*
15608 -+ * This bss-zeroing can fail if the ELF
15609 -+ * file specifies odd protections. So
15610 -+ * we don't check the return value
15611 -+ */
15612 - }
15613 -
15614 - if (elf_interpreter) {
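Review bot: after this change the `if (likely(elf_bss != elf_brk) && unlikely(padzero(elf_bss)))` has an empty body, so the `likely`/`unlikely` annotations and the compound condition are noise; write it as `if (elf_bss != elf_brk) padzero(elf_bss);` with the comment above it. Silently tolerating a `padzero` failure is a behaviour change from the removed `SIGSEGV`/`-EFAULT` path, and the commit message should state which "odd protections" case motivates it.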
15615 -@@ -1194,8 +1490,10 @@ static int dump_seek(struct file *file,
15616 - unsigned long n = off;
15617 - if (n > PAGE_SIZE)
15618 - n = PAGE_SIZE;
15619 -- if (!dump_write(file, buf, n))
15620 -+ if (!dump_write(file, buf, n)) {
15621 -+ free_page((unsigned long)buf);
15622 - return 0;
15623 -+ }
15624 - off -= n;
15625 - }
15626 - free_page((unsigned long)buf);
15627 -@@ -1207,7 +1505,7 @@ static int dump_seek(struct file *file,
15628 - * Decide what to dump of a segment, part, all or none.
15629 - */
15630 - static unsigned long vma_dump_size(struct vm_area_struct *vma,
15631 -- unsigned long mm_flags)
15632 -+ unsigned long mm_flags, long signr)
15633 - {
15634 - /* The vma can be set up to tell us the answer directly. */
15635 - if (vma->vm_flags & VM_ALWAYSDUMP)
15636 -@@ -1233,7 +1531,7 @@ static unsigned long vma_dump_size(struc
15637 - if (vma->vm_file == NULL)
15638 - return 0;
15639 -
15640 -- if (FILTER(MAPPED_PRIVATE))
15641 -+ if (signr == SIGKILL || FILTER(MAPPED_PRIVATE))
15642 - goto whole;
15643 -
15644 - /*
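Review bot: `signr == SIGKILL || FILTER(MAPPED_PRIVATE)` makes every file-backed private mapping dump in full when the process died from SIGKILL, regardless of the `coredump_filter` setting, and nothing in the hunk says why SIGKILL is special; add a comment explaining which kill path this is meant to capture, since administrators tuning `coredump_filter` will not expect the override.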
15645 -@@ -1319,8 +1617,11 @@ static int writenote(struct memelfnote *
15646 - #undef DUMP_WRITE
15647 -
15648 - #define DUMP_WRITE(addr, nr) \
15649 -+ do { \
15650 -+ gr_learn_resource(current, RLIMIT_CORE, size + (nr), 1); \
15651 - if ((size += (nr)) > limit || !dump_write(file, (addr), (nr))) \
15652 -- goto end_coredump;
15653 -+ goto end_coredump; \
15654 -+ } while (0);
15655 - #define DUMP_SEEK(off) \
15656 - if (!dump_seek(file, (off))) \
15657 - goto end_coredump;
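Review bot: the trailing semicolon on `} while (0);` defeats the purpose of the `do { } while (0)` wrapper: the call site `DUMP_WRITE(addr, nr);` now expands to two statements, so `if (c) DUMP_WRITE(a, n); else ...` no longer compiles. Drop the semicolon after `while (0)`. Also, `gr_learn_resource(current, RLIMIT_CORE, size + (nr), 1)` recomputes the value that `size += (nr)` produces on the next line; doing the addition first and passing `size` keeps the learned and the enforced value in step.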
15658 -@@ -1710,7 +2011,7 @@ static int elf_core_dump(long signr, str
15659 - phdr.p_offset = offset;
15660 - phdr.p_vaddr = vma->vm_start;
15661 - phdr.p_paddr = 0;
15662 -- phdr.p_filesz = vma_dump_size(vma, mm_flags);
15663 -+ phdr.p_filesz = vma_dump_size(vma, mm_flags, signr);
15664 - phdr.p_memsz = vma->vm_end - vma->vm_start;
15665 - offset += phdr.p_filesz;
15666 - phdr.p_flags = vma->vm_flags & VM_READ ? PF_R : 0;
15667 -@@ -1753,7 +2054,7 @@ static int elf_core_dump(long signr, str
15668 - unsigned long addr;
15669 - unsigned long end;
15670 -
15671 -- end = vma->vm_start + vma_dump_size(vma, mm_flags);
15672 -+ end = vma->vm_start + vma_dump_size(vma, mm_flags, signr);
15673 -
15674 - for (addr = vma->vm_start; addr < end; addr += PAGE_SIZE) {
15675 - struct page *page;
15676 -@@ -1773,6 +2074,7 @@ static int elf_core_dump(long signr, str
15677 - flush_cache_page(vma, addr,
15678 - page_to_pfn(page));
15679 - kaddr = kmap(page);
15680 -+ gr_learn_resource(current, RLIMIT_CORE, size + PAGE_SIZE, 1);
15681 - if ((size += PAGE_SIZE) > limit ||
15682 - !dump_write(file, kaddr,
15683 - PAGE_SIZE)) {
15684 -diff -urNp linux-2.6.24.4/fs/binfmt_flat.c linux-2.6.24.4/fs/binfmt_flat.c
15685 ---- linux-2.6.24.4/fs/binfmt_flat.c 2008-03-24 14:49:18.000000000 -0400
15686 -+++ linux-2.6.24.4/fs/binfmt_flat.c 2008-03-26 17:56:56.000000000 -0400
15687 -@@ -561,7 +561,9 @@ static int load_flat_file(struct linux_b
15688 - realdatastart = (unsigned long) -ENOMEM;
15689 - printk("Unable to allocate RAM for process data, errno %d\n",
15690 - (int)-realdatastart);
15691 -+ down_write(&current->mm->mmap_sem);
15692 - do_munmap(current->mm, textpos, text_len);
15693 -+ up_write(&current->mm->mmap_sem);
15694 - ret = realdatastart;
15695 - goto err;
15696 - }
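Review bot: wrapping the error-path `do_munmap` in `down_write`/`up_write` of `mmap_sem` is the right fix, since `do_munmap` requires the write lock; the two following hunks do the same for the other error paths, so every remaining `do_munmap` caller in `load_flat_file` and its `err` label that this diff does not touch should be audited for the same lock.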
15697 -@@ -583,8 +585,10 @@ static int load_flat_file(struct linux_b
15698 - }
15699 - if (result >= (unsigned long)-4096) {
15700 - printk("Unable to read data+bss, errno %d\n", (int)-result);
15701 -+ down_write(&current->mm->mmap_sem);
15702 - do_munmap(current->mm, textpos, text_len);
15703 - do_munmap(current->mm, realdatastart, data_len + extra);
15704 -+ up_write(&current->mm->mmap_sem);
15705 - ret = result;
15706 - goto err;
15707 - }
15708 -@@ -657,8 +661,10 @@ static int load_flat_file(struct linux_b
15709 - }
15710 - if (result >= (unsigned long)-4096) {
15711 - printk("Unable to read code+data+bss, errno %d\n",(int)-result);
15712 -+ down_write(&current->mm->mmap_sem);
15713 - do_munmap(current->mm, textpos, text_len + data_len + extra +
15714 - MAX_SHARED_LIBS * sizeof(unsigned long));
15715 -+ up_write(&current->mm->mmap_sem);
15716 - ret = result;
15717 - goto err;
15718 - }
15719 -diff -urNp linux-2.6.24.4/fs/binfmt_misc.c linux-2.6.24.4/fs/binfmt_misc.c
15720 ---- linux-2.6.24.4/fs/binfmt_misc.c 2008-03-24 14:49:18.000000000 -0400
15721 -+++ linux-2.6.24.4/fs/binfmt_misc.c 2008-03-26 17:56:56.000000000 -0400
15722 -@@ -113,9 +113,11 @@ static int load_misc_binary(struct linux
15723 - struct files_struct *files = NULL;
15724 -
15725 - retval = -ENOEXEC;
15726 -- if (!enabled)
15727 -+ if (!enabled || bprm->misc)
15728 - goto _ret;
15729 -
15730 -+ bprm->misc++;
15731 -+
15732 - /* to keep locking time low, we copy the interpreter string */
15733 - read_lock(&entries_lock);
15734 - fmt = check_file(bprm);
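Review bot: the recursion guard "if (!enabled || bprm->misc)" depends on a misc member in struct linux_binprm that this hunk does not show being added to include/linux/binfmts.h, and "bprm->misc++" has no matching reset anywhere in the visible code, so once it is incremented any second pass through binfmt_misc for the same bprm (a registered interpreter that is itself a binfmt_misc target) is refused with -ENOEXEC. If "at most one binfmt_misc hop per exec" is the intended semantics, state it in a comment above the check; if a bounded depth was intended, the test needs a limit rather than a plain non-zero check.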
15735 -@@ -720,7 +722,7 @@ static int bm_fill_super(struct super_bl
15736 - static struct tree_descr bm_files[] = {
15737 - [2] = {"status", &bm_status_operations, S_IWUSR|S_IRUGO},
15738 - [3] = {"register", &bm_register_operations, S_IWUSR},
15739 -- /* last one */ {""}
15740 -+ /* last one */ {"", NULL, 0}
15741 - };
15742 - int err = simple_fill_super(sb, 0x42494e4d, bm_files);
15743 - if (!err)
15744 -diff -urNp linux-2.6.24.4/fs/buffer.c linux-2.6.24.4/fs/buffer.c
15745 ---- linux-2.6.24.4/fs/buffer.c 2008-03-24 14:49:18.000000000 -0400
15746 -+++ linux-2.6.24.4/fs/buffer.c 2008-03-26 17:56:56.000000000 -0400
15747 -@@ -41,6 +41,7 @@
15748 - #include <linux/bitops.h>
15749 - #include <linux/mpage.h>
15750 - #include <linux/bit_spinlock.h>
15751 -+#include <linux/grsecurity.h>
15752 -
15753 - static int fsync_buffers_list(spinlock_t *lock, struct list_head *list);
15754 -
15755 -@@ -2170,6 +2171,7 @@ int generic_cont_expand_simple(struct in
15756 -
15757 - err = -EFBIG;
15758 - limit = current->signal->rlim[RLIMIT_FSIZE].rlim_cur;
15759 -+ gr_learn_resource(current, RLIMIT_FSIZE, (unsigned long) size, 1);
15760 - if (limit != RLIM_INFINITY && size > (loff_t)limit) {
15761 - send_sig(SIGXFSZ, current, 0);
15762 - goto out;
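Review bot: the new gr_learn_resource() call casts size (a loff_t) to unsigned long, so on 32-bit builds a file offset above 4 GiB is truncated before it is recorded, while the check on the very next line compares the full 64-bit value against (loff_t)limit. Either widen the learn interface to take the 64-bit value or document that learned RLIMIT_FSIZE values are truncated on 32-bit; otherwise the learned limit can be far smaller than what the expansion actually needed.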
15763 -diff -urNp linux-2.6.24.4/fs/cifs/cifs_uniupr.h linux-2.6.24.4/fs/cifs/cifs_uniupr.h
15764 ---- linux-2.6.24.4/fs/cifs/cifs_uniupr.h 2008-03-24 14:49:18.000000000 -0400
15765 -+++ linux-2.6.24.4/fs/cifs/cifs_uniupr.h 2008-03-26 17:56:56.000000000 -0400
15766 -@@ -132,7 +132,7 @@ const struct UniCaseRange CifsUniUpperRa
15767 - {0x0490, 0x04cc, UniCaseRangeU0490},
15768 - {0x1e00, 0x1ffc, UniCaseRangeU1e00},
15769 - {0xff40, 0xff5a, UniCaseRangeUff40},
15770 -- {0}
15771 -+ {0, 0, NULL}
15772 - };
15773 - #endif
15774 -
15775 -diff -urNp linux-2.6.24.4/fs/cifs/link.c linux-2.6.24.4/fs/cifs/link.c
15776 ---- linux-2.6.24.4/fs/cifs/link.c 2008-03-24 14:49:18.000000000 -0400
15777 -+++ linux-2.6.24.4/fs/cifs/link.c 2008-03-26 17:56:56.000000000 -0400
15778 -@@ -355,7 +355,7 @@ cifs_readlink(struct dentry *direntry, c
15779 -
15780 - void cifs_put_link(struct dentry *direntry, struct nameidata *nd, void *cookie)
15781 - {
15782 -- char *p = nd_get_link(nd);
15783 -+ const char *p = nd_get_link(nd);
15784 - if (!IS_ERR(p))
15785 - kfree(p);
15786 - }
15787 -diff -urNp linux-2.6.24.4/fs/compat.c linux-2.6.24.4/fs/compat.c
15788 ---- linux-2.6.24.4/fs/compat.c 2008-03-24 14:49:18.000000000 -0400
15789 -+++ linux-2.6.24.4/fs/compat.c 2008-03-26 17:56:56.000000000 -0400
15790 -@@ -50,6 +50,7 @@
15791 - #include <linux/poll.h>
15792 - #include <linux/mm.h>
15793 - #include <linux/eventpoll.h>
15794 -+#include <linux/grsecurity.h>
15795 -
15796 - #include <asm/uaccess.h>
15797 - #include <asm/mmu_context.h>
15798 -@@ -1300,14 +1301,12 @@ static int compat_copy_strings(int argc,
15799 - if (!kmapped_page || kpos != (pos & PAGE_MASK)) {
15800 - struct page *page;
15801 -
15802 --#ifdef CONFIG_STACK_GROWSUP
15803 - ret = expand_stack_downwards(bprm->vma, pos);
15804 - if (ret < 0) {
15805 - /* We've exceed the stack rlimit. */
15806 - ret = -E2BIG;
15807 - goto out;
15808 - }
15809 --#endif
15810 - ret = get_user_pages(current, bprm->mm, pos,
15811 - 1, 1, 1, &page, NULL);
15812 - if (ret <= 0) {
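Review bot: dropping the CONFIG_STACK_GROWSUP guard makes expand_stack_downwards() run for every page of compat_copy_strings(), not only on grow-up architectures; that mirrors the get_arg_page() change to fs/exec.c later in this patch, but it means the call is now also made for addresses already inside the stack vma, so the change relies on expand_stack_downwards() being a cheap no-op in that case. A comment noting that the argument stack is always built downwards here would stop someone from re-adding the ifdef, and the pre-existing typo in the comment ("We've exceed") could be fixed while the lines are being touched.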
15813 -@@ -1353,6 +1352,11 @@ int compat_do_execve(char * filename,
15814 - compat_uptr_t __user *envp,
15815 - struct pt_regs * regs)
15816 - {
15817 -+#ifdef CONFIG_GRKERNSEC
15818 -+ struct file *old_exec_file;
15819 -+ struct acl_subject_label *old_acl;
15820 -+ struct rlimit old_rlim[RLIM_NLIMITS];
15821 -+#endif
15822 - struct linux_binprm *bprm;
15823 - struct file *file;
15824 - int retval;
15825 -@@ -1373,6 +1377,14 @@ int compat_do_execve(char * filename,
15826 - bprm->filename = filename;
15827 - bprm->interp = filename;
15828 -
15829 -+ gr_learn_resource(current, RLIMIT_NPROC, atomic_read(&current->user->processes), 1);
15830 -+ retval = -EAGAIN;
15831 -+ if (gr_handle_nproc())
15832 -+ goto out_file;
15833 -+ retval = -EACCES;
15834 -+ if (!gr_acl_handle_execve(file->f_dentry, file->f_vfsmnt))
15835 -+ goto out_file;
15836 -+
15837 - retval = bprm_mm_init(bprm);
15838 - if (retval)
15839 - goto out_file;
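Review bot: the two new "goto out_file" exits rely on out_file releasing the executable (allow_write_access()/fput()), which only holds if bprm->file has already been assigned at this point; the context shown starts at "bprm->filename = filename;", so please confirm the assignment precedes it. The native do_execve() hunk in fs/exec.c handles the same two failures by calling allow_write_access(file) and fput(file) by hand and returning, so the two paths should at least agree on which cleanup they use.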
15840 -@@ -1406,8 +1418,36 @@ int compat_do_execve(char * filename,
15841 - if (retval < 0)
15842 - goto out;
15843 -
15844 -+ if (!gr_tpe_allow(file)) {
15845 -+ retval = -EACCES;
15846 -+ goto out;
15847 -+ }
15848 -+
15849 -+ if (gr_check_crash_exec(file)) {
15850 -+ retval = -EACCES;
15851 -+ goto out;
15852 -+ }
15853 -+
15854 -+ gr_log_chroot_exec(file->f_dentry, file->f_vfsmnt);
15855 -+
15856 -+ gr_handle_exec_args(bprm, (char __user * __user *)argv);
15857 -+
15858 -+#ifdef CONFIG_GRKERNSEC
15859 -+ old_acl = current->acl;
15860 -+ memcpy(old_rlim, current->signal->rlim, sizeof(old_rlim));
15861 -+ old_exec_file = current->exec_file;
15862 -+ get_file(file);
15863 -+ current->exec_file = file;
15864 -+#endif
15865 -+
15866 -+ gr_set_proc_label(file->f_dentry, file->f_vfsmnt);
15867 -+
15868 - retval = search_binary_handler(bprm, regs);
15869 - if (retval >= 0) {
15870 -+#ifdef CONFIG_GRKERNSEC
15871 -+ if (old_exec_file)
15872 -+ fput(old_exec_file);
15873 -+#endif
15874 - /* execve success */
15875 - security_bprm_free(bprm);
15876 - acct_update_integrals(current);
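Review bot: "gr_set_proc_label(file->f_dentry, file->f_vfsmnt);" discards its return value here, whereas the do_execve() hunk in fs/exec.c assigns it to retval and jumps to out_fail on a negative result so that acl, rlim and exec_file are restored. The compat path should do the same: "retval = gr_set_proc_label(...); if (retval < 0) goto out_fail;", with the CONFIG_GRKERNSEC restore block in the next hunk given an out_fail: label. As written, a label-assignment failure on a 32-bit execve under a 64-bit kernel is silently ignored and the new image runs without the failure ever being reported.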
15877 -@@ -1415,6 +1455,13 @@ int compat_do_execve(char * filename,
15878 - return retval;
15879 - }
15880 -
15881 -+#ifdef CONFIG_GRKERNSEC
15882 -+ current->acl = old_acl;
15883 -+ memcpy(current->signal->rlim, old_rlim, sizeof(old_rlim));
15884 -+ fput(current->exec_file);
15885 -+ current->exec_file = old_exec_file;
15886 -+#endif
15887 -+
15888 - out:
15889 - if (bprm->security)
15890 - security_bprm_free(bprm);
15891 -diff -urNp linux-2.6.24.4/fs/compat_ioctl.c linux-2.6.24.4/fs/compat_ioctl.c
15892 ---- linux-2.6.24.4/fs/compat_ioctl.c 2008-03-24 14:49:18.000000000 -0400
15893 -+++ linux-2.6.24.4/fs/compat_ioctl.c 2008-03-26 17:56:56.000000000 -0400
15894 -@@ -1890,15 +1890,15 @@ struct ioctl_trans {
15895 - };
15896 -
15897 - #define HANDLE_IOCTL(cmd,handler) \
15898 -- { (cmd), (ioctl_trans_handler_t)(handler) },
15899 -+ { (cmd), (ioctl_trans_handler_t)(handler), NULL },
15900 -
15901 - /* pointer to compatible structure or no argument */
15902 - #define COMPATIBLE_IOCTL(cmd) \
15903 -- { (cmd), do_ioctl32_pointer },
15904 -+ { (cmd), do_ioctl32_pointer, NULL },
15905 -
15906 - /* argument is an unsigned long integer, not a pointer */
15907 - #define ULONG_IOCTL(cmd) \
15908 -- { (cmd), (ioctl_trans_handler_t)sys_ioctl },
15909 -+ { (cmd), (ioctl_trans_handler_t)sys_ioctl, NULL },
15910 -
15911 - /* ioctl should not be warned about even if it's not implemented.
15912 - Valid reasons to use this:
15913 -diff -urNp linux-2.6.24.4/fs/debugfs/inode.c linux-2.6.24.4/fs/debugfs/inode.c
15914 ---- linux-2.6.24.4/fs/debugfs/inode.c 2008-03-24 14:49:18.000000000 -0400
15915 -+++ linux-2.6.24.4/fs/debugfs/inode.c 2008-03-26 17:56:56.000000000 -0400
15916 -@@ -125,7 +125,7 @@ static inline int debugfs_positive(struc
15917 -
15918 - static int debug_fill_super(struct super_block *sb, void *data, int silent)
15919 - {
15920 -- static struct tree_descr debug_files[] = {{""}};
15921 -+ static struct tree_descr debug_files[] = {{"", NULL, 0}};
15922 -
15923 - return simple_fill_super(sb, DEBUGFS_MAGIC, debug_files);
15924 - }
15925 -diff -urNp linux-2.6.24.4/fs/exec.c linux-2.6.24.4/fs/exec.c
15926 ---- linux-2.6.24.4/fs/exec.c 2008-03-24 14:49:18.000000000 -0400
15927 -+++ linux-2.6.24.4/fs/exec.c 2008-03-26 18:53:27.000000000 -0400
15928 -@@ -51,6 +51,8 @@
15929 - #include <linux/tsacct_kern.h>
15930 - #include <linux/cn_proc.h>
15931 - #include <linux/audit.h>
15932 -+#include <linux/random.h>
15933 -+#include <linux/grsecurity.h>
15934 -
15935 - #include <asm/uaccess.h>
15936 - #include <asm/mmu_context.h>
15937 -@@ -60,6 +62,11 @@
15938 - #include <linux/kmod.h>
15939 - #endif
15940 -
15941 -+#ifdef CONFIG_PAX_HOOK_ACL_FLAGS
15942 -+void (*pax_set_initial_flags_func)(struct linux_binprm *bprm);
15943 -+EXPORT_SYMBOL(pax_set_initial_flags_func);
15944 -+#endif
15945 -+
15946 - int core_uses_pid;
15947 - char core_pattern[CORENAME_MAX_SIZE] = "core";
15948 - int suid_dumpable = 0;
15949 -@@ -158,18 +165,10 @@ static struct page *get_arg_page(struct
15950 - int write)
15951 - {
15952 - struct page *page;
15953 -- int ret;
15954 -
15955 --#ifdef CONFIG_STACK_GROWSUP
15956 -- if (write) {
15957 -- ret = expand_stack_downwards(bprm->vma, pos);
15958 -- if (ret < 0)
15959 -- return NULL;
15960 -- }
15961 --#endif
15962 -- ret = get_user_pages(current, bprm->mm, pos,
15963 -- 1, write, 1, &page, NULL);
15964 -- if (ret <= 0)
15965 -+ if (0 > expand_stack_downwards(bprm->vma, pos))
15966 -+ return NULL;
15967 -+ if (0 >= get_user_pages(current, bprm->mm, pos, 1, write, 1, &page, NULL))
15968 - return NULL;
15969 -
15970 - if (write) {
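Review bot: the rewrite calls expand_stack_downwards() for read-only lookups too (the removed code only did so under "if (write)"), so every call with write == 0 now also goes through the expansion path; if that is deliberate, a comment should say why, because it changes behaviour beyond removing the CONFIG_STACK_GROWSUP guard. Style-wise, "0 > expand_stack_downwards(...)" and "0 >= get_user_pages(...)" read awkwardly next to the rest of the file, which writes "ret < 0" and "ret <= 0"; keeping ret and the usual comparison order would also leave the error value available when debugging a failed exec.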
15971 -@@ -234,6 +233,11 @@ static int __bprm_mm_init(struct linux_b
15972 - vma->vm_start = vma->vm_end - PAGE_SIZE;
15973 -
15974 - vma->vm_flags = VM_STACK_FLAGS;
15975 -+
15976 -+#ifdef CONFIG_PAX_SEGMEXEC
15977 -+ vma->vm_flags &= ~(VM_EXEC | VM_MAYEXEC);
15978 -+#endif
15979 -+
15980 - vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
15981 - err = insert_vm_struct(mm, vma);
15982 - if (err) {
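Review bot: the VM_EXEC|VM_MAYEXEC clear on the initial stack vma is keyed on CONFIG_PAX_SEGMEXEC alone, presumably because mm->pax_flags is not known this early, whereas the setup_arg_pages() hunk below tests MF_PAX_SEGMEXEC in mm->pax_flags at run time; so the early clear also hits processes that end up with SEGMEXEC disabled, and the final answer comes only from setup_arg_pages() recomputing vm_flags (its new "else vm_flags = VM_STACK_FLAGS;" branch) and re-applying the mask from mm->pax_flags. That dependency is worth a comment at this site so the two places are not tuned independently.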
15983 -@@ -246,6 +250,11 @@ static int __bprm_mm_init(struct linux_b
15984 -
15985 - bprm->p = vma->vm_end - sizeof(void *);
15986 -
15987 -+#ifdef CONFIG_PAX_RANDUSTACK
15988 -+ if (randomize_va_space)
15989 -+ bprm->p ^= (pax_get_random_long() & ~15) & ~PAGE_MASK;
15990 -+#endif
15991 -+
15992 - return 0;
15993 -
15994 - err:
15995 -@@ -369,7 +378,7 @@ static int count(char __user * __user *
15996 - if (!p)
15997 - break;
15998 - argv++;
15999 -- if(++i > max)
16000 -+ if (++i > max)
16001 - return -E2BIG;
16002 - cond_resched();
16003 - }
16004 -@@ -509,6 +518,10 @@ static int shift_arg_pages(struct vm_are
16005 - if (vma != find_vma(mm, new_start))
16006 - return -EFAULT;
16007 -
16008 -+#ifdef CONFIG_PAX_SEGMEXEC
16009 -+ BUG_ON(pax_find_mirror_vma(vma));
16010 -+#endif
16011 -+
16012 - /*
16013 - * cover the whole range: [new_start, old_end)
16014 - */
16015 -@@ -597,6 +610,14 @@ int setup_arg_pages(struct linux_binprm
16016 - bprm->exec -= stack_shift;
16017 -
16018 - down_write(&mm->mmap_sem);
16019 -+
16020 -+ /* Move stack pages down in memory. */
16021 -+ if (stack_shift) {
16022 -+ ret = shift_arg_pages(vma, stack_shift);
16023 -+ if (ret)
16024 -+ goto out_unlock;
16025 -+ }
16026 -+
16027 - vm_flags = vma->vm_flags;
16028 -
16029 - /*
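Review bot: moving the shift_arg_pages() call ahead of mprotect_fixup() changes the order in which the stack is relocated and re-protected; the old placement, removed in the next hunk, ran it after the BUG_ON(prev != vma). If the reordering is needed for the SEGMEXEC mirror handling, a comment should say so. Note also that the new "goto out_unlock" only propagates the error because the last hunk of this function changes "return 0;" to "return ret;"; the two hunks must always travel together.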
16030 -@@ -608,23 +629,28 @@ int setup_arg_pages(struct linux_binprm
16031 - vm_flags |= VM_EXEC;
16032 - else if (executable_stack == EXSTACK_DISABLE_X)
16033 - vm_flags &= ~VM_EXEC;
16034 -+ else
16035 -+ vm_flags = VM_STACK_FLAGS;
16036 - vm_flags |= mm->def_flags;
16037 -
16038 -+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
16039 -+ if (mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
16040 -+ vm_flags &= ~VM_EXEC;
16041 -+
16042 -+#ifdef CONFIG_PAX_MPROTECT
16043 -+ if (mm->pax_flags & MF_PAX_MPROTECT)
16044 -+ vm_flags &= ~VM_MAYEXEC;
16045 -+#endif
16046 -+
16047 -+ }
16048 -+#endif
16049 -+
16050 - ret = mprotect_fixup(vma, &prev, vma->vm_start, vma->vm_end,
16051 - vm_flags);
16052 - if (ret)
16053 - goto out_unlock;
16054 - BUG_ON(prev != vma);
16055 -
16056 -- /* Move stack pages down in memory. */
16057 -- if (stack_shift) {
16058 -- ret = shift_arg_pages(vma, stack_shift);
16059 -- if (ret) {
16060 -- up_write(&mm->mmap_sem);
16061 -- return ret;
16062 -- }
16063 -- }
16064 --
16065 - #ifdef CONFIG_STACK_GROWSUP
16066 - stack_base = vma->vm_end + EXTRA_STACK_VM_PAGES * PAGE_SIZE;
16067 - #else
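Review bot: the new "else vm_flags = VM_STACK_FLAGS;" branch does more than leave the exec bit alone for the default case: it overwrites all of vm_flags, including whatever __bprm_mm_init() left in the vma, with the arch default, and then relies on the PAGEEXEC/SEGMEXEC block that follows to strip VM_EXEC again and, under MPROTECT, VM_MAYEXEC. Either restrict the assignment to the exec bits or note explicitly that the intent is to reset the stack vma flags before the PaX mask is applied.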
16068 -@@ -636,7 +662,7 @@ int setup_arg_pages(struct linux_binprm
16069 -
16070 - out_unlock:
16071 - up_write(&mm->mmap_sem);
16072 -- return 0;
16073 -+ return ret;
16074 - }
16075 - EXPORT_SYMBOL(setup_arg_pages);
16076 -
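Review bot: "return ret;" at out_unlock is a real fix on its own: every "goto out_unlock" in this function previously returned 0 to the caller even after mprotect_fixup() (and now shift_arg_pages()) had failed, so the exec continued with a half-set-up stack. It is worth splitting out and sending upstream separately from the PaX changes.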
16077 -@@ -655,7 +681,7 @@ struct file *open_exec(const char *name)
16078 - struct inode *inode = nd.dentry->d_inode;
16079 - file = ERR_PTR(-EACCES);
16080 - if (S_ISREG(inode->i_mode)) {
16081 -- int err = vfs_permission(&nd, MAY_EXEC);
16082 -+ err = vfs_permission(&nd, MAY_EXEC);
16083 - file = ERR_PTR(err);
16084 - if (!err) {
16085 - file = nameidata_to_filp(&nd, O_RDONLY);
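Review bot: dropping the inner "int err" declaration fixes a shadowing of an outer err in open_exec(), but that outer declaration is outside the visible context, so the hunk cannot be judged on its own; please widen the context or mention the shadowed variable in the changelog.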
16086 -@@ -1293,6 +1319,11 @@ int do_execve(char * filename,
16087 - char __user *__user *envp,
16088 - struct pt_regs * regs)
16089 - {
16090 -+#ifdef CONFIG_GRKERNSEC
16091 -+ struct file *old_exec_file;
16092 -+ struct acl_subject_label *old_acl;
16093 -+ struct rlimit old_rlim[RLIM_NLIMITS];
16094 -+#endif
16095 - struct linux_binprm *bprm;
16096 - struct file *file;
16097 - unsigned long env_p;
16098 -@@ -1308,6 +1339,20 @@ int do_execve(char * filename,
16099 - if (IS_ERR(file))
16100 - goto out_kfree;
16101 -
16102 -+ gr_learn_resource(current, RLIMIT_NPROC, atomic_read(&current->user->processes), 1);
16103 -+
16104 -+ if (gr_handle_nproc()) {
16105 -+ allow_write_access(file);
16106 -+ fput(file);
16107 -+ return -EAGAIN;
16108 -+ }
16109 -+
16110 -+ if (!gr_acl_handle_execve(file->f_dentry, file->f_vfsmnt)) {
16111 -+ allow_write_access(file);
16112 -+ fput(file);
16113 -+ return -EACCES;
16114 -+ }
16115 -+
16116 - sched_exec();
16117 -
16118 - bprm->file = file;
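Review bot: the two new early exits "return -EAGAIN;" and "return -EACCES;" leak bprm: the context just above shows that an open_exec() failure jumps to out_kfree, so bprm has already been allocated by this point and the new returns bypass that kfree. Set retval and "goto out_kfree" after the allow_write_access()/fput() pair instead of returning directly; the compat_do_execve() variant of this change uses a goto for the same reason.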
16119 -@@ -1349,8 +1394,38 @@ int do_execve(char * filename,
16120 - goto out;
16121 - bprm->argv_len = env_p - bprm->p;
16122 -
16123 -+ if (!gr_tpe_allow(file)) {
16124 -+ retval = -EACCES;
16125 -+ goto out;
16126 -+ }
16127 -+
16128 -+ if (gr_check_crash_exec(file)) {
16129 -+ retval = -EACCES;
16130 -+ goto out;
16131 -+ }
16132 -+
16133 -+ gr_log_chroot_exec(file->f_dentry, file->f_vfsmnt);
16134 -+
16135 -+ gr_handle_exec_args(bprm, argv);
16136 -+
16137 -+#ifdef CONFIG_GRKERNSEC
16138 -+ old_acl = current->acl;
16139 -+ memcpy(old_rlim, current->signal->rlim, sizeof(old_rlim));
16140 -+ old_exec_file = current->exec_file;
16141 -+ get_file(file);
16142 -+ current->exec_file = file;
16143 -+#endif
16144 -+
16145 -+ retval = gr_set_proc_label(file->f_dentry, file->f_vfsmnt);
16146 -+ if (retval < 0)
16147 -+ goto out_fail;
16148 -+
16149 - retval = search_binary_handler(bprm,regs);
16150 - if (retval >= 0) {
16151 -+#ifdef CONFIG_GRKERNSEC
16152 -+ if (old_exec_file)
16153 -+ fput(old_exec_file);
16154 -+#endif
16155 - /* execve success */
16156 - free_arg_pages(bprm);
16157 - security_bprm_free(bprm);
16158 -@@ -1359,6 +1434,14 @@ int do_execve(char * filename,
16159 - return retval;
16160 - }
16161 -
16162 -+out_fail:
16163 -+#ifdef CONFIG_GRKERNSEC
16164 -+ current->acl = old_acl;
16165 -+ memcpy(current->signal->rlim, old_rlim, sizeof(old_rlim));
16166 -+ fput(current->exec_file);
16167 -+ current->exec_file = old_exec_file;
16168 -+#endif
16169 -+
16170 - out:
16171 - free_arg_pages(bprm);
16172 - if (bprm->security)
16173 -@@ -1523,6 +1606,114 @@ out:
16174 - return ispipe;
16175 - }
16176 -
16177 -+int pax_check_flags(unsigned long *flags)
16178 -+{
16179 -+ int retval = 0;
16180 -+
16181 -+#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_SEGMEXEC)
16182 -+ if (*flags & MF_PAX_SEGMEXEC)
16183 -+ {
16184 -+ *flags &= ~MF_PAX_SEGMEXEC;
16185 -+ retval = -EINVAL;
16186 -+ }
16187 -+#endif
16188 -+
16189 -+ if ((*flags & MF_PAX_PAGEEXEC)
16190 -+
16191 -+#ifdef CONFIG_PAX_PAGEEXEC
16192 -+ && (*flags & MF_PAX_SEGMEXEC)
16193 -+#endif
16194 -+
16195 -+ )
16196 -+ {
16197 -+ *flags &= ~MF_PAX_PAGEEXEC;
16198 -+ retval = -EINVAL;
16199 -+ }
16200 -+
16201 -+ if ((*flags & MF_PAX_MPROTECT)
16202 -+
16203 -+#ifdef CONFIG_PAX_MPROTECT
16204 -+ && !(*flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC))
16205 -+#endif
16206 -+
16207 -+ )
16208 -+ {
16209 -+ *flags &= ~MF_PAX_MPROTECT;
16210 -+ retval = -EINVAL;
16211 -+ }
16212 -+
16213 -+ if ((*flags & MF_PAX_EMUTRAMP)
16214 -+
16215 -+#ifdef CONFIG_PAX_EMUTRAMP
16216 -+ && !(*flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC))
16217 -+#endif
16218 -+
16219 -+ )
16220 -+ {
16221 -+ *flags &= ~MF_PAX_EMUTRAMP;
16222 -+ retval = -EINVAL;
16223 -+ }
16224 -+
16225 -+ return retval;
16226 -+}
16227 -+
16228 -+EXPORT_SYMBOL(pax_check_flags);
16229 -+
16230 -+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
16231 -+void pax_report_fault(struct pt_regs *regs, void *pc, void *sp)
16232 -+{
16233 -+ struct task_struct *tsk = current;
16234 -+ struct mm_struct *mm = current->mm;
16235 -+ char *buffer_exec = (char *)__get_free_page(GFP_KERNEL);
16236 -+ char *buffer_fault = (char *)__get_free_page(GFP_KERNEL);
16237 -+ char *path_exec = NULL;
16238 -+ char *path_fault = NULL;
16239 -+ unsigned long start = 0UL, end = 0UL, offset = 0UL;
16240 -+
16241 -+ if (buffer_exec && buffer_fault) {
16242 -+ struct vm_area_struct *vma, *vma_exec = NULL, *vma_fault = NULL;
16243 -+
16244 -+ down_read(&mm->mmap_sem);
16245 -+ vma = mm->mmap;
16246 -+ while (vma && (!vma_exec || !vma_fault)) {
16247 -+ if ((vma->vm_flags & VM_EXECUTABLE) && vma->vm_file)
16248 -+ vma_exec = vma;
16249 -+ if (vma->vm_start <= (unsigned long)pc && (unsigned long)pc < vma->vm_end)
16250 -+ vma_fault = vma;
16251 -+ vma = vma->vm_next;
16252 -+ }
16253 -+ if (vma_exec) {
16254 -+ path_exec = d_path(vma_exec->vm_file->f_path.dentry, vma_exec->vm_file->f_path.mnt, buffer_exec, PAGE_SIZE);
16255 -+ if (IS_ERR(path_exec))
16256 -+ path_exec = "<path too long>";
16257 -+ }
16258 -+ if (vma_fault) {
16259 -+ start = vma_fault->vm_start;
16260 -+ end = vma_fault->vm_end;
16261 -+ offset = vma_fault->vm_pgoff << PAGE_SHIFT;
16262 -+ if (vma_fault->vm_file) {
16263 -+ path_fault = d_path(vma_fault->vm_file->f_path.dentry, vma_fault->vm_file->f_path.mnt, buffer_fault, PAGE_SIZE);
16264 -+ if (IS_ERR(path_fault))
16265 -+ path_fault = "<path too long>";
16266 -+ } else
16267 -+ path_fault = "<anonymous mapping>";
16268 -+ }
16269 -+ up_read(&mm->mmap_sem);
16270 -+ }
16271 -+ if (tsk->signal->curr_ip)
16272 -+ printk(KERN_ERR "PAX: From %u.%u.%u.%u: execution attempt in: %s, %08lx-%08lx %08lx\n", NIPQUAD(tsk->signal->curr_ip), path_fault, start, end, offset);
16273 -+ else
16274 -+ printk(KERN_ERR "PAX: execution attempt in: %s, %08lx-%08lx %08lx\n", path_fault, start, end, offset);
16275 -+ printk(KERN_ERR "PAX: terminating task: %s(%s):%d, uid/euid: %u/%u, "
16276 -+ "PC: %p, SP: %p\n", path_exec, tsk->comm, task_pid_nr(tsk),
16277 -+ tsk->uid, tsk->euid, pc, sp);
16278 -+ free_page((unsigned long)buffer_exec);
16279 -+ free_page((unsigned long)buffer_fault);
16280 -+ pax_report_insns(pc, sp);
16281 -+ do_coredump(SIGKILL, SIGKILL, regs);
16282 -+}
16283 -+#endif
16284 -+
16285 - static void zap_process(struct task_struct *start)
16286 - {
16287 - struct task_struct *t;
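Review bot: in pax_report_fault(), if either __get_free_page() fails the whole lookup block is skipped and path_exec and path_fault stay NULL, so both printk()s format a NULL with %s and the report reads "(null)" for the paths; initialising them to a fixed string such as "<unknown>" keeps the log useful under memory pressure (free_page() on a 0 address is safe, so the cleanup itself is fine). The exported pax_check_flags() also has no comment explaining the flag rules it enforces (SEGMEXEC only on x86-32 with CONFIG_PAX_SEGMEXEC, PAGEEXEC rejected without CONFIG_PAX_PAGEEXEC and exclusive with SEGMEXEC otherwise, MPROTECT and EMUTRAMP each requiring one of the two); a short header comment would spare the next reader from decoding the nested #ifdefs.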
16288 -@@ -1720,6 +1911,10 @@ int do_coredump(long signr, int exit_cod
16289 - */
16290 - clear_thread_flag(TIF_SIGPENDING);
16291 -
16292 -+ if (signr == SIGKILL || signr == SIGILL)
16293 -+ gr_handle_brute_attach(current);
16294 -+ gr_learn_resource(current, RLIMIT_CORE, binfmt->min_coredump, 1);
16295 -+
16296 - /*
16297 - * lock_kernel() because format_corename() is controlled by sysctl, which
16298 - * uses lock_kernel()
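Review bot: gr_handle_brute_attach() is keyed on signr being SIGKILL or SIGILL; the SIGKILL case is exactly what pax_report_fault() above feeds in via do_coredump(SIGKILL, SIGKILL, regs), so a comment here tying the two together would help. The binfmt->min_coredump dereference in the learn call relies on the NULL check of current->binfmt earlier in do_coredump(), which is outside this context; confirm nothing between that check and this point can drop binfmt.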
16299 -@@ -1740,6 +1935,8 @@ int do_coredump(long signr, int exit_cod
16300 -
16301 - if (ispipe) {
16302 - helper_argv = argv_split(GFP_KERNEL, corename+1, &helper_argc);
16303 -+ if (!helper_argv)
16304 -+ goto fail_unlock;
16305 - /* Terminate the string before the first option */
16306 - delimit = strchr(corename, ' ');
16307 - if (delimit)
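Review bot: the "if (!helper_argv) goto fail_unlock;" check is a genuine mainline bug fix (argv_split() returns NULL on allocation failure and the old code passed it straight on) with nothing grsecurity-specific in it, so it should go upstream as a separate patch. Also check that retval holds a sensible error when fail_unlock is reached from here; the hunk does not set one.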
16308 -diff -urNp linux-2.6.24.4/fs/ext2/balloc.c linux-2.6.24.4/fs/ext2/balloc.c
16309 ---- linux-2.6.24.4/fs/ext2/balloc.c 2008-03-24 14:49:18.000000000 -0400
16310 -+++ linux-2.6.24.4/fs/ext2/balloc.c 2008-03-26 17:56:56.000000000 -0400
16311 -@@ -1127,7 +1127,7 @@ static int ext2_has_free_blocks(struct e
16312 -
16313 - free_blocks = percpu_counter_read_positive(&sbi->s_freeblocks_counter);
16314 - root_blocks = le32_to_cpu(sbi->s_es->s_r_blocks_count);
16315 -- if (free_blocks < root_blocks + 1 && !capable(CAP_SYS_RESOURCE) &&
16316 -+ if (free_blocks < root_blocks + 1 && !capable_nolog(CAP_SYS_RESOURCE) &&
16317 - sbi->s_resuid != current->fsuid &&
16318 - (sbi->s_resgid == 0 || !in_group_p (sbi->s_resgid))) {
16319 - return 0;
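Review bot: swapping capable() for capable_nolog() here (and identically in the ext3 and ext4 hunks below) stops the reserved-blocks check from logging a capability denial every time an unprivileged writer runs into the root-reserved area, which is routine rather than a policy violation. The hunk shows no declaration for capable_nolog(), so it depends on the grsecurity headers added elsewhere in this patch; since all three filesystems get the same one-line change, a shared comment or changelog sentence stating why the quiet variant is used would help.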
16320 -diff -urNp linux-2.6.24.4/fs/ext3/balloc.c linux-2.6.24.4/fs/ext3/balloc.c
16321 ---- linux-2.6.24.4/fs/ext3/balloc.c 2008-03-24 14:49:18.000000000 -0400
16322 -+++ linux-2.6.24.4/fs/ext3/balloc.c 2008-03-26 17:56:56.000000000 -0400
16323 -@@ -1359,7 +1359,7 @@ static int ext3_has_free_blocks(struct e
16324 -
16325 - free_blocks = percpu_counter_read_positive(&sbi->s_freeblocks_counter);
16326 - root_blocks = le32_to_cpu(sbi->s_es->s_r_blocks_count);
16327 -- if (free_blocks < root_blocks + 1 && !capable(CAP_SYS_RESOURCE) &&
16328 -+ if (free_blocks < root_blocks + 1 && !capable_nolog(CAP_SYS_RESOURCE) &&
16329 - sbi->s_resuid != current->fsuid &&
16330 - (sbi->s_resgid == 0 || !in_group_p (sbi->s_resgid))) {
16331 - return 0;
16332 -diff -urNp linux-2.6.24.4/fs/ext3/namei.c linux-2.6.24.4/fs/ext3/namei.c
16333 ---- linux-2.6.24.4/fs/ext3/namei.c 2008-03-24 14:49:18.000000000 -0400
16334 -+++ linux-2.6.24.4/fs/ext3/namei.c 2008-03-26 17:56:56.000000000 -0400
16335 -@@ -1181,9 +1181,9 @@ static struct ext3_dir_entry_2 *do_split
16336 - u32 hash2;
16337 - struct dx_map_entry *map;
16338 - char *data1 = (*bh)->b_data, *data2;
16339 -- unsigned split, move, size, i;
16340 -+ unsigned split, move, size;
16341 - struct ext3_dir_entry_2 *de = NULL, *de2;
16342 -- int err = 0;
16343 -+ int i, err = 0;
16344 -
16345 - bh2 = ext3_append (handle, dir, &newblock, &err);
16346 - if (!(bh2)) {
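Review bot: moving i from the unsigned declaration to "int i, err = 0;" reads as a no-op on its own; it only matters if i is used in a descending loop with an "i >= 0" bound, where an unsigned counter never terminates. That loop is not in the visible context, so please add a short comment at the declaration (or a changelog line) explaining it; the ext4 hunk below makes the identical change and needs the same note. If this is a real termination bug it belongs upstream as its own fix.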
16347 -diff -urNp linux-2.6.24.4/fs/ext3/xattr.c linux-2.6.24.4/fs/ext3/xattr.c
16348 ---- linux-2.6.24.4/fs/ext3/xattr.c 2008-03-24 14:49:18.000000000 -0400
16349 -+++ linux-2.6.24.4/fs/ext3/xattr.c 2008-03-26 17:56:56.000000000 -0400
16350 -@@ -89,8 +89,8 @@
16351 - printk("\n"); \
16352 - } while (0)
16353 - #else
16354 --# define ea_idebug(f...)
16355 --# define ea_bdebug(f...)
16356 -+# define ea_idebug(f...) do {} while (0)
16357 -+# define ea_bdebug(f...) do {} while (0)
16358 - #endif
16359 -
16360 - static void ext3_xattr_cache_insert(struct buffer_head *);
16361 -diff -urNp linux-2.6.24.4/fs/ext4/balloc.c linux-2.6.24.4/fs/ext4/balloc.c
16362 ---- linux-2.6.24.4/fs/ext4/balloc.c 2008-03-24 14:49:18.000000000 -0400
16363 -+++ linux-2.6.24.4/fs/ext4/balloc.c 2008-03-26 17:56:56.000000000 -0400
16364 -@@ -1479,7 +1479,7 @@ static int ext4_has_free_blocks(struct e
16365 -
16366 - free_blocks = percpu_counter_read_positive(&sbi->s_freeblocks_counter);
16367 - root_blocks = ext4_r_blocks_count(sbi->s_es);
16368 -- if (free_blocks < root_blocks + 1 && !capable(CAP_SYS_RESOURCE) &&
16369 -+ if (free_blocks < root_blocks + 1 && !capable_nolog(CAP_SYS_RESOURCE) &&
16370 - sbi->s_resuid != current->fsuid &&
16371 - (sbi->s_resgid == 0 || !in_group_p (sbi->s_resgid))) {
16372 - return 0;
16373 -diff -urNp linux-2.6.24.4/fs/ext4/namei.c linux-2.6.24.4/fs/ext4/namei.c
16374 ---- linux-2.6.24.4/fs/ext4/namei.c 2008-03-24 14:49:18.000000000 -0400
16375 -+++ linux-2.6.24.4/fs/ext4/namei.c 2008-03-26 17:56:56.000000000 -0400
16376 -@@ -1178,9 +1178,9 @@ static struct ext4_dir_entry_2 *do_split
16377 - u32 hash2;
16378 - struct dx_map_entry *map;
16379 - char *data1 = (*bh)->b_data, *data2;
16380 -- unsigned split, move, size, i;
16381 -+ unsigned split, move, size;
16382 - struct ext4_dir_entry_2 *de = NULL, *de2;
16383 -- int err = 0;
16384 -+ int i, err = 0;
16385 -
16386 - bh2 = ext4_append (handle, dir, &newblock, &err);
16387 - if (!(bh2)) {
16388 -diff -urNp linux-2.6.24.4/fs/fcntl.c linux-2.6.24.4/fs/fcntl.c
16389 ---- linux-2.6.24.4/fs/fcntl.c 2008-03-24 14:49:18.000000000 -0400
16390 -+++ linux-2.6.24.4/fs/fcntl.c 2008-03-26 17:56:56.000000000 -0400
16391 -@@ -19,6 +19,7 @@
16392 - #include <linux/signal.h>
16393 - #include <linux/rcupdate.h>
16394 - #include <linux/pid_namespace.h>
16395 -+#include <linux/grsecurity.h>
16396 -
16397 - #include <asm/poll.h>
16398 - #include <asm/siginfo.h>
16399 -@@ -64,6 +65,7 @@ static int locate_fd(struct files_struct
16400 - struct fdtable *fdt;
16401 -
16402 - error = -EINVAL;
16403 -+ gr_learn_resource(current, RLIMIT_NOFILE, orig_start, 0);
16404 - if (orig_start >= current->signal->rlim[RLIMIT_NOFILE].rlim_cur)
16405 - goto out;
16406 -
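Review bot: the trailing argument of gr_learn_resource() is 0 here and in the other RLIMIT_NOFILE calls in this file, but 1 at the RLIMIT_FSIZE and RLIMIT_CORE sites earlier in this patch; from the adjacent checks it appears to encode whether the limit is compared with ">=" (0) or ">" (1), yet nothing at any call site says so. A comment at the first call, or a named macro instead of a bare 0/1, would make the call sites self-explanatory.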
16407 -@@ -83,6 +85,7 @@ repeat:
16408 - fdt->max_fds, start);
16409 -
16410 - error = -EMFILE;
16411 -+ gr_learn_resource(current, RLIMIT_NOFILE, newfd, 0);
16412 - if (newfd >= current->signal->rlim[RLIMIT_NOFILE].rlim_cur)
16413 - goto out;
16414 -
16415 -@@ -144,6 +147,8 @@ asmlinkage long sys_dup2(unsigned int ol
16416 - struct files_struct * files = current->files;
16417 - struct fdtable *fdt;
16418 -
16419 -+ gr_learn_resource(current, RLIMIT_NOFILE, newfd, 0);
16420 -+
16421 - spin_lock(&files->file_lock);
16422 - if (!(file = fcheck(oldfd)))
16423 - goto out_unlock;
16424 -@@ -463,7 +468,8 @@ static inline int sigio_perm(struct task
16425 - return (((fown->euid == 0) ||
16426 - (fown->euid == p->suid) || (fown->euid == p->uid) ||
16427 - (fown->uid == p->suid) || (fown->uid == p->uid)) &&
16428 -- !security_file_send_sigiotask(p, fown, sig));
16429 -+ !security_file_send_sigiotask(p, fown, sig) &&
16430 -+ !gr_check_protected_task(p) && !gr_pid_is_chrooted(p));
16431 - }
16432 -
16433 - static void send_sigio_to_task(struct task_struct *p,
16434 -diff -urNp linux-2.6.24.4/fs/fuse/control.c linux-2.6.24.4/fs/fuse/control.c
16435 ---- linux-2.6.24.4/fs/fuse/control.c 2008-03-24 14:49:18.000000000 -0400
16436 -+++ linux-2.6.24.4/fs/fuse/control.c 2008-03-26 17:56:56.000000000 -0400
16437 -@@ -159,7 +159,7 @@ void fuse_ctl_remove_conn(struct fuse_co
16438 -
16439 - static int fuse_ctl_fill_super(struct super_block *sb, void *data, int silent)
16440 - {
16441 -- struct tree_descr empty_descr = {""};
16442 -+ struct tree_descr empty_descr = {"", NULL, 0};
16443 - struct fuse_conn *fc;
16444 - int err;
16445 -
16446 -diff -urNp linux-2.6.24.4/fs/fuse/dir.c linux-2.6.24.4/fs/fuse/dir.c
16447 ---- linux-2.6.24.4/fs/fuse/dir.c 2008-03-24 14:49:18.000000000 -0400
16448 -+++ linux-2.6.24.4/fs/fuse/dir.c 2008-03-26 17:56:56.000000000 -0400
16449 -@@ -1030,7 +1030,7 @@ static char *read_link(struct dentry *de
16450 - return link;
16451 - }
16452 -
16453 --static void free_link(char *link)
16454 -+static void free_link(const char *link)
16455 - {
16456 - if (!IS_ERR(link))
16457 - free_page((unsigned long) link);
16458 -diff -urNp linux-2.6.24.4/fs/hfs/inode.c linux-2.6.24.4/fs/hfs/inode.c
16459 ---- linux-2.6.24.4/fs/hfs/inode.c 2008-03-24 14:49:18.000000000 -0400
16460 -+++ linux-2.6.24.4/fs/hfs/inode.c 2008-03-26 17:56:56.000000000 -0400
16461 -@@ -419,7 +419,7 @@ int hfs_write_inode(struct inode *inode,
16462 -
16463 - if (S_ISDIR(main_inode->i_mode)) {
16464 - if (fd.entrylength < sizeof(struct hfs_cat_dir))
16465 -- /* panic? */;
16466 -+ {/* panic? */}
16467 - hfs_bnode_read(fd.bnode, &rec, fd.entryoffset,
16468 - sizeof(struct hfs_cat_dir));
16469 - if (rec.type != HFS_CDR_DIR ||
16470 -@@ -440,7 +440,7 @@ int hfs_write_inode(struct inode *inode,
16471 - sizeof(struct hfs_cat_file));
16472 - } else {
16473 - if (fd.entrylength < sizeof(struct hfs_cat_file))
16474 -- /* panic? */;
16475 -+ {/* panic? */}
16476 - hfs_bnode_read(fd.bnode, &rec, fd.entryoffset,
16477 - sizeof(struct hfs_cat_file));
16478 - if (rec.type != HFS_CDR_FIL ||
16479 -diff -urNp linux-2.6.24.4/fs/hfsplus/inode.c linux-2.6.24.4/fs/hfsplus/inode.c
16480 ---- linux-2.6.24.4/fs/hfsplus/inode.c 2008-03-24 14:49:18.000000000 -0400
16481 -+++ linux-2.6.24.4/fs/hfsplus/inode.c 2008-03-26 17:56:56.000000000 -0400
16482 -@@ -422,7 +422,7 @@ int hfsplus_cat_read_inode(struct inode
16483 - struct hfsplus_cat_folder *folder = &entry.folder;
16484 -
16485 - if (fd->entrylength < sizeof(struct hfsplus_cat_folder))
16486 -- /* panic? */;
16487 -+ {/* panic? */}
16488 - hfs_bnode_read(fd->bnode, &entry, fd->entryoffset,
16489 - sizeof(struct hfsplus_cat_folder));
16490 - hfsplus_get_perms(inode, &folder->permissions, 1);
16491 -@@ -439,7 +439,7 @@ int hfsplus_cat_read_inode(struct inode
16492 - struct hfsplus_cat_file *file = &entry.file;
16493 -
16494 - if (fd->entrylength < sizeof(struct hfsplus_cat_file))
16495 -- /* panic? */;
16496 -+ {/* panic? */}
16497 - hfs_bnode_read(fd->bnode, &entry, fd->entryoffset,
16498 - sizeof(struct hfsplus_cat_file));
16499 -
16500 -@@ -495,7 +495,7 @@ int hfsplus_cat_write_inode(struct inode
16501 - struct hfsplus_cat_folder *folder = &entry.folder;
16502 -
16503 - if (fd.entrylength < sizeof(struct hfsplus_cat_folder))
16504 -- /* panic? */;
16505 -+ {/* panic? */}
16506 - hfs_bnode_read(fd.bnode, &entry, fd.entryoffset,
16507 - sizeof(struct hfsplus_cat_folder));
16508 - /* simple node checks? */
16509 -@@ -517,7 +517,7 @@ int hfsplus_cat_write_inode(struct inode
16510 - struct hfsplus_cat_file *file = &entry.file;
16511 -
16512 - if (fd.entrylength < sizeof(struct hfsplus_cat_file))
16513 -- /* panic? */;
16514 -+ {/* panic? */}
16515 - hfs_bnode_read(fd.bnode, &entry, fd.entryoffset,
16516 - sizeof(struct hfsplus_cat_file));
16517 - hfsplus_inode_write_fork(inode, &file->data_fork);
16518 -diff -urNp linux-2.6.24.4/fs/jffs2/debug.h linux-2.6.24.4/fs/jffs2/debug.h
16519 ---- linux-2.6.24.4/fs/jffs2/debug.h 2008-03-24 14:49:18.000000000 -0400
16520 -+++ linux-2.6.24.4/fs/jffs2/debug.h 2008-03-26 17:56:56.000000000 -0400
16521 -@@ -51,13 +51,13 @@
16522 - #if CONFIG_JFFS2_FS_DEBUG > 0
16523 - #define D1(x) x
16524 - #else
16525 --#define D1(x)
16526 -+#define D1(x) do {} while (0);
16527 - #endif
16528 -
16529 - #if CONFIG_JFFS2_FS_DEBUG > 1
16530 - #define D2(x) x
16531 - #else
16532 --#define D2(x)
16533 -+#define D2(x) do {} while (0);
16534 - #endif
16535 -
16536 - /* The prefixes of JFFS2 messages */
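Review bot: "#define D1(x) do {} while (0);" and its D2 twin carry a trailing semicolon inside the macro body, so "D1(x);" expands to a double semicolon and an "if (...) D1(x); else ..." no longer compiles; drop the semicolon from both, as the dbg_*() macros in the next hunk of this file already do ("do {} while (0)" with no terminator).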
16537 -@@ -113,68 +113,68 @@
16538 - #ifdef JFFS2_DBG_READINODE_MESSAGES
16539 - #define dbg_readinode(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
16540 - #else
16541 --#define dbg_readinode(fmt, ...)
16542 -+#define dbg_readinode(fmt, ...) do {} while (0)
16543 - #endif
16544 -
16545 - /* Fragtree build debugging messages */
16546 - #ifdef JFFS2_DBG_FRAGTREE_MESSAGES
16547 - #define dbg_fragtree(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
16548 - #else
16549 --#define dbg_fragtree(fmt, ...)
16550 -+#define dbg_fragtree(fmt, ...) do {} while (0)
16551 - #endif
16552 - #ifdef JFFS2_DBG_FRAGTREE2_MESSAGES
16553 - #define dbg_fragtree2(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
16554 - #else
16555 --#define dbg_fragtree2(fmt, ...)
16556 -+#define dbg_fragtree2(fmt, ...) do {} while (0)
16557 - #endif
16558 -
16559 - /* Directory entry list manilulation debugging messages */
16560 - #ifdef JFFS2_DBG_DENTLIST_MESSAGES
16561 - #define dbg_dentlist(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
16562 - #else
16563 --#define dbg_dentlist(fmt, ...)
16564 -+#define dbg_dentlist(fmt, ...) do {} while (0)
16565 - #endif
16566 -
16567 - /* Print the messages about manipulating node_refs */
16568 - #ifdef JFFS2_DBG_NODEREF_MESSAGES
16569 - #define dbg_noderef(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
16570 - #else
16571 --#define dbg_noderef(fmt, ...)
16572 -+#define dbg_noderef(fmt, ...) do {} while (0)
16573 - #endif
16574 -
16575 - /* Manipulations with the list of inodes (JFFS2 inocache) */
16576 - #ifdef JFFS2_DBG_INOCACHE_MESSAGES
16577 - #define dbg_inocache(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
16578 - #else
16579 --#define dbg_inocache(fmt, ...)
16580 -+#define dbg_inocache(fmt, ...) do {} while (0)
16581 - #endif
16582 -
16583 - /* Summary debugging messages */
16584 - #ifdef JFFS2_DBG_SUMMARY_MESSAGES
16585 - #define dbg_summary(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
16586 - #else
16587 --#define dbg_summary(fmt, ...)
16588 -+#define dbg_summary(fmt, ...) do {} while (0)
16589 - #endif
16590 -
16591 - /* File system build messages */
16592 - #ifdef JFFS2_DBG_FSBUILD_MESSAGES
16593 - #define dbg_fsbuild(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
16594 - #else
16595 --#define dbg_fsbuild(fmt, ...)
16596 -+#define dbg_fsbuild(fmt, ...) do {} while (0)
16597 - #endif
16598 -
16599 - /* Watch the object allocations */
16600 - #ifdef JFFS2_DBG_MEMALLOC_MESSAGES
16601 - #define dbg_memalloc(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
16602 - #else
16603 --#define dbg_memalloc(fmt, ...)
16604 -+#define dbg_memalloc(fmt, ...) do {} while (0)
16605 - #endif
16606 -
16607 - /* Watch the XATTR subsystem */
16608 - #ifdef JFFS2_DBG_XATTR_MESSAGES
16609 - #define dbg_xattr(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
16610 - #else
16611 --#define dbg_xattr(fmt, ...)
16612 -+#define dbg_xattr(fmt, ...) do {} while (0)
16613 - #endif
16614 -
16615 - /* "Sanity" checks */
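Review bot: `do {} while (0)` is the right shape for these statement macros, but it discards all type-checking of the format arguments in non-debug builds, so a mismatched `dbg_readinode("%d", ptr)` only shows up once the debug option is enabled. If that matters, expand to `do { if (0) printk(fmt, ##__VA_ARGS__); } while (0)` instead; the compiler still checks the format string and optimises the call away.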
16616 -diff -urNp linux-2.6.24.4/fs/jffs2/erase.c linux-2.6.24.4/fs/jffs2/erase.c
16617 ---- linux-2.6.24.4/fs/jffs2/erase.c 2008-03-24 14:49:18.000000000 -0400
16618 -+++ linux-2.6.24.4/fs/jffs2/erase.c 2008-03-26 17:56:56.000000000 -0400
16619 -@@ -428,7 +428,8 @@ static void jffs2_mark_erased_block(stru
16620 - struct jffs2_unknown_node marker = {
16621 - .magic = cpu_to_je16(JFFS2_MAGIC_BITMASK),
16622 - .nodetype = cpu_to_je16(JFFS2_NODETYPE_CLEANMARKER),
16623 -- .totlen = cpu_to_je32(c->cleanmarker_size)
16624 -+ .totlen = cpu_to_je32(c->cleanmarker_size),
16625 -+ .hdr_crc = cpu_to_je32(0)
16626 - };
16627 -
16628 - jffs2_prealloc_raw_node_refs(c, jeb, 1);
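Review bot: `.hdr_crc = cpu_to_je32(0)` changes nothing at run time, since designated initializers zero every member not named; it exists only to silence -Wmissing-field-initializers, and a one-line comment saying so would stop the next reader wondering whether a header CRC of 0 is a format requirement for the cleanmarker. With `hdr_crc` named, all four members of `struct jffs2_unknown_node` are now listed, so the initializer is complete.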
16629 -diff -urNp linux-2.6.24.4/fs/jffs2/summary.h linux-2.6.24.4/fs/jffs2/summary.h
16630 ---- linux-2.6.24.4/fs/jffs2/summary.h 2008-03-24 14:49:18.000000000 -0400
16631 -+++ linux-2.6.24.4/fs/jffs2/summary.h 2008-03-26 17:56:56.000000000 -0400
16632 -@@ -188,18 +188,18 @@ int jffs2_sum_scan_sumnode(struct jffs2_
16633 -
16634 - #define jffs2_sum_active() (0)
16635 - #define jffs2_sum_init(a) (0)
16636 --#define jffs2_sum_exit(a)
16637 --#define jffs2_sum_disable_collecting(a)
16638 -+#define jffs2_sum_exit(a) do {} while (0)
16639 -+#define jffs2_sum_disable_collecting(a) do {} while (0)
16640 - #define jffs2_sum_is_disabled(a) (0)
16641 --#define jffs2_sum_reset_collected(a)
16642 -+#define jffs2_sum_reset_collected(a) do {} while (0)
16643 - #define jffs2_sum_add_kvec(a,b,c,d) (0)
16644 --#define jffs2_sum_move_collected(a,b)
16645 -+#define jffs2_sum_move_collected(a,b) do {} while (0)
16646 - #define jffs2_sum_write_sumnode(a) (0)
16647 --#define jffs2_sum_add_padding_mem(a,b)
16648 --#define jffs2_sum_add_inode_mem(a,b,c)
16649 --#define jffs2_sum_add_dirent_mem(a,b,c)
16650 --#define jffs2_sum_add_xattr_mem(a,b,c)
16651 --#define jffs2_sum_add_xref_mem(a,b,c)
16652 -+#define jffs2_sum_add_padding_mem(a,b) do {} while (0)
16653 -+#define jffs2_sum_add_inode_mem(a,b,c) do {} while (0)
16654 -+#define jffs2_sum_add_dirent_mem(a,b,c) do {} while (0)
16655 -+#define jffs2_sum_add_xattr_mem(a,b,c) do {} while (0)
16656 -+#define jffs2_sum_add_xref_mem(a,b,c) do {} while (0)
16657 - #define jffs2_sum_scan_sumnode(a,b,c,d,e) (0)
16658 -
16659 - #endif /* CONFIG_JFFS2_SUMMARY */
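Review bot: the split between `(0)` for value-returning stubs and `do {} while (0)` for void ones is right, but note that with CONFIG_JFFS2_SUMMARY off none of these stubs evaluate their arguments in either form, so any side effect in an argument to `jffs2_sum_add_inode_mem(a,b,c)` and friends silently disappears. A comment above the block stating that contract would make it explicit for callers.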
16660 -diff -urNp linux-2.6.24.4/fs/jffs2/wbuf.c linux-2.6.24.4/fs/jffs2/wbuf.c
16661 ---- linux-2.6.24.4/fs/jffs2/wbuf.c 2008-03-24 14:49:18.000000000 -0400
16662 -+++ linux-2.6.24.4/fs/jffs2/wbuf.c 2008-03-26 17:56:56.000000000 -0400
16663 -@@ -1015,7 +1015,8 @@ static const struct jffs2_unknown_node o
16664 - {
16665 - .magic = constant_cpu_to_je16(JFFS2_MAGIC_BITMASK),
16666 - .nodetype = constant_cpu_to_je16(JFFS2_NODETYPE_CLEANMARKER),
16667 -- .totlen = constant_cpu_to_je32(8)
16668 -+ .totlen = constant_cpu_to_je32(8),
16669 -+ .hdr_crc = constant_cpu_to_je32(0)
16670 - };
16671 -
16672 - /*
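Review bot: as with the erase.c hunk, `.hdr_crc = constant_cpu_to_je32(0)` is redundant for correctness and is here only to complete the initializer for -Wmissing-field-initializers; keep the two cleanmarker definitions in step (both now name all four fields) and say in a comment that the explicit zero is for the warning, not a protocol requirement.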
16673 -diff -urNp linux-2.6.24.4/fs/Kconfig linux-2.6.24.4/fs/Kconfig
16674 ---- linux-2.6.24.4/fs/Kconfig 2008-03-24 14:49:18.000000000 -0400
16675 -+++ linux-2.6.24.4/fs/Kconfig 2008-03-26 17:56:56.000000000 -0400
16676 -@@ -937,7 +937,7 @@ config PROC_FS
16677 -
16678 - config PROC_KCORE
16679 - bool "/proc/kcore support" if !ARM
16680 -- depends on PROC_FS && MMU
16681 -+ depends on PROC_FS && MMU && !GRKERNSEC_PROC_ADD
16682 -
16683 - config PROC_VMCORE
16684 - bool "/proc/vmcore support (EXPERIMENTAL)"
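Review bot: adding `!GRKERNSEC_PROC_ADD` to the `depends on` line makes `PROC_KCORE` silently vanish from menuconfig with no hint why, while `PROC_VMCORE` in the very next entry, another kernel-memory image exposed under /proc, is left alone. Either add a sentence to the PROC_KCORE help text saying it is unavailable with the grsecurity /proc restrictions, or decide explicitly whether PROC_VMCORE should get the same dependency so the policy is consistent.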
16685 -diff -urNp linux-2.6.24.4/fs/namei.c linux-2.6.24.4/fs/namei.c
16686 ---- linux-2.6.24.4/fs/namei.c 2008-03-24 14:49:18.000000000 -0400
16687 -+++ linux-2.6.24.4/fs/namei.c 2008-03-26 17:56:56.000000000 -0400
16688 -@@ -30,6 +30,7 @@
16689 - #include <linux/capability.h>
16690 - #include <linux/file.h>
16691 - #include <linux/fcntl.h>
16692 -+#include <linux/grsecurity.h>
16693 - #include <asm/namei.h>
16694 - #include <asm/uaccess.h>
16695 -
16696 -@@ -621,7 +622,7 @@ static __always_inline int __do_follow_l
16697 - cookie = dentry->d_inode->i_op->follow_link(dentry, nd);
16698 - error = PTR_ERR(cookie);
16699 - if (!IS_ERR(cookie)) {
16700 -- char *s = nd_get_link(nd);
16701 -+ const char *s = nd_get_link(nd);
16702 - error = 0;
16703 - if (s)
16704 - error = __vfs_follow_link(nd, s);
16705 -@@ -653,6 +654,13 @@ static inline int do_follow_link(struct
16706 - err = security_inode_follow_link(path->dentry, nd);
16707 - if (err)
16708 - goto loop;
16709 -+
16710 -+ if (gr_handle_follow_link(path->dentry->d_parent->d_inode,
16711 -+ path->dentry->d_inode, path->dentry, nd->mnt)) {
16712 -+ err = -EACCES;
16713 -+ goto loop;
16714 -+ }
16715 -+
16716 - current->link_count++;
16717 - current->total_link_count++;
16718 - nd->depth++;
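Review bot: `path->dentry->d_parent->d_inode` is read here without anything pinning `d_parent`; a concurrent rename can change the parent under us, so `gr_handle_follow_link` may judge the link against a stale parent inode. Either take `dcache_lock` around the read (or dget the parent) or document that a racy parent is acceptable for this policy check. The placement after `security_inode_follow_link` and the `-EACCES` return are consistent with the do_link hunk below.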
16719 -@@ -998,11 +1006,18 @@ return_reval:
16720 - break;
16721 - }
16722 - return_base:
16723 -+ if (!gr_acl_handle_hidden_file(nd->dentry, nd->mnt)) {
16724 -+ path_release(nd);
16725 -+ return -ENOENT;
16726 -+ }
16727 - return 0;
16728 - out_dput:
16729 - dput_path(&next, nd);
16730 - break;
16731 - }
16732 -+ if (!gr_acl_handle_hidden_file(nd->dentry, nd->mnt))
16733 -+ err = -ENOENT;
16734 -+
16735 - path_release(nd);
16736 - return_err:
16737 - return err;
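Review bot: in the `out_dput` path the hidden-file check overwrites whatever error the lookup loop broke out with (`-ENOTDIR`, a permission failure, ...) with `-ENOENT`; that is the right choice for a hidden object, since it stops the caller learning that it exists, but it looks like a bug to a casual reader. Add a comment that the override to `-ENOENT` is deliberate so nobody later "fixes" it to preserve the original error. Reference handling is balanced: the `return_base` branch calls `path_release(nd)` itself and the loop-exit branch relies on the `path_release(nd)` two lines later.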
16738 -@@ -1680,9 +1695,17 @@ static int open_namei_create(struct name
16739 - int error;
16740 - struct dentry *dir = nd->dentry;
16741 -
16742 -+ if (!gr_acl_handle_creat(path->dentry, nd->dentry, nd->mnt, flag, mode)) {
16743 -+ error = -EACCES;
16744 -+ goto out_unlock_dput;
16745 -+ }
16746 -+
16747 - if (!IS_POSIXACL(dir->d_inode))
16748 - mode &= ~current->fs->umask;
16749 - error = vfs_create(dir->d_inode, path->dentry, mode, nd);
16750 -+ if (!error)
16751 -+ gr_handle_create(path->dentry, nd->mnt);
16752 -+out_unlock_dput:
16753 - mutex_unlock(&dir->d_inode->i_mutex);
16754 - dput(nd->dentry);
16755 - nd->dentry = path->dentry;
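Review bot: `gr_acl_handle_creat(path->dentry, nd->dentry, nd->mnt, flag, mode)` runs before `mode &= ~current->fs->umask`, so the ACL sees the caller's requested mode rather than the mode that will actually be created, whereas the sys_mknodat hunk below checks after the umask has been applied. Pick one order and use it in both places; if the pre-umask mode is intended (deny based on what the caller asked for), say so in a comment. The `out_unlock_dput` exit reuses the existing unlock/dput/reassign sequence, so cleanup is balanced.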
16756 -@@ -1733,6 +1756,17 @@ int open_namei(int dfd, const char *path
16757 - nd, flag);
16758 - if (error)
16759 - return error;
16760 -+
16761 -+ if (gr_handle_rawio(nd->dentry->d_inode)) {
16762 -+ error = -EPERM;
16763 -+ goto exit;
16764 -+ }
16765 -+
16766 -+ if (!gr_acl_handle_open(nd->dentry, nd->mnt, flag)) {
16767 -+ error = -EACCES;
16768 -+ goto exit;
16769 -+ }
16770 -+
16771 - goto ok;
16772 - }
16773 -
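Review bot: `-EPERM` from `gr_handle_rawio` versus `-EACCES` from `gr_acl_handle_open` gives userspace two different errors for "grsecurity refused", which is fine if intentional (raw I/O is fixed kernel policy, the other a configured ACL) but the same pair is repeated verbatim in the O_CREAT path below. A small static helper taking `(dentry, mnt, flag)` would keep the two copies from drifting apart.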
16774 -@@ -1782,6 +1816,23 @@ do_last:
16775 - /*
16776 - * It already exists.
16777 - */
16778 -+
16779 -+ if (gr_handle_rawio(path.dentry->d_inode)) {
16780 -+ mutex_unlock(&dir->d_inode->i_mutex);
16781 -+ error = -EPERM;
16782 -+ goto exit_dput;
16783 -+ }
16784 -+ if (!gr_acl_handle_open(path.dentry, nd->mnt, flag)) {
16785 -+ mutex_unlock(&dir->d_inode->i_mutex);
16786 -+ error = -EACCES;
16787 -+ goto exit_dput;
16788 -+ }
16789 -+ if (gr_handle_fifo(path.dentry, nd->mnt, dir, flag, acc_mode)) {
16790 -+ mutex_unlock(&dir->d_inode->i_mutex);
16791 -+ error = -EACCES;
16792 -+ goto exit_dput;
16793 -+ }
16794 -+
16795 - mutex_unlock(&dir->d_inode->i_mutex);
16796 - audit_inode(pathname, path.dentry);
16797 -
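Review bot: these three checks run before `audit_inode(pathname, path.dentry)`, so an open that grsecurity refuses never reaches the kernel audit subsystem; if audit is expected to record denied opens, move the checks after `audit_inode` or make sure grsecurity's own logging covers them. Also each branch repeats `mutex_unlock(&dir->d_inode->i_mutex)` before `goto exit_dput`; a single `exit_mutex_unlock:` label would remove three copies of the unlock and the chance of one being forgotten.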
16798 -@@ -1837,6 +1888,13 @@ do_link:
16799 - error = security_inode_follow_link(path.dentry, nd);
16800 - if (error)
16801 - goto exit_dput;
16802 -+
16803 -+ if (gr_handle_follow_link(path.dentry->d_parent->d_inode, path.dentry->d_inode,
16804 -+ path.dentry, nd->mnt)) {
16805 -+ error = -EACCES;
16806 -+ goto exit_dput;
16807 -+ }
16808 -+
16809 - error = __do_follow_link(&path, nd);
16810 - if (error) {
16811 - /* Does someone understand code flow here? Or it is only
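Review bot: this is a second copy of the `gr_handle_follow_link(path.dentry->d_parent->d_inode, ...)` check from `do_follow_link`, with the same unlocked `d_parent` read; factor it into one static inline so the two stay identical, and document the `d_parent` assumption there once.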
16812 -@@ -1965,6 +2023,22 @@ asmlinkage long sys_mknodat(int dfd, con
16813 - if (!IS_POSIXACL(nd.dentry->d_inode))
16814 - mode &= ~current->fs->umask;
16815 - if (!IS_ERR(dentry)) {
16816 -+ if (gr_handle_chroot_mknod(dentry, nd.mnt, mode)) {
16817 -+ error = -EPERM;
16818 -+ dput(dentry);
16819 -+ mutex_unlock(&nd.dentry->d_inode->i_mutex);
16820 -+ path_release(&nd);
16821 -+ goto out;
16822 -+ }
16823 -+
16824 -+ if (!gr_acl_handle_mknod(dentry, nd.dentry, nd.mnt, mode)) {
16825 -+ error = -EACCES;
16826 -+ dput(dentry);
16827 -+ mutex_unlock(&nd.dentry->d_inode->i_mutex);
16828 -+ path_release(&nd);
16829 -+ goto out;
16830 -+ }
16831 -+
16832 - switch (mode & S_IFMT) {
16833 - case 0: case S_IFREG:
16834 - error = vfs_create(nd.dentry->d_inode,dentry,mode,&nd);
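Review bot: the two denial branches each repeat the four-line `dput / mutex_unlock / path_release / goto out` sequence; a shared label ahead of the existing `dput(dentry)` would shrink this and match the pattern used in the mkdirat and symlinkat hunks. Also `gr_handle_chroot_mknod` runs before the `switch (mode & S_IFMT)`, so a chrooted caller passing an invalid type gets `-EPERM` where an unconfined caller gets `-EINVAL`; harmless, but worth a comment if deliberate. Note that here both checks see `mode` after the umask has been applied, unlike `open_namei_create` above.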
16835 -@@ -1982,6 +2056,10 @@ asmlinkage long sys_mknodat(int dfd, con
16836 - default:
16837 - error = -EINVAL;
16838 - }
16839 -+
16840 -+ if (!error)
16841 -+ gr_handle_create(dentry, nd.mnt);
16842 -+
16843 - dput(dentry);
16844 - }
16845 - mutex_unlock(&nd.dentry->d_inode->i_mutex);
16846 -@@ -2039,9 +2117,18 @@ asmlinkage long sys_mkdirat(int dfd, con
16847 - if (IS_ERR(dentry))
16848 - goto out_unlock;
16849 -
16850 -+ if (!gr_acl_handle_mkdir(dentry, nd.dentry, nd.mnt)) {
16851 -+ error = -EACCES;
16852 -+ goto out_unlock_dput;
16853 -+ }
16854 -+
16855 - if (!IS_POSIXACL(nd.dentry->d_inode))
16856 - mode &= ~current->fs->umask;
16857 - error = vfs_mkdir(nd.dentry->d_inode, dentry, mode);
16858 -+
16859 -+ if (!error)
16860 -+ gr_handle_create(dentry, nd.mnt);
16861 -+out_unlock_dput:
16862 - dput(dentry);
16863 - out_unlock:
16864 - mutex_unlock(&nd.dentry->d_inode->i_mutex);
16865 -@@ -2123,6 +2210,8 @@ static long do_rmdir(int dfd, const char
16866 - char * name;
16867 - struct dentry *dentry;
16868 - struct nameidata nd;
16869 -+ ino_t saved_ino = 0;
16870 -+ dev_t saved_dev = 0;
16871 -
16872 - name = getname(pathname);
16873 - if(IS_ERR(name))
16874 -@@ -2148,7 +2237,22 @@ static long do_rmdir(int dfd, const char
16875 - error = PTR_ERR(dentry);
16876 - if (IS_ERR(dentry))
16877 - goto exit2;
16878 -+
16879 -+ if (dentry->d_inode != NULL) {
16880 -+ if (dentry->d_inode->i_nlink <= 1) {
16881 -+ saved_ino = dentry->d_inode->i_ino;
16882 -+ saved_dev = dentry->d_inode->i_sb->s_dev;
16883 -+ }
16884 -+
16885 -+ if (!gr_acl_handle_rmdir(dentry, nd.mnt)) {
16886 -+ error = -EACCES;
16887 -+ goto dput_exit2;
16888 -+ }
16889 -+ }
16890 - error = vfs_rmdir(nd.dentry->d_inode, dentry);
16891 -+ if (!error && (saved_dev || saved_ino))
16892 -+ gr_handle_delete(saved_ino, saved_dev);
16893 -+dput_exit2:
16894 - dput(dentry);
16895 - exit2:
16896 - mutex_unlock(&nd.dentry->d_inode->i_mutex);
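Review bot: the `i_nlink <= 1` guard is unlikely to match for directories on most filesystems, which keep `i_nlink >= 2` (the `.` entry) while the directory exists, so `gr_handle_delete` will rarely fire for rmdir on ext3-style filesystems but will fire on filesystems that report `i_nlink == 1` for directories; the audit trail ends up depending on the filesystem. A directory removed by rmdir is always going away, so the condition can simply be `dentry->d_inode != NULL` here, or the guard should be explained. `saved_dev || saved_ino` also skips the event when both happen to be 0; a separate flag would be cleaner.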
16897 -@@ -2207,6 +2311,8 @@ static long do_unlinkat(int dfd, const c
16898 - struct dentry *dentry;
16899 - struct nameidata nd;
16900 - struct inode *inode = NULL;
16901 -+ ino_t saved_ino = 0;
16902 -+ dev_t saved_dev = 0;
16903 -
16904 - name = getname(pathname);
16905 - if(IS_ERR(name))
16906 -@@ -2222,13 +2328,26 @@ static long do_unlinkat(int dfd, const c
16907 - dentry = lookup_hash(&nd);
16908 - error = PTR_ERR(dentry);
16909 - if (!IS_ERR(dentry)) {
16910 -+ error = 0;
16911 - /* Why not before? Because we want correct error value */
16912 - if (nd.last.name[nd.last.len])
16913 - goto slashes;
16914 - inode = dentry->d_inode;
16915 -- if (inode)
16916 -+ if (inode) {
16917 -+ if (inode->i_nlink <= 1) {
16918 -+ saved_ino = inode->i_ino;
16919 -+ saved_dev = inode->i_sb->s_dev;
16920 -+ }
16921 -+
16922 -+ if (!gr_acl_handle_unlink(dentry, nd.mnt))
16923 -+ error = -EACCES;
16924 -+
16925 - atomic_inc(&inode->i_count);
16926 -- error = vfs_unlink(nd.dentry->d_inode, dentry);
16927 -+ }
16928 -+ if (!error)
16929 -+ error = vfs_unlink(nd.dentry->d_inode, dentry);
16930 -+ if (!error && (saved_ino || saved_dev))
16931 -+ gr_handle_delete(saved_ino, saved_dev);
16932 - exit2:
16933 - dput(dentry);
16934 - }
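Review bot: the added `error = 0;` is load-bearing, not cosmetic: `error` holds `PTR_ERR(dentry)`, which for a valid pointer is the pointer value, so without the reset the new `if (!error) error = vfs_unlink(...)` would never run. A comment saying so would stop someone removing it as dead code. Also `atomic_inc(&inode->i_count)` is still taken when the ACL refuses, which is correct only because the later `iput(inode)` is unconditional; that pairing now spans an extra branch and deserves a note too.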
16935 -@@ -2309,7 +2428,16 @@ asmlinkage long sys_symlinkat(const char
16936 - if (IS_ERR(dentry))
16937 - goto out_unlock;
16938 -
16939 -+ if (!gr_acl_handle_symlink(dentry, nd.dentry, nd.mnt, from)) {
16940 -+ error = -EACCES;
16941 -+ goto out_dput_unlock;
16942 -+ }
16943 -+
16944 - error = vfs_symlink(nd.dentry->d_inode, dentry, from, S_IALLUGO);
16945 -+
16946 -+ if (!error)
16947 -+ gr_handle_create(dentry, nd.mnt);
16948 -+out_dput_unlock:
16949 - dput(dentry);
16950 - out_unlock:
16951 - mutex_unlock(&nd.dentry->d_inode->i_mutex);
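Review bot: the new label is `out_dput_unlock` here but `out_unlock_dput` in the open_namei_create, mkdirat and linkat hunks of this same patch, for the same dput-then-unlock sequence; pick one name. The check order (ACL, then `vfs_symlink`, then `gr_handle_create` on success) matches the other create paths.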
16952 -@@ -2404,7 +2532,25 @@ asmlinkage long sys_linkat(int olddfd, c
16953 - error = PTR_ERR(new_dentry);
16954 - if (IS_ERR(new_dentry))
16955 - goto out_unlock;
16956 -+
16957 -+ if (gr_handle_hardlink(old_nd.dentry, old_nd.mnt,
16958 -+ old_nd.dentry->d_inode,
16959 -+ old_nd.dentry->d_inode->i_mode, to)) {
16960 -+ error = -EACCES;
16961 -+ goto out_unlock_dput;
16962 -+ }
16963 -+
16964 -+ if (!gr_acl_handle_link(new_dentry, nd.dentry, nd.mnt,
16965 -+ old_nd.dentry, old_nd.mnt, to)) {
16966 -+ error = -EACCES;
16967 -+ goto out_unlock_dput;
16968 -+ }
16969 -+
16970 - error = vfs_link(old_nd.dentry, nd.dentry->d_inode, new_dentry);
16971 -+
16972 -+ if (!error)
16973 -+ gr_handle_create(new_dentry, nd.mnt);
16974 -+out_unlock_dput:
16975 - dput(new_dentry);
16976 - out_unlock:
16977 - mutex_unlock(&nd.dentry->d_inode->i_mutex);
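Review bot: `gr_handle_hardlink` is passed both `old_nd.dentry->d_inode` and `old_nd.dentry->d_inode->i_mode`, which the callee can read from the inode; one parameter is redundant and the signature should take just the inode unless the mode is intentionally snapshotted. Both denials return `-EACCES`; since the hardlink restriction is a fixed policy rather than a per-file ACL result, consider `-EPERM` for it so the two are distinguishable in logs and strace output, matching the `-EPERM` used for `gr_handle_rawio` elsewhere in this patch.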
16978 -@@ -2630,8 +2776,16 @@ static int do_rename(int olddfd, const c
16979 - if (new_dentry == trap)
16980 - goto exit5;
16981 -
16982 -- error = vfs_rename(old_dir->d_inode, old_dentry,
16983 -+ error = gr_acl_handle_rename(new_dentry, newnd.dentry, newnd.mnt,
16984 -+ old_dentry, old_dir->d_inode, oldnd.mnt,
16985 -+ newname);
16986 -+
16987 -+ if (!error)
16988 -+ error = vfs_rename(old_dir->d_inode, old_dentry,
16989 - new_dir->d_inode, new_dentry);
16990 -+ if (!error)
16991 -+ gr_handle_rename(old_dir->d_inode, newnd.dentry->d_inode, old_dentry,
16992 -+ new_dentry, oldnd.mnt, new_dentry->d_inode ? 1 : 0);
16993 - exit5:
16994 - dput(new_dentry);
16995 - exit4:
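Review bot: `gr_acl_handle_rename` is used as an errno-returning function (`error = gr_acl_handle_rename(...)`), while every other `gr_acl_handle_*` in this patch returns non-zero for allow and is tested with `!`; mixing the two conventions invites an inverted check, so either give this one a distinct name or make it follow the boolean convention. Separately, the `new_dentry->d_inode ? 1 : 0` argument is evaluated after `vfs_rename` has run; capture `new_dentry->d_inode != NULL` before the call so the "replaced an existing target" flag does not depend on what `d_move` and the filesystem's rename left in `new_dentry`.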
16996 -diff -urNp linux-2.6.24.4/fs/namespace.c linux-2.6.24.4/fs/namespace.c
16997 ---- linux-2.6.24.4/fs/namespace.c 2008-03-24 14:49:18.000000000 -0400
16998 -+++ linux-2.6.24.4/fs/namespace.c 2008-03-26 17:56:56.000000000 -0400
16999 -@@ -25,6 +25,7 @@
17000 - #include <linux/security.h>
17001 - #include <linux/mount.h>
17002 - #include <linux/ramfs.h>
17003 -+#include <linux/grsecurity.h>
17004 - #include <asm/uaccess.h>
17005 - #include <asm/unistd.h>
17006 - #include "pnode.h"
17007 -@@ -597,6 +598,8 @@ static int do_umount(struct vfsmount *mn
17008 - DQUOT_OFF(sb);
17009 - retval = do_remount_sb(sb, MS_RDONLY, NULL, 0);
17010 - unlock_kernel();
17011 -+
17012 -+ gr_log_remount(mnt->mnt_devname, retval);
17013 - }
17014 - up_write(&sb->s_umount);
17015 - return retval;
17016 -@@ -617,6 +620,9 @@ static int do_umount(struct vfsmount *mn
17017 - security_sb_umount_busy(mnt);
17018 - up_write(&namespace_sem);
17019 - release_mounts(&umount_list);
17020 -+
17021 -+ gr_log_unmount(mnt->mnt_devname, retval);
17022 -+
17023 - return retval;
17024 - }
17025 -
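Review bot: `gr_log_unmount` sits on the final return only, so the root-filesystem remount branch above (which returns right after `gr_log_remount`) and any early `return` earlier in `do_umount` never produce an unmount log entry; refused or failed unmounts are exactly the events an auditor wants. Either log at every return or restructure so all paths fall through to one exit that logs.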
17026 -@@ -1442,6 +1448,11 @@ long do_mount(char *dev_name, char *dir_
17027 - if (retval)
17028 - goto dput_out;
17029 -
17030 -+ if (gr_handle_chroot_mount(nd.dentry, nd.mnt, dev_name)) {
17031 -+ retval = -EPERM;
17032 -+ goto dput_out;
17033 -+ }
17034 -+
17035 - if (flags & MS_REMOUNT)
17036 - retval = do_remount(&nd, flags & ~MS_REMOUNT, mnt_flags,
17037 - data_page);
17038 -@@ -1456,6 +1467,9 @@ long do_mount(char *dev_name, char *dir_
17039 - dev_name, data_page);
17040 - dput_out:
17041 - path_release(&nd);
17042 -+
17043 -+ gr_log_mount(dev_name, dir_name, retval);
17044 -+
17045 - return retval;
17046 - }
17047 -
17048 -@@ -1693,6 +1707,9 @@ asmlinkage long sys_pivot_root(const cha
17049 - if (!capable(CAP_SYS_ADMIN))
17050 - return -EPERM;
17051 -
17052 -+ if (gr_handle_chroot_pivot())
17053 -+ return -EPERM;
17054 -+
17055 - lock_kernel();
17056 -
17057 - error = __user_walk(new_root, LOOKUP_FOLLOW | LOOKUP_DIRECTORY,
17058 -diff -urNp linux-2.6.24.4/fs/nfs/callback_xdr.c linux-2.6.24.4/fs/nfs/callback_xdr.c
17059 ---- linux-2.6.24.4/fs/nfs/callback_xdr.c 2008-03-24 14:49:18.000000000 -0400
17060 -+++ linux-2.6.24.4/fs/nfs/callback_xdr.c 2008-03-26 17:56:56.000000000 -0400
17061 -@@ -139,7 +139,7 @@ static __be32 decode_compound_hdr_arg(st
17062 - if (unlikely(status != 0))
17063 - return status;
17064 - /* We do not like overly long tags! */
17065 -- if (hdr->taglen > CB_OP_TAGLEN_MAXSZ-12 || hdr->taglen < 0) {
17066 -+ if (hdr->taglen > CB_OP_TAGLEN_MAXSZ-12) {
17067 - printk("NFSv4 CALLBACK %s: client sent tag of length %u\n",
17068 - __FUNCTION__, hdr->taglen);
17069 - return htonl(NFS4ERR_RESOURCE);
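Review bot: dropping `hdr->taglen < 0` is correct, not a weakening: `taglen` is unsigned (the printk formats it with `%u`), so the comparison was always false and only drew a warning; the remaining `taglen > CB_OP_TAGLEN_MAXSZ-12` bound is the check that actually protects the decoder. Worth stating in the commit message so nobody reads this as removing a length check.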
17070 -diff -urNp linux-2.6.24.4/fs/nfs/nfs4proc.c linux-2.6.24.4/fs/nfs/nfs4proc.c
17071 ---- linux-2.6.24.4/fs/nfs/nfs4proc.c 2008-03-24 14:49:18.000000000 -0400
17072 -+++ linux-2.6.24.4/fs/nfs/nfs4proc.c 2008-03-26 17:56:56.000000000 -0400
17073 -@@ -656,7 +656,7 @@ static int _nfs4_do_open_reclaim(struct
17074 - static int nfs4_do_open_reclaim(struct nfs_open_context *ctx, struct nfs4_state *state)
17075 - {
17076 - struct nfs_server *server = NFS_SERVER(state->inode);
17077 -- struct nfs4_exception exception = { };
17078 -+ struct nfs4_exception exception = {0, 0};
17079 - int err;
17080 - do {
17081 - err = _nfs4_do_open_reclaim(ctx, state);
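Review bot: `{0, 0}` hard-codes that `struct nfs4_exception` has exactly two members; the moment a field is added, the warning this hunk avoids comes back in every one of the thirty or so `exception = {0, 0}` hunks in this file. A designated initializer naming any one member stays warning-free and correct if the struct grows, and `{ 0 }` is the standard portable zero-initializer (check whether the gcc in use still flags it under -Wmissing-field-initializers before choosing it). Whatever form is chosen, apply it uniformly to all the nfs4proc.c hunks below.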
17082 -@@ -698,7 +698,7 @@ static int _nfs4_open_delegation_recall(
17083 -
17084 - int nfs4_open_delegation_recall(struct nfs_open_context *ctx, struct nfs4_state *state, const nfs4_stateid *stateid)
17085 - {
17086 -- struct nfs4_exception exception = { };
17087 -+ struct nfs4_exception exception = {0, 0};
17088 - struct nfs_server *server = NFS_SERVER(state->inode);
17089 - int err;
17090 - do {
17091 -@@ -987,7 +987,7 @@ static int _nfs4_open_expired(struct nfs
17092 - static inline int nfs4_do_open_expired(struct nfs_open_context *ctx, struct nfs4_state *state)
17093 - {
17094 - struct nfs_server *server = NFS_SERVER(state->inode);
17095 -- struct nfs4_exception exception = { };
17096 -+ struct nfs4_exception exception = {0, 0};
17097 - int err;
17098 -
17099 - do {
17100 -@@ -1089,7 +1089,7 @@ out_err:
17101 -
17102 - static struct nfs4_state *nfs4_do_open(struct inode *dir, struct path *path, int flags, struct iattr *sattr, struct rpc_cred *cred)
17103 - {
17104 -- struct nfs4_exception exception = { };
17105 -+ struct nfs4_exception exception = {0, 0};
17106 - struct nfs4_state *res;
17107 - int status;
17108 -
17109 -@@ -1178,7 +1178,7 @@ static int nfs4_do_setattr(struct inode
17110 - struct iattr *sattr, struct nfs4_state *state)
17111 - {
17112 - struct nfs_server *server = NFS_SERVER(inode);
17113 -- struct nfs4_exception exception = { };
17114 -+ struct nfs4_exception exception = {0, 0};
17115 - int err;
17116 - do {
17117 - err = nfs4_handle_exception(server,
17118 -@@ -1484,7 +1484,7 @@ static int _nfs4_server_capabilities(str
17119 -
17120 - int nfs4_server_capabilities(struct nfs_server *server, struct nfs_fh *fhandle)
17121 - {
17122 -- struct nfs4_exception exception = { };
17123 -+ struct nfs4_exception exception = {0, 0};
17124 - int err;
17125 - do {
17126 - err = nfs4_handle_exception(server,
17127 -@@ -1517,7 +1517,7 @@ static int _nfs4_lookup_root(struct nfs_
17128 - static int nfs4_lookup_root(struct nfs_server *server, struct nfs_fh *fhandle,
17129 - struct nfs_fsinfo *info)
17130 - {
17131 -- struct nfs4_exception exception = { };
17132 -+ struct nfs4_exception exception = {0, 0};
17133 - int err;
17134 - do {
17135 - err = nfs4_handle_exception(server,
17136 -@@ -1606,7 +1606,7 @@ static int _nfs4_proc_getattr(struct nfs
17137 -
17138 - static int nfs4_proc_getattr(struct nfs_server *server, struct nfs_fh *fhandle, struct nfs_fattr *fattr)
17139 - {
17140 -- struct nfs4_exception exception = { };
17141 -+ struct nfs4_exception exception = {0, 0};
17142 - int err;
17143 - do {
17144 - err = nfs4_handle_exception(server,
17145 -@@ -1696,7 +1696,7 @@ static int nfs4_proc_lookupfh(struct nfs
17146 - struct qstr *name, struct nfs_fh *fhandle,
17147 - struct nfs_fattr *fattr)
17148 - {
17149 -- struct nfs4_exception exception = { };
17150 -+ struct nfs4_exception exception = {0, 0};
17151 - int err;
17152 - do {
17153 - err = _nfs4_proc_lookupfh(server, dirfh, name, fhandle, fattr);
17154 -@@ -1725,7 +1725,7 @@ static int _nfs4_proc_lookup(struct inod
17155 -
17156 - static int nfs4_proc_lookup(struct inode *dir, struct qstr *name, struct nfs_fh *fhandle, struct nfs_fattr *fattr)
17157 - {
17158 -- struct nfs4_exception exception = { };
17159 -+ struct nfs4_exception exception = {0, 0};
17160 - int err;
17161 - do {
17162 - err = nfs4_handle_exception(NFS_SERVER(dir),
17163 -@@ -1789,7 +1789,7 @@ static int _nfs4_proc_access(struct inod
17164 -
17165 - static int nfs4_proc_access(struct inode *inode, struct nfs_access_entry *entry)
17166 - {
17167 -- struct nfs4_exception exception = { };
17168 -+ struct nfs4_exception exception = {0, 0};
17169 - int err;
17170 - do {
17171 - err = nfs4_handle_exception(NFS_SERVER(inode),
17172 -@@ -1844,7 +1844,7 @@ static int _nfs4_proc_readlink(struct in
17173 - static int nfs4_proc_readlink(struct inode *inode, struct page *page,
17174 - unsigned int pgbase, unsigned int pglen)
17175 - {
17176 -- struct nfs4_exception exception = { };
17177 -+ struct nfs4_exception exception = {0, 0};
17178 - int err;
17179 - do {
17180 - err = nfs4_handle_exception(NFS_SERVER(inode),
17181 -@@ -1940,7 +1940,7 @@ static int _nfs4_proc_remove(struct inod
17182 -
17183 - static int nfs4_proc_remove(struct inode *dir, struct qstr *name)
17184 - {
17185 -- struct nfs4_exception exception = { };
17186 -+ struct nfs4_exception exception = {0, 0};
17187 - int err;
17188 - do {
17189 - err = nfs4_handle_exception(NFS_SERVER(dir),
17190 -@@ -2012,7 +2012,7 @@ static int _nfs4_proc_rename(struct inod
17191 - static int nfs4_proc_rename(struct inode *old_dir, struct qstr *old_name,
17192 - struct inode *new_dir, struct qstr *new_name)
17193 - {
17194 -- struct nfs4_exception exception = { };
17195 -+ struct nfs4_exception exception = {0, 0};
17196 - int err;
17197 - do {
17198 - err = nfs4_handle_exception(NFS_SERVER(old_dir),
17199 -@@ -2059,7 +2059,7 @@ static int _nfs4_proc_link(struct inode
17200 -
17201 - static int nfs4_proc_link(struct inode *inode, struct inode *dir, struct qstr *name)
17202 - {
17203 -- struct nfs4_exception exception = { };
17204 -+ struct nfs4_exception exception = {0, 0};
17205 - int err;
17206 - do {
17207 - err = nfs4_handle_exception(NFS_SERVER(inode),
17208 -@@ -2116,7 +2116,7 @@ static int _nfs4_proc_symlink(struct ino
17209 - static int nfs4_proc_symlink(struct inode *dir, struct dentry *dentry,
17210 - struct page *page, unsigned int len, struct iattr *sattr)
17211 - {
17212 -- struct nfs4_exception exception = { };
17213 -+ struct nfs4_exception exception = {0, 0};
17214 - int err;
17215 - do {
17216 - err = nfs4_handle_exception(NFS_SERVER(dir),
17217 -@@ -2169,7 +2169,7 @@ static int _nfs4_proc_mkdir(struct inode
17218 - static int nfs4_proc_mkdir(struct inode *dir, struct dentry *dentry,
17219 - struct iattr *sattr)
17220 - {
17221 -- struct nfs4_exception exception = { };
17222 -+ struct nfs4_exception exception = {0, 0};
17223 - int err;
17224 - do {
17225 - err = nfs4_handle_exception(NFS_SERVER(dir),
17226 -@@ -2218,7 +2218,7 @@ static int _nfs4_proc_readdir(struct den
17227 - static int nfs4_proc_readdir(struct dentry *dentry, struct rpc_cred *cred,
17228 - u64 cookie, struct page *page, unsigned int count, int plus)
17229 - {
17230 -- struct nfs4_exception exception = { };
17231 -+ struct nfs4_exception exception = {0, 0};
17232 - int err;
17233 - do {
17234 - err = nfs4_handle_exception(NFS_SERVER(dentry->d_inode),
17235 -@@ -2288,7 +2288,7 @@ static int _nfs4_proc_mknod(struct inode
17236 - static int nfs4_proc_mknod(struct inode *dir, struct dentry *dentry,
17237 - struct iattr *sattr, dev_t rdev)
17238 - {
17239 -- struct nfs4_exception exception = { };
17240 -+ struct nfs4_exception exception = {0, 0};
17241 - int err;
17242 - do {
17243 - err = nfs4_handle_exception(NFS_SERVER(dir),
17244 -@@ -2317,7 +2317,7 @@ static int _nfs4_proc_statfs(struct nfs_
17245 -
17246 - static int nfs4_proc_statfs(struct nfs_server *server, struct nfs_fh *fhandle, struct nfs_fsstat *fsstat)
17247 - {
17248 -- struct nfs4_exception exception = { };
17249 -+ struct nfs4_exception exception = {0, 0};
17250 - int err;
17251 - do {
17252 - err = nfs4_handle_exception(server,
17253 -@@ -2345,7 +2345,7 @@ static int _nfs4_do_fsinfo(struct nfs_se
17254 -
17255 - static int nfs4_do_fsinfo(struct nfs_server *server, struct nfs_fh *fhandle, struct nfs_fsinfo *fsinfo)
17256 - {
17257 -- struct nfs4_exception exception = { };
17258 -+ struct nfs4_exception exception = {0, 0};
17259 - int err;
17260 -
17261 - do {
17262 -@@ -2388,7 +2388,7 @@ static int _nfs4_proc_pathconf(struct nf
17263 - static int nfs4_proc_pathconf(struct nfs_server *server, struct nfs_fh *fhandle,
17264 - struct nfs_pathconf *pathconf)
17265 - {
17266 -- struct nfs4_exception exception = { };
17267 -+ struct nfs4_exception exception = {0, 0};
17268 - int err;
17269 -
17270 - do {
17271 -@@ -2708,7 +2708,7 @@ out_free:
17272 -
17273 - static ssize_t nfs4_get_acl_uncached(struct inode *inode, void *buf, size_t buflen)
17274 - {
17275 -- struct nfs4_exception exception = { };
17276 -+ struct nfs4_exception exception = {0, 0};
17277 - ssize_t ret;
17278 - do {
17279 - ret = __nfs4_get_acl_uncached(inode, buf, buflen);
17280 -@@ -2762,7 +2762,7 @@ static int __nfs4_proc_set_acl(struct in
17281 -
17282 - static int nfs4_proc_set_acl(struct inode *inode, const void *buf, size_t buflen)
17283 - {
17284 -- struct nfs4_exception exception = { };
17285 -+ struct nfs4_exception exception = {0, 0};
17286 - int err;
17287 - do {
17288 - err = nfs4_handle_exception(NFS_SERVER(inode),
17289 -@@ -3059,7 +3059,7 @@ static int _nfs4_proc_delegreturn(struct
17290 - int nfs4_proc_delegreturn(struct inode *inode, struct rpc_cred *cred, const nfs4_stateid *stateid)
17291 - {
17292 - struct nfs_server *server = NFS_SERVER(inode);
17293 -- struct nfs4_exception exception = { };
17294 -+ struct nfs4_exception exception = {0, 0};
17295 - int err;
17296 - do {
17297 - err = _nfs4_proc_delegreturn(inode, cred, stateid);
17298 -@@ -3134,7 +3134,7 @@ out:
17299 -
17300 - static int nfs4_proc_getlk(struct nfs4_state *state, int cmd, struct file_lock *request)
17301 - {
17302 -- struct nfs4_exception exception = { };
17303 -+ struct nfs4_exception exception = {0, 0};
17304 - int err;
17305 -
17306 - do {
17307 -@@ -3476,7 +3476,7 @@ static int _nfs4_do_setlk(struct nfs4_st
17308 - static int nfs4_lock_reclaim(struct nfs4_state *state, struct file_lock *request)
17309 - {
17310 - struct nfs_server *server = NFS_SERVER(state->inode);
17311 -- struct nfs4_exception exception = { };
17312 -+ struct nfs4_exception exception = {0, 0};
17313 - int err;
17314 -
17315 - do {
17316 -@@ -3494,7 +3494,7 @@ static int nfs4_lock_reclaim(struct nfs4
17317 - static int nfs4_lock_expired(struct nfs4_state *state, struct file_lock *request)
17318 - {
17319 - struct nfs_server *server = NFS_SERVER(state->inode);
17320 -- struct nfs4_exception exception = { };
17321 -+ struct nfs4_exception exception = {0, 0};
17322 - int err;
17323 -
17324 - err = nfs4_set_lock_state(state, request);
17325 -@@ -3555,7 +3555,7 @@ out:
17326 -
17327 - static int nfs4_proc_setlk(struct nfs4_state *state, int cmd, struct file_lock *request)
17328 - {
17329 -- struct nfs4_exception exception = { };
17330 -+ struct nfs4_exception exception = {0, 0};
17331 - int err;
17332 -
17333 - do {
17334 -@@ -3605,7 +3605,7 @@ nfs4_proc_lock(struct file *filp, int cm
17335 - int nfs4_lock_delegation_recall(struct nfs4_state *state, struct file_lock *fl)
17336 - {
17337 - struct nfs_server *server = NFS_SERVER(state->inode);
17338 -- struct nfs4_exception exception = { };
17339 -+ struct nfs4_exception exception = {0, 0};
17340 - int err;
17341 -
17342 - err = nfs4_set_lock_state(state, fl);
17343 -diff -urNp linux-2.6.24.4/fs/nfsd/export.c linux-2.6.24.4/fs/nfsd/export.c
17344 ---- linux-2.6.24.4/fs/nfsd/export.c 2008-03-24 14:49:18.000000000 -0400
17345 -+++ linux-2.6.24.4/fs/nfsd/export.c 2008-03-26 17:56:56.000000000 -0400
17346 -@@ -476,7 +476,7 @@ static int secinfo_parse(char **mesg, ch
17347 - * probably discover the problem when someone fails to
17348 - * authenticate.
17349 - */
17350 -- if (f->pseudoflavor < 0)
17351 -+ if ((s32)f->pseudoflavor < 0)
17352 - return -EINVAL;
17353 - err = get_int(mesg, &f->flags);
17354 - if (err)
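Review bot: `(s32)f->pseudoflavor < 0` revives a check that the unsigned field type had made dead, so negative values parsed from the export string are rejected again; but the cast hides the conversion. A less surprising form is to parse into a signed local, reject negatives there, and only then assign to `f->pseudoflavor`, so the signed-to-unsigned conversion happens once and in a visible place.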
17355 -diff -urNp linux-2.6.24.4/fs/nfsd/nfs4state.c linux-2.6.24.4/fs/nfsd/nfs4state.c
17356 ---- linux-2.6.24.4/fs/nfsd/nfs4state.c 2008-03-24 14:49:18.000000000 -0400
17357 -+++ linux-2.6.24.4/fs/nfsd/nfs4state.c 2008-03-26 17:56:56.000000000 -0400
17358 -@@ -1233,7 +1233,7 @@ static int access_valid(u32 x)
17359 -
17360 - static int deny_valid(u32 x)
17361 - {
17362 -- return (x >= 0 && x < 5);
17363 -+ return (x < 5);
17364 - }
17365 -
17366 - static void
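Review bot: correct: `x` is `u32`, so `x >= 0` was always true and removing it changes nothing but the warning. `access_valid` just above takes the same argument type; check it for the same dead comparison so the pair stays consistent.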
17367 -diff -urNp linux-2.6.24.4/fs/nls/nls_base.c linux-2.6.24.4/fs/nls/nls_base.c
17368 ---- linux-2.6.24.4/fs/nls/nls_base.c 2008-03-24 14:49:18.000000000 -0400
17369 -+++ linux-2.6.24.4/fs/nls/nls_base.c 2008-03-26 17:56:56.000000000 -0400
17370 -@@ -42,7 +42,7 @@ static const struct utf8_table utf8_tabl
17371 - {0xF8, 0xF0, 3*6, 0x1FFFFF, 0x10000, /* 4 byte sequence */},
17372 - {0xFC, 0xF8, 4*6, 0x3FFFFFF, 0x200000, /* 5 byte sequence */},
17373 - {0xFE, 0xFC, 5*6, 0x7FFFFFFF, 0x4000000, /* 6 byte sequence */},
17374 -- {0, /* end of table */}
17375 -+ {0, 0, 0, 0, 0, /* end of table */}
17376 - };
17377 -
17378 - int
17379 -diff -urNp linux-2.6.24.4/fs/ntfs/file.c linux-2.6.24.4/fs/ntfs/file.c
17380 ---- linux-2.6.24.4/fs/ntfs/file.c 2008-03-24 14:49:18.000000000 -0400
17381 -+++ linux-2.6.24.4/fs/ntfs/file.c 2008-03-26 17:56:56.000000000 -0400
17382 -@@ -2293,6 +2293,6 @@ const struct inode_operations ntfs_file_
17383 - #endif /* NTFS_RW */
17384 - };
17385 -
17386 --const struct file_operations ntfs_empty_file_ops = {};
17387 -+const struct file_operations ntfs_empty_file_ops;
17388 -
17389 --const struct inode_operations ntfs_empty_inode_ops = {};
17390 -+const struct inode_operations ntfs_empty_inode_ops;
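Review bot: dropping the `= {}` turns these into tentative definitions with no initializer; they are still zero-filled, but check which section the toolchain places them in: a `const` object without an initializer is not guaranteed to land in .rodata next to the other ops tables and with -fno-common may end up in .bss, i.e. writable, which for an ops table handed to the VFS is the opposite of what `const` was buying. If the goal is only to avoid the GNU empty-initializer warning, a designated initializer naming one member keeps both the zero contents and the read-only placement.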
17391 -diff -urNp linux-2.6.24.4/fs/open.c linux-2.6.24.4/fs/open.c
17392 ---- linux-2.6.24.4/fs/open.c 2008-03-24 14:49:18.000000000 -0400
17393 -+++ linux-2.6.24.4/fs/open.c 2008-03-26 17:56:56.000000000 -0400
17394 -@@ -27,6 +27,7 @@
17395 - #include <linux/rcupdate.h>
17396 - #include <linux/audit.h>
17397 - #include <linux/falloc.h>
17398 -+#include <linux/grsecurity.h>
17399 -
17400 - int vfs_statfs(struct dentry *dentry, struct kstatfs *buf)
17401 - {
17402 -@@ -204,6 +205,9 @@ int do_truncate(struct dentry *dentry, l
17403 - if (length < 0)
17404 - return -EINVAL;
17405 -
17406 -+ if (filp && !gr_acl_handle_truncate(dentry, filp->f_vfsmnt))
17407 -+ return -EACCES;
17408 -+
17409 - newattrs.ia_size = length;
17410 - newattrs.ia_valid = ATTR_SIZE | time_attrs;
17411 - if (filp) {
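Review bot: the `gr_acl_handle_truncate` check in `do_truncate` is guarded by `filp &&`, so callers that pass no file (`filp == NULL`) are not subject to the ACL check here at all. If that path is covered by a separate hook at the caller, add a comment saying so to stop readers from reporting a bypass; if it is not, the check is incomplete and needs a dentry/mnt-based form for the `filp == NULL` case.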
17412 -@@ -461,6 +465,9 @@ asmlinkage long sys_faccessat(int dfd, c
17413 - if(IS_RDONLY(nd.dentry->d_inode))
17414 - res = -EROFS;
17415 -
17416 -+ if (!res && !gr_acl_handle_access(nd.dentry, nd.mnt, mode))
17417 -+ res = -EACCES;
17418 -+
17419 - out_path_release:
17420 - path_release(&nd);
17421 - out:
17422 -@@ -490,6 +497,8 @@ asmlinkage long sys_chdir(const char __u
17423 - if (error)
17424 - goto dput_and_out;
17425 -
17426 -+ gr_log_chdir(nd.dentry, nd.mnt);
17427 -+
17428 - set_fs_pwd(current->fs, nd.mnt, nd.dentry);
17429 -
17430 - dput_and_out:
17431 -@@ -520,6 +529,13 @@ asmlinkage long sys_fchdir(unsigned int
17432 - goto out_putf;
17433 -
17434 - error = file_permission(file, MAY_EXEC);
17435 -+
17436 -+ if (!error && !gr_chroot_fchdir(dentry, mnt))
17437 -+ error = -EPERM;
17438 -+
17439 -+ if (!error)
17440 -+ gr_log_chdir(dentry, mnt);
17441 -+
17442 - if (!error)
17443 - set_fs_pwd(current->fs, mnt, dentry);
17444 - out_putf:
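Review bot: in the `sys_fchdir` hunk the `gr_chroot_fchdir` denial is mapped to `-EPERM`, while the ACL denials added elsewhere in this patch (`sys_faccessat`, `do_truncate`, `sys_fchmod`) use `-EACCES`; pick one convention or document that chroot-policy denials are deliberately `EPERM`. The three consecutive `if (!error)` blocks could also be folded, e.g. `if (!error && !gr_chroot_fchdir(dentry, mnt)) error = -EPERM;` followed by one `if (!error) { gr_log_chdir(dentry, mnt); set_fs_pwd(current->fs, mnt, dentry); }`.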
17445 -@@ -545,8 +561,16 @@ asmlinkage long sys_chroot(const char __
17446 - if (!capable(CAP_SYS_CHROOT))
17447 - goto dput_and_out;
17448 -
17449 -+ if (gr_handle_chroot_chroot(nd.dentry, nd.mnt))
17450 -+ goto dput_and_out;
17451 -+
17452 - set_fs_root(current->fs, nd.mnt, nd.dentry);
17453 - set_fs_altroot();
17454 -+
17455 -+ gr_handle_chroot_caps(current);
17456 -+
17457 -+ gr_handle_chroot_chdir(nd.dentry, nd.mnt);
17458 -+
17459 - error = 0;
17460 - dput_and_out:
17461 - path_release(&nd);
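Review bot: the new `if (gr_handle_chroot_chroot(nd.dentry, nd.mnt)) goto dput_and_out;` in `sys_chroot` jumps out without assigning `error`, so it relies on `error` still holding the failure value set before the `capable(CAP_SYS_CHROOT)` test above it. That coupling is fragile: anyone inserting an assignment between the two checks turns the denial into a silent success. Set `error = -EPERM;` explicitly before the `goto`. A comment is also warranted that `gr_handle_chroot_caps(current)` and `gr_handle_chroot_chdir()` run after `set_fs_root()`, i.e. the root has already changed when they fire.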
17462 -@@ -577,9 +601,22 @@ asmlinkage long sys_fchmod(unsigned int
17463 - err = -EPERM;
17464 - if (IS_IMMUTABLE(inode) || IS_APPEND(inode))
17465 - goto out_putf;
17466 -+
17467 -+ if (!gr_acl_handle_fchmod(dentry, file->f_vfsmnt, mode)) {
17468 -+ err = -EACCES;
17469 -+ goto out_putf;
17470 -+ }
17471 -+
17472 - mutex_lock(&inode->i_mutex);
17473 - if (mode == (mode_t) -1)
17474 - mode = inode->i_mode;
17475 -+
17476 -+ if (gr_handle_chroot_chmod(dentry, file->f_vfsmnt, mode)) {
17477 -+ err = -EPERM;
17478 -+ mutex_unlock(&inode->i_mutex);
17479 -+ goto out_putf;
17480 -+ }
17481 -+
17482 - newattrs.ia_mode = (mode & S_IALLUGO) | (inode->i_mode & ~S_IALLUGO);
17483 - newattrs.ia_valid = ATTR_MODE | ATTR_CTIME;
17484 - err = notify_change(dentry, &newattrs);
17485 -@@ -612,9 +649,21 @@ asmlinkage long sys_fchmodat(int dfd, co
17486 - if (IS_IMMUTABLE(inode) || IS_APPEND(inode))
17487 - goto dput_and_out;
17488 -
17489 -+ if (!gr_acl_handle_chmod(nd.dentry, nd.mnt, mode)) {
17490 -+ error = -EACCES;
17491 -+ goto dput_and_out;
17492 -+ };
17493 -+
17494 - mutex_lock(&inode->i_mutex);
17495 - if (mode == (mode_t) -1)
17496 - mode = inode->i_mode;
17497 -+
17498 -+ if (gr_handle_chroot_chmod(nd.dentry, nd.mnt, mode)) {
17499 -+ error = -EACCES;
17500 -+ mutex_unlock(&inode->i_mutex);
17501 -+ goto dput_and_out;
17502 -+ }
17503 -+
17504 - newattrs.ia_mode = (mode & S_IALLUGO) | (inode->i_mode & ~S_IALLUGO);
17505 - newattrs.ia_valid = ATTR_MODE | ATTR_CTIME;
17506 - error = notify_change(nd.dentry, &newattrs);
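Review bot: in the `sys_fchmodat` hunk the `gr_handle_chroot_chmod` denial sets `error = -EACCES`, whereas the matching hunk in `sys_fchmod` above sets `err = -EPERM` for the same hook; the two syscalls should report the same errno for the same policy decision. There is also a stray `};` closing the first `if` block (an empty statement after the brace); it compiles but should be `}`.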
17507 -@@ -631,7 +680,7 @@ asmlinkage long sys_chmod(const char __u
17508 - return sys_fchmodat(AT_FDCWD, filename, mode);
17509 - }
17510 -
17511 --static int chown_common(struct dentry * dentry, uid_t user, gid_t group)
17512 -+static int chown_common(struct dentry * dentry, uid_t user, gid_t group, struct vfsmount *mnt)
17513 - {
17514 - struct inode * inode;
17515 - int error;
17516 -@@ -648,6 +697,12 @@ static int chown_common(struct dentry *
17517 - error = -EPERM;
17518 - if (IS_IMMUTABLE(inode) || IS_APPEND(inode))
17519 - goto out;
17520 -+
17521 -+ if (!gr_acl_handle_chown(dentry, mnt)) {
17522 -+ error = -EACCES;
17523 -+ goto out;
17524 -+ }
17525 -+
17526 - newattrs.ia_valid = ATTR_CTIME;
17527 - if (user != (uid_t) -1) {
17528 - newattrs.ia_valid |= ATTR_UID;
17529 -@@ -675,7 +730,7 @@ asmlinkage long sys_chown(const char __u
17530 - error = user_path_walk(filename, &nd);
17531 - if (error)
17532 - goto out;
17533 -- error = chown_common(nd.dentry, user, group);
17534 -+ error = chown_common(nd.dentry, user, group, nd.mnt);
17535 - path_release(&nd);
17536 - out:
17537 - return error;
17538 -@@ -695,7 +750,7 @@ asmlinkage long sys_fchownat(int dfd, co
17539 - error = __user_walk_fd(dfd, filename, follow, &nd);
17540 - if (error)
17541 - goto out;
17542 -- error = chown_common(nd.dentry, user, group);
17543 -+ error = chown_common(nd.dentry, user, group, nd.mnt);
17544 - path_release(&nd);
17545 - out:
17546 - return error;
17547 -@@ -709,7 +764,7 @@ asmlinkage long sys_lchown(const char __
17548 - error = user_path_walk_link(filename, &nd);
17549 - if (error)
17550 - goto out;
17551 -- error = chown_common(nd.dentry, user, group);
17552 -+ error = chown_common(nd.dentry, user, group, nd.mnt);
17553 - path_release(&nd);
17554 - out:
17555 - return error;
17556 -@@ -728,7 +783,7 @@ asmlinkage long sys_fchown(unsigned int
17557 -
17558 - dentry = file->f_path.dentry;
17559 - audit_inode(NULL, dentry);
17560 -- error = chown_common(dentry, user, group);
17561 -+ error = chown_common(dentry, user, group, file->f_vfsmnt);
17562 - fput(file);
17563 - out:
17564 - return error;
17565 -@@ -939,6 +994,7 @@ repeat:
17566 - * N.B. For clone tasks sharing a files structure, this test
17567 - * will limit the total number of files that can be opened.
17568 - */
17569 -+ gr_learn_resource(current, RLIMIT_NOFILE, fd, 0);
17570 - if (fd >= current->signal->rlim[RLIMIT_NOFILE].rlim_cur)
17571 - goto out;
17572 -
17573 -diff -urNp linux-2.6.24.4/fs/partitions/efi.c linux-2.6.24.4/fs/partitions/efi.c
17574 ---- linux-2.6.24.4/fs/partitions/efi.c 2008-03-24 14:49:18.000000000 -0400
17575 -+++ linux-2.6.24.4/fs/partitions/efi.c 2008-03-26 17:56:56.000000000 -0400
17576 -@@ -99,7 +99,7 @@
17577 - #ifdef EFI_DEBUG
17578 - #define Dprintk(x...) printk(KERN_DEBUG x)
17579 - #else
17580 --#define Dprintk(x...)
17581 -+#define Dprintk(x...) do {} while (0)
17582 - #endif
17583 -
17584 - /* This allows a kernel command line option 'gpt' to override
17585 -diff -urNp linux-2.6.24.4/fs/pipe.c linux-2.6.24.4/fs/pipe.c
17586 ---- linux-2.6.24.4/fs/pipe.c 2008-03-24 14:49:18.000000000 -0400
17587 -+++ linux-2.6.24.4/fs/pipe.c 2008-03-26 17:56:56.000000000 -0400
17588 -@@ -887,7 +887,7 @@ void free_pipe_info(struct inode *inode)
17589 - inode->i_pipe = NULL;
17590 - }
17591 -
17592 --static struct vfsmount *pipe_mnt __read_mostly;
17593 -+struct vfsmount *pipe_mnt __read_mostly;
17594 - static int pipefs_delete_dentry(struct dentry *dentry)
17595 - {
17596 - /*
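Review bot: `pipe_mnt` is made a global symbol but the hunk adds no declaration in a header, so any user elsewhere in the patch has to write its own `extern struct vfsmount *pipe_mnt;` and the compiler cannot check the two against each other. Add the extern to a shared header (`linux/pipe_fs_i.h` would be the natural place; assumption on my part) and consider that a bare `pipe_mnt` is a fairly generic name to expose kernel-wide.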
17597 -diff -urNp linux-2.6.24.4/fs/proc/array.c linux-2.6.24.4/fs/proc/array.c
17598 ---- linux-2.6.24.4/fs/proc/array.c 2008-03-24 14:49:18.000000000 -0400
17599 -+++ linux-2.6.24.4/fs/proc/array.c 2008-03-26 17:56:56.000000000 -0400
17600 -@@ -305,6 +305,21 @@ static inline char *task_context_switch_
17601 - p->nivcsw);
17602 - }
17603 -
17604 -+#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
17605 -+static inline char *task_pax(struct task_struct *p, char *buffer)
17606 -+{
17607 -+ if (p->mm)
17608 -+ return buffer + sprintf(buffer, "PaX:\t%c%c%c%c%c\n",
17609 -+ p->mm->pax_flags & MF_PAX_PAGEEXEC ? 'P' : 'p',
17610 -+ p->mm->pax_flags & MF_PAX_EMUTRAMP ? 'E' : 'e',
17611 -+ p->mm->pax_flags & MF_PAX_MPROTECT ? 'M' : 'm',
17612 -+ p->mm->pax_flags & MF_PAX_RANDMMAP ? 'R' : 'r',
17613 -+ p->mm->pax_flags & MF_PAX_SEGMEXEC ? 'S' : 's');
17614 -+ else
17615 -+ return buffer + sprintf(buffer, "PaX:\t-----\n");
17616 -+}
17617 -+#endif
17618 -+
17619 - int proc_pid_status(struct task_struct *task, char *buffer)
17620 - {
17621 - char *orig = buffer;
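Review bot: `task_pax()` emits a new `PaX:` line in `/proc/<pid>/status` whose meaning lives only in the code: five letters in the fixed order PAGEEXEC, EMUTRAMP, MPROTECT, RANDMMAP, SEGMEXEC, upper-case when set and lower-case when clear, and `-----` for tasks without an `mm`. That is user-visible output and needs a comment above the function (and ideally an entry in the proc documentation) so tooling can parse it and the order is not changed later. Writing via unbounded `sprintf` matches the rest of this file, so no concern there.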
17622 -@@ -324,6 +339,11 @@ int proc_pid_status(struct task_struct *
17623 - buffer = task_show_regs(task, buffer);
17624 - #endif
17625 - buffer = task_context_switch_counts(task, buffer);
17626 -+
17627 -+#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
17628 -+ buffer = task_pax(task, buffer);
17629 -+#endif
17630 -+
17631 - return buffer - orig;
17632 - }
17633 -
17634 -@@ -386,6 +406,12 @@ static cputime_t task_gtime(struct task_
17635 - return p->gtime;
17636 - }
17637 -
17638 -+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
17639 -+#define PAX_RAND_FLAGS(_mm) (_mm != NULL && _mm != current->mm && \
17640 -+ (_mm->pax_flags & MF_PAX_RANDMMAP || \
17641 -+ _mm->pax_flags & MF_PAX_SEGMEXEC))
17642 -+#endif
17643 -+
17644 - static int do_task_stat(struct task_struct *task, char *buffer, int whole)
17645 - {
17646 - unsigned long vsize, eip, esp, wchan = ~0UL;
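Review bot: the `PAX_RAND_FLAGS(_mm)` macro is defined here and again, verbatim, in the `fs/proc/task_mmu.c` hunk of this same patch; move it to a header (`fs/proc/internal.h`, which the patch already touches, would do) so the two copies cannot drift apart. Also parenthesise the macro argument (`(_mm)`) and note in a comment that the `_mm != current->mm` clause is what lets a process still see its own unredacted values.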
17647 -@@ -481,6 +507,19 @@ static int do_task_stat(struct task_stru
17648 - gtime = task_gtime(task);
17649 - }
17650 -
17651 -+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
17652 -+ if (PAX_RAND_FLAGS(mm)) {
17653 -+ eip = 0;
17654 -+ esp = 0;
17655 -+ wchan = 0;
17656 -+ }
17657 -+#endif
17658 -+#ifdef CONFIG_GRKERNSEC_HIDESYM
17659 -+ wchan = 0;
17660 -+ eip =0;
17661 -+ esp =0;
17662 -+#endif
17663 -+
17664 - /* scale priority and nice values from timeslices to -20..20 */
17665 - /* to make it look like a "normal" Unix priority/nice value */
17666 - priority = task_prio(task);
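Review bot: the `CONFIG_GRKERNSEC_HIDESYM` block zeroes `eip`, `esp` and `wchan` unconditionally, including for the reading process's own `/proc/self/stat`, whereas the `CONFIG_GRKERNSEC_PROC_MEMMAP` block just above it excludes `current->mm` via `PAX_RAND_FLAGS`; if the difference is deliberate (hiding kernel addresses even from the owner), say so in a comment. Minor style: `eip =0;` and `esp =0;` are missing the space after `=`.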
17667 -@@ -521,9 +560,15 @@ static int do_task_stat(struct task_stru
17668 - vsize,
17669 - mm ? get_mm_rss(mm) : 0,
17670 - rsslim,
17671 -+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
17672 -+ PAX_RAND_FLAGS(mm) ? 1 : (mm ? mm->start_code : 0),
17673 -+ PAX_RAND_FLAGS(mm) ? 1 : (mm ? mm->end_code : 0),
17674 -+ PAX_RAND_FLAGS(mm) ? 0 : (mm ? mm->start_stack : 0),
17675 -+#else
17676 - mm ? mm->start_code : 0,
17677 - mm ? mm->end_code : 0,
17678 - mm ? mm->start_stack : 0,
17679 -+#endif
17680 - esp,
17681 - eip,
17682 - /* The signal information here is obsolete.
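Review bot: in the `do_task_stat` output hunk the redacted `start_code` and `end_code` become `1` while `start_stack` becomes `0`, with no comment explaining the choice of values; add the rationale next to the `#ifdef`, since `1` otherwise looks like a typo for `0` and a reader cannot tell whether consumers that subtract the two code fields were considered.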
17683 -@@ -572,3 +617,14 @@ int proc_pid_statm(struct task_struct *t
17684 - return sprintf(buffer, "%d %d %d %d %d %d %d\n",
17685 - size, resident, shared, text, lib, data, 0);
17686 - }
17687 -+
17688 -+#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
17689 -+int proc_pid_ipaddr(struct task_struct *task, char * buffer)
17690 -+{
17691 -+ int len;
17692 -+
17693 -+ len = sprintf(buffer, "%u.%u.%u.%u\n", NIPQUAD(task->signal->curr_ip));
17694 -+ return len;
17695 -+}
17696 -+#endif
17697 -+
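Review bot: `proc_pid_ipaddr()` dereferences `task->signal->curr_ip` without checking that `task->signal` is still present; the task reference held for a `/proc/<pid>/ipaddr` read does not keep the signal struct alive once the task has exited, so a read racing with exit can dereference NULL. Take `lock_task_sighand()` (or at least test `task->signal` for NULL) and print `0.0.0.0` or return 0 when it is gone. Also `char * buffer` should be `char *buffer`.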
17698 -diff -urNp linux-2.6.24.4/fs/proc/base.c linux-2.6.24.4/fs/proc/base.c
17699 ---- linux-2.6.24.4/fs/proc/base.c 2008-03-24 14:49:18.000000000 -0400
17700 -+++ linux-2.6.24.4/fs/proc/base.c 2008-03-26 19:57:50.000000000 -0400
17701 -@@ -76,6 +76,8 @@
17702 - #include <linux/oom.h>
17703 - #include <linux/elf.h>
17704 - #include <linux/pid_namespace.h>
17705 -+#include <linux/grsecurity.h>
17706 -+
17707 - #include "internal.h"
17708 -
17709 - /* NOTE:
17710 -@@ -126,7 +128,7 @@ struct pid_entry {
17711 - NULL, &proc_info_file_operations, \
17712 - { .proc_read = &proc_##OTYPE } )
17713 -
17714 --int maps_protect;
17715 -+int maps_protect = 1;
17716 - EXPORT_SYMBOL(maps_protect);
17717 -
17718 - static struct fs_struct *get_fs_struct(struct task_struct *task)
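Review bot: `maps_protect = 1` changes the default of the existing `maps_protect` sysctl for every hardened build, independent of any `CONFIG_GRKERNSEC_*` option; the changelog and the sysctl documentation should state the new default, and keying it off a Kconfig symbol would be more consistent with the rest of this patch than hard-coding it.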
17719 -@@ -200,7 +202,7 @@ static int proc_root_link(struct inode *
17720 - (task->parent == current && \
17721 - (task->ptrace & PT_PTRACED) && \
17722 - (task->state == TASK_STOPPED || task->state == TASK_TRACED) && \
17723 -- security_ptrace(current,task) == 0))
17724 -+ security_ptrace(current,task) == 0 && !gr_handle_proc_ptrace(task)))
17725 -
17726 - struct mm_struct *mm_for_maps(struct task_struct *task)
17727 - {
17728 -@@ -265,9 +267,9 @@ static int proc_pid_auxv(struct task_str
17729 - struct mm_struct *mm = get_task_mm(task);
17730 - if (mm) {
17731 - unsigned int nwords = 0;
17732 -- do
17733 -+ do {
17734 - nwords += 2;
17735 -- while (mm->saved_auxv[nwords - 2] != 0); /* AT_NULL */
17736 -+ } while (mm->saved_auxv[nwords - 2] != 0); /* AT_NULL */
17737 - res = nwords * sizeof(mm->saved_auxv[0]);
17738 - if (res > PAGE_SIZE)
17739 - res = PAGE_SIZE;
17740 -@@ -609,7 +611,7 @@ static ssize_t mem_read(struct file * fi
17741 - if (!task)
17742 - goto out_no_task;
17743 -
17744 -- if (!MAY_PTRACE(task) || !ptrace_may_attach(task))
17745 -+ if (!MAY_PTRACE(task) || !ptrace_may_attach(task) || gr_acl_handle_procpidmem(task))
17746 - goto out;
17747 -
17748 - ret = -ENOMEM;
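Review bot: `gr_acl_handle_procpidmem(task)` denies when it returns non-zero, the opposite sense to the `gr_acl_handle_*` hooks used earlier in this patch (`!gr_acl_handle_truncate(...)`, `!gr_acl_handle_access(...)` deny on zero). Two return conventions under one prefix invite an inverted test in a future hook; either rename it (`gr_deny_procpidmem` or similar) or document the convention at the declaration. The same call is repeated in `mem_write` and `proc_fd_permission`, so one comment at the declaration covers all three.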
17749 -@@ -679,7 +681,7 @@ static ssize_t mem_write(struct file * f
17750 - if (!task)
17751 - goto out_no_task;
17752 -
17753 -- if (!MAY_PTRACE(task) || !ptrace_may_attach(task))
17754 -+ if (!MAY_PTRACE(task) || !ptrace_may_attach(task) || gr_acl_handle_procpidmem(task))
17755 - goto out;
17756 -
17757 - copied = -ENOMEM;
17758 -@@ -1202,7 +1204,11 @@ static struct inode *proc_pid_make_inode
17759 - inode->i_gid = 0;
17760 - if (task_dumpable(task)) {
17761 - inode->i_uid = task->euid;
17762 -+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
17763 -+ inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
17764 -+#else
17765 - inode->i_gid = task->egid;
17766 -+#endif
17767 - }
17768 - security_task_to_inode(task, inode);
17769 -
17770 -@@ -1218,17 +1224,45 @@ static int pid_getattr(struct vfsmount *
17771 - {
17772 - struct inode *inode = dentry->d_inode;
17773 - struct task_struct *task;
17774 -+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
17775 -+ struct task_struct *tmp = current;
17776 -+#endif
17777 -+
17778 - generic_fillattr(inode, stat);
17779 -
17780 - rcu_read_lock();
17781 - stat->uid = 0;
17782 - stat->gid = 0;
17783 - task = pid_task(proc_pid(inode), PIDTYPE_PID);
17784 -- if (task) {
17785 -+
17786 -+ if (task && (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))) {
17787 -+ rcu_read_unlock();
17788 -+ return -ENOENT;
17789 -+ }
17790 -+
17791 -+
17792 -+ if (task
17793 -+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
17794 -+ && (!tmp->uid || (tmp->uid == task->uid)
17795 -+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
17796 -+ || in_group_p(CONFIG_GRKERNSEC_PROC_GID)
17797 -+#endif
17798 -+ )
17799 -+#endif
17800 -+ ) {
17801 - if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
17802 -+#ifdef CONFIG_GRKERNSEC_PROC_USER
17803 -+ (inode->i_mode == (S_IFDIR|S_IRUSR|S_IXUSR)) ||
17804 -+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
17805 -+ (inode->i_mode == (S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP)) ||
17806 -+#endif
17807 - task_dumpable(task)) {
17808 - stat->uid = task->euid;
17809 -+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
17810 -+ stat->gid = CONFIG_GRKERNSEC_PROC_GID;
17811 -+#else
17812 - stat->gid = task->egid;
17813 -+#endif
17814 - }
17815 - }
17816 - rcu_read_unlock();
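Review bot: the `pid_getattr` hunk decides visibility on the real uid (`tmp->uid`, with `!tmp->uid` standing in for root) while the stat fields it then fills use `task->euid`/`task->egid`; mixing real and effective ids is easy to get wrong (a process whose real uid is non-zero is treated as unprivileged here whatever its effective uid), so the choice needs a comment. The early `rcu_read_unlock(); return -ENOENT;` for chrooted or hidden tasks correctly drops the lock. Cosmetic: there is a double blank line before the `if (task` block, and the condition with `#ifdef`s nested inside the parenthesised expression would read better as a small `static inline` helper that `proc_pid_readdir` below could share.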
17817 -@@ -1256,11 +1290,21 @@ static int pid_revalidate(struct dentry
17818 - {
17819 - struct inode *inode = dentry->d_inode;
17820 - struct task_struct *task = get_proc_task(inode);
17821 -+
17822 - if (task) {
17823 - if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
17824 -+#ifdef CONFIG_GRKERNSEC_PROC_USER
17825 -+ (inode->i_mode == (S_IFDIR|S_IRUSR|S_IXUSR)) ||
17826 -+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
17827 -+ (inode->i_mode == (S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP)) ||
17828 -+#endif
17829 - task_dumpable(task)) {
17830 - inode->i_uid = task->euid;
17831 -+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
17832 -+ inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
17833 -+#else
17834 - inode->i_gid = task->egid;
17835 -+#endif
17836 - } else {
17837 - inode->i_uid = 0;
17838 - inode->i_gid = 0;
17839 -@@ -1633,12 +1677,22 @@ static int proc_fd_permission(struct ino
17840 - struct nameidata *nd)
17841 - {
17842 - int rv;
17843 -+ struct task_struct *task;
17844 -
17845 - rv = generic_permission(inode, mask, NULL);
17846 -- if (rv == 0)
17847 -- return 0;
17848 -+
17849 - if (task_pid(current) == proc_pid(inode))
17850 - rv = 0;
17851 -+
17852 -+ task = get_proc_task(inode);
17853 -+ if (task == NULL)
17854 -+ return rv;
17855 -+
17856 -+ if (gr_acl_handle_procpidmem(task))
17857 -+ rv = -EACCES;
17858 -+
17859 -+ put_task_struct(task);
17860 -+
17861 - return rv;
17862 - }
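Review bot: the restructured `proc_fd_permission` drops the early `if (rv == 0) return 0;`, so the `gr_acl_handle_procpidmem` result now overrides both a successful `generic_permission()` and the own-pid shortcut; that is presumably the intent (policy beats DAC), but it is a semantic change and deserves a sentence in the changelog. The `task == NULL` branch returns `rv` without `put_task_struct`, which is correct because no reference was taken; a comment there would stop reviewers from flagging it as a leak.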
17863 -
17864 -@@ -1749,6 +1803,9 @@ static struct dentry *proc_pident_lookup
17865 - if (!task)
17866 - goto out_no_task;
17867 -
17868 -+ if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
17869 -+ goto out;
17870 -+
17871 - /*
17872 - * Yes, it does not scale. And it should not. Don't add
17873 - * new entries into /proc/<tgid>/ without very good reasons.
17874 -@@ -1793,6 +1850,9 @@ static int proc_pident_readdir(struct fi
17875 - if (!task)
17876 - goto out_no_task;
17877 -
17878 -+ if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
17879 -+ goto out;
17880 -+
17881 - ret = 0;
17882 - i = filp->f_pos;
17883 - switch (i) {
17884 -@@ -2147,6 +2207,9 @@ static struct dentry *proc_base_lookup(s
17885 - if (p > last)
17886 - goto out;
17887 -
17888 -+ if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
17889 -+ goto out;
17890 -+
17891 - error = proc_base_instantiate(dir, dentry, task, p);
17892 -
17893 - out:
17894 -@@ -2250,6 +2313,9 @@ static const struct pid_entry tgid_base_
17895 - #ifdef CONFIG_TASK_IO_ACCOUNTING
17896 - INF("io", S_IRUGO, pid_io_accounting),
17897 - #endif
17898 -+#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
17899 -+ INF("ipaddr", S_IRUSR, pid_ipaddr),
17900 -+#endif
17901 - };
17902 -
17903 - static int proc_tgid_base_readdir(struct file * filp,
17904 -@@ -2378,7 +2444,14 @@ static struct dentry *proc_pid_instantia
17905 - if (!inode)
17906 - goto out;
17907 -
17908 -+#ifdef CONFIG_GRKERNSEC_PROC_USER
17909 -+ inode->i_mode = S_IFDIR|S_IRUSR|S_IXUSR;
17910 -+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
17911 -+ inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
17912 -+ inode->i_mode = S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP;
17913 -+#else
17914 - inode->i_mode = S_IFDIR|S_IRUGO|S_IXUGO;
17915 -+#endif
17916 - inode->i_op = &proc_tgid_base_inode_operations;
17917 - inode->i_fop = &proc_tgid_base_operations;
17918 - inode->i_flags|=S_IMMUTABLE;
17919 -@@ -2421,7 +2494,11 @@ struct dentry *proc_pid_lookup(struct in
17920 - if (!task)
17921 - goto out;
17922 -
17923 -+ if (gr_check_hidden_task(task))
17924 -+ goto out_put_task;
17925 -+
17926 - result = proc_pid_instantiate(dir, dentry, task, NULL);
17927 -+out_put_task:
17928 - put_task_struct(task);
17929 - out:
17930 - return result;
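Review bot: `proc_pid_lookup` tests only `gr_check_hidden_task(task)`, whereas the other lookup and readdir paths in this patch (`proc_pident_lookup`, `proc_pident_readdir`, `proc_base_lookup`, `proc_pid_readdir`) test `gr_pid_is_chrooted(task) || gr_check_hidden_task(task)`. If a chrooted process is meant to be reachable by direct `/proc/<pid>` lookup but not listed by readdir, say so in a comment; otherwise this looks like a missed check. The new `out_put_task:` label is correct: the task reference is released on both paths.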
17931 -@@ -2486,6 +2563,9 @@ int proc_pid_readdir(struct file * filp,
17932 - {
17933 - unsigned int nr = filp->f_pos - FIRST_PROCESS_ENTRY;
17934 - struct task_struct *reaper = get_proc_task(filp->f_path.dentry->d_inode);
17935 -+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
17936 -+ struct task_struct *tmp = current;
17937 -+#endif
17938 - struct tgid_iter iter;
17939 - struct pid_namespace *ns;
17940 -
17941 -@@ -2504,6 +2584,17 @@ int proc_pid_readdir(struct file * filp,
17942 - for (iter = next_tgid(ns, iter);
17943 - iter.task;
17944 - iter.tgid += 1, iter = next_tgid(ns, iter)) {
17945 -+ if (gr_pid_is_chrooted(iter.task) || gr_check_hidden_task(iter.task)
17946 -+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
17947 -+ || (tmp->uid && (iter.task->uid != tmp->uid)
17948 -+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
17949 -+ && !in_group_p(CONFIG_GRKERNSEC_PROC_GID)
17950 -+#endif
17951 -+ )
17952 -+#endif
17953 -+ )
17954 -+ continue;
17955 -+
17956 - filp->f_pos = iter.tgid + TGID_OFFSET;
17957 - if (proc_pid_fill_cache(filp, dirent, filldir, iter) < 0) {
17958 - put_task_struct(iter.task);
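Review bot: the skip condition in the `proc_pid_readdir` loop nests two levels of `#ifdef` inside a single `if (...)` expression, which is hard to match up by eye and duplicates the visibility logic in `pid_getattr`; factor it into one `static inline` helper (say `gr_proc_task_visible()`, a hypothetical name) used by both. The `continue` itself is safe provided `next_tgid()` keeps releasing the previous `iter.task` in the loop increment, so no reference is leaked by skipping the body; a comment stating that dependency would help.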
17959 -diff -urNp linux-2.6.24.4/fs/proc/inode.c linux-2.6.24.4/fs/proc/inode.c
17960 ---- linux-2.6.24.4/fs/proc/inode.c 2008-03-24 14:49:18.000000000 -0400
17961 -+++ linux-2.6.24.4/fs/proc/inode.c 2008-03-26 17:56:56.000000000 -0400
17962 -@@ -411,7 +411,11 @@ struct inode *proc_get_inode(struct supe
17963 - if (de->mode) {
17964 - inode->i_mode = de->mode;
17965 - inode->i_uid = de->uid;
17966 -+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
17967 -+ inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
17968 -+#else
17969 - inode->i_gid = de->gid;
17970 -+#endif
17971 - }
17972 - if (de->size)
17973 - inode->i_size = de->size;
17974 -diff -urNp linux-2.6.24.4/fs/proc/internal.h linux-2.6.24.4/fs/proc/internal.h
17975 ---- linux-2.6.24.4/fs/proc/internal.h 2008-03-24 14:49:18.000000000 -0400
17976 -+++ linux-2.6.24.4/fs/proc/internal.h 2008-03-26 17:56:56.000000000 -0400
17977 -@@ -52,6 +52,9 @@ extern int proc_tid_stat(struct task_str
17978 - extern int proc_tgid_stat(struct task_struct *, char *);
17979 - extern int proc_pid_status(struct task_struct *, char *);
17980 - extern int proc_pid_statm(struct task_struct *, char *);
17981 -+#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
17982 -+extern int proc_pid_ipaddr(struct task_struct*,char*);
17983 -+#endif
17984 -
17985 - extern const struct file_operations proc_maps_operations;
17986 - extern const struct file_operations proc_numa_maps_operations;
17987 -diff -urNp linux-2.6.24.4/fs/proc/proc_misc.c linux-2.6.24.4/fs/proc/proc_misc.c
17988 ---- linux-2.6.24.4/fs/proc/proc_misc.c 2008-03-24 14:49:18.000000000 -0400
17989 -+++ linux-2.6.24.4/fs/proc/proc_misc.c 2008-03-26 17:56:56.000000000 -0400
17990 -@@ -687,6 +687,8 @@ void create_seq_entry(char *name, mode_t
17991 -
17992 - void __init proc_misc_init(void)
17993 - {
17994 -+ int gr_mode = 0;
17995 -+
17996 - static struct {
17997 - char *name;
17998 - int (*read_proc)(char*,char**,off_t,int,int*,void*);
17999 -@@ -702,13 +704,24 @@ void __init proc_misc_init(void)
18000 - {"stram", stram_read_proc},
18001 - #endif
18002 - {"filesystems", filesystems_read_proc},
18003 -+#ifndef CONFIG_GRKERNSEC_PROC_ADD
18004 - {"cmdline", cmdline_read_proc},
18005 -+#endif
18006 - {"execdomains", execdomains_read_proc},
18007 - {NULL,}
18008 - };
18009 - for (p = simple_ones; p->name; p++)
18010 - create_proc_read_entry(p->name, 0, NULL, p->read_proc, NULL);
18011 -
18012 -+#ifdef CONFIG_GRKERNSEC_PROC_USER
18013 -+ gr_mode = S_IRUSR;
18014 -+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
18015 -+ gr_mode = S_IRUSR | S_IRGRP;
18016 -+#endif
18017 -+#ifdef CONFIG_GRKERNSEC_PROC_ADD
18018 -+ create_proc_read_entry("cmdline", gr_mode, NULL, &cmdline_read_proc, NULL);
18019 -+#endif
18020 -+
18021 - proc_symlink("mounts", NULL, "self/mounts");
18022 -
18023 - /* And now for trickier ones */
18024 -@@ -721,7 +734,11 @@ void __init proc_misc_init(void)
18025 - }
18026 - #endif
18027 - create_seq_entry("locks", 0, &proc_locks_operations);
18028 -+#ifdef CONFIG_GRKERNSEC_PROC_ADD
18029 -+ create_seq_entry("devices", gr_mode, &proc_devinfo_operations);
18030 -+#else
18031 - create_seq_entry("devices", 0, &proc_devinfo_operations);
18032 -+#endif
18033 - create_seq_entry("cpuinfo", 0, &proc_cpuinfo_operations);
18034 - #ifdef CONFIG_BLOCK
18035 - create_seq_entry("partitions", 0, &proc_partitions_operations);
18036 -@@ -729,7 +746,11 @@ void __init proc_misc_init(void)
18037 - create_seq_entry("stat", 0, &proc_stat_operations);
18038 - create_seq_entry("interrupts", 0, &proc_interrupts_operations);
18039 - #ifdef CONFIG_SLABINFO
18040 -+#ifdef CONFIG_GRKRENSEC_PROC_ADD
18041 -+ create_seq_entry("slabinfo",S_IWUSR|gr_mode,&proc_slabinfo_operations);
18042 -+#else
18043 - create_seq_entry("slabinfo",S_IWUSR|S_IRUGO,&proc_slabinfo_operations);
18044 -+#endif
18045 - #ifdef CONFIG_DEBUG_SLAB_LEAK
18046 - create_seq_entry("slab_allocators", 0 ,&proc_slabstats_operations);
18047 - #endif
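Review bot: `#ifdef CONFIG_GRKRENSEC_PROC_ADD` in the `slabinfo` hunk is misspelled (`GRKRENSEC` for `GRKERNSEC`), so the symbol is never defined, the `gr_mode` branch is dead, and `/proc/slabinfo` is always registered `S_IWUSR|S_IRUGO` (world-readable) even with `CONFIG_GRKERNSEC_PROC_ADD` enabled, contrary to the evident intent. Fix the spelling; grepping the patch for `CONFIG_GR` symbols that do not appear in the Kconfig would catch this class of typo.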
18048 -@@ -747,7 +768,7 @@ void __init proc_misc_init(void)
18049 - #ifdef CONFIG_SCHEDSTATS
18050 - create_seq_entry("schedstat", 0, &proc_schedstat_operations);
18051 - #endif
18052 --#ifdef CONFIG_PROC_KCORE
18053 -+#if defined(CONFIG_PROC_KCORE) && !defined(CONFIG_GRKERNSEC_PROC_ADD)
18054 - proc_root_kcore = create_proc_entry("kcore", S_IRUSR, NULL);
18055 - if (proc_root_kcore) {
18056 - proc_root_kcore->proc_fops = &proc_kcore_operations;
18057 -diff -urNp linux-2.6.24.4/fs/proc/proc_net.c linux-2.6.24.4/fs/proc/proc_net.c
18058 ---- linux-2.6.24.4/fs/proc/proc_net.c 2008-03-24 14:49:18.000000000 -0400
18059 -+++ linux-2.6.24.4/fs/proc/proc_net.c 2008-03-26 17:56:56.000000000 -0400
18060 -@@ -69,7 +69,13 @@ static __net_init int proc_net_ns_init(s
18061 - goto out;
18062 -
18063 - err = -EEXIST;
18064 -+#ifdef CONFIG_GRKERNSEC_PROC_USER
18065 -+ netd = proc_mkdir_mode("net", S_IRUSR | S_IXUSR, root);
18066 -+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
18067 -+ netd = proc_mkdir_mode("net", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, root);
18068 -+#else
18069 - netd = proc_mkdir("net", root);
18070 -+#endif
18071 - if (!netd)
18072 - goto free_root;
18073 -
18074 -diff -urNp linux-2.6.24.4/fs/proc/proc_sysctl.c linux-2.6.24.4/fs/proc/proc_sysctl.c
18075 ---- linux-2.6.24.4/fs/proc/proc_sysctl.c 2008-03-24 14:49:18.000000000 -0400
18076 -+++ linux-2.6.24.4/fs/proc/proc_sysctl.c 2008-03-26 17:56:56.000000000 -0400
18077 -@@ -7,6 +7,8 @@
18078 - #include <linux/security.h>
18079 - #include "internal.h"
18080 -
18081 -+extern __u32 gr_handle_sysctl(const struct ctl_table *table, const int op);
18082 -+
18083 - static struct dentry_operations proc_sys_dentry_operations;
18084 - static const struct file_operations proc_sys_file_operations;
18085 - static struct inode_operations proc_sys_inode_operations;
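Review bot: the `extern __u32 gr_handle_sysctl(const struct ctl_table *table, const int op);` prototype is placed locally in `proc_sysctl.c` instead of `linux/grsecurity.h`, which the rest of this patch includes for its hooks; a local extern bypasses type checking against the definition. Move it to the header and give `op` a named type or enum, since the call sites pass bare literals (`001`, `0`).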
18086 -@@ -151,6 +153,9 @@ static struct dentry *proc_sys_lookup(st
18087 - if (!table)
18088 - goto out;
18089 -
18090 -+ if (gr_handle_sysctl(table, 001))
18091 -+ goto out;
18092 -+
18093 - err = ERR_PTR(-ENOMEM);
18094 - inode = proc_sys_make_inode(dir, table);
18095 - if (!inode)
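Review bot: `gr_handle_sysctl(table, 001)` passes the operation as an octal literal, and `proc_sys_readdir` below passes `0`; with no names it is impossible to tell from the call site what `001` asks for. Define constants (e.g. `GR_SYSCTL_LOOKUP` and `GR_SYSCTL_READDIR`, hypothetical names) in the header that declares the hook and use them at all three call sites in this file.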
18096 -@@ -360,6 +365,9 @@ static int proc_sys_readdir(struct file
18097 - if (pos < filp->f_pos)
18098 - continue;
18099 -
18100 -+ if (gr_handle_sysctl(table, 0))
18101 -+ continue;
18102 -+
18103 - if (proc_sys_fill_cache(filp, dirent, filldir, table) < 0)
18104 - goto out;
18105 - filp->f_pos = pos + 1;
18106 -@@ -422,6 +430,30 @@ out:
18107 - return error;
18108 - }
18109 -
18110 -+/* Eric Biederman is to blame */
18111 -+static int proc_sys_getattr(struct vfsmount *mnt, struct dentry *dentry, struct kstat *stat)
18112 -+{
18113 -+ int error = 0;
18114 -+ struct ctl_table_header *head;
18115 -+ struct ctl_table *table;
18116 -+
18117 -+ table = do_proc_sys_lookup(dentry->d_parent, &dentry->d_name, &head);
18118 -+ /* Has the sysctl entry disappeared on us? */
18119 -+ if (!table)
18120 -+ goto out;
18121 -+
18122 -+ if (gr_handle_sysctl(table, 001)) {
18123 -+ error = -ENOENT;
18124 -+ goto out;
18125 -+ }
18126 -+
18127 -+out:
18128 -+ sysctl_head_finish(head);
18129 -+
18130 -+ generic_fillattr(dentry->d_inode, stat);
18131 -+
18132 -+ return error;
18133 -+}
18134 - static int proc_sys_setattr(struct dentry *dentry, struct iattr *attr)
18135 - {
18136 - struct inode *inode = dentry->d_inode;
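Review bot: `proc_sys_getattr()` needs a real comment in place of `/* Eric Biederman is to blame */`: state what it does (returns `-ENOENT` for sysctl entries the grsecurity policy hides, so `stat()` agrees with `lookup()`) and note that the `out:` path relies on `do_proc_sys_lookup()` always assigning `head`, even when it returns a NULL table, because `sysctl_head_finish(head)` runs unconditionally. Also add the missing blank line between this function's closing brace and `proc_sys_setattr`, and mention that `generic_fillattr()` is deliberately still called on the error path.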
18137 -@@ -450,6 +482,7 @@ static struct inode_operations proc_sys_
18138 - .lookup = proc_sys_lookup,
18139 - .permission = proc_sys_permission,
18140 - .setattr = proc_sys_setattr,
18141 -+ .getattr = proc_sys_getattr,
18142 - };
18143 -
18144 - static int proc_sys_revalidate(struct dentry *dentry, struct nameidata *nd)
18145 -diff -urNp linux-2.6.24.4/fs/proc/root.c linux-2.6.24.4/fs/proc/root.c
18146 ---- linux-2.6.24.4/fs/proc/root.c 2008-03-24 14:49:18.000000000 -0400
18147 -+++ linux-2.6.24.4/fs/proc/root.c 2008-03-26 17:56:56.000000000 -0400
18148 -@@ -137,7 +137,15 @@ void __init proc_root_init(void)
18149 - #ifdef CONFIG_PROC_DEVICETREE
18150 - proc_device_tree_init();
18151 - #endif
18152 -+#ifdef CONFIG_GRKERNSEC_PROC_ADD
18153 -+#ifdef CONFIG_GRKERNSEC_PROC_USER
18154 -+ proc_bus = proc_mkdir_mode("bus", S_IRUSR | S_IXUSR, NULL);
18155 -+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
18156 -+ proc_bus = proc_mkdir_mode("bus", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, NULL);
18157 -+#endif
18158 -+#else
18159 - proc_bus = proc_mkdir("bus", NULL);
18160 -+#endif
18161 - proc_sys_init();
18162 - }
18163 -
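Review bot: in `proc_root_init`, when `CONFIG_GRKERNSEC_PROC_ADD` is set but neither `CONFIG_GRKERNSEC_PROC_USER` nor `CONFIG_GRKERNSEC_PROC_USERGROUP` is, no branch creates `bus` and `proc_bus` stays NULL. Either add a fallback `proc_bus = proc_mkdir("bus", NULL);` under the inner `#if` chain (the `proc_misc.c` hunk handles the same combination with `gr_mode = 0`), or confirm that Kconfig forbids that combination and say so in a comment.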
18164 -diff -urNp linux-2.6.24.4/fs/proc/task_mmu.c linux-2.6.24.4/fs/proc/task_mmu.c
18165 ---- linux-2.6.24.4/fs/proc/task_mmu.c 2008-03-24 14:49:18.000000000 -0400
18166 -+++ linux-2.6.24.4/fs/proc/task_mmu.c 2008-03-26 17:56:56.000000000 -0400
18167 -@@ -44,15 +44,27 @@ char *task_mem(struct mm_struct *mm, cha
18168 - "VmStk:\t%8lu kB\n"
18169 - "VmExe:\t%8lu kB\n"
18170 - "VmLib:\t%8lu kB\n"
18171 -- "VmPTE:\t%8lu kB\n",
18172 -- hiwater_vm << (PAGE_SHIFT-10),
18173 -+ "VmPTE:\t%8lu kB\n"
18174 -+
18175 -+#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
18176 -+ "CsBase:\t%8lx\nCsLim:\t%8lx\n"
18177 -+#endif
18178 -+
18179 -+ ,hiwater_vm << (PAGE_SHIFT-10),
18180 - (total_vm - mm->reserved_vm) << (PAGE_SHIFT-10),
18181 - mm->locked_vm << (PAGE_SHIFT-10),
18182 - hiwater_rss << (PAGE_SHIFT-10),
18183 - total_rss << (PAGE_SHIFT-10),
18184 - data << (PAGE_SHIFT-10),
18185 - mm->stack_vm << (PAGE_SHIFT-10), text, lib,
18186 -- (PTRS_PER_PTE*sizeof(pte_t)*mm->nr_ptes) >> 10);
18187 -+ (PTRS_PER_PTE*sizeof(pte_t)*mm->nr_ptes) >> 10
18188 -+
18189 -+#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
18190 -+ , mm->context.user_cs_base, mm->context.user_cs_limit
18191 -+#endif
18192 -+
18193 -+ );
18194 -+
18195 - return buffer;
18196 - }
18197 -
18198 -@@ -131,6 +143,12 @@ struct pmd_walker {
18199 - unsigned long, void *);
18200 - };
18201 -
18202 -+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
18203 -+#define PAX_RAND_FLAGS(_mm) (_mm != NULL && _mm != current->mm && \
18204 -+ (_mm->pax_flags & MF_PAX_RANDMMAP || \
18205 -+ _mm->pax_flags & MF_PAX_SEGMEXEC))
18206 -+#endif
18207 -+
18208 - static int show_map_internal(struct seq_file *m, void *v, struct mem_size_stats *mss)
18209 - {
18210 - struct proc_maps_private *priv = m->private;
18211 -@@ -153,13 +171,22 @@ static int show_map_internal(struct seq_
18212 - }
18213 -
18214 - seq_printf(m, "%08lx-%08lx %c%c%c%c %08lx %02x:%02x %lu %n",
18215 -+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
18216 -+ PAX_RAND_FLAGS(mm) ? 0UL : vma->vm_start,
18217 -+ PAX_RAND_FLAGS(mm) ? 0UL : vma->vm_end,
18218 -+#else
18219 - vma->vm_start,
18220 - vma->vm_end,
18221 -+#endif
18222 - flags & VM_READ ? 'r' : '-',
18223 - flags & VM_WRITE ? 'w' : '-',
18224 - flags & VM_EXEC ? 'x' : '-',
18225 - flags & VM_MAYSHARE ? 's' : 'p',
18226 -+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
18227 -+ PAX_RAND_FLAGS(mm) ? 0UL : vma->vm_pgoff << PAGE_SHIFT,
18228 -+#else
18229 - vma->vm_pgoff << PAGE_SHIFT,
18230 -+#endif
18231 - MAJOR(dev), MINOR(dev), ino, &len);
18232 -
18233 - /*
18234 -@@ -173,11 +200,11 @@ static int show_map_internal(struct seq_
18235 - const char *name = arch_vma_name(vma);
18236 - if (!name) {
18237 - if (mm) {
18238 -- if (vma->vm_start <= mm->start_brk &&
18239 -- vma->vm_end >= mm->brk) {
18240 -+ if (vma->vm_start <= mm->brk && vma->vm_end >= mm->start_brk) {
18241 - name = "[heap]";
18242 -- } else if (vma->vm_start <= mm->start_stack &&
18243 -- vma->vm_end >= mm->start_stack) {
18244 -+ } else if ((vma->vm_flags & (VM_GROWSDOWN | VM_GROWSUP)) ||
18245 -+ (vma->vm_start <= mm->start_stack &&
18246 -+ vma->vm_end >= mm->start_stack)) {
18247 - name = "[stack]";
18248 - }
18249 - } else {
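Review bot: the `[heap]`/`[stack]` relabelling in `show_map_internal` widens both tests: a VMA now counts as heap if it merely overlaps `[start_brk, brk]`, and as stack if it has `VM_GROWSDOWN` or `VM_GROWSUP` set regardless of where it lies. That changes what `/proc/<pid>/maps` reports for user-created grows-down mappings, so it should be called out as a behavioural change rather than folded silently into the randomization hunk.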
18250 -@@ -191,7 +218,27 @@ static int show_map_internal(struct seq_
18251 - }
18252 - seq_putc(m, '\n');
18253 -
18254 -- if (mss)
18255 -+
18256 -+ if (mss) {
18257 -+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
18258 -+ if (PAX_RAND_FLAGS(mm))
18259 -+ seq_printf(m,
18260 -+ "Size: %8lu kB\n"
18261 -+ "Rss: %8lu kB\n"
18262 -+ "Shared_Clean: %8lu kB\n"
18263 -+ "Shared_Dirty: %8lu kB\n"
18264 -+ "Private_Clean: %8lu kB\n"
18265 -+ "Private_Dirty: %8lu kB\n",
18266 -+ "Referenced: %8lu kB\n",
18267 -+ 0UL,
18268 -+ 0UL,
18269 -+ 0UL,
18270 -+ 0UL,
18271 -+ 0UL,
18272 -+ 0UL,
18273 -+ 0UL);
18274 -+ else
18275 -+#endif
18276 - seq_printf(m,
18277 - "Size: %8lu kB\n"
18278 - "Rss: %8lu kB\n"
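Review bot: the format string in the randomized branch is broken: `"Private_Dirty: %8lu kB\n",` ends with a comma, so `"Referenced: %8lu kB\n"` becomes the first variadic argument instead of the tail of the format. The call therefore has a six-conversion format fed a `char *` plus six of the seven `0UL`s: Size prints the address of the string literal, Referenced is never printed, and the last `0UL` is unused. Drop the stray comma so the seven literals concatenate into one format that matches the seven `0UL` arguments, mirroring the unmodified seq_printf that follows.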
18279 -@@ -207,6 +254,7 @@ static int show_map_internal(struct seq_
18280 - mss->private_clean >> 10,
18281 - mss->private_dirty >> 10,
18282 - mss->referenced >> 10);
18283 -+ }
18284 -
18285 - if (m->count < m->size) /* vma is copied successfully */
18286 - m->version = (vma != get_gate_vma(task))? vma->vm_start: 0;
18287 -diff -urNp linux-2.6.24.4/fs/readdir.c linux-2.6.24.4/fs/readdir.c
18288 ---- linux-2.6.24.4/fs/readdir.c 2008-03-24 14:49:18.000000000 -0400
18289 -+++ linux-2.6.24.4/fs/readdir.c 2008-03-26 17:56:56.000000000 -0400
18290 -@@ -16,6 +16,8 @@
18291 - #include <linux/security.h>
18292 - #include <linux/syscalls.h>
18293 - #include <linux/unistd.h>
18294 -+#include <linux/namei.h>
18295 -+#include <linux/grsecurity.h>
18296 -
18297 - #include <asm/uaccess.h>
18298 -
18299 -@@ -64,6 +66,7 @@ struct old_linux_dirent {
18300 -
18301 - struct readdir_callback {
18302 - struct old_linux_dirent __user * dirent;
18303 -+ struct file * file;
18304 - int result;
18305 - };
18306 -
18307 -@@ -79,6 +82,10 @@ static int fillonedir(void * __buf, cons
18308 - d_ino = ino;
18309 - if (sizeof(d_ino) < sizeof(ino) && d_ino != ino)
18310 - return -EOVERFLOW;
18311 -+
18312 -+ if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
18313 -+ return 0;
18314 -+
18315 - buf->result++;
18316 - dirent = buf->dirent;
18317 - if (!access_ok(VERIFY_WRITE, dirent,
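Review bot: gr_acl_handle_filldir is consulted only after the `d_ino != ino` overflow test, so an entry the policy wants hidden can still turn the whole readdir into -EOVERFLOW when its inode number does not fit the old dirent; the same ordering is used in filldir below. Moving the ACL check above the overflow test makes a hidden entry behave exactly like an absent one on every return path. Returning 0 (skip and keep iterating) rather than an error is the right choice for hiding, and leaving `buf->result` untouched for skipped entries is correct.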
18318 -@@ -110,6 +117,7 @@ asmlinkage long old_readdir(unsigned int
18319 -
18320 - buf.result = 0;
18321 - buf.dirent = dirent;
18322 -+ buf.file = file;
18323 -
18324 - error = vfs_readdir(file, fillonedir, &buf);
18325 - if (error >= 0)
18326 -@@ -136,6 +144,7 @@ struct linux_dirent {
18327 - struct getdents_callback {
18328 - struct linux_dirent __user * current_dir;
18329 - struct linux_dirent __user * previous;
18330 -+ struct file * file;
18331 - int count;
18332 - int error;
18333 - };
18334 -@@ -154,6 +163,10 @@ static int filldir(void * __buf, const c
18335 - d_ino = ino;
18336 - if (sizeof(d_ino) < sizeof(ino) && d_ino != ino)
18337 - return -EOVERFLOW;
18338 -+
18339 -+ if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
18340 -+ return 0;
18341 -+
18342 - dirent = buf->previous;
18343 - if (dirent) {
18344 - if (__put_user(offset, &dirent->d_off))
18345 -@@ -200,6 +213,7 @@ asmlinkage long sys_getdents(unsigned in
18346 - buf.previous = NULL;
18347 - buf.count = count;
18348 - buf.error = 0;
18349 -+ buf.file = file;
18350 -
18351 - error = vfs_readdir(file, filldir, &buf);
18352 - if (error < 0)
18353 -@@ -222,6 +236,7 @@ out:
18354 - struct getdents_callback64 {
18355 - struct linux_dirent64 __user * current_dir;
18356 - struct linux_dirent64 __user * previous;
18357 -+ struct file *file;
18358 - int count;
18359 - int error;
18360 - };
18361 -@@ -236,6 +251,10 @@ static int filldir64(void * __buf, const
18362 - buf->error = -EINVAL; /* only used if we fail.. */
18363 - if (reclen > buf->count)
18364 - return -EINVAL;
18365 -+
18366 -+ if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
18367 -+ return 0;
18368 -+
18369 - dirent = buf->previous;
18370 - if (dirent) {
18371 - if (__put_user(offset, &dirent->d_off))
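Review bot: in filldir64 the ACL check sits after `reclen > buf->count` has already set `buf->error = -EINVAL` and returned, so a hidden entry that does not fit the remaining user buffer still terminates the current getdents64 batch and costs the caller another syscall before it is finally skipped. Placing the hidden check before the size check avoids that, and the three callbacks (fillonedir, filldir, filldir64) should agree on where the check goes.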
18372 -@@ -282,6 +301,7 @@ asmlinkage long sys_getdents64(unsigned
18373 -
18374 - buf.current_dir = dirent;
18375 - buf.previous = NULL;
18376 -+ buf.file = file;
18377 - buf.count = count;
18378 - buf.error = 0;
18379 -
18380 -diff -urNp linux-2.6.24.4/fs/smbfs/symlink.c linux-2.6.24.4/fs/smbfs/symlink.c
18381 ---- linux-2.6.24.4/fs/smbfs/symlink.c 2008-03-24 14:49:18.000000000 -0400
18382 -+++ linux-2.6.24.4/fs/smbfs/symlink.c 2008-03-26 17:56:56.000000000 -0400
18383 -@@ -55,7 +55,7 @@ static void *smb_follow_link(struct dent
18384 -
18385 - static void smb_put_link(struct dentry *dentry, struct nameidata *nd, void *p)
18386 - {
18387 -- char *s = nd_get_link(nd);
18388 -+ const char *s = nd_get_link(nd);
18389 - if (!IS_ERR(s))
18390 - __putname(s);
18391 - }
18392 -diff -urNp linux-2.6.24.4/fs/sysfs/symlink.c linux-2.6.24.4/fs/sysfs/symlink.c
18393 ---- linux-2.6.24.4/fs/sysfs/symlink.c 2008-03-24 14:49:18.000000000 -0400
18394 -+++ linux-2.6.24.4/fs/sysfs/symlink.c 2008-03-26 17:56:56.000000000 -0400
18395 -@@ -172,7 +172,7 @@ static void *sysfs_follow_link(struct de
18396 -
18397 - static void sysfs_put_link(struct dentry *dentry, struct nameidata *nd, void *cookie)
18398 - {
18399 -- char *page = nd_get_link(nd);
18400 -+ const char *page = nd_get_link(nd);
18401 - if (!IS_ERR(page))
18402 - free_page((unsigned long)page);
18403 - }
18404 -diff -urNp linux-2.6.24.4/fs/udf/balloc.c linux-2.6.24.4/fs/udf/balloc.c
18405 ---- linux-2.6.24.4/fs/udf/balloc.c 2008-03-24 14:49:18.000000000 -0400
18406 -+++ linux-2.6.24.4/fs/udf/balloc.c 2008-03-26 17:56:56.000000000 -0400
18407 -@@ -154,8 +154,7 @@ static void udf_bitmap_free_blocks(struc
18408 - unsigned long overflow;
18409 -
18410 - mutex_lock(&sbi->s_alloc_mutex);
18411 -- if (bloc.logicalBlockNum < 0 ||
18412 -- (bloc.logicalBlockNum + count) > UDF_SB_PARTLEN(sb, bloc.partitionReferenceNum)) {
18413 -+ if (bloc.logicalBlockNum + count > UDF_SB_PARTLEN(sb, bloc.partitionReferenceNum)) {
18414 - udf_debug("%d < %d || %d + %d > %d\n",
18415 - bloc.logicalBlockNum, 0, bloc.logicalBlockNum, count,
18416 - UDF_SB_PARTLEN(sb, bloc.partitionReferenceNum));
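Review bot: the `bloc.logicalBlockNum < 0` test is removed, but the udf_debug line that follows still prints `"%d < %d || %d + %d > %d\n"` with `bloc.logicalBlockNum, 0` as its first pair, describing a comparison that no longer exists; trim the format and argument list to the surviving `%d + %d > %d` check. If the field is unsigned (presumably the reason the test is dropped), note that `bloc.logicalBlockNum + count` can wrap for a large `count` and slip under UDF_SB_PARTLEN; a subtraction form such as `count > PARTLEN - logicalBlockNum` (after checking `logicalBlockNum <= PARTLEN`) does not wrap.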
18417 -@@ -221,7 +220,7 @@ static int udf_bitmap_prealloc_blocks(st
18418 - struct buffer_head *bh;
18419 -
18420 - mutex_lock(&sbi->s_alloc_mutex);
18421 -- if (first_block < 0 || first_block >= UDF_SB_PARTLEN(sb, partition))
18422 -+ if (first_block >= UDF_SB_PARTLEN(sb, partition))
18423 - goto out;
18424 -
18425 - if (first_block + block_count > UDF_SB_PARTLEN(sb, partition))
18426 -@@ -287,7 +286,7 @@ static int udf_bitmap_new_block(struct s
18427 - mutex_lock(&sbi->s_alloc_mutex);
18428 -
18429 - repeat:
18430 -- if (goal < 0 || goal >= UDF_SB_PARTLEN(sb, partition))
18431 -+ if (goal >= UDF_SB_PARTLEN(sb, partition))
18432 - goal = 0;
18433 -
18434 - nr_groups = bitmap->s_nr_groups;
18435 -@@ -420,8 +419,7 @@ static void udf_table_free_blocks(struct
18436 - int i;
18437 -
18438 - mutex_lock(&sbi->s_alloc_mutex);
18439 -- if (bloc.logicalBlockNum < 0 ||
18440 -- (bloc.logicalBlockNum + count) > UDF_SB_PARTLEN(sb, bloc.partitionReferenceNum)) {
18441 -+ if (bloc.logicalBlockNum + count > UDF_SB_PARTLEN(sb, bloc.partitionReferenceNum)) {
18442 - udf_debug("%d < %d || %d + %d > %d\n",
18443 - bloc.logicalBlockNum, 0, bloc.logicalBlockNum, count,
18444 - UDF_SB_PARTLEN(sb, bloc.partitionReferenceNum));
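Review bot: same stale udf_debug message as in udf_bitmap_free_blocks above: the `%d < %d` pair and the `bloc.logicalBlockNum, 0` arguments describe the comparison this hunk deletes, and the same wrap-around caveat applies to the remaining `logicalBlockNum + count` bound; update the debug line together with the check.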
18445 -@@ -627,7 +625,7 @@ static int udf_table_prealloc_blocks(str
18446 - struct extent_position epos;
18447 - int8_t etype = -1;
18448 -
18449 -- if (first_block < 0 || first_block >= UDF_SB_PARTLEN(sb, partition))
18450 -+ if (first_block >= UDF_SB_PARTLEN(sb, partition))
18451 - return 0;
18452 -
18453 - if (UDF_I_ALLOCTYPE(table) == ICBTAG_FLAG_AD_SHORT)
18454 -@@ -703,7 +701,7 @@ static int udf_table_new_block(struct su
18455 - return newblock;
18456 -
18457 - mutex_lock(&sbi->s_alloc_mutex);
18458 -- if (goal < 0 || goal >= UDF_SB_PARTLEN(sb, partition))
18459 -+ if (goal >= UDF_SB_PARTLEN(sb, partition))
18460 - goal = 0;
18461 -
18462 - /* We search for the closest matching block to goal. If we find a exact hit,
18463 -diff -urNp linux-2.6.24.4/fs/udf/inode.c linux-2.6.24.4/fs/udf/inode.c
18464 ---- linux-2.6.24.4/fs/udf/inode.c 2008-03-24 14:49:18.000000000 -0400
18465 -+++ linux-2.6.24.4/fs/udf/inode.c 2008-03-26 17:56:56.000000000 -0400
18466 -@@ -311,9 +311,6 @@ static int udf_get_block(struct inode *i
18467 -
18468 - lock_kernel();
18469 -
18470 -- if (block < 0)
18471 -- goto abort_negative;
18472 --
18473 - if (block == UDF_I_NEXT_ALLOC_BLOCK(inode) + 1) {
18474 - UDF_I_NEXT_ALLOC_BLOCK(inode)++;
18475 - UDF_I_NEXT_ALLOC_GOAL(inode)++;
18476 -@@ -334,10 +331,6 @@ static int udf_get_block(struct inode *i
18477 - abort:
18478 - unlock_kernel();
18479 - return err;
18480 --
18481 --abort_negative:
18482 -- udf_warning(inode->i_sb, "udf_get_block", "block < 0");
18483 -- goto abort;
18484 - }
18485 -
18486 - static struct buffer_head *udf_getblk(struct inode *inode, long block,
18487 -diff -urNp linux-2.6.24.4/fs/ufs/inode.c linux-2.6.24.4/fs/ufs/inode.c
18488 ---- linux-2.6.24.4/fs/ufs/inode.c 2008-03-24 14:49:18.000000000 -0400
18489 -+++ linux-2.6.24.4/fs/ufs/inode.c 2008-03-26 17:56:56.000000000 -0400
18490 -@@ -56,9 +56,7 @@ static int ufs_block_to_path(struct inod
18491 -
18492 -
18493 - UFSD("ptrs=uspi->s_apb = %d,double_blocks=%ld \n",ptrs,double_blocks);
18494 -- if (i_block < 0) {
18495 -- ufs_warning(inode->i_sb, "ufs_block_to_path", "block < 0");
18496 -- } else if (i_block < direct_blocks) {
18497 -+ if (i_block < direct_blocks) {
18498 - offsets[n++] = i_block;
18499 - } else if ((i_block -= direct_blocks) < indirect_blocks) {
18500 - offsets[n++] = UFS_IND_BLOCK;
18501 -@@ -440,8 +438,6 @@ int ufs_getfrag_block(struct inode *inod
18502 - lock_kernel();
18503 -
18504 - UFSD("ENTER, ino %lu, fragment %llu\n", inode->i_ino, (unsigned long long)fragment);
18505 -- if (fragment < 0)
18506 -- goto abort_negative;
18507 - if (fragment >
18508 - ((UFS_NDADDR + uspi->s_apb + uspi->s_2apb + uspi->s_3apb)
18509 - << uspi->s_fpbshift))
18510 -@@ -504,10 +500,6 @@ abort:
18511 - unlock_kernel();
18512 - return err;
18513 -
18514 --abort_negative:
18515 -- ufs_warning(sb, "ufs_get_block", "block < 0");
18516 -- goto abort;
18517 --
18518 - abort_too_big:
18519 - ufs_warning(sb, "ufs_get_block", "block > big");
18520 - goto abort;
18521 -diff -urNp linux-2.6.24.4/fs/utimes.c linux-2.6.24.4/fs/utimes.c
18522 ---- linux-2.6.24.4/fs/utimes.c 2008-03-24 14:49:18.000000000 -0400
18523 -+++ linux-2.6.24.4/fs/utimes.c 2008-03-26 17:56:56.000000000 -0400
18524 -@@ -6,6 +6,7 @@
18525 - #include <linux/sched.h>
18526 - #include <linux/stat.h>
18527 - #include <linux/utime.h>
18528 -+#include <linux/grsecurity.h>
18529 - #include <asm/uaccess.h>
18530 - #include <asm/unistd.h>
18531 -
18532 -@@ -55,6 +56,7 @@ long do_utimes(int dfd, char __user *fil
18533 - int error;
18534 - struct nameidata nd;
18535 - struct dentry *dentry;
18536 -+ struct vfsmount *mnt;
18537 - struct inode *inode;
18538 - struct iattr newattrs;
18539 - struct file *f = NULL;
18540 -@@ -78,12 +80,14 @@ long do_utimes(int dfd, char __user *fil
18541 - if (!f)
18542 - goto out;
18543 - dentry = f->f_path.dentry;
18544 -+ mnt = f->f_path.mnt;
18545 - } else {
18546 - error = __user_walk_fd(dfd, filename, (flags & AT_SYMLINK_NOFOLLOW) ? 0 : LOOKUP_FOLLOW, &nd);
18547 - if (error)
18548 - goto out;
18549 -
18550 - dentry = nd.dentry;
18551 -+ mnt = nd.mnt;
18552 - }
18553 -
18554 - inode = dentry->d_inode;
18555 -@@ -130,6 +134,12 @@ long do_utimes(int dfd, char __user *fil
18556 - }
18557 - }
18558 - }
18559 -+
18560 -+ if (!gr_acl_handle_utime(dentry, mnt)) {
18561 -+ error = -EACCES;
18562 -+ goto dput_and_out;
18563 -+ }
18564 -+
18565 - mutex_lock(&inode->i_mutex);
18566 - error = notify_change(dentry, &newattrs);
18567 - mutex_unlock(&inode->i_mutex);
18568 -diff -urNp linux-2.6.24.4/fs/xfs/linux-2.6/xfs_iops.c linux-2.6.24.4/fs/xfs/linux-2.6/xfs_iops.c
18569 ---- linux-2.6.24.4/fs/xfs/linux-2.6/xfs_iops.c 2008-03-24 14:49:18.000000000 -0400
18570 -+++ linux-2.6.24.4/fs/xfs/linux-2.6/xfs_iops.c 2008-03-26 17:56:56.000000000 -0400
18571 -@@ -534,7 +534,7 @@ xfs_vn_put_link(
18572 - struct nameidata *nd,
18573 - void *p)
18574 - {
18575 -- char *s = nd_get_link(nd);
18576 -+ const char *s = nd_get_link(nd);
18577 -
18578 - if (!IS_ERR(s))
18579 - kfree(s);
18580 -diff -urNp linux-2.6.24.4/fs/xfs/xfs_bmap.c linux-2.6.24.4/fs/xfs/xfs_bmap.c
18581 ---- linux-2.6.24.4/fs/xfs/xfs_bmap.c 2008-03-24 14:49:18.000000000 -0400
18582 -+++ linux-2.6.24.4/fs/xfs/xfs_bmap.c 2008-03-26 17:56:56.000000000 -0400
18583 -@@ -360,7 +360,7 @@ xfs_bmap_validate_ret(
18584 - int nmap,
18585 - int ret_nmap);
18586 - #else
18587 --#define xfs_bmap_validate_ret(bno,len,flags,mval,onmap,nmap)
18588 -+#define xfs_bmap_validate_ret(bno,len,flags,mval,onmap,nmap) do {} while (0)
18589 - #endif /* DEBUG */
18590 -
18591 - #if defined(XFS_RW_TRACE)
18592 -diff -urNp linux-2.6.24.4/grsecurity/gracl_alloc.c linux-2.6.24.4/grsecurity/gracl_alloc.c
18593 ---- linux-2.6.24.4/grsecurity/gracl_alloc.c 1969-12-31 19:00:00.000000000 -0500
18594 -+++ linux-2.6.24.4/grsecurity/gracl_alloc.c 2008-03-26 17:56:56.000000000 -0400
18595 -@@ -0,0 +1,91 @@
18596 -+#include <linux/kernel.h>
18597 -+#include <linux/mm.h>
18598 -+#include <linux/slab.h>
18599 -+#include <linux/vmalloc.h>
18600 -+#include <linux/gracl.h>
18601 -+#include <linux/grsecurity.h>
18602 -+
18603 -+static unsigned long alloc_stack_next = 1;
18604 -+static unsigned long alloc_stack_size = 1;
18605 -+static void **alloc_stack;
18606 -+
18607 -+static __inline__ int
18608 -+alloc_pop(void)
18609 -+{
18610 -+ if (alloc_stack_next == 1)
18611 -+ return 0;
18612 -+
18613 -+ kfree(alloc_stack[alloc_stack_next - 2]);
18614 -+
18615 -+ alloc_stack_next--;
18616 -+
18617 -+ return 1;
18618 -+}
18619 -+
18620 -+static __inline__ void
18621 -+alloc_push(void *buf)
18622 -+{
18623 -+ if (alloc_stack_next >= alloc_stack_size)
18624 -+ BUG();
18625 -+
18626 -+ alloc_stack[alloc_stack_next - 1] = buf;
18627 -+
18628 -+ alloc_stack_next++;
18629 -+
18630 -+ return;
18631 -+}
18632 -+
18633 -+void *
18634 -+acl_alloc(unsigned long len)
18635 -+{
18636 -+ void *ret;
18637 -+
18638 -+ if (len > PAGE_SIZE)
18639 -+ BUG();
18640 -+
18641 -+ ret = kmalloc(len, GFP_KERNEL);
18642 -+
18643 -+ if (ret)
18644 -+ alloc_push(ret);
18645 -+
18646 -+ return ret;
18647 -+}
18648 -+
18649 -+void
18650 -+acl_free_all(void)
18651 -+{
18652 -+ if (gr_acl_is_enabled() || !alloc_stack)
18653 -+ return;
18654 -+
18655 -+ while (alloc_pop()) ;
18656 -+
18657 -+ if (alloc_stack) {
18658 -+ if ((alloc_stack_size * sizeof (void *)) <= PAGE_SIZE)
18659 -+ kfree(alloc_stack);
18660 -+ else
18661 -+ vfree(alloc_stack);
18662 -+ }
18663 -+
18664 -+ alloc_stack = NULL;
18665 -+ alloc_stack_size = 1;
18666 -+ alloc_stack_next = 1;
18667 -+
18668 -+ return;
18669 -+}
18670 -+
18671 -+int
18672 -+acl_alloc_stack_init(unsigned long size)
18673 -+{
18674 -+ if ((size * sizeof (void *)) <= PAGE_SIZE)
18675 -+ alloc_stack =
18676 -+ (void **) kmalloc(size * sizeof (void *), GFP_KERNEL);
18677 -+ else
18678 -+ alloc_stack = (void **) vmalloc(size * sizeof (void *));
18679 -+
18680 -+ alloc_stack_size = size;
18681 -+
18682 -+ if (!alloc_stack)
18683 -+ return 0;
18684 -+ else
18685 -+ return 1;
18686 -+}
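Review bot: acl_alloc calls BUG() when `len > PAGE_SIZE`, and alloc_push calls BUG() when the `alloc_stack_size` slots reserved by acl_alloc_stack_init are exhausted; both conditions are driven by the policy being loaded, so a malformed or miscounted policy panics the kernel instead of failing the load. Returning NULL from acl_alloc in both cases is enough: it already tolerates a NULL from kmalloc, and acl_free_all can unwind whatever was pushed. Minor points: acl_free_all returns early on `!alloc_stack`, so the inner `if (alloc_stack)` is redundant, and `while (alloc_pop()) ;` deserves a comment that alloc_pop frees slot `alloc_stack_next - 2` because `alloc_stack_next` is kept 1-based (alloc_push stores at `alloc_stack_next - 1` and then increments).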
18687 -diff -urNp linux-2.6.24.4/grsecurity/gracl.c linux-2.6.24.4/grsecurity/gracl.c
18688 ---- linux-2.6.24.4/grsecurity/gracl.c 1969-12-31 19:00:00.000000000 -0500
18689 -+++ linux-2.6.24.4/grsecurity/gracl.c 2008-03-26 17:56:56.000000000 -0400
18690 -@@ -0,0 +1,3722 @@
18691 -+#include <linux/kernel.h>
18692 -+#include <linux/module.h>
18693 -+#include <linux/sched.h>
18694 -+#include <linux/mm.h>
18695 -+#include <linux/file.h>
18696 -+#include <linux/fs.h>
18697 -+#include <linux/namei.h>
18698 -+#include <linux/mount.h>
18699 -+#include <linux/tty.h>
18700 -+#include <linux/proc_fs.h>
18701 -+#include <linux/smp_lock.h>
18702 -+#include <linux/slab.h>
18703 -+#include <linux/vmalloc.h>
18704 -+#include <linux/types.h>
18705 -+#include <linux/capability.h>
18706 -+#include <linux/sysctl.h>
18707 -+#include <linux/netdevice.h>
18708 -+#include <linux/ptrace.h>
18709 -+#include <linux/gracl.h>
18710 -+#include <linux/gralloc.h>
18711 -+#include <linux/grsecurity.h>
18712 -+#include <linux/grinternal.h>
18713 -+#include <linux/pid_namespace.h>
18714 -+#include <linux/percpu.h>
18715 -+
18716 -+#include <asm/uaccess.h>
18717 -+#include <asm/errno.h>
18718 -+#include <asm/mman.h>
18719 -+
18720 -+static struct acl_role_db acl_role_set;
18721 -+static struct name_db name_set;
18722 -+static struct inodev_db inodev_set;
18723 -+
18724 -+/* for keeping track of userspace pointers used for subjects, so we
18725 -+ can share references in the kernel as well
18726 -+*/
18727 -+
18728 -+static struct dentry *real_root;
18729 -+static struct vfsmount *real_root_mnt;
18730 -+
18731 -+static struct acl_subj_map_db subj_map_set;
18732 -+
18733 -+static struct acl_role_label *default_role;
18734 -+
18735 -+static u16 acl_sp_role_value;
18736 -+
18737 -+extern char *gr_shared_page[4];
18738 -+static DECLARE_MUTEX(gr_dev_sem);
18739 -+rwlock_t gr_inode_lock = RW_LOCK_UNLOCKED;
18740 -+
18741 -+struct gr_arg *gr_usermode;
18742 -+
18743 -+static unsigned int gr_status = GR_STATUS_INIT;
18744 -+
18745 -+extern int chkpw(struct gr_arg *entry, unsigned char *salt, unsigned char *sum);
18746 -+extern void gr_clear_learn_entries(void);
18747 -+
18748 -+#ifdef CONFIG_GRKERNSEC_RESLOG
18749 -+extern void gr_log_resource(const struct task_struct *task,
18750 -+ const int res, const unsigned long wanted, const int gt);
18751 -+#endif
18752 -+
18753 -+unsigned char *gr_system_salt;
18754 -+unsigned char *gr_system_sum;
18755 -+
18756 -+static struct sprole_pw **acl_special_roles = NULL;
18757 -+static __u16 num_sprole_pws = 0;
18758 -+
18759 -+static struct acl_role_label *kernel_role = NULL;
18760 -+
18761 -+static unsigned int gr_auth_attempts = 0;
18762 -+static unsigned long gr_auth_expires = 0UL;
18763 -+
18764 -+extern struct vfsmount *sock_mnt;
18765 -+extern struct vfsmount *pipe_mnt;
18766 -+extern struct vfsmount *shm_mnt;
18767 -+static struct acl_object_label *fakefs_obj;
18768 -+
18769 -+extern int gr_init_uidset(void);
18770 -+extern void gr_free_uidset(void);
18771 -+extern void gr_remove_uid(uid_t uid);
18772 -+extern int gr_find_uid(uid_t uid);
18773 -+
18774 -+__inline__ int
18775 -+gr_acl_is_enabled(void)
18776 -+{
18777 -+ return (gr_status & GR_READY);
18778 -+}
18779 -+
18780 -+char gr_roletype_to_char(void)
18781 -+{
18782 -+ switch (current->role->roletype &
18783 -+ (GR_ROLE_DEFAULT | GR_ROLE_USER | GR_ROLE_GROUP |
18784 -+ GR_ROLE_SPECIAL)) {
18785 -+ case GR_ROLE_DEFAULT:
18786 -+ return 'D';
18787 -+ case GR_ROLE_USER:
18788 -+ return 'U';
18789 -+ case GR_ROLE_GROUP:
18790 -+ return 'G';
18791 -+ case GR_ROLE_SPECIAL:
18792 -+ return 'S';
18793 -+ }
18794 -+
18795 -+ return 'X';
18796 -+}
18797 -+
18798 -+__inline__ int
18799 -+gr_acl_tpe_check(void)
18800 -+{
18801 -+ if (unlikely(!(gr_status & GR_READY)))
18802 -+ return 0;
18803 -+ if (current->role->roletype & GR_ROLE_TPE)
18804 -+ return 1;
18805 -+ else
18806 -+ return 0;
18807 -+}
18808 -+
18809 -+int
18810 -+gr_handle_rawio(const struct inode *inode)
18811 -+{
18812 -+#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
18813 -+ if (inode && S_ISBLK(inode->i_mode) &&
18814 -+ grsec_enable_chroot_caps && proc_is_chrooted(current) &&
18815 -+ !capable(CAP_SYS_RAWIO))
18816 -+ return 1;
18817 -+#endif
18818 -+ return 0;
18819 -+}
18820 -+
18821 -+static int
18822 -+gr_streq(const char *a, const char *b, const unsigned int lena, const unsigned int lenb)
18823 -+{
18824 -+ int i;
18825 -+ unsigned long *l1;
18826 -+ unsigned long *l2;
18827 -+ unsigned char *c1;
18828 -+ unsigned char *c2;
18829 -+ int num_longs;
18830 -+
18831 -+ if (likely(lena != lenb))
18832 -+ return 0;
18833 -+
18834 -+ l1 = (unsigned long *)a;
18835 -+ l2 = (unsigned long *)b;
18836 -+
18837 -+ num_longs = lena / sizeof(unsigned long);
18838 -+
18839 -+ for (i = num_longs; i--; l1++, l2++) {
18840 -+ if (unlikely(*l1 != *l2))
18841 -+ return 0;
18842 -+ }
18843 -+
18844 -+ c1 = (unsigned char *) l1;
18845 -+ c2 = (unsigned char *) l2;
18846 -+
18847 -+ i = lena - (num_longs * sizeof(unsigned long));
18848 -+
18849 -+ for (; i--; c1++, c2++) {
18850 -+ if (unlikely(*c1 != *c2))
18851 -+ return 0;
18852 -+ }
18853 -+
18854 -+ return 1;
18855 -+}
18856 -+
18857 -+static char * __our_d_path(struct dentry *dentry, struct vfsmount *vfsmnt,
18858 -+ struct dentry *root, struct vfsmount *rootmnt,
18859 -+ char *buffer, int buflen)
18860 -+{
18861 -+ char * end = buffer+buflen;
18862 -+ char * retval;
18863 -+ int namelen;
18864 -+
18865 -+ *--end = '\0';
18866 -+ buflen--;
18867 -+
18868 -+ if (buflen < 1)
18869 -+ goto Elong;
18870 -+ /* Get '/' right */
18871 -+ retval = end-1;
18872 -+ *retval = '/';
18873 -+
18874 -+ for (;;) {
18875 -+ struct dentry * parent;
18876 -+
18877 -+ if (dentry == root && vfsmnt == rootmnt)
18878 -+ break;
18879 -+ if (dentry == vfsmnt->mnt_root || IS_ROOT(dentry)) {
18880 -+ /* Global root? */
18881 -+ spin_lock(&vfsmount_lock);
18882 -+ if (vfsmnt->mnt_parent == vfsmnt) {
18883 -+ spin_unlock(&vfsmount_lock);
18884 -+ goto global_root;
18885 -+ }
18886 -+ dentry = vfsmnt->mnt_mountpoint;
18887 -+ vfsmnt = vfsmnt->mnt_parent;
18888 -+ spin_unlock(&vfsmount_lock);
18889 -+ continue;
18890 -+ }
18891 -+ parent = dentry->d_parent;
18892 -+ prefetch(parent);
18893 -+ namelen = dentry->d_name.len;
18894 -+ buflen -= namelen + 1;
18895 -+ if (buflen < 0)
18896 -+ goto Elong;
18897 -+ end -= namelen;
18898 -+ memcpy(end, dentry->d_name.name, namelen);
18899 -+ *--end = '/';
18900 -+ retval = end;
18901 -+ dentry = parent;
18902 -+ }
18903 -+
18904 -+ return retval;
18905 -+
18906 -+global_root:
18907 -+ namelen = dentry->d_name.len;
18908 -+ buflen -= namelen;
18909 -+ if (buflen < 0)
18910 -+ goto Elong;
18911 -+ retval -= namelen-1; /* hit the slash */
18912 -+ memcpy(retval, dentry->d_name.name, namelen);
18913 -+ return retval;
18914 -+Elong:
18915 -+ return ERR_PTR(-ENAMETOOLONG);
18916 -+}
18917 -+
18918 -+static char *
18919 -+gen_full_path(struct dentry *dentry, struct vfsmount *vfsmnt,
18920 -+ struct dentry *root, struct vfsmount *rootmnt, char *buf, int buflen)
18921 -+{
18922 -+ char *retval;
18923 -+
18924 -+ retval = __our_d_path(dentry, vfsmnt, root, rootmnt, buf, buflen);
18925 -+ if (unlikely(IS_ERR(retval)))
18926 -+ retval = strcpy(buf, "<path too long>");
18927 -+ else if (unlikely(retval[1] == '/' && retval[2] == '\0'))
18928 -+ retval[1] = '\0';
18929 -+
18930 -+ return retval;
18931 -+}
18932 -+
18933 -+static char *
18934 -+__d_real_path(const struct dentry *dentry, const struct vfsmount *vfsmnt,
18935 -+ char *buf, int buflen)
18936 -+{
18937 -+ char *res;
18938 -+
18939 -+ /* we can use real_root, real_root_mnt, because this is only called
18940 -+ by the RBAC system */
18941 -+ res = gen_full_path((struct dentry *)dentry, (struct vfsmount *)vfsmnt, real_root, real_root_mnt, buf, buflen);
18942 -+
18943 -+ return res;
18944 -+}
18945 -+
18946 -+static char *
18947 -+d_real_path(const struct dentry *dentry, const struct vfsmount *vfsmnt,
18948 -+ char *buf, int buflen)
18949 -+{
18950 -+ char *res;
18951 -+ struct dentry *root;
18952 -+ struct vfsmount *rootmnt;
18953 -+ struct task_struct *reaper = current->nsproxy->pid_ns->child_reaper;
18954 -+
18955 -+ /* we can't use real_root, real_root_mnt, because they belong only to the RBAC system */
18956 -+ read_lock(&reaper->fs->lock);
18957 -+ root = dget(reaper->fs->root);
18958 -+ rootmnt = mntget(reaper->fs->rootmnt);
18959 -+ read_unlock(&reaper->fs->lock);
18960 -+
18961 -+ spin_lock(&dcache_lock);
18962 -+ res = gen_full_path((struct dentry *)dentry, (struct vfsmount *)vfsmnt, root, rootmnt, buf, buflen);
18963 -+ spin_unlock(&dcache_lock);
18964 -+
18965 -+ dput(root);
18966 -+ mntput(rootmnt);
18967 -+ return res;
18968 -+}
18969 -+
18970 -+static char *
18971 -+gr_to_filename_rbac(const struct dentry *dentry, const struct vfsmount *mnt)
18972 -+{
18973 -+ char *ret;
18974 -+ spin_lock(&dcache_lock);
18975 -+ ret = __d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0],smp_processor_id()),
18976 -+ PAGE_SIZE);
18977 -+ spin_unlock(&dcache_lock);
18978 -+ return ret;
18979 -+}
18980 -+
18981 -+char *
18982 -+gr_to_filename_nolock(const struct dentry *dentry, const struct vfsmount *mnt)
18983 -+{
18984 -+ return __d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0],smp_processor_id()),
18985 -+ PAGE_SIZE);
18986 -+}
18987 -+
18988 -+char *
18989 -+gr_to_filename(const struct dentry *dentry, const struct vfsmount *mnt)
18990 -+{
18991 -+ return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0], smp_processor_id()),
18992 -+ PAGE_SIZE);
18993 -+}
18994 -+
18995 -+char *
18996 -+gr_to_filename1(const struct dentry *dentry, const struct vfsmount *mnt)
18997 -+{
18998 -+ return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[1], smp_processor_id()),
18999 -+ PAGE_SIZE);
19000 -+}
19001 -+
19002 -+char *
19003 -+gr_to_filename2(const struct dentry *dentry, const struct vfsmount *mnt)
19004 -+{
19005 -+ return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[2], smp_processor_id()),
19006 -+ PAGE_SIZE);
19007 -+}
19008 -+
19009 -+char *
19010 -+gr_to_filename3(const struct dentry *dentry, const struct vfsmount *mnt)
19011 -+{
19012 -+ return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[3], smp_processor_id()),
19013 -+ PAGE_SIZE);
19014 -+}
19015 -+
19016 -+__inline__ __u32
19017 -+to_gr_audit(const __u32 reqmode)
19018 -+{
19019 -+ /* masks off auditable permission flags, then shifts them to create
19020 -+ auditing flags, and adds the special case of append auditing if
19021 -+ we're requesting write */
19022 -+ return (((reqmode & ~GR_AUDITS) << 10) | ((reqmode & GR_WRITE) ? GR_AUDIT_APPEND : 0));
19023 -+}
19024 -+
19025 -+struct acl_subject_label *
19026 -+lookup_subject_map(const struct acl_subject_label *userp)
19027 -+{
19028 -+ unsigned int index = shash(userp, subj_map_set.s_size);
19029 -+ struct subject_map *match;
19030 -+
19031 -+ match = subj_map_set.s_hash[index];
19032 -+
19033 -+ while (match && match->user != userp)
19034 -+ match = match->next;
19035 -+
19036 -+ if (match != NULL)
19037 -+ return match->kernel;
19038 -+ else
19039 -+ return NULL;
19040 -+}
19041 -+
19042 -+static void
19043 -+insert_subj_map_entry(struct subject_map *subjmap)
19044 -+{
19045 -+ unsigned int index = shash(subjmap->user, subj_map_set.s_size);
19046 -+ struct subject_map **curr;
19047 -+
19048 -+ subjmap->prev = NULL;
19049 -+
19050 -+ curr = &subj_map_set.s_hash[index];
19051 -+ if (*curr != NULL)
19052 -+ (*curr)->prev = subjmap;
19053 -+
19054 -+ subjmap->next = *curr;
19055 -+ *curr = subjmap;
19056 -+
19057 -+ return;
19058 -+}
19059 -+
19060 -+static struct acl_role_label *
19061 -+lookup_acl_role_label(const struct task_struct *task, const uid_t uid,
19062 -+ const gid_t gid)
19063 -+{
19064 -+ unsigned int index = rhash(uid, GR_ROLE_USER, acl_role_set.r_size);
19065 -+ struct acl_role_label *match;
19066 -+ struct role_allowed_ip *ipp;
19067 -+ unsigned int x;
19068 -+
19069 -+ match = acl_role_set.r_hash[index];
19070 -+
19071 -+ while (match) {
19072 -+ if ((match->roletype & (GR_ROLE_DOMAIN | GR_ROLE_USER)) == (GR_ROLE_DOMAIN | GR_ROLE_USER)) {
19073 -+ for (x = 0; x < match->domain_child_num; x++) {
19074 -+ if (match->domain_children[x] == uid)
19075 -+ goto found;
19076 -+ }
19077 -+ } else if (match->uidgid == uid && match->roletype & GR_ROLE_USER)
19078 -+ break;
19079 -+ match = match->next;
19080 -+ }
19081 -+found:
19082 -+ if (match == NULL) {
19083 -+ try_group:
19084 -+ index = rhash(gid, GR_ROLE_GROUP, acl_role_set.r_size);
19085 -+ match = acl_role_set.r_hash[index];
19086 -+
19087 -+ while (match) {
19088 -+ if ((match->roletype & (GR_ROLE_DOMAIN | GR_ROLE_GROUP)) == (GR_ROLE_DOMAIN | GR_ROLE_GROUP)) {
19089 -+ for (x = 0; x < match->domain_child_num; x++) {
19090 -+ if (match->domain_children[x] == gid)
19091 -+ goto found2;
19092 -+ }
19093 -+ } else if (match->uidgid == gid && match->roletype & GR_ROLE_GROUP)
19094 -+ break;
19095 -+ match = match->next;
19096 -+ }
19097 -+found2:
19098 -+ if (match == NULL)
19099 -+ match = default_role;
19100 -+ if (match->allowed_ips == NULL)
19101 -+ return match;
19102 -+ else {
19103 -+ for (ipp = match->allowed_ips; ipp; ipp = ipp->next) {
19104 -+ if (likely
19105 -+ ((ntohl(task->signal->curr_ip) & ipp->netmask) ==
19106 -+ (ntohl(ipp->addr) & ipp->netmask)))
19107 -+ return match;
19108 -+ }
19109 -+ match = default_role;
19110 -+ }
19111 -+ } else if (match->allowed_ips == NULL) {
19112 -+ return match;
19113 -+ } else {
19114 -+ for (ipp = match->allowed_ips; ipp; ipp = ipp->next) {
19115 -+ if (likely
19116 -+ ((ntohl(task->signal->curr_ip) & ipp->netmask) ==
19117 -+ (ntohl(ipp->addr) & ipp->netmask)))
19118 -+ return match;
19119 -+ }
19120 -+ goto try_group;
19121 -+ }
19122 -+
19123 -+ return match;
19124 -+}
19125 -+
19126 -+struct acl_subject_label *
19127 -+lookup_acl_subj_label(const ino_t ino, const dev_t dev,
19128 -+ const struct acl_role_label *role)
19129 -+{
19130 -+ unsigned int index = fhash(ino, dev, role->subj_hash_size);
19131 -+ struct acl_subject_label *match;
19132 -+
19133 -+ match = role->subj_hash[index];
19134 -+
19135 -+ while (match && (match->inode != ino || match->device != dev ||
19136 -+ (match->mode & GR_DELETED))) {
19137 -+ match = match->next;
19138 -+ }
19139 -+
19140 -+ if (match && !(match->mode & GR_DELETED))
19141 -+ return match;
19142 -+ else
19143 -+ return NULL;
19144 -+}
19145 -+
19146 -+static struct acl_object_label *
19147 -+lookup_acl_obj_label(const ino_t ino, const dev_t dev,
19148 -+ const struct acl_subject_label *subj)
19149 -+{
19150 -+ unsigned int index = fhash(ino, dev, subj->obj_hash_size);
19151 -+ struct acl_object_label *match;
19152 -+
19153 -+ match = subj->obj_hash[index];
19154 -+
19155 -+ while (match && (match->inode != ino || match->device != dev ||
19156 -+ (match->mode & GR_DELETED))) {
19157 -+ match = match->next;
19158 -+ }
19159 -+
19160 -+ if (match && !(match->mode & GR_DELETED))
19161 -+ return match;
19162 -+ else
19163 -+ return NULL;
19164 -+}
19165 -+
19166 -+static struct acl_object_label *
19167 -+lookup_acl_obj_label_create(const ino_t ino, const dev_t dev,
19168 -+ const struct acl_subject_label *subj)
19169 -+{
19170 -+ unsigned int index = fhash(ino, dev, subj->obj_hash_size);
19171 -+ struct acl_object_label *match;
19172 -+
19173 -+ match = subj->obj_hash[index];
19174 -+
19175 -+ while (match && (match->inode != ino || match->device != dev ||
19176 -+ !(match->mode & GR_DELETED))) {
19177 -+ match = match->next;
19178 -+ }
19179 -+
19180 -+ if (match && (match->mode & GR_DELETED))
19181 -+ return match;
19182 -+
19183 -+ match = subj->obj_hash[index];
19184 -+
19185 -+ while (match && (match->inode != ino || match->device != dev ||
19186 -+ (match->mode & GR_DELETED))) {
19187 -+ match = match->next;
19188 -+ }
19189 -+
19190 -+ if (match && !(match->mode & GR_DELETED))
19191 -+ return match;
19192 -+ else
19193 -+ return NULL;
19194 -+}
19195 -+
19196 -+static struct name_entry *
19197 -+lookup_name_entry(const char *name)
19198 -+{
19199 -+ unsigned int len = strlen(name);
19200 -+ unsigned int key = full_name_hash(name, len);
19201 -+ unsigned int index = key % name_set.n_size;
19202 -+ struct name_entry *match;
19203 -+
19204 -+ match = name_set.n_hash[index];
19205 -+
19206 -+ while (match && (match->key != key || !gr_streq(match->name, name, match->len, len)))
19207 -+ match = match->next;
19208 -+
19209 -+ return match;
19210 -+}
19211 -+
19212 -+static struct name_entry *
19213 -+lookup_name_entry_create(const char *name)
19214 -+{
19215 -+ unsigned int len = strlen(name);
19216 -+ unsigned int key = full_name_hash(name, len);
19217 -+ unsigned int index = key % name_set.n_size;
19218 -+ struct name_entry *match;
19219 -+
19220 -+ match = name_set.n_hash[index];
19221 -+
19222 -+ while (match && (match->key != key || !gr_streq(match->name, name, match->len, len) ||
19223 -+ !match->deleted))
19224 -+ match = match->next;
19225 -+
19226 -+ if (match && match->deleted)
19227 -+ return match;
19228 -+
19229 -+ match = name_set.n_hash[index];
19230 -+
19231 -+ while (match && (match->key != key || !gr_streq(match->name, name, match->len, len) ||
19232 -+ match->deleted))
19233 -+ match = match->next;
19234 -+
19235 -+ if (match && !match->deleted)
19236 -+ return match;
19237 -+ else
19238 -+ return NULL;
19239 -+}
19240 -+
19241 -+static struct inodev_entry *
19242 -+lookup_inodev_entry(const ino_t ino, const dev_t dev)
19243 -+{
19244 -+ unsigned int index = fhash(ino, dev, inodev_set.i_size);
19245 -+ struct inodev_entry *match;
19246 -+
19247 -+ match = inodev_set.i_hash[index];
19248 -+
19249 -+ while (match && (match->nentry->inode != ino || match->nentry->device != dev))
19250 -+ match = match->next;
19251 -+
19252 -+ return match;
19253 -+}
19254 -+
19255 -+static void
19256 -+insert_inodev_entry(struct inodev_entry *entry)
19257 -+{
19258 -+ unsigned int index = fhash(entry->nentry->inode, entry->nentry->device,
19259 -+ inodev_set.i_size);
19260 -+ struct inodev_entry **curr;
19261 -+
19262 -+ entry->prev = NULL;
19263 -+
19264 -+ curr = &inodev_set.i_hash[index];
19265 -+ if (*curr != NULL)
19266 -+ (*curr)->prev = entry;
19267 -+
19268 -+ entry->next = *curr;
19269 -+ *curr = entry;
19270 -+
19271 -+ return;
19272 -+}
19273 -+
19274 -+static void
19275 -+__insert_acl_role_label(struct acl_role_label *role, uid_t uidgid)
19276 -+{
19277 -+ unsigned int index =
19278 -+ rhash(uidgid, role->roletype & (GR_ROLE_USER | GR_ROLE_GROUP), acl_role_set.r_size);
19279 -+ struct acl_role_label **curr;
19280 -+
19281 -+ role->prev = NULL;
19282 -+
19283 -+ curr = &acl_role_set.r_hash[index];
19284 -+ if (*curr != NULL)
19285 -+ (*curr)->prev = role;
19286 -+
19287 -+ role->next = *curr;
19288 -+ *curr = role;
19289 -+
19290 -+ return;
19291 -+}
19292 -+
19293 -+static void
19294 -+insert_acl_role_label(struct acl_role_label *role)
19295 -+{
19296 -+ int i;
19297 -+
19298 -+ if (role->roletype & GR_ROLE_DOMAIN) {
19299 -+ for (i = 0; i < role->domain_child_num; i++)
19300 -+ __insert_acl_role_label(role, role->domain_children[i]);
19301 -+ } else
19302 -+ __insert_acl_role_label(role, role->uidgid);
19303 -+}
19304 -+
19305 -+static int
19306 -+insert_name_entry(char *name, const ino_t inode, const dev_t device, __u8 deleted)
19307 -+{
19308 -+ struct name_entry **curr, *nentry;
19309 -+ struct inodev_entry *ientry;
19310 -+ unsigned int len = strlen(name);
19311 -+ unsigned int key = full_name_hash(name, len);
19312 -+ unsigned int index = key % name_set.n_size;
19313 -+
19314 -+ curr = &name_set.n_hash[index];
19315 -+
19316 -+ while (*curr && ((*curr)->key != key || !gr_streq((*curr)->name, name, (*curr)->len, len)))
19317 -+ curr = &((*curr)->next);
19318 -+
19319 -+ if (*curr != NULL)
19320 -+ return 1;
19321 -+
19322 -+ nentry = acl_alloc(sizeof (struct name_entry));
19323 -+ if (nentry == NULL)
19324 -+ return 0;
19325 -+ ientry = acl_alloc(sizeof (struct inodev_entry));
19326 -+ if (ientry == NULL)
19327 -+ return 0;
19328 -+ ientry->nentry = nentry;
19329 -+
19330 -+ nentry->key = key;
19331 -+ nentry->name = name;
19332 -+ nentry->inode = inode;
19333 -+ nentry->device = device;
19334 -+ nentry->len = len;
19335 -+ nentry->deleted = deleted;
19336 -+
19337 -+ nentry->prev = NULL;
19338 -+ curr = &name_set.n_hash[index];
19339 -+ if (*curr != NULL)
19340 -+ (*curr)->prev = nentry;
19341 -+ nentry->next = *curr;
19342 -+ *curr = nentry;
19343 -+
19344 -+ /* insert us into the table searchable by inode/dev */
19345 -+ insert_inodev_entry(ientry);
19346 -+
19347 -+ return 1;
19348 -+}
19349 -+
19350 -+static void
19351 -+insert_acl_obj_label(struct acl_object_label *obj,
19352 -+ struct acl_subject_label *subj)
19353 -+{
19354 -+ unsigned int index =
19355 -+ fhash(obj->inode, obj->device, subj->obj_hash_size);
19356 -+ struct acl_object_label **curr;
19357 -+
19358 -+
19359 -+ obj->prev = NULL;
19360 -+
19361 -+ curr = &subj->obj_hash[index];
19362 -+ if (*curr != NULL)
19363 -+ (*curr)->prev = obj;
19364 -+
19365 -+ obj->next = *curr;
19366 -+ *curr = obj;
19367 -+
19368 -+ return;
19369 -+}
19370 -+
19371 -+static void
19372 -+insert_acl_subj_label(struct acl_subject_label *obj,
19373 -+ struct acl_role_label *role)
19374 -+{
19375 -+ unsigned int index = fhash(obj->inode, obj->device, role->subj_hash_size);
19376 -+ struct acl_subject_label **curr;
19377 -+
19378 -+ obj->prev = NULL;
19379 -+
19380 -+ curr = &role->subj_hash[index];
19381 -+ if (*curr != NULL)
19382 -+ (*curr)->prev = obj;
19383 -+
19384 -+ obj->next = *curr;
19385 -+ *curr = obj;
19386 -+
19387 -+ return;
19388 -+}
19389 -+
19390 -+/* allocating chained hash tables, so optimal size is where lambda ~ 1 */
19391 -+
19392 -+static void *
19393 -+create_table(__u32 * len, int elementsize)
19394 -+{
19395 -+ unsigned int table_sizes[] = {
19396 -+ 7, 13, 31, 61, 127, 251, 509, 1021, 2039, 4093, 8191, 16381,
19397 -+ 32749, 65521, 131071, 262139, 524287, 1048573, 2097143,
19398 -+ 4194301, 8388593, 16777213, 33554393, 67108859, 134217689,
19399 -+ 268435399, 536870909, 1073741789, 2147483647
19400 -+ };
19401 -+ void *newtable = NULL;
19402 -+ unsigned int pwr = 0;
19403 -+
19404 -+ while ((pwr < ((sizeof (table_sizes) / sizeof (table_sizes[0])) - 1)) &&
19405 -+ table_sizes[pwr] <= *len)
19406 -+ pwr++;
19407 -+
19408 -+ if (table_sizes[pwr] <= *len)
19409 -+ return newtable;
19410 -+
19411 -+ if ((table_sizes[pwr] * elementsize) <= PAGE_SIZE)
19412 -+ newtable =
19413 -+ kmalloc(table_sizes[pwr] * elementsize, GFP_KERNEL);
19414 -+ else
19415 -+ newtable = vmalloc(table_sizes[pwr] * elementsize);
19416 -+
19417 -+ *len = table_sizes[pwr];
19418 -+
19419 -+ return newtable;
19420 -+}
19421 -+
19422 -+static int
19423 -+init_variables(const struct gr_arg *arg)
19424 -+{
19425 -+ struct task_struct *reaper = current->nsproxy->pid_ns->child_reaper;
19426 -+ unsigned int stacksize;
19427 -+
19428 -+ subj_map_set.s_size = arg->role_db.num_subjects;
19429 -+ acl_role_set.r_size = arg->role_db.num_roles + arg->role_db.num_domain_children;
19430 -+ name_set.n_size = arg->role_db.num_objects;
19431 -+ inodev_set.i_size = arg->role_db.num_objects;
19432 -+
19433 -+ if (!subj_map_set.s_size || !acl_role_set.r_size ||
19434 -+ !name_set.n_size || !inodev_set.i_size)
19435 -+ return 1;
19436 -+
19437 -+ if (!gr_init_uidset())
19438 -+ return 1;
19439 -+
19440 -+ /* set up the stack that holds allocation info */
19441 -+
19442 -+ stacksize = arg->role_db.num_pointers + 5;
19443 -+
19444 -+ if (!acl_alloc_stack_init(stacksize))
19445 -+ return 1;
19446 -+
19447 -+ /* grab reference for the real root dentry and vfsmount */
19448 -+ read_lock(&reaper->fs->lock);
19449 -+ real_root_mnt = mntget(reaper->fs->rootmnt);
19450 -+ real_root = dget(reaper->fs->root);
19451 -+ read_unlock(&reaper->fs->lock);
19452 -+
19453 -+ fakefs_obj = acl_alloc(sizeof(struct acl_object_label));
19454 -+ if (fakefs_obj == NULL)
19455 -+ return 1;
19456 -+ fakefs_obj->mode = GR_FIND | GR_READ | GR_WRITE | GR_EXEC;
19457 -+
19458 -+ subj_map_set.s_hash =
19459 -+ (struct subject_map **) create_table(&subj_map_set.s_size, sizeof(void *));
19460 -+ acl_role_set.r_hash =
19461 -+ (struct acl_role_label **) create_table(&acl_role_set.r_size, sizeof(void *));
19462 -+ name_set.n_hash = (struct name_entry **) create_table(&name_set.n_size, sizeof(void *));
19463 -+ inodev_set.i_hash =
19464 -+ (struct inodev_entry **) create_table(&inodev_set.i_size, sizeof(void *));
19465 -+
19466 -+ if (!subj_map_set.s_hash || !acl_role_set.r_hash ||
19467 -+ !name_set.n_hash || !inodev_set.i_hash)
19468 -+ return 1;
19469 -+
19470 -+ memset(subj_map_set.s_hash, 0,
19471 -+ sizeof(struct subject_map *) * subj_map_set.s_size);
19472 -+ memset(acl_role_set.r_hash, 0,
19473 -+ sizeof (struct acl_role_label *) * acl_role_set.r_size);
19474 -+ memset(name_set.n_hash, 0,
19475 -+ sizeof (struct name_entry *) * name_set.n_size);
19476 -+ memset(inodev_set.i_hash, 0,
19477 -+ sizeof (struct inodev_entry *) * inodev_set.i_size);
19478 -+
19479 -+ return 0;
19480 -+}
19481 -+
19482 -+/* free information not needed after startup
19483 -+ currently contains user->kernel pointer mappings for subjects
19484 -+*/
19485 -+
19486 -+static void
19487 -+free_init_variables(void)
19488 -+{
19489 -+ __u32 i;
19490 -+
19491 -+ if (subj_map_set.s_hash) {
19492 -+ for (i = 0; i < subj_map_set.s_size; i++) {
19493 -+ if (subj_map_set.s_hash[i]) {
19494 -+ kfree(subj_map_set.s_hash[i]);
19495 -+ subj_map_set.s_hash[i] = NULL;
19496 -+ }
19497 -+ }
19498 -+
19499 -+ if ((subj_map_set.s_size * sizeof (struct subject_map *)) <=
19500 -+ PAGE_SIZE)
19501 -+ kfree(subj_map_set.s_hash);
19502 -+ else
19503 -+ vfree(subj_map_set.s_hash);
19504 -+ }
19505 -+
19506 -+ return;
19507 -+}
19508 -+
19509 -+static void
19510 -+free_variables(void)
19511 -+{
19512 -+ struct acl_subject_label *s;
19513 -+ struct acl_role_label *r;
19514 -+ struct task_struct *task, *task2;
19515 -+ unsigned int i, x;
19516 -+
19517 -+ gr_clear_learn_entries();
19518 -+
19519 -+ read_lock(&tasklist_lock);
19520 -+ do_each_thread(task2, task) {
19521 -+ task->acl_sp_role = 0;
19522 -+ task->acl_role_id = 0;
19523 -+ task->acl = NULL;
19524 -+ task->role = NULL;
19525 -+ } while_each_thread(task2, task);
19526 -+ read_unlock(&tasklist_lock);
19527 -+
19528 -+ /* release the reference to the real root dentry and vfsmount */
19529 -+ if (real_root)
19530 -+ dput(real_root);
19531 -+ real_root = NULL;
19532 -+ if (real_root_mnt)
19533 -+ mntput(real_root_mnt);
19534 -+ real_root_mnt = NULL;
19535 -+
19536 -+ /* free all object hash tables */
19537 -+
19538 -+ FOR_EACH_ROLE_START(r, i)
19539 -+ if (r->subj_hash == NULL)
19540 -+ break;
19541 -+ FOR_EACH_SUBJECT_START(r, s, x)
19542 -+ if (s->obj_hash == NULL)
19543 -+ break;
19544 -+ if ((s->obj_hash_size * sizeof (struct acl_object_label *)) <= PAGE_SIZE)
19545 -+ kfree(s->obj_hash);
19546 -+ else
19547 -+ vfree(s->obj_hash);
19548 -+ FOR_EACH_SUBJECT_END(s, x)
19549 -+ FOR_EACH_NESTED_SUBJECT_START(r, s)
19550 -+ if (s->obj_hash == NULL)
19551 -+ break;
19552 -+ if ((s->obj_hash_size * sizeof (struct acl_object_label *)) <= PAGE_SIZE)
19553 -+ kfree(s->obj_hash);
19554 -+ else
19555 -+ vfree(s->obj_hash);
19556 -+ FOR_EACH_NESTED_SUBJECT_END(s)
19557 -+ if ((r->subj_hash_size * sizeof (struct acl_subject_label *)) <= PAGE_SIZE)
19558 -+ kfree(r->subj_hash);
19559 -+ else
19560 -+ vfree(r->subj_hash);
19561 -+ r->subj_hash = NULL;
19562 -+ FOR_EACH_ROLE_END(r,i)
19563 -+
19564 -+ acl_free_all();
19565 -+
19566 -+ if (acl_role_set.r_hash) {
19567 -+ if ((acl_role_set.r_size * sizeof (struct acl_role_label *)) <=
19568 -+ PAGE_SIZE)
19569 -+ kfree(acl_role_set.r_hash);
19570 -+ else
19571 -+ vfree(acl_role_set.r_hash);
19572 -+ }
19573 -+ if (name_set.n_hash) {
19574 -+ if ((name_set.n_size * sizeof (struct name_entry *)) <=
19575 -+ PAGE_SIZE)
19576 -+ kfree(name_set.n_hash);
19577 -+ else
19578 -+ vfree(name_set.n_hash);
19579 -+ }
19580 -+
19581 -+ if (inodev_set.i_hash) {
19582 -+ if ((inodev_set.i_size * sizeof (struct inodev_entry *)) <=
19583 -+ PAGE_SIZE)
19584 -+ kfree(inodev_set.i_hash);
19585 -+ else
19586 -+ vfree(inodev_set.i_hash);
19587 -+ }
19588 -+
19589 -+ gr_free_uidset();
19590 -+
19591 -+ memset(&name_set, 0, sizeof (struct name_db));
19592 -+ memset(&inodev_set, 0, sizeof (struct inodev_db));
19593 -+ memset(&acl_role_set, 0, sizeof (struct acl_role_db));
19594 -+ memset(&subj_map_set, 0, sizeof (struct acl_subj_map_db));
19595 -+
19596 -+ default_role = NULL;
19597 -+
19598 -+ return;
19599 -+}
19600 -+
19601 -+static __u32
19602 -+count_user_objs(struct acl_object_label *userp)
19603 -+{
19604 -+ struct acl_object_label o_tmp;
19605 -+ __u32 num = 0;
19606 -+
19607 -+ while (userp) {
19608 -+ if (copy_from_user(&o_tmp, userp,
19609 -+ sizeof (struct acl_object_label)))
19610 -+ break;
19611 -+
19612 -+ userp = o_tmp.prev;
19613 -+ num++;
19614 -+ }
19615 -+
19616 -+ return num;
19617 -+}
19618 -+
19619 -+static struct acl_subject_label *
19620 -+do_copy_user_subj(struct acl_subject_label *userp, struct acl_role_label *role);
19621 -+
19622 -+static int
19623 -+copy_user_glob(struct acl_object_label *obj)
19624 -+{
19625 -+ struct acl_object_label *g_tmp, **guser;
19626 -+ unsigned int len;
19627 -+ char *tmp;
19628 -+
19629 -+ if (obj->globbed == NULL)
19630 -+ return 0;
19631 -+
19632 -+ guser = &obj->globbed;
19633 -+ while (*guser) {
19634 -+ g_tmp = (struct acl_object_label *)
19635 -+ acl_alloc(sizeof (struct acl_object_label));
19636 -+ if (g_tmp == NULL)
19637 -+ return -ENOMEM;
19638 -+
19639 -+ if (copy_from_user(g_tmp, *guser,
19640 -+ sizeof (struct acl_object_label)))
19641 -+ return -EFAULT;
19642 -+
19643 -+ len = strnlen_user(g_tmp->filename, PATH_MAX);
19644 -+
19645 -+ if (!len || len >= PATH_MAX)
19646 -+ return -EINVAL;
19647 -+
19648 -+ if ((tmp = (char *) acl_alloc(len)) == NULL)
19649 -+ return -ENOMEM;
19650 -+
19651 -+ if (copy_from_user(tmp, g_tmp->filename, len))
19652 -+ return -EFAULT;
19653 -+
19654 -+ g_tmp->filename = tmp;
19655 -+
19656 -+ *guser = g_tmp;
19657 -+ guser = &(g_tmp->next);
19658 -+ }
19659 -+
19660 -+ return 0;
19661 -+}
19662 -+
19663 -+static int
19664 -+copy_user_objs(struct acl_object_label *userp, struct acl_subject_label *subj,
19665 -+ struct acl_role_label *role)
19666 -+{
19667 -+ struct acl_object_label *o_tmp;
19668 -+ unsigned int len;
19669 -+ int ret;
19670 -+ char *tmp;
19671 -+
19672 -+ while (userp) {
19673 -+ if ((o_tmp = (struct acl_object_label *)
19674 -+ acl_alloc(sizeof (struct acl_object_label))) == NULL)
19675 -+ return -ENOMEM;
19676 -+
19677 -+ if (copy_from_user(o_tmp, userp,
19678 -+ sizeof (struct acl_object_label)))
19679 -+ return -EFAULT;
19680 -+
19681 -+ userp = o_tmp->prev;
19682 -+
19683 -+ len = strnlen_user(o_tmp->filename, PATH_MAX);
19684 -+
19685 -+ if (!len || len >= PATH_MAX)
19686 -+ return -EINVAL;
19687 -+
19688 -+ if ((tmp = (char *) acl_alloc(len)) == NULL)
19689 -+ return -ENOMEM;
19690 -+
19691 -+ if (copy_from_user(tmp, o_tmp->filename, len))
19692 -+ return -EFAULT;
19693 -+
19694 -+ o_tmp->filename = tmp;
19695 -+
19696 -+ insert_acl_obj_label(o_tmp, subj);
19697 -+ if (!insert_name_entry(o_tmp->filename, o_tmp->inode,
19698 -+ o_tmp->device, (o_tmp->mode & GR_DELETED) ? 1 : 0))
19699 -+ return -ENOMEM;
19700 -+
19701 -+ ret = copy_user_glob(o_tmp);
19702 -+ if (ret)
19703 -+ return ret;
19704 -+
19705 -+ if (o_tmp->nested) {
19706 -+ o_tmp->nested = do_copy_user_subj(o_tmp->nested, role);
19707 -+ if (IS_ERR(o_tmp->nested))
19708 -+ return PTR_ERR(o_tmp->nested);
19709 -+
19710 -+ /* insert into nested subject list */
19711 -+ o_tmp->nested->next = role->hash->first;
19712 -+ role->hash->first = o_tmp->nested;
19713 -+ }
19714 -+ }
19715 -+
19716 -+ return 0;
19717 -+}
19718 -+
19719 -+static __u32
19720 -+count_user_subjs(struct acl_subject_label *userp)
19721 -+{
19722 -+ struct acl_subject_label s_tmp;
19723 -+ __u32 num = 0;
19724 -+
19725 -+ while (userp) {
19726 -+ if (copy_from_user(&s_tmp, userp,
19727 -+ sizeof (struct acl_subject_label)))
19728 -+ break;
19729 -+
19730 -+ userp = s_tmp.prev;
19731 -+ /* do not count nested subjects against this count, since
19732 -+ they are not included in the hash table, but are
19733 -+ attached to objects. We have already counted
19734 -+ the subjects in userspace for the allocation
19735 -+ stack
19736 -+ */
19737 -+ if (!(s_tmp.mode & GR_NESTED))
19738 -+ num++;
19739 -+ }
19740 -+
19741 -+ return num;
19742 -+}
19743 -+
19744 -+static int
19745 -+copy_user_allowedips(struct acl_role_label *rolep)
19746 -+{
19747 -+ struct role_allowed_ip *ruserip, *rtmp = NULL, *rlast;
19748 -+
19749 -+ ruserip = rolep->allowed_ips;
19750 -+
19751 -+ while (ruserip) {
19752 -+ rlast = rtmp;
19753 -+
19754 -+ if ((rtmp = (struct role_allowed_ip *)
19755 -+ acl_alloc(sizeof (struct role_allowed_ip))) == NULL)
19756 -+ return -ENOMEM;
19757 -+
19758 -+ if (copy_from_user(rtmp, ruserip,
19759 -+ sizeof (struct role_allowed_ip)))
19760 -+ return -EFAULT;
19761 -+
19762 -+ ruserip = rtmp->prev;
19763 -+
19764 -+ if (!rlast) {
19765 -+ rtmp->prev = NULL;
19766 -+ rolep->allowed_ips = rtmp;
19767 -+ } else {
19768 -+ rlast->next = rtmp;
19769 -+ rtmp->prev = rlast;
19770 -+ }
19771 -+
19772 -+ if (!ruserip)
19773 -+ rtmp->next = NULL;
19774 -+ }
19775 -+
19776 -+ return 0;
19777 -+}
19778 -+
19779 -+static int
19780 -+copy_user_transitions(struct acl_role_label *rolep)
19781 -+{
19782 -+ struct role_transition *rusertp, *rtmp = NULL, *rlast;
19783 -+
19784 -+ unsigned int len;
19785 -+ char *tmp;
19786 -+
19787 -+ rusertp = rolep->transitions;
19788 -+
19789 -+ while (rusertp) {
19790 -+ rlast = rtmp;
19791 -+
19792 -+ if ((rtmp = (struct role_transition *)
19793 -+ acl_alloc(sizeof (struct role_transition))) == NULL)
19794 -+ return -ENOMEM;
19795 -+
19796 -+ if (copy_from_user(rtmp, rusertp,
19797 -+ sizeof (struct role_transition)))
19798 -+ return -EFAULT;
19799 -+
19800 -+ rusertp = rtmp->prev;
19801 -+
19802 -+ len = strnlen_user(rtmp->rolename, GR_SPROLE_LEN);
19803 -+
19804 -+ if (!len || len >= GR_SPROLE_LEN)
19805 -+ return -EINVAL;
19806 -+
19807 -+ if ((tmp = (char *) acl_alloc(len)) == NULL)
19808 -+ return -ENOMEM;
19809 -+
19810 -+ if (copy_from_user(tmp, rtmp->rolename, len))
19811 -+ return -EFAULT;
19812 -+
19813 -+ rtmp->rolename = tmp;
19814 -+
19815 -+ if (!rlast) {
19816 -+ rtmp->prev = NULL;
19817 -+ rolep->transitions = rtmp;
19818 -+ } else {
19819 -+ rlast->next = rtmp;
19820 -+ rtmp->prev = rlast;
19821 -+ }
19822 -+
19823 -+ if (!rusertp)
19824 -+ rtmp->next = NULL;
19825 -+ }
19826 -+
19827 -+ return 0;
19828 -+}
19829 -+
19830 -+static struct acl_subject_label *
19831 -+do_copy_user_subj(struct acl_subject_label *userp, struct acl_role_label *role)
19832 -+{
19833 -+ struct acl_subject_label *s_tmp = NULL, *s_tmp2;
19834 -+ unsigned int len;
19835 -+ char *tmp;
19836 -+ __u32 num_objs;
19837 -+ struct acl_ip_label **i_tmp, *i_utmp2;
19838 -+ struct gr_hash_struct ghash;
19839 -+ struct subject_map *subjmap;
19840 -+ unsigned int i_num;
19841 -+ int err;
19842 -+
19843 -+ s_tmp = lookup_subject_map(userp);
19844 -+
19845 -+ /* we've already copied this subject into the kernel, just return
19846 -+ the reference to it, and don't copy it over again
19847 -+ */
19848 -+ if (s_tmp)
19849 -+ return(s_tmp);
19850 -+
19851 -+ if ((s_tmp = (struct acl_subject_label *)
19852 -+ acl_alloc(sizeof (struct acl_subject_label))) == NULL)
19853 -+ return ERR_PTR(-ENOMEM);
19854 -+
19855 -+ subjmap = (struct subject_map *)kmalloc(sizeof (struct subject_map), GFP_KERNEL);
19856 -+ if (subjmap == NULL)
19857 -+ return ERR_PTR(-ENOMEM);
19858 -+
19859 -+ subjmap->user = userp;
19860 -+ subjmap->kernel = s_tmp;
19861 -+ insert_subj_map_entry(subjmap);
19862 -+
19863 -+ if (copy_from_user(s_tmp, userp,
19864 -+ sizeof (struct acl_subject_label)))
19865 -+ return ERR_PTR(-EFAULT);
19866 -+
19867 -+ len = strnlen_user(s_tmp->filename, PATH_MAX);
19868 -+
19869 -+ if (!len || len >= PATH_MAX)
19870 -+ return ERR_PTR(-EINVAL);
19871 -+
19872 -+ if ((tmp = (char *) acl_alloc(len)) == NULL)
19873 -+ return ERR_PTR(-ENOMEM);
19874 -+
19875 -+ if (copy_from_user(tmp, s_tmp->filename, len))
19876 -+ return ERR_PTR(-EFAULT);
19877 -+
19878 -+ s_tmp->filename = tmp;
19879 -+
19880 -+ if (!strcmp(s_tmp->filename, "/"))
19881 -+ role->root_label = s_tmp;
19882 -+
19883 -+ if (copy_from_user(&ghash, s_tmp->hash, sizeof(struct gr_hash_struct)))
19884 -+ return ERR_PTR(-EFAULT);
19885 -+
19886 -+ /* copy user and group transition tables */
19887 -+
19888 -+ if (s_tmp->user_trans_num) {
19889 -+ uid_t *uidlist;
19890 -+
19891 -+ uidlist = (uid_t *)acl_alloc(s_tmp->user_trans_num * sizeof(uid_t));
19892 -+ if (uidlist == NULL)
19893 -+ return ERR_PTR(-ENOMEM);
19894 -+ if (copy_from_user(uidlist, s_tmp->user_transitions, s_tmp->user_trans_num * sizeof(uid_t)))
19895 -+ return ERR_PTR(-EFAULT);
19896 -+
19897 -+ s_tmp->user_transitions = uidlist;
19898 -+ }
19899 -+
19900 -+ if (s_tmp->group_trans_num) {
19901 -+ gid_t *gidlist;
19902 -+
19903 -+ gidlist = (gid_t *)acl_alloc(s_tmp->group_trans_num * sizeof(gid_t));
19904 -+ if (gidlist == NULL)
19905 -+ return ERR_PTR(-ENOMEM);
19906 -+ if (copy_from_user(gidlist, s_tmp->group_transitions, s_tmp->group_trans_num * sizeof(gid_t)))
19907 -+ return ERR_PTR(-EFAULT);
19908 -+
19909 -+ s_tmp->group_transitions = gidlist;
19910 -+ }
19911 -+
19912 -+ /* set up object hash table */
19913 -+ num_objs = count_user_objs(ghash.first);
19914 -+
19915 -+ s_tmp->obj_hash_size = num_objs;
19916 -+ s_tmp->obj_hash =
19917 -+ (struct acl_object_label **)
19918 -+ create_table(&(s_tmp->obj_hash_size), sizeof(void *));
19919 -+
19920 -+ if (!s_tmp->obj_hash)
19921 -+ return ERR_PTR(-ENOMEM);
19922 -+
19923 -+ memset(s_tmp->obj_hash, 0,
19924 -+ s_tmp->obj_hash_size *
19925 -+ sizeof (struct acl_object_label *));
19926 -+
19927 -+ /* add in objects */
19928 -+ err = copy_user_objs(ghash.first, s_tmp, role);
19929 -+
19930 -+ if (err)
19931 -+ return ERR_PTR(err);
19932 -+
19933 -+ /* set pointer for parent subject */
19934 -+ if (s_tmp->parent_subject) {
19935 -+ s_tmp2 = do_copy_user_subj(s_tmp->parent_subject, role);
19936 -+
19937 -+ if (IS_ERR(s_tmp2))
19938 -+ return s_tmp2;
19939 -+
19940 -+ s_tmp->parent_subject = s_tmp2;
19941 -+ }
19942 -+
19943 -+ /* add in ip acls */
19944 -+
19945 -+ if (!s_tmp->ip_num) {
19946 -+ s_tmp->ips = NULL;
19947 -+ goto insert;
19948 -+ }
19949 -+
19950 -+ i_tmp =
19951 -+ (struct acl_ip_label **) acl_alloc(s_tmp->ip_num *
19952 -+ sizeof (struct
19953 -+ acl_ip_label *));
19954 -+
19955 -+ if (!i_tmp)
19956 -+ return ERR_PTR(-ENOMEM);
19957 -+
19958 -+ for (i_num = 0; i_num < s_tmp->ip_num; i_num++) {
19959 -+ *(i_tmp + i_num) =
19960 -+ (struct acl_ip_label *)
19961 -+ acl_alloc(sizeof (struct acl_ip_label));
19962 -+ if (!*(i_tmp + i_num))
19963 -+ return ERR_PTR(-ENOMEM);
19964 -+
19965 -+ if (copy_from_user
19966 -+ (&i_utmp2, s_tmp->ips + i_num,
19967 -+ sizeof (struct acl_ip_label *)))
19968 -+ return ERR_PTR(-EFAULT);
19969 -+
19970 -+ if (copy_from_user
19971 -+ (*(i_tmp + i_num), i_utmp2,
19972 -+ sizeof (struct acl_ip_label)))
19973 -+ return ERR_PTR(-EFAULT);
19974 -+
19975 -+ if ((*(i_tmp + i_num))->iface == NULL)
19976 -+ continue;
19977 -+
19978 -+ len = strnlen_user((*(i_tmp + i_num))->iface, IFNAMSIZ);
19979 -+ if (!len || len >= IFNAMSIZ)
19980 -+ return ERR_PTR(-EINVAL);
19981 -+ tmp = acl_alloc(len);
19982 -+ if (tmp == NULL)
19983 -+ return ERR_PTR(-ENOMEM);
19984 -+ if (copy_from_user(tmp, (*(i_tmp + i_num))->iface, len))
19985 -+ return ERR_PTR(-EFAULT);
19986 -+ (*(i_tmp + i_num))->iface = tmp;
19987 -+ }
19988 -+
19989 -+ s_tmp->ips = i_tmp;
19990 -+
19991 -+insert:
19992 -+ if (!insert_name_entry(s_tmp->filename, s_tmp->inode,
19993 -+ s_tmp->device, (s_tmp->mode & GR_DELETED) ? 1 : 0))
19994 -+ return ERR_PTR(-ENOMEM);
19995 -+
19996 -+ return s_tmp;
19997 -+}
19998 -+
19999 -+static int
20000 -+copy_user_subjs(struct acl_subject_label *userp, struct acl_role_label *role)
20001 -+{
20002 -+ struct acl_subject_label s_pre;
20003 -+ struct acl_subject_label * ret;
20004 -+ int err;
20005 -+
20006 -+ while (userp) {
20007 -+ if (copy_from_user(&s_pre, userp,
20008 -+ sizeof (struct acl_subject_label)))
20009 -+ return -EFAULT;
20010 -+
20011 -+ /* do not add nested subjects here, add
20012 -+ while parsing objects
20013 -+ */
20014 -+
20015 -+ if (s_pre.mode & GR_NESTED) {
20016 -+ userp = s_pre.prev;
20017 -+ continue;
20018 -+ }
20019 -+
20020 -+ ret = do_copy_user_subj(userp, role);
20021 -+
20022 -+ err = PTR_ERR(ret);
20023 -+ if (IS_ERR(ret))
20024 -+ return err;
20025 -+
20026 -+ insert_acl_subj_label(ret, role);
20027 -+
20028 -+ userp = s_pre.prev;
20029 -+ }
20030 -+
20031 -+ return 0;
20032 -+}
20033 -+
20034 -+static int
20035 -+copy_user_acl(struct gr_arg *arg)
20036 -+{
20037 -+ struct acl_role_label *r_tmp = NULL, **r_utmp, *r_utmp2;
20038 -+ struct sprole_pw *sptmp;
20039 -+ struct gr_hash_struct *ghash;
20040 -+ uid_t *domainlist;
20041 -+ unsigned int r_num;
20042 -+ unsigned int len;
20043 -+ char *tmp;
20044 -+ int err = 0;
20045 -+ __u16 i;
20046 -+ __u32 num_subjs;
20047 -+
20048 -+ /* we need a default and kernel role */
20049 -+ if (arg->role_db.num_roles < 2)
20050 -+ return -EINVAL;
20051 -+
20052 -+ /* copy special role authentication info from userspace */
20053 -+
20054 -+ num_sprole_pws = arg->num_sprole_pws;
20055 -+ acl_special_roles = (struct sprole_pw **) acl_alloc(num_sprole_pws * sizeof(struct sprole_pw *));
20056 -+
20057 -+ if (!acl_special_roles) {
20058 -+ err = -ENOMEM;
20059 -+ goto cleanup;
20060 -+ }
20061 -+
20062 -+ for (i = 0; i < num_sprole_pws; i++) {
20063 -+ sptmp = (struct sprole_pw *) acl_alloc(sizeof(struct sprole_pw));
20064 -+ if (!sptmp) {
20065 -+ err = -ENOMEM;
20066 -+ goto cleanup;
20067 -+ }
20068 -+ if (copy_from_user(sptmp, arg->sprole_pws + i,
20069 -+ sizeof (struct sprole_pw))) {
20070 -+ err = -EFAULT;
20071 -+ goto cleanup;
20072 -+ }
20073 -+
20074 -+ len =
20075 -+ strnlen_user(sptmp->rolename, GR_SPROLE_LEN);
20076 -+
20077 -+ if (!len || len >= GR_SPROLE_LEN) {
20078 -+ err = -EINVAL;
20079 -+ goto cleanup;
20080 -+ }
20081 -+
20082 -+ if ((tmp = (char *) acl_alloc(len)) == NULL) {
20083 -+ err = -ENOMEM;
20084 -+ goto cleanup;
20085 -+ }
20086 -+
20087 -+ if (copy_from_user(tmp, sptmp->rolename, len)) {
20088 -+ err = -EFAULT;
20089 -+ goto cleanup;
20090 -+ }
20091 -+
20092 -+#ifdef CONFIG_GRKERNSEC_ACL_DEBUG
20093 -+ printk(KERN_ALERT "Copying special role %s\n", tmp);
20094 -+#endif
20095 -+ sptmp->rolename = tmp;
20096 -+ acl_special_roles[i] = sptmp;
20097 -+ }
20098 -+
20099 -+ r_utmp = (struct acl_role_label **) arg->role_db.r_table;
20100 -+
20101 -+ for (r_num = 0; r_num < arg->role_db.num_roles; r_num++) {
20102 -+ r_tmp = acl_alloc(sizeof (struct acl_role_label));
20103 -+
20104 -+ if (!r_tmp) {
20105 -+ err = -ENOMEM;
20106 -+ goto cleanup;
20107 -+ }
20108 -+
20109 -+ if (copy_from_user(&r_utmp2, r_utmp + r_num,
20110 -+ sizeof (struct acl_role_label *))) {
20111 -+ err = -EFAULT;
20112 -+ goto cleanup;
20113 -+ }
20114 -+
20115 -+ if (copy_from_user(r_tmp, r_utmp2,
20116 -+ sizeof (struct acl_role_label))) {
20117 -+ err = -EFAULT;
20118 -+ goto cleanup;
20119 -+ }
20120 -+
20121 -+ len = strnlen_user(r_tmp->rolename, GR_SPROLE_LEN);
20122 -+
20123 -+ if (!len || len >= PATH_MAX) {
20124 -+ err = -EINVAL;
20125 -+ goto cleanup;
20126 -+ }
20127 -+
20128 -+ if ((tmp = (char *) acl_alloc(len)) == NULL) {
20129 -+ err = -ENOMEM;
20130 -+ goto cleanup;
20131 -+ }
20132 -+ if (copy_from_user(tmp, r_tmp->rolename, len)) {
20133 -+ err = -EFAULT;
20134 -+ goto cleanup;
20135 -+ }
20136 -+ r_tmp->rolename = tmp;
20137 -+
20138 -+ if (!strcmp(r_tmp->rolename, "default")
20139 -+ && (r_tmp->roletype & GR_ROLE_DEFAULT)) {
20140 -+ default_role = r_tmp;
20141 -+ } else if (!strcmp(r_tmp->rolename, ":::kernel:::")) {
20142 -+ kernel_role = r_tmp;
20143 -+ }
20144 -+
20145 -+ if ((ghash = (struct gr_hash_struct *) acl_alloc(sizeof(struct gr_hash_struct))) == NULL) {
20146 -+ err = -ENOMEM;
20147 -+ goto cleanup;
20148 -+ }
20149 -+ if (copy_from_user(ghash, r_tmp->hash, sizeof(struct gr_hash_struct))) {
20150 -+ err = -EFAULT;
20151 -+ goto cleanup;
20152 -+ }
20153 -+
20154 -+ r_tmp->hash = ghash;
20155 -+
20156 -+ num_subjs = count_user_subjs(r_tmp->hash->first);
20157 -+
20158 -+ r_tmp->subj_hash_size = num_subjs;
20159 -+ r_tmp->subj_hash =
20160 -+ (struct acl_subject_label **)
20161 -+ create_table(&(r_tmp->subj_hash_size), sizeof(void *));
20162 -+
20163 -+ if (!r_tmp->subj_hash) {
20164 -+ err = -ENOMEM;
20165 -+ goto cleanup;
20166 -+ }
20167 -+
20168 -+ err = copy_user_allowedips(r_tmp);
20169 -+ if (err)
20170 -+ goto cleanup;
20171 -+
20172 -+ /* copy domain info */
20173 -+ if (r_tmp->domain_children != NULL) {
20174 -+ domainlist = acl_alloc(r_tmp->domain_child_num * sizeof(uid_t));
20175 -+ if (domainlist == NULL) {
20176 -+ err = -ENOMEM;
20177 -+ goto cleanup;
20178 -+ }
20179 -+ if (copy_from_user(domainlist, r_tmp->domain_children, r_tmp->domain_child_num * sizeof(uid_t))) {
20180 -+ err = -EFAULT;
20181 -+ goto cleanup;
20182 -+ }
20183 -+ r_tmp->domain_children = domainlist;
20184 -+ }
20185 -+
20186 -+ err = copy_user_transitions(r_tmp);
20187 -+ if (err)
20188 -+ goto cleanup;
20189 -+
20190 -+ memset(r_tmp->subj_hash, 0,
20191 -+ r_tmp->subj_hash_size *
20192 -+ sizeof (struct acl_subject_label *));
20193 -+
20194 -+ err = copy_user_subjs(r_tmp->hash->first, r_tmp);
20195 -+
20196 -+ if (err)
20197 -+ goto cleanup;
20198 -+
20199 -+ /* set nested subject list to null */
20200 -+ r_tmp->hash->first = NULL;
20201 -+
20202 -+ insert_acl_role_label(r_tmp);
20203 -+ }
20204 -+
20205 -+ goto return_err;
20206 -+ cleanup:
20207 -+ free_variables();
20208 -+ return_err:
20209 -+ return err;
20210 -+
20211 -+}
20212 -+
20213 -+static int
20214 -+gracl_init(struct gr_arg *args)
20215 -+{
20216 -+ int error = 0;
20217 -+
20218 -+ memcpy(gr_system_salt, args->salt, GR_SALT_LEN);
20219 -+ memcpy(gr_system_sum, args->sum, GR_SHA_LEN);
20220 -+
20221 -+ if (init_variables(args)) {
20222 -+ gr_log_str(GR_DONT_AUDIT_GOOD, GR_INITF_ACL_MSG, GR_VERSION);
20223 -+ error = -ENOMEM;
20224 -+ free_variables();
20225 -+ goto out;
20226 -+ }
20227 -+
20228 -+ error = copy_user_acl(args);
20229 -+ free_init_variables();
20230 -+ if (error) {
20231 -+ free_variables();
20232 -+ goto out;
20233 -+ }
20234 -+
20235 -+ if ((error = gr_set_acls(0))) {
20236 -+ free_variables();
20237 -+ goto out;
20238 -+ }
20239 -+
20240 -+ gr_status |= GR_READY;
20241 -+ out:
20242 -+ return error;
20243 -+}
20244 -+
20245 -+/* derived from glibc fnmatch() 0: match, 1: no match*/
20246 -+
20247 -+static int
20248 -+glob_match(const char *p, const char *n)
20249 -+{
20250 -+ char c;
20251 -+
20252 -+ while ((c = *p++) != '\0') {
20253 -+ switch (c) {
20254 -+ case '?':
20255 -+ if (*n == '\0')
20256 -+ return 1;
20257 -+ else if (*n == '/')
20258 -+ return 1;
20259 -+ break;
20260 -+ case '\\':
20261 -+ if (*n != c)
20262 -+ return 1;
20263 -+ break;
20264 -+ case '*':
20265 -+ for (c = *p++; c == '?' || c == '*'; c = *p++) {
20266 -+ if (*n == '/')
20267 -+ return 1;
20268 -+ else if (c == '?') {
20269 -+ if (*n == '\0')
20270 -+ return 1;
20271 -+ else
20272 -+ ++n;
20273 -+ }
20274 -+ }
20275 -+ if (c == '\0') {
20276 -+ return 0;
20277 -+ } else {
20278 -+ const char *endp;
20279 -+
20280 -+ if ((endp = strchr(n, '/')) == NULL)
20281 -+ endp = n + strlen(n);
20282 -+
20283 -+ if (c == '[') {
20284 -+ for (--p; n < endp; ++n)
20285 -+ if (!glob_match(p, n))
20286 -+ return 0;
20287 -+ } else if (c == '/') {
20288 -+ while (*n != '\0' && *n != '/')
20289 -+ ++n;
20290 -+ if (*n == '/' && !glob_match(p, n + 1))
20291 -+ return 0;
20292 -+ } else {
20293 -+ for (--p; n < endp; ++n)
20294 -+ if (*n == c && !glob_match(p, n))
20295 -+ return 0;
20296 -+ }
20297 -+
20298 -+ return 1;
20299 -+ }
20300 -+ case '[':
20301 -+ {
20302 -+ int not;
20303 -+ char cold;
20304 -+
20305 -+ if (*n == '\0' || *n == '/')
20306 -+ return 1;
20307 -+
20308 -+ not = (*p == '!' || *p == '^');
20309 -+ if (not)
20310 -+ ++p;
20311 -+
20312 -+ c = *p++;
20313 -+ for (;;) {
20314 -+ unsigned char fn = (unsigned char)*n;
20315 -+
20316 -+ if (c == '\0')
20317 -+ return 1;
20318 -+ else {
20319 -+ if (c == fn)
20320 -+ goto matched;
20321 -+ cold = c;
20322 -+ c = *p++;
20323 -+
20324 -+ if (c == '-' && *p != ']') {
20325 -+ unsigned char cend = *p++;
20326 -+
20327 -+ if (cend == '\0')
20328 -+ return 1;
20329 -+
20330 -+ if (cold <= fn && fn <= cend)
20331 -+ goto matched;
20332 -+
20333 -+ c = *p++;
20334 -+ }
20335 -+ }
20336 -+
20337 -+ if (c == ']')
20338 -+ break;
20339 -+ }
20340 -+ if (!not)
20341 -+ return 1;
20342 -+ break;
20343 -+ matched:
20344 -+ while (c != ']') {
20345 -+ if (c == '\0')
20346 -+ return 1;
20347 -+
20348 -+ c = *p++;
20349 -+ }
20350 -+ if (not)
20351 -+ return 1;
20352 -+ }
20353 -+ break;
20354 -+ default:
20355 -+ if (c != *n)
20356 -+ return 1;
20357 -+ }
20358 -+
20359 -+ ++n;
20360 -+ }
20361 -+
20362 -+ if (*n == '\0')
20363 -+ return 0;
20364 -+
20365 -+ if (*n == '/')
20366 -+ return 0;
20367 -+
20368 -+ return 1;
20369 -+}
20370 -+
20371 -+static struct acl_object_label *
20372 -+chk_glob_label(struct acl_object_label *globbed,
20373 -+ struct dentry *dentry, struct vfsmount *mnt, char **path)
20374 -+{
20375 -+ struct acl_object_label *tmp;
20376 -+
20377 -+ if (*path == NULL)
20378 -+ *path = gr_to_filename_nolock(dentry, mnt);
20379 -+
20380 -+ tmp = globbed;
20381 -+
20382 -+ while (tmp) {
20383 -+ if (!glob_match(tmp->filename, *path))
20384 -+ return tmp;
20385 -+ tmp = tmp->next;
20386 -+ }
20387 -+
20388 -+ return NULL;
20389 -+}
20390 -+
20391 -+static struct acl_object_label *
20392 -+__full_lookup(const struct dentry *orig_dentry, const struct vfsmount *orig_mnt,
20393 -+ const ino_t curr_ino, const dev_t curr_dev,
20394 -+ const struct acl_subject_label *subj, char **path)
20395 -+{
20396 -+ struct acl_subject_label *tmpsubj;
20397 -+ struct acl_object_label *retval;
20398 -+ struct acl_object_label *retval2;
20399 -+
20400 -+ tmpsubj = (struct acl_subject_label *) subj;
20401 -+ read_lock(&gr_inode_lock);
20402 -+ do {
20403 -+ retval = lookup_acl_obj_label(curr_ino, curr_dev, tmpsubj);
20404 -+ if (retval) {
20405 -+ if (retval->globbed) {
20406 -+ retval2 = chk_glob_label(retval->globbed, (struct dentry *)orig_dentry,
20407 -+ (struct vfsmount *)orig_mnt, path);
20408 -+ if (retval2)
20409 -+ retval = retval2;
20410 -+ }
20411 -+ break;
20412 -+ }
20413 -+ } while ((tmpsubj = tmpsubj->parent_subject));
20414 -+ read_unlock(&gr_inode_lock);
20415 -+
20416 -+ return retval;
20417 -+}
20418 -+
20419 -+static __inline__ struct acl_object_label *
20420 -+full_lookup(const struct dentry *orig_dentry, const struct vfsmount *orig_mnt,
20421 -+ const struct dentry *curr_dentry,
20422 -+ const struct acl_subject_label *subj, char **path)
20423 -+{
20424 -+ return __full_lookup(orig_dentry, orig_mnt,
20425 -+ curr_dentry->d_inode->i_ino,
20426 -+ curr_dentry->d_inode->i_sb->s_dev, subj, path);
20427 -+}
20428 -+
20429 -+static struct acl_object_label *
20430 -+__chk_obj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
20431 -+ const struct acl_subject_label *subj, char *path)
20432 -+{
20433 -+ struct dentry *dentry = (struct dentry *) l_dentry;
20434 -+ struct vfsmount *mnt = (struct vfsmount *) l_mnt;
20435 -+ struct acl_object_label *retval;
20436 -+
20437 -+ spin_lock(&dcache_lock);
20438 -+
20439 -+ if (unlikely(mnt == shm_mnt || mnt == pipe_mnt || mnt == sock_mnt ||
20440 -+ /* ignore Eric Biederman */
20441 -+ IS_PRIVATE(l_dentry->d_inode))) {
20442 -+ retval = fakefs_obj;
20443 -+ goto out;
20444 -+ }
20445 -+
20446 -+ for (;;) {
20447 -+ if (dentry == real_root && mnt == real_root_mnt)
20448 -+ break;
20449 -+
20450 -+ if (dentry == mnt->mnt_root || IS_ROOT(dentry)) {
20451 -+ if (mnt->mnt_parent == mnt)
20452 -+ break;
20453 -+
20454 -+ retval = full_lookup(l_dentry, l_mnt, dentry, subj, &path);
20455 -+ if (retval != NULL)
20456 -+ goto out;
20457 -+
20458 -+ dentry = mnt->mnt_mountpoint;
20459 -+ mnt = mnt->mnt_parent;
20460 -+ continue;
20461 -+ }
20462 -+
20463 -+ retval = full_lookup(l_dentry, l_mnt, dentry, subj, &path);
20464 -+ if (retval != NULL)
20465 -+ goto out;
20466 -+
20467 -+ dentry = dentry->d_parent;
20468 -+ }
20469 -+
20470 -+ retval = full_lookup(l_dentry, l_mnt, dentry, subj, &path);
20471 -+
20472 -+ if (retval == NULL)
20473 -+ retval = full_lookup(l_dentry, l_mnt, real_root, subj, &path);
20474 -+out:
20475 -+ spin_unlock(&dcache_lock);
20476 -+ return retval;
20477 -+}
20478 -+
20479 -+static __inline__ struct acl_object_label *
20480 -+chk_obj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
20481 -+ const struct acl_subject_label *subj)
20482 -+{
20483 -+ char *path = NULL;
20484 -+ return __chk_obj_label(l_dentry, l_mnt, subj, path);
20485 -+}
20486 -+
20487 -+static __inline__ struct acl_object_label *
20488 -+chk_obj_create_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
20489 -+ const struct acl_subject_label *subj, char *path)
20490 -+{
20491 -+ return __chk_obj_label(l_dentry, l_mnt, subj, path);
20492 -+}
20493 -+
20494 -+static struct acl_subject_label *
20495 -+chk_subj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
20496 -+ const struct acl_role_label *role)
20497 -+{
20498 -+ struct dentry *dentry = (struct dentry *) l_dentry;
20499 -+ struct vfsmount *mnt = (struct vfsmount *) l_mnt;
20500 -+ struct acl_subject_label *retval;
20501 -+
20502 -+ spin_lock(&dcache_lock);
20503 -+
20504 -+ for (;;) {
20505 -+ if (dentry == real_root && mnt == real_root_mnt)
20506 -+ break;
20507 -+ if (dentry == mnt->mnt_root || IS_ROOT(dentry)) {
20508 -+ if (mnt->mnt_parent == mnt)
20509 -+ break;
20510 -+
20511 -+ read_lock(&gr_inode_lock);
20512 -+ retval =
20513 -+ lookup_acl_subj_label(dentry->d_inode->i_ino,
20514 -+ dentry->d_inode->i_sb->s_dev, role);
20515 -+ read_unlock(&gr_inode_lock);
20516 -+ if (retval != NULL)
20517 -+ goto out;
20518 -+
20519 -+ dentry = mnt->mnt_mountpoint;
20520 -+ mnt = mnt->mnt_parent;
20521 -+ continue;
20522 -+ }
20523 -+
20524 -+ read_lock(&gr_inode_lock);
20525 -+ retval = lookup_acl_subj_label(dentry->d_inode->i_ino,
20526 -+ dentry->d_inode->i_sb->s_dev, role);
20527 -+ read_unlock(&gr_inode_lock);
20528 -+ if (retval != NULL)
20529 -+ goto out;
20530 -+
20531 -+ dentry = dentry->d_parent;
20532 -+ }
20533 -+
20534 -+ read_lock(&gr_inode_lock);
20535 -+ retval = lookup_acl_subj_label(dentry->d_inode->i_ino,
20536 -+ dentry->d_inode->i_sb->s_dev, role);
20537 -+ read_unlock(&gr_inode_lock);
20538 -+
20539 -+ if (unlikely(retval == NULL)) {
20540 -+ read_lock(&gr_inode_lock);
20541 -+ retval = lookup_acl_subj_label(real_root->d_inode->i_ino,
20542 -+ real_root->d_inode->i_sb->s_dev, role);
20543 -+ read_unlock(&gr_inode_lock);
20544 -+ }
20545 -+out:
20546 -+ spin_unlock(&dcache_lock);
20547 -+
20548 -+ return retval;
20549 -+}
20550 -+
20551 -+static void
20552 -+gr_log_learn(const struct task_struct *task, const struct dentry *dentry, const struct vfsmount *mnt, const __u32 mode)
20553 -+{
20554 -+ security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename, task->role->roletype,
20555 -+ task->uid, task->gid, task->exec_file ? gr_to_filename1(task->exec_file->f_dentry,
20556 -+ task->exec_file->f_vfsmnt) : task->acl->filename, task->acl->filename,
20557 -+ 1, 1, gr_to_filename(dentry, mnt), (unsigned long) mode, NIPQUAD(task->signal->curr_ip));
20558 -+
20559 -+ return;
20560 -+}
20561 -+
20562 -+static void
20563 -+gr_log_learn_sysctl(const struct task_struct *task, const char *path, const __u32 mode)
20564 -+{
20565 -+ security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename, task->role->roletype,
20566 -+ task->uid, task->gid, task->exec_file ? gr_to_filename1(task->exec_file->f_dentry,
20567 -+ task->exec_file->f_vfsmnt) : task->acl->filename, task->acl->filename,
20568 -+ 1, 1, path, (unsigned long) mode, NIPQUAD(task->signal->curr_ip));
20569 -+
20570 -+ return;
20571 -+}
20572 -+
20573 -+static void
20574 -+gr_log_learn_id_change(const struct task_struct *task, const char type, const unsigned int real,
20575 -+ const unsigned int effective, const unsigned int fs)
20576 -+{
20577 -+ security_learn(GR_ID_LEARN_MSG, task->role->rolename, task->role->roletype,
20578 -+ task->uid, task->gid, task->exec_file ? gr_to_filename1(task->exec_file->f_dentry,
20579 -+ task->exec_file->f_vfsmnt) : task->acl->filename, task->acl->filename,
20580 -+ type, real, effective, fs, NIPQUAD(task->signal->curr_ip));
20581 -+
20582 -+ return;
20583 -+}
20584 -+
20585 -+__u32
20586 -+gr_check_link(const struct dentry * new_dentry,
20587 -+ const struct dentry * parent_dentry,
20588 -+ const struct vfsmount * parent_mnt,
20589 -+ const struct dentry * old_dentry, const struct vfsmount * old_mnt)
20590 -+{
20591 -+ struct acl_object_label *obj;
20592 -+ __u32 oldmode, newmode;
20593 -+ __u32 needmode;
20594 -+
20595 -+ if (unlikely(!(gr_status & GR_READY)))
20596 -+ return (GR_CREATE | GR_LINK);
20597 -+
20598 -+ obj = chk_obj_label(old_dentry, old_mnt, current->acl);
20599 -+ oldmode = obj->mode;
20600 -+
20601 -+ if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN))
20602 -+ oldmode |= (GR_CREATE | GR_LINK);
20603 -+
20604 -+ needmode = GR_CREATE | GR_AUDIT_CREATE | GR_SUPPRESS;
20605 -+ if (old_dentry->d_inode->i_mode & (S_ISUID | S_ISGID))
20606 -+ needmode |= GR_SETID | GR_AUDIT_SETID;
20607 -+
20608 -+ newmode =
20609 -+ gr_check_create(new_dentry, parent_dentry, parent_mnt,
20610 -+ oldmode | needmode);
20611 -+
20612 -+ needmode = newmode & (GR_FIND | GR_APPEND | GR_WRITE | GR_EXEC |
20613 -+ GR_SETID | GR_READ | GR_FIND | GR_DELETE |
20614 -+ GR_INHERIT | GR_AUDIT_INHERIT);
20615 -+
20616 -+ if (old_dentry->d_inode->i_mode & (S_ISUID | S_ISGID) && !(newmode & GR_SETID))
20617 -+ goto bad;
20618 -+
20619 -+ if ((oldmode & needmode) != needmode)
20620 -+ goto bad;
20621 -+
20622 -+ needmode = oldmode & (GR_NOPTRACE | GR_PTRACERD | GR_INHERIT | GR_AUDITS);
20623 -+ if ((newmode & needmode) != needmode)
20624 -+ goto bad;
20625 -+
20626 -+ if ((newmode & (GR_CREATE | GR_LINK)) == (GR_CREATE | GR_LINK))
20627 -+ return newmode;
20628 -+bad:
20629 -+ needmode = oldmode;
20630 -+ if (old_dentry->d_inode->i_mode & (S_ISUID | S_ISGID))
20631 -+ needmode |= GR_SETID;
20632 -+
20633 -+ if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN)) {
20634 -+ gr_log_learn(current, old_dentry, old_mnt, needmode);
20635 -+ return (GR_CREATE | GR_LINK);
20636 -+ } else if (newmode & GR_SUPPRESS)
20637 -+ return GR_SUPPRESS;
20638 -+ else
20639 -+ return 0;
20640 -+}
20641 -+
20642 -+__u32
20643 -+gr_search_file(const struct dentry * dentry, const __u32 mode,
20644 -+ const struct vfsmount * mnt)
20645 -+{
20646 -+ __u32 retval = mode;
20647 -+ struct acl_subject_label *curracl;
20648 -+ struct acl_object_label *currobj;
20649 -+
20650 -+ if (unlikely(!(gr_status & GR_READY)))
20651 -+ return (mode & ~GR_AUDITS);
20652 -+
20653 -+ curracl = current->acl;
20654 -+
20655 -+ currobj = chk_obj_label(dentry, mnt, curracl);
20656 -+ retval = currobj->mode & mode;
20657 -+
20658 -+ if (unlikely
20659 -+ ((curracl->mode & (GR_LEARN | GR_INHERITLEARN)) && !(mode & GR_NOPTRACE)
20660 -+ && (retval != (mode & ~(GR_AUDITS | GR_SUPPRESS))))) {
20661 -+ __u32 new_mode = mode;
20662 -+
20663 -+ new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
20664 -+
20665 -+ retval = new_mode;
20666 -+
20667 -+ if (new_mode & GR_EXEC && curracl->mode & GR_INHERITLEARN)
20668 -+ new_mode |= GR_INHERIT;
20669 -+
20670 -+ if (!(mode & GR_NOLEARN))
20671 -+ gr_log_learn(current, dentry, mnt, new_mode);
20672 -+ }
20673 -+
20674 -+ return retval;
20675 -+}
20676 -+
20677 -+__u32
20678 -+gr_check_create(const struct dentry * new_dentry, const struct dentry * parent,
20679 -+ const struct vfsmount * mnt, const __u32 mode)
20680 -+{
20681 -+ struct name_entry *match;
20682 -+ struct acl_object_label *matchpo;
20683 -+ struct acl_subject_label *curracl;
20684 -+ char *path;
20685 -+ __u32 retval;
20686 -+
20687 -+ if (unlikely(!(gr_status & GR_READY)))
20688 -+ return (mode & ~GR_AUDITS);
20689 -+
20690 -+ preempt_disable();
20691 -+ path = gr_to_filename_rbac(new_dentry, mnt);
20692 -+ match = lookup_name_entry_create(path);
20693 -+
20694 -+ if (!match)
20695 -+ goto check_parent;
20696 -+
20697 -+ curracl = current->acl;
20698 -+
20699 -+ read_lock(&gr_inode_lock);
20700 -+ matchpo = lookup_acl_obj_label_create(match->inode, match->device, curracl);
20701 -+ read_unlock(&gr_inode_lock);
20702 -+
20703 -+ if (matchpo) {
20704 -+ if ((matchpo->mode & mode) !=
20705 -+ (mode & ~(GR_AUDITS | GR_SUPPRESS))
20706 -+ && curracl->mode & (GR_LEARN | GR_INHERITLEARN)) {
20707 -+ __u32 new_mode = mode;
20708 -+
20709 -+ new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
20710 -+
20711 -+ gr_log_learn(current, new_dentry, mnt, new_mode);
20712 -+
20713 -+ preempt_enable();
20714 -+ return new_mode;
20715 -+ }
20716 -+ preempt_enable();
20717 -+ return (matchpo->mode & mode);
20718 -+ }
20719 -+
20720 -+ check_parent:
20721 -+ curracl = current->acl;
20722 -+
20723 -+ matchpo = chk_obj_create_label(parent, mnt, curracl, path);
20724 -+ retval = matchpo->mode & mode;
20725 -+
20726 -+ if ((retval != (mode & ~(GR_AUDITS | GR_SUPPRESS)))
20727 -+ && (curracl->mode & (GR_LEARN | GR_INHERITLEARN))) {
20728 -+ __u32 new_mode = mode;
20729 -+
20730 -+ new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
20731 -+
20732 -+ gr_log_learn(current, new_dentry, mnt, new_mode);
20733 -+ preempt_enable();
20734 -+ return new_mode;
20735 -+ }
20736 -+
20737 -+ preempt_enable();
20738 -+ return retval;
20739 -+}
20740 -+
20741 -+int
20742 -+gr_check_hidden_task(const struct task_struct *task)
20743 -+{
20744 -+ if (unlikely(!(gr_status & GR_READY)))
20745 -+ return 0;
20746 -+
20747 -+ if (!(task->acl->mode & GR_PROCFIND) && !(current->acl->mode & GR_VIEW))
20748 -+ return 1;
20749 -+
20750 -+ return 0;
20751 -+}
20752 -+
20753 -+int
20754 -+gr_check_protected_task(const struct task_struct *task)
20755 -+{
20756 -+ if (unlikely(!(gr_status & GR_READY) || !task))
20757 -+ return 0;
20758 -+
20759 -+ if ((task->acl->mode & GR_PROTECTED) && !(current->acl->mode & GR_KILL) &&
20760 -+ task->acl != current->acl)
20761 -+ return 1;
20762 -+
20763 -+ return 0;
20764 -+}
20765 -+
20766 -+void
20767 -+gr_copy_label(struct task_struct *tsk)
20768 -+{
20769 -+ tsk->signal->used_accept = 0;
20770 -+ tsk->acl_sp_role = 0;
20771 -+ tsk->acl_role_id = current->acl_role_id;
20772 -+ tsk->acl = current->acl;
20773 -+ tsk->role = current->role;
20774 -+ tsk->signal->curr_ip = current->signal->curr_ip;
20775 -+ if (current->exec_file)
20776 -+ get_file(current->exec_file);
20777 -+ tsk->exec_file = current->exec_file;
20778 -+ tsk->is_writable = current->is_writable;
20779 -+ if (unlikely(current->signal->used_accept))
20780 -+ current->signal->curr_ip = 0;
20781 -+
20782 -+ return;
20783 -+}
20784 -+
20785 -+static void
20786 -+gr_set_proc_res(struct task_struct *task)
20787 -+{
20788 -+ struct acl_subject_label *proc;
20789 -+ unsigned short i;
20790 -+
20791 -+ proc = task->acl;
20792 -+
20793 -+ if (proc->mode & (GR_LEARN | GR_INHERITLEARN))
20794 -+ return;
20795 -+
20796 -+ for (i = 0; i < (GR_NLIMITS - 1); i++) {
20797 -+ if (!(proc->resmask & (1 << i)))
20798 -+ continue;
20799 -+
20800 -+ task->signal->rlim[i].rlim_cur = proc->res[i].rlim_cur;
20801 -+ task->signal->rlim[i].rlim_max = proc->res[i].rlim_max;
20802 -+ }
20803 -+
20804 -+ return;
20805 -+}
20806 -+
20807 -+int
20808 -+gr_check_user_change(int real, int effective, int fs)
20809 -+{
20810 -+ unsigned int i;
20811 -+ __u16 num;
20812 -+ uid_t *uidlist;
20813 -+ int curuid;
20814 -+ int realok = 0;
20815 -+ int effectiveok = 0;
20816 -+ int fsok = 0;
20817 -+
20818 -+ if (unlikely(!(gr_status & GR_READY)))
20819 -+ return 0;
20820 -+
20821 -+ if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN))
20822 -+ gr_log_learn_id_change(current, 'u', real, effective, fs);
20823 -+
20824 -+ num = current->acl->user_trans_num;
20825 -+ uidlist = current->acl->user_transitions;
20826 -+
20827 -+ if (uidlist == NULL)
20828 -+ return 0;
20829 -+
20830 -+ if (real == -1)
20831 -+ realok = 1;
20832 -+ if (effective == -1)
20833 -+ effectiveok = 1;
20834 -+ if (fs == -1)
20835 -+ fsok = 1;
20836 -+
20837 -+ if (current->acl->user_trans_type & GR_ID_ALLOW) {
20838 -+ for (i = 0; i < num; i++) {
20839 -+ curuid = (int)uidlist[i];
20840 -+ if (real == curuid)
20841 -+ realok = 1;
20842 -+ if (effective == curuid)
20843 -+ effectiveok = 1;
20844 -+ if (fs == curuid)
20845 -+ fsok = 1;
20846 -+ }
20847 -+ } else if (current->acl->user_trans_type & GR_ID_DENY) {
20848 -+ for (i = 0; i < num; i++) {
20849 -+ curuid = (int)uidlist[i];
20850 -+ if (real == curuid)
20851 -+ break;
20852 -+ if (effective == curuid)
20853 -+ break;
20854 -+ if (fs == curuid)
20855 -+ break;
20856 -+ }
20857 -+ /* not in deny list */
20858 -+ if (i == num) {
20859 -+ realok = 1;
20860 -+ effectiveok = 1;
20861 -+ fsok = 1;
20862 -+ }
20863 -+ }
20864 -+
20865 -+ if (realok && effectiveok && fsok)
20866 -+ return 0;
20867 -+ else {
20868 -+ gr_log_int(GR_DONT_AUDIT, GR_USRCHANGE_ACL_MSG, realok ? (effectiveok ? (fsok ? 0 : fs) : effective) : real);
20869 -+ return 1;
20870 -+ }
20871 -+}
20872 -+
20873 -+int
20874 -+gr_check_group_change(int real, int effective, int fs)
20875 -+{
20876 -+ unsigned int i;
20877 -+ __u16 num;
20878 -+ gid_t *gidlist;
20879 -+ int curgid;
20880 -+ int realok = 0;
20881 -+ int effectiveok = 0;
20882 -+ int fsok = 0;
20883 -+
20884 -+ if (unlikely(!(gr_status & GR_READY)))
20885 -+ return 0;
20886 -+
20887 -+ if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN))
20888 -+ gr_log_learn_id_change(current, 'g', real, effective, fs);
20889 -+
20890 -+ num = current->acl->group_trans_num;
20891 -+ gidlist = current->acl->group_transitions;
20892 -+
20893 -+ if (gidlist == NULL)
20894 -+ return 0;
20895 -+
20896 -+ if (real == -1)
20897 -+ realok = 1;
20898 -+ if (effective == -1)
20899 -+ effectiveok = 1;
20900 -+ if (fs == -1)
20901 -+ fsok = 1;
20902 -+
20903 -+ if (current->acl->group_trans_type & GR_ID_ALLOW) {
20904 -+ for (i = 0; i < num; i++) {
20905 -+ curgid = (int)gidlist[i];
20906 -+ if (real == curgid)
20907 -+ realok = 1;
20908 -+ if (effective == curgid)
20909 -+ effectiveok = 1;
20910 -+ if (fs == curgid)
20911 -+ fsok = 1;
20912 -+ }
20913 -+ } else if (current->acl->group_trans_type & GR_ID_DENY) {
20914 -+ for (i = 0; i < num; i++) {
20915 -+ curgid = (int)gidlist[i];
20916 -+ if (real == curgid)
20917 -+ break;
20918 -+ if (effective == curgid)
20919 -+ break;
20920 -+ if (fs == curgid)
20921 -+ break;
20922 -+ }
20923 -+ /* not in deny list */
20924 -+ if (i == num) {
20925 -+ realok = 1;
20926 -+ effectiveok = 1;
20927 -+ fsok = 1;
20928 -+ }
20929 -+ }
20930 -+
20931 -+ if (realok && effectiveok && fsok)
20932 -+ return 0;
20933 -+ else {
20934 -+ gr_log_int(GR_DONT_AUDIT, GR_GRPCHANGE_ACL_MSG, realok ? (effectiveok ? (fsok ? 0 : fs) : effective) : real);
20935 -+ return 1;
20936 -+ }
20937 -+}
20938 -+
20939 -+void
20940 -+gr_set_role_label(struct task_struct *task, const uid_t uid, const uid_t gid)
20941 -+{
20942 -+ struct acl_role_label *role = task->role;
20943 -+ struct acl_subject_label *subj = NULL;
20944 -+ struct acl_object_label *obj;
20945 -+ struct file *filp;
20946 -+
20947 -+ if (unlikely(!(gr_status & GR_READY)))
20948 -+ return;
20949 -+
20950 -+ filp = task->exec_file;
20951 -+
20952 -+ /* kernel process, we'll give them the kernel role */
20953 -+ if (unlikely(!filp)) {
20954 -+ task->role = kernel_role;
20955 -+ task->acl = kernel_role->root_label;
20956 -+ return;
20957 -+ } else if (!task->role || !(task->role->roletype & GR_ROLE_SPECIAL))
20958 -+ role = lookup_acl_role_label(task, uid, gid);
20959 -+
20960 -+ /* perform subject lookup in possibly new role
20961 -+ we can use this result below in the case where role == task->role
20962 -+ */
20963 -+ subj = chk_subj_label(filp->f_dentry, filp->f_vfsmnt, role);
20964 -+
20965 -+ /* if we changed uid/gid, but result in the same role
20966 -+ and are using inheritance, don't lose the inherited subject
20967 -+ if current subject is other than what normal lookup
20968 -+ would result in, we arrived via inheritance, don't
20969 -+ lose subject
20970 -+ */
20971 -+ if (role != task->role || (!(task->acl->mode & GR_INHERITLEARN) &&
20972 -+ (subj == task->acl)))
20973 -+ task->acl = subj;
20974 -+
20975 -+ task->role = role;
20976 -+
20977 -+ task->is_writable = 0;
20978 -+
20979 -+ /* ignore additional mmap checks for processes that are writable
20980 -+ by the default ACL */
20981 -+ obj = chk_obj_label(filp->f_dentry, filp->f_vfsmnt, default_role->root_label);
20982 -+ if (unlikely(obj->mode & GR_WRITE))
20983 -+ task->is_writable = 1;
20984 -+ obj = chk_obj_label(filp->f_dentry, filp->f_vfsmnt, task->role->root_label);
20985 -+ if (unlikely(obj->mode & GR_WRITE))
20986 -+ task->is_writable = 1;
20987 -+
20988 -+#ifdef CONFIG_GRKERNSEC_ACL_DEBUG
20989 -+ printk(KERN_ALERT "Set role label for (%s:%d): role:%s, subject:%s\n", task->comm, task->pid, task->role->rolename, task->acl->filename);
20990 -+#endif
20991 -+
20992 -+ gr_set_proc_res(task);
20993 -+
20994 -+ return;
20995 -+}
20996 -+
20997 -+int
20998 -+gr_set_proc_label(const struct dentry *dentry, const struct vfsmount *mnt)
20999 -+{
21000 -+ struct task_struct *task = current;
21001 -+ struct acl_subject_label *newacl;
21002 -+ struct acl_object_label *obj;
21003 -+ __u32 retmode;
21004 -+
21005 -+ if (unlikely(!(gr_status & GR_READY)))
21006 -+ return 0;
21007 -+
21008 -+ newacl = chk_subj_label(dentry, mnt, task->role);
21009 -+
21010 -+ task_lock(task);
21011 -+ if (((task->ptrace & PT_PTRACED) && !(task->acl->mode &
21012 -+ GR_POVERRIDE) && (task->acl != newacl) &&
21013 -+ !(task->role->roletype & GR_ROLE_GOD) &&
21014 -+ !gr_search_file(dentry, GR_PTRACERD, mnt) &&
21015 -+ !(task->acl->mode & (GR_LEARN | GR_INHERITLEARN))) ||
21016 -+ (atomic_read(&task->fs->count) > 1 ||
21017 -+ atomic_read(&task->files->count) > 1 ||
21018 -+ atomic_read(&task->sighand->count) > 1)) {
21019 -+ task_unlock(task);
21020 -+ gr_log_fs_generic(GR_DONT_AUDIT, GR_PTRACE_EXEC_ACL_MSG, dentry, mnt);
21021 -+ return -EACCES;
21022 -+ }
21023 -+ task_unlock(task);
21024 -+
21025 -+ obj = chk_obj_label(dentry, mnt, task->acl);
21026 -+ retmode = obj->mode & (GR_INHERIT | GR_AUDIT_INHERIT);
21027 -+
21028 -+ if (!(task->acl->mode & GR_INHERITLEARN) &&
21029 -+ ((newacl->mode & GR_LEARN) || !(retmode & GR_INHERIT))) {
21030 -+ if (obj->nested)
21031 -+ task->acl = obj->nested;
21032 -+ else
21033 -+ task->acl = newacl;
21034 -+ } else if (retmode & GR_INHERIT && retmode & GR_AUDIT_INHERIT)
21035 -+ gr_log_str_fs(GR_DO_AUDIT, GR_INHERIT_ACL_MSG, task->acl->filename, dentry, mnt);
21036 -+
21037 -+ task->is_writable = 0;
21038 -+
21039 -+ /* ignore additional mmap checks for processes that are writable
21040 -+ by the default ACL */
21041 -+ obj = chk_obj_label(dentry, mnt, default_role->root_label);
21042 -+ if (unlikely(obj->mode & GR_WRITE))
21043 -+ task->is_writable = 1;
21044 -+ obj = chk_obj_label(dentry, mnt, task->role->root_label);
21045 -+ if (unlikely(obj->mode & GR_WRITE))
21046 -+ task->is_writable = 1;
21047 -+
21048 -+ gr_set_proc_res(task);
21049 -+
21050 -+#ifdef CONFIG_GRKERNSEC_ACL_DEBUG
21051 -+ printk(KERN_ALERT "Set subject label for (%s:%d): role:%s, subject:%s\n", task->comm, task->pid, task->role->rolename, task->acl->filename);
21052 -+#endif
21053 -+ return 0;
21054 -+}
21055 -+
21056 -+/* always called with valid inodev ptr */
21057 -+static void
21058 -+do_handle_delete(struct inodev_entry *inodev, const ino_t ino, const dev_t dev)
21059 -+{
21060 -+ struct acl_object_label *matchpo;
21061 -+ struct acl_subject_label *matchps;
21062 -+ struct acl_subject_label *subj;
21063 -+ struct acl_role_label *role;
21064 -+ unsigned int i, x;
21065 -+
21066 -+ FOR_EACH_ROLE_START(role, i)
21067 -+ FOR_EACH_SUBJECT_START(role, subj, x)
21068 -+ if ((matchpo = lookup_acl_obj_label(ino, dev, subj)) != NULL)
21069 -+ matchpo->mode |= GR_DELETED;
21070 -+ FOR_EACH_SUBJECT_END(subj,x)
21071 -+ FOR_EACH_NESTED_SUBJECT_START(role, subj)
21072 -+ if (subj->inode == ino && subj->device == dev)
21073 -+ subj->mode |= GR_DELETED;
21074 -+ FOR_EACH_NESTED_SUBJECT_END(subj)
21075 -+ if ((matchps = lookup_acl_subj_label(ino, dev, role)) != NULL)
21076 -+ matchps->mode |= GR_DELETED;
21077 -+ FOR_EACH_ROLE_END(role,i)
21078 -+
21079 -+ inodev->nentry->deleted = 1;
21080 -+
21081 -+ return;
21082 -+}
21083 -+
21084 -+void
21085 -+gr_handle_delete(const ino_t ino, const dev_t dev)
21086 -+{
21087 -+ struct inodev_entry *inodev;
21088 -+
21089 -+ if (unlikely(!(gr_status & GR_READY)))
21090 -+ return;
21091 -+
21092 -+ write_lock(&gr_inode_lock);
21093 -+ inodev = lookup_inodev_entry(ino, dev);
21094 -+ if (inodev != NULL)
21095 -+ do_handle_delete(inodev, ino, dev);
21096 -+ write_unlock(&gr_inode_lock);
21097 -+
21098 -+ return;
21099 -+}
21100 -+
21101 -+static void
21102 -+update_acl_obj_label(const ino_t oldinode, const dev_t olddevice,
21103 -+ const ino_t newinode, const dev_t newdevice,
21104 -+ struct acl_subject_label *subj)
21105 -+{
21106 -+ unsigned int index = fhash(oldinode, olddevice, subj->obj_hash_size);
21107 -+ struct acl_object_label *match;
21108 -+
21109 -+ match = subj->obj_hash[index];
21110 -+
21111 -+ while (match && (match->inode != oldinode ||
21112 -+ match->device != olddevice ||
21113 -+ !(match->mode & GR_DELETED)))
21114 -+ match = match->next;
21115 -+
21116 -+ if (match && (match->inode == oldinode)
21117 -+ && (match->device == olddevice)
21118 -+ && (match->mode & GR_DELETED)) {
21119 -+ if (match->prev == NULL) {
21120 -+ subj->obj_hash[index] = match->next;
21121 -+ if (match->next != NULL)
21122 -+ match->next->prev = NULL;
21123 -+ } else {
21124 -+ match->prev->next = match->next;
21125 -+ if (match->next != NULL)
21126 -+ match->next->prev = match->prev;
21127 -+ }
21128 -+ match->prev = NULL;
21129 -+ match->next = NULL;
21130 -+ match->inode = newinode;
21131 -+ match->device = newdevice;
21132 -+ match->mode &= ~GR_DELETED;
21133 -+
21134 -+ insert_acl_obj_label(match, subj);
21135 -+ }
21136 -+
21137 -+ return;
21138 -+}
21139 -+
21140 -+static void
21141 -+update_acl_subj_label(const ino_t oldinode, const dev_t olddevice,
21142 -+ const ino_t newinode, const dev_t newdevice,
21143 -+ struct acl_role_label *role)
21144 -+{
21145 -+ unsigned int index = fhash(oldinode, olddevice, role->subj_hash_size);
21146 -+ struct acl_subject_label *match;
21147 -+
21148 -+ match = role->subj_hash[index];
21149 -+
21150 -+ while (match && (match->inode != oldinode ||
21151 -+ match->device != olddevice ||
21152 -+ !(match->mode & GR_DELETED)))
21153 -+ match = match->next;
21154 -+
21155 -+ if (match && (match->inode == oldinode)
21156 -+ && (match->device == olddevice)
21157 -+ && (match->mode & GR_DELETED)) {
21158 -+ if (match->prev == NULL) {
21159 -+ role->subj_hash[index] = match->next;
21160 -+ if (match->next != NULL)
21161 -+ match->next->prev = NULL;
21162 -+ } else {
21163 -+ match->prev->next = match->next;
21164 -+ if (match->next != NULL)
21165 -+ match->next->prev = match->prev;
21166 -+ }
21167 -+ match->prev = NULL;
21168 -+ match->next = NULL;
21169 -+ match->inode = newinode;
21170 -+ match->device = newdevice;
21171 -+ match->mode &= ~GR_DELETED;
21172 -+
21173 -+ insert_acl_subj_label(match, role);
21174 -+ }
21175 -+
21176 -+ return;
21177 -+}
21178 -+
21179 -+static void
21180 -+update_inodev_entry(const ino_t oldinode, const dev_t olddevice,
21181 -+ const ino_t newinode, const dev_t newdevice)
21182 -+{
21183 -+ unsigned int index = fhash(oldinode, olddevice, inodev_set.i_size);
21184 -+ struct inodev_entry *match;
21185 -+
21186 -+ match = inodev_set.i_hash[index];
21187 -+
21188 -+ while (match && (match->nentry->inode != oldinode ||
21189 -+ match->nentry->device != olddevice || !match->nentry->deleted))
21190 -+ match = match->next;
21191 -+
21192 -+ if (match && (match->nentry->inode == oldinode)
21193 -+ && (match->nentry->device == olddevice) &&
21194 -+ match->nentry->deleted) {
21195 -+ if (match->prev == NULL) {
21196 -+ inodev_set.i_hash[index] = match->next;
21197 -+ if (match->next != NULL)
21198 -+ match->next->prev = NULL;
21199 -+ } else {
21200 -+ match->prev->next = match->next;
21201 -+ if (match->next != NULL)
21202 -+ match->next->prev = match->prev;
21203 -+ }
21204 -+ match->prev = NULL;
21205 -+ match->next = NULL;
21206 -+ match->nentry->inode = newinode;
21207 -+ match->nentry->device = newdevice;
21208 -+ match->nentry->deleted = 0;
21209 -+
21210 -+ insert_inodev_entry(match);
21211 -+ }
21212 -+
21213 -+ return;
21214 -+}
21215 -+
21216 -+static void
21217 -+do_handle_create(const struct name_entry *matchn, const struct dentry *dentry,
21218 -+ const struct vfsmount *mnt)
21219 -+{
21220 -+ struct acl_subject_label *subj;
21221 -+ struct acl_role_label *role;
21222 -+ unsigned int i, x;
21223 -+
21224 -+ FOR_EACH_ROLE_START(role, i)
21225 -+ update_acl_subj_label(matchn->inode, matchn->device,
21226 -+ dentry->d_inode->i_ino,
21227 -+ dentry->d_inode->i_sb->s_dev, role);
21228 -+
21229 -+ FOR_EACH_NESTED_SUBJECT_START(role, subj)
21230 -+ if ((subj->inode == dentry->d_inode->i_ino) &&
21231 -+ (subj->device == dentry->d_inode->i_sb->s_dev)) {
21232 -+ subj->inode = dentry->d_inode->i_ino;
21233 -+ subj->device = dentry->d_inode->i_sb->s_dev;
21234 -+ }
21235 -+ FOR_EACH_NESTED_SUBJECT_END(subj)
21236 -+ FOR_EACH_SUBJECT_START(role, subj, x)
21237 -+ update_acl_obj_label(matchn->inode, matchn->device,
21238 -+ dentry->d_inode->i_ino,
21239 -+ dentry->d_inode->i_sb->s_dev, subj);
21240 -+ FOR_EACH_SUBJECT_END(subj,x)
21241 -+ FOR_EACH_ROLE_END(role,i)
21242 -+
21243 -+ update_inodev_entry(matchn->inode, matchn->device,
21244 -+ dentry->d_inode->i_ino, dentry->d_inode->i_sb->s_dev);
21245 -+
21246 -+ return;
21247 -+}
21248 -+
21249 -+void
21250 -+gr_handle_create(const struct dentry *dentry, const struct vfsmount *mnt)
21251 -+{
21252 -+ struct name_entry *matchn;
21253 -+
21254 -+ if (unlikely(!(gr_status & GR_READY)))
21255 -+ return;
21256 -+
21257 -+ preempt_disable();
21258 -+ matchn = lookup_name_entry(gr_to_filename_rbac(dentry, mnt));
21259 -+
21260 -+ if (unlikely((unsigned long)matchn)) {
21261 -+ write_lock(&gr_inode_lock);
21262 -+ do_handle_create(matchn, dentry, mnt);
21263 -+ write_unlock(&gr_inode_lock);
21264 -+ }
21265 -+ preempt_enable();
21266 -+
21267 -+ return;
21268 -+}
21269 -+
21270 -+void
21271 -+gr_handle_rename(struct inode *old_dir, struct inode *new_dir,
21272 -+ struct dentry *old_dentry,
21273 -+ struct dentry *new_dentry,
21274 -+ struct vfsmount *mnt, const __u8 replace)
21275 -+{
21276 -+ struct name_entry *matchn;
21277 -+ struct inodev_entry *inodev;
21278 -+
21279 -+ /* vfs_rename swaps the name and parent link for old_dentry and
21280 -+ new_dentry
21281 -+ at this point, old_dentry has the new name, parent link, and inode
21282 -+ for the renamed file
21283 -+ if a file is being replaced by a rename, new_dentry has the inode
21284 -+ and name for the replaced file
21285 -+ */
21286 -+
21287 -+ if (unlikely(!(gr_status & GR_READY)))
21288 -+ return;
21289 -+
21290 -+ preempt_disable();
21291 -+ matchn = lookup_name_entry(gr_to_filename_rbac(old_dentry, mnt));
21292 -+
21293 -+ /* we wouldn't have to check d_inode if it weren't for
21294 -+ NFS silly-renaming
21295 -+ */
21296 -+
21297 -+ write_lock(&gr_inode_lock);
21298 -+ if (unlikely(replace && new_dentry->d_inode)) {
21299 -+ inodev = lookup_inodev_entry(new_dentry->d_inode->i_ino,
21300 -+ new_dentry->d_inode->i_sb->s_dev);
21301 -+ if (inodev != NULL && (new_dentry->d_inode->i_nlink <= 1))
21302 -+ do_handle_delete(inodev, new_dentry->d_inode->i_ino,
21303 -+ new_dentry->d_inode->i_sb->s_dev);
21304 -+ }
21305 -+
21306 -+ inodev = lookup_inodev_entry(old_dentry->d_inode->i_ino,
21307 -+ old_dentry->d_inode->i_sb->s_dev);
21308 -+ if (inodev != NULL && (old_dentry->d_inode->i_nlink <= 1))
21309 -+ do_handle_delete(inodev, old_dentry->d_inode->i_ino,
21310 -+ old_dentry->d_inode->i_sb->s_dev);
21311 -+
21312 -+ if (unlikely((unsigned long)matchn))
21313 -+ do_handle_create(matchn, old_dentry, mnt);
21314 -+
21315 -+ write_unlock(&gr_inode_lock);
21316 -+ preempt_enable();
21317 -+
21318 -+ return;
21319 -+}
21320 -+
21321 -+static int
21322 -+lookup_special_role_auth(__u16 mode, const char *rolename, unsigned char **salt,
21323 -+ unsigned char **sum)
21324 -+{
21325 -+ struct acl_role_label *r;
21326 -+ struct role_allowed_ip *ipp;
21327 -+ struct role_transition *trans;
21328 -+ unsigned int i;
21329 -+ int found = 0;
21330 -+
21331 -+ /* check transition table */
21332 -+
21333 -+ for (trans = current->role->transitions; trans; trans = trans->next) {
21334 -+ if (!strcmp(rolename, trans->rolename)) {
21335 -+ found = 1;
21336 -+ break;
21337 -+ }
21338 -+ }
21339 -+
21340 -+ if (!found)
21341 -+ return 0;
21342 -+
21343 -+ /* handle special roles that do not require authentication
21344 -+ and check ip */
21345 -+
21346 -+ FOR_EACH_ROLE_START(r, i)
21347 -+ if (!strcmp(rolename, r->rolename) &&
21348 -+ (r->roletype & GR_ROLE_SPECIAL)) {
21349 -+ found = 0;
21350 -+ if (r->allowed_ips != NULL) {
21351 -+ for (ipp = r->allowed_ips; ipp; ipp = ipp->next) {
21352 -+ if ((ntohl(current->signal->curr_ip) & ipp->netmask) ==
21353 -+ (ntohl(ipp->addr) & ipp->netmask))
21354 -+ found = 1;
21355 -+ }
21356 -+ } else
21357 -+ found = 2;
21358 -+ if (!found)
21359 -+ return 0;
21360 -+
21361 -+ if (((mode == SPROLE) && (r->roletype & GR_ROLE_NOPW)) ||
21362 -+ ((mode == SPROLEPAM) && (r->roletype & GR_ROLE_PAM))) {
21363 -+ *salt = NULL;
21364 -+ *sum = NULL;
21365 -+ return 1;
21366 -+ }
21367 -+ }
21368 -+ FOR_EACH_ROLE_END(r,i)
21369 -+
21370 -+ for (i = 0; i < num_sprole_pws; i++) {
21371 -+ if (!strcmp(rolename, acl_special_roles[i]->rolename)) {
21372 -+ *salt = acl_special_roles[i]->salt;
21373 -+ *sum = acl_special_roles[i]->sum;
21374 -+ return 1;
21375 -+ }
21376 -+ }
21377 -+
21378 -+ return 0;
21379 -+}
21380 -+
21381 -+static void
21382 -+assign_special_role(char *rolename)
21383 -+{
21384 -+ struct acl_object_label *obj;
21385 -+ struct acl_role_label *r;
21386 -+ struct acl_role_label *assigned = NULL;
21387 -+ struct task_struct *tsk;
21388 -+ struct file *filp;
21389 -+ unsigned int i;
21390 -+
21391 -+ FOR_EACH_ROLE_START(r, i)
21392 -+ if (!strcmp(rolename, r->rolename) &&
21393 -+ (r->roletype & GR_ROLE_SPECIAL))
21394 -+ assigned = r;
21395 -+ FOR_EACH_ROLE_END(r,i)
21396 -+
21397 -+ if (!assigned)
21398 -+ return;
21399 -+
21400 -+ read_lock(&tasklist_lock);
21401 -+ read_lock(&grsec_exec_file_lock);
21402 -+
21403 -+ tsk = current->parent;
21404 -+ if (tsk == NULL)
21405 -+ goto out_unlock;
21406 -+
21407 -+ filp = tsk->exec_file;
21408 -+ if (filp == NULL)
21409 -+ goto out_unlock;
21410 -+
21411 -+ tsk->is_writable = 0;
21412 -+
21413 -+ tsk->acl_sp_role = 1;
21414 -+ tsk->acl_role_id = ++acl_sp_role_value;
21415 -+ tsk->role = assigned;
21416 -+ tsk->acl = chk_subj_label(filp->f_dentry, filp->f_vfsmnt, tsk->role);
21417 -+
21418 -+ /* ignore additional mmap checks for processes that are writable
21419 -+ by the default ACL */
21420 -+ obj = chk_obj_label(filp->f_dentry, filp->f_vfsmnt, default_role->root_label);
21421 -+ if (unlikely(obj->mode & GR_WRITE))
21422 -+ tsk->is_writable = 1;
21423 -+ obj = chk_obj_label(filp->f_dentry, filp->f_vfsmnt, tsk->role->root_label);
21424 -+ if (unlikely(obj->mode & GR_WRITE))
21425 -+ tsk->is_writable = 1;
21426 -+
21427 -+#ifdef CONFIG_GRKERNSEC_ACL_DEBUG
21428 -+ printk(KERN_ALERT "Assigning special role:%s subject:%s to process (%s:%d)\n", tsk->role->rolename, tsk->acl->filename, tsk->comm, tsk->pid);
21429 -+#endif
21430 -+
21431 -+out_unlock:
21432 -+ read_unlock(&grsec_exec_file_lock);
21433 -+ read_unlock(&tasklist_lock);
21434 -+ return;
21435 -+}
21436 -+
21437 -+int gr_check_secure_terminal(struct task_struct *task)
21438 -+{
21439 -+ struct task_struct *p, *p2, *p3;
21440 -+ struct files_struct *files;
21441 -+ struct fdtable *fdt;
21442 -+ struct file *our_file = NULL, *file;
21443 -+ int i;
21444 -+
21445 -+ if (task->signal->tty == NULL)
21446 -+ return 1;
21447 -+
21448 -+ files = get_files_struct(task);
21449 -+ if (files != NULL) {
21450 -+ rcu_read_lock();
21451 -+ fdt = files_fdtable(files);
21452 -+ for (i=0; i < fdt->max_fds; i++) {
21453 -+ file = fcheck_files(files, i);
21454 -+ if (file && (our_file == NULL) && (file->private_data == task->signal->tty)) {
21455 -+ get_file(file);
21456 -+ our_file = file;
21457 -+ }
21458 -+ }
21459 -+ rcu_read_unlock();
21460 -+ put_files_struct(files);
21461 -+ }
21462 -+
21463 -+ if (our_file == NULL)
21464 -+ return 1;
21465 -+
21466 -+ read_lock(&tasklist_lock);
21467 -+ do_each_thread(p2, p) {
21468 -+ files = get_files_struct(p);
21469 -+ if (files == NULL ||
21470 -+ (p->signal && p->signal->tty == task->signal->tty)) {
21471 -+ if (files != NULL)
21472 -+ put_files_struct(files);
21473 -+ continue;
21474 -+ }
21475 -+ rcu_read_lock();
21476 -+ fdt = files_fdtable(files);
21477 -+ for (i=0; i < fdt->max_fds; i++) {
21478 -+ file = fcheck_files(files, i);
21479 -+ if (file && S_ISCHR(file->f_dentry->d_inode->i_mode) &&
21480 -+ file->f_dentry->d_inode->i_rdev == our_file->f_dentry->d_inode->i_rdev) {
21481 -+ p3 = task;
21482 -+ while (p3->pid > 0) {
21483 -+ if (p3 == p)
21484 -+ break;
21485 -+ p3 = p3->parent;
21486 -+ }
21487 -+ if (p3 == p)
21488 -+ break;
21489 -+ gr_log_ttysniff(GR_DONT_AUDIT_GOOD, GR_TTYSNIFF_ACL_MSG, p);
21490 -+ gr_handle_alertkill(p);
21491 -+ rcu_read_unlock();
21492 -+ put_files_struct(files);
21493 -+ read_unlock(&tasklist_lock);
21494 -+ fput(our_file);
21495 -+ return 0;
21496 -+ }
21497 -+ }
21498 -+ rcu_read_unlock();
21499 -+ put_files_struct(files);
21500 -+ } while_each_thread(p2, p);
21501 -+ read_unlock(&tasklist_lock);
21502 -+
21503 -+ fput(our_file);
21504 -+ return 1;
21505 -+}
21506 -+
21507 -+ssize_t
21508 -+write_grsec_handler(struct file *file, const char * buf, size_t count, loff_t *ppos)
21509 -+{
21510 -+ struct gr_arg_wrapper uwrap;
21511 -+ unsigned char *sprole_salt;
21512 -+ unsigned char *sprole_sum;
21513 -+ int error = sizeof (struct gr_arg_wrapper);
21514 -+ int error2 = 0;
21515 -+
21516 -+ down(&gr_dev_sem);
21517 -+
21518 -+ if ((gr_status & GR_READY) && !(current->acl->mode & GR_KERNELAUTH)) {
21519 -+ error = -EPERM;
21520 -+ goto out;
21521 -+ }
21522 -+
21523 -+ if (count != sizeof (struct gr_arg_wrapper)) {
21524 -+ gr_log_int_int(GR_DONT_AUDIT_GOOD, GR_DEV_ACL_MSG, (int)count, (int)sizeof(struct gr_arg_wrapper));
21525 -+ error = -EINVAL;
21526 -+ goto out;
21527 -+ }
21528 -+
21529 -+
21530 -+ if (gr_auth_expires && time_after_eq(get_seconds(), gr_auth_expires)) {
21531 -+ gr_auth_expires = 0;
21532 -+ gr_auth_attempts = 0;
21533 -+ }
21534 -+
21535 -+ if (copy_from_user(&uwrap, buf, sizeof (struct gr_arg_wrapper))) {
21536 -+ error = -EFAULT;
21537 -+ goto out;
21538 -+ }
21539 -+
21540 -+ if ((uwrap.version != GRSECURITY_VERSION) || (uwrap.size != sizeof(struct gr_arg))) {
21541 -+ error = -EINVAL;
21542 -+ goto out;
21543 -+ }
21544 -+
21545 -+ if (copy_from_user(gr_usermode, uwrap.arg, sizeof (struct gr_arg))) {
21546 -+ error = -EFAULT;
21547 -+ goto out;
21548 -+ }
21549 -+
21550 -+ if (gr_usermode->mode != SPROLE && gr_usermode->mode != SPROLEPAM &&
21551 -+ gr_auth_attempts >= CONFIG_GRKERNSEC_ACL_MAXTRIES &&
21552 -+ time_after(gr_auth_expires, get_seconds())) {
21553 -+ error = -EBUSY;
21554 -+ goto out;
21555 -+ }
21556 -+
21557 -+ /* if non-root trying to do anything other than use a special role,
21558 -+ do not attempt authentication, do not count towards authentication
21559 -+ locking
21560 -+ */
21561 -+
21562 -+ if (gr_usermode->mode != SPROLE && gr_usermode->mode != STATUS &&
21563 -+ gr_usermode->mode != UNSPROLE && gr_usermode->mode != SPROLEPAM &&
21564 -+ current->uid) {
21565 -+ error = -EPERM;
21566 -+ goto out;
21567 -+ }
21568 -+
21569 -+ /* ensure pw and special role name are null terminated */
21570 -+
21571 -+ gr_usermode->pw[GR_PW_LEN - 1] = '\0';
21572 -+ gr_usermode->sp_role[GR_SPROLE_LEN - 1] = '\0';
21573 -+
21574 -+ /* Okay.
21575 -+ * We have our enough of the argument structure..(we have yet
21576 -+ * to copy_from_user the tables themselves) . Copy the tables
21577 -+ * only if we need them, i.e. for loading operations. */
21578 -+
21579 -+ switch (gr_usermode->mode) {
21580 -+ case STATUS:
21581 -+ if (gr_status & GR_READY) {
21582 -+ error = 1;
21583 -+ if (!gr_check_secure_terminal(current))
21584 -+ error = 3;
21585 -+ } else
21586 -+ error = 2;
21587 -+ goto out;
21588 -+ case SHUTDOWN:
21589 -+ if ((gr_status & GR_READY)
21590 -+ && !(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
21591 -+ gr_status &= ~GR_READY;
21592 -+ gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SHUTS_ACL_MSG);
21593 -+ free_variables();
21594 -+ memset(gr_usermode, 0, sizeof (struct gr_arg));
21595 -+ memset(gr_system_salt, 0, GR_SALT_LEN);
21596 -+ memset(gr_system_sum, 0, GR_SHA_LEN);
21597 -+ } else if (gr_status & GR_READY) {
21598 -+ gr_log_noargs(GR_DONT_AUDIT, GR_SHUTF_ACL_MSG);
21599 -+ error = -EPERM;
21600 -+ } else {
21601 -+ gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SHUTI_ACL_MSG);
21602 -+ error = -EAGAIN;
21603 -+ }
21604 -+ break;
21605 -+ case ENABLE:
21606 -+ if (!(gr_status & GR_READY) && !(error2 = gracl_init(gr_usermode)))
21607 -+ gr_log_str(GR_DONT_AUDIT_GOOD, GR_ENABLE_ACL_MSG, GR_VERSION);
21608 -+ else {
21609 -+ if (gr_status & GR_READY)
21610 -+ error = -EAGAIN;
21611 -+ else
21612 -+ error = error2;
21613 -+ gr_log_str(GR_DONT_AUDIT, GR_ENABLEF_ACL_MSG, GR_VERSION);
21614 -+ }
21615 -+ break;
21616 -+ case RELOAD:
21617 -+ if (!(gr_status & GR_READY)) {
21618 -+ gr_log_str(GR_DONT_AUDIT_GOOD, GR_RELOADI_ACL_MSG, GR_VERSION);
21619 -+ error = -EAGAIN;
21620 -+ } else if (!(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
21621 -+ lock_kernel();
21622 -+ gr_status &= ~GR_READY;
21623 -+ free_variables();
21624 -+ if (!(error2 = gracl_init(gr_usermode))) {
21625 -+ unlock_kernel();
21626 -+ gr_log_str(GR_DONT_AUDIT_GOOD, GR_RELOAD_ACL_MSG, GR_VERSION);
21627 -+ } else {
21628 -+ unlock_kernel();
21629 -+ error = error2;
21630 -+ gr_log_str(GR_DONT_AUDIT, GR_RELOADF_ACL_MSG, GR_VERSION);
21631 -+ }
21632 -+ } else {
21633 -+ gr_log_str(GR_DONT_AUDIT, GR_RELOADF_ACL_MSG, GR_VERSION);
21634 -+ error = -EPERM;
21635 -+ }
21636 -+ break;
21637 -+ case SEGVMOD:
21638 -+ if (unlikely(!(gr_status & GR_READY))) {
21639 -+ gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SEGVMODI_ACL_MSG);
21640 -+ error = -EAGAIN;
21641 -+ break;
21642 -+ }
21643 -+
21644 -+ if (!(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
21645 -+ gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SEGVMODS_ACL_MSG);
21646 -+ if (gr_usermode->segv_device && gr_usermode->segv_inode) {
21647 -+ struct acl_subject_label *segvacl;
21648 -+ segvacl =
21649 -+ lookup_acl_subj_label(gr_usermode->segv_inode,
21650 -+ gr_usermode->segv_device,
21651 -+ current->role);
21652 -+ if (segvacl) {
21653 -+ segvacl->crashes = 0;
21654 -+ segvacl->expires = 0;
21655 -+ }
21656 -+ } else if (gr_find_uid(gr_usermode->segv_uid) >= 0) {
21657 -+ gr_remove_uid(gr_usermode->segv_uid);
21658 -+ }
21659 -+ } else {
21660 -+ gr_log_noargs(GR_DONT_AUDIT, GR_SEGVMODF_ACL_MSG);
21661 -+ error = -EPERM;
21662 -+ }
21663 -+ break;
21664 -+ case SPROLE:
21665 -+ case SPROLEPAM:
21666 -+ if (unlikely(!(gr_status & GR_READY))) {
21667 -+ gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SPROLEI_ACL_MSG);
21668 -+ error = -EAGAIN;
21669 -+ break;
21670 -+ }
21671 -+
21672 -+ if (current->role->expires && time_after_eq(get_seconds(), current->role->expires)) {
21673 -+ current->role->expires = 0;
21674 -+ current->role->auth_attempts = 0;
21675 -+ }
21676 -+
21677 -+ if (current->role->auth_attempts >= CONFIG_GRKERNSEC_ACL_MAXTRIES &&
21678 -+ time_after(current->role->expires, get_seconds())) {
21679 -+ error = -EBUSY;
21680 -+ goto out;
21681 -+ }
21682 -+
21683 -+ if (lookup_special_role_auth
21684 -+ (gr_usermode->mode, gr_usermode->sp_role, &sprole_salt, &sprole_sum)
21685 -+ && ((!sprole_salt && !sprole_sum)
21686 -+ || !(chkpw(gr_usermode, sprole_salt, sprole_sum)))) {
21687 -+ char *p = "";
21688 -+ assign_special_role(gr_usermode->sp_role);
21689 -+ read_lock(&tasklist_lock);
21690 -+ if (current->parent)
21691 -+ p = current->parent->role->rolename;
21692 -+ read_unlock(&tasklist_lock);
21693 -+ gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_SPROLES_ACL_MSG,
21694 -+ p, acl_sp_role_value);
21695 -+ } else {
21696 -+ gr_log_str(GR_DONT_AUDIT, GR_SPROLEF_ACL_MSG, gr_usermode->sp_role);
21697 -+ error = -EPERM;
21698 -+ if(!(current->role->auth_attempts++))
21699 -+ current->role->expires = get_seconds() + CONFIG_GRKERNSEC_ACL_TIMEOUT;
21700 -+
21701 -+ goto out;
21702 -+ }
21703 -+ break;
21704 -+ case UNSPROLE:
21705 -+ if (unlikely(!(gr_status & GR_READY))) {
21706 -+ gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_UNSPROLEI_ACL_MSG);
21707 -+ error = -EAGAIN;
21708 -+ break;
21709 -+ }
21710 -+
21711 -+ if (current->role->roletype & GR_ROLE_SPECIAL) {
21712 -+ char *p = "";
21713 -+ int i = 0;
21714 -+
21715 -+ read_lock(&tasklist_lock);
21716 -+ if (current->parent) {
21717 -+ p = current->parent->role->rolename;
21718 -+ i = current->parent->acl_role_id;
21719 -+ }
21720 -+ read_unlock(&tasklist_lock);
21721 -+
21722 -+ gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_UNSPROLES_ACL_MSG, p, i);
21723 -+ gr_set_acls(1);
21724 -+ } else {
21725 -+ gr_log_str(GR_DONT_AUDIT, GR_UNSPROLEF_ACL_MSG, current->role->rolename);
21726 -+ error = -EPERM;
21727 -+ goto out;
21728 -+ }
21729 -+ break;
21730 -+ default:
21731 -+ gr_log_int(GR_DONT_AUDIT, GR_INVMODE_ACL_MSG, gr_usermode->mode);
21732 -+ error = -EINVAL;
21733 -+ break;
21734 -+ }
21735 -+
21736 -+ if (error != -EPERM)
21737 -+ goto out;
21738 -+
21739 -+ if(!(gr_auth_attempts++))
21740 -+ gr_auth_expires = get_seconds() + CONFIG_GRKERNSEC_ACL_TIMEOUT;
21741 -+
21742 -+ out:
21743 -+ up(&gr_dev_sem);
21744 -+ return error;
21745 -+}
21746 -+
21747 -+int
21748 -+gr_set_acls(const int type)
21749 -+{
21750 -+ struct acl_object_label *obj;
21751 -+ struct task_struct *task, *task2;
21752 -+ struct file *filp;
21753 -+ struct acl_role_label *role = current->role;
21754 -+ __u16 acl_role_id = current->acl_role_id;
21755 -+
21756 -+ read_lock(&tasklist_lock);
21757 -+ read_lock(&grsec_exec_file_lock);
21758 -+ do_each_thread(task2, task) {
21759 -+ /* check to see if we're called from the exit handler,
21760 -+ if so, only replace ACLs that have inherited the admin
21761 -+ ACL */
21762 -+
21763 -+ if (type && (task->role != role ||
21764 -+ task->acl_role_id != acl_role_id))
21765 -+ continue;
21766 -+
21767 -+ task->acl_role_id = 0;
21768 -+ task->acl_sp_role = 0;
21769 -+
21770 -+ if ((filp = task->exec_file)) {
21771 -+ task->role = lookup_acl_role_label(task, task->uid, task->gid);
21772 -+
21773 -+ task->acl =
21774 -+ chk_subj_label(filp->f_dentry, filp->f_vfsmnt,
21775 -+ task->role);
21776 -+ if (task->acl) {
21777 -+ struct acl_subject_label *curr;
21778 -+ curr = task->acl;
21779 -+
21780 -+ task->is_writable = 0;
21781 -+ /* ignore additional mmap checks for processes that are writable
21782 -+ by the default ACL */
21783 -+ obj = chk_obj_label(filp->f_dentry, filp->f_vfsmnt, default_role->root_label);
21784 -+ if (unlikely(obj->mode & GR_WRITE))
21785 -+ task->is_writable = 1;
21786 -+ obj = chk_obj_label(filp->f_dentry, filp->f_vfsmnt, task->role->root_label);
21787 -+ if (unlikely(obj->mode & GR_WRITE))
21788 -+ task->is_writable = 1;
21789 -+
21790 -+ gr_set_proc_res(task);
21791 -+
21792 -+#ifdef CONFIG_GRKERNSEC_ACL_DEBUG
21793 -+ printk(KERN_ALERT "gr_set_acls for (%s:%d): role:%s, subject:%s\n", task->comm, task->pid, task->role->rolename, task->acl->filename);
21794 -+#endif
21795 -+ } else {
21796 -+ read_unlock(&grsec_exec_file_lock);
21797 -+ read_unlock(&tasklist_lock);
21798 -+ gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_DEFACL_MSG, task->comm, task->pid);
21799 -+ return 1;
21800 -+ }
21801 -+ } else {
21802 -+ // it's a kernel process
21803 -+ task->role = kernel_role;
21804 -+ task->acl = kernel_role->root_label;
21805 -+#ifdef CONFIG_GRKERNSEC_ACL_HIDEKERN
21806 -+ task->acl->mode &= ~GR_PROCFIND;
21807 -+#endif
21808 -+ }
21809 -+ } while_each_thread(task2, task);
21810 -+ read_unlock(&grsec_exec_file_lock);
21811 -+ read_unlock(&tasklist_lock);
21812 -+ return 0;
21813 -+}
21814 -+
21815 -+void
21816 -+gr_learn_resource(const struct task_struct *task,
21817 -+ const int res, const unsigned long wanted, const int gt)
21818 -+{
21819 -+ struct acl_subject_label *acl;
21820 -+
21821 -+ if (unlikely((gr_status & GR_READY) &&
21822 -+ task->acl && (task->acl->mode & (GR_LEARN | GR_INHERITLEARN))))
21823 -+ goto skip_reslog;
21824 -+
21825 -+#ifdef CONFIG_GRKERNSEC_RESLOG
21826 -+ gr_log_resource(task, res, wanted, gt);
21827 -+#endif
21828 -+ skip_reslog:
21829 -+
21830 -+ if (unlikely(!(gr_status & GR_READY) || !wanted))
21831 -+ return;
21832 -+
21833 -+ acl = task->acl;
21834 -+
21835 -+ if (likely(!acl || !(acl->mode & (GR_LEARN | GR_INHERITLEARN)) ||
21836 -+ !(acl->resmask & (1 << (unsigned short) res))))
21837 -+ return;
21838 -+
21839 -+ if (wanted >= acl->res[res].rlim_cur) {
21840 -+ unsigned long res_add;
21841 -+
21842 -+ res_add = wanted;
21843 -+ switch (res) {
21844 -+ case RLIMIT_CPU:
21845 -+ res_add += GR_RLIM_CPU_BUMP;
21846 -+ break;
21847 -+ case RLIMIT_FSIZE:
21848 -+ res_add += GR_RLIM_FSIZE_BUMP;
21849 -+ break;
21850 -+ case RLIMIT_DATA:
21851 -+ res_add += GR_RLIM_DATA_BUMP;
21852 -+ break;
21853 -+ case RLIMIT_STACK:
21854 -+ res_add += GR_RLIM_STACK_BUMP;
21855 -+ break;
21856 -+ case RLIMIT_CORE:
21857 -+ res_add += GR_RLIM_CORE_BUMP;
21858 -+ break;
21859 -+ case RLIMIT_RSS:
21860 -+ res_add += GR_RLIM_RSS_BUMP;
21861 -+ break;
21862 -+ case RLIMIT_NPROC:
21863 -+ res_add += GR_RLIM_NPROC_BUMP;
21864 -+ break;
21865 -+ case RLIMIT_NOFILE:
21866 -+ res_add += GR_RLIM_NOFILE_BUMP;
21867 -+ break;
21868 -+ case RLIMIT_MEMLOCK:
21869 -+ res_add += GR_RLIM_MEMLOCK_BUMP;
21870 -+ break;
21871 -+ case RLIMIT_AS:
21872 -+ res_add += GR_RLIM_AS_BUMP;
21873 -+ break;
21874 -+ case RLIMIT_LOCKS:
21875 -+ res_add += GR_RLIM_LOCKS_BUMP;
21876 -+ break;
21877 -+ }
21878 -+
21879 -+ acl->res[res].rlim_cur = res_add;
21880 -+
21881 -+ if (wanted > acl->res[res].rlim_max)
21882 -+ acl->res[res].rlim_max = res_add;
21883 -+
21884 -+ security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename,
21885 -+ task->role->roletype, acl->filename,
21886 -+ acl->res[res].rlim_cur, acl->res[res].rlim_max,
21887 -+ "", (unsigned long) res);
21888 -+ }
21889 -+
21890 -+ return;
21891 -+}
21892 -+
21893 -+#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
21894 -+void
21895 -+pax_set_initial_flags(struct linux_binprm *bprm)
21896 -+{
21897 -+ struct task_struct *task = current;
21898 -+ struct acl_subject_label *proc;
21899 -+ unsigned long flags;
21900 -+
21901 -+ if (unlikely(!(gr_status & GR_READY)))
21902 -+ return;
21903 -+
21904 -+ flags = pax_get_flags(task);
21905 -+
21906 -+ proc = task->acl;
21907 -+
21908 -+ if (proc->pax_flags & GR_PAX_DISABLE_PAGEEXEC)
21909 -+ flags &= ~MF_PAX_PAGEEXEC;
21910 -+ if (proc->pax_flags & GR_PAX_DISABLE_SEGMEXEC)
21911 -+ flags &= ~MF_PAX_SEGMEXEC;
21912 -+ if (proc->pax_flags & GR_PAX_DISABLE_RANDMMAP)
21913 -+ flags &= ~MF_PAX_RANDMMAP;
21914 -+ if (proc->pax_flags & GR_PAX_DISABLE_EMUTRAMP)
21915 -+ flags &= ~MF_PAX_EMUTRAMP;
21916 -+ if (proc->pax_flags & GR_PAX_DISABLE_MPROTECT)
21917 -+ flags &= ~MF_PAX_MPROTECT;
21918 -+
21919 -+ if (proc->pax_flags & GR_PAX_ENABLE_PAGEEXEC)
21920 -+ flags |= MF_PAX_PAGEEXEC;
21921 -+ if (proc->pax_flags & GR_PAX_ENABLE_SEGMEXEC)
21922 -+ flags |= MF_PAX_SEGMEXEC;
21923 -+ if (proc->pax_flags & GR_PAX_ENABLE_RANDMMAP)
21924 -+ flags |= MF_PAX_RANDMMAP;
21925 -+ if (proc->pax_flags & GR_PAX_ENABLE_EMUTRAMP)
21926 -+ flags |= MF_PAX_EMUTRAMP;
21927 -+ if (proc->pax_flags & GR_PAX_ENABLE_MPROTECT)
21928 -+ flags |= MF_PAX_MPROTECT;
21929 -+
21930 -+ pax_set_flags(task, flags);
21931 -+
21932 -+ return;
21933 -+}
21934 -+#endif
21935 -+
21936 -+#ifdef CONFIG_SYSCTL
21937 -+/* Eric Biederman likes breaking userland ABI and every inode-based security
21938 -+ system to save 35kb of memory */
21939 -+
21940 -+/* we modify the passed in filename, but adjust it back before returning */
21941 -+static struct acl_object_label *gr_lookup_by_name(char *name, unsigned int len)
21942 -+{
21943 -+ struct name_entry *nmatch;
21944 -+ char *p, *lastp = NULL;
21945 -+ struct acl_object_label *obj = NULL, *tmp;
21946 -+ struct acl_subject_label *tmpsubj;
21947 -+ char c = '\0';
21948 -+
21949 -+ read_lock(&gr_inode_lock);
21950 -+
21951 -+ p = name + len - 1;
21952 -+ do {
21953 -+ nmatch = lookup_name_entry(name);
21954 -+ if (lastp != NULL)
21955 -+ *lastp = c;
21956 -+
21957 -+ if (nmatch == NULL)
21958 -+ goto next_component;
21959 -+ tmpsubj = current->acl;
21960 -+ do {
21961 -+ obj = lookup_acl_obj_label(nmatch->inode, nmatch->device, tmpsubj);
21962 -+ if (obj != NULL) {
21963 -+ tmp = obj->globbed;
21964 -+ while (tmp) {
21965 -+ if (!glob_match(tmp->filename, name)) {
21966 -+ obj = tmp;
21967 -+ goto found_obj;
21968 -+ }
21969 -+ tmp = tmp->next;
21970 -+ }
21971 -+ goto found_obj;
21972 -+ }
21973 -+ } while ((tmpsubj = tmpsubj->parent_subject));
21974 -+next_component:
21975 -+ /* end case */
21976 -+ if (p == name)
21977 -+ break;
21978 -+
21979 -+ while (*p != '/')
21980 -+ p--;
21981 -+ if (p == name)
21982 -+ lastp = p + 1;
21983 -+ else {
21984 -+ lastp = p;
21985 -+ p--;
21986 -+ }
21987 -+ c = *lastp;
21988 -+ *lastp = '\0';
21989 -+ } while (1);
21990 -+found_obj:
21991 -+ read_unlock(&gr_inode_lock);
21992 -+ /* obj returned will always be non-null */
21993 -+ return obj;
21994 -+}
21995 -+
21996 -+/* returns 0 when allowing, non-zero on error
21997 -+ op of 0 is used for readdir, so we don't log the names of hidden files
21998 -+*/
21999 -+__u32
22000 -+gr_handle_sysctl(const struct ctl_table *table, const int op)
22001 -+{
22002 -+ ctl_table *tmp;
22003 -+ const char *proc_sys = "/proc/sys";
22004 -+ char *path;
22005 -+ struct acl_object_label *obj;
22006 -+ unsigned short len = 0, pos = 0, depth = 0, i;
22007 -+ __u32 err = 0;
22008 -+ __u32 mode = 0;
22009 -+
22010 -+ if (unlikely(!(gr_status & GR_READY)))
22011 -+ return 0;
22012 -+
22013 -+ /* for now, ignore operations on non-sysctl entries if it's not a
22014 -+ readdir*/
22015 -+ if (table->child != NULL && op != 0)
22016 -+ return 0;
22017 -+
22018 -+ mode |= GR_FIND;
22019 -+ /* it's only a read if it's an entry, read on dirs is for readdir */
22020 -+ if (op & 004)
22021 -+ mode |= GR_READ;
22022 -+ if (op & 002)
22023 -+ mode |= GR_WRITE;
22024 -+
22025 -+ preempt_disable();
22026 -+
22027 -+ path = per_cpu_ptr(gr_shared_page[0], smp_processor_id());
22028 -+
22029 -+ /* it's only a read/write if it's an actual entry, not a dir
22030 -+ (which are opened for readdir)
22031 -+ */
22032 -+
22033 -+ /* convert the requested sysctl entry into a pathname */
22034 -+
22035 -+ for (tmp = (ctl_table *)table; tmp != NULL; tmp = tmp->parent) {
22036 -+ len += strlen(tmp->procname);
22037 -+ len++;
22038 -+ depth++;
22039 -+ }
22040 -+
22041 -+ if ((len + depth + strlen(proc_sys) + 1) > PAGE_SIZE) {
22042 -+ /* deny */
22043 -+ goto out;
22044 -+ }
22045 -+
22046 -+ memset(path, 0, PAGE_SIZE);
22047 -+
22048 -+ memcpy(path, proc_sys, strlen(proc_sys));
22049 -+
22050 -+ pos += strlen(proc_sys);
22051 -+
22052 -+ for (; depth > 0; depth--) {
22053 -+ path[pos] = '/';
22054 -+ pos++;
22055 -+ for (i = 1, tmp = (ctl_table *)table; tmp != NULL; tmp = tmp->parent) {
22056 -+ if (depth == i) {
22057 -+ memcpy(path + pos, tmp->procname,
22058 -+ strlen(tmp->procname));
22059 -+ pos += strlen(tmp->procname);
22060 -+ }
22061 -+ i++;
22062 -+ }
22063 -+ }
22064 -+
22065 -+ obj = gr_lookup_by_name(path, pos);
22066 -+ err = obj->mode & (mode | to_gr_audit(mode) | GR_SUPPRESS);
22067 -+
22068 -+ if (unlikely((current->acl->mode & (GR_LEARN | GR_INHERITLEARN)) &&
22069 -+ ((err & mode) != mode))) {
22070 -+ __u32 new_mode = mode;
22071 -+
22072 -+ new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
22073 -+
22074 -+ err = 0;
22075 -+ gr_log_learn_sysctl(current, path, new_mode);
22076 -+ } else if (!(err & GR_FIND) && !(err & GR_SUPPRESS) && op != 0) {
22077 -+ gr_log_hidden_sysctl(GR_DONT_AUDIT, GR_HIDDEN_ACL_MSG, path);
22078 -+ err = -ENOENT;
22079 -+ } else if (!(err & GR_FIND)) {
22080 -+ err = -ENOENT;
22081 -+ } else if (((err & mode) & ~GR_FIND) != (mode & ~GR_FIND) && !(err & GR_SUPPRESS)) {
22082 -+ gr_log_str4(GR_DONT_AUDIT, GR_SYSCTL_ACL_MSG, "denied",
22083 -+ path, (mode & GR_READ) ? " reading" : "",
22084 -+ (mode & GR_WRITE) ? " writing" : "");
22085 -+ err = -EACCES;
22086 -+ } else if ((err & mode) != mode) {
22087 -+ err = -EACCES;
22088 -+ } else if ((((err & mode) & ~GR_FIND) == (mode & ~GR_FIND)) && (err & GR_AUDITS)) {
22089 -+ gr_log_str4(GR_DO_AUDIT, GR_SYSCTL_ACL_MSG, "successful",
22090 -+ path, (mode & GR_READ) ? " reading" : "",
22091 -+ (mode & GR_WRITE) ? " writing" : "");
22092 -+ err = 0;
22093 -+ } else
22094 -+ err = 0;
22095 -+
22096 -+ out:
22097 -+ preempt_enable();
22098 -+
22099 -+ return err;
22100 -+}
22101 -+#endif
22102 -+
22103 -+int
22104 -+gr_handle_proc_ptrace(struct task_struct *task)
22105 -+{
22106 -+ struct file *filp;
22107 -+ struct task_struct *tmp = task;
22108 -+ struct task_struct *curtemp = current;
22109 -+ __u32 retmode;
22110 -+
22111 -+ if (unlikely(!(gr_status & GR_READY)))
22112 -+ return 0;
22113 -+
22114 -+ read_lock(&tasklist_lock);
22115 -+ read_lock(&grsec_exec_file_lock);
22116 -+ filp = task->exec_file;
22117 -+
22118 -+ while (tmp->pid > 0) {
22119 -+ if (tmp == curtemp)
22120 -+ break;
22121 -+ tmp = tmp->parent;
22122 -+ }
22123 -+
22124 -+ if (!filp || (tmp->pid == 0 && !(current->acl->mode & GR_RELAXPTRACE))) {
22125 -+ read_unlock(&grsec_exec_file_lock);
22126 -+ read_unlock(&tasklist_lock);
22127 -+ return 1;
22128 -+ }
22129 -+
22130 -+ retmode = gr_search_file(filp->f_dentry, GR_NOPTRACE, filp->f_vfsmnt);
22131 -+ read_unlock(&grsec_exec_file_lock);
22132 -+ read_unlock(&tasklist_lock);
22133 -+
22134 -+ if (retmode & GR_NOPTRACE)
22135 -+ return 1;
22136 -+
22137 -+ if (!(current->acl->mode & GR_POVERRIDE) && !(current->role->roletype & GR_ROLE_GOD)
22138 -+ && (current->acl != task->acl || (current->acl != current->role->root_label
22139 -+ && current->pid != task->pid)))
22140 -+ return 1;
22141 -+
22142 -+ return 0;
22143 -+}
22144 -+
22145 -+int
22146 -+gr_handle_ptrace(struct task_struct *task, const long request)
22147 -+{
22148 -+ struct task_struct *tmp = task;
22149 -+ struct task_struct *curtemp = current;
22150 -+ __u32 retmode;
22151 -+
22152 -+ if (unlikely(!(gr_status & GR_READY)))
22153 -+ return 0;
22154 -+
22155 -+ read_lock(&tasklist_lock);
22156 -+ while (tmp->pid > 0) {
22157 -+ if (tmp == curtemp)
22158 -+ break;
22159 -+ tmp = tmp->parent;
22160 -+ }
22161 -+
22162 -+ if (tmp->pid == 0 && !(current->acl->mode & GR_RELAXPTRACE)) {
22163 -+ read_unlock(&tasklist_lock);
22164 -+ gr_log_ptrace(GR_DONT_AUDIT, GR_PTRACE_ACL_MSG, task);
22165 -+ return 1;
22166 -+ }
22167 -+ read_unlock(&tasklist_lock);
22168 -+
22169 -+ read_lock(&grsec_exec_file_lock);
22170 -+ if (unlikely(!task->exec_file)) {
22171 -+ read_unlock(&grsec_exec_file_lock);
22172 -+ return 0;
22173 -+ }
22174 -+
22175 -+ retmode = gr_search_file(task->exec_file->f_dentry, GR_PTRACERD | GR_NOPTRACE, task->exec_file->f_vfsmnt);
22176 -+ read_unlock(&grsec_exec_file_lock);
22177 -+
22178 -+ if (retmode & GR_NOPTRACE) {
22179 -+ gr_log_ptrace(GR_DONT_AUDIT, GR_PTRACE_ACL_MSG, task);
22180 -+ return 1;
22181 -+ }
22182 -+
22183 -+ if (retmode & GR_PTRACERD) {
22184 -+ switch (request) {
22185 -+ case PTRACE_POKETEXT:
22186 -+ case PTRACE_POKEDATA:
22187 -+ case PTRACE_POKEUSR:
22188 -+#if !defined(CONFIG_PPC32) && !defined(CONFIG_PPC64) && !defined(CONFIG_PARISC) && !defined(CONFIG_ALPHA) && !defined(CONFIG_IA64)
22189 -+ case PTRACE_SETREGS:
22190 -+ case PTRACE_SETFPREGS:
22191 -+#endif
22192 -+#ifdef CONFIG_X86
22193 -+ case PTRACE_SETFPXREGS:
22194 -+#endif
22195 -+#ifdef CONFIG_ALTIVEC
22196 -+ case PTRACE_SETVRREGS:
22197 -+#endif
22198 -+ return 1;
22199 -+ default:
22200 -+ return 0;
22201 -+ }
22202 -+ } else if (!(current->acl->mode & GR_POVERRIDE) &&
22203 -+ !(current->role->roletype & GR_ROLE_GOD) &&
22204 -+ (current->acl != task->acl)) {
22205 -+ gr_log_ptrace(GR_DONT_AUDIT, GR_PTRACE_ACL_MSG, task);
22206 -+ return 1;
22207 -+ }
22208 -+
22209 -+ return 0;
22210 -+}
22211 -+
22212 -+static int is_writable_mmap(const struct file *filp)
22213 -+{
22214 -+ struct task_struct *task = current;
22215 -+ struct acl_object_label *obj, *obj2;
22216 -+
22217 -+ if (gr_status & GR_READY && !(task->acl->mode & GR_OVERRIDE) &&
22218 -+ !task->is_writable && S_ISREG(filp->f_dentry->d_inode->i_mode)) {
22219 -+ obj = chk_obj_label(filp->f_dentry, filp->f_vfsmnt, default_role->root_label);
22220 -+ obj2 = chk_obj_label(filp->f_dentry, filp->f_vfsmnt,
22221 -+ task->role->root_label);
22222 -+ if (unlikely((obj->mode & GR_WRITE) || (obj2->mode & GR_WRITE))) {
22223 -+ gr_log_fs_generic(GR_DONT_AUDIT, GR_WRITLIB_ACL_MSG, filp->f_dentry, filp->f_vfsmnt);
22224 -+ return 1;
22225 -+ }
22226 -+ }
22227 -+ return 0;
22228 -+}
22229 -+
22230 -+int
22231 -+gr_acl_handle_mmap(const struct file *file, const unsigned long prot)
22232 -+{
22233 -+ __u32 mode;
22234 -+
22235 -+ if (unlikely(!file || !(prot & PROT_EXEC)))
22236 -+ return 1;
22237 -+
22238 -+ if (is_writable_mmap(file))
22239 -+ return 0;
22240 -+
22241 -+ mode =
22242 -+ gr_search_file(file->f_dentry,
22243 -+ GR_EXEC | GR_AUDIT_EXEC | GR_SUPPRESS,
22244 -+ file->f_vfsmnt);
22245 -+
22246 -+ if (!gr_tpe_allow(file))
22247 -+ return 0;
22248 -+
22249 -+ if (unlikely(!(mode & GR_EXEC) && !(mode & GR_SUPPRESS))) {
22250 -+ gr_log_fs_rbac_generic(GR_DONT_AUDIT, GR_MMAP_ACL_MSG, file->f_dentry, file->f_vfsmnt);
22251 -+ return 0;
22252 -+ } else if (unlikely(!(mode & GR_EXEC))) {
22253 -+ return 0;
22254 -+ } else if (unlikely(mode & GR_EXEC && mode & GR_AUDIT_EXEC)) {
22255 -+ gr_log_fs_rbac_generic(GR_DO_AUDIT, GR_MMAP_ACL_MSG, file->f_dentry, file->f_vfsmnt);
22256 -+ return 1;
22257 -+ }
22258 -+
22259 -+ return 1;
22260 -+}
22261 -+
22262 -+int
22263 -+gr_acl_handle_mprotect(const struct file *file, const unsigned long prot)
22264 -+{
22265 -+ __u32 mode;
22266 -+
22267 -+ if (unlikely(!file || !(prot & PROT_EXEC)))
22268 -+ return 1;
22269 -+
22270 -+ if (is_writable_mmap(file))
22271 -+ return 0;
22272 -+
22273 -+ mode =
22274 -+ gr_search_file(file->f_dentry,
22275 -+ GR_EXEC | GR_AUDIT_EXEC | GR_SUPPRESS,
22276 -+ file->f_vfsmnt);
22277 -+
22278 -+ if (!gr_tpe_allow(file))
22279 -+ return 0;
22280 -+
22281 -+ if (unlikely(!(mode & GR_EXEC) && !(mode & GR_SUPPRESS))) {
22282 -+ gr_log_fs_rbac_generic(GR_DONT_AUDIT, GR_MPROTECT_ACL_MSG, file->f_dentry, file->f_vfsmnt);
22283 -+ return 0;
22284 -+ } else if (unlikely(!(mode & GR_EXEC))) {
22285 -+ return 0;
22286 -+ } else if (unlikely(mode & GR_EXEC && mode & GR_AUDIT_EXEC)) {
22287 -+ gr_log_fs_rbac_generic(GR_DO_AUDIT, GR_MPROTECT_ACL_MSG, file->f_dentry, file->f_vfsmnt);
22288 -+ return 1;
22289 -+ }
22290 -+
22291 -+ return 1;
22292 -+}
22293 -+
22294 -+void
22295 -+gr_acl_handle_psacct(struct task_struct *task, const long code)
22296 -+{
22297 -+ unsigned long runtime;
22298 -+ unsigned long cputime;
22299 -+ unsigned int wday, cday;
22300 -+ __u8 whr, chr;
22301 -+ __u8 wmin, cmin;
22302 -+ __u8 wsec, csec;
22303 -+ struct timespec timeval;
22304 -+
22305 -+ if (unlikely(!(gr_status & GR_READY) || !task->acl ||
22306 -+ !(task->acl->mode & GR_PROCACCT)))
22307 -+ return;
22308 -+
22309 -+ do_posix_clock_monotonic_gettime(&timeval);
22310 -+ runtime = timeval.tv_sec - task->start_time.tv_sec;
22311 -+ wday = runtime / (3600 * 24);
22312 -+ runtime -= wday * (3600 * 24);
22313 -+ whr = runtime / 3600;
22314 -+ runtime -= whr * 3600;
22315 -+ wmin = runtime / 60;
22316 -+ runtime -= wmin * 60;
22317 -+ wsec = runtime;
22318 -+
22319 -+ cputime = (task->utime + task->stime) / HZ;
22320 -+ cday = cputime / (3600 * 24);
22321 -+ cputime -= cday * (3600 * 24);
22322 -+ chr = cputime / 3600;
22323 -+ cputime -= chr * 3600;
22324 -+ cmin = cputime / 60;
22325 -+ cputime -= cmin * 60;
22326 -+ csec = cputime;
22327 -+
22328 -+ gr_log_procacct(GR_DO_AUDIT, GR_ACL_PROCACCT_MSG, task, wday, whr, wmin, wsec, cday, chr, cmin, csec, code);
22329 -+
22330 -+ return;
22331 -+}
22332 -+
22333 -+void gr_set_kernel_label(struct task_struct *task)
22334 -+{
22335 -+ if (gr_status & GR_READY) {
22336 -+ task->role = kernel_role;
22337 -+ task->acl = kernel_role->root_label;
22338 -+ }
22339 -+ return;
22340 -+}
22341 -+
22342 -+int gr_acl_handle_filldir(const struct file *file, const char *name, const unsigned int namelen, const ino_t ino)
22343 -+{
22344 -+ struct task_struct *task = current;
22345 -+ struct dentry *dentry = file->f_dentry;
22346 -+ struct vfsmount *mnt = file->f_vfsmnt;
22347 -+ struct acl_object_label *obj, *tmp;
22348 -+ struct acl_subject_label *subj;
22349 -+ unsigned int bufsize;
22350 -+ int is_not_root;
22351 -+ char *path;
22352 -+
22353 -+ if (unlikely(!(gr_status & GR_READY)))
22354 -+ return 1;
22355 -+
22356 -+ if (task->acl->mode & (GR_LEARN | GR_INHERITLEARN))
22357 -+ return 1;
22358 -+
22359 -+ /* ignore Eric Biederman */
22360 -+ if (IS_PRIVATE(dentry->d_inode))
22361 -+ return 1;
22362 -+
22363 -+ subj = task->acl;
22364 -+ do {
22365 -+ obj = lookup_acl_obj_label(ino, dentry->d_inode->i_sb->s_dev, subj);
22366 -+ if (obj != NULL)
22367 -+ return (obj->mode & GR_FIND) ? 1 : 0;
22368 -+ } while ((subj = subj->parent_subject));
22369 -+
22370 -+ obj = chk_obj_label(dentry, mnt, task->acl);
22371 -+ if (obj->globbed == NULL)
22372 -+ return (obj->mode & GR_FIND) ? 1 : 0;
22373 -+
22374 -+ is_not_root = ((obj->filename[0] == '/') &&
22375 -+ (obj->filename[1] == '\0')) ? 0 : 1;
22376 -+ bufsize = PAGE_SIZE - namelen - is_not_root;
22377 -+
22378 -+ /* check bufsize > PAGE_SIZE || bufsize == 0 */
22379 -+ if (unlikely((bufsize - 1) > (PAGE_SIZE - 1)))
22380 -+ return 1;
22381 -+
22382 -+ preempt_disable();
22383 -+ path = d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0], smp_processor_id()),
22384 -+ bufsize);
22385 -+
22386 -+ bufsize = strlen(path);
22387 -+
22388 -+ /* if base is "/", don't append an additional slash */
22389 -+ if (is_not_root)
22390 -+ *(path + bufsize) = '/';
22391 -+ memcpy(path + bufsize + is_not_root, name, namelen);
22392 -+ *(path + bufsize + namelen + is_not_root) = '\0';
22393 -+
22394 -+ tmp = obj->globbed;
22395 -+ while (tmp) {
22396 -+ if (!glob_match(tmp->filename, path)) {
22397 -+ preempt_enable();
22398 -+ return (tmp->mode & GR_FIND) ? 1 : 0;
22399 -+ }
22400 -+ tmp = tmp->next;
22401 -+ }
22402 -+ preempt_enable();
22403 -+ return (obj->mode & GR_FIND) ? 1 : 0;
22404 -+}
22405 -+
22406 -+EXPORT_SYMBOL(gr_learn_resource);
22407 -+EXPORT_SYMBOL(gr_set_kernel_label);
22408 -+#ifdef CONFIG_SECURITY
22409 -+EXPORT_SYMBOL(gr_check_user_change);
22410 -+EXPORT_SYMBOL(gr_check_group_change);
22411 -+#endif
22412 -+
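Review bot: in gr_acl_handle_filldir() the object returned by chk_obj_label() is dereferenced (`obj->globbed`, `obj->mode`) with no NULL check, while the lookup_acl_obj_label() loop just above does test `obj != NULL`; if chk_obj_label() is guaranteed to return a default object, document that invariant at the call, otherwise add the same guard. The `/* ignore Eric Biederman */` comment on the IS_PRIVATE() check should state the real reason the inode is skipped (a private inode has no path the policy could match) rather than a person's name. The guard `if (unlikely((bufsize - 1) > (PAGE_SIZE - 1)))` depends on unsigned wrap-around to catch both `bufsize == 0` and `namelen + is_not_root > PAGE_SIZE`; checking `namelen + is_not_root >= PAGE_SIZE` before computing bufsize is equivalent and makes the bound being enforced obvious to the reader, which matters since `memcpy(path + bufsize + is_not_root, name, namelen)` writes into a shared per-cpu page.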
22413 -diff -urNp linux-2.6.24.4/grsecurity/gracl_cap.c linux-2.6.24.4/grsecurity/gracl_cap.c
22414 ---- linux-2.6.24.4/grsecurity/gracl_cap.c 1969-12-31 19:00:00.000000000 -0500
22415 -+++ linux-2.6.24.4/grsecurity/gracl_cap.c 2008-03-26 17:56:56.000000000 -0400
22416 -@@ -0,0 +1,112 @@
22417 -+#include <linux/kernel.h>
22418 -+#include <linux/module.h>
22419 -+#include <linux/sched.h>
22420 -+#include <linux/capability.h>
22421 -+#include <linux/gracl.h>
22422 -+#include <linux/grsecurity.h>
22423 -+#include <linux/grinternal.h>
22424 -+
22425 -+static const char *captab_log[] = {
22426 -+ "CAP_CHOWN",
22427 -+ "CAP_DAC_OVERRIDE",
22428 -+ "CAP_DAC_READ_SEARCH",
22429 -+ "CAP_FOWNER",
22430 -+ "CAP_FSETID",
22431 -+ "CAP_KILL",
22432 -+ "CAP_SETGID",
22433 -+ "CAP_SETUID",
22434 -+ "CAP_SETPCAP",
22435 -+ "CAP_LINUX_IMMUTABLE",
22436 -+ "CAP_NET_BIND_SERVICE",
22437 -+ "CAP_NET_BROADCAST",
22438 -+ "CAP_NET_ADMIN",
22439 -+ "CAP_NET_RAW",
22440 -+ "CAP_IPC_LOCK",
22441 -+ "CAP_IPC_OWNER",
22442 -+ "CAP_SYS_MODULE",
22443 -+ "CAP_SYS_RAWIO",
22444 -+ "CAP_SYS_CHROOT",
22445 -+ "CAP_SYS_PTRACE",
22446 -+ "CAP_SYS_PACCT",
22447 -+ "CAP_SYS_ADMIN",
22448 -+ "CAP_SYS_BOOT",
22449 -+ "CAP_SYS_NICE",
22450 -+ "CAP_SYS_RESOURCE",
22451 -+ "CAP_SYS_TIME",
22452 -+ "CAP_SYS_TTY_CONFIG",
22453 -+ "CAP_MKNOD",
22454 -+ "CAP_LEASE",
22455 -+ "CAP_AUDIT_WRITE",
22456 -+ "CAP_AUDIT_CONTROL"
22457 -+};
22458 -+
22459 -+EXPORT_SYMBOL(gr_task_is_capable);
22460 -+EXPORT_SYMBOL(gr_is_capable_nolog);
22461 -+
22462 -+int
22463 -+gr_task_is_capable(struct task_struct *task, const int cap)
22464 -+{
22465 -+ struct acl_subject_label *curracl;
22466 -+ __u32 cap_drop = 0, cap_mask = 0;
22467 -+
22468 -+ if (!gr_acl_is_enabled())
22469 -+ return 1;
22470 -+
22471 -+ curracl = task->acl;
22472 -+
22473 -+ cap_drop = curracl->cap_lower;
22474 -+ cap_mask = curracl->cap_mask;
22475 -+
22476 -+ while ((curracl = curracl->parent_subject)) {
22477 -+ if (!(cap_mask & (1 << cap)) && (curracl->cap_mask & (1 << cap)))
22478 -+ cap_drop |= curracl->cap_lower & (1 << cap);
22479 -+ cap_mask |= curracl->cap_mask;
22480 -+ }
22481 -+
22482 -+ if (!cap_raised(cap_drop, cap))
22483 -+ return 1;
22484 -+
22485 -+ curracl = task->acl;
22486 -+
22487 -+ if ((curracl->mode & (GR_LEARN | GR_INHERITLEARN))
22488 -+ && cap_raised(task->cap_effective, cap)) {
22489 -+ security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename,
22490 -+ task->role->roletype, task->uid,
22491 -+ task->gid, task->exec_file ?
22492 -+ gr_to_filename(task->exec_file->f_dentry,
22493 -+ task->exec_file->f_vfsmnt) : curracl->filename,
22494 -+ curracl->filename, 0UL,
22495 -+ 0UL, "", (unsigned long) cap, NIPQUAD(task->signal->curr_ip));
22496 -+ return 1;
22497 -+ }
22498 -+
22499 -+ if ((cap >= 0) && (cap < (sizeof(captab_log)/sizeof(captab_log[0]))) && cap_raised(task->cap_effective, cap))
22500 -+ gr_log_cap(GR_DONT_AUDIT, GR_CAP_ACL_MSG, task, captab_log[cap]);
22501 -+ return 0;
22502 -+}
22503 -+
22504 -+int
22505 -+gr_is_capable_nolog(const int cap)
22506 -+{
22507 -+ struct acl_subject_label *curracl;
22508 -+ __u32 cap_drop = 0, cap_mask = 0;
22509 -+
22510 -+ if (!gr_acl_is_enabled())
22511 -+ return 1;
22512 -+
22513 -+ curracl = current->acl;
22514 -+
22515 -+ cap_drop = curracl->cap_lower;
22516 -+ cap_mask = curracl->cap_mask;
22517 -+
22518 -+ while ((curracl = curracl->parent_subject)) {
22519 -+ cap_drop |= curracl->cap_lower & (cap_mask & ~curracl->cap_mask);
22520 -+ cap_mask |= curracl->cap_mask;
22521 -+ }
22522 -+
22523 -+ if (!cap_raised(cap_drop, cap))
22524 -+ return 1;
22525 -+
22526 -+ return 0;
22527 -+}
22528 -+
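Review bot: the parent-subject loops in gr_task_is_capable() and gr_is_capable_nolog() compute cap_drop from opposite masks. gr_task_is_capable() adds a parent's lowered bit only when `!(cap_mask & (1 << cap)) && (curracl->cap_mask & (1 << cap))`, i.e. the capability is not yet covered by a child mask but is covered by the parent's mask; gr_is_capable_nolog() instead uses `curracl->cap_lower & (cap_mask & ~curracl->cap_mask)`, which selects bits already covered by the accumulated mask and not in the parent's mask. One of the two is inverted (the first reads as the intended semantics), so the logged and unlogged checks can disagree on whether a capability is dropped; factor the walk into one shared helper so both callers use the same rule. Secondary: `1 << cap` and cap_raised() are evaluated before the `cap >= 0 && cap < ARRAY_SIZE(captab_log)` range check at the end of gr_task_is_capable(), so a caller passing an out-of-range cap shifts by more than the width of __u32 before it is rejected; move the range check to the top of both functions. The open-coded `sizeof(captab_log)/sizeof(captab_log[0])` could also be ARRAY_SIZE(captab_log).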
22529 -diff -urNp linux-2.6.24.4/grsecurity/gracl_fs.c linux-2.6.24.4/grsecurity/gracl_fs.c
22530 ---- linux-2.6.24.4/grsecurity/gracl_fs.c 1969-12-31 19:00:00.000000000 -0500
22531 -+++ linux-2.6.24.4/grsecurity/gracl_fs.c 2008-03-26 18:14:13.000000000 -0400
22532 -@@ -0,0 +1,423 @@
22533 -+#include <linux/kernel.h>
22534 -+#include <linux/sched.h>
22535 -+#include <linux/types.h>
22536 -+#include <linux/fs.h>
22537 -+#include <linux/file.h>
22538 -+#include <linux/stat.h>
22539 -+#include <linux/grsecurity.h>
22540 -+#include <linux/grinternal.h>
22541 -+#include <linux/gracl.h>
22542 -+
22543 -+__u32
22544 -+gr_acl_handle_hidden_file(const struct dentry * dentry,
22545 -+ const struct vfsmount * mnt)
22546 -+{
22547 -+ __u32 mode;
22548 -+
22549 -+ if (unlikely(!dentry->d_inode))
22550 -+ return GR_FIND;
22551 -+
22552 -+ mode =
22553 -+ gr_search_file(dentry, GR_FIND | GR_AUDIT_FIND | GR_SUPPRESS, mnt);
22554 -+
22555 -+ if (unlikely(mode & GR_FIND && mode & GR_AUDIT_FIND)) {
22556 -+ gr_log_fs_rbac_generic(GR_DO_AUDIT, GR_HIDDEN_ACL_MSG, dentry, mnt);
22557 -+ return mode;
22558 -+ } else if (unlikely(!(mode & GR_FIND) && !(mode & GR_SUPPRESS))) {
22559 -+ gr_log_fs_rbac_generic(GR_DONT_AUDIT, GR_HIDDEN_ACL_MSG, dentry, mnt);
22560 -+ return 0;
22561 -+ } else if (unlikely(!(mode & GR_FIND)))
22562 -+ return 0;
22563 -+
22564 -+ return GR_FIND;
22565 -+}
22566 -+
22567 -+__u32
22568 -+gr_acl_handle_open(const struct dentry * dentry, const struct vfsmount * mnt,
22569 -+ const int fmode)
22570 -+{
22571 -+ __u32 reqmode = GR_FIND;
22572 -+ __u32 mode;
22573 -+
22574 -+ if (unlikely(!dentry->d_inode))
22575 -+ return reqmode;
22576 -+
22577 -+ if (unlikely(fmode & O_APPEND))
22578 -+ reqmode |= GR_APPEND;
22579 -+ else if (unlikely(fmode & FMODE_WRITE))
22580 -+ reqmode |= GR_WRITE;
22581 -+ if (likely((fmode & FMODE_READ) && !(fmode & O_DIRECTORY)))
22582 -+ reqmode |= GR_READ;
22583 -+
22584 -+ mode =
22585 -+ gr_search_file(dentry, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS,
22586 -+ mnt);
22587 -+
22588 -+ if (unlikely(((mode & reqmode) == reqmode) && mode & GR_AUDITS)) {
22589 -+ gr_log_fs_rbac_mode2(GR_DO_AUDIT, GR_OPEN_ACL_MSG, dentry, mnt,
22590 -+ reqmode & GR_READ ? " reading" : "",
22591 -+ reqmode & GR_WRITE ? " writing" : reqmode &
22592 -+ GR_APPEND ? " appending" : "");
22593 -+ return reqmode;
22594 -+ } else
22595 -+ if (unlikely((mode & reqmode) != reqmode && !(mode & GR_SUPPRESS)))
22596 -+ {
22597 -+ gr_log_fs_rbac_mode2(GR_DONT_AUDIT, GR_OPEN_ACL_MSG, dentry, mnt,
22598 -+ reqmode & GR_READ ? " reading" : "",
22599 -+ reqmode & GR_WRITE ? " writing" : reqmode &
22600 -+ GR_APPEND ? " appending" : "");
22601 -+ return 0;
22602 -+ } else if (unlikely((mode & reqmode) != reqmode))
22603 -+ return 0;
22604 -+
22605 -+ return reqmode;
22606 -+}
22607 -+
22608 -+__u32
22609 -+gr_acl_handle_creat(const struct dentry * dentry,
22610 -+ const struct dentry * p_dentry,
22611 -+ const struct vfsmount * p_mnt, const int fmode,
22612 -+ const int imode)
22613 -+{
22614 -+ __u32 reqmode = GR_WRITE | GR_CREATE;
22615 -+ __u32 mode;
22616 -+
22617 -+ if (unlikely(fmode & O_APPEND))
22618 -+ reqmode |= GR_APPEND;
22619 -+ if (unlikely((fmode & FMODE_READ) && !(fmode & O_DIRECTORY)))
22620 -+ reqmode |= GR_READ;
22621 -+ if (unlikely((fmode & O_CREAT) && (imode & (S_ISUID | S_ISGID))))
22622 -+ reqmode |= GR_SETID;
22623 -+
22624 -+ mode =
22625 -+ gr_check_create(dentry, p_dentry, p_mnt,
22626 -+ reqmode | to_gr_audit(reqmode) | GR_SUPPRESS);
22627 -+
22628 -+ if (unlikely(((mode & reqmode) == reqmode) && mode & GR_AUDITS)) {
22629 -+ gr_log_fs_rbac_mode2(GR_DO_AUDIT, GR_CREATE_ACL_MSG, dentry, p_mnt,
22630 -+ reqmode & GR_READ ? " reading" : "",
22631 -+ reqmode & GR_WRITE ? " writing" : reqmode &
22632 -+ GR_APPEND ? " appending" : "");
22633 -+ return reqmode;
22634 -+ } else
22635 -+ if (unlikely((mode & reqmode) != reqmode && !(mode & GR_SUPPRESS)))
22636 -+ {
22637 -+ gr_log_fs_rbac_mode2(GR_DONT_AUDIT, GR_CREATE_ACL_MSG, dentry, p_mnt,
22638 -+ reqmode & GR_READ ? " reading" : "",
22639 -+ reqmode & GR_WRITE ? " writing" : reqmode &
22640 -+ GR_APPEND ? " appending" : "");
22641 -+ return 0;
22642 -+ } else if (unlikely((mode & reqmode) != reqmode))
22643 -+ return 0;
22644 -+
22645 -+ return reqmode;
22646 -+}
22647 -+
22648 -+__u32
22649 -+gr_acl_handle_access(const struct dentry * dentry, const struct vfsmount * mnt,
22650 -+ const int fmode)
22651 -+{
22652 -+ __u32 mode, reqmode = GR_FIND;
22653 -+
22654 -+ if ((fmode & S_IXOTH) && !S_ISDIR(dentry->d_inode->i_mode))
22655 -+ reqmode |= GR_EXEC;
22656 -+ if (fmode & S_IWOTH)
22657 -+ reqmode |= GR_WRITE;
22658 -+ if (fmode & S_IROTH)
22659 -+ reqmode |= GR_READ;
22660 -+
22661 -+ mode =
22662 -+ gr_search_file(dentry, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS,
22663 -+ mnt);
22664 -+
22665 -+ if (unlikely(((mode & reqmode) == reqmode) && mode & GR_AUDITS)) {
22666 -+ gr_log_fs_rbac_mode3(GR_DO_AUDIT, GR_ACCESS_ACL_MSG, dentry, mnt,
22667 -+ reqmode & GR_READ ? " reading" : "",
22668 -+ reqmode & GR_WRITE ? " writing" : "",
22669 -+ reqmode & GR_EXEC ? " executing" : "");
22670 -+ return reqmode;
22671 -+ } else
22672 -+ if (unlikely((mode & reqmode) != reqmode && !(mode & GR_SUPPRESS)))
22673 -+ {
22674 -+ gr_log_fs_rbac_mode3(GR_DONT_AUDIT, GR_ACCESS_ACL_MSG, dentry, mnt,
22675 -+ reqmode & GR_READ ? " reading" : "",
22676 -+ reqmode & GR_WRITE ? " writing" : "",
22677 -+ reqmode & GR_EXEC ? " executing" : "");
22678 -+ return 0;
22679 -+ } else if (unlikely((mode & reqmode) != reqmode))
22680 -+ return 0;
22681 -+
22682 -+ return reqmode;
22683 -+}
22684 -+
22685 -+static __u32 generic_fs_handler(const struct dentry *dentry, const struct vfsmount *mnt, __u32 reqmode, const char *fmt)
22686 -+{
22687 -+ __u32 mode;
22688 -+
22689 -+ mode = gr_search_file(dentry, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS, mnt);
22690 -+
22691 -+ if (unlikely(((mode & (reqmode)) == (reqmode)) && mode & GR_AUDITS)) {
22692 -+ gr_log_fs_rbac_generic(GR_DO_AUDIT, fmt, dentry, mnt);
22693 -+ return mode;
22694 -+ } else if (unlikely((mode & (reqmode)) != (reqmode) && !(mode & GR_SUPPRESS))) {
22695 -+ gr_log_fs_rbac_generic(GR_DONT_AUDIT, fmt, dentry, mnt);
22696 -+ return 0;
22697 -+ } else if (unlikely((mode & (reqmode)) != (reqmode)))
22698 -+ return 0;
22699 -+
22700 -+ return (reqmode);
22701 -+}
22702 -+
22703 -+__u32
22704 -+gr_acl_handle_rmdir(const struct dentry * dentry, const struct vfsmount * mnt)
22705 -+{
22706 -+ return generic_fs_handler(dentry, mnt, GR_WRITE | GR_DELETE , GR_RMDIR_ACL_MSG);
22707 -+}
22708 -+
22709 -+__u32
22710 -+gr_acl_handle_unlink(const struct dentry *dentry, const struct vfsmount *mnt)
22711 -+{
22712 -+ return generic_fs_handler(dentry, mnt, GR_WRITE | GR_DELETE , GR_UNLINK_ACL_MSG);
22713 -+}
22714 -+
22715 -+__u32
22716 -+gr_acl_handle_truncate(const struct dentry *dentry, const struct vfsmount *mnt)
22717 -+{
22718 -+ return generic_fs_handler(dentry, mnt, GR_WRITE, GR_TRUNCATE_ACL_MSG);
22719 -+}
22720 -+
22721 -+__u32
22722 -+gr_acl_handle_utime(const struct dentry *dentry, const struct vfsmount *mnt)
22723 -+{
22724 -+ return generic_fs_handler(dentry, mnt, GR_WRITE, GR_ATIME_ACL_MSG);
22725 -+}
22726 -+
22727 -+__u32
22728 -+gr_acl_handle_fchmod(const struct dentry *dentry, const struct vfsmount *mnt,
22729 -+ mode_t mode)
22730 -+{
22731 -+ if (unlikely(dentry->d_inode && S_ISSOCK(dentry->d_inode->i_mode)))
22732 -+ return 1;
22733 -+
22734 -+ if (unlikely((mode != (mode_t)-1) && (mode & (S_ISUID | S_ISGID)))) {
22735 -+ return generic_fs_handler(dentry, mnt, GR_WRITE | GR_SETID,
22736 -+ GR_FCHMOD_ACL_MSG);
22737 -+ } else {
22738 -+ return generic_fs_handler(dentry, mnt, GR_WRITE, GR_FCHMOD_ACL_MSG);
22739 -+ }
22740 -+}
22741 -+
22742 -+__u32
22743 -+gr_acl_handle_chmod(const struct dentry *dentry, const struct vfsmount *mnt,
22744 -+ mode_t mode)
22745 -+{
22746 -+ if (unlikely((mode != (mode_t)-1) && (mode & (S_ISUID | S_ISGID)))) {
22747 -+ return generic_fs_handler(dentry, mnt, GR_WRITE | GR_SETID,
22748 -+ GR_CHMOD_ACL_MSG);
22749 -+ } else {
22750 -+ return generic_fs_handler(dentry, mnt, GR_WRITE, GR_CHMOD_ACL_MSG);
22751 -+ }
22752 -+}
22753 -+
22754 -+__u32
22755 -+gr_acl_handle_chown(const struct dentry *dentry, const struct vfsmount *mnt)
22756 -+{
22757 -+ return generic_fs_handler(dentry, mnt, GR_WRITE, GR_CHOWN_ACL_MSG);
22758 -+}
22759 -+
22760 -+__u32
22761 -+gr_acl_handle_execve(const struct dentry *dentry, const struct vfsmount *mnt)
22762 -+{
22763 -+ return generic_fs_handler(dentry, mnt, GR_EXEC, GR_EXEC_ACL_MSG);
22764 -+}
22765 -+
22766 -+__u32
22767 -+gr_acl_handle_unix(const struct dentry *dentry, const struct vfsmount *mnt)
22768 -+{
22769 -+ return generic_fs_handler(dentry, mnt, GR_READ | GR_WRITE,
22770 -+ GR_UNIXCONNECT_ACL_MSG);
22771 -+}
22772 -+
22773 -+/* hardlinks require at minimum create permission,
22774 -+ any additional privilege required is based on the
22775 -+ privilege of the file being linked to
22776 -+*/
22777 -+__u32
22778 -+gr_acl_handle_link(const struct dentry * new_dentry,
22779 -+ const struct dentry * parent_dentry,
22780 -+ const struct vfsmount * parent_mnt,
22781 -+ const struct dentry * old_dentry,
22782 -+ const struct vfsmount * old_mnt, const char *to)
22783 -+{
22784 -+ __u32 mode;
22785 -+ __u32 needmode = GR_CREATE | GR_LINK;
22786 -+ __u32 needaudit = GR_AUDIT_CREATE | GR_AUDIT_LINK;
22787 -+
22788 -+ mode =
22789 -+ gr_check_link(new_dentry, parent_dentry, parent_mnt, old_dentry,
22790 -+ old_mnt);
22791 -+
22792 -+ if (unlikely(((mode & needmode) == needmode) && (mode & needaudit))) {
22793 -+ gr_log_fs_rbac_str(GR_DO_AUDIT, GR_LINK_ACL_MSG, old_dentry, old_mnt, to);
22794 -+ return mode;
22795 -+ } else if (unlikely(((mode & needmode) != needmode) && !(mode & GR_SUPPRESS))) {
22796 -+ gr_log_fs_rbac_str(GR_DONT_AUDIT, GR_LINK_ACL_MSG, old_dentry, old_mnt, to);
22797 -+ return 0;
22798 -+ } else if (unlikely((mode & needmode) != needmode))
22799 -+ return 0;
22800 -+
22801 -+ return 1;
22802 -+}
22803 -+
22804 -+__u32
22805 -+gr_acl_handle_symlink(const struct dentry * new_dentry,
22806 -+ const struct dentry * parent_dentry,
22807 -+ const struct vfsmount * parent_mnt, const char *from)
22808 -+{
22809 -+ __u32 needmode = GR_WRITE | GR_CREATE;
22810 -+ __u32 mode;
22811 -+
22812 -+ mode =
22813 -+ gr_check_create(new_dentry, parent_dentry, parent_mnt,
22814 -+ GR_CREATE | GR_AUDIT_CREATE |
22815 -+ GR_WRITE | GR_AUDIT_WRITE | GR_SUPPRESS);
22816 -+
22817 -+ if (unlikely(mode & GR_WRITE && mode & GR_AUDITS)) {
22818 -+ gr_log_fs_str_rbac(GR_DO_AUDIT, GR_SYMLINK_ACL_MSG, from, new_dentry, parent_mnt);
22819 -+ return mode;
22820 -+ } else if (unlikely(((mode & needmode) != needmode) && !(mode & GR_SUPPRESS))) {
22821 -+ gr_log_fs_str_rbac(GR_DONT_AUDIT, GR_SYMLINK_ACL_MSG, from, new_dentry, parent_mnt);
22822 -+ return 0;
22823 -+ } else if (unlikely((mode & needmode) != needmode))
22824 -+ return 0;
22825 -+
22826 -+ return (GR_WRITE | GR_CREATE);
22827 -+}
22828 -+
22829 -+static __u32 generic_fs_create_handler(const struct dentry *new_dentry, const struct dentry *parent_dentry, const struct vfsmount *parent_mnt, __u32 reqmode, const char *fmt)
22830 -+{
22831 -+ __u32 mode;
22832 -+
22833 -+ mode = gr_check_create(new_dentry, parent_dentry, parent_mnt, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS);
22834 -+
22835 -+ if (unlikely(((mode & (reqmode)) == (reqmode)) && mode & GR_AUDITS)) {
22836 -+ gr_log_fs_rbac_generic(GR_DO_AUDIT, fmt, new_dentry, parent_mnt);
22837 -+ return mode;
22838 -+ } else if (unlikely((mode & (reqmode)) != (reqmode) && !(mode & GR_SUPPRESS))) {
22839 -+ gr_log_fs_rbac_generic(GR_DONT_AUDIT, fmt, new_dentry, parent_mnt);
22840 -+ return 0;
22841 -+ } else if (unlikely((mode & (reqmode)) != (reqmode)))
22842 -+ return 0;
22843 -+
22844 -+ return (reqmode);
22845 -+}
22846 -+
22847 -+__u32
22848 -+gr_acl_handle_mknod(const struct dentry * new_dentry,
22849 -+ const struct dentry * parent_dentry,
22850 -+ const struct vfsmount * parent_mnt,
22851 -+ const int mode)
22852 -+{
22853 -+ __u32 reqmode = GR_WRITE | GR_CREATE;
22854 -+ if (unlikely(mode & (S_ISUID | S_ISGID)))
22855 -+ reqmode |= GR_SETID;
22856 -+
22857 -+ return generic_fs_create_handler(new_dentry, parent_dentry, parent_mnt,
22858 -+ reqmode, GR_MKNOD_ACL_MSG);
22859 -+}
22860 -+
22861 -+__u32
22862 -+gr_acl_handle_mkdir(const struct dentry *new_dentry,
22863 -+ const struct dentry *parent_dentry,
22864 -+ const struct vfsmount *parent_mnt)
22865 -+{
22866 -+ return generic_fs_create_handler(new_dentry, parent_dentry, parent_mnt,
22867 -+ GR_WRITE | GR_CREATE, GR_MKDIR_ACL_MSG);
22868 -+}
22869 -+
22870 -+#define RENAME_CHECK_SUCCESS(old, new) \
22871 -+ (((old & (GR_WRITE | GR_READ)) == (GR_WRITE | GR_READ)) && \
22872 -+ ((new & (GR_WRITE | GR_READ)) == (GR_WRITE | GR_READ)))
22873 -+
22874 -+int
22875 -+gr_acl_handle_rename(struct dentry *new_dentry,
22876 -+ struct dentry *parent_dentry,
22877 -+ const struct vfsmount *parent_mnt,
22878 -+ struct dentry *old_dentry,
22879 -+ struct inode *old_parent_inode,
22880 -+ struct vfsmount *old_mnt, const char *newname)
22881 -+{
22882 -+ __u32 comp1, comp2;
22883 -+ int error = 0;
22884 -+
22885 -+ if (unlikely(!gr_acl_is_enabled()))
22886 -+ return 0;
22887 -+
22888 -+ if (!new_dentry->d_inode) {
22889 -+ comp1 = gr_check_create(new_dentry, parent_dentry, parent_mnt,
22890 -+ GR_READ | GR_WRITE | GR_CREATE | GR_AUDIT_READ |
22891 -+ GR_AUDIT_WRITE | GR_AUDIT_CREATE | GR_SUPPRESS);
22892 -+ comp2 = gr_search_file(old_dentry, GR_READ | GR_WRITE |
22893 -+ GR_DELETE | GR_AUDIT_DELETE |
22894 -+ GR_AUDIT_READ | GR_AUDIT_WRITE |
22895 -+ GR_SUPPRESS, old_mnt);
22896 -+ } else {
22897 -+ comp1 = gr_search_file(new_dentry, GR_READ | GR_WRITE |
22898 -+ GR_CREATE | GR_DELETE |
22899 -+ GR_AUDIT_CREATE | GR_AUDIT_DELETE |
22900 -+ GR_AUDIT_READ | GR_AUDIT_WRITE |
22901 -+ GR_SUPPRESS, parent_mnt);
22902 -+ comp2 =
22903 -+ gr_search_file(old_dentry,
22904 -+ GR_READ | GR_WRITE | GR_AUDIT_READ |
22905 -+ GR_DELETE | GR_AUDIT_DELETE |
22906 -+ GR_AUDIT_WRITE | GR_SUPPRESS, old_mnt);
22907 -+ }
22908 -+
22909 -+ if (RENAME_CHECK_SUCCESS(comp1, comp2) &&
22910 -+ ((comp1 & GR_AUDITS) || (comp2 & GR_AUDITS)))
22911 -+ gr_log_fs_rbac_str(GR_DO_AUDIT, GR_RENAME_ACL_MSG, old_dentry, old_mnt, newname);
22912 -+ else if (!RENAME_CHECK_SUCCESS(comp1, comp2) && !(comp1 & GR_SUPPRESS)
22913 -+ && !(comp2 & GR_SUPPRESS)) {
22914 -+ gr_log_fs_rbac_str(GR_DONT_AUDIT, GR_RENAME_ACL_MSG, old_dentry, old_mnt, newname);
22915 -+ error = -EACCES;
22916 -+ } else if (unlikely(!RENAME_CHECK_SUCCESS(comp1, comp2)))
22917 -+ error = -EACCES;
22918 -+
22919 -+ return error;
22920 -+}
22921 -+
22922 -+void
22923 -+gr_acl_handle_exit(void)
22924 -+{
22925 -+ u16 id;
22926 -+ char *rolename;
22927 -+ struct file *exec_file;
22928 -+
22929 -+ if (unlikely(current->acl_sp_role && gr_acl_is_enabled())) {
22930 -+ id = current->acl_role_id;
22931 -+ rolename = current->role->rolename;
22932 -+ gr_set_acls(1);
22933 -+ gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_SPROLEL_ACL_MSG, rolename, id);
22934 -+ }
22935 -+
22936 -+ write_lock(&grsec_exec_file_lock);
22937 -+ exec_file = current->exec_file;
22938 -+ current->exec_file = NULL;
22939 -+ write_unlock(&grsec_exec_file_lock);
22940 -+
22941 -+ if (exec_file)
22942 -+ fput(exec_file);
22943 -+}
22944 -+
22945 -+int
22946 -+gr_acl_handle_procpidmem(const struct task_struct *task)
22947 -+{
22948 -+ if (unlikely(!gr_acl_is_enabled()))
22949 -+ return 0;
22950 -+
22951 -+ if (task != current && task->acl->mode & GR_PROTPROCFD)
22952 -+ return -EACCES;
22953 -+
22954 -+ return 0;
22955 -+}
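Review bot: gr_acl_handle_access() reads `dentry->d_inode->i_mode` for the S_ISDIR() test without the `if (unlikely(!dentry->d_inode))` guard that gr_acl_handle_hidden_file() and gr_acl_handle_open() in the same file apply before touching the inode; unless the caller guarantees a positive dentry, add the same early return. Style: the RENAME_CHECK_SUCCESS(old, new) macro uses its arguments unparenthesized (`old & (GR_WRITE | GR_READ)`), which silently breaks if an expression is ever passed; write `((old) & ...)` and `((new) & ...)`. The audit/deny/suppress decision block is copied verbatim into gr_acl_handle_open(), gr_acl_handle_creat() and gr_acl_handle_access() although generic_fs_handler() and generic_fs_create_handler() already encode it; routing those three through a variant of the generic helper that takes the mode-string arguments would leave one place to get the GR_SUPPRESS logic right.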
22956 -diff -urNp linux-2.6.24.4/grsecurity/gracl_ip.c linux-2.6.24.4/grsecurity/gracl_ip.c
22957 ---- linux-2.6.24.4/grsecurity/gracl_ip.c 1969-12-31 19:00:00.000000000 -0500
22958 -+++ linux-2.6.24.4/grsecurity/gracl_ip.c 2008-03-26 17:56:56.000000000 -0400
22959 -@@ -0,0 +1,313 @@
22960 -+#include <linux/kernel.h>
22961 -+#include <asm/uaccess.h>
22962 -+#include <asm/errno.h>
22963 -+#include <net/sock.h>
22964 -+#include <linux/file.h>
22965 -+#include <linux/fs.h>
22966 -+#include <linux/net.h>
22967 -+#include <linux/in.h>
22968 -+#include <linux/skbuff.h>
22969 -+#include <linux/ip.h>
22970 -+#include <linux/udp.h>
22971 -+#include <linux/smp_lock.h>
22972 -+#include <linux/types.h>
22973 -+#include <linux/sched.h>
22974 -+#include <linux/netdevice.h>
22975 -+#include <linux/inetdevice.h>
22976 -+#include <linux/gracl.h>
22977 -+#include <linux/grsecurity.h>
22978 -+#include <linux/grinternal.h>
22979 -+
22980 -+#define GR_BIND 0x01
22981 -+#define GR_CONNECT 0x02
22982 -+#define GR_INVERT 0x04
22983 -+
22984 -+static const char * gr_protocols[256] = {
22985 -+ "ip", "icmp", "igmp", "ggp", "ipencap", "st", "tcp", "cbt",
22986 -+ "egp", "igp", "bbn-rcc", "nvp", "pup", "argus", "emcon", "xnet",
22987 -+ "chaos", "udp", "mux", "dcn", "hmp", "prm", "xns-idp", "trunk-1",
22988 -+ "trunk-2", "leaf-1", "leaf-2", "rdp", "irtp", "iso-tp4", "netblt", "mfe-nsp",
22989 -+ "merit-inp", "sep", "3pc", "idpr", "xtp", "ddp", "idpr-cmtp", "tp++",
22990 -+ "il", "ipv6", "sdrp", "ipv6-route", "ipv6-frag", "idrp", "rsvp", "gre",
22991 -+ "mhrp", "bna", "ipv6-crypt", "ipv6-auth", "i-nlsp", "swipe", "narp", "mobile",
22992 -+ "tlsp", "skip", "ipv6-icmp", "ipv6-nonxt", "ipv6-opts", "unknown:61", "cftp", "unknown:63",
22993 -+ "sat-expak", "kryptolan", "rvd", "ippc", "unknown:68", "sat-mon", "visa", "ipcv",
22994 -+ "cpnx", "cphb", "wsn", "pvp", "br-sat-mon", "sun-nd", "wb-mon", "wb-expak",
22995 -+ "iso-ip", "vmtp", "secure-vmtp", "vines", "ttp", "nfsnet-igp", "dgp", "tcf",
22996 -+ "eigrp", "ospf", "sprite-rpc", "larp", "mtp", "ax.25", "ipip", "micp",
22997 -+ "scc-sp", "etherip", "encap", "unknown:99", "gmtp", "ifmp", "pnni", "pim",
22998 -+ "aris", "scps", "qnx", "a/n", "ipcomp", "snp", "compaq-peer", "ipx-in-ip",
22999 -+ "vrrp", "pgm", "unknown:114", "l2tp", "ddx", "iatp", "stp", "srp",
23000 -+ "uti", "smp", "sm", "ptp", "isis", "fire", "crtp", "crdup",
23001 -+ "sscopmce", "iplt", "sps", "pipe", "sctp", "fc", "unkown:134", "unknown:135",
23002 -+ "unknown:136", "unknown:137", "unknown:138", "unknown:139", "unknown:140", "unknown:141", "unknown:142", "unknown:143",
23003 -+ "unknown:144", "unknown:145", "unknown:146", "unknown:147", "unknown:148", "unknown:149", "unknown:150", "unknown:151",
23004 -+ "unknown:152", "unknown:153", "unknown:154", "unknown:155", "unknown:156", "unknown:157", "unknown:158", "unknown:159",
23005 -+ "unknown:160", "unknown:161", "unknown:162", "unknown:163", "unknown:164", "unknown:165", "unknown:166", "unknown:167",
23006 -+ "unknown:168", "unknown:169", "unknown:170", "unknown:171", "unknown:172", "unknown:173", "unknown:174", "unknown:175",
23007 -+ "unknown:176", "unknown:177", "unknown:178", "unknown:179", "unknown:180", "unknown:181", "unknown:182", "unknown:183",
23008 -+ "unknown:184", "unknown:185", "unknown:186", "unknown:187", "unknown:188", "unknown:189", "unknown:190", "unknown:191",
23009 -+ "unknown:192", "unknown:193", "unknown:194", "unknown:195", "unknown:196", "unknown:197", "unknown:198", "unknown:199",
23010 -+ "unknown:200", "unknown:201", "unknown:202", "unknown:203", "unknown:204", "unknown:205", "unknown:206", "unknown:207",
23011 -+ "unknown:208", "unknown:209", "unknown:210", "unknown:211", "unknown:212", "unknown:213", "unknown:214", "unknown:215",
23012 -+ "unknown:216", "unknown:217", "unknown:218", "unknown:219", "unknown:220", "unknown:221", "unknown:222", "unknown:223",
23013 -+ "unknown:224", "unknown:225", "unknown:226", "unknown:227", "unknown:228", "unknown:229", "unknown:230", "unknown:231",
23014 -+ "unknown:232", "unknown:233", "unknown:234", "unknown:235", "unknown:236", "unknown:237", "unknown:238", "unknown:239",
23015 -+ "unknown:240", "unknown:241", "unknown:242", "unknown:243", "unknown:244", "unknown:245", "unknown:246", "unknown:247",
23016 -+ "unknown:248", "unknown:249", "unknown:250", "unknown:251", "unknown:252", "unknown:253", "unknown:254", "unknown:255",
23017 -+ };
23018 -+
23019 -+static const char * gr_socktypes[11] = {
23020 -+ "unknown:0", "stream", "dgram", "raw", "rdm", "seqpacket", "unknown:6",
23021 -+ "unknown:7", "unknown:8", "unknown:9", "packet"
23022 -+ };
23023 -+
23024 -+const char *
23025 -+gr_proto_to_name(unsigned char proto)
23026 -+{
23027 -+ return gr_protocols[proto];
23028 -+}
23029 -+
23030 -+const char *
23031 -+gr_socktype_to_name(unsigned char type)
23032 -+{
23033 -+ return gr_socktypes[type];
23034 -+}
23035 -+
23036 -+int
23037 -+gr_search_socket(const int domain, const int type, const int protocol)
23038 -+{
23039 -+ struct acl_subject_label *curr;
23040 -+
23041 -+ if (unlikely(!gr_acl_is_enabled()))
23042 -+ goto exit;
23043 -+
23044 -+ if ((domain < 0) || (type < 0) || (protocol < 0) || (domain != PF_INET)
23045 -+ || (domain >= NPROTO) || (type >= SOCK_MAX) || (protocol > 255))
23046 -+ goto exit; // let the kernel handle it
23047 -+
23048 -+ curr = current->acl;
23049 -+
23050 -+ if (!curr->ips)
23051 -+ goto exit;
23052 -+
23053 -+ if ((curr->ip_type & (1 << type)) &&
23054 -+ (curr->ip_proto[protocol / 32] & (1 << (protocol % 32))))
23055 -+ goto exit;
23056 -+
23057 -+ if (curr->mode & (GR_LEARN | GR_INHERITLEARN)) {
23058 -+ /* we don't place acls on raw sockets , and sometimes
23059 -+ dgram/ip sockets are opened for ioctl and not
23060 -+ bind/connect, so we'll fake a bind learn log */
23061 -+ if (type == SOCK_RAW || type == SOCK_PACKET) {
23062 -+ __u32 fakeip = 0;
23063 -+ security_learn(GR_IP_LEARN_MSG, current->role->rolename,
23064 -+ current->role->roletype, current->uid,
23065 -+ current->gid, current->exec_file ?
23066 -+ gr_to_filename(current->exec_file->f_dentry,
23067 -+ current->exec_file->f_vfsmnt) :
23068 -+ curr->filename, curr->filename,
23069 -+ NIPQUAD(fakeip), 0, type,
23070 -+ protocol, GR_CONNECT,
23071 -+NIPQUAD(current->signal->curr_ip));
23072 -+ } else if ((type == SOCK_DGRAM) && (protocol == IPPROTO_IP)) {
23073 -+ __u32 fakeip = 0;
23074 -+ security_learn(GR_IP_LEARN_MSG, current->role->rolename,
23075 -+ current->role->roletype, current->uid,
23076 -+ current->gid, current->exec_file ?
23077 -+ gr_to_filename(current->exec_file->f_dentry,
23078 -+ current->exec_file->f_vfsmnt) :
23079 -+ curr->filename, curr->filename,
23080 -+ NIPQUAD(fakeip), 0, type,
23081 -+ protocol, GR_BIND, NIPQUAD(current->signal->curr_ip));
23082 -+ }
23083 -+ /* we'll log when they use connect or bind */
23084 -+ goto exit;
23085 -+ }
23086 -+
23087 -+ gr_log_str3(GR_DONT_AUDIT, GR_SOCK_MSG, "inet",
23088 -+ gr_socktype_to_name(type), gr_proto_to_name(protocol));
23089 -+
23090 -+ return 0;
23091 -+ exit:
23092 -+ return 1;
23093 -+}
23094 -+
23095 -+int check_ip_policy(struct acl_ip_label *ip, __u32 ip_addr, __u16 ip_port, __u8 protocol, const int mode, const int type, __u32 our_addr, __u32 our_netmask)
23096 -+{
23097 -+ if ((ip->mode & mode) &&
23098 -+ (ip_port >= ip->low) &&
23099 -+ (ip_port <= ip->high) &&
23100 -+ ((ntohl(ip_addr) & our_netmask) ==
23101 -+ (ntohl(our_addr) & our_netmask))
23102 -+ && (ip->proto[protocol / 32] & (1 << (protocol % 32)))
23103 -+ && (ip->type & (1 << type))) {
23104 -+ if (ip->mode & GR_INVERT)
23105 -+ return 2; // specifically denied
23106 -+ else
23107 -+ return 1; // allowed
23108 -+ }
23109 -+
23110 -+ return 0; // not specifically allowed, may continue parsing
23111 -+}
23112 -+
23113 -+static int
23114 -+gr_search_connectbind(const int mode, const struct sock *sk,
23115 -+ const struct sockaddr_in *addr, const int type)
23116 -+{
23117 -+ char iface[IFNAMSIZ] = {0};
23118 -+ struct acl_subject_label *curr;
23119 -+ struct acl_ip_label *ip;
23120 -+ struct net_device *dev;
23121 -+ struct in_device *idev;
23122 -+ unsigned long i;
23123 -+ int ret;
23124 -+ __u32 ip_addr = 0;
23125 -+ __u32 our_addr;
23126 -+ __u32 our_netmask;
23127 -+ char *p;
23128 -+ __u16 ip_port = 0;
23129 -+
23130 -+ if (unlikely(!gr_acl_is_enabled() || sk->sk_family != PF_INET))
23131 -+ return 1;
23132 -+
23133 -+ curr = current->acl;
23134 -+
23135 -+ if (!curr->ips)
23136 -+ return 1;
23137 -+
23138 -+ ip_addr = addr->sin_addr.s_addr;
23139 -+ ip_port = ntohs(addr->sin_port);
23140 -+
23141 -+ if (curr->mode & (GR_LEARN | GR_INHERITLEARN)) {
23142 -+ security_learn(GR_IP_LEARN_MSG, current->role->rolename,
23143 -+ current->role->roletype, current->uid,
23144 -+ current->gid, current->exec_file ?
23145 -+ gr_to_filename(current->exec_file->f_dentry,
23146 -+ current->exec_file->f_vfsmnt) :
23147 -+ curr->filename, curr->filename,
23148 -+ NIPQUAD(ip_addr), ip_port, type,
23149 -+ sk->sk_protocol, mode, NIPQUAD(current->signal->curr_ip));
23150 -+ return 1;
23151 -+ }
23152 -+
23153 -+ for (i = 0; i < curr->ip_num; i++) {
23154 -+ ip = *(curr->ips + i);
23155 -+ if (ip->iface != NULL) {
23156 -+ strncpy(iface, ip->iface, IFNAMSIZ - 1);
23157 -+ p = strchr(iface, ':');
23158 -+ if (p != NULL)
23159 -+ *p = '\0';
23160 -+ dev = dev_get_by_name(sk->sk_net, iface);
23161 -+ if (dev == NULL)
23162 -+ continue;
23163 -+ idev = in_dev_get(dev);
23164 -+ if (idev == NULL) {
23165 -+ dev_put(dev);
23166 -+ continue;
23167 -+ }
23168 -+ rcu_read_lock();
23169 -+ for_ifa(idev) {
23170 -+ if (!strcmp(ip->iface, ifa->ifa_label)) {
23171 -+ our_addr = ifa->ifa_address;
23172 -+ our_netmask = 0xffffffff;
23173 -+ ret = check_ip_policy(ip, ip_addr, ip_port, sk->sk_protocol, mode, type, our_addr, our_netmask);
23174 -+ if (ret == 1) {
23175 -+ rcu_read_unlock();
23176 -+ in_dev_put(idev);
23177 -+ dev_put(dev);
23178 -+ return 1;
23179 -+ } else if (ret == 2) {
23180 -+ rcu_read_unlock();
23181 -+ in_dev_put(idev);
23182 -+ dev_put(dev);
23183 -+ goto denied;
23184 -+ }
23185 -+ }
23186 -+ } endfor_ifa(idev);
23187 -+ rcu_read_unlock();
23188 -+ in_dev_put(idev);
23189 -+ dev_put(dev);
23190 -+ } else {
23191 -+ our_addr = ip->addr;
23192 -+ our_netmask = ip->netmask;
23193 -+ ret = check_ip_policy(ip, ip_addr, ip_port, sk->sk_protocol, mode, type, our_addr, our_netmask);
23194 -+ if (ret == 1)
23195 -+ return 1;
23196 -+ else if (ret == 2)
23197 -+ goto denied;
23198 -+ }
23199 -+ }
23200 -+
23201 -+denied:
23202 -+ if (mode == GR_BIND)
23203 -+ gr_log_int5_str2(GR_DONT_AUDIT, GR_BIND_ACL_MSG, NIPQUAD(ip_addr), ip_port, gr_socktype_to_name(type), gr_proto_to_name(sk->sk_protocol));
23204 -+ else if (mode == GR_CONNECT)
23205 -+ gr_log_int5_str2(GR_DONT_AUDIT, GR_CONNECT_ACL_MSG, NIPQUAD(ip_addr), ip_port, gr_socktype_to_name(type), gr_proto_to_name(sk->sk_protocol));
23206 -+
23207 -+ return 0;
23208 -+}
23209 -+
23210 -+int
23211 -+gr_search_connect(const struct socket *sock, const struct sockaddr_in *addr)
23212 -+{
23213 -+ return gr_search_connectbind(GR_CONNECT, sock->sk, addr, sock->type);
23214 -+}
23215 -+
23216 -+int
23217 -+gr_search_bind(const struct socket *sock, const struct sockaddr_in *addr)
23218 -+{
23219 -+ return gr_search_connectbind(GR_BIND, sock->sk, addr, sock->type);
23220 -+}
23221 -+
23222 -+int gr_search_listen(const struct socket *sock)
23223 -+{
23224 -+ struct sock *sk = sock->sk;
23225 -+ struct sockaddr_in addr;
23226 -+
23227 -+ addr.sin_addr.s_addr = inet_sk(sk)->saddr;
23228 -+ addr.sin_port = inet_sk(sk)->sport;
23229 -+
23230 -+ return gr_search_connectbind(GR_BIND, sock->sk, &addr, sock->type);
23231 -+}
23232 -+
23233 -+int gr_search_accept(const struct socket *sock)
23234 -+{
23235 -+ struct sock *sk = sock->sk;
23236 -+ struct sockaddr_in addr;
23237 -+
23238 -+ addr.sin_addr.s_addr = inet_sk(sk)->saddr;
23239 -+ addr.sin_port = inet_sk(sk)->sport;
23240 -+
23241 -+ return gr_search_connectbind(GR_BIND, sock->sk, &addr, sock->type);
23242 -+}
23243 -+
23244 -+int
23245 -+gr_search_udp_sendmsg(const struct sock *sk, const struct sockaddr_in *addr)
23246 -+{
23247 -+ if (addr)
23248 -+ return gr_search_connectbind(GR_CONNECT, sk, addr, SOCK_DGRAM);
23249 -+ else {
23250 -+ struct sockaddr_in sin;
23251 -+ const struct inet_sock *inet = inet_sk(sk);
23252 -+
23253 -+ sin.sin_addr.s_addr = inet->daddr;
23254 -+ sin.sin_port = inet->dport;
23255 -+
23256 -+ return gr_search_connectbind(GR_CONNECT, sk, &sin, SOCK_DGRAM);
23257 -+ }
23258 -+}
23259 -+
23260 -+int
23261 -+gr_search_udp_recvmsg(const struct sock *sk, const struct sk_buff *skb)
23262 -+{
23263 -+ struct sockaddr_in sin;
23264 -+
23265 -+ if (unlikely(skb->len < sizeof (struct udphdr)))
23266 -+ return 1; // skip this packet
23267 -+
23268 -+ sin.sin_addr.s_addr = ip_hdr(skb)->saddr;
23269 -+ sin.sin_port = udp_hdr(skb)->source;
23270 -+
23271 -+ return gr_search_connectbind(GR_CONNECT, sk, &sin, SOCK_DGRAM);
23272 -+}
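Review bot: in the interface loop, `strncpy(iface, ip->iface, IFNAMSIZ - 1);` does not guarantee a terminating NUL in `iface` (strncpy only pads when the source is shorter than the count), and the buffer's declaration is outside this hunk, so unless it is zero-initialised there, `strchr(iface, ':')` and `dev_get_by_name()` can read past the end of the buffer; add `iface[IFNAMSIZ - 1] = '\0';` after the copy. Two smaller points: `gr_search_listen()` and `gr_search_accept()` have identical bodies and could share one helper, and in `gr_search_udp_recvmsg()` the short-packet path `return 1; // skip this packet` lets the datagram through without any policy check and uses a C++-style comment; if the intent is that the UDP stack discards such packets anyway, say so in a C comment, otherwise fail closed.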
23273 -diff -urNp linux-2.6.24.4/grsecurity/gracl_learn.c linux-2.6.24.4/grsecurity/gracl_learn.c
23274 ---- linux-2.6.24.4/grsecurity/gracl_learn.c 1969-12-31 19:00:00.000000000 -0500
23275 -+++ linux-2.6.24.4/grsecurity/gracl_learn.c 2008-03-26 17:56:56.000000000 -0400
23276 -@@ -0,0 +1,211 @@
23277 -+#include <linux/kernel.h>
23278 -+#include <linux/mm.h>
23279 -+#include <linux/sched.h>
23280 -+#include <linux/poll.h>
23281 -+#include <linux/smp_lock.h>
23282 -+#include <linux/string.h>
23283 -+#include <linux/file.h>
23284 -+#include <linux/types.h>
23285 -+#include <linux/vmalloc.h>
23286 -+#include <linux/grinternal.h>
23287 -+
23288 -+extern ssize_t write_grsec_handler(struct file * file, const char __user * buf,
23289 -+ size_t count, loff_t *ppos);
23290 -+extern int gr_acl_is_enabled(void);
23291 -+
23292 -+static DECLARE_WAIT_QUEUE_HEAD(learn_wait);
23293 -+static int gr_learn_attached;
23294 -+
23295 -+/* use a 512k buffer */
23296 -+#define LEARN_BUFFER_SIZE (512 * 1024)
23297 -+
23298 -+static spinlock_t gr_learn_lock = SPIN_LOCK_UNLOCKED;
23299 -+static DECLARE_MUTEX(gr_learn_user_sem);
23300 -+
23301 -+/* we need to maintain two buffers, so that the kernel context of grlearn
23302 -+ uses a semaphore around the userspace copying, and the other kernel contexts
23303 -+ use a spinlock when copying into the buffer, since they cannot sleep
23304 -+*/
23305 -+static char *learn_buffer;
23306 -+static char *learn_buffer_user;
23307 -+static int learn_buffer_len;
23308 -+static int learn_buffer_user_len;
23309 -+
23310 -+static ssize_t
23311 -+read_learn(struct file *file, char __user * buf, size_t count, loff_t * ppos)
23312 -+{
23313 -+ DECLARE_WAITQUEUE(wait, current);
23314 -+ ssize_t retval = 0;
23315 -+
23316 -+ add_wait_queue(&learn_wait, &wait);
23317 -+ set_current_state(TASK_INTERRUPTIBLE);
23318 -+ do {
23319 -+ down(&gr_learn_user_sem);
23320 -+ spin_lock(&gr_learn_lock);
23321 -+ if (learn_buffer_len)
23322 -+ break;
23323 -+ spin_unlock(&gr_learn_lock);
23324 -+ up(&gr_learn_user_sem);
23325 -+ if (file->f_flags & O_NONBLOCK) {
23326 -+ retval = -EAGAIN;
23327 -+ goto out;
23328 -+ }
23329 -+ if (signal_pending(current)) {
23330 -+ retval = -ERESTARTSYS;
23331 -+ goto out;
23332 -+ }
23333 -+
23334 -+ schedule();
23335 -+ } while (1);
23336 -+
23337 -+ memcpy(learn_buffer_user, learn_buffer, learn_buffer_len);
23338 -+ learn_buffer_user_len = learn_buffer_len;
23339 -+ retval = learn_buffer_len;
23340 -+ learn_buffer_len = 0;
23341 -+
23342 -+ spin_unlock(&gr_learn_lock);
23343 -+
23344 -+ if (copy_to_user(buf, learn_buffer_user, learn_buffer_user_len))
23345 -+ retval = -EFAULT;
23346 -+
23347 -+ up(&gr_learn_user_sem);
23348 -+out:
23349 -+ set_current_state(TASK_RUNNING);
23350 -+ remove_wait_queue(&learn_wait, &wait);
23351 -+ return retval;
23352 -+}
23353 -+
23354 -+static unsigned int
23355 -+poll_learn(struct file * file, poll_table * wait)
23356 -+{
23357 -+ poll_wait(file, &learn_wait, wait);
23358 -+
23359 -+ if (learn_buffer_len)
23360 -+ return (POLLIN | POLLRDNORM);
23361 -+
23362 -+ return 0;
23363 -+}
23364 -+
23365 -+void
23366 -+gr_clear_learn_entries(void)
23367 -+{
23368 -+ char *tmp;
23369 -+
23370 -+ down(&gr_learn_user_sem);
23371 -+ if (learn_buffer != NULL) {
23372 -+ spin_lock(&gr_learn_lock);
23373 -+ tmp = learn_buffer;
23374 -+ learn_buffer = NULL;
23375 -+ spin_unlock(&gr_learn_lock);
23376 -+ vfree(learn_buffer);
23377 -+ }
23378 -+ if (learn_buffer_user != NULL) {
23379 -+ vfree(learn_buffer_user);
23380 -+ learn_buffer_user = NULL;
23381 -+ }
23382 -+ learn_buffer_len = 0;
23383 -+ up(&gr_learn_user_sem);
23384 -+
23385 -+ return;
23386 -+}
23387 -+
23388 -+void
23389 -+gr_add_learn_entry(const char *fmt, ...)
23390 -+{
23391 -+ va_list args;
23392 -+ unsigned int len;
23393 -+
23394 -+ if (!gr_learn_attached)
23395 -+ return;
23396 -+
23397 -+ spin_lock(&gr_learn_lock);
23398 -+
23399 -+ /* leave a gap at the end so we know when it's "full" but don't have to
23400 -+ compute the exact length of the string we're trying to append
23401 -+ */
23402 -+ if (learn_buffer_len > LEARN_BUFFER_SIZE - 16384) {
23403 -+ spin_unlock(&gr_learn_lock);
23404 -+ wake_up_interruptible(&learn_wait);
23405 -+ return;
23406 -+ }
23407 -+ if (learn_buffer == NULL) {
23408 -+ spin_unlock(&gr_learn_lock);
23409 -+ return;
23410 -+ }
23411 -+
23412 -+ va_start(args, fmt);
23413 -+ len = vsnprintf(learn_buffer + learn_buffer_len, LEARN_BUFFER_SIZE - learn_buffer_len, fmt, args);
23414 -+ va_end(args);
23415 -+
23416 -+ learn_buffer_len += len + 1;
23417 -+
23418 -+ spin_unlock(&gr_learn_lock);
23419 -+ wake_up_interruptible(&learn_wait);
23420 -+
23421 -+ return;
23422 -+}
23423 -+
23424 -+static int
23425 -+open_learn(struct inode *inode, struct file *file)
23426 -+{
23427 -+ if (file->f_mode & FMODE_READ && gr_learn_attached)
23428 -+ return -EBUSY;
23429 -+ if (file->f_mode & FMODE_READ) {
23430 -+ int retval = 0;
23431 -+ down(&gr_learn_user_sem);
23432 -+ if (learn_buffer == NULL)
23433 -+ learn_buffer = vmalloc(LEARN_BUFFER_SIZE);
23434 -+ if (learn_buffer_user == NULL)
23435 -+ learn_buffer_user = vmalloc(LEARN_BUFFER_SIZE);
23436 -+ if (learn_buffer == NULL) {
23437 -+ retval = -ENOMEM;
23438 -+ goto out_error;
23439 -+ }
23440 -+ if (learn_buffer_user == NULL) {
23441 -+ retval = -ENOMEM;
23442 -+ goto out_error;
23443 -+ }
23444 -+ learn_buffer_len = 0;
23445 -+ learn_buffer_user_len = 0;
23446 -+ gr_learn_attached = 1;
23447 -+out_error:
23448 -+ up(&gr_learn_user_sem);
23449 -+ return retval;
23450 -+ }
23451 -+ return 0;
23452 -+}
23453 -+
23454 -+static int
23455 -+close_learn(struct inode *inode, struct file *file)
23456 -+{
23457 -+ char *tmp;
23458 -+
23459 -+ if (file->f_mode & FMODE_READ) {
23460 -+ down(&gr_learn_user_sem);
23461 -+ if (learn_buffer != NULL) {
23462 -+ spin_lock(&gr_learn_lock);
23463 -+ tmp = learn_buffer;
23464 -+ learn_buffer = NULL;
23465 -+ spin_unlock(&gr_learn_lock);
23466 -+ vfree(tmp);
23467 -+ }
23468 -+ if (learn_buffer_user != NULL) {
23469 -+ vfree(learn_buffer_user);
23470 -+ learn_buffer_user = NULL;
23471 -+ }
23472 -+ learn_buffer_len = 0;
23473 -+ learn_buffer_user_len = 0;
23474 -+ gr_learn_attached = 0;
23475 -+ up(&gr_learn_user_sem);
23476 -+ }
23477 -+
23478 -+ return 0;
23479 -+}
23480 -+
23481 -+struct file_operations grsec_fops = {
23482 -+ .read = read_learn,
23483 -+ .write = write_grsec_handler,
23484 -+ .open = open_learn,
23485 -+ .release = close_learn,
23486 -+ .poll = poll_learn,
23487 -+};
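Review bot: `gr_clear_learn_entries()` frees the wrong pointer: it saves the buffer in `tmp`, sets `learn_buffer = NULL;` under the spinlock and then calls `vfree(learn_buffer);`, which frees NULL and leaks the 512 KiB buffer on every clear; it should be `vfree(tmp);` as `close_learn()` already does. Also in `read_learn()`, `set_current_state(TASK_INTERRUPTIBLE)` is called once before the `do { ... } while (1)` loop, so after the first wake-up (or a `down()` that had to sleep) the task is back to TASK_RUNNING and the `schedule()` at the bottom of the loop no longer blocks, turning the wait into a spin until data arrives; set the state inside the loop immediately before `schedule()`, or replace the hand-rolled loop with `wait_event_interruptible()`. Finally, the `gr_learn_attached` check at the top of `open_learn()` runs before `down(&gr_learn_user_sem)`, so two concurrent readers can both pass it; do the check under the semaphore.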
23488 -diff -urNp linux-2.6.24.4/grsecurity/gracl_res.c linux-2.6.24.4/grsecurity/gracl_res.c
23489 ---- linux-2.6.24.4/grsecurity/gracl_res.c 1969-12-31 19:00:00.000000000 -0500
23490 -+++ linux-2.6.24.4/grsecurity/gracl_res.c 2008-03-26 17:56:56.000000000 -0400
23491 -@@ -0,0 +1,45 @@
23492 -+#include <linux/kernel.h>
23493 -+#include <linux/sched.h>
23494 -+#include <linux/gracl.h>
23495 -+#include <linux/grinternal.h>
23496 -+
23497 -+static const char *restab_log[] = {
23498 -+ [RLIMIT_CPU] = "RLIMIT_CPU",
23499 -+ [RLIMIT_FSIZE] = "RLIMIT_FSIZE",
23500 -+ [RLIMIT_DATA] = "RLIMIT_DATA",
23501 -+ [RLIMIT_STACK] = "RLIMIT_STACK",
23502 -+ [RLIMIT_CORE] = "RLIMIT_CORE",
23503 -+ [RLIMIT_RSS] = "RLIMIT_RSS",
23504 -+ [RLIMIT_NPROC] = "RLIMIT_NPROC",
23505 -+ [RLIMIT_NOFILE] = "RLIMIT_NOFILE",
23506 -+ [RLIMIT_MEMLOCK] = "RLIMIT_MEMLOCK",
23507 -+ [RLIMIT_AS] = "RLIMIT_AS",
23508 -+ [RLIMIT_LOCKS] = "RLIMIT_LOCKS",
23509 -+ [RLIMIT_LOCKS + 1] = "RLIMIT_CRASH"
23510 -+};
23511 -+
23512 -+void
23513 -+gr_log_resource(const struct task_struct *task,
23514 -+ const int res, const unsigned long wanted, const int gt)
23515 -+{
23516 -+ if (res == RLIMIT_NPROC &&
23517 -+ (cap_raised(task->cap_effective, CAP_SYS_ADMIN) ||
23518 -+ cap_raised(task->cap_effective, CAP_SYS_RESOURCE)))
23519 -+ return;
23520 -+ else if (res == RLIMIT_MEMLOCK &&
23521 -+ cap_raised(task->cap_effective, CAP_IPC_LOCK))
23522 -+ return;
23523 -+
23524 -+ if (!gr_acl_is_enabled() && !grsec_resource_logging)
23525 -+ return;
23526 -+
23527 -+ preempt_disable();
23528 -+
23529 -+ if (unlikely(((gt && wanted > task->signal->rlim[res].rlim_cur) ||
23530 -+ (!gt && wanted >= task->signal->rlim[res].rlim_cur)) &&
23531 -+ task->signal->rlim[res].rlim_cur != RLIM_INFINITY))
23532 -+ gr_log_res_ulong2_str(GR_DONT_AUDIT, GR_RESOURCE_MSG, task, wanted, restab_log[res], task->signal->rlim[res].rlim_cur);
23533 -+ preempt_enable_no_resched();
23534 -+
23535 -+ return;
23536 -+}
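Review bot: `gr_log_resource()` indexes `restab_log[res]` without a bounds check, but the table is only populated up to `[RLIMIT_LOCKS + 1] = "RLIMIT_CRASH"`; any resource number above that which a caller can pass (the signal-pending, message-queue, nice and rtprio limits are numbered after RLIMIT_LOCKS in 2.6.24) reads past the end of the array and hands a garbage pointer to `gr_log_res_ulong2_str()`, and the `RLIMIT_LOCKS + 1` slot collides with whichever real limit has that number. Either size the table to cover every rlimit index the callers can pass, or return early when `res >= ARRAY_SIZE(restab_log)` or `restab_log[res] == NULL`.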
23537 -diff -urNp linux-2.6.24.4/grsecurity/gracl_segv.c linux-2.6.24.4/grsecurity/gracl_segv.c
23538 ---- linux-2.6.24.4/grsecurity/gracl_segv.c 1969-12-31 19:00:00.000000000 -0500
23539 -+++ linux-2.6.24.4/grsecurity/gracl_segv.c 2008-03-26 17:56:56.000000000 -0400
23540 -@@ -0,0 +1,301 @@
23541 -+#include <linux/kernel.h>
23542 -+#include <linux/mm.h>
23543 -+#include <asm/uaccess.h>
23544 -+#include <asm/errno.h>
23545 -+#include <asm/mman.h>
23546 -+#include <net/sock.h>
23547 -+#include <linux/file.h>
23548 -+#include <linux/fs.h>
23549 -+#include <linux/net.h>
23550 -+#include <linux/in.h>
23551 -+#include <linux/smp_lock.h>
23552 -+#include <linux/slab.h>
23553 -+#include <linux/types.h>
23554 -+#include <linux/sched.h>
23555 -+#include <linux/timer.h>
23556 -+#include <linux/gracl.h>
23557 -+#include <linux/grsecurity.h>
23558 -+#include <linux/grinternal.h>
23559 -+
23560 -+static struct crash_uid *uid_set;
23561 -+static unsigned short uid_used;
23562 -+static spinlock_t gr_uid_lock = SPIN_LOCK_UNLOCKED;
23563 -+extern rwlock_t gr_inode_lock;
23564 -+extern struct acl_subject_label *
23565 -+ lookup_acl_subj_label(const ino_t inode, const dev_t dev,
23566 -+ struct acl_role_label *role);
23567 -+extern int specific_send_sig_info(int sig, struct siginfo *info, struct task_struct *t);
23568 -+
23569 -+int
23570 -+gr_init_uidset(void)
23571 -+{
23572 -+ uid_set =
23573 -+ kmalloc(GR_UIDTABLE_MAX * sizeof (struct crash_uid), GFP_KERNEL);
23574 -+ uid_used = 0;
23575 -+
23576 -+ return uid_set ? 1 : 0;
23577 -+}
23578 -+
23579 -+void
23580 -+gr_free_uidset(void)
23581 -+{
23582 -+ if (uid_set)
23583 -+ kfree(uid_set);
23584 -+
23585 -+ return;
23586 -+}
23587 -+
23588 -+int
23589 -+gr_find_uid(const uid_t uid)
23590 -+{
23591 -+ struct crash_uid *tmp = uid_set;
23592 -+ uid_t buid;
23593 -+ int low = 0, high = uid_used - 1, mid;
23594 -+
23595 -+ while (high >= low) {
23596 -+ mid = (low + high) >> 1;
23597 -+ buid = tmp[mid].uid;
23598 -+ if (buid == uid)
23599 -+ return mid;
23600 -+ if (buid > uid)
23601 -+ high = mid - 1;
23602 -+ if (buid < uid)
23603 -+ low = mid + 1;
23604 -+ }
23605 -+
23606 -+ return -1;
23607 -+}
23608 -+
23609 -+static __inline__ void
23610 -+gr_insertsort(void)
23611 -+{
23612 -+ unsigned short i, j;
23613 -+ struct crash_uid index;
23614 -+
23615 -+ for (i = 1; i < uid_used; i++) {
23616 -+ index = uid_set[i];
23617 -+ j = i;
23618 -+ while ((j > 0) && uid_set[j - 1].uid > index.uid) {
23619 -+ uid_set[j] = uid_set[j - 1];
23620 -+ j--;
23621 -+ }
23622 -+ uid_set[j] = index;
23623 -+ }
23624 -+
23625 -+ return;
23626 -+}
23627 -+
23628 -+static __inline__ void
23629 -+gr_insert_uid(const uid_t uid, const unsigned long expires)
23630 -+{
23631 -+ int loc;
23632 -+
23633 -+ if (uid_used == GR_UIDTABLE_MAX)
23634 -+ return;
23635 -+
23636 -+ loc = gr_find_uid(uid);
23637 -+
23638 -+ if (loc >= 0) {
23639 -+ uid_set[loc].expires = expires;
23640 -+ return;
23641 -+ }
23642 -+
23643 -+ uid_set[uid_used].uid = uid;
23644 -+ uid_set[uid_used].expires = expires;
23645 -+ uid_used++;
23646 -+
23647 -+ gr_insertsort();
23648 -+
23649 -+ return;
23650 -+}
23651 -+
23652 -+void
23653 -+gr_remove_uid(const unsigned short loc)
23654 -+{
23655 -+ unsigned short i;
23656 -+
23657 -+ for (i = loc + 1; i < uid_used; i++)
23658 -+ uid_set[i - 1] = uid_set[i];
23659 -+
23660 -+ uid_used--;
23661 -+
23662 -+ return;
23663 -+}
23664 -+
23665 -+int
23666 -+gr_check_crash_uid(const uid_t uid)
23667 -+{
23668 -+ int loc;
23669 -+ int ret = 0;
23670 -+
23671 -+ if (unlikely(!gr_acl_is_enabled()))
23672 -+ return 0;
23673 -+
23674 -+ spin_lock(&gr_uid_lock);
23675 -+ loc = gr_find_uid(uid);
23676 -+
23677 -+ if (loc < 0)
23678 -+ goto out_unlock;
23679 -+
23680 -+ if (time_before_eq(uid_set[loc].expires, get_seconds()))
23681 -+ gr_remove_uid(loc);
23682 -+ else
23683 -+ ret = 1;
23684 -+
23685 -+out_unlock:
23686 -+ spin_unlock(&gr_uid_lock);
23687 -+ return ret;
23688 -+}
23689 -+
23690 -+static __inline__ int
23691 -+proc_is_setxid(const struct task_struct *task)
23692 -+{
23693 -+ if (task->uid != task->euid || task->uid != task->suid ||
23694 -+ task->uid != task->fsuid)
23695 -+ return 1;
23696 -+ if (task->gid != task->egid || task->gid != task->sgid ||
23697 -+ task->gid != task->fsgid)
23698 -+ return 1;
23699 -+
23700 -+ return 0;
23701 -+}
23702 -+static __inline__ int
23703 -+gr_fake_force_sig(int sig, struct task_struct *t)
23704 -+{
23705 -+ unsigned long int flags;
23706 -+ int ret, blocked, ignored;
23707 -+ struct k_sigaction *action;
23708 -+
23709 -+ spin_lock_irqsave(&t->sighand->siglock, flags);
23710 -+ action = &t->sighand->action[sig-1];
23711 -+ ignored = action->sa.sa_handler == SIG_IGN;
23712 -+ blocked = sigismember(&t->blocked, sig);
23713 -+ if (blocked || ignored) {
23714 -+ action->sa.sa_handler = SIG_DFL;
23715 -+ if (blocked) {
23716 -+ sigdelset(&t->blocked, sig);
23717 -+ recalc_sigpending_and_wake(t);
23718 -+ }
23719 -+ }
23720 -+ ret = specific_send_sig_info(sig, (void*)1L, t);
23721 -+ spin_unlock_irqrestore(&t->sighand->siglock, flags);
23722 -+
23723 -+ return ret;
23724 -+}
23725 -+
23726 -+void
23727 -+gr_handle_crash(struct task_struct *task, const int sig)
23728 -+{
23729 -+ struct acl_subject_label *curr;
23730 -+ struct acl_subject_label *curr2;
23731 -+ struct task_struct *tsk, *tsk2;
23732 -+
23733 -+ if (sig != SIGSEGV && sig != SIGKILL && sig != SIGBUS && sig != SIGILL)
23734 -+ return;
23735 -+
23736 -+ if (unlikely(!gr_acl_is_enabled()))
23737 -+ return;
23738 -+
23739 -+ curr = task->acl;
23740 -+
23741 -+ if (!(curr->resmask & (1 << GR_CRASH_RES)))
23742 -+ return;
23743 -+
23744 -+ if (time_before_eq(curr->expires, get_seconds())) {
23745 -+ curr->expires = 0;
23746 -+ curr->crashes = 0;
23747 -+ }
23748 -+
23749 -+ curr->crashes++;
23750 -+
23751 -+ if (!curr->expires)
23752 -+ curr->expires = get_seconds() + curr->res[GR_CRASH_RES].rlim_max;
23753 -+
23754 -+ if ((curr->crashes >= curr->res[GR_CRASH_RES].rlim_cur) &&
23755 -+ time_after(curr->expires, get_seconds())) {
23756 -+ if (task->uid && proc_is_setxid(task)) {
23757 -+ gr_log_crash1(GR_DONT_AUDIT, GR_SEGVSTART_ACL_MSG, task, curr->res[GR_CRASH_RES].rlim_max);
23758 -+ spin_lock(&gr_uid_lock);
23759 -+ gr_insert_uid(task->uid, curr->expires);
23760 -+ spin_unlock(&gr_uid_lock);
23761 -+ curr->expires = 0;
23762 -+ curr->crashes = 0;
23763 -+ read_lock(&tasklist_lock);
23764 -+ do_each_thread(tsk2, tsk) {
23765 -+ if (tsk != task && tsk->uid == task->uid)
23766 -+ gr_fake_force_sig(SIGKILL, tsk);
23767 -+ } while_each_thread(tsk2, tsk);
23768 -+ read_unlock(&tasklist_lock);
23769 -+ } else {
23770 -+ gr_log_crash2(GR_DONT_AUDIT, GR_SEGVNOSUID_ACL_MSG, task, curr->res[GR_CRASH_RES].rlim_max);
23771 -+ read_lock(&tasklist_lock);
23772 -+ do_each_thread(tsk2, tsk) {
23773 -+ if (likely(tsk != task)) {
23774 -+ curr2 = tsk->acl;
23775 -+
23776 -+ if (curr2->device == curr->device &&
23777 -+ curr2->inode == curr->inode)
23778 -+ gr_fake_force_sig(SIGKILL, tsk);
23779 -+ }
23780 -+ } while_each_thread(tsk2, tsk);
23781 -+ read_unlock(&tasklist_lock);
23782 -+ }
23783 -+ }
23784 -+
23785 -+ return;
23786 -+}
23787 -+
23788 -+int
23789 -+gr_check_crash_exec(const struct file *filp)
23790 -+{
23791 -+ struct acl_subject_label *curr;
23792 -+
23793 -+ if (unlikely(!gr_acl_is_enabled()))
23794 -+ return 0;
23795 -+
23796 -+ read_lock(&gr_inode_lock);
23797 -+ curr = lookup_acl_subj_label(filp->f_dentry->d_inode->i_ino,
23798 -+ filp->f_dentry->d_inode->i_sb->s_dev,
23799 -+ current->role);
23800 -+ read_unlock(&gr_inode_lock);
23801 -+
23802 -+ if (!curr || !(curr->resmask & (1 << GR_CRASH_RES)) ||
23803 -+ (!curr->crashes && !curr->expires))
23804 -+ return 0;
23805 -+
23806 -+ if ((curr->crashes >= curr->res[GR_CRASH_RES].rlim_cur) &&
23807 -+ time_after(curr->expires, get_seconds()))
23808 -+ return 1;
23809 -+ else if (time_before_eq(curr->expires, get_seconds())) {
23810 -+ curr->crashes = 0;
23811 -+ curr->expires = 0;
23812 -+ }
23813 -+
23814 -+ return 0;
23815 -+}
23816 -+
23817 -+void
23818 -+gr_handle_alertkill(struct task_struct *task)
23819 -+{
23820 -+ struct acl_subject_label *curracl;
23821 -+ __u32 curr_ip;
23822 -+ struct task_struct *p, *p2;
23823 -+
23824 -+ if (unlikely(!gr_acl_is_enabled()))
23825 -+ return;
23826 -+
23827 -+ curracl = task->acl;
23828 -+ curr_ip = task->signal->curr_ip;
23829 -+
23830 -+ if ((curracl->mode & GR_KILLIPPROC) && curr_ip) {
23831 -+ read_lock(&tasklist_lock);
23832 -+ do_each_thread(p2, p) {
23833 -+ if (p->signal->curr_ip == curr_ip)
23834 -+ gr_fake_force_sig(SIGKILL, p);
23835 -+ } while_each_thread(p2, p);
23836 -+ read_unlock(&tasklist_lock);
23837 -+ } else if (curracl->mode & GR_KILLPROC)
23838 -+ gr_fake_force_sig(SIGKILL, task);
23839 -+
23840 -+ return;
23841 -+}
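Review bot: `gr_handle_crash()` and `gr_check_crash_exec()` update the shared subject label's `curr->crashes` and `curr->expires` with no lock held, while only the uid table is protected by `gr_uid_lock`; two threads of the same subject crashing at once can lose an increment or reset each other's window, so the counter and expiry should be updated under a lock (gr_uid_lock or a per-label one). Two smaller points: `gr_fake_force_sig()` passes `(void*)1L` as the siginfo pointer where the kernel's named `SEND_SIG_PRIV` constant would make the intent clear, and `gr_insert_uid()` returns early when `uid_used == GR_UIDTABLE_MAX` before calling `gr_find_uid()`, so once the table is full an already-present uid never gets its `expires` refreshed; do the lookup first and only bail out for a genuinely new uid.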
23842 -diff -urNp linux-2.6.24.4/grsecurity/gracl_shm.c linux-2.6.24.4/grsecurity/gracl_shm.c
23843 ---- linux-2.6.24.4/grsecurity/gracl_shm.c 1969-12-31 19:00:00.000000000 -0500
23844 -+++ linux-2.6.24.4/grsecurity/gracl_shm.c 2008-03-26 17:56:56.000000000 -0400
23845 -@@ -0,0 +1,33 @@
23846 -+#include <linux/kernel.h>
23847 -+#include <linux/mm.h>
23848 -+#include <linux/sched.h>
23849 -+#include <linux/file.h>
23850 -+#include <linux/ipc.h>
23851 -+#include <linux/gracl.h>
23852 -+#include <linux/grsecurity.h>
23853 -+#include <linux/grinternal.h>
23854 -+
23855 -+int
23856 -+gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
23857 -+ const time_t shm_createtime, const uid_t cuid, const int shmid)
23858 -+{
23859 -+ struct task_struct *task;
23860 -+
23861 -+ if (!gr_acl_is_enabled())
23862 -+ return 1;
23863 -+
23864 -+ task = find_task_by_pid(shm_cprid);
23865 -+
23866 -+ if (unlikely(!task))
23867 -+ task = find_task_by_pid(shm_lapid);
23868 -+
23869 -+ if (unlikely(task && (time_before_eq((unsigned long)task->start_time.tv_sec, (unsigned long)shm_createtime) ||
23870 -+ (task->pid == shm_lapid)) &&
23871 -+ (task->acl->mode & GR_PROTSHM) &&
23872 -+ (task->acl != current->acl))) {
23873 -+ gr_log_int3(GR_DONT_AUDIT, GR_SHMAT_ACL_MSG, cuid, shm_cprid, shmid);
23874 -+ return 0;
23875 -+ }
23876 -+
23877 -+ return 1;
23878 -+}
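Review bot: `find_task_by_pid()` is called here without `rcu_read_lock()` or `tasklist_lock` held, and the returned task is then dereferenced (`task->start_time`, `task->acl`); unless every caller of `gr_handle_shmat()` holds one of those, the task can exit and be freed between the lookup and the use. The chroot variant in grsec_chroot.c does the same lookup under `read_lock(&tasklist_lock)`; this function should too, or document the locking it expects from the caller.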
23879 -diff -urNp linux-2.6.24.4/grsecurity/grsec_chdir.c linux-2.6.24.4/grsecurity/grsec_chdir.c
23880 ---- linux-2.6.24.4/grsecurity/grsec_chdir.c 1969-12-31 19:00:00.000000000 -0500
23881 -+++ linux-2.6.24.4/grsecurity/grsec_chdir.c 2008-03-26 17:56:56.000000000 -0400
23882 -@@ -0,0 +1,19 @@
23883 -+#include <linux/kernel.h>
23884 -+#include <linux/sched.h>
23885 -+#include <linux/fs.h>
23886 -+#include <linux/file.h>
23887 -+#include <linux/grsecurity.h>
23888 -+#include <linux/grinternal.h>
23889 -+
23890 -+void
23891 -+gr_log_chdir(const struct dentry *dentry, const struct vfsmount *mnt)
23892 -+{
23893 -+#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR
23894 -+ if ((grsec_enable_chdir && grsec_enable_group &&
23895 -+ in_group_p(grsec_audit_gid)) || (grsec_enable_chdir &&
23896 -+ !grsec_enable_group)) {
23897 -+ gr_log_fs_generic(GR_DO_AUDIT, GR_CHDIR_AUDIT_MSG, dentry, mnt);
23898 -+ }
23899 -+#endif
23900 -+ return;
23901 -+}
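Review bot: the condition in `gr_log_chdir()` repeats `grsec_enable_chdir` in both halves of the OR; it reads more clearly as `grsec_enable_chdir && (!grsec_enable_group || in_group_p(grsec_audit_gid))`, which is the same predicate.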
23902 -diff -urNp linux-2.6.24.4/grsecurity/grsec_chroot.c linux-2.6.24.4/grsecurity/grsec_chroot.c
23903 ---- linux-2.6.24.4/grsecurity/grsec_chroot.c 1969-12-31 19:00:00.000000000 -0500
23904 -+++ linux-2.6.24.4/grsecurity/grsec_chroot.c 2008-03-26 17:56:56.000000000 -0400
23905 -@@ -0,0 +1,335 @@
23906 -+#include <linux/kernel.h>
23907 -+#include <linux/module.h>
23908 -+#include <linux/sched.h>
23909 -+#include <linux/file.h>
23910 -+#include <linux/fs.h>
23911 -+#include <linux/mount.h>
23912 -+#include <linux/types.h>
23913 -+#include <linux/pid_namespace.h>
23914 -+#include <linux/grsecurity.h>
23915 -+#include <linux/grinternal.h>
23916 -+
23917 -+int
23918 -+gr_handle_chroot_unix(const pid_t pid)
23919 -+{
23920 -+#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
23921 -+ struct pid *spid = NULL;
23922 -+
23923 -+ if (unlikely(!grsec_enable_chroot_unix))
23924 -+ return 1;
23925 -+
23926 -+ if (likely(!proc_is_chrooted(current)))
23927 -+ return 1;
23928 -+
23929 -+ read_lock(&tasklist_lock);
23930 -+
23931 -+ spid = find_pid(pid);
23932 -+ if (spid) {
23933 -+ struct task_struct *p;
23934 -+ p = pid_task(spid, PIDTYPE_PID);
23935 -+ task_lock(p);
23936 -+ if (unlikely(!have_same_root(current, p))) {
23937 -+ task_unlock(p);
23938 -+ read_unlock(&tasklist_lock);
23939 -+ gr_log_noargs(GR_DONT_AUDIT, GR_UNIX_CHROOT_MSG);
23940 -+ return 0;
23941 -+ }
23942 -+ task_unlock(p);
23943 -+ }
23944 -+ read_unlock(&tasklist_lock);
23945 -+#endif
23946 -+ return 1;
23947 -+}
23948 -+
23949 -+int
23950 -+gr_handle_chroot_nice(void)
23951 -+{
23952 -+#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
23953 -+ if (grsec_enable_chroot_nice && proc_is_chrooted(current)) {
23954 -+ gr_log_noargs(GR_DONT_AUDIT, GR_NICE_CHROOT_MSG);
23955 -+ return -EPERM;
23956 -+ }
23957 -+#endif
23958 -+ return 0;
23959 -+}
23960 -+
23961 -+int
23962 -+gr_handle_chroot_setpriority(struct task_struct *p, const int niceval)
23963 -+{
23964 -+#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
23965 -+ if (grsec_enable_chroot_nice && (niceval < task_nice(p))
23966 -+ && proc_is_chrooted(current)) {
23967 -+ gr_log_str_int(GR_DONT_AUDIT, GR_PRIORITY_CHROOT_MSG, p->comm, p->pid);
23968 -+ return -EACCES;
23969 -+ }
23970 -+#endif
23971 -+ return 0;
23972 -+}
23973 -+
23974 -+int
23975 -+gr_handle_chroot_rawio(const struct inode *inode)
23976 -+{
23977 -+#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
23978 -+ if (grsec_enable_chroot_caps && proc_is_chrooted(current) &&
23979 -+ inode && S_ISBLK(inode->i_mode) && !capable(CAP_SYS_RAWIO))
23980 -+ return 1;
23981 -+#endif
23982 -+ return 0;
23983 -+}
23984 -+
23985 -+int
23986 -+gr_pid_is_chrooted(struct task_struct *p)
23987 -+{
23988 -+#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
23989 -+ if (!grsec_enable_chroot_findtask || !proc_is_chrooted(current) || p == NULL)
23990 -+ return 0;
23991 -+
23992 -+ task_lock(p);
23993 -+ if ((p->exit_state & (EXIT_ZOMBIE | EXIT_DEAD)) ||
23994 -+ !have_same_root(current, p)) {
23995 -+ task_unlock(p);
23996 -+ return 1;
23997 -+ }
23998 -+ task_unlock(p);
23999 -+#endif
24000 -+ return 0;
24001 -+}
24002 -+
24003 -+EXPORT_SYMBOL(gr_pid_is_chrooted);
24004 -+
24005 -+#if defined(CONFIG_GRKERNSEC_CHROOT_DOUBLE) || defined(CONFIG_GRKERNSEC_CHROOT_FCHDIR)
24006 -+int gr_is_outside_chroot(const struct dentry *u_dentry, const struct vfsmount *u_mnt)
24007 -+{
24008 -+ struct dentry *dentry = (struct dentry *)u_dentry;
24009 -+ struct vfsmount *mnt = (struct vfsmount *)u_mnt;
24010 -+ struct dentry *realroot;
24011 -+ struct vfsmount *realrootmnt;
24012 -+ struct dentry *currentroot;
24013 -+ struct vfsmount *currentmnt;
24014 -+ struct task_struct *reaper = current->nsproxy->pid_ns->child_reaper;
24015 -+ int ret = 1;
24016 -+
24017 -+ read_lock(&reaper->fs->lock);
24018 -+ realrootmnt = mntget(reaper->fs->rootmnt);
24019 -+ realroot = dget(reaper->fs->root);
24020 -+ read_unlock(&reaper->fs->lock);
24021 -+
24022 -+ read_lock(&current->fs->lock);
24023 -+ currentmnt = mntget(current->fs->rootmnt);
24024 -+ currentroot = dget(current->fs->root);
24025 -+ read_unlock(&current->fs->lock);
24026 -+
24027 -+ spin_lock(&dcache_lock);
24028 -+ for (;;) {
24029 -+ if (unlikely((dentry == realroot && mnt == realrootmnt)
24030 -+ || (dentry == currentroot && mnt == currentmnt)))
24031 -+ break;
24032 -+ if (unlikely(dentry == mnt->mnt_root || IS_ROOT(dentry))) {
24033 -+ if (mnt->mnt_parent == mnt)
24034 -+ break;
24035 -+ dentry = mnt->mnt_mountpoint;
24036 -+ mnt = mnt->mnt_parent;
24037 -+ continue;
24038 -+ }
24039 -+ dentry = dentry->d_parent;
24040 -+ }
24041 -+ spin_unlock(&dcache_lock);
24042 -+
24043 -+ dput(currentroot);
24044 -+ mntput(currentmnt);
24045 -+
24046 -+ /* access is outside of chroot */
24047 -+ if (dentry == realroot && mnt == realrootmnt)
24048 -+ ret = 0;
24049 -+
24050 -+ dput(realroot);
24051 -+ mntput(realrootmnt);
24052 -+ return ret;
24053 -+}
24054 -+#endif
24055 -+
24056 -+int
24057 -+gr_chroot_fchdir(struct dentry *u_dentry, struct vfsmount *u_mnt)
24058 -+{
24059 -+#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
24060 -+ if (!grsec_enable_chroot_fchdir)
24061 -+ return 1;
24062 -+
24063 -+ if (!proc_is_chrooted(current))
24064 -+ return 1;
24065 -+ else if (!gr_is_outside_chroot(u_dentry, u_mnt)) {
24066 -+ gr_log_fs_generic(GR_DONT_AUDIT, GR_CHROOT_FCHDIR_MSG, u_dentry, u_mnt);
24067 -+ return 0;
24068 -+ }
24069 -+#endif
24070 -+ return 1;
24071 -+}
24072 -+
24073 -+int
24074 -+gr_chroot_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
24075 -+ const time_t shm_createtime)
24076 -+{
24077 -+#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT
24078 -+ struct pid *pid = NULL;
24079 -+ time_t starttime;
24080 -+
24081 -+ if (unlikely(!grsec_enable_chroot_shmat))
24082 -+ return 1;
24083 -+
24084 -+ if (likely(!proc_is_chrooted(current)))
24085 -+ return 1;
24086 -+
24087 -+ read_lock(&tasklist_lock);
24088 -+
24089 -+ pid = find_pid(shm_cprid);
24090 -+ if (pid) {
24091 -+ struct task_struct *p;
24092 -+ p = pid_task(pid, PIDTYPE_PID);
24093 -+ task_lock(p);
24094 -+ starttime = p->start_time.tv_sec;
24095 -+ if (unlikely(!have_same_root(current, p) &&
24096 -+ time_before_eq((unsigned long)starttime, (unsigned long)shm_createtime))) {
24097 -+ task_unlock(p);
24098 -+ read_unlock(&tasklist_lock);
24099 -+ gr_log_noargs(GR_DONT_AUDIT, GR_SHMAT_CHROOT_MSG);
24100 -+ return 0;
24101 -+ }
24102 -+ task_unlock(p);
24103 -+ } else {
24104 -+ pid = find_pid(shm_lapid);
24105 -+ if (pid) {
24106 -+ struct task_struct *p;
24107 -+ p = pid_task(pid, PIDTYPE_PID);
24108 -+ task_lock(p);
24109 -+ if (unlikely(!have_same_root(current, p))) {
24110 -+ task_unlock(p);
24111 -+ read_unlock(&tasklist_lock);
24112 -+ gr_log_noargs(GR_DONT_AUDIT, GR_SHMAT_CHROOT_MSG);
24113 -+ return 0;
24114 -+ }
24115 -+ task_unlock(p);
24116 -+ }
24117 -+ }
24118 -+
24119 -+ read_unlock(&tasklist_lock);
24120 -+#endif
24121 -+ return 1;
24122 -+}
24123 -+
24124 -+void
24125 -+gr_log_chroot_exec(const struct dentry *dentry, const struct vfsmount *mnt)
24126 -+{
24127 -+#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
24128 -+ if (grsec_enable_chroot_execlog && proc_is_chrooted(current))
24129 -+ gr_log_fs_generic(GR_DO_AUDIT, GR_EXEC_CHROOT_MSG, dentry, mnt);
24130 -+#endif
24131 -+ return;
24132 -+}
24133 -+
24134 -+int
24135 -+gr_handle_chroot_mknod(const struct dentry *dentry,
24136 -+ const struct vfsmount *mnt, const int mode)
24137 -+{
24138 -+#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
24139 -+ if (grsec_enable_chroot_mknod && !S_ISFIFO(mode) && !S_ISREG(mode) &&
24140 -+ proc_is_chrooted(current)) {
24141 -+ gr_log_fs_generic(GR_DONT_AUDIT, GR_MKNOD_CHROOT_MSG, dentry, mnt);
24142 -+ return -EPERM;
24143 -+ }
24144 -+#endif
24145 -+ return 0;
24146 -+}
24147 -+
24148 -+int
24149 -+gr_handle_chroot_mount(const struct dentry *dentry,
24150 -+ const struct vfsmount *mnt, const char *dev_name)
24151 -+{
24152 -+#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
24153 -+ if (grsec_enable_chroot_mount && proc_is_chrooted(current)) {
24154 -+ gr_log_str_fs(GR_DONT_AUDIT, GR_MOUNT_CHROOT_MSG, dev_name, dentry, mnt);
24155 -+ return -EPERM;
24156 -+ }
24157 -+#endif
24158 -+ return 0;
24159 -+}
24160 -+
24161 -+int
24162 -+gr_handle_chroot_pivot(void)
24163 -+{
24164 -+#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT
24165 -+ if (grsec_enable_chroot_pivot && proc_is_chrooted(current)) {
24166 -+ gr_log_noargs(GR_DONT_AUDIT, GR_PIVOT_CHROOT_MSG);
24167 -+ return -EPERM;
24168 -+ }
24169 -+#endif
24170 -+ return 0;
24171 -+}
24172 -+
24173 -+int
24174 -+gr_handle_chroot_chroot(const struct dentry *dentry, const struct vfsmount *mnt)
24175 -+{
24176 -+#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
24177 -+ if (grsec_enable_chroot_double && proc_is_chrooted(current) &&
24178 -+ !gr_is_outside_chroot(dentry, mnt)) {
24179 -+ gr_log_fs_generic(GR_DONT_AUDIT, GR_CHROOT_CHROOT_MSG, dentry, mnt);
24180 -+ return -EPERM;
24181 -+ }
24182 -+#endif
24183 -+ return 0;
24184 -+}
24185 -+
24186 -+void
24187 -+gr_handle_chroot_caps(struct task_struct *task)
24188 -+{
24189 -+#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
24190 -+ if (grsec_enable_chroot_caps && proc_is_chrooted(task)) {
24191 -+ task->cap_permitted =
24192 -+ cap_drop(task->cap_permitted, GR_CHROOT_CAPS);
24193 -+ task->cap_inheritable =
24194 -+ cap_drop(task->cap_inheritable, GR_CHROOT_CAPS);
24195 -+ task->cap_effective =
24196 -+ cap_drop(task->cap_effective, GR_CHROOT_CAPS);
24197 -+ }
24198 -+#endif
24199 -+ return;
24200 -+}
24201 -+
24202 -+int
24203 -+gr_handle_chroot_sysctl(const int op)
24204 -+{
24205 -+#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
24206 -+ if (grsec_enable_chroot_sysctl && proc_is_chrooted(current)
24207 -+ && (op & 002))
24208 -+ return -EACCES;
24209 -+#endif
24210 -+ return 0;
24211 -+}
24212 -+
24213 -+void
24214 -+gr_handle_chroot_chdir(struct dentry *dentry, struct vfsmount *mnt)
24215 -+{
24216 -+#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
24217 -+ if (grsec_enable_chroot_chdir)
24218 -+ set_fs_pwd(current->fs, mnt, dentry);
24219 -+#endif
24220 -+ return;
24221 -+}
24222 -+
24223 -+int
24224 -+gr_handle_chroot_chmod(const struct dentry *dentry,
24225 -+ const struct vfsmount *mnt, const int mode)
24226 -+{
24227 -+#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
24228 -+ if (grsec_enable_chroot_chmod &&
24229 -+ ((mode & S_ISUID) || ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP))) &&
24230 -+ proc_is_chrooted(current)) {
24231 -+ gr_log_fs_generic(GR_DONT_AUDIT, GR_CHMOD_CHROOT_MSG, dentry, mnt);
24232 -+ return -EPERM;
24233 -+ }
24234 -+#endif
24235 -+ return 0;
24236 -+}
24237 -+
24238 -+#ifdef CONFIG_SECURITY
24239 -+EXPORT_SYMBOL(gr_handle_chroot_caps);
24240 -+#endif
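Review bot: the `op & 002` test in gr_handle_chroot_sysctl is an unexplained octal literal; name it or comment it (it is the write bit of the sysctl access mode, so only sysctl writes from a chrooted task are refused while reads still return 0) so the next reader does not have to reconstruct that from the call site. A documentation point on gr_handle_chroot_caps in the same hunk: it strips GR_CHROOT_CAPS from the permitted, inheritable and effective sets of the given task, but nothing in this hunk says when it is invoked or that the three cap_drop calls are never reversed, so a comment stating that the drop is permanent for the task and is inherited by its children would help anyone auditing the chroot hardening.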
24241 -diff -urNp linux-2.6.24.4/grsecurity/grsec_disabled.c linux-2.6.24.4/grsecurity/grsec_disabled.c
24242 ---- linux-2.6.24.4/grsecurity/grsec_disabled.c 1969-12-31 19:00:00.000000000 -0500
24243 -+++ linux-2.6.24.4/grsecurity/grsec_disabled.c 2008-03-26 17:56:56.000000000 -0400
24244 -@@ -0,0 +1,418 @@
24245 -+#include <linux/kernel.h>
24246 -+#include <linux/module.h>
24247 -+#include <linux/sched.h>
24248 -+#include <linux/file.h>
24249 -+#include <linux/fs.h>
24250 -+#include <linux/kdev_t.h>
24251 -+#include <linux/net.h>
24252 -+#include <linux/in.h>
24253 -+#include <linux/ip.h>
24254 -+#include <linux/skbuff.h>
24255 -+#include <linux/sysctl.h>
24256 -+
24257 -+#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
24258 -+void
24259 -+pax_set_initial_flags(struct linux_binprm *bprm)
24260 -+{
24261 -+ return;
24262 -+}
24263 -+#endif
24264 -+
24265 -+#ifdef CONFIG_SYSCTL
24266 -+__u32
24267 -+gr_handle_sysctl(const struct ctl_table * table, const int op)
24268 -+{
24269 -+ return 0;
24270 -+}
24271 -+#endif
24272 -+
24273 -+int
24274 -+gr_acl_is_enabled(void)
24275 -+{
24276 -+ return 0;
24277 -+}
24278 -+
24279 -+int
24280 -+gr_handle_rawio(const struct inode *inode)
24281 -+{
24282 -+ return 0;
24283 -+}
24284 -+
24285 -+void
24286 -+gr_acl_handle_psacct(struct task_struct *task, const long code)
24287 -+{
24288 -+ return;
24289 -+}
24290 -+
24291 -+int
24292 -+gr_handle_ptrace(struct task_struct *task, const long request)
24293 -+{
24294 -+ return 0;
24295 -+}
24296 -+
24297 -+int
24298 -+gr_handle_proc_ptrace(struct task_struct *task)
24299 -+{
24300 -+ return 0;
24301 -+}
24302 -+
24303 -+void
24304 -+gr_learn_resource(const struct task_struct *task,
24305 -+ const int res, const unsigned long wanted, const int gt)
24306 -+{
24307 -+ return;
24308 -+}
24309 -+
24310 -+int
24311 -+gr_set_acls(const int type)
24312 -+{
24313 -+ return 0;
24314 -+}
24315 -+
24316 -+int
24317 -+gr_check_hidden_task(const struct task_struct *tsk)
24318 -+{
24319 -+ return 0;
24320 -+}
24321 -+
24322 -+int
24323 -+gr_check_protected_task(const struct task_struct *task)
24324 -+{
24325 -+ return 0;
24326 -+}
24327 -+
24328 -+void
24329 -+gr_copy_label(struct task_struct *tsk)
24330 -+{
24331 -+ return;
24332 -+}
24333 -+
24334 -+void
24335 -+gr_set_pax_flags(struct task_struct *task)
24336 -+{
24337 -+ return;
24338 -+}
24339 -+
24340 -+int
24341 -+gr_set_proc_label(const struct dentry *dentry, const struct vfsmount *mnt)
24342 -+{
24343 -+ return 0;
24344 -+}
24345 -+
24346 -+void
24347 -+gr_handle_delete(const ino_t ino, const dev_t dev)
24348 -+{
24349 -+ return;
24350 -+}
24351 -+
24352 -+void
24353 -+gr_handle_create(const struct dentry *dentry, const struct vfsmount *mnt)
24354 -+{
24355 -+ return;
24356 -+}
24357 -+
24358 -+void
24359 -+gr_handle_crash(struct task_struct *task, const int sig)
24360 -+{
24361 -+ return;
24362 -+}
24363 -+
24364 -+int
24365 -+gr_check_crash_exec(const struct file *filp)
24366 -+{
24367 -+ return 0;
24368 -+}
24369 -+
24370 -+int
24371 -+gr_check_crash_uid(const uid_t uid)
24372 -+{
24373 -+ return 0;
24374 -+}
24375 -+
24376 -+void
24377 -+gr_handle_rename(struct inode *old_dir, struct inode *new_dir,
24378 -+ struct dentry *old_dentry,
24379 -+ struct dentry *new_dentry,
24380 -+ struct vfsmount *mnt, const __u8 replace)
24381 -+{
24382 -+ return;
24383 -+}
24384 -+
24385 -+int
24386 -+gr_search_socket(const int family, const int type, const int protocol)
24387 -+{
24388 -+ return 1;
24389 -+}
24390 -+
24391 -+int
24392 -+gr_search_connectbind(const int mode, const struct socket *sock,
24393 -+ const struct sockaddr_in *addr)
24394 -+{
24395 -+ return 1;
24396 -+}
24397 -+
24398 -+int
24399 -+gr_task_is_capable(struct task_struct *task, const int cap)
24400 -+{
24401 -+ return 1;
24402 -+}
24403 -+
24404 -+int
24405 -+gr_is_capable_nolog(const int cap)
24406 -+{
24407 -+ return 1;
24408 -+}
24409 -+
24410 -+void
24411 -+gr_handle_alertkill(struct task_struct *task)
24412 -+{
24413 -+ return;
24414 -+}
24415 -+
24416 -+__u32
24417 -+gr_acl_handle_execve(const struct dentry * dentry, const struct vfsmount * mnt)
24418 -+{
24419 -+ return 1;
24420 -+}
24421 -+
24422 -+__u32
24423 -+gr_acl_handle_hidden_file(const struct dentry * dentry,
24424 -+ const struct vfsmount * mnt)
24425 -+{
24426 -+ return 1;
24427 -+}
24428 -+
24429 -+__u32
24430 -+gr_acl_handle_open(const struct dentry * dentry, const struct vfsmount * mnt,
24431 -+ const int fmode)
24432 -+{
24433 -+ return 1;
24434 -+}
24435 -+
24436 -+__u32
24437 -+gr_acl_handle_rmdir(const struct dentry * dentry, const struct vfsmount * mnt)
24438 -+{
24439 -+ return 1;
24440 -+}
24441 -+
24442 -+__u32
24443 -+gr_acl_handle_unlink(const struct dentry * dentry, const struct vfsmount * mnt)
24444 -+{
24445 -+ return 1;
24446 -+}
24447 -+
24448 -+int
24449 -+gr_acl_handle_mmap(const struct file *file, const unsigned long prot,
24450 -+ unsigned int *vm_flags)
24451 -+{
24452 -+ return 1;
24453 -+}
24454 -+
24455 -+__u32
24456 -+gr_acl_handle_truncate(const struct dentry * dentry,
24457 -+ const struct vfsmount * mnt)
24458 -+{
24459 -+ return 1;
24460 -+}
24461 -+
24462 -+__u32
24463 -+gr_acl_handle_utime(const struct dentry * dentry, const struct vfsmount * mnt)
24464 -+{
24465 -+ return 1;
24466 -+}
24467 -+
24468 -+__u32
24469 -+gr_acl_handle_access(const struct dentry * dentry,
24470 -+ const struct vfsmount * mnt, const int fmode)
24471 -+{
24472 -+ return 1;
24473 -+}
24474 -+
24475 -+__u32
24476 -+gr_acl_handle_fchmod(const struct dentry * dentry, const struct vfsmount * mnt,
24477 -+ mode_t mode)
24478 -+{
24479 -+ return 1;
24480 -+}
24481 -+
24482 -+__u32
24483 -+gr_acl_handle_chmod(const struct dentry * dentry, const struct vfsmount * mnt,
24484 -+ mode_t mode)
24485 -+{
24486 -+ return 1;
24487 -+}
24488 -+
24489 -+__u32
24490 -+gr_acl_handle_chown(const struct dentry * dentry, const struct vfsmount * mnt)
24491 -+{
24492 -+ return 1;
24493 -+}
24494 -+
24495 -+void
24496 -+grsecurity_init(void)
24497 -+{
24498 -+ return;
24499 -+}
24500 -+
24501 -+__u32
24502 -+gr_acl_handle_mknod(const struct dentry * new_dentry,
24503 -+ const struct dentry * parent_dentry,
24504 -+ const struct vfsmount * parent_mnt,
24505 -+ const int mode)
24506 -+{
24507 -+ return 1;
24508 -+}
24509 -+
24510 -+__u32
24511 -+gr_acl_handle_mkdir(const struct dentry * new_dentry,
24512 -+ const struct dentry * parent_dentry,
24513 -+ const struct vfsmount * parent_mnt)
24514 -+{
24515 -+ return 1;
24516 -+}
24517 -+
24518 -+__u32
24519 -+gr_acl_handle_symlink(const struct dentry * new_dentry,
24520 -+ const struct dentry * parent_dentry,
24521 -+ const struct vfsmount * parent_mnt, const char *from)
24522 -+{
24523 -+ return 1;
24524 -+}
24525 -+
24526 -+__u32
24527 -+gr_acl_handle_link(const struct dentry * new_dentry,
24528 -+ const struct dentry * parent_dentry,
24529 -+ const struct vfsmount * parent_mnt,
24530 -+ const struct dentry * old_dentry,
24531 -+ const struct vfsmount * old_mnt, const char *to)
24532 -+{
24533 -+ return 1;
24534 -+}
24535 -+
24536 -+int
24537 -+gr_acl_handle_rename(const struct dentry *new_dentry,
24538 -+ const struct dentry *parent_dentry,
24539 -+ const struct vfsmount *parent_mnt,
24540 -+ const struct dentry *old_dentry,
24541 -+ const struct inode *old_parent_inode,
24542 -+ const struct vfsmount *old_mnt, const char *newname)
24543 -+{
24544 -+ return 0;
24545 -+}
24546 -+
24547 -+int
24548 -+gr_acl_handle_filldir(const struct file *file, const char *name,
24549 -+ const int namelen, const ino_t ino)
24550 -+{
24551 -+ return 1;
24552 -+}
24553 -+
24554 -+int
24555 -+gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
24556 -+ const time_t shm_createtime, const uid_t cuid, const int shmid)
24557 -+{
24558 -+ return 1;
24559 -+}
24560 -+
24561 -+int
24562 -+gr_search_bind(const struct socket *sock, const struct sockaddr_in *addr)
24563 -+{
24564 -+ return 1;
24565 -+}
24566 -+
24567 -+int
24568 -+gr_search_accept(const struct socket *sock)
24569 -+{
24570 -+ return 1;
24571 -+}
24572 -+
24573 -+int
24574 -+gr_search_listen(const struct socket *sock)
24575 -+{
24576 -+ return 1;
24577 -+}
24578 -+
24579 -+int
24580 -+gr_search_connect(const struct socket *sock, const struct sockaddr_in *addr)
24581 -+{
24582 -+ return 1;
24583 -+}
24584 -+
24585 -+__u32
24586 -+gr_acl_handle_unix(const struct dentry * dentry, const struct vfsmount * mnt)
24587 -+{
24588 -+ return 1;
24589 -+}
24590 -+
24591 -+__u32
24592 -+gr_acl_handle_creat(const struct dentry * dentry,
24593 -+ const struct dentry * p_dentry,
24594 -+ const struct vfsmount * p_mnt, const int fmode,
24595 -+ const int imode)
24596 -+{
24597 -+ return 1;
24598 -+}
24599 -+
24600 -+void
24601 -+gr_acl_handle_exit(void)
24602 -+{
24603 -+ return;
24604 -+}
24605 -+
24606 -+int
24607 -+gr_acl_handle_mprotect(const struct file *file, const unsigned long prot)
24608 -+{
24609 -+ return 1;
24610 -+}
24611 -+
24612 -+void
24613 -+gr_set_role_label(const uid_t uid, const gid_t gid)
24614 -+{
24615 -+ return;
24616 -+}
24617 -+
24618 -+int
24619 -+gr_acl_handle_procpidmem(const struct task_struct *task)
24620 -+{
24621 -+ return 0;
24622 -+}
24623 -+
24624 -+int
24625 -+gr_search_udp_recvmsg(const struct sock *sk, const struct sk_buff *skb)
24626 -+{
24627 -+ return 1;
24628 -+}
24629 -+
24630 -+int
24631 -+gr_search_udp_sendmsg(const struct sock *sk, const struct sockaddr_in *addr)
24632 -+{
24633 -+ return 1;
24634 -+}
24635 -+
24636 -+void
24637 -+gr_set_kernel_label(struct task_struct *task)
24638 -+{
24639 -+ return;
24640 -+}
24641 -+
24642 -+int
24643 -+gr_check_user_change(int real, int effective, int fs)
24644 -+{
24645 -+ return 0;
24646 -+}
24647 -+
24648 -+int
24649 -+gr_check_group_change(int real, int effective, int fs)
24650 -+{
24651 -+ return 0;
24652 -+}
24653 -+
24654 -+
24655 -+EXPORT_SYMBOL(gr_task_is_capable);
24656 -+EXPORT_SYMBOL(gr_is_capable_nolog);
24657 -+EXPORT_SYMBOL(gr_learn_resource);
24658 -+EXPORT_SYMBOL(gr_set_kernel_label);
24659 -+#ifdef CONFIG_SECURITY
24660 -+EXPORT_SYMBOL(gr_check_user_change);
24661 -+EXPORT_SYMBOL(gr_check_group_change);
24662 -+#endif
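Review bot: none of the includes at the top of grsec_disabled.c pulls in the header that declares these hooks (grsecurity.h or grinternal.h, which the other new grsecurity/*.c files do include), so the compiler cannot check that a stub's return type and parameters still match the prototype the callers use; include the declaring header so any drift between these stubs and the real implementations fails the build instead of linking silently. A second point on return conventions: most permission hooks here return 1 (gr_acl_handle_open, gr_search_socket, gr_task_is_capable and so on), while gr_acl_handle_rename, gr_acl_handle_procpidmem, gr_handle_sysctl, gr_check_user_change and gr_check_group_change return 0. These are presumably "no error" rather than "denied" in their callers, but a one-line comment per convention would let a reviewer confirm that the disabled build is fully permissive without tracing every call site.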
24663 -diff -urNp linux-2.6.24.4/grsecurity/grsec_exec.c linux-2.6.24.4/grsecurity/grsec_exec.c
24664 ---- linux-2.6.24.4/grsecurity/grsec_exec.c 1969-12-31 19:00:00.000000000 -0500
24665 -+++ linux-2.6.24.4/grsecurity/grsec_exec.c 2008-03-26 17:56:56.000000000 -0400
24666 -@@ -0,0 +1,88 @@
24667 -+#include <linux/kernel.h>
24668 -+#include <linux/sched.h>
24669 -+#include <linux/file.h>
24670 -+#include <linux/binfmts.h>
24671 -+#include <linux/smp_lock.h>
24672 -+#include <linux/fs.h>
24673 -+#include <linux/types.h>
24674 -+#include <linux/grdefs.h>
24675 -+#include <linux/grinternal.h>
24676 -+#include <linux/capability.h>
24677 -+
24678 -+#include <asm/uaccess.h>
24679 -+
24680 -+#ifdef CONFIG_GRKERNSEC_EXECLOG
24681 -+static char gr_exec_arg_buf[132];
24682 -+static DECLARE_MUTEX(gr_exec_arg_sem);
24683 -+#endif
24684 -+
24685 -+int
24686 -+gr_handle_nproc(void)
24687 -+{
24688 -+#ifdef CONFIG_GRKERNSEC_EXECVE
24689 -+ if (grsec_enable_execve && current->user &&
24690 -+ (atomic_read(&current->user->processes) >
24691 -+ current->signal->rlim[RLIMIT_NPROC].rlim_cur) &&
24692 -+ !capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE)) {
24693 -+ gr_log_noargs(GR_DONT_AUDIT, GR_NPROC_MSG);
24694 -+ return -EAGAIN;
24695 -+ }
24696 -+#endif
24697 -+ return 0;
24698 -+}
24699 -+
24700 -+void
24701 -+gr_handle_exec_args(struct linux_binprm *bprm, const char __user *__user *argv)
24702 -+{
24703 -+#ifdef CONFIG_GRKERNSEC_EXECLOG
24704 -+ char *grarg = gr_exec_arg_buf;
24705 -+ unsigned int i, x, execlen = 0;
24706 -+ char c;
24707 -+
24708 -+ if (!((grsec_enable_execlog && grsec_enable_group &&
24709 -+ in_group_p(grsec_audit_gid))
24710 -+ || (grsec_enable_execlog && !grsec_enable_group)))
24711 -+ return;
24712 -+
24713 -+ down(&gr_exec_arg_sem);
24714 -+ memset(grarg, 0, sizeof(gr_exec_arg_buf));
24715 -+
24716 -+ if (unlikely(argv == NULL))
24717 -+ goto log;
24718 -+
24719 -+ for (i = 0; i < bprm->argc && execlen < 128; i++) {
24720 -+ const char __user *p;
24721 -+ unsigned int len;
24722 -+
24723 -+ if (copy_from_user(&p, argv + i, sizeof(p)))
24724 -+ goto log;
24725 -+ if (!p)
24726 -+ goto log;
24727 -+ len = strnlen_user(p, 128 - execlen);
24728 -+ if (len > 128 - execlen)
24729 -+ len = 128 - execlen;
24730 -+ else if (len > 0)
24731 -+ len--;
24732 -+ if (copy_from_user(grarg + execlen, p, len))
24733 -+ goto log;
24734 -+
24735 -+ /* rewrite unprintable characters */
24736 -+ for (x = 0; x < len; x++) {
24737 -+ c = *(grarg + execlen + x);
24738 -+ if (c < 32 || c > 126)
24739 -+ *(grarg + execlen + x) = ' ';
24740 -+ }
24741 -+
24742 -+ execlen += len;
24743 -+ *(grarg + execlen) = ' ';
24744 -+ *(grarg + execlen + 1) = '\0';
24745 -+ execlen++;
24746 -+ }
24747 -+
24748 -+ log:
24749 -+ gr_log_fs_str(GR_DO_AUDIT, GR_EXEC_AUDIT_MSG, bprm->file->f_dentry,
24750 -+ bprm->file->f_vfsmnt, grarg);
24751 -+ up(&gr_exec_arg_sem);
24752 -+#endif
24753 -+ return;
24754 -+}
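Review bot: gr_handle_exec_args depends on an implicit relationship between the 132-byte gr_exec_arg_buf and the literal 128 used as the loop bound, the strnlen_user limit and the truncation length; the two writes after each argument (`*(grarg + execlen) = ' ';` and `*(grarg + execlen + 1) = '\0';`) can reach index 129, which fits only because of the four bytes of slack. Define one constant for the logged length and derive the buffer size from it (plus the trailing space and NUL), and add a comment that logged command lines are truncated to 128 bytes, so a consumer of GR_EXEC_AUDIT_MSG knows not to treat the argument string as complete. Minor: the enable test at the top reads more clearly as `grsec_enable_execlog && (!grsec_enable_group || in_group_p(grsec_audit_gid))`, which is the same condition without the duplicated grsec_enable_execlog term.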
24755 -diff -urNp linux-2.6.24.4/grsecurity/grsec_fifo.c linux-2.6.24.4/grsecurity/grsec_fifo.c
24756 ---- linux-2.6.24.4/grsecurity/grsec_fifo.c 1969-12-31 19:00:00.000000000 -0500
24757 -+++ linux-2.6.24.4/grsecurity/grsec_fifo.c 2008-03-26 17:56:56.000000000 -0400
24758 -@@ -0,0 +1,22 @@
24759 -+#include <linux/kernel.h>
24760 -+#include <linux/sched.h>
24761 -+#include <linux/fs.h>
24762 -+#include <linux/file.h>
24763 -+#include <linux/grinternal.h>
24764 -+
24765 -+int
24766 -+gr_handle_fifo(const struct dentry *dentry, const struct vfsmount *mnt,
24767 -+ const struct dentry *dir, const int flag, const int acc_mode)
24768 -+{
24769 -+#ifdef CONFIG_GRKERNSEC_FIFO
24770 -+ if (grsec_enable_fifo && S_ISFIFO(dentry->d_inode->i_mode) &&
24771 -+ !(flag & O_EXCL) && (dir->d_inode->i_mode & S_ISVTX) &&
24772 -+ (dentry->d_inode->i_uid != dir->d_inode->i_uid) &&
24773 -+ (current->fsuid != dentry->d_inode->i_uid)) {
24774 -+ if (!generic_permission(dentry->d_inode, acc_mode, NULL))
24775 -+ gr_log_fs_int2(GR_DONT_AUDIT, GR_FIFO_MSG, dentry, mnt, dentry->d_inode->i_uid, dentry->d_inode->i_gid);
24776 -+ return -EACCES;
24777 -+ }
24778 -+#endif
24779 -+ return 0;
24780 -+}
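Review bot: the inner `if (!generic_permission(dentry->d_inode, acc_mode, NULL))` in gr_handle_fifo has no braces, so it gates only the gr_log_fs_int2 call; `return -EACCES;` executes whenever the outer sticky-directory and ownership condition holds, whatever generic_permission returned. If that is the intent (always deny, but only log when DAC would otherwise have allowed the open, to keep the alert log free of accesses that would have failed anyway), put braces around the log call and say so in a comment; as written the scope of the inner if is easy to misread as making the denial conditional.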
24781 -diff -urNp linux-2.6.24.4/grsecurity/grsec_fork.c linux-2.6.24.4/grsecurity/grsec_fork.c
24782 ---- linux-2.6.24.4/grsecurity/grsec_fork.c 1969-12-31 19:00:00.000000000 -0500
24783 -+++ linux-2.6.24.4/grsecurity/grsec_fork.c 2008-03-26 17:56:56.000000000 -0400
24784 -@@ -0,0 +1,15 @@
24785 -+#include <linux/kernel.h>
24786 -+#include <linux/sched.h>
24787 -+#include <linux/grsecurity.h>
24788 -+#include <linux/grinternal.h>
24789 -+#include <linux/errno.h>
24790 -+
24791 -+void
24792 -+gr_log_forkfail(const int retval)
24793 -+{
24794 -+#ifdef CONFIG_GRKERNSEC_FORKFAIL
24795 -+ if (grsec_enable_forkfail && retval != -ERESTARTNOINTR)
24796 -+ gr_log_int(GR_DONT_AUDIT, GR_FAILFORK_MSG, retval);
24797 -+#endif
24798 -+ return;
24799 -+}
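Review bot: gr_log_forkfail excludes -ERESTARTNOINTR without saying why; a comment that this value is not a real failure (the fork is transparently restarted after signal handling, so logging it would add noise with no security content) would help, since this exclusion is the only decision the function makes. Also worth a line: the message goes out as GR_DONT_AUDIT, which in grsec_log.c's END_LOCKS also invokes gr_handle_alertkill(current) and counts against the alert flood limit in gr_log_start, so a burst of fork failures under memory pressure or RLIMIT_NPROC shares the alert budget with real denials; state whether that is deliberate or whether fork failures belong in the audit class.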
24800 -diff -urNp linux-2.6.24.4/grsecurity/grsec_init.c linux-2.6.24.4/grsecurity/grsec_init.c
24801 ---- linux-2.6.24.4/grsecurity/grsec_init.c 1969-12-31 19:00:00.000000000 -0500
24802 -+++ linux-2.6.24.4/grsecurity/grsec_init.c 2008-03-26 17:56:56.000000000 -0400
24803 -@@ -0,0 +1,226 @@
24804 -+#include <linux/kernel.h>
24805 -+#include <linux/sched.h>
24806 -+#include <linux/mm.h>
24807 -+#include <linux/smp_lock.h>
24808 -+#include <linux/gracl.h>
24809 -+#include <linux/slab.h>
24810 -+#include <linux/vmalloc.h>
24811 -+#include <linux/percpu.h>
24812 -+
24813 -+int grsec_enable_link;
24814 -+int grsec_enable_dmesg;
24815 -+int grsec_enable_fifo;
24816 -+int grsec_enable_execve;
24817 -+int grsec_enable_execlog;
24818 -+int grsec_enable_signal;
24819 -+int grsec_enable_forkfail;
24820 -+int grsec_enable_time;
24821 -+int grsec_enable_audit_textrel;
24822 -+int grsec_enable_group;
24823 -+int grsec_audit_gid;
24824 -+int grsec_enable_chdir;
24825 -+int grsec_enable_audit_ipc;
24826 -+int grsec_enable_mount;
24827 -+int grsec_enable_chroot_findtask;
24828 -+int grsec_enable_chroot_mount;
24829 -+int grsec_enable_chroot_shmat;
24830 -+int grsec_enable_chroot_fchdir;
24831 -+int grsec_enable_chroot_double;
24832 -+int grsec_enable_chroot_pivot;
24833 -+int grsec_enable_chroot_chdir;
24834 -+int grsec_enable_chroot_chmod;
24835 -+int grsec_enable_chroot_mknod;
24836 -+int grsec_enable_chroot_nice;
24837 -+int grsec_enable_chroot_execlog;
24838 -+int grsec_enable_chroot_caps;
24839 -+int grsec_enable_chroot_sysctl;
24840 -+int grsec_enable_chroot_unix;
24841 -+int grsec_enable_tpe;
24842 -+int grsec_tpe_gid;
24843 -+int grsec_enable_tpe_all;
24844 -+int grsec_enable_socket_all;
24845 -+int grsec_socket_all_gid;
24846 -+int grsec_enable_socket_client;
24847 -+int grsec_socket_client_gid;
24848 -+int grsec_enable_socket_server;
24849 -+int grsec_socket_server_gid;
24850 -+int grsec_resource_logging;
24851 -+int grsec_lock;
24852 -+
24853 -+spinlock_t grsec_alert_lock = SPIN_LOCK_UNLOCKED;
24854 -+unsigned long grsec_alert_wtime = 0;
24855 -+unsigned long grsec_alert_fyet = 0;
24856 -+
24857 -+spinlock_t grsec_audit_lock = SPIN_LOCK_UNLOCKED;
24858 -+
24859 -+rwlock_t grsec_exec_file_lock = RW_LOCK_UNLOCKED;
24860 -+
24861 -+char *gr_shared_page[4];
24862 -+
24863 -+char *gr_alert_log_fmt;
24864 -+char *gr_audit_log_fmt;
24865 -+char *gr_alert_log_buf;
24866 -+char *gr_audit_log_buf;
24867 -+
24868 -+extern struct gr_arg *gr_usermode;
24869 -+extern unsigned char *gr_system_salt;
24870 -+extern unsigned char *gr_system_sum;
24871 -+
24872 -+void
24873 -+grsecurity_init(void)
24874 -+{
24875 -+ int j;
24876 -+ /* create the per-cpu shared pages */
24877 -+
24878 -+ for (j = 0; j < 4; j++) {
24879 -+ gr_shared_page[j] = (char *)__alloc_percpu(PAGE_SIZE);
24880 -+ if (gr_shared_page[j] == NULL) {
24881 -+ panic("Unable to allocate grsecurity shared page");
24882 -+ return;
24883 -+ }
24884 -+ }
24885 -+
24886 -+ /* allocate log buffers */
24887 -+ gr_alert_log_fmt = kmalloc(512, GFP_KERNEL);
24888 -+ if (!gr_alert_log_fmt) {
24889 -+ panic("Unable to allocate grsecurity alert log format buffer");
24890 -+ return;
24891 -+ }
24892 -+ gr_audit_log_fmt = kmalloc(512, GFP_KERNEL);
24893 -+ if (!gr_audit_log_fmt) {
24894 -+ panic("Unable to allocate grsecurity audit log format buffer");
24895 -+ return;
24896 -+ }
24897 -+ gr_alert_log_buf = (char *) get_zeroed_page(GFP_KERNEL);
24898 -+ if (!gr_alert_log_buf) {
24899 -+ panic("Unable to allocate grsecurity alert log buffer");
24900 -+ return;
24901 -+ }
24902 -+ gr_audit_log_buf = (char *) get_zeroed_page(GFP_KERNEL);
24903 -+ if (!gr_audit_log_buf) {
24904 -+ panic("Unable to allocate grsecurity audit log buffer");
24905 -+ return;
24906 -+ }
24907 -+
24908 -+ /* allocate memory for authentication structure */
24909 -+ gr_usermode = kmalloc(sizeof(struct gr_arg), GFP_KERNEL);
24910 -+ gr_system_salt = kmalloc(GR_SALT_LEN, GFP_KERNEL);
24911 -+ gr_system_sum = kmalloc(GR_SHA_LEN, GFP_KERNEL);
24912 -+
24913 -+ if (!gr_usermode || !gr_system_salt || !gr_system_sum) {
24914 -+ panic("Unable to allocate grsecurity authentication structure");
24915 -+ return;
24916 -+ }
24917 -+
24918 -+#if !defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_SYSCTL_ON)
24919 -+#ifndef CONFIG_GRKERNSEC_SYSCTL
24920 -+ grsec_lock = 1;
24921 -+#endif
24922 -+#ifdef CONFIG_GRKERNSEC_AUDIT_TEXTREL
24923 -+ grsec_enable_audit_textrel = 1;
24924 -+#endif
24925 -+#ifdef CONFIG_GRKERNSEC_AUDIT_GROUP
24926 -+ grsec_enable_group = 1;
24927 -+ grsec_audit_gid = CONFIG_GRKERNSEC_AUDIT_GID;
24928 -+#endif
24929 -+#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR
24930 -+ grsec_enable_chdir = 1;
24931 -+#endif
24932 -+#ifdef CONFIG_GRKERNSEC_AUDIT_IPC
24933 -+ grsec_enable_audit_ipc = 1;
24934 -+#endif
24935 -+#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
24936 -+ grsec_enable_mount = 1;
24937 -+#endif
24938 -+#ifdef CONFIG_GRKERNSEC_LINK
24939 -+ grsec_enable_link = 1;
24940 -+#endif
24941 -+#ifdef CONFIG_GRKERNSEC_DMESG
24942 -+ grsec_enable_dmesg = 1;
24943 -+#endif
24944 -+#ifdef CONFIG_GRKERNSEC_FIFO
24945 -+ grsec_enable_fifo = 1;
24946 -+#endif
24947 -+#ifdef CONFIG_GRKERNSEC_EXECVE
24948 -+ grsec_enable_execve = 1;
24949 -+#endif
24950 -+#ifdef CONFIG_GRKERNSEC_EXECLOG
24951 -+ grsec_enable_execlog = 1;
24952 -+#endif
24953 -+#ifdef CONFIG_GRKERNSEC_SIGNAL
24954 -+ grsec_enable_signal = 1;
24955 -+#endif
24956 -+#ifdef CONFIG_GRKERNSEC_FORKFAIL
24957 -+ grsec_enable_forkfail = 1;
24958 -+#endif
24959 -+#ifdef CONFIG_GRKERNSEC_TIME
24960 -+ grsec_enable_time = 1;
24961 -+#endif
24962 -+#ifdef CONFIG_GRKERNSEC_RESLOG
24963 -+ grsec_resource_logging = 1;
24964 -+#endif
24965 -+#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
24966 -+ grsec_enable_chroot_findtask = 1;
24967 -+#endif
24968 -+#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
24969 -+ grsec_enable_chroot_unix = 1;
24970 -+#endif
24971 -+#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
24972 -+ grsec_enable_chroot_mount = 1;
24973 -+#endif
24974 -+#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
24975 -+ grsec_enable_chroot_fchdir = 1;
24976 -+#endif
24977 -+#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT
24978 -+ grsec_enable_chroot_shmat = 1;
24979 -+#endif
24980 -+#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
24981 -+ grsec_enable_chroot_double = 1;
24982 -+#endif
24983 -+#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT
24984 -+ grsec_enable_chroot_pivot = 1;
24985 -+#endif
24986 -+#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
24987 -+ grsec_enable_chroot_chdir = 1;
24988 -+#endif
24989 -+#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
24990 -+ grsec_enable_chroot_chmod = 1;
24991 -+#endif
24992 -+#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
24993 -+ grsec_enable_chroot_mknod = 1;
24994 -+#endif
24995 -+#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
24996 -+ grsec_enable_chroot_nice = 1;
24997 -+#endif
24998 -+#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
24999 -+ grsec_enable_chroot_execlog = 1;
25000 -+#endif
25001 -+#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
25002 -+ grsec_enable_chroot_caps = 1;
25003 -+#endif
25004 -+#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
25005 -+ grsec_enable_chroot_sysctl = 1;
25006 -+#endif
25007 -+#ifdef CONFIG_GRKERNSEC_TPE
25008 -+ grsec_enable_tpe = 1;
25009 -+ grsec_tpe_gid = CONFIG_GRKERNSEC_TPE_GID;
25010 -+#ifdef CONFIG_GRKERNSEC_TPE_ALL
25011 -+ grsec_enable_tpe_all = 1;
25012 -+#endif
25013 -+#endif
25014 -+#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
25015 -+ grsec_enable_socket_all = 1;
25016 -+ grsec_socket_all_gid = CONFIG_GRKERNSEC_SOCKET_ALL_GID;
25017 -+#endif
25018 -+#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
25019 -+ grsec_enable_socket_client = 1;
25020 -+ grsec_socket_client_gid = CONFIG_GRKERNSEC_SOCKET_CLIENT_GID;
25021 -+#endif
25022 -+#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
25023 -+ grsec_enable_socket_server = 1;
25024 -+ grsec_socket_server_gid = CONFIG_GRKERNSEC_SOCKET_SERVER_GID;
25025 -+#endif
25026 -+#endif
25027 -+
25028 -+ return;
25029 -+}
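Review bot: the `return;` after each `panic(...)` in grsecurity_init is unreachable, since panic() does not return; drop them, or a reader will assume the function can continue with a NULL buffer. Second, `spinlock_t grsec_alert_lock = SPIN_LOCK_UNLOCKED;` and `rwlock_t grsec_exec_file_lock = RW_LOCK_UNLOCKED;` use the static initializers the kernel already marks deprecated in favour of DEFINE_SPINLOCK() and DEFINE_RWLOCK(), which also give lockdep a distinct class per lock; the logging paths in grsec_log.c take these nested under tasklist_lock, so keeping lockdep informative here matters. Third, a documentation point on the `#if !defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_SYSCTL_ON)` block: it is the only place the grsec_enable_* flags receive their compiled-in defaults, and with CONFIG_GRKERNSEC_SYSCTL set but CONFIG_GRKERNSEC_SYSCTL_ON unset every feature starts disabled until userspace writes the sysctls; a comment stating that startup window (and that grsec_lock = 1 applies only when there is no sysctl interface) would help anyone auditing which protections are active at boot.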
25030 -diff -urNp linux-2.6.24.4/grsecurity/grsec_ipc.c linux-2.6.24.4/grsecurity/grsec_ipc.c
25031 ---- linux-2.6.24.4/grsecurity/grsec_ipc.c 1969-12-31 19:00:00.000000000 -0500
25032 -+++ linux-2.6.24.4/grsecurity/grsec_ipc.c 2008-03-26 17:56:56.000000000 -0400
25033 -@@ -0,0 +1,81 @@
25034 -+#include <linux/kernel.h>
25035 -+#include <linux/sched.h>
25036 -+#include <linux/types.h>
25037 -+#include <linux/ipc.h>
25038 -+#include <linux/grsecurity.h>
25039 -+#include <linux/grinternal.h>
25040 -+
25041 -+void
25042 -+gr_log_msgget(const int ret, const int msgflg)
25043 -+{
25044 -+#ifdef CONFIG_GRKERNSEC_AUDIT_IPC
25045 -+ if (((grsec_enable_group && in_group_p(grsec_audit_gid) &&
25046 -+ grsec_enable_audit_ipc) || (grsec_enable_audit_ipc &&
25047 -+ !grsec_enable_group)) && (ret >= 0)
25048 -+ && (msgflg & IPC_CREAT))
25049 -+ gr_log_noargs(GR_DO_AUDIT, GR_MSGQ_AUDIT_MSG);
25050 -+#endif
25051 -+ return;
25052 -+}
25053 -+
25054 -+void
25055 -+gr_log_msgrm(const uid_t uid, const uid_t cuid)
25056 -+{
25057 -+#ifdef CONFIG_GRKERNSEC_AUDIT_IPC
25058 -+ if ((grsec_enable_group && in_group_p(grsec_audit_gid) &&
25059 -+ grsec_enable_audit_ipc) ||
25060 -+ (grsec_enable_audit_ipc && !grsec_enable_group))
25061 -+ gr_log_int_int(GR_DO_AUDIT, GR_MSGQR_AUDIT_MSG, uid, cuid);
25062 -+#endif
25063 -+ return;
25064 -+}
25065 -+
25066 -+void
25067 -+gr_log_semget(const int err, const int semflg)
25068 -+{
25069 -+#ifdef CONFIG_GRKERNSEC_AUDIT_IPC
25070 -+ if (((grsec_enable_group && in_group_p(grsec_audit_gid) &&
25071 -+ grsec_enable_audit_ipc) || (grsec_enable_audit_ipc &&
25072 -+ !grsec_enable_group)) && (err >= 0)
25073 -+ && (semflg & IPC_CREAT))
25074 -+ gr_log_noargs(GR_DO_AUDIT, GR_SEM_AUDIT_MSG);
25075 -+#endif
25076 -+ return;
25077 -+}
25078 -+
25079 -+void
25080 -+gr_log_semrm(const uid_t uid, const uid_t cuid)
25081 -+{
25082 -+#ifdef CONFIG_GRKERNSEC_AUDIT_IPC
25083 -+ if ((grsec_enable_group && in_group_p(grsec_audit_gid) &&
25084 -+ grsec_enable_audit_ipc) ||
25085 -+ (grsec_enable_audit_ipc && !grsec_enable_group))
25086 -+ gr_log_int_int(GR_DO_AUDIT, GR_SEMR_AUDIT_MSG, uid, cuid);
25087 -+#endif
25088 -+ return;
25089 -+}
25090 -+
25091 -+void
25092 -+gr_log_shmget(const int err, const int shmflg, const size_t size)
25093 -+{
25094 -+#ifdef CONFIG_GRKERNSEC_AUDIT_IPC
25095 -+ if (((grsec_enable_group && in_group_p(grsec_audit_gid) &&
25096 -+ grsec_enable_audit_ipc) || (grsec_enable_audit_ipc &&
25097 -+ !grsec_enable_group)) && (err >= 0)
25098 -+ && (shmflg & IPC_CREAT))
25099 -+ gr_log_int(GR_DO_AUDIT, GR_SHM_AUDIT_MSG, size);
25100 -+#endif
25101 -+ return;
25102 -+}
25103 -+
25104 -+void
25105 -+gr_log_shmrm(const uid_t uid, const uid_t cuid)
25106 -+{
25107 -+#ifdef CONFIG_GRKERNSEC_AUDIT_IPC
25108 -+ if ((grsec_enable_group && in_group_p(grsec_audit_gid) &&
25109 -+ grsec_enable_audit_ipc) ||
25110 -+ (grsec_enable_audit_ipc && !grsec_enable_group))
25111 -+ gr_log_int_int(GR_DO_AUDIT, GR_SHMR_AUDIT_MSG, uid, cuid);
25112 -+#endif
25113 -+ return;
25114 -+}
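Review bot: the enable predicate `(grsec_enable_group && in_group_p(grsec_audit_gid) && grsec_enable_audit_ipc) || (grsec_enable_audit_ipc && !grsec_enable_group)` is repeated verbatim in all six functions of grsec_ipc.c; factor it into a small static inline (it reduces to `grsec_enable_audit_ipc && (!grsec_enable_group || in_group_p(grsec_audit_gid))`) so the audit-group filter is defined once and cannot drift between the *get and *rm hooks. Separately, gr_log_shmget passes its `size_t size` to gr_log_int, whose name (and its use with an int retval in grsec_fork.c) suggests an int parameter; if so, segment sizes above INT_MAX on 64-bit are narrowed in the log line, so either use an unsigned long logging variant or document the limitation.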
25115 -diff -urNp linux-2.6.24.4/grsecurity/grsec_link.c linux-2.6.24.4/grsecurity/grsec_link.c
25116 ---- linux-2.6.24.4/grsecurity/grsec_link.c 1969-12-31 19:00:00.000000000 -0500
25117 -+++ linux-2.6.24.4/grsecurity/grsec_link.c 2008-03-26 17:56:56.000000000 -0400
25118 -@@ -0,0 +1,39 @@
25119 -+#include <linux/kernel.h>
25120 -+#include <linux/sched.h>
25121 -+#include <linux/fs.h>
25122 -+#include <linux/file.h>
25123 -+#include <linux/grinternal.h>
25124 -+
25125 -+int
25126 -+gr_handle_follow_link(const struct inode *parent,
25127 -+ const struct inode *inode,
25128 -+ const struct dentry *dentry, const struct vfsmount *mnt)
25129 -+{
25130 -+#ifdef CONFIG_GRKERNSEC_LINK
25131 -+ if (grsec_enable_link && S_ISLNK(inode->i_mode) &&
25132 -+ (parent->i_mode & S_ISVTX) && (parent->i_uid != inode->i_uid) &&
25133 -+ (parent->i_mode & S_IWOTH) && (current->fsuid != inode->i_uid)) {
25134 -+ gr_log_fs_int2(GR_DONT_AUDIT, GR_SYMLINK_MSG, dentry, mnt, inode->i_uid, inode->i_gid);
25135 -+ return -EACCES;
25136 -+ }
25137 -+#endif
25138 -+ return 0;
25139 -+}
25140 -+
25141 -+int
25142 -+gr_handle_hardlink(const struct dentry *dentry,
25143 -+ const struct vfsmount *mnt,
25144 -+ struct inode *inode, const int mode, const char *to)
25145 -+{
25146 -+#ifdef CONFIG_GRKERNSEC_LINK
25147 -+ if (grsec_enable_link && current->fsuid != inode->i_uid &&
25148 -+ (!S_ISREG(mode) || (mode & S_ISUID) ||
25149 -+ ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) ||
25150 -+ (generic_permission(inode, MAY_READ | MAY_WRITE, NULL))) &&
25151 -+ !capable(CAP_FOWNER) && current->uid) {
25152 -+ gr_log_fs_int2_str(GR_DONT_AUDIT, GR_HARDLINK_MSG, dentry, mnt, inode->i_uid, inode->i_gid, to);
25153 -+ return -EPERM;
25154 -+ }
25155 -+#endif
25156 -+ return 0;
25157 -+}
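Review bot: in gr_handle_hardlink the trailing `&& current->uid` exempts any process running with uid 0 even after the preceding `!capable(CAP_FOWNER)` has established that it lacks the capability; since the capable() test is the one that should decide for privileged callers, state whether the uid test is an intentional escape hatch for capability-reduced root or can be dropped. For both functions a comment on the threat model would help reviewers: gr_handle_follow_link refuses to follow a symlink in a sticky, world-writable directory when the link is owned by neither the directory owner nor the follower, and gr_handle_hardlink refuses to link to another user's file unless it is a regular, non-setuid, non-setgid-executable file the caller could already read and write; these are the sticky-directory symlink and hardlink restrictions and deserve to be named as such above the code.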
25158 -diff -urNp linux-2.6.24.4/grsecurity/grsec_log.c linux-2.6.24.4/grsecurity/grsec_log.c
25159 ---- linux-2.6.24.4/grsecurity/grsec_log.c 1969-12-31 19:00:00.000000000 -0500
25160 -+++ linux-2.6.24.4/grsecurity/grsec_log.c 2008-03-26 17:56:56.000000000 -0400
25161 -@@ -0,0 +1,269 @@
25162 -+#include <linux/kernel.h>
25163 -+#include <linux/sched.h>
25164 -+#include <linux/file.h>
25165 -+#include <linux/tty.h>
25166 -+#include <linux/fs.h>
25167 -+#include <linux/grinternal.h>
25168 -+
25169 -+#define BEGIN_LOCKS(x) \
25170 -+ read_lock(&tasklist_lock); \
25171 -+ read_lock(&grsec_exec_file_lock); \
25172 -+ if (x != GR_DO_AUDIT) \
25173 -+ spin_lock(&grsec_alert_lock); \
25174 -+ else \
25175 -+ spin_lock(&grsec_audit_lock)
25176 -+
25177 -+#define END_LOCKS(x) \
25178 -+ if (x != GR_DO_AUDIT) \
25179 -+ spin_unlock(&grsec_alert_lock); \
25180 -+ else \
25181 -+ spin_unlock(&grsec_audit_lock); \
25182 -+ read_unlock(&grsec_exec_file_lock); \
25183 -+ read_unlock(&tasklist_lock); \
25184 -+ if (x == GR_DONT_AUDIT) \
25185 -+ gr_handle_alertkill(current)
25186 -+
25187 -+enum {
25188 -+ FLOODING,
25189 -+ NO_FLOODING
25190 -+};
25191 -+
25192 -+extern char *gr_alert_log_fmt;
25193 -+extern char *gr_audit_log_fmt;
25194 -+extern char *gr_alert_log_buf;
25195 -+extern char *gr_audit_log_buf;
25196 -+
25197 -+static int gr_log_start(int audit)
25198 -+{
25199 -+ char *loglevel = (audit == GR_DO_AUDIT) ? KERN_INFO : KERN_ALERT;
25200 -+ char *fmt = (audit == GR_DO_AUDIT) ? gr_audit_log_fmt : gr_alert_log_fmt;
25201 -+ char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
25202 -+
25203 -+ if (audit == GR_DO_AUDIT)
25204 -+ goto set_fmt;
25205 -+
25206 -+ if (!grsec_alert_wtime || jiffies - grsec_alert_wtime > CONFIG_GRKERNSEC_FLOODTIME * HZ) {
25207 -+ grsec_alert_wtime = jiffies;
25208 -+ grsec_alert_fyet = 0;
25209 -+ } else if ((jiffies - grsec_alert_wtime < CONFIG_GRKERNSEC_FLOODTIME * HZ) && (grsec_alert_fyet < CONFIG_GRKERNSEC_FLOODBURST)) {
25210 -+ grsec_alert_fyet++;
25211 -+ } else if (grsec_alert_fyet == CONFIG_GRKERNSEC_FLOODBURST) {
25212 -+ grsec_alert_wtime = jiffies;
25213 -+ grsec_alert_fyet++;
25214 -+ printk(KERN_ALERT "grsec: more alerts, logging disabled for %d seconds\n", CONFIG_GRKERNSEC_FLOODTIME);
25215 -+ return FLOODING;
25216 -+ } else return FLOODING;
25217 -+
25218 -+set_fmt:
25219 -+ memset(buf, 0, PAGE_SIZE);
25220 -+ if (current->signal->curr_ip && gr_acl_is_enabled()) {
25221 -+ sprintf(fmt, "%s%s", loglevel, "grsec: From %u.%u.%u.%u: (%.64s:%c:%.950s) ");
25222 -+ snprintf(buf, PAGE_SIZE - 1, fmt, NIPQUAD(current->signal->curr_ip), current->role->rolename, gr_roletype_to_char(), current->acl->filename);
25223 -+ } else if (current->signal->curr_ip) {
25224 -+ sprintf(fmt, "%s%s", loglevel, "grsec: From %u.%u.%u.%u: ");
25225 -+ snprintf(buf, PAGE_SIZE - 1, fmt, NIPQUAD(current->signal->curr_ip));
25226 -+ } else if (gr_acl_is_enabled()) {
25227 -+ sprintf(fmt, "%s%s", loglevel, "grsec: (%.64s:%c:%.950s) ");
25228 -+ snprintf(buf, PAGE_SIZE - 1, fmt, current->role->rolename, gr_roletype_to_char(), current->acl->filename);
25229 -+ } else {
25230 -+ sprintf(fmt, "%s%s", loglevel, "grsec: ");
25231 -+ strcpy(buf, fmt);
25232 -+ }
25233 -+
25234 -+ return NO_FLOODING;
25235 -+}
25236 -+
25237 -+static void gr_log_middle(int audit, const char *msg, va_list ap)
25238 -+{
25239 -+ char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
25240 -+ unsigned int len = strlen(buf);
25241 -+
25242 -+ vsnprintf(buf + len, PAGE_SIZE - len - 1, msg, ap);
25243 -+
25244 -+ return;
25245 -+}
25246 -+
25247 -+static void gr_log_middle_varargs(int audit, const char *msg, ...)
25248 -+{
25249 -+ char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
25250 -+ unsigned int len = strlen(buf);
25251 -+ va_list ap;
25252 -+
25253 -+ va_start(ap, msg);
25254 -+ vsnprintf(buf + len, PAGE_SIZE - len - 1, msg, ap);
25255 -+ va_end(ap);
25256 -+
25257 -+ return;
25258 -+}
25259 -+
25260 -+static void gr_log_end(int audit)
25261 -+{
25262 -+ char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
25263 -+ unsigned int len = strlen(buf);
25264 -+
25265 -+ snprintf(buf + len, PAGE_SIZE - len - 1, DEFAULTSECMSG, DEFAULTSECARGS(current));
25266 -+ printk("%s\n", buf);
25267 -+
25268 -+ return;
25269 -+}
25270 -+
25271 -+void gr_log_varargs(int audit, const char *msg, int argtypes, ...)
25272 -+{
25273 -+ int logtype;
25274 -+ char *result = (audit == GR_DO_AUDIT) ? "successful" : "denied";
25275 -+ char *str1, *str2, *str3;
25276 -+ int num1, num2;
25277 -+ unsigned long ulong1, ulong2;
25278 -+ struct dentry *dentry;
25279 -+ struct vfsmount *mnt;
25280 -+ struct file *file;
25281 -+ struct task_struct *task;
25282 -+ va_list ap;
25283 -+
25284 -+ BEGIN_LOCKS(audit);
25285 -+ logtype = gr_log_start(audit);
25286 -+ if (logtype == FLOODING) {
25287 -+ END_LOCKS(audit);
25288 -+ return;
25289 -+ }
25290 -+ va_start(ap, argtypes);
25291 -+ switch (argtypes) {
25292 -+ case GR_TTYSNIFF:
25293 -+ task = va_arg(ap, struct task_struct *);
25294 -+ gr_log_middle_varargs(audit, msg, NIPQUAD(task->signal->curr_ip), gr_task_fullpath0(task), task->comm, task->pid, gr_parent_task_fullpath0(task), task->parent->comm, task->parent->pid);
25295 -+ break;
25296 -+ case GR_SYSCTL_HIDDEN:
25297 -+ str1 = va_arg(ap, char *);
25298 -+ gr_log_middle_varargs(audit, msg, result, str1);
25299 -+ break;
25300 -+ case GR_RBAC:
25301 -+ dentry = va_arg(ap, struct dentry *);
25302 -+ mnt = va_arg(ap, struct vfsmount *);
25303 -+ gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt));
25304 -+ break;
25305 -+ case GR_RBAC_STR:
25306 -+ dentry = va_arg(ap, struct dentry *);
25307 -+ mnt = va_arg(ap, struct vfsmount *);
25308 -+ str1 = va_arg(ap, char *);
25309 -+ gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt), str1);
25310 -+ break;
25311 -+ case GR_STR_RBAC:
25312 -+ str1 = va_arg(ap, char *);
25313 -+ dentry = va_arg(ap, struct dentry *);
25314 -+ mnt = va_arg(ap, struct vfsmount *);
25315 -+ gr_log_middle_varargs(audit, msg, result, str1, gr_to_filename(dentry, mnt));
25316 -+ break;
25317 -+ case GR_RBAC_MODE2:
25318 -+ dentry = va_arg(ap, struct dentry *);
25319 -+ mnt = va_arg(ap, struct vfsmount *);
25320 -+ str1 = va_arg(ap, char *);
25321 -+ str2 = va_arg(ap, char *);
25322 -+ gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt), str1, str2);
25323 -+ break;
25324 -+ case GR_RBAC_MODE3:
25325 -+ dentry = va_arg(ap, struct dentry *);
25326 -+ mnt = va_arg(ap, struct vfsmount *);
25327 -+ str1 = va_arg(ap, char *);
25328 -+ str2 = va_arg(ap, char *);
25329 -+ str3 = va_arg(ap, char *);
25330 -+ gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt), str1, str2, str3);
25331 -+ break;
25332 -+ case GR_FILENAME:
25333 -+ dentry = va_arg(ap, struct dentry *);
25334 -+ mnt = va_arg(ap, struct vfsmount *);
25335 -+ gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt));
25336 -+ break;
25337 -+ case GR_STR_FILENAME:
25338 -+ str1 = va_arg(ap, char *);
25339 -+ dentry = va_arg(ap, struct dentry *);
25340 -+ mnt = va_arg(ap, struct vfsmount *);
25341 -+ gr_log_middle_varargs(audit, msg, str1, gr_to_filename(dentry, mnt));
25342 -+ break;
25343 -+ case GR_FILENAME_STR:
25344 -+ dentry = va_arg(ap, struct dentry *);
25345 -+ mnt = va_arg(ap, struct vfsmount *);
25346 -+ str1 = va_arg(ap, char *);
25347 -+ gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt), str1);
25348 -+ break;
25349 -+ case GR_FILENAME_TWO_INT:
25350 -+ dentry = va_arg(ap, struct dentry *);
25351 -+ mnt = va_arg(ap, struct vfsmount *);
25352 -+ num1 = va_arg(ap, int);
25353 -+ num2 = va_arg(ap, int);
25354 -+ gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt), num1, num2);
25355 -+ break;
25356 -+ case GR_FILENAME_TWO_INT_STR:
25357 -+ dentry = va_arg(ap, struct dentry *);
25358 -+ mnt = va_arg(ap, struct vfsmount *);
25359 -+ num1 = va_arg(ap, int);
25360 -+ num2 = va_arg(ap, int);
25361 -+ str1 = va_arg(ap, char *);
25362 -+ gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt), num1, num2, str1);
25363 -+ break;
25364 -+ case GR_TEXTREL:
25365 -+ file = va_arg(ap, struct file *);
25366 -+ ulong1 = va_arg(ap, unsigned long);
25367 -+ ulong2 = va_arg(ap, unsigned long);
25368 -+ gr_log_middle_varargs(audit, msg, file ? gr_to_filename(file->f_dentry, file->f_vfsmnt) : "<anonymous mapping>", ulong1, ulong2);
25369 -+ break;
25370 -+ case GR_PTRACE:
25371 -+ task = va_arg(ap, struct task_struct *);
25372 -+ gr_log_middle_varargs(audit, msg, task->exec_file ? gr_to_filename(task->exec_file->f_dentry, task->exec_file->f_vfsmnt) : "(none)", task->comm, task->pid);
25373 -+ break;
25374 -+ case GR_RESOURCE:
25375 -+ task = va_arg(ap, struct task_struct *);
25376 -+ ulong1 = va_arg(ap, unsigned long);
25377 -+ str1 = va_arg(ap, char *);
25378 -+ ulong2 = va_arg(ap, unsigned long);
25379 -+ gr_log_middle_varargs(audit, msg, ulong1, str1, ulong2, gr_task_fullpath(task), task->comm, task->pid, task->uid, task->euid, task->gid, task->egid, gr_parent_task_fullpath(task), task->parent->comm, task->parent->pid, task->parent->uid, task->parent->euid, task->parent->gid, task->parent->egid);
25380 -+ break;
25381 -+ case GR_CAP:
25382 -+ task = va_arg(ap, struct task_struct *);
25383 -+ str1 = va_arg(ap, char *);
25384 -+ gr_log_middle_varargs(audit, msg, str1, gr_task_fullpath(task), task->comm, task->pid, task->uid, task->euid, task->gid, task->egid, gr_parent_task_fullpath(task), task->parent->comm, task->parent->pid, task->parent->uid, task->parent->euid, task->parent->gid, task->parent->egid);
25385 -+ break;
25386 -+ case GR_SIG:
25387 -+ task = va_arg(ap, struct task_struct *);
25388 -+ num1 = va_arg(ap, int);
25389 -+ gr_log_middle_varargs(audit, msg, num1, gr_task_fullpath0(task), task->comm, task->pid, task->uid, task->euid, task->gid, task->egid, gr_parent_task_fullpath0(task), task->parent->comm, task->parent->pid, task->parent->uid, task->parent->euid, task->parent->gid, task->parent->egid);
25390 -+ break;
25391 -+ case GR_CRASH1:
25392 -+ task = va_arg(ap, struct task_struct *);
25393 -+ ulong1 = va_arg(ap, unsigned long);
25394 -+ gr_log_middle_varargs(audit, msg, gr_task_fullpath(task), task->comm, task->pid, task->uid, task->euid, task->gid, task->egid, gr_parent_task_fullpath(task), task->parent->comm, task->parent->pid, task->parent->uid, task->parent->euid, task->parent->gid, task->parent->egid, task->uid, ulong1);
25395 -+ break;
25396 -+ case GR_CRASH2:
25397 -+ task = va_arg(ap, struct task_struct *);
25398 -+ ulong1 = va_arg(ap, unsigned long);
25399 -+ gr_log_middle_varargs(audit, msg, gr_task_fullpath(task), task->comm, task->pid, task->uid, task->euid, task->gid, task->egid, gr_parent_task_fullpath(task), task->parent->comm, task->parent->pid, task->parent->uid, task->parent->euid, task->parent->gid, task->parent->egid, ulong1);
25400 -+ break;
25401 -+ case GR_PSACCT:
25402 -+ {
25403 -+ unsigned int wday, cday;
25404 -+ __u8 whr, chr;
25405 -+ __u8 wmin, cmin;
25406 -+ __u8 wsec, csec;
25407 -+ char cur_tty[64] = { 0 };
25408 -+ char parent_tty[64] = { 0 };
25409 -+
25410 -+ task = va_arg(ap, struct task_struct *);
25411 -+ wday = va_arg(ap, unsigned int);
25412 -+ cday = va_arg(ap, unsigned int);
25413 -+ whr = va_arg(ap, int);
25414 -+ chr = va_arg(ap, int);
25415 -+ wmin = va_arg(ap, int);
25416 -+ cmin = va_arg(ap, int);
25417 -+ wsec = va_arg(ap, int);
25418 -+ csec = va_arg(ap, int);
25419 -+ ulong1 = va_arg(ap, unsigned long);
25420 -+
25421 -+ gr_log_middle_varargs(audit, msg, gr_task_fullpath(task), task->comm, task->pid, NIPQUAD(task->signal->curr_ip), tty_name(task->signal->tty, cur_tty), task->uid, task->euid, task->gid, task->egid, wday, whr, wmin, wsec, cday, chr, cmin, csec, (task->flags & PF_SIGNALED) ? "killed by signal" : "exited", ulong1, gr_parent_task_fullpath(task), task->parent->comm, task->parent->pid, NIPQUAD(task->parent->signal->curr_ip), tty_name(task->parent->signal->tty, parent_tty), task->parent->uid, task->parent->euid, task->parent->gid, task->parent->egid);
25422 -+ }
25423 -+ break;
25424 -+ default:
25425 -+ gr_log_middle(audit, msg, ap);
25426 -+ }
25427 -+ va_end(ap);
25428 -+ gr_log_end(audit);
25429 -+ END_LOCKS(audit);
25430 -+}
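
Review bot: in the GR_PTRACE case of gr_log_varargs, `task->exec_file->f_dentry` and `task->exec_file->f_vfsmnt` are dereferenced without grsec_exec_file_lock, while gr_handle_brute_attach in grsec_sig.c reads the same `exec_file` field only under `read_lock(&grsec_exec_file_lock)`; unless BEGIN_LOCKS(audit) is documented to take that lock, an exec by the traced task can swap the pointer during the gr_to_filename() call. Take the read lock around the lookup, or add a comment stating why BEGIN_LOCKS already covers it. Secondary point in gr_log_start: the flood-control test `jiffies - grsec_alert_wtime < CONFIG_GRKERNSEC_FLOODTIME * HZ` should use time_before() so it stays correct across a jiffies wrap.
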
25431 -diff -urNp linux-2.6.24.4/grsecurity/grsec_mem.c linux-2.6.24.4/grsecurity/grsec_mem.c
25432 ---- linux-2.6.24.4/grsecurity/grsec_mem.c 1969-12-31 19:00:00.000000000 -0500
25433 -+++ linux-2.6.24.4/grsecurity/grsec_mem.c 2008-03-26 17:56:56.000000000 -0400
25434 -@@ -0,0 +1,71 @@
25435 -+#include <linux/kernel.h>
25436 -+#include <linux/sched.h>
25437 -+#include <linux/mm.h>
25438 -+#include <linux/mman.h>
25439 -+#include <linux/grinternal.h>
25440 -+
25441 -+void
25442 -+gr_handle_ioperm(void)
25443 -+{
25444 -+ gr_log_noargs(GR_DONT_AUDIT, GR_IOPERM_MSG);
25445 -+ return;
25446 -+}
25447 -+
25448 -+void
25449 -+gr_handle_iopl(void)
25450 -+{
25451 -+ gr_log_noargs(GR_DONT_AUDIT, GR_IOPL_MSG);
25452 -+ return;
25453 -+}
25454 -+
25455 -+void
25456 -+gr_handle_mem_write(void)
25457 -+{
25458 -+ gr_log_noargs(GR_DONT_AUDIT, GR_MEM_WRITE_MSG);
25459 -+ return;
25460 -+}
25461 -+
25462 -+void
25463 -+gr_handle_kmem_write(void)
25464 -+{
25465 -+ gr_log_noargs(GR_DONT_AUDIT, GR_KMEM_MSG);
25466 -+ return;
25467 -+}
25468 -+
25469 -+void
25470 -+gr_handle_open_port(void)
25471 -+{
25472 -+ gr_log_noargs(GR_DONT_AUDIT, GR_PORT_OPEN_MSG);
25473 -+ return;
25474 -+}
25475 -+
25476 -+int
25477 -+gr_handle_mem_mmap(const unsigned long offset, struct vm_area_struct *vma)
25478 -+{
25479 -+ unsigned long start, end;
25480 -+
25481 -+ start = offset;
25482 -+ end = start + vma->vm_end - vma->vm_start;
25483 -+
25484 -+ if (start > end) {
25485 -+ gr_log_noargs(GR_DONT_AUDIT, GR_MEM_MMAP_MSG);
25486 -+ return -EPERM;
25487 -+ }
25488 -+
25489 -+ /* allowed ranges : ISA I/O BIOS */
25490 -+ if ((start >= __pa(high_memory))
25491 -+#ifdef CONFIG_X86
25492 -+ || (start >= 0x000a0000 && end <= 0x00100000)
25493 -+ || (start >= 0x00000000 && end <= 0x00001000)
25494 -+#endif
25495 -+ )
25496 -+ return 0;
25497 -+
25498 -+ if (vma->vm_flags & VM_WRITE) {
25499 -+ gr_log_noargs(GR_DONT_AUDIT, GR_MEM_MMAP_MSG);
25500 -+ return -EPERM;
25501 -+ } else
25502 -+ vma->vm_flags &= ~VM_MAYWRITE;
25503 -+
25504 -+ return 0;
25505 -+}
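
Review bot: the comment `/* allowed ranges : ISA I/O BIOS */` in gr_handle_mem_mmap should say that `start` and `end` are physical addresses (they are compared against `__pa(high_memory)`), that the preceding `if (start > end)` exists only to catch wrap-around of `start + vma->vm_end - vma->vm_start`, and that on non-x86 the only permitted window is above high_memory, so the x86-only exceptions for 0xa0000-0x100000 and the zero page are deliberate rather than a missing port. Minor style point: the unbraced `} else` arm holding `vma->vm_flags &= ~VM_MAYWRITE;` would be clearer braced to match the `if` arm, and a comment noting that clearing VM_MAYWRITE also blocks a later mprotect(PROT_WRITE) would document the intent.
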
25506 -diff -urNp linux-2.6.24.4/grsecurity/grsec_mount.c linux-2.6.24.4/grsecurity/grsec_mount.c
25507 ---- linux-2.6.24.4/grsecurity/grsec_mount.c 1969-12-31 19:00:00.000000000 -0500
25508 -+++ linux-2.6.24.4/grsecurity/grsec_mount.c 2008-03-26 17:56:56.000000000 -0400
25509 -@@ -0,0 +1,34 @@
25510 -+#include <linux/kernel.h>
25511 -+#include <linux/sched.h>
25512 -+#include <linux/grsecurity.h>
25513 -+#include <linux/grinternal.h>
25514 -+
25515 -+void
25516 -+gr_log_remount(const char *devname, const int retval)
25517 -+{
25518 -+#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
25519 -+ if (grsec_enable_mount && (retval >= 0))
25520 -+ gr_log_str(GR_DO_AUDIT, GR_REMOUNT_AUDIT_MSG, devname ? devname : "none");
25521 -+#endif
25522 -+ return;
25523 -+}
25524 -+
25525 -+void
25526 -+gr_log_unmount(const char *devname, const int retval)
25527 -+{
25528 -+#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
25529 -+ if (grsec_enable_mount && (retval >= 0))
25530 -+ gr_log_str(GR_DO_AUDIT, GR_UNMOUNT_AUDIT_MSG, devname ? devname : "none");
25531 -+#endif
25532 -+ return;
25533 -+}
25534 -+
25535 -+void
25536 -+gr_log_mount(const char *from, const char *to, const int retval)
25537 -+{
25538 -+#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
25539 -+ if (grsec_enable_mount && (retval >= 0))
25540 -+ gr_log_str_str(GR_DO_AUDIT, GR_MOUNT_AUDIT_MSG, from, to);
25541 -+#endif
25542 -+ return;
25543 -+}
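
Review bot: gr_log_mount passes `from` and `to` straight to gr_log_str_str, whereas gr_log_remount and gr_log_unmount guard their argument with `devname ? devname : "none"`; the asymmetry is unexplained, so either apply the same `from ? from : "none"` guard (and likewise for `to`) in gr_log_mount, or add a comment stating why neither pointer can be NULL at this call site.
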
25544 -diff -urNp linux-2.6.24.4/grsecurity/grsec_sig.c linux-2.6.24.4/grsecurity/grsec_sig.c
25545 ---- linux-2.6.24.4/grsecurity/grsec_sig.c 1969-12-31 19:00:00.000000000 -0500
25546 -+++ linux-2.6.24.4/grsecurity/grsec_sig.c 2008-03-26 17:56:56.000000000 -0400
25547 -@@ -0,0 +1,58 @@
25548 -+#include <linux/kernel.h>
25549 -+#include <linux/sched.h>
25550 -+#include <linux/delay.h>
25551 -+#include <linux/grsecurity.h>
25552 -+#include <linux/grinternal.h>
25553 -+
25554 -+void
25555 -+gr_log_signal(const int sig, const struct task_struct *t)
25556 -+{
25557 -+#ifdef CONFIG_GRKERNSEC_SIGNAL
25558 -+ if (grsec_enable_signal && ((sig == SIGSEGV) || (sig == SIGILL) ||
25559 -+ (sig == SIGABRT) || (sig == SIGBUS))) {
25560 -+ if (t->pid == current->pid) {
25561 -+ gr_log_int(GR_DONT_AUDIT_GOOD, GR_UNISIGLOG_MSG, sig);
25562 -+ } else {
25563 -+ gr_log_sig(GR_DONT_AUDIT_GOOD, GR_DUALSIGLOG_MSG, t, sig);
25564 -+ }
25565 -+ }
25566 -+#endif
25567 -+ return;
25568 -+}
25569 -+
25570 -+int
25571 -+gr_handle_signal(const struct task_struct *p, const int sig)
25572 -+{
25573 -+#ifdef CONFIG_GRKERNSEC
25574 -+ if (current->pid > 1 && gr_check_protected_task(p)) {
25575 -+ gr_log_sig(GR_DONT_AUDIT, GR_SIG_ACL_MSG, p, sig);
25576 -+ return -EPERM;
25577 -+ } else if (gr_pid_is_chrooted((struct task_struct *)p)) {
25578 -+ return -EPERM;
25579 -+ }
25580 -+#endif
25581 -+ return 0;
25582 -+}
25583 -+
25584 -+void gr_handle_brute_attach(struct task_struct *p)
25585 -+{
25586 -+#ifdef CONFIG_GRKERNSEC_BRUTE
25587 -+ read_lock(&tasklist_lock);
25588 -+ read_lock(&grsec_exec_file_lock);
25589 -+ if (p->parent && p->parent->exec_file == p->exec_file)
25590 -+ p->parent->brute = 1;
25591 -+ read_unlock(&grsec_exec_file_lock);
25592 -+ read_unlock(&tasklist_lock);
25593 -+#endif
25594 -+ return;
25595 -+}
25596 -+
25597 -+void gr_handle_brute_check(void)
25598 -+{
25599 -+#ifdef CONFIG_GRKERNSEC_BRUTE
25600 -+ if (current->brute)
25601 -+ msleep(30 * 1000);
25602 -+#endif
25603 -+ return;
25604 -+}
25605 -+
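
Review bot: gr_handle_signal denies silently in the `gr_pid_is_chrooted((struct task_struct *)p)` branch while the protected-task branch logs through gr_log_sig; if chroot signal denials are meant to be auditable, log them here too, otherwise a comment should say where that denial is logged. The cast away from const also suggests gr_pid_is_chrooted's prototype should take `const struct task_struct *`. In gr_handle_brute_check, the unconditional `msleep(30 * 1000)` stalls the caller for 30 seconds whenever `current->brute` is set; nothing in this hunk clears the flag, so document where it is reset. The file also ends with a stray blank `+` line.
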
25606 -diff -urNp linux-2.6.24.4/grsecurity/grsec_sock.c linux-2.6.24.4/grsecurity/grsec_sock.c
25607 ---- linux-2.6.24.4/grsecurity/grsec_sock.c 1969-12-31 19:00:00.000000000 -0500
25608 -+++ linux-2.6.24.4/grsecurity/grsec_sock.c 2008-03-26 17:56:56.000000000 -0400
25609 -@@ -0,0 +1,274 @@
25610 -+#include <linux/kernel.h>
25611 -+#include <linux/module.h>
25612 -+#include <linux/sched.h>
25613 -+#include <linux/file.h>
25614 -+#include <linux/net.h>
25615 -+#include <linux/in.h>
25616 -+#include <linux/ip.h>
25617 -+#include <net/sock.h>
25618 -+#include <net/inet_sock.h>
25619 -+#include <linux/grsecurity.h>
25620 -+#include <linux/grinternal.h>
25621 -+#include <linux/gracl.h>
25622 -+
25623 -+#if defined(CONFIG_IP_NF_MATCH_STEALTH_MODULE)
25624 -+extern struct sock *udp_v4_lookup(u32 saddr, u16 sport, u32 daddr, u16 dport, int dif);
25625 -+EXPORT_SYMBOL(udp_v4_lookup);
25626 -+#endif
25627 -+
25628 -+__u32 gr_cap_rtnetlink(struct sock *sock);
25629 -+EXPORT_SYMBOL(gr_cap_rtnetlink);
25630 -+
25631 -+extern int gr_search_udp_recvmsg(const struct sock *sk, const struct sk_buff *skb);
25632 -+extern int gr_search_udp_sendmsg(const struct sock *sk, const struct sockaddr_in *addr);
25633 -+
25634 -+EXPORT_SYMBOL(gr_search_udp_recvmsg);
25635 -+EXPORT_SYMBOL(gr_search_udp_sendmsg);
25636 -+
25637 -+#ifdef CONFIG_UNIX_MODULE
25638 -+EXPORT_SYMBOL(gr_acl_handle_unix);
25639 -+EXPORT_SYMBOL(gr_acl_handle_mknod);
25640 -+EXPORT_SYMBOL(gr_handle_chroot_unix);
25641 -+EXPORT_SYMBOL(gr_handle_create);
25642 -+#endif
25643 -+
25644 -+#ifdef CONFIG_GRKERNSEC
25645 -+#define gr_conn_table_size 32749
25646 -+struct conn_table_entry {
25647 -+ struct conn_table_entry *next;
25648 -+ struct signal_struct *sig;
25649 -+};
25650 -+
25651 -+struct conn_table_entry *gr_conn_table[gr_conn_table_size];
25652 -+spinlock_t gr_conn_table_lock = SPIN_LOCK_UNLOCKED;
25653 -+
25654 -+extern const char * gr_socktype_to_name(unsigned char type);
25655 -+extern const char * gr_proto_to_name(unsigned char proto);
25656 -+
25657 -+static __inline__ int
25658 -+conn_hash(__u32 saddr, __u32 daddr, __u16 sport, __u16 dport, unsigned int size)
25659 -+{
25660 -+ return ((daddr + saddr + (sport << 8) + (dport << 16)) % size);
25661 -+}
25662 -+
25663 -+static __inline__ int
25664 -+conn_match(const struct signal_struct *sig, __u32 saddr, __u32 daddr,
25665 -+ __u16 sport, __u16 dport)
25666 -+{
25667 -+ if (unlikely(sig->gr_saddr == saddr && sig->gr_daddr == daddr &&
25668 -+ sig->gr_sport == sport && sig->gr_dport == dport))
25669 -+ return 1;
25670 -+ else
25671 -+ return 0;
25672 -+}
25673 -+
25674 -+static void gr_add_to_task_ip_table_nolock(struct signal_struct *sig, struct conn_table_entry *newent)
25675 -+{
25676 -+ struct conn_table_entry **match;
25677 -+ unsigned int index;
25678 -+
25679 -+ index = conn_hash(sig->gr_saddr, sig->gr_daddr,
25680 -+ sig->gr_sport, sig->gr_dport,
25681 -+ gr_conn_table_size);
25682 -+
25683 -+ newent->sig = sig;
25684 -+
25685 -+ match = &gr_conn_table[index];
25686 -+ newent->next = *match;
25687 -+ *match = newent;
25688 -+
25689 -+ return;
25690 -+}
25691 -+
25692 -+static void gr_del_task_from_ip_table_nolock(struct signal_struct *sig)
25693 -+{
25694 -+ struct conn_table_entry *match, *last = NULL;
25695 -+ unsigned int index;
25696 -+
25697 -+ index = conn_hash(sig->gr_saddr, sig->gr_daddr,
25698 -+ sig->gr_sport, sig->gr_dport,
25699 -+ gr_conn_table_size);
25700 -+
25701 -+ match = gr_conn_table[index];
25702 -+ while (match && !conn_match(match->sig,
25703 -+ sig->gr_saddr, sig->gr_daddr, sig->gr_sport,
25704 -+ sig->gr_dport)) {
25705 -+ last = match;
25706 -+ match = match->next;
25707 -+ }
25708 -+
25709 -+ if (match) {
25710 -+ if (last)
25711 -+ last->next = match->next;
25712 -+ else
25713 -+ gr_conn_table[index] = NULL;
25714 -+ kfree(match);
25715 -+ }
25716 -+
25717 -+ return;
25718 -+}
25719 -+
25720 -+static struct signal_struct * gr_lookup_task_ip_table(__u32 saddr, __u32 daddr,
25721 -+ __u16 sport, __u16 dport)
25722 -+{
25723 -+ struct conn_table_entry *match;
25724 -+ unsigned int index;
25725 -+
25726 -+ index = conn_hash(saddr, daddr, sport, dport, gr_conn_table_size);
25727 -+
25728 -+ match = gr_conn_table[index];
25729 -+ while (match && !conn_match(match->sig, saddr, daddr, sport, dport))
25730 -+ match = match->next;
25731 -+
25732 -+ if (match)
25733 -+ return match->sig;
25734 -+ else
25735 -+ return NULL;
25736 -+}
25737 -+
25738 -+#endif
25739 -+
25740 -+void gr_update_task_in_ip_table(struct task_struct *task, const struct inet_sock *inet)
25741 -+{
25742 -+#ifdef CONFIG_GRKERNSEC
25743 -+ struct signal_struct *sig = task->signal;
25744 -+ struct conn_table_entry *newent;
25745 -+
25746 -+ newent = kmalloc(sizeof(struct conn_table_entry), GFP_ATOMIC);
25747 -+ if (newent == NULL)
25748 -+ return;
25749 -+ /* no bh lock needed since we are called with bh disabled */
25750 -+ spin_lock(&gr_conn_table_lock);
25751 -+ gr_del_task_from_ip_table_nolock(sig);
25752 -+ sig->gr_saddr = inet->rcv_saddr;
25753 -+ sig->gr_daddr = inet->daddr;
25754 -+ sig->gr_sport = inet->sport;
25755 -+ sig->gr_dport = inet->dport;
25756 -+ gr_add_to_task_ip_table_nolock(sig, newent);
25757 -+ spin_unlock(&gr_conn_table_lock);
25758 -+#endif
25759 -+ return;
25760 -+}
25761 -+
25762 -+void gr_del_task_from_ip_table(struct task_struct *task)
25763 -+{
25764 -+#ifdef CONFIG_GRKERNSEC
25765 -+ spin_lock(&gr_conn_table_lock);
25766 -+ gr_del_task_from_ip_table_nolock(task->signal);
25767 -+ spin_unlock(&gr_conn_table_lock);
25768 -+#endif
25769 -+ return;
25770 -+}
25771 -+
25772 -+void
25773 -+gr_attach_curr_ip(const struct sock *sk)
25774 -+{
25775 -+#ifdef CONFIG_GRKERNSEC
25776 -+ struct signal_struct *p, *set;
25777 -+ const struct inet_sock *inet = inet_sk(sk);
25778 -+
25779 -+ if (unlikely(sk->sk_protocol != IPPROTO_TCP))
25780 -+ return;
25781 -+
25782 -+ set = current->signal;
25783 -+
25784 -+ spin_lock_bh(&gr_conn_table_lock);
25785 -+ p = gr_lookup_task_ip_table(inet->daddr, inet->rcv_saddr,
25786 -+ inet->dport, inet->sport);
25787 -+ if (unlikely(p != NULL)) {
25788 -+ set->curr_ip = p->curr_ip;
25789 -+ set->used_accept = 1;
25790 -+ gr_del_task_from_ip_table_nolock(p);
25791 -+ spin_unlock_bh(&gr_conn_table_lock);
25792 -+ return;
25793 -+ }
25794 -+ spin_unlock_bh(&gr_conn_table_lock);
25795 -+
25796 -+ set->curr_ip = inet->daddr;
25797 -+ set->used_accept = 1;
25798 -+#endif
25799 -+ return;
25800 -+}
25801 -+
25802 -+int
25803 -+gr_handle_sock_all(const int family, const int type, const int protocol)
25804 -+{
25805 -+#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
25806 -+ if (grsec_enable_socket_all && in_group_p(grsec_socket_all_gid) &&
25807 -+ (family != AF_UNIX) && (family != AF_LOCAL)) {
25808 -+ gr_log_int_str2(GR_DONT_AUDIT, GR_SOCK2_MSG, family, gr_socktype_to_name(type), gr_proto_to_name(protocol));
25809 -+ return -EACCES;
25810 -+ }
25811 -+#endif
25812 -+ return 0;
25813 -+}
25814 -+
25815 -+int
25816 -+gr_handle_sock_server(const struct sockaddr *sck)
25817 -+{
25818 -+#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
25819 -+ if (grsec_enable_socket_server &&
25820 -+ in_group_p(grsec_socket_server_gid) &&
25821 -+ sck && (sck->sa_family != AF_UNIX) &&
25822 -+ (sck->sa_family != AF_LOCAL)) {
25823 -+ gr_log_noargs(GR_DONT_AUDIT, GR_BIND_MSG);
25824 -+ return -EACCES;
25825 -+ }
25826 -+#endif
25827 -+ return 0;
25828 -+}
25829 -+
25830 -+int
25831 -+gr_handle_sock_server_other(const struct sock *sck)
25832 -+{
25833 -+#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
25834 -+ if (grsec_enable_socket_server &&
25835 -+ in_group_p(grsec_socket_server_gid) &&
25836 -+ sck && (sck->sk_family != AF_UNIX) &&
25837 -+ (sck->sk_family != AF_LOCAL)) {
25838 -+ gr_log_noargs(GR_DONT_AUDIT, GR_BIND_MSG);
25839 -+ return -EACCES;
25840 -+ }
25841 -+#endif
25842 -+ return 0;
25843 -+}
25844 -+
25845 -+int
25846 -+gr_handle_sock_client(const struct sockaddr *sck)
25847 -+{
25848 -+#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
25849 -+ if (grsec_enable_socket_client && in_group_p(grsec_socket_client_gid) &&
25850 -+ sck && (sck->sa_family != AF_UNIX) &&
25851 -+ (sck->sa_family != AF_LOCAL)) {
25852 -+ gr_log_noargs(GR_DONT_AUDIT, GR_CONNECT_MSG);
25853 -+ return -EACCES;
25854 -+ }
25855 -+#endif
25856 -+ return 0;
25857 -+}
25858 -+
25859 -+__u32
25860 -+gr_cap_rtnetlink(struct sock *sock)
25861 -+{
25862 -+#ifdef CONFIG_GRKERNSEC
25863 -+ if (!gr_acl_is_enabled())
25864 -+ return current->cap_effective;
25865 -+ else if (sock->sk_protocol == NETLINK_ISCSI &&
25866 -+ cap_raised(current->cap_effective, CAP_SYS_ADMIN) &&
25867 -+ gr_task_is_capable(current, CAP_SYS_ADMIN))
25868 -+ return current->cap_effective;
25869 -+ else if (sock->sk_protocol == NETLINK_AUDIT &&
25870 -+ cap_raised(current->cap_effective, CAP_AUDIT_WRITE) &&
25871 -+ gr_task_is_capable(current, CAP_AUDIT_WRITE) &&
25872 -+ cap_raised(current->cap_effective, CAP_AUDIT_CONTROL) &&
25873 -+ gr_task_is_capable(current, CAP_AUDIT_CONTROL))
25874 -+ return current->cap_effective;
25875 -+ else if (cap_raised(current->cap_effective, CAP_NET_ADMIN) &&
25876 -+ gr_task_is_capable(current, CAP_NET_ADMIN))
25877 -+ return current->cap_effective;
25878 -+ else
25879 -+ return 0;
25880 -+#else
25881 -+ return current->cap_effective;
25882 -+#endif
25883 -+}
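
Review bot: gr_del_task_from_ip_table_nolock truncates the hash chain when the matching entry is the bucket head: with `last == NULL` it runs `gr_conn_table[index] = NULL;` instead of `gr_conn_table[index] = match->next;`, so every entry chained behind the head is leaked (never kfree'd) and becomes invisible to gr_lookup_task_ip_table, which in turn makes gr_attach_curr_ip fall back to `set->curr_ip = inet->daddr` instead of the inherited `p->curr_ip` for those connections. Change the else arm to `gr_conn_table[index] = match->next;`. Minor: `spinlock_t gr_conn_table_lock = SPIN_LOCK_UNLOCKED;` should be `DEFINE_SPINLOCK(gr_conn_table_lock);` on this kernel.
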
25884 -diff -urNp linux-2.6.24.4/grsecurity/grsec_sysctl.c linux-2.6.24.4/grsecurity/grsec_sysctl.c
25885 ---- linux-2.6.24.4/grsecurity/grsec_sysctl.c 1969-12-31 19:00:00.000000000 -0500
25886 -+++ linux-2.6.24.4/grsecurity/grsec_sysctl.c 2008-03-26 17:56:56.000000000 -0400
25887 -@@ -0,0 +1,435 @@
25888 -+#include <linux/kernel.h>
25889 -+#include <linux/sched.h>
25890 -+#include <linux/sysctl.h>
25891 -+#include <linux/grsecurity.h>
25892 -+#include <linux/grinternal.h>
25893 -+
25894 -+#ifdef CONFIG_GRKERNSEC_MODSTOP
25895 -+int grsec_modstop;
25896 -+#endif
25897 -+
25898 -+int
25899 -+gr_handle_sysctl_mod(const char *dirname, const char *name, const int op)
25900 -+{
25901 -+#ifdef CONFIG_GRKERNSEC_SYSCTL
25902 -+ if (!strcmp(dirname, "grsecurity") && grsec_lock && (op & 002)) {
25903 -+ gr_log_str(GR_DONT_AUDIT, GR_SYSCTL_MSG, name);
25904 -+ return -EACCES;
25905 -+ }
25906 -+#endif
25907 -+#ifdef CONFIG_GRKERNSEC_MODSTOP
25908 -+ if (!strcmp(dirname, "grsecurity") && !strcmp(name, "disable_modules") &&
25909 -+ grsec_modstop && (op & 002)) {
25910 -+ gr_log_str(GR_DONT_AUDIT, GR_SYSCTL_MSG, name);
25911 -+ return -EACCES;
25912 -+ }
25913 -+#endif
25914 -+ return 0;
25915 -+}
25916 -+
25917 -+#if defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_MODSTOP)
25918 -+ctl_table grsecurity_table[] = {
25919 -+#ifdef CONFIG_GRKERNSEC_SYSCTL
25920 -+#ifdef CONFIG_GRKERNSEC_LINK
25921 -+ {
25922 -+ .ctl_name = CTL_UNNUMBERED,
25923 -+ .procname = "linking_restrictions",
25924 -+ .data = &grsec_enable_link,
25925 -+ .maxlen = sizeof(int),
25926 -+ .mode = 0600,
25927 -+ .proc_handler = &proc_dointvec,
25928 -+ },
25929 -+#endif
25930 -+#ifdef CONFIG_GRKERNSEC_FIFO
25931 -+ {
25932 -+ .ctl_name = CTL_UNNUMBERED,
25933 -+ .procname = "fifo_restrictions",
25934 -+ .data = &grsec_enable_fifo,
25935 -+ .maxlen = sizeof(int),
25936 -+ .mode = 0600,
25937 -+ .proc_handler = &proc_dointvec,
25938 -+ },
25939 -+#endif
25940 -+#ifdef CONFIG_GRKERNSEC_EXECVE
25941 -+ {
25942 -+ .ctl_name = CTL_UNNUMBERED,
25943 -+ .procname = "execve_limiting",
25944 -+ .data = &grsec_enable_execve,
25945 -+ .maxlen = sizeof(int),
25946 -+ .mode = 0600,
25947 -+ .proc_handler = &proc_dointvec,
25948 -+ },
25949 -+#endif
25950 -+#ifdef CONFIG_GRKERNSEC_EXECLOG
25951 -+ {
25952 -+ .ctl_name = CTL_UNNUMBERED,
25953 -+ .procname = "exec_logging",
25954 -+ .data = &grsec_enable_execlog,
25955 -+ .maxlen = sizeof(int),
25956 -+ .mode = 0600,
25957 -+ .proc_handler = &proc_dointvec,
25958 -+ },
25959 -+#endif
25960 -+#ifdef CONFIG_GRKERNSEC_SIGNAL
25961 -+ {
25962 -+ .ctl_name = CTL_UNNUMBERED,
25963 -+ .procname = "signal_logging",
25964 -+ .data = &grsec_enable_signal,
25965 -+ .maxlen = sizeof(int),
25966 -+ .mode = 0600,
25967 -+ .proc_handler = &proc_dointvec,
25968 -+ },
25969 -+#endif
25970 -+#ifdef CONFIG_GRKERNSEC_FORKFAIL
25971 -+ {
25972 -+ .ctl_name = CTL_UNNUMBERED,
25973 -+ .procname = "forkfail_logging",
25974 -+ .data = &grsec_enable_forkfail,
25975 -+ .maxlen = sizeof(int),
25976 -+ .mode = 0600,
25977 -+ .proc_handler = &proc_dointvec,
25978 -+ },
25979 -+#endif
25980 -+#ifdef CONFIG_GRKERNSEC_TIME
25981 -+ {
25982 -+ .ctl_name = CTL_UNNUMBERED,
25983 -+ .procname = "timechange_logging",
25984 -+ .data = &grsec_enable_time,
25985 -+ .maxlen = sizeof(int),
25986 -+ .mode = 0600,
25987 -+ .proc_handler = &proc_dointvec,
25988 -+ },
25989 -+#endif
25990 -+#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT
25991 -+ {
25992 -+ .ctl_name = CTL_UNNUMBERED,
25993 -+ .procname = "chroot_deny_shmat",
25994 -+ .data = &grsec_enable_chroot_shmat,
25995 -+ .maxlen = sizeof(int),
25996 -+ .mode = 0600,
25997 -+ .proc_handler = &proc_dointvec,
25998 -+ },
25999 -+#endif
26000 -+#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
26001 -+ {
26002 -+ .ctl_name = CTL_UNNUMBERED,
26003 -+ .procname = "chroot_deny_unix",
26004 -+ .data = &grsec_enable_chroot_unix,
26005 -+ .maxlen = sizeof(int),
26006 -+ .mode = 0600,
26007 -+ .proc_handler = &proc_dointvec,
26008 -+ },
26009 -+#endif
26010 -+#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
26011 -+ {
26012 -+ .ctl_name = CTL_UNNUMBERED,
26013 -+ .procname = "chroot_deny_mount",
26014 -+ .data = &grsec_enable_chroot_mount,
26015 -+ .maxlen = sizeof(int),
26016 -+ .mode = 0600,
26017 -+ .proc_handler = &proc_dointvec,
26018 -+ },
26019 -+#endif
26020 -+#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
26021 -+ {
26022 -+ .ctl_name = CTL_UNNUMBERED,
26023 -+ .procname = "chroot_deny_fchdir",
26024 -+ .data = &grsec_enable_chroot_fchdir,
26025 -+ .maxlen = sizeof(int),
26026 -+ .mode = 0600,
26027 -+ .proc_handler = &proc_dointvec,
26028 -+ },
26029 -+#endif
26030 -+#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
26031 -+ {
26032 -+ .ctl_name = CTL_UNNUMBERED,
26033 -+ .procname = "chroot_deny_chroot",
26034 -+ .data = &grsec_enable_chroot_double,
26035 -+ .maxlen = sizeof(int),
26036 -+ .mode = 0600,
26037 -+ .proc_handler = &proc_dointvec,
26038 -+ },
26039 -+#endif
26040 -+#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT
26041 -+ {
26042 -+ .ctl_name = CTL_UNNUMBERED,
26043 -+ .procname = "chroot_deny_pivot",
26044 -+ .data = &grsec_enable_chroot_pivot,
26045 -+ .maxlen = sizeof(int),
26046 -+ .mode = 0600,
26047 -+ .proc_handler = &proc_dointvec,
26048 -+ },
26049 -+#endif
26050 -+#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
26051 -+ {
26052 -+ .ctl_name = CTL_UNNUMBERED,
26053 -+ .procname = "chroot_enforce_chdir",
26054 -+ .data = &grsec_enable_chroot_chdir,
26055 -+ .maxlen = sizeof(int),
26056 -+ .mode = 0600,
26057 -+ .proc_handler = &proc_dointvec,
26058 -+ },
26059 -+#endif
26060 -+#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
26061 -+ {
26062 -+ .ctl_name = CTL_UNNUMBERED,
26063 -+ .procname = "chroot_deny_chmod",
26064 -+ .data = &grsec_enable_chroot_chmod,
26065 -+ .maxlen = sizeof(int),
26066 -+ .mode = 0600,
26067 -+ .proc_handler = &proc_dointvec,
26068 -+ },
26069 -+#endif
26070 -+#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
26071 -+ {
26072 -+ .ctl_name = CTL_UNNUMBERED,
26073 -+ .procname = "chroot_deny_mknod",
26074 -+ .data = &grsec_enable_chroot_mknod,
26075 -+ .maxlen = sizeof(int),
26076 -+ .mode = 0600,
26077 -+ .proc_handler = &proc_dointvec,
26078 -+ },
26079 -+#endif
26080 -+#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
26081 -+ {
26082 -+ .ctl_name = CTL_UNNUMBERED,
26083 -+ .procname = "chroot_restrict_nice",
26084 -+ .data = &grsec_enable_chroot_nice,
26085 -+ .maxlen = sizeof(int),
26086 -+ .mode = 0600,
26087 -+ .proc_handler = &proc_dointvec,
26088 -+ },
26089 -+#endif
26090 -+#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
26091 -+ {
26092 -+ .ctl_name = CTL_UNNUMBERED,
26093 -+ .procname = "chroot_execlog",
26094 -+ .data = &grsec_enable_chroot_execlog,
26095 -+ .maxlen = sizeof(int),
26096 -+ .mode = 0600,
26097 -+ .proc_handler = &proc_dointvec,
26098 -+ },
26099 -+#endif
26100 -+#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
26101 -+ {
26102 -+ .ctl_name = CTL_UNNUMBERED,
26103 -+ .procname = "chroot_caps",
26104 -+ .data = &grsec_enable_chroot_caps,
26105 -+ .maxlen = sizeof(int),
26106 -+ .mode = 0600,
26107 -+ .proc_handler = &proc_dointvec,
26108 -+ },
26109 -+#endif
26110 -+#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
26111 -+ {
26112 -+ .ctl_name = CTL_UNNUMBERED,
26113 -+ .procname = "chroot_deny_sysctl",
26114 -+ .data = &grsec_enable_chroot_sysctl,
26115 -+ .maxlen = sizeof(int),
26116 -+ .mode = 0600,
26117 -+ .proc_handler = &proc_dointvec,
26118 -+ },
26119 -+#endif
26120 -+#ifdef CONFIG_GRKERNSEC_TPE
26121 -+ {
26122 -+ .ctl_name = CTL_UNNUMBERED,
26123 -+ .procname = "tpe",
26124 -+ .data = &grsec_enable_tpe,
26125 -+ .maxlen = sizeof(int),
26126 -+ .mode = 0600,
26127 -+ .proc_handler = &proc_dointvec,
26128 -+ },
26129 -+ {
26130 -+ .ctl_name = CTL_UNNUMBERED,
26131 -+ .procname = "tpe_gid",
26132 -+ .data = &grsec_tpe_gid,
26133 -+ .maxlen = sizeof(int),
26134 -+ .mode = 0600,
26135 -+ .proc_handler = &proc_dointvec,
26136 -+ },
26137 -+#endif
26138 -+#ifdef CONFIG_GRKERNSEC_TPE_ALL
26139 -+ {
26140 -+ .ctl_name = CTL_UNNUMBERED,
26141 -+ .procname = "tpe_restrict_all",
26142 -+ .data = &grsec_enable_tpe_all,
26143 -+ .maxlen = sizeof(int),
26144 -+ .mode = 0600,
26145 -+ .proc_handler = &proc_dointvec,
26146 -+ },
26147 -+#endif
26148 -+#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
26149 -+ {
26150 -+ .ctl_name = CTL_UNNUMBERED,
26151 -+ .procname = "socket_all",
26152 -+ .data = &grsec_enable_socket_all,
26153 -+ .maxlen = sizeof(int),
26154 -+ .mode = 0600,
26155 -+ .proc_handler = &proc_dointvec,
26156 -+ },
26157 -+ {
26158 -+ .ctl_name = CTL_UNNUMBERED,
26159 -+ .procname = "socket_all_gid",
26160 -+ .data = &grsec_socket_all_gid,
26161 -+ .maxlen = sizeof(int),
26162 -+ .mode = 0600,
26163 -+ .proc_handler = &proc_dointvec,
26164 -+ },
26165 -+#endif
26166 -+#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
26167 -+ {
26168 -+ .ctl_name = CTL_UNNUMBERED,
26169 -+ .procname = "socket_client",
26170 -+ .data = &grsec_enable_socket_client,
26171 -+ .maxlen = sizeof(int),
26172 -+ .mode = 0600,
26173 -+ .proc_handler = &proc_dointvec,
26174 -+ },
26175 -+ {
26176 -+ .ctl_name = CTL_UNNUMBERED,
26177 -+ .procname = "socket_client_gid",
26178 -+ .data = &grsec_socket_client_gid,
26179 -+ .maxlen = sizeof(int),
26180 -+ .mode = 0600,
26181 -+ .proc_handler = &proc_dointvec,
26182 -+ },
26183 -+#endif
26184 -+#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
26185 -+ {
26186 -+ .ctl_name = CTL_UNNUMBERED,
26187 -+ .procname = "socket_server",
26188 -+ .data = &grsec_enable_socket_server,
26189 -+ .maxlen = sizeof(int),
26190 -+ .mode = 0600,
26191 -+ .proc_handler = &proc_dointvec,
26192 -+ },
26193 -+ {
26194 -+ .ctl_name = CTL_UNNUMBERED,
26195 -+ .procname = "socket_server_gid",
26196 -+ .data = &grsec_socket_server_gid,
26197 -+ .maxlen = sizeof(int),
26198 -+ .mode = 0600,
26199 -+ .proc_handler = &proc_dointvec,
26200 -+ },
26201 -+#endif
26202 -+#ifdef CONFIG_GRKERNSEC_AUDIT_GROUP
26203 -+ {
26204 -+ .ctl_name = CTL_UNNUMBERED,
26205 -+ .procname = "audit_group",
26206 -+ .data = &grsec_enable_group,
26207 -+ .maxlen = sizeof(int),
26208 -+ .mode = 0600,
26209 -+ .proc_handler = &proc_dointvec,
26210 -+ },
26211 -+ {
26212 -+ .ctl_name = CTL_UNNUMBERED,
26213 -+ .procname = "audit_gid",
26214 -+ .data = &grsec_audit_gid,
26215 -+ .maxlen = sizeof(int),
26216 -+ .mode = 0600,
26217 -+ .proc_handler = &proc_dointvec,
26218 -+ },
26219 -+#endif
26220 -+#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR
26221 -+ {
26222 -+ .ctl_name = CTL_UNNUMBERED,
26223 -+ .procname = "audit_chdir",
26224 -+ .data = &grsec_enable_chdir,
26225 -+ .maxlen = sizeof(int),
26226 -+ .mode = 0600,
26227 -+ .proc_handler = &proc_dointvec,
26228 -+ },
26229 -+#endif
26230 -+#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
26231 -+ {
26232 -+ .ctl_name = CTL_UNNUMBERED,
26233 -+ .procname = "audit_mount",
26234 -+ .data = &grsec_enable_mount,
26235 -+ .maxlen = sizeof(int),
26236 -+ .mode = 0600,
26237 -+ .proc_handler = &proc_dointvec,
26238 -+ },
26239 -+#endif
26240 -+#ifdef CONFIG_GRKERNSEC_AUDIT_IPC
26241 -+ {
26242 -+ .ctl_name = CTL_UNNUMBERED,
26243 -+ .procname = "audit_ipc",
26244 -+ .data = &grsec_enable_audit_ipc,
26245 -+ .maxlen = sizeof(int),
26246 -+ .mode = 0600,
26247 -+ .proc_handler = &proc_dointvec,
26248 -+ },
26249 -+#endif
26250 -+#ifdef CONFIG_GRKERNSEC_AUDIT_TEXTREL
26251 -+ {
26252 -+ .ctl_name = CTL_UNNUMBERED,
26253 -+ .procname = "audit_textrel",
26254 -+ .data = &grsec_enable_audit_textrel,
26255 -+ .maxlen = sizeof(int),
26256 -+ .mode = 0600,
26257 -+ .proc_handler = &proc_dointvec,
26258 -+ },
26259 -+#endif
26260 -+#ifdef CONFIG_GRKERNSEC_DMESG
26261 -+ {
26262 -+ .ctl_name = CTL_UNNUMBERED,
26263 -+ .procname = "dmesg",
26264 -+ .data = &grsec_enable_dmesg,
26265 -+ .maxlen = sizeof(int),
26266 -+ .mode = 0600,
26267 -+ .proc_handler = &proc_dointvec,
26268 -+ },
26269 -+#endif
26270 -+#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
26271 -+ {
26272 -+ .ctl_name = CTL_UNNUMBERED,
26273 -+ .procname = "chroot_findtask",
26274 -+ .data = &grsec_enable_chroot_findtask,
26275 -+ .maxlen = sizeof(int),
26276 -+ .mode = 0600,
26277 -+ .proc_handler = &proc_dointvec,
26278 -+ },
26279 -+#endif
26280 -+#ifdef CONFIG_GRKERNSEC_RESLOG
26281 -+ {
26282 -+ .ctl_name = CTL_UNNUMBERED,
26283 -+ .procname = "resource_logging",
26284 -+ .data = &grsec_resource_logging,
26285 -+ .maxlen = sizeof(int),
26286 -+ .mode = 0600,
26287 -+ .proc_handler = &proc_dointvec,
26288 -+ },
26289 -+#endif
26290 -+ {
26291 -+ .ctl_name = CTL_UNNUMBERED,
26292 -+ .procname = "grsec_lock",
26293 -+ .data = &grsec_lock,
26294 -+ .maxlen = sizeof(int),
26295 -+ .mode = 0600,
26296 -+ .proc_handler = &proc_dointvec,
26297 -+ },
26298 -+#endif
26299 -+#ifdef CONFIG_GRKERNSEC_MODSTOP
26300 -+ {
26301 -+ .ctl_name = CTL_UNNUMBERED,
26302 -+ .procname = "disable_modules",
26303 -+ .data = &grsec_modstop,
26304 -+ .maxlen = sizeof(int),
26305 -+ .mode = 0600,
26306 -+ .proc_handler = &proc_dointvec,
26307 -+ },
26308 -+#endif
26309 -+ { .ctl_name = 0 }
26310 -+};
26311 -+#endif
26312 -+
26313 -+int gr_check_modstop(void)
26314 -+{
26315 -+#ifdef CONFIG_GRKERNSEC_MODSTOP
26316 -+ if (grsec_modstop == 1) {
26317 -+ gr_log_noargs(GR_DONT_AUDIT, GR_STOPMOD_MSG);
26318 -+ return 1;
26319 -+ }
26320 -+#endif
26321 -+ return 0;
26322 -+}
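Review bot: `gr_check_modstop()` treats only `grsec_modstop == 1` as "modules disabled", yet the `disable_modules` entry above is registered with plain `proc_dointvec`, which stores any integer; a write of 2 or -1 is accepted without disabling module loading, and the same handler lets every GID knob in this table (`tpe_gid`, `socket_*_gid`, `audit_gid`) take negative values. Use `proc_dointvec_minmax` with explicit bounds (0..1 for the boolean switches, 0..INT_MAX for GIDs), or at least test `grsec_modstop != 0`. A one-line comment above `gr_check_modstop()` naming where the Kconfig-promised "no further writes after set" rule is enforced would also help a reader of this file.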
26323 -diff -urNp linux-2.6.24.4/grsecurity/grsec_textrel.c linux-2.6.24.4/grsecurity/grsec_textrel.c
26324 ---- linux-2.6.24.4/grsecurity/grsec_textrel.c 1969-12-31 19:00:00.000000000 -0500
26325 -+++ linux-2.6.24.4/grsecurity/grsec_textrel.c 2008-03-26 17:56:56.000000000 -0400
26326 -@@ -0,0 +1,16 @@
26327 -+#include <linux/kernel.h>
26328 -+#include <linux/sched.h>
26329 -+#include <linux/mm.h>
26330 -+#include <linux/file.h>
26331 -+#include <linux/grinternal.h>
26332 -+#include <linux/grsecurity.h>
26333 -+
26334 -+void
26335 -+gr_log_textrel(struct vm_area_struct * vma)
26336 -+{
26337 -+#ifdef CONFIG_GRKERNSEC_AUDIT_TEXTREL
26338 -+ if (grsec_enable_audit_textrel)
26339 -+ gr_log_textrel_ulong_ulong(GR_DO_AUDIT, GR_TEXTREL_AUDIT_MSG, vma->vm_file, vma->vm_start, vma->vm_pgoff);
26340 -+#endif
26341 -+ return;
26342 -+}
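Review bot: `gr_log_textrel()` passes `vma->vm_file` straight into the logging macro; `vm_file` is NULL for anonymous mappings, so unless every caller guarantees a file-backed VMA the function should return early on `!vma->vm_file` (or the macro must tolerate NULL). Minor style: the trailing `return;` in a void function is redundant, and `struct vm_area_struct * vma` should be `struct vm_area_struct *vma` per kernel style.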
26343 -diff -urNp linux-2.6.24.4/grsecurity/grsec_time.c linux-2.6.24.4/grsecurity/grsec_time.c
26344 ---- linux-2.6.24.4/grsecurity/grsec_time.c 1969-12-31 19:00:00.000000000 -0500
26345 -+++ linux-2.6.24.4/grsecurity/grsec_time.c 2008-03-26 17:56:56.000000000 -0400
26346 -@@ -0,0 +1,13 @@
26347 -+#include <linux/kernel.h>
26348 -+#include <linux/sched.h>
26349 -+#include <linux/grinternal.h>
26350 -+
26351 -+void
26352 -+gr_log_timechange(void)
26353 -+{
26354 -+#ifdef CONFIG_GRKERNSEC_TIME
26355 -+ if (grsec_enable_time)
26356 -+ gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_TIME_MSG);
26357 -+#endif
26358 -+ return;
26359 -+}
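Review bot: the file has no comment stating which call sites invoke `gr_log_timechange()`, which a reader needs in order to judge the log volume this knob produces; a short header comment listing the callers would do. The explicit `return;` at the end of the void function is redundant and should be dropped.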
26360 -diff -urNp linux-2.6.24.4/grsecurity/grsec_tpe.c linux-2.6.24.4/grsecurity/grsec_tpe.c
26361 ---- linux-2.6.24.4/grsecurity/grsec_tpe.c 1969-12-31 19:00:00.000000000 -0500
26362 -+++ linux-2.6.24.4/grsecurity/grsec_tpe.c 2008-03-26 17:56:56.000000000 -0400
26363 -@@ -0,0 +1,37 @@
26364 -+#include <linux/kernel.h>
26365 -+#include <linux/sched.h>
26366 -+#include <linux/file.h>
26367 -+#include <linux/fs.h>
26368 -+#include <linux/grinternal.h>
26369 -+
26370 -+extern int gr_acl_tpe_check(void);
26371 -+
26372 -+int
26373 -+gr_tpe_allow(const struct file *file)
26374 -+{
26375 -+#ifdef CONFIG_GRKERNSEC
26376 -+ struct inode *inode = file->f_dentry->d_parent->d_inode;
26377 -+
26378 -+ if (current->uid && ((grsec_enable_tpe &&
26379 -+#ifdef CONFIG_GRKERNSEC_TPE_INVERT
26380 -+ !in_group_p(grsec_tpe_gid)
26381 -+#else
26382 -+ in_group_p(grsec_tpe_gid)
26383 -+#endif
26384 -+ ) || gr_acl_tpe_check()) &&
26385 -+ (inode->i_uid || (!inode->i_uid && ((inode->i_mode & S_IWGRP) ||
26386 -+ (inode->i_mode & S_IWOTH))))) {
26387 -+ gr_log_fs_generic(GR_DONT_AUDIT, GR_EXEC_TPE_MSG, file->f_dentry, file->f_vfsmnt);
26388 -+ return 0;
26389 -+ }
26390 -+#ifdef CONFIG_GRKERNSEC_TPE_ALL
26391 -+ if (current->uid && grsec_enable_tpe && grsec_enable_tpe_all &&
26392 -+ ((inode->i_uid && (inode->i_uid != current->uid)) ||
26393 -+ (inode->i_mode & S_IWGRP) || (inode->i_mode & S_IWOTH))) {
26394 -+ gr_log_fs_generic(GR_DONT_AUDIT, GR_EXEC_TPE_MSG, file->f_dentry, file->f_vfsmnt);
26395 -+ return 0;
26396 -+ }
26397 -+#endif
26398 -+#endif
26399 -+ return 1;
26400 -+}
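Review bot: both checks in `gr_tpe_allow()` are evaluated against the parent directory only (`file->f_dentry->d_parent->d_inode`), never against the executable's own inode, so a group- or world-writable binary inside a root-owned, non-writable directory passes even with `CONFIG_GRKERNSEC_TPE_ALL`; either document that TPE is deliberately directory-based or apply the same ownership/mode test to `file->f_dentry->d_inode`. The `d_parent` pointer is also read without `dcache_lock`, so a concurrent rename can change which directory is inspected between the read and the decision. Finally, `(inode->i_uid || (!inode->i_uid && ((inode->i_mode & S_IWGRP) || (inode->i_mode & S_IWOTH))))` simplifies to `inode->i_uid || (inode->i_mode & (S_IWGRP | S_IWOTH))`; the `!inode->i_uid` term is dead because of the preceding `||`.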
26401 -diff -urNp linux-2.6.24.4/grsecurity/grsum.c linux-2.6.24.4/grsecurity/grsum.c
26402 ---- linux-2.6.24.4/grsecurity/grsum.c 1969-12-31 19:00:00.000000000 -0500
26403 -+++ linux-2.6.24.4/grsecurity/grsum.c 2008-03-26 17:56:56.000000000 -0400
26404 -@@ -0,0 +1,59 @@
26405 -+#include <linux/err.h>
26406 -+#include <linux/kernel.h>
26407 -+#include <linux/sched.h>
26408 -+#include <linux/mm.h>
26409 -+#include <linux/scatterlist.h>
26410 -+#include <linux/crypto.h>
26411 -+#include <linux/gracl.h>
26412 -+
26413 -+
26414 -+#if !defined(CONFIG_CRYPTO) || defined(CONFIG_CRYPTO_MODULE) || !defined(CONFIG_CRYPTO_SHA256) || defined(CONFIG_CRYPTO_SHA256_MODULE)
26415 -+#error "crypto and sha256 must be built into the kernel"
26416 -+#endif
26417 -+
26418 -+int
26419 -+chkpw(struct gr_arg *entry, unsigned char *salt, unsigned char *sum)
26420 -+{
26421 -+ char *p;
26422 -+ struct crypto_hash *tfm;
26423 -+ struct hash_desc desc;
26424 -+ struct scatterlist sg;
26425 -+ unsigned char temp_sum[GR_SHA_LEN];
26426 -+ volatile int retval = 0;
26427 -+ volatile int dummy = 0;
26428 -+ unsigned int i;
26429 -+
26430 -+ tfm = crypto_alloc_hash("sha256", 0, CRYPTO_ALG_ASYNC);
26431 -+ if (IS_ERR(tfm)) {
26432 -+ /* should never happen, since sha256 should be built in */
26433 -+ return 1;
26434 -+ }
26435 -+
26436 -+ desc.tfm = tfm;
26437 -+ desc.flags = 0;
26438 -+
26439 -+ crypto_hash_init(&desc);
26440 -+
26441 -+ p = salt;
26442 -+ sg_set_buf(&sg, p, GR_SALT_LEN);
26443 -+ crypto_hash_update(&desc, &sg, sg.length);
26444 -+
26445 -+ p = entry->pw;
26446 -+ sg_set_buf(&sg, p, strlen(p));
26447 -+
26448 -+ crypto_hash_update(&desc, &sg, sg.length);
26449 -+
26450 -+ crypto_hash_final(&desc, temp_sum);
26451 -+
26452 -+ memset(entry->pw, 0, GR_PW_LEN);
26453 -+
26454 -+ for (i = 0; i < GR_SHA_LEN; i++)
26455 -+ if (sum[i] != temp_sum[i])
26456 -+ retval = 1;
26457 -+ else
26458 -+ dummy = 1; // waste a cycle
26459 -+
26460 -+ crypto_free_hash(tfm);
26461 -+
26462 -+ return retval;
26463 -+}
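Review bot: the comparison loop in `chkpw()` tries to be constant-time via the `else dummy = 1; // waste a cycle` branch, but a data-dependent branch is still a branch and the compiler may restructure it despite `volatile`; the standard form is `retval |= sum[i] ^ temp_sum[i];` followed by `return retval != 0;`, with no `volatile` needed. The return values of `crypto_hash_init()`, `crypto_hash_update()` and `crypto_hash_final()` are ignored, so a failing transform would compare against an uninitialised `temp_sum`; check each and return 1 (reject) on error. `strlen(p)` assumes `entry->pw` is NUL-terminated within `GR_PW_LEN`, and nothing in this hunk guarantees that; a comment pointing at where that is enforced, or an explicit `strnlen(p, GR_PW_LEN)`, would make the contract visible. Note also that a single SHA-256 pass over salt||password is cheap to brute-force offline if the policy file leaks; the in-kernel lockout only bounds online guessing, so an iterated construction would be the defensive choice.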
26464 -diff -urNp linux-2.6.24.4/grsecurity/Kconfig linux-2.6.24.4/grsecurity/Kconfig
26465 ---- linux-2.6.24.4/grsecurity/Kconfig 1969-12-31 19:00:00.000000000 -0500
26466 -+++ linux-2.6.24.4/grsecurity/Kconfig 2008-03-26 17:56:56.000000000 -0400
26467 -@@ -0,0 +1,861 @@
26468 -+#
26469 -+# grecurity configuration
26470 -+#
26471 -+
26472 -+menu "Grsecurity"
26473 -+
26474 -+config GRKERNSEC
26475 -+ bool "Grsecurity"
26476 -+ select CRYPTO
26477 -+ select CRYPTO_SHA256
26478 -+ select SECURITY
26479 -+ select SECURITY_CAPABILITIES
26480 -+ help
26481 -+ If you say Y here, you will be able to configure many features
26482 -+ that will enhance the security of your system. It is highly
26483 -+ recommended that you say Y here and read through the help
26484 -+ for each option so that you fully understand the features and
26485 -+ can evaluate their usefulness for your machine.
26486 -+
26487 -+choice
26488 -+ prompt "Security Level"
26489 -+ depends on GRKERNSEC
26490 -+ default GRKERNSEC_CUSTOM
26491 -+
26492 -+config GRKERNSEC_LOW
26493 -+ bool "Low"
26494 -+ select GRKERNSEC_LINK
26495 -+ select GRKERNSEC_FIFO
26496 -+ select GRKERNSEC_EXECVE
26497 -+ select GRKERNSEC_RANDNET
26498 -+ select GRKERNSEC_DMESG
26499 -+ select GRKERNSEC_CHROOT_CHDIR
26500 -+ select GRKERNSEC_MODSTOP if (MODULES)
26501 -+
26502 -+ help
26503 -+ If you choose this option, several of the grsecurity options will
26504 -+ be enabled that will give you greater protection against a number
26505 -+ of attacks, while assuring that none of your software will have any
26506 -+ conflicts with the additional security measures. If you run a lot
26507 -+ of unusual software, or you are having problems with the higher
26508 -+ security levels, you should say Y here. With this option, the
26509 -+ following features are enabled:
26510 -+
26511 -+ - Linking restrictions
26512 -+ - FIFO restrictions
26513 -+ - Enforcing RLIMIT_NPROC on execve
26514 -+ - Restricted dmesg
26515 -+ - Enforced chdir("/") on chroot
26516 -+ - Runtime module disabling
26517 -+
26518 -+config GRKERNSEC_MEDIUM
26519 -+ bool "Medium"
26520 -+ select PAX
26521 -+ select PAX_EI_PAX
26522 -+ select PAX_PT_PAX_FLAGS
26523 -+ select PAX_HAVE_ACL_FLAGS
26524 -+ select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
26525 -+ select GRKERNSEC_CHROOT_SYSCTL
26526 -+ select GRKERNSEC_LINK
26527 -+ select GRKERNSEC_FIFO
26528 -+ select GRKERNSEC_EXECVE
26529 -+ select GRKERNSEC_DMESG
26530 -+ select GRKERNSEC_RANDNET
26531 -+ select GRKERNSEC_FORKFAIL
26532 -+ select GRKERNSEC_TIME
26533 -+ select GRKERNSEC_SIGNAL
26534 -+ select GRKERNSEC_CHROOT
26535 -+ select GRKERNSEC_CHROOT_UNIX
26536 -+ select GRKERNSEC_CHROOT_MOUNT
26537 -+ select GRKERNSEC_CHROOT_PIVOT
26538 -+ select GRKERNSEC_CHROOT_DOUBLE
26539 -+ select GRKERNSEC_CHROOT_CHDIR
26540 -+ select GRKERNSEC_CHROOT_MKNOD
26541 -+ select GRKERNSEC_PROC
26542 -+ select GRKERNSEC_PROC_USERGROUP
26543 -+ select GRKERNSEC_MODSTOP if (MODULES)
26544 -+ select PAX_RANDUSTACK
26545 -+ select PAX_ASLR
26546 -+ select PAX_RANDMMAP
26547 -+
26548 -+ help
26549 -+ If you say Y here, several features in addition to those included
26550 -+ in the low additional security level will be enabled. These
26551 -+ features provide even more security to your system, though in rare
26552 -+ cases they may be incompatible with very old or poorly written
26553 -+ software. If you enable this option, make sure that your auth
26554 -+ service (identd) is running as gid 1001. With this option,
26555 -+ the following features (in addition to those provided in the
26556 -+ low additional security level) will be enabled:
26557 -+
26558 -+ - Failed fork logging
26559 -+ - Time change logging
26560 -+ - Signal logging
26561 -+ - Deny mounts in chroot
26562 -+ - Deny double chrooting
26563 -+ - Deny sysctl writes in chroot
26564 -+ - Deny mknod in chroot
26565 -+ - Deny access to abstract AF_UNIX sockets out of chroot
26566 -+ - Deny pivot_root in chroot
26567 -+ - Denied writes of /dev/kmem, /dev/mem, and /dev/port
26568 -+ - /proc restrictions with special GID set to 10 (usually wheel)
26569 -+ - Address Space Layout Randomization (ASLR)
26570 -+
26571 -+config GRKERNSEC_HIGH
26572 -+ bool "High"
26573 -+ select GRKERNSEC_LINK
26574 -+ select GRKERNSEC_FIFO
26575 -+ select GRKERNSEC_EXECVE
26576 -+ select GRKERNSEC_DMESG
26577 -+ select GRKERNSEC_FORKFAIL
26578 -+ select GRKERNSEC_TIME
26579 -+ select GRKERNSEC_SIGNAL
26580 -+ select GRKERNSEC_CHROOT_SHMAT
26581 -+ select GRKERNSEC_CHROOT_UNIX
26582 -+ select GRKERNSEC_CHROOT_MOUNT
26583 -+ select GRKERNSEC_CHROOT_FCHDIR
26584 -+ select GRKERNSEC_CHROOT_PIVOT
26585 -+ select GRKERNSEC_CHROOT_DOUBLE
26586 -+ select GRKERNSEC_CHROOT_CHDIR
26587 -+ select GRKERNSEC_CHROOT_MKNOD
26588 -+ select GRKERNSEC_CHROOT_CAPS
26589 -+ select GRKERNSEC_CHROOT_SYSCTL
26590 -+ select GRKERNSEC_CHROOT_FINDTASK
26591 -+ select GRKERNSEC_PROC
26592 -+ select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
26593 -+ select GRKERNSEC_HIDESYM
26594 -+ select GRKERNSEC_BRUTE
26595 -+ select GRKERNSEC_PROC_USERGROUP
26596 -+ select GRKERNSEC_KMEM
26597 -+ select GRKERNSEC_RESLOG
26598 -+ select GRKERNSEC_RANDNET
26599 -+ select GRKERNSEC_PROC_ADD
26600 -+ select GRKERNSEC_CHROOT_CHMOD
26601 -+ select GRKERNSEC_CHROOT_NICE
26602 -+ select GRKERNSEC_AUDIT_MOUNT
26603 -+ select GRKERNSEC_MODSTOP if (MODULES)
26604 -+ select PAX
26605 -+ select PAX_RANDUSTACK
26606 -+ select PAX_ASLR
26607 -+ select PAX_RANDMMAP
26608 -+ select PAX_NOEXEC
26609 -+ select PAX_MPROTECT
26610 -+ select PAX_EI_PAX
26611 -+ select PAX_PT_PAX_FLAGS
26612 -+ select PAX_HAVE_ACL_FLAGS
26613 -+ select PAX_KERNEXEC if (X86 && !EFI && !COMPAT_VDSO && !PARAVIRT && (!X86_32 || X86_WP_WORKS_OK))
26614 -+ select PAX_MEMORY_UDEREF if (!X86_64 && !COMPAT_VDSO)
26615 -+ select PAX_RANDKSTACK if (X86_TSC && !X86_64)
26616 -+ select PAX_SEGMEXEC if (X86 && !X86_64)
26617 -+ select PAX_PAGEEXEC if (!X86)
26618 -+ select PAX_EMUPLT if (ALPHA || PARISC || PPC32 || SPARC32 || SPARC64)
26619 -+ select PAX_DLRESOLVE if (SPARC32 || SPARC64)
26620 -+ select PAX_SYSCALL if (PPC32)
26621 -+ select PAX_EMUTRAMP if (PARISC)
26622 -+ select PAX_EMUSIGRT if (PARISC)
26623 -+ select PAX_ETEXECRELOCS if (ALPHA || IA64 || PARISC)
26624 -+ help
26625 -+ If you say Y here, many of the features of grsecurity will be
26626 -+ enabled, which will protect you against many kinds of attacks
26627 -+ against your system. The heightened security comes at a cost
26628 -+ of an increased chance of incompatibilities with rare software
26629 -+ on your machine. Since this security level enables PaX, you should
26630 -+ view <http://pax.grsecurity.net> and read about the PaX
26631 -+ project. While you are there, download chpax and run it on
26632 -+ binaries that cause problems with PaX. Also remember that
26633 -+ since the /proc restrictions are enabled, you must run your
26634 -+ identd as gid 1001. This security level enables the following
26635 -+ features in addition to those listed in the low and medium
26636 -+ security levels:
26637 -+
26638 -+ - Additional /proc restrictions
26639 -+ - Chmod restrictions in chroot
26640 -+ - No signals, ptrace, or viewing of processes outside of chroot
26641 -+ - Capability restrictions in chroot
26642 -+ - Deny fchdir out of chroot
26643 -+ - Priority restrictions in chroot
26644 -+ - Segmentation-based implementation of PaX
26645 -+ - Mprotect restrictions
26646 -+ - Removal of addresses from /proc/<pid>/[smaps|maps|stat]
26647 -+ - Kernel stack randomization
26648 -+ - Mount/unmount/remount logging
26649 -+ - Kernel symbol hiding
26650 -+ - Prevention of memory exhaustion-based exploits
26651 -+config GRKERNSEC_CUSTOM
26652 -+ bool "Custom"
26653 -+ help
26654 -+ If you say Y here, you will be able to configure every grsecurity
26655 -+ option, which allows you to enable many more features that aren't
26656 -+ covered in the basic security levels. These additional features
26657 -+ include TPE, socket restrictions, and the sysctl system for
26658 -+ grsecurity. It is advised that you read through the help for
26659 -+ each option to determine its usefulness in your situation.
26660 -+
26661 -+endchoice
26662 -+
26663 -+menu "Address Space Protection"
26664 -+depends on GRKERNSEC
26665 -+
26666 -+config GRKERNSEC_KMEM
26667 -+ bool "Deny writing to /dev/kmem, /dev/mem, and /dev/port"
26668 -+ help
26669 -+ If you say Y here, /dev/kmem and /dev/mem won't be allowed to
26670 -+ be written to via mmap or otherwise to modify the running kernel.
26671 -+ /dev/port will also not be allowed to be opened. If you have module
26672 -+ support disabled, enabling this will close up four ways that are
26673 -+ currently used to insert malicious code into the running kernel.
26674 -+ Even with all these features enabled, we still highly recommend that
26675 -+ you use the RBAC system, as it is still possible for an attacker to
26676 -+ modify the running kernel through privileged I/O granted by ioperm/iopl.
26677 -+ If you are not using XFree86, you may be able to stop this additional
26678 -+ case by enabling the 'Disable privileged I/O' option. Though nothing
26679 -+ legitimately writes to /dev/kmem, XFree86 does need to write to /dev/mem,
26680 -+ but only to video memory, which is the only writing we allow in this
26681 -+ case. If /dev/kmem or /dev/mem are mmaped without PROT_WRITE, they will
26682 -+ not be allowed to mprotect it with PROT_WRITE later.
26683 -+ It is highly recommended that you say Y here if you meet all the
26684 -+ conditions above.
26685 -+
26686 -+config GRKERNSEC_IO
26687 -+ bool "Disable privileged I/O"
26688 -+ depends on X86
26689 -+ select RTC
26690 -+ help
26691 -+ If you say Y here, all ioperm and iopl calls will return an error.
26692 -+ Ioperm and iopl can be used to modify the running kernel.
26693 -+ Unfortunately, some programs need this access to operate properly,
26694 -+ the most notable of which are XFree86 and hwclock. hwclock can be
26695 -+ remedied by having RTC support in the kernel, so CONFIG_RTC is
26696 -+ enabled if this option is enabled, to ensure that hwclock operates
26697 -+ correctly. XFree86 still will not operate correctly with this option
26698 -+ enabled, so DO NOT CHOOSE Y IF YOU USE XFree86. If you use XFree86
26699 -+ and you still want to protect your kernel against modification,
26700 -+ use the RBAC system.
26701 -+
26702 -+config GRKERNSEC_PROC_MEMMAP
26703 -+ bool "Remove addresses from /proc/<pid>/[smaps|maps|stat]"
26704 -+ depends on PAX_NOEXEC || PAX_ASLR
26705 -+ help
26706 -+ If you say Y here, the /proc/<pid>/maps and /proc/<pid>/stat files will
26707 -+ give no information about the addresses of its mappings if
26708 -+ PaX features that rely on random addresses are enabled on the task.
26709 -+ If you use PaX it is greatly recommended that you say Y here as it
26710 -+ closes up a hole that makes the full ASLR useless for suid
26711 -+ binaries.
26712 -+
26713 -+config GRKERNSEC_BRUTE
26714 -+ bool "Deter exploit bruteforcing"
26715 -+ help
26716 -+ If you say Y here, attempts to bruteforce exploits against forking
26717 -+ daemons such as apache or sshd will be deterred. When a child of a
26718 -+ forking daemon is killed by PaX or crashes due to an illegal
26719 -+ instruction, the parent process will be delayed 30 seconds upon every
26720 -+ subsequent fork until the administrator is able to assess the
26721 -+ situation and restart the daemon. It is recommended that you also
26722 -+ enable signal logging in the auditing section so that logs are
26723 -+ generated when a process performs an illegal instruction.
26724 -+
26725 -+config GRKERNSEC_MODSTOP
26726 -+ bool "Runtime module disabling"
26727 -+ depends on MODULES
26728 -+ help
26729 -+ If you say Y here, you will be able to disable the ability to (un)load
26730 -+ modules at runtime. This feature is useful if you need the ability
26731 -+ to load kernel modules at boot time, but do not want to allow an
26732 -+ attacker to load a rootkit kernel module into the system, or to remove
26733 -+ a loaded kernel module important to system functioning. You should
26734 -+ enable the /dev/mem protection feature as well, since rootkits can be
26735 -+ inserted into the kernel via other methods than kernel modules. Since
26736 -+ an untrusted module could still be loaded by modifying init scripts and
26737 -+ rebooting the system, it is also recommended that you enable the RBAC
26738 -+ system. If you enable this option, a sysctl option with name
26739 -+ "disable_modules" will be created. Setting this option to "1" disables
26740 -+ module loading. After this option is set, no further writes to it are
26741 -+ allowed until the system is rebooted.
26742 -+
26743 -+config GRKERNSEC_HIDESYM
26744 -+ bool "Hide kernel symbols"
26745 -+ help
26746 -+ If you say Y here, getting information on loaded modules, and
26747 -+ displaying all kernel symbols through a syscall will be restricted
26748 -+ to users with CAP_SYS_MODULE. This option is only effective
26749 -+ provided the following conditions are met:
26750 -+ 1) The kernel using grsecurity is not precompiled by some distribution
26751 -+ 2) You are using the RBAC system and hiding other files such as your
26752 -+ kernel image and System.map
26753 -+ 3) You have the additional /proc restrictions enabled, which removes
26754 -+ /proc/kcore
26755 -+ If the above conditions are met, this option will aid to provide a
26756 -+ useful protection against local and remote kernel exploitation of
26757 -+ overflows and arbitrary read/write vulnerabilities.
26758 -+
26759 -+endmenu
26760 -+menu "Role Based Access Control Options"
26761 -+depends on GRKERNSEC
26762 -+
26763 -+config GRKERNSEC_ACL_HIDEKERN
26764 -+ bool "Hide kernel processes"
26765 -+ help
26766 -+ If you say Y here, all kernel threads will be hidden to all
26767 -+ processes but those whose subject has the "view hidden processes"
26768 -+ flag.
26769 -+
26770 -+config GRKERNSEC_ACL_MAXTRIES
26771 -+ int "Maximum tries before password lockout"
26772 -+ default 3
26773 -+ help
26774 -+ This option enforces the maximum number of times a user can attempt
26775 -+ to authorize themselves with the grsecurity RBAC system before being
26776 -+ denied the ability to attempt authorization again for a specified time.
26777 -+ The lower the number, the harder it will be to brute-force a password.
26778 -+
26779 -+config GRKERNSEC_ACL_TIMEOUT
26780 -+ int "Time to wait after max password tries, in seconds"
26781 -+ default 30
26782 -+ help
26783 -+ This option specifies the time the user must wait after attempting to
26784 -+ authorize to the RBAC system with the maximum number of invalid
26785 -+ passwords. The higher the number, the harder it will be to brute-force
26786 -+ a password.
26787 -+
26788 -+endmenu
26789 -+menu "Filesystem Protections"
26790 -+depends on GRKERNSEC
26791 -+
26792 -+config GRKERNSEC_PROC
26793 -+ bool "Proc restrictions"
26794 -+ help
26795 -+ If you say Y here, the permissions of the /proc filesystem
26796 -+ will be altered to enhance system security and privacy. You MUST
26797 -+ choose either a user only restriction or a user and group restriction.
26798 -+ Depending upon the option you choose, you can either restrict users to
26799 -+ see only the processes they themselves run, or choose a group that can
26800 -+ view all processes and files normally restricted to root if you choose
26801 -+ the "restrict to user only" option. NOTE: If you're running identd as
26802 -+ a non-root user, you will have to run it as the group you specify here.
26803 -+
26804 -+config GRKERNSEC_PROC_USER
26805 -+ bool "Restrict /proc to user only"
26806 -+ depends on GRKERNSEC_PROC
26807 -+ help
26808 -+ If you say Y here, non-root users will only be able to view their own
26809 -+ processes, and restricts them from viewing network-related information,
26810 -+ and viewing kernel symbol and module information.
26811 -+
26812 -+config GRKERNSEC_PROC_USERGROUP
26813 -+ bool "Allow special group"
26814 -+ depends on GRKERNSEC_PROC && !GRKERNSEC_PROC_USER
26815 -+ help
26816 -+ If you say Y here, you will be able to select a group that will be
26817 -+ able to view all processes, network-related information, and
26818 -+ kernel and symbol information. This option is useful if you want
26819 -+ to run identd as a non-root user.
26820 -+
26821 -+config GRKERNSEC_PROC_GID
26822 -+ int "GID for special group"
26823 -+ depends on GRKERNSEC_PROC_USERGROUP
26824 -+ default 1001
26825 -+
26826 -+config GRKERNSEC_PROC_ADD
26827 -+ bool "Additional restrictions"
26828 -+ depends on GRKERNSEC_PROC_USER || GRKERNSEC_PROC_USERGROUP
26829 -+ help
26830 -+ If you say Y here, additional restrictions will be placed on
26831 -+ /proc that keep normal users from viewing device information and
26832 -+ slabinfo information that could be useful for exploits.
26833 -+
26834 -+config GRKERNSEC_LINK
26835 -+ bool "Linking restrictions"
26836 -+ help
26837 -+ If you say Y here, /tmp race exploits will be prevented, since users
26838 -+ will no longer be able to follow symlinks owned by other users in
26839 -+ world-writable +t directories (i.e. /tmp), unless the owner of the
26840 -+ symlink is the owner of the directory. users will also not be
26841 -+ able to hardlink to files they do not own. If the sysctl option is
26842 -+ enabled, a sysctl option with name "linking_restrictions" is created.
26843 -+
26844 -+config GRKERNSEC_FIFO
26845 -+ bool "FIFO restrictions"
26846 -+ help
26847 -+ If you say Y here, users will not be able to write to FIFOs they don't
26848 -+ own in world-writable +t directories (i.e. /tmp), unless the owner of
26849 -+ the FIFO is the same owner of the directory it's held in. If the sysctl
26850 -+ option is enabled, a sysctl option with name "fifo_restrictions" is
26851 -+ created.
26852 -+
26853 -+config GRKERNSEC_CHROOT
26854 -+ bool "Chroot jail restrictions"
26855 -+ help
26856 -+ If you say Y here, you will be able to choose several options that will
26857 -+ make breaking out of a chrooted jail much more difficult. If you
26858 -+ encounter no software incompatibilities with the following options, it
26859 -+ is recommended that you enable each one.
26860 -+
26861 -+config GRKERNSEC_CHROOT_MOUNT
26862 -+ bool "Deny mounts"
26863 -+ depends on GRKERNSEC_CHROOT
26864 -+ help
26865 -+ If you say Y here, processes inside a chroot will not be able to
26866 -+ mount or remount filesystems. If the sysctl option is enabled, a
26867 -+ sysctl option with name "chroot_deny_mount" is created.
26868 -+
26869 -+config GRKERNSEC_CHROOT_DOUBLE
26870 -+ bool "Deny double-chroots"
26871 -+ depends on GRKERNSEC_CHROOT
26872 -+ help
26873 -+ If you say Y here, processes inside a chroot will not be able to chroot
26874 -+ again outside the chroot. This is a widely used method of breaking
26875 -+ out of a chroot jail and should not be allowed. If the sysctl
26876 -+ option is enabled, a sysctl option with name
26877 -+ "chroot_deny_chroot" is created.
26878 -+
26879 -+config GRKERNSEC_CHROOT_PIVOT
26880 -+ bool "Deny pivot_root in chroot"
26881 -+ depends on GRKERNSEC_CHROOT
26882 -+ help
26883 -+ If you say Y here, processes inside a chroot will not be able to use
26884 -+ a function called pivot_root() that was introduced in Linux 2.3.41. It
26885 -+ works similar to chroot in that it changes the root filesystem. This
26886 -+ function could be misused in a chrooted process to attempt to break out
26887 -+ of the chroot, and therefore should not be allowed. If the sysctl
26888 -+ option is enabled, a sysctl option with name "chroot_deny_pivot" is
26889 -+ created.
26890 -+
26891 -+config GRKERNSEC_CHROOT_CHDIR
26892 -+ bool "Enforce chdir(\"/\") on all chroots"
26893 -+ depends on GRKERNSEC_CHROOT
26894 -+ help
26895 -+ If you say Y here, the current working directory of all newly-chrooted
26896 -+ applications will be set to the the root directory of the chroot.
26897 -+ The man page on chroot(2) states:
26898 -+ Note that this call does not change the current working
26899 -+ directory, so that `.' can be outside the tree rooted at
26900 -+ `/'. In particular, the super-user can escape from a
26901 -+ `chroot jail' by doing `mkdir foo; chroot foo; cd ..'.
26902 -+
26903 -+ It is recommended that you say Y here, since it's not known to break
26904 -+ any software. If the sysctl option is enabled, a sysctl option with
26905 -+ name "chroot_enforce_chdir" is created.
26906 -+
26907 -+config GRKERNSEC_CHROOT_CHMOD
26908 -+ bool "Deny (f)chmod +s"
26909 -+ depends on GRKERNSEC_CHROOT
26910 -+ help
26911 -+ If you say Y here, processes inside a chroot will not be able to chmod
26912 -+ or fchmod files to make them have suid or sgid bits. This protects
26913 -+ against another published method of breaking a chroot. If the sysctl
26914 -+ option is enabled, a sysctl option with name "chroot_deny_chmod" is
26915 -+ created.
26916 -+
26917 -+config GRKERNSEC_CHROOT_FCHDIR
26918 -+ bool "Deny fchdir out of chroot"
26919 -+ depends on GRKERNSEC_CHROOT
26920 -+ help
26921 -+ If you say Y here, a well-known method of breaking chroots by fchdir'ing
26922 -+ to a file descriptor of the chrooting process that points to a directory
26923 -+ outside the filesystem will be stopped. If the sysctl option
26924 -+ is enabled, a sysctl option with name "chroot_deny_fchdir" is created.
26925 -+
26926 -+config GRKERNSEC_CHROOT_MKNOD
26927 -+ bool "Deny mknod"
26928 -+ depends on GRKERNSEC_CHROOT
26929 -+ help
26930 -+ If you say Y here, processes inside a chroot will not be allowed to
26931 -+ mknod. The problem with using mknod inside a chroot is that it
26932 -+ would allow an attacker to create a device entry that is the same
26933 -+ as one on the physical root of your system, which could range from
26934 -+ anything from the console device to a device for your harddrive (which
26935 -+ they could then use to wipe the drive or steal data). It is recommended
26936 -+ that you say Y here, unless you run into software incompatibilities.
26937 -+ If the sysctl option is enabled, a sysctl option with name
26938 -+ "chroot_deny_mknod" is created.
26939 -+
26940 -+config GRKERNSEC_CHROOT_SHMAT
26941 -+ bool "Deny shmat() out of chroot"
26942 -+ depends on GRKERNSEC_CHROOT
26943 -+ help
26944 -+ If you say Y here, processes inside a chroot will not be able to attach
26945 -+ to shared memory segments that were created outside of the chroot jail.
26946 -+ It is recommended that you say Y here. If the sysctl option is enabled,
26947 -+ a sysctl option with name "chroot_deny_shmat" is created.
26948 -+
26949 -+config GRKERNSEC_CHROOT_UNIX
26950 -+ bool "Deny access to abstract AF_UNIX sockets out of chroot"
26951 -+ depends on GRKERNSEC_CHROOT
26952 -+ help
26953 -+ If you say Y here, processes inside a chroot will not be able to
26954 -+ connect to abstract (meaning not belonging to a filesystem) Unix
26955 -+ domain sockets that were bound outside of a chroot. It is recommended
26956 -+ that you say Y here. If the sysctl option is enabled, a sysctl option
26957 -+ with name "chroot_deny_unix" is created.
26958 -+
26959 -+config GRKERNSEC_CHROOT_FINDTASK
26960 -+ bool "Protect outside processes"
26961 -+ depends on GRKERNSEC_CHROOT
26962 -+ help
26963 -+ If you say Y here, processes inside a chroot will not be able to
26964 -+ kill, send signals with fcntl, ptrace, capget, getpgid, getsid,
26965 -+ or view any process outside of the chroot. If the sysctl
26966 -+ option is enabled, a sysctl option with name "chroot_findtask" is
26967 -+ created.
26968 -+
26969 -+config GRKERNSEC_CHROOT_NICE
26970 -+ bool "Restrict priority changes"
26971 -+ depends on GRKERNSEC_CHROOT
26972 -+ help
26973 -+ If you say Y here, processes inside a chroot will not be able to raise
26974 -+ the priority of processes in the chroot, or alter the priority of
26975 -+ processes outside the chroot. This provides more security than simply
26976 -+ removing CAP_SYS_NICE from the process' capability set. If the
26977 -+ sysctl option is enabled, a sysctl option with name "chroot_restrict_nice"
26978 -+ is created.
26979 -+
26980 -+config GRKERNSEC_CHROOT_SYSCTL
26981 -+ bool "Deny sysctl writes"
26982 -+ depends on GRKERNSEC_CHROOT
26983 -+ help
26984 -+ If you say Y here, an attacker in a chroot will not be able to
26985 -+ write to sysctl entries, either by sysctl(2) or through a /proc
26986 -+ interface. It is strongly recommended that you say Y here. If the
26987 -+ sysctl option is enabled, a sysctl option with name
26988 -+ "chroot_deny_sysctl" is created.
26989 -+
26990 -+config GRKERNSEC_CHROOT_CAPS
26991 -+ bool "Capability restrictions"
26992 -+ depends on GRKERNSEC_CHROOT
26993 -+ help
26994 -+ If you say Y here, the capabilities on all root processes within a
26995 -+ chroot jail will be lowered to stop module insertion, raw i/o,
26996 -+ system and net admin tasks, rebooting the system, modifying immutable
26997 -+ files, modifying IPC owned by another, and changing the system time.
26998 -+ This is left an option because it can break some apps. Disable this
26999 -+ if your chrooted apps are having problems performing those kinds of
27000 -+ tasks. If the sysctl option is enabled, a sysctl option with
27001 -+ name "chroot_caps" is created.
27002 -+
27003 -+endmenu
27004 -+menu "Kernel Auditing"
27005 -+depends on GRKERNSEC
27006 -+
27007 -+config GRKERNSEC_AUDIT_GROUP
27008 -+ bool "Single group for auditing"
27009 -+ help
27010 -+ If you say Y here, the exec, chdir, (un)mount, and ipc logging features
27011 -+ will only operate on a group you specify. This option is recommended
27012 -+ if you only want to watch certain users instead of having a large
27013 -+ amount of logs from the entire system. If the sysctl option is enabled,
27014 -+ a sysctl option with name "audit_group" is created.
27015 -+
27016 -+config GRKERNSEC_AUDIT_GID
27017 -+ int "GID for auditing"
27018 -+ depends on GRKERNSEC_AUDIT_GROUP
27019 -+ default 1007
27020 -+
27021 -+config GRKERNSEC_EXECLOG
27022 -+ bool "Exec logging"
27023 -+ help
27024 -+ If you say Y here, all execve() calls will be logged (since the
27025 -+ other exec*() calls are frontends to execve(), all execution
27026 -+ will be logged). Useful for shell-servers that like to keep track
27027 -+ of their users. If the sysctl option is enabled, a sysctl option with
27028 -+ name "exec_logging" is created.
27029 -+ WARNING: This option when enabled will produce a LOT of logs, especially
27030 -+ on an active system.
27031 -+
27032 -+config GRKERNSEC_RESLOG
27033 -+ bool "Resource logging"
27034 -+ help
27035 -+ If you say Y here, all attempts to overstep resource limits will
27036 -+ be logged with the resource name, the requested size, and the current
27037 -+ limit. It is highly recommended that you say Y here. If the sysctl
27038 -+ option is enabled, a sysctl option with name "resource_logging" is
27039 -+ created. If the RBAC system is enabled, the sysctl value is ignored.
27040 -+
27041 -+config GRKERNSEC_CHROOT_EXECLOG
27042 -+ bool "Log execs within chroot"
27043 -+ help
27044 -+ If you say Y here, all executions inside a chroot jail will be logged
27045 -+ to syslog. This can cause a large amount of logs if certain
27046 -+ applications (eg. djb's daemontools) are installed on the system, and
27047 -+ is therefore left as an option. If the sysctl option is enabled, a
27048 -+ sysctl option with name "chroot_execlog" is created.
27049 -+
27050 -+config GRKERNSEC_AUDIT_CHDIR
27051 -+ bool "Chdir logging"
27052 -+ help
27053 -+ If you say Y here, all chdir() calls will be logged. If the sysctl
27054 -+ option is enabled, a sysctl option with name "audit_chdir" is created.
27055 -+
27056 -+config GRKERNSEC_AUDIT_MOUNT
27057 -+ bool "(Un)Mount logging"
27058 -+ help
27059 -+ If you say Y here, all mounts and unmounts will be logged. If the
27060 -+ sysctl option is enabled, a sysctl option with name "audit_mount" is
27061 -+ created.
27062 -+
27063 -+config GRKERNSEC_AUDIT_IPC
27064 -+ bool "IPC logging"
27065 -+ help
27066 -+ If you say Y here, creation and removal of message queues, semaphores,
27067 -+ and shared memory will be logged. If the sysctl option is enabled, a
27068 -+ sysctl option with name "audit_ipc" is created.
27069 -+
27070 -+config GRKERNSEC_SIGNAL
27071 -+ bool "Signal logging"
27072 -+ help
27073 -+ If you say Y here, certain important signals will be logged, such as
27074 -+ SIGSEGV, which will as a result inform you of when a error in a program
27075 -+ occurred, which in some cases could mean a possible exploit attempt.
27076 -+ If the sysctl option is enabled, a sysctl option with name
27077 -+ "signal_logging" is created.
27078 -+
27079 -+config GRKERNSEC_FORKFAIL
27080 -+ bool "Fork failure logging"
27081 -+ help
27082 -+ If you say Y here, all failed fork() attempts will be logged.
27083 -+ This could suggest a fork bomb, or someone attempting to overstep
27084 -+ their process limit. If the sysctl option is enabled, a sysctl option
27085 -+ with name "forkfail_logging" is created.
27086 -+
27087 -+config GRKERNSEC_TIME
27088 -+ bool "Time change logging"
27089 -+ help
27090 -+ If you say Y here, any changes of the system clock will be logged.
27091 -+ If the sysctl option is enabled, a sysctl option with name
27092 -+ "timechange_logging" is created.
27093 -+
27094 -+config GRKERNSEC_PROC_IPADDR
27095 -+ bool "/proc/<pid>/ipaddr support"
27096 -+ help
27097 -+ If you say Y here, a new entry will be added to each /proc/<pid>
27098 -+ directory that contains the IP address of the person using the task.
27099 -+ The IP is carried across local TCP and AF_UNIX stream sockets.
27100 -+ This information can be useful for IDS/IPSes to perform remote response
27101 -+ to a local attack. The entry is readable by only the owner of the
27102 -+ process (and root if he has CAP_DAC_OVERRIDE, which can be removed via
27103 -+ the RBAC system), and thus does not create privacy concerns.
27104 -+
27105 -+config GRKERNSEC_AUDIT_TEXTREL
27106 -+ bool 'ELF text relocations logging (READ HELP)'
27107 -+ depends on PAX_MPROTECT
27108 -+ help
27109 -+ If you say Y here, text relocations will be logged with the filename
27110 -+ of the offending library or binary. The purpose of the feature is
27111 -+ to help Linux distribution developers get rid of libraries and
27112 -+ binaries that need text relocations which hinder the future progress
27113 -+ of PaX. Only Linux distribution developers should say Y here, and
27114 -+ never on a production machine, as this option creates an information
27115 -+ leak that could aid an attacker in defeating the randomization of
27116 -+ a single memory region. If the sysctl option is enabled, a sysctl
27117 -+ option with name "audit_textrel" is created.
27118 -+
27119 -+endmenu
27120 -+
27121 -+menu "Executable Protections"
27122 -+depends on GRKERNSEC
27123 -+
27124 -+config GRKERNSEC_EXECVE
27125 -+ bool "Enforce RLIMIT_NPROC on execs"
27126 -+ help
27127 -+ If you say Y here, users with a resource limit on processes will
27128 -+ have the value checked during execve() calls. The current system
27129 -+ only checks the system limit during fork() calls. If the sysctl option
27130 -+ is enabled, a sysctl option with name "execve_limiting" is created.
27131 -+
27132 -+config GRKERNSEC_DMESG
27133 -+ bool "Dmesg(8) restriction"
27134 -+ help
27135 -+ If you say Y here, non-root users will not be able to use dmesg(8)
27136 -+ to view up to the last 4kb of messages in the kernel's log buffer.
27137 -+ If the sysctl option is enabled, a sysctl option with name "dmesg" is
27138 -+ created.
27139 -+
27140 -+config GRKERNSEC_TPE
27141 -+ bool "Trusted Path Execution (TPE)"
27142 -+ help
27143 -+ If you say Y here, you will be able to choose a gid to add to the
27144 -+ supplementary groups of users you want to mark as "untrusted."
27145 -+ These users will not be able to execute any files that are not in
27146 -+ root-owned directories writable only by root. If the sysctl option
27147 -+ is enabled, a sysctl option with name "tpe" is created.
27148 -+
27149 -+config GRKERNSEC_TPE_ALL
27150 -+ bool "Partially restrict non-root users"
27151 -+ depends on GRKERNSEC_TPE
27152 -+ help
27153 -+ If you say Y here, All non-root users other than the ones in the
27154 -+ group specified in the main TPE option will only be allowed to
27155 -+ execute files in directories they own that are not group or
27156 -+ world-writable, or in directories owned by root and writable only by
27157 -+ root. If the sysctl option is enabled, a sysctl option with name
27158 -+ "tpe_restrict_all" is created.
27159 -+
27160 -+config GRKERNSEC_TPE_INVERT
27161 -+ bool "Invert GID option"
27162 -+ depends on GRKERNSEC_TPE
27163 -+ help
27164 -+ If you say Y here, the group you specify in the TPE configuration will
27165 -+ decide what group TPE restrictions will be *disabled* for. This
27166 -+ option is useful if you want TPE restrictions to be applied to most
27167 -+ users on the system.
27168 -+
27169 -+config GRKERNSEC_TPE_GID
27170 -+ int "GID for untrusted users"
27171 -+ depends on GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT
27172 -+ default 1005
27173 -+ help
27174 -+ If you have selected the "Invert GID option" above, setting this
27175 -+ GID determines what group TPE restrictions will be *disabled* for.
27176 -+ If you have not selected the "Invert GID option" above, setting this
27177 -+ GID determines what group TPE restrictions will be *enabled* for.
27178 -+ If the sysctl option is enabled, a sysctl option with name "tpe_gid"
27179 -+ is created.
27180 -+
27181 -+config GRKERNSEC_TPE_GID
27182 -+ int "GID for trusted users"
27183 -+ depends on GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT
27184 -+ default 1005
27185 -+ help
27186 -+ If you have selected the "Invert GID option" above, setting this
27187 -+ GID determines what group TPE restrictions will be *disabled* for.
27188 -+ If you have not selected the "Invert GID option" above, setting this
27189 -+ GID determines what group TPE restrictions will be *enabled* for.
27190 -+ If the sysctl option is enabled, a sysctl option with name "tpe_gid"
27191 -+ is created.
27192 -+
27193 -+endmenu
27194 -+menu "Network Protections"
27195 -+depends on GRKERNSEC
27196 -+
27197 -+config GRKERNSEC_RANDNET
27198 -+ bool "Larger entropy pools"
27199 -+ help
27200 -+ If you say Y here, the entropy pools used for many features of Linux
27201 -+ and grsecurity will be doubled in size. Since several grsecurity
27202 -+ features use additional randomness, it is recommended that you say Y
27203 -+ here. Saying Y here has a similar effect as modifying
27204 -+ /proc/sys/kernel/random/poolsize.
27205 -+
27206 -+config GRKERNSEC_SOCKET
27207 -+ bool "Socket restrictions"
27208 -+ help
27209 -+ If you say Y here, you will be able to choose from several options.
27210 -+ If you assign a GID on your system and add it to the supplementary
27211 -+ groups of users you want to restrict socket access to, this patch
27212 -+ will perform up to three things, based on the option(s) you choose.
27213 -+
27214 -+config GRKERNSEC_SOCKET_ALL
27215 -+ bool "Deny any sockets to group"
27216 -+ depends on GRKERNSEC_SOCKET
27217 -+ help
27218 -+ If you say Y here, you will be able to choose a GID of whose users will
27219 -+ be unable to connect to other hosts from your machine or run server
27220 -+ applications from your machine. If the sysctl option is enabled, a
27221 -+ sysctl option with name "socket_all" is created.
27222 -+
27223 -+config GRKERNSEC_SOCKET_ALL_GID
27224 -+ int "GID to deny all sockets for"
27225 -+ depends on GRKERNSEC_SOCKET_ALL
27226 -+ default 1004
27227 -+ help
27228 -+ Here you can choose the GID to disable socket access for. Remember to
27229 -+ add the users you want socket access disabled for to the GID
27230 -+ specified here. If the sysctl option is enabled, a sysctl option
27231 -+ with name "socket_all_gid" is created.
27232 -+
27233 -+config GRKERNSEC_SOCKET_CLIENT
27234 -+ bool "Deny client sockets to group"
27235 -+ depends on GRKERNSEC_SOCKET
27236 -+ help
27237 -+ If you say Y here, you will be able to choose a GID of whose users will
27238 -+ be unable to connect to other hosts from your machine, but will be
27239 -+ able to run servers. If this option is enabled, all users in the group
27240 -+ you specify will have to use passive mode when initiating ftp transfers
27241 -+ from the shell on your machine. If the sysctl option is enabled, a
27242 -+ sysctl option with name "socket_client" is created.
27243 -+
27244 -+config GRKERNSEC_SOCKET_CLIENT_GID
27245 -+ int "GID to deny client sockets for"
27246 -+ depends on GRKERNSEC_SOCKET_CLIENT
27247 -+ default 1003
27248 -+ help
27249 -+ Here you can choose the GID to disable client socket access for.
27250 -+ Remember to add the users you want client socket access disabled for to
27251 -+ the GID specified here. If the sysctl option is enabled, a sysctl
27252 -+ option with name "socket_client_gid" is created.
27253 -+
27254 -+config GRKERNSEC_SOCKET_SERVER
27255 -+ bool "Deny server sockets to group"
27256 -+ depends on GRKERNSEC_SOCKET
27257 -+ help
27258 -+ If you say Y here, you will be able to choose a GID of whose users will
27259 -+ be unable to run server applications from your machine. If the sysctl
27260 -+ option is enabled, a sysctl option with name "socket_server" is created.
27261 -+
27262 -+config GRKERNSEC_SOCKET_SERVER_GID
27263 -+ int "GID to deny server sockets for"
27264 -+ depends on GRKERNSEC_SOCKET_SERVER
27265 -+ default 1002
27266 -+ help
27267 -+ Here you can choose the GID to disable server socket access for.
27268 -+ Remember to add the users you want server socket access disabled for to
27269 -+ the GID specified here. If the sysctl option is enabled, a sysctl
27270 -+ option with name "socket_server_gid" is created.
27271 -+
27272 -+endmenu
27273 -+menu "Sysctl support"
27274 -+depends on GRKERNSEC && SYSCTL
27275 -+
27276 -+config GRKERNSEC_SYSCTL
27277 -+ bool "Sysctl support"
27278 -+ help
27279 -+ If you say Y here, you will be able to change the options that
27280 -+ grsecurity runs with at bootup, without having to recompile your
27281 -+ kernel. You can echo values to files in /proc/sys/kernel/grsecurity
27282 -+ to enable (1) or disable (0) various features. All the sysctl entries
27283 -+ are mutable until the "grsec_lock" entry is set to a non-zero value.
27284 -+ All features enabled in the kernel configuration are disabled at boot
27285 -+ if you do not say Y to the "Turn on features by default" option.
27286 -+ All options should be set at startup, and the grsec_lock entry should
27287 -+ be set to a non-zero value after all the options are set.
27288 -+ *THIS IS EXTREMELY IMPORTANT*
27289 -+
27290 -+config GRKERNSEC_SYSCTL_ON
27291 -+ bool "Turn on features by default"
27292 -+ depends on GRKERNSEC_SYSCTL
27293 -+ help
27294 -+ If you say Y here, instead of having all features enabled in the
27295 -+ kernel configuration disabled at boot time, the features will be
27296 -+ enabled at boot time. It is recommended you say Y here unless
27297 -+ there is some reason you would want all sysctl-tunable features to
27298 -+ be disabled by default. As mentioned elsewhere, it is important
27299 -+ to enable the grsec_lock entry once you have finished modifying
27300 -+ the sysctl entries.
27301 -+
27302 -+endmenu
27303 -+menu "Logging Options"
27304 -+depends on GRKERNSEC
27305 -+
27306 -+config GRKERNSEC_FLOODTIME
27307 -+ int "Seconds in between log messages (minimum)"
27308 -+ default 10
27309 -+ help
27310 -+ This option allows you to enforce the number of seconds between
27311 -+ grsecurity log messages. The default should be suitable for most
27312 -+ people, however, if you choose to change it, choose a value small enough
27313 -+ to allow informative logs to be produced, but large enough to
27314 -+ prevent flooding.
27315 -+
27316 -+config GRKERNSEC_FLOODBURST
27317 -+ int "Number of messages in a burst (maximum)"
27318 -+ default 4
27319 -+ help
27320 -+ This option allows you to choose the maximum number of messages allowed
27321 -+ within the flood time interval you chose in a separate option. The
27322 -+ default should be suitable for most people, however if you find that
27323 -+ many of your logs are being interpreted as flooding, you may want to
27324 -+ raise this value.
27325 -+
27326 -+endmenu
27327 -+
27328 -+endmenu
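Review bot: GRKERNSEC_TPE_GID is defined twice at the end of the "Executable Protections" menu, once under `depends on GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT` and once under `depends on GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT`, yet both definitions carry the same help text describing both the inverted and the non-inverted case. If the split exists only to vary the prompt ("GID for untrusted users" versus "GID for trusted users"), each block's help should describe just its own case; otherwise the second definition can be dropped and the prompt left generic. Two smaller points in the same region: the sysctl name for GRKERNSEC_CHROOT_FINDTASK is "chroot_findtask" while every sibling uses a chroot_deny_* or chroot_restrict_* name, and GRKERNSEC_CHROOT_EXECLOG sits in the "Kernel Auditing" menu with no `depends on GRKERNSEC_CHROOT`, unlike the other chroot options; if that is intentional, a one-line note in its help would save readers the question.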
27329 -diff -urNp linux-2.6.24.4/grsecurity/Makefile linux-2.6.24.4/grsecurity/Makefile
27330 ---- linux-2.6.24.4/grsecurity/Makefile 1969-12-31 19:00:00.000000000 -0500
27331 -+++ linux-2.6.24.4/grsecurity/Makefile 2008-03-26 17:56:56.000000000 -0400
27332 -@@ -0,0 +1,20 @@
27333 -+# grsecurity's ACL system was originally written in 2001 by Michael Dalton
27334 -+# during 2001-2005 it has been completely redesigned by Brad Spengler
27335 -+# into an RBAC system
27336 -+#
27337 -+# All code in this directory and various hooks inserted throughout the kernel
27338 -+# are copyright Brad Spengler, and released under the GPL v2 or higher
27339 -+
27340 -+obj-y = grsec_chdir.o grsec_chroot.o grsec_exec.o grsec_fifo.o grsec_fork.o \
27341 -+ grsec_mount.o grsec_sig.o grsec_sock.o grsec_sysctl.o \
27342 -+ grsec_time.o grsec_tpe.o grsec_ipc.o grsec_link.o grsec_textrel.o
27343 -+
27344 -+obj-$(CONFIG_GRKERNSEC) += grsec_init.o grsum.o gracl.o gracl_ip.o gracl_segv.o \
27345 -+ gracl_cap.o gracl_alloc.o gracl_shm.o grsec_mem.o gracl_fs.o \
27346 -+ gracl_learn.o grsec_log.o
27347 -+obj-$(CONFIG_GRKERNSEC_RESLOG) += gracl_res.o
27348 -+
27349 -+ifndef CONFIG_GRKERNSEC
27350 -+obj-y += grsec_disabled.o
27351 -+endif
27352 -+
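Review bot: the first `obj-y =` list (grsec_chdir.o through grsec_textrel.o) is built unconditionally, while the second list is gated on `obj-$(CONFIG_GRKERNSEC)` and grsec_disabled.o is added only under `ifndef CONFIG_GRKERNSEC`, so every object in the first list has to compile and link cleanly in a kernel with grsecurity switched off. A comment above the two lists stating that split (which objects provide the always-present hooks and which exist only with CONFIG_GRKERNSEC) would make the Makefile self-explanatory; the header comment covers authorship and licence only.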
27353 -diff -urNp linux-2.6.24.4/include/acpi/acpiosxf.h linux-2.6.24.4/include/acpi/acpiosxf.h
27354 ---- linux-2.6.24.4/include/acpi/acpiosxf.h 2008-03-24 14:49:18.000000000 -0400
27355 -+++ linux-2.6.24.4/include/acpi/acpiosxf.h 2008-03-26 17:56:56.000000000 -0400
27356 -@@ -219,7 +219,7 @@ acpi_os_write_memory(acpi_physical_addre
27357 - */
27358 - acpi_status
27359 - acpi_os_read_pci_configuration(struct acpi_pci_id *pci_id,
27360 -- u32 reg, void *value, u32 width);
27361 -+ u32 reg, u32 *value, u32 width);
27362 -
27363 - acpi_status
27364 - acpi_os_write_pci_configuration(struct acpi_pci_id *pci_id,
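Review bot: this hunk changes only the declaration of acpi_os_read_pci_configuration, from `void *value` to `u32 *value`; the definition and every caller must change in the same patch or the build fails on the prototype mismatch. Worth confirming those hunks are present and that no caller relied on the old `void *` to pass a buffer narrower than 32 bits for the 8- and 16-bit `width` cases, since the stricter type is only a safety gain if the callers are adjusted with it.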
27365 -diff -urNp linux-2.6.24.4/include/asm-alpha/a.out.h linux-2.6.24.4/include/asm-alpha/a.out.h
27366 ---- linux-2.6.24.4/include/asm-alpha/a.out.h 2008-03-24 14:49:18.000000000 -0400
27367 -+++ linux-2.6.24.4/include/asm-alpha/a.out.h 2008-03-26 17:56:56.000000000 -0400
27368 -@@ -98,7 +98,7 @@ struct exec
27369 - set_personality (((BFPM->sh_bang || EX.ah.entry < 0x100000000L \
27370 - ? ADDR_LIMIT_32BIT : 0) | PER_OSF4))
27371 -
27372 --#define STACK_TOP \
27373 -+#define __STACK_TOP \
27374 - (current->personality & ADDR_LIMIT_32BIT ? 0x80000000 : 0x00120000000UL)
27375 -
27376 - #define STACK_TOP_MAX 0x00120000000UL
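Review bot: renaming STACK_TOP to __STACK_TOP here leaves the unchanged `#define STACK_TOP_MAX 0x00120000000UL` carrying a second copy of the literal that appears inside the __STACK_TOP expression; expressing STACK_TOP_MAX in terms of that same constant (or a named one) would keep the two values from drifting apart. A short comment at the renamed define saying where STACK_TOP itself is now provided would also help anyone grepping for the old name in this header.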
27377 -diff -urNp linux-2.6.24.4/include/asm-alpha/elf.h linux-2.6.24.4/include/asm-alpha/elf.h
27378 ---- linux-2.6.24.4/include/asm-alpha/elf.h 2008-03-24 14:49:18.000000000 -0400
27379 -+++ linux-2.6.24.4/include/asm-alpha/elf.h 2008-03-26 17:56:56.000000000 -0400
27380 -@@ -91,6 +91,13 @@ typedef elf_fpreg_t elf_fpregset_t[ELF_N
27381 -
27382 - #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE + 0x1000000)
27383 -
27384 -+#ifdef CONFIG_PAX_ASLR
27385 -+#define PAX_ELF_ET_DYN_BASE (current->personality & ADDR_LIMIT_32BIT ? 0x10000 : 0x120000000UL)
27386 -+
27387 -+#define PAX_DELTA_MMAP_LEN (current->personality & ADDR_LIMIT_32BIT ? 14 : 28)
27388 -+#define PAX_DELTA_STACK_LEN (current->personality & ADDR_LIMIT_32BIT ? 14 : 19)
27389 -+#endif
27390 -+
27391 - /* $0 is set by ld.so to a pointer to a function which might be
27392 - registered using atexit. This provides a mean for the dynamic
27393 - linker to call DT_FINI functions for shared libraries that have
27394 -diff -urNp linux-2.6.24.4/include/asm-alpha/kmap_types.h linux-2.6.24.4/include/asm-alpha/kmap_types.h
27395 ---- linux-2.6.24.4/include/asm-alpha/kmap_types.h 2008-03-24 14:49:18.000000000 -0400
27396 -+++ linux-2.6.24.4/include/asm-alpha/kmap_types.h 2008-03-26 17:56:56.000000000 -0400
27397 -@@ -24,7 +24,8 @@ D(9) KM_IRQ0,
27398 - D(10) KM_IRQ1,
27399 - D(11) KM_SOFTIRQ0,
27400 - D(12) KM_SOFTIRQ1,
27401 --D(13) KM_TYPE_NR
27402 -+D(13) KM_CLEARPAGE,
27403 -+D(14) KM_TYPE_NR
27404 - };
27405 -
27406 - #undef D
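Review bot: KM_CLEARPAGE is inserted ahead of KM_TYPE_NR with no comment on what it is for, and the same unexplained insertion is repeated for every other arch's kmap_types.h below; one comment at this first instance would be enough. The D(13)/D(14) renumbering correctly keeps KM_TYPE_NR as the last enumerator, so nothing else in this hunk needs changing.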
27407 -diff -urNp linux-2.6.24.4/include/asm-alpha/pgtable.h linux-2.6.24.4/include/asm-alpha/pgtable.h
27408 ---- linux-2.6.24.4/include/asm-alpha/pgtable.h 2008-03-24 14:49:18.000000000 -0400
27409 -+++ linux-2.6.24.4/include/asm-alpha/pgtable.h 2008-03-26 17:56:56.000000000 -0400
27410 -@@ -101,6 +101,17 @@ struct vm_area_struct;
27411 - #define PAGE_SHARED __pgprot(_PAGE_VALID | __ACCESS_BITS)
27412 - #define PAGE_COPY __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW)
27413 - #define PAGE_READONLY __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW)
27414 -+
27415 -+#ifdef CONFIG_PAX_PAGEEXEC
27416 -+# define PAGE_SHARED_NOEXEC __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOE)
27417 -+# define PAGE_COPY_NOEXEC __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW | _PAGE_FOE)
27418 -+# define PAGE_READONLY_NOEXEC __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW | _PAGE_FOE)
27419 -+#else
27420 -+# define PAGE_SHARED_NOEXEC PAGE_SHARED
27421 -+# define PAGE_COPY_NOEXEC PAGE_COPY
27422 -+# define PAGE_READONLY_NOEXEC PAGE_READONLY
27423 -+#endif
27424 -+
27425 - #define PAGE_KERNEL __pgprot(_PAGE_VALID | _PAGE_ASM | _PAGE_KRE | _PAGE_KWE)
27426 -
27427 - #define _PAGE_NORMAL(x) __pgprot(_PAGE_VALID | __ACCESS_BITS | (x))
27428 -diff -urNp linux-2.6.24.4/include/asm-arm/a.out.h linux-2.6.24.4/include/asm-arm/a.out.h
27429 ---- linux-2.6.24.4/include/asm-arm/a.out.h 2008-03-24 14:49:18.000000000 -0400
27430 -+++ linux-2.6.24.4/include/asm-arm/a.out.h 2008-03-26 17:56:56.000000000 -0400
27431 -@@ -28,7 +28,7 @@ struct exec
27432 - #define M_ARM 103
27433 -
27434 - #ifdef __KERNEL__
27435 --#define STACK_TOP ((current->personality == PER_LINUX_32BIT) ? \
27436 -+#define __STACK_TOP ((current->personality == PER_LINUX_32BIT) ? \
27437 - TASK_SIZE : TASK_SIZE_26)
27438 - #define STACK_TOP_MAX TASK_SIZE
27439 - #endif
27440 -diff -urNp linux-2.6.24.4/include/asm-arm/elf.h linux-2.6.24.4/include/asm-arm/elf.h
27441 ---- linux-2.6.24.4/include/asm-arm/elf.h 2008-03-24 14:49:18.000000000 -0400
27442 -+++ linux-2.6.24.4/include/asm-arm/elf.h 2008-03-26 17:56:56.000000000 -0400
27443 -@@ -88,7 +88,14 @@ extern char elf_platform[];
27444 - the loader. We need to make sure that it is out of the way of the program
27445 - that it will "exec", and that there is sufficient room for the brk. */
27446 -
27447 --#define ELF_ET_DYN_BASE (2 * TASK_SIZE / 3)
27448 -+#define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
27449 -+
27450 -+#ifdef CONFIG_PAX_ASLR
27451 -+#define PAX_ELF_ET_DYN_BASE 0x00008000UL
27452 -+
27453 -+#define PAX_DELTA_MMAP_LEN ((current->personality == PER_LINUX_32BIT) ? 16 : 10)
27454 -+#define PAX_DELTA_STACK_LEN ((current->personality == PER_LINUX_32BIT) ? 16 : 10)
27455 -+#endif
27456 -
27457 - /* When the program starts, a1 contains a pointer to a function to be
27458 - registered with atexit, as per the SVR4 ABI. A value of 0 means we
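Review bot: rewriting ELF_ET_DYN_BASE from `(2 * TASK_SIZE / 3)` to `(TASK_SIZE / 3 * 2)` is not value-preserving: the division now happens first, so when TASK_SIZE is not a multiple of 3 the new expression is one smaller than the old one. If the reorder is there to stop `2 * TASK_SIZE` from overflowing, say so in a comment and confirm the one-unit shift is acceptable for the base address; the same rewrite appears in the asm-avr32/elf.h hunk below and should get the same comment.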
27459 -diff -urNp linux-2.6.24.4/include/asm-arm/kmap_types.h linux-2.6.24.4/include/asm-arm/kmap_types.h
27460 ---- linux-2.6.24.4/include/asm-arm/kmap_types.h 2008-03-24 14:49:18.000000000 -0400
27461 -+++ linux-2.6.24.4/include/asm-arm/kmap_types.h 2008-03-26 17:56:56.000000000 -0400
27462 -@@ -18,6 +18,7 @@ enum km_type {
27463 - KM_IRQ1,
27464 - KM_SOFTIRQ0,
27465 - KM_SOFTIRQ1,
27466 -+ KM_CLEARPAGE,
27467 - KM_TYPE_NR
27468 - };
27469 -
27470 -diff -urNp linux-2.6.24.4/include/asm-avr32/a.out.h linux-2.6.24.4/include/asm-avr32/a.out.h
27471 ---- linux-2.6.24.4/include/asm-avr32/a.out.h 2008-03-24 14:49:18.000000000 -0400
27472 -+++ linux-2.6.24.4/include/asm-avr32/a.out.h 2008-03-26 17:56:56.000000000 -0400
27473 -@@ -19,8 +19,8 @@ struct exec
27474 -
27475 - #ifdef __KERNEL__
27476 -
27477 --#define STACK_TOP TASK_SIZE
27478 --#define STACK_TOP_MAX STACK_TOP
27479 -+#define __STACK_TOP TASK_SIZE
27480 -+#define STACK_TOP_MAX __STACK_TOP
27481 -
27482 - #endif
27483 -
27484 -diff -urNp linux-2.6.24.4/include/asm-avr32/elf.h linux-2.6.24.4/include/asm-avr32/elf.h
27485 ---- linux-2.6.24.4/include/asm-avr32/elf.h 2008-03-24 14:49:18.000000000 -0400
27486 -+++ linux-2.6.24.4/include/asm-avr32/elf.h 2008-03-26 17:56:56.000000000 -0400
27487 -@@ -85,8 +85,14 @@ typedef struct user_fpu_struct elf_fpreg
27488 - the loader. We need to make sure that it is out of the way of the program
27489 - that it will "exec", and that there is sufficient room for the brk. */
27490 -
27491 --#define ELF_ET_DYN_BASE (2 * TASK_SIZE / 3)
27492 -+#define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
27493 -
27494 -+#ifdef CONFIG_PAX_ASLR
27495 -+#define PAX_ELF_ET_DYN_BASE 0x00001000UL
27496 -+
27497 -+#define PAX_DELTA_MMAP_LEN 15
27498 -+#define PAX_DELTA_STACK_LEN 15
27499 -+#endif
27500 -
27501 - /* This yields a mask that user programs can use to figure out what
27502 - instruction set this CPU supports. This could be done in user space,
27503 -diff -urNp linux-2.6.24.4/include/asm-avr32/kmap_types.h linux-2.6.24.4/include/asm-avr32/kmap_types.h
27504 ---- linux-2.6.24.4/include/asm-avr32/kmap_types.h 2008-03-24 14:49:18.000000000 -0400
27505 -+++ linux-2.6.24.4/include/asm-avr32/kmap_types.h 2008-03-26 17:56:56.000000000 -0400
27506 -@@ -22,7 +22,8 @@ D(10) KM_IRQ0,
27507 - D(11) KM_IRQ1,
27508 - D(12) KM_SOFTIRQ0,
27509 - D(13) KM_SOFTIRQ1,
27510 --D(14) KM_TYPE_NR
27511 -+D(14) KM_CLEARPAGE,
27512 -+D(15) KM_TYPE_NR
27513 - };
27514 -
27515 - #undef D
27516 -diff -urNp linux-2.6.24.4/include/asm-blackfin/kmap_types.h linux-2.6.24.4/include/asm-blackfin/kmap_types.h
27517 ---- linux-2.6.24.4/include/asm-blackfin/kmap_types.h 2008-03-24 14:49:18.000000000 -0400
27518 -+++ linux-2.6.24.4/include/asm-blackfin/kmap_types.h 2008-03-26 17:56:56.000000000 -0400
27519 -@@ -15,6 +15,7 @@ enum km_type {
27520 - KM_IRQ1,
27521 - KM_SOFTIRQ0,
27522 - KM_SOFTIRQ1,
27523 -+ KM_CLEARPAGE,
27524 - KM_TYPE_NR
27525 - };
27526 -
27527 -diff -urNp linux-2.6.24.4/include/asm-cris/kmap_types.h linux-2.6.24.4/include/asm-cris/kmap_types.h
27528 ---- linux-2.6.24.4/include/asm-cris/kmap_types.h 2008-03-24 14:49:18.000000000 -0400
27529 -+++ linux-2.6.24.4/include/asm-cris/kmap_types.h 2008-03-26 17:56:56.000000000 -0400
27530 -@@ -19,6 +19,7 @@ enum km_type {
27531 - KM_IRQ1,
27532 - KM_SOFTIRQ0,
27533 - KM_SOFTIRQ1,
27534 -+ KM_CLEARPAGE,
27535 - KM_TYPE_NR
27536 - };
27537 -
27538 -diff -urNp linux-2.6.24.4/include/asm-frv/kmap_types.h linux-2.6.24.4/include/asm-frv/kmap_types.h
27539 ---- linux-2.6.24.4/include/asm-frv/kmap_types.h 2008-03-24 14:49:18.000000000 -0400
27540 -+++ linux-2.6.24.4/include/asm-frv/kmap_types.h 2008-03-26 17:56:56.000000000 -0400
27541 -@@ -23,6 +23,7 @@ enum km_type {
27542 - KM_IRQ1,
27543 - KM_SOFTIRQ0,
27544 - KM_SOFTIRQ1,
27545 -+ KM_CLEARPAGE,
27546 - KM_TYPE_NR
27547 - };
27548 -
27549 -diff -urNp linux-2.6.24.4/include/asm-generic/futex.h linux-2.6.24.4/include/asm-generic/futex.h
27550 ---- linux-2.6.24.4/include/asm-generic/futex.h 2008-03-24 14:49:18.000000000 -0400
27551 -+++ linux-2.6.24.4/include/asm-generic/futex.h 2008-03-26 17:56:56.000000000 -0400
27552 -@@ -8,7 +8,7 @@
27553 - #include <asm/uaccess.h>
27554 -
27555 - static inline int
27556 --futex_atomic_op_inuser (int encoded_op, int __user *uaddr)
27557 -+futex_atomic_op_inuser (int encoded_op, u32 __user *uaddr)
27558 - {
27559 - int op = (encoded_op >> 28) & 7;
27560 - int cmp = (encoded_op >> 24) & 15;
27561 -@@ -50,7 +50,7 @@ futex_atomic_op_inuser (int encoded_op,
27562 - }
27563 -
27564 - static inline int
27565 --futex_atomic_cmpxchg_inatomic(int __user *uaddr, int oldval, int newval)
27566 -+futex_atomic_cmpxchg_inatomic(u32 __user *uaddr, int oldval, int newval)
27567 - {
27568 - return -ENOSYS;
27569 - }
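Review bot: futex_atomic_cmpxchg_inatomic now takes `u32 __user *uaddr` but keeps `int oldval, int newval`, so the compare-and-exchange values are signed while the memory they are compared against is unsigned. For consistency with the new pointer type (the first hunk likewise changed only the pointer in futex_atomic_op_inuser), oldval and newval should become u32 too, or the mixed signature needs a comment explaining why it is kept.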
27570 -diff -urNp linux-2.6.24.4/include/asm-generic/vmlinux.lds.h linux-2.6.24.4/include/asm-generic/vmlinux.lds.h
27571 ---- linux-2.6.24.4/include/asm-generic/vmlinux.lds.h 2008-03-24 14:49:18.000000000 -0400
27572 -+++ linux-2.6.24.4/include/asm-generic/vmlinux.lds.h 2008-03-26 17:56:56.000000000 -0400
27573 -@@ -23,6 +23,7 @@
27574 - .rodata : AT(ADDR(.rodata) - LOAD_OFFSET) { \
27575 - VMLINUX_SYMBOL(__start_rodata) = .; \
27576 - *(.rodata) *(.rodata.*) \
27577 -+ *(.data.read_only) \
27578 - *(__vermagic) /* Kernel version magic */ \
27579 - *(__markers_strings) /* Markers: strings */ \
27580 - } \
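Review bot: the added `*(.data.read_only)` input section in .rodata is the only entry in this block without a trailing comment; the neighbouring lines document `__vermagic` and `__markers_strings`, so a matching comment stating what emits .data.read_only (and why it belongs in the read-only segment rather than in .data) would keep the linker script consistent and self-documenting.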
27581 -diff -urNp linux-2.6.24.4/include/asm-h8300/kmap_types.h linux-2.6.24.4/include/asm-h8300/kmap_types.h
27582 ---- linux-2.6.24.4/include/asm-h8300/kmap_types.h 2008-03-24 14:49:18.000000000 -0400
27583 -+++ linux-2.6.24.4/include/asm-h8300/kmap_types.h 2008-03-26 17:56:56.000000000 -0400
27584 -@@ -15,6 +15,7 @@ enum km_type {
27585 - KM_IRQ1,
27586 - KM_SOFTIRQ0,
27587 - KM_SOFTIRQ1,
27588 -+ KM_CLEARPAGE,
27589 - KM_TYPE_NR
27590 - };
27591 -
27592 -diff -urNp linux-2.6.24.4/include/asm-ia64/elf.h linux-2.6.24.4/include/asm-ia64/elf.h
27593 ---- linux-2.6.24.4/include/asm-ia64/elf.h 2008-03-24 14:49:18.000000000 -0400
27594 -+++ linux-2.6.24.4/include/asm-ia64/elf.h 2008-03-26 17:56:56.000000000 -0400
27595 -@@ -162,7 +162,12 @@ typedef elf_greg_t elf_gregset_t[ELF_NGR
27596 - typedef struct ia64_fpreg elf_fpreg_t;
27597 - typedef elf_fpreg_t elf_fpregset_t[ELF_NFPREG];
27598 -
27599 -+#ifdef CONFIG_PAX_ASLR
27600 -+#define PAX_ELF_ET_DYN_BASE (current->personality == PER_LINUX32 ? 0x08048000UL : 0x4000000000000000UL)
27601 -
27602 -+#define PAX_DELTA_MMAP_LEN (current->personality == PER_LINUX32 ? 16 : 3*PAGE_SHIFT - 13)
27603 -+#define PAX_DELTA_STACK_LEN (current->personality == PER_LINUX32 ? 16 : 3*PAGE_SHIFT - 13)
27604 -+#endif
27605 -
27606 - struct pt_regs; /* forward declaration... */
27607 - extern void ia64_elf_core_copy_regs (struct pt_regs *src, elf_gregset_t dst);
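Review bot: the `#ifdef CONFIG_PAX_ASLR` block in this hunk is split by a pre-existing blank context line between PAX_ELF_ET_DYN_BASE and PAX_DELTA_MMAP_LEN, so the #ifdef/#endif pair encloses an unrelated blank line; the asm-alpha and asm-arm hunks above keep their blocks contiguous and this one should match. The `3*PAGE_SHIFT - 13` used for the 64-bit PAX_DELTA_*_LEN values also deserves a comment explaining the derivation, since the other arches use plain constants.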
27608 -diff -urNp linux-2.6.24.4/include/asm-ia64/kmap_types.h linux-2.6.24.4/include/asm-ia64/kmap_types.h
27609 ---- linux-2.6.24.4/include/asm-ia64/kmap_types.h 2008-03-24 14:49:18.000000000 -0400
27610 -+++ linux-2.6.24.4/include/asm-ia64/kmap_types.h 2008-03-26 17:56:56.000000000 -0400
27611 -@@ -22,7 +22,8 @@ D(9) KM_IRQ0,
27612 - D(10) KM_IRQ1,
27613 - D(11) KM_SOFTIRQ0,
27614 - D(12) KM_SOFTIRQ1,
27615 --D(13) KM_TYPE_NR
27616 -+D(13) KM_CLEARPAGE,
27617 -+D(14) KM_TYPE_NR
27618 - };
27619 -
27620 - #undef D
27621 -diff -urNp linux-2.6.24.4/include/asm-ia64/pgtable.h linux-2.6.24.4/include/asm-ia64/pgtable.h
27622 ---- linux-2.6.24.4/include/asm-ia64/pgtable.h 2008-03-24 14:49:18.000000000 -0400
27623 -+++ linux-2.6.24.4/include/asm-ia64/pgtable.h 2008-03-26 17:56:56.000000000 -0400
27624 -@@ -143,6 +143,17 @@
27625 - #define PAGE_READONLY __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
27626 - #define PAGE_COPY __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
27627 - #define PAGE_COPY_EXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_RX)
27628 -+
27629 -+#ifdef CONFIG_PAX_PAGEEXEC
27630 -+# define PAGE_SHARED_NOEXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_RW)
27631 -+# define PAGE_READONLY_NOEXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
27632 -+# define PAGE_COPY_NOEXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
27633 -+#else
27634 -+# define PAGE_SHARED_NOEXEC PAGE_SHARED
27635 -+# define PAGE_READONLY_NOEXEC PAGE_READONLY
27636 -+# define PAGE_COPY_NOEXEC PAGE_COPY
27637 -+#endif
27638 -+
27639 - #define PAGE_GATE __pgprot(__ACCESS_BITS | _PAGE_PL_0 | _PAGE_AR_X_RX)
27640 - #define PAGE_KERNEL __pgprot(__DIRTY_BITS | _PAGE_PL_0 | _PAGE_AR_RWX)
27641 - #define PAGE_KERNELRX __pgprot(__ACCESS_BITS | _PAGE_PL_0 | _PAGE_AR_RX)
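Review bot: PAGE_READONLY_NOEXEC and PAGE_COPY_NOEXEC in the CONFIG_PAX_PAGEEXEC branch expand to exactly the bits PAGE_READONLY and PAGE_COPY carry in the context lines (__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R), so for those two names the #ifdef and #else branches are identical; only PAGE_SHARED_NOEXEC (_PAGE_AR_RW) adds anything. Either define those two aliases unconditionally, or add a comment that the ia64 access-rights encoding already makes a read-only page non-executable, so the next reader does not go looking for a difference that is not there.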
27642 -diff -urNp linux-2.6.24.4/include/asm-ia64/processor.h linux-2.6.24.4/include/asm-ia64/processor.h
27643 ---- linux-2.6.24.4/include/asm-ia64/processor.h 2008-03-24 14:49:18.000000000 -0400
27644 -+++ linux-2.6.24.4/include/asm-ia64/processor.h 2008-03-26 17:56:56.000000000 -0400
27645 -@@ -275,7 +275,7 @@ struct thread_struct {
27646 - .on_ustack = 0, \
27647 - .ksp = 0, \
27648 - .map_base = DEFAULT_MAP_BASE, \
27649 -- .rbs_bot = STACK_TOP - DEFAULT_USER_STACK_SIZE, \
27650 -+ .rbs_bot = __STACK_TOP - DEFAULT_USER_STACK_SIZE, \
27651 - .task_size = DEFAULT_TASK_SIZE, \
27652 - .last_fph_cpu = -1, \
27653 - INIT_THREAD_IA32 \
27654 -diff -urNp linux-2.6.24.4/include/asm-ia64/ustack.h linux-2.6.24.4/include/asm-ia64/ustack.h
27655 ---- linux-2.6.24.4/include/asm-ia64/ustack.h 2008-03-24 14:49:18.000000000 -0400
27656 -+++ linux-2.6.24.4/include/asm-ia64/ustack.h 2008-03-26 17:56:56.000000000 -0400
27657 -@@ -10,8 +10,8 @@
27658 -
27659 - /* The absolute hard limit for stack size is 1/2 of the mappable space in the region */
27660 - #define MAX_USER_STACK_SIZE (RGN_MAP_LIMIT/2)
27661 --#define STACK_TOP (0x6000000000000000UL + RGN_MAP_LIMIT)
27662 --#define STACK_TOP_MAX STACK_TOP
27663 -+#define __STACK_TOP (0x6000000000000000UL + RGN_MAP_LIMIT)
27664 -+#define STACK_TOP_MAX __STACK_TOP
27665 - #endif
27666 -
27667 - /* Make a default stack size of 2GiB */
27668 -diff -urNp linux-2.6.24.4/include/asm-m32r/kmap_types.h linux-2.6.24.4/include/asm-m32r/kmap_types.h
27669 ---- linux-2.6.24.4/include/asm-m32r/kmap_types.h 2008-03-24 14:49:18.000000000 -0400
27670 -+++ linux-2.6.24.4/include/asm-m32r/kmap_types.h 2008-03-26 17:56:56.000000000 -0400
27671 -@@ -21,7 +21,8 @@ D(9) KM_IRQ0,
27672 - D(10) KM_IRQ1,
27673 - D(11) KM_SOFTIRQ0,
27674 - D(12) KM_SOFTIRQ1,
27675 --D(13) KM_TYPE_NR
27676 -+D(13) KM_CLEARPAGE,
27677 -+D(14) KM_TYPE_NR
27678 - };
27679 -
27680 - #undef D
27681 -diff -urNp linux-2.6.24.4/include/asm-m68k/kmap_types.h linux-2.6.24.4/include/asm-m68k/kmap_types.h
27682 ---- linux-2.6.24.4/include/asm-m68k/kmap_types.h 2008-03-24 14:49:18.000000000 -0400
27683 -+++ linux-2.6.24.4/include/asm-m68k/kmap_types.h 2008-03-26 17:56:56.000000000 -0400
27684 -@@ -15,6 +15,7 @@ enum km_type {
27685 - KM_IRQ1,
27686 - KM_SOFTIRQ0,
27687 - KM_SOFTIRQ1,
27688 -+ KM_CLEARPAGE,
27689 - KM_TYPE_NR
27690 - };
27691 -
27692 -diff -urNp linux-2.6.24.4/include/asm-m68knommu/kmap_types.h linux-2.6.24.4/include/asm-m68knommu/kmap_types.h
27693 ---- linux-2.6.24.4/include/asm-m68knommu/kmap_types.h 2008-03-24 14:49:18.000000000 -0400
27694 -+++ linux-2.6.24.4/include/asm-m68knommu/kmap_types.h 2008-03-26 17:56:56.000000000 -0400
27695 -@@ -15,6 +15,7 @@ enum km_type {
27696 - KM_IRQ1,
27697 - KM_SOFTIRQ0,
27698 - KM_SOFTIRQ1,
27699 -+ KM_CLEARPAGE,
27700 - KM_TYPE_NR
27701 - };
27702 -
27703 -diff -urNp linux-2.6.24.4/include/asm-mips/a.out.h linux-2.6.24.4/include/asm-mips/a.out.h
27704 ---- linux-2.6.24.4/include/asm-mips/a.out.h 2008-03-24 14:49:18.000000000 -0400
27705 -+++ linux-2.6.24.4/include/asm-mips/a.out.h 2008-03-26 17:56:56.000000000 -0400
27706 -@@ -35,10 +35,10 @@ struct exec
27707 - #ifdef __KERNEL__
27708 -
27709 - #ifdef CONFIG_32BIT
27710 --#define STACK_TOP TASK_SIZE
27711 -+#define __STACK_TOP TASK_SIZE
27712 - #endif
27713 - #ifdef CONFIG_64BIT
27714 --#define STACK_TOP \
27715 -+#define __STACK_TOP \
27716 - (test_thread_flag(TIF_32BIT_ADDR) ? TASK_SIZE32 : TASK_SIZE)
27717 - #endif
27718 - #define STACK_TOP_MAX TASK_SIZE
27719 -diff -urNp linux-2.6.24.4/include/asm-mips/elf.h linux-2.6.24.4/include/asm-mips/elf.h
27720 ---- linux-2.6.24.4/include/asm-mips/elf.h 2008-03-24 14:49:18.000000000 -0400
27721 -+++ linux-2.6.24.4/include/asm-mips/elf.h 2008-03-26 17:56:56.000000000 -0400
27722 -@@ -372,4 +372,11 @@ extern int dump_task_fpu(struct task_str
27723 - #define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
27724 - #endif
27725 -
27726 -+#ifdef CONFIG_PAX_ASLR
27727 -+#define PAX_ELF_ET_DYN_BASE ((current->thread.mflags & MF_32BIT_ADDR) ? 0x00400000UL : 0x00400000UL)
27728 -+
27729 -+#define PAX_DELTA_MMAP_LEN ((current->thread.mflags & MF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
27730 -+#define PAX_DELTA_STACK_LEN ((current->thread.mflags & MF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
27731 -+#endif
27732 -+
27733 - #endif /* _ASM_ELF_H */
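Review bot: PAX_ELF_ET_DYN_BASE tests MF_32BIT_ADDR and then yields 0x00400000UL in both arms, so the conditional is dead. Either the 64-bit arm was meant to be a different value (the two delta-length macros right below it do distinguish the cases, 27-PAGE_SHIFT versus 36-PAGE_SHIFT) or the macro should simply read "#define PAX_ELF_ET_DYN_BASE 0x00400000UL"; as written it looks like an unfinished edit and a reviewer cannot tell which.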
27734 -diff -urNp linux-2.6.24.4/include/asm-mips/kmap_types.h linux-2.6.24.4/include/asm-mips/kmap_types.h
27735 ---- linux-2.6.24.4/include/asm-mips/kmap_types.h 2008-03-24 14:49:18.000000000 -0400
27736 -+++ linux-2.6.24.4/include/asm-mips/kmap_types.h 2008-03-26 17:56:56.000000000 -0400
27737 -@@ -22,7 +22,8 @@ D(9) KM_IRQ0,
27738 - D(10) KM_IRQ1,
27739 - D(11) KM_SOFTIRQ0,
27740 - D(12) KM_SOFTIRQ1,
27741 --D(13) KM_TYPE_NR
27742 -+D(13) KM_CLEARPAGE,
27743 -+D(14) KM_TYPE_NR
27744 - };
27745 -
27746 - #undef D
27747 -diff -urNp linux-2.6.24.4/include/asm-mips/page.h linux-2.6.24.4/include/asm-mips/page.h
27748 ---- linux-2.6.24.4/include/asm-mips/page.h 2008-03-24 14:49:18.000000000 -0400
27749 -+++ linux-2.6.24.4/include/asm-mips/page.h 2008-03-26 17:56:56.000000000 -0400
27750 -@@ -82,7 +82,7 @@ extern void copy_user_highpage(struct pa
27751 - #ifdef CONFIG_CPU_MIPS32
27752 - typedef struct { unsigned long pte_low, pte_high; } pte_t;
27753 - #define pte_val(x) ((x).pte_low | ((unsigned long long)(x).pte_high << 32))
27754 -- #define __pte(x) ({ pte_t __pte = {(x), ((unsigned long long)(x)) >> 32}; __pte; })
27755 -+ #define __pte(x) ({ pte_t __pte = {(x), (x) >> 32}; __pte; })
27756 - #else
27757 - typedef struct { unsigned long long pte; } pte_t;
27758 - #define pte_val(x) ((x).pte)
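Review bot: dropping the (unsigned long long) cast in __pte(x) makes the high-half computation depend on the caller's argument type: with a 32-bit unsigned long argument "(x) >> 32" is a shift by the full operand width, which is undefined behaviour in C and is not guaranteed to produce zero on MIPS32. pte_val() in the context line still returns an unsigned long long, so callers that round-trip through it are fine, but any caller passing a narrower value now breaks silently. If the cast was removed to silence a warning, a comment stating that x must be 64 bits wide would at least document the new requirement.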
27759 -diff -urNp linux-2.6.24.4/include/asm-mips/system.h linux-2.6.24.4/include/asm-mips/system.h
27760 ---- linux-2.6.24.4/include/asm-mips/system.h 2008-03-24 14:49:18.000000000 -0400
27761 -+++ linux-2.6.24.4/include/asm-mips/system.h 2008-03-26 17:56:56.000000000 -0400
27762 -@@ -215,6 +215,6 @@ extern void per_cpu_trap_init(void);
27763 - */
27764 - #define __ARCH_WANT_UNLOCKED_CTXSW
27765 -
27766 --extern unsigned long arch_align_stack(unsigned long sp);
27767 -+#define arch_align_stack(x) (x)
27768 -
27769 - #endif /* _ASM_SYSTEM_H */
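Review bot: replacing the arch_align_stack() declaration with an identity macro means the stack pointer chosen at exec is no longer adjusted on MIPS at all; in mainline that function is where the per-process random stack offset is applied. If the intention is that PaX's own PAX_DELTA_STACK_LEN randomization (added to asm-mips/elf.h in this patch) takes over, say so in a comment here, and check that the now-unreferenced definition under arch/mips is removed rather than left as dead code. Note that with this macro a build without CONFIG_PAX_ASLR ends up with no stack offset randomization on MIPS, which is a regression relative to the unpatched kernel.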
27770 -diff -urNp linux-2.6.24.4/include/asm-parisc/a.out.h linux-2.6.24.4/include/asm-parisc/a.out.h
27771 ---- linux-2.6.24.4/include/asm-parisc/a.out.h 2008-03-24 14:49:18.000000000 -0400
27772 -+++ linux-2.6.24.4/include/asm-parisc/a.out.h 2008-03-26 17:56:56.000000000 -0400
27773 -@@ -22,7 +22,7 @@ struct exec
27774 - /* XXX: STACK_TOP actually should be STACK_BOTTOM for parisc.
27775 - * prumpf */
27776 -
27777 --#define STACK_TOP TASK_SIZE
27778 -+#define __STACK_TOP TASK_SIZE
27779 - #define STACK_TOP_MAX DEFAULT_TASK_SIZE
27780 -
27781 - #endif
27782 -diff -urNp linux-2.6.24.4/include/asm-parisc/elf.h linux-2.6.24.4/include/asm-parisc/elf.h
27783 ---- linux-2.6.24.4/include/asm-parisc/elf.h 2008-03-24 14:49:18.000000000 -0400
27784 -+++ linux-2.6.24.4/include/asm-parisc/elf.h 2008-03-26 17:56:56.000000000 -0400
27785 -@@ -337,6 +337,13 @@ struct pt_regs; /* forward declaration..
27786 -
27787 - #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE + 0x01000000)
27788 -
27789 -+#ifdef CONFIG_PAX_ASLR
27790 -+#define PAX_ELF_ET_DYN_BASE 0x10000UL
27791 -+
27792 -+#define PAX_DELTA_MMAP_LEN 16
27793 -+#define PAX_DELTA_STACK_LEN 16
27794 -+#endif
27795 -+
27796 - /* This yields a mask that user programs can use to figure out what
27797 - instruction set this CPU supports. This could be done in user space,
27798 - but it's not easy, and we've already done it here. */
27799 -diff -urNp linux-2.6.24.4/include/asm-parisc/kmap_types.h linux-2.6.24.4/include/asm-parisc/kmap_types.h
27800 ---- linux-2.6.24.4/include/asm-parisc/kmap_types.h 2008-03-24 14:49:18.000000000 -0400
27801 -+++ linux-2.6.24.4/include/asm-parisc/kmap_types.h 2008-03-26 17:56:56.000000000 -0400
27802 -@@ -22,7 +22,8 @@ D(9) KM_IRQ0,
27803 - D(10) KM_IRQ1,
27804 - D(11) KM_SOFTIRQ0,
27805 - D(12) KM_SOFTIRQ1,
27806 --D(13) KM_TYPE_NR
27807 -+D(13) KM_CLEARPAGE,
27808 -+D(14) KM_TYPE_NR
27809 - };
27810 -
27811 - #undef D
27812 -diff -urNp linux-2.6.24.4/include/asm-parisc/pgtable.h linux-2.6.24.4/include/asm-parisc/pgtable.h
27813 ---- linux-2.6.24.4/include/asm-parisc/pgtable.h 2008-03-24 14:49:18.000000000 -0400
27814 -+++ linux-2.6.24.4/include/asm-parisc/pgtable.h 2008-03-26 17:56:56.000000000 -0400
27815 -@@ -210,6 +210,17 @@ extern void *vmalloc_start;
27816 - #define PAGE_EXECREAD __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_EXEC |_PAGE_ACCESSED)
27817 - #define PAGE_COPY PAGE_EXECREAD
27818 - #define PAGE_RWX __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_WRITE | _PAGE_EXEC |_PAGE_ACCESSED)
27819 -+
27820 -+#ifdef CONFIG_PAX_PAGEEXEC
27821 -+# define PAGE_SHARED_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_WRITE | _PAGE_ACCESSED)
27822 -+# define PAGE_COPY_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_ACCESSED)
27823 -+# define PAGE_READONLY_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_ACCESSED)
27824 -+#else
27825 -+# define PAGE_SHARED_NOEXEC PAGE_SHARED
27826 -+# define PAGE_COPY_NOEXEC PAGE_COPY
27827 -+# define PAGE_READONLY_NOEXEC PAGE_READONLY
27828 -+#endif
27829 -+
27830 - #define PAGE_KERNEL __pgprot(_PAGE_KERNEL)
27831 - #define PAGE_KERNEL_RO __pgprot(_PAGE_KERNEL & ~_PAGE_WRITE)
27832 - #define PAGE_KERNEL_UNC __pgprot(_PAGE_KERNEL | _PAGE_NO_CACHE)
27833 -diff -urNp linux-2.6.24.4/include/asm-powerpc/a.out.h linux-2.6.24.4/include/asm-powerpc/a.out.h
27834 ---- linux-2.6.24.4/include/asm-powerpc/a.out.h 2008-03-24 14:49:18.000000000 -0400
27835 -+++ linux-2.6.24.4/include/asm-powerpc/a.out.h 2008-03-26 17:56:56.000000000 -0400
27836 -@@ -23,15 +23,15 @@ struct exec
27837 - #define STACK_TOP_USER64 TASK_SIZE_USER64
27838 - #define STACK_TOP_USER32 TASK_SIZE_USER32
27839 -
27840 --#define STACK_TOP (test_thread_flag(TIF_32BIT) ? \
27841 -+#define __STACK_TOP (test_thread_flag(TIF_32BIT) ? \
27842 - STACK_TOP_USER32 : STACK_TOP_USER64)
27843 -
27844 - #define STACK_TOP_MAX STACK_TOP_USER64
27845 -
27846 - #else /* __powerpc64__ */
27847 -
27848 --#define STACK_TOP TASK_SIZE
27849 --#define STACK_TOP_MAX STACK_TOP
27850 -+#define __STACK_TOP TASK_SIZE
27851 -+#define STACK_TOP_MAX __STACK_TOP
27852 -
27853 - #endif /* __powerpc64__ */
27854 - #endif /* __KERNEL__ */
27855 -diff -urNp linux-2.6.24.4/include/asm-powerpc/elf.h linux-2.6.24.4/include/asm-powerpc/elf.h
27856 ---- linux-2.6.24.4/include/asm-powerpc/elf.h 2008-03-24 14:49:18.000000000 -0400
27857 -+++ linux-2.6.24.4/include/asm-powerpc/elf.h 2008-03-26 17:56:56.000000000 -0400
27858 -@@ -160,6 +160,18 @@ typedef elf_vrreg_t elf_vrregset_t[ELF_N
27859 - typedef elf_vrreg_t elf_vrregset_t32[ELF_NVRREG32];
27860 - #endif
27861 -
27862 -+#ifdef CONFIG_PAX_ASLR
27863 -+#define PAX_ELF_ET_DYN_BASE (0x10000000UL)
27864 -+
27865 -+#ifdef __powerpc64__
27866 -+#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_32BIT) ? 16 : 28)
27867 -+#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_32BIT) ? 16 : 28)
27868 -+#else
27869 -+#define PAX_DELTA_MMAP_LEN 15
27870 -+#define PAX_DELTA_STACK_LEN 15
27871 -+#endif
27872 -+#endif
27873 -+
27874 - #ifdef __KERNEL__
27875 - /*
27876 - * This is used to ensure we don't load something for the wrong architecture.
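Review bot: the new CONFIG_PAX_ASLR block is placed above the "#ifdef __KERNEL__" line that follows it, yet its 64-bit arms call test_thread_flag(TIF_32BIT), which only exists in kernel context. asm-powerpc/elf.h is also installed as a userspace header, so moving the block inside the __KERNEL__ section keeps kernel-only symbols out of the exported view and matches how the rest of the file is guarded.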
27877 -diff -urNp linux-2.6.24.4/include/asm-powerpc/kmap_types.h linux-2.6.24.4/include/asm-powerpc/kmap_types.h
27878 ---- linux-2.6.24.4/include/asm-powerpc/kmap_types.h 2008-03-24 14:49:18.000000000 -0400
27879 -+++ linux-2.6.24.4/include/asm-powerpc/kmap_types.h 2008-03-26 17:56:56.000000000 -0400
27880 -@@ -26,6 +26,7 @@ enum km_type {
27881 - KM_SOFTIRQ1,
27882 - KM_PPC_SYNC_PAGE,
27883 - KM_PPC_SYNC_ICACHE,
27884 -+ KM_CLEARPAGE,
27885 - KM_TYPE_NR
27886 - };
27887 -
27888 -diff -urNp linux-2.6.24.4/include/asm-powerpc/page_64.h linux-2.6.24.4/include/asm-powerpc/page_64.h
27889 ---- linux-2.6.24.4/include/asm-powerpc/page_64.h 2008-03-24 14:49:18.000000000 -0400
27890 -+++ linux-2.6.24.4/include/asm-powerpc/page_64.h 2008-03-26 17:56:56.000000000 -0400
27891 -@@ -171,15 +171,18 @@ do { \
27892 - * stack by default, so in the absense of a PT_GNU_STACK program header
27893 - * we turn execute permission off.
27894 - */
27895 --#define VM_STACK_DEFAULT_FLAGS32 (VM_READ | VM_WRITE | VM_EXEC | \
27896 -- VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
27897 -+#define VM_STACK_DEFAULT_FLAGS32 \
27898 -+ (((current->personality & READ_IMPLIES_EXEC) ? VM_EXEC : 0 ) | \
27899 -+ VM_READ | VM_WRITE | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
27900 -
27901 - #define VM_STACK_DEFAULT_FLAGS64 (VM_READ | VM_WRITE | \
27902 - VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
27903 -
27904 -+#ifndef CONFIG_PAX_PAGEEXEC
27905 - #define VM_STACK_DEFAULT_FLAGS \
27906 - (test_thread_flag(TIF_32BIT) ? \
27907 - VM_STACK_DEFAULT_FLAGS32 : VM_STACK_DEFAULT_FLAGS64)
27908 -+#endif
27909 -
27910 - #include <asm-generic/page.h>
27911 -
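Review bot: VM_STACK_DEFAULT_FLAGS32 now grants VM_EXEC only when the personality carries READ_IMPLIES_EXEC, but the comment kept in context still describes the decision in terms of the PT_GNU_STACK header; a sentence noting that the PT_GNU_STACK outcome reaches this macro through the READ_IMPLIES_EXEC personality bit set by the ELF loader would tie the two together. The new "#ifndef CONFIG_PAX_PAGEEXEC" around VM_STACK_DEFAULT_FLAGS also leaves the PAGEEXEC definition to some other file that is not visible here; a pointer to it in a comment would save a grep.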
27912 -diff -urNp linux-2.6.24.4/include/asm-powerpc/page.h linux-2.6.24.4/include/asm-powerpc/page.h
27913 ---- linux-2.6.24.4/include/asm-powerpc/page.h 2008-03-24 14:49:18.000000000 -0400
27914 -+++ linux-2.6.24.4/include/asm-powerpc/page.h 2008-03-26 17:56:56.000000000 -0400
27915 -@@ -71,8 +71,9 @@
27916 - * and needs to be executable. This means the whole heap ends
27917 - * up being executable.
27918 - */
27919 --#define VM_DATA_DEFAULT_FLAGS32 (VM_READ | VM_WRITE | VM_EXEC | \
27920 -- VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
27921 -+#define VM_DATA_DEFAULT_FLAGS32 \
27922 -+ (((current->personality & READ_IMPLIES_EXEC) ? VM_EXEC : 0 ) | \
27923 -+ VM_READ | VM_WRITE | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
27924 -
27925 - #define VM_DATA_DEFAULT_FLAGS64 (VM_READ | VM_WRITE | \
27926 - VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
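Review bot: same pattern as the VM_STACK_DEFAULT_FLAGS32 change: VM_EXEC is now conditional on READ_IMPLIES_EXEC, so the context comment's conclusion that "the whole heap ends up being executable" holds only for binaries whose loader set that personality bit. Adjust the comment to say so, and note in the changelog that a ppc32 binary carrying a non-executable GNU_STACK note now gets a non-executable heap, which is a visible behaviour change for any program that depends on the executable data the comment describes.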
27927 -diff -urNp linux-2.6.24.4/include/asm-ppc/mmu_context.h linux-2.6.24.4/include/asm-ppc/mmu_context.h
27928 ---- linux-2.6.24.4/include/asm-ppc/mmu_context.h 2008-03-24 14:49:18.000000000 -0400
27929 -+++ linux-2.6.24.4/include/asm-ppc/mmu_context.h 2008-03-26 17:56:56.000000000 -0400
27930 -@@ -146,7 +146,8 @@ static inline void get_mmu_context(struc
27931 - static inline int init_new_context(struct task_struct *t, struct mm_struct *mm)
27932 - {
27933 - mm->context.id = NO_CONTEXT;
27934 -- mm->context.vdso_base = 0;
27935 -+ if (t == current)
27936 -+ mm->context.vdso_base = ~0UL;
27937 - return 0;
27938 - }
27939 -
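Review bot: the new "if (t == current)" makes init_new_context() leave vdso_base untouched when called for a task other than the current one, where the old code zeroed it unconditionally. That only yields a defined value because dup_mm() copies the parent's mm_struct wholesale before calling init_new_context(), so a forked child inherits the parent's vdso_base while an exec'd or freshly allocated mm (t == current) starts at ~0UL. A comment stating that, and what the ~0UL sentinel means to the consumers of vdso_base, is needed for anyone touching this later.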
27940 -diff -urNp linux-2.6.24.4/include/asm-ppc/pgtable.h linux-2.6.24.4/include/asm-ppc/pgtable.h
27941 ---- linux-2.6.24.4/include/asm-ppc/pgtable.h 2008-03-24 14:49:18.000000000 -0400
27942 -+++ linux-2.6.24.4/include/asm-ppc/pgtable.h 2008-03-26 17:56:56.000000000 -0400
27943 -@@ -440,11 +440,21 @@ extern unsigned long ioremap_bot, iorema
27944 -
27945 - #define PAGE_NONE __pgprot(_PAGE_BASE)
27946 - #define PAGE_READONLY __pgprot(_PAGE_BASE | _PAGE_USER)
27947 --#define PAGE_READONLY_X __pgprot(_PAGE_BASE | _PAGE_USER | _PAGE_EXEC)
27948 -+#define PAGE_READONLY_X __pgprot(_PAGE_BASE | _PAGE_USER | _PAGE_EXEC | _PAGE_HWEXEC)
27949 - #define PAGE_SHARED __pgprot(_PAGE_BASE | _PAGE_USER | _PAGE_RW)
27950 --#define PAGE_SHARED_X __pgprot(_PAGE_BASE | _PAGE_USER | _PAGE_RW | _PAGE_EXEC)
27951 -+#define PAGE_SHARED_X __pgprot(_PAGE_BASE | _PAGE_USER | _PAGE_RW | _PAGE_EXEC | _PAGE_HWEXEC)
27952 - #define PAGE_COPY __pgprot(_PAGE_BASE | _PAGE_USER)
27953 --#define PAGE_COPY_X __pgprot(_PAGE_BASE | _PAGE_USER | _PAGE_EXEC)
27954 -+#define PAGE_COPY_X __pgprot(_PAGE_BASE | _PAGE_USER | _PAGE_EXEC | _PAGE_HWEXEC)
27955 -+
27956 -+#if defined(CONFIG_PAX_PAGEEXEC) && !defined(CONFIG_40x) && !defined(CONFIG_44x)
27957 -+# define PAGE_SHARED_NOEXEC __pgprot(_PAGE_BASE | _PAGE_USER | _PAGE_RW | _PAGE_GUARDED)
27958 -+# define PAGE_COPY_NOEXEC __pgprot(_PAGE_BASE | _PAGE_USER | _PAGE_GUARDED)
27959 -+# define PAGE_READONLY_NOEXEC __pgprot(_PAGE_BASE | _PAGE_USER | _PAGE_GUARDED)
27960 -+#else
27961 -+# define PAGE_SHARED_NOEXEC PAGE_SHARED
27962 -+# define PAGE_COPY_NOEXEC PAGE_COPY
27963 -+# define PAGE_READONLY_NOEXEC PAGE_READONLY
27964 -+#endif
27965 -
27966 - #define PAGE_KERNEL __pgprot(_PAGE_RAM)
27967 - #define PAGE_KERNEL_NOCACHE __pgprot(_PAGE_IO)
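Review bot: the "#if defined(CONFIG_PAX_PAGEEXEC) && !defined(CONFIG_40x) && !defined(CONFIG_44x)" guard excludes two CPU families without saying why. The _NOEXEC variants rely on _PAGE_GUARDED to stop instruction fetch, which works on the classic hash-MMU cores but is the wrong tool on 40x/44x, where the software TLB loader honours a real execute bit (_PAGE_HWEXEC, which this hunk now ORs into the _X variants). Add a one-line comment; otherwise the next person will assume the exclusion is an oversight and remove it.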
27968 -@@ -456,21 +466,21 @@ extern unsigned long ioremap_bot, iorema
27969 - * This is the closest we can get..
27970 - */
27971 - #define __P000 PAGE_NONE
27972 --#define __P001 PAGE_READONLY_X
27973 --#define __P010 PAGE_COPY
27974 --#define __P011 PAGE_COPY_X
27975 --#define __P100 PAGE_READONLY
27976 -+#define __P001 PAGE_READONLY_NOEXEC
27977 -+#define __P010 PAGE_COPY_NOEXEC
27978 -+#define __P011 PAGE_COPY_NOEXEC
27979 -+#define __P100 PAGE_READONLY_X
27980 - #define __P101 PAGE_READONLY_X
27981 --#define __P110 PAGE_COPY
27982 -+#define __P110 PAGE_COPY_X
27983 - #define __P111 PAGE_COPY_X
27984 -
27985 - #define __S000 PAGE_NONE
27986 --#define __S001 PAGE_READONLY_X
27987 --#define __S010 PAGE_SHARED
27988 --#define __S011 PAGE_SHARED_X
27989 --#define __S100 PAGE_READONLY
27990 -+#define __S001 PAGE_READONLY_NOEXEC
27991 -+#define __S010 PAGE_SHARED_NOEXEC
27992 -+#define __S011 PAGE_SHARED_NOEXEC
27993 -+#define __S100 PAGE_READONLY_X
27994 - #define __S101 PAGE_READONLY_X
27995 --#define __S110 PAGE_SHARED
27996 -+#define __S110 PAGE_SHARED_X
27997 - #define __S111 PAGE_SHARED_X
27998 -
27999 - #ifndef __ASSEMBLY__
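Review bot: the remap of the __P/__S tables is correct but non-obvious, because the index bits are read=1, write=2, exec=4 (so __P100 is exec-only and __P001 is read-only). With that key the old table reads as though the digits were in r,w,x order: it mapped __P100/__S100 to a non-executable PAGE_READONLY and __P001/__S001 to an executable page, which this hunk inverts. A comment spelling out the bit order above the table would let a reviewer verify the sixteen entries without consulting mm/mmap.c.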
28000 -diff -urNp linux-2.6.24.4/include/asm-s390/kmap_types.h linux-2.6.24.4/include/asm-s390/kmap_types.h
28001 ---- linux-2.6.24.4/include/asm-s390/kmap_types.h 2008-03-24 14:49:18.000000000 -0400
28002 -+++ linux-2.6.24.4/include/asm-s390/kmap_types.h 2008-03-26 17:56:56.000000000 -0400
28003 -@@ -16,6 +16,7 @@ enum km_type {
28004 - KM_IRQ1,
28005 - KM_SOFTIRQ0,
28006 - KM_SOFTIRQ1,
28007 -+ KM_CLEARPAGE,
28008 - KM_TYPE_NR
28009 - };
28010 -
28011 -diff -urNp linux-2.6.24.4/include/asm-sh/kmap_types.h linux-2.6.24.4/include/asm-sh/kmap_types.h
28012 ---- linux-2.6.24.4/include/asm-sh/kmap_types.h 2008-03-24 14:49:18.000000000 -0400
28013 -+++ linux-2.6.24.4/include/asm-sh/kmap_types.h 2008-03-26 17:56:56.000000000 -0400
28014 -@@ -24,7 +24,8 @@ D(9) KM_IRQ0,
28015 - D(10) KM_IRQ1,
28016 - D(11) KM_SOFTIRQ0,
28017 - D(12) KM_SOFTIRQ1,
28018 --D(13) KM_TYPE_NR
28019 -+D(13) KM_CLEARPAGE,
28020 -+D(14) KM_TYPE_NR
28021 - };
28022 -
28023 - #undef D
28024 -diff -urNp linux-2.6.24.4/include/asm-sparc/a.out.h linux-2.6.24.4/include/asm-sparc/a.out.h
28025 ---- linux-2.6.24.4/include/asm-sparc/a.out.h 2008-03-24 14:49:18.000000000 -0400
28026 -+++ linux-2.6.24.4/include/asm-sparc/a.out.h 2008-03-26 17:56:56.000000000 -0400
28027 -@@ -91,8 +91,8 @@ struct relocation_info /* used when head
28028 -
28029 - #include <asm/page.h>
28030 -
28031 --#define STACK_TOP (PAGE_OFFSET - PAGE_SIZE)
28032 --#define STACK_TOP_MAX STACK_TOP
28033 -+#define __STACK_TOP (PAGE_OFFSET - PAGE_SIZE)
28034 -+#define STACK_TOP_MAX __STACK_TOP
28035 -
28036 - #endif /* __KERNEL__ */
28037 -
28038 -diff -urNp linux-2.6.24.4/include/asm-sparc/elf.h linux-2.6.24.4/include/asm-sparc/elf.h
28039 ---- linux-2.6.24.4/include/asm-sparc/elf.h 2008-03-24 14:49:18.000000000 -0400
28040 -+++ linux-2.6.24.4/include/asm-sparc/elf.h 2008-03-26 17:56:56.000000000 -0400
28041 -@@ -143,6 +143,13 @@ do { unsigned long *dest = &(__elf_regs[
28042 -
28043 - #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE)
28044 -
28045 -+#ifdef CONFIG_PAX_ASLR
28046 -+#define PAX_ELF_ET_DYN_BASE 0x10000UL
28047 -+
28048 -+#define PAX_DELTA_MMAP_LEN 16
28049 -+#define PAX_DELTA_STACK_LEN 16
28050 -+#endif
28051 -+
28052 - /* This yields a mask that user programs can use to figure out what
28053 - instruction set this cpu supports. This can NOT be done in userspace
28054 - on Sparc. */
28055 -diff -urNp linux-2.6.24.4/include/asm-sparc/kmap_types.h linux-2.6.24.4/include/asm-sparc/kmap_types.h
28056 ---- linux-2.6.24.4/include/asm-sparc/kmap_types.h 2008-03-24 14:49:18.000000000 -0400
28057 -+++ linux-2.6.24.4/include/asm-sparc/kmap_types.h 2008-03-26 17:56:56.000000000 -0400
28058 -@@ -15,6 +15,7 @@ enum km_type {
28059 - KM_IRQ1,
28060 - KM_SOFTIRQ0,
28061 - KM_SOFTIRQ1,
28062 -+ KM_CLEARPAGE,
28063 - KM_TYPE_NR
28064 - };
28065 -
28066 -diff -urNp linux-2.6.24.4/include/asm-sparc/pgtable.h linux-2.6.24.4/include/asm-sparc/pgtable.h
28067 ---- linux-2.6.24.4/include/asm-sparc/pgtable.h 2008-03-24 14:49:18.000000000 -0400
28068 -+++ linux-2.6.24.4/include/asm-sparc/pgtable.h 2008-03-26 17:56:56.000000000 -0400
28069 -@@ -69,6 +69,16 @@ extern pgprot_t PAGE_SHARED;
28070 - #define PAGE_COPY __pgprot(BTFIXUP_INT(page_copy))
28071 - #define PAGE_READONLY __pgprot(BTFIXUP_INT(page_readonly))
28072 -
28073 -+#ifdef CONFIG_PAX_PAGEEXEC
28074 -+extern pgprot_t PAGE_SHARED_NOEXEC;
28075 -+# define PAGE_COPY_NOEXEC __pgprot(BTFIXUP_INT(page_copy_noexec))
28076 -+# define PAGE_READONLY_NOEXEC __pgprot(BTFIXUP_INT(page_readonly_noexec))
28077 -+#else
28078 -+# define PAGE_SHARED_NOEXEC PAGE_SHARED
28079 -+# define PAGE_COPY_NOEXEC PAGE_COPY
28080 -+# define PAGE_READONLY_NOEXEC PAGE_READONLY
28081 -+#endif
28082 -+
28083 - extern unsigned long page_kernel;
28084 -
28085 - #ifdef MODULE
28086 -diff -urNp linux-2.6.24.4/include/asm-sparc/pgtsrmmu.h linux-2.6.24.4/include/asm-sparc/pgtsrmmu.h
28087 ---- linux-2.6.24.4/include/asm-sparc/pgtsrmmu.h 2008-03-24 14:49:18.000000000 -0400
28088 -+++ linux-2.6.24.4/include/asm-sparc/pgtsrmmu.h 2008-03-26 17:56:56.000000000 -0400
28089 -@@ -115,6 +115,16 @@
28090 - SRMMU_EXEC | SRMMU_REF)
28091 - #define SRMMU_PAGE_RDONLY __pgprot(SRMMU_VALID | SRMMU_CACHE | \
28092 - SRMMU_EXEC | SRMMU_REF)
28093 -+
28094 -+#ifdef CONFIG_PAX_PAGEEXEC
28095 -+#define SRMMU_PAGE_SHARED_NOEXEC __pgprot(SRMMU_VALID | SRMMU_CACHE | \
28096 -+ SRMMU_WRITE | SRMMU_REF)
28097 -+#define SRMMU_PAGE_COPY_NOEXEC __pgprot(SRMMU_VALID | SRMMU_CACHE | \
28098 -+ SRMMU_REF)
28099 -+#define SRMMU_PAGE_RDONLY_NOEXEC __pgprot(SRMMU_VALID | SRMMU_CACHE | \
28100 -+ SRMMU_REF)
28101 -+#endif
28102 -+
28103 - #define SRMMU_PAGE_KERNEL __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_PRIV | \
28104 - SRMMU_DIRTY | SRMMU_REF)
28105 -
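Review bot: the three SRMMU_PAGE_*_NOEXEC protections are only defined under CONFIG_PAX_PAGEEXEC, with no #else fallback, whereas the matching asm-sparc/pgtable.h hunk in this patch provides PAGE_*_NOEXEC aliases in both configurations. Any srmmu code that references the SRMMU_ variants unconditionally will fail to build without PAGEEXEC; either add #else aliases to SRMMU_PAGE_SHARED/COPY/RDONLY here for symmetry or make sure every user sits inside the same #ifdef.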
28106 -diff -urNp linux-2.6.24.4/include/asm-sparc/uaccess.h linux-2.6.24.4/include/asm-sparc/uaccess.h
28107 ---- linux-2.6.24.4/include/asm-sparc/uaccess.h 2008-03-24 14:49:18.000000000 -0400
28108 -+++ linux-2.6.24.4/include/asm-sparc/uaccess.h 2008-03-26 17:56:56.000000000 -0400
28109 -@@ -41,7 +41,7 @@
28110 - * No one can read/write anything from userland in the kernel space by setting
28111 - * large size and address near to PAGE_OFFSET - a fault will break his intentions.
28112 - */
28113 --#define __user_ok(addr, size) ({ (void)(size); (addr) < STACK_TOP; })
28114 -+#define __user_ok(addr, size) ({ (void)(size); (addr) < __STACK_TOP; })
28115 - #define __kernel_ok (segment_eq(get_fs(), KERNEL_DS))
28116 - #define __access_ok(addr,size) (__user_ok((addr) & get_fs().seg,(size)))
28117 - #define access_ok(type, addr, size) \
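Review bot: __user_ok() is an address-range check and should be bounded by the fixed architectural limit rather than a symbol named for the stack top. On sparc32 __STACK_TOP happens to be the constant PAGE_OFFSET - PAGE_SIZE (see the asm-sparc/a.out.h hunk), so the result is unchanged today, but elsewhere in this patch __STACK_TOP becomes per-process. Using STACK_TOP_MAX, which that same hunk defines as __STACK_TOP, expresses the intent (the upper bound of any user mapping) and will not silently change if __STACK_TOP is later made dynamic on sparc as well.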
28118 -diff -urNp linux-2.6.24.4/include/asm-sparc64/a.out.h linux-2.6.24.4/include/asm-sparc64/a.out.h
28119 ---- linux-2.6.24.4/include/asm-sparc64/a.out.h 2008-03-24 14:49:18.000000000 -0400
28120 -+++ linux-2.6.24.4/include/asm-sparc64/a.out.h 2008-03-26 17:56:56.000000000 -0400
28121 -@@ -98,7 +98,7 @@ struct relocation_info /* used when head
28122 - #define STACK_TOP32 ((1UL << 32UL) - PAGE_SIZE)
28123 - #define STACK_TOP64 (0x0000080000000000UL - (1UL << 32UL))
28124 -
28125 --#define STACK_TOP (test_thread_flag(TIF_32BIT) ? \
28126 -+#define __STACK_TOP (test_thread_flag(TIF_32BIT) ? \
28127 - STACK_TOP32 : STACK_TOP64)
28128 -
28129 - #define STACK_TOP_MAX STACK_TOP64
28130 -diff -urNp linux-2.6.24.4/include/asm-sparc64/elf.h linux-2.6.24.4/include/asm-sparc64/elf.h
28131 ---- linux-2.6.24.4/include/asm-sparc64/elf.h 2008-03-24 14:49:18.000000000 -0400
28132 -+++ linux-2.6.24.4/include/asm-sparc64/elf.h 2008-03-26 17:56:56.000000000 -0400
28133 -@@ -143,6 +143,12 @@ typedef struct {
28134 - #define ELF_ET_DYN_BASE 0x0000010000000000UL
28135 - #endif
28136 -
28137 -+#ifdef CONFIG_PAX_ASLR
28138 -+#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_32BIT) ? 0x10000UL : 0x100000UL)
28139 -+
28140 -+#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_32BIT) ? 14 : 28 )
28141 -+#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_32BIT) ? 15 : 29 )
28142 -+#endif
28143 -
28144 - /* This yields a mask that user programs can use to figure out what
28145 - instruction set this cpu supports. */
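Review bot: style: both delta-length macros carry a stray space before the closing parenthesis ("14 : 28 )", "15 : 29 )"), unlike the other arches' versions of the same macros in this patch. More usefully, the 32-bit values here (14 and 15 bits) differ from the 16 used in the asm-sparc/elf.h hunk for native 32-bit sparc and from each other (MMAP 14 versus STACK 15); a comment giving the reasoning from the 32-bit task layout on sparc64 would stop a future unification attempt from picking the wrong numbers.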
28146 -diff -urNp linux-2.6.24.4/include/asm-sparc64/kmap_types.h linux-2.6.24.4/include/asm-sparc64/kmap_types.h
28147 ---- linux-2.6.24.4/include/asm-sparc64/kmap_types.h 2008-03-24 14:49:18.000000000 -0400
28148 -+++ linux-2.6.24.4/include/asm-sparc64/kmap_types.h 2008-03-26 17:56:56.000000000 -0400
28149 -@@ -19,6 +19,7 @@ enum km_type {
28150 - KM_IRQ1,
28151 - KM_SOFTIRQ0,
28152 - KM_SOFTIRQ1,
28153 -+ KM_CLEARPAGE,
28154 - KM_TYPE_NR
28155 - };
28156 -
28157 -diff -urNp linux-2.6.24.4/include/asm-um/kmap_types.h linux-2.6.24.4/include/asm-um/kmap_types.h
28158 ---- linux-2.6.24.4/include/asm-um/kmap_types.h 2008-03-24 14:49:18.000000000 -0400
28159 -+++ linux-2.6.24.4/include/asm-um/kmap_types.h 2008-03-26 17:56:56.000000000 -0400
28160 -@@ -23,6 +23,7 @@ enum km_type {
28161 - KM_IRQ1,
28162 - KM_SOFTIRQ0,
28163 - KM_SOFTIRQ1,
28164 -+ KM_CLEARPAGE,
28165 - KM_TYPE_NR
28166 - };
28167 -
28168 -diff -urNp linux-2.6.24.4/include/asm-v850/kmap_types.h linux-2.6.24.4/include/asm-v850/kmap_types.h
28169 ---- linux-2.6.24.4/include/asm-v850/kmap_types.h 2008-03-24 14:49:18.000000000 -0400
28170 -+++ linux-2.6.24.4/include/asm-v850/kmap_types.h 2008-03-26 17:56:56.000000000 -0400
28171 -@@ -13,6 +13,7 @@ enum km_type {
28172 - KM_PTE1,
28173 - KM_IRQ0,
28174 - KM_IRQ1,
28175 -+ KM_CLEARPAGE,
28176 - KM_TYPE_NR
28177 - };
28178 -
28179 -diff -urNp linux-2.6.24.4/include/asm-x86/alternative_32.h linux-2.6.24.4/include/asm-x86/alternative_32.h
28180 ---- linux-2.6.24.4/include/asm-x86/alternative_32.h 2008-03-24 14:49:18.000000000 -0400
28181 -+++ linux-2.6.24.4/include/asm-x86/alternative_32.h 2008-03-26 17:56:56.000000000 -0400
28182 -@@ -54,7 +54,7 @@ static inline void alternatives_smp_swit
28183 - " .byte 662b-661b\n" /* sourcelen */ \
28184 - " .byte 664f-663f\n" /* replacementlen */ \
28185 - ".previous\n" \
28186 -- ".section .altinstr_replacement,\"ax\"\n" \
28187 -+ ".section .altinstr_replacement,\"a\"\n" \
28188 - "663:\n\t" newinstr "\n664:\n" /* replacement */\
28189 - ".previous" :: "i" (feature) : "memory")
28190 -
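Review bot: changing .altinstr_replacement from "ax" to "a" drops the executable flag from the section holding the replacement instruction bytes. That is sound, since apply_alternatives() copies those bytes into the live text and nothing ever branches into the section itself, and it shrinks what has to be mapped executable. The same one-character change is repeated in the two hunks below and the three in alternative_64.h; state the rationale once, in the changelog or a comment at this first occurrence, and confirm the linker script still places the now non-executable section where the alternatives code expects it.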
28191 -@@ -78,7 +78,7 @@ static inline void alternatives_smp_swit
28192 - " .byte 662b-661b\n" /* sourcelen */ \
28193 - " .byte 664f-663f\n" /* replacementlen */ \
28194 - ".previous\n" \
28195 -- ".section .altinstr_replacement,\"ax\"\n" \
28196 -+ ".section .altinstr_replacement,\"a\"\n" \
28197 - "663:\n\t" newinstr "\n664:\n" /* replacement */\
28198 - ".previous" :: "i" (feature), ##input)
28199 -
28200 -@@ -93,7 +93,7 @@ static inline void alternatives_smp_swit
28201 - " .byte 662b-661b\n" /* sourcelen */ \
28202 - " .byte 664f-663f\n" /* replacementlen */ \
28203 - ".previous\n" \
28204 -- ".section .altinstr_replacement,\"ax\"\n" \
28205 -+ ".section .altinstr_replacement,\"a\"\n" \
28206 - "663:\n\t" newinstr "\n664:\n" /* replacement */ \
28207 - ".previous" : output : [feat] "i" (feature), ##input)
28208 -
28209 -diff -urNp linux-2.6.24.4/include/asm-x86/alternative_64.h linux-2.6.24.4/include/asm-x86/alternative_64.h
28210 ---- linux-2.6.24.4/include/asm-x86/alternative_64.h 2008-03-24 14:49:18.000000000 -0400
28211 -+++ linux-2.6.24.4/include/asm-x86/alternative_64.h 2008-03-26 17:56:56.000000000 -0400
28212 -@@ -94,7 +94,7 @@ static inline void alternatives_smp_swit
28213 - " .byte 662b-661b\n" /* sourcelen */ \
28214 - " .byte 664f-663f\n" /* replacementlen */ \
28215 - ".previous\n" \
28216 -- ".section .altinstr_replacement,\"ax\"\n" \
28217 -+ ".section .altinstr_replacement,\"a\"\n" \
28218 - "663:\n\t" newinstr "\n664:\n" /* replacement */ \
28219 - ".previous" :: "i" (feature) : "memory")
28220 -
28221 -@@ -118,7 +118,7 @@ static inline void alternatives_smp_swit
28222 - " .byte 662b-661b\n" /* sourcelen */ \
28223 - " .byte 664f-663f\n" /* replacementlen */ \
28224 - ".previous\n" \
28225 -- ".section .altinstr_replacement,\"ax\"\n" \
28226 -+ ".section .altinstr_replacement,\"a\"\n" \
28227 - "663:\n\t" newinstr "\n664:\n" /* replacement */ \
28228 - ".previous" :: "i" (feature), ##input)
28229 -
28230 -@@ -133,7 +133,7 @@ static inline void alternatives_smp_swit
28231 - " .byte 662b-661b\n" /* sourcelen */ \
28232 - " .byte 664f-663f\n" /* replacementlen */ \
28233 - ".previous\n" \
28234 -- ".section .altinstr_replacement,\"ax\"\n" \
28235 -+ ".section .altinstr_replacement,\"a\"\n" \
28236 - "663:\n\t" newinstr "\n664:\n" /* replacement */ \
28237 - ".previous" : output : [feat] "i" (feature), ##input)
28238 -
28239 -diff -urNp linux-2.6.24.4/include/asm-x86/a.out.h linux-2.6.24.4/include/asm-x86/a.out.h
28240 ---- linux-2.6.24.4/include/asm-x86/a.out.h 2008-03-24 14:49:18.000000000 -0400
28241 -+++ linux-2.6.24.4/include/asm-x86/a.out.h 2008-03-26 17:56:56.000000000 -0400
28242 -@@ -19,9 +19,13 @@ struct exec
28243 -
28244 - #ifdef __KERNEL__
28245 - # include <linux/thread_info.h>
28246 --# define STACK_TOP TASK_SIZE
28247 -+# ifdef CONFIG_PAX_SEGMEXEC
28248 -+# define __STACK_TOP ((current->mm->pax_flags & MF_PAX_SEGMEXEC)?TASK_SIZE/2:TASK_SIZE)
28249 -+# else
28250 -+# define __STACK_TOP TASK_SIZE
28251 -+# endif
28252 - # ifdef CONFIG_X86_32
28253 --# define STACK_TOP_MAX STACK_TOP
28254 -+# define STACK_TOP_MAX TASK_SIZE
28255 - # else
28256 - # define STACK_TOP_MAX TASK_SIZE64
28257 - # endif
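Review bot: the new __STACK_TOP dereferences current->mm and reads pax_flags, a field the stock mm_struct does not have, so this header now depends on the mm_struct extension made elsewhere in the patch and must never be evaluated in a context without an mm. STACK_TOP_MAX is correctly decoupled from it (TASK_SIZE rather than the halved value), since the maximum feeds limits that must not shrink under SEGMEXEC; a comment saying exactly that would prevent someone "simplifying" it back to __STACK_TOP. Style: "(current->mm->pax_flags & MF_PAX_SEGMEXEC)?TASK_SIZE/2:TASK_SIZE" wants spaces around ? and :.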
28258 -diff -urNp linux-2.6.24.4/include/asm-x86/apic_32.h linux-2.6.24.4/include/asm-x86/apic_32.h
28259 ---- linux-2.6.24.4/include/asm-x86/apic_32.h 2008-03-24 14:49:18.000000000 -0400
28260 -+++ linux-2.6.24.4/include/asm-x86/apic_32.h 2008-03-26 17:56:56.000000000 -0400
28261 -@@ -8,7 +8,7 @@
28262 - #include <asm/processor.h>
28263 - #include <asm/system.h>
28264 -
28265 --#define Dprintk(x...)
28266 -+#define Dprintk(x...) do {} while (0)
28267 -
28268 - /*
28269 - * Debugging macros
28270 -diff -urNp linux-2.6.24.4/include/asm-x86/apic_64.h linux-2.6.24.4/include/asm-x86/apic_64.h
28271 ---- linux-2.6.24.4/include/asm-x86/apic_64.h 2008-03-24 14:49:18.000000000 -0400
28272 -+++ linux-2.6.24.4/include/asm-x86/apic_64.h 2008-03-26 17:56:56.000000000 -0400
28273 -@@ -7,7 +7,7 @@
28274 - #include <asm/apicdef.h>
28275 - #include <asm/system.h>
28276 -
28277 --#define Dprintk(x...)
28278 -+#define Dprintk(x...) do {} while (0)
28279 -
28280 - /*
28281 - * Debugging macros
28282 -diff -urNp linux-2.6.24.4/include/asm-x86/boot.h linux-2.6.24.4/include/asm-x86/boot.h
28283 ---- linux-2.6.24.4/include/asm-x86/boot.h 2008-03-24 14:49:18.000000000 -0400
28284 -+++ linux-2.6.24.4/include/asm-x86/boot.h 2008-03-26 17:56:56.000000000 -0400
28285 -@@ -13,8 +13,13 @@
28286 - #define ASK_VGA 0xfffd /* ask for it at bootup */
28287 -
28288 - /* Physical address where kernel should be loaded. */
28289 --#define LOAD_PHYSICAL_ADDR ((CONFIG_PHYSICAL_START \
28290 -+#define ____LOAD_PHYSICAL_ADDR ((CONFIG_PHYSICAL_START \
28291 - + (CONFIG_PHYSICAL_ALIGN - 1)) \
28292 - & ~(CONFIG_PHYSICAL_ALIGN - 1))
28293 -
28294 -+#ifndef __ASSEMBLY__
28295 -+extern unsigned char __LOAD_PHYSICAL_ADDR[];
28296 -+#define LOAD_PHYSICAL_ADDR ((unsigned long)__LOAD_PHYSICAL_ADDR)
28297 -+#endif
28298 -+
28299 - #endif /* _ASM_BOOT_H */
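Review bot: the replacement `LOAD_PHYSICAL_ADDR` (the address of the linker symbol `__LOAD_PHYSICAL_ADDR`) sits entirely under `#ifndef __ASSEMBLY__`, so an assembly file that includes this header and uses `LOAD_PHYSICAL_ADDR` now sees no definition at all; add an `#else` branch that maps it to `____LOAD_PHYSICAL_ADDR`, or confirm that every assembly user has been converted. The four-underscore `____LOAD_PHYSICAL_ADDR` next to the two-underscore `__LOAD_PHYSICAL_ADDR` is also easy to misread; a distinct name for the raw constant would be less error-prone.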
28300 -diff -urNp linux-2.6.24.4/include/asm-x86/cache.h linux-2.6.24.4/include/asm-x86/cache.h
28301 ---- linux-2.6.24.4/include/asm-x86/cache.h 2008-03-24 14:49:18.000000000 -0400
28302 -+++ linux-2.6.24.4/include/asm-x86/cache.h 2008-03-26 17:56:56.000000000 -0400
28303 -@@ -6,6 +6,7 @@
28304 - #define L1_CACHE_BYTES (1 << L1_CACHE_SHIFT)
28305 -
28306 - #define __read_mostly __attribute__((__section__(".data.read_mostly")))
28307 -+#define __read_only __attribute__((__section__(".data.read_only")))
28308 -
28309 - #ifdef CONFIG_X86_VSMP
28310 - /* vSMP Internode cacheline shift */
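Review bot: `__read_only` only protects anything if the linker script places `.data.read_only` on its own page-aligned, write-protected range, and this hunk does not document that dependency. Add a comment pointing at the linker-script change that backs it, and state that data tagged `__read_only` must be fully initialised at compile time or written only inside the `pax_open_kernel()` / `pax_close_kernel()` window this patch uses for the descriptor tables.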
28311 -diff -urNp linux-2.6.24.4/include/asm-x86/checksum_32.h linux-2.6.24.4/include/asm-x86/checksum_32.h
28312 ---- linux-2.6.24.4/include/asm-x86/checksum_32.h 2008-03-24 14:49:18.000000000 -0400
28313 -+++ linux-2.6.24.4/include/asm-x86/checksum_32.h 2008-03-26 17:56:56.000000000 -0400
28314 -@@ -30,6 +30,12 @@ asmlinkage __wsum csum_partial(const voi
28315 - asmlinkage __wsum csum_partial_copy_generic(const void *src, void *dst,
28316 - int len, __wsum sum, int *src_err_ptr, int *dst_err_ptr);
28317 -
28318 -+asmlinkage __wsum csum_partial_copy_generic_to_user(const void *src, void *dst,
28319 -+ int len, __wsum sum, int *src_err_ptr, int *dst_err_ptr);
28320 -+
28321 -+asmlinkage __wsum csum_partial_copy_generic_from_user(const void *src, void *dst,
28322 -+ int len, __wsum sum, int *src_err_ptr, int *dst_err_ptr);
28323 -+
28324 - /*
28325 - * Note: when you get a NULL pointer exception here this means someone
28326 - * passed in an incorrect kernel address to one of these functions.
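Review bot: the new `csum_partial_copy_generic_to_user()` / `_from_user()` prototypes declare both pointers as plain `void *`, so the callers in the following hunks still need `(__force void *)` casts and sparse cannot verify that the user-side pointer is the one going through the user segment. Since these variants exist precisely to separate user from kernel memory, annotate the user-side parameter (`void __user *dst` and `const void __user *src` respectively) and drop the `__force` casts at the call sites.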
28327 -@@ -49,7 +55,7 @@ __wsum csum_partial_copy_from_user(const
28328 - int len, __wsum sum, int *err_ptr)
28329 - {
28330 - might_sleep();
28331 -- return csum_partial_copy_generic((__force void *)src, dst,
28332 -+ return csum_partial_copy_generic_from_user((__force void *)src, dst,
28333 - len, sum, err_ptr, NULL);
28334 - }
28335 -
28336 -@@ -180,7 +186,7 @@ static __inline__ __wsum csum_and_copy_t
28337 - {
28338 - might_sleep();
28339 - if (access_ok(VERIFY_WRITE, dst, len))
28340 -- return csum_partial_copy_generic(src, (__force void *)dst, len, sum, NULL, err_ptr);
28341 -+ return csum_partial_copy_generic_to_user(src, (__force void *)dst, len, sum, NULL, err_ptr);
28342 -
28343 - if (len)
28344 - *err_ptr = -EFAULT;
28345 -diff -urNp linux-2.6.24.4/include/asm-x86/desc_32.h linux-2.6.24.4/include/asm-x86/desc_32.h
28346 ---- linux-2.6.24.4/include/asm-x86/desc_32.h 2008-03-24 14:49:18.000000000 -0400
28347 -+++ linux-2.6.24.4/include/asm-x86/desc_32.h 2008-03-26 17:56:56.000000000 -0400
28348 -@@ -7,30 +7,26 @@
28349 - #ifndef __ASSEMBLY__
28350 -
28351 - #include <linux/preempt.h>
28352 --#include <linux/smp.h>
28353 - #include <linux/percpu.h>
28354 -+#include <linux/smp.h>
28355 -
28356 - #include <asm/mmu.h>
28357 -
28358 -+extern struct desc_struct cpu_gdt_table[NR_CPUS][PAGE_SIZE / sizeof(struct desc_struct)];
28359 -+
28360 - struct Xgt_desc_struct {
28361 - unsigned short size;
28362 -- unsigned long address __attribute__((packed));
28363 -+ struct desc_struct *address __attribute__((packed));
28364 - unsigned short pad;
28365 - } __attribute__ ((packed));
28366 -
28367 --struct gdt_page
28368 --{
28369 -- struct desc_struct gdt[GDT_ENTRIES];
28370 --} __attribute__((aligned(PAGE_SIZE)));
28371 --DECLARE_PER_CPU(struct gdt_page, gdt_page);
28372 --
28373 - static inline struct desc_struct *get_cpu_gdt_table(unsigned int cpu)
28374 - {
28375 -- return per_cpu(gdt_page, cpu).gdt;
28376 -+ return cpu_gdt_table[cpu];
28377 - }
28378 -
28379 - extern struct Xgt_desc_struct idt_descr;
28380 --extern struct desc_struct idt_table[];
28381 -+extern struct desc_struct idt_table[256];
28382 - extern void set_intr_gate(unsigned int irq, void * addr);
28383 -
28384 - static inline void pack_descriptor(__u32 *a, __u32 *b,
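Review bot: replacing the per-cpu `gdt_page` with a static `cpu_gdt_table[NR_CPUS][PAGE_SIZE / sizeof(struct desc_struct)]` reserves one page per possible CPU at link time and, together with the `pax_open_kernel()` brackets in the hunks below, implies the GDT now lives in write-protected memory; that intent belongs in a comment at the extern declaration. Changing `Xgt_desc_struct.address` from `unsigned long` to `struct desc_struct *` also changes the type seen by every `lgdt`/`sgdt`/`lidt` user that assigns an integer address to it, none of which appears in this hunk, so check that all of them are updated in the rest of the patch.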
28385 -@@ -81,8 +77,20 @@ static inline void pack_gate(__u32 *a, _
28386 - static inline void write_dt_entry(struct desc_struct *dt,
28387 - int entry, u32 entry_low, u32 entry_high)
28388 - {
28389 -+
28390 -+#ifdef CONFIG_PAX_KERNEXEC
28391 -+ unsigned long cr0;
28392 -+
28393 -+ pax_open_kernel(cr0);
28394 -+#endif
28395 -+
28396 - dt[entry].a = entry_low;
28397 - dt[entry].b = entry_high;
28398 -+
28399 -+#ifdef CONFIG_PAX_KERNEXEC
28400 -+ pax_close_kernel(cr0);
28401 -+#endif
28402 -+
28403 - }
28404 -
28405 - static inline void native_set_ldt(const void *addr, unsigned int entries)
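Review bot: `pax_open_kernel(cr0)` / `pax_close_kernel(cr0)` bracket the two descriptor stores in `write_dt_entry()`, so write protection is lifted for the whole window; whether an interrupt or preemption inside that window can leave another context running with protection still lifted depends on what those macros do, and they are not shown here. A comment stating the invariant (interrupts or preemption disabled inside the window, or the macros taking care of it) would make this reviewable; the same pattern is repeated in `native_load_tls()` below and in `desc_64.h`.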
28406 -@@ -139,8 +147,19 @@ static inline void native_load_tls(struc
28407 - unsigned int i;
28408 - struct desc_struct *gdt = get_cpu_gdt_table(cpu);
28409 -
28410 -+#ifdef CONFIG_PAX_KERNEXEC
28411 -+ unsigned long cr0;
28412 -+
28413 -+ pax_open_kernel(cr0);
28414 -+#endif
28415 -+
28416 - for (i = 0; i < GDT_ENTRY_TLS_ENTRIES; i++)
28417 - gdt[GDT_ENTRY_TLS_MIN + i] = t->tls_array[i];
28418 -+
28419 -+#ifdef CONFIG_PAX_KERNEXEC
28420 -+ pax_close_kernel(cr0);
28421 -+#endif
28422 -+
28423 - }
28424 -
28425 - static inline void _set_gate(int gate, unsigned int type, void *addr, unsigned short seg)
28426 -@@ -175,7 +194,7 @@ static inline void __set_tss_desc(unsign
28427 - ((info)->seg_32bit << 22) | \
28428 - ((info)->limit_in_pages << 23) | \
28429 - ((info)->useable << 20) | \
28430 -- 0x7000)
28431 -+ 0x7100)
28432 -
28433 - #define LDT_empty(info) (\
28434 - (info)->base_addr == 0 && \
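Review bot: the change from `0x7000` to `0x7100` in the `LDT_entry_b()` constant sets bit 8 of the descriptor's high dword, the Accessed bit of the segment type, so the CPU never has to write the descriptor back when the segment is loaded; that is what allows the descriptor tables to sit in read-only memory. The magic constant hides this, so spell it out in a comment or OR in a named constant, and note that the identical `0x7100` edit appears in `desc_64.h`.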
28435 -@@ -207,15 +226,25 @@ static inline void load_LDT(mm_context_t
28436 - preempt_enable();
28437 - }
28438 -
28439 --static inline unsigned long get_desc_base(unsigned long *desc)
28440 -+static inline unsigned long get_desc_base(struct desc_struct *desc)
28441 - {
28442 - unsigned long base;
28443 -- base = ((desc[0] >> 16) & 0x0000ffff) |
28444 -- ((desc[1] << 16) & 0x00ff0000) |
28445 -- (desc[1] & 0xff000000);
28446 -+ base = ((desc->a >> 16) & 0x0000ffff) |
28447 -+ ((desc->b << 16) & 0x00ff0000) |
28448 -+ (desc->b & 0xff000000);
28449 - return base;
28450 - }
28451 -
28452 -+static inline void set_user_cs(unsigned long base, unsigned long limit, int cpu)
28453 -+{
28454 -+ __u32 a, b;
28455 -+
28456 -+ if (likely(limit))
28457 -+ limit = (limit - 1UL) >> PAGE_SHIFT;
28458 -+ pack_descriptor(&a, &b, base, limit, 0xFB, 0xC);
28459 -+ write_gdt_entry(get_cpu_gdt_table(cpu), GDT_ENTRY_DEFAULT_USER_CS, a, b);
28460 -+}
28461 -+
28462 - #else /* __ASSEMBLY__ */
28463 -
28464 - /*
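Review bot: in `set_user_cs()` the `if (likely(limit))` guard means a caller passing `limit == 0` still gets a descriptor with limit field 0 and the 4K granularity flag (`0xC`), which is a one-page segment rather than an empty one. If a zero-length user code segment is meant to be a valid state, it needs a different encoding or a `BUG_ON`, and the `(limit - 1UL) >> PAGE_SHIFT` convention (exclusive byte limit in, inclusive page index out) should be written down above the function.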
28465 -diff -urNp linux-2.6.24.4/include/asm-x86/desc_64.h linux-2.6.24.4/include/asm-x86/desc_64.h
28466 ---- linux-2.6.24.4/include/asm-x86/desc_64.h 2008-03-24 14:49:18.000000000 -0400
28467 -+++ linux-2.6.24.4/include/asm-x86/desc_64.h 2008-03-26 17:56:56.000000000 -0400
28468 -@@ -14,7 +14,7 @@
28469 - #include <asm/segment.h>
28470 - #include <asm/mmu.h>
28471 -
28472 --extern struct desc_struct cpu_gdt_table[GDT_ENTRIES];
28473 -+extern struct desc_struct cpu_gdt_table[NR_CPUS][PAGE_SIZE / sizeof(struct desc_struct)];
28474 -
28475 - #define load_TR_desc() asm volatile("ltr %w0"::"r" (GDT_ENTRY_TSS*8))
28476 - #define load_LDT_desc() asm volatile("lldt %w0"::"r" (GDT_ENTRY_LDT*8))
28477 -@@ -34,12 +34,10 @@ static inline unsigned long __store_tr(v
28478 - * This is the ldt that every process will get unless we need
28479 - * something other than this.
28480 - */
28481 --extern struct desc_struct default_ldt[];
28482 - extern struct gate_struct idt_table[];
28483 --extern struct desc_ptr cpu_gdt_descr[];
28484 -
28485 - /* the cpu gdt accessor */
28486 --#define cpu_gdt(_cpu) ((struct desc_struct *)cpu_gdt_descr[_cpu].address)
28487 -+#define cpu_gdt(_cpu) (cpu_gdt_table[_cpu])
28488 -
28489 - static inline void load_gdt(const struct desc_ptr *ptr)
28490 - {
28491 -@@ -54,6 +52,11 @@ static inline void store_gdt(struct desc
28492 - static inline void _set_gate(void *adr, unsigned type, unsigned long func, unsigned dpl, unsigned ist)
28493 - {
28494 - struct gate_struct s;
28495 -+
28496 -+#ifdef CONFIG_PAX_KERNEXEC
28497 -+ unsigned long cr0;
28498 -+#endif
28499 -+
28500 - s.offset_low = PTR_LOW(func);
28501 - s.segment = __KERNEL_CS;
28502 - s.ist = ist;
28503 -@@ -65,7 +68,17 @@ static inline void _set_gate(void *adr,
28504 - s.offset_middle = PTR_MIDDLE(func);
28505 - s.offset_high = PTR_HIGH(func);
28506 - /* does not need to be atomic because it is only done once at setup time */
28507 -+
28508 -+#ifdef CONFIG_PAX_KERNEXEC
28509 -+ pax_open_kernel(cr0);
28510 -+#endif
28511 -+
28512 - memcpy(adr, &s, 16);
28513 -+
28514 -+#ifdef CONFIG_PAX_KERNEXEC
28515 -+ pax_close_kernel(cr0);
28516 -+#endif
28517 -+
28518 - }
28519 -
28520 - static inline void set_intr_gate(int nr, void *func)
28521 -@@ -105,6 +118,11 @@ static inline void set_tssldt_descriptor
28522 - unsigned size)
28523 - {
28524 - struct ldttss_desc d;
28525 -+
28526 -+#ifdef CONFIG_PAX_KERNEXEC
28527 -+ unsigned long cr0;
28528 -+#endif
28529 -+
28530 - memset(&d,0,sizeof(d));
28531 - d.limit0 = size & 0xFFFF;
28532 - d.base0 = PTR_LOW(tss);
28533 -@@ -114,7 +132,17 @@ static inline void set_tssldt_descriptor
28534 - d.limit1 = (size >> 16) & 0xF;
28535 - d.base2 = (PTR_MIDDLE(tss) >> 8) & 0xFF;
28536 - d.base3 = PTR_HIGH(tss);
28537 -+
28538 -+#ifdef CONFIG_PAX_KERNEXEC
28539 -+ pax_open_kernel(cr0);
28540 -+#endif
28541 -+
28542 - memcpy(ptr, &d, 16);
28543 -+
28544 -+#ifdef CONFIG_PAX_KERNEXEC
28545 -+ pax_close_kernel(cr0);
28546 -+#endif
28547 -+
28548 - }
28549 -
28550 - static inline void set_tss_desc(unsigned cpu, void *addr)
28551 -@@ -152,7 +180,7 @@ static inline void set_ldt_desc(unsigned
28552 - ((info)->limit_in_pages << 23) | \
28553 - ((info)->useable << 20) | \
28554 - /* ((info)->lm << 21) | */ \
28555 -- 0x7000)
28556 -+ 0x7100)
28557 -
28558 - #define LDT_empty(info) (\
28559 - (info)->base_addr == 0 && \
28560 -@@ -170,8 +198,19 @@ static inline void load_TLS(struct threa
28561 - unsigned int i;
28562 - u64 *gdt = (u64 *)(cpu_gdt(cpu) + GDT_ENTRY_TLS_MIN);
28563 -
28564 -+#ifdef CONFIG_PAX_KERNEXEC
28565 -+ unsigned long cr0;
28566 -+
28567 -+ pax_open_kernel(cr0);
28568 -+#endif
28569 -+
28570 - for (i = 0; i < GDT_ENTRY_TLS_ENTRIES; i++)
28571 - gdt[i] = t->tls_array[i];
28572 -+
28573 -+#ifdef CONFIG_PAX_KERNEXEC
28574 -+ pax_close_kernel(cr0);
28575 -+#endif
28576 -+
28577 - }
28578 -
28579 - /*
28580 -@@ -197,7 +236,7 @@ static inline void load_LDT(mm_context_t
28581 - put_cpu();
28582 - }
28583 -
28584 --extern struct desc_ptr idt_descr;
28585 -+extern const struct desc_ptr idt_descr;
28586 -
28587 - #endif /* !__ASSEMBLY__ */
28588 -
28589 -diff -urNp linux-2.6.24.4/include/asm-x86/elf.h linux-2.6.24.4/include/asm-x86/elf.h
28590 ---- linux-2.6.24.4/include/asm-x86/elf.h 2008-03-24 14:49:18.000000000 -0400
28591 -+++ linux-2.6.24.4/include/asm-x86/elf.h 2008-03-26 17:56:56.000000000 -0400
28592 -@@ -206,7 +206,25 @@ extern int vdso_enabled;
28593 - the loader. We need to make sure that it is out of the way of the program
28594 - that it will "exec", and that there is sufficient room for the brk. */
28595 -
28596 -+#ifdef CONFIG_PAX_SEGMEXEC
28597 -+#define ELF_ET_DYN_BASE ((current->mm->pax_flags & MF_PAX_SEGMEXEC) ? SEGMEXEC_TASK_SIZE/3*2 : TASK_SIZE/3*2)
28598 -+#else
28599 - #define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
28600 -+#endif
28601 -+
28602 -+#ifdef CONFIG_PAX_ASLR
28603 -+#ifdef CONFIG_X86_32
28604 -+#define PAX_ELF_ET_DYN_BASE 0x10000000UL
28605 -+
28606 -+#define PAX_DELTA_MMAP_LEN (current->mm->pax_flags & MF_PAX_SEGMEXEC ? 15 : 16)
28607 -+#define PAX_DELTA_STACK_LEN (current->mm->pax_flags & MF_PAX_SEGMEXEC ? 15 : 16)
28608 -+#else
28609 -+#define PAX_ELF_ET_DYN_BASE 0x400000UL
28610 -+
28611 -+#define PAX_DELTA_MMAP_LEN 32
28612 -+#define PAX_DELTA_STACK_LEN 32
28613 -+#endif
28614 -+#endif
28615 -
28616 - /* This yields a mask that user programs can use to figure out what
28617 - instruction set this CPU supports. This could be done in user space,
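Review bot: `PAX_DELTA_MMAP_LEN` and `PAX_DELTA_STACK_LEN` rely on `&` binding tighter than `?:` in `current->mm->pax_flags & MF_PAX_SEGMEXEC ? 15 : 16`, whereas `ELF_ET_DYN_BASE` a few lines up parenthesises the same test; use the parenthesised form in all three. The 15/16/32 values and `PAX_ELF_ET_DYN_BASE` are also bare numbers: a comment stating their unit and why a SEGMEXEC task on 32-bit gets one less than a normal task (it has half the address space) would make the ASLR parameters auditable.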
28618 -@@ -246,7 +264,7 @@ extern int dump_task_extended_fpu (struc
28619 - #define ELF_CORE_XFPREG_TYPE NT_PRXFPREG
28620 -
28621 - #define VDSO_HIGH_BASE (__fix_to_virt(FIX_VDSO))
28622 --#define VDSO_CURRENT_BASE ((unsigned long)current->mm->context.vdso)
28623 -+#define VDSO_CURRENT_BASE (current->mm->context.vdso)
28624 - #define VDSO_PRELINK 0
28625 -
28626 - #define VDSO_SYM(x) \
28627 -@@ -274,7 +292,7 @@ do if (vdso_enabled) { \
28628 -
28629 - #define ARCH_DLINFO \
28630 - do if (vdso_enabled) { \
28631 -- NEW_AUX_ENT(AT_SYSINFO_EHDR,(unsigned long)current->mm->context.vdso);\
28632 -+ NEW_AUX_ENT(AT_SYSINFO_EHDR, current->mm->context.vdso);\
28633 - } while (0)
28634 -
28635 - #endif /* !CONFIG_X86_32 */
28636 -diff -urNp linux-2.6.24.4/include/asm-x86/futex_32.h linux-2.6.24.4/include/asm-x86/futex_32.h
28637 ---- linux-2.6.24.4/include/asm-x86/futex_32.h 2008-03-24 14:49:18.000000000 -0400
28638 -+++ linux-2.6.24.4/include/asm-x86/futex_32.h 2008-03-26 17:56:56.000000000 -0400
28639 -@@ -11,8 +11,11 @@
28640 -
28641 - #define __futex_atomic_op1(insn, ret, oldval, uaddr, oparg) \
28642 - __asm__ __volatile ( \
28643 -+ "movw %w6, %%ds\n"\
28644 - "1: " insn "\n" \
28645 --"2: .section .fixup,\"ax\"\n\
28646 -+"2: pushl %%ss\n\
28647 -+ popl %%ds\n\
28648 -+ .section .fixup,\"ax\"\n\
28649 - 3: mov %3, %1\n\
28650 - jmp 2b\n\
28651 - .previous\n\
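Review bot: in `__futex_atomic_op1()` the fixup stub at `3:` executes before control returns to `2:`, i.e. while `%ds` still holds `__USER_DS`; this is safe only because `mov %3, %1` is a register-to-register move. Add a comment saying the fixup must not touch memory through `%ds`, so a later edit does not break it; the same applies to the `4:` stub in `__futex_atomic_op2()` and the `3:` stub in `futex_atomic_cmpxchg_inatomic()` below. The operand number `%w6` does line up with the appended `"r" (__USER_DS)` input.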
28652 -@@ -21,16 +24,19 @@
28653 - .long 1b,3b\n\
28654 - .previous" \
28655 - : "=r" (oldval), "=r" (ret), "+m" (*uaddr) \
28656 -- : "i" (-EFAULT), "0" (oparg), "1" (0))
28657 -+ : "i" (-EFAULT), "0" (oparg), "1" (0), "r" (__USER_DS))
28658 -
28659 - #define __futex_atomic_op2(insn, ret, oldval, uaddr, oparg) \
28660 - __asm__ __volatile ( \
28661 --"1: movl %2, %0\n\
28662 -+" movw %w7, %%es\n\
28663 -+1: movl %%es:%2, %0\n\
28664 - movl %0, %3\n" \
28665 - insn "\n" \
28666 --"2: lock ; cmpxchgl %3, %2\n\
28667 -+"2: lock ; cmpxchgl %3, %%es:%2\n\
28668 - jnz 1b\n\
28669 --3: .section .fixup,\"ax\"\n\
28670 -+3: pushl %%ss\n\
28671 -+ popl %%es\n\
28672 -+ .section .fixup,\"ax\"\n\
28673 - 4: mov %5, %1\n\
28674 - jmp 3b\n\
28675 - .previous\n\
28676 -@@ -40,10 +46,10 @@
28677 - .previous" \
28678 - : "=&a" (oldval), "=&r" (ret), "+m" (*uaddr), \
28679 - "=&r" (tem) \
28680 -- : "r" (oparg), "i" (-EFAULT), "1" (0))
28681 -+ : "r" (oparg), "i" (-EFAULT), "1" (0), "r" (__USER_DS))
28682 -
28683 - static inline int
28684 --futex_atomic_op_inuser (int encoded_op, int __user *uaddr)
28685 -+futex_atomic_op_inuser (int encoded_op, u32 __user *uaddr)
28686 - {
28687 - int op = (encoded_op >> 28) & 7;
28688 - int cmp = (encoded_op >> 24) & 15;
28689 -@@ -59,7 +65,7 @@ futex_atomic_op_inuser (int encoded_op,
28690 - pagefault_disable();
28691 -
28692 - if (op == FUTEX_OP_SET)
28693 -- __futex_atomic_op1("xchgl %0, %2", ret, oldval, uaddr, oparg);
28694 -+ __futex_atomic_op1("xchgl %0, %%ds:%2", ret, oldval, uaddr, oparg);
28695 - else {
28696 - #ifndef CONFIG_X86_BSWAP
28697 - if (boot_cpu_data.x86 == 3)
28698 -@@ -68,7 +74,7 @@ futex_atomic_op_inuser (int encoded_op,
28699 - #endif
28700 - switch (op) {
28701 - case FUTEX_OP_ADD:
28702 -- __futex_atomic_op1("lock ; xaddl %0, %2", ret,
28703 -+ __futex_atomic_op1("lock ; xaddl %0, %%ds:%2", ret,
28704 - oldval, uaddr, oparg);
28705 - break;
28706 - case FUTEX_OP_OR:
28707 -@@ -105,15 +111,17 @@ futex_atomic_op_inuser (int encoded_op,
28708 - }
28709 -
28710 - static inline int
28711 --futex_atomic_cmpxchg_inatomic(int __user *uaddr, int oldval, int newval)
28712 -+futex_atomic_cmpxchg_inatomic(u32 __user *uaddr, int oldval, int newval)
28713 - {
28714 - if (!access_ok(VERIFY_WRITE, uaddr, sizeof(int)))
28715 - return -EFAULT;
28716 -
28717 - __asm__ __volatile__(
28718 -- "1: lock ; cmpxchgl %3, %1 \n"
28719 --
28720 -- "2: .section .fixup, \"ax\" \n"
28721 -+ " movw %w5, %%ds \n"
28722 -+ "1: lock ; cmpxchgl %3, %%ds:%1 \n"
28723 -+ "2: pushl %%ss \n"
28724 -+ " popl %%ds \n"
28725 -+ " .section .fixup, \"ax\" \n"
28726 - "3: mov %2, %0 \n"
28727 - " jmp 2b \n"
28728 - " .previous \n"
28729 -@@ -124,7 +132,7 @@ futex_atomic_cmpxchg_inatomic(int __user
28730 - " .previous \n"
28731 -
28732 - : "=a" (oldval), "+m" (*uaddr)
28733 -- : "i" (-EFAULT), "r" (newval), "0" (oldval)
28734 -+ : "i" (-EFAULT), "r" (newval), "0" (oldval), "r" (__USER_DS)
28735 - : "memory"
28736 - );
28737 -
28738 -diff -urNp linux-2.6.24.4/include/asm-x86/futex_64.h linux-2.6.24.4/include/asm-x86/futex_64.h
28739 ---- linux-2.6.24.4/include/asm-x86/futex_64.h 2008-03-24 14:49:18.000000000 -0400
28740 -+++ linux-2.6.24.4/include/asm-x86/futex_64.h 2008-03-26 17:56:56.000000000 -0400
28741 -@@ -42,7 +42,7 @@
28742 - : "r" (oparg), "i" (-EFAULT), "m" (*uaddr), "1" (0))
28743 -
28744 - static inline int
28745 --futex_atomic_op_inuser (int encoded_op, int __user *uaddr)
28746 -+futex_atomic_op_inuser (int encoded_op, u32 __user *uaddr)
28747 - {
28748 - int op = (encoded_op >> 28) & 7;
28749 - int cmp = (encoded_op >> 24) & 15;
28750 -@@ -95,7 +95,7 @@ futex_atomic_op_inuser (int encoded_op,
28751 - }
28752 -
28753 - static inline int
28754 --futex_atomic_cmpxchg_inatomic(int __user *uaddr, int oldval, int newval)
28755 -+futex_atomic_cmpxchg_inatomic(u32 __user *uaddr, int oldval, int newval)
28756 - {
28757 - if (!access_ok(VERIFY_WRITE, uaddr, sizeof(int)))
28758 - return -EFAULT;
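Review bot: `uaddr` is now `u32 __user *` in both `futex_atomic_op_inuser()` and `futex_atomic_cmpxchg_inatomic()`, but `access_ok(VERIFY_WRITE, uaddr, sizeof(int))` still hard-codes `int`; use `sizeof(*uaddr)` so the range check follows the pointer type. The 32-bit `futex_atomic_cmpxchg_inatomic()` in `futex_32.h` has the same leftover.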
28759 -diff -urNp linux-2.6.24.4/include/asm-x86/i387_32.h linux-2.6.24.4/include/asm-x86/i387_32.h
28760 ---- linux-2.6.24.4/include/asm-x86/i387_32.h 2008-03-24 14:49:18.000000000 -0400
28761 -+++ linux-2.6.24.4/include/asm-x86/i387_32.h 2008-03-26 17:56:56.000000000 -0400
28762 -@@ -40,13 +40,8 @@ extern void kernel_fpu_begin(void);
28763 - #define kernel_fpu_end() do { stts(); preempt_enable(); } while(0)
28764 -
28765 - /* We need a safe address that is cheap to find and that is already
28766 -- in L1 during context switch. The best choices are unfortunately
28767 -- different for UP and SMP */
28768 --#ifdef CONFIG_SMP
28769 --#define safe_address (__per_cpu_offset[0])
28770 --#else
28771 --#define safe_address (kstat_cpu(0).cpustat.user)
28772 --#endif
28773 -+ in L1 during context switch. */
28774 -+#define safe_address (init_tss[smp_processor_id()].x86_tss.esp0)
28775 -
28776 - /*
28777 - * These must be called with preempt disabled
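Review bot: the new `safe_address` reads `init_tss[smp_processor_id()].x86_tss.esp0`, which is only meaningful while preemption is disabled; that matches the `These must be called with preempt disabled` comment just below, but the dependency should be stated at the definition itself. A line on why `__per_cpu_offset[0]` was dropped would also help, since the `percpu_32.h` hunk in this same patch changes what `__per_cpu_offset[]` holds.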
28778 -diff -urNp linux-2.6.24.4/include/asm-x86/io_64.h linux-2.6.24.4/include/asm-x86/io_64.h
28779 ---- linux-2.6.24.4/include/asm-x86/io_64.h 2008-03-24 14:49:18.000000000 -0400
28780 -+++ linux-2.6.24.4/include/asm-x86/io_64.h 2008-03-26 17:56:56.000000000 -0400
28781 -@@ -120,6 +120,17 @@ static inline void * phys_to_virt(unsign
28782 - }
28783 - #endif
28784 -
28785 -+#define ARCH_HAS_VALID_PHYS_ADDR_RANGE
28786 -+static inline int valid_phys_addr_range (unsigned long addr, size_t count)
28787 -+{
28788 -+ return ((addr + count + PAGE_SIZE - 1) >> PAGE_SHIFT) < (1 << (boot_cpu_data.x86_phys_bits - PAGE_SHIFT)) ? 1 : 0;
28789 -+}
28790 -+
28791 -+static inline int valid_mmap_phys_addr_range (unsigned long pfn, size_t count)
28792 -+{
28793 -+ return (pfn + (count >> PAGE_SHIFT)) < (1 << (boot_cpu_data.x86_phys_bits - PAGE_SHIFT)) ? 1 : 0;
28794 -+}
28795 -+
28796 - /*
28797 - * Change "struct page" to physical address.
28798 - */
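Review bot: `valid_phys_addr_range()` computes `addr + count + PAGE_SIZE - 1` with no overflow check, so a caller-controlled `count` that wraps `addr + count` past zero passes the range test; add an `addr + count < addr` rejection (and the equivalent check on `pfn + (count >> PAGE_SHIFT)` in `valid_mmap_phys_addr_range()`). The bound `(1 << (boot_cpu_data.x86_phys_bits - PAGE_SHIFT))` is also an `int` shift: with 48 physical address bits and `PAGE_SHIFT` 12 it becomes `1 << 36`, which overflows; use `1UL`.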
28799 -diff -urNp linux-2.6.24.4/include/asm-x86/irqflags_32.h linux-2.6.24.4/include/asm-x86/irqflags_32.h
28800 ---- linux-2.6.24.4/include/asm-x86/irqflags_32.h 2008-03-24 14:49:18.000000000 -0400
28801 -+++ linux-2.6.24.4/include/asm-x86/irqflags_32.h 2008-03-26 17:56:56.000000000 -0400
28802 -@@ -108,6 +108,8 @@ static inline unsigned long __raw_local_
28803 - #define ENABLE_INTERRUPTS_SYSEXIT sti; sysexit
28804 - #define INTERRUPT_RETURN iret
28805 - #define GET_CR0_INTO_EAX movl %cr0, %eax
28806 -+#define GET_CR0_INTO_EDX movl %cr0, %edx
28807 -+#define SET_CR0_FROM_EDX movl %edx, %cr0
28808 - #endif /* __ASSEMBLY__ */
28809 - #endif /* CONFIG_PARAVIRT */
28810 -
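Review bot: `GET_CR0_INTO_EDX` / `SET_CR0_FROM_EDX` are added only on the non-`CONFIG_PARAVIRT` side of this header; the `paravirt.h` hunk later in the patch shows `GET_CR0_INTO_EAX` but no EDX counterparts, so either they are added beyond the lines shown or a `CONFIG_PARAVIRT` build fails wherever entry code uses them. Confirm, and since `SET_CR0_FROM_EDX` rewrites CR0 (the register holding the write-protect bit), document the clobber expectations of both macros.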
28811 -diff -urNp linux-2.6.24.4/include/asm-x86/kmap_types.h linux-2.6.24.4/include/asm-x86/kmap_types.h
28812 ---- linux-2.6.24.4/include/asm-x86/kmap_types.h 2008-03-24 14:49:18.000000000 -0400
28813 -+++ linux-2.6.24.4/include/asm-x86/kmap_types.h 2008-03-26 17:56:56.000000000 -0400
28814 -@@ -21,7 +21,8 @@ D(9) KM_IRQ0,
28815 - D(10) KM_IRQ1,
28816 - D(11) KM_SOFTIRQ0,
28817 - D(12) KM_SOFTIRQ1,
28818 --D(13) KM_TYPE_NR
28819 -+D(13) KM_CLEARPAGE,
28820 -+D(14) KM_TYPE_NR
28821 - };
28822 -
28823 - #undef D
28824 -diff -urNp linux-2.6.24.4/include/asm-x86/mach-default/apm.h linux-2.6.24.4/include/asm-x86/mach-default/apm.h
28825 ---- linux-2.6.24.4/include/asm-x86/mach-default/apm.h 2008-03-24 14:49:18.000000000 -0400
28826 -+++ linux-2.6.24.4/include/asm-x86/mach-default/apm.h 2008-03-26 17:56:56.000000000 -0400
28827 -@@ -36,7 +36,7 @@ static inline void apm_bios_call_asm(u32
28828 - __asm__ __volatile__(APM_DO_ZERO_SEGS
28829 - "pushl %%edi\n\t"
28830 - "pushl %%ebp\n\t"
28831 -- "lcall *%%cs:apm_bios_entry\n\t"
28832 -+ "lcall *%%ss:apm_bios_entry\n\t"
28833 - "setc %%al\n\t"
28834 - "popl %%ebp\n\t"
28835 - "popl %%edi\n\t"
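Review bot: changing `lcall *%%cs:apm_bios_entry` to `*%%ss:apm_bios_entry` switches the memory operand from a code-segment-relative to a stack-segment-relative address; that is required once kernel text and data no longer share a linear base (see `KERNEL_TEXT_OFFSET` and `ktla_ktva()` in the `page_32.h` hunk), but nothing at the site says so. Add a comment, because the same `%cs:` to `%ss:` substitution recurs in the second hunk of this file and throughout `paravirt.h`, and the reason is non-obvious.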
28836 -@@ -60,7 +60,7 @@ static inline u8 apm_bios_call_simple_as
28837 - __asm__ __volatile__(APM_DO_ZERO_SEGS
28838 - "pushl %%edi\n\t"
28839 - "pushl %%ebp\n\t"
28840 -- "lcall *%%cs:apm_bios_entry\n\t"
28841 -+ "lcall *%%ss:apm_bios_entry\n\t"
28842 - "setc %%bl\n\t"
28843 - "popl %%ebp\n\t"
28844 - "popl %%edi\n\t"
28845 -diff -urNp linux-2.6.24.4/include/asm-x86/mman.h linux-2.6.24.4/include/asm-x86/mman.h
28846 ---- linux-2.6.24.4/include/asm-x86/mman.h 2008-03-24 14:49:18.000000000 -0400
28847 -+++ linux-2.6.24.4/include/asm-x86/mman.h 2008-03-26 17:56:56.000000000 -0400
28848 -@@ -16,4 +16,14 @@
28849 - #define MCL_CURRENT 1 /* lock all current mappings */
28850 - #define MCL_FUTURE 2 /* lock all future mappings */
28851 -
28852 -+#ifdef __KERNEL__
28853 -+#ifndef __ASSEMBLY__
28854 -+#ifdef CONFIG_X86_32
28855 -+#define arch_mmap_check i386_mmap_check
28856 -+int i386_mmap_check(unsigned long addr, unsigned long len,
28857 -+ unsigned long flags);
28858 -+#endif
28859 -+#endif
28860 -+#endif
28861 -+
28862 - #endif /* _ASM_X86_MMAN_H */
28863 -diff -urNp linux-2.6.24.4/include/asm-x86/mmu_context_32.h linux-2.6.24.4/include/asm-x86/mmu_context_32.h
28864 ---- linux-2.6.24.4/include/asm-x86/mmu_context_32.h 2008-03-24 14:49:18.000000000 -0400
28865 -+++ linux-2.6.24.4/include/asm-x86/mmu_context_32.h 2008-03-26 17:56:56.000000000 -0400
28866 -@@ -57,6 +57,22 @@ static inline void switch_mm(struct mm_s
28867 - */
28868 - if (unlikely(prev->context.ldt != next->context.ldt))
28869 - load_LDT_nolock(&next->context);
28870 -+
28871 -+#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP)
28872 -+ if (!nx_enabled) {
28873 -+ smp_mb__before_clear_bit();
28874 -+ cpu_clear(cpu, prev->context.cpu_user_cs_mask);
28875 -+ smp_mb__after_clear_bit();
28876 -+ cpu_set(cpu, next->context.cpu_user_cs_mask);
28877 -+ }
28878 -+#endif
28879 -+
28880 -+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
28881 -+ if (unlikely(prev->context.user_cs_base != next->context.user_cs_base ||
28882 -+ prev->context.user_cs_limit != next->context.user_cs_limit))
28883 -+ set_user_cs(next->context.user_cs_base, next->context.user_cs_limit, cpu);
28884 -+#endif
28885 -+
28886 - }
28887 - #ifdef CONFIG_SMP
28888 - else {
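Review bot: in this `switch_mm()` hunk `set_user_cs()` is called whenever base or limit differ, while the second hunk (the `else` branch for the same-mm case) skips it when `(next->pax_flags & MF_PAX_PAGEEXEC) && nx_enabled`; the two branches should agree, or a comment should explain why the NX-backed PAGEEXEC case still needs the CS reload here. The `cpu_user_cs_mask` update is likewise only under `!nx_enabled`, so a CPU that switched with NX enabled is never recorded in the mask; state whether that is intentional.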
28889 -@@ -69,6 +85,19 @@ static inline void switch_mm(struct mm_s
28890 - */
28891 - load_cr3(next->pgd);
28892 - load_LDT_nolock(&next->context);
28893 -+
28894 -+#ifdef CONFIG_PAX_PAGEEXEC
28895 -+ if (!nx_enabled)
28896 -+ cpu_set(cpu, next->context.cpu_user_cs_mask);
28897 -+#endif
28898 -+
28899 -+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
28900 -+#ifdef CONFIG_PAX_PAGEEXEC
28901 -+ if (!((next->pax_flags & MF_PAX_PAGEEXEC) && nx_enabled))
28902 -+#endif
28903 -+ set_user_cs(next->context.user_cs_base, next->context.user_cs_limit, cpu);
28904 -+#endif
28905 -+
28906 - }
28907 - }
28908 - #endif
28909 -diff -urNp linux-2.6.24.4/include/asm-x86/mmu.h linux-2.6.24.4/include/asm-x86/mmu.h
28910 ---- linux-2.6.24.4/include/asm-x86/mmu.h 2008-03-24 14:49:18.000000000 -0400
28911 -+++ linux-2.6.24.4/include/asm-x86/mmu.h 2008-03-26 17:56:56.000000000 -0400
28912 -@@ -11,13 +11,26 @@
28913 - * cpu_vm_mask is used to optimize ldt flushing.
28914 - */
28915 - typedef struct {
28916 -- void *ldt;
28917 -+ struct desc_struct *ldt;
28918 - #ifdef CONFIG_X86_64
28919 - rwlock_t ldtlock;
28920 - #endif
28921 - int size;
28922 - struct mutex lock;
28923 -- void *vdso;
28924 -+ unsigned long vdso;
28925 -+
28926 -+#ifdef CONFIG_X86_32
28927 -+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
28928 -+ unsigned long user_cs_base;
28929 -+ unsigned long user_cs_limit;
28930 -+
28931 -+#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP)
28932 -+ cpumask_t cpu_user_cs_mask;
28933 -+#endif
28934 -+
28935 -+#endif
28936 -+#endif
28937 -+
28938 - } mm_context_t;
28939 -
28940 - #endif /* _ASM_X86_MMU_H */
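Review bot: `vdso` changes from `void *` to `unsigned long` and `ldt` from `void *` to `struct desc_struct *`; the `elf.h` hunk updates `VDSO_CURRENT_BASE` and `ARCH_DLINFO` for the first change, but every other user of `context.vdso` and `context.ldt` (the vdso mapping code, LDT allocation and teardown) must follow and none appears here. `user_cs_base` / `user_cs_limit` also need a comment on their invariant, as they drive the GDT rewrite in `switch_mm()`.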
28941 -diff -urNp linux-2.6.24.4/include/asm-x86/module_32.h linux-2.6.24.4/include/asm-x86/module_32.h
28942 ---- linux-2.6.24.4/include/asm-x86/module_32.h 2008-03-24 14:49:18.000000000 -0400
28943 -+++ linux-2.6.24.4/include/asm-x86/module_32.h 2008-03-26 17:56:56.000000000 -0400
28944 -@@ -70,6 +70,12 @@ struct mod_arch_specific
28945 - #define MODULE_STACKSIZE ""
28946 - #endif
28947 -
28948 --#define MODULE_ARCH_VERMAGIC MODULE_PROC_FAMILY MODULE_STACKSIZE
28949 -+#ifdef CONFIG_GRKERNSEC
28950 -+#define MODULE_GRSEC "GRSECURITY "
28951 -+#else
28952 -+#define MODULE_GRSEC ""
28953 -+#endif
28954 -+
28955 -+#define MODULE_ARCH_VERMAGIC MODULE_PROC_FAMILY MODULE_STACKSIZE MODULE_GRSEC
28956 -
28957 - #endif /* _ASM_I386_MODULE_H */
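Review bot: appending `MODULE_GRSEC` to `MODULE_ARCH_VERMAGIC` makes the vermagic string differ between grsecurity and vanilla builds, so a module compiled against an otherwise identical non-grsec tree is refused instead of being loaded into a kernel whose `mm_context_t` and descriptor layouts this patch changed. That is the right default, but it should be stated in a comment at the define, and no matching `module_64.h` hunk appears in this patch.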
28958 -diff -urNp linux-2.6.24.4/include/asm-x86/page_32.h linux-2.6.24.4/include/asm-x86/page_32.h
28959 ---- linux-2.6.24.4/include/asm-x86/page_32.h 2008-03-24 14:49:18.000000000 -0400
28960 -+++ linux-2.6.24.4/include/asm-x86/page_32.h 2008-03-26 17:56:56.000000000 -0400
28961 -@@ -90,7 +90,6 @@ static inline pte_t native_make_pte(unsi
28962 - typedef struct { unsigned long pte_low; } pte_t;
28963 - typedef struct { unsigned long pgd; } pgd_t;
28964 - typedef struct { unsigned long pgprot; } pgprot_t;
28965 --#define boot_pte_t pte_t /* or would you rather have a typedef */
28966 -
28967 - static inline unsigned long native_pgd_val(pgd_t pgd)
28968 - {
28969 -@@ -175,6 +174,18 @@ extern int page_is_ram(unsigned long pag
28970 - #define __PAGE_OFFSET ((unsigned long)CONFIG_PAGE_OFFSET)
28971 - #endif
28972 -
28973 -+#ifdef CONFIG_PAX_KERNEXEC
28974 -+#ifndef __ASSEMBLY__
28975 -+extern unsigned char MODULES_VADDR[];
28976 -+extern unsigned char MODULES_END[];
28977 -+extern unsigned char KERNEL_TEXT_OFFSET[];
28978 -+#define ktla_ktva(addr) (addr + (unsigned long)KERNEL_TEXT_OFFSET)
28979 -+#define ktva_ktla(addr) (addr - (unsigned long)KERNEL_TEXT_OFFSET)
28980 -+#endif
28981 -+#else
28982 -+#define ktla_ktva(addr) (addr)
28983 -+#define ktva_ktla(addr) (addr)
28984 -+#endif
28985 -
28986 - #define PAGE_OFFSET ((unsigned long)__PAGE_OFFSET)
28987 - #define VMALLOC_RESERVE ((unsigned long)__VMALLOC_RESERVE)
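Review bot: `ktla_ktva(addr)` and `ktva_ktla(addr)` expand to `(addr + (unsigned long)KERNEL_TEXT_OFFSET)` without parentheses around `addr`, so an argument such as `a ? b : c` binds wrongly; write `((addr) + ...)`. `MODULES_VADDR`, `MODULES_END` and `KERNEL_TEXT_OFFSET` are declared as `unsigned char []`, the usual idiom for linker-script symbols, but a comment saying they come from the linker script and that `KERNEL_TEXT_OFFSET` is the delta between the linear and virtual address of kernel text would spare the next reader a grep.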
28988 -@@ -197,6 +208,10 @@ extern int page_is_ram(unsigned long pag
28989 - ((current->personality & READ_IMPLIES_EXEC) ? VM_EXEC : 0 ) | \
28990 - VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
28991 -
28992 -+#ifdef CONFIG_PAX_PAGEEXEC
28993 -+#define CONFIG_ARCH_TRACK_EXEC_LIMIT 1
28994 -+#endif
28995 -+
28996 - #include <asm-generic/memory_model.h>
28997 - #include <asm-generic/page.h>
28998 -
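Review bot: `#define CONFIG_ARCH_TRACK_EXEC_LIMIT 1` defines a `CONFIG_` symbol from a header instead of Kconfig, so `.config` and `autoconf.h` do not know about it and any code that tests it before including this header sees it undefined; make it a Kconfig option selected by `PAX_PAGEEXEC`, or drop the `CONFIG_` prefix.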
28999 -diff -urNp linux-2.6.24.4/include/asm-x86/page_64.h linux-2.6.24.4/include/asm-x86/page_64.h
29000 ---- linux-2.6.24.4/include/asm-x86/page_64.h 2008-03-24 14:49:18.000000000 -0400
29001 -+++ linux-2.6.24.4/include/asm-x86/page_64.h 2008-03-26 17:56:56.000000000 -0400
29002 -@@ -94,6 +94,9 @@ extern unsigned long phys_base;
29003 - #define __START_KERNEL_map _AC(0xffffffff80000000, UL)
29004 - #define __PAGE_OFFSET _AC(0xffff810000000000, UL)
29005 -
29006 -+#define ktla_ktva(addr) (addr)
29007 -+#define ktva_ktla(addr) (addr)
29008 -+
29009 - /* to align the pointer to the (next) page boundary */
29010 - #define PAGE_ALIGN(addr) (((addr)+PAGE_SIZE-1)&PAGE_MASK)
29011 -
29012 -diff -urNp linux-2.6.24.4/include/asm-x86/paravirt.h linux-2.6.24.4/include/asm-x86/paravirt.h
29013 ---- linux-2.6.24.4/include/asm-x86/paravirt.h 2008-03-24 14:49:18.000000000 -0400
29014 -+++ linux-2.6.24.4/include/asm-x86/paravirt.h 2008-03-26 17:56:56.000000000 -0400
29015 -@@ -1124,23 +1124,23 @@ static inline unsigned long __raw_local_
29016 -
29017 - #define INTERRUPT_RETURN \
29018 - PARA_SITE(PARA_PATCH(pv_cpu_ops, PV_CPU_iret), CLBR_NONE, \
29019 -- jmp *%cs:pv_cpu_ops+PV_CPU_iret)
29020 -+ jmp *%ss:pv_cpu_ops+PV_CPU_iret)
29021 -
29022 - #define DISABLE_INTERRUPTS(clobbers) \
29023 - PARA_SITE(PARA_PATCH(pv_irq_ops, PV_IRQ_irq_disable), clobbers, \
29024 - pushl %eax; pushl %ecx; pushl %edx; \
29025 -- call *%cs:pv_irq_ops+PV_IRQ_irq_disable; \
29026 -+ call *%ss:pv_irq_ops+PV_IRQ_irq_disable; \
29027 - popl %edx; popl %ecx; popl %eax) \
29028 -
29029 - #define ENABLE_INTERRUPTS(clobbers) \
29030 - PARA_SITE(PARA_PATCH(pv_irq_ops, PV_IRQ_irq_enable), clobbers, \
29031 - pushl %eax; pushl %ecx; pushl %edx; \
29032 -- call *%cs:pv_irq_ops+PV_IRQ_irq_enable; \
29033 -+ call *%ss:pv_irq_ops+PV_IRQ_irq_enable; \
29034 - popl %edx; popl %ecx; popl %eax)
29035 -
29036 - #define ENABLE_INTERRUPTS_SYSEXIT \
29037 - PARA_SITE(PARA_PATCH(pv_cpu_ops, PV_CPU_irq_enable_sysexit), CLBR_NONE,\
29038 -- jmp *%cs:pv_cpu_ops+PV_CPU_irq_enable_sysexit)
29039 -+ jmp *%ss:pv_cpu_ops+PV_CPU_irq_enable_sysexit)
29040 -
29041 - #define GET_CR0_INTO_EAX \
29042 - push %ecx; push %edx; \
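Review bot: the `%cs:` to `%ss:` overrides in `INTERRUPT_RETURN`, `DISABLE_INTERRUPTS`, `ENABLE_INTERRUPTS` and `ENABLE_INTERRUPTS_SYSEXIT` mirror the `apm.h` change and need the same one-line justification; these `PARA_SITE` sequences are what runs until paravirt patching replaces them, so a wrong segment override here faults very early in boot.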
29043 -diff -urNp linux-2.6.24.4/include/asm-x86/pda.h linux-2.6.24.4/include/asm-x86/pda.h
29044 ---- linux-2.6.24.4/include/asm-x86/pda.h 2008-03-24 14:49:18.000000000 -0400
29045 -+++ linux-2.6.24.4/include/asm-x86/pda.h 2008-03-26 17:56:56.000000000 -0400
29046 -@@ -16,11 +16,9 @@ struct x8664_pda {
29047 - unsigned long oldrsp; /* 24 user rsp for system call */
29048 - int irqcount; /* 32 Irq nesting counter. Starts with -1 */
29049 - int cpunumber; /* 36 Logical CPU number */
29050 --#ifdef CONFIG_CC_STACKPROTECTOR
29051 - unsigned long stack_canary; /* 40 stack canary value */
29052 - /* gcc-ABI: this canary MUST be at
29053 - offset 40!!! */
29054 --#endif
29055 - char *irqstackptr;
29056 - int nodenumber; /* number of current node */
29057 - unsigned int __softirq_pending;
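Review bot: making `stack_canary` unconditional fixes the `x8664_pda` layout so that offset 40 holds regardless of `CONFIG_CC_STACKPROTECTOR`, which the `gcc-ABI` comment requires; add a comment at the field saying it is present but only populated when the stack protector is compiled in, so nobody reads its presence as evidence that a canary is active.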
29058 -diff -urNp linux-2.6.24.4/include/asm-x86/percpu_32.h linux-2.6.24.4/include/asm-x86/percpu_32.h
29059 ---- linux-2.6.24.4/include/asm-x86/percpu_32.h 2008-03-24 14:49:18.000000000 -0400
29060 -+++ linux-2.6.24.4/include/asm-x86/percpu_32.h 2008-03-26 17:56:56.000000000 -0400
29061 -@@ -22,7 +22,7 @@
29062 - #define PER_CPU_VAR(var) %fs:per_cpu__##var
29063 - #else /* ! SMP */
29064 - #define PER_CPU(var, reg) \
29065 -- movl $per_cpu__##var, reg
29066 -+ movl per_cpu__##var, reg
29067 - #define PER_CPU_VAR(var) per_cpu__##var
29068 - #endif /* SMP */
29069 -
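Review bot: dropping the `$` in `movl $per_cpu__##var, reg` turns an immediate (the variable's address) into a memory operand (the variable's contents), which changes the semantics of `PER_CPU()` on UP builds. If that is intended because `per_cpu__*` symbols now denote offsets rather than addresses under this patch's per-cpu rework, every assembly user of `PER_CPU()` must be audited and the macro deserves a comment; if it is not intended, this is a bug.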
29070 -@@ -42,12 +42,12 @@
29071 - */
29072 - #ifdef CONFIG_SMP
29073 - /* Same as generic implementation except for optimized local access. */
29074 --#define __GENERIC_PER_CPU
29075 -
29076 - /* This is used for other cpus to find our section. */
29077 - extern unsigned long __per_cpu_offset[];
29078 -+extern void setup_per_cpu_areas(void);
29079 -
29080 --#define per_cpu_offset(x) (__per_cpu_offset[x])
29081 -+#define per_cpu_offset(x) (__per_cpu_offset[x] - (unsigned long)__per_cpu_start)
29082 -
29083 - /* Separate out the type, so (int[3], foo) works. */
29084 - #define DECLARE_PER_CPU(type, name) extern __typeof__(type) per_cpu__##name
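Review bot: the new `per_cpu_offset(x)` subtracts `__per_cpu_start`, but `per_cpu()` and `__raw_get_cpu_var()` in the next hunk still add the raw `__per_cpu_offset[cpu]` to `&per_cpu__##var`. That is only consistent if `&per_cpu__##var` is itself an offset (the per-cpu section linked at a zero base) while callers such as the `memcpy` in the last hunk pass real addresses inside the original section. Nothing in this header says so, and `__per_cpu_start` is used here without a visible declaration (normally `extern char __per_cpu_start[]` from asm-generic/sections.h); add a short comment on the two address bases and make sure the declaration is included, or a reader will take the mismatch for a bug.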
29085 -@@ -64,11 +64,11 @@ DECLARE_PER_CPU(unsigned long, this_cpu_
29086 -
29087 - /* var is in discarded region: offset to particular copy we want */
29088 - #define per_cpu(var, cpu) (*({ \
29089 -- extern int simple_indentifier_##var(void); \
29090 -+ extern int simple_identifier_##var(void); \
29091 - RELOC_HIDE(&per_cpu__##var, __per_cpu_offset[cpu]); }))
29092 -
29093 - #define __raw_get_cpu_var(var) (*({ \
29094 -- extern int simple_indentifier_##var(void); \
29095 -+ extern int simple_identifier_##var(void); \
29096 - RELOC_HIDE(&per_cpu__##var, x86_read_percpu(this_cpu_off)); \
29097 - }))
29098 -
29099 -@@ -79,7 +79,7 @@ DECLARE_PER_CPU(unsigned long, this_cpu_
29100 - do { \
29101 - unsigned int __i; \
29102 - for_each_possible_cpu(__i) \
29103 -- memcpy((pcpudst)+__per_cpu_offset[__i], \
29104 -+ memcpy((pcpudst)+per_cpu_offset(__i), \
29105 - (src), (size)); \
29106 - } while (0)
29107 -
29108 -diff -urNp linux-2.6.24.4/include/asm-x86/pgalloc_32.h linux-2.6.24.4/include/asm-x86/pgalloc_32.h
29109 ---- linux-2.6.24.4/include/asm-x86/pgalloc_32.h 2008-03-24 14:49:18.000000000 -0400
29110 -+++ linux-2.6.24.4/include/asm-x86/pgalloc_32.h 2008-03-26 17:56:56.000000000 -0400
29111 -@@ -15,11 +15,19 @@
29112 - #define paravirt_release_pd(pfn) do { } while (0)
29113 - #endif
29114 -
29115 -+#ifdef CONFIG_COMPAT_VDSO
29116 - #define pmd_populate_kernel(mm, pmd, pte) \
29117 - do { \
29118 - paravirt_alloc_pt(mm, __pa(pte) >> PAGE_SHIFT); \
29119 - set_pmd(pmd, __pmd(_PAGE_TABLE + __pa(pte))); \
29120 - } while (0)
29121 -+#else
29122 -+#define pmd_populate_kernel(mm, pmd, pte) \
29123 -+do { \
29124 -+ paravirt_alloc_pt(mm, __pa(pte) >> PAGE_SHIFT); \
29125 -+ set_pmd(pmd, __pmd(_KERNPG_TABLE + __pa(pte))); \
29126 -+} while (0)
29127 -+#endif
29128 -
29129 - #define pmd_populate(mm, pmd, pte) \
29130 - do { \
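Review bot: the two `pmd_populate_kernel` definitions differ only in `_PAGE_TABLE` versus `_KERNPG_TABLE`, so the `#ifdef CONFIG_COMPAT_VDSO` would read better as one definition with a conditionally chosen flag constant. More importantly, the reason COMPAT_VDSO still needs user-accessible (`_PAGE_USER`) kernel page tables is not stated; since the security effect of this hunk is precisely that kernel pmds no longer carry `_PAGE_USER`, the exception deserves a comment explaining what breaks without it.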
29131 -diff -urNp linux-2.6.24.4/include/asm-x86/pgalloc_64.h linux-2.6.24.4/include/asm-x86/pgalloc_64.h
29132 ---- linux-2.6.24.4/include/asm-x86/pgalloc_64.h 2008-03-24 14:49:18.000000000 -0400
29133 -+++ linux-2.6.24.4/include/asm-x86/pgalloc_64.h 2008-03-26 17:56:56.000000000 -0400
29134 -@@ -6,7 +6,7 @@
29135 - #include <linux/mm.h>
29136 -
29137 - #define pmd_populate_kernel(mm, pmd, pte) \
29138 -- set_pmd(pmd, __pmd(_PAGE_TABLE | __pa(pte)))
29139 -+ set_pmd(pmd, __pmd(_KERNPG_TABLE | __pa(pte)))
29140 - #define pud_populate(mm, pud, pmd) \
29141 - set_pud(pud, __pud(_PAGE_TABLE | __pa(pmd)))
29142 - #define pgd_populate(mm, pgd, pud) \
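Review bot: only `pmd_populate_kernel` is switched to `_KERNPG_TABLE`; `pud_populate` and `pgd_populate` directly below it still use `_PAGE_TABLE`, which keeps `_PAGE_USER` set on the upper levels. If that is intentional (user bits at pud/pgd level are needed for the user half of the tables), say so in a comment; if not, the same change belongs on all three so the kernel-only property holds at every level.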
29143 -diff -urNp linux-2.6.24.4/include/asm-x86/pgtable-2level.h linux-2.6.24.4/include/asm-x86/pgtable-2level.h
29144 ---- linux-2.6.24.4/include/asm-x86/pgtable-2level.h 2008-03-24 14:49:18.000000000 -0400
29145 -+++ linux-2.6.24.4/include/asm-x86/pgtable-2level.h 2008-03-26 17:56:56.000000000 -0400
29146 -@@ -22,7 +22,19 @@ static inline void native_set_pte_at(str
29147 - }
29148 - static inline void native_set_pmd(pmd_t *pmdp, pmd_t pmd)
29149 - {
29150 -+
29151 -+#ifdef CONFIG_PAX_KERNEXEC
29152 -+ unsigned long cr0;
29153 -+
29154 -+ pax_open_kernel(cr0);
29155 -+#endif
29156 -+
29157 - *pmdp = pmd;
29158 -+
29159 -+#ifdef CONFIG_PAX_KERNEXEC
29160 -+ pax_close_kernel(cr0);
29161 -+#endif
29162 -+
29163 - }
29164 - #ifndef CONFIG_PARAVIRT
29165 - #define set_pte(pteptr, pteval) native_set_pte(pteptr, pteval)
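Review bot: the `pax_open_kernel(cr0)` / `pax_close_kernel(cr0)` pair around `*pmdp = pmd` clears CR0.WP for a single store, and the surrounding scaffolding (blank lines, two separate `#ifdef CONFIG_PAX_KERNEXEC` blocks) is repeated verbatim in `clone_pgd_range`, the pgtable-3level.h `native_set_pmd`/`native_set_pud` and the pgtable_64.h `set_pmd` hunks below, five copies in all. A small wrapper (open, store, close) would make it harder to forget the close on a future early return and keep the window as short as possible.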
29166 -diff -urNp linux-2.6.24.4/include/asm-x86/pgtable_32.h linux-2.6.24.4/include/asm-x86/pgtable_32.h
29167 ---- linux-2.6.24.4/include/asm-x86/pgtable_32.h 2008-03-24 14:49:18.000000000 -0400
29168 -+++ linux-2.6.24.4/include/asm-x86/pgtable_32.h 2008-03-26 17:56:56.000000000 -0400
29169 -@@ -31,7 +31,6 @@ struct vm_area_struct;
29170 - */
29171 - #define ZERO_PAGE(vaddr) (virt_to_page(empty_zero_page))
29172 - extern unsigned long empty_zero_page[1024];
29173 --extern pgd_t swapper_pg_dir[1024];
29174 - extern struct kmem_cache *pmd_cache;
29175 - extern spinlock_t pgd_lock;
29176 - extern struct page *pgd_list;
29177 -@@ -55,6 +54,11 @@ void paging_init(void);
29178 - # include <asm/pgtable-2level-defs.h>
29179 - #endif
29180 -
29181 -+extern pgd_t swapper_pg_dir[PTRS_PER_PGD];
29182 -+#ifdef CONFIG_X86_PAE
29183 -+extern pmd_t swapper_pm_dir[PTRS_PER_PGD][PTRS_PER_PMD];
29184 -+#endif
29185 -+
29186 - #define PGDIR_SIZE (1UL << PGDIR_SHIFT)
29187 - #define PGDIR_MASK (~(PGDIR_SIZE-1))
29188 -
29189 -@@ -64,9 +68,11 @@ void paging_init(void);
29190 - #define USER_PGD_PTRS (PAGE_OFFSET >> PGDIR_SHIFT)
29191 - #define KERNEL_PGD_PTRS (PTRS_PER_PGD-USER_PGD_PTRS)
29192 -
29193 -+#ifndef CONFIG_X86_PAE
29194 - #define TWOLEVEL_PGDIR_SHIFT 22
29195 - #define BOOT_USER_PGD_PTRS (__PAGE_OFFSET >> TWOLEVEL_PGDIR_SHIFT)
29196 - #define BOOT_KERNEL_PGD_PTRS (1024-BOOT_USER_PGD_PTRS)
29197 -+#endif
29198 -
29199 - /* Just any arbitrary offset to the start of the vmalloc VM area: the
29200 - * current 8MB value just means that there will be a 8MB "hole" after the
29201 -@@ -133,7 +139,7 @@ void paging_init(void);
29202 - #define PAGE_NONE \
29203 - __pgprot(_PAGE_PROTNONE | _PAGE_ACCESSED)
29204 - #define PAGE_SHARED \
29205 -- __pgprot(_PAGE_PRESENT | _PAGE_RW | _PAGE_USER | _PAGE_ACCESSED)
29206 -+ __pgprot(_PAGE_PRESENT | _PAGE_RW | _PAGE_USER | _PAGE_ACCESSED | _PAGE_NX)
29207 -
29208 - #define PAGE_SHARED_EXEC \
29209 - __pgprot(_PAGE_PRESENT | _PAGE_RW | _PAGE_USER | _PAGE_ACCESSED)
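Review bot: adding `_PAGE_NX` to `PAGE_SHARED` makes the default shared mapping non-executable while `PAGE_SHARED_EXEC` directly below keeps execute permission; on a non-PAE 32-bit build there is no hardware NX bit, so this relies on `_PAGE_NX` being defined as 0 there (or being masked by `__supported_pte_mask`). Please add a comment saying so, because readers of this header will otherwise expect bit-63 semantics that a 2-level page table cannot provide.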
29210 -@@ -199,7 +205,7 @@ extern unsigned long long __PAGE_KERNEL,
29211 - #undef TEST_ACCESS_OK
29212 -
29213 - /* The boot page tables (all created as a single array) */
29214 --extern unsigned long pg0[];
29215 -+extern pte_t pg0[];
29216 -
29217 - #define pte_present(x) ((x).pte_low & (_PAGE_PRESENT | _PAGE_PROTNONE))
29218 -
29219 -@@ -215,30 +221,55 @@ extern unsigned long pg0[];
29220 - * The following only work if pte_present() is true.
29221 - * Undefined behaviour if not..
29222 - */
29223 -+static inline int pte_user(pte_t pte) { return (pte).pte_low & _PAGE_USER; }
29224 - static inline int pte_dirty(pte_t pte) { return (pte).pte_low & _PAGE_DIRTY; }
29225 - static inline int pte_young(pte_t pte) { return (pte).pte_low & _PAGE_ACCESSED; }
29226 - static inline int pte_write(pte_t pte) { return (pte).pte_low & _PAGE_RW; }
29227 - static inline int pte_huge(pte_t pte) { return (pte).pte_low & _PAGE_PSE; }
29228 -
29229 -+#ifdef CONFIG_X86_PAE
29230 -+# include <asm/pgtable-3level.h>
29231 -+#else
29232 -+# include <asm/pgtable-2level.h>
29233 -+#endif
29234 -+
29235 - /*
29236 - * The following only works if pte_present() is not true.
29237 - */
29238 - static inline int pte_file(pte_t pte) { return (pte).pte_low & _PAGE_FILE; }
29239 -
29240 -+static inline pte_t pte_exprotect(pte_t pte)
29241 -+{
29242 -+#ifdef CONFIG_X86_PAE
29243 -+ if (__supported_pte_mask & _PAGE_NX)
29244 -+ set_pte(&pte, __pte(pte_val(pte) | _PAGE_NX));
29245 -+ else
29246 -+#endif
29247 -+ set_pte(&pte, __pte(pte_val(pte) & ~_PAGE_USER));
29248 -+ return pte;
29249 -+}
29250 -+
29251 - static inline pte_t pte_mkclean(pte_t pte) { (pte).pte_low &= ~_PAGE_DIRTY; return pte; }
29252 - static inline pte_t pte_mkold(pte_t pte) { (pte).pte_low &= ~_PAGE_ACCESSED; return pte; }
29253 - static inline pte_t pte_wrprotect(pte_t pte) { (pte).pte_low &= ~_PAGE_RW; return pte; }
29254 -+static inline pte_t pte_mkread(pte_t pte) { (pte).pte_low |= _PAGE_USER; return pte; }
29255 -+
29256 -+static inline pte_t pte_mkexec(pte_t pte)
29257 -+{
29258 -+#ifdef CONFIG_X86_PAE
29259 -+ if (__supported_pte_mask & _PAGE_NX)
29260 -+ set_pte(&pte, __pte(pte_val(pte) & ~_PAGE_NX));
29261 -+ else
29262 -+#endif
29263 -+ set_pte(&pte, __pte(pte_val(pte) | _PAGE_USER));
29264 -+ return pte;
29265 -+}
29266 -+
29267 - static inline pte_t pte_mkdirty(pte_t pte) { (pte).pte_low |= _PAGE_DIRTY; return pte; }
29268 - static inline pte_t pte_mkyoung(pte_t pte) { (pte).pte_low |= _PAGE_ACCESSED; return pte; }
29269 - static inline pte_t pte_mkwrite(pte_t pte) { (pte).pte_low |= _PAGE_RW; return pte; }
29270 - static inline pte_t pte_mkhuge(pte_t pte) { (pte).pte_low |= _PAGE_PSE; return pte; }
29271 -
29272 --#ifdef CONFIG_X86_PAE
29273 --# include <asm/pgtable-3level.h>
29274 --#else
29275 --# include <asm/pgtable-2level.h>
29276 --#endif
29277 --
29278 - #ifndef CONFIG_PARAVIRT
29279 - /*
29280 - * Rules for using pte_update - it must be called after any PTE update which
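Review bot: two points on `pte_exprotect()` / `pte_mkexec()`. First, the non-PAE fallback is a bare `else` followed by `#endif` and then the `set_pte(... & ~_PAGE_USER)` statement; any line inserted between the `#endif` and the call silently changes what the `else` binds to, so braces around both arms would be safer. Second, the fallback equates "executable" with "user-accessible": `pte_mkexec()` sets `_PAGE_USER`, so applying it to a pte that should stay kernel-only grants user access. That is presumably the intended non-NX emulation, but the header should state it. Finally, the `asm/pgtable-*level.h` includes were moved above these functions because they supply `set_pte()` (see the `#define set_pte` line in the pgtable-2level.h hunk above); a one-line comment would stop the next cleanup from moving them back down.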
29281 -@@ -350,7 +381,19 @@ static inline void ptep_set_wrprotect(st
29282 - */
29283 - static inline void clone_pgd_range(pgd_t *dst, pgd_t *src, int count)
29284 - {
29285 -- memcpy(dst, src, count * sizeof(pgd_t));
29286 -+
29287 -+#ifdef CONFIG_PAX_KERNEXEC
29288 -+ unsigned long cr0;
29289 -+
29290 -+ pax_open_kernel(cr0);
29291 -+#endif
29292 -+
29293 -+ memcpy(dst, src, count * sizeof(pgd_t));
29294 -+
29295 -+#ifdef CONFIG_PAX_KERNEXEC
29296 -+ pax_close_kernel(cr0);
29297 -+#endif
29298 -+
29299 - }
29300 -
29301 - /*
29302 -@@ -497,6 +540,9 @@ static inline void paravirt_pagetable_se
29303 -
29304 - #endif /* !__ASSEMBLY__ */
29305 -
29306 -+#define HAVE_ARCH_UNMAPPED_AREA
29307 -+#define HAVE_ARCH_UNMAPPED_AREA_TOPDOWN
29308 -+
29309 - #ifdef CONFIG_FLATMEM
29310 - #define kern_addr_valid(addr) (1)
29311 - #endif /* CONFIG_FLATMEM */
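Review bot: defining `HAVE_ARCH_UNMAPPED_AREA` and `HAVE_ARCH_UNMAPPED_AREA_TOPDOWN` commits the architecture to providing `arch_get_unmapped_area()` and its top-down variant; that becomes necessary once `SEGMEXEC_TASK_SIZE` (half of `TASK_SIZE`, per the processor_32.h hunk below) can be a task's effective address-space limit, but nothing here names that dependency. Note also that these defines are unconditional while the SEGMEXEC limits are under `#ifdef CONFIG_PAX_SEGMEXEC`, which is fine only if the arch functions are always built.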
29312 -diff -urNp linux-2.6.24.4/include/asm-x86/pgtable-3level.h linux-2.6.24.4/include/asm-x86/pgtable-3level.h
29313 ---- linux-2.6.24.4/include/asm-x86/pgtable-3level.h 2008-03-24 14:49:18.000000000 -0400
29314 -+++ linux-2.6.24.4/include/asm-x86/pgtable-3level.h 2008-03-26 17:56:56.000000000 -0400
29315 -@@ -67,11 +67,35 @@ static inline void native_set_pte_atomic
29316 - }
29317 - static inline void native_set_pmd(pmd_t *pmdp, pmd_t pmd)
29318 - {
29319 -+
29320 -+#ifdef CONFIG_PAX_KERNEXEC
29321 -+ unsigned long cr0;
29322 -+
29323 -+ pax_open_kernel(cr0);
29324 -+#endif
29325 -+
29326 - set_64bit((unsigned long long *)(pmdp),native_pmd_val(pmd));
29327 -+
29328 -+#ifdef CONFIG_PAX_KERNEXEC
29329 -+ pax_close_kernel(cr0);
29330 -+#endif
29331 -+
29332 - }
29333 - static inline void native_set_pud(pud_t *pudp, pud_t pud)
29334 - {
29335 -+
29336 -+#ifdef CONFIG_PAX_KERNEXEC
29337 -+ unsigned long cr0;
29338 -+
29339 -+ pax_open_kernel(cr0);
29340 -+#endif
29341 -+
29342 - *pudp = pud;
29343 -+
29344 -+#ifdef CONFIG_PAX_KERNEXEC
29345 -+ pax_close_kernel(cr0);
29346 -+#endif
29347 -+
29348 - }
29349 -
29350 - /*
29351 -diff -urNp linux-2.6.24.4/include/asm-x86/pgtable_64.h linux-2.6.24.4/include/asm-x86/pgtable_64.h
29352 ---- linux-2.6.24.4/include/asm-x86/pgtable_64.h 2008-03-24 14:49:18.000000000 -0400
29353 -+++ linux-2.6.24.4/include/asm-x86/pgtable_64.h 2008-03-26 17:56:56.000000000 -0400
29354 -@@ -79,7 +79,19 @@ static inline void set_pte(pte_t *dst, p
29355 -
29356 - static inline void set_pmd(pmd_t *dst, pmd_t val)
29357 - {
29358 -+
29359 -+#ifdef CONFIG_PAX_KERNEXEC
29360 -+ unsigned long cr0;
29361 -+
29362 -+ pax_open_kernel(cr0);
29363 -+#endif
29364 -+
29365 - pmd_val(*dst) = pmd_val(val);
29366 -+
29367 -+#ifdef CONFIG_PAX_KERNEXEC
29368 -+ pax_close_kernel(cr0);
29369 -+#endif
29370 -+
29371 - }
29372 -
29373 - static inline void set_pud(pud_t *dst, pud_t val)
29374 -@@ -180,6 +192,10 @@ static inline pte_t ptep_get_and_clear_f
29375 - #define PAGE_COPY_EXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_ACCESSED)
29376 - #define PAGE_READONLY __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_ACCESSED | _PAGE_NX)
29377 - #define PAGE_READONLY_EXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_ACCESSED)
29378 -+
29379 -+#define PAGE_READONLY_NOEXEC PAGE_READONLY
29380 -+#define PAGE_SHARED_NOEXEC PAGE_SHARED
29381 -+
29382 - #define __PAGE_KERNEL \
29383 - (_PAGE_PRESENT | _PAGE_RW | _PAGE_DIRTY | _PAGE_ACCESSED | _PAGE_NX)
29384 - #define __PAGE_KERNEL_EXEC \
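Review bot: `PAGE_READONLY_NOEXEC` and `PAGE_SHARED_NOEXEC` are plain aliases of `PAGE_READONLY` and `PAGE_SHARED`, correct on 64-bit because `PAGE_READONLY` visibly already carries `_PAGE_NX` in the context lines above, but the names suggest they add something. A comment saying the aliases exist so shared code can name a non-executable variant on both architectures would stop readers from "fixing" them by adding `_PAGE_NX` a second time.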
29385 -@@ -188,10 +204,12 @@ static inline pte_t ptep_get_and_clear_f
29386 - (_PAGE_PRESENT | _PAGE_RW | _PAGE_DIRTY | _PAGE_PCD | _PAGE_ACCESSED | _PAGE_NX)
29387 - #define __PAGE_KERNEL_RO \
29388 - (_PAGE_PRESENT | _PAGE_DIRTY | _PAGE_ACCESSED | _PAGE_NX)
29389 -+#define __PAGE_KERNEL_RX \
29390 -+ (_PAGE_PRESENT | _PAGE_DIRTY | _PAGE_ACCESSED)
29391 - #define __PAGE_KERNEL_VSYSCALL \
29392 - (_PAGE_PRESENT | _PAGE_USER | _PAGE_ACCESSED)
29393 - #define __PAGE_KERNEL_VSYSCALL_NOCACHE \
29394 -- (_PAGE_PRESENT | _PAGE_USER | _PAGE_ACCESSED | _PAGE_PCD)
29395 -+ (_PAGE_PRESENT | _PAGE_USER | _PAGE_ACCESSED | _PAGE_PCD | _PAGE_NX)
29396 - #define __PAGE_KERNEL_LARGE \
29397 - (__PAGE_KERNEL | _PAGE_PSE)
29398 - #define __PAGE_KERNEL_LARGE_EXEC \
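Review bot: `__PAGE_KERNEL_RX` (no `_PAGE_RW`, no `_PAGE_NX`) is the kernel-text protection and should say so, and `__PAGE_KERNEL_VSYSCALL_NOCACHE` now gains `_PAGE_NX` while `__PAGE_KERNEL_VSYSCALL` directly above stays executable. That split is only right if the NOCACHE variant is used solely for the vsyscall data page, so state that assumption next to the definition and check every user of `PAGE_KERNEL_VSYSCALL_NOCACHE` for code that executes from that mapping.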
29399 -@@ -202,6 +220,7 @@ static inline pte_t ptep_get_and_clear_f
29400 - #define PAGE_KERNEL MAKE_GLOBAL(__PAGE_KERNEL)
29401 - #define PAGE_KERNEL_EXEC MAKE_GLOBAL(__PAGE_KERNEL_EXEC)
29402 - #define PAGE_KERNEL_RO MAKE_GLOBAL(__PAGE_KERNEL_RO)
29403 -+#define PAGE_KERNEL_RX MAKE_GLOBAL(__PAGE_KERNEL_RX)
29404 - #define PAGE_KERNEL_NOCACHE MAKE_GLOBAL(__PAGE_KERNEL_NOCACHE)
29405 - #define PAGE_KERNEL_VSYSCALL32 __pgprot(__PAGE_KERNEL_VSYSCALL)
29406 - #define PAGE_KERNEL_VSYSCALL MAKE_GLOBAL(__PAGE_KERNEL_VSYSCALL)
29407 -@@ -231,17 +250,17 @@ static inline pte_t ptep_get_and_clear_f
29408 -
29409 - static inline unsigned long pgd_bad(pgd_t pgd)
29410 - {
29411 -- return pgd_val(pgd) & ~(PTE_MASK | _KERNPG_TABLE | _PAGE_USER);
29412 -+ return pgd_val(pgd) & ~(PTE_MASK | _KERNPG_TABLE | _PAGE_USER | _PAGE_NX);
29413 - }
29414 -
29415 - static inline unsigned long pud_bad(pud_t pud)
29416 - {
29417 -- return pud_val(pud) & ~(PTE_MASK | _KERNPG_TABLE | _PAGE_USER);
29418 -+ return pud_val(pud) & ~(PTE_MASK | _KERNPG_TABLE | _PAGE_USER | _PAGE_NX);
29419 - }
29420 -
29421 - static inline unsigned long pmd_bad(pmd_t pmd)
29422 - {
29423 -- return pmd_val(pmd) & ~(PTE_MASK | _KERNPG_TABLE | _PAGE_USER);
29424 -+ return pmd_val(pmd) & ~(PTE_MASK | _KERNPG_TABLE | _PAGE_USER | _PAGE_NX);
29425 - }
29426 -
29427 - #define pte_none(x) (!pte_val(x))
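Review bot: `pgd_bad()`, `pud_bad()` and `pmd_bad()` each add `_PAGE_NX` to the accepted-bits mask, so an NX bit on a non-leaf entry is no longer reported as corruption. The three functions differ only in the type they take, so the mask should be one shared constant (the next accepted bit then lands in one place, not three), and the change should say where the kernel now sets NX on non-leaf entries so the relaxation is clearly tied to a producer.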
29428 -diff -urNp linux-2.6.24.4/include/asm-x86/processor_32.h linux-2.6.24.4/include/asm-x86/processor_32.h
29429 ---- linux-2.6.24.4/include/asm-x86/processor_32.h 2008-03-24 14:49:18.000000000 -0400
29430 -+++ linux-2.6.24.4/include/asm-x86/processor_32.h 2008-03-26 17:56:56.000000000 -0400
29431 -@@ -100,8 +100,6 @@ struct cpuinfo_x86 {
29432 -
29433 - extern struct cpuinfo_x86 boot_cpu_data;
29434 - extern struct cpuinfo_x86 new_cpu_data;
29435 --extern struct tss_struct doublefault_tss;
29436 --DECLARE_PER_CPU(struct tss_struct, init_tss);
29437 -
29438 - #ifdef CONFIG_SMP
29439 - DECLARE_PER_CPU(struct cpuinfo_x86, cpu_info);
29440 -@@ -215,11 +213,19 @@ extern int bootloader_type;
29441 - */
29442 - #define TASK_SIZE (PAGE_OFFSET)
29443 -
29444 -+#ifdef CONFIG_PAX_SEGMEXEC
29445 -+#define SEGMEXEC_TASK_SIZE (TASK_SIZE / 2)
29446 -+#endif
29447 -+
29448 - /* This decides where the kernel will search for a free chunk of vm
29449 - * space during mmap's.
29450 - */
29451 - #define TASK_UNMAPPED_BASE (PAGE_ALIGN(TASK_SIZE / 3))
29452 -
29453 -+#ifdef CONFIG_PAX_SEGMEXEC
29454 -+#define SEGMEXEC_TASK_UNMAPPED_BASE (PAGE_ALIGN(SEGMEXEC_TASK_SIZE / 3))
29455 -+#endif
29456 -+
29457 - #define HAVE_ARCH_PICK_MMAP_LAYOUT
29458 -
29459 - extern void hard_disable_TSC(void);
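Review bot: `SEGMEXEC_TASK_SIZE` halves `TASK_SIZE` and `SEGMEXEC_TASK_UNMAPPED_BASE` is derived from it exactly as `TASK_UNMAPPED_BASE` is from `TASK_SIZE`; the split address space that segmentation-based non-exec needs is the whole point of these constants, and a two-line comment here would save readers from reconstructing it from the mmap layout code that `HAVE_ARCH_PICK_MMAP_LAYOUT` below points to.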
29460 -@@ -344,6 +350,9 @@ struct tss_struct {
29461 -
29462 - #define ARCH_MIN_TASKALIGN 16
29463 -
29464 -+extern struct tss_struct doublefault_tss;
29465 -+extern struct tss_struct init_tss[NR_CPUS];
29466 -+
29467 - struct thread_struct {
29468 - /* cached TLS descriptors. */
29469 - struct desc_struct tls_array[GDT_ENTRY_TLS_ENTRIES];
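Review bot: the `doublefault_tss` and `init_tss` declarations removed in the @@ -100 hunk reappear here, after `struct tss_struct` is complete, with `init_tss` changed from `DECLARE_PER_CPU` to a plain `[NR_CPUS]` array. The move is forced (an `extern` array of an incomplete struct type is invalid C), so a one-line comment would stop someone from moving them back; the switch away from per-cpu storage also means every `per_cpu(init_tss, cpu)` / `__get_cpu_var(init_tss)` user must become `init_tss[cpu]`, which this header cannot check.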
29470 -@@ -372,7 +381,7 @@ struct thread_struct {
29471 - };
29472 -
29473 - #define INIT_THREAD { \
29474 -- .esp0 = sizeof(init_stack) + (long)&init_stack, \
29475 -+ .esp0 = sizeof(init_stack) + (long)&init_stack - 8, \
29476 - .vm86_info = NULL, \
29477 - .sysenter_cs = __KERNEL_CS, \
29478 - .io_bitmap_ptr = NULL, \
29479 -@@ -387,7 +396,7 @@ struct thread_struct {
29480 - */
29481 - #define INIT_TSS { \
29482 - .x86_tss = { \
29483 -- .esp0 = sizeof(init_stack) + (long)&init_stack, \
29484 -+ .esp0 = sizeof(init_stack) + (long)&init_stack - 8, \
29485 - .ss0 = __KERNEL_DS, \
29486 - .ss1 = __KERNEL_CS, \
29487 - .io_bitmap_base = INVALID_IO_BITMAP_OFFSET, \
29488 -@@ -428,11 +437,7 @@ void show_trace(struct task_struct *task
29489 - unsigned long get_wchan(struct task_struct *p);
29490 -
29491 - #define THREAD_SIZE_LONGS (THREAD_SIZE/sizeof(unsigned long))
29492 --#define KSTK_TOP(info) \
29493 --({ \
29494 -- unsigned long *__ptr = (unsigned long *)(info); \
29495 -- (unsigned long)(&__ptr[THREAD_SIZE_LONGS]); \
29496 --})
29497 -+#define KSTK_TOP(info) ((info)->task.thread.esp0)
29498 -
29499 - /*
29500 - * The below -8 is to reserve 8 bytes on top of the ring0 stack.
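Review bot: `KSTK_TOP(info)` changes from pointer arithmetic on any `unsigned long *` to `(info)->task.thread.esp0`, so its argument is now a `struct thread_info *`; callers that passed `task_stack_page(task)` (as the old `task_pt_regs` did) will fail to compile, which is the safe outcome. The comment immediately below, "The below -8 is to reserve 8 bytes on top of the ring0 stack", now describes a subtraction that lives in `INIT_THREAD` and `INIT_TSS` (the two `- 8` additions in the previous hunks) rather than here, so it should be updated and the magic number shared as a named constant between the two initializers.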
29501 -@@ -447,7 +452,7 @@ unsigned long get_wchan(struct task_stru
29502 - #define task_pt_regs(task) \
29503 - ({ \
29504 - struct pt_regs *__regs__; \
29505 -- __regs__ = (struct pt_regs *)(KSTK_TOP(task_stack_page(task))-8); \
29506 -+ __regs__ = (struct pt_regs *)((task)->thread.esp0); \
29507 - __regs__ - 1; \
29508 - })
29509 -
29510 -diff -urNp linux-2.6.24.4/include/asm-x86/processor_64.h linux-2.6.24.4/include/asm-x86/processor_64.h
29511 ---- linux-2.6.24.4/include/asm-x86/processor_64.h 2008-03-24 14:49:18.000000000 -0400
29512 -+++ linux-2.6.24.4/include/asm-x86/processor_64.h 2008-03-26 17:56:56.000000000 -0400
29513 -@@ -142,7 +142,7 @@ static inline void clear_in_cr4 (unsigne
29514 - /* This decides where the kernel will search for a free chunk of vm
29515 - * space during mmap's.
29516 - */
29517 --#define IA32_PAGE_OFFSET ((current->personality & ADDR_LIMIT_3GB) ? 0xc0000000 : 0xFFFFe000)
29518 -+#define IA32_PAGE_OFFSET ((current->personality & ADDR_LIMIT_3GB) ? 0xc0000000 : 0xFFFFf000)
29519 -
29520 - #define TASK_SIZE (test_thread_flag(TIF_IA32) ? IA32_PAGE_OFFSET : TASK_SIZE64)
29521 - #define TASK_SIZE_OF(child) ((test_tsk_thread_flag(child, TIF_IA32)) ? IA32_PAGE_OFFSET : TASK_SIZE64)
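Review bot: raising `IA32_PAGE_OFFSET` from `0xFFFFe000` to `0xFFFFf000` extends the compat task size by one page, so a 32-bit process on x86-64 may now map one more page at the top of its address space. The hunk gives no reason, and since this value feeds `TASK_SIZE` and `TASK_SIZE_OF()` directly below, a comment explaining what previously occupied that page and why it is no longer reserved is needed.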
29522 -@@ -201,7 +201,7 @@ struct tss_struct {
29523 -
29524 -
29525 - extern struct cpuinfo_x86 boot_cpu_data;
29526 --DECLARE_PER_CPU(struct tss_struct,init_tss);
29527 -+extern struct tss_struct init_tss[NR_CPUS];
29528 - /* Save the original ist values for checking stack pointers during debugging */
29529 - struct orig_ist {
29530 - unsigned long ist[7];
29531 -diff -urNp linux-2.6.24.4/include/asm-x86/ptrace.h linux-2.6.24.4/include/asm-x86/ptrace.h
29532 ---- linux-2.6.24.4/include/asm-x86/ptrace.h 2008-03-24 14:49:18.000000000 -0400
29533 -+++ linux-2.6.24.4/include/asm-x86/ptrace.h 2008-03-26 17:56:56.000000000 -0400
29534 -@@ -39,17 +39,18 @@ struct task_struct;
29535 - extern void send_sigtrap(struct task_struct *tsk, struct pt_regs *regs, int error_code);
29536 -
29537 - /*
29538 -- * user_mode_vm(regs) determines whether a register set came from user mode.
29539 -+ * user_mode(regs) determines whether a register set came from user mode.
29540 - * This is true if V8086 mode was enabled OR if the register set was from
29541 - * protected mode with RPL-3 CS value. This tricky test checks that with
29542 - * one comparison. Many places in the kernel can bypass this full check
29543 -- * if they have already ruled out V8086 mode, so user_mode(regs) can be used.
29544 -+ * if they have already ruled out V8086 mode, so user_mode_novm(regs) can
29545 -+ * be used.
29546 - */
29547 --static inline int user_mode(struct pt_regs *regs)
29548 -+static inline int user_mode_novm(struct pt_regs *regs)
29549 - {
29550 - return (regs->xcs & SEGMENT_RPL_MASK) == USER_RPL;
29551 - }
29552 --static inline int user_mode_vm(struct pt_regs *regs)
29553 -+static inline int user_mode(struct pt_regs *regs)
29554 - {
29555 - return ((regs->xcs & SEGMENT_RPL_MASK) | (regs->eflags & VM_MASK)) >= USER_RPL;
29556 - }
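Review bot: swapping the names so that `user_mode()` now does the full RPL-or-V8086 check and `user_mode_novm()` the cheap RPL-only one inverts the meaning of an existing identifier. Existing `user_mode()` callers silently get the stricter test, which is the safe direction (a V8086 frame is no longer misclassified as kernel), but any un-renamed caller of the old `user_mode_vm()` will fail to compile and new code written against upstream semantics will pick the wrong variant; the comment update is good, but the rename and the caller audit should be called out in the commit message.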
29557 -diff -urNp linux-2.6.24.4/include/asm-x86/reboot.h linux-2.6.24.4/include/asm-x86/reboot.h
29558 ---- linux-2.6.24.4/include/asm-x86/reboot.h 2008-03-24 14:49:18.000000000 -0400
29559 -+++ linux-2.6.24.4/include/asm-x86/reboot.h 2008-03-26 17:56:56.000000000 -0400
29560 -@@ -15,6 +15,6 @@ struct machine_ops
29561 -
29562 - extern struct machine_ops machine_ops;
29563 -
29564 --void machine_real_restart(unsigned char *code, int length);
29565 -+void machine_real_restart(const unsigned char *code, unsigned int length);
29566 -
29567 - #endif /* _ASM_REBOOT_H */
29568 -diff -urNp linux-2.6.24.4/include/asm-x86/segment_32.h linux-2.6.24.4/include/asm-x86/segment_32.h
29569 ---- linux-2.6.24.4/include/asm-x86/segment_32.h 2008-03-24 14:49:18.000000000 -0400
29570 -+++ linux-2.6.24.4/include/asm-x86/segment_32.h 2008-03-26 17:56:56.000000000 -0400
29571 -@@ -81,6 +81,12 @@
29572 - #define __KERNEL_PERCPU 0
29573 - #endif
29574 -
29575 -+#define GDT_ENTRY_PCIBIOS_CS (GDT_ENTRY_KERNEL_BASE + 16)
29576 -+#define __PCIBIOS_CS (GDT_ENTRY_PCIBIOS_CS * 8)
29577 -+
29578 -+#define GDT_ENTRY_PCIBIOS_DS (GDT_ENTRY_KERNEL_BASE + 17)
29579 -+#define __PCIBIOS_DS (GDT_ENTRY_PCIBIOS_DS * 8)
29580 -+
29581 - #define GDT_ENTRY_DOUBLEFAULT_TSS 31
29582 -
29583 - /*
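Review bot: `GDT_ENTRY_PCIBIOS_CS`/`DS` are placed at `GDT_ENTRY_KERNEL_BASE + 16` and `+ 17`; the hunk does not show the rest of the GDT layout, so please confirm those slots are free (in particular that they do not overlap `GDT_ENTRY_DOUBLEFAULT_TSS 31` or the PNP BIOS entries referenced in the next hunk) and add them to whatever table documents the GDT, since a silent overlap here would hand BIOS calls a wrong descriptor.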
29584 -@@ -140,9 +146,9 @@
29585 - #define SEGMENT_IS_KERNEL_CODE(x) (((x) & 0xfc) == GDT_ENTRY_KERNEL_CS * 8)
29586 -
29587 - /* Matches __KERNEL_CS and __USER_CS (they must be 2 entries apart) */
29588 --#define SEGMENT_IS_FLAT_CODE(x) (((x) & 0xec) == GDT_ENTRY_KERNEL_CS * 8)
29589 -+#define SEGMENT_IS_FLAT_CODE(x) (((x) & 0xFFFCU) == __KERNEL_CS || ((x) & 0xFFFCU) == __USER_CS)
29590 -
29591 - /* Matches PNP_CS32 and PNP_CS16 (they must be consecutive) */
29592 --#define SEGMENT_IS_PNP_CODE(x) (((x) & 0xf4) == GDT_ENTRY_PNPBIOS_BASE * 8)
29593 -+#define SEGMENT_IS_PNP_CODE(x) (((x) & 0xFFFCU) == PNP_CS32 || ((x) & 0xFFFCU) == PNP_CS16)
29594 -
29595 - #endif
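Review bot: the rewritten `SEGMENT_IS_FLAT_CODE()` and `SEGMENT_IS_PNP_CODE()` compare the whole selector with only the RPL bits masked (`0xFFFCU`) instead of a bit pattern on the low byte (`0xec`, `0xf4`); the old form could match any selector whose low byte happened to fit, including indexes above 31, so the exact comparison is strictly more precise. The comments above each macro still describe the old adjacency trick ("they must be 2 entries apart", "they must be consecutive"); those constraints no longer apply and the comments should say the selectors are compared individually.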
29596 -diff -urNp linux-2.6.24.4/include/asm-x86/system_32.h linux-2.6.24.4/include/asm-x86/system_32.h
29597 ---- linux-2.6.24.4/include/asm-x86/system_32.h 2008-03-24 14:49:18.000000000 -0400
29598 -+++ linux-2.6.24.4/include/asm-x86/system_32.h 2008-03-26 17:56:56.000000000 -0400
29599 -@@ -188,6 +188,21 @@ static inline void clflush(volatile void
29600 - /* Set the 'TS' bit */
29601 - #define stts() write_cr0(8 | read_cr0())
29602 -
29603 -+#define pax_open_kernel(cr0) \
29604 -+do { \
29605 -+ typecheck(unsigned long, cr0); \
29606 -+ preempt_disable(); \
29607 -+ cr0 = read_cr0(); \
29608 -+ write_cr0(cr0 & ~X86_CR0_WP); \
29609 -+} while (0)
29610 -+
29611 -+#define pax_close_kernel(cr0) \
29612 -+do { \
29613 -+ typecheck(unsigned long, cr0); \
29614 -+ write_cr0(cr0); \
29615 -+ preempt_enable_no_resched(); \
29616 -+} while (0)
29617 -+
29618 - #endif /* __KERNEL__ */
29619 -
29620 - static inline unsigned long get_limit(unsigned long segment)
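Review bot: `pax_open_kernel()` clears CR0.WP after `preempt_disable()` but does not disable interrupts, so an interrupt handler that runs inside the window executes with write protection off; if that is accepted by design (short windows, handlers do not depend on WP), say so in a comment. Likewise `pax_close_kernel()` uses `preempt_enable_no_resched()`, so a preemption requested during the window is deferred to the next preemption point rather than taken on close, which should be stated as intentional. The `typecheck(unsigned long, cr0)` guard against passing the wrong variable is a good touch.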
29621 -@@ -195,7 +210,7 @@ static inline unsigned long get_limit(un
29622 - unsigned long __limit;
29623 - __asm__("lsll %1,%0"
29624 - :"=r" (__limit):"r" (segment));
29625 -- return __limit+1;
29626 -+ return __limit;
29627 - }
29628 -
29629 - #define nop() __asm__ __volatile__ ("nop")
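Review bot: `get_limit()` now returns the raw `lsll` result (the limit, i.e. the last valid offset) instead of `__limit + 1` (the segment size); that is an off-by-one change to the contract of an exported helper, so every caller must be audited for which value it expects. The callers are not in this hunk and the name alone does not tell the reader which convention is in force, so a comment on the return value is needed.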
29630 -@@ -311,7 +326,7 @@ void enable_hlt(void);
29631 - extern int es7000_plat;
29632 - void cpu_idle_wait(void);
29633 -
29634 --extern unsigned long arch_align_stack(unsigned long sp);
29635 -+#define arch_align_stack(x) (x)
29636 - extern void free_init_pages(char *what, unsigned long begin, unsigned long end);
29637 -
29638 - void default_idle(void);
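Review bot: replacing `arch_align_stack()` with the identity macro removes the stack-pointer randomization the base function provided. The a.out.h hunk below adds `__DELTA_STACK` under `CONFIG_PAX_RANDUSTACK`, presumably the replacement, but a build with that option disabled then loses the existing randomization entirely; either make this macro conditional on the PaX option or state in the commit message that the base randomization is deliberately dropped.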
29639 -diff -urNp linux-2.6.24.4/include/asm-x86/system_64.h linux-2.6.24.4/include/asm-x86/system_64.h
29640 ---- linux-2.6.24.4/include/asm-x86/system_64.h 2008-03-24 14:49:18.000000000 -0400
29641 -+++ linux-2.6.24.4/include/asm-x86/system_64.h 2008-03-26 17:56:56.000000000 -0400
29642 -@@ -33,6 +33,8 @@
29643 - ".globl thread_return\n" \
29644 - "thread_return:\n\t" \
29645 - "movq %%gs:%P[pda_pcurrent],%%rsi\n\t" \
29646 -+ "movq %P[task_canary](%%rsi),%%r8\n\t" \
29647 -+ "movq %%r8,%%gs:%P[pda_canary]\n\t" \
29648 - "movq %P[thread_info](%%rsi),%%r8\n\t" \
29649 - LOCK_PREFIX "btr %[tif_fork],%P[ti_flags](%%r8)\n\t" \
29650 - "movq %%rax,%%rdi\n\t" \
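Review bot: the canary copy (`movq %P[task_canary](%%rsi),%%r8` then `movq %%r8,%%gs:%P[pda_canary]`) needs a comment tying it to the fixed offset-40 `stack_canary` slot that the pda.h hunk above makes unconditional; this is what keeps a per-task canary consistent with gcc reading it from `%gs:40`, and that linkage is invisible from either site. Using `%r8` before it is reloaded with `thread_info` is fine, but worth a note so a reordering does not clobber it.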
29651 -@@ -44,7 +46,9 @@
29652 - [ti_flags] "i" (offsetof(struct thread_info, flags)),\
29653 - [tif_fork] "i" (TIF_FORK), \
29654 - [thread_info] "i" (offsetof(struct task_struct, stack)), \
29655 -- [pda_pcurrent] "i" (offsetof(struct x8664_pda, pcurrent)) \
29656 -+ [task_canary] "i" (offsetof(struct task_struct, stack_canary)), \
29657 -+ [pda_pcurrent] "i" (offsetof(struct x8664_pda, pcurrent)), \
29658 -+ [pda_canary] "i" (offsetof(struct x8664_pda, stack_canary)) \
29659 - : "memory", "cc" __EXTRA_CLOBBER)
29660 -
29661 - extern void load_gs_index(unsigned);
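Review bot: `offsetof(struct task_struct, stack_canary)` is used unconditionally in the operand list, but in the base kernel `task_struct.stack_canary` exists only under `CONFIG_CC_STACKPROTECTOR`; unless another part of the patch makes that field unconditional, builds without the option fail here. Either wrap the canary copy in the same `#ifdef` or confirm, and mention, that the field is now always present.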
29662 -@@ -139,6 +143,21 @@ static inline void write_cr8(unsigned lo
29663 - #define wbinvd() \
29664 - __asm__ __volatile__ ("wbinvd": : :"memory")
29665 -
29666 -+#define pax_open_kernel(cr0) \
29667 -+do { \
29668 -+ typecheck(unsigned long, cr0); \
29669 -+ preempt_disable(); \
29670 -+ cr0 = read_cr0(); \
29671 -+ write_cr0(cr0 & ~X86_CR0_WP); \
29672 -+} while (0)
29673 -+
29674 -+#define pax_close_kernel(cr0) \
29675 -+do { \
29676 -+ typecheck(unsigned long, cr0); \
29677 -+ write_cr0(cr0); \
29678 -+ preempt_enable_no_resched(); \
29679 -+} while (0)
29680 -+
29681 - #endif /* __KERNEL__ */
29682 -
29683 - static inline void clflush(volatile void *__p)
29684 -@@ -179,7 +198,7 @@ static inline void clflush(volatile void
29685 -
29686 - void cpu_idle_wait(void);
29687 -
29688 --extern unsigned long arch_align_stack(unsigned long sp);
29689 -+#define arch_align_stack(x) (x)
29690 - extern void free_init_pages(char *what, unsigned long begin, unsigned long end);
29691 -
29692 - #endif
29693 -diff -urNp linux-2.6.24.4/include/asm-x86/uaccess_32.h linux-2.6.24.4/include/asm-x86/uaccess_32.h
29694 ---- linux-2.6.24.4/include/asm-x86/uaccess_32.h 2008-03-24 14:49:18.000000000 -0400
29695 -+++ linux-2.6.24.4/include/asm-x86/uaccess_32.h 2008-03-26 17:56:56.000000000 -0400
29696 -@@ -9,6 +9,7 @@
29697 - #include <linux/prefetch.h>
29698 - #include <linux/string.h>
29699 - #include <asm/page.h>
29700 -+#include <asm/segment.h>
29701 -
29702 - #define VERIFY_READ 0
29703 - #define VERIFY_WRITE 1
29704 -@@ -29,7 +30,8 @@
29705 -
29706 - #define get_ds() (KERNEL_DS)
29707 - #define get_fs() (current_thread_info()->addr_limit)
29708 --#define set_fs(x) (current_thread_info()->addr_limit = (x))
29709 -+void __set_fs(mm_segment_t x, int cpu);
29710 -+void set_fs(mm_segment_t x);
29711 -
29712 - #define segment_eq(a,b) ((a).seg == (b).seg)
29713 -
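Review bot: `set_fs()` becomes an out-of-line function (with a `__set_fs(x, cpu)` variant) instead of a macro that only stored `addr_limit`; the declarations lack `extern` although the neighbouring `extern int fixup_exception()` uses it, and the reason for the change (the address limit apparently now has to be reflected in a per-cpu segment descriptor, which is what the `cpu` argument suggests) is not stated. A comment on what `__set_fs()` updates beyond `addr_limit`, and on whether `set_fs()` may still be called from early boot or non-process context, would help whoever reviews its callers.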
29714 -@@ -101,6 +103,7 @@ struct exception_table_entry
29715 - };
29716 -
29717 - extern int fixup_exception(struct pt_regs *regs);
29718 -+#define ARCH_HAS_SORT_EXTABLE
29719 -
29720 - /*
29721 - * These are the main single-value transfer routines. They automatically
29722 -@@ -280,9 +283,12 @@ extern void __put_user_8(void);
29723 -
29724 - #define __put_user_u64(x, addr, err) \
29725 - __asm__ __volatile__( \
29726 -- "1: movl %%eax,0(%2)\n" \
29727 -- "2: movl %%edx,4(%2)\n" \
29728 -+ " movw %w5,%%ds\n" \
29729 -+ "1: movl %%eax,%%ds:0(%2)\n" \
29730 -+ "2: movl %%edx,%%ds:4(%2)\n" \
29731 - "3:\n" \
29732 -+ " pushl %%ss\n" \
29733 -+ " popl %%ds\n" \
29734 - ".section .fixup,\"ax\"\n" \
29735 - "4: movl %3,%0\n" \
29736 - " jmp 3b\n" \
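Review bot: the fixup ordering here is correct and should be protected by a comment: on a fault at label `1:` or `2:` the handler at `4:` sets the error and jumps to `3b`, and label `3:` sits before `pushl %%ss; popl %%ds`, so DS is restored on both the success and the fault path. That ordering is load-bearing and easy to break in a later edit; the restore also assumes `%ss` holds the flat kernel data selector, the same assumption the paravirt `%ss:` override above relies on.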
29737 -@@ -293,7 +299,8 @@ extern void __put_user_8(void);
29738 - " .long 2b,4b\n" \
29739 - ".previous" \
29740 - : "=r"(err) \
29741 -- : "A" (x), "r" (addr), "i"(-EFAULT), "0"(err))
29742 -+ : "A" (x), "r" (addr), "i"(-EFAULT), "0"(err), \
29743 -+ "r"(__USER_DS))
29744 -
29745 - #ifdef CONFIG_X86_WP_WORKS_OK
29746 -
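Review bot: the added `"r"(__USER_DS)` input is the sixth operand, referenced as `%w5` in the previous hunk; operand numbers are positional, so inserting any input before it would silently redirect the `movw ... %%ds`. A named operand (`[uds] "r"(__USER_DS)` with `%w[uds]`) would make the link explicit, and the same applies to the `__put_user_asm` and `__get_user_asm` blocks below, where `%w5` is again a bare position.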
29747 -@@ -332,8 +339,11 @@ struct __large_struct { unsigned long bu
29748 - */
29749 - #define __put_user_asm(x, addr, err, itype, rtype, ltype, errret) \
29750 - __asm__ __volatile__( \
29751 -- "1: mov"itype" %"rtype"1,%2\n" \
29752 -+ " movw %w5,%%ds\n" \
29753 -+ "1: mov"itype" %"rtype"1,%%ds:%2\n" \
29754 - "2:\n" \
29755 -+ " pushl %%ss\n" \
29756 -+ " popl %%ds\n" \
29757 - ".section .fixup,\"ax\"\n" \
29758 - "3: movl %3,%0\n" \
29759 - " jmp 2b\n" \
29760 -@@ -343,7 +353,8 @@ struct __large_struct { unsigned long bu
29761 - " .long 1b,3b\n" \
29762 - ".previous" \
29763 - : "=r"(err) \
29764 -- : ltype (x), "m"(__m(addr)), "i"(errret), "0"(err))
29765 -+ : ltype (x), "m"(__m(addr)), "i"(errret), "0"(err), \
29766 -+ "r"(__USER_DS))
29767 -
29768 -
29769 - #define __get_user_nocheck(x,ptr,size) \
29770 -@@ -371,8 +382,11 @@ do { \
29771 -
29772 - #define __get_user_asm(x, addr, err, itype, rtype, ltype, errret) \
29773 - __asm__ __volatile__( \
29774 -- "1: mov"itype" %2,%"rtype"1\n" \
29775 -+ " movw %w5,%%ds\n" \
29776 -+ "1: mov"itype" %%ds:%2,%"rtype"1\n" \
29777 - "2:\n" \
29778 -+ " pushl %%ss\n" \
29779 -+ " popl %%ds\n" \
29780 - ".section .fixup,\"ax\"\n" \
29781 - "3: movl %3,%0\n" \
29782 - " xor"itype" %"rtype"1,%"rtype"1\n" \
29783 -@@ -383,7 +397,7 @@ do { \
29784 - " .long 1b,3b\n" \
29785 - ".previous" \
29786 - : "=r"(err), ltype (x) \
29787 -- : "m"(__m(addr)), "i"(errret), "0"(err))
29788 -+ : "m"(__m(addr)), "i"(errret), "0"(err), "r"(__USER_DS))
29789 -
29790 -
29791 - unsigned long __must_check __copy_to_user_ll(void __user *to,
29792 -diff -urNp linux-2.6.24.4/include/asm-x86/uaccess_64.h linux-2.6.24.4/include/asm-x86/uaccess_64.h
29793 ---- linux-2.6.24.4/include/asm-x86/uaccess_64.h 2008-03-24 14:49:18.000000000 -0400
29794 -+++ linux-2.6.24.4/include/asm-x86/uaccess_64.h 2008-03-26 17:56:56.000000000 -0400
29795 -@@ -66,6 +66,7 @@ struct exception_table_entry
29796 - };
29797 -
29798 - #define ARCH_HAS_SEARCH_EXTABLE
29799 -+#define ARCH_HAS_SORT_EXTABLE
29800 -
29801 - /*
29802 - * These are the main single-value transfer routines. They automatically
29803 -diff -urNp linux-2.6.24.4/include/asm-xtensa/kmap_types.h linux-2.6.24.4/include/asm-xtensa/kmap_types.h
29804 ---- linux-2.6.24.4/include/asm-xtensa/kmap_types.h 2008-03-24 14:49:18.000000000 -0400
29805 -+++ linux-2.6.24.4/include/asm-xtensa/kmap_types.h 2008-03-26 17:56:56.000000000 -0400
29806 -@@ -25,6 +25,7 @@ enum km_type {
29807 - KM_IRQ1,
29808 - KM_SOFTIRQ0,
29809 - KM_SOFTIRQ1,
29810 -+ KM_CLEARPAGE,
29811 - KM_TYPE_NR
29812 - };
29813 -
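Review bot: `KM_CLEARPAGE` is appended just before `KM_TYPE_NR`; for generic code to use it, the same enumerator has to be added to every architecture's kmap_types.h, and its position matters because `KM_TYPE_NR` sizes the per-cpu kmap slot range. A comment noting that the enumerator must stay before `KM_TYPE_NR` would help.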
29814 -diff -urNp linux-2.6.24.4/include/linux/a.out.h linux-2.6.24.4/include/linux/a.out.h
29815 ---- linux-2.6.24.4/include/linux/a.out.h 2008-03-24 14:49:18.000000000 -0400
29816 -+++ linux-2.6.24.4/include/linux/a.out.h 2008-03-26 17:56:56.000000000 -0400
29817 -@@ -7,6 +7,16 @@
29818 -
29819 - #include <asm/a.out.h>
29820 -
29821 -+#ifdef CONFIG_PAX_RANDUSTACK
29822 -+#define __DELTA_STACK (current->mm->delta_stack)
29823 -+#else
29824 -+#define __DELTA_STACK 0UL
29825 -+#endif
29826 -+
29827 -+#ifndef STACK_TOP
29828 -+#define STACK_TOP (__STACK_TOP - __DELTA_STACK)
29829 -+#endif
29830 -+
29831 - #endif /* __STRUCT_EXEC_OVERRIDE__ */
29832 -
29833 - /* these go in the N_MACHTYPE field */
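Review bot: `STACK_TOP` now expands to `__STACK_TOP - __DELTA_STACK`, and under `CONFIG_PAX_RANDUSTACK` `__DELTA_STACK` dereferences `current->mm`; any use of `STACK_TOP` from a kernel thread (where `mm` is NULL) or before `current->mm` is set up will oops. Document that the macro is process-context only, and consider whether the `#ifndef STACK_TOP` guard should also cover the `__DELTA_STACK` definition so an architecture that defines its own `STACK_TOP` is not left with a dangling macro.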
29834 -@@ -37,6 +47,14 @@ enum machine_type {
29835 - M_MIPS2 = 152 /* MIPS R6000/R4000 binary */
29836 - };
29837 -
29838 -+/* Constants for the N_FLAGS field */
29839 -+#define F_PAX_PAGEEXEC 1 /* Paging based non-executable pages */
29840 -+#define F_PAX_EMUTRAMP 2 /* Emulate trampolines */
29841 -+#define F_PAX_MPROTECT 4 /* Restrict mprotect() */
29842 -+#define F_PAX_RANDMMAP 8 /* Randomize mmap() base */
29843 -+/*#define F_PAX_RANDEXEC 16*/ /* Randomize ET_EXEC base */
29844 -+#define F_PAX_SEGMEXEC 32 /* Segmentation based non-executable pages */
29845 -+
29846 - #if !defined (N_MAGIC)
29847 - #define N_MAGIC(exec) ((exec).a_info & 0xffff)
29848 - #endif
29849 -diff -urNp linux-2.6.24.4/include/linux/binfmts.h linux-2.6.24.4/include/linux/binfmts.h
29850 ---- linux-2.6.24.4/include/linux/binfmts.h 2008-03-24 14:49:18.000000000 -0400
29851 -+++ linux-2.6.24.4/include/linux/binfmts.h 2008-03-26 17:56:56.000000000 -0400
29852 -@@ -49,6 +49,7 @@ struct linux_binprm{
29853 - unsigned interp_data;
29854 - unsigned long loader, exec;
29855 - unsigned long argv_len;
29856 -+ int misc;
29857 - };
29858 -
29859 - #define BINPRM_FLAGS_ENFORCE_NONDUMP_BIT 0
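Review bot: the new `int misc;` member of `struct linux_binprm` carries no comment saying what it holds or which values it may take; the neighbouring members are at least self-describing by name, so please add a one-line comment (or a more specific name) at the declaration so the binfmt loaders that read and write it share one contract.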
29860 -@@ -100,5 +101,8 @@ extern void compute_creds(struct linux_b
29861 - extern int do_coredump(long signr, int exit_code, struct pt_regs * regs);
29862 - extern int set_binfmt(struct linux_binfmt *new);
29863 -
29864 -+void pax_report_fault(struct pt_regs *regs, void *pc, void *sp);
29865 -+void pax_report_insns(void *pc, void *sp);
29866 -+
29867 - #endif /* __KERNEL__ */
29868 - #endif /* _LINUX_BINFMTS_H */
29869 -diff -urNp linux-2.6.24.4/include/linux/cache.h linux-2.6.24.4/include/linux/cache.h
29870 ---- linux-2.6.24.4/include/linux/cache.h 2008-03-24 14:49:18.000000000 -0400
29871 -+++ linux-2.6.24.4/include/linux/cache.h 2008-03-26 17:56:56.000000000 -0400
29872 -@@ -16,6 +16,10 @@
29873 - #define __read_mostly
29874 - #endif
29875 -
29876 -+#ifndef __read_only
29877 -+#define __read_only __read_mostly
29878 -+#endif
29879 -+
29880 - #ifndef ____cacheline_aligned
29881 - #define ____cacheline_aligned __attribute__((__aligned__(SMP_CACHE_BYTES)))
29882 - #endif
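Review bot: defining `__read_only` as a fallback to `__read_mostly` means that on any configuration without its own definition the annotation changes only cache placement and provides no write protection at all, while the name suggests enforcement; add a comment at the `#ifndef __read_only` site saying the fallback is a no-op for protection, so code that assumes `__read_only` data is immutable is not misled on those builds.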
29883 -diff -urNp linux-2.6.24.4/include/linux/capability.h linux-2.6.24.4/include/linux/capability.h
29884 ---- linux-2.6.24.4/include/linux/capability.h 2008-03-24 14:49:18.000000000 -0400
29885 -+++ linux-2.6.24.4/include/linux/capability.h 2008-03-26 17:56:56.000000000 -0400
29886 -@@ -373,6 +373,7 @@ static inline kernel_cap_t cap_invert(ke
29887 - #define cap_is_fs_cap(c) (CAP_TO_MASK(c) & CAP_FS_MASK)
29888 -
29889 - int capable(int cap);
29890 -+int capable_nolog(int cap);
29891 - int __capable(struct task_struct *t, int cap);
29892 -
29893 - #endif /* __KERNEL__ */
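Review bot: `capable_nolog()` is declared beside `capable()` with no comment on when the non-logging variant is appropriate; since silent capability checks are exactly the ones an auditor cannot see, document the intended use at the declaration (for example probing checks whose denial is expected and not a policy violation) so it is not picked by default in new code.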
29894 -diff -urNp linux-2.6.24.4/include/linux/elf.h linux-2.6.24.4/include/linux/elf.h
29895 ---- linux-2.6.24.4/include/linux/elf.h 2008-03-24 14:49:18.000000000 -0400
29896 -+++ linux-2.6.24.4/include/linux/elf.h 2008-03-26 17:56:56.000000000 -0400
29897 -@@ -7,6 +7,10 @@
29898 -
29899 - struct file;
29900 -
29901 -+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
29902 -+#undef elf_read_implies_exec
29903 -+#endif
29904 -+
29905 - #ifndef elf_read_implies_exec
29906 - /* Executables for which elf_read_implies_exec() returns TRUE will
29907 - have the READ_IMPLIES_EXEC personality flag set automatically.
29908 -@@ -48,6 +52,16 @@ typedef __s64 Elf64_Sxword;
29909 -
29910 - #define PT_GNU_STACK (PT_LOOS + 0x474e551)
29911 -
29912 -+#define PT_PAX_FLAGS (PT_LOOS + 0x5041580)
29913 -+
29914 -+/* Constants for the e_flags field */
29915 -+#define EF_PAX_PAGEEXEC 1 /* Paging based non-executable pages */
29916 -+#define EF_PAX_EMUTRAMP 2 /* Emulate trampolines */
29917 -+#define EF_PAX_MPROTECT 4 /* Restrict mprotect() */
29918 -+#define EF_PAX_RANDMMAP 8 /* Randomize mmap() base */
29919 -+/*#define EF_PAX_RANDEXEC 16*/ /* Randomize ET_EXEC base */
29920 -+#define EF_PAX_SEGMEXEC 32 /* Segmentation based non-executable pages */
29921 -+
29922 - /* These constants define the different elf file types */
29923 - #define ET_NONE 0
29924 - #define ET_REL 1
29925 -@@ -82,6 +96,8 @@ typedef __s64 Elf64_Sxword;
29926 - #define DT_DEBUG 21
29927 - #define DT_TEXTREL 22
29928 - #define DT_JMPREL 23
29929 -+#define DT_FLAGS 30
29930 -+ #define DF_TEXTREL 0x00000004
29931 - #define DT_ENCODING 32
29932 - #define OLD_DT_LOOS 0x60000000
29933 - #define DT_LOOS 0x6000000d
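Review bot: the `#define DF_TEXTREL 0x00000004` line carries stray leading whitespace and sits between two `DT_*` tag definitions, so it reads as if it were another dynamic tag number; drop the indentation and add a short comment that `DF_TEXTREL` is a bit value for the `DT_FLAGS` entry defined just above it.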
29934 -@@ -228,6 +244,19 @@ typedef struct elf64_hdr {
29935 - #define PF_W 0x2
29936 - #define PF_X 0x1
29937 -
29938 -+#define PF_PAGEEXEC (1U << 4) /* Enable PAGEEXEC */
29939 -+#define PF_NOPAGEEXEC (1U << 5) /* Disable PAGEEXEC */
29940 -+#define PF_SEGMEXEC (1U << 6) /* Enable SEGMEXEC */
29941 -+#define PF_NOSEGMEXEC (1U << 7) /* Disable SEGMEXEC */
29942 -+#define PF_MPROTECT (1U << 8) /* Enable MPROTECT */
29943 -+#define PF_NOMPROTECT (1U << 9) /* Disable MPROTECT */
29944 -+/*#define PF_RANDEXEC (1U << 10)*/ /* Enable RANDEXEC */
29945 -+/*#define PF_NORANDEXEC (1U << 11)*/ /* Disable RANDEXEC */
29946 -+#define PF_EMUTRAMP (1U << 12) /* Enable EMUTRAMP */
29947 -+#define PF_NOEMUTRAMP (1U << 13) /* Disable EMUTRAMP */
29948 -+#define PF_RANDMMAP (1U << 14) /* Enable RANDMMAP */
29949 -+#define PF_NORANDMMAP (1U << 15) /* Disable RANDMMAP */
29950 -+
29951 - typedef struct elf32_phdr{
29952 - Elf32_Word p_type;
29953 - Elf32_Off p_offset;
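Review bot: each new `PF_*`/`PF_NO*` pair (for example `PF_PAGEEXEC` at bit 4 and `PF_NOPAGEEXEC` at bit 5) can both be set in the same `p_flags` word, and nothing in this hunk states how a header with both bits set is treated; add a comment here giving the precedence (or stating that the combination is rejected) so the loader consuming these flags and any userspace tool setting them agree.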
29954 -@@ -320,6 +349,8 @@ typedef struct elf64_shdr {
29955 - #define EI_OSABI 7
29956 - #define EI_PAD 8
29957 -
29958 -+#define EI_PAX 14
29959 -+
29960 - #define ELFMAG0 0x7f /* EI_MAG */
29961 - #define ELFMAG1 'E'
29962 - #define ELFMAG2 'L'
29963 -@@ -378,6 +409,7 @@ extern Elf32_Dyn _DYNAMIC [];
29964 - #define elf_phdr elf32_phdr
29965 - #define elf_note elf32_note
29966 - #define elf_addr_t Elf32_Off
29967 -+#define elf_dyn Elf32_Dyn
29968 -
29969 - #else
29970 -
29971 -@@ -386,6 +418,7 @@ extern Elf64_Dyn _DYNAMIC [];
29972 - #define elf_phdr elf64_phdr
29973 - #define elf_note elf64_note
29974 - #define elf_addr_t Elf64_Off
29975 -+#define elf_dyn Elf64_Dyn
29976 -
29977 - #endif
29978 -
29979 -diff -urNp linux-2.6.24.4/include/linux/ext4_fs_extents.h linux-2.6.24.4/include/linux/ext4_fs_extents.h
29980 ---- linux-2.6.24.4/include/linux/ext4_fs_extents.h 2008-03-24 14:49:18.000000000 -0400
29981 -+++ linux-2.6.24.4/include/linux/ext4_fs_extents.h 2008-03-26 17:56:56.000000000 -0400
29982 -@@ -50,7 +50,7 @@
29983 - #ifdef EXT_DEBUG
29984 - #define ext_debug(a...) printk(a)
29985 - #else
29986 --#define ext_debug(a...)
29987 -+#define ext_debug(a...) do {} while (0)
29988 - #endif
29989 -
29990 - /*
29991 -diff -urNp linux-2.6.24.4/include/linux/gracl.h linux-2.6.24.4/include/linux/gracl.h
29992 ---- linux-2.6.24.4/include/linux/gracl.h 1969-12-31 19:00:00.000000000 -0500
29993 -+++ linux-2.6.24.4/include/linux/gracl.h 2008-03-26 17:56:56.000000000 -0400
29994 -@@ -0,0 +1,317 @@
29995 -+#ifndef GR_ACL_H
29996 -+#define GR_ACL_H
29997 -+
29998 -+#include <linux/grdefs.h>
29999 -+#include <linux/resource.h>
30000 -+#include <linux/dcache.h>
30001 -+#include <asm/resource.h>
30002 -+
30003 -+/* Major status information */
30004 -+
30005 -+#define GR_VERSION "grsecurity 2.1.11"
30006 -+#define GRSECURITY_VERSION 0x2111
30007 -+
30008 -+enum {
30009 -+
30010 -+ SHUTDOWN = 0,
30011 -+ ENABLE = 1,
30012 -+ SPROLE = 2,
30013 -+ RELOAD = 3,
30014 -+ SEGVMOD = 4,
30015 -+ STATUS = 5,
30016 -+ UNSPROLE = 6,
30017 -+ PASSSET = 7,
30018 -+ SPROLEPAM = 8
30019 -+};
30020 -+
30021 -+/* Password setup definitions
30022 -+ * kernel/grhash.c */
30023 -+enum {
30024 -+ GR_PW_LEN = 128,
30025 -+ GR_SALT_LEN = 16,
30026 -+ GR_SHA_LEN = 32,
30027 -+};
30028 -+
30029 -+enum {
30030 -+ GR_SPROLE_LEN = 64,
30031 -+};
30032 -+
30033 -+#define GR_NLIMITS (RLIMIT_LOCKS + 2)
30034 -+
30035 -+/* Begin Data Structures */
30036 -+
30037 -+struct sprole_pw {
30038 -+ unsigned char *rolename;
30039 -+ unsigned char salt[GR_SALT_LEN];
30040 -+ unsigned char sum[GR_SHA_LEN]; /* 256-bit SHA hash of the password */
30041 -+};
30042 -+
30043 -+struct name_entry {
30044 -+ __u32 key;
30045 -+ ino_t inode;
30046 -+ dev_t device;
30047 -+ char *name;
30048 -+ __u16 len;
30049 -+ __u8 deleted;
30050 -+ struct name_entry *prev;
30051 -+ struct name_entry *next;
30052 -+};
30053 -+
30054 -+struct inodev_entry {
30055 -+ struct name_entry *nentry;
30056 -+ struct inodev_entry *prev;
30057 -+ struct inodev_entry *next;
30058 -+};
30059 -+
30060 -+struct acl_role_db {
30061 -+ struct acl_role_label **r_hash;
30062 -+ __u32 r_size;
30063 -+};
30064 -+
30065 -+struct inodev_db {
30066 -+ struct inodev_entry **i_hash;
30067 -+ __u32 i_size;
30068 -+};
30069 -+
30070 -+struct name_db {
30071 -+ struct name_entry **n_hash;
30072 -+ __u32 n_size;
30073 -+};
30074 -+
30075 -+struct crash_uid {
30076 -+ uid_t uid;
30077 -+ unsigned long expires;
30078 -+};
30079 -+
30080 -+struct gr_hash_struct {
30081 -+ void **table;
30082 -+ void **nametable;
30083 -+ void *first;
30084 -+ __u32 table_size;
30085 -+ __u32 used_size;
30086 -+ int type;
30087 -+};
30088 -+
30089 -+/* Userspace Grsecurity ACL data structures */
30090 -+
30091 -+struct acl_subject_label {
30092 -+ char *filename;
30093 -+ ino_t inode;
30094 -+ dev_t device;
30095 -+ __u32 mode;
30096 -+ __u32 cap_mask;
30097 -+ __u32 cap_lower;
30098 -+
30099 -+ struct rlimit res[GR_NLIMITS];
30100 -+ __u16 resmask;
30101 -+
30102 -+ __u8 user_trans_type;
30103 -+ __u8 group_trans_type;
30104 -+ uid_t *user_transitions;
30105 -+ gid_t *group_transitions;
30106 -+ __u16 user_trans_num;
30107 -+ __u16 group_trans_num;
30108 -+
30109 -+ __u32 ip_proto[8];
30110 -+ __u32 ip_type;
30111 -+ struct acl_ip_label **ips;
30112 -+ __u32 ip_num;
30113 -+
30114 -+ __u32 crashes;
30115 -+ unsigned long expires;
30116 -+
30117 -+ struct acl_subject_label *parent_subject;
30118 -+ struct gr_hash_struct *hash;
30119 -+ struct acl_subject_label *prev;
30120 -+ struct acl_subject_label *next;
30121 -+
30122 -+ struct acl_object_label **obj_hash;
30123 -+ __u32 obj_hash_size;
30124 -+ __u16 pax_flags;
30125 -+};
30126 -+
30127 -+struct role_allowed_ip {
30128 -+ __u32 addr;
30129 -+ __u32 netmask;
30130 -+
30131 -+ struct role_allowed_ip *prev;
30132 -+ struct role_allowed_ip *next;
30133 -+};
30134 -+
30135 -+struct role_transition {
30136 -+ char *rolename;
30137 -+
30138 -+ struct role_transition *prev;
30139 -+ struct role_transition *next;
30140 -+};
30141 -+
30142 -+struct acl_role_label {
30143 -+ char *rolename;
30144 -+ uid_t uidgid;
30145 -+ __u16 roletype;
30146 -+
30147 -+ __u16 auth_attempts;
30148 -+ unsigned long expires;
30149 -+
30150 -+ struct acl_subject_label *root_label;
30151 -+ struct gr_hash_struct *hash;
30152 -+
30153 -+ struct acl_role_label *prev;
30154 -+ struct acl_role_label *next;
30155 -+
30156 -+ struct role_transition *transitions;
30157 -+ struct role_allowed_ip *allowed_ips;
30158 -+ uid_t *domain_children;
30159 -+ __u16 domain_child_num;
30160 -+
30161 -+ struct acl_subject_label **subj_hash;
30162 -+ __u32 subj_hash_size;
30163 -+};
30164 -+
30165 -+struct user_acl_role_db {
30166 -+ struct acl_role_label **r_table;
30167 -+ __u32 num_pointers; /* Number of allocations to track */
30168 -+ __u32 num_roles; /* Number of roles */
30169 -+ __u32 num_domain_children; /* Number of domain children */
30170 -+ __u32 num_subjects; /* Number of subjects */
30171 -+ __u32 num_objects; /* Number of objects */
30172 -+};
30173 -+
30174 -+struct acl_object_label {
30175 -+ char *filename;
30176 -+ ino_t inode;
30177 -+ dev_t device;
30178 -+ __u32 mode;
30179 -+
30180 -+ struct acl_subject_label *nested;
30181 -+ struct acl_object_label *globbed;
30182 -+
30183 -+ /* next two structures not used */
30184 -+
30185 -+ struct acl_object_label *prev;
30186 -+ struct acl_object_label *next;
30187 -+};
30188 -+
30189 -+struct acl_ip_label {
30190 -+ char *iface;
30191 -+ __u32 addr;
30192 -+ __u32 netmask;
30193 -+ __u16 low, high;
30194 -+ __u8 mode;
30195 -+ __u32 type;
30196 -+ __u32 proto[8];
30197 -+
30198 -+ /* next two structures not used */
30199 -+
30200 -+ struct acl_ip_label *prev;
30201 -+ struct acl_ip_label *next;
30202 -+};
30203 -+
30204 -+struct gr_arg {
30205 -+ struct user_acl_role_db role_db;
30206 -+ unsigned char pw[GR_PW_LEN];
30207 -+ unsigned char salt[GR_SALT_LEN];
30208 -+ unsigned char sum[GR_SHA_LEN];
30209 -+ unsigned char sp_role[GR_SPROLE_LEN];
30210 -+ struct sprole_pw *sprole_pws;
30211 -+ dev_t segv_device;
30212 -+ ino_t segv_inode;
30213 -+ uid_t segv_uid;
30214 -+ __u16 num_sprole_pws;
30215 -+ __u16 mode;
30216 -+};
30217 -+
30218 -+struct gr_arg_wrapper {
30219 -+ struct gr_arg *arg;
30220 -+ __u32 version;
30221 -+ __u32 size;
30222 -+};
30223 -+
30224 -+struct subject_map {
30225 -+ struct acl_subject_label *user;
30226 -+ struct acl_subject_label *kernel;
30227 -+ struct subject_map *prev;
30228 -+ struct subject_map *next;
30229 -+};
30230 -+
30231 -+struct acl_subj_map_db {
30232 -+ struct subject_map **s_hash;
30233 -+ __u32 s_size;
30234 -+};
30235 -+
30236 -+/* End Data Structures Section */
30237 -+
30238 -+/* Hash functions generated by empirical testing by Brad Spengler
30239 -+ Makes good use of the low bits of the inode. Generally 0-1 times
30240 -+ in loop for successful match. 0-3 for unsuccessful match.
30241 -+ Shift/add algorithm with modulus of table size and an XOR*/
30242 -+
30243 -+static __inline__ unsigned int
30244 -+rhash(const uid_t uid, const __u16 type, const unsigned int sz)
30245 -+{
30246 -+ return (((uid << type) + (uid ^ type)) % sz);
30247 -+}
30248 -+
30249 -+ static __inline__ unsigned int
30250 -+shash(const struct acl_subject_label *userp, const unsigned int sz)
30251 -+{
30252 -+ return ((const unsigned long)userp % sz);
30253 -+}
30254 -+
30255 -+static __inline__ unsigned int
30256 -+fhash(const ino_t ino, const dev_t dev, const unsigned int sz)
30257 -+{
30258 -+ return (((ino + dev) ^ ((ino << 13) + (ino << 23) + (dev << 9))) % sz);
30259 -+}
30260 -+
30261 -+static __inline__ unsigned int
30262 -+nhash(const char *name, const __u16 len, const unsigned int sz)
30263 -+{
30264 -+ return full_name_hash(name, len) % sz;
30265 -+}
30266 -+
30267 -+#define FOR_EACH_ROLE_START(role,iter) \
30268 -+ role = NULL; \
30269 -+ iter = 0; \
30270 -+ while (iter < acl_role_set.r_size) { \
30271 -+ if (role == NULL) \
30272 -+ role = acl_role_set.r_hash[iter]; \
30273 -+ if (role == NULL) { \
30274 -+ iter++; \
30275 -+ continue; \
30276 -+ }
30277 -+
30278 -+#define FOR_EACH_ROLE_END(role,iter) \
30279 -+ role = role->next; \
30280 -+ if (role == NULL) \
30281 -+ iter++; \
30282 -+ }
30283 -+
30284 -+#define FOR_EACH_SUBJECT_START(role,subj,iter) \
30285 -+ subj = NULL; \
30286 -+ iter = 0; \
30287 -+ while (iter < role->subj_hash_size) { \
30288 -+ if (subj == NULL) \
30289 -+ subj = role->subj_hash[iter]; \
30290 -+ if (subj == NULL) { \
30291 -+ iter++; \
30292 -+ continue; \
30293 -+ }
30294 -+
30295 -+#define FOR_EACH_SUBJECT_END(subj,iter) \
30296 -+ subj = subj->next; \
30297 -+ if (subj == NULL) \
30298 -+ iter++; \
30299 -+ }
30300 -+
30301 -+
30302 -+#define FOR_EACH_NESTED_SUBJECT_START(role,subj) \
30303 -+ subj = role->hash->first; \
30304 -+ while (subj != NULL) {
30305 -+
30306 -+#define FOR_EACH_NESTED_SUBJECT_END(subj) \
30307 -+ subj = subj->next; \
30308 -+ }
30309 -+
30310 -+#endif
30311 -+
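Review bot: `rhash()` computes `uid << type` where `type` is a `__u16`; if the role-type flag values declared in grdefs.h (up to `GR_ROLE_PAM = 0x0400`) can reach this parameter, the shift count exceeds the width of `uid` and the result is undefined in C, making the table index implementation-dependent. Either mask the shift count (e.g. `type & 31`) or document at the function that callers pass only a small type index. Minor: the `static __inline__ unsigned int` line before `shash()` has stray leading whitespace.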
30312 -diff -urNp linux-2.6.24.4/include/linux/gralloc.h linux-2.6.24.4/include/linux/gralloc.h
30313 ---- linux-2.6.24.4/include/linux/gralloc.h 1969-12-31 19:00:00.000000000 -0500
30314 -+++ linux-2.6.24.4/include/linux/gralloc.h 2008-03-26 17:56:56.000000000 -0400
30315 -@@ -0,0 +1,8 @@
30316 -+#ifndef __GRALLOC_H
30317 -+#define __GRALLOC_H
30318 -+
30319 -+void acl_free_all(void);
30320 -+int acl_alloc_stack_init(unsigned long size);
30321 -+void *acl_alloc(unsigned long len);
30322 -+
30323 -+#endif
30324 -diff -urNp linux-2.6.24.4/include/linux/grdefs.h linux-2.6.24.4/include/linux/grdefs.h
30325 ---- linux-2.6.24.4/include/linux/grdefs.h 1969-12-31 19:00:00.000000000 -0500
30326 -+++ linux-2.6.24.4/include/linux/grdefs.h 2008-03-26 17:56:56.000000000 -0400
30327 -@@ -0,0 +1,131 @@
30328 -+#ifndef GRDEFS_H
30329 -+#define GRDEFS_H
30330 -+
30331 -+/* Begin grsecurity status declarations */
30332 -+
30333 -+enum {
30334 -+ GR_READY = 0x01,
30335 -+ GR_STATUS_INIT = 0x00 // disabled state
30336 -+};
30337 -+
30338 -+/* Begin ACL declarations */
30339 -+
30340 -+/* Role flags */
30341 -+
30342 -+enum {
30343 -+ GR_ROLE_USER = 0x0001,
30344 -+ GR_ROLE_GROUP = 0x0002,
30345 -+ GR_ROLE_DEFAULT = 0x0004,
30346 -+ GR_ROLE_SPECIAL = 0x0008,
30347 -+ GR_ROLE_AUTH = 0x0010,
30348 -+ GR_ROLE_NOPW = 0x0020,
30349 -+ GR_ROLE_GOD = 0x0040,
30350 -+ GR_ROLE_LEARN = 0x0080,
30351 -+ GR_ROLE_TPE = 0x0100,
30352 -+ GR_ROLE_DOMAIN = 0x0200,
30353 -+ GR_ROLE_PAM = 0x0400
30354 -+};
30355 -+
30356 -+/* ACL Subject and Object mode flags */
30357 -+enum {
30358 -+ GR_DELETED = 0x80000000
30359 -+};
30360 -+
30361 -+/* ACL Object-only mode flags */
30362 -+enum {
30363 -+ GR_READ = 0x00000001,
30364 -+ GR_APPEND = 0x00000002,
30365 -+ GR_WRITE = 0x00000004,
30366 -+ GR_EXEC = 0x00000008,
30367 -+ GR_FIND = 0x00000010,
30368 -+ GR_INHERIT = 0x00000020,
30369 -+ GR_SETID = 0x00000040,
30370 -+ GR_CREATE = 0x00000080,
30371 -+ GR_DELETE = 0x00000100,
30372 -+ GR_LINK = 0x00000200,
30373 -+ GR_AUDIT_READ = 0x00000400,
30374 -+ GR_AUDIT_APPEND = 0x00000800,
30375 -+ GR_AUDIT_WRITE = 0x00001000,
30376 -+ GR_AUDIT_EXEC = 0x00002000,
30377 -+ GR_AUDIT_FIND = 0x00004000,
30378 -+ GR_AUDIT_INHERIT= 0x00008000,
30379 -+ GR_AUDIT_SETID = 0x00010000,
30380 -+ GR_AUDIT_CREATE = 0x00020000,
30381 -+ GR_AUDIT_DELETE = 0x00040000,
30382 -+ GR_AUDIT_LINK = 0x00080000,
30383 -+ GR_PTRACERD = 0x00100000,
30384 -+ GR_NOPTRACE = 0x00200000,
30385 -+ GR_SUPPRESS = 0x00400000,
30386 -+ GR_NOLEARN = 0x00800000
30387 -+};
30388 -+
30389 -+#define GR_AUDITS (GR_AUDIT_READ | GR_AUDIT_WRITE | GR_AUDIT_APPEND | GR_AUDIT_EXEC | \
30390 -+ GR_AUDIT_FIND | GR_AUDIT_INHERIT | GR_AUDIT_SETID | \
30391 -+ GR_AUDIT_CREATE | GR_AUDIT_DELETE | GR_AUDIT_LINK)
30392 -+
30393 -+/* ACL subject-only mode flags */
30394 -+enum {
30395 -+ GR_KILL = 0x00000001,
30396 -+ GR_VIEW = 0x00000002,
30397 -+ GR_PROTECTED = 0x00000004,
30398 -+ GR_LEARN = 0x00000008,
30399 -+ GR_OVERRIDE = 0x00000010,
30400 -+ /* just a placeholder, this mode is only used in userspace */
30401 -+ GR_DUMMY = 0x00000020,
30402 -+ GR_PROTSHM = 0x00000040,
30403 -+ GR_KILLPROC = 0x00000080,
30404 -+ GR_KILLIPPROC = 0x00000100,
30405 -+ /* just a placeholder, this mode is only used in userspace */
30406 -+ GR_NOTROJAN = 0x00000200,
30407 -+ GR_PROTPROCFD = 0x00000400,
30408 -+ GR_PROCACCT = 0x00000800,
30409 -+ GR_RELAXPTRACE = 0x00001000,
30410 -+ GR_NESTED = 0x00002000,
30411 -+ GR_INHERITLEARN = 0x00004000,
30412 -+ GR_PROCFIND = 0x00008000,
30413 -+ GR_POVERRIDE = 0x00010000,
30414 -+ GR_KERNELAUTH = 0x00020000,
30415 -+};
30416 -+
30417 -+enum {
30418 -+ GR_PAX_ENABLE_SEGMEXEC = 0x0001,
30419 -+ GR_PAX_ENABLE_PAGEEXEC = 0x0002,
30420 -+ GR_PAX_ENABLE_MPROTECT = 0x0004,
30421 -+ GR_PAX_ENABLE_RANDMMAP = 0x0008,
30422 -+ GR_PAX_ENABLE_EMUTRAMP = 0x0010,
30423 -+ GR_PAX_DISABLE_SEGMEXEC = 0x0100,
30424 -+ GR_PAX_DISABLE_PAGEEXEC = 0x0200,
30425 -+ GR_PAX_DISABLE_MPROTECT = 0x0400,
30426 -+ GR_PAX_DISABLE_RANDMMAP = 0x0800,
30427 -+ GR_PAX_DISABLE_EMUTRAMP = 0x1000,
30428 -+};
30429 -+
30430 -+enum {
30431 -+ GR_ID_USER = 0x01,
30432 -+ GR_ID_GROUP = 0x02,
30433 -+};
30434 -+
30435 -+enum {
30436 -+ GR_ID_ALLOW = 0x01,
30437 -+ GR_ID_DENY = 0x02,
30438 -+};
30439 -+
30440 -+#define GR_CRASH_RES 11
30441 -+#define GR_UIDTABLE_MAX 500
30442 -+
30443 -+/* begin resource learning section */
30444 -+enum {
30445 -+ GR_RLIM_CPU_BUMP = 60,
30446 -+ GR_RLIM_FSIZE_BUMP = 50000,
30447 -+ GR_RLIM_DATA_BUMP = 10000,
30448 -+ GR_RLIM_STACK_BUMP = 1000,
30449 -+ GR_RLIM_CORE_BUMP = 10000,
30450 -+ GR_RLIM_RSS_BUMP = 500000,
30451 -+ GR_RLIM_NPROC_BUMP = 1,
30452 -+ GR_RLIM_NOFILE_BUMP = 5,
30453 -+ GR_RLIM_MEMLOCK_BUMP = 50000,
30454 -+ GR_RLIM_AS_BUMP = 500000,
30455 -+ GR_RLIM_LOCKS_BUMP = 2
30456 -+};
30457 -+
30458 -+#endif
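Review bot: `GR_STATUS_INIT = 0x00 // disabled state` uses a C++-style comment, which kernel coding style discourages in headers; switch it to `/* disabled state */`. While here, the two enumerators marked "just a placeholder, this mode is only used in userspace" (`GR_DUMMY`, `GR_NOTROJAN`) would benefit from naming which userspace component consumes them, so the kernel side does not start interpreting those bits by accident.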
30459 -diff -urNp linux-2.6.24.4/include/linux/grinternal.h linux-2.6.24.4/include/linux/grinternal.h
30460 ---- linux-2.6.24.4/include/linux/grinternal.h 1969-12-31 19:00:00.000000000 -0500
30461 -+++ linux-2.6.24.4/include/linux/grinternal.h 2008-03-26 17:56:56.000000000 -0400
30462 -@@ -0,0 +1,210 @@
30463 -+#ifndef __GRINTERNAL_H
30464 -+#define __GRINTERNAL_H
30465 -+
30466 -+#ifdef CONFIG_GRKERNSEC
30467 -+
30468 -+#include <linux/fs.h>
30469 -+#include <linux/gracl.h>
30470 -+#include <linux/grdefs.h>
30471 -+#include <linux/grmsg.h>
30472 -+
30473 -+void gr_add_learn_entry(const char *fmt, ...);
30474 -+__u32 gr_search_file(const struct dentry *dentry, const __u32 mode,
30475 -+ const struct vfsmount *mnt);
30476 -+__u32 gr_check_create(const struct dentry *new_dentry,
30477 -+ const struct dentry *parent,
30478 -+ const struct vfsmount *mnt, const __u32 mode);
30479 -+int gr_check_protected_task(const struct task_struct *task);
30480 -+__u32 to_gr_audit(const __u32 reqmode);
30481 -+int gr_set_acls(const int type);
30482 -+
30483 -+int gr_acl_is_enabled(void);
30484 -+char gr_roletype_to_char(void);
30485 -+
30486 -+void gr_handle_alertkill(struct task_struct *task);
30487 -+char *gr_to_filename(const struct dentry *dentry,
30488 -+ const struct vfsmount *mnt);
30489 -+char *gr_to_filename1(const struct dentry *dentry,
30490 -+ const struct vfsmount *mnt);
30491 -+char *gr_to_filename2(const struct dentry *dentry,
30492 -+ const struct vfsmount *mnt);
30493 -+char *gr_to_filename3(const struct dentry *dentry,
30494 -+ const struct vfsmount *mnt);
30495 -+
30496 -+extern int grsec_enable_link;
30497 -+extern int grsec_enable_fifo;
30498 -+extern int grsec_enable_execve;
30499 -+extern int grsec_enable_shm;
30500 -+extern int grsec_enable_execlog;
30501 -+extern int grsec_enable_signal;
30502 -+extern int grsec_enable_forkfail;
30503 -+extern int grsec_enable_time;
30504 -+extern int grsec_enable_chroot_shmat;
30505 -+extern int grsec_enable_chroot_findtask;
30506 -+extern int grsec_enable_chroot_mount;
30507 -+extern int grsec_enable_chroot_double;
30508 -+extern int grsec_enable_chroot_pivot;
30509 -+extern int grsec_enable_chroot_chdir;
30510 -+extern int grsec_enable_chroot_chmod;
30511 -+extern int grsec_enable_chroot_mknod;
30512 -+extern int grsec_enable_chroot_fchdir;
30513 -+extern int grsec_enable_chroot_nice;
30514 -+extern int grsec_enable_chroot_execlog;
30515 -+extern int grsec_enable_chroot_caps;
30516 -+extern int grsec_enable_chroot_sysctl;
30517 -+extern int grsec_enable_chroot_unix;
30518 -+extern int grsec_enable_tpe;
30519 -+extern int grsec_tpe_gid;
30520 -+extern int grsec_enable_tpe_all;
30521 -+extern int grsec_enable_sidcaps;
30522 -+extern int grsec_enable_socket_all;
30523 -+extern int grsec_socket_all_gid;
30524 -+extern int grsec_enable_socket_client;
30525 -+extern int grsec_socket_client_gid;
30526 -+extern int grsec_enable_socket_server;
30527 -+extern int grsec_socket_server_gid;
30528 -+extern int grsec_audit_gid;
30529 -+extern int grsec_enable_group;
30530 -+extern int grsec_enable_audit_ipc;
30531 -+extern int grsec_enable_audit_textrel;
30532 -+extern int grsec_enable_mount;
30533 -+extern int grsec_enable_chdir;
30534 -+extern int grsec_resource_logging;
30535 -+extern int grsec_lock;
30536 -+
30537 -+extern spinlock_t grsec_alert_lock;
30538 -+extern unsigned long grsec_alert_wtime;
30539 -+extern unsigned long grsec_alert_fyet;
30540 -+
30541 -+extern spinlock_t grsec_audit_lock;
30542 -+
30543 -+extern rwlock_t grsec_exec_file_lock;
30544 -+
30545 -+#define gr_task_fullpath(tsk) (tsk->exec_file ? \
30546 -+ gr_to_filename2(tsk->exec_file->f_dentry, \
30547 -+ tsk->exec_file->f_vfsmnt) : "/")
30548 -+
30549 -+#define gr_parent_task_fullpath(tsk) (tsk->parent->exec_file ? \
30550 -+ gr_to_filename3(tsk->parent->exec_file->f_dentry, \
30551 -+ tsk->parent->exec_file->f_vfsmnt) : "/")
30552 -+
30553 -+#define gr_task_fullpath0(tsk) (tsk->exec_file ? \
30554 -+ gr_to_filename(tsk->exec_file->f_dentry, \
30555 -+ tsk->exec_file->f_vfsmnt) : "/")
30556 -+
30557 -+#define gr_parent_task_fullpath0(tsk) (tsk->parent->exec_file ? \
30558 -+ gr_to_filename1(tsk->parent->exec_file->f_dentry, \
30559 -+ tsk->parent->exec_file->f_vfsmnt) : "/")
30560 -+
30561 -+#define proc_is_chrooted(tsk_a) ((tsk_a->pid > 1) && (tsk_a->fs != NULL) && \
30562 -+ ((tsk_a->fs->root->d_inode->i_sb->s_dev != \
30563 -+ tsk_a->nsproxy->pid_ns->child_reaper->fs->root->d_inode->i_sb->s_dev) || \
30564 -+ (tsk_a->fs->root->d_inode->i_ino != \
30565 -+ tsk_a->nsproxy->pid_ns->child_reaper->fs->root->d_inode->i_ino)))
30566 -+
30567 -+#define have_same_root(tsk_a,tsk_b) ((tsk_a->fs != NULL) && (tsk_b->fs != NULL) && \
30568 -+ (tsk_a->fs->root->d_inode->i_sb->s_dev == \
30569 -+ tsk_b->fs->root->d_inode->i_sb->s_dev) && \
30570 -+ (tsk_a->fs->root->d_inode->i_ino == \
30571 -+ tsk_b->fs->root->d_inode->i_ino))
30572 -+
30573 -+#define DEFAULTSECARGS(task) gr_task_fullpath(task), task->comm, \
30574 -+ task->pid, task->uid, \
30575 -+ task->euid, task->gid, task->egid, \
30576 -+ gr_parent_task_fullpath(task), \
30577 -+ task->parent->comm, task->parent->pid, \
30578 -+ task->parent->uid, task->parent->euid, \
30579 -+ task->parent->gid, task->parent->egid
30580 -+
30581 -+#define GR_CHROOT_CAPS ( \
30582 -+ CAP_TO_MASK(CAP_LINUX_IMMUTABLE) | CAP_TO_MASK(CAP_NET_ADMIN) | \
30583 -+ CAP_TO_MASK(CAP_SYS_MODULE) | CAP_TO_MASK(CAP_SYS_RAWIO) | \
30584 -+ CAP_TO_MASK(CAP_SYS_PACCT) | CAP_TO_MASK(CAP_SYS_ADMIN) | \
30585 -+ CAP_TO_MASK(CAP_SYS_BOOT) | CAP_TO_MASK(CAP_SYS_TIME) | \
30586 -+ CAP_TO_MASK(CAP_NET_RAW) | CAP_TO_MASK(CAP_SYS_TTY_CONFIG) | \
30587 -+ CAP_TO_MASK(CAP_IPC_OWNER))
30588 -+
30589 -+#define security_learn(normal_msg,args...) \
30590 -+({ \
30591 -+ read_lock(&grsec_exec_file_lock); \
30592 -+ gr_add_learn_entry(normal_msg "\n", ## args); \
30593 -+ read_unlock(&grsec_exec_file_lock); \
30594 -+})
30595 -+
30596 -+enum {
30597 -+ GR_DO_AUDIT,
30598 -+ GR_DONT_AUDIT,
30599 -+ GR_DONT_AUDIT_GOOD
30600 -+};
30601 -+
30602 -+enum {
30603 -+ GR_TTYSNIFF,
30604 -+ GR_RBAC,
30605 -+ GR_RBAC_STR,
30606 -+ GR_STR_RBAC,
30607 -+ GR_RBAC_MODE2,
30608 -+ GR_RBAC_MODE3,
30609 -+ GR_FILENAME,
30610 -+ GR_SYSCTL_HIDDEN,
30611 -+ GR_NOARGS,
30612 -+ GR_ONE_INT,
30613 -+ GR_ONE_INT_TWO_STR,
30614 -+ GR_ONE_STR,
30615 -+ GR_STR_INT,
30616 -+ GR_TWO_INT,
30617 -+ GR_THREE_INT,
30618 -+ GR_FIVE_INT_TWO_STR,
30619 -+ GR_TWO_STR,
30620 -+ GR_THREE_STR,
30621 -+ GR_FOUR_STR,
30622 -+ GR_STR_FILENAME,
30623 -+ GR_FILENAME_STR,
30624 -+ GR_FILENAME_TWO_INT,
30625 -+ GR_FILENAME_TWO_INT_STR,
30626 -+ GR_TEXTREL,
30627 -+ GR_PTRACE,
30628 -+ GR_RESOURCE,
30629 -+ GR_CAP,
30630 -+ GR_SIG,
30631 -+ GR_CRASH1,
30632 -+ GR_CRASH2,
30633 -+ GR_PSACCT
30634 -+};
30635 -+
30636 -+#define gr_log_hidden_sysctl(audit, msg, str) gr_log_varargs(audit, msg, GR_SYSCTL_HIDDEN, str)
30637 -+#define gr_log_ttysniff(audit, msg, task) gr_log_varargs(audit, msg, GR_TTYSNIFF, task)
30638 -+#define gr_log_fs_rbac_generic(audit, msg, dentry, mnt) gr_log_varargs(audit, msg, GR_RBAC, dentry, mnt)
30639 -+#define gr_log_fs_rbac_str(audit, msg, dentry, mnt, str) gr_log_varargs(audit, msg, GR_RBAC_STR, dentry, mnt, str)
30640 -+#define gr_log_fs_str_rbac(audit, msg, str, dentry, mnt) gr_log_varargs(audit, msg, GR_STR_RBAC, str, dentry, mnt)
30641 -+#define gr_log_fs_rbac_mode2(audit, msg, dentry, mnt, str1, str2) gr_log_varargs(audit, msg, GR_RBAC_MODE2, dentry, mnt, str1, str2)
30642 -+#define gr_log_fs_rbac_mode3(audit, msg, dentry, mnt, str1, str2, str3) gr_log_varargs(audit, msg, GR_RBAC_MODE3, dentry, mnt, str1, str2, str3)
30643 -+#define gr_log_fs_generic(audit, msg, dentry, mnt) gr_log_varargs(audit, msg, GR_FILENAME, dentry, mnt)
30644 -+#define gr_log_noargs(audit, msg) gr_log_varargs(audit, msg, GR_NOARGS)
30645 -+#define gr_log_int(audit, msg, num) gr_log_varargs(audit, msg, GR_ONE_INT, num)
30646 -+#define gr_log_int_str2(audit, msg, num, str1, str2) gr_log_varargs(audit, msg, GR_ONE_INT_TWO_STR, num, str1, str2)
30647 -+#define gr_log_str(audit, msg, str) gr_log_varargs(audit, msg, GR_ONE_STR, str)
30648 -+#define gr_log_str_int(audit, msg, str, num) gr_log_varargs(audit, msg, GR_STR_INT, str, num)
30649 -+#define gr_log_int_int(audit, msg, num1, num2) gr_log_varargs(audit, msg, GR_TWO_INT, num1, num2)
30650 -+#define gr_log_int3(audit, msg, num1, num2, num3) gr_log_varargs(audit, msg, GR_THREE_INT, num1, num2, num3)
30651 -+#define gr_log_int5_str2(audit, msg, num1, num2, str1, str2) gr_log_varargs(audit, msg, GR_FIVE_INT_TWO_STR, num1, num2, str1, str2)
30652 -+#define gr_log_str_str(audit, msg, str1, str2) gr_log_varargs(audit, msg, GR_TWO_STR, str1, str2)
30653 -+#define gr_log_str3(audit, msg, str1, str2, str3) gr_log_varargs(audit, msg, GR_THREE_STR, str1, str2, str3)
30654 -+#define gr_log_str4(audit, msg, str1, str2, str3, str4) gr_log_varargs(audit, msg, GR_FOUR_STR, str1, str2, str3, str4)
30655 -+#define gr_log_str_fs(audit, msg, str, dentry, mnt) gr_log_varargs(audit, msg, GR_STR_FILENAME, str, dentry, mnt)
30656 -+#define gr_log_fs_str(audit, msg, dentry, mnt, str) gr_log_varargs(audit, msg, GR_FILENAME_STR, dentry, mnt, str)
30657 -+#define gr_log_fs_int2(audit, msg, dentry, mnt, num1, num2) gr_log_varargs(audit, msg, GR_FILENAME_TWO_INT, dentry, mnt, num1, num2)
30658 -+#define gr_log_fs_int2_str(audit, msg, dentry, mnt, num1, num2, str) gr_log_varargs(audit, msg, GR_FILENAME_TWO_INT_STR, dentry, mnt, num1, num2, str)
30659 -+#define gr_log_textrel_ulong_ulong(audit, msg, file, ulong1, ulong2) gr_log_varargs(audit, msg, GR_TEXTREL, file, ulong1, ulong2)
30660 -+#define gr_log_ptrace(audit, msg, task) gr_log_varargs(audit, msg, GR_PTRACE, task)
30661 -+#define gr_log_res_ulong2_str(audit, msg, task, ulong1, str, ulong2) gr_log_varargs(audit, msg, GR_RESOURCE, task, ulong1, str, ulong2)
30662 -+#define gr_log_cap(audit, msg, task, str) gr_log_varargs(audit, msg, GR_CAP, task, str)
30663 -+#define gr_log_sig(audit, msg, task, num) gr_log_varargs(audit, msg, GR_SIG, task, num)
30664 -+#define gr_log_crash1(audit, msg, task, ulong) gr_log_varargs(audit, msg, GR_CRASH1, task, ulong)
30665 -+#define gr_log_crash2(audit, msg, task, ulong1) gr_log_varargs(audit, msg, GR_CRASH2, task, ulong1)
30666 -+#define gr_log_procacct(audit, msg, task, num1, num2, num3, num4, num5, num6, num7, num8, num9) gr_log_varargs(audit, msg, GR_PSACCT, task, num1, num2, num3, num4, num5, num6, num7, num8, num9)
30667 -+
30668 -+void gr_log_varargs(int audit, const char *msg, int argtypes, ...);
30669 -+
30670 -+#endif
30671 -+
30672 -+#endif
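Review bot: `proc_is_chrooted(tsk_a)` and `have_same_root(tsk_a,tsk_b)` check `tsk_a->fs != NULL` but then dereference `tsk_a->nsproxy->pid_ns->child_reaper->fs->root` with no check that `nsproxy`, `pid_ns`, `child_reaper` or its `fs` are non-NULL, and none of these macros parenthesize their arguments, so they are only safe when passed a plain identifier. Either turn them into static inline functions or parenthesize every use of the argument, and state the locking expected when reading another task's `fs`; `DEFAULTSECARGS(task)` likewise reads `task->parent->...` fields for logging without any stated lock.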
30673 -diff -urNp linux-2.6.24.4/include/linux/grmsg.h linux-2.6.24.4/include/linux/grmsg.h
30674 ---- linux-2.6.24.4/include/linux/grmsg.h 1969-12-31 19:00:00.000000000 -0500
30675 -+++ linux-2.6.24.4/include/linux/grmsg.h 2008-03-26 17:56:56.000000000 -0400
30676 -@@ -0,0 +1,108 @@
30677 -+#define DEFAULTSECMSG "%.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u, parent %.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u"
30678 -+#define GR_ACL_PROCACCT_MSG "%.256s[%.16s:%d] IP:%u.%u.%u.%u TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u run time:[%ud %uh %um %us] cpu time:[%ud %uh %um %us] %s with exit code %ld, parent %.256s[%.16s:%d] IP:%u.%u.%u.%u TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u"
30679 -+#define GR_PTRACE_ACL_MSG "denied ptrace of %.950s(%.16s:%d) by "
30680 -+#define GR_STOPMOD_MSG "denied modification of module state by "
30681 -+#define GR_IOPERM_MSG "denied use of ioperm() by "
30682 -+#define GR_IOPL_MSG "denied use of iopl() by "
30683 -+#define GR_SHMAT_ACL_MSG "denied attach of shared memory of UID %u, PID %d, ID %u by "
30684 -+#define GR_UNIX_CHROOT_MSG "denied connect() to abstract AF_UNIX socket outside of chroot by "
30685 -+#define GR_SHMAT_CHROOT_MSG "denied attach of shared memory outside of chroot by "
30686 -+#define GR_KMEM_MSG "denied write of /dev/kmem by "
30687 -+#define GR_PORT_OPEN_MSG "denied open of /dev/port by "
30688 -+#define GR_MEM_WRITE_MSG "denied write of /dev/mem by "
30689 -+#define GR_MEM_MMAP_MSG "denied mmap write of /dev/[k]mem by "
30690 -+#define GR_SYMLINK_MSG "not following symlink %.950s owned by %d.%d by "
30691 -+#define GR_LEARN_AUDIT_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%lu\t%lu\t%.4095s\t%lu\t%u.%u.%u.%u"
30692 -+#define GR_ID_LEARN_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%c\t%d\t%d\t%d\t%u.%u.%u.%u"
30693 -+#define GR_HIDDEN_ACL_MSG "%s access to hidden file %.950s by "
30694 -+#define GR_OPEN_ACL_MSG "%s open of %.950s for%s%s by "
30695 -+#define GR_CREATE_ACL_MSG "%s create of %.950s for%s%s by "
30696 -+#define GR_FIFO_MSG "denied writing FIFO %.950s of %d.%d by "
30697 -+#define GR_MKNOD_CHROOT_MSG "denied mknod of %.950s from chroot by "
30698 -+#define GR_MKNOD_ACL_MSG "%s mknod of %.950s by "
30699 -+#define GR_UNIXCONNECT_ACL_MSG "%s connect() to the unix domain socket %.950s by "
30700 -+#define GR_TTYSNIFF_ACL_MSG "terminal being sniffed by IP:%u.%u.%u.%u %.480s[%.16s:%d], parent %.480s[%.16s:%d] against "
30701 -+#define GR_MKDIR_ACL_MSG "%s mkdir of %.950s by "
30702 -+#define GR_RMDIR_ACL_MSG "%s rmdir of %.950s by "
30703 -+#define GR_UNLINK_ACL_MSG "%s unlink of %.950s by "
30704 -+#define GR_SYMLINK_ACL_MSG "%s symlink from %.480s to %.480s by "
30705 -+#define GR_HARDLINK_MSG "denied hardlink of %.930s (owned by %d.%d) to %.30s for "
30706 -+#define GR_LINK_ACL_MSG "%s link of %.480s to %.480s by "
30707 -+#define GR_INHERIT_ACL_MSG "successful inherit of %.480s's ACL for %.480s by "
30708 -+#define GR_RENAME_ACL_MSG "%s rename of %.480s to %.480s by "
30709 -+#define GR_PTRACE_EXEC_ACL_MSG "denied ptrace of %.950s by "
30710 -+#define GR_NPROC_MSG "denied overstep of process limit by "
30711 -+#define GR_EXEC_ACL_MSG "%s execution of %.950s by "
30712 -+#define GR_EXEC_TPE_MSG "denied untrusted exec of %.950s by "
30713 -+#define GR_SEGVSTART_ACL_MSG "possible exploit bruteforcing on " DEFAULTSECMSG " banning uid %u from login for %lu seconds"
30714 -+#define GR_SEGVNOSUID_ACL_MSG "possible exploit bruteforcing on " DEFAULTSECMSG " banning execution for %lu seconds"
30715 -+#define GR_MOUNT_CHROOT_MSG "denied mount of %.30s as %.930s from chroot by "
30716 -+#define GR_PIVOT_CHROOT_MSG "denied pivot_root from chroot by "
30717 -+#define GR_TRUNCATE_ACL_MSG "%s truncate of %.950s by "
30718 -+#define GR_ATIME_ACL_MSG "%s access time change of %.950s by "
30719 -+#define GR_ACCESS_ACL_MSG "%s access of %.950s for%s%s%s by "
30720 -+#define GR_CHROOT_CHROOT_MSG "denied double chroot to %.950s by "
30721 -+#define GR_FCHMOD_ACL_MSG "%s fchmod of %.950s by "
30722 -+#define GR_CHMOD_CHROOT_MSG "denied chmod +s of %.950s by "
30723 -+#define GR_CHMOD_ACL_MSG "%s chmod of %.950s by "
30724 -+#define GR_CHROOT_FCHDIR_MSG "denied fchdir outside of chroot to %.950s by "
30725 -+#define GR_CHOWN_ACL_MSG "%s chown of %.950s by "
30726 -+#define GR_WRITLIB_ACL_MSG "denied load of writable library %.950s by "
30727 -+#define GR_INITF_ACL_MSG "init_variables() failed %s by "
30728 -+#define GR_DISABLED_ACL_MSG "Error loading %s, trying to run kernel with acls disabled. To disable acls at startup use <kernel image name> gracl=off from your boot loader"
30729 -+#define GR_DEV_ACL_MSG "/dev/grsec: %d bytes sent %d required, being fed garbaged by "
30730 -+#define GR_SHUTS_ACL_MSG "shutdown auth success for "
30731 -+#define GR_SHUTF_ACL_MSG "shutdown auth failure for "
30732 -+#define GR_SHUTI_ACL_MSG "ignoring shutdown for disabled RBAC system for "
30733 -+#define GR_SEGVMODS_ACL_MSG "segvmod auth success for "
30734 -+#define GR_SEGVMODF_ACL_MSG "segvmod auth failure for "
30735 -+#define GR_SEGVMODI_ACL_MSG "ignoring segvmod for disabled RBAC system for "
30736 -+#define GR_ENABLE_ACL_MSG "%s RBAC system loaded by "
30737 -+#define GR_ENABLEF_ACL_MSG "unable to load %s for "
30738 -+#define GR_RELOADI_ACL_MSG "ignoring reload request for disabled RBAC system"
30739 -+#define GR_RELOAD_ACL_MSG "%s RBAC system reloaded by "
30740 -+#define GR_RELOADF_ACL_MSG "failed reload of %s for "
30741 -+#define GR_SPROLEI_ACL_MSG "ignoring change to special role for disabled RBAC system for "
30742 -+#define GR_SPROLES_ACL_MSG "successful change to special role %s (id %d) by "
30743 -+#define GR_SPROLEL_ACL_MSG "special role %s (id %d) exited by "
30744 -+#define GR_SPROLEF_ACL_MSG "special role %s failure for "
30745 -+#define GR_UNSPROLEI_ACL_MSG "ignoring unauth of special role for disabled RBAC system for "
30746 -+#define GR_UNSPROLES_ACL_MSG "successful unauth of special role %s (id %d) by "
30747 -+#define GR_UNSPROLEF_ACL_MSG "special role unauth of %s failure for "
30748 -+#define GR_INVMODE_ACL_MSG "invalid mode %d by "
30749 -+#define GR_PRIORITY_CHROOT_MSG "denied priority change of process (%.16s:%d) by "
30750 -+#define GR_FAILFORK_MSG "failed fork with errno %d by "
30751 -+#define GR_NICE_CHROOT_MSG "denied priority change by "
30752 -+#define GR_UNISIGLOG_MSG "signal %d sent to "
30753 -+#define GR_DUALSIGLOG_MSG "signal %d sent to " DEFAULTSECMSG " by "
30754 -+#define GR_SIG_ACL_MSG "denied send of signal %d to protected task " DEFAULTSECMSG " by "
30755 -+#define GR_SYSCTL_MSG "denied modification of grsecurity sysctl value : %.32s by "
30756 -+#define GR_SYSCTL_ACL_MSG "%s sysctl of %.950s for%s%s by "
30757 -+#define GR_TIME_MSG "time set by "
30758 -+#define GR_DEFACL_MSG "fatal: unable to find subject for (%.16s:%d), loaded by "
30759 -+#define GR_MMAP_ACL_MSG "%s executable mmap of %.950s by "
30760 -+#define GR_MPROTECT_ACL_MSG "%s executable mprotect of %.950s by "
30761 -+#define GR_SOCK_MSG "denied socket(%.16s,%.16s,%.16s) by "
30762 -+#define GR_SOCK2_MSG "denied socket(%d,%.16s,%.16s) by "
30763 -+#define GR_BIND_MSG "denied bind() by "
30764 -+#define GR_CONNECT_MSG "denied connect() by "
30765 -+#define GR_BIND_ACL_MSG "denied bind() to %u.%u.%u.%u port %u sock type %.16s protocol %.16s by "
30766 -+#define GR_CONNECT_ACL_MSG "denied connect() to %u.%u.%u.%u port %u sock type %.16s protocol %.16s by "
30767 -+#define GR_IP_LEARN_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%u.%u.%u.%u\t%u\t%u\t%u\t%u\t%u.%u.%u.%u"
30768 -+#define GR_EXEC_CHROOT_MSG "exec of %.980s within chroot by process "
30769 -+#define GR_CAP_ACL_MSG "use of %s denied for "
30770 -+#define GR_USRCHANGE_ACL_MSG "change to uid %u denied for "
30771 -+#define GR_GRPCHANGE_ACL_MSG "change to gid %u denied for "
30772 -+#define GR_REMOUNT_AUDIT_MSG "remount of %.30s by "
30773 -+#define GR_UNMOUNT_AUDIT_MSG "unmount of %.30s by "
30774 -+#define GR_MOUNT_AUDIT_MSG "mount of %.30s to %.64s by "
30775 -+#define GR_CHDIR_AUDIT_MSG "chdir to %.980s by "
30776 -+#define GR_EXEC_AUDIT_MSG "exec of %.930s (%.128s) by "
30777 -+#define GR_MSGQ_AUDIT_MSG "message queue created by "
30778 -+#define GR_MSGQR_AUDIT_MSG "message queue of uid:%u euid:%u removed by "
30779 -+#define GR_SEM_AUDIT_MSG "semaphore created by "
30780 -+#define GR_SEMR_AUDIT_MSG "semaphore of uid:%u euid:%u removed by "
30781 -+#define GR_SHM_AUDIT_MSG "shared memory of size %d created by "
30782 -+#define GR_SHMR_AUDIT_MSG "shared memory of uid:%u euid:%u removed by "
30783 -+#define GR_RESOURCE_MSG "denied resource overstep by requesting %lu for %.16s against limit %lu for "
30784 -+#define GR_TEXTREL_AUDIT_MSG "text relocation in %s, VMA:0x%08lx 0x%08lx by "
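Review bot: the uid/gid specifiers are inconsistent across these format strings: GR_SYMLINK_MSG, GR_FIFO_MSG and GR_HARDLINK_MSG print owner ids with `%d.%d` while DEFAULTSECMSG and the rest use `%u`, and GR_SHM_AUDIT_MSG prints the size with `%d` although gr_log_shmget() in grsecurity.h takes it as size_t; use `%u` for ids and `%zu` for the size so a log line can never show a negative owner or size. Also "being fed garbaged by" in GR_DEV_ACL_MSG should read "being fed garbage by".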
30785 -diff -urNp linux-2.6.24.4/include/linux/grsecurity.h linux-2.6.24.4/include/linux/grsecurity.h
30786 ---- linux-2.6.24.4/include/linux/grsecurity.h 1969-12-31 19:00:00.000000000 -0500
30787 -+++ linux-2.6.24.4/include/linux/grsecurity.h 2008-03-26 17:56:56.000000000 -0400
30788 -@@ -0,0 +1,197 @@
30789 -+#ifndef GR_SECURITY_H
30790 -+#define GR_SECURITY_H
30791 -+#include <linux/fs.h>
30792 -+#include <linux/binfmts.h>
30793 -+#include <linux/gracl.h>
30794 -+
30795 -+/* notify of brain-dead configs */
30796 -+#if defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_PAGEEXEC) && !defined(CONFIG_PAX_SEGMEXEC)
30797 -+#error "CONFIG_PAX_NOEXEC enabled, but neither PAGEEXEC nor SEGMEXEC are enabled."
30798 -+#endif
30799 -+#if defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_EI_PAX) && !defined(CONFIG_PAX_PT_PAX_FLAGS)
30800 -+#error "CONFIG_PAX_NOEXEC enabled, but neither CONFIG_PAX_EI_PAX nor CONFIG_PAX_PT_PAX_FLAGS are enabled."
30801 -+#endif
30802 -+#if defined(CONFIG_PAX_ASLR) && !defined(CONFIG_PAX_RANDKSTACK) && !defined(CONFIG_PAX_RANDUSTACK) && !defined(CONFIG_PAX_RANDMMAP)
30803 -+#error "CONFIG_PAX_ASLR enabled, but RANDKSTACK, RANDUSTACK, and RANDMMAP are disabled."
30804 -+#endif
30805 -+#if defined(CONFIG_PAX) && !defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_ASLR)
30806 -+#error "CONFIG_PAX enabled, but no PaX options are enabled."
30807 -+#endif
30808 -+
30809 -+void gr_handle_brute_attach(struct task_struct *p);
30810 -+void gr_handle_brute_check(void);
30811 -+
30812 -+char gr_roletype_to_char(void);
30813 -+
30814 -+int gr_check_user_change(int real, int effective, int fs);
30815 -+int gr_check_group_change(int real, int effective, int fs);
30816 -+
30817 -+void gr_del_task_from_ip_table(struct task_struct *p);
30818 -+
30819 -+int gr_pid_is_chrooted(struct task_struct *p);
30820 -+int gr_handle_chroot_nice(void);
30821 -+int gr_handle_chroot_sysctl(const int op);
30822 -+int gr_handle_chroot_setpriority(struct task_struct *p,
30823 -+ const int niceval);
30824 -+int gr_chroot_fchdir(struct dentry *u_dentry, struct vfsmount *u_mnt);
30825 -+int gr_handle_chroot_chroot(const struct dentry *dentry,
30826 -+ const struct vfsmount *mnt);
30827 -+void gr_handle_chroot_caps(struct task_struct *task);
30828 -+void gr_handle_chroot_chdir(struct dentry *dentry, struct vfsmount *mnt);
30829 -+int gr_handle_chroot_chmod(const struct dentry *dentry,
30830 -+ const struct vfsmount *mnt, const int mode);
30831 -+int gr_handle_chroot_mknod(const struct dentry *dentry,
30832 -+ const struct vfsmount *mnt, const int mode);
30833 -+int gr_handle_chroot_mount(const struct dentry *dentry,
30834 -+ const struct vfsmount *mnt,
30835 -+ const char *dev_name);
30836 -+int gr_handle_chroot_pivot(void);
30837 -+int gr_handle_chroot_unix(const pid_t pid);
30838 -+
30839 -+int gr_handle_rawio(const struct inode *inode);
30840 -+int gr_handle_nproc(void);
30841 -+
30842 -+void gr_handle_ioperm(void);
30843 -+void gr_handle_iopl(void);
30844 -+
30845 -+int gr_tpe_allow(const struct file *file);
30846 -+
30847 -+int gr_random_pid(void);
30848 -+
30849 -+void gr_log_forkfail(const int retval);
30850 -+void gr_log_timechange(void);
30851 -+void gr_log_signal(const int sig, const struct task_struct *t);
30852 -+void gr_log_chdir(const struct dentry *dentry,
30853 -+ const struct vfsmount *mnt);
30854 -+void gr_log_chroot_exec(const struct dentry *dentry,
30855 -+ const struct vfsmount *mnt);
30856 -+void gr_handle_exec_args(struct linux_binprm *bprm, char **argv);
30857 -+void gr_log_remount(const char *devname, const int retval);
30858 -+void gr_log_unmount(const char *devname, const int retval);
30859 -+void gr_log_mount(const char *from, const char *to, const int retval);
30860 -+void gr_log_msgget(const int ret, const int msgflg);
30861 -+void gr_log_msgrm(const uid_t uid, const uid_t cuid);
30862 -+void gr_log_semget(const int err, const int semflg);
30863 -+void gr_log_semrm(const uid_t uid, const uid_t cuid);
30864 -+void gr_log_shmget(const int err, const int shmflg, const size_t size);
30865 -+void gr_log_shmrm(const uid_t uid, const uid_t cuid);
30866 -+void gr_log_textrel(struct vm_area_struct *vma);
30867 -+
30868 -+int gr_handle_follow_link(const struct inode *parent,
30869 -+ const struct inode *inode,
30870 -+ const struct dentry *dentry,
30871 -+ const struct vfsmount *mnt);
30872 -+int gr_handle_fifo(const struct dentry *dentry,
30873 -+ const struct vfsmount *mnt,
30874 -+ const struct dentry *dir, const int flag,
30875 -+ const int acc_mode);
30876 -+int gr_handle_hardlink(const struct dentry *dentry,
30877 -+ const struct vfsmount *mnt,
30878 -+ struct inode *inode,
30879 -+ const int mode, const char *to);
30880 -+
30881 -+int gr_task_is_capable(struct task_struct *task, const int cap);
30882 -+int gr_is_capable_nolog(const int cap);
30883 -+void gr_learn_resource(const struct task_struct *task, const int limit,
30884 -+ const unsigned long wanted, const int gt);
30885 -+void gr_copy_label(struct task_struct *tsk);
30886 -+void gr_handle_crash(struct task_struct *task, const int sig);
30887 -+int gr_handle_signal(const struct task_struct *p, const int sig);
30888 -+int gr_check_crash_uid(const uid_t uid);
30889 -+int gr_check_protected_task(const struct task_struct *task);
30890 -+int gr_acl_handle_mmap(const struct file *file,
30891 -+ const unsigned long prot);
30892 -+int gr_acl_handle_mprotect(const struct file *file,
30893 -+ const unsigned long prot);
30894 -+int gr_check_hidden_task(const struct task_struct *tsk);
30895 -+__u32 gr_acl_handle_truncate(const struct dentry *dentry,
30896 -+ const struct vfsmount *mnt);
30897 -+__u32 gr_acl_handle_utime(const struct dentry *dentry,
30898 -+ const struct vfsmount *mnt);
30899 -+__u32 gr_acl_handle_access(const struct dentry *dentry,
30900 -+ const struct vfsmount *mnt, const int fmode);
30901 -+__u32 gr_acl_handle_fchmod(const struct dentry *dentry,
30902 -+ const struct vfsmount *mnt, mode_t mode);
30903 -+__u32 gr_acl_handle_chmod(const struct dentry *dentry,
30904 -+ const struct vfsmount *mnt, mode_t mode);
30905 -+__u32 gr_acl_handle_chown(const struct dentry *dentry,
30906 -+ const struct vfsmount *mnt);
30907 -+int gr_handle_ptrace(struct task_struct *task, const long request);
30908 -+int gr_handle_proc_ptrace(struct task_struct *task);
30909 -+__u32 gr_acl_handle_execve(const struct dentry *dentry,
30910 -+ const struct vfsmount *mnt);
30911 -+int gr_check_crash_exec(const struct file *filp);
30912 -+int gr_acl_is_enabled(void);
30913 -+void gr_set_kernel_label(struct task_struct *task);
30914 -+void gr_set_role_label(struct task_struct *task, const uid_t uid,
30915 -+ const gid_t gid);
30916 -+int gr_set_proc_label(const struct dentry *dentry,
30917 -+ const struct vfsmount *mnt);
30918 -+__u32 gr_acl_handle_hidden_file(const struct dentry *dentry,
30919 -+ const struct vfsmount *mnt);
30920 -+__u32 gr_acl_handle_open(const struct dentry *dentry,
30921 -+ const struct vfsmount *mnt, const int fmode);
30922 -+__u32 gr_acl_handle_creat(const struct dentry *dentry,
30923 -+ const struct dentry *p_dentry,
30924 -+ const struct vfsmount *p_mnt, const int fmode,
30925 -+ const int imode);
30926 -+void gr_handle_create(const struct dentry *dentry,
30927 -+ const struct vfsmount *mnt);
30928 -+__u32 gr_acl_handle_mknod(const struct dentry *new_dentry,
30929 -+ const struct dentry *parent_dentry,
30930 -+ const struct vfsmount *parent_mnt,
30931 -+ const int mode);
30932 -+__u32 gr_acl_handle_mkdir(const struct dentry *new_dentry,
30933 -+ const struct dentry *parent_dentry,
30934 -+ const struct vfsmount *parent_mnt);
30935 -+__u32 gr_acl_handle_rmdir(const struct dentry *dentry,
30936 -+ const struct vfsmount *mnt);
30937 -+void gr_handle_delete(const ino_t ino, const dev_t dev);
30938 -+__u32 gr_acl_handle_unlink(const struct dentry *dentry,
30939 -+ const struct vfsmount *mnt);
30940 -+__u32 gr_acl_handle_symlink(const struct dentry *new_dentry,
30941 -+ const struct dentry *parent_dentry,
30942 -+ const struct vfsmount *parent_mnt,
30943 -+ const char *from);
30944 -+__u32 gr_acl_handle_link(const struct dentry *new_dentry,
30945 -+ const struct dentry *parent_dentry,
30946 -+ const struct vfsmount *parent_mnt,
30947 -+ const struct dentry *old_dentry,
30948 -+ const struct vfsmount *old_mnt, const char *to);
30949 -+int gr_acl_handle_rename(struct dentry *new_dentry,
30950 -+ struct dentry *parent_dentry,
30951 -+ const struct vfsmount *parent_mnt,
30952 -+ struct dentry *old_dentry,
30953 -+ struct inode *old_parent_inode,
30954 -+ struct vfsmount *old_mnt, const char *newname);
30955 -+void gr_handle_rename(struct inode *old_dir, struct inode *new_dir,
30956 -+ struct dentry *old_dentry,
30957 -+ struct dentry *new_dentry,
30958 -+ struct vfsmount *mnt, const __u8 replace);
30959 -+__u32 gr_check_link(const struct dentry *new_dentry,
30960 -+ const struct dentry *parent_dentry,
30961 -+ const struct vfsmount *parent_mnt,
30962 -+ const struct dentry *old_dentry,
30963 -+ const struct vfsmount *old_mnt);
30964 -+int gr_acl_handle_filldir(const struct file *file, const char *name,
30965 -+ const unsigned int namelen, const ino_t ino);
30966 -+
30967 -+__u32 gr_acl_handle_unix(const struct dentry *dentry,
30968 -+ const struct vfsmount *mnt);
30969 -+void gr_acl_handle_exit(void);
30970 -+void gr_acl_handle_psacct(struct task_struct *task, const long code);
30971 -+int gr_acl_handle_procpidmem(const struct task_struct *task);
30972 -+
30973 -+#ifdef CONFIG_GRKERNSEC
30974 -+void gr_handle_mem_write(void);
30975 -+void gr_handle_kmem_write(void);
30976 -+void gr_handle_open_port(void);
30977 -+int gr_handle_mem_mmap(const unsigned long offset,
30978 -+ struct vm_area_struct *vma);
30979 -+
30980 -+extern int grsec_enable_dmesg;
30981 -+extern int grsec_enable_randsrc;
30982 -+extern int grsec_enable_shm;
30983 -+#endif
30984 -+
30985 -+#endif
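Review bot: gr_handle_mem_write(), gr_handle_kmem_write(), gr_handle_open_port() and gr_handle_mem_mmap() are the only prototypes placed under `#ifdef CONFIG_GRKERNSEC`, while every other gr_* function in this header is declared unconditionally; unless their callers in the /dev/mem and /dev/port code carry the same guard, a !CONFIG_GRKERNSEC build fails on an implicit declaration. Declare them like the rest (with stubs where the others have theirs) or add a comment saying why these four differ. Smaller point: gr_check_user_change(int real, int effective, int fs) and gr_check_group_change() take plain int while gr_check_crash_uid() takes uid_t and gr_set_role_label() takes uid_t/gid_t; using uid_t/gid_t throughout avoids sign surprises when the ids are compared.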
30986 -diff -urNp linux-2.6.24.4/include/linux/highmem.h linux-2.6.24.4/include/linux/highmem.h
30987 ---- linux-2.6.24.4/include/linux/highmem.h 2008-03-24 14:49:18.000000000 -0400
30988 -+++ linux-2.6.24.4/include/linux/highmem.h 2008-03-26 17:56:56.000000000 -0400
30989 -@@ -124,6 +124,13 @@ static inline void clear_highpage(struct
30990 - kunmap_atomic(kaddr, KM_USER0);
30991 - }
30992 -
30993 -+static inline void sanitize_highpage(struct page *page)
30994 -+{
30995 -+ void *kaddr = kmap_atomic(page, KM_CLEARPAGE);
30996 -+ clear_page(kaddr);
30997 -+ kunmap_atomic(kaddr, KM_CLEARPAGE);
30998 -+}
30999 -+
31000 - /*
31001 - * Same but also flushes aliased cache contents to RAM.
31002 - *
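Review bot: sanitize_highpage() is clear_highpage() with KM_CLEARPAGE in place of KM_USER0 and carries no comment on why a separate kmap slot is needed; add one stating which context calls it and why that context cannot use KM_USER0, so nobody later folds it back into clear_highpage(). If KM_CLEARPAGE is a new enum km_type value, the corresponding asm-*/kmap_types.h hunk should be referenced from here.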
31003 -@@ -132,14 +139,14 @@ static inline void clear_highpage(struct
31004 - */
31005 - #define zero_user_page(page, offset, size, km_type) \
31006 - do { \
31007 -- void *kaddr; \
31008 -+ void *__kaddr; \
31009 - \
31010 - BUG_ON((offset) + (size) > PAGE_SIZE); \
31011 - \
31012 -- kaddr = kmap_atomic(page, km_type); \
31013 -- memset((char *)kaddr + (offset), 0, (size)); \
31014 -+ __kaddr = kmap_atomic(page, km_type); \
31015 -+ memset((char *)__kaddr + (offset), 0, (size)); \
31016 - flush_dcache_page(page); \
31017 -- kunmap_atomic(kaddr, (km_type)); \
31018 -+ kunmap_atomic(__kaddr, (km_type)); \
31019 - } while (0)
31020 -
31021 - static inline void __deprecated memclear_highpage_flush(struct page *page,
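Review bot: the reason for renaming kaddr to __kaddr in zero_user_page() belongs in the changelog: the macro body expands into the caller's scope, so a caller whose `page`, `offset` or `size` argument mentions its own `kaddr` would silently pick up the macro's uninitialised local instead. The double-underscore prefix is the usual kernel convention for macro-local names, so the naming is consistent with surrounding code.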
31022 -diff -urNp linux-2.6.24.4/include/linux/init_task.h linux-2.6.24.4/include/linux/init_task.h
31023 ---- linux-2.6.24.4/include/linux/init_task.h 2008-03-24 14:49:18.000000000 -0400
31024 -+++ linux-2.6.24.4/include/linux/init_task.h 2008-03-26 17:56:56.000000000 -0400
31025 -@@ -121,7 +121,7 @@ extern struct group_info init_groups;
31026 - #define INIT_TASK(tsk) \
31027 - { \
31028 - .state = 0, \
31029 -- .stack = &init_thread_info, \
31030 -+ .stack = &init_thread_union, \
31031 - .usage = ATOMIC_INIT(2), \
31032 - .flags = 0, \
31033 - .lock_depth = -1, \
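Review bot: no behaviour changes here and the changelog should say so: init_thread_info is the thread_info member at the start of init_thread_union, so `&init_thread_union` and `&init_thread_info` are the same address, and this line only adjusts the static type to match the `union thread_union *stack` member introduced in sched.h. Without that note the hunk reads as a change to where init's stack lives.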
31034 -diff -urNp linux-2.6.24.4/include/linux/irqflags.h linux-2.6.24.4/include/linux/irqflags.h
31035 ---- linux-2.6.24.4/include/linux/irqflags.h 2008-03-24 14:49:18.000000000 -0400
31036 -+++ linux-2.6.24.4/include/linux/irqflags.h 2008-03-26 17:56:56.000000000 -0400
31037 -@@ -84,10 +84,10 @@
31038 -
31039 - #define irqs_disabled() \
31040 - ({ \
31041 -- unsigned long flags; \
31042 -+ unsigned long __flags; \
31043 - \
31044 -- raw_local_save_flags(flags); \
31045 -- raw_irqs_disabled_flags(flags); \
31046 -+ raw_local_save_flags(__flags); \
31047 -+ raw_irqs_disabled_flags(__flags); \
31048 - })
31049 -
31050 - #define irqs_disabled_flags(flags) raw_irqs_disabled_flags(flags)
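Review bot: irqs_disabled() takes no arguments, so renaming the local to __flags cannot change what the macro computes; the only effect is to silence -Wshadow in callers that have their own `flags` variable. Worth one line in the changelog so the hunk is not mistaken for a fix.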
31051 -diff -urNp linux-2.6.24.4/include/linux/jbd2.h linux-2.6.24.4/include/linux/jbd2.h
31052 ---- linux-2.6.24.4/include/linux/jbd2.h 2008-03-24 14:49:18.000000000 -0400
31053 -+++ linux-2.6.24.4/include/linux/jbd2.h 2008-03-26 17:56:56.000000000 -0400
31054 -@@ -68,7 +68,7 @@ extern u8 jbd2_journal_enable_debug;
31055 - } \
31056 - } while (0)
31057 - #else
31058 --#define jbd_debug(f, a...) /**/
31059 -+#define jbd_debug(f, a...) do {} while (0)
31060 - #endif
31061 -
31062 - static inline void *jbd2_alloc(size_t size, gfp_t flags)
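Review bot: `do {} while (0)` is the right replacement for the empty `/**/` expansion, but the reason belongs in the changelog: with an empty expansion `if (x) jbd_debug(...);` collapses to `if (x) ;`, which gcc flags with -Wempty-body, and the debug arguments are not evaluated in either form, so nothing changes at run time. The identical edit to include/linux/jbd.h in the next hunk should be described together with this one.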
31063 -diff -urNp linux-2.6.24.4/include/linux/jbd.h linux-2.6.24.4/include/linux/jbd.h
31064 ---- linux-2.6.24.4/include/linux/jbd.h 2008-03-24 14:49:18.000000000 -0400
31065 -+++ linux-2.6.24.4/include/linux/jbd.h 2008-03-26 17:56:56.000000000 -0400
31066 -@@ -69,7 +69,7 @@ extern u8 journal_enable_debug;
31067 - } \
31068 - } while (0)
31069 - #else
31070 --#define jbd_debug(f, a...) /**/
31071 -+#define jbd_debug(f, a...) do {} while (0)
31072 - #endif
31073 -
31074 - static inline void *jbd_alloc(size_t size, gfp_t flags)
31075 -diff -urNp linux-2.6.24.4/include/linux/libata.h linux-2.6.24.4/include/linux/libata.h
31076 ---- linux-2.6.24.4/include/linux/libata.h 2008-03-24 14:49:18.000000000 -0400
31077 -+++ linux-2.6.24.4/include/linux/libata.h 2008-03-26 17:56:56.000000000 -0400
31078 -@@ -62,11 +62,11 @@
31079 - #ifdef ATA_VERBOSE_DEBUG
31080 - #define VPRINTK(fmt, args...) printk(KERN_ERR "%s: " fmt, __FUNCTION__, ## args)
31081 - #else
31082 --#define VPRINTK(fmt, args...)
31083 -+#define VPRINTK(fmt, args...) do {} while (0)
31084 - #endif /* ATA_VERBOSE_DEBUG */
31085 - #else
31086 --#define DPRINTK(fmt, args...)
31087 --#define VPRINTK(fmt, args...)
31088 -+#define DPRINTK(fmt, args...) do {} while (0)
31089 -+#define VPRINTK(fmt, args...) do {} while (0)
31090 - #endif /* ATA_DEBUG */
31091 -
31092 - #define BPRINTK(fmt, args...) if (ap->flags & ATA_FLAG_DEBUGMSG) printk(KERN_ERR "%s: " fmt, __FUNCTION__, ## args)
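Review bot: BPRINTK on the last context line is still a bare `if (ap->flags & ATA_FLAG_DEBUGMSG) printk(...)` with no do/while wrapper, so it keeps exactly the dangling-else hazard this hunk removes from DPRINTK and VPRINTK (`if (c) BPRINTK(...); else ...;` binds the else to the inner if); wrap it as `do { if (ap->flags & ATA_FLAG_DEBUGMSG) printk(...); } while (0)` in the same patch.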
31093 -diff -urNp linux-2.6.24.4/include/linux/mm.h linux-2.6.24.4/include/linux/mm.h
31094 ---- linux-2.6.24.4/include/linux/mm.h 2008-03-24 14:49:18.000000000 -0400
31095 -+++ linux-2.6.24.4/include/linux/mm.h 2008-03-26 17:56:56.000000000 -0400
31096 -@@ -37,6 +37,7 @@ extern int sysctl_legacy_va_layout;
31097 - #include <asm/page.h>
31098 - #include <asm/pgtable.h>
31099 - #include <asm/processor.h>
31100 -+#include <asm/mman.h>
31101 -
31102 - #define nth_page(page,n) pfn_to_page(page_to_pfn((page)) + (n))
31103 -
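Review bot: nothing in this file's hunks uses anything from <asm/mman.h>, so it is unclear why the include is added to linux/mm.h rather than to the .c file that needs the PROT_*/MAP_* definitions; if an inline in mm.h needs it, name that inline in the changelog, otherwise move the include to the consumer. Pulling asm/mman.h into everything that includes linux/mm.h also widens the macro namespace for all of those files.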
31104 -@@ -107,6 +108,14 @@ extern unsigned int kobjsize(const void
31105 -
31106 - #define VM_CAN_NONLINEAR 0x08000000 /* Has ->fault & does nonlinear pages */
31107 -
31108 -+#ifdef CONFIG_PAX_PAGEEXEC
31109 -+#define VM_PAGEEXEC 0x10000000 /* vma->vm_page_prot needs special handling */
31110 -+#endif
31111 -+
31112 -+#ifdef CONFIG_PAX_MPROTECT
31113 -+#define VM_MAYNOTWRITE 0x20000000 /* vma cannot be granted VM_WRITE any more */
31114 -+#endif
31115 -+
31116 - #ifndef VM_STACK_DEFAULT_FLAGS /* arch can override this */
31117 - #define VM_STACK_DEFAULT_FLAGS VM_DATA_DEFAULT_FLAGS
31118 - #endif
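Review bot: VM_PAGEEXEC (0x10000000) and VM_MAYNOTWRITE (0x20000000) sit right above VM_CAN_NONLINEAR (0x08000000), the highest upstream vm_flags bit visible here, with nothing to catch a future upstream flag taking the same value; add a comment marking these as PaX-reserved bits. Since they only exist under CONFIG_PAX_PAGEEXEC/CONFIG_PAX_MPROTECT, either provide 0 fallbacks in the #else case or keep every use under the same #ifdef so a build without PaX does not hit an undefined identifier.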
31119 -@@ -792,6 +801,8 @@ struct shrinker {
31120 - extern void register_shrinker(struct shrinker *);
31121 - extern void unregister_shrinker(struct shrinker *);
31122 -
31123 -+pgprot_t vm_get_page_prot(unsigned long vm_flags);
31124 -+
31125 - int vma_wants_writenotify(struct vm_area_struct *vma);
31126 -
31127 - extern pte_t *FASTCALL(get_locked_pte(struct mm_struct *mm, unsigned long addr, spinlock_t **ptl));
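Review bot: the changelog should name which inline needs vm_get_page_prot() declared this early in the header, since the prototype is only moved here (the old copy is removed in the -1086,7 +1102,6 hunk further down) and the two hunks otherwise read as an unrelated add and delete.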
31128 -@@ -1018,6 +1029,7 @@ out:
31129 - }
31130 -
31131 - extern int do_munmap(struct mm_struct *, unsigned long, size_t);
31132 -+extern int __do_munmap(struct mm_struct *, unsigned long, size_t);
31133 -
31134 - extern unsigned long do_brk(unsigned long, unsigned long);
31135 -
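Review bot: `__do_munmap()` is exported with exactly the signature of do_munmap() and no comment on how the two differ (locking expectations, whether the mirror VMA is handled, who may call it); the double-underscore prefix conventionally means "caller holds the lock / no checks", so state which contract this one has next to the prototype.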
31136 -@@ -1070,6 +1082,10 @@ extern struct vm_area_struct * find_vma(
31137 - extern struct vm_area_struct * find_vma_prev(struct mm_struct * mm, unsigned long addr,
31138 - struct vm_area_struct **pprev);
31139 -
31140 -+extern struct vm_area_struct *pax_find_mirror_vma(struct vm_area_struct *vma);
31141 -+extern void pax_mirror_vma(struct vm_area_struct *vma_m, struct vm_area_struct *vma);
31142 -+extern void pax_mirror_file_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m, spinlock_t *ptl);
31143 -+
31144 - /* Look up the first VMA which intersects the interval start_addr..end_addr-1,
31145 - NULL if none. Assume start_addr < end_addr. */
31146 - static inline struct vm_area_struct * find_vma_intersection(struct mm_struct * mm, unsigned long start_addr, unsigned long end_addr)
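Review bot: pax_find_mirror_vma(), pax_mirror_vma() and pax_mirror_file_pte() are declared unconditionally, unlike track_exec_limit() at the end of this file which gets a static inline stub under #else; guard these with the PaX option the mirror VMA machinery belongs to and provide stubs the same way, so callers in mm/*.c need no #ifdef of their own and a non-PaX build fails at compile time rather than at link time if a call is missed.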
31147 -@@ -1086,7 +1102,6 @@ static inline unsigned long vma_pages(st
31148 - return (vma->vm_end - vma->vm_start) >> PAGE_SHIFT;
31149 - }
31150 -
31151 --pgprot_t vm_get_page_prot(unsigned long vm_flags);
31152 - struct vm_area_struct *find_extend_vma(struct mm_struct *, unsigned long addr);
31153 - struct page *vmalloc_to_page(void *addr);
31154 - unsigned long vmalloc_to_pfn(void *addr);
31155 -@@ -1157,5 +1172,11 @@ int vmemmap_populate_basepages(struct pa
31156 - unsigned long pages, int node);
31157 - int vmemmap_populate(struct page *start_page, unsigned long pages, int node);
31158 -
31159 -+#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
31160 -+extern void track_exec_limit(struct mm_struct *mm, unsigned long start, unsigned long end, unsigned long prot);
31161 -+#else
31162 -+static inline void track_exec_limit(struct mm_struct *mm, unsigned long start, unsigned long end, unsigned long prot) {}
31163 -+#endif
31164 -+
31165 - #endif /* __KERNEL__ */
31166 - #endif /* _LINUX_MM_H */
31167 -diff -urNp linux-2.6.24.4/include/linux/mm_types.h linux-2.6.24.4/include/linux/mm_types.h
31168 ---- linux-2.6.24.4/include/linux/mm_types.h 2008-03-24 14:49:18.000000000 -0400
31169 -+++ linux-2.6.24.4/include/linux/mm_types.h 2008-03-26 17:56:56.000000000 -0400
31170 -@@ -151,6 +151,8 @@ struct vm_area_struct {
31171 - #ifdef CONFIG_NUMA
31172 - struct mempolicy *vm_policy; /* NUMA policy for the VMA */
31173 - #endif
31174 -+
31175 -+ struct vm_area_struct *vm_mirror;/* PaX: mirror vma or NULL */
31176 - };
31177 -
31178 - struct mm_struct {
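Review bot: `vm_mirror` is added to struct vm_area_struct unconditionally, so every VMA on every configuration grows by one pointer even with PaX disabled; put it under the same option that guards the pax_mirror_* prototypes in mm.h, and make sure every place that allocates or copies a vm_area_struct (fork, split, merge) initialises it, because a stale mirror pointer here is a use-after-free in waiting.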
31179 -@@ -219,6 +221,24 @@ struct mm_struct {
31180 - /* aio bits */
31181 - rwlock_t ioctx_list_lock;
31182 - struct kioctx *ioctx_list;
31183 -+
31184 -+#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS) || defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
31185 -+ unsigned long pax_flags;
31186 -+#endif
31187 -+
31188 -+#ifdef CONFIG_PAX_DLRESOLVE
31189 -+ unsigned long call_dl_resolve;
31190 -+#endif
31191 -+
31192 -+#if defined(CONFIG_PPC32) && defined(CONFIG_PAX_EMUSIGRT)
31193 -+ unsigned long call_syscall;
31194 -+#endif
31195 -+
31196 -+#ifdef CONFIG_PAX_ASLR
31197 -+ unsigned long delta_mmap; /* randomized offset */
31198 -+ unsigned long delta_stack; /* randomized offset */
31199 -+#endif
31200 -+
31201 - };
31202 -
31203 - #endif /* _LINUX_MM_TYPES_H */
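Review bot: pax_flags carries no comment on what it holds; say that it is the MF_PAX_* bit set (MF_PAX_PAGEEXEC is defined in sched.h in this patch) and whether it is inherited across exec or recomputed from the ELF marking. The #if for it lists CONFIG_PAX_EI_PAX, PT_PAX_FLAGS, NOEXEC and ASLR; given the #error checks in grsecurity.h, NOEXEC already implies one of the first two, so the condition could be expressed as "a marking method or ASLR", or left as is with a comment. The extra blank line before `};` is a nit.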
31204 -diff -urNp linux-2.6.24.4/include/linux/module.h linux-2.6.24.4/include/linux/module.h
31205 ---- linux-2.6.24.4/include/linux/module.h 2008-03-24 14:49:18.000000000 -0400
31206 -+++ linux-2.6.24.4/include/linux/module.h 2008-03-26 17:56:56.000000000 -0400
31207 -@@ -296,16 +296,16 @@ struct module
31208 - int (*init)(void);
31209 -
31210 - /* If this is non-NULL, vfree after init() returns */
31211 -- void *module_init;
31212 -+ void *module_init_rx, *module_init_rw;
31213 -
31214 - /* Here is the actual code + data, vfree'd on unload. */
31215 -- void *module_core;
31216 -+ void *module_core_rx, *module_core_rw;
31217 -
31218 - /* Here are the sizes of the init and core sections */
31219 -- unsigned long init_size, core_size;
31220 -+ unsigned long init_size_rw, core_size_rw;
31221 -
31222 - /* The size of the executable code in each section. */
31223 -- unsigned long init_text_size, core_text_size;
31224 -+ unsigned long init_size_rx, core_size_rx;
31225 -
31226 - /* The handle returned from unwind_add_table. */
31227 - void *unwind_info;
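Review bot: the comments above the renamed fields are now stale: "Here are the sizes of the init and core sections" sits above init_size_rw/core_size_rw, which are no longer whole-section sizes, and "The size of the executable code in each section" above init_size_rx/core_size_rx is only right if nothing but code goes into the rx half. Update both to describe the rw/rx split (what lands in each half, and whether a total is rx+rw). Renaming rather than adding fields is the right call: any consumer of module_core or core_size that is not updated (kallsyms, oops symbol lookup, /proc/modules) fails to compile instead of silently reading the wrong half.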
31228 -diff -urNp linux-2.6.24.4/include/linux/moduleloader.h linux-2.6.24.4/include/linux/moduleloader.h
31229 ---- linux-2.6.24.4/include/linux/moduleloader.h 2008-03-24 14:49:18.000000000 -0400
31230 -+++ linux-2.6.24.4/include/linux/moduleloader.h 2008-03-26 17:56:56.000000000 -0400
31231 -@@ -17,9 +17,21 @@ int module_frob_arch_sections(Elf_Ehdr *
31232 - sections. Returns NULL on failure. */
31233 - void *module_alloc(unsigned long size);
31234 -
31235 -+#ifdef CONFIG_PAX_KERNEXEC
31236 -+void *module_alloc_exec(unsigned long size);
31237 -+#else
31238 -+#define module_alloc_exec(x) module_alloc(x)
31239 -+#endif
31240 -+
31241 - /* Free memory returned from module_alloc. */
31242 - void module_free(struct module *mod, void *module_region);
31243 -
31244 -+#ifdef CONFIG_PAX_KERNEXEC
31245 -+void module_free_exec(struct module *mod, void *module_region);
31246 -+#else
31247 -+#define module_free_exec(x, y) module_free(x, y)
31248 -+#endif
31249 -+
31250 - /* Apply the given relocation to the (simplified) ELF. Return -error
31251 - or 0. */
31252 - int apply_relocate(Elf_Shdr *sechdrs,
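Review bot: the comment "Free memory returned from module_alloc." has no counterpart for module_free_exec(); add one saying it is only for memory from module_alloc_exec(), since with CONFIG_PAX_KERNEXEC the two allocators presumably hand out different mappings and freeing across them is exactly the mistake the non-KERNEXEC macro fallback would hide. The `#define module_free_exec(x, y) module_free(x, y)` fallback is fine, but a static inline would give the same argument type checking in both configurations.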
31253 -diff -urNp linux-2.6.24.4/include/linux/namei.h linux-2.6.24.4/include/linux/namei.h
31254 ---- linux-2.6.24.4/include/linux/namei.h 2008-03-24 14:49:18.000000000 -0400
31255 -+++ linux-2.6.24.4/include/linux/namei.h 2008-03-26 17:56:56.000000000 -0400
31256 -@@ -21,7 +21,7 @@ struct nameidata {
31257 - unsigned int flags;
31258 - int last_type;
31259 - unsigned depth;
31260 -- char *saved_names[MAX_NESTED_LINKS + 1];
31261 -+ const char *saved_names[MAX_NESTED_LINKS + 1];
31262 -
31263 - /* Intent data */
31264 - union {
31265 -@@ -90,12 +90,12 @@ extern int follow_up(struct vfsmount **,
31266 - extern struct dentry *lock_rename(struct dentry *, struct dentry *);
31267 - extern void unlock_rename(struct dentry *, struct dentry *);
31268 -
31269 --static inline void nd_set_link(struct nameidata *nd, char *path)
31270 -+static inline void nd_set_link(struct nameidata *nd, const char *path)
31271 - {
31272 - nd->saved_names[nd->depth] = path;
31273 - }
31274 -
31275 --static inline char *nd_get_link(struct nameidata *nd)
31276 -+static inline const char *nd_get_link(struct nameidata *nd)
31277 - {
31278 - return nd->saved_names[nd->depth];
31279 - }
31280 -diff -urNp linux-2.6.24.4/include/linux/percpu.h linux-2.6.24.4/include/linux/percpu.h
31281 ---- linux-2.6.24.4/include/linux/percpu.h 2008-03-24 14:49:18.000000000 -0400
31282 -+++ linux-2.6.24.4/include/linux/percpu.h 2008-03-26 17:56:56.000000000 -0400
31283 -@@ -18,7 +18,7 @@
31284 - #endif
31285 -
31286 - #define PERCPU_ENOUGH_ROOM \
31287 -- (__per_cpu_end - __per_cpu_start + PERCPU_MODULE_RESERVE)
31288 -+ ((unsigned long)(__per_cpu_end - __per_cpu_start + PERCPU_MODULE_RESERVE))
31289 - #endif /* PERCPU_ENOUGH_ROOM */
31290 -
31291 - /*
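Review bot: casting `__per_cpu_end - __per_cpu_start + PERCPU_MODULE_RESERVE` to unsigned long changes the type of PERCPU_ENOUGH_ROOM from a signed pointer difference to unsigned without changing its value; say why in the changelog, since the visible effect is on comparisons against size_t values (signed/unsigned warnings), and a one-line comment on the macro would save the next reader the same investigation.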
31292 -diff -urNp linux-2.6.24.4/include/linux/poison.h linux-2.6.24.4/include/linux/poison.h
31293 ---- linux-2.6.24.4/include/linux/poison.h 2008-03-24 14:49:18.000000000 -0400
31294 -+++ linux-2.6.24.4/include/linux/poison.h 2008-03-26 17:56:56.000000000 -0400
31295 -@@ -7,8 +7,8 @@
31296 - * under normal circumstances, used to verify that nobody uses
31297 - * non-initialized list entries.
31298 - */
31299 --#define LIST_POISON1 ((void *) 0x00100100)
31300 --#define LIST_POISON2 ((void *) 0x00200200)
31301 -+#define LIST_POISON1 ((void *) 0xFF1001FFFF1001FFULL)
31302 -+#define LIST_POISON2 ((void *) 0xFF2002FFFF2002FFULL)
31303 -
31304 - /********** mm/slab.c **********/
31305 - /*
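Review bot: 0xFF1001FFFF1001FFULL cast to `void *` truncates on 32-bit targets (gcc warns "cast to pointer from integer of different size") and leaves LIST_POISON1 at 0xFF1001FF there, so the intent needs writing down and the values chosen per word size: on 64-bit the new constants are non-canonical and any dereference faults, which is the point, whereas the old 0x00100100/0x00200200 lie in the user address range and can be backed by a user mapping, turning a poisoned-list dereference in the kernel into a read or write of attacker-controlled memory. Select the constants under `#ifdef CONFIG_64BIT` and extend the comment above, which still only says "page faults under normal circumstances", with the kernel-space/non-canonical requirement.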
31306 -diff -urNp linux-2.6.24.4/include/linux/random.h linux-2.6.24.4/include/linux/random.h
31307 ---- linux-2.6.24.4/include/linux/random.h 2008-03-24 14:49:18.000000000 -0400
31308 -+++ linux-2.6.24.4/include/linux/random.h 2008-03-26 17:56:56.000000000 -0400
31309 -@@ -72,6 +72,11 @@ unsigned long randomize_range(unsigned l
31310 - u32 random32(void);
31311 - void srandom32(u32 seed);
31312 -
31313 -+static inline unsigned long pax_get_random_long(void)
31314 -+{
31315 -+ return random32() + (sizeof(long) > 4 ? (unsigned long)random32() << 32 : 0);
31316 -+}
31317 -+
31318 - #endif /* __KERNEL___ */
31319 -
31320 - #endif /* _LINUX_RANDOM_H */
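Review bot: `(unsigned long)random32() << 32` is dead on 32-bit because of the `sizeof(long) > 4` test, but it is still compiled there and gcc warns "left shift count >= width of type"; and random32() is the Tausworthe PRNG, not a cryptographic source, so its state can be recovered from observed outputs. If pax_get_random_long() feeds delta_mmap/delta_stack in mm_struct, either document why the fast non-crypto generator is acceptable for ASLR or draw the bits from get_random_int()/get_random_bytes(), and split the 64-bit composition under `#if BITS_PER_LONG == 64` to remove the shift warning.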
31321 -diff -urNp linux-2.6.24.4/include/linux/sched.h linux-2.6.24.4/include/linux/sched.h
31322 ---- linux-2.6.24.4/include/linux/sched.h 2008-03-24 14:49:18.000000000 -0400
31323 -+++ linux-2.6.24.4/include/linux/sched.h 2008-03-26 17:56:56.000000000 -0400
31324 -@@ -94,6 +94,7 @@ struct sched_param {
31325 - struct exec_domain;
31326 - struct futex_pi_state;
31327 - struct bio;
31328 -+struct linux_binprm;
31329 -
31330 - /*
31331 - * List of flags we want to share for kernel threads,
31332 -@@ -507,6 +508,15 @@ struct signal_struct {
31333 - unsigned audit_tty;
31334 - struct tty_audit_buf *tty_audit_buf;
31335 - #endif
31336 -+
31337 -+#ifdef CONFIG_GRKERNSEC
31338 -+ u32 curr_ip;
31339 -+ u32 gr_saddr;
31340 -+ u32 gr_daddr;
31341 -+ u16 gr_sport;
31342 -+ u16 gr_dport;
31343 -+ u8 used_accept:1;
31344 -+#endif
31345 - };
31346 -
31347 - /* Context switch must be unlocked if interrupts are to be enabled */
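Review bot: `u32 curr_ip`, `u32 gr_saddr` and `u32 gr_daddr` only hold IPv4 addresses, so whatever fills them for an AF_INET6 socket either leaves zeros or stores a mapped address; document the intended behaviour for IPv6 next to the fields. These live in `struct signal_struct`, which is shared by all threads of a process, so the comment should also state which lock covers updates to `curr_ip`, `gr_sport`/`gr_dport` and the `used_accept:1` bit.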
31348 -@@ -916,7 +926,7 @@ struct sched_entity {
31349 -
31350 - struct task_struct {
31351 - volatile long state; /* -1 unrunnable, 0 runnable, >0 stopped */
31352 -- void *stack;
31353 -+ union thread_union *stack;
31354 - atomic_t usage;
31355 - unsigned int flags; /* per process flags, defined below */
31356 - unsigned int ptrace;
31357 -@@ -983,10 +993,9 @@ struct task_struct {
31358 - pid_t pid;
31359 - pid_t tgid;
31360 -
31361 --#ifdef CONFIG_CC_STACKPROTECTOR
31362 - /* Canary value for the -fstack-protector gcc feature */
31363 - unsigned long stack_canary;
31364 --#endif
31365 -+
31366 - /*
31367 - * pointers to (original) parent process, youngest child, younger sibling,
31368 - * older sibling, respectively. (p->father can be replaced with
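Review bot: the `#ifdef CONFIG_CC_STACKPROTECTOR` / `#endif` around `stack_canary` is removed but the comment still reads "Canary value for the -fstack-protector gcc feature", so every build now carries the field with a comment that no longer explains why it is unconditional; update the comment to say what reads `stack_canary` when the stack protector is not enabled.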
31369 -@@ -1007,8 +1016,8 @@ struct task_struct {
31370 - struct list_head thread_group;
31371 -
31372 - struct completion *vfork_done; /* for vfork() */
31373 -- int __user *set_child_tid; /* CLONE_CHILD_SETTID */
31374 -- int __user *clear_child_tid; /* CLONE_CHILD_CLEARTID */
31375 -+ pid_t __user *set_child_tid; /* CLONE_CHILD_SETTID */
31376 -+ pid_t __user *clear_child_tid; /* CLONE_CHILD_CLEARTID */
31377 -
31378 - unsigned int rt_priority;
31379 - cputime_t utime, stime, utimescaled, stimescaled;
31380 -@@ -1178,8 +1187,60 @@ struct task_struct {
31381 - int make_it_fail;
31382 - #endif
31383 - struct prop_local_single dirties;
31384 -+
31385 -+#ifdef CONFIG_GRKERNSEC
31386 -+ /* grsecurity */
31387 -+ struct acl_subject_label *acl;
31388 -+ struct acl_role_label *role;
31389 -+ struct file *exec_file;
31390 -+ u16 acl_role_id;
31391 -+ u8 acl_sp_role;
31392 -+ u8 is_writable;
31393 -+ u8 brute;
31394 -+#endif
31395 -+
31396 - };
31397 -
31398 -+#define MF_PAX_PAGEEXEC 0x01000000 /* Paging based non-executable pages */
31399 -+#define MF_PAX_EMUTRAMP 0x02000000 /* Emulate trampolines */
31400 -+#define MF_PAX_MPROTECT 0x04000000 /* Restrict mprotect() */
31401 -+#define MF_PAX_RANDMMAP 0x08000000 /* Randomize mmap() base */
31402 -+/*#define MF_PAX_RANDEXEC 0x10000000*/ /* Randomize ET_EXEC base */
31403 -+#define MF_PAX_SEGMEXEC 0x20000000 /* Segmentation based non-executable pages */
31404 -+
31405 -+#ifdef CONFIG_PAX_SOFTMODE
31406 -+extern unsigned int pax_softmode;
31407 -+#endif
31408 -+
31409 -+extern int pax_check_flags(unsigned long *);
31410 -+
31411 -+/* if tsk != current then task_lock must be held on it */
31412 -+#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
31413 -+static inline unsigned long pax_get_flags(struct task_struct *tsk)
31414 -+{
31415 -+ if (likely(tsk->mm))
31416 -+ return tsk->mm->pax_flags;
31417 -+ else
31418 -+ return 0UL;
31419 -+}
31420 -+
31421 -+/* if tsk != current then task_lock must be held on it */
31422 -+static inline long pax_set_flags(struct task_struct *tsk, unsigned long flags)
31423 -+{
31424 -+ if (likely(tsk->mm)) {
31425 -+ tsk->mm->pax_flags = flags;
31426 -+ return 0;
31427 -+ }
31428 -+ return -EINVAL;
31429 -+}
31430 -+#endif
31431 -+
31432 -+#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
31433 -+extern void pax_set_initial_flags(struct linux_binprm *bprm);
31434 -+#elif defined(CONFIG_PAX_HOOK_ACL_FLAGS)
31435 -+extern void (*pax_set_initial_flags_func)(struct linux_binprm *bprm);
31436 -+#endif
31437 -+
31438 - /*
31439 - * Priority of a process goes from 0..MAX_PRIO-1, valid RT
31440 - * priority is 0..MAX_RT_PRIO-1, and SCHED_NORMAL/SCHED_BATCH
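Review bot: `/*#define MF_PAX_RANDEXEC 0x10000000*/` is left as a commented-out define between the live `MF_PAX_*` flags; since these bits are stored in `mm->pax_flags` and are exposed through the ACL and ELF-marking paths, either drop the line or add a comment reserving bit 0x10000000 so it is not reused with a different meaning. The single comment "if tsk != current then task_lock must be held on it" is the only statement of the locking rule for `pax_get_flags()` / `pax_set_flags()`; a note on why `tsk->mm` can be NULL (kernel threads) and why 0UL / -EINVAL is the right answer for them would help the next reader. Minor: there is a stray blank `+` line before the closing `};` of `struct task_struct`.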
31441 -@@ -1779,8 +1840,8 @@ static inline void unlock_task_sighand(s
31442 -
31443 - #ifndef __HAVE_THREAD_FUNCTIONS
31444 -
31445 --#define task_thread_info(task) ((struct thread_info *)(task)->stack)
31446 --#define task_stack_page(task) ((task)->stack)
31447 -+#define task_thread_info(task) (&(task)->stack->thread_info)
31448 -+#define task_stack_page(task) ((void *)(task)->stack)
31449 -
31450 - static inline void setup_thread_stack(struct task_struct *p, struct task_struct *org)
31451 - {
31452 -@@ -1917,6 +1978,12 @@ extern void arch_pick_mmap_layout(struct
31453 - static inline void arch_pick_mmap_layout(struct mm_struct *mm)
31454 - {
31455 - mm->mmap_base = TASK_UNMAPPED_BASE;
31456 -+
31457 -+#ifdef CONFIG_PAX_RANDMMAP
31458 -+ if (mm->pax_flags & MF_PAX_RANDMMAP)
31459 -+ mm->mmap_base += mm->delta_mmap;
31460 -+#endif
31461 -+
31462 - mm->get_unmapped_area = arch_get_unmapped_area;
31463 - mm->unmap_area = arch_unmap_area;
31464 - }
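Review bot: `mm->mmap_base += mm->delta_mmap;` assumes `delta_mmap` is already populated when arch_pick_mmap_layout() runs; if the exec path sets the PaX flags and delta before choosing the layout this is fine, but it needs a comment, because a zero delta with `MF_PAX_RANDMMAP` set silently yields an unrandomised layout with no warning. This is the generic inline used only when an architecture does not define its own arch_pick_mmap_layout(), so the per-arch implementations need the same `CONFIG_PAX_RANDMMAP` block.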
31465 -diff -urNp linux-2.6.24.4/include/linux/screen_info.h linux-2.6.24.4/include/linux/screen_info.h
31466 ---- linux-2.6.24.4/include/linux/screen_info.h 2008-03-24 14:49:18.000000000 -0400
31467 -+++ linux-2.6.24.4/include/linux/screen_info.h 2008-03-26 17:56:56.000000000 -0400
31468 -@@ -42,7 +42,8 @@ struct screen_info {
31469 - __u16 pages; /* 0x32 */
31470 - __u16 vesa_attributes; /* 0x34 */
31471 - __u32 capabilities; /* 0x36 */
31472 -- __u8 _reserved[6]; /* 0x3a */
31473 -+ __u16 vesapm_size; /* 0x3a */
31474 -+ __u8 _reserved[4]; /* 0x3c */
31475 - } __attribute__((packed));
31476 -
31477 - #define VIDEO_TYPE_MDA 0x10 /* Monochrome Text Display */
31478 -diff -urNp linux-2.6.24.4/include/linux/security.h linux-2.6.24.4/include/linux/security.h
31479 ---- linux-2.6.24.4/include/linux/security.h 2008-03-24 14:49:18.000000000 -0400
31480 -+++ linux-2.6.24.4/include/linux/security.h 2008-03-26 17:56:56.000000000 -0400
31481 -@@ -2266,7 +2266,7 @@ static inline struct dentry *securityfs_
31482 - mode_t mode,
31483 - struct dentry *parent,
31484 - void *data,
31485 -- struct file_operations *fops)
31486 -+ const struct file_operations *fops)
31487 - {
31488 - return ERR_PTR(-ENODEV);
31489 - }
31490 -diff -urNp linux-2.6.24.4/include/linux/shm.h linux-2.6.24.4/include/linux/shm.h
31491 ---- linux-2.6.24.4/include/linux/shm.h 2008-03-24 14:49:18.000000000 -0400
31492 -+++ linux-2.6.24.4/include/linux/shm.h 2008-03-26 17:56:56.000000000 -0400
31493 -@@ -87,6 +87,10 @@ struct shmid_kernel /* private to the ke
31494 - pid_t shm_cprid;
31495 - pid_t shm_lprid;
31496 - struct user_struct *mlock_user;
31497 -+#ifdef CONFIG_GRKERNSEC
31498 -+ time_t shm_createtime;
31499 -+ pid_t shm_lapid;
31500 -+#endif
31501 - };
31502 -
31503 - /* shm_mode upper byte flags */
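Review bot: `pid_t shm_lapid` sits next to the existing `shm_lprid` and the two names differ by one letter; add a comment on each new field (`shm_lapid` = pid of the last successful attach, `shm_createtime` = creation time on the monotonic clock) so the distinction from `shm_lprid` (last operator pid) and from the wall-clock `shm_ctim` is clear without reading ipc/shm.c.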
31504 -diff -urNp linux-2.6.24.4/include/linux/sysctl.h linux-2.6.24.4/include/linux/sysctl.h
31505 ---- linux-2.6.24.4/include/linux/sysctl.h 2008-03-24 14:49:18.000000000 -0400
31506 -+++ linux-2.6.24.4/include/linux/sysctl.h 2008-03-26 17:56:56.000000000 -0400
31507 -@@ -164,9 +164,21 @@ enum
31508 - KERN_MAX_LOCK_DEPTH=74,
31509 - KERN_NMI_WATCHDOG=75, /* int: enable/disable nmi watchdog */
31510 - KERN_PANIC_ON_NMI=76, /* int: whether we will panic on an unrecovered */
31511 --};
31512 -+#ifdef CONFIG_GRKERNSEC
31513 -+ KERN_GRSECURITY=98, /* grsecurity */
31514 -+#endif
31515 -+
31516 -+#ifdef CONFIG_PAX_SOFTMODE
31517 -+ KERN_PAX=99, /* PaX control */
31518 -+#endif
31519 -
31520 -+};
31521 -
31522 -+#ifdef CONFIG_PAX_SOFTMODE
31523 -+enum {
31524 -+ PAX_SOFTMODE=1 /* PaX: disable/enable soft mode */
31525 -+};
31526 -+#endif
31527 -
31528 - /* CTL_VM names: */
31529 - enum
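Review bot: `KERN_GRSECURITY=98` and `KERN_PAX=99` allocate binary sysctl numbers in the `KERN_` enum, whose upstream allocation in this tree ends at `KERN_PANIC_ON_NMI=76`; the gap avoids a collision today, but 2.6.24 validates ctl_table registrations against the known binary paths when CONFIG_SYSCTL_SYSCALL_CHECK is on, so the tables using these numbers either need to be known to that check or registered with `.ctl_name = CTL_UNNUMBERED`. Style: the `};` is moved below two blank lines, which reads as if the enum had already been closed; keep `};` directly after the last `#endif`.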
31530 -diff -urNp linux-2.6.24.4/include/linux/uaccess.h linux-2.6.24.4/include/linux/uaccess.h
31531 ---- linux-2.6.24.4/include/linux/uaccess.h 2008-03-24 14:49:18.000000000 -0400
31532 -+++ linux-2.6.24.4/include/linux/uaccess.h 2008-03-26 17:56:56.000000000 -0400
31533 -@@ -76,11 +76,11 @@ static inline unsigned long __copy_from_
31534 - long ret; \
31535 - mm_segment_t old_fs = get_fs(); \
31536 - \
31537 -- set_fs(KERNEL_DS); \
31538 - pagefault_disable(); \
31539 -+ set_fs(KERNEL_DS); \
31540 - ret = __get_user(retval, (__force typeof(retval) __user *)(addr)); \
31541 -- pagefault_enable(); \
31542 - set_fs(old_fs); \
31543 -+ pagefault_enable(); \
31544 - ret; \
31545 - })
31546 -
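Review bot: the swap that puts `set_fs(KERNEL_DS);` inside the `pagefault_disable();` / `pagefault_enable();` pair has no comment, and the upstream order is what any later cleanup will restore; add a one-line note stating the intent (the raised address limit should be live only while preemption and faults are disabled) so the ordering survives.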
31547 -diff -urNp linux-2.6.24.4/include/linux/udf_fs.h linux-2.6.24.4/include/linux/udf_fs.h
31548 ---- linux-2.6.24.4/include/linux/udf_fs.h 2008-03-24 14:49:18.000000000 -0400
31549 -+++ linux-2.6.24.4/include/linux/udf_fs.h 2008-03-26 17:56:56.000000000 -0400
31550 -@@ -45,7 +45,7 @@
31551 - printk (f, ##a); \
31552 - }
31553 - #else
31554 --#define udf_debug(f, a...) /**/
31555 -+#define udf_debug(f, a...) do {} while (0)
31556 - #endif
31557 -
31558 - #define udf_info(f, a...) \
31559 -diff -urNp linux-2.6.24.4/include/net/sctp/sctp.h linux-2.6.24.4/include/net/sctp/sctp.h
31560 ---- linux-2.6.24.4/include/net/sctp/sctp.h 2008-03-24 14:49:18.000000000 -0400
31561 -+++ linux-2.6.24.4/include/net/sctp/sctp.h 2008-03-26 17:56:56.000000000 -0400
31562 -@@ -316,8 +316,8 @@ extern int sctp_debug_flag;
31563 -
31564 - #else /* SCTP_DEBUG */
31565 -
31566 --#define SCTP_DEBUG_PRINTK(whatever...)
31567 --#define SCTP_DEBUG_PRINTK_IPADDR(whatever...)
31568 -+#define SCTP_DEBUG_PRINTK(whatever...) do {} while (0)
31569 -+#define SCTP_DEBUG_PRINTK_IPADDR(whatever...) do {} while (0)
31570 - #define SCTP_ENABLE_DEBUG
31571 - #define SCTP_DISABLE_DEBUG
31572 - #define SCTP_ASSERT(expr, str, func)
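Review bot: `SCTP_DEBUG_PRINTK` and `SCTP_DEBUG_PRINTK_IPADDR` become `do {} while (0)` so they are safe in an unbraced `if` / `else`, but `SCTP_ASSERT(expr, str, func)` on the context line right below is still an empty macro with the same dangling-else hazard; give it the same treatment, as the udf_fs.h and sound/core.h hunks do for their empty debug macros.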
31573 -diff -urNp linux-2.6.24.4/include/sound/core.h linux-2.6.24.4/include/sound/core.h
31574 ---- linux-2.6.24.4/include/sound/core.h 2008-03-24 14:49:18.000000000 -0400
31575 -+++ linux-2.6.24.4/include/sound/core.h 2008-03-26 17:56:56.000000000 -0400
31576 -@@ -396,9 +396,9 @@ void snd_verbose_printd(const char *file
31577 -
31578 - #else /* !CONFIG_SND_DEBUG */
31579 -
31580 --#define snd_printd(fmt, args...) /* nothing */
31581 -+#define snd_printd(fmt, args...) do {} while (0)
31582 - #define snd_assert(expr, args...) (void)(expr)
31583 --#define snd_BUG() /* nothing */
31584 -+#define snd_BUG() do {} while (0)
31585 -
31586 - #endif /* CONFIG_SND_DEBUG */
31587 -
31588 -@@ -412,7 +412,7 @@ void snd_verbose_printd(const char *file
31589 - */
31590 - #define snd_printdd(format, args...) snd_printk(format, ##args)
31591 - #else
31592 --#define snd_printdd(format, args...) /* nothing */
31593 -+#define snd_printdd(format, args...) do {} while (0)
31594 - #endif
31595 -
31596 -
31597 -diff -urNp linux-2.6.24.4/init/do_mounts.c linux-2.6.24.4/init/do_mounts.c
31598 ---- linux-2.6.24.4/init/do_mounts.c 2008-03-24 14:49:18.000000000 -0400
31599 -+++ linux-2.6.24.4/init/do_mounts.c 2008-03-26 17:56:56.000000000 -0400
31600 -@@ -68,11 +68,12 @@ static dev_t try_name(char *name, int pa
31601 -
31602 - /* read device number from .../dev */
31603 -
31604 -- sprintf(path, "/sys/block/%s/dev", name);
31605 -- fd = sys_open(path, 0, 0);
31606 -+ if (sizeof path <= snprintf(path, sizeof path, "/sys/block/%s/dev", name))
31607 -+ goto fail;
31608 -+ fd = sys_open((char __user *)path, 0, 0);
31609 - if (fd < 0)
31610 - goto fail;
31611 -- len = sys_read(fd, buf, 32);
31612 -+ len = sys_read(fd, (char __user *)buf, 32);
31613 - sys_close(fd);
31614 - if (len <= 0 || len == 32 || buf[len - 1] != '\n')
31615 - goto fail;
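Review bot: the guard `if (sizeof path <= snprintf(path, sizeof path, "/sys/block/%s/dev", name))` correctly treats a truncated name as failure (snprintf returns the length it would have written), but the identical construction is repeated for `/sys/block/%s/range` in the next hunk; a small helper that formats the path, opens it and reads into `buf` would remove the duplication. The `(char __user *)path` and `(char __user *)buf` casts add an address space to kernel pointers, which sparse still reports unless spelled `(char __force __user *)`.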
31616 -@@ -98,11 +99,12 @@ static dev_t try_name(char *name, int pa
31617 - return res;
31618 -
31619 - /* otherwise read range from .../range */
31620 -- sprintf(path, "/sys/block/%s/range", name);
31621 -- fd = sys_open(path, 0, 0);
31622 -+ if (sizeof path <= snprintf(path, sizeof path, "/sys/block/%s/range", name))
31623 -+ goto fail;
31624 -+ fd = sys_open((char __user *)path, 0, 0);
31625 - if (fd < 0)
31626 - goto fail;
31627 -- len = sys_read(fd, buf, 32);
31628 -+ len = sys_read(fd, (char __user *)buf, 32);
31629 - sys_close(fd);
31630 - if (len <= 0 || len == 32 || buf[len - 1] != '\n')
31631 - goto fail;
31632 -@@ -145,8 +147,8 @@ dev_t name_to_dev_t(char *name)
31633 - int part;
31634 -
31635 - #ifdef CONFIG_SYSFS
31636 -- int mkdir_err = sys_mkdir("/sys", 0700);
31637 -- if (sys_mount("sysfs", "/sys", "sysfs", 0, NULL) < 0)
31638 -+ int mkdir_err = sys_mkdir((char __user *)"/sys", 0700);
31639 -+ if (sys_mount((char __user *)"sysfs", (char __user *)"/sys", (char __user *)"sysfs", 0, NULL) < 0)
31640 - goto out;
31641 - #endif
31642 -
31643 -@@ -198,10 +200,10 @@ dev_t name_to_dev_t(char *name)
31644 - res = try_name(s, part);
31645 - done:
31646 - #ifdef CONFIG_SYSFS
31647 -- sys_umount("/sys", 0);
31648 -+ sys_umount((char __user *)"/sys", 0);
31649 - out:
31650 - if (!mkdir_err)
31651 -- sys_rmdir("/sys");
31652 -+ sys_rmdir((char __user *)"/sys");
31653 - #endif
31654 - return res;
31655 - fail:
31656 -@@ -281,11 +283,11 @@ static void __init get_fs_names(char *pa
31657 -
31658 - static int __init do_mount_root(char *name, char *fs, int flags, void *data)
31659 - {
31660 -- int err = sys_mount(name, "/root", fs, flags, data);
31661 -+ int err = sys_mount((char __user *)name, (char __user *)"/root", (char __user *)fs, flags, (void __user *)data);
31662 - if (err)
31663 - return err;
31664 -
31665 -- sys_chdir("/root");
31666 -+ sys_chdir((char __user *)"/root");
31667 - ROOT_DEV = current->fs->pwdmnt->mnt_sb->s_dev;
31668 - printk("VFS: Mounted root (%s filesystem)%s.\n",
31669 - current->fs->pwdmnt->mnt_sb->s_type->name,
31670 -@@ -371,18 +373,18 @@ void __init change_floppy(char *fmt, ...
31671 - va_start(args, fmt);
31672 - vsprintf(buf, fmt, args);
31673 - va_end(args);
31674 -- fd = sys_open("/dev/root", O_RDWR | O_NDELAY, 0);
31675 -+ fd = sys_open((char __user *)"/dev/root", O_RDWR | O_NDELAY, 0);
31676 - if (fd >= 0) {
31677 - sys_ioctl(fd, FDEJECT, 0);
31678 - sys_close(fd);
31679 - }
31680 - printk(KERN_NOTICE "VFS: Insert %s and press ENTER\n", buf);
31681 -- fd = sys_open("/dev/console", O_RDWR, 0);
31682 -+ fd = sys_open((char __user *)"/dev/console", O_RDWR, 0);
31683 - if (fd >= 0) {
31684 - sys_ioctl(fd, TCGETS, (long)&termios);
31685 - termios.c_lflag &= ~ICANON;
31686 - sys_ioctl(fd, TCSETSF, (long)&termios);
31687 -- sys_read(fd, &c, 1);
31688 -+ sys_read(fd, (char __user *)&c, 1);
31689 - termios.c_lflag |= ICANON;
31690 - sys_ioctl(fd, TCSETSF, (long)&termios);
31691 - sys_close(fd);
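Review bot: the context line `vsprintf(buf, fmt, args);` stays unbounded while try_name() in the same file just gained `snprintf(path, sizeof path, ...)`; since this function is already being edited for the `__user` casts, switching to `vsnprintf(buf, sizeof buf, fmt, args)` (if `buf` is a fixed-size array, its declaration is outside the hunk) would give change_floppy() the same bounds protection.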
31692 -@@ -468,8 +470,8 @@ void __init prepare_namespace(void)
31693 -
31694 - mount_root();
31695 - out:
31696 -- sys_mount(".", "/", NULL, MS_MOVE, NULL);
31697 -- sys_chroot(".");
31698 -+ sys_mount((char __user *)".", (char __user *)"/", NULL, MS_MOVE, NULL);
31699 -+ sys_chroot((char __user *)".");
31700 - security_sb_post_mountroot();
31701 - }
31702 -
31703 -diff -urNp linux-2.6.24.4/init/do_mounts.h linux-2.6.24.4/init/do_mounts.h
31704 ---- linux-2.6.24.4/init/do_mounts.h 2008-03-24 14:49:18.000000000 -0400
31705 -+++ linux-2.6.24.4/init/do_mounts.h 2008-03-26 17:56:56.000000000 -0400
31706 -@@ -15,15 +15,15 @@ extern char *root_device_name;
31707 -
31708 - static inline int create_dev(char *name, dev_t dev)
31709 - {
31710 -- sys_unlink(name);
31711 -- return sys_mknod(name, S_IFBLK|0600, new_encode_dev(dev));
31712 -+ sys_unlink((char __user *)name);
31713 -+ return sys_mknod((char __user *)name, S_IFBLK|0600, new_encode_dev(dev));
31714 - }
31715 -
31716 - #if BITS_PER_LONG == 32
31717 - static inline u32 bstat(char *name)
31718 - {
31719 - struct stat64 stat;
31720 -- if (sys_stat64(name, &stat) != 0)
31721 -+ if (sys_stat64((char __user *)name, (struct stat64 __user *)&stat) != 0)
31722 - return 0;
31723 - if (!S_ISBLK(stat.st_mode))
31724 - return 0;
31725 -diff -urNp linux-2.6.24.4/init/do_mounts_md.c linux-2.6.24.4/init/do_mounts_md.c
31726 ---- linux-2.6.24.4/init/do_mounts_md.c 2008-03-24 14:49:18.000000000 -0400
31727 -+++ linux-2.6.24.4/init/do_mounts_md.c 2008-03-26 17:56:56.000000000 -0400
31728 -@@ -167,7 +167,7 @@ static void __init md_setup_drive(void)
31729 - partitioned ? "_d" : "", minor,
31730 - md_setup_args[ent].device_names);
31731 -
31732 -- fd = sys_open(name, 0, 0);
31733 -+ fd = sys_open((char __user *)name, 0, 0);
31734 - if (fd < 0) {
31735 - printk(KERN_ERR "md: open failed - cannot start "
31736 - "array %s\n", name);
31737 -@@ -230,7 +230,7 @@ static void __init md_setup_drive(void)
31738 - * array without it
31739 - */
31740 - sys_close(fd);
31741 -- fd = sys_open(name, 0, 0);
31742 -+ fd = sys_open((char __user *)name, 0, 0);
31743 - sys_ioctl(fd, BLKRRPART, 0);
31744 - }
31745 - sys_close(fd);
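Review bot: the reopen `fd = sys_open((char __user *)name, 0, 0);` is followed directly by `sys_ioctl(fd, BLKRRPART, 0);` with no `fd < 0` check; that is pre-existing behaviour the cast merely preserves, but the first open in this function does check for failure, and since the line is being touched a guard is cheap.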
31746 -@@ -271,7 +271,7 @@ void __init md_run_setup(void)
31747 - if (raid_noautodetect)
31748 - printk(KERN_INFO "md: Skipping autodetection of RAID arrays. (raid=noautodetect)\n");
31749 - else {
31750 -- int fd = sys_open("/dev/md0", 0, 0);
31751 -+ int fd = sys_open((char __user *)"/dev/md0", 0, 0);
31752 - if (fd >= 0) {
31753 - sys_ioctl(fd, RAID_AUTORUN, raid_autopart);
31754 - sys_close(fd);
31755 -diff -urNp linux-2.6.24.4/init/initramfs.c linux-2.6.24.4/init/initramfs.c
31756 ---- linux-2.6.24.4/init/initramfs.c 2008-03-24 14:49:18.000000000 -0400
31757 -+++ linux-2.6.24.4/init/initramfs.c 2008-03-26 17:56:56.000000000 -0400
31758 -@@ -240,7 +240,7 @@ static int __init maybe_link(void)
31759 - if (nlink >= 2) {
31760 - char *old = find_link(major, minor, ino, mode, collected);
31761 - if (old)
31762 -- return (sys_link(old, collected) < 0) ? -1 : 1;
31763 -+ return (sys_link((char __user *)old, (char __user *)collected) < 0) ? -1 : 1;
31764 - }
31765 - return 0;
31766 - }
31767 -@@ -249,11 +249,11 @@ static void __init clean_path(char *path
31768 - {
31769 - struct stat st;
31770 -
31771 -- if (!sys_newlstat(path, &st) && (st.st_mode^mode) & S_IFMT) {
31772 -+ if (!sys_newlstat((char __user *)path, (struct stat __user *)&st) && (st.st_mode^mode) & S_IFMT) {
31773 - if (S_ISDIR(st.st_mode))
31774 -- sys_rmdir(path);
31775 -+ sys_rmdir((char __user *)path);
31776 - else
31777 -- sys_unlink(path);
31778 -+ sys_unlink((char __user *)path);
31779 - }
31780 - }
31781 -
31782 -@@ -276,7 +276,7 @@ static int __init do_name(void)
31783 - int openflags = O_WRONLY|O_CREAT;
31784 - if (ml != 1)
31785 - openflags |= O_TRUNC;
31786 -- wfd = sys_open(collected, openflags, mode);
31787 -+ wfd = sys_open((char __user *)collected, openflags, mode);
31788 -
31789 - if (wfd >= 0) {
31790 - sys_fchown(wfd, uid, gid);
31791 -@@ -285,15 +285,15 @@ static int __init do_name(void)
31792 - }
31793 - }
31794 - } else if (S_ISDIR(mode)) {
31795 -- sys_mkdir(collected, mode);
31796 -- sys_chown(collected, uid, gid);
31797 -- sys_chmod(collected, mode);
31798 -+ sys_mkdir((char __user *)collected, mode);
31799 -+ sys_chown((char __user *)collected, uid, gid);
31800 -+ sys_chmod((char __user *)collected, mode);
31801 - } else if (S_ISBLK(mode) || S_ISCHR(mode) ||
31802 - S_ISFIFO(mode) || S_ISSOCK(mode)) {
31803 - if (maybe_link() == 0) {
31804 -- sys_mknod(collected, mode, rdev);
31805 -- sys_chown(collected, uid, gid);
31806 -- sys_chmod(collected, mode);
31807 -+ sys_mknod((char __user *)collected, mode, rdev);
31808 -+ sys_chown((char __user *)collected, uid, gid);
31809 -+ sys_chmod((char __user *)collected, mode);
31810 - }
31811 - }
31812 - return 0;
31813 -@@ -302,13 +302,13 @@ static int __init do_name(void)
31814 - static int __init do_copy(void)
31815 - {
31816 - if (count >= body_len) {
31817 -- sys_write(wfd, victim, body_len);
31818 -+ sys_write(wfd, (char __user *)victim, body_len);
31819 - sys_close(wfd);
31820 - eat(body_len);
31821 - state = SkipIt;
31822 - return 0;
31823 - } else {
31824 -- sys_write(wfd, victim, count);
31825 -+ sys_write(wfd, (char __user *)victim, count);
31826 - body_len -= count;
31827 - eat(count);
31828 - return 1;
31829 -@@ -319,8 +319,8 @@ static int __init do_symlink(void)
31830 - {
31831 - collected[N_ALIGN(name_len) + body_len] = '\0';
31832 - clean_path(collected, 0);
31833 -- sys_symlink(collected + N_ALIGN(name_len), collected);
31834 -- sys_lchown(collected, uid, gid);
31835 -+ sys_symlink((char __user *)collected + N_ALIGN(name_len), (char __user *)collected);
31836 -+ sys_lchown((char __user *)collected, uid, gid);
31837 - state = SkipIt;
31838 - next_state = Reset;
31839 - return 0;
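Review bot: in `sys_symlink((char __user *)collected + N_ALIGN(name_len), ...)` the cast binds tighter than `+`, so the offset is applied to the already-`__user` pointer; the result is the same, but `(char __user *)(collected + N_ALIGN(name_len))` reads unambiguously and matches how the other casts in this file wrap whole expressions.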
31840 -diff -urNp linux-2.6.24.4/init/Kconfig linux-2.6.24.4/init/Kconfig
31841 ---- linux-2.6.24.4/init/Kconfig 2008-03-24 14:49:18.000000000 -0400
31842 -+++ linux-2.6.24.4/init/Kconfig 2008-03-26 17:56:56.000000000 -0400
31843 -@@ -469,6 +469,7 @@ config SYSCTL_SYSCALL
31844 - config KALLSYMS
31845 - bool "Load all symbols for debugging/ksymoops" if EMBEDDED
31846 - default y
31847 -+ depends on !GRKERNSEC_HIDESYM
31848 - help
31849 - Say Y here to let the kernel print out symbolic crash information and
31850 - symbolic stack backtraces. This increases the size of the kernel
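Review bot: `depends on !GRKERNSEC_HIDESYM` on KALLSYMS is not sufficient on its own: other options `select KALLSYMS` (LOCKDEP in lib/Kconfig.debug, for one), and a `select` overrides a `depends on`, so a configuration with GRKERNSEC_HIDESYM and lockdep enabled still ends up with KALLSYMS=y plus a kconfig warning about an unmet dependency. Either make GRKERNSEC_HIDESYM itself depend on !KALLSYMS, so it cannot be enabled while something selects KALLSYMS, or document in the HIDESYM help text that symbol hiding is ineffective in that case.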
31851 -diff -urNp linux-2.6.24.4/init/main.c linux-2.6.24.4/init/main.c
31852 ---- linux-2.6.24.4/init/main.c 2008-03-24 14:49:18.000000000 -0400
31853 -+++ linux-2.6.24.4/init/main.c 2008-03-26 17:56:56.000000000 -0400
31854 -@@ -101,6 +101,7 @@ static inline void mark_rodata_ro(void)
31855 - #ifdef CONFIG_TC
31856 - extern void tc_init(void);
31857 - #endif
31858 -+extern void grsecurity_init(void);
31859 -
31860 - enum system_states system_state;
31861 - EXPORT_SYMBOL(system_state);
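Review bot: `extern void grsecurity_init(void);` is added as a file-local prototype in init/main.c, while the other files in this series (ipc/msg.c, ipc/sem.c, ipc/shm.c, kernel/capability.c) get the gr_* declarations from `<linux/grsecurity.h>`; put the prototype in that header and include it here, otherwise the declaration and the definition can drift apart without a compiler error.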
31862 -@@ -187,6 +188,17 @@ static int __init set_reset_devices(char
31863 -
31864 - __setup("reset_devices", set_reset_devices);
31865 -
31866 -+#ifdef CONFIG_PAX_SOFTMODE
31867 -+unsigned int pax_softmode;
31868 -+
31869 -+static int __init setup_pax_softmode(char *str)
31870 -+{
31871 -+ get_option(&str, &pax_softmode);
31872 -+ return 1;
31873 -+}
31874 -+__setup("pax_softmode=", setup_pax_softmode);
31875 -+#endif
31876 -+
31877 - static char * argv_init[MAX_INIT_ARGS+2] = { "init", NULL, };
31878 - char * envp_init[MAX_INIT_ENVS+2] = { "HOME=/", "TERM=linux", NULL, };
31879 - static const char *panic_later, *panic_param;
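Review bot: `get_option(&str, &pax_softmode);` passes an `unsigned int *` where get_option() takes an `int *`, which produces a pointer-sign warning; declare `pax_softmode` as `int` or parse into a local and assign. The parsed value is also stored unchecked, so `pax_softmode=5` is accepted as "on" while the `PAX_SOFTMODE=1` sysctl in include/linux/sysctl.h presents it as a disable/enable switch; normalising with `!!` in setup_pax_softmode() keeps the boot parameter and the sysctl consistent.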
31880 -@@ -847,6 +859,8 @@ static int __init kernel_init(void * unu
31881 - prepare_namespace();
31882 - }
31883 -
31884 -+ grsecurity_init();
31885 -+
31886 - /*
31887 - * Ok, we have completed the initial bootup, and
31888 - * we're essentially up and running. Get rid of the
31889 -diff -urNp linux-2.6.24.4/init/noinitramfs.c linux-2.6.24.4/init/noinitramfs.c
31890 ---- linux-2.6.24.4/init/noinitramfs.c 2008-03-24 14:49:18.000000000 -0400
31891 -+++ linux-2.6.24.4/init/noinitramfs.c 2008-03-26 17:56:56.000000000 -0400
31892 -@@ -29,7 +29,7 @@ static int __init default_rootfs(void)
31893 - {
31894 - int err;
31895 -
31896 -- err = sys_mkdir("/dev", 0755);
31897 -+ err = sys_mkdir((const char __user *)"/dev", 0755);
31898 - if (err < 0)
31899 - goto out;
31900 -
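Review bot: this file casts with `(const char __user *)"/dev"` while every other hunk in the series (init/do_mounts.c, init/initramfs.c, init/do_mounts_md.c) uses `(char __user *)` for the same sys_mkdir() / sys_open() string arguments; pick one spelling for the whole patch. Because these are kernel buffers being handed to syscall entry points, `__force` (`(const char __force __user *)`) is the form sparse expects when an address space is added deliberately.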
31901 -@@ -39,7 +39,7 @@ static int __init default_rootfs(void)
31902 - if (err < 0)
31903 - goto out;
31904 -
31905 -- err = sys_mkdir("/root", 0700);
31906 -+ err = sys_mkdir((const char __user *)"/root", 0700);
31907 - if (err < 0)
31908 - goto out;
31909 -
31910 -diff -urNp linux-2.6.24.4/ipc/ipc_sysctl.c linux-2.6.24.4/ipc/ipc_sysctl.c
31911 ---- linux-2.6.24.4/ipc/ipc_sysctl.c 2008-03-24 14:49:18.000000000 -0400
31912 -+++ linux-2.6.24.4/ipc/ipc_sysctl.c 2008-03-26 17:56:56.000000000 -0400
31913 -@@ -157,7 +157,7 @@ static struct ctl_table ipc_kern_table[]
31914 - .proc_handler = proc_ipc_dointvec,
31915 - .strategy = sysctl_ipc_data,
31916 - },
31917 -- {}
31918 -+ { 0, NULL, NULL, 0, 0, NULL, NULL, NULL, NULL, NULL, NULL }
31919 - };
31920 -
31921 - static struct ctl_table ipc_root_table[] = {
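Review bot: replacing the `{}` terminator with `{ 0, NULL, NULL, 0, 0, NULL, NULL, NULL, NULL, NULL, NULL }` hard-codes the current member count of `struct ctl_table`; it zero-initialises exactly what `{}` already did, and it will need editing (or will start assigning initialisers to the wrong members positionally) whenever the struct changes. If the purpose is to silence a missing-field-initializer warning, `{ .ctl_name = 0 }` achieves that without the fragility.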
31922 -@@ -167,7 +167,7 @@ static struct ctl_table ipc_root_table[]
31923 - .mode = 0555,
31924 - .child = ipc_kern_table,
31925 - },
31926 -- {}
31927 -+ { 0, NULL, NULL, 0, 0, NULL, NULL, NULL, NULL, NULL, NULL }
31928 - };
31929 -
31930 - static int __init ipc_sysctl_init(void)
31931 -diff -urNp linux-2.6.24.4/ipc/msg.c linux-2.6.24.4/ipc/msg.c
31932 ---- linux-2.6.24.4/ipc/msg.c 2008-03-24 14:49:18.000000000 -0400
31933 -+++ linux-2.6.24.4/ipc/msg.c 2008-03-26 17:56:56.000000000 -0400
31934 -@@ -36,6 +36,7 @@
31935 - #include <linux/seq_file.h>
31936 - #include <linux/rwsem.h>
31937 - #include <linux/nsproxy.h>
31938 -+#include <linux/grsecurity.h>
31939 -
31940 - #include <asm/current.h>
31941 - #include <asm/uaccess.h>
31942 -@@ -315,6 +316,7 @@ asmlinkage long sys_msgget(key_t key, in
31943 - struct ipc_namespace *ns;
31944 - struct ipc_ops msg_ops;
31945 - struct ipc_params msg_params;
31946 -+ long err;
31947 -
31948 - ns = current->nsproxy->ipc_ns;
31949 -
31950 -@@ -325,7 +327,11 @@ asmlinkage long sys_msgget(key_t key, in
31951 - msg_params.key = key;
31952 - msg_params.flg = msgflg;
31953 -
31954 -- return ipcget(ns, &msg_ids(ns), &msg_ops, &msg_params);
31955 -+ err = ipcget(ns, &msg_ids(ns), &msg_ops, &msg_params);
31956 -+
31957 -+ gr_log_msgget(err, msgflg);
31958 -+
31959 -+ return err;
31960 - }
31961 -
31962 - static inline unsigned long
31963 -@@ -586,6 +592,7 @@ asmlinkage long sys_msgctl(int msqid, in
31964 - break;
31965 - }
31966 - case IPC_RMID:
31967 -+ gr_log_msgrm(ipcp->uid, ipcp->cuid);
31968 - freeque(ns, msq);
31969 - break;
31970 - }
31971 -diff -urNp linux-2.6.24.4/ipc/sem.c linux-2.6.24.4/ipc/sem.c
31972 ---- linux-2.6.24.4/ipc/sem.c 2008-03-24 14:49:18.000000000 -0400
31973 -+++ linux-2.6.24.4/ipc/sem.c 2008-03-26 17:56:56.000000000 -0400
31974 -@@ -82,6 +82,7 @@
31975 - #include <linux/seq_file.h>
31976 - #include <linux/rwsem.h>
31977 - #include <linux/nsproxy.h>
31978 -+#include <linux/grsecurity.h>
31979 -
31980 - #include <asm/uaccess.h>
31981 - #include "util.h"
31982 -@@ -334,6 +335,7 @@ asmlinkage long sys_semget(key_t key, in
31983 - struct ipc_namespace *ns;
31984 - struct ipc_ops sem_ops;
31985 - struct ipc_params sem_params;
31986 -+ long err;
31987 -
31988 - ns = current->nsproxy->ipc_ns;
31989 -
31990 -@@ -348,7 +350,11 @@ asmlinkage long sys_semget(key_t key, in
31991 - sem_params.flg = semflg;
31992 - sem_params.u.nsems = nsems;
31993 -
31994 -- return ipcget(ns, &sem_ids(ns), &sem_ops, &sem_params);
31995 -+ err = ipcget(ns, &sem_ids(ns), &sem_ops, &sem_params);
31996 -+
31997 -+ gr_log_semget(err, semflg);
31998 -+
31999 -+ return err;
32000 - }
32001 -
32002 - /* Manage the doubly linked list sma->sem_pending as a FIFO:
32003 -@@ -936,6 +942,7 @@ static int semctl_down(struct ipc_namesp
32004 -
32005 - switch(cmd){
32006 - case IPC_RMID:
32007 -+ gr_log_semrm(ipcp->uid, ipcp->cuid);
32008 - freeary(ns, sma);
32009 - err = 0;
32010 - break;
32011 -diff -urNp linux-2.6.24.4/ipc/shm.c linux-2.6.24.4/ipc/shm.c
32012 ---- linux-2.6.24.4/ipc/shm.c 2008-03-24 14:49:18.000000000 -0400
32013 -+++ linux-2.6.24.4/ipc/shm.c 2008-03-26 17:56:56.000000000 -0400
32014 -@@ -38,6 +38,7 @@
32015 - #include <linux/rwsem.h>
32016 - #include <linux/nsproxy.h>
32017 - #include <linux/mount.h>
32018 -+#include <linux/grsecurity.h>
32019 -
32020 - #include <asm/uaccess.h>
32021 -
32022 -@@ -71,6 +72,14 @@ static void shm_destroy (struct ipc_name
32023 - static int sysvipc_shm_proc_show(struct seq_file *s, void *it);
32024 - #endif
32025 -
32026 -+#ifdef CONFIG_GRKERNSEC
32027 -+extern int gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
32028 -+ const time_t shm_createtime, const uid_t cuid,
32029 -+ const int shmid);
32030 -+extern int gr_chroot_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
32031 -+ const time_t shm_createtime);
32032 -+#endif
32033 -+
32034 - static void __shm_init_ns(struct ipc_namespace *ns, struct ipc_ids *ids)
32035 - {
32036 - ns->ids[IPC_SHM_IDS] = ids;
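Review bot: `gr_handle_shmat()` and `gr_chroot_shmat()` are declared as file-local externs under `#ifdef CONFIG_GRKERNSEC`, while `gr_log_shmrm()` and `gr_log_shmget()` used in the same file come from the newly included `<linux/grsecurity.h>`; moving these two prototypes into that header removes the `#ifdef` here and guarantees every caller sees the same signature.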
32037 -@@ -87,6 +96,8 @@ static void __shm_init_ns(struct ipc_nam
32038 - */
32039 - static void do_shm_rmid(struct ipc_namespace *ns, struct shmid_kernel *shp)
32040 - {
32041 -+ gr_log_shmrm(shp->shm_perm.uid, shp->shm_perm.cuid);
32042 -+
32043 - if (shp->shm_nattch){
32044 - shp->shm_perm.mode |= SHM_DEST;
32045 - /* Do not find it any more */
32046 -@@ -443,6 +454,14 @@ static int newseg(struct ipc_namespace *
32047 - shp->shm_lprid = 0;
32048 - shp->shm_atim = shp->shm_dtim = 0;
32049 - shp->shm_ctim = get_seconds();
32050 -+#ifdef CONFIG_GRKERNSEC
32051 -+ {
32052 -+ struct timespec timeval;
32053 -+ do_posix_clock_monotonic_gettime(&timeval);
32054 -+
32055 -+ shp->shm_createtime = timeval.tv_sec;
32056 -+ }
32057 -+#endif
32058 - shp->shm_segsz = size;
32059 - shp->shm_nattch = 0;
32060 - shp->shm_perm.id = shm_buildid(id, shp->shm_perm.seq);
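Review bot: `shp->shm_createtime` is taken from `do_posix_clock_monotonic_gettime()` while the adjacent `shp->shm_ctim = get_seconds();` is wall-clock time; that is the right choice if the value is compared against process start times (which are monotonic), but it needs a comment so nobody later "fixes" it to get_seconds() and breaks the comparison. `struct timespec timeval` is a misleading name for a timespec; `ts` or `now` is clearer.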
32061 -@@ -497,6 +516,7 @@ asmlinkage long sys_shmget (key_t key, s
32062 - struct ipc_namespace *ns;
32063 - struct ipc_ops shm_ops;
32064 - struct ipc_params shm_params;
32065 -+ long err;
32066 -
32067 - ns = current->nsproxy->ipc_ns;
32068 -
32069 -@@ -508,7 +528,11 @@ asmlinkage long sys_shmget (key_t key, s
32070 - shm_params.flg = shmflg;
32071 - shm_params.u.size = size;
32072 -
32073 -- return ipcget(ns, &shm_ids(ns), &shm_ops, &shm_params);
32074 -+ err = ipcget(ns, &shm_ids(ns), &shm_ops, &shm_params);
32075 -+
32076 -+ gr_log_shmget(err, shmflg, size);
32077 -+
32078 -+ return err;
32079 - }
32080 -
32081 - static inline unsigned long copy_shmid_to_user(void __user *buf, struct shmid64_ds *in, int version)
32082 -@@ -974,9 +998,21 @@ long do_shmat(int shmid, char __user *sh
32083 - if (err)
32084 - goto out_unlock;
32085 -
32086 -+#ifdef CONFIG_GRKERNSEC
32087 -+ if (!gr_handle_shmat(shp->shm_cprid, shp->shm_lapid, shp->shm_createtime,
32088 -+ shp->shm_perm.cuid, shmid) ||
32089 -+ !gr_chroot_shmat(shp->shm_cprid, shp->shm_lapid, shp->shm_createtime)) {
32090 -+ err = -EACCES;
32091 -+ goto out_unlock;
32092 -+ }
32093 -+#endif
32094 -+
32095 - path.dentry = dget(shp->shm_file->f_path.dentry);
32096 - path.mnt = shp->shm_file->f_path.mnt;
32097 - shp->shm_nattch++;
32098 -+#ifdef CONFIG_GRKERNSEC
32099 -+ shp->shm_lapid = current->pid;
32100 -+#endif
32101 - size = i_size_read(path.dentry->d_inode);
32102 - shm_unlock(shp);
32103 -
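Review bot: `gr_handle_shmat()` and `gr_chroot_shmat()` return non-zero to permit, the opposite convention from `security_shm_shmat()` a few lines above whose result is tested with `if (err) goto out_unlock;`; mixing both in one function invites an inverted test, so the `if (!gr_handle_shmat(...) || !gr_chroot_shmat(...))` line deserves a comment saying "non-zero means allowed". With the `||` short-circuit only the first failing hook runs and both map to the same `-EACCES`, so any record of which policy denied the attach has to come from inside the hooks.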
32104 -diff -urNp linux-2.6.24.4/kernel/acct.c linux-2.6.24.4/kernel/acct.c
32105 ---- linux-2.6.24.4/kernel/acct.c 2008-03-24 14:49:18.000000000 -0400
32106 -+++ linux-2.6.24.4/kernel/acct.c 2008-03-26 17:56:56.000000000 -0400
32107 -@@ -511,7 +511,7 @@ static void do_acct_process(struct file
32108 - */
32109 - flim = current->signal->rlim[RLIMIT_FSIZE].rlim_cur;
32110 - current->signal->rlim[RLIMIT_FSIZE].rlim_cur = RLIM_INFINITY;
32111 -- file->f_op->write(file, (char *)&ac,
32112 -+ file->f_op->write(file, (char __user *)&ac,
32113 - sizeof(acct_t), &file->f_pos);
32114 - current->signal->rlim[RLIMIT_FSIZE].rlim_cur = flim;
32115 - set_fs(fs);
32116 -diff -urNp linux-2.6.24.4/kernel/capability.c linux-2.6.24.4/kernel/capability.c
32117 ---- linux-2.6.24.4/kernel/capability.c 2008-03-24 14:49:18.000000000 -0400
32118 -+++ linux-2.6.24.4/kernel/capability.c 2008-03-26 17:56:56.000000000 -0400
32119 -@@ -13,6 +13,7 @@
32120 - #include <linux/security.h>
32121 - #include <linux/syscalls.h>
32122 - #include <linux/pid_namespace.h>
32123 -+#include <linux/grsecurity.h>
32124 - #include <asm/uaccess.h>
32125 -
32126 - /*
32127 -@@ -233,15 +234,25 @@ out:
32128 -
32129 - int __capable(struct task_struct *t, int cap)
32130 - {
32131 -- if (security_capable(t, cap) == 0) {
32132 -+ if ((security_capable(t, cap) == 0) && gr_task_is_capable(t, cap)) {
32133 - t->flags |= PF_SUPERPRIV;
32134 - return 1;
32135 - }
32136 - return 0;
32137 - }
32138 -
32139 -+int capable_nolog(int cap)
32140 -+{
32141 -+ if ((security_capable(current, cap) == 0) && gr_is_capable_nolog(cap)) {
32142 -+ current->flags |= PF_SUPERPRIV;
32143 -+ return 1;
32144 -+ }
32145 -+ return 0;
32146 -+}
32147 -+
32148 - int capable(int cap)
32149 - {
32150 - return __capable(current, cap);
32151 - }
32152 - EXPORT_SYMBOL(capable);
32153 -+EXPORT_SYMBOL(capable_nolog);
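Review bot: in `__capable()` the grsecurity check runs only when `security_capable(t, cap) == 0`, so a capability the LSM refuses never reaches `gr_task_is_capable()` and is not logged by grsecurity; if the intent is for grsecurity to see every denied capability use, the two tests need to be evaluated independently rather than short-circuited. `capable_nolog()` is exported with `EXPORT_SYMBOL` but no prototype appears in this hunk; it should be declared alongside `capable()` in the header (not part of this excerpt) so module callers get type checking.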
32154 -diff -urNp linux-2.6.24.4/kernel/configs.c linux-2.6.24.4/kernel/configs.c
32155 ---- linux-2.6.24.4/kernel/configs.c 2008-03-24 14:49:18.000000000 -0400
32156 -+++ linux-2.6.24.4/kernel/configs.c 2008-03-26 17:56:56.000000000 -0400
32157 -@@ -79,8 +79,16 @@ static int __init ikconfig_init(void)
32158 - struct proc_dir_entry *entry;
32159 -
32160 - /* create the current config file */
32161 -+#ifdef CONFIG_GRKERNSEC_PROC_ADD
32162 -+#ifdef CONFIG_GRKERNSEC_PROC_USER
32163 -+ entry = create_proc_entry("config.gz", S_IFREG | S_IRUSR, &proc_root);
32164 -+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
32165 -+ entry = create_proc_entry("config.gz", S_IFREG | S_IRUSR | S_IRGRP, &proc_root);
32166 -+#endif
32167 -+#else
32168 - entry = create_proc_entry("config.gz", S_IFREG | S_IRUGO,
32169 - &proc_root);
32170 -+#endif
32171 - if (!entry)
32172 - return -ENOMEM;
32173 -
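Review bot: under `CONFIG_GRKERNSEC_PROC_ADD`, if neither `CONFIG_GRKERNSEC_PROC_USER` nor `CONFIG_GRKERNSEC_PROC_USERGROUP` is set, no `create_proc_entry()` call is compiled and `entry` reaches the `if (!entry)` test unassigned, so correctness depends on Kconfig guaranteeing one of the two. Add an `#else` branch (or `#error`) inside the `PROC_ADD` block, or initialise `entry = NULL` at its declaration so the function fails with `-ENOMEM` instead of using an indeterminate pointer.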
32174 -diff -urNp linux-2.6.24.4/kernel/exit.c linux-2.6.24.4/kernel/exit.c
32175 ---- linux-2.6.24.4/kernel/exit.c 2008-03-24 14:49:18.000000000 -0400
32176 -+++ linux-2.6.24.4/kernel/exit.c 2008-03-26 17:56:56.000000000 -0400
32177 -@@ -44,6 +44,11 @@
32178 - #include <linux/resource.h>
32179 - #include <linux/blkdev.h>
32180 - #include <linux/task_io_accounting_ops.h>
32181 -+#include <linux/grsecurity.h>
32182 -+
32183 -+#ifdef CONFIG_GRKERNSEC
32184 -+extern rwlock_t grsec_exec_file_lock;
32185 -+#endif
32186 -
32187 - #include <asm/uaccess.h>
32188 - #include <asm/unistd.h>
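Review bot: the `extern rwlock_t grsec_exec_file_lock;` declaration should live in `<linux/grsecurity.h>`, which this same hunk already includes, rather than in `kernel/exit.c`; a file-local extern hides type mismatches from the compiler and has to be repeated in every other user of the lock.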
32189 -@@ -122,6 +127,7 @@ static void __exit_signal(struct task_st
32190 -
32191 - __unhash_process(tsk);
32192 -
32193 -+ gr_del_task_from_ip_table(tsk);
32194 - tsk->signal = NULL;
32195 - tsk->sighand = NULL;
32196 - spin_unlock(&sighand->siglock);
32197 -@@ -273,12 +279,23 @@ static void reparent_to_kthreadd(void)
32198 - {
32199 - write_lock_irq(&tasklist_lock);
32200 -
32201 -+#ifdef CONFIG_GRKERNSEC
32202 -+ write_lock(&grsec_exec_file_lock);
32203 -+ if (current->exec_file) {
32204 -+ fput(current->exec_file);
32205 -+ current->exec_file = NULL;
32206 -+ }
32207 -+ write_unlock(&grsec_exec_file_lock);
32208 -+#endif
32209 -+
32210 - ptrace_unlink(current);
32211 - /* Reparent to init */
32212 - remove_parent(current);
32213 - current->real_parent = current->parent = kthreadd_task;
32214 - add_parent(current);
32215 -
32216 -+ gr_set_kernel_label(current);
32217 -+
32218 - /* Set the exit signal to SIGCHLD so we signal init on exit */
32219 - current->exit_signal = SIGCHLD;
32220 -
32221 -@@ -373,6 +390,17 @@ void daemonize(const char *name, ...)
32222 - vsnprintf(current->comm, sizeof(current->comm), name, args);
32223 - va_end(args);
32224 -
32225 -+#ifdef CONFIG_GRKERNSEC
32226 -+ write_lock(&grsec_exec_file_lock);
32227 -+ if (current->exec_file) {
32228 -+ fput(current->exec_file);
32229 -+ current->exec_file = NULL;
32230 -+ }
32231 -+ write_unlock(&grsec_exec_file_lock);
32232 -+#endif
32233 -+
32234 -+ gr_set_kernel_label(current);
32235 -+
32236 - /*
32237 - * If we were started as result of loading a module, close all of the
32238 - * user space pages. We don't need them, and if we didn't close them
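Review bot: the `write_lock(&grsec_exec_file_lock)` / `fput(current->exec_file)` / `write_unlock()` sequence followed by `gr_set_kernel_label(current)` added here is identical to the block added to `reparent_to_kthreadd()` in the previous hunk. Factor it into a single helper in the grsecurity header (a name such as `gr_set_kernel_task()` is only a suggestion) so the lock discipline is maintained in one place and the `#ifdef CONFIG_GRKERNSEC` clutter disappears from both callers.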
32239 -@@ -990,6 +1018,9 @@ fastcall NORET_TYPE void do_exit(long co
32240 - tsk->exit_code = code;
32241 - taskstats_exit(tsk, group_dead);
32242 -
32243 -+ gr_acl_handle_psacct(tsk, code);
32244 -+ gr_acl_handle_exit();
32245 -+
32246 - exit_mm(tsk);
32247 -
32248 - if (group_dead)
32249 -@@ -1200,7 +1231,7 @@ static int wait_task_zombie(struct task_
32250 - pid_t pid = task_pid_nr_ns(p, ns);
32251 - uid_t uid = p->uid;
32252 - int exit_code = p->exit_code;
32253 -- int why, status;
32254 -+ int why;
32255 -
32256 - if (unlikely(p->exit_state != EXIT_ZOMBIE))
32257 - return 0;
32258 -diff -urNp linux-2.6.24.4/kernel/fork.c linux-2.6.24.4/kernel/fork.c
32259 ---- linux-2.6.24.4/kernel/fork.c 2008-03-24 14:49:18.000000000 -0400
32260 -+++ linux-2.6.24.4/kernel/fork.c 2008-03-26 17:56:56.000000000 -0400
32261 -@@ -51,6 +51,7 @@
32262 - #include <linux/random.h>
32263 - #include <linux/tty.h>
32264 - #include <linux/proc_fs.h>
32265 -+#include <linux/grsecurity.h>
32266 -
32267 - #include <asm/pgtable.h>
32268 - #include <asm/pgalloc.h>
32269 -@@ -180,7 +181,7 @@ static struct task_struct *dup_task_stru
32270 - }
32271 -
32272 - *tsk = *orig;
32273 -- tsk->stack = ti;
32274 -+ tsk->stack = (union thread_union *)ti;
32275 -
32276 - err = prop_local_init_single(&tsk->dirties);
32277 - if (err) {
32278 -@@ -192,7 +193,7 @@ static struct task_struct *dup_task_stru
32279 - setup_thread_stack(tsk, orig);
32280 -
32281 - #ifdef CONFIG_CC_STACKPROTECTOR
32282 -- tsk->stack_canary = get_random_int();
32283 -+ tsk->stack_canary = pax_get_random_long();
32284 - #endif
32285 -
32286 - /* One for us, one for whoever does the "release_task()" (usually parent) */
32287 -@@ -224,8 +225,8 @@ static int dup_mmap(struct mm_struct *mm
32288 - mm->locked_vm = 0;
32289 - mm->mmap = NULL;
32290 - mm->mmap_cache = NULL;
32291 -- mm->free_area_cache = oldmm->mmap_base;
32292 -- mm->cached_hole_size = ~0UL;
32293 -+ mm->free_area_cache = oldmm->free_area_cache;
32294 -+ mm->cached_hole_size = oldmm->cached_hole_size;
32295 - mm->map_count = 0;
32296 - cpus_clear(mm->cpu_vm_mask);
32297 - mm->mm_rb = RB_ROOT;
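Review bot: replacing the reset of `mm->free_area_cache` to `oldmm->mmap_base` and of `mm->cached_hole_size` to `~0UL` with copies of the parent's values changes the unconditional fork path, is not guarded by any PaX or grsec option, and carries no explanation. Add a comment stating why the child must inherit the parent's free-area search hint, or guard the change with the option it serves.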
32298 -@@ -262,6 +263,7 @@ static int dup_mmap(struct mm_struct *mm
32299 - tmp->vm_flags &= ~VM_LOCKED;
32300 - tmp->vm_mm = mm;
32301 - tmp->vm_next = NULL;
32302 -+ tmp->vm_mirror = NULL;
32303 - anon_vma_link(tmp);
32304 - file = tmp->vm_file;
32305 - if (file) {
32306 -@@ -298,6 +300,31 @@ static int dup_mmap(struct mm_struct *mm
32307 - if (retval)
32308 - goto out;
32309 - }
32310 -+
32311 -+#ifdef CONFIG_PAX_SEGMEXEC
32312 -+ if (oldmm->pax_flags & MF_PAX_SEGMEXEC) {
32313 -+ struct vm_area_struct *mpnt_m;
32314 -+
32315 -+ for (mpnt = oldmm->mmap, mpnt_m = mm->mmap; mpnt; mpnt = mpnt->vm_next, mpnt_m = mpnt_m->vm_next) {
32316 -+ BUG_ON(!mpnt_m || mpnt_m->vm_mirror || mpnt->vm_mm != oldmm || mpnt_m->vm_mm != mm);
32317 -+
32318 -+ if (!mpnt->vm_mirror)
32319 -+ continue;
32320 -+
32321 -+ if (mpnt->vm_end <= SEGMEXEC_TASK_SIZE) {
32322 -+ BUG_ON(mpnt->vm_mirror->vm_mirror != mpnt);
32323 -+ mpnt->vm_mirror = mpnt_m;
32324 -+ } else {
32325 -+ BUG_ON(mpnt->vm_mirror->vm_mirror == mpnt || mpnt->vm_mirror->vm_mirror->vm_mm != mm);
32326 -+ mpnt_m->vm_mirror = mpnt->vm_mirror->vm_mirror;
32327 -+ mpnt_m->vm_mirror->vm_mirror = mpnt_m;
32328 -+ mpnt->vm_mirror->vm_mirror = mpnt;
32329 -+ }
32330 -+ }
32331 -+ BUG_ON(mpnt_m);
32332 -+ }
32333 -+#endif
32334 -+
32335 - /* a new mm has just been created */
32336 - arch_dup_mmap(oldmm, mm);
32337 - retval = 0;
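Review bot: the mirror-relinking loop depends on several unstated invariants: `mm->mmap` must be a one-to-one, order-preserving copy of `oldmm->mmap` (the two lists are walked in lockstep), the list must be address-ordered so the lower-half vma (`vm_end <= SEGMEXEC_TASK_SIZE`) is visited before its upper-half mirror, and the lower-half branch temporarily repoints the parent vma's `vm_mirror` at the child copy so the upper-half branch can find it via `mpnt->vm_mirror->vm_mirror` before restoring it. The `BUG_ON()`s encode these assumptions, but a comment above the loop spelling them out would make the `else` branch reviewable without reconstructing the protocol.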
32338 -@@ -475,7 +502,7 @@ void mm_release(struct task_struct *tsk,
32339 - if (tsk->clear_child_tid
32340 - && !(tsk->flags & PF_SIGNALED)
32341 - && atomic_read(&mm->mm_users) > 1) {
32342 -- u32 __user * tidptr = tsk->clear_child_tid;
32343 -+ pid_t __user * tidptr = tsk->clear_child_tid;
32344 - tsk->clear_child_tid = NULL;
32345 -
32346 - /*
32347 -@@ -483,7 +510,7 @@ void mm_release(struct task_struct *tsk,
32348 - * not set up a proper pointer then tough luck.
32349 - */
32350 - put_user(0, tidptr);
32351 -- sys_futex(tidptr, FUTEX_WAKE, 1, NULL, NULL, 0);
32352 -+ sys_futex((u32 __user *)tidptr, FUTEX_WAKE, 1, NULL, NULL, 0);
32353 - }
32354 - }
32355 -
32356 -@@ -1015,6 +1042,9 @@ static struct task_struct *copy_process(
32357 - DEBUG_LOCKS_WARN_ON(!p->softirqs_enabled);
32358 - #endif
32359 - retval = -EAGAIN;
32360 -+
32361 -+ gr_learn_resource(p, RLIMIT_NPROC, atomic_read(&p->user->processes), 0);
32362 -+
32363 - if (atomic_read(&p->user->processes) >=
32364 - p->signal->rlim[RLIMIT_NPROC].rlim_cur) {
32365 - if (!capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE) &&
32366 -@@ -1169,6 +1199,8 @@ static struct task_struct *copy_process(
32367 - if (clone_flags & CLONE_THREAD)
32368 - p->tgid = current->tgid;
32369 -
32370 -+ gr_copy_label(p);
32371 -+
32372 - p->set_child_tid = (clone_flags & CLONE_CHILD_SETTID) ? child_tidptr : NULL;
32373 - /*
32374 - * Clear TID on mm_release()?
32375 -@@ -1356,6 +1388,8 @@ bad_fork_cleanup_count:
32376 - bad_fork_free:
32377 - free_task(p);
32378 - fork_out:
32379 -+ gr_log_forkfail(retval);
32380 -+
32381 - return ERR_PTR(retval);
32382 - }
32383 -
32384 -@@ -1437,6 +1471,8 @@ long do_fork(unsigned long clone_flags,
32385 - if (clone_flags & CLONE_PARENT_SETTID)
32386 - put_user(nr, parent_tidptr);
32387 -
32388 -+ gr_handle_brute_check();
32389 -+
32390 - if (clone_flags & CLONE_VFORK) {
32391 - p->vfork_done = &vfork;
32392 - init_completion(&vfork);
32393 -diff -urNp linux-2.6.24.4/kernel/futex.c linux-2.6.24.4/kernel/futex.c
32394 ---- linux-2.6.24.4/kernel/futex.c 2008-03-24 14:49:18.000000000 -0400
32395 -+++ linux-2.6.24.4/kernel/futex.c 2008-03-26 17:56:56.000000000 -0400
32396 -@@ -192,6 +192,11 @@ static int get_futex_key(u32 __user *uad
32397 - struct page *page;
32398 - int err;
32399 -
32400 -+#ifdef CONFIG_PAX_SEGMEXEC
32401 -+ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && address >= SEGMEXEC_TASK_SIZE)
32402 -+ return -EFAULT;
32403 -+#endif
32404 -+
32405 - /*
32406 - * The futex address must be "naturally" aligned.
32407 - */
32408 -@@ -218,8 +223,8 @@ static int get_futex_key(u32 __user *uad
32409 - * The futex is hashed differently depending on whether
32410 - * it's in a shared or private mapping. So check vma first.
32411 - */
32412 -- vma = find_extend_vma(mm, address);
32413 -- if (unlikely(!vma))
32414 -+ vma = find_vma(mm, address);
32415 -+ if (unlikely(!vma || address < vma->vm_start))
32416 - return -EFAULT;
32417 -
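Review bot: swapping `find_extend_vma()` for `find_vma()` plus an `address < vma->vm_start` check is a behavioural change beyond the SEGMEXEC guard in the previous hunk: `find_extend_vma()` grows a `VM_GROWSDOWN` stack vma to cover an address just below its current `vm_start`, whereas the new code returns `-EFAULT` for a futex word on a not-yet-extended stack page. If that is intended, say so in a comment; otherwise keep `find_extend_vma()` and add only the SEGMEXEC range check.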
32418 - /*
32419 -@@ -1962,7 +1967,7 @@ retry:
32420 - */
32421 - static inline int fetch_robust_entry(struct robust_list __user **entry,
32422 - struct robust_list __user * __user *head,
32423 -- int *pi)
32424 -+ unsigned int *pi)
32425 - {
32426 - unsigned long uentry;
32427 -
32428 -diff -urNp linux-2.6.24.4/kernel/irq/handle.c linux-2.6.24.4/kernel/irq/handle.c
32429 ---- linux-2.6.24.4/kernel/irq/handle.c 2008-03-24 14:49:18.000000000 -0400
32430 -+++ linux-2.6.24.4/kernel/irq/handle.c 2008-03-26 17:56:56.000000000 -0400
32431 -@@ -55,7 +55,8 @@ struct irq_desc irq_desc[NR_IRQS] __cach
32432 - .depth = 1,
32433 - .lock = __SPIN_LOCK_UNLOCKED(irq_desc->lock),
32434 - #ifdef CONFIG_SMP
32435 -- .affinity = CPU_MASK_ALL
32436 -+ .affinity = CPU_MASK_ALL,
32437 -+ .cpu = 0,
32438 - #endif
32439 - }
32440 - };
32441 -diff -urNp linux-2.6.24.4/kernel/kallsyms.c linux-2.6.24.4/kernel/kallsyms.c
32442 ---- linux-2.6.24.4/kernel/kallsyms.c 2008-03-24 14:49:18.000000000 -0400
32443 -+++ linux-2.6.24.4/kernel/kallsyms.c 2008-03-26 17:56:56.000000000 -0400
32444 -@@ -70,6 +70,19 @@ static inline int is_kernel_text(unsigne
32445 -
32446 - static inline int is_kernel(unsigned long addr)
32447 - {
32448 -+
32449 -+#ifdef CONFIG_PAX_KERNEXEC
32450 -+
32451 -+#ifdef CONFIG_MODULES
32452 -+ if ((unsigned long)MODULES_VADDR <= ktla_ktva(addr) &&
32453 -+ ktla_ktva(addr) < (unsigned long)MODULES_END)
32454 -+ return 0;
32455 -+#endif
32456 -+
32457 -+ if (is_kernel_inittext(addr))
32458 -+ return 1;
32459 -+#endif
32460 -+
32461 - if (addr >= (unsigned long)_stext && addr <= (unsigned long)_end)
32462 - return 1;
32463 - return in_gate_area_no_task(addr);
32464 -@@ -378,7 +391,6 @@ static unsigned long get_ksymbol_core(st
32465 -
32466 - static void reset_iter(struct kallsym_iter *iter, loff_t new_pos)
32467 - {
32468 -- iter->name[0] = '\0';
32469 - iter->nameoff = get_symbol_offset(new_pos);
32470 - iter->pos = new_pos;
32471 - }
32472 -@@ -462,7 +474,7 @@ static int kallsyms_open(struct inode *i
32473 - struct kallsym_iter *iter;
32474 - int ret;
32475 -
32476 -- iter = kmalloc(sizeof(*iter), GFP_KERNEL);
32477 -+ iter = kzalloc(sizeof(*iter), GFP_KERNEL);
32478 - if (!iter)
32479 - return -ENOMEM;
32480 - reset_iter(iter, 0);
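Review bot: changing `kmalloc()` to `kzalloc()` zero-fills `iter->name` once at open time, while the previous hunk removes the `iter->name[0] = '\0'` reset from `reset_iter()`, which runs on every seek; after the first symbol has been formatted, a later `reset_iter()` therefore leaves the previous name in the buffer. If the per-reset clearing was redundant because the name is always rewritten before it is read, record that in the patch description; otherwise keep the reset in `reset_iter()`.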
32481 -@@ -486,7 +498,15 @@ static int __init kallsyms_init(void)
32482 - {
32483 - struct proc_dir_entry *entry;
32484 -
32485 -+#ifdef CONFIG_GRKERNSEC_PROC_ADD
32486 -+#ifdef CONFIG_GRKERNSEC_PROC_USER
32487 -+ entry = create_proc_entry("kallsyms", S_IFREG | S_IRUSR, NULL);
32488 -+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
32489 -+ entry = create_proc_entry("kallsyms", S_IFREG | S_IRUSR | S_IRGRP, NULL);
32490 -+#endif
32491 -+#else
32492 - entry = create_proc_entry("kallsyms", 0444, NULL);
32493 -+#endif
32494 - if (entry)
32495 - entry->proc_fops = &kallsyms_operations;
32496 - return 0;
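Review bot: same uninitialised-`entry` hazard as in the `kernel/configs.c` hunk: with `CONFIG_GRKERNSEC_PROC_ADD` set but neither `CONFIG_GRKERNSEC_PROC_USER` nor `CONFIG_GRKERNSEC_PROC_USERGROUP`, no `create_proc_entry()` call is compiled and `if (entry)` tests an indeterminate value. Add an `#else`/`#error` in the inner block or initialise `entry = NULL` at its declaration.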
32497 -diff -urNp linux-2.6.24.4/kernel/kmod.c linux-2.6.24.4/kernel/kmod.c
32498 ---- linux-2.6.24.4/kernel/kmod.c 2008-03-24 14:49:18.000000000 -0400
32499 -+++ linux-2.6.24.4/kernel/kmod.c 2008-03-26 17:56:56.000000000 -0400
32500 -@@ -107,7 +107,7 @@ int request_module(const char *fmt, ...)
32501 - return -ENOMEM;
32502 - }
32503 -
32504 -- ret = call_usermodehelper(modprobe_path, argv, envp, 1);
32505 -+ ret = call_usermodehelper(modprobe_path, argv, envp, UMH_WAIT_PROC);
32506 - atomic_dec(&kmod_concurrent);
32507 - return ret;
32508 - }
32509 -diff -urNp linux-2.6.24.4/kernel/kprobes.c linux-2.6.24.4/kernel/kprobes.c
32510 ---- linux-2.6.24.4/kernel/kprobes.c 2008-03-24 14:49:18.000000000 -0400
32511 -+++ linux-2.6.24.4/kernel/kprobes.c 2008-03-26 17:56:56.000000000 -0400
32512 -@@ -162,7 +162,7 @@ kprobe_opcode_t __kprobes *get_insn_slot
32513 - * kernel image and loaded module images reside. This is required
32514 - * so x86_64 can correctly handle the %rip-relative fixups.
32515 - */
32516 -- kip->insns = module_alloc(PAGE_SIZE);
32517 -+ kip->insns = module_alloc_exec(PAGE_SIZE);
32518 - if (!kip->insns) {
32519 - kfree(kip);
32520 - return NULL;
32521 -@@ -194,7 +194,7 @@ static int __kprobes collect_one_slot(st
32522 - hlist_add_head(&kip->hlist,
32523 - &kprobe_insn_pages);
32524 - } else {
32525 -- module_free(NULL, kip->insns);
32526 -+ module_free_exec(NULL, kip->insns);
32527 - kfree(kip);
32528 - }
32529 - return 1;
32530 -diff -urNp linux-2.6.24.4/kernel/module.c linux-2.6.24.4/kernel/module.c
32531 ---- linux-2.6.24.4/kernel/module.c 2008-03-24 14:49:18.000000000 -0400
32532 -+++ linux-2.6.24.4/kernel/module.c 2008-03-26 17:56:56.000000000 -0400
32533 -@@ -45,6 +45,11 @@
32534 - #include <asm/uaccess.h>
32535 - #include <asm/semaphore.h>
32536 - #include <asm/cacheflush.h>
32537 -+
32538 -+#ifdef CONFIG_PAX_KERNEXEC
32539 -+#include <asm/desc.h>
32540 -+#endif
32541 -+
32542 - #include <linux/license.h>
32543 -
32544 - extern int module_sysfs_initialized;
32545 -@@ -69,6 +74,8 @@ static LIST_HEAD(modules);
32546 -
32547 - static BLOCKING_NOTIFIER_HEAD(module_notify_list);
32548 -
32549 -+extern int gr_check_modstop(void);
32550 -+
32551 - int register_module_notifier(struct notifier_block * nb)
32552 - {
32553 - return blocking_notifier_chain_register(&module_notify_list, nb);
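Review bot: `extern int gr_check_modstop(void);` is declared locally in `kernel/module.c`; move the prototype into a shared header so the two call sites in `sys_delete_module()` and `sys_init_module()` below use one compiler-checked declaration, consistent with how the other `gr_*` hooks in this patch are pulled in via `<linux/grsecurity.h>`.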
32554 -@@ -349,7 +356,7 @@ static void *percpu_modalloc(unsigned lo
32555 - unsigned int i;
32556 - void *ptr;
32557 -
32558 -- if (align > PAGE_SIZE) {
32559 -+ if (align-1 >= PAGE_SIZE) {
32560 - printk(KERN_WARNING "%s: per-cpu alignment %li > %li\n",
32561 - name, align, PAGE_SIZE);
32562 - align = PAGE_SIZE;
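Review bot: `align-1 >= PAGE_SIZE` differs from `align > PAGE_SIZE` only when `align == 0`, where the unsigned subtraction wraps and the test becomes true. The intent (reject a zero alignment as well as an oversized one) is clearer as `if (align == 0 || align > PAGE_SIZE)`, and the `printk()` on the following lines would then not claim `0 > PAGE_SIZE`. Minor style point: `align - 1` with spaces matches the surrounding code.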
32563 -@@ -662,6 +669,9 @@ sys_delete_module(const char __user *nam
32564 - char name[MODULE_NAME_LEN];
32565 - int ret, forced = 0;
32566 -
32567 -+ if (gr_check_modstop())
32568 -+ return -EPERM;
32569 -+
32570 - if (!capable(CAP_SYS_MODULE))
32571 - return -EPERM;
32572 -
32573 -@@ -1310,16 +1320,19 @@ static void free_module(struct module *m
32574 - module_unload_free(mod);
32575 -
32576 - /* This may be NULL, but that's OK */
32577 -- module_free(mod, mod->module_init);
32578 -+ module_free(mod, mod->module_init_rw);
32579 -+ module_free_exec(mod, mod->module_init_rx);
32580 - kfree(mod->args);
32581 - if (mod->percpu)
32582 - percpu_modfree(mod->percpu);
32583 -
32584 - /* Free lock-classes: */
32585 -- lockdep_free_key_range(mod->module_core, mod->core_size);
32586 -+ lockdep_free_key_range(mod->module_core_rx, mod->core_size_rx);
32587 -+ lockdep_free_key_range(mod->module_core_rw, mod->core_size_rw);
32588 -
32589 - /* Finally, free the core (containing the module structure) */
32590 -- module_free(mod, mod->module_core);
32591 -+ module_free_exec(mod, mod->module_core_rx);
32592 -+ module_free(mod, mod->module_core_rw);
32593 - }
32594 -
32595 - void *__symbol_get(const char *symbol)
32596 -@@ -1380,10 +1393,14 @@ static int simplify_symbols(Elf_Shdr *se
32597 - struct module *mod)
32598 - {
32599 - Elf_Sym *sym = (void *)sechdrs[symindex].sh_addr;
32600 -- unsigned long secbase;
32601 -+ unsigned long secbase, symbol;
32602 - unsigned int i, n = sechdrs[symindex].sh_size / sizeof(Elf_Sym);
32603 - int ret = 0;
32604 -
32605 -+#ifdef CONFIG_PAX_KERNEXEC
32606 -+ unsigned long cr0;
32607 -+#endif
32608 -+
32609 - for (i = 1; i < n; i++) {
32610 - switch (sym[i].st_shndx) {
32611 - case SHN_COMMON:
32612 -@@ -1402,10 +1419,19 @@ static int simplify_symbols(Elf_Shdr *se
32613 - break;
32614 -
32615 - case SHN_UNDEF:
32616 -- sym[i].st_value
32617 -- = resolve_symbol(sechdrs, versindex,
32618 -+ symbol = resolve_symbol(sechdrs, versindex,
32619 - strtab + sym[i].st_name, mod);
32620 -
32621 -+#ifdef CONFIG_PAX_KERNEXEC
32622 -+ pax_open_kernel(cr0);
32623 -+#endif
32624 -+
32625 -+ sym[i].st_value = symbol;
32626 -+
32627 -+#ifdef CONFIG_PAX_KERNEXEC
32628 -+ pax_close_kernel(cr0);
32629 -+#endif
32630 -+
32631 - /* Ok if resolved. */
32632 - if (sym[i].st_value != 0)
32633 - break;
32634 -@@ -1420,11 +1446,27 @@ static int simplify_symbols(Elf_Shdr *se
32635 -
32636 - default:
32637 - /* Divert to percpu allocation if a percpu var. */
32638 -- if (sym[i].st_shndx == pcpuindex)
32639 -+ if (sym[i].st_shndx == pcpuindex) {
32640 -+
32641 -+#if defined(CONFIG_X86_32) && defined(CONFIG_SMP)
32642 -+ secbase = (unsigned long)mod->percpu - (unsigned long)__per_cpu_start;
32643 -+#else
32644 - secbase = (unsigned long)mod->percpu;
32645 -- else
32646 -+#endif
32647 -+
32648 -+ } else
32649 - secbase = sechdrs[sym[i].st_shndx].sh_addr;
32650 -+
32651 -+#ifdef CONFIG_PAX_KERNEXEC
32652 -+ pax_open_kernel(cr0);
32653 -+#endif
32654 -+
32655 - sym[i].st_value += secbase;
32656 -+
32657 -+#ifdef CONFIG_PAX_KERNEXEC
32658 -+ pax_close_kernel(cr0);
32659 -+#endif
32660 -+
32661 - break;
32662 - }
32663 - }
32664 -@@ -1476,11 +1518,14 @@ static void layout_sections(struct modul
32665 - || strncmp(secstrings + s->sh_name,
32666 - ".init", 5) == 0)
32667 - continue;
32668 -- s->sh_entsize = get_offset(&mod->core_size, s);
32669 -+ if ((s->sh_flags & SHF_WRITE) || !(s->sh_flags & SHF_ALLOC))
32670 -+ s->sh_entsize = get_offset(&mod->core_size_rw, s);
32671 -+ else
32672 -+ s->sh_entsize = get_offset(&mod->core_size_rx, s);
32673 - DEBUGP("\t%s\n", secstrings + s->sh_name);
32674 - }
32675 - if (m == 0)
32676 -- mod->core_text_size = mod->core_size;
32677 -+ mod->core_size_rx = mod->core_size_rx;
32678 - }
32679 -
32680 - DEBUGP("Init section allocation order:\n");
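Review bot: `mod->core_size_rx = mod->core_size_rx;` on the `m == 0` branch is a self-assignment and therefore a no-op; the original `mod->core_text_size = mod->core_size;` recorded the end of the text after the first (executable) pass. With the rx/rw split the executable size is already tracked in `core_size_rx`, so either delete the statement or, if a separate text boundary is still needed, assign to a distinct field.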
32681 -@@ -1494,12 +1539,15 @@ static void layout_sections(struct modul
32682 - || strncmp(secstrings + s->sh_name,
32683 - ".init", 5) != 0)
32684 - continue;
32685 -- s->sh_entsize = (get_offset(&mod->init_size, s)
32686 -- | INIT_OFFSET_MASK);
32687 -+ if ((s->sh_flags & SHF_WRITE) || !(s->sh_flags & SHF_ALLOC))
32688 -+ s->sh_entsize = get_offset(&mod->init_size_rw, s);
32689 -+ else
32690 -+ s->sh_entsize = get_offset(&mod->init_size_rx, s);
32691 -+ s->sh_entsize |= INIT_OFFSET_MASK;
32692 - DEBUGP("\t%s\n", secstrings + s->sh_name);
32693 - }
32694 - if (m == 0)
32695 -- mod->init_text_size = mod->init_size;
32696 -+ mod->init_size_rx = mod->init_size_rx;
32697 - }
32698 - }
32699 -
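Review bot: `mod->init_size_rx = mod->init_size_rx;` is the same no-op self-assignment as in the core-section hunk above; drop it or assign to the field that is really meant. Separating the `INIT_OFFSET_MASK` tagging into its own `s->sh_entsize |= INIT_OFFSET_MASK;` line is an improvement over the original compound expression.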
32700 -@@ -1626,14 +1674,31 @@ static void add_kallsyms(struct module *
32701 - {
32702 - unsigned int i;
32703 -
32704 -+#ifdef CONFIG_PAX_KERNEXEC
32705 -+ unsigned long cr0;
32706 -+#endif
32707 -+
32708 - mod->symtab = (void *)sechdrs[symindex].sh_addr;
32709 - mod->num_symtab = sechdrs[symindex].sh_size / sizeof(Elf_Sym);
32710 - mod->strtab = (void *)sechdrs[strindex].sh_addr;
32711 -
32712 - /* Set types up while we still have access to sections. */
32713 -- for (i = 0; i < mod->num_symtab; i++)
32714 -- mod->symtab[i].st_info
32715 -- = elf_type(&mod->symtab[i], sechdrs, secstrings, mod);
32716 -+
32717 -+ for (i = 0; i < mod->num_symtab; i++) {
32718 -+ char type = elf_type(&mod->symtab[i], sechdrs, secstrings, mod);
32719 -+
32720 -+#ifdef CONFIG_PAX_KERNEXEC
32721 -+ pax_open_kernel(cr0);
32722 -+#endif
32723 -+
32724 -+ mod->symtab[i].st_info = type;
32725 -+
32726 -+#ifdef CONFIG_PAX_KERNEXEC
32727 -+ pax_close_kernel(cr0);
32728 -+#endif
32729 -+
32730 -+ }
32731 -+
32732 - }
32733 - #else
32734 - static inline void add_kallsyms(struct module *mod,
32735 -@@ -1683,6 +1748,10 @@ static struct module *load_module(void _
32736 - struct exception_table_entry *extable;
32737 - mm_segment_t old_fs;
32738 -
32739 -+#ifdef CONFIG_PAX_KERNEXEC
32740 -+ unsigned long cr0;
32741 -+#endif
32742 -+
32743 - DEBUGP("load_module: umod=%p, len=%lu, uargs=%p\n",
32744 - umod, len, uargs);
32745 - if (len < sizeof(*hdr))
32746 -@@ -1841,21 +1910,57 @@ static struct module *load_module(void _
32747 - layout_sections(mod, hdr, sechdrs, secstrings);
32748 -
32749 - /* Do the allocs. */
32750 -- ptr = module_alloc(mod->core_size);
32751 -+ ptr = module_alloc(mod->core_size_rw);
32752 - if (!ptr) {
32753 - err = -ENOMEM;
32754 - goto free_percpu;
32755 - }
32756 -- memset(ptr, 0, mod->core_size);
32757 -- mod->module_core = ptr;
32758 -+ memset(ptr, 0, mod->core_size_rw);
32759 -+ mod->module_core_rw = ptr;
32760 -
32761 -- ptr = module_alloc(mod->init_size);
32762 -- if (!ptr && mod->init_size) {
32763 -+ ptr = module_alloc(mod->init_size_rw);
32764 -+ if (!ptr && mod->init_size_rw) {
32765 -+ err = -ENOMEM;
32766 -+ goto free_core_rw;
32767 -+ }
32768 -+ memset(ptr, 0, mod->init_size_rw);
32769 -+ mod->module_init_rw = ptr;
32770 -+
32771 -+ ptr = module_alloc_exec(mod->core_size_rx);
32772 -+ if (!ptr) {
32773 - err = -ENOMEM;
32774 -- goto free_core;
32775 -+ goto free_init_rw;
32776 - }
32777 -- memset(ptr, 0, mod->init_size);
32778 -- mod->module_init = ptr;
32779 -+
32780 -+#ifdef CONFIG_PAX_KERNEXEC
32781 -+ pax_open_kernel(cr0);
32782 -+#endif
32783 -+
32784 -+ memset(ptr, 0, mod->core_size_rx);
32785 -+
32786 -+#ifdef CONFIG_PAX_KERNEXEC
32787 -+ pax_close_kernel(cr0);
32788 -+#endif
32789 -+
32790 -+ mod->module_core_rx = ptr;
32791 -+
32792 -+ ptr = module_alloc_exec(mod->init_size_rx);
32793 -+ if (!ptr && mod->init_size_rx) {
32794 -+ err = -ENOMEM;
32795 -+ goto free_core_rx;
32796 -+ }
32797 -+
32798 -+#ifdef CONFIG_PAX_KERNEXEC
32799 -+ pax_open_kernel(cr0);
32800 -+#endif
32801 -+
32802 -+ memset(ptr, 0, mod->init_size_rx);
32803 -+
32804 -+#ifdef CONFIG_PAX_KERNEXEC
32805 -+ pax_close_kernel(cr0);
32806 -+#endif
32807 -+
32808 -+ mod->module_init_rx = ptr;
32809 -
32810 - /* Transfer each section which specifies SHF_ALLOC */
32811 - DEBUGP("final section addresses:\n");
32812 -@@ -1865,17 +1970,41 @@ static struct module *load_module(void _
32813 - if (!(sechdrs[i].sh_flags & SHF_ALLOC))
32814 - continue;
32815 -
32816 -- if (sechdrs[i].sh_entsize & INIT_OFFSET_MASK)
32817 -- dest = mod->module_init
32818 -- + (sechdrs[i].sh_entsize & ~INIT_OFFSET_MASK);
32819 -- else
32820 -- dest = mod->module_core + sechdrs[i].sh_entsize;
32821 -+ if (sechdrs[i].sh_entsize & INIT_OFFSET_MASK) {
32822 -+ if ((sechdrs[i].sh_flags & SHF_WRITE) || !(sechdrs[i].sh_flags & SHF_ALLOC))
32823 -+ dest = mod->module_init_rw
32824 -+ + (sechdrs[i].sh_entsize & ~INIT_OFFSET_MASK);
32825 -+ else
32826 -+ dest = mod->module_init_rx
32827 -+ + (sechdrs[i].sh_entsize & ~INIT_OFFSET_MASK);
32828 -+ } else {
32829 -+ if ((sechdrs[i].sh_flags & SHF_WRITE) || !(sechdrs[i].sh_flags & SHF_ALLOC))
32830 -+ dest = mod->module_core_rw + sechdrs[i].sh_entsize;
32831 -+ else
32832 -+ dest = mod->module_core_rx + sechdrs[i].sh_entsize;
32833 -+ }
32834 -
32835 -- if (sechdrs[i].sh_type != SHT_NOBITS)
32836 -- memcpy(dest, (void *)sechdrs[i].sh_addr,
32837 -- sechdrs[i].sh_size);
32838 -+ if (sechdrs[i].sh_type != SHT_NOBITS) {
32839 -+
32840 -+#ifdef CONFIG_PAX_KERNEXEC
32841 -+ if (!(sechdrs[i].sh_flags & SHF_WRITE) && (sechdrs[i].sh_flags & SHF_ALLOC)) {
32842 -+ pax_open_kernel(cr0);
32843 -+ memcpy(dest, (void *)sechdrs[i].sh_addr, sechdrs[i].sh_size);
32844 -+ pax_close_kernel(cr0);
32845 -+ } else
32846 -+#endif
32847 -+
32848 -+ memcpy(dest, (void *)sechdrs[i].sh_addr, sechdrs[i].sh_size);
32849 -+ }
32850 - /* Update sh_addr to point to copy in image. */
32851 -- sechdrs[i].sh_addr = (unsigned long)dest;
32852 -+
32853 -+#ifdef CONFIG_PAX_KERNEXEC
32854 -+ if (sechdrs[i].sh_flags & SHF_EXECINSTR)
32855 -+ sechdrs[i].sh_addr = ktva_ktla((unsigned long)dest);
32856 -+ else
32857 -+#endif
32858 -+
32859 -+ sechdrs[i].sh_addr = (unsigned long)dest;
32860 - DEBUGP("\t0x%lx %s\n", sechdrs[i].sh_addr, secstrings + sechdrs[i].sh_name);
32861 - }
32862 - /* Module has been moved. */
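Review bot: the `|| !(sechdrs[i].sh_flags & SHF_ALLOC)` term in both new `dest` selections is dead code, since the loop already `continue`s on `!(sechdrs[i].sh_flags & SHF_ALLOC)` at its top; drop it (and the matching `&& (sechdrs[i].sh_flags & SHF_ALLOC)` in the KERNEXEC `memcpy()` condition) so the rx/rw decision reads as a single `SHF_WRITE` test. The `#ifdef CONFIG_PAX_KERNEXEC ... } else` / `#endif` construction that leaves a dangling `else` attached to a `memcpy()` outside the `#ifdef` is fragile; a small helper that opens the kernel only for read-only sections would keep the control flow intact in both configurations.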
32863 -@@ -2009,12 +2138,12 @@ static struct module *load_module(void _
32864 - * Do it before processing of module parameters, so the module
32865 - * can provide parameter accessor functions of its own.
32866 - */
32867 -- if (mod->module_init)
32868 -- flush_icache_range((unsigned long)mod->module_init,
32869 -- (unsigned long)mod->module_init
32870 -- + mod->init_size);
32871 -- flush_icache_range((unsigned long)mod->module_core,
32872 -- (unsigned long)mod->module_core + mod->core_size);
32873 -+ if (mod->module_init_rx)
32874 -+ flush_icache_range((unsigned long)mod->module_init_rx,
32875 -+ (unsigned long)mod->module_init_rx
32876 -+ + mod->init_size_rx);
32877 -+ flush_icache_range((unsigned long)mod->module_core_rx,
32878 -+ (unsigned long)mod->module_core_rx + mod->core_size_rx);
32879 -
32880 - set_fs(old_fs);
32881 -
32882 -@@ -2058,9 +2187,13 @@ static struct module *load_module(void _
32883 - module_arch_cleanup(mod);
32884 - cleanup:
32885 - module_unload_free(mod);
32886 -- module_free(mod, mod->module_init);
32887 -- free_core:
32888 -- module_free(mod, mod->module_core);
32889 -+ module_free_exec(mod, mod->module_init_rx);
32890 -+ free_core_rx:
32891 -+ module_free_exec(mod, mod->module_core_rx);
32892 -+ free_init_rw:
32893 -+ module_free(mod, mod->module_init_rw);
32894 -+ free_core_rw:
32895 -+ module_free(mod, mod->module_core_rw);
32896 - free_percpu:
32897 - if (percpu)
32898 - percpu_modfree(percpu);
32899 -@@ -2096,6 +2229,9 @@ sys_init_module(void __user *umod,
32900 - struct module *mod;
32901 - int ret = 0;
32902 -
32903 -+ if (gr_check_modstop())
32904 -+ return -EPERM;
32905 -+
32906 - /* Must have permission */
32907 - if (!capable(CAP_SYS_MODULE))
32908 - return -EPERM;
32909 -@@ -2142,10 +2278,12 @@ sys_init_module(void __user *umod,
32910 - /* Drop initial reference. */
32911 - module_put(mod);
32912 - unwind_remove_table(mod->unwind_info, 1);
32913 -- module_free(mod, mod->module_init);
32914 -- mod->module_init = NULL;
32915 -- mod->init_size = 0;
32916 -- mod->init_text_size = 0;
32917 -+ module_free(mod, mod->module_init_rw);
32918 -+ module_free_exec(mod, mod->module_init_rx);
32919 -+ mod->module_init_rw = NULL;
32920 -+ mod->module_init_rx = NULL;
32921 -+ mod->init_size_rw = 0;
32922 -+ mod->init_size_rx = 0;
32923 - mutex_unlock(&module_mutex);
32924 -
32925 - return 0;
32926 -@@ -2153,6 +2291,13 @@ sys_init_module(void __user *umod,
32927 -
32928 - static inline int within(unsigned long addr, void *start, unsigned long size)
32929 - {
32930 -+
32931 -+#ifdef CONFIG_PAX_KERNEXEC
32932 -+ if (ktla_ktva(addr) >= (unsigned long)start &&
32933 -+ ktla_ktva(addr) < (unsigned long)start + size)
32934 -+ return 1;
32935 -+#endif
32936 -+
32937 - return ((void *)addr >= start && (void *)addr < start + size);
32938 - }
32939 -
32940 -@@ -2176,10 +2321,14 @@ static const char *get_ksymbol(struct mo
32941 - unsigned long nextval;
32942 -
32943 - /* At worse, next value is at end of module */
32944 -- if (within(addr, mod->module_init, mod->init_size))
32945 -- nextval = (unsigned long)mod->module_init+mod->init_text_size;
32946 -+ if (within(addr, mod->module_init_rx, mod->init_size_rx))
32947 -+ nextval = (unsigned long)mod->module_init_rx+mod->init_size_rx;
32948 -+ else if (within(addr, mod->module_init_rw, mod->init_size_rw))
32949 -+ nextval = (unsigned long)mod->module_init_rw+mod->init_size_rw;
32950 -+ else if (within(addr, mod->module_core_rx, mod->core_size_rx))
32951 -+ nextval = (unsigned long)mod->module_core_rx+mod->core_size_rx;
32952 - else
32953 -- nextval = (unsigned long)mod->module_core+mod->core_text_size;
32954 -+ nextval = (unsigned long)mod->module_core_rw+mod->core_size_rw;
32955 -
32956 - /* Scan for closest preceeding symbol, and next symbol. (ELF
32957 - starts real symbols at 1). */
32958 -@@ -2225,8 +2374,10 @@ const char *module_address_lookup(unsign
32959 -
32960 - preempt_disable();
32961 - list_for_each_entry(mod, &modules, list) {
32962 -- if (within(addr, mod->module_init, mod->init_size)
32963 -- || within(addr, mod->module_core, mod->core_size)) {
32964 -+ if (within(addr, mod->module_init_rx, mod->init_size_rx) ||
32965 -+ within(addr, mod->module_init_rw, mod->init_size_rw) ||
32966 -+ within(addr, mod->module_core_rx, mod->core_size_rx) ||
32967 -+ within(addr, mod->module_core_rw, mod->core_size_rw)) {
32968 - if (modname)
32969 - *modname = mod->name;
32970 - ret = get_ksymbol(mod, addr, size, offset);
32971 -@@ -2243,8 +2394,10 @@ int lookup_module_symbol_name(unsigned l
32972 -
32973 - preempt_disable();
32974 - list_for_each_entry(mod, &modules, list) {
32975 -- if (within(addr, mod->module_init, mod->init_size) ||
32976 -- within(addr, mod->module_core, mod->core_size)) {
32977 -+ if (within(addr, mod->module_init_rx, mod->init_size_rx) ||
32978 -+ within(addr, mod->module_init_rw, mod->init_size_rw) ||
32979 -+ within(addr, mod->module_core_rx, mod->core_size_rx) ||
32980 -+ within(addr, mod->module_core_rw, mod->core_size_rw)) {
32981 - const char *sym;
32982 -
32983 - sym = get_ksymbol(mod, addr, NULL, NULL);
32984 -@@ -2267,8 +2420,10 @@ int lookup_module_symbol_attrs(unsigned
32985 -
32986 - preempt_disable();
32987 - list_for_each_entry(mod, &modules, list) {
32988 -- if (within(addr, mod->module_init, mod->init_size) ||
32989 -- within(addr, mod->module_core, mod->core_size)) {
32990 -+ if (within(addr, mod->module_init_rx, mod->init_size_rx) ||
32991 -+ within(addr, mod->module_init_rw, mod->init_size_rw) ||
32992 -+ within(addr, mod->module_core_rx, mod->core_size_rx) ||
32993 -+ within(addr, mod->module_core_rw, mod->core_size_rw)) {
32994 - const char *sym;
32995 -
32996 - sym = get_ksymbol(mod, addr, size, offset);
32997 -@@ -2390,7 +2545,7 @@ static int m_show(struct seq_file *m, vo
32998 - char buf[8];
32999 -
33000 - seq_printf(m, "%s %lu",
33001 -- mod->name, mod->init_size + mod->core_size);
33002 -+ mod->name, mod->init_size_rx + mod->init_size_rw + mod->core_size_rx + mod->core_size_rw);
33003 - print_unload_info(m, mod);
33004 -
33005 - /* Informative for users. */
33006 -@@ -2399,7 +2554,7 @@ static int m_show(struct seq_file *m, vo
33007 - mod->state == MODULE_STATE_COMING ? "Loading":
33008 - "Live");
33009 - /* Used by oprofile and other similar tools. */
33010 -- seq_printf(m, " 0x%p", mod->module_core);
33011 -+ seq_printf(m, " 0x%p 0x%p", mod->module_core_rx, mod->module_core_rw);
33012 -
33013 - /* Taints info */
33014 - if (mod->taints)
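Review bot: printing `0x%p 0x%p` for `module_core_rx` and `module_core_rw` appends a field to every `/proc/modules` line, and the comment directly above says that field is consumed by oprofile and similar tools, which expect a single address. Either keep one address in the existing position and expose the second elsewhere (a sysfs attribute, for example), or document the format change so userspace parsers can be updated.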
33015 -@@ -2455,7 +2610,8 @@ int is_module_address(unsigned long addr
33016 - preempt_disable();
33017 -
33018 - list_for_each_entry(mod, &modules, list) {
33019 -- if (within(addr, mod->module_core, mod->core_size)) {
33020 -+ if (within(addr, mod->module_core_rx, mod->core_size_rx) ||
33021 -+ within(addr, mod->module_core_rw, mod->core_size_rw)) {
33022 - preempt_enable();
33023 - return 1;
33024 - }
33025 -@@ -2473,8 +2629,8 @@ struct module *__module_text_address(uns
33026 - struct module *mod;
33027 -
33028 - list_for_each_entry(mod, &modules, list)
33029 -- if (within(addr, mod->module_init, mod->init_text_size)
33030 -- || within(addr, mod->module_core, mod->core_text_size))
33031 -+ if (within(addr, mod->module_init_rx, mod->init_size_rx)
33032 -+ || within(addr, mod->module_core_rx, mod->core_size_rx))
33033 - return mod;
33034 - return NULL;
33035 - }
33036 -diff -urNp linux-2.6.24.4/kernel/mutex.c linux-2.6.24.4/kernel/mutex.c
33037 ---- linux-2.6.24.4/kernel/mutex.c 2008-03-24 14:49:18.000000000 -0400
33038 -+++ linux-2.6.24.4/kernel/mutex.c 2008-03-26 17:56:56.000000000 -0400
33039 -@@ -82,7 +82,7 @@ __mutex_lock_slowpath(atomic_t *lock_cou
33040 - *
33041 - * This function is similar to (but not equivalent to) down().
33042 - */
33043 --void inline fastcall __sched mutex_lock(struct mutex *lock)
33044 -+inline void fastcall __sched mutex_lock(struct mutex *lock)
33045 - {
33046 - might_sleep();
33047 - /*
33048 -diff -urNp linux-2.6.24.4/kernel/panic.c linux-2.6.24.4/kernel/panic.c
33049 ---- linux-2.6.24.4/kernel/panic.c 2008-03-24 14:49:18.000000000 -0400
33050 -+++ linux-2.6.24.4/kernel/panic.c 2008-03-26 17:56:56.000000000 -0400
33051 -@@ -20,6 +20,7 @@
33052 - #include <linux/kexec.h>
33053 - #include <linux/debug_locks.h>
33054 - #include <linux/random.h>
33055 -+#include <linux/kallsyms.h>
33056 -
33057 - int panic_on_oops;
33058 - int tainted;
33059 -@@ -299,6 +300,8 @@ void oops_exit(void)
33060 - */
33061 - void __stack_chk_fail(void)
33062 - {
33063 -+ print_symbol("stack corrupted in: %s\n", (unsigned long)__builtin_return_address(0));
33064 -+ dump_stack();
33065 - panic("stack-protector: Kernel stack is corrupted");
33066 - }
33067 - EXPORT_SYMBOL(__stack_chk_fail);
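Review bot: the `__builtin_return_address(0)` printed here comes from the very frame whose canary check just failed, so the symbol name is untrusted and may be attacker-chosen; the message should say so, and `dump_stack()` walking a smashed stack can itself fault before `panic()` runs. If the diagnostics are meant to be best-effort, note that in a comment and use `printk(KERN_EMERG ...)` so the line is not dropped at a restrictive console loglevel.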
33068 -diff -urNp linux-2.6.24.4/kernel/params.c linux-2.6.24.4/kernel/params.c
33069 ---- linux-2.6.24.4/kernel/params.c 2008-03-24 14:49:18.000000000 -0400
33070 -+++ linux-2.6.24.4/kernel/params.c 2008-03-26 17:56:56.000000000 -0400
33071 -@@ -272,7 +272,7 @@ static int param_array(const char *name,
33072 - unsigned int min, unsigned int max,
33073 - void *elem, int elemsize,
33074 - int (*set)(const char *, struct kernel_param *kp),
33075 -- int *num)
33076 -+ unsigned int *num)
33077 - {
33078 - int ret;
33079 - struct kernel_param kp;
33080 -diff -urNp linux-2.6.24.4/kernel/pid.c linux-2.6.24.4/kernel/pid.c
33081 ---- linux-2.6.24.4/kernel/pid.c 2008-03-24 14:49:18.000000000 -0400
33082 -+++ linux-2.6.24.4/kernel/pid.c 2008-03-26 17:56:56.000000000 -0400
33083 -@@ -35,6 +35,7 @@
33084 - #include <linux/pid_namespace.h>
33085 - #include <linux/init_task.h>
33086 - #include <linux/syscalls.h>
33087 -+#include <linux/grsecurity.h>
33088 -
33089 - #define pid_hashfn(nr, ns) \
33090 - hash_long((unsigned long)nr + (unsigned long)ns, pidhash_shift)
33091 -@@ -45,7 +46,7 @@ static struct kmem_cache *pid_ns_cachep;
33092 -
33093 - int pid_max = PID_MAX_DEFAULT;
33094 -
33095 --#define RESERVED_PIDS 300
33096 -+#define RESERVED_PIDS 500
33097 -
33098 - int pid_max_min = RESERVED_PIDS + 1;
33099 - int pid_max_max = PID_MAX_LIMIT;
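Review bot: raising RESERVED_PIDS from 300 to 500 has no rationale in the hunk and also moves `pid_max_min` to 501, so `kernel.pid_max` can no longer be set below that value; a one-line comment on why more low PIDs are reserved would help whoever rebases this later.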
33100 -@@ -375,7 +376,14 @@ struct task_struct * fastcall pid_task(s
33101 - struct task_struct *find_task_by_pid_type_ns(int type, int nr,
33102 - struct pid_namespace *ns)
33103 - {
33104 -- return pid_task(find_pid_ns(nr, ns), type);
33105 -+ struct task_struct *task;
33106 -+
33107 -+ task = pid_task(find_pid_ns(nr, ns), type);
33108 -+
33109 -+ if (gr_pid_is_chrooted(task))
33110 -+ return NULL;
33111 -+
33112 -+ return task;
33113 - }
33114 -
33115 - EXPORT_SYMBOL(find_task_by_pid_type_ns);
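Review bot: `pid_task()` can return NULL and `gr_pid_is_chrooted(task)` is then called with a NULL task; unless that helper checks for it, guard here with `if (task && gr_pid_is_chrooted(task))`. It is also worth a comment that every in-kernel caller of `find_task_by_pid_type_ns()` now gets chroot-filtered results, which is why `sys_setpgid()` later in this patch has to bypass it.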
33116 -diff -urNp linux-2.6.24.4/kernel/posix-cpu-timers.c linux-2.6.24.4/kernel/posix-cpu-timers.c
33117 ---- linux-2.6.24.4/kernel/posix-cpu-timers.c 2008-03-24 14:49:18.000000000 -0400
33118 -+++ linux-2.6.24.4/kernel/posix-cpu-timers.c 2008-03-26 17:56:56.000000000 -0400
33119 -@@ -6,6 +6,7 @@
33120 - #include <linux/posix-timers.h>
33121 - #include <asm/uaccess.h>
33122 - #include <linux/errno.h>
33123 -+#include <linux/grsecurity.h>
33124 -
33125 - static int check_clock(const clockid_t which_clock)
33126 - {
33127 -@@ -1144,6 +1145,7 @@ static void check_process_timers(struct
33128 - __group_send_sig_info(SIGKILL, SEND_SIG_PRIV, tsk);
33129 - return;
33130 - }
33131 -+ gr_learn_resource(tsk, RLIMIT_CPU, psecs, 1);
33132 - if (psecs >= sig->rlim[RLIMIT_CPU].rlim_cur) {
33133 - /*
33134 - * At the soft limit, send a SIGXCPU every second.
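Review bot: `gr_learn_resource()` is placed after the hard-limit path, which returns right after sending SIGKILL, so a process killed at the RLIMIT_CPU hard limit never has that usage recorded; if learning mode is meant to capture peak CPU use, move the call above the hard-limit check.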
33135 -diff -urNp linux-2.6.24.4/kernel/power/poweroff.c linux-2.6.24.4/kernel/power/poweroff.c
33136 ---- linux-2.6.24.4/kernel/power/poweroff.c 2008-03-24 14:49:18.000000000 -0400
33137 -+++ linux-2.6.24.4/kernel/power/poweroff.c 2008-03-26 17:56:56.000000000 -0400
33138 -@@ -35,7 +35,7 @@ static struct sysrq_key_op sysrq_powerof
33139 - .enable_mask = SYSRQ_ENABLE_BOOT,
33140 - };
33141 -
33142 --static int pm_sysrq_init(void)
33143 -+static int __init pm_sysrq_init(void)
33144 - {
33145 - register_sysrq_key('o', &sysrq_poweroff_op);
33146 - return 0;
33147 -diff -urNp linux-2.6.24.4/kernel/printk.c linux-2.6.24.4/kernel/printk.c
33148 ---- linux-2.6.24.4/kernel/printk.c 2008-03-24 14:49:18.000000000 -0400
33149 -+++ linux-2.6.24.4/kernel/printk.c 2008-03-26 17:56:56.000000000 -0400
33150 -@@ -33,6 +33,7 @@
33151 - #include <linux/bootmem.h>
33152 - #include <linux/syscalls.h>
33153 - #include <linux/jiffies.h>
33154 -+#include <linux/grsecurity.h>
33155 -
33156 - #include <asm/uaccess.h>
33157 -
33158 -@@ -293,6 +294,11 @@ int do_syslog(int type, char __user *buf
33159 - char c;
33160 - int error = 0;
33161 -
33162 -+#ifdef CONFIG_GRKERNSEC_DMESG
33163 -+ if (grsec_enable_dmesg && !capable(CAP_SYS_ADMIN))
33164 -+ return -EPERM;
33165 -+#endif
33166 -+
33167 - error = security_syslog(type);
33168 - if (error)
33169 - return error;
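Review bot: the CONFIG_GRKERNSEC_DMESG check applies to every `type`, including the read-only and buffer-size queries, and returns before `security_syslog()`, so an LSM never sees or audits the denied request. It also uses `capable()` rather than the `capable_nolog()` variant this patch introduces in kernel/ptrace.c; if grsecurity's `capable()` logs denials, that is one log line per unprivileged `dmesg` attempt, which may or may not be wanted.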
33170 -diff -urNp linux-2.6.24.4/kernel/ptrace.c linux-2.6.24.4/kernel/ptrace.c
33171 ---- linux-2.6.24.4/kernel/ptrace.c 2008-03-24 14:49:18.000000000 -0400
33172 -+++ linux-2.6.24.4/kernel/ptrace.c 2008-03-26 17:56:56.000000000 -0400
33173 -@@ -20,6 +20,7 @@
33174 - #include <linux/signal.h>
33175 - #include <linux/audit.h>
33176 - #include <linux/pid_namespace.h>
33177 -+#include <linux/grsecurity.h>
33178 -
33179 - #include <asm/pgtable.h>
33180 - #include <asm/uaccess.h>
33181 -@@ -139,12 +140,12 @@ int __ptrace_may_attach(struct task_stru
33182 - (current->uid != task->uid) ||
33183 - (current->gid != task->egid) ||
33184 - (current->gid != task->sgid) ||
33185 -- (current->gid != task->gid)) && !capable(CAP_SYS_PTRACE))
33186 -+ (current->gid != task->gid)) && !capable_nolog(CAP_SYS_PTRACE))
33187 - return -EPERM;
33188 - smp_rmb();
33189 - if (task->mm)
33190 - dumpable = get_dumpable(task->mm);
33191 -- if (!dumpable && !capable(CAP_SYS_PTRACE))
33192 -+ if (!dumpable && !capable_nolog(CAP_SYS_PTRACE))
33193 - return -EPERM;
33194 -
33195 - return security_ptrace(current, task);
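Review bot: swapping `capable()` for `capable_nolog()` is reasonable for the uid/gid mismatch probe, which runs on every attach attempt, but the same swap on the dumpable check two lines down means an attach to a non-dumpable (set-uid) target granted via CAP_SYS_PTRACE no longer leaves a capability-use record; make sure `gr_handle_ptrace()` or the audit path logs that case.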
33196 -@@ -203,7 +204,7 @@ repeat:
33197 - /* Go */
33198 - task->ptrace |= PT_PTRACED | ((task->real_parent != current)
33199 - ? PT_ATTACHED : 0);
33200 -- if (capable(CAP_SYS_PTRACE))
33201 -+ if (capable_nolog(CAP_SYS_PTRACE))
33202 - task->ptrace |= PT_PTRACE_CAP;
33203 -
33204 - __ptrace_link(task, current);
33205 -@@ -494,6 +495,11 @@ asmlinkage long sys_ptrace(long request,
33206 - if (ret < 0)
33207 - goto out_put_task_struct;
33208 -
33209 -+ if (gr_handle_ptrace(child, request)) {
33210 -+ ret = -EPERM;
33211 -+ goto out_put_task_struct;
33212 -+ }
33213 -+
33214 - ret = arch_ptrace(child, request, addr, data);
33215 - if (ret < 0)
33216 - goto out_put_task_struct;
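Review bot: `gr_handle_ptrace(child, request)` sits after `ptrace_check_attach()` and just before `arch_ptrace()`, so it only filters requests on an already established trace; PTRACE_ATTACH and PTRACE_TRACEME are dispatched earlier in `sys_ptrace()` and are not covered by this hunk. If the policy is meant to deny attaching at all, that needs its own hook on the attach path.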
33217 -diff -urNp linux-2.6.24.4/kernel/rcupdate.c linux-2.6.24.4/kernel/rcupdate.c
33218 ---- linux-2.6.24.4/kernel/rcupdate.c 2008-03-24 14:49:18.000000000 -0400
33219 -+++ linux-2.6.24.4/kernel/rcupdate.c 2008-03-26 17:56:56.000000000 -0400
33220 -@@ -70,11 +70,11 @@ static struct rcu_ctrlblk rcu_bh_ctrlblk
33221 - .cpumask = CPU_MASK_NONE,
33222 - };
33223 -
33224 --DEFINE_PER_CPU(struct rcu_data, rcu_data) = { 0L };
33225 --DEFINE_PER_CPU(struct rcu_data, rcu_bh_data) = { 0L };
33226 -+DEFINE_PER_CPU(struct rcu_data, rcu_data);
33227 -+DEFINE_PER_CPU(struct rcu_data, rcu_bh_data);
33228 -
33229 - /* Fake initialization required by compiler */
33230 --static DEFINE_PER_CPU(struct tasklet_struct, rcu_tasklet) = {NULL};
33231 -+static DEFINE_PER_CPU(struct tasklet_struct, rcu_tasklet);
33232 - static int blimit = 10;
33233 - static int qhimark = 10000;
33234 - static int qlowmark = 100;
33235 -diff -urNp linux-2.6.24.4/kernel/relay.c linux-2.6.24.4/kernel/relay.c
33236 ---- linux-2.6.24.4/kernel/relay.c 2008-03-24 14:49:18.000000000 -0400
33237 -+++ linux-2.6.24.4/kernel/relay.c 2008-03-26 17:56:56.000000000 -0400
33238 -@@ -1141,7 +1141,7 @@ static int subbuf_splice_actor(struct fi
33239 - return 0;
33240 -
33241 - ret = *nonpad_ret = splice_to_pipe(pipe, &spd);
33242 -- if (ret < 0 || ret < total_len)
33243 -+ if ((int)ret < 0 || ret < total_len)
33244 - return ret;
33245 -
33246 - if (read_start + ret == nonpad_end)
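Review bot: the `(int)ret` cast implies `ret` is unsigned, meaning the original `ret < 0` was always false and a negative return from `splice_to_pipe()` fell through as a byte count. Casting to `int` narrows a 64-bit value; since the comparison only needs to catch negative errno values, `(ssize_t)ret < 0`, or declaring `ret` as `ssize_t`, would be the clearer fix.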
33247 -diff -urNp linux-2.6.24.4/kernel/resource.c linux-2.6.24.4/kernel/resource.c
33248 ---- linux-2.6.24.4/kernel/resource.c 2008-03-24 14:49:18.000000000 -0400
33249 -+++ linux-2.6.24.4/kernel/resource.c 2008-03-26 17:56:56.000000000 -0400
33250 -@@ -133,10 +133,27 @@ static int __init ioresources_init(void)
33251 - {
33252 - struct proc_dir_entry *entry;
33253 -
33254 -+#ifdef CONFIG_GRKERNSEC_PROC_ADD
33255 -+#ifdef CONFIG_GRKERNSEC_PROC_USER
33256 -+ entry = create_proc_entry("ioports", S_IRUSR, NULL);
33257 -+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
33258 -+ entry = create_proc_entry("ioports", S_IRUSR | S_IRGRP, NULL);
33259 -+#endif
33260 -+#else
33261 - entry = create_proc_entry("ioports", 0, NULL);
33262 -+#endif
33263 - if (entry)
33264 - entry->proc_fops = &proc_ioports_operations;
33265 -+
33266 -+#ifdef CONFIG_GRKERNSEC_PROC_ADD
33267 -+#ifdef CONFIG_GRKERNSEC_PROC_USER
33268 -+ entry = create_proc_entry("iomem", S_IRUSR, NULL);
33269 -+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
33270 -+ entry = create_proc_entry("iomem", S_IRUSR | S_IRGRP, NULL);
33271 -+#endif
33272 -+#else
33273 - entry = create_proc_entry("iomem", 0, NULL);
33274 -+#endif
33275 - if (entry)
33276 - entry->proc_fops = &proc_iomem_operations;
33277 - return 0;
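Review bot: with CONFIG_GRKERNSEC_PROC_ADD set but neither CONFIG_GRKERNSEC_PROC_USER nor CONFIG_GRKERNSEC_PROC_USERGROUP, `entry` is never assigned before `if (entry)`, so the code tests an uninitialized pointer; even if Kconfig makes that combination impossible, add an `#else` branch or `#error` inside the inner `#ifdef`. The ifdef ladder is duplicated for ioports and iomem; a single macro for the mode would keep the two in step.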
33278 -diff -urNp linux-2.6.24.4/kernel/sched.c linux-2.6.24.4/kernel/sched.c
33279 ---- linux-2.6.24.4/kernel/sched.c 2008-03-24 14:49:18.000000000 -0400
33280 -+++ linux-2.6.24.4/kernel/sched.c 2008-03-26 17:56:56.000000000 -0400
33281 -@@ -63,6 +63,7 @@
33282 - #include <linux/reciprocal_div.h>
33283 - #include <linux/unistd.h>
33284 - #include <linux/pagemap.h>
33285 -+#include <linux/grsecurity.h>
33286 -
33287 - #include <asm/tlb.h>
33288 - #include <asm/irq_regs.h>
33289 -@@ -3619,7 +3620,7 @@ pick_next_task(struct rq *rq, struct tas
33290 - asmlinkage void __sched schedule(void)
33291 - {
33292 - struct task_struct *prev, *next;
33293 -- long *switch_count;
33294 -+ unsigned long *switch_count;
33295 - struct rq *rq;
33296 - int cpu;
33297 -
33298 -@@ -4155,7 +4156,8 @@ asmlinkage long sys_nice(int increment)
33299 - if (nice > 19)
33300 - nice = 19;
33301 -
33302 -- if (increment < 0 && !can_nice(current, nice))
33303 -+ if (increment < 0 && (!can_nice(current, nice) ||
33304 -+ gr_handle_chroot_nice()))
33305 - return -EPERM;
33306 -
33307 - retval = security_task_setnice(current, nice);
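Review bot: `gr_handle_chroot_nice()` is only reached for `increment < 0`, so a chrooted process can still lower its own priority; that looks intentional, but the sibling `gr_handle_chroot_setpriority(p, niceval)` hook added to `set_one_prio()` in kernel/sys.c is called regardless of direction and returns -EACCES where this path returns -EPERM. Both paths implement the same policy and should agree on errno and on whether lowering priority is allowed.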
33308 -@@ -5396,7 +5398,7 @@ static struct ctl_table sd_ctl_dir[] = {
33309 - .procname = "sched_domain",
33310 - .mode = 0555,
33311 - },
33312 -- {0, },
33313 -+ { 0, NULL, NULL, 0, 0, NULL, NULL, NULL, NULL, NULL, NULL },
33314 - };
33315 -
33316 - static struct ctl_table sd_ctl_root[] = {
33317 -@@ -5406,7 +5408,7 @@ static struct ctl_table sd_ctl_root[] =
33318 - .mode = 0555,
33319 - .child = sd_ctl_dir,
33320 - },
33321 -- {0, },
33322 -+ { 0, NULL, NULL, 0, 0, NULL, NULL, NULL, NULL, NULL, NULL },
33323 - };
33324 -
33325 - static struct ctl_table *sd_alloc_ctl_entry(int n)
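Review bot: spelling out the `struct ctl_table` terminator as eleven positional zeros (here and in the sd_ctl_dir hunk above) ties the patch to the exact field order of the struct; `{ .ctl_name = 0 }`, which this same patch uses for `pax_table` in kernel/sysctl.c, silences the missing-initializer warning without that dependency.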
33326 -diff -urNp linux-2.6.24.4/kernel/signal.c linux-2.6.24.4/kernel/signal.c
33327 ---- linux-2.6.24.4/kernel/signal.c 2008-03-24 14:49:18.000000000 -0400
33328 -+++ linux-2.6.24.4/kernel/signal.c 2008-03-26 17:56:56.000000000 -0400
33329 -@@ -25,6 +25,7 @@
33330 - #include <linux/capability.h>
33331 - #include <linux/freezer.h>
33332 - #include <linux/pid_namespace.h>
33333 -+#include <linux/grsecurity.h>
33334 - #include <linux/nsproxy.h>
33335 -
33336 - #include <asm/param.h>
33337 -@@ -540,7 +541,9 @@ static int check_kill_permission(int sig
33338 - && (current->euid ^ t->suid) && (current->euid ^ t->uid)
33339 - && (current->uid ^ t->suid) && (current->uid ^ t->uid)
33340 - && !capable(CAP_KILL))
33341 -- return error;
33342 -+ return error;
33343 -+ if (gr_handle_signal(t, sig))
33344 -+ return error;
33345 - }
33346 -
33347 - return security_task_kill(t, info, sig, 0);
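Review bot: `gr_handle_signal(t, sig)` lands inside the enclosing block after the DAC/CAP_KILL test, so it applies to the user-originated signals that block covers and can only deny, never grant, which is the right shape. The `- return error;` / `+ return error;` pair just above it is a whitespace-only change (tab versus spaces) and should be dropped from the hunk.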
33348 -@@ -757,7 +760,7 @@ static int __init setup_print_fatal_sign
33349 -
33350 - __setup("print-fatal-signals=", setup_print_fatal_signals);
33351 -
33352 --static int
33353 -+int
33354 - specific_send_sig_info(int sig, struct siginfo *info, struct task_struct *t)
33355 - {
33356 - int ret = 0;
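Review bot: dropping `static` from `specific_send_sig_info()` exports it to the rest of the kernel without adding a declaration to any header in this hunk; put the prototype in a shared header (include/linux/signal.h or grsecurity's own) so callers in grsecurity/ do not carry a local `extern` that can drift from the definition.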
33357 -@@ -811,8 +814,12 @@ force_sig_info(int sig, struct siginfo *
33358 - }
33359 - }
33360 - ret = specific_send_sig_info(sig, info, t);
33361 -+
33362 - spin_unlock_irqrestore(&t->sighand->siglock, flags);
33363 -
33364 -+ gr_log_signal(sig, t);
33365 -+ gr_handle_crash(t, sig);
33366 -+
33367 - return ret;
33368 - }
33369 -
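Review bot: `gr_log_signal()` and `gr_handle_crash()` run after `spin_unlock_irqrestore()`, which is correct since they should not hold the siglock, but they run unconditionally: `ret` from `specific_send_sig_info()` is ignored and every forced signal is reported, not only fatal ones, so any filtering has to live inside those helpers and should be documented there. The extra blank line before the unlock is a whitespace-only change and should be dropped.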
33370 -diff -urNp linux-2.6.24.4/kernel/softirq.c linux-2.6.24.4/kernel/softirq.c
33371 ---- linux-2.6.24.4/kernel/softirq.c 2008-03-24 14:49:18.000000000 -0400
33372 -+++ linux-2.6.24.4/kernel/softirq.c 2008-03-26 17:56:56.000000000 -0400
33373 -@@ -467,9 +467,9 @@ void tasklet_kill(struct tasklet_struct
33374 - printk("Attempt to kill tasklet from interrupt\n");
33375 -
33376 - while (test_and_set_bit(TASKLET_STATE_SCHED, &t->state)) {
33377 -- do
33378 -+ do {
33379 - yield();
33380 -- while (test_bit(TASKLET_STATE_SCHED, &t->state));
33381 -+ } while (test_bit(TASKLET_STATE_SCHED, &t->state));
33382 - }
33383 - tasklet_unlock_wait(t);
33384 - clear_bit(TASKLET_STATE_SCHED, &t->state);
33385 -diff -urNp linux-2.6.24.4/kernel/sys.c linux-2.6.24.4/kernel/sys.c
33386 ---- linux-2.6.24.4/kernel/sys.c 2008-03-24 14:49:18.000000000 -0400
33387 -+++ linux-2.6.24.4/kernel/sys.c 2008-03-26 17:56:56.000000000 -0400
33388 -@@ -33,6 +33,7 @@
33389 - #include <linux/task_io_accounting_ops.h>
33390 - #include <linux/seccomp.h>
33391 - #include <linux/cpu.h>
33392 -+#include <linux/grsecurity.h>
33393 -
33394 - #include <linux/compat.h>
33395 - #include <linux/syscalls.h>
33396 -@@ -119,6 +120,12 @@ static int set_one_prio(struct task_stru
33397 - error = -EACCES;
33398 - goto out;
33399 - }
33400 -+
33401 -+ if (gr_handle_chroot_setpriority(p, niceval)) {
33402 -+ error = -EACCES;
33403 -+ goto out;
33404 -+ }
33405 -+
33406 - no_nice = security_task_setnice(p, niceval);
33407 - if (no_nice) {
33408 - error = no_nice;
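Review bot: the chroot check runs before `security_task_setnice()`, so an LSM never sees the denied request; if both grsecurity and an LSM are enabled, decide which is authoritative and order the checks accordingly. It returns -EACCES, matching the uid test above it, while the equivalent check in `sys_nice()` (kernel/sched.c) returns -EPERM; pick one errno for the chroot priority policy.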
33409 -@@ -175,10 +182,10 @@ asmlinkage long sys_setpriority(int whic
33410 - if ((who != current->uid) && !(user = find_user(who)))
33411 - goto out_unlock; /* No processes for this user */
33412 -
33413 -- do_each_thread(g, p)
33414 -+ do_each_thread(g, p) {
33415 - if (p->uid == who)
33416 - error = set_one_prio(p, niceval, error);
33417 -- while_each_thread(g, p);
33418 -+ } while_each_thread(g, p);
33419 - if (who != current->uid)
33420 - free_uid(user); /* For find_user() */
33421 - break;
33422 -@@ -237,13 +244,13 @@ asmlinkage long sys_getpriority(int whic
33423 - if ((who != current->uid) && !(user = find_user(who)))
33424 - goto out_unlock; /* No processes for this user */
33425 -
33426 -- do_each_thread(g, p)
33427 -+ do_each_thread(g, p) {
33428 - if (p->uid == who) {
33429 - niceval = 20 - task_nice(p);
33430 - if (niceval > retval)
33431 - retval = niceval;
33432 - }
33433 -- while_each_thread(g, p);
33434 -+ } while_each_thread(g, p);
33435 - if (who != current->uid)
33436 - free_uid(user); /* for find_user() */
33437 - break;
33438 -@@ -515,6 +522,9 @@ asmlinkage long sys_setregid(gid_t rgid,
33439 - if (rgid != (gid_t) -1 ||
33440 - (egid != (gid_t) -1 && egid != old_rgid))
33441 - current->sgid = new_egid;
33442 -+
33443 -+ gr_set_role_label(current, current->uid, new_rgid);
33444 -+
33445 - current->fsgid = new_egid;
33446 - current->egid = new_egid;
33447 - current->gid = new_rgid;
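Review bot: `gr_set_role_label(current, current->uid, new_rgid)` is called before `current->gid`, `egid` and `fsgid` are updated and its return value is discarded, so if the helper consults the task's credentials rather than its arguments it sees the old gid, and if it can fail the gid change still proceeds under the old role. The same pattern repeats in the setgid, set_user and setresgid hunks below; a comment stating that the hook is infallible and argument-driven, or a check of its return value, would settle that.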
33448 -@@ -542,6 +552,9 @@ asmlinkage long sys_setgid(gid_t gid)
33449 - set_dumpable(current->mm, suid_dumpable);
33450 - smp_wmb();
33451 - }
33452 -+
33453 -+ gr_set_role_label(current, current->uid, gid);
33454 -+
33455 - current->gid = current->egid = current->sgid = current->fsgid = gid;
33456 - } else if ((gid == current->gid) || (gid == current->sgid)) {
33457 - if (old_egid != gid) {
33458 -@@ -579,6 +592,9 @@ static int set_user(uid_t new_ruid, int
33459 - set_dumpable(current->mm, suid_dumpable);
33460 - smp_wmb();
33461 - }
33462 -+
33463 -+ gr_set_role_label(current, new_ruid, current->gid);
33464 -+
33465 - current->uid = new_ruid;
33466 - return 0;
33467 - }
33468 -@@ -681,6 +697,9 @@ asmlinkage long sys_setuid(uid_t uid)
33469 - } else if ((uid != current->uid) && (uid != new_suid))
33470 - return -EPERM;
33471 -
33472 -+ if (gr_check_crash_uid(uid))
33473 -+ return -EPERM;
33474 -+
33475 - if (old_euid != uid) {
33476 - set_dumpable(current->mm, suid_dumpable);
33477 - smp_wmb();
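Review bot: `gr_check_crash_uid(uid)` sits after the existing permission test, so it can make `setuid()` fail with -EPERM for a caller that is otherwise allowed, including a privileged daemon switching to the target uid; that is presumably the intended lockout, but privileged callers that assume `setuid()` cannot fail will misbehave, and the denial is indistinguishable from a credential error. A comment here, and a distinct log message inside the helper, would make that explicit.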
33478 -@@ -783,8 +802,10 @@ asmlinkage long sys_setresgid(gid_t rgid
33479 - current->egid = egid;
33480 - }
33481 - current->fsgid = current->egid;
33482 -- if (rgid != (gid_t) -1)
33483 -+ if (rgid != (gid_t) -1) {
33484 -+ gr_set_role_label(current, current->uid, rgid);
33485 - current->gid = rgid;
33486 -+ }
33487 - if (sgid != (gid_t) -1)
33488 - current->sgid = sgid;
33489 -
33490 -@@ -934,7 +955,10 @@ asmlinkage long sys_setpgid(pid_t pid, p
33491 - write_lock_irq(&tasklist_lock);
33492 -
33493 - err = -ESRCH;
33494 -- p = find_task_by_pid_ns(pid, ns);
33495 -+ /* grsec: replaced find_task_by_pid_ns with equivalent call which
33496 -+ lacks the chroot restriction
33497 -+ */
33498 -+ p = pid_task(find_pid_ns(pid, ns), PIDTYPE_PID);
33499 - if (!p)
33500 - goto out;
33501 -
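Review bot: replacing `find_task_by_pid_ns()` with `pid_task(find_pid_ns(pid, ns), PIDTYPE_PID)` silently opts this call site out of the chroot hiding added in kernel/pid.c; the comment says so, but a named helper (for instance a hypothetical `find_task_by_pid_ns_nochroot()`) would make such bypasses greppable and keep the NULL handling in one place.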
33502 -@@ -1662,7 +1686,7 @@ asmlinkage long sys_prctl(int option, un
33503 - error = get_dumpable(current->mm);
33504 - break;
33505 - case PR_SET_DUMPABLE:
33506 -- if (arg2 < 0 || arg2 > 1) {
33507 -+ if (arg2 > 1) {
33508 - error = -EINVAL;
33509 - break;
33510 - }
33511 -diff -urNp linux-2.6.24.4/kernel/sysctl.c linux-2.6.24.4/kernel/sysctl.c
33512 ---- linux-2.6.24.4/kernel/sysctl.c 2008-03-24 14:49:18.000000000 -0400
33513 -+++ linux-2.6.24.4/kernel/sysctl.c 2008-03-26 17:56:56.000000000 -0400
33514 -@@ -58,6 +58,13 @@
33515 - static int deprecated_sysctl_warning(struct __sysctl_args *args);
33516 -
33517 - #if defined(CONFIG_SYSCTL)
33518 -+#include <linux/grsecurity.h>
33519 -+#include <linux/grinternal.h>
33520 -+
33521 -+extern __u32 gr_handle_sysctl(const ctl_table *table, const int op);
33522 -+extern int gr_handle_sysctl_mod(const char *dirname, const char *name,
33523 -+ const int op);
33524 -+extern int gr_handle_chroot_sysctl(const int op);
33525 -
33526 - /* External variables not in a header file. */
33527 - extern int C_A_D;
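Review bot: the three `extern` prototypes are added to a .c file right after `#include <linux/grsecurity.h>` and `<linux/grinternal.h>`; they belong in one of those headers so that the definitions in grsecurity/ and the callers are checked against the same signature. Note also that `gr_handle_sysctl()` returns `__u32` while `sysctl_perm()` below assigns it to an `int error` and returns it, so a nonzero value that is not a negative errno would propagate as a positive return.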
33528 -@@ -154,10 +161,11 @@ static int proc_do_cad_pid(struct ctl_ta
33529 - static int proc_dointvec_taint(struct ctl_table *table, int write, struct file *filp,
33530 - void __user *buffer, size_t *lenp, loff_t *ppos);
33531 - #endif
33532 -+extern ctl_table grsecurity_table[];
33533 -
33534 - static struct ctl_table root_table[];
33535 - static struct ctl_table_header root_table_header =
33536 -- { root_table, LIST_HEAD_INIT(root_table_header.ctl_entry) };
33537 -+ { root_table, LIST_HEAD_INIT(root_table_header.ctl_entry), 0, NULL };
33538 -
33539 - static struct ctl_table kern_table[];
33540 - static struct ctl_table vm_table[];
33541 -@@ -173,6 +181,21 @@ extern struct ctl_table inotify_table[];
33542 - int sysctl_legacy_va_layout;
33543 - #endif
33544 -
33545 -+#ifdef CONFIG_PAX_SOFTMODE
33546 -+static ctl_table pax_table[] = {
33547 -+ {
33548 -+ .ctl_name = CTL_UNNUMBERED,
33549 -+ .procname = "softmode",
33550 -+ .data = &pax_softmode,
33551 -+ .maxlen = sizeof(unsigned int),
33552 -+ .mode = 0600,
33553 -+ .proc_handler = &proc_dointvec,
33554 -+ },
33555 -+
33556 -+ { .ctl_name = 0 }
33557 -+};
33558 -+#endif
33559 -+
33560 - extern int prove_locking;
33561 - extern int lock_stat;
33562 -
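Review bot: `softmode` is wired to `proc_dointvec` with no range, so any integer can be written to `pax_softmode`, not just 0 or 1; if it is a boolean switch, use `proc_dointvec_minmax` with `.extra1`/`.extra2` bounding it to 0..1. `pax_softmode` also needs a visible `extern` declaration in this file, and none appears in the hunk.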
33563 -@@ -217,6 +240,16 @@ static struct ctl_table root_table[] = {
33564 - .mode = 0555,
33565 - .child = dev_table,
33566 - },
33567 -+
33568 -+#ifdef CONFIG_PAX_SOFTMODE
33569 -+ {
33570 -+ .ctl_name = CTL_UNNUMBERED,
33571 -+ .procname = "pax",
33572 -+ .mode = 0500,
33573 -+ .child = pax_table,
33574 -+ },
33575 -+#endif
33576 -+
33577 - /*
33578 - * NOTE: do not add new entries to this table unless you have read
33579 - * Documentation/sysctl/ctl_unnumbered.txt
33580 -@@ -775,6 +808,14 @@ static struct ctl_table kern_table[] = {
33581 - .proc_handler = &proc_dostring,
33582 - .strategy = &sysctl_string,
33583 - },
33584 -+#if defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_MODSTOP)
33585 -+ {
33586 -+ .ctl_name = CTL_UNNUMBERED,
33587 -+ .procname = "grsecurity",
33588 -+ .mode = 0500,
33589 -+ .child = grsecurity_table,
33590 -+ },
33591 -+#endif
33592 - /*
33593 - * NOTE: do not add new entries to this table unless you have read
33594 - * Documentation/sysctl/ctl_unnumbered.txt
33595 -@@ -1394,6 +1435,25 @@ static int test_perm(int mode, int op)
33596 - int sysctl_perm(struct ctl_table *table, int op)
33597 - {
33598 - int error;
33599 -+ if (table->parent != NULL && table->parent->procname != NULL &&
33600 -+ table->procname != NULL &&
33601 -+ gr_handle_sysctl_mod(table->parent->procname, table->procname, op))
33602 -+ return -EACCES;
33603 -+ if (gr_handle_chroot_sysctl(op))
33604 -+ return -EACCES;
33605 -+ error = gr_handle_sysctl(table, op);
33606 -+ if (error)
33607 -+ return error;
33608 -+ error = security_sysctl(table, op);
33609 -+ if (error)
33610 -+ return error;
33611 -+ return test_perm(table->mode, op);
33612 -+}
33613 -+
33614 -+int sysctl_perm_nochk(ctl_table *table, int op)
33615 -+{
33616 -+ int error;
33617 -+
33618 - error = security_sysctl(table, op);
33619 - if (error)
33620 - return error;
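Review bot: the grsecurity checks in `sysctl_perm()` run before `security_sysctl()`, so an LSM cannot observe a denial made by grsecurity policy; if both are enabled, decide which is authoritative and order accordingly. `sysctl_perm_nochk()` is a new non-static function with no prototype in the hunk; make it `static` if only this file uses it. And while the `table->parent != NULL` test covers root entries, `table->procname == NULL` (binary-only entries) skips `gr_handle_sysctl_mod()` entirely, which may or may not be intended.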
33621 -@@ -1418,13 +1478,14 @@ repeat:
33622 - if (n == table->ctl_name) {
33623 - int error;
33624 - if (table->child) {
33625 -- if (sysctl_perm(table, 001))
33626 -+ if (sysctl_perm_nochk(table, 001))
33627 - return -EPERM;
33628 - name++;
33629 - nlen--;
33630 - table = table->child;
33631 - goto repeat;
33632 - }
33633 -+
33634 - error = do_sysctl_strategy(table, name, nlen,
33635 - oldval, oldlenp,
33636 - newval, newlen);
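Review bot: using `sysctl_perm_nochk()` for intermediate directories in the binary `sysctl(2)` walk means grsecurity policy is consulted only at the leaf (via `do_sysctl_strategy()`), never for traversal; check that the /proc/sys path makes the same split, otherwise a subtree can be denied through one interface and reachable through the other. The added blank line before `error = do_sysctl_strategy(...)` is noise.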
33637 -diff -urNp linux-2.6.24.4/kernel/time.c linux-2.6.24.4/kernel/time.c
33638 ---- linux-2.6.24.4/kernel/time.c 2008-03-24 14:49:18.000000000 -0400
33639 -+++ linux-2.6.24.4/kernel/time.c 2008-03-26 17:56:56.000000000 -0400
33640 -@@ -35,6 +35,7 @@
33641 - #include <linux/syscalls.h>
33642 - #include <linux/security.h>
33643 - #include <linux/fs.h>
33644 -+#include <linux/grsecurity.h>
33645 -
33646 - #include <asm/uaccess.h>
33647 - #include <asm/unistd.h>
33648 -@@ -88,6 +89,9 @@ asmlinkage long sys_stime(time_t __user
33649 - return err;
33650 -
33651 - do_settimeofday(&tv);
33652 -+
33653 -+ gr_log_timechange();
33654 -+
33655 - return 0;
33656 - }
33657 -
33658 -@@ -194,6 +198,8 @@ asmlinkage long sys_settimeofday(struct
33659 - return -EFAULT;
33660 - }
33661 -
33662 -+ gr_log_timechange();
33663 -+
33664 - return do_sys_settimeofday(tv ? &new_ts : NULL, tz ? &new_tz : NULL);
33665 - }
33666 -
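Review bot: `gr_log_timechange()` is called before `do_sys_settimeofday()`, so a failed call (EPERM from the security hook or EINVAL inside it) is still logged as a time change, while the `sys_stime()` hunk above logs only after `do_settimeofday()` has run. Make the two consistent, most usefully by logging on the result of `do_sys_settimeofday()` rather than on the attempt.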
33667 -@@ -232,7 +238,7 @@ EXPORT_SYMBOL(current_fs_time);
33668 - * Avoid unnecessary multiplications/divisions in the
33669 - * two most common HZ cases:
33670 - */
33671 --unsigned int inline jiffies_to_msecs(const unsigned long j)
33672 -+inline unsigned int jiffies_to_msecs(const unsigned long j)
33673 - {
33674 - #if HZ <= MSEC_PER_SEC && !(MSEC_PER_SEC % HZ)
33675 - return (MSEC_PER_SEC / HZ) * j;
33676 -@@ -244,7 +250,7 @@ unsigned int inline jiffies_to_msecs(con
33677 - }
33678 - EXPORT_SYMBOL(jiffies_to_msecs);
33679 -
33680 --unsigned int inline jiffies_to_usecs(const unsigned long j)
33681 -+inline unsigned int jiffies_to_usecs(const unsigned long j)
33682 - {
33683 - #if HZ <= USEC_PER_SEC && !(USEC_PER_SEC % HZ)
33684 - return (USEC_PER_SEC / HZ) * j;
33685 -diff -urNp linux-2.6.24.4/kernel/utsname_sysctl.c linux-2.6.24.4/kernel/utsname_sysctl.c
33686 ---- linux-2.6.24.4/kernel/utsname_sysctl.c 2008-03-24 14:49:18.000000000 -0400
33687 -+++ linux-2.6.24.4/kernel/utsname_sysctl.c 2008-03-26 17:56:56.000000000 -0400
33688 -@@ -125,7 +125,7 @@ static struct ctl_table uts_kern_table[]
33689 - .proc_handler = proc_do_uts_string,
33690 - .strategy = sysctl_uts_string,
33691 - },
33692 -- {}
33693 -+ { 0, NULL, NULL, 0, 0, NULL, NULL, NULL, NULL, NULL, NULL }
33694 - };
33695 -
33696 - static struct ctl_table uts_root_table[] = {
33697 -@@ -135,7 +135,7 @@ static struct ctl_table uts_root_table[]
33698 - .mode = 0555,
33699 - .child = uts_kern_table,
33700 - },
33701 -- {}
33702 -+ { 0, NULL, NULL, 0, 0, NULL, NULL, NULL, NULL, NULL, NULL }
33703 - };
33704 -
33705 - static int __init utsname_sysctl_init(void)
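Review bot: same remark as for the kernel/sched.c ctl_table terminators: `{ .ctl_name = 0 }` expresses the sentinel without depending on the eleven-field layout of `struct ctl_table`, and is what this patch itself uses for `pax_table`.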
33706 -diff -urNp linux-2.6.24.4/lib/radix-tree.c linux-2.6.24.4/lib/radix-tree.c
33707 ---- linux-2.6.24.4/lib/radix-tree.c 2008-03-24 14:49:18.000000000 -0400
33708 -+++ linux-2.6.24.4/lib/radix-tree.c 2008-03-26 17:56:56.000000000 -0400
33709 -@@ -81,7 +81,7 @@ struct radix_tree_preload {
33710 - int nr;
33711 - struct radix_tree_node *nodes[RADIX_TREE_MAX_PATH];
33712 - };
33713 --DEFINE_PER_CPU(struct radix_tree_preload, radix_tree_preloads) = { 0, };
33714 -+DEFINE_PER_CPU(struct radix_tree_preload, radix_tree_preloads) = { 0, {NULL} };
33715 -
33716 - static inline gfp_t root_gfp_mask(struct radix_tree_root *root)
33717 - {
33718 -diff -urNp linux-2.6.24.4/localversion-grsec linux-2.6.24.4/localversion-grsec
33719 ---- linux-2.6.24.4/localversion-grsec 1969-12-31 19:00:00.000000000 -0500
33720 -+++ linux-2.6.24.4/localversion-grsec 2008-03-26 17:56:56.000000000 -0400
33721 -@@ -0,0 +1 @@
33722 -+-grsec
33723 -diff -urNp linux-2.6.24.4/Makefile linux-2.6.24.4/Makefile
33724 ---- linux-2.6.24.4/Makefile 2008-03-24 14:49:18.000000000 -0400
33725 -+++ linux-2.6.24.4/Makefile 2008-03-26 17:56:55.000000000 -0400
33726 -@@ -214,7 +214,7 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH"
33727 -
33728 - HOSTCC = gcc
33729 - HOSTCXX = g++
33730 --HOSTCFLAGS = -Wall -Wstrict-prototypes -O2 -fomit-frame-pointer
33731 -+HOSTCFLAGS = -Wall -W -Wno-unused -Wno-sign-compare -Wstrict-prototypes -O2 -fomit-frame-pointer
33732 - HOSTCXXFLAGS = -O2
33733 -
33734 - # Decide whether to build built-in, modular, or both.
33735 -@@ -507,6 +507,9 @@ else
33736 - KBUILD_CFLAGS += -O2
33737 - endif
33738 -
33739 -+# Force gcc to behave correct even for buggy distributions
33740 -+KBUILD_CFLAGS += $(call cc-option, -fno-stack-protector)
33741 -+
33742 - include $(srctree)/arch/$(SRCARCH)/Makefile
33743 -
33744 - ifdef CONFIG_FRAME_POINTER
33745 -@@ -520,9 +523,6 @@ KBUILD_CFLAGS += -g
33746 - KBUILD_AFLAGS += -gdwarf-2
33747 - endif
33748 -
33749 --# Force gcc to behave correct even for buggy distributions
33750 --KBUILD_CFLAGS += $(call cc-option, -fno-stack-protector)
33751 --
33752 - # arch Makefile may override CC so keep this after arch Makefile is included
33753 - NOSTDINC_FLAGS += -nostdinc -isystem $(shell $(CC) -print-file-name=include)
33754 - CHECKFLAGS += $(NOSTDINC_FLAGS)
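Review bot: moving `-fno-stack-protector` above `include $(srctree)/arch/$(SRCARCH)/Makefile` changes which flag wins: gcc honours the last `-f[no-]stack-protector` on the command line, so after this move an arch Makefile that appends `-fstack-protector` (CONFIG_CC_STACKPROTECTOR) actually gets it, whereas before the global `-fno-stack-protector` appended afterwards cancelled it. That is the point of the move and it pairs with the `__stack_chk_fail()` diagnostics in kernel/panic.c, but the comment `Force gcc to behave correct even for buggy distributions` no longer explains the ordering and should say why the line must precede the arch include.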
33755 -@@ -597,7 +597,7 @@ export mod_strip_cmd
33756 -
33757 -
33758 - ifeq ($(KBUILD_EXTMOD),)
33759 --core-y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/
33760 -+core-y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/ grsecurity/
33761 -
33762 - vmlinux-dirs := $(patsubst %/,%,$(filter %/, $(init-y) $(init-m) \
33763 - $(core-y) $(core-m) $(drivers-y) $(drivers-m) \
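Review bot: `grsecurity/` is added to `core-y` unconditionally, so grsecurity/Makefile must produce a valid (possibly empty) built-in.o when CONFIG_GRKERNSEC is off; confirm it does, or gate the entry on the config symbol the way other optional subsystems are.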
33764 -diff -urNp linux-2.6.24.4/mm/filemap.c linux-2.6.24.4/mm/filemap.c
33765 ---- linux-2.6.24.4/mm/filemap.c 2008-03-24 14:49:18.000000000 -0400
33766 -+++ linux-2.6.24.4/mm/filemap.c 2008-03-26 17:56:56.000000000 -0400
33767 -@@ -33,6 +33,7 @@
33768 - #include <linux/syscalls.h>
33769 - #include <linux/cpuset.h>
33770 - #include <linux/hardirq.h> /* for BUG_ON(!in_atomic()) only */
33771 -+#include <linux/grsecurity.h>
33772 - #include "internal.h"
33773 -
33774 - /*
33775 -@@ -1461,7 +1462,7 @@ int generic_file_mmap(struct file * file
33776 - struct address_space *mapping = file->f_mapping;
33777 -
33778 - if (!mapping->a_ops->readpage)
33779 -- return -ENOEXEC;
33780 -+ return -ENODEV;
33781 - file_accessed(file);
33782 - vma->vm_ops = &generic_file_vm_ops;
33783 - vma->vm_flags |= VM_CAN_NONLINEAR;
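Review bot: changing the error from -ENOEXEC to -ENODEV for a mapping without `readpage` is a user-visible errno change; ENODEV is what mmap(2) documents for filesystems that do not support mapping, so it is an improvement, but it deserves a changelog mention since programs testing for ENOEXEC will now see different behaviour.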
33784 -@@ -1810,6 +1811,7 @@ inline int generic_write_checks(struct f
33785 - *pos = i_size_read(inode);
33786 -
33787 - if (limit != RLIM_INFINITY) {
33788 -+ gr_learn_resource(current, RLIMIT_FSIZE,*pos, 0);
33789 - if (*pos >= limit) {
33790 - send_sig(SIGXFSZ, current, 0);
33791 - return -EFBIG;
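Review bot: `gr_learn_resource(current, RLIMIT_FSIZE, *pos, 0)` is inside `if (limit != RLIM_INFINITY)`, so processes running with an unlimited file size are never observed; if the purpose of learning is to derive a limit for a subject that currently has none, the call should sit above the condition. Minor: missing space after the comma in `RLIMIT_FSIZE,*pos`.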
33792 -diff -urNp linux-2.6.24.4/mm/fremap.c linux-2.6.24.4/mm/fremap.c
33793 ---- linux-2.6.24.4/mm/fremap.c 2008-03-24 14:49:18.000000000 -0400
33794 -+++ linux-2.6.24.4/mm/fremap.c 2008-03-26 17:56:56.000000000 -0400
33795 -@@ -150,6 +150,13 @@ asmlinkage long sys_remap_file_pages(uns
33796 - retry:
33797 - vma = find_vma(mm, start);
33798 -
33799 -+#ifdef CONFIG_PAX_SEGMEXEC
33800 -+ if (vma && (mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_flags & VM_MAYEXEC)) {
33801 -+ up_read(&mm->mmap_sem);
33802 -+ return err;
33803 -+ }
33804 -+#endif
33805 -+
33806 - /*
33807 - * Make sure the vma is shared, that it supports prefaulting,
33808 - * and that the remapped range is valid and fully within
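Review bot: the SEGMEXEC early exit does `return err;` and relies on `err` having been preset to an error value somewhere above the `retry:` label, which is not visible in the hunk; set it explicitly (`err = -EINVAL;` or whatever is meant) so the rejection cannot silently turn into success if that initialiser changes.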
33809 -diff -urNp linux-2.6.24.4/mm/hugetlb.c linux-2.6.24.4/mm/hugetlb.c
33810 ---- linux-2.6.24.4/mm/hugetlb.c 2008-03-24 14:49:18.000000000 -0400
33811 -+++ linux-2.6.24.4/mm/hugetlb.c 2008-03-26 17:56:56.000000000 -0400
33812 -@@ -797,6 +797,26 @@ void unmap_hugepage_range(struct vm_area
33813 - }
33814 - }
33815 -
33816 -+#ifdef CONFIG_PAX_SEGMEXEC
33817 -+static void pax_mirror_huge_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m)
33818 -+{
33819 -+ struct mm_struct *mm = vma->vm_mm;
33820 -+ struct vm_area_struct *vma_m;
33821 -+ unsigned long address_m;
33822 -+ pte_t *ptep_m;
33823 -+
33824 -+ vma_m = pax_find_mirror_vma(vma);
33825 -+ if (!vma_m)
33826 -+ return;
33827 -+
33828 -+ BUG_ON(address >= SEGMEXEC_TASK_SIZE);
33829 -+ address_m = address + SEGMEXEC_TASK_SIZE;
33830 -+ ptep_m = huge_pte_offset(mm, address_m & HPAGE_MASK);
33831 -+ get_page(page_m);
33832 -+ set_huge_pte_at(mm, address_m, ptep_m, make_huge_pte(vma_m, page_m, 0));
33833 -+}
33834 -+#endif
33835 -+
33836 - static int hugetlb_cow(struct mm_struct *mm, struct vm_area_struct *vma,
33837 - unsigned long address, pte_t *ptep, pte_t pte)
33838 - {
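Review bot: `huge_pte_offset()` can return NULL and `ptep_m` is passed straight to `set_huge_pte_at()`; the function relies on the `hugetlb_fault()` hunk below having called `huge_pte_alloc()` for the mirror address first. That invariant should be stated in a comment and enforced with `BUG_ON(!ptep_m)`, since `hugetlb_cow()` is the other caller and nothing in it guarantees the mirror table exists.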
33839 -@@ -830,6 +850,11 @@ static int hugetlb_cow(struct mm_struct
33840 - /* Break COW */
33841 - set_huge_pte_at(mm, address, ptep,
33842 - make_huge_pte(vma, new_page, 1));
33843 -+
33844 -+#ifdef CONFIG_PAX_SEGMEXEC
33845 -+ pax_mirror_huge_pte(vma, address, new_page);
33846 -+#endif
33847 -+
33848 - /* Make the old page be freed below */
33849 - new_page = old_page;
33850 - }
33851 -@@ -901,6 +926,10 @@ retry:
33852 - && (vma->vm_flags & VM_SHARED)));
33853 - set_huge_pte_at(mm, address, ptep, new_pte);
33854 -
33855 -+#ifdef CONFIG_PAX_SEGMEXEC
33856 -+ pax_mirror_huge_pte(vma, address, page);
33857 -+#endif
33858 -+
33859 - if (write_access && !(vma->vm_flags & VM_SHARED)) {
33860 - /* Optimization, do the COW without a second fault */
33861 - ret = hugetlb_cow(mm, vma, address, ptep, new_pte);
33862 -@@ -926,6 +955,27 @@ int hugetlb_fault(struct mm_struct *mm,
33863 - int ret;
33864 - static DEFINE_MUTEX(hugetlb_instantiation_mutex);
33865 -
33866 -+#ifdef CONFIG_PAX_SEGMEXEC
33867 -+ struct vm_area_struct *vma_m;
33868 -+
33869 -+ vma_m = pax_find_mirror_vma(vma);
33870 -+ if (vma_m) {
33871 -+ unsigned long address_m;
33872 -+
33873 -+ if (vma->vm_start > vma_m->vm_start) {
33874 -+ address_m = address;
33875 -+ address -= SEGMEXEC_TASK_SIZE;
33876 -+ vma = vma_m;
33877 -+ } else
33878 -+ address_m = address + SEGMEXEC_TASK_SIZE;
33879 -+
33880 -+ if (!huge_pte_alloc(mm, address_m))
33881 -+ return VM_FAULT_OOM;
33882 -+ address_m &= HPAGE_MASK;
33883 -+ unmap_hugepage_range(vma, address_m, address_m + HPAGE_SIZE);
33884 -+ }
33885 -+#endif
33886 -+
33887 - ptep = huge_pte_alloc(mm, address);
33888 - if (!ptep)
33889 - return VM_FAULT_OOM;
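Review bot: after the `vma->vm_start > vma_m->vm_start` swap, `vma` and `vma_m` both refer to the lower mapping and the upper vma pointer is lost, yet `unmap_hugepage_range(vma, address_m, ...)` is then called with the lower vma for an address in the upper range; that is only correct if the callee uses the vma solely for `vm_mm`. Keep a pointer to the upper vma and pass it. Also check whether calling `huge_pte_alloc(mm, address_m)` here, ahead of where the `hugetlb_instantiation_mutex` declared just above is taken, matters for the ordering the original `huge_pte_alloc()` call relies on.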
33890 -diff -urNp linux-2.6.24.4/mm/madvise.c linux-2.6.24.4/mm/madvise.c
33891 ---- linux-2.6.24.4/mm/madvise.c 2008-03-24 14:49:18.000000000 -0400
33892 -+++ linux-2.6.24.4/mm/madvise.c 2008-03-26 17:56:56.000000000 -0400
33893 -@@ -43,6 +43,10 @@ static long madvise_behavior(struct vm_a
33894 - pgoff_t pgoff;
33895 - int new_flags = vma->vm_flags;
33896 -
33897 -+#ifdef CONFIG_PAX_SEGMEXEC
33898 -+ struct vm_area_struct *vma_m;
33899 -+#endif
33900 -+
33901 - switch (behavior) {
33902 - case MADV_NORMAL:
33903 - new_flags = new_flags & ~VM_RAND_READ & ~VM_SEQ_READ;
33904 -@@ -92,6 +96,13 @@ success:
33905 - /*
33906 - * vm_flags is protected by the mmap_sem held in write mode.
33907 - */
33908 -+
33909 -+#ifdef CONFIG_PAX_SEGMEXEC
33910 -+ vma_m = pax_find_mirror_vma(vma);
33911 -+ if (vma_m)
33912 -+ vma_m->vm_flags = new_flags & ~(VM_WRITE | VM_MAYWRITE | VM_ACCOUNT);
33913 -+#endif
33914 -+
33915 - vma->vm_flags = new_flags;
33916 -
33917 - out:
33918 -@@ -236,6 +247,17 @@ madvise_vma(struct vm_area_struct *vma,
33919 -
33920 - case MADV_DONTNEED:
33921 - error = madvise_dontneed(vma, prev, start, end);
33922 -+
33923 -+#ifdef CONFIG_PAX_SEGMEXEC
33924 -+ if (!error) {
33925 -+ struct vm_area_struct *vma_m, *prev_m;
33926 -+
33927 -+ vma_m = pax_find_mirror_vma(vma);
33928 -+ if (vma_m)
33929 -+ error = madvise_dontneed(vma_m, &prev_m, start + SEGMEXEC_TASK_SIZE, end + SEGMEXEC_TASK_SIZE);
33930 -+ }
33931 -+#endif
33932 -+
33933 - break;
33934 -
33935 - default:
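Review bot: the MADV_DONTNEED mirror call overwrites `error` after the lower half has already been discarded, so a failure in `madvise_dontneed(vma_m, ...)` returns an error to userspace with the two halves now out of sync. A short comment should say that this is accepted (the mirror is cleared again on the next fault through pax_unmap_mirror_pte) or the result should be handled explicitly. The `start + SEGMEXEC_TASK_SIZE` / `end + SEGMEXEC_TASK_SIZE` arithmetic is only safe because of the `end > SEGMEXEC_TASK_SIZE` bound added to sys_madvise further down in this file; that dependency deserves a comment here. `prev_m` is only an out-parameter of madvise_dontneed, so leaving it uninitialised is fine.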
33936 -@@ -308,6 +330,16 @@ asmlinkage long sys_madvise(unsigned lon
33937 - if (end < start)
33938 - goto out;
33939 -
33940 -+#ifdef CONFIG_PAX_SEGMEXEC
33941 -+ if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
33942 -+ if (end > SEGMEXEC_TASK_SIZE)
33943 -+ goto out;
33944 -+ } else
33945 -+#endif
33946 -+
33947 -+ if (end > TASK_SIZE)
33948 -+ goto out;
33949 -+
33950 - error = 0;
33951 - if (end == start)
33952 - goto out;
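Review bot: the `} else` that closes the SEGMEXEC block is left dangling across `#endif`, with the `if (end > TASK_SIZE)` fallback outside the conditional. It compiles in both configurations, but any statement or stray `;` inserted between the `#endif` and the fallback later on silently turns the non-SEGMEXEC limit check into dead code. Either move the fallback into an `#else` branch or wrap the whole thing in braces with the `#ifdef` inside them. The same pattern is used in do_mbind (mm/mempolicy.c) and do_mlock (mm/mlock.c) in this patch and would benefit from the same treatment.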
33953 -diff -urNp linux-2.6.24.4/mm/memory.c linux-2.6.24.4/mm/memory.c
33954 ---- linux-2.6.24.4/mm/memory.c 2008-03-24 14:49:18.000000000 -0400
33955 -+++ linux-2.6.24.4/mm/memory.c 2008-03-26 17:56:56.000000000 -0400
33956 -@@ -50,6 +50,7 @@
33957 - #include <linux/delayacct.h>
33958 - #include <linux/init.h>
33959 - #include <linux/writeback.h>
33960 -+#include <linux/grsecurity.h>
33961 -
33962 - #include <asm/pgalloc.h>
33963 - #include <asm/uaccess.h>
33964 -@@ -990,11 +991,11 @@ int get_user_pages(struct task_struct *t
33965 - vm_flags &= force ? (VM_MAYREAD | VM_MAYWRITE) : (VM_READ | VM_WRITE);
33966 - i = 0;
33967 -
33968 -- do {
33969 -+ while (len) {
33970 - struct vm_area_struct *vma;
33971 - unsigned int foll_flags;
33972 -
33973 -- vma = find_extend_vma(mm, start);
33974 -+ vma = find_vma(mm, start);
33975 - if (!vma && in_gate_area(tsk, start)) {
33976 - unsigned long pg = start & PAGE_MASK;
33977 - struct vm_area_struct *gate_vma = get_gate_vma(tsk);
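Review bot: replacing `find_extend_vma` with `find_vma` removes the implicit stack expansion that get_user_pages used to perform; together with the `start < vma->vm_start` check in the next hunk, a lookup that lands in the gap below a VM_GROWSDOWN stack now returns -EFAULT instead of growing the stack. That is a defensible hardening choice, but it is a semantic change for every in-kernel caller of get_user_pages (ptrace/access_process_vm and the exec argument copying among them) and is not mentioned anywhere in the patch; it should be stated in the description so that callers relying on the old behaviour can be audited. The `do { } while (len)` to `while (len)` rewrite is fine on its own (a zero-length request now returns 0 without touching the vma tree).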
33978 -@@ -1034,7 +1035,7 @@ int get_user_pages(struct task_struct *t
33979 - continue;
33980 - }
33981 -
33982 -- if (!vma || (vma->vm_flags & (VM_IO | VM_PFNMAP))
33983 -+ if (!vma || start < vma->vm_start || (vma->vm_flags & (VM_IO | VM_PFNMAP))
33984 - || !(vm_flags & vma->vm_flags))
33985 - return i ? : -EFAULT;
33986 -
33987 -@@ -1107,7 +1108,7 @@ int get_user_pages(struct task_struct *t
33988 - start += PAGE_SIZE;
33989 - len--;
33990 - } while (len && start < vma->vm_end);
33991 -- } while (len);
33992 -+ }
33993 - return i;
33994 - }
33995 - EXPORT_SYMBOL(get_user_pages);
33996 -@@ -1526,6 +1527,196 @@ static inline void cow_user_page(struct
33997 - copy_user_highpage(dst, src, va, vma);
33998 - }
33999 -
34000 -+#ifdef CONFIG_PAX_SEGMEXEC
34001 -+static void pax_unmap_mirror_pte(struct vm_area_struct *vma, unsigned long address, pmd_t *pmd)
34002 -+{
34003 -+ struct mm_struct *mm = vma->vm_mm;
34004 -+ spinlock_t *ptl;
34005 -+ pte_t *pte, entry;
34006 -+
34007 -+ pte = pte_offset_map_lock(mm, pmd, address, &ptl);
34008 -+ entry = *pte;
34009 -+ if (!pte_present(entry)) {
34010 -+ if (!pte_none(entry)) {
34011 -+ BUG_ON(pte_file(entry));
34012 -+ free_swap_and_cache(pte_to_swp_entry(entry));
34013 -+ pte_clear_not_present_full(mm, address, pte, 0);
34014 -+ }
34015 -+ } else {
34016 -+ struct page *page;
34017 -+
34018 -+ page = vm_normal_page(vma, address, entry);
34019 -+ if (page) {
34020 -+ flush_cache_page(vma, address, pte_pfn(entry));
34021 -+ flush_icache_page(vma, page);
34022 -+ }
34023 -+ ptep_clear_flush(vma, address, pte);
34024 -+ BUG_ON(pte_dirty(entry));
34025 -+ if (page) {
34026 -+ update_hiwater_rss(mm);
34027 -+ if (PageAnon(page))
34028 -+ dec_mm_counter(mm, anon_rss);
34029 -+ else
34030 -+ dec_mm_counter(mm, file_rss);
34031 -+ page_remove_rmap(page, vma);
34032 -+ page_cache_release(page);
34033 -+ }
34034 -+ }
34035 -+ pte_unmap_unlock(pte, ptl);
34036 -+}
34037 -+
34038 -+/* PaX: if vma is mirrored, synchronize the mirror's PTE
34039 -+ *
34040 -+ * the ptl of the lower mapped page is held on entry and is not released on exit
34041 -+ * or inside to ensure atomic changes to the PTE states (swapout, mremap, munmap, etc)
34042 -+ */
34043 -+static void pax_mirror_anon_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m, spinlock_t *ptl)
34044 -+{
34045 -+ struct mm_struct *mm = vma->vm_mm;
34046 -+ unsigned long address_m;
34047 -+ spinlock_t *ptl_m;
34048 -+ struct vm_area_struct *vma_m;
34049 -+ pmd_t *pmd_m;
34050 -+ pte_t *pte_m, entry_m;
34051 -+
34052 -+ BUG_ON(!page_m || !PageAnon(page_m));
34053 -+
34054 -+ vma_m = pax_find_mirror_vma(vma);
34055 -+ if (!vma_m)
34056 -+ return;
34057 -+
34058 -+ BUG_ON(!PageLocked(page_m));
34059 -+ BUG_ON(address >= SEGMEXEC_TASK_SIZE);
34060 -+ address_m = address + SEGMEXEC_TASK_SIZE;
34061 -+ pmd_m = pmd_offset(pud_offset(pgd_offset(mm, address_m), address_m), address_m);
34062 -+ pte_m = pte_offset_map_nested(pmd_m, address_m);
34063 -+ ptl_m = pte_lockptr(mm, pmd_m);
34064 -+ if (ptl != ptl_m) {
34065 -+ spin_lock_nested(ptl_m, SINGLE_DEPTH_NESTING);
34066 -+ if (!pte_none(*pte_m)) {
34067 -+ spin_unlock(ptl_m);
34068 -+ pte_unmap_nested(pte_m);
34069 -+ unlock_page(page_m);
34070 -+ return;
34071 -+ }
34072 -+ }
34073 -+
34074 -+ entry_m = pfn_pte(page_to_pfn(page_m), vma_m->vm_page_prot);
34075 -+ page_cache_get(page_m);
34076 -+ page_add_anon_rmap(page_m, vma_m, address_m);
34077 -+ inc_mm_counter(mm, anon_rss);
34078 -+ set_pte_at(mm, address_m, pte_m, entry_m);
34079 -+ update_mmu_cache(vma_m, address_m, entry_m);
34080 -+ if (ptl != ptl_m)
34081 -+ spin_unlock(ptl_m);
34082 -+ pte_unmap_nested(pte_m);
34083 -+ unlock_page(page_m);
34084 -+}
34085 -+
34086 -+void pax_mirror_file_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m, spinlock_t *ptl)
34087 -+{
34088 -+ struct mm_struct *mm = vma->vm_mm;
34089 -+ unsigned long address_m;
34090 -+ spinlock_t *ptl_m;
34091 -+ struct vm_area_struct *vma_m;
34092 -+ pmd_t *pmd_m;
34093 -+ pte_t *pte_m, entry_m;
34094 -+
34095 -+ BUG_ON(!page_m || PageAnon(page_m));
34096 -+
34097 -+ vma_m = pax_find_mirror_vma(vma);
34098 -+ if (!vma_m)
34099 -+ return;
34100 -+
34101 -+ BUG_ON(address >= SEGMEXEC_TASK_SIZE);
34102 -+ address_m = address + SEGMEXEC_TASK_SIZE;
34103 -+ pmd_m = pmd_offset(pud_offset(pgd_offset(mm, address_m), address_m), address_m);
34104 -+ pte_m = pte_offset_map_nested(pmd_m, address_m);
34105 -+ ptl_m = pte_lockptr(mm, pmd_m);
34106 -+ if (ptl != ptl_m) {
34107 -+ spin_lock_nested(ptl_m, SINGLE_DEPTH_NESTING);
34108 -+ if (!pte_none(*pte_m)) {
34109 -+ spin_unlock(ptl_m);
34110 -+ pte_unmap_nested(pte_m);
34111 -+ return;
34112 -+ }
34113 -+ }
34114 -+
34115 -+ entry_m = pfn_pte(page_to_pfn(page_m), vma_m->vm_page_prot);
34116 -+ page_cache_get(page_m);
34117 -+ page_add_file_rmap(page_m);
34118 -+ inc_mm_counter(mm, file_rss);
34119 -+ set_pte_at(mm, address_m, pte_m, entry_m);
34120 -+ update_mmu_cache(vma_m, address_m, entry_m);
34121 -+ if (ptl != ptl_m)
34122 -+ spin_unlock(ptl_m);
34123 -+ pte_unmap_nested(pte_m);
34124 -+}
34125 -+
34126 -+static void pax_mirror_pfn_pte(struct vm_area_struct *vma, unsigned long address, unsigned long pfn_m, spinlock_t *ptl)
34127 -+{
34128 -+ struct mm_struct *mm = vma->vm_mm;
34129 -+ unsigned long address_m;
34130 -+ spinlock_t *ptl_m;
34131 -+ struct vm_area_struct *vma_m;
34132 -+ pmd_t *pmd_m;
34133 -+ pte_t *pte_m, entry_m;
34134 -+
34135 -+ vma_m = pax_find_mirror_vma(vma);
34136 -+ if (!vma_m)
34137 -+ return;
34138 -+
34139 -+ BUG_ON(address >= SEGMEXEC_TASK_SIZE);
34140 -+ address_m = address + SEGMEXEC_TASK_SIZE;
34141 -+ pmd_m = pmd_offset(pud_offset(pgd_offset(mm, address_m), address_m), address_m);
34142 -+ pte_m = pte_offset_map_nested(pmd_m, address_m);
34143 -+ ptl_m = pte_lockptr(mm, pmd_m);
34144 -+ if (ptl != ptl_m) {
34145 -+ spin_lock_nested(ptl_m, SINGLE_DEPTH_NESTING);
34146 -+ if (!pte_none(*pte_m)) {
34147 -+ spin_unlock(ptl_m);
34148 -+ pte_unmap_nested(pte_m);
34149 -+ return;
34150 -+ }
34151 -+ }
34152 -+
34153 -+ entry_m = pfn_pte(pfn_m, vma_m->vm_page_prot);
34154 -+ set_pte_at(mm, address_m, pte_m, entry_m);
34155 -+ if (ptl != ptl_m)
34156 -+ spin_unlock(ptl_m);
34157 -+ pte_unmap_nested(pte_m);
34158 -+}
34159 -+
34160 -+static void pax_mirror_pte(struct vm_area_struct *vma, unsigned long address, pte_t *pte, pmd_t *pmd, spinlock_t *ptl)
34161 -+{
34162 -+ struct page *page_m;
34163 -+ pte_t entry;
34164 -+
34165 -+ if (!(vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC))
34166 -+ goto out;
34167 -+
34168 -+ entry = *pte;
34169 -+ page_m = vm_normal_page(vma, address, entry);
34170 -+ if (!page_m)
34171 -+ pax_mirror_pfn_pte(vma, address, pte_pfn(entry), ptl);
34172 -+ else if (PageAnon(page_m)) {
34173 -+ if (pax_find_mirror_vma(vma)) {
34174 -+ pte_unmap_unlock(pte, ptl);
34175 -+ lock_page(page_m);
34176 -+ pte = pte_offset_map_lock(vma->vm_mm, pmd, address, &ptl);
34177 -+ if (pte_same(entry, *pte))
34178 -+ pax_mirror_anon_pte(vma, address, page_m, ptl);
34179 -+ else
34180 -+ unlock_page(page_m);
34181 -+ }
34182 -+ } else
34183 -+ pax_mirror_file_pte(vma, address, page_m, ptl);
34184 -+
34185 -+out:
34186 -+ pte_unmap_unlock(pte, ptl);
34187 -+}
34188 -+#endif
34189 -+
34190 - /*
34191 - * This routine handles present pages, when users try to write
34192 - * to a shared page. It is done by copying the page to a new address
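Review bot: in pax_mirror_anon_pte, pax_mirror_file_pte and pax_mirror_pfn_pte the `if (!pte_none(*pte_m))` guard only runs inside `if (ptl != ptl_m)`, so whenever the lower and mirror PTE pages share a lock (no split page table locks, or both addresses in the same PTE page) a populated mirror entry is overwritten by `set_pte_at` without the previous page's refcount and rmap being dropped. Make the check unconditional and keep only the `spin_lock_nested`/`spin_unlock` pair conditional on `ptl != ptl_m`. Separately, the page-lock contract of the three helpers differs and is not documented: pax_mirror_anon_pte consumes the page lock on every path (both early returns and the normal exit call `unlock_page(page_m)`), while pax_mirror_file_pte and pax_mirror_pfn_pte take no lock at all; the matching `BUG_ON(TestSetPageLocked(...))` calls sit in do_wp_page, do_anonymous_page and __do_fault far from here, so the header comment above pax_mirror_anon_pte should spell out that the caller must hand over a locked page and that the function releases it.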
34193 -@@ -1638,6 +1829,12 @@ gotten:
34194 - */
34195 - page_table = pte_offset_map_lock(mm, pmd, address, &ptl);
34196 - if (likely(pte_same(*page_table, orig_pte))) {
34197 -+
34198 -+#ifdef CONFIG_PAX_SEGMEXEC
34199 -+ if (pax_find_mirror_vma(vma))
34200 -+ BUG_ON(TestSetPageLocked(new_page));
34201 -+#endif
34202 -+
34203 - if (old_page) {
34204 - page_remove_rmap(old_page, vma);
34205 - if (!PageAnon(old_page)) {
34206 -@@ -1661,6 +1858,10 @@ gotten:
34207 - lru_cache_add_active(new_page);
34208 - page_add_new_anon_rmap(new_page, vma, address);
34209 -
34210 -+#ifdef CONFIG_PAX_SEGMEXEC
34211 -+ pax_mirror_anon_pte(vma, address, new_page, ptl);
34212 -+#endif
34213 -+
34214 - /* Free the old page.. */
34215 - new_page = old_page;
34216 - ret |= VM_FAULT_WRITE;
34217 -@@ -1941,6 +2142,7 @@ int vmtruncate(struct inode * inode, lof
34218 -
34219 - do_expand:
34220 - limit = current->signal->rlim[RLIMIT_FSIZE].rlim_cur;
34221 -+ gr_learn_resource(current, RLIMIT_FSIZE, offset, 1);
34222 - if (limit != RLIM_INFINITY && offset > limit)
34223 - goto out_sig;
34224 - if (offset > inode->i_sb->s_maxbytes)
34225 -@@ -2123,6 +2325,11 @@ static int do_swap_page(struct mm_struct
34226 - swap_free(entry);
34227 - if (vm_swap_full())
34228 - remove_exclusive_swap_page(page);
34229 -+
34230 -+#ifdef CONFIG_PAX_SEGMEXEC
34231 -+ if (write_access || !pax_find_mirror_vma(vma))
34232 -+#endif
34233 -+
34234 - unlock_page(page);
34235 -
34236 - if (write_access) {
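Review bot: the bare `if (write_access || !pax_find_mirror_vma(vma))` placed under `#ifdef CONFIG_PAX_SEGMEXEC` controls an `unlock_page(page)` that lives outside the conditional, which is both the dangling-statement pattern noted for sys_madvise and a hidden transfer of lock ownership: on a read fault with a mirror the page stays locked so that the `pax_mirror_anon_pte(vma, address, page, ptl)` added in the following hunk can release it. A comment on the condition should say exactly that; otherwise the next reader will "fix" the missing unlock.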
34237 -@@ -2135,6 +2342,11 @@ static int do_swap_page(struct mm_struct
34238 -
34239 - /* No need to invalidate - it was non-present before */
34240 - update_mmu_cache(vma, address, pte);
34241 -+
34242 -+#ifdef CONFIG_PAX_SEGMEXEC
34243 -+ pax_mirror_anon_pte(vma, address, page, ptl);
34244 -+#endif
34245 -+
34246 - unlock:
34247 - pte_unmap_unlock(page_table, ptl);
34248 - out:
34249 -@@ -2174,6 +2386,12 @@ static int do_anonymous_page(struct mm_s
34250 - page_table = pte_offset_map_lock(mm, pmd, address, &ptl);
34251 - if (!pte_none(*page_table))
34252 - goto release;
34253 -+
34254 -+#ifdef CONFIG_PAX_SEGMEXEC
34255 -+ if (pax_find_mirror_vma(vma))
34256 -+ BUG_ON(TestSetPageLocked(page));
34257 -+#endif
34258 -+
34259 - inc_mm_counter(mm, anon_rss);
34260 - lru_cache_add_active(page);
34261 - page_add_new_anon_rmap(page, vma, address);
34262 -@@ -2181,6 +2399,11 @@ static int do_anonymous_page(struct mm_s
34263 -
34264 - /* No need to invalidate - it was non-present before */
34265 - update_mmu_cache(vma, address, entry);
34266 -+
34267 -+#ifdef CONFIG_PAX_SEGMEXEC
34268 -+ pax_mirror_anon_pte(vma, address, page, ptl);
34269 -+#endif
34270 -+
34271 - unlock:
34272 - pte_unmap_unlock(page_table, ptl);
34273 - return 0;
34274 -@@ -2313,6 +2536,12 @@ static int __do_fault(struct mm_struct *
34275 - */
34276 - /* Only go through if we didn't race with anybody else... */
34277 - if (likely(pte_same(*page_table, orig_pte))) {
34278 -+
34279 -+#ifdef CONFIG_PAX_SEGMEXEC
34280 -+ if (anon && pax_find_mirror_vma(vma))
34281 -+ BUG_ON(TestSetPageLocked(page));
34282 -+#endif
34283 -+
34284 - flush_icache_page(vma, page);
34285 - entry = mk_pte(page, vma->vm_page_prot);
34286 - if (flags & FAULT_FLAG_WRITE)
34287 -@@ -2333,6 +2562,14 @@ static int __do_fault(struct mm_struct *
34288 -
34289 - /* no need to invalidate: a not-present page won't be cached */
34290 - update_mmu_cache(vma, address, entry);
34291 -+
34292 -+#ifdef CONFIG_PAX_SEGMEXEC
34293 -+ if (anon)
34294 -+ pax_mirror_anon_pte(vma, address, page, ptl);
34295 -+ else
34296 -+ pax_mirror_file_pte(vma, address, page, ptl);
34297 -+#endif
34298 -+
34299 - } else {
34300 - if (anon)
34301 - page_cache_release(page);
34302 -@@ -2415,6 +2652,11 @@ static noinline int do_no_pfn(struct mm_
34303 - if (write_access)
34304 - entry = maybe_mkwrite(pte_mkdirty(entry), vma);
34305 - set_pte_at(mm, address, page_table, entry);
34306 -+
34307 -+#ifdef CONFIG_PAX_SEGMEXEC
34308 -+ pax_mirror_pfn_pte(vma, address, pfn, ptl);
34309 -+#endif
34310 -+
34311 - }
34312 - pte_unmap_unlock(page_table, ptl);
34313 - return 0;
34314 -@@ -2517,6 +2759,12 @@ static inline int handle_pte_fault(struc
34315 - if (write_access)
34316 - flush_tlb_page(vma, address);
34317 - }
34318 -+
34319 -+#ifdef CONFIG_PAX_SEGMEXEC
34320 -+ pax_mirror_pte(vma, address, pte, pmd, ptl);
34321 -+ return 0;
34322 -+#endif
34323 -+
34324 - unlock:
34325 - pte_unmap_unlock(pte, ptl);
34326 - return 0;
34327 -@@ -2533,6 +2781,10 @@ int handle_mm_fault(struct mm_struct *mm
34328 - pmd_t *pmd;
34329 - pte_t *pte;
34330 -
34331 -+#ifdef CONFIG_PAX_SEGMEXEC
34332 -+ struct vm_area_struct *vma_m;
34333 -+#endif
34334 -+
34335 - __set_current_state(TASK_RUNNING);
34336 -
34337 - count_vm_event(PGFAULT);
34338 -@@ -2540,6 +2792,34 @@ int handle_mm_fault(struct mm_struct *mm
34339 - if (unlikely(is_vm_hugetlb_page(vma)))
34340 - return hugetlb_fault(mm, vma, address, write_access);
34341 -
34342 -+#ifdef CONFIG_PAX_SEGMEXEC
34343 -+ vma_m = pax_find_mirror_vma(vma);
34344 -+ if (vma_m) {
34345 -+ unsigned long address_m;
34346 -+ pgd_t *pgd_m;
34347 -+ pud_t *pud_m;
34348 -+ pmd_t *pmd_m;
34349 -+
34350 -+ if (vma->vm_start > vma_m->vm_start) {
34351 -+ address_m = address;
34352 -+ address -= SEGMEXEC_TASK_SIZE;
34353 -+ vma = vma_m;
34354 -+ } else
34355 -+ address_m = address + SEGMEXEC_TASK_SIZE;
34356 -+
34357 -+ pgd_m = pgd_offset(mm, address_m);
34358 -+ pud_m = pud_alloc(mm, pgd_m, address_m);
34359 -+ if (!pud_m)
34360 -+ return VM_FAULT_OOM;
34361 -+ pmd_m = pmd_alloc(mm, pud_m, address_m);
34362 -+ if (!pmd_m)
34363 -+ return VM_FAULT_OOM;
34364 -+ if (!pmd_present(*pmd_m) && __pte_alloc(mm, pmd_m, address_m))
34365 -+ return VM_FAULT_OOM;
34366 -+ pax_unmap_mirror_pte(vma_m, address_m, pmd_m);
34367 -+ }
34368 -+#endif
34369 -+
34370 - pgd = pgd_offset(mm, address);
34371 - pud = pud_alloc(mm, pgd, address);
34372 - if (!pud)
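Review bot: in the `vma->vm_start > vma_m->vm_start` branch, `vma = vma_m` makes `vma_m` the lower vma while `address_m` is the upper address, so `pax_unmap_mirror_pte(vma_m, address_m, pmd_m)` receives a vma that does not cover the address it is asked to unmap; pax_unmap_mirror_pte passes that pair on to vm_normal_page and the flush helpers, which take the vma and address together. Swap the two vma pointers in that branch so that `vma_m` always names the vma covering `address_m`. The page-table allocation order (mirror first, then the original below) is fine, but a failed `__pte_alloc` for the mirror returns VM_FAULT_OOM after `pud_alloc`/`pmd_alloc` already succeeded, which is the same as the existing code's behaviour for the primary and needs no change.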
34373 -@@ -2673,7 +2953,7 @@ static int __init gate_vma_init(void)
34374 - gate_vma.vm_start = FIXADDR_USER_START;
34375 - gate_vma.vm_end = FIXADDR_USER_END;
34376 - gate_vma.vm_flags = VM_READ | VM_MAYREAD | VM_EXEC | VM_MAYEXEC;
34377 -- gate_vma.vm_page_prot = __P101;
34378 -+ gate_vma.vm_page_prot = vm_get_page_prot(gate_vma.vm_flags);
34379 - /*
34380 - * Make sure the vDSO gets into every core dump.
34381 - * Dumping its contents makes post-mortem fully interpretable later
34382 -diff -urNp linux-2.6.24.4/mm/mempolicy.c linux-2.6.24.4/mm/mempolicy.c
34383 ---- linux-2.6.24.4/mm/mempolicy.c 2008-03-24 14:49:18.000000000 -0400
34384 -+++ linux-2.6.24.4/mm/mempolicy.c 2008-03-26 17:56:56.000000000 -0400
34385 -@@ -406,6 +406,10 @@ static int mbind_range(struct vm_area_st
34386 - struct vm_area_struct *next;
34387 - int err;
34388 -
34389 -+#ifdef CONFIG_PAX_SEGMEXEC
34390 -+ struct vm_area_struct *vma_m;
34391 -+#endif
34392 -+
34393 - err = 0;
34394 - for (; vma && vma->vm_start < end; vma = next) {
34395 - next = vma->vm_next;
34396 -@@ -417,6 +421,16 @@ static int mbind_range(struct vm_area_st
34397 - err = policy_vma(vma, new);
34398 - if (err)
34399 - break;
34400 -+
34401 -+#ifdef CONFIG_PAX_SEGMEXEC
34402 -+ vma_m = pax_find_mirror_vma(vma);
34403 -+ if (vma_m) {
34404 -+ err = policy_vma(vma_m, new);
34405 -+ if (err)
34406 -+ break;
34407 -+ }
34408 -+#endif
34409 -+
34410 - }
34411 - return err;
34412 - }
34413 -@@ -794,6 +808,17 @@ static long do_mbind(unsigned long start
34414 -
34415 - if (end < start)
34416 - return -EINVAL;
34417 -+
34418 -+#ifdef CONFIG_PAX_SEGMEXEC
34419 -+ if (mm->pax_flags & MF_PAX_SEGMEXEC) {
34420 -+ if (end > SEGMEXEC_TASK_SIZE)
34421 -+ return -EINVAL;
34422 -+ } else
34423 -+#endif
34424 -+
34425 -+ if (end > TASK_SIZE)
34426 -+ return -EINVAL;
34427 -+
34428 - if (end == start)
34429 - return 0;
34430 -
34431 -diff -urNp linux-2.6.24.4/mm/mlock.c linux-2.6.24.4/mm/mlock.c
34432 ---- linux-2.6.24.4/mm/mlock.c 2008-03-24 14:49:18.000000000 -0400
34433 -+++ linux-2.6.24.4/mm/mlock.c 2008-03-26 17:56:56.000000000 -0400
34434 -@@ -12,6 +12,7 @@
34435 - #include <linux/syscalls.h>
34436 - #include <linux/sched.h>
34437 - #include <linux/module.h>
34438 -+#include <linux/grsecurity.h>
34439 -
34440 - int can_do_mlock(void)
34441 - {
34442 -@@ -95,6 +96,17 @@ static int do_mlock(unsigned long start,
34443 - return -EINVAL;
34444 - if (end == start)
34445 - return 0;
34446 -+
34447 -+#ifdef CONFIG_PAX_SEGMEXEC
34448 -+ if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
34449 -+ if (end > SEGMEXEC_TASK_SIZE)
34450 -+ return -EINVAL;
34451 -+ } else
34452 -+#endif
34453 -+
34454 -+ if (end > TASK_SIZE)
34455 -+ return -EINVAL;
34456 -+
34457 - vma = find_vma_prev(current->mm, start, &prev);
34458 - if (!vma || vma->vm_start > start)
34459 - return -ENOMEM;
34460 -@@ -152,6 +164,7 @@ asmlinkage long sys_mlock(unsigned long
34461 - lock_limit >>= PAGE_SHIFT;
34462 -
34463 - /* check against resource limits */
34464 -+ gr_learn_resource(current, RLIMIT_MEMLOCK, (current->mm->locked_vm << PAGE_SHIFT) + len, 1);
34465 - if ((locked <= lock_limit) || capable(CAP_IPC_LOCK))
34466 - error = do_mlock(start, len, 1);
34467 - up_write(&current->mm->mmap_sem);
34468 -@@ -173,10 +186,10 @@ asmlinkage long sys_munlock(unsigned lon
34469 - static int do_mlockall(int flags)
34470 - {
34471 - struct vm_area_struct * vma, * prev = NULL;
34472 -- unsigned int def_flags = 0;
34473 -+ unsigned int def_flags = current->mm->def_flags & ~VM_LOCKED;
34474 -
34475 - if (flags & MCL_FUTURE)
34476 -- def_flags = VM_LOCKED;
34477 -+ def_flags |= VM_LOCKED;
34478 - current->mm->def_flags = def_flags;
34479 - if (flags == MCL_FUTURE)
34480 - goto out;
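Review bot: keeping the other bits of `current->mm->def_flags` instead of resetting them to `0` fixes do_mlockall clobbering flags that were not set by mlockall; that is an independent correctness fix rather than part of the SEGMEXEC work and would be easier to carry (and to send upstream) as a separate hunk with its own description. The MCL_FUTURE semantics are unchanged by the `=` to `|=` rewrite.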
34481 -@@ -184,6 +197,12 @@ static int do_mlockall(int flags)
34482 - for (vma = current->mm->mmap; vma ; vma = prev->vm_next) {
34483 - unsigned int newflags;
34484 -
34485 -+#ifdef CONFIG_PAX_SEGMEXEC
34486 -+ if ((current->mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_start >= SEGMEXEC_TASK_SIZE))
34487 -+ break;
34488 -+#endif
34489 -+
34490 -+ BUG_ON(vma->vm_end > TASK_SIZE);
34491 - newflags = vma->vm_flags | VM_LOCKED;
34492 - if (!(flags & MCL_CURRENT))
34493 - newflags &= ~VM_LOCKED;
34494 -@@ -213,6 +232,7 @@ asmlinkage long sys_mlockall(int flags)
34495 - lock_limit >>= PAGE_SHIFT;
34496 -
34497 - ret = -ENOMEM;
34498 -+ gr_learn_resource(current, RLIMIT_MEMLOCK, current->mm->total_vm, 1);
34499 - if (!(flags & MCL_CURRENT) || (current->mm->total_vm <= lock_limit) ||
34500 - capable(CAP_IPC_LOCK))
34501 - ret = do_mlockall(flags);
34502 -diff -urNp linux-2.6.24.4/mm/mmap.c linux-2.6.24.4/mm/mmap.c
34503 ---- linux-2.6.24.4/mm/mmap.c 2008-03-24 14:49:18.000000000 -0400
34504 -+++ linux-2.6.24.4/mm/mmap.c 2008-03-26 17:56:56.000000000 -0400
34505 -@@ -26,6 +26,7 @@
34506 - #include <linux/mount.h>
34507 - #include <linux/mempolicy.h>
34508 - #include <linux/rmap.h>
34509 -+#include <linux/grsecurity.h>
34510 -
34511 - #include <asm/uaccess.h>
34512 - #include <asm/cacheflush.h>
34513 -@@ -36,6 +37,16 @@
34514 - #define arch_mmap_check(addr, len, flags) (0)
34515 - #endif
34516 -
34517 -+static inline void verify_mm_writelocked(struct mm_struct *mm)
34518 -+{
34519 -+#if defined(CONFIG_DEBUG_VM) || defined(CONFIG_PAX)
34520 -+ if (unlikely(down_read_trylock(&mm->mmap_sem))) {
34521 -+ up_read(&mm->mmap_sem);
34522 -+ BUG();
34523 -+ }
34524 -+#endif
34525 -+}
34526 -+
34527 - static void unmap_region(struct mm_struct *mm,
34528 - struct vm_area_struct *vma, struct vm_area_struct *prev,
34529 - unsigned long start, unsigned long end);
34530 -@@ -61,15 +72,23 @@ static void unmap_region(struct mm_struc
34531 - * x: (no) no x: (no) yes x: (no) yes x: (yes) yes
34532 - *
34533 - */
34534 --pgprot_t protection_map[16] = {
34535 -+pgprot_t protection_map[16] __read_only = {
34536 - __P000, __P001, __P010, __P011, __P100, __P101, __P110, __P111,
34537 - __S000, __S001, __S010, __S011, __S100, __S101, __S110, __S111
34538 - };
34539 -
34540 - pgprot_t vm_get_page_prot(unsigned long vm_flags)
34541 - {
34542 -- return protection_map[vm_flags &
34543 -- (VM_READ|VM_WRITE|VM_EXEC|VM_SHARED)];
34544 -+ pgprot_t prot = protection_map[vm_flags & (VM_READ|VM_WRITE|VM_EXEC|VM_SHARED)];
34545 -+
34546 -+#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
34547 -+ if (!nx_enabled &&
34548 -+ (vm_flags & (VM_PAGEEXEC | VM_EXEC)) == VM_PAGEEXEC &&
34549 -+ (vm_flags & (VM_READ | VM_WRITE)))
34550 -+ prot = __pgprot(pte_val(pte_exprotect(__pte(pgprot_val(prot)))));
34551 -+#endif
34552 -+
34553 -+ return prot;
34554 - }
34555 - EXPORT_SYMBOL(vm_get_page_prot);
34556 -
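Review bot: `protection_map[16] __read_only` relies on a `__read_only` attribute that is defined elsewhere in the patch and not in this file's includes as shown, so the hunk only builds when the rest of the series is applied; a note in the description would help anyone bisecting. The PAGEEXEC branch in vm_get_page_prot (`!nx_enabled` on x86-32, non-executable mapping that is readable or writable, `pte_exprotect`) has no comment explaining that it is the software-NX emulation path for CPUs without a hardware NX bit; without that a reader cannot tell why only the `VM_PAGEEXEC && !VM_EXEC` combination is rewritten.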
34557 -@@ -224,6 +243,7 @@ static struct vm_area_struct *remove_vma
34558 - struct vm_area_struct *next = vma->vm_next;
34559 -
34560 - might_sleep();
34561 -+ BUG_ON(vma->vm_mirror);
34562 - if (vma->vm_ops && vma->vm_ops->close)
34563 - vma->vm_ops->close(vma);
34564 - if (vma->vm_file)
34565 -@@ -251,6 +271,7 @@ asmlinkage unsigned long sys_brk(unsigne
34566 - * not page aligned -Ram Gupta
34567 - */
34568 - rlim = current->signal->rlim[RLIMIT_DATA].rlim_cur;
34569 -+ gr_learn_resource(current, RLIMIT_DATA, brk - mm->start_data, 1);
34570 - if (rlim < RLIM_INFINITY && brk - mm->start_data > rlim)
34571 - goto out;
34572 -
34573 -@@ -351,8 +372,12 @@ find_vma_prepare(struct mm_struct *mm, u
34574 -
34575 - if (vma_tmp->vm_end > addr) {
34576 - vma = vma_tmp;
34577 -- if (vma_tmp->vm_start <= addr)
34578 -- return vma;
34579 -+ if (vma_tmp->vm_start <= addr) {
34580 -+//printk("PAX: prep: %08lx-%08lx %08lx pr:%p l:%p pa:%p ",
34581 -+//vma->vm_start, vma->vm_end, addr, *pprev, *rb_link, *rb_parent);
34582 -+//__print_symbol("%s\n", __builtin_extract_return_addr(__builtin_return_address(0)));
34583 -+ break;
34584 -+ }
34585 - __rb_link = &__rb_parent->rb_left;
34586 - } else {
34587 - rb_prev = __rb_parent;
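Review bot: the three commented-out `printk`/`__print_symbol` debug lines in find_vma_prepare are dead code and should be dropped before the patch is carried in a distribution kernel. The `return vma` to `break` change also alters the function's contract: when an existing vma already covers `addr`, `*pprev`, `*rb_link` and `*rb_parent` are now filled in instead of being left untouched, and nothing in the hunk says which caller depends on that; a one-line comment at the `break` would document it.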
34588 -@@ -676,6 +701,12 @@ static int
34589 - can_vma_merge_before(struct vm_area_struct *vma, unsigned long vm_flags,
34590 - struct anon_vma *anon_vma, struct file *file, pgoff_t vm_pgoff)
34591 - {
34592 -+
34593 -+#ifdef CONFIG_PAX_SEGMEXEC
34594 -+ if ((vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) && vma->vm_start == SEGMEXEC_TASK_SIZE)
34595 -+ return 0;
34596 -+#endif
34597 -+
34598 - if (is_mergeable_vma(vma, file, vm_flags) &&
34599 - is_mergeable_anon_vma(anon_vma, vma->anon_vma)) {
34600 - if (vma->vm_pgoff == vm_pgoff)
34601 -@@ -695,6 +726,12 @@ static int
34602 - can_vma_merge_after(struct vm_area_struct *vma, unsigned long vm_flags,
34603 - struct anon_vma *anon_vma, struct file *file, pgoff_t vm_pgoff)
34604 - {
34605 -+
34606 -+#ifdef CONFIG_PAX_SEGMEXEC
34607 -+ if ((vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) && vma->vm_end == SEGMEXEC_TASK_SIZE)
34608 -+ return 0;
34609 -+#endif
34610 -+
34611 - if (is_mergeable_vma(vma, file, vm_flags) &&
34612 - is_mergeable_anon_vma(anon_vma, vma->anon_vma)) {
34613 - pgoff_t vm_pglen;
34614 -@@ -737,12 +774,19 @@ can_vma_merge_after(struct vm_area_struc
34615 - struct vm_area_struct *vma_merge(struct mm_struct *mm,
34616 - struct vm_area_struct *prev, unsigned long addr,
34617 - unsigned long end, unsigned long vm_flags,
34618 -- struct anon_vma *anon_vma, struct file *file,
34619 -+ struct anon_vma *anon_vma, struct file *file,
34620 - pgoff_t pgoff, struct mempolicy *policy)
34621 - {
34622 - pgoff_t pglen = (end - addr) >> PAGE_SHIFT;
34623 - struct vm_area_struct *area, *next;
34624 -
34625 -+#ifdef CONFIG_PAX_SEGMEXEC
34626 -+ unsigned long addr_m = addr + SEGMEXEC_TASK_SIZE, end_m = end + SEGMEXEC_TASK_SIZE;
34627 -+ struct vm_area_struct *area_m = NULL, *next_m = NULL, *prev_m = NULL;
34628 -+
34629 -+ BUG_ON((mm->pax_flags & MF_PAX_SEGMEXEC) && SEGMEXEC_TASK_SIZE < end);
34630 -+#endif
34631 -+
34632 - /*
34633 - * We later require that vma->vm_flags == vm_flags,
34634 - * so this tests vma->vm_flags & VM_SPECIAL, too.
34635 -@@ -758,6 +802,15 @@ struct vm_area_struct *vma_merge(struct
34636 - if (next && next->vm_end == end) /* cases 6, 7, 8 */
34637 - next = next->vm_next;
34638 -
34639 -+#ifdef CONFIG_PAX_SEGMEXEC
34640 -+ if (prev)
34641 -+ prev_m = pax_find_mirror_vma(prev);
34642 -+ if (area)
34643 -+ area_m = pax_find_mirror_vma(area);
34644 -+ if (next)
34645 -+ next_m = pax_find_mirror_vma(next);
34646 -+#endif
34647 -+
34648 - /*
34649 - * Can it merge with the predecessor?
34650 - */
34651 -@@ -777,9 +830,24 @@ struct vm_area_struct *vma_merge(struct
34652 - /* cases 1, 6 */
34653 - vma_adjust(prev, prev->vm_start,
34654 - next->vm_end, prev->vm_pgoff, NULL);
34655 -- } else /* cases 2, 5, 7 */
34656 -+
34657 -+#ifdef CONFIG_PAX_SEGMEXEC
34658 -+ if (prev_m)
34659 -+ vma_adjust(prev_m, prev_m->vm_start,
34660 -+ next_m->vm_end, prev_m->vm_pgoff, NULL);
34661 -+#endif
34662 -+
34663 -+ } else { /* cases 2, 5, 7 */
34664 - vma_adjust(prev, prev->vm_start,
34665 - end, prev->vm_pgoff, NULL);
34666 -+
34667 -+#ifdef CONFIG_PAX_SEGMEXEC
34668 -+ if (prev_m)
34669 -+ vma_adjust(prev_m, prev_m->vm_start,
34670 -+ end_m, prev_m->vm_pgoff, NULL);
34671 -+#endif
34672 -+
34673 -+ }
34674 - return prev;
34675 - }
34676 -
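Review bot: in the cases 1/6 branch, `next_m->vm_end` is dereferenced under `if (prev_m)` without checking that `next_m` is non-NULL, so an asymmetric state (prev mirrored, next not) becomes a NULL pointer dereference rather than a clear invariant failure. Either guard with `if (prev_m && next_m)` or add `BUG_ON(!next_m)` alongside the other mirror invariants so the assumption is explicit.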
34677 -@@ -790,12 +858,43 @@ struct vm_area_struct *vma_merge(struct
34678 - mpol_equal(policy, vma_policy(next)) &&
34679 - can_vma_merge_before(next, vm_flags,
34680 - anon_vma, file, pgoff+pglen)) {
34681 -- if (prev && addr < prev->vm_end) /* case 4 */
34682 -+ if (prev && addr < prev->vm_end) { /* case 4 */
34683 - vma_adjust(prev, prev->vm_start,
34684 - addr, prev->vm_pgoff, NULL);
34685 -- else /* cases 3, 8 */
34686 -+
34687 -+#ifdef CONFIG_PAX_SEGMEXEC
34688 -+ if (prev_m)
34689 -+ vma_adjust(prev_m, prev_m->vm_start,
34690 -+ addr_m, prev_m->vm_pgoff, NULL);
34691 -+#endif
34692 -+
34693 -+ } else { /* cases 3, 8 */
34694 - vma_adjust(area, addr, next->vm_end,
34695 - next->vm_pgoff - pglen, NULL);
34696 -+
34697 -+#ifdef CONFIG_PAX_SEGMEXEC
34698 -+ if (area_m)
34699 -+ vma_adjust(area_m, addr_m, next_m->vm_end,
34700 -+ next_m->vm_pgoff - pglen, NULL);
34701 -+ else if (next_m) {
34702 -+ vma_adjust(next_m, addr_m, next_m->vm_end,
34703 -+ next_m->vm_pgoff - pglen, NULL);
34704 -+ BUG_ON(area == next);
34705 -+ BUG_ON(area->vm_mirror);
34706 -+ BUG_ON(next_m->anon_vma && next_m->anon_vma != area->anon_vma);
34707 -+ BUG_ON(area->vm_file != next_m->vm_file);
34708 -+ BUG_ON(area->vm_end - area->vm_start != next_m->vm_end - next_m->vm_start);
34709 -+ BUG_ON(area->vm_pgoff != next_m->vm_pgoff);
34710 -+ area->vm_mirror = next_m;
34711 -+ next_m->vm_mirror = area;
34712 -+ if (area->anon_vma && !next_m->anon_vma) {
34713 -+ next_m->anon_vma = area->anon_vma;
34714 -+ anon_vma_link(next_m);
34715 -+ }
34716 -+ }
34717 -+#endif
34718 -+
34719 -+ }
34720 - return area;
34721 - }
34722 -
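Review bot: the `else if (next_m)` branch in cases 3/8 is the only place where a lower-half vma without a mirror (`area`) gets paired with an already existing upper-half vma (`next_m`), and that is not obvious from the code; a comment stating when this branch is reached would save the reader from reverse-engineering it from the six `BUG_ON`s. Those `BUG_ON`s also only admit `area->anon_vma` set with `next_m->anon_vma` unset (the case that is then linked), and trip on the reverse; if that is intended it should be said, since `BUG_ON(next_m->anon_vma && next_m->anon_vma != area->anon_vma)` reads as a generic consistency check.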
34723 -@@ -870,14 +969,11 @@ none:
34724 - void vm_stat_account(struct mm_struct *mm, unsigned long flags,
34725 - struct file *file, long pages)
34726 - {
34727 -- const unsigned long stack_flags
34728 -- = VM_STACK_FLAGS & (VM_GROWSUP|VM_GROWSDOWN);
34729 --
34730 - if (file) {
34731 - mm->shared_vm += pages;
34732 - if ((flags & (VM_EXEC|VM_WRITE)) == VM_EXEC)
34733 - mm->exec_vm += pages;
34734 -- } else if (flags & stack_flags)
34735 -+ } else if (flags & (VM_GROWSUP|VM_GROWSDOWN))
34736 - mm->stack_vm += pages;
34737 - if (flags & (VM_RESERVED|VM_IO))
34738 - mm->reserved_vm += pages;
34739 -@@ -905,7 +1001,7 @@ unsigned long do_mmap_pgoff(struct file
34740 - * (the exception is when the underlying filesystem is noexec
34741 - * mounted, in which case we dont add PROT_EXEC.)
34742 - */
34743 -- if ((prot & PROT_READ) && (current->personality & READ_IMPLIES_EXEC))
34744 -+ if ((prot & (PROT_READ | PROT_WRITE)) && (current->personality & READ_IMPLIES_EXEC))
34745 - if (!(file && (file->f_path.mnt->mnt_flags & MNT_NOEXEC)))
34746 - prot |= PROT_EXEC;
34747 -
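Review bot: changing the READ_IMPLIES_EXEC test from `PROT_READ` to `PROT_READ | PROT_WRITE` means write-only mappings now also receive PROT_EXEC under that personality, which widens the legacy behaviour rather than restricting it; the reason (keeping PAGEEXEC/SEGMEXEC consistent for legacy binaries that expect every mapping to be executable) belongs in the patch description. Note that when MF_PAX_MPROTECT is set the block added later in do_mmap_pgoff strips VM_EXEC from any writable mapping again, so the effect is limited to non-MPROTECT tasks.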
34748 -@@ -915,15 +1011,15 @@ unsigned long do_mmap_pgoff(struct file
34749 - if (!(flags & MAP_FIXED))
34750 - addr = round_hint_to_min(addr);
34751 -
34752 -- error = arch_mmap_check(addr, len, flags);
34753 -- if (error)
34754 -- return error;
34755 --
34756 - /* Careful about overflows.. */
34757 - len = PAGE_ALIGN(len);
34758 - if (!len || len > TASK_SIZE)
34759 - return -ENOMEM;
34760 -
34761 -+ error = arch_mmap_check(addr, len, flags);
34762 -+ if (error)
34763 -+ return error;
34764 -+
34765 - /* offset overflow? */
34766 - if ((pgoff + (len >> PAGE_SHIFT)) < pgoff)
34767 - return -EOVERFLOW;
34768 -@@ -935,7 +1031,7 @@ unsigned long do_mmap_pgoff(struct file
34769 - /* Obtain the address to map to. we verify (or select) it and ensure
34770 - * that it represents a valid section of the address space.
34771 - */
34772 -- addr = get_unmapped_area(file, addr, len, pgoff, flags);
34773 -+ addr = get_unmapped_area(file, addr, len, pgoff, flags | ((prot & PROT_EXEC) ? MAP_EXECUTABLE : 0));
34774 - if (addr & ~PAGE_MASK)
34775 - return addr;
34776 -
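Review bot: ORing `MAP_EXECUTABLE` into the flags passed to get_unmapped_area turns a userspace-visible, otherwise ignored mmap flag into an internal hint that the mapping is executable, but `flags` as received from userspace may already carry MAP_EXECUTABLE, so the arch get_unmapped_area callers cannot tell a genuine PROT_EXEC mapping from one where the caller merely set the flag. If the hint is only used for placement (SEGMEXEC layout, randomisation) that is acceptable, but it should be documented at this line and in whichever get_unmapped_area consumes it.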
34777 -@@ -946,6 +1042,26 @@ unsigned long do_mmap_pgoff(struct file
34778 - vm_flags = calc_vm_prot_bits(prot) | calc_vm_flag_bits(flags) |
34779 - mm->def_flags | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC;
34780 -
34781 -+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
34782 -+ if (mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
34783 -+
34784 -+#ifdef CONFIG_PAX_MPROTECT
34785 -+ if (mm->pax_flags & MF_PAX_MPROTECT) {
34786 -+ if ((prot & (PROT_WRITE | PROT_EXEC)) != PROT_EXEC)
34787 -+ vm_flags &= ~(VM_EXEC | VM_MAYEXEC);
34788 -+ else
34789 -+ vm_flags &= ~(VM_WRITE | VM_MAYWRITE);
34790 -+ }
34791 -+#endif
34792 -+
34793 -+ }
34794 -+#endif
34795 -+
34796 -+#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
34797 -+ if ((mm->pax_flags & MF_PAX_PAGEEXEC) && file)
34798 -+ vm_flags &= ~VM_PAGEEXEC;
34799 -+#endif
34800 -+
34801 - if (flags & MAP_LOCKED) {
34802 - if (!can_do_mlock())
34803 - return -EPERM;
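Review bot: the outer `if (mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC))` block contains nothing but the nested MPROTECT block and two blank lines, so it reads as a placeholder; either fold the two conditions together or add a comment saying the outer block is reserved for the other PaX handling. The MPROTECT logic itself is the mmap-time W^X enforcement: an exec-only request keeps exec and loses VM_WRITE/VM_MAYWRITE, every other request (including writable+executable) loses VM_EXEC/VM_MAYEXEC, and clearing the VM_MAY* bits is what makes a later mprotect() unable to re-add the dropped permission. That one-sentence explanation is worth putting above the `if` since the `!= PROT_EXEC` comparison is easy to misread.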
34804 -@@ -958,6 +1074,7 @@ unsigned long do_mmap_pgoff(struct file
34805 - locked += mm->locked_vm;
34806 - lock_limit = current->signal->rlim[RLIMIT_MEMLOCK].rlim_cur;
34807 - lock_limit >>= PAGE_SHIFT;
34808 -+ gr_learn_resource(current, RLIMIT_MEMLOCK, locked << PAGE_SHIFT, 1);
34809 - if (locked > lock_limit && !capable(CAP_IPC_LOCK))
34810 - return -EAGAIN;
34811 - }
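Review bot: gr_learn_resource() runs before the `locked > lock_limit && !capable(CAP_IPC_LOCK)` test, so the learning hook records the attempted value even when the request is then refused with -EAGAIN. If that is deliberate (learning mode wants to see the value a process tried to reach), say so once in a comment; the same placement is used for RLIMIT_STACK and RLIMIT_MEMLOCK in acct_stack_growth and for RLIMIT_AS in may_expand_vm further down, so the choice should be consistent and documented in one place.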
34812 -@@ -1026,6 +1143,9 @@ unsigned long do_mmap_pgoff(struct file
34813 - if (error)
34814 - return error;
34815 -
34816 -+ if (!gr_acl_handle_mmap(file, prot))
34817 -+ return -EACCES;
34818 -+
34819 - return mmap_region(file, addr, len, flags, vm_flags, pgoff,
34820 - accountable);
34821 - }
34822 -@@ -1039,10 +1159,10 @@ EXPORT_SYMBOL(do_mmap_pgoff);
34823 - */
34824 - int vma_wants_writenotify(struct vm_area_struct *vma)
34825 - {
34826 -- unsigned int vm_flags = vma->vm_flags;
34827 -+ unsigned long vm_flags = vma->vm_flags;
34828 -
34829 - /* If it was private or non-writable, the write bit is already clear */
34830 -- if ((vm_flags & (VM_WRITE|VM_SHARED)) != ((VM_WRITE|VM_SHARED)))
34831 -+ if ((vm_flags & (VM_WRITE|VM_SHARED)) != (VM_WRITE|VM_SHARED))
34832 - return 0;
34833 -
34834 - /* The backer wishes to know when pages are first written to? */
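Review bot: the `unsigned int` to `unsigned long` change is a real fix, not cosmetic: vm_area_struct.vm_flags is an unsigned long, so the local copy truncated the upper half on 64-bit builds and any flag defined at bit 32 or above would have been dropped before the VM_WRITE|VM_SHARED test. That deserves a sentence in the changelog. The parenthesis cleanup on the following line is purely cosmetic and would be better split out so the functional change stays visible.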
34835 -@@ -1077,14 +1197,24 @@ unsigned long mmap_region(struct file *f
34836 - unsigned long charged = 0;
34837 - struct inode *inode = file ? file->f_path.dentry->d_inode : NULL;
34838 -
34839 -+#ifdef CONFIG_PAX_SEGMEXEC
34840 -+ struct vm_area_struct *vma_m = NULL;
34841 -+#endif
34842 -+
34843 -+ /*
34844 -+ * mm->mmap_sem is required to protect against another thread
34845 -+ * changing the mappings in case we sleep.
34846 -+ */
34847 -+ verify_mm_writelocked(mm);
34848 -+
34849 - /* Clear old maps */
34850 - error = -ENOMEM;
34851 --munmap_back:
34852 - vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
34853 - if (vma && vma->vm_start < addr + len) {
34854 - if (do_munmap(mm, addr, len))
34855 - return -ENOMEM;
34856 -- goto munmap_back;
34857 -+ vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
34858 -+ BUG_ON(vma && vma->vm_start < addr + len);
34859 - }
34860 -
34861 - /* Check against address space limit. */
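Review bot: replacing the `munmap_back` retry loop with one re-lookup plus `BUG_ON(vma && vma->vm_start < addr + len)` turns a condition the old code tolerated into a kernel panic. The BUG_ON is justified only because the write lock is held (which the new verify_mm_writelocked(mm) call asserts) and do_munmap() returning 0 guarantees the range is clear; either put that reasoning in a comment or use WARN_ON plus `return -ENOMEM` so a violation is logged rather than fatal. Note also that verify_mm_writelocked() was a static helper defined further down in this file and is removed by a later hunk, so it must now be declared in a header before this point or mmap_region() will not compile.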
34862 -@@ -1128,6 +1258,16 @@ munmap_back:
34863 - goto unacct_error;
34864 - }
34865 -
34866 -+#ifdef CONFIG_PAX_SEGMEXEC
34867 -+ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (vm_flags & VM_EXEC)) {
34868 -+ vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
34869 -+ if (!vma_m) {
34870 -+ error = -ENOMEM;
34871 -+ goto free_vma;
34872 -+ }
34873 -+ }
34874 -+#endif
34875 -+
34876 - vma->vm_mm = mm;
34877 - vma->vm_start = addr;
34878 - vma->vm_end = addr + len;
34879 -@@ -1150,6 +1290,27 @@ munmap_back:
34880 - error = file->f_op->mmap(file, vma);
34881 - if (error)
34882 - goto unmap_and_free_vma;
34883 -+
34884 -+#ifdef CONFIG_PAX_SEGMEXEC
34885 -+ if (vma_m) {
34886 -+ struct mempolicy *pol;
34887 -+
34888 -+ pol = mpol_copy(vma_policy(vma));
34889 -+ if (IS_ERR(pol)) {
34890 -+ mpol_free(vma_policy(vma));
34891 -+ goto unmap_and_free_vma;
34892 -+ }
34893 -+ vma_set_policy(vma_m, pol);
34894 -+ }
34895 -+#endif
34896 -+
34897 -+#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
34898 -+ if ((mm->pax_flags & MF_PAX_PAGEEXEC) && !(vma->vm_flags & VM_SPECIAL)) {
34899 -+ vma->vm_flags |= VM_PAGEEXEC;
34900 -+ vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
34901 -+ }
34902 -+#endif
34903 -+
34904 - } else if (vm_flags & VM_SHARED) {
34905 - error = shmem_zero_setup(vma);
34906 - if (error)
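Review bot: the X86_32 block overwrites vma->vm_page_prot with vm_get_page_prot(vma->vm_flags) after the driver's ->mmap has run. The VM_SPECIAL exclusion covers drivers that set VM_IO/VM_PFNMAP/VM_RESERVED, but a driver that only changed vm_page_prot (for example to an uncached pgprot) without setting one of those flags would have its change silently replaced; a comment stating why VM_SPECIAL is the right filter is needed. In the SEGMEXEC part, on mpol_copy() failure the code frees vma's policy with `mpol_free(vma_policy(vma))` and jumps to unmap_and_free_vma without clearing the policy pointer; that is safe only as long as nothing on that path touches vma's policy again, which should be stated.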
34907 -@@ -1180,6 +1341,12 @@ munmap_back:
34908 - vma->vm_flags, NULL, file, pgoff, vma_policy(vma))) {
34909 - file = vma->vm_file;
34910 - vma_link(mm, vma, prev, rb_link, rb_parent);
34911 -+
34912 -+#ifdef CONFIG_PAX_SEGMEXEC
34913 -+ if (vma_m)
34914 -+ pax_mirror_vma(vma_m, vma);
34915 -+#endif
34916 -+
34917 - if (correct_wcount)
34918 - atomic_inc(&inode->i_writecount);
34919 - } else {
34920 -@@ -1190,10 +1357,20 @@ munmap_back:
34921 - }
34922 - mpol_free(vma_policy(vma));
34923 - kmem_cache_free(vm_area_cachep, vma);
34924 -+ vma = NULL;
34925 -+
34926 -+#ifdef CONFIG_PAX_SEGMEXEC
34927 -+ if (vma_m) {
34928 -+ mpol_free(vma_policy(vma_m));
34929 -+ kmem_cache_free(vm_area_cachep, vma_m);
34930 -+ }
34931 -+#endif
34932 -+
34933 - }
34934 - out:
34935 - mm->total_vm += len >> PAGE_SHIFT;
34936 - vm_stat_account(mm, vm_flags, file, len >> PAGE_SHIFT);
34937 -+ track_exec_limit(mm, addr, addr + len, vm_flags);
34938 - if (vm_flags & VM_LOCKED) {
34939 - mm->locked_vm += len >> PAGE_SHIFT;
34940 - make_pages_present(addr, addr + len);
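Review bot: in the vma_merge() branch the freshly allocated vma_m is discarded, which is right for the new vma, but the mapping was merged into an existing VMA whose own mirror (if any) must now cover the enlarged range, and nothing in this hunk does that. The patch therefore relies on vma_adjust()/vma_merge() extending mirrors elsewhere; reference that in a comment, since a mismatch would trip the size BUG_ON in pax_find_mirror_vma(). The added `vma = NULL;` is harmless but unexplained; if it is there to catch a later use, say so.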
34941 -@@ -1212,6 +1389,12 @@ unmap_and_free_vma:
34942 - unmap_region(mm, vma, prev, vma->vm_start, vma->vm_end);
34943 - charged = 0;
34944 - free_vma:
34945 -+
34946 -+#ifdef CONFIG_PAX_SEGMEXEC
34947 -+ if (vma_m)
34948 -+ kmem_cache_free(vm_area_cachep, vma_m);
34949 -+#endif
34950 -+
34951 - kmem_cache_free(vm_area_cachep, vma);
34952 - unacct_error:
34953 - if (charged)
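Review bot: the free_vma path frees vma_m with kmem_cache_free() alone, whereas the vma_merge path in the previous hunk does `mpol_free(vma_policy(vma_m))` first. That is consistent only because no error path reaches free_vma after vma_set_policy(vma_m, pol) has run; if that invariant is what makes the missing mpol_free correct, write it down here, or call mpol_free unconditionally (it copes with a NULL policy) so the two cleanup paths look the same.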
34954 -@@ -1245,6 +1428,10 @@ arch_get_unmapped_area(struct file *filp
34955 - if (flags & MAP_FIXED)
34956 - return addr;
34957 -
34958 -+#ifdef CONFIG_PAX_RANDMMAP
34959 -+ if (!(mm->pax_flags & MF_PAX_RANDMMAP))
34960 -+#endif
34961 -+
34962 - if (addr) {
34963 - addr = PAGE_ALIGN(addr);
34964 - vma = find_vma(mm, addr);
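Review bot: the `#ifdef CONFIG_PAX_RANDMMAP` / `if (!(mm->pax_flags & MF_PAX_RANDMMAP))` / `#endif` construct followed by a blank line and then `if (addr) {` is fragile: the body of the ifdef'd `if` is the whole following `if (addr)` block, so any statement later inserted between the #endif and `if (addr)` silently becomes that body and changes the semantics. Make the intent explicit, for instance by clearing addr under the ifdef with a comment, and document that with RANDMMAP enabled non-MAP_FIXED hints are deliberately ignored so that the randomized base cannot be sidestepped by hinting.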
34965 -@@ -1253,10 +1440,10 @@ arch_get_unmapped_area(struct file *filp
34966 - return addr;
34967 - }
34968 - if (len > mm->cached_hole_size) {
34969 -- start_addr = addr = mm->free_area_cache;
34970 -+ start_addr = addr = mm->free_area_cache;
34971 - } else {
34972 -- start_addr = addr = TASK_UNMAPPED_BASE;
34973 -- mm->cached_hole_size = 0;
34974 -+ start_addr = addr = mm->mmap_base;
34975 -+ mm->cached_hole_size = 0;
34976 - }
34977 -
34978 - full_search:
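Review bot: this hunk mixes the functional change (TASK_UNMAPPED_BASE to mm->mmap_base) with a whitespace-only rewrite of the `start_addr = addr = mm->free_area_cache;` line; drop the latter. Using mm->mmap_base in the bottom-up allocator requires that every process on the legacy layout has mmap_base initialised; the topdown fallback hunk below sets it, but the plain legacy path has to be covered by the arch's layout selection, which is not in this file, so the changelog should say where that happens.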
34979 -@@ -1267,9 +1454,8 @@ full_search:
34980 - * Start a new search - just in case we missed
34981 - * some holes.
34982 - */
34983 -- if (start_addr != TASK_UNMAPPED_BASE) {
34984 -- addr = TASK_UNMAPPED_BASE;
34985 -- start_addr = addr;
34986 -+ if (start_addr != mm->mmap_base) {
34987 -+ start_addr = addr = mm->mmap_base;
34988 - mm->cached_hole_size = 0;
34989 - goto full_search;
34990 - }
34991 -@@ -1291,10 +1477,16 @@ full_search:
34992 -
34993 - void arch_unmap_area(struct mm_struct *mm, unsigned long addr)
34994 - {
34995 -+
34996 -+#ifdef CONFIG_PAX_SEGMEXEC
34997 -+ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && SEGMEXEC_TASK_SIZE <= addr)
34998 -+ return;
34999 -+#endif
35000 -+
35001 - /*
35002 - * Is this a new hole at the lowest possible address?
35003 - */
35004 -- if (addr >= TASK_UNMAPPED_BASE && addr < mm->free_area_cache) {
35005 -+ if (addr >= mm->mmap_base && addr < mm->free_area_cache) {
35006 - mm->free_area_cache = addr;
35007 - mm->cached_hole_size = ~0UL;
35008 - }
35009 -@@ -1312,7 +1504,7 @@ arch_get_unmapped_area_topdown(struct fi
35010 - {
35011 - struct vm_area_struct *vma;
35012 - struct mm_struct *mm = current->mm;
35013 -- unsigned long addr = addr0;
35014 -+ unsigned long base = mm->mmap_base, addr = addr0;
35015 -
35016 - /* requested length too big for entire address space */
35017 - if (len > TASK_SIZE)
35018 -@@ -1321,6 +1513,10 @@ arch_get_unmapped_area_topdown(struct fi
35019 - if (flags & MAP_FIXED)
35020 - return addr;
35021 -
35022 -+#ifdef CONFIG_PAX_RANDMMAP
35023 -+ if (!(mm->pax_flags & MF_PAX_RANDMMAP))
35024 -+#endif
35025 -+
35026 - /* requesting a specific address */
35027 - if (addr) {
35028 - addr = PAGE_ALIGN(addr);
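Review bot: same fragile ifdef-wrapped `if` as in arch_get_unmapped_area above: the RANDMMAP condition governs the entire following `if (addr)` block across a blank line and a comment. Apply the same explicit form in both places.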
35029 -@@ -1378,13 +1574,21 @@ bottomup:
35030 - * can happen with large stack limits and large mmap()
35031 - * allocations.
35032 - */
35033 -+ mm->mmap_base = TASK_UNMAPPED_BASE;
35034 -+
35035 -+#ifdef CONFIG_PAX_RANDMMAP
35036 -+ if (mm->pax_flags & MF_PAX_RANDMMAP)
35037 -+ mm->mmap_base += mm->delta_mmap;
35038 -+#endif
35039 -+
35040 -+ mm->free_area_cache = mm->mmap_base;
35041 - mm->cached_hole_size = ~0UL;
35042 -- mm->free_area_cache = TASK_UNMAPPED_BASE;
35043 - addr = arch_get_unmapped_area(filp, addr0, len, pgoff, flags);
35044 - /*
35045 - * Restore the topdown base:
35046 - */
35047 -- mm->free_area_cache = mm->mmap_base;
35048 -+ mm->mmap_base = base;
35049 -+ mm->free_area_cache = base;
35050 - mm->cached_hole_size = ~0UL;
35051 -
35052 - return addr;
35053 -@@ -1393,6 +1597,12 @@ bottomup:
35054 -
35055 - void arch_unmap_area_topdown(struct mm_struct *mm, unsigned long addr)
35056 - {
35057 -+
35058 -+#ifdef CONFIG_PAX_SEGMEXEC
35059 -+ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && SEGMEXEC_TASK_SIZE <= addr)
35060 -+ return;
35061 -+#endif
35062 -+
35063 - /*
35064 - * Is this a new hole at the highest possible address?
35065 - */
35066 -@@ -1400,8 +1610,10 @@ void arch_unmap_area_topdown(struct mm_s
35067 - mm->free_area_cache = addr;
35068 -
35069 - /* dont allow allocations above current base */
35070 -- if (mm->free_area_cache > mm->mmap_base)
35071 -+ if (mm->free_area_cache > mm->mmap_base) {
35072 - mm->free_area_cache = mm->mmap_base;
35073 -+ mm->cached_hole_size = ~0UL;
35074 -+ }
35075 - }
35076 -
35077 - unsigned long
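Review bot: good fix: when free_area_cache is clamped back to mmap_base, a stale cached_hole_size would make the next topdown search believe a hole of that size exists below a cache point that has just changed; resetting it to ~0UL forces a full search. A one-line comment saying that would spare the next reader the reasoning, and the fix is independent of PaX and could go to mainline on its own.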
35078 -@@ -1501,6 +1713,33 @@ out:
35079 - return prev ? prev->vm_next : vma;
35080 - }
35081 -
35082 -+#ifdef CONFIG_PAX_SEGMEXEC
35083 -+struct vm_area_struct *pax_find_mirror_vma(struct vm_area_struct *vma)
35084 -+{
35085 -+ struct vm_area_struct *vma_m;
35086 -+
35087 -+ BUG_ON(!vma || vma->vm_start >= vma->vm_end);
35088 -+ if (!(vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) || !(vma->vm_flags & VM_EXEC)) {
35089 -+ BUG_ON(vma->vm_mirror);
35090 -+ return NULL;
35091 -+ }
35092 -+ BUG_ON(vma->vm_end - SEGMEXEC_TASK_SIZE - 1 < vma->vm_start - SEGMEXEC_TASK_SIZE - 1);
35093 -+ vma_m = vma->vm_mirror;
35094 -+ BUG_ON(!vma_m || vma_m->vm_mirror != vma);
35095 -+ BUG_ON(vma->vm_file != vma_m->vm_file);
35096 -+ BUG_ON(vma->vm_end - vma->vm_start != vma_m->vm_end - vma_m->vm_start);
35097 -+ BUG_ON(vma->vm_pgoff != vma_m->vm_pgoff || vma->anon_vma != vma_m->anon_vma);
35098 -+
35099 -+#ifdef CONFIG_PAX_MPROTECT
35100 -+ BUG_ON((vma->vm_flags ^ vma_m->vm_flags) & ~(VM_WRITE | VM_MAYWRITE | VM_ACCOUNT | VM_LOCKED | VM_MAYNOTWRITE));
35101 -+#else
35102 -+ BUG_ON((vma->vm_flags ^ vma_m->vm_flags) & ~(VM_WRITE | VM_MAYWRITE | VM_ACCOUNT | VM_LOCKED));
35103 -+#endif
35104 -+
35105 -+ return vma_m;
35106 -+}
35107 -+#endif
35108 -+
35109 - /*
35110 - * Verify that the stack growth is acceptable and
35111 - * update accounting. This is shared with both the
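Review bot: `BUG_ON(vma->vm_end - SEGMEXEC_TASK_SIZE - 1 < vma->vm_start - SEGMEXEC_TASK_SIZE - 1)` relies on unsigned wrap-around; working through the cases, it fires exactly when `vma->vm_start <= SEGMEXEC_TASK_SIZE && vma->vm_end > SEGMEXEC_TASK_SIZE`. Write it in that explicit form or comment it. Note the boundary: a VMA starting exactly at SEGMEXEC_TASK_SIZE (the mirror of a mapping at address 0) satisfies the condition, which looks unintended for a "does not straddle the boundary" check. The remaining BUG_ONs are consistency invariants between a VMA and its mirror and would read better with a short comment listing which fields are required to match and why vm_flags may differ only in the write/account/lock bits.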
35112 -@@ -1517,6 +1756,7 @@ static int acct_stack_growth(struct vm_a
35113 - return -ENOMEM;
35114 -
35115 - /* Stack limit test */
35116 -+ gr_learn_resource(current, RLIMIT_STACK, size, 1);
35117 - if (size > rlim[RLIMIT_STACK].rlim_cur)
35118 - return -ENOMEM;
35119 -
35120 -@@ -1526,6 +1766,7 @@ static int acct_stack_growth(struct vm_a
35121 - unsigned long limit;
35122 - locked = mm->locked_vm + grow;
35123 - limit = rlim[RLIMIT_MEMLOCK].rlim_cur >> PAGE_SHIFT;
35124 -+ gr_learn_resource(current, RLIMIT_MEMLOCK, locked << PAGE_SHIFT, 1);
35125 - if (locked > limit && !capable(CAP_IPC_LOCK))
35126 - return -ENOMEM;
35127 - }
35128 -@@ -1540,7 +1781,7 @@ static int acct_stack_growth(struct vm_a
35129 - * Overcommit.. This must be the final test, as it will
35130 - * update security statistics.
35131 - */
35132 -- if (security_vm_enough_memory(grow))
35133 -+ if (security_vm_enough_memory_mm(mm, grow))
35134 - return -ENOMEM;
35135 -
35136 - /* Ok, everything looks good - let it rip */
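Review bot: the switch to security_vm_enough_memory_mm(mm, grow) is a correctness fix and should be named in the changelog: the plain security_vm_enough_memory() charges current->mm, while acct_stack_growth() can run on another task's mm (stack faults driven by get_user_pages from a tracer or a core dump), in which case the overcommit charge previously landed on the wrong process. Being PaX-independent, it could be sent upstream separately.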
35137 -@@ -1561,35 +1802,40 @@ static inline
35138 - #endif
35139 - int expand_upwards(struct vm_area_struct *vma, unsigned long address)
35140 - {
35141 -- int error;
35142 -+ int error, locknext;
35143 -
35144 - if (!(vma->vm_flags & VM_GROWSUP))
35145 - return -EFAULT;
35146 -
35147 -+ /* Also guard against wrapping around to address 0. */
35148 -+ if (address < PAGE_ALIGN(address+1))
35149 -+ address = PAGE_ALIGN(address+1);
35150 -+ else
35151 -+ return -ENOMEM;
35152 -+
35153 - /*
35154 - * We must make sure the anon_vma is allocated
35155 - * so that the anon_vma locking is not a noop.
35156 - */
35157 - if (unlikely(anon_vma_prepare(vma)))
35158 - return -ENOMEM;
35159 -+ locknext = vma->vm_next && (vma->vm_next->vm_flags & VM_GROWSDOWN);
35160 -+ if (locknext && unlikely(anon_vma_prepare(vma->vm_next)))
35161 -+ return -ENOMEM;
35162 - anon_vma_lock(vma);
35163 -+ if (locknext)
35164 -+ anon_vma_lock(vma->vm_next);
35165 -
35166 - /*
35167 - * vma->vm_start/vm_end cannot change under us because the caller
35168 - * is required to hold the mmap_sem in read mode. We need the
35169 -- * anon_vma lock to serialize against concurrent expand_stacks.
35170 -- * Also guard against wrapping around to address 0.
35171 -+ * anon_vma locks to serialize against concurrent expand_stacks
35172 -+ * and expand_upwards.
35173 - */
35174 -- if (address < PAGE_ALIGN(address+4))
35175 -- address = PAGE_ALIGN(address+4);
35176 -- else {
35177 -- anon_vma_unlock(vma);
35178 -- return -ENOMEM;
35179 -- }
35180 - error = 0;
35181 -
35182 - /* Somebody else might have raced and expanded it already */
35183 -- if (address > vma->vm_end) {
35184 -+ if (address > vma->vm_end && (!locknext || vma->vm_next->vm_start >= address)) {
35185 - unsigned long size, grow;
35186 -
35187 - size = address - vma->vm_start;
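Review bot: logic problem in the new condition `address > vma->vm_end && (!locknext || vma->vm_next->vm_start >= address)`: when the adjacent GROWSDOWN VMA already sits below the requested address, the growth is skipped but error stays 0, so the caller is told the stack was expanded although vma->vm_end is unchanged; the old code returned 0 without growing only when the VMA already covered address. Return -ENOMEM in that case so the fault is reported. Two smaller points: the wrap-around guard moving above anon_vma_prepare() is fine and removes the unlock on the error path, but `PAGE_ALIGN(address+4)` became `PAGE_ALIGN(address+1)`, which drops the extra page an access in the last three bytes of a page used to get, and the reason should be stated. Lock ordering: this takes vma's anon_vma lock before vm_next's (lower address first) and expand_downwards takes prev's before vma's, so both follow address order; a comment saying that this is what rules out an ABBA deadlock between the two would help.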
35188 -@@ -1599,6 +1845,8 @@ int expand_upwards(struct vm_area_struct
35189 - if (!error)
35190 - vma->vm_end = address;
35191 - }
35192 -+ if (locknext)
35193 -+ anon_vma_unlock(vma->vm_next);
35194 - anon_vma_unlock(vma);
35195 - return error;
35196 - }
35197 -@@ -1610,7 +1858,8 @@ int expand_upwards(struct vm_area_struct
35198 - static inline int expand_downwards(struct vm_area_struct *vma,
35199 - unsigned long address)
35200 - {
35201 -- int error;
35202 -+ int error, lockprev = 0;
35203 -+ struct vm_area_struct *prev = NULL;
35204 -
35205 - /*
35206 - * We must make sure the anon_vma is allocated
35207 -@@ -1624,6 +1873,15 @@ static inline int expand_downwards(struc
35208 - if (error)
35209 - return error;
35210 -
35211 -+#if defined(CONFIG_STACK_GROWSUP) || defined(CONFIG_IA64)
35212 -+ find_vma_prev(address, &prev);
35213 -+ lockprev = prev && (prev->vm_flags & VM_GROWSUP);
35214 -+#endif
35215 -+ if (lockprev && unlikely(anon_vma_prepare(prev)))
35216 -+ return -ENOMEM;
35217 -+ if (lockprev)
35218 -+ anon_vma_lock(prev);
35219 -+
35220 - anon_vma_lock(vma);
35221 -
35222 - /*
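Review bot: `find_vma_prev(address, &prev);` does not match find_vma_prev(struct mm_struct *mm, unsigned long addr, struct vm_area_struct **pprev). This block is only compiled with CONFIG_STACK_GROWSUP or CONFIG_IA64, so x86 builds never see it, but it will not compile on the architectures it is meant for; it should read `find_vma_prev(vma->vm_mm, address, &prev);`.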
35223 -@@ -1633,9 +1891,15 @@ static inline int expand_downwards(struc
35224 - */
35225 -
35226 - /* Somebody else might have raced and expanded it already */
35227 -- if (address < vma->vm_start) {
35228 -+ if (address < vma->vm_start && (!lockprev || prev->vm_end <= address)) {
35229 - unsigned long size, grow;
35230 -
35231 -+#ifdef CONFIG_PAX_SEGMEXEC
35232 -+ struct vm_area_struct *vma_m;
35233 -+
35234 -+ vma_m = pax_find_mirror_vma(vma);
35235 -+#endif
35236 -+
35237 - size = vma->vm_end - address;
35238 - grow = (vma->vm_start - address) >> PAGE_SHIFT;
35239 -
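Review bot: same issue as in expand_upwards: with `(!lockprev || prev->vm_end <= address)`, when prev already extends above address the growth is skipped but error stays 0, so the caller sees success without the VMA covering address; return -ENOMEM there. The vma_m lookup is fine, but adjusting the mirror later under vma's anon_vma lock alone is legitimate only because pax_find_mirror_vma() asserts that vma and vma_m share the same anon_vma; that dependency is worth a comment at this call site.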
35240 -@@ -1643,9 +1907,20 @@ static inline int expand_downwards(struc
35241 - if (!error) {
35242 - vma->vm_start = address;
35243 - vma->vm_pgoff -= grow;
35244 -+ track_exec_limit(vma->vm_mm, vma->vm_start, vma->vm_end, vma->vm_flags);
35245 -+
35246 -+#ifdef CONFIG_PAX_SEGMEXEC
35247 -+ if (vma_m) {
35248 -+ vma_m->vm_start -= grow << PAGE_SHIFT;
35249 -+ vma_m->vm_pgoff -= grow;
35250 -+ }
35251 -+#endif
35252 -+
35253 - }
35254 - }
35255 - anon_vma_unlock(vma);
35256 -+ if (lockprev)
35257 -+ anon_vma_unlock(prev);
35258 - return error;
35259 - }
35260 -
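Review bot: track_exec_limit() is invoked here with mmap_sem held only for read (stack faults), which its own comment in mprotect.c acknowledges with "except stack expansion". For a GROWSDOWN stack without VM_EXEC the call can only move the limit down, and the function's VMA walk with change_protection() runs only when the limit moves up, so the read-locked case never reaches that walk; put that reasoning in a comment at this call site, since it is the only thing that makes the reduced locking safe. The mirror adjustment of vm_start/vm_pgoff is consistent with what split_vma does for new_m.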
35261 -@@ -1717,6 +1992,13 @@ static void remove_vma_list(struct mm_st
35262 - do {
35263 - long nrpages = vma_pages(vma);
35264 -
35265 -+#ifdef CONFIG_PAX_SEGMEXEC
35266 -+ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_start >= SEGMEXEC_TASK_SIZE)) {
35267 -+ vma = remove_vma(vma);
35268 -+ continue;
35269 -+ }
35270 -+#endif
35271 -+
35272 - mm->total_vm -= nrpages;
35273 - if (vma->vm_flags & VM_LOCKED)
35274 - mm->locked_vm -= nrpages;
35275 -@@ -1763,6 +2045,16 @@ detach_vmas_to_be_unmapped(struct mm_str
35276 -
35277 - insertion_point = (prev ? &prev->vm_next : &mm->mmap);
35278 - do {
35279 -+
35280 -+#ifdef CONFIG_PAX_SEGMEXEC
35281 -+ if (vma->vm_mirror) {
35282 -+ BUG_ON(!vma->vm_mirror->vm_mirror || vma->vm_mirror->vm_mirror != vma);
35283 -+ vma->vm_mirror->vm_mirror = NULL;
35284 -+ vma->vm_mirror->vm_flags &= ~VM_EXEC;
35285 -+ vma->vm_mirror = NULL;
35286 -+ }
35287 -+#endif
35288 -+
35289 - rb_erase(&vma->vm_rb, &mm->mm_rb);
35290 - mm->map_count--;
35291 - tail_vma = vma;
35292 -@@ -1782,6 +2074,112 @@ detach_vmas_to_be_unmapped(struct mm_str
35293 - * Split a vma into two pieces at address 'addr', a new vma is allocated
35294 - * either for the first part or the tail.
35295 - */
35296 -+
35297 -+#ifdef CONFIG_PAX_SEGMEXEC
35298 -+int split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
35299 -+ unsigned long addr, int new_below)
35300 -+{
35301 -+ struct mempolicy *pol, *pol_m;
35302 -+ struct vm_area_struct *new, *vma_m, *new_m = NULL;
35303 -+ unsigned long addr_m = addr + SEGMEXEC_TASK_SIZE;
35304 -+
35305 -+ if (is_vm_hugetlb_page(vma) && (addr & ~HPAGE_MASK))
35306 -+ return -EINVAL;
35307 -+
35308 -+ vma_m = pax_find_mirror_vma(vma);
35309 -+ if (vma_m) {
35310 -+ BUG_ON(vma->vm_end > SEGMEXEC_TASK_SIZE);
35311 -+ if (mm->map_count >= sysctl_max_map_count-1)
35312 -+ return -ENOMEM;
35313 -+ } else if (mm->map_count >= sysctl_max_map_count)
35314 -+ return -ENOMEM;
35315 -+
35316 -+ new = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
35317 -+ if (!new)
35318 -+ return -ENOMEM;
35319 -+
35320 -+ if (vma_m) {
35321 -+ new_m = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
35322 -+ if (!new_m) {
35323 -+ kmem_cache_free(vm_area_cachep, new);
35324 -+ return -ENOMEM;
35325 -+ }
35326 -+ }
35327 -+
35328 -+ /* most fields are the same, copy all, and then fixup */
35329 -+ *new = *vma;
35330 -+
35331 -+ if (new_below)
35332 -+ new->vm_end = addr;
35333 -+ else {
35334 -+ new->vm_start = addr;
35335 -+ new->vm_pgoff += ((addr - vma->vm_start) >> PAGE_SHIFT);
35336 -+ }
35337 -+
35338 -+ if (vma_m) {
35339 -+ *new_m = *vma_m;
35340 -+ new_m->vm_mirror = new;
35341 -+ new->vm_mirror = new_m;
35342 -+
35343 -+ if (new_below)
35344 -+ new_m->vm_end = addr_m;
35345 -+ else {
35346 -+ new_m->vm_start = addr_m;
35347 -+ new_m->vm_pgoff += ((addr_m - vma_m->vm_start) >> PAGE_SHIFT);
35348 -+ }
35349 -+ }
35350 -+
35351 -+ pol = mpol_copy(vma_policy(vma));
35352 -+ if (IS_ERR(pol)) {
35353 -+ if (new_m)
35354 -+ kmem_cache_free(vm_area_cachep, new_m);
35355 -+ kmem_cache_free(vm_area_cachep, new);
35356 -+ return PTR_ERR(pol);
35357 -+ }
35358 -+
35359 -+ if (vma_m) {
35360 -+ pol_m = mpol_copy(vma_policy(vma_m));
35361 -+ if (IS_ERR(pol_m)) {
35362 -+ mpol_free(pol);
35363 -+ kmem_cache_free(vm_area_cachep, new_m);
35364 -+ kmem_cache_free(vm_area_cachep, new);
35365 -+ return PTR_ERR(pol);
35366 -+ }
35367 -+ }
35368 -+
35369 -+ vma_set_policy(new, pol);
35370 -+
35371 -+ if (new->vm_file)
35372 -+ get_file(new->vm_file);
35373 -+
35374 -+ if (new->vm_ops && new->vm_ops->open)
35375 -+ new->vm_ops->open(new);
35376 -+
35377 -+ if (new_below)
35378 -+ vma_adjust(vma, addr, vma->vm_end, vma->vm_pgoff +
35379 -+ ((addr - new->vm_start) >> PAGE_SHIFT), new);
35380 -+ else
35381 -+ vma_adjust(vma, vma->vm_start, addr, vma->vm_pgoff, new);
35382 -+
35383 -+ if (vma_m) {
35384 -+ vma_set_policy(new_m, pol_m);
35385 -+
35386 -+ if (new_m->vm_file)
35387 -+ get_file(new_m->vm_file);
35388 -+
35389 -+ if (new_m->vm_ops && new_m->vm_ops->open)
35390 -+ new_m->vm_ops->open(new_m);
35391 -+
35392 -+ if (new_below)
35393 -+ vma_adjust(vma_m, addr_m, vma_m->vm_end, vma_m->vm_pgoff +
35394 -+ ((addr_m - new_m->vm_start) >> PAGE_SHIFT), new_m);
35395 -+ else
35396 -+ vma_adjust(vma_m, vma_m->vm_start, addr_m, vma_m->vm_pgoff, new_m);
35397 -+ }
35398 -+
35399 -+ return 0;
35400 -+}
35401 -+#else
35402 - int split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
35403 - unsigned long addr, int new_below)
35404 - {
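Review bot: bug in the mirror policy error path: after `pol_m = mpol_copy(vma_policy(vma_m))` fails, the code frees pol and both new VMAs but then does `return PTR_ERR(pol);`. At that point pol is a valid (now freed) pointer, so the caller receives its numeric value rather than an errno; it must be `return PTR_ERR(pol_m);`. Style: duplicating the entire split_vma() under #ifdef CONFIG_PAX_SEGMEXEC leaves two complete copies to keep in sync; consider wrapping only the mirror-specific pieces (the extra map_count headroom, the new_m allocation and its fixup and the second vma_adjust) so the common path is shared.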
35405 -@@ -1829,17 +2227,37 @@ int split_vma(struct mm_struct * mm, str
35406 -
35407 - return 0;
35408 - }
35409 -+#endif
35410 -
35411 - /* Munmap is split into 2 main parts -- this part which finds
35412 - * what needs doing, and the areas themselves, which do the
35413 - * work. This now handles partial unmappings.
35414 - * Jeremy Fitzhardinge <jeremy@××××.org>
35415 - */
35416 -+#ifdef CONFIG_PAX_SEGMEXEC
35417 -+int do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
35418 -+{
35419 -+ int ret = __do_munmap(mm, start, len);
35420 -+ if (ret || !(mm->pax_flags & MF_PAX_SEGMEXEC))
35421 -+ return ret;
35422 -+
35423 -+ return __do_munmap(mm, start + SEGMEXEC_TASK_SIZE, len);
35424 -+}
35425 -+
35426 -+int __do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
35427 -+#else
35428 - int do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
35429 -+#endif
35430 - {
35431 - unsigned long end;
35432 - struct vm_area_struct *vma, *prev, *last;
35433 -
35434 -+ /*
35435 -+ * mm->mmap_sem is required to protect against another thread
35436 -+ * changing the mappings in case we sleep.
35437 -+ */
35438 -+ verify_mm_writelocked(mm);
35439 -+
35440 - if ((start & ~PAGE_MASK) || start > TASK_SIZE || len > TASK_SIZE-start)
35441 - return -EINVAL;
35442 -
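Review bot: the SEGMEXEC do_munmap() wrapper unmaps the lower range first and only then the mirror range; if the second __do_munmap() fails (for instance -ENOMEM from split_vma when the map count limit is reached) the caller gets an error after the lower mapping is already gone, leaving the mirror range mapped with its vm_mirror link cleared by detach_vmas_to_be_unmapped. Either validate both halves before unmapping either, or document why such a remnant is acceptable. Also, __do_munmap() is used in do_munmap() before its definition below; unless a header declares it this is an implicit declaration. Lastly, the only place that bounds `start + SEGMEXEC_TASK_SIZE` is the sys_munmap() check; in-kernel callers (mmap_region, do_brk) pass ranges already in the lower half, which should be stated in a comment on the wrapper.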
35443 -@@ -1889,6 +2307,8 @@ int do_munmap(struct mm_struct *mm, unsi
35444 - /* Fix up all other VM information */
35445 - remove_vma_list(mm, vma);
35446 -
35447 -+ track_exec_limit(mm, start, end, 0UL);
35448 -+
35449 - return 0;
35450 - }
35451 -
35452 -@@ -1901,22 +2321,18 @@ asmlinkage long sys_munmap(unsigned long
35453 -
35454 - profile_munmap(addr);
35455 -
35456 -+#ifdef CONFIG_PAX_SEGMEXEC
35457 -+ if ((mm->pax_flags & MF_PAX_SEGMEXEC) &&
35458 -+ (len > SEGMEXEC_TASK_SIZE || addr > SEGMEXEC_TASK_SIZE-len))
35459 -+ return -EINVAL;
35460 -+#endif
35461 -+
35462 - down_write(&mm->mmap_sem);
35463 - ret = do_munmap(mm, addr, len);
35464 - up_write(&mm->mmap_sem);
35465 - return ret;
35466 - }
35467 -
35468 --static inline void verify_mm_writelocked(struct mm_struct *mm)
35469 --{
35470 --#ifdef CONFIG_DEBUG_VM
35471 -- if (unlikely(down_read_trylock(&mm->mmap_sem))) {
35472 -- WARN_ON(1);
35473 -- up_read(&mm->mmap_sem);
35474 -- }
35475 --#endif
35476 --}
35477 --
35478 - /*
35479 - * this is really a simplified "do_mmap". it only handles
35480 - * anonymous maps. eventually we may be able to do some
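Review bot: removing the static verify_mm_writelocked() here is tied to its new earlier uses in mmap_region() and __do_munmap(); make sure the replacement definition (presumably in a header) keeps the CONFIG_DEBUG_VM guard, otherwise every munmap and mmap pays a down_read_trylock on mmap_sem. The new SEGMEXEC check `len > SEGMEXEC_TASK_SIZE || addr > SEGMEXEC_TASK_SIZE-len` is correctly written in the overflow-safe form, and doing it before down_write is fine since it only reads mm->pax_flags.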
35481 -@@ -1930,6 +2346,11 @@ unsigned long do_brk(unsigned long addr,
35482 - struct rb_node ** rb_link, * rb_parent;
35483 - pgoff_t pgoff = addr >> PAGE_SHIFT;
35484 - int error;
35485 -+ unsigned long charged;
35486 -+
35487 -+#ifdef CONFIG_PAX_SEGMEXEC
35488 -+ struct vm_area_struct *vma_m = NULL;
35489 -+#endif
35490 -
35491 - len = PAGE_ALIGN(len);
35492 - if (!len)
35493 -@@ -1947,19 +2368,34 @@ unsigned long do_brk(unsigned long addr,
35494 -
35495 - flags = VM_DATA_DEFAULT_FLAGS | VM_ACCOUNT | mm->def_flags;
35496 -
35497 -+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
35498 -+ if (mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
35499 -+ flags &= ~VM_EXEC;
35500 -+
35501 -+#ifdef CONFIG_PAX_MPROTECT
35502 -+ if (mm->pax_flags & MF_PAX_MPROTECT)
35503 -+ flags &= ~VM_MAYEXEC;
35504 -+#endif
35505 -+
35506 -+ }
35507 -+#endif
35508 -+
35509 - error = arch_mmap_check(addr, len, flags);
35510 - if (error)
35511 - return error;
35512 -
35513 -+ charged = len >> PAGE_SHIFT;
35514 -+
35515 - /*
35516 - * mlock MCL_FUTURE?
35517 - */
35518 - if (mm->def_flags & VM_LOCKED) {
35519 - unsigned long locked, lock_limit;
35520 -- locked = len >> PAGE_SHIFT;
35521 -+ locked = charged;
35522 - locked += mm->locked_vm;
35523 - lock_limit = current->signal->rlim[RLIMIT_MEMLOCK].rlim_cur;
35524 - lock_limit >>= PAGE_SHIFT;
35525 -+ gr_learn_resource(current, RLIMIT_MEMLOCK, locked << PAGE_SHIFT, 1);
35526 - if (locked > lock_limit && !capable(CAP_IPC_LOCK))
35527 - return -EAGAIN;
35528 - }
35529 -@@ -1973,22 +2409,22 @@ unsigned long do_brk(unsigned long addr,
35530 - /*
35531 - * Clear old maps. this also does some error checking for us
35532 - */
35533 -- munmap_back:
35534 - vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
35535 - if (vma && vma->vm_start < addr + len) {
35536 - if (do_munmap(mm, addr, len))
35537 - return -ENOMEM;
35538 -- goto munmap_back;
35539 -+ vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
35540 -+ BUG_ON(vma && vma->vm_start < addr + len);
35541 - }
35542 -
35543 - /* Check against address space limits *after* clearing old maps... */
35544 -- if (!may_expand_vm(mm, len >> PAGE_SHIFT))
35545 -+ if (!may_expand_vm(mm, charged))
35546 - return -ENOMEM;
35547 -
35548 - if (mm->map_count > sysctl_max_map_count)
35549 - return -ENOMEM;
35550 -
35551 -- if (security_vm_enough_memory(len >> PAGE_SHIFT))
35552 -+ if (security_vm_enough_memory(charged))
35553 - return -ENOMEM;
35554 -
35555 - /* Can we just expand an old private anonymous mapping? */
35556 -@@ -2001,10 +2437,21 @@ unsigned long do_brk(unsigned long addr,
35557 - */
35558 - vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
35559 - if (!vma) {
35560 -- vm_unacct_memory(len >> PAGE_SHIFT);
35561 -+ vm_unacct_memory(charged);
35562 - return -ENOMEM;
35563 - }
35564 -
35565 -+#ifdef CONFIG_PAX_SEGMEXEC
35566 -+ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (flags & VM_EXEC)) {
35567 -+ vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
35568 -+ if (!vma_m) {
35569 -+ kmem_cache_free(vm_area_cachep, vma);
35570 -+ vm_unacct_memory(charged);
35571 -+ return -ENOMEM;
35572 -+ }
35573 -+ }
35574 -+#endif
35575 -+
35576 - vma->vm_mm = mm;
35577 - vma->vm_start = addr;
35578 - vma->vm_end = addr + len;
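Review bot: this SEGMEXEC block looks like dead code: earlier in do_brk (the `flags &= ~VM_EXEC;` hunk above) VM_EXEC is cleared from flags whenever MF_PAX_PAGEEXEC or MF_PAX_SEGMEXEC is set, so `(mm->pax_flags & MF_PAX_SEGMEXEC) && (flags & VM_EXEC)` can never be true, vma_m is never allocated, and the pax_mirror_vma(vma_m, vma) call in the next hunk is unreachable. Either drop both or leave a comment that they are kept for a mode in which brk mappings may be executable. The error path as written is correct (frees vma and unaccounts `charged`).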
35579 -@@ -2012,12 +2459,19 @@ unsigned long do_brk(unsigned long addr,
35580 - vma->vm_flags = flags;
35581 - vma->vm_page_prot = vm_get_page_prot(flags);
35582 - vma_link(mm, vma, prev, rb_link, rb_parent);
35583 -+
35584 -+#ifdef CONFIG_PAX_SEGMEXEC
35585 -+ if (vma_m)
35586 -+ pax_mirror_vma(vma_m, vma);
35587 -+#endif
35588 -+
35589 - out:
35590 -- mm->total_vm += len >> PAGE_SHIFT;
35591 -+ mm->total_vm += charged;
35592 - if (flags & VM_LOCKED) {
35593 -- mm->locked_vm += len >> PAGE_SHIFT;
35594 -+ mm->locked_vm += charged;
35595 - make_pages_present(addr, addr + len);
35596 - }
35597 -+ track_exec_limit(mm, addr, addr + len, flags);
35598 - return addr;
35599 - }
35600 -
35601 -@@ -2048,8 +2502,10 @@ void exit_mmap(struct mm_struct *mm)
35602 - * Walk the list again, actually closing and freeing it,
35603 - * with preemption enabled, without holding any MM locks.
35604 - */
35605 -- while (vma)
35606 -+ while (vma) {
35607 -+ vma->vm_mirror = NULL;
35608 - vma = remove_vma(vma);
35609 -+ }
35610 -
35611 - BUG_ON(mm->nr_ptes > (FIRST_USER_ADDRESS+PMD_SIZE-1)>>PMD_SHIFT);
35612 - }
35613 -@@ -2063,6 +2519,10 @@ int insert_vm_struct(struct mm_struct *
35614 - struct vm_area_struct * __vma, * prev;
35615 - struct rb_node ** rb_link, * rb_parent;
35616 -
35617 -+#ifdef CONFIG_PAX_SEGMEXEC
35618 -+ struct vm_area_struct *vma_m = NULL;
35619 -+#endif
35620 -+
35621 - /*
35622 - * The vm_pgoff of a purely anonymous vma should be irrelevant
35623 - * until its first write fault, when page's anon_vma and index
35624 -@@ -2085,7 +2545,22 @@ int insert_vm_struct(struct mm_struct *
35625 - if ((vma->vm_flags & VM_ACCOUNT) &&
35626 - security_vm_enough_memory_mm(mm, vma_pages(vma)))
35627 - return -ENOMEM;
35628 -+
35629 -+#ifdef CONFIG_PAX_SEGMEXEC
35630 -+ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_flags & VM_EXEC)) {
35631 -+ vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
35632 -+ if (!vma_m)
35633 -+ return -ENOMEM;
35634 -+ }
35635 -+#endif
35636 -+
35637 - vma_link(mm, vma, prev, rb_link, rb_parent);
35638 -+
35639 -+#ifdef CONFIG_PAX_SEGMEXEC
35640 -+ if (vma_m)
35641 -+ pax_mirror_vma(vma_m, vma);
35642 -+#endif
35643 -+
35644 - return 0;
35645 - }
35646 -
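Review bot: the mirror allocated here is a zeroed vm_area_struct with no mempolicy, while pax_mirror_vma() asserts `BUG_ON(!vma_mpol_equal(vma, vma_m))` before copying. mmap_region copies the policy with mpol_copy() before mirroring, but this path does not, so an inserted VMA carrying a non-default NUMA policy would hit that BUG_ON. Either copy the policy as mmap_region does or document that insert_vm_struct() callers never carry one.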
35647 -@@ -2103,6 +2578,8 @@ struct vm_area_struct *copy_vma(struct v
35648 - struct rb_node **rb_link, *rb_parent;
35649 - struct mempolicy *pol;
35650 -
35651 -+ BUG_ON(vma->vm_mirror);
35652 -+
35653 - /*
35654 - * If anonymous vma has not yet been faulted, update new pgoff
35655 - * to match new location, to increase its chance of merging.
35656 -@@ -2143,6 +2620,34 @@ struct vm_area_struct *copy_vma(struct v
35657 - return new_vma;
35658 - }
35659 -
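Review bot: `BUG_ON(vma->vm_mirror)` in copy_vma() means that an mremap() of an executable mapping under SEGMEXEC panics the kernel unless mremap.c rejects such requests earlier; that rejection is not in this file, so reference where it is done, or return NULL here so the failure surfaces to userspace as -ENOMEM from mremap instead of a crash.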
35660 -+#ifdef CONFIG_PAX_SEGMEXEC
35661 -+void pax_mirror_vma(struct vm_area_struct *vma_m, struct vm_area_struct *vma)
35662 -+{
35663 -+ struct vm_area_struct *prev_m;
35664 -+ struct rb_node **rb_link_m, *rb_parent_m;
35665 -+ struct mempolicy *pol_m;
35666 -+
35667 -+ BUG_ON(!(vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) || !(vma->vm_flags & VM_EXEC));
35668 -+ BUG_ON(vma->vm_mirror || vma_m->vm_mirror);
35669 -+ BUG_ON(!vma_mpol_equal(vma, vma_m));
35670 -+ pol_m = vma_policy(vma_m);
35671 -+ *vma_m = *vma;
35672 -+ vma_set_policy(vma_m, pol_m);
35673 -+ vma_m->vm_start += SEGMEXEC_TASK_SIZE;
35674 -+ vma_m->vm_end += SEGMEXEC_TASK_SIZE;
35675 -+ vma_m->vm_flags &= ~(VM_WRITE | VM_MAYWRITE | VM_ACCOUNT | VM_LOCKED);
35676 -+ vma_m->vm_page_prot = vm_get_page_prot(vma_m->vm_flags);
35677 -+ if (vma_m->vm_file)
35678 -+ get_file(vma_m->vm_file);
35679 -+ if (vma_m->vm_ops && vma_m->vm_ops->open)
35680 -+ vma_m->vm_ops->open(vma_m);
35681 -+ find_vma_prepare(vma->vm_mm, vma_m->vm_start, &prev_m, &rb_link_m, &rb_parent_m);
35682 -+ vma_link(vma->vm_mm, vma_m, prev_m, rb_link_m, rb_parent_m);
35683 -+ vma_m->vm_mirror = vma;
35684 -+ vma->vm_mirror = vma_m;
35685 -+}
35686 -+#endif
35687 -+
35688 - /*
35689 - * Return true if the calling process may expand its vm space by the passed
35690 - * number of pages
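Review bot: `*vma_m = *vma;` copies every field, including vm_next, vm_rb and anon_vma_node, and then relies on vma_link() to overwrite the list and tree linkage; that works but is a hidden dependency and deserves a comment. Clearing VM_WRITE|VM_MAYWRITE|VM_ACCOUNT|VM_LOCKED on the mirror is what keeps it read-only and is also what makes remove_vma_list's skip of upper-half VMAs consistent with accounting (VM_ACCOUNT and VM_LOCKED never counted for the mirror); pax_find_mirror_vma() permits exactly these bits (plus VM_MAYNOTWRITE with MPROTECT) to differ, so a shared mask constant would keep the two places from drifting apart.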
35691 -@@ -2153,7 +2658,7 @@ int may_expand_vm(struct mm_struct *mm,
35692 - unsigned long lim;
35693 -
35694 - lim = current->signal->rlim[RLIMIT_AS].rlim_cur >> PAGE_SHIFT;
35695 --
35696 -+ gr_learn_resource(current, RLIMIT_AS, (cur + npages) << PAGE_SHIFT, 1);
35697 - if (cur + npages > lim)
35698 - return 0;
35699 - return 1;
35700 -@@ -2165,7 +2670,7 @@ static struct page *special_mapping_nopa
35701 - {
35702 - struct page **pages;
35703 -
35704 -- BUG_ON(address < vma->vm_start || address >= vma->vm_end);
35705 -+ BUG_ON(address < vma->vm_start || address >= vma->vm_end || (address & ~PAGE_MASK));
35706 -
35707 - address -= vma->vm_start;
35708 - for (pages = vma->vm_private_data; address > 0 && *pages; ++pages)
35709 -@@ -2215,6 +2720,15 @@ int install_special_mapping(struct mm_st
35710 - vma->vm_start = addr;
35711 - vma->vm_end = addr + len;
35712 -
35713 -+#ifdef CONFIG_PAX_MPROTECT
35714 -+ if (mm->pax_flags & MF_PAX_MPROTECT) {
35715 -+ if ((vm_flags & (VM_WRITE | VM_EXEC)) != VM_EXEC)
35716 -+ vm_flags &= ~(VM_EXEC | VM_MAYEXEC);
35717 -+ else
35718 -+ vm_flags &= ~(VM_WRITE | VM_MAYWRITE);
35719 -+ }
35720 -+#endif
35721 -+
35722 - vma->vm_flags = vm_flags | mm->def_flags | VM_DONTEXPAND;
35723 - vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
35724 -
35725 -diff -urNp linux-2.6.24.4/mm/mprotect.c linux-2.6.24.4/mm/mprotect.c
35726 ---- linux-2.6.24.4/mm/mprotect.c 2008-03-24 14:49:18.000000000 -0400
35727 -+++ linux-2.6.24.4/mm/mprotect.c 2008-03-26 17:56:56.000000000 -0400
35728 -@@ -21,10 +21,17 @@
35729 - #include <linux/syscalls.h>
35730 - #include <linux/swap.h>
35731 - #include <linux/swapops.h>
35732 -+#include <linux/grsecurity.h>
35733 -+
35734 -+#ifdef CONFIG_PAX_MPROTECT
35735 -+#include <linux/elf.h>
35736 -+#endif
35737 -+
35738 - #include <asm/uaccess.h>
35739 - #include <asm/pgtable.h>
35740 - #include <asm/cacheflush.h>
35741 - #include <asm/tlbflush.h>
35742 -+#include <asm/mmu_context.h>
35743 -
35744 - static void change_pte_range(struct mm_struct *mm, pmd_t *pmd,
35745 - unsigned long addr, unsigned long end, pgprot_t newprot,
35746 -@@ -127,6 +134,48 @@ static void change_protection(struct vm_
35747 - flush_tlb_range(vma, start, end);
35748 - }
35749 -
35750 -+#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
35751 -+/* called while holding the mmap semaphor for writing except stack expansion */
35752 -+void track_exec_limit(struct mm_struct *mm, unsigned long start, unsigned long end, unsigned long prot)
35753 -+{
35754 -+ unsigned long oldlimit, newlimit = 0UL;
35755 -+
35756 -+ if (!(mm->pax_flags & MF_PAX_PAGEEXEC) || nx_enabled)
35757 -+ return;
35758 -+
35759 -+ spin_lock(&mm->page_table_lock);
35760 -+ oldlimit = mm->context.user_cs_limit;
35761 -+ if ((prot & VM_EXEC) && oldlimit < end)
35762 -+ /* USER_CS limit moved up */
35763 -+ newlimit = end;
35764 -+ else if (!(prot & VM_EXEC) && start < oldlimit && oldlimit <= end)
35765 -+ /* USER_CS limit moved down */
35766 -+ newlimit = start;
35767 -+
35768 -+ if (newlimit) {
35769 -+ mm->context.user_cs_limit = newlimit;
35770 -+
35771 -+#ifdef CONFIG_SMP
35772 -+ wmb();
35773 -+ cpus_clear(mm->context.cpu_user_cs_mask);
35774 -+ cpu_set(smp_processor_id(), mm->context.cpu_user_cs_mask);
35775 -+#endif
35776 -+
35777 -+ set_user_cs(mm->context.user_cs_base, mm->context.user_cs_limit, smp_processor_id());
35778 -+ }
35779 -+ spin_unlock(&mm->page_table_lock);
35780 -+ if (newlimit == end) {
35781 -+ struct vm_area_struct *vma = find_vma(mm, oldlimit);
35782 -+
35783 -+ for (; vma && vma->vm_start < end; vma = vma->vm_next)
35784 -+ if (is_vm_hugetlb_page(vma))
35785 -+ hugetlb_change_protection(vma, vma->vm_start, vma->vm_end, vma->vm_page_prot);
35786 -+ else
35787 -+ change_protection(vma, vma->vm_start, vma->vm_end, vma->vm_page_prot, vma_wants_writenotify(vma));
35788 -+ }
35789 -+}
35790 -+#endif
35791 -+
35792 - int
35793 - mprotect_fixup(struct vm_area_struct *vma, struct vm_area_struct **pprev,
35794 - unsigned long start, unsigned long end, unsigned long newflags)
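Review bot: typo in the new comment, "semaphor" should be "semaphore". On the logic: the VMA walk under `if (newlimit == end)` runs after `spin_unlock(&mm->page_table_lock)` and re-applies `change_protection()` / `hugetlb_change_protection()` to every VMA from `find_vma(mm, oldlimit)` up to `end` when the limit moved up, but nothing is done for the downward move (`newlimit = start`); a one-line comment explaining why the downward case needs no PTE walk would save the next reader from re-deriving it. The SMP branch also relies on `cpus_clear()` plus `cpu_set(smp_processor_id(), ...)` being seen by other CPUs at their next switch; a comment referencing where they reload the limit would help.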
35795 -@@ -139,11 +188,41 @@ mprotect_fixup(struct vm_area_struct *vm
35796 - int error;
35797 - int dirty_accountable = 0;
35798 -
35799 -+#ifdef CONFIG_PAX_SEGMEXEC
35800 -+ struct vm_area_struct *vma_m = NULL;
35801 -+ unsigned long start_m, end_m;
35802 -+
35803 -+ start_m = start + SEGMEXEC_TASK_SIZE;
35804 -+ end_m = end + SEGMEXEC_TASK_SIZE;
35805 -+#endif
35806 -+
35807 - if (newflags == oldflags) {
35808 - *pprev = vma;
35809 - return 0;
35810 - }
35811 -
35812 -+#ifdef CONFIG_PAX_SEGMEXEC
35813 -+ if (pax_find_mirror_vma(vma) && !(newflags & VM_EXEC)) {
35814 -+ if (start != vma->vm_start) {
35815 -+ error = split_vma(mm, vma, start, 1);
35816 -+ if (error)
35817 -+ return -ENOMEM;
35818 -+ BUG_ON(!*pprev || (*pprev)->vm_next == vma);
35819 -+ *pprev = (*pprev)->vm_next;
35820 -+ }
35821 -+
35822 -+ if (end != vma->vm_end) {
35823 -+ error = split_vma(mm, vma, end, 0);
35824 -+ if (error)
35825 -+ return -ENOMEM;
35826 -+ }
35827 -+
35828 -+ error = __do_munmap(mm, start_m, end_m - start_m);
35829 -+ if (error)
35830 -+ return -ENOMEM;
35831 -+ }
35832 -+#endif
35833 -+
35834 - /*
35835 - * If we make a private mapping writable we increase our commit;
35836 - * but (without finer accounting) cannot reduce our commit if we
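Review bot: the three `if (error) return -ENOMEM;` sites after `split_vma()` and `__do_munmap()` discard the real error code; return `error` instead so a failure such as an invalid range from `__do_munmap()` is not reported to userspace as out-of-memory. Minor: `start_m` and `end_m` are computed before the `newflags == oldflags` early return although they are only used inside the `pax_find_mirror_vma(vma) && !(newflags & VM_EXEC)` branch.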
35837 -@@ -186,6 +265,25 @@ mprotect_fixup(struct vm_area_struct *vm
35838 - goto fail;
35839 - }
35840 -
35841 -+#ifdef CONFIG_PAX_SEGMEXEC
35842 -+ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && !(oldflags & VM_EXEC) && (newflags & VM_EXEC)) {
35843 -+ struct mempolicy *pol;
35844 -+
35845 -+ vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
35846 -+ if (!vma_m) {
35847 -+ error = -ENOMEM;
35848 -+ goto fail;
35849 -+ }
35850 -+ pol = mpol_copy(vma_policy(vma));
35851 -+ if (IS_ERR(pol)) {
35852 -+ kmem_cache_free(vm_area_cachep, vma_m);
35853 -+ error = -ENOMEM;
35854 -+ goto fail;
35855 -+ }
35856 -+ vma_set_policy(vma_m, pol);
35857 -+ }
35858 -+#endif
35859 -+
35860 - success:
35861 - /*
35862 - * vm_flags and vm_page_prot are protected by the mmap_sem
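Review bot: `mpol_copy()` failure is reported as a hard-coded `-ENOMEM` rather than `PTR_ERR(pol)`. Also, `vma_m` and its policy are allocated here but only consumed at `pax_mirror_vma(vma_m, vma)` under the `success:` label; today nothing sits between the two, but any failure path inserted later would leak both, so a short comment tying this allocation to the mirror call is worth adding.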
35863 -@@ -202,6 +300,12 @@ success:
35864 - hugetlb_change_protection(vma, start, end, vma->vm_page_prot);
35865 - else
35866 - change_protection(vma, start, end, vma->vm_page_prot, dirty_accountable);
35867 -+
35868 -+#ifdef CONFIG_PAX_SEGMEXEC
35869 -+ if (vma_m)
35870 -+ pax_mirror_vma(vma_m, vma);
35871 -+#endif
35872 -+
35873 - vm_stat_account(mm, oldflags, vma->vm_file, -nrpages);
35874 - vm_stat_account(mm, newflags, vma->vm_file, nrpages);
35875 - return 0;
35876 -@@ -211,6 +315,70 @@ fail:
35877 - return error;
35878 - }
35879 -
35880 -+#ifdef CONFIG_PAX_MPROTECT
35881 -+/* PaX: non-PIC ELF libraries need relocations on their executable segments
35882 -+ * therefore we'll grant them VM_MAYWRITE once during their life.
35883 -+ *
35884 -+ * The checks favour ld-linux.so behaviour which operates on a per ELF segment
35885 -+ * basis because we want to allow the common case and not the special ones.
35886 -+ */
35887 -+static inline void pax_handle_maywrite(struct vm_area_struct *vma, unsigned long start)
35888 -+{
35889 -+ struct elfhdr elf_h;
35890 -+ struct elf_phdr elf_p;
35891 -+ elf_addr_t dyn_offset = 0UL;
35892 -+ elf_dyn dyn;
35893 -+ unsigned long i, j = 65536UL / sizeof(struct elf_phdr);
35894 -+
35895 -+#ifndef CONFIG_PAX_NOELFRELOCS
35896 -+ if ((vma->vm_start != start) ||
35897 -+ !vma->vm_file ||
35898 -+ !(vma->vm_flags & VM_MAYEXEC) ||
35899 -+ (vma->vm_flags & VM_MAYNOTWRITE))
35900 -+#endif
35901 -+
35902 -+ return;
35903 -+
35904 -+ if (sizeof(elf_h) != kernel_read(vma->vm_file, 0UL, (char *)&elf_h, sizeof(elf_h)) ||
35905 -+ memcmp(elf_h.e_ident, ELFMAG, SELFMAG) ||
35906 -+
35907 -+#ifdef CONFIG_PAX_ETEXECRELOCS
35908 -+ (elf_h.e_type != ET_DYN && elf_h.e_type != ET_EXEC) ||
35909 -+#else
35910 -+ elf_h.e_type != ET_DYN ||
35911 -+#endif
35912 -+
35913 -+ !elf_check_arch(&elf_h) ||
35914 -+ elf_h.e_phentsize != sizeof(struct elf_phdr) ||
35915 -+ elf_h.e_phnum > j)
35916 -+ return;
35917 -+
35918 -+ for (i = 0UL; i < elf_h.e_phnum; i++) {
35919 -+ if (sizeof(elf_p) != kernel_read(vma->vm_file, elf_h.e_phoff + i*sizeof(elf_p), (char *)&elf_p, sizeof(elf_p)))
35920 -+ return;
35921 -+ if (elf_p.p_type == PT_DYNAMIC) {
35922 -+ dyn_offset = elf_p.p_offset;
35923 -+ j = i;
35924 -+ }
35925 -+ }
35926 -+ if (elf_h.e_phnum <= j)
35927 -+ return;
35928 -+
35929 -+ i = 0UL;
35930 -+ do {
35931 -+ if (sizeof(dyn) != kernel_read(vma->vm_file, dyn_offset + i*sizeof(dyn), (char *)&dyn, sizeof(dyn)))
35932 -+ return;
35933 -+ if (dyn.d_tag == DT_TEXTREL || (dyn.d_tag == DT_FLAGS && (dyn.d_un.d_val & DF_TEXTREL))) {
35934 -+ gr_log_textrel(vma);
35935 -+ vma->vm_flags |= VM_MAYWRITE | VM_MAYNOTWRITE;
35936 -+ return;
35937 -+ }
35938 -+ i++;
35939 -+ } while (dyn.d_tag != DT_NULL);
35940 -+ return;
35941 -+}
35942 -+#endif
35943 -+
35944 - asmlinkage long
35945 - sys_mprotect(unsigned long start, size_t len, unsigned long prot)
35946 - {
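Review bot: when CONFIG_PAX_NOELFRELOCS is set, the `#ifndef` removes the `if (...)` but leaves the bare `return;` in place, turning pax_handle_maywrite() into an unconditional return; that works but is hard to read, so wrap the whole body in the conditional or provide a stub instead. Two more readability points: `j` is first the phdr-count bound (`65536UL / sizeof(struct elf_phdr)`) and then reused as the index of the PT_DYNAMIC entry, so `if (elf_h.e_phnum <= j) return;` means "no PT_DYNAMIC found" and deserves a comment; and the `do { ... } while (dyn.d_tag != DT_NULL)` walk over the dynamic section is bounded only by a short read from `kernel_read()`, where bounding it by the PT_DYNAMIC entry's `p_filesz` would make the limit explicit.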
35947 -@@ -230,6 +398,17 @@ sys_mprotect(unsigned long start, size_t
35948 - end = start + len;
35949 - if (end <= start)
35950 - return -ENOMEM;
35951 -+
35952 -+#ifdef CONFIG_PAX_SEGMEXEC
35953 -+ if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
35954 -+ if (end > SEGMEXEC_TASK_SIZE)
35955 -+ return -EINVAL;
35956 -+ } else
35957 -+#endif
35958 -+
35959 -+ if (end > TASK_SIZE)
35960 -+ return -EINVAL;
35961 -+
35962 - if (prot & ~(PROT_READ | PROT_WRITE | PROT_EXEC | PROT_SEM))
35963 - return -EINVAL;
35964 -
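Review bot: the `} else` immediately followed by `#endif` and a separate `if (end > TASK_SIZE)` relies on a dangling else across a preprocessor boundary, which is easy to break when someone edits either side. The `do_mremap()` hunk later in this patch handles the same case with a local `task_size` variable that is set to `SEGMEXEC_TASK_SIZE` under the same `#ifdef`; doing the same here would make the two paths consistent and remove the dangling else.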
35965 -@@ -237,7 +416,7 @@ sys_mprotect(unsigned long start, size_t
35966 - /*
35967 - * Does the application expect PROT_READ to imply PROT_EXEC:
35968 - */
35969 -- if ((prot & PROT_READ) && (current->personality & READ_IMPLIES_EXEC))
35970 -+ if ((prot & (PROT_READ | PROT_WRITE)) && (current->personality & READ_IMPLIES_EXEC))
35971 - prot |= PROT_EXEC;
35972 -
35973 - vm_flags = calc_vm_prot_bits(prot);
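Review bot: the condition now adds PROT_EXEC for write-only requests under READ_IMPLIES_EXEC as well, but the comment two lines above still says "Does the application expect PROT_READ to imply PROT_EXEC"; update it to say read-or-write, and the commit message should state why write-only regions are expected to become executable under this personality.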
35974 -@@ -269,6 +448,16 @@ sys_mprotect(unsigned long start, size_t
35975 - if (start > vma->vm_start)
35976 - prev = vma;
35977 -
35978 -+ if (!gr_acl_handle_mprotect(vma->vm_file, prot)) {
35979 -+ error = -EACCES;
35980 -+ goto out;
35981 -+ }
35982 -+
35983 -+#ifdef CONFIG_PAX_MPROTECT
35984 -+ if ((vma->vm_mm->pax_flags & MF_PAX_MPROTECT) && (prot & PROT_WRITE))
35985 -+ pax_handle_maywrite(vma, start);
35986 -+#endif
35987 -+
35988 - for (nstart = start ; ; ) {
35989 - unsigned long newflags;
35990 -
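Review bot: `gr_acl_handle_mprotect(vma->vm_file, prot)` and `pax_handle_maywrite(vma, start)` run once, against the VMA found for `start`, before the `for (nstart = start ; ; )` loop that walks the rest of the range. If the loop advances to further VMAs (the advance step is outside this hunk), those VMAs are never passed to the ACL check, whereas `security_file_mprotect(vma, reqprot, prot)` later in the loop is evaluated per VMA; consider placing the ACL check next to that hook so every VMA in the range is covered.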
35991 -@@ -282,6 +471,12 @@ sys_mprotect(unsigned long start, size_t
35992 - goto out;
35993 - }
35994 -
35995 -+#ifdef CONFIG_PAX_MPROTECT
35996 -+ /* PaX: disallow write access after relocs are done, hopefully noone else needs it... */
35997 -+ if ((vma->vm_mm->pax_flags & MF_PAX_MPROTECT) && !(prot & PROT_WRITE) && (vma->vm_flags & VM_MAYNOTWRITE))
35998 -+ newflags &= ~VM_MAYWRITE;
35999 -+#endif
36000 -+
36001 - error = security_file_mprotect(vma, reqprot, prot);
36002 - if (error)
36003 - goto out;
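Review bot: comment typo, "noone" should be "no one". The `newflags &= ~VM_MAYWRITE` adjustment is computed before `security_file_mprotect(vma, reqprot, prot)`, which is fine because the LSM hook sees `prot` rather than `newflags`, but a comment noting that the hook is not affected would preempt the question.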
36004 -@@ -292,6 +487,9 @@ sys_mprotect(unsigned long start, size_t
36005 - error = mprotect_fixup(vma, &prev, nstart, tmp, newflags);
36006 - if (error)
36007 - goto out;
36008 -+
36009 -+ track_exec_limit(current->mm, nstart, tmp, vm_flags);
36010 -+
36011 - nstart = tmp;
36012 -
36013 - if (nstart < prev->vm_end)
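Review bot: `track_exec_limit(current->mm, nstart, tmp, vm_flags)` is called unconditionally here (and again in the `do_mremap()` hunks), while the only definition in this file is inside `#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT`. A no-op stub for the other configurations must exist in a header that is not part of this hunk, otherwise non-x86 builds fail to link; the header hunk should be checked for it and the commit message should mention it.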
36014 -diff -urNp linux-2.6.24.4/mm/mremap.c linux-2.6.24.4/mm/mremap.c
36015 ---- linux-2.6.24.4/mm/mremap.c 2008-03-24 14:49:18.000000000 -0400
36016 -+++ linux-2.6.24.4/mm/mremap.c 2008-03-26 17:56:56.000000000 -0400
36017 -@@ -106,6 +106,12 @@ static void move_ptes(struct vm_area_str
36018 - continue;
36019 - pte = ptep_clear_flush(vma, old_addr, old_pte);
36020 - pte = move_pte(pte, new_vma->vm_page_prot, old_addr, new_addr);
36021 -+
36022 -+#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
36023 -+ if (!nx_enabled && (new_vma->vm_flags & (VM_PAGEEXEC | VM_EXEC)) == VM_PAGEEXEC)
36024 -+ pte = pte_exprotect(pte);
36025 -+#endif
36026 -+
36027 - set_pte_at(mm, new_addr, new_pte, pte);
36028 - }
36029 -
36030 -@@ -254,6 +260,7 @@ unsigned long do_mremap(unsigned long ad
36031 - struct vm_area_struct *vma;
36032 - unsigned long ret = -EINVAL;
36033 - unsigned long charged = 0;
36034 -+ unsigned long task_size = TASK_SIZE;
36035 -
36036 - if (flags & ~(MREMAP_FIXED | MREMAP_MAYMOVE))
36037 - goto out;
36038 -@@ -272,6 +279,15 @@ unsigned long do_mremap(unsigned long ad
36039 - if (!new_len)
36040 - goto out;
36041 -
36042 -+#ifdef CONFIG_PAX_SEGMEXEC
36043 -+ if (current->mm->pax_flags & MF_PAX_SEGMEXEC)
36044 -+ task_size = SEGMEXEC_TASK_SIZE;
36045 -+#endif
36046 -+
36047 -+ if (new_len > task_size || addr > task_size-new_len ||
36048 -+ old_len > task_size || addr > task_size-old_len)
36049 -+ goto out;
36050 -+
36051 - /* new_addr is only valid if MREMAP_FIXED is specified */
36052 - if (flags & MREMAP_FIXED) {
36053 - if (new_addr & ~PAGE_MASK)
36054 -@@ -279,16 +295,13 @@ unsigned long do_mremap(unsigned long ad
36055 - if (!(flags & MREMAP_MAYMOVE))
36056 - goto out;
36057 -
36058 -- if (new_len > TASK_SIZE || new_addr > TASK_SIZE - new_len)
36059 -+ if (new_addr > task_size - new_len)
36060 - goto out;
36061 -
36062 - /* Check if the location we're moving into overlaps the
36063 - * old location at all, and fail if it does.
36064 - */
36065 -- if ((new_addr <= addr) && (new_addr+new_len) > addr)
36066 -- goto out;
36067 --
36068 -- if ((addr <= new_addr) && (addr+old_len) > new_addr)
36069 -+ if (addr + old_len > new_addr && new_addr + new_len > addr)
36070 - goto out;
36071 -
36072 - ret = security_file_mmap(NULL, 0, 0, 0, new_addr, 1);
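Review bot: the merged overlap test `addr + old_len > new_addr && new_addr + new_len > addr` is the standard half-open interval intersection and is equivalent to the two checks it replaces, and the dropped `new_len > TASK_SIZE` half of the first condition is now covered by the `new_len > task_size` check added earlier in this function, so no coverage is lost. Worth a line in the commit message so the simplification is not mistaken for a behaviour change.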
36073 -@@ -326,6 +339,14 @@ unsigned long do_mremap(unsigned long ad
36074 - ret = -EINVAL;
36075 - goto out;
36076 - }
36077 -+
36078 -+#ifdef CONFIG_PAX_SEGMEXEC
36079 -+ if (pax_find_mirror_vma(vma)) {
36080 -+ ret = -EINVAL;
36081 -+ goto out;
36082 -+ }
36083 -+#endif
36084 -+
36085 - /* We can't remap across vm area boundaries */
36086 - if (old_len > vma->vm_end - addr)
36087 - goto out;
36088 -@@ -359,7 +380,7 @@ unsigned long do_mremap(unsigned long ad
36089 - if (old_len == vma->vm_end - addr &&
36090 - !((flags & MREMAP_FIXED) && (addr != new_addr)) &&
36091 - (old_len != new_len || !(flags & MREMAP_MAYMOVE))) {
36092 -- unsigned long max_addr = TASK_SIZE;
36093 -+ unsigned long max_addr = task_size;
36094 - if (vma->vm_next)
36095 - max_addr = vma->vm_next->vm_start;
36096 - /* can we just expand the current mapping? */
36097 -@@ -377,6 +398,7 @@ unsigned long do_mremap(unsigned long ad
36098 - addr + new_len);
36099 - }
36100 - ret = addr;
36101 -+ track_exec_limit(vma->vm_mm, vma->vm_start, addr + new_len, vma->vm_flags);
36102 - goto out;
36103 - }
36104 - }
36105 -@@ -387,8 +409,8 @@ unsigned long do_mremap(unsigned long ad
36106 - */
36107 - ret = -ENOMEM;
36108 - if (flags & MREMAP_MAYMOVE) {
36109 -+ unsigned long map_flags = 0;
36110 - if (!(flags & MREMAP_FIXED)) {
36111 -- unsigned long map_flags = 0;
36112 - if (vma->vm_flags & VM_MAYSHARE)
36113 - map_flags |= MAP_SHARED;
36114 -
36115 -@@ -403,7 +425,12 @@ unsigned long do_mremap(unsigned long ad
36116 - if (ret)
36117 - goto out;
36118 - }
36119 -+ map_flags = vma->vm_flags;
36120 - ret = move_vma(vma, addr, old_len, new_len, new_addr);
36121 -+ if (!(ret & ~PAGE_MASK)) {
36122 -+ track_exec_limit(current->mm, addr, addr + old_len, 0UL);
36123 -+ track_exec_limit(current->mm, new_addr, new_addr + new_len, map_flags);
36124 -+ }
36125 - }
36126 - out:
36127 - if (ret & ~PAGE_MASK)
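Review bot: `map_flags` is hoisted out of the `!(flags & MREMAP_FIXED)` block so it can carry `vma->vm_flags` into `track_exec_limit()`, but it is first used for MAP_* bits (`map_flags |= MAP_SHARED`) and then overwritten with VM_* bits (`map_flags = vma->vm_flags`); two flag namespaces in one variable is confusing, so use a separate local such as `vm_flags`. Capturing the flags before `move_vma()` is the right order, since the old VMA may no longer be usable after the move, and the `!(ret & ~PAGE_MASK)` guard correctly limits the limit tracking to the success path.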
36128 -diff -urNp linux-2.6.24.4/mm/nommu.c linux-2.6.24.4/mm/nommu.c
36129 ---- linux-2.6.24.4/mm/nommu.c 2008-03-24 14:49:18.000000000 -0400
36130 -+++ linux-2.6.24.4/mm/nommu.c 2008-03-26 17:56:56.000000000 -0400
36131 -@@ -377,15 +377,6 @@ struct vm_area_struct *find_vma(struct m
36132 - }
36133 - EXPORT_SYMBOL(find_vma);
36134 -
36135 --/*
36136 -- * find a VMA
36137 -- * - we don't extend stack VMAs under NOMMU conditions
36138 -- */
36139 --struct vm_area_struct *find_extend_vma(struct mm_struct *mm, unsigned long addr)
36140 --{
36141 -- return find_vma(mm, addr);
36142 --}
36143 --
36144 - int expand_stack(struct vm_area_struct *vma, unsigned long address)
36145 - {
36146 - return -ENOMEM;
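Review bot: `find_extend_vma()` is removed from nommu.c without a replacement in this hunk; unless it is redefined elsewhere in the patch (for example as an inline in a header), NOMMU builds will fail to link wherever it is still called. The commit message should point at the new definition.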
36147 -diff -urNp linux-2.6.24.4/mm/page_alloc.c linux-2.6.24.4/mm/page_alloc.c
36148 ---- linux-2.6.24.4/mm/page_alloc.c 2008-03-24 14:49:18.000000000 -0400
36149 -+++ linux-2.6.24.4/mm/page_alloc.c 2008-03-26 17:56:56.000000000 -0400
36150 -@@ -505,9 +505,20 @@ static void free_pages_bulk(struct zone
36151 -
36152 - static void free_one_page(struct zone *zone, struct page *page, int order)
36153 - {
36154 -+
36155 -+#ifdef CONFIG_PAX_MEMORY_SANITIZE
36156 -+ unsigned long index = 1UL << order;
36157 -+#endif
36158 -+
36159 - spin_lock(&zone->lock);
36160 - zone_clear_flag(zone, ZONE_ALL_UNRECLAIMABLE);
36161 - zone->pages_scanned = 0;
36162 -+
36163 -+#ifdef CONFIG_PAX_MEMORY_SANITIZE
36164 -+ for (; index; --index)
36165 -+ sanitize_highpage(page + index - 1);
36166 -+#endif
36167 -+
36168 - __free_one_page(page, zone, order);
36169 - spin_unlock(&zone->lock);
36170 - }
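Review bot: the `sanitize_highpage()` loop over `1UL << order` pages runs inside `spin_lock(&zone->lock)`, so for high-order frees the zone lock is held while whole page blocks are cleared; the pages are not yet on the free list at that point, so the loop could run before the lock is taken to keep the critical section short. Style: the blank line right after the opening brace of free_one_page() is stray.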
36171 -@@ -631,8 +642,10 @@ static int prep_new_page(struct page *pa
36172 - arch_alloc_page(page, order);
36173 - kernel_map_pages(page, 1 << order, 1);
36174 -
36175 -+#ifndef CONFIG_PAX_MEMORY_SANITIZE
36176 - if (gfp_flags & __GFP_ZERO)
36177 - prep_zero_page(page, order, gfp_flags);
36178 -+#endif
36179 -
36180 - if (order && (gfp_flags & __GFP_COMP))
36181 - prep_compound_page(page, order);
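Review bot: skipping `prep_zero_page()` for `__GFP_ZERO` under CONFIG_PAX_MEMORY_SANITIZE assumes that every page handed out was cleared by `sanitize_highpage()` on its way into the allocator (the `free_one_page()` and `free_hot_cold_page()` hunks in this file). Any page that reaches a free list without passing through those paths would be returned non-zero to a `__GFP_ZERO` caller; either state that invariant in a comment next to the `#ifndef`, or keep the zeroing for pages that were not sanitized.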
36182 -@@ -1007,6 +1020,11 @@ static void fastcall free_hot_cold_page(
36183 - list_add(&page->lru, &pcp->list);
36184 - set_page_private(page, get_pageblock_migratetype(page));
36185 - pcp->count++;
36186 -+
36187 -+#ifdef CONFIG_PAX_MEMORY_SANITIZE
36188 -+ sanitize_highpage(page);
36189 -+#endif
36190 -+
36191 - if (pcp->count >= pcp->high) {
36192 - free_pages_bulk(zone, pcp->batch, &pcp->list, 0);
36193 - pcp->count -= pcp->batch;
36194 -diff -urNp linux-2.6.24.4/mm/rmap.c linux-2.6.24.4/mm/rmap.c
36195 ---- linux-2.6.24.4/mm/rmap.c 2008-03-24 14:49:18.000000000 -0400
36196 -+++ linux-2.6.24.4/mm/rmap.c 2008-03-26 17:56:56.000000000 -0400
36197 -@@ -64,6 +64,10 @@ int anon_vma_prepare(struct vm_area_stru
36198 - struct mm_struct *mm = vma->vm_mm;
36199 - struct anon_vma *allocated, *locked;
36200 -
36201 -+#ifdef CONFIG_PAX_SEGMEXEC
36202 -+ struct vm_area_struct *vma_m;
36203 -+#endif
36204 -+
36205 - anon_vma = find_mergeable_anon_vma(vma);
36206 - if (anon_vma) {
36207 - allocated = NULL;
36208 -@@ -80,6 +84,15 @@ int anon_vma_prepare(struct vm_area_stru
36209 - /* page_table_lock to protect against threads */
36210 - spin_lock(&mm->page_table_lock);
36211 - if (likely(!vma->anon_vma)) {
36212 -+
36213 -+#ifdef CONFIG_PAX_SEGMEXEC
36214 -+ vma_m = pax_find_mirror_vma(vma);
36215 -+ if (vma_m) {
36216 -+ vma_m->anon_vma = anon_vma;
36217 -+ __anon_vma_link(vma_m);
36218 -+ }
36219 -+#endif
36220 -+
36221 - vma->anon_vma = anon_vma;
36222 - list_add_tail(&vma->anon_vma_node, &anon_vma->head);
36223 - allocated = NULL;
36224 -diff -urNp linux-2.6.24.4/mm/shmem.c linux-2.6.24.4/mm/shmem.c
36225 ---- linux-2.6.24.4/mm/shmem.c 2008-03-24 14:49:18.000000000 -0400
36226 -+++ linux-2.6.24.4/mm/shmem.c 2008-03-26 17:56:56.000000000 -0400
36227 -@@ -2462,7 +2462,7 @@ static struct file_system_type tmpfs_fs_
36228 - .get_sb = shmem_get_sb,
36229 - .kill_sb = kill_litter_super,
36230 - };
36231 --static struct vfsmount *shm_mnt;
36232 -+struct vfsmount *shm_mnt;
36233 -
36234 - static int __init init_tmpfs(void)
36235 - {
36236 -diff -urNp linux-2.6.24.4/mm/slab.c linux-2.6.24.4/mm/slab.c
36237 ---- linux-2.6.24.4/mm/slab.c 2008-03-24 14:49:18.000000000 -0400
36238 -+++ linux-2.6.24.4/mm/slab.c 2008-03-26 17:56:56.000000000 -0400
36239 -@@ -305,7 +305,7 @@ struct kmem_list3 {
36240 - * Need this for bootstrapping a per node allocator.
36241 - */
36242 - #define NUM_INIT_LISTS (3 * MAX_NUMNODES)
36243 --struct kmem_list3 __initdata initkmem_list3[NUM_INIT_LISTS];
36244 -+struct kmem_list3 initkmem_list3[NUM_INIT_LISTS];
36245 - #define CACHE_CACHE 0
36246 - #define SIZE_AC MAX_NUMNODES
36247 - #define SIZE_L3 (2 * MAX_NUMNODES)
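Review bot: dropping `__initdata` from `initkmem_list3` keeps the bootstrap lists resident after init memory is freed, but neither the hunk nor the commit message says why; add a comment stating the reason (for instance, if something references the array after init) so the attribute is not reinstated by a later cleanup.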
36248 -@@ -654,14 +654,14 @@ struct cache_names {
36249 - static struct cache_names __initdata cache_names[] = {
36250 - #define CACHE(x) { .name = "size-" #x, .name_dma = "size-" #x "(DMA)" },
36251 - #include <linux/kmalloc_sizes.h>
36252 -- {NULL,}
36253 -+ {NULL, NULL}
36254 - #undef CACHE
36255 - };
36256 -
36257 - static struct arraycache_init initarray_cache __initdata =
36258 -- { {0, BOOT_CPUCACHE_ENTRIES, 1, 0} };
36259 -+ { {0, BOOT_CPUCACHE_ENTRIES, 1, 0}, {NULL} };
36260 - static struct arraycache_init initarray_generic =
36261 -- { {0, BOOT_CPUCACHE_ENTRIES, 1, 0} };
36262 -+ { {0, BOOT_CPUCACHE_ENTRIES, 1, 0}, {NULL} };
36263 -
36264 - /* internal cache of cache description objs */
36265 - static struct kmem_cache cache_cache = {
36266 -@@ -3004,7 +3004,7 @@ retry:
36267 - * there must be at least one object available for
36268 - * allocation.
36269 - */
36270 -- BUG_ON(slabp->inuse < 0 || slabp->inuse >= cachep->num);
36271 -+ BUG_ON(slabp->inuse >= cachep->num);
36272 -
36273 - while (slabp->inuse < cachep->num && batchcount--) {
36274 - STATS_INC_ALLOCED(cachep);
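Review bot: removing `slabp->inuse < 0` from the BUG_ON is a no-op only if `inuse` is an unsigned type, in which case the comparison was always false and merely produced a compiler warning; if it is signed, this drops a sanity check. State the type in the commit message so the intent is clear.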
36275 -diff -urNp linux-2.6.24.4/mm/slub.c linux-2.6.24.4/mm/slub.c
36276 ---- linux-2.6.24.4/mm/slub.c 2008-03-24 14:49:18.000000000 -0400
36277 -+++ linux-2.6.24.4/mm/slub.c 2008-03-26 17:56:56.000000000 -0400
36278 -@@ -1539,7 +1539,7 @@ debug:
36279 - *
36280 - * Otherwise we can simply pick the next object from the lockless free list.
36281 - */
36282 --static void __always_inline *slab_alloc(struct kmem_cache *s,
36283 -+static __always_inline void *slab_alloc(struct kmem_cache *s,
36284 - gfp_t gfpflags, int node, void *addr)
36285 - {
36286 - void **object;
36287 -@@ -1647,7 +1647,7 @@ debug:
36288 - * If fastpath is not possible then fall back to __slab_free where we deal
36289 - * with all sorts of special processing.
36290 - */
36291 --static void __always_inline slab_free(struct kmem_cache *s,
36292 -+static __always_inline void slab_free(struct kmem_cache *s,
36293 - struct page *page, void *x, void *addr)
36294 - {
36295 - void **object = (void *)x;
36296 -diff -urNp linux-2.6.24.4/mm/swap.c linux-2.6.24.4/mm/swap.c
36297 ---- linux-2.6.24.4/mm/swap.c 2008-03-24 14:49:18.000000000 -0400
36298 -+++ linux-2.6.24.4/mm/swap.c 2008-03-26 17:56:56.000000000 -0400
36299 -@@ -33,9 +33,9 @@
36300 - /* How many pages do we try to swap or page in/out together? */
36301 - int page_cluster;
36302 -
36303 --static DEFINE_PER_CPU(struct pagevec, lru_add_pvecs) = { 0, };
36304 --static DEFINE_PER_CPU(struct pagevec, lru_add_active_pvecs) = { 0, };
36305 --static DEFINE_PER_CPU(struct pagevec, lru_rotate_pvecs) = { 0, };
36306 -+static DEFINE_PER_CPU(struct pagevec, lru_add_pvecs) = { 0, 0, {NULL} };
36307 -+static DEFINE_PER_CPU(struct pagevec, lru_add_active_pvecs) = { 0, 0, {NULL} };
36308 -+static DEFINE_PER_CPU(struct pagevec, lru_rotate_pvecs) = { 0, 0, {NULL} };
36309 -
36310 - /*
36311 - * This path almost never happens for VM activity - pages are normally
36312 -diff -urNp linux-2.6.24.4/mm/tiny-shmem.c linux-2.6.24.4/mm/tiny-shmem.c
36313 ---- linux-2.6.24.4/mm/tiny-shmem.c 2008-03-24 14:49:18.000000000 -0400
36314 -+++ linux-2.6.24.4/mm/tiny-shmem.c 2008-03-26 17:56:56.000000000 -0400
36315 -@@ -26,7 +26,7 @@ static struct file_system_type tmpfs_fs_
36316 - .kill_sb = kill_litter_super,
36317 - };
36318 -
36319 --static struct vfsmount *shm_mnt;
36320 -+struct vfsmount *shm_mnt;
36321 -
36322 - static int __init init_tmpfs(void)
36323 - {
36324 -diff -urNp linux-2.6.24.4/mm/vmalloc.c linux-2.6.24.4/mm/vmalloc.c
36325 ---- linux-2.6.24.4/mm/vmalloc.c 2008-03-24 14:49:18.000000000 -0400
36326 -+++ linux-2.6.24.4/mm/vmalloc.c 2008-03-26 17:56:56.000000000 -0400
36327 -@@ -202,6 +202,8 @@ static struct vm_struct *__get_vm_area_n
36328 -
36329 - write_lock(&vmlist_lock);
36330 - for (p = &vmlist; (tmp = *p) != NULL ;p = &tmp->next) {
36331 -+ if (addr > end - size)
36332 -+ goto out;
36333 - if ((unsigned long)tmp->addr < addr) {
36334 - if((unsigned long)tmp->addr + tmp->size >= addr)
36335 - addr = ALIGN(tmp->size +
36336 -@@ -213,8 +215,6 @@ static struct vm_struct *__get_vm_area_n
36337 - if (size + addr <= (unsigned long)tmp->addr)
36338 - goto found;
36339 - addr = ALIGN(tmp->size + (unsigned long)tmp->addr, align);
36340 -- if (addr > end - size)
36341 -- goto out;
36342 - }
36343 -
36344 - found:
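Review bot: moving `if (addr > end - size) goto out;` to the top of the loop body now also covers the `continue` path, which previously updated `addr` without a range check, but it no longer runs after the `addr = ALIGN(...)` at the bottom of the body when `tmp` was the last list entry: the loop condition then fails and control falls through to `found:` with that final `addr` unchecked. Keep a range check after the loop (or before `found:`) as well.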
36345 -diff -urNp linux-2.6.24.4/net/bridge/br_stp_if.c linux-2.6.24.4/net/bridge/br_stp_if.c
36346 ---- linux-2.6.24.4/net/bridge/br_stp_if.c 2008-03-24 14:49:18.000000000 -0400
36347 -+++ linux-2.6.24.4/net/bridge/br_stp_if.c 2008-03-26 17:56:56.000000000 -0400
36348 -@@ -148,7 +148,7 @@ static void br_stp_stop(struct net_bridg
36349 - char *envp[] = { NULL };
36350 -
36351 - if (br->stp_enabled == BR_USER_STP) {
36352 -- r = call_usermodehelper(BR_STP_PROG, argv, envp, 1);
36353 -+ r = call_usermodehelper(BR_STP_PROG, argv, envp, UMH_WAIT_PROC);
36354 - printk(KERN_INFO "%s: userspace STP stopped, return code %d\n",
36355 - br->dev->name, r);
36356 -
36357 -diff -urNp linux-2.6.24.4/net/core/flow.c linux-2.6.24.4/net/core/flow.c
36358 ---- linux-2.6.24.4/net/core/flow.c 2008-03-24 14:49:18.000000000 -0400
36359 -+++ linux-2.6.24.4/net/core/flow.c 2008-03-26 17:56:56.000000000 -0400
36360 -@@ -40,7 +40,7 @@ atomic_t flow_cache_genid = ATOMIC_INIT(
36361 -
36362 - static u32 flow_hash_shift;
36363 - #define flow_hash_size (1 << flow_hash_shift)
36364 --static DEFINE_PER_CPU(struct flow_cache_entry **, flow_tables) = { NULL };
36365 -+static DEFINE_PER_CPU(struct flow_cache_entry **, flow_tables);
36366 -
36367 - #define flow_table(cpu) (per_cpu(flow_tables, cpu))
36368 -
36369 -@@ -53,7 +53,7 @@ struct flow_percpu_info {
36370 - u32 hash_rnd;
36371 - int count;
36372 - } ____cacheline_aligned;
36373 --static DEFINE_PER_CPU(struct flow_percpu_info, flow_hash_info) = { 0 };
36374 -+static DEFINE_PER_CPU(struct flow_percpu_info, flow_hash_info);
36375 -
36376 - #define flow_hash_rnd_recalc(cpu) \
36377 - (per_cpu(flow_hash_info, cpu).hash_rnd_recalc)
36378 -@@ -70,7 +70,7 @@ struct flow_flush_info {
36379 - atomic_t cpuleft;
36380 - struct completion completion;
36381 - };
36382 --static DEFINE_PER_CPU(struct tasklet_struct, flow_flush_tasklets) = { NULL };
36383 -+static DEFINE_PER_CPU(struct tasklet_struct, flow_flush_tasklets);
36384 -
36385 - #define flow_flush_tasklet(cpu) (&per_cpu(flow_flush_tasklets, cpu))
36386 -
36387 -diff -urNp linux-2.6.24.4/net/dccp/ccids/ccid3.c linux-2.6.24.4/net/dccp/ccids/ccid3.c
36388 ---- linux-2.6.24.4/net/dccp/ccids/ccid3.c 2008-03-24 14:49:18.000000000 -0400
36389 -+++ linux-2.6.24.4/net/dccp/ccids/ccid3.c 2008-03-26 17:56:56.000000000 -0400
36390 -@@ -46,7 +46,7 @@
36391 - static int ccid3_debug;
36392 - #define ccid3_pr_debug(format, a...) DCCP_PR_DEBUG(ccid3_debug, format, ##a)
36393 - #else
36394 --#define ccid3_pr_debug(format, a...)
36395 -+#define ccid3_pr_debug(format, a...) do {} while (0)
36396 - #endif
36397 -
36398 - static struct dccp_tx_hist *ccid3_tx_hist;
36399 -diff -urNp linux-2.6.24.4/net/dccp/dccp.h linux-2.6.24.4/net/dccp/dccp.h
36400 ---- linux-2.6.24.4/net/dccp/dccp.h 2008-03-24 14:49:18.000000000 -0400
36401 -+++ linux-2.6.24.4/net/dccp/dccp.h 2008-03-26 17:56:56.000000000 -0400
36402 -@@ -43,8 +43,8 @@ extern int dccp_debug;
36403 - #define dccp_pr_debug(format, a...) DCCP_PR_DEBUG(dccp_debug, format, ##a)
36404 - #define dccp_pr_debug_cat(format, a...) DCCP_PRINTK(dccp_debug, format, ##a)
36405 - #else
36406 --#define dccp_pr_debug(format, a...)
36407 --#define dccp_pr_debug_cat(format, a...)
36408 -+#define dccp_pr_debug(format, a...) do {} while (0)
36409 -+#define dccp_pr_debug_cat(format, a...) do {} while (0)
36410 - #endif
36411 -
36412 - extern struct inet_hashinfo dccp_hashinfo;
36413 -diff -urNp linux-2.6.24.4/net/ipv4/inet_connection_sock.c linux-2.6.24.4/net/ipv4/inet_connection_sock.c
36414 ---- linux-2.6.24.4/net/ipv4/inet_connection_sock.c 2008-03-24 14:49:18.000000000 -0400
36415 -+++ linux-2.6.24.4/net/ipv4/inet_connection_sock.c 2008-03-26 17:56:56.000000000 -0400
36416 -@@ -15,6 +15,7 @@
36417 -
36418 - #include <linux/module.h>
36419 - #include <linux/jhash.h>
36420 -+#include <linux/grsecurity.h>
36421 -
36422 - #include <net/inet_connection_sock.h>
36423 - #include <net/inet_hashtables.h>
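Review bot: `#include <linux/grsecurity.h>` is added here (and in the tcp_ipv4.c hunk below) but nothing in this hunk uses it; if the file's other hunks do not call a gr_ function, the include should be dropped rather than left as dead dependency.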
36424 -diff -urNp linux-2.6.24.4/net/ipv4/inet_hashtables.c linux-2.6.24.4/net/ipv4/inet_hashtables.c
36425 ---- linux-2.6.24.4/net/ipv4/inet_hashtables.c 2008-03-24 14:49:18.000000000 -0400
36426 -+++ linux-2.6.24.4/net/ipv4/inet_hashtables.c 2008-03-26 17:56:56.000000000 -0400
36427 -@@ -18,11 +18,14 @@
36428 - #include <linux/sched.h>
36429 - #include <linux/slab.h>
36430 - #include <linux/wait.h>
36431 -+#include <linux/grsecurity.h>
36432 -
36433 - #include <net/inet_connection_sock.h>
36434 - #include <net/inet_hashtables.h>
36435 - #include <net/ip.h>
36436 -
36437 -+extern void gr_update_task_in_ip_table(struct task_struct *task, const struct inet_sock *inet);
36438 -+
36439 - /*
36440 - * Allocate and initialize a new local port bind bucket.
36441 - * The bindhash mutex for snum's hash chain must be held here.
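Review bot: the `extern void gr_update_task_in_ip_table(struct task_struct *task, const struct inet_sock *inet);` prototype is hand-written in the .c file directly after `#include <linux/grsecurity.h>`; the prototype belongs in that header so the call site and the definition are checked against a single declaration.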
36442 -@@ -338,6 +341,8 @@ ok:
36443 - }
36444 - spin_unlock(&head->lock);
36445 -
36446 -+ gr_update_task_in_ip_table(current, inet_sk(sk));
36447 -+
36448 - if (tw) {
36449 - inet_twsk_deschedule(tw, death_row);
36450 - inet_twsk_put(tw);
36451 -diff -urNp linux-2.6.24.4/net/ipv4/netfilter/ipt_stealth.c linux-2.6.24.4/net/ipv4/netfilter/ipt_stealth.c
36452 ---- linux-2.6.24.4/net/ipv4/netfilter/ipt_stealth.c 1969-12-31 19:00:00.000000000 -0500
36453 -+++ linux-2.6.24.4/net/ipv4/netfilter/ipt_stealth.c 2008-03-26 17:56:56.000000000 -0400
36454 -@@ -0,0 +1,114 @@
36455 -+/* Kernel module to add stealth support.
36456 -+ *
36457 -+ * Copyright (C) 2002-2006 Brad Spengler <spender@××××××××××.net>
36458 -+ *
36459 -+ */
36460 -+
36461 -+#include <linux/kernel.h>
36462 -+#include <linux/module.h>
36463 -+#include <linux/skbuff.h>
36464 -+#include <linux/net.h>
36465 -+#include <linux/sched.h>
36466 -+#include <linux/inet.h>
36467 -+#include <linux/stddef.h>
36468 -+
36469 -+#include <net/ip.h>
36470 -+#include <net/sock.h>
36471 -+#include <net/tcp.h>
36472 -+#include <net/udp.h>
36473 -+#include <net/route.h>
36474 -+#include <net/inet_common.h>
36475 -+
36476 -+#include <linux/netfilter_ipv4/ip_tables.h>
36477 -+
36478 -+MODULE_LICENSE("GPL");
36479 -+
36480 -+extern struct sock *udp_v4_lookup(u32 saddr, u16 sport, u32 daddr, u16 dport, int dif);
36481 -+
36482 -+static int
36483 -+match(const struct sk_buff *skb,
36484 -+ const struct net_device *in,
36485 -+ const struct net_device *out,
36486 -+ const struct xt_match *match,
36487 -+ const void *matchinfo,
36488 -+ int offset,
36489 -+ unsigned int protoff,
36490 -+ int *hotdrop)
36491 -+{
36492 -+ struct iphdr *ip = ip_hdr(skb);
36493 -+ struct tcphdr th;
36494 -+ struct udphdr uh;
36495 -+ struct sock *sk = NULL;
36496 -+
36497 -+ if (!ip || offset) return 0;
36498 -+
36499 -+ switch(ip->protocol) {
36500 -+ case IPPROTO_TCP:
36501 -+ if (skb_copy_bits(skb, (ip_hdr(skb))->ihl*4, &th, sizeof(th)) < 0) {
36502 -+ *hotdrop = 1;
36503 -+ return 0;
36504 -+ }
36505 -+ if (!(th.syn && !th.ack)) return 0;
36506 -+ sk = inet_lookup_listener(&tcp_hashinfo, ip->daddr, th.dest, inet_iif(skb));
36507 -+ break;
36508 -+ case IPPROTO_UDP:
36509 -+ if (skb_copy_bits(skb, (ip_hdr(skb))->ihl*4, &uh, sizeof(uh)) < 0) {
36510 -+ *hotdrop = 1;
36511 -+ return 0;
36512 -+ }
36513 -+ sk = udp_v4_lookup(ip->saddr, uh.source, ip->daddr, uh.dest, skb->dev->ifindex);
36514 -+ break;
36515 -+ default:
36516 -+ return 0;
36517 -+ }
36518 -+
36519 -+ if(!sk) // port is being listened on, match this
36520 -+ return 1;
36521 -+ else {
36522 -+ sock_put(sk);
36523 -+ return 0;
36524 -+ }
36525 -+}
36526 -+
36527 -+/* Called when user tries to insert an entry of this type. */
36528 -+static int
36529 -+checkentry(const char *tablename,
36530 -+ const void *nip,
36531 -+ const struct xt_match *match,
36532 -+ void *matchinfo,
36533 -+ unsigned int hook_mask)
36534 -+{
36535 -+ const struct ipt_ip *ip = (const struct ipt_ip *)nip;
36536 -+
36537 -+ if(((ip->proto == IPPROTO_TCP && !(ip->invflags & IPT_INV_PROTO)) ||
36538 -+ ((ip->proto == IPPROTO_UDP) && !(ip->invflags & IPT_INV_PROTO)))
36539 -+ && (hook_mask & (1 << NF_IP_LOCAL_IN)))
36540 -+ return 1;
36541 -+
36542 -+ printk("stealth: Only works on TCP and UDP for the INPUT chain.\n");
36543 -+
36544 -+ return 0;
36545 -+}
36546 -+
36547 -+
36548 -+static struct xt_match stealth_match = {
36549 -+ .name = "stealth",
36550 -+ .family = AF_INET,
36551 -+ .match = match,
36552 -+ .checkentry = checkentry,
36553 -+ .destroy = NULL,
36554 -+ .me = THIS_MODULE
36555 -+};
36556 -+
36557 -+static int __init init(void)
36558 -+{
36559 -+ return xt_register_match(&stealth_match);
36560 -+}
36561 -+
36562 -+static void __exit fini(void)
36563 -+{
36564 -+ xt_unregister_match(&stealth_match);
36565 -+}
36566 -+
36567 -+module_init(init);
36568 -+module_exit(fini);
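Review bot: the comment at `if(!sk) // port is being listened on, match this` states the opposite of what the code does: `sk == NULL` means no listening socket was found, and that is the case for which `match()` returns 1. Further: `udp_v4_lookup()` is declared through a local `extern` with plain `u32`/`u16` parameters instead of the `__be32`/`__be16` prototype from a header, which defeats endianness checking; the UDP path passes `skb->dev->ifindex` while the TCP path uses `inet_iif(skb)`; the `printk()` in `checkentry()` has no KERN_ level; and `.destroy = NULL` is redundant.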
36569 -diff -urNp linux-2.6.24.4/net/ipv4/netfilter/Kconfig linux-2.6.24.4/net/ipv4/netfilter/Kconfig
36570 ---- linux-2.6.24.4/net/ipv4/netfilter/Kconfig 2008-03-24 14:49:18.000000000 -0400
36571 -+++ linux-2.6.24.4/net/ipv4/netfilter/Kconfig 2008-03-26 17:56:56.000000000 -0400
36572 -@@ -130,6 +130,21 @@ config IP_NF_MATCH_ADDRTYPE
36573 - If you want to compile it as a module, say M here and read
36574 - <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
36575 -
36576 -+config IP_NF_MATCH_STEALTH
36577 -+ tristate "stealth match support"
36578 -+ depends on IP_NF_IPTABLES
36579 -+ help
36580 -+ Enabling this option will drop all syn packets coming to unserved tcp
36581 -+ ports as well as all packets coming to unserved udp ports. If you
36582 -+ are using your system to route any type of packets (ie. via NAT)
36583 -+ you should put this module at the end of your ruleset, since it will
36584 -+ drop packets that aren't going to ports that are listening on your
36585 -+ machine itself, it doesn't take into account that the packet might be
36586 -+ destined for someone on your internal network if you're using NAT for
36587 -+ instance.
36588 -+
36589 -+ To compile it as a module, choose M here. If unsure, say N.
36590 -+
36591 - # `filter', generic and specific targets
36592 - config IP_NF_FILTER
36593 - tristate "Packet filtering"
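Review bot: the help text says enabling the option "will drop all syn packets", but ipt_stealth is a match (it returns 1 from `match()` when no listening socket exists) and drops nothing on its own; the effect depends on the target of the rule it is used in. Reword it to say the match selects such packets, and "ie." should read "i.e.".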
36594 -@@ -403,4 +418,3 @@ config IP_NF_ARP_MANGLE
36595 - hardware and network addresses.
36596 -
36597 - endmenu
36598 --
36599 -diff -urNp linux-2.6.24.4/net/ipv4/netfilter/Makefile linux-2.6.24.4/net/ipv4/netfilter/Makefile
36600 ---- linux-2.6.24.4/net/ipv4/netfilter/Makefile 2008-03-24 14:49:18.000000000 -0400
36601 -+++ linux-2.6.24.4/net/ipv4/netfilter/Makefile 2008-03-26 17:56:56.000000000 -0400
36602 -@@ -47,6 +47,7 @@ obj-$(CONFIG_IP_NF_MATCH_ECN) += ipt_ecn
36603 - obj-$(CONFIG_IP_NF_MATCH_IPRANGE) += ipt_iprange.o
36604 - obj-$(CONFIG_IP_NF_MATCH_OWNER) += ipt_owner.o
36605 - obj-$(CONFIG_IP_NF_MATCH_RECENT) += ipt_recent.o
36606 -+obj-$(CONFIG_IP_NF_MATCH_STEALTH) += ipt_stealth.o
36607 - obj-$(CONFIG_IP_NF_MATCH_TOS) += ipt_tos.o
36608 - obj-$(CONFIG_IP_NF_MATCH_TTL) += ipt_ttl.o
36609 -
36610 -diff -urNp linux-2.6.24.4/net/ipv4/tcp.c linux-2.6.24.4/net/ipv4/tcp.c
36611 ---- linux-2.6.24.4/net/ipv4/tcp.c 2008-03-24 14:49:18.000000000 -0400
36612 -+++ linux-2.6.24.4/net/ipv4/tcp.c 2008-03-26 17:56:56.000000000 -0400
36613 -@@ -1054,7 +1054,8 @@ int tcp_read_sock(struct sock *sk, read_
36614 - return -ENOTCONN;
36615 - while ((skb = tcp_recv_skb(sk, seq, &offset)) != NULL) {
36616 - if (offset < skb->len) {
36617 -- size_t used, len;
36618 -+ int used;
36619 -+ size_t len;
36620 -
36621 - len = skb->len - offset;
36622 - /* Stop reading if we hit a patch of urgent data */
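Review bot: splitting `size_t used, len;` into `int used; size_t len;` is only meaningful if `used` receives a possibly negative return value and is tested for `< 0` further down, which the hunk context does not show; add a comment at the declaration (or name the callback whose return value it stores) so the signedness change is not reverted later as cosmetic.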
36623 -diff -urNp linux-2.6.24.4/net/ipv4/tcp_ipv4.c linux-2.6.24.4/net/ipv4/tcp_ipv4.c
36624 ---- linux-2.6.24.4/net/ipv4/tcp_ipv4.c 2008-03-24 14:49:18.000000000 -0400
36625 -+++ linux-2.6.24.4/net/ipv4/tcp_ipv4.c 2008-03-26 17:56:56.000000000 -0400
36626 -@@ -61,6 +61,7 @@
36627 - #include <linux/jhash.h>
36628 - #include <linux/init.h>
36629 - #include <linux/times.h>
36630 -+#include <linux/grsecurity.h>
36631 -
36632 - #include <net/net_namespace.h>
36633 - #include <net/icmp.h>
36634 -diff -urNp linux-2.6.24.4/net/ipv4/udp.c linux-2.6.24.4/net/ipv4/udp.c
36635 ---- linux-2.6.24.4/net/ipv4/udp.c 2008-03-24 14:49:18.000000000 -0400
36636 -+++ linux-2.6.24.4/net/ipv4/udp.c 2008-03-26 17:56:56.000000000 -0400
36637 -@@ -98,6 +98,7 @@
36638 - #include <linux/skbuff.h>
36639 - #include <linux/proc_fs.h>
36640 - #include <linux/seq_file.h>
36641 -+#include <linux/grsecurity.h>
36642 - #include <net/net_namespace.h>
36643 - #include <net/icmp.h>
36644 - #include <net/route.h>
36645 -@@ -105,6 +106,11 @@
36646 - #include <net/xfrm.h>
36647 - #include "udp_impl.h"
36648 -
36649 -+extern int gr_search_udp_recvmsg(const struct sock *sk,
36650 -+ const struct sk_buff *skb);
36651 -+extern int gr_search_udp_sendmsg(const struct sock *sk,
36652 -+ const struct sockaddr_in *addr);
36653 -+
36654 - /*
36655 - * Snmp MIB for the UDP layer
36656 - */
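Review bot: the `extern int gr_search_udp_recvmsg(...)` and `gr_search_udp_sendmsg(...)` prototypes are declared inside udp.c even though the previous hunk adds `#include <linux/grsecurity.h>` to this very file; move the prototypes into that header so the definition and every caller share one declaration the compiler can check.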
36657 -@@ -295,6 +301,13 @@ static struct sock *__udp4_lib_lookup(__
36658 - return result;
36659 - }
36660 -
36661 -+struct sock *udp_v4_lookup(__be32 saddr, __be16 sport,
36662 -+ __be32 daddr, __be16 dport, int dif)
36663 -+{
36664 -+ return __udp4_lib_lookup(saddr, sport, daddr, dport, dif, udp_hash);
36665 -+}
36666 -+
36667 -+
36668 - static inline struct sock *udp_v4_mcast_next(struct sock *sk,
36669 - __be16 loc_port, __be32 loc_addr,
36670 - __be16 rmt_port, __be32 rmt_addr,
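Review bot: `udp_v4_lookup()` is added as a non-static function with no declaration in a header and no EXPORT_SYMBOL, so whichever code calls it (presumably the gr_search_udp_* implementation) will need its own extern; declare it alongside the gr_search_udp_* prototypes. Also drop one of the two blank lines after the closing brace.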
36671 -@@ -580,9 +593,16 @@ int udp_sendmsg(struct kiocb *iocb, stru
36672 - dport = usin->sin_port;
36673 - if (dport == 0)
36674 - return -EINVAL;
36675 -+
36676 -+ if (!gr_search_udp_sendmsg(sk, usin))
36677 -+ return -EPERM;
36678 - } else {
36679 - if (sk->sk_state != TCP_ESTABLISHED)
36680 - return -EDESTADDRREQ;
36681 -+
36682 -+ if (!gr_search_udp_sendmsg(sk, NULL))
36683 -+ return -EPERM;
36684 -+
36685 - daddr = inet->daddr;
36686 - dport = inet->dport;
36687 - /* Open fast path for connected socket.
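Review bot: both `gr_search_udp_sendmsg()` failures return `-EPERM`, whereas the socket-level checks added to net/socket.c in this same patch return `-EACCES` for socket, bind and connect; pick one errno for "denied by policy" (or document why send paths differ) so userspace sees consistent results. The second call passes `NULL` for the address on a connected socket; a one-line comment that the callee then consults the socket's stored `daddr`/`dport` would help the next reader.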
36688 -@@ -842,6 +862,11 @@ try_again:
36689 - if (!skb)
36690 - goto out;
36691 -
36692 -+ if (!gr_search_udp_recvmsg(sk, skb)) {
36693 -+ err = -EPERM;
36694 -+ goto out_free;
36695 -+ }
36696 -+
36697 - ulen = skb->len - sizeof(struct udphdr);
36698 - copied = len;
36699 - if (copied > ulen)
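Review bot: on a denied datagram the new check jumps to `out_free`, so the skb just dequeued is freed and the datagram is lost rather than left queued for a permitted reader; if that is intended, say so in a comment next to the check, and if not, the check belongs before the dequeue.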
36700 -diff -urNp linux-2.6.24.4/net/ipv6/exthdrs.c linux-2.6.24.4/net/ipv6/exthdrs.c
36701 ---- linux-2.6.24.4/net/ipv6/exthdrs.c 2008-03-24 14:49:18.000000000 -0400
36702 -+++ linux-2.6.24.4/net/ipv6/exthdrs.c 2008-03-26 17:56:56.000000000 -0400
36703 -@@ -621,7 +621,7 @@ static struct tlvtype_proc tlvprochopopt
36704 - .type = IPV6_TLV_JUMBO,
36705 - .func = ipv6_hop_jumbo,
36706 - },
36707 -- { -1, }
36708 -+ { -1, NULL }
36709 - };
36710 -
36711 - int ipv6_parse_hopopts(struct sk_buff *skb)
36712 -diff -urNp linux-2.6.24.4/net/ipv6/raw.c linux-2.6.24.4/net/ipv6/raw.c
36713 ---- linux-2.6.24.4/net/ipv6/raw.c 2008-03-24 14:49:18.000000000 -0400
36714 -+++ linux-2.6.24.4/net/ipv6/raw.c 2008-03-26 17:56:56.000000000 -0400
36715 -@@ -578,7 +578,7 @@ out:
36716 - return err;
36717 - }
36718 -
36719 --static int rawv6_send_hdrinc(struct sock *sk, void *from, int length,
36720 -+static int rawv6_send_hdrinc(struct sock *sk, void *from, unsigned int length,
36721 - struct flowi *fl, struct rt6_info *rt,
36722 - unsigned int flags)
36723 - {
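Review bot: changing `length` from `int` to `unsigned int` in `rawv6_send_hdrinc()` inverts the meaning of any `length < 0` test inside the function body and requires matching types at the call site; the hunk shows neither. Include the caller's change (or confirm it already passes an unsigned value) and check the body for signed comparisons so a negative-length rejection does not silently become a very large length.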
36724 -diff -urNp linux-2.6.24.4/net/irda/ircomm/ircomm_tty.c linux-2.6.24.4/net/irda/ircomm/ircomm_tty.c
36725 ---- linux-2.6.24.4/net/irda/ircomm/ircomm_tty.c 2008-03-24 14:49:18.000000000 -0400
36726 -+++ linux-2.6.24.4/net/irda/ircomm/ircomm_tty.c 2008-03-26 17:56:56.000000000 -0400
36727 -@@ -371,7 +371,7 @@ static int ircomm_tty_open(struct tty_st
36728 - IRDA_DEBUG(2, "%s()\n", __FUNCTION__ );
36729 -
36730 - line = tty->index;
36731 -- if ((line < 0) || (line >= IRCOMM_TTY_PORTS)) {
36732 -+ if (line >= IRCOMM_TTY_PORTS) {
36733 - return -ENODEV;
36734 - }
36735 -
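Review bot: removing `(line < 0)` is only safe if `line` is unsigned, and the hunk does not show its declaration; if `line` is still a signed int, a negative index now passes the bounds check and indexes before the start of the port table. Either include the `unsigned int line;` declaration change in the hunk or keep the lower-bound test.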
36736 -diff -urNp linux-2.6.24.4/net/mac80211/regdomain.c linux-2.6.24.4/net/mac80211/regdomain.c
36737 ---- linux-2.6.24.4/net/mac80211/regdomain.c 2008-03-24 14:49:18.000000000 -0400
36738 -+++ linux-2.6.24.4/net/mac80211/regdomain.c 2008-03-26 17:56:56.000000000 -0400
36739 -@@ -61,14 +61,14 @@ static const struct ieee80211_channel_ra
36740 - { 5180, 5240, 17, 6 } /* IEEE 802.11a, channels 36..48 */,
36741 - { 5260, 5320, 23, 6 } /* IEEE 802.11a, channels 52..64 */,
36742 - { 5745, 5825, 30, 6 } /* IEEE 802.11a, channels 149..165, outdoor */,
36743 -- { 0 }
36744 -+ { 0, 0, 0, 0 }
36745 - };
36746 -
36747 - static const struct ieee80211_channel_range ieee80211_mkk_channels[] = {
36748 - { 2412, 2472, 20, 6 } /* IEEE 802.11b/g, channels 1..13 */,
36749 - { 5170, 5240, 20, 6 } /* IEEE 802.11a, channels 34..48 */,
36750 - { 5260, 5320, 20, 6 } /* IEEE 802.11a, channels 52..64 */,
36751 -- { 0 }
36752 -+ { 0, 0, 0, 0 }
36753 - };
36754 -
36755 -
36756 -diff -urNp linux-2.6.24.4/net/sctp/socket.c linux-2.6.24.4/net/sctp/socket.c
36757 ---- linux-2.6.24.4/net/sctp/socket.c 2008-03-24 14:49:18.000000000 -0400
36758 -+++ linux-2.6.24.4/net/sctp/socket.c 2008-03-26 17:56:56.000000000 -0400
36759 -@@ -1390,7 +1390,7 @@ SCTP_STATIC int sctp_sendmsg(struct kioc
36760 - struct sctp_sndrcvinfo *sinfo;
36761 - struct sctp_initmsg *sinit;
36762 - sctp_assoc_t associd = 0;
36763 -- sctp_cmsgs_t cmsgs = { NULL };
36764 -+ sctp_cmsgs_t cmsgs = { NULL, NULL };
36765 - int err;
36766 - sctp_scope_t scope;
36767 - long timeo;
36768 -diff -urNp linux-2.6.24.4/net/socket.c linux-2.6.24.4/net/socket.c
36769 ---- linux-2.6.24.4/net/socket.c 2008-03-24 14:49:18.000000000 -0400
36770 -+++ linux-2.6.24.4/net/socket.c 2008-03-26 17:56:56.000000000 -0400
36771 -@@ -85,6 +85,7 @@
36772 - #include <linux/audit.h>
36773 - #include <linux/wireless.h>
36774 - #include <linux/nsproxy.h>
36775 -+#include <linux/in.h>
36776 -
36777 - #include <asm/uaccess.h>
36778 - #include <asm/unistd.h>
36779 -@@ -94,6 +95,21 @@
36780 - #include <net/sock.h>
36781 - #include <linux/netfilter.h>
36782 -
36783 -+extern void gr_attach_curr_ip(const struct sock *sk);
36784 -+extern int gr_handle_sock_all(const int family, const int type,
36785 -+ const int protocol);
36786 -+extern int gr_handle_sock_server(const struct sockaddr *sck);
36787 -+extern int gr_handle_sock_server_other(const struct socket *sck);
36788 -+extern int gr_handle_sock_client(const struct sockaddr *sck);
36789 -+extern int gr_search_connect(const struct socket * sock,
36790 -+ const struct sockaddr_in * addr);
36791 -+extern int gr_search_bind(const struct socket * sock,
36792 -+ const struct sockaddr_in * addr);
36793 -+extern int gr_search_listen(const struct socket * sock);
36794 -+extern int gr_search_accept(const struct socket * sock);
36795 -+extern int gr_search_socket(const int domain, const int type,
36796 -+ const int protocol);
36797 -+
36798 - static int sock_no_open(struct inode *irrelevant, struct file *dontcare);
36799 - static ssize_t sock_aio_read(struct kiocb *iocb, const struct iovec *iov,
36800 - unsigned long nr_segs, loff_t pos);
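Review bot: these eleven `extern` prototypes belong in a grsecurity header rather than in net/socket.c (the udp.c hunk earlier in this patch has the same pattern); the mixed `const struct socket * sock` and `const struct socket *sock` spacing should also be normalised to kernel style with no space after `*`.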
36801 -@@ -293,7 +309,7 @@ static int sockfs_get_sb(struct file_sys
36802 - mnt);
36803 - }
36804 -
36805 --static struct vfsmount *sock_mnt __read_mostly;
36806 -+struct vfsmount *sock_mnt __read_mostly;
36807 -
36808 - static struct file_system_type sock_fs_type = {
36809 - .name = "sockfs",
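Review bot: dropping `static` from `sock_mnt` exposes a previously private VFS mount to the whole kernel, yet the hunk adds no header declaration or EXPORT_SYMBOL and no user of it appears in this patch; add the declaration or a comment naming the consumer, otherwise a reader cannot tell this from a leftover.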
36810 -@@ -1204,6 +1220,16 @@ asmlinkage long sys_socket(int family, i
36811 - int retval;
36812 - struct socket *sock;
36813 -
36814 -+ if(!gr_search_socket(family, type, protocol)) {
36815 -+ retval = -EACCES;
36816 -+ goto out;
36817 -+ }
36818 -+
36819 -+ if (gr_handle_sock_all(family, type, protocol)) {
36820 -+ retval = -EACCES;
36821 -+ goto out;
36822 -+ }
36823 -+
36824 - retval = sock_create(family, type, protocol, &sock);
36825 - if (retval < 0)
36826 - goto out;
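Review bot: `if(!gr_search_socket(...))` is missing the space after `if`, and the two adjacent checks do the same thing on failure, so fold them into one condition: `if (!gr_search_socket(family, type, protocol) || gr_handle_sock_all(family, type, protocol)) { retval = -EACCES; goto out; }`, matching the combined style the bind, listen and accept hunks below already use.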
36827 -@@ -1334,6 +1360,12 @@ asmlinkage long sys_bind(int fd, struct
36828 - if (sock) {
36829 - err = move_addr_to_kernel(umyaddr, addrlen, address);
36830 - if (err >= 0) {
36831 -+ if (!gr_search_bind(sock, (struct sockaddr_in *)address) ||
36832 -+ gr_handle_sock_server((struct sockaddr *)address)) {
36833 -+ err = -EACCES;
36834 -+ goto error;
36835 -+ }
36836 -+
36837 - err = security_socket_bind(sock,
36838 - (struct sockaddr *)address,
36839 - addrlen);
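Review bot: `gr_search_bind(sock, (struct sockaddr_in *)address)` casts the user-supplied address to `sockaddr_in` for every address family, not only AF_INET; the callee must check the socket family before touching `sin_port`/`sin_addr`, and a comment here should say that it does. Placing the policy check before `security_socket_bind()` also means a denied bind is never seen by the LSM hook and its audit trail; if that ordering is intentional, note it.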
36840 -@@ -1342,6 +1374,7 @@ asmlinkage long sys_bind(int fd, struct
36841 - (struct sockaddr *)
36842 - address, addrlen);
36843 - }
36844 -+error:
36845 - fput_light(sock->file, fput_needed);
36846 - }
36847 - return err;
36848 -@@ -1365,10 +1398,17 @@ asmlinkage long sys_listen(int fd, int b
36849 - if ((unsigned)backlog > sysctl_somaxconn)
36850 - backlog = sysctl_somaxconn;
36851 -
36852 -+ if (gr_handle_sock_server_other(sock) ||
36853 -+ !gr_search_listen(sock)) {
36854 -+ err = -EPERM;
36855 -+ goto error;
36856 -+ }
36857 -+
36858 - err = security_socket_listen(sock, backlog);
36859 - if (!err)
36860 - err = sock->ops->listen(sock, backlog);
36861 -
36862 -+error:
36863 - fput_light(sock->file, fput_needed);
36864 - }
36865 - return err;
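Review bot: listen (and accept below) return `-EPERM` on denial while socket, bind and connect in this same file return `-EACCES`; unless the distinction is deliberate, use one errno throughout so callers can recognise a policy denial uniformly.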
36866 -@@ -1405,6 +1445,13 @@ asmlinkage long sys_accept(int fd, struc
36867 - newsock->type = sock->type;
36868 - newsock->ops = sock->ops;
36869 -
36870 -+ if (gr_handle_sock_server_other(sock) ||
36871 -+ !gr_search_accept(sock)) {
36872 -+ err = -EPERM;
36873 -+ sock_release(newsock);
36874 -+ goto out_put;
36875 -+ }
36876 -+
36877 - /*
36878 - * We don't need try_module_get here, as the listening socket (sock)
36879 - * has the protocol module (sock->ops->owner) held.
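Review bot: the `gr_handle_sock_server_other()`/`gr_search_accept()` check runs after `newsock` has already been allocated, so a denied accept allocates a socket only to `sock_release()` it immediately; moving the check above the allocation (right after the listening socket is looked up) avoids the churn and one error path.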
36880 -@@ -1448,6 +1495,7 @@ asmlinkage long sys_accept(int fd, struc
36881 - err = newfd;
36882 -
36883 - security_socket_post_accept(sock, newsock);
36884 -+ gr_attach_curr_ip(newsock->sk);
36885 -
36886 - out_put:
36887 - fput_light(sock->file, fput_needed);
36888 -@@ -1481,6 +1529,7 @@ asmlinkage long sys_connect(int fd, stru
36889 - {
36890 - struct socket *sock;
36891 - char address[MAX_SOCK_ADDR];
36892 -+ struct sockaddr *sck;
36893 - int err, fput_needed;
36894 -
36895 - sock = sockfd_lookup_light(fd, &err, &fput_needed);
36896 -@@ -1490,6 +1539,13 @@ asmlinkage long sys_connect(int fd, stru
36897 - if (err < 0)
36898 - goto out_put;
36899 -
36900 -+ sck = (struct sockaddr *)address;
36901 -+ if (!gr_search_connect(sock, (struct sockaddr_in *)sck) ||
36902 -+ gr_handle_sock_client(sck)) {
36903 -+ err = -EACCES;
36904 -+ goto out_put;
36905 -+ }
36906 -+
36907 - err =
36908 - security_socket_connect(sock, (struct sockaddr *)address, addrlen);
36909 - if (err)
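Review bot: the new local `sck` is just `(struct sockaddr *)address`, yet the very next statement still casts `address` again for `security_socket_connect()`; either use `sck` there too or drop the variable and cast inline as the bind hunk does. The same address-family caveat as for bind applies to the `(struct sockaddr_in *)sck` cast passed to `gr_search_connect()`.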
36910 -@@ -1767,6 +1823,7 @@ asmlinkage long sys_shutdown(int fd, int
36911 - err = sock->ops->shutdown(sock, how);
36912 - fput_light(sock->file, fput_needed);
36913 - }
36914 -+
36915 - return err;
36916 - }
36917 -
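Review bot: this hunk only inserts a blank line before `return err;` in sys_shutdown; a whitespace-only hunk adds rebase noise to a patch that is carried across kernel releases, so drop it.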
36918 -diff -urNp linux-2.6.24.4/net/unix/af_unix.c linux-2.6.24.4/net/unix/af_unix.c
36919 ---- linux-2.6.24.4/net/unix/af_unix.c 2008-03-24 14:49:18.000000000 -0400
36920 -+++ linux-2.6.24.4/net/unix/af_unix.c 2008-03-26 17:56:56.000000000 -0400
36921 -@@ -116,6 +116,7 @@
36922 - #include <linux/mount.h>
36923 - #include <net/checksum.h>
36924 - #include <linux/security.h>
36925 -+#include <linux/grsecurity.h>
36926 -
36927 - int sysctl_unix_max_dgram_qlen __read_mostly = 10;
36928 -
36929 -@@ -738,6 +739,11 @@ static struct sock *unix_find_other(stru
36930 - if (err)
36931 - goto put_fail;
36932 -
36933 -+ if (!gr_acl_handle_unix(nd.dentry, nd.mnt)) {
36934 -+ err = -EACCES;
36935 -+ goto put_fail;
36936 -+ }
36937 -+
36938 - err = -ECONNREFUSED;
36939 - if (!S_ISSOCK(nd.dentry->d_inode->i_mode))
36940 - goto put_fail;
36941 -@@ -761,6 +767,13 @@ static struct sock *unix_find_other(stru
36942 - if (u) {
36943 - struct dentry *dentry;
36944 - dentry = unix_sk(u)->dentry;
36945 -+
36946 -+ if (!gr_handle_chroot_unix(u->sk_peercred.pid)) {
36947 -+ err = -EPERM;
36948 -+ sock_put(u);
36949 -+ goto fail;
36950 -+ }
36951 -+
36952 - if (dentry)
36953 - touch_atime(unix_sk(u)->mnt, dentry);
36954 - } else
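Review bot: `gr_handle_chroot_unix(u->sk_peercred.pid)` keys the chroot check on a pid saved at bind time (the unix_bind hunk further down stores it only under CONFIG_GRKERNSEC_CHROOT_UNIX); pids are recycled, so once the binding process exits an unrelated process that inherits the number is what gets checked, and with the option off the field holds whatever it was initialised to. Document that gr_handle_chroot_unix() tolerates a stale or zero pid, or key the check on the owning task or sock rather than on a raw pid.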
36955 -@@ -839,9 +852,18 @@ static int unix_bind(struct socket *sock
36956 - */
36957 - mode = S_IFSOCK |
36958 - (SOCK_INODE(sock)->i_mode & ~current->fs->umask);
36959 -+
36960 -+ if (!gr_acl_handle_mknod(dentry, nd.dentry, nd.mnt, mode)) {
36961 -+ err = -EACCES;
36962 -+ goto out_mknod_dput;
36963 -+ }
36964 -+
36965 - err = vfs_mknod(nd.dentry->d_inode, dentry, mode, 0);
36966 - if (err)
36967 - goto out_mknod_dput;
36968 -+
36969 -+ gr_handle_create(dentry, nd.mnt);
36970 -+
36971 - mutex_unlock(&nd.dentry->d_inode->i_mutex);
36972 - dput(nd.dentry);
36973 - nd.dentry = dentry;
36974 -@@ -859,6 +881,10 @@ static int unix_bind(struct socket *sock
36975 - goto out_unlock;
36976 - }
36977 -
36978 -+#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
36979 -+ sk->sk_peercred.pid = current->pid;
36980 -+#endif
36981 -+
36982 - list = &unix_socket_table[addr->hash];
36983 - } else {
36984 - list = &unix_socket_table[dentry->d_inode->i_ino & (UNIX_HASH_SIZE-1)];
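Review bot: `sk->sk_peercred.pid = current->pid` records the thread id, not the thread-group id, so a socket bound from a worker thread carries a pid that vanishes when that thread exits even though the process lives on; if the intent is "the process that bound the socket", use `current->tgid`. `sk_peercred` is also what SO_PEERCRED reports, so filling in only `.pid` and not `.uid`/`.gid` leaves the struct half-populated.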
36985 -diff -urNp linux-2.6.24.4/scripts/pnmtologo.c linux-2.6.24.4/scripts/pnmtologo.c
36986 ---- linux-2.6.24.4/scripts/pnmtologo.c 2008-03-24 14:49:18.000000000 -0400
36987 -+++ linux-2.6.24.4/scripts/pnmtologo.c 2008-03-26 17:56:56.000000000 -0400
36988 -@@ -237,14 +237,14 @@ static void write_header(void)
36989 - fprintf(out, " * Linux logo %s\n", logoname);
36990 - fputs(" */\n\n", out);
36991 - fputs("#include <linux/linux_logo.h>\n\n", out);
36992 -- fprintf(out, "static unsigned char %s_data[] __initdata = {\n",
36993 -+ fprintf(out, "static unsigned char %s_data[] = {\n",
36994 - logoname);
36995 - }
36996 -
36997 - static void write_footer(void)
36998 - {
36999 - fputs("\n};\n\n", out);
37000 -- fprintf(out, "struct linux_logo %s __initdata = {\n", logoname);
37001 -+ fprintf(out, "struct linux_logo %s = {\n", logoname);
37002 - fprintf(out, " .type\t= %s,\n", logo_types[logo_type]);
37003 - fprintf(out, " .width\t= %d,\n", logo_width);
37004 - fprintf(out, " .height\t= %d,\n", logo_height);
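Review bot: dropping `__initdata` from the generated logo data and from the `struct linux_logo` keeps the boot logo resident for the life of the kernel instead of being freed with init memory, and the hunk gives no reason; add a comment in the generator explaining why the attribute was removed, otherwise the change reads as a memory regression.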
37005 -@@ -374,7 +374,7 @@ static void write_logo_clut224(void)
37006 - fputs("\n};\n\n", out);
37007 -
37008 - /* write logo clut */
37009 -- fprintf(out, "static unsigned char %s_clut[] __initdata = {\n",
37010 -+ fprintf(out, "static unsigned char %s_clut[] = {\n",
37011 - logoname);
37012 - write_hex_cnt = 0;
37013 - for (i = 0; i < logo_clutsize; i++) {
37014 -diff -urNp linux-2.6.24.4/security/commoncap.c linux-2.6.24.4/security/commoncap.c
37015 ---- linux-2.6.24.4/security/commoncap.c 2008-03-24 14:49:18.000000000 -0400
37016 -+++ linux-2.6.24.4/security/commoncap.c 2008-03-26 17:56:56.000000000 -0400
37017 -@@ -24,6 +24,7 @@
37018 - #include <linux/hugetlb.h>
37019 - #include <linux/mount.h>
37020 - #include <linux/sched.h>
37021 -+#include <linux/grsecurity.h>
37022 -
37023 - #ifdef CONFIG_SECURITY_FILE_CAPABILITIES
37024 - /*
37025 -@@ -44,9 +45,11 @@ EXPORT_SYMBOL(cap_bset);
37026 - unsigned securebits = SECUREBITS_DEFAULT; /* systemwide security settings */
37027 - EXPORT_SYMBOL(securebits);
37028 -
37029 -+extern __u32 gr_cap_rtnetlink(struct sock *sk);
37030 -+
37031 - int cap_netlink_send(struct sock *sk, struct sk_buff *skb)
37032 - {
37033 -- NETLINK_CB(skb).eff_cap = current->cap_effective;
37034 -+ NETLINK_CB(skb).eff_cap = gr_cap_rtnetlink(sk);
37035 - return 0;
37036 - }
37037 -
37038 -@@ -68,7 +71,15 @@ EXPORT_SYMBOL(cap_netlink_recv);
37039 - int cap_capable (struct task_struct *tsk, int cap)
37040 - {
37041 - /* Derived from include/linux/sched.h:capable. */
37042 -- if (cap_raised(tsk->cap_effective, cap))
37043 -+ if (cap_raised (tsk->cap_effective, cap))
37044 -+ return 0;
37045 -+ return -EPERM;
37046 -+}
37047 -+
37048 -+int cap_capable_nolog (struct task_struct *tsk, int cap)
37049 -+{
37050 -+ /* tsk = current for all callers */
37051 -+ if (cap_raised(tsk->cap_effective, cap) && gr_is_capable_nolog(cap))
37052 - return 0;
37053 - return -EPERM;
37054 - }
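Review bot: the change to the existing `cap_capable()` line is whitespace only (`cap_raised (tsk->cap_effective, cap)` adds a space that also departs from kernel style), so revert it and keep the hunk to the new function. `cap_capable_nolog()` takes a `tsk` argument while its comment says `tsk = current for all callers`; either drop the parameter or drop the comment, and the function needs a prototype in a header (plus EXPORT_SYMBOL if any module calls it), neither of which is in the hunk.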
37055 -@@ -343,8 +354,11 @@ void cap_bprm_apply_creds (struct linux_
37056 - }
37057 - }
37058 -
37059 -- current->suid = current->euid = current->fsuid = bprm->e_uid;
37060 -- current->sgid = current->egid = current->fsgid = bprm->e_gid;
37061 -+ if (!gr_check_user_change(-1, bprm->e_uid, bprm->e_uid))
37062 -+ current->suid = current->euid = current->fsuid = bprm->e_uid;
37063 -+
37064 -+ if (!gr_check_group_change(-1, bprm->e_gid, bprm->e_gid))
37065 -+ current->sgid = current->egid = current->fsgid = bprm->e_gid;
37066 -
37067 - /* For init, we want to retain the capabilities set
37068 - * in the init_task struct. Thus we skip the usual
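Review bot: when `gr_check_user_change()` or `gr_check_group_change()` rejects the transition, the uid/gid assignment is silently skipped and the exec continues under the caller's ids while the capability handling in the following lines, computed for the set-id target, still runs; the hunk should state whether gr_check_user_change() handles the failure itself, and otherwise the exec should fail with an error rather than proceed half-applied. The `-1` first argument is a magic "unchanged" value; a named constant would make the four calls readable.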
37069 -@@ -355,6 +369,8 @@ void cap_bprm_apply_creds (struct linux_
37070 - new_permitted : 0;
37071 - }
37072 -
37073 -+ gr_handle_chroot_caps(current);
37074 -+
37075 - /* AUD: Audit candidate if current->cap_effective is set */
37076 -
37077 - current->keep_capabilities = 0;
37078 -@@ -602,7 +618,7 @@ int cap_vm_enough_memory(struct mm_struc
37079 - {
37080 - int cap_sys_admin = 0;
37081 -
37082 -- if (cap_capable(current, CAP_SYS_ADMIN) == 0)
37083 -+ if (cap_capable_nolog(current, CAP_SYS_ADMIN) == 0)
37084 - cap_sys_admin = 1;
37085 - return __vm_enough_memory(mm, pages, cap_sys_admin);
37086 - }
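Review bot: the switch to `cap_capable_nolog()` for the `CAP_SYS_ADMIN` probe in `cap_vm_enough_memory()` deserves a one-line comment: a reader cannot tell from the hunk that suppressing the capability-denial log on this path is deliberate rather than an oversight.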
37087 -diff -urNp linux-2.6.24.4/security/dummy.c linux-2.6.24.4/security/dummy.c
37088 ---- linux-2.6.24.4/security/dummy.c 2008-03-24 14:49:18.000000000 -0400
37089 -+++ linux-2.6.24.4/security/dummy.c 2008-03-26 17:56:56.000000000 -0400
37090 -@@ -27,6 +27,7 @@
37091 - #include <linux/hugetlb.h>
37092 - #include <linux/ptrace.h>
37093 - #include <linux/file.h>
37094 -+#include <linux/grsecurity.h>
37095 -
37096 - static int dummy_ptrace (struct task_struct *parent, struct task_struct *child)
37097 - {
37098 -@@ -135,8 +136,11 @@ static void dummy_bprm_apply_creds (stru
37099 - }
37100 - }
37101 -
37102 -- current->suid = current->euid = current->fsuid = bprm->e_uid;
37103 -- current->sgid = current->egid = current->fsgid = bprm->e_gid;
37104 -+ if (!gr_check_user_change(-1, bprm->e_uid, bprm->e_uid))
37105 -+ current->suid = current->euid = current->fsuid = bprm->e_uid;
37106 -+
37107 -+ if (!gr_check_group_change(-1, bprm->e_gid, bprm->e_gid))
37108 -+ current->sgid = current->egid = current->fsgid = bprm->e_gid;
37109 -
37110 - dummy_capget(current, &current->cap_effective, &current->cap_inheritable, &current->cap_permitted);
37111 - }
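Review bot: this duplicates verbatim the uid/gid check block from the commoncap.c hunk; rather than maintaining two copies of the same four conditionals, factor them into one helper (grsecurity.h is now included by both files) so the two security modules cannot drift apart.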
37112 -diff -urNp linux-2.6.24.4/security/Kconfig linux-2.6.24.4/security/Kconfig
37113 ---- linux-2.6.24.4/security/Kconfig 2008-03-24 14:49:18.000000000 -0400
37114 -+++ linux-2.6.24.4/security/Kconfig 2008-03-26 17:56:56.000000000 -0400
37115 -@@ -4,6 +4,429 @@
37116 -
37117 - menu "Security options"
37118 -
37119 -+source grsecurity/Kconfig
37120 -+
37121 -+menu "PaX"
37122 -+
37123 -+config PAX
37124 -+ bool "Enable various PaX features"
37125 -+ depends on GRKERNSEC && (ALPHA || ARM || AVR32 || IA64 || MIPS32 || MIPS64 || PARISC || PPC32 || PPC64 || SPARC32 || SPARC64 || X86 || X86_64)
37126 -+ help
37127 -+ This allows you to enable various PaX features. PaX adds
37128 -+ intrusion prevention mechanisms to the kernel that reduce
37129 -+ the risks posed by exploitable memory corruption bugs.
37130 -+
37131 -+menu "PaX Control"
37132 -+ depends on PAX
37133 -+
37134 -+config PAX_SOFTMODE
37135 -+ bool 'Support soft mode'
37136 -+ help
37137 -+ Enabling this option will allow you to run PaX in soft mode, that
37138 -+ is, PaX features will not be enforced by default, only on executables
37139 -+ marked explicitly. You must also enable PT_PAX_FLAGS support as it
37140 -+ is the only way to mark executables for soft mode use.
37141 -+
37142 -+ Soft mode can be activated by using the "pax_softmode=1" kernel command
37143 -+ line option on boot. Furthermore you can control various PaX features
37144 -+ at runtime via the entries in /proc/sys/kernel/pax.
37145 -+
37146 -+config PAX_EI_PAX
37147 -+ bool 'Use legacy ELF header marking'
37148 -+ help
37149 -+ Enabling this option will allow you to control PaX features on
37150 -+ a per executable basis via the 'chpax' utility available at
37151 -+ http://pax.grsecurity.net/. The control flags will be read from
37152 -+ an otherwise reserved part of the ELF header. This marking has
37153 -+ numerous drawbacks (no support for soft-mode, toolchain does not
37154 -+ know about the non-standard use of the ELF header) therefore it
37155 -+ has been deprecated in favour of PT_PAX_FLAGS support.
37156 -+
37157 -+ If you have applications not marked by the PT_PAX_FLAGS ELF
37158 -+ program header then you MUST enable this option otherwise they
37159 -+ will not get any protection.
37160 -+
37161 -+ Note that if you enable PT_PAX_FLAGS marking support as well,
37162 -+ the PT_PAX_FLAG marks will override the legacy EI_PAX marks.
37163 -+
37164 -+config PAX_PT_PAX_FLAGS
37165 -+ bool 'Use ELF program header marking'
37166 -+ help
37167 -+ Enabling this option will allow you to control PaX features on
37168 -+ a per executable basis via the 'paxctl' utility available at
37169 -+ http://pax.grsecurity.net/. The control flags will be read from
37170 -+ a PaX specific ELF program header (PT_PAX_FLAGS). This marking
37171 -+ has the benefits of supporting both soft mode and being fully
37172 -+ integrated into the toolchain (the binutils patch is available
37173 -+ from http://pax.grsecurity.net).
37174 -+
37175 -+ If you have applications not marked by the PT_PAX_FLAGS ELF
37176 -+ program header then you MUST enable the EI_PAX marking support
37177 -+ otherwise they will not get any protection.
37178 -+
37179 -+ Note that if you enable the legacy EI_PAX marking support as well,
37180 -+ the EI_PAX marks will be overridden by the PT_PAX_FLAGS marks.
37181 -+
37182 -+choice
37183 -+ prompt 'MAC system integration'
37184 -+ default PAX_HAVE_ACL_FLAGS
37185 -+ help
37186 -+ Mandatory Access Control systems have the option of controlling
37187 -+ PaX flags on a per executable basis, choose the method supported
37188 -+ by your particular system.
37189 -+
37190 -+ - "none": if your MAC system does not interact with PaX,
37191 -+ - "direct": if your MAC system defines pax_set_initial_flags() itself,
37192 -+ - "hook": if your MAC system uses the pax_set_initial_flags_func callback.
37193 -+
37194 -+ NOTE: this option is for developers/integrators only.
37195 -+
37196 -+ config PAX_NO_ACL_FLAGS
37197 -+ bool 'none'
37198 -+
37199 -+ config PAX_HAVE_ACL_FLAGS
37200 -+ bool 'direct'
37201 -+
37202 -+ config PAX_HOOK_ACL_FLAGS
37203 -+ bool 'hook'
37204 -+endchoice
37205 -+
37206 -+endmenu
37207 -+
37208 -+menu "Non-executable pages"
37209 -+ depends on PAX
37210 -+
37211 -+config PAX_NOEXEC
37212 -+ bool "Enforce non-executable pages"
37213 -+ depends on (PAX_EI_PAX || PAX_PT_PAX_FLAGS || PAX_HAVE_ACL_FLAGS || PAX_HOOK_ACL_FLAGS) && (ALPHA || IA64 || MIPS32 || MIPS64 || PARISC || PPC32 || PPC64 || SPARC32 || SPARC64 || X86 || X86_64)
37214 -+ help
37215 -+ By design some architectures do not allow for protecting memory
37216 -+ pages against execution or even if they do, Linux does not make
37217 -+ use of this feature. In practice this means that if a page is
37218 -+ readable (such as the stack or heap) it is also executable.
37219 -+
37220 -+ There is a well known exploit technique that makes use of this
37221 -+ fact and a common programming mistake where an attacker can
37222 -+ introduce code of his choice somewhere in the attacked program's
37223 -+ memory (typically the stack or the heap) and then execute it.
37224 -+
37225 -+ If the attacked program was running with different (typically
37226 -+ higher) privileges than that of the attacker, then he can elevate
37227 -+ his own privilege level (e.g. get a root shell, write to files for
37228 -+ which he does not have write access to, etc).
37229 -+
37230 -+ Enabling this option will let you choose from various features
37231 -+ that prevent the injection and execution of 'foreign' code in
37232 -+ a program.
37233 -+
37234 -+ This will also break programs that rely on the old behaviour and
37235 -+ expect that dynamically allocated memory via the malloc() family
37236 -+ of functions is executable (which it is not). Notable examples
37237 -+ are the XFree86 4.x server, the java runtime and wine.
37238 -+
37239 -+config PAX_PAGEEXEC
37240 -+ bool "Paging based non-executable pages"
37241 -+ depends on !COMPAT_VDSO && PAX_NOEXEC && (!X86_32 || M586 || M586TSC || M586MMX || M686 || MPENTIUMII || MPENTIUMIII || MPENTIUMM || MCORE2 || MPENTIUM4 || MK7 || MK8 || MWINCHIPC6 || MWINCHIP2 || MWINCHIP3D || MVIAC3_2)
37242 -+ help
37243 -+ This implementation is based on the paging feature of the CPU.
37244 -+ On i386 without hardware non-executable bit support there is a
37245 -+ variable but usually low performance impact, however on Intel's
37246 -+ P4 core based CPUs it is very high so you should not enable this
37247 -+ for kernels meant to be used on such CPUs.
37248 -+
37249 -+ On alpha, avr32, ia64, parisc, sparc, sparc64, x86_64 and i386
37250 -+ with hardware non-executable bit support there is no performance
37251 -+ impact, on ppc the impact is negligible.
37252 -+
37253 -+ Note that several architectures require various emulations due to
37254 -+ badly designed userland ABIs, this will cause a performance impact
37255 -+ but will disappear as soon as userland is fixed (e.g., ppc users
37256 -+ can make use of the secure-plt feature found in binutils).
37257 -+
37258 -+config PAX_SEGMEXEC
37259 -+ bool "Segmentation based non-executable pages"
37260 -+ depends on !COMPAT_VDSO && PAX_NOEXEC && X86_32
37261 -+ help
37262 -+ This implementation is based on the segmentation feature of the
37263 -+ CPU and has a very small performance impact, however applications
37264 -+ will be limited to a 1.5 GB address space instead of the normal
37265 -+ 3 GB.
37266 -+
37267 -+config PAX_EMUTRAMP
37268 -+ bool "Emulate trampolines" if (PAX_PAGEEXEC || PAX_SEGMEXEC) && (PARISC || PPC32 || X86)
37269 -+ default y if PARISC || PPC32
37270 -+ help
37271 -+ There are some programs and libraries that for one reason or
37272 -+ another attempt to execute special small code snippets from
37273 -+ non-executable memory pages. Most notable examples are the
37274 -+ signal handler return code generated by the kernel itself and
37275 -+ the GCC trampolines.
37276 -+
37277 -+ If you enabled CONFIG_PAX_PAGEEXEC or CONFIG_PAX_SEGMEXEC then
37278 -+ such programs will no longer work under your kernel.
37279 -+
37280 -+ As a remedy you can say Y here and use the 'chpax' or 'paxctl'
37281 -+ utilities to enable trampoline emulation for the affected programs
37282 -+ yet still have the protection provided by the non-executable pages.
37283 -+
37284 -+ On parisc and ppc you MUST enable this option and EMUSIGRT as
37285 -+ well, otherwise your system will not even boot.
37286 -+
37287 -+ Alternatively you can say N here and use the 'chpax' or 'paxctl'
37288 -+ utilities to disable CONFIG_PAX_PAGEEXEC and CONFIG_PAX_SEGMEXEC
37289 -+ for the affected files.
37290 -+
37291 -+ NOTE: enabling this feature *may* open up a loophole in the
37292 -+ protection provided by non-executable pages that an attacker
37293 -+ could abuse. Therefore the best solution is to not have any
37294 -+ files on your system that would require this option. This can
37295 -+ be achieved by not using libc5 (which relies on the kernel
37296 -+ signal handler return code) and not using or rewriting programs
37297 -+ that make use of the nested function implementation of GCC.
37298 -+ Skilled users can just fix GCC itself so that it implements
37299 -+ nested function calls in a way that does not interfere with PaX.
37300 -+
37301 -+config PAX_EMUSIGRT
37302 -+ bool "Automatically emulate sigreturn trampolines"
37303 -+ depends on PAX_EMUTRAMP && (PARISC || PPC32)
37304 -+ default y
37305 -+ help
37306 -+ Enabling this option will have the kernel automatically detect
37307 -+ and emulate signal return trampolines executing on the stack
37308 -+ that would otherwise lead to task termination.
37309 -+
37310 -+ This solution is intended as a temporary one for users with
37311 -+ legacy versions of libc (libc5, glibc 2.0, uClibc before 0.9.17,
37312 -+ Modula-3 runtime, etc) or executables linked to such, basically
37313 -+ everything that does not specify its own SA_RESTORER function in
37314 -+ normal executable memory like glibc 2.1+ does.
37315 -+
37316 -+ On parisc and ppc you MUST enable this option, otherwise your
37317 -+ system will not even boot.
37318 -+
37319 -+ NOTE: this feature cannot be disabled on a per executable basis
37320 -+ and since it *does* open up a loophole in the protection provided
37321 -+ by non-executable pages, the best solution is to not have any
37322 -+ files on your system that would require this option.
37323 -+
37324 -+config PAX_MPROTECT
37325 -+ bool "Restrict mprotect()"
37326 -+ depends on (PAX_PAGEEXEC || PAX_SEGMEXEC) && !PPC64
37327 -+ help
37328 -+ Enabling this option will prevent programs from
37329 -+ - changing the executable status of memory pages that were
37330 -+ not originally created as executable,
37331 -+ - making read-only executable pages writable again,
37332 -+ - creating executable pages from anonymous memory.
37333 -+
37334 -+ You should say Y here to complete the protection provided by
37335 -+ the enforcement of non-executable pages.
37336 -+
37337 -+ NOTE: you can use the 'chpax' or 'paxctl' utilities to control
37338 -+ this feature on a per file basis.
37339 -+
37340 -+config PAX_NOELFRELOCS
37341 -+ bool "Disallow ELF text relocations"
37342 -+ depends on PAX_MPROTECT && !PAX_ETEXECRELOCS && (IA64 || X86 || X86_64)
37343 -+ help
37344 -+ Non-executable pages and mprotect() restrictions are effective
37345 -+ in preventing the introduction of new executable code into an
37346 -+ attacked task's address space. There remain only two venues
37347 -+ for this kind of attack: if the attacker can execute already
37348 -+ existing code in the attacked task then he can either have it
37349 -+ create and mmap() a file containing his code or have it mmap()
37350 -+ an already existing ELF library that does not have position
37351 -+ independent code in it and use mprotect() on it to make it
37352 -+ writable and copy his code there. While protecting against
37353 -+ the former approach is beyond PaX, the latter can be prevented
37354 -+ by having only PIC ELF libraries on one's system (which do not
37355 -+ need to relocate their code). If you are sure this is your case,
37356 -+ then enable this option otherwise be careful as you may not even
37357 -+ be able to boot or log on your system (for example, some PAM
37358 -+ modules are erroneously compiled as non-PIC by default).
37359 -+
37360 -+ NOTE: if you are using dynamic ELF executables (as suggested
37361 -+ when using ASLR) then you must have made sure that you linked
37362 -+ your files using the PIC version of crt1 (the et_dyn.tar.gz package
37363 -+ referenced there has already been updated to support this).
37364 -+
37365 -+config PAX_ETEXECRELOCS
37366 -+ bool "Allow ELF ET_EXEC text relocations"
37367 -+ depends on PAX_MPROTECT && (ALPHA || IA64 || PARISC)
37368 -+ default y
37369 -+ help
37370 -+ On some architectures there are incorrectly created applications
37371 -+ that require text relocations and would not work without enabling
37372 -+ this option. If you are an alpha, ia64 or parisc user, you should
37373 -+ enable this option and disable it once you have made sure that
37374 -+ none of your applications need it.
37375 -+
37376 -+config PAX_EMUPLT
37377 -+ bool "Automatically emulate ELF PLT"
37378 -+ depends on PAX_MPROTECT && (ALPHA || PARISC || PPC32 || SPARC32 || SPARC64)
37379 -+ default y
37380 -+ help
37381 -+ Enabling this option will have the kernel automatically detect
37382 -+ and emulate the Procedure Linkage Table entries in ELF files.
37383 -+ On some architectures such entries are in writable memory, and
37384 -+ become non-executable leading to task termination. Therefore
37385 -+ it is mandatory that you enable this option on alpha, parisc,
37386 -+ ppc (if secure-plt is not used throughout in userland), sparc
37387 -+ and sparc64, otherwise your system would not even boot.
37388 -+
37389 -+ NOTE: this feature *does* open up a loophole in the protection
37390 -+ provided by the non-executable pages, therefore the proper
37391 -+ solution is to modify the toolchain to produce a PLT that does
37392 -+ not need to be writable.
37393 -+
37394 -+config PAX_DLRESOLVE
37395 -+ bool
37396 -+ depends on PAX_EMUPLT && (SPARC32 || SPARC64)
37397 -+ default y
37398 -+
37399 -+config PAX_SYSCALL
37400 -+ bool
37401 -+ depends on PAX_PAGEEXEC && PPC32
37402 -+ default y
37403 -+
37404 -+config PAX_KERNEXEC
37405 -+ bool "Enforce non-executable kernel pages"
37406 -+ depends on PAX_NOEXEC && X86 && !EFI && !COMPAT_VDSO && (!X86_32 || X86_WP_WORKS_OK) && !PARAVIRT
37407 -+ help
37408 -+ This is the kernel land equivalent of PAGEEXEC and MPROTECT,
37409 -+ that is, enabling this option will make it harder to inject
37410 -+ and execute 'foreign' code in kernel memory itself.
37411 -+
37412 -+endmenu
37413 -+
37414 -+menu "Address Space Layout Randomization"
37415 -+ depends on PAX
37416 -+
37417 -+config PAX_ASLR
37418 -+ bool "Address Space Layout Randomization"
37419 -+ depends on PAX_EI_PAX || PAX_PT_PAX_FLAGS || PAX_HAVE_ACL_FLAGS || PAX_HOOK_ACL_FLAGS
37420 -+ help
37421 -+ Many if not most exploit techniques rely on the knowledge of
37422 -+ certain addresses in the attacked program. The following options
37423 -+ will allow the kernel to apply a certain amount of randomization
37424 -+ to specific parts of the program thereby forcing an attacker to
37425 -+ guess them in most cases. Any failed guess will most likely crash
37426 -+ the attacked program which allows the kernel to detect such attempts
37427 -+ and react on them. PaX itself provides no reaction mechanisms,
37428 -+ instead it is strongly encouraged that you make use of Nergal's
37429 -+ segvguard (ftp://ftp.pl.openwall.com/misc/segvguard/) or grsecurity's
37430 -+ (http://www.grsecurity.net/) built-in crash detection features or
37431 -+ develop one yourself.
37432 -+
37433 -+ By saying Y here you can choose to randomize the following areas:
37434 -+ - top of the task's kernel stack
37435 -+ - top of the task's userland stack
37436 -+ - base address for mmap() requests that do not specify one
37437 -+ (this includes all libraries)
37438 -+ - base address of the main executable
37439 -+
37440 -+ It is strongly recommended to say Y here as address space layout
37441 -+ randomization has negligible impact on performance yet it provides
37442 -+ a very effective protection.
37443 -+
37444 -+ NOTE: you can use the 'chpax' or 'paxctl' utilities to control
37445 -+ this feature on a per file basis.
37446 -+
37447 -+config PAX_RANDKSTACK
37448 -+ bool "Randomize kernel stack base"
37449 -+ depends on PAX_ASLR && X86_TSC && X86_32
37450 -+ help
37451 -+ By saying Y here the kernel will randomize every task's kernel
37452 -+ stack on every system call. This will not only force an attacker
37453 -+ to guess it but also prevent him from making use of possible
37454 -+ leaked information about it.
37455 -+
37456 -+ Since the kernel stack is a rather scarce resource, randomization
37457 -+ may cause unexpected stack overflows, therefore you should very
37458 -+ carefully test your system. Note that once enabled in the kernel
37459 -+ configuration, this feature cannot be disabled on a per file basis.
37460 -+
37461 -+config PAX_RANDUSTACK
37462 -+ bool "Randomize user stack base"
37463 -+ depends on PAX_ASLR
37464 -+ help
37465 -+ By saying Y here the kernel will randomize every task's userland
37466 -+ stack. The randomization is done in two steps where the second
37467 -+ one may apply a big amount of shift to the top of the stack and
37468 -+ cause problems for programs that want to use lots of memory (more
37469 -+ than 2.5 GB if SEGMEXEC is not active, or 1.25 GB when it is).
37470 -+ For this reason the second step can be controlled by 'chpax' or
37471 -+ 'paxctl' on a per file basis.
37472 -+
37473 -+config PAX_RANDMMAP
37474 -+ bool "Randomize mmap() base"
37475 -+ depends on PAX_ASLR
37476 -+ help
37477 -+ By saying Y here the kernel will use a randomized base address for
37478 -+ mmap() requests that do not specify one themselves. As a result
37479 -+ all dynamically loaded libraries will appear at random addresses
37480 -+ and therefore be harder to exploit by a technique where an attacker
37481 -+ attempts to execute library code for his purposes (e.g. spawn a
37482 -+ shell from an exploited program that is running at an elevated
37483 -+ privilege level).
37484 -+
37485 -+ Furthermore, if a program is relinked as a dynamic ELF file, its
37486 -+ base address will be randomized as well, completing the full
37487 -+ randomization of the address space layout. Attacking such programs
37488 -+ becomes a guess game. You can find an example of doing this at
37489 -+ http://pax.grsecurity.net/et_dyn.tar.gz and practical samples at
37490 -+ http://www.grsecurity.net/grsec-gcc-specs.tar.gz .
37491 -+
37492 -+ NOTE: you can use the 'chpax' or 'paxctl' utilities to control this
37493 -+ feature on a per file basis.
37494 -+
37495 -+endmenu
37496 -+
37497 -+menu "Miscellaneous hardening features"
37498 -+
37499 -+config PAX_MEMORY_SANITIZE
37500 -+ bool "Sanitize all freed memory"
37501 -+ help
37502 -+ By saying Y here the kernel will erase memory pages as soon as they
37503 -+ are freed. This in turn reduces the lifetime of data stored in the
37504 -+ pages, making it less likely that sensitive information such as
37505 -+ passwords, cryptographic secrets, etc stay in memory for too long.
37506 -+
37507 -+ This is especially useful for programs whose runtime is short, long
37508 -+ lived processes and the kernel itself benefit from this as long as
37509 -+ they operate on whole memory pages and ensure timely freeing of pages
37510 -+ that may hold sensitive information.
37511 -+
37512 -+ The tradeoff is performance impact, on a single CPU system kernel
37513 -+ compilation sees a 3% slowdown, other systems and workloads may vary
37514 -+ and you are advised to test this feature on your expected workload
37515 -+ before deploying it.
37516 -+
37517 -+ Note that this feature does not protect data stored in live pages,
37518 -+ e.g., process memory swapped to disk may stay there for a long time.
37519 -+
37520 -+config PAX_MEMORY_UDEREF
37521 -+ bool "Prevent invalid userland pointer dereference"
37522 -+ depends on X86_32 && !COMPAT_VDSO
37523 -+ help
37524 -+ By saying Y here the kernel will be prevented from dereferencing
37525 -+ userland pointers in contexts where the kernel expects only kernel
37526 -+ pointers. This is both a useful runtime debugging feature and a
37527 -+ security measure that prevents exploiting a class of kernel bugs.
37528 -+
37529 -+ The tradeoff is that some virtualization solutions may experience
37530 -+ a huge slowdown and therefore you should not enable this feature
37531 -+ for kernels meant to run in such environments. Whether a given VM
37532 -+ solution is affected or not is best determined by simply trying it
37533 -+ out, the performance impact will be obvious right on boot as this
37534 -+ mechanism engages from very early on. A good rule of thumb is that
37535 -+ VMs running on CPUs without hardware virtualization support (i.e.,
37536 -+ the majority of IA-32 CPUs) will likely experience the slowdown.
37537 -+
37538 -+endmenu
37539 -+
37540 -+endmenu
37541 -+
37542 - config KEYS
37543 - bool "Enable access key retention support"
37544 - help
37545 -diff -urNp linux-2.6.24.4/sound/core/oss/pcm_oss.c linux-2.6.24.4/sound/core/oss/pcm_oss.c
37546 ---- linux-2.6.24.4/sound/core/oss/pcm_oss.c 2008-03-24 14:49:18.000000000 -0400
37547 -+++ linux-2.6.24.4/sound/core/oss/pcm_oss.c 2008-03-26 17:56:56.000000000 -0400
37548 -@@ -2913,8 +2913,8 @@ static void snd_pcm_oss_proc_done(struct
37549 - }
37550 - }
37551 - #else /* !CONFIG_SND_VERBOSE_PROCFS */
37552 --#define snd_pcm_oss_proc_init(pcm)
37553 --#define snd_pcm_oss_proc_done(pcm)
37554 -+#define snd_pcm_oss_proc_init(pcm) do {} while (0)
37555 -+#define snd_pcm_oss_proc_done(pcm) do {} while (0)
37556 - #endif /* CONFIG_SND_VERBOSE_PROCFS */
37557 -
37558 - /*
37559 -diff -urNp linux-2.6.24.4/sound/core/seq/seq_lock.h linux-2.6.24.4/sound/core/seq/seq_lock.h
37560 ---- linux-2.6.24.4/sound/core/seq/seq_lock.h 2008-03-24 14:49:18.000000000 -0400
37561 -+++ linux-2.6.24.4/sound/core/seq/seq_lock.h 2008-03-26 17:56:56.000000000 -0400
37562 -@@ -23,10 +23,10 @@ void snd_use_lock_sync_helper(snd_use_lo
37563 - #else /* SMP || CONFIG_SND_DEBUG */
37564 -
37565 - typedef spinlock_t snd_use_lock_t; /* dummy */
37566 --#define snd_use_lock_init(lockp) /**/
37567 --#define snd_use_lock_use(lockp) /**/
37568 --#define snd_use_lock_free(lockp) /**/
37569 --#define snd_use_lock_sync(lockp) /**/
37570 -+#define snd_use_lock_init(lockp) do {} while (0)
37571 -+#define snd_use_lock_use(lockp) do {} while (0)
37572 -+#define snd_use_lock_free(lockp) do {} while (0)
37573 -+#define snd_use_lock_sync(lockp) do {} while (0)
37574 -
37575 - #endif /* SMP || CONFIG_SND_DEBUG */
37576 -
37577 -diff -urNp linux-2.6.24.4/sound/pci/ac97/ac97_patch.c linux-2.6.24.4/sound/pci/ac97/ac97_patch.c
37578 ---- linux-2.6.24.4/sound/pci/ac97/ac97_patch.c 2008-03-24 14:49:18.000000000 -0400
37579 -+++ linux-2.6.24.4/sound/pci/ac97/ac97_patch.c 2008-03-26 17:56:56.000000000 -0400
37580 -@@ -1478,7 +1478,7 @@ static const struct snd_ac97_res_table a
37581 - { AC97_VIDEO, 0x9f1f },
37582 - { AC97_AUX, 0x9f1f },
37583 - { AC97_PCM, 0x9f1f },
37584 -- { } /* terminator */
37585 -+ { 0, 0 } /* terminator */
37586 - };
37587 -
37588 - static int patch_ad1819(struct snd_ac97 * ac97)
37589 -@@ -3537,7 +3537,7 @@ static struct snd_ac97_res_table lm4550_
37590 - { AC97_AUX, 0x1f1f },
37591 - { AC97_PCM, 0x1f1f },
37592 - { AC97_REC_GAIN, 0x0f0f },
37593 -- { } /* terminator */
37594 -+ { 0, 0 } /* terminator */
37595 - };
37596 -
37597 - static int patch_lm4550(struct snd_ac97 *ac97)
37598 -diff -urNp linux-2.6.24.4/sound/pci/ens1370.c linux-2.6.24.4/sound/pci/ens1370.c
37599 ---- linux-2.6.24.4/sound/pci/ens1370.c 2008-03-24 14:49:18.000000000 -0400
37600 -+++ linux-2.6.24.4/sound/pci/ens1370.c 2008-03-26 17:56:56.000000000 -0400
37601 -@@ -453,7 +453,7 @@ static struct pci_device_id snd_audiopci
37602 - { 0x1274, 0x5880, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0, }, /* ES1373 - CT5880 */
37603 - { 0x1102, 0x8938, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0, }, /* Ectiva EV1938 */
37604 - #endif
37605 -- { 0, }
37606 -+ { 0, 0, 0, 0, 0, 0, 0 }
37607 - };
37608 -
37609 - MODULE_DEVICE_TABLE(pci, snd_audiopci_ids);
37610 -diff -urNp linux-2.6.24.4/sound/pci/intel8x0.c linux-2.6.24.4/sound/pci/intel8x0.c
37611 ---- linux-2.6.24.4/sound/pci/intel8x0.c 2008-03-24 14:49:18.000000000 -0400
37612 -+++ linux-2.6.24.4/sound/pci/intel8x0.c 2008-03-26 17:56:56.000000000 -0400
37613 -@@ -436,7 +436,7 @@ static struct pci_device_id snd_intel8x0
37614 - { 0x1022, 0x746d, PCI_ANY_ID, PCI_ANY_ID, 0, 0, DEVICE_INTEL }, /* AMD8111 */
37615 - { 0x1022, 0x7445, PCI_ANY_ID, PCI_ANY_ID, 0, 0, DEVICE_INTEL }, /* AMD768 */
37616 - { 0x10b9, 0x5455, PCI_ANY_ID, PCI_ANY_ID, 0, 0, DEVICE_ALI }, /* Ali5455 */
37617 -- { 0, }
37618 -+ { 0, 0, 0, 0, 0, 0, 0 }
37619 - };
37620 -
37621 - MODULE_DEVICE_TABLE(pci, snd_intel8x0_ids);
37622 -@@ -2044,7 +2044,7 @@ static struct ac97_quirk ac97_quirks[] _
37623 - .type = AC97_TUNE_HP_ONLY
37624 - },
37625 - #endif
37626 -- { } /* terminator */
37627 -+ { 0, 0, 0, 0, NULL, 0 } /* terminator */
37628 - };
37629 -
37630 - static int __devinit snd_intel8x0_mixer(struct intel8x0 *chip, int ac97_clock,
37631 -diff -urNp linux-2.6.24.4/sound/pci/intel8x0m.c linux-2.6.24.4/sound/pci/intel8x0m.c
37632 ---- linux-2.6.24.4/sound/pci/intel8x0m.c 2008-03-24 14:49:18.000000000 -0400
37633 -+++ linux-2.6.24.4/sound/pci/intel8x0m.c 2008-03-26 17:56:56.000000000 -0400
37634 -@@ -240,7 +240,7 @@ static struct pci_device_id snd_intel8x0
37635 - { 0x1022, 0x746d, PCI_ANY_ID, PCI_ANY_ID, 0, 0, DEVICE_INTEL }, /* AMD8111 */
37636 - { 0x10b9, 0x5455, PCI_ANY_ID, PCI_ANY_ID, 0, 0, DEVICE_ALI }, /* Ali5455 */
37637 - #endif
37638 -- { 0, }
37639 -+ { 0, 0, 0, 0, 0, 0, 0 }
37640 - };
37641 -
37642 - MODULE_DEVICE_TABLE(pci, snd_intel8x0m_ids);
37643 -@@ -1261,7 +1261,7 @@ static struct shortname_table {
37644 - { 0x5455, "ALi M5455" },
37645 - { 0x746d, "AMD AMD8111" },
37646 - #endif
37647 -- { 0 },
37648 -+ { 0, NULL },
37649 - };
37650 -
37651 - static int __devinit snd_intel8x0m_probe(struct pci_dev *pci,
37652
37653 Added: hardened-sources/2.6/trunk/2.6.24/4420_grsec-2.1.11-2.6.24.5-200804211829.patch
37654 ===================================================================
37655 --- hardened-sources/2.6/trunk/2.6.24/4420_grsec-2.1.11-2.6.24.5-200804211829.patch (rev 0)
37656 +++ hardened-sources/2.6/trunk/2.6.24/4420_grsec-2.1.11-2.6.24.5-200804211829.patch 2008-04-30 11:36:08 UTC (rev 92)
37657 @@ -0,0 +1,37587 @@
37658 +diff -urNp linux-2.6.24.5/arch/alpha/kernel/module.c linux-2.6.24.5/arch/alpha/kernel/module.c
37659 +--- linux-2.6.24.5/arch/alpha/kernel/module.c 2008-03-24 14:49:18.000000000 -0400
37660 ++++ linux-2.6.24.5/arch/alpha/kernel/module.c 2008-03-26 20:21:07.000000000 -0400
37661 +@@ -176,7 +176,7 @@ apply_relocate_add(Elf64_Shdr *sechdrs,
37662 +
37663 + /* The small sections were sorted to the end of the segment.
37664 + The following should definitely cover them. */
37665 +- gp = (u64)me->module_core + me->core_size - 0x8000;
37666 ++ gp = (u64)me->module_core_rw + me->core_size_rw - 0x8000;
37667 + got = sechdrs[me->arch.gotsecindex].sh_addr;
37668 +
37669 + for (i = 0; i < n; i++) {
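Review bot: the gp computation now anchors on the RW core only (`gp = (u64)me->module_core_rw + me->core_size_rw - 0x8000;`) while the comment above still talks about small sections "sorted to the end of the segment". With the core split into separate RX and RW allocations this is only correct if every small section lands in the RW region; either state that invariant in the comment or make the section layout code check it, otherwise GP-relative relocations can silently fall out of range.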
37670 +diff -urNp linux-2.6.24.5/arch/alpha/kernel/osf_sys.c linux-2.6.24.5/arch/alpha/kernel/osf_sys.c
37671 +--- linux-2.6.24.5/arch/alpha/kernel/osf_sys.c 2008-03-24 14:49:18.000000000 -0400
37672 ++++ linux-2.6.24.5/arch/alpha/kernel/osf_sys.c 2008-03-26 20:21:07.000000000 -0400
37673 +@@ -1288,6 +1288,10 @@ arch_get_unmapped_area(struct file *filp
37674 + merely specific addresses, but regions of memory -- perhaps
37675 + this feature should be incorporated into all ports? */
37676 +
37677 ++#ifdef CONFIG_PAX_RANDMMAP
37678 ++ if (!(current->mm->pax_flags & MF_PAX_RANDMMAP) || !filp)
37679 ++#endif
37680 ++
37681 + if (addr) {
37682 + addr = arch_get_unmapped_area_1 (PAGE_ALIGN(addr), len, limit);
37683 + if (addr != (unsigned long) -ENOMEM)
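Review bot: the `#ifdef CONFIG_PAX_RANDMMAP` guard is a brace-less `if` whose body is the following `if (addr) { ... }` block, so its effect depends on the next statement staying exactly where it is and is easy to break in a later merge. Fold it into one explicit condition, e.g. `if (addr && (!(current->mm->pax_flags & MF_PAX_RANDMMAP) || !filp)) {`, and add a comment saying that file-backed mappings deliberately ignore the caller's hint when RANDMMAP is active while anonymous mappings (`!filp`) still honour it.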
37684 +@@ -1295,8 +1299,8 @@ arch_get_unmapped_area(struct file *filp
37685 + }
37686 +
37687 + /* Next, try allocating at TASK_UNMAPPED_BASE. */
37688 +- addr = arch_get_unmapped_area_1 (PAGE_ALIGN(TASK_UNMAPPED_BASE),
37689 +- len, limit);
37690 ++ addr = arch_get_unmapped_area_1 (PAGE_ALIGN(current->mm->mmap_base), len, limit);
37691 ++
37692 + if (addr != (unsigned long) -ENOMEM)
37693 + return addr;
37694 +
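Review bot: the comment `/* Next, try allocating at TASK_UNMAPPED_BASE. */` is now stale, since the line below uses `current->mm->mmap_base`; update it. The added blank `+` line after the call is whitespace noise. The change also assumes `mmap_base` is populated for every mm that can reach this path (it is set in arch_pick_mmap_layout at exec time); worth a one-line comment.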
37695 +diff -urNp linux-2.6.24.5/arch/alpha/kernel/ptrace.c linux-2.6.24.5/arch/alpha/kernel/ptrace.c
37696 +--- linux-2.6.24.5/arch/alpha/kernel/ptrace.c 2008-03-24 14:49:18.000000000 -0400
37697 ++++ linux-2.6.24.5/arch/alpha/kernel/ptrace.c 2008-03-26 20:21:07.000000000 -0400
37698 +@@ -15,6 +15,7 @@
37699 + #include <linux/slab.h>
37700 + #include <linux/security.h>
37701 + #include <linux/signal.h>
37702 ++#include <linux/grsecurity.h>
37703 +
37704 + #include <asm/uaccess.h>
37705 + #include <asm/pgtable.h>
37706 +@@ -266,6 +267,9 @@ long arch_ptrace(struct task_struct *chi
37707 + size_t copied;
37708 + long ret;
37709 +
37710 ++ if (gr_handle_ptrace(child, request))
37711 ++ return -EPERM;
37712 ++
37713 + switch (request) {
37714 + /* When I and D space are separate, these will need to be fixed. */
37715 + case PTRACE_PEEKTEXT: /* read word at location addr. */
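Review bot: `gr_handle_ptrace()` is placed at the top of `arch_ptrace()`, which the generic ptrace entry only calls for requests other than PTRACE_ATTACH, so unless kernel/ptrace.c also calls the hook (not in this hunk) an attach is not covered here. The hunk returns `-EPERM` for every denied request; if the hook itself does not log the request number, consider doing so, as a refused PTRACE_PEEKTEXT and a refused PTRACE_KILL are otherwise indistinguishable to the tracer.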
37716 +diff -urNp linux-2.6.24.5/arch/alpha/mm/fault.c linux-2.6.24.5/arch/alpha/mm/fault.c
37717 +--- linux-2.6.24.5/arch/alpha/mm/fault.c 2008-03-24 14:49:18.000000000 -0400
37718 ++++ linux-2.6.24.5/arch/alpha/mm/fault.c 2008-03-26 20:21:07.000000000 -0400
37719 +@@ -23,6 +23,7 @@
37720 + #include <linux/smp.h>
37721 + #include <linux/interrupt.h>
37722 + #include <linux/module.h>
37723 ++#include <linux/binfmts.h>
37724 +
37725 + #include <asm/system.h>
37726 + #include <asm/uaccess.h>
37727 +@@ -54,6 +55,124 @@ __load_new_mm_context(struct mm_struct *
37728 + __reload_thread(pcb);
37729 + }
37730 +
37731 ++#ifdef CONFIG_PAX_PAGEEXEC
37732 ++/*
37733 ++ * PaX: decide what to do with offenders (regs->pc = fault address)
37734 ++ *
37735 ++ * returns 1 when task should be killed
37736 ++ * 2 when patched PLT trampoline was detected
37737 ++ * 3 when unpatched PLT trampoline was detected
37738 ++ */
37739 ++static int pax_handle_fetch_fault(struct pt_regs *regs)
37740 ++{
37741 ++
37742 ++#ifdef CONFIG_PAX_EMUPLT
37743 ++ int err;
37744 ++
37745 ++ do { /* PaX: patched PLT emulation #1 */
37746 ++ unsigned int ldah, ldq, jmp;
37747 ++
37748 ++ err = get_user(ldah, (unsigned int *)regs->pc);
37749 ++ err |= get_user(ldq, (unsigned int *)(regs->pc+4));
37750 ++ err |= get_user(jmp, (unsigned int *)(regs->pc+8));
37751 ++
37752 ++ if (err)
37753 ++ break;
37754 ++
37755 ++ if ((ldah & 0xFFFF0000U) == 0x277B0000U &&
37756 ++ (ldq & 0xFFFF0000U) == 0xA77B0000U &&
37757 ++ jmp == 0x6BFB0000U)
37758 ++ {
37759 ++ unsigned long r27, addr;
37760 ++ unsigned long addrh = (ldah | 0xFFFFFFFFFFFF0000UL) << 16;
37761 ++ unsigned long addrl = ldq | 0xFFFFFFFFFFFF0000UL;
37762 ++
37763 ++ addr = regs->r27 + ((addrh ^ 0x80000000UL) + 0x80000000UL) + ((addrl ^ 0x8000UL) + 0x8000UL);
37764 ++ err = get_user(r27, (unsigned long *)addr);
37765 ++ if (err)
37766 ++ break;
37767 ++
37768 ++ regs->r27 = r27;
37769 ++ regs->pc = r27;
37770 ++ return 2;
37771 ++ }
37772 ++ } while (0);
37773 ++
37774 ++ do { /* PaX: patched PLT emulation #2 */
37775 ++ unsigned int ldah, lda, br;
37776 ++
37777 ++ err = get_user(ldah, (unsigned int *)regs->pc);
37778 ++ err |= get_user(lda, (unsigned int *)(regs->pc+4));
37779 ++ err |= get_user(br, (unsigned int *)(regs->pc+8));
37780 ++
37781 ++ if (err)
37782 ++ break;
37783 ++
37784 ++ if ((ldah & 0xFFFF0000U) == 0x277B0000U &&
37785 ++ (lda & 0xFFFF0000U) == 0xA77B0000U &&
37786 ++ (br & 0xFFE00000U) == 0xC3E00000U)
37787 ++ {
37788 ++ unsigned long addr = br | 0xFFFFFFFFFFE00000UL;
37789 ++ unsigned long addrh = (ldah | 0xFFFFFFFFFFFF0000UL) << 16;
37790 ++ unsigned long addrl = lda | 0xFFFFFFFFFFFF0000UL;
37791 ++
37792 ++ regs->r27 += ((addrh ^ 0x80000000UL) + 0x80000000UL) + ((addrl ^ 0x8000UL) + 0x8000UL);
37793 ++ regs->pc += 12 + (((addr ^ 0x00100000UL) + 0x00100000UL) << 2);
37794 ++ return 2;
37795 ++ }
37796 ++ } while (0);
37797 ++
37798 ++ do { /* PaX: unpatched PLT emulation */
37799 ++ unsigned int br;
37800 ++
37801 ++ err = get_user(br, (unsigned int *)regs->pc);
37802 ++
37803 ++ if (!err && (br & 0xFFE00000U) == 0xC3800000U) {
37804 ++ unsigned int br2, ldq, nop, jmp;
37805 ++ unsigned long addr = br | 0xFFFFFFFFFFE00000UL, resolver;
37806 ++
37807 ++ addr = regs->pc + 4 + (((addr ^ 0x00100000UL) + 0x00100000UL) << 2);
37808 ++ err = get_user(br2, (unsigned int *)addr);
37809 ++ err |= get_user(ldq, (unsigned int *)(addr+4));
37810 ++ err |= get_user(nop, (unsigned int *)(addr+8));
37811 ++ err |= get_user(jmp, (unsigned int *)(addr+12));
37812 ++ err |= get_user(resolver, (unsigned long *)(addr+16));
37813 ++
37814 ++ if (err)
37815 ++ break;
37816 ++
37817 ++ if (br2 == 0xC3600000U &&
37818 ++ ldq == 0xA77B000CU &&
37819 ++ nop == 0x47FF041FU &&
37820 ++ jmp == 0x6B7B0000U)
37821 ++ {
37822 ++ regs->r28 = regs->pc+4;
37823 ++ regs->r27 = addr+16;
37824 ++ regs->pc = resolver;
37825 ++ return 3;
37826 ++ }
37827 ++ }
37828 ++ } while (0);
37829 ++#endif
37830 ++
37831 ++ return 1;
37832 ++}
37833 ++
37834 ++void pax_report_insns(void *pc, void *sp)
37835 ++{
37836 ++ unsigned long i;
37837 ++
37838 ++ printk(KERN_ERR "PAX: bytes at PC: ");
37839 ++ for (i = 0; i < 5; i++) {
37840 ++ unsigned int c;
37841 ++ if (get_user(c, (unsigned int *)pc+i))
37842 ++ printk("???????? ");
37843 ++ else
37844 ++ printk("%08x ", c);
37845 ++ }
37846 ++ printk("\n");
37847 ++}
37848 ++#endif
37849 +
37850 + /*
37851 + * This routine handles page faults. It determines the address,
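Review bot: the instruction patterns in `pax_handle_fetch_fault()` are bare magic numbers (`0x277B0000U`, `0xA77B0000U`, `0x6BFB0000U`, `0xC3E00000U`, `0xC3800000U`, ...); each comparison should carry a comment naming the decoded instruction (`ldah $27,disp($27)`, `ldq $27,disp($27)`, `jmp $31,($27)`, `br`), otherwise the emulation cannot be maintained across toolchain changes. The function reads user memory with `get_user()` and so may fault and sleep; the header comment should state that it must be called with `mmap_sem` released, which the caller in the next hunk does.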
37852 +@@ -131,8 +250,29 @@ do_page_fault(unsigned long address, uns
37853 + good_area:
37854 + si_code = SEGV_ACCERR;
37855 + if (cause < 0) {
37856 +- if (!(vma->vm_flags & VM_EXEC))
37857 ++ if (!(vma->vm_flags & VM_EXEC)) {
37858 ++
37859 ++#ifdef CONFIG_PAX_PAGEEXEC
37860 ++ if (!(mm->pax_flags & MF_PAX_PAGEEXEC) || address != regs->pc)
37861 ++ goto bad_area;
37862 ++
37863 ++ up_read(&mm->mmap_sem);
37864 ++ switch (pax_handle_fetch_fault(regs)) {
37865 ++
37866 ++#ifdef CONFIG_PAX_EMUPLT
37867 ++ case 2:
37868 ++ case 3:
37869 ++ return;
37870 ++#endif
37871 ++
37872 ++ }
37873 ++ pax_report_fault(regs, (void *)regs->pc, (void *)rdusp());
37874 ++ do_group_exit(SIGKILL);
37875 ++#else
37876 + goto bad_area;
37877 ++#endif
37878 ++
37879 ++ }
37880 + } else if (!cause) {
37881 + /* Allow reads even for write-only mappings */
37882 + if (!(vma->vm_flags & (VM_READ | VM_WRITE)))
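Review bot: when CONFIG_PAX_EMUPLT is not set the `switch (pax_handle_fetch_fault(regs))` has an empty body, and even with it set there is no `default:` for return value 1, which is handled only by falling out of the switch into `pax_report_fault()` and `do_group_exit(SIGKILL)`. Make the kill path explicit (`default: break;` with a comment, or an `if` on the return value) so an unexpected return code is not silently treated as a kill. The `up_read(&mm->mmap_sem)` before the emulation is correct; add a comment at the EMUPLT `return` noting the semaphore has already been dropped.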
37883 +diff -urNp linux-2.6.24.5/arch/arm/mm/mmap.c linux-2.6.24.5/arch/arm/mm/mmap.c
37884 +--- linux-2.6.24.5/arch/arm/mm/mmap.c 2008-03-24 14:49:18.000000000 -0400
37885 ++++ linux-2.6.24.5/arch/arm/mm/mmap.c 2008-03-26 20:21:07.000000000 -0400
37886 +@@ -60,6 +60,10 @@ arch_get_unmapped_area(struct file *filp
37887 + if (len > TASK_SIZE)
37888 + return -ENOMEM;
37889 +
37890 ++#ifdef CONFIG_PAX_RANDMMAP
37891 ++ if (!(mm->pax_flags & MF_PAX_RANDMMAP) || !filp)
37892 ++#endif
37893 ++
37894 + if (addr) {
37895 + if (do_align)
37896 + addr = COLOUR_ALIGN(addr, pgoff);
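Review bot: same brace-less `#ifdef CONFIG_PAX_RANDMMAP` guard as in the alpha hunk, where the condition silently attaches to the following `if (addr) {` block; express it as one explicit condition on `addr`, `mm->pax_flags` and `filp`, and comment that file-backed mappings ignore the hint under RANDMMAP while anonymous ones do not.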
37897 +@@ -72,10 +76,10 @@ arch_get_unmapped_area(struct file *filp
37898 + return addr;
37899 + }
37900 + if (len > mm->cached_hole_size) {
37901 +- start_addr = addr = mm->free_area_cache;
37902 ++ start_addr = addr = mm->free_area_cache;
37903 + } else {
37904 +- start_addr = addr = TASK_UNMAPPED_BASE;
37905 +- mm->cached_hole_size = 0;
37906 ++ start_addr = addr = mm->mmap_base;
37907 ++ mm->cached_hole_size = 0;
37908 + }
37909 +
37910 + full_search:
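Review bot: `start_addr = addr = mm->free_area_cache;` and `mm->cached_hole_size = 0;` are removed and re-added with only whitespace differences, which inflates the hunk and hides the one real change (`TASK_UNMAPPED_BASE` to `mm->mmap_base`). Drop the whitespace-only churn, or at least keep the indentation consistent with the surrounding lines.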
37911 +@@ -91,8 +95,8 @@ full_search:
37912 + * Start a new search - just in case we missed
37913 + * some holes.
37914 + */
37915 +- if (start_addr != TASK_UNMAPPED_BASE) {
37916 +- start_addr = addr = TASK_UNMAPPED_BASE;
37917 ++ if (start_addr != mm->mmap_base) {
37918 ++ start_addr = addr = mm->mmap_base;
37919 + mm->cached_hole_size = 0;
37920 + goto full_search;
37921 + }
37922 +diff -urNp linux-2.6.24.5/arch/avr32/mm/fault.c linux-2.6.24.5/arch/avr32/mm/fault.c
37923 +--- linux-2.6.24.5/arch/avr32/mm/fault.c 2008-03-24 14:49:18.000000000 -0400
37924 ++++ linux-2.6.24.5/arch/avr32/mm/fault.c 2008-03-26 20:21:07.000000000 -0400
37925 +@@ -41,6 +41,23 @@ static inline int notify_page_fault(stru
37926 +
37927 + int exception_trace = 1;
37928 +
37929 ++#ifdef CONFIG_PAX_PAGEEXEC
37930 ++void pax_report_insns(void *pc, void *sp)
37931 ++{
37932 ++ unsigned long i;
37933 ++
37934 ++ printk(KERN_ERR "PAX: bytes at PC: ");
37935 ++ for (i = 0; i < 20; i++) {
37936 ++ unsigned char c;
37937 ++ if (get_user(c, (unsigned char *)pc+i))
37938 ++ printk("???????? ");
37939 ++ else
37940 ++ printk("%02x ", c);
37941 ++ }
37942 ++ printk("\n");
37943 ++}
37944 ++#endif
37945 ++
37946 + /*
37947 + * This routine handles page faults. It determines the address and the
37948 + * problem, and then passes it off to one of the appropriate routines.
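Review bot: the failure placeholder `printk("???????? ")` prints eight characters for a field that is otherwise two hex digits (`%02x `), so a partially unreadable PC dump misaligns; use `"?? "` here (the alpha variant dumps 32-bit words with `%08x`, where eight characters is right). The 20-byte read at `pc` relies on `get_user()` failing safely at the end of the mapping, which is fine but deserves a comment.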
37949 +@@ -157,6 +174,16 @@ bad_area:
37950 + up_read(&mm->mmap_sem);
37951 +
37952 + if (user_mode(regs)) {
37953 ++
37954 ++#ifdef CONFIG_PAX_PAGEEXEC
37955 ++ if (mm->pax_flags & MF_PAX_PAGEEXEC) {
37956 ++ if (ecr == ECR_PROTECTION_X || ecr == ECR_TLB_MISS_X) {
37957 ++ pax_report_fault(regs, (void *)regs->pc, (void *)regs->sp);
37958 ++ do_group_exit(SIGKILL);
37959 ++ }
37960 ++ }
37961 ++#endif
37962 ++
37963 + if (exception_trace && printk_ratelimit())
37964 + printk("%s%s[%d]: segfault at %08lx pc %08lx "
37965 + "sp %08lx ecr %lu\n",
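Review bot: the PAGEEXEC kill in `bad_area:` is conditioned only on `ecr == ECR_PROTECTION_X || ecr == ECR_TLB_MISS_X`, while the alpha hunk additionally requires the faulting address to equal `regs->pc`; confirm that an X-type `ecr` on avr32 guarantees the fault is the instruction fetch itself, and say so in a comment. Since `do_group_exit()` does not return, the `exception_trace` segfault message below is skipped for these faults; if that is intended, note it, otherwise log before killing.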
37966 +diff -urNp linux-2.6.24.5/arch/ia64/ia32/binfmt_elf32.c linux-2.6.24.5/arch/ia64/ia32/binfmt_elf32.c
37967 +--- linux-2.6.24.5/arch/ia64/ia32/binfmt_elf32.c 2008-03-24 14:49:18.000000000 -0400
37968 ++++ linux-2.6.24.5/arch/ia64/ia32/binfmt_elf32.c 2008-03-26 20:21:07.000000000 -0400
37969 +@@ -45,6 +45,13 @@ randomize_stack_top(unsigned long stack_
37970 +
37971 + #define elf_read_implies_exec(ex, have_pt_gnu_stack) (!(have_pt_gnu_stack))
37972 +
37973 ++#ifdef CONFIG_PAX_ASLR
37974 ++#define PAX_ELF_ET_DYN_BASE (current->personality == PER_LINUX32 ? 0x08048000UL : 0x4000000000000000UL)
37975 ++
37976 ++#define PAX_DELTA_MMAP_LEN (current->personality == PER_LINUX32 ? 16 : 3*PAGE_SHIFT - 13)
37977 ++#define PAX_DELTA_STACK_LEN (current->personality == PER_LINUX32 ? 16 : 3*PAGE_SHIFT - 13)
37978 ++#endif
37979 ++
37980 + /* Ugly but avoids duplication */
37981 + #include "../../../fs/binfmt_elf.c"
37982 +
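Review bot: the new `PAX_DELTA_MMAP_LEN` / `PAX_DELTA_STACK_LEN` values (`16` bits for PER_LINUX32, `3*PAGE_SHIFT - 13` otherwise) and the two `PAX_ELF_ET_DYN_BASE` addresses are given without explanation; add a comment deriving them so the amount of randomisation per personality is auditable. The macros are consumed by the `#include "../../../fs/binfmt_elf.c"` below, so they must stay above that include.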
37983 +diff -urNp linux-2.6.24.5/arch/ia64/ia32/ia32priv.h linux-2.6.24.5/arch/ia64/ia32/ia32priv.h
37984 +--- linux-2.6.24.5/arch/ia64/ia32/ia32priv.h 2008-03-24 14:49:18.000000000 -0400
37985 ++++ linux-2.6.24.5/arch/ia64/ia32/ia32priv.h 2008-03-26 20:21:07.000000000 -0400
37986 +@@ -303,7 +303,14 @@ struct old_linux32_dirent {
37987 + #define ELF_DATA ELFDATA2LSB
37988 + #define ELF_ARCH EM_386
37989 +
37990 +-#define IA32_STACK_TOP IA32_PAGE_OFFSET
37991 ++#ifdef CONFIG_PAX_RANDUSTACK
37992 ++#define __IA32_DELTA_STACK (current->mm->delta_stack)
37993 ++#else
37994 ++#define __IA32_DELTA_STACK 0UL
37995 ++#endif
37996 ++
37997 ++#define IA32_STACK_TOP (IA32_PAGE_OFFSET - __IA32_DELTA_STACK)
37998 ++
37999 + #define IA32_GATE_OFFSET IA32_PAGE_OFFSET
38000 + #define IA32_GATE_END IA32_PAGE_OFFSET + PAGE_SIZE
38001 +
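Review bot: `IA32_STACK_TOP` now expands to an expression that dereferences `current->mm->delta_stack`, so it can no longer be used where `current->mm` is not valid (or in a constant initialiser); a short comment on the macro should record that new dependency. Leaving `IA32_GATE_OFFSET` at the unrandomised `IA32_PAGE_OFFSET` looks intentional and is consistent with the stack only moving downwards.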
38002 +diff -urNp linux-2.6.24.5/arch/ia64/kernel/module.c linux-2.6.24.5/arch/ia64/kernel/module.c
38003 +--- linux-2.6.24.5/arch/ia64/kernel/module.c 2008-03-24 14:49:18.000000000 -0400
38004 ++++ linux-2.6.24.5/arch/ia64/kernel/module.c 2008-03-26 20:21:07.000000000 -0400
38005 +@@ -321,7 +321,7 @@ module_alloc (unsigned long size)
38006 + void
38007 + module_free (struct module *mod, void *module_region)
38008 + {
38009 +- if (mod->arch.init_unw_table && module_region == mod->module_init) {
38010 ++ if (mod->arch.init_unw_table && module_region == mod->module_init_rx) {
38011 + unw_remove_unwind_table(mod->arch.init_unw_table);
38012 + mod->arch.init_unw_table = NULL;
38013 + }
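Review bot: `module_free()` now only recognises `module_init_rx` when tearing down the unwind table, but with the RX/RW split the caller may invoke it once per region; make sure the unwind-table removal happens exactly once (on the RX pass) and that the RW pass is a deliberate no-op here, and document that at the condition.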
38014 +@@ -499,15 +499,39 @@ module_frob_arch_sections (Elf_Ehdr *ehd
38015 + }
38016 +
38017 + static inline int
38018 ++in_init_rx (const struct module *mod, uint64_t addr)
38019 ++{
38020 ++ return addr - (uint64_t) mod->module_init_rx < mod->init_size_rx;
38021 ++}
38022 ++
38023 ++static inline int
38024 ++in_init_rw (const struct module *mod, uint64_t addr)
38025 ++{
38026 ++ return addr - (uint64_t) mod->module_init_rw < mod->init_size_rw;
38027 ++}
38028 ++
38029 ++static inline int
38030 + in_init (const struct module *mod, uint64_t addr)
38031 + {
38032 +- return addr - (uint64_t) mod->module_init < mod->init_size;
38033 ++ return in_init_rx(mod, value) || in_init_rw(mod, value);
38034 ++}
38035 ++
38036 ++static inline int
38037 ++in_core_rx (const struct module *mod, uint64_t addr)
38038 ++{
38039 ++ return addr - (uint64_t) mod->module_core_rx < mod->core_size_rx;
38040 ++}
38041 ++
38042 ++static inline int
38043 ++in_core_rw (const struct module *mod, uint64_t addr)
38044 ++{
38045 ++ return addr - (uint64_t) mod->module_core_rw < mod->core_size_rw;
38046 + }
38047 +
38048 + static inline int
38049 + in_core (const struct module *mod, uint64_t addr)
38050 + {
38051 +- return addr - (uint64_t) mod->module_core < mod->core_size;
38052 ++ return in_core_rx(mod, addr) || in_core_rw(mod, addr);
38053 + }
38054 +
38055 + static inline int
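Review bot: `in_init()` references `value` although its parameter is `addr` (`return in_init_rx(mod, value) || in_init_rw(mod, value);`), so this will not compile unless an unrelated `value` happens to be in scope; it should read `return in_init_rx(mod, addr) || in_init_rw(mod, addr);`, matching the correctly written `in_core()` a few lines below.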
38056 +@@ -691,7 +715,14 @@ do_reloc (struct module *mod, uint8_t r_
38057 + break;
38058 +
38059 + case RV_BDREL:
38060 +- val -= (uint64_t) (in_init(mod, val) ? mod->module_init : mod->module_core);
38061 ++ if (in_init_rx(mod, val))
38062 ++ val -= (uint64_t) mod->module_init_rx;
38063 ++ else if (in_init_rw(mod, val))
38064 ++ val -= (uint64_t) mod->module_init_rw;
38065 ++ else if (in_core_rx(mod, val))
38066 ++ val -= (uint64_t) mod->module_core_rx;
38067 ++ else if (in_core_rw(mod, val))
38068 ++ val -= (uint64_t) mod->module_core_rw;
38069 + break;
38070 +
38071 + case RV_LTV:
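Review bot: the RV_BDREL case now leaves `val` untouched when the address is in none of the four regions, whereas the old code always subtracted a base; add a final `else` that reports the bad relocation with `printk(KERN_ERR ...)` and returns an error rather than silently emitting a wrong value.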
38072 +@@ -825,15 +856,15 @@ apply_relocate_add (Elf64_Shdr *sechdrs,
38073 + * addresses have been selected...
38074 + */
38075 + uint64_t gp;
38076 +- if (mod->core_size > MAX_LTOFF)
38077 ++ if (mod->core_size_rx + mod->core_size_rw > MAX_LTOFF)
38078 + /*
38079 + * This takes advantage of fact that SHF_ARCH_SMALL gets allocated
38080 + * at the end of the module.
38081 + */
38082 +- gp = mod->core_size - MAX_LTOFF / 2;
38083 ++ gp = mod->core_size_rx + mod->core_size_rw - MAX_LTOFF / 2;
38084 + else
38085 +- gp = mod->core_size / 2;
38086 +- gp = (uint64_t) mod->module_core + ((gp + 7) & -8);
38087 ++ gp = (mod->core_size_rx + mod->core_size_rw) / 2;
38088 ++ gp = (uint64_t) mod->module_core_rx + ((gp + 7) & -8);
38089 + mod->arch.gp = gp;
38090 + DEBUGP("%s: placing gp at 0x%lx\n", __FUNCTION__, gp);
38091 + }
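Review bot: `gp` is computed as an offset into the combined size (`mod->core_size_rx + mod->core_size_rw`) and then added to `mod->module_core_rx`; now that RX and RW are separate allocations, `module_core_rx + (rx + rw) / 2` need not point inside the module at all, and the comment about SHF_ARCH_SMALL being allocated "at the end of the module" describes a layout that no longer exists. Derive `gp` from the region that actually holds the small data (the RW core) and check the 22-bit reach against both regions.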
38092 +diff -urNp linux-2.6.24.5/arch/ia64/kernel/ptrace.c linux-2.6.24.5/arch/ia64/kernel/ptrace.c
38093 +--- linux-2.6.24.5/arch/ia64/kernel/ptrace.c 2008-03-24 14:49:18.000000000 -0400
38094 ++++ linux-2.6.24.5/arch/ia64/kernel/ptrace.c 2008-03-26 20:21:07.000000000 -0400
38095 +@@ -17,6 +17,7 @@
38096 + #include <linux/security.h>
38097 + #include <linux/audit.h>
38098 + #include <linux/signal.h>
38099 ++#include <linux/grsecurity.h>
38100 +
38101 + #include <asm/pgtable.h>
38102 + #include <asm/processor.h>
38103 +@@ -1451,6 +1452,9 @@ sys_ptrace (long request, pid_t pid, uns
38104 + if (pid == 1) /* no messing around with init! */
38105 + goto out_tsk;
38106 +
38107 ++ if (gr_handle_ptrace(child, request))
38108 ++ goto out_tsk;
38109 ++
38110 + if (request == PTRACE_ATTACH) {
38111 + ret = ptrace_attach(child);
38112 + goto out_tsk;
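Review bot: the `gr_handle_ptrace()` denial does `goto out_tsk` without assigning `ret`, so the error returned is whatever `ret` holds at that point; the preceding `if (pid == 1) goto out_tsk;` suggests it is already -EPERM, but set it explicitly (`ret = -EPERM;`) as the alpha hunk does, so a later reordering cannot turn a denial into success.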
38113 +diff -urNp linux-2.6.24.5/arch/ia64/kernel/sys_ia64.c linux-2.6.24.5/arch/ia64/kernel/sys_ia64.c
38114 +--- linux-2.6.24.5/arch/ia64/kernel/sys_ia64.c 2008-03-24 14:49:18.000000000 -0400
38115 ++++ linux-2.6.24.5/arch/ia64/kernel/sys_ia64.c 2008-03-26 20:21:07.000000000 -0400
38116 +@@ -43,6 +43,13 @@ arch_get_unmapped_area (struct file *fil
38117 + if (REGION_NUMBER(addr) == RGN_HPAGE)
38118 + addr = 0;
38119 + #endif
38120 ++
38121 ++#ifdef CONFIG_PAX_RANDMMAP
38122 ++ if ((mm->pax_flags & MF_PAX_RANDMMAP) && addr && filp)
38123 ++ addr = mm->free_area_cache;
38124 ++ else
38125 ++#endif
38126 ++
38127 + if (!addr)
38128 + addr = mm->free_area_cache;
38129 +
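Review bot: the bare `else` on the line before `#endif` attaches to the pre-existing `if (!addr)` after the `#endif`, so the original statement silently becomes the else branch of the RANDMMAP test; it compiles, but anyone inserting a statement between the two lines changes control flow, and the behaviour (discarding a caller-supplied hint for file-backed mappings when MF_PAX_RANDMMAP is set) is undocumented. Suggest braces around both branches with the non-PaX `if (!addr)` in an `#else`, plus a one-line comment saying why the hint is ignored for file mappings.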
38130 +@@ -61,9 +68,9 @@ arch_get_unmapped_area (struct file *fil
38131 + for (vma = find_vma(mm, addr); ; vma = vma->vm_next) {
38132 + /* At this point: (!vma || addr < vma->vm_end). */
38133 + if (TASK_SIZE - len < addr || RGN_MAP_LIMIT - len < REGION_OFFSET(addr)) {
38134 +- if (start_addr != TASK_UNMAPPED_BASE) {
38135 ++ if (start_addr != mm->mmap_base) {
38136 + /* Start a new search --- just in case we missed some holes. */
38137 +- addr = TASK_UNMAPPED_BASE;
38138 ++ addr = mm->mmap_base;
38139 + goto full_search;
38140 + }
38141 + return -ENOMEM;
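Review bot: replacing TASK_UNMAPPED_BASE with `mm->mmap_base` in the restart path (`addr = mm->mmap_base; goto full_search;`) assumes ia64 now initialises mmap_base for every mm, randomized or not; that initialisation (arch_pick_mmap_layout) is not in this hunk. Worth confirming it is in the same patch, since an unset mmap_base would make the second search start from address 0.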
38142 +diff -urNp linux-2.6.24.5/arch/ia64/mm/fault.c linux-2.6.24.5/arch/ia64/mm/fault.c
38143 +--- linux-2.6.24.5/arch/ia64/mm/fault.c 2008-03-24 14:49:18.000000000 -0400
38144 ++++ linux-2.6.24.5/arch/ia64/mm/fault.c 2008-03-26 20:21:07.000000000 -0400
38145 +@@ -10,6 +10,7 @@
38146 + #include <linux/interrupt.h>
38147 + #include <linux/kprobes.h>
38148 + #include <linux/kdebug.h>
38149 ++#include <linux/binfmts.h>
38150 +
38151 + #include <asm/pgtable.h>
38152 + #include <asm/processor.h>
38153 +@@ -72,6 +73,23 @@ mapped_kernel_page_is_present (unsigned
38154 + return pte_present(pte);
38155 + }
38156 +
38157 ++#ifdef CONFIG_PAX_PAGEEXEC
38158 ++void pax_report_insns(void *pc, void *sp)
38159 ++{
38160 ++ unsigned long i;
38161 ++
38162 ++ printk(KERN_ERR "PAX: bytes at PC: ");
38163 ++ for (i = 0; i < 8; i++) {
38164 ++ unsigned int c;
38165 ++ if (get_user(c, (unsigned int *)pc+i))
38166 ++ printk("???????? ");
38167 ++ else
38168 ++ printk("%08x ", c);
38169 ++ }
38170 ++ printk("\n");
38171 ++}
38172 ++#endif
38173 ++
38174 + void __kprobes
38175 + ia64_do_page_fault (unsigned long address, unsigned long isr, struct pt_regs *regs)
38176 + {
38177 +@@ -145,9 +163,23 @@ ia64_do_page_fault (unsigned long addres
38178 + mask = ( (((isr >> IA64_ISR_X_BIT) & 1UL) << VM_EXEC_BIT)
38179 + | (((isr >> IA64_ISR_W_BIT) & 1UL) << VM_WRITE_BIT));
38180 +
38181 +- if ((vma->vm_flags & mask) != mask)
38182 ++ if ((vma->vm_flags & mask) != mask) {
38183 ++
38184 ++#ifdef CONFIG_PAX_PAGEEXEC
38185 ++ if (!(vma->vm_flags & VM_EXEC) && (mask & VM_EXEC)) {
38186 ++ if (!(mm->pax_flags & MF_PAX_PAGEEXEC) || address != regs->cr_iip)
38187 ++ goto bad_area;
38188 ++
38189 ++ up_read(&mm->mmap_sem);
38190 ++ pax_report_fault(regs, (void *)regs->cr_iip, (void *)regs->r12);
38191 ++ do_group_exit(SIGKILL);
38192 ++ }
38193 ++#endif
38194 ++
38195 + goto bad_area;
38196 +
38197 ++ }
38198 ++
38199 + survive:
38200 + /*
38201 + * If for any reason at all we couldn't handle the fault, make
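Review bot: the inner `goto bad_area` in the PAGEEXEC block and the outer `goto bad_area` after the `#endif` do the same thing, and the added `{ ... }` wrapper with stray blank lines makes the flow harder to read than it needs to be. A single test, `if (!(vma->vm_flags & VM_EXEC) && (mask & VM_EXEC) && (mm->pax_flags & MF_PAX_PAGEEXEC) && address == regs->cr_iip) { up_read(&mm->mmap_sem); pax_report_fault(...); do_group_exit(SIGKILL); }`, followed by the original unconditional `goto bad_area`, drops the nested goto entirely. Releasing mmap_sem before do_group_exit() is correct, since that path never returns here.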
38202 +diff -urNp linux-2.6.24.5/arch/ia64/mm/init.c linux-2.6.24.5/arch/ia64/mm/init.c
38203 +--- linux-2.6.24.5/arch/ia64/mm/init.c 2008-03-24 14:49:18.000000000 -0400
38204 ++++ linux-2.6.24.5/arch/ia64/mm/init.c 2008-03-26 20:21:07.000000000 -0400
38205 +@@ -20,8 +20,8 @@
38206 + #include <linux/proc_fs.h>
38207 + #include <linux/bitops.h>
38208 + #include <linux/kexec.h>
38209 ++#include <linux/a.out.h>
38210 +
38211 +-#include <asm/a.out.h>
38212 + #include <asm/dma.h>
38213 + #include <asm/ia32.h>
38214 + #include <asm/io.h>
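Review bot: swapping `<asm/a.out.h>` for `<linux/a.out.h>` is unrelated to the PAGEEXEC change in the next hunk and is not explained; if a definition used below needs the linux/ wrapper, say so in the log, otherwise it reads as an accidental inclusion in this patch.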
38215 +@@ -128,6 +128,19 @@ ia64_init_addr_space (void)
38216 + vma->vm_start = current->thread.rbs_bot & PAGE_MASK;
38217 + vma->vm_end = vma->vm_start + PAGE_SIZE;
38218 + vma->vm_flags = VM_DATA_DEFAULT_FLAGS|VM_GROWSUP|VM_ACCOUNT;
38219 ++
38220 ++#ifdef CONFIG_PAX_PAGEEXEC
38221 ++ if (current->mm->pax_flags & MF_PAX_PAGEEXEC) {
38222 ++ vm->vm_flags &= ~VM_EXEC;
38223 ++
38224 ++#ifdef CONFIG_PAX_MPROTECT
38225 ++ if (current->mm->pax_flags & MF_PAX_MPROTECT)
38226 ++ vma->vm_flags &= ~VM_MAYEXEC;
38227 ++#endif
38228 ++
38229 ++ }
38230 ++#endif
38231 ++
38232 + vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
38233 + down_write(&current->mm->mmap_sem);
38234 + if (insert_vm_struct(current->mm, vma)) {
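Review bot: `vm->vm_flags &= ~VM_EXEC;` in the PAGEEXEC block refers to a variable `vm` that does not exist in this function; every other line in the hunk uses `vma` (`vma->vm_flags &= ~VM_MAYEXEC;` two lines below), so this will not compile with CONFIG_PAX_PAGEEXEC enabled on ia64. Should read `vma->vm_flags &= ~VM_EXEC;`.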
38235 +diff -urNp linux-2.6.24.5/arch/mips/kernel/binfmt_elfn32.c linux-2.6.24.5/arch/mips/kernel/binfmt_elfn32.c
38236 +--- linux-2.6.24.5/arch/mips/kernel/binfmt_elfn32.c 2008-03-24 14:49:18.000000000 -0400
38237 ++++ linux-2.6.24.5/arch/mips/kernel/binfmt_elfn32.c 2008-03-26 20:21:07.000000000 -0400
38238 +@@ -50,6 +50,13 @@ typedef elf_fpreg_t elf_fpregset_t[ELF_N
38239 + #undef ELF_ET_DYN_BASE
38240 + #define ELF_ET_DYN_BASE (TASK32_SIZE / 3 * 2)
38241 +
38242 ++#ifdef CONFIG_PAX_ASLR
38243 ++#define PAX_ELF_ET_DYN_BASE ((current->thread.mflags & MF_32BIT_ADDR) ? 0x00400000UL : 0x00400000UL)
38244 ++
38245 ++#define PAX_DELTA_MMAP_LEN ((current->thread.mflags & MF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
38246 ++#define PAX_DELTA_STACK_LEN ((current->thread.mflags & MF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
38247 ++#endif
38248 ++
38249 + #include <asm/processor.h>
38250 + #include <linux/module.h>
38251 + #include <linux/elfcore.h>
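Review bot: `PAX_ELF_ET_DYN_BASE` selects `0x00400000UL` in both arms of the `MF_32BIT_ADDR` conditional, so the ternary is dead; either the two address modes were meant to get different bases (the PAX_DELTA_*_LEN macros right below do distinguish them, 27 vs 36 bits) or the macro should simply be `#define PAX_ELF_ET_DYN_BASE 0x00400000UL`. The identical definition appears in binfmt_elfo32.c, so whichever fix is chosen belongs in both.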
38252 +diff -urNp linux-2.6.24.5/arch/mips/kernel/binfmt_elfo32.c linux-2.6.24.5/arch/mips/kernel/binfmt_elfo32.c
38253 +--- linux-2.6.24.5/arch/mips/kernel/binfmt_elfo32.c 2008-03-24 14:49:18.000000000 -0400
38254 ++++ linux-2.6.24.5/arch/mips/kernel/binfmt_elfo32.c 2008-03-26 20:21:07.000000000 -0400
38255 +@@ -52,6 +52,13 @@ typedef elf_fpreg_t elf_fpregset_t[ELF_N
38256 + #undef ELF_ET_DYN_BASE
38257 + #define ELF_ET_DYN_BASE (TASK32_SIZE / 3 * 2)
38258 +
38259 ++#ifdef CONFIG_PAX_ASLR
38260 ++#define PAX_ELF_ET_DYN_BASE ((current->thread.mflags & MF_32BIT_ADDR) ? 0x00400000UL : 0x00400000UL)
38261 ++
38262 ++#define PAX_DELTA_MMAP_LEN ((current->thread.mflags & MF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
38263 ++#define PAX_DELTA_STACK_LEN ((current->thread.mflags & MF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
38264 ++#endif
38265 ++
38266 + #include <asm/processor.h>
38267 + #include <linux/module.h>
38268 + #include <linux/elfcore.h>
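Review bot: same dead ternary in `PAX_ELF_ET_DYN_BASE` as in the binfmt_elfn32.c hunk above; both arms yield `0x00400000UL`.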
38269 +diff -urNp linux-2.6.24.5/arch/mips/kernel/syscall.c linux-2.6.24.5/arch/mips/kernel/syscall.c
38270 +--- linux-2.6.24.5/arch/mips/kernel/syscall.c 2008-03-24 14:49:18.000000000 -0400
38271 ++++ linux-2.6.24.5/arch/mips/kernel/syscall.c 2008-03-26 20:21:07.000000000 -0400
38272 +@@ -93,6 +93,11 @@ unsigned long arch_get_unmapped_area(str
38273 + do_color_align = 0;
38274 + if (filp || (flags & MAP_SHARED))
38275 + do_color_align = 1;
38276 ++
38277 ++#ifdef CONFIG_PAX_RANDMMAP
38278 ++ if (!(current->mm->pax_flags & MF_PAX_RANDMMAP) || !filp)
38279 ++#endif
38280 ++
38281 + if (addr) {
38282 + if (do_color_align)
38283 + addr = COLOUR_ALIGN(addr, pgoff);
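Review bot: the `if (!(current->mm->pax_flags & MF_PAX_RANDMMAP) || !filp)` inside the `#ifdef` has no body of its own; it takes the pre-existing `if (addr) { ... }` block after the `#endif` as its statement, which compiles but reads as two unrelated tests. Folding the condition into the existing test under the ifdef (`if (addr && (!(current->mm->pax_flags & MF_PAX_RANDMMAP) || !filp))`, with the plain `if (addr)` in an `#else`) makes the intent explicit: a hint is honoured only when randomization is off or the mapping is anonymous.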
38284 +@@ -103,7 +108,7 @@ unsigned long arch_get_unmapped_area(str
38285 + (!vmm || addr + len <= vmm->vm_start))
38286 + return addr;
38287 + }
38288 +- addr = TASK_UNMAPPED_BASE;
38289 ++ addr = current->mm->mmap_base;
38290 + if (do_color_align)
38291 + addr = COLOUR_ALIGN(addr, pgoff);
38292 + else
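Review bot: `addr = current->mm->mmap_base;` needs mips to populate mmap_base for every mm, which TASK_UNMAPPED_BASE did not require; as with the ia64 sys_ia64.c and parisc sys_parisc.c hunks in this patch, the arch_pick_mmap_layout side is not visible here and should be checked in the same change.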
38293 +diff -urNp linux-2.6.24.5/arch/mips/mm/fault.c linux-2.6.24.5/arch/mips/mm/fault.c
38294 +--- linux-2.6.24.5/arch/mips/mm/fault.c 2008-03-24 14:49:18.000000000 -0400
38295 ++++ linux-2.6.24.5/arch/mips/mm/fault.c 2008-03-26 20:21:07.000000000 -0400
38296 +@@ -26,6 +26,23 @@
38297 + #include <asm/ptrace.h>
38298 + #include <asm/highmem.h> /* For VMALLOC_END */
38299 +
38300 ++#ifdef CONFIG_PAX_PAGEEXEC
38301 ++void pax_report_insns(void *pc)
38302 ++{
38303 ++ unsigned long i;
38304 ++
38305 ++ printk(KERN_ERR "PAX: bytes at PC: ");
38306 ++ for (i = 0; i < 5; i++) {
38307 ++ unsigned int c;
38308 ++ if (get_user(c, (unsigned int *)pc+i))
38309 ++ printk("???????? ");
38310 ++ else
38311 ++ printk("%08x ", c);
38312 ++ }
38313 ++ printk("\n");
38314 ++}
38315 ++#endif
38316 ++
38317 + /*
38318 + * This routine handles page faults. It determines the address,
38319 + * and the problem, and then passes it off to one of the appropriate
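Review bot: `pax_report_insns(void *pc)` takes one argument here, while the ia64 and parisc definitions in this patch are `pax_report_insns(void *pc, void *sp)`; whichever prototype the shared header declares, one of the definitions conflicts with it and the call from pax_report_fault() will not match on that architecture. Make the mips version take `(void *pc, void *sp)` as well (it can ignore sp).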
38320 +diff -urNp linux-2.6.24.5/arch/parisc/kernel/module.c linux-2.6.24.5/arch/parisc/kernel/module.c
38321 +--- linux-2.6.24.5/arch/parisc/kernel/module.c 2008-03-24 14:49:18.000000000 -0400
38322 ++++ linux-2.6.24.5/arch/parisc/kernel/module.c 2008-03-26 20:21:07.000000000 -0400
38323 +@@ -73,16 +73,38 @@
38324 +
38325 + /* three functions to determine where in the module core
38326 + * or init pieces the location is */
38327 ++static inline int in_init_rx(struct module *me, void *loc)
38328 ++{
38329 ++ return (loc >= me->module_init_rx &&
38330 ++ loc < (me->module_init_rx + me->init_size_rx));
38331 ++}
38332 ++
38333 ++static inline int in_init_rw(struct module *me, void *loc)
38334 ++{
38335 ++ return (loc >= me->module_init_rw &&
38336 ++ loc < (me->module_init_rw + me->init_size_rw));
38337 ++}
38338 ++
38339 + static inline int in_init(struct module *me, void *loc)
38340 + {
38341 +- return (loc >= me->module_init &&
38342 +- loc <= (me->module_init + me->init_size));
38343 ++ return in_init_rx(me, loc) || in_init_rw(me, loc);
38344 ++}
38345 ++
38346 ++static inline int in_core_rx(struct module *me, void *loc)
38347 ++{
38348 ++ return (loc >= me->module_core_rx &&
38349 ++ loc < (me->module_core_rx + me->core_size_rx));
38350 ++}
38351 ++
38352 ++static inline int in_core_rw(struct module *me, void *loc)
38353 ++{
38354 ++ return (loc >= me->module_core_rw &&
38355 ++ loc < (me->module_core_rw + me->core_size_rw));
38356 + }
38357 +
38358 + static inline int in_core(struct module *me, void *loc)
38359 + {
38360 +- return (loc >= me->module_core &&
38361 +- loc <= (me->module_core + me->core_size));
38362 ++ return in_core_rx(me, loc) || in_core_rw(me, loc);
38363 + }
38364 +
38365 + static inline int in_local(struct module *me, void *loc)
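Review bot: besides splitting the ranges, the new in_*_rx/in_*_rw helpers change the upper bound from `<=` to `<` (`loc < (me->module_init_rx + me->init_size_rx)`), which fixes the off-by-one in the original in_init()/in_core() that accepted the first byte past the region; that is a behavioural fix worth a line in the log. The in_init()/in_core() wrappers remain for callers that do not care which half an address is in, but any caller that derives a base pointer must use the rx/rw-specific variants, as get_got()/get_stub() below do.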
38366 +@@ -296,21 +318,21 @@ int module_frob_arch_sections(CONST Elf_
38367 + }
38368 +
38369 + /* align things a bit */
38370 +- me->core_size = ALIGN(me->core_size, 16);
38371 +- me->arch.got_offset = me->core_size;
38372 +- me->core_size += gots * sizeof(struct got_entry);
38373 +-
38374 +- me->core_size = ALIGN(me->core_size, 16);
38375 +- me->arch.fdesc_offset = me->core_size;
38376 +- me->core_size += fdescs * sizeof(Elf_Fdesc);
38377 +-
38378 +- me->core_size = ALIGN(me->core_size, 16);
38379 +- me->arch.stub_offset = me->core_size;
38380 +- me->core_size += stubs * sizeof(struct stub_entry);
38381 +-
38382 +- me->init_size = ALIGN(me->init_size, 16);
38383 +- me->arch.init_stub_offset = me->init_size;
38384 +- me->init_size += init_stubs * sizeof(struct stub_entry);
38385 ++ me->core_size_rw = ALIGN(me->core_size_rw, 16);
38386 ++ me->arch.got_offset = me->core_size_rw;
38387 ++ me->core_size_rw += gots * sizeof(struct got_entry);
38388 ++
38389 ++ me->core_size_rw = ALIGN(me->core_size_rw, 16);
38390 ++ me->arch.fdesc_offset = me->core_size_rw;
38391 ++ me->core_size_rw += fdescs * sizeof(Elf_Fdesc);
38392 ++
38393 ++ me->core_size_rx = ALIGN(me->core_size_rx, 16);
38394 ++ me->arch.stub_offset = me->core_size_rx;
38395 ++ me->core_size_rx += stubs * sizeof(struct stub_entry);
38396 ++
38397 ++ me->init_size_rx = ALIGN(me->init_size_rx, 16);
38398 ++ me->arch.init_stub_offset = me->init_size_rx;
38399 ++ me->init_size_rx += init_stubs * sizeof(struct stub_entry);
38400 +
38401 + me->arch.got_max = gots;
38402 + me->arch.fdesc_max = fdescs;
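Review bot: the GOT and function descriptors are now sized into `core_size_rw` and the stubs into `core_size_rx`, which is the right split (stubs are executed, GOT and fdesc entries are written during relocation), but nothing in the hunk says so; a short comment on the got/fdesc block would save the next reader from re-deriving it. Note that get_fdesc() and register_unwind_table() below both compute gp as `module_core_rw + got_offset`, so the GOT, the descriptors and gp must stay in the rw section together.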
38403 +@@ -330,7 +352,7 @@ static Elf64_Word get_got(struct module
38404 +
38405 + BUG_ON(value == 0);
38406 +
38407 +- got = me->module_core + me->arch.got_offset;
38408 ++ got = me->module_core_rw + me->arch.got_offset;
38409 + for (i = 0; got[i].addr; i++)
38410 + if (got[i].addr == value)
38411 + goto out;
38412 +@@ -348,7 +370,7 @@ static Elf64_Word get_got(struct module
38413 + #ifdef CONFIG_64BIT
38414 + static Elf_Addr get_fdesc(struct module *me, unsigned long value)
38415 + {
38416 +- Elf_Fdesc *fdesc = me->module_core + me->arch.fdesc_offset;
38417 ++ Elf_Fdesc *fdesc = me->module_core_rw + me->arch.fdesc_offset;
38418 +
38419 + if (!value) {
38420 + printk(KERN_ERR "%s: zero OPD requested!\n", me->name);
38421 +@@ -366,7 +388,7 @@ static Elf_Addr get_fdesc(struct module
38422 +
38423 + /* Create new one */
38424 + fdesc->addr = value;
38425 +- fdesc->gp = (Elf_Addr)me->module_core + me->arch.got_offset;
38426 ++ fdesc->gp = (Elf_Addr)me->module_core_rw + me->arch.got_offset;
38427 + return (Elf_Addr)fdesc;
38428 + }
38429 + #endif /* CONFIG_64BIT */
38430 +@@ -386,12 +408,12 @@ static Elf_Addr get_stub(struct module *
38431 + if(init_section) {
38432 + i = me->arch.init_stub_count++;
38433 + BUG_ON(me->arch.init_stub_count > me->arch.init_stub_max);
38434 +- stub = me->module_init + me->arch.init_stub_offset +
38435 ++ stub = me->module_init_rx + me->arch.init_stub_offset +
38436 + i * sizeof(struct stub_entry);
38437 + } else {
38438 + i = me->arch.stub_count++;
38439 + BUG_ON(me->arch.stub_count > me->arch.stub_max);
38440 +- stub = me->module_core + me->arch.stub_offset +
38441 ++ stub = me->module_core_rx + me->arch.stub_offset +
38442 + i * sizeof(struct stub_entry);
38443 + }
38444 +
38445 +@@ -759,7 +781,7 @@ register_unwind_table(struct module *me,
38446 +
38447 + table = (unsigned char *)sechdrs[me->arch.unwind_section].sh_addr;
38448 + end = table + sechdrs[me->arch.unwind_section].sh_size;
38449 +- gp = (Elf_Addr)me->module_core + me->arch.got_offset;
38450 ++ gp = (Elf_Addr)me->module_core_rw + me->arch.got_offset;
38451 +
38452 + DEBUGP("register_unwind_table(), sect = %d at 0x%p - 0x%p (gp=0x%lx)\n",
38453 + me->arch.unwind_section, table, end, gp);
38454 +diff -urNp linux-2.6.24.5/arch/parisc/kernel/sys_parisc.c linux-2.6.24.5/arch/parisc/kernel/sys_parisc.c
38455 +--- linux-2.6.24.5/arch/parisc/kernel/sys_parisc.c 2008-03-24 14:49:18.000000000 -0400
38456 ++++ linux-2.6.24.5/arch/parisc/kernel/sys_parisc.c 2008-03-26 20:21:07.000000000 -0400
38457 +@@ -111,7 +111,7 @@ unsigned long arch_get_unmapped_area(str
38458 + if (flags & MAP_FIXED)
38459 + return addr;
38460 + if (!addr)
38461 +- addr = TASK_UNMAPPED_BASE;
38462 ++ addr = current->mm->mmap_base;
38463 +
38464 + if (filp) {
38465 + addr = get_shared_area(filp->f_mapping, addr, len, pgoff);
38466 +diff -urNp linux-2.6.24.5/arch/parisc/kernel/traps.c linux-2.6.24.5/arch/parisc/kernel/traps.c
38467 +--- linux-2.6.24.5/arch/parisc/kernel/traps.c 2008-03-24 14:49:18.000000000 -0400
38468 ++++ linux-2.6.24.5/arch/parisc/kernel/traps.c 2008-03-26 20:21:07.000000000 -0400
38469 +@@ -713,9 +713,7 @@ void handle_interruption(int code, struc
38470 +
38471 + down_read(&current->mm->mmap_sem);
38472 + vma = find_vma(current->mm,regs->iaoq[0]);
38473 +- if (vma && (regs->iaoq[0] >= vma->vm_start)
38474 +- && (vma->vm_flags & VM_EXEC)) {
38475 +-
38476 ++ if (vma && (regs->iaoq[0] >= vma->vm_start)) {
38477 + fault_address = regs->iaoq[0];
38478 + fault_space = regs->iasq[0];
38479 +
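Review bot: dropping the `(vma->vm_flags & VM_EXEC)` test means an instruction fetch from a mapped but non-executable VMA now continues into the page-fault path instead of being treated as fatal here; that is what lets the PAGEEXEC handling in parisc/mm/fault.c see the fault, but to a reader of this file alone it looks like a protection check being removed, so a comment is warranted. Also confirm that do_page_fault() still ends such a fault in bad_area when CONFIG_PAX_PAGEEXEC is off (the fault.c hunk below keeps the `goto bad_area`), so non-PaX behaviour is unchanged.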
38480 +diff -urNp linux-2.6.24.5/arch/parisc/mm/fault.c linux-2.6.24.5/arch/parisc/mm/fault.c
38481 +--- linux-2.6.24.5/arch/parisc/mm/fault.c 2008-03-24 14:49:18.000000000 -0400
38482 ++++ linux-2.6.24.5/arch/parisc/mm/fault.c 2008-03-26 20:21:07.000000000 -0400
38483 +@@ -16,6 +16,8 @@
38484 + #include <linux/sched.h>
38485 + #include <linux/interrupt.h>
38486 + #include <linux/module.h>
38487 ++#include <linux/unistd.h>
38488 ++#include <linux/binfmts.h>
38489 +
38490 + #include <asm/uaccess.h>
38491 + #include <asm/traps.h>
38492 +@@ -53,7 +55,7 @@ DEFINE_PER_CPU(struct exception_data, ex
38493 + static unsigned long
38494 + parisc_acctyp(unsigned long code, unsigned int inst)
38495 + {
38496 +- if (code == 6 || code == 16)
38497 ++ if (code == 6 || code == 7 || code == 16)
38498 + return VM_EXEC;
38499 +
38500 + switch (inst & 0xf0000000) {
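Review bot: adding `code == 7` (instruction memory protection trap) to the VM_EXEC cases is what makes the traps.c change above useful, since an execute attempt on a present but non-executable page arrives with that code rather than 6 or 16; a one-line comment naming the three codes would help, as the magic numbers are otherwise unexplained.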
38501 +@@ -139,6 +141,116 @@ parisc_acctyp(unsigned long code, unsign
38502 + }
38503 + #endif
38504 +
38505 ++#ifdef CONFIG_PAX_PAGEEXEC
38506 ++/*
38507 ++ * PaX: decide what to do with offenders (instruction_pointer(regs) = fault address)
38508 ++ *
38509 ++ * returns 1 when task should be killed
38510 ++ * 2 when rt_sigreturn trampoline was detected
38511 ++ * 3 when unpatched PLT trampoline was detected
38512 ++ */
38513 ++static int pax_handle_fetch_fault(struct pt_regs *regs)
38514 ++{
38515 ++
38516 ++#ifdef CONFIG_PAX_EMUPLT
38517 ++ int err;
38518 ++
38519 ++ do { /* PaX: unpatched PLT emulation */
38520 ++ unsigned int bl, depwi;
38521 ++
38522 ++ err = get_user(bl, (unsigned int *)instruction_pointer(regs));
38523 ++ err |= get_user(depwi, (unsigned int *)(instruction_pointer(regs)+4));
38524 ++
38525 ++ if (err)
38526 ++ break;
38527 ++
38528 ++ if (bl == 0xEA9F1FDDU && depwi == 0xD6801C1EU) {
38529 ++ unsigned int ldw, bv, ldw2, addr = instruction_pointer(regs)-12;
38530 ++
38531 ++ err = get_user(ldw, (unsigned int *)addr);
38532 ++ err |= get_user(bv, (unsigned int *)(addr+4));
38533 ++ err |= get_user(ldw2, (unsigned int *)(addr+8));
38534 ++
38535 ++ if (err)
38536 ++ break;
38537 ++
38538 ++ if (ldw == 0x0E801096U &&
38539 ++ bv == 0xEAC0C000U &&
38540 ++ ldw2 == 0x0E881095U)
38541 ++ {
38542 ++ unsigned int resolver, map;
38543 ++
38544 ++ err = get_user(resolver, (unsigned int *)(instruction_pointer(regs)+8));
38545 ++ err |= get_user(map, (unsigned int *)(instruction_pointer(regs)+12));
38546 ++ if (err)
38547 ++ break;
38548 ++
38549 ++ regs->gr[20] = instruction_pointer(regs)+8;
38550 ++ regs->gr[21] = map;
38551 ++ regs->gr[22] = resolver;
38552 ++ regs->iaoq[0] = resolver | 3UL;
38553 ++ regs->iaoq[1] = regs->iaoq[0] + 4;
38554 ++ return 3;
38555 ++ }
38556 ++ }
38557 ++ } while (0);
38558 ++#endif
38559 ++
38560 ++#ifdef CONFIG_PAX_EMUTRAMP
38561 ++
38562 ++#ifndef CONFIG_PAX_EMUSIGRT
38563 ++ if (!(current->mm->pax_flags & MF_PAX_EMUTRAMP))
38564 ++ return 1;
38565 ++#endif
38566 ++
38567 ++ do { /* PaX: rt_sigreturn emulation */
38568 ++ unsigned int ldi1, ldi2, bel, nop;
38569 ++
38570 ++ err = get_user(ldi1, (unsigned int *)instruction_pointer(regs));
38571 ++ err |= get_user(ldi2, (unsigned int *)(instruction_pointer(regs)+4));
38572 ++ err |= get_user(bel, (unsigned int *)(instruction_pointer(regs)+8));
38573 ++ err |= get_user(nop, (unsigned int *)(instruction_pointer(regs)+12));
38574 ++
38575 ++ if (err)
38576 ++ break;
38577 ++
38578 ++ if ((ldi1 == 0x34190000U || ldi1 == 0x34190002U) &&
38579 ++ ldi2 == 0x3414015AU &&
38580 ++ bel == 0xE4008200U &&
38581 ++ nop == 0x08000240U)
38582 ++ {
38583 ++ regs->gr[25] = (ldi1 & 2) >> 1;
38584 ++ regs->gr[20] = __NR_rt_sigreturn;
38585 ++ regs->gr[31] = regs->iaoq[1] + 16;
38586 ++ regs->sr[0] = regs->iasq[1];
38587 ++ regs->iaoq[0] = 0x100UL;
38588 ++ regs->iaoq[1] = regs->iaoq[0] + 4;
38589 ++ regs->iasq[0] = regs->sr[2];
38590 ++ regs->iasq[1] = regs->sr[2];
38591 ++ return 2;
38592 ++ }
38593 ++ } while (0);
38594 ++#endif
38595 ++
38596 ++ return 1;
38597 ++}
38598 ++
38599 ++void pax_report_insns(void *pc, void *sp)
38600 ++{
38601 ++ unsigned long i;
38602 ++
38603 ++ printk(KERN_ERR "PAX: bytes at PC: ");
38604 ++ for (i = 0; i < 5; i++) {
38605 ++ unsigned int c;
38606 ++ if (get_user(c, (unsigned int *)pc+i))
38607 ++ printk("???????? ");
38608 ++ else
38609 ++ printk("%08x ", c);
38610 ++ }
38611 ++ printk("\n");
38612 ++}
38613 ++#endif
38614 ++
38615 + void do_page_fault(struct pt_regs *regs, unsigned long code,
38616 + unsigned long address)
38617 + {
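Review bot: `int err;` is declared only inside the `#ifdef CONFIG_PAX_EMUPLT` block but is used again by the rt_sigreturn emulation under `#ifdef CONFIG_PAX_EMUTRAMP` (`err = get_user(ldi1, ...)`), so a configuration with EMUTRAMP and without EMUPLT does not compile. Declare it under `#if defined(CONFIG_PAX_EMUPLT) || defined(CONFIG_PAX_EMUTRAMP)`, as the powerpc version of this function does for its EMUPLT/EMUSIGRT pair. The instruction-word constants (`0xEA9F1FDDU`, `0xD6801C1EU`, `0x3414015AU`, ...) also deserve a comment giving the mnemonic each decodes to; the local variable names hint at it but are not a specification.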
38618 +@@ -165,8 +277,33 @@ good_area:
38619 +
38620 + acc_type = parisc_acctyp(code,regs->iir);
38621 +
38622 +- if ((vma->vm_flags & acc_type) != acc_type)
38623 ++ if ((vma->vm_flags & acc_type) != acc_type) {
38624 ++
38625 ++#ifdef CONFIG_PAX_PAGEEXEC
38626 ++ if ((mm->pax_flags & MF_PAX_PAGEEXEC) && (acc_type & VM_EXEC) &&
38627 ++ (address & ~3UL) == instruction_pointer(regs))
38628 ++ {
38629 ++ up_read(&mm->mmap_sem);
38630 ++ switch (pax_handle_fetch_fault(regs)) {
38631 ++
38632 ++#ifdef CONFIG_PAX_EMUPLT
38633 ++ case 3:
38634 ++ return;
38635 ++#endif
38636 ++
38637 ++#ifdef CONFIG_PAX_EMUTRAMP
38638 ++ case 2:
38639 ++ return;
38640 ++#endif
38641 ++
38642 ++ }
38643 ++ pax_report_fault(regs, (void *)instruction_pointer(regs), (void *)regs->gr[30]);
38644 ++ do_group_exit(SIGKILL);
38645 ++ }
38646 ++#endif
38647 ++
38648 + goto bad_area;
38649 ++ }
38650 +
38651 + /*
38652 + * If for any reason at all we couldn't handle the fault, make
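Review bot: the `switch (pax_handle_fetch_fault(regs))` has no `default` and, with neither CONFIG_PAX_EMUPLT nor CONFIG_PAX_EMUTRAMP set, no cases at all before falling through to the kill; `if (pax_handle_fetch_fault(regs) != 1) return;` inside the same ifdefs says the same thing without an empty switch. Releasing mmap_sem before calling the emulation (which reads user memory via get_user) and before do_group_exit() is correct. The `(address & ~3UL) == instruction_pointer(regs)` comparison masks the privilege-level bits carried in the low two bits of iaoq, which is worth a comment.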
38653 +diff -urNp linux-2.6.24.5/arch/powerpc/kernel/module_32.c linux-2.6.24.5/arch/powerpc/kernel/module_32.c
38654 +--- linux-2.6.24.5/arch/powerpc/kernel/module_32.c 2008-03-24 14:49:18.000000000 -0400
38655 ++++ linux-2.6.24.5/arch/powerpc/kernel/module_32.c 2008-03-26 20:21:07.000000000 -0400
38656 +@@ -126,7 +126,7 @@ int module_frob_arch_sections(Elf32_Ehdr
38657 + me->arch.core_plt_section = i;
38658 + }
38659 + if (!me->arch.core_plt_section || !me->arch.init_plt_section) {
38660 +- printk("Module doesn't contain .plt or .init.plt sections.\n");
38661 ++ printk("Module %s doesn't contain .plt or .init.plt sections.\n", me->name);
38662 + return -ENOEXEC;
38663 + }
38664 +
38665 +@@ -167,11 +167,16 @@ static uint32_t do_plt_call(void *locati
38666 +
38667 + DEBUGP("Doing plt for call to 0x%x at 0x%x\n", val, (unsigned int)location);
38668 + /* Init, or core PLT? */
38669 +- if (location >= mod->module_core
38670 +- && location < mod->module_core + mod->core_size)
38671 ++ if ((location >= mod->module_core_rx && location < mod->module_core_rx + mod->core_size_rx) ||
38672 ++ (location >= mod->module_core_rw && location < mod->module_core_rw + mod->core_size_rw))
38673 + entry = (void *)sechdrs[mod->arch.core_plt_section].sh_addr;
38674 +- else
38675 ++ else if ((location >= mod->module_init_rx && location < mod->module_init_rx + mod->init_size_rx) ||
38676 ++ (location >= mod->module_init_rw && location < mod->module_init_rw + mod->init_size_rw))
38677 + entry = (void *)sechdrs[mod->arch.init_plt_section].sh_addr;
38678 ++ else {
38679 ++ printk(KERN_ERR "%s: invalid R_PPC_REL24 entry found\n", mod->name);
38680 ++ return ~0UL;
38681 ++ }
38682 +
38683 + /* Find this entry, or if that fails, the next avail. entry */
38684 + while (entry->jump[0]) {
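Review bot: the new `return ~0UL;` error path needs a matching check in the caller; do_plt_call() returns uint32_t, so apply_relocate_add() receives 0xffffffff and, unless it tests for that value (the caller is not in this hunk), will encode it as the R_PPC_REL24 branch target and keep loading the module. Either make the caller fail the relocation on the sentinel, or return 0 and test for zero, since a PLT entry address of 0 is never valid either way.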
38685 +diff -urNp linux-2.6.24.5/arch/powerpc/kernel/signal_32.c linux-2.6.24.5/arch/powerpc/kernel/signal_32.c
38686 +--- linux-2.6.24.5/arch/powerpc/kernel/signal_32.c 2008-03-24 14:49:18.000000000 -0400
38687 ++++ linux-2.6.24.5/arch/powerpc/kernel/signal_32.c 2008-03-26 20:21:07.000000000 -0400
38688 +@@ -731,7 +731,7 @@ int handle_rt_signal32(unsigned long sig
38689 + /* Save user registers on the stack */
38690 + frame = &rt_sf->uc.uc_mcontext;
38691 + addr = frame;
38692 +- if (vdso32_rt_sigtramp && current->mm->context.vdso_base) {
38693 ++ if (vdso32_rt_sigtramp && current->mm->context.vdso_base != ~0UL) {
38694 + if (save_user_regs(regs, frame, 0))
38695 + goto badframe;
38696 + regs->link = current->mm->context.vdso_base + vdso32_rt_sigtramp;
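Review bot: changing the "no vDSO" sentinel from 0 to ~0UL in `current->mm->context.vdso_base != ~0UL` is only safe if every mm gets vdso_base initialised to ~0UL, including mm contexts created by paths that never reach arch_setup_additional_pages(); the init_new_context side is not in this patch. Any mm left at 0 is now treated as having a live vdso mapping at address 0 and the signal return address is pointed into the zero page. The same applies to the signal_64.c hunk below.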
38697 +diff -urNp linux-2.6.24.5/arch/powerpc/kernel/signal_64.c linux-2.6.24.5/arch/powerpc/kernel/signal_64.c
38698 +--- linux-2.6.24.5/arch/powerpc/kernel/signal_64.c 2008-03-24 14:49:18.000000000 -0400
38699 ++++ linux-2.6.24.5/arch/powerpc/kernel/signal_64.c 2008-03-26 20:21:07.000000000 -0400
38700 +@@ -369,7 +369,7 @@ int handle_rt_signal64(int signr, struct
38701 + current->thread.fpscr.val = 0;
38702 +
38703 + /* Set up to return from userspace. */
38704 +- if (vdso64_rt_sigtramp && current->mm->context.vdso_base) {
38705 ++ if (vdso64_rt_sigtramp && current->mm->context.vdso_base != ~0UL) {
38706 + regs->link = current->mm->context.vdso_base + vdso64_rt_sigtramp;
38707 + } else {
38708 + err |= setup_trampoline(__NR_rt_sigreturn, &frame->tramp[0]);
38709 +diff -urNp linux-2.6.24.5/arch/powerpc/kernel/vdso.c linux-2.6.24.5/arch/powerpc/kernel/vdso.c
38710 +--- linux-2.6.24.5/arch/powerpc/kernel/vdso.c 2008-03-24 14:49:18.000000000 -0400
38711 ++++ linux-2.6.24.5/arch/powerpc/kernel/vdso.c 2008-03-26 20:21:07.000000000 -0400
38712 +@@ -211,7 +211,7 @@ int arch_setup_additional_pages(struct l
38713 + vdso_base = VDSO32_MBASE;
38714 + #endif
38715 +
38716 +- current->mm->context.vdso_base = 0;
38717 ++ current->mm->context.vdso_base = ~0UL;
38718 +
38719 + /* vDSO has a problem and was disabled, just don't "enable" it for the
38720 + * process
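Review bot: this assignment is the only place in the hunk that stores the ~0UL sentinel; check that the failure paths later in arch_setup_additional_pages() (the `fail_mmapsem` label in the next hunk) leave vdso_base at ~0UL rather than resetting it to 0, since signal_32.c/signal_64.c now read 0 as a valid base.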
38721 +@@ -228,7 +228,7 @@ int arch_setup_additional_pages(struct l
38722 + */
38723 + down_write(&mm->mmap_sem);
38724 + vdso_base = get_unmapped_area(NULL, vdso_base,
38725 +- vdso_pages << PAGE_SHIFT, 0, 0);
38726 ++ vdso_pages << PAGE_SHIFT, 0, MAP_PRIVATE | MAP_EXECUTABLE);
38727 + if (IS_ERR_VALUE(vdso_base)) {
38728 + rc = vdso_base;
38729 + goto fail_mmapsem;
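Review bot: passing `MAP_PRIVATE | MAP_EXECUTABLE` instead of 0 to get_unmapped_area() only changes what the arch's arch_get_unmapped_area() (and the PaX additions to it) see for the vDSO placement; the hunk gives no hint which consumer of those flags this is for, so a comment is needed to keep someone from "simplifying" it back to 0.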
38730 +diff -urNp linux-2.6.24.5/arch/powerpc/mm/fault.c linux-2.6.24.5/arch/powerpc/mm/fault.c
38731 +--- linux-2.6.24.5/arch/powerpc/mm/fault.c 2008-03-24 14:49:18.000000000 -0400
38732 ++++ linux-2.6.24.5/arch/powerpc/mm/fault.c 2008-03-26 20:21:07.000000000 -0400
38733 +@@ -29,6 +29,12 @@
38734 + #include <linux/module.h>
38735 + #include <linux/kprobes.h>
38736 + #include <linux/kdebug.h>
38737 ++#include <linux/binfmts.h>
38738 ++#include <linux/slab.h>
38739 ++#include <linux/pagemap.h>
38740 ++#include <linux/compiler.h>
38741 ++#include <linux/binfmts.h>
38742 ++#include <linux/unistd.h>
38743 +
38744 + #include <asm/page.h>
38745 + #include <asm/pgtable.h>
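Review bot: `#include <linux/binfmts.h>` is added twice in this hunk (the first and fifth added lines); drop one. `<linux/slab.h>` and `<linux/pagemap.h>` are presumably for alloc_page()/kmap() in the EMUSIGRT code below, and `<linux/unistd.h>` for __NR_rt_sigreturn; `<linux/compiler.h>` is already pulled in by nearly every kernel header.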
38746 +@@ -62,6 +68,363 @@ static inline int notify_page_fault(stru
38747 + }
38748 + #endif
38749 +
38750 ++#ifdef CONFIG_PAX_EMUSIGRT
38751 ++void pax_syscall_close(struct vm_area_struct *vma)
38752 ++{
38753 ++ vma->vm_mm->call_syscall = 0UL;
38754 ++}
38755 ++
38756 ++static struct page *pax_syscall_nopage(struct vm_area_struct *vma, unsigned long address, int *type)
38757 ++{
38758 ++ struct page *page;
38759 ++ unsigned int *kaddr;
38760 ++
38761 ++ page = alloc_page(GFP_HIGHUSER);
38762 ++ if (!page)
38763 ++ return NOPAGE_OOM;
38764 ++
38765 ++ kaddr = kmap(page);
38766 ++ memset(kaddr, 0, PAGE_SIZE);
38767 ++ kaddr[0] = 0x44000002U; /* sc */
38768 ++ __flush_dcache_icache(kaddr);
38769 ++ kunmap(page);
38770 ++ if (type)
38771 ++ *type = VM_FAULT_MAJOR;
38772 ++ return page;
38773 ++}
38774 ++
38775 ++static struct vm_operations_struct pax_vm_ops = {
38776 ++ .close = pax_syscall_close,
38777 ++ .nopage = pax_syscall_nopage,
38778 ++};
38779 ++
38780 ++static int pax_insert_vma(struct vm_area_struct *vma, unsigned long addr)
38781 ++{
38782 ++ int ret;
38783 ++
38784 ++ vma->vm_mm = current->mm;
38785 ++ vma->vm_start = addr;
38786 ++ vma->vm_end = addr + PAGE_SIZE;
38787 ++ vma->vm_flags = VM_READ | VM_EXEC | VM_MAYREAD | VM_MAYEXEC;
38788 ++ vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
38789 ++ vma->vm_ops = &pax_vm_ops;
38790 ++
38791 ++ ret = insert_vm_struct(current->mm, vma);
38792 ++ if (ret)
38793 ++ return ret;
38794 ++
38795 ++ ++current->mm->total_vm;
38796 ++ return 0;
38797 ++}
38798 ++#endif
38799 ++
38800 ++#ifdef CONFIG_PAX_PAGEEXEC
38801 ++/*
38802 ++ * PaX: decide what to do with offenders (regs->nip = fault address)
38803 ++ *
38804 ++ * returns 1 when task should be killed
38805 ++ * 2 when patched GOT trampoline was detected
38806 ++ * 3 when patched PLT trampoline was detected
38807 ++ * 4 when unpatched PLT trampoline was detected
38808 ++ * 5 when sigreturn trampoline was detected
38809 ++ * 6 when rt_sigreturn trampoline was detected
38810 ++ */
38811 ++static int pax_handle_fetch_fault(struct pt_regs *regs)
38812 ++{
38813 ++
38814 ++#if defined(CONFIG_PAX_EMUPLT) || defined(CONFIG_PAX_EMUSIGRT)
38815 ++ int err;
38816 ++#endif
38817 ++
38818 ++#ifdef CONFIG_PAX_EMUPLT
38819 ++ do { /* PaX: patched GOT emulation */
38820 ++ unsigned int blrl;
38821 ++
38822 ++ err = get_user(blrl, (unsigned int *)regs->nip);
38823 ++
38824 ++ if (!err && blrl == 0x4E800021U) {
38825 ++ unsigned long temp = regs->nip;
38826 ++
38827 ++ regs->nip = regs->link & 0xFFFFFFFCUL;
38828 ++ regs->link = temp + 4UL;
38829 ++ return 2;
38830 ++ }
38831 ++ } while (0);
38832 ++
38833 ++ do { /* PaX: patched PLT emulation #1 */
38834 ++ unsigned int b;
38835 ++
38836 ++ err = get_user(b, (unsigned int *)regs->nip);
38837 ++
38838 ++ if (!err && (b & 0xFC000003U) == 0x48000000U) {
38839 ++ regs->nip += (((b | 0xFC000000UL) ^ 0x02000000UL) + 0x02000000UL);
38840 ++ return 3;
38841 ++ }
38842 ++ } while (0);
38843 ++
38844 ++ do { /* PaX: unpatched PLT emulation #1 */
38845 ++ unsigned int li, b;
38846 ++
38847 ++ err = get_user(li, (unsigned int *)regs->nip);
38848 ++ err |= get_user(b, (unsigned int *)(regs->nip+4));
38849 ++
38850 ++ if (!err && (li & 0xFFFF0000U) == 0x39600000U && (b & 0xFC000003U) == 0x48000000U) {
38851 ++ unsigned int rlwinm, add, li2, addis2, mtctr, li3, addis3, bctr;
38852 ++ unsigned long addr = b | 0xFC000000UL;
38853 ++
38854 ++ addr = regs->nip + 4 + ((addr ^ 0x02000000UL) + 0x02000000UL);
38855 ++ err = get_user(rlwinm, (unsigned int *)addr);
38856 ++ err |= get_user(add, (unsigned int *)(addr+4));
38857 ++ err |= get_user(li2, (unsigned int *)(addr+8));
38858 ++ err |= get_user(addis2, (unsigned int *)(addr+12));
38859 ++ err |= get_user(mtctr, (unsigned int *)(addr+16));
38860 ++ err |= get_user(li3, (unsigned int *)(addr+20));
38861 ++ err |= get_user(addis3, (unsigned int *)(addr+24));
38862 ++ err |= get_user(bctr, (unsigned int *)(addr+28));
38863 ++
38864 ++ if (err)
38865 ++ break;
38866 ++
38867 ++ if (rlwinm == 0x556C083CU &&
38868 ++ add == 0x7D6C5A14U &&
38869 ++ (li2 & 0xFFFF0000U) == 0x39800000U &&
38870 ++ (addis2 & 0xFFFF0000U) == 0x3D8C0000U &&
38871 ++ mtctr == 0x7D8903A6U &&
38872 ++ (li3 & 0xFFFF0000U) == 0x39800000U &&
38873 ++ (addis3 & 0xFFFF0000U) == 0x3D8C0000U &&
38874 ++ bctr == 0x4E800420U)
38875 ++ {
38876 ++ regs->gpr[PT_R11] = 3 * (((li | 0xFFFF0000UL) ^ 0x00008000UL) + 0x00008000UL);
38877 ++ regs->gpr[PT_R12] = (((li3 | 0xFFFF0000UL) ^ 0x00008000UL) + 0x00008000UL);
38878 ++ regs->gpr[PT_R12] += (addis3 & 0xFFFFU) << 16;
38879 ++ regs->ctr = (((li2 | 0xFFFF0000UL) ^ 0x00008000UL) + 0x00008000UL);
38880 ++ regs->ctr += (addis2 & 0xFFFFU) << 16;
38881 ++ regs->nip = regs->ctr;
38882 ++ return 4;
38883 ++ }
38884 ++ }
38885 ++ } while (0);
38886 ++
38887 ++#if 0
38888 ++ do { /* PaX: unpatched PLT emulation #2 */
38889 ++ unsigned int lis, lwzu, b, bctr;
38890 ++
38891 ++ err = get_user(lis, (unsigned int *)regs->nip);
38892 ++ err |= get_user(lwzu, (unsigned int *)(regs->nip+4));
38893 ++ err |= get_user(b, (unsigned int *)(regs->nip+8));
38894 ++ err |= get_user(bctr, (unsigned int *)(regs->nip+12));
38895 ++
38896 ++ if (err)
38897 ++ break;
38898 ++
38899 ++ if ((lis & 0xFFFF0000U) == 0x39600000U &&
38900 ++ (lwzu & 0xU) == 0xU &&
38901 ++ (b & 0xFC000003U) == 0x48000000U &&
38902 ++ bctr == 0x4E800420U)
38903 ++ {
38904 ++ unsigned int addis, addi, rlwinm, add, li2, addis2, mtctr, li3, addis3, bctr;
38905 ++ unsigned long addr = b | 0xFC000000UL;
38906 ++
38907 ++ addr = regs->nip + 12 + ((addr ^ 0x02000000UL) + 0x02000000UL);
38908 ++ err = get_user(addis, (unsigned int*)addr);
38909 ++ err |= get_user(addi, (unsigned int*)(addr+4));
38910 ++ err |= get_user(rlwinm, (unsigned int*)(addr+8));
38911 ++ err |= get_user(add, (unsigned int*)(addr+12));
38912 ++ err |= get_user(li2, (unsigned int*)(addr+16));
38913 ++ err |= get_user(addis2, (unsigned int*)(addr+20));
38914 ++ err |= get_user(mtctr, (unsigned int*)(addr+24));
38915 ++ err |= get_user(li3, (unsigned int*)(addr+28));
38916 ++ err |= get_user(addis3, (unsigned int*)(addr+32));
38917 ++ err |= get_user(bctr, (unsigned int*)(addr+36));
38918 ++
38919 ++ if (err)
38920 ++ break;
38921 ++
38922 ++ if ((addis & 0xFFFF0000U) == 0x3D6B0000U &&
38923 ++ (addi & 0xFFFF0000U) == 0x396B0000U &&
38924 ++ rlwinm == 0x556C083CU &&
38925 ++ add == 0x7D6C5A14U &&
38926 ++ (li2 & 0xFFFF0000U) == 0x39800000U &&
38927 ++ (addis2 & 0xFFFF0000U) == 0x3D8C0000U &&
38928 ++ mtctr == 0x7D8903A6U &&
38929 ++ (li3 & 0xFFFF0000U) == 0x39800000U &&
38930 ++ (addis3 & 0xFFFF0000U) == 0x3D8C0000U &&
38931 ++ bctr == 0x4E800420U)
38932 ++ {
38933 ++ regs->gpr[PT_R11] =
38934 ++ regs->gpr[PT_R11] = 3 * (((li | 0xFFFF0000UL) ^ 0x00008000UL) + 0x00008000UL);
38935 ++ regs->gpr[PT_R12] = (((li3 | 0xFFFF0000UL) ^ 0x00008000UL) + 0x00008000UL);
38936 ++ regs->gpr[PT_R12] += (addis3 & 0xFFFFU) << 16;
38937 ++ regs->ctr = (((li2 | 0xFFFF0000UL) ^ 0x00008000UL) + 0x00008000UL);
38938 ++ regs->ctr += (addis2 & 0xFFFFU) << 16;
38939 ++ regs->nip = regs->ctr;
38940 ++ return 4;
38941 ++ }
38942 ++ }
38943 ++ } while (0);
38944 ++#endif
38945 ++
38946 ++ do { /* PaX: unpatched PLT emulation #3 */
38947 ++ unsigned int li, b;
38948 ++
38949 ++ err = get_user(li, (unsigned int *)regs->nip);
38950 ++ err |= get_user(b, (unsigned int *)(regs->nip+4));
38951 ++
38952 ++ if (!err && (li & 0xFFFF0000U) == 0x39600000U && (b & 0xFC000003U) == 0x48000000U) {
38953 ++ unsigned int addis, lwz, mtctr, bctr;
38954 ++ unsigned long addr = b | 0xFC000000UL;
38955 ++
38956 ++ addr = regs->nip + 4 + ((addr ^ 0x02000000UL) + 0x02000000UL);
38957 ++ err = get_user(addis, (unsigned int *)addr);
38958 ++ err |= get_user(lwz, (unsigned int *)(addr+4));
38959 ++ err |= get_user(mtctr, (unsigned int *)(addr+8));
38960 ++ err |= get_user(bctr, (unsigned int *)(addr+12));
38961 ++
38962 ++ if (err)
38963 ++ break;
38964 ++
38965 ++ if ((addis & 0xFFFF0000U) == 0x3D6B0000U &&
38966 ++ (lwz & 0xFFFF0000U) == 0x816B0000U &&
38967 ++ mtctr == 0x7D6903A6U &&
38968 ++ bctr == 0x4E800420U)
38969 ++ {
38970 ++ unsigned int r11;
38971 ++
38972 ++ addr = (addis << 16) + (((li | 0xFFFF0000UL) ^ 0x00008000UL) + 0x00008000UL);
38973 ++ addr += (((lwz | 0xFFFF0000UL) ^ 0x00008000UL) + 0x00008000UL);
38974 ++
38975 ++ err = get_user(r11, (unsigned int *)addr);
38976 ++ if (err)
38977 ++ break;
38978 ++
38979 ++ regs->gpr[PT_R11] = r11;
38980 ++ regs->ctr = r11;
38981 ++ regs->nip = r11;
38982 ++ return 4;
38983 ++ }
38984 ++ }
38985 ++ } while (0);
38986 ++#endif
38987 ++
38988 ++#ifdef CONFIG_PAX_EMUSIGRT
38989 ++ do { /* PaX: sigreturn emulation */
38990 ++ unsigned int li, sc;
38991 ++
38992 ++ err = get_user(li, (unsigned int *)regs->nip);
38993 ++ err |= get_user(sc, (unsigned int *)(regs->nip+4));
38994 ++
38995 ++ if (!err && li == 0x38000000U + __NR_sigreturn && sc == 0x44000002U) {
38996 ++ struct vm_area_struct *vma;
38997 ++ unsigned long call_syscall;
38998 ++
38999 ++ down_read(&current->mm->mmap_sem);
39000 ++ call_syscall = current->mm->call_syscall;
39001 ++ up_read(&current->mm->mmap_sem);
39002 ++ if (likely(call_syscall))
39003 ++ goto emulate;
39004 ++
39005 ++ vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
39006 ++
39007 ++ down_write(&current->mm->mmap_sem);
39008 ++ if (current->mm->call_syscall) {
39009 ++ call_syscall = current->mm->call_syscall;
39010 ++ up_write(&current->mm->mmap_sem);
39011 ++ if (vma) kmem_cache_free(vm_area_cachep, vma);
39012 ++ goto emulate;
39013 ++ }
39014 ++
39015 ++ call_syscall = get_unmapped_area(NULL, 0UL, PAGE_SIZE, 0UL, MAP_PRIVATE);
39016 ++ if (!vma || (call_syscall & ~PAGE_MASK)) {
39017 ++ up_write(&current->mm->mmap_sem);
39018 ++ if (vma) kmem_cache_free(vm_area_cachep, vma);
39019 ++ return 1;
39020 ++ }
39021 ++
39022 ++ if (pax_insert_vma(vma, call_syscall)) {
39023 ++ up_write(&current->mm->mmap_sem);
39024 ++ kmem_cache_free(vm_area_cachep, vma);
39025 ++ return 1;
39026 ++ }
39027 ++
39028 ++ current->mm->call_syscall = call_syscall;
39029 ++ up_write(&current->mm->mmap_sem);
39030 ++
39031 ++emulate:
39032 ++ regs->gpr[PT_R0] = __NR_sigreturn;
39033 ++ regs->nip = call_syscall;
39034 ++ return 5;
39035 ++ }
39036 ++ } while (0);
39037 ++
39038 ++ do { /* PaX: rt_sigreturn emulation */
39039 ++ unsigned int li, sc;
39040 ++
39041 ++ err = get_user(li, (unsigned int *)regs->nip);
39042 ++ err |= get_user(sc, (unsigned int *)(regs->nip+4));
39043 ++
39044 ++ if (!err && li == 0x38000000U + __NR_rt_sigreturn && sc == 0x44000002U) {
39045 ++ struct vm_area_struct *vma;
39046 ++ unsigned int call_syscall;
39047 ++
39048 ++ down_read(&current->mm->mmap_sem);
39049 ++ call_syscall = current->mm->call_syscall;
39050 ++ up_read(&current->mm->mmap_sem);
39051 ++ if (likely(call_syscall))
39052 ++ goto rt_emulate;
39053 ++
39054 ++ vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
39055 ++
39056 ++ down_write(&current->mm->mmap_sem);
39057 ++ if (current->mm->call_syscall) {
39058 ++ call_syscall = current->mm->call_syscall;
39059 ++ up_write(&current->mm->mmap_sem);
39060 ++ if (vma) kmem_cache_free(vm_area_cachep, vma);
39061 ++ goto rt_emulate;
39062 ++ }
39063 ++
39064 ++ call_syscall = get_unmapped_area(NULL, 0UL, PAGE_SIZE, 0UL, MAP_PRIVATE);
39065 ++ if (!vma || (call_syscall & ~PAGE_MASK)) {
39066 ++ up_write(&current->mm->mmap_sem);
39067 ++ if (vma) kmem_cache_free(vm_area_cachep, vma);
39068 ++ return 1;
39069 ++ }
39070 ++
39071 ++ if (pax_insert_vma(vma, call_syscall)) {
39072 ++ up_write(&current->mm->mmap_sem);
39073 ++ kmem_cache_free(vm_area_cachep, vma);
39074 ++ return 1;
39075 ++ }
39076 ++
39077 ++ current->mm->call_syscall = call_syscall;
39078 ++ up_write(&current->mm->mmap_sem);
39079 ++
39080 ++rt_emulate:
39081 ++ regs->gpr[PT_R0] = __NR_rt_sigreturn;
39082 ++ regs->nip = call_syscall;
39083 ++ return 6;
39084 ++ }
39085 ++ } while (0);
39086 ++#endif
39087 ++
39088 ++ return 1;
39089 ++}
39090 ++
39091 ++void pax_report_insns(void *pc, void *sp)
39092 ++{
39093 ++ unsigned long i;
39094 ++
39095 ++ printk(KERN_ERR "PAX: bytes at PC: ");
39096 ++ for (i = 0; i < 5; i++) {
39097 ++ unsigned int c;
39098 ++ if (get_user(c, (unsigned int *)pc+i))
39099 ++ printk("???????? ");
39100 ++ else
39101 ++ printk("%08x ", c);
39102 ++ }
39103 ++ printk("\n");
39104 ++}
39105 ++#endif
39106 ++
39107 + /*
39108 + * Check whether the instruction at regs->nip is a store using
39109 + * an update addressing form which will update r1.
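Review bot: In the rt_sigreturn emulation block, `call_syscall` is declared `unsigned int` while the sigreturn block directly above declares it `unsigned long`, yet it receives the result of `get_unmapped_area()` and the value of `current->mm->call_syscall`; this file has CONFIG_PPC64 branches, so on 64-bit the trampoline address is truncated before the `(call_syscall & ~PAGE_MASK)` error test and before it is loaded into `regs->nip`. Change it to `unsigned long` to match the sigreturn block. Separately, the `#if 0` "unpatched PLT emulation #2" block is not compilable as written (`(lwzu & 0xU) == 0xU`, a dangling `regs->gpr[PT_R11] =` followed by a second assignment, and `li` is not declared in that scope); either finish it or drop it rather than carrying unbuildable dead code in the tree.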
39110 +@@ -157,7 +520,7 @@ int __kprobes do_page_fault(struct pt_re
39111 + * indicate errors in DSISR but can validly be set in SRR1.
39112 + */
39113 + if (trap == 0x400)
39114 +- error_code &= 0x48200000;
39115 ++ error_code &= 0x58200000;
39116 + else
39117 + is_write = error_code & DSISR_ISSTORE;
39118 + #else
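Review bot: The mask applied to `error_code` for 0x400 (instruction storage) traps is widened from 0x48200000 to 0x58200000, keeping an additional SRR1 bit 0x10000000, with no comment on which fault condition that bit reports or which consumer further down needs it. A short comment, or a named constant next to the existing DSISR_* names, would make the intent reviewable; as a bare literal the extra bit is easy to lose in a later merge.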
39119 +@@ -357,6 +720,37 @@ bad_area:
39120 + bad_area_nosemaphore:
39121 + /* User mode accesses cause a SIGSEGV */
39122 + if (user_mode(regs)) {
39123 ++
39124 ++#ifdef CONFIG_PAX_PAGEEXEC
39125 ++ if (mm->pax_flags & MF_PAX_PAGEEXEC) {
39126 ++#ifdef CONFIG_PPC64
39127 ++ if (is_exec && (error_code & DSISR_PROTFAULT)) {
39128 ++#else
39129 ++ if (is_exec && regs->nip == address) {
39130 ++#endif
39131 ++ switch (pax_handle_fetch_fault(regs)) {
39132 ++
39133 ++#ifdef CONFIG_PAX_EMUPLT
39134 ++ case 2:
39135 ++ case 3:
39136 ++ case 4:
39137 ++ return 0;
39138 ++#endif
39139 ++
39140 ++#ifdef CONFIG_PAX_EMUSIGRT
39141 ++ case 5:
39142 ++ case 6:
39143 ++ return 0;
39144 ++#endif
39145 ++
39146 ++ }
39147 ++
39148 ++ pax_report_fault(regs, (void*)regs->nip, (void*)regs->gpr[PT_R1]);
39149 ++ do_group_exit(SIGKILL);
39150 ++ }
39151 ++ }
39152 ++#endif
39153 ++
39154 + _exception(SIGSEGV, regs, code, address);
39155 + return 0;
39156 + }
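Review bot: The `switch (pax_handle_fetch_fault(regs))` has no `case 1:`/`default:` arm, and with neither CONFIG_PAX_EMUPLT nor CONFIG_PAX_EMUSIGRT set its body is empty, so the kill path is reached only by falling out of the switch; an explicit `default: break;` with a comment that 1 means "kill" would document that. The two conditions also differ: on PPC64 a fetch fault counts as a PAGEEXEC violation only when `DSISR_PROTFAULT` is set, whereas the 32-bit branch accepts any `is_exec` fault whose nip equals the fault address, so on 32-bit every instruction fetch that reaches bad_area, including a jump into unmapped memory, ends in `do_group_exit(SIGKILL)` rather than the `_exception(SIGSEGV, ...)` below. If that asymmetry is intended, a comment saying why would help.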
39157 +diff -urNp linux-2.6.24.5/arch/powerpc/mm/mmap.c linux-2.6.24.5/arch/powerpc/mm/mmap.c
39158 +--- linux-2.6.24.5/arch/powerpc/mm/mmap.c 2008-03-24 14:49:18.000000000 -0400
39159 ++++ linux-2.6.24.5/arch/powerpc/mm/mmap.c 2008-03-26 20:21:07.000000000 -0400
39160 +@@ -75,10 +75,22 @@ void arch_pick_mmap_layout(struct mm_str
39161 + */
39162 + if (mmap_is_legacy()) {
39163 + mm->mmap_base = TASK_UNMAPPED_BASE;
39164 ++
39165 ++#ifdef CONFIG_PAX_RANDMMAP
39166 ++ if (mm->pax_flags & MF_PAX_RANDMMAP)
39167 ++ mm->mmap_base += mm->delta_mmap;
39168 ++#endif
39169 ++
39170 + mm->get_unmapped_area = arch_get_unmapped_area;
39171 + mm->unmap_area = arch_unmap_area;
39172 + } else {
39173 + mm->mmap_base = mmap_base();
39174 ++
39175 ++#ifdef CONFIG_PAX_RANDMMAP
39176 ++ if (mm->pax_flags & MF_PAX_RANDMMAP)
39177 ++ mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
39178 ++#endif
39179 ++
39180 + mm->get_unmapped_area = arch_get_unmapped_area_topdown;
39181 + mm->unmap_area = arch_unmap_area_topdown;
39182 + }
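Review bot: The randomisation offsets are applied without any bound check: the legacy layout does `mmap_base += mm->delta_mmap` and the top-down layout `mmap_base -= mm->delta_mmap + mm->delta_stack`, and nothing in this hunk shows where the deltas are generated or what their maximum is, so a reader cannot tell from here that `mmap_base` stays above the gap that `mmap_base()` reserves. A comment pointing at where `delta_mmap`/`delta_stack` are bounded, or an explicit clamp here, would close that gap. The two branches are also asymmetric (only the top-down case subtracts `delta_stack`); if that is deliberate, say so in a comment.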
39183 +diff -urNp linux-2.6.24.5/arch/ppc/mm/fault.c linux-2.6.24.5/arch/ppc/mm/fault.c
39184 +--- linux-2.6.24.5/arch/ppc/mm/fault.c 2008-03-24 14:49:18.000000000 -0400
39185 ++++ linux-2.6.24.5/arch/ppc/mm/fault.c 2008-03-26 20:21:07.000000000 -0400
39186 +@@ -25,6 +25,11 @@
39187 + #include <linux/interrupt.h>
39188 + #include <linux/highmem.h>
39189 + #include <linux/module.h>
39190 ++#include <linux/slab.h>
39191 ++#include <linux/pagemap.h>
39192 ++#include <linux/compiler.h>
39193 ++#include <linux/binfmts.h>
39194 ++#include <linux/unistd.h>
39195 +
39196 + #include <asm/page.h>
39197 + #include <asm/pgtable.h>
39198 +@@ -48,6 +53,363 @@ unsigned long pte_misses; /* updated by
39199 + unsigned long pte_errors; /* updated by do_page_fault() */
39200 + unsigned int probingmem;
39201 +
39202 ++#ifdef CONFIG_PAX_EMUSIGRT
39203 ++void pax_syscall_close(struct vm_area_struct *vma)
39204 ++{
39205 ++ vma->vm_mm->call_syscall = 0UL;
39206 ++}
39207 ++
39208 ++static struct page *pax_syscall_nopage(struct vm_area_struct *vma, unsigned long address, int *type)
39209 ++{
39210 ++ struct page *page;
39211 ++ unsigned int *kaddr;
39212 ++
39213 ++ page = alloc_page(GFP_HIGHUSER);
39214 ++ if (!page)
39215 ++ return NOPAGE_OOM;
39216 ++
39217 ++ kaddr = kmap(page);
39218 ++ memset(kaddr, 0, PAGE_SIZE);
39219 ++ kaddr[0] = 0x44000002U; /* sc */
39220 ++ __flush_dcache_icache(kaddr);
39221 ++ kunmap(page);
39222 ++ if (type)
39223 ++ *type = VM_FAULT_MAJOR;
39224 ++ return page;
39225 ++}
39226 ++
39227 ++static struct vm_operations_struct pax_vm_ops = {
39228 ++ .close = pax_syscall_close,
39229 ++ .nopage = pax_syscall_nopage,
39230 ++};
39231 ++
39232 ++static int pax_insert_vma(struct vm_area_struct *vma, unsigned long addr)
39233 ++{
39234 ++ int ret;
39235 ++
39236 ++ vma->vm_mm = current->mm;
39237 ++ vma->vm_start = addr;
39238 ++ vma->vm_end = addr + PAGE_SIZE;
39239 ++ vma->vm_flags = VM_READ | VM_EXEC | VM_MAYREAD | VM_MAYEXEC;
39240 ++ vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
39241 ++ vma->vm_ops = &pax_vm_ops;
39242 ++
39243 ++ ret = insert_vm_struct(current->mm, vma);
39244 ++ if (ret)
39245 ++ return ret;
39246 ++
39247 ++ ++current->mm->total_vm;
39248 ++ return 0;
39249 ++}
39250 ++#endif
39251 ++
39252 ++#ifdef CONFIG_PAX_PAGEEXEC
39253 ++/*
39254 ++ * PaX: decide what to do with offenders (regs->nip = fault address)
39255 ++ *
39256 ++ * returns 1 when task should be killed
39257 ++ * 2 when patched GOT trampoline was detected
39258 ++ * 3 when patched PLT trampoline was detected
39259 ++ * 4 when unpatched PLT trampoline was detected
39260 ++ * 5 when sigreturn trampoline was detected
39261 ++ * 6 when rt_sigreturn trampoline was detected
39262 ++ */
39263 ++static int pax_handle_fetch_fault(struct pt_regs *regs)
39264 ++{
39265 ++
39266 ++#if defined(CONFIG_PAX_EMUPLT) || defined(CONFIG_PAX_EMUSIGRT)
39267 ++ int err;
39268 ++#endif
39269 ++
39270 ++#ifdef CONFIG_PAX_EMUPLT
39271 ++ do { /* PaX: patched GOT emulation */
39272 ++ unsigned int blrl;
39273 ++
39274 ++ err = get_user(blrl, (unsigned int *)regs->nip);
39275 ++
39276 ++ if (!err && blrl == 0x4E800021U) {
39277 ++ unsigned long temp = regs->nip;
39278 ++
39279 ++ regs->nip = regs->link & 0xFFFFFFFCUL;
39280 ++ regs->link = temp + 4UL;
39281 ++ return 2;
39282 ++ }
39283 ++ } while (0);
39284 ++
39285 ++ do { /* PaX: patched PLT emulation #1 */
39286 ++ unsigned int b;
39287 ++
39288 ++ err = get_user(b, (unsigned int *)regs->nip);
39289 ++
39290 ++ if (!err && (b & 0xFC000003U) == 0x48000000U) {
39291 ++ regs->nip += (((b | 0xFC000000UL) ^ 0x02000000UL) + 0x02000000UL);
39292 ++ return 3;
39293 ++ }
39294 ++ } while (0);
39295 ++
39296 ++ do { /* PaX: unpatched PLT emulation #1 */
39297 ++ unsigned int li, b;
39298 ++
39299 ++ err = get_user(li, (unsigned int *)regs->nip);
39300 ++ err |= get_user(b, (unsigned int *)(regs->nip+4));
39301 ++
39302 ++ if (!err && (li & 0xFFFF0000U) == 0x39600000U && (b & 0xFC000003U) == 0x48000000U) {
39303 ++ unsigned int rlwinm, add, li2, addis2, mtctr, li3, addis3, bctr;
39304 ++ unsigned long addr = b | 0xFC000000UL;
39305 ++
39306 ++ addr = regs->nip + 4 + ((addr ^ 0x02000000UL) + 0x02000000UL);
39307 ++ err = get_user(rlwinm, (unsigned int *)addr);
39308 ++ err |= get_user(add, (unsigned int *)(addr+4));
39309 ++ err |= get_user(li2, (unsigned int *)(addr+8));
39310 ++ err |= get_user(addis2, (unsigned int *)(addr+12));
39311 ++ err |= get_user(mtctr, (unsigned int *)(addr+16));
39312 ++ err |= get_user(li3, (unsigned int *)(addr+20));
39313 ++ err |= get_user(addis3, (unsigned int *)(addr+24));
39314 ++ err |= get_user(bctr, (unsigned int *)(addr+28));
39315 ++
39316 ++ if (err)
39317 ++ break;
39318 ++
39319 ++ if (rlwinm == 0x556C083CU &&
39320 ++ add == 0x7D6C5A14U &&
39321 ++ (li2 & 0xFFFF0000U) == 0x39800000U &&
39322 ++ (addis2 & 0xFFFF0000U) == 0x3D8C0000U &&
39323 ++ mtctr == 0x7D8903A6U &&
39324 ++ (li3 & 0xFFFF0000U) == 0x39800000U &&
39325 ++ (addis3 & 0xFFFF0000U) == 0x3D8C0000U &&
39326 ++ bctr == 0x4E800420U)
39327 ++ {
39328 ++ regs->gpr[PT_R11] = 3 * (((li | 0xFFFF0000UL) ^ 0x00008000UL) + 0x00008000UL);
39329 ++ regs->gpr[PT_R12] = (((li3 | 0xFFFF0000UL) ^ 0x00008000UL) + 0x00008000UL);
39330 ++ regs->gpr[PT_R12] += (addis3 & 0xFFFFU) << 16;
39331 ++ regs->ctr = (((li2 | 0xFFFF0000UL) ^ 0x00008000UL) + 0x00008000UL);
39332 ++ regs->ctr += (addis2 & 0xFFFFU) << 16;
39333 ++ regs->nip = regs->ctr;
39334 ++ return 4;
39335 ++ }
39336 ++ }
39337 ++ } while (0);
39338 ++
39339 ++#if 0
39340 ++ do { /* PaX: unpatched PLT emulation #2 */
39341 ++ unsigned int lis, lwzu, b, bctr;
39342 ++
39343 ++ err = get_user(lis, (unsigned int *)regs->nip);
39344 ++ err |= get_user(lwzu, (unsigned int *)(regs->nip+4));
39345 ++ err |= get_user(b, (unsigned int *)(regs->nip+8));
39346 ++ err |= get_user(bctr, (unsigned int *)(regs->nip+12));
39347 ++
39348 ++ if (err)
39349 ++ break;
39350 ++
39351 ++ if ((lis & 0xFFFF0000U) == 0x39600000U &&
39352 ++ (lwzu & 0xU) == 0xU &&
39353 ++ (b & 0xFC000003U) == 0x48000000U &&
39354 ++ bctr == 0x4E800420U)
39355 ++ {
39356 ++ unsigned int addis, addi, rlwinm, add, li2, addis2, mtctr, li3, addis3, bctr;
39357 ++ unsigned long addr = b | 0xFC000000UL;
39358 ++
39359 ++ addr = regs->nip + 12 + ((addr ^ 0x02000000UL) + 0x02000000UL);
39360 ++ err = get_user(addis, (unsigned int*)addr);
39361 ++ err |= get_user(addi, (unsigned int*)(addr+4));
39362 ++ err |= get_user(rlwinm, (unsigned int*)(addr+8));
39363 ++ err |= get_user(add, (unsigned int*)(addr+12));
39364 ++ err |= get_user(li2, (unsigned int*)(addr+16));
39365 ++ err |= get_user(addis2, (unsigned int*)(addr+20));
39366 ++ err |= get_user(mtctr, (unsigned int*)(addr+24));
39367 ++ err |= get_user(li3, (unsigned int*)(addr+28));
39368 ++ err |= get_user(addis3, (unsigned int*)(addr+32));
39369 ++ err |= get_user(bctr, (unsigned int*)(addr+36));
39370 ++
39371 ++ if (err)
39372 ++ break;
39373 ++
39374 ++ if ((addis & 0xFFFF0000U) == 0x3D6B0000U &&
39375 ++ (addi & 0xFFFF0000U) == 0x396B0000U &&
39376 ++ rlwinm == 0x556C083CU &&
39377 ++ add == 0x7D6C5A14U &&
39378 ++ (li2 & 0xFFFF0000U) == 0x39800000U &&
39379 ++ (addis2 & 0xFFFF0000U) == 0x3D8C0000U &&
39380 ++ mtctr == 0x7D8903A6U &&
39381 ++ (li3 & 0xFFFF0000U) == 0x39800000U &&
39382 ++ (addis3 & 0xFFFF0000U) == 0x3D8C0000U &&
39383 ++ bctr == 0x4E800420U)
39384 ++ {
39385 ++ regs->gpr[PT_R11] =
39386 ++ regs->gpr[PT_R11] = 3 * (((li | 0xFFFF0000UL) ^ 0x00008000UL) + 0x00008000UL);
39387 ++ regs->gpr[PT_R12] = (((li3 | 0xFFFF0000UL) ^ 0x00008000UL) + 0x00008000UL);
39388 ++ regs->gpr[PT_R12] += (addis3 & 0xFFFFU) << 16;
39389 ++ regs->ctr = (((li2 | 0xFFFF0000UL) ^ 0x00008000UL) + 0x00008000UL);
39390 ++ regs->ctr += (addis2 & 0xFFFFU) << 16;
39391 ++ regs->nip = regs->ctr;
39392 ++ return 4;
39393 ++ }
39394 ++ }
39395 ++ } while (0);
39396 ++#endif
39397 ++
39398 ++ do { /* PaX: unpatched PLT emulation #3 */
39399 ++ unsigned int li, b;
39400 ++
39401 ++ err = get_user(li, (unsigned int *)regs->nip);
39402 ++ err |= get_user(b, (unsigned int *)(regs->nip+4));
39403 ++
39404 ++ if (!err && (li & 0xFFFF0000U) == 0x39600000U && (b & 0xFC000003U) == 0x48000000U) {
39405 ++ unsigned int addis, lwz, mtctr, bctr;
39406 ++ unsigned long addr = b | 0xFC000000UL;
39407 ++
39408 ++ addr = regs->nip + 4 + ((addr ^ 0x02000000UL) + 0x02000000UL);
39409 ++ err = get_user(addis, (unsigned int *)addr);
39410 ++ err |= get_user(lwz, (unsigned int *)(addr+4));
39411 ++ err |= get_user(mtctr, (unsigned int *)(addr+8));
39412 ++ err |= get_user(bctr, (unsigned int *)(addr+12));
39413 ++
39414 ++ if (err)
39415 ++ break;
39416 ++
39417 ++ if ((addis & 0xFFFF0000U) == 0x3D6B0000U &&
39418 ++ (lwz & 0xFFFF0000U) == 0x816B0000U &&
39419 ++ mtctr == 0x7D6903A6U &&
39420 ++ bctr == 0x4E800420U)
39421 ++ {
39422 ++ unsigned int r11;
39423 ++
39424 ++ addr = (addis << 16) + (((li | 0xFFFF0000UL) ^ 0x00008000UL) + 0x00008000UL);
39425 ++ addr += (((lwz | 0xFFFF0000UL) ^ 0x00008000UL) + 0x00008000UL);
39426 ++
39427 ++ err = get_user(r11, (unsigned int *)addr);
39428 ++ if (err)
39429 ++ break;
39430 ++
39431 ++ regs->gpr[PT_R11] = r11;
39432 ++ regs->ctr = r11;
39433 ++ regs->nip = r11;
39434 ++ return 4;
39435 ++ }
39436 ++ }
39437 ++ } while (0);
39438 ++#endif
39439 ++
39440 ++#ifdef CONFIG_PAX_EMUSIGRT
39441 ++ do { /* PaX: sigreturn emulation */
39442 ++ unsigned int li, sc;
39443 ++
39444 ++ err = get_user(li, (unsigned int *)regs->nip);
39445 ++ err |= get_user(sc, (unsigned int *)(regs->nip+4));
39446 ++
39447 ++ if (!err && li == 0x38000000U + __NR_sigreturn && sc == 0x44000002U) {
39448 ++ struct vm_area_struct *vma;
39449 ++ unsigned long call_syscall;
39450 ++
39451 ++ down_read(&current->mm->mmap_sem);
39452 ++ call_syscall = current->mm->call_syscall;
39453 ++ up_read(&current->mm->mmap_sem);
39454 ++ if (likely(call_syscall))
39455 ++ goto emulate;
39456 ++
39457 ++ vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
39458 ++
39459 ++ down_write(&current->mm->mmap_sem);
39460 ++ if (current->mm->call_syscall) {
39461 ++ call_syscall = current->mm->call_syscall;
39462 ++ up_write(&current->mm->mmap_sem);
39463 ++ if (vma) kmem_cache_free(vm_area_cachep, vma);
39464 ++ goto emulate;
39465 ++ }
39466 ++
39467 ++ call_syscall = get_unmapped_area(NULL, 0UL, PAGE_SIZE, 0UL, MAP_PRIVATE);
39468 ++ if (!vma || (call_syscall & ~PAGE_MASK)) {
39469 ++ up_write(&current->mm->mmap_sem);
39470 ++ if (vma) kmem_cache_free(vm_area_cachep, vma);
39471 ++ return 1;
39472 ++ }
39473 ++
39474 ++ if (pax_insert_vma(vma, call_syscall)) {
39475 ++ up_write(&current->mm->mmap_sem);
39476 ++ kmem_cache_free(vm_area_cachep, vma);
39477 ++ return 1;
39478 ++ }
39479 ++
39480 ++ current->mm->call_syscall = call_syscall;
39481 ++ up_write(&current->mm->mmap_sem);
39482 ++
39483 ++emulate:
39484 ++ regs->gpr[PT_R0] = __NR_sigreturn;
39485 ++ regs->nip = call_syscall;
39486 ++ return 5;
39487 ++ }
39488 ++ } while (0);
39489 ++
39490 ++ do { /* PaX: rt_sigreturn emulation */
39491 ++ unsigned int li, sc;
39492 ++
39493 ++ err = get_user(li, (unsigned int *)regs->nip);
39494 ++ err |= get_user(sc, (unsigned int *)(regs->nip+4));
39495 ++
39496 ++ if (!err && li == 0x38000000U + __NR_rt_sigreturn && sc == 0x44000002U) {
39497 ++ struct vm_area_struct *vma;
39498 ++ unsigned int call_syscall;
39499 ++
39500 ++ down_read(&current->mm->mmap_sem);
39501 ++ call_syscall = current->mm->call_syscall;
39502 ++ up_read(&current->mm->mmap_sem);
39503 ++ if (likely(call_syscall))
39504 ++ goto rt_emulate;
39505 ++
39506 ++ vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
39507 ++
39508 ++ down_write(&current->mm->mmap_sem);
39509 ++ if (current->mm->call_syscall) {
39510 ++ call_syscall = current->mm->call_syscall;
39511 ++ up_write(&current->mm->mmap_sem);
39512 ++ if (vma) kmem_cache_free(vm_area_cachep, vma);
39513 ++ goto rt_emulate;
39514 ++ }
39515 ++
39516 ++ call_syscall = get_unmapped_area(NULL, 0UL, PAGE_SIZE, 0UL, MAP_PRIVATE);
39517 ++ if (!vma || (call_syscall & ~PAGE_MASK)) {
39518 ++ up_write(&current->mm->mmap_sem);
39519 ++ if (vma) kmem_cache_free(vm_area_cachep, vma);
39520 ++ return 1;
39521 ++ }
39522 ++
39523 ++ if (pax_insert_vma(vma, call_syscall)) {
39524 ++ up_write(&current->mm->mmap_sem);
39525 ++ kmem_cache_free(vm_area_cachep, vma);
39526 ++ return 1;
39527 ++ }
39528 ++
39529 ++ current->mm->call_syscall = call_syscall;
39530 ++ up_write(&current->mm->mmap_sem);
39531 ++
39532 ++rt_emulate:
39533 ++ regs->gpr[PT_R0] = __NR_rt_sigreturn;
39534 ++ regs->nip = call_syscall;
39535 ++ return 6;
39536 ++ }
39537 ++ } while (0);
39538 ++#endif
39539 ++
39540 ++ return 1;
39541 ++}
39542 ++
39543 ++void pax_report_insns(void *pc, void *sp)
39544 ++{
39545 ++ unsigned long i;
39546 ++
39547 ++ printk(KERN_ERR "PAX: bytes at PC: ");
39548 ++ for (i = 0; i < 5; i++) {
39549 ++ unsigned int c;
39550 ++ if (get_user(c, (unsigned int *)pc+i))
39551 ++ printk("???????? ");
39552 ++ else
39553 ++ printk("%08x ", c);
39554 ++ }
39555 ++ printk("\n");
39556 ++}
39557 ++#endif
39558 ++
39559 + /*
39560 + * Check whether the instruction at regs->nip is a store using
39561 + * an update addressing form which will update r1.
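Review bot: This block (`pax_syscall_close`, `pax_syscall_nopage`, `pax_insert_vma`, `pax_handle_fetch_fault`, `pax_report_insns`) is a line-for-line copy of the one this patch adds to arch/powerpc/mm/fault.c, and it carries the same defects: `call_syscall` is `unsigned int` in the rt_sigreturn block but `unsigned long` in the sigreturn block (harmless on 32-bit ppc, but the two copies will drift apart), and the `#if 0` "unpatched PLT emulation #2" block contains `0xU` placeholders, a dangling `regs->gpr[PT_R11] =` and an undeclared `li`. Consider keeping the shared emulation code in one place (a common file or header under arch/powerpc) so the type fix lands once; if the copy has to stay, at least drop the `#if 0` block here so both files do not each carry uncompilable dead code.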
39562 +@@ -109,7 +471,7 @@ int do_page_fault(struct pt_regs *regs,
39563 + * indicate errors in DSISR but can validly be set in SRR1.
39564 + */
39565 + if (TRAP(regs) == 0x400)
39566 +- error_code &= 0x48200000;
39567 ++ error_code &= 0x58200000;
39568 + else
39569 + is_write = error_code & 0x02000000;
39570 + #endif /* CONFIG_4xx || CONFIG_BOOKE */
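Review bot: The TRAP 0x400 mask grows from 0x48200000 to 0x58200000 here as well as in arch/powerpc/mm/fault.c; the extra 0x10000000 bit is an unexplained literal in both places. Please add a comment (or a named constant) stating which SRR1 condition it preserves and which code below relies on it.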
39571 +@@ -204,15 +566,14 @@ good_area:
39572 + pte_t *ptep;
39573 + pmd_t *pmdp;
39574 +
39575 +-#if 0
39576 ++#if 1
39577 + /* It would be nice to actually enforce the VM execute
39578 + permission on CPUs which can do so, but far too
39579 + much stuff in userspace doesn't get the permissions
39580 + right, so we let any page be executed for now. */
39581 + if (! (vma->vm_flags & VM_EXEC))
39582 + goto bad_area;
39583 +-#endif
39584 +-
39585 ++#else
39586 + /* Since 4xx/Book-E supports per-page execute permission,
39587 + * we lazily flush dcache to icache. */
39588 + ptep = NULL;
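Review bot: Flipping `#if 0` to `#if 1` enables the `VM_EXEC` check unconditionally in this 4xx/Book-E path, not only for tasks marked PAGEEXEC (`mm->pax_flags & MF_PAX_PAGEEXEC`, which the bad_area hunk later in this same file does test), while the comment kept directly above it still says the opposite ("we let any page be executed for now"). Either gate the check on the PaX flag or update the comment to describe the new behaviour. Moving the lazy dcache-to-icache flush into the new `#else` arm also compiles it out entirely and leaves `ptep`/`pmdp` declared but unused; please confirm icache coherence for freshly faulted-in executable pages on these CPUs is handled elsewhere, because nothing in this hunk replaces it.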
39589 +@@ -235,6 +596,7 @@ good_area:
39590 + pte_unmap_unlock(ptep, ptl);
39591 + }
39592 + #endif
39593 ++#endif
39594 + /* a read */
39595 + } else {
39596 + /* protection fault */
39597 +@@ -278,6 +640,33 @@ bad_area:
39598 +
39599 + /* User mode accesses cause a SIGSEGV */
39600 + if (user_mode(regs)) {
39601 ++
39602 ++#ifdef CONFIG_PAX_PAGEEXEC
39603 ++ if (mm->pax_flags & MF_PAX_PAGEEXEC) {
39604 ++ if ((TRAP(regs) == 0x400) && (regs->nip == address)) {
39605 ++ switch (pax_handle_fetch_fault(regs)) {
39606 ++
39607 ++#ifdef CONFIG_PAX_EMUPLT
39608 ++ case 2:
39609 ++ case 3:
39610 ++ case 4:
39611 ++ return 0;
39612 ++#endif
39613 ++
39614 ++#ifdef CONFIG_PAX_EMUSIGRT
39615 ++ case 5:
39616 ++ case 6:
39617 ++ return 0;
39618 ++#endif
39619 ++
39620 ++ }
39621 ++
39622 ++ pax_report_fault(regs, (void *)regs->nip, (void *)regs->gpr[1]);
39623 ++ do_group_exit(SIGKILL);
39624 ++ }
39625 ++ }
39626 ++#endif
39627 ++
39628 + _exception(SIGSEGV, regs, code, address);
39629 + return 0;
39630 + }
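Review bot: The switch on `pax_handle_fetch_fault(regs)` has no `case 1:`/`default:` arm and is empty when neither CONFIG_PAX_EMUPLT nor CONFIG_PAX_EMUSIGRT is configured; add `default: break;` with a comment that 1 means "kill". The guard `TRAP(regs) == 0x400 && regs->nip == address` means any instruction fetch fault reaching bad_area, including a jump into unmapped memory, ends in `do_group_exit(SIGKILL)` instead of the `_exception(SIGSEGV, ...)` below; if that is intended, a comment saying so would spare the next reader the question. Minor: this copy passes `regs->gpr[1]` where the arch/powerpc copy passes `regs->gpr[PT_R1]`; pick one spelling.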
39631 +diff -urNp linux-2.6.24.5/arch/s390/kernel/module.c linux-2.6.24.5/arch/s390/kernel/module.c
39632 +--- linux-2.6.24.5/arch/s390/kernel/module.c 2008-03-24 14:49:18.000000000 -0400
39633 ++++ linux-2.6.24.5/arch/s390/kernel/module.c 2008-03-26 20:21:07.000000000 -0400
39634 +@@ -166,11 +166,11 @@ module_frob_arch_sections(Elf_Ehdr *hdr,
39635 +
39636 + /* Increase core size by size of got & plt and set start
39637 + offsets for got and plt. */
39638 +- me->core_size = ALIGN(me->core_size, 4);
39639 +- me->arch.got_offset = me->core_size;
39640 +- me->core_size += me->arch.got_size;
39641 +- me->arch.plt_offset = me->core_size;
39642 +- me->core_size += me->arch.plt_size;
39643 ++ me->core_size_rw = ALIGN(me->core_size_rw, 4);
39644 ++ me->arch.got_offset = me->core_size_rw;
39645 ++ me->core_size_rw += me->arch.got_size;
39646 ++ me->arch.plt_offset = me->core_size_rx;
39647 ++ me->core_size_rx += me->arch.plt_size;
39648 + return 0;
39649 + }
39650 +
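Review bot: Only `core_size_rw` is re-aligned before the GOT offset is taken; `core_size_rx` is used as `plt_offset` without an `ALIGN(..., 4)`, whereas the original aligned the single `core_size` once before both offsets. Add `me->core_size_rx = ALIGN(me->core_size_rx, 4);` before `me->arch.plt_offset = me->core_size_rx;` so the PLT stub words stored in apply_rela keep the alignment the old layout guaranteed.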
39651 +@@ -256,7 +256,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
39652 + if (info->got_initialized == 0) {
39653 + Elf_Addr *gotent;
39654 +
39655 +- gotent = me->module_core + me->arch.got_offset +
39656 ++ gotent = me->module_core_rw + me->arch.got_offset +
39657 + info->got_offset;
39658 + *gotent = val;
39659 + info->got_initialized = 1;
39660 +@@ -280,7 +280,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
39661 + else if (r_type == R_390_GOTENT ||
39662 + r_type == R_390_GOTPLTENT)
39663 + *(unsigned int *) loc =
39664 +- (val + (Elf_Addr) me->module_core - loc) >> 1;
39665 ++ (val + (Elf_Addr) me->module_core_rw - loc) >> 1;
39666 + else if (r_type == R_390_GOT64 ||
39667 + r_type == R_390_GOTPLT64)
39668 + *(unsigned long *) loc = val;
39669 +@@ -294,7 +294,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
39670 + case R_390_PLTOFF64: /* 16 bit offset from GOT to PLT. */
39671 + if (info->plt_initialized == 0) {
39672 + unsigned int *ip;
39673 +- ip = me->module_core + me->arch.plt_offset +
39674 ++ ip = me->module_core_rx + me->arch.plt_offset +
39675 + info->plt_offset;
39676 + #ifndef CONFIG_64BIT
39677 + ip[0] = 0x0d105810; /* basr 1,0; l 1,6(1); br 1 */
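Review bot: `ip` now points into `module_core_rx` and the stub words (`ip[0] = 0x0d105810; ...`) are stored through it, so the rx region must still be writable when apply_rela runs; nothing in this hunk shows where or when that region's protection is applied. A comment here stating that the split regions are protected only after relocation would stop someone later applying the protections earlier in the load sequence and silently faulting on this store.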
39678 +@@ -316,7 +316,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
39679 + val = me->arch.plt_offset - me->arch.got_offset +
39680 + info->plt_offset + rela->r_addend;
39681 + else
39682 +- val = (Elf_Addr) me->module_core +
39683 ++ val = (Elf_Addr) me->module_core_rx +
39684 + me->arch.plt_offset + info->plt_offset +
39685 + rela->r_addend - loc;
39686 + if (r_type == R_390_PLT16DBL)
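Review bot: The `R_390_PLTOFF*` branch two lines above the changed line still computes `val = me->arch.plt_offset - me->arch.got_offset + info->plt_offset + rela->r_addend`, i.e. the "offset from GOT to PLT" as a difference of two offsets. That was correct while both were offsets into one `module_core`, but after this patch `got_offset` is relative to `module_core_rw` and `plt_offset` to `module_core_rx`, so their difference no longer measures the distance between GOT and PLT. The bases need folding in, along the lines of `(Elf_Addr) me->module_core_rx + me->arch.plt_offset - ((Elf_Addr) me->module_core_rw + me->arch.got_offset) + info->plt_offset + rela->r_addend`. The PC-relative PLT branch that this hunk does change is fine.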
39687 +@@ -336,7 +336,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
39688 + case R_390_GOTOFF32: /* 32 bit offset to GOT. */
39689 + case R_390_GOTOFF64: /* 64 bit offset to GOT. */
39690 + val = val + rela->r_addend -
39691 +- ((Elf_Addr) me->module_core + me->arch.got_offset);
39692 ++ ((Elf_Addr) me->module_core_rw + me->arch.got_offset);
39693 + if (r_type == R_390_GOTOFF16)
39694 + *(unsigned short *) loc = val;
39695 + else if (r_type == R_390_GOTOFF32)
39696 +@@ -346,7 +346,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
39697 + break;
39698 + case R_390_GOTPC: /* 32 bit PC relative offset to GOT. */
39699 + case R_390_GOTPCDBL: /* 32 bit PC rel. off. to GOT shifted by 1. */
39700 +- val = (Elf_Addr) me->module_core + me->arch.got_offset +
39701 ++ val = (Elf_Addr) me->module_core_rw + me->arch.got_offset +
39702 + rela->r_addend - loc;
39703 + if (r_type == R_390_GOTPC)
39704 + *(unsigned int *) loc = val;
39705 +diff -urNp linux-2.6.24.5/arch/sparc/kernel/ptrace.c linux-2.6.24.5/arch/sparc/kernel/ptrace.c
39706 +--- linux-2.6.24.5/arch/sparc/kernel/ptrace.c 2008-03-24 14:49:18.000000000 -0400
39707 ++++ linux-2.6.24.5/arch/sparc/kernel/ptrace.c 2008-03-26 20:21:07.000000000 -0400
39708 +@@ -19,6 +19,7 @@
39709 + #include <linux/smp_lock.h>
39710 + #include <linux/security.h>
39711 + #include <linux/signal.h>
39712 ++#include <linux/grsecurity.h>
39713 +
39714 + #include <asm/pgtable.h>
39715 + #include <asm/system.h>
39716 +@@ -303,6 +304,11 @@ asmlinkage void do_ptrace(struct pt_regs
39717 + goto out;
39718 + }
39719 +
39720 ++ if (gr_handle_ptrace(child, request)) {
39721 ++ pt_error_return(regs, EPERM);
39722 ++ goto out_tsk;
39723 ++ }
39724 ++
39725 + if ((current->personality == PER_SUNOS && request == PTRACE_SUNATTACH)
39726 + || (current->personality != PER_SUNOS && request == PTRACE_ATTACH)) {
39727 + if (ptrace_attach(child)) {
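Review bot: `gr_handle_ptrace(child, request)` is consulted for every request before the attach branch, and on denial the code does `pt_error_return(regs, EPERM); goto out_tsk;`. The `out_tsk` label is outside this hunk, so please confirm it drops the reference taken on `child`; otherwise a denied request leaks a task reference each time.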
39728 +diff -urNp linux-2.6.24.5/arch/sparc/kernel/sys_sparc.c linux-2.6.24.5/arch/sparc/kernel/sys_sparc.c
39729 +--- linux-2.6.24.5/arch/sparc/kernel/sys_sparc.c 2008-03-24 14:49:18.000000000 -0400
39730 ++++ linux-2.6.24.5/arch/sparc/kernel/sys_sparc.c 2008-03-26 20:21:07.000000000 -0400
39731 +@@ -57,7 +57,7 @@ unsigned long arch_get_unmapped_area(str
39732 + if (ARCH_SUN4C_SUN4 && len > 0x20000000)
39733 + return -ENOMEM;
39734 + if (!addr)
39735 +- addr = TASK_UNMAPPED_BASE;
39736 ++ addr = current->mm->mmap_base;
39737 +
39738 + if (flags & MAP_SHARED)
39739 + addr = COLOUR_ALIGN(addr);
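Review bot: Replacing `TASK_UNMAPPED_BASE` with `current->mm->mmap_base` makes this function depend on `mmap_base` being initialised for every mm on sparc32; if this architecture's `arch_pick_mmap_layout()` does not set it (the hunk does not show that it does), `addr` starts at 0 and the search begins at the bottom of the address space. Please point at where sparc32 sets `mmap_base`, or fall back to `TASK_UNMAPPED_BASE` when it is zero.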
39740 +diff -urNp linux-2.6.24.5/arch/sparc/Makefile linux-2.6.24.5/arch/sparc/Makefile
39741 +--- linux-2.6.24.5/arch/sparc/Makefile 2008-03-24 14:49:18.000000000 -0400
39742 ++++ linux-2.6.24.5/arch/sparc/Makefile 2008-03-26 20:21:07.000000000 -0400
39743 +@@ -36,7 +36,7 @@ drivers-$(CONFIG_OPROFILE) += arch/sparc
39744 + # Renaming is done to avoid confusing pattern matching rules in 2.5.45 (multy-)
39745 + INIT_Y := $(patsubst %/, %/built-in.o, $(init-y))
39746 + CORE_Y := $(core-y)
39747 +-CORE_Y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/
39748 ++CORE_Y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/ grsecurity/
39749 + CORE_Y := $(patsubst %/, %/built-in.o, $(CORE_Y))
39750 + DRIVERS_Y := $(patsubst %/, %/built-in.o, $(drivers-y))
39751 + NET_Y := $(patsubst %/, %/built-in.o, $(net-y))
39752 +diff -urNp linux-2.6.24.5/arch/sparc/mm/fault.c linux-2.6.24.5/arch/sparc/mm/fault.c
39753 +--- linux-2.6.24.5/arch/sparc/mm/fault.c 2008-03-24 14:49:18.000000000 -0400
39754 ++++ linux-2.6.24.5/arch/sparc/mm/fault.c 2008-03-26 20:21:07.000000000 -0400
39755 +@@ -21,6 +21,10 @@
39756 + #include <linux/interrupt.h>
39757 + #include <linux/module.h>
39758 + #include <linux/kdebug.h>
39759 ++#include <linux/slab.h>
39760 ++#include <linux/pagemap.h>
39761 ++#include <linux/compiler.h>
39762 ++#include <linux/binfmts.h>
39763 +
39764 + #include <asm/system.h>
39765 + #include <asm/page.h>
39766 +@@ -216,6 +220,251 @@ static unsigned long compute_si_addr(str
39767 + return safe_compute_effective_address(regs, insn);
39768 + }
39769 +
39770 ++#ifdef CONFIG_PAX_PAGEEXEC
39771 ++void pax_emuplt_close(struct vm_area_struct *vma)
39772 ++{
39773 ++ vma->vm_mm->call_dl_resolve = 0UL;
39774 ++}
39775 ++
39776 ++static struct page *pax_emuplt_nopage(struct vm_area_struct *vma, unsigned long address, int *type)
39777 ++{
39778 ++ struct page *page;
39779 ++ unsigned int *kaddr;
39780 ++
39781 ++ page = alloc_page(GFP_HIGHUSER);
39782 ++ if (!page)
39783 ++ return NOPAGE_OOM;
39784 ++
39785 ++ kaddr = kmap(page);
39786 ++ memset(kaddr, 0, PAGE_SIZE);
39787 ++ kaddr[0] = 0x9DE3BFA8U; /* save */
39788 ++ flush_dcache_page(page);
39789 ++ kunmap(page);
39790 ++ if (type)
39791 ++ *type = VM_FAULT_MAJOR;
39792 ++
39793 ++ return page;
39794 ++}
39795 ++
39796 ++static struct vm_operations_struct pax_vm_ops = {
39797 ++ .close = pax_emuplt_close,
39798 ++ .nopage = pax_emuplt_nopage,
39799 ++};
39800 ++
39801 ++static int pax_insert_vma(struct vm_area_struct *vma, unsigned long addr)
39802 ++{
39803 ++ int ret;
39804 ++
39805 ++ vma->vm_mm = current->mm;
39806 ++ vma->vm_start = addr;
39807 ++ vma->vm_end = addr + PAGE_SIZE;
39808 ++ vma->vm_flags = VM_READ | VM_EXEC | VM_MAYREAD | VM_MAYEXEC;
39809 ++ vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
39810 ++ vma->vm_ops = &pax_vm_ops;
39811 ++
39812 ++ ret = insert_vm_struct(current->mm, vma);
39813 ++ if (ret)
39814 ++ return ret;
39815 ++
39816 ++ ++current->mm->total_vm;
39817 ++ return 0;
39818 ++}
39819 ++
39820 ++/*
39821 ++ * PaX: decide what to do with offenders (regs->pc = fault address)
39822 ++ *
39823 ++ * returns 1 when task should be killed
39824 ++ * 2 when patched PLT trampoline was detected
39825 ++ * 3 when unpatched PLT trampoline was detected
39826 ++ */
39827 ++static int pax_handle_fetch_fault(struct pt_regs *regs)
39828 ++{
39829 ++
39830 ++#ifdef CONFIG_PAX_EMUPLT
39831 ++ int err;
39832 ++
39833 ++ do { /* PaX: patched PLT emulation #1 */
39834 ++ unsigned int sethi1, sethi2, jmpl;
39835 ++
39836 ++ err = get_user(sethi1, (unsigned int *)regs->pc);
39837 ++ err |= get_user(sethi2, (unsigned int *)(regs->pc+4));
39838 ++ err |= get_user(jmpl, (unsigned int *)(regs->pc+8));
39839 ++
39840 ++ if (err)
39841 ++ break;
39842 ++
39843 ++ if ((sethi1 & 0xFFC00000U) == 0x03000000U &&
39844 ++ (sethi2 & 0xFFC00000U) == 0x03000000U &&
39845 ++ (jmpl & 0xFFFFE000U) == 0x81C06000U)
39846 ++ {
39847 ++ unsigned int addr;
39848 ++
39849 ++ regs->u_regs[UREG_G1] = (sethi2 & 0x003FFFFFU) << 10;
39850 ++ addr = regs->u_regs[UREG_G1];
39851 ++ addr += (((jmpl | 0xFFFFE000U) ^ 0x00001000U) + 0x00001000U);
39852 ++ regs->pc = addr;
39853 ++ regs->npc = addr+4;
39854 ++ return 2;
39855 ++ }
39856 ++ } while (0);
39857 ++
39858 ++ { /* PaX: patched PLT emulation #2 */
39859 ++ unsigned int ba;
39860 ++
39861 ++ err = get_user(ba, (unsigned int *)regs->pc);
39862 ++
39863 ++ if (!err && (ba & 0xFFC00000U) == 0x30800000U) {
39864 ++ unsigned int addr;
39865 ++
39866 ++ addr = regs->pc + ((((ba | 0xFFC00000U) ^ 0x00200000U) + 0x00200000U) << 2);
39867 ++ regs->pc = addr;
39868 ++ regs->npc = addr+4;
39869 ++ return 2;
39870 ++ }
39871 ++ }
39872 ++
39873 ++ do { /* PaX: patched PLT emulation #3 */
39874 ++ unsigned int sethi, jmpl, nop;
39875 ++
39876 ++ err = get_user(sethi, (unsigned int *)regs->pc);
39877 ++ err |= get_user(jmpl, (unsigned int *)(regs->pc+4));
39878 ++ err |= get_user(nop, (unsigned int *)(regs->pc+8));
39879 ++
39880 ++ if (err)
39881 ++ break;
39882 ++
39883 ++ if ((sethi & 0xFFC00000U) == 0x03000000U &&
39884 ++ (jmpl & 0xFFFFE000U) == 0x81C06000U &&
39885 ++ nop == 0x01000000U)
39886 ++ {
39887 ++ unsigned int addr;
39888 ++
39889 ++ addr = (sethi & 0x003FFFFFU) << 10;
39890 ++ regs->u_regs[UREG_G1] = addr;
39891 ++ addr += (((jmpl | 0xFFFFE000U) ^ 0x00001000U) + 0x00001000U);
39892 ++ regs->pc = addr;
39893 ++ regs->npc = addr+4;
39894 ++ return 2;
39895 ++ }
39896 ++ } while (0);
39897 ++
39898 ++ do { /* PaX: unpatched PLT emulation step 1 */
39899 ++ unsigned int sethi, ba, nop;
39900 ++
39901 ++ err = get_user(sethi, (unsigned int *)regs->pc);
39902 ++ err |= get_user(ba, (unsigned int *)(regs->pc+4));
39903 ++ err |= get_user(nop, (unsigned int *)(regs->pc+8));
39904 ++
39905 ++ if (err)
39906 ++ break;
39907 ++
39908 ++ if ((sethi & 0xFFC00000U) == 0x03000000U &&
39909 ++ ((ba & 0xFFC00000U) == 0x30800000U || (ba & 0xFFF80000U) == 0x30680000U) &&
39910 ++ nop == 0x01000000U)
39911 ++ {
39912 ++ unsigned int addr, save, call;
39913 ++
39914 ++ if ((ba & 0xFFC00000U) == 0x30800000U)
39915 ++ addr = regs->pc + 4 + ((((ba | 0xFFC00000U) ^ 0x00200000U) + 0x00200000U) << 2);
39916 ++ else
39917 ++ addr = regs->pc + 4 + ((((ba | 0xFFF80000U) ^ 0x00040000U) + 0x00040000U) << 2);
39918 ++
39919 ++ err = get_user(save, (unsigned int *)addr);
39920 ++ err |= get_user(call, (unsigned int *)(addr+4));
39921 ++ err |= get_user(nop, (unsigned int *)(addr+8));
39922 ++ if (err)
39923 ++ break;
39924 ++
39925 ++ if (save == 0x9DE3BFA8U &&
39926 ++ (call & 0xC0000000U) == 0x40000000U &&
39927 ++ nop == 0x01000000U)
39928 ++ {
39929 ++ struct vm_area_struct *vma;
39930 ++ unsigned long call_dl_resolve;
39931 ++
39932 ++ down_read(&current->mm->mmap_sem);
39933 ++ call_dl_resolve = current->mm->call_dl_resolve;
39934 ++ up_read(&current->mm->mmap_sem);
39935 ++ if (likely(call_dl_resolve))
39936 ++ goto emulate;
39937 ++
39938 ++ vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
39939 ++
39940 ++ down_write(&current->mm->mmap_sem);
39941 ++ if (current->mm->call_dl_resolve) {
39942 ++ call_dl_resolve = current->mm->call_dl_resolve;
39943 ++ up_write(&current->mm->mmap_sem);
39944 ++ if (vma) kmem_cache_free(vm_area_cachep, vma);
39945 ++ goto emulate;
39946 ++ }
39947 ++
39948 ++ call_dl_resolve = get_unmapped_area(NULL, 0UL, PAGE_SIZE, 0UL, MAP_PRIVATE);
39949 ++ if (!vma || (call_dl_resolve & ~PAGE_MASK)) {
39950 ++ up_write(&current->mm->mmap_sem);
39951 ++ if (vma) kmem_cache_free(vm_area_cachep, vma);
39952 ++ return 1;
39953 ++ }
39954 ++
39955 ++ if (pax_insert_vma(vma, call_dl_resolve)) {
39956 ++ up_write(&current->mm->mmap_sem);
39957 ++ kmem_cache_free(vm_area_cachep, vma);
39958 ++ return 1;
39959 ++ }
39960 ++
39961 ++ current->mm->call_dl_resolve = call_dl_resolve;
39962 ++ up_write(&current->mm->mmap_sem);
39963 ++
39964 ++emulate:
39965 ++ regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
39966 ++ regs->pc = call_dl_resolve;
39967 ++ regs->npc = addr+4;
39968 ++ return 3;
39969 ++ }
39970 ++ }
39971 ++ } while (0);
39972 ++
39973 ++ do { /* PaX: unpatched PLT emulation step 2 */
39974 ++ unsigned int save, call, nop;
39975 ++
39976 ++ err = get_user(save, (unsigned int *)(regs->pc-4));
39977 ++ err |= get_user(call, (unsigned int *)regs->pc);
39978 ++ err |= get_user(nop, (unsigned int *)(regs->pc+4));
39979 ++ if (err)
39980 ++ break;
39981 ++
39982 ++ if (save == 0x9DE3BFA8U &&
39983 ++ (call & 0xC0000000U) == 0x40000000U &&
39984 ++ nop == 0x01000000U)
39985 ++ {
39986 ++ unsigned int dl_resolve = regs->pc + ((((call | 0xC0000000U) ^ 0x20000000U) + 0x20000000U) << 2);
39987 ++
39988 ++ regs->u_regs[UREG_RETPC] = regs->pc;
39989 ++ regs->pc = dl_resolve;
39990 ++ regs->npc = dl_resolve+4;
39991 ++ return 3;
39992 ++ }
39993 ++ } while (0);
39994 ++#endif
39995 ++
39996 ++ return 1;
39997 ++}
39998 ++
39999 ++void pax_report_insns(void *pc, void *sp)
40000 ++{
40001 ++ unsigned long i;
40002 ++
40003 ++ printk(KERN_ERR "PAX: bytes at PC: ");
40004 ++ for (i = 0; i < 5; i++) {
40005 ++ unsigned int c;
40006 ++ if (get_user(c, (unsigned int *)pc+i))
40007 ++ printk("???????? ");
40008 ++ else
40009 ++ printk("%08x ", c);
40010 ++ }
40011 ++ printk("\n");
40012 ++}
40013 ++#endif
40014 ++
40015 + asmlinkage void do_sparc_fault(struct pt_regs *regs, int text_fault, int write,
40016 + unsigned long address)
40017 + {
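Review bot: the sparc32 EMUPLT helpers in this hunk (pax_emuplt_close, pax_emuplt_nopage, pax_vm_ops, pax_insert_vma) are guarded only by CONFIG_PAX_PAGEEXEC, and pax_emuplt_close is not static, whereas the sparc64 copy of the same code later in this patch wraps them in #ifdef CONFIG_PAX_EMUPLT and makes them all static. With PAGEEXEC=y and EMUPLT=n the sparc32 build carries unused static functions plus a needlessly global pax_emuplt_close; add the CONFIG_PAX_EMUPLT guard and the static qualifier as in the sparc64 version so the two arches stay in step. Separately, both copies hook .nopage, which 2.6.23 superseded with .fault and which is on its way out; converting to .fault now will save work when this is forward-ported.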
40018 +@@ -280,6 +529,24 @@ good_area:
40019 + if(!(vma->vm_flags & VM_WRITE))
40020 + goto bad_area;
40021 + } else {
40022 ++
40023 ++#ifdef CONFIG_PAX_PAGEEXEC
40024 ++ if ((mm->pax_flags & MF_PAX_PAGEEXEC) && text_fault && !(vma->vm_flags & VM_EXEC)) {
40025 ++ up_read(&mm->mmap_sem);
40026 ++ switch (pax_handle_fetch_fault(regs)) {
40027 ++
40028 ++#ifdef CONFIG_PAX_EMUPLT
40029 ++ case 2:
40030 ++ case 3:
40031 ++ return;
40032 ++#endif
40033 ++
40034 ++ }
40035 ++ pax_report_fault(regs, (void *)regs->pc, (void *)regs->u_regs[UREG_FP]);
40036 ++ do_group_exit(SIGKILL);
40037 ++ }
40038 ++#endif
40039 ++
40040 + /* Allow reads even for write-only mappings */
40041 + if(!(vma->vm_flags & (VM_READ | VM_EXEC)))
40042 + goto bad_area;
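Review bot: the switch on pax_handle_fetch_fault() has no default arm, so the kill path (return value 1, and every value when CONFIG_PAX_EMUPLT is off) is reached by falling out of an empty switch body. Spell it out as "default: break;" with a one-line comment, and note beside do_group_exit(SIGKILL) that mmap_sem was already dropped by the up_read() above and that do_group_exit() does not return; a reader auditing lock balance in do_sparc_fault() otherwise sees an up_read() with no matching re-acquire on this path.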
40043 +diff -urNp linux-2.6.24.5/arch/sparc/mm/init.c linux-2.6.24.5/arch/sparc/mm/init.c
40044 +--- linux-2.6.24.5/arch/sparc/mm/init.c 2008-03-24 14:49:18.000000000 -0400
40045 ++++ linux-2.6.24.5/arch/sparc/mm/init.c 2008-03-26 20:21:07.000000000 -0400
40046 +@@ -336,17 +336,17 @@ void __init paging_init(void)
40047 +
40048 + /* Initialize the protection map with non-constant, MMU dependent values. */
40049 + protection_map[0] = PAGE_NONE;
40050 +- protection_map[1] = PAGE_READONLY;
40051 +- protection_map[2] = PAGE_COPY;
40052 +- protection_map[3] = PAGE_COPY;
40053 ++ protection_map[1] = PAGE_READONLY_NOEXEC;
40054 ++ protection_map[2] = PAGE_COPY_NOEXEC;
40055 ++ protection_map[3] = PAGE_COPY_NOEXEC;
40056 + protection_map[4] = PAGE_READONLY;
40057 + protection_map[5] = PAGE_READONLY;
40058 + protection_map[6] = PAGE_COPY;
40059 + protection_map[7] = PAGE_COPY;
40060 + protection_map[8] = PAGE_NONE;
40061 +- protection_map[9] = PAGE_READONLY;
40062 +- protection_map[10] = PAGE_SHARED;
40063 +- protection_map[11] = PAGE_SHARED;
40064 ++ protection_map[9] = PAGE_READONLY_NOEXEC;
40065 ++ protection_map[10] = PAGE_SHARED_NOEXEC;
40066 ++ protection_map[11] = PAGE_SHARED_NOEXEC;
40067 + protection_map[12] = PAGE_READONLY;
40068 + protection_map[13] = PAGE_READONLY;
40069 + protection_map[14] = PAGE_SHARED;
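Review bot: this rewrite of protection_map[] is unconditional, while the srmmu.c hunk that follows initialises PAGE_SHARED_NOEXEC, page_copy_noexec and page_readonly_noexec only under #ifdef CONFIG_PAX_PAGEEXEC. Either guard this hunk the same way (keeping the original PAGE_READONLY/PAGE_COPY/PAGE_SHARED entries when PAGEEXEC is off) or make sure the *_NOEXEC names resolve to the executable variants in that configuration; as written, a PAGEEXEC=n kernel can install never-set BTFIXUP values into entries 1, 2, 3, 9, 10 and 11 of the protection map.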
40070 +diff -urNp linux-2.6.24.5/arch/sparc/mm/srmmu.c linux-2.6.24.5/arch/sparc/mm/srmmu.c
40071 +--- linux-2.6.24.5/arch/sparc/mm/srmmu.c 2008-03-24 14:49:18.000000000 -0400
40072 ++++ linux-2.6.24.5/arch/sparc/mm/srmmu.c 2008-03-26 20:21:07.000000000 -0400
40073 +@@ -2157,6 +2157,13 @@ void __init ld_mmu_srmmu(void)
40074 + PAGE_SHARED = pgprot_val(SRMMU_PAGE_SHARED);
40075 + BTFIXUPSET_INT(page_copy, pgprot_val(SRMMU_PAGE_COPY));
40076 + BTFIXUPSET_INT(page_readonly, pgprot_val(SRMMU_PAGE_RDONLY));
40077 ++
40078 ++#ifdef CONFIG_PAX_PAGEEXEC
40079 ++ PAGE_SHARED_NOEXEC = pgprot_val(SRMMU_PAGE_SHARED_NOEXEC);
40080 ++ BTFIXUPSET_INT(page_copy_noexec, pgprot_val(SRMMU_PAGE_COPY_NOEXEC));
40081 ++ BTFIXUPSET_INT(page_readonly_noexec, pgprot_val(SRMMU_PAGE_RDONLY_NOEXEC));
40082 ++#endif
40083 ++
40084 + BTFIXUPSET_INT(page_kernel, pgprot_val(SRMMU_PAGE_KERNEL));
40085 + page_kernel = pgprot_val(SRMMU_PAGE_KERNEL);
40086 +
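Review bot: only the srmmu backend learns the no-exec page protections here, but sparc32 also selects the sun4c MMU at run time (ld_mmu_sun4c in arch/sparc/mm/sun4c.c), which this patch does not touch, while the init.c hunk above references PAGE_COPY_NOEXEC and PAGE_READONLY_NOEXEC for every MMU. Either add the matching BTFIXUPSET_INT lines for sun4c (falling back to the executable protections if that MMU cannot express no-exec) or make PAX_PAGEEXEC depend on the srmmu configuration in Kconfig, and say which in the patch description.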
40087 +diff -urNp linux-2.6.24.5/arch/sparc64/kernel/Makefile linux-2.6.24.5/arch/sparc64/kernel/Makefile
40088 +--- linux-2.6.24.5/arch/sparc64/kernel/Makefile 2008-03-24 14:49:18.000000000 -0400
40089 ++++ linux-2.6.24.5/arch/sparc64/kernel/Makefile 2008-03-26 20:21:07.000000000 -0400
40090 +@@ -3,7 +3,7 @@
40091 + #
40092 +
40093 + EXTRA_AFLAGS := -ansi
40094 +-EXTRA_CFLAGS := -Werror
40095 ++#EXTRA_CFLAGS := -Werror
40096 +
40097 + extra-y := head.o init_task.o vmlinux.lds
40098 +
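Review bot: commenting out "EXTRA_CFLAGS := -Werror" for all of arch/sparc64/kernel hides every warning in the directory, including ones later changes introduce, instead of fixing the warnings this patch causes. Prefer fixing the offending code; if a warning is genuinely unavoidable, disable -Werror for the single object with CFLAGS_<file>.o and record which warning it is in the patch description.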
40099 +diff -urNp linux-2.6.24.5/arch/sparc64/kernel/ptrace.c linux-2.6.24.5/arch/sparc64/kernel/ptrace.c
40100 +--- linux-2.6.24.5/arch/sparc64/kernel/ptrace.c 2008-04-17 20:05:17.000000000 -0400
40101 ++++ linux-2.6.24.5/arch/sparc64/kernel/ptrace.c 2008-04-17 20:05:00.000000000 -0400
40102 +@@ -22,6 +22,7 @@
40103 + #include <linux/seccomp.h>
40104 + #include <linux/audit.h>
40105 + #include <linux/signal.h>
40106 ++#include <linux/grsecurity.h>
40107 +
40108 + #include <asm/asi.h>
40109 + #include <asm/pgtable.h>
40110 +@@ -220,6 +221,11 @@ asmlinkage void do_ptrace(struct pt_regs
40111 + goto out;
40112 + }
40113 +
40114 ++ if (gr_handle_ptrace(child, (long)request)) {
40115 ++ pt_error_return(regs, EPERM);
40116 ++ goto out_tsk;
40117 ++ }
40118 ++
40119 + if ((current->personality == PER_SUNOS && request == PTRACE_SUNATTACH)
40120 + || (current->personality != PER_SUNOS && request == PTRACE_ATTACH)) {
40121 + if (ptrace_attach(child)) {
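Review bot: the gr_handle_ptrace() check sits after the child lookup and before the PTRACE_ATTACH/PTRACE_SUNATTACH branch, so it gates every request that names a target task while PTRACE_TRACEME, which already left via "goto out" above, is not covered; that is presumably intended and deserves a comment. The error path uses out_tsk rather than out, which is the right label once child has been looked up, but double-check that out_tsk also drops the reference taken on child. Finally, confirm that gr_handle_ptrace() is provided as a no-op returning 0 when the kernel is built with PaX but without the grsecurity ptrace restrictions, otherwise this file fails to link in that configuration.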
40122 +diff -urNp linux-2.6.24.5/arch/sparc64/kernel/sys_sparc.c linux-2.6.24.5/arch/sparc64/kernel/sys_sparc.c
40123 +--- linux-2.6.24.5/arch/sparc64/kernel/sys_sparc.c 2008-03-24 14:49:18.000000000 -0400
40124 ++++ linux-2.6.24.5/arch/sparc64/kernel/sys_sparc.c 2008-03-26 20:21:07.000000000 -0400
40125 +@@ -123,7 +123,7 @@ unsigned long arch_get_unmapped_area(str
40126 + /* We do not accept a shared mapping if it would violate
40127 + * cache aliasing constraints.
40128 + */
40129 +- if ((flags & MAP_SHARED) &&
40130 ++ if ((filp || (flags & MAP_SHARED)) &&
40131 + ((addr - (pgoff << PAGE_SHIFT)) & (SHMLBA - 1)))
40132 + return -EINVAL;
40133 + return addr;
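Review bot: widening the MAP_FIXED cache-colour check from MAP_SHARED to "filp || (flags & MAP_SHARED)" is a user-visible change: a MAP_FIXED private file mapping whose address is not SHMLBA-consistent with pgoff now fails with -EINVAL where it used to succeed. It does bring the fixed path in line with the do_color_align rule applied to unfixed mappings a few lines below, but it is a D-cache aliasing correctness fix rather than a PaX feature, so split it into its own patch with that rationale (and ideally send it upstream).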
40134 +@@ -138,6 +138,10 @@ unsigned long arch_get_unmapped_area(str
40135 + if (filp || (flags & MAP_SHARED))
40136 + do_color_align = 1;
40137 +
40138 ++#ifdef CONFIG_PAX_RANDMMAP
40139 ++ if (!(mm->pax_flags & MF_PAX_RANDMMAP) || !filp)
40140 ++#endif
40141 ++
40142 + if (addr) {
40143 + if (do_color_align)
40144 + addr = COLOUR_ALIGN(addr, pgoff);
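Review bot: the #ifdef CONFIG_PAX_RANDMMAP block wraps a bare "if (...)" whose controlled statement is the original "if (addr) {" that follows it; any statement inserted between the two, or an #ifdef reshuffle, silently changes what the RANDMMAP condition governs. Fold the condition into the existing test instead, for example "if (addr && (!(mm->pax_flags & MF_PAX_RANDMMAP) || !filp))" with the PaX part behind a macro that expands to true when RANDMMAP is not configured, and add a one-line comment saying why the caller's hint is ignored for file-backed mappings under RANDMMAP.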
40145 +@@ -151,9 +155,9 @@ unsigned long arch_get_unmapped_area(str
40146 + }
40147 +
40148 + if (len > mm->cached_hole_size) {
40149 +- start_addr = addr = mm->free_area_cache;
40150 ++ start_addr = addr = mm->free_area_cache;
40151 + } else {
40152 +- start_addr = addr = TASK_UNMAPPED_BASE;
40153 ++ start_addr = addr = mm->mmap_base;
40154 + mm->cached_hole_size = 0;
40155 + }
40156 +
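Review bot: the first -/+ pair in this hunk ("start_addr = addr = mm->free_area_cache;") differs only in whitespace (the extracted text is identical) and should be dropped to keep the hunk minimal; the only change needed here is TASK_UNMAPPED_BASE to mm->mmap_base so the bottom-up search honours the base chosen in arch_pick_mmap_layout().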
40157 +@@ -173,8 +177,8 @@ full_search:
40158 + vma = find_vma(mm, VA_EXCLUDE_END);
40159 + }
40160 + if (unlikely(task_size < addr)) {
40161 +- if (start_addr != TASK_UNMAPPED_BASE) {
40162 +- start_addr = addr = TASK_UNMAPPED_BASE;
40163 ++ if (start_addr != mm->mmap_base) {
40164 ++ start_addr = addr = mm->mmap_base;
40165 + mm->cached_hole_size = 0;
40166 + goto full_search;
40167 + }
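Review bot: same TASK_UNMAPPED_BASE to mm->mmap_base substitution as in the previous hunk, which is required for consistency, but note the consequence: once the search wraps at task_size it restarts at mm->mmap_base, so the gap below the randomised base is never searched. That is the intended behaviour and should be said in a comment so nobody later "restores" TASK_UNMAPPED_BASE here.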
40168 +@@ -214,7 +218,7 @@ arch_get_unmapped_area_topdown(struct fi
40169 + /* We do not accept a shared mapping if it would violate
40170 + * cache aliasing constraints.
40171 + */
40172 +- if ((flags & MAP_SHARED) &&
40173 ++ if ((filp || (flags & MAP_SHARED)) &&
40174 + ((addr - (pgoff << PAGE_SHIFT)) & (SHMLBA - 1)))
40175 + return -EINVAL;
40176 + return addr;
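Review bot: this is the second copy of the "filp || (flags & MAP_SHARED)" alignment rule (the first is in arch_get_unmapped_area() above); with both paths now agreeing, pull the test into a small static helper shared by the bottom-up and top-down allocators so the two cannot drift apart again, and keep it in the same split-out patch as the first copy.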
40177 +@@ -377,6 +381,12 @@ void arch_pick_mmap_layout(struct mm_str
40178 + current->signal->rlim[RLIMIT_STACK].rlim_cur == RLIM_INFINITY ||
40179 + sysctl_legacy_va_layout) {
40180 + mm->mmap_base = TASK_UNMAPPED_BASE + random_factor;
40181 ++
40182 ++#ifdef CONFIG_PAX_RANDMMAP
40183 ++ if (mm->pax_flags & MF_PAX_RANDMMAP)
40184 ++ mm->mmap_base += mm->delta_mmap;
40185 ++#endif
40186 ++
40187 + mm->get_unmapped_area = arch_get_unmapped_area;
40188 + mm->unmap_area = arch_unmap_area;
40189 + } else {
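Review bot: mm->delta_mmap is added on top of upstream's own random_factor, so under RANDMMAP the legacy-layout base is offset twice. State in the description whether random_factor is expected to be zero for PaX tasks (PF_RANDOMIZE cleared) or whether the two offsets are meant to combine, and in the latter case check that TASK_UNMAPPED_BASE + random_factor + delta_mmap cannot exceed the range delta_mmap was bounded for.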
40190 +@@ -391,6 +401,12 @@ void arch_pick_mmap_layout(struct mm_str
40191 + gap = (task_size / 6 * 5);
40192 +
40193 + mm->mmap_base = PAGE_ALIGN(task_size - gap - random_factor);
40194 ++
40195 ++#ifdef CONFIG_PAX_RANDMMAP
40196 ++ if (mm->pax_flags & MF_PAX_RANDMMAP)
40197 ++ mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
40198 ++#endif
40199 ++
40200 + mm->get_unmapped_area = arch_get_unmapped_area_topdown;
40201 + mm->unmap_area = arch_unmap_area_topdown;
40202 + }
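Review bot: the top-down branch subtracts delta_mmap + delta_stack while the legacy branch above adds only delta_mmap; the asymmetry is presumably because the top-down base must also sit below the randomised stack gap, but that reasoning belongs in a comment. Also, mm->mmap_base was just PAGE_ALIGN()ed, so delta_mmap and delta_stack must be page multiples for it to stay aligned; document that invariant where the deltas are generated, or re-apply PAGE_ALIGN after the subtraction.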
40203 +diff -urNp linux-2.6.24.5/arch/sparc64/mm/fault.c linux-2.6.24.5/arch/sparc64/mm/fault.c
40204 +--- linux-2.6.24.5/arch/sparc64/mm/fault.c 2008-03-24 14:49:18.000000000 -0400
40205 ++++ linux-2.6.24.5/arch/sparc64/mm/fault.c 2008-03-26 20:21:07.000000000 -0400
40206 +@@ -20,6 +20,10 @@
40207 + #include <linux/kprobes.h>
40208 + #include <linux/kallsyms.h>
40209 + #include <linux/kdebug.h>
40210 ++#include <linux/slab.h>
40211 ++#include <linux/pagemap.h>
40212 ++#include <linux/compiler.h>
40213 ++#include <linux/binfmts.h>
40214 +
40215 + #include <asm/page.h>
40216 + #include <asm/pgtable.h>
40217 +@@ -262,6 +266,368 @@ cannot_handle:
40218 + unhandled_fault (address, current, regs);
40219 + }
40220 +
40221 ++#ifdef CONFIG_PAX_PAGEEXEC
40222 ++#ifdef CONFIG_PAX_EMUPLT
40223 ++static void pax_emuplt_close(struct vm_area_struct *vma)
40224 ++{
40225 ++ vma->vm_mm->call_dl_resolve = 0UL;
40226 ++}
40227 ++
40228 ++static struct page *pax_emuplt_nopage(struct vm_area_struct *vma, unsigned long address, int *type)
40229 ++{
40230 ++ struct page *page;
40231 ++ unsigned int *kaddr;
40232 ++
40233 ++ page = alloc_page(GFP_HIGHUSER);
40234 ++ if (!page)
40235 ++ return NOPAGE_OOM;
40236 ++
40237 ++ kaddr = kmap(page);
40238 ++ memset(kaddr, 0, PAGE_SIZE);
40239 ++ kaddr[0] = 0x9DE3BFA8U; /* save */
40240 ++ flush_dcache_page(page);
40241 ++ kunmap(page);
40242 ++ if (type)
40243 ++ *type = VM_FAULT_MAJOR;
40244 ++ return page;
40245 ++}
40246 ++
40247 ++static struct vm_operations_struct pax_vm_ops = {
40248 ++ .close = pax_emuplt_close,
40249 ++ .nopage = pax_emuplt_nopage,
40250 ++};
40251 ++
40252 ++static int pax_insert_vma(struct vm_area_struct *vma, unsigned long addr)
40253 ++{
40254 ++ int ret;
40255 ++
40256 ++ vma->vm_mm = current->mm;
40257 ++ vma->vm_start = addr;
40258 ++ vma->vm_end = addr + PAGE_SIZE;
40259 ++ vma->vm_flags = VM_READ | VM_EXEC | VM_MAYREAD | VM_MAYEXEC;
40260 ++ vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
40261 ++ vma->vm_ops = &pax_vm_ops;
40262 ++
40263 ++ ret = insert_vm_struct(current->mm, vma);
40264 ++ if (ret)
40265 ++ return ret;
40266 ++
40267 ++ ++current->mm->total_vm;
40268 ++ return 0;
40269 ++}
40270 ++#endif
40271 ++
40272 ++/*
40273 ++ * PaX: decide what to do with offenders (regs->tpc = fault address)
40274 ++ *
40275 ++ * returns 1 when task should be killed
40276 ++ * 2 when patched PLT trampoline was detected
40277 ++ * 3 when unpatched PLT trampoline was detected
40278 ++ */
40279 ++static int pax_handle_fetch_fault(struct pt_regs *regs)
40280 ++{
40281 ++
40282 ++#ifdef CONFIG_PAX_EMUPLT
40283 ++ int err;
40284 ++
40285 ++ do { /* PaX: patched PLT emulation #1 */
40286 ++ unsigned int sethi1, sethi2, jmpl;
40287 ++
40288 ++ err = get_user(sethi1, (unsigned int *)regs->tpc);
40289 ++ err |= get_user(sethi2, (unsigned int *)(regs->tpc+4));
40290 ++ err |= get_user(jmpl, (unsigned int *)(regs->tpc+8));
40291 ++
40292 ++ if (err)
40293 ++ break;
40294 ++
40295 ++ if ((sethi1 & 0xFFC00000U) == 0x03000000U &&
40296 ++ (sethi2 & 0xFFC00000U) == 0x03000000U &&
40297 ++ (jmpl & 0xFFFFE000U) == 0x81C06000U)
40298 ++ {
40299 ++ unsigned long addr;
40300 ++
40301 ++ regs->u_regs[UREG_G1] = (sethi2 & 0x003FFFFFU) << 10;
40302 ++ addr = regs->u_regs[UREG_G1];
40303 ++ addr += (((jmpl | 0xFFFFFFFFFFFFE000UL) ^ 0x00001000UL) + 0x00001000UL);
40304 ++ regs->tpc = addr;
40305 ++ regs->tnpc = addr+4;
40306 ++ return 2;
40307 ++ }
40308 ++ } while (0);
40309 ++
40310 ++ { /* PaX: patched PLT emulation #2 */
40311 ++ unsigned int ba;
40312 ++
40313 ++ err = get_user(ba, (unsigned int *)regs->tpc);
40314 ++
40315 ++ if (!err && (ba & 0xFFC00000U) == 0x30800000U) {
40316 ++ unsigned long addr;
40317 ++
40318 ++ addr = regs->tpc + ((((ba | 0xFFFFFFFFFFC00000UL) ^ 0x00200000UL) + 0x00200000UL) << 2);
40319 ++ regs->tpc = addr;
40320 ++ regs->tnpc = addr+4;
40321 ++ return 2;
40322 ++ }
40323 ++ }
40324 ++
40325 ++ do { /* PaX: patched PLT emulation #3 */
40326 ++ unsigned int sethi, jmpl, nop;
40327 ++
40328 ++ err = get_user(sethi, (unsigned int *)regs->tpc);
40329 ++ err |= get_user(jmpl, (unsigned int *)(regs->tpc+4));
40330 ++ err |= get_user(nop, (unsigned int *)(regs->tpc+8));
40331 ++
40332 ++ if (err)
40333 ++ break;
40334 ++
40335 ++ if ((sethi & 0xFFC00000U) == 0x03000000U &&
40336 ++ (jmpl & 0xFFFFE000U) == 0x81C06000U &&
40337 ++ nop == 0x01000000U)
40338 ++ {
40339 ++ unsigned long addr;
40340 ++
40341 ++ addr = (sethi & 0x003FFFFFU) << 10;
40342 ++ regs->u_regs[UREG_G1] = addr;
40343 ++ addr += (((jmpl | 0xFFFFFFFFFFFFE000UL) ^ 0x00001000UL) + 0x00001000UL);
40344 ++ regs->tpc = addr;
40345 ++ regs->tnpc = addr+4;
40346 ++ return 2;
40347 ++ }
40348 ++ } while (0);
40349 ++
40350 ++ do { /* PaX: patched PLT emulation #4 */
40351 ++ unsigned int mov1, call, mov2;
40352 ++
40353 ++ err = get_user(mov1, (unsigned int *)regs->tpc);
40354 ++ err |= get_user(call, (unsigned int *)(regs->tpc+4));
40355 ++ err |= get_user(mov2, (unsigned int *)(regs->tpc+8));
40356 ++
40357 ++ if (err)
40358 ++ break;
40359 ++
40360 ++ if (mov1 == 0x8210000FU &&
40361 ++ (call & 0xC0000000U) == 0x40000000U &&
40362 ++ mov2 == 0x9E100001U)
40363 ++ {
40364 ++ unsigned long addr;
40365 ++
40366 ++ regs->u_regs[UREG_G1] = regs->u_regs[UREG_RETPC];
40367 ++ addr = regs->tpc + 4 + ((((call | 0xFFFFFFFFC0000000UL) ^ 0x20000000UL) + 0x20000000UL) << 2);
40368 ++ regs->tpc = addr;
40369 ++ regs->tnpc = addr+4;
40370 ++ return 2;
40371 ++ }
40372 ++ } while (0);
40373 ++
40374 ++ do { /* PaX: patched PLT emulation #5 */
40375 ++ unsigned int sethi1, sethi2, or1, or2, sllx, jmpl, nop;
40376 ++
40377 ++ err = get_user(sethi1, (unsigned int *)regs->tpc);
40378 ++ err |= get_user(sethi2, (unsigned int *)(regs->tpc+4));
40379 ++ err |= get_user(or1, (unsigned int *)(regs->tpc+8));
40380 ++ err |= get_user(or2, (unsigned int *)(regs->tpc+12));
40381 ++ err |= get_user(sllx, (unsigned int *)(regs->tpc+16));
40382 ++ err |= get_user(jmpl, (unsigned int *)(regs->tpc+20));
40383 ++ err |= get_user(nop, (unsigned int *)(regs->tpc+24));
40384 ++
40385 ++ if (err)
40386 ++ break;
40387 ++
40388 ++ if ((sethi1 & 0xFFC00000U) == 0x03000000U &&
40389 ++ (sethi2 & 0xFFC00000U) == 0x0B000000U &&
40390 ++ (or1 & 0xFFFFE000U) == 0x82106000U &&
40391 ++ (or2 & 0xFFFFE000U) == 0x8A116000U &&
40392 ++ sllx == 0x83287020 &&
40393 ++ jmpl == 0x81C04005U &&
40394 ++ nop == 0x01000000U)
40395 ++ {
40396 ++ unsigned long addr;
40397 ++
40398 ++ regs->u_regs[UREG_G1] = ((sethi1 & 0x003FFFFFU) << 10) | (or1 & 0x000003FFU);
40399 ++ regs->u_regs[UREG_G1] <<= 32;
40400 ++ regs->u_regs[UREG_G5] = ((sethi2 & 0x003FFFFFU) << 10) | (or2 & 0x000003FFU);
40401 ++ addr = regs->u_regs[UREG_G1] + regs->u_regs[UREG_G5];
40402 ++ regs->tpc = addr;
40403 ++ regs->tnpc = addr+4;
40404 ++ return 2;
40405 ++ }
40406 ++ } while (0);
40407 ++
40408 ++ do { /* PaX: patched PLT emulation #6 */
40409 ++ unsigned int sethi1, sethi2, sllx, or, jmpl, nop;
40410 ++
40411 ++ err = get_user(sethi1, (unsigned int *)regs->tpc);
40412 ++ err |= get_user(sethi2, (unsigned int *)(regs->tpc+4));
40413 ++ err |= get_user(sllx, (unsigned int *)(regs->tpc+8));
40414 ++ err |= get_user(or, (unsigned int *)(regs->tpc+12));
40415 ++ err |= get_user(jmpl, (unsigned int *)(regs->tpc+16));
40416 ++ err |= get_user(nop, (unsigned int *)(regs->tpc+20));
40417 ++
40418 ++ if (err)
40419 ++ break;
40420 ++
40421 ++ if ((sethi1 & 0xFFC00000U) == 0x03000000U &&
40422 ++ (sethi2 & 0xFFC00000U) == 0x0B000000U &&
40423 ++ sllx == 0x83287020 &&
40424 ++ (or & 0xFFFFE000U) == 0x8A116000U &&
40425 ++ jmpl == 0x81C04005U &&
40426 ++ nop == 0x01000000U)
40427 ++ {
40428 ++ unsigned long addr;
40429 ++
40430 ++ regs->u_regs[UREG_G1] = (sethi1 & 0x003FFFFFU) << 10;
40431 ++ regs->u_regs[UREG_G1] <<= 32;
40432 ++ regs->u_regs[UREG_G5] = ((sethi2 & 0x003FFFFFU) << 10) | (or & 0x3FFU);
40433 ++ addr = regs->u_regs[UREG_G1] + regs->u_regs[UREG_G5];
40434 ++ regs->tpc = addr;
40435 ++ regs->tnpc = addr+4;
40436 ++ return 2;
40437 ++ }
40438 ++ } while (0);
40439 ++
40440 ++ do { /* PaX: patched PLT emulation #7 */
40441 ++ unsigned int sethi, ba, nop;
40442 ++
40443 ++ err = get_user(sethi, (unsigned int *)regs->tpc);
40444 ++ err |= get_user(ba, (unsigned int *)(regs->tpc+4));
40445 ++ err |= get_user(nop, (unsigned int *)(regs->tpc+8));
40446 ++
40447 ++ if (err)
40448 ++ break;
40449 ++
40450 ++ if ((sethi & 0xFFC00000U) == 0x03000000U &&
40451 ++ (ba & 0xFFF00000U) == 0x30600000U &&
40452 ++ nop == 0x01000000U)
40453 ++ {
40454 ++ unsigned long addr;
40455 ++
40456 ++ addr = (sethi & 0x003FFFFFU) << 10;
40457 ++ regs->u_regs[UREG_G1] = addr;
40458 ++ addr = regs->tpc + ((((ba | 0xFFFFFFFFFFF80000UL) ^ 0x00040000UL) + 0x00040000UL) << 2);
40459 ++ regs->tpc = addr;
40460 ++ regs->tnpc = addr+4;
40461 ++ return 2;
40462 ++ }
40463 ++ } while (0);
40464 ++
40465 ++ do { /* PaX: unpatched PLT emulation step 1 */
40466 ++ unsigned int sethi, ba, nop;
40467 ++
40468 ++ err = get_user(sethi, (unsigned int *)regs->tpc);
40469 ++ err |= get_user(ba, (unsigned int *)(regs->tpc+4));
40470 ++ err |= get_user(nop, (unsigned int *)(regs->tpc+8));
40471 ++
40472 ++ if (err)
40473 ++ break;
40474 ++
40475 ++ if ((sethi & 0xFFC00000U) == 0x03000000U &&
40476 ++ ((ba & 0xFFC00000U) == 0x30800000U || (ba & 0xFFF80000U) == 0x30680000U) &&
40477 ++ nop == 0x01000000U)
40478 ++ {
40479 ++ unsigned long addr;
40480 ++ unsigned int save, call;
40481 ++
40482 ++ if ((ba & 0xFFC00000U) == 0x30800000U)
40483 ++ addr = regs->tpc + 4 + ((((ba | 0xFFFFFFFFFFC00000UL) ^ 0x00200000UL) + 0x00200000UL) << 2);
40484 ++ else
40485 ++ addr = regs->tpc + 4 + ((((ba | 0xFFFFFFFFFFF80000UL) ^ 0x00040000UL) + 0x00040000UL) << 2);
40486 ++
40487 ++ err = get_user(save, (unsigned int *)addr);
40488 ++ err |= get_user(call, (unsigned int *)(addr+4));
40489 ++ err |= get_user(nop, (unsigned int *)(addr+8));
40490 ++ if (err)
40491 ++ break;
40492 ++
40493 ++ if (save == 0x9DE3BFA8U &&
40494 ++ (call & 0xC0000000U) == 0x40000000U &&
40495 ++ nop == 0x01000000U)
40496 ++ {
40497 ++ struct vm_area_struct *vma;
40498 ++ unsigned long call_dl_resolve;
40499 ++
40500 ++ down_read(&current->mm->mmap_sem);
40501 ++ call_dl_resolve = current->mm->call_dl_resolve;
40502 ++ up_read(&current->mm->mmap_sem);
40503 ++ if (likely(call_dl_resolve))
40504 ++ goto emulate;
40505 ++
40506 ++ vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
40507 ++
40508 ++ down_write(&current->mm->mmap_sem);
40509 ++ if (current->mm->call_dl_resolve) {
40510 ++ call_dl_resolve = current->mm->call_dl_resolve;
40511 ++ up_write(&current->mm->mmap_sem);
40512 ++ if (vma) kmem_cache_free(vm_area_cachep, vma);
40513 ++ goto emulate;
40514 ++ }
40515 ++
40516 ++ call_dl_resolve = get_unmapped_area(NULL, 0UL, PAGE_SIZE, 0UL, MAP_PRIVATE);
40517 ++ if (!vma || (call_dl_resolve & ~PAGE_MASK)) {
40518 ++ up_write(&current->mm->mmap_sem);
40519 ++ if (vma) kmem_cache_free(vm_area_cachep, vma);
40520 ++ return 1;
40521 ++ }
40522 ++
40523 ++ if (pax_insert_vma(vma, call_dl_resolve)) {
40524 ++ up_write(&current->mm->mmap_sem);
40525 ++ kmem_cache_free(vm_area_cachep, vma);
40526 ++ return 1;
40527 ++ }
40528 ++
40529 ++ current->mm->call_dl_resolve = call_dl_resolve;
40530 ++ up_write(&current->mm->mmap_sem);
40531 ++
40532 ++emulate:
40533 ++ regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
40534 ++ regs->tpc = call_dl_resolve;
40535 ++ regs->tnpc = addr+4;
40536 ++ return 3;
40537 ++ }
40538 ++ }
40539 ++ } while (0);
40540 ++
40541 ++ do { /* PaX: unpatched PLT emulation step 2 */
40542 ++ unsigned int save, call, nop;
40543 ++
40544 ++ err = get_user(save, (unsigned int *)(regs->tpc-4));
40545 ++ err |= get_user(call, (unsigned int *)regs->tpc);
40546 ++ err |= get_user(nop, (unsigned int *)(regs->tpc+4));
40547 ++ if (err)
40548 ++ break;
40549 ++
40550 ++ if (save == 0x9DE3BFA8U &&
40551 ++ (call & 0xC0000000U) == 0x40000000U &&
40552 ++ nop == 0x01000000U)
40553 ++ {
40554 ++ unsigned long dl_resolve = regs->tpc + ((((call | 0xFFFFFFFFC0000000UL) ^ 0x20000000UL) + 0x20000000UL) << 2);
40555 ++
40556 ++ regs->u_regs[UREG_RETPC] = regs->tpc;
40557 ++ regs->tpc = dl_resolve;
40558 ++ regs->tnpc = dl_resolve+4;
40559 ++ return 3;
40560 ++ }
40561 ++ } while (0);
40562 ++#endif
40563 ++
40564 ++ return 1;
40565 ++}
40566 ++
40567 ++void pax_report_insns(void *pc, void *sp)
40568 ++{
40569 ++ unsigned long i;
40570 ++
40571 ++ printk(KERN_ERR "PAX: bytes at PC: ");
40572 ++ for (i = 0; i < 5; i++) {
40573 ++ unsigned int c;
40574 ++ if (get_user(c, (unsigned int *)pc+i))
40575 ++ printk("???????? ");
40576 ++ else
40577 ++ printk("%08x ", c);
40578 ++ }
40579 ++ printk("\n");
40580 ++}
40581 ++#endif
40582 ++
40583 + asmlinkage void __kprobes do_sparc64_fault(struct pt_regs *regs)
40584 + {
40585 + struct mm_struct *mm = current->mm;
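Review bot: in patched PLT emulation #5 and #6 the "or" words are matched with "(or1 & 0xFFFFE000U) == 0x82106000U" (and likewise for or2/or against 0x8A116000U), which pins the opcode, registers and i-bit but leaves all 13 simm13 bits free, yet the emulation then keeps only the low 10 bits ("or1 & 0x000003FFU"). A word with any of bits 10..12 set passes the match and is emulated differently from how the CPU would execute it. These sequences are linker-generated from %lo() and never have those bits set, so tighten the match to "(or1 & 0xFFFFFC00U) == 0x82106000U" (same for 0x8A116000U) and reject non-canonical encodings instead of silently misemulating them; this matters because the words are read from a non-executable, possibly attacker-written page. Minor: the two "sllx == 0x83287020" constants lack the U suffix used everywhere else in this function.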
40586 +@@ -303,8 +669,10 @@ asmlinkage void __kprobes do_sparc64_fau
40587 + goto intr_or_no_mm;
40588 +
40589 + if (test_thread_flag(TIF_32BIT)) {
40590 +- if (!(regs->tstate & TSTATE_PRIV))
40591 ++ if (!(regs->tstate & TSTATE_PRIV)) {
40592 + regs->tpc &= 0xffffffff;
40593 ++ regs->tnpc &= 0xffffffff;
40594 ++ }
40595 + address &= 0xffffffff;
40596 + }
40597 +
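Review bot: the tnpc masking here is a standalone bug fix (tpc was truncated to 32 bits for TIF_32BIT user tasks but the next-PC was not) with nothing PaX-specific about it; split it into its own patch with a short description and send it upstream so it does not get lost inside the grsecurity diff.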
40598 +@@ -321,6 +689,29 @@ asmlinkage void __kprobes do_sparc64_fau
40599 + if (!vma)
40600 + goto bad_area;
40601 +
40602 ++#ifdef CONFIG_PAX_PAGEEXEC
40603 ++ /* PaX: detect ITLB misses on non-exec pages */
40604 ++ if ((mm->pax_flags & MF_PAX_PAGEEXEC) && vma->vm_start <= address &&
40605 ++ !(vma->vm_flags & VM_EXEC) && (fault_code & FAULT_CODE_ITLB))
40606 ++ {
40607 ++ if (address != regs->tpc)
40608 ++ goto good_area;
40609 ++
40610 ++ up_read(&mm->mmap_sem);
40611 ++ switch (pax_handle_fetch_fault(regs)) {
40612 ++
40613 ++#ifdef CONFIG_PAX_EMUPLT
40614 ++ case 2:
40615 ++ case 3:
40616 ++ return;
40617 ++#endif
40618 ++
40619 ++ }
40620 ++ pax_report_fault(regs, (void*)regs->tpc, (void*)(regs->u_regs[UREG_FP] + STACK_BIAS));
40621 ++ do_group_exit(SIGKILL);
40622 ++ }
40623 ++#endif
40624 ++
40625 + /* Pure DTLB misses do not tell us whether the fault causing
40626 + * load/store/atomic was a write or not, it only says that there
40627 + * was no match. So in such a case we (carefully) read the
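Review bot: the "if (address != regs->tpc) goto good_area;" escape is undocumented: say which case produces an ITLB miss whose address differs from tpc, and confirm that the existing ITLB-on-non-exec handling at good_area copes with it rather than treating address == tpc as an invariant. As in the sparc32 hunk, give the switch an explicit default arm and a comment that mmap_sem is intentionally not re-taken because do_group_exit() does not return.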
40628 +diff -urNp linux-2.6.24.5/arch/sparc64/mm/Makefile linux-2.6.24.5/arch/sparc64/mm/Makefile
40629 +--- linux-2.6.24.5/arch/sparc64/mm/Makefile 2008-03-24 14:49:18.000000000 -0400
40630 ++++ linux-2.6.24.5/arch/sparc64/mm/Makefile 2008-03-26 20:21:07.000000000 -0400
40631 +@@ -3,7 +3,7 @@
40632 + #
40633 +
40634 + EXTRA_AFLAGS := -ansi
40635 +-EXTRA_CFLAGS := -Werror
40636 ++#EXTRA_CFLAGS := -Werror
40637 +
40638 + obj-y := ultra.o tlb.o tsb.o fault.o init.o generic.o
40639 +
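Review bot: same -Werror removal as in arch/sparc64/kernel/Makefile; if the warning comes from fault.c, the only file under arch/sparc64/mm touched in this part of the patch, scope the relaxation to that object with CFLAGS_fault.o or fix the warning itself rather than turning -Werror off for the whole directory.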
40640 +diff -urNp linux-2.6.24.5/arch/v850/kernel/module.c linux-2.6.24.5/arch/v850/kernel/module.c
40641 +--- linux-2.6.24.5/arch/v850/kernel/module.c 2008-03-24 14:49:18.000000000 -0400
40642 ++++ linux-2.6.24.5/arch/v850/kernel/module.c 2008-03-26 20:21:07.000000000 -0400
40643 +@@ -150,8 +150,8 @@ static uint32_t do_plt_call (void *locat
40644 + tramp[1] = ((val >> 16) & 0xffff) + 0x610000; /* ...; jmp r1 */
40645 +
40646 + /* Init, or core PLT? */
40647 +- if (location >= mod->module_core
40648 +- && location < mod->module_core + mod->core_size)
40649 ++ if (location >= mod->module_core_rx
40650 ++ && location < mod->module_core_rx + mod->core_size_rx)
40651 + entry = (void *)sechdrs[mod->arch.core_plt_section].sh_addr;
40652 + else
40653 + entry = (void *)sechdrs[mod->arch.init_plt_section].sh_addr;
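Review bot: with the core region split into module_core_rx/core_size_rx, the else branch no longer means "init" but "anything outside core RX", which now also includes a location in the core RW region. do_plt_call() is only invoked for call relocations in text, so that cannot happen in practice, but the assumption should be stated; better still, test the init RX region explicitly and fail the relocation for any other location so a stray PLT fix-up cannot be pointed at the init PLT.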
40654 +diff -urNp linux-2.6.24.5/arch/x86/boot/bitops.h linux-2.6.24.5/arch/x86/boot/bitops.h
40655 +--- linux-2.6.24.5/arch/x86/boot/bitops.h 2008-03-24 14:49:18.000000000 -0400
40656 ++++ linux-2.6.24.5/arch/x86/boot/bitops.h 2008-03-26 20:21:07.000000000 -0400
40657 +@@ -28,7 +28,7 @@ static inline int variable_test_bit(int
40658 + u8 v;
40659 + const u32 *p = (const u32 *)addr;
40660 +
40661 +- asm("btl %2,%1; setc %0" : "=qm" (v) : "m" (*p), "Ir" (nr));
40662 ++ asm volatile("btl %2,%1; setc %0" : "=qm" (v) : "m" (*p), "Ir" (nr));
40663 + return v;
40664 + }
40665 +
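Review bot: asm volatile on variable_test_bit() is not needed for correctness: the statement has an output and a "m" (*p) input, so the compiler must re-evaluate it whenever *p may have changed and keeps it whenever v is used; volatile only stops it being CSE'd or hoisted, which is a pessimisation. If this works around a real miscompile in the boot code, name the compiler and symptom in the patch description; otherwise drop it.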
40666 +@@ -39,7 +39,7 @@ static inline int variable_test_bit(int
40667 +
40668 + static inline void set_bit(int nr, void *addr)
40669 + {
40670 +- asm("btsl %1,%0" : "+m" (*(u32 *)addr) : "Ir" (nr));
40671 ++ asm volatile("btsl %1,%0" : "+m" (*(u32 *)addr) : "Ir" (nr));
40672 + }
40673 +
40674 + #endif /* BOOT_BITOPS_H */
40675 +diff -urNp linux-2.6.24.5/arch/x86/boot/boot.h linux-2.6.24.5/arch/x86/boot/boot.h
40676 +--- linux-2.6.24.5/arch/x86/boot/boot.h 2008-03-24 14:49:18.000000000 -0400
40677 ++++ linux-2.6.24.5/arch/x86/boot/boot.h 2008-03-26 20:21:07.000000000 -0400
40678 +@@ -78,7 +78,7 @@ static inline void io_delay(void)
40679 + static inline u16 ds(void)
40680 + {
40681 + u16 seg;
40682 +- asm("movw %%ds,%0" : "=rm" (seg));
40683 ++ asm volatile("movw %%ds,%0" : "=rm" (seg));
40684 + return seg;
40685 + }
40686 +
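Review bot: here volatile is justified, since the asm has no inputs and %ds can change behind the compiler's back when the boot code reloads segment registers, so without volatile two ds() calls could be merged; add that as a comment so this change is not lumped together with the other asm volatile additions in the patch, which are not needed for correctness.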
40687 +@@ -174,7 +174,7 @@ static inline void wrgs32(u32 v, addr_t
40688 + static inline int memcmp(const void *s1, const void *s2, size_t len)
40689 + {
40690 + u8 diff;
40691 +- asm("repe; cmpsb; setnz %0"
40692 ++ asm volatile("repe; cmpsb; setnz %0"
40693 + : "=qm" (diff), "+D" (s1), "+S" (s2), "+c" (len));
40694 + return diff;
40695 + }
40696 +diff -urNp linux-2.6.24.5/arch/x86/boot/compressed/head_32.S linux-2.6.24.5/arch/x86/boot/compressed/head_32.S
40697 +--- linux-2.6.24.5/arch/x86/boot/compressed/head_32.S 2008-03-24 14:49:18.000000000 -0400
40698 ++++ linux-2.6.24.5/arch/x86/boot/compressed/head_32.S 2008-03-26 20:21:07.000000000 -0400
40699 +@@ -70,7 +70,7 @@ startup_32:
40700 + addl $(CONFIG_PHYSICAL_ALIGN - 1), %ebx
40701 + andl $(~(CONFIG_PHYSICAL_ALIGN - 1)), %ebx
40702 + #else
40703 +- movl $LOAD_PHYSICAL_ADDR, %ebx
40704 ++ movl $____LOAD_PHYSICAL_ADDR, %ebx
40705 + #endif
40706 +
40707 + /* Replace the compressed data size with the uncompressed size */
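Review bot: ____LOAD_PHYSICAL_ADDR is used here but defined nowhere in this file, and head_32.S is assembled rather than compiled, so its definition must be assembler-safe (no C casts) and live in a header this file already includes; name that header in the patch description and explain why LOAD_PHYSICAL_ADDR itself can no longer be used from assembly.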
40708 +@@ -105,7 +105,7 @@ startup_32:
40709 + addl $(CONFIG_PHYSICAL_ALIGN - 1), %ebp
40710 + andl $(~(CONFIG_PHYSICAL_ALIGN - 1)), %ebp
40711 + #else
40712 +- movl $LOAD_PHYSICAL_ADDR, %ebp
40713 ++ movl $____LOAD_PHYSICAL_ADDR, %ebp
40714 + #endif
40715 +
40716 + /*
40717 +@@ -159,16 +159,15 @@ relocated:
40718 + * and where it was actually loaded.
40719 + */
40720 + movl %ebp, %ebx
40721 +- subl $LOAD_PHYSICAL_ADDR, %ebx
40722 ++ subl $____LOAD_PHYSICAL_ADDR, %ebx
40723 + jz 2f /* Nothing to be done if loaded at compiled addr. */
40724 + /*
40725 + * Process relocations.
40726 + */
40727 +
40728 + 1: subl $4, %edi
40729 +- movl 0(%edi), %ecx
40730 +- testl %ecx, %ecx
40731 +- jz 2f
40732 ++ movl (%edi), %ecx
40733 ++ jecxz 2f
40734 + addl %ebx, -__PAGE_OFFSET(%ebx, %ecx)
40735 + jmp 1b
40736 + 2:
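Review bot: replacing `testl %ecx, %ecx; jz 2f` with `jecxz 2f` in the relocation loop is behaviourally equivalent but `jecxz` only has an 8-bit displacement, so label `2:` must stay within 127 bytes of the jump; it does today, but a comment would stop someone from later growing the loop body and getting an assembler error. The `subl $____LOAD_PHYSICAL_ADDR, %ebx` line has the same undefined-symbol dependency noted for the earlier hunks in this file.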
40737 +diff -urNp linux-2.6.24.5/arch/x86/boot/compressed/misc_32.c linux-2.6.24.5/arch/x86/boot/compressed/misc_32.c
40738 +--- linux-2.6.24.5/arch/x86/boot/compressed/misc_32.c 2008-03-24 14:49:18.000000000 -0400
40739 ++++ linux-2.6.24.5/arch/x86/boot/compressed/misc_32.c 2008-03-26 20:21:07.000000000 -0400
40740 +@@ -113,7 +113,8 @@ typedef unsigned char uch;
40741 + typedef unsigned short ush;
40742 + typedef unsigned long ulg;
40743 +
40744 +-#define WSIZE 0x80000000 /* Window size must be at least 32k,
40745 ++#define WSIZE 0x80000000
40746 ++ /* Window size must be at least 32k,
40747 + * and a power of two
40748 + * We don't actually have a window just
40749 + * a huge output buffer so I report
40750 +@@ -370,7 +371,7 @@ asmlinkage void decompress_kernel(void *
40751 + if (end > ((-__PAGE_OFFSET-(512 <<20)-1) & 0x7fffffff))
40752 + error("Destination address too large");
40753 + #ifndef CONFIG_RELOCATABLE
40754 +- if ((u32)output != LOAD_PHYSICAL_ADDR)
40755 ++ if ((u32)output != ____LOAD_PHYSICAL_ADDR)
40756 + error("Wrong destination address");
40757 + #endif
40758 +
40759 +diff -urNp linux-2.6.24.5/arch/x86/boot/compressed/relocs.c linux-2.6.24.5/arch/x86/boot/compressed/relocs.c
40760 +--- linux-2.6.24.5/arch/x86/boot/compressed/relocs.c 2008-03-24 14:49:18.000000000 -0400
40761 ++++ linux-2.6.24.5/arch/x86/boot/compressed/relocs.c 2008-03-26 20:21:07.000000000 -0400
40762 +@@ -10,9 +10,13 @@
40763 + #define USE_BSD
40764 + #include <endian.h>
40765 +
40766 ++#include "../../../../include/linux/autoconf.h"
40767 ++
40768 ++#define MAX_PHDRS 100
40769 + #define MAX_SHDRS 100
40770 + #define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))
40771 + static Elf32_Ehdr ehdr;
40772 ++static Elf32_Phdr phdr[MAX_PHDRS];
40773 + static Elf32_Shdr shdr[MAX_SHDRS];
40774 + static Elf32_Sym *symtab[MAX_SHDRS];
40775 + static Elf32_Rel *reltab[MAX_SHDRS];
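Review bot: `#include "../../../../include/linux/autoconf.h"` makes the relocs host tool depend on the generated kernel configuration via a relative path, so it must be built after `autoconf.h` exists and breaks if the tool is ever moved; the later `read_relocs` hunk uses `CONFIG_PAGE_OFFSET` from it, which is the reason for the include and should be stated in a comment next to it. `MAX_PHDRS 100` mirrors the existing `MAX_SHDRS` limit and is fine for a kernel image.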
40776 +@@ -244,6 +248,34 @@ static void read_ehdr(FILE *fp)
40777 + }
40778 + }
40779 +
40780 ++static void read_phdrs(FILE *fp)
40781 ++{
40782 ++ int i;
40783 ++ if (ehdr.e_phnum > MAX_PHDRS) {
40784 ++ die("%d program headers supported: %d\n",
40785 ++ ehdr.e_phnum, MAX_PHDRS);
40786 ++ }
40787 ++ if (fseek(fp, ehdr.e_phoff, SEEK_SET) < 0) {
40788 ++ die("Seek to %d failed: %s\n",
40789 ++ ehdr.e_phoff, strerror(errno));
40790 ++ }
40791 ++ if (fread(&phdr, sizeof(phdr[0]), ehdr.e_phnum, fp) != ehdr.e_phnum) {
40792 ++ die("Cannot read ELF program headers: %s\n",
40793 ++ strerror(errno));
40794 ++ }
40795 ++ for(i = 0; i < ehdr.e_phnum; i++) {
40796 ++ phdr[i].p_type = elf32_to_cpu(phdr[i].p_type);
40797 ++ phdr[i].p_offset = elf32_to_cpu(phdr[i].p_offset);
40798 ++ phdr[i].p_vaddr = elf32_to_cpu(phdr[i].p_vaddr);
40799 ++ phdr[i].p_paddr = elf32_to_cpu(phdr[i].p_paddr);
40800 ++ phdr[i].p_filesz = elf32_to_cpu(phdr[i].p_filesz);
40801 ++ phdr[i].p_memsz = elf32_to_cpu(phdr[i].p_memsz);
40802 ++ phdr[i].p_flags = elf32_to_cpu(phdr[i].p_flags);
40803 ++ phdr[i].p_align = elf32_to_cpu(phdr[i].p_align);
40804 ++ }
40805 ++
40806 ++}
40807 ++
40808 + static void read_shdrs(FILE *fp)
40809 + {
40810 + int i;
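Review bot: `read_phdrs` reads `ehdr.e_phnum` entries of `sizeof(phdr[0])` bytes without checking that `ehdr.e_phentsize` equals `sizeof(Elf32_Phdr)`, so an image with a different entry size would be silently mis-parsed; add the same kind of check used for the header count (`die()` if they differ). Two smaller points: `fread(&phdr, ...)` works because `&phdr` and `phdr` have the same address, but `phdr` is the idiomatic spelling, and the message `"%d program headers supported: %d\n"` prints the file's count before the limit, which reads backwards.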
40811 +@@ -330,6 +362,8 @@ static void read_symtabs(FILE *fp)
40812 + static void read_relocs(FILE *fp)
40813 + {
40814 + int i,j;
40815 ++ uint32_t base;
40816 ++
40817 + for(i = 0; i < ehdr.e_shnum; i++) {
40818 + if (shdr[i].sh_type != SHT_REL) {
40819 + continue;
40820 +@@ -347,8 +381,17 @@ static void read_relocs(FILE *fp)
40821 + die("Cannot read symbol table: %s\n",
40822 + strerror(errno));
40823 + }
40824 ++ base = 0;
40825 ++ for (j = 0; j < ehdr.e_phnum; j++) {
40826 ++ if (phdr[j].p_type != PT_LOAD )
40827 ++ continue;
40828 ++ if (shdr[shdr[i].sh_info].sh_offset < phdr[j].p_offset || shdr[shdr[i].sh_info].sh_offset > phdr[j].p_offset + phdr[j].p_filesz)
40829 ++ continue;
40830 ++ base = CONFIG_PAGE_OFFSET + phdr[j].p_paddr - phdr[j].p_vaddr;
40831 ++ break;
40832 ++ }
40833 + for(j = 0; j < shdr[i].sh_size/sizeof(reltab[0][0]); j++) {
40834 +- reltab[i][j].r_offset = elf32_to_cpu(reltab[i][j].r_offset);
40835 ++ reltab[i][j].r_offset = elf32_to_cpu(reltab[i][j].r_offset) + base;
40836 + reltab[i][j].r_info = elf32_to_cpu(reltab[i][j].r_info);
40837 + }
40838 + }
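Review bot: the PT_LOAD match uses `sh_offset > p_offset + p_filesz` to reject a section, so a section whose offset equals the end of a segment's file data is accepted; if that is intentional for NOBITS sections it deserves a comment, otherwise it should be `>=`. When no PT_LOAD matches, `base` stays 0 and the relocation offsets are silently left unadjusted; a `die()` in that case would surface the problem at build time rather than as a kernel that fails to relocate.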
40839 +@@ -485,6 +528,27 @@ static void walk_relocs(void (*visit)(El
40840 + if (sym->st_shndx == SHN_ABS) {
40841 + continue;
40842 + }
40843 ++ /* Don't relocate actual per-cpu variables, they are absolute indices, not addresses */
40844 ++ if (!strcmp(sec_name(sym->st_shndx), ".data.percpu") && strncmp(sym_name(sym_strtab, sym), "__per_cpu_", 10)) {
40845 ++ continue;
40846 ++ }
40847 ++#if defined(CONFIG_PAX_KERNEXEC) && defined(CONFIG_X86_32)
40848 ++ /* Don't relocate actual code, they are relocated implicitly by the base address of KERNEL_CS */
40849 ++ if (!strcmp(sec_name(sym->st_shndx), ".init.text")) {
40850 ++ continue;
40851 ++ }
40852 ++ if (!strcmp(sec_name(sym->st_shndx), ".exit.text")) {
40853 ++ continue;
40854 ++ }
40855 ++ if (!strcmp(sec_name(sym->st_shndx), ".text.head")) {
40856 ++ if (strcmp(sym_name(sym_strtab, sym), "__init_end") &&
40857 ++ strcmp(sym_name(sym_strtab, sym), "KERNEL_TEXT_OFFSET"))
40858 ++ continue;
40859 ++ }
40860 ++ if (!strcmp(sec_name(sym->st_shndx), ".text")) {
40861 ++ continue;
40862 ++ }
40863 ++#endif
40864 + if (r_type == R_386_PC32) {
40865 + /* PC relative relocations don't need to be adjusted */
40866 + }
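Review bot: the new skip list calls `sec_name(sym->st_shndx)` and `strcmp` up to five times per relocation; computing the section name once into a local and comparing against it would be cheaper and easier to read. The `.text.head` exception for `__init_end` and `KERNEL_TEXT_OFFSET` is the only non-obvious rule here and needs a comment explaining why those two symbols still need adjusting when the rest of the KERNEXEC code sections are relocated by the `KERNEL_CS` base.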
40867 +@@ -612,6 +676,7 @@ int main(int argc, char **argv)
40868 + fname, strerror(errno));
40869 + }
40870 + read_ehdr(fp);
40871 ++ read_phdrs(fp);
40872 + read_shdrs(fp);
40873 + read_strtabs(fp);
40874 + read_symtabs(fp);
40875 +diff -urNp linux-2.6.24.5/arch/x86/boot/cpucheck.c linux-2.6.24.5/arch/x86/boot/cpucheck.c
40876 +--- linux-2.6.24.5/arch/x86/boot/cpucheck.c 2008-03-24 14:49:18.000000000 -0400
40877 ++++ linux-2.6.24.5/arch/x86/boot/cpucheck.c 2008-03-26 20:21:07.000000000 -0400
40878 +@@ -84,7 +84,7 @@ static int has_fpu(void)
40879 + u16 fcw = -1, fsw = -1;
40880 + u32 cr0;
40881 +
40882 +- asm("movl %%cr0,%0" : "=r" (cr0));
40883 ++ asm volatile("movl %%cr0,%0" : "=r" (cr0));
40884 + if (cr0 & (X86_CR0_EM|X86_CR0_TS)) {
40885 + cr0 &= ~(X86_CR0_EM|X86_CR0_TS);
40886 + asm volatile("movl %0,%%cr0" : : "r" (cr0));
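Review bot: the volatile on the `movl %%cr0,%0` read is needed because the following `movl %0,%%cr0` write (visible in the context) changes the value and the compiler sees no data dependency between the two statements, so a non-volatile read could be reused or moved across the write; a short comment stating that would prevent the volatile from being "cleaned up" later.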
40887 +@@ -100,7 +100,7 @@ static int has_eflag(u32 mask)
40888 + {
40889 + u32 f0, f1;
40890 +
40891 +- asm("pushfl ; "
40892 ++ asm volatile("pushfl ; "
40893 + "pushfl ; "
40894 + "popl %0 ; "
40895 + "movl %0,%1 ; "
40896 +@@ -125,7 +125,7 @@ static void get_flags(void)
40897 + set_bit(X86_FEATURE_FPU, cpu.flags);
40898 +
40899 + if (has_eflag(X86_EFLAGS_ID)) {
40900 +- asm("cpuid"
40901 ++ asm volatile("cpuid"
40902 + : "=a" (max_intel_level),
40903 + "=b" (cpu_vendor[0]),
40904 + "=d" (cpu_vendor[1]),
40905 +@@ -134,7 +134,7 @@ static void get_flags(void)
40906 +
40907 + if (max_intel_level >= 0x00000001 &&
40908 + max_intel_level <= 0x0000ffff) {
40909 +- asm("cpuid"
40910 ++ asm volatile("cpuid"
40911 + : "=a" (tfms),
40912 + "=c" (cpu.flags[4]),
40913 + "=d" (cpu.flags[0])
40914 +@@ -146,7 +146,7 @@ static void get_flags(void)
40915 + cpu.model += ((tfms >> 16) & 0xf) << 4;
40916 + }
40917 +
40918 +- asm("cpuid"
40919 ++ asm volatile("cpuid"
40920 + : "=a" (max_amd_level)
40921 + : "a" (0x80000000)
40922 + : "ebx", "ecx", "edx");
40923 +@@ -154,7 +154,7 @@ static void get_flags(void)
40924 + if (max_amd_level >= 0x80000001 &&
40925 + max_amd_level <= 0x8000ffff) {
40926 + u32 eax = 0x80000001;
40927 +- asm("cpuid"
40928 ++ asm volatile("cpuid"
40929 + : "+a" (eax),
40930 + "=c" (cpu.flags[6]),
40931 + "=d" (cpu.flags[1])
40932 +@@ -213,9 +213,9 @@ int check_cpu(int *cpu_level_ptr, int *r
40933 + u32 ecx = MSR_K7_HWCR;
40934 + u32 eax, edx;
40935 +
40936 +- asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
40937 ++ asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
40938 + eax &= ~(1 << 15);
40939 +- asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
40940 ++ asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
40941 +
40942 + get_flags(); /* Make sure it really did something */
40943 + err = check_flags();
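Review bot: adding `volatile` to the `wrmsr` statements is redundant, since an asm with no output operands is already implicitly volatile; the change that matters in this hunk is the `rdmsr` read, which has outputs and could otherwise be merged with an earlier read of the same MSR. Harmless as written, but the commit message or a comment should say the `wrmsr` edits are for consistency only, so nobody assumes they fix a bug.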
40944 +@@ -228,9 +228,9 @@ int check_cpu(int *cpu_level_ptr, int *r
40945 + u32 ecx = MSR_VIA_FCR;
40946 + u32 eax, edx;
40947 +
40948 +- asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
40949 ++ asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
40950 + eax |= (1<<1)|(1<<7);
40951 +- asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
40952 ++ asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
40953 +
40954 + set_bit(X86_FEATURE_CX8, cpu.flags);
40955 + err = check_flags();
40956 +@@ -241,12 +241,12 @@ int check_cpu(int *cpu_level_ptr, int *r
40957 + u32 eax, edx;
40958 + u32 level = 1;
40959 +
40960 +- asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
40961 +- asm("wrmsr" : : "a" (~0), "d" (edx), "c" (ecx));
40962 +- asm("cpuid"
40963 ++ asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
40964 ++ asm volatile("wrmsr" : : "a" (~0), "d" (edx), "c" (ecx));
40965 ++ asm volatile("cpuid"
40966 + : "+a" (level), "=d" (cpu.flags[0])
40967 + : : "ecx", "ebx");
40968 +- asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
40969 ++ asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
40970 +
40971 + err = check_flags();
40972 + }
40973 +diff -urNp linux-2.6.24.5/arch/x86/boot/edd.c linux-2.6.24.5/arch/x86/boot/edd.c
40974 +--- linux-2.6.24.5/arch/x86/boot/edd.c 2008-03-24 14:49:18.000000000 -0400
40975 ++++ linux-2.6.24.5/arch/x86/boot/edd.c 2008-03-26 20:21:07.000000000 -0400
40976 +@@ -78,7 +78,7 @@ static int get_edd_info(u8 devno, struct
40977 + ax = 0x4100;
40978 + bx = EDDMAGIC1;
40979 + dx = devno;
40980 +- asm("pushfl; stc; int $0x13; setc %%al; popfl"
40981 ++ asm volatile("pushfl; stc; int $0x13; setc %%al; popfl"
40982 + : "+a" (ax), "+b" (bx), "=c" (cx), "+d" (dx)
40983 + : : "esi", "edi");
40984 +
40985 +@@ -97,7 +97,7 @@ static int get_edd_info(u8 devno, struct
40986 + ei->params.length = sizeof(ei->params);
40987 + ax = 0x4800;
40988 + dx = devno;
40989 +- asm("pushfl; int $0x13; popfl"
40990 ++ asm volatile("pushfl; int $0x13; popfl"
40991 + : "+a" (ax), "+d" (dx), "=m" (ei->params)
40992 + : "S" (&ei->params)
40993 + : "ebx", "ecx", "edi");
40994 +@@ -108,7 +108,7 @@ static int get_edd_info(u8 devno, struct
40995 + ax = 0x0800;
40996 + dx = devno;
40997 + di = 0;
40998 +- asm("pushw %%es; "
40999 ++ asm volatile("pushw %%es; "
41000 + "movw %%di,%%es; "
41001 + "pushfl; stc; int $0x13; setc %%al; popfl; "
41002 + "popw %%es"
41003 +diff -urNp linux-2.6.24.5/arch/x86/boot/main.c linux-2.6.24.5/arch/x86/boot/main.c
41004 +--- linux-2.6.24.5/arch/x86/boot/main.c 2008-03-24 14:49:18.000000000 -0400
41005 ++++ linux-2.6.24.5/arch/x86/boot/main.c 2008-03-26 20:21:07.000000000 -0400
41006 +@@ -75,7 +75,7 @@ static void keyboard_set_repeat(void)
41007 + */
41008 + static void query_ist(void)
41009 + {
41010 +- asm("int $0x15"
41011 ++ asm volatile("int $0x15"
41012 + : "=a" (boot_params.ist_info.signature),
41013 + "=b" (boot_params.ist_info.command),
41014 + "=c" (boot_params.ist_info.event),
41015 +diff -urNp linux-2.6.24.5/arch/x86/boot/mca.c linux-2.6.24.5/arch/x86/boot/mca.c
41016 +--- linux-2.6.24.5/arch/x86/boot/mca.c 2008-03-24 14:49:18.000000000 -0400
41017 ++++ linux-2.6.24.5/arch/x86/boot/mca.c 2008-03-26 20:21:07.000000000 -0400
41018 +@@ -21,7 +21,7 @@ int query_mca(void)
41019 + u8 err;
41020 + u16 es, bx, len;
41021 +
41022 +- asm("pushw %%es ; "
41023 ++ asm volatile("pushw %%es ; "
41024 + "int $0x15 ; "
41025 + "setc %0 ; "
41026 + "movw %%es, %1 ; "
41027 +diff -urNp linux-2.6.24.5/arch/x86/boot/memory.c linux-2.6.24.5/arch/x86/boot/memory.c
41028 +--- linux-2.6.24.5/arch/x86/boot/memory.c 2008-03-24 14:49:18.000000000 -0400
41029 ++++ linux-2.6.24.5/arch/x86/boot/memory.c 2008-03-26 20:21:07.000000000 -0400
41030 +@@ -32,7 +32,7 @@ static int detect_memory_e820(void)
41031 + /* Important: %edx is clobbered by some BIOSes,
41032 + so it must be either used for the error output
41033 + or explicitly marked clobbered. */
41034 +- asm("int $0x15; setc %0"
41035 ++ asm volatile("int $0x15; setc %0"
41036 + : "=d" (err), "+b" (next), "=a" (id), "+c" (size),
41037 + "=m" (*desc)
41038 + : "D" (desc), "d" (SMAP), "a" (0xe820));
41039 +@@ -64,7 +64,7 @@ static int detect_memory_e801(void)
41040 +
41041 + bx = cx = dx = 0;
41042 + ax = 0xe801;
41043 +- asm("stc; int $0x15; setc %0"
41044 ++ asm volatile("stc; int $0x15; setc %0"
41045 + : "=m" (err), "+a" (ax), "+b" (bx), "+c" (cx), "+d" (dx));
41046 +
41047 + if (err)
41048 +@@ -94,7 +94,7 @@ static int detect_memory_88(void)
41049 + u8 err;
41050 +
41051 + ax = 0x8800;
41052 +- asm("stc; int $0x15; setc %0" : "=bcdm" (err), "+a" (ax));
41053 ++ asm volatile("stc; int $0x15; setc %0" : "=bcdm" (err), "+a" (ax));
41054 +
41055 + boot_params.screen_info.ext_mem_k = ax;
41056 +
41057 +diff -urNp linux-2.6.24.5/arch/x86/boot/video.c linux-2.6.24.5/arch/x86/boot/video.c
41058 +--- linux-2.6.24.5/arch/x86/boot/video.c 2008-03-24 14:49:18.000000000 -0400
41059 ++++ linux-2.6.24.5/arch/x86/boot/video.c 2008-03-26 20:21:07.000000000 -0400
41060 +@@ -40,7 +40,7 @@ static void store_cursor_position(void)
41061 +
41062 + ax = 0x0300;
41063 + bx = 0;
41064 +- asm(INT10
41065 ++ asm volatile(INT10
41066 + : "=d" (curpos), "+a" (ax), "+b" (bx)
41067 + : : "ecx", "esi", "edi");
41068 +
41069 +@@ -55,7 +55,7 @@ static void store_video_mode(void)
41070 + /* N.B.: the saving of the video page here is a bit silly,
41071 + since we pretty much assume page 0 everywhere. */
41072 + ax = 0x0f00;
41073 +- asm(INT10
41074 ++ asm volatile(INT10
41075 + : "+a" (ax), "=b" (page)
41076 + : : "ecx", "edx", "esi", "edi");
41077 +
41078 +diff -urNp linux-2.6.24.5/arch/x86/boot/video-vesa.c linux-2.6.24.5/arch/x86/boot/video-vesa.c
41079 +--- linux-2.6.24.5/arch/x86/boot/video-vesa.c 2008-03-24 14:49:18.000000000 -0400
41080 ++++ linux-2.6.24.5/arch/x86/boot/video-vesa.c 2008-03-26 20:21:07.000000000 -0400
41081 +@@ -41,7 +41,7 @@ static int vesa_probe(void)
41082 +
41083 + ax = 0x4f00;
41084 + di = (size_t)&vginfo;
41085 +- asm(INT10
41086 ++ asm volatile(INT10
41087 + : "+a" (ax), "+D" (di), "=m" (vginfo)
41088 + : : "ebx", "ecx", "edx", "esi");
41089 +
41090 +@@ -68,7 +68,7 @@ static int vesa_probe(void)
41091 + ax = 0x4f01;
41092 + cx = mode;
41093 + di = (size_t)&vminfo;
41094 +- asm(INT10
41095 ++ asm volatile(INT10
41096 + : "+a" (ax), "+c" (cx), "+D" (di), "=m" (vminfo)
41097 + : : "ebx", "edx", "esi");
41098 +
41099 +@@ -115,7 +115,7 @@ static int vesa_set_mode(struct mode_inf
41100 + ax = 0x4f01;
41101 + cx = vesa_mode;
41102 + di = (size_t)&vminfo;
41103 +- asm(INT10
41104 ++ asm volatile(INT10
41105 + : "+a" (ax), "+c" (cx), "+D" (di), "=m" (vminfo)
41106 + : : "ebx", "edx", "esi");
41107 +
41108 +@@ -193,19 +193,20 @@ static void vesa_dac_set_8bits(void)
41109 + /* Save the VESA protected mode info */
41110 + static void vesa_store_pm_info(void)
41111 + {
41112 +- u16 ax, bx, di, es;
41113 ++ u16 ax, bx, cx, di, es;
41114 +
41115 + ax = 0x4f0a;
41116 +- bx = di = 0;
41117 +- asm("pushw %%es; "INT10"; movw %%es,%0; popw %%es"
41118 +- : "=d" (es), "+a" (ax), "+b" (bx), "+D" (di)
41119 +- : : "ecx", "esi");
41120 ++ bx = cx = di = 0;
41121 ++ asm volatile("pushw %%es; "INT10"; movw %%es,%0; popw %%es"
41122 ++ : "=d" (es), "+a" (ax), "+b" (bx), "+c" (cx), "+D" (di)
41123 ++ : : "esi");
41124 +
41125 + if (ax != 0x004f)
41126 + return;
41127 +
41128 + boot_params.screen_info.vesapm_seg = es;
41129 + boot_params.screen_info.vesapm_off = di;
41130 ++ boot_params.screen_info.vesapm_size = cx;
41131 + }
41132 +
41133 + /*
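Review bot: moving `ecx` from the clobber list to a `"+c" (cx)` operand is correct (a register cannot be both an operand and a clobber) and the new `vesapm_size = cx` store depends on a `vesapm_size` field in `screen_info`, which is not added in this region; confirm the struct change is in the same patch, since otherwise this hunk does not compile. Initialising `cx = 0` before the call is right because the BIOS is expected to return the size in it.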
41134 +@@ -259,7 +260,7 @@ void vesa_store_edid(void)
41135 + /* Note: The VBE DDC spec is different from the main VESA spec;
41136 + we genuinely have to assume all registers are destroyed here. */
41137 +
41138 +- asm("pushw %%es; movw %2,%%es; "INT10"; popw %%es"
41139 ++ asm volatile("pushw %%es; movw %2,%%es; "INT10"; popw %%es"
41140 + : "+a" (ax), "+b" (bx)
41141 + : "c" (cx), "D" (di)
41142 + : "esi");
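Review bot: the comment in the context says the DDC call can destroy all registers, but `"c" (cx), "D" (di)` are input-only operands and the only clobber is `"esi"`, so the compiler is still entitled to assume ecx and edi survive the `INT10`; if they are really destroyed, make them `"+c"` / `"+D"` in-out operands. The added `volatile` is correct regardless, as nothing else expresses the call's side effects.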
41143 +@@ -275,7 +276,7 @@ void vesa_store_edid(void)
41144 + cx = 0; /* Controller 0 */
41145 + dx = 0; /* EDID block number */
41146 + di =(size_t) &boot_params.edid_info; /* (ES:)Pointer to block */
41147 +- asm(INT10
41148 ++ asm volatile(INT10
41149 + : "+a" (ax), "+b" (bx), "+d" (dx), "=m" (boot_params.edid_info)
41150 + : "c" (cx), "D" (di)
41151 + : "esi");
41152 +diff -urNp linux-2.6.24.5/arch/x86/boot/video-vga.c linux-2.6.24.5/arch/x86/boot/video-vga.c
41153 +--- linux-2.6.24.5/arch/x86/boot/video-vga.c 2008-03-24 14:49:18.000000000 -0400
41154 ++++ linux-2.6.24.5/arch/x86/boot/video-vga.c 2008-03-26 20:21:07.000000000 -0400
41155 +@@ -225,7 +225,7 @@ static int vga_probe(void)
41156 + };
41157 + u8 vga_flag;
41158 +
41159 +- asm(INT10
41160 ++ asm volatile(INT10
41161 + : "=b" (boot_params.screen_info.orig_video_ega_bx)
41162 + : "a" (0x1200), "b" (0x10) /* Check EGA/VGA */
41163 + : "ecx", "edx", "esi", "edi");
41164 +@@ -233,7 +233,7 @@ static int vga_probe(void)
41165 + /* If we have MDA/CGA/HGC then BL will be unchanged at 0x10 */
41166 + if ((u8)boot_params.screen_info.orig_video_ega_bx != 0x10) {
41167 + /* EGA/VGA */
41168 +- asm(INT10
41169 ++ asm volatile(INT10
41170 + : "=a" (vga_flag)
41171 + : "a" (0x1a00)
41172 + : "ebx", "ecx", "edx", "esi", "edi");
41173 +diff -urNp linux-2.6.24.5/arch/x86/boot/voyager.c linux-2.6.24.5/arch/x86/boot/voyager.c
41174 +--- linux-2.6.24.5/arch/x86/boot/voyager.c 2008-03-24 14:49:18.000000000 -0400
41175 ++++ linux-2.6.24.5/arch/x86/boot/voyager.c 2008-03-26 20:21:07.000000000 -0400
41176 +@@ -27,7 +27,7 @@ int query_voyager(void)
41177 +
41178 + data_ptr[0] = 0xff; /* Flag on config not found(?) */
41179 +
41180 +- asm("pushw %%es ; "
41181 ++ asm volatile("pushw %%es ; "
41182 + "int $0x15 ; "
41183 + "setc %0 ; "
41184 + "movw %%es, %1 ; "
41185 +diff -urNp linux-2.6.24.5/arch/x86/ia32/ia32_binfmt.c linux-2.6.24.5/arch/x86/ia32/ia32_binfmt.c
41186 +--- linux-2.6.24.5/arch/x86/ia32/ia32_binfmt.c 2008-03-24 14:49:18.000000000 -0400
41187 ++++ linux-2.6.24.5/arch/x86/ia32/ia32_binfmt.c 2008-03-26 20:21:07.000000000 -0400
41188 +@@ -47,12 +47,12 @@
41189 + #define AT_SYSINFO 32
41190 + #define AT_SYSINFO_EHDR 33
41191 +
41192 +-int sysctl_vsyscall32 = 1;
41193 ++int sysctl_vsyscall32;
41194 +
41195 + #undef ARCH_DLINFO
41196 + #define ARCH_DLINFO do { \
41197 + if (sysctl_vsyscall32) { \
41198 +- current->mm->context.vdso = (void *)VSYSCALL32_BASE; \
41199 ++ current->mm->context.vdso = VSYSCALL32_BASE; \
41200 + NEW_AUX_ENT(AT_SYSINFO, (u32)(u64)VSYSCALL32_VSYSCALL); \
41201 + NEW_AUX_ENT(AT_SYSINFO_EHDR, VSYSCALL32_BASE); \
41202 + } \
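Review bot: `int sysctl_vsyscall32;` flips the default from 1 to 0, so the 32-bit vsyscall page is no longer mapped into compat processes unless the abi sysctl is enabled at runtime; that is a user-visible default change and should be noted in the Kconfig help or sysctl documentation. Dropping the `(void *)` cast on `context.vdso = VSYSCALL32_BASE` only compiles cleanly if `VSYSCALL32_BASE` now has pointer type, so the header that changes it must be in the same patch.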
41203 +@@ -66,6 +66,17 @@ struct file;
41204 +
41205 + #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE + 0x1000000)
41206 +
41207 ++#ifdef CONFIG_PAX_ASLR
41208 ++#undef PAX_ELF_ET_DYN_BASE
41209 ++#undef PAX_DELTA_MMAP_LEN
41210 ++#undef PAX_DELTA_STACK_LEN
41211 ++
41212 ++#define PAX_ELF_ET_DYN_BASE 0x08048000UL
41213 ++
41214 ++#define PAX_DELTA_MMAP_LEN 16
41215 ++#define PAX_DELTA_STACK_LEN 16
41216 ++#endif
41217 ++
41218 + #define jiffies_to_timeval(a,b) do { (b)->tv_usec = 0; (b)->tv_sec = (a)/HZ; }while(0)
41219 +
41220 + #define _GET_SEG(x) \
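Review bot: the compat ASLR block sets `PAX_ELF_ET_DYN_BASE` to `0x08048000UL`, well below the `ELF_ET_DYN_BASE` of `TASK_UNMAPPED_BASE + 0x1000000` two lines above, and uses 16 bits for both `PAX_DELTA_MMAP_LEN` and `PAX_DELTA_STACK_LEN`; the `#undef` lines show these override generic defaults, so a comment should explain why the 32-bit compat values differ from the native ones (address space size is the obvious reason, but it is not stated).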
41221 +@@ -263,7 +274,7 @@ static ctl_table abi_table2[] = {
41222 + .mode = 0644,
41223 + .proc_handler = proc_dointvec
41224 + },
41225 +- {}
41226 ++ { 0, NULL, NULL, 0, 0, NULL, NULL, NULL, NULL, NULL, NULL }
41227 + };
41228 +
41229 + static ctl_table abi_root_table2[] = {
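Review bot: replacing the `{}` sentinel with an eleven-field positional initializer ties these tables to the exact field order of `ctl_table`, and will initialise the wrong members silently if the struct ever changes; if the aim is to avoid a missing-initializer warning, a designated initializer such as `{ .ctl_name = 0 }` achieves that without the fragility. The same comment applies to the `abi_root_table2` hunk that follows.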
41230 +@@ -273,7 +284,7 @@ static ctl_table abi_root_table2[] = {
41231 + .mode = 0555,
41232 + .child = abi_table2
41233 + },
41234 +- {}
41235 ++ { 0, NULL, NULL, 0, 0, NULL, NULL, NULL, NULL, NULL, NULL }
41236 + };
41237 +
41238 + static __init int ia32_binfmt_init(void)
41239 +diff -urNp linux-2.6.24.5/arch/x86/ia32/ia32_signal.c linux-2.6.24.5/arch/x86/ia32/ia32_signal.c
41240 +--- linux-2.6.24.5/arch/x86/ia32/ia32_signal.c 2008-03-24 14:49:18.000000000 -0400
41241 ++++ linux-2.6.24.5/arch/x86/ia32/ia32_signal.c 2008-03-26 20:21:07.000000000 -0400
41242 +@@ -573,6 +573,7 @@ int ia32_setup_rt_frame(int sig, struct
41243 + __NR_ia32_rt_sigreturn,
41244 + 0x80cd,
41245 + 0,
41246 ++ 0
41247 + };
41248 + err |= __copy_to_user(frame->retcode, &code, 8);
41249 + }
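Review bot: the trailing `0` added to the `code` initializer has no runtime effect, since omitted members of a static aggregate are already zero-initialised; it presumably silences a missing-initializer warning, and the commit message or a comment should say so. While here, the `__copy_to_user(frame->retcode, &code, 8)` in the context uses a literal length that must match the layout of `code`; if 8 is intentionally less than `sizeof(code)`, a comment stating that would help.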
41250 +diff -urNp linux-2.6.24.5/arch/x86/ia32/mmap32.c linux-2.6.24.5/arch/x86/ia32/mmap32.c
41251 +--- linux-2.6.24.5/arch/x86/ia32/mmap32.c 2008-03-24 14:49:18.000000000 -0400
41252 ++++ linux-2.6.24.5/arch/x86/ia32/mmap32.c 2008-03-26 20:21:07.000000000 -0400
41253 +@@ -69,10 +69,22 @@ void ia32_pick_mmap_layout(struct mm_str
41254 + (current->personality & ADDR_COMPAT_LAYOUT) ||
41255 + current->signal->rlim[RLIMIT_STACK].rlim_cur == RLIM_INFINITY) {
41256 + mm->mmap_base = TASK_UNMAPPED_BASE;
41257 ++
41258 ++#ifdef CONFIG_PAX_RANDMMAP
41259 ++ if (mm->pax_flags & MF_PAX_RANDMMAP)
41260 ++ mm->mmap_base += mm->delta_mmap;
41261 ++#endif
41262 ++
41263 + mm->get_unmapped_area = arch_get_unmapped_area;
41264 + mm->unmap_area = arch_unmap_area;
41265 + } else {
41266 + mm->mmap_base = mmap_base(mm);
41267 ++
41268 ++#ifdef CONFIG_PAX_RANDMMAP
41269 ++ if (mm->pax_flags & MF_PAX_RANDMMAP)
41270 ++ mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
41271 ++#endif
41272 ++
41273 + mm->get_unmapped_area = arch_get_unmapped_area_topdown;
41274 + mm->unmap_area = arch_unmap_area_topdown;
41275 + }
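Review bot: the two `MF_PAX_RANDMMAP` branches are asymmetric, the legacy layout raises `mmap_base` by `delta_mmap` while the top-down layout lowers it by `delta_mmap + delta_stack`, and the reason (the top-down base has to sit below the randomised stack) should be stated in a comment at the second branch. The `pax_flags`, `delta_mmap` and `delta_stack` members of `mm_struct` are assumed to exist and are not added in this region.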
41276 +diff -urNp linux-2.6.24.5/arch/x86/ia32/ptrace32.c linux-2.6.24.5/arch/x86/ia32/ptrace32.c
41277 +--- linux-2.6.24.5/arch/x86/ia32/ptrace32.c 2008-03-24 14:49:18.000000000 -0400
41278 ++++ linux-2.6.24.5/arch/x86/ia32/ptrace32.c 2008-03-26 20:21:07.000000000 -0400
41279 +@@ -382,7 +382,7 @@ asmlinkage long sys32_ptrace(long reques
41280 + /* no checking to be bug-to-bug compatible with i386. */
41281 + /* but silence warning */
41282 + if (__copy_from_user(&child->thread.i387.fxsave, u, sizeof(*u)))
41283 +- ;
41284 ++ {}
41285 + set_stopped_child_used_math(child);
41286 + child->thread.i387.fxsave.mxcsr &= mxcsr_feature_mask;
41287 + ret = 0;
41288 +diff -urNp linux-2.6.24.5/arch/x86/ia32/syscall32.c linux-2.6.24.5/arch/x86/ia32/syscall32.c
41289 +--- linux-2.6.24.5/arch/x86/ia32/syscall32.c 2008-03-24 14:49:18.000000000 -0400
41290 ++++ linux-2.6.24.5/arch/x86/ia32/syscall32.c 2008-03-26 20:21:07.000000000 -0400
41291 +@@ -30,6 +30,9 @@ int syscall32_setup_pages(struct linux_b
41292 + struct mm_struct *mm = current->mm;
41293 + int ret;
41294 +
41295 ++ if (!sysctl_vsyscall32)
41296 ++ return 0;
41297 ++
41298 + down_write(&mm->mmap_sem);
41299 + /*
41300 + * MAYWRITE to allow gdb to COW and set breakpoints
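Review bot: the early `return 0` when `!sysctl_vsyscall32` is consistent with the `ARCH_DLINFO` gate in `ia32_binfmt.c`, but both sites read the sysctl independently during one exec, so a runtime change between them can emit `AT_SYSINFO` / `AT_SYSINFO_EHDR` entries for a page that was never mapped; read the value once per exec and pass it to both places. Returning before `down_write(&mm->mmap_sem)` is correct, as nothing has been taken yet.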
41301 +diff -urNp linux-2.6.24.5/arch/x86/Kconfig linux-2.6.24.5/arch/x86/Kconfig
41302 +--- linux-2.6.24.5/arch/x86/Kconfig 2008-03-24 14:49:18.000000000 -0400
41303 ++++ linux-2.6.24.5/arch/x86/Kconfig 2008-03-26 20:21:07.000000000 -0400
41304 +@@ -792,7 +792,7 @@ config PAGE_OFFSET
41305 + hex
41306 + default 0xB0000000 if VMSPLIT_3G_OPT
41307 + default 0x80000000 if VMSPLIT_2G
41308 +- default 0x78000000 if VMSPLIT_2G_OPT
41309 ++ default 0x70000000 if VMSPLIT_2G_OPT
41310 + default 0x40000000 if VMSPLIT_1G
41311 + default 0xC0000000
41312 + depends on X86_32
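Review bot: changing the `VMSPLIT_2G_OPT` default for `PAGE_OFFSET` from `0x78000000` to `0x70000000` moves the user/kernel boundary for that choice; the prompt and help text of the `VMSPLIT_2G_OPT` option (not in this hunk) should be checked so they describe the new split, and the commit message should record why the boundary moved.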
41313 +@@ -1096,8 +1096,7 @@ config CRASH_DUMP
41314 + config PHYSICAL_START
41315 + hex "Physical address where the kernel is loaded" if (EMBEDDED || CRASH_DUMP)
41316 + default "0x1000000" if X86_NUMAQ
41317 +- default "0x200000" if X86_64
41318 +- default "0x100000"
41319 ++ default "0x200000"
41320 + help
41321 + This gives the physical address where the kernel is loaded.
41322 +
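Review bot: collapsing the `PHYSICAL_START` defaults to `"0x200000"` raises the 32-bit default load address from 1 MiB to 2 MiB; the help text that follows ("This gives the physical address where the kernel is loaded") should be checked for any mention of the old 1 MiB default, and bootloader or crash-dump assumptions that reference it should be called out in the commit message.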
41323 +@@ -1190,8 +1189,8 @@ config HOTPLUG_CPU
41324 +
41325 + config COMPAT_VDSO
41326 + bool "Compat VDSO support"
41327 +- default y
41328 +- depends on X86_32
41329 ++ default n
41330 ++ depends on X86_32 && !PAX_NOEXEC
41331 + help
41332 + Map the VDSO to the predictable old-style address too.
41333 + ---help---
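Review bot: defaulting `COMPAT_VDSO` to `n` is the security-relevant part of this hunk, since the option maps the vDSO at a fixed "predictable old-style address" (its own help text), which is exactly what address randomisation is meant to remove; the added `!PAX_NOEXEC` dependency is a different constraint from the randomisation one, so the help text should state why the fixed mapping is incompatible with NOEXEC rather than leaving the reader to guess.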
41334 +@@ -1387,7 +1386,7 @@ config PCI
41335 + choice
41336 + prompt "PCI access mode"
41337 + depends on X86_32 && PCI && !X86_VISWS
41338 +- default PCI_GOANY
41339 ++ default PCI_GODIRECT
41340 + ---help---
41341 + On PCI systems, the BIOS can be used to detect the PCI devices and
41342 + determine their configuration. However, some old PCI motherboards
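Review bot: switching the default "PCI access mode" from `PCI_GOANY` to `PCI_GODIRECT` removes the BIOS fallback from the default configuration, so systems where direct configuration access does not work get no PCI devices unless the user changes the choice; the rationale (presumably avoiding BIOS calls from the hardened kernel) is not recorded anywhere in the hunk and belongs in the help text or commit message.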
41343 +diff -urNp linux-2.6.24.5/arch/x86/Kconfig.cpu linux-2.6.24.5/arch/x86/Kconfig.cpu
41344 +--- linux-2.6.24.5/arch/x86/Kconfig.cpu 2008-03-24 14:49:18.000000000 -0400
41345 ++++ linux-2.6.24.5/arch/x86/Kconfig.cpu 2008-03-26 20:21:16.000000000 -0400
41346 +@@ -328,7 +328,7 @@ config X86_PPRO_FENCE
41347 +
41348 + config X86_F00F_BUG
41349 + bool
41350 +- depends on M586MMX || M586TSC || M586 || M486 || M386
41351 ++ depends on (M586MMX || M586TSC || M586 || M486 || M386) && !PAX_KERNEXEC
41352 + default y
41353 +
41354 + config X86_WP_WORKS_OK
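Review bot: `depends on (...) && !PAX_KERNEXEC` means a KERNEXEC kernel built for the M586/M486/M386 targets no longer carries the F00F workaround, which is a functional change for those CPUs; the conflict that forces this is not stated here, and should at least be mentioned in the `PAX_KERNEXEC` help text so users of affected hardware know what they are giving up.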
41355 +@@ -353,7 +353,7 @@ config X86_POPAD_OK
41356 +
41357 + config X86_ALIGNMENT_16
41358 + bool
41359 +- depends on MWINCHIP3D || MWINCHIP2 || MWINCHIPC6 || MCYRIXIII || X86_ELAN || MK6 || M586MMX || M586TSC || M586 || M486 || MVIAC3_2 || MGEODEGX1
41360 ++ depends on MWINCHIP3D || MWINCHIP2 || MWINCHIPC6 || MCYRIXIII || X86_ELAN || MK8 || MK7 || MK6 || MCORE2 || MPENTIUM4 || MPENTIUMIII || MPENTIUMII || M686 || M586MMX || M586TSC || M586 || M486 || MVIAC3_2 || MGEODEGX1
41361 + default y
41362 +
41363 + config X86_GOOD_APIC
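Review bot: adding `MK8`, `MK7`, `MCORE2`, `MPENTIUM4`, `MPENTIUMIII`, `MPENTIUMII` and `M686` to `X86_ALIGNMENT_16` extends a setting that previously covered only older CPU targets to most modern ones, changing function and loop alignment for those builds; the reason is not given in the hunk and should be recorded, since it is unrelated to the security features the rest of the patch adds.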
41364 +@@ -390,7 +390,7 @@ config X86_TSC
41365 + # generates cmov.
41366 + config X86_CMOV
41367 + bool
41368 +- depends on (MK7 || MPENTIUM4 || MPENTIUMM || MPENTIUMIII || MPENTIUMII || M686 || MVIAC3_2 || MVIAC7)
41369 ++ depends on (MK8 || MK7 || MCORE2 || MPENTIUM4 || MPENTIUMM || MPENTIUMIII || MPENTIUMII || M686 || MVIAC3_2 || MVIAC7)
41370 + default y
41371 +
41372 + config X86_MINIMUM_CPU_FAMILY
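Review bot: adding `MK8` and `MCORE2` to `X86_CMOV` is correct, both CPU families implement `cmov`, so this lets those targets use the conditional-move code paths; a note in the commit message that this is an unrelated optimisation fix rather than part of the hardening would help reviewers separate the two.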
41373 +diff -urNp linux-2.6.24.5/arch/x86/Kconfig.debug linux-2.6.24.5/arch/x86/Kconfig.debug
41374 +--- linux-2.6.24.5/arch/x86/Kconfig.debug 2008-03-24 14:49:18.000000000 -0400
41375 ++++ linux-2.6.24.5/arch/x86/Kconfig.debug 2008-03-26 20:21:07.000000000 -0400
41376 +@@ -49,7 +49,7 @@ config DEBUG_PAGEALLOC
41377 +
41378 + config DEBUG_RODATA
41379 + bool "Write protect kernel read-only data structures"
41380 +- depends on DEBUG_KERNEL
41381 ++ depends on DEBUG_KERNEL && BROKEN
41382 + help
41383 + Mark the kernel read-only data as write-protected in the pagetables,
41384 + in order to catch accidental (and incorrect) writes to such const
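Review bot: `depends on DEBUG_KERNEL && BROKEN` hides `DEBUG_RODATA` from every configuration rather than documenting the actual conflict; if the option clashes with KERNEXEC's own write protection of kernel text and data, `depends on DEBUG_KERNEL && !PAX_KERNEXEC` would express that precisely and keep the option usable in builds that do not enable KERNEXEC.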
41385 +diff -urNp linux-2.6.24.5/arch/x86/kernel/acpi/boot.c linux-2.6.24.5/arch/x86/kernel/acpi/boot.c
41386 +--- linux-2.6.24.5/arch/x86/kernel/acpi/boot.c 2008-03-24 14:49:18.000000000 -0400
41387 ++++ linux-2.6.24.5/arch/x86/kernel/acpi/boot.c 2008-03-26 20:21:07.000000000 -0400
41388 +@@ -1155,7 +1155,7 @@ static struct dmi_system_id __initdata a
41389 + DMI_MATCH(DMI_PRODUCT_NAME, "TravelMate 360"),
41390 + },
41391 + },
41392 +- {}
41393 ++ { NULL, NULL, {{0, NULL}}, NULL}
41394 + };
41395 +
41396 + #endif /* __i386__ */
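Review bot: the `{ NULL, NULL, {{0, NULL}}, NULL}` sentinel is a positional initializer for `struct dmi_system_id` that will silently misalign if the struct's field order changes; `{ }` was already a complete zero sentinel, so if the goal is to avoid a warning when the table is made `const` or `__initdata`, a designated `{ .ident = NULL }` is safer. The identical change in `sleep_32.c` has the same issue.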
41397 +diff -urNp linux-2.6.24.5/arch/x86/kernel/acpi/sleep_32.c linux-2.6.24.5/arch/x86/kernel/acpi/sleep_32.c
41398 +--- linux-2.6.24.5/arch/x86/kernel/acpi/sleep_32.c 2008-03-24 14:49:18.000000000 -0400
41399 ++++ linux-2.6.24.5/arch/x86/kernel/acpi/sleep_32.c 2008-03-26 20:21:07.000000000 -0400
41400 +@@ -98,7 +98,7 @@ static __initdata struct dmi_system_id a
41401 + DMI_MATCH(DMI_PRODUCT_NAME, "S4030CDT/4.3"),
41402 + },
41403 + },
41404 +- {}
41405 ++ { NULL, NULL, {{0, NULL}}, NULL}
41406 + };
41407 +
41408 + static int __init acpisleep_dmi_init(void)
41409 +diff -urNp linux-2.6.24.5/arch/x86/kernel/acpi/wakeup_32.S linux-2.6.24.5/arch/x86/kernel/acpi/wakeup_32.S
41410 +--- linux-2.6.24.5/arch/x86/kernel/acpi/wakeup_32.S 2008-03-24 14:49:18.000000000 -0400
41411 ++++ linux-2.6.24.5/arch/x86/kernel/acpi/wakeup_32.S 2008-03-26 20:21:07.000000000 -0400
41412 +@@ -2,6 +2,7 @@
41413 + #include <linux/linkage.h>
41414 + #include <asm/segment.h>
41415 + #include <asm/page.h>
41416 ++#include <asm/msr-index.h>
41417 +
41418 + #
41419 + # wakeup_code runs in real mode, and at unknown address (determined at run-time).
41420 +@@ -79,7 +80,7 @@ wakeup_code:
41421 + # restore efer setting
41422 + movl real_save_efer_edx - wakeup_code, %edx
41423 + movl real_save_efer_eax - wakeup_code, %eax
41424 +- mov $0xc0000080, %ecx
41425 ++ mov $MSR_EFER, %ecx
41426 + wrmsr
41427 + 4:
41428 + # make sure %cr4 is set correctly (features, etc)
41429 +@@ -196,13 +197,11 @@ wakeup_pmode_return:
41430 + # and restore the stack ... but you need gdt for this to work
41431 + movl saved_context_esp, %esp
41432 +
41433 +- movl %cs:saved_magic, %eax
41434 +- cmpl $0x12345678, %eax
41435 ++ cmpl $0x12345678, saved_magic
41436 + jne bogus_magic
41437 +
41438 + # jump to place where we left off
41439 +- movl saved_eip,%eax
41440 +- jmp *%eax
41441 ++ jmp *(saved_eip)
41442 +
41443 + bogus_magic:
41444 + jmp bogus_magic
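Review bot: dropping the `%cs:` override in `cmpl $0x12345678, saved_magic` and jumping through `*(saved_eip)` is only correct because %ds is already usable at this point, which the preceding `movl saved_context_esp, %esp` context line confirms; a comment saying so would stop a future reordering from moving these lines above the segment setup. The change also frees %eax, which is worth stating if that is the motivation.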
41445 +@@ -233,7 +232,7 @@ ENTRY(acpi_copy_wakeup_routine)
41446 + # save efer setting
41447 + pushl %eax
41448 + movl %eax, %ebx
41449 +- mov $0xc0000080, %ecx
41450 ++ mov $MSR_EFER, %ecx
41451 + rdmsr
41452 + movl %edx, real_save_efer_edx - wakeup_start (%ebx)
41453 + movl %eax, real_save_efer_eax - wakeup_start (%ebx)
41454 +diff -urNp linux-2.6.24.5/arch/x86/kernel/alternative.c linux-2.6.24.5/arch/x86/kernel/alternative.c
41455 +--- linux-2.6.24.5/arch/x86/kernel/alternative.c 2008-03-24 14:49:18.000000000 -0400
41456 ++++ linux-2.6.24.5/arch/x86/kernel/alternative.c 2008-03-26 20:21:07.000000000 -0400
41457 +@@ -389,7 +389,7 @@ void apply_paravirt(struct paravirt_patc
41458 +
41459 + BUG_ON(p->len > MAX_PATCH_LEN);
41460 + /* prep the buffer with the original instructions */
41461 +- memcpy(insnbuf, p->instr, p->len);
41462 ++ memcpy(insnbuf, ktla_ktva(p->instr), p->len);
41463 + used = pv_init_ops.patch(p->instrtype, p->clobbers, insnbuf,
41464 + (unsigned long)p->instr, p->len);
41465 +
41466 +@@ -467,7 +467,19 @@ void __init alternative_instructions(voi
41467 + */
41468 + void __kprobes text_poke(void *addr, unsigned char *opcode, int len)
41469 + {
41470 +- memcpy(addr, opcode, len);
41471 ++
41472 ++#ifdef CONFIG_PAX_KERNEXEC
41473 ++ unsigned long cr0;
41474 ++
41475 ++ pax_open_kernel(cr0);
41476 ++#endif
41477 ++
41478 ++ memcpy(ktla_ktva(addr), opcode, len);
41479 ++
41480 ++#ifdef CONFIG_PAX_KERNEXEC
41481 ++ pax_close_kernel(cr0);
41482 ++#endif
41483 ++
41484 + sync_core();
41485 + /* Could also do a CLFLUSH here to speed up CPU recovery; but
41486 + that causes hangs on some VIA CPUs. */
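Review bot: `text_poke` now writes through `ktla_ktva(addr)` between `pax_open_kernel(cr0)` and `pax_close_kernel(cr0)`, so kernel text is writable on this CPU for the duration of the `memcpy`; whether `pax_open_kernel` also disables preemption and interrupts is not visible here, and if it does not, a context switch in that window leaves another task running with write protection off. Please confirm and document that in the macro's definition. Minor: the blank line between `{` and the `#ifdef` block is unusual kernel style.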
41487 +diff -urNp linux-2.6.24.5/arch/x86/kernel/apm_32.c linux-2.6.24.5/arch/x86/kernel/apm_32.c
41488 +--- linux-2.6.24.5/arch/x86/kernel/apm_32.c 2008-03-24 14:49:18.000000000 -0400
41489 ++++ linux-2.6.24.5/arch/x86/kernel/apm_32.c 2008-03-26 20:21:07.000000000 -0400
41490 +@@ -407,7 +407,7 @@ static DECLARE_WAIT_QUEUE_HEAD(apm_waitq
41491 + static DECLARE_WAIT_QUEUE_HEAD(apm_suspend_waitqueue);
41492 + static struct apm_user * user_list;
41493 + static DEFINE_SPINLOCK(user_list_lock);
41494 +-static const struct desc_struct bad_bios_desc = { 0, 0x00409200 };
41495 ++static const struct desc_struct bad_bios_desc = { 0, 0x00409300 };
41496 +
41497 + static const char driver_version[] = "1.16ac"; /* no spaces */
41498 +
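Review bot: changing `bad_bios_desc` from `0x00409200` to `0x00409300` sets the Accessed bit in the descriptor's type field; that matters because the CPU writes the descriptor to set that bit when a selector is loaded, and presetting it avoids a write into a GDT that KERNEXEC keeps read-only. This is subtle enough to deserve a comment on the line, since `0x92` versus `0x93` reads like a typo.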
41499 +@@ -601,19 +601,42 @@ static u8 apm_bios_call(u32 func, u32 eb
41500 + struct desc_struct save_desc_40;
41501 + struct desc_struct *gdt;
41502 +
41503 ++#ifdef CONFIG_PAX_KERNEXEC
41504 ++ unsigned long cr0;
41505 ++#endif
41506 ++
41507 + cpus = apm_save_cpus();
41508 +
41509 + cpu = get_cpu();
41510 + gdt = get_cpu_gdt_table(cpu);
41511 + save_desc_40 = gdt[0x40 / 8];
41512 ++
41513 ++#ifdef CONFIG_PAX_KERNEXEC
41514 ++ pax_open_kernel(cr0);
41515 ++#endif
41516 ++
41517 + gdt[0x40 / 8] = bad_bios_desc;
41518 +
41519 ++#ifdef CONFIG_PAX_KERNEXEC
41520 ++ pax_close_kernel(cr0);
41521 ++#endif
41522 ++
41523 + apm_irq_save(flags);
41524 + APM_DO_SAVE_SEGS;
41525 + apm_bios_call_asm(func, ebx_in, ecx_in, eax, ebx, ecx, edx, esi);
41526 + APM_DO_RESTORE_SEGS;
41527 + apm_irq_restore(flags);
41528 ++
41529 ++#ifdef CONFIG_PAX_KERNEXEC
41530 ++ pax_open_kernel(cr0);
41531 ++#endif
41532 ++
41533 + gdt[0x40 / 8] = save_desc_40;
41534 ++
41535 ++#ifdef CONFIG_PAX_KERNEXEC
41536 ++ pax_close_kernel(cr0);
41537 ++#endif
41538 ++
41539 + put_cpu();
41540 + apm_restore_cpus(cpus);
41541 +
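Review bot: the two open/close pairs and the `cr0` local here are duplicated verbatim in apm_bios_call_simple() below; a small static helper that stores one descriptor into gdt[0x40 / 8] and owns the open/close would remove eight #ifdef lines per caller and keep the two from drifting. The ordering itself is right: the BIOS call runs with the kernel closed again, and the window covers only the descriptor store, not apm_bios_call_asm().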
41542 +@@ -644,19 +667,42 @@ static u8 apm_bios_call_simple(u32 func,
41543 + struct desc_struct save_desc_40;
41544 + struct desc_struct *gdt;
41545 +
41546 ++#ifdef CONFIG_PAX_KERNEXEC
41547 ++ unsigned long cr0;
41548 ++#endif
41549 ++
41550 + cpus = apm_save_cpus();
41551 +
41552 + cpu = get_cpu();
41553 + gdt = get_cpu_gdt_table(cpu);
41554 + save_desc_40 = gdt[0x40 / 8];
41555 ++
41556 ++#ifdef CONFIG_PAX_KERNEXEC
41557 ++ pax_open_kernel(cr0);
41558 ++#endif
41559 ++
41560 + gdt[0x40 / 8] = bad_bios_desc;
41561 +
41562 ++#ifdef CONFIG_PAX_KERNEXEC
41563 ++ pax_close_kernel(cr0);
41564 ++#endif
41565 ++
41566 + apm_irq_save(flags);
41567 + APM_DO_SAVE_SEGS;
41568 + error = apm_bios_call_simple_asm(func, ebx_in, ecx_in, eax);
41569 + APM_DO_RESTORE_SEGS;
41570 + apm_irq_restore(flags);
41571 ++
41572 ++#ifdef CONFIG_PAX_KERNEXEC
41573 ++ pax_open_kernel(cr0);
41574 ++#endif
41575 ++
41576 + gdt[0x40 / 8] = save_desc_40;
41577 ++
41578 ++#ifdef CONFIG_PAX_KERNEXEC
41579 ++ pax_close_kernel(cr0);
41580 ++#endif
41581 ++
41582 + put_cpu();
41583 + apm_restore_cpus(cpus);
41584 + return error;
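Review bot: this is the second copy of the apm_bios_call() sequence above (same cr0 declaration, same two windows around the gdt[0x40 / 8] stores); if a shared helper is not introduced, a later fix to one function, for example restoring save_desc_40 on an error path, is easy to miss in the other.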
41585 +@@ -924,7 +970,7 @@ recalc:
41586 +
41587 + static void apm_power_off(void)
41588 + {
41589 +- unsigned char po_bios_call[] = {
41590 ++ const unsigned char po_bios_call[] = {
41591 + 0xb8, 0x00, 0x10, /* movw $0x1000,ax */
41592 + 0x8e, 0xd0, /* movw ax,ss */
41593 + 0xbc, 0x00, 0xf0, /* movw $0xf000,sp */
41594 +@@ -1864,7 +1910,10 @@ static const struct file_operations apm_
41595 + static struct miscdevice apm_device = {
41596 + APM_MINOR_DEV,
41597 + "apm_bios",
41598 +- &apm_bios_fops
41599 ++ &apm_bios_fops,
41600 ++ {NULL, NULL},
41601 ++ NULL,
41602 ++ NULL
41603 + };
41604 +
41605 +
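Review bot: the trailing `{NULL, NULL}, NULL, NULL` adds nothing functionally, since members omitted from an aggregate initializer are already zero-initialized, but it hard-codes the current field count and order of struct miscdevice, so the next field added to that struct breaks this initializer. If the motive is a missing-field-initializers warning, designated initializers (`.minor = APM_MINOR_DEV, .name = "apm_bios", .fops = &apm_bios_fops`) silence it without the positional dependency. The same applies to the mce_log_device initializer in mce_64.c further down.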
41606 +@@ -2177,7 +2226,7 @@ static struct dmi_system_id __initdata a
41607 + { DMI_MATCH(DMI_SYS_VENDOR, "IBM"), },
41608 + },
41609 +
41610 +- { }
41611 ++ { NULL, NULL, {DMI_MATCH(DMI_NONE, NULL)}, NULL}
41612 + };
41613 +
41614 + /*
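Review bot: the sentinel `{ NULL, NULL, {DMI_MATCH(DMI_NONE, NULL)}, NULL}` depends on the exact layout of struct dmi_system_id and on DMI_MATCH being valid inside a nested brace, whereas `{ }` was layout-independent and dmi_check_system() stops at the first entry with a NULL ident either way. If an explicit terminator is wanted, `{ .ident = NULL }` expresses that without the layout coupling. The acpi-cpufreq and speedstep-centrino sentinels later in this patch have the same shape.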
41615 +@@ -2196,6 +2245,10 @@ static int __init apm_init(void)
41616 + struct desc_struct *gdt;
41617 + int err;
41618 +
41619 ++#ifdef CONFIG_PAX_KERNEXEC
41620 ++ unsigned long cr0;
41621 ++#endif
41622 ++
41623 + dmi_check_system(apm_dmi_table);
41624 +
41625 + if (apm_info.bios.version == 0 || paravirt_enabled()) {
41626 +@@ -2269,9 +2322,18 @@ static int __init apm_init(void)
41627 + * This is for buggy BIOS's that refer to (real mode) segment 0x40
41628 + * even though they are called in protected mode.
41629 + */
41630 ++
41631 ++#ifdef CONFIG_PAX_KERNEXEC
41632 ++ pax_open_kernel(cr0);
41633 ++#endif
41634 ++
41635 + set_base(bad_bios_desc, __va((unsigned long)0x40 << 4));
41636 + _set_limit((char *)&bad_bios_desc, 4095 - (0x40 << 4));
41637 +
41638 ++#ifdef CONFIG_PAX_KERNEXEC
41639 ++ pax_close_kernel(cr0);
41640 ++#endif
41641 ++
41642 + /*
41643 + * Set up the long jump entry point to the APM BIOS, which is called
41644 + * from inline assembly.
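Review bot: bad_bios_desc is declared `static const` (hunk at -407 above) yet set_base() and `_set_limit((char *)&bad_bios_desc, ...)` write to it. That worked in the unpatched kernel because the cast discards const and .rodata is still writable while initcalls run; under KERNEXEC it works only inside this window. A one-line comment saying the const object is deliberately patched at init time would stop the next reader from dropping either the const or the open/close.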
41645 +@@ -2290,6 +2352,11 @@ static int __init apm_init(void)
41646 + * code to that CPU.
41647 + */
41648 + gdt = get_cpu_gdt_table(0);
41649 ++
41650 ++#ifdef CONFIG_PAX_KERNEXEC
41651 ++ pax_open_kernel(cr0);
41652 ++#endif
41653 ++
41654 + set_base(gdt[APM_CS >> 3],
41655 + __va((unsigned long)apm_info.bios.cseg << 4));
41656 + set_base(gdt[APM_CS_16 >> 3],
41657 +@@ -2297,6 +2364,10 @@ static int __init apm_init(void)
41658 + set_base(gdt[APM_DS >> 3],
41659 + __va((unsigned long)apm_info.bios.dseg << 4));
41660 +
41661 ++#ifdef CONFIG_PAX_KERNEXEC
41662 ++ pax_close_kernel(cr0);
41663 ++#endif
41664 ++
41665 + apm_proc = create_proc_entry("apm", 0, NULL);
41666 + if (apm_proc)
41667 + apm_proc->proc_fops = &apm_file_ops;
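Review bot: the open/close window for the APM segment bases starts in the previous hunk (+2352) and ends here, covering the three set_base() calls on gdt[APM_CS >> 3], gdt[APM_CS_16 >> 3] and gdt[APM_DS >> 3]; because the diff splits it across two hunks, a comment at the pax_open_kernel() naming the stores it covers would help anyone reading the patch rather than the result. The stores still target only CPU 0's GDT via get_cpu_gdt_table(0), as the existing comment notes, which is what apm_save_cpus() in the call paths above is for.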
41668 +diff -urNp linux-2.6.24.5/arch/x86/kernel/asm-offsets_32.c linux-2.6.24.5/arch/x86/kernel/asm-offsets_32.c
41669 +--- linux-2.6.24.5/arch/x86/kernel/asm-offsets_32.c 2008-03-24 14:49:18.000000000 -0400
41670 ++++ linux-2.6.24.5/arch/x86/kernel/asm-offsets_32.c 2008-03-26 20:21:07.000000000 -0400
41671 +@@ -110,6 +110,7 @@ void foo(void)
41672 + DEFINE(PTRS_PER_PTE, PTRS_PER_PTE);
41673 + DEFINE(PTRS_PER_PMD, PTRS_PER_PMD);
41674 + DEFINE(PTRS_PER_PGD, PTRS_PER_PGD);
41675 ++ DEFINE(PERCPU_MODULE_RESERVE, PERCPU_MODULE_RESERVE);
41676 +
41677 + DEFINE(VDSO_PRELINK_asm, VDSO_PRELINK);
41678 +
41679 +@@ -125,6 +126,7 @@ void foo(void)
41680 + OFFSET(PV_CPU_iret, pv_cpu_ops, iret);
41681 + OFFSET(PV_CPU_irq_enable_sysexit, pv_cpu_ops, irq_enable_sysexit);
41682 + OFFSET(PV_CPU_read_cr0, pv_cpu_ops, read_cr0);
41683 ++ OFFSET(PV_CPU_write_cr0, pv_cpu_ops, write_cr0);
41684 + #endif
41685 +
41686 + #ifdef CONFIG_XEN
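Review bot: PV_CPU_write_cr0 is added inside the paravirt-only block (note the `#endif` right after it), so the GET_CR0_INTO_EDX/SET_CR0_FROM_EDX macros used in entry_32.S later in this patch must have a native definition that does not reference it; neither definition is in the hunks shown, so confirm both variants exist. PERCPU_MODULE_RESERVE is likewise exported to assembly here without a visible consumer in this patch.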
41687 +diff -urNp linux-2.6.24.5/arch/x86/kernel/asm-offsets_64.c linux-2.6.24.5/arch/x86/kernel/asm-offsets_64.c
41688 +--- linux-2.6.24.5/arch/x86/kernel/asm-offsets_64.c 2008-03-24 14:49:18.000000000 -0400
41689 ++++ linux-2.6.24.5/arch/x86/kernel/asm-offsets_64.c 2008-03-26 20:21:07.000000000 -0400
41690 +@@ -108,6 +108,7 @@ int main(void)
41691 + ENTRY(cr8);
41692 + BLANK();
41693 + #undef ENTRY
41694 ++ DEFINE(TSS_size, sizeof(struct tss_struct));
41695 + DEFINE(TSS_ist, offsetof(struct tss_struct, ist));
41696 + BLANK();
41697 + DEFINE(crypto_tfm_ctx_offset, offsetof(struct crypto_tfm, __crt_ctx));
41698 +diff -urNp linux-2.6.24.5/arch/x86/kernel/cpu/common.c linux-2.6.24.5/arch/x86/kernel/cpu/common.c
41699 +--- linux-2.6.24.5/arch/x86/kernel/cpu/common.c 2008-03-24 14:49:18.000000000 -0400
41700 ++++ linux-2.6.24.5/arch/x86/kernel/cpu/common.c 2008-03-26 20:21:07.000000000 -0400
41701 +@@ -4,7 +4,6 @@
41702 + #include <linux/smp.h>
41703 + #include <linux/module.h>
41704 + #include <linux/percpu.h>
41705 +-#include <linux/bootmem.h>
41706 + #include <asm/semaphore.h>
41707 + #include <asm/processor.h>
41708 + #include <asm/i387.h>
41709 +@@ -21,39 +20,15 @@
41710 +
41711 + #include "cpu.h"
41712 +
41713 +-DEFINE_PER_CPU(struct gdt_page, gdt_page) = { .gdt = {
41714 +- [GDT_ENTRY_KERNEL_CS] = { 0x0000ffff, 0x00cf9a00 },
41715 +- [GDT_ENTRY_KERNEL_DS] = { 0x0000ffff, 0x00cf9200 },
41716 +- [GDT_ENTRY_DEFAULT_USER_CS] = { 0x0000ffff, 0x00cffa00 },
41717 +- [GDT_ENTRY_DEFAULT_USER_DS] = { 0x0000ffff, 0x00cff200 },
41718 +- /*
41719 +- * Segments used for calling PnP BIOS have byte granularity.
41720 +- * They code segments and data segments have fixed 64k limits,
41721 +- * the transfer segment sizes are set at run time.
41722 +- */
41723 +- [GDT_ENTRY_PNPBIOS_CS32] = { 0x0000ffff, 0x00409a00 },/* 32-bit code */
41724 +- [GDT_ENTRY_PNPBIOS_CS16] = { 0x0000ffff, 0x00009a00 },/* 16-bit code */
41725 +- [GDT_ENTRY_PNPBIOS_DS] = { 0x0000ffff, 0x00009200 }, /* 16-bit data */
41726 +- [GDT_ENTRY_PNPBIOS_TS1] = { 0x00000000, 0x00009200 },/* 16-bit data */
41727 +- [GDT_ENTRY_PNPBIOS_TS2] = { 0x00000000, 0x00009200 },/* 16-bit data */
41728 +- /*
41729 +- * The APM segments have byte granularity and their bases
41730 +- * are set at run time. All have 64k limits.
41731 +- */
41732 +- [GDT_ENTRY_APMBIOS_BASE] = { 0x0000ffff, 0x00409a00 },/* 32-bit code */
41733 +- /* 16-bit code */
41734 +- [GDT_ENTRY_APMBIOS_BASE+1] = { 0x0000ffff, 0x00009a00 },
41735 +- [GDT_ENTRY_APMBIOS_BASE+2] = { 0x0000ffff, 0x00409200 }, /* data */
41736 +-
41737 +- [GDT_ENTRY_ESPFIX_SS] = { 0x00000000, 0x00c09200 },
41738 +- [GDT_ENTRY_PERCPU] = { 0x00000000, 0x00000000 },
41739 +-} };
41740 +-EXPORT_PER_CPU_SYMBOL_GPL(gdt_page);
41741 +-
41742 + static int cachesize_override __cpuinitdata = -1;
41743 + static int disable_x86_fxsr __cpuinitdata;
41744 + static int disable_x86_serial_nr __cpuinitdata = 1;
41745 +-static int disable_x86_sep __cpuinitdata;
41746 ++
41747 ++#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
41748 ++int disable_x86_sep __cpuinitdata = 1;
41749 ++#else
41750 ++int disable_x86_sep __cpuinitdata;
41751 ++#endif
41752 +
41753 + struct cpu_dev * cpu_devs[X86_VENDOR_NUM] = {};
41754 +
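Review bot: three things need confirming outside this hunk. The per-cpu gdt_page and its EXPORT_PER_CPU_SYMBOL_GPL are removed, so the cpu_gdt_table that FIXUP_ESPFIX_STACK in entry_32.S now indexes by `cpu_number << PAGE_SHIFT` must be defined (and exported, if modules used gdt_page) elsewhere in the patch; every remaining user of gdt_page/get_cpu_gdt_table() must be updated to that layout; and disable_x86_sep losing its static qualifier implies an `extern int disable_x86_sep;` that belongs in a header, not a local extern. Since `disable_x86_sep = 1` turns off the SYSENTER fast path whenever any of the four listed options is on, that cost should be mentioned in the Kconfig help text.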
41755 +@@ -262,9 +237,9 @@ void __init cpu_detect(struct cpuinfo_x8
41756 + {
41757 + /* Get vendor name */
41758 + cpuid(0x00000000, &c->cpuid_level,
41759 +- (int *)&c->x86_vendor_id[0],
41760 +- (int *)&c->x86_vendor_id[8],
41761 +- (int *)&c->x86_vendor_id[4]);
41762 ++ (unsigned int *)&c->x86_vendor_id[0],
41763 ++ (unsigned int *)&c->x86_vendor_id[8],
41764 ++ (unsigned int *)&c->x86_vendor_id[4]);
41765 +
41766 + c->x86 = 4;
41767 + if (c->cpuid_level >= 0x00000001) {
41768 +@@ -304,15 +279,14 @@ static void __init early_cpu_detect(void
41769 +
41770 + static void __cpuinit generic_identify(struct cpuinfo_x86 * c)
41771 + {
41772 +- u32 tfms, xlvl;
41773 +- int ebx;
41774 ++ u32 tfms, xlvl, ebx;
41775 +
41776 + if (have_cpuid_p()) {
41777 + /* Get vendor name */
41778 + cpuid(0x00000000, &c->cpuid_level,
41779 +- (int *)&c->x86_vendor_id[0],
41780 +- (int *)&c->x86_vendor_id[8],
41781 +- (int *)&c->x86_vendor_id[4]);
41782 ++ (unsigned int *)&c->x86_vendor_id[0],
41783 ++ (unsigned int *)&c->x86_vendor_id[8],
41784 ++ (unsigned int *)&c->x86_vendor_id[4]);
41785 +
41786 + get_cpu_vendor(c, 0);
41787 + /* Initialize the standard set of capabilities */
41788 +@@ -644,7 +618,7 @@ void switch_to_new_gdt(void)
41789 + {
41790 + struct Xgt_desc_struct gdt_descr;
41791 +
41792 +- gdt_descr.address = (long)get_cpu_gdt_table(smp_processor_id());
41793 ++ gdt_descr.address = get_cpu_gdt_table(smp_processor_id());
41794 + gdt_descr.size = GDT_SIZE - 1;
41795 + load_gdt(&gdt_descr);
41796 + asm("mov %0, %%fs" : : "r" (__KERNEL_PERCPU) : "memory");
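Review bot: dropping the `(long)` cast only compiles if Xgt_desc_struct.address has changed from unsigned long to struct desc_struct * (the efi_32.c and doublefault_32.c hunks below cast in the other direction for the same reason, and the `{0, NULL, 0}` initializer there suggests a third field as well), so the header change must be part of this patch and every other assignment to .address in the tree should be checked to build without a warning.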
41797 +@@ -660,7 +634,7 @@ void __cpuinit cpu_init(void)
41798 + {
41799 + int cpu = smp_processor_id();
41800 + struct task_struct *curr = current;
41801 +- struct tss_struct * t = &per_cpu(init_tss, cpu);
41802 ++ struct tss_struct *t = init_tss + cpu;
41803 + struct thread_struct *thread = &curr->thread;
41804 +
41805 + if (cpu_test_and_set(cpu, cpu_initialized)) {
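Review bot: `init_tss + cpu` turns init_tss from a per-cpu variable into a plain array indexed by CPU, and entry_64.S below reaches the same element with `imul $TSS_size, %gs:pda_cpunumber` plus `lea init_tss(%rbp)`; the two agree only while TSS_size equals sizeof(struct tss_struct) and the array has no per-element padding beyond what the type carries. The array's definition and its NR_CPUS sizing are not in these hunks.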
41806 +diff -urNp linux-2.6.24.5/arch/x86/kernel/cpu/cpufreq/acpi-cpufreq.c linux-2.6.24.5/arch/x86/kernel/cpu/cpufreq/acpi-cpufreq.c
41807 +--- linux-2.6.24.5/arch/x86/kernel/cpu/cpufreq/acpi-cpufreq.c 2008-03-24 14:49:18.000000000 -0400
41808 ++++ linux-2.6.24.5/arch/x86/kernel/cpu/cpufreq/acpi-cpufreq.c 2008-03-26 20:21:07.000000000 -0400
41809 +@@ -549,7 +549,7 @@ static const struct dmi_system_id sw_any
41810 + DMI_MATCH(DMI_PRODUCT_NAME, "X6DLP"),
41811 + },
41812 + },
41813 +- { }
41814 ++ { NULL, NULL, {DMI_MATCH(DMI_NONE, NULL)}, NULL }
41815 + };
41816 + #endif
41817 +
41818 +diff -urNp linux-2.6.24.5/arch/x86/kernel/cpu/cpufreq/speedstep-centrino.c linux-2.6.24.5/arch/x86/kernel/cpu/cpufreq/speedstep-centrino.c
41819 +--- linux-2.6.24.5/arch/x86/kernel/cpu/cpufreq/speedstep-centrino.c 2008-03-24 14:49:18.000000000 -0400
41820 ++++ linux-2.6.24.5/arch/x86/kernel/cpu/cpufreq/speedstep-centrino.c 2008-03-26 20:21:07.000000000 -0400
41821 +@@ -223,7 +223,7 @@ static struct cpu_model models[] =
41822 + { &cpu_ids[CPU_MP4HT_D0], NULL, 0, NULL },
41823 + { &cpu_ids[CPU_MP4HT_E0], NULL, 0, NULL },
41824 +
41825 +- { NULL, }
41826 ++ { NULL, NULL, 0, NULL}
41827 + };
41828 + #undef _BANIAS
41829 + #undef BANIAS
41830 +diff -urNp linux-2.6.24.5/arch/x86/kernel/cpu/intel.c linux-2.6.24.5/arch/x86/kernel/cpu/intel.c
41831 +--- linux-2.6.24.5/arch/x86/kernel/cpu/intel.c 2008-03-24 14:49:18.000000000 -0400
41832 ++++ linux-2.6.24.5/arch/x86/kernel/cpu/intel.c 2008-03-26 20:21:07.000000000 -0400
41833 +@@ -104,6 +104,7 @@ static void __cpuinit trap_init_f00f_bug
41834 + * it uses the read-only mapped virtual address.
41835 + */
41836 + idt_descr.address = fix_to_virt(FIX_F00F_IDT);
41837 ++ idt_descr.address = (struct desc_struct *)fix_to_virt(FIX_F00F_IDT);
41838 + load_idt(&idt_descr);
41839 + }
41840 + #endif
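Review bot: the old `idt_descr.address = fix_to_virt(FIX_F00F_IDT);` is kept as context and the cast version is added after it, so the function now assigns the same value twice, and the first assignment stores an unsigned long into what this patch makes a struct desc_struct * (see the efi_32.c hunk), an int-to-pointer conversion warning at best. The original line should be a `-` line.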
41841 +diff -urNp linux-2.6.24.5/arch/x86/kernel/cpu/intel_cacheinfo.c linux-2.6.24.5/arch/x86/kernel/cpu/intel_cacheinfo.c
41842 +--- linux-2.6.24.5/arch/x86/kernel/cpu/intel_cacheinfo.c 2008-03-24 14:49:18.000000000 -0400
41843 ++++ linux-2.6.24.5/arch/x86/kernel/cpu/intel_cacheinfo.c 2008-03-26 20:21:07.000000000 -0400
41844 +@@ -352,8 +352,8 @@ unsigned int __cpuinit init_intel_cachei
41845 + */
41846 + if ((num_cache_leaves == 0 || c->x86 == 15) && c->cpuid_level > 1) {
41847 + /* supports eax=2 call */
41848 +- int i, j, n;
41849 +- int regs[4];
41850 ++ int j, n;
41851 ++ unsigned int regs[4];
41852 + unsigned char *dp = (unsigned char *)regs;
41853 + int only_trace = 0;
41854 +
41855 +@@ -368,7 +368,7 @@ unsigned int __cpuinit init_intel_cachei
41856 +
41857 + /* If bit 31 is set, this is an unknown format */
41858 + for ( j = 0 ; j < 3 ; j++ ) {
41859 +- if ( regs[j] < 0 ) regs[j] = 0;
41860 ++ if ( (int)regs[j] < 0 ) regs[j] = 0;
41861 + }
41862 +
41863 + /* Byte 0 is level count, not a descriptor */
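Review bot: `(int)regs[j] < 0` keeps the sign trick to test bit 31 after regs became unsigned; since the comment two lines up says exactly what is being tested, `regs[j] & 0x80000000` says it directly and avoids the implementation-defined conversion of a value above INT_MAX to int. Dropping `i` from the declaration in the previous hunk is fine only if it is unused in the rest of the function, which the hunk does not show.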
41864 +diff -urNp linux-2.6.24.5/arch/x86/kernel/cpu/mcheck/mce_64.c linux-2.6.24.5/arch/x86/kernel/cpu/mcheck/mce_64.c
41865 +--- linux-2.6.24.5/arch/x86/kernel/cpu/mcheck/mce_64.c 2008-03-24 14:49:18.000000000 -0400
41866 ++++ linux-2.6.24.5/arch/x86/kernel/cpu/mcheck/mce_64.c 2008-03-26 20:21:08.000000000 -0400
41867 +@@ -671,6 +671,7 @@ static struct miscdevice mce_log_device
41868 + MISC_MCELOG_MINOR,
41869 + "mcelog",
41870 + &mce_chrdev_ops,
41871 ++ {NULL, NULL}, NULL, NULL
41872 + };
41873 +
41874 + static unsigned long old_cr4 __initdata;
41875 +diff -urNp linux-2.6.24.5/arch/x86/kernel/cpu/mtrr/generic.c linux-2.6.24.5/arch/x86/kernel/cpu/mtrr/generic.c
41876 +--- linux-2.6.24.5/arch/x86/kernel/cpu/mtrr/generic.c 2008-03-24 14:49:18.000000000 -0400
41877 ++++ linux-2.6.24.5/arch/x86/kernel/cpu/mtrr/generic.c 2008-03-26 20:21:08.000000000 -0400
41878 +@@ -29,11 +29,11 @@ static struct fixed_range_block fixed_ra
41879 + { MTRRfix64K_00000_MSR, 1 }, /* one 64k MTRR */
41880 + { MTRRfix16K_80000_MSR, 2 }, /* two 16k MTRRs */
41881 + { MTRRfix4K_C0000_MSR, 8 }, /* eight 4k MTRRs */
41882 +- {}
41883 ++ { 0, 0 }
41884 + };
41885 +
41886 + static unsigned long smp_changes_mask;
41887 +-static struct mtrr_state mtrr_state = {};
41888 ++static struct mtrr_state mtrr_state;
41889 +
41890 + #undef MODULE_PARAM_PREFIX
41891 + #define MODULE_PARAM_PREFIX "mtrr."
41892 +diff -urNp linux-2.6.24.5/arch/x86/kernel/crash.c linux-2.6.24.5/arch/x86/kernel/crash.c
41893 +--- linux-2.6.24.5/arch/x86/kernel/crash.c 2008-03-24 14:49:18.000000000 -0400
41894 ++++ linux-2.6.24.5/arch/x86/kernel/crash.c 2008-03-26 20:21:08.000000000 -0400
41895 +@@ -62,7 +62,7 @@ static int crash_nmi_callback(struct not
41896 + local_irq_disable();
41897 +
41898 + #ifdef CONFIG_X86_32
41899 +- if (!user_mode_vm(regs)) {
41900 ++ if (!user_mode(regs)) {
41901 + crash_fixup_ss_esp(&fixed_regs, regs);
41902 + regs = &fixed_regs;
41903 + }
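Review bot: user_mode_vm() treats a VM86 frame (EFLAGS.VM set) as user mode while user_mode() looks only at the CS RPL, and this swap is not under any PaX #ifdef. If vm86 remains available in the configuration, a crash NMI landing in a vm86 task is now classified as kernel mode and crash_fixup_ss_esp() rewrites SS/ESP from a user frame. Either keep user_mode_vm() here or state in a comment why VM86 frames cannot reach this path with this patchset.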
41904 +diff -urNp linux-2.6.24.5/arch/x86/kernel/doublefault_32.c linux-2.6.24.5/arch/x86/kernel/doublefault_32.c
41905 +--- linux-2.6.24.5/arch/x86/kernel/doublefault_32.c 2008-03-24 14:49:18.000000000 -0400
41906 ++++ linux-2.6.24.5/arch/x86/kernel/doublefault_32.c 2008-03-26 20:21:08.000000000 -0400
41907 +@@ -11,17 +11,17 @@
41908 +
41909 + #define DOUBLEFAULT_STACKSIZE (1024)
41910 + static unsigned long doublefault_stack[DOUBLEFAULT_STACKSIZE];
41911 +-#define STACK_START (unsigned long)(doublefault_stack+DOUBLEFAULT_STACKSIZE)
41912 ++#define STACK_START (unsigned long)(doublefault_stack+DOUBLEFAULT_STACKSIZE-2)
41913 +
41914 + #define ptr_ok(x) ((x) > PAGE_OFFSET && (x) < PAGE_OFFSET + MAXMEM)
41915 +
41916 + static void doublefault_fn(void)
41917 + {
41918 +- struct Xgt_desc_struct gdt_desc = {0, 0};
41919 ++ struct Xgt_desc_struct gdt_desc = {0, NULL, 0};
41920 + unsigned long gdt, tss;
41921 +
41922 + store_gdt(&gdt_desc);
41923 +- gdt = gdt_desc.address;
41924 ++ gdt = (unsigned long)gdt_desc.address;
41925 +
41926 + printk(KERN_EMERG "PANIC: double fault, gdt at %08lx [%d bytes]\n", gdt, gdt_desc.size);
41927 +
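Review bot: STACK_START now points two longs below the end of doublefault_stack instead of at the end, and nothing says why; the 2 is a magic constant that deserves a name or a comment on the define. The `{0, NULL, 0}` initializer and the `(unsigned long)gdt_desc.address` cast follow from the Xgt_desc_struct change elsewhere in the patch.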
41928 +@@ -59,10 +59,10 @@ struct tss_struct doublefault_tss __cach
41929 + /* 0x2 bit is always set */
41930 + .eflags = X86_EFLAGS_SF | 0x2,
41931 + .esp = STACK_START,
41932 +- .es = __USER_DS,
41933 ++ .es = __KERNEL_DS,
41934 + .cs = __KERNEL_CS,
41935 + .ss = __KERNEL_DS,
41936 +- .ds = __USER_DS,
41937 ++ .ds = __KERNEL_DS,
41938 + .fs = __KERNEL_PERCPU,
41939 +
41940 + .__cr3 = __pa(swapper_pg_dir)
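Review bot: setting .es and .ds to __KERNEL_DS here is unconditional, while SAVE_ALL in entry_32.S makes the same choice only under the PaX options; if the asymmetry is intended, a comment would keep it from being reverted as an oversight when the two are next compared.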
41941 +diff -urNp linux-2.6.24.5/arch/x86/kernel/efi_32.c linux-2.6.24.5/arch/x86/kernel/efi_32.c
41942 +--- linux-2.6.24.5/arch/x86/kernel/efi_32.c 2008-03-24 14:49:18.000000000 -0400
41943 ++++ linux-2.6.24.5/arch/x86/kernel/efi_32.c 2008-03-26 20:21:08.000000000 -0400
41944 +@@ -63,71 +63,38 @@ extern void * boot_ioremap(unsigned long
41945 +
41946 + static unsigned long efi_rt_eflags;
41947 + static DEFINE_SPINLOCK(efi_rt_lock);
41948 +-static pgd_t efi_bak_pg_dir_pointer[2];
41949 ++static pgd_t __initdata efi_bak_pg_dir_pointer[KERNEL_PGD_PTRS] __attribute__ ((aligned (4096)));
41950 +
41951 +-static void efi_call_phys_prelog(void) __acquires(efi_rt_lock)
41952 ++static void __init efi_call_phys_prelog(void) __acquires(efi_rt_lock)
41953 + {
41954 +- unsigned long cr4;
41955 +- unsigned long temp;
41956 + struct Xgt_desc_struct gdt_descr;
41957 +
41958 + spin_lock(&efi_rt_lock);
41959 + local_irq_save(efi_rt_eflags);
41960 +
41961 +- /*
41962 +- * If I don't have PSE, I should just duplicate two entries in page
41963 +- * directory. If I have PSE, I just need to duplicate one entry in
41964 +- * page directory.
41965 +- */
41966 +- cr4 = read_cr4();
41967 +-
41968 +- if (cr4 & X86_CR4_PSE) {
41969 +- efi_bak_pg_dir_pointer[0].pgd =
41970 +- swapper_pg_dir[pgd_index(0)].pgd;
41971 +- swapper_pg_dir[0].pgd =
41972 +- swapper_pg_dir[pgd_index(PAGE_OFFSET)].pgd;
41973 +- } else {
41974 +- efi_bak_pg_dir_pointer[0].pgd =
41975 +- swapper_pg_dir[pgd_index(0)].pgd;
41976 +- efi_bak_pg_dir_pointer[1].pgd =
41977 +- swapper_pg_dir[pgd_index(0x400000)].pgd;
41978 +- swapper_pg_dir[pgd_index(0)].pgd =
41979 +- swapper_pg_dir[pgd_index(PAGE_OFFSET)].pgd;
41980 +- temp = PAGE_OFFSET + 0x400000;
41981 +- swapper_pg_dir[pgd_index(0x400000)].pgd =
41982 +- swapper_pg_dir[pgd_index(temp)].pgd;
41983 +- }
41984 ++ clone_pgd_range(efi_bak_pg_dir_pointer, swapper_pg_dir, KERNEL_PGD_PTRS);
41985 ++ clone_pgd_range(swapper_pg_dir, swapper_pg_dir + USER_PGD_PTRS,
41986 ++ min_t(unsigned long, KERNEL_PGD_PTRS, USER_PGD_PTRS));
41987 +
41988 + /*
41989 + * After the lock is released, the original page table is restored.
41990 + */
41991 + local_flush_tlb();
41992 +
41993 +- gdt_descr.address = __pa(get_cpu_gdt_table(0));
41994 ++ gdt_descr.address = (struct desc_struct *)__pa(get_cpu_gdt_table(0));
41995 + gdt_descr.size = GDT_SIZE - 1;
41996 + load_gdt(&gdt_descr);
41997 + }
41998 +
41999 +-static void efi_call_phys_epilog(void) __releases(efi_rt_lock)
42000 ++static void __init efi_call_phys_epilog(void) __releases(efi_rt_lock)
42001 + {
42002 +- unsigned long cr4;
42003 + struct Xgt_desc_struct gdt_descr;
42004 +
42005 +- gdt_descr.address = (unsigned long)get_cpu_gdt_table(0);
42006 ++ gdt_descr.address = get_cpu_gdt_table(0);
42007 + gdt_descr.size = GDT_SIZE - 1;
42008 + load_gdt(&gdt_descr);
42009 +
42010 +- cr4 = read_cr4();
42011 +-
42012 +- if (cr4 & X86_CR4_PSE) {
42013 +- swapper_pg_dir[pgd_index(0)].pgd =
42014 +- efi_bak_pg_dir_pointer[0].pgd;
42015 +- } else {
42016 +- swapper_pg_dir[pgd_index(0)].pgd =
42017 +- efi_bak_pg_dir_pointer[0].pgd;
42018 +- swapper_pg_dir[pgd_index(0x400000)].pgd =
42019 +- efi_bak_pg_dir_pointer[1].pgd;
42020 +- }
42021 ++ clone_pgd_range(swapper_pg_dir, efi_bak_pg_dir_pointer, KERNEL_PGD_PTRS);
42022 +
42023 + /*
42024 + * After the lock is released, the original page table is restored.
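Review bot: efi_bak_pg_dir_pointer and both functions are now __init, so nothing may call efi_call_phys_prelog()/epilog() after free_initmem(); and the stores into swapper_pg_dir here are not wrapped in pax_open_kernel(), so either swapper_pg_dir stays writable under KERNEXEC or these need the same treatment as the GDT writes in apm_32.c. The clone_pgd_range() form itself is an improvement: it copies the whole kernel half into a page-aligned backup and duplicates it over the first min(KERNEL_PGD_PTRS, USER_PGD_PTRS) entries, replacing the PSE-dependent two-entry identity window.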
42025 +@@ -138,7 +105,7 @@ static void efi_call_phys_epilog(void) _
42026 + spin_unlock(&efi_rt_lock);
42027 + }
42028 +
42029 +-static efi_status_t
42030 ++static efi_status_t __init
42031 + phys_efi_set_virtual_address_map(unsigned long memory_map_size,
42032 + unsigned long descriptor_size,
42033 + u32 descriptor_version,
42034 +@@ -154,7 +121,7 @@ phys_efi_set_virtual_address_map(unsigne
42035 + return status;
42036 + }
42037 +
42038 +-static efi_status_t
42039 ++static noinline efi_status_t __init
42040 + phys_efi_get_time(efi_time_t *tm, efi_time_cap_t *tc)
42041 + {
42042 + efi_status_t status;
42043 +@@ -198,7 +165,7 @@ inline int efi_set_rtc_mmss(unsigned lon
42044 + * services have been remapped and also during suspend, therefore,
42045 + * we'll need to call both in physical and virtual modes.
42046 + */
42047 +-inline unsigned long efi_get_time(void)
42048 ++unsigned long efi_get_time(void)
42049 + {
42050 + efi_status_t status;
42051 + efi_time_t eft;
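Review bot: phys_efi_get_time() is now `noinline __init` (hunk +121) and the stub it calls moves to __INIT/__INITDATA, yet the comment kept here says the time services are needed "also during suspend" and efi_get_time() itself stays non-__init. That is consistent only if efi.get_time is guaranteed to be switched to the virtual-mode entry point before init memory is freed; if any configuration can leave it pointing at phys_efi_get_time, a resume-time call jumps into freed memory. A comment or a check belongs where efi.get_time is assigned.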
42052 +diff -urNp linux-2.6.24.5/arch/x86/kernel/efi_stub_32.S linux-2.6.24.5/arch/x86/kernel/efi_stub_32.S
42053 +--- linux-2.6.24.5/arch/x86/kernel/efi_stub_32.S 2008-03-24 14:49:18.000000000 -0400
42054 ++++ linux-2.6.24.5/arch/x86/kernel/efi_stub_32.S 2008-03-26 20:21:08.000000000 -0400
42055 +@@ -6,6 +6,7 @@
42056 + */
42057 +
42058 + #include <linux/linkage.h>
42059 ++#include <linux/init.h>
42060 + #include <asm/page.h>
42061 +
42062 + /*
42063 +@@ -20,7 +21,7 @@
42064 + * service functions will comply with gcc calling convention, too.
42065 + */
42066 +
42067 +-.text
42068 ++__INIT
42069 + ENTRY(efi_call_phys)
42070 + /*
42071 + * 0. The function can only be called in Linux kernel. So CS has been
42072 +@@ -36,9 +37,7 @@ ENTRY(efi_call_phys)
42073 + * The mapping of lower virtual memory has been created in prelog and
42074 + * epilog.
42075 + */
42076 +- movl $1f, %edx
42077 +- subl $__PAGE_OFFSET, %edx
42078 +- jmp *%edx
42079 ++ jmp 1f-__PAGE_OFFSET
42080 + 1:
42081 +
42082 + /*
42083 +@@ -47,14 +46,8 @@ ENTRY(efi_call_phys)
42084 + * parameter 2, ..., param n. To make things easy, we save the return
42085 + * address of efi_call_phys in a global variable.
42086 + */
42087 +- popl %edx
42088 +- movl %edx, saved_return_addr
42089 +- /* get the function pointer into ECX*/
42090 +- popl %ecx
42091 +- movl %ecx, efi_rt_function_ptr
42092 +- movl $2f, %edx
42093 +- subl $__PAGE_OFFSET, %edx
42094 +- pushl %edx
42095 ++ popl (saved_return_addr)
42096 ++ popl (efi_rt_function_ptr)
42097 +
42098 + /*
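Review bot: the memory-operand forms here need a note on the paging state: `popl (saved_return_addr)` and `popl (efi_rt_function_ptr)` use the variables' virtual addresses, which is right because CR0.PG is still set at step 2, while the same symbol appears with -__PAGE_OFFSET a few lines later. The removed `pushl` of `$2f-__PAGE_OFFSET` was the return address for the old `jmp *%ecx`; it disappears because the next hunk turns that jump into a `call`.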
42099 + * 3. Clear PG bit in %CR0.
42100 +@@ -73,9 +66,8 @@ ENTRY(efi_call_phys)
42101 + /*
42102 + * 5. Call the physical function.
42103 + */
42104 +- jmp *%ecx
42105 ++ call *(efi_rt_function_ptr-__PAGE_OFFSET)
42106 +
42107 +-2:
42108 + /*
42109 + * 6. After EFI runtime service returns, control will return to
42110 + * following instruction. We'd better readjust stack pointer first.
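Review bot: `call *(efi_rt_function_ptr-__PAGE_OFFSET)` executes after step 3 cleared CR0.PG and step 4 moved %esp to its physical alias, so the displacement must be physical, as written, and the return address the call pushes is a physical EIP, which is what step 6's stack readjust expects. A comment on the call line saying paging is off at this point would stop someone from "fixing" the displacement; label `2:` is correctly gone with the explicit return-address push.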
42111 +@@ -88,34 +80,27 @@ ENTRY(efi_call_phys)
42112 + movl %cr0, %edx
42113 + orl $0x80000000, %edx
42114 + movl %edx, %cr0
42115 +- jmp 1f
42116 +-1:
42117 ++
42118 + /*
42119 + * 8. Now restore the virtual mode from flat mode by
42120 + * adding EIP with PAGE_OFFSET.
42121 + */
42122 +- movl $1f, %edx
42123 +- jmp *%edx
42124 ++ jmp 1f+__PAGE_OFFSET
42125 + 1:
42126 +
42127 + /*
42128 + * 9. Balance the stack. And because EAX contain the return value,
42129 + * we'd better not clobber it.
42130 + */
42131 +- leal efi_rt_function_ptr, %edx
42132 +- movl (%edx), %ecx
42133 +- pushl %ecx
42134 ++ pushl (efi_rt_function_ptr)
42135 +
42136 + /*
42137 +- * 10. Push the saved return address onto the stack and return.
42138 ++ * 10. Return to the saved return address.
42139 + */
42140 +- leal saved_return_addr, %edx
42141 +- movl (%edx), %ecx
42142 +- pushl %ecx
42143 +- ret
42144 ++ jmpl *(saved_return_addr)
42145 + .previous
42146 +
42147 +-.data
42148 ++__INITDATA
42149 + saved_return_addr:
42150 + .long 0
42151 + efi_rt_function_ptr:
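Review bot: the `jmp 1f` immediately after `movl %edx, %cr0` re-enables paging is removed; the `jmp 1f+__PAGE_OFFSET` that now follows serializes the pipeline the same way, but since it also switches address spaces it should be commented as doing both jobs. `pushl (efi_rt_function_ptr)` followed by `jmpl *(saved_return_addr)` leaves the caller's stack as it was at entry (function pointer back on top) and returns through an indirect jump instead of push/ret, with virtual operands again, which is right. Moving both variables to __INITDATA matches the __init callers in efi_32.c.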
42152 +diff -urNp linux-2.6.24.5/arch/x86/kernel/entry_32.S linux-2.6.24.5/arch/x86/kernel/entry_32.S
42153 +--- linux-2.6.24.5/arch/x86/kernel/entry_32.S 2008-03-24 14:49:18.000000000 -0400
42154 ++++ linux-2.6.24.5/arch/x86/kernel/entry_32.S 2008-03-26 20:21:08.000000000 -0400
42155 +@@ -97,7 +97,7 @@ VM_MASK = 0x00020000
42156 + #define resume_userspace_sig resume_userspace
42157 + #endif
42158 +
42159 +-#define SAVE_ALL \
42160 ++#define __SAVE_ALL(_DS) \
42161 + cld; \
42162 + pushl %fs; \
42163 + CFI_ADJUST_CFA_OFFSET 4;\
42164 +@@ -129,12 +129,26 @@ VM_MASK = 0x00020000
42165 + pushl %ebx; \
42166 + CFI_ADJUST_CFA_OFFSET 4;\
42167 + CFI_REL_OFFSET ebx, 0;\
42168 +- movl $(__USER_DS), %edx; \
42169 ++ movl $(_DS), %edx; \
42170 + movl %edx, %ds; \
42171 + movl %edx, %es; \
42172 + movl $(__KERNEL_PERCPU), %edx; \
42173 + movl %edx, %fs
42174 +
42175 ++#ifdef CONFIG_PAX_KERNEXEC
42176 ++#define SAVE_ALL \
42177 ++ __SAVE_ALL(__KERNEL_DS); \
42178 ++ GET_CR0_INTO_EDX; \
42179 ++ movl %edx, %esi; \
42180 ++ orl $X86_CR0_WP, %edx; \
42181 ++ xorl %edx, %esi; \
42182 ++ SET_CR0_FROM_EDX
42183 ++#elif defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
42184 ++#define SAVE_ALL __SAVE_ALL(__KERNEL_DS)
42185 ++#else
42186 ++#define SAVE_ALL __SAVE_ALL(__USER_DS)
42187 ++#endif
42188 ++
42189 + #define RESTORE_INT_REGS \
42190 + popl %ebx; \
42191 + CFI_ADJUST_CFA_OFFSET -4;\
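Review bot: under KERNEXEC SAVE_ALL now leaves the CR0.WP delta (0 or X86_CR0_WP) in %esi, and the restore sites (check_userspace and the two NMI paths) undo it with `xorl %esi, %edx`; that contract is written nowhere in the macro. %esi is callee-saved, so C handlers preserve it, but any assembly between SAVE_ALL and the restore that clobbers %esi silently leaves WP in the wrong state. Add a comment stating that %esi is live until the restore and that the xor-delta form is what makes nested entries (an interrupt inside an open window, an NMI inside an interrupt) unwind correctly.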
42192 +@@ -248,7 +262,17 @@ check_userspace:
42193 + movb PT_CS(%esp), %al
42194 + andl $(VM_MASK | SEGMENT_RPL_MASK), %eax
42195 + cmpl $USER_RPL, %eax
42196 ++
42197 ++#ifdef CONFIG_PAX_KERNEXEC
42198 ++ jae resume_userspace
42199 ++
42200 ++ GET_CR0_INTO_EDX
42201 ++ xorl %esi, %edx
42202 ++ SET_CR0_FROM_EDX
42203 ++ jmp resume_kernel
42204 ++#else
42205 + jb resume_kernel # not returning to v8086 or userspace
42206 ++#endif
42207 +
42208 + ENTRY(resume_userspace)
42209 + LOCKDEP_SYS_EXIT
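Review bot: the WP state is restored before `jmp resume_kernel`, which under CONFIG_PREEMPT may schedule; that is only safe if every pax_open_kernel() window runs with preemption disabled, so that resume_kernel's preempt_count check prevents a switch while the interrupted context had WP cleared. That assumption is not visible in this patch and deserves a comment here.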
42210 +@@ -308,10 +332,9 @@ sysenter_past_esp:
42211 + /*CFI_REL_OFFSET cs, 0*/
42212 + /*
42213 + * Push current_thread_info()->sysenter_return to the stack.
42214 +- * A tiny bit of offset fixup is necessary - 4*4 means the 4 words
42215 +- * pushed above; +8 corresponds to copy_thread's esp0 setting.
42216 + */
42217 +- pushl (TI_sysenter_return-THREAD_SIZE+8+4*4)(%esp)
42218 ++ GET_THREAD_INFO(%ebp)
42219 ++ pushl TI_sysenter_return(%ebp)
42220 + CFI_ADJUST_CFA_OFFSET 4
42221 + CFI_REL_OFFSET eip, 0
42222 +
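Review bot: `GET_THREAD_INFO(%ebp)` clobbers %ebp, which at this point still holds the user stack pointer needed for the sixth-argument load just below; the next hunk adds `movl 12(%esp),%ebp` to reload it from the `pushl %ebp` four words up the frame. The two lines depend on each other across a hunk boundary, so a short comment at the reload naming the push it reads would help.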
42223 +@@ -319,9 +342,17 @@ sysenter_past_esp:
42224 + * Load the potential sixth argument from user stack.
42225 + * Careful about security.
42226 + */
42227 ++ movl 12(%esp),%ebp
42228 ++
42229 ++#ifdef CONFIG_PAX_MEMORY_UDEREF
42230 ++ mov 16(%esp),%ds
42231 ++1: movl %ds:(%ebp),%ebp
42232 ++#else
42233 + cmpl $__PAGE_OFFSET-3,%ebp
42234 + jae syscall_fault
42235 + 1: movl (%ebp),%ebp
42236 ++#endif
42237 ++
42238 + .section __ex_table,"a"
42239 + .align 4
42240 + .long 1b,syscall_fault
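Review bot: the UDEREF branch relies on two things it should state in a comment: 16(%esp) is the `$(__USER_DS)` pushed at the top of sysenter_past_esp, and dereferencing through that segment must fault for a kernel address in %ebp (the existing `.long 1b,syscall_fault` entry catches it), since the `cmpl $__PAGE_OFFSET-3` range check is gone in this branch. The user-segment limit that makes this true is defined elsewhere, and nothing between here and SAVE_ALL may use %ds implicitly.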
42241 +@@ -345,20 +376,37 @@ sysenter_past_esp:
42242 + movl TI_flags(%ebp), %ecx
42243 + testw $_TIF_ALLWORK_MASK, %cx
42244 + jne syscall_exit_work
42245 ++
42246 ++#ifdef CONFIG_PAX_RANDKSTACK
42247 ++ pushl %eax
42248 ++ CFI_ADJUST_CFA_OFFSET 4
42249 ++ call pax_randomize_kstack
42250 ++ popl %eax
42251 ++ CFI_ADJUST_CFA_OFFSET -4
42252 ++#endif
42253 ++
42254 + /* if something modifies registers it must also disable sysexit */
42255 + movl PT_EIP(%esp), %edx
42256 + movl PT_OLDESP(%esp), %ecx
42257 + xorl %ebp,%ebp
42258 + TRACE_IRQS_ON
42259 + 1: mov PT_FS(%esp), %fs
42260 ++2: mov PT_DS(%esp), %ds
42261 ++3: mov PT_ES(%esp), %es
42262 + ENABLE_INTERRUPTS_SYSEXIT
42263 + CFI_ENDPROC
42264 + .pushsection .fixup,"ax"
42265 +-2: movl $0,PT_FS(%esp)
42266 ++4: movl $0,PT_FS(%esp)
42267 + jmp 1b
42268 ++5: movl $0,PT_DS(%esp)
42269 ++ jmp 2b
42270 ++6: movl $0,PT_ES(%esp)
42271 ++ jmp 3b
42272 + .section __ex_table,"a"
42273 + .align 4
42274 +- .long 1b,2b
42275 ++ .long 1b,4b
42276 ++ .long 2b,5b
42277 ++ .long 3b,6b
42278 + .popsection
42279 + ENDPROC(sysenter_entry)
42280 +
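Review bot: the `pushl %eax`/`popl %eax` around `call pax_randomize_kstack` is needed because on the sysexit path the syscall return value is still in %eax rather than reloaded from pt_regs; say so in a comment, since the second call site (before restore_all, next hunk) deliberately does not save it. Restoring %ds/%es from PT_DS/PT_ES before sysexit is required now that SAVE_ALL loads __KERNEL_DS into them under the PaX options, and the new 4b/5b/6b fixups mirror the existing %fs handling by zeroing the slot and retrying.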
42281 +@@ -392,6 +440,10 @@ no_singlestep:
42282 + testw $_TIF_ALLWORK_MASK, %cx # current->work
42283 + jne syscall_exit_work
42284 +
42285 ++#ifdef CONFIG_PAX_RANDKSTACK
42286 ++ call pax_randomize_kstack
42287 ++#endif
42288 ++
42289 + restore_all:
42290 + movl PT_EFLAGS(%esp), %eax # mix EFLAGS, SS and CS
42291 + # Warning: PT_OLDSS(%esp) contains the wrong/random values if we
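Review bot: `call pax_randomize_kstack` here is made without preserving %eax, unlike the sysexit site above; that is correct because restore_all reloads every register from pt_regs, but the asymmetry reads as an oversight without a comment. The function's contract (which registers it may clobber, that it must not touch the frame it relocates) is not documented anywhere in the patch.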
42292 +@@ -556,17 +608,24 @@ syscall_badsys:
42293 + END(syscall_badsys)
42294 + CFI_ENDPROC
42295 +
42296 +-#define FIXUP_ESPFIX_STACK \
42297 +- /* since we are on a wrong stack, we cant make it a C code :( */ \
42298 +- PER_CPU(gdt_page, %ebx); \
42299 +- GET_DESC_BASE(GDT_ENTRY_ESPFIX_SS, %ebx, %eax, %ax, %al, %ah); \
42300 +- addl %esp, %eax; \
42301 +- pushl $__KERNEL_DS; \
42302 +- CFI_ADJUST_CFA_OFFSET 4; \
42303 +- pushl %eax; \
42304 +- CFI_ADJUST_CFA_OFFSET 4; \
42305 +- lss (%esp), %esp; \
42306 ++.macro FIXUP_ESPFIX_STACK
42307 ++ /* since we are on a wrong stack, we cant make it a C code :( */
42308 ++#ifdef CONFIG_SMP
42309 ++ movl PER_CPU_VAR(cpu_number), %ebx;
42310 ++ shll $PAGE_SHIFT_asm, %ebx;
42311 ++ addl $cpu_gdt_table, %ebx;
42312 ++#else
42313 ++ movl $cpu_gdt_table, %ebx;
42314 ++#endif
42315 ++ GET_DESC_BASE(GDT_ENTRY_ESPFIX_SS, %ebx, %eax, %ax, %al, %ah);
42316 ++ addl %esp, %eax;
42317 ++ pushl $__KERNEL_DS;
42318 ++ CFI_ADJUST_CFA_OFFSET 4;
42319 ++ pushl %eax;
42320 ++ CFI_ADJUST_CFA_OFFSET 4;
42321 ++ lss (%esp), %esp;
42322 + CFI_ADJUST_CFA_OFFSET -8;
42323 ++.endm
42324 + #define UNWIND_ESPFIX_STACK \
42325 + movl %ss, %eax; \
42326 + /* see if on espfix stack */ \
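Review bot: the SMP branch hard-codes the assumption that cpu_gdt_table is an array of page-sized GDTs indexed by cpu_number (`shll $PAGE_SHIFT_asm`), a layout defined wherever cpu_gdt_table replaces the removed gdt_page per-cpu variable; both sites should carry a comment pointing at each other. Turning the #define into a .macro is the only way to get `#ifdef CONFIG_SMP` inside the body, which is worth a line of comment too; the trailing semicolons inside the .macro are left over from the #define and can go.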
42327 +@@ -583,7 +642,7 @@ END(syscall_badsys)
42328 + * Build the entry stubs and pointer table with
42329 + * some assembler magic.
42330 + */
42331 +-.data
42332 ++.section .rodata,"a",@progbits
42333 + ENTRY(interrupt)
42334 + .text
42335 +
42336 +@@ -683,12 +742,21 @@ error_code:
42337 + popl %ecx
42338 + CFI_ADJUST_CFA_OFFSET -4
42339 + /*CFI_REGISTER es, ecx*/
42340 ++
42341 ++#ifdef CONFIG_PAX_KERNEXEC
42342 ++ GET_CR0_INTO_EDX
42343 ++ movl %edx, %esi
42344 ++ orl $X86_CR0_WP, %edx
42345 ++ xorl %edx, %esi
42346 ++ SET_CR0_FROM_EDX
42347 ++#endif
42348 ++
42349 + movl PT_FS(%esp), %edi # get the function address
42350 + movl PT_ORIG_EAX(%esp), %edx # get the error code
42351 + movl $-1, PT_ORIG_EAX(%esp) # no syscall to restart
42352 + mov %ecx, PT_FS(%esp)
42353 + /*CFI_REL_OFFSET fs, ES*/
42354 +- movl $(__USER_DS), %ecx
42355 ++ movl $(__KERNEL_DS), %ecx
42356 + movl %ecx, %ds
42357 + movl %ecx, %es
42358 + movl %esp,%eax # pt_regs pointer
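Review bot: this is the third copy of the five-instruction CR0.WP open sequence (GET_CR0_INTO_EDX, save to %esi, or in WP, xor, SET_CR0_FROM_EDX) and the restore appears three times as well; two assembler macros would keep the %esi convention in one place. Also, switching the %ds/%es load from __USER_DS to __KERNEL_DS here is unconditional, while SAVE_ALL makes the same choice only under the PaX options; if the difference is intended it should be commented.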
42359 +@@ -822,6 +890,13 @@ nmi_stack_correct:
42360 + xorl %edx,%edx # zero error code
42361 + movl %esp,%eax # pt_regs pointer
42362 + call do_nmi
42363 ++
42364 ++#ifdef CONFIG_PAX_KERNEXEC
42365 ++ GET_CR0_INTO_EDX
42366 ++ xorl %esi, %edx
42367 ++ SET_CR0_FROM_EDX
42368 ++#endif
42369 ++
42370 + jmp restore_nocheck_notrace
42371 + CFI_ENDPROC
42372 +
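Review bot: restoring CR0 from %esi after do_nmi is the case that justifies the xor-delta design: an NMI can land between the GET_CR0 and SET_CR0 of an interrupted SAVE_ALL, and because each frame computes its delta against the CR0 it actually observed, the nested restore leaves WP exactly where the outer frame will then set it. That reasoning is subtle enough to write down here rather than leave implicit; the same applies to the nmi_espfix_stack copy below.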
42373 +@@ -862,6 +937,13 @@ nmi_espfix_stack:
42374 + FIXUP_ESPFIX_STACK # %eax == %esp
42375 + xorl %edx,%edx # zero error code
42376 + call do_nmi
42377 ++
42378 ++#ifdef CONFIG_PAX_KERNEXEC
42379 ++ GET_CR0_INTO_EDX
42380 ++ xorl %esi, %edx
42381 ++ SET_CR0_FROM_EDX
42382 ++#endif
42383 ++
42384 + RESTORE_REGS
42385 + lss 12+4(%esp), %esp # back to espfix stack
42386 + CFI_ADJUST_CFA_OFFSET -24
42387 +@@ -1110,7 +1192,6 @@ ENDPROC(xen_failsafe_callback)
42388 +
42389 + #endif /* CONFIG_XEN */
42390 +
42391 +-.section .rodata,"a"
42392 + #include "syscall_table_32.S"
42393 +
42394 + syscall_table_size=(.-sys_call_table)
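Review bot: with `.section .rodata,"a"` removed before `#include "syscall_table_32.S"`, sys_call_table lands in whatever section is current at that point unless syscall_table_32.S now selects .rodata itself. The earlier hunk moved the `interrupt` table into `.section .rodata,"a",@progbits` explicitly, so the included file presumably gained a matching directive, but it is not in these hunks and should be checked; a table of syscall handlers ending up in .text would be writable under KERNEXEC's open window and not under the protection this patch is after.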
42395 +diff -urNp linux-2.6.24.5/arch/x86/kernel/entry_64.S linux-2.6.24.5/arch/x86/kernel/entry_64.S
42396 +--- linux-2.6.24.5/arch/x86/kernel/entry_64.S 2008-03-24 14:49:18.000000000 -0400
42397 ++++ linux-2.6.24.5/arch/x86/kernel/entry_64.S 2008-03-26 20:21:08.000000000 -0400
42398 +@@ -440,6 +440,7 @@ ENTRY(stub_execve)
42399 + CFI_REGISTER rip, r11
42400 + SAVE_REST
42401 + FIXUP_TOP_OF_STACK %r11
42402 ++ movq %rsp, %rcx
42403 + call sys_execve
42404 + RESTORE_TOP_OF_STACK %r11
42405 + movq %rax,RAX(%rsp)
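Review bot: `movq %rsp, %rcx` passes the pt_regs pointer as the fourth argument, matching the updated prototype quoted in the kernel_execve hunk (`struct pt_regs *regs`), but the C definition of sys_execve has to change in the same patch and that hunk is not shown here; please cross-reference it. A comment on the `movq` is also needed, since the value is consumed through the C ABI and is otherwise unexplained at this site.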
42406 +@@ -735,17 +736,18 @@ END(spurious_interrupt)
42407 + xorl %ebx,%ebx
42408 + 1:
42409 + .if \ist
42410 +- movq %gs:pda_data_offset, %rbp
42411 ++ imul $TSS_size, %gs:pda_cpunumber, %ebp
42412 ++ lea init_tss(%rbp), %rbp
42413 + .endif
42414 + movq %rsp,%rdi
42415 + movq ORIG_RAX(%rsp),%rsi
42416 + movq $-1,ORIG_RAX(%rsp)
42417 + .if \ist
42418 +- subq $EXCEPTION_STKSZ, per_cpu__init_tss + TSS_ist + (\ist - 1) * 8(%rbp)
42419 ++ subq $EXCEPTION_STKSZ, TSS_ist + (\ist - 1) * 8(%rbp)
42420 + .endif
42421 + call \sym
42422 + .if \ist
42423 +- addq $EXCEPTION_STKSZ, per_cpu__init_tss + TSS_ist + (\ist - 1) * 8(%rbp)
42424 ++ addq $EXCEPTION_STKSZ, TSS_ist + (\ist - 1) * 8(%rbp)
42425 + .endif
42426 + cli
42427 + .if \irqtrace
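Review bot: `imul $TSS_size, %gs:pda_cpunumber, %ebp` followed by `lea init_tss(%rbp), %rbp` indexes the new static `init_tss[NR_CPUS]` array from the init_task.c hunk, so `TSS_size` must be emitted by asm-offsets and equal sizeof(struct tss_struct); that definition is not visible here. The 32-bit `imul` into %ebp zero-extends into %rbp, which is fine for a CPU index, but a comment saying that the former per-CPU lookup is replaced by array indexing would make the `.if \ist` blocks easier to follow.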
42428 +@@ -1003,15 +1005,16 @@ ENDPROC(child_rip)
42429 + * rdi: name, rsi: argv, rdx: envp
42430 + *
42431 + * We want to fallback into:
42432 +- * extern long sys_execve(char *name, char **argv,char **envp, struct pt_regs regs)
42433 ++ * extern long sys_execve(char *name, char **argv,char **envp, struct pt_regs *regs)
42434 + *
42435 + * do_sys_execve asm fallback arguments:
42436 +- * rdi: name, rsi: argv, rdx: envp, fake frame on the stack
42437 ++ * rdi: name, rsi: argv, rdx: envp, rcx: fake frame on the stack
42438 + */
42439 + ENTRY(kernel_execve)
42440 + CFI_STARTPROC
42441 + FAKE_STACK_FRAME $0
42442 + SAVE_ALL
42443 ++ movq %rsp,%rcx
42444 + call sys_execve
42445 + movq %rax, RAX(%rsp)
42446 + RESTORE_REST
42447 +diff -urNp linux-2.6.24.5/arch/x86/kernel/head_32.S linux-2.6.24.5/arch/x86/kernel/head_32.S
42448 +--- linux-2.6.24.5/arch/x86/kernel/head_32.S 2008-03-24 14:49:18.000000000 -0400
42449 ++++ linux-2.6.24.5/arch/x86/kernel/head_32.S 2008-03-26 20:21:08.000000000 -0400
42450 +@@ -18,6 +18,7 @@
42451 + #include <asm/thread_info.h>
42452 + #include <asm/asm-offsets.h>
42453 + #include <asm/setup.h>
42454 ++#include <asm/msr-index.h>
42455 +
42456 + /*
42457 + * References to members of the new_cpu_data structure.
42458 +@@ -60,17 +61,22 @@ LOW_PAGES = 1<<(32-PAGE_SHIFT_asm)
42459 + LOW_PAGES = LOW_PAGES + 0x1000000
42460 + #endif
42461 +
42462 +-#if PTRS_PER_PMD > 1
42463 +-PAGE_TABLE_SIZE = (LOW_PAGES / PTRS_PER_PMD) + PTRS_PER_PGD
42464 +-#else
42465 +-PAGE_TABLE_SIZE = (LOW_PAGES / PTRS_PER_PGD)
42466 +-#endif
42467 ++PAGE_TABLE_SIZE = (LOW_PAGES / PTRS_PER_PTE)
42468 + BOOTBITMAP_SIZE = LOW_PAGES / 8
42469 + ALLOCATOR_SLOP = 4
42470 +
42471 + INIT_MAP_BEYOND_END = BOOTBITMAP_SIZE + (PAGE_TABLE_SIZE + ALLOCATOR_SLOP)*PAGE_SIZE_asm
42472 +
42473 + /*
42474 ++ * Real beginning of normal "text" segment
42475 ++ */
42476 ++ENTRY(stext)
42477 ++ENTRY(_stext)
42478 ++
42479 ++.section .text.startup,"ax",@progbits
42480 ++ ljmp $(__BOOT_CS),$phys_startup_32
42481 ++
42482 ++/*
42483 + * 32-bit kernel entrypoint; only used by the boot CPU. On entry,
42484 + * %esi points to the real-mode code as a 32-bit pointer.
42485 + * CS and DS must be 4 GB flat segments, but we don't depend on
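Review bot: `ENTRY(stext)` / `ENTRY(_stext)` are now emitted before the `.section .text.startup` directive, so they land in whatever section is current at that point rather than in .text.startup; if they are meant to mark the start of the startup stub, the `.section` line should come first. The PAE-only `+ PTRS_PER_PGD` term dropped from PAGE_TABLE_SIZE appears to be covered by the static `swapper_pm_dir` pages added further down; a comment here would tie the two distant hunks together. The `ljmp $(__BOOT_CS),$phys_startup_32` also depends on the linker script providing `phys_startup_32`.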
42486 +@@ -78,6 +84,12 @@ INIT_MAP_BEYOND_END = BOOTBITMAP_SIZE +
42487 + * can.
42488 + */
42489 + .section .text.head,"ax",@progbits
42490 ++
42491 ++#ifdef CONFIG_PAX_KERNEXEC
42492 ++/* PaX: fill first page in .text with int3 to catch NULL derefs in kernel mode */
42493 ++.fill 4096,1,0xcc
42494 ++#endif
42495 ++
42496 + ENTRY(startup_32)
42497 + /* check to see if KEEP_SEGMENTS flag is meaningful */
42498 + cmpw $0x207, BP_version(%esi)
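Review bot: the 4 KiB `.fill` of int3 means `startup_32` is no longer at the start of .text.head, so anything that equates the section start or the image load address with the entry point must use the `startup_32` symbol; the linker script's `phys_startup_32` should be checked for that. The comment should also say that this page becomes the NULL page of the shifted kernel code segment (the `KERNEL_TEXT_OFFSET` base programmed into __KERNEL_CS below), which is why filling the start of text, rather than a data page, is what traps NULL function-pointer calls in kernel mode.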
42499 +@@ -99,6 +111,43 @@ ENTRY(startup_32)
42500 + movl %eax,%gs
42501 + 2:
42502 +
42503 ++ movl $__per_cpu_start,%eax
42504 ++ movw %ax,(cpu_gdt_table - __PAGE_OFFSET + __KERNEL_PERCPU + 2)
42505 ++ rorl $16,%eax
42506 ++ movb %al,(cpu_gdt_table - __PAGE_OFFSET + __KERNEL_PERCPU + 4)
42507 ++ movb %ah,(cpu_gdt_table - __PAGE_OFFSET + __KERNEL_PERCPU + 7)
42508 ++ movl $__per_cpu_end + PERCPU_MODULE_RESERVE,%eax
42509 ++ subl $__per_cpu_start,%eax
42510 ++ movw %ax,(cpu_gdt_table - __PAGE_OFFSET + __KERNEL_PERCPU + 0)
42511 ++
42512 ++#ifdef CONFIG_PAX_MEMORY_UDEREF
42513 ++ /* check for VMware */
42514 ++ movl $0x564d5868,%eax
42515 ++ xorl %ebx,%ebx
42516 ++ movl $0xa,%ecx
42517 ++ movl $0x5658,%edx
42518 ++ in (%dx),%eax
42519 ++ cmpl $0x564d5868,%ebx
42520 ++ jz 1f
42521 ++
42522 ++ movl $((((__PAGE_OFFSET-1) & 0xf0000000) >> 12) | 0x00c09700),%eax
42523 ++ movl %eax,(cpu_gdt_table - __PAGE_OFFSET + GDT_ENTRY_KERNEL_DS * 8 + 4)
42524 ++1:
42525 ++#endif
42526 ++
42527 ++#ifdef CONFIG_PAX_KERNEXEC
42528 ++ movl $KERNEL_TEXT_OFFSET,%eax
42529 ++ movw %ax,(cpu_gdt_table - __PAGE_OFFSET + __KERNEL_CS + 2)
42530 ++ rorl $16,%eax
42531 ++ movb %al,(cpu_gdt_table - __PAGE_OFFSET + __KERNEL_CS + 4)
42532 ++ movb %ah,(cpu_gdt_table - __PAGE_OFFSET + __KERNEL_CS + 7)
42533 ++
42534 ++ movb %al,(boot_gdt - __PAGE_OFFSET + __BOOT_CS + 4)
42535 ++ movb %ah,(boot_gdt - __PAGE_OFFSET + __BOOT_CS + 7)
42536 ++ rorl $16,%eax
42537 ++ movw %ax,(boot_gdt - __PAGE_OFFSET + __BOOT_CS + 2)
42538 ++#endif
42539 ++
42540 + /*
42541 + * Clear BSS first so that there are no surprises...
42542 + */
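Review bot: the descriptor rewrite under CONFIG_PAX_MEMORY_UDEREF needs inline documentation: the high dword `0x00c09700 | (((__PAGE_OFFSET-1) & 0xf0000000) >> 12)` turns __KERNEL_DS into an expand-down data segment (type 7) whose limit is derived from __PAGE_OFFSET, so only offsets at or above __PAGE_OFFSET are valid through %ds/%es, and the low 16 limit bits are left at the 0xffff of the `0x00cf93000000ffff` template in cpu_gdt_table. The VMware probe (magic 0x564d5868 on port 0x5658) should say why the limit trick is skipped under that hypervisor. In the KERNEXEC part the two `rorl $16` and the byte stores do put base bits 31:24, 23:16 and 15:0 in the correct descriptor bytes for both __KERNEL_CS and __BOOT_CS, but a comment with the descriptor byte layout would save the next reader a manual check.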
42543 +@@ -141,9 +190,7 @@ ENTRY(startup_32)
42544 + cmpl $num_subarch_entries, %eax
42545 + jae bad_subarch
42546 +
42547 +- movl subarch_entries - __PAGE_OFFSET(,%eax,4), %eax
42548 +- subl $__PAGE_OFFSET, %eax
42549 +- jmp *%eax
42550 ++ jmp *(subarch_entries - __PAGE_OFFSET)(,%eax,4)
42551 +
42552 + bad_subarch:
42553 + WEAK(lguest_entry)
42554 +@@ -151,11 +198,11 @@ WEAK(xen_entry)
42555 + /* Unknown implementation; there's really
42556 + nothing we can do at this point. */
42557 + ud2a
42558 +-.data
42559 ++.section .rodata,"a",@progbits
42560 + subarch_entries:
42561 +- .long default_entry /* normal x86/PC */
42562 +- .long lguest_entry /* lguest hypervisor */
42563 +- .long xen_entry /* Xen hypervisor */
42564 ++ .long default_entry - __PAGE_OFFSET /* normal x86/PC */
42565 ++ .long lguest_entry - __PAGE_OFFSET /* lguest hypervisor */
42566 ++ .long xen_entry - __PAGE_OFFSET /* Xen hypervisor */
42567 + num_subarch_entries = (. - subarch_entries) / 4
42568 + .previous
42569 + #endif /* CONFIG_PARAVIRT */
42570 +@@ -170,34 +217,55 @@ num_subarch_entries = (. - subarch_entri
42571 + * Warning: don't use %esi or the stack in this code. However, %esp
42572 + * can be used as a GPR if you really need it...
42573 + */
42574 +-page_pde_offset = (__PAGE_OFFSET >> 20);
42575 ++#ifdef CONFIG_X86_PAE
42576 ++page_pde_offset = ((__PAGE_OFFSET >> 21) * (PAGE_SIZE_asm / PTRS_PER_PTE));
42577 ++#else
42578 ++page_pde_offset = ((__PAGE_OFFSET >> 22) * (PAGE_SIZE_asm / PTRS_PER_PTE));
42579 ++#endif
42580 +
42581 + default_entry:
42582 + movl $(pg0 - __PAGE_OFFSET), %edi
42583 ++#ifdef CONFIG_X86_PAE
42584 ++ movl $(swapper_pm_dir - __PAGE_OFFSET), %edx
42585 ++#else
42586 + movl $(swapper_pg_dir - __PAGE_OFFSET), %edx
42587 +- movl $0x007, %eax /* 0x007 = PRESENT+RW+USER */
42588 ++#endif
42589 ++ movl $0x063, %eax /* 0x063 = PRESENT+RW+ACCESSED+DIRTY */
42590 + 10:
42591 +- leal 0x007(%edi),%ecx /* Create PDE entry */
42592 ++ leal 0x063(%edi),%ecx /* Create PDE entry */
42593 + movl %ecx,(%edx) /* Store identity PDE entry */
42594 + movl %ecx,page_pde_offset(%edx) /* Store kernel PDE entry */
42595 ++#ifdef CONFIG_X86_PAE
42596 ++ movl $0,4(%edx)
42597 ++ movl $0,page_pde_offset+4(%edx)
42598 ++ addl $8,%edx
42599 ++ movl $512, %ecx
42600 ++#else
42601 + addl $4,%edx
42602 + movl $1024, %ecx
42603 ++#endif
42604 + 11:
42605 + stosl
42606 ++#ifdef CONFIG_X86_PAE
42607 ++ movl $0,(%edi)
42608 ++ addl $4,%edi
42609 ++#endif
42610 + addl $0x1000,%eax
42611 + loop 11b
42612 + /* End condition: we must map up to and including INIT_MAP_BEYOND_END */
42613 +- /* bytes beyond the end of our own page tables; the +0x007 is the attribute bits */
42614 +- leal (INIT_MAP_BEYOND_END+0x007)(%edi),%ebp
42615 ++ /* bytes beyond the end of our own page tables; the +0x063 is the attribute bits */
42616 ++ leal (INIT_MAP_BEYOND_END+0x063)(%edi),%ebp
42617 + cmpl %ebp,%eax
42618 + jb 10b
42619 + movl %edi,(init_pg_tables_end - __PAGE_OFFSET)
42620 +
42621 + /* Do an early initialization of the fixmap area */
42622 +- movl $(swapper_pg_dir - __PAGE_OFFSET), %edx
42623 +- movl $(swapper_pg_pmd - __PAGE_OFFSET), %eax
42624 +- addl $0x67, %eax /* 0x67 == _PAGE_TABLE */
42625 +- movl %eax, 4092(%edx)
42626 ++ /* 0x067 = PRESENT+RW+USER+ACCESSED+DIRTY */
42627 ++#ifdef CONFIG_X86_PAE
42628 ++ movl $(swapper_pg_pmd - __PAGE_OFFSET + 0x067), (swapper_pm_dir - __PAGE_OFFSET + 4096 - 8)
42629 ++#else
42630 ++ movl $(swapper_pg_pmd - __PAGE_OFFSET + 0x067), (swapper_pg_dir - __PAGE_OFFSET + 4096 - 4)
42631 ++#endif
42632 +
42633 + xorl %ebx,%ebx /* This is the boot CPU (BSP) */
42634 + jmp 3f
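Review bot: in the PAE branch the early fixmap PMD is stored at `swapper_pm_dir + 4096 - 8`, which is entry 511 of the first of the four consecutive PMD pages (the swapper_pg_dir hunk below points PDPT entries 0..3 at swapper_pm_dir, +4096, +8192 and +12288), whereas the non-PAE branch writes the last PDE of swapper_pg_dir, i.e. the top 4 MB of the address space; the PAE counterpart of that top-of-address-space slot would be entry 511 of the fourth page (`+ 4*4096 - 8`), so please confirm which entry is intended. Separately, the identity and kernel mappings drop _PAGE_USER (0x007 -> 0x063) while the fixmap PMD keeps it (0x067); if that is deliberate because user-visible fixmap pages need USER at the upper level, the comment should say so.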
42635 +@@ -223,6 +291,11 @@ ENTRY(startup_32_smp)
42636 + movl %eax,%fs
42637 + movl %eax,%gs
42638 +
42639 ++ /* This is a secondary processor (AP) */
42640 ++ xorl %ebx,%ebx
42641 ++ incl %ebx
42642 ++#endif /* CONFIG_SMP */
42643 ++
42644 + /*
42645 + * New page tables may be in 4Mbyte page mode and may
42646 + * be using the global pages.
42647 +@@ -238,42 +311,47 @@ ENTRY(startup_32_smp)
42648 + * not yet offset PAGE_OFFSET..
42649 + */
42650 + #define cr4_bits mmu_cr4_features-__PAGE_OFFSET
42651 ++3:
42652 + movl cr4_bits,%edx
42653 + andl %edx,%edx
42654 +- jz 6f
42655 ++ jz 5f
42656 + movl %cr4,%eax # Turn on paging options (PSE,PAE,..)
42657 + orl %edx,%eax
42658 + movl %eax,%cr4
42659 +
42660 +- btl $5, %eax # check if PAE is enabled
42661 +- jnc 6f
42662 ++#ifdef CONFIG_X86_PAE
42663 ++ movl %ebx,%edi
42664 +
42665 + /* Check if extended functions are implemented */
42666 + movl $0x80000000, %eax
42667 + cpuid
42668 + cmpl $0x80000000, %eax
42669 +- jbe 6f
42670 ++ jbe 4f
42671 + mov $0x80000001, %eax
42672 + cpuid
42673 + /* Execute Disable bit supported? */
42674 + btl $20, %edx
42675 +- jnc 6f
42676 ++ jnc 4f
42677 +
42678 + /* Setup EFER (Extended Feature Enable Register) */
42679 +- movl $0xc0000080, %ecx
42680 ++ movl $MSR_EFER, %ecx
42681 + rdmsr
42682 +
42683 + btsl $11, %eax
42684 + /* Make changes effective */
42685 + wrmsr
42686 +
42687 +-6:
42688 +- /* This is a secondary processor (AP) */
42689 +- xorl %ebx,%ebx
42690 +- incl %ebx
42691 ++ btsl $63-32,__supported_pte_mask+4-__PAGE_OFFSET
42692 ++ movl $1,nx_enabled-__PAGE_OFFSET
42693 +
42694 +-#endif /* CONFIG_SMP */
42695 +-3:
42696 ++#if !defined(CONFIG_PAX_SEGMEXEC) && !defined(CONFIG_PAX_KERNEXEC) && !defined(CONFIG_PAX_MEMORY_UDEREF)
42697 ++ movl $0,disable_x86_sep-__PAGE_OFFSET
42698 ++#endif
42699 ++
42700 ++4:
42701 ++ movl %edi,%ebx
42702 ++#endif
42703 ++5:
42704 +
42705 + /*
42706 + * Enable paging
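Review bot: `btsl $63-32,__supported_pte_mask+4-__PAGE_OFFSET` and `movl $1,nx_enabled-__PAGE_OFFSET` write C variables from the early boot path, and every CPU that takes the `#ifdef CONFIG_X86_PAE` branch repeats them; harmless while the values are constant, but the C code that normally sets them must not reset them later. `movl $0,disable_x86_sep-__PAGE_OFFSET` being conditional on none of SEGMEXEC/KERNEXEC/UDEREF implies the variable now defaults to 1 somewhere else in the patch; that default and the reason belong in a comment next to the variable, not only here. Saving the BSP/AP flag in %edi around `cpuid` (which clobbers %ebx) is correct.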
42707 +@@ -298,9 +376,7 @@ ENTRY(startup_32_smp)
42708 +
42709 + #ifdef CONFIG_SMP
42710 + andl %ebx,%ebx
42711 +- jz 1f /* Initial CPU cleans BSS */
42712 +- jmp checkCPUtype
42713 +-1:
42714 ++ jnz checkCPUtype /* Initial CPU cleans BSS */
42715 + #endif /* CONFIG_SMP */
42716 +
42717 + /*
42718 +@@ -377,12 +453,12 @@ is386: movl $2,%ecx # set MP
42719 + ljmp $(__KERNEL_CS),$1f
42720 + 1: movl $(__KERNEL_DS),%eax # reload all the segment registers
42721 + movl %eax,%ss # after changing gdt.
42722 +- movl %eax,%fs # gets reset once there's real percpu
42723 +-
42724 +- movl $(__USER_DS),%eax # DS/ES contains default USER segment
42725 + movl %eax,%ds
42726 + movl %eax,%es
42727 +
42728 ++ movl $(__KERNEL_PERCPU), %eax
42729 ++ movl %eax,%fs # set this cpu's percpu
42730 ++
42731 + xorl %eax,%eax # Clear GS and LDT
42732 + movl %eax,%gs
42733 + lldt %ax
42734 +@@ -393,11 +469,7 @@ is386: movl $2,%ecx # set MP
42735 + movb ready, %cl
42736 + movb $1, ready
42737 + cmpb $0,%cl # the first CPU calls start_kernel
42738 +- je 1f
42739 +- movl $(__KERNEL_PERCPU), %eax
42740 +- movl %eax,%fs # set this cpu's percpu
42741 +- jmp initialize_secondary # all other CPUs call initialize_secondary
42742 +-1:
42743 ++ jne initialize_secondary # all other CPUs call initialize_secondary
42744 + #endif /* CONFIG_SMP */
42745 + jmp start_kernel
42746 +
42747 +@@ -483,8 +555,8 @@ early_page_fault:
42748 + jmp early_fault
42749 +
42750 + early_fault:
42751 +- cld
42752 + #ifdef CONFIG_PRINTK
42753 ++ cld
42754 + pusha
42755 + movl $(__KERNEL_DS),%eax
42756 + movl %eax,%ds
42757 +@@ -509,8 +581,8 @@ hlt_loop:
42758 + /* This is the default interrupt "handler" :-) */
42759 + ALIGN
42760 + ignore_int:
42761 +- cld
42762 + #ifdef CONFIG_PRINTK
42763 ++ cld
42764 + pushl %eax
42765 + pushl %ecx
42766 + pushl %edx
42767 +@@ -541,31 +613,58 @@ ignore_int:
42768 + #endif
42769 + iret
42770 +
42771 +-.section .text
42772 +-/*
42773 +- * Real beginning of normal "text" segment
42774 +- */
42775 +-ENTRY(stext)
42776 +-ENTRY(_stext)
42777 +-
42778 + /*
42779 + * BSS section
42780 + */
42781 +-.section ".bss.page_aligned","wa"
42782 ++.section .swapper_pg_dir,"a",@progbits
42783 + .align PAGE_SIZE_asm
42784 + ENTRY(swapper_pg_dir)
42785 ++#ifdef CONFIG_X86_PAE
42786 ++ .long swapper_pm_dir-__PAGE_OFFSET+1
42787 ++ .long 0
42788 ++ .long swapper_pm_dir+512*8-__PAGE_OFFSET+1
42789 ++ .long 0
42790 ++ .long swapper_pm_dir+512*16-__PAGE_OFFSET+1
42791 ++ .long 0
42792 ++ .long swapper_pm_dir+512*24-__PAGE_OFFSET+1
42793 ++ .long 0
42794 ++#else
42795 + .fill 1024,4,0
42796 ++#endif
42797 ++
42798 ++.section .swapper_pm_dir,"a",@progbits
42799 ++#ifdef CONFIG_X86_PAE
42800 ++ENTRY(swapper_pm_dir)
42801 ++ .fill 512,8,0
42802 ++ .fill 512,8,0
42803 ++ .fill 512,8,0
42804 ++ .fill 512,8,0
42805 ++#endif
42806 ++
42807 + ENTRY(swapper_pg_pmd)
42808 + .fill 1024,4,0
42809 ++
42810 ++.section .empty_zero_page,"a",@progbits
42811 + ENTRY(empty_zero_page)
42812 + .fill 4096,1,0
42813 +
42814 + /*
42815 ++ * The IDT has to be page-aligned to simplify the Pentium
42816 ++ * F0 0F bug workaround.. We have a special link segment
42817 ++ * for this.
42818 ++ */
42819 ++.section .idt,"a",@progbits
42820 ++ENTRY(idt_table)
42821 ++ .fill 256,8,0
42822 ++
42823 ++/*
42824 + * This starts the data section.
42825 + */
42826 + .data
42827 ++
42828 ++.section .rodata,"a",@progbits
42829 + ENTRY(stack_start)
42830 +- .long init_thread_union+THREAD_SIZE
42831 ++ .long init_thread_union+THREAD_SIZE-8
42832 + .long __BOOT_DS
42833 +
42834 + ready: .byte 0
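Review bot: `ready: .byte 0` now follows the new `.section .rodata,"a",@progbits` and so ends up in .rodata, yet the SMP boot path writes it (`movb $1, ready` in the is386 hunk above), and `stack_start` is likewise updated per AP by the SMP bring-up code; this only works if .rodata is still writable at that stage of boot, which should be stated. The stale `.data` directive immediately above the `.section .rodata` line can go. The new `.swapper_pg_dir`, `.swapper_pm_dir`, `.empty_zero_page` and `.idt` sections are declared "a" rather than "aw" and need matching output-section placement in the 32-bit linker script, which is not in this part of the patch.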
42835 +@@ -615,7 +714,7 @@ idt_descr:
42836 + .word 0 # 32 bit align gdt_desc.address
42837 + ENTRY(early_gdt_descr)
42838 + .word GDT_ENTRIES*8-1
42839 +- .long per_cpu__gdt_page /* Overwritten for secondary CPUs */
42840 ++ .long cpu_gdt_table /* Overwritten for secondary CPUs */
42841 +
42842 + /*
42843 + * The boot_gdt must mirror the equivalent in setup.S and is
42844 +@@ -624,5 +723,61 @@ ENTRY(early_gdt_descr)
42845 + .align L1_CACHE_BYTES
42846 + ENTRY(boot_gdt)
42847 + .fill GDT_ENTRY_BOOT_CS,8,0
42848 +- .quad 0x00cf9a000000ffff /* kernel 4GB code at 0x00000000 */
42849 +- .quad 0x00cf92000000ffff /* kernel 4GB data at 0x00000000 */
42850 ++ .quad 0x00cf9b000000ffff /* kernel 4GB code at 0x00000000 */
42851 ++ .quad 0x00cf93000000ffff /* kernel 4GB data at 0x00000000 */
42852 ++
42853 ++ .align PAGE_SIZE_asm
42854 ++ENTRY(cpu_gdt_table)
42855 ++ .quad 0x0000000000000000 /* NULL descriptor */
42856 ++ .quad 0x0000000000000000 /* 0x0b reserved */
42857 ++ .quad 0x0000000000000000 /* 0x13 reserved */
42858 ++ .quad 0x0000000000000000 /* 0x1b reserved */
42859 ++ .quad 0x0000000000000000 /* 0x20 unused */
42860 ++ .quad 0x0000000000000000 /* 0x28 unused */
42861 ++ .quad 0x0000000000000000 /* 0x33 TLS entry 1 */
42862 ++ .quad 0x0000000000000000 /* 0x3b TLS entry 2 */
42863 ++ .quad 0x0000000000000000 /* 0x43 TLS entry 3 */
42864 ++ .quad 0x0000000000000000 /* 0x4b reserved */
42865 ++ .quad 0x0000000000000000 /* 0x53 reserved */
42866 ++ .quad 0x0000000000000000 /* 0x5b reserved */
42867 ++
42868 ++ .quad 0x00cf9b000000ffff /* 0x60 kernel 4GB code at 0x00000000 */
42869 ++ .quad 0x00cf93000000ffff /* 0x68 kernel 4GB data at 0x00000000 */
42870 ++ .quad 0x00cffb000000ffff /* 0x73 user 4GB code at 0x00000000 */
42871 ++ .quad 0x00cff3000000ffff /* 0x7b user 4GB data at 0x00000000 */
42872 ++
42873 ++ .quad 0x0000000000000000 /* 0x80 TSS descriptor */
42874 ++ .quad 0x0000000000000000 /* 0x88 LDT descriptor */
42875 ++
42876 ++ /*
42877 ++ * Segments used for calling PnP BIOS have byte granularity.
42878 ++ * The code segments and data segments have fixed 64k limits,
42879 ++ * the transfer segment sizes are set at run time.
42880 ++ */
42881 ++ .quad 0x00409b000000ffff /* 0x90 32-bit code */
42882 ++ .quad 0x00009b000000ffff /* 0x98 16-bit code */
42883 ++ .quad 0x000093000000ffff /* 0xa0 16-bit data */
42884 ++ .quad 0x0000930000000000 /* 0xa8 16-bit data */
42885 ++ .quad 0x0000930000000000 /* 0xb0 16-bit data */
42886 ++
42887 ++ /*
42888 ++ * The APM segments have byte granularity and their bases
42889 ++ * are set at run time. All have 64k limits.
42890 ++ */
42891 ++ .quad 0x00409b000000ffff /* 0xb8 APM CS code */
42892 ++ .quad 0x00009b000000ffff /* 0xc0 APM CS 16 code (16 bit) */
42893 ++ .quad 0x004093000000ffff /* 0xc8 APM DS data */
42894 ++
42895 ++ .quad 0x00c0930000000000 /* 0xd0 - ESPFIX SS */
42896 ++ .quad 0x0040930000000000 /* 0xd8 - PERCPU */
42897 ++ .quad 0x0000000000000000 /* 0xe0 - PCIBIOS_CS */
42898 ++ .quad 0x0000000000000000 /* 0xe8 - PCIBIOS_DS */
42899 ++ .quad 0x0000000000000000 /* 0xf0 - unused */
42900 ++ .quad 0x0000000000000000 /* 0xf8 - GDT entry 31: double-fault TSS */
42901 ++
42902 ++ /* Be sure this is zeroed to avoid false validations in Xen */
42903 ++ .fill PAGE_SIZE_asm - GDT_ENTRIES,1,0
42904 ++
42905 ++#ifdef CONFIG_SMP
42906 ++ .fill (NR_CPUS-1) * (PAGE_SIZE_asm),1,0 /* other CPU's GDT */
42907 ++#endif
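Review bot: `.fill PAGE_SIZE_asm - GDT_ENTRIES,1,0` mixes an entry count with a byte count: GDT_ENTRIES is 32 descriptors (256 bytes), so the pad is 4064 bytes and descriptors plus pad run 224 bytes past a page; the 64-bit hunk below uses `.fill PAGE_SIZE / 8 - GDT_ENTRIES,8,0` and this one presumably wants `PAGE_SIZE_asm - GDT_SIZE`. The surplus is only waste because the per-CPU `.fill` follows, but the intended one-page-per-CPU layout is lost. Setting the accessed bit in the boot_gdt descriptors (0x9a/0x92 -> 0x9b/0x93) avoids the CPU writing the descriptor on segment load, which matters if the GDT lives in read-only memory; a comment would help.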
42908 +diff -urNp linux-2.6.24.5/arch/x86/kernel/head64.c linux-2.6.24.5/arch/x86/kernel/head64.c
42909 +--- linux-2.6.24.5/arch/x86/kernel/head64.c 2008-03-24 14:49:18.000000000 -0400
42910 ++++ linux-2.6.24.5/arch/x86/kernel/head64.c 2008-03-26 20:21:08.000000000 -0400
42911 +@@ -24,7 +24,7 @@ static void __init zap_identity_mappings
42912 + {
42913 + pgd_t *pgd = pgd_offset_k(0UL);
42914 + pgd_clear(pgd);
42915 +- __flush_tlb();
42916 ++ __flush_tlb_all();
42917 + }
42918 +
42919 + /* Don't add a printk in there. printk relies on the PDA which is not initialized
42920 +@@ -56,16 +56,17 @@ void __init x86_64_start_kernel(char * r
42921 + /* Make NULL pointers segfault */
42922 + zap_identity_mappings();
42923 +
42924 ++ for (i = 0; i < NR_CPUS; i++)
42925 ++ cpu_pda(i) = &boot_cpu_pda[i];
42926 ++
42927 ++ pda_init(0);
42928 ++
42929 + for (i = 0; i < IDT_ENTRIES; i++)
42930 + set_intr_gate(i, early_idt_handler);
42931 + load_idt((const struct desc_ptr *)&idt_descr);
42932 +
42933 + early_printk("Kernel alive\n");
42934 +
42935 +- for (i = 0; i < NR_CPUS; i++)
42936 +- cpu_pda(i) = &boot_cpu_pda[i];
42937 +-
42938 +- pda_init(0);
42939 + copy_bootdata(__va(real_mode_data));
42940 + #ifdef CONFIG_SMP
42941 + cpu_set(0, cpu_online_map);
42942 +diff -urNp linux-2.6.24.5/arch/x86/kernel/head_64.S linux-2.6.24.5/arch/x86/kernel/head_64.S
42943 +--- linux-2.6.24.5/arch/x86/kernel/head_64.S 2008-03-24 14:49:18.000000000 -0400
42944 ++++ linux-2.6.24.5/arch/x86/kernel/head_64.S 2008-03-26 20:21:08.000000000 -0400
42945 +@@ -173,6 +173,10 @@ ENTRY(secondary_startup_64)
42946 + btl $20,%edi /* No Execute supported? */
42947 + jnc 1f
42948 + btsl $_EFER_NX, %eax
42949 ++ movq $(init_level4_pgt), %rdi
42950 ++ addq phys_base(%rip), %rdi
42951 ++ btsq $_PAGE_BIT_NX, 8*258(%rdi)
42952 ++ btsq $_PAGE_BIT_NX, 8*388(%rdi)
42953 + 1: wrmsr /* Make changes effective */
42954 +
42955 + /* Setup cr0 */
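Review bot: `movq $(init_level4_pgt), %rdi` followed by `addq phys_base(%rip), %rdi` adds the physical load offset to the link-time virtual address of the symbol; that is only the virtual address when phys_base is 0 (non-relocated kernel) and only the physical address if __START_KERNEL_map is subtracted as well, so please confirm which address space this code runs in at this point. `leaq init_level4_pgt(%rip), %rdi` is correct either way. The indices 258 and 388 do match the init_level4_pgt layout in the hunk below (entries 0 and 258 = level3_ident_pgt, 388 = level3_vmalloc_pgt; 1+257+1+129+1+122+1 = 512), but they are repeated magic numbers and want a shared symbolic constant.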
42956 +@@ -242,24 +246,25 @@ ENTRY(secondary_startup_64)
42957 + pushq %rax # target address in negative space
42958 + lretq
42959 +
42960 ++bad_address:
42961 ++ jmp bad_address
42962 ++
42963 + /* SMP bootup changes these two */
42964 +-#ifndef CONFIG_HOTPLUG_CPU
42965 +- .pushsection .init.data
42966 ++#ifdef CONFIG_HOTPLUG_CPU
42967 ++ __INITDATA_REFOK
42968 ++#else
42969 ++ __INITDATA
42970 + #endif
42971 + .align 8
42972 + .globl initial_code
42973 + initial_code:
42974 + .quad x86_64_start_kernel
42975 +-#ifndef CONFIG_HOTPLUG_CPU
42976 +- .popsection
42977 +-#endif
42978 ++
42979 + .globl init_rsp
42980 + init_rsp:
42981 + .quad init_thread_union+THREAD_SIZE-8
42982 +
42983 +-bad_address:
42984 +- jmp bad_address
42985 +-
42986 ++ __INIT
42987 + ENTRY(early_idt_handler)
42988 + cmpl $2,early_recursion_flag(%rip)
42989 + jz 1f
42990 +@@ -280,9 +285,12 @@ ENTRY(early_idt_handler)
42991 + #endif
42992 + 1: hlt
42993 + jmp 1b
42994 ++
42995 ++ __INITDATA
42996 + early_recursion_flag:
42997 + .long 0
42998 +
42999 ++ .section .rodata,"a",@progbits
43000 + early_idt_msg:
43001 + .asciz "PANIC: early exception rip %lx error %lx cr2 %lx\n"
43002 + early_idt_ripmsg:
43003 +@@ -312,7 +320,9 @@ NEXT_PAGE(init_level4_pgt)
43004 + .quad level3_ident_pgt - __START_KERNEL_map + _KERNPG_TABLE
43005 + .fill 257,8,0
43006 + .quad level3_ident_pgt - __START_KERNEL_map + _KERNPG_TABLE
43007 +- .fill 252,8,0
43008 ++ .fill 129,8,0
43009 ++ .quad level3_vmalloc_pgt - __START_KERNEL_map + _KERNPG_TABLE
43010 ++ .fill 122,8,0
43011 + /* (2^48-(2*1024*1024*1024))/(2^39) = 511 */
43012 + .quad level3_kernel_pgt - __START_KERNEL_map + _PAGE_TABLE
43013 +
43014 +@@ -320,6 +330,9 @@ NEXT_PAGE(level3_ident_pgt)
43015 + .quad level2_ident_pgt - __START_KERNEL_map + _KERNPG_TABLE
43016 + .fill 511,8,0
43017 +
43018 ++NEXT_PAGE(level3_vmalloc_pgt)
43019 ++ .fill 512,8,0
43020 ++
43021 + NEXT_PAGE(level3_kernel_pgt)
43022 + .fill 510,8,0
43023 + /* (2^48-(2*1024*1024*1024)-((2^39)*511))/(2^30) = 510 */
43024 +@@ -355,19 +368,12 @@ NEXT_PAGE(level2_spare_pgt)
43025 + #undef PMDS
43026 + #undef NEXT_PAGE
43027 +
43028 +- .data
43029 + .align 16
43030 + .globl cpu_gdt_descr
43031 + cpu_gdt_descr:
43032 +- .word gdt_end-cpu_gdt_table-1
43033 ++ .word GDT_SIZE-1
43034 + gdt:
43035 + .quad cpu_gdt_table
43036 +-#ifdef CONFIG_SMP
43037 +- .rept NR_CPUS-1
43038 +- .word 0
43039 +- .quad 0
43040 +- .endr
43041 +-#endif
43042 +
43043 + ENTRY(phys_base)
43044 + /* This must match the first entry in level2_kernel_pgt */
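Review bot: with the `.data` line removed, `cpu_gdt_descr`, `gdt` and `phys_base` stay in whatever section the NEXT_PAGE page tables were emitted in, and phys_base is written by startup_64 during boot; the hunks further down also drop `.section .data.page_aligned` and `.section .bss` for cpu_gdt_table and idt_table, so the intended section and its writability for all of these should be stated in the changelog. `.word GDT_SIZE-1` replaces `gdt_end-cpu_gdt_table-1`, so GDT_SIZE must equal the descriptor bytes actually emitted in cpu_gdt_table; the `/* asm/segment.h:GDT_ENTRIES must match this */` comment is now load-bearing.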
43045 +@@ -377,8 +383,7 @@ ENTRY(phys_base)
43046 + * IRET will check the segment types kkeil 2000/10/28
43047 + * Also sysret mandates a special GDT layout
43048 + */
43049 +-
43050 +- .section .data.page_aligned, "aw"
43051 ++
43052 + .align PAGE_SIZE
43053 +
43054 + /* The TLS descriptors are currently at a different place compared to i386.
43055 +@@ -397,15 +402,15 @@ ENTRY(cpu_gdt_table)
43056 + .quad 0,0 /* LDT */
43057 + .quad 0,0,0 /* three TLS descriptors */
43058 + .quad 0x0000f40000000000 /* node/CPU stored in limit */
43059 +-gdt_end:
43060 + /* asm/segment.h:GDT_ENTRIES must match this */
43061 + /* This should be a multiple of the cache line size */
43062 +- /* GDTs of other CPUs are now dynamically allocated */
43063 +
43064 + /* zero the remaining page */
43065 + .fill PAGE_SIZE / 8 - GDT_ENTRIES,8,0
43066 ++#ifdef CONFIG_SMP
43067 ++ .fill (NR_CPUS-1) * (PAGE_SIZE),1,0 /* other CPU's GDT */
43068 ++#endif
43069 +
43070 +- .section .bss, "aw", @nobits
43071 + .align L1_CACHE_BYTES
43072 + ENTRY(idt_table)
43073 + .skip 256 * 16
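Review bot: `idt_table` moves out of `.bss` (nobits) into a progbits section via `.skip 256 * 16`, so it now occupies 4 KiB of the image, and `.fill (NR_CPUS-1) * (PAGE_SIZE),1,0` restores one static GDT page per possible CPU, i.e. NR_CPUS pages of zeroes in the image that the removed "dynamically allocated" comment had avoided; both deserve a line in the changelog. Dropping the `gdt_end:` label also removes the only thing that tied GDT_ENTRIES to the descriptors actually emitted, so consider an assembler-time size check in its place.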
43074 +diff -urNp linux-2.6.24.5/arch/x86/kernel/hpet.c linux-2.6.24.5/arch/x86/kernel/hpet.c
43075 +--- linux-2.6.24.5/arch/x86/kernel/hpet.c 2008-03-24 14:49:18.000000000 -0400
43076 ++++ linux-2.6.24.5/arch/x86/kernel/hpet.c 2008-03-26 20:21:08.000000000 -0400
43077 +@@ -137,7 +137,7 @@ static void hpet_reserve_platform_timers
43078 + hd.hd_irq[1] = HPET_LEGACY_RTC;
43079 +
43080 + for (i = 2; i < nrtimers; timer++, i++)
43081 +- hd.hd_irq[i] = (timer->hpet_config & Tn_INT_ROUTE_CNF_MASK) >>
43082 ++ hd.hd_irq[i] = (readl(&timer->hpet_config) & Tn_INT_ROUTE_CNF_MASK) >>
43083 + Tn_INT_ROUTE_CNF_SHIFT;
43084 +
43085 + hpet_alloc(&hd);
43086 +diff -urNp linux-2.6.24.5/arch/x86/kernel/i386_ksyms_32.c linux-2.6.24.5/arch/x86/kernel/i386_ksyms_32.c
43087 +--- linux-2.6.24.5/arch/x86/kernel/i386_ksyms_32.c 2008-03-24 14:49:18.000000000 -0400
43088 ++++ linux-2.6.24.5/arch/x86/kernel/i386_ksyms_32.c 2008-03-26 20:21:08.000000000 -0400
43089 +@@ -4,12 +4,16 @@
43090 + #include <asm/desc.h>
43091 + #include <asm/pgtable.h>
43092 +
43093 ++EXPORT_SYMBOL_GPL(cpu_gdt_table);
43094 ++
43095 + EXPORT_SYMBOL(__down_failed);
43096 + EXPORT_SYMBOL(__down_failed_interruptible);
43097 + EXPORT_SYMBOL(__down_failed_trylock);
43098 + EXPORT_SYMBOL(__up_wakeup);
43099 + /* Networking helper routines. */
43100 + EXPORT_SYMBOL(csum_partial_copy_generic);
43101 ++EXPORT_SYMBOL(csum_partial_copy_generic_to_user);
43102 ++EXPORT_SYMBOL(csum_partial_copy_generic_from_user);
43103 +
43104 + EXPORT_SYMBOL(__get_user_1);
43105 + EXPORT_SYMBOL(__get_user_2);
43106 +@@ -31,3 +35,7 @@ EXPORT_SYMBOL(__read_lock_failed);
43107 +
43108 + EXPORT_SYMBOL(csum_partial);
43109 + EXPORT_SYMBOL(empty_zero_page);
43110 ++
43111 ++#ifdef CONFIG_PAX_KERNEXEC
43112 ++EXPORT_SYMBOL(KERNEL_TEXT_OFFSET);
43113 ++#endif
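Review bot: `EXPORT_SYMBOL(KERNEL_TEXT_OFFSET)` needs a prior declaration of the symbol in scope, since the macro references it with `typeof`; KERNEL_TEXT_OFFSET is consumed as an absolute symbol by head_32.S (`movl $KERNEL_TEXT_OFFSET,%eax`), so its declaration and definition live in hunks not shown here and should be cross-referenced. Exporting `cpu_gdt_table` as GPL-only while the checksum helpers are plain EXPORT_SYMBOL is a reasonable choice for a hardened kernel but deserves a word of explanation.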
43114 +diff -urNp linux-2.6.24.5/arch/x86/kernel/init_task.c linux-2.6.24.5/arch/x86/kernel/init_task.c
43115 +--- linux-2.6.24.5/arch/x86/kernel/init_task.c 2008-03-24 14:49:18.000000000 -0400
43116 ++++ linux-2.6.24.5/arch/x86/kernel/init_task.c 2008-03-26 20:21:08.000000000 -0400
43117 +@@ -43,5 +43,4 @@ EXPORT_SYMBOL(init_task);
43118 + * section. Since TSS's are completely CPU-local, we want them
43119 + * on exact cacheline boundaries, to eliminate cacheline ping-pong.
43120 + */
43121 +-DEFINE_PER_CPU_SHARED_ALIGNED(struct tss_struct, init_tss) = INIT_TSS;
43122 +-
43123 ++struct tss_struct init_tss[NR_CPUS] ____cacheline_internodealigned_in_smp = { [0 ... NR_CPUS-1] = INIT_TSS };
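Review bot: the comment kept above this line still describes the TSS as living in the per-CPU section on exact cacheline boundaries; with `struct tss_struct init_tss[NR_CPUS]` that holds only for element 0, because `____cacheline_internodealigned_in_smp` aligns the array start while the stride is sizeof(struct tss_struct). Update the comment, and check that sizeof(struct tss_struct) is what `TSS_size` in the entry_64.S hunk expects.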
43124 +diff -urNp linux-2.6.24.5/arch/x86/kernel/ioport_32.c linux-2.6.24.5/arch/x86/kernel/ioport_32.c
43125 +--- linux-2.6.24.5/arch/x86/kernel/ioport_32.c 2008-03-24 14:49:18.000000000 -0400
43126 ++++ linux-2.6.24.5/arch/x86/kernel/ioport_32.c 2008-03-26 20:21:08.000000000 -0400
43127 +@@ -14,6 +14,7 @@
43128 + #include <linux/slab.h>
43129 + #include <linux/thread_info.h>
43130 + #include <linux/syscalls.h>
43131 ++#include <linux/grsecurity.h>
43132 +
43133 + /* Set EXTENT bits starting at BASE in BITMAP to value TURN_ON. */
43134 + static void set_bitmap(unsigned long *bitmap, unsigned int base, unsigned int extent, int new_value)
43135 +@@ -62,9 +63,16 @@ asmlinkage long sys_ioperm(unsigned long
43136 +
43137 + if ((from + num <= from) || (from + num > IO_BITMAP_BITS))
43138 + return -EINVAL;
43139 ++#ifdef CONFIG_GRKERNSEC_IO
43140 ++ if (turn_on) {
43141 ++ gr_handle_ioperm();
43142 ++#else
43143 + if (turn_on && !capable(CAP_SYS_RAWIO))
43144 ++#endif
43145 + return -EPERM;
43146 +-
43147 ++#ifdef CONFIG_GRKERNSEC_IO
43148 ++ }
43149 ++#endif
43150 + /*
43151 + * If it's the first ioperm() call in this thread's lifetime, set the
43152 + * IO bitmap up. ioperm() is much less timing critical than clone(),
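Review bot: the `#ifdef CONFIG_GRKERNSEC_IO` block opens `if (turn_on) {` inside one conditional and closes the brace inside another, so the single `return -EPERM;` is shared by two differently shaped `if`s; the sys_iopl hunk below does the same thing readably with a complete `gr_handle_iopl(); return -EPERM;` under the #ifdef and the capable() check under #else, so use that form here and in the ioport_64.c hunk. Note the behaviour change: with GRKERNSEC_IO, enabling ports is refused even for CAP_SYS_RAWIO and only turn_on == 0 still succeeds; that should be spelled out in the Kconfig help.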
43153 +@@ -87,7 +95,7 @@ asmlinkage long sys_ioperm(unsigned long
43154 + * because the ->io_bitmap_max value must match the bitmap
43155 + * contents:
43156 + */
43157 +- tss = &per_cpu(init_tss, get_cpu());
43158 ++ tss = init_tss + get_cpu();
43159 +
43160 + set_bitmap(t->io_bitmap_ptr, from, num, !turn_on);
43161 +
43162 +@@ -141,8 +149,13 @@ asmlinkage long sys_iopl(unsigned long u
43163 + return -EINVAL;
43164 + /* Trying to gain more privileges? */
43165 + if (level > old) {
43166 ++#ifdef CONFIG_GRKERNSEC_IO
43167 ++ gr_handle_iopl();
43168 ++ return -EPERM;
43169 ++#else
43170 + if (!capable(CAP_SYS_RAWIO))
43171 + return -EPERM;
43172 ++#endif
43173 + }
43174 + t->iopl = level << 12;
43175 + regs->eflags = (regs->eflags & ~X86_EFLAGS_IOPL) | t->iopl;
43176 +diff -urNp linux-2.6.24.5/arch/x86/kernel/ioport_64.c linux-2.6.24.5/arch/x86/kernel/ioport_64.c
43177 +--- linux-2.6.24.5/arch/x86/kernel/ioport_64.c 2008-03-24 14:49:18.000000000 -0400
43178 ++++ linux-2.6.24.5/arch/x86/kernel/ioport_64.c 2008-03-26 20:21:08.000000000 -0400
43179 +@@ -14,6 +14,7 @@
43180 + #include <linux/slab.h>
43181 + #include <linux/thread_info.h>
43182 + #include <linux/syscalls.h>
43183 ++#include <linux/grsecurity.h>
43184 +
43185 + /* Set EXTENT bits starting at BASE in BITMAP to value TURN_ON. */
43186 + static void set_bitmap(unsigned long *bitmap, unsigned int base, unsigned int extent, int new_value)
43187 +@@ -39,8 +40,17 @@ asmlinkage long sys_ioperm(unsigned long
43188 +
43189 + if ((from + num <= from) || (from + num > IO_BITMAP_BITS))
43190 + return -EINVAL;
43191 ++
43192 ++#ifdef CONFIG_GRKERNSEC_IO
43193 ++ if (turn_on) {
43194 ++ gr_handle_ioperm();
43195 ++#else
43196 + if (turn_on && !capable(CAP_SYS_RAWIO))
43197 ++#endif
43198 + return -EPERM;
43199 ++#ifdef CONFIG_GRKERNSEC_IO
43200 ++ }
43201 ++#endif
43202 +
43203 + /*
43204 + * If it's the first ioperm() call in this thread's lifetime, set the
43205 +@@ -64,7 +74,7 @@ asmlinkage long sys_ioperm(unsigned long
43206 + * because the ->io_bitmap_max value must match the bitmap
43207 + * contents:
43208 + */
43209 +- tss = &per_cpu(init_tss, get_cpu());
43210 ++ tss = init_tss + get_cpu();
43211 +
43212 + set_bitmap(t->io_bitmap_ptr, from, num, !turn_on);
43213 +
43214 +@@ -109,8 +119,13 @@ asmlinkage long sys_iopl(unsigned int le
43215 + return -EINVAL;
43216 + /* Trying to gain more privileges? */
43217 + if (level > old) {
43218 ++#ifdef CONFIG_GRKERNSEC_IO
43219 ++ gr_handle_iopl();
43220 ++ return -EPERM;
43221 ++#else
43222 + if (!capable(CAP_SYS_RAWIO))
43223 + return -EPERM;
43224 ++#endif
43225 + }
43226 + regs->eflags = (regs->eflags &~ X86_EFLAGS_IOPL) | (level << 12);
43227 + return 0;
43228 +diff -urNp linux-2.6.24.5/arch/x86/kernel/irq_32.c linux-2.6.24.5/arch/x86/kernel/irq_32.c
43229 +--- linux-2.6.24.5/arch/x86/kernel/irq_32.c 2008-03-24 14:49:18.000000000 -0400
43230 ++++ linux-2.6.24.5/arch/x86/kernel/irq_32.c 2008-03-26 20:21:08.000000000 -0400
43231 +@@ -115,7 +115,7 @@ fastcall unsigned int do_IRQ(struct pt_r
43232 + int arg1, arg2, ebx;
43233 +
43234 + /* build the stack frame on the IRQ stack */
43235 +- isp = (u32*) ((char*)irqctx + sizeof(*irqctx));
43236 ++ isp = (u32*) ((char*)irqctx + sizeof(*irqctx) - 8);
43237 + irqctx->tinfo.task = curctx->tinfo.task;
43238 + irqctx->tinfo.previous_esp = current_stack_pointer;
43239 +
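Review bot: the hard-coded `- 8` that reserves the top of the IRQ and softirq stacks appears here twice and again as `init_thread_union+THREAD_SIZE-8` for `stack_start` in the head_32.S hunk; it should be one named constant with a comment saying what the reserved 8 bytes are for, otherwise the three sites will drift apart.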
43240 +@@ -211,7 +211,7 @@ asmlinkage void do_softirq(void)
43241 + irqctx->tinfo.previous_esp = current_stack_pointer;
43242 +
43243 + /* build the stack frame on the softirq stack */
43244 +- isp = (u32*) ((char*)irqctx + sizeof(*irqctx));
43245 ++ isp = (u32*) ((char*)irqctx + sizeof(*irqctx) - 8);
43246 +
43247 + asm volatile(
43248 + " xchgl %%ebx,%%esp \n"
43249 +diff -urNp linux-2.6.24.5/arch/x86/kernel/kprobes_32.c linux-2.6.24.5/arch/x86/kernel/kprobes_32.c
43250 +--- linux-2.6.24.5/arch/x86/kernel/kprobes_32.c 2008-03-24 14:49:18.000000000 -0400
43251 ++++ linux-2.6.24.5/arch/x86/kernel/kprobes_32.c 2008-03-26 20:21:08.000000000 -0400
43252 +@@ -55,9 +55,24 @@ static __always_inline void set_jmp_op(v
43253 + char op;
43254 + long raddr;
43255 + } __attribute__((packed)) *jop;
43256 +- jop = (struct __arch_jmp_op *)from;
43257 ++
43258 ++#ifdef CONFIG_PAX_KERNEXEC
43259 ++ unsigned long cr0;
43260 ++#endif
43261 ++
43262 ++ jop = (struct __arch_jmp_op *)(ktla_ktva(from));
43263 ++
43264 ++#ifdef CONFIG_PAX_KERNEXEC
43265 ++ pax_open_kernel(cr0);
43266 ++#endif
43267 ++
43268 + jop->raddr = (long)(to) - ((long)(from) + 5);
43269 + jop->op = RELATIVEJUMP_INSTRUCTION;
43270 ++
43271 ++#ifdef CONFIG_PAX_KERNEXEC
43272 ++ pax_close_kernel(cr0);
43273 ++#endif
43274 ++
43275 + }
43276 +
43277 + /*
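Review bot: the write to the jump site is wrapped in `pax_open_kernel(cr0)` / `pax_close_kernel(cr0)` with CR0 saved in a local; if those macros do not disable preemption themselves, a context switch between them would leave this CPU with WP cleared and restore it on another CPU, so please confirm (the same pattern appears in the arch_prepare_kprobe hunk below). The displacement is still computed from `from` while the store goes through `ktla_ktva(from)`, which is right because `to` and `from` are in the same address space; a comment saying so would help.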
43278 +@@ -159,14 +174,28 @@ static int __kprobes is_IF_modifier(kpro
43279 +
43280 + int __kprobes arch_prepare_kprobe(struct kprobe *p)
43281 + {
43282 ++
43283 ++#ifdef CONFIG_PAX_KERNEXEC
43284 ++ unsigned long cr0;
43285 ++#endif
43286 ++
43287 + /* insn: must be on special executable page on i386. */
43288 + p->ainsn.insn = get_insn_slot();
43289 + if (!p->ainsn.insn)
43290 + return -ENOMEM;
43291 +
43292 +- memcpy(p->ainsn.insn, p->addr, MAX_INSN_SIZE * sizeof(kprobe_opcode_t));
43293 +- p->opcode = *p->addr;
43294 +- if (can_boost(p->addr)) {
43295 ++#ifdef CONFIG_PAX_KERNEXEC
43296 ++ pax_open_kernel(cr0);
43297 ++#endif
43298 ++
43299 ++ memcpy(p->ainsn.insn, ktla_ktva(p->addr), MAX_INSN_SIZE * sizeof(kprobe_opcode_t));
43300 ++
43301 ++#ifdef CONFIG_PAX_KERNEXEC
43302 ++ pax_close_kernel(cr0);
43303 ++#endif
43304 ++
43305 ++ p->opcode = *(ktla_ktva(p->addr));
43306 ++ if (can_boost(ktla_ktva(p->addr))) {
43307 + p->ainsn.boostable = 0;
43308 + } else {
43309 + p->ainsn.boostable = -1;
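Review bot: the empty `+` line inserted at the top of arch_prepare_kprobe, before the `#ifdef CONFIG_PAX_KERNEXEC`, is a stray blank line and should go. More substantively, `p->opcode = *(ktla_ktva(p->addr));` and `can_boost(ktla_ktva(p->addr))` read the probed text through the data alias while the copied slot is executed through `ktva_ktla((unsigned long)p->ainsn.insn)` in the hunks that follow; that only works if get_insn_slot() hands out memory from the executable module region and not from the plain vmalloc() that module_alloc() returns under KERNEXEC elsewhere in this patch, and nothing in this file enforces that, so state the dependency in a comment.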
43310 +@@ -225,7 +254,7 @@ static void __kprobes prepare_singlestep
43311 + if (p->opcode == BREAKPOINT_INSTRUCTION)
43312 + regs->eip = (unsigned long)p->addr;
43313 + else
43314 +- regs->eip = (unsigned long)p->ainsn.insn;
43315 ++ regs->eip = ktva_ktla((unsigned long)p->ainsn.insn);
43316 + }
43317 +
43318 + /* Called with kretprobe_lock held */
43319 +@@ -331,7 +360,7 @@ ss_probe:
43320 + if (p->ainsn.boostable == 1 && !p->post_handler){
43321 + /* Boost up -- we can execute copied instructions directly */
43322 + reset_current_kprobe();
43323 +- regs->eip = (unsigned long)p->ainsn.insn;
43324 ++ regs->eip = ktva_ktla((unsigned long)p->ainsn.insn);
43325 + preempt_enable_no_resched();
43326 + return 1;
43327 + }
43328 +@@ -481,7 +510,7 @@ static void __kprobes resume_execution(s
43329 + struct pt_regs *regs, struct kprobe_ctlblk *kcb)
43330 + {
43331 + unsigned long *tos = (unsigned long *)&regs->esp;
43332 +- unsigned long copy_eip = (unsigned long)p->ainsn.insn;
43333 ++ unsigned long copy_eip = ktva_ktla((unsigned long)p->ainsn.insn);
43334 + unsigned long orig_eip = (unsigned long)p->addr;
43335 +
43336 + regs->eflags &= ~TF_MASK;
43337 +@@ -655,7 +684,7 @@ int __kprobes kprobe_exceptions_notify(s
43338 + struct die_args *args = (struct die_args *)data;
43339 + int ret = NOTIFY_DONE;
43340 +
43341 +- if (args->regs && user_mode_vm(args->regs))
43342 ++ if (args->regs && user_mode(args->regs))
43343 + return ret;
43344 +
43345 + switch (val) {
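Review bot: replacing `user_mode_vm(args->regs)` with `user_mode(args->regs)` drops the VM86 case (user_mode_vm also treats frames with VM_MASK set as user space), so a vm86 task reaching the kprobe notifier would now be handled as kernel mode; the same substitution is made in __show_registers and send_sigtrap further down. If the patch redefines user_mode() to cover VM_MASK elsewhere, say so in the commit message; otherwise this is a behaviour change that needs its own justification.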
43346 +diff -urNp linux-2.6.24.5/arch/x86/kernel/kprobes_64.c linux-2.6.24.5/arch/x86/kernel/kprobes_64.c
43347 +--- linux-2.6.24.5/arch/x86/kernel/kprobes_64.c 2008-03-24 14:49:18.000000000 -0400
43348 ++++ linux-2.6.24.5/arch/x86/kernel/kprobes_64.c 2008-03-26 20:21:08.000000000 -0400
43349 +@@ -190,7 +190,19 @@ static s32 __kprobes *is_riprel(u8 *insn
43350 + static void __kprobes arch_copy_kprobe(struct kprobe *p)
43351 + {
43352 + s32 *ripdisp;
43353 ++
43354 ++#ifdef CONFIG_PAX_KERNEXEC
43355 ++ unsigned long cr0;
43356 ++
43357 ++ pax_open_kernel(cr0);
43358 ++#endif
43359 ++
43360 + memcpy(p->ainsn.insn, p->addr, MAX_INSN_SIZE);
43361 ++
43362 ++#ifdef CONFIG_PAX_KERNEXEC
43363 ++ pax_close_kernel(cr0);
43364 ++#endif
43365 ++
43366 + ripdisp = is_riprel(p->ainsn.insn);
43367 + if (ripdisp) {
43368 + /*
43369 +@@ -208,7 +220,17 @@ static void __kprobes arch_copy_kprobe(s
43370 + */
43371 + s64 disp = (u8 *) p->addr + *ripdisp - (u8 *) p->ainsn.insn;
43372 + BUG_ON((s64) (s32) disp != disp); /* Sanity check. */
43373 ++
43374 ++#ifdef CONFIG_PAX_KERNEXEC
43375 ++ pax_open_kernel(cr0);
43376 ++#endif
43377 ++
43378 + *ripdisp = disp;
43379 ++
43380 ++#ifdef CONFIG_PAX_KERNEXEC
43381 ++ pax_close_kernel(cr0);
43382 ++#endif
43383 ++
43384 + }
43385 + p->opcode = *p->addr;
43386 + }
43387 +diff -urNp linux-2.6.24.5/arch/x86/kernel/ldt_32.c linux-2.6.24.5/arch/x86/kernel/ldt_32.c
43388 +--- linux-2.6.24.5/arch/x86/kernel/ldt_32.c 2008-03-24 14:49:18.000000000 -0400
43389 ++++ linux-2.6.24.5/arch/x86/kernel/ldt_32.c 2008-03-26 20:21:08.000000000 -0400
43390 +@@ -56,7 +56,7 @@ static int alloc_ldt(mm_context_t *pc, i
43391 + #ifdef CONFIG_SMP
43392 + cpumask_t mask;
43393 + preempt_disable();
43394 +- load_LDT(pc);
43395 ++ load_LDT_nolock(pc);
43396 + mask = cpumask_of_cpu(smp_processor_id());
43397 + if (!cpus_equal(current->mm->cpu_vm_mask, mask))
43398 + smp_call_function(flush_ldt, NULL, 1, 1);
43399 +@@ -100,6 +100,22 @@ int init_new_context(struct task_struct
43400 + retval = copy_ldt(&mm->context, &old_mm->context);
43401 + mutex_unlock(&old_mm->context.lock);
43402 + }
43403 ++
43404 ++ if (tsk == current) {
43405 ++ mm->context.vdso = ~0UL;
43406 ++
43407 ++#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
43408 ++ mm->context.user_cs_base = 0UL;
43409 ++ mm->context.user_cs_limit = ~0UL;
43410 ++
43411 ++#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP)
43412 ++ cpus_clear(mm->context.cpu_user_cs_mask);
43413 ++#endif
43414 ++
43415 ++#endif
43416 ++
43417 ++ }
43418 ++
43419 + return retval;
43420 + }
43421 +
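Review bot: the new block in init_new_context is guarded by `if (tsk == current)`, so `mm->context.vdso`, `user_cs_base`, `user_cs_limit` and `cpu_user_cs_mask` are left as the allocator returned them for any mm set up on behalf of a different task; if that path is intentionally excluded or cannot occur, add a comment saying why, otherwise initialise unconditionally. The `~0UL` sentinel stored in `context.vdso` also deserves a comment naming what it means (no vdso mapped yet).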
43422 +@@ -210,6 +226,13 @@ static int write_ldt(void __user * ptr,
43423 + }
43424 + }
43425 +
43426 ++#ifdef CONFIG_PAX_SEGMEXEC
43427 ++ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (ldt_info.contents & MODIFY_LDT_CONTENTS_CODE)) {
43428 ++ error = -EINVAL;
43429 ++ goto out_unlock;
43430 ++ }
43431 ++#endif
43432 ++
43433 + entry_1 = LDT_entry_a(&ldt_info);
43434 + entry_2 = LDT_entry_b(&ldt_info);
43435 + if (oldmode)
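Review bot: the predicate `(mm->pax_flags & MF_PAX_SEGMEXEC) && (ldt_info.contents & MODIFY_LDT_CONTENTS_CODE)` added here in write_ldt is repeated verbatim in copy_thread, sys_set_thread_area and ptrace_set_thread_area below, each under its own `#ifdef CONFIG_PAX_SEGMEXEC`; factor it into one static inline (for example a hypothetical `pax_segmexec_rejects_code_desc(mm, &info)` that compiles to 0 without SEGMEXEC) so the four sites cannot diverge, and document in that helper why a user-supplied code descriptor must be refused under SEGMEXEC.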
43436 +diff -urNp linux-2.6.24.5/arch/x86/kernel/machine_kexec_32.c linux-2.6.24.5/arch/x86/kernel/machine_kexec_32.c
43437 +--- linux-2.6.24.5/arch/x86/kernel/machine_kexec_32.c 2008-03-24 14:49:18.000000000 -0400
43438 ++++ linux-2.6.24.5/arch/x86/kernel/machine_kexec_32.c 2008-03-26 20:21:08.000000000 -0400
43439 +@@ -30,25 +30,25 @@ static u32 kexec_pmd1[1024] PAGE_ALIGNED
43440 + static u32 kexec_pte0[1024] PAGE_ALIGNED;
43441 + static u32 kexec_pte1[1024] PAGE_ALIGNED;
43442 +
43443 +-static void set_idt(void *newidt, __u16 limit)
43444 ++static void set_idt(struct desc_struct *newidt, __u16 limit)
43445 + {
43446 + struct Xgt_desc_struct curidt;
43447 +
43448 + /* ia32 supports unaliged loads & stores */
43449 + curidt.size = limit;
43450 +- curidt.address = (unsigned long)newidt;
43451 ++ curidt.address = newidt;
43452 +
43453 + load_idt(&curidt);
43454 + };
43455 +
43456 +
43457 +-static void set_gdt(void *newgdt, __u16 limit)
43458 ++static void set_gdt(struct desc_struct *newgdt, __u16 limit)
43459 + {
43460 + struct Xgt_desc_struct curgdt;
43461 +
43462 + /* ia32 supports unaligned loads & stores */
43463 + curgdt.size = limit;
43464 +- curgdt.address = (unsigned long)newgdt;
43465 ++ curgdt.address = newgdt;
43466 +
43467 + load_gdt(&curgdt);
43468 + };
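Review bot: changing set_idt/set_gdt to take `struct desc_struct *` and assigning `curidt.address = newidt;` directly means `Xgt_desc_struct.address` is now a pointer rather than an `unsigned long`; the callers of these two helpers in the same file and every other site that fills an Xgt_desc_struct must change in the same patch, so this hunk has to be read together with the desc.h change that is not shown here.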
43469 +@@ -111,10 +111,10 @@ NORET_TYPE void machine_kexec(struct kim
43470 + local_irq_disable();
43471 +
43472 + control_page = page_address(image->control_code_page);
43473 +- memcpy(control_page, relocate_kernel, PAGE_SIZE);
43474 ++ memcpy(control_page, ktla_ktva(relocate_kernel), PAGE_SIZE);
43475 +
43476 + page_list[PA_CONTROL_PAGE] = __pa(control_page);
43477 +- page_list[VA_CONTROL_PAGE] = (unsigned long)relocate_kernel;
43478 ++ page_list[VA_CONTROL_PAGE] = ktla_ktva((unsigned long)relocate_kernel);
43479 + page_list[PA_PGD] = __pa(kexec_pgd);
43480 + page_list[VA_PGD] = (unsigned long)kexec_pgd;
43481 + #ifdef CONFIG_X86_PAE
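Review bot: `page_list[VA_CONTROL_PAGE] = ktla_ktva((unsigned long)relocate_kernel);` hands the data-alias address to relocate_kernel_32.S, which uses VA_CONTROL_PAGE to set up the mapping it jumps through; translating the memcpy source just above is clearly right (text is read through the alias), but whether the value placed in page_list should be the alias or the executable linear address depends on how the assembly consumes it, and that file is not in this hunk, so the commit message should say it was checked.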
43482 +diff -urNp linux-2.6.24.5/arch/x86/kernel/Makefile_64 linux-2.6.24.5/arch/x86/kernel/Makefile_64
43483 +--- linux-2.6.24.5/arch/x86/kernel/Makefile_64 2008-03-24 14:49:18.000000000 -0400
43484 ++++ linux-2.6.24.5/arch/x86/kernel/Makefile_64 2008-03-26 20:21:08.000000000 -0400
43485 +@@ -42,4 +42,6 @@ obj-$(CONFIG_PCI) += early-quirks.o
43486 + obj-y += topology.o
43487 + obj-y += pcspeaker.o
43488 +
43489 +-CFLAGS_vsyscall_64.o := $(PROFILING) -g0
43490 ++CFLAGS_vsyscall_64.o := $(PROFILING) -g0 -fno-stack-protector
43491 ++CFLAGS_hpet.o := -fno-stack-protector
43492 ++CFLAGS_tsc_64.o := -fno-stack-protector
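Review bot: the three `-fno-stack-protector` additions (vsyscall_64.o, hpet.o, tsc_64.o) carry no comment; these objects contribute code that runs in the vsyscall page in user context, where the gs-relative PDA canary the protector reads is not available, and the canary changes to process_64.c later in this patch are part of the same story. A one-line Makefile comment saying exactly that would stop the next person from removing the flags as an apparent hardening regression.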
43493 +diff -urNp linux-2.6.24.5/arch/x86/kernel/module_32.c linux-2.6.24.5/arch/x86/kernel/module_32.c
43494 +--- linux-2.6.24.5/arch/x86/kernel/module_32.c 2008-03-24 14:49:18.000000000 -0400
43495 ++++ linux-2.6.24.5/arch/x86/kernel/module_32.c 2008-03-26 20:21:08.000000000 -0400
43496 +@@ -23,6 +23,8 @@
43497 + #include <linux/kernel.h>
43498 + #include <linux/bug.h>
43499 +
43500 ++#include <asm/desc.h>
43501 ++
43502 + #if 0
43503 + #define DEBUGP printk
43504 + #else
43505 +@@ -33,9 +35,30 @@ void *module_alloc(unsigned long size)
43506 + {
43507 + if (size == 0)
43508 + return NULL;
43509 ++
43510 ++#ifdef CONFIG_PAX_KERNEXEC
43511 ++ return vmalloc(size);
43512 ++#else
43513 + return vmalloc_exec(size);
43514 ++#endif
43515 ++
43516 + }
43517 +
43518 ++#ifdef CONFIG_PAX_KERNEXEC
43519 ++void *module_alloc_exec(unsigned long size)
43520 ++{
43521 ++ struct vm_struct *area;
43522 ++
43523 ++ if (size == 0)
43524 ++ return NULL;
43525 ++
43526 ++ area = __get_vm_area(size, VM_ALLOC, (unsigned long)&MODULES_VADDR, (unsigned long)&MODULES_END);
43527 ++ if (area)
43528 ++ return area->addr;
43529 ++
43530 ++ return NULL;
43531 ++}
43532 ++#endif
43533 +
43534 + /* Free memory returned from module_alloc */
43535 + void module_free(struct module *mod, void *module_region)
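Review bot: under CONFIG_PAX_KERNEXEC the new module_alloc_exec() reserves a vm_struct with `__get_vm_area(size, VM_ALLOC, (unsigned long)&MODULES_VADDR, (unsigned long)&MODULES_END)` and returns `area->addr` without ever populating it (there is no __vmalloc_area call), so it relies on that address range being backed and mapped executable ahead of time; document that precondition at the function, since anyone reading module_alloc_exec() on its own will assume it allocates pages. The two blank lines added inside module_alloc() before the closing brace are also stray.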
43536 +@@ -45,6 +68,45 @@ void module_free(struct module *mod, voi
43537 + table entries. */
43538 + }
43539 +
43540 ++#ifdef CONFIG_PAX_KERNEXEC
43541 ++void module_free_exec(struct module *mod, void *module_region)
43542 ++{
43543 ++ struct vm_struct **p, *tmp;
43544 ++
43545 ++ if (!module_region)
43546 ++ return;
43547 ++
43548 ++ if ((PAGE_SIZE-1) & (unsigned long)module_region) {
43549 ++ printk(KERN_ERR "Trying to module_free_exec() bad address (%p)\n", module_region);
43550 ++ WARN_ON(1);
43551 ++ return;
43552 ++ }
43553 ++
43554 ++ write_lock(&vmlist_lock);
43555 ++ for (p = &vmlist; (tmp = *p) != NULL; p = &tmp->next)
43556 ++ if (tmp->addr == module_region)
43557 ++ break;
43558 ++
43559 ++ if (tmp) {
43560 ++ unsigned long cr0;
43561 ++
43562 ++ pax_open_kernel(cr0);
43563 ++ memset(tmp->addr, 0xCC, tmp->size);
43564 ++ pax_close_kernel(cr0);
43565 ++
43566 ++ *p = tmp->next;
43567 ++ kfree(tmp);
43568 ++ }
43569 ++ write_unlock(&vmlist_lock);
43570 ++
43571 ++ if (!tmp) {
43572 ++ printk(KERN_ERR "Trying to module_free_exec() nonexistent vm area (%p)\n",
43573 ++ module_region);
43574 ++ WARN_ON(1);
43575 ++ }
43576 ++}
43577 ++#endif
43578 ++
43579 + /* We don't need anything special. */
43580 + int module_frob_arch_sections(Elf_Ehdr *hdr,
43581 + Elf_Shdr *sechdrs,
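Review bot: module_free_exec() open-codes the vmlist walk under `write_lock(&vmlist_lock)` that remove_vm_area() already implements; the only reason to keep it inline is the `memset(tmp->addr, 0xCC, tmp->size)` between pax_open_kernel and pax_close_kernel, and that line needs a comment saying 0xCC is the int3 opcode, so a stale jump into freed module text traps instead of executing whatever is placed there later. The `!tmp` error message correctly fires only after the lock is dropped, and the `%p` plus WARN_ON(1) style matches module_free().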
43582 +@@ -63,14 +125,20 @@ int apply_relocate(Elf32_Shdr *sechdrs,
43583 + unsigned int i;
43584 + Elf32_Rel *rel = (void *)sechdrs[relsec].sh_addr;
43585 + Elf32_Sym *sym;
43586 +- uint32_t *location;
43587 ++ uint32_t *plocation, location;
43588 ++
43589 ++#ifdef CONFIG_PAX_KERNEXEC
43590 ++ unsigned long cr0;
43591 ++#endif
43592 +
43593 + DEBUGP("Applying relocate section %u to %u\n", relsec,
43594 + sechdrs[relsec].sh_info);
43595 + for (i = 0; i < sechdrs[relsec].sh_size / sizeof(*rel); i++) {
43596 + /* This is where to make the change */
43597 +- location = (void *)sechdrs[sechdrs[relsec].sh_info].sh_addr
43598 +- + rel[i].r_offset;
43599 ++ plocation = (void *)sechdrs[sechdrs[relsec].sh_info].sh_addr + rel[i].r_offset;
43600 ++ location = (uint32_t)plocation;
43601 ++ if (sechdrs[sechdrs[relsec].sh_info].sh_flags & SHF_EXECINSTR)
43602 ++ plocation = ktla_ktva((void *)plocation);
43603 + /* This is the symbol it is referring to. Note that all
43604 + undefined symbols have been resolved. */
43605 + sym = (Elf32_Sym *)sechdrs[symindex].sh_addr
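Review bot: the split into `plocation` (the writable alias, translated only when `sh_flags & SHF_EXECINSTR`) and `location = (uint32_t)plocation` (the untranslated address, consumed by R_386_PC32 in the next hunk) is correct but subtle: a PC-relative relocation must be relative to where the code executes, not to the alias it is written through. Put that in a comment at `location = (uint32_t)plocation;`, because the declaration `uint32_t *plocation, location;` mixing a pointer and a scalar on one line is easy to misread.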
43606 +@@ -78,12 +146,32 @@ int apply_relocate(Elf32_Shdr *sechdrs,
43607 +
43608 + switch (ELF32_R_TYPE(rel[i].r_info)) {
43609 + case R_386_32:
43610 ++
43611 ++#ifdef CONFIG_PAX_KERNEXEC
43612 ++ pax_open_kernel(cr0);
43613 ++#endif
43614 ++
43615 + /* We add the value into the location given */
43616 +- *location += sym->st_value;
43617 ++ *plocation += sym->st_value;
43618 ++
43619 ++#ifdef CONFIG_PAX_KERNEXEC
43620 ++ pax_close_kernel(cr0);
43621 ++#endif
43622 ++
43623 + break;
43624 + case R_386_PC32:
43625 ++
43626 ++#ifdef CONFIG_PAX_KERNEXEC
43627 ++ pax_open_kernel(cr0);
43628 ++#endif
43629 ++
43630 + /* Add the value, subtract its postition */
43631 +- *location += sym->st_value - (uint32_t)location;
43632 ++ *plocation += sym->st_value - location;
43633 ++
43634 ++#ifdef CONFIG_PAX_KERNEXEC
43635 ++ pax_close_kernel(cr0);
43636 ++#endif
43637 ++
43638 + break;
43639 + default:
43640 + printk(KERN_ERR "module %s: Unknown relocation: %u\n",
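Review bot: `pax_open_kernel(cr0)` / `pax_close_kernel(cr0)` now run for every relocation entry regardless of whether the target section is executable, although the address translation in the previous hunk only applies when `SHF_EXECINSTR` is set and non-executable module sections come from plain vmalloc() under KERNEXEC in this patch; conditioning the open/close on the same flag would avoid toggling the write-protect bit for every data relocation.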
43641 +diff -urNp linux-2.6.24.5/arch/x86/kernel/module_64.c linux-2.6.24.5/arch/x86/kernel/module_64.c
43642 +--- linux-2.6.24.5/arch/x86/kernel/module_64.c 2008-03-24 14:49:18.000000000 -0400
43643 ++++ linux-2.6.24.5/arch/x86/kernel/module_64.c 2008-03-26 20:21:08.000000000 -0400
43644 +@@ -39,7 +39,7 @@ void module_free(struct module *mod, voi
43645 + table entries. */
43646 + }
43647 +
43648 +-void *module_alloc(unsigned long size)
43649 ++static void *__module_alloc(unsigned long size, pgprot_t prot)
43650 + {
43651 + struct vm_struct *area;
43652 +
43653 +@@ -53,8 +53,31 @@ void *module_alloc(unsigned long size)
43654 + if (!area)
43655 + return NULL;
43656 +
43657 +- return __vmalloc_area(area, GFP_KERNEL, PAGE_KERNEL_EXEC);
43658 ++ return __vmalloc_area(area, GFP_KERNEL | __GFP_ZERO, prot);
43659 ++}
43660 ++
43661 ++#ifdef CONFIG_PAX_KERNEXEC
43662 ++void *module_alloc(unsigned long size)
43663 ++{
43664 ++ return __module_alloc(size, PAGE_KERNEL);
43665 ++}
43666 ++
43667 ++void module_free_exec(struct module *mod, void *module_region)
43668 ++{
43669 ++ module_free(mod, module_region);
43670 ++}
43671 ++
43672 ++void *module_alloc_exec(unsigned long size)
43673 ++{
43674 ++ return __module_alloc(size, PAGE_KERNEL_RX);
43675 + }
43676 ++#else
43677 ++void *module_alloc(unsigned long size)
43678 ++{
43679 ++ return __module_alloc(size, PAGE_KERNEL_EXEC);
43680 ++}
43681 ++#endif
43682 ++
43683 + #endif
43684 +
43685 + /* We don't need anything special. */
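Review bot: on 64-bit `module_free_exec()` simply calls `module_free()`, whereas the 32-bit counterpart scrubs the region with int3 before releasing it; the asymmetry is defensible because __module_alloc() here maps real pages that vfree() unmaps again, but a comment should say so. Separately, `module_alloc_exec()` maps with `PAGE_KERNEL_RX`, which has to come from this patch's header changes, and from then on every write into module text (the apply_relocate_add hunks below, and the copy of section contents in kernel/module.c that is not in this file) depends on its open/close pair being present; the commit message should confirm that the loader side was covered.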
43686 +@@ -76,7 +99,11 @@ int apply_relocate_add(Elf64_Shdr *sechd
43687 + Elf64_Rela *rel = (void *)sechdrs[relsec].sh_addr;
43688 + Elf64_Sym *sym;
43689 + void *loc;
43690 +- u64 val;
43691 ++ u64 val;
43692 ++
43693 ++#ifdef CONFIG_PAX_KERNEXEC
43694 ++ unsigned long cr0;
43695 ++#endif
43696 +
43697 + DEBUGP("Applying relocate section %u to %u\n", relsec,
43698 + sechdrs[relsec].sh_info);
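Review bot: the `- u64 val;` / `+ u64 val;` pair in this hunk is a whitespace-only change (the visible text is identical); drop it so the hunk only adds the `cr0` declaration.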
43699 +@@ -100,21 +127,61 @@ int apply_relocate_add(Elf64_Shdr *sechd
43700 + case R_X86_64_NONE:
43701 + break;
43702 + case R_X86_64_64:
43703 ++
43704 ++#ifdef CONFIG_PAX_KERNEXEC
43705 ++ pax_open_kernel(cr0);
43706 ++#endif
43707 ++
43708 + *(u64 *)loc = val;
43709 ++
43710 ++#ifdef CONFIG_PAX_KERNEXEC
43711 ++ pax_close_kernel(cr0);
43712 ++#endif
43713 ++
43714 + break;
43715 + case R_X86_64_32:
43716 ++
43717 ++#ifdef CONFIG_PAX_KERNEXEC
43718 ++ pax_open_kernel(cr0);
43719 ++#endif
43720 ++
43721 + *(u32 *)loc = val;
43722 ++
43723 ++#ifdef CONFIG_PAX_KERNEXEC
43724 ++ pax_close_kernel(cr0);
43725 ++#endif
43726 ++
43727 + if (val != *(u32 *)loc)
43728 + goto overflow;
43729 + break;
43730 + case R_X86_64_32S:
43731 ++
43732 ++#ifdef CONFIG_PAX_KERNEXEC
43733 ++ pax_open_kernel(cr0);
43734 ++#endif
43735 ++
43736 + *(s32 *)loc = val;
43737 ++
43738 ++#ifdef CONFIG_PAX_KERNEXEC
43739 ++ pax_close_kernel(cr0);
43740 ++#endif
43741 ++
43742 + if ((s64)val != *(s32 *)loc)
43743 + goto overflow;
43744 + break;
43745 + case R_X86_64_PC32:
43746 + val -= (u64)loc;
43747 ++
43748 ++#ifdef CONFIG_PAX_KERNEXEC
43749 ++ pax_open_kernel(cr0);
43750 ++#endif
43751 ++
43752 + *(u32 *)loc = val;
43753 ++
43754 ++#ifdef CONFIG_PAX_KERNEXEC
43755 ++ pax_close_kernel(cr0);
43756 ++#endif
43757 ++
43758 + #if 0
43759 + if ((s64)val != *(s32 *)loc)
43760 + goto overflow;
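Review bot: each of the cases R_X86_64_64, R_X86_64_32, R_X86_64_32S and R_X86_64_PC32 repeats the same eight-line `#ifdef CONFIG_PAX_KERNEXEC` / `pax_open_kernel(cr0)` / store / `pax_close_kernel(cr0)` scaffolding around a single store; a small helper or macro that opens, stores and closes (and compiles to the bare store without KERNEXEC) would cut this hunk to a quarter and let the read-back checks such as `if (val != *(u32 *)loc)` stand out. Those checks correctly run after the window is closed, since reads do not need it.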
43761 +diff -urNp linux-2.6.24.5/arch/x86/kernel/paravirt_32.c linux-2.6.24.5/arch/x86/kernel/paravirt_32.c
43762 +--- linux-2.6.24.5/arch/x86/kernel/paravirt_32.c 2008-03-24 14:49:18.000000000 -0400
43763 ++++ linux-2.6.24.5/arch/x86/kernel/paravirt_32.c 2008-03-26 20:21:08.000000000 -0400
43764 +@@ -39,7 +39,7 @@ void _paravirt_nop(void)
43765 + {
43766 + }
43767 +
43768 +-static void __init default_banner(void)
43769 ++static void default_banner(void)
43770 + {
43771 + printk(KERN_INFO "Booting paravirtualized kernel on %s\n",
43772 + pv_info.name);
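Review bot: the hunk drops `__init` from default_banner without saying why; presumably because pv_init_ops becomes `__read_only` later in this file and a table that is never discarded must not point at text that is freed after boot, but that reasoning belongs in the commit message or a comment, otherwise someone will put `__init` back to reclaim the text.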
43773 +@@ -206,7 +206,7 @@ unsigned paravirt_patch_insns(void *insn
43774 + if (insn_len > len || start == NULL)
43775 + insn_len = len;
43776 + else
43777 +- memcpy(insnbuf, start, insn_len);
43778 ++ memcpy(insnbuf, ktla_ktva(start), insn_len);
43779 +
43780 + return insn_len;
43781 + }
43782 +@@ -324,21 +324,21 @@ enum paravirt_lazy_mode paravirt_get_laz
43783 + return x86_read_percpu(paravirt_lazy_mode);
43784 + }
43785 +
43786 +-struct pv_info pv_info = {
43787 ++struct pv_info pv_info __read_only = {
43788 + .name = "bare hardware",
43789 + .paravirt_enabled = 0,
43790 + .kernel_rpl = 0,
43791 + .shared_kernel_pmd = 1, /* Only used when CONFIG_X86_PAE is set */
43792 + };
43793 +
43794 +-struct pv_init_ops pv_init_ops = {
43795 ++struct pv_init_ops pv_init_ops __read_only = {
43796 + .patch = native_patch,
43797 + .banner = default_banner,
43798 + .arch_setup = paravirt_nop,
43799 + .memory_setup = machine_specific_memory_setup,
43800 + };
43801 +
43802 +-struct pv_time_ops pv_time_ops = {
43803 ++struct pv_time_ops pv_time_ops __read_only = {
43804 + .time_init = hpet_time_init,
43805 + .get_wallclock = native_get_wallclock,
43806 + .set_wallclock = native_set_wallclock,
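Review bot: marking `pv_info`, `pv_init_ops`, `pv_time_ops` (and the remaining pv_*_ops in the hunks that follow) `__read_only` is a real hardening win, since these function-pointer tables are exactly what a kernel write primitive would be aimed at, but every paravirt backend that fills them at boot (Xen, VMI and lguest all assign into these structs) now has to do so before the section is made read-only or through pax_open_kernel(); none of those sites are in this hunk, so the commit message should say how they were handled.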
43807 +@@ -346,7 +346,7 @@ struct pv_time_ops pv_time_ops = {
43808 + .get_cpu_khz = native_calculate_cpu_khz,
43809 + };
43810 +
43811 +-struct pv_irq_ops pv_irq_ops = {
43812 ++struct pv_irq_ops pv_irq_ops __read_only = {
43813 + .init_IRQ = native_init_IRQ,
43814 + .save_fl = native_save_fl,
43815 + .restore_fl = native_restore_fl,
43816 +@@ -356,7 +356,7 @@ struct pv_irq_ops pv_irq_ops = {
43817 + .halt = native_halt,
43818 + };
43819 +
43820 +-struct pv_cpu_ops pv_cpu_ops = {
43821 ++struct pv_cpu_ops pv_cpu_ops __read_only = {
43822 + .cpuid = native_cpuid,
43823 + .get_debugreg = native_get_debugreg,
43824 + .set_debugreg = native_set_debugreg,
43825 +@@ -396,7 +396,7 @@ struct pv_cpu_ops pv_cpu_ops = {
43826 + },
43827 + };
43828 +
43829 +-struct pv_apic_ops pv_apic_ops = {
43830 ++struct pv_apic_ops pv_apic_ops __read_only = {
43831 + #ifdef CONFIG_X86_LOCAL_APIC
43832 + .apic_write = native_apic_write,
43833 + .apic_write_atomic = native_apic_write_atomic,
43834 +@@ -407,7 +407,7 @@ struct pv_apic_ops pv_apic_ops = {
43835 + #endif
43836 + };
43837 +
43838 +-struct pv_mmu_ops pv_mmu_ops = {
43839 ++struct pv_mmu_ops pv_mmu_ops __read_only = {
43840 + .pagetable_setup_start = native_pagetable_setup_start,
43841 + .pagetable_setup_done = native_pagetable_setup_done,
43842 +
43843 +diff -urNp linux-2.6.24.5/arch/x86/kernel/process_32.c linux-2.6.24.5/arch/x86/kernel/process_32.c
43844 +--- linux-2.6.24.5/arch/x86/kernel/process_32.c 2008-03-24 14:49:18.000000000 -0400
43845 ++++ linux-2.6.24.5/arch/x86/kernel/process_32.c 2008-03-26 20:21:08.000000000 -0400
43846 +@@ -66,15 +66,17 @@ EXPORT_SYMBOL(boot_option_idle_override)
43847 + DEFINE_PER_CPU(struct task_struct *, current_task) = &init_task;
43848 + EXPORT_PER_CPU_SYMBOL(current_task);
43849 +
43850 ++#ifdef CONFIG_SMP
43851 + DEFINE_PER_CPU(int, cpu_number);
43852 + EXPORT_PER_CPU_SYMBOL(cpu_number);
43853 ++#endif
43854 +
43855 + /*
43856 + * Return saved PC of a blocked thread.
43857 + */
43858 + unsigned long thread_saved_pc(struct task_struct *tsk)
43859 + {
43860 +- return ((unsigned long *)tsk->thread.esp)[3];
43861 ++ return tsk->thread.eip;
43862 + }
43863 +
43864 + /*
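Review bot: `thread_saved_pc()` now returns `tsk->thread.eip` instead of reading slot `[3]` of the saved stack, which is only correct if the switch path stores the resume address into thread.eip for every blocked task; state that assumption in a comment at the function. Wrapping `cpu_number` in `#ifdef CONFIG_SMP` also means any UP code that referenced the per-cpu variable (a raw_smp_processor_id() definition, for instance) has to be adjusted in the same patch.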
43865 +@@ -313,7 +315,7 @@ void __show_registers(struct pt_regs *re
43866 + unsigned long esp;
43867 + unsigned short ss, gs;
43868 +
43869 +- if (user_mode_vm(regs)) {
43870 ++ if (user_mode(regs)) {
43871 + esp = regs->esp;
43872 + ss = regs->xss & 0xffff;
43873 + savesegment(gs, gs);
43874 +@@ -391,8 +393,8 @@ int kernel_thread(int (*fn)(void *), voi
43875 + regs.ebx = (unsigned long) fn;
43876 + regs.edx = (unsigned long) arg;
43877 +
43878 +- regs.xds = __USER_DS;
43879 +- regs.xes = __USER_DS;
43880 ++ regs.xds = __KERNEL_DS;
43881 ++ regs.xes = __KERNEL_DS;
43882 + regs.xfs = __KERNEL_PERCPU;
43883 + regs.orig_eax = -1;
43884 + regs.eip = (unsigned long) kernel_thread_helper;
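Review bot: `regs.xds = __KERNEL_DS; regs.xes = __KERNEL_DS;` for kernel threads needs a comment tying it to UDEREF: with the user data segment limited to the user half of the address space, a kernel thread started with `__USER_DS` would fault on its first kernel-space data access, so the kernel selectors are mandatory here rather than cosmetic.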
43885 +@@ -414,7 +416,7 @@ void exit_thread(void)
43886 + struct task_struct *tsk = current;
43887 + struct thread_struct *t = &tsk->thread;
43888 + int cpu = get_cpu();
43889 +- struct tss_struct *tss = &per_cpu(init_tss, cpu);
43890 ++ struct tss_struct *tss = init_tss + cpu;
43891 +
43892 + kfree(t->io_bitmap_ptr);
43893 + t->io_bitmap_ptr = NULL;
43894 +@@ -435,6 +437,7 @@ void flush_thread(void)
43895 + {
43896 + struct task_struct *tsk = current;
43897 +
43898 ++ __asm__("mov %0,%%gs\n" : : "r" (0) : "memory");
43899 + memset(tsk->thread.debugreg, 0, sizeof(unsigned long)*8);
43900 + memset(tsk->thread.tls_array, 0, sizeof(tsk->thread.tls_array));
43901 + clear_tsk_thread_flag(tsk, TIF_DEBUG);
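Review bot: the bare `__asm__("mov %0,%%gs\n" : : "r" (0) : "memory");` added to flush_thread() has no comment; it loads a null selector into the user TLS segment register so a freshly exec'd image does not keep running on the previous image's TLS descriptor (the `tls_array` memset two lines down clears the descriptors but not the live selector). Say so inline, and note that the `"memory"` clobber is there to keep the compiler from reordering the memsets across the segment load.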
43902 +@@ -468,7 +471,7 @@ int copy_thread(int nr, unsigned long cl
43903 + struct task_struct *tsk;
43904 + int err;
43905 +
43906 +- childregs = task_pt_regs(p);
43907 ++ childregs = task_stack_page(p) + THREAD_SIZE - sizeof(struct pt_regs) - 8;
43908 + *childregs = *regs;
43909 + childregs->eax = 0;
43910 + childregs->esp = esp;
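Review bot: `childregs = task_stack_page(p) + THREAD_SIZE - sizeof(struct pt_regs) - 8;` open-codes what `task_pt_regs(p)` used to compute, minus the 8 reserved bytes; if task_pt_regs() is redefined elsewhere in the patch to match, keep using the macro here, and if it is not, every other user of task_pt_regs() (ptrace, signal delivery, the register dumper) now disagrees with where the child's registers actually live. Either way the 8 should be the same named constant as in the irq-stack hunks.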
43911 +@@ -510,6 +513,11 @@ int copy_thread(int nr, unsigned long cl
43912 + if (idx < GDT_ENTRY_TLS_MIN || idx > GDT_ENTRY_TLS_MAX)
43913 + goto out;
43914 +
43915 ++#ifdef CONFIG_PAX_SEGMEXEC
43916 ++ if ((current->mm->pax_flags & MF_PAX_SEGMEXEC) && (info.contents & MODIFY_LDT_CONTENTS_CODE))
43917 ++ goto out;
43918 ++#endif
43919 ++
43920 + desc = p->thread.tls_array + idx - GDT_ENTRY_TLS_MIN;
43921 + desc->a = LDT_entry_a(&info);
43922 + desc->b = LDT_entry_b(&info);
43923 +@@ -696,7 +704,7 @@ struct task_struct fastcall * __switch_t
43924 + struct thread_struct *prev = &prev_p->thread,
43925 + *next = &next_p->thread;
43926 + int cpu = smp_processor_id();
43927 +- struct tss_struct *tss = &per_cpu(init_tss, cpu);
43928 ++ struct tss_struct *tss = init_tss + cpu;
43929 +
43930 + /* never put a printk in __switch_to... printk() calls wake_up*() indirectly */
43931 +
43932 +@@ -724,6 +732,11 @@ struct task_struct fastcall * __switch_t
43933 + */
43934 + savesegment(gs, prev->gs);
43935 +
43936 ++#ifdef CONFIG_PAX_MEMORY_UDEREF
43937 ++ if (!segment_eq(task_thread_info(prev_p)->addr_limit, task_thread_info(next_p)->addr_limit))
43938 ++ __set_fs(task_thread_info(next_p)->addr_limit, cpu);
43939 ++#endif
43940 ++
43941 + /*
43942 + * Load the per-thread Thread-Local Storage descriptor.
43943 + */
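Review bot: the UDEREF block in __switch_to() compares the `addr_limit` of prev and next and calls `__set_fs(task_thread_info(next_p)->addr_limit, cpu)` on mismatch; this is the point that keeps a set_fs(KERNEL_DS) in one task from leaking into the next, and that purpose (plus the fact that the comparison avoids a segment reload on the common path) belongs in a comment above the `#ifdef`.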
43944 +@@ -888,6 +901,12 @@ asmlinkage int sys_set_thread_area(struc
43945 +
43946 + if (copy_from_user(&info, u_info, sizeof(info)))
43947 + return -EFAULT;
43948 ++
43949 ++#ifdef CONFIG_PAX_SEGMEXEC
43950 ++ if ((current->mm->pax_flags & MF_PAX_SEGMEXEC) && (info.contents & MODIFY_LDT_CONTENTS_CODE))
43951 ++ return -EINVAL;
43952 ++#endif
43953 ++
43954 + idx = info.entry_number;
43955 +
43956 + /*
43957 +@@ -976,9 +995,27 @@ asmlinkage int sys_get_thread_area(struc
43958 + return 0;
43959 + }
43960 +
43961 +-unsigned long arch_align_stack(unsigned long sp)
43962 ++#ifdef CONFIG_PAX_RANDKSTACK
43963 ++asmlinkage void pax_randomize_kstack(void)
43964 + {
43965 +- if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
43966 +- sp -= get_random_int() % 8192;
43967 +- return sp & ~0xf;
43968 ++ struct thread_struct *thread = &current->thread;
43969 ++ unsigned long time;
43970 ++
43971 ++ if (!randomize_va_space)
43972 ++ return;
43973 ++
43974 ++ rdtscl(time);
43975 ++
43976 ++ /* P4 seems to return a 0 LSB, ignore it */
43977 ++#ifdef CONFIG_MPENTIUM4
43978 ++ time &= 0x1EUL;
43979 ++ time <<= 2;
43980 ++#else
43981 ++ time &= 0xFUL;
43982 ++ time <<= 3;
43983 ++#endif
43984 ++
43985 ++ thread->esp0 ^= time;
43986 ++ load_esp0(init_tss + smp_processor_id(), thread);
43987 + }
43988 ++#endif
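Review bot: pax_randomize_kstack() takes `rdtscl(time)` and masks it to `0xFUL << 3` (or `0x1EUL << 2` on Pentium 4), which is 16 possible offsets in steps of 8 bytes, that is 4 bits of entropy per syscall, and the comment should say so instead of leaving the reader to work it out. Two further points: `thread->esp0 ^= time;` accumulates, so successive calls move esp0 within a 128-byte window around its base rather than setting an absolute offset, and wherever that headroom below the top of the kernel stack is reserved is not visible in this hunk and should be referenced. Finally, the function replaces arch_align_stack() instead of sitting beside it, so user-stack randomization for this architecture must now be provided elsewhere in the patch.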
43989 +diff -urNp linux-2.6.24.5/arch/x86/kernel/process_64.c linux-2.6.24.5/arch/x86/kernel/process_64.c
43990 +--- linux-2.6.24.5/arch/x86/kernel/process_64.c 2008-03-24 14:49:18.000000000 -0400
43991 ++++ linux-2.6.24.5/arch/x86/kernel/process_64.c 2008-03-26 20:21:08.000000000 -0400
43992 +@@ -210,6 +210,8 @@ static inline void play_dead(void)
43993 + void cpu_idle (void)
43994 + {
43995 + current_thread_info()->status |= TS_POLLING;
43996 ++ current->stack_canary = pax_get_random_long();
43997 ++ write_pda(stack_canary, current->stack_canary);
43998 + /* endless idle loop with no priority at all */
43999 + while (1) {
44000 + tick_nohz_stop_sched_tick();
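Review bot: `current->stack_canary = pax_get_random_long(); write_pda(stack_canary, current->stack_canary);` in cpu_idle() is unconditional, while the `write_pda(stack_canary, ...)` removed from __switch_to() further down sits inside `#ifdef CONFIG_CC_STACKPROTECTOR`; in stock 2.6.24 `task_struct.stack_canary` only exists under that option, so unless the patch makes the field unconditional this will not build with the stack protector disabled. Wrap the two lines in the same `#ifdef`.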
44001 +@@ -390,7 +392,7 @@ void exit_thread(void)
44002 + struct thread_struct *t = &me->thread;
44003 +
44004 + if (me->thread.io_bitmap_ptr) {
44005 +- struct tss_struct *tss = &per_cpu(init_tss, get_cpu());
44006 ++ struct tss_struct *tss = init_tss + get_cpu();
44007 +
44008 + kfree(t->io_bitmap_ptr);
44009 + t->io_bitmap_ptr = NULL;
44010 +@@ -597,7 +599,7 @@ __switch_to(struct task_struct *prev_p,
44011 + struct thread_struct *prev = &prev_p->thread,
44012 + *next = &next_p->thread;
44013 + int cpu = smp_processor_id();
44014 +- struct tss_struct *tss = &per_cpu(init_tss, cpu);
44015 ++ struct tss_struct *tss = init_tss + cpu;
44016 +
44017 + /* we're going to use this soon, after a few expensive things */
44018 + if (next_p->fpu_counter>5)
44019 +@@ -672,7 +674,6 @@ __switch_to(struct task_struct *prev_p,
44020 + write_pda(kernelstack,
44021 + (unsigned long)task_stack_page(next_p) + THREAD_SIZE - PDA_STACKOFFSET);
44022 + #ifdef CONFIG_CC_STACKPROTECTOR
44023 +- write_pda(stack_canary, next_p->stack_canary);
44024 + /*
44025 + * Build time only check to make sure the stack_canary is at
44026 + * offset 40 in the pda; this is a gcc ABI requirement
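Review bot: with `write_pda(stack_canary, next_p->stack_canary);` removed from __switch_to(), the PDA canary is no longer refreshed on context switch and keeps the value the idle task wrote in cpu_idle(), so the canary becomes per-CPU instead of per-task; that is a deliberate trade (one PDA write less per switch, and the idle task's value is random per boot) but it should be spelled out, and the per-task `stack_canary` field becomes dead for every task except the idle one.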
44027 +@@ -701,7 +702,7 @@ __switch_to(struct task_struct *prev_p,
44028 + */
44029 + asmlinkage
44030 + long sys_execve(char __user *name, char __user * __user *argv,
44031 +- char __user * __user *envp, struct pt_regs regs)
44032 ++ char __user * __user *envp, struct pt_regs *regs)
44033 + {
44034 + long error;
44035 + char * filename;
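Review bot: changing the last parameter of sys_execve() from `struct pt_regs regs` (by value) to `struct pt_regs *regs` changes the calling convention expected by the entry stub (stub_execve in entry_64.S sets up the frame for the by-value form); that stub is not in this hunk and must be adjusted in the same patch, and the compat ia32 path that reaches do_execve with its own frame should be checked for the same mismatch.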
44036 +@@ -710,7 +711,7 @@ long sys_execve(char __user *name, char
44037 + error = PTR_ERR(filename);
44038 + if (IS_ERR(filename))
44039 + return error;
44040 +- error = do_execve(filename, argv, envp, &regs);
44041 ++ error = do_execve(filename, argv, envp, regs);
44042 + if (error == 0) {
44043 + task_lock(current);
44044 + current->ptrace &= ~PT_DTRACE;
44045 +@@ -906,10 +907,3 @@ int dump_task_regs(struct task_struct *t
44046 +
44047 + return 1;
44048 + }
44049 +-
44050 +-unsigned long arch_align_stack(unsigned long sp)
44051 +-{
44052 +- if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
44053 +- sp -= get_random_int() % 8192;
44054 +- return sp & ~0xf;
44055 +-}
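Review bot: deleting arch_align_stack() here (and replacing it on 32-bit with pax_randomize_kstack() above) removes the only x86 definitions of a function that fs/binfmt_elf.c still calls when laying out the initial user stack; the patch must either provide it elsewhere or remove the callers, and the commit message should say which, since an unresolved reference only shows up at link time.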
44056 +diff -urNp linux-2.6.24.5/arch/x86/kernel/ptrace_32.c linux-2.6.24.5/arch/x86/kernel/ptrace_32.c
44057 +--- linux-2.6.24.5/arch/x86/kernel/ptrace_32.c 2008-03-24 14:49:18.000000000 -0400
44058 ++++ linux-2.6.24.5/arch/x86/kernel/ptrace_32.c 2008-03-26 20:21:08.000000000 -0400
44059 +@@ -160,22 +160,20 @@ static unsigned long convert_eip_to_line
44060 + * and APM bios ones we just ignore here.
44061 + */
44062 + if (seg & LDT_SEGMENT) {
44063 +- u32 *desc;
44064 ++ struct desc_struct *desc;
44065 + unsigned long base;
44066 +
44067 +- seg &= ~7UL;
44068 ++ seg >>= 3;
44069 +
44070 + mutex_lock(&child->mm->context.lock);
44071 +- if (unlikely((seg >> 3) >= child->mm->context.size))
44072 +- addr = -1L; /* bogus selector, access would fault */
44073 ++ if (unlikely(seg >= child->mm->context.size))
44074 ++ addr = -EINVAL;
44075 + else {
44076 +- desc = child->mm->context.ldt + seg;
44077 +- base = ((desc[0] >> 16) |
44078 +- ((desc[1] & 0xff) << 16) |
44079 +- (desc[1] & 0xff000000));
44080 ++ desc = &child->mm->context.ldt[seg];
44081 ++ base = (desc->a >> 16) | ((desc->b & 0xff) << 16) | (desc->b & 0xff000000);
44082 +
44083 + /* 16-bit code segment? */
44084 +- if (!((desc[1] >> 22) & 1))
44085 ++ if (!((desc->b >> 22) & 1))
44086 + addr &= 0xffff;
44087 + addr += base;
44088 + }
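Review bot: convert_eip_to_linear() now returns `-EINVAL` instead of `-1L` for a bogus LDT selector and is_setting_trap_flag() tests `addr == -EINVAL` before calling access_process_vm(); that works because it is the only caller, but an errno value coming out of an address-returning function is a sentinel that deserves a comment. The 32-bit version also keeps the hand-rolled extraction `(desc->a >> 16) | ((desc->b & 0xff) << 16) | (desc->b & 0xff000000)` and `(desc->b >> 22) & 1`, while the ptrace_64.c hunk below reads the same fields through `base0/base1/base2` and `d`; if the 32-bit desc_struct exposes those bitfields too, use one style in both files, and if it does not, a short note saves the next reader a diff between them.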
44089 +@@ -190,6 +188,9 @@ static inline int is_setting_trap_flag(s
44090 + unsigned char opcode[15];
44091 + unsigned long addr = convert_eip_to_linear(child, regs);
44092 +
44093 ++ if (addr == -EINVAL)
44094 ++ return 0;
44095 ++
44096 + copied = access_process_vm(child, addr, opcode, sizeof(opcode), 0);
44097 + for (i = 0; i < copied; i++) {
44098 + switch (opcode[i]) {
44099 +@@ -340,6 +341,11 @@ ptrace_set_thread_area(struct task_struc
44100 + if (copy_from_user(&info, user_desc, sizeof(info)))
44101 + return -EFAULT;
44102 +
44103 ++#ifdef CONFIG_PAX_SEGMEXEC
44104 ++ if ((child->mm->pax_flags & MF_PAX_SEGMEXEC) && (info.contents & MODIFY_LDT_CONTENTS_CODE))
44105 ++ return -EINVAL;
44106 ++#endif
44107 ++
44108 + if (idx < GDT_ENTRY_TLS_MIN || idx > GDT_ENTRY_TLS_MAX)
44109 + return -EINVAL;
44110 +
44111 +@@ -419,7 +425,17 @@ long arch_ptrace(struct task_struct *chi
44112 + if(addr == (long) &dummy->u_debugreg[5]) break;
44113 + if(addr < (long) &dummy->u_debugreg[4] &&
44114 + ((unsigned long) data) >= TASK_SIZE-3) break;
44115 +-
44116 ++
44117 ++#ifdef CONFIG_GRKERNSEC
44118 ++ if(addr >= (long) &dummy->u_debugreg[0] &&
44119 ++ addr <= (long) &dummy->u_debugreg[3]) {
44120 ++ long reg = (addr - (long) &dummy->u_debugreg[0]) >> 2;
44121 ++ long type = (child->thread.debugreg[7] >> (DR_CONTROL_SHIFT + 4*reg)) & 3;
44122 ++ long align = (child->thread.debugreg[7] >> (DR_CONTROL_SHIFT + 2 + 4*reg)) & 3;
44123 ++ if ((type & 1) && (data & align))
44124 ++ break;
44125 ++ }
44126 ++#endif
44127 + /* Sanity-check data. Take one half-byte at once with
44128 + * check = (val >> (16 + 4*i)) & 0xf. It contains the
44129 + * R/Wi and LENi bits; bits 0 and 1 are R/Wi, and bits
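Review bot: the `CONFIG_GRKERNSEC` alignment check reads the type and length for register `reg` out of `child->thread.debugreg[7]` at the moment DR0-DR3 is written, so a tracer can still store a misaligned address while DR7 has that slot disabled and enable it with a later DR7 write; the DR7 sanity-check path just below (`check = (val >> (16 + 4*i)) & 0xf`) would need the mirror test against the already stored addresses for the check to be complete. Also the `-` / `+` pair of blank lines before the `#ifdef` is a whitespace-only change and should be dropped.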
44130 +@@ -630,7 +646,7 @@ void send_sigtrap(struct task_struct *ts
44131 + info.si_code = TRAP_BRKPT;
44132 +
44133 + /* User-mode eip? */
44134 +- info.si_addr = user_mode_vm(regs) ? (void __user *) regs->eip : NULL;
44135 ++ info.si_addr = user_mode(regs) ? (void __user *) regs->eip : NULL;
44136 +
44137 + /* Send us the fake SIGTRAP */
44138 + force_sig_info(SIGTRAP, &info, tsk);
44139 +diff -urNp linux-2.6.24.5/arch/x86/kernel/ptrace_64.c linux-2.6.24.5/arch/x86/kernel/ptrace_64.c
44140 +--- linux-2.6.24.5/arch/x86/kernel/ptrace_64.c 2008-03-24 14:49:18.000000000 -0400
44141 ++++ linux-2.6.24.5/arch/x86/kernel/ptrace_64.c 2008-03-26 20:21:08.000000000 -0400
44142 +@@ -98,22 +98,20 @@ unsigned long convert_rip_to_linear(stru
44143 + * and APM bios ones we just ignore here.
44144 + */
44145 + if (seg & LDT_SEGMENT) {
44146 +- u32 *desc;
44147 ++ struct desc_struct *desc;
44148 + unsigned long base;
44149 +
44150 +- seg &= ~7UL;
44151 ++ seg >>= 3;
44152 +
44153 + mutex_lock(&child->mm->context.lock);
44154 +- if (unlikely((seg >> 3) >= child->mm->context.size))
44155 +- addr = -1L; /* bogus selector, access would fault */
44156 ++ if (unlikely(seg >= child->mm->context.size))
44157 ++ addr = -EINVAL; /* bogus selector, access would fault */
44158 + else {
44159 +- desc = child->mm->context.ldt + seg;
44160 +- base = ((desc[0] >> 16) |
44161 +- ((desc[1] & 0xff) << 16) |
44162 +- (desc[1] & 0xff000000));
44163 ++ desc = &child->mm->context.ldt[seg];
44164 ++ base = desc->base0 | (desc->base1 << 16) | (desc->base2 << 24);
44165 +
44166 + /* 16-bit code segment? */
44167 +- if (!((desc[1] >> 22) & 1))
44168 ++ if (!desc->d)
44169 + addr &= 0xffff;
44170 + addr += base;
44171 + }
44172 +@@ -129,6 +127,9 @@ static int is_setting_trap_flag(struct t
44173 + unsigned char opcode[15];
44174 + unsigned long addr = convert_rip_to_linear(child, regs);
44175 +
44176 ++ if (addr == -EINVAL)
44177 ++ return 0;
44178 ++
44179 + copied = access_process_vm(child, addr, opcode, sizeof(opcode), 0);
44180 + for (i = 0; i < copied; i++) {
44181 + switch (opcode[i]) {
44182 +diff -urNp linux-2.6.24.5/arch/x86/kernel/reboot_32.c linux-2.6.24.5/arch/x86/kernel/reboot_32.c
44183 +--- linux-2.6.24.5/arch/x86/kernel/reboot_32.c 2008-03-24 14:49:18.000000000 -0400
44184 ++++ linux-2.6.24.5/arch/x86/kernel/reboot_32.c 2008-03-26 20:21:08.000000000 -0400
44185 +@@ -23,7 +23,7 @@
44186 + void (*pm_power_off)(void);
44187 + EXPORT_SYMBOL(pm_power_off);
44188 +
44189 +-static int reboot_mode;
44190 ++static unsigned short reboot_mode;
44191 + static int reboot_thru_bios;
44192 +
44193 + #ifdef CONFIG_SMP
44194 +@@ -135,7 +135,7 @@ static struct dmi_system_id __initdata r
44195 + DMI_MATCH(DMI_PRODUCT_NAME, "HP Compaq"),
44196 + },
44197 + },
44198 +- { }
44199 ++ { NULL, NULL, {{0, NULL}}, NULL}
44200 + };
44201 +
44202 + static int __init reboot_init(void)
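Review bot: replacing the `{ }` terminator with `{ NULL, NULL, {{0, NULL}}, NULL}` only silences a missing-initializer warning while hard-coding the field order of struct dmi_system_id, so any later change to that struct (or to the matches array size) breaks this line; keep `{ }` or use a designated initializer such as `{ .ident = NULL }`, which is warning-free and layout-independent.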
44203 +@@ -153,18 +153,18 @@ core_initcall(reboot_init);
44204 + doesn't work with at least one type of 486 motherboard. It is easy
44205 + to stop this code working; hence the copious comments. */
44206 +
44207 +-static unsigned long long
44208 +-real_mode_gdt_entries [3] =
44209 ++static struct desc_struct
44210 ++real_mode_gdt_entries [3] __read_only =
44211 + {
44212 +- 0x0000000000000000ULL, /* Null descriptor */
44213 +- 0x00009a000000ffffULL, /* 16-bit real-mode 64k code at 0x00000000 */
44214 +- 0x000092000100ffffULL /* 16-bit real-mode 64k data at 0x00000100 */
44215 ++ {0x00000000, 0x00000000}, /* Null descriptor */
44216 ++ {0x0000ffff, 0x00009b00}, /* 16-bit real-mode 64k code at 0x00000000 */
44217 ++ {0x0100ffff, 0x00009300} /* 16-bit real-mode 64k data at 0x00000100 */
44218 + };
44219 +
44220 +-static struct Xgt_desc_struct
44221 +-real_mode_gdt = { sizeof (real_mode_gdt_entries) - 1, (long)real_mode_gdt_entries },
44222 +-real_mode_idt = { 0x3ff, 0 },
44223 +-no_idt = { 0, 0 };
44224 ++static const struct Xgt_desc_struct
44225 ++real_mode_gdt = { sizeof (real_mode_gdt_entries) - 1, (struct desc_struct *)__pa(real_mode_gdt_entries), 0 },
44226 ++real_mode_idt = { 0x3ff, NULL, 0 },
44227 ++no_idt = { 0, NULL, 0 };
44228 +
44229 +
44230 + /* This is 16-bit protected mode code to disable paging and the cache,
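Review bot: the access bytes in real_mode_gdt_entries change from 0x9a/0x92 to 0x9b/0x93, i.e. the Accessed bit of both descriptors is now pre-set; that is required because the table becomes `__read_only` and the CPU would otherwise write the Accessed bit into the descriptor on segment load, but nothing in the hunk says so, so add a comment on the initializer. Likewise, state why the GDT base is now `__pa(real_mode_gdt_entries)` rather than the virtual address used before; a reader comparing the two lines has no way to tell the physical address is deliberate.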
44231 +@@ -186,7 +186,7 @@ no_idt = { 0, 0 };
44232 + More could be done here to set up the registers as if a CPU reset had
44233 + occurred; hopefully real BIOSs don't assume much. */
44234 +
44235 +-static unsigned char real_mode_switch [] =
44236 ++static const unsigned char real_mode_switch [] =
44237 + {
44238 + 0x66, 0x0f, 0x20, 0xc0, /* movl %cr0,%eax */
44239 + 0x66, 0x83, 0xe0, 0x11, /* andl $0x00000011,%eax */
44240 +@@ -200,7 +200,7 @@ static unsigned char real_mode_switch []
44241 + 0x24, 0x10, /* f: andb $0x10,al */
44242 + 0x66, 0x0f, 0x22, 0xc0 /* movl %eax,%cr0 */
44243 + };
44244 +-static unsigned char jump_to_bios [] =
44245 ++static const unsigned char jump_to_bios [] =
44246 + {
44247 + 0xea, 0x00, 0x00, 0xff, 0xff /* ljmp $0xffff,$0x0000 */
44248 + };
44249 +@@ -210,7 +210,7 @@ static unsigned char jump_to_bios [] =
44250 + * specified by the code and length parameters.
44251 + * We assume that length will aways be less that 100!
44252 + */
44253 +-void machine_real_restart(unsigned char *code, int length)
44254 ++void machine_real_restart(const unsigned char *code, unsigned int length)
44255 + {
44256 + local_irq_disable();
44257 +
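Review bot: the signature change to `machine_real_restart(const unsigned char *code, unsigned int length)` has to be mirrored in the header that declares it and in every caller, or the build fails on the conflicting prototype; none of those are in this hunk, so reference them in the changelog.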
44258 +@@ -232,8 +232,8 @@ void machine_real_restart(unsigned char
44259 + from the kernel segment. This assumes the kernel segment starts at
44260 + virtual address PAGE_OFFSET. */
44261 +
44262 +- memcpy (swapper_pg_dir, swapper_pg_dir + USER_PGD_PTRS,
44263 +- sizeof (swapper_pg_dir [0]) * KERNEL_PGD_PTRS);
44264 ++ clone_pgd_range(swapper_pg_dir, swapper_pg_dir + USER_PGD_PTRS,
44265 ++ min_t(unsigned long, KERNEL_PGD_PTRS, USER_PGD_PTRS));
44266 +
44267 + /*
44268 + * Use `swapper_pg_dir' as our page directory.
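Review bot: `min_t(unsigned long, KERNEL_PGD_PTRS, USER_PGD_PTRS)` copies fewer PGD entries than the old `KERNEL_PGD_PTRS` whenever the kernel half of the address space is larger than the user half; that is the right bound, because the source range starting at `swapper_pg_dir + USER_PGD_PTRS` would otherwise overlap the destination and run off the end of the table, but the hunk should carry a comment explaining why the count is clamped, since a reader comparing with the old memcpy will read it as a regression.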
44269 +@@ -246,7 +246,7 @@ void machine_real_restart(unsigned char
44270 + REBOOT.COM programs, and the previous reset routine did this
44271 + too. */
44272 +
44273 +- *((unsigned short *)0x472) = reboot_mode;
44274 ++ *(unsigned short *)(__va(0x472)) = reboot_mode;
44275 +
44276 + /* For the switch to real mode, copy some code to low memory. It has
44277 + to be in the first 64k because it is running in 16-bit mode, and it
44278 +@@ -254,9 +254,8 @@ void machine_real_restart(unsigned char
44279 + off paging. Copy it near the end of the first page, out of the way
44280 + of BIOS variables. */
44281 +
44282 +- memcpy ((void *) (0x1000 - sizeof (real_mode_switch) - 100),
44283 +- real_mode_switch, sizeof (real_mode_switch));
44284 +- memcpy ((void *) (0x1000 - 100), code, length);
44285 ++ memcpy(__va(0x1000 - sizeof (real_mode_switch) - 100), real_mode_switch, sizeof (real_mode_switch));
44286 ++ memcpy(__va(0x1000 - 100), code, length);
44287 +
44288 + /* Set up the IDT for real mode. */
44289 +
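Review bot: `memcpy(__va(0x1000 - 100), code, length)` still trusts the caller for `length`; with the parameter now an unsigned int and no check, any value above 100 writes past the end of the first page, so add `BUG_ON(length > 100)` (or clamp) next to the copy, which also turns the "less than 100" assumption in the function's header comment into something enforced.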
44290 +diff -urNp linux-2.6.24.5/arch/x86/kernel/setup_32.c linux-2.6.24.5/arch/x86/kernel/setup_32.c
44291 +--- linux-2.6.24.5/arch/x86/kernel/setup_32.c 2008-03-24 14:49:18.000000000 -0400
44292 ++++ linux-2.6.24.5/arch/x86/kernel/setup_32.c 2008-03-26 20:21:08.000000000 -0400
44293 +@@ -61,6 +61,7 @@
44294 + #include <setup_arch.h>
44295 + #include <bios_ebda.h>
44296 + #include <asm/cacheflush.h>
44297 ++#include <asm/boot.h>
44298 +
44299 + /* This value is set up by the early boot code to point to the value
44300 + immediately after the boot time page tables. It contains a *physical*
44301 +@@ -82,7 +83,11 @@ struct cpuinfo_x86 new_cpu_data __cpuini
44302 + struct cpuinfo_x86 boot_cpu_data __read_mostly = { 0, 0, 0, 0, -1, 1, 0, 0, -1 };
44303 + EXPORT_SYMBOL(boot_cpu_data);
44304 +
44305 ++#ifdef CONFIG_X86_PAE
44306 ++unsigned long mmu_cr4_features = X86_CR4_PAE;
44307 ++#else
44308 + unsigned long mmu_cr4_features;
44309 ++#endif
44310 +
44311 + /* for MCA, but anyone else can use it if they want */
44312 + unsigned int machine_id;
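Review bot: the new `#ifdef CONFIG_X86_PAE` initializer gives mmu_cr4_features a non-zero starting value without saying why; set_in_cr4()/clear_in_cr4() keep this variable in step with the live CR4, so document which early path reads mmu_cr4_features before the boot code would otherwise have recorded the PAE bit, and confirm nothing relies on the variable starting at zero.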
44313 +@@ -436,8 +441,8 @@ void __init setup_bootmem_allocator(void
44314 + * the (very unlikely) case of us accidentally initializing the
44315 + * bootmem allocator with an invalid RAM area.
44316 + */
44317 +- reserve_bootmem(__pa_symbol(_text), (PFN_PHYS(min_low_pfn) +
44318 +- bootmap_size + PAGE_SIZE-1) - __pa_symbol(_text));
44319 ++ reserve_bootmem(LOAD_PHYSICAL_ADDR, (PFN_PHYS(min_low_pfn) +
44320 ++ bootmap_size + PAGE_SIZE-1) - LOAD_PHYSICAL_ADDR);
44321 +
44322 + /*
44323 + * reserve physical page 0 - it's a special BIOS page on many boxes,
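Review bot: `reserve_bootmem(LOAD_PHYSICAL_ADDR, ...)` replaces `__pa_symbol(_text)`, presumably because _text no longer has a plain PAGE_OFFSET translation once the kernel text is relocated; it also hard-codes the compile-time load address, so either confirm this is compatible with CONFIG_RELOCATABLE (where the kernel may run from a different physical address) or make the two options mutually exclusive in Kconfig. The `#include <asm/boot.h>` added earlier in this file exists for this symbol and could be mentioned alongside.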
44324 +@@ -590,14 +595,14 @@ void __init setup_arch(char **cmdline_p)
44325 +
44326 + if (!boot_params.hdr.root_flags)
44327 + root_mountflags &= ~MS_RDONLY;
44328 +- init_mm.start_code = (unsigned long) _text;
44329 +- init_mm.end_code = (unsigned long) _etext;
44330 ++ init_mm.start_code = ktla_ktva((unsigned long) _text);
44331 ++ init_mm.end_code = ktla_ktva((unsigned long) _etext);
44332 + init_mm.end_data = (unsigned long) _edata;
44333 + init_mm.brk = init_pg_tables_end + PAGE_OFFSET;
44334 +
44335 +- code_resource.start = virt_to_phys(_text);
44336 +- code_resource.end = virt_to_phys(_etext)-1;
44337 +- data_resource.start = virt_to_phys(_etext);
44338 ++ code_resource.start = virt_to_phys(ktla_ktva(_text));
44339 ++ code_resource.end = virt_to_phys(ktla_ktva(_etext))-1;
44340 ++ data_resource.start = virt_to_phys(_data);
44341 + data_resource.end = virt_to_phys(_edata)-1;
44342 + bss_resource.start = virt_to_phys(&__bss_start);
44343 + bss_resource.end = virt_to_phys(&__bss_stop)-1;
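Review bot: `data_resource.start = virt_to_phys(_data)` is a behaviour change hidden among the ktla_ktva() conversions: previously the data resource began at _etext, so the read-only data between _etext and _data was reported under the data resource in /proc/iomem, and after this change that range belongs to neither code_resource nor data_resource. If that is intended, say so in the changelog; otherwise extend code_resource.end or data_resource.start to cover it. Also confirm `_data` is declared in asm/sections.h for this configuration.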
44344 +@@ -692,3 +697,23 @@ void __init setup_arch(char **cmdline_p)
44345 + #endif
44346 + #endif
44347 + }
44348 ++
44349 ++unsigned long __per_cpu_offset[NR_CPUS] __read_only;
44350 ++
44351 ++EXPORT_SYMBOL(__per_cpu_offset);
44352 ++
44353 ++void __init setup_per_cpu_areas(void)
44354 ++{
44355 ++ unsigned long size, i;
44356 ++ char *ptr;
44357 ++
44358 ++ /* Copy section for each CPU (we discard the original) */
44359 ++ size = ALIGN(PERCPU_ENOUGH_ROOM, PAGE_SIZE);
44360 ++ ptr = alloc_bootmem_pages(size * num_possible_cpus());
44361 ++
44362 ++ for_each_possible_cpu(i) {
44363 ++ __per_cpu_offset[i] = (unsigned long)ptr;
44364 ++ memcpy(ptr, __per_cpu_start, __per_cpu_end - __per_cpu_start);
44365 ++ ptr += size;
44366 ++ }
44367 ++}
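Review bot: the new setup_per_cpu_areas() stores into `__per_cpu_offset[]`, which the line above marks `__read_only`; that only works because the function is `__init` and runs before the read-only protection is applied, which deserves a comment on the array declaration. It also duplicates the generic `__per_cpu_offset` and setup_per_cpu_areas() definitions in init/main.c, so make sure the x86 percpu header change that stops the generic versions being compiled for this configuration is part of the same patch, otherwise the link fails with duplicate symbols.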
44368 +diff -urNp linux-2.6.24.5/arch/x86/kernel/setup64.c linux-2.6.24.5/arch/x86/kernel/setup64.c
44369 +--- linux-2.6.24.5/arch/x86/kernel/setup64.c 2008-03-24 14:49:18.000000000 -0400
44370 ++++ linux-2.6.24.5/arch/x86/kernel/setup64.c 2008-03-26 20:21:08.000000000 -0400
44371 +@@ -32,12 +32,12 @@ struct x8664_pda *_cpu_pda[NR_CPUS] __re
44372 + EXPORT_SYMBOL(_cpu_pda);
44373 + struct x8664_pda boot_cpu_pda[NR_CPUS] __cacheline_aligned;
44374 +
44375 +-struct desc_ptr idt_descr = { 256 * 16 - 1, (unsigned long) idt_table };
44376 ++const struct desc_ptr idt_descr = { 256 * 16 - 1, (unsigned long) idt_table };
44377 +
44378 + char boot_cpu_stack[IRQSTACKSIZE] __attribute__((section(".bss.page_aligned")));
44379 +
44380 + unsigned long __supported_pte_mask __read_mostly = ~0UL;
44381 +-static int do_not_nx __cpuinitdata = 0;
44382 ++EXPORT_SYMBOL(__supported_pte_mask);
44383 +
44384 + /* noexec=on|off
44385 + Control non executable mappings for 64bit processes.
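Review bot: making idt_descr `const` requires the extern declaration in its header to carry the same qualifier, otherwise the compiler rejects the conflicting type, and the `(const struct desc_ptr *)` cast on the load_idt() call later in this file becomes redundant. Separately, the `EXPORT_SYMBOL(__supported_pte_mask)` that takes the place of the removed do_not_nx exports a new module-visible symbol unrelated to the NX cleanup; say which module needs it.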
44386 +@@ -51,16 +51,14 @@ static int __init nonx_setup(char *str)
44387 + return -EINVAL;
44388 + if (!strncmp(str, "on", 2)) {
44389 + __supported_pte_mask |= _PAGE_NX;
44390 +- do_not_nx = 0;
44391 + } else if (!strncmp(str, "off", 3)) {
44392 +- do_not_nx = 1;
44393 + __supported_pte_mask &= ~_PAGE_NX;
44394 + }
44395 + return 0;
44396 + }
44397 + early_param("noexec", nonx_setup);
44398 +
44399 +-int force_personality32 = 0;
44400 ++int force_personality32;
44401 +
44402 + /* noexec32=on|off
44403 + Control non executable heap for 32bit processes.
44404 +@@ -177,7 +175,7 @@ void __cpuinit check_efer(void)
44405 + unsigned long efer;
44406 +
44407 + rdmsrl(MSR_EFER, efer);
44408 +- if (!(efer & EFER_NX) || do_not_nx) {
44409 ++ if (!(efer & EFER_NX)) {
44410 + __supported_pte_mask &= ~_PAGE_NX;
44411 + }
44412 + }
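Review bot: dropping `|| do_not_nx` from check_efer() is safe only because nonx_setup() in the previous hunk already clears _PAGE_NX from __supported_pte_mask on "noexec=off", so the flag was redundant; that deserves one sentence in the changelog, since a reader of this hunk alone sees the "off" handling disappear.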
44413 +@@ -200,12 +198,13 @@ DEFINE_PER_CPU(struct orig_ist, orig_ist
44414 + void __cpuinit cpu_init (void)
44415 + {
44416 + int cpu = stack_smp_processor_id();
44417 +- struct tss_struct *t = &per_cpu(init_tss, cpu);
44418 ++ struct tss_struct *t = init_tss + cpu;
44419 + struct orig_ist *orig_ist = &per_cpu(orig_ist, cpu);
44420 + unsigned long v;
44421 + char *estacks = NULL;
44422 + struct task_struct *me;
44423 + int i;
44424 ++ struct desc_ptr cpu_gdt_descr = { .size = GDT_SIZE - 1, .address = (unsigned long)cpu_gdt_table[cpu]};
44425 +
44426 + /* CPU 0 is initialised in head64.c */
44427 + if (cpu != 0) {
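Review bot: `init_tss + cpu` presumes init_tss is now a plain NR_CPUS array rather than a per-CPU variable, and `cpu_gdt_table[cpu]` presumes a static per-CPU GDT table; neither definition is in this file, so point to the hunks that introduce them in the changelog. The on-stack cpu_gdt_descr is fine for load_gdt() because lgdt copies base and limit into the register, but a short comment saying so will stop someone later "fixing" it back to a static.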
44428 +@@ -223,14 +222,12 @@ void __cpuinit cpu_init (void)
44429 + clear_in_cr4(X86_CR4_VME|X86_CR4_PVI|X86_CR4_TSD|X86_CR4_DE);
44430 +
44431 + /*
44432 +- * Initialize the per-CPU GDT with the boot GDT,
44433 +- * and set up the GDT descriptor:
44434 ++ * Initialize the per-CPU GDT with the boot GDT:
44435 + */
44436 + if (cpu)
44437 + memcpy(cpu_gdt(cpu), cpu_gdt_table, GDT_SIZE);
44438 +
44439 +- cpu_gdt_descr[cpu].size = GDT_SIZE;
44440 +- load_gdt((const struct desc_ptr *)&cpu_gdt_descr[cpu]);
44441 ++ load_gdt(&cpu_gdt_descr);
44442 + load_idt((const struct desc_ptr *)&idt_descr);
44443 +
44444 + memset(me->thread.tls_array, 0, GDT_ENTRY_TLS_ENTRIES * 8);
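Review bot: the removed `cpu_gdt_descr[cpu].size = GDT_SIZE;` loaded a limit one byte too large, whereas the new descriptor is built with `.size = GDT_SIZE - 1`, which is the correct limit encoding; that is a genuine fix hidden inside a refactor, so call it out separately in the changelog and consider sending it upstream on its own.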
44445 +diff -urNp linux-2.6.24.5/arch/x86/kernel/signal_32.c linux-2.6.24.5/arch/x86/kernel/signal_32.c
44446 +--- linux-2.6.24.5/arch/x86/kernel/signal_32.c 2008-03-24 14:49:18.000000000 -0400
44447 ++++ linux-2.6.24.5/arch/x86/kernel/signal_32.c 2008-03-26 20:21:08.000000000 -0400
44448 +@@ -355,9 +355,9 @@ static int setup_frame(int sig, struct k
44449 + }
44450 +
44451 + if (current->binfmt->hasvdso)
44452 +- restorer = (void *)VDSO_SYM(&__kernel_sigreturn);
44453 ++ restorer = (void __user *)VDSO_SYM(&__kernel_sigreturn);
44454 + else
44455 +- restorer = (void *)&frame->retcode;
44456 ++ restorer = (void __user *)&frame->retcode;
44457 + if (ka->sa.sa_flags & SA_RESTORER)
44458 + restorer = ka->sa.sa_restorer;
44459 +
44460 +@@ -452,7 +452,7 @@ static int setup_rt_frame(int sig, struc
44461 + goto give_sigsegv;
44462 +
44463 + /* Set up to return from userspace. */
44464 +- restorer = (void *)VDSO_SYM(&__kernel_rt_sigreturn);
44465 ++ restorer = (void __user *)VDSO_SYM(&__kernel_rt_sigreturn);
44466 + if (ka->sa.sa_flags & SA_RESTORER)
44467 + restorer = ka->sa.sa_restorer;
44468 + err |= __put_user(restorer, &frame->pretcode);
44469 +@@ -584,7 +584,7 @@ static void fastcall do_signal(struct pt
44470 + * before reaching here, so testing against kernel
44471 + * CS suffices.
44472 + */
44473 +- if (!user_mode(regs))
44474 ++ if (!user_mode_novm(regs))
44475 + return;
44476 +
44477 + if (test_thread_flag(TIF_RESTORE_SIGMASK))
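Review bot: `user_mode_novm()` is a helper introduced elsewhere in this patch, and the comment just above ("testing against kernel CS suffices") describes the old user_mode() test; keep the comment and the helper in agreement, and document at the helper's definition how user_mode_novm() differs from user_mode() and user_mode_vm() so the choice made here can be audited.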
44478 +diff -urNp linux-2.6.24.5/arch/x86/kernel/signal_64.c linux-2.6.24.5/arch/x86/kernel/signal_64.c
44479 +--- linux-2.6.24.5/arch/x86/kernel/signal_64.c 2008-03-24 14:49:18.000000000 -0400
44480 ++++ linux-2.6.24.5/arch/x86/kernel/signal_64.c 2008-03-26 20:21:08.000000000 -0400
44481 +@@ -252,8 +252,8 @@ static int setup_rt_frame(int sig, struc
44482 + err |= setup_sigcontext(&frame->uc.uc_mcontext, regs, set->sig[0], me);
44483 + err |= __put_user(fp, &frame->uc.uc_mcontext.fpstate);
44484 + if (sizeof(*set) == 16) {
44485 +- __put_user(set->sig[0], &frame->uc.uc_sigmask.sig[0]);
44486 +- __put_user(set->sig[1], &frame->uc.uc_sigmask.sig[1]);
44487 ++ err |= __put_user(set->sig[0], &frame->uc.uc_sigmask.sig[0]);
44488 ++ err |= __put_user(set->sig[1], &frame->uc.uc_sigmask.sig[1]);
44489 + } else
44490 + err |= __copy_to_user(&frame->uc.uc_sigmask, set, sizeof(*set));
44491 +
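Review bot: this is a genuine bug fix rather than hardening: the two `__put_user()` calls on the sigmask words discarded their return value, so a fault on those stores would never reach the subsequent `err` check; it should be mentioned separately in the changelog and submitted upstream.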
44492 +diff -urNp linux-2.6.24.5/arch/x86/kernel/smp_32.c linux-2.6.24.5/arch/x86/kernel/smp_32.c
44493 +--- linux-2.6.24.5/arch/x86/kernel/smp_32.c 2008-03-24 14:49:18.000000000 -0400
44494 ++++ linux-2.6.24.5/arch/x86/kernel/smp_32.c 2008-03-26 20:21:08.000000000 -0400
44495 +@@ -104,7 +104,7 @@
44496 + * about nothing of note with C stepping upwards.
44497 + */
44498 +
44499 +-DEFINE_PER_CPU(struct tlb_state, cpu_tlbstate) ____cacheline_aligned = { &init_mm, 0, };
44500 ++DEFINE_PER_CPU(struct tlb_state, cpu_tlbstate) ____cacheline_aligned = { &init_mm, 0, {0} };
44501 +
44502 + /*
44503 + * the following functions deal with sending IPIs between CPUs.
44504 +diff -urNp linux-2.6.24.5/arch/x86/kernel/smpboot_32.c linux-2.6.24.5/arch/x86/kernel/smpboot_32.c
44505 +--- linux-2.6.24.5/arch/x86/kernel/smpboot_32.c 2008-03-24 14:49:18.000000000 -0400
44506 ++++ linux-2.6.24.5/arch/x86/kernel/smpboot_32.c 2008-03-26 20:21:08.000000000 -0400
44507 +@@ -781,6 +781,10 @@ static int __cpuinit do_boot_cpu(int api
44508 + unsigned long start_eip;
44509 + unsigned short nmi_high = 0, nmi_low = 0;
44510 +
44511 ++#ifdef CONFIG_PAX_KERNEXEC
44512 ++ unsigned long cr0;
44513 ++#endif
44514 ++
44515 + /*
44516 + * Save current MTRR state in case it was changed since early boot
44517 + * (e.g. by the ACPI SMI) to initialize new CPUs with MTRRs in sync:
44518 +@@ -797,7 +801,16 @@ static int __cpuinit do_boot_cpu(int api
44519 +
44520 + init_gdt(cpu);
44521 + per_cpu(current_task, cpu) = idle;
44522 +- early_gdt_descr.address = (unsigned long)get_cpu_gdt_table(cpu);
44523 ++
44524 ++#ifdef CONFIG_PAX_KERNEXEC
44525 ++ pax_open_kernel(cr0);
44526 ++#endif
44527 ++
44528 ++ early_gdt_descr.address = get_cpu_gdt_table(cpu);
44529 ++
44530 ++#ifdef CONFIG_PAX_KERNEXEC
44531 ++ pax_close_kernel(cr0);
44532 ++#endif
44533 +
44534 + idle->thread.eip = (unsigned long) start_secondary;
44535 + /* start_eip had better be page-aligned! */
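Review bot: the `(unsigned long)` cast disappears from `early_gdt_descr.address = get_cpu_gdt_table(cpu);`, so this relies on the address field of early_gdt_descr having been changed to a pointer type elsewhere in the patch; mention that in the changelog. Wrapping a single assignment in three `#ifdef CONFIG_PAX_KERNEXEC` blocks is also noisy: if pax_open_kernel()/pax_close_kernel() and the cr0 local were defined as no-ops when KERNEXEC is off, the ifdefs here and in smpcommon_32.c and suspend_64.c could go. Confirm as well that the helper disables preemption for the window in which it clears write protection via the cr0 local.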
44536 +@@ -1122,7 +1135,7 @@ static void __init smp_boot_cpus(unsigne
44537 + * construct cpu_sibling_map, so that we can tell sibling CPUs
44538 + * efficiently.
44539 + */
44540 +- for (cpu = 0; cpu < NR_CPUS; cpu++) {
44541 ++ for_each_possible_cpu(cpu) {
44542 + cpus_clear(per_cpu(cpu_sibling_map, cpu));
44543 + cpus_clear(per_cpu(cpu_core_map, cpu));
44544 + }
44545 +diff -urNp linux-2.6.24.5/arch/x86/kernel/smpboot_64.c linux-2.6.24.5/arch/x86/kernel/smpboot_64.c
44546 +--- linux-2.6.24.5/arch/x86/kernel/smpboot_64.c 2008-03-24 14:49:18.000000000 -0400
44547 ++++ linux-2.6.24.5/arch/x86/kernel/smpboot_64.c 2008-03-26 20:21:08.000000000 -0400
44548 +@@ -549,13 +549,6 @@ static int __cpuinit do_boot_cpu(int cpu
44549 + .done = COMPLETION_INITIALIZER_ONSTACK(c_idle.done),
44550 + };
44551 +
44552 +- /* allocate memory for gdts of secondary cpus. Hotplug is considered */
44553 +- if (!cpu_gdt_descr[cpu].address &&
44554 +- !(cpu_gdt_descr[cpu].address = get_zeroed_page(GFP_KERNEL))) {
44555 +- printk(KERN_ERR "Failed to allocate GDT for CPU %d\n", cpu);
44556 +- return -1;
44557 +- }
44558 +-
44559 + /* Allocate node local memory for AP pdas */
44560 + if (cpu_pda(cpu) == &boot_cpu_pda[cpu]) {
44561 + struct x8664_pda *newpda, *pda;
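Review bot: deleting the get_zeroed_page() allocation for secondary GDTs relies on cpu_gdt_table being a static NR_CPUS-sized array (the cpu_init() hunk in setup64.c builds its descriptor from `cpu_gdt_table[cpu]`); make sure the old cpu_gdt_descr[] array and every remaining reader of it go in the same patch, otherwise they keep a NULL .address that nothing fills. The removed comment mentioned hotplug; the static table covers that case too, which is worth stating.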
44562 +@@ -614,7 +607,7 @@ do_rest:
44563 + start_rip = setup_trampoline();
44564 +
44565 + init_rsp = c_idle.idle->thread.rsp;
44566 +- per_cpu(init_tss,cpu).rsp0 = init_rsp;
44567 ++ init_tss[cpu].rsp0 = init_rsp;
44568 + initial_code = start_secondary;
44569 + clear_tsk_thread_flag(c_idle.idle, TIF_FORK);
44570 +
44571 +diff -urNp linux-2.6.24.5/arch/x86/kernel/smpcommon_32.c linux-2.6.24.5/arch/x86/kernel/smpcommon_32.c
44572 +--- linux-2.6.24.5/arch/x86/kernel/smpcommon_32.c 2008-03-24 14:49:18.000000000 -0400
44573 ++++ linux-2.6.24.5/arch/x86/kernel/smpcommon_32.c 2008-03-26 20:21:16.000000000 -0400
44574 +@@ -3,8 +3,9 @@
44575 + */
44576 + #include <linux/module.h>
44577 + #include <asm/smp.h>
44578 ++#include <asm/sections.h>
44579 +
44580 +-DEFINE_PER_CPU(unsigned long, this_cpu_off);
44581 ++DEFINE_PER_CPU(unsigned long, this_cpu_off) = (unsigned long)__per_cpu_start;
44582 + EXPORT_PER_CPU_SYMBOL(this_cpu_off);
44583 +
44584 + /* Initialize the CPU's GDT. This is either the boot CPU doing itself
44585 +@@ -14,10 +15,29 @@ __cpuinit void init_gdt(int cpu)
44586 + {
44587 + struct desc_struct *gdt = get_cpu_gdt_table(cpu);
44588 +
44589 +- pack_descriptor((u32 *)&gdt[GDT_ENTRY_PERCPU].a,
44590 +- (u32 *)&gdt[GDT_ENTRY_PERCPU].b,
44591 +- __per_cpu_offset[cpu], 0xFFFFF,
44592 +- 0x80 | DESCTYPE_S | 0x2, 0x8);
44593 ++#ifdef CONFIG_PAX_KERNEXEC
44594 ++ unsigned long cr0;
44595 ++
44596 ++ pax_open_kernel(cr0);
44597 ++#endif
44598 ++
44599 ++ if (cpu)
44600 ++ memcpy(gdt, cpu_gdt_table, GDT_SIZE);
44601 ++
44602 ++ if (PERCPU_ENOUGH_ROOM <= 64*1024*1024)
44603 ++ pack_descriptor((__u32 *)&gdt[GDT_ENTRY_PERCPU].a,
44604 ++ (__u32 *)&gdt[GDT_ENTRY_PERCPU].b,
44605 ++ __per_cpu_offset[cpu], PERCPU_ENOUGH_ROOM-1,
44606 ++ 0x80 | DESCTYPE_S | 0x3, 0x4);
44607 ++ else
44608 ++ pack_descriptor((__u32 *)&gdt[GDT_ENTRY_PERCPU].a,
44609 ++ (__u32 *)&gdt[GDT_ENTRY_PERCPU].b,
44610 ++ __per_cpu_offset[cpu], ((PERCPU_ENOUGH_ROOM-1) >> PAGE_SHIFT),
44611 ++ 0x80 | DESCTYPE_S | 0x3, 0xC);
44612 ++
44613 ++#ifdef CONFIG_PAX_KERNEXEC
44614 ++ pax_close_kernel(cr0);
44615 ++#endif
44616 +
44617 + per_cpu(this_cpu_off, cpu) = __per_cpu_offset[cpu];
44618 + per_cpu(cpu_number, cpu) = cpu;
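Review bot: the byte-granular branch (flags `0x4`) can only encode a 20-bit limit, i.e. at most 1 MiB, yet it is chosen whenever `PERCPU_ENOUGH_ROOM <= 64*1024*1024`; for any PERCPU_ENOUGH_ROOM between 1 MiB and 64 MiB pack_descriptor() silently truncates the limit, so the cutoff should compare `PERCPU_ENOUGH_ROOM-1` against 0xFFFFF (or the page-granular `0xC` branch should be used unconditionally). The type nibble also goes from 0x2 to 0x3, pre-setting the Accessed bit as in reboot_32.c because the GDT becomes read-only; that deserves a comment rather than a bare constant change.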
44619 +diff -urNp linux-2.6.24.5/arch/x86/kernel/suspend_64.c linux-2.6.24.5/arch/x86/kernel/suspend_64.c
44620 +--- linux-2.6.24.5/arch/x86/kernel/suspend_64.c 2008-03-24 14:49:18.000000000 -0400
44621 ++++ linux-2.6.24.5/arch/x86/kernel/suspend_64.c 2008-03-26 20:21:08.000000000 -0400
44622 +@@ -116,12 +116,22 @@ void restore_processor_state(void)
44623 + void fix_processor_context(void)
44624 + {
44625 + int cpu = smp_processor_id();
44626 +- struct tss_struct *t = &per_cpu(init_tss, cpu);
44627 ++ struct tss_struct *t = init_tss + cpu;
44628 ++
44629 ++#ifdef CONFIG_PAX_KERNEXEC
44630 ++ unsigned long cr0;
44631 ++
44632 ++ pax_open_kernel(cr0);
44633 ++#endif
44634 +
44635 + set_tss_desc(cpu,t); /* This just modifies memory; should not be necessary. But... This is necessary, because 386 hardware has concept of busy TSS or some similar stupidity. */
44636 +
44637 + cpu_gdt(cpu)[GDT_ENTRY_TSS].type = 9;
44638 +
44639 ++#ifdef CONFIG_PAX_KERNEXEC
44640 ++ pax_close_kernel(cr0);
44641 ++#endif
44642 ++
44643 + syscall_init(); /* This sets MSR_*STAR and related */
44644 + load_TR_desc(); /* This does ltr */
44645 + load_LDT(&current->active_mm->context); /* This does lldt */
44646 +diff -urNp linux-2.6.24.5/arch/x86/kernel/syscall_table_32.S linux-2.6.24.5/arch/x86/kernel/syscall_table_32.S
44647 +--- linux-2.6.24.5/arch/x86/kernel/syscall_table_32.S 2008-03-24 14:49:18.000000000 -0400
44648 ++++ linux-2.6.24.5/arch/x86/kernel/syscall_table_32.S 2008-03-26 20:21:08.000000000 -0400
44649 +@@ -1,3 +1,4 @@
44650 ++.section .rodata,"a",@progbits
44651 + ENTRY(sys_call_table)
44652 + .long sys_restart_syscall /* 0 - old "setup()" system call, used for restarting */
44653 + .long sys_exit
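Review bot: the `.section .rodata,"a",@progbits` directive moves sys_call_table into read-only data, which is what stops runtime patching of the syscall table (a classic hooking point for kernel rootkits); that is the whole point of the hunk and should be stated in the changelog, together with a note that any in-tree code writing to the table at runtime would now fault.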
44654 +diff -urNp linux-2.6.24.5/arch/x86/kernel/sysenter_32.c linux-2.6.24.5/arch/x86/kernel/sysenter_32.c
44655 +--- linux-2.6.24.5/arch/x86/kernel/sysenter_32.c 2008-03-24 14:49:18.000000000 -0400
44656 ++++ linux-2.6.24.5/arch/x86/kernel/sysenter_32.c 2008-03-26 20:21:08.000000000 -0400
44657 +@@ -175,7 +175,7 @@ static __init void relocate_vdso(Elf32_E
44658 + void enable_sep_cpu(void)
44659 + {
44660 + int cpu = get_cpu();
44661 +- struct tss_struct *tss = &per_cpu(init_tss, cpu);
44662 ++ struct tss_struct *tss = init_tss + cpu;
44663 +
44664 + if (!boot_cpu_has(X86_FEATURE_SEP)) {
44665 + put_cpu();
44666 +@@ -198,7 +198,7 @@ static int __init gate_vma_init(void)
44667 + gate_vma.vm_start = FIXADDR_USER_START;
44668 + gate_vma.vm_end = FIXADDR_USER_END;
44669 + gate_vma.vm_flags = VM_READ | VM_MAYREAD | VM_EXEC | VM_MAYEXEC;
44670 +- gate_vma.vm_page_prot = __P101;
44671 ++ gate_vma.vm_page_prot = vm_get_page_prot(gate_vma.vm_flags);
44672 + /*
44673 + * Make sure the vDSO gets into every core dump.
44674 + * Dumping its contents makes post-mortem fully interpretable later
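Review bot: deriving gate_vma.vm_page_prot from `vm_get_page_prot(gate_vma.vm_flags)` instead of the hard-coded `__P101` keeps the vDSO gate mapping consistent with the architecture protection map, which this patch alters for PAGEEXEC, so the gate mapping stops being a special case; a short comment would help, since `__P101` looked deliberate.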
44675 +@@ -281,7 +281,7 @@ int arch_setup_additional_pages(struct l
44676 + if (compat)
44677 + addr = VDSO_HIGH_BASE;
44678 + else {
44679 +- addr = get_unmapped_area(NULL, 0, PAGE_SIZE, 0, 0);
44680 ++ addr = get_unmapped_area(NULL, 0, PAGE_SIZE, 0, MAP_EXECUTABLE);
44681 + if (IS_ERR_VALUE(addr)) {
44682 + ret = addr;
44683 + goto up_fail;
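Review bot: passing MAP_EXECUTABLE to get_unmapped_area() has an effect only because the new arch_get_unmapped_area() in sys_i386_32.c tests `flags & MAP_EXECUTABLE` under CONFIG_PAX_PAGEEXEC to place executable mappings low; upstream's search ignores that flag, so note the dependency between the two hunks in the changelog.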
44684 +@@ -306,7 +306,7 @@ int arch_setup_additional_pages(struct l
44685 + goto up_fail;
44686 + }
44687 +
44688 +- current->mm->context.vdso = (void *)addr;
44689 ++ current->mm->context.vdso = addr;
44690 + current_thread_info()->sysenter_return =
44691 + (void *)VDSO_SYM(&SYSENTER_RETURN);
44692 +
44693 +@@ -318,8 +318,14 @@ int arch_setup_additional_pages(struct l
44694 +
44695 + const char *arch_vma_name(struct vm_area_struct *vma)
44696 + {
44697 +- if (vma->vm_mm && vma->vm_start == (long)vma->vm_mm->context.vdso)
44698 ++ if (vma->vm_mm && vma->vm_start == vma->vm_mm->context.vdso)
44699 + return "[vdso]";
44700 ++
44701 ++#ifdef CONFIG_PAX_SEGMEXEC
44702 ++ if (vma->vm_mm && vma->vm_mirror && vma->vm_mirror->vm_start == vma->vm_mm->context.vdso)
44703 ++ return "[vdso]";
44704 ++#endif
44705 ++
44706 + return NULL;
44707 + }
44708 +
44709 +@@ -328,7 +334,7 @@ struct vm_area_struct *get_gate_vma(stru
44710 + struct mm_struct *mm = tsk->mm;
44711 +
44712 + /* Check to see if this task was created in compat vdso mode */
44713 +- if (mm && mm->context.vdso == (void *)VDSO_HIGH_BASE)
44714 ++ if (mm && mm->context.vdso == VDSO_HIGH_BASE)
44715 + return &gate_vma;
44716 + return NULL;
44717 + }
44718 +diff -urNp linux-2.6.24.5/arch/x86/kernel/sys_i386_32.c linux-2.6.24.5/arch/x86/kernel/sys_i386_32.c
44719 +--- linux-2.6.24.5/arch/x86/kernel/sys_i386_32.c 2008-03-24 14:49:18.000000000 -0400
44720 ++++ linux-2.6.24.5/arch/x86/kernel/sys_i386_32.c 2008-03-26 20:21:08.000000000 -0400
44721 +@@ -39,6 +39,21 @@ asmlinkage int sys_pipe(unsigned long __
44722 + return error;
44723 + }
44724 +
44725 ++int i386_mmap_check(unsigned long addr, unsigned long len, unsigned long flags)
44726 ++{
44727 ++ unsigned long pax_task_size = TASK_SIZE;
44728 ++
44729 ++#ifdef CONFIG_PAX_SEGMEXEC
44730 ++ if (current->mm->pax_flags & MF_PAX_SEGMEXEC)
44731 ++ pax_task_size = SEGMEXEC_TASK_SIZE;
44732 ++#endif
44733 ++
44734 ++ if (len > pax_task_size || addr > pax_task_size - len)
44735 ++ return -EINVAL;
44736 ++
44737 ++ return 0;
44738 ++}
44739 ++
44740 + asmlinkage long sys_mmap2(unsigned long addr, unsigned long len,
44741 + unsigned long prot, unsigned long flags,
44742 + unsigned long fd, unsigned long pgoff)
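Review bot: i386_mmap_check() correctly avoids the overflow in an `addr + len > size` comparison by testing `len > pax_task_size || addr > pax_task_size - len`, but as added here it is an unused function; point to the hunk that hooks it into the mmap path (and confirm that -EINVAL rather than -ENOMEM is the errno callers expect), otherwise the limit check is never applied.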
44743 +@@ -98,6 +113,205 @@ out:
44744 + return err;
44745 + }
44746 +
44747 ++unsigned long
44748 ++arch_get_unmapped_area(struct file *filp, unsigned long addr,
44749 ++ unsigned long len, unsigned long pgoff, unsigned long flags)
44750 ++{
44751 ++ struct mm_struct *mm = current->mm;
44752 ++ struct vm_area_struct *vma;
44753 ++ unsigned long start_addr, pax_task_size = TASK_SIZE;
44754 ++
44755 ++#ifdef CONFIG_PAX_SEGMEXEC
44756 ++ if (mm->pax_flags & MF_PAX_SEGMEXEC)
44757 ++ pax_task_size = SEGMEXEC_TASK_SIZE;
44758 ++#endif
44759 ++
44760 ++ if (len > pax_task_size)
44761 ++ return -ENOMEM;
44762 ++
44763 ++ if (flags & MAP_FIXED)
44764 ++ return addr;
44765 ++
44766 ++#ifdef CONFIG_PAX_RANDMMAP
44767 ++ if (!(mm->pax_flags & MF_PAX_RANDMMAP) || !filp)
44768 ++#endif
44769 ++
44770 ++ if (addr) {
44771 ++ addr = PAGE_ALIGN(addr);
44772 ++ vma = find_vma(mm, addr);
44773 ++ if (pax_task_size - len >= addr &&
44774 ++ (!vma || addr + len <= vma->vm_start))
44775 ++ return addr;
44776 ++ }
44777 ++ if (len > mm->cached_hole_size) {
44778 ++ start_addr = addr = mm->free_area_cache;
44779 ++ } else {
44780 ++ start_addr = addr = mm->mmap_base;
44781 ++ mm->cached_hole_size = 0;
44782 ++ }
44783 ++
44784 ++#ifdef CONFIG_PAX_PAGEEXEC
44785 ++ if (!nx_enabled && (mm->pax_flags & MF_PAX_PAGEEXEC) && (flags & MAP_EXECUTABLE) && start_addr >= mm->mmap_base) {
44786 ++ start_addr = 0x00110000UL;
44787 ++
44788 ++#ifdef CONFIG_PAX_RANDMMAP
44789 ++ if (mm->pax_flags & MF_PAX_RANDMMAP)
44790 ++ start_addr += mm->delta_mmap & 0x03FFF000UL;
44791 ++#endif
44792 ++
44793 ++ if (mm->start_brk <= start_addr && start_addr < mm->mmap_base)
44794 ++ start_addr = addr = mm->mmap_base;
44795 ++ else
44796 ++ addr = start_addr;
44797 ++ }
44798 ++#endif
44799 ++
44800 ++full_search:
44801 ++ for (vma = find_vma(mm, addr); ; vma = vma->vm_next) {
44802 ++ /* At this point: (!vma || addr < vma->vm_end). */
44803 ++ if (pax_task_size - len < addr) {
44804 ++ /*
44805 ++ * Start a new search - just in case we missed
44806 ++ * some holes.
44807 ++ */
44808 ++ if (start_addr != mm->mmap_base) {
44809 ++ start_addr = addr = mm->mmap_base;
44810 ++ mm->cached_hole_size = 0;
44811 ++ goto full_search;
44812 ++ }
44813 ++ return -ENOMEM;
44814 ++ }
44815 ++ if (!vma || addr + len <= vma->vm_start) {
44816 ++ /*
44817 ++ * Remember the place where we stopped the search:
44818 ++ */
44819 ++ mm->free_area_cache = addr + len;
44820 ++ return addr;
44821 ++ }
44822 ++ if (addr + mm->cached_hole_size < vma->vm_start)
44823 ++ mm->cached_hole_size = vma->vm_start - addr;
44824 ++ addr = vma->vm_end;
44825 ++ if (mm->start_brk <= addr && addr < mm->mmap_base) {
44826 ++ start_addr = addr = mm->mmap_base;
44827 ++ mm->cached_hole_size = 0;
44828 ++ goto full_search;
44829 ++ }
44830 ++ }
44831 ++}
44832 ++
44833 ++unsigned long
44834 ++arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
44835 ++ const unsigned long len, const unsigned long pgoff,
44836 ++ const unsigned long flags)
44837 ++{
44838 ++ struct vm_area_struct *vma;
44839 ++ struct mm_struct *mm = current->mm;
44840 ++ unsigned long base = mm->mmap_base, addr = addr0, pax_task_size = TASK_SIZE;
44841 ++
44842 ++#ifdef CONFIG_PAX_SEGMEXEC
44843 ++ if (mm->pax_flags & MF_PAX_SEGMEXEC)
44844 ++ pax_task_size = SEGMEXEC_TASK_SIZE;
44845 ++#endif
44846 ++
44847 ++ /* requested length too big for entire address space */
44848 ++ if (len > pax_task_size)
44849 ++ return -ENOMEM;
44850 ++
44851 ++ if (flags & MAP_FIXED)
44852 ++ return addr;
44853 ++
44854 ++#ifdef CONFIG_PAX_PAGEEXEC
44855 ++ if (!nx_enabled && (mm->pax_flags & MF_PAX_PAGEEXEC) && (flags & MAP_EXECUTABLE))
44856 ++ goto bottomup;
44857 ++#endif
44858 ++
44859 ++#ifdef CONFIG_PAX_RANDMMAP
44860 ++ if (!(mm->pax_flags & MF_PAX_RANDMMAP) || !filp)
44861 ++#endif
44862 ++
44863 ++ /* requesting a specific address */
44864 ++ if (addr) {
44865 ++ addr = PAGE_ALIGN(addr);
44866 ++ vma = find_vma(mm, addr);
44867 ++ if (pax_task_size - len >= addr &&
44868 ++ (!vma || addr + len <= vma->vm_start))
44869 ++ return addr;
44870 ++ }
44871 ++
44872 ++ /* check if free_area_cache is useful for us */
44873 ++ if (len <= mm->cached_hole_size) {
44874 ++ mm->cached_hole_size = 0;
44875 ++ mm->free_area_cache = mm->mmap_base;
44876 ++ }
44877 ++
44878 ++ /* either no address requested or can't fit in requested address hole */
44879 ++ addr = mm->free_area_cache;
44880 ++
44881 ++ /* make sure it can fit in the remaining address space */
44882 ++ if (addr > len) {
44883 ++ vma = find_vma(mm, addr-len);
44884 ++ if (!vma || addr <= vma->vm_start)
44885 ++ /* remember the address as a hint for next time */
44886 ++ return (mm->free_area_cache = addr-len);
44887 ++ }
44888 ++
44889 ++ if (mm->mmap_base < len)
44890 ++ goto bottomup;
44891 ++
44892 ++ addr = mm->mmap_base-len;
44893 ++
44894 ++ do {
44895 ++ /*
44896 ++ * Lookup failure means no vma is above this address,
44897 ++ * else if new region fits below vma->vm_start,
44898 ++ * return with success:
44899 ++ */
44900 ++ vma = find_vma(mm, addr);
44901 ++ if (!vma || addr+len <= vma->vm_start)
44902 ++ /* remember the address as a hint for next time */
44903 ++ return (mm->free_area_cache = addr);
44904 ++
44905 ++ /* remember the largest hole we saw so far */
44906 ++ if (addr + mm->cached_hole_size < vma->vm_start)
44907 ++ mm->cached_hole_size = vma->vm_start - addr;
44908 ++
44909 ++ /* try just below the current vma->vm_start */
44910 ++ addr = vma->vm_start-len;
44911 ++ } while (len < vma->vm_start);
44912 ++
44913 ++bottomup:
44914 ++ /*
44915 ++ * A failed mmap() very likely causes application failure,
44916 ++ * so fall back to the bottom-up function here. This scenario
44917 ++ * can happen with large stack limits and large mmap()
44918 ++ * allocations.
44919 ++ */
44920 ++
44921 ++#ifdef CONFIG_PAX_SEGMEXEC
44922 ++ if (mm->pax_flags & MF_PAX_SEGMEXEC)
44923 ++ mm->mmap_base = SEGMEXEC_TASK_UNMAPPED_BASE;
44924 ++ else
44925 ++#endif
44926 ++
44927 ++ mm->mmap_base = TASK_UNMAPPED_BASE;
44928 ++
44929 ++#ifdef CONFIG_PAX_RANDMMAP
44930 ++ if (mm->pax_flags & MF_PAX_RANDMMAP)
44931 ++ mm->mmap_base += mm->delta_mmap;
44932 ++#endif
44933 ++
44934 ++ mm->free_area_cache = mm->mmap_base;
44935 ++ mm->cached_hole_size = ~0UL;
44936 ++ addr = arch_get_unmapped_area(filp, addr0, len, pgoff, flags);
44937 ++ /*
44938 ++ * Restore the topdown base:
44939 ++ */
44940 ++ mm->mmap_base = base;
44941 ++ mm->free_area_cache = base;
44942 ++ mm->cached_hole_size = ~0UL;
44943 ++
44944 ++ return addr;
44945 ++}
44946 +
44947 + struct sel_arg_struct {
44948 + unsigned long n;
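Review bot: in both new functions the sequence `#ifdef CONFIG_PAX_RANDMMAP` / `if (!(mm->pax_flags & MF_PAX_RANDMMAP) || !filp)` / `#endif` followed, after a blank line, by `if (addr) {` makes the whole `if (addr)` block the body of a brace-less conditional that exists only under RANDMMAP; it works, but inserting any statement into that blank line silently changes control flow, so fold the condition into the `if (addr ...)` expression or add braces with the #ifdef inside them. The magic `0x00110000UL` and `0x03FFF000UL` in the PAGEEXEC branch of arch_get_unmapped_area() should be named constants with a comment on which region they describe.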
44949 +diff -urNp linux-2.6.24.5/arch/x86/kernel/sys_x86_64.c linux-2.6.24.5/arch/x86/kernel/sys_x86_64.c
44950 +--- linux-2.6.24.5/arch/x86/kernel/sys_x86_64.c 2008-03-24 14:49:18.000000000 -0400
44951 ++++ linux-2.6.24.5/arch/x86/kernel/sys_x86_64.c 2008-03-26 20:21:08.000000000 -0400
44952 +@@ -61,8 +61,8 @@ out:
44953 + return error;
44954 + }
44955 +
44956 +-static void find_start_end(unsigned long flags, unsigned long *begin,
44957 +- unsigned long *end)
44958 ++static void find_start_end(struct mm_struct *mm, unsigned long flags,
44959 ++ unsigned long *begin, unsigned long *end)
44960 + {
44961 + if (!test_thread_flag(TIF_IA32) && (flags & MAP_32BIT)) {
44962 + /* This is usually used needed to map code in small
44963 +@@ -75,7 +75,7 @@ static void find_start_end(unsigned long
44964 + *begin = 0x40000000;
44965 + *end = 0x80000000;
44966 + } else {
44967 +- *begin = TASK_UNMAPPED_BASE;
44968 ++ *begin = mm->mmap_base;
44969 + *end = TASK_SIZE;
44970 + }
44971 + }
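Review bot: `*begin = mm->mmap_base` makes the legacy bottom-up search start at the per-mm base so that a randomised mmap_base takes effect on x86_64 as well; this assumes arch_pick_mmap_layout() initialises mm->mmap_base for the legacy layout too, which should be checked and mentioned in the changelog.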
44972 +@@ -92,11 +92,15 @@ arch_get_unmapped_area(struct file *filp
44973 + if (flags & MAP_FIXED)
44974 + return addr;
44975 +
44976 +- find_start_end(flags, &begin, &end);
44977 ++ find_start_end(mm, flags, &begin, &end);
44978 +
44979 + if (len > end)
44980 + return -ENOMEM;
44981 +
44982 ++#ifdef CONFIG_PAX_RANDMMAP
44983 ++ if (!(mm->pax_flags & MF_PAX_RANDMMAP) || !filp)
44984 ++#endif
44985 ++
44986 + if (addr) {
44987 + addr = PAGE_ALIGN(addr);
44988 + vma = find_vma(mm, addr);
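Review bot: the bare `if (!(mm->pax_flags & MF_PAX_RANDMMAP) || !filp)` under `#ifdef CONFIG_PAX_RANDMMAP`, separated from `if (addr) {` by `#endif` and a blank line, guards the whole hint-handling block purely by statement order. Its effect, namely that a caller-supplied address hint is ignored for file-backed mappings while RANDMMAP is active (anonymous mappings are still honoured, and `MAP_FIXED` returned earlier), is stated nowhere in the hunk. Add a comment describing that policy and brace the guarded block so the dependency on the next statement is explicit.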
44989 +diff -urNp linux-2.6.24.5/arch/x86/kernel/time_32.c linux-2.6.24.5/arch/x86/kernel/time_32.c
44990 +--- linux-2.6.24.5/arch/x86/kernel/time_32.c 2008-03-24 14:49:18.000000000 -0400
44991 ++++ linux-2.6.24.5/arch/x86/kernel/time_32.c 2008-03-26 20:21:08.000000000 -0400
44992 +@@ -130,20 +130,30 @@ unsigned long profile_pc(struct pt_regs
44993 + if (!v8086_mode(regs) && SEGMENT_IS_KERNEL_CODE(regs->xcs) &&
44994 + in_lock_functions(pc)) {
44995 + #ifdef CONFIG_FRAME_POINTER
44996 +- return *(unsigned long *)(regs->ebp + 4);
44997 ++ return ktla_ktva(*(unsigned long *)(regs->ebp + 4));
44998 + #else
44999 + unsigned long *sp = (unsigned long *)&regs->esp;
45000 +
45001 + /* Return address is either directly at stack pointer
45002 + or above a saved eflags. Eflags has bits 22-31 zero,
45003 + kernel addresses don't. */
45004 ++
45005 ++#ifdef CONFIG_PAX_KERNEXEC
45006 ++ return ktla_ktva(sp[0]);
45007 ++#else
45008 + if (sp[0] >> 22)
45009 + return sp[0];
45010 + if (sp[1] >> 22)
45011 + return sp[1];
45012 + #endif
45013 ++
45014 ++#endif
45015 + }
45016 + #endif
45017 ++
45018 ++ if (!v8086_mode(regs) && SEGMENT_IS_KERNEL_CODE(regs->xcs))
45019 ++ pc = ktla_ktva(pc);
45020 ++
45021 + return pc;
45022 + }
45023 + EXPORT_SYMBOL(profile_pc);
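Review bot: under `CONFIG_PAX_KERNEXEC` the no-frame-pointer branch now returns `ktla_ktva(sp[0])` unconditionally and drops the `sp[1] >> 22` probe, so the "return address above a saved eflags" case that the comment directly above still describes is no longer handled. Either the `>> 22` heuristic cannot be applied to the addresses KERNEXEC produces (then say so in a comment and update the old comment) or the `sp[1]` probe should be kept, wrapped in `ktla_ktva()` as well. Separately, the trailing `pc = ktla_ktva(pc)` is outside any `#ifdef`, so it relies on `ktla_ktva()` collapsing to the identity when KERNEXEC is off; that property should be stated at the macro's definition.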
45024 +diff -urNp linux-2.6.24.5/arch/x86/kernel/traps_32.c linux-2.6.24.5/arch/x86/kernel/traps_32.c
45025 +--- linux-2.6.24.5/arch/x86/kernel/traps_32.c 2008-03-24 14:49:18.000000000 -0400
45026 ++++ linux-2.6.24.5/arch/x86/kernel/traps_32.c 2008-03-26 20:21:08.000000000 -0400
45027 +@@ -29,6 +29,7 @@
45028 + #include <linux/uaccess.h>
45029 + #include <linux/nmi.h>
45030 + #include <linux/bug.h>
45031 ++#include <linux/binfmts.h>
45032 +
45033 + #ifdef CONFIG_EISA
45034 + #include <linux/ioport.h>
45035 +@@ -71,12 +72,7 @@ asmlinkage int system_call(void);
45036 + /* Do we ignore FPU interrupts ? */
45037 + char ignore_fpu_irq = 0;
45038 +
45039 +-/*
45040 +- * The IDT has to be page-aligned to simplify the Pentium
45041 +- * F0 0F bug workaround.. We have a special link segment
45042 +- * for this.
45043 +- */
45044 +-struct desc_struct idt_table[256] __attribute__((__section__(".data.idt"))) = { {0, 0}, };
45045 ++extern struct desc_struct idt_table[256];
45046 +
45047 + asmlinkage void divide_error(void);
45048 + asmlinkage void debug(void);
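Review bot: turning `idt_table` into an `extern` declaration removes both the definition and the comment explaining why the table must be page-aligned (the Pentium F0 0F workaround). The new definition is not in this hunk; the `vmlinux_32.lds.S` hunk below places `*(.idt)` in `.rodata.page_aligned`, which keeps the alignment but makes the IDT read-only, so every later writer of the IDT has to go through the KERNEXEC open/close path. Carry the alignment rationale over to wherever the new definition lives, and mention the read-only consequence there.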
45049 +@@ -306,22 +302,23 @@ void show_registers(struct pt_regs *regs
45050 + * When in-kernel, we also print out the stack and code at the
45051 + * time of the fault..
45052 + */
45053 +- if (!user_mode_vm(regs)) {
45054 ++ if (!user_mode(regs)) {
45055 + u8 *eip;
45056 + unsigned int code_prologue = code_bytes * 43 / 64;
45057 + unsigned int code_len = code_bytes;
45058 + unsigned char c;
45059 ++ unsigned long cs_base = get_desc_base(&get_cpu_gdt_table(smp_processor_id())[(0xffff & regs->xcs) >> 3]);
45060 +
45061 + printk("\n" KERN_EMERG "Stack: ");
45062 + show_stack_log_lvl(NULL, regs, &regs->esp, KERN_EMERG);
45063 +
45064 + printk(KERN_EMERG "Code: ");
45065 +
45066 +- eip = (u8 *)regs->eip - code_prologue;
45067 ++ eip = (u8 *)regs->eip - code_prologue + cs_base;
45068 + if (eip < (u8 *)PAGE_OFFSET ||
45069 + probe_kernel_address(eip, c)) {
45070 + /* try starting at EIP */
45071 +- eip = (u8 *)regs->eip;
45072 ++ eip = (u8 *)regs->eip + cs_base;
45073 + code_len = code_len - code_prologue + 1;
45074 + }
45075 + for (i = 0; i < code_len; i++, eip++) {
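Review bot: the `cs_base` line indexes the GDT with `(0xffff & regs->xcs) >> 3`, which discards the RPL and the TI bit, so an LDT selector would silently be treated as a GDT index. This code only runs for `!user_mode(regs)`, where CS is a kernel GDT selector, so it is safe today, but a short comment (or a `WARN_ON(regs->xcs & 4)`) would make the assumption visible. The line is also far over 80 columns; hoisting `get_cpu_gdt_table(smp_processor_id())` into a local would help. The two `+ cs_base` adjustments of `eip` and the matching one in the next hunk are consistent with each other.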
45076 +@@ -330,7 +327,7 @@ void show_registers(struct pt_regs *regs
45077 + printk(" Bad EIP value.");
45078 + break;
45079 + }
45080 +- if (eip == (u8 *)regs->eip)
45081 ++ if (eip == (u8 *)regs->eip + cs_base)
45082 + printk("<%02x> ", c);
45083 + else
45084 + printk("%02x ", c);
45085 +@@ -343,6 +340,7 @@ int is_valid_bugaddr(unsigned long eip)
45086 + {
45087 + unsigned short ud2;
45088 +
45089 ++ eip = ktla_ktva(eip);
45090 + if (eip < PAGE_OFFSET)
45091 + return 0;
45092 + if (probe_kernel_address((unsigned short *)eip, ud2))
45093 +@@ -444,7 +442,7 @@ void die(const char * str, struct pt_reg
45094 +
45095 + static inline void die_if_kernel(const char * str, struct pt_regs * regs, long err)
45096 + {
45097 +- if (!user_mode_vm(regs))
45098 ++ if (!user_mode(regs))
45099 + die(str, regs, err);
45100 + }
45101 +
45102 +@@ -460,7 +458,7 @@ static void __kprobes do_trap(int trapnr
45103 + goto trap_signal;
45104 + }
45105 +
45106 +- if (!user_mode(regs))
45107 ++ if (!user_mode_novm(regs))
45108 + goto kernel_trap;
45109 +
45110 + trap_signal: {
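Review bot: `user_mode(regs)` -> `user_mode_novm(regs)` here, together with the opposite-direction `user_mode_vm` -> `user_mode` replacements in `show_registers`, `die_if_kernel` and `die_nmi`, is only behaviour-preserving if `asm/ptrace.h` was changed so that `user_mode()` now includes the VM86 check and `user_mode_novm()` carries the old CPL-only meaning. That header hunk is not in this region; verify it, and note in the commit message that any other caller of `user_mode()` in this tree silently changes behaviour for vm86 tasks.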
45111 +@@ -566,7 +564,7 @@ fastcall void __kprobes do_general_prote
45112 + long error_code)
45113 + {
45114 + int cpu = get_cpu();
45115 +- struct tss_struct *tss = &per_cpu(init_tss, cpu);
45116 ++ struct tss_struct *tss = &init_tss[cpu];
45117 + struct thread_struct *thread = &current->thread;
45118 +
45119 + /*
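Review bot: `&per_cpu(init_tss, cpu)` -> `&init_tss[cpu]` (and `init_tss + get_cpu()` in the two `vm86_32.c` hunks below) assumes `init_tss` is now a plain `NR_CPUS`-sized array rather than a `DEFINE_PER_CPU` variable. The declaration change is not in this region; if the array was moved so it can live in a read-only or specially aligned section, the commit message should say so, since per-cpu to array is a layout change that affects every user of `init_tss`.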
45120 +@@ -599,9 +597,25 @@ fastcall void __kprobes do_general_prote
45121 + if (regs->eflags & VM_MASK)
45122 + goto gp_in_vm86;
45123 +
45124 +- if (!user_mode(regs))
45125 ++ if (!user_mode_novm(regs))
45126 + goto gp_in_kernel;
45127 +
45128 ++#ifdef CONFIG_PAX_PAGEEXEC
45129 ++ if (!nx_enabled && current->mm && (current->mm->pax_flags & MF_PAX_PAGEEXEC)) {
45130 ++ struct mm_struct *mm = current->mm;
45131 ++ unsigned long limit;
45132 ++
45133 ++ down_write(&mm->mmap_sem);
45134 ++ limit = mm->context.user_cs_limit;
45135 ++ if (limit < TASK_SIZE) {
45136 ++ track_exec_limit(mm, limit, TASK_SIZE, VM_EXEC);
45137 ++ up_write(&mm->mmap_sem);
45138 ++ return;
45139 ++ }
45140 ++ up_write(&mm->mmap_sem);
45141 ++ }
45142 ++#endif
45143 ++
45144 + current->thread.error_code = error_code;
45145 + current->thread.trap_no = 13;
45146 + if (show_unhandled_signals && unhandled_signal(current, SIGSEGV) &&
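Review bot: the new `CONFIG_PAX_PAGEEXEC` block returns from `do_general_protection` without recording `error_code`/`trap_no` or raising a signal whenever `!nx_enabled`, the task has `MF_PAX_PAGEEXEC` and `mm->context.user_cs_limit < TASK_SIZE`. In other words, any user-mode #GP in such a task is assumed to be a code-segment limit violation, `track_exec_limit()` raises the limit to `TASK_SIZE`, and the faulting instruction is retried. That assumption is not written down; add a comment explaining why a #GP here can only be a CS-limit fault (and what happens if it is not), since a wrong guess turns a crash into a silent retry loop. Taking `mmap_sem` for write in a user-mode trap handler is acceptable because it runs in process context, but a note on why `track_exec_limit()` needs the write side rather than a read lock would help.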
45147 +@@ -626,6 +640,13 @@ gp_in_kernel:
45148 + if (notify_die(DIE_GPF, "general protection fault", regs,
45149 + error_code, 13, SIGSEGV) == NOTIFY_STOP)
45150 + return;
45151 ++
45152 ++#ifdef CONFIG_PAX_KERNEXEC
45153 ++ if ((regs->xcs & 0xFFFF) == __KERNEL_CS)
45154 ++ die("PAX: suspicious general protection fault", regs, error_code);
45155 ++ else
45156 ++#endif
45157 ++
45158 + die("general protection fault", regs, error_code);
45159 + }
45160 + }
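Review bot: the added `else` after `die("PAX: suspicious general protection fault", ...)` hangs across `#endif` and a blank line before `die("general protection fault", ...)`, the same fragile pattern as in the `sys_i386_32.c` hunk. Since both branches call `die()` and only the string differs, select the message into a `const char *` under the `#ifdef` and make one `die()` call; that removes the dangling `else` and keeps the non-KERNEXEC build byte-identical to upstream. Note the check is on the selector only (`(regs->xcs & 0xFFFF) == __KERNEL_CS`), so a kernel-mode fault through any other code selector falls through to the plain message.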
45161 +@@ -715,7 +736,7 @@ void __kprobes die_nmi(struct pt_regs *r
45162 + /* If we are in kernel we are probably nested up pretty bad
45163 + * and might aswell get out now while we still can.
45164 + */
45165 +- if (!user_mode_vm(regs)) {
45166 ++ if (!user_mode(regs)) {
45167 + current->thread.trap_no = 2;
45168 + crash_kexec(regs);
45169 + }
45170 +@@ -866,7 +887,7 @@ fastcall void __kprobes do_debug(struct
45171 + * check for kernel mode by just checking the CPL
45172 + * of CS.
45173 + */
45174 +- if (!user_mode(regs))
45175 ++ if (!user_mode_novm(regs))
45176 + goto clear_TF_reenable;
45177 + }
45178 +
45179 +@@ -1044,18 +1065,14 @@ fastcall void do_spurious_interrupt_bug(
45180 + fastcall unsigned long patch_espfix_desc(unsigned long uesp,
45181 + unsigned long kesp)
45182 + {
45183 +- struct desc_struct *gdt = __get_cpu_var(gdt_page).gdt;
45184 + unsigned long base = (kesp - uesp) & -THREAD_SIZE;
45185 + unsigned long new_kesp = kesp - base;
45186 + unsigned long lim_pages = (new_kesp | (THREAD_SIZE - 1)) >> PAGE_SHIFT;
45187 +- __u64 desc = *(__u64 *)&gdt[GDT_ENTRY_ESPFIX_SS];
45188 ++ __u32 a, b;
45189 ++
45190 + /* Set up base for espfix segment */
45191 +- desc &= 0x00f0ff0000000000ULL;
45192 +- desc |= ((((__u64)base) << 16) & 0x000000ffffff0000ULL) |
45193 +- ((((__u64)base) << 32) & 0xff00000000000000ULL) |
45194 +- ((((__u64)lim_pages) << 32) & 0x000f000000000000ULL) |
45195 +- (lim_pages & 0xffff);
45196 +- *(__u64 *)&gdt[GDT_ENTRY_ESPFIX_SS] = desc;
45197 ++ pack_descriptor(&a, &b, base, lim_pages, 0x93, 0xC);
45198 ++ write_gdt_entry(get_cpu_gdt_table(smp_processor_id()), GDT_ENTRY_ESPFIX_SS, a, b);
45199 + return new_kesp;
45200 + }
45201 +
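Review bot: `pack_descriptor(&a, &b, base, lim_pages, 0x93, 0xC)` hardcodes the access byte and flags nibble, whereas the removed code preserved whatever the existing `GDT_ENTRY_ESPFIX_SS` descriptor held via `desc &= 0x00f0ff0000000000ULL` (bits 40-47 and 52-55). `0x93` is present, DPL 0, writable data, accessed; `0xC` is G=1 (page granularity, matching `lim_pages`) and D/B=1. That is presumably what the boot-time espfix descriptor contains, but it is now a second copy of that fact, so add a comment pointing at the original definition or derive the values from it. Routing the store through `write_gdt_entry(get_cpu_gdt_table(smp_processor_id()), ...)` instead of writing `gdt[GDT_ENTRY_ESPFIX_SS]` directly is what a read-only GDT under KERNEXEC needs, and is the more important half of the change; say so in the commit message.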
45202 +diff -urNp linux-2.6.24.5/arch/x86/kernel/tsc_32.c linux-2.6.24.5/arch/x86/kernel/tsc_32.c
45203 +--- linux-2.6.24.5/arch/x86/kernel/tsc_32.c 2008-03-24 14:49:18.000000000 -0400
45204 ++++ linux-2.6.24.5/arch/x86/kernel/tsc_32.c 2008-03-26 20:21:08.000000000 -0400
45205 +@@ -322,7 +322,7 @@ static struct dmi_system_id __initdata b
45206 + DMI_MATCH(DMI_BOARD_NAME, "2635FA0"),
45207 + },
45208 + },
45209 +- {}
45210 ++ { NULL, NULL, {{0, NULL}}, NULL}
45211 + };
45212 +
45213 + /*
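Review bot: replacing the `{}` terminator with the positional `{ NULL, NULL, {{0, NULL}}, NULL}` yields the same all-zero sentinel (so `dmi_check_system()` still stops there), but it ties the initializer to the current field order of `struct dmi_system_id` and the nested `struct dmi_strmatch`; a reordering would compile and break silently. If the motive is a missing-field-initializer warning, a designated `{ .ident = NULL }` is equivalent and robust. The same applies to the `ctl_table` terminators in the `vsyscall_64.c` hunk further down.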
45214 +diff -urNp linux-2.6.24.5/arch/x86/kernel/vm86_32.c linux-2.6.24.5/arch/x86/kernel/vm86_32.c
45215 +--- linux-2.6.24.5/arch/x86/kernel/vm86_32.c 2008-03-24 14:49:18.000000000 -0400
45216 ++++ linux-2.6.24.5/arch/x86/kernel/vm86_32.c 2008-03-26 20:21:08.000000000 -0400
45217 +@@ -146,7 +146,7 @@ struct pt_regs * fastcall save_v86_state
45218 + do_exit(SIGSEGV);
45219 + }
45220 +
45221 +- tss = &per_cpu(init_tss, get_cpu());
45222 ++ tss = init_tss + get_cpu();
45223 + current->thread.esp0 = current->thread.saved_esp0;
45224 + current->thread.sysenter_cs = __KERNEL_CS;
45225 + load_esp0(tss, &current->thread);
45226 +@@ -322,7 +322,7 @@ static void do_sys_vm86(struct kernel_vm
45227 + tsk->thread.saved_fs = info->regs32->xfs;
45228 + savesegment(gs, tsk->thread.saved_gs);
45229 +
45230 +- tss = &per_cpu(init_tss, get_cpu());
45231 ++ tss = init_tss + get_cpu();
45232 + tsk->thread.esp0 = (unsigned long) &info->VM86_TSS_ESP0;
45233 + if (cpu_has_sep)
45234 + tsk->thread.sysenter_cs = 0;
45235 +diff -urNp linux-2.6.24.5/arch/x86/kernel/vmi_32.c linux-2.6.24.5/arch/x86/kernel/vmi_32.c
45236 +--- linux-2.6.24.5/arch/x86/kernel/vmi_32.c 2008-03-24 14:49:18.000000000 -0400
45237 ++++ linux-2.6.24.5/arch/x86/kernel/vmi_32.c 2008-03-26 20:21:08.000000000 -0400
45238 +@@ -98,18 +98,43 @@ static unsigned patch_internal(int call,
45239 + {
45240 + u64 reloc;
45241 + struct vmi_relocation_info *const rel = (struct vmi_relocation_info *)&reloc;
45242 ++
45243 ++#ifdef CONFIG_PAX_KERNEXEC
45244 ++ unsigned long cr0;
45245 ++#endif
45246 ++
45247 + reloc = call_vrom_long_func(vmi_rom, get_reloc, call);
45248 + switch(rel->type) {
45249 + case VMI_RELOCATION_CALL_REL:
45250 + BUG_ON(len < 5);
45251 ++
45252 ++#ifdef CONFIG_PAX_KERNEXEC
45253 ++ pax_open_kernel(cr0);
45254 ++#endif
45255 ++
45256 + *(char *)insnbuf = MNEM_CALL;
45257 + patch_offset(insnbuf, eip, (unsigned long)rel->eip);
45258 ++
45259 ++#ifdef CONFIG_PAX_KERNEXEC
45260 ++ pax_close_kernel(cr0);
45261 ++#endif
45262 ++
45263 + return 5;
45264 +
45265 + case VMI_RELOCATION_JUMP_REL:
45266 + BUG_ON(len < 5);
45267 ++
45268 ++#ifdef CONFIG_PAX_KERNEXEC
45269 ++ pax_open_kernel(cr0);
45270 ++#endif
45271 ++
45272 + *(char *)insnbuf = MNEM_JMP;
45273 + patch_offset(insnbuf, eip, (unsigned long)rel->eip);
45274 ++
45275 ++#ifdef CONFIG_PAX_KERNEXEC
45276 ++ pax_close_kernel(cr0);
45277 ++#endif
45278 ++
45279 + return 5;
45280 +
45281 + case VMI_RELOCATION_NOP:
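Review bot: the `pax_open_kernel(cr0)` / `pax_close_kernel(cr0)` pair is duplicated verbatim in the `VMI_RELOCATION_CALL_REL` and `VMI_RELOCATION_JUMP_REL` cases around one store to `insnbuf` plus `patch_offset()`. Both cases close before `return 5`, and `BUG_ON(len < 5)` correctly sits before the open so a BUG cannot fire inside the writable window, but a small helper that opens, stores the mnemonic, patches and closes would remove the four-way duplication and make an unbalanced pair impossible. The `#ifdef`-scoped `unsigned long cr0;` shows the macros stash CR0 in a local, which is only correct if the task cannot be preempted or migrated between open and close; that requirement belongs at the macro definition.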
45282 +@@ -492,14 +517,14 @@ static void vmi_set_pud(pud_t *pudp, pud
45283 +
45284 + static void vmi_pte_clear(struct mm_struct *mm, unsigned long addr, pte_t *ptep)
45285 + {
45286 +- const pte_t pte = { 0 };
45287 ++ const pte_t pte = __pte(0ULL);
45288 + vmi_check_page_type(__pa(ptep) >> PAGE_SHIFT, VMI_PAGE_PTE);
45289 + vmi_ops.set_pte(pte, ptep, vmi_flags_addr(mm, addr, VMI_PAGE_PT, 0));
45290 + }
45291 +
45292 + static void vmi_pmd_clear(pmd_t *pmd)
45293 + {
45294 +- const pte_t pte = { 0 };
45295 ++ const pte_t pte = __pte(0ULL);
45296 + vmi_check_page_type(__pa(pmd) >> PAGE_SHIFT, VMI_PAGE_PMD);
45297 + vmi_ops.set_pte(pte, (pte_t *)pmd, VMI_PAGE_PD);
45298 + }
45299 +@@ -528,8 +553,8 @@ vmi_startup_ipi_hook(int phys_apicid, un
45300 + ap.ss = __KERNEL_DS;
45301 + ap.esp = (unsigned long) start_esp;
45302 +
45303 +- ap.ds = __USER_DS;
45304 +- ap.es = __USER_DS;
45305 ++ ap.ds = __KERNEL_DS;
45306 ++ ap.es = __KERNEL_DS;
45307 + ap.fs = __KERNEL_PERCPU;
45308 + ap.gs = 0;
45309 +
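Review bot: the AP bootstrap segments change from `__USER_DS` to `__KERNEL_DS` for `ds`/`es` with no explanation in the hunk. This is a behaviour change in the VMI start-up path, not a cleanup: if the reason is that the user data segment can no longer address kernel memory in this tree (the `checksum_32.S` hunks below likewise have to reload `%ds`/`%es` from `%ss` on exit), say so in a comment so the next reader does not revert it for symmetry with upstream.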
45310 +@@ -724,12 +749,20 @@ static inline int __init activate_vmi(vo
45311 + u64 reloc;
45312 + const struct vmi_relocation_info *rel = (struct vmi_relocation_info *)&reloc;
45313 +
45314 ++#ifdef CONFIG_PAX_KERNEXEC
45315 ++ unsigned long cr0;
45316 ++#endif
45317 ++
45318 + if (call_vrom_func(vmi_rom, vmi_init) != 0) {
45319 + printk(KERN_ERR "VMI ROM failed to initialize!");
45320 + return 0;
45321 + }
45322 + savesegment(cs, kernel_cs);
45323 +
45324 ++#ifdef CONFIG_PAX_KERNEXEC
45325 ++ pax_open_kernel(cr0);
45326 ++#endif
45327 ++
45328 + pv_info.paravirt_enabled = 1;
45329 + pv_info.kernel_rpl = kernel_cs & SEGMENT_RPL_MASK;
45330 + pv_info.name = "vmi";
45331 +@@ -917,6 +950,10 @@ static inline int __init activate_vmi(vo
45332 +
45333 + para_fill(pv_irq_ops.safe_halt, Halt);
45334 +
45335 ++#ifdef CONFIG_PAX_KERNEXEC
45336 ++ pax_close_kernel(cr0);
45337 ++#endif
45338 ++
45339 + /*
45340 + * Alternative instruction rewriting doesn't happen soon enough
45341 + * to convert VMI_IRET to a call instead of a jump; so we have
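Review bot: the `pax_open_kernel(cr0)` placed after `savesegment(cs, kernel_cs)` in the `-724,12` hunk and the `pax_close_kernel(cr0)` here bracket the entire run of `pv_info`/`para_fill` assignments that lies between the two hunks, roughly two hundred source lines that the diff does not show. Any `return` or `goto` in that stretch would leave CR0.WP cleared for the rest of boot; confirm there is none, and add a comment at the open site naming the close site so the pairing survives future edits. The only visible early exit (`return 0` after the failed `vmi_init`) correctly precedes the open.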
45342 +diff -urNp linux-2.6.24.5/arch/x86/kernel/vmlinux_32.lds.S linux-2.6.24.5/arch/x86/kernel/vmlinux_32.lds.S
45343 +--- linux-2.6.24.5/arch/x86/kernel/vmlinux_32.lds.S 2008-03-24 14:49:18.000000000 -0400
45344 ++++ linux-2.6.24.5/arch/x86/kernel/vmlinux_32.lds.S 2008-03-26 20:21:08.000000000 -0400
45345 +@@ -21,6 +21,20 @@
45346 + #include <asm/page.h>
45347 + #include <asm/cache.h>
45348 + #include <asm/boot.h>
45349 ++#include <asm/segment.h>
45350 ++
45351 ++#ifdef CONFIG_X86_PAE
45352 ++#define PMD_SHIFT 21
45353 ++#else
45354 ++#define PMD_SHIFT 22
45355 ++#endif
45356 ++#define PMD_SIZE (1 << PMD_SHIFT)
45357 ++
45358 ++#ifdef CONFIG_PAX_KERNEXEC
45359 ++#define __KERNEL_TEXT_OFFSET (__PAGE_OFFSET + (((____LOAD_PHYSICAL_ADDR + 2*(PMD_SIZE - 1)) - 1) & ~(PMD_SIZE - 1)))
45360 ++#else
45361 ++#define __KERNEL_TEXT_OFFSET 0
45362 ++#endif
45363 +
45364 + OUTPUT_FORMAT("elf32-i386", "elf32-i386", "elf32-i386")
45365 + OUTPUT_ARCH(i386)
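Review bot: `PMD_SHIFT` is hardcoded to 21/22 in the linker script instead of coming from the page-table headers, duplicating a constant that `asm/pgtable*.h` already defines; if those headers cannot be included from a linker script, a comment pointing at the canonical definition is the next best thing. The `__KERNEL_TEXT_OFFSET` expression `(((____LOAD_PHYSICAL_ADDR + 2*(PMD_SIZE - 1)) - 1) & ~(PMD_SIZE - 1))` is hard to read: it is `(addr + 2*PMD_SIZE - 3) & ~(PMD_SIZE - 1)`, which for a PMD-aligned load address is exactly `addr + PMD_SIZE` and for other values is not obviously the intended rounding (an address 1 or 2 bytes past a boundary is rounded to the next boundary, 3 or more bytes past it to the one after). If the goal is "the first PMD boundary at least one PMD above the load address", `ALIGN(addr + PMD_SIZE, PMD_SIZE)` says that directly; with the default 1 MiB load address both forms give `__PAGE_OFFSET + 8 MiB` (4 MiB PMDs) or `+ 4 MiB` (PAE), which would be worth recording in a comment.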
45366 +@@ -28,22 +42,125 @@ ENTRY(phys_startup_32)
45367 + jiffies = jiffies_64;
45368 +
45369 + PHDRS {
45370 +- text PT_LOAD FLAGS(5); /* R_E */
45371 +- data PT_LOAD FLAGS(7); /* RWE */
45372 +- note PT_NOTE FLAGS(0); /* ___ */
45373 ++ initdata PT_LOAD FLAGS(6); /* RW_ */
45374 ++ percpu PT_LOAD FLAGS(6); /* RW_ */
45375 ++ inittext PT_LOAD FLAGS(5); /* R_E */
45376 ++ text PT_LOAD FLAGS(5); /* R_E */
45377 ++ rodata PT_LOAD FLAGS(4); /* R__ */
45378 ++ data PT_LOAD FLAGS(6); /* RW_ */
45379 ++ note PT_NOTE FLAGS(0); /* ___ */
45380 + }
45381 + SECTIONS
45382 + {
45383 +- . = LOAD_OFFSET + LOAD_PHYSICAL_ADDR;
45384 +- phys_startup_32 = startup_32 - LOAD_OFFSET;
45385 ++ . = LOAD_OFFSET + ____LOAD_PHYSICAL_ADDR;
45386 ++
45387 ++ .text.startup : AT(ADDR(.text.startup) - LOAD_OFFSET) {
45388 ++ __LOAD_PHYSICAL_ADDR = . - LOAD_OFFSET;
45389 ++ phys_startup_32 = startup_32 - LOAD_OFFSET + __KERNEL_TEXT_OFFSET;
45390 ++ *(.text.startup)
45391 ++ } :initdata
45392 ++
45393 ++ /* might get freed after init */
45394 ++ . = ALIGN(4096);
45395 ++ .smp_locks : AT(ADDR(.smp_locks) - LOAD_OFFSET) {
45396 ++ __smp_locks = .;
45397 ++ *(.smp_locks)
45398 ++ __smp_locks_end = .;
45399 ++ }
45400 ++ /* will be freed after init
45401 ++ * Following ALIGN() is required to make sure no other data falls on the
45402 ++ * same page where __smp_alt_end is pointing as that page might be freed
45403 ++ * after boot. Always make sure that ALIGN() directive is present after
45404 ++ * the section which contains __smp_alt_end.
45405 ++ */
45406 ++ . = ALIGN(4096);
45407 ++
45408 ++ /* will be freed after init */
45409 ++ .init.data : AT(ADDR(.init.data) - LOAD_OFFSET) {
45410 ++ __init_begin = .;
45411 ++ *(.init.data)
45412 ++ }
45413 ++ . = ALIGN(16);
45414 ++ .init.setup : AT(ADDR(.init.setup) - LOAD_OFFSET) {
45415 ++ __setup_start = .;
45416 ++ *(.init.setup)
45417 ++ __setup_end = .;
45418 ++ }
45419 ++ .initcall.init : AT(ADDR(.initcall.init) - LOAD_OFFSET) {
45420 ++ __initcall_start = .;
45421 ++ INITCALLS
45422 ++ __initcall_end = .;
45423 ++ }
45424 ++ .con_initcall.init : AT(ADDR(.con_initcall.init) - LOAD_OFFSET) {
45425 ++ __con_initcall_start = .;
45426 ++ *(.con_initcall.init)
45427 ++ __con_initcall_end = .;
45428 ++ }
45429 ++ SECURITY_INIT
45430 ++ . = ALIGN(4);
45431 ++ .altinstructions : AT(ADDR(.altinstructions) - LOAD_OFFSET) {
45432 ++ __alt_instructions = .;
45433 ++ *(.altinstructions)
45434 ++ __alt_instructions_end = .;
45435 ++ }
45436 ++ .altinstr_replacement : AT(ADDR(.altinstr_replacement) - LOAD_OFFSET) {
45437 ++ *(.altinstr_replacement)
45438 ++ }
45439 ++ . = ALIGN(4);
45440 ++ .parainstructions : AT(ADDR(.parainstructions) - LOAD_OFFSET) {
45441 ++ __parainstructions = .;
45442 ++ *(.parainstructions)
45443 ++ __parainstructions_end = .;
45444 ++ }
45445 ++ .exit.data : AT(ADDR(.exit.data) - LOAD_OFFSET) { *(.exit.data) }
45446 ++#if defined(CONFIG_BLK_DEV_INITRD)
45447 ++ . = ALIGN(4096);
45448 ++ .init.ramfs : AT(ADDR(.init.ramfs) - LOAD_OFFSET) {
45449 ++ __initramfs_start = .;
45450 ++ *(.init.ramfs)
45451 ++ __initramfs_end = .;
45452 ++ }
45453 ++#endif
45454 ++ . = ALIGN(4096);
45455 ++ per_cpu_start = .;
45456 ++ .data.percpu (0) : AT(ADDR(.data.percpu) - LOAD_OFFSET + per_cpu_start) {
45457 ++ __per_cpu_start = . + per_cpu_start;
45458 ++ LONG(0)
45459 ++ *(.data.percpu)
45460 ++ *(.data.percpu.shared_aligned)
45461 ++ __per_cpu_end = . + per_cpu_start;
45462 ++ } :percpu
45463 ++ . += per_cpu_start;
45464 ++
45465 ++ /* read-only */
45466 ++
45467 ++ . = ALIGN(4096); /* Init code and data */
45468 ++ .init.text (. - __KERNEL_TEXT_OFFSET) : AT(ADDR(.init.text) - LOAD_OFFSET + __KERNEL_TEXT_OFFSET) {
45469 ++ _sinittext = .;
45470 ++ *(.init.text)
45471 ++ _einittext = .;
45472 ++ } :inittext
45473 ++
45474 ++ /* .exit.text is discard at runtime, not link time, to deal with references
45475 ++ from .altinstructions and .eh_frame */
45476 ++ .exit.text : AT(ADDR(.exit.text) - LOAD_OFFSET + __KERNEL_TEXT_OFFSET) { *(.exit.text) }
45477 +
45478 +- .text.head : AT(ADDR(.text.head) - LOAD_OFFSET) {
45479 +- _text = .; /* Text and read-only data */
45480 ++ .filler : AT(ADDR(.filler) - LOAD_OFFSET + __KERNEL_TEXT_OFFSET) {
45481 ++ BYTE(0)
45482 ++ . = ALIGN(2*PMD_SIZE) - 1;
45483 ++ }
45484 ++
45485 ++ /* freed after init ends here */
45486 ++
45487 ++ .text.head : AT(ADDR(.text.head) - LOAD_OFFSET + __KERNEL_TEXT_OFFSET) {
45488 ++ __init_end = . + __KERNEL_TEXT_OFFSET;
45489 ++ KERNEL_TEXT_OFFSET = . + __KERNEL_TEXT_OFFSET;
45490 ++ _text = .; /* Text and read-only data */
45491 + *(.text.head)
45492 + } :text = 0x9090
45493 +
45494 + /* read-only */
45495 +- .text : AT(ADDR(.text) - LOAD_OFFSET) {
45496 ++ .text : AT(ADDR(.text) - LOAD_OFFSET + __KERNEL_TEXT_OFFSET) {
45497 + TEXT_TEXT
45498 + SCHED_TEXT
45499 + LOCK_TEXT
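Review bot: the substance of this hunk is the PHDRS change: the single `data PT_LOAD FLAGS(7) /* RWE */` segment is gone and no segment is RWE any more (`initdata`, `percpu`, `data` are RW_, `inittext` and `text` are R_E, `rodata` is R__), which is the W^X split KERNEXEC relies on. Two things need a comment or a line in the commit message. First, `.text.startup` is assigned to `:initdata` (RW_) even though `startup_32` executes from it; if that is deliberate because PT_LOAD flags are advisory for the kernel image itself, say so. Second, `.init.text` is given the VMA `. - __KERNEL_TEXT_OFFSET` while its LMA keeps `+ __KERNEL_TEXT_OFFSET`, and `.text.head`, `.text` and the symbols `_sinittext`, `_einittext`, `_text` then live in that shifted address space until the `. += __KERNEL_TEXT_OFFSET;` in the next hunk undoes it, whereas `__init_end = . + __KERNEL_TEXT_OFFSET` and `KERNEL_TEXT_OFFSET = . + __KERNEL_TEXT_OFFSET` inside `.text.head` are converted back to linear addresses. A short comment at the `.init.text` line explaining the two address spaces would save the next reader a lot of time. Minor: `.filler` ends at `ALIGN(2*PMD_SIZE) - 1` after a single `BYTE(0)`, relying on `.text.head`'s own input alignment to land exactly on the boundary; that trick deserves a comment too.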
45500 +@@ -53,16 +170,17 @@ SECTIONS
45501 + _etext = .; /* End of text section */
45502 + } :text = 0x9090
45503 +
45504 +- . = ALIGN(16); /* Exception table */
45505 ++ . += __KERNEL_TEXT_OFFSET;
45506 ++ . = ALIGN(4096); /* Exception table */
45507 + __ex_table : AT(ADDR(__ex_table) - LOAD_OFFSET) {
45508 + __start___ex_table = .;
45509 + *(__ex_table)
45510 + __stop___ex_table = .;
45511 +- }
45512 ++ } :rodata
45513 +
45514 +- NOTES :text :note
45515 ++ NOTES :rodata :note
45516 +
45517 +- BUG_TABLE :text
45518 ++ BUG_TABLE :rodata
45519 +
45520 + . = ALIGN(4);
45521 + .tracedata : AT(ADDR(.tracedata) - LOAD_OFFSET) {
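Review bot: `__ex_table`, `NOTES` and `BUG_TABLE` move from `:text` to the new `:rodata` phdr, which is the right direction since none of them needs to be executable, and the `ALIGN(16)` -> `ALIGN(4096)` bump is what makes the segment boundary page-aligned so it can carry different protections. Because `. += __KERNEL_TEXT_OFFSET;` directly precedes it, the alignment is applied after the shift back to linear addresses; a one-line comment tying those three lines together would keep someone from "restoring" the 16-byte alignment as an optimization.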
45522 +@@ -71,11 +189,38 @@ SECTIONS
45523 + __tracedata_end = .;
45524 + }
45525 +
45526 +- RODATA
45527 ++ RO_DATA(4096)
45528 ++
45529 ++ . = ALIGN(4096);
45530 ++ .rodata.page_aligned : AT(ADDR(.rodata.page_aligned) - LOAD_OFFSET) {
45531 ++ *(.idt)
45532 ++ . = ALIGN(4096);
45533 ++ *(.empty_zero_page)
45534 ++ *(.swapper_pm_dir)
45535 ++ *(.swapper_pg_dir)
45536 ++ }
45537 ++
45538 ++#ifdef CONFIG_PAX_KERNEXEC
45539 ++
45540 ++#ifdef CONFIG_MODULES
45541 ++ . = ALIGN(4096);
45542 ++ .module.text : AT(ADDR(.module.text) - LOAD_OFFSET) {
45543 ++ MODULES_VADDR = .;
45544 ++ BYTE(0)
45545 ++ . += (6 * 1024 * 1024);
45546 ++ . = ALIGN( PMD_SIZE) - 1;
45547 ++ MODULES_END = .;
45548 ++ }
45549 ++#else
45550 ++ . = ALIGN(PMD_SIZE) - 1;
45551 ++#endif
45552 ++
45553 ++#endif
45554 +
45555 + /* writeable */
45556 + . = ALIGN(4096);
45557 + .data : AT(ADDR(.data) - LOAD_OFFSET) { /* Data */
45558 ++ _data = .;
45559 + DATA_DATA
45560 + CONSTRUCTORS
45561 + } :data
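Review bot: `.rodata.page_aligned` now collects `*(.idt)`, `*(.empty_zero_page)`, `*(.swapper_pm_dir)` and `*(.swapper_pg_dir)` under the read-only phdr. The IDT and zero page belong there, but `swapper_pg_dir` is the initial page directory and is written during early boot and whenever kernel page tables are synchronized; placing it in rodata assumes every such writer goes through the KERNEXEC open/close path (or runs before protections are applied). That invariant is not visible in this region and must be stated next to the section. Under `CONFIG_PAX_KERNEXEC` with `CONFIG_MODULES`, `.module.text` reserves a fixed `6 * 1024 * 1024` bytes between `MODULES_VADDR` and `MODULES_END` inside the kernel image; the 6 MiB is a magic number with no rationale and no Kconfig knob in sight, and `ALIGN( PMD_SIZE)` has a stray space. `RODATA` -> `RO_DATA(4096)` simply requests page alignment for the read-only data, consistent with the rest of the split.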
45562 +@@ -91,7 +236,6 @@ SECTIONS
45563 + . = ALIGN(4096);
45564 + .data.page_aligned : AT(ADDR(.data.page_aligned) - LOAD_OFFSET) {
45565 + *(.data.page_aligned)
45566 +- *(.data.idt)
45567 + }
45568 +
45569 + . = ALIGN(32);
45570 +@@ -111,86 +255,7 @@ SECTIONS
45571 + *(.data.init_task)
45572 + }
45573 +
45574 +- /* might get freed after init */
45575 +- . = ALIGN(4096);
45576 +- .smp_locks : AT(ADDR(.smp_locks) - LOAD_OFFSET) {
45577 +- __smp_locks = .;
45578 +- *(.smp_locks)
45579 +- __smp_locks_end = .;
45580 +- }
45581 +- /* will be freed after init
45582 +- * Following ALIGN() is required to make sure no other data falls on the
45583 +- * same page where __smp_alt_end is pointing as that page might be freed
45584 +- * after boot. Always make sure that ALIGN() directive is present after
45585 +- * the section which contains __smp_alt_end.
45586 +- */
45587 +- . = ALIGN(4096);
45588 +-
45589 +- /* will be freed after init */
45590 +- . = ALIGN(4096); /* Init code and data */
45591 +- .init.text : AT(ADDR(.init.text) - LOAD_OFFSET) {
45592 +- __init_begin = .;
45593 +- _sinittext = .;
45594 +- *(.init.text)
45595 +- _einittext = .;
45596 +- }
45597 +- .init.data : AT(ADDR(.init.data) - LOAD_OFFSET) { *(.init.data) }
45598 +- . = ALIGN(16);
45599 +- .init.setup : AT(ADDR(.init.setup) - LOAD_OFFSET) {
45600 +- __setup_start = .;
45601 +- *(.init.setup)
45602 +- __setup_end = .;
45603 +- }
45604 +- .initcall.init : AT(ADDR(.initcall.init) - LOAD_OFFSET) {
45605 +- __initcall_start = .;
45606 +- INITCALLS
45607 +- __initcall_end = .;
45608 +- }
45609 +- .con_initcall.init : AT(ADDR(.con_initcall.init) - LOAD_OFFSET) {
45610 +- __con_initcall_start = .;
45611 +- *(.con_initcall.init)
45612 +- __con_initcall_end = .;
45613 +- }
45614 +- SECURITY_INIT
45615 +- . = ALIGN(4);
45616 +- .altinstructions : AT(ADDR(.altinstructions) - LOAD_OFFSET) {
45617 +- __alt_instructions = .;
45618 +- *(.altinstructions)
45619 +- __alt_instructions_end = .;
45620 +- }
45621 +- .altinstr_replacement : AT(ADDR(.altinstr_replacement) - LOAD_OFFSET) {
45622 +- *(.altinstr_replacement)
45623 +- }
45624 +- . = ALIGN(4);
45625 +- .parainstructions : AT(ADDR(.parainstructions) - LOAD_OFFSET) {
45626 +- __parainstructions = .;
45627 +- *(.parainstructions)
45628 +- __parainstructions_end = .;
45629 +- }
45630 +- /* .exit.text is discard at runtime, not link time, to deal with references
45631 +- from .altinstructions and .eh_frame */
45632 +- .exit.text : AT(ADDR(.exit.text) - LOAD_OFFSET) { *(.exit.text) }
45633 +- .exit.data : AT(ADDR(.exit.data) - LOAD_OFFSET) { *(.exit.data) }
45634 +-#if defined(CONFIG_BLK_DEV_INITRD)
45635 +- . = ALIGN(4096);
45636 +- .init.ramfs : AT(ADDR(.init.ramfs) - LOAD_OFFSET) {
45637 +- __initramfs_start = .;
45638 +- *(.init.ramfs)
45639 +- __initramfs_end = .;
45640 +- }
45641 +-#endif
45642 +- . = ALIGN(4096);
45643 +- .data.percpu : AT(ADDR(.data.percpu) - LOAD_OFFSET) {
45644 +- __per_cpu_start = .;
45645 +- *(.data.percpu)
45646 +- *(.data.percpu.shared_aligned)
45647 +- __per_cpu_end = .;
45648 +- }
45649 +- . = ALIGN(4096);
45650 +- /* freed after init ends here */
45651 +-
45652 + .bss : AT(ADDR(.bss) - LOAD_OFFSET) {
45653 +- __init_end = .;
45654 + __bss_start = .; /* BSS */
45655 + *(.bss.page_aligned)
45656 + *(.bss)
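Review bot: besides deleting the old init-section block, this hunk removes `__init_end = .;` from `.bss`; `__init_end` is now defined in the `-28,22` hunk inside `.text.head` as `. + __KERNEL_TEXT_OFFSET`, i.e. before the kernel text rather than after it. Anything computing the freeable range as `__init_begin .. __init_end` now spans `.init.data` through `.filler` (the percpu area included) and has to treat both symbols as linear addresses; `free_initmem()` and the read-only marking in `arch/x86/mm/init_32.c` are not in this region and should be checked against the new layout. The deleted lines are mostly a straight move, but the relocated `.data.percpu` block changed shape (`.data.percpu (0) : AT(... + per_cpu_start)` with a leading `LONG(0)` and `per_cpu_start`-relative symbols), which is a real change hidden inside a move and should be explained in the commit message.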
45657 +diff -urNp linux-2.6.24.5/arch/x86/kernel/vmlinux_64.lds.S linux-2.6.24.5/arch/x86/kernel/vmlinux_64.lds.S
45658 +--- linux-2.6.24.5/arch/x86/kernel/vmlinux_64.lds.S 2008-03-24 14:49:18.000000000 -0400
45659 ++++ linux-2.6.24.5/arch/x86/kernel/vmlinux_64.lds.S 2008-03-26 20:21:08.000000000 -0400
45660 +@@ -16,8 +16,8 @@ jiffies_64 = jiffies;
45661 + _proxy_pda = 1;
45662 + PHDRS {
45663 + text PT_LOAD FLAGS(5); /* R_E */
45664 +- data PT_LOAD FLAGS(7); /* RWE */
45665 +- user PT_LOAD FLAGS(7); /* RWE */
45666 ++ data PT_LOAD FLAGS(6); /* RW_ */
45667 ++ user PT_LOAD FLAGS(7); /* RWX */
45668 + data.init PT_LOAD FLAGS(7); /* RWE */
45669 + note PT_NOTE FLAGS(4); /* R__ */
45670 + }
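Review bot: the `data` phdr drops E (`FLAGS(7)` -> `FLAGS(6)`), which is the point of the change, but `user` keeps `FLAGS(7)` and only its comment is relabelled from `RWE` to `RWX`, now inconsistent with the `RWE` spelling still used for `data.init` two lines below. If the vsyscall page really must remain writable and executable at the phdr level, a comment explaining why is more useful than a relabel; if not, it should get `FLAGS(5)` like `text`. `data.init` staying RWE is defensible because the init text inherits that phdr (see the `} :data.init` moved onto `.smp_locks` further down), but it should be called out as the one W+X region left in the image until init memory is freed.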
45671 +@@ -52,7 +52,7 @@ SECTIONS
45672 +
45673 + BUG_TABLE :text
45674 +
45675 +- RODATA
45676 ++ RO_DATA(4096)
45677 +
45678 + . = ALIGN(4);
45679 + .tracedata : AT(ADDR(.tracedata) - LOAD_OFFSET) {
45680 +@@ -61,15 +61,18 @@ SECTIONS
45681 + __tracedata_end = .;
45682 + }
45683 +
45684 ++#ifdef CONFIG_PAX_KERNEXEC
45685 ++ . = ALIGN(2*1024*1024); /* Align data segment to PMD size boundary */
45686 ++#else
45687 + . = ALIGN(PAGE_SIZE); /* Align data segment to page size boundary */
45688 ++#endif
45689 + /* Data */
45690 ++ _data = .;
45691 + .data : AT(ADDR(.data) - LOAD_OFFSET) {
45692 + DATA_DATA
45693 + CONSTRUCTORS
45694 + } :data
45695 +
45696 +- _edata = .; /* End of data section */
45697 +-
45698 + . = ALIGN(PAGE_SIZE);
45699 + . = ALIGN(CONFIG_X86_L1_CACHE_BYTES);
45700 + .data.cacheline_aligned : AT(ADDR(.data.cacheline_aligned) - LOAD_OFFSET) {
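Review bot: under `CONFIG_PAX_KERNEXEC` the data segment is aligned to `2*1024*1024` instead of `PAGE_SIZE` so the text/data boundary can be expressed with 2 MiB PMD mappings; that costs up to 2 MiB of padding, which is the expected trade-off but deserves a comment. The same `ALIGN(2*1024*1024)` appears unconditionally before `_end` in the `-221,6` hunk below, so the two should agree on whether the alignment is KERNEXEC-only. `_data = .;` is placed outside the `.data` output section here but inside it in the 32-bit script; both give the same address, but pick one style. `_edata` is removed here and reinstated after `.data_nosave` in the next hunk, so the `.data`-to-`_edata` span now includes `init_task`, the page-aligned data and the nosave area; anything that assumed `_edata` ends right after `.data.read_mostly` needs a look.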
45701 +@@ -80,9 +83,27 @@ SECTIONS
45702 + *(.data.read_mostly)
45703 + }
45704 +
45705 ++ . = ALIGN(8192); /* init_task */
45706 ++ .data.init_task : AT(ADDR(.data.init_task) - LOAD_OFFSET) {
45707 ++ *(.data.init_task)
45708 ++ }
45709 ++
45710 ++ . = ALIGN(4096);
45711 ++ .data.page_aligned : AT(ADDR(.data.page_aligned) - LOAD_OFFSET) {
45712 ++ *(.data.page_aligned)
45713 ++ }
45714 ++
45715 ++ . = ALIGN(4096);
45716 ++ __nosave_begin = .;
45717 ++ .data_nosave : AT(ADDR(.data_nosave) - LOAD_OFFSET) { *(.data.nosave) }
45718 ++ . = ALIGN(4096);
45719 ++ __nosave_end = .;
45720 ++
45721 ++ _edata = .; /* End of data section */
45722 ++
45723 + #define VSYSCALL_ADDR (-10*1024*1024)
45724 +-#define VSYSCALL_PHYS_ADDR ((LOADADDR(.data.read_mostly) + SIZEOF(.data.read_mostly) + 4095) & ~(4095))
45725 +-#define VSYSCALL_VIRT_ADDR ((ADDR(.data.read_mostly) + SIZEOF(.data.read_mostly) + 4095) & ~(4095))
45726 ++#define VSYSCALL_PHYS_ADDR ((LOADADDR(.data_nosave) + SIZEOF(.data_nosave) + 4095) & ~(4095))
45727 ++#define VSYSCALL_VIRT_ADDR ((ADDR(.data_nosave) + SIZEOF(.data_nosave) + 4095) & ~(4095))
45728 +
45729 + #define VLOAD_OFFSET (VSYSCALL_ADDR - VSYSCALL_PHYS_ADDR)
45730 + #define VLOAD(x) (ADDR(x) - VLOAD_OFFSET)
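Review bot: `.data.init_task` loses the `}:data.init` phdr assignment it carried at its old location (see the removed lines in the `-130,23` hunk), so after this move it falls into `:data` (RW_) together with `.data.page_aligned` and `.data_nosave`. That is presumably intended, since `init_task` is never freed and has no business in the RWE init segment, but it is a behaviour change hidden inside what reads as a move; state it in the commit message. `VSYSCALL_PHYS_ADDR`/`VSYSCALL_VIRT_ADDR` now anchor on `.data_nosave` instead of `.data.read_mostly`; as the nosave block is the last thing before the relocated `_edata`, the vsyscall page still lands on the first page after the data, which is consistent.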
45731 +@@ -130,23 +151,13 @@ SECTIONS
45732 + #undef VVIRT_OFFSET
45733 + #undef VVIRT
45734 +
45735 +- . = ALIGN(8192); /* init_task */
45736 +- .data.init_task : AT(ADDR(.data.init_task) - LOAD_OFFSET) {
45737 +- *(.data.init_task)
45738 +- }:data.init
45739 +-
45740 +- . = ALIGN(4096);
45741 +- .data.page_aligned : AT(ADDR(.data.page_aligned) - LOAD_OFFSET) {
45742 +- *(.data.page_aligned)
45743 +- }
45744 +-
45745 + /* might get freed after init */
45746 + . = ALIGN(4096);
45747 + __smp_alt_begin = .;
45748 + __smp_locks = .;
45749 + .smp_locks : AT(ADDR(.smp_locks) - LOAD_OFFSET) {
45750 + *(.smp_locks)
45751 +- }
45752 ++ } :data.init
45753 + __smp_locks_end = .;
45754 + . = ALIGN(4096);
45755 + __smp_alt_end = .;
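Review bot: with `.data.init_task` and `.data.page_aligned` moved out, `.smp_locks` becomes the first section of the `:data.init` phdr via the new `} :data.init`. That phdr is still `FLAGS(7)` (RWE) in the `-16,8` hunk, so everything from `.smp_locks` through the init text and data remains writable and executable until `free_initmem()`. Acceptable for memory that is discarded after boot, but since the whole series is about removing W+X mappings, add a comment here saying this is the deliberate exception.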
45756 +@@ -208,12 +219,6 @@ SECTIONS
45757 + . = ALIGN(4096);
45758 + __init_end = .;
45759 +
45760 +- . = ALIGN(4096);
45761 +- __nosave_begin = .;
45762 +- .data_nosave : AT(ADDR(.data_nosave) - LOAD_OFFSET) { *(.data.nosave) }
45763 +- . = ALIGN(4096);
45764 +- __nosave_end = .;
45765 +-
45766 + __bss_start = .; /* BSS */
45767 + .bss : AT(ADDR(.bss) - LOAD_OFFSET) {
45768 + *(.bss.page_aligned)
45769 +@@ -221,6 +226,7 @@ SECTIONS
45770 + }
45771 + __bss_stop = .;
45772 +
45773 ++ . = ALIGN(2*1024*1024);
45774 + _end = . ;
45775 +
45776 + /* Sections to be discarded */
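Review bot: the `. = ALIGN(2*1024*1024);` before `_end` is unconditional, whereas the matching 2 MiB alignment of the data segment in the `-61,15` hunk is under `#ifdef CONFIG_PAX_KERNEXEC`. Either guard this one the same way or comment why end-of-image padding is needed in every configuration; as written, a non-KERNEXEC build reserves up to 2 MiB of extra memory for no stated reason.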
45777 +diff -urNp linux-2.6.24.5/arch/x86/kernel/vsyscall_64.c linux-2.6.24.5/arch/x86/kernel/vsyscall_64.c
45778 +--- linux-2.6.24.5/arch/x86/kernel/vsyscall_64.c 2008-03-24 14:49:18.000000000 -0400
45779 ++++ linux-2.6.24.5/arch/x86/kernel/vsyscall_64.c 2008-03-26 20:21:08.000000000 -0400
45780 +@@ -271,13 +271,13 @@ static ctl_table kernel_table2[] = {
45781 + .data = &vsyscall_gtod_data.sysctl_enabled, .maxlen = sizeof(int),
45782 + .mode = 0644,
45783 + .proc_handler = vsyscall_sysctl_change },
45784 +- {}
45785 ++ { 0, NULL, NULL, 0, 0, NULL, NULL, NULL, NULL, NULL, NULL }
45786 + };
45787 +
45788 + static ctl_table kernel_root_table2[] = {
45789 + { .ctl_name = CTL_KERN, .procname = "kernel", .mode = 0555,
45790 + .child = kernel_table2 },
45791 +- {}
45792 ++ { 0, NULL, NULL, 0, 0, NULL, NULL, NULL, NULL, NULL, NULL }
45793 + };
45794 +
45795 + #endif
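Review bot: both `{}` sentinels in `kernel_table2[]` and `kernel_root_table2[]` become the positional `{ 0, NULL, NULL, 0, 0, NULL, NULL, NULL, NULL, NULL, NULL }`, which spells out every field of `ctl_table` in declaration order. It is still an all-zero terminator, but unlike `{}` it must be edited whenever `ctl_table` changes shape, and C only complains if too many initializers are given, not too few. `{ .ctl_name = 0 }` satisfies a missing-field-initializer warning without that coupling; the same comment applies to the `dmi_system_id` terminator in the `tsc_32.c` hunk above.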
45796 +@@ -288,6 +288,11 @@ static void __cpuinit vsyscall_set_cpu(i
45797 + {
45798 + unsigned long *d;
45799 + unsigned long node = 0;
45800 ++
45801 ++#ifdef CONFIG_PAX_KERNEXEC
45802 ++ unsigned long cr0;
45803 ++#endif
45804 ++
45805 + #ifdef CONFIG_NUMA
45806 + node = cpu_to_node(cpu);
45807 + #endif
45808 +@@ -298,10 +303,20 @@ static void __cpuinit vsyscall_set_cpu(i
45809 + in user space in vgetcpu.
45810 + 12 bits for the CPU and 8 bits for the node. */
45811 + d = (unsigned long *)(cpu_gdt(cpu) + GDT_ENTRY_PER_CPU);
45812 ++
45813 ++#ifdef CONFIG_PAX_KERNEXEC
45814 ++ pax_open_kernel(cr0);
45815 ++#endif
45816 ++
45817 + *d = 0x0f40000000000ULL;
45818 + *d |= cpu;
45819 + *d |= (node & 0xf) << 12;
45820 + *d |= (node >> 4) << 48;
45821 ++
45822 ++#ifdef CONFIG_PAX_KERNEXEC
45823 ++ pax_close_kernel(cr0);
45824 ++#endif
45825 ++
45826 + }
45827 +
45828 + static void __cpuinit cpu_vsyscall_init(void *arg)
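Review bot: the `pax_open_kernel(cr0)` / `pax_close_kernel(cr0)` window wraps the four `*d` stores into the per-CPU GDT entry `GDT_ENTRY_PER_CPU`, which is what a read-only GDT under KERNEXEC requires; the `cr0` local was declared in the `-288,6` hunk. Because the saved `cr0` is per-CPU state, the window must not be preemptible and must execute on `cpu` itself; `vsyscall_set_cpu()` is `__cpuinit` and is called from `cpu_vsyscall_init()`, whose calling context is not in this region, so confirm it runs with preemption disabled on the target CPU and note that at the open site. The blank line left between `#endif` and the closing `}` is noise.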
45829 +diff -urNp linux-2.6.24.5/arch/x86/lib/checksum_32.S linux-2.6.24.5/arch/x86/lib/checksum_32.S
45830 +--- linux-2.6.24.5/arch/x86/lib/checksum_32.S 2008-03-24 14:49:18.000000000 -0400
45831 ++++ linux-2.6.24.5/arch/x86/lib/checksum_32.S 2008-03-26 20:21:08.000000000 -0400
45832 +@@ -28,7 +28,8 @@
45833 + #include <linux/linkage.h>
45834 + #include <asm/dwarf2.h>
45835 + #include <asm/errno.h>
45836 +-
45837 ++#include <asm/segment.h>
45838 ++
45839 + /*
45840 + * computes a partial checksum, e.g. for TCP/UDP fragments
45841 + */
45842 +@@ -304,9 +305,22 @@ unsigned int csum_partial_copy_generic (
45843 +
45844 + #define ARGBASE 16
45845 + #define FP 12
45846 +-
45847 +-ENTRY(csum_partial_copy_generic)
45848 ++
45849 ++ENTRY(csum_partial_copy_generic_to_user)
45850 + CFI_STARTPROC
45851 ++ pushl $(__USER_DS)
45852 ++ CFI_ADJUST_CFA_OFFSET 4
45853 ++ popl %es
45854 ++ CFI_ADJUST_CFA_OFFSET -4
45855 ++ jmp csum_partial_copy_generic
45856 ++
45857 ++ENTRY(csum_partial_copy_generic_from_user)
45858 ++ pushl $(__USER_DS)
45859 ++ CFI_ADJUST_CFA_OFFSET 4
45860 ++ popl %ds
45861 ++ CFI_ADJUST_CFA_OFFSET -4
45862 ++
45863 ++ENTRY(csum_partial_copy_generic)
45864 + subl $4,%esp
45865 + CFI_ADJUST_CFA_OFFSET 4
45866 + pushl %edi
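Review bot: two new entry points are added: `csum_partial_copy_generic_to_user` loads `%es` with `__USER_DS` and jumps to the generic body, whose `DST()` stores (following hunks) now carry an explicit `%es:` override, while `csum_partial_copy_generic_from_user` loads `%ds` with `__USER_DS` and falls straight through into `csum_partial_copy_generic` so the `SRC()` loads use the user segment. Three points: (1) `CFI_STARTPROC` now sits under `_to_user` and there is no `CFI_ENDPROC` before the other two labels, so all three share one FDE; that is consistent for the fall-through, but `_from_user` and the generic entry are then not separate procedures to an unwinder, so either comment on it or give each its own `CFI_STARTPROC`/`CFI_ENDPROC`. (2) The variants are one-sided: `_from_user` leaves `%es` at the kernel value and `_to_user` leaves `%ds`, so a caller with both a user source and a user destination cannot use either; document that at the labels. (3) The fall-through from `_from_user` crosses the alignment padding that `ENTRY(csum_partial_copy_generic)` inserts; that is only safe because x86's `ALIGN` pads with `0x90` nops, which deserves a comment so nobody replaces the padding.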
45867 +@@ -331,7 +345,7 @@ ENTRY(csum_partial_copy_generic)
45868 + jmp 4f
45869 + SRC(1: movw (%esi), %bx )
45870 + addl $2, %esi
45871 +-DST( movw %bx, (%edi) )
45872 ++DST( movw %bx, %es:(%edi) )
45873 + addl $2, %edi
45874 + addw %bx, %ax
45875 + adcl $0, %eax
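Review bot: from here on every `DST()` store gains an `%es:` override while the `SRC()` loads keep the implicit `%ds`, matching the split made at the entry points (`_to_user` sets `%es`, `_from_user` sets `%ds`). The address arithmetic (`addl $2, %edi`, the `lea 32(%edi), %edi` pairs and so on) correctly stays segment-free. A single comment at the top of the routine stating "source through %ds, destination through %es, either may be __USER_DS" would explain the pattern once rather than leaving it to be inferred from a dozen near-identical changed lines.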
45876 +@@ -343,30 +357,30 @@ DST( movw %bx, (%edi) )
45877 + SRC(1: movl (%esi), %ebx )
45878 + SRC( movl 4(%esi), %edx )
45879 + adcl %ebx, %eax
45880 +-DST( movl %ebx, (%edi) )
45881 ++DST( movl %ebx, %es:(%edi) )
45882 + adcl %edx, %eax
45883 +-DST( movl %edx, 4(%edi) )
45884 ++DST( movl %edx, %es:4(%edi) )
45885 +
45886 + SRC( movl 8(%esi), %ebx )
45887 + SRC( movl 12(%esi), %edx )
45888 + adcl %ebx, %eax
45889 +-DST( movl %ebx, 8(%edi) )
45890 ++DST( movl %ebx, %es:8(%edi) )
45891 + adcl %edx, %eax
45892 +-DST( movl %edx, 12(%edi) )
45893 ++DST( movl %edx, %es:12(%edi) )
45894 +
45895 + SRC( movl 16(%esi), %ebx )
45896 + SRC( movl 20(%esi), %edx )
45897 + adcl %ebx, %eax
45898 +-DST( movl %ebx, 16(%edi) )
45899 ++DST( movl %ebx, %es:16(%edi) )
45900 + adcl %edx, %eax
45901 +-DST( movl %edx, 20(%edi) )
45902 ++DST( movl %edx, %es:20(%edi) )
45903 +
45904 + SRC( movl 24(%esi), %ebx )
45905 + SRC( movl 28(%esi), %edx )
45906 + adcl %ebx, %eax
45907 +-DST( movl %ebx, 24(%edi) )
45908 ++DST( movl %ebx, %es:24(%edi) )
45909 + adcl %edx, %eax
45910 +-DST( movl %edx, 28(%edi) )
45911 ++DST( movl %edx, %es:28(%edi) )
45912 +
45913 + lea 32(%esi), %esi
45914 + lea 32(%edi), %edi
45915 +@@ -380,7 +394,7 @@ DST( movl %edx, 28(%edi) )
45916 + shrl $2, %edx # This clears CF
45917 + SRC(3: movl (%esi), %ebx )
45918 + adcl %ebx, %eax
45919 +-DST( movl %ebx, (%edi) )
45920 ++DST( movl %ebx, %es:(%edi) )
45921 + lea 4(%esi), %esi
45922 + lea 4(%edi), %edi
45923 + dec %edx
45924 +@@ -392,12 +406,12 @@ DST( movl %ebx, (%edi) )
45925 + jb 5f
45926 + SRC( movw (%esi), %cx )
45927 + leal 2(%esi), %esi
45928 +-DST( movw %cx, (%edi) )
45929 ++DST( movw %cx, %es:(%edi) )
45930 + leal 2(%edi), %edi
45931 + je 6f
45932 + shll $16,%ecx
45933 + SRC(5: movb (%esi), %cl )
45934 +-DST( movb %cl, (%edi) )
45935 ++DST( movb %cl, %es:(%edi) )
45936 + 6: addl %ecx, %eax
45937 + adcl $0, %eax
45938 + 7:
45939 +@@ -408,7 +422,7 @@ DST( movb %cl, (%edi) )
45940 +
45941 + 6001:
45942 + movl ARGBASE+20(%esp), %ebx # src_err_ptr
45943 +- movl $-EFAULT, (%ebx)
45944 ++ movl $-EFAULT, %ss:(%ebx)
45945 +
45946 + # zero the complete destination - computing the rest
45947 + # is too much work
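Review bot: `movl $-EFAULT, %ss:(%ebx)` in the 6001 fixup reads like a typo and needs a one-line comment: src_err_ptr is a kernel pointer, but on the from-user path %ds still holds __USER_DS when the fixup runs, so a plain `(%ebx)` store would go through the user segment; %ss is the only segment register guaranteed to be the kernel one at this point. The same applies to the 6002 store in the next hunk.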
45948 +@@ -421,11 +435,19 @@ DST( movb %cl, (%edi) )
45949 +
45950 + 6002:
45951 + movl ARGBASE+24(%esp), %ebx # dst_err_ptr
45952 +- movl $-EFAULT,(%ebx)
45953 ++ movl $-EFAULT,%ss:(%ebx)
45954 + jmp 5000b
45955 +
45956 + .previous
45957 +
45958 ++ pushl %ss
45959 ++ CFI_ADJUST_CFA_OFFSET 4
45960 ++ popl %ds
45961 ++ CFI_ADJUST_CFA_OFFSET -4
45962 ++ pushl %ss
45963 ++ CFI_ADJUST_CFA_OFFSET 4
45964 ++ popl %es
45965 ++ CFI_ADJUST_CFA_OFFSET -4
45966 + popl %ebx
45967 + CFI_ADJUST_CFA_OFFSET -4
45968 + CFI_RESTORE ebx
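Review bot: the segment restore (`pushl %ss` / `popl %ds` / `pushl %ss` / `popl %es`) is emitted in .text after `.previous`, so it only runs for code that reaches the common exit; confirm that label 5000, the target of `jmp 5000b` in the 6002 fixup, sits at or before this sequence, otherwise the dst-fault path returns to C with %ds or %es still set to __USER_DS. Also note that the restore is unconditional, so a direct caller of csum_partial_copy_generic (kernel to kernel) pays two segment loads it never needed; acceptable, but say so in a comment rather than leaving it for the reader to work out.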
45969 +@@ -439,26 +461,41 @@ DST( movb %cl, (%edi) )
45970 + CFI_ADJUST_CFA_OFFSET -4
45971 + ret
45972 + CFI_ENDPROC
45973 +-ENDPROC(csum_partial_copy_generic)
45974 ++ENDPROC(csum_partial_copy_generic_to_user)
45975 +
45976 + #else
45977 +
45978 + /* Version for PentiumII/PPro */
45979 +
45980 + #define ROUND1(x) \
45981 ++ nop; nop; nop; \
45982 + SRC(movl x(%esi), %ebx ) ; \
45983 + addl %ebx, %eax ; \
45984 +- DST(movl %ebx, x(%edi) ) ;
45985 ++ DST(movl %ebx, %es:x(%edi)) ;
45986 +
45987 + #define ROUND(x) \
45988 ++ nop; nop; nop; \
45989 + SRC(movl x(%esi), %ebx ) ; \
45990 + adcl %ebx, %eax ; \
45991 +- DST(movl %ebx, x(%edi) ) ;
45992 ++ DST(movl %ebx, %es:x(%edi)) ;
45993 +
45994 + #define ARGBASE 12
45995 +-
45996 +-ENTRY(csum_partial_copy_generic)
45997 ++
45998 ++ENTRY(csum_partial_copy_generic_to_user)
45999 + CFI_STARTPROC
46000 ++ pushl $(__USER_DS)
46001 ++ CFI_ADJUST_CFA_OFFSET 4
46002 ++ popl %es
46003 ++ CFI_ADJUST_CFA_OFFSET -4
46004 ++ jmp csum_partial_copy_generic
46005 ++
46006 ++ENTRY(csum_partial_copy_generic_from_user)
46007 ++ pushl $(__USER_DS)
46008 ++ CFI_ADJUST_CFA_OFFSET 4
46009 ++ popl %ds
46010 ++ CFI_ADJUST_CFA_OFFSET -4
46011 ++
46012 ++ENTRY(csum_partial_copy_generic)
46013 + pushl %ebx
46014 + CFI_ADJUST_CFA_OFFSET 4
46015 + CFI_REL_OFFSET ebx, 0
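Review bot: `ENDPROC(csum_partial_copy_generic)` becomes `ENDPROC(csum_partial_copy_generic_to_user)` in both the 486 variant above and the PentiumII/PPro variant, so the two other entry points introduced here, `csum_partial_copy_generic_from_user` and `csum_partial_copy_generic`, get no `.type`/`.size` at all; objdump, kallsyms and stack traces will report wrong sizes for them. Add an `END()` for each, or make the extra entries local labels if they are not meant to be called from C. The `nop; nop; nop;` added to ROUND1 and ROUND also lacks a comment; it is there only to keep every ROUND the same size once the one-byte `%es:` override is added to the store, which the changed `lea 3f(%ebx,%ebx,2)` in the next hunk depends on, and that coupling should be written down next to the macros.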
46016 +@@ -482,7 +519,7 @@ ENTRY(csum_partial_copy_generic)
46017 + subl %ebx, %edi
46018 + lea -1(%esi),%edx
46019 + andl $-32,%edx
46020 +- lea 3f(%ebx,%ebx), %ebx
46021 ++ lea 3f(%ebx,%ebx,2), %ebx
46022 + testl %esi, %esi
46023 + jmp *%ebx
46024 + 1: addl $64,%esi
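Review bot: `lea 3f(%ebx,%ebx,2), %ebx` hard-codes a 12-byte stride per ROUND (the original 8 bytes, plus the `%es:` prefix byte on the store, plus three nops) and nothing in the file checks it. A different encoding chosen by the assembler, or anyone editing ROUND later, silently turns the computed `jmp *%ebx` into a jump into the middle of an instruction. At minimum add a comment stating the stride; better, add an assemble-time check on the size of one expanded ROUND so a mismatch fails the build instead of corrupting checksums at runtime.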
46025 +@@ -503,19 +540,19 @@ ENTRY(csum_partial_copy_generic)
46026 + jb 5f
46027 + SRC( movw (%esi), %dx )
46028 + leal 2(%esi), %esi
46029 +-DST( movw %dx, (%edi) )
46030 ++DST( movw %dx, %es:(%edi) )
46031 + leal 2(%edi), %edi
46032 + je 6f
46033 + shll $16,%edx
46034 + 5:
46035 + SRC( movb (%esi), %dl )
46036 +-DST( movb %dl, (%edi) )
46037 ++DST( movb %dl, %es:(%edi) )
46038 + 6: addl %edx, %eax
46039 + adcl $0, %eax
46040 + 7:
46041 + .section .fixup, "ax"
46042 + 6001: movl ARGBASE+20(%esp), %ebx # src_err_ptr
46043 +- movl $-EFAULT, (%ebx)
46044 ++ movl $-EFAULT, %ss:(%ebx)
46045 + # zero the complete destination (computing the rest is too much work)
46046 + movl ARGBASE+8(%esp),%edi # dst
46047 + movl ARGBASE+12(%esp),%ecx # len
46048 +@@ -523,10 +560,18 @@ DST( movb %dl, (%edi) )
46049 + rep; stosb
46050 + jmp 7b
46051 + 6002: movl ARGBASE+24(%esp), %ebx # dst_err_ptr
46052 +- movl $-EFAULT, (%ebx)
46053 ++ movl $-EFAULT, %ss:(%ebx)
46054 + jmp 7b
46055 + .previous
46056 +
46057 ++ pushl %ss
46058 ++ CFI_ADJUST_CFA_OFFSET 4
46059 ++ popl %ds
46060 ++ CFI_ADJUST_CFA_OFFSET -4
46061 ++ pushl %ss
46062 ++ CFI_ADJUST_CFA_OFFSET 4
46063 ++ popl %es
46064 ++ CFI_ADJUST_CFA_OFFSET -4
46065 + popl %esi
46066 + CFI_ADJUST_CFA_OFFSET -4
46067 + CFI_RESTORE esi
46068 +@@ -538,7 +583,7 @@ DST( movb %dl, (%edi) )
46069 + CFI_RESTORE ebx
46070 + ret
46071 + CFI_ENDPROC
46072 +-ENDPROC(csum_partial_copy_generic)
46073 ++ENDPROC(csum_partial_copy_generic_to_user)
46074 +
46075 + #undef ROUND
46076 + #undef ROUND1
46077 +diff -urNp linux-2.6.24.5/arch/x86/lib/clear_page_64.S linux-2.6.24.5/arch/x86/lib/clear_page_64.S
46078 +--- linux-2.6.24.5/arch/x86/lib/clear_page_64.S 2008-03-24 14:49:18.000000000 -0400
46079 ++++ linux-2.6.24.5/arch/x86/lib/clear_page_64.S 2008-03-26 20:21:08.000000000 -0400
46080 +@@ -44,7 +44,7 @@ ENDPROC(clear_page)
46081 +
46082 + #include <asm/cpufeature.h>
46083 +
46084 +- .section .altinstr_replacement,"ax"
46085 ++ .section .altinstr_replacement,"a"
46086 + 1: .byte 0xeb /* jmp <disp8> */
46087 + .byte (clear_page_c - clear_page) - (2f - 1b) /* offset */
46088 + 2:
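Review bot: dropping the `x` flag (`"ax"` to `"a"`) from `.altinstr_replacement` here and in copy_page_64.S, copy_user_64.S, memcpy_64.S and memset_64.S only has an effect if every other declaration of that section in the tree, including the `alternative()` macros in the C headers, is changed the same way: the linker merges same-named input sections into one output section that keeps the union of their flags, so a single leftover `"ax"` makes the whole section executable again. Worth a grep before merging, plus a changelog line stating why the replacement bytes no longer need an executable mapping (they are copied into place by the alternatives code and never executed from this section).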
46089 +diff -urNp linux-2.6.24.5/arch/x86/lib/copy_page_64.S linux-2.6.24.5/arch/x86/lib/copy_page_64.S
46090 +--- linux-2.6.24.5/arch/x86/lib/copy_page_64.S 2008-03-24 14:49:18.000000000 -0400
46091 ++++ linux-2.6.24.5/arch/x86/lib/copy_page_64.S 2008-03-26 20:21:08.000000000 -0400
46092 +@@ -104,7 +104,7 @@ ENDPROC(copy_page)
46093 +
46094 + #include <asm/cpufeature.h>
46095 +
46096 +- .section .altinstr_replacement,"ax"
46097 ++ .section .altinstr_replacement,"a"
46098 + 1: .byte 0xeb /* jmp <disp8> */
46099 + .byte (copy_page_c - copy_page) - (2f - 1b) /* offset */
46100 + 2:
46101 +diff -urNp linux-2.6.24.5/arch/x86/lib/copy_user_64.S linux-2.6.24.5/arch/x86/lib/copy_user_64.S
46102 +--- linux-2.6.24.5/arch/x86/lib/copy_user_64.S 2008-03-24 14:49:18.000000000 -0400
46103 ++++ linux-2.6.24.5/arch/x86/lib/copy_user_64.S 2008-03-26 20:21:08.000000000 -0400
46104 +@@ -19,7 +19,7 @@
46105 + .byte 0xe9 /* 32bit jump */
46106 + .long \orig-1f /* by default jump to orig */
46107 + 1:
46108 +- .section .altinstr_replacement,"ax"
46109 ++ .section .altinstr_replacement,"a"
46110 + 2: .byte 0xe9 /* near jump with 32bit immediate */
46111 + .long \alt-1b /* offset */ /* or alternatively to alt */
46112 + .previous
46113 +diff -urNp linux-2.6.24.5/arch/x86/lib/getuser_32.S linux-2.6.24.5/arch/x86/lib/getuser_32.S
46114 +--- linux-2.6.24.5/arch/x86/lib/getuser_32.S 2008-03-24 14:49:18.000000000 -0400
46115 ++++ linux-2.6.24.5/arch/x86/lib/getuser_32.S 2008-03-26 20:21:08.000000000 -0400
46116 +@@ -11,7 +11,7 @@
46117 + #include <linux/linkage.h>
46118 + #include <asm/dwarf2.h>
46119 + #include <asm/thread_info.h>
46120 +-
46121 ++#include <asm/segment.h>
46122 +
46123 + /*
46124 + * __get_user_X
46125 +@@ -31,7 +31,11 @@ ENTRY(__get_user_1)
46126 + GET_THREAD_INFO(%edx)
46127 + cmpl TI_addr_limit(%edx),%eax
46128 + jae bad_get_user
46129 ++ pushl $(__USER_DS)
46130 ++ popl %ds
46131 + 1: movzbl (%eax),%edx
46132 ++ pushl %ss
46133 ++ pop %ds
46134 + xorl %eax,%eax
46135 + ret
46136 + CFI_ENDPROC
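Review bot: in __get_user_1 (and likewise __get_user_2 and __get_user_4 below) the restore is written `pop %ds` while the load is `popl %ds`; use one spelling. More importantly, unlike the checksum_32.S part of this patch, the `pushl $(__USER_DS)` / `popl %ds` and `pushl %ss` / `pop %ds` pairs carry no `CFI_ADJUST_CFA_OFFSET`, so the CFA is off by 4 for the one instruction between each push and pop. Those instructions cannot fault, so unwinding is not actually broken, but the two files should follow one convention; if the annotations are omitted on purpose, a comment should say so.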
46137 +@@ -44,7 +48,11 @@ ENTRY(__get_user_2)
46138 + GET_THREAD_INFO(%edx)
46139 + cmpl TI_addr_limit(%edx),%eax
46140 + jae bad_get_user
46141 ++ pushl $(__USER_DS)
46142 ++ popl %ds
46143 + 2: movzwl -1(%eax),%edx
46144 ++ pushl %ss
46145 ++ pop %ds
46146 + xorl %eax,%eax
46147 + ret
46148 + CFI_ENDPROC
46149 +@@ -57,7 +65,11 @@ ENTRY(__get_user_4)
46150 + GET_THREAD_INFO(%edx)
46151 + cmpl TI_addr_limit(%edx),%eax
46152 + jae bad_get_user
46153 ++ pushl $(__USER_DS)
46154 ++ popl %ds
46155 + 3: movl -3(%eax),%edx
46156 ++ pushl %ss
46157 ++ pop %ds
46158 + xorl %eax,%eax
46159 + ret
46160 + CFI_ENDPROC
46161 +@@ -65,6 +77,8 @@ ENDPROC(__get_user_4)
46162 +
46163 + bad_get_user:
46164 + CFI_STARTPROC
46165 ++ pushl %ss
46166 ++ pop %ds
46167 + xorl %edx,%edx
46168 + movl $-14,%eax
46169 + ret
46170 +diff -urNp linux-2.6.24.5/arch/x86/lib/memcpy_64.S linux-2.6.24.5/arch/x86/lib/memcpy_64.S
46171 +--- linux-2.6.24.5/arch/x86/lib/memcpy_64.S 2008-03-24 14:49:18.000000000 -0400
46172 ++++ linux-2.6.24.5/arch/x86/lib/memcpy_64.S 2008-03-26 20:21:08.000000000 -0400
46173 +@@ -114,7 +114,7 @@ ENDPROC(__memcpy)
46174 + /* Some CPUs run faster using the string copy instructions.
46175 + It is also a lot simpler. Use this when possible */
46176 +
46177 +- .section .altinstr_replacement,"ax"
46178 ++ .section .altinstr_replacement,"a"
46179 + 1: .byte 0xeb /* jmp <disp8> */
46180 + .byte (memcpy_c - memcpy) - (2f - 1b) /* offset */
46181 + 2:
46182 +diff -urNp linux-2.6.24.5/arch/x86/lib/memset_64.S linux-2.6.24.5/arch/x86/lib/memset_64.S
46183 +--- linux-2.6.24.5/arch/x86/lib/memset_64.S 2008-03-24 14:49:18.000000000 -0400
46184 ++++ linux-2.6.24.5/arch/x86/lib/memset_64.S 2008-03-26 20:21:08.000000000 -0400
46185 +@@ -118,7 +118,7 @@ ENDPROC(__memset)
46186 +
46187 + #include <asm/cpufeature.h>
46188 +
46189 +- .section .altinstr_replacement,"ax"
46190 ++ .section .altinstr_replacement,"a"
46191 + 1: .byte 0xeb /* jmp <disp8> */
46192 + .byte (memset_c - memset) - (2f - 1b) /* offset */
46193 + 2:
46194 +diff -urNp linux-2.6.24.5/arch/x86/lib/mmx_32.c linux-2.6.24.5/arch/x86/lib/mmx_32.c
46195 +--- linux-2.6.24.5/arch/x86/lib/mmx_32.c 2008-03-24 14:49:18.000000000 -0400
46196 ++++ linux-2.6.24.5/arch/x86/lib/mmx_32.c 2008-03-26 20:21:08.000000000 -0400
46197 +@@ -30,6 +30,7 @@ void *_mmx_memcpy(void *to, const void *
46198 + {
46199 + void *p;
46200 + int i;
46201 ++ unsigned long cr0;
46202 +
46203 + if (unlikely(in_interrupt()))
46204 + return __memcpy(to, from, len);
46205 +@@ -40,52 +41,80 @@ void *_mmx_memcpy(void *to, const void *
46206 + kernel_fpu_begin();
46207 +
46208 + __asm__ __volatile__ (
46209 +- "1: prefetch (%0)\n" /* This set is 28 bytes */
46210 +- " prefetch 64(%0)\n"
46211 +- " prefetch 128(%0)\n"
46212 +- " prefetch 192(%0)\n"
46213 +- " prefetch 256(%0)\n"
46214 ++ "1: prefetch (%1)\n" /* This set is 28 bytes */
46215 ++ " prefetch 64(%1)\n"
46216 ++ " prefetch 128(%1)\n"
46217 ++ " prefetch 192(%1)\n"
46218 ++ " prefetch 256(%1)\n"
46219 + "2: \n"
46220 + ".section .fixup, \"ax\"\n"
46221 +- "3: movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
46222 ++ "3: \n"
46223 ++
46224 ++#ifdef CONFIG_PAX_KERNEXEC
46225 ++ " movl %%cr0, %0\n"
46226 ++ " movl %0, %%eax\n"
46227 ++ " andl $0xFFFEFFFF, %%eax\n"
46228 ++ " movl %%eax, %%cr0\n"
46229 ++#endif
46230 ++
46231 ++ " movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
46232 ++
46233 ++#ifdef CONFIG_PAX_KERNEXEC
46234 ++ " movl %0, %%cr0\n"
46235 ++#endif
46236 ++
46237 + " jmp 2b\n"
46238 + ".previous\n"
46239 + ".section __ex_table,\"a\"\n"
46240 + " .align 4\n"
46241 + " .long 1b, 3b\n"
46242 + ".previous"
46243 +- : : "r" (from) );
46244 ++ : "=&r" (cr0) : "r" (from) : "ax");
46245 +
46246 +
46247 + for(; i>5; i--)
46248 + {
46249 + __asm__ __volatile__ (
46250 +- "1: prefetch 320(%0)\n"
46251 +- "2: movq (%0), %%mm0\n"
46252 +- " movq 8(%0), %%mm1\n"
46253 +- " movq 16(%0), %%mm2\n"
46254 +- " movq 24(%0), %%mm3\n"
46255 +- " movq %%mm0, (%1)\n"
46256 +- " movq %%mm1, 8(%1)\n"
46257 +- " movq %%mm2, 16(%1)\n"
46258 +- " movq %%mm3, 24(%1)\n"
46259 +- " movq 32(%0), %%mm0\n"
46260 +- " movq 40(%0), %%mm1\n"
46261 +- " movq 48(%0), %%mm2\n"
46262 +- " movq 56(%0), %%mm3\n"
46263 +- " movq %%mm0, 32(%1)\n"
46264 +- " movq %%mm1, 40(%1)\n"
46265 +- " movq %%mm2, 48(%1)\n"
46266 +- " movq %%mm3, 56(%1)\n"
46267 ++ "1: prefetch 320(%1)\n"
46268 ++ "2: movq (%1), %%mm0\n"
46269 ++ " movq 8(%1), %%mm1\n"
46270 ++ " movq 16(%1), %%mm2\n"
46271 ++ " movq 24(%1), %%mm3\n"
46272 ++ " movq %%mm0, (%2)\n"
46273 ++ " movq %%mm1, 8(%2)\n"
46274 ++ " movq %%mm2, 16(%2)\n"
46275 ++ " movq %%mm3, 24(%2)\n"
46276 ++ " movq 32(%1), %%mm0\n"
46277 ++ " movq 40(%1), %%mm1\n"
46278 ++ " movq 48(%1), %%mm2\n"
46279 ++ " movq 56(%1), %%mm3\n"
46280 ++ " movq %%mm0, 32(%2)\n"
46281 ++ " movq %%mm1, 40(%2)\n"
46282 ++ " movq %%mm2, 48(%2)\n"
46283 ++ " movq %%mm3, 56(%2)\n"
46284 + ".section .fixup, \"ax\"\n"
46285 +- "3: movw $0x05EB, 1b\n" /* jmp on 5 bytes */
46286 ++ "3:\n"
46287 ++
46288 ++#ifdef CONFIG_PAX_KERNEXEC
46289 ++ " movl %%cr0, %0\n"
46290 ++ " movl %0, %%eax\n"
46291 ++ " andl $0xFFFEFFFF, %%eax\n"
46292 ++ " movl %%eax, %%cr0\n"
46293 ++#endif
46294 ++
46295 ++ " movw $0x05EB, 1b\n" /* jmp on 5 bytes */
46296 ++
46297 ++#ifdef CONFIG_PAX_KERNEXEC
46298 ++ " movl %0, %%cr0\n"
46299 ++#endif
46300 ++
46301 + " jmp 2b\n"
46302 + ".previous\n"
46303 + ".section __ex_table,\"a\"\n"
46304 + " .align 4\n"
46305 + " .long 1b, 3b\n"
46306 + ".previous"
46307 +- : : "r" (from), "r" (to) : "memory");
46308 ++ : "=&r" (cr0) : "r" (from), "r" (to) : "memory", "ax");
46309 + from+=64;
46310 + to+=64;
46311 + }
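Review bot: the CONFIG_PAX_KERNEXEC fixup sequence (`movl %%cr0, %0` / `andl $0xFFFEFFFF, %%eax` / `movl %%eax, %%cr0` ... `movl %0, %%cr0`) clears CR0.WP around the self-modifying `movw $0x1AEB, 1b`, but it runs with interrupts enabled: kernel_fpu_begin() disables preemption, not IRQs, so an interrupt taken between the two CR0 writes executes its handler with write protection off on this CPU. Bracket the window with `pushf; cli` / `popf` inside the asm, or document why that exposure is acceptable. The same ten lines are repeated six times in this file (twice here and twice in each fast_copy_page variant below); a pair of macros taking the cr0 operand would remove the duplication and make any future fix a one-place change, and `$0xFFFEFFFF` should be written as the complement of a named constant for the WP bit (bit 16) rather than a magic number.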
46312 +@@ -164,6 +193,7 @@ static void fast_clear_page(void *page)
46313 + static void fast_copy_page(void *to, void *from)
46314 + {
46315 + int i;
46316 ++ unsigned long cr0;
46317 +
46318 + kernel_fpu_begin();
46319 +
46320 +@@ -171,51 +201,79 @@ static void fast_copy_page(void *to, voi
46321 + * but that is for later. -AV
46322 + */
46323 + __asm__ __volatile__ (
46324 +- "1: prefetch (%0)\n"
46325 +- " prefetch 64(%0)\n"
46326 +- " prefetch 128(%0)\n"
46327 +- " prefetch 192(%0)\n"
46328 +- " prefetch 256(%0)\n"
46329 ++ "1: prefetch (%1)\n"
46330 ++ " prefetch 64(%1)\n"
46331 ++ " prefetch 128(%1)\n"
46332 ++ " prefetch 192(%1)\n"
46333 ++ " prefetch 256(%1)\n"
46334 + "2: \n"
46335 + ".section .fixup, \"ax\"\n"
46336 +- "3: movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
46337 ++ "3: \n"
46338 ++
46339 ++#ifdef CONFIG_PAX_KERNEXEC
46340 ++ " movl %%cr0, %0\n"
46341 ++ " movl %0, %%eax\n"
46342 ++ " andl $0xFFFEFFFF, %%eax\n"
46343 ++ " movl %%eax, %%cr0\n"
46344 ++#endif
46345 ++
46346 ++ " movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
46347 ++
46348 ++#ifdef CONFIG_PAX_KERNEXEC
46349 ++ " movl %0, %%cr0\n"
46350 ++#endif
46351 ++
46352 + " jmp 2b\n"
46353 + ".previous\n"
46354 + ".section __ex_table,\"a\"\n"
46355 + " .align 4\n"
46356 + " .long 1b, 3b\n"
46357 + ".previous"
46358 +- : : "r" (from) );
46359 ++ : "=&r" (cr0) : "r" (from) : "ax");
46360 +
46361 + for(i=0; i<(4096-320)/64; i++)
46362 + {
46363 + __asm__ __volatile__ (
46364 +- "1: prefetch 320(%0)\n"
46365 +- "2: movq (%0), %%mm0\n"
46366 +- " movntq %%mm0, (%1)\n"
46367 +- " movq 8(%0), %%mm1\n"
46368 +- " movntq %%mm1, 8(%1)\n"
46369 +- " movq 16(%0), %%mm2\n"
46370 +- " movntq %%mm2, 16(%1)\n"
46371 +- " movq 24(%0), %%mm3\n"
46372 +- " movntq %%mm3, 24(%1)\n"
46373 +- " movq 32(%0), %%mm4\n"
46374 +- " movntq %%mm4, 32(%1)\n"
46375 +- " movq 40(%0), %%mm5\n"
46376 +- " movntq %%mm5, 40(%1)\n"
46377 +- " movq 48(%0), %%mm6\n"
46378 +- " movntq %%mm6, 48(%1)\n"
46379 +- " movq 56(%0), %%mm7\n"
46380 +- " movntq %%mm7, 56(%1)\n"
46381 ++ "1: prefetch 320(%1)\n"
46382 ++ "2: movq (%1), %%mm0\n"
46383 ++ " movntq %%mm0, (%2)\n"
46384 ++ " movq 8(%1), %%mm1\n"
46385 ++ " movntq %%mm1, 8(%2)\n"
46386 ++ " movq 16(%1), %%mm2\n"
46387 ++ " movntq %%mm2, 16(%2)\n"
46388 ++ " movq 24(%1), %%mm3\n"
46389 ++ " movntq %%mm3, 24(%2)\n"
46390 ++ " movq 32(%1), %%mm4\n"
46391 ++ " movntq %%mm4, 32(%2)\n"
46392 ++ " movq 40(%1), %%mm5\n"
46393 ++ " movntq %%mm5, 40(%2)\n"
46394 ++ " movq 48(%1), %%mm6\n"
46395 ++ " movntq %%mm6, 48(%2)\n"
46396 ++ " movq 56(%1), %%mm7\n"
46397 ++ " movntq %%mm7, 56(%2)\n"
46398 + ".section .fixup, \"ax\"\n"
46399 +- "3: movw $0x05EB, 1b\n" /* jmp on 5 bytes */
46400 ++ "3:\n"
46401 ++
46402 ++#ifdef CONFIG_PAX_KERNEXEC
46403 ++ " movl %%cr0, %0\n"
46404 ++ " movl %0, %%eax\n"
46405 ++ " andl $0xFFFEFFFF, %%eax\n"
46406 ++ " movl %%eax, %%cr0\n"
46407 ++#endif
46408 ++
46409 ++ " movw $0x05EB, 1b\n" /* jmp on 5 bytes */
46410 ++
46411 ++#ifdef CONFIG_PAX_KERNEXEC
46412 ++ " movl %0, %%cr0\n"
46413 ++#endif
46414 ++
46415 + " jmp 2b\n"
46416 + ".previous\n"
46417 + ".section __ex_table,\"a\"\n"
46418 + " .align 4\n"
46419 + " .long 1b, 3b\n"
46420 + ".previous"
46421 +- : : "r" (from), "r" (to) : "memory");
46422 ++ : "=&r" (cr0) : "r" (from), "r" (to) : "memory", "ax");
46423 + from+=64;
46424 + to+=64;
46425 + }
46426 +@@ -296,56 +354,84 @@ static void fast_clear_page(void *page)
46427 + static void fast_copy_page(void *to, void *from)
46428 + {
46429 + int i;
46430 +-
46431 +-
46432 ++ unsigned long cr0;
46433 ++
46434 + kernel_fpu_begin();
46435 +
46436 + __asm__ __volatile__ (
46437 +- "1: prefetch (%0)\n"
46438 +- " prefetch 64(%0)\n"
46439 +- " prefetch 128(%0)\n"
46440 +- " prefetch 192(%0)\n"
46441 +- " prefetch 256(%0)\n"
46442 ++ "1: prefetch (%1)\n"
46443 ++ " prefetch 64(%1)\n"
46444 ++ " prefetch 128(%1)\n"
46445 ++ " prefetch 192(%1)\n"
46446 ++ " prefetch 256(%1)\n"
46447 + "2: \n"
46448 + ".section .fixup, \"ax\"\n"
46449 +- "3: movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
46450 ++ "3: \n"
46451 ++
46452 ++#ifdef CONFIG_PAX_KERNEXEC
46453 ++ " movl %%cr0, %0\n"
46454 ++ " movl %0, %%eax\n"
46455 ++ " andl $0xFFFEFFFF, %%eax\n"
46456 ++ " movl %%eax, %%cr0\n"
46457 ++#endif
46458 ++
46459 ++ " movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
46460 ++
46461 ++#ifdef CONFIG_PAX_KERNEXEC
46462 ++ " movl %0, %%cr0\n"
46463 ++#endif
46464 ++
46465 + " jmp 2b\n"
46466 + ".previous\n"
46467 + ".section __ex_table,\"a\"\n"
46468 + " .align 4\n"
46469 + " .long 1b, 3b\n"
46470 + ".previous"
46471 +- : : "r" (from) );
46472 ++ : "=&r" (cr0) : "r" (from) : "ax");
46473 +
46474 + for(i=0; i<4096/64; i++)
46475 + {
46476 + __asm__ __volatile__ (
46477 +- "1: prefetch 320(%0)\n"
46478 +- "2: movq (%0), %%mm0\n"
46479 +- " movq 8(%0), %%mm1\n"
46480 +- " movq 16(%0), %%mm2\n"
46481 +- " movq 24(%0), %%mm3\n"
46482 +- " movq %%mm0, (%1)\n"
46483 +- " movq %%mm1, 8(%1)\n"
46484 +- " movq %%mm2, 16(%1)\n"
46485 +- " movq %%mm3, 24(%1)\n"
46486 +- " movq 32(%0), %%mm0\n"
46487 +- " movq 40(%0), %%mm1\n"
46488 +- " movq 48(%0), %%mm2\n"
46489 +- " movq 56(%0), %%mm3\n"
46490 +- " movq %%mm0, 32(%1)\n"
46491 +- " movq %%mm1, 40(%1)\n"
46492 +- " movq %%mm2, 48(%1)\n"
46493 +- " movq %%mm3, 56(%1)\n"
46494 ++ "1: prefetch 320(%1)\n"
46495 ++ "2: movq (%1), %%mm0\n"
46496 ++ " movq 8(%1), %%mm1\n"
46497 ++ " movq 16(%1), %%mm2\n"
46498 ++ " movq 24(%1), %%mm3\n"
46499 ++ " movq %%mm0, (%2)\n"
46500 ++ " movq %%mm1, 8(%2)\n"
46501 ++ " movq %%mm2, 16(%2)\n"
46502 ++ " movq %%mm3, 24(%2)\n"
46503 ++ " movq 32(%1), %%mm0\n"
46504 ++ " movq 40(%1), %%mm1\n"
46505 ++ " movq 48(%1), %%mm2\n"
46506 ++ " movq 56(%1), %%mm3\n"
46507 ++ " movq %%mm0, 32(%2)\n"
46508 ++ " movq %%mm1, 40(%2)\n"
46509 ++ " movq %%mm2, 48(%2)\n"
46510 ++ " movq %%mm3, 56(%2)\n"
46511 + ".section .fixup, \"ax\"\n"
46512 +- "3: movw $0x05EB, 1b\n" /* jmp on 5 bytes */
46513 ++ "3:\n"
46514 ++
46515 ++#ifdef CONFIG_PAX_KERNEXEC
46516 ++ " movl %%cr0, %0\n"
46517 ++ " movl %0, %%eax\n"
46518 ++ " andl $0xFFFEFFFF, %%eax\n"
46519 ++ " movl %%eax, %%cr0\n"
46520 ++#endif
46521 ++
46522 ++ " movw $0x05EB, 1b\n" /* jmp on 5 bytes */
46523 ++
46524 ++#ifdef CONFIG_PAX_KERNEXEC
46525 ++ " movl %0, %%cr0\n"
46526 ++#endif
46527 ++
46528 + " jmp 2b\n"
46529 + ".previous\n"
46530 + ".section __ex_table,\"a\"\n"
46531 + " .align 4\n"
46532 + " .long 1b, 3b\n"
46533 + ".previous"
46534 +- : : "r" (from), "r" (to) : "memory");
46535 ++ : "=&r" (cr0) : "r" (from), "r" (to) : "memory", "ax");
46536 + from+=64;
46537 + to+=64;
46538 + }
46539 +diff -urNp linux-2.6.24.5/arch/x86/lib/putuser_32.S linux-2.6.24.5/arch/x86/lib/putuser_32.S
46540 +--- linux-2.6.24.5/arch/x86/lib/putuser_32.S 2008-03-24 14:49:18.000000000 -0400
46541 ++++ linux-2.6.24.5/arch/x86/lib/putuser_32.S 2008-03-26 20:21:08.000000000 -0400
46542 +@@ -11,7 +11,7 @@
46543 + #include <linux/linkage.h>
46544 + #include <asm/dwarf2.h>
46545 + #include <asm/thread_info.h>
46546 +-
46547 ++#include <asm/segment.h>
46548 +
46549 + /*
46550 + * __put_user_X
46551 +@@ -41,7 +41,11 @@ ENTRY(__put_user_1)
46552 + ENTER
46553 + cmpl TI_addr_limit(%ebx),%ecx
46554 + jae bad_put_user
46555 ++ pushl $(__USER_DS)
46556 ++ popl %ds
46557 + 1: movb %al,(%ecx)
46558 ++ pushl %ss
46559 ++ popl %ds
46560 + xorl %eax,%eax
46561 + EXIT
46562 + ENDPROC(__put_user_1)
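Review bot: same remark as for getuser_32.S: the `pushl $(__USER_DS)` / `popl %ds` and `pushl %ss` / `popl %ds` pairs in __put_user_1 (and in __put_user_2/4/8 below) are not annotated with CFI_ADJUST_CFA_OFFSET, while the bad_put_user hunk in this same file does annotate its pair; pick one convention for the file. The store at `1: movb %al,(%ecx)` is the only instruction here that can fault, and its fixup lands in bad_put_user, which now restores %ds, so the fault path is covered; a comment at label 1 pointing out that dependency would help the next person who touches bad_put_user.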
46563 +@@ -52,7 +56,11 @@ ENTRY(__put_user_2)
46564 + subl $1,%ebx
46565 + cmpl %ebx,%ecx
46566 + jae bad_put_user
46567 ++ pushl $(__USER_DS)
46568 ++ popl %ds
46569 + 2: movw %ax,(%ecx)
46570 ++ pushl %ss
46571 ++ popl %ds
46572 + xorl %eax,%eax
46573 + EXIT
46574 + ENDPROC(__put_user_2)
46575 +@@ -63,7 +71,11 @@ ENTRY(__put_user_4)
46576 + subl $3,%ebx
46577 + cmpl %ebx,%ecx
46578 + jae bad_put_user
46579 ++ pushl $(__USER_DS)
46580 ++ popl %ds
46581 + 3: movl %eax,(%ecx)
46582 ++ pushl %ss
46583 ++ popl %ds
46584 + xorl %eax,%eax
46585 + EXIT
46586 + ENDPROC(__put_user_4)
46587 +@@ -74,8 +86,12 @@ ENTRY(__put_user_8)
46588 + subl $7,%ebx
46589 + cmpl %ebx,%ecx
46590 + jae bad_put_user
46591 ++ pushl $(__USER_DS)
46592 ++ popl %ds
46593 + 4: movl %eax,(%ecx)
46594 + 5: movl %edx,4(%ecx)
46595 ++ pushl %ss
46596 ++ popl %ds
46597 + xorl %eax,%eax
46598 + EXIT
46599 + ENDPROC(__put_user_8)
46600 +@@ -85,6 +101,10 @@ bad_put_user:
46601 + CFI_DEF_CFA esp, 2*4
46602 + CFI_OFFSET eip, -1*4
46603 + CFI_OFFSET ebx, -2*4
46604 ++ pushl %ss
46605 ++ CFI_ADJUST_CFA_OFFSET 4
46606 ++ popl %ds
46607 ++ CFI_ADJUST_CFA_OFFSET -4
46608 + movl $-14,%eax
46609 + EXIT
46610 + END(bad_put_user)
46611 +diff -urNp linux-2.6.24.5/arch/x86/lib/usercopy_32.c linux-2.6.24.5/arch/x86/lib/usercopy_32.c
46612 +--- linux-2.6.24.5/arch/x86/lib/usercopy_32.c 2008-03-24 14:49:18.000000000 -0400
46613 ++++ linux-2.6.24.5/arch/x86/lib/usercopy_32.c 2008-03-26 20:21:08.000000000 -0400
46614 +@@ -29,34 +29,41 @@ static inline int __movsl_is_ok(unsigned
46615 + * Copy a null terminated string from userspace.
46616 + */
46617 +
46618 +-#define __do_strncpy_from_user(dst,src,count,res) \
46619 +-do { \
46620 +- int __d0, __d1, __d2; \
46621 +- might_sleep(); \
46622 +- __asm__ __volatile__( \
46623 +- " testl %1,%1\n" \
46624 +- " jz 2f\n" \
46625 +- "0: lodsb\n" \
46626 +- " stosb\n" \
46627 +- " testb %%al,%%al\n" \
46628 +- " jz 1f\n" \
46629 +- " decl %1\n" \
46630 +- " jnz 0b\n" \
46631 +- "1: subl %1,%0\n" \
46632 +- "2:\n" \
46633 +- ".section .fixup,\"ax\"\n" \
46634 +- "3: movl %5,%0\n" \
46635 +- " jmp 2b\n" \
46636 +- ".previous\n" \
46637 +- ".section __ex_table,\"a\"\n" \
46638 +- " .align 4\n" \
46639 +- " .long 0b,3b\n" \
46640 +- ".previous" \
46641 +- : "=d"(res), "=c"(count), "=&a" (__d0), "=&S" (__d1), \
46642 +- "=&D" (__d2) \
46643 +- : "i"(-EFAULT), "0"(count), "1"(count), "3"(src), "4"(dst) \
46644 +- : "memory"); \
46645 +-} while (0)
46646 ++static long __do_strncpy_from_user(char *dst, const char __user *src, long count)
46647 ++{
46648 ++ int __d0, __d1, __d2;
46649 ++ long res = -EFAULT;
46650 ++
46651 ++ might_sleep();
46652 ++ __asm__ __volatile__(
46653 ++ " movw %w10,%%ds\n"
46654 ++ " testl %1,%1\n"
46655 ++ " jz 2f\n"
46656 ++ "0: lodsb\n"
46657 ++ " stosb\n"
46658 ++ " testb %%al,%%al\n"
46659 ++ " jz 1f\n"
46660 ++ " decl %1\n"
46661 ++ " jnz 0b\n"
46662 ++ "1: subl %1,%0\n"
46663 ++ "2:\n"
46664 ++ " pushl %%ss\n"
46665 ++ " popl %%ds\n"
46666 ++ ".section .fixup,\"ax\"\n"
46667 ++ "3: movl %5,%0\n"
46668 ++ " jmp 2b\n"
46669 ++ ".previous\n"
46670 ++ ".section __ex_table,\"a\"\n"
46671 ++ " .align 4\n"
46672 ++ " .long 0b,3b\n"
46673 ++ ".previous"
46674 ++ : "=d"(res), "=c"(count), "=&a" (__d0), "=&S" (__d1),
46675 ++ "=&D" (__d2)
46676 ++ : "i"(-EFAULT), "0"(count), "1"(count), "3"(src), "4"(dst),
46677 ++ "r"(__USER_DS)
46678 ++ : "memory");
46679 ++ return res;
46680 ++}
46681 +
46682 + /**
46683 + * __strncpy_from_user: - Copy a NUL terminated string from userspace, with less checking.
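Review bot: `long res = -EFAULT;` at the top of __do_strncpy_from_user is dead code: the constraint `"0"(count)` ties operand 0 (res) to count on entry, so the initial value is overwritten before the asm runs and a -EFAULT result can only come from the fixup at label 3. Drop the initializer or initialize from count so the code says what it does. The operand numbering is right (`%w10` is the `"r"(__USER_DS)` input), but with eleven operands a short comment mapping the numbers would help. Turning the macro into a static function is a welcome change, and the `pushl %%ss` / `popl %%ds` restore at label 2 is reached from both the normal path and the fixup, so %ds is restored on fault as well.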
46684 +@@ -81,9 +88,7 @@ do { \
46685 + long
46686 + __strncpy_from_user(char *dst, const char __user *src, long count)
46687 + {
46688 +- long res;
46689 +- __do_strncpy_from_user(dst, src, count, res);
46690 +- return res;
46691 ++ return __do_strncpy_from_user(dst, src, count);
46692 + }
46693 + EXPORT_SYMBOL(__strncpy_from_user);
46694 +
46695 +@@ -110,7 +115,7 @@ strncpy_from_user(char *dst, const char
46696 + {
46697 + long res = -EFAULT;
46698 + if (access_ok(VERIFY_READ, src, 1))
46699 +- __do_strncpy_from_user(dst, src, count, res);
46700 ++ res = __do_strncpy_from_user(dst, src, count);
46701 + return res;
46702 + }
46703 + EXPORT_SYMBOL(strncpy_from_user);
46704 +@@ -119,27 +124,33 @@ EXPORT_SYMBOL(strncpy_from_user);
46705 + * Zero Userspace
46706 + */
46707 +
46708 +-#define __do_clear_user(addr,size) \
46709 +-do { \
46710 +- int __d0; \
46711 +- might_sleep(); \
46712 +- __asm__ __volatile__( \
46713 +- "0: rep; stosl\n" \
46714 +- " movl %2,%0\n" \
46715 +- "1: rep; stosb\n" \
46716 +- "2:\n" \
46717 +- ".section .fixup,\"ax\"\n" \
46718 +- "3: lea 0(%2,%0,4),%0\n" \
46719 +- " jmp 2b\n" \
46720 +- ".previous\n" \
46721 +- ".section __ex_table,\"a\"\n" \
46722 +- " .align 4\n" \
46723 +- " .long 0b,3b\n" \
46724 +- " .long 1b,2b\n" \
46725 +- ".previous" \
46726 +- : "=&c"(size), "=&D" (__d0) \
46727 +- : "r"(size & 3), "0"(size / 4), "1"(addr), "a"(0)); \
46728 +-} while (0)
46729 ++static unsigned long __do_clear_user(void __user *addr, unsigned long size)
46730 ++{
46731 ++ int __d0;
46732 ++
46733 ++ might_sleep();
46734 ++ __asm__ __volatile__(
46735 ++ " movw %w6,%%es\n"
46736 ++ "0: rep; stosl\n"
46737 ++ " movl %2,%0\n"
46738 ++ "1: rep; stosb\n"
46739 ++ "2:\n"
46740 ++ " pushl %%ss\n"
46741 ++ " popl %%es\n"
46742 ++ ".section .fixup,\"ax\"\n"
46743 ++ "3: lea 0(%2,%0,4),%0\n"
46744 ++ " jmp 2b\n"
46745 ++ ".previous\n"
46746 ++ ".section __ex_table,\"a\"\n"
46747 ++ " .align 4\n"
46748 ++ " .long 0b,3b\n"
46749 ++ " .long 1b,2b\n"
46750 ++ ".previous"
46751 ++ : "=&c"(size), "=&D" (__d0)
46752 ++ : "r"(size & 3), "0"(size / 4), "1"(addr), "a"(0),
46753 ++ "r"(__USER_DS));
46754 ++ return size;
46755 ++}
46756 +
46757 + /**
46758 + * clear_user: - Zero a block of memory in user space.
46759 +@@ -156,7 +167,7 @@ clear_user(void __user *to, unsigned lon
46760 + {
46761 + might_sleep();
46762 + if (access_ok(VERIFY_WRITE, to, n))
46763 +- __do_clear_user(to, n);
46764 ++ n = __do_clear_user(to, n);
46765 + return n;
46766 + }
46767 + EXPORT_SYMBOL(clear_user);
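Review bot: clear_user() still calls `might_sleep()` and then `__do_clear_user()`, which now calls `might_sleep()` itself (previous hunk); harmless but redundant now that the helper is a function rather than a macro. Drop the outer call, since `__clear_user()` already depends on the inner one.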
46768 +@@ -175,8 +186,7 @@ EXPORT_SYMBOL(clear_user);
46769 + unsigned long
46770 + __clear_user(void __user *to, unsigned long n)
46771 + {
46772 +- __do_clear_user(to, n);
46773 +- return n;
46774 ++ return __do_clear_user(to, n);
46775 + }
46776 + EXPORT_SYMBOL(__clear_user);
46777 +
46778 +@@ -199,14 +209,17 @@ long strnlen_user(const char __user *s,
46779 + might_sleep();
46780 +
46781 + __asm__ __volatile__(
46782 ++ " movw %w8,%%es\n"
46783 + " testl %0, %0\n"
46784 + " jz 3f\n"
46785 +- " andl %0,%%ecx\n"
46786 ++ " movl %0,%%ecx\n"
46787 + "0: repne; scasb\n"
46788 + " setne %%al\n"
46789 + " subl %%ecx,%0\n"
46790 + " addl %0,%%eax\n"
46791 + "1:\n"
46792 ++ " pushl %%ss\n"
46793 ++ " popl %%es\n"
46794 + ".section .fixup,\"ax\"\n"
46795 + "2: xorl %%eax,%%eax\n"
46796 + " jmp 1b\n"
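Review bot: changing `andl %0,%%ecx` to `movl %0,%%ecx` in strnlen_user is a behaviour change, not just segment handling, and the changelog should say why. With `andl`, an address failing __addr_ok (mask == 0) set the scasb count to zero and skipped the scan entirely; with `movl`, the full count n is used and the scan proceeds through %es = __USER_DS, relying on the segment limit or a page fault reaching the `.long 0b,2b` fixup to stop it. The caller still gets 0 because of the `res & mask` on return, but the memory reads now actually happen. If that is intended (the segment limit now does the job the mask did), state it; otherwise keep the `andl`.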
46797 +@@ -218,7 +231,7 @@ long strnlen_user(const char __user *s,
46798 + " .long 0b,2b\n"
46799 + ".previous"
46800 + :"=r" (n), "=D" (s), "=a" (res), "=c" (tmp)
46801 +- :"0" (n), "1" (s), "2" (0), "3" (mask)
46802 ++ :"0" (n), "1" (s), "2" (0), "3" (mask), "r" (__USER_DS)
46803 + :"cc");
46804 + return res & mask;
46805 + }
46806 +@@ -226,10 +239,121 @@ EXPORT_SYMBOL(strnlen_user);
46807 +
46808 + #ifdef CONFIG_X86_INTEL_USERCOPY
46809 + static unsigned long
46810 +-__copy_user_intel(void __user *to, const void *from, unsigned long size)
46811 ++__generic_copy_to_user_intel(void __user *to, const void *from, unsigned long size)
46812 ++{
46813 ++ int d0, d1;
46814 ++ __asm__ __volatile__(
46815 ++ " movw %w6, %%es\n"
46816 ++ " .align 2,0x90\n"
46817 ++ "1: movl 32(%4), %%eax\n"
46818 ++ " cmpl $67, %0\n"
46819 ++ " jbe 3f\n"
46820 ++ "2: movl 64(%4), %%eax\n"
46821 ++ " .align 2,0x90\n"
46822 ++ "3: movl 0(%4), %%eax\n"
46823 ++ "4: movl 4(%4), %%edx\n"
46824 ++ "5: movl %%eax, %%es:0(%3)\n"
46825 ++ "6: movl %%edx, %%es:4(%3)\n"
46826 ++ "7: movl 8(%4), %%eax\n"
46827 ++ "8: movl 12(%4),%%edx\n"
46828 ++ "9: movl %%eax, %%es:8(%3)\n"
46829 ++ "10: movl %%edx, %%es:12(%3)\n"
46830 ++ "11: movl 16(%4), %%eax\n"
46831 ++ "12: movl 20(%4), %%edx\n"
46832 ++ "13: movl %%eax, %%es:16(%3)\n"
46833 ++ "14: movl %%edx, %%es:20(%3)\n"
46834 ++ "15: movl 24(%4), %%eax\n"
46835 ++ "16: movl 28(%4), %%edx\n"
46836 ++ "17: movl %%eax, %%es:24(%3)\n"
46837 ++ "18: movl %%edx, %%es:28(%3)\n"
46838 ++ "19: movl 32(%4), %%eax\n"
46839 ++ "20: movl 36(%4), %%edx\n"
46840 ++ "21: movl %%eax, %%es:32(%3)\n"
46841 ++ "22: movl %%edx, %%es:36(%3)\n"
46842 ++ "23: movl 40(%4), %%eax\n"
46843 ++ "24: movl 44(%4), %%edx\n"
46844 ++ "25: movl %%eax, %%es:40(%3)\n"
46845 ++ "26: movl %%edx, %%es:44(%3)\n"
46846 ++ "27: movl 48(%4), %%eax\n"
46847 ++ "28: movl 52(%4), %%edx\n"
46848 ++ "29: movl %%eax, %%es:48(%3)\n"
46849 ++ "30: movl %%edx, %%es:52(%3)\n"
46850 ++ "31: movl 56(%4), %%eax\n"
46851 ++ "32: movl 60(%4), %%edx\n"
46852 ++ "33: movl %%eax, %%es:56(%3)\n"
46853 ++ "34: movl %%edx, %%es:60(%3)\n"
46854 ++ " addl $-64, %0\n"
46855 ++ " addl $64, %4\n"
46856 ++ " addl $64, %3\n"
46857 ++ " cmpl $63, %0\n"
46858 ++ " ja 1b\n"
46859 ++ "35: movl %0, %%eax\n"
46860 ++ " shrl $2, %0\n"
46861 ++ " andl $3, %%eax\n"
46862 ++ " cld\n"
46863 ++ "99: rep; movsl\n"
46864 ++ "36: movl %%eax, %0\n"
46865 ++ "37: rep; movsb\n"
46866 ++ "100:\n"
46867 ++ " pushl %%ss\n"
46868 ++ " popl %%es\n"
46869 ++ ".section .fixup,\"ax\"\n"
46870 ++ "101: lea 0(%%eax,%0,4),%0\n"
46871 ++ " jmp 100b\n"
46872 ++ ".previous\n"
46873 ++ ".section __ex_table,\"a\"\n"
46874 ++ " .align 4\n"
46875 ++ " .long 1b,100b\n"
46876 ++ " .long 2b,100b\n"
46877 ++ " .long 3b,100b\n"
46878 ++ " .long 4b,100b\n"
46879 ++ " .long 5b,100b\n"
46880 ++ " .long 6b,100b\n"
46881 ++ " .long 7b,100b\n"
46882 ++ " .long 8b,100b\n"
46883 ++ " .long 9b,100b\n"
46884 ++ " .long 10b,100b\n"
46885 ++ " .long 11b,100b\n"
46886 ++ " .long 12b,100b\n"
46887 ++ " .long 13b,100b\n"
46888 ++ " .long 14b,100b\n"
46889 ++ " .long 15b,100b\n"
46890 ++ " .long 16b,100b\n"
46891 ++ " .long 17b,100b\n"
46892 ++ " .long 18b,100b\n"
46893 ++ " .long 19b,100b\n"
46894 ++ " .long 20b,100b\n"
46895 ++ " .long 21b,100b\n"
46896 ++ " .long 22b,100b\n"
46897 ++ " .long 23b,100b\n"
46898 ++ " .long 24b,100b\n"
46899 ++ " .long 25b,100b\n"
46900 ++ " .long 26b,100b\n"
46901 ++ " .long 27b,100b\n"
46902 ++ " .long 28b,100b\n"
46903 ++ " .long 29b,100b\n"
46904 ++ " .long 30b,100b\n"
46905 ++ " .long 31b,100b\n"
46906 ++ " .long 32b,100b\n"
46907 ++ " .long 33b,100b\n"
46908 ++ " .long 34b,100b\n"
46909 ++ " .long 35b,100b\n"
46910 ++ " .long 36b,100b\n"
46911 ++ " .long 37b,100b\n"
46912 ++ " .long 99b,101b\n"
46913 ++ ".previous"
46914 ++ : "=&c"(size), "=&D" (d0), "=&S" (d1)
46915 ++ : "1"(to), "2"(from), "0"(size), "r"(__USER_DS)
46916 ++ : "eax", "edx", "memory");
46917 ++ return size;
46918 ++}
46919 ++
46920 ++static unsigned long
46921 ++__generic_copy_from_user_intel(void *to, const void __user *from, unsigned long size)
46922 + {
46923 + int d0, d1;
46924 + __asm__ __volatile__(
46925 ++ " movw %w6, %%ds\n"
46926 + " .align 2,0x90\n"
46927 + "1: movl 32(%4), %%eax\n"
46928 + " cmpl $67, %0\n"
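Review bot: __generic_copy_to_user_intel and __generic_copy_from_user_intel are byte-for-byte copies except for which segment register receives `%w6` (`%%es` versus `%%ds`) and the `%%es:` overrides on the stores; that is roughly 120 lines of unrolled asm and a 38-entry exception table now maintained twice. Generate both from one macro parameterised on the segment register, or keep a single `__copy_user_intel` and pass the segment in. A smaller point: in the to-user variant the loads at `1:`..`4:`, `7:`, `8:` and so on read kernel memory through %ds and cannot legitimately fault, yet stay in the exception table; harmless, but it makes the table look like it covers more than it does.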
46929 +@@ -238,36 +362,36 @@ __copy_user_intel(void __user *to, const
46930 + " .align 2,0x90\n"
46931 + "3: movl 0(%4), %%eax\n"
46932 + "4: movl 4(%4), %%edx\n"
46933 +- "5: movl %%eax, 0(%3)\n"
46934 +- "6: movl %%edx, 4(%3)\n"
46935 ++ "5: movl %%eax, %%es:0(%3)\n"
46936 ++ "6: movl %%edx, %%es:4(%3)\n"
46937 + "7: movl 8(%4), %%eax\n"
46938 + "8: movl 12(%4),%%edx\n"
46939 +- "9: movl %%eax, 8(%3)\n"
46940 +- "10: movl %%edx, 12(%3)\n"
46941 ++ "9: movl %%eax, %%es:8(%3)\n"
46942 ++ "10: movl %%edx, %%es:12(%3)\n"
46943 + "11: movl 16(%4), %%eax\n"
46944 + "12: movl 20(%4), %%edx\n"
46945 +- "13: movl %%eax, 16(%3)\n"
46946 +- "14: movl %%edx, 20(%3)\n"
46947 ++ "13: movl %%eax, %%es:16(%3)\n"
46948 ++ "14: movl %%edx, %%es:20(%3)\n"
46949 + "15: movl 24(%4), %%eax\n"
46950 + "16: movl 28(%4), %%edx\n"
46951 +- "17: movl %%eax, 24(%3)\n"
46952 +- "18: movl %%edx, 28(%3)\n"
46953 ++ "17: movl %%eax, %%es:24(%3)\n"
46954 ++ "18: movl %%edx, %%es:28(%3)\n"
46955 + "19: movl 32(%4), %%eax\n"
46956 + "20: movl 36(%4), %%edx\n"
46957 +- "21: movl %%eax, 32(%3)\n"
46958 +- "22: movl %%edx, 36(%3)\n"
46959 ++ "21: movl %%eax, %%es:32(%3)\n"
46960 ++ "22: movl %%edx, %%es:36(%3)\n"
46961 + "23: movl 40(%4), %%eax\n"
46962 + "24: movl 44(%4), %%edx\n"
46963 +- "25: movl %%eax, 40(%3)\n"
46964 +- "26: movl %%edx, 44(%3)\n"
46965 ++ "25: movl %%eax, %%es:40(%3)\n"
46966 ++ "26: movl %%edx, %%es:44(%3)\n"
46967 + "27: movl 48(%4), %%eax\n"
46968 + "28: movl 52(%4), %%edx\n"
46969 +- "29: movl %%eax, 48(%3)\n"
46970 +- "30: movl %%edx, 52(%3)\n"
46971 ++ "29: movl %%eax, %%es:48(%3)\n"
46972 ++ "30: movl %%edx, %%es:52(%3)\n"
46973 + "31: movl 56(%4), %%eax\n"
46974 + "32: movl 60(%4), %%edx\n"
46975 +- "33: movl %%eax, 56(%3)\n"
46976 +- "34: movl %%edx, 60(%3)\n"
46977 ++ "33: movl %%eax, %%es:56(%3)\n"
46978 ++ "34: movl %%edx, %%es:60(%3)\n"
46979 + " addl $-64, %0\n"
46980 + " addl $64, %4\n"
46981 + " addl $64, %3\n"
46982 +@@ -281,6 +405,8 @@ __copy_user_intel(void __user *to, const
46983 + "36: movl %%eax, %0\n"
46984 + "37: rep; movsb\n"
46985 + "100:\n"
46986 ++ " pushl %%ss\n"
46987 ++ " popl %%ds\n"
46988 + ".section .fixup,\"ax\"\n"
46989 + "101: lea 0(%%eax,%0,4),%0\n"
46990 + " jmp 100b\n"
46991 +@@ -327,7 +453,7 @@ __copy_user_intel(void __user *to, const
46992 + " .long 99b,101b\n"
46993 + ".previous"
46994 + : "=&c"(size), "=&D" (d0), "=&S" (d1)
46995 +- : "1"(to), "2"(from), "0"(size)
46996 ++ : "1"(to), "2"(from), "0"(size), "r"(__USER_DS)
46997 + : "eax", "edx", "memory");
46998 + return size;
46999 + }
47000 +@@ -337,6 +463,7 @@ __copy_user_zeroing_intel(void *to, cons
47001 + {
47002 + int d0, d1;
47003 + __asm__ __volatile__(
47004 ++ " movw %w6, %%ds\n"
47005 + " .align 2,0x90\n"
47006 + "0: movl 32(%4), %%eax\n"
47007 + " cmpl $67, %0\n"
47008 +@@ -345,36 +472,36 @@ __copy_user_zeroing_intel(void *to, cons
47009 + " .align 2,0x90\n"
47010 + "2: movl 0(%4), %%eax\n"
47011 + "21: movl 4(%4), %%edx\n"
47012 +- " movl %%eax, 0(%3)\n"
47013 +- " movl %%edx, 4(%3)\n"
47014 ++ " movl %%eax, %%es:0(%3)\n"
47015 ++ " movl %%edx, %%es:4(%3)\n"
47016 + "3: movl 8(%4), %%eax\n"
47017 + "31: movl 12(%4),%%edx\n"
47018 +- " movl %%eax, 8(%3)\n"
47019 +- " movl %%edx, 12(%3)\n"
47020 ++ " movl %%eax, %%es:8(%3)\n"
47021 ++ " movl %%edx, %%es:12(%3)\n"
47022 + "4: movl 16(%4), %%eax\n"
47023 + "41: movl 20(%4), %%edx\n"
47024 +- " movl %%eax, 16(%3)\n"
47025 +- " movl %%edx, 20(%3)\n"
47026 ++ " movl %%eax, %%es:16(%3)\n"
47027 ++ " movl %%edx, %%es:20(%3)\n"
47028 + "10: movl 24(%4), %%eax\n"
47029 + "51: movl 28(%4), %%edx\n"
47030 +- " movl %%eax, 24(%3)\n"
47031 +- " movl %%edx, 28(%3)\n"
47032 ++ " movl %%eax, %%es:24(%3)\n"
47033 ++ " movl %%edx, %%es:28(%3)\n"
47034 + "11: movl 32(%4), %%eax\n"
47035 + "61: movl 36(%4), %%edx\n"
47036 +- " movl %%eax, 32(%3)\n"
47037 +- " movl %%edx, 36(%3)\n"
47038 ++ " movl %%eax, %%es:32(%3)\n"
47039 ++ " movl %%edx, %%es:36(%3)\n"
47040 + "12: movl 40(%4), %%eax\n"
47041 + "71: movl 44(%4), %%edx\n"
47042 +- " movl %%eax, 40(%3)\n"
47043 +- " movl %%edx, 44(%3)\n"
47044 ++ " movl %%eax, %%es:40(%3)\n"
47045 ++ " movl %%edx, %%es:44(%3)\n"
47046 + "13: movl 48(%4), %%eax\n"
47047 + "81: movl 52(%4), %%edx\n"
47048 +- " movl %%eax, 48(%3)\n"
47049 +- " movl %%edx, 52(%3)\n"
47050 ++ " movl %%eax, %%es:48(%3)\n"
47051 ++ " movl %%edx, %%es:52(%3)\n"
47052 + "14: movl 56(%4), %%eax\n"
47053 + "91: movl 60(%4), %%edx\n"
47054 +- " movl %%eax, 56(%3)\n"
47055 +- " movl %%edx, 60(%3)\n"
47056 ++ " movl %%eax, %%es:56(%3)\n"
47057 ++ " movl %%edx, %%es:60(%3)\n"
47058 + " addl $-64, %0\n"
47059 + " addl $64, %4\n"
47060 + " addl $64, %3\n"
47061 +@@ -388,6 +515,8 @@ __copy_user_zeroing_intel(void *to, cons
47062 + " movl %%eax,%0\n"
47063 + "7: rep; movsb\n"
47064 + "8:\n"
47065 ++ " pushl %%ss\n"
47066 ++ " popl %%ds\n"
47067 + ".section .fixup,\"ax\"\n"
47068 + "9: lea 0(%%eax,%0,4),%0\n"
47069 + "16: pushl %0\n"
47070 +@@ -422,7 +551,7 @@ __copy_user_zeroing_intel(void *to, cons
47071 + " .long 7b,16b\n"
47072 + ".previous"
47073 + : "=&c"(size), "=&D" (d0), "=&S" (d1)
47074 +- : "1"(to), "2"(from), "0"(size)
47075 ++ : "1"(to), "2"(from), "0"(size), "r"(__USER_DS)
47076 + : "eax", "edx", "memory");
47077 + return size;
47078 + }
47079 +@@ -438,6 +567,7 @@ static unsigned long __copy_user_zeroing
47080 + int d0, d1;
47081 +
47082 + __asm__ __volatile__(
47083 ++ " movw %w6, %%ds\n"
47084 + " .align 2,0x90\n"
47085 + "0: movl 32(%4), %%eax\n"
47086 + " cmpl $67, %0\n"
47087 +@@ -446,36 +576,36 @@ static unsigned long __copy_user_zeroing
47088 + " .align 2,0x90\n"
47089 + "2: movl 0(%4), %%eax\n"
47090 + "21: movl 4(%4), %%edx\n"
47091 +- " movnti %%eax, 0(%3)\n"
47092 +- " movnti %%edx, 4(%3)\n"
47093 ++ " movnti %%eax, %%es:0(%3)\n"
47094 ++ " movnti %%edx, %%es:4(%3)\n"
47095 + "3: movl 8(%4), %%eax\n"
47096 + "31: movl 12(%4),%%edx\n"
47097 +- " movnti %%eax, 8(%3)\n"
47098 +- " movnti %%edx, 12(%3)\n"
47099 ++ " movnti %%eax, %%es:8(%3)\n"
47100 ++ " movnti %%edx, %%es:12(%3)\n"
47101 + "4: movl 16(%4), %%eax\n"
47102 + "41: movl 20(%4), %%edx\n"
47103 +- " movnti %%eax, 16(%3)\n"
47104 +- " movnti %%edx, 20(%3)\n"
47105 ++ " movnti %%eax, %%es:16(%3)\n"
47106 ++ " movnti %%edx, %%es:20(%3)\n"
47107 + "10: movl 24(%4), %%eax\n"
47108 + "51: movl 28(%4), %%edx\n"
47109 +- " movnti %%eax, 24(%3)\n"
47110 +- " movnti %%edx, 28(%3)\n"
47111 ++ " movnti %%eax, %%es:24(%3)\n"
47112 ++ " movnti %%edx, %%es:28(%3)\n"
47113 + "11: movl 32(%4), %%eax\n"
47114 + "61: movl 36(%4), %%edx\n"
47115 +- " movnti %%eax, 32(%3)\n"
47116 +- " movnti %%edx, 36(%3)\n"
47117 ++ " movnti %%eax, %%es:32(%3)\n"
47118 ++ " movnti %%edx, %%es:36(%3)\n"
47119 + "12: movl 40(%4), %%eax\n"
47120 + "71: movl 44(%4), %%edx\n"
47121 +- " movnti %%eax, 40(%3)\n"
47122 +- " movnti %%edx, 44(%3)\n"
47123 ++ " movnti %%eax, %%es:40(%3)\n"
47124 ++ " movnti %%edx, %%es:44(%3)\n"
47125 + "13: movl 48(%4), %%eax\n"
47126 + "81: movl 52(%4), %%edx\n"
47127 +- " movnti %%eax, 48(%3)\n"
47128 +- " movnti %%edx, 52(%3)\n"
47129 ++ " movnti %%eax, %%es:48(%3)\n"
47130 ++ " movnti %%edx, %%es:52(%3)\n"
47131 + "14: movl 56(%4), %%eax\n"
47132 + "91: movl 60(%4), %%edx\n"
47133 +- " movnti %%eax, 56(%3)\n"
47134 +- " movnti %%edx, 60(%3)\n"
47135 ++ " movnti %%eax, %%es:56(%3)\n"
47136 ++ " movnti %%edx, %%es:60(%3)\n"
47137 + " addl $-64, %0\n"
47138 + " addl $64, %4\n"
47139 + " addl $64, %3\n"
47140 +@@ -490,6 +620,8 @@ static unsigned long __copy_user_zeroing
47141 + " movl %%eax,%0\n"
47142 + "7: rep; movsb\n"
47143 + "8:\n"
47144 ++ " pushl %%ss\n"
47145 ++ " popl %%ds\n"
47146 + ".section .fixup,\"ax\"\n"
47147 + "9: lea 0(%%eax,%0,4),%0\n"
47148 + "16: pushl %0\n"
47149 +@@ -524,7 +656,7 @@ static unsigned long __copy_user_zeroing
47150 + " .long 7b,16b\n"
47151 + ".previous"
47152 + : "=&c"(size), "=&D" (d0), "=&S" (d1)
47153 +- : "1"(to), "2"(from), "0"(size)
47154 ++ : "1"(to), "2"(from), "0"(size), "r"(__USER_DS)
47155 + : "eax", "edx", "memory");
47156 + return size;
47157 + }
47158 +@@ -535,6 +667,7 @@ static unsigned long __copy_user_intel_n
47159 + int d0, d1;
47160 +
47161 + __asm__ __volatile__(
47162 ++ " movw %w6, %%ds\n"
47163 + " .align 2,0x90\n"
47164 + "0: movl 32(%4), %%eax\n"
47165 + " cmpl $67, %0\n"
47166 +@@ -543,36 +676,36 @@ static unsigned long __copy_user_intel_n
47167 + " .align 2,0x90\n"
47168 + "2: movl 0(%4), %%eax\n"
47169 + "21: movl 4(%4), %%edx\n"
47170 +- " movnti %%eax, 0(%3)\n"
47171 +- " movnti %%edx, 4(%3)\n"
47172 ++ " movnti %%eax, %%es:0(%3)\n"
47173 ++ " movnti %%edx, %%es:4(%3)\n"
47174 + "3: movl 8(%4), %%eax\n"
47175 + "31: movl 12(%4),%%edx\n"
47176 +- " movnti %%eax, 8(%3)\n"
47177 +- " movnti %%edx, 12(%3)\n"
47178 ++ " movnti %%eax, %%es:8(%3)\n"
47179 ++ " movnti %%edx, %%es:12(%3)\n"
47180 + "4: movl 16(%4), %%eax\n"
47181 + "41: movl 20(%4), %%edx\n"
47182 +- " movnti %%eax, 16(%3)\n"
47183 +- " movnti %%edx, 20(%3)\n"
47184 ++ " movnti %%eax, %%es:16(%3)\n"
47185 ++ " movnti %%edx, %%es:20(%3)\n"
47186 + "10: movl 24(%4), %%eax\n"
47187 + "51: movl 28(%4), %%edx\n"
47188 +- " movnti %%eax, 24(%3)\n"
47189 +- " movnti %%edx, 28(%3)\n"
47190 ++ " movnti %%eax, %%es:24(%3)\n"
47191 ++ " movnti %%edx, %%es:28(%3)\n"
47192 + "11: movl 32(%4), %%eax\n"
47193 + "61: movl 36(%4), %%edx\n"
47194 +- " movnti %%eax, 32(%3)\n"
47195 +- " movnti %%edx, 36(%3)\n"
47196 ++ " movnti %%eax, %%es:32(%3)\n"
47197 ++ " movnti %%edx, %%es:36(%3)\n"
47198 + "12: movl 40(%4), %%eax\n"
47199 + "71: movl 44(%4), %%edx\n"
47200 +- " movnti %%eax, 40(%3)\n"
47201 +- " movnti %%edx, 44(%3)\n"
47202 ++ " movnti %%eax, %%es:40(%3)\n"
47203 ++ " movnti %%edx, %%es:44(%3)\n"
47204 + "13: movl 48(%4), %%eax\n"
47205 + "81: movl 52(%4), %%edx\n"
47206 +- " movnti %%eax, 48(%3)\n"
47207 +- " movnti %%edx, 52(%3)\n"
47208 ++ " movnti %%eax, %%es:48(%3)\n"
47209 ++ " movnti %%edx, %%es:52(%3)\n"
47210 + "14: movl 56(%4), %%eax\n"
47211 + "91: movl 60(%4), %%edx\n"
47212 +- " movnti %%eax, 56(%3)\n"
47213 +- " movnti %%edx, 60(%3)\n"
47214 ++ " movnti %%eax, %%es:56(%3)\n"
47215 ++ " movnti %%edx, %%es:60(%3)\n"
47216 + " addl $-64, %0\n"
47217 + " addl $64, %4\n"
47218 + " addl $64, %3\n"
47219 +@@ -587,6 +720,8 @@ static unsigned long __copy_user_intel_n
47220 + " movl %%eax,%0\n"
47221 + "7: rep; movsb\n"
47222 + "8:\n"
47223 ++ " pushl %%ss\n"
47224 ++ " popl %%ds\n"
47225 + ".section .fixup,\"ax\"\n"
47226 + "9: lea 0(%%eax,%0,4),%0\n"
47227 + "16: jmp 8b\n"
47228 +@@ -615,7 +750,7 @@ static unsigned long __copy_user_intel_n
47229 + " .long 7b,16b\n"
47230 + ".previous"
47231 + : "=&c"(size), "=&D" (d0), "=&S" (d1)
47232 +- : "1"(to), "2"(from), "0"(size)
47233 ++ : "1"(to), "2"(from), "0"(size), "r"(__USER_DS)
47234 + : "eax", "edx", "memory");
47235 + return size;
47236 + }
47237 +@@ -628,90 +763,146 @@ static unsigned long __copy_user_intel_n
47238 + */
47239 + unsigned long __copy_user_zeroing_intel(void *to, const void __user *from,
47240 + unsigned long size);
47241 +-unsigned long __copy_user_intel(void __user *to, const void *from,
47242 ++unsigned long __generic_copy_to_user_intel(void __user *to, const void *from,
47243 ++ unsigned long size);
47244 ++unsigned long __generic_copy_from_user_intel(void *to, const void __user *from,
47245 + unsigned long size);
47246 + unsigned long __copy_user_zeroing_intel_nocache(void *to,
47247 + const void __user *from, unsigned long size);
47248 + #endif /* CONFIG_X86_INTEL_USERCOPY */
47249 +
47250 + /* Generic arbitrary sized copy. */
47251 +-#define __copy_user(to,from,size) \
47252 +-do { \
47253 +- int __d0, __d1, __d2; \
47254 +- __asm__ __volatile__( \
47255 +- " cmp $7,%0\n" \
47256 +- " jbe 1f\n" \
47257 +- " movl %1,%0\n" \
47258 +- " negl %0\n" \
47259 +- " andl $7,%0\n" \
47260 +- " subl %0,%3\n" \
47261 +- "4: rep; movsb\n" \
47262 +- " movl %3,%0\n" \
47263 +- " shrl $2,%0\n" \
47264 +- " andl $3,%3\n" \
47265 +- " .align 2,0x90\n" \
47266 +- "0: rep; movsl\n" \
47267 +- " movl %3,%0\n" \
47268 +- "1: rep; movsb\n" \
47269 +- "2:\n" \
47270 +- ".section .fixup,\"ax\"\n" \
47271 +- "5: addl %3,%0\n" \
47272 +- " jmp 2b\n" \
47273 +- "3: lea 0(%3,%0,4),%0\n" \
47274 +- " jmp 2b\n" \
47275 +- ".previous\n" \
47276 +- ".section __ex_table,\"a\"\n" \
47277 +- " .align 4\n" \
47278 +- " .long 4b,5b\n" \
47279 +- " .long 0b,3b\n" \
47280 +- " .long 1b,2b\n" \
47281 +- ".previous" \
47282 +- : "=&c"(size), "=&D" (__d0), "=&S" (__d1), "=r"(__d2) \
47283 +- : "3"(size), "0"(size), "1"(to), "2"(from) \
47284 +- : "memory"); \
47285 +-} while (0)
47286 +-
47287 +-#define __copy_user_zeroing(to,from,size) \
47288 +-do { \
47289 +- int __d0, __d1, __d2; \
47290 +- __asm__ __volatile__( \
47291 +- " cmp $7,%0\n" \
47292 +- " jbe 1f\n" \
47293 +- " movl %1,%0\n" \
47294 +- " negl %0\n" \
47295 +- " andl $7,%0\n" \
47296 +- " subl %0,%3\n" \
47297 +- "4: rep; movsb\n" \
47298 +- " movl %3,%0\n" \
47299 +- " shrl $2,%0\n" \
47300 +- " andl $3,%3\n" \
47301 +- " .align 2,0x90\n" \
47302 +- "0: rep; movsl\n" \
47303 +- " movl %3,%0\n" \
47304 +- "1: rep; movsb\n" \
47305 +- "2:\n" \
47306 +- ".section .fixup,\"ax\"\n" \
47307 +- "5: addl %3,%0\n" \
47308 +- " jmp 6f\n" \
47309 +- "3: lea 0(%3,%0,4),%0\n" \
47310 +- "6: pushl %0\n" \
47311 +- " pushl %%eax\n" \
47312 +- " xorl %%eax,%%eax\n" \
47313 +- " rep; stosb\n" \
47314 +- " popl %%eax\n" \
47315 +- " popl %0\n" \
47316 +- " jmp 2b\n" \
47317 +- ".previous\n" \
47318 +- ".section __ex_table,\"a\"\n" \
47319 +- " .align 4\n" \
47320 +- " .long 4b,5b\n" \
47321 +- " .long 0b,3b\n" \
47322 +- " .long 1b,6b\n" \
47323 +- ".previous" \
47324 +- : "=&c"(size), "=&D" (__d0), "=&S" (__d1), "=r"(__d2) \
47325 +- : "3"(size), "0"(size), "1"(to), "2"(from) \
47326 +- : "memory"); \
47327 +-} while (0)
47328 ++static unsigned long
47329 ++__generic_copy_to_user(void __user *to, const void *from, unsigned long size)
47330 ++{
47331 ++ int __d0, __d1, __d2;
47332 ++
47333 ++ __asm__ __volatile__(
47334 ++ " movw %w8,%%es\n"
47335 ++ " cmp $7,%0\n"
47336 ++ " jbe 1f\n"
47337 ++ " movl %1,%0\n"
47338 ++ " negl %0\n"
47339 ++ " andl $7,%0\n"
47340 ++ " subl %0,%3\n"
47341 ++ "4: rep; movsb\n"
47342 ++ " movl %3,%0\n"
47343 ++ " shrl $2,%0\n"
47344 ++ " andl $3,%3\n"
47345 ++ " .align 2,0x90\n"
47346 ++ "0: rep; movsl\n"
47347 ++ " movl %3,%0\n"
47348 ++ "1: rep; movsb\n"
47349 ++ "2:\n"
47350 ++ " pushl %%ss\n"
47351 ++ " popl %%es\n"
47352 ++ ".section .fixup,\"ax\"\n"
47353 ++ "5: addl %3,%0\n"
47354 ++ " jmp 2b\n"
47355 ++ "3: lea 0(%3,%0,4),%0\n"
47356 ++ " jmp 2b\n"
47357 ++ ".previous\n"
47358 ++ ".section __ex_table,\"a\"\n"
47359 ++ " .align 4\n"
47360 ++ " .long 4b,5b\n"
47361 ++ " .long 0b,3b\n"
47362 ++ " .long 1b,2b\n"
47363 ++ ".previous"
47364 ++ : "=&c"(size), "=&D" (__d0), "=&S" (__d1), "=r"(__d2)
47365 ++ : "3"(size), "0"(size), "1"(to), "2"(from), "r"(__USER_DS)
47366 ++ : "memory");
47367 ++ return size;
47368 ++}
47369 ++
47370 ++static unsigned long
47371 ++__generic_copy_from_user(void *to, const void __user *from, unsigned long size)
47372 ++{
47373 ++ int __d0, __d1, __d2;
47374 ++
47375 ++ __asm__ __volatile__(
47376 ++ " movw %w8,%%ds\n"
47377 ++ " cmp $7,%0\n"
47378 ++ " jbe 1f\n"
47379 ++ " movl %1,%0\n"
47380 ++ " negl %0\n"
47381 ++ " andl $7,%0\n"
47382 ++ " subl %0,%3\n"
47383 ++ "4: rep; movsb\n"
47384 ++ " movl %3,%0\n"
47385 ++ " shrl $2,%0\n"
47386 ++ " andl $3,%3\n"
47387 ++ " .align 2,0x90\n"
47388 ++ "0: rep; movsl\n"
47389 ++ " movl %3,%0\n"
47390 ++ "1: rep; movsb\n"
47391 ++ "2:\n"
47392 ++ " pushl %%ss\n"
47393 ++ " popl %%ds\n"
47394 ++ ".section .fixup,\"ax\"\n"
47395 ++ "5: addl %3,%0\n"
47396 ++ " jmp 2b\n"
47397 ++ "3: lea 0(%3,%0,4),%0\n"
47398 ++ " jmp 2b\n"
47399 ++ ".previous\n"
47400 ++ ".section __ex_table,\"a\"\n"
47401 ++ " .align 4\n"
47402 ++ " .long 4b,5b\n"
47403 ++ " .long 0b,3b\n"
47404 ++ " .long 1b,2b\n"
47405 ++ ".previous"
47406 ++ : "=&c"(size), "=&D" (__d0), "=&S" (__d1), "=r"(__d2)
47407 ++ : "3"(size), "0"(size), "1"(to), "2"(from), "r"(__USER_DS)
47408 ++ : "memory");
47409 ++ return size;
47410 ++}
47411 ++
47412 ++static unsigned long
47413 ++__copy_user_zeroing(void *to, const void __user *from, unsigned long size)
47414 ++{
47415 ++ int __d0, __d1, __d2;
47416 ++
47417 ++ __asm__ __volatile__(
47418 ++ " movw %w8,%%ds\n"
47419 ++ " cmp $7,%0\n"
47420 ++ " jbe 1f\n"
47421 ++ " movl %1,%0\n"
47422 ++ " negl %0\n"
47423 ++ " andl $7,%0\n"
47424 ++ " subl %0,%3\n"
47425 ++ "4: rep; movsb\n"
47426 ++ " movl %3,%0\n"
47427 ++ " shrl $2,%0\n"
47428 ++ " andl $3,%3\n"
47429 ++ " .align 2,0x90\n"
47430 ++ "0: rep; movsl\n"
47431 ++ " movl %3,%0\n"
47432 ++ "1: rep; movsb\n"
47433 ++ "2:\n"
47434 ++ " pushl %%ss\n"
47435 ++ " popl %%ds\n"
47436 ++ ".section .fixup,\"ax\"\n"
47437 ++ "5: addl %3,%0\n"
47438 ++ " jmp 6f\n"
47439 ++ "3: lea 0(%3,%0,4),%0\n"
47440 ++ "6: pushl %0\n"
47441 ++ " pushl %%eax\n"
47442 ++ " xorl %%eax,%%eax\n"
47443 ++ " rep; stosb\n"
47444 ++ " popl %%eax\n"
47445 ++ " popl %0\n"
47446 ++ " jmp 2b\n"
47447 ++ ".previous\n"
47448 ++ ".section __ex_table,\"a\"\n"
47449 ++ " .align 4\n"
47450 ++ " .long 4b,5b\n"
47451 ++ " .long 0b,3b\n"
47452 ++ " .long 1b,6b\n"
47453 ++ ".previous"
47454 ++ : "=&c"(size), "=&D" (__d0), "=&S" (__d1), "=r"(__d2)
47455 ++ : "3"(size), "0"(size), "1"(to), "2"(from), "r"(__USER_DS)
47456 ++ : "memory");
47457 ++ return size;
47458 ++}
47459 +
47460 + unsigned long __copy_to_user_ll(void __user *to, const void *from,
47461 + unsigned long n)
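Review bot: in the three new functions the `.fixup` code runs while DS still points at `__USER_DS`, because the restoring `pushl %%ss` / `popl %%ds` at label 2 is only reached afterwards; the fixup therefore must not touch kernel data through a DS-relative operand. `__copy_user_zeroing`'s fixup at 5/3/6 only uses registers, the stack (SS) and `rep; stosb` through ES:EDI, so it is correct, but that constraint is easy to break when editing and deserves a comment in the asm. Operand numbering checks out: with four outputs, `%w8` is the `"r"(__USER_DS)` input in all three blocks. Note that the replaced macros updated `size` in place through the `"=&c"(size)` output, whereas these functions return the residue, so every former macro call site must now assign the result.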
47462 +@@ -774,9 +965,9 @@ survive:
47463 + }
47464 + #endif
47465 + if (movsl_is_ok(to, from, n))
47466 +- __copy_user(to, from, n);
47467 ++ n = __generic_copy_to_user(to, from, n);
47468 + else
47469 +- n = __copy_user_intel(to, from, n);
47470 ++ n = __generic_copy_to_user_intel(to, from, n);
47471 + return n;
47472 + }
47473 + EXPORT_SYMBOL(__copy_to_user_ll);
47474 +@@ -785,7 +976,7 @@ unsigned long __copy_from_user_ll(void *
47475 + unsigned long n)
47476 + {
47477 + if (movsl_is_ok(to, from, n))
47478 +- __copy_user_zeroing(to, from, n);
47479 ++ n = __copy_user_zeroing(to, from, n);
47480 + else
47481 + n = __copy_user_zeroing_intel(to, from, n);
47482 + return n;
47483 +@@ -796,9 +987,9 @@ unsigned long __copy_from_user_ll_nozero
47484 + unsigned long n)
47485 + {
47486 + if (movsl_is_ok(to, from, n))
47487 +- __copy_user(to, from, n);
47488 ++ n = __generic_copy_from_user(to, from, n);
47489 + else
47490 +- n = __copy_user_intel((void __user *)to,
47491 ++ n = __generic_copy_from_user_intel((void __user *)to,
47492 + (const void *)from, n);
47493 + return n;
47494 + }
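Review bot: the casts `(void __user *)to, (const void *)from` in the `else` branch are now backwards. `__generic_copy_from_user_intel` is declared as `(void *to, const void __user *from, ...)` in the prototype hunk above, so this call casts a kernel pointer to `__user` and a user pointer to a plain pointer, which sparse will flag and which hides exactly the address-space annotation this patch is adding. The casts were only needed while this path reused `__copy_user_intel`'s to-user signature; drop them: `n = __generic_copy_from_user_intel(to, from, n);`.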
47495 +@@ -809,9 +1000,9 @@ unsigned long __copy_from_user_ll_nocach
47496 + {
47497 + #ifdef CONFIG_X86_INTEL_USERCOPY
47498 + if ( n > 64 && cpu_has_xmm2)
47499 +- n = __copy_user_zeroing_intel_nocache(to, from, n);
47500 ++ n = __copy_user_zeroing_intel_nocache(to, from, n);
47501 + else
47502 +- __copy_user_zeroing(to, from, n);
47503 ++ n = __copy_user_zeroing(to, from, n);
47504 + #else
47505 + __copy_user_zeroing(to, from, n);
47506 + #endif
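Review bot: the `#else` branch at `__copy_user_zeroing(to, from, n);` is left as a bare call, but `__copy_user_zeroing` is no longer a macro that updates `n` through its `"=&c"(size)` output; it is now a function returning the residue, so with CONFIG_X86_INTEL_USERCOPY unset `n` is never updated and `__copy_from_user_ll_nocache` reports every byte as uncopied. It should read `n = __copy_user_zeroing(to, from, n);`, as the Intel branch two lines above and the `#else` branch of the next hunk already do. The `n = __copy_user_zeroing_intel_nocache(...)` line is a whitespace-only change and could be dropped from the patch.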
47507 +@@ -823,11 +1014,11 @@ unsigned long __copy_from_user_ll_nocach
47508 + {
47509 + #ifdef CONFIG_X86_INTEL_USERCOPY
47510 + if ( n > 64 && cpu_has_xmm2)
47511 +- n = __copy_user_intel_nocache(to, from, n);
47512 ++ n = __copy_user_intel_nocache(to, from, n);
47513 + else
47514 +- __copy_user(to, from, n);
47515 ++ n = __generic_copy_from_user(to, from, n);
47516 + #else
47517 +- __copy_user(to, from, n);
47518 ++ n = __generic_copy_from_user(to, from, n);
47519 + #endif
47520 + return n;
47521 + }
47522 +@@ -880,3 +1071,30 @@ copy_from_user(void *to, const void __us
47523 + return n;
47524 + }
47525 + EXPORT_SYMBOL(copy_from_user);
47526 ++
47527 ++#ifdef CONFIG_PAX_MEMORY_UDEREF
47528 ++void __set_fs(mm_segment_t x, int cpu)
47529 ++{
47530 ++ unsigned long limit = x.seg;
47531 ++ __u32 a, b;
47532 ++
47533 ++ current_thread_info()->addr_limit = x;
47534 ++ if (likely(limit))
47535 ++ limit = (limit - 1UL) >> PAGE_SHIFT;
47536 ++ pack_descriptor(&a, &b, 0UL, limit, 0xF3, 0xC);
47537 ++ write_gdt_entry(get_cpu_gdt_table(cpu), GDT_ENTRY_DEFAULT_USER_DS, a, b);
47538 ++}
47539 ++
47540 ++void set_fs(mm_segment_t x)
47541 ++{
47542 ++ __set_fs(x, get_cpu());
47543 ++ put_cpu_no_resched();
47544 ++}
47545 ++#else
47546 ++void set_fs(mm_segment_t x)
47547 ++{
47548 ++ current_thread_info()->addr_limit = x;
47549 ++}
47550 ++#endif
47551 ++
47552 ++EXPORT_SYMBOL(set_fs);
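Review bot: `__set_fs` rewrites the `GDT_ENTRY_DEFAULT_USER_DS` descriptor of the CPU passed in, but `addr_limit` is per-thread; nothing in this hunk re-applies the limit when the task is switched in on another CPU, so the context-switch path must call `__set_fs(addr_limit, cpu)` (or equivalent) for the incoming task, and that dependency should be stated in a comment here since a stale descriptor would either block legitimate `KERNEL_DS` accesses or leave a wider user-data limit than the thread requested. Also, `x.seg == 0` leaves `limit` at 0, which with the 0xC (G=1) granularity passed to `pack_descriptor` yields a 4 KiB segment rather than an empty one; if a zero address limit is meant to forbid all access through this selector, that case needs explicit handling. The non-UDEREF `set_fs` keeps the old behaviour, and exporting a single `set_fs` symbol for both variants is fine.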
47553 +diff -urNp linux-2.6.24.5/arch/x86/mach-voyager/voyager_basic.c linux-2.6.24.5/arch/x86/mach-voyager/voyager_basic.c
47554 +--- linux-2.6.24.5/arch/x86/mach-voyager/voyager_basic.c 2008-03-24 14:49:18.000000000 -0400
47555 ++++ linux-2.6.24.5/arch/x86/mach-voyager/voyager_basic.c 2008-03-26 20:21:08.000000000 -0400
47556 +@@ -130,7 +130,7 @@ voyager_memory_detect(int region, __u32
47557 + __u8 cmos[4];
47558 + ClickMap_t *map;
47559 + unsigned long map_addr;
47560 +- unsigned long old;
47561 ++ pte_t old;
47562 +
47563 + if(region >= CLICK_ENTRIES) {
47564 + printk("Voyager: Illegal ClickMap region %d\n", region);
47565 +@@ -144,7 +144,7 @@ voyager_memory_detect(int region, __u32
47566 +
47567 + /* steal page 0 for this */
47568 + old = pg0[0];
47569 +- pg0[0] = ((map_addr & PAGE_MASK) | _PAGE_RW | _PAGE_PRESENT);
47570 ++ pg0[0] = __pte((map_addr & PAGE_MASK) | _PAGE_RW | _PAGE_PRESENT);
47571 + local_flush_tlb();
47572 + /* now clear everything out but page 0 */
47573 + map = (ClickMap_t *)(map_addr & (~PAGE_MASK));
47574 +diff -urNp linux-2.6.24.5/arch/x86/mach-voyager/voyager_smp.c linux-2.6.24.5/arch/x86/mach-voyager/voyager_smp.c
47575 +--- linux-2.6.24.5/arch/x86/mach-voyager/voyager_smp.c 2008-03-24 14:49:18.000000000 -0400
47576 ++++ linux-2.6.24.5/arch/x86/mach-voyager/voyager_smp.c 2008-03-26 20:21:08.000000000 -0400
47577 +@@ -554,6 +554,10 @@ do_boot_cpu(__u8 cpu)
47578 + __u32 *hijack_vector;
47579 + __u32 start_phys_address = setup_trampoline();
47580 +
47581 ++#ifdef CONFIG_PAX_KERNEXEC
47582 ++ unsigned long cr0;
47583 ++#endif
47584 ++
47585 + /* There's a clever trick to this: The linux trampoline is
47586 + * compiled to begin at absolute location zero, so make the
47587 + * address zero but have the data segment selector compensate
47588 +@@ -573,7 +577,17 @@ do_boot_cpu(__u8 cpu)
47589 +
47590 + init_gdt(cpu);
47591 + per_cpu(current_task, cpu) = idle;
47592 +- early_gdt_descr.address = (unsigned long)get_cpu_gdt_table(cpu);
47593 ++
47594 ++#ifdef CONFIG_PAX_KERNEXEC
47595 ++ pax_open_kernel(cr0);
47596 ++#endif
47597 ++
47598 ++ early_gdt_descr.address = get_cpu_gdt_table(cpu);
47599 ++
47600 ++#ifdef CONFIG_PAX_KERNEXEC
47601 ++ pax_close_kernel(cr0);
47602 ++#endif
47603 ++
47604 + irq_ctx_init(cpu);
47605 +
47606 + /* Note: Don't modify initial ss override */
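Review bot: dropping the `(unsigned long)` cast in `early_gdt_descr.address = get_cpu_gdt_table(cpu);` only compiles if the type of the `address` member is changed to a pointer elsewhere in this patch; that change is not in this hunk, so either keep the cast or note the dependency in the commit text. Wrapping the store in `pax_open_kernel(cr0)` / `pax_close_kernel(cr0)` implies `early_gdt_descr` is in read-only data under KERNEXEC, which is consistent with the `cr0` declaration added in the previous hunk.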
47607 +@@ -1277,7 +1291,7 @@ smp_local_timer_interrupt(void)
47608 + per_cpu(prof_counter, cpu);
47609 + }
47610 +
47611 +- update_process_times(user_mode_vm(get_irq_regs()));
47612 ++ update_process_times(user_mode(get_irq_regs()));
47613 + }
47614 +
47615 + if( ((1<<cpu) & voyager_extended_vic_processors) == 0)
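Review bot: replacing `user_mode_vm()` with `user_mode()` in `update_process_times(...)` changes tick accounting for vm86 tasks unless this patch also redefines `user_mode()` to treat `VM_MASK` frames as user mode; that redefinition is not visible here, so please confirm it, otherwise vm86 time is charged as system time. The same applies to the `notify_page_fault` hunk in `fault_32.c`, where a vm86 fault would otherwise be routed through the kprobe path intended for kernel-mode faults.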
47616 +diff -urNp linux-2.6.24.5/arch/x86/mm/boot_ioremap_32.c linux-2.6.24.5/arch/x86/mm/boot_ioremap_32.c
47617 +--- linux-2.6.24.5/arch/x86/mm/boot_ioremap_32.c 2008-03-24 14:49:18.000000000 -0400
47618 ++++ linux-2.6.24.5/arch/x86/mm/boot_ioremap_32.c 2008-03-26 20:21:08.000000000 -0400
47619 +@@ -7,57 +7,37 @@
47620 + * Written by Dave Hansen <haveblue@××××××.com>
47621 + */
47622 +
47623 +-
47624 +-/*
47625 +- * We need to use the 2-level pagetable functions, but CONFIG_X86_PAE
47626 +- * keeps that from happening. If anyone has a better way, I'm listening.
47627 +- *
47628 +- * boot_pte_t is defined only if this all works correctly
47629 +- */
47630 +-
47631 +-#undef CONFIG_X86_PAE
47632 + #undef CONFIG_PARAVIRT
47633 + #include <asm/page.h>
47634 + #include <asm/pgtable.h>
47635 + #include <asm/tlbflush.h>
47636 + #include <linux/init.h>
47637 + #include <linux/stddef.h>
47638 +-
47639 +-/*
47640 +- * I'm cheating here. It is known that the two boot PTE pages are
47641 +- * allocated next to each other. I'm pretending that they're just
47642 +- * one big array.
47643 +- */
47644 +-
47645 +-#define BOOT_PTE_PTRS (PTRS_PER_PTE*2)
47646 +-
47647 +-static unsigned long boot_pte_index(unsigned long vaddr)
47648 +-{
47649 +- return __pa(vaddr) >> PAGE_SHIFT;
47650 +-}
47651 +-
47652 +-static inline boot_pte_t* boot_vaddr_to_pte(void *address)
47653 +-{
47654 +- boot_pte_t* boot_pg = (boot_pte_t*)pg0;
47655 +- return &boot_pg[boot_pte_index((unsigned long)address)];
47656 +-}
47657 ++#include <linux/sched.h>
47658 +
47659 + /*
47660 + * This is only for a caller who is clever enough to page-align
47661 + * phys_addr and virtual_source, and who also has a preference
47662 + * about which virtual address from which to steal ptes
47663 + */
47664 +-static void __boot_ioremap(unsigned long phys_addr, unsigned long nrpages,
47665 +- void* virtual_source)
47666 ++static void __init __boot_ioremap(unsigned long phys_addr, unsigned long nrpages,
47667 ++ char* virtual_source)
47668 + {
47669 +- boot_pte_t* pte;
47670 +- int i;
47671 +- char *vaddr = virtual_source;
47672 ++ pgd_t *pgd;
47673 ++ pud_t *pud;
47674 ++ pmd_t *pmd;
47675 ++ pte_t* pte;
47676 ++ unsigned int i;
47677 ++ unsigned long vaddr = (unsigned long)virtual_source;
47678 ++
47679 ++ pgd = pgd_offset_k(vaddr);
47680 ++ pud = pud_offset(pgd, vaddr);
47681 ++ pmd = pmd_offset(pud, vaddr);
47682 ++ pte = pte_offset_kernel(pmd, vaddr);
47683 +
47684 +- pte = boot_vaddr_to_pte(virtual_source);
47685 + for (i=0; i < nrpages; i++, phys_addr += PAGE_SIZE, pte++) {
47686 + set_pte(pte, pfn_pte(phys_addr>>PAGE_SHIFT, PAGE_KERNEL));
47687 +- __flush_tlb_one(&vaddr[i*PAGE_SIZE]);
47688 ++ __flush_tlb_one(&virtual_source[i*PAGE_SIZE]);
47689 + }
47690 + }
47691 +
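Review bot: the new `__boot_ioremap` walks pgd/pud/pmd once for `vaddr` and then does `pte++` for `nrpages`, so it still silently assumes that the PTE pages behind consecutive pmd entries are contiguous, which is the same assumption the removed "I'm cheating here" comment documented; either re-walk the tables when the address crosses a pmd boundary or add a `BUG_ON` (or at least a comment) bounding `nrpages`. Dropping the `#undef CONFIG_X86_PAE` hack in favour of the real page-table accessors is the right fix. The signature change from `void *virtual_source` to `char *virtual_source` plus `__init` requires the callers later in the file to agree; those are not in this hunk.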
47692 +diff -urNp linux-2.6.24.5/arch/x86/mm/extable_32.c linux-2.6.24.5/arch/x86/mm/extable_32.c
47693 +--- linux-2.6.24.5/arch/x86/mm/extable_32.c 2008-03-24 14:49:18.000000000 -0400
47694 ++++ linux-2.6.24.5/arch/x86/mm/extable_32.c 2008-03-26 20:21:08.000000000 -0400
47695 +@@ -4,14 +4,63 @@
47696 +
47697 + #include <linux/module.h>
47698 + #include <linux/spinlock.h>
47699 ++#include <linux/sort.h>
47700 + #include <asm/uaccess.h>
47701 +
47702 ++/*
47703 ++ * The exception table needs to be sorted so that the binary
47704 ++ * search that we use to find entries in it works properly.
47705 ++ * This is used both for the kernel exception table and for
47706 ++ * the exception tables of modules that get loaded.
47707 ++ */
47708 ++static int cmp_ex(const void *a, const void *b)
47709 ++{
47710 ++ const struct exception_table_entry *x = a, *y = b;
47711 ++
47712 ++ /* avoid overflow */
47713 ++ if (x->insn > y->insn)
47714 ++ return 1;
47715 ++ if (x->insn < y->insn)
47716 ++ return -1;
47717 ++ return 0;
47718 ++}
47719 ++
47720 ++static void swap_ex(void *a, void *b, int size)
47721 ++{
47722 ++ struct exception_table_entry t, *x = a, *y = b;
47723 ++
47724 ++#ifdef CONFIG_PAX_KERNEXEC
47725 ++ unsigned long cr0;
47726 ++#endif
47727 ++
47728 ++ t = *x;
47729 ++
47730 ++#ifdef CONFIG_PAX_KERNEXEC
47731 ++ pax_open_kernel(cr0);
47732 ++#endif
47733 ++
47734 ++ *x = *y;
47735 ++ *y = t;
47736 ++
47737 ++#ifdef CONFIG_PAX_KERNEXEC
47738 ++ pax_close_kernel(cr0);
47739 ++#endif
47740 ++
47741 ++}
47742 ++
47743 ++void sort_extable(struct exception_table_entry *start,
47744 ++ struct exception_table_entry *finish)
47745 ++{
47746 ++ sort(start, finish - start, sizeof(struct exception_table_entry),
47747 ++ cmp_ex, swap_ex);
47748 ++}
47749 ++
47750 + int fixup_exception(struct pt_regs *regs)
47751 + {
47752 + const struct exception_table_entry *fixup;
47753 +
47754 + #ifdef CONFIG_PNPBIOS
47755 +- if (unlikely(SEGMENT_IS_PNP_CODE(regs->xcs)))
47756 ++ if (unlikely(!(regs->eflags & VM_MASK) && SEGMENT_IS_PNP_CODE(regs->xcs)))
47757 + {
47758 + extern u32 pnp_bios_fault_eip, pnp_bios_fault_esp;
47759 + extern u32 pnp_bios_is_utter_crap;
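Review bot: defining `sort_extable` here is only correct if `ARCH_HAS_SORT_EXTABLE` is defined in the arch's `asm/uaccess.h` so that `lib/extable.c` compiles out its generic version; otherwise this is a duplicate symbol at link time, and that define is not in this hunk. `swap_ex` opens and closes the kernel around every swap, which is a cr0 toggle per element moved; opening once around the `sort()` call in `sort_extable` would be far cheaper, at the cost of a longer writable window, so the trade-off should be stated either way. The unused `size` parameter is fine, the `sort()` callback signature requires it. The added `!(regs->eflags & VM_MASK) &&` in the PNPBIOS check is a genuine fix, since a vm86 frame carries a real-mode segment value in `xcs` that can collide with the PnP code selector; a short comment saying so would help.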
47760 +diff -urNp linux-2.6.24.5/arch/x86/mm/extable_64.c linux-2.6.24.5/arch/x86/mm/extable_64.c
47761 +--- linux-2.6.24.5/arch/x86/mm/extable_64.c 2008-03-24 14:49:18.000000000 -0400
47762 ++++ linux-2.6.24.5/arch/x86/mm/extable_64.c 2008-03-26 20:21:08.000000000 -0400
47763 +@@ -4,9 +4,58 @@
47764 +
47765 + #include <linux/module.h>
47766 + #include <linux/spinlock.h>
47767 ++#include <linux/sort.h>
47768 + #include <linux/init.h>
47769 + #include <asm/uaccess.h>
47770 +
47771 ++/*
47772 ++ * The exception table needs to be sorted so that the binary
47773 ++ * search that we use to find entries in it works properly.
47774 ++ * This is used both for the kernel exception table and for
47775 ++ * the exception tables of modules that get loaded.
47776 ++ */
47777 ++static int cmp_ex(const void *a, const void *b)
47778 ++{
47779 ++ const struct exception_table_entry *x = a, *y = b;
47780 ++
47781 ++ /* avoid overflow */
47782 ++ if (x->insn > y->insn)
47783 ++ return 1;
47784 ++ if (x->insn < y->insn)
47785 ++ return -1;
47786 ++ return 0;
47787 ++}
47788 ++
47789 ++static void swap_ex(void *a, void *b, int size)
47790 ++{
47791 ++ struct exception_table_entry t, *x = a, *y = b;
47792 ++
47793 ++#ifdef CONFIG_PAX_KERNEXEC
47794 ++ unsigned long cr0;
47795 ++#endif
47796 ++
47797 ++ t = *x;
47798 ++
47799 ++#ifdef CONFIG_PAX_KERNEXEC
47800 ++ pax_open_kernel(cr0);
47801 ++#endif
47802 ++
47803 ++ *x = *y;
47804 ++ *y = t;
47805 ++
47806 ++#ifdef CONFIG_PAX_KERNEXEC
47807 ++ pax_close_kernel(cr0);
47808 ++#endif
47809 ++
47810 ++}
47811 ++
47812 ++void sort_extable(struct exception_table_entry *start,
47813 ++ struct exception_table_entry *finish)
47814 ++{
47815 ++ sort(start, finish - start, sizeof(struct exception_table_entry),
47816 ++ cmp_ex, swap_ex);
47817 ++}
47818 ++
47819 + /* Simple binary search */
47820 + const struct exception_table_entry *
47821 + search_extable(const struct exception_table_entry *first,
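Review bot: this is a verbatim copy of the `cmp_ex` / `swap_ex` / `sort_extable` block added to `extable_32.c`, so the `ARCH_HAS_SORT_EXTABLE` dependency noted there applies here too. Rather than maintaining two identical copies, move them to one shared file or teach `lib/extable.c` about `pax_open_kernel` / `pax_close_kernel`; any later fix to the comparator or the KERNEXEC handling would otherwise have to be applied twice.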
47822 +diff -urNp linux-2.6.24.5/arch/x86/mm/fault_32.c linux-2.6.24.5/arch/x86/mm/fault_32.c
47823 +--- linux-2.6.24.5/arch/x86/mm/fault_32.c 2008-03-24 14:49:18.000000000 -0400
47824 ++++ linux-2.6.24.5/arch/x86/mm/fault_32.c 2008-03-26 20:21:16.000000000 -0400
47825 +@@ -26,10 +26,14 @@
47826 + #include <linux/uaccess.h>
47827 + #include <linux/kdebug.h>
47828 + #include <linux/kprobes.h>
47829 ++#include <linux/unistd.h>
47830 ++#include <linux/compiler.h>
47831 ++#include <linux/binfmts.h>
47832 +
47833 + #include <asm/system.h>
47834 + #include <asm/desc.h>
47835 + #include <asm/segment.h>
47836 ++#include <asm/tlbflush.h>
47837 +
47838 + extern void die(const char *,struct pt_regs *,long);
47839 +
47840 +@@ -39,7 +43,7 @@ static inline int notify_page_fault(stru
47841 + int ret = 0;
47842 +
47843 + /* kprobe_running() needs smp_processor_id() */
47844 +- if (!user_mode_vm(regs)) {
47845 ++ if (!user_mode(regs)) {
47846 + preempt_disable();
47847 + if (kprobe_running() && kprobe_fault_handler(regs, 14))
47848 + ret = 1;
47849 +@@ -74,7 +78,8 @@ static inline unsigned long get_segment_
47850 + {
47851 + unsigned long eip = regs->eip;
47852 + unsigned seg = regs->xcs & 0xffff;
47853 +- u32 seg_ar, seg_limit, base, *desc;
47854 ++ u32 seg_ar, seg_limit, base;
47855 ++ struct desc_struct *desc;
47856 +
47857 + /* Unlikely, but must come before segment checks. */
47858 + if (unlikely(regs->eflags & VM_MASK)) {
47859 +@@ -88,7 +93,7 @@ static inline unsigned long get_segment_
47860 +
47861 + /* By far the most common cases. */
47862 + if (likely(SEGMENT_IS_FLAT_CODE(seg)))
47863 +- return eip;
47864 ++ return seg == __KERNEL_CS ? ktla_ktva(eip) : eip;
47865 +
47866 + /* Check the segment exists, is within the current LDT/GDT size,
47867 + that kernel/user (ring 0..3) has the appropriate privilege,
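Review bot: `SEGMENT_IS_FLAT_CODE(seg)` is true for both `__USER_CS` and `__KERNEL_CS`, so the new `seg == __KERNEL_CS ? ktla_ktva(eip) : eip` correctly translates only kernel EIPs from their KERNEXEC segment-relative form back to a linear address before the limit check. The change relies on `ktla_ktva()` being an identity when KERNEXEC is disabled; please confirm that in the header that defines it, since this path is compiled unconditionally.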
47868 +@@ -103,21 +108,24 @@ static inline unsigned long get_segment_
47869 + /* Get the GDT/LDT descriptor base.
47870 + When you look for races in this code remember that
47871 + LDT and other horrors are only used in user space. */
47872 +- if (seg & (1<<2)) {
47873 ++ if (seg & SEGMENT_LDT) {
47874 + /* Must lock the LDT while reading it. */
47875 + mutex_lock(&current->mm->context.lock);
47876 +- desc = current->mm->context.ldt;
47877 +- desc = (void *)desc + (seg & ~7);
47878 ++ if ((seg >> 3) >= current->mm->context.size) {
47879 ++ mutex_unlock(&current->mm->context.lock);
47880 ++ *eip_limit = 0;
47881 ++ return 1; /* So that returned eip > *eip_limit. */
47882 ++ }
47883 ++ desc = &current->mm->context.ldt[seg >> 3];
47884 + } else {
47885 + /* Must disable preemption while reading the GDT. */
47886 +- desc = (u32 *)get_cpu_gdt_table(get_cpu());
47887 +- desc = (void *)desc + (seg & ~7);
47888 ++ desc = &get_cpu_gdt_table(get_cpu())[seg >> 3];
47889 + }
47890 +
47891 + /* Decode the code segment base from the descriptor */
47892 +- base = get_desc_base((unsigned long *)desc);
47893 ++ base = get_desc_base(desc);
47894 +
47895 +- if (seg & (1<<2)) {
47896 ++ if (seg & SEGMENT_LDT) {
47897 + mutex_unlock(&current->mm->context.lock);
47898 + } else
47899 + put_cpu();
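Review bot: the new LDT bounds check `if ((seg >> 3) >= current->mm->context.size)` closes a real gap, since the old code indexed `context.ldt` with `seg & ~7` without ever comparing against the table size, and it correctly drops the mutex before bailing out. The early return is more magic than it needs to be, though: `*eip_limit = 0; return 1;` only works because the caller compares the returned eip against *eip_limit, which the trailing comment says but a named constant or a tiny helper would make explicit. Replacing the `u32 *` byte arithmetic with `&ldt[seg >> 3]` / `&get_cpu_gdt_table(...)[seg >> 3]` on `struct desc_struct` is a welcome cleanup, as is `SEGMENT_LDT` in place of `1<<2`.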
47900 +@@ -216,6 +224,30 @@ static noinline void force_sig_info_faul
47901 +
47902 + fastcall void do_invalid_op(struct pt_regs *, unsigned long);
47903 +
47904 ++#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
47905 ++static int pax_handle_fetch_fault(struct pt_regs *regs);
47906 ++#endif
47907 ++
47908 ++#ifdef CONFIG_PAX_PAGEEXEC
47909 ++static inline pmd_t * pax_get_pmd(struct mm_struct *mm, unsigned long address)
47910 ++{
47911 ++ pgd_t *pgd;
47912 ++ pud_t *pud;
47913 ++ pmd_t *pmd;
47914 ++
47915 ++ pgd = pgd_offset(mm, address);
47916 ++ if (!pgd_present(*pgd))
47917 ++ return NULL;
47918 ++ pud = pud_offset(pgd, address);
47919 ++ if (!pud_present(*pud))
47920 ++ return NULL;
47921 ++ pmd = pmd_offset(pud, address);
47922 ++ if (!pmd_present(*pmd))
47923 ++ return NULL;
47924 ++ return pmd;
47925 ++}
47926 ++#endif
47927 ++
47928 + static inline pmd_t *vmalloc_sync_one(pgd_t *pgd, unsigned long address)
47929 + {
47930 + unsigned index = pgd_index(address);
47931 +@@ -299,19 +331,26 @@ fastcall void __kprobes do_page_fault(st
47932 + struct task_struct *tsk;
47933 + struct mm_struct *mm;
47934 + struct vm_area_struct * vma;
47935 +- unsigned long address;
47936 + int write, si_code;
47937 + int fault;
47938 ++ pte_t *pte;
47939 ++
47940 ++#ifdef CONFIG_PAX_PAGEEXEC
47941 ++ pmd_t *pmd;
47942 ++ spinlock_t *ptl;
47943 ++ unsigned char pte_mask;
47944 ++#endif
47945 ++
47946 ++ /* get the address */
47947 ++ const unsigned long address = read_cr2();
47948 +
47949 + /*
47950 + * We can fault from pretty much anywhere, with unknown IRQ state.
47951 + */
47952 + trace_hardirqs_fixup();
47953 +
47954 +- /* get the address */
47955 +- address = read_cr2();
47956 +-
47957 + tsk = current;
47958 ++ mm = tsk->mm;
47959 +
47960 + si_code = SEGV_MAPERR;
47961 +
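Review bot: `pte_t *pte;` is now declared unconditionally at the top of do_page_fault(), but it is only assigned under CONFIG_PAX_PAGEEXEC (pte_offset_map_lock) and under CONFIG_X86_PAE in the no_context block (`pte = lookup_address(address);`), so a build with neither option set will get an unused-variable warning; either keep the PAE block's local declaration or guard this one with the same conditions. Reading `address = read_cr2()` before trace_hardirqs_fixup() and making it const is the right call, since nothing may fault between entry and the CR2 read, and hoisting `mm = tsk->mm` next to it is harmless.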
47962 +@@ -348,14 +387,12 @@ fastcall void __kprobes do_page_fault(st
47963 + if (regs->eflags & (X86_EFLAGS_IF|VM_MASK))
47964 + local_irq_enable();
47965 +
47966 +- mm = tsk->mm;
47967 +-
47968 + /*
47969 + * If we're in an interrupt, have no user context or are running in an
47970 + * atomic region then we must not take the fault..
47971 + */
47972 + if (in_atomic() || !mm)
47973 +- goto bad_area_nosemaphore;
47974 ++ goto bad_area_nopax;
47975 +
47976 + /* When running in the kernel we expect faults to occur only to
47977 + * addresses in user space. All other faults represent errors in the
47978 +@@ -375,10 +412,104 @@ fastcall void __kprobes do_page_fault(st
47979 + if (!down_read_trylock(&mm->mmap_sem)) {
47980 + if ((error_code & 4) == 0 &&
47981 + !search_exception_tables(regs->eip))
47982 +- goto bad_area_nosemaphore;
47983 ++ goto bad_area_nopax;
47984 + down_read(&mm->mmap_sem);
47985 + }
47986 +
47987 ++#ifdef CONFIG_PAX_PAGEEXEC
47988 ++ if (nx_enabled || (error_code & 5) != 5 || (regs->eflags & X86_EFLAGS_VM) ||
47989 ++ !(mm->pax_flags & MF_PAX_PAGEEXEC))
47990 ++ goto not_pax_fault;
47991 ++
47992 ++ /* PaX: it's our fault, let's handle it if we can */
47993 ++
47994 ++ /* PaX: take a look at read faults before acquiring any locks */
47995 ++ if (unlikely(!(error_code & 2) && (regs->eip == address))) {
47996 ++ /* instruction fetch attempt from a protected page in user mode */
47997 ++ up_read(&mm->mmap_sem);
47998 ++
47999 ++#ifdef CONFIG_PAX_EMUTRAMP
48000 ++ switch (pax_handle_fetch_fault(regs)) {
48001 ++ case 2:
48002 ++ return;
48003 ++ }
48004 ++#endif
48005 ++
48006 ++ pax_report_fault(regs, (void *)regs->eip, (void *)regs->esp);
48007 ++ do_group_exit(SIGKILL);
48008 ++ }
48009 ++
48010 ++ pmd = pax_get_pmd(mm, address);
48011 ++ if (unlikely(!pmd))
48012 ++ goto not_pax_fault;
48013 ++
48014 ++ pte = pte_offset_map_lock(mm, pmd, address, &ptl);
48015 ++ if (unlikely(!(pte_val(*pte) & _PAGE_PRESENT) || pte_user(*pte))) {
48016 ++ pte_unmap_unlock(pte, ptl);
48017 ++ goto not_pax_fault;
48018 ++ }
48019 ++
48020 ++ if (unlikely((error_code & 2) && !pte_write(*pte))) {
48021 ++ /* write attempt to a protected page in user mode */
48022 ++ pte_unmap_unlock(pte, ptl);
48023 ++ goto not_pax_fault;
48024 ++ }
48025 ++
48026 ++#ifdef CONFIG_SMP
48027 ++ if (likely(address > get_limit(regs->xcs) && cpu_isset(smp_processor_id(), mm->context.cpu_user_cs_mask)))
48028 ++#else
48029 ++ if (likely(address > get_limit(regs->xcs)))
48030 ++#endif
48031 ++ {
48032 ++ set_pte(pte, pte_mkread(*pte));
48033 ++ __flush_tlb_one(address);
48034 ++ pte_unmap_unlock(pte, ptl);
48035 ++ up_read(&mm->mmap_sem);
48036 ++ return;
48037 ++ }
48038 ++
48039 ++ pte_mask = _PAGE_ACCESSED | _PAGE_USER | ((error_code & 2) << (_PAGE_BIT_DIRTY-1));
48040 ++
48041 ++ /*
48042 ++ * PaX: fill DTLB with user rights and retry
48043 ++ */
48044 ++ __asm__ __volatile__ (
48045 ++#ifdef CONFIG_PAX_MEMORY_UDEREF
48046 ++ "movw %w4,%%es\n"
48047 ++#endif
48048 ++ "orb %2,(%1)\n"
48049 ++#if defined(CONFIG_M586) || defined(CONFIG_M586TSC)
48050 ++/*
48051 ++ * PaX: let this uncommented 'invlpg' remind us on the behaviour of Intel's
48052 ++ * (and AMD's) TLBs. namely, they do not cache PTEs that would raise *any*
48053 ++ * page fault when examined during a TLB load attempt. this is true not only
48054 ++ * for PTEs holding a non-present entry but also present entries that will
48055 ++ * raise a page fault (such as those set up by PaX, or the copy-on-write
48056 ++ * mechanism). in effect it means that we do *not* need to flush the TLBs
48057 ++ * for our target pages since their PTEs are simply not in the TLBs at all.
48058 ++
48059 ++ * the best thing in omitting it is that we gain around 15-20% speed in the
48060 ++ * fast path of the page fault handler and can get rid of tracing since we
48061 ++ * can no longer flush unintended entries.
48062 ++ */
48063 ++ "invlpg (%0)\n"
48064 ++#endif
48065 ++ "testb $0,%%es:(%0)\n"
48066 ++ "xorb %3,(%1)\n"
48067 ++#ifdef CONFIG_PAX_MEMORY_UDEREF
48068 ++ "pushl %%ss\n"
48069 ++ "popl %%es\n"
48070 ++#endif
48071 ++ :
48072 ++ : "r" (address), "r" (pte), "q" (pte_mask), "i" (_PAGE_USER), "r" (__USER_DS)
48073 ++ : "memory", "cc");
48074 ++ pte_unmap_unlock(pte, ptl);
48075 ++ up_read(&mm->mmap_sem);
48076 ++ return;
48077 ++
48078 ++not_pax_fault:
48079 ++#endif
48080 ++
48081 + vma = find_vma(mm, address);
48082 + if (!vma)
48083 + goto bad_area;
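Review bot: the CONFIG_PAX_PAGEEXEC fast path updates the PTE in two different ways: the data-access branch goes through `set_pte(pte, pte_mkread(*pte))`, while the DTLB-fill sequence writes the PTE bytes directly with `orb %2,(%1)` / `xorb %3,(%1)` in inline asm, which bypasses the paravirt PTE hooks that set_pte() honours in this tree. If the direct write is required for the trick to work (the PTE must look user-accessible only for the duration of the `testb $0,%%es:(%0)` probe, with the page-table lock held so nothing else can observe it), say so in the comment, and note that the whole block is only reachable when `nx_enabled` is false, so NX-capable guests never hit it. Two smaller points: the `invlpg (%0)` is compiled in for CONFIG_M586/CONFIG_M586TSC, yet the comment above it talks about "omitting it" and an "uncommented 'invlpg'"; please reword it to say that the flush is needed only on those CPUs and skipped elsewhere for the stated speed reason. And the early `up_read(&mm->mmap_sem)` followed by `do_group_exit(SIGKILL)` in the instruction-fetch branch is correct only because nothing after it touches mm; a comment there keeps a future edit from adding such a use.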
48084 +@@ -396,6 +527,12 @@ fastcall void __kprobes do_page_fault(st
48085 + if (address + 65536 + 32 * sizeof(unsigned long) < regs->esp)
48086 + goto bad_area;
48087 + }
48088 ++
48089 ++#ifdef CONFIG_PAX_SEGMEXEC
48090 ++ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && vma->vm_end - SEGMEXEC_TASK_SIZE - 1 < address - SEGMEXEC_TASK_SIZE - 1)
48091 ++ goto bad_area;
48092 ++#endif
48093 ++
48094 + if (expand_stack(vma, address))
48095 + goto bad_area;
48096 + /*
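Review bot: the CONFIG_PAX_SEGMEXEC stack-expansion check `vma->vm_end - SEGMEXEC_TASK_SIZE - 1 < address - SEGMEXEC_TASK_SIZE - 1` relies on unsigned wraparound to test that the vma end and the faulting address lie on the same side of SEGMEXEC_TASK_SIZE, so a stack vma living in the upper (mirrored) half is never grown down across the split into the lower half; please add a comment saying that, because read literally the line looks like a typo for a plain `vma->vm_end < address` comparison, and the next reader will be tempted to "simplify" it.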
48097 +@@ -405,6 +542,8 @@ fastcall void __kprobes do_page_fault(st
48098 + good_area:
48099 + si_code = SEGV_ACCERR;
48100 + write = 0;
48101 ++ if (nx_enabled && (error_code & 16) && !(vma->vm_flags & VM_EXEC))
48102 ++ goto bad_area;
48103 + switch (error_code & 3) {
48104 + default: /* 3: write, present */
48105 + /* fall through */
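Review bot: the new `nx_enabled && (error_code & 16) && !(vma->vm_flags & VM_EXEC)` test in good_area uses the raw bit 16 for the instruction-fetch flag, while the fault_64.c part of this same patch spells the same bits `PF_INSTR` and `PF_USER`; please use symbolic names here too (a local `#define` if fault_32.c has none), so the error_code bit meanings are not spread across two conventions within one patch. The check itself is right: an NX fault on a mapping without VM_EXEC must not fall through to the write/read switch below.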
48106 +@@ -458,6 +597,49 @@ bad_area:
48107 + up_read(&mm->mmap_sem);
48108 +
48109 + bad_area_nosemaphore:
48110 ++
48111 ++#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
48112 ++ if (mm && (error_code & 4) && !(regs->eflags & X86_EFLAGS_VM)) {
48113 ++ /*
48114 ++ * It's possible to have interrupts off here.
48115 ++ */
48116 ++ local_irq_enable();
48117 ++
48118 ++#ifdef CONFIG_PAX_PAGEEXEC
48119 ++ if ((mm->pax_flags & MF_PAX_PAGEEXEC) &&
48120 ++ ((nx_enabled && ((error_code & 16) || !(error_code & 3)) && (regs->eip == address)))) {
48121 ++
48122 ++#ifdef CONFIG_PAX_EMUTRAMP
48123 ++ switch (pax_handle_fetch_fault(regs)) {
48124 ++ case 2:
48125 ++ return;
48126 ++ }
48127 ++#endif
48128 ++
48129 ++ pax_report_fault(regs, (void *)regs->eip, (void *)regs->esp);
48130 ++ do_group_exit(SIGKILL);
48131 ++ }
48132 ++#endif
48133 ++
48134 ++#ifdef CONFIG_PAX_SEGMEXEC
48135 ++ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && !(error_code & 3) && (regs->eip + SEGMEXEC_TASK_SIZE == address)) {
48136 ++
48137 ++#ifdef CONFIG_PAX_EMUTRAMP
48138 ++ switch (pax_handle_fetch_fault(regs)) {
48139 ++ case 2:
48140 ++ return;
48141 ++ }
48142 ++#endif
48143 ++
48144 ++ pax_report_fault(regs, (void *)regs->eip, (void *)regs->esp);
48145 ++ do_group_exit(SIGKILL);
48146 ++ }
48147 ++#endif
48148 ++
48149 ++ }
48150 ++#endif
48151 ++
48152 ++bad_area_nopax:
48153 + /* User mode accesses just cause a SIGSEGV */
48154 + if (error_code & 4) {
48155 + /*
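Review bot: the three copies of `switch (pax_handle_fetch_fault(regs)) { case 2: return; }` in this hunk are a one-case switch that reads like `if (pax_handle_fetch_fault(regs) == 2) return;`; either use the `if`, or document why a switch is kept (room for further return codes, which the function's header comment does not list). The ordering deserves a comment too: `local_irq_enable()` is taken before pax_handle_fetch_fault() because the emulation reads user memory with get_user(), and the `mm &&` on the outer `if` is what keeps kernel-thread faults out of this block. The `bad_area_nopax:` label introduced here is the target of the two earlier `goto bad_area_nosemaphore` replacements, so PaX reporting is skipped exactly for in_atomic/no-mm faults and for kernel-mode faults taken without mmap_sem, which is the intended split.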
48156 +@@ -495,7 +677,7 @@ bad_area_nosemaphore:
48157 + if (boot_cpu_data.f00f_bug) {
48158 + unsigned long nr;
48159 +
48160 +- nr = (address - idt_descr.address) >> 3;
48161 ++ nr = (address - (unsigned long)idt_descr.address) >> 3;
48162 +
48163 + if (nr == 6) {
48164 + do_invalid_op(regs, 0);
48165 +@@ -528,18 +710,34 @@ no_context:
48166 + __typeof__(pte_val(__pte(0))) page;
48167 +
48168 + #ifdef CONFIG_X86_PAE
48169 +- if (error_code & 16) {
48170 +- pte_t *pte = lookup_address(address);
48171 ++ if (nx_enabled && (error_code & 16)) {
48172 ++ pte = lookup_address(address);
48173 +
48174 + if (pte && pte_present(*pte) && !pte_exec_kernel(*pte))
48175 + printk(KERN_CRIT "kernel tried to execute "
48176 + "NX-protected page - exploit attempt? "
48177 +- "(uid: %d)\n", current->uid);
48178 ++ "(uid: %d, task: %s, pid: %d)\n",
48179 ++ tsk->uid, tsk->comm, task_pid_nr(tsk));
48180 + }
48181 + #endif
48182 + if (address < PAGE_SIZE)
48183 + printk(KERN_ALERT "BUG: unable to handle kernel NULL "
48184 + "pointer dereference");
48185 ++
48186 ++#ifdef CONFIG_PAX_KERNEXEC
48187 ++#ifdef CONFIG_MODULES
48188 ++ else if (init_mm.start_code <= address && address < (unsigned long)MODULES_END)
48189 ++#else
48190 ++ else if (init_mm.start_code <= address && address < init_mm.end_code)
48191 ++#endif
48192 ++ if (tsk->signal->curr_ip)
48193 ++ printk(KERN_ERR "PAX: From %u.%u.%u.%u: %s:%d, uid/euid: %u/%u, attempted to modify kernel code",
48194 ++ NIPQUAD(tsk->signal->curr_ip), tsk->comm, task_pid_nr(tsk), tsk->uid, tsk->euid);
48195 ++ else
48196 ++ printk(KERN_ERR "PAX: %s:%d, uid/euid: %u/%u, attempted to modify kernel code",
48197 ++ tsk->comm, task_pid_nr(tsk), tsk->uid, tsk->euid);
48198 ++#endif
48199 ++
48200 + else
48201 + printk(KERN_ALERT "BUG: unable to handle kernel paging"
48202 + " request");
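Review bot: the CONFIG_PAX_KERNEXEC addition turns the `if (address < PAGE_SIZE) ... else ...` pair into `if / else if / if-else / else` without braces; it parses as intended (the final `else` attaches to the `else if`, because the inner `if (tsk->signal->curr_ip)` already owns its own `else`), but that is exactly the dangling-else shape that bites the next person who edits it, so please brace the `else if` body. The two new printk()s also use KERN_ERR while the sibling messages on both sides use KERN_ALERT, and like them they intentionally omit the trailing newline because a continuation printk completes the line; keep the level consistent so the combined line is not split by log-level filtering. Under CONFIG_MODULES the range `init_mm.start_code <= address && address < (unsigned long)MODULES_END` covers module text as well, which is what "attempted to modify kernel code" implies; worth a word in a comment. Logging `tsk->comm`, the pid and uid/euid (and the originating IP when `curr_ip` is set) is exactly what an incident responder wants on these lines.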
48203 +@@ -585,19 +783,18 @@ no_context:
48204 + tsk->thread.error_code = error_code;
48205 + die("Oops", regs, error_code);
48206 + bust_spinlocks(0);
48207 +- do_exit(SIGKILL);
48208 ++ do_group_exit(SIGKILL);
48209 +
48210 + /*
48211 + * We ran out of memory, or some other thing happened to us that made
48212 + * us unable to handle the page fault gracefully.
48213 + */
48214 + out_of_memory:
48215 +- up_read(&mm->mmap_sem);
48216 + if (is_global_init(tsk)) {
48217 + yield();
48218 +- down_read(&mm->mmap_sem);
48219 + goto survive;
48220 + }
48221 ++ up_read(&mm->mmap_sem);
48222 + printk("VM: killing process %s\n", tsk->comm);
48223 + if (error_code & 4)
48224 + do_group_exit(SIGKILL);
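Review bot: the out_of_memory rework keeps mmap_sem held across `yield()` for the global-init case instead of dropping and re-taking it, which removes the window in which the vma found earlier could disappear before `goto survive` reuses it; that is an improvement, but it also means init now holds a reader across a yield while writers may be queued, so please spell out the trade-off in the comment above. Replacing `do_exit(SIGKILL)` with `do_group_exit(SIGKILL)` after die() is consistent with the rest of the patch: the whole thread group, not only the faulting thread, is taken down.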
48225 +@@ -657,3 +854,92 @@ void vmalloc_sync_all(void)
48226 + start = address + PGDIR_SIZE;
48227 + }
48228 + }
48229 ++
48230 ++#ifdef CONFIG_PAX_EMUTRAMP
48231 ++/*
48232 ++ * PaX: decide what to do with offenders (regs->eip = fault address)
48233 ++ *
48234 ++ * returns 1 when task should be killed
48235 ++ * 2 when gcc trampoline was detected
48236 ++ */
48237 ++static int pax_handle_fetch_fault(struct pt_regs *regs)
48238 ++{
48239 ++ int err;
48240 ++
48241 ++ if (regs->eflags & X86_EFLAGS_VM)
48242 ++ return 1;
48243 ++
48244 ++ if (!(current->mm->pax_flags & MF_PAX_EMUTRAMP))
48245 ++ return 1;
48246 ++
48247 ++ do { /* PaX: gcc trampoline emulation #1 */
48248 ++ unsigned char mov1, mov2;
48249 ++ unsigned short jmp;
48250 ++ unsigned long addr1, addr2;
48251 ++
48252 ++ err = get_user(mov1, (unsigned char __user *)regs->eip);
48253 ++ err |= get_user(addr1, (unsigned long __user *)(regs->eip + 1));
48254 ++ err |= get_user(mov2, (unsigned char __user *)(regs->eip + 5));
48255 ++ err |= get_user(addr2, (unsigned long __user *)(regs->eip + 6));
48256 ++ err |= get_user(jmp, (unsigned short __user *)(regs->eip + 10));
48257 ++
48258 ++ if (err)
48259 ++ break;
48260 ++
48261 ++ if (mov1 == 0xB9 && mov2 == 0xB8 && jmp == 0xE0FF) {
48262 ++ regs->ecx = addr1;
48263 ++ regs->eax = addr2;
48264 ++ regs->eip = addr2;
48265 ++ return 2;
48266 ++ }
48267 ++ } while (0);
48268 ++
48269 ++ do { /* PaX: gcc trampoline emulation #2 */
48270 ++ unsigned char mov, jmp;
48271 ++ unsigned long addr1, addr2;
48272 ++
48273 ++ err = get_user(mov, (unsigned char __user *)regs->eip);
48274 ++ err |= get_user(addr1, (unsigned long __user *)(regs->eip + 1));
48275 ++ err |= get_user(jmp, (unsigned char __user *)(regs->eip + 5));
48276 ++ err |= get_user(addr2, (unsigned long __user *)(regs->eip + 6));
48277 ++
48278 ++ if (err)
48279 ++ break;
48280 ++
48281 ++ if (mov == 0xB9 && jmp == 0xE9) {
48282 ++ regs->ecx = addr1;
48283 ++ regs->eip += addr2 + 10;
48284 ++ return 2;
48285 ++ }
48286 ++ } while (0);
48287 ++
48288 ++ return 1; /* PaX in action */
48289 ++}
48290 ++#endif
48291 ++
48292 ++#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
48293 ++void pax_report_insns(void *pc, void *sp)
48294 ++{
48295 ++ long i;
48296 ++
48297 ++ printk(KERN_ERR "PAX: bytes at PC: ");
48298 ++ for (i = 0; i < 20; i++) {
48299 ++ unsigned char c;
48300 ++ if (get_user(c, (unsigned char __user *)pc+i))
48301 ++ printk("?? ");
48302 ++ else
48303 ++ printk("%02x ", c);
48304 ++ }
48305 ++ printk("\n");
48306 ++
48307 ++ printk(KERN_ERR "PAX: bytes at SP-4: ");
48308 ++ for (i = -1; i < 20; i++) {
48309 ++ unsigned long c;
48310 ++ if (get_user(c, (unsigned long __user *)sp+i))
48311 ++ printk("???????? ");
48312 ++ else
48313 ++ printk("%08lx ", c);
48314 ++ }
48315 ++ printk("\n");
48316 ++}
48317 ++#endif
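Review bot: the opcode matching in pax_handle_fetch_fault() compares against bare constants (`mov1 == 0xB9`, `mov2 == 0xB8`, `jmp == 0xE0FF`, `jmp == 0xE9`); please annotate each pattern with the instruction sequence it recognises (0xB9 imm32 is `mov $imm32,%ecx`, 0xB8 imm32 is `mov $imm32,%eax`, the bytes 0xFF 0xE0 are `jmp *%eax` and read as the little-endian short 0xE0FF, 0xE9 rel32 is `jmp rel32`), since otherwise the reader has to disassemble by hand to verify that `regs->ecx = addr1; regs->eax = addr2; regs->eip = addr2;` and `regs->eip += addr2 + 10` really reproduce the two gcc nested-function trampolines. Two smaller points: `err` only records that some get_user() failed, so a partially readable sequence at the end of a mapping is treated as "kill" (return 1); that is the safe default and deserves a comment. In pax_report_insns(), `(unsigned long __user *)sp+i` with `i = -1` is what produces the "SP-4" in the label; a comment would head off the misreading that the cast applies to `sp+i`.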
48318 +diff -urNp linux-2.6.24.5/arch/x86/mm/fault_64.c linux-2.6.24.5/arch/x86/mm/fault_64.c
48319 +--- linux-2.6.24.5/arch/x86/mm/fault_64.c 2008-03-24 14:49:18.000000000 -0400
48320 ++++ linux-2.6.24.5/arch/x86/mm/fault_64.c 2008-03-26 20:21:08.000000000 -0400
48321 +@@ -26,6 +26,7 @@
48322 + #include <linux/uaccess.h>
48323 + #include <linux/kdebug.h>
48324 + #include <linux/kprobes.h>
48325 ++#include <linux/binfmts.h>
48326 +
48327 + #include <asm/system.h>
48328 + #include <asm/pgalloc.h>
48329 +@@ -285,6 +286,163 @@ static int vmalloc_fault(unsigned long a
48330 + return 0;
48331 + }
48332 +
48333 ++#ifdef CONFIG_PAX_EMUTRAMP
48334 ++static int pax_handle_fetch_fault_32(struct pt_regs *regs)
48335 ++{
48336 ++ int err;
48337 ++
48338 ++ do { /* PaX: gcc trampoline emulation #1 */
48339 ++ unsigned char mov1, mov2;
48340 ++ unsigned short jmp;
48341 ++ unsigned int addr1, addr2;
48342 ++
48343 ++ if ((regs->rip + 11) >> 32)
48344 ++ break;
48345 ++
48346 ++ err = get_user(mov1, (unsigned char __user *)regs->rip);
48347 ++ err |= get_user(addr1, (unsigned int __user *)(regs->rip + 1));
48348 ++ err |= get_user(mov2, (unsigned char __user *)(regs->rip + 5));
48349 ++ err |= get_user(addr2, (unsigned int __user *)(regs->rip + 6));
48350 ++ err |= get_user(jmp, (unsigned short __user *)(regs->rip + 10));
48351 ++
48352 ++ if (err)
48353 ++ break;
48354 ++
48355 ++ if (mov1 == 0xB9 && mov2 == 0xB8 && jmp == 0xE0FF) {
48356 ++ regs->rcx = addr1;
48357 ++ regs->rax = addr2;
48358 ++ regs->rip = addr2;
48359 ++ return 2;
48360 ++ }
48361 ++ } while (0);
48362 ++
48363 ++ do { /* PaX: gcc trampoline emulation #2 */
48364 ++ unsigned char mov, jmp;
48365 ++ unsigned int addr1, addr2;
48366 ++
48367 ++ if ((regs->rip + 9) >> 32)
48368 ++ break;
48369 ++
48370 ++ err = get_user(mov, (unsigned char __user *)regs->rip);
48371 ++ err |= get_user(addr1, (unsigned int __user *)(regs->rip + 1));
48372 ++ err |= get_user(jmp, (unsigned char __user *)(regs->rip + 5));
48373 ++ err |= get_user(addr2, (unsigned int __user *)(regs->rip + 6));
48374 ++
48375 ++ if (err)
48376 ++ break;
48377 ++
48378 ++ if (mov == 0xB9 && jmp == 0xE9) {
48379 ++ regs->rcx = addr1;
48380 ++ regs->rip = (unsigned int)(regs->rip + addr2 + 10);
48381 ++ return 2;
48382 ++ }
48383 ++ } while (0);
48384 ++
48385 ++ return 1; /* PaX in action */
48386 ++}
48387 ++
48388 ++static int pax_handle_fetch_fault_64(struct pt_regs *regs)
48389 ++{
48390 ++ int err;
48391 ++
48392 ++ do { /* PaX: gcc trampoline emulation #1 */
48393 ++ unsigned short mov1, mov2, jmp1;
48394 ++ unsigned char jmp2;
48395 ++ unsigned int addr1;
48396 ++ unsigned long addr2;
48397 ++
48398 ++ err = get_user(mov1, (unsigned short __user *)regs->rip);
48399 ++ err |= get_user(addr1, (unsigned int __user *)(regs->rip + 2));
48400 ++ err |= get_user(mov2, (unsigned short __user *)(regs->rip + 6));
48401 ++ err |= get_user(addr2, (unsigned long __user *)(regs->rip + 8));
48402 ++ err |= get_user(jmp1, (unsigned short __user *)(regs->rip + 16));
48403 ++ err |= get_user(jmp2, (unsigned char __user *)(regs->rip + 18));
48404 ++
48405 ++ if (err)
48406 ++ break;
48407 ++
48408 ++ if (mov1 == 0xBB41 && mov2 == 0xBA49 && jmp1 == 0xFF49 && jmp2 == 0xE3) {
48409 ++ regs->r11 = addr1;
48410 ++ regs->r10 = addr2;
48411 ++ regs->rip = addr1;
48412 ++ return 2;
48413 ++ }
48414 ++ } while (0);
48415 ++
48416 ++ do { /* PaX: gcc trampoline emulation #2 */
48417 ++ unsigned short mov1, mov2, jmp1;
48418 ++ unsigned char jmp2;
48419 ++ unsigned long addr1, addr2;
48420 ++
48421 ++ err = get_user(mov1, (unsigned short __user *)regs->rip);
48422 ++ err |= get_user(addr1, (unsigned long __user *)(regs->rip + 2));
48423 ++ err |= get_user(mov2, (unsigned short __user *)(regs->rip + 10));
48424 ++ err |= get_user(addr2, (unsigned long __user *)(regs->rip + 12));
48425 ++ err |= get_user(jmp1, (unsigned short __user *)(regs->rip + 20));
48426 ++ err |= get_user(jmp2, (unsigned char __user *)(regs->rip + 22));
48427 ++
48428 ++ if (err)
48429 ++ break;
48430 ++
48431 ++ if (mov1 == 0xBB49 && mov2 == 0xBA49 && jmp1 == 0xFF49 && jmp2 == 0xE3) {
48432 ++ regs->r11 = addr1;
48433 ++ regs->r10 = addr2;
48434 ++ regs->rip = addr1;
48435 ++ return 2;
48436 ++ }
48437 ++ } while (0);
48438 ++
48439 ++ return 1; /* PaX in action */
48440 ++}
48441 ++
48442 ++/*
48443 ++ * PaX: decide what to do with offenders (regs->rip = fault address)
48444 ++ *
48445 ++ * returns 1 when task should be killed
48446 ++ * 2 when gcc trampoline was detected
48447 ++ */
48448 ++static int pax_handle_fetch_fault(struct pt_regs *regs)
48449 ++{
48450 ++ if (regs->eflags & X86_EFLAGS_VM)
48451 ++ return 1;
48452 ++
48453 ++ if (!(current->mm->pax_flags & MF_PAX_EMUTRAMP))
48454 ++ return 1;
48455 ++
48456 ++ if (regs->cs == __USER32_CS || (regs->cs & (1<<2)))
48457 ++ return pax_handle_fetch_fault_32(regs);
48458 ++ else
48459 ++ return pax_handle_fetch_fault_64(regs);
48460 ++}
48461 ++#endif
48462 ++
48463 ++#ifdef CONFIG_PAX_PAGEEXEC
48464 ++void pax_report_insns(void *pc, void *sp)
48465 ++{
48466 ++ long i;
48467 ++
48468 ++ printk(KERN_ERR "PAX: bytes at PC: ");
48469 ++ for (i = 0; i < 20; i++) {
48470 ++ unsigned char c;
48471 ++ if (get_user(c, (unsigned char __user *)pc+i))
48472 ++ printk("?? ");
48473 ++ else
48474 ++ printk("%02x ", c);
48475 ++ }
48476 ++ printk("\n");
48477 ++
48478 ++ printk(KERN_ERR "PAX: bytes at SP-8: ");
48479 ++ for (i = -1; i < 10; i++) {
48480 ++ unsigned long c;
48481 ++ if (get_user(c, (unsigned long __user *)sp+i))
48482 ++ printk("???????????????? ");
48483 ++ else
48484 ++ printk("%016lx ", c);
48485 ++ }
48486 ++ printk("\n");
48487 ++}
48488 ++#endif
48489 ++
48490 + int show_unhandled_signals = 1;
48491 +
48492 + /*
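Review bot: pax_handle_fetch_fault() in fault_64.c selects the decoder with `regs->cs == __USER32_CS || (regs->cs & (1<<2))`; the fault_32.c part of this same patch replaced the `1<<2` idiom with `SEGMENT_LDT`, so do the same here and say in a comment that any LDT code segment is treated as 32-bit. The 32-bit decoder duplicates fault_32.c's pax_handle_fetch_fault() nearly line for line (same constants, `rip`/`rcx`/`rax` for `eip`/`ecx`/`eax`), the `(regs->rip + 11) >> 32` and `(regs->rip + 9) >> 32` guards being the only real difference; consider sharing it, or at least cross-reference the two so fixes land in both. The 64-bit patterns want annotations as well (0x41 0xBB imm32 is `mov $imm32,%r11d`, 0x49 0xBA imm64 is `movabs $imm64,%r10`, 0x49 0xFF 0xE3 is `jmp *%r11`, 0x49 0xBB imm64 is `movabs $imm64,%r11`, each compared as a little-endian short), and `regs->rip = addr1` in the first pattern is only right because the matched `jmp *%r11` jumps to the value loaded into r11d. pax_report_insns() here is guarded by `#ifdef CONFIG_PAX_PAGEEXEC` alone while fault_32.c also lists CONFIG_PAX_SEGMEXEC; fine, since SEGMEXEC is 32-bit only, but a comment avoids a spurious "missing ifdef" report.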
48493 +@@ -405,7 +563,7 @@ asmlinkage void __kprobes do_page_fault(
48494 + goto good_area;
48495 + if (!(vma->vm_flags & VM_GROWSDOWN))
48496 + goto bad_area;
48497 +- if (error_code & 4) {
48498 ++ if (error_code & PF_USER) {
48499 + /* Allow userspace just enough access below the stack pointer
48500 + * to let the 'enter' instruction work.
48501 + */
48502 +@@ -421,6 +579,8 @@ asmlinkage void __kprobes do_page_fault(
48503 + good_area:
48504 + info.si_code = SEGV_ACCERR;
48505 + write = 0;
48506 ++ if ((error_code & PF_INSTR) && !(vma->vm_flags & VM_EXEC))
48507 ++ goto bad_area;
48508 + switch (error_code & (PF_PROT|PF_WRITE)) {
48509 + default: /* 3: write, present */
48510 + /* fall through */
48511 +@@ -472,6 +632,21 @@ bad_area_nosemaphore:
48512 + */
48513 + local_irq_enable();
48514 +
48515 ++#ifdef CONFIG_PAX_PAGEEXEC
48516 ++ if (mm && (mm->pax_flags & MF_PAX_PAGEEXEC) && (error_code & PF_INSTR)) {
48517 ++
48518 ++#ifdef CONFIG_PAX_EMUTRAMP
48519 ++ switch (pax_handle_fetch_fault(regs)) {
48520 ++ case 2:
48521 ++ return;
48522 ++ }
48523 ++#endif
48524 ++
48525 ++ pax_report_fault(regs, (void*)regs->rip, (void*)regs->rsp);
48526 ++ do_group_exit(SIGKILL);
48527 ++ }
48528 ++#endif
48529 ++
48530 + if (is_prefetch(regs, address, error_code))
48531 + return;
48532 +
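Review bot: the CONFIG_PAX_PAGEEXEC block in the 64-bit bad_area_nosemaphore sits before the `is_prefetch()` check, which is correct (a PF_INSTR fault cannot be a data prefetch) but is the reverse of the order a reader expects from the "is this a real fault at all" structure, so add a one-line comment. The one-case `switch (pax_handle_fetch_fault(regs)) { case 2: return; }` reads more naturally as an `if`, and the cast style is `(void*)regs->rip` here versus `(void *)regs->eip` in fault_32.c; pick one.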
48533 +@@ -489,8 +664,8 @@ bad_area_nosemaphore:
48534 + printk_ratelimit()) {
48535 + printk(
48536 + "%s%s[%d]: segfault at %lx rip %lx rsp %lx error %lx\n",
48537 +- tsk->pid > 1 ? KERN_INFO : KERN_EMERG,
48538 +- tsk->comm, tsk->pid, address, regs->rip,
48539 ++ task_pid_nr(tsk) > 1 ? KERN_INFO : KERN_EMERG,
48540 ++ tsk->comm, task_pid_nr(tsk), address, regs->rip,
48541 + regs->rsp, error_code);
48542 + }
48543 +
48544 +@@ -534,6 +709,9 @@ no_context:
48545 +
48546 + if (address < PAGE_SIZE)
48547 + printk(KERN_ALERT "Unable to handle kernel NULL pointer dereference");
48548 ++ else if (error_code & PF_INSTR)
48549 ++ printk(KERN_ALERT "PAX: %s:%d, uid/euid: %u/%u, invalid execution attempt",
48550 ++ tsk->comm, task_pid_nr(tsk), tsk->uid, tsk->euid);
48551 + else
48552 + printk(KERN_ALERT "Unable to handle kernel paging request");
48553 + printk(" at %016lx RIP: \n" KERN_ALERT,address);
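Review bot: the 64-bit no_context message `"PAX: %s:%d, uid/euid: %u/%u, invalid execution attempt"` is the counterpart of the fault_32.c KERNEXEC message, but it lacks the `tsk->signal->curr_ip` variant that the 32-bit side prints with NIPQUAD, and it is keyed on `error_code & PF_INSTR` rather than on a kernel-text address range; if the asymmetry is deliberate, say so in a comment, otherwise log the originating IP here as well so the two architectures produce comparable audit lines. As with the sibling messages the string intentionally has no trailing newline, because the ` at %016lx RIP:` printk that follows completes the line.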
48554 +@@ -546,7 +724,7 @@ no_context:
48555 + /* Executive summary in case the body of the oops scrolled away */
48556 + printk(KERN_EMERG "CR2: %016lx\n", address);
48557 + oops_end(flags);
48558 +- do_exit(SIGKILL);
48559 ++ do_group_exit(SIGKILL);
48560 +
48561 + /*
48562 + * We ran out of memory, or some other thing happened to us that made
48563 +diff -urNp linux-2.6.24.5/arch/x86/mm/highmem_32.c linux-2.6.24.5/arch/x86/mm/highmem_32.c
48564 +--- linux-2.6.24.5/arch/x86/mm/highmem_32.c 2008-03-24 14:49:18.000000000 -0400
48565 ++++ linux-2.6.24.5/arch/x86/mm/highmem_32.c 2008-03-26 20:21:08.000000000 -0400
48566 +@@ -31,6 +31,10 @@ void *kmap_atomic_prot(struct page *page
48567 + enum fixed_addresses idx;
48568 + unsigned long vaddr;
48569 +
48570 ++#ifdef CONFIG_PAX_KERNEXEC
48571 ++ unsigned long cr0;
48572 ++#endif
48573 ++
48574 + /* even !CONFIG_PREEMPT needs this, for in_atomic in do_page_fault */
48575 + pagefault_disable();
48576 +
48577 +@@ -40,7 +44,17 @@ void *kmap_atomic_prot(struct page *page
48578 + idx = type + KM_TYPE_NR*smp_processor_id();
48579 + vaddr = __fix_to_virt(FIX_KMAP_BEGIN + idx);
48580 + BUG_ON(!pte_none(*(kmap_pte-idx)));
48581 ++
48582 ++#ifdef CONFIG_PAX_KERNEXEC
48583 ++ pax_open_kernel(cr0);
48584 ++#endif
48585 ++
48586 + set_pte(kmap_pte-idx, mk_pte(page, prot));
48587 ++
48588 ++#ifdef CONFIG_PAX_KERNEXEC
48589 ++ pax_close_kernel(cr0);
48590 ++#endif
48591 ++
48592 + arch_flush_lazy_mmu_mode();
48593 +
48594 + return (void *)vaddr;
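Review bot: the pax_open_kernel(cr0) / pax_close_kernel(cr0) pair around `set_pte(kmap_pte-idx, mk_pte(page, prot))` is safe here only because the pagefault_disable() above has already disabled preemption, so the window in which kernel write protection is lifted cannot be preempted; since the same four-line `#ifdef CONFIG_PAX_KERNEXEC` block is repeated for kunmap_atomic() and kmap_atomic_pfn() in this file, a comment on this first instance stating that requirement (and that `cr0` is an out-parameter filled in by the open macro, not a value the caller initialises) would help, and a small helper that wraps the open/set_pte/close sequence would avoid writing it three times.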
48595 +@@ -56,15 +70,29 @@ void kunmap_atomic(void *kvaddr, enum km
48596 + unsigned long vaddr = (unsigned long) kvaddr & PAGE_MASK;
48597 + enum fixed_addresses idx = type + KM_TYPE_NR*smp_processor_id();
48598 +
48599 ++#ifdef CONFIG_PAX_KERNEXEC
48600 ++ unsigned long cr0;
48601 ++#endif
48602 ++
48603 + /*
48604 + * Force other mappings to Oops if they'll try to access this pte
48605 + * without first remap it. Keeping stale mappings around is a bad idea
48606 + * also, in case the page changes cacheability attributes or becomes
48607 + * a protected page in a hypervisor.
48608 + */
48609 +- if (vaddr == __fix_to_virt(FIX_KMAP_BEGIN+idx))
48610 ++ if (vaddr == __fix_to_virt(FIX_KMAP_BEGIN+idx)) {
48611 ++
48612 ++#ifdef CONFIG_PAX_KERNEXEC
48613 ++ pax_open_kernel(cr0);
48614 ++#endif
48615 ++
48616 + kpte_clear_flush(kmap_pte-idx, vaddr);
48617 +- else {
48618 ++
48619 ++#ifdef CONFIG_PAX_KERNEXEC
48620 ++ pax_close_kernel(cr0);
48621 ++#endif
48622 ++
48623 ++ } else {
48624 + #ifdef CONFIG_DEBUG_HIGHMEM
48625 + BUG_ON(vaddr < PAGE_OFFSET);
48626 + BUG_ON(vaddr >= (unsigned long)high_memory);
48627 +@@ -83,11 +111,25 @@ void *kmap_atomic_pfn(unsigned long pfn,
48628 + enum fixed_addresses idx;
48629 + unsigned long vaddr;
48630 +
48631 ++#ifdef CONFIG_PAX_KERNEXEC
48632 ++ unsigned long cr0;
48633 ++#endif
48634 ++
48635 + pagefault_disable();
48636 +
48637 + idx = type + KM_TYPE_NR*smp_processor_id();
48638 + vaddr = __fix_to_virt(FIX_KMAP_BEGIN + idx);
48639 ++
48640 ++#ifdef CONFIG_PAX_KERNEXEC
48641 ++ pax_open_kernel(cr0);
48642 ++#endif
48643 ++
48644 + set_pte(kmap_pte-idx, pfn_pte(pfn, kmap_prot));
48645 ++
48646 ++#ifdef CONFIG_PAX_KERNEXEC
48647 ++ pax_close_kernel(cr0);
48648 ++#endif
48649 ++
48650 + arch_flush_lazy_mmu_mode();
48651 +
48652 + return (void*) vaddr;
48653 +diff -urNp linux-2.6.24.5/arch/x86/mm/hugetlbpage.c linux-2.6.24.5/arch/x86/mm/hugetlbpage.c
48654 +--- linux-2.6.24.5/arch/x86/mm/hugetlbpage.c 2008-03-24 14:49:18.000000000 -0400
48655 ++++ linux-2.6.24.5/arch/x86/mm/hugetlbpage.c 2008-03-26 20:21:08.000000000 -0400
48656 +@@ -229,13 +229,18 @@ static unsigned long hugetlb_get_unmappe
48657 + {
48658 + struct mm_struct *mm = current->mm;
48659 + struct vm_area_struct *vma;
48660 +- unsigned long start_addr;
48661 ++ unsigned long start_addr, pax_task_size = TASK_SIZE;
48662 ++
48663 ++#ifdef CONFIG_PAX_SEGMEXEC
48664 ++ if (mm->pax_flags & MF_PAX_SEGMEXEC)
48665 ++ pax_task_size = SEGMEXEC_TASK_SIZE;
48666 ++#endif
48667 +
48668 + if (len > mm->cached_hole_size) {
48669 +- start_addr = mm->free_area_cache;
48670 ++ start_addr = mm->free_area_cache;
48671 + } else {
48672 +- start_addr = TASK_UNMAPPED_BASE;
48673 +- mm->cached_hole_size = 0;
48674 ++ start_addr = mm->mmap_base;
48675 ++ mm->cached_hole_size = 0;
48676 + }
48677 +
48678 + full_search:
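Review bot: the `start_addr = mm->free_area_cache;` and `mm->cached_hole_size = 0;` lines in the bottom-up hugetlb hunk are removed and re-added with identical text, which looks like a whitespace-only change; please drop that noise so the real change (`TASK_UNMAPPED_BASE` replaced by `mm->mmap_base`, `TASK_SIZE` by the SEGMEXEC-aware `pax_task_size`) stands out. Using `mm->mmap_base` is what lets the bottom-up search honour a base that includes `mm->delta_mmap` under RANDMMAP; a one-line comment on `pax_task_size` saying it is the effective top of the user address space under SEGMEXEC would help.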
48679 +@@ -243,13 +248,13 @@ full_search:
48680 +
48681 + for (vma = find_vma(mm, addr); ; vma = vma->vm_next) {
48682 + /* At this point: (!vma || addr < vma->vm_end). */
48683 +- if (TASK_SIZE - len < addr) {
48684 ++ if (pax_task_size - len < addr) {
48685 + /*
48686 + * Start a new search - just in case we missed
48687 + * some holes.
48688 + */
48689 +- if (start_addr != TASK_UNMAPPED_BASE) {
48690 +- start_addr = TASK_UNMAPPED_BASE;
48691 ++ if (start_addr != mm->mmap_base) {
48692 ++ start_addr = mm->mmap_base;
48693 + mm->cached_hole_size = 0;
48694 + goto full_search;
48695 + }
48696 +@@ -271,9 +276,8 @@ static unsigned long hugetlb_get_unmappe
48697 + {
48698 + struct mm_struct *mm = current->mm;
48699 + struct vm_area_struct *vma, *prev_vma;
48700 +- unsigned long base = mm->mmap_base, addr = addr0;
48701 ++ unsigned long base = mm->mmap_base, addr;
48702 + unsigned long largest_hole = mm->cached_hole_size;
48703 +- int first_time = 1;
48704 +
48705 + /* don't allow allocations above current base */
48706 + if (mm->free_area_cache > base)
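Review bot: dropping `addr = addr0` from the declaration in the top-down hugetlb function leaves `addr` uninitialised at that point, and with the `first_time`/`try_again` retry removed the hint in `addr0` is no longer consulted by this function at all (it is only passed through to the bottom-up fallback); please confirm every remaining path assigns `addr` before it is read, and note in the function comment that the hint is ignored in the top-down case.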
48707 +@@ -283,7 +287,7 @@ static unsigned long hugetlb_get_unmappe
48708 + largest_hole = 0;
48709 + mm->free_area_cache = base;
48710 + }
48711 +-try_again:
48712 ++
48713 + /* make sure it can fit in the remaining address space */
48714 + if (mm->free_area_cache < len)
48715 + goto fail;
48716 +@@ -325,22 +329,26 @@ try_again:
48717 +
48718 + fail:
48719 + /*
48720 +- * if hint left us with no space for the requested
48721 +- * mapping then try again:
48722 +- */
48723 +- if (first_time) {
48724 +- mm->free_area_cache = base;
48725 +- largest_hole = 0;
48726 +- first_time = 0;
48727 +- goto try_again;
48728 +- }
48729 +- /*
48730 + * A failed mmap() very likely causes application failure,
48731 + * so fall back to the bottom-up function here. This scenario
48732 + * can happen with large stack limits and large mmap()
48733 + * allocations.
48734 + */
48735 +- mm->free_area_cache = TASK_UNMAPPED_BASE;
48736 ++
48737 ++#ifdef CONFIG_PAX_SEGMEXEC
48738 ++ if (mm->pax_flags & MF_PAX_SEGMEXEC)
48739 ++ mm->mmap_base = SEGMEXEC_TASK_UNMAPPED_BASE;
48740 ++ else
48741 ++#endif
48742 ++
48743 ++ mm->mmap_base = TASK_UNMAPPED_BASE;
48744 ++
48745 ++#ifdef CONFIG_PAX_RANDMMAP
48746 ++ if (mm->pax_flags & MF_PAX_RANDMMAP)
48747 ++ mm->mmap_base += mm->delta_mmap;
48748 ++#endif
48749 ++
48750 ++ mm->free_area_cache = mm->mmap_base;
48751 + mm->cached_hole_size = ~0UL;
48752 + addr = hugetlb_get_unmapped_area_bottomup(file, addr0,
48753 + len, pgoff, flags);
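Review bot: the fail path now rewrites `mm->mmap_base` (to `SEGMEXEC_TASK_UNMAPPED_BASE` or `TASK_UNMAPPED_BASE`, plus `mm->delta_mmap` under RANDMMAP) before calling the bottom-up allocator, which is a wider side effect than the old `mm->free_area_cache = TASK_UNMAPPED_BASE`; it is only correct because the caller holds mmap_sem for write and because the following hunk restores `mm->mmap_base = base`, so please state both in the comment. The `#ifdef CONFIG_PAX_SEGMEXEC ... else #endif` followed, after a blank line, by an unconditional `mm->mmap_base = TASK_UNMAPPED_BASE;` is an `else` body that only exists when the option is on; brace it, or compute the base into a local and assign once. Removing the `try_again` retry also removes the second attempt with the hint cleared; fine, since the fallback covers it, but the comment block above should say so rather than jump straight into the fallback explanation.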
48754 +@@ -348,6 +356,7 @@ fail:
48755 + /*
48756 + * Restore the topdown base:
48757 + */
48758 ++ mm->mmap_base = base;
48759 + mm->free_area_cache = base;
48760 + mm->cached_hole_size = ~0UL;
48761 +
48762 +@@ -360,10 +369,17 @@ hugetlb_get_unmapped_area(struct file *f
48763 + {
48764 + struct mm_struct *mm = current->mm;
48765 + struct vm_area_struct *vma;
48766 ++ unsigned long pax_task_size = TASK_SIZE;
48767 +
48768 + if (len & ~HPAGE_MASK)
48769 + return -EINVAL;
48770 +- if (len > TASK_SIZE)
48771 ++
48772 ++#ifdef CONFIG_PAX_SEGMEXEC
48773 ++ if (mm->pax_flags & MF_PAX_SEGMEXEC)
48774 ++ pax_task_size = SEGMEXEC_TASK_SIZE;
48775 ++#endif
48776 ++
48777 ++ if (len > pax_task_size)
48778 + return -ENOMEM;
48779 +
48780 + if (flags & MAP_FIXED) {
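Review bot: the SEGMEXEC task-size selection (`pax_task_size = SEGMEXEC_TASK_SIZE` when `mm->pax_flags & MF_PAX_SEGMEXEC`) now appears in three functions in this file; a small inline helper would keep them from drifting apart. Moving the `len > pax_task_size` check after the SEGMEXEC block is required, but the MAP_FIXED branch that follows is not part of this hunk; please verify it bounds the fixed address against the same `pax_task_size` rather than `TASK_SIZE`, otherwise a fixed mapping could still land above the SEGMEXEC split.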
48781 +@@ -375,7 +391,7 @@ hugetlb_get_unmapped_area(struct file *f
48782 + if (addr) {
48783 + addr = ALIGN(addr, HPAGE_SIZE);
48784 + vma = find_vma(mm, addr);
48785 +- if (TASK_SIZE - len >= addr &&
48786 ++ if (pax_task_size - len >= addr &&
48787 + (!vma || addr + len <= vma->vm_start))
48788 + return addr;
48789 + }
48790 +diff -urNp linux-2.6.24.5/arch/x86/mm/init_32.c linux-2.6.24.5/arch/x86/mm/init_32.c
48791 +--- linux-2.6.24.5/arch/x86/mm/init_32.c 2008-03-24 14:49:18.000000000 -0400
48792 ++++ linux-2.6.24.5/arch/x86/mm/init_32.c 2008-03-26 20:21:08.000000000 -0400
48793 +@@ -44,6 +44,7 @@
48794 + #include <asm/tlbflush.h>
48795 + #include <asm/sections.h>
48796 + #include <asm/paravirt.h>
48797 ++#include <asm/desc.h>
48798 +
48799 + unsigned int __VMALLOC_RESERVE = 128 << 20;
48800 +
48801 +@@ -53,32 +54,6 @@ unsigned long highstart_pfn, highend_pfn
48802 + static int noinline do_test_wp_bit(void);
48803 +
48804 + /*
48805 +- * Creates a middle page table and puts a pointer to it in the
48806 +- * given global directory entry. This only returns the gd entry
48807 +- * in non-PAE compilation mode, since the middle layer is folded.
48808 +- */
48809 +-static pmd_t * __init one_md_table_init(pgd_t *pgd)
48810 +-{
48811 +- pud_t *pud;
48812 +- pmd_t *pmd_table;
48813 +-
48814 +-#ifdef CONFIG_X86_PAE
48815 +- if (!(pgd_val(*pgd) & _PAGE_PRESENT)) {
48816 +- pmd_table = (pmd_t *) alloc_bootmem_low_pages(PAGE_SIZE);
48817 +-
48818 +- paravirt_alloc_pd(__pa(pmd_table) >> PAGE_SHIFT);
48819 +- set_pgd(pgd, __pgd(__pa(pmd_table) | _PAGE_PRESENT));
48820 +- pud = pud_offset(pgd, 0);
48821 +- if (pmd_table != pmd_offset(pud, 0))
48822 +- BUG();
48823 +- }
48824 +-#endif
48825 +- pud = pud_offset(pgd, 0);
48826 +- pmd_table = pmd_offset(pud, 0);
48827 +- return pmd_table;
48828 +-}
48829 +-
48830 +-/*
48831 + * Create a page table and place a pointer to it in a middle page
48832 + * directory entry.
48833 + */
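Review bot: removing the whole `-static pmd_t * __init one_md_table_init(pgd_t *pgd)` block drops the only code in this file that allocated a PMD page when a PGD entry was not yet present under CONFIG_X86_PAE; the rewritten callers below go straight through pud_offset/pmd_offset, so every PGD entry must already point at a statically allocated PMD page (the `swapper_pm_dir` that the native_pagetable_setup_start hunk registers). That invariant is stated nowhere in this file. A one-line comment above the rewritten callers saying where the PAE PMD pages now come from (the early boot code that the removed native_pagetable_setup_done comment refers to as head.S) would stop a later change there from silently reintroducing a null pmd dereference.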
48834 +@@ -95,7 +70,11 @@ static pte_t * __init one_page_table_ini
48835 + (pte_t *)alloc_bootmem_low_pages(PAGE_SIZE);
48836 +
48837 + paravirt_alloc_pt(&init_mm, __pa(page_table) >> PAGE_SHIFT);
48838 ++#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
48839 ++ set_pmd(pmd, __pmd(__pa(page_table) | _KERNPG_TABLE));
48840 ++#else
48841 + set_pmd(pmd, __pmd(__pa(page_table) | _PAGE_TABLE));
48842 ++#endif
48843 + BUG_ON(page_table != pte_offset_kernel(pmd, 0));
48844 + }
48845 +
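Review bot: the new `#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)` branch in one_page_table_init switches the PMD entry from _PAGE_TABLE to _KERNPG_TABLE, which drops _PAGE_USER from a kernel page-table entry, but nothing says why the user bit is acceptable in the plain build and not under PAGEEXEC/SEGMEXEC. A comment at `set_pmd(pmd, __pmd(__pa(page_table) | _KERNPG_TABLE));` noting that these tables only ever map kernel-space ranges (fixmap and friends) and must not be reachable with user privilege would make the conditional self-documenting, and would also explain why the init_64.c hunks later in this patch make the opposite-looking textual change (`_KERNPG_TABLE | _PAGE_USER` to `_PAGE_TABLE`), which is a pure spelling change with the same bits.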
48846 +@@ -116,6 +95,7 @@ static pte_t * __init one_page_table_ini
48847 + static void __init page_table_range_init (unsigned long start, unsigned long end, pgd_t *pgd_base)
48848 + {
48849 + pgd_t *pgd;
48850 ++ pud_t *pud;
48851 + pmd_t *pmd;
48852 + int pgd_idx, pmd_idx;
48853 + unsigned long vaddr;
48854 +@@ -126,8 +106,13 @@ static void __init page_table_range_init
48855 + pgd = pgd_base + pgd_idx;
48856 +
48857 + for ( ; (pgd_idx < PTRS_PER_PGD) && (vaddr != end); pgd++, pgd_idx++) {
48858 +- pmd = one_md_table_init(pgd);
48859 +- pmd = pmd + pmd_index(vaddr);
48860 ++ pud = pud_offset(pgd, vaddr);
48861 ++ pmd = pmd_offset(pud, vaddr);
48862 ++
48863 ++#ifdef CONFIG_X86_PAE
48864 ++ paravirt_alloc_pd(__pa(pmd) >> PAGE_SHIFT);
48865 ++#endif
48866 ++
48867 + for (; (pmd_idx < PTRS_PER_PMD) && (vaddr != end); pmd++, pmd_idx++) {
48868 + one_page_table_init(pmd);
48869 +
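Review bot: in the rewritten page_table_range_init loop, `paravirt_alloc_pd(__pa(pmd) >> PAGE_SHIFT);` is now called on every PGD iteration, whereas the removed one_md_table_init only registered a PMD page immediately after allocating it. The same call is added in kernel_physical_mapping_init and again for every entry in native_pagetable_setup_start below, so under PAE one PMD page is reported to the paravirt backend two or three times. On native hardware the hook is a no-op, but a hypervisor backend that pins or tracks page-directory pages may not tolerate a repeat registration; since native_pagetable_setup_start now registers all PTRS_PER_PGD entries up front, the per-loop calls look redundant and could be dropped, or the reason for keeping them stated in a comment.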
48870 +@@ -137,11 +122,23 @@ static void __init page_table_range_init
48871 + }
48872 + }
48873 +
48874 +-static inline int is_kernel_text(unsigned long addr)
48875 ++static inline int is_kernel_text(unsigned long start, unsigned long end)
48876 + {
48877 +- if (addr >= PAGE_OFFSET && addr <= (unsigned long)__init_end)
48878 +- return 1;
48879 +- return 0;
48880 ++ unsigned long etext;
48881 ++
48882 ++#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
48883 ++ etext = ktva_ktla((unsigned long)&MODULES_END);
48884 ++#else
48885 ++ etext = (unsigned long)&_etext;
48886 ++#endif
48887 ++
48888 ++ if ((start > ktla_ktva(etext) ||
48889 ++ end <= ktla_ktva((unsigned long)_stext)) &&
48890 ++ (start > ktla_ktva((unsigned long)_einittext) ||
48891 ++ end <= ktla_ktva((unsigned long)_sinittext)) &&
48892 ++ (start > (unsigned long)__va(0xfffff) || end <= (unsigned long)__va(0xc0000)))
48893 ++ return 0;
48894 ++ return 1;
48895 + }
48896 +
48897 + /*
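Review bot: the new is_kernel_text(start, end) reads as a triple negative (return 0 when the range misses all three regions, else 1) and carries no comment. Two concrete points in the body: in the CONFIG_MODULES && CONFIG_PAX_KERNEXEC branch, `etext = ktva_ktla((unsigned long)&MODULES_END);` is immediately undone by `ktla_ktva(etext)` in the comparison, so the round trip exists only so the non-modules branch converts correctly; applying ktla_ktva inside the #else branch and comparing against a plain etext would be clearer. And the literal pair `__va(0xc0000)` / `__va(0xfffff)` is the legacy ISA video and system BIOS ROM window; give it a name or a comment saying why that window must keep an executable mapping, since nothing else in the hunk explains the numbers.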
48898 +@@ -153,25 +150,29 @@ static void __init kernel_physical_mappi
48899 + {
48900 + unsigned long pfn;
48901 + pgd_t *pgd;
48902 ++ pud_t *pud;
48903 + pmd_t *pmd;
48904 + pte_t *pte;
48905 +- int pgd_idx, pmd_idx, pte_ofs;
48906 ++ unsigned int pgd_idx, pmd_idx, pte_ofs;
48907 +
48908 + pgd_idx = pgd_index(PAGE_OFFSET);
48909 + pgd = pgd_base + pgd_idx;
48910 + pfn = 0;
48911 +
48912 +- for (; pgd_idx < PTRS_PER_PGD; pgd++, pgd_idx++) {
48913 +- pmd = one_md_table_init(pgd);
48914 +- if (pfn >= max_low_pfn)
48915 +- continue;
48916 ++ for (; pgd_idx < PTRS_PER_PGD && pfn < max_low_pfn; pgd++, pgd_idx++) {
48917 ++ pud = pud_offset(pgd, 0);
48918 ++ pmd = pmd_offset(pud, 0);
48919 ++
48920 ++#ifdef CONFIG_X86_PAE
48921 ++ paravirt_alloc_pd(__pa(pmd) >> PAGE_SHIFT);
48922 ++#endif
48923 ++
48924 + for (pmd_idx = 0; pmd_idx < PTRS_PER_PMD && pfn < max_low_pfn; pmd++, pmd_idx++) {
48925 +- unsigned int address = pfn * PAGE_SIZE + PAGE_OFFSET;
48926 ++ unsigned long address = pfn * PAGE_SIZE + PAGE_OFFSET;
48927 +
48928 + /* Map with big pages if possible, otherwise create normal page tables. */
48929 +- if (cpu_has_pse) {
48930 +- unsigned int address2 = (pfn + PTRS_PER_PTE - 1) * PAGE_SIZE + PAGE_OFFSET + PAGE_SIZE-1;
48931 +- if (is_kernel_text(address) || is_kernel_text(address2))
48932 ++ if (cpu_has_pse && address >= (unsigned long)__va(0x100000)) {
48933 ++ if (is_kernel_text(address, address + PMD_SIZE))
48934 + set_pmd(pmd, pfn_pmd(pfn, PAGE_KERNEL_LARGE_EXEC));
48935 + else
48936 + set_pmd(pmd, pfn_pmd(pfn, PAGE_KERNEL_LARGE));
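Review bot: the changed condition `if (cpu_has_pse && address >= (unsigned long)__va(0x100000)) {` forces the first megabyte to be mapped with 4K pages even on PSE-capable CPUs, which is what lets the range-based is_kernel_text above keep only the BIOS window executable and the rest of low memory non-executable at page granularity. That intent is invisible in the hunk; a short comment at that line explaining the 0x100000 literal (end of the first megabyte) would help, and `is_kernel_text(address, address + PMD_SIZE)` deserves a note that the end is exclusive, which is what the `end <=` comparisons in is_kernel_text assume.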
48937 +@@ -183,7 +184,7 @@ static void __init kernel_physical_mappi
48938 + for (pte_ofs = 0;
48939 + pte_ofs < PTRS_PER_PTE && pfn < max_low_pfn;
48940 + pte++, pfn++, pte_ofs++, address += PAGE_SIZE) {
48941 +- if (is_kernel_text(address))
48942 ++ if (is_kernel_text(address, address + PAGE_SIZE))
48943 + set_pte(pte, pfn_pte(pfn, PAGE_KERNEL_EXEC));
48944 + else
48945 + set_pte(pte, pfn_pte(pfn, PAGE_KERNEL));
48946 +@@ -338,9 +339,9 @@ static void __init set_highmem_pages_ini
48947 + #define set_highmem_pages_init(bad_ppro) do { } while (0)
48948 + #endif /* CONFIG_HIGHMEM */
48949 +
48950 +-unsigned long long __PAGE_KERNEL = _PAGE_KERNEL;
48951 ++unsigned long long __PAGE_KERNEL __read_only = _PAGE_KERNEL;
48952 + EXPORT_SYMBOL(__PAGE_KERNEL);
48953 +-unsigned long long __PAGE_KERNEL_EXEC = _PAGE_KERNEL_EXEC;
48954 ++unsigned long long __PAGE_KERNEL_EXEC __read_only = _PAGE_KERNEL_EXEC;
48955 +
48956 + #ifdef CONFIG_NUMA
48957 + extern void __init remap_numa_kva(void);
48958 +@@ -351,26 +352,10 @@ extern void __init remap_numa_kva(void);
48959 + void __init native_pagetable_setup_start(pgd_t *base)
48960 + {
48961 + #ifdef CONFIG_X86_PAE
48962 +- int i;
48963 +-
48964 +- /*
48965 +- * Init entries of the first-level page table to the
48966 +- * zero page, if they haven't already been set up.
48967 +- *
48968 +- * In a normal native boot, we'll be running on a
48969 +- * pagetable rooted in swapper_pg_dir, but not in PAE
48970 +- * mode, so this will end up clobbering the mappings
48971 +- * for the lower 24Mbytes of the address space,
48972 +- * without affecting the kernel address space.
48973 +- */
48974 +- for (i = 0; i < USER_PTRS_PER_PGD; i++)
48975 +- set_pgd(&base[i],
48976 +- __pgd(__pa(empty_zero_page) | _PAGE_PRESENT));
48977 ++ unsigned int i;
48978 +
48979 +- /* Make sure kernel address space is empty so that a pagetable
48980 +- will be allocated for it. */
48981 +- memset(&base[USER_PTRS_PER_PGD], 0,
48982 +- KERNEL_PGD_PTRS * sizeof(pgd_t));
48983 ++ for (i = 0; i < PTRS_PER_PGD; i++)
48984 ++ paravirt_alloc_pd(__pa(swapper_pm_dir + i) >> PAGE_SHIFT);
48985 + #else
48986 + paravirt_alloc_pd(__pa(swapper_pg_dir) >> PAGE_SHIFT);
48987 + #endif
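Review bot: the new PAE loop `for (i = 0; i < PTRS_PER_PGD; i++)` with `paravirt_alloc_pd(__pa(swapper_pm_dir + i) >> PAGE_SHIFT);` registers one distinct page per PGD entry only if swapper_pm_dir is declared as an array of page-sized PMD tables (one PTRS_PER_PMD-entry table per PGD slot); if it is a flat pmd_t array, `swapper_pm_dir + i` advances by a single 8-byte entry and the same frame is registered repeatedly. The declaration is not in this file, so please point at it in the commit message and consider indexing the outer array (`swapper_pm_dir[i]`) so the page stride is explicit. The hunk also deletes the memset of the kernel half of `base` and the empty_zero_page initialisation of the user half without saying what now guarantees those entries are valid before the first page_table_range_init call.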
48988 +@@ -378,16 +363,6 @@ void __init native_pagetable_setup_start
48989 +
48990 + void __init native_pagetable_setup_done(pgd_t *base)
48991 + {
48992 +-#ifdef CONFIG_X86_PAE
48993 +- /*
48994 +- * Add low memory identity-mappings - SMP needs it when
48995 +- * starting up on an AP from real-mode. In the non-PAE
48996 +- * case we already have these mappings through head.S.
48997 +- * All user-space mappings are explicitly cleared after
48998 +- * SMP startup.
48999 +- */
49000 +- set_pgd(&base[0], base[USER_PTRS_PER_PGD]);
49001 +-#endif
49002 + }
49003 +
49004 + /*
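Review bot: deleting `set_pgd(&base[0], base[USER_PTRS_PER_PGD]);` removes what the deleted comment describes as the low-memory identity mapping that SMP APs need when they start in real mode under PAE. If the PAE case now receives that mapping from the early boot code, as the non-PAE case already did per the same comment, say so in the commit message or in a one-line comment in the now-empty native_pagetable_setup_done; otherwise a reader cannot distinguish an intentional cleanup from a lost AP bring-up mapping.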
49005 +@@ -449,12 +424,12 @@ static void __init pagetable_init (void)
49006 + * Swap suspend & friends need this for resume because things like the intel-agp
49007 + * driver might have split up a kernel 4MB mapping.
49008 + */
49009 +-char __nosavedata swsusp_pg_dir[PAGE_SIZE]
49010 ++pgd_t __nosavedata swsusp_pg_dir[PTRS_PER_PGD]
49011 + __attribute__ ((aligned (PAGE_SIZE)));
49012 +
49013 + static inline void save_pg_dir(void)
49014 + {
49015 +- memcpy(swsusp_pg_dir, swapper_pg_dir, PAGE_SIZE);
49016 ++ clone_pgd_range(swsusp_pg_dir, swapper_pg_dir, PTRS_PER_PGD);
49017 + }
49018 + #else
49019 + static inline void save_pg_dir(void)
49020 +@@ -483,12 +458,11 @@ void zap_low_mappings (void)
49021 + flush_tlb_all();
49022 + }
49023 +
49024 +-int nx_enabled = 0;
49025 ++int nx_enabled;
49026 +
49027 + #ifdef CONFIG_X86_PAE
49028 +
49029 +-static int disable_nx __initdata = 0;
49030 +-u64 __supported_pte_mask __read_mostly = ~_PAGE_NX;
49031 ++u64 __supported_pte_mask __read_only = ~_PAGE_NX;
49032 + EXPORT_SYMBOL_GPL(__supported_pte_mask);
49033 +
49034 + /*
49035 +@@ -499,36 +473,31 @@ EXPORT_SYMBOL_GPL(__supported_pte_mask);
49036 + * on Enable
49037 + * off Disable
49038 + */
49039 ++#if !defined(CONFIG_PAX_PAGEEXEC)
49040 + static int __init noexec_setup(char *str)
49041 + {
49042 + if (!str || !strcmp(str, "on")) {
49043 +- if (cpu_has_nx) {
49044 +- __supported_pte_mask |= _PAGE_NX;
49045 +- disable_nx = 0;
49046 +- }
49047 ++ if (cpu_has_nx)
49048 ++ nx_enabled = 1;
49049 + } else if (!strcmp(str,"off")) {
49050 +- disable_nx = 1;
49051 +- __supported_pte_mask &= ~_PAGE_NX;
49052 ++ nx_enabled = 0;
49053 + } else
49054 + return -EINVAL;
49055 +
49056 + return 0;
49057 + }
49058 + early_param("noexec", noexec_setup);
49059 ++#endif
49060 +
49061 + static void __init set_nx(void)
49062 + {
49063 +- unsigned int v[4], l, h;
49064 ++ if (!nx_enabled && cpu_has_nx) {
49065 ++ unsigned l, h;
49066 +
49067 +- if (cpu_has_pae && (cpuid_eax(0x80000000) > 0x80000001)) {
49068 +- cpuid(0x80000001, &v[0], &v[1], &v[2], &v[3]);
49069 +- if ((v[3] & (1 << 20)) && !disable_nx) {
49070 +- rdmsr(MSR_EFER, l, h);
49071 +- l |= EFER_NX;
49072 +- wrmsr(MSR_EFER, l, h);
49073 +- nx_enabled = 1;
49074 +- __supported_pte_mask |= _PAGE_NX;
49075 +- }
49076 ++ __supported_pte_mask &= ~_PAGE_NX;
49077 ++ rdmsr(MSR_EFER, l, h);
49078 ++ l &= ~EFER_NX;
49079 ++ wrmsr(MSR_EFER, l, h);
49080 + }
49081 + }
49082 +
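Review bot: the rewritten set_nx inverts the direction of the NX logic and depends on nx_enabled being set somewhere outside this file. `if (!nx_enabled && cpu_has_nx) {` now clears EFER_NX and masks _PAGE_NX out of __supported_pte_mask, yet the only assignment of 1 to nx_enabled in these hunks is in noexec_setup, which is compiled out under CONFIG_PAX_PAGEEXEC; the declaration is now `int nx_enabled;` (zero) and `__supported_pte_mask __read_only = ~_PAGE_NX` never has _PAGE_NX ORed in here either. If early boot code enables NX and sets both before set_nx runs, add a comment at the nx_enabled declaration naming it; if not, every NX-capable CPU would have NX switched off by default. The same hunk also removes the `noexec=off` override under PAGEEXEC, a deliberate hardening choice that should be mentioned in the Kconfig help or commit message.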
49083 +@@ -581,14 +550,6 @@ void __init paging_init(void)
49084 +
49085 + load_cr3(swapper_pg_dir);
49086 +
49087 +-#ifdef CONFIG_X86_PAE
49088 +- /*
49089 +- * We will bail out later - printk doesn't work right now so
49090 +- * the user would just see a hanging kernel.
49091 +- */
49092 +- if (cpu_has_pae)
49093 +- set_in_cr4(X86_CR4_PAE);
49094 +-#endif
49095 + __flush_tlb_all();
49096 +
49097 + kmap_init();
49098 +@@ -659,7 +620,7 @@ void __init mem_init(void)
49099 + set_highmem_pages_init(bad_ppro);
49100 +
49101 + codesize = (unsigned long) &_etext - (unsigned long) &_text;
49102 +- datasize = (unsigned long) &_edata - (unsigned long) &_etext;
49103 ++ datasize = (unsigned long) &_edata - (unsigned long) &_data;
49104 + initsize = (unsigned long) &__init_end - (unsigned long) &__init_begin;
49105 +
49106 + kclist_add(&kcore_mem, __va(0), max_low_pfn << PAGE_SHIFT);
49107 +@@ -704,10 +665,10 @@ void __init mem_init(void)
49108 + (unsigned long)&__init_begin, (unsigned long)&__init_end,
49109 + ((unsigned long)&__init_end - (unsigned long)&__init_begin) >> 10,
49110 +
49111 +- (unsigned long)&_etext, (unsigned long)&_edata,
49112 +- ((unsigned long)&_edata - (unsigned long)&_etext) >> 10,
49113 ++ (unsigned long)&_data, (unsigned long)&_edata,
49114 ++ ((unsigned long)&_edata - (unsigned long)&_data) >> 10,
49115 +
49116 +- (unsigned long)&_text, (unsigned long)&_etext,
49117 ++ ktla_ktva((unsigned long)&_text), ktla_ktva((unsigned long)&_etext),
49118 + ((unsigned long)&_etext - (unsigned long)&_text) >> 10);
49119 +
49120 + #ifdef CONFIG_HIGHMEM
49121 +@@ -718,10 +679,6 @@ void __init mem_init(void)
49122 + BUG_ON((unsigned long)high_memory > VMALLOC_START);
49123 + #endif /* double-sanity-check paranoia */
49124 +
49125 +-#ifdef CONFIG_X86_PAE
49126 +- if (!cpu_has_pae)
49127 +- panic("cannot execute a PAE-enabled kernel on a PAE-less CPU!");
49128 +-#endif
49129 + if (boot_cpu_data.wp_works_ok < 0)
49130 + test_wp_bit();
49131 +
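Review bot: the removed block `if (!cpu_has_pae) panic("cannot execute a PAE-enabled kernel on a PAE-less CPU!");` was the only visible runtime guard against booting a CONFIG_X86_PAE kernel on a CPU without PAE. Together with the `set_in_cr4(X86_CR4_PAE)` removal in the paging_init hunk above, the patch is clearly moving PAE enabling earlier, but the check should then live in that earlier code and the commit message should say so, because the failure mode without it is a silent hang rather than a message.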
49132 +@@ -839,6 +796,46 @@ void free_init_pages(char *what, unsigne
49133 +
49134 + void free_initmem(void)
49135 + {
49136 ++
49137 ++#ifdef CONFIG_PAX_KERNEXEC
49138 ++ /* PaX: limit KERNEL_CS to actual size */
49139 ++ unsigned long addr, limit;
49140 ++ __u32 a, b;
49141 ++ int cpu;
49142 ++ pgd_t *pgd;
49143 ++ pud_t *pud;
49144 ++ pmd_t *pmd;
49145 ++
49146 ++#ifdef CONFIG_MODULES
49147 ++ limit = ktva_ktla((unsigned long)&MODULES_END);
49148 ++#else
49149 ++ limit = (unsigned long)&_etext;
49150 ++#endif
49151 ++ limit = (limit - 1UL) >> PAGE_SHIFT;
49152 ++
49153 ++ for (cpu = 0; cpu < NR_CPUS; cpu++) {
49154 ++ pack_descriptor(&a, &b, get_desc_base(&get_cpu_gdt_table(cpu)[GDT_ENTRY_KERNEL_CS]), limit, 0x9B, 0xC);
49155 ++ write_gdt_entry(get_cpu_gdt_table(cpu), GDT_ENTRY_KERNEL_CS, a, b);
49156 ++ }
49157 ++
49158 ++ /* PaX: make KERNEL_CS read-only */
49159 ++ for (addr = ktla_ktva((unsigned long)&_text); addr < (unsigned long)&_data; addr += PMD_SIZE) {
49160 ++ pgd = pgd_offset_k(addr);
49161 ++ pud = pud_offset(pgd, addr);
49162 ++ pmd = pmd_offset(pud, addr);
49163 ++ set_pmd(pmd, __pmd(pmd_val(*pmd) & ~_PAGE_RW));
49164 ++ }
49165 ++#ifdef CONFIG_X86_PAE
49166 ++ for (addr = (unsigned long)&__init_begin; addr < (unsigned long)&__init_end; addr += PMD_SIZE) {
49167 ++ pgd = pgd_offset_k(addr);
49168 ++ pud = pud_offset(pgd, addr);
49169 ++ pmd = pmd_offset(pud, addr);
49170 ++ set_pmd(pmd, __pmd(pmd_val(*pmd) | (_PAGE_NX & __supported_pte_mask)));
49171 ++ }
49172 ++#endif
49173 ++ flush_tlb_all();
49174 ++#endif
49175 ++
49176 + free_init_pages("unused kernel memory",
49177 + (unsigned long)(&__init_begin),
49178 + (unsigned long)(&__init_end));
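Review bot: three points in the CONFIG_PAX_KERNEXEC block. The write-protect loop `for (addr = ktla_ktva((unsigned long)&_text); addr < (unsigned long)&_data; addr += PMD_SIZE)` clears _PAGE_RW on whole PMD entries, so it assumes _data is PMD_SIZE-aligned; if it is not, the last iteration also write-protects the start of .data and the first store there oopses. That alignment has to be enforced in the linker script, which is not part of this hunk, so state the assumption in a comment next to the loop. The GDT rewrite `for (cpu = 0; cpu < NR_CPUS; cpu++)` walks every compile-time CPU slot rather than for_each_possible_cpu(); harmless for a static per-CPU GDT array, but the idiomatic form documents the intent. Finally, the `0x9B, 0xC` arguments to pack_descriptor are the access and flags bytes (present, DPL 0, execute/read code segment, accessed; 32-bit, page granularity) and deserve named constants or a comment.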
49179 +diff -urNp linux-2.6.24.5/arch/x86/mm/init_64.c linux-2.6.24.5/arch/x86/mm/init_64.c
49180 +--- linux-2.6.24.5/arch/x86/mm/init_64.c 2008-03-24 14:49:18.000000000 -0400
49181 ++++ linux-2.6.24.5/arch/x86/mm/init_64.c 2008-03-26 20:21:08.000000000 -0400
49182 +@@ -45,7 +45,7 @@
49183 + #include <asm/sections.h>
49184 +
49185 + #ifndef Dprintk
49186 +-#define Dprintk(x...)
49187 ++#define Dprintk(x...) do {} while (0)
49188 + #endif
49189 +
49190 + const struct dma_mapping_ops* dma_ops;
49191 +@@ -121,6 +121,10 @@ static __init void set_pte_phys(unsigned
49192 + pmd_t *pmd;
49193 + pte_t *pte, new_pte;
49194 +
49195 ++#ifdef CONFIG_PAX_KERNEXEC
49196 ++ unsigned long cr0;
49197 ++#endif
49198 ++
49199 + Dprintk("set_pte_phys %lx to %lx\n", vaddr, phys);
49200 +
49201 + pgd = pgd_offset_k(vaddr);
49202 +@@ -131,7 +135,7 @@ static __init void set_pte_phys(unsigned
49203 + pud = pud_offset(pgd, vaddr);
49204 + if (pud_none(*pud)) {
49205 + pmd = (pmd_t *) spp_getpage();
49206 +- set_pud(pud, __pud(__pa(pmd) | _KERNPG_TABLE | _PAGE_USER));
49207 ++ set_pud(pud, __pud(__pa(pmd) | _PAGE_TABLE));
49208 + if (pmd != pmd_offset(pud, 0)) {
49209 + printk("PAGETABLE BUG #01! %p <-> %p\n", pmd, pmd_offset(pud,0));
49210 + return;
49211 +@@ -140,7 +144,7 @@ static __init void set_pte_phys(unsigned
49212 + pmd = pmd_offset(pud, vaddr);
49213 + if (pmd_none(*pmd)) {
49214 + pte = (pte_t *) spp_getpage();
49215 +- set_pmd(pmd, __pmd(__pa(pte) | _KERNPG_TABLE | _PAGE_USER));
49216 ++ set_pmd(pmd, __pmd(__pa(pte) | _PAGE_TABLE));
49217 + if (pte != pte_offset_kernel(pmd, 0)) {
49218 + printk("PAGETABLE BUG #02!\n");
49219 + return;
49220 +@@ -152,8 +156,17 @@ static __init void set_pte_phys(unsigned
49221 + if (!pte_none(*pte) &&
49222 + pte_val(*pte) != (pte_val(new_pte) & __supported_pte_mask))
49223 + pte_ERROR(*pte);
49224 ++
49225 ++#ifdef CONFIG_PAX_KERNEXEC
49226 ++ pax_open_kernel(cr0);
49227 ++#endif
49228 ++
49229 + set_pte(pte, new_pte);
49230 +
49231 ++#ifdef CONFIG_PAX_KERNEXEC
49232 ++ pax_close_kernel(cr0);
49233 ++#endif
49234 ++
49235 + /*
49236 + * It's enough to flush this one mapping.
49237 + * (PGE mappings get flushed as well)
49238 +@@ -225,7 +238,7 @@ __meminit void *early_ioremap(unsigned l
49239 + addr &= PMD_MASK;
49240 + for (i = 0; i < pmds; i++, addr += PMD_SIZE)
49241 + set_pmd(pmd + i,__pmd(addr | _KERNPG_TABLE | _PAGE_PSE));
49242 +- __flush_tlb();
49243 ++ __flush_tlb_all();
49244 + return (void *)vaddr;
49245 + next:
49246 + ;
49247 +@@ -246,7 +259,7 @@ __meminit void early_iounmap(void *addr,
49248 + pmd = level2_kernel_pgt + pmd_index(vaddr);
49249 + for (i = 0; i < pmds; i++)
49250 + pmd_clear(pmd + i);
49251 +- __flush_tlb();
49252 ++ __flush_tlb_all();
49253 + }
49254 +
49255 + static void __meminit
49256 +@@ -314,7 +327,7 @@ static void __meminit phys_pud_init(pud_
49257 + spin_unlock(&init_mm.page_table_lock);
49258 + unmap_low_page(pmd);
49259 + }
49260 +- __flush_tlb();
49261 ++ __flush_tlb_all();
49262 + }
49263 +
49264 + static void __init find_early_table_space(unsigned long end)
49265 +@@ -583,6 +596,39 @@ void free_init_pages(char *what, unsigne
49266 +
49267 + void free_initmem(void)
49268 + {
49269 ++
49270 ++#ifdef CONFIG_PAX_KERNEXEC
49271 ++ unsigned long addr, end;
49272 ++ pgd_t *pgd;
49273 ++ pud_t *pud;
49274 ++ pmd_t *pmd;
49275 ++
49276 ++ /* PaX: make kernel code/rodata read-only, rest non-executable */
49277 ++ for (addr = __START_KERNEL_map; addr < __START_KERNEL_map + KERNEL_TEXT_SIZE; addr += PMD_SIZE) {
49278 ++ pgd = pgd_offset_k(addr);
49279 ++ pud = pud_offset(pgd, addr);
49280 ++ pmd = pmd_offset(pud, addr);
49281 ++ if ((unsigned long)_text <= addr && addr < (unsigned long)_data)
49282 ++ set_pmd(pmd, __pmd(pmd_val(*pmd) & ~_PAGE_RW));
49283 ++ else
49284 ++ set_pmd(pmd, __pmd(pmd_val(*pmd) | (_PAGE_NX & __supported_pte_mask)));
49285 ++ }
49286 ++
49287 ++ addr = (unsigned long)__va(__pa(__START_KERNEL_map));
49288 ++ end = addr + KERNEL_TEXT_SIZE;
49289 ++ for (; addr < end; addr += PMD_SIZE) {
49290 ++ pgd = pgd_offset_k(addr);
49291 ++ pud = pud_offset(pgd, addr);
49292 ++ pmd = pmd_offset(pud, addr);
49293 ++ if ((unsigned long)__va(__pa(_text)) <= addr && addr < (unsigned long)__va(__pa(_data)))
49294 ++ set_pmd(pmd, __pmd(pmd_val(*pmd) & ~_PAGE_RW));
49295 ++ else
49296 ++ set_pmd(pmd, __pmd(pmd_val(*pmd) | (_PAGE_NX & __supported_pte_mask)));
49297 ++ }
49298 ++
49299 ++ flush_tlb_all();
49300 ++#endif
49301 ++
49302 + free_init_pages("unused kernel memory",
49303 + (unsigned long)(&__init_begin),
49304 + (unsigned long)(&__init_end));
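Review bot: the comment `/* PaX: make kernel code/rodata read-only, rest non-executable */` matches the two loops, but both work at PMD granularity: `if ((unsigned long)_text <= addr && addr < (unsigned long)_data)` clears _PAGE_RW on an entire 2MB entry and every other entry in __START_KERNEL_map .. + KERNEL_TEXT_SIZE gets _PAGE_NX ORed in, so, as in the 32-bit hunk, correctness depends on _text and _data being PMD_SIZE-aligned in the linker script; record that assumption in a comment. The second loop repeats the same classification for the direct-map alias of the kernel image with the boundaries rewritten through __va(__pa(...)); folding the shared body into a small static helper taking (addr, text_start, data_start) would keep the two set_pmd decisions from drifting apart.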
49305 +@@ -730,7 +776,7 @@ int in_gate_area_no_task(unsigned long a
49306 +
49307 + const char *arch_vma_name(struct vm_area_struct *vma)
49308 + {
49309 +- if (vma->vm_mm && vma->vm_start == (long)vma->vm_mm->context.vdso)
49310 ++ if (vma->vm_mm && vma->vm_start == vma->vm_mm->context.vdso)
49311 + return "[vdso]";
49312 + if (vma == &gate_vma)
49313 + return "[vsyscall]";
49314 +diff -urNp linux-2.6.24.5/arch/x86/mm/ioremap_32.c linux-2.6.24.5/arch/x86/mm/ioremap_32.c
49315 +--- linux-2.6.24.5/arch/x86/mm/ioremap_32.c 2008-03-24 14:49:18.000000000 -0400
49316 ++++ linux-2.6.24.5/arch/x86/mm/ioremap_32.c 2008-03-26 20:21:08.000000000 -0400
49317 +@@ -67,8 +67,11 @@ void __iomem * __ioremap(unsigned long p
49318 + return NULL;
49319 + }
49320 +
49321 +- prot = __pgprot(_PAGE_PRESENT | _PAGE_RW | _PAGE_DIRTY
49322 +- | _PAGE_ACCESSED | flags);
49323 ++#ifdef CONFIG_X86_PAE
49324 ++ prot = __pgprot((__PAGE_KERNEL | _PAGE_GLOBAL | flags) & __supported_pte_mask);
49325 ++#else
49326 ++ prot = __pgprot(__PAGE_KERNEL | _PAGE_GLOBAL | flags);
49327 ++#endif
49328 +
49329 + /*
49330 + * Mappings have to be page-aligned
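Review bot: `prot = __pgprot((__PAGE_KERNEL | _PAGE_GLOBAL | flags) & __supported_pte_mask);` is a real hardening step worth a sentence in the commit message: __PAGE_KERNEL carries _PAGE_NX once NX is in __supported_pte_mask, so ioremap'd MMIO ranges stop being executable, whereas the old `_PAGE_PRESENT | _PAGE_RW | _PAGE_DIRTY | _PAGE_ACCESSED` never set NX. It also newly sets _PAGE_GLOBAL on every ioremap mapping, which means the 32-bit iounmap path must flush global TLB entries (a plain __flush_tlb no longer evicts them); that path is not in this patch, so please confirm it already ends in a global flush (the 64-bit side switches early_iounmap to __flush_tlb_all in this same patch, presumably for that reason).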
49331 +diff -urNp linux-2.6.24.5/arch/x86/mm/ioremap_64.c linux-2.6.24.5/arch/x86/mm/ioremap_64.c
49332 +--- linux-2.6.24.5/arch/x86/mm/ioremap_64.c 2008-03-24 14:49:18.000000000 -0400
49333 ++++ linux-2.6.24.5/arch/x86/mm/ioremap_64.c 2008-03-26 20:21:08.000000000 -0400
49334 +@@ -48,7 +48,7 @@ ioremap_change_attr(unsigned long phys_a
49335 + * Must use a address here and not struct page because the phys addr
49336 + * can be a in hole between nodes and not have an memmap entry.
49337 + */
49338 +- err = change_page_attr_addr(vaddr,npages,__pgprot(__PAGE_KERNEL|flags));
49339 ++ err = change_page_attr_addr(vaddr,npages,__pgprot((__PAGE_KERNEL|_PAGE_GLOBAL|flags) & __supported_pte_mask));
49340 + if (!err)
49341 + global_flush_tlb();
49342 + }
49343 +@@ -103,8 +103,8 @@ void __iomem * __ioremap(unsigned long p
49344 + }
49345 + #endif
49346 +
49347 +- pgprot = __pgprot(_PAGE_PRESENT | _PAGE_RW | _PAGE_GLOBAL
49348 +- | _PAGE_DIRTY | _PAGE_ACCESSED | flags);
49349 ++ pgprot = __pgprot((__PAGE_KERNEL | _PAGE_GLOBAL | flags) & __supported_pte_mask);
49350 ++
49351 + /*
49352 + * Mappings have to be page-aligned
49353 + */
49354 +@@ -126,7 +126,7 @@ void __iomem * __ioremap(unsigned long p
49355 + return NULL;
49356 + }
49357 + if (flags && ioremap_change_attr(phys_addr, size, flags) < 0) {
49358 +- area->flags &= 0xffffff;
49359 ++ area->flags &= 0xfffff;
49360 + vunmap(addr);
49361 + return NULL;
49362 + }
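Review bot: `area->flags &= 0xfffff;` fixes a genuine bug independent of PaX: iounmap tests `p->flags >> 20` to decide whether to reset the direct mapping, so the attribute flags live in bits 20 and up, and the old mask 0xffffff left bits 20..23 in place, meaning a failed ioremap_change_attr could leave stale attribute flags on the vm area. This should be split out and sent upstream on its own with that explanation.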
49363 +@@ -199,7 +199,7 @@ void iounmap(volatile void __iomem *addr
49364 +
49365 + /* Reset the direct mapping. Can block */
49366 + if (p->flags >> 20)
49367 +- ioremap_change_attr(p->phys_addr, p->size, 0);
49368 ++ ioremap_change_attr(p->phys_addr, p->size - PAGE_SIZE, 0);
49369 +
49370 + /* Finally remove it */
49371 + o = remove_vm_area((void *)addr);
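Review bot: `ioremap_change_attr(p->phys_addr, p->size - PAGE_SIZE, 0);` subtracts the guard page that get_vm_area appends to every vm_struct, so the direct-mapping reset no longer touches one page past the real mapping. Like the 0xfffff mask fix in the previous hunk this is a standalone correctness fix; a comment at the call site naming the guard page would make the subtraction obvious to the next reader.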
49372 +diff -urNp linux-2.6.24.5/arch/x86/mm/mmap_32.c linux-2.6.24.5/arch/x86/mm/mmap_32.c
49373 +--- linux-2.6.24.5/arch/x86/mm/mmap_32.c 2008-03-24 14:49:18.000000000 -0400
49374 ++++ linux-2.6.24.5/arch/x86/mm/mmap_32.c 2008-03-26 20:21:08.000000000 -0400
49375 +@@ -35,12 +35,18 @@
49376 + * Leave an at least ~128 MB hole.
49377 + */
49378 + #define MIN_GAP (128*1024*1024)
49379 +-#define MAX_GAP (TASK_SIZE/6*5)
49380 ++#define MAX_GAP (pax_task_size/6*5)
49381 +
49382 + static inline unsigned long mmap_base(struct mm_struct *mm)
49383 + {
49384 + unsigned long gap = current->signal->rlim[RLIMIT_STACK].rlim_cur;
49385 + unsigned long random_factor = 0;
49386 ++ unsigned long pax_task_size = TASK_SIZE;
49387 ++
49388 ++#ifdef CONFIG_PAX_SEGMEXEC
49389 ++ if (mm->pax_flags & MF_PAX_SEGMEXEC)
49390 ++ pax_task_size = SEGMEXEC_TASK_SIZE;
49391 ++#endif
49392 +
49393 + if (current->flags & PF_RANDOMIZE)
49394 + random_factor = get_random_int() % (1024*1024);
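Review bot: `#define MAX_GAP (pax_task_size/6*5)` turns a file-level macro into one that only compiles inside mmap_base(), because pax_task_size is a local variable there; any future use of MAX_GAP elsewhere in the file fails with an unhelpful undeclared-identifier error. Prefer a parameterised macro, `#define MAX_GAP(task_size) ((task_size)/6*5)`, and use `MAX_GAP(pax_task_size)` at the two sites in the following hunk.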
49395 +@@ -50,7 +56,7 @@ static inline unsigned long mmap_base(st
49396 + else if (gap > MAX_GAP)
49397 + gap = MAX_GAP;
49398 +
49399 +- return PAGE_ALIGN(TASK_SIZE - gap - random_factor);
49400 ++ return PAGE_ALIGN(pax_task_size - gap - random_factor);
49401 + }
49402 +
49403 + /*
49404 +@@ -66,11 +72,30 @@ void arch_pick_mmap_layout(struct mm_str
49405 + if (sysctl_legacy_va_layout ||
49406 + (current->personality & ADDR_COMPAT_LAYOUT) ||
49407 + current->signal->rlim[RLIMIT_STACK].rlim_cur == RLIM_INFINITY) {
49408 ++
49409 ++#ifdef CONFIG_PAX_SEGMEXEC
49410 ++ if (mm->pax_flags & MF_PAX_SEGMEXEC)
49411 ++ mm->mmap_base = SEGMEXEC_TASK_UNMAPPED_BASE;
49412 ++ else
49413 ++#endif
49414 ++
49415 + mm->mmap_base = TASK_UNMAPPED_BASE;
49416 ++
49417 ++#ifdef CONFIG_PAX_RANDMMAP
49418 ++ if (mm->pax_flags & MF_PAX_RANDMMAP)
49419 ++ mm->mmap_base += mm->delta_mmap;
49420 ++#endif
49421 ++
49422 + mm->get_unmapped_area = arch_get_unmapped_area;
49423 + mm->unmap_area = arch_unmap_area;
49424 + } else {
49425 + mm->mmap_base = mmap_base(mm);
49426 ++
49427 ++#ifdef CONFIG_PAX_RANDMMAP
49428 ++ if (mm->pax_flags & MF_PAX_RANDMMAP)
49429 ++ mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
49430 ++#endif
49431 ++
49432 + mm->get_unmapped_area = arch_get_unmapped_area_topdown;
49433 + mm->unmap_area = arch_unmap_area_topdown;
49434 + }
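Review bot: in the legacy-layout branch, `if (mm->pax_flags & MF_PAX_SEGMEXEC) mm->mmap_base = SEGMEXEC_TASK_UNMAPPED_BASE; else` is followed by `#endif` and then the unconditional `mm->mmap_base = TASK_UNMAPPED_BASE;`, so the else binds across a preprocessor boundary and only a blank line hints at it. It is correct but fragile; putting both assignments inside the #ifdef as a normal if/else, with the plain assignment in an #else, survives someone inserting a statement between them. Separately, the topdown branch does `mm->mmap_base -= mm->delta_mmap + mm->delta_stack;` with no visible bound on either delta; the code that fills them is not in this file, so note in the commit message what keeps mmap_base above the gap and MIN_GAP computed in mmap_base().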
49435 +diff -urNp linux-2.6.24.5/arch/x86/mm/mmap_64.c linux-2.6.24.5/arch/x86/mm/mmap_64.c
49436 +--- linux-2.6.24.5/arch/x86/mm/mmap_64.c 2008-03-24 14:49:18.000000000 -0400
49437 ++++ linux-2.6.24.5/arch/x86/mm/mmap_64.c 2008-03-26 20:21:08.000000000 -0400
49438 +@@ -23,6 +23,12 @@ void arch_pick_mmap_layout(struct mm_str
49439 + unsigned rnd = get_random_int() & 0xfffffff;
49440 + mm->mmap_base += ((unsigned long)rnd) << PAGE_SHIFT;
49441 + }
49442 ++
49443 ++#ifdef CONFIG_PAX_RANDMMAP
49444 ++ if (mm->pax_flags & MF_PAX_RANDMMAP)
49445 ++ mm->mmap_base += mm->delta_mmap;
49446 ++#endif
49447 ++
49448 + mm->get_unmapped_area = arch_get_unmapped_area;
49449 + mm->unmap_area = arch_unmap_area;
49450 + }
49451 +diff -urNp linux-2.6.24.5/arch/x86/mm/numa_64.c linux-2.6.24.5/arch/x86/mm/numa_64.c
49452 +--- linux-2.6.24.5/arch/x86/mm/numa_64.c 2008-03-24 14:49:18.000000000 -0400
49453 ++++ linux-2.6.24.5/arch/x86/mm/numa_64.c 2008-03-26 20:21:08.000000000 -0400
49454 +@@ -19,7 +19,7 @@
49455 + #include <asm/acpi.h>
49456 +
49457 + #ifndef Dprintk
49458 +-#define Dprintk(x...)
49459 ++#define Dprintk(x...) do {} while (0)
49460 + #endif
49461 +
49462 + struct pglist_data *node_data[MAX_NUMNODES] __read_mostly;
49463 +diff -urNp linux-2.6.24.5/arch/x86/mm/pageattr_32.c linux-2.6.24.5/arch/x86/mm/pageattr_32.c
49464 +--- linux-2.6.24.5/arch/x86/mm/pageattr_32.c 2008-03-24 14:49:18.000000000 -0400
49465 ++++ linux-2.6.24.5/arch/x86/mm/pageattr_32.c 2008-03-26 20:21:08.000000000 -0400
49466 +@@ -13,6 +13,7 @@
49467 + #include <asm/tlbflush.h>
49468 + #include <asm/pgalloc.h>
49469 + #include <asm/sections.h>
49470 ++#include <asm/desc.h>
49471 +
49472 + static DEFINE_SPINLOCK(cpa_lock);
49473 + static struct list_head df_list = LIST_HEAD_INIT(df_list);
49474 +@@ -37,16 +38,16 @@ pte_t *lookup_address(unsigned long addr
49475 + }
49476 +
49477 + static struct page *split_large_page(unsigned long address, pgprot_t prot,
49478 +- pgprot_t ref_prot)
49479 ++ pgprot_t ref_prot, unsigned long flags)
49480 + {
49481 + int i;
49482 + unsigned long addr;
49483 + struct page *base;
49484 + pte_t *pbase;
49485 +
49486 +- spin_unlock_irq(&cpa_lock);
49487 ++ spin_unlock_irqrestore(&cpa_lock, flags);
49488 + base = alloc_pages(GFP_KERNEL, 0);
49489 +- spin_lock_irq(&cpa_lock);
49490 ++ spin_lock_irqsave(&cpa_lock, flags);
49491 + if (!base)
49492 + return NULL;
49493 +
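Review bot: replacing `spin_unlock_irq(&cpa_lock);` / `spin_lock_irq(&cpa_lock);` with the irqrestore/irqsave pair using the caller's flags is an independent correctness fix: change_page_attr takes cpa_lock with spin_lock_irqsave, so the old unconditional spin_lock_irq re-enabled interrupts on return even when the caller had entered with them disabled. Passing flags by value is fine because spin_lock_irqsave only needs to capture the state spin_unlock_irqrestore just restored, but a one-line comment saying so pre-empts the question, and this fix plus the race fix in __change_page_attr below belong in their own patch rather than buried in the PaX diff.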
49494 +@@ -99,7 +100,18 @@ static void set_pmd_pte(pte_t *kpte, uns
49495 + struct page *page;
49496 + unsigned long flags;
49497 +
49498 ++#ifdef CONFIG_PAX_KERNEXEC
49499 ++ unsigned long cr0;
49500 ++
49501 ++ pax_open_kernel(cr0);
49502 ++#endif
49503 ++
49504 + set_pte_atomic(kpte, pte); /* change init_mm */
49505 ++
49506 ++#ifdef CONFIG_PAX_KERNEXEC
49507 ++ pax_close_kernel(cr0);
49508 ++#endif
49509 ++
49510 + if (SHARED_KERNEL_PMD)
49511 + return;
49512 +
49513 +@@ -126,7 +138,7 @@ static inline void revert_page(struct pa
49514 + pte_t *linear;
49515 +
49516 + ref_prot =
49517 +- ((address & LARGE_PAGE_MASK) < (unsigned long)&_etext)
49518 ++ ((address & LARGE_PAGE_MASK) < ktla_ktva((unsigned long)&_etext))
49519 + ? PAGE_KERNEL_LARGE_EXEC : PAGE_KERNEL_LARGE;
49520 +
49521 + linear = (pte_t *)
49522 +@@ -143,7 +155,7 @@ static inline void save_page(struct page
49523 + }
49524 +
49525 + static int
49526 +-__change_page_attr(struct page *page, pgprot_t prot)
49527 ++__change_page_attr(struct page *page, pgprot_t prot, unsigned long flags)
49528 + {
49529 + pte_t *kpte;
49530 + unsigned long address;
49531 +@@ -167,13 +179,20 @@ __change_page_attr(struct page *page, pg
49532 + struct page *split;
49533 +
49534 + ref_prot =
49535 +- ((address & LARGE_PAGE_MASK) < (unsigned long)&_etext)
49536 ++ ((address & LARGE_PAGE_MASK) < ktla_ktva((unsigned long)&_etext))
49537 + ? PAGE_KERNEL_EXEC : PAGE_KERNEL;
49538 +- split = split_large_page(address, prot, ref_prot);
49539 ++ split = split_large_page(address, prot, ref_prot, flags);
49540 + if (!split)
49541 + return -ENOMEM;
49542 +- set_pmd_pte(kpte,address,mk_pte(split, ref_prot));
49543 +- kpte_page = split;
49544 ++ if (pte_huge(*kpte)) {
49545 ++ set_pmd_pte(kpte,address,mk_pte(split, ref_prot));
49546 ++ kpte_page = split;
49547 ++ } else {
49548 ++ __free_pages(split, 0);
49549 ++ kpte = lookup_address(address);
49550 ++ kpte_page = virt_to_page(kpte);
49551 ++ set_pte_atomic(kpte, mk_pte(page, prot));
49552 ++ }
49553 + }
49554 + page_private(kpte_page)++;
49555 + } else if (!pte_huge(*kpte)) {
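Review bot: the added `if (pte_huge(*kpte)) { ... } else { __free_pages(split, 0); kpte = lookup_address(address); ... }` closes a race the old code ignored: split_large_page drops cpa_lock around alloc_pages, so another CPU can split the same large page first, and the old unconditional set_pmd_pte would then replace that CPU's split with a fresh one. The new else branch correctly discards the unused split page, re-looks up the now 4K pte and applies the requested protection with `set_pte_atomic(kpte, mk_pte(page, prot));` before falling through to `page_private(kpte_page)++`, but none of that is commented; add a short comment describing the race so the fallback path is not mistaken for dead code.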
49556 +@@ -225,7 +244,7 @@ int change_page_attr(struct page *page,
49557 +
49558 + spin_lock_irqsave(&cpa_lock, flags);
49559 + for (i = 0; i < numpages; i++, page++) {
49560 +- err = __change_page_attr(page, prot);
49561 ++ err = __change_page_attr(page, prot, flags);
49562 + if (err)
49563 + break;
49564 + }
49565 +diff -urNp linux-2.6.24.5/arch/x86/mm/pageattr_64.c linux-2.6.24.5/arch/x86/mm/pageattr_64.c
49566 +--- linux-2.6.24.5/arch/x86/mm/pageattr_64.c 2008-03-24 14:49:18.000000000 -0400
49567 ++++ linux-2.6.24.5/arch/x86/mm/pageattr_64.c 2008-03-26 20:21:08.000000000 -0400
49568 +@@ -110,6 +110,10 @@ static void revert_page(unsigned long ad
49569 + pte_t large_pte;
49570 + unsigned long pfn;
49571 +
49572 ++#ifdef CONFIG_PAX_KERNEXEC
49573 ++ unsigned long cr0;
49574 ++#endif
49575 ++
49576 + pgd = pgd_offset_k(address);
49577 + BUG_ON(pgd_none(*pgd));
49578 + pud = pud_offset(pgd,address);
49579 +@@ -119,8 +123,18 @@ static void revert_page(unsigned long ad
49580 + pfn = (__pa(address) & LARGE_PAGE_MASK) >> PAGE_SHIFT;
49581 + large_pte = pfn_pte(pfn, ref_prot);
49582 + large_pte = pte_mkhuge(large_pte);
49583 ++
49584 ++#ifdef CONFIG_PAX_KERNEXEC
49585 ++ pax_open_kernel(cr0);
49586 ++#endif
49587 ++
49588 + set_pte((pte_t *)pmd, large_pte);
49589 +-}
49590 ++
49591 ++#ifdef CONFIG_PAX_KERNEXEC
49592 ++ pax_close_kernel(cr0);
49593 ++#endif
49594 ++
49595 ++}
49596 +
49597 + static int
49598 + __change_page_attr(unsigned long address, unsigned long pfn, pgprot_t prot,
49599 +@@ -136,22 +150,36 @@ __change_page_attr(unsigned long address
49600 + BUG_ON(PageLRU(kpte_page));
49601 + BUG_ON(PageCompound(kpte_page));
49602 + if (pgprot_val(prot) != pgprot_val(ref_prot)) {
49603 +- if (!pte_huge(*kpte)) {
49604 +- set_pte(kpte, pfn_pte(pfn, prot));
49605 +- } else {
49606 ++ if (pte_huge(*kpte)) {
49607 + /*
49608 + * split_large_page will take the reference for this
49609 + * change_page_attr on the split page.
49610 + */
49611 + struct page *split;
49612 ++
49613 ++#ifdef CONFIG_PAX_KERNEXEC
49614 ++ unsigned long cr0;
49615 ++#endif
49616 ++
49617 + ref_prot2 = pte_pgprot(pte_clrhuge(*kpte));
49618 + split = split_large_page(address, prot, ref_prot2);
49619 + if (!split)
49620 + return -ENOMEM;
49621 + pgprot_val(ref_prot2) &= ~_PAGE_NX;
49622 ++
49623 ++#ifdef CONFIG_PAX_KERNEXEC
49624 ++ pax_open_kernel(cr0);
49625 ++#endif
49626 ++
49627 + set_pte(kpte, mk_pte(split, ref_prot2));
49628 ++
49629 ++#ifdef CONFIG_PAX_KERNEXEC
49630 ++ pax_close_kernel(cr0);
49631 ++#endif
49632 ++
49633 + kpte_page = split;
49634 +- }
49635 ++ } else
49636 ++ set_pte(kpte, pfn_pte(pfn, prot));
49637 + page_private(kpte_page)++;
49638 + } else if (!pte_huge(*kpte)) {
49639 + set_pte(kpte, pfn_pte(pfn, ref_prot));
49640 +diff -urNp linux-2.6.24.5/arch/x86/mm/pgtable_32.c linux-2.6.24.5/arch/x86/mm/pgtable_32.c
49641 +--- linux-2.6.24.5/arch/x86/mm/pgtable_32.c 2008-03-24 14:49:18.000000000 -0400
49642 ++++ linux-2.6.24.5/arch/x86/mm/pgtable_32.c 2008-03-26 20:21:08.000000000 -0400
49643 +@@ -83,6 +83,10 @@ static void set_pte_pfn(unsigned long va
49644 + pmd_t *pmd;
49645 + pte_t *pte;
49646 +
49647 ++#ifdef CONFIG_PAX_KERNEXEC
49648 ++ unsigned long cr0;
49649 ++#endif
49650 ++
49651 + pgd = swapper_pg_dir + pgd_index(vaddr);
49652 + if (pgd_none(*pgd)) {
49653 + BUG();
49654 +@@ -99,11 +103,20 @@ static void set_pte_pfn(unsigned long va
49655 + return;
49656 + }
49657 + pte = pte_offset_kernel(pmd, vaddr);
49658 ++
49659 ++#ifdef CONFIG_PAX_KERNEXEC
49660 ++ pax_open_kernel(cr0);
49661 ++#endif
49662 ++
49663 + if (pgprot_val(flags))
49664 + set_pte_present(&init_mm, vaddr, pte, pfn_pte(pfn, flags));
49665 + else
49666 + pte_clear(&init_mm, vaddr, pte);
49667 +
49668 ++#ifdef CONFIG_PAX_KERNEXEC
49669 ++ pax_close_kernel(cr0);
49670 ++#endif
49671 ++
49672 + /*
49673 + * It's enough to flush this one mapping.
49674 + * (PGE mappings get flushed as well)
49675 +diff -urNp linux-2.6.24.5/arch/x86/oprofile/backtrace.c linux-2.6.24.5/arch/x86/oprofile/backtrace.c
49676 +--- linux-2.6.24.5/arch/x86/oprofile/backtrace.c 2008-03-24 14:49:18.000000000 -0400
49677 ++++ linux-2.6.24.5/arch/x86/oprofile/backtrace.c 2008-03-26 20:21:08.000000000 -0400
49678 +@@ -37,7 +37,7 @@ static void backtrace_address(void *data
49679 + unsigned int *depth = data;
49680 +
49681 + if ((*depth)--)
49682 +- oprofile_add_trace(addr);
49683 ++ oprofile_add_trace(ktla_ktva(addr));
49684 + }
49685 +
49686 + static struct stacktrace_ops backtrace_ops = {
49687 +@@ -79,7 +79,7 @@ x86_backtrace(struct pt_regs * const reg
49688 + struct frame_head *head = (struct frame_head *)frame_pointer(regs);
49689 + unsigned long stack = stack_pointer(regs);
49690 +
49691 +- if (!user_mode_vm(regs)) {
49692 ++ if (!user_mode(regs)) {
49693 + if (depth)
49694 + dump_trace(NULL, regs, (unsigned long *)stack,
49695 + &backtrace_ops, &depth);
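Review bot: replacing user_mode_vm() with user_mode() in x86_backtrace() changes behaviour for vm86 tasks. user_mode_vm() also reports "user" when the VM flag is set in EFLAGS, so with plain user_mode() a profile sample taken while a task is in vm86 mode is now classified as kernel mode and handed to dump_trace() with user-space register values. Unless the patchset disables vm86 elsewhere (nothing in this hunk shows that), keep user_mode_vm() here or add a comment stating why vm86 no longer needs to be considered.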
49696 +diff -urNp linux-2.6.24.5/arch/x86/oprofile/op_model_p4.c linux-2.6.24.5/arch/x86/oprofile/op_model_p4.c
49697 +--- linux-2.6.24.5/arch/x86/oprofile/op_model_p4.c 2008-03-24 14:49:18.000000000 -0400
49698 ++++ linux-2.6.24.5/arch/x86/oprofile/op_model_p4.c 2008-03-26 20:21:08.000000000 -0400
49699 +@@ -47,7 +47,7 @@ static inline void setup_num_counters(vo
49700 + #endif
49701 + }
49702 +
49703 +-static int inline addr_increment(void)
49704 ++static inline int addr_increment(void)
49705 + {
49706 + #ifdef CONFIG_SMP
49707 + return smp_num_siblings == 2 ? 2 : 1;
49708 +diff -urNp linux-2.6.24.5/arch/x86/pci/common.c linux-2.6.24.5/arch/x86/pci/common.c
49709 +--- linux-2.6.24.5/arch/x86/pci/common.c 2008-03-24 14:49:18.000000000 -0400
49710 ++++ linux-2.6.24.5/arch/x86/pci/common.c 2008-03-26 20:21:08.000000000 -0400
49711 +@@ -331,7 +331,7 @@ static struct dmi_system_id __devinitdat
49712 + DMI_MATCH(DMI_PRODUCT_NAME, "ProLiant DL585 G2"),
49713 + },
49714 + },
49715 +- {}
49716 ++ { NULL, NULL, {DMI_MATCH(DMI_NONE, NULL)}, NULL}
49717 + };
49718 +
49719 + struct pci_bus * __devinit pcibios_scan_root(int busnum)
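Review bot: the expanded terminator `{ NULL, NULL, {DMI_MATCH(DMI_NONE, NULL)}, NULL}` is behaviour-preserving: dmi_check_system() stops at the first entry whose .ident is NULL, which both the old `{}` and the new form satisfy, and DMI_NONE is the zero value the empty initializer produced anyway. The only effect is to silence -Wmissing-field-initializers. The same substitution recurs in fixup.c, irq.c, processor_idle.c, sleep/main.c and ata_piix.c in this patch, so one line in the patch description saying "DMI/PCI sentinel initializers made explicit, no functional change" would save reviewers checking each occurrence.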
49720 +diff -urNp linux-2.6.24.5/arch/x86/pci/early.c linux-2.6.24.5/arch/x86/pci/early.c
49721 +--- linux-2.6.24.5/arch/x86/pci/early.c 2008-03-24 14:49:18.000000000 -0400
49722 ++++ linux-2.6.24.5/arch/x86/pci/early.c 2008-03-26 20:21:08.000000000 -0400
49723 +@@ -7,7 +7,7 @@
49724 + /* Direct PCI access. This is used for PCI accesses in early boot before
49725 + the PCI subsystem works. */
49726 +
49727 +-#define PDprintk(x...)
49728 ++#define PDprintk(x...) do {} while (0)
49729 +
49730 + u32 read_pci_config(u8 bus, u8 slot, u8 func, u8 offset)
49731 + {
49732 +diff -urNp linux-2.6.24.5/arch/x86/pci/fixup.c linux-2.6.24.5/arch/x86/pci/fixup.c
49733 +--- linux-2.6.24.5/arch/x86/pci/fixup.c 2008-03-24 14:49:18.000000000 -0400
49734 ++++ linux-2.6.24.5/arch/x86/pci/fixup.c 2008-03-26 20:21:08.000000000 -0400
49735 +@@ -362,7 +362,7 @@ static struct dmi_system_id __devinitdat
49736 + DMI_MATCH(DMI_PRODUCT_NAME, "MS-6702E"),
49737 + },
49738 + },
49739 +- {}
49740 ++ { NULL, NULL, {DMI_MATCH(DMI_NONE, NULL)}, NULL }
49741 + };
49742 +
49743 + /*
49744 +@@ -433,7 +433,7 @@ static struct dmi_system_id __devinitdat
49745 + DMI_MATCH(DMI_PRODUCT_VERSION, "PSA40U"),
49746 + },
49747 + },
49748 +- { }
49749 ++ { NULL, NULL, {DMI_MATCH(DMI_NONE, NULL)}, NULL }
49750 + };
49751 +
49752 + static void __devinit pci_pre_fixup_toshiba_ohci1394(struct pci_dev *dev)
49753 +diff -urNp linux-2.6.24.5/arch/x86/pci/irq.c linux-2.6.24.5/arch/x86/pci/irq.c
49754 +--- linux-2.6.24.5/arch/x86/pci/irq.c 2008-03-24 14:49:18.000000000 -0400
49755 ++++ linux-2.6.24.5/arch/x86/pci/irq.c 2008-03-26 20:21:08.000000000 -0400
49756 +@@ -528,7 +528,7 @@ static __init int intel_router_probe(str
49757 + static struct pci_device_id __initdata pirq_440gx[] = {
49758 + { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_82443GX_0) },
49759 + { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_82443GX_2) },
49760 +- { },
49761 ++ { PCI_DEVICE(0, 0) }
49762 + };
49763 +
49764 + /* 440GX has a proprietary PIRQ router -- don't use it */
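Review bot: `{ PCI_DEVICE(0, 0) }` is not an equivalent replacement for the empty `{ }` terminator of pirq_440gx. PCI_DEVICE() sets .subvendor and .subdevice to PCI_ANY_ID, and pci_dev_present(), which consumes this table, keeps iterating while `vendor || subvendor || class_mask` is non-zero, so the sentinel is no longer recognised and the walk continues past the end of the array. Use an all-zero initializer instead, as the ahci.c and ata_piix.c hunks in this same patch do (`{ 0, 0, 0, 0, 0, 0, 0 }`).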
49765 +@@ -1090,7 +1090,7 @@ static struct dmi_system_id __initdata p
49766 + DMI_MATCH(DMI_PRODUCT_NAME, "TravelMate 360"),
49767 + },
49768 + },
49769 +- { }
49770 ++ { NULL, NULL, {DMI_MATCH(DMI_NONE, NULL)}, NULL }
49771 + };
49772 +
49773 + static int __init pcibios_irq_init(void)
49774 +diff -urNp linux-2.6.24.5/arch/x86/pci/pcbios.c linux-2.6.24.5/arch/x86/pci/pcbios.c
49775 +--- linux-2.6.24.5/arch/x86/pci/pcbios.c 2008-03-24 14:49:18.000000000 -0400
49776 ++++ linux-2.6.24.5/arch/x86/pci/pcbios.c 2008-03-26 20:21:08.000000000 -0400
49777 +@@ -57,50 +57,124 @@ union bios32 {
49778 + static struct {
49779 + unsigned long address;
49780 + unsigned short segment;
49781 +-} bios32_indirect = { 0, __KERNEL_CS };
49782 ++} bios32_indirect __read_only = { 0, __PCIBIOS_CS };
49783 +
49784 + /*
49785 + * Returns the entry point for the given service, NULL on error
49786 + */
49787 +
49788 +-static unsigned long bios32_service(unsigned long service)
49789 ++static unsigned long __devinit bios32_service(unsigned long service)
49790 + {
49791 + unsigned char return_code; /* %al */
49792 + unsigned long address; /* %ebx */
49793 + unsigned long length; /* %ecx */
49794 + unsigned long entry; /* %edx */
49795 + unsigned long flags;
49796 ++ struct desc_struct *gdt;
49797 ++
49798 ++#ifdef CONFIG_PAX_KERNEXEC
49799 ++ unsigned long cr0;
49800 ++#endif
49801 +
49802 + local_irq_save(flags);
49803 +- __asm__("lcall *(%%edi); cld"
49804 ++
49805 ++ gdt = get_cpu_gdt_table(smp_processor_id());
49806 ++
49807 ++#ifdef CONFIG_PAX_KERNEXEC
49808 ++ pax_open_kernel(cr0);
49809 ++#endif
49810 ++
49811 ++ pack_descriptor((__u32 *)&gdt[GDT_ENTRY_PCIBIOS_CS].a,
49812 ++ (__u32 *)&gdt[GDT_ENTRY_PCIBIOS_CS].b,
49813 ++ 0UL, 0xFFFFFUL, 0x9B, 0xC);
49814 ++ pack_descriptor((__u32 *)&gdt[GDT_ENTRY_PCIBIOS_DS].a,
49815 ++ (__u32 *)&gdt[GDT_ENTRY_PCIBIOS_DS].b,
49816 ++ 0UL, 0xFFFFFUL, 0x93, 0xC);
49817 ++
49818 ++#ifdef CONFIG_PAX_KERNEXEC
49819 ++ pax_close_kernel(cr0);
49820 ++#endif
49821 ++
49822 ++ __asm__("movw %w7, %%ds; lcall *(%%edi); push %%ss; pop %%ds; cld"
49823 + : "=a" (return_code),
49824 + "=b" (address),
49825 + "=c" (length),
49826 + "=d" (entry)
49827 + : "0" (service),
49828 + "1" (0),
49829 +- "D" (&bios32_indirect));
49830 ++ "D" (&bios32_indirect),
49831 ++ "r"(__PCIBIOS_DS)
49832 ++ : "memory");
49833 ++
49834 ++#ifdef CONFIG_PAX_KERNEXEC
49835 ++ pax_open_kernel(cr0);
49836 ++#endif
49837 ++
49838 ++ gdt[GDT_ENTRY_PCIBIOS_CS].a = 0;
49839 ++ gdt[GDT_ENTRY_PCIBIOS_CS].b = 0;
49840 ++ gdt[GDT_ENTRY_PCIBIOS_DS].a = 0;
49841 ++ gdt[GDT_ENTRY_PCIBIOS_DS].b = 0;
49842 ++
49843 ++#ifdef CONFIG_PAX_KERNEXEC
49844 ++ pax_close_kernel(cr0);
49845 ++#endif
49846 ++
49847 + local_irq_restore(flags);
49848 +
49849 + switch (return_code) {
49850 +- case 0:
49851 +- return address + entry;
49852 +- case 0x80: /* Not present */
49853 +- printk(KERN_WARNING "bios32_service(0x%lx): not present\n", service);
49854 +- return 0;
49855 +- default: /* Shouldn't happen */
49856 +- printk(KERN_WARNING "bios32_service(0x%lx): returned 0x%x -- BIOS bug!\n",
49857 +- service, return_code);
49858 ++ case 0: {
49859 ++ int cpu;
49860 ++ unsigned char flags;
49861 ++
49862 ++ printk(KERN_INFO "bios32_service: base:%08lx length:%08lx entry:%08lx\n", address, length, entry);
49863 ++ if (address >= 0xFFFF0 || length >= 0xFFFF0 - address || length <= entry) {
49864 ++ printk(KERN_WARNING "bios32_service: not valid\n");
49865 + return 0;
49866 ++ }
49867 ++ address = address + PAGE_OFFSET;
49868 ++ length += 16UL; /* some BIOSs underreport this... */
49869 ++ flags = 4;
49870 ++ if (length >= 64*1024*1024) {
49871 ++ length >>= PAGE_SHIFT;
49872 ++ flags |= 8;
49873 ++ }
49874 ++
49875 ++#ifdef CONFIG_PAX_KERNEXEC
49876 ++ pax_open_kernel(cr0);
49877 ++#endif
49878 ++
49879 ++ for (cpu = 0; cpu < NR_CPUS; cpu++) {
49880 ++ gdt = get_cpu_gdt_table(cpu);
49881 ++ pack_descriptor((__u32 *)&gdt[GDT_ENTRY_PCIBIOS_CS].a,
49882 ++ (__u32 *)&gdt[GDT_ENTRY_PCIBIOS_CS].b,
49883 ++ address, length, 0x9b, flags);
49884 ++ pack_descriptor((__u32 *)&gdt[GDT_ENTRY_PCIBIOS_DS].a,
49885 ++ (__u32 *)&gdt[GDT_ENTRY_PCIBIOS_DS].b,
49886 ++ address, length, 0x93, flags);
49887 ++ }
49888 ++
49889 ++#ifdef CONFIG_PAX_KERNEXEC
49890 ++ pax_close_kernel(cr0);
49891 ++#endif
49892 ++
49893 ++ return entry;
49894 ++ }
49895 ++ case 0x80: /* Not present */
49896 ++ printk(KERN_WARNING "bios32_service(0x%lx): not present\n", service);
49897 ++ return 0;
49898 ++ default: /* Shouldn't happen */
49899 ++ printk(KERN_WARNING "bios32_service(0x%lx): returned 0x%x -- BIOS bug!\n",
49900 ++ service, return_code);
49901 ++ return 0;
49902 + }
49903 + }
49904 +
49905 + static struct {
49906 + unsigned long address;
49907 + unsigned short segment;
49908 +-} pci_indirect = { 0, __KERNEL_CS };
49909 ++} pci_indirect __read_only = { 0, __PCIBIOS_CS };
49910 +
49911 +-static int pci_bios_present;
49912 ++static int pci_bios_present __read_only;
49913 +
49914 + static int __devinit check_pcibios(void)
49915 + {
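Review bot: three points in bios32_service(). First, the `unsigned char flags` declared inside `case 0:` shadows the outer `unsigned long flags` used by local_irq_save()/local_irq_restore(); it is harmless only because the restore happens before the switch, so rename it (for example `desc_flags`) before someone moves the restore and silently picks up the wrong variable. Second, the BIOS32 directory call still uses `lcall *(%%edi)` after `movw %w7, %%ds`; that works only because the temporary __PCIBIOS_DS descriptor packed just above it is flat (base 0, limit 0xFFFFF, 4K granularity), whereas every later call site in this patch uses `lcall *%%ss:(%%edi)`. Using the same %%ss override here removes the dependency on that detail. Third, `for (cpu = 0; cpu < NR_CPUS; cpu++)` writes the PCIBIOS descriptors into the GDT of every CPU slot, not just the possible ones; for_each_possible_cpu() is the usual idiom and avoids touching per-cpu areas that were never set up.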
49916 +@@ -109,11 +183,13 @@ static int __devinit check_pcibios(void)
49917 + unsigned long flags, pcibios_entry;
49918 +
49919 + if ((pcibios_entry = bios32_service(PCI_SERVICE))) {
49920 +- pci_indirect.address = pcibios_entry + PAGE_OFFSET;
49921 ++ pci_indirect.address = pcibios_entry;
49922 +
49923 + local_irq_save(flags);
49924 +- __asm__(
49925 +- "lcall *(%%edi); cld\n\t"
49926 ++ __asm__("movw %w6, %%ds\n\t"
49927 ++ "lcall *%%ss:(%%edi); cld\n\t"
49928 ++ "push %%ss\n\t"
49929 ++ "pop %%ds\n\t"
49930 + "jc 1f\n\t"
49931 + "xor %%ah, %%ah\n"
49932 + "1:"
49933 +@@ -122,7 +198,8 @@ static int __devinit check_pcibios(void)
49934 + "=b" (ebx),
49935 + "=c" (ecx)
49936 + : "1" (PCIBIOS_PCI_BIOS_PRESENT),
49937 +- "D" (&pci_indirect)
49938 ++ "D" (&pci_indirect),
49939 ++ "r" (__PCIBIOS_DS)
49940 + : "memory");
49941 + local_irq_restore(flags);
49942 +
49943 +@@ -158,7 +235,10 @@ static int __devinit pci_bios_find_devic
49944 + unsigned short bx;
49945 + unsigned short ret;
49946 +
49947 +- __asm__("lcall *(%%edi); cld\n\t"
49948 ++ __asm__("movw %w7, %%ds\n\t"
49949 ++ "lcall *%%ss:(%%edi); cld\n\t"
49950 ++ "push %%ss\n\t"
49951 ++ "pop %%ds\n\t"
49952 + "jc 1f\n\t"
49953 + "xor %%ah, %%ah\n"
49954 + "1:"
49955 +@@ -168,7 +248,8 @@ static int __devinit pci_bios_find_devic
49956 + "c" (device_id),
49957 + "d" (vendor),
49958 + "S" ((int) index),
49959 +- "D" (&pci_indirect));
49960 ++ "D" (&pci_indirect),
49961 ++ "r" (__PCIBIOS_DS));
49962 + *bus = (bx >> 8) & 0xff;
49963 + *device_fn = bx & 0xff;
49964 + return (int) (ret & 0xff00) >> 8;
49965 +@@ -188,7 +269,10 @@ static int pci_bios_read(unsigned int se
49966 +
49967 + switch (len) {
49968 + case 1:
49969 +- __asm__("lcall *(%%esi); cld\n\t"
49970 ++ __asm__("movw %w6, %%ds\n\t"
49971 ++ "lcall *%%ss:(%%esi); cld\n\t"
49972 ++ "push %%ss\n\t"
49973 ++ "pop %%ds\n\t"
49974 + "jc 1f\n\t"
49975 + "xor %%ah, %%ah\n"
49976 + "1:"
49977 +@@ -197,10 +281,14 @@ static int pci_bios_read(unsigned int se
49978 + : "1" (PCIBIOS_READ_CONFIG_BYTE),
49979 + "b" (bx),
49980 + "D" ((long)reg),
49981 +- "S" (&pci_indirect));
49982 ++ "S" (&pci_indirect),
49983 ++ "r" (__PCIBIOS_DS));
49984 + break;
49985 + case 2:
49986 +- __asm__("lcall *(%%esi); cld\n\t"
49987 ++ __asm__("movw %w6, %%ds\n\t"
49988 ++ "lcall *%%ss:(%%esi); cld\n\t"
49989 ++ "push %%ss\n\t"
49990 ++ "pop %%ds\n\t"
49991 + "jc 1f\n\t"
49992 + "xor %%ah, %%ah\n"
49993 + "1:"
49994 +@@ -209,10 +297,14 @@ static int pci_bios_read(unsigned int se
49995 + : "1" (PCIBIOS_READ_CONFIG_WORD),
49996 + "b" (bx),
49997 + "D" ((long)reg),
49998 +- "S" (&pci_indirect));
49999 ++ "S" (&pci_indirect),
50000 ++ "r" (__PCIBIOS_DS));
50001 + break;
50002 + case 4:
50003 +- __asm__("lcall *(%%esi); cld\n\t"
50004 ++ __asm__("movw %w6, %%ds\n\t"
50005 ++ "lcall *%%ss:(%%esi); cld\n\t"
50006 ++ "push %%ss\n\t"
50007 ++ "pop %%ds\n\t"
50008 + "jc 1f\n\t"
50009 + "xor %%ah, %%ah\n"
50010 + "1:"
50011 +@@ -221,7 +313,8 @@ static int pci_bios_read(unsigned int se
50012 + : "1" (PCIBIOS_READ_CONFIG_DWORD),
50013 + "b" (bx),
50014 + "D" ((long)reg),
50015 +- "S" (&pci_indirect));
50016 ++ "S" (&pci_indirect),
50017 ++ "r" (__PCIBIOS_DS));
50018 + break;
50019 + }
50020 +
50021 +@@ -244,7 +337,10 @@ static int pci_bios_write(unsigned int s
50022 +
50023 + switch (len) {
50024 + case 1:
50025 +- __asm__("lcall *(%%esi); cld\n\t"
50026 ++ __asm__("movw %w6, %%ds\n\t"
50027 ++ "lcall *%%ss:(%%esi); cld\n\t"
50028 ++ "push %%ss\n\t"
50029 ++ "pop %%ds\n\t"
50030 + "jc 1f\n\t"
50031 + "xor %%ah, %%ah\n"
50032 + "1:"
50033 +@@ -253,10 +349,14 @@ static int pci_bios_write(unsigned int s
50034 + "c" (value),
50035 + "b" (bx),
50036 + "D" ((long)reg),
50037 +- "S" (&pci_indirect));
50038 ++ "S" (&pci_indirect),
50039 ++ "r" (__PCIBIOS_DS));
50040 + break;
50041 + case 2:
50042 +- __asm__("lcall *(%%esi); cld\n\t"
50043 ++ __asm__("movw %w6, %%ds\n\t"
50044 ++ "lcall *%%ss:(%%esi); cld\n\t"
50045 ++ "push %%ss\n\t"
50046 ++ "pop %%ds\n\t"
50047 + "jc 1f\n\t"
50048 + "xor %%ah, %%ah\n"
50049 + "1:"
50050 +@@ -265,10 +365,14 @@ static int pci_bios_write(unsigned int s
50051 + "c" (value),
50052 + "b" (bx),
50053 + "D" ((long)reg),
50054 +- "S" (&pci_indirect));
50055 ++ "S" (&pci_indirect),
50056 ++ "r" (__PCIBIOS_DS));
50057 + break;
50058 + case 4:
50059 +- __asm__("lcall *(%%esi); cld\n\t"
50060 ++ __asm__("movw %w6, %%ds\n\t"
50061 ++ "lcall *%%ss:(%%esi); cld\n\t"
50062 ++ "push %%ss\n\t"
50063 ++ "pop %%ds\n\t"
50064 + "jc 1f\n\t"
50065 + "xor %%ah, %%ah\n"
50066 + "1:"
50067 +@@ -277,7 +381,8 @@ static int pci_bios_write(unsigned int s
50068 + "c" (value),
50069 + "b" (bx),
50070 + "D" ((long)reg),
50071 +- "S" (&pci_indirect));
50072 ++ "S" (&pci_indirect),
50073 ++ "r" (__PCIBIOS_DS));
50074 + break;
50075 + }
50076 +
50077 +@@ -430,10 +535,13 @@ struct irq_routing_table * pcibios_get_i
50078 +
50079 + DBG("PCI: Fetching IRQ routing table... ");
50080 + __asm__("push %%es\n\t"
50081 ++ "movw %w8, %%ds\n\t"
50082 + "push %%ds\n\t"
50083 + "pop %%es\n\t"
50084 +- "lcall *(%%esi); cld\n\t"
50085 ++ "lcall *%%ss:(%%esi); cld\n\t"
50086 + "pop %%es\n\t"
50087 ++ "push %%ss\n\t"
50088 ++ "pop %%ds\n"
50089 + "jc 1f\n\t"
50090 + "xor %%ah, %%ah\n"
50091 + "1:"
50092 +@@ -444,7 +552,8 @@ struct irq_routing_table * pcibios_get_i
50093 + "1" (0),
50094 + "D" ((long) &opt),
50095 + "S" (&pci_indirect),
50096 +- "m" (opt)
50097 ++ "m" (opt),
50098 ++ "r" (__PCIBIOS_DS)
50099 + : "memory");
50100 + DBG("OK ret=%d, size=%d, map=%x\n", ret, opt.size, map);
50101 + if (ret & 0xff00)
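Review bot: please confirm this path was exercised on a machine that actually uses the BIOS IRQ routing table. After `movw %w8, %%ds; push %%ds; pop %%es`, %es carries the __PCIBIOS_DS base and limit that bios32_service() installed (base = BIOS address + PAGE_OFFSET, limit = the reported length), but `"D" ((long) &opt)` still passes the linear address of `opt`, and the BIOS reads the routing-options structure through %es:%edi. Unless that descriptor happens to cover the kernel stack, the BIOS access would trip the segment limit. If the intent is for %es to stay a flat kernel segment, load it from %ss rather than from the freshly switched %ds.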
50102 +@@ -468,7 +577,10 @@ int pcibios_set_irq_routing(struct pci_d
50103 + {
50104 + int ret;
50105 +
50106 +- __asm__("lcall *(%%esi); cld\n\t"
50107 ++ __asm__("movw %w5, %%ds\n\t"
50108 ++ "lcall *%%ss:(%%esi); cld\n\t"
50109 ++ "push %%ss\n\t"
50110 ++ "pop %%ds\n"
50111 + "jc 1f\n\t"
50112 + "xor %%ah, %%ah\n"
50113 + "1:"
50114 +@@ -476,7 +588,8 @@ int pcibios_set_irq_routing(struct pci_d
50115 + : "0" (PCIBIOS_SET_PCI_HW_INT),
50116 + "b" ((dev->bus->number << 8) | dev->devfn),
50117 + "c" ((irq << 8) | (pin + 10)),
50118 +- "S" (&pci_indirect));
50119 ++ "S" (&pci_indirect),
50120 ++ "r" (__PCIBIOS_DS));
50121 + return !(ret & 0xff00);
50122 + }
50123 + EXPORT_SYMBOL(pcibios_set_irq_routing);
50124 +diff -urNp linux-2.6.24.5/arch/x86/power/cpu.c linux-2.6.24.5/arch/x86/power/cpu.c
50125 +--- linux-2.6.24.5/arch/x86/power/cpu.c 2008-03-24 14:49:18.000000000 -0400
50126 ++++ linux-2.6.24.5/arch/x86/power/cpu.c 2008-03-26 20:21:08.000000000 -0400
50127 +@@ -64,10 +64,20 @@ static void do_fpu_end(void)
50128 + static void fix_processor_context(void)
50129 + {
50130 + int cpu = smp_processor_id();
50131 +- struct tss_struct * t = &per_cpu(init_tss, cpu);
50132 ++ struct tss_struct *t = init_tss + cpu;
50133 ++
50134 ++#ifdef CONFIG_PAX_KERNEXEC
50135 ++ unsigned long cr0;
50136 ++
50137 ++ pax_open_kernel(cr0);
50138 ++#endif
50139 +
50140 + set_tss_desc(cpu,t); /* This just modifies memory; should not be necessary. But... This is necessary, because 386 hardware has concept of busy TSS or some similar stupidity. */
50141 +
50142 ++#ifdef CONFIG_PAX_KERNEXEC
50143 ++ pax_close_kernel(cr0);
50144 ++#endif
50145 ++
50146 + load_TR_desc(); /* This does ltr */
50147 + load_LDT(&current->active_mm->context); /* This does lldt */
50148 +
50149 +diff -urNp linux-2.6.24.5/arch/x86/vdso/vma.c linux-2.6.24.5/arch/x86/vdso/vma.c
50150 +--- linux-2.6.24.5/arch/x86/vdso/vma.c 2008-03-24 14:49:18.000000000 -0400
50151 ++++ linux-2.6.24.5/arch/x86/vdso/vma.c 2008-03-26 20:21:08.000000000 -0400
50152 +@@ -126,7 +126,7 @@ int arch_setup_additional_pages(struct l
50153 + if (ret)
50154 + goto up_fail;
50155 +
50156 +- current->mm->context.vdso = (void *)addr;
50157 ++ current->mm->context.vdso = addr;
50158 + up_fail:
50159 + up_write(&mm->mmap_sem);
50160 + return ret;
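Review bot: dropping the `(void *)` cast in `current->mm->context.vdso = addr;` only compiles if mm_context_t.vdso has been changed to an integer type in the matching header, which is not part of this hunk. Make sure that header change lands in the same patch so the tree never passes through a non-building intermediate state.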
50161 +diff -urNp linux-2.6.24.5/arch/x86/xen/enlighten.c linux-2.6.24.5/arch/x86/xen/enlighten.c
50162 +--- linux-2.6.24.5/arch/x86/xen/enlighten.c 2008-04-17 20:05:17.000000000 -0400
50163 ++++ linux-2.6.24.5/arch/x86/xen/enlighten.c 2008-04-17 20:05:01.000000000 -0400
50164 +@@ -300,7 +300,7 @@ static void xen_set_ldt(const void *addr
50165 + static void xen_load_gdt(const struct Xgt_desc_struct *dtr)
50166 + {
50167 + unsigned long *frames;
50168 +- unsigned long va = dtr->address;
50169 ++ unsigned long va = (unsigned long)dtr->address;
50170 + unsigned int size = dtr->size + 1;
50171 + unsigned pages = (size + PAGE_SIZE - 1) / PAGE_SIZE;
50172 + int f;
50173 +@@ -315,7 +315,7 @@ static void xen_load_gdt(const struct Xg
50174 + mcs = xen_mc_entry(sizeof(*frames) * pages);
50175 + frames = mcs.args;
50176 +
50177 +- for (f = 0; va < dtr->address + size; va += PAGE_SIZE, f++) {
50178 ++ for (f = 0; va < (unsigned long)dtr->address + size; va += PAGE_SIZE, f++) {
50179 + frames[f] = virt_to_mfn(va);
50180 + make_lowmem_page_readonly((void *)va);
50181 + }
50182 +@@ -409,7 +409,7 @@ static void xen_write_idt_entry(struct d
50183 +
50184 + preempt_disable();
50185 +
50186 +- start = __get_cpu_var(idt_desc).address;
50187 ++ start = (unsigned long)__get_cpu_var(idt_desc).address;
50188 + end = start + __get_cpu_var(idt_desc).size + 1;
50189 +
50190 + xen_mc_flush();
50191 +diff -urNp linux-2.6.24.5/arch/x86/xen/smp.c linux-2.6.24.5/arch/x86/xen/smp.c
50192 +--- linux-2.6.24.5/arch/x86/xen/smp.c 2008-03-24 14:49:18.000000000 -0400
50193 ++++ linux-2.6.24.5/arch/x86/xen/smp.c 2008-03-26 20:21:08.000000000 -0400
50194 +@@ -144,7 +144,7 @@ void __init xen_smp_prepare_boot_cpu(voi
50195 +
50196 + /* We've switched to the "real" per-cpu gdt, so make sure the
50197 + old memory can be recycled */
50198 +- make_lowmem_page_readwrite(&per_cpu__gdt_page);
50199 ++ make_lowmem_page_readwrite(get_cpu_gdt_table(smp_processor_id()));
50200 +
50201 + for (cpu = 0; cpu < NR_CPUS; cpu++) {
50202 + cpus_clear(per_cpu(cpu_sibling_map, cpu));
50203 +@@ -208,7 +208,7 @@ static __cpuinit int
50204 + cpu_initialize_context(unsigned int cpu, struct task_struct *idle)
50205 + {
50206 + struct vcpu_guest_context *ctxt;
50207 +- struct gdt_page *gdt = &per_cpu(gdt_page, cpu);
50208 ++ struct desc_struct *gdt = get_cpu_gdt_table(cpu);
50209 +
50210 + if (cpu_test_and_set(cpu, cpu_initialized_map))
50211 + return 0;
50212 +@@ -218,8 +218,8 @@ cpu_initialize_context(unsigned int cpu,
50213 + return -ENOMEM;
50214 +
50215 + ctxt->flags = VGCF_IN_KERNEL;
50216 +- ctxt->user_regs.ds = __USER_DS;
50217 +- ctxt->user_regs.es = __USER_DS;
50218 ++ ctxt->user_regs.ds = __KERNEL_DS;
50219 ++ ctxt->user_regs.es = __KERNEL_DS;
50220 + ctxt->user_regs.fs = __KERNEL_PERCPU;
50221 + ctxt->user_regs.gs = 0;
50222 + ctxt->user_regs.ss = __KERNEL_DS;
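Review bot: the switch of the initial ds/es for a freshly started vCPU from __USER_DS to __KERNEL_DS is not explained. If the reason is that this patchset redefines __USER_DS as a restricted user-space segment, say so in a comment next to the assignment: the upstream value differs deliberately, and without a note the next merge will reintroduce the conflict silently.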
50223 +@@ -232,11 +232,11 @@ cpu_initialize_context(unsigned int cpu,
50224 +
50225 + ctxt->ldt_ents = 0;
50226 +
50227 +- BUG_ON((unsigned long)gdt->gdt & ~PAGE_MASK);
50228 +- make_lowmem_page_readonly(gdt->gdt);
50229 ++ BUG_ON((unsigned long)gdt & ~PAGE_MASK);
50230 ++ make_lowmem_page_readonly(gdt);
50231 +
50232 +- ctxt->gdt_frames[0] = virt_to_mfn(gdt->gdt);
50233 +- ctxt->gdt_ents = ARRAY_SIZE(gdt->gdt);
50234 ++ ctxt->gdt_frames[0] = virt_to_mfn(gdt);
50235 ++ ctxt->gdt_ents = GDT_ENTRIES;
50236 +
50237 + ctxt->user_regs.cs = __KERNEL_CS;
50238 + ctxt->user_regs.esp = idle->thread.esp0 - sizeof(struct pt_regs);
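Review bot: `ctxt->gdt_ents = GDT_ENTRIES` replaces ARRAY_SIZE(gdt->gdt), so it is correct only as long as get_cpu_gdt_table() returns a table of exactly GDT_ENTRIES descriptors. The retained `BUG_ON((unsigned long)gdt & ~PAGE_MASK)` still guards page alignment, but nothing now ties the entry count handed to the hypervisor to the real array size; a BUILD_BUG_ON against the per-cpu GDT type, or at least a comment, would keep the two in step.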
50239 +diff -urNp linux-2.6.24.5/crypto/async_tx/async_tx.c linux-2.6.24.5/crypto/async_tx/async_tx.c
50240 +--- linux-2.6.24.5/crypto/async_tx/async_tx.c 2008-03-24 14:49:18.000000000 -0400
50241 ++++ linux-2.6.24.5/crypto/async_tx/async_tx.c 2008-03-26 20:21:08.000000000 -0400
50242 +@@ -342,8 +342,8 @@ async_tx_init(void)
50243 + err:
50244 + printk(KERN_ERR "async_tx: initialization failure\n");
50245 +
50246 +- while (--cap >= 0)
50247 +- free_percpu(channel_table[cap]);
50248 ++ while (cap)
50249 ++ free_percpu(channel_table[--cap]);
50250 +
50251 + return 1;
50252 + }
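Review bot: the rewrite `while (cap) free_percpu(channel_table[--cap]);` fixes a real problem if `cap` has an unsigned type, which is what GCC gives an enum with only non-negative values: `--cap >= 0` would never become false and the loop would wrap below zero. For a signed `cap` the new form releases the same entries in the same order, so it is safe either way. Mention the unsigned-wrap motivation in the changelog so the change is not mistaken for a style edit and reverted.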
50253 +diff -urNp linux-2.6.24.5/crypto/lrw.c linux-2.6.24.5/crypto/lrw.c
50254 +--- linux-2.6.24.5/crypto/lrw.c 2008-03-24 14:49:18.000000000 -0400
50255 ++++ linux-2.6.24.5/crypto/lrw.c 2008-03-26 20:21:08.000000000 -0400
50256 +@@ -54,7 +54,7 @@ static int setkey(struct crypto_tfm *par
50257 + struct priv *ctx = crypto_tfm_ctx(parent);
50258 + struct crypto_cipher *child = ctx->child;
50259 + int err, i;
50260 +- be128 tmp = { 0 };
50261 ++ be128 tmp = { 0, 0 };
50262 + int bsize = crypto_cipher_blocksize(child);
50263 +
50264 + crypto_cipher_clear_flags(child, CRYPTO_TFM_REQ_MASK);
50265 +diff -urNp linux-2.6.24.5/Documentation/dontdiff linux-2.6.24.5/Documentation/dontdiff
50266 +--- linux-2.6.24.5/Documentation/dontdiff 2008-03-24 14:49:18.000000000 -0400
50267 ++++ linux-2.6.24.5/Documentation/dontdiff 2008-03-26 20:21:08.000000000 -0400
50268 +@@ -3,6 +3,7 @@
50269 + *.bin
50270 + *.cpio
50271 + *.css
50272 ++*.dbg
50273 + *.dvi
50274 + *.eps
50275 + *.gif
50276 +@@ -183,11 +184,14 @@ version.h*
50277 + vmlinux
50278 + vmlinux-*
50279 + vmlinux.aout
50280 +-vmlinux*.lds*
50281 ++vmlinux.bin.all
50282 ++vmlinux*.lds
50283 ++vmlinux.relocs
50284 + vmlinux*.scr
50285 +-vsyscall.lds
50286 ++vsyscall*.lds
50287 + wanxlfw.inc
50288 + uImage
50289 + unifdef
50290 ++utsrelease.h
50291 + zImage*
50292 + zconf.hash.c
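Review bot: narrowing `vmlinux*.lds*` to `vmlinux*.lds` widens what `diff -X Documentation/dontdiff` will include: the generated linker script is still excluded, but `vmlinux.lds.S` sources now show up in diffs, which matters if the patchset itself modifies those files. The `vsyscall.lds` to `vsyscall*.lds` change likewise covers the per-arch variants of that generated script. Worth a line in the changelog so the pattern change is not treated as accidental.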
50293 +diff -urNp linux-2.6.24.5/drivers/acpi/blacklist.c linux-2.6.24.5/drivers/acpi/blacklist.c
50294 +--- linux-2.6.24.5/drivers/acpi/blacklist.c 2008-03-24 14:49:18.000000000 -0400
50295 ++++ linux-2.6.24.5/drivers/acpi/blacklist.c 2008-03-26 20:21:08.000000000 -0400
50296 +@@ -73,7 +73,7 @@ static struct acpi_blacklist_item acpi_b
50297 + {"ASUS\0\0", "P2B-S ", 0, ACPI_SIG_DSDT, all_versions,
50298 + "Bogus PCI routing", 1},
50299 +
50300 +- {""}
50301 ++ {"", "", 0, 0, 0, all_versions, 0}
50302 + };
50303 +
50304 + #if CONFIG_ACPI_BLACKLIST_YEAR
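Review bot: the new terminator `{"", "", 0, 0, 0, all_versions, 0}` has its initializers shifted by one field. Compare the entry above it: position four is the table signature (ACPI_SIG_DSDT), position five the predicate (all_versions) and position six the reason string. In the terminator `all_versions` lands in the `char *reason` slot, and it compiles only because all_versions is 0 and therefore a null pointer constant. Use `{"", "", 0, NULL, all_versions, NULL, 0}` so each field receives the value that was intended.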
50305 +diff -urNp linux-2.6.24.5/drivers/acpi/osl.c linux-2.6.24.5/drivers/acpi/osl.c
50306 +--- linux-2.6.24.5/drivers/acpi/osl.c 2008-03-24 14:49:18.000000000 -0400
50307 ++++ linux-2.6.24.5/drivers/acpi/osl.c 2008-03-26 20:21:08.000000000 -0400
50308 +@@ -470,6 +470,8 @@ acpi_os_read_memory(acpi_physical_addres
50309 + void __iomem *virt_addr;
50310 +
50311 + virt_addr = ioremap(phys_addr, width);
50312 ++ if (!virt_addr)
50313 ++ return AE_NO_MEMORY;
50314 + if (!value)
50315 + value = &dummy;
50316 +
50317 +@@ -498,6 +500,8 @@ acpi_os_write_memory(acpi_physical_addre
50318 + void __iomem *virt_addr;
50319 +
50320 + virt_addr = ioremap(phys_addr, width);
50321 ++ if (!virt_addr)
50322 ++ return AE_NO_MEMORY;
50323 +
50324 + switch (width) {
50325 + case 8:
50326 +@@ -520,7 +524,7 @@ acpi_os_write_memory(acpi_physical_addre
50327 +
50328 + acpi_status
50329 + acpi_os_read_pci_configuration(struct acpi_pci_id * pci_id, u32 reg,
50330 +- void *value, u32 width)
50331 ++ u32 *value, u32 width)
50332 + {
50333 + int result, size;
50334 +
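Review bot: changing the `value` parameter of acpi_os_read_pci_configuration() from `void *` to `u32 *` also requires the prototype in the ACPI OS-layer header (acpiosxf.h) to change, otherwise callers compiled against the old declaration produce incompatible-pointer warnings and the ACPICA interface is left inconsistent; that header hunk is not visible here, so please confirm it is part of the patch.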
50335 +@@ -592,7 +596,7 @@ static void acpi_os_derive_pci_id_2(acpi
50336 + acpi_status status;
50337 + unsigned long temp;
50338 + acpi_object_type type;
50339 +- u8 tu8;
50340 ++ u32 tu8;
50341 +
50342 + acpi_get_parent(chandle, &handle);
50343 + if (handle != rhandle) {
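Review bot: widening `tu8` to u32 is the right fix, not just a warning cleanup: acpi_os_read_pci_configuration() now takes a `u32 *` (previous hunk) and the underlying PCI config read stores a full 32-bit value through that pointer, so with the old `u8` local the store overwrote three bytes of stack beyond the variable. Rename the local now that it is no longer a u8 (for example `tu32`) so the name and type agree, and call out the stack-overwrite aspect in the changelog.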
50344 +diff -urNp linux-2.6.24.5/drivers/acpi/processor_core.c linux-2.6.24.5/drivers/acpi/processor_core.c
50345 +--- linux-2.6.24.5/drivers/acpi/processor_core.c 2008-04-17 20:05:17.000000000 -0400
50346 ++++ linux-2.6.24.5/drivers/acpi/processor_core.c 2008-04-17 20:05:01.000000000 -0400
50347 +@@ -632,7 +632,7 @@ static int __cpuinit acpi_processor_star
50348 + return 0;
50349 + }
50350 +
50351 +- BUG_ON((pr->id >= nr_cpu_ids) || (pr->id < 0));
50352 ++ BUG_ON(pr->id >= nr_cpu_ids);
50353 +
50354 + /*
50355 + * Buggy BIOS check
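Review bot: dropping `(pr->id < 0)` from the BUG_ON is a no-op only because pr->id is unsigned, in which case the comparison was always false and only generated a compiler warning. If the field is ever made signed the lower-bound check is gone; a short comment on the BUG_ON line documenting the unsigned assumption would prevent that.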
50356 +diff -urNp linux-2.6.24.5/drivers/acpi/processor_idle.c linux-2.6.24.5/drivers/acpi/processor_idle.c
50357 +--- linux-2.6.24.5/drivers/acpi/processor_idle.c 2008-03-24 14:49:18.000000000 -0400
50358 ++++ linux-2.6.24.5/drivers/acpi/processor_idle.c 2008-03-26 20:21:08.000000000 -0400
50359 +@@ -178,7 +178,7 @@ static struct dmi_system_id __cpuinitdat
50360 + DMI_MATCH(DMI_BIOS_VENDOR,"Phoenix Technologies LTD"),
50361 + DMI_MATCH(DMI_BIOS_VERSION,"SHE845M0.86C.0013.D.0302131307")},
50362 + (void *)2},
50363 +- {},
50364 ++ { NULL, NULL, {DMI_MATCH(DMI_NONE, NULL)}, NULL},
50365 + };
50366 +
50367 + static inline u32 ticks_elapsed(u32 t1, u32 t2)
50368 +diff -urNp linux-2.6.24.5/drivers/acpi/sleep/main.c linux-2.6.24.5/drivers/acpi/sleep/main.c
50369 +--- linux-2.6.24.5/drivers/acpi/sleep/main.c 2008-03-24 14:49:18.000000000 -0400
50370 ++++ linux-2.6.24.5/drivers/acpi/sleep/main.c 2008-03-26 20:21:08.000000000 -0400
50371 +@@ -224,7 +224,7 @@ static struct dmi_system_id __initdata a
50372 + .ident = "Toshiba Satellite 4030cdt",
50373 + .matches = {DMI_MATCH(DMI_PRODUCT_NAME, "S4030CDT/4.3"),},
50374 + },
50375 +- {},
50376 ++ { NULL, NULL, {DMI_MATCH(DMI_NONE, NULL)}, NULL},
50377 + };
50378 + #endif /* CONFIG_SUSPEND */
50379 +
50380 +diff -urNp linux-2.6.24.5/drivers/acpi/tables/tbfadt.c linux-2.6.24.5/drivers/acpi/tables/tbfadt.c
50381 +--- linux-2.6.24.5/drivers/acpi/tables/tbfadt.c 2008-03-24 14:49:18.000000000 -0400
50382 ++++ linux-2.6.24.5/drivers/acpi/tables/tbfadt.c 2008-03-26 20:21:08.000000000 -0400
50383 +@@ -48,7 +48,7 @@
50384 + ACPI_MODULE_NAME("tbfadt")
50385 +
50386 + /* Local prototypes */
50387 +-static void inline
50388 ++static inline void
50389 + acpi_tb_init_generic_address(struct acpi_generic_address *generic_address,
50390 + u8 bit_width, u64 address);
50391 +
50392 +@@ -122,7 +122,7 @@ static struct acpi_fadt_info fadt_info_t
50393 + *
50394 + ******************************************************************************/
50395 +
50396 +-static void inline
50397 ++static inline void
50398 + acpi_tb_init_generic_address(struct acpi_generic_address *generic_address,
50399 + u8 bit_width, u64 address)
50400 + {
50401 +diff -urNp linux-2.6.24.5/drivers/acpi/tables/tbxface.c linux-2.6.24.5/drivers/acpi/tables/tbxface.c
50402 +--- linux-2.6.24.5/drivers/acpi/tables/tbxface.c 2008-03-24 14:49:18.000000000 -0400
50403 ++++ linux-2.6.24.5/drivers/acpi/tables/tbxface.c 2008-03-26 20:21:08.000000000 -0400
50404 +@@ -540,7 +540,7 @@ static acpi_status acpi_tb_load_namespac
50405 + acpi_tb_print_table_header(0, table);
50406 +
50407 + if (no_auto_ssdt == 0) {
50408 +- printk(KERN_WARNING "ACPI: DSDT override uses original SSDTs unless \"acpi_no_auto_ssdt\"");
50409 ++ printk(KERN_WARNING "ACPI: DSDT override uses original SSDTs unless \"acpi_no_auto_ssdt\"\n");
50410 + }
50411 + }
50412 +
50413 +diff -urNp linux-2.6.24.5/drivers/ata/ahci.c linux-2.6.24.5/drivers/ata/ahci.c
50414 +--- linux-2.6.24.5/drivers/ata/ahci.c 2008-03-24 14:49:18.000000000 -0400
50415 ++++ linux-2.6.24.5/drivers/ata/ahci.c 2008-03-26 20:21:08.000000000 -0400
50416 +@@ -563,7 +563,7 @@ static const struct pci_device_id ahci_p
50417 + { PCI_ANY_ID, PCI_ANY_ID, PCI_ANY_ID, PCI_ANY_ID,
50418 + PCI_CLASS_STORAGE_SATA_AHCI, 0xffffff, board_ahci },
50419 +
50420 +- { } /* terminate list */
50421 ++ { 0, 0, 0, 0, 0, 0, 0 } /* terminate list */
50422 + };
50423 +
50424 +
50425 +diff -urNp linux-2.6.24.5/drivers/ata/ata_piix.c linux-2.6.24.5/drivers/ata/ata_piix.c
50426 +--- linux-2.6.24.5/drivers/ata/ata_piix.c 2008-03-24 14:49:18.000000000 -0400
50427 ++++ linux-2.6.24.5/drivers/ata/ata_piix.c 2008-03-26 20:21:08.000000000 -0400
50428 +@@ -264,7 +264,7 @@ static const struct pci_device_id piix_p
50429 + /* SATA Controller IDE (Tolapai) */
50430 + { 0x8086, 0x5028, PCI_ANY_ID, PCI_ANY_ID, 0, 0, tolapai_sata_ahci },
50431 +
50432 +- { } /* terminate list */
50433 ++ { 0, 0, 0, 0, 0, 0, 0 } /* terminate list */
50434 + };
50435 +
50436 + static struct pci_driver piix_pci_driver = {
50437 +@@ -701,7 +701,7 @@ static const struct ich_laptop ich_lapto
50438 + { 0x27DF, 0x103C, 0x30A1 }, /* ICH7 on HP Compaq nc2400 */
50439 + { 0x24CA, 0x1025, 0x0061 }, /* ICH4 on ACER Aspire 2023WLMi */
50440 + /* end marker */
50441 +- { 0, }
50442 ++ { 0, 0, 0 }
50443 + };
50444 +
50445 + /**
50446 +@@ -1097,7 +1097,7 @@ static int piix_broken_suspend(void)
50447 + },
50448 + },
50449 +
50450 +- { } /* terminate list */
50451 ++ { NULL, NULL, {DMI_MATCH(DMI_NONE, NULL)}, NULL } /* terminate list */
50452 + };
50453 + static const char *oemstrs[] = {
50454 + "Tecra M3,",
50455 +diff -urNp linux-2.6.24.5/drivers/ata/libata-core.c linux-2.6.24.5/drivers/ata/libata-core.c
50456 +--- linux-2.6.24.5/drivers/ata/libata-core.c 2008-04-17 20:05:17.000000000 -0400
50457 ++++ linux-2.6.24.5/drivers/ata/libata-core.c 2008-04-17 20:05:01.000000000 -0400
50458 +@@ -489,7 +489,7 @@ static const struct ata_xfer_ent {
50459 + { ATA_SHIFT_PIO, ATA_BITS_PIO, XFER_PIO_0 },
50460 + { ATA_SHIFT_MWDMA, ATA_BITS_MWDMA, XFER_MW_DMA_0 },
50461 + { ATA_SHIFT_UDMA, ATA_BITS_UDMA, XFER_UDMA_0 },
50462 +- { -1, },
50463 ++ { -1, 0, 0 },
50464 + };
50465 +
50466 + /**
50467 +@@ -2824,7 +2824,7 @@ static const struct ata_timing ata_timin
50468 +
50469 + /* { XFER_PIO_SLOW, 120, 290, 240, 960, 290, 240, 960, 0 }, */
50470 +
50471 +- { 0xFF }
50472 ++ { 0xFF, 0, 0, 0, 0, 0, 0, 0, 0 }
50473 + };
50474 +
50475 + #define ENOUGH(v, unit) (((v)-1)/(unit)+1)
50476 +@@ -4188,7 +4188,7 @@ static const struct ata_blacklist_entry
50477 + { "TSSTcorp CDDVDW SH-S202N", "SB01", ATA_HORKAGE_IVB, },
50478 +
50479 + /* End Marker */
50480 +- { }
50481 ++ { NULL, NULL, 0 }
50482 + };
50483 +
50484 + static int strn_pattern_cmp(const char *patt, const char *name, int wildchar)
50485 +diff -urNp linux-2.6.24.5/drivers/char/agp/frontend.c linux-2.6.24.5/drivers/char/agp/frontend.c
50486 +--- linux-2.6.24.5/drivers/char/agp/frontend.c 2008-03-24 14:49:18.000000000 -0400
50487 ++++ linux-2.6.24.5/drivers/char/agp/frontend.c 2008-03-26 20:21:08.000000000 -0400
50488 +@@ -820,7 +820,7 @@ static int agpioc_reserve_wrap(struct ag
50489 + if (copy_from_user(&reserve, arg, sizeof(struct agp_region)))
50490 + return -EFAULT;
50491 +
50492 +- if ((unsigned) reserve.seg_count >= ~0U/sizeof(struct agp_segment))
50493 ++ if ((unsigned) reserve.seg_count >= ~0U/sizeof(struct agp_segment_priv))
50494 + return -EFAULT;
50495 +
50496 + client = agp_find_client_by_pid(reserve.pid);
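Review bot: good catch on the size used in the overflow guard. The segment count from user space is later used to size an allocation of `struct agp_segment_priv` (in agp_create_segment()), which is larger than the user-visible `struct agp_segment`, so the old check left a window where `seg_count * sizeof(struct agp_segment_priv)` could wrap while `seg_count * sizeof(struct agp_segment)` did not. Bounding against the larger structure covers both allocations; the changelog should state this explicitly so the line is not "simplified" back.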
50497 +diff -urNp linux-2.6.24.5/drivers/char/agp/intel-agp.c linux-2.6.24.5/drivers/char/agp/intel-agp.c
50498 +--- linux-2.6.24.5/drivers/char/agp/intel-agp.c 2008-03-24 14:49:18.000000000 -0400
50499 ++++ linux-2.6.24.5/drivers/char/agp/intel-agp.c 2008-03-26 20:21:08.000000000 -0400
50500 +@@ -2080,7 +2080,7 @@ static struct pci_device_id agp_intel_pc
50501 + ID(PCI_DEVICE_ID_INTEL_G33_HB),
50502 + ID(PCI_DEVICE_ID_INTEL_Q35_HB),
50503 + ID(PCI_DEVICE_ID_INTEL_Q33_HB),
50504 +- { }
50505 ++ { 0, 0, 0, 0, 0, 0, 0 }
50506 + };
50507 +
50508 + MODULE_DEVICE_TABLE(pci, agp_intel_pci_table);
50509 +diff -urNp linux-2.6.24.5/drivers/char/drm/drm_pciids.h linux-2.6.24.5/drivers/char/drm/drm_pciids.h
50510 +--- linux-2.6.24.5/drivers/char/drm/drm_pciids.h 2008-03-24 14:49:18.000000000 -0400
50511 ++++ linux-2.6.24.5/drivers/char/drm/drm_pciids.h 2008-03-26 20:21:08.000000000 -0400
50512 +@@ -249,7 +249,7 @@
50513 + {0x8086, 0x7123, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
50514 + {0x8086, 0x7125, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
50515 + {0x8086, 0x1132, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
50516 +- {0, 0, 0}
50517 ++ {0, 0, 0, 0, 0, 0, 0 }
50518 +
50519 + #define i830_PCI_IDS \
50520 + {0x8086, 0x3577, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
50521 +diff -urNp linux-2.6.24.5/drivers/char/hpet.c linux-2.6.24.5/drivers/char/hpet.c
50522 +--- linux-2.6.24.5/drivers/char/hpet.c 2008-03-24 14:49:18.000000000 -0400
50523 ++++ linux-2.6.24.5/drivers/char/hpet.c 2008-03-26 20:21:08.000000000 -0400
50524 +@@ -1028,7 +1028,7 @@ static struct acpi_driver hpet_acpi_driv
50525 + },
50526 + };
50527 +
50528 +-static struct miscdevice hpet_misc = { HPET_MINOR, "hpet", &hpet_fops };
50529 ++static struct miscdevice hpet_misc = { HPET_MINOR, "hpet", &hpet_fops, {NULL, NULL}, NULL, NULL };
50530 +
50531 + static int __init hpet_init(void)
50532 + {
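Review bot: extending the positional initializer with `{NULL, NULL}, NULL, NULL` ties `hpet_misc` to the exact member order of `struct miscdevice` (the `{NULL, NULL}` is its `struct list_head`, followed by two pointer members) and silently breaks if a member is inserted; designated initializers, e.g. `{ .minor = HPET_MINOR, .name = "hpet", .fops = &hpet_fops }`, silence the same warning and stay correct across layout changes. The same applies to the other `struct miscdevice` initializers touched by this patch (nvram, psaux, kvm).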
50533 +diff -urNp linux-2.6.24.5/drivers/char/keyboard.c linux-2.6.24.5/drivers/char/keyboard.c
50534 +--- linux-2.6.24.5/drivers/char/keyboard.c 2008-03-24 14:49:18.000000000 -0400
50535 ++++ linux-2.6.24.5/drivers/char/keyboard.c 2008-03-26 20:21:08.000000000 -0400
50536 +@@ -631,6 +631,16 @@ static void k_spec(struct vc_data *vc, u
50537 + kbd->kbdmode == VC_MEDIUMRAW) &&
50538 + value != KVAL(K_SAK))
50539 + return; /* SAK is allowed even in raw mode */
50540 ++
50541 ++#if defined(CONFIG_GRKERNSEC_PROC) || defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
50542 ++ {
50543 ++ void *func = fn_handler[value];
50544 ++ if (func == fn_show_state || func == fn_show_ptregs ||
50545 ++ func == fn_show_mem)
50546 ++ return;
50547 ++ }
50548 ++#endif
50549 ++
50550 + fn_handler[value](vc);
50551 + }
50552 +
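Review bot: the new block refuses `fn_show_state`, `fn_show_ptregs` and `fn_show_mem` from the console keyboard by comparing the handler pointer, but it carries no comment explaining why (these handlers dump task state, registers and memory statistics to the console, the same kind of kernel-internal information the CONFIG_GRKERNSEC_PROC options hide elsewhere) and it returns silently; a one-line comment and, ideally, a rate-limited message through the grsec logging helpers would make the refusal visible to an administrator instead of looking like a dead key.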
50553 +@@ -1385,7 +1395,7 @@ static const struct input_device_id kbd_
50554 + .evbit = { BIT_MASK(EV_SND) },
50555 + },
50556 +
50557 +- { }, /* Terminating entry */
50558 ++ { 0 }, /* Terminating entry */
50559 + };
50560 +
50561 + MODULE_DEVICE_TABLE(input, kbd_ids);
50562 +diff -urNp linux-2.6.24.5/drivers/char/mem.c linux-2.6.24.5/drivers/char/mem.c
50563 +--- linux-2.6.24.5/drivers/char/mem.c 2008-03-24 14:49:18.000000000 -0400
50564 ++++ linux-2.6.24.5/drivers/char/mem.c 2008-03-26 20:21:08.000000000 -0400
50565 +@@ -26,6 +26,7 @@
50566 + #include <linux/bootmem.h>
50567 + #include <linux/splice.h>
50568 + #include <linux/pfn.h>
50569 ++#include <linux/grsecurity.h>
50570 +
50571 + #include <asm/uaccess.h>
50572 + #include <asm/io.h>
50573 +@@ -34,6 +35,10 @@
50574 + # include <linux/efi.h>
50575 + #endif
50576 +
50577 ++#ifdef CONFIG_GRKERNSEC
50578 ++extern struct file_operations grsec_fops;
50579 ++#endif
50580 ++
50581 + /*
50582 + * Architectures vary in how they handle caching for addresses
50583 + * outside of main memory.
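Review bot: `extern struct file_operations grsec_fops;` is a bare extern in a .c file immediately after `linux/grsecurity.h` was added to the includes; the declaration belongs in that header so the definition and every user share one prototype. It should also be declared `const`, matching `filp->f_op`, which is a `const struct file_operations *` in this kernel, and the definition then needs the same qualifier.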
50584 +@@ -180,6 +185,11 @@ static ssize_t write_mem(struct file * f
50585 + if (!valid_phys_addr_range(p, count))
50586 + return -EFAULT;
50587 +
50588 ++#ifdef CONFIG_GRKERNSEC_KMEM
50589 ++ gr_handle_mem_write();
50590 ++ return -EPERM;
50591 ++#endif
50592 ++
50593 + written = 0;
50594 +
50595 + #ifdef __ARCH_HAS_NO_PAGE_ZERO_MAPPED
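Review bot: with CONFIG_GRKERNSEC_KMEM the `gr_handle_mem_write(); return -EPERM;` pair is unconditional, so everything from `written = 0;` to the end of `write_mem()` becomes unreachable in that configuration; an `#ifdef`/`#else`/`#endif` around the two paths (or refusing the open in `open_mem()` instead) makes the intent explicit and avoids carrying dead code. Placing the refusal after `valid_phys_addr_range()` also means an out-of-range write returns -EFAULT without being logged; if every attempt is meant to be logged, move the block above that check.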
50596 +@@ -281,6 +291,11 @@ static int mmap_mem(struct file * file,
50597 + if (!private_mapping_ok(vma))
50598 + return -ENOSYS;
50599 +
50600 ++#ifdef CONFIG_GRKERNSEC_KMEM
50601 ++ if (gr_handle_mem_mmap(vma->vm_pgoff << PAGE_SHIFT, vma))
50602 ++ return -EPERM;
50603 ++#endif
50604 ++
50605 + vma->vm_page_prot = phys_mem_access_prot(file, vma->vm_pgoff,
50606 + size,
50607 + vma->vm_page_prot);
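Review bot: `vma->vm_pgoff << PAGE_SHIFT` is computed in `unsigned long`, so on 32-bit builds with PAE (any configuration where physical addresses exceed the word size) the value handed to `gr_handle_mem_mmap()` is truncated and the policy check can be evaluated against the wrong physical address; the existing code immediately below passes `vma->vm_pgoff` itself to `phys_mem_access_prot()` for exactly this reason. Either pass the page frame number and let the helper reason in pages (it already receives `vma`, so no new argument is needed) or widen the product to `u64` before shifting.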
50608 +@@ -512,6 +527,11 @@ static ssize_t write_kmem(struct file *
50609 + ssize_t written;
50610 + char * kbuf; /* k-addr because vwrite() takes vmlist_lock rwlock */
50611 +
50612 ++#ifdef CONFIG_GRKERNSEC_KMEM
50613 ++ gr_handle_kmem_write();
50614 ++ return -EPERM;
50615 ++#endif
50616 ++
50617 + if (p < (unsigned long) high_memory) {
50618 +
50619 + wrote = count;
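Review bot: under CONFIG_GRKERNSEC_KMEM the early `return -EPERM` sits above `if (p < (unsigned long) high_memory)`, so the whole body of `write_kmem()` is dead code in that configuration while its locals (`written`, `kbuf`) stay declared; as with `write_mem()`, an `#else` branch or refusing the open of /dev/kmem in `open_kmem` keeps one live implementation per configuration. If the write-time refusal is deliberate so that opens still succeed and only write attempts are logged, say so in a comment next to the block.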
50620 +@@ -714,6 +734,16 @@ static loff_t memory_lseek(struct file *
50621 +
50622 + static int open_port(struct inode * inode, struct file * filp)
50623 + {
50624 ++#ifdef CONFIG_GRKERNSEC_KMEM
50625 ++ gr_handle_open_port();
50626 ++ return -EPERM;
50627 ++#endif
50628 ++
50629 ++ return capable(CAP_SYS_RAWIO) ? 0 : -EPERM;
50630 ++}
50631 ++
50632 ++static int open_mem(struct inode * inode, struct file * filp)
50633 ++{
50634 + return capable(CAP_SYS_RAWIO) ? 0 : -EPERM;
50635 + }
50636 +
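Review bot: inside `open_port()` the `#ifdef CONFIG_GRKERNSEC_KMEM` block returns unconditionally, so the `return capable(CAP_SYS_RAWIO) ? 0 : -EPERM;` after the `#endif` is unreachable in that configuration and reads like a leftover; `#else` would make the two behaviours mutually exclusive. Splitting `open_mem()` out of `open_port()` is what makes the policy workable: /dev/port is refused outright, including for CAP_SYS_RAWIO holders, which the Kconfig help should state, while /dev/mem, /dev/kmem and /dev/oldmem keep the capability check and rely on the write-time refusals in the hunks above.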
50637 +@@ -721,7 +751,6 @@ static int open_port(struct inode * inod
50638 + #define full_lseek null_lseek
50639 + #define write_zero write_null
50640 + #define read_full read_zero
50641 +-#define open_mem open_port
50642 + #define open_kmem open_mem
50643 + #define open_oldmem open_mem
50644 +
50645 +@@ -854,6 +883,11 @@ static int memory_open(struct inode * in
50646 + filp->f_op = &oldmem_fops;
50647 + break;
50648 + #endif
50649 ++#ifdef CONFIG_GRKERNSEC
50650 ++ case 13:
50651 ++ filp->f_op = &grsec_fops;
50652 ++ break;
50653 ++#endif
50654 + default:
50655 + return -ENXIO;
50656 + }
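Review bot: the minor number 13 is a magic constant that appears here and again in the device table a few hunks below; define it once (e.g. a `GRSEC_MINOR` next to the other `*_MINOR` values) so the switch and the table cannot diverge, and confirm that minor 13 of the memory device major is not already assigned in this tree's Documentation/devices.txt before claiming it.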
50657 +@@ -886,6 +920,9 @@ static const struct {
50658 + #ifdef CONFIG_CRASH_DUMP
50659 + {12,"oldmem", S_IRUSR | S_IWUSR | S_IRGRP, &oldmem_fops},
50660 + #endif
50661 ++#ifdef CONFIG_GRKERNSEC
50662 ++ {13,"grsec", S_IRUSR | S_IWUGO, &grsec_fops},
50663 ++#endif
50664 + };
50665 +
50666 + static struct class *mem_class;
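Review bot: the `grsec` node is registered with `S_IRUSR | S_IWUGO`, i.e. readable by the owner only but writable by everyone, which is stricter on reads and far looser on writes than the neighbouring `oldmem` entry (`S_IRUSR | S_IWUSR | S_IRGRP`); if world-writability is intended so that unprivileged processes can talk to the policy interface, the write handler behind `grsec_fops` is the only thing between any local user and that interface and must validate every byte it accepts. A comment explaining why the node is world-writable belongs on this line.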
50667 +diff -urNp linux-2.6.24.5/drivers/char/nvram.c linux-2.6.24.5/drivers/char/nvram.c
50668 +--- linux-2.6.24.5/drivers/char/nvram.c 2008-03-24 14:49:18.000000000 -0400
50669 ++++ linux-2.6.24.5/drivers/char/nvram.c 2008-03-26 20:21:08.000000000 -0400
50670 +@@ -430,7 +430,10 @@ static const struct file_operations nvra
50671 + static struct miscdevice nvram_dev = {
50672 + NVRAM_MINOR,
50673 + "nvram",
50674 +- &nvram_fops
50675 ++ &nvram_fops,
50676 ++ {NULL, NULL},
50677 ++ NULL,
50678 ++ NULL
50679 + };
50680 +
50681 + static int __init
50682 +diff -urNp linux-2.6.24.5/drivers/char/random.c linux-2.6.24.5/drivers/char/random.c
50683 +--- linux-2.6.24.5/drivers/char/random.c 2008-03-24 14:49:18.000000000 -0400
50684 ++++ linux-2.6.24.5/drivers/char/random.c 2008-03-26 20:21:08.000000000 -0400
50685 +@@ -248,8 +248,13 @@
50686 + /*
50687 + * Configuration information
50688 + */
50689 ++#ifdef CONFIG_GRKERNSEC_RANDNET
50690 ++#define INPUT_POOL_WORDS 512
50691 ++#define OUTPUT_POOL_WORDS 128
50692 ++#else
50693 + #define INPUT_POOL_WORDS 128
50694 + #define OUTPUT_POOL_WORDS 32
50695 ++#endif
50696 + #define SEC_XFER_SIZE 512
50697 +
50698 + /*
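Review bot: CONFIG_GRKERNSEC_RANDNET quadruples both pool sizes (512/128 words instead of 128/32), and those word counts must agree with the polynomial entries in `poolinfo_table` and with the limits derived from them further down (`max_write_thresh = INPUT_POOL_WORDS * 32`); the dependency is not stated anywhere, so a comment here pointing at the table would stop the two hunks from being split or reordered later. Userspace reading `/proc/sys/kernel/random/poolsize` will also see the larger value, which the option's help text should mention.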
50699 +@@ -286,10 +291,17 @@ static struct poolinfo {
50700 + int poolwords;
50701 + int tap1, tap2, tap3, tap4, tap5;
50702 + } poolinfo_table[] = {
50703 ++#ifdef CONFIG_GRKERNSEC_RANDNET
50704 ++ /* x^512 + x^411 + x^308 + x^208 +x^104 + x + 1 -- 225 */
50705 ++ { 512, 411, 308, 208, 104, 1 },
50706 ++ /* x^128 + x^103 + x^76 + x^51 + x^25 + x + 1 -- 105 */
50707 ++ { 128, 103, 76, 51, 25, 1 },
50708 ++#else
50709 + /* x^128 + x^103 + x^76 + x^51 +x^25 + x + 1 -- 105 */
50710 + { 128, 103, 76, 51, 25, 1 },
50711 + /* x^32 + x^26 + x^20 + x^14 + x^7 + x + 1 -- 15 */
50712 + { 32, 26, 20, 14, 7, 1 },
50713 ++#endif
50714 + #if 0
50715 + /* x^2048 + x^1638 + x^1231 + x^819 + x^411 + x + 1 -- 115 */
50716 + { 2048, 1638, 1231, 819, 411, 1 },
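Review bot: the order of the entries is load-bearing: the input pool is built from `poolinfo_table[0]` and the blocking and nonblocking output pools from `poolinfo_table[1]`, so under CONFIG_GRKERNSEC_RANDNET the 128-word polynomial that used to serve the input pool now serves the output pools and the new 512-word polynomial takes the input pool; nothing in the hunk says so, and a comment above the `#ifdef` would prevent a later edit from reordering them. The new 512-word entry should also cite where the tap positions come from, since the tap set is what makes the pool mixing sound.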
50717 +@@ -1172,7 +1184,7 @@ EXPORT_SYMBOL(generate_random_uuid);
50718 + #include <linux/sysctl.h>
50719 +
50720 + static int min_read_thresh = 8, min_write_thresh;
50721 +-static int max_read_thresh = INPUT_POOL_WORDS * 32;
50722 ++static int max_read_thresh = OUTPUT_POOL_WORDS * 32;
50723 + static int max_write_thresh = INPUT_POOL_WORDS * 32;
50724 + static char sysctl_bootid[16];
50725 +
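Review bot: changing `max_read_thresh` from `INPUT_POOL_WORDS * 32` to `OUTPUT_POOL_WORDS * 32` is not guarded by CONFIG_GRKERNSEC_RANDNET, so it lowers the ceiling of the `read_wakeup_threshold` sysctl for every build (4096 to 1024 bits with the default pool sizes); if this is an intentional fix rather than a side effect of the pool resize, the justification belongs in the patch description, and if it is only meant to accompany RANDNET it should sit inside the same `#ifdef`.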
50726 +diff -urNp linux-2.6.24.5/drivers/char/vt_ioctl.c linux-2.6.24.5/drivers/char/vt_ioctl.c
50727 +--- linux-2.6.24.5/drivers/char/vt_ioctl.c 2008-03-24 14:49:18.000000000 -0400
50728 ++++ linux-2.6.24.5/drivers/char/vt_ioctl.c 2008-03-26 20:21:08.000000000 -0400
50729 +@@ -96,6 +96,12 @@ do_kdsk_ioctl(int cmd, struct kbentry __
50730 + case KDSKBENT:
50731 + if (!perm)
50732 + return -EPERM;
50733 ++
50734 ++#ifdef CONFIG_GRKERNSEC
50735 ++ if (!capable(CAP_SYS_TTY_CONFIG))
50736 ++ return -EPERM;
50737 ++#endif
50738 ++
50739 + if (!i && v == K_NOSUCHMAP) {
50740 + /* deallocate map */
50741 + key_map = key_maps[s];
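Review bot: the new `capable(CAP_SYS_TTY_CONFIG)` test sits after `if (!perm) return -EPERM;`, so it only changes the outcome for callers that passed `perm` without holding the capability, i.e. the owner of the console; under CONFIG_GRKERNSEC an unprivileged user can no longer change keymap entries on their own VT with KDSKBENT. That is a defensible hardening choice, but it is a user-visible behaviour change (running `loadkeys` as a normal user on its own console will fail) and belongs in the option's help text.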
50742 +@@ -236,6 +242,13 @@ do_kdgkb_ioctl(int cmd, struct kbsentry
50743 + goto reterr;
50744 + }
50745 +
50746 ++#ifdef CONFIG_GRKERNSEC
50747 ++ if (!capable(CAP_SYS_TTY_CONFIG)) {
50748 ++ ret = -EPERM;
50749 ++ goto reterr;
50750 ++ }
50751 ++#endif
50752 ++
50753 + q = func_table[i];
50754 + first_free = funcbufptr + (funcbufsize - funcbufleft);
50755 + for (j = i+1; j < MAX_NR_FUNC && !func_table[j]; j++)
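Review bot: the capability check lands after the user-supplied `kbsentry` has already been copied in (the `goto reterr` cleanup path just above shows a buffer is live at this point); doing the `capable(CAP_SYS_TTY_CONFIG)` test before the copy makes a denied caller cheaper and keeps the error path simpler. The surrounding context (`q = func_table[i]`, `first_free = funcbufptr + ...`) is the KDSKBSENT branch, so the read-only KDGKBSENT path that `do_kdgkb_ioctl()` also serves is correctly left alone.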
50756 +diff -urNp linux-2.6.24.5/drivers/edac/edac_core.h linux-2.6.24.5/drivers/edac/edac_core.h
50757 +--- linux-2.6.24.5/drivers/edac/edac_core.h 2008-03-24 14:49:18.000000000 -0400
50758 ++++ linux-2.6.24.5/drivers/edac/edac_core.h 2008-03-26 20:21:08.000000000 -0400
50759 +@@ -86,11 +86,11 @@ extern int edac_debug_level;
50760 +
50761 + #else /* !CONFIG_EDAC_DEBUG */
50762 +
50763 +-#define debugf0( ... )
50764 +-#define debugf1( ... )
50765 +-#define debugf2( ... )
50766 +-#define debugf3( ... )
50767 +-#define debugf4( ... )
50768 ++#define debugf0( ... ) do {} while (0)
50769 ++#define debugf1( ... ) do {} while (0)
50770 ++#define debugf2( ... ) do {} while (0)
50771 ++#define debugf3( ... ) do {} while (0)
50772 ++#define debugf4( ... ) do {} while (0)
50773 +
50774 + #endif /* !CONFIG_EDAC_DEBUG */
50775 +
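Review bot: replacing the empty `debugf*` expansions with `do {} while (0)` is the right fix (an empty macro after an unbraced `if` silently binds the next statement to the condition), but it is generic kernel hygiene with no grsecurity dependency and would be better sent upstream on its own than carried in the hardening patchset indefinitely.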
50776 +diff -urNp linux-2.6.24.5/drivers/firmware/dmi_scan.c linux-2.6.24.5/drivers/firmware/dmi_scan.c
50777 +--- linux-2.6.24.5/drivers/firmware/dmi_scan.c 2008-04-17 20:05:17.000000000 -0400
50778 ++++ linux-2.6.24.5/drivers/firmware/dmi_scan.c 2008-04-17 20:05:01.000000000 -0400
50779 +@@ -318,21 +318,19 @@ void __init dmi_scan_machine(void)
50780 + }
50781 + }
50782 + else {
50783 +- /*
50784 +- * no iounmap() for that ioremap(); it would be a no-op, but
50785 +- * it's so early in setup that sucker gets confused into doing
50786 +- * what it shouldn't if we actually call it.
50787 +- */
50788 + p = dmi_ioremap(0xF0000, 0x10000);
50789 + if (p == NULL)
50790 + goto out;
50791 +
50792 + for (q = p; q < p + 0x10000; q += 16) {
50793 + rc = dmi_present(q);
50794 +- if (!rc) {
50795 +- dmi_available = 1;
50796 +- return;
50797 +- }
50798 ++ if (!rc)
50799 ++ break;
50800 ++ }
50801 ++ dmi_iounmap(p, 0x10000);
50802 ++ if (!rc) {
50803 ++ dmi_available = 1;
50804 ++ return;
50805 + }
50806 + }
50807 + out: printk(KERN_INFO "DMI not present or invalid.\n");
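Review bot: the deleted comment documented why the 0xF0000 mapping was deliberately never unmapped ("it's so early in setup that sucker gets confused"), and the hunk adds `dmi_iounmap(p, 0x10000)` without replacing that rationale; either a comment or a reference to the upstream change this is backported from (the file header dates, 2008-04-17, differ from every other file in the patch, which suggests a separate origin) should explain why the early unmap is now safe. The restructured control flow is correct as written: the loop only `break`s when `rc == 0`, so the post-loop `if (!rc)` cannot be reached with a stale success value.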
50808 +diff -urNp linux-2.6.24.5/drivers/hwmon/fscpos.c linux-2.6.24.5/drivers/hwmon/fscpos.c
50809 +--- linux-2.6.24.5/drivers/hwmon/fscpos.c 2008-03-24 14:49:18.000000000 -0400
50810 ++++ linux-2.6.24.5/drivers/hwmon/fscpos.c 2008-03-26 20:21:08.000000000 -0400
50811 +@@ -231,7 +231,6 @@ static ssize_t set_pwm(struct i2c_client
50812 + unsigned long v = simple_strtoul(buf, NULL, 10);
50813 +
50814 + /* Range: 0..255 */
50815 +- if (v < 0) v = 0;
50816 + if (v > 255) v = 255;
50817 +
50818 + mutex_lock(&data->update_lock);
50819 +diff -urNp linux-2.6.24.5/drivers/hwmon/k8temp.c linux-2.6.24.5/drivers/hwmon/k8temp.c
50820 +--- linux-2.6.24.5/drivers/hwmon/k8temp.c 2008-03-24 14:49:18.000000000 -0400
50821 ++++ linux-2.6.24.5/drivers/hwmon/k8temp.c 2008-03-26 20:21:08.000000000 -0400
50822 +@@ -130,7 +130,7 @@ static DEVICE_ATTR(name, S_IRUGO, show_n
50823 +
50824 + static struct pci_device_id k8temp_ids[] = {
50825 + { PCI_DEVICE(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_K8_NB_MISC) },
50826 +- { 0 },
50827 ++ { 0, 0, 0, 0, 0, 0, 0 },
50828 + };
50829 +
50830 + MODULE_DEVICE_TABLE(pci, k8temp_ids);
50831 +diff -urNp linux-2.6.24.5/drivers/hwmon/sis5595.c linux-2.6.24.5/drivers/hwmon/sis5595.c
50832 +--- linux-2.6.24.5/drivers/hwmon/sis5595.c 2008-03-24 14:49:18.000000000 -0400
50833 ++++ linux-2.6.24.5/drivers/hwmon/sis5595.c 2008-03-26 20:21:08.000000000 -0400
50834 +@@ -698,7 +698,7 @@ static struct sis5595_data *sis5595_upda
50835 +
50836 + static struct pci_device_id sis5595_pci_ids[] = {
50837 + { PCI_DEVICE(PCI_VENDOR_ID_SI, PCI_DEVICE_ID_SI_503) },
50838 +- { 0, }
50839 ++ { 0, 0, 0, 0, 0, 0, 0 }
50840 + };
50841 +
50842 + MODULE_DEVICE_TABLE(pci, sis5595_pci_ids);
50843 +diff -urNp linux-2.6.24.5/drivers/hwmon/thmc50.c linux-2.6.24.5/drivers/hwmon/thmc50.c
50844 +--- linux-2.6.24.5/drivers/hwmon/thmc50.c 2008-03-24 14:49:18.000000000 -0400
50845 ++++ linux-2.6.24.5/drivers/hwmon/thmc50.c 2008-03-26 20:21:08.000000000 -0400
50846 +@@ -52,9 +52,9 @@ I2C_CLIENT_MODULE_PARM(adm1022_temp3, "L
50847 + */
50848 + #define THMC50_REG_INTR 0x41
50849 +
50850 +-const static u8 THMC50_REG_TEMP[] = { 0x27, 0x26, 0x20 };
50851 +-const static u8 THMC50_REG_TEMP_MIN[] = { 0x3A, 0x38, 0x2C };
50852 +-const static u8 THMC50_REG_TEMP_MAX[] = { 0x39, 0x37, 0x2B };
50853 ++static const u8 THMC50_REG_TEMP[] = { 0x27, 0x26, 0x20 };
50854 ++static const u8 THMC50_REG_TEMP_MIN[] = { 0x3A, 0x38, 0x2C };
50855 ++static const u8 THMC50_REG_TEMP_MAX[] = { 0x39, 0x37, 0x2B };
50856 +
50857 + #define THMC50_REG_CONF_nFANOFF 0x20
50858 +
50859 +diff -urNp linux-2.6.24.5/drivers/hwmon/via686a.c linux-2.6.24.5/drivers/hwmon/via686a.c
50860 +--- linux-2.6.24.5/drivers/hwmon/via686a.c 2008-03-24 14:49:18.000000000 -0400
50861 ++++ linux-2.6.24.5/drivers/hwmon/via686a.c 2008-03-26 20:21:08.000000000 -0400
50862 +@@ -740,7 +740,7 @@ static struct via686a_data *via686a_upda
50863 +
50864 + static struct pci_device_id via686a_pci_ids[] = {
50865 + { PCI_DEVICE(PCI_VENDOR_ID_VIA, PCI_DEVICE_ID_VIA_82C686_4) },
50866 +- { 0, }
50867 ++ { 0, 0, 0, 0, 0, 0, 0 }
50868 + };
50869 +
50870 + MODULE_DEVICE_TABLE(pci, via686a_pci_ids);
50871 +diff -urNp linux-2.6.24.5/drivers/hwmon/vt8231.c linux-2.6.24.5/drivers/hwmon/vt8231.c
50872 +--- linux-2.6.24.5/drivers/hwmon/vt8231.c 2008-03-24 14:49:18.000000000 -0400
50873 ++++ linux-2.6.24.5/drivers/hwmon/vt8231.c 2008-03-26 20:21:08.000000000 -0400
50874 +@@ -662,7 +662,7 @@ static struct platform_driver vt8231_dri
50875 +
50876 + static struct pci_device_id vt8231_pci_ids[] = {
50877 + { PCI_DEVICE(PCI_VENDOR_ID_VIA, PCI_DEVICE_ID_VIA_8231_4) },
50878 +- { 0, }
50879 ++ { 0, 0, 0, 0, 0, 0, 0 }
50880 + };
50881 +
50882 + MODULE_DEVICE_TABLE(pci, vt8231_pci_ids);
50883 +diff -urNp linux-2.6.24.5/drivers/hwmon/w83791d.c linux-2.6.24.5/drivers/hwmon/w83791d.c
50884 +--- linux-2.6.24.5/drivers/hwmon/w83791d.c 2008-03-24 14:49:18.000000000 -0400
50885 ++++ linux-2.6.24.5/drivers/hwmon/w83791d.c 2008-03-26 20:21:08.000000000 -0400
50886 +@@ -289,8 +289,8 @@ static int w83791d_attach_adapter(struct
50887 + static int w83791d_detect(struct i2c_adapter *adapter, int address, int kind);
50888 + static int w83791d_detach_client(struct i2c_client *client);
50889 +
50890 +-static int w83791d_read(struct i2c_client *client, u8 register);
50891 +-static int w83791d_write(struct i2c_client *client, u8 register, u8 value);
50892 ++static int w83791d_read(struct i2c_client *client, u8 reg);
50893 ++static int w83791d_write(struct i2c_client *client, u8 reg, u8 value);
50894 + static struct w83791d_data *w83791d_update_device(struct device *dev);
50895 +
50896 + #ifdef DEBUG
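Review bot: in these prototypes `register` is a keyword, so `u8 register` was parsed as a storage-class specifier on an unnamed parameter rather than as a parameter name, and the declarations compiled only by accident; renaming the parameter to `reg` is the real fix, is unrelated to hardening, and is worth submitting upstream separately so the patch does not have to carry it.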
50897 +diff -urNp linux-2.6.24.5/drivers/i2c/busses/i2c-i801.c linux-2.6.24.5/drivers/i2c/busses/i2c-i801.c
50898 +--- linux-2.6.24.5/drivers/i2c/busses/i2c-i801.c 2008-03-24 14:49:18.000000000 -0400
50899 ++++ linux-2.6.24.5/drivers/i2c/busses/i2c-i801.c 2008-03-26 20:21:08.000000000 -0400
50900 +@@ -545,7 +545,7 @@ static struct pci_device_id i801_ids[] =
50901 + { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_ICH8_5) },
50902 + { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_ICH9_6) },
50903 + { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_TOLAPAI_1) },
50904 +- { 0, }
50905 ++ { 0, 0, 0, 0, 0, 0, 0 }
50906 + };
50907 +
50908 + MODULE_DEVICE_TABLE (pci, i801_ids);
50909 +diff -urNp linux-2.6.24.5/drivers/i2c/busses/i2c-i810.c linux-2.6.24.5/drivers/i2c/busses/i2c-i810.c
50910 +--- linux-2.6.24.5/drivers/i2c/busses/i2c-i810.c 2008-03-24 14:49:18.000000000 -0400
50911 ++++ linux-2.6.24.5/drivers/i2c/busses/i2c-i810.c 2008-03-26 20:21:08.000000000 -0400
50912 +@@ -198,7 +198,7 @@ static struct pci_device_id i810_ids[] _
50913 + { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_82810E_IG) },
50914 + { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_82815_CGC) },
50915 + { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_82845G_IG) },
50916 +- { 0, },
50917 ++ { 0, 0, 0, 0, 0, 0, 0 },
50918 + };
50919 +
50920 + MODULE_DEVICE_TABLE (pci, i810_ids);
50921 +diff -urNp linux-2.6.24.5/drivers/i2c/busses/i2c-piix4.c linux-2.6.24.5/drivers/i2c/busses/i2c-piix4.c
50922 +--- linux-2.6.24.5/drivers/i2c/busses/i2c-piix4.c 2008-03-24 14:49:18.000000000 -0400
50923 ++++ linux-2.6.24.5/drivers/i2c/busses/i2c-piix4.c 2008-03-26 20:21:08.000000000 -0400
50924 +@@ -113,7 +113,7 @@ static struct dmi_system_id __devinitdat
50925 + .ident = "IBM",
50926 + .matches = { DMI_MATCH(DMI_SYS_VENDOR, "IBM"), },
50927 + },
50928 +- { },
50929 ++ { NULL, NULL, {DMI_MATCH(DMI_NONE, NULL)}, NULL },
50930 + };
50931 +
50932 + static int __devinit piix4_setup(struct pci_dev *PIIX4_dev,
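Review bot: `{ NULL, NULL, {DMI_MATCH(DMI_NONE, NULL)}, NULL }` spells out the empty `struct dmi_system_id` terminator positionally, which hard-codes the member order (callback, ident, matches, driver_data) and the `DMI_MATCH()` nesting; `dmi_check_system()` stops at the first entry whose `ident` is NULL, which `{ }` already guarantees. If the build really must be warning-free, a single shared terminator macro of your own (a `DMI_TERMINATOR`-style define) would be easier to keep correct than repeating this literal in every DMI table the patch touches.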
50933 +@@ -411,7 +411,7 @@ static struct pci_device_id piix4_ids[]
50934 + .driver_data = 3 },
50935 + { PCI_DEVICE(PCI_VENDOR_ID_EFAR, PCI_DEVICE_ID_EFAR_SLC90E66_3),
50936 + .driver_data = 0 },
50937 +- { 0, }
50938 ++ { 0, 0, 0, 0, 0, 0, 0 }
50939 + };
50940 +
50941 + MODULE_DEVICE_TABLE (pci, piix4_ids);
50942 +diff -urNp linux-2.6.24.5/drivers/i2c/busses/i2c-sis630.c linux-2.6.24.5/drivers/i2c/busses/i2c-sis630.c
50943 +--- linux-2.6.24.5/drivers/i2c/busses/i2c-sis630.c 2008-03-24 14:49:18.000000000 -0400
50944 ++++ linux-2.6.24.5/drivers/i2c/busses/i2c-sis630.c 2008-03-26 20:21:08.000000000 -0400
50945 +@@ -465,7 +465,7 @@ static struct i2c_adapter sis630_adapter
50946 + static struct pci_device_id sis630_ids[] __devinitdata = {
50947 + { PCI_DEVICE(PCI_VENDOR_ID_SI, PCI_DEVICE_ID_SI_503) },
50948 + { PCI_DEVICE(PCI_VENDOR_ID_SI, PCI_DEVICE_ID_SI_LPC) },
50949 +- { 0, }
50950 ++ { 0, 0, 0, 0, 0, 0, 0 }
50951 + };
50952 +
50953 + MODULE_DEVICE_TABLE (pci, sis630_ids);
50954 +diff -urNp linux-2.6.24.5/drivers/i2c/busses/i2c-sis96x.c linux-2.6.24.5/drivers/i2c/busses/i2c-sis96x.c
50955 +--- linux-2.6.24.5/drivers/i2c/busses/i2c-sis96x.c 2008-03-24 14:49:18.000000000 -0400
50956 ++++ linux-2.6.24.5/drivers/i2c/busses/i2c-sis96x.c 2008-03-26 20:21:08.000000000 -0400
50957 +@@ -255,7 +255,7 @@ static struct i2c_adapter sis96x_adapter
50958 +
50959 + static struct pci_device_id sis96x_ids[] = {
50960 + { PCI_DEVICE(PCI_VENDOR_ID_SI, PCI_DEVICE_ID_SI_SMBUS) },
50961 +- { 0, }
50962 ++ { 0, 0, 0, 0, 0, 0, 0 }
50963 + };
50964 +
50965 + MODULE_DEVICE_TABLE (pci, sis96x_ids);
50966 +diff -urNp linux-2.6.24.5/drivers/ide/ide-cd.c linux-2.6.24.5/drivers/ide/ide-cd.c
50967 +--- linux-2.6.24.5/drivers/ide/ide-cd.c 2008-03-24 14:49:18.000000000 -0400
50968 ++++ linux-2.6.24.5/drivers/ide/ide-cd.c 2008-03-26 20:21:08.000000000 -0400
50969 +@@ -457,8 +457,6 @@ void cdrom_analyze_sense_data(ide_drive_
50970 + sector &= ~(bio_sectors -1);
50971 + valid = (sector - failed_command->sector) << 9;
50972 +
50973 +- if (valid < 0)
50974 +- valid = 0;
50975 + if (sector < get_capacity(info->disk) &&
50976 + drive->probed_capacity - sector < 4 * 75) {
50977 + set_capacity(info->disk, sector);
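Review bot: dropping `if (valid < 0) valid = 0;` is only a no-op if `valid` is an unsigned type; its declaration is outside the hunk, and `valid` is derived from `(sector - failed_command->sector) << 9`, which would be negative for a signed `valid` whenever the rounded-down `sector` falls below the failed command's sector. Confirm the declared type in `cdrom_analyze_sense_data()` and say so in the patch description; the same question applies to every `< 0` test this patch removes.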
50978 +diff -urNp linux-2.6.24.5/drivers/ieee1394/dv1394.c linux-2.6.24.5/drivers/ieee1394/dv1394.c
50979 +--- linux-2.6.24.5/drivers/ieee1394/dv1394.c 2008-03-24 14:49:18.000000000 -0400
50980 ++++ linux-2.6.24.5/drivers/ieee1394/dv1394.c 2008-03-26 20:21:08.000000000 -0400
50981 +@@ -739,7 +739,7 @@ static void frame_prepare(struct video_c
50982 + based upon DIF section and sequence
50983 + */
50984 +
50985 +-static void inline
50986 ++static inline void
50987 + frame_put_packet (struct frame *f, struct packet *p)
50988 + {
50989 + int section_type = p->data[0] >> 5; /* section type is in bits 5 - 7 */
50990 +@@ -918,7 +918,7 @@ static int do_dv1394_init(struct video_c
50991 + /* default SYT offset is 3 cycles */
50992 + init->syt_offset = 3;
50993 +
50994 +- if ( (init->channel > 63) || (init->channel < 0) )
50995 ++ if (init->channel > 63)
50996 + init->channel = 63;
50997 +
50998 + chan_mask = (u64)1 << init->channel;
50999 +@@ -2173,7 +2173,7 @@ static struct ieee1394_device_id dv1394_
51000 + .specifier_id = AVC_UNIT_SPEC_ID_ENTRY & 0xffffff,
51001 + .version = AVC_SW_VERSION_ENTRY & 0xffffff
51002 + },
51003 +- { }
51004 ++ { 0, 0, 0, 0, 0, 0 }
51005 + };
51006 +
51007 + MODULE_DEVICE_TABLE(ieee1394, dv1394_id_table);
51008 +diff -urNp linux-2.6.24.5/drivers/ieee1394/eth1394.c linux-2.6.24.5/drivers/ieee1394/eth1394.c
51009 +--- linux-2.6.24.5/drivers/ieee1394/eth1394.c 2008-03-24 14:49:18.000000000 -0400
51010 ++++ linux-2.6.24.5/drivers/ieee1394/eth1394.c 2008-03-26 20:21:08.000000000 -0400
51011 +@@ -451,7 +451,7 @@ static struct ieee1394_device_id eth1394
51012 + .specifier_id = ETHER1394_GASP_SPECIFIER_ID,
51013 + .version = ETHER1394_GASP_VERSION,
51014 + },
51015 +- {}
51016 ++ { 0, 0, 0, 0, 0, 0 }
51017 + };
51018 +
51019 + MODULE_DEVICE_TABLE(ieee1394, eth1394_id_table);
51020 +diff -urNp linux-2.6.24.5/drivers/ieee1394/hosts.c linux-2.6.24.5/drivers/ieee1394/hosts.c
51021 +--- linux-2.6.24.5/drivers/ieee1394/hosts.c 2008-03-24 14:49:18.000000000 -0400
51022 ++++ linux-2.6.24.5/drivers/ieee1394/hosts.c 2008-03-26 20:21:08.000000000 -0400
51023 +@@ -78,6 +78,7 @@ static int dummy_isoctl(struct hpsb_iso
51024 + }
51025 +
51026 + static struct hpsb_host_driver dummy_driver = {
51027 ++ .name = "dummy",
51028 + .transmit_packet = dummy_transmit_packet,
51029 + .devctl = dummy_devctl,
51030 + .isoctl = dummy_isoctl
51031 +diff -urNp linux-2.6.24.5/drivers/ieee1394/ohci1394.c linux-2.6.24.5/drivers/ieee1394/ohci1394.c
51032 +--- linux-2.6.24.5/drivers/ieee1394/ohci1394.c 2008-03-24 14:49:18.000000000 -0400
51033 ++++ linux-2.6.24.5/drivers/ieee1394/ohci1394.c 2008-03-26 20:21:08.000000000 -0400
51034 +@@ -147,9 +147,9 @@ printk(level "%s: " fmt "\n" , OHCI1394_
51035 + printk(level "%s: fw-host%d: " fmt "\n" , OHCI1394_DRIVER_NAME, ohci->host->id , ## args)
51036 +
51037 + /* Module Parameters */
51038 +-static int phys_dma = 1;
51039 ++static int phys_dma;
51040 + module_param(phys_dma, int, 0444);
51041 +-MODULE_PARM_DESC(phys_dma, "Enable physical dma (default = 1).");
51042 ++MODULE_PARM_DESC(phys_dma, "Enable physical dma (default = 0).");
51043 +
51044 + static void dma_trm_tasklet(unsigned long data);
51045 + static void dma_trm_reset(struct dma_trm_ctx *d);
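Review bot: flipping the `phys_dma` default to 0 stops the driver from enabling physical DMA for remote nodes, so other devices on the FireWire bus can no longer read or write host memory without the kernel's involvement; that is a sound default for a hardened kernel, but it is a behaviour change for sbp2 storage and any other user that relied on physical DMA, and apart from the updated MODULE_PARM_DESC nothing documents it. Add a line to the patchset README or the Kconfig help saying that `phys_dma=1` restores the old behaviour.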
51046 +@@ -3396,7 +3396,7 @@ static struct pci_device_id ohci1394_pci
51047 + .subvendor = PCI_ANY_ID,
51048 + .subdevice = PCI_ANY_ID,
51049 + },
51050 +- { 0, },
51051 ++ { 0, 0, 0, 0, 0, 0, 0 },
51052 + };
51053 +
51054 + MODULE_DEVICE_TABLE(pci, ohci1394_pci_tbl);
51055 +diff -urNp linux-2.6.24.5/drivers/ieee1394/raw1394.c linux-2.6.24.5/drivers/ieee1394/raw1394.c
51056 +--- linux-2.6.24.5/drivers/ieee1394/raw1394.c 2008-03-24 14:49:18.000000000 -0400
51057 ++++ linux-2.6.24.5/drivers/ieee1394/raw1394.c 2008-03-26 20:21:08.000000000 -0400
51058 +@@ -2952,7 +2952,7 @@ static struct ieee1394_device_id raw1394
51059 + .match_flags = IEEE1394_MATCH_SPECIFIER_ID | IEEE1394_MATCH_VERSION,
51060 + .specifier_id = CAMERA_UNIT_SPEC_ID_ENTRY & 0xffffff,
51061 + .version = (CAMERA_SW_VERSION_ENTRY + 2) & 0xffffff},
51062 +- {}
51063 ++ { 0, 0, 0, 0, 0, 0 }
51064 + };
51065 +
51066 + MODULE_DEVICE_TABLE(ieee1394, raw1394_id_table);
51067 +diff -urNp linux-2.6.24.5/drivers/ieee1394/sbp2.c linux-2.6.24.5/drivers/ieee1394/sbp2.c
51068 +--- linux-2.6.24.5/drivers/ieee1394/sbp2.c 2008-03-24 14:49:18.000000000 -0400
51069 ++++ linux-2.6.24.5/drivers/ieee1394/sbp2.c 2008-03-26 20:21:08.000000000 -0400
51070 +@@ -274,7 +274,7 @@ static struct ieee1394_device_id sbp2_id
51071 + .match_flags = IEEE1394_MATCH_SPECIFIER_ID | IEEE1394_MATCH_VERSION,
51072 + .specifier_id = SBP2_UNIT_SPEC_ID_ENTRY & 0xffffff,
51073 + .version = SBP2_SW_VERSION_ENTRY & 0xffffff},
51074 +- {}
51075 ++ { 0, 0, 0, 0, 0, 0 }
51076 + };
51077 + MODULE_DEVICE_TABLE(ieee1394, sbp2_id_table);
51078 +
51079 +@@ -2078,7 +2078,7 @@ MODULE_DESCRIPTION("IEEE-1394 SBP-2 prot
51080 + MODULE_SUPPORTED_DEVICE(SBP2_DEVICE_NAME);
51081 + MODULE_LICENSE("GPL");
51082 +
51083 +-static int sbp2_module_init(void)
51084 ++static int __init sbp2_module_init(void)
51085 + {
51086 + int ret;
51087 +
51088 +diff -urNp linux-2.6.24.5/drivers/ieee1394/video1394.c linux-2.6.24.5/drivers/ieee1394/video1394.c
51089 +--- linux-2.6.24.5/drivers/ieee1394/video1394.c 2008-03-24 14:49:18.000000000 -0400
51090 ++++ linux-2.6.24.5/drivers/ieee1394/video1394.c 2008-03-26 20:21:08.000000000 -0400
51091 +@@ -893,7 +893,7 @@ static long video1394_ioctl(struct file
51092 + if (unlikely(d == NULL))
51093 + return -EFAULT;
51094 +
51095 +- if (unlikely((v.buffer<0) || (v.buffer>=d->num_desc - 1))) {
51096 ++ if (unlikely(v.buffer>=d->num_desc - 1)) {
51097 + PRINT(KERN_ERR, ohci->host->id,
51098 + "Buffer %d out of range",v.buffer);
51099 + return -EINVAL;
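Review bot: removing `v.buffer<0` is correct only because `buffer` in `struct video1394_wait` is `unsigned int`, so the test could never be true and the remaining `v.buffer>=d->num_desc - 1` still rejects every out-of-range index supplied from userspace; a note to that effect in the patch description would save the next reviewer a trip to the uapi header. The same applies to the three sibling hunks in this file.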
51100 +@@ -959,7 +959,7 @@ static long video1394_ioctl(struct file
51101 + if (unlikely(d == NULL))
51102 + return -EFAULT;
51103 +
51104 +- if (unlikely((v.buffer<0) || (v.buffer>d->num_desc - 1))) {
51105 ++ if (unlikely(v.buffer>d->num_desc - 1)) {
51106 + PRINT(KERN_ERR, ohci->host->id,
51107 + "Buffer %d out of range",v.buffer);
51108 + return -EINVAL;
51109 +@@ -1030,7 +1030,7 @@ static long video1394_ioctl(struct file
51110 + d = find_ctx(&ctx->context_list, OHCI_ISO_TRANSMIT, v.channel);
51111 + if (d == NULL) return -EFAULT;
51112 +
51113 +- if ((v.buffer<0) || (v.buffer>=d->num_desc - 1)) {
51114 ++ if (v.buffer>=d->num_desc - 1) {
51115 + PRINT(KERN_ERR, ohci->host->id,
51116 + "Buffer %d out of range",v.buffer);
51117 + return -EINVAL;
51118 +@@ -1137,7 +1137,7 @@ static long video1394_ioctl(struct file
51119 + d = find_ctx(&ctx->context_list, OHCI_ISO_TRANSMIT, v.channel);
51120 + if (d == NULL) return -EFAULT;
51121 +
51122 +- if ((v.buffer<0) || (v.buffer>=d->num_desc-1)) {
51123 ++ if (v.buffer>=d->num_desc-1) {
51124 + PRINT(KERN_ERR, ohci->host->id,
51125 + "Buffer %d out of range",v.buffer);
51126 + return -EINVAL;
51127 +@@ -1309,7 +1309,7 @@ static struct ieee1394_device_id video13
51128 + .specifier_id = CAMERA_UNIT_SPEC_ID_ENTRY & 0xffffff,
51129 + .version = (CAMERA_SW_VERSION_ENTRY + 2) & 0xffffff
51130 + },
51131 +- { }
51132 ++ { 0, 0, 0, 0, 0, 0 }
51133 + };
51134 +
51135 + MODULE_DEVICE_TABLE(ieee1394, video1394_id_table);
51136 +diff -urNp linux-2.6.24.5/drivers/input/keyboard/atkbd.c linux-2.6.24.5/drivers/input/keyboard/atkbd.c
51137 +--- linux-2.6.24.5/drivers/input/keyboard/atkbd.c 2008-03-24 14:49:18.000000000 -0400
51138 ++++ linux-2.6.24.5/drivers/input/keyboard/atkbd.c 2008-03-26 20:21:08.000000000 -0400
51139 +@@ -1080,7 +1080,7 @@ static struct serio_device_id atkbd_seri
51140 + .id = SERIO_ANY,
51141 + .extra = SERIO_ANY,
51142 + },
51143 +- { 0 }
51144 ++ { 0, 0, 0, 0 }
51145 + };
51146 +
51147 + MODULE_DEVICE_TABLE(serio, atkbd_serio_ids);
51148 +diff -urNp linux-2.6.24.5/drivers/input/mouse/lifebook.c linux-2.6.24.5/drivers/input/mouse/lifebook.c
51149 +--- linux-2.6.24.5/drivers/input/mouse/lifebook.c 2008-03-24 14:49:18.000000000 -0400
51150 ++++ linux-2.6.24.5/drivers/input/mouse/lifebook.c 2008-03-26 20:21:08.000000000 -0400
51151 +@@ -110,7 +110,7 @@ static const struct dmi_system_id lifebo
51152 + DMI_MATCH(DMI_PRODUCT_NAME, "LifeBook B142"),
51153 + },
51154 + },
51155 +- { }
51156 ++ { NULL, NULL, {DMI_MATCH(DMI_NONE, NULL)}, NULL}
51157 + };
51158 +
51159 + static psmouse_ret_t lifebook_process_byte(struct psmouse *psmouse)
51160 +diff -urNp linux-2.6.24.5/drivers/input/mouse/psmouse-base.c linux-2.6.24.5/drivers/input/mouse/psmouse-base.c
51161 +--- linux-2.6.24.5/drivers/input/mouse/psmouse-base.c 2008-03-24 14:49:18.000000000 -0400
51162 ++++ linux-2.6.24.5/drivers/input/mouse/psmouse-base.c 2008-03-26 20:21:08.000000000 -0400
51163 +@@ -1329,7 +1329,7 @@ static struct serio_device_id psmouse_se
51164 + .id = SERIO_ANY,
51165 + .extra = SERIO_ANY,
51166 + },
51167 +- { 0 }
51168 ++ { 0, 0, 0, 0 }
51169 + };
51170 +
51171 + MODULE_DEVICE_TABLE(serio, psmouse_serio_ids);
51172 +diff -urNp linux-2.6.24.5/drivers/input/mouse/synaptics.c linux-2.6.24.5/drivers/input/mouse/synaptics.c
51173 +--- linux-2.6.24.5/drivers/input/mouse/synaptics.c 2008-03-24 14:49:18.000000000 -0400
51174 ++++ linux-2.6.24.5/drivers/input/mouse/synaptics.c 2008-03-26 20:21:08.000000000 -0400
51175 +@@ -417,7 +417,7 @@ static void synaptics_process_packet(str
51176 + break;
51177 + case 2:
51178 + if (SYN_MODEL_PEN(priv->model_id))
51179 +- ; /* Nothing, treat a pen as a single finger */
51180 ++ break; /* Nothing, treat a pen as a single finger */
51181 + break;
51182 + case 4 ... 15:
51183 + if (SYN_CAP_PALMDETECT(priv->capabilities))
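Review bot: turning the empty statement into `break;` leaves two consecutive `break` statements in `case 2:`, the second unreachable, which reads like an editing mistake to anyone who does not know it was done to silence an empty-body warning; behaviour is unchanged either way, so either drop the `if` entirely (the comment already says a pen is treated as a single finger) or keep the original form and pass `-Wno-empty-body`.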
51184 +@@ -624,7 +624,7 @@ static const struct dmi_system_id toshib
51185 + DMI_MATCH(DMI_PRODUCT_NAME, "PORTEGE M300"),
51186 + },
51187 + },
51188 +- { }
51189 ++ { NULL, NULL, {DMI_MATCH(DMI_NONE, NULL)}, NULL }
51190 + };
51191 + #endif
51192 +
51193 +diff -urNp linux-2.6.24.5/drivers/input/mousedev.c linux-2.6.24.5/drivers/input/mousedev.c
51194 +--- linux-2.6.24.5/drivers/input/mousedev.c 2008-03-24 14:49:18.000000000 -0400
51195 ++++ linux-2.6.24.5/drivers/input/mousedev.c 2008-03-26 20:21:08.000000000 -0400
51196 +@@ -1056,7 +1056,7 @@ static struct input_handler mousedev_han
51197 +
51198 + #ifdef CONFIG_INPUT_MOUSEDEV_PSAUX
51199 + static struct miscdevice psaux_mouse = {
51200 +- PSMOUSE_MINOR, "psaux", &mousedev_fops
51201 ++ PSMOUSE_MINOR, "psaux", &mousedev_fops, {NULL, NULL}, NULL, NULL
51202 + };
51203 + static int psaux_registered;
51204 + #endif
51205 +diff -urNp linux-2.6.24.5/drivers/input/serio/i8042-x86ia64io.h linux-2.6.24.5/drivers/input/serio/i8042-x86ia64io.h
51206 +--- linux-2.6.24.5/drivers/input/serio/i8042-x86ia64io.h 2008-03-24 14:49:18.000000000 -0400
51207 ++++ linux-2.6.24.5/drivers/input/serio/i8042-x86ia64io.h 2008-03-26 20:21:08.000000000 -0400
51208 +@@ -118,7 +118,7 @@ static struct dmi_system_id __initdata i
51209 + DMI_MATCH(DMI_PRODUCT_VERSION, "VS2005R2"),
51210 + },
51211 + },
51212 +- { }
51213 ++ { NULL, NULL, {DMI_MATCH(DMI_NONE, NULL)}, NULL }
51214 + };
51215 +
51216 + /*
51217 +@@ -270,7 +270,7 @@ static struct dmi_system_id __initdata i
51218 + DMI_MATCH(DMI_PRODUCT_NAME, "M636/A737 platform"),
51219 + },
51220 + },
51221 +- { }
51222 ++ { NULL, NULL, {DMI_MATCH(DMI_NONE, NULL)}, NULL }
51223 + };
51224 +
51225 +
51226 +diff -urNp linux-2.6.24.5/drivers/input/serio/serio_raw.c linux-2.6.24.5/drivers/input/serio/serio_raw.c
51227 +--- linux-2.6.24.5/drivers/input/serio/serio_raw.c 2008-03-24 14:49:18.000000000 -0400
51228 ++++ linux-2.6.24.5/drivers/input/serio/serio_raw.c 2008-03-26 20:21:08.000000000 -0400
51229 +@@ -369,7 +369,7 @@ static struct serio_device_id serio_raw_
51230 + .id = SERIO_ANY,
51231 + .extra = SERIO_ANY,
51232 + },
51233 +- { 0 }
51234 ++ { 0, 0, 0, 0 }
51235 + };
51236 +
51237 + MODULE_DEVICE_TABLE(serio, serio_raw_serio_ids);
51238 +diff -urNp linux-2.6.24.5/drivers/kvm/kvm_main.c linux-2.6.24.5/drivers/kvm/kvm_main.c
51239 +--- linux-2.6.24.5/drivers/kvm/kvm_main.c 2008-03-24 14:49:18.000000000 -0400
51240 ++++ linux-2.6.24.5/drivers/kvm/kvm_main.c 2008-03-26 20:21:08.000000000 -0400
51241 +@@ -67,22 +67,22 @@ static struct kvm_stats_debugfs_item {
51242 + int offset;
51243 + struct dentry *dentry;
51244 + } debugfs_entries[] = {
51245 +- { "pf_fixed", STAT_OFFSET(pf_fixed) },
51246 +- { "pf_guest", STAT_OFFSET(pf_guest) },
51247 +- { "tlb_flush", STAT_OFFSET(tlb_flush) },
51248 +- { "invlpg", STAT_OFFSET(invlpg) },
51249 +- { "exits", STAT_OFFSET(exits) },
51250 +- { "io_exits", STAT_OFFSET(io_exits) },
51251 +- { "mmio_exits", STAT_OFFSET(mmio_exits) },
51252 +- { "signal_exits", STAT_OFFSET(signal_exits) },
51253 +- { "irq_window", STAT_OFFSET(irq_window_exits) },
51254 +- { "halt_exits", STAT_OFFSET(halt_exits) },
51255 +- { "halt_wakeup", STAT_OFFSET(halt_wakeup) },
51256 +- { "request_irq", STAT_OFFSET(request_irq_exits) },
51257 +- { "irq_exits", STAT_OFFSET(irq_exits) },
51258 +- { "light_exits", STAT_OFFSET(light_exits) },
51259 +- { "efer_reload", STAT_OFFSET(efer_reload) },
51260 +- { NULL }
51261 ++ { "pf_fixed", STAT_OFFSET(pf_fixed), NULL },
51262 ++ { "pf_guest", STAT_OFFSET(pf_guest), NULL },
51263 ++ { "tlb_flush", STAT_OFFSET(tlb_flush), NULL },
51264 ++ { "invlpg", STAT_OFFSET(invlpg), NULL },
51265 ++ { "exits", STAT_OFFSET(exits), NULL },
51266 ++ { "io_exits", STAT_OFFSET(io_exits), NULL },
51267 ++ { "mmio_exits", STAT_OFFSET(mmio_exits), NULL },
51268 ++ { "signal_exits", STAT_OFFSET(signal_exits), NULL },
51269 ++ { "irq_window", STAT_OFFSET(irq_window_exits), NULL },
51270 ++ { "halt_exits", STAT_OFFSET(halt_exits), NULL },
51271 ++ { "halt_wakeup", STAT_OFFSET(halt_wakeup), NULL },
51272 ++ { "request_irq", STAT_OFFSET(request_irq_exits), NULL },
51273 ++ { "irq_exits", STAT_OFFSET(irq_exits), NULL },
51274 ++ { "light_exits", STAT_OFFSET(light_exits), NULL },
51275 ++ { "efer_reload", STAT_OFFSET(efer_reload), NULL },
51276 ++ { NULL, 0, NULL }
51277 + };
51278 +
51279 + static struct dentry *debugfs_dir;
51280 +@@ -2505,7 +2505,7 @@ static int kvm_vcpu_ioctl_translate(stru
51281 + static int kvm_vcpu_ioctl_interrupt(struct kvm_vcpu *vcpu,
51282 + struct kvm_interrupt *irq)
51283 + {
51284 +- if (irq->irq < 0 || irq->irq >= 256)
51285 ++ if (irq->irq >= 256)
51286 + return -EINVAL;
51287 + if (irqchip_in_kernel(vcpu->kvm))
51288 + return -ENXIO;
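Review bot: dropping `irq->irq < 0` from kvm_vcpu_ioctl_interrupt() is only a no-op if the field is unsigned; the hunk does not show struct kvm_interrupt, and in 2.6.24's kvm.h `irq` is a `__u32`, so the remaining `>= 256` test is the complete bound. Because this is user-facing ioctl validation, the changelog or a comment should say explicitly that a dead signed comparison was removed rather than a range check relaxed, otherwise anyone auditing this patch for "removed bounds check in ioctl" will stop here.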
51289 +@@ -3250,6 +3250,9 @@ static struct miscdevice kvm_dev = {
51290 + KVM_MINOR,
51291 + "kvm",
51292 + &kvm_chardev_ops,
51293 ++ {NULL, NULL},
51294 ++ NULL,
51295 ++ NULL
51296 + };
51297 +
51298 + /*
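Review bot: the positional `{NULL, NULL}, NULL, NULL` appended to kvm_dev enumerates the list, parent and this_device members of struct miscdevice that this driver never sets, so the initializer now depends on that struct's exact layout. Designated initializers (`.minor = KVM_MINOR, .name = "kvm", .fops = &kvm_chardev_ops`) silence the same warning without that dependency and are the more common kernel style for miscdevice.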
51299 +diff -urNp linux-2.6.24.5/drivers/kvm/svm.c linux-2.6.24.5/drivers/kvm/svm.c
51300 +--- linux-2.6.24.5/drivers/kvm/svm.c 2008-03-24 14:49:18.000000000 -0400
51301 ++++ linux-2.6.24.5/drivers/kvm/svm.c 2008-03-26 20:21:08.000000000 -0400
51302 +@@ -1307,8 +1307,20 @@ static void reload_tss(struct kvm_vcpu *
51303 + int cpu = raw_smp_processor_id();
51304 +
51305 + struct svm_cpu_data *svm_data = per_cpu(svm_data, cpu);
51306 ++
51307 ++#ifdef CONFIG_PAX_KERNEXEC
51308 ++ unsigned long cr0;
51309 ++
51310 ++ pax_open_kernel(cr0);
51311 ++#endif
51312 ++
51313 + svm_data->tss_desc->type = 9; //available 32/64-bit TSS
51314 + load_TR_desc();
51315 ++
51316 ++#ifdef CONFIG_PAX_KERNEXEC
51317 ++ pax_close_kernel(cr0);
51318 ++#endif
51319 ++
51320 + }
51321 +
51322 + static void pre_svm_run(struct vcpu_svm *svm)
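Review bot: pax_close_kernel(cr0) is correctly placed after load_TR_desc() rather than right after the `type = 9` store: ltr sets the busy bit in the TSS descriptor (type 9 becomes 11), which is a hardware write into the GDT, so with KERNEXEC's read-only GDT closing the window before the ltr would fault on the descriptor update. A one-line comment at the close saying so would stop a later cleanup from "tightening" the window; also, this hunk puts the `unsigned long cr0;` declaration and the open call in one #ifdef block while the vmx.c hunk splits them, and picking one layout for both files would make the KERNEXEC additions easier to grep.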
51323 +diff -urNp linux-2.6.24.5/drivers/kvm/vmx.c linux-2.6.24.5/drivers/kvm/vmx.c
51324 +--- linux-2.6.24.5/drivers/kvm/vmx.c 2008-03-24 14:49:18.000000000 -0400
51325 ++++ linux-2.6.24.5/drivers/kvm/vmx.c 2008-03-26 20:21:08.000000000 -0400
51326 +@@ -335,10 +335,24 @@ static void reload_tss(void)
51327 + struct descriptor_table gdt;
51328 + struct segment_descriptor *descs;
51329 +
51330 ++#ifdef CONFIG_PAX_KERNEXEC
51331 ++ unsigned long cr0;
51332 ++#endif
51333 ++
51334 + get_gdt(&gdt);
51335 + descs = (void *)gdt.base;
51336 ++
51337 ++#ifdef CONFIG_PAX_KERNEXEC
51338 ++ pax_open_kernel(cr0);
51339 ++#endif
51340 ++
51341 + descs[GDT_ENTRY_TSS].type = 9; /* available TSS */
51342 + load_TR_desc();
51343 ++
51344 ++#ifdef CONFIG_PAX_KERNEXEC
51345 ++ pax_close_kernel(cr0);
51346 ++#endif
51347 ++
51348 + #endif
51349 + }
51350 +
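Review bot: here the write goes straight into the live GDT through `descs = (void *)gdt.base`, which is precisely the memory KERNEXEC makes read-only, so the pax_open_kernel()/pax_close_kernel() pair is mandatory rather than defensive and must stay around both the `type = 9` store and load_TR_desc() (ltr writes the busy bit back into the same descriptor). The new inner `#endif` now sits directly above the pre-existing outer `#endif` whose condition is outside the hunk; tagging each with a trailing `/* CONFIG_PAX_KERNEXEC */` style comment would make the nesting readable.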
51351 +@@ -2322,7 +2336,7 @@ static void vmx_vcpu_run(struct kvm_vcpu
51352 +
51353 + vcpu->interrupt_window_open = (vmcs_read32(GUEST_INTERRUPTIBILITY_INFO) & 3) == 0;
51354 +
51355 +- asm ("mov %0, %%ds; mov %0, %%es" : : "r"(__USER_DS));
51356 ++ asm ("mov %0, %%ds; mov %0, %%es" : : "r"(__KERNEL_DS));
51357 + vmx->launched = 1;
51358 +
51359 + intr_info = vmcs_read32(VM_EXIT_INTR_INFO);
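Review bot: reloading ds/es with __KERNEL_DS instead of __USER_DS on the VM-exit path is unconditional and has no comment explaining why; the reason is that PaX's segmentation-based kernel/user separation on i386 expects kernel code to run with the kernel data selector in ds/es, and VM exit leaves those registers in a state the host must repair. On x86-64 the two selectors differ only in privilege level (base and limit are ignored in long mode), so the change is behaviour-neutral there; a comment stating both halves of that would prevent this from being reverted as a stray selector mix-up.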
51360 +diff -urNp linux-2.6.24.5/drivers/md/bitmap.c linux-2.6.24.5/drivers/md/bitmap.c
51361 +--- linux-2.6.24.5/drivers/md/bitmap.c 2008-03-24 14:49:18.000000000 -0400
51362 ++++ linux-2.6.24.5/drivers/md/bitmap.c 2008-03-26 20:21:08.000000000 -0400
51363 +@@ -57,7 +57,7 @@
51364 + # if DEBUG > 0
51365 + # define PRINTK(x...) printk(KERN_DEBUG x)
51366 + # else
51367 +-# define PRINTK(x...)
51368 ++# define PRINTK(x...) do {} while (0)
51369 + # endif
51370 + #endif
51371 +
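Review bot: `do {} while (0)` for the empty PRINTK expansion is the right idiom: a bare empty expansion leaves `if (x) PRINTK(...); else ...` with a dangling `;` and triggers empty-body warnings. The same substitution recurs in this patch for rx_align (eepro100.c), SCSI_CHECK_LOGGING, US_DEBUGP/US_DEBUGPX/US_DEBUG (usb/storage/debug.h) and DPRINTK (fbmon.c) and is safe wherever the macro is only used in statement position; US_DEBUG(x) expands to plain `x` in the debug build, so it is worth confirming no caller uses it inside an expression.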
51372 +diff -urNp linux-2.6.24.5/drivers/mtd/devices/doc2000.c linux-2.6.24.5/drivers/mtd/devices/doc2000.c
51373 +--- linux-2.6.24.5/drivers/mtd/devices/doc2000.c 2008-03-24 14:49:18.000000000 -0400
51374 ++++ linux-2.6.24.5/drivers/mtd/devices/doc2000.c 2008-03-26 20:21:08.000000000 -0400
51375 +@@ -632,7 +632,7 @@ static int doc_read(struct mtd_info *mtd
51376 + len = ((from | 0x1ff) + 1) - from;
51377 +
51378 + /* The ECC will not be calculated correctly if less than 512 is read */
51379 +- if (len != 0x200 && eccbuf)
51380 ++ if (len != 0x200)
51381 + printk(KERN_WARNING
51382 + "ECC needs a full sector read (adr: %lx size %lx)\n",
51383 + (long) from, (long) len);
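Review bot: removing `&& eccbuf` from the warning condition in doc_read() is behaviour-preserving only if `eccbuf` is an array local (its address is always non-NULL, which is the "address will always evaluate as true" warning this hunk is silencing); the declaration is outside the hunk, so the changelog should state that. If `eccbuf` could ever be NULL the warning would now fire for every sub-sector read, so the same check is worth doing for the matching `if (eccbuf && before)` to `if (before)` change in doc2001plus.c doc_write().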
51384 +diff -urNp linux-2.6.24.5/drivers/mtd/devices/doc2001.c linux-2.6.24.5/drivers/mtd/devices/doc2001.c
51385 +--- linux-2.6.24.5/drivers/mtd/devices/doc2001.c 2008-03-24 14:49:18.000000000 -0400
51386 ++++ linux-2.6.24.5/drivers/mtd/devices/doc2001.c 2008-03-26 20:21:08.000000000 -0400
51387 +@@ -398,6 +398,8 @@ static int doc_read (struct mtd_info *mt
51388 + /* Don't allow read past end of device */
51389 + if (from >= this->totlen)
51390 + return -EINVAL;
51391 ++ if (!len)
51392 ++ return -EINVAL;
51393 +
51394 + /* Don't allow a single read to cross a 512-byte block boundary */
51395 + if (from + len > ((from | 0x1ff) + 1))
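Review bot: rejecting `len == 0` with -EINVAL in doc_read() changes the contract for callers; most MTD read paths treat a zero-length read as a successful no-op (return 0 with `*retlen = 0`), so a caller that probes with `len = 0` will now see an error. If the goal is to stop a zero-length request from reaching the block-boundary check and the read loop below, returning 0 after setting `*retlen = 0` achieves that without turning a harmless request into a failure.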
51396 +diff -urNp linux-2.6.24.5/drivers/mtd/devices/doc2001plus.c linux-2.6.24.5/drivers/mtd/devices/doc2001plus.c
51397 +--- linux-2.6.24.5/drivers/mtd/devices/doc2001plus.c 2008-03-24 14:49:18.000000000 -0400
51398 ++++ linux-2.6.24.5/drivers/mtd/devices/doc2001plus.c 2008-03-26 20:21:08.000000000 -0400
51399 +@@ -748,7 +748,7 @@ static int doc_write(struct mtd_info *mt
51400 + WriteDOC(DoC_GetDataOffset(mtd, &fto), docptr, Mplus_FlashCmd);
51401 +
51402 + /* On interleaved devices the flags for 2nd half 512 are before data */
51403 +- if (eccbuf && before)
51404 ++ if (before)
51405 + fto -= 2;
51406 +
51407 + /* issue the Serial Data In command to initial the Page Program process */
51408 +diff -urNp linux-2.6.24.5/drivers/mtd/devices/slram.c linux-2.6.24.5/drivers/mtd/devices/slram.c
51409 +--- linux-2.6.24.5/drivers/mtd/devices/slram.c 2008-03-24 14:49:18.000000000 -0400
51410 ++++ linux-2.6.24.5/drivers/mtd/devices/slram.c 2008-03-26 20:21:08.000000000 -0400
51411 +@@ -270,7 +270,7 @@ static int parse_cmdline(char *devname,
51412 + }
51413 + T("slram: devname=%s, devstart=0x%lx, devlength=0x%lx\n",
51414 + devname, devstart, devlength);
51415 +- if ((devstart < 0) || (devlength < 0) || (devlength % SLRAM_BLK_SZ != 0)) {
51416 ++ if (devlength % SLRAM_BLK_SZ != 0) {
51417 + E("slram: Illegal start / length parameter.\n");
51418 + return(-EINVAL);
51419 + }
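Review bot: the dropped `(devstart < 0) || (devlength < 0)` tests were dead if both variables are unsigned, which the `0x%lx` format in the T() call just above strongly suggests (the declarations are outside the hunk). The E() message still says "Illegal start / length parameter" while only the length alignment is now checked; either adjust the message or confirm that devstart has no constraint here.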
51420 +diff -urNp linux-2.6.24.5/drivers/mtd/ubi/build.c linux-2.6.24.5/drivers/mtd/ubi/build.c
51421 +--- linux-2.6.24.5/drivers/mtd/ubi/build.c 2008-03-24 14:49:18.000000000 -0400
51422 ++++ linux-2.6.24.5/drivers/mtd/ubi/build.c 2008-03-26 20:21:08.000000000 -0400
51423 +@@ -753,7 +753,7 @@ static int __init bytes_str_to_int(const
51424 + unsigned long result;
51425 +
51426 + result = simple_strtoul(str, &endp, 0);
51427 +- if (str == endp || result < 0) {
51428 ++ if (str == endp) {
51429 + printk("UBI error: incorrect bytes count: \"%s\"\n", str);
51430 + return -EINVAL;
51431 + }
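Review bot: `result < 0` was dead code since `result` is declared `unsigned long` in the hunk, so the removal is correct. What the original author probably wanted is still missing: simple_strtoul() accepts a leading '-' (it wraps to a huge value) and saturates on overflow, so if bytes_str_to_int() returns `int` the value can still be truncated; an explicit `if (*str == '-' || result > INT_MAX)` style check would catch the case the dead comparison was meant to.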
51432 +diff -urNp linux-2.6.24.5/drivers/net/eepro100.c linux-2.6.24.5/drivers/net/eepro100.c
51433 +--- linux-2.6.24.5/drivers/net/eepro100.c 2008-03-24 14:49:18.000000000 -0400
51434 ++++ linux-2.6.24.5/drivers/net/eepro100.c 2008-03-26 20:21:08.000000000 -0400
51435 +@@ -47,7 +47,7 @@ static int rxdmacount /* = 0 */;
51436 + # define rx_align(skb) skb_reserve((skb), 2)
51437 + # define RxFD_ALIGNMENT __attribute__ ((aligned (2), packed))
51438 + #else
51439 +-# define rx_align(skb)
51440 ++# define rx_align(skb) do {} while (0)
51441 + # define RxFD_ALIGNMENT
51442 + #endif
51443 +
51444 +@@ -2340,33 +2340,33 @@ static void __devexit eepro100_remove_on
51445 + }
51446 +
51447 + static struct pci_device_id eepro100_pci_tbl[] = {
51448 +- { PCI_VENDOR_ID_INTEL, 0x1229, PCI_ANY_ID, PCI_ANY_ID, },
51449 +- { PCI_VENDOR_ID_INTEL, 0x1209, PCI_ANY_ID, PCI_ANY_ID, },
51450 +- { PCI_VENDOR_ID_INTEL, 0x1029, PCI_ANY_ID, PCI_ANY_ID, },
51451 +- { PCI_VENDOR_ID_INTEL, 0x1030, PCI_ANY_ID, PCI_ANY_ID, },
51452 +- { PCI_VENDOR_ID_INTEL, 0x1031, PCI_ANY_ID, PCI_ANY_ID, },
51453 +- { PCI_VENDOR_ID_INTEL, 0x1032, PCI_ANY_ID, PCI_ANY_ID, },
51454 +- { PCI_VENDOR_ID_INTEL, 0x1033, PCI_ANY_ID, PCI_ANY_ID, },
51455 +- { PCI_VENDOR_ID_INTEL, 0x1034, PCI_ANY_ID, PCI_ANY_ID, },
51456 +- { PCI_VENDOR_ID_INTEL, 0x1035, PCI_ANY_ID, PCI_ANY_ID, },
51457 +- { PCI_VENDOR_ID_INTEL, 0x1036, PCI_ANY_ID, PCI_ANY_ID, },
51458 +- { PCI_VENDOR_ID_INTEL, 0x1037, PCI_ANY_ID, PCI_ANY_ID, },
51459 +- { PCI_VENDOR_ID_INTEL, 0x1038, PCI_ANY_ID, PCI_ANY_ID, },
51460 +- { PCI_VENDOR_ID_INTEL, 0x1039, PCI_ANY_ID, PCI_ANY_ID, },
51461 +- { PCI_VENDOR_ID_INTEL, 0x103A, PCI_ANY_ID, PCI_ANY_ID, },
51462 +- { PCI_VENDOR_ID_INTEL, 0x103B, PCI_ANY_ID, PCI_ANY_ID, },
51463 +- { PCI_VENDOR_ID_INTEL, 0x103C, PCI_ANY_ID, PCI_ANY_ID, },
51464 +- { PCI_VENDOR_ID_INTEL, 0x103D, PCI_ANY_ID, PCI_ANY_ID, },
51465 +- { PCI_VENDOR_ID_INTEL, 0x103E, PCI_ANY_ID, PCI_ANY_ID, },
51466 +- { PCI_VENDOR_ID_INTEL, 0x1050, PCI_ANY_ID, PCI_ANY_ID, },
51467 +- { PCI_VENDOR_ID_INTEL, 0x1059, PCI_ANY_ID, PCI_ANY_ID, },
51468 +- { PCI_VENDOR_ID_INTEL, 0x1227, PCI_ANY_ID, PCI_ANY_ID, },
51469 +- { PCI_VENDOR_ID_INTEL, 0x2449, PCI_ANY_ID, PCI_ANY_ID, },
51470 +- { PCI_VENDOR_ID_INTEL, 0x2459, PCI_ANY_ID, PCI_ANY_ID, },
51471 +- { PCI_VENDOR_ID_INTEL, 0x245D, PCI_ANY_ID, PCI_ANY_ID, },
51472 +- { PCI_VENDOR_ID_INTEL, 0x5200, PCI_ANY_ID, PCI_ANY_ID, },
51473 +- { PCI_VENDOR_ID_INTEL, 0x5201, PCI_ANY_ID, PCI_ANY_ID, },
51474 +- { 0,}
51475 ++ { PCI_VENDOR_ID_INTEL, 0x1229, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
51476 ++ { PCI_VENDOR_ID_INTEL, 0x1209, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
51477 ++ { PCI_VENDOR_ID_INTEL, 0x1029, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
51478 ++ { PCI_VENDOR_ID_INTEL, 0x1030, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
51479 ++ { PCI_VENDOR_ID_INTEL, 0x1031, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
51480 ++ { PCI_VENDOR_ID_INTEL, 0x1032, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
51481 ++ { PCI_VENDOR_ID_INTEL, 0x1033, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
51482 ++ { PCI_VENDOR_ID_INTEL, 0x1034, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
51483 ++ { PCI_VENDOR_ID_INTEL, 0x1035, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
51484 ++ { PCI_VENDOR_ID_INTEL, 0x1036, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
51485 ++ { PCI_VENDOR_ID_INTEL, 0x1037, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
51486 ++ { PCI_VENDOR_ID_INTEL, 0x1038, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
51487 ++ { PCI_VENDOR_ID_INTEL, 0x1039, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
51488 ++ { PCI_VENDOR_ID_INTEL, 0x103A, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
51489 ++ { PCI_VENDOR_ID_INTEL, 0x103B, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
51490 ++ { PCI_VENDOR_ID_INTEL, 0x103C, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
51491 ++ { PCI_VENDOR_ID_INTEL, 0x103D, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
51492 ++ { PCI_VENDOR_ID_INTEL, 0x103E, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
51493 ++ { PCI_VENDOR_ID_INTEL, 0x1050, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
51494 ++ { PCI_VENDOR_ID_INTEL, 0x1059, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
51495 ++ { PCI_VENDOR_ID_INTEL, 0x1227, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
51496 ++ { PCI_VENDOR_ID_INTEL, 0x2449, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
51497 ++ { PCI_VENDOR_ID_INTEL, 0x2459, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
51498 ++ { PCI_VENDOR_ID_INTEL, 0x245D, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
51499 ++ { PCI_VENDOR_ID_INTEL, 0x5200, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
51500 ++ { PCI_VENDOR_ID_INTEL, 0x5201, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
51501 ++ { 0, 0, 0, 0, 0, 0, 0 }
51502 + };
51503 + MODULE_DEVICE_TABLE(pci, eepro100_pci_tbl);
51504 +
51505 +diff -urNp linux-2.6.24.5/drivers/net/irda/vlsi_ir.c linux-2.6.24.5/drivers/net/irda/vlsi_ir.c
51506 +--- linux-2.6.24.5/drivers/net/irda/vlsi_ir.c 2008-03-24 14:49:18.000000000 -0400
51507 ++++ linux-2.6.24.5/drivers/net/irda/vlsi_ir.c 2008-03-26 20:21:08.000000000 -0400
51508 +@@ -906,13 +906,12 @@ static int vlsi_hard_start_xmit(struct s
51509 + /* no race - tx-ring already empty */
51510 + vlsi_set_baud(idev, iobase);
51511 + netif_wake_queue(ndev);
51512 +- }
51513 +- else
51514 +- ;
51515 ++ } else {
51516 + /* keep the speed change pending like it would
51517 + * for any len>0 packet. tx completion interrupt
51518 + * will apply it when the tx ring becomes empty.
51519 + */
51520 ++ }
51521 + spin_unlock_irqrestore(&idev->lock, flags);
51522 + dev_kfree_skb_any(skb);
51523 + return 0;
51524 +diff -urNp linux-2.6.24.5/drivers/net/pcnet32.c linux-2.6.24.5/drivers/net/pcnet32.c
51525 +--- linux-2.6.24.5/drivers/net/pcnet32.c 2008-03-24 14:49:18.000000000 -0400
51526 ++++ linux-2.6.24.5/drivers/net/pcnet32.c 2008-03-26 20:21:08.000000000 -0400
51527 +@@ -82,7 +82,7 @@ static int cards_found;
51528 + /*
51529 + * VLB I/O addresses
51530 + */
51531 +-static unsigned int pcnet32_portlist[] __initdata =
51532 ++static unsigned int pcnet32_portlist[] __devinitdata =
51533 + { 0x300, 0x320, 0x340, 0x360, 0 };
51534 +
51535 + static int pcnet32_debug = 0;
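Review bot: changing pcnet32_portlist from `__initdata` to `__devinitdata` fixes a section mismatch rather than a style issue: `__initdata` memory is freed once boot finishes, so any reference from `__devinit` probe code that can run later (hotplug or a late module bind) would read freed memory. The hunk does not show the reader of this array, so the changelog should name it (the VLB probe path) to make the reason for the attribute change verifiable.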
51536 +diff -urNp linux-2.6.24.5/drivers/net/tg3.h linux-2.6.24.5/drivers/net/tg3.h
51537 +--- linux-2.6.24.5/drivers/net/tg3.h 2008-03-24 14:49:18.000000000 -0400
51538 ++++ linux-2.6.24.5/drivers/net/tg3.h 2008-03-26 20:21:08.000000000 -0400
51539 +@@ -102,6 +102,7 @@
51540 + #define CHIPREV_ID_5750_A0 0x4000
51541 + #define CHIPREV_ID_5750_A1 0x4001
51542 + #define CHIPREV_ID_5750_A3 0x4003
51543 ++#define CHIPREV_ID_5750_C1 0x4201
51544 + #define CHIPREV_ID_5750_C2 0x4202
51545 + #define CHIPREV_ID_5752_A0_HW 0x5000
51546 + #define CHIPREV_ID_5752_A0 0x6000
51547 +diff -urNp linux-2.6.24.5/drivers/pci/hotplug/cpqphp_nvram.c linux-2.6.24.5/drivers/pci/hotplug/cpqphp_nvram.c
51548 +--- linux-2.6.24.5/drivers/pci/hotplug/cpqphp_nvram.c 2008-03-24 14:49:18.000000000 -0400
51549 ++++ linux-2.6.24.5/drivers/pci/hotplug/cpqphp_nvram.c 2008-03-26 20:21:08.000000000 -0400
51550 +@@ -425,9 +425,13 @@ static u32 store_HRT (void __iomem *rom_
51551 +
51552 + void compaq_nvram_init (void __iomem *rom_start)
51553 + {
51554 ++
51555 ++#ifndef CONFIG_PAX_KERNEXEC
51556 + if (rom_start) {
51557 + compaq_int15_entry_point = (rom_start + ROM_INT15_PHY_ADDR - ROM_PHY_ADDR);
51558 + }
51559 ++#endif
51560 ++
51561 + dbg("int15 entry = %p\n", compaq_int15_entry_point);
51562 +
51563 + /* initialize our int15 lock */
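Review bot: under CONFIG_PAX_KERNEXEC compaq_int15_entry_point is left at its static default because KERNEXEC will not let the kernel jump into the option ROM; the `dbg()` right after then prints that default value. The hunk does not show the consumers of compaq_int15_entry_point, so please confirm that every path that would call through it checks for the unset value first, otherwise a KERNEXEC build turns a working hotplug NVRAM path into a call through a NULL (or stale) pointer instead of a clean -ENODEV.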
51564 +diff -urNp linux-2.6.24.5/drivers/pci/pcie/aer/aerdrv.c linux-2.6.24.5/drivers/pci/pcie/aer/aerdrv.c
51565 +--- linux-2.6.24.5/drivers/pci/pcie/aer/aerdrv.c 2008-03-24 14:49:18.000000000 -0400
51566 ++++ linux-2.6.24.5/drivers/pci/pcie/aer/aerdrv.c 2008-03-26 20:21:08.000000000 -0400
51567 +@@ -58,7 +58,7 @@ static struct pcie_port_service_id aer_i
51568 + .port_type = PCIE_RC_PORT,
51569 + .service_type = PCIE_PORT_SERVICE_AER,
51570 + },
51571 +- { /* end: all zeroes */ }
51572 ++ { 0, 0, 0, 0, 0, 0, 0, 0, 0 }
51573 + };
51574 +
51575 + static struct pci_error_handlers aer_error_handlers = {
51576 +diff -urNp linux-2.6.24.5/drivers/pci/pcie/aer/aerdrv_core.c linux-2.6.24.5/drivers/pci/pcie/aer/aerdrv_core.c
51577 +--- linux-2.6.24.5/drivers/pci/pcie/aer/aerdrv_core.c 2008-03-24 14:49:18.000000000 -0400
51578 ++++ linux-2.6.24.5/drivers/pci/pcie/aer/aerdrv_core.c 2008-03-26 20:21:08.000000000 -0400
51579 +@@ -661,7 +661,7 @@ static void aer_isr_one_error(struct pci
51580 + struct aer_err_source *e_src)
51581 + {
51582 + struct device *s_device;
51583 +- struct aer_err_info e_info = {0, 0, 0,};
51584 ++ struct aer_err_info e_info = {0, 0, 0, {0, 0, 0, 0}};
51585 + int i;
51586 + u16 id;
51587 +
51588 +diff -urNp linux-2.6.24.5/drivers/pci/pcie/portdrv_pci.c linux-2.6.24.5/drivers/pci/pcie/portdrv_pci.c
51589 +--- linux-2.6.24.5/drivers/pci/pcie/portdrv_pci.c 2008-03-24 14:49:18.000000000 -0400
51590 ++++ linux-2.6.24.5/drivers/pci/pcie/portdrv_pci.c 2008-03-26 20:21:08.000000000 -0400
51591 +@@ -265,7 +265,7 @@ static void pcie_portdrv_err_resume(stru
51592 + static const struct pci_device_id port_pci_ids[] = { {
51593 + /* handle any PCI-Express port */
51594 + PCI_DEVICE_CLASS(((PCI_CLASS_BRIDGE_PCI << 8) | 0x00), ~0),
51595 +- }, { /* end: all zeroes */ }
51596 ++ }, { 0, 0, 0, 0, 0, 0, 0 }
51597 + };
51598 + MODULE_DEVICE_TABLE(pci, port_pci_ids);
51599 +
51600 +diff -urNp linux-2.6.24.5/drivers/pci/proc.c linux-2.6.24.5/drivers/pci/proc.c
51601 +--- linux-2.6.24.5/drivers/pci/proc.c 2008-03-24 14:49:18.000000000 -0400
51602 ++++ linux-2.6.24.5/drivers/pci/proc.c 2008-03-26 20:21:08.000000000 -0400
51603 +@@ -467,7 +467,15 @@ static int __init pci_proc_init(void)
51604 + {
51605 + struct proc_dir_entry *entry;
51606 + struct pci_dev *dev = NULL;
51607 ++#ifdef CONFIG_GRKERNSEC_PROC_ADD
51608 ++#ifdef CONFIG_GRKERNSEC_PROC_USER
51609 ++ proc_bus_pci_dir = proc_mkdir_mode("pci", S_IRUSR | S_IXUSR, proc_bus);
51610 ++#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
51611 ++ proc_bus_pci_dir = proc_mkdir_mode("pci", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, proc_bus);
51612 ++#endif
51613 ++#else
51614 + proc_bus_pci_dir = proc_mkdir("pci", proc_bus);
51615 ++#endif
51616 + entry = create_proc_entry("devices", 0, proc_bus_pci_dir);
51617 + if (entry)
51618 + entry->proc_fops = &proc_bus_pci_dev_operations;
51619 +diff -urNp linux-2.6.24.5/drivers/pcmcia/ti113x.h linux-2.6.24.5/drivers/pcmcia/ti113x.h
51620 +--- linux-2.6.24.5/drivers/pcmcia/ti113x.h 2008-03-24 14:49:18.000000000 -0400
51621 ++++ linux-2.6.24.5/drivers/pcmcia/ti113x.h 2008-03-26 20:21:08.000000000 -0400
51622 +@@ -897,7 +897,7 @@ static struct pci_device_id ene_tune_tbl
51623 + DEVID(PCI_VENDOR_ID_MOTOROLA, 0x3410, 0xECC0, PCI_ANY_ID,
51624 + ENE_TEST_C9_TLTENABLE | ENE_TEST_C9_PFENABLE, ENE_TEST_C9_TLTENABLE),
51625 +
51626 +- {}
51627 ++ { 0, 0, 0, 0, 0, 0, 0 }
51628 + };
51629 +
51630 + static void ene_tune_bridge(struct pcmcia_socket *sock, struct pci_bus *bus)
51631 +diff -urNp linux-2.6.24.5/drivers/pcmcia/yenta_socket.c linux-2.6.24.5/drivers/pcmcia/yenta_socket.c
51632 +--- linux-2.6.24.5/drivers/pcmcia/yenta_socket.c 2008-03-24 14:49:18.000000000 -0400
51633 ++++ linux-2.6.24.5/drivers/pcmcia/yenta_socket.c 2008-03-26 20:21:08.000000000 -0400
51634 +@@ -1358,7 +1358,7 @@ static struct pci_device_id yenta_table
51635 +
51636 + /* match any cardbus bridge */
51637 + CB_ID(PCI_ANY_ID, PCI_ANY_ID, DEFAULT),
51638 +- { /* all zeroes */ }
51639 ++ { 0, 0, 0, 0, 0, 0, 0 }
51640 + };
51641 + MODULE_DEVICE_TABLE(pci, yenta_table);
51642 +
51643 +diff -urNp linux-2.6.24.5/drivers/pnp/pnpbios/bioscalls.c linux-2.6.24.5/drivers/pnp/pnpbios/bioscalls.c
51644 +--- linux-2.6.24.5/drivers/pnp/pnpbios/bioscalls.c 2008-03-24 14:49:18.000000000 -0400
51645 ++++ linux-2.6.24.5/drivers/pnp/pnpbios/bioscalls.c 2008-03-26 20:21:08.000000000 -0400
51646 +@@ -61,7 +61,7 @@ set_base(gdt[(selname) >> 3], (u32)(addr
51647 + set_limit(gdt[(selname) >> 3], size); \
51648 + } while(0)
51649 +
51650 +-static struct desc_struct bad_bios_desc = { 0, 0x00409200 };
51651 ++static struct desc_struct bad_bios_desc __read_only = { 0, 0x00409300 };
51652 +
51653 + /*
51654 + * At some point we want to use this stack frame pointer to unwind
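Review bot: the change from 0x00409200 to 0x00409300 sets the "accessed" bit in bad_bios_desc's type field, and that is essential, not cosmetic: when a segment is loaded the CPU sets the accessed bit in the descriptor if it is clear, i.e. it writes to the GDT, and with the GDT made read-only by KERNEXEC that write would page-fault. A comment on the constant stating "accessed bit pre-set so the CPU never writes the descriptor" would make this reviewable without decoding the descriptor layout. The `__read_only` annotation is consistent with the later hunk that wraps the only writes to bad_bios_desc (set_base/_set_limit in pnpbios_calls_init) in pax_open_kernel().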
51655 +@@ -88,6 +88,10 @@ static inline u16 call_pnp_bios(u16 func
51656 + struct desc_struct save_desc_40;
51657 + int cpu;
51658 +
51659 ++#ifdef CONFIG_PAX_KERNEXEC
51660 ++ unsigned long cr0;
51661 ++#endif
51662 ++
51663 + /*
51664 + * PnP BIOSes are generally not terribly re-entrant.
51665 + * Also, don't rely on them to save everything correctly.
51666 +@@ -97,8 +101,17 @@ static inline u16 call_pnp_bios(u16 func
51667 +
51668 + cpu = get_cpu();
51669 + save_desc_40 = get_cpu_gdt_table(cpu)[0x40 / 8];
51670 ++
51671 ++#ifdef CONFIG_PAX_KERNEXEC
51672 ++ pax_open_kernel(cr0);
51673 ++#endif
51674 ++
51675 + get_cpu_gdt_table(cpu)[0x40 / 8] = bad_bios_desc;
51676 +
51677 ++#ifdef CONFIG_PAX_KERNEXEC
51678 ++ pax_close_kernel(cr0);
51679 ++#endif
51680 ++
51681 + /* On some boxes IRQ's during PnP BIOS calls are deadly. */
51682 + spin_lock_irqsave(&pnp_bios_lock, flags);
51683 +
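Review bot: the open/close window here is kept to the single GDT slot write and is closed again before the BIOS is called, which is the important property: the 16-bit PnP BIOS executes at ring 0, and with CR0.WP restored a BIOS that scribbles on kernel text or the GDT during the call faults instead of silently succeeding. The spin_lock_irqsave() below is taken after pax_close_kernel(), so no lock is held while CR0 is toggled; that ordering is worth preserving if this is ever refactored.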
51684 +@@ -135,7 +148,16 @@ static inline u16 call_pnp_bios(u16 func
51685 + :"memory");
51686 + spin_unlock_irqrestore(&pnp_bios_lock, flags);
51687 +
51688 ++#ifdef CONFIG_PAX_KERNEXEC
51689 ++ pax_open_kernel(cr0);
51690 ++#endif
51691 ++
51692 + get_cpu_gdt_table(cpu)[0x40 / 8] = save_desc_40;
51693 ++
51694 ++#ifdef CONFIG_PAX_KERNEXEC
51695 ++ pax_close_kernel(cr0);
51696 ++#endif
51697 ++
51698 + put_cpu();
51699 +
51700 + /* If we get here and this is set then the PnP BIOS faulted on us. */
51701 +@@ -469,14 +491,22 @@ int pnp_bios_read_escd(char *data, u32 n
51702 + return status;
51703 + }
51704 +
51705 +-void pnpbios_calls_init(union pnp_bios_install_struct *header)
51706 ++void __init pnpbios_calls_init(union pnp_bios_install_struct *header)
51707 + {
51708 + int i;
51709 +
51710 ++#ifdef CONFIG_PAX_KERNEXEC
51711 ++ unsigned long cr0;
51712 ++#endif
51713 ++
51714 + spin_lock_init(&pnp_bios_lock);
51715 + pnp_bios_callpoint.offset = header->fields.pm16offset;
51716 + pnp_bios_callpoint.segment = PNP_CS16;
51717 +
51718 ++#ifdef CONFIG_PAX_KERNEXEC
51719 ++ pax_open_kernel(cr0);
51720 ++#endif
51721 ++
51722 + set_base(bad_bios_desc, __va((unsigned long)0x40 << 4));
51723 + _set_limit((char *)&bad_bios_desc, 4095 - (0x40 << 4));
51724 + for (i = 0; i < NR_CPUS; i++) {
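Review bot: adding `__init` to pnpbios_calls_init() is only valid if every caller is itself `__init` (the hunk shows none of them); otherwise the function is freed after boot and a late caller jumps into reclaimed memory, so the changelog should list the callers checked. The pax_open_kernel() placed before set_base()/_set_limit() is what makes the `__read_only` bad_bios_desc from the earlier hunk writable at init time, and the window deliberately spans the per-CPU GDT loop below; a comment saying both writes need it would keep someone from closing the window early.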
51725 +@@ -489,4 +519,9 @@ void pnpbios_calls_init(union pnp_bios_i
51726 + set_base(gdt[GDT_ENTRY_PNPBIOS_DS],
51727 + __va(header->fields.pm16dseg));
51728 + }
51729 ++
51730 ++#ifdef CONFIG_PAX_KERNEXEC
51731 ++ pax_close_kernel(cr0);
51732 ++#endif
51733 ++
51734 + }
51735 +diff -urNp linux-2.6.24.5/drivers/pnp/quirks.c linux-2.6.24.5/drivers/pnp/quirks.c
51736 +--- linux-2.6.24.5/drivers/pnp/quirks.c 2008-03-24 14:49:18.000000000 -0400
51737 ++++ linux-2.6.24.5/drivers/pnp/quirks.c 2008-03-26 20:21:08.000000000 -0400
51738 +@@ -128,7 +128,7 @@ static struct pnp_fixup pnp_fixups[] = {
51739 + {"CTL0043", quirk_sb16audio_resources},
51740 + {"CTL0044", quirk_sb16audio_resources},
51741 + {"CTL0045", quirk_sb16audio_resources},
51742 +- {""}
51743 ++ {"", NULL}
51744 + };
51745 +
51746 + void pnp_fixup_device(struct pnp_dev *dev)
51747 +diff -urNp linux-2.6.24.5/drivers/pnp/resource.c linux-2.6.24.5/drivers/pnp/resource.c
51748 +--- linux-2.6.24.5/drivers/pnp/resource.c 2008-03-24 14:49:18.000000000 -0400
51749 ++++ linux-2.6.24.5/drivers/pnp/resource.c 2008-03-26 20:21:08.000000000 -0400
51750 +@@ -345,7 +345,7 @@ int pnp_check_irq(struct pnp_dev *dev, i
51751 + return 1;
51752 +
51753 + /* check if the resource is valid */
51754 +- if (*irq < 0 || *irq > 15)
51755 ++ if (*irq > 15)
51756 + return 0;
51757 +
51758 + /* check if the resource is reserved */
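Review bot: `*irq < 0` (and `*dma < 0` in the next hunk) were dead tests if the pointed-to resource start is an unsigned resource_size_t, which the hunk does not show; please confirm the type of `*irq`/`*dma` in the declaration lines above the hunk before merging. The remaining `*irq > 15` and `*dma == 4 || *dma > 7` checks are the complete ISA-range validation once the values are known to be unsigned.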
51759 +@@ -414,7 +414,7 @@ int pnp_check_dma(struct pnp_dev *dev, i
51760 + return 1;
51761 +
51762 + /* check if the resource is valid */
51763 +- if (*dma < 0 || *dma == 4 || *dma > 7)
51764 ++ if (*dma == 4 || *dma > 7)
51765 + return 0;
51766 +
51767 + /* check if the resource is reserved */
51768 +diff -urNp linux-2.6.24.5/drivers/scsi/scsi_logging.h linux-2.6.24.5/drivers/scsi/scsi_logging.h
51769 +--- linux-2.6.24.5/drivers/scsi/scsi_logging.h 2008-03-24 14:49:18.000000000 -0400
51770 ++++ linux-2.6.24.5/drivers/scsi/scsi_logging.h 2008-03-26 20:21:08.000000000 -0400
51771 +@@ -51,7 +51,7 @@ do { \
51772 + } while (0); \
51773 + } while (0)
51774 + #else
51775 +-#define SCSI_CHECK_LOGGING(SHIFT, BITS, LEVEL, CMD)
51776 ++#define SCSI_CHECK_LOGGING(SHIFT, BITS, LEVEL, CMD) do {} while (0)
51777 + #endif /* CONFIG_SCSI_LOGGING */
51778 +
51779 + /*
51780 +diff -urNp linux-2.6.24.5/drivers/serial/8250_pci.c linux-2.6.24.5/drivers/serial/8250_pci.c
51781 +--- linux-2.6.24.5/drivers/serial/8250_pci.c 2008-03-24 14:49:18.000000000 -0400
51782 ++++ linux-2.6.24.5/drivers/serial/8250_pci.c 2008-03-26 20:21:08.000000000 -0400
51783 +@@ -2712,7 +2712,7 @@ static struct pci_device_id serial_pci_t
51784 + PCI_ANY_ID, PCI_ANY_ID,
51785 + PCI_CLASS_COMMUNICATION_MULTISERIAL << 8,
51786 + 0xffff00, pbn_default },
51787 +- { 0, }
51788 ++ { 0, 0, 0, 0, 0, 0, 0 }
51789 + };
51790 +
51791 + static struct pci_driver serial_pci_driver = {
51792 +diff -urNp linux-2.6.24.5/drivers/usb/class/cdc-acm.c linux-2.6.24.5/drivers/usb/class/cdc-acm.c
51793 +--- linux-2.6.24.5/drivers/usb/class/cdc-acm.c 2008-03-24 14:49:18.000000000 -0400
51794 ++++ linux-2.6.24.5/drivers/usb/class/cdc-acm.c 2008-03-26 20:21:08.000000000 -0400
51795 +@@ -1199,7 +1199,7 @@ static struct usb_device_id acm_ids[] =
51796 + USB_CDC_ACM_PROTO_AT_CDMA) },
51797 +
51798 + /* NOTE: COMM/ACM/0xff is likely MSFT RNDIS ... NOT a modem!! */
51799 +- { }
51800 ++ { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 }
51801 + };
51802 +
51803 + MODULE_DEVICE_TABLE (usb, acm_ids);
51804 +diff -urNp linux-2.6.24.5/drivers/usb/class/usblp.c linux-2.6.24.5/drivers/usb/class/usblp.c
51805 +--- linux-2.6.24.5/drivers/usb/class/usblp.c 2008-03-24 14:49:18.000000000 -0400
51806 ++++ linux-2.6.24.5/drivers/usb/class/usblp.c 2008-03-26 20:21:08.000000000 -0400
51807 +@@ -227,7 +227,7 @@ static const struct quirk_printer_struct
51808 + { 0x0409, 0xf1be, USBLP_QUIRK_BIDIR }, /* NEC Picty800 (HP OEM) */
51809 + { 0x0482, 0x0010, USBLP_QUIRK_BIDIR }, /* Kyocera Mita FS 820, by zut <kernel@×××.de> */
51810 + { 0x04b8, 0x0202, USBLP_QUIRK_BAD_CLASS }, /* Seiko Epson Receipt Printer M129C */
51811 +- { 0, 0 }
51812 ++ { 0, 0, 0 }
51813 + };
51814 +
51815 + static int usblp_wwait(struct usblp *usblp, int nonblock);
51816 +@@ -1401,7 +1401,7 @@ static struct usb_device_id usblp_ids []
51817 + { USB_INTERFACE_INFO(7, 1, 2) },
51818 + { USB_INTERFACE_INFO(7, 1, 3) },
51819 + { USB_DEVICE(0x04b8, 0x0202) }, /* Seiko Epson Receipt Printer M129C */
51820 +- { } /* Terminating entry */
51821 ++ { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 } /* Terminating entry */
51822 + };
51823 +
51824 + MODULE_DEVICE_TABLE (usb, usblp_ids);
51825 +diff -urNp linux-2.6.24.5/drivers/usb/core/hub.c linux-2.6.24.5/drivers/usb/core/hub.c
51826 +--- linux-2.6.24.5/drivers/usb/core/hub.c 2008-03-24 14:49:18.000000000 -0400
51827 ++++ linux-2.6.24.5/drivers/usb/core/hub.c 2008-03-26 20:21:08.000000000 -0400
51828 +@@ -2884,7 +2884,7 @@ static struct usb_device_id hub_id_table
51829 + .bDeviceClass = USB_CLASS_HUB},
51830 + { .match_flags = USB_DEVICE_ID_MATCH_INT_CLASS,
51831 + .bInterfaceClass = USB_CLASS_HUB},
51832 +- { } /* Terminating entry */
51833 ++ { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 } /* Terminating entry */
51834 + };
51835 +
51836 + MODULE_DEVICE_TABLE (usb, hub_id_table);
51837 +diff -urNp linux-2.6.24.5/drivers/usb/host/ehci-pci.c linux-2.6.24.5/drivers/usb/host/ehci-pci.c
51838 +--- linux-2.6.24.5/drivers/usb/host/ehci-pci.c 2008-03-24 14:49:18.000000000 -0400
51839 ++++ linux-2.6.24.5/drivers/usb/host/ehci-pci.c 2008-03-26 20:21:08.000000000 -0400
51840 +@@ -374,7 +374,7 @@ static const struct pci_device_id pci_id
51841 + PCI_DEVICE_CLASS(PCI_CLASS_SERIAL_USB_EHCI, ~0),
51842 + .driver_data = (unsigned long) &ehci_pci_hc_driver,
51843 + },
51844 +- { /* end: all zeroes */ }
51845 ++ { 0, 0, 0, 0, 0, 0, 0 }
51846 + };
51847 + MODULE_DEVICE_TABLE(pci, pci_ids);
51848 +
51849 +diff -urNp linux-2.6.24.5/drivers/usb/host/uhci-hcd.c linux-2.6.24.5/drivers/usb/host/uhci-hcd.c
51850 +--- linux-2.6.24.5/drivers/usb/host/uhci-hcd.c 2008-03-24 14:49:18.000000000 -0400
51851 ++++ linux-2.6.24.5/drivers/usb/host/uhci-hcd.c 2008-03-26 20:21:08.000000000 -0400
51852 +@@ -893,7 +893,7 @@ static const struct pci_device_id uhci_p
51853 + /* handle any USB UHCI controller */
51854 + PCI_DEVICE_CLASS(PCI_CLASS_SERIAL_USB_UHCI, ~0),
51855 + .driver_data = (unsigned long) &uhci_driver,
51856 +- }, { /* end: all zeroes */ }
51857 ++ }, { 0, 0, 0, 0, 0, 0, 0 }
51858 + };
51859 +
51860 + MODULE_DEVICE_TABLE(pci, uhci_pci_ids);
51861 +diff -urNp linux-2.6.24.5/drivers/usb/storage/debug.h linux-2.6.24.5/drivers/usb/storage/debug.h
51862 +--- linux-2.6.24.5/drivers/usb/storage/debug.h 2008-03-24 14:49:18.000000000 -0400
51863 ++++ linux-2.6.24.5/drivers/usb/storage/debug.h 2008-03-26 20:21:08.000000000 -0400
51864 +@@ -56,9 +56,9 @@ void usb_stor_show_sense( unsigned char
51865 + #define US_DEBUGPX(x...) printk( x )
51866 + #define US_DEBUG(x) x
51867 + #else
51868 +-#define US_DEBUGP(x...)
51869 +-#define US_DEBUGPX(x...)
51870 +-#define US_DEBUG(x)
51871 ++#define US_DEBUGP(x...) do {} while (0)
51872 ++#define US_DEBUGPX(x...) do {} while (0)
51873 ++#define US_DEBUG(x) do {} while (0)
51874 + #endif
51875 +
51876 + #endif
51877 +diff -urNp linux-2.6.24.5/drivers/usb/storage/usb.c linux-2.6.24.5/drivers/usb/storage/usb.c
51878 +--- linux-2.6.24.5/drivers/usb/storage/usb.c 2008-03-24 14:49:18.000000000 -0400
51879 ++++ linux-2.6.24.5/drivers/usb/storage/usb.c 2008-03-26 20:21:08.000000000 -0400
51880 +@@ -134,7 +134,7 @@ static struct usb_device_id storage_usb_
51881 + #undef UNUSUAL_DEV
51882 + #undef USUAL_DEV
51883 + /* Terminating entry */
51884 +- { }
51885 ++ { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 }
51886 + };
51887 +
51888 + MODULE_DEVICE_TABLE (usb, storage_usb_ids);
51889 +@@ -174,7 +174,7 @@ static struct us_unusual_dev us_unusual_
51890 + # undef USUAL_DEV
51891 +
51892 + /* Terminating entry */
51893 +- { NULL }
51894 ++ { NULL, NULL, 0, 0, NULL }
51895 + };
51896 +
51897 +
51898 +diff -urNp linux-2.6.24.5/drivers/video/fbcmap.c linux-2.6.24.5/drivers/video/fbcmap.c
51899 +--- linux-2.6.24.5/drivers/video/fbcmap.c 2008-03-24 14:49:18.000000000 -0400
51900 ++++ linux-2.6.24.5/drivers/video/fbcmap.c 2008-03-26 20:21:08.000000000 -0400
51901 +@@ -250,8 +250,7 @@ int fb_set_user_cmap(struct fb_cmap_user
51902 + int rc, size = cmap->len * sizeof(u16);
51903 + struct fb_cmap umap;
51904 +
51905 +- if (cmap->start < 0 || (!info->fbops->fb_setcolreg &&
51906 +- !info->fbops->fb_setcmap))
51907 ++ if (!info->fbops->fb_setcolreg && !info->fbops->fb_setcmap)
51908 + return -EINVAL;
51909 +
51910 + memset(&umap, 0, sizeof(struct fb_cmap));
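Review bot: dropping `cmap->start < 0` in fb_set_user_cmap() reads like a removed bounds check on user-supplied data, but struct fb_cmap_user declares `start` as `__u32`, so the comparison could never be true. The upper bound on `start + len` is not in this function either before or after the patch and has to come from the downstream fb_set_cmap()/fb_setcolreg path, so a changelog line stating that the effective range check lives there would make this safe to audit.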
51911 +diff -urNp linux-2.6.24.5/drivers/video/fbmem.c linux-2.6.24.5/drivers/video/fbmem.c
51912 +--- linux-2.6.24.5/drivers/video/fbmem.c 2008-04-17 20:05:17.000000000 -0400
51913 ++++ linux-2.6.24.5/drivers/video/fbmem.c 2008-04-17 20:05:01.000000000 -0400
51914 +@@ -394,7 +394,7 @@ static void fb_do_show_logo(struct fb_in
51915 + image->dx += image->width + 8;
51916 + }
51917 + } else if (rotate == FB_ROTATE_UD) {
51918 +- for (x = 0; x < num && image->dx >= 0; x++) {
51919 ++ for (x = 0; x < num && (__s32)image->dx >= 0; x++) {
51920 + info->fbops->fb_imageblit(info, image);
51921 + image->dx -= image->width + 8;
51922 + }
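Review bot: the `(__s32)image->dx >= 0` cast (and `dy` in the next hunk) is a real bug fix, not a warning fix: `dx` and `dy` are unsigned, so the original loop condition was always true and the loop only stopped on `x < num`, drawing at a wrapped-around coordinate after the last subtraction of `image->width + 8`. Since the loop still decrements the unsigned field past zero, the cast relies on two's-complement reinterpretation to terminate; that is fine in kernel code but deserves a comment so nobody "cleans up" the cast.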
51923 +@@ -406,7 +406,7 @@ static void fb_do_show_logo(struct fb_in
51924 + image->dy += image->height + 8;
51925 + }
51926 + } else if (rotate == FB_ROTATE_CCW) {
51927 +- for (x = 0; x < num && image->dy >= 0; x++) {
51928 ++ for (x = 0; x < num && (__s32)image->dy >= 0; x++) {
51929 + info->fbops->fb_imageblit(info, image);
51930 + image->dy -= image->height + 8;
51931 + }
51932 +@@ -1057,9 +1057,9 @@ fb_ioctl(struct inode *inode, struct fil
51933 + case FBIOPUT_CON2FBMAP:
51934 + if (copy_from_user(&con2fb, argp, sizeof(con2fb)))
51935 + return - EFAULT;
51936 +- if (con2fb.console < 0 || con2fb.console > MAX_NR_CONSOLES)
51937 ++ if (con2fb.console > MAX_NR_CONSOLES)
51938 + return -EINVAL;
51939 +- if (con2fb.framebuffer < 0 || con2fb.framebuffer >= FB_MAX)
51940 ++ if (con2fb.framebuffer >= FB_MAX)
51941 + return -EINVAL;
51942 + #ifdef CONFIG_KMOD
51943 + if (!registered_fb[con2fb.framebuffer])
51944 +diff -urNp linux-2.6.24.5/drivers/video/fbmon.c linux-2.6.24.5/drivers/video/fbmon.c
51945 +--- linux-2.6.24.5/drivers/video/fbmon.c 2008-03-24 14:49:18.000000000 -0400
51946 ++++ linux-2.6.24.5/drivers/video/fbmon.c 2008-03-26 20:21:08.000000000 -0400
51947 +@@ -45,7 +45,7 @@
51948 + #ifdef DEBUG
51949 + #define DPRINTK(fmt, args...) printk(fmt,## args)
51950 + #else
51951 +-#define DPRINTK(fmt, args...)
51952 ++#define DPRINTK(fmt, args...) do {} while (0)
51953 + #endif
51954 +
51955 + #define FBMON_FIX_HEADER 1
51956 +diff -urNp linux-2.6.24.5/drivers/video/i810/i810_accel.c linux-2.6.24.5/drivers/video/i810/i810_accel.c
51957 +--- linux-2.6.24.5/drivers/video/i810/i810_accel.c 2008-03-24 14:49:18.000000000 -0400
51958 ++++ linux-2.6.24.5/drivers/video/i810/i810_accel.c 2008-03-26 20:21:08.000000000 -0400
51959 +@@ -73,6 +73,7 @@ static inline int wait_for_space(struct
51960 + }
51961 + }
51962 + printk("ringbuffer lockup!!!\n");
51963 ++ printk("head:%u tail:%u iring.size:%u space:%u\n", head, tail, par->iring.size, space);
51964 + i810_report_error(mmio);
51965 + par->dev_flags |= LOCKUP;
51966 + info->pixmap.scan_align = 1;
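Review bot: the added `printk("head:%u tail:%u iring.size:%u space:%u\n", ...)` carries no `KERN_` log level. It mirrors the existing `printk("ringbuffer lockup!!!\n")`, which also lacks one, but since both lines report a hardware lockup, `KERN_ERR` on both would be the better choice; and the `%u` conversions assume `head`, `tail` and `space` are unsigned, which is worth confirming against their declarations in `wait_for_space`.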
51967 +diff -urNp linux-2.6.24.5/drivers/video/i810/i810_main.c linux-2.6.24.5/drivers/video/i810/i810_main.c
51968 +--- linux-2.6.24.5/drivers/video/i810/i810_main.c 2008-03-24 14:49:18.000000000 -0400
51969 ++++ linux-2.6.24.5/drivers/video/i810/i810_main.c 2008-03-26 20:21:08.000000000 -0400
51970 +@@ -120,7 +120,7 @@ static struct pci_device_id i810fb_pci_t
51971 + PCI_ANY_ID, PCI_ANY_ID, 0, 0, 4 },
51972 + { PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_82815_CGC,
51973 + PCI_ANY_ID, PCI_ANY_ID, 0, 0, 5 },
51974 +- { 0 },
51975 ++ { 0, 0, 0, 0, 0, 0, 0 },
51976 + };
51977 +
51978 + static struct pci_driver i810fb_driver = {
51979 +@@ -1509,7 +1509,7 @@ static int i810fb_cursor(struct fb_info
51980 + int size = ((cursor->image.width + 7) >> 3) *
51981 + cursor->image.height;
51982 + int i;
51983 +- u8 *data = kmalloc(64 * 8, GFP_ATOMIC);
51984 ++ u8 *data = kmalloc(64 * 8, GFP_KERNEL);
51985 +
51986 + if (data == NULL)
51987 + return -ENOMEM;
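Review bot: `kmalloc(64 * 8, GFP_ATOMIC)` becomes `kmalloc(64 * 8, GFP_KERNEL)`, which may sleep, and the hunk gives no justification that `i810fb_cursor` is only ever reached from process context with no spinlock held. If the original `GFP_ATOMIC` was there because cursor updates can be driven from an atomic console path, this is a regression rather than a cleanup, so the commit should state why the cursor path is known to be sleepable.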
51988 +diff -urNp linux-2.6.24.5/drivers/video/modedb.c linux-2.6.24.5/drivers/video/modedb.c
51989 +--- linux-2.6.24.5/drivers/video/modedb.c 2008-03-24 14:49:18.000000000 -0400
51990 ++++ linux-2.6.24.5/drivers/video/modedb.c 2008-03-26 20:21:08.000000000 -0400
51991 +@@ -37,232 +37,232 @@ static const struct fb_videomode modedb[
51992 + {
51993 + /* 640x400 @ 70 Hz, 31.5 kHz hsync */
51994 + NULL, 70, 640, 400, 39721, 40, 24, 39, 9, 96, 2,
51995 +- 0, FB_VMODE_NONINTERLACED
51996 ++ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
51997 + }, {
51998 + /* 640x480 @ 60 Hz, 31.5 kHz hsync */
51999 + NULL, 60, 640, 480, 39721, 40, 24, 32, 11, 96, 2,
52000 +- 0, FB_VMODE_NONINTERLACED
52001 ++ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
52002 + }, {
52003 + /* 800x600 @ 56 Hz, 35.15 kHz hsync */
52004 + NULL, 56, 800, 600, 27777, 128, 24, 22, 1, 72, 2,
52005 +- 0, FB_VMODE_NONINTERLACED
52006 ++ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
52007 + }, {
52008 + /* 1024x768 @ 87 Hz interlaced, 35.5 kHz hsync */
52009 + NULL, 87, 1024, 768, 22271, 56, 24, 33, 8, 160, 8,
52010 +- 0, FB_VMODE_INTERLACED
52011 ++ 0, FB_VMODE_INTERLACED, FB_MODE_IS_UNKNOWN
52012 + }, {
52013 + /* 640x400 @ 85 Hz, 37.86 kHz hsync */
52014 + NULL, 85, 640, 400, 31746, 96, 32, 41, 1, 64, 3,
52015 +- FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
52016 ++ FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
52017 + }, {
52018 + /* 640x480 @ 72 Hz, 36.5 kHz hsync */
52019 + NULL, 72, 640, 480, 31746, 144, 40, 30, 8, 40, 3,
52020 +- 0, FB_VMODE_NONINTERLACED
52021 ++ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
52022 + }, {
52023 + /* 640x480 @ 75 Hz, 37.50 kHz hsync */
52024 + NULL, 75, 640, 480, 31746, 120, 16, 16, 1, 64, 3,
52025 +- 0, FB_VMODE_NONINTERLACED
52026 ++ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
52027 + }, {
52028 + /* 800x600 @ 60 Hz, 37.8 kHz hsync */
52029 + NULL, 60, 800, 600, 25000, 88, 40, 23, 1, 128, 4,
52030 +- FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
52031 ++ FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
52032 + }, {
52033 + /* 640x480 @ 85 Hz, 43.27 kHz hsync */
52034 + NULL, 85, 640, 480, 27777, 80, 56, 25, 1, 56, 3,
52035 +- 0, FB_VMODE_NONINTERLACED
52036 ++ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
52037 + }, {
52038 + /* 1152x864 @ 89 Hz interlaced, 44 kHz hsync */
52039 + NULL, 89, 1152, 864, 15384, 96, 16, 110, 1, 216, 10,
52040 +- 0, FB_VMODE_INTERLACED
52041 ++ 0, FB_VMODE_INTERLACED, FB_MODE_IS_UNKNOWN
52042 + }, {
52043 + /* 800x600 @ 72 Hz, 48.0 kHz hsync */
52044 + NULL, 72, 800, 600, 20000, 64, 56, 23, 37, 120, 6,
52045 +- FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
52046 ++ FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
52047 + }, {
52048 + /* 1024x768 @ 60 Hz, 48.4 kHz hsync */
52049 + NULL, 60, 1024, 768, 15384, 168, 8, 29, 3, 144, 6,
52050 +- 0, FB_VMODE_NONINTERLACED
52051 ++ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
52052 + }, {
52053 + /* 640x480 @ 100 Hz, 53.01 kHz hsync */
52054 + NULL, 100, 640, 480, 21834, 96, 32, 36, 8, 96, 6,
52055 +- 0, FB_VMODE_NONINTERLACED
52056 ++ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
52057 + }, {
52058 + /* 1152x864 @ 60 Hz, 53.5 kHz hsync */
52059 + NULL, 60, 1152, 864, 11123, 208, 64, 16, 4, 256, 8,
52060 +- 0, FB_VMODE_NONINTERLACED
52061 ++ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
52062 + }, {
52063 + /* 800x600 @ 85 Hz, 55.84 kHz hsync */
52064 + NULL, 85, 800, 600, 16460, 160, 64, 36, 16, 64, 5,
52065 +- 0, FB_VMODE_NONINTERLACED
52066 ++ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
52067 + }, {
52068 + /* 1024x768 @ 70 Hz, 56.5 kHz hsync */
52069 + NULL, 70, 1024, 768, 13333, 144, 24, 29, 3, 136, 6,
52070 +- 0, FB_VMODE_NONINTERLACED
52071 ++ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
52072 + }, {
52073 + /* 1280x1024 @ 87 Hz interlaced, 51 kHz hsync */
52074 + NULL, 87, 1280, 1024, 12500, 56, 16, 128, 1, 216, 12,
52075 +- 0, FB_VMODE_INTERLACED
52076 ++ 0, FB_VMODE_INTERLACED, FB_MODE_IS_UNKNOWN
52077 + }, {
52078 + /* 800x600 @ 100 Hz, 64.02 kHz hsync */
52079 + NULL, 100, 800, 600, 14357, 160, 64, 30, 4, 64, 6,
52080 +- 0, FB_VMODE_NONINTERLACED
52081 ++ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
52082 + }, {
52083 + /* 1024x768 @ 76 Hz, 62.5 kHz hsync */
52084 + NULL, 76, 1024, 768, 11764, 208, 8, 36, 16, 120, 3,
52085 +- 0, FB_VMODE_NONINTERLACED
52086 ++ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
52087 + }, {
52088 + /* 1152x864 @ 70 Hz, 62.4 kHz hsync */
52089 + NULL, 70, 1152, 864, 10869, 106, 56, 20, 1, 160, 10,
52090 +- 0, FB_VMODE_NONINTERLACED
52091 ++ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
52092 + }, {
52093 + /* 1280x1024 @ 61 Hz, 64.2 kHz hsync */
52094 + NULL, 61, 1280, 1024, 9090, 200, 48, 26, 1, 184, 3,
52095 +- 0, FB_VMODE_NONINTERLACED
52096 ++ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
52097 + }, {
52098 + /* 1400x1050 @ 60Hz, 63.9 kHz hsync */
52099 + NULL, 60, 1400, 1050, 9259, 136, 40, 13, 1, 112, 3,
52100 +- 0, FB_VMODE_NONINTERLACED
52101 ++ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
52102 + }, {
52103 + /* 1400x1050 @ 75,107 Hz, 82,392 kHz +hsync +vsync*/
52104 + NULL, 75, 1400, 1050, 7190, 120, 56, 23, 10, 112, 13,
52105 +- FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
52106 ++ FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
52107 + }, {
52108 + /* 1400x1050 @ 60 Hz, ? kHz +hsync +vsync*/
52109 + NULL, 60, 1400, 1050, 9259, 128, 40, 12, 0, 112, 3,
52110 +- FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
52111 ++ FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
52112 + }, {
52113 + /* 1024x768 @ 85 Hz, 70.24 kHz hsync */
52114 + NULL, 85, 1024, 768, 10111, 192, 32, 34, 14, 160, 6,
52115 +- 0, FB_VMODE_NONINTERLACED
52116 ++ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
52117 + }, {
52118 + /* 1152x864 @ 78 Hz, 70.8 kHz hsync */
52119 + NULL, 78, 1152, 864, 9090, 228, 88, 32, 0, 84, 12,
52120 +- 0, FB_VMODE_NONINTERLACED
52121 ++ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
52122 + }, {
52123 + /* 1280x1024 @ 70 Hz, 74.59 kHz hsync */
52124 + NULL, 70, 1280, 1024, 7905, 224, 32, 28, 8, 160, 8,
52125 +- 0, FB_VMODE_NONINTERLACED
52126 ++ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
52127 + }, {
52128 + /* 1600x1200 @ 60Hz, 75.00 kHz hsync */
52129 + NULL, 60, 1600, 1200, 6172, 304, 64, 46, 1, 192, 3,
52130 +- FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
52131 ++ FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
52132 + }, {
52133 + /* 1152x864 @ 84 Hz, 76.0 kHz hsync */
52134 + NULL, 84, 1152, 864, 7407, 184, 312, 32, 0, 128, 12,
52135 +- 0, FB_VMODE_NONINTERLACED
52136 ++ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
52137 + }, {
52138 + /* 1280x1024 @ 74 Hz, 78.85 kHz hsync */
52139 + NULL, 74, 1280, 1024, 7407, 256, 32, 34, 3, 144, 3,
52140 +- 0, FB_VMODE_NONINTERLACED
52141 ++ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
52142 + }, {
52143 + /* 1024x768 @ 100Hz, 80.21 kHz hsync */
52144 + NULL, 100, 1024, 768, 8658, 192, 32, 21, 3, 192, 10,
52145 +- 0, FB_VMODE_NONINTERLACED
52146 ++ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
52147 + }, {
52148 + /* 1280x1024 @ 76 Hz, 81.13 kHz hsync */
52149 + NULL, 76, 1280, 1024, 7407, 248, 32, 34, 3, 104, 3,
52150 +- 0, FB_VMODE_NONINTERLACED
52151 ++ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
52152 + }, {
52153 + /* 1600x1200 @ 70 Hz, 87.50 kHz hsync */
52154 + NULL, 70, 1600, 1200, 5291, 304, 64, 46, 1, 192, 3,
52155 +- 0, FB_VMODE_NONINTERLACED
52156 ++ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
52157 + }, {
52158 + /* 1152x864 @ 100 Hz, 89.62 kHz hsync */
52159 + NULL, 100, 1152, 864, 7264, 224, 32, 17, 2, 128, 19,
52160 +- 0, FB_VMODE_NONINTERLACED
52161 ++ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
52162 + }, {
52163 + /* 1280x1024 @ 85 Hz, 91.15 kHz hsync */
52164 + NULL, 85, 1280, 1024, 6349, 224, 64, 44, 1, 160, 3,
52165 +- FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
52166 ++ FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
52167 + }, {
52168 + /* 1600x1200 @ 75 Hz, 93.75 kHz hsync */
52169 + NULL, 75, 1600, 1200, 4938, 304, 64, 46, 1, 192, 3,
52170 +- FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
52171 ++ FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
52172 + }, {
52173 + /* 1680x1050 @ 60 Hz, 65.191 kHz hsync */
52174 + NULL, 60, 1680, 1050, 6848, 280, 104, 30, 3, 176, 6,
52175 +- FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
52176 ++ FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
52177 + }, {
52178 + /* 1600x1200 @ 85 Hz, 105.77 kHz hsync */
52179 + NULL, 85, 1600, 1200, 4545, 272, 16, 37, 4, 192, 3,
52180 +- FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
52181 ++ FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
52182 + }, {
52183 + /* 1280x1024 @ 100 Hz, 107.16 kHz hsync */
52184 + NULL, 100, 1280, 1024, 5502, 256, 32, 26, 7, 128, 15,
52185 +- 0, FB_VMODE_NONINTERLACED
52186 ++ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
52187 + }, {
52188 + /* 1800x1440 @ 64Hz, 96.15 kHz hsync */
52189 + NULL, 64, 1800, 1440, 4347, 304, 96, 46, 1, 192, 3,
52190 +- FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
52191 ++ FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
52192 + }, {
52193 + /* 1800x1440 @ 70Hz, 104.52 kHz hsync */
52194 + NULL, 70, 1800, 1440, 4000, 304, 96, 46, 1, 192, 3,
52195 +- FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
52196 ++ FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
52197 + }, {
52198 + /* 512x384 @ 78 Hz, 31.50 kHz hsync */
52199 + NULL, 78, 512, 384, 49603, 48, 16, 16, 1, 64, 3,
52200 +- 0, FB_VMODE_NONINTERLACED
52201 ++ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
52202 + }, {
52203 + /* 512x384 @ 85 Hz, 34.38 kHz hsync */
52204 + NULL, 85, 512, 384, 45454, 48, 16, 16, 1, 64, 3,
52205 +- 0, FB_VMODE_NONINTERLACED
52206 ++ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
52207 + }, {
52208 + /* 320x200 @ 70 Hz, 31.5 kHz hsync, 8:5 aspect ratio */
52209 + NULL, 70, 320, 200, 79440, 16, 16, 20, 4, 48, 1,
52210 +- 0, FB_VMODE_DOUBLE
52211 ++ 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
52212 + }, {
52213 + /* 320x240 @ 60 Hz, 31.5 kHz hsync, 4:3 aspect ratio */
52214 + NULL, 60, 320, 240, 79440, 16, 16, 16, 5, 48, 1,
52215 +- 0, FB_VMODE_DOUBLE
52216 ++ 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
52217 + }, {
52218 + /* 320x240 @ 72 Hz, 36.5 kHz hsync */
52219 + NULL, 72, 320, 240, 63492, 16, 16, 16, 4, 48, 2,
52220 +- 0, FB_VMODE_DOUBLE
52221 ++ 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
52222 + }, {
52223 + /* 400x300 @ 56 Hz, 35.2 kHz hsync, 4:3 aspect ratio */
52224 + NULL, 56, 400, 300, 55555, 64, 16, 10, 1, 32, 1,
52225 +- 0, FB_VMODE_DOUBLE
52226 ++ 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
52227 + }, {
52228 + /* 400x300 @ 60 Hz, 37.8 kHz hsync */
52229 + NULL, 60, 400, 300, 50000, 48, 16, 11, 1, 64, 2,
52230 +- 0, FB_VMODE_DOUBLE
52231 ++ 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
52232 + }, {
52233 + /* 400x300 @ 72 Hz, 48.0 kHz hsync */
52234 + NULL, 72, 400, 300, 40000, 32, 24, 11, 19, 64, 3,
52235 +- 0, FB_VMODE_DOUBLE
52236 ++ 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
52237 + }, {
52238 + /* 480x300 @ 56 Hz, 35.2 kHz hsync, 8:5 aspect ratio */
52239 + NULL, 56, 480, 300, 46176, 80, 16, 10, 1, 40, 1,
52240 +- 0, FB_VMODE_DOUBLE
52241 ++ 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
52242 + }, {
52243 + /* 480x300 @ 60 Hz, 37.8 kHz hsync */
52244 + NULL, 60, 480, 300, 41858, 56, 16, 11, 1, 80, 2,
52245 +- 0, FB_VMODE_DOUBLE
52246 ++ 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
52247 + }, {
52248 + /* 480x300 @ 63 Hz, 39.6 kHz hsync */
52249 + NULL, 63, 480, 300, 40000, 56, 16, 11, 1, 80, 2,
52250 +- 0, FB_VMODE_DOUBLE
52251 ++ 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
52252 + }, {
52253 + /* 480x300 @ 72 Hz, 48.0 kHz hsync */
52254 + NULL, 72, 480, 300, 33386, 40, 24, 11, 19, 80, 3,
52255 +- 0, FB_VMODE_DOUBLE
52256 ++ 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
52257 + }, {
52258 + /* 1920x1200 @ 60 Hz, 74.5 Khz hsync */
52259 + NULL, 60, 1920, 1200, 5177, 128, 336, 1, 38, 208, 3,
52260 + FB_SYNC_HOR_HIGH_ACT | FB_SYNC_VERT_HIGH_ACT,
52261 +- FB_VMODE_NONINTERLACED
52262 ++ FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
52263 + }, {
52264 + /* 1152x768, 60 Hz, PowerBook G4 Titanium I and II */
52265 + NULL, 60, 1152, 768, 14047, 158, 26, 29, 3, 136, 6,
52266 +- FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
52267 ++ FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
52268 + }, {
52269 + /* 1366x768, 60 Hz, 47.403 kHz hsync, WXGA 16:9 aspect ratio */
52270 + NULL, 60, 1366, 768, 13806, 120, 10, 14, 3, 32, 5,
52271 +- 0, FB_VMODE_NONINTERLACED
52272 ++ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
52273 + }, {
52274 + /* 1280x800, 60 Hz, 47.403 kHz hsync, WXGA 16:10 aspect ratio */
52275 + NULL, 60, 1280, 800, 12048, 200, 64, 24, 1, 136, 3,
52276 +- 0, FB_VMODE_NONINTERLACED
52277 ++ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
52278 + },
52279 + };
52280 +
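Review bot: appending `FB_MODE_IS_UNKNOWN` as the trailing initializer of every `modedb[]` entry is behaviour-neutral as long as that constant is zero, because an omitted trailing struct member is already zero-initialized in C; the hunk is therefore a missing-field-initializer warning fix and the commit message should label it as such rather than leaving a 232-line table rewrite unexplained. Designated initializers would make the table robust to further field additions, but that is a separate cleanup.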
52281 +diff -urNp linux-2.6.24.5/drivers/video/uvesafb.c linux-2.6.24.5/drivers/video/uvesafb.c
52282 +--- linux-2.6.24.5/drivers/video/uvesafb.c 2008-03-24 14:49:18.000000000 -0400
52283 ++++ linux-2.6.24.5/drivers/video/uvesafb.c 2008-03-26 20:21:08.000000000 -0400
52284 +@@ -117,7 +117,7 @@ static int uvesafb_helper_start(void)
52285 + NULL,
52286 + };
52287 +
52288 +- return call_usermodehelper(v86d_path, argv, envp, 1);
52289 ++ return call_usermodehelper(v86d_path, argv, envp, UMH_WAIT_PROC);
52290 + }
52291 +
52292 + /*
52293 +diff -urNp linux-2.6.24.5/drivers/video/vesafb.c linux-2.6.24.5/drivers/video/vesafb.c
52294 +--- linux-2.6.24.5/drivers/video/vesafb.c 2008-03-24 14:49:18.000000000 -0400
52295 ++++ linux-2.6.24.5/drivers/video/vesafb.c 2008-03-26 20:21:08.000000000 -0400
52296 +@@ -9,6 +9,7 @@
52297 + */
52298 +
52299 + #include <linux/module.h>
52300 ++#include <linux/moduleloader.h>
52301 + #include <linux/kernel.h>
52302 + #include <linux/errno.h>
52303 + #include <linux/string.h>
52304 +@@ -53,8 +54,8 @@ static int vram_remap __initdata; /*
52305 + static int vram_total __initdata; /* Set total amount of memory */
52306 + static int pmi_setpal __read_mostly = 1; /* pmi for palette changes ??? */
52307 + static int ypan __read_mostly; /* 0..nothing, 1..ypan, 2..ywrap */
52308 +-static void (*pmi_start)(void) __read_mostly;
52309 +-static void (*pmi_pal) (void) __read_mostly;
52310 ++static void (*pmi_start)(void) __read_only;
52311 ++static void (*pmi_pal) (void) __read_only;
52312 + static int depth __read_mostly;
52313 + static int vga_compat __read_mostly;
52314 + /* --------------------------------------------------------------------- */
52315 +@@ -224,6 +225,7 @@ static int __init vesafb_probe(struct pl
52316 + unsigned int size_vmode;
52317 + unsigned int size_remap;
52318 + unsigned int size_total;
52319 ++ void *pmi_code = NULL;
52320 +
52321 + if (screen_info.orig_video_isVGA != VIDEO_TYPE_VLFB)
52322 + return -ENODEV;
52323 +@@ -266,10 +268,6 @@ static int __init vesafb_probe(struct pl
52324 + size_remap = size_total;
52325 + vesafb_fix.smem_len = size_remap;
52326 +
52327 +-#ifndef __i386__
52328 +- screen_info.vesapm_seg = 0;
52329 +-#endif
52330 +-
52331 + if (!request_mem_region(vesafb_fix.smem_start, size_total, "vesafb")) {
52332 + printk(KERN_WARNING
52333 + "vesafb: cannot reserve video memory at 0x%lx\n",
52334 +@@ -302,9 +300,21 @@ static int __init vesafb_probe(struct pl
52335 + printk(KERN_INFO "vesafb: mode is %dx%dx%d, linelength=%d, pages=%d\n",
52336 + vesafb_defined.xres, vesafb_defined.yres, vesafb_defined.bits_per_pixel, vesafb_fix.line_length, screen_info.pages);
52337 +
52338 ++#ifdef __i386__
52339 ++
52340 ++#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
52341 ++ pmi_code = module_alloc_exec(screen_info.vesapm_size);
52342 ++ if (!pmi_code)
52343 ++#elif !defined(CONFIG_PAX_KERNEXEC)
52344 ++ if (0)
52345 ++#endif
52346 ++
52347 ++#endif
52348 ++ screen_info.vesapm_seg = 0;
52349 ++
52350 + if (screen_info.vesapm_seg) {
52351 +- printk(KERN_INFO "vesafb: protected mode interface info at %04x:%04x\n",
52352 +- screen_info.vesapm_seg,screen_info.vesapm_off);
52353 ++ printk(KERN_INFO "vesafb: protected mode interface info at %04x:%04x %04x bytes\n",
52354 ++ screen_info.vesapm_seg,screen_info.vesapm_off,screen_info.vesapm_size);
52355 + }
52356 +
52357 + if (screen_info.vesapm_seg < 0xc000)
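Review bot: the preprocessor construct that synthesizes an `if` in front of `screen_info.vesapm_seg = 0;` is hard to follow and has a silent third case: with `CONFIG_PAX_KERNEXEC` set but `CONFIG_MODULES` unset, neither the `#if` nor the `#elif` branch emits a condition, so `vesapm_seg` is cleared unconditionally and the protected-mode interface is disabled on i386. If that is intended (there is no `module_alloc_exec` to hold the copied code without module support), say so in a comment; otherwise add an explicit `#else` arm. Note also that a failed `module_alloc_exec` takes the same disable path, and since the only `printk` sits under `if (screen_info.vesapm_seg)`, nothing then tells the user that PMI was turned off.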
52358 +@@ -312,9 +322,29 @@ static int __init vesafb_probe(struct pl
52359 +
52360 + if (ypan || pmi_setpal) {
52361 + unsigned short *pmi_base;
52362 +- pmi_base = (unsigned short*)phys_to_virt(((unsigned long)screen_info.vesapm_seg << 4) + screen_info.vesapm_off);
52363 +- pmi_start = (void*)((char*)pmi_base + pmi_base[1]);
52364 +- pmi_pal = (void*)((char*)pmi_base + pmi_base[2]);
52365 ++
52366 ++#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
52367 ++ unsigned long cr0;
52368 ++#endif
52369 ++
52370 ++ pmi_base = (unsigned short*)phys_to_virt(((unsigned long)screen_info.vesapm_seg << 4) + screen_info.vesapm_off);
52371 ++
52372 ++#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
52373 ++ pax_open_kernel(cr0);
52374 ++ memcpy(pmi_code, pmi_base, screen_info.vesapm_size);
52375 ++#else
52376 ++ pmi_code = pmi_base;
52377 ++#endif
52378 ++
52379 ++ pmi_start = (void*)((char*)pmi_code + pmi_base[1]);
52380 ++ pmi_pal = (void*)((char*)pmi_code + pmi_base[2]);
52381 ++
52382 ++#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
52383 ++ pmi_start = ktva_ktla(pmi_start);
52384 ++ pmi_pal = ktva_ktla(pmi_pal);
52385 ++ pax_close_kernel(cr0);
52386 ++#endif
52387 ++
52388 + printk(KERN_INFO "vesafb: pmi: set display start = %p, set palette = %p\n",pmi_start,pmi_pal);
52389 + if (pmi_base[3]) {
52390 + printk(KERN_INFO "vesafb: pmi: ports = ");
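Review bot: the offsets `pmi_base[1]` and `pmi_base[2]` are read from the original BIOS area while the code itself has been copied with `memcpy(pmi_code, pmi_base, screen_info.vesapm_size)`; that is correct because the offsets are relative, but it deserves a comment, as do the two `ktva_ktla()` conversions and the `pax_open_kernel(cr0)`/`pax_close_kernel(cr0)` window, which exist because `pmi_start` and `pmi_pal` became `__read_only` in the earlier hunk and can only be assigned inside that window. The `#else` branch aliasing `pmi_code = pmi_base;` keeps the non-KERNEXEC build on the old behaviour, which is the right fallback.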
52391 +@@ -456,6 +486,11 @@ static int __init vesafb_probe(struct pl
52392 + info->node, info->fix.id);
52393 + return 0;
52394 + err:
52395 ++
52396 ++#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
52397 ++ module_free_exec(NULL, pmi_code);
52398 ++#endif
52399 ++
52400 + if (info->screen_base)
52401 + iounmap(info->screen_base);
52402 + framebuffer_release(info);
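Review bot: `module_free_exec(NULL, pmi_code);` under `err:` runs for every failure path of `vesafb_probe`, including those taken before `pmi_code` is allocated, so it relies on `module_free_exec` accepting the NULL that `void *pmi_code = NULL;` provides; either guard it with `if (pmi_code)` or confirm in a comment that NULL is tolerated. On the success path `pmi_code` is intentionally never freed, since `pmi_start`/`pmi_pal` point into it for the driver's lifetime, and that is worth stating too.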
52403 +diff -urNp linux-2.6.24.5/fs/9p/vfs_inode.c linux-2.6.24.5/fs/9p/vfs_inode.c
52404 +--- linux-2.6.24.5/fs/9p/vfs_inode.c 2008-03-24 14:49:18.000000000 -0400
52405 ++++ linux-2.6.24.5/fs/9p/vfs_inode.c 2008-03-26 20:21:08.000000000 -0400
52406 +@@ -996,7 +996,7 @@ static void *v9fs_vfs_follow_link(struct
52407 +
52408 + static void v9fs_vfs_put_link(struct dentry *dentry, struct nameidata *nd, void *p)
52409 + {
52410 +- char *s = nd_get_link(nd);
52411 ++ const char *s = nd_get_link(nd);
52412 +
52413 + P9_DPRINTK(P9_DEBUG_VFS, " %s %s\n", dentry->d_name.name, s);
52414 + if (!IS_ERR(s))
52415 +diff -urNp linux-2.6.24.5/fs/aio.c linux-2.6.24.5/fs/aio.c
52416 +--- linux-2.6.24.5/fs/aio.c 2008-03-24 14:49:18.000000000 -0400
52417 ++++ linux-2.6.24.5/fs/aio.c 2008-03-26 20:21:08.000000000 -0400
52418 +@@ -114,7 +114,7 @@ static int aio_setup_ring(struct kioctx
52419 + size += sizeof(struct io_event) * nr_events;
52420 + nr_pages = (size + PAGE_SIZE-1) >> PAGE_SHIFT;
52421 +
52422 +- if (nr_pages < 0)
52423 ++ if (nr_pages <= 0)
52424 + return -EINVAL;
52425 +
52426 + nr_events = (PAGE_SIZE * nr_pages - sizeof(struct aio_ring)) / sizeof(struct io_event);
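Review bot: tightening `nr_pages < 0` to `nr_pages <= 0` additionally rejects `nr_pages == 0`, which would otherwise make `PAGE_SIZE * nr_pages - sizeof(struct aio_ring)` on the next line wrap below zero; a zero can arise when the shifted size is truncated into the `int` `nr_pages`. A short comment naming the underflow as the case being guarded would help, because the check otherwise looks redundant for a value just computed from a non-zero size.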
52427 +diff -urNp linux-2.6.24.5/fs/autofs4/symlink.c linux-2.6.24.5/fs/autofs4/symlink.c
52428 +--- linux-2.6.24.5/fs/autofs4/symlink.c 2008-03-24 14:49:18.000000000 -0400
52429 ++++ linux-2.6.24.5/fs/autofs4/symlink.c 2008-03-26 20:21:08.000000000 -0400
52430 +@@ -15,7 +15,7 @@
52431 + static void *autofs4_follow_link(struct dentry *dentry, struct nameidata *nd)
52432 + {
52433 + struct autofs_info *ino = autofs4_dentry_ino(dentry);
52434 +- nd_set_link(nd, (char *)ino->u.symlink);
52435 ++ nd_set_link(nd, ino->u.symlink);
52436 + return NULL;
52437 + }
52438 +
52439 +diff -urNp linux-2.6.24.5/fs/befs/linuxvfs.c linux-2.6.24.5/fs/befs/linuxvfs.c
52440 +--- linux-2.6.24.5/fs/befs/linuxvfs.c 2008-03-24 14:49:18.000000000 -0400
52441 ++++ linux-2.6.24.5/fs/befs/linuxvfs.c 2008-03-26 20:21:08.000000000 -0400
52442 +@@ -482,7 +482,7 @@ static void befs_put_link(struct dentry
52443 + {
52444 + befs_inode_info *befs_ino = BEFS_I(dentry->d_inode);
52445 + if (befs_ino->i_flags & BEFS_LONG_SYMLINK) {
52446 +- char *p = nd_get_link(nd);
52447 ++ const char *p = nd_get_link(nd);
52448 + if (!IS_ERR(p))
52449 + kfree(p);
52450 + }
52451 +diff -urNp linux-2.6.24.5/fs/binfmt_aout.c linux-2.6.24.5/fs/binfmt_aout.c
52452 +--- linux-2.6.24.5/fs/binfmt_aout.c 2008-03-24 14:49:18.000000000 -0400
52453 ++++ linux-2.6.24.5/fs/binfmt_aout.c 2008-03-26 20:21:08.000000000 -0400
52454 +@@ -24,6 +24,7 @@
52455 + #include <linux/binfmts.h>
52456 + #include <linux/personality.h>
52457 + #include <linux/init.h>
52458 ++#include <linux/grsecurity.h>
52459 +
52460 + #include <asm/system.h>
52461 + #include <asm/uaccess.h>
52462 +@@ -123,18 +124,22 @@ static int aout_core_dump(long signr, st
52463 + /* If the size of the dump file exceeds the rlimit, then see what would happen
52464 + if we wrote the stack, but not the data area. */
52465 + #ifdef __sparc__
52466 ++ gr_learn_resource(current, RLIMIT_CORE, dump.u_dsize + dump.u_ssize, 1);
52467 + if ((dump.u_dsize + dump.u_ssize) > limit)
52468 + dump.u_dsize = 0;
52469 + #else
52470 ++ gr_learn_resource(current, RLIMIT_CORE, (dump.u_dsize + dump.u_ssize+1) * PAGE_SIZE, 1);
52471 + if ((dump.u_dsize + dump.u_ssize+1) * PAGE_SIZE > limit)
52472 + dump.u_dsize = 0;
52473 + #endif
52474 +
52475 + /* Make sure we have enough room to write the stack and data areas. */
52476 + #ifdef __sparc__
52477 ++ gr_learn_resource(current, RLIMIT_CORE, dump.u_ssize, 1);
52478 + if (dump.u_ssize > limit)
52479 + dump.u_ssize = 0;
52480 + #else
52481 ++ gr_learn_resource(current, RLIMIT_CORE, (dump.u_ssize + 1) * PAGE_SIZE, 1);
52482 + if ((dump.u_ssize + 1) * PAGE_SIZE > limit)
52483 + dump.u_ssize = 0;
52484 + #endif
52485 +@@ -290,6 +295,8 @@ static int load_aout_binary(struct linux
52486 + rlim = current->signal->rlim[RLIMIT_DATA].rlim_cur;
52487 + if (rlim >= RLIM_INFINITY)
52488 + rlim = ~0;
52489 ++
52490 ++ gr_learn_resource(current, RLIMIT_DATA, ex.a_data + ex.a_bss, 1);
52491 + if (ex.a_data + ex.a_bss > rlim)
52492 + return -ENOMEM;
52493 +
52494 +@@ -321,6 +328,28 @@ static int load_aout_binary(struct linux
52495 +
52496 + compute_creds(bprm);
52497 + current->flags &= ~PF_FORKNOEXEC;
52498 ++
52499 ++#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
52500 ++ current->mm->pax_flags = 0UL;
52501 ++#endif
52502 ++
52503 ++#ifdef CONFIG_PAX_PAGEEXEC
52504 ++ if (!(N_FLAGS(ex) & F_PAX_PAGEEXEC)) {
52505 ++ current->mm->pax_flags |= MF_PAX_PAGEEXEC;
52506 ++
52507 ++#ifdef CONFIG_PAX_EMUTRAMP
52508 ++ if (N_FLAGS(ex) & F_PAX_EMUTRAMP)
52509 ++ current->mm->pax_flags |= MF_PAX_EMUTRAMP;
52510 ++#endif
52511 ++
52512 ++#ifdef CONFIG_PAX_MPROTECT
52513 ++ if (!(N_FLAGS(ex) & F_PAX_MPROTECT))
52514 ++ current->mm->pax_flags |= MF_PAX_MPROTECT;
52515 ++#endif
52516 ++
52517 ++ }
52518 ++#endif
52519 ++
52520 + #ifdef __sparc__
52521 + if (N_MAGIC(ex) == NMAGIC) {
52522 + loff_t pos = fd_offset;
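Review bot: the header-flag semantics in this block are inverted for two of the three flags and not for the third: `if (!(N_FLAGS(ex) & F_PAX_PAGEEXEC))` and `if (!(N_FLAGS(ex) & F_PAX_MPROTECT))` treat the `F_PAX_*` bits as opt-out markers, while `if (N_FLAGS(ex) & F_PAX_EMUTRAMP)` treats the bit as opt-in. That asymmetry is easy to misread and deserves one comment at the top of the block. Separately, `current->mm->pax_flags = 0UL;` is guarded by `CONFIG_PAX_NOEXEC || CONFIG_PAX_ASLR` but the `CONFIG_PAX_PAGEEXEC` block below ORs into the same field; if PAGEEXEC can ever be selected without NOEXEC, the field would be ORed into without having been reset.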
52523 +@@ -416,7 +445,7 @@ static int load_aout_binary(struct linux
52524 +
52525 + down_write(&current->mm->mmap_sem);
52526 + error = do_mmap(bprm->file, N_DATADDR(ex), ex.a_data,
52527 +- PROT_READ | PROT_WRITE | PROT_EXEC,
52528 ++ PROT_READ | PROT_WRITE,
52529 + MAP_FIXED | MAP_PRIVATE | MAP_DENYWRITE | MAP_EXECUTABLE,
52530 + fd_offset + ex.a_text);
52531 + up_write(&current->mm->mmap_sem);
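Review bot: dropping `PROT_EXEC` from the `do_mmap` of the a.out data segment is a user-visible behaviour change for any a.out binary that executes code out of its data area; it is the right default under PAGEEXEC, but the commit message should call it out. It is also applied unconditionally, whereas the earlier hunk lets a binary opt out of PAGEEXEC via `F_PAX_PAGEEXEC`; the change should state whether such an opted-out binary still gets an executable data segment through some other path, since it no longer gets one here.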
52532 +diff -urNp linux-2.6.24.5/fs/binfmt_elf.c linux-2.6.24.5/fs/binfmt_elf.c
52533 +--- linux-2.6.24.5/fs/binfmt_elf.c 2008-03-24 14:49:18.000000000 -0400
52534 ++++ linux-2.6.24.5/fs/binfmt_elf.c 2008-03-26 20:21:08.000000000 -0400
52535 +@@ -39,10 +39,16 @@
52536 + #include <linux/random.h>
52537 + #include <linux/elf.h>
52538 + #include <linux/utsname.h>
52539 ++#include <linux/grsecurity.h>
52540 ++
52541 + #include <asm/uaccess.h>
52542 + #include <asm/param.h>
52543 + #include <asm/page.h>
52544 +
52545 ++#ifdef CONFIG_PAX_SEGMEXEC
52546 ++#include <asm/desc.h>
52547 ++#endif
52548 ++
52549 + static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs);
52550 + static int load_elf_library(struct file *);
52551 + static unsigned long elf_map (struct file *, unsigned long, struct elf_phdr *, int, int);
52552 +@@ -84,6 +90,8 @@ static struct linux_binfmt elf_format =
52553 +
52554 + static int set_brk(unsigned long start, unsigned long end)
52555 + {
52556 ++ unsigned long e = end;
52557 ++
52558 + start = ELF_PAGEALIGN(start);
52559 + end = ELF_PAGEALIGN(end);
52560 + if (end > start) {
52561 +@@ -94,7 +102,7 @@ static int set_brk(unsigned long start,
52562 + if (BAD_ADDR(addr))
52563 + return addr;
52564 + }
52565 +- current->mm->start_brk = current->mm->brk = end;
52566 ++ current->mm->start_brk = current->mm->brk = e;
52567 + return 0;
52568 + }
52569 +
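Review bot: `current->mm->start_brk = current->mm->brk = e;` now records the unaligned `end` instead of `ELF_PAGEALIGN(end)`, while the mapping above still covers the page-aligned range. That looks deliberate (the heap starts exactly where bss ends rather than on the next page boundary), but nothing in either hunk explains it, and every consumer of `mm->brk` must tolerate a non-page-aligned value from now on; a comment at `unsigned long e = end;` stating the intent would help.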
52570 +@@ -328,10 +336,9 @@ static unsigned long load_elf_interp(str
52571 + {
52572 + struct elf_phdr *elf_phdata;
52573 + struct elf_phdr *eppnt;
52574 +- unsigned long load_addr = 0;
52575 +- int load_addr_set = 0;
52576 ++ unsigned long load_addr = 0, min_addr, max_addr, pax_task_size = TASK_SIZE;
52577 + unsigned long last_bss = 0, elf_bss = 0;
52578 +- unsigned long error = ~0UL;
52579 ++ unsigned long error = -EINVAL;
52580 + int retval, i, size;
52581 +
52582 + /* First of all, some simple consistency checks */
52583 +@@ -370,66 +377,86 @@ static unsigned long load_elf_interp(str
52584 + goto out_close;
52585 + }
52586 +
52587 ++#ifdef CONFIG_PAX_SEGMEXEC
52588 ++ if (current->mm->pax_flags & MF_PAX_SEGMEXEC)
52589 ++ pax_task_size = SEGMEXEC_TASK_SIZE;
52590 ++#endif
52591 ++
52592 + eppnt = elf_phdata;
52593 ++ min_addr = pax_task_size;
52594 ++ max_addr = 0;
52595 ++ error = -ENOMEM;
52596 ++
52597 + for (i = 0; i < interp_elf_ex->e_phnum; i++, eppnt++) {
52598 +- if (eppnt->p_type == PT_LOAD) {
52599 +- int elf_type = MAP_PRIVATE | MAP_DENYWRITE;
52600 +- int elf_prot = 0;
52601 +- unsigned long vaddr = 0;
52602 +- unsigned long k, map_addr;
52603 +-
52604 +- if (eppnt->p_flags & PF_R)
52605 +- elf_prot = PROT_READ;
52606 +- if (eppnt->p_flags & PF_W)
52607 +- elf_prot |= PROT_WRITE;
52608 +- if (eppnt->p_flags & PF_X)
52609 +- elf_prot |= PROT_EXEC;
52610 +- vaddr = eppnt->p_vaddr;
52611 +- if (interp_elf_ex->e_type == ET_EXEC || load_addr_set)
52612 +- elf_type |= MAP_FIXED;
52613 +-
52614 +- map_addr = elf_map(interpreter, load_addr + vaddr,
52615 +- eppnt, elf_prot, elf_type);
52616 +- error = map_addr;
52617 +- if (BAD_ADDR(map_addr))
52618 +- goto out_close;
52619 +-
52620 +- if (!load_addr_set &&
52621 +- interp_elf_ex->e_type == ET_DYN) {
52622 +- load_addr = map_addr - ELF_PAGESTART(vaddr);
52623 +- load_addr_set = 1;
52624 +- }
52625 ++ if (eppnt->p_type != PT_LOAD)
52626 ++ continue;
52627 +
52628 +- /*
52629 +- * Check to see if the section's size will overflow the
52630 +- * allowed task size. Note that p_filesz must always be
52631 +- * <= p_memsize so it's only necessary to check p_memsz.
52632 +- */
52633 +- k = load_addr + eppnt->p_vaddr;
52634 +- if (BAD_ADDR(k) ||
52635 +- eppnt->p_filesz > eppnt->p_memsz ||
52636 +- eppnt->p_memsz > TASK_SIZE ||
52637 +- TASK_SIZE - eppnt->p_memsz < k) {
52638 +- error = -ENOMEM;
52639 +- goto out_close;
52640 +- }
52641 ++ /*
52642 ++ * Check to see if the section's size will overflow the
52643 ++ * allowed task size. Note that p_filesz must always be
52644 ++ * <= p_memsize so it is only necessary to check p_memsz.
52645 ++ */
52646 ++ if (eppnt->p_filesz > eppnt->p_memsz || eppnt->p_vaddr >= eppnt->p_vaddr + eppnt->p_memsz)
52647 ++ goto out_close;
52648 +
52649 +- /*
52650 +- * Find the end of the file mapping for this phdr, and
52651 +- * keep track of the largest address we see for this.
52652 +- */
52653 +- k = load_addr + eppnt->p_vaddr + eppnt->p_filesz;
52654 +- if (k > elf_bss)
52655 +- elf_bss = k;
52656 ++ if (min_addr > ELF_PAGESTART(eppnt->p_vaddr))
52657 ++ min_addr = ELF_PAGESTART(eppnt->p_vaddr);
52658 ++ if (max_addr < ELF_PAGEALIGN(eppnt->p_vaddr + eppnt->p_memsz))
52659 ++ max_addr = ELF_PAGEALIGN(eppnt->p_vaddr + eppnt->p_memsz);
52660 ++ }
52661 ++ if (min_addr >= max_addr || max_addr > pax_task_size)
52662 ++ goto out_close;
52663 +
52664 +- /*
52665 +- * Do the same thing for the memory mapping - between
52666 +- * elf_bss and last_bss is the bss section.
52667 +- */
52668 +- k = load_addr + eppnt->p_memsz + eppnt->p_vaddr;
52669 +- if (k > last_bss)
52670 +- last_bss = k;
52671 +- }
52672 ++ if (interp_elf_ex->e_type == ET_DYN) {
52673 ++ load_addr = get_unmapped_area(interpreter, 0, max_addr - min_addr, 0, MAP_PRIVATE | MAP_EXECUTABLE);
52674 ++
52675 ++ if (load_addr >= pax_task_size)
52676 ++ goto out_close;
52677 ++
52678 ++ load_addr -= min_addr;
52679 ++ }
52680 ++
52681 ++ eppnt = elf_phdata;
52682 ++ for (i = 0; i < interp_elf_ex->e_phnum; i++, eppnt++) {
52683 ++ int elf_type = MAP_PRIVATE | MAP_DENYWRITE | MAP_FIXED;
52684 ++ int elf_prot = 0;
52685 ++ unsigned long vaddr = 0;
52686 ++ unsigned long k, map_addr;
52687 ++
52688 ++ if (eppnt->p_type != PT_LOAD)
52689 ++ continue;
52690 ++
52691 ++ if (eppnt->p_flags & PF_R)
52692 ++ elf_prot = PROT_READ;
52693 ++ if (eppnt->p_flags & PF_W)
52694 ++ elf_prot |= PROT_WRITE;
52695 ++ if (eppnt->p_flags & PF_X)
52696 ++ elf_prot |= PROT_EXEC;
52697 ++ vaddr = eppnt->p_vaddr;
52698 ++
52699 ++ map_addr = elf_map(interpreter, load_addr + vaddr,
52700 ++ eppnt, elf_prot, elf_type);
52701 ++ error = map_addr;
52702 ++ if (BAD_ADDR(map_addr))
52703 ++ goto out_close;
52704 ++
52705 ++ k = load_addr + eppnt->p_vaddr;
52706 ++
52707 ++ /*
52708 ++ * Find the end of the file mapping for this phdr, and
52709 ++ * keep track of the largest address we see for this.
52710 ++ */
52711 ++ k = load_addr + eppnt->p_vaddr + eppnt->p_filesz;
52712 ++ if (k > elf_bss)
52713 ++ elf_bss = k;
52714 ++
52715 ++ /*
52716 ++ * Do the same thing for the memory mapping - between
52717 ++ * elf_bss and last_bss is the bss section.
52718 ++ */
52719 ++ k = load_addr + eppnt->p_memsz + eppnt->p_vaddr;
52720 ++ if (k > last_bss)
52721 ++ last_bss = k;
52722 + }
52723 +
52724 + /*
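Review bot: `k = load_addr + eppnt->p_vaddr;` near the end of the new PT_LOAD mapping loop is a dead store, overwritten a few lines later by `k = load_addr + eppnt->p_vaddr + eppnt->p_filesz;`; drop it. More importantly, the two new exits `if (min_addr >= max_addr || max_addr > pax_task_size) goto out_close;` and `if (load_addr >= pax_task_size) goto out_close;` jump out without assigning `error`, so load_elf_interp returns whatever `error` held on entry. Either confirm it is initialised to an errno value at the top of the function (not in this hunk) or set `error = -EINVAL` explicitly before each goto. The `load_addr >= pax_task_size` test does also reject a negative-errno return from get_unmapped_area, since that wraps to a large unsigned value.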
52725 +@@ -457,6 +484,8 @@ static unsigned long load_elf_interp(str
52726 +
52727 + *interp_load_addr = load_addr;
52728 + error = ((unsigned long)interp_elf_ex->e_entry) + load_addr;
52729 ++ if (BAD_ADDR(error))
52730 ++ error = -EFAULT;
52731 +
52732 + out_close:
52733 + kfree(elf_phdata);
52734 +@@ -467,7 +496,7 @@ out:
52735 + static unsigned long load_aout_interp(struct exec *interp_ex,
52736 + struct file *interpreter)
52737 + {
52738 +- unsigned long text_data, elf_entry = ~0UL;
52739 ++ unsigned long text_data, elf_entry = -EINVAL;
52740 + char __user * addr;
52741 + loff_t offset;
52742 +
52743 +@@ -510,6 +539,177 @@ out:
52744 + return elf_entry;
52745 + }
52746 +
52747 ++#if (defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)) && defined(CONFIG_PAX_SOFTMODE)
52748 ++static unsigned long pax_parse_softmode(const struct elf_phdr * const elf_phdata)
52749 ++{
52750 ++ unsigned long pax_flags = 0UL;
52751 ++
52752 ++#ifdef CONFIG_PAX_PAGEEXEC
52753 ++ if (elf_phdata->p_flags & PF_PAGEEXEC)
52754 ++ pax_flags |= MF_PAX_PAGEEXEC;
52755 ++#endif
52756 ++
52757 ++#ifdef CONFIG_PAX_SEGMEXEC
52758 ++ if (elf_phdata->p_flags & PF_SEGMEXEC)
52759 ++ pax_flags |= MF_PAX_SEGMEXEC;
52760 ++#endif
52761 ++
52762 ++#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
52763 ++ if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) == (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
52764 ++ if (nx_enabled)
52765 ++ pax_flags &= ~MF_PAX_SEGMEXEC;
52766 ++ else
52767 ++ pax_flags &= ~MF_PAX_PAGEEXEC;
52768 ++ }
52769 ++#endif
52770 ++
52771 ++#ifdef CONFIG_PAX_EMUTRAMP
52772 ++ if (elf_phdata->p_flags & PF_EMUTRAMP)
52773 ++ pax_flags |= MF_PAX_EMUTRAMP;
52774 ++#endif
52775 ++
52776 ++#ifdef CONFIG_PAX_MPROTECT
52777 ++ if (elf_phdata->p_flags & PF_MPROTECT)
52778 ++ pax_flags |= MF_PAX_MPROTECT;
52779 ++#endif
52780 ++
52781 ++#if defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)
52782 ++ if (randomize_va_space && (elf_phdata->p_flags & PF_RANDMMAP))
52783 ++ pax_flags |= MF_PAX_RANDMMAP;
52784 ++#endif
52785 ++
52786 ++ return pax_flags;
52787 ++}
52788 ++#endif
52789 ++
52790 ++#ifdef CONFIG_PAX_PT_PAX_FLAGS
52791 ++static unsigned long pax_parse_hardmode(const struct elf_phdr * const elf_phdata)
52792 ++{
52793 ++ unsigned long pax_flags = 0UL;
52794 ++
52795 ++#ifdef CONFIG_PAX_PAGEEXEC
52796 ++ if (!(elf_phdata->p_flags & PF_NOPAGEEXEC))
52797 ++ pax_flags |= MF_PAX_PAGEEXEC;
52798 ++#endif
52799 ++
52800 ++#ifdef CONFIG_PAX_SEGMEXEC
52801 ++ if (!(elf_phdata->p_flags & PF_NOSEGMEXEC))
52802 ++ pax_flags |= MF_PAX_SEGMEXEC;
52803 ++#endif
52804 ++
52805 ++#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
52806 ++ if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) == (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
52807 ++ if (nx_enabled)
52808 ++ pax_flags &= ~MF_PAX_SEGMEXEC;
52809 ++ else
52810 ++ pax_flags &= ~MF_PAX_PAGEEXEC;
52811 ++ }
52812 ++#endif
52813 ++
52814 ++#ifdef CONFIG_PAX_EMUTRAMP
52815 ++ if (!(elf_phdata->p_flags & PF_NOEMUTRAMP))
52816 ++ pax_flags |= MF_PAX_EMUTRAMP;
52817 ++#endif
52818 ++
52819 ++#ifdef CONFIG_PAX_MPROTECT
52820 ++ if (!(elf_phdata->p_flags & PF_NOMPROTECT))
52821 ++ pax_flags |= MF_PAX_MPROTECT;
52822 ++#endif
52823 ++
52824 ++#if defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)
52825 ++ if (randomize_va_space && !(elf_phdata->p_flags & PF_NORANDMMAP))
52826 ++ pax_flags |= MF_PAX_RANDMMAP;
52827 ++#endif
52828 ++
52829 ++ return pax_flags;
52830 ++}
52831 ++#endif
52832 ++
52833 ++#ifdef CONFIG_PAX_EI_PAX
52834 ++static unsigned long pax_parse_ei_pax(const struct elfhdr * const elf_ex)
52835 ++{
52836 ++ unsigned long pax_flags = 0UL;
52837 ++
52838 ++#ifdef CONFIG_PAX_PAGEEXEC
52839 ++ if (!(elf_ex->e_ident[EI_PAX] & EF_PAX_PAGEEXEC))
52840 ++ pax_flags |= MF_PAX_PAGEEXEC;
52841 ++#endif
52842 ++
52843 ++#ifdef CONFIG_PAX_SEGMEXEC
52844 ++ if (!(elf_ex->e_ident[EI_PAX] & EF_PAX_SEGMEXEC))
52845 ++ pax_flags |= MF_PAX_SEGMEXEC;
52846 ++#endif
52847 ++
52848 ++#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
52849 ++ if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) == (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
52850 ++ if (nx_enabled)
52851 ++ pax_flags &= ~MF_PAX_SEGMEXEC;
52852 ++ else
52853 ++ pax_flags &= ~MF_PAX_PAGEEXEC;
52854 ++ }
52855 ++#endif
52856 ++
52857 ++#ifdef CONFIG_PAX_EMUTRAMP
52858 ++ if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) && (elf_ex->e_ident[EI_PAX] & EF_PAX_EMUTRAMP))
52859 ++ pax_flags |= MF_PAX_EMUTRAMP;
52860 ++#endif
52861 ++
52862 ++#ifdef CONFIG_PAX_MPROTECT
52863 ++ if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) && !(elf_ex->e_ident[EI_PAX] & EF_PAX_MPROTECT))
52864 ++ pax_flags |= MF_PAX_MPROTECT;
52865 ++#endif
52866 ++
52867 ++#ifdef CONFIG_PAX_ASLR
52868 ++ if (randomize_va_space && !(elf_ex->e_ident[EI_PAX] & EF_PAX_RANDMMAP))
52869 ++ pax_flags |= MF_PAX_RANDMMAP;
52870 ++#endif
52871 ++
52872 ++ return pax_flags;
52873 ++}
52874 ++#endif
52875 ++
52876 ++#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)
52877 ++static long pax_parse_elf_flags(const struct elfhdr * const elf_ex, const struct elf_phdr * const elf_phdata)
52878 ++{
52879 ++ unsigned long pax_flags = 0UL;
52880 ++
52881 ++#ifdef CONFIG_PAX_PT_PAX_FLAGS
52882 ++ unsigned long i;
52883 ++#endif
52884 ++
52885 ++#ifdef CONFIG_PAX_EI_PAX
52886 ++ pax_flags = pax_parse_ei_pax(elf_ex);
52887 ++#endif
52888 ++
52889 ++#ifdef CONFIG_PAX_PT_PAX_FLAGS
52890 ++ for (i = 0UL; i < elf_ex->e_phnum; i++)
52891 ++ if (elf_phdata[i].p_type == PT_PAX_FLAGS) {
52892 ++ if (((elf_phdata[i].p_flags & PF_PAGEEXEC) && (elf_phdata[i].p_flags & PF_NOPAGEEXEC)) ||
52893 ++ ((elf_phdata[i].p_flags & PF_SEGMEXEC) && (elf_phdata[i].p_flags & PF_NOSEGMEXEC)) ||
52894 ++ ((elf_phdata[i].p_flags & PF_EMUTRAMP) && (elf_phdata[i].p_flags & PF_NOEMUTRAMP)) ||
52895 ++ ((elf_phdata[i].p_flags & PF_MPROTECT) && (elf_phdata[i].p_flags & PF_NOMPROTECT)) ||
52896 ++ ((elf_phdata[i].p_flags & PF_RANDMMAP) && (elf_phdata[i].p_flags & PF_NORANDMMAP)))
52897 ++ return -EINVAL;
52898 ++
52899 ++#ifdef CONFIG_PAX_SOFTMODE
52900 ++ if (pax_softmode)
52901 ++ pax_flags = pax_parse_softmode(&elf_phdata[i]);
52902 ++ else
52903 ++#endif
52904 ++
52905 ++ pax_flags = pax_parse_hardmode(&elf_phdata[i]);
52906 ++ break;
52907 ++ }
52908 ++#endif
52909 ++
52910 ++ if (0 > pax_check_flags(&pax_flags))
52911 ++ return -EINVAL;
52912 ++
52913 ++ current->mm->pax_flags = pax_flags;
52914 ++ return 0;
52915 ++}
52916 ++#endif
52917 ++
52918 + /*
52919 + * These are the functions used to load ELF style executables and shared
52920 + * libraries. There is no binary dependent code anywhere else.
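Review bot: the RANDMMAP config guards disagree between the three parsers: pax_parse_ei_pax sets MF_PAX_RANDMMAP under `#ifdef CONFIG_PAX_ASLR`, while pax_parse_softmode and pax_parse_hardmode use `#if defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)`. With only RANDUSTACK configured, a binary carrying PT_PAX_FLAGS can end up with MF_PAX_RANDMMAP set while an EI_PAX-only binary never does; pick one guard. The PAGEEXEC/SEGMEXEC conflict block (`if (nx_enabled) pax_flags &= ~MF_PAX_SEGMEXEC; else pax_flags &= ~MF_PAX_PAGEEXEC;`) is pasted verbatim into all three functions and should be a small helper. In pax_parse_elf_flags a PT_PAX_FLAGS header replaces the EI_PAX result outright rather than merging with it; state that precedence in a comment, and give the `else` that is separated from its `pax_parse_hardmode` call by `#endif` a pair of braces so the pairing is not left to the preprocessor.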
52921 +@@ -547,7 +747,7 @@ static int load_elf_binary(struct linux_
52922 + char * elf_interpreter = NULL;
52923 + unsigned int interpreter_type = INTERPRETER_NONE;
52924 + unsigned char ibcs2_interpreter = 0;
52925 +- unsigned long error;
52926 ++ unsigned long error = 0;
52927 + struct elf_phdr *elf_ppnt, *elf_phdata;
52928 + unsigned long elf_bss, elf_brk;
52929 + int elf_exec_fileno;
52930 +@@ -559,12 +759,12 @@ static int load_elf_binary(struct linux_
52931 + char passed_fileno[6];
52932 + struct files_struct *files;
52933 + int executable_stack = EXSTACK_DEFAULT;
52934 +- unsigned long def_flags = 0;
52935 + struct {
52936 + struct elfhdr elf_ex;
52937 + struct elfhdr interp_elf_ex;
52938 + struct exec interp_ex;
52939 + } *loc;
52940 ++ unsigned long pax_task_size = TASK_SIZE;
52941 +
52942 + loc = kmalloc(sizeof(*loc), GFP_KERNEL);
52943 + if (!loc) {
52944 +@@ -799,14 +999,89 @@ static int load_elf_binary(struct linux_
52945 +
52946 + /* OK, This is the point of no return */
52947 + current->flags &= ~PF_FORKNOEXEC;
52948 +- current->mm->def_flags = def_flags;
52949 ++
52950 ++#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
52951 ++ current->mm->pax_flags = 0UL;
52952 ++#endif
52953 ++
52954 ++#ifdef CONFIG_PAX_DLRESOLVE
52955 ++ current->mm->call_dl_resolve = 0UL;
52956 ++#endif
52957 ++
52958 ++#if defined(CONFIG_PPC32) && defined(CONFIG_PAX_EMUSIGRT)
52959 ++ current->mm->call_syscall = 0UL;
52960 ++#endif
52961 ++
52962 ++#ifdef CONFIG_PAX_ASLR
52963 ++ current->mm->delta_mmap = 0UL;
52964 ++ current->mm->delta_stack = 0UL;
52965 ++#endif
52966 ++
52967 ++ current->mm->def_flags = 0;
52968 ++
52969 ++#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)
52970 ++ if (0 > pax_parse_elf_flags(&loc->elf_ex, elf_phdata)) {
52971 ++ send_sig(SIGKILL, current, 0);
52972 ++ goto out_free_dentry;
52973 ++ }
52974 ++#endif
52975 ++
52976 ++#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
52977 ++ pax_set_initial_flags(bprm);
52978 ++#elif defined(CONFIG_PAX_HOOK_ACL_FLAGS)
52979 ++ if (pax_set_initial_flags_func)
52980 ++ (pax_set_initial_flags_func)(bprm);
52981 ++#endif
52982 ++
52983 ++#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
52984 ++ if ((current->mm->pax_flags & MF_PAX_PAGEEXEC) && !nx_enabled) {
52985 ++ current->mm->context.user_cs_limit = PAGE_SIZE;
52986 ++ current->mm->def_flags |= VM_PAGEEXEC;
52987 ++ }
52988 ++#endif
52989 ++
52990 ++#ifdef CONFIG_PAX_SEGMEXEC
52991 ++ if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
52992 ++ current->mm->context.user_cs_base = SEGMEXEC_TASK_SIZE;
52993 ++ current->mm->context.user_cs_limit = TASK_SIZE-SEGMEXEC_TASK_SIZE;
52994 ++ pax_task_size = SEGMEXEC_TASK_SIZE;
52995 ++ }
52996 ++#endif
52997 ++
52998 ++#if defined(CONFIG_ARCH_TRACK_EXEC_LIMIT) || defined(CONFIG_PAX_SEGMEXEC)
52999 ++ if (current->mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
53000 ++ set_user_cs(current->mm->context.user_cs_base, current->mm->context.user_cs_limit, get_cpu());
53001 ++ put_cpu_no_resched();
53002 ++ }
53003 ++#endif
53004 ++
53005 ++#ifdef CONFIG_PAX_ASLR
53006 ++ if (current->mm->pax_flags & MF_PAX_RANDMMAP) {
53007 ++ current->mm->delta_mmap = (pax_get_random_long() & ((1UL << PAX_DELTA_MMAP_LEN)-1)) << PAGE_SHIFT;
53008 ++ current->mm->delta_stack = (pax_get_random_long() & ((1UL << PAX_DELTA_STACK_LEN)-1)) << PAGE_SHIFT;
53009 ++ }
53010 ++#endif
53011 ++
53012 ++#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
53013 ++ if (current->mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC))
53014 ++ executable_stack = EXSTACK_DEFAULT;
53015 ++#endif
53016 +
53017 + /* Do this immediately, since STACK_TOP as used in setup_arg_pages
53018 + may depend on the personality. */
53019 + SET_PERSONALITY(loc->elf_ex, ibcs2_interpreter);
53020 ++
53021 ++#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
53022 ++ if (!(current->mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)))
53023 ++#endif
53024 ++
53025 + if (elf_read_implies_exec(loc->elf_ex, executable_stack))
53026 + current->personality |= READ_IMPLIES_EXEC;
53027 +
53028 ++#ifdef CONFIG_PAX_ASLR
53029 ++ if (!(current->mm->pax_flags & MF_PAX_RANDMMAP))
53030 ++#endif
53031 ++
53032 + if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
53033 + current->flags |= PF_RANDOMIZE;
53034 + arch_pick_mmap_layout(current->mm);
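Review bot: the pattern `#if ... if (!(current->mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC))) #endif` immediately followed by the pre-existing `if (elf_read_implies_exec(loc->elf_ex, executable_stack))` relies on two `if` statements nesting across a preprocessor boundary, and the same trick is used for the MF_PAX_RANDMMAP guard in front of the PF_RANDOMIZE test. Fold the PaX condition into the existing `if` or add braces, so a later edit cannot silently detach the guard from the statement it is meant to cover. Also, `executable_stack = EXSTACK_DEFAULT;` under PAGEEXEC/SEGMEXEC discards a PT_GNU_STACK request for an executable stack before SET_PERSONALITY; that is consistent with setup_arg_pages stripping VM_EXEC for these tasks later in this patch, but a one-line comment here would save the reader the cross-reference.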
53035 +@@ -882,6 +1157,20 @@ static int load_elf_binary(struct linux_
53036 + * might try to exec. This is because the brk will
53037 + * follow the loader, and is not movable. */
53038 + load_bias = ELF_PAGESTART(ELF_ET_DYN_BASE - vaddr);
53039 ++
53040 ++#ifdef CONFIG_PAX_RANDMMAP
53041 ++ /* PaX: randomize base address at the default exe base if requested */
53042 ++ if ((current->mm->pax_flags & MF_PAX_RANDMMAP) && elf_interpreter) {
53043 ++#ifdef CONFIG_SPARC64
53044 ++ load_bias = (pax_get_random_long() & ((1UL << PAX_DELTA_MMAP_LEN) - 1)) << (PAGE_SHIFT+1);
53045 ++#else
53046 ++ load_bias = (pax_get_random_long() & ((1UL << PAX_DELTA_MMAP_LEN) - 1)) << PAGE_SHIFT;
53047 ++#endif
53048 ++ load_bias = ELF_PAGESTART(PAX_ELF_ET_DYN_BASE - vaddr + load_bias);
53049 ++ elf_flags |= MAP_FIXED;
53050 ++ }
53051 ++#endif
53052 ++
53053 + }
53054 +
53055 + error = elf_map(bprm->file, load_bias + vaddr, elf_ppnt,
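Review bot: `elf_flags |= MAP_FIXED;` makes the randomised base mandatory, so anything already mapped at `ELF_PAGESTART(PAX_ELF_ET_DYN_BASE - vaddr + load_bias)` would be replaced silently instead of failing; confirm that the PAX_DELTA_MMAP_LEN range above PAX_ELF_ET_DYN_BASE cannot reach the stack vma set up by setup_arg_pages, or drop MAP_FIXED and verify the returned address. The `&& elf_interpreter` condition means an ET_DYN binary without PT_INTERP keeps the fixed ELF_ET_DYN_BASE; if that is deliberate, say so in the comment above. The SPARC64-only `PAGE_SHIFT+1` shift also wants a one-line justification.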
53056 +@@ -914,9 +1203,9 @@ static int load_elf_binary(struct linux_
53057 + * allowed task size. Note that p_filesz must always be
53058 + * <= p_memsz so it is only necessary to check p_memsz.
53059 + */
53060 +- if (BAD_ADDR(k) || elf_ppnt->p_filesz > elf_ppnt->p_memsz ||
53061 +- elf_ppnt->p_memsz > TASK_SIZE ||
53062 +- TASK_SIZE - elf_ppnt->p_memsz < k) {
53063 ++ if (k >= pax_task_size || elf_ppnt->p_filesz > elf_ppnt->p_memsz ||
53064 ++ elf_ppnt->p_memsz > pax_task_size ||
53065 ++ pax_task_size - elf_ppnt->p_memsz < k) {
53066 + /* set_brk can never work. Avoid overflows. */
53067 + send_sig(SIGKILL, current, 0);
53068 + retval = -EINVAL;
53069 +@@ -944,6 +1233,11 @@ static int load_elf_binary(struct linux_
53070 + start_data += load_bias;
53071 + end_data += load_bias;
53072 +
53073 ++#ifdef CONFIG_PAX_RANDMMAP
53074 ++ if (current->mm->pax_flags & MF_PAX_RANDMMAP)
53075 ++ elf_brk += PAGE_SIZE + ((pax_get_random_long() & ~PAGE_MASK) << 4);
53076 ++#endif
53077 ++
53078 + /* Calling set_brk effectively mmaps the pages that we need
53079 + * for the bss and break sections. We must do this before
53080 + * mapping in the interpreter, to make sure it doesn't wind
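Review bot: `elf_brk += PAGE_SIZE + ((pax_get_random_long() & ~PAGE_MASK) << 4);` uses a bare `<< 4`; name the resulting gap (one page plus a random offset of up to sixteen pages) with a constant or comment. Since elf_bss is left where it was, the `elf_bss != elf_brk` test that follows now holds for every RANDMMAP binary, not only for those with p_memsz > p_filesz, which is fine but worth stating next to the padzero call.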
53081 +@@ -955,9 +1249,11 @@ static int load_elf_binary(struct linux_
53082 + goto out_free_dentry;
53083 + }
53084 + if (likely(elf_bss != elf_brk) && unlikely(padzero(elf_bss))) {
53085 +- send_sig(SIGSEGV, current, 0);
53086 +- retval = -EFAULT; /* Nobody gets to see this, but.. */
53087 +- goto out_free_dentry;
53088 ++ /*
53089 ++ * This bss-zeroing can fail if the ELF
53090 ++ * file specifies odd protections. So
53091 ++ * we don't check the return value
53092 ++ */
53093 + }
53094 +
53095 + if (elf_interpreter) {
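Review bot: `if (likely(elf_bss != elf_brk) && unlikely(padzero(elf_bss)))` now owns an empty block holding only a comment, and `unlikely()` on a result nobody acts on is misleading. Rewrite as a plain `if (elf_bss != elf_brk) padzero(elf_bss);` with the explanatory comment above it. Note for the changelog that a padzero failure no longer kills the exec and instead leaves the tail of the last file-backed page un-zeroed; the comment gives the reason, but the behaviour change should be called out.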
53096 +@@ -1194,8 +1490,10 @@ static int dump_seek(struct file *file,
53097 + unsigned long n = off;
53098 + if (n > PAGE_SIZE)
53099 + n = PAGE_SIZE;
53100 +- if (!dump_write(file, buf, n))
53101 ++ if (!dump_write(file, buf, n)) {
53102 ++ free_page((unsigned long)buf);
53103 + return 0;
53104 ++ }
53105 + off -= n;
53106 + }
53107 + free_page((unsigned long)buf);
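Review bot: correct leak fix, the early `return 0;` previously dropped the page allocated for `buf`. A single exit that frees the page once (for example `goto` to the existing free_page, or breaking out of the loop with a result flag) would avoid the second free_page call and the chance of the two diverging again.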
53108 +@@ -1207,7 +1505,7 @@ static int dump_seek(struct file *file,
53109 + * Decide what to dump of a segment, part, all or none.
53110 + */
53111 + static unsigned long vma_dump_size(struct vm_area_struct *vma,
53112 +- unsigned long mm_flags)
53113 ++ unsigned long mm_flags, long signr)
53114 + {
53115 + /* The vma can be set up to tell us the answer directly. */
53116 + if (vma->vm_flags & VM_ALWAYSDUMP)
53117 +@@ -1233,7 +1531,7 @@ static unsigned long vma_dump_size(struc
53118 + if (vma->vm_file == NULL)
53119 + return 0;
53120 +
53121 +- if (FILTER(MAPPED_PRIVATE))
53122 ++ if (signr == SIGKILL || FILTER(MAPPED_PRIVATE))
53123 + goto whole;
53124 +
53125 + /*
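Review bot: `if (signr == SIGKILL || FILTER(MAPPED_PRIVATE))` special-cases SIGKILL without a comment, and nothing in this file tells the reader which caller passes SIGKILL to elf_core_dump or why such a dump should include private file mappings in full. Add the rationale next to the test so the exception is not removed as dead code later.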
53126 +@@ -1319,8 +1617,11 @@ static int writenote(struct memelfnote *
53127 + #undef DUMP_WRITE
53128 +
53129 + #define DUMP_WRITE(addr, nr) \
53130 ++ do { \
53131 ++ gr_learn_resource(current, RLIMIT_CORE, size + (nr), 1); \
53132 + if ((size += (nr)) > limit || !dump_write(file, (addr), (nr))) \
53133 +- goto end_coredump;
53134 ++ goto end_coredump; \
53135 ++ } while (0);
53136 + #define DUMP_SEEK(off) \
53137 + if (!dump_seek(file, (off))) \
53138 + goto end_coredump;
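Review bot: the `} while (0);` ending of the DUMP_WRITE macro has a trailing semicolon, which defeats the point of the do/while wrapper: `DUMP_WRITE(a, n);` expands to two statements and breaks `if (...) DUMP_WRITE(...); else ...`. Drop the semicolon. DUMP_SEEK directly below keeps the unwrapped `if ... goto` form, so either wrap both or neither. The `gr_learn_resource(current, RLIMIT_CORE, size + (nr), 1)` argument is computed before `size += (nr)`, matching the later `gr_learn_resource(current, RLIMIT_CORE, size + PAGE_SIZE, 1)` in the page loop.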
53139 +@@ -1710,7 +2011,7 @@ static int elf_core_dump(long signr, str
53140 + phdr.p_offset = offset;
53141 + phdr.p_vaddr = vma->vm_start;
53142 + phdr.p_paddr = 0;
53143 +- phdr.p_filesz = vma_dump_size(vma, mm_flags);
53144 ++ phdr.p_filesz = vma_dump_size(vma, mm_flags, signr);
53145 + phdr.p_memsz = vma->vm_end - vma->vm_start;
53146 + offset += phdr.p_filesz;
53147 + phdr.p_flags = vma->vm_flags & VM_READ ? PF_R : 0;
53148 +@@ -1753,7 +2054,7 @@ static int elf_core_dump(long signr, str
53149 + unsigned long addr;
53150 + unsigned long end;
53151 +
53152 +- end = vma->vm_start + vma_dump_size(vma, mm_flags);
53153 ++ end = vma->vm_start + vma_dump_size(vma, mm_flags, signr);
53154 +
53155 + for (addr = vma->vm_start; addr < end; addr += PAGE_SIZE) {
53156 + struct page *page;
53157 +@@ -1773,6 +2074,7 @@ static int elf_core_dump(long signr, str
53158 + flush_cache_page(vma, addr,
53159 + page_to_pfn(page));
53160 + kaddr = kmap(page);
53161 ++ gr_learn_resource(current, RLIMIT_CORE, size + PAGE_SIZE, 1);
53162 + if ((size += PAGE_SIZE) > limit ||
53163 + !dump_write(file, kaddr,
53164 + PAGE_SIZE)) {
53165 +diff -urNp linux-2.6.24.5/fs/binfmt_flat.c linux-2.6.24.5/fs/binfmt_flat.c
53166 +--- linux-2.6.24.5/fs/binfmt_flat.c 2008-03-24 14:49:18.000000000 -0400
53167 ++++ linux-2.6.24.5/fs/binfmt_flat.c 2008-03-26 20:21:08.000000000 -0400
53168 +@@ -561,7 +561,9 @@ static int load_flat_file(struct linux_b
53169 + realdatastart = (unsigned long) -ENOMEM;
53170 + printk("Unable to allocate RAM for process data, errno %d\n",
53171 + (int)-realdatastart);
53172 ++ down_write(&current->mm->mmap_sem);
53173 + do_munmap(current->mm, textpos, text_len);
53174 ++ up_write(&current->mm->mmap_sem);
53175 + ret = realdatastart;
53176 + goto err;
53177 + }
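Review bot: do_munmap requires mmap_sem held for write, so wrapping this error-path call in `down_write(&current->mm->mmap_sem);` / `up_write(...)` is the right fix, and the next two hunks do the same for the other two error exits of load_flat_file. Worth confirming there are no further do_munmap callers in this file outside these three paths, as the diff only shows the error exits.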
53178 +@@ -583,8 +585,10 @@ static int load_flat_file(struct linux_b
53179 + }
53180 + if (result >= (unsigned long)-4096) {
53181 + printk("Unable to read data+bss, errno %d\n", (int)-result);
53182 ++ down_write(&current->mm->mmap_sem);
53183 + do_munmap(current->mm, textpos, text_len);
53184 + do_munmap(current->mm, realdatastart, data_len + extra);
53185 ++ up_write(&current->mm->mmap_sem);
53186 + ret = result;
53187 + goto err;
53188 + }
53189 +@@ -657,8 +661,10 @@ static int load_flat_file(struct linux_b
53190 + }
53191 + if (result >= (unsigned long)-4096) {
53192 + printk("Unable to read code+data+bss, errno %d\n",(int)-result);
53193 ++ down_write(&current->mm->mmap_sem);
53194 + do_munmap(current->mm, textpos, text_len + data_len + extra +
53195 + MAX_SHARED_LIBS * sizeof(unsigned long));
53196 ++ up_write(&current->mm->mmap_sem);
53197 + ret = result;
53198 + goto err;
53199 + }
53200 +diff -urNp linux-2.6.24.5/fs/binfmt_misc.c linux-2.6.24.5/fs/binfmt_misc.c
53201 +--- linux-2.6.24.5/fs/binfmt_misc.c 2008-03-24 14:49:18.000000000 -0400
53202 ++++ linux-2.6.24.5/fs/binfmt_misc.c 2008-03-26 20:21:08.000000000 -0400
53203 +@@ -113,9 +113,11 @@ static int load_misc_binary(struct linux
53204 + struct files_struct *files = NULL;
53205 +
53206 + retval = -ENOEXEC;
53207 +- if (!enabled)
53208 ++ if (!enabled || bprm->misc)
53209 + goto _ret;
53210 +
53211 ++ bprm->misc++;
53212 ++
53213 + /* to keep locking time low, we copy the interpreter string */
53214 + read_lock(&entries_lock);
53215 + fmt = check_file(bprm);
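Review bot: `bprm->misc` is a new struct linux_binprm member that is not declared in this hunk; confirm the header change and that bprm is zero-initialised at allocation, because `if (!enabled || bprm->misc) goto _ret;` relies on the field starting at zero. It is only ever compared against zero, so `bprm->misc++` reads like a depth counter that nothing inspects; a boolean set once would say what is meant. A short comment that this stops a binfmt_misc interpreter from itself being resolved through binfmt_misc would also help.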
53216 +@@ -720,7 +722,7 @@ static int bm_fill_super(struct super_bl
53217 + static struct tree_descr bm_files[] = {
53218 + [2] = {"status", &bm_status_operations, S_IWUSR|S_IRUGO},
53219 + [3] = {"register", &bm_register_operations, S_IWUSR},
53220 +- /* last one */ {""}
53221 ++ /* last one */ {"", NULL, 0}
53222 + };
53223 + int err = simple_fill_super(sb, 0x42494e4d, bm_files);
53224 + if (!err)
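Review bot: `/* last one */ {"", NULL, 0}` only spells out fields that were already zero-initialised, i.e. it silences a missing-field-initializer warning and changes no behaviour; the same applies to the sentinel hunks in cifs_uniupr.h, compat_ioctl.c and debugfs/inode.c further down. Fine to keep, but they are unrelated to hardening and would be cleaner as a separate cosmetic patch.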
53225 +diff -urNp linux-2.6.24.5/fs/buffer.c linux-2.6.24.5/fs/buffer.c
53226 +--- linux-2.6.24.5/fs/buffer.c 2008-04-17 20:05:17.000000000 -0400
53227 ++++ linux-2.6.24.5/fs/buffer.c 2008-04-17 20:05:01.000000000 -0400
53228 +@@ -41,6 +41,7 @@
53229 + #include <linux/bitops.h>
53230 + #include <linux/mpage.h>
53231 + #include <linux/bit_spinlock.h>
53232 ++#include <linux/grsecurity.h>
53233 +
53234 + static int fsync_buffers_list(spinlock_t *lock, struct list_head *list);
53235 +
53236 +@@ -2170,6 +2171,7 @@ int generic_cont_expand_simple(struct in
53237 +
53238 + err = -EFBIG;
53239 + limit = current->signal->rlim[RLIMIT_FSIZE].rlim_cur;
53240 ++ gr_learn_resource(current, RLIMIT_FSIZE, (unsigned long) size, 1);
53241 + if (limit != RLIM_INFINITY && size > (loff_t)limit) {
53242 + send_sig(SIGXFSZ, current, 0);
53243 + goto out;
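Review bot: `gr_learn_resource(current, RLIMIT_FSIZE, (unsigned long) size, 1);` truncates a loff_t to unsigned long, so on 32-bit a size of 4 GiB or more is learned modulo 2^32 while the enforcement test two lines down compares the full `(loff_t)limit`. Clamp to ULONG_MAX before learning, or give gr_learn_resource a 64-bit parameter, so learned limits cannot come out smaller than the sizes actually written.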
53244 +diff -urNp linux-2.6.24.5/fs/cifs/cifs_uniupr.h linux-2.6.24.5/fs/cifs/cifs_uniupr.h
53245 +--- linux-2.6.24.5/fs/cifs/cifs_uniupr.h 2008-03-24 14:49:18.000000000 -0400
53246 ++++ linux-2.6.24.5/fs/cifs/cifs_uniupr.h 2008-03-26 20:21:08.000000000 -0400
53247 +@@ -132,7 +132,7 @@ const struct UniCaseRange CifsUniUpperRa
53248 + {0x0490, 0x04cc, UniCaseRangeU0490},
53249 + {0x1e00, 0x1ffc, UniCaseRangeU1e00},
53250 + {0xff40, 0xff5a, UniCaseRangeUff40},
53251 +- {0}
53252 ++ {0, 0, NULL}
53253 + };
53254 + #endif
53255 +
53256 +diff -urNp linux-2.6.24.5/fs/cifs/link.c linux-2.6.24.5/fs/cifs/link.c
53257 +--- linux-2.6.24.5/fs/cifs/link.c 2008-03-24 14:49:18.000000000 -0400
53258 ++++ linux-2.6.24.5/fs/cifs/link.c 2008-03-26 20:21:08.000000000 -0400
53259 +@@ -355,7 +355,7 @@ cifs_readlink(struct dentry *direntry, c
53260 +
53261 + void cifs_put_link(struct dentry *direntry, struct nameidata *nd, void *cookie)
53262 + {
53263 +- char *p = nd_get_link(nd);
53264 ++ const char *p = nd_get_link(nd);
53265 + if (!IS_ERR(p))
53266 + kfree(p);
53267 + }
53268 +diff -urNp linux-2.6.24.5/fs/compat.c linux-2.6.24.5/fs/compat.c
53269 +--- linux-2.6.24.5/fs/compat.c 2008-03-24 14:49:18.000000000 -0400
53270 ++++ linux-2.6.24.5/fs/compat.c 2008-03-26 20:21:08.000000000 -0400
53271 +@@ -50,6 +50,7 @@
53272 + #include <linux/poll.h>
53273 + #include <linux/mm.h>
53274 + #include <linux/eventpoll.h>
53275 ++#include <linux/grsecurity.h>
53276 +
53277 + #include <asm/uaccess.h>
53278 + #include <asm/mmu_context.h>
53279 +@@ -1300,14 +1301,12 @@ static int compat_copy_strings(int argc,
53280 + if (!kmapped_page || kpos != (pos & PAGE_MASK)) {
53281 + struct page *page;
53282 +
53283 +-#ifdef CONFIG_STACK_GROWSUP
53284 + ret = expand_stack_downwards(bprm->vma, pos);
53285 + if (ret < 0) {
53286 + /* We've exceed the stack rlimit. */
53287 + ret = -E2BIG;
53288 + goto out;
53289 + }
53290 +-#endif
53291 + ret = get_user_pages(current, bprm->mm, pos,
53292 + 1, 1, 1, &page, NULL);
53293 + if (ret <= 0) {
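Review bot: removing the `#ifdef CONFIG_STACK_GROWSUP` makes `expand_stack_downwards(bprm->vma, pos)` unconditional in compat_copy_strings; confirm it is defined and usable on every configuration (the old guard suggests it may only have been needed on grow-up stacks). The same change is made to get_arg_page in fs/exec.c later in this patch, so keep the two in step.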
53294 +@@ -1353,6 +1352,11 @@ int compat_do_execve(char * filename,
53295 + compat_uptr_t __user *envp,
53296 + struct pt_regs * regs)
53297 + {
53298 ++#ifdef CONFIG_GRKERNSEC
53299 ++ struct file *old_exec_file;
53300 ++ struct acl_subject_label *old_acl;
53301 ++ struct rlimit old_rlim[RLIM_NLIMITS];
53302 ++#endif
53303 + struct linux_binprm *bprm;
53304 + struct file *file;
53305 + int retval;
53306 +@@ -1373,6 +1377,14 @@ int compat_do_execve(char * filename,
53307 + bprm->filename = filename;
53308 + bprm->interp = filename;
53309 +
53310 ++ gr_learn_resource(current, RLIMIT_NPROC, atomic_read(&current->user->processes), 1);
53311 ++ retval = -EAGAIN;
53312 ++ if (gr_handle_nproc())
53313 ++ goto out_file;
53314 ++ retval = -EACCES;
53315 ++ if (!gr_acl_handle_execve(file->f_dentry, file->f_vfsmnt))
53316 ++ goto out_file;
53317 ++
53318 + retval = bprm_mm_init(bprm);
53319 + if (retval)
53320 + goto out_file;
53321 +@@ -1406,8 +1418,36 @@ int compat_do_execve(char * filename,
53322 + if (retval < 0)
53323 + goto out;
53324 +
53325 ++ if (!gr_tpe_allow(file)) {
53326 ++ retval = -EACCES;
53327 ++ goto out;
53328 ++ }
53329 ++
53330 ++ if (gr_check_crash_exec(file)) {
53331 ++ retval = -EACCES;
53332 ++ goto out;
53333 ++ }
53334 ++
53335 ++ gr_log_chroot_exec(file->f_dentry, file->f_vfsmnt);
53336 ++
53337 ++ gr_handle_exec_args(bprm, (char __user * __user *)argv);
53338 ++
53339 ++#ifdef CONFIG_GRKERNSEC
53340 ++ old_acl = current->acl;
53341 ++ memcpy(old_rlim, current->signal->rlim, sizeof(old_rlim));
53342 ++ old_exec_file = current->exec_file;
53343 ++ get_file(file);
53344 ++ current->exec_file = file;
53345 ++#endif
53346 ++
53347 ++ gr_set_proc_label(file->f_dentry, file->f_vfsmnt);
53348 ++
53349 + retval = search_binary_handler(bprm, regs);
53350 + if (retval >= 0) {
53351 ++#ifdef CONFIG_GRKERNSEC
53352 ++ if (old_exec_file)
53353 ++ fput(old_exec_file);
53354 ++#endif
53355 + /* execve success */
53356 + security_bprm_free(bprm);
53357 + acct_update_integrals(current);
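Review bot: the return value of `gr_set_proc_label(file->f_dentry, file->f_vfsmnt);` is ignored here, while do_execve in the fs/exec.c part of this patch checks it and unwinds through out_fail; on failure the compat path proceeds into search_binary_handler under a possibly half-applied label. Mirror the native path. Separately, `gr_handle_exec_args(bprm, (char __user * __user *)argv);` casts a compat_uptr_t array to an array of native pointers; confirm gr_handle_exec_args understands 32-bit entries on a 64-bit kernel, otherwise the arguments it records will be wrong.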
53358 +@@ -1415,6 +1455,13 @@ int compat_do_execve(char * filename,
53359 + return retval;
53360 + }
53361 +
53362 ++#ifdef CONFIG_GRKERNSEC
53363 ++ current->acl = old_acl;
53364 ++ memcpy(current->signal->rlim, old_rlim, sizeof(old_rlim));
53365 ++ fput(current->exec_file);
53366 ++ current->exec_file = old_exec_file;
53367 ++#endif
53368 ++
53369 + out:
53370 + if (bprm->security)
53371 + security_bprm_free(bprm);
53372 +diff -urNp linux-2.6.24.5/fs/compat_ioctl.c linux-2.6.24.5/fs/compat_ioctl.c
53373 +--- linux-2.6.24.5/fs/compat_ioctl.c 2008-03-24 14:49:18.000000000 -0400
53374 ++++ linux-2.6.24.5/fs/compat_ioctl.c 2008-03-26 20:21:08.000000000 -0400
53375 +@@ -1890,15 +1890,15 @@ struct ioctl_trans {
53376 + };
53377 +
53378 + #define HANDLE_IOCTL(cmd,handler) \
53379 +- { (cmd), (ioctl_trans_handler_t)(handler) },
53380 ++ { (cmd), (ioctl_trans_handler_t)(handler), NULL },
53381 +
53382 + /* pointer to compatible structure or no argument */
53383 + #define COMPATIBLE_IOCTL(cmd) \
53384 +- { (cmd), do_ioctl32_pointer },
53385 ++ { (cmd), do_ioctl32_pointer, NULL },
53386 +
53387 + /* argument is an unsigned long integer, not a pointer */
53388 + #define ULONG_IOCTL(cmd) \
53389 +- { (cmd), (ioctl_trans_handler_t)sys_ioctl },
53390 ++ { (cmd), (ioctl_trans_handler_t)sys_ioctl, NULL },
53391 +
53392 + /* ioctl should not be warned about even if it's not implemented.
53393 + Valid reasons to use this:
53394 +diff -urNp linux-2.6.24.5/fs/debugfs/inode.c linux-2.6.24.5/fs/debugfs/inode.c
53395 +--- linux-2.6.24.5/fs/debugfs/inode.c 2008-03-24 14:49:18.000000000 -0400
53396 ++++ linux-2.6.24.5/fs/debugfs/inode.c 2008-03-26 20:21:08.000000000 -0400
53397 +@@ -125,7 +125,7 @@ static inline int debugfs_positive(struc
53398 +
53399 + static int debug_fill_super(struct super_block *sb, void *data, int silent)
53400 + {
53401 +- static struct tree_descr debug_files[] = {{""}};
53402 ++ static struct tree_descr debug_files[] = {{"", NULL, 0}};
53403 +
53404 + return simple_fill_super(sb, DEBUGFS_MAGIC, debug_files);
53405 + }
53406 +diff -urNp linux-2.6.24.5/fs/exec.c linux-2.6.24.5/fs/exec.c
53407 +--- linux-2.6.24.5/fs/exec.c 2008-03-24 14:49:18.000000000 -0400
53408 ++++ linux-2.6.24.5/fs/exec.c 2008-03-26 20:21:08.000000000 -0400
53409 +@@ -51,6 +51,8 @@
53410 + #include <linux/tsacct_kern.h>
53411 + #include <linux/cn_proc.h>
53412 + #include <linux/audit.h>
53413 ++#include <linux/random.h>
53414 ++#include <linux/grsecurity.h>
53415 +
53416 + #include <asm/uaccess.h>
53417 + #include <asm/mmu_context.h>
53418 +@@ -60,6 +62,11 @@
53419 + #include <linux/kmod.h>
53420 + #endif
53421 +
53422 ++#ifdef CONFIG_PAX_HOOK_ACL_FLAGS
53423 ++void (*pax_set_initial_flags_func)(struct linux_binprm *bprm);
53424 ++EXPORT_SYMBOL(pax_set_initial_flags_func);
53425 ++#endif
53426 ++
53427 + int core_uses_pid;
53428 + char core_pattern[CORENAME_MAX_SIZE] = "core";
53429 + int suid_dumpable = 0;
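Review bot: `EXPORT_SYMBOL(pax_set_initial_flags_func);` exposes a hook that lets any module set the initial PaX flags of every exec'd task; EXPORT_SYMBOL_GPL is the more appropriate export for a security-policy hook. The caller in load_elf_binary, `if (pax_set_initial_flags_func) (pax_set_initial_flags_func)(bprm);`, also reads the pointer twice, so it should load it into a local once before the NULL test and the call to avoid racing with a module that clears it on unload.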
53430 +@@ -158,18 +165,10 @@ static struct page *get_arg_page(struct
53431 + int write)
53432 + {
53433 + struct page *page;
53434 +- int ret;
53435 +
53436 +-#ifdef CONFIG_STACK_GROWSUP
53437 +- if (write) {
53438 +- ret = expand_stack_downwards(bprm->vma, pos);
53439 +- if (ret < 0)
53440 +- return NULL;
53441 +- }
53442 +-#endif
53443 +- ret = get_user_pages(current, bprm->mm, pos,
53444 +- 1, write, 1, &page, NULL);
53445 +- if (ret <= 0)
53446 ++ if (0 > expand_stack_downwards(bprm->vma, pos))
53447 ++ return NULL;
53448 ++ if (0 >= get_user_pages(current, bprm->mm, pos, 1, write, 1, &page, NULL))
53449 + return NULL;
53450 +
53451 + if (write) {
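Review bot: the rewrite calls `expand_stack_downwards(bprm->vma, pos)` for read lookups as well as writes, whereas the removed code only grew the stack under `if (write)`. On the read path get_arg_page should only ever touch pages already populated by a previous write, so growing the vma there is unnecessary and widens the window in which a bad `pos` extends the stack. Keep the `write` condition. The `0 > ...` and `0 >= ...` operand order is also out of step with the rest of this file; prefer `if (expand_stack_downwards(bprm->vma, pos) < 0)`.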
53452 +@@ -234,6 +233,11 @@ static int __bprm_mm_init(struct linux_b
53453 + vma->vm_start = vma->vm_end - PAGE_SIZE;
53454 +
53455 + vma->vm_flags = VM_STACK_FLAGS;
53456 ++
53457 ++#ifdef CONFIG_PAX_SEGMEXEC
53458 ++ vma->vm_flags &= ~(VM_EXEC | VM_MAYEXEC);
53459 ++#endif
53460 ++
53461 + vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
53462 + err = insert_vm_struct(mm, vma);
53463 + if (err) {
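Review bot: `vma->vm_flags &= ~(VM_EXEC | VM_MAYEXEC);` under CONFIG_PAX_SEGMEXEC is a compile-time decision applied before the binary's PaX flags are known (pax_parse_elf_flags runs later in load_elf_binary), so it also hits tasks that will not get MF_PAX_SEGMEXEC. As setup_arg_pages in this patch resets vm_flags to VM_STACK_FLAGS for EXSTACK_DEFAULT, the strip only governs the argument-copy phase; a comment saying exactly that would save the next reader the trace.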
53464 +@@ -246,6 +250,11 @@ static int __bprm_mm_init(struct linux_b
53465 +
53466 + bprm->p = vma->vm_end - sizeof(void *);
53467 +
53468 ++#ifdef CONFIG_PAX_RANDUSTACK
53469 ++ if (randomize_va_space)
53470 ++ bprm->p ^= (pax_get_random_long() & ~15) & ~PAGE_MASK;
53471 ++#endif
53472 ++
53473 + return 0;
53474 +
53475 + err:
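Review bot: `bprm->p ^= (pax_get_random_long() & ~15) & ~PAGE_MASK;` works because p starts at `vma->vm_end - sizeof(void *)`, whose low bits above bit 3 are all set, so XORing in a 16-byte-aligned sub-page value can only move p downwards and keeps it inside the top stack page. That reasoning is not obvious from the line itself and deserves a comment, as does the fact that the decision is keyed on the randomize_va_space sysctl alone because the per-task MF_PAX_RANDMMAP flag has not been parsed yet at this point.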
53476 +@@ -369,7 +378,7 @@ static int count(char __user * __user *
53477 + if (!p)
53478 + break;
53479 + argv++;
53480 +- if(++i > max)
53481 ++ if (++i > max)
53482 + return -E2BIG;
53483 + cond_resched();
53484 + }
53485 +@@ -509,6 +518,10 @@ static int shift_arg_pages(struct vm_are
53486 + if (vma != find_vma(mm, new_start))
53487 + return -EFAULT;
53488 +
53489 ++#ifdef CONFIG_PAX_SEGMEXEC
53490 ++ BUG_ON(pax_find_mirror_vma(vma));
53491 ++#endif
53492 ++
53493 + /*
53494 + * cover the whole range: [new_start, old_end)
53495 + */
53496 +@@ -597,6 +610,14 @@ int setup_arg_pages(struct linux_binprm
53497 + bprm->exec -= stack_shift;
53498 +
53499 + down_write(&mm->mmap_sem);
53500 ++
53501 ++ /* Move stack pages down in memory. */
53502 ++ if (stack_shift) {
53503 ++ ret = shift_arg_pages(vma, stack_shift);
53504 ++ if (ret)
53505 ++ goto out_unlock;
53506 ++ }
53507 ++
53508 + vm_flags = vma->vm_flags;
53509 +
53510 + /*
53511 +@@ -608,23 +629,28 @@ int setup_arg_pages(struct linux_binprm
53512 + vm_flags |= VM_EXEC;
53513 + else if (executable_stack == EXSTACK_DISABLE_X)
53514 + vm_flags &= ~VM_EXEC;
53515 ++ else
53516 ++ vm_flags = VM_STACK_FLAGS;
53517 + vm_flags |= mm->def_flags;
53518 +
53519 ++#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
53520 ++ if (mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
53521 ++ vm_flags &= ~VM_EXEC;
53522 ++
53523 ++#ifdef CONFIG_PAX_MPROTECT
53524 ++ if (mm->pax_flags & MF_PAX_MPROTECT)
53525 ++ vm_flags &= ~VM_MAYEXEC;
53526 ++#endif
53527 ++
53528 ++ }
53529 ++#endif
53530 ++
53531 + ret = mprotect_fixup(vma, &prev, vma->vm_start, vma->vm_end,
53532 + vm_flags);
53533 + if (ret)
53534 + goto out_unlock;
53535 + BUG_ON(prev != vma);
53536 +
53537 +- /* Move stack pages down in memory. */
53538 +- if (stack_shift) {
53539 +- ret = shift_arg_pages(vma, stack_shift);
53540 +- if (ret) {
53541 +- up_write(&mm->mmap_sem);
53542 +- return ret;
53543 +- }
53544 +- }
53545 +-
53546 + #ifdef CONFIG_STACK_GROWSUP
53547 + stack_base = vma->vm_end + EXTRA_STACK_VM_PAGES * PAGE_SIZE;
53548 + #else
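Review bot: `else vm_flags = VM_STACK_FLAGS;` in the EXSTACK_DEFAULT branch overwrites the vma's current flags wholesale rather than adjusting them, which discards anything set on the vma earlier, including the SEGMEXEC strip in __bprm_mm_init; if the intent is "reset to default stack permissions, then apply PaX policy", write that down. The hunk also moves shift_arg_pages ahead of mprotect_fixup without saying why the upstream order (protect first, then shift) had to change; add a comment, since the reordering is the part most likely to be undone by a future merge.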
53549 +@@ -636,7 +662,7 @@ int setup_arg_pages(struct linux_binprm
53550 +
53551 + out_unlock:
53552 + up_write(&mm->mmap_sem);
53553 +- return 0;
53554 ++ return ret;
53555 + }
53556 + EXPORT_SYMBOL(setup_arg_pages);
53557 +
53558 +@@ -655,7 +681,7 @@ struct file *open_exec(const char *name)
53559 + struct inode *inode = nd.dentry->d_inode;
53560 + file = ERR_PTR(-EACCES);
53561 + if (S_ISREG(inode->i_mode)) {
53562 +- int err = vfs_permission(&nd, MAY_EXEC);
53563 ++ err = vfs_permission(&nd, MAY_EXEC);
53564 + file = ERR_PTR(err);
53565 + if (!err) {
53566 + file = nameidata_to_filp(&nd, O_RDONLY);
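Review bot: dropping the `int` from `err = vfs_permission(&nd, MAY_EXEC);` turns this into an assignment to a function-scope `err`, whose declaration is outside the hunk; confirm it exists in open_exec (otherwise this does not build) and that the value is not needed unmodified after the `if (S_ISREG(...))` block.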
53567 +@@ -1293,6 +1319,11 @@ int do_execve(char * filename,
53568 + char __user *__user *envp,
53569 + struct pt_regs * regs)
53570 + {
53571 ++#ifdef CONFIG_GRKERNSEC
53572 ++ struct file *old_exec_file;
53573 ++ struct acl_subject_label *old_acl;
53574 ++ struct rlimit old_rlim[RLIM_NLIMITS];
53575 ++#endif
53576 + struct linux_binprm *bprm;
53577 + struct file *file;
53578 + unsigned long env_p;
53579 +@@ -1308,6 +1339,20 @@ int do_execve(char * filename,
53580 + if (IS_ERR(file))
53581 + goto out_kfree;
53582 +
53583 ++ gr_learn_resource(current, RLIMIT_NPROC, atomic_read(&current->user->processes), 1);
53584 ++
53585 ++ if (gr_handle_nproc()) {
53586 ++ allow_write_access(file);
53587 ++ fput(file);
53588 ++ return -EAGAIN;
53589 ++ }
53590 ++
53591 ++ if (!gr_acl_handle_execve(file->f_dentry, file->f_vfsmnt)) {
53592 ++ allow_write_access(file);
53593 ++ fput(file);
53594 ++ return -EACCES;
53595 ++ }
53596 ++
53597 + sched_exec();
53598 +
53599 + bprm->file = file;
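Review bot: the two new early returns after open_exec() leak the binprm. Both the `gr_handle_nproc()` and the `gr_acl_handle_execve()` failure paths do `allow_write_access(file); fput(file); return -EAGAIN;` (resp. `return -EACCES;`) directly, but the context line just above, `goto out_kfree;`, shows that at this point `bprm` has already been allocated and is freed only through `out_kfree`. Set `retval` and `goto out_kfree` instead of returning, or assign `bprm->file = file` first and `goto out_file` so the existing cleanup drops the file reference as well.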
53600 +@@ -1349,8 +1394,38 @@ int do_execve(char * filename,
53601 + goto out;
53602 + bprm->argv_len = env_p - bprm->p;
53603 +
53604 ++ if (!gr_tpe_allow(file)) {
53605 ++ retval = -EACCES;
53606 ++ goto out;
53607 ++ }
53608 ++
53609 ++ if (gr_check_crash_exec(file)) {
53610 ++ retval = -EACCES;
53611 ++ goto out;
53612 ++ }
53613 ++
53614 ++ gr_log_chroot_exec(file->f_dentry, file->f_vfsmnt);
53615 ++
53616 ++ gr_handle_exec_args(bprm, argv);
53617 ++
53618 ++#ifdef CONFIG_GRKERNSEC
53619 ++ old_acl = current->acl;
53620 ++ memcpy(old_rlim, current->signal->rlim, sizeof(old_rlim));
53621 ++ old_exec_file = current->exec_file;
53622 ++ get_file(file);
53623 ++ current->exec_file = file;
53624 ++#endif
53625 ++
53626 ++ retval = gr_set_proc_label(file->f_dentry, file->f_vfsmnt);
53627 ++ if (retval < 0)
53628 ++ goto out_fail;
53629 ++
53630 + retval = search_binary_handler(bprm,regs);
53631 + if (retval >= 0) {
53632 ++#ifdef CONFIG_GRKERNSEC
53633 ++ if (old_exec_file)
53634 ++ fput(old_exec_file);
53635 ++#endif
53636 + /* execve success */
53637 + free_arg_pages(bprm);
53638 + security_bprm_free(bprm);
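Review bot: the `old_acl`/`old_rlim`/`old_exec_file` save block and the `current->exec_file = file` swap are wrapped in `#ifdef CONFIG_GRKERNSEC`, while `retval = gr_set_proc_label(...); if (retval < 0) goto out_fail;` is unconditional. That only builds and behaves when the non-GRKERNSEC stub of gr_set_proc_label() always returns 0 and the `out_fail:` label (next hunk) exists in both configurations; either guard the call with the same `#ifdef` for symmetry or leave a comment that the stub is required to return 0. The `get_file(file)` here is balanced by `fput(old_exec_file)` on the success path and by `fput(current->exec_file)` under `out_fail:`, so the reference counting is right on both paths; a comment saying so would help whoever next touches this block.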
53639 +@@ -1359,6 +1434,14 @@ int do_execve(char * filename,
53640 + return retval;
53641 + }
53642 +
53643 ++out_fail:
53644 ++#ifdef CONFIG_GRKERNSEC
53645 ++ current->acl = old_acl;
53646 ++ memcpy(current->signal->rlim, old_rlim, sizeof(old_rlim));
53647 ++ fput(current->exec_file);
53648 ++ current->exec_file = old_exec_file;
53649 ++#endif
53650 ++
53651 + out:
53652 + free_arg_pages(bprm);
53653 + if (bprm->security)
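Review bot: `out_fail:` is reached by fall-through, not only by `goto`. After search_binary_handler() fails, control leaves the `if (retval >= 0) { ... return retval; }` block and runs straight into the restore code under `out_fail:`, which is what puts the previous label, rlimits and exec_file back for a failed exec. That is correct but fragile: anyone inserting a statement between the closing brace and the label changes the failure semantics. Add a short comment such as `/* fall through: a failed exec must restore the old label and limits */` above the label.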
53654 +@@ -1523,6 +1606,114 @@ out:
53655 + return ispipe;
53656 + }
53657 +
53658 ++int pax_check_flags(unsigned long *flags)
53659 ++{
53660 ++ int retval = 0;
53661 ++
53662 ++#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_SEGMEXEC)
53663 ++ if (*flags & MF_PAX_SEGMEXEC)
53664 ++ {
53665 ++ *flags &= ~MF_PAX_SEGMEXEC;
53666 ++ retval = -EINVAL;
53667 ++ }
53668 ++#endif
53669 ++
53670 ++ if ((*flags & MF_PAX_PAGEEXEC)
53671 ++
53672 ++#ifdef CONFIG_PAX_PAGEEXEC
53673 ++ && (*flags & MF_PAX_SEGMEXEC)
53674 ++#endif
53675 ++
53676 ++ )
53677 ++ {
53678 ++ *flags &= ~MF_PAX_PAGEEXEC;
53679 ++ retval = -EINVAL;
53680 ++ }
53681 ++
53682 ++ if ((*flags & MF_PAX_MPROTECT)
53683 ++
53684 ++#ifdef CONFIG_PAX_MPROTECT
53685 ++ && !(*flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC))
53686 ++#endif
53687 ++
53688 ++ )
53689 ++ {
53690 ++ *flags &= ~MF_PAX_MPROTECT;
53691 ++ retval = -EINVAL;
53692 ++ }
53693 ++
53694 ++ if ((*flags & MF_PAX_EMUTRAMP)
53695 ++
53696 ++#ifdef CONFIG_PAX_EMUTRAMP
53697 ++ && !(*flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC))
53698 ++#endif
53699 ++
53700 ++ )
53701 ++ {
53702 ++ *flags &= ~MF_PAX_EMUTRAMP;
53703 ++ retval = -EINVAL;
53704 ++ }
53705 ++
53706 ++ return retval;
53707 ++}
53708 ++
53709 ++EXPORT_SYMBOL(pax_check_flags);
53710 ++
53711 ++#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
53712 ++void pax_report_fault(struct pt_regs *regs, void *pc, void *sp)
53713 ++{
53714 ++ struct task_struct *tsk = current;
53715 ++ struct mm_struct *mm = current->mm;
53716 ++ char *buffer_exec = (char *)__get_free_page(GFP_KERNEL);
53717 ++ char *buffer_fault = (char *)__get_free_page(GFP_KERNEL);
53718 ++ char *path_exec = NULL;
53719 ++ char *path_fault = NULL;
53720 ++ unsigned long start = 0UL, end = 0UL, offset = 0UL;
53721 ++
53722 ++ if (buffer_exec && buffer_fault) {
53723 ++ struct vm_area_struct *vma, *vma_exec = NULL, *vma_fault = NULL;
53724 ++
53725 ++ down_read(&mm->mmap_sem);
53726 ++ vma = mm->mmap;
53727 ++ while (vma && (!vma_exec || !vma_fault)) {
53728 ++ if ((vma->vm_flags & VM_EXECUTABLE) && vma->vm_file)
53729 ++ vma_exec = vma;
53730 ++ if (vma->vm_start <= (unsigned long)pc && (unsigned long)pc < vma->vm_end)
53731 ++ vma_fault = vma;
53732 ++ vma = vma->vm_next;
53733 ++ }
53734 ++ if (vma_exec) {
53735 ++ path_exec = d_path(vma_exec->vm_file->f_path.dentry, vma_exec->vm_file->f_path.mnt, buffer_exec, PAGE_SIZE);
53736 ++ if (IS_ERR(path_exec))
53737 ++ path_exec = "<path too long>";
53738 ++ }
53739 ++ if (vma_fault) {
53740 ++ start = vma_fault->vm_start;
53741 ++ end = vma_fault->vm_end;
53742 ++ offset = vma_fault->vm_pgoff << PAGE_SHIFT;
53743 ++ if (vma_fault->vm_file) {
53744 ++ path_fault = d_path(vma_fault->vm_file->f_path.dentry, vma_fault->vm_file->f_path.mnt, buffer_fault, PAGE_SIZE);
53745 ++ if (IS_ERR(path_fault))
53746 ++ path_fault = "<path too long>";
53747 ++ } else
53748 ++ path_fault = "<anonymous mapping>";
53749 ++ }
53750 ++ up_read(&mm->mmap_sem);
53751 ++ }
53752 ++ if (tsk->signal->curr_ip)
53753 ++ printk(KERN_ERR "PAX: From %u.%u.%u.%u: execution attempt in: %s, %08lx-%08lx %08lx\n", NIPQUAD(tsk->signal->curr_ip), path_fault, start, end, offset);
53754 ++ else
53755 ++ printk(KERN_ERR "PAX: execution attempt in: %s, %08lx-%08lx %08lx\n", path_fault, start, end, offset);
53756 ++ printk(KERN_ERR "PAX: terminating task: %s(%s):%d, uid/euid: %u/%u, "
53757 ++ "PC: %p, SP: %p\n", path_exec, tsk->comm, task_pid_nr(tsk),
53758 ++ tsk->uid, tsk->euid, pc, sp);
53759 ++ free_page((unsigned long)buffer_exec);
53760 ++ free_page((unsigned long)buffer_fault);
53761 ++ pax_report_insns(pc, sp);
53762 ++ do_coredump(SIGKILL, SIGKILL, regs);
53763 ++}
53764 ++#endif
53765 ++
53766 + static void zap_process(struct task_struct *start)
53767 + {
53768 + struct task_struct *t;
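Review bot: in pax_report_fault(), the VMA walk that fills `path_exec`, `path_fault`, `start`, `end` and `offset` is skipped entirely when only one of the two `__get_free_page(GFP_KERNEL)` calls fails, so the report then prints `<NULL>` paths and a zero range even though one buffer was usable; resolving the two paths independently would keep the report useful under memory pressure (`free_page(0)` on the failed allocation is already safe). The `KERN_ERR` lines `PAX: execution attempt in:` and `PAX: terminating task:` are the log record a monitoring setup will key on, and the first variant carries the session source address from `tsk->signal->curr_ip` when it is set, so treat their format as an interface and keep it stable. In pax_check_flags(), the SEGMEXEC strip runs before the PAGEEXEC/SEGMEXEC exclusivity test, so on a build without SEGMEXEC support a request for both flags loses SEGMEXEC and keeps PAGEEXEC rather than losing both; that ordering is presumably intended and deserves a comment.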
53769 +@@ -1720,6 +1911,10 @@ int do_coredump(long signr, int exit_cod
53770 + */
53771 + clear_thread_flag(TIF_SIGPENDING);
53772 +
53773 ++ if (signr == SIGKILL || signr == SIGILL)
53774 ++ gr_handle_brute_attach(current);
53775 ++ gr_learn_resource(current, RLIMIT_CORE, binfmt->min_coredump, 1);
53776 ++
53777 + /*
53778 + * lock_kernel() because format_corename() is controlled by sysctl, which
53779 + * uses lock_kernel()
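Review bot: `gr_handle_brute_attach(current)` is only invoked for `signr == SIGKILL || signr == SIGILL`, so a plain SIGSEGV or SIGBUS crash does not feed the brute-force detector here. That matches pax_report_fault() above, which terminates a task via `do_coredump(SIGKILL, SIGKILL, regs)`, but the choice of exactly these two signals should be explained in a comment, since a reader will expect SIGSEGV to be the typical crash signal. The `gr_learn_resource(current, RLIMIT_CORE, binfmt->min_coredump, 1)` call dereferences `binfmt` unconditionally; make sure the NULL check on `binfmt` that do_coredump() performs comes before this point, as it is not in view.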
53780 +@@ -1740,6 +1935,8 @@ int do_coredump(long signr, int exit_cod
53781 +
53782 + if (ispipe) {
53783 + helper_argv = argv_split(GFP_KERNEL, corename+1, &helper_argc);
53784 ++ if (!helper_argv)
53785 ++ goto fail_unlock;
53786 + /* Terminate the string before the first option */
53787 + delimit = strchr(corename, ' ');
53788 + if (delimit)
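Review bot: the added `if (!helper_argv) goto fail_unlock;` is a needed fix, since argv_split() can return NULL under memory pressure and `helper_argv` is used afterwards. The `fail_unlock` label is not part of this hunk; the comment a few lines up says `lock_kernel()` is held around format_corename(), so verify that `fail_unlock` releases the kernel lock and drops the same references the other failure paths of do_coredump() drop.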
53789 +diff -urNp linux-2.6.24.5/fs/ext2/balloc.c linux-2.6.24.5/fs/ext2/balloc.c
53790 +--- linux-2.6.24.5/fs/ext2/balloc.c 2008-03-24 14:49:18.000000000 -0400
53791 ++++ linux-2.6.24.5/fs/ext2/balloc.c 2008-03-26 20:21:08.000000000 -0400
53792 +@@ -1127,7 +1127,7 @@ static int ext2_has_free_blocks(struct e
53793 +
53794 + free_blocks = percpu_counter_read_positive(&sbi->s_freeblocks_counter);
53795 + root_blocks = le32_to_cpu(sbi->s_es->s_r_blocks_count);
53796 +- if (free_blocks < root_blocks + 1 && !capable(CAP_SYS_RESOURCE) &&
53797 ++ if (free_blocks < root_blocks + 1 && !capable_nolog(CAP_SYS_RESOURCE) &&
53798 + sbi->s_resuid != current->fsuid &&
53799 + (sbi->s_resgid == 0 || !in_group_p (sbi->s_resgid))) {
53800 + return 0;
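Review bot: `capable(CAP_SYS_RESOURCE)` becomes `capable_nolog(CAP_SYS_RESOURCE)`, a grsecurity-specific variant that nothing in this file's hunk declares. The motivation (this check runs on every allocation once free space drops below the reserved blocks, so an unprivileged writer near ENOSPC would otherwise spam the capability-denied audit log) should be stated in a comment at the call site, and the same one-line change is repeated verbatim in the ext3 and ext4 `balloc.c` hunks below, so keep the three in sync.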
53801 +diff -urNp linux-2.6.24.5/fs/ext3/balloc.c linux-2.6.24.5/fs/ext3/balloc.c
53802 +--- linux-2.6.24.5/fs/ext3/balloc.c 2008-03-24 14:49:18.000000000 -0400
53803 ++++ linux-2.6.24.5/fs/ext3/balloc.c 2008-03-26 20:21:08.000000000 -0400
53804 +@@ -1359,7 +1359,7 @@ static int ext3_has_free_blocks(struct e
53805 +
53806 + free_blocks = percpu_counter_read_positive(&sbi->s_freeblocks_counter);
53807 + root_blocks = le32_to_cpu(sbi->s_es->s_r_blocks_count);
53808 +- if (free_blocks < root_blocks + 1 && !capable(CAP_SYS_RESOURCE) &&
53809 ++ if (free_blocks < root_blocks + 1 && !capable_nolog(CAP_SYS_RESOURCE) &&
53810 + sbi->s_resuid != current->fsuid &&
53811 + (sbi->s_resgid == 0 || !in_group_p (sbi->s_resgid))) {
53812 + return 0;
53813 +diff -urNp linux-2.6.24.5/fs/ext3/namei.c linux-2.6.24.5/fs/ext3/namei.c
53814 +--- linux-2.6.24.5/fs/ext3/namei.c 2008-03-24 14:49:18.000000000 -0400
53815 ++++ linux-2.6.24.5/fs/ext3/namei.c 2008-03-26 20:21:08.000000000 -0400
53816 +@@ -1181,9 +1181,9 @@ static struct ext3_dir_entry_2 *do_split
53817 + u32 hash2;
53818 + struct dx_map_entry *map;
53819 + char *data1 = (*bh)->b_data, *data2;
53820 +- unsigned split, move, size, i;
53821 ++ unsigned split, move, size;
53822 + struct ext3_dir_entry_2 *de = NULL, *de2;
53823 +- int err = 0;
53824 ++ int i, err = 0;
53825 +
53826 + bh2 = ext3_append (handle, dir, &newblock, &err);
53827 + if (!(bh2)) {
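Review bot: moving `i` from `unsigned` to `int` in do_split() changes the type of a loop counter without the loop that uses it being in this hunk, so the reason is invisible; if it is there to make a `>= 0` comparison on a down-counting index meaningful (the usual reason to sign such a counter), say so in a comment. The identical change is made to `fs/ext4/namei.c` below; both copies need the same explanation.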
53828 +diff -urNp linux-2.6.24.5/fs/ext3/xattr.c linux-2.6.24.5/fs/ext3/xattr.c
53829 +--- linux-2.6.24.5/fs/ext3/xattr.c 2008-03-24 14:49:18.000000000 -0400
53830 ++++ linux-2.6.24.5/fs/ext3/xattr.c 2008-03-26 20:21:08.000000000 -0400
53831 +@@ -89,8 +89,8 @@
53832 + printk("\n"); \
53833 + } while (0)
53834 + #else
53835 +-# define ea_idebug(f...)
53836 +-# define ea_bdebug(f...)
53837 ++# define ea_idebug(f...) do {} while (0)
53838 ++# define ea_bdebug(f...) do {} while (0)
53839 + #endif
53840 +
53841 + static void ext3_xattr_cache_insert(struct buffer_head *);
53842 +diff -urNp linux-2.6.24.5/fs/ext4/balloc.c linux-2.6.24.5/fs/ext4/balloc.c
53843 +--- linux-2.6.24.5/fs/ext4/balloc.c 2008-03-24 14:49:18.000000000 -0400
53844 ++++ linux-2.6.24.5/fs/ext4/balloc.c 2008-03-26 20:21:08.000000000 -0400
53845 +@@ -1479,7 +1479,7 @@ static int ext4_has_free_blocks(struct e
53846 +
53847 + free_blocks = percpu_counter_read_positive(&sbi->s_freeblocks_counter);
53848 + root_blocks = ext4_r_blocks_count(sbi->s_es);
53849 +- if (free_blocks < root_blocks + 1 && !capable(CAP_SYS_RESOURCE) &&
53850 ++ if (free_blocks < root_blocks + 1 && !capable_nolog(CAP_SYS_RESOURCE) &&
53851 + sbi->s_resuid != current->fsuid &&
53852 + (sbi->s_resgid == 0 || !in_group_p (sbi->s_resgid))) {
53853 + return 0;
53854 +diff -urNp linux-2.6.24.5/fs/ext4/namei.c linux-2.6.24.5/fs/ext4/namei.c
53855 +--- linux-2.6.24.5/fs/ext4/namei.c 2008-03-24 14:49:18.000000000 -0400
53856 ++++ linux-2.6.24.5/fs/ext4/namei.c 2008-03-26 20:21:08.000000000 -0400
53857 +@@ -1178,9 +1178,9 @@ static struct ext4_dir_entry_2 *do_split
53858 + u32 hash2;
53859 + struct dx_map_entry *map;
53860 + char *data1 = (*bh)->b_data, *data2;
53861 +- unsigned split, move, size, i;
53862 ++ unsigned split, move, size;
53863 + struct ext4_dir_entry_2 *de = NULL, *de2;
53864 +- int err = 0;
53865 ++ int i, err = 0;
53866 +
53867 + bh2 = ext4_append (handle, dir, &newblock, &err);
53868 + if (!(bh2)) {
53869 +diff -urNp linux-2.6.24.5/fs/fcntl.c linux-2.6.24.5/fs/fcntl.c
53870 +--- linux-2.6.24.5/fs/fcntl.c 2008-03-24 14:49:18.000000000 -0400
53871 ++++ linux-2.6.24.5/fs/fcntl.c 2008-03-26 20:21:08.000000000 -0400
53872 +@@ -19,6 +19,7 @@
53873 + #include <linux/signal.h>
53874 + #include <linux/rcupdate.h>
53875 + #include <linux/pid_namespace.h>
53876 ++#include <linux/grsecurity.h>
53877 +
53878 + #include <asm/poll.h>
53879 + #include <asm/siginfo.h>
53880 +@@ -64,6 +65,7 @@ static int locate_fd(struct files_struct
53881 + struct fdtable *fdt;
53882 +
53883 + error = -EINVAL;
53884 ++ gr_learn_resource(current, RLIMIT_NOFILE, orig_start, 0);
53885 + if (orig_start >= current->signal->rlim[RLIMIT_NOFILE].rlim_cur)
53886 + goto out;
53887 +
53888 +@@ -83,6 +85,7 @@ repeat:
53889 + fdt->max_fds, start);
53890 +
53891 + error = -EMFILE;
53892 ++ gr_learn_resource(current, RLIMIT_NOFILE, newfd, 0);
53893 + if (newfd >= current->signal->rlim[RLIMIT_NOFILE].rlim_cur)
53894 + goto out;
53895 +
53896 +@@ -144,6 +147,8 @@ asmlinkage long sys_dup2(unsigned int ol
53897 + struct files_struct * files = current->files;
53898 + struct fdtable *fdt;
53899 +
53900 ++ gr_learn_resource(current, RLIMIT_NOFILE, newfd, 0);
53901 ++
53902 + spin_lock(&files->file_lock);
53903 + if (!(file = fcheck(oldfd)))
53904 + goto out_unlock;
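Review bot: in sys_dup2(), `gr_learn_resource(current, RLIMIT_NOFILE, newfd, 0)` runs before `spin_lock(&files->file_lock)` and before `fcheck(oldfd)` validates the source descriptor, so learning mode will record the `newfd` of calls that then fail on a bad `oldfd`. In the two locate_fd() hunks above the call sits immediately before the rlimit comparison it mirrors; do the same here, after the validity checks, so that learned values reflect descriptors that were actually requested on a valid call.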
53905 +@@ -463,7 +468,8 @@ static inline int sigio_perm(struct task
53906 + return (((fown->euid == 0) ||
53907 + (fown->euid == p->suid) || (fown->euid == p->uid) ||
53908 + (fown->uid == p->suid) || (fown->uid == p->uid)) &&
53909 +- !security_file_send_sigiotask(p, fown, sig));
53910 ++ !security_file_send_sigiotask(p, fown, sig) &&
53911 ++ !gr_check_protected_task(p) && !gr_pid_is_chrooted(p));
53912 + }
53913 +
53914 + static void send_sigio_to_task(struct task_struct *p,
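Review bot: the two new conjuncts in sigio_perm(), `!gr_check_protected_task(p) && !gr_pid_is_chrooted(p)`, are ANDed onto the whole expression, so they veto SIGIO delivery even when `fown->euid == 0`. In particular a chrooted process that set F_SETOWN on its own descriptor will not receive SIGIO unless gr_pid_is_chrooted() exempts that case internally (not visible here). If that is the intended behaviour of the chroot restriction it should be documented in the Kconfig help for the option that gates it; if not, the check needs to compare the owner's context with the target's rather than deny on the target's chroot alone.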
53915 +diff -urNp linux-2.6.24.5/fs/fuse/control.c linux-2.6.24.5/fs/fuse/control.c
53916 +--- linux-2.6.24.5/fs/fuse/control.c 2008-03-24 14:49:18.000000000 -0400
53917 ++++ linux-2.6.24.5/fs/fuse/control.c 2008-03-26 20:21:08.000000000 -0400
53918 +@@ -159,7 +159,7 @@ void fuse_ctl_remove_conn(struct fuse_co
53919 +
53920 + static int fuse_ctl_fill_super(struct super_block *sb, void *data, int silent)
53921 + {
53922 +- struct tree_descr empty_descr = {""};
53923 ++ struct tree_descr empty_descr = {"", NULL, 0};
53924 + struct fuse_conn *fc;
53925 + int err;
53926 +
53927 +diff -urNp linux-2.6.24.5/fs/fuse/dir.c linux-2.6.24.5/fs/fuse/dir.c
53928 +--- linux-2.6.24.5/fs/fuse/dir.c 2008-03-24 14:49:18.000000000 -0400
53929 ++++ linux-2.6.24.5/fs/fuse/dir.c 2008-03-26 20:21:08.000000000 -0400
53930 +@@ -1030,7 +1030,7 @@ static char *read_link(struct dentry *de
53931 + return link;
53932 + }
53933 +
53934 +-static void free_link(char *link)
53935 ++static void free_link(const char *link)
53936 + {
53937 + if (!IS_ERR(link))
53938 + free_page((unsigned long) link);
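Review bot: `free_link(const char *link)` only compiles because the const is cast away inside `free_page((unsigned long) link)`; the change is a consequence of read_link()/nd_get_link() now returning `const char *` (see the `const char *s = nd_get_link(nd);` hunk in `fs/namei.c` below), and the matching prototype change in `include/linux/namei.h` is not in this section. Check that it is part of the patch, otherwise this and the namei.c hunk produce discarded-qualifier warnings or errors.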
53939 +diff -urNp linux-2.6.24.5/fs/hfs/inode.c linux-2.6.24.5/fs/hfs/inode.c
53940 +--- linux-2.6.24.5/fs/hfs/inode.c 2008-03-24 14:49:18.000000000 -0400
53941 ++++ linux-2.6.24.5/fs/hfs/inode.c 2008-03-26 20:21:08.000000000 -0400
53942 +@@ -419,7 +419,7 @@ int hfs_write_inode(struct inode *inode,
53943 +
53944 + if (S_ISDIR(main_inode->i_mode)) {
53945 + if (fd.entrylength < sizeof(struct hfs_cat_dir))
53946 +- /* panic? */;
53947 ++ {/* panic? */}
53948 + hfs_bnode_read(fd.bnode, &rec, fd.entryoffset,
53949 + sizeof(struct hfs_cat_dir));
53950 + if (rec.type != HFS_CDR_DIR ||
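Review bot: replacing `/* panic? */;` with `{/* panic? */}` silences the empty-body warning but leaves the underlying problem untouched: when `fd.entrylength < sizeof(struct hfs_cat_dir)` the code still falls through to `hfs_bnode_read(fd.bnode, &rec, fd.entryoffset, sizeof(struct hfs_cat_dir))` and reads a full record out of a catalog entry that is shorter than that. For an on-disk structure that is the case to fail closed on (return `-EIO` or `-EINVAL` and bail out), not to ignore; the same pattern is repeated in the second hfs hunk and in all four hfsplus hunks below.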
53951 +@@ -440,7 +440,7 @@ int hfs_write_inode(struct inode *inode,
53952 + sizeof(struct hfs_cat_file));
53953 + } else {
53954 + if (fd.entrylength < sizeof(struct hfs_cat_file))
53955 +- /* panic? */;
53956 ++ {/* panic? */}
53957 + hfs_bnode_read(fd.bnode, &rec, fd.entryoffset,
53958 + sizeof(struct hfs_cat_file));
53959 + if (rec.type != HFS_CDR_FIL ||
53960 +diff -urNp linux-2.6.24.5/fs/hfsplus/inode.c linux-2.6.24.5/fs/hfsplus/inode.c
53961 +--- linux-2.6.24.5/fs/hfsplus/inode.c 2008-03-24 14:49:18.000000000 -0400
53962 ++++ linux-2.6.24.5/fs/hfsplus/inode.c 2008-03-26 20:21:08.000000000 -0400
53963 +@@ -422,7 +422,7 @@ int hfsplus_cat_read_inode(struct inode
53964 + struct hfsplus_cat_folder *folder = &entry.folder;
53965 +
53966 + if (fd->entrylength < sizeof(struct hfsplus_cat_folder))
53967 +- /* panic? */;
53968 ++ {/* panic? */}
53969 + hfs_bnode_read(fd->bnode, &entry, fd->entryoffset,
53970 + sizeof(struct hfsplus_cat_folder));
53971 + hfsplus_get_perms(inode, &folder->permissions, 1);
53972 +@@ -439,7 +439,7 @@ int hfsplus_cat_read_inode(struct inode
53973 + struct hfsplus_cat_file *file = &entry.file;
53974 +
53975 + if (fd->entrylength < sizeof(struct hfsplus_cat_file))
53976 +- /* panic? */;
53977 ++ {/* panic? */}
53978 + hfs_bnode_read(fd->bnode, &entry, fd->entryoffset,
53979 + sizeof(struct hfsplus_cat_file));
53980 +
53981 +@@ -495,7 +495,7 @@ int hfsplus_cat_write_inode(struct inode
53982 + struct hfsplus_cat_folder *folder = &entry.folder;
53983 +
53984 + if (fd.entrylength < sizeof(struct hfsplus_cat_folder))
53985 +- /* panic? */;
53986 ++ {/* panic? */}
53987 + hfs_bnode_read(fd.bnode, &entry, fd.entryoffset,
53988 + sizeof(struct hfsplus_cat_folder));
53989 + /* simple node checks? */
53990 +@@ -517,7 +517,7 @@ int hfsplus_cat_write_inode(struct inode
53991 + struct hfsplus_cat_file *file = &entry.file;
53992 +
53993 + if (fd.entrylength < sizeof(struct hfsplus_cat_file))
53994 +- /* panic? */;
53995 ++ {/* panic? */}
53996 + hfs_bnode_read(fd.bnode, &entry, fd.entryoffset,
53997 + sizeof(struct hfsplus_cat_file));
53998 + hfsplus_inode_write_fork(inode, &file->data_fork);
53999 +diff -urNp linux-2.6.24.5/fs/jffs2/debug.h linux-2.6.24.5/fs/jffs2/debug.h
54000 +--- linux-2.6.24.5/fs/jffs2/debug.h 2008-03-24 14:49:18.000000000 -0400
54001 ++++ linux-2.6.24.5/fs/jffs2/debug.h 2008-03-26 20:21:08.000000000 -0400
54002 +@@ -51,13 +51,13 @@
54003 + #if CONFIG_JFFS2_FS_DEBUG > 0
54004 + #define D1(x) x
54005 + #else
54006 +-#define D1(x)
54007 ++#define D1(x) do {} while (0);
54008 + #endif
54009 +
54010 + #if CONFIG_JFFS2_FS_DEBUG > 1
54011 + #define D2(x) x
54012 + #else
54013 +-#define D2(x)
54014 ++#define D2(x) do {} while (0);
54015 + #endif
54016 +
54017 + /* The prefixes of JFFS2 messages */
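Review bot: `#define D1(x) do {} while (0);` and the matching `D2(x)` carry a trailing semicolon, unlike every `dbg_*` macro in the next hunk and the `jffs2_sum_*` macros later, which correctly expand to `do {} while (0)`. With the semicolon, `D1(x);` becomes `do {} while (0);;`, and `if (c) D1(x); else ...` no longer compiles because the stray `;` ends the if statement. Drop the semicolon unless there are call sites that rely on omitting their own (in which case note them), so that the macro behaves like a statement in both debug and non-debug builds.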
54018 +@@ -113,68 +113,68 @@
54019 + #ifdef JFFS2_DBG_READINODE_MESSAGES
54020 + #define dbg_readinode(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
54021 + #else
54022 +-#define dbg_readinode(fmt, ...)
54023 ++#define dbg_readinode(fmt, ...) do {} while (0)
54024 + #endif
54025 +
54026 + /* Fragtree build debugging messages */
54027 + #ifdef JFFS2_DBG_FRAGTREE_MESSAGES
54028 + #define dbg_fragtree(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
54029 + #else
54030 +-#define dbg_fragtree(fmt, ...)
54031 ++#define dbg_fragtree(fmt, ...) do {} while (0)
54032 + #endif
54033 + #ifdef JFFS2_DBG_FRAGTREE2_MESSAGES
54034 + #define dbg_fragtree2(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
54035 + #else
54036 +-#define dbg_fragtree2(fmt, ...)
54037 ++#define dbg_fragtree2(fmt, ...) do {} while (0)
54038 + #endif
54039 +
54040 + /* Directory entry list manilulation debugging messages */
54041 + #ifdef JFFS2_DBG_DENTLIST_MESSAGES
54042 + #define dbg_dentlist(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
54043 + #else
54044 +-#define dbg_dentlist(fmt, ...)
54045 ++#define dbg_dentlist(fmt, ...) do {} while (0)
54046 + #endif
54047 +
54048 + /* Print the messages about manipulating node_refs */
54049 + #ifdef JFFS2_DBG_NODEREF_MESSAGES
54050 + #define dbg_noderef(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
54051 + #else
54052 +-#define dbg_noderef(fmt, ...)
54053 ++#define dbg_noderef(fmt, ...) do {} while (0)
54054 + #endif
54055 +
54056 + /* Manipulations with the list of inodes (JFFS2 inocache) */
54057 + #ifdef JFFS2_DBG_INOCACHE_MESSAGES
54058 + #define dbg_inocache(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
54059 + #else
54060 +-#define dbg_inocache(fmt, ...)
54061 ++#define dbg_inocache(fmt, ...) do {} while (0)
54062 + #endif
54063 +
54064 + /* Summary debugging messages */
54065 + #ifdef JFFS2_DBG_SUMMARY_MESSAGES
54066 + #define dbg_summary(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
54067 + #else
54068 +-#define dbg_summary(fmt, ...)
54069 ++#define dbg_summary(fmt, ...) do {} while (0)
54070 + #endif
54071 +
54072 + /* File system build messages */
54073 + #ifdef JFFS2_DBG_FSBUILD_MESSAGES
54074 + #define dbg_fsbuild(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
54075 + #else
54076 +-#define dbg_fsbuild(fmt, ...)
54077 ++#define dbg_fsbuild(fmt, ...) do {} while (0)
54078 + #endif
54079 +
54080 + /* Watch the object allocations */
54081 + #ifdef JFFS2_DBG_MEMALLOC_MESSAGES
54082 + #define dbg_memalloc(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
54083 + #else
54084 +-#define dbg_memalloc(fmt, ...)
54085 ++#define dbg_memalloc(fmt, ...) do {} while (0)
54086 + #endif
54087 +
54088 + /* Watch the XATTR subsystem */
54089 + #ifdef JFFS2_DBG_XATTR_MESSAGES
54090 + #define dbg_xattr(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
54091 + #else
54092 +-#define dbg_xattr(fmt, ...)
54093 ++#define dbg_xattr(fmt, ...) do {} while (0)
54094 + #endif
54095 +
54096 + /* "Sanity" checks */
54097 +diff -urNp linux-2.6.24.5/fs/jffs2/erase.c linux-2.6.24.5/fs/jffs2/erase.c
54098 +--- linux-2.6.24.5/fs/jffs2/erase.c 2008-03-24 14:49:18.000000000 -0400
54099 ++++ linux-2.6.24.5/fs/jffs2/erase.c 2008-03-26 20:21:08.000000000 -0400
54100 +@@ -428,7 +428,8 @@ static void jffs2_mark_erased_block(stru
54101 + struct jffs2_unknown_node marker = {
54102 + .magic = cpu_to_je16(JFFS2_MAGIC_BITMASK),
54103 + .nodetype = cpu_to_je16(JFFS2_NODETYPE_CLEANMARKER),
54104 +- .totlen = cpu_to_je32(c->cleanmarker_size)
54105 ++ .totlen = cpu_to_je32(c->cleanmarker_size),
54106 ++ .hdr_crc = cpu_to_je32(0)
54107 + };
54108 +
54109 + jffs2_prealloc_raw_node_refs(c, jeb, 1);
54110 +diff -urNp linux-2.6.24.5/fs/jffs2/summary.h linux-2.6.24.5/fs/jffs2/summary.h
54111 +--- linux-2.6.24.5/fs/jffs2/summary.h 2008-03-24 14:49:18.000000000 -0400
54112 ++++ linux-2.6.24.5/fs/jffs2/summary.h 2008-03-26 20:21:08.000000000 -0400
54113 +@@ -188,18 +188,18 @@ int jffs2_sum_scan_sumnode(struct jffs2_
54114 +
54115 + #define jffs2_sum_active() (0)
54116 + #define jffs2_sum_init(a) (0)
54117 +-#define jffs2_sum_exit(a)
54118 +-#define jffs2_sum_disable_collecting(a)
54119 ++#define jffs2_sum_exit(a) do {} while (0)
54120 ++#define jffs2_sum_disable_collecting(a) do {} while (0)
54121 + #define jffs2_sum_is_disabled(a) (0)
54122 +-#define jffs2_sum_reset_collected(a)
54123 ++#define jffs2_sum_reset_collected(a) do {} while (0)
54124 + #define jffs2_sum_add_kvec(a,b,c,d) (0)
54125 +-#define jffs2_sum_move_collected(a,b)
54126 ++#define jffs2_sum_move_collected(a,b) do {} while (0)
54127 + #define jffs2_sum_write_sumnode(a) (0)
54128 +-#define jffs2_sum_add_padding_mem(a,b)
54129 +-#define jffs2_sum_add_inode_mem(a,b,c)
54130 +-#define jffs2_sum_add_dirent_mem(a,b,c)
54131 +-#define jffs2_sum_add_xattr_mem(a,b,c)
54132 +-#define jffs2_sum_add_xref_mem(a,b,c)
54133 ++#define jffs2_sum_add_padding_mem(a,b) do {} while (0)
54134 ++#define jffs2_sum_add_inode_mem(a,b,c) do {} while (0)
54135 ++#define jffs2_sum_add_dirent_mem(a,b,c) do {} while (0)
54136 ++#define jffs2_sum_add_xattr_mem(a,b,c) do {} while (0)
54137 ++#define jffs2_sum_add_xref_mem(a,b,c) do {} while (0)
54138 + #define jffs2_sum_scan_sumnode(a,b,c,d,e) (0)
54139 +
54140 + #endif /* CONFIG_JFFS2_SUMMARY */
54141 +diff -urNp linux-2.6.24.5/fs/jffs2/wbuf.c linux-2.6.24.5/fs/jffs2/wbuf.c
54142 +--- linux-2.6.24.5/fs/jffs2/wbuf.c 2008-03-24 14:49:18.000000000 -0400
54143 ++++ linux-2.6.24.5/fs/jffs2/wbuf.c 2008-03-26 20:21:08.000000000 -0400
54144 +@@ -1015,7 +1015,8 @@ static const struct jffs2_unknown_node o
54145 + {
54146 + .magic = constant_cpu_to_je16(JFFS2_MAGIC_BITMASK),
54147 + .nodetype = constant_cpu_to_je16(JFFS2_NODETYPE_CLEANMARKER),
54148 +- .totlen = constant_cpu_to_je32(8)
54149 ++ .totlen = constant_cpu_to_je32(8),
54150 ++ .hdr_crc = constant_cpu_to_je32(0)
54151 + };
54152 +
54153 + /*
54154 +diff -urNp linux-2.6.24.5/fs/Kconfig linux-2.6.24.5/fs/Kconfig
54155 +--- linux-2.6.24.5/fs/Kconfig 2008-03-24 14:49:18.000000000 -0400
54156 ++++ linux-2.6.24.5/fs/Kconfig 2008-03-26 20:21:08.000000000 -0400
54157 +@@ -937,7 +937,7 @@ config PROC_FS
54158 +
54159 + config PROC_KCORE
54160 + bool "/proc/kcore support" if !ARM
54161 +- depends on PROC_FS && MMU
54162 ++ depends on PROC_FS && MMU && !GRKERNSEC_PROC_ADD
54163 +
54164 + config PROC_VMCORE
54165 + bool "/proc/vmcore support (EXPERIMENTAL)"
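Review bot: `depends on PROC_FS && MMU && !GRKERNSEC_PROC_ADD` makes `/proc/kcore` disappear from the menu as soon as GRKERNSEC_PROC_ADD is enabled, which is the right default (kcore exposes a raw image of kernel memory to anyone allowed to read it) but will silently drop CONFIG_PROC_KCORE from existing configs on oldconfig. Mention the interaction in the GRKERNSEC_PROC_ADD help text so that users understand why the option vanished.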
54166 +diff -urNp linux-2.6.24.5/fs/namei.c linux-2.6.24.5/fs/namei.c
54167 +--- linux-2.6.24.5/fs/namei.c 2008-03-24 14:49:18.000000000 -0400
54168 ++++ linux-2.6.24.5/fs/namei.c 2008-03-26 20:21:08.000000000 -0400
54169 +@@ -30,6 +30,7 @@
54170 + #include <linux/capability.h>
54171 + #include <linux/file.h>
54172 + #include <linux/fcntl.h>
54173 ++#include <linux/grsecurity.h>
54174 + #include <asm/namei.h>
54175 + #include <asm/uaccess.h>
54176 +
54177 +@@ -621,7 +622,7 @@ static __always_inline int __do_follow_l
54178 + cookie = dentry->d_inode->i_op->follow_link(dentry, nd);
54179 + error = PTR_ERR(cookie);
54180 + if (!IS_ERR(cookie)) {
54181 +- char *s = nd_get_link(nd);
54182 ++ const char *s = nd_get_link(nd);
54183 + error = 0;
54184 + if (s)
54185 + error = __vfs_follow_link(nd, s);
54186 +@@ -653,6 +654,13 @@ static inline int do_follow_link(struct
54187 + err = security_inode_follow_link(path->dentry, nd);
54188 + if (err)
54189 + goto loop;
54190 ++
54191 ++ if (gr_handle_follow_link(path->dentry->d_parent->d_inode,
54192 ++ path->dentry->d_inode, path->dentry, nd->mnt)) {
54193 ++ err = -EACCES;
54194 ++ goto loop;
54195 ++ }
54196 ++
54197 + current->link_count++;
54198 + current->total_link_count++;
54199 + nd->depth++;
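Review bot: the gr_handle_follow_link() check is placed after `security_inode_follow_link()` and before `current->link_count++`, so an LSM denial takes precedence and nothing needs unwinding on the `goto loop` path; good. The same four-argument call (`path->dentry->d_parent->d_inode, path->dentry->d_inode, path->dentry, nd->mnt`) is repeated in the `do_link:` hunk further down; a small static inline taking the `struct path` and the `nd` would keep the two call sites from drifting apart.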
54200 +@@ -998,11 +1006,18 @@ return_reval:
54201 + break;
54202 + }
54203 + return_base:
54204 ++ if (!gr_acl_handle_hidden_file(nd->dentry, nd->mnt)) {
54205 ++ path_release(nd);
54206 ++ return -ENOENT;
54207 ++ }
54208 + return 0;
54209 + out_dput:
54210 + dput_path(&next, nd);
54211 + break;
54212 + }
54213 ++ if (!gr_acl_handle_hidden_file(nd->dentry, nd->mnt))
54214 ++ err = -ENOENT;
54215 ++
54216 + path_release(nd);
54217 + return_err:
54218 + return err;
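Review bot: both gr_acl_handle_hidden_file() failures return `-ENOENT` rather than `-EACCES`, which is what makes hiding effective (an EACCES would confirm that the object exists). That rationale should be in a comment, because a later cleanup could "fix" it to EACCES. Note also that the second check, after the loop's `break`, overwrites whatever error the lookup had already produced (`err = -ENOENT`) for the partially resolved `nd->dentry`; that is consistent with hiding the directory, but it is still an override and deserves a word of explanation.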
54219 +@@ -1680,9 +1695,17 @@ static int open_namei_create(struct name
54220 + int error;
54221 + struct dentry *dir = nd->dentry;
54222 +
54223 ++ if (!gr_acl_handle_creat(path->dentry, nd->dentry, nd->mnt, flag, mode)) {
54224 ++ error = -EACCES;
54225 ++ goto out_unlock_dput;
54226 ++ }
54227 ++
54228 + if (!IS_POSIXACL(dir->d_inode))
54229 + mode &= ~current->fs->umask;
54230 + error = vfs_create(dir->d_inode, path->dentry, mode, nd);
54231 ++ if (!error)
54232 ++ gr_handle_create(path->dentry, nd->mnt);
54233 ++out_unlock_dput:
54234 + mutex_unlock(&dir->d_inode->i_mutex);
54235 + dput(nd->dentry);
54236 + nd->dentry = path->dentry;
54237 +@@ -1733,6 +1756,17 @@ int open_namei(int dfd, const char *path
54238 + nd, flag);
54239 + if (error)
54240 + return error;
54241 ++
54242 ++ if (gr_handle_rawio(nd->dentry->d_inode)) {
54243 ++ error = -EPERM;
54244 ++ goto exit;
54245 ++ }
54246 ++
54247 ++ if (!gr_acl_handle_open(nd->dentry, nd->mnt, flag)) {
54248 ++ error = -EACCES;
54249 ++ goto exit;
54250 ++ }
54251 ++
54252 + goto ok;
54253 + }
54254 +
54255 +@@ -1782,6 +1816,23 @@ do_last:
54256 + /*
54257 + * It already exists.
54258 + */
54259 ++
54260 ++ if (gr_handle_rawio(path.dentry->d_inode)) {
54261 ++ mutex_unlock(&dir->d_inode->i_mutex);
54262 ++ error = -EPERM;
54263 ++ goto exit_dput;
54264 ++ }
54265 ++ if (!gr_acl_handle_open(path.dentry, nd->mnt, flag)) {
54266 ++ mutex_unlock(&dir->d_inode->i_mutex);
54267 ++ error = -EACCES;
54268 ++ goto exit_dput;
54269 ++ }
54270 ++ if (gr_handle_fifo(path.dentry, nd->mnt, dir, flag, acc_mode)) {
54271 ++ mutex_unlock(&dir->d_inode->i_mutex);
54272 ++ error = -EACCES;
54273 ++ goto exit_dput;
54274 ++ }
54275 ++
54276 + mutex_unlock(&dir->d_inode->i_mutex);
54277 + audit_inode(pathname, path.dentry);
54278 +
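Review bot: the three back-to-back checks in `do_last:` each repeat `mutex_unlock(&dir->d_inode->i_mutex); error = ...; goto exit_dput;`; a single jump to a local label that unlocks once would remove the triplication. More importantly, `gr_handle_fifo(path.dentry, nd->mnt, dir, flag, acc_mode)` is applied only on this O_CREAT path, while the non-O_CREAT path earlier in this file receives only the rawio and ACL open checks. If that is intentional (the sticky-directory FIFO substitution only matters when the caller expected to create the file), say so in a comment next to the call; otherwise the plain-open path is missing the check.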
54279 +@@ -1837,6 +1888,13 @@ do_link:
54280 + error = security_inode_follow_link(path.dentry, nd);
54281 + if (error)
54282 + goto exit_dput;
54283 ++
54284 ++ if (gr_handle_follow_link(path.dentry->d_parent->d_inode, path.dentry->d_inode,
54285 ++ path.dentry, nd->mnt)) {
54286 ++ error = -EACCES;
54287 ++ goto exit_dput;
54288 ++ }
54289 ++
54290 + error = __do_follow_link(&path, nd);
54291 + if (error) {
54292 + /* Does someone understand code flow here? Or it is only
54293 +@@ -1965,6 +2023,22 @@ asmlinkage long sys_mknodat(int dfd, con
54294 + if (!IS_POSIXACL(nd.dentry->d_inode))
54295 + mode &= ~current->fs->umask;
54296 + if (!IS_ERR(dentry)) {
54297 ++ if (gr_handle_chroot_mknod(dentry, nd.mnt, mode)) {
54298 ++ error = -EPERM;
54299 ++ dput(dentry);
54300 ++ mutex_unlock(&nd.dentry->d_inode->i_mutex);
54301 ++ path_release(&nd);
54302 ++ goto out;
54303 ++ }
54304 ++
54305 ++ if (!gr_acl_handle_mknod(dentry, nd.dentry, nd.mnt, mode)) {
54306 ++ error = -EACCES;
54307 ++ dput(dentry);
54308 ++ mutex_unlock(&nd.dentry->d_inode->i_mutex);
54309 ++ path_release(&nd);
54310 ++ goto out;
54311 ++ }
54312 ++
54313 + switch (mode & S_IFMT) {
54314 + case 0: case S_IFREG:
54315 + error = vfs_create(nd.dentry->d_inode,dentry,mode,&nd);
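Review bot: the two deny blocks in sys_mknodat() each hand-roll the four-line cleanup (`dput(dentry); mutex_unlock(&nd.dentry->d_inode->i_mutex); path_release(&nd); goto out;`) that the function already performs when it falls off the end of the `if (!IS_ERR(dentry))` block. Setting `error` and jumping to a local label placed before the existing `dput(dentry)` (the pattern the mkdirat, symlinkat and linkat hunks below use with `out_unlock_dput` / `out_dput_unlock`) would avoid the duplication and the risk of the two copies diverging from the function's own cleanup order.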
54316 +@@ -1982,6 +2056,10 @@ asmlinkage long sys_mknodat(int dfd, con
54317 + default:
54318 + error = -EINVAL;
54319 + }
54320 ++
54321 ++ if (!error)
54322 ++ gr_handle_create(dentry, nd.mnt);
54323 ++
54324 + dput(dentry);
54325 + }
54326 + mutex_unlock(&nd.dentry->d_inode->i_mutex);
54327 +@@ -2039,9 +2117,18 @@ asmlinkage long sys_mkdirat(int dfd, con
54328 + if (IS_ERR(dentry))
54329 + goto out_unlock;
54330 +
54331 ++ if (!gr_acl_handle_mkdir(dentry, nd.dentry, nd.mnt)) {
54332 ++ error = -EACCES;
54333 ++ goto out_unlock_dput;
54334 ++ }
54335 ++
54336 + if (!IS_POSIXACL(nd.dentry->d_inode))
54337 + mode &= ~current->fs->umask;
54338 + error = vfs_mkdir(nd.dentry->d_inode, dentry, mode);
54339 ++
54340 ++ if (!error)
54341 ++ gr_handle_create(dentry, nd.mnt);
54342 ++out_unlock_dput:
54343 + dput(dentry);
54344 + out_unlock:
54345 + mutex_unlock(&nd.dentry->d_inode->i_mutex);
54346 +@@ -2123,6 +2210,8 @@ static long do_rmdir(int dfd, const char
54347 + char * name;
54348 + struct dentry *dentry;
54349 + struct nameidata nd;
54350 ++ ino_t saved_ino = 0;
54351 ++ dev_t saved_dev = 0;
54352 +
54353 + name = getname(pathname);
54354 + if(IS_ERR(name))
54355 +@@ -2148,7 +2237,22 @@ static long do_rmdir(int dfd, const char
54356 + error = PTR_ERR(dentry);
54357 + if (IS_ERR(dentry))
54358 + goto exit2;
54359 ++
54360 ++ if (dentry->d_inode != NULL) {
54361 ++ if (dentry->d_inode->i_nlink <= 1) {
54362 ++ saved_ino = dentry->d_inode->i_ino;
54363 ++ saved_dev = dentry->d_inode->i_sb->s_dev;
54364 ++ }
54365 ++
54366 ++ if (!gr_acl_handle_rmdir(dentry, nd.mnt)) {
54367 ++ error = -EACCES;
54368 ++ goto dput_exit2;
54369 ++ }
54370 ++ }
54371 + error = vfs_rmdir(nd.dentry->d_inode, dentry);
54372 ++ if (!error && (saved_dev || saved_ino))
54373 ++ gr_handle_delete(saved_ino, saved_dev);
54374 ++dput_exit2:
54375 + dput(dentry);
54376 + exit2:
54377 + mutex_unlock(&nd.dentry->d_inode->i_mutex);
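Review bot: in do_rmdir() the `saved_ino`/`saved_dev` pair is only recorded when `dentry->d_inode->i_nlink <= 1`, a guard copied from the unlink path where it correctly identifies the last hard link. Directories cannot be hard-linked, and on filesystems that count `.` and the parent entry an empty directory has `i_nlink == 2`, so `gr_handle_delete(saved_ino, saved_dev)` will not fire for most successful rmdirs and the ACL subsystem keeps a stale inode/device binding for a directory that is gone. Record the ino/dev unconditionally here and keep the `i_nlink` guard only in do_unlinkat().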
54378 +@@ -2207,6 +2311,8 @@ static long do_unlinkat(int dfd, const c
54379 + struct dentry *dentry;
54380 + struct nameidata nd;
54381 + struct inode *inode = NULL;
54382 ++ ino_t saved_ino = 0;
54383 ++ dev_t saved_dev = 0;
54384 +
54385 + name = getname(pathname);
54386 + if(IS_ERR(name))
54387 +@@ -2222,13 +2328,26 @@ static long do_unlinkat(int dfd, const c
54388 + dentry = lookup_hash(&nd);
54389 + error = PTR_ERR(dentry);
54390 + if (!IS_ERR(dentry)) {
54391 ++ error = 0;
54392 + /* Why not before? Because we want correct error value */
54393 + if (nd.last.name[nd.last.len])
54394 + goto slashes;
54395 + inode = dentry->d_inode;
54396 +- if (inode)
54397 ++ if (inode) {
54398 ++ if (inode->i_nlink <= 1) {
54399 ++ saved_ino = inode->i_ino;
54400 ++ saved_dev = inode->i_sb->s_dev;
54401 ++ }
54402 ++
54403 ++ if (!gr_acl_handle_unlink(dentry, nd.mnt))
54404 ++ error = -EACCES;
54405 ++
54406 + atomic_inc(&inode->i_count);
54407 +- error = vfs_unlink(nd.dentry->d_inode, dentry);
54408 ++ }
54409 ++ if (!error)
54410 ++ error = vfs_unlink(nd.dentry->d_inode, dentry);
54411 ++ if (!error && (saved_ino || saved_dev))
54412 ++ gr_handle_delete(saved_ino, saved_dev);
54413 + exit2:
54414 + dput(dentry);
54415 + }
54416 +@@ -2309,7 +2428,16 @@ asmlinkage long sys_symlinkat(const char
54417 + if (IS_ERR(dentry))
54418 + goto out_unlock;
54419 +
54420 ++ if (!gr_acl_handle_symlink(dentry, nd.dentry, nd.mnt, from)) {
54421 ++ error = -EACCES;
54422 ++ goto out_dput_unlock;
54423 ++ }
54424 ++
54425 + error = vfs_symlink(nd.dentry->d_inode, dentry, from, S_IALLUGO);
54426 ++
54427 ++ if (!error)
54428 ++ gr_handle_create(dentry, nd.mnt);
54429 ++out_dput_unlock:
54430 + dput(dentry);
54431 + out_unlock:
54432 + mutex_unlock(&nd.dentry->d_inode->i_mutex);
54433 +@@ -2404,7 +2532,25 @@ asmlinkage long sys_linkat(int olddfd, c
54434 + error = PTR_ERR(new_dentry);
54435 + if (IS_ERR(new_dentry))
54436 + goto out_unlock;
54437 ++
54438 ++ if (gr_handle_hardlink(old_nd.dentry, old_nd.mnt,
54439 ++ old_nd.dentry->d_inode,
54440 ++ old_nd.dentry->d_inode->i_mode, to)) {
54441 ++ error = -EACCES;
54442 ++ goto out_unlock_dput;
54443 ++ }
54444 ++
54445 ++ if (!gr_acl_handle_link(new_dentry, nd.dentry, nd.mnt,
54446 ++ old_nd.dentry, old_nd.mnt, to)) {
54447 ++ error = -EACCES;
54448 ++ goto out_unlock_dput;
54449 ++ }
54450 ++
54451 + error = vfs_link(old_nd.dentry, nd.dentry->d_inode, new_dentry);
54452 ++
54453 ++ if (!error)
54454 ++ gr_handle_create(new_dentry, nd.mnt);
54455 ++out_unlock_dput:
54456 + dput(new_dentry);
54457 + out_unlock:
54458 + mutex_unlock(&nd.dentry->d_inode->i_mutex);
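Review bot: The two new checks in sys_linkat use opposite return conventions, which is easy to misread: `gr_handle_hardlink(...)` denies when it returns nonzero, while `gr_acl_handle_link(...)` denies when it returns zero. A one-line comment above each (or a consistent naming scheme for the `gr_handle_*` versus `gr_acl_handle_*` families) would prevent an inverted check slipping in later. Placement is right: both run after `lookup_create` has produced the negative `new_dentry` and before `vfs_link`, and the deny path goes through the new `out_unlock_dput` label so the dentry reference is released.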
54459 +@@ -2630,8 +2776,16 @@ static int do_rename(int olddfd, const c
54460 + if (new_dentry == trap)
54461 + goto exit5;
54462 +
54463 +- error = vfs_rename(old_dir->d_inode, old_dentry,
54464 ++ error = gr_acl_handle_rename(new_dentry, newnd.dentry, newnd.mnt,
54465 ++ old_dentry, old_dir->d_inode, oldnd.mnt,
54466 ++ newname);
54467 ++
54468 ++ if (!error)
54469 ++ error = vfs_rename(old_dir->d_inode, old_dentry,
54470 + new_dir->d_inode, new_dentry);
54471 ++ if (!error)
54472 ++ gr_handle_rename(old_dir->d_inode, newnd.dentry->d_inode, old_dentry,
54473 ++ new_dentry, oldnd.mnt, new_dentry->d_inode ? 1 : 0);
54474 + exit5:
54475 + dput(new_dentry);
54476 + exit4:
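Review bot: `gr_acl_handle_rename` uses a different return convention from its siblings in this file: here its result is assigned straight into `error` and treated as "0 means allowed", whereas `gr_acl_handle_symlink`/`gr_acl_handle_link` above return nonzero for allowed. If the function really returns 0/-errno, say so in a comment at the call site; otherwise this silently denies every rename. Separately, `new_dentry->d_inode ? 1 : 0` is evaluated after `vfs_rename` has run, so it relies on `new_dentry` keeping its (replaced) inode through `d_move`; capturing `int replaced = new_dentry->d_inode != NULL;` before the call would make the "target was overwritten" flag independent of that d_move detail.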
54477 +diff -urNp linux-2.6.24.5/fs/namespace.c linux-2.6.24.5/fs/namespace.c
54478 +--- linux-2.6.24.5/fs/namespace.c 2008-03-24 14:49:18.000000000 -0400
54479 ++++ linux-2.6.24.5/fs/namespace.c 2008-03-26 20:21:08.000000000 -0400
54480 +@@ -25,6 +25,7 @@
54481 + #include <linux/security.h>
54482 + #include <linux/mount.h>
54483 + #include <linux/ramfs.h>
54484 ++#include <linux/grsecurity.h>
54485 + #include <asm/uaccess.h>
54486 + #include <asm/unistd.h>
54487 + #include "pnode.h"
54488 +@@ -597,6 +598,8 @@ static int do_umount(struct vfsmount *mn
54489 + DQUOT_OFF(sb);
54490 + retval = do_remount_sb(sb, MS_RDONLY, NULL, 0);
54491 + unlock_kernel();
54492 ++
54493 ++ gr_log_remount(mnt->mnt_devname, retval);
54494 + }
54495 + up_write(&sb->s_umount);
54496 + return retval;
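Review bot: `gr_log_remount(mnt->mnt_devname, retval)` passes a pointer that can be NULL: `mnt_devname` is only set when the mount was created with a device name, so the logger must tolerate a NULL string (or the call should substitute a placeholder such as "none"). Logging after `unlock_kernel()` is fine, since `mnt` is still pinned by the caller's reference.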
54497 +@@ -617,6 +620,9 @@ static int do_umount(struct vfsmount *mn
54498 + security_sb_umount_busy(mnt);
54499 + up_write(&namespace_sem);
54500 + release_mounts(&umount_list);
54501 ++
54502 ++ gr_log_unmount(mnt->mnt_devname, retval);
54503 ++
54504 + return retval;
54505 + }
54506 +
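Review bot: Only the final `return retval` of `do_umount` is instrumented with `gr_log_unmount`, so any earlier return in the function (not part of this hunk) leaves no audit record of the attempt. If the intent is to log failed or refused unmounts as well as successful ones, the call belongs on every exit path, or in the caller after `do_umount` returns. The same NULL `mnt_devname` caveat as for `gr_log_remount` applies here.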
54507 +@@ -1442,6 +1448,11 @@ long do_mount(char *dev_name, char *dir_
54508 + if (retval)
54509 + goto dput_out;
54510 +
54511 ++ if (gr_handle_chroot_mount(nd.dentry, nd.mnt, dev_name)) {
54512 ++ retval = -EPERM;
54513 ++ goto dput_out;
54514 ++ }
54515 ++
54516 + if (flags & MS_REMOUNT)
54517 + retval = do_remount(&nd, flags & ~MS_REMOUNT, mnt_flags,
54518 + data_page);
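Review bot: Placing `gr_handle_chroot_mount` after the `security_sb_mount` result check and before the `MS_REMOUNT`/bind/move/new-mount dispatch means it covers every mount variant with one check, which is the right spot. Worth a comment that the `-EPERM` deny path jumps to `dput_out` and is therefore also recorded by the `gr_log_mount` call added at that label, so denied chroot mounts do show up in the log.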
54519 +@@ -1456,6 +1467,9 @@ long do_mount(char *dev_name, char *dir_
54520 + dev_name, data_page);
54521 + dput_out:
54522 + path_release(&nd);
54523 ++
54524 ++ gr_log_mount(dev_name, dir_name, retval);
54525 ++
54526 + return retval;
54527 + }
54528 +
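Review bot: `gr_log_mount(dev_name, dir_name, retval)` can receive a NULL `dev_name` (mounts without a source device pass no device string), so the logger must handle that; `dir_name` is guaranteed non-NULL by `do_mount`'s sanity checks. Logging after `path_release(&nd)` is correct because neither argument depends on `nd`.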
54529 +@@ -1693,6 +1707,9 @@ asmlinkage long sys_pivot_root(const cha
54530 + if (!capable(CAP_SYS_ADMIN))
54531 + return -EPERM;
54532 +
54533 ++ if (gr_handle_chroot_pivot())
54534 ++ return -EPERM;
54535 ++
54536 + lock_kernel();
54537 +
54538 + error = __user_walk(new_root, LOOKUP_FOLLOW | LOOKUP_DIRECTORY,
54539 +diff -urNp linux-2.6.24.5/fs/nfs/callback_xdr.c linux-2.6.24.5/fs/nfs/callback_xdr.c
54540 +--- linux-2.6.24.5/fs/nfs/callback_xdr.c 2008-03-24 14:49:18.000000000 -0400
54541 ++++ linux-2.6.24.5/fs/nfs/callback_xdr.c 2008-03-26 20:21:08.000000000 -0400
54542 +@@ -139,7 +139,7 @@ static __be32 decode_compound_hdr_arg(st
54543 + if (unlikely(status != 0))
54544 + return status;
54545 + /* We do not like overly long tags! */
54546 +- if (hdr->taglen > CB_OP_TAGLEN_MAXSZ-12 || hdr->taglen < 0) {
54547 ++ if (hdr->taglen > CB_OP_TAGLEN_MAXSZ-12) {
54548 + printk("NFSv4 CALLBACK %s: client sent tag of length %u\n",
54549 + __FUNCTION__, hdr->taglen);
54550 + return htonl(NFS4ERR_RESOURCE);
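Review bot: Removing `hdr->taglen < 0` is correct and not a weakening: the `%u` format on the very next line shows `taglen` is unsigned, so that comparison was always false and the upper bound `taglen > CB_OP_TAGLEN_MAXSZ-12` was already the only effective check. Consider a short comment that the length is unsigned so nobody reintroduces the dead test.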
54551 +diff -urNp linux-2.6.24.5/fs/nfs/nfs4proc.c linux-2.6.24.5/fs/nfs/nfs4proc.c
54552 +--- linux-2.6.24.5/fs/nfs/nfs4proc.c 2008-03-24 14:49:18.000000000 -0400
54553 ++++ linux-2.6.24.5/fs/nfs/nfs4proc.c 2008-03-26 20:21:08.000000000 -0400
54554 +@@ -656,7 +656,7 @@ static int _nfs4_do_open_reclaim(struct
54555 + static int nfs4_do_open_reclaim(struct nfs_open_context *ctx, struct nfs4_state *state)
54556 + {
54557 + struct nfs_server *server = NFS_SERVER(state->inode);
54558 +- struct nfs4_exception exception = { };
54559 ++ struct nfs4_exception exception = {0, 0};
54560 + int err;
54561 + do {
54562 + err = _nfs4_do_open_reclaim(ctx, state);
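Review bot: `{ }` and `{0, 0}` both zero the whole `struct nfs4_exception`, so this hunk (and the identical ones that follow in nfs4proc.c) changes no behaviour; the churn is presumably to avoid a warning on the empty-brace initializer extension. The commit message should say so, and if the struct ever gains a member the explicit form still compiles (remaining fields are zero-initialised), so there is no maintenance hazard beyond possible `-Wmissing-field-initializers` noise.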
54563 +@@ -698,7 +698,7 @@ static int _nfs4_open_delegation_recall(
54564 +
54565 + int nfs4_open_delegation_recall(struct nfs_open_context *ctx, struct nfs4_state *state, const nfs4_stateid *stateid)
54566 + {
54567 +- struct nfs4_exception exception = { };
54568 ++ struct nfs4_exception exception = {0, 0};
54569 + struct nfs_server *server = NFS_SERVER(state->inode);
54570 + int err;
54571 + do {
54572 +@@ -987,7 +987,7 @@ static int _nfs4_open_expired(struct nfs
54573 + static inline int nfs4_do_open_expired(struct nfs_open_context *ctx, struct nfs4_state *state)
54574 + {
54575 + struct nfs_server *server = NFS_SERVER(state->inode);
54576 +- struct nfs4_exception exception = { };
54577 ++ struct nfs4_exception exception = {0, 0};
54578 + int err;
54579 +
54580 + do {
54581 +@@ -1089,7 +1089,7 @@ out_err:
54582 +
54583 + static struct nfs4_state *nfs4_do_open(struct inode *dir, struct path *path, int flags, struct iattr *sattr, struct rpc_cred *cred)
54584 + {
54585 +- struct nfs4_exception exception = { };
54586 ++ struct nfs4_exception exception = {0, 0};
54587 + struct nfs4_state *res;
54588 + int status;
54589 +
54590 +@@ -1178,7 +1178,7 @@ static int nfs4_do_setattr(struct inode
54591 + struct iattr *sattr, struct nfs4_state *state)
54592 + {
54593 + struct nfs_server *server = NFS_SERVER(inode);
54594 +- struct nfs4_exception exception = { };
54595 ++ struct nfs4_exception exception = {0, 0};
54596 + int err;
54597 + do {
54598 + err = nfs4_handle_exception(server,
54599 +@@ -1484,7 +1484,7 @@ static int _nfs4_server_capabilities(str
54600 +
54601 + int nfs4_server_capabilities(struct nfs_server *server, struct nfs_fh *fhandle)
54602 + {
54603 +- struct nfs4_exception exception = { };
54604 ++ struct nfs4_exception exception = {0, 0};
54605 + int err;
54606 + do {
54607 + err = nfs4_handle_exception(server,
54608 +@@ -1517,7 +1517,7 @@ static int _nfs4_lookup_root(struct nfs_
54609 + static int nfs4_lookup_root(struct nfs_server *server, struct nfs_fh *fhandle,
54610 + struct nfs_fsinfo *info)
54611 + {
54612 +- struct nfs4_exception exception = { };
54613 ++ struct nfs4_exception exception = {0, 0};
54614 + int err;
54615 + do {
54616 + err = nfs4_handle_exception(server,
54617 +@@ -1606,7 +1606,7 @@ static int _nfs4_proc_getattr(struct nfs
54618 +
54619 + static int nfs4_proc_getattr(struct nfs_server *server, struct nfs_fh *fhandle, struct nfs_fattr *fattr)
54620 + {
54621 +- struct nfs4_exception exception = { };
54622 ++ struct nfs4_exception exception = {0, 0};
54623 + int err;
54624 + do {
54625 + err = nfs4_handle_exception(server,
54626 +@@ -1696,7 +1696,7 @@ static int nfs4_proc_lookupfh(struct nfs
54627 + struct qstr *name, struct nfs_fh *fhandle,
54628 + struct nfs_fattr *fattr)
54629 + {
54630 +- struct nfs4_exception exception = { };
54631 ++ struct nfs4_exception exception = {0, 0};
54632 + int err;
54633 + do {
54634 + err = _nfs4_proc_lookupfh(server, dirfh, name, fhandle, fattr);
54635 +@@ -1725,7 +1725,7 @@ static int _nfs4_proc_lookup(struct inod
54636 +
54637 + static int nfs4_proc_lookup(struct inode *dir, struct qstr *name, struct nfs_fh *fhandle, struct nfs_fattr *fattr)
54638 + {
54639 +- struct nfs4_exception exception = { };
54640 ++ struct nfs4_exception exception = {0, 0};
54641 + int err;
54642 + do {
54643 + err = nfs4_handle_exception(NFS_SERVER(dir),
54644 +@@ -1789,7 +1789,7 @@ static int _nfs4_proc_access(struct inod
54645 +
54646 + static int nfs4_proc_access(struct inode *inode, struct nfs_access_entry *entry)
54647 + {
54648 +- struct nfs4_exception exception = { };
54649 ++ struct nfs4_exception exception = {0, 0};
54650 + int err;
54651 + do {
54652 + err = nfs4_handle_exception(NFS_SERVER(inode),
54653 +@@ -1844,7 +1844,7 @@ static int _nfs4_proc_readlink(struct in
54654 + static int nfs4_proc_readlink(struct inode *inode, struct page *page,
54655 + unsigned int pgbase, unsigned int pglen)
54656 + {
54657 +- struct nfs4_exception exception = { };
54658 ++ struct nfs4_exception exception = {0, 0};
54659 + int err;
54660 + do {
54661 + err = nfs4_handle_exception(NFS_SERVER(inode),
54662 +@@ -1940,7 +1940,7 @@ static int _nfs4_proc_remove(struct inod
54663 +
54664 + static int nfs4_proc_remove(struct inode *dir, struct qstr *name)
54665 + {
54666 +- struct nfs4_exception exception = { };
54667 ++ struct nfs4_exception exception = {0, 0};
54668 + int err;
54669 + do {
54670 + err = nfs4_handle_exception(NFS_SERVER(dir),
54671 +@@ -2012,7 +2012,7 @@ static int _nfs4_proc_rename(struct inod
54672 + static int nfs4_proc_rename(struct inode *old_dir, struct qstr *old_name,
54673 + struct inode *new_dir, struct qstr *new_name)
54674 + {
54675 +- struct nfs4_exception exception = { };
54676 ++ struct nfs4_exception exception = {0, 0};
54677 + int err;
54678 + do {
54679 + err = nfs4_handle_exception(NFS_SERVER(old_dir),
54680 +@@ -2059,7 +2059,7 @@ static int _nfs4_proc_link(struct inode
54681 +
54682 + static int nfs4_proc_link(struct inode *inode, struct inode *dir, struct qstr *name)
54683 + {
54684 +- struct nfs4_exception exception = { };
54685 ++ struct nfs4_exception exception = {0, 0};
54686 + int err;
54687 + do {
54688 + err = nfs4_handle_exception(NFS_SERVER(inode),
54689 +@@ -2116,7 +2116,7 @@ static int _nfs4_proc_symlink(struct ino
54690 + static int nfs4_proc_symlink(struct inode *dir, struct dentry *dentry,
54691 + struct page *page, unsigned int len, struct iattr *sattr)
54692 + {
54693 +- struct nfs4_exception exception = { };
54694 ++ struct nfs4_exception exception = {0, 0};
54695 + int err;
54696 + do {
54697 + err = nfs4_handle_exception(NFS_SERVER(dir),
54698 +@@ -2169,7 +2169,7 @@ static int _nfs4_proc_mkdir(struct inode
54699 + static int nfs4_proc_mkdir(struct inode *dir, struct dentry *dentry,
54700 + struct iattr *sattr)
54701 + {
54702 +- struct nfs4_exception exception = { };
54703 ++ struct nfs4_exception exception = {0, 0};
54704 + int err;
54705 + do {
54706 + err = nfs4_handle_exception(NFS_SERVER(dir),
54707 +@@ -2218,7 +2218,7 @@ static int _nfs4_proc_readdir(struct den
54708 + static int nfs4_proc_readdir(struct dentry *dentry, struct rpc_cred *cred,
54709 + u64 cookie, struct page *page, unsigned int count, int plus)
54710 + {
54711 +- struct nfs4_exception exception = { };
54712 ++ struct nfs4_exception exception = {0, 0};
54713 + int err;
54714 + do {
54715 + err = nfs4_handle_exception(NFS_SERVER(dentry->d_inode),
54716 +@@ -2288,7 +2288,7 @@ static int _nfs4_proc_mknod(struct inode
54717 + static int nfs4_proc_mknod(struct inode *dir, struct dentry *dentry,
54718 + struct iattr *sattr, dev_t rdev)
54719 + {
54720 +- struct nfs4_exception exception = { };
54721 ++ struct nfs4_exception exception = {0, 0};
54722 + int err;
54723 + do {
54724 + err = nfs4_handle_exception(NFS_SERVER(dir),
54725 +@@ -2317,7 +2317,7 @@ static int _nfs4_proc_statfs(struct nfs_
54726 +
54727 + static int nfs4_proc_statfs(struct nfs_server *server, struct nfs_fh *fhandle, struct nfs_fsstat *fsstat)
54728 + {
54729 +- struct nfs4_exception exception = { };
54730 ++ struct nfs4_exception exception = {0, 0};
54731 + int err;
54732 + do {
54733 + err = nfs4_handle_exception(server,
54734 +@@ -2345,7 +2345,7 @@ static int _nfs4_do_fsinfo(struct nfs_se
54735 +
54736 + static int nfs4_do_fsinfo(struct nfs_server *server, struct nfs_fh *fhandle, struct nfs_fsinfo *fsinfo)
54737 + {
54738 +- struct nfs4_exception exception = { };
54739 ++ struct nfs4_exception exception = {0, 0};
54740 + int err;
54741 +
54742 + do {
54743 +@@ -2388,7 +2388,7 @@ static int _nfs4_proc_pathconf(struct nf
54744 + static int nfs4_proc_pathconf(struct nfs_server *server, struct nfs_fh *fhandle,
54745 + struct nfs_pathconf *pathconf)
54746 + {
54747 +- struct nfs4_exception exception = { };
54748 ++ struct nfs4_exception exception = {0, 0};
54749 + int err;
54750 +
54751 + do {
54752 +@@ -2708,7 +2708,7 @@ out_free:
54753 +
54754 + static ssize_t nfs4_get_acl_uncached(struct inode *inode, void *buf, size_t buflen)
54755 + {
54756 +- struct nfs4_exception exception = { };
54757 ++ struct nfs4_exception exception = {0, 0};
54758 + ssize_t ret;
54759 + do {
54760 + ret = __nfs4_get_acl_uncached(inode, buf, buflen);
54761 +@@ -2762,7 +2762,7 @@ static int __nfs4_proc_set_acl(struct in
54762 +
54763 + static int nfs4_proc_set_acl(struct inode *inode, const void *buf, size_t buflen)
54764 + {
54765 +- struct nfs4_exception exception = { };
54766 ++ struct nfs4_exception exception = {0, 0};
54767 + int err;
54768 + do {
54769 + err = nfs4_handle_exception(NFS_SERVER(inode),
54770 +@@ -3059,7 +3059,7 @@ static int _nfs4_proc_delegreturn(struct
54771 + int nfs4_proc_delegreturn(struct inode *inode, struct rpc_cred *cred, const nfs4_stateid *stateid)
54772 + {
54773 + struct nfs_server *server = NFS_SERVER(inode);
54774 +- struct nfs4_exception exception = { };
54775 ++ struct nfs4_exception exception = {0, 0};
54776 + int err;
54777 + do {
54778 + err = _nfs4_proc_delegreturn(inode, cred, stateid);
54779 +@@ -3134,7 +3134,7 @@ out:
54780 +
54781 + static int nfs4_proc_getlk(struct nfs4_state *state, int cmd, struct file_lock *request)
54782 + {
54783 +- struct nfs4_exception exception = { };
54784 ++ struct nfs4_exception exception = {0, 0};
54785 + int err;
54786 +
54787 + do {
54788 +@@ -3476,7 +3476,7 @@ static int _nfs4_do_setlk(struct nfs4_st
54789 + static int nfs4_lock_reclaim(struct nfs4_state *state, struct file_lock *request)
54790 + {
54791 + struct nfs_server *server = NFS_SERVER(state->inode);
54792 +- struct nfs4_exception exception = { };
54793 ++ struct nfs4_exception exception = {0, 0};
54794 + int err;
54795 +
54796 + do {
54797 +@@ -3494,7 +3494,7 @@ static int nfs4_lock_reclaim(struct nfs4
54798 + static int nfs4_lock_expired(struct nfs4_state *state, struct file_lock *request)
54799 + {
54800 + struct nfs_server *server = NFS_SERVER(state->inode);
54801 +- struct nfs4_exception exception = { };
54802 ++ struct nfs4_exception exception = {0, 0};
54803 + int err;
54804 +
54805 + err = nfs4_set_lock_state(state, request);
54806 +@@ -3555,7 +3555,7 @@ out:
54807 +
54808 + static int nfs4_proc_setlk(struct nfs4_state *state, int cmd, struct file_lock *request)
54809 + {
54810 +- struct nfs4_exception exception = { };
54811 ++ struct nfs4_exception exception = {0, 0};
54812 + int err;
54813 +
54814 + do {
54815 +@@ -3605,7 +3605,7 @@ nfs4_proc_lock(struct file *filp, int cm
54816 + int nfs4_lock_delegation_recall(struct nfs4_state *state, struct file_lock *fl)
54817 + {
54818 + struct nfs_server *server = NFS_SERVER(state->inode);
54819 +- struct nfs4_exception exception = { };
54820 ++ struct nfs4_exception exception = {0, 0};
54821 + int err;
54822 +
54823 + err = nfs4_set_lock_state(state, fl);
54824 +diff -urNp linux-2.6.24.5/fs/nfsd/export.c linux-2.6.24.5/fs/nfsd/export.c
54825 +--- linux-2.6.24.5/fs/nfsd/export.c 2008-03-24 14:49:18.000000000 -0400
54826 ++++ linux-2.6.24.5/fs/nfsd/export.c 2008-03-26 20:21:08.000000000 -0400
54827 +@@ -476,7 +476,7 @@ static int secinfo_parse(char **mesg, ch
54828 + * probably discover the problem when someone fails to
54829 + * authenticate.
54830 + */
54831 +- if (f->pseudoflavor < 0)
54832 ++ if ((s32)f->pseudoflavor < 0)
54833 + return -EINVAL;
54834 + err = get_int(mesg, &f->flags);
54835 + if (err)
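Review bot: The `(s32)` cast turns a previously dead comparison into a live one: `pseudoflavor` is unsigned, so `f->pseudoflavor < 0` could never be true and any value with the top bit set was accepted. Add a comment stating the intent (reject flavors that overflowed `get_int`'s signed range) so the cast is not "cleaned up" later, and confirm the reply for an out-of-range flavor is still `-EINVAL` rather than a crash further down.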
54836 +diff -urNp linux-2.6.24.5/fs/nfsd/nfs4state.c linux-2.6.24.5/fs/nfsd/nfs4state.c
54837 +--- linux-2.6.24.5/fs/nfsd/nfs4state.c 2008-03-24 14:49:18.000000000 -0400
54838 ++++ linux-2.6.24.5/fs/nfsd/nfs4state.c 2008-03-26 20:21:08.000000000 -0400
54839 +@@ -1233,7 +1233,7 @@ static int access_valid(u32 x)
54840 +
54841 + static int deny_valid(u32 x)
54842 + {
54843 +- return (x >= 0 && x < 5);
54844 ++ return (x < 5);
54845 + }
54846 +
54847 + static void
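Review bot: Dropping `x >= 0` from `deny_valid` is a pure dead-code removal since `x` is `u32`; `x < 5` is the complete check. Fine as is; it only needs a mention in the change description alongside the other unsigned-comparison fixes.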
54848 +diff -urNp linux-2.6.24.5/fs/nls/nls_base.c linux-2.6.24.5/fs/nls/nls_base.c
54849 +--- linux-2.6.24.5/fs/nls/nls_base.c 2008-03-24 14:49:18.000000000 -0400
54850 ++++ linux-2.6.24.5/fs/nls/nls_base.c 2008-03-26 20:21:08.000000000 -0400
54851 +@@ -42,7 +42,7 @@ static const struct utf8_table utf8_tabl
54852 + {0xF8, 0xF0, 3*6, 0x1FFFFF, 0x10000, /* 4 byte sequence */},
54853 + {0xFC, 0xF8, 4*6, 0x3FFFFFF, 0x200000, /* 5 byte sequence */},
54854 + {0xFE, 0xFC, 5*6, 0x7FFFFFFF, 0x4000000, /* 6 byte sequence */},
54855 +- {0, /* end of table */}
54856 ++ {0, 0, 0, 0, 0, /* end of table */}
54857 + };
54858 +
54859 + int
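Review bot: The expanded terminator `{0, 0, 0, 0, 0, /* end of table */}` is semantically identical to `{0, ...}` and only silences a missing-field-initializer warning. The end-of-table sentinel is detected by the zero `cmask`, which both forms produce, so no behavioural change here.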
54860 +diff -urNp linux-2.6.24.5/fs/ntfs/file.c linux-2.6.24.5/fs/ntfs/file.c
54861 +--- linux-2.6.24.5/fs/ntfs/file.c 2008-03-24 14:49:18.000000000 -0400
54862 ++++ linux-2.6.24.5/fs/ntfs/file.c 2008-03-26 20:21:08.000000000 -0400
54863 +@@ -2293,6 +2293,6 @@ const struct inode_operations ntfs_file_
54864 + #endif /* NTFS_RW */
54865 + };
54866 +
54867 +-const struct file_operations ntfs_empty_file_ops = {};
54868 ++const struct file_operations ntfs_empty_file_ops;
54869 +
54870 +-const struct inode_operations ntfs_empty_inode_ops = {};
54871 ++const struct inode_operations ntfs_empty_inode_ops;
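Review bot: Removing the `= {}` initializer from two `const` ops tables is not a no-op at the object level: a `const` file-scope object without an initializer is a tentative definition, and the compiler may emit it into a zero-filled writable section rather than read-only data, which is the opposite of what a hardening patch wants for `file_operations`/`inode_operations` tables. If the aim is to avoid the empty-brace extension, keep an explicit initializer such as `= { 0 }` (or `= { .owner = NULL }`) so the objects stay explicitly initialised and read-only.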
54872 +diff -urNp linux-2.6.24.5/fs/open.c linux-2.6.24.5/fs/open.c
54873 +--- linux-2.6.24.5/fs/open.c 2008-03-24 14:49:18.000000000 -0400
54874 ++++ linux-2.6.24.5/fs/open.c 2008-03-26 20:21:08.000000000 -0400
54875 +@@ -27,6 +27,7 @@
54876 + #include <linux/rcupdate.h>
54877 + #include <linux/audit.h>
54878 + #include <linux/falloc.h>
54879 ++#include <linux/grsecurity.h>
54880 +
54881 + int vfs_statfs(struct dentry *dentry, struct kstatfs *buf)
54882 + {
54883 +@@ -204,6 +205,9 @@ int do_truncate(struct dentry *dentry, l
54884 + if (length < 0)
54885 + return -EINVAL;
54886 +
54887 ++ if (filp && !gr_acl_handle_truncate(dentry, filp->f_vfsmnt))
54888 ++ return -EACCES;
54889 ++
54890 + newattrs.ia_size = length;
54891 + newattrs.ia_valid = ATTR_SIZE | time_attrs;
54892 + if (filp) {
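Review bot: The new `gr_acl_handle_truncate` check is gated on `filp`, and the hunk's own `if (filp) {` context shows callers do pass NULL (the path-based truncate path). Those callers bypass this hook here, so confirm they are covered by an equivalent check elsewhere in the patch, or the ACL can be sidestepped by choosing truncate(2) over ftruncate(2). A comment at this site naming where the path-based case is handled would settle it.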
54893 +@@ -461,6 +465,9 @@ asmlinkage long sys_faccessat(int dfd, c
54894 + if(IS_RDONLY(nd.dentry->d_inode))
54895 + res = -EROFS;
54896 +
54897 ++ if (!res && !gr_acl_handle_access(nd.dentry, nd.mnt, mode))
54898 ++ res = -EACCES;
54899 ++
54900 + out_path_release:
54901 + path_release(&nd);
54902 + out:
54903 +@@ -490,6 +497,8 @@ asmlinkage long sys_chdir(const char __u
54904 + if (error)
54905 + goto dput_and_out;
54906 +
54907 ++ gr_log_chdir(nd.dentry, nd.mnt);
54908 ++
54909 + set_fs_pwd(current->fs, nd.mnt, nd.dentry);
54910 +
54911 + dput_and_out:
54912 +@@ -520,6 +529,13 @@ asmlinkage long sys_fchdir(unsigned int
54913 + goto out_putf;
54914 +
54915 + error = file_permission(file, MAY_EXEC);
54916 ++
54917 ++ if (!error && !gr_chroot_fchdir(dentry, mnt))
54918 ++ error = -EPERM;
54919 ++
54920 ++ if (!error)
54921 ++ gr_log_chdir(dentry, mnt);
54922 ++
54923 + if (!error)
54924 + set_fs_pwd(current->fs, mnt, dentry);
54925 + out_putf:
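Review bot: Three consecutive `if (!error)` guards in sys_fchdir read awkwardly; folding the log and `set_fs_pwd` into one block would be clearer. Also note the errno choice: `gr_chroot_fchdir` failure yields `-EPERM` here while the ACL checks in this file use `-EACCES`; if that distinction (chroot policy versus ACL policy) is deliberate, a comment would help the next reader.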
54926 +@@ -545,8 +561,16 @@ asmlinkage long sys_chroot(const char __
54927 + if (!capable(CAP_SYS_CHROOT))
54928 + goto dput_and_out;
54929 +
54930 ++ if (gr_handle_chroot_chroot(nd.dentry, nd.mnt))
54931 ++ goto dput_and_out;
54932 ++
54933 + set_fs_root(current->fs, nd.mnt, nd.dentry);
54934 + set_fs_altroot();
54935 ++
54936 ++ gr_handle_chroot_caps(current);
54937 ++
54938 ++ gr_handle_chroot_chdir(nd.dentry, nd.mnt);
54939 ++
54940 + error = 0;
54941 + dput_and_out:
54942 + path_release(&nd);
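Review bot: The `gr_handle_chroot_chroot` deny path jumps to `dput_and_out` and relies on `error` still being `-EPERM` from the preceding `capable(CAP_SYS_CHROOT)` setup; that coupling is fragile and deserves either an explicit `error = -EPERM;` or a comment. Ordering after the root switch looks right: `gr_handle_chroot_caps` and `gr_handle_chroot_chdir` run once `set_fs_root` has succeeded and nothing can fail before `error = 0`, so the capability drop and the forced chdir into the new root cannot be skipped by an error path.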
54943 +@@ -577,9 +601,22 @@ asmlinkage long sys_fchmod(unsigned int
54944 + err = -EPERM;
54945 + if (IS_IMMUTABLE(inode) || IS_APPEND(inode))
54946 + goto out_putf;
54947 ++
54948 ++ if (!gr_acl_handle_fchmod(dentry, file->f_vfsmnt, mode)) {
54949 ++ err = -EACCES;
54950 ++ goto out_putf;
54951 ++ }
54952 ++
54953 + mutex_lock(&inode->i_mutex);
54954 + if (mode == (mode_t) -1)
54955 + mode = inode->i_mode;
54956 ++
54957 ++ if (gr_handle_chroot_chmod(dentry, file->f_vfsmnt, mode)) {
54958 ++ err = -EPERM;
54959 ++ mutex_unlock(&inode->i_mutex);
54960 ++ goto out_putf;
54961 ++ }
54962 ++
54963 + newattrs.ia_mode = (mode & S_IALLUGO) | (inode->i_mode & ~S_IALLUGO);
54964 + newattrs.ia_valid = ATTR_MODE | ATTR_CTIME;
54965 + err = notify_change(dentry, &newattrs);
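Review bot: The `gr_handle_chroot_chmod` branch has to drop `inode->i_mutex` by hand before jumping to `out_putf`, which is easy to get wrong on future edits; placing the check before `mutex_lock` (the mode has already been resolved from `inode->i_mode` by then, so it would need a small reorder) or routing the exit through an `out_unlock` label would remove the manual unlock. Also, this deny returns `-EPERM`, whereas the matching check added in sys_fchmodat below returns `-EACCES` for the same condition; pick one.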
54966 +@@ -612,9 +649,21 @@ asmlinkage long sys_fchmodat(int dfd, co
54967 + if (IS_IMMUTABLE(inode) || IS_APPEND(inode))
54968 + goto dput_and_out;
54969 +
54970 ++ if (!gr_acl_handle_chmod(nd.dentry, nd.mnt, mode)) {
54971 ++ error = -EACCES;
54972 ++ goto dput_and_out;
54973 ++ };
54974 ++
54975 + mutex_lock(&inode->i_mutex);
54976 + if (mode == (mode_t) -1)
54977 + mode = inode->i_mode;
54978 ++
54979 ++ if (gr_handle_chroot_chmod(nd.dentry, nd.mnt, mode)) {
54980 ++ error = -EACCES;
54981 ++ mutex_unlock(&inode->i_mutex);
54982 ++ goto dput_and_out;
54983 ++ }
54984 ++
54985 + newattrs.ia_mode = (mode & S_IALLUGO) | (inode->i_mode & ~S_IALLUGO);
54986 + newattrs.ia_valid = ATTR_MODE | ATTR_CTIME;
54987 + error = notify_change(nd.dentry, &newattrs);
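Review bot: The `};` closing the `gr_acl_handle_chmod` block has a stray semicolon, which is harmless but trips style checkers. The `gr_handle_chroot_chmod` deny here sets `-EACCES` while the identical check in sys_fchmod above sets `-EPERM`; the two entry points should return the same errno for the same policy refusal. As in sys_fchmod, the manual `mutex_unlock` before `goto dput_and_out` would be cleaner as a dedicated unlock label.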
54988 +@@ -631,7 +680,7 @@ asmlinkage long sys_chmod(const char __u
54989 + return sys_fchmodat(AT_FDCWD, filename, mode);
54990 + }
54991 +
54992 +-static int chown_common(struct dentry * dentry, uid_t user, gid_t group)
54993 ++static int chown_common(struct dentry * dentry, uid_t user, gid_t group, struct vfsmount *mnt)
54994 + {
54995 + struct inode * inode;
54996 + int error;
54997 +@@ -648,6 +697,12 @@ static int chown_common(struct dentry *
54998 + error = -EPERM;
54999 + if (IS_IMMUTABLE(inode) || IS_APPEND(inode))
55000 + goto out;
55001 ++
55002 ++ if (!gr_acl_handle_chown(dentry, mnt)) {
55003 ++ error = -EACCES;
55004 ++ goto out;
55005 ++ }
55006 ++
55007 + newattrs.ia_valid = ATTR_CTIME;
55008 + if (user != (uid_t) -1) {
55009 + newattrs.ia_valid |= ATTR_UID;
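Review bot: `gr_acl_handle_chown(dentry, mnt)` is placed after the `IS_IMMUTABLE`/`IS_APPEND` rejection and before the `newattrs` setup, so it sees the final target and runs before `notify_change`, which is the correct ordering. Worth noting in the function comment that the new `mnt` parameter exists only for this hook, so callers passing the wrong vfsmount would silently evaluate the ACL against a different path.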
55010 +@@ -675,7 +730,7 @@ asmlinkage long sys_chown(const char __u
55011 + error = user_path_walk(filename, &nd);
55012 + if (error)
55013 + goto out;
55014 +- error = chown_common(nd.dentry, user, group);
55015 ++ error = chown_common(nd.dentry, user, group, nd.mnt);
55016 + path_release(&nd);
55017 + out:
55018 + return error;
55019 +@@ -695,7 +750,7 @@ asmlinkage long sys_fchownat(int dfd, co
55020 + error = __user_walk_fd(dfd, filename, follow, &nd);
55021 + if (error)
55022 + goto out;
55023 +- error = chown_common(nd.dentry, user, group);
55024 ++ error = chown_common(nd.dentry, user, group, nd.mnt);
55025 + path_release(&nd);
55026 + out:
55027 + return error;
55028 +@@ -709,7 +764,7 @@ asmlinkage long sys_lchown(const char __
55029 + error = user_path_walk_link(filename, &nd);
55030 + if (error)
55031 + goto out;
55032 +- error = chown_common(nd.dentry, user, group);
55033 ++ error = chown_common(nd.dentry, user, group, nd.mnt);
55034 + path_release(&nd);
55035 + out:
55036 + return error;
55037 +@@ -728,7 +783,7 @@ asmlinkage long sys_fchown(unsigned int
55038 +
55039 + dentry = file->f_path.dentry;
55040 + audit_inode(NULL, dentry);
55041 +- error = chown_common(dentry, user, group);
55042 ++ error = chown_common(dentry, user, group, file->f_vfsmnt);
55043 + fput(file);
55044 + out:
55045 + return error;
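Review bot: In sys_fchown the dentry is taken from `file->f_path.dentry` (visible context line) but the vfsmount is passed as `file->f_vfsmnt`; both name the same object, yet mixing the compatibility accessor with the `f_path` form is inconsistent. Use `file->f_path.mnt` here, and check the other `f_vfsmnt` uses added in this file for the same reason.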
55046 +@@ -939,6 +994,7 @@ repeat:
55047 + * N.B. For clone tasks sharing a files structure, this test
55048 + * will limit the total number of files that can be opened.
55049 + */
55050 ++ gr_learn_resource(current, RLIMIT_NOFILE, fd, 0);
55051 + if (fd >= current->signal->rlim[RLIMIT_NOFILE].rlim_cur)
55052 + goto out;
55053 +
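Review bot: `gr_learn_resource(current, RLIMIT_NOFILE, fd, 0)` sits on the fd-allocation fast path and is invoked for every open, before the limit check. Make sure it compiles to a cheap inline test when learning mode is off; otherwise this is a measurable cost for fd-heavy workloads.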
55054 +diff -urNp linux-2.6.24.5/fs/partitions/efi.c linux-2.6.24.5/fs/partitions/efi.c
55055 +--- linux-2.6.24.5/fs/partitions/efi.c 2008-03-24 14:49:18.000000000 -0400
55056 ++++ linux-2.6.24.5/fs/partitions/efi.c 2008-03-26 20:21:08.000000000 -0400
55057 +@@ -99,7 +99,7 @@
55058 + #ifdef EFI_DEBUG
55059 + #define Dprintk(x...) printk(KERN_DEBUG x)
55060 + #else
55061 +-#define Dprintk(x...)
55062 ++#define Dprintk(x...) do {} while (0)
55063 + #endif
55064 +
55065 + /* This allows a kernel command line option 'gpt' to override
55066 +diff -urNp linux-2.6.24.5/fs/pipe.c linux-2.6.24.5/fs/pipe.c
55067 +--- linux-2.6.24.5/fs/pipe.c 2008-03-24 14:49:18.000000000 -0400
55068 ++++ linux-2.6.24.5/fs/pipe.c 2008-03-26 20:21:08.000000000 -0400
55069 +@@ -887,7 +887,7 @@ void free_pipe_info(struct inode *inode)
55070 + inode->i_pipe = NULL;
55071 + }
55072 +
55073 +-static struct vfsmount *pipe_mnt __read_mostly;
55074 ++struct vfsmount *pipe_mnt __read_mostly;
55075 + static int pipefs_delete_dentry(struct dentry *dentry)
55076 + {
55077 + /*
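Review bot: Dropping `static` from `pipe_mnt` exposes a file-local symbol kernel-wide without an accompanying header declaration, so any consumer will have to write its own `extern struct vfsmount *pipe_mnt;`. Add the declaration to a shared header (and, if modules need it, an `EXPORT_SYMBOL`), otherwise the prototype and the definition can drift apart unnoticed.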
55078 +diff -urNp linux-2.6.24.5/fs/proc/array.c linux-2.6.24.5/fs/proc/array.c
55079 +--- linux-2.6.24.5/fs/proc/array.c 2008-03-24 14:49:18.000000000 -0400
55080 ++++ linux-2.6.24.5/fs/proc/array.c 2008-03-26 20:21:08.000000000 -0400
55081 +@@ -305,6 +305,21 @@ static inline char *task_context_switch_
55082 + p->nivcsw);
55083 + }
55084 +
55085 ++#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
55086 ++static inline char *task_pax(struct task_struct *p, char *buffer)
55087 ++{
55088 ++ if (p->mm)
55089 ++ return buffer + sprintf(buffer, "PaX:\t%c%c%c%c%c\n",
55090 ++ p->mm->pax_flags & MF_PAX_PAGEEXEC ? 'P' : 'p',
55091 ++ p->mm->pax_flags & MF_PAX_EMUTRAMP ? 'E' : 'e',
55092 ++ p->mm->pax_flags & MF_PAX_MPROTECT ? 'M' : 'm',
55093 ++ p->mm->pax_flags & MF_PAX_RANDMMAP ? 'R' : 'r',
55094 ++ p->mm->pax_flags & MF_PAX_SEGMEXEC ? 'S' : 's');
55095 ++ else
55096 ++ return buffer + sprintf(buffer, "PaX:\t-----\n");
55097 ++}
55098 ++#endif
55099 ++
55100 + int proc_pid_status(struct task_struct *task, char *buffer)
55101 + {
55102 + char *orig = buffer;
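Review bot: `task_pax` dereferences `p->mm` twice (the `if (p->mm)` test, then `p->mm->pax_flags` five times) without any reference on the mm, so a task that exits between the test and the reads can leave `p->mm` NULL and oops the reader of /proc/PID/status. Take the mm once with `get_task_mm(p)`, read `pax_flags` from the local pointer, and `mmput` it, the same pattern the rest of this file uses for task memory fields.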
55103 +@@ -324,6 +339,11 @@ int proc_pid_status(struct task_struct *
55104 + buffer = task_show_regs(task, buffer);
55105 + #endif
55106 + buffer = task_context_switch_counts(task, buffer);
55107 ++
55108 ++#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
55109 ++ buffer = task_pax(task, buffer);
55110 ++#endif
55111 ++
55112 + return buffer - orig;
55113 + }
55114 +
55115 +@@ -386,6 +406,12 @@ static cputime_t task_gtime(struct task_
55116 + return p->gtime;
55117 + }
55118 +
55119 ++#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
55120 ++#define PAX_RAND_FLAGS(_mm) (_mm != NULL && _mm != current->mm && \
55121 ++ (_mm->pax_flags & MF_PAX_RANDMMAP || \
55122 ++ _mm->pax_flags & MF_PAX_SEGMEXEC))
55123 ++#endif
55124 ++
55125 + static int do_task_stat(struct task_struct *task, char *buffer, int whole)
55126 + {
55127 + unsigned long vsize, eip, esp, wchan = ~0UL;
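Review bot: `PAX_RAND_FLAGS(_mm)` evaluates its argument four times and does not parenthesise `_mm`; it works with the plain `mm` variable it is used with, but a macro in a header-like position should still be written as `((_mm) != NULL && ...)` with the flag tests grouped, or turned into a `static inline` bool. The `_mm != current->mm` clause is the important part: a process still sees its own real values, only other processes' views are randomised-out.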
55128 +@@ -481,6 +507,19 @@ static int do_task_stat(struct task_stru
55129 + gtime = task_gtime(task);
55130 + }
55131 +
55132 ++#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
55133 ++ if (PAX_RAND_FLAGS(mm)) {
55134 ++ eip = 0;
55135 ++ esp = 0;
55136 ++ wchan = 0;
55137 ++ }
55138 ++#endif
55139 ++#ifdef CONFIG_GRKERNSEC_HIDESYM
55140 ++ wchan = 0;
55141 ++ eip =0;
55142 ++ esp =0;
55143 ++#endif
55144 ++
55145 + /* scale priority and nice values from timeslices to -20..20 */
55146 + /* to make it look like a "normal" Unix priority/nice value */
55147 + priority = task_prio(task);
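Review bot: Under `CONFIG_GRKERNSEC_HIDESYM` the `wchan`/`eip`/`esp` zeroing is unconditional, so unlike the `PAX_RAND_FLAGS` block just above it also hides a task's values from itself; if that is intended, a comment saying so would stop someone "fixing" it later. Style nits: `eip =0;` and `esp =0;` are missing the space after `=`.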
55148 +@@ -521,9 +560,15 @@ static int do_task_stat(struct task_stru
55149 + vsize,
55150 + mm ? get_mm_rss(mm) : 0,
55151 + rsslim,
55152 ++#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
55153 ++ PAX_RAND_FLAGS(mm) ? 1 : (mm ? mm->start_code : 0),
55154 ++ PAX_RAND_FLAGS(mm) ? 1 : (mm ? mm->end_code : 0),
55155 ++ PAX_RAND_FLAGS(mm) ? 0 : (mm ? mm->start_stack : 0),
55156 ++#else
55157 + mm ? mm->start_code : 0,
55158 + mm ? mm->end_code : 0,
55159 + mm ? mm->start_stack : 0,
55160 ++#endif
55161 + esp,
55162 + eip,
55163 + /* The signal information here is obsolete.
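Review bot: The substituted values are asymmetric (`start_code`/`end_code` become 1, `start_stack` becomes 0) and nothing explains why. If 1 is chosen so that userspace tools treating a zero code range as "kernel thread" are not misled, say so in a comment; otherwise use the same placeholder for all three fields.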
55164 +@@ -572,3 +617,14 @@ int proc_pid_statm(struct task_struct *t
55165 + return sprintf(buffer, "%d %d %d %d %d %d %d\n",
55166 + size, resident, shared, text, lib, data, 0);
55167 + }
55168 ++
55169 ++#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
55170 ++int proc_pid_ipaddr(struct task_struct *task, char * buffer)
55171 ++{
55172 ++ int len;
55173 ++
55174 ++ len = sprintf(buffer, "%u.%u.%u.%u\n", NIPQUAD(task->signal->curr_ip));
55175 ++ return len;
55176 ++}
55177 ++#endif
55178 ++
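Review bot: `proc_pid_ipaddr` reads `task->signal->curr_ip` with no lock or check; `task->signal` can be NULL for a task that is being torn down, so this can oops a reader of the new proc file. Guard it with `lock_task_sighand()`/`unlock_task_sighand()` or an explicit `if (!task->signal)` check, mirroring how the other per-task readers in this file handle the signal struct. Also drop the trailing blank `++` line, which leaves whitespace at end of file.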
55179 +diff -urNp linux-2.6.24.5/fs/proc/base.c linux-2.6.24.5/fs/proc/base.c
55180 +--- linux-2.6.24.5/fs/proc/base.c 2008-03-24 14:49:18.000000000 -0400
55181 ++++ linux-2.6.24.5/fs/proc/base.c 2008-03-26 20:21:08.000000000 -0400
55182 +@@ -76,6 +76,8 @@
55183 + #include <linux/oom.h>
55184 + #include <linux/elf.h>
55185 + #include <linux/pid_namespace.h>
55186 ++#include <linux/grsecurity.h>
55187 ++
55188 + #include "internal.h"
55189 +
55190 + /* NOTE:
55191 +@@ -126,7 +128,7 @@ struct pid_entry {
55192 + NULL, &proc_info_file_operations, \
55193 + { .proc_read = &proc_##OTYPE } )
55194 +
55195 +-int maps_protect;
55196 ++int maps_protect = 1;
55197 + EXPORT_SYMBOL(maps_protect);
55198 +
55199 + static struct fs_struct *get_fs_struct(struct task_struct *task)
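Review bot: Changing `int maps_protect;` to `int maps_protect = 1;` flips the default of the exported `maps_protect` sysctl from off to on, which is a user-visible policy change (tools that read other processes' maps will now be refused unless the sysctl is reset). That belongs in the change description and ideally in the Kconfig help text so administrators know it is on by default.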
55200 +@@ -200,7 +202,7 @@ static int proc_root_link(struct inode *
55201 + (task->parent == current && \
55202 + (task->ptrace & PT_PTRACED) && \
55203 + (task->state == TASK_STOPPED || task->state == TASK_TRACED) && \
55204 +- security_ptrace(current,task) == 0))
55205 ++ security_ptrace(current,task) == 0 && !gr_handle_proc_ptrace(task)))
55206 +
55207 + struct mm_struct *mm_for_maps(struct task_struct *task)
55208 + {
55209 +@@ -265,9 +267,9 @@ static int proc_pid_auxv(struct task_str
55210 + struct mm_struct *mm = get_task_mm(task);
55211 + if (mm) {
55212 + unsigned int nwords = 0;
55213 +- do
55214 ++ do {
55215 + nwords += 2;
55216 +- while (mm->saved_auxv[nwords - 2] != 0); /* AT_NULL */
55217 ++ } while (mm->saved_auxv[nwords - 2] != 0); /* AT_NULL */
55218 + res = nwords * sizeof(mm->saved_auxv[0]);
55219 + if (res > PAGE_SIZE)
55220 + res = PAGE_SIZE;
55221 +@@ -609,7 +611,7 @@ static ssize_t mem_read(struct file * fi
55222 + if (!task)
55223 + goto out_no_task;
55224 +
55225 +- if (!MAY_PTRACE(task) || !ptrace_may_attach(task))
55226 ++ if (!MAY_PTRACE(task) || !ptrace_may_attach(task) || gr_acl_handle_procpidmem(task))
55227 + goto out;
55228 +
55229 + ret = -ENOMEM;
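Review bot: `gr_acl_handle_procpidmem(task)` is checked as "nonzero means deny", the inverse of the `gr_acl_handle_*` hooks in fs/namei.c and fs/open.c where zero means deny. The same call with the same polarity appears in `mem_write` below; a comment at the first use, or renaming the function to something like `gr_acl_proc_pidmem_denied`, would keep the two conventions from being confused. The placement itself (after `MAY_PTRACE` and `ptrace_may_attach`) is right, since the ACL only tightens what ptrace policy already allows.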
55230 +@@ -679,7 +681,7 @@ static ssize_t mem_write(struct file * f
55231 + if (!task)
55232 + goto out_no_task;
55233 +
55234 +- if (!MAY_PTRACE(task) || !ptrace_may_attach(task))
55235 ++ if (!MAY_PTRACE(task) || !ptrace_may_attach(task) || gr_acl_handle_procpidmem(task))
55236 + goto out;
55237 +
55238 + copied = -ENOMEM;
55239 +@@ -1202,7 +1204,11 @@ static struct inode *proc_pid_make_inode
55240 + inode->i_gid = 0;
55241 + if (task_dumpable(task)) {
55242 + inode->i_uid = task->euid;
55243 ++#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
55244 ++ inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
55245 ++#else
55246 + inode->i_gid = task->egid;
55247 ++#endif
55248 + }
55249 + security_task_to_inode(task, inode);
55250 +
55251 +@@ -1218,17 +1224,45 @@ static int pid_getattr(struct vfsmount *
55252 + {
55253 + struct inode *inode = dentry->d_inode;
55254 + struct task_struct *task;
55255 ++#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
55256 ++ struct task_struct *tmp = current;
55257 ++#endif
55258 ++
55259 + generic_fillattr(inode, stat);
55260 +
55261 + rcu_read_lock();
55262 + stat->uid = 0;
55263 + stat->gid = 0;
55264 + task = pid_task(proc_pid(inode), PIDTYPE_PID);
55265 +- if (task) {
55266 ++
55267 ++ if (task && (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))) {
55268 ++ rcu_read_unlock();
55269 ++ return -ENOENT;
55270 ++ }
55271 ++
55272 ++
55273 ++ if (task
55274 ++#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
55275 ++ && (!tmp->uid || (tmp->uid == task->uid)
55276 ++#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
55277 ++ || in_group_p(CONFIG_GRKERNSEC_PROC_GID)
55278 ++#endif
55279 ++ )
55280 ++#endif
55281 ++ ) {
55282 + if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
55283 ++#ifdef CONFIG_GRKERNSEC_PROC_USER
55284 ++ (inode->i_mode == (S_IFDIR|S_IRUSR|S_IXUSR)) ||
55285 ++#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
55286 ++ (inode->i_mode == (S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP)) ||
55287 ++#endif
55288 + task_dumpable(task)) {
55289 + stat->uid = task->euid;
55290 ++#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
55291 ++ stat->gid = CONFIG_GRKERNSEC_PROC_GID;
55292 ++#else
55293 + stat->gid = task->egid;
55294 ++#endif
55295 + }
55296 + }
55297 + rcu_read_unlock();
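Review bot: two consecutive blank lines are added before `if (task` (the pair of empty `+` lines after the `return -ENOENT;` block); drop one. The visibility test itself, a multi-line `if` with `#if defined(...)`/`#ifdef` nested inside the expression, is hard to read and is repeated with the inverted sense in proc_pid_readdir() further down; a small static helper (a hypothetical `gr_proc_task_visible(task)` that consults `current`) would give both sites one definition of the rule. Note also that the comparison uses the real uids (`tmp->uid`, `task->uid`) while the attributes reported are the effective ones (`task->euid`, `task->egid`); if that asymmetry is intended, a comment should say so.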
55298 +@@ -1256,11 +1290,21 @@ static int pid_revalidate(struct dentry
55299 + {
55300 + struct inode *inode = dentry->d_inode;
55301 + struct task_struct *task = get_proc_task(inode);
55302 ++
55303 + if (task) {
55304 + if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
55305 ++#ifdef CONFIG_GRKERNSEC_PROC_USER
55306 ++ (inode->i_mode == (S_IFDIR|S_IRUSR|S_IXUSR)) ||
55307 ++#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
55308 ++ (inode->i_mode == (S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP)) ||
55309 ++#endif
55310 + task_dumpable(task)) {
55311 + inode->i_uid = task->euid;
55312 ++#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
55313 ++ inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
55314 ++#else
55315 + inode->i_gid = task->egid;
55316 ++#endif
55317 + } else {
55318 + inode->i_uid = 0;
55319 + inode->i_gid = 0;
55320 +@@ -1633,12 +1677,22 @@ static int proc_fd_permission(struct ino
55321 + struct nameidata *nd)
55322 + {
55323 + int rv;
55324 ++ struct task_struct *task;
55325 +
55326 + rv = generic_permission(inode, mask, NULL);
55327 +- if (rv == 0)
55328 +- return 0;
55329 ++
55330 + if (task_pid(current) == proc_pid(inode))
55331 + rv = 0;
55332 ++
55333 ++ task = get_proc_task(inode);
55334 ++ if (task == NULL)
55335 ++ return rv;
55336 ++
55337 ++ if (gr_acl_handle_procpidmem(task))
55338 ++ rv = -EACCES;
55339 ++
55340 ++ put_task_struct(task);
55341 ++
55342 + return rv;
55343 + }
55344 +
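Review bot: removing `if (rv == 0) return 0;` changes more than adding a hook: a successful generic_permission() result, and the self-access case `task_pid(current) == proc_pid(inode)`, can now both be overridden to -EACCES by gr_acl_handle_procpidmem(). If that is the intent (a process may be denied its own /proc/self/fd by policy) it should be stated in the changelog or Kconfig help. Reference handling is fine: after get_proc_task() every path either returns on NULL or reaches put_task_struct().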
55345 +@@ -1749,6 +1803,9 @@ static struct dentry *proc_pident_lookup
55346 + if (!task)
55347 + goto out_no_task;
55348 +
55349 ++ if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
55350 ++ goto out;
55351 ++
55352 + /*
55353 + * Yes, it does not scale. And it should not. Don't add
55354 + * new entries into /proc/<tgid>/ without very good reasons.
55355 +@@ -1793,6 +1850,9 @@ static int proc_pident_readdir(struct fi
55356 + if (!task)
55357 + goto out_no_task;
55358 +
55359 ++ if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
55360 ++ goto out;
55361 ++
55362 + ret = 0;
55363 + i = filp->f_pos;
55364 + switch (i) {
55365 +@@ -2147,6 +2207,9 @@ static struct dentry *proc_base_lookup(s
55366 + if (p > last)
55367 + goto out;
55368 +
55369 ++ if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
55370 ++ goto out;
55371 ++
55372 + error = proc_base_instantiate(dir, dentry, task, p);
55373 +
55374 + out:
55375 +@@ -2250,6 +2313,9 @@ static const struct pid_entry tgid_base_
55376 + #ifdef CONFIG_TASK_IO_ACCOUNTING
55377 + INF("io", S_IRUGO, pid_io_accounting),
55378 + #endif
55379 ++#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
55380 ++ INF("ipaddr", S_IRUSR, pid_ipaddr),
55381 ++#endif
55382 + };
55383 +
55384 + static int proc_tgid_base_readdir(struct file * filp,
55385 +@@ -2378,7 +2444,14 @@ static struct dentry *proc_pid_instantia
55386 + if (!inode)
55387 + goto out;
55388 +
55389 ++#ifdef CONFIG_GRKERNSEC_PROC_USER
55390 ++ inode->i_mode = S_IFDIR|S_IRUSR|S_IXUSR;
55391 ++#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
55392 ++ inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
55393 ++ inode->i_mode = S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP;
55394 ++#else
55395 + inode->i_mode = S_IFDIR|S_IRUGO|S_IXUGO;
55396 ++#endif
55397 + inode->i_op = &proc_tgid_base_inode_operations;
55398 + inode->i_fop = &proc_tgid_base_operations;
55399 + inode->i_flags|=S_IMMUTABLE;
55400 +@@ -2421,7 +2494,11 @@ struct dentry *proc_pid_lookup(struct in
55401 + if (!task)
55402 + goto out;
55403 +
55404 ++ if (gr_check_hidden_task(task))
55405 ++ goto out_put_task;
55406 ++
55407 + result = proc_pid_instantiate(dir, dentry, task, NULL);
55408 ++out_put_task:
55409 + put_task_struct(task);
55410 + out:
55411 + return result;
55412 +@@ -2486,6 +2563,9 @@ int proc_pid_readdir(struct file * filp,
55413 + {
55414 + unsigned int nr = filp->f_pos - FIRST_PROCESS_ENTRY;
55415 + struct task_struct *reaper = get_proc_task(filp->f_path.dentry->d_inode);
55416 ++#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
55417 ++ struct task_struct *tmp = current;
55418 ++#endif
55419 + struct tgid_iter iter;
55420 + struct pid_namespace *ns;
55421 +
55422 +@@ -2504,6 +2584,17 @@ int proc_pid_readdir(struct file * filp,
55423 + for (iter = next_tgid(ns, iter);
55424 + iter.task;
55425 + iter.tgid += 1, iter = next_tgid(ns, iter)) {
55426 ++ if (gr_pid_is_chrooted(iter.task) || gr_check_hidden_task(iter.task)
55427 ++#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
55428 ++ || (tmp->uid && (iter.task->uid != tmp->uid)
55429 ++#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
55430 ++ && !in_group_p(CONFIG_GRKERNSEC_PROC_GID)
55431 ++#endif
55432 ++ )
55433 ++#endif
55434 ++ )
55435 ++ continue;
55436 ++
55437 + filp->f_pos = iter.tgid + TGID_OFFSET;
55438 + if (proc_pid_fill_cache(filp, dirent, filldir, iter) < 0) {
55439 + put_task_struct(iter.task);
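Review bot: the new `continue` skips the loop body for hidden, chrooted and foreign-uid tasks while still holding the task reference that next_tgid() stored in `iter.task`; the error path right below releases it explicitly with `put_task_struct(iter.task)`, so confirm that next_tgid() in the loop increment drops the previous `iter.task` itself, otherwise every skipped entry leaks a task_struct reference. Separately, `tmp` is an uninformative alias for `current`; using `current->uid` directly would also remove the `#if`-guarded declaration added in the previous hunk.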
55440 +diff -urNp linux-2.6.24.5/fs/proc/inode.c linux-2.6.24.5/fs/proc/inode.c
55441 +--- linux-2.6.24.5/fs/proc/inode.c 2008-03-24 14:49:18.000000000 -0400
55442 ++++ linux-2.6.24.5/fs/proc/inode.c 2008-03-26 20:21:08.000000000 -0400
55443 +@@ -411,7 +411,11 @@ struct inode *proc_get_inode(struct supe
55444 + if (de->mode) {
55445 + inode->i_mode = de->mode;
55446 + inode->i_uid = de->uid;
55447 ++#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
55448 ++ inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
55449 ++#else
55450 + inode->i_gid = de->gid;
55451 ++#endif
55452 + }
55453 + if (de->size)
55454 + inode->i_size = de->size;
55455 +diff -urNp linux-2.6.24.5/fs/proc/internal.h linux-2.6.24.5/fs/proc/internal.h
55456 +--- linux-2.6.24.5/fs/proc/internal.h 2008-03-24 14:49:18.000000000 -0400
55457 ++++ linux-2.6.24.5/fs/proc/internal.h 2008-03-26 20:21:08.000000000 -0400
55458 +@@ -52,6 +52,9 @@ extern int proc_tid_stat(struct task_str
55459 + extern int proc_tgid_stat(struct task_struct *, char *);
55460 + extern int proc_pid_status(struct task_struct *, char *);
55461 + extern int proc_pid_statm(struct task_struct *, char *);
55462 ++#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
55463 ++extern int proc_pid_ipaddr(struct task_struct*,char*);
55464 ++#endif
55465 +
55466 + extern const struct file_operations proc_maps_operations;
55467 + extern const struct file_operations proc_numa_maps_operations;
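Review bot: the new prototype `extern int proc_pid_ipaddr(struct task_struct*,char*);` does not follow the spacing of the neighbouring declarations (`struct task_struct *, char *`); match them.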
55468 +diff -urNp linux-2.6.24.5/fs/proc/proc_misc.c linux-2.6.24.5/fs/proc/proc_misc.c
55469 +--- linux-2.6.24.5/fs/proc/proc_misc.c 2008-03-24 14:49:18.000000000 -0400
55470 ++++ linux-2.6.24.5/fs/proc/proc_misc.c 2008-03-26 20:21:08.000000000 -0400
55471 +@@ -687,6 +687,8 @@ void create_seq_entry(char *name, mode_t
55472 +
55473 + void __init proc_misc_init(void)
55474 + {
55475 ++ int gr_mode = 0;
55476 ++
55477 + static struct {
55478 + char *name;
55479 + int (*read_proc)(char*,char**,off_t,int,int*,void*);
55480 +@@ -702,13 +704,24 @@ void __init proc_misc_init(void)
55481 + {"stram", stram_read_proc},
55482 + #endif
55483 + {"filesystems", filesystems_read_proc},
55484 ++#ifndef CONFIG_GRKERNSEC_PROC_ADD
55485 + {"cmdline", cmdline_read_proc},
55486 ++#endif
55487 + {"execdomains", execdomains_read_proc},
55488 + {NULL,}
55489 + };
55490 + for (p = simple_ones; p->name; p++)
55491 + create_proc_read_entry(p->name, 0, NULL, p->read_proc, NULL);
55492 +
55493 ++#ifdef CONFIG_GRKERNSEC_PROC_USER
55494 ++ gr_mode = S_IRUSR;
55495 ++#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
55496 ++ gr_mode = S_IRUSR | S_IRGRP;
55497 ++#endif
55498 ++#ifdef CONFIG_GRKERNSEC_PROC_ADD
55499 ++ create_proc_read_entry("cmdline", gr_mode, NULL, &cmdline_read_proc, NULL);
55500 ++#endif
55501 ++
55502 + proc_symlink("mounts", NULL, "self/mounts");
55503 +
55504 + /* And now for trickier ones */
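Review bot: `gr_mode` stays 0 when CONFIG_GRKERNSEC_PROC_ADD is enabled without CONFIG_GRKERNSEC_PROC_USER or CONFIG_GRKERNSEC_PROC_USERGROUP, and a mode of 0 means the default world-readable mode here (the surrounding `create_proc_read_entry(p->name, 0, ...)` calls rely on exactly that), so the `cmdline` entry created in this hunk, and `devices` and `slabinfo` in the hunks below, would be no more restricted than before. Initialise `gr_mode` to `S_IRUSR` or add an explicit `#else` so the restriction does not silently depend on a Kconfig dependency.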
55505 +@@ -721,7 +734,11 @@ void __init proc_misc_init(void)
55506 + }
55507 + #endif
55508 + create_seq_entry("locks", 0, &proc_locks_operations);
55509 ++#ifdef CONFIG_GRKERNSEC_PROC_ADD
55510 ++ create_seq_entry("devices", gr_mode, &proc_devinfo_operations);
55511 ++#else
55512 + create_seq_entry("devices", 0, &proc_devinfo_operations);
55513 ++#endif
55514 + create_seq_entry("cpuinfo", 0, &proc_cpuinfo_operations);
55515 + #ifdef CONFIG_BLOCK
55516 + create_seq_entry("partitions", 0, &proc_partitions_operations);
55517 +@@ -729,7 +746,11 @@ void __init proc_misc_init(void)
55518 + create_seq_entry("stat", 0, &proc_stat_operations);
55519 + create_seq_entry("interrupts", 0, &proc_interrupts_operations);
55520 + #ifdef CONFIG_SLABINFO
55521 ++#ifdef CONFIG_GRKRENSEC_PROC_ADD
55522 ++ create_seq_entry("slabinfo",S_IWUSR|gr_mode,&proc_slabinfo_operations);
55523 ++#else
55524 + create_seq_entry("slabinfo",S_IWUSR|S_IRUGO,&proc_slabinfo_operations);
55525 ++#endif
55526 + #ifdef CONFIG_DEBUG_SLAB_LEAK
55527 + create_seq_entry("slab_allocators", 0 ,&proc_slabstats_operations);
55528 + #endif
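Review bot: `CONFIG_GRKRENSEC_PROC_ADD` is misspelled (GRKRENSEC for GRKERNSEC), so the preprocessor never takes the restricted branch and `slabinfo` is always created with `S_IWUSR|S_IRUGO`, even when the rest of /proc is locked down; fix the symbol to `CONFIG_GRKERNSEC_PROC_ADD` as used for the `devices` entry in the previous hunk.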
55529 +@@ -747,7 +768,7 @@ void __init proc_misc_init(void)
55530 + #ifdef CONFIG_SCHEDSTATS
55531 + create_seq_entry("schedstat", 0, &proc_schedstat_operations);
55532 + #endif
55533 +-#ifdef CONFIG_PROC_KCORE
55534 ++#if defined(CONFIG_PROC_KCORE) && !defined(CONFIG_GRKERNSEC_PROC_ADD)
55535 + proc_root_kcore = create_proc_entry("kcore", S_IRUSR, NULL);
55536 + if (proc_root_kcore) {
55537 + proc_root_kcore->proc_fops = &proc_kcore_operations;
55538 +diff -urNp linux-2.6.24.5/fs/proc/proc_net.c linux-2.6.24.5/fs/proc/proc_net.c
55539 +--- linux-2.6.24.5/fs/proc/proc_net.c 2008-03-24 14:49:18.000000000 -0400
55540 ++++ linux-2.6.24.5/fs/proc/proc_net.c 2008-03-26 20:21:08.000000000 -0400
55541 +@@ -69,7 +69,13 @@ static __net_init int proc_net_ns_init(s
55542 + goto out;
55543 +
55544 + err = -EEXIST;
55545 ++#ifdef CONFIG_GRKERNSEC_PROC_USER
55546 ++ netd = proc_mkdir_mode("net", S_IRUSR | S_IXUSR, root);
55547 ++#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
55548 ++ netd = proc_mkdir_mode("net", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, root);
55549 ++#else
55550 + netd = proc_mkdir("net", root);
55551 ++#endif
55552 + if (!netd)
55553 + goto free_root;
55554 +
55555 +diff -urNp linux-2.6.24.5/fs/proc/proc_sysctl.c linux-2.6.24.5/fs/proc/proc_sysctl.c
55556 +--- linux-2.6.24.5/fs/proc/proc_sysctl.c 2008-03-24 14:49:18.000000000 -0400
55557 ++++ linux-2.6.24.5/fs/proc/proc_sysctl.c 2008-03-26 20:21:08.000000000 -0400
55558 +@@ -7,6 +7,8 @@
55559 + #include <linux/security.h>
55560 + #include "internal.h"
55561 +
55562 ++extern __u32 gr_handle_sysctl(const struct ctl_table *table, const int op);
55563 ++
55564 + static struct dentry_operations proc_sys_dentry_operations;
55565 + static const struct file_operations proc_sys_file_operations;
55566 + static struct inode_operations proc_sys_inode_operations;
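Review bot: `extern __u32 gr_handle_sysctl(const struct ctl_table *table, const int op);` belongs in a header (the patch already includes `<linux/grsecurity.h>` in other files, e.g. fs/readdir.c) rather than being redeclared locally in proc_sysctl.c, so the declaration and the definition cannot drift apart; `const int op` on a prototype is also redundant.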
55567 +@@ -151,6 +153,9 @@ static struct dentry *proc_sys_lookup(st
55568 + if (!table)
55569 + goto out;
55570 +
55571 ++ if (gr_handle_sysctl(table, 001))
55572 ++ goto out;
55573 ++
55574 + err = ERR_PTR(-ENOMEM);
55575 + inode = proc_sys_make_inode(dir, table);
55576 + if (!inode)
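Review bot: the `op` argument to gr_handle_sysctl() is passed as the octal literal `001` here and in proc_sys_getattr() below, but as `0` in proc_sys_readdir(); replace these magic numbers with named constants for the access modes so the meaning of each call is visible at the call site.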
55577 +@@ -360,6 +365,9 @@ static int proc_sys_readdir(struct file
55578 + if (pos < filp->f_pos)
55579 + continue;
55580 +
55581 ++ if (gr_handle_sysctl(table, 0))
55582 ++ continue;
55583 ++
55584 + if (proc_sys_fill_cache(filp, dirent, filldir, table) < 0)
55585 + goto out;
55586 + filp->f_pos = pos + 1;
55587 +@@ -422,6 +430,30 @@ out:
55588 + return error;
55589 + }
55590 +
55591 ++/* Eric Biederman is to blame */
55592 ++static int proc_sys_getattr(struct vfsmount *mnt, struct dentry *dentry, struct kstat *stat)
55593 ++{
55594 ++ int error = 0;
55595 ++ struct ctl_table_header *head;
55596 ++ struct ctl_table *table;
55597 ++
55598 ++ table = do_proc_sys_lookup(dentry->d_parent, &dentry->d_name, &head);
55599 ++ /* Has the sysctl entry disappeared on us? */
55600 ++ if (!table)
55601 ++ goto out;
55602 ++
55603 ++ if (gr_handle_sysctl(table, 001)) {
55604 ++ error = -ENOENT;
55605 ++ goto out;
55606 ++ }
55607 ++
55608 ++out:
55609 ++ sysctl_head_finish(head);
55610 ++
55611 ++ generic_fillattr(dentry->d_inode, stat);
55612 ++
55613 ++ return error;
55614 ++}
55615 + static int proc_sys_setattr(struct dentry *dentry, struct iattr *attr)
55616 + {
55617 + struct inode *inode = dentry->d_inode;
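Review bot: a blank line is missing between the closing `}` of proc_sys_getattr() and `static int proc_sys_setattr`, and the `/* Eric Biederman is to blame */` comment should be replaced with one that says what the function is for (making stat() on a sysctl entry the ACL hides return -ENOENT, consistent with the lookup and readdir hooks above). `head` is only safe in `sysctl_head_finish(head)` if do_proc_sys_lookup() always stores through its third argument, including the not-found case; an explicit `head = NULL` initialiser would make that independent of the lookup's contract.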
55618 +@@ -450,6 +482,7 @@ static struct inode_operations proc_sys_
55619 + .lookup = proc_sys_lookup,
55620 + .permission = proc_sys_permission,
55621 + .setattr = proc_sys_setattr,
55622 ++ .getattr = proc_sys_getattr,
55623 + };
55624 +
55625 + static int proc_sys_revalidate(struct dentry *dentry, struct nameidata *nd)
55626 +diff -urNp linux-2.6.24.5/fs/proc/root.c linux-2.6.24.5/fs/proc/root.c
55627 +--- linux-2.6.24.5/fs/proc/root.c 2008-03-24 14:49:18.000000000 -0400
55628 ++++ linux-2.6.24.5/fs/proc/root.c 2008-03-26 20:21:08.000000000 -0400
55629 +@@ -137,7 +137,15 @@ void __init proc_root_init(void)
55630 + #ifdef CONFIG_PROC_DEVICETREE
55631 + proc_device_tree_init();
55632 + #endif
55633 ++#ifdef CONFIG_GRKERNSEC_PROC_ADD
55634 ++#ifdef CONFIG_GRKERNSEC_PROC_USER
55635 ++ proc_bus = proc_mkdir_mode("bus", S_IRUSR | S_IXUSR, NULL);
55636 ++#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
55637 ++ proc_bus = proc_mkdir_mode("bus", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, NULL);
55638 ++#endif
55639 ++#else
55640 + proc_bus = proc_mkdir("bus", NULL);
55641 ++#endif
55642 + proc_sys_init();
55643 + }
55644 +
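Review bot: with CONFIG_GRKERNSEC_PROC_ADD set but neither CONFIG_GRKERNSEC_PROC_USER nor CONFIG_GRKERNSEC_PROC_USERGROUP, `proc_bus` is never assigned in this block (the inner `#ifdef`/`#elif` has no `#else`), leaving it NULL for everything that later creates entries under /proc/bus. Either add an inner `#else` that falls back to `proc_mkdir("bus", NULL)`, or have Kconfig guarantee the dependency and say so in a comment next to the `#ifdef`.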
55645 +diff -urNp linux-2.6.24.5/fs/proc/task_mmu.c linux-2.6.24.5/fs/proc/task_mmu.c
55646 +--- linux-2.6.24.5/fs/proc/task_mmu.c 2008-03-24 14:49:18.000000000 -0400
55647 ++++ linux-2.6.24.5/fs/proc/task_mmu.c 2008-03-26 20:21:08.000000000 -0400
55648 +@@ -44,15 +44,27 @@ char *task_mem(struct mm_struct *mm, cha
55649 + "VmStk:\t%8lu kB\n"
55650 + "VmExe:\t%8lu kB\n"
55651 + "VmLib:\t%8lu kB\n"
55652 +- "VmPTE:\t%8lu kB\n",
55653 +- hiwater_vm << (PAGE_SHIFT-10),
55654 ++ "VmPTE:\t%8lu kB\n"
55655 ++
55656 ++#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
55657 ++ "CsBase:\t%8lx\nCsLim:\t%8lx\n"
55658 ++#endif
55659 ++
55660 ++ ,hiwater_vm << (PAGE_SHIFT-10),
55661 + (total_vm - mm->reserved_vm) << (PAGE_SHIFT-10),
55662 + mm->locked_vm << (PAGE_SHIFT-10),
55663 + hiwater_rss << (PAGE_SHIFT-10),
55664 + total_rss << (PAGE_SHIFT-10),
55665 + data << (PAGE_SHIFT-10),
55666 + mm->stack_vm << (PAGE_SHIFT-10), text, lib,
55667 +- (PTRS_PER_PTE*sizeof(pte_t)*mm->nr_ptes) >> 10);
55668 ++ (PTRS_PER_PTE*sizeof(pte_t)*mm->nr_ptes) >> 10
55669 ++
55670 ++#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
55671 ++ , mm->context.user_cs_base, mm->context.user_cs_limit
55672 ++#endif
55673 ++
55674 ++ );
55675 ++
55676 + return buffer;
55677 + }
55678 +
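Review bot: the blank lines inserted inside the seq_printf()-style argument list (around the two `#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT` blocks) make the call harder to follow than it needs to be; keep the format pieces and the arguments adjacent, leaving only the `#ifdef` lines between them. The leading comma in `,hiwater_vm << (PAGE_SHIFT-10),` is unavoidable because the optional format piece must be concatenated first, so that part is fine.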
55679 +@@ -131,6 +143,12 @@ struct pmd_walker {
55680 + unsigned long, void *);
55681 + };
55682 +
55683 ++#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
55684 ++#define PAX_RAND_FLAGS(_mm) (_mm != NULL && _mm != current->mm && \
55685 ++ (_mm->pax_flags & MF_PAX_RANDMMAP || \
55686 ++ _mm->pax_flags & MF_PAX_SEGMEXEC))
55687 ++#endif
55688 ++
55689 + static int show_map_internal(struct seq_file *m, void *v, struct mem_size_stats *mss)
55690 + {
55691 + struct proc_maps_private *priv = m->private;
55692 +@@ -153,13 +171,22 @@ static int show_map_internal(struct seq_
55693 + }
55694 +
55695 + seq_printf(m, "%08lx-%08lx %c%c%c%c %08lx %02x:%02x %lu %n",
55696 ++#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
55697 ++ PAX_RAND_FLAGS(mm) ? 0UL : vma->vm_start,
55698 ++ PAX_RAND_FLAGS(mm) ? 0UL : vma->vm_end,
55699 ++#else
55700 + vma->vm_start,
55701 + vma->vm_end,
55702 ++#endif
55703 + flags & VM_READ ? 'r' : '-',
55704 + flags & VM_WRITE ? 'w' : '-',
55705 + flags & VM_EXEC ? 'x' : '-',
55706 + flags & VM_MAYSHARE ? 's' : 'p',
55707 ++#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
55708 ++ PAX_RAND_FLAGS(mm) ? 0UL : vma->vm_pgoff << PAGE_SHIFT,
55709 ++#else
55710 + vma->vm_pgoff << PAGE_SHIFT,
55711 ++#endif
55712 + MAJOR(dev), MINOR(dev), ino, &len);
55713 +
55714 + /*
55715 +@@ -173,11 +200,11 @@ static int show_map_internal(struct seq_
55716 + const char *name = arch_vma_name(vma);
55717 + if (!name) {
55718 + if (mm) {
55719 +- if (vma->vm_start <= mm->start_brk &&
55720 +- vma->vm_end >= mm->brk) {
55721 ++ if (vma->vm_start <= mm->brk && vma->vm_end >= mm->start_brk) {
55722 + name = "[heap]";
55723 +- } else if (vma->vm_start <= mm->start_stack &&
55724 +- vma->vm_end >= mm->start_stack) {
55725 ++ } else if ((vma->vm_flags & (VM_GROWSDOWN | VM_GROWSUP)) ||
55726 ++ (vma->vm_start <= mm->start_stack &&
55727 ++ vma->vm_end >= mm->start_stack)) {
55728 + name = "[stack]";
55729 + }
55730 + } else {
55731 +@@ -191,7 +218,27 @@ static int show_map_internal(struct seq_
55732 + }
55733 + seq_putc(m, '\n');
55734 +
55735 +- if (mss)
55736 ++
55737 ++ if (mss) {
55738 ++#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
55739 ++ if (PAX_RAND_FLAGS(mm))
55740 ++ seq_printf(m,
55741 ++ "Size: %8lu kB\n"
55742 ++ "Rss: %8lu kB\n"
55743 ++ "Shared_Clean: %8lu kB\n"
55744 ++ "Shared_Dirty: %8lu kB\n"
55745 ++ "Private_Clean: %8lu kB\n"
55746 ++ "Private_Dirty: %8lu kB\n",
55747 ++ "Referenced: %8lu kB\n",
55748 ++ 0UL,
55749 ++ 0UL,
55750 ++ 0UL,
55751 ++ 0UL,
55752 ++ 0UL,
55753 ++ 0UL,
55754 ++ 0UL);
55755 ++ else
55756 ++#endif
55757 + seq_printf(m,
55758 + "Size: %8lu kB\n"
55759 + "Rss: %8lu kB\n"
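Review bot: the stray comma after `"Private_Dirty: %8lu kB\n",` in the PAX_RAND_FLAGS branch terminates the format string early, so `"Referenced: %8lu kB\n"` becomes the first vararg: the format then has six `%lu` conversions, `Size:` is printed from the address of that string literal (a kernel rodata pointer, in a branch whose whole purpose is to hide addresses), the Referenced line is never emitted, and the seventh `0UL` goes unused. Drop the comma so the seven format pieces form one string, matching the unmodified branch below.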
55760 +@@ -207,6 +254,7 @@ static int show_map_internal(struct seq_
55761 + mss->private_clean >> 10,
55762 + mss->private_dirty >> 10,
55763 + mss->referenced >> 10);
55764 ++ }
55765 +
55766 + if (m->count < m->size) /* vma is copied successfully */
55767 + m->version = (vma != get_gate_vma(task))? vma->vm_start: 0;
55768 +diff -urNp linux-2.6.24.5/fs/readdir.c linux-2.6.24.5/fs/readdir.c
55769 +--- linux-2.6.24.5/fs/readdir.c 2008-03-24 14:49:18.000000000 -0400
55770 ++++ linux-2.6.24.5/fs/readdir.c 2008-03-26 20:21:08.000000000 -0400
55771 +@@ -16,6 +16,8 @@
55772 + #include <linux/security.h>
55773 + #include <linux/syscalls.h>
55774 + #include <linux/unistd.h>
55775 ++#include <linux/namei.h>
55776 ++#include <linux/grsecurity.h>
55777 +
55778 + #include <asm/uaccess.h>
55779 +
55780 +@@ -64,6 +66,7 @@ struct old_linux_dirent {
55781 +
55782 + struct readdir_callback {
55783 + struct old_linux_dirent __user * dirent;
55784 ++ struct file * file;
55785 + int result;
55786 + };
55787 +
55788 +@@ -79,6 +82,10 @@ static int fillonedir(void * __buf, cons
55789 + d_ino = ino;
55790 + if (sizeof(d_ino) < sizeof(ino) && d_ino != ino)
55791 + return -EOVERFLOW;
55792 ++
55793 ++ if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
55794 ++ return 0;
55795 ++
55796 + buf->result++;
55797 + dirent = buf->dirent;
55798 + if (!access_ok(VERIFY_WRITE, dirent,
55799 +@@ -110,6 +117,7 @@ asmlinkage long old_readdir(unsigned int
55800 +
55801 + buf.result = 0;
55802 + buf.dirent = dirent;
55803 ++ buf.file = file;
55804 +
55805 + error = vfs_readdir(file, fillonedir, &buf);
55806 + if (error >= 0)
55807 +@@ -136,6 +144,7 @@ struct linux_dirent {
55808 + struct getdents_callback {
55809 + struct linux_dirent __user * current_dir;
55810 + struct linux_dirent __user * previous;
55811 ++ struct file * file;
55812 + int count;
55813 + int error;
55814 + };
55815 +@@ -154,6 +163,10 @@ static int filldir(void * __buf, const c
55816 + d_ino = ino;
55817 + if (sizeof(d_ino) < sizeof(ino) && d_ino != ino)
55818 + return -EOVERFLOW;
55819 ++
55820 ++ if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
55821 ++ return 0;
55822 ++
55823 + dirent = buf->previous;
55824 + if (dirent) {
55825 + if (__put_user(offset, &dirent->d_off))
55826 +@@ -200,6 +213,7 @@ asmlinkage long sys_getdents(unsigned in
55827 + buf.previous = NULL;
55828 + buf.count = count;
55829 + buf.error = 0;
55830 ++ buf.file = file;
55831 +
55832 + error = vfs_readdir(file, filldir, &buf);
55833 + if (error < 0)
55834 +@@ -222,6 +236,7 @@ out:
55835 + struct getdents_callback64 {
55836 + struct linux_dirent64 __user * current_dir;
55837 + struct linux_dirent64 __user * previous;
55838 ++ struct file *file;
55839 + int count;
55840 + int error;
55841 + };
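Review bot: `struct file *file;` here differs from `struct file * file;` used for the same new field in readdir_callback and getdents_callback above; use one spelling (kernel style is `struct file *file;`) for all three.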
55842 +@@ -236,6 +251,10 @@ static int filldir64(void * __buf, const
55843 + buf->error = -EINVAL; /* only used if we fail.. */
55844 + if (reclen > buf->count)
55845 + return -EINVAL;
55846 ++
55847 ++ if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
55848 ++ return 0;
55849 ++
55850 + dirent = buf->previous;
55851 + if (dirent) {
55852 + if (__put_user(offset, &dirent->d_off))
55853 +@@ -282,6 +301,7 @@ asmlinkage long sys_getdents64(unsigned
55854 +
55855 + buf.current_dir = dirent;
55856 + buf.previous = NULL;
55857 ++ buf.file = file;
55858 + buf.count = count;
55859 + buf.error = 0;
55860 +
55861 +diff -urNp linux-2.6.24.5/fs/smbfs/symlink.c linux-2.6.24.5/fs/smbfs/symlink.c
55862 +--- linux-2.6.24.5/fs/smbfs/symlink.c 2008-03-24 14:49:18.000000000 -0400
55863 ++++ linux-2.6.24.5/fs/smbfs/symlink.c 2008-03-26 20:21:08.000000000 -0400
55864 +@@ -55,7 +55,7 @@ static void *smb_follow_link(struct dent
55865 +
55866 + static void smb_put_link(struct dentry *dentry, struct nameidata *nd, void *p)
55867 + {
55868 +- char *s = nd_get_link(nd);
55869 ++ const char *s = nd_get_link(nd);
55870 + if (!IS_ERR(s))
55871 + __putname(s);
55872 + }
55873 +diff -urNp linux-2.6.24.5/fs/sysfs/symlink.c linux-2.6.24.5/fs/sysfs/symlink.c
55874 +--- linux-2.6.24.5/fs/sysfs/symlink.c 2008-03-24 14:49:18.000000000 -0400
55875 ++++ linux-2.6.24.5/fs/sysfs/symlink.c 2008-03-26 20:21:08.000000000 -0400
55876 +@@ -172,7 +172,7 @@ static void *sysfs_follow_link(struct de
55877 +
55878 + static void sysfs_put_link(struct dentry *dentry, struct nameidata *nd, void *cookie)
55879 + {
55880 +- char *page = nd_get_link(nd);
55881 ++ const char *page = nd_get_link(nd);
55882 + if (!IS_ERR(page))
55883 + free_page((unsigned long)page);
55884 + }
55885 +diff -urNp linux-2.6.24.5/fs/udf/balloc.c linux-2.6.24.5/fs/udf/balloc.c
55886 +--- linux-2.6.24.5/fs/udf/balloc.c 2008-03-24 14:49:18.000000000 -0400
55887 ++++ linux-2.6.24.5/fs/udf/balloc.c 2008-03-26 20:21:08.000000000 -0400
55888 +@@ -154,8 +154,7 @@ static void udf_bitmap_free_blocks(struc
55889 + unsigned long overflow;
55890 +
55891 + mutex_lock(&sbi->s_alloc_mutex);
55892 +- if (bloc.logicalBlockNum < 0 ||
55893 +- (bloc.logicalBlockNum + count) > UDF_SB_PARTLEN(sb, bloc.partitionReferenceNum)) {
55894 ++ if (bloc.logicalBlockNum + count > UDF_SB_PARTLEN(sb, bloc.partitionReferenceNum)) {
55895 + udf_debug("%d < %d || %d + %d > %d\n",
55896 + bloc.logicalBlockNum, 0, bloc.logicalBlockNum, count,
55897 + UDF_SB_PARTLEN(sb, bloc.partitionReferenceNum));
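Review bot: after dropping the `bloc.logicalBlockNum < 0` test (presumably because the field is unsigned and the comparison was always false), the udf_debug() message on the following lines still prints `"%d < %d || %d + %d > %d\n"` with the literal `0` argument for a comparison that no longer exists; trim the message and its arguments to the remaining bounds check. The same stale message is left in the udf_table_free_blocks() hunk below.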
55898 +@@ -221,7 +220,7 @@ static int udf_bitmap_prealloc_blocks(st
55899 + struct buffer_head *bh;
55900 +
55901 + mutex_lock(&sbi->s_alloc_mutex);
55902 +- if (first_block < 0 || first_block >= UDF_SB_PARTLEN(sb, partition))
55903 ++ if (first_block >= UDF_SB_PARTLEN(sb, partition))
55904 + goto out;
55905 +
55906 + if (first_block + block_count > UDF_SB_PARTLEN(sb, partition))
55907 +@@ -287,7 +286,7 @@ static int udf_bitmap_new_block(struct s
55908 + mutex_lock(&sbi->s_alloc_mutex);
55909 +
55910 + repeat:
55911 +- if (goal < 0 || goal >= UDF_SB_PARTLEN(sb, partition))
55912 ++ if (goal >= UDF_SB_PARTLEN(sb, partition))
55913 + goal = 0;
55914 +
55915 + nr_groups = bitmap->s_nr_groups;
55916 +@@ -420,8 +419,7 @@ static void udf_table_free_blocks(struct
55917 + int i;
55918 +
55919 + mutex_lock(&sbi->s_alloc_mutex);
55920 +- if (bloc.logicalBlockNum < 0 ||
55921 +- (bloc.logicalBlockNum + count) > UDF_SB_PARTLEN(sb, bloc.partitionReferenceNum)) {
55922 ++ if (bloc.logicalBlockNum + count > UDF_SB_PARTLEN(sb, bloc.partitionReferenceNum)) {
55923 + udf_debug("%d < %d || %d + %d > %d\n",
55924 + bloc.logicalBlockNum, 0, bloc.logicalBlockNum, count,
55925 + UDF_SB_PARTLEN(sb, bloc.partitionReferenceNum));
55926 +@@ -627,7 +625,7 @@ static int udf_table_prealloc_blocks(str
55927 + struct extent_position epos;
55928 + int8_t etype = -1;
55929 +
55930 +- if (first_block < 0 || first_block >= UDF_SB_PARTLEN(sb, partition))
55931 ++ if (first_block >= UDF_SB_PARTLEN(sb, partition))
55932 + return 0;
55933 +
55934 + if (UDF_I_ALLOCTYPE(table) == ICBTAG_FLAG_AD_SHORT)
55935 +@@ -703,7 +701,7 @@ static int udf_table_new_block(struct su
55936 + return newblock;
55937 +
55938 + mutex_lock(&sbi->s_alloc_mutex);
55939 +- if (goal < 0 || goal >= UDF_SB_PARTLEN(sb, partition))
55940 ++ if (goal >= UDF_SB_PARTLEN(sb, partition))
55941 + goal = 0;
55942 +
55943 + /* We search for the closest matching block to goal. If we find a exact hit,
55944 +diff -urNp linux-2.6.24.5/fs/udf/inode.c linux-2.6.24.5/fs/udf/inode.c
55945 +--- linux-2.6.24.5/fs/udf/inode.c 2008-03-24 14:49:18.000000000 -0400
55946 ++++ linux-2.6.24.5/fs/udf/inode.c 2008-03-26 20:21:08.000000000 -0400
55947 +@@ -311,9 +311,6 @@ static int udf_get_block(struct inode *i
55948 +
55949 + lock_kernel();
55950 +
55951 +- if (block < 0)
55952 +- goto abort_negative;
55953 +-
55954 + if (block == UDF_I_NEXT_ALLOC_BLOCK(inode) + 1) {
55955 + UDF_I_NEXT_ALLOC_BLOCK(inode)++;
55956 + UDF_I_NEXT_ALLOC_GOAL(inode)++;
55957 +@@ -334,10 +331,6 @@ static int udf_get_block(struct inode *i
55958 + abort:
55959 + unlock_kernel();
55960 + return err;
55961 +-
55962 +-abort_negative:
55963 +- udf_warning(inode->i_sb, "udf_get_block", "block < 0");
55964 +- goto abort;
55965 + }
55966 +
55967 + static struct buffer_head *udf_getblk(struct inode *inode, long block,
55968 +diff -urNp linux-2.6.24.5/fs/ufs/inode.c linux-2.6.24.5/fs/ufs/inode.c
55969 +--- linux-2.6.24.5/fs/ufs/inode.c 2008-03-24 14:49:18.000000000 -0400
55970 ++++ linux-2.6.24.5/fs/ufs/inode.c 2008-03-26 20:21:08.000000000 -0400
55971 +@@ -56,9 +56,7 @@ static int ufs_block_to_path(struct inod
55972 +
55973 +
55974 + UFSD("ptrs=uspi->s_apb = %d,double_blocks=%ld \n",ptrs,double_blocks);
55975 +- if (i_block < 0) {
55976 +- ufs_warning(inode->i_sb, "ufs_block_to_path", "block < 0");
55977 +- } else if (i_block < direct_blocks) {
55978 ++ if (i_block < direct_blocks) {
55979 + offsets[n++] = i_block;
55980 + } else if ((i_block -= direct_blocks) < indirect_blocks) {
55981 + offsets[n++] = UFS_IND_BLOCK;
55982 +@@ -440,8 +438,6 @@ int ufs_getfrag_block(struct inode *inod
55983 + lock_kernel();
55984 +
55985 + UFSD("ENTER, ino %lu, fragment %llu\n", inode->i_ino, (unsigned long long)fragment);
55986 +- if (fragment < 0)
55987 +- goto abort_negative;
55988 + if (fragment >
55989 + ((UFS_NDADDR + uspi->s_apb + uspi->s_2apb + uspi->s_3apb)
55990 + << uspi->s_fpbshift))
55991 +@@ -504,10 +500,6 @@ abort:
55992 + unlock_kernel();
55993 + return err;
55994 +
55995 +-abort_negative:
55996 +- ufs_warning(sb, "ufs_get_block", "block < 0");
55997 +- goto abort;
55998 +-
55999 + abort_too_big:
56000 + ufs_warning(sb, "ufs_get_block", "block > big");
56001 + goto abort;
56002 +diff -urNp linux-2.6.24.5/fs/utimes.c linux-2.6.24.5/fs/utimes.c
56003 +--- linux-2.6.24.5/fs/utimes.c 2008-03-24 14:49:18.000000000 -0400
56004 ++++ linux-2.6.24.5/fs/utimes.c 2008-03-26 20:21:08.000000000 -0400
56005 +@@ -6,6 +6,7 @@
56006 + #include <linux/sched.h>
56007 + #include <linux/stat.h>
56008 + #include <linux/utime.h>
56009 ++#include <linux/grsecurity.h>
56010 + #include <asm/uaccess.h>
56011 + #include <asm/unistd.h>
56012 +
56013 +@@ -55,6 +56,7 @@ long do_utimes(int dfd, char __user *fil
56014 + int error;
56015 + struct nameidata nd;
56016 + struct dentry *dentry;
56017 ++ struct vfsmount *mnt;
56018 + struct inode *inode;
56019 + struct iattr newattrs;
56020 + struct file *f = NULL;
56021 +@@ -78,12 +80,14 @@ long do_utimes(int dfd, char __user *fil
56022 + if (!f)
56023 + goto out;
56024 + dentry = f->f_path.dentry;
56025 ++ mnt = f->f_path.mnt;
56026 + } else {
56027 + error = __user_walk_fd(dfd, filename, (flags & AT_SYMLINK_NOFOLLOW) ? 0 : LOOKUP_FOLLOW, &nd);
56028 + if (error)
56029 + goto out;
56030 +
56031 + dentry = nd.dentry;
56032 ++ mnt = nd.mnt;
56033 + }
56034 +
56035 + inode = dentry->d_inode;
56036 +@@ -130,6 +134,12 @@ long do_utimes(int dfd, char __user *fil
56037 + }
56038 + }
56039 + }
56040 ++
56041 ++ if (!gr_acl_handle_utime(dentry, mnt)) {
56042 ++ error = -EACCES;
56043 ++ goto dput_and_out;
56044 ++ }
56045 ++
56046 + mutex_lock(&inode->i_mutex);
56047 + error = notify_change(dentry, &newattrs);
56048 + mutex_unlock(&inode->i_mutex);
56049 +diff -urNp linux-2.6.24.5/fs/xfs/linux-2.6/xfs_iops.c linux-2.6.24.5/fs/xfs/linux-2.6/xfs_iops.c
56050 +--- linux-2.6.24.5/fs/xfs/linux-2.6/xfs_iops.c 2008-03-24 14:49:18.000000000 -0400
56051 ++++ linux-2.6.24.5/fs/xfs/linux-2.6/xfs_iops.c 2008-03-26 20:21:09.000000000 -0400
56052 +@@ -534,7 +534,7 @@ xfs_vn_put_link(
56053 + struct nameidata *nd,
56054 + void *p)
56055 + {
56056 +- char *s = nd_get_link(nd);
56057 ++ const char *s = nd_get_link(nd);
56058 +
56059 + if (!IS_ERR(s))
56060 + kfree(s);
56061 +diff -urNp linux-2.6.24.5/fs/xfs/xfs_bmap.c linux-2.6.24.5/fs/xfs/xfs_bmap.c
56062 +--- linux-2.6.24.5/fs/xfs/xfs_bmap.c 2008-03-24 14:49:18.000000000 -0400
56063 ++++ linux-2.6.24.5/fs/xfs/xfs_bmap.c 2008-03-26 20:21:09.000000000 -0400
56064 +@@ -360,7 +360,7 @@ xfs_bmap_validate_ret(
56065 + int nmap,
56066 + int ret_nmap);
56067 + #else
56068 +-#define xfs_bmap_validate_ret(bno,len,flags,mval,onmap,nmap)
56069 ++#define xfs_bmap_validate_ret(bno,len,flags,mval,onmap,nmap) do {} while (0)
56070 + #endif /* DEBUG */
56071 +
56072 + #if defined(XFS_RW_TRACE)
56073 +diff -urNp linux-2.6.24.5/grsecurity/gracl_alloc.c linux-2.6.24.5/grsecurity/gracl_alloc.c
56074 +--- linux-2.6.24.5/grsecurity/gracl_alloc.c 1969-12-31 19:00:00.000000000 -0500
56075 ++++ linux-2.6.24.5/grsecurity/gracl_alloc.c 2008-03-26 20:21:09.000000000 -0400
56076 +@@ -0,0 +1,91 @@
56077 ++#include <linux/kernel.h>
56078 ++#include <linux/mm.h>
56079 ++#include <linux/slab.h>
56080 ++#include <linux/vmalloc.h>
56081 ++#include <linux/gracl.h>
56082 ++#include <linux/grsecurity.h>
56083 ++
56084 ++static unsigned long alloc_stack_next = 1;
56085 ++static unsigned long alloc_stack_size = 1;
56086 ++static void **alloc_stack;
56087 ++
56088 ++static __inline__ int
56089 ++alloc_pop(void)
56090 ++{
56091 ++ if (alloc_stack_next == 1)
56092 ++ return 0;
56093 ++
56094 ++ kfree(alloc_stack[alloc_stack_next - 2]);
56095 ++
56096 ++ alloc_stack_next--;
56097 ++
56098 ++ return 1;
56099 ++}
56100 ++
56101 ++static __inline__ void
56102 ++alloc_push(void *buf)
56103 ++{
56104 ++ if (alloc_stack_next >= alloc_stack_size)
56105 ++ BUG();
56106 ++
56107 ++ alloc_stack[alloc_stack_next - 1] = buf;
56108 ++
56109 ++ alloc_stack_next++;
56110 ++
56111 ++ return;
56112 ++}
56113 ++
56114 ++void *
56115 ++acl_alloc(unsigned long len)
56116 ++{
56117 ++ void *ret;
56118 ++
56119 ++ if (len > PAGE_SIZE)
56120 ++ BUG();
56121 ++
56122 ++ ret = kmalloc(len, GFP_KERNEL);
56123 ++
56124 ++ if (ret)
56125 ++ alloc_push(ret);
56126 ++
56127 ++ return ret;
56128 ++}
56129 ++
56130 ++void
56131 ++acl_free_all(void)
56132 ++{
56133 ++ if (gr_acl_is_enabled() || !alloc_stack)
56134 ++ return;
56135 ++
56136 ++ while (alloc_pop()) ;
56137 ++
56138 ++ if (alloc_stack) {
56139 ++ if ((alloc_stack_size * sizeof (void *)) <= PAGE_SIZE)
56140 ++ kfree(alloc_stack);
56141 ++ else
56142 ++ vfree(alloc_stack);
56143 ++ }
56144 ++
56145 ++ alloc_stack = NULL;
56146 ++ alloc_stack_size = 1;
56147 ++ alloc_stack_next = 1;
56148 ++
56149 ++ return;
56150 ++}
56151 ++
56152 ++int
56153 ++acl_alloc_stack_init(unsigned long size)
56154 ++{
56155 ++ if ((size * sizeof (void *)) <= PAGE_SIZE)
56156 ++ alloc_stack =
56157 ++ (void **) kmalloc(size * sizeof (void *), GFP_KERNEL);
56158 ++ else
56159 ++ alloc_stack = (void **) vmalloc(size * sizeof (void *));
56160 ++
56161 ++ alloc_stack_size = size;
56162 ++
56163 ++ if (!alloc_stack)
56164 ++ return 0;
56165 ++ else
56166 ++ return 1;
56167 ++}
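Review bot: alloc_push() in the gracl_alloc.c hunk calls BUG() when the stack is full, but the stack's capacity is whatever acl_alloc_stack_init(size) was handed, and the only caller visible in this patch (init_variables) sizes it as `arg->role_db.num_pointers + 5`, a count taken from the gr_arg passed in rather than computed by the kernel; an undercount in that field therefore becomes a kernel BUG instead of a failed policy load. Returning failure from alloc_push() and having acl_alloc() kfree() the buffer and return NULL on that path would keep the error on the load path, since every acl_alloc() caller visible in this patch already checks for NULL. Two smaller points in the same hunk: alloc_stack_next is 1-based, so alloc_pop() frees `alloc_stack[alloc_stack_next - 2]` while alloc_push() writes `alloc_stack[alloc_stack_next - 1]`, which is correct but hard to verify at a glance, and a 0-based index with `if (alloc_stack_next == 0) return 0;` would read directly; and in acl_free_all() the `if (alloc_stack)` test after the pop loop is redundant because the function already returned when alloc_stack was NULL, while acl_alloc_stack_init() assigns alloc_stack_size = size before checking that the allocation succeeded, leaving a non-zero size beside a NULL stack on failure (harmless today only because init_variables() returns 1 immediately).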
56168 +diff -urNp linux-2.6.24.5/grsecurity/gracl.c linux-2.6.24.5/grsecurity/gracl.c
56169 +--- linux-2.6.24.5/grsecurity/gracl.c 1969-12-31 19:00:00.000000000 -0500
56170 ++++ linux-2.6.24.5/grsecurity/gracl.c 2008-03-26 20:21:09.000000000 -0400
56171 +@@ -0,0 +1,3722 @@
56172 ++#include <linux/kernel.h>
56173 ++#include <linux/module.h>
56174 ++#include <linux/sched.h>
56175 ++#include <linux/mm.h>
56176 ++#include <linux/file.h>
56177 ++#include <linux/fs.h>
56178 ++#include <linux/namei.h>
56179 ++#include <linux/mount.h>
56180 ++#include <linux/tty.h>
56181 ++#include <linux/proc_fs.h>
56182 ++#include <linux/smp_lock.h>
56183 ++#include <linux/slab.h>
56184 ++#include <linux/vmalloc.h>
56185 ++#include <linux/types.h>
56186 ++#include <linux/capability.h>
56187 ++#include <linux/sysctl.h>
56188 ++#include <linux/netdevice.h>
56189 ++#include <linux/ptrace.h>
56190 ++#include <linux/gracl.h>
56191 ++#include <linux/gralloc.h>
56192 ++#include <linux/grsecurity.h>
56193 ++#include <linux/grinternal.h>
56194 ++#include <linux/pid_namespace.h>
56195 ++#include <linux/percpu.h>
56196 ++
56197 ++#include <asm/uaccess.h>
56198 ++#include <asm/errno.h>
56199 ++#include <asm/mman.h>
56200 ++
56201 ++static struct acl_role_db acl_role_set;
56202 ++static struct name_db name_set;
56203 ++static struct inodev_db inodev_set;
56204 ++
56205 ++/* for keeping track of userspace pointers used for subjects, so we
56206 ++ can share references in the kernel as well
56207 ++*/
56208 ++
56209 ++static struct dentry *real_root;
56210 ++static struct vfsmount *real_root_mnt;
56211 ++
56212 ++static struct acl_subj_map_db subj_map_set;
56213 ++
56214 ++static struct acl_role_label *default_role;
56215 ++
56216 ++static u16 acl_sp_role_value;
56217 ++
56218 ++extern char *gr_shared_page[4];
56219 ++static DECLARE_MUTEX(gr_dev_sem);
56220 ++rwlock_t gr_inode_lock = RW_LOCK_UNLOCKED;
56221 ++
56222 ++struct gr_arg *gr_usermode;
56223 ++
56224 ++static unsigned int gr_status = GR_STATUS_INIT;
56225 ++
56226 ++extern int chkpw(struct gr_arg *entry, unsigned char *salt, unsigned char *sum);
56227 ++extern void gr_clear_learn_entries(void);
56228 ++
56229 ++#ifdef CONFIG_GRKERNSEC_RESLOG
56230 ++extern void gr_log_resource(const struct task_struct *task,
56231 ++ const int res, const unsigned long wanted, const int gt);
56232 ++#endif
56233 ++
56234 ++unsigned char *gr_system_salt;
56235 ++unsigned char *gr_system_sum;
56236 ++
56237 ++static struct sprole_pw **acl_special_roles = NULL;
56238 ++static __u16 num_sprole_pws = 0;
56239 ++
56240 ++static struct acl_role_label *kernel_role = NULL;
56241 ++
56242 ++static unsigned int gr_auth_attempts = 0;
56243 ++static unsigned long gr_auth_expires = 0UL;
56244 ++
56245 ++extern struct vfsmount *sock_mnt;
56246 ++extern struct vfsmount *pipe_mnt;
56247 ++extern struct vfsmount *shm_mnt;
56248 ++static struct acl_object_label *fakefs_obj;
56249 ++
56250 ++extern int gr_init_uidset(void);
56251 ++extern void gr_free_uidset(void);
56252 ++extern void gr_remove_uid(uid_t uid);
56253 ++extern int gr_find_uid(uid_t uid);
56254 ++
56255 ++__inline__ int
56256 ++gr_acl_is_enabled(void)
56257 ++{
56258 ++ return (gr_status & GR_READY);
56259 ++}
56260 ++
56261 ++char gr_roletype_to_char(void)
56262 ++{
56263 ++ switch (current->role->roletype &
56264 ++ (GR_ROLE_DEFAULT | GR_ROLE_USER | GR_ROLE_GROUP |
56265 ++ GR_ROLE_SPECIAL)) {
56266 ++ case GR_ROLE_DEFAULT:
56267 ++ return 'D';
56268 ++ case GR_ROLE_USER:
56269 ++ return 'U';
56270 ++ case GR_ROLE_GROUP:
56271 ++ return 'G';
56272 ++ case GR_ROLE_SPECIAL:
56273 ++ return 'S';
56274 ++ }
56275 ++
56276 ++ return 'X';
56277 ++}
56278 ++
56279 ++__inline__ int
56280 ++gr_acl_tpe_check(void)
56281 ++{
56282 ++ if (unlikely(!(gr_status & GR_READY)))
56283 ++ return 0;
56284 ++ if (current->role->roletype & GR_ROLE_TPE)
56285 ++ return 1;
56286 ++ else
56287 ++ return 0;
56288 ++}
56289 ++
56290 ++int
56291 ++gr_handle_rawio(const struct inode *inode)
56292 ++{
56293 ++#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
56294 ++ if (inode && S_ISBLK(inode->i_mode) &&
56295 ++ grsec_enable_chroot_caps && proc_is_chrooted(current) &&
56296 ++ !capable(CAP_SYS_RAWIO))
56297 ++ return 1;
56298 ++#endif
56299 ++ return 0;
56300 ++}
56301 ++
56302 ++static int
56303 ++gr_streq(const char *a, const char *b, const unsigned int lena, const unsigned int lenb)
56304 ++{
56305 ++ int i;
56306 ++ unsigned long *l1;
56307 ++ unsigned long *l2;
56308 ++ unsigned char *c1;
56309 ++ unsigned char *c2;
56310 ++ int num_longs;
56311 ++
56312 ++ if (likely(lena != lenb))
56313 ++ return 0;
56314 ++
56315 ++ l1 = (unsigned long *)a;
56316 ++ l2 = (unsigned long *)b;
56317 ++
56318 ++ num_longs = lena / sizeof(unsigned long);
56319 ++
56320 ++ for (i = num_longs; i--; l1++, l2++) {
56321 ++ if (unlikely(*l1 != *l2))
56322 ++ return 0;
56323 ++ }
56324 ++
56325 ++ c1 = (unsigned char *) l1;
56326 ++ c2 = (unsigned char *) l2;
56327 ++
56328 ++ i = lena - (num_longs * sizeof(unsigned long));
56329 ++
56330 ++ for (; i--; c1++, c2++) {
56331 ++ if (unlikely(*c1 != *c2))
56332 ++ return 0;
56333 ++ }
56334 ++
56335 ++ return 1;
56336 ++}
56337 ++
56338 ++static char * __our_d_path(struct dentry *dentry, struct vfsmount *vfsmnt,
56339 ++ struct dentry *root, struct vfsmount *rootmnt,
56340 ++ char *buffer, int buflen)
56341 ++{
56342 ++ char * end = buffer+buflen;
56343 ++ char * retval;
56344 ++ int namelen;
56345 ++
56346 ++ *--end = '\0';
56347 ++ buflen--;
56348 ++
56349 ++ if (buflen < 1)
56350 ++ goto Elong;
56351 ++ /* Get '/' right */
56352 ++ retval = end-1;
56353 ++ *retval = '/';
56354 ++
56355 ++ for (;;) {
56356 ++ struct dentry * parent;
56357 ++
56358 ++ if (dentry == root && vfsmnt == rootmnt)
56359 ++ break;
56360 ++ if (dentry == vfsmnt->mnt_root || IS_ROOT(dentry)) {
56361 ++ /* Global root? */
56362 ++ spin_lock(&vfsmount_lock);
56363 ++ if (vfsmnt->mnt_parent == vfsmnt) {
56364 ++ spin_unlock(&vfsmount_lock);
56365 ++ goto global_root;
56366 ++ }
56367 ++ dentry = vfsmnt->mnt_mountpoint;
56368 ++ vfsmnt = vfsmnt->mnt_parent;
56369 ++ spin_unlock(&vfsmount_lock);
56370 ++ continue;
56371 ++ }
56372 ++ parent = dentry->d_parent;
56373 ++ prefetch(parent);
56374 ++ namelen = dentry->d_name.len;
56375 ++ buflen -= namelen + 1;
56376 ++ if (buflen < 0)
56377 ++ goto Elong;
56378 ++ end -= namelen;
56379 ++ memcpy(end, dentry->d_name.name, namelen);
56380 ++ *--end = '/';
56381 ++ retval = end;
56382 ++ dentry = parent;
56383 ++ }
56384 ++
56385 ++ return retval;
56386 ++
56387 ++global_root:
56388 ++ namelen = dentry->d_name.len;
56389 ++ buflen -= namelen;
56390 ++ if (buflen < 0)
56391 ++ goto Elong;
56392 ++ retval -= namelen-1; /* hit the slash */
56393 ++ memcpy(retval, dentry->d_name.name, namelen);
56394 ++ return retval;
56395 ++Elong:
56396 ++ return ERR_PTR(-ENAMETOOLONG);
56397 ++}
56398 ++
56399 ++static char *
56400 ++gen_full_path(struct dentry *dentry, struct vfsmount *vfsmnt,
56401 ++ struct dentry *root, struct vfsmount *rootmnt, char *buf, int buflen)
56402 ++{
56403 ++ char *retval;
56404 ++
56405 ++ retval = __our_d_path(dentry, vfsmnt, root, rootmnt, buf, buflen);
56406 ++ if (unlikely(IS_ERR(retval)))
56407 ++ retval = strcpy(buf, "<path too long>");
56408 ++ else if (unlikely(retval[1] == '/' && retval[2] == '\0'))
56409 ++ retval[1] = '\0';
56410 ++
56411 ++ return retval;
56412 ++}
56413 ++
56414 ++static char *
56415 ++__d_real_path(const struct dentry *dentry, const struct vfsmount *vfsmnt,
56416 ++ char *buf, int buflen)
56417 ++{
56418 ++ char *res;
56419 ++
56420 ++ /* we can use real_root, real_root_mnt, because this is only called
56421 ++ by the RBAC system */
56422 ++ res = gen_full_path((struct dentry *)dentry, (struct vfsmount *)vfsmnt, real_root, real_root_mnt, buf, buflen);
56423 ++
56424 ++ return res;
56425 ++}
56426 ++
56427 ++static char *
56428 ++d_real_path(const struct dentry *dentry, const struct vfsmount *vfsmnt,
56429 ++ char *buf, int buflen)
56430 ++{
56431 ++ char *res;
56432 ++ struct dentry *root;
56433 ++ struct vfsmount *rootmnt;
56434 ++ struct task_struct *reaper = current->nsproxy->pid_ns->child_reaper;
56435 ++
56436 ++ /* we can't use real_root, real_root_mnt, because they belong only to the RBAC system */
56437 ++ read_lock(&reaper->fs->lock);
56438 ++ root = dget(reaper->fs->root);
56439 ++ rootmnt = mntget(reaper->fs->rootmnt);
56440 ++ read_unlock(&reaper->fs->lock);
56441 ++
56442 ++ spin_lock(&dcache_lock);
56443 ++ res = gen_full_path((struct dentry *)dentry, (struct vfsmount *)vfsmnt, root, rootmnt, buf, buflen);
56444 ++ spin_unlock(&dcache_lock);
56445 ++
56446 ++ dput(root);
56447 ++ mntput(rootmnt);
56448 ++ return res;
56449 ++}
56450 ++
56451 ++static char *
56452 ++gr_to_filename_rbac(const struct dentry *dentry, const struct vfsmount *mnt)
56453 ++{
56454 ++ char *ret;
56455 ++ spin_lock(&dcache_lock);
56456 ++ ret = __d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0],smp_processor_id()),
56457 ++ PAGE_SIZE);
56458 ++ spin_unlock(&dcache_lock);
56459 ++ return ret;
56460 ++}
56461 ++
56462 ++char *
56463 ++gr_to_filename_nolock(const struct dentry *dentry, const struct vfsmount *mnt)
56464 ++{
56465 ++ return __d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0],smp_processor_id()),
56466 ++ PAGE_SIZE);
56467 ++}
56468 ++
56469 ++char *
56470 ++gr_to_filename(const struct dentry *dentry, const struct vfsmount *mnt)
56471 ++{
56472 ++ return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0], smp_processor_id()),
56473 ++ PAGE_SIZE);
56474 ++}
56475 ++
56476 ++char *
56477 ++gr_to_filename1(const struct dentry *dentry, const struct vfsmount *mnt)
56478 ++{
56479 ++ return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[1], smp_processor_id()),
56480 ++ PAGE_SIZE);
56481 ++}
56482 ++
56483 ++char *
56484 ++gr_to_filename2(const struct dentry *dentry, const struct vfsmount *mnt)
56485 ++{
56486 ++ return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[2], smp_processor_id()),
56487 ++ PAGE_SIZE);
56488 ++}
56489 ++
56490 ++char *
56491 ++gr_to_filename3(const struct dentry *dentry, const struct vfsmount *mnt)
56492 ++{
56493 ++ return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[3], smp_processor_id()),
56494 ++ PAGE_SIZE);
56495 ++}
56496 ++
56497 ++__inline__ __u32
56498 ++to_gr_audit(const __u32 reqmode)
56499 ++{
56500 ++ /* masks off auditable permission flags, then shifts them to create
56501 ++ auditing flags, and adds the special case of append auditing if
56502 ++ we're requesting write */
56503 ++ return (((reqmode & ~GR_AUDITS) << 10) | ((reqmode & GR_WRITE) ? GR_AUDIT_APPEND : 0));
56504 ++}
56505 ++
56506 ++struct acl_subject_label *
56507 ++lookup_subject_map(const struct acl_subject_label *userp)
56508 ++{
56509 ++ unsigned int index = shash(userp, subj_map_set.s_size);
56510 ++ struct subject_map *match;
56511 ++
56512 ++ match = subj_map_set.s_hash[index];
56513 ++
56514 ++ while (match && match->user != userp)
56515 ++ match = match->next;
56516 ++
56517 ++ if (match != NULL)
56518 ++ return match->kernel;
56519 ++ else
56520 ++ return NULL;
56521 ++}
56522 ++
56523 ++static void
56524 ++insert_subj_map_entry(struct subject_map *subjmap)
56525 ++{
56526 ++ unsigned int index = shash(subjmap->user, subj_map_set.s_size);
56527 ++ struct subject_map **curr;
56528 ++
56529 ++ subjmap->prev = NULL;
56530 ++
56531 ++ curr = &subj_map_set.s_hash[index];
56532 ++ if (*curr != NULL)
56533 ++ (*curr)->prev = subjmap;
56534 ++
56535 ++ subjmap->next = *curr;
56536 ++ *curr = subjmap;
56537 ++
56538 ++ return;
56539 ++}
56540 ++
56541 ++static struct acl_role_label *
56542 ++lookup_acl_role_label(const struct task_struct *task, const uid_t uid,
56543 ++ const gid_t gid)
56544 ++{
56545 ++ unsigned int index = rhash(uid, GR_ROLE_USER, acl_role_set.r_size);
56546 ++ struct acl_role_label *match;
56547 ++ struct role_allowed_ip *ipp;
56548 ++ unsigned int x;
56549 ++
56550 ++ match = acl_role_set.r_hash[index];
56551 ++
56552 ++ while (match) {
56553 ++ if ((match->roletype & (GR_ROLE_DOMAIN | GR_ROLE_USER)) == (GR_ROLE_DOMAIN | GR_ROLE_USER)) {
56554 ++ for (x = 0; x < match->domain_child_num; x++) {
56555 ++ if (match->domain_children[x] == uid)
56556 ++ goto found;
56557 ++ }
56558 ++ } else if (match->uidgid == uid && match->roletype & GR_ROLE_USER)
56559 ++ break;
56560 ++ match = match->next;
56561 ++ }
56562 ++found:
56563 ++ if (match == NULL) {
56564 ++ try_group:
56565 ++ index = rhash(gid, GR_ROLE_GROUP, acl_role_set.r_size);
56566 ++ match = acl_role_set.r_hash[index];
56567 ++
56568 ++ while (match) {
56569 ++ if ((match->roletype & (GR_ROLE_DOMAIN | GR_ROLE_GROUP)) == (GR_ROLE_DOMAIN | GR_ROLE_GROUP)) {
56570 ++ for (x = 0; x < match->domain_child_num; x++) {
56571 ++ if (match->domain_children[x] == gid)
56572 ++ goto found2;
56573 ++ }
56574 ++ } else if (match->uidgid == gid && match->roletype & GR_ROLE_GROUP)
56575 ++ break;
56576 ++ match = match->next;
56577 ++ }
56578 ++found2:
56579 ++ if (match == NULL)
56580 ++ match = default_role;
56581 ++ if (match->allowed_ips == NULL)
56582 ++ return match;
56583 ++ else {
56584 ++ for (ipp = match->allowed_ips; ipp; ipp = ipp->next) {
56585 ++ if (likely
56586 ++ ((ntohl(task->signal->curr_ip) & ipp->netmask) ==
56587 ++ (ntohl(ipp->addr) & ipp->netmask)))
56588 ++ return match;
56589 ++ }
56590 ++ match = default_role;
56591 ++ }
56592 ++ } else if (match->allowed_ips == NULL) {
56593 ++ return match;
56594 ++ } else {
56595 ++ for (ipp = match->allowed_ips; ipp; ipp = ipp->next) {
56596 ++ if (likely
56597 ++ ((ntohl(task->signal->curr_ip) & ipp->netmask) ==
56598 ++ (ntohl(ipp->addr) & ipp->netmask)))
56599 ++ return match;
56600 ++ }
56601 ++ goto try_group;
56602 ++ }
56603 ++
56604 ++ return match;
56605 ++}
56606 ++
56607 ++struct acl_subject_label *
56608 ++lookup_acl_subj_label(const ino_t ino, const dev_t dev,
56609 ++ const struct acl_role_label *role)
56610 ++{
56611 ++ unsigned int index = fhash(ino, dev, role->subj_hash_size);
56612 ++ struct acl_subject_label *match;
56613 ++
56614 ++ match = role->subj_hash[index];
56615 ++
56616 ++ while (match && (match->inode != ino || match->device != dev ||
56617 ++ (match->mode & GR_DELETED))) {
56618 ++ match = match->next;
56619 ++ }
56620 ++
56621 ++ if (match && !(match->mode & GR_DELETED))
56622 ++ return match;
56623 ++ else
56624 ++ return NULL;
56625 ++}
56626 ++
56627 ++static struct acl_object_label *
56628 ++lookup_acl_obj_label(const ino_t ino, const dev_t dev,
56629 ++ const struct acl_subject_label *subj)
56630 ++{
56631 ++ unsigned int index = fhash(ino, dev, subj->obj_hash_size);
56632 ++ struct acl_object_label *match;
56633 ++
56634 ++ match = subj->obj_hash[index];
56635 ++
56636 ++ while (match && (match->inode != ino || match->device != dev ||
56637 ++ (match->mode & GR_DELETED))) {
56638 ++ match = match->next;
56639 ++ }
56640 ++
56641 ++ if (match && !(match->mode & GR_DELETED))
56642 ++ return match;
56643 ++ else
56644 ++ return NULL;
56645 ++}
56646 ++
56647 ++static struct acl_object_label *
56648 ++lookup_acl_obj_label_create(const ino_t ino, const dev_t dev,
56649 ++ const struct acl_subject_label *subj)
56650 ++{
56651 ++ unsigned int index = fhash(ino, dev, subj->obj_hash_size);
56652 ++ struct acl_object_label *match;
56653 ++
56654 ++ match = subj->obj_hash[index];
56655 ++
56656 ++ while (match && (match->inode != ino || match->device != dev ||
56657 ++ !(match->mode & GR_DELETED))) {
56658 ++ match = match->next;
56659 ++ }
56660 ++
56661 ++ if (match && (match->mode & GR_DELETED))
56662 ++ return match;
56663 ++
56664 ++ match = subj->obj_hash[index];
56665 ++
56666 ++ while (match && (match->inode != ino || match->device != dev ||
56667 ++ (match->mode & GR_DELETED))) {
56668 ++ match = match->next;
56669 ++ }
56670 ++
56671 ++ if (match && !(match->mode & GR_DELETED))
56672 ++ return match;
56673 ++ else
56674 ++ return NULL;
56675 ++}
56676 ++
56677 ++static struct name_entry *
56678 ++lookup_name_entry(const char *name)
56679 ++{
56680 ++ unsigned int len = strlen(name);
56681 ++ unsigned int key = full_name_hash(name, len);
56682 ++ unsigned int index = key % name_set.n_size;
56683 ++ struct name_entry *match;
56684 ++
56685 ++ match = name_set.n_hash[index];
56686 ++
56687 ++ while (match && (match->key != key || !gr_streq(match->name, name, match->len, len)))
56688 ++ match = match->next;
56689 ++
56690 ++ return match;
56691 ++}
56692 ++
56693 ++static struct name_entry *
56694 ++lookup_name_entry_create(const char *name)
56695 ++{
56696 ++ unsigned int len = strlen(name);
56697 ++ unsigned int key = full_name_hash(name, len);
56698 ++ unsigned int index = key % name_set.n_size;
56699 ++ struct name_entry *match;
56700 ++
56701 ++ match = name_set.n_hash[index];
56702 ++
56703 ++ while (match && (match->key != key || !gr_streq(match->name, name, match->len, len) ||
56704 ++ !match->deleted))
56705 ++ match = match->next;
56706 ++
56707 ++ if (match && match->deleted)
56708 ++ return match;
56709 ++
56710 ++ match = name_set.n_hash[index];
56711 ++
56712 ++ while (match && (match->key != key || !gr_streq(match->name, name, match->len, len) ||
56713 ++ match->deleted))
56714 ++ match = match->next;
56715 ++
56716 ++ if (match && !match->deleted)
56717 ++ return match;
56718 ++ else
56719 ++ return NULL;
56720 ++}
56721 ++
56722 ++static struct inodev_entry *
56723 ++lookup_inodev_entry(const ino_t ino, const dev_t dev)
56724 ++{
56725 ++ unsigned int index = fhash(ino, dev, inodev_set.i_size);
56726 ++ struct inodev_entry *match;
56727 ++
56728 ++ match = inodev_set.i_hash[index];
56729 ++
56730 ++ while (match && (match->nentry->inode != ino || match->nentry->device != dev))
56731 ++ match = match->next;
56732 ++
56733 ++ return match;
56734 ++}
56735 ++
56736 ++static void
56737 ++insert_inodev_entry(struct inodev_entry *entry)
56738 ++{
56739 ++ unsigned int index = fhash(entry->nentry->inode, entry->nentry->device,
56740 ++ inodev_set.i_size);
56741 ++ struct inodev_entry **curr;
56742 ++
56743 ++ entry->prev = NULL;
56744 ++
56745 ++ curr = &inodev_set.i_hash[index];
56746 ++ if (*curr != NULL)
56747 ++ (*curr)->prev = entry;
56748 ++
56749 ++ entry->next = *curr;
56750 ++ *curr = entry;
56751 ++
56752 ++ return;
56753 ++}
56754 ++
56755 ++static void
56756 ++__insert_acl_role_label(struct acl_role_label *role, uid_t uidgid)
56757 ++{
56758 ++ unsigned int index =
56759 ++ rhash(uidgid, role->roletype & (GR_ROLE_USER | GR_ROLE_GROUP), acl_role_set.r_size);
56760 ++ struct acl_role_label **curr;
56761 ++
56762 ++ role->prev = NULL;
56763 ++
56764 ++ curr = &acl_role_set.r_hash[index];
56765 ++ if (*curr != NULL)
56766 ++ (*curr)->prev = role;
56767 ++
56768 ++ role->next = *curr;
56769 ++ *curr = role;
56770 ++
56771 ++ return;
56772 ++}
56773 ++
56774 ++static void
56775 ++insert_acl_role_label(struct acl_role_label *role)
56776 ++{
56777 ++ int i;
56778 ++
56779 ++ if (role->roletype & GR_ROLE_DOMAIN) {
56780 ++ for (i = 0; i < role->domain_child_num; i++)
56781 ++ __insert_acl_role_label(role, role->domain_children[i]);
56782 ++ } else
56783 ++ __insert_acl_role_label(role, role->uidgid);
56784 ++}
56785 ++
56786 ++static int
56787 ++insert_name_entry(char *name, const ino_t inode, const dev_t device, __u8 deleted)
56788 ++{
56789 ++ struct name_entry **curr, *nentry;
56790 ++ struct inodev_entry *ientry;
56791 ++ unsigned int len = strlen(name);
56792 ++ unsigned int key = full_name_hash(name, len);
56793 ++ unsigned int index = key % name_set.n_size;
56794 ++
56795 ++ curr = &name_set.n_hash[index];
56796 ++
56797 ++ while (*curr && ((*curr)->key != key || !gr_streq((*curr)->name, name, (*curr)->len, len)))
56798 ++ curr = &((*curr)->next);
56799 ++
56800 ++ if (*curr != NULL)
56801 ++ return 1;
56802 ++
56803 ++ nentry = acl_alloc(sizeof (struct name_entry));
56804 ++ if (nentry == NULL)
56805 ++ return 0;
56806 ++ ientry = acl_alloc(sizeof (struct inodev_entry));
56807 ++ if (ientry == NULL)
56808 ++ return 0;
56809 ++ ientry->nentry = nentry;
56810 ++
56811 ++ nentry->key = key;
56812 ++ nentry->name = name;
56813 ++ nentry->inode = inode;
56814 ++ nentry->device = device;
56815 ++ nentry->len = len;
56816 ++ nentry->deleted = deleted;
56817 ++
56818 ++ nentry->prev = NULL;
56819 ++ curr = &name_set.n_hash[index];
56820 ++ if (*curr != NULL)
56821 ++ (*curr)->prev = nentry;
56822 ++ nentry->next = *curr;
56823 ++ *curr = nentry;
56824 ++
56825 ++ /* insert us into the table searchable by inode/dev */
56826 ++ insert_inodev_entry(ientry);
56827 ++
56828 ++ return 1;
56829 ++}
56830 ++
56831 ++static void
56832 ++insert_acl_obj_label(struct acl_object_label *obj,
56833 ++ struct acl_subject_label *subj)
56834 ++{
56835 ++ unsigned int index =
56836 ++ fhash(obj->inode, obj->device, subj->obj_hash_size);
56837 ++ struct acl_object_label **curr;
56838 ++
56839 ++
56840 ++ obj->prev = NULL;
56841 ++
56842 ++ curr = &subj->obj_hash[index];
56843 ++ if (*curr != NULL)
56844 ++ (*curr)->prev = obj;
56845 ++
56846 ++ obj->next = *curr;
56847 ++ *curr = obj;
56848 ++
56849 ++ return;
56850 ++}
56851 ++
56852 ++static void
56853 ++insert_acl_subj_label(struct acl_subject_label *obj,
56854 ++ struct acl_role_label *role)
56855 ++{
56856 ++ unsigned int index = fhash(obj->inode, obj->device, role->subj_hash_size);
56857 ++ struct acl_subject_label **curr;
56858 ++
56859 ++ obj->prev = NULL;
56860 ++
56861 ++ curr = &role->subj_hash[index];
56862 ++ if (*curr != NULL)
56863 ++ (*curr)->prev = obj;
56864 ++
56865 ++ obj->next = *curr;
56866 ++ *curr = obj;
56867 ++
56868 ++ return;
56869 ++}
56870 ++
56871 ++/* allocating chained hash tables, so optimal size is where lambda ~ 1 */
56872 ++
56873 ++static void *
56874 ++create_table(__u32 * len, int elementsize)
56875 ++{
56876 ++ unsigned int table_sizes[] = {
56877 ++ 7, 13, 31, 61, 127, 251, 509, 1021, 2039, 4093, 8191, 16381,
56878 ++ 32749, 65521, 131071, 262139, 524287, 1048573, 2097143,
56879 ++ 4194301, 8388593, 16777213, 33554393, 67108859, 134217689,
56880 ++ 268435399, 536870909, 1073741789, 2147483647
56881 ++ };
56882 ++ void *newtable = NULL;
56883 ++ unsigned int pwr = 0;
56884 ++
56885 ++ while ((pwr < ((sizeof (table_sizes) / sizeof (table_sizes[0])) - 1)) &&
56886 ++ table_sizes[pwr] <= *len)
56887 ++ pwr++;
56888 ++
56889 ++ if (table_sizes[pwr] <= *len)
56890 ++ return newtable;
56891 ++
56892 ++ if ((table_sizes[pwr] * elementsize) <= PAGE_SIZE)
56893 ++ newtable =
56894 ++ kmalloc(table_sizes[pwr] * elementsize, GFP_KERNEL);
56895 ++ else
56896 ++ newtable = vmalloc(table_sizes[pwr] * elementsize);
56897 ++
56898 ++ *len = table_sizes[pwr];
56899 ++
56900 ++ return newtable;
56901 ++}
56902 ++
56903 ++static int
56904 ++init_variables(const struct gr_arg *arg)
56905 ++{
56906 ++ struct task_struct *reaper = current->nsproxy->pid_ns->child_reaper;
56907 ++ unsigned int stacksize;
56908 ++
56909 ++ subj_map_set.s_size = arg->role_db.num_subjects;
56910 ++ acl_role_set.r_size = arg->role_db.num_roles + arg->role_db.num_domain_children;
56911 ++ name_set.n_size = arg->role_db.num_objects;
56912 ++ inodev_set.i_size = arg->role_db.num_objects;
56913 ++
56914 ++ if (!subj_map_set.s_size || !acl_role_set.r_size ||
56915 ++ !name_set.n_size || !inodev_set.i_size)
56916 ++ return 1;
56917 ++
56918 ++ if (!gr_init_uidset())
56919 ++ return 1;
56920 ++
56921 ++ /* set up the stack that holds allocation info */
56922 ++
56923 ++ stacksize = arg->role_db.num_pointers + 5;
56924 ++
56925 ++ if (!acl_alloc_stack_init(stacksize))
56926 ++ return 1;
56927 ++
56928 ++ /* grab reference for the real root dentry and vfsmount */
56929 ++ read_lock(&reaper->fs->lock);
56930 ++ real_root_mnt = mntget(reaper->fs->rootmnt);
56931 ++ real_root = dget(reaper->fs->root);
56932 ++ read_unlock(&reaper->fs->lock);
56933 ++
56934 ++ fakefs_obj = acl_alloc(sizeof(struct acl_object_label));
56935 ++ if (fakefs_obj == NULL)
56936 ++ return 1;
56937 ++ fakefs_obj->mode = GR_FIND | GR_READ | GR_WRITE | GR_EXEC;
56938 ++
56939 ++ subj_map_set.s_hash =
56940 ++ (struct subject_map **) create_table(&subj_map_set.s_size, sizeof(void *));
56941 ++ acl_role_set.r_hash =
56942 ++ (struct acl_role_label **) create_table(&acl_role_set.r_size, sizeof(void *));
56943 ++ name_set.n_hash = (struct name_entry **) create_table(&name_set.n_size, sizeof(void *));
56944 ++ inodev_set.i_hash =
56945 ++ (struct inodev_entry **) create_table(&inodev_set.i_size, sizeof(void *));
56946 ++
56947 ++ if (!subj_map_set.s_hash || !acl_role_set.r_hash ||
56948 ++ !name_set.n_hash || !inodev_set.i_hash)
56949 ++ return 1;
56950 ++
56951 ++ memset(subj_map_set.s_hash, 0,
56952 ++ sizeof(struct subject_map *) * subj_map_set.s_size);
56953 ++ memset(acl_role_set.r_hash, 0,
56954 ++ sizeof (struct acl_role_label *) * acl_role_set.r_size);
56955 ++ memset(name_set.n_hash, 0,
56956 ++ sizeof (struct name_entry *) * name_set.n_size);
56957 ++ memset(inodev_set.i_hash, 0,
56958 ++ sizeof (struct inodev_entry *) * inodev_set.i_size);
56959 ++
56960 ++ return 0;
56961 ++}
56962 ++
56963 ++/* free information not needed after startup
56964 ++ currently contains user->kernel pointer mappings for subjects
56965 ++*/
56966 ++
56967 ++static void
56968 ++free_init_variables(void)
56969 ++{
56970 ++ __u32 i;
56971 ++
56972 ++ if (subj_map_set.s_hash) {
56973 ++ for (i = 0; i < subj_map_set.s_size; i++) {
56974 ++ if (subj_map_set.s_hash[i]) {
56975 ++ kfree(subj_map_set.s_hash[i]);
56976 ++ subj_map_set.s_hash[i] = NULL;
56977 ++ }
56978 ++ }
56979 ++
56980 ++ if ((subj_map_set.s_size * sizeof (struct subject_map *)) <=
56981 ++ PAGE_SIZE)
56982 ++ kfree(subj_map_set.s_hash);
56983 ++ else
56984 ++ vfree(subj_map_set.s_hash);
56985 ++ }
56986 ++
56987 ++ return;
56988 ++}
56989 ++
56990 ++static void
56991 ++free_variables(void)
56992 ++{
56993 ++ struct acl_subject_label *s;
56994 ++ struct acl_role_label *r;
56995 ++ struct task_struct *task, *task2;
56996 ++ unsigned int i, x;
56997 ++
56998 ++ gr_clear_learn_entries();
56999 ++
57000 ++ read_lock(&tasklist_lock);
57001 ++ do_each_thread(task2, task) {
57002 ++ task->acl_sp_role = 0;
57003 ++ task->acl_role_id = 0;
57004 ++ task->acl = NULL;
57005 ++ task->role = NULL;
57006 ++ } while_each_thread(task2, task);
57007 ++ read_unlock(&tasklist_lock);
57008 ++
57009 ++ /* release the reference to the real root dentry and vfsmount */
57010 ++ if (real_root)
57011 ++ dput(real_root);
57012 ++ real_root = NULL;
57013 ++ if (real_root_mnt)
57014 ++ mntput(real_root_mnt);
57015 ++ real_root_mnt = NULL;
57016 ++
57017 ++ /* free all object hash tables */
57018 ++
57019 ++ FOR_EACH_ROLE_START(r, i)
57020 ++ if (r->subj_hash == NULL)
57021 ++ break;
57022 ++ FOR_EACH_SUBJECT_START(r, s, x)
57023 ++ if (s->obj_hash == NULL)
57024 ++ break;
57025 ++ if ((s->obj_hash_size * sizeof (struct acl_object_label *)) <= PAGE_SIZE)
57026 ++ kfree(s->obj_hash);
57027 ++ else
57028 ++ vfree(s->obj_hash);
57029 ++ FOR_EACH_SUBJECT_END(s, x)
57030 ++ FOR_EACH_NESTED_SUBJECT_START(r, s)
57031 ++ if (s->obj_hash == NULL)
57032 ++ break;
57033 ++ if ((s->obj_hash_size * sizeof (struct acl_object_label *)) <= PAGE_SIZE)
57034 ++ kfree(s->obj_hash);
57035 ++ else
57036 ++ vfree(s->obj_hash);
57037 ++ FOR_EACH_NESTED_SUBJECT_END(s)
57038 ++ if ((r->subj_hash_size * sizeof (struct acl_subject_label *)) <= PAGE_SIZE)
57039 ++ kfree(r->subj_hash);
57040 ++ else
57041 ++ vfree(r->subj_hash);
57042 ++ r->subj_hash = NULL;
57043 ++ FOR_EACH_ROLE_END(r,i)
57044 ++
57045 ++ acl_free_all();
57046 ++
57047 ++ if (acl_role_set.r_hash) {
57048 ++ if ((acl_role_set.r_size * sizeof (struct acl_role_label *)) <=
57049 ++ PAGE_SIZE)
57050 ++ kfree(acl_role_set.r_hash);
57051 ++ else
57052 ++ vfree(acl_role_set.r_hash);
57053 ++ }
57054 ++ if (name_set.n_hash) {
57055 ++ if ((name_set.n_size * sizeof (struct name_entry *)) <=
57056 ++ PAGE_SIZE)
57057 ++ kfree(name_set.n_hash);
57058 ++ else
57059 ++ vfree(name_set.n_hash);
57060 ++ }
57061 ++
57062 ++ if (inodev_set.i_hash) {
57063 ++ if ((inodev_set.i_size * sizeof (struct inodev_entry *)) <=
57064 ++ PAGE_SIZE)
57065 ++ kfree(inodev_set.i_hash);
57066 ++ else
57067 ++ vfree(inodev_set.i_hash);
57068 ++ }
57069 ++
57070 ++ gr_free_uidset();
57071 ++
57072 ++ memset(&name_set, 0, sizeof (struct name_db));
57073 ++ memset(&inodev_set, 0, sizeof (struct inodev_db));
57074 ++ memset(&acl_role_set, 0, sizeof (struct acl_role_db));
57075 ++ memset(&subj_map_set, 0, sizeof (struct acl_subj_map_db));
57076 ++
57077 ++ default_role = NULL;
57078 ++
57079 ++ return;
57080 ++}
57081 ++
57082 ++static __u32
57083 ++count_user_objs(struct acl_object_label *userp)
57084 ++{
57085 ++ struct acl_object_label o_tmp;
57086 ++ __u32 num = 0;
57087 ++
57088 ++ while (userp) {
57089 ++ if (copy_from_user(&o_tmp, userp,
57090 ++ sizeof (struct acl_object_label)))
57091 ++ break;
57092 ++
57093 ++ userp = o_tmp.prev;
57094 ++ num++;
57095 ++ }
57096 ++
57097 ++ return num;
57098 ++}
57099 ++
57100 ++static struct acl_subject_label *
57101 ++do_copy_user_subj(struct acl_subject_label *userp, struct acl_role_label *role);
57102 ++
57103 ++static int
57104 ++copy_user_glob(struct acl_object_label *obj)
57105 ++{
57106 ++ struct acl_object_label *g_tmp, **guser;
57107 ++ unsigned int len;
57108 ++ char *tmp;
57109 ++
57110 ++ if (obj->globbed == NULL)
57111 ++ return 0;
57112 ++
57113 ++ guser = &obj->globbed;
57114 ++ while (*guser) {
57115 ++ g_tmp = (struct acl_object_label *)
57116 ++ acl_alloc(sizeof (struct acl_object_label));
57117 ++ if (g_tmp == NULL)
57118 ++ return -ENOMEM;
57119 ++
57120 ++ if (copy_from_user(g_tmp, *guser,
57121 ++ sizeof (struct acl_object_label)))
57122 ++ return -EFAULT;
57123 ++
57124 ++ len = strnlen_user(g_tmp->filename, PATH_MAX);
57125 ++
57126 ++ if (!len || len >= PATH_MAX)
57127 ++ return -EINVAL;
57128 ++
57129 ++ if ((tmp = (char *) acl_alloc(len)) == NULL)
57130 ++ return -ENOMEM;
57131 ++
57132 ++ if (copy_from_user(tmp, g_tmp->filename, len))
57133 ++ return -EFAULT;
57134 ++
57135 ++ g_tmp->filename = tmp;
57136 ++
57137 ++ *guser = g_tmp;
57138 ++ guser = &(g_tmp->next);
57139 ++ }
57140 ++
57141 ++ return 0;
57142 ++}
57143 ++
57144 ++static int
57145 ++copy_user_objs(struct acl_object_label *userp, struct acl_subject_label *subj,
57146 ++ struct acl_role_label *role)
57147 ++{
57148 ++ struct acl_object_label *o_tmp;
57149 ++ unsigned int len;
57150 ++ int ret;
57151 ++ char *tmp;
57152 ++
57153 ++ while (userp) {
57154 ++ if ((o_tmp = (struct acl_object_label *)
57155 ++ acl_alloc(sizeof (struct acl_object_label))) == NULL)
57156 ++ return -ENOMEM;
57157 ++
57158 ++ if (copy_from_user(o_tmp, userp,
57159 ++ sizeof (struct acl_object_label)))
57160 ++ return -EFAULT;
57161 ++
57162 ++ userp = o_tmp->prev;
57163 ++
57164 ++ len = strnlen_user(o_tmp->filename, PATH_MAX);
57165 ++
57166 ++ if (!len || len >= PATH_MAX)
57167 ++ return -EINVAL;
57168 ++
57169 ++ if ((tmp = (char *) acl_alloc(len)) == NULL)
57170 ++ return -ENOMEM;
57171 ++
57172 ++ if (copy_from_user(tmp, o_tmp->filename, len))
57173 ++ return -EFAULT;
57174 ++
57175 ++ o_tmp->filename = tmp;
57176 ++
57177 ++ insert_acl_obj_label(o_tmp, subj);
57178 ++ if (!insert_name_entry(o_tmp->filename, o_tmp->inode,
57179 ++ o_tmp->device, (o_tmp->mode & GR_DELETED) ? 1 : 0))
57180 ++ return -ENOMEM;
57181 ++
57182 ++ ret = copy_user_glob(o_tmp);
57183 ++ if (ret)
57184 ++ return ret;
57185 ++
57186 ++ if (o_tmp->nested) {
57187 ++ o_tmp->nested = do_copy_user_subj(o_tmp->nested, role);
57188 ++ if (IS_ERR(o_tmp->nested))
57189 ++ return PTR_ERR(o_tmp->nested);
57190 ++
57191 ++ /* insert into nested subject list */
57192 ++ o_tmp->nested->next = role->hash->first;
57193 ++ role->hash->first = o_tmp->nested;
57194 ++ }
57195 ++ }
57196 ++
57197 ++ return 0;
57198 ++}
57199 ++
57200 ++static __u32
57201 ++count_user_subjs(struct acl_subject_label *userp)
57202 ++{
57203 ++ struct acl_subject_label s_tmp;
57204 ++ __u32 num = 0;
57205 ++
57206 ++ while (userp) {
57207 ++ if (copy_from_user(&s_tmp, userp,
57208 ++ sizeof (struct acl_subject_label)))
57209 ++ break;
57210 ++
57211 ++ userp = s_tmp.prev;
57212 ++ /* do not count nested subjects against this count, since
57213 ++ they are not included in the hash table, but are
57214 ++ attached to objects. We have already counted
57215 ++ the subjects in userspace for the allocation
57216 ++ stack
57217 ++ */
57218 ++ if (!(s_tmp.mode & GR_NESTED))
57219 ++ num++;
57220 ++ }
57221 ++
57222 ++ return num;
57223 ++}
57224 ++
57225 ++static int
57226 ++copy_user_allowedips(struct acl_role_label *rolep)
57227 ++{
57228 ++ struct role_allowed_ip *ruserip, *rtmp = NULL, *rlast;
57229 ++
57230 ++ ruserip = rolep->allowed_ips;
57231 ++
57232 ++ while (ruserip) {
57233 ++ rlast = rtmp;
57234 ++
57235 ++ if ((rtmp = (struct role_allowed_ip *)
57236 ++ acl_alloc(sizeof (struct role_allowed_ip))) == NULL)
57237 ++ return -ENOMEM;
57238 ++
57239 ++ if (copy_from_user(rtmp, ruserip,
57240 ++ sizeof (struct role_allowed_ip)))
57241 ++ return -EFAULT;
57242 ++
57243 ++ ruserip = rtmp->prev;
57244 ++
57245 ++ if (!rlast) {
57246 ++ rtmp->prev = NULL;
57247 ++ rolep->allowed_ips = rtmp;
57248 ++ } else {
57249 ++ rlast->next = rtmp;
57250 ++ rtmp->prev = rlast;
57251 ++ }
57252 ++
57253 ++ if (!ruserip)
57254 ++ rtmp->next = NULL;
57255 ++ }
57256 ++
57257 ++ return 0;
57258 ++}
57259 ++
57260 ++static int
57261 ++copy_user_transitions(struct acl_role_label *rolep)
57262 ++{
57263 ++ struct role_transition *rusertp, *rtmp = NULL, *rlast;
57264 ++
57265 ++ unsigned int len;
57266 ++ char *tmp;
57267 ++
57268 ++ rusertp = rolep->transitions;
57269 ++
57270 ++ while (rusertp) {
57271 ++ rlast = rtmp;
57272 ++
57273 ++ if ((rtmp = (struct role_transition *)
57274 ++ acl_alloc(sizeof (struct role_transition))) == NULL)
57275 ++ return -ENOMEM;
57276 ++
57277 ++ if (copy_from_user(rtmp, rusertp,
57278 ++ sizeof (struct role_transition)))
57279 ++ return -EFAULT;
57280 ++
57281 ++ rusertp = rtmp->prev;
57282 ++
57283 ++ len = strnlen_user(rtmp->rolename, GR_SPROLE_LEN);
57284 ++
57285 ++ if (!len || len >= GR_SPROLE_LEN)
57286 ++ return -EINVAL;
57287 ++
57288 ++ if ((tmp = (char *) acl_alloc(len)) == NULL)
57289 ++ return -ENOMEM;
57290 ++
57291 ++ if (copy_from_user(tmp, rtmp->rolename, len))
57292 ++ return -EFAULT;
57293 ++
57294 ++ rtmp->rolename = tmp;
57295 ++
57296 ++ if (!rlast) {
57297 ++ rtmp->prev = NULL;
57298 ++ rolep->transitions = rtmp;
57299 ++ } else {
57300 ++ rlast->next = rtmp;
57301 ++ rtmp->prev = rlast;
57302 ++ }
57303 ++
57304 ++ if (!rusertp)
57305 ++ rtmp->next = NULL;
57306 ++ }
57307 ++
57308 ++ return 0;
57309 ++}
57310 ++
57311 ++static struct acl_subject_label *
57312 ++do_copy_user_subj(struct acl_subject_label *userp, struct acl_role_label *role)
57313 ++{
57314 ++ struct acl_subject_label *s_tmp = NULL, *s_tmp2;
57315 ++ unsigned int len;
57316 ++ char *tmp;
57317 ++ __u32 num_objs;
57318 ++ struct acl_ip_label **i_tmp, *i_utmp2;
57319 ++ struct gr_hash_struct ghash;
57320 ++ struct subject_map *subjmap;
57321 ++ unsigned int i_num;
57322 ++ int err;
57323 ++
57324 ++ s_tmp = lookup_subject_map(userp);
57325 ++
57326 ++ /* we've already copied this subject into the kernel, just return
57327 ++ the reference to it, and don't copy it over again
57328 ++ */
57329 ++ if (s_tmp)
57330 ++ return(s_tmp);
57331 ++
57332 ++ if ((s_tmp = (struct acl_subject_label *)
57333 ++ acl_alloc(sizeof (struct acl_subject_label))) == NULL)
57334 ++ return ERR_PTR(-ENOMEM);
57335 ++
57336 ++ subjmap = (struct subject_map *)kmalloc(sizeof (struct subject_map), GFP_KERNEL);
57337 ++ if (subjmap == NULL)
57338 ++ return ERR_PTR(-ENOMEM);
57339 ++
57340 ++ subjmap->user = userp;
57341 ++ subjmap->kernel = s_tmp;
57342 ++ insert_subj_map_entry(subjmap);
57343 ++
57344 ++ if (copy_from_user(s_tmp, userp,
57345 ++ sizeof (struct acl_subject_label)))
57346 ++ return ERR_PTR(-EFAULT);
57347 ++
57348 ++ len = strnlen_user(s_tmp->filename, PATH_MAX);
57349 ++
57350 ++ if (!len || len >= PATH_MAX)
57351 ++ return ERR_PTR(-EINVAL);
57352 ++
57353 ++ if ((tmp = (char *) acl_alloc(len)) == NULL)
57354 ++ return ERR_PTR(-ENOMEM);
57355 ++
57356 ++ if (copy_from_user(tmp, s_tmp->filename, len))
57357 ++ return ERR_PTR(-EFAULT);
57358 ++
57359 ++ s_tmp->filename = tmp;
57360 ++
57361 ++ if (!strcmp(s_tmp->filename, "/"))
57362 ++ role->root_label = s_tmp;
57363 ++
57364 ++ if (copy_from_user(&ghash, s_tmp->hash, sizeof(struct gr_hash_struct)))
57365 ++ return ERR_PTR(-EFAULT);
57366 ++
57367 ++ /* copy user and group transition tables */
57368 ++
57369 ++ if (s_tmp->user_trans_num) {
57370 ++ uid_t *uidlist;
57371 ++
57372 ++ uidlist = (uid_t *)acl_alloc(s_tmp->user_trans_num * sizeof(uid_t));
57373 ++ if (uidlist == NULL)
57374 ++ return ERR_PTR(-ENOMEM);
57375 ++ if (copy_from_user(uidlist, s_tmp->user_transitions, s_tmp->user_trans_num * sizeof(uid_t)))
57376 ++ return ERR_PTR(-EFAULT);
57377 ++
57378 ++ s_tmp->user_transitions = uidlist;
57379 ++ }
57380 ++
57381 ++ if (s_tmp->group_trans_num) {
57382 ++ gid_t *gidlist;
57383 ++
57384 ++ gidlist = (gid_t *)acl_alloc(s_tmp->group_trans_num * sizeof(gid_t));
57385 ++ if (gidlist == NULL)
57386 ++ return ERR_PTR(-ENOMEM);
57387 ++ if (copy_from_user(gidlist, s_tmp->group_transitions, s_tmp->group_trans_num * sizeof(gid_t)))
57388 ++ return ERR_PTR(-EFAULT);
57389 ++
57390 ++ s_tmp->group_transitions = gidlist;
57391 ++ }
57392 ++
57393 ++ /* set up object hash table */
57394 ++ num_objs = count_user_objs(ghash.first);
57395 ++
57396 ++ s_tmp->obj_hash_size = num_objs;
57397 ++ s_tmp->obj_hash =
57398 ++ (struct acl_object_label **)
57399 ++ create_table(&(s_tmp->obj_hash_size), sizeof(void *));
57400 ++
57401 ++ if (!s_tmp->obj_hash)
57402 ++ return ERR_PTR(-ENOMEM);
57403 ++
57404 ++ memset(s_tmp->obj_hash, 0,
57405 ++ s_tmp->obj_hash_size *
57406 ++ sizeof (struct acl_object_label *));
57407 ++
57408 ++ /* add in objects */
57409 ++ err = copy_user_objs(ghash.first, s_tmp, role);
57410 ++
57411 ++ if (err)
57412 ++ return ERR_PTR(err);
57413 ++
57414 ++ /* set pointer for parent subject */
57415 ++ if (s_tmp->parent_subject) {
57416 ++ s_tmp2 = do_copy_user_subj(s_tmp->parent_subject, role);
57417 ++
57418 ++ if (IS_ERR(s_tmp2))
57419 ++ return s_tmp2;
57420 ++
57421 ++ s_tmp->parent_subject = s_tmp2;
57422 ++ }
57423 ++
57424 ++ /* add in ip acls */
57425 ++
57426 ++ if (!s_tmp->ip_num) {
57427 ++ s_tmp->ips = NULL;
57428 ++ goto insert;
57429 ++ }
57430 ++
57431 ++ i_tmp =
57432 ++ (struct acl_ip_label **) acl_alloc(s_tmp->ip_num *
57433 ++ sizeof (struct
57434 ++ acl_ip_label *));
57435 ++
57436 ++ if (!i_tmp)
57437 ++ return ERR_PTR(-ENOMEM);
57438 ++
57439 ++ for (i_num = 0; i_num < s_tmp->ip_num; i_num++) {
57440 ++ *(i_tmp + i_num) =
57441 ++ (struct acl_ip_label *)
57442 ++ acl_alloc(sizeof (struct acl_ip_label));
57443 ++ if (!*(i_tmp + i_num))
57444 ++ return ERR_PTR(-ENOMEM);
57445 ++
57446 ++ if (copy_from_user
57447 ++ (&i_utmp2, s_tmp->ips + i_num,
57448 ++ sizeof (struct acl_ip_label *)))
57449 ++ return ERR_PTR(-EFAULT);
57450 ++
57451 ++ if (copy_from_user
57452 ++ (*(i_tmp + i_num), i_utmp2,
57453 ++ sizeof (struct acl_ip_label)))
57454 ++ return ERR_PTR(-EFAULT);
57455 ++
57456 ++ if ((*(i_tmp + i_num))->iface == NULL)
57457 ++ continue;
57458 ++
57459 ++ len = strnlen_user((*(i_tmp + i_num))->iface, IFNAMSIZ);
57460 ++ if (!len || len >= IFNAMSIZ)
57461 ++ return ERR_PTR(-EINVAL);
57462 ++ tmp = acl_alloc(len);
57463 ++ if (tmp == NULL)
57464 ++ return ERR_PTR(-ENOMEM);
57465 ++ if (copy_from_user(tmp, (*(i_tmp + i_num))->iface, len))
57466 ++ return ERR_PTR(-EFAULT);
57467 ++ (*(i_tmp + i_num))->iface = tmp;
57468 ++ }
57469 ++
57470 ++ s_tmp->ips = i_tmp;
57471 ++
57472 ++insert:
57473 ++ if (!insert_name_entry(s_tmp->filename, s_tmp->inode,
57474 ++ s_tmp->device, (s_tmp->mode & GR_DELETED) ? 1 : 0))
57475 ++ return ERR_PTR(-ENOMEM);
57476 ++
57477 ++ return s_tmp;
57478 ++}
57479 ++
57480 ++static int
57481 ++copy_user_subjs(struct acl_subject_label *userp, struct acl_role_label *role)
57482 ++{
57483 ++ struct acl_subject_label s_pre;
57484 ++ struct acl_subject_label * ret;
57485 ++ int err;
57486 ++
57487 ++ while (userp) {
57488 ++ if (copy_from_user(&s_pre, userp,
57489 ++ sizeof (struct acl_subject_label)))
57490 ++ return -EFAULT;
57491 ++
57492 ++ /* do not add nested subjects here, add
57493 ++ while parsing objects
57494 ++ */
57495 ++
57496 ++ if (s_pre.mode & GR_NESTED) {
57497 ++ userp = s_pre.prev;
57498 ++ continue;
57499 ++ }
57500 ++
57501 ++ ret = do_copy_user_subj(userp, role);
57502 ++
57503 ++ err = PTR_ERR(ret);
57504 ++ if (IS_ERR(ret))
57505 ++ return err;
57506 ++
57507 ++ insert_acl_subj_label(ret, role);
57508 ++
57509 ++ userp = s_pre.prev;
57510 ++ }
57511 ++
57512 ++ return 0;
57513 ++}
57514 ++
57515 ++static int
57516 ++copy_user_acl(struct gr_arg *arg)
57517 ++{
57518 ++ struct acl_role_label *r_tmp = NULL, **r_utmp, *r_utmp2;
57519 ++ struct sprole_pw *sptmp;
57520 ++ struct gr_hash_struct *ghash;
57521 ++ uid_t *domainlist;
57522 ++ unsigned int r_num;
57523 ++ unsigned int len;
57524 ++ char *tmp;
57525 ++ int err = 0;
57526 ++ __u16 i;
57527 ++ __u32 num_subjs;
57528 ++
57529 ++ /* we need a default and kernel role */
57530 ++ if (arg->role_db.num_roles < 2)
57531 ++ return -EINVAL;
57532 ++
57533 ++ /* copy special role authentication info from userspace */
57534 ++
57535 ++ num_sprole_pws = arg->num_sprole_pws;
57536 ++ acl_special_roles = (struct sprole_pw **) acl_alloc(num_sprole_pws * sizeof(struct sprole_pw *));
57537 ++
57538 ++ if (!acl_special_roles) {
57539 ++ err = -ENOMEM;
57540 ++ goto cleanup;
57541 ++ }
57542 ++
57543 ++ for (i = 0; i < num_sprole_pws; i++) {
57544 ++ sptmp = (struct sprole_pw *) acl_alloc(sizeof(struct sprole_pw));
57545 ++ if (!sptmp) {
57546 ++ err = -ENOMEM;
57547 ++ goto cleanup;
57548 ++ }
57549 ++ if (copy_from_user(sptmp, arg->sprole_pws + i,
57550 ++ sizeof (struct sprole_pw))) {
57551 ++ err = -EFAULT;
57552 ++ goto cleanup;
57553 ++ }
57554 ++
57555 ++ len =
57556 ++ strnlen_user(sptmp->rolename, GR_SPROLE_LEN);
57557 ++
57558 ++ if (!len || len >= GR_SPROLE_LEN) {
57559 ++ err = -EINVAL;
57560 ++ goto cleanup;
57561 ++ }
57562 ++
57563 ++ if ((tmp = (char *) acl_alloc(len)) == NULL) {
57564 ++ err = -ENOMEM;
57565 ++ goto cleanup;
57566 ++ }
57567 ++
57568 ++ if (copy_from_user(tmp, sptmp->rolename, len)) {
57569 ++ err = -EFAULT;
57570 ++ goto cleanup;
57571 ++ }
57572 ++
57573 ++#ifdef CONFIG_GRKERNSEC_ACL_DEBUG
57574 ++ printk(KERN_ALERT "Copying special role %s\n", tmp);
57575 ++#endif
57576 ++ sptmp->rolename = tmp;
57577 ++ acl_special_roles[i] = sptmp;
57578 ++ }
57579 ++
57580 ++ r_utmp = (struct acl_role_label **) arg->role_db.r_table;
57581 ++
57582 ++ for (r_num = 0; r_num < arg->role_db.num_roles; r_num++) {
57583 ++ r_tmp = acl_alloc(sizeof (struct acl_role_label));
57584 ++
57585 ++ if (!r_tmp) {
57586 ++ err = -ENOMEM;
57587 ++ goto cleanup;
57588 ++ }
57589 ++
57590 ++ if (copy_from_user(&r_utmp2, r_utmp + r_num,
57591 ++ sizeof (struct acl_role_label *))) {
57592 ++ err = -EFAULT;
57593 ++ goto cleanup;
57594 ++ }
57595 ++
57596 ++ if (copy_from_user(r_tmp, r_utmp2,
57597 ++ sizeof (struct acl_role_label))) {
57598 ++ err = -EFAULT;
57599 ++ goto cleanup;
57600 ++ }
57601 ++
57602 ++ len = strnlen_user(r_tmp->rolename, GR_SPROLE_LEN);
57603 ++
57604 ++ if (!len || len >= PATH_MAX) {
57605 ++ err = -EINVAL;
57606 ++ goto cleanup;
57607 ++ }
57608 ++
57609 ++ if ((tmp = (char *) acl_alloc(len)) == NULL) {
57610 ++ err = -ENOMEM;
57611 ++ goto cleanup;
57612 ++ }
57613 ++ if (copy_from_user(tmp, r_tmp->rolename, len)) {
57614 ++ err = -EFAULT;
57615 ++ goto cleanup;
57616 ++ }
57617 ++ r_tmp->rolename = tmp;
57618 ++
57619 ++ if (!strcmp(r_tmp->rolename, "default")
57620 ++ && (r_tmp->roletype & GR_ROLE_DEFAULT)) {
57621 ++ default_role = r_tmp;
57622 ++ } else if (!strcmp(r_tmp->rolename, ":::kernel:::")) {
57623 ++ kernel_role = r_tmp;
57624 ++ }
57625 ++
57626 ++ if ((ghash = (struct gr_hash_struct *) acl_alloc(sizeof(struct gr_hash_struct))) == NULL) {
57627 ++ err = -ENOMEM;
57628 ++ goto cleanup;
57629 ++ }
57630 ++ if (copy_from_user(ghash, r_tmp->hash, sizeof(struct gr_hash_struct))) {
57631 ++ err = -EFAULT;
57632 ++ goto cleanup;
57633 ++ }
57634 ++
57635 ++ r_tmp->hash = ghash;
57636 ++
57637 ++ num_subjs = count_user_subjs(r_tmp->hash->first);
57638 ++
57639 ++ r_tmp->subj_hash_size = num_subjs;
57640 ++ r_tmp->subj_hash =
57641 ++ (struct acl_subject_label **)
57642 ++ create_table(&(r_tmp->subj_hash_size), sizeof(void *));
57643 ++
57644 ++ if (!r_tmp->subj_hash) {
57645 ++ err = -ENOMEM;
57646 ++ goto cleanup;
57647 ++ }
57648 ++
57649 ++ err = copy_user_allowedips(r_tmp);
57650 ++ if (err)
57651 ++ goto cleanup;
57652 ++
57653 ++ /* copy domain info */
57654 ++ if (r_tmp->domain_children != NULL) {
57655 ++ domainlist = acl_alloc(r_tmp->domain_child_num * sizeof(uid_t));
57656 ++ if (domainlist == NULL) {
57657 ++ err = -ENOMEM;
57658 ++ goto cleanup;
57659 ++ }
57660 ++ if (copy_from_user(domainlist, r_tmp->domain_children, r_tmp->domain_child_num * sizeof(uid_t))) {
57661 ++ err = -EFAULT;
57662 ++ goto cleanup;
57663 ++ }
57664 ++ r_tmp->domain_children = domainlist;
57665 ++ }
57666 ++
57667 ++ err = copy_user_transitions(r_tmp);
57668 ++ if (err)
57669 ++ goto cleanup;
57670 ++
57671 ++ memset(r_tmp->subj_hash, 0,
57672 ++ r_tmp->subj_hash_size *
57673 ++ sizeof (struct acl_subject_label *));
57674 ++
57675 ++ err = copy_user_subjs(r_tmp->hash->first, r_tmp);
57676 ++
57677 ++ if (err)
57678 ++ goto cleanup;
57679 ++
57680 ++ /* set nested subject list to null */
57681 ++ r_tmp->hash->first = NULL;
57682 ++
57683 ++ insert_acl_role_label(r_tmp);
57684 ++ }
57685 ++
57686 ++ goto return_err;
57687 ++ cleanup:
57688 ++ free_variables();
57689 ++ return_err:
57690 ++ return err;
57691 ++
57692 ++}
57693 ++
57694 ++static int
57695 ++gracl_init(struct gr_arg *args)
57696 ++{
57697 ++ int error = 0;
57698 ++
57699 ++ memcpy(gr_system_salt, args->salt, GR_SALT_LEN);
57700 ++ memcpy(gr_system_sum, args->sum, GR_SHA_LEN);
57701 ++
57702 ++ if (init_variables(args)) {
57703 ++ gr_log_str(GR_DONT_AUDIT_GOOD, GR_INITF_ACL_MSG, GR_VERSION);
57704 ++ error = -ENOMEM;
57705 ++ free_variables();
57706 ++ goto out;
57707 ++ }
57708 ++
57709 ++ error = copy_user_acl(args);
57710 ++ free_init_variables();
57711 ++ if (error) {
57712 ++ free_variables();
57713 ++ goto out;
57714 ++ }
57715 ++
57716 ++ if ((error = gr_set_acls(0))) {
57717 ++ free_variables();
57718 ++ goto out;
57719 ++ }
57720 ++
57721 ++ gr_status |= GR_READY;
57722 ++ out:
57723 ++ return error;
57724 ++}
57725 ++
57726 ++/* derived from glibc fnmatch() 0: match, 1: no match*/
57727 ++
57728 ++static int
57729 ++glob_match(const char *p, const char *n)
57730 ++{
57731 ++ char c;
57732 ++
57733 ++ while ((c = *p++) != '\0') {
57734 ++ switch (c) {
57735 ++ case '?':
57736 ++ if (*n == '\0')
57737 ++ return 1;
57738 ++ else if (*n == '/')
57739 ++ return 1;
57740 ++ break;
57741 ++ case '\\':
57742 ++ if (*n != c)
57743 ++ return 1;
57744 ++ break;
57745 ++ case '*':
57746 ++ for (c = *p++; c == '?' || c == '*'; c = *p++) {
57747 ++ if (*n == '/')
57748 ++ return 1;
57749 ++ else if (c == '?') {
57750 ++ if (*n == '\0')
57751 ++ return 1;
57752 ++ else
57753 ++ ++n;
57754 ++ }
57755 ++ }
57756 ++ if (c == '\0') {
57757 ++ return 0;
57758 ++ } else {
57759 ++ const char *endp;
57760 ++
57761 ++ if ((endp = strchr(n, '/')) == NULL)
57762 ++ endp = n + strlen(n);
57763 ++
57764 ++ if (c == '[') {
57765 ++ for (--p; n < endp; ++n)
57766 ++ if (!glob_match(p, n))
57767 ++ return 0;
57768 ++ } else if (c == '/') {
57769 ++ while (*n != '\0' && *n != '/')
57770 ++ ++n;
57771 ++ if (*n == '/' && !glob_match(p, n + 1))
57772 ++ return 0;
57773 ++ } else {
57774 ++ for (--p; n < endp; ++n)
57775 ++ if (*n == c && !glob_match(p, n))
57776 ++ return 0;
57777 ++ }
57778 ++
57779 ++ return 1;
57780 ++ }
57781 ++ case '[':
57782 ++ {
57783 ++ int not;
57784 ++ char cold;
57785 ++
57786 ++ if (*n == '\0' || *n == '/')
57787 ++ return 1;
57788 ++
57789 ++ not = (*p == '!' || *p == '^');
57790 ++ if (not)
57791 ++ ++p;
57792 ++
57793 ++ c = *p++;
57794 ++ for (;;) {
57795 ++ unsigned char fn = (unsigned char)*n;
57796 ++
57797 ++ if (c == '\0')
57798 ++ return 1;
57799 ++ else {
57800 ++ if (c == fn)
57801 ++ goto matched;
57802 ++ cold = c;
57803 ++ c = *p++;
57804 ++
57805 ++ if (c == '-' && *p != ']') {
57806 ++ unsigned char cend = *p++;
57807 ++
57808 ++ if (cend == '\0')
57809 ++ return 1;
57810 ++
57811 ++ if (cold <= fn && fn <= cend)
57812 ++ goto matched;
57813 ++
57814 ++ c = *p++;
57815 ++ }
57816 ++ }
57817 ++
57818 ++ if (c == ']')
57819 ++ break;
57820 ++ }
57821 ++ if (!not)
57822 ++ return 1;
57823 ++ break;
57824 ++ matched:
57825 ++ while (c != ']') {
57826 ++ if (c == '\0')
57827 ++ return 1;
57828 ++
57829 ++ c = *p++;
57830 ++ }
57831 ++ if (not)
57832 ++ return 1;
57833 ++ }
57834 ++ break;
57835 ++ default:
57836 ++ if (c != *n)
57837 ++ return 1;
57838 ++ }
57839 ++
57840 ++ ++n;
57841 ++ }
57842 ++
57843 ++ if (*n == '\0')
57844 ++ return 0;
57845 ++
57846 ++ if (*n == '/')
57847 ++ return 0;
57848 ++
57849 ++ return 1;
57850 ++}
57851 ++
57852 ++static struct acl_object_label *
57853 ++chk_glob_label(struct acl_object_label *globbed,
57854 ++ struct dentry *dentry, struct vfsmount *mnt, char **path)
57855 ++{
57856 ++ struct acl_object_label *tmp;
57857 ++
57858 ++ if (*path == NULL)
57859 ++ *path = gr_to_filename_nolock(dentry, mnt);
57860 ++
57861 ++ tmp = globbed;
57862 ++
57863 ++ while (tmp) {
57864 ++ if (!glob_match(tmp->filename, *path))
57865 ++ return tmp;
57866 ++ tmp = tmp->next;
57867 ++ }
57868 ++
57869 ++ return NULL;
57870 ++}
57871 ++
57872 ++static struct acl_object_label *
57873 ++__full_lookup(const struct dentry *orig_dentry, const struct vfsmount *orig_mnt,
57874 ++ const ino_t curr_ino, const dev_t curr_dev,
57875 ++ const struct acl_subject_label *subj, char **path)
57876 ++{
57877 ++ struct acl_subject_label *tmpsubj;
57878 ++ struct acl_object_label *retval;
57879 ++ struct acl_object_label *retval2;
57880 ++
57881 ++ tmpsubj = (struct acl_subject_label *) subj;
57882 ++ read_lock(&gr_inode_lock);
57883 ++ do {
57884 ++ retval = lookup_acl_obj_label(curr_ino, curr_dev, tmpsubj);
57885 ++ if (retval) {
57886 ++ if (retval->globbed) {
57887 ++ retval2 = chk_glob_label(retval->globbed, (struct dentry *)orig_dentry,
57888 ++ (struct vfsmount *)orig_mnt, path);
57889 ++ if (retval2)
57890 ++ retval = retval2;
57891 ++ }
57892 ++ break;
57893 ++ }
57894 ++ } while ((tmpsubj = tmpsubj->parent_subject));
57895 ++ read_unlock(&gr_inode_lock);
57896 ++
57897 ++ return retval;
57898 ++}
57899 ++
57900 ++static __inline__ struct acl_object_label *
57901 ++full_lookup(const struct dentry *orig_dentry, const struct vfsmount *orig_mnt,
57902 ++ const struct dentry *curr_dentry,
57903 ++ const struct acl_subject_label *subj, char **path)
57904 ++{
57905 ++ return __full_lookup(orig_dentry, orig_mnt,
57906 ++ curr_dentry->d_inode->i_ino,
57907 ++ curr_dentry->d_inode->i_sb->s_dev, subj, path);
57908 ++}
57909 ++
57910 ++static struct acl_object_label *
57911 ++__chk_obj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
57912 ++ const struct acl_subject_label *subj, char *path)
57913 ++{
57914 ++ struct dentry *dentry = (struct dentry *) l_dentry;
57915 ++ struct vfsmount *mnt = (struct vfsmount *) l_mnt;
57916 ++ struct acl_object_label *retval;
57917 ++
57918 ++ spin_lock(&dcache_lock);
57919 ++
57920 ++ if (unlikely(mnt == shm_mnt || mnt == pipe_mnt || mnt == sock_mnt ||
57921 ++ /* ignore Eric Biederman */
57922 ++ IS_PRIVATE(l_dentry->d_inode))) {
57923 ++ retval = fakefs_obj;
57924 ++ goto out;
57925 ++ }
57926 ++
57927 ++ for (;;) {
57928 ++ if (dentry == real_root && mnt == real_root_mnt)
57929 ++ break;
57930 ++
57931 ++ if (dentry == mnt->mnt_root || IS_ROOT(dentry)) {
57932 ++ if (mnt->mnt_parent == mnt)
57933 ++ break;
57934 ++
57935 ++ retval = full_lookup(l_dentry, l_mnt, dentry, subj, &path);
57936 ++ if (retval != NULL)
57937 ++ goto out;
57938 ++
57939 ++ dentry = mnt->mnt_mountpoint;
57940 ++ mnt = mnt->mnt_parent;
57941 ++ continue;
57942 ++ }
57943 ++
57944 ++ retval = full_lookup(l_dentry, l_mnt, dentry, subj, &path);
57945 ++ if (retval != NULL)
57946 ++ goto out;
57947 ++
57948 ++ dentry = dentry->d_parent;
57949 ++ }
57950 ++
57951 ++ retval = full_lookup(l_dentry, l_mnt, dentry, subj, &path);
57952 ++
57953 ++ if (retval == NULL)
57954 ++ retval = full_lookup(l_dentry, l_mnt, real_root, subj, &path);
57955 ++out:
57956 ++ spin_unlock(&dcache_lock);
57957 ++ return retval;
57958 ++}
57959 ++
57960 ++static __inline__ struct acl_object_label *
57961 ++chk_obj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
57962 ++ const struct acl_subject_label *subj)
57963 ++{
57964 ++ char *path = NULL;
57965 ++ return __chk_obj_label(l_dentry, l_mnt, subj, path);
57966 ++}
57967 ++
57968 ++static __inline__ struct acl_object_label *
57969 ++chk_obj_create_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
57970 ++ const struct acl_subject_label *subj, char *path)
57971 ++{
57972 ++ return __chk_obj_label(l_dentry, l_mnt, subj, path);
57973 ++}
57974 ++
57975 ++static struct acl_subject_label *
57976 ++chk_subj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
57977 ++ const struct acl_role_label *role)
57978 ++{
57979 ++ struct dentry *dentry = (struct dentry *) l_dentry;
57980 ++ struct vfsmount *mnt = (struct vfsmount *) l_mnt;
57981 ++ struct acl_subject_label *retval;
57982 ++
57983 ++ spin_lock(&dcache_lock);
57984 ++
57985 ++ for (;;) {
57986 ++ if (dentry == real_root && mnt == real_root_mnt)
57987 ++ break;
57988 ++ if (dentry == mnt->mnt_root || IS_ROOT(dentry)) {
57989 ++ if (mnt->mnt_parent == mnt)
57990 ++ break;
57991 ++
57992 ++ read_lock(&gr_inode_lock);
57993 ++ retval =
57994 ++ lookup_acl_subj_label(dentry->d_inode->i_ino,
57995 ++ dentry->d_inode->i_sb->s_dev, role);
57996 ++ read_unlock(&gr_inode_lock);
57997 ++ if (retval != NULL)
57998 ++ goto out;
57999 ++
58000 ++ dentry = mnt->mnt_mountpoint;
58001 ++ mnt = mnt->mnt_parent;
58002 ++ continue;
58003 ++ }
58004 ++
58005 ++ read_lock(&gr_inode_lock);
58006 ++ retval = lookup_acl_subj_label(dentry->d_inode->i_ino,
58007 ++ dentry->d_inode->i_sb->s_dev, role);
58008 ++ read_unlock(&gr_inode_lock);
58009 ++ if (retval != NULL)
58010 ++ goto out;
58011 ++
58012 ++ dentry = dentry->d_parent;
58013 ++ }
58014 ++
58015 ++ read_lock(&gr_inode_lock);
58016 ++ retval = lookup_acl_subj_label(dentry->d_inode->i_ino,
58017 ++ dentry->d_inode->i_sb->s_dev, role);
58018 ++ read_unlock(&gr_inode_lock);
58019 ++
58020 ++ if (unlikely(retval == NULL)) {
58021 ++ read_lock(&gr_inode_lock);
58022 ++ retval = lookup_acl_subj_label(real_root->d_inode->i_ino,
58023 ++ real_root->d_inode->i_sb->s_dev, role);
58024 ++ read_unlock(&gr_inode_lock);
58025 ++ }
58026 ++out:
58027 ++ spin_unlock(&dcache_lock);
58028 ++
58029 ++ return retval;
58030 ++}
58031 ++
58032 ++static void
58033 ++gr_log_learn(const struct task_struct *task, const struct dentry *dentry, const struct vfsmount *mnt, const __u32 mode)
58034 ++{
58035 ++ security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename, task->role->roletype,
58036 ++ task->uid, task->gid, task->exec_file ? gr_to_filename1(task->exec_file->f_dentry,
58037 ++ task->exec_file->f_vfsmnt) : task->acl->filename, task->acl->filename,
58038 ++ 1, 1, gr_to_filename(dentry, mnt), (unsigned long) mode, NIPQUAD(task->signal->curr_ip));
58039 ++
58040 ++ return;
58041 ++}
58042 ++
58043 ++static void
58044 ++gr_log_learn_sysctl(const struct task_struct *task, const char *path, const __u32 mode)
58045 ++{
58046 ++ security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename, task->role->roletype,
58047 ++ task->uid, task->gid, task->exec_file ? gr_to_filename1(task->exec_file->f_dentry,
58048 ++ task->exec_file->f_vfsmnt) : task->acl->filename, task->acl->filename,
58049 ++ 1, 1, path, (unsigned long) mode, NIPQUAD(task->signal->curr_ip));
58050 ++
58051 ++ return;
58052 ++}
58053 ++
58054 ++static void
58055 ++gr_log_learn_id_change(const struct task_struct *task, const char type, const unsigned int real,
58056 ++ const unsigned int effective, const unsigned int fs)
58057 ++{
58058 ++ security_learn(GR_ID_LEARN_MSG, task->role->rolename, task->role->roletype,
58059 ++ task->uid, task->gid, task->exec_file ? gr_to_filename1(task->exec_file->f_dentry,
58060 ++ task->exec_file->f_vfsmnt) : task->acl->filename, task->acl->filename,
58061 ++ type, real, effective, fs, NIPQUAD(task->signal->curr_ip));
58062 ++
58063 ++ return;
58064 ++}
58065 ++
58066 ++__u32
58067 ++gr_check_link(const struct dentry * new_dentry,
58068 ++ const struct dentry * parent_dentry,
58069 ++ const struct vfsmount * parent_mnt,
58070 ++ const struct dentry * old_dentry, const struct vfsmount * old_mnt)
58071 ++{
58072 ++ struct acl_object_label *obj;
58073 ++ __u32 oldmode, newmode;
58074 ++ __u32 needmode;
58075 ++
58076 ++ if (unlikely(!(gr_status & GR_READY)))
58077 ++ return (GR_CREATE | GR_LINK);
58078 ++
58079 ++ obj = chk_obj_label(old_dentry, old_mnt, current->acl);
58080 ++ oldmode = obj->mode;
58081 ++
58082 ++ if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN))
58083 ++ oldmode |= (GR_CREATE | GR_LINK);
58084 ++
58085 ++ needmode = GR_CREATE | GR_AUDIT_CREATE | GR_SUPPRESS;
58086 ++ if (old_dentry->d_inode->i_mode & (S_ISUID | S_ISGID))
58087 ++ needmode |= GR_SETID | GR_AUDIT_SETID;
58088 ++
58089 ++ newmode =
58090 ++ gr_check_create(new_dentry, parent_dentry, parent_mnt,
58091 ++ oldmode | needmode);
58092 ++
58093 ++ needmode = newmode & (GR_FIND | GR_APPEND | GR_WRITE | GR_EXEC |
58094 ++ GR_SETID | GR_READ | GR_FIND | GR_DELETE |
58095 ++ GR_INHERIT | GR_AUDIT_INHERIT);
58096 ++
58097 ++ if (old_dentry->d_inode->i_mode & (S_ISUID | S_ISGID) && !(newmode & GR_SETID))
58098 ++ goto bad;
58099 ++
58100 ++ if ((oldmode & needmode) != needmode)
58101 ++ goto bad;
58102 ++
58103 ++ needmode = oldmode & (GR_NOPTRACE | GR_PTRACERD | GR_INHERIT | GR_AUDITS);
58104 ++ if ((newmode & needmode) != needmode)
58105 ++ goto bad;
58106 ++
58107 ++ if ((newmode & (GR_CREATE | GR_LINK)) == (GR_CREATE | GR_LINK))
58108 ++ return newmode;
58109 ++bad:
58110 ++ needmode = oldmode;
58111 ++ if (old_dentry->d_inode->i_mode & (S_ISUID | S_ISGID))
58112 ++ needmode |= GR_SETID;
58113 ++
58114 ++ if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN)) {
58115 ++ gr_log_learn(current, old_dentry, old_mnt, needmode);
58116 ++ return (GR_CREATE | GR_LINK);
58117 ++ } else if (newmode & GR_SUPPRESS)
58118 ++ return GR_SUPPRESS;
58119 ++ else
58120 ++ return 0;
58121 ++}
58122 ++
58123 ++__u32
58124 ++gr_search_file(const struct dentry * dentry, const __u32 mode,
58125 ++ const struct vfsmount * mnt)
58126 ++{
58127 ++ __u32 retval = mode;
58128 ++ struct acl_subject_label *curracl;
58129 ++ struct acl_object_label *currobj;
58130 ++
58131 ++ if (unlikely(!(gr_status & GR_READY)))
58132 ++ return (mode & ~GR_AUDITS);
58133 ++
58134 ++ curracl = current->acl;
58135 ++
58136 ++ currobj = chk_obj_label(dentry, mnt, curracl);
58137 ++ retval = currobj->mode & mode;
58138 ++
58139 ++ if (unlikely
58140 ++ ((curracl->mode & (GR_LEARN | GR_INHERITLEARN)) && !(mode & GR_NOPTRACE)
58141 ++ && (retval != (mode & ~(GR_AUDITS | GR_SUPPRESS))))) {
58142 ++ __u32 new_mode = mode;
58143 ++
58144 ++ new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
58145 ++
58146 ++ retval = new_mode;
58147 ++
58148 ++ if (new_mode & GR_EXEC && curracl->mode & GR_INHERITLEARN)
58149 ++ new_mode |= GR_INHERIT;
58150 ++
58151 ++ if (!(mode & GR_NOLEARN))
58152 ++ gr_log_learn(current, dentry, mnt, new_mode);
58153 ++ }
58154 ++
58155 ++ return retval;
58156 ++}
58157 ++
58158 ++__u32
58159 ++gr_check_create(const struct dentry * new_dentry, const struct dentry * parent,
58160 ++ const struct vfsmount * mnt, const __u32 mode)
58161 ++{
58162 ++ struct name_entry *match;
58163 ++ struct acl_object_label *matchpo;
58164 ++ struct acl_subject_label *curracl;
58165 ++ char *path;
58166 ++ __u32 retval;
58167 ++
58168 ++ if (unlikely(!(gr_status & GR_READY)))
58169 ++ return (mode & ~GR_AUDITS);
58170 ++
58171 ++ preempt_disable();
58172 ++ path = gr_to_filename_rbac(new_dentry, mnt);
58173 ++ match = lookup_name_entry_create(path);
58174 ++
58175 ++ if (!match)
58176 ++ goto check_parent;
58177 ++
58178 ++ curracl = current->acl;
58179 ++
58180 ++ read_lock(&gr_inode_lock);
58181 ++ matchpo = lookup_acl_obj_label_create(match->inode, match->device, curracl);
58182 ++ read_unlock(&gr_inode_lock);
58183 ++
58184 ++ if (matchpo) {
58185 ++ if ((matchpo->mode & mode) !=
58186 ++ (mode & ~(GR_AUDITS | GR_SUPPRESS))
58187 ++ && curracl->mode & (GR_LEARN | GR_INHERITLEARN)) {
58188 ++ __u32 new_mode = mode;
58189 ++
58190 ++ new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
58191 ++
58192 ++ gr_log_learn(current, new_dentry, mnt, new_mode);
58193 ++
58194 ++ preempt_enable();
58195 ++ return new_mode;
58196 ++ }
58197 ++ preempt_enable();
58198 ++ return (matchpo->mode & mode);
58199 ++ }
58200 ++
58201 ++ check_parent:
58202 ++ curracl = current->acl;
58203 ++
58204 ++ matchpo = chk_obj_create_label(parent, mnt, curracl, path);
58205 ++ retval = matchpo->mode & mode;
58206 ++
58207 ++ if ((retval != (mode & ~(GR_AUDITS | GR_SUPPRESS)))
58208 ++ && (curracl->mode & (GR_LEARN | GR_INHERITLEARN))) {
58209 ++ __u32 new_mode = mode;
58210 ++
58211 ++ new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
58212 ++
58213 ++ gr_log_learn(current, new_dentry, mnt, new_mode);
58214 ++ preempt_enable();
58215 ++ return new_mode;
58216 ++ }
58217 ++
58218 ++ preempt_enable();
58219 ++ return retval;
58220 ++}
58221 ++
58222 ++int
58223 ++gr_check_hidden_task(const struct task_struct *task)
58224 ++{
58225 ++ if (unlikely(!(gr_status & GR_READY)))
58226 ++ return 0;
58227 ++
58228 ++ if (!(task->acl->mode & GR_PROCFIND) && !(current->acl->mode & GR_VIEW))
58229 ++ return 1;
58230 ++
58231 ++ return 0;
58232 ++}
58233 ++
58234 ++int
58235 ++gr_check_protected_task(const struct task_struct *task)
58236 ++{
58237 ++ if (unlikely(!(gr_status & GR_READY) || !task))
58238 ++ return 0;
58239 ++
58240 ++ if ((task->acl->mode & GR_PROTECTED) && !(current->acl->mode & GR_KILL) &&
58241 ++ task->acl != current->acl)
58242 ++ return 1;
58243 ++
58244 ++ return 0;
58245 ++}
58246 ++
58247 ++void
58248 ++gr_copy_label(struct task_struct *tsk)
58249 ++{
58250 ++ tsk->signal->used_accept = 0;
58251 ++ tsk->acl_sp_role = 0;
58252 ++ tsk->acl_role_id = current->acl_role_id;
58253 ++ tsk->acl = current->acl;
58254 ++ tsk->role = current->role;
58255 ++ tsk->signal->curr_ip = current->signal->curr_ip;
58256 ++ if (current->exec_file)
58257 ++ get_file(current->exec_file);
58258 ++ tsk->exec_file = current->exec_file;
58259 ++ tsk->is_writable = current->is_writable;
58260 ++ if (unlikely(current->signal->used_accept))
58261 ++ current->signal->curr_ip = 0;
58262 ++
58263 ++ return;
58264 ++}
58265 ++
58266 ++static void
58267 ++gr_set_proc_res(struct task_struct *task)
58268 ++{
58269 ++ struct acl_subject_label *proc;
58270 ++ unsigned short i;
58271 ++
58272 ++ proc = task->acl;
58273 ++
58274 ++ if (proc->mode & (GR_LEARN | GR_INHERITLEARN))
58275 ++ return;
58276 ++
58277 ++ for (i = 0; i < (GR_NLIMITS - 1); i++) {
58278 ++ if (!(proc->resmask & (1 << i)))
58279 ++ continue;
58280 ++
58281 ++ task->signal->rlim[i].rlim_cur = proc->res[i].rlim_cur;
58282 ++ task->signal->rlim[i].rlim_max = proc->res[i].rlim_max;
58283 ++ }
58284 ++
58285 ++ return;
58286 ++}
58287 ++
58288 ++int
58289 ++gr_check_user_change(int real, int effective, int fs)
58290 ++{
58291 ++ unsigned int i;
58292 ++ __u16 num;
58293 ++ uid_t *uidlist;
58294 ++ int curuid;
58295 ++ int realok = 0;
58296 ++ int effectiveok = 0;
58297 ++ int fsok = 0;
58298 ++
58299 ++ if (unlikely(!(gr_status & GR_READY)))
58300 ++ return 0;
58301 ++
58302 ++ if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN))
58303 ++ gr_log_learn_id_change(current, 'u', real, effective, fs);
58304 ++
58305 ++ num = current->acl->user_trans_num;
58306 ++ uidlist = current->acl->user_transitions;
58307 ++
58308 ++ if (uidlist == NULL)
58309 ++ return 0;
58310 ++
58311 ++ if (real == -1)
58312 ++ realok = 1;
58313 ++ if (effective == -1)
58314 ++ effectiveok = 1;
58315 ++ if (fs == -1)
58316 ++ fsok = 1;
58317 ++
58318 ++ if (current->acl->user_trans_type & GR_ID_ALLOW) {
58319 ++ for (i = 0; i < num; i++) {
58320 ++ curuid = (int)uidlist[i];
58321 ++ if (real == curuid)
58322 ++ realok = 1;
58323 ++ if (effective == curuid)
58324 ++ effectiveok = 1;
58325 ++ if (fs == curuid)
58326 ++ fsok = 1;
58327 ++ }
58328 ++ } else if (current->acl->user_trans_type & GR_ID_DENY) {
58329 ++ for (i = 0; i < num; i++) {
58330 ++ curuid = (int)uidlist[i];
58331 ++ if (real == curuid)
58332 ++ break;
58333 ++ if (effective == curuid)
58334 ++ break;
58335 ++ if (fs == curuid)
58336 ++ break;
58337 ++ }
58338 ++ /* not in deny list */
58339 ++ if (i == num) {
58340 ++ realok = 1;
58341 ++ effectiveok = 1;
58342 ++ fsok = 1;
58343 ++ }
58344 ++ }
58345 ++
58346 ++ if (realok && effectiveok && fsok)
58347 ++ return 0;
58348 ++ else {
58349 ++ gr_log_int(GR_DONT_AUDIT, GR_USRCHANGE_ACL_MSG, realok ? (effectiveok ? (fsok ? 0 : fs) : effective) : real);
58350 ++ return 1;
58351 ++ }
58352 ++}
58353 ++
58354 ++int
58355 ++gr_check_group_change(int real, int effective, int fs)
58356 ++{
58357 ++ unsigned int i;
58358 ++ __u16 num;
58359 ++ gid_t *gidlist;
58360 ++ int curgid;
58361 ++ int realok = 0;
58362 ++ int effectiveok = 0;
58363 ++ int fsok = 0;
58364 ++
58365 ++ if (unlikely(!(gr_status & GR_READY)))
58366 ++ return 0;
58367 ++
58368 ++ if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN))
58369 ++ gr_log_learn_id_change(current, 'g', real, effective, fs);
58370 ++
58371 ++ num = current->acl->group_trans_num;
58372 ++ gidlist = current->acl->group_transitions;
58373 ++
58374 ++ if (gidlist == NULL)
58375 ++ return 0;
58376 ++
58377 ++ if (real == -1)
58378 ++ realok = 1;
58379 ++ if (effective == -1)
58380 ++ effectiveok = 1;
58381 ++ if (fs == -1)
58382 ++ fsok = 1;
58383 ++
58384 ++ if (current->acl->group_trans_type & GR_ID_ALLOW) {
58385 ++ for (i = 0; i < num; i++) {
58386 ++ curgid = (int)gidlist[i];
58387 ++ if (real == curgid)
58388 ++ realok = 1;
58389 ++ if (effective == curgid)
58390 ++ effectiveok = 1;
58391 ++ if (fs == curgid)
58392 ++ fsok = 1;
58393 ++ }
58394 ++ } else if (current->acl->group_trans_type & GR_ID_DENY) {
58395 ++ for (i = 0; i < num; i++) {
58396 ++ curgid = (int)gidlist[i];
58397 ++ if (real == curgid)
58398 ++ break;
58399 ++ if (effective == curgid)
58400 ++ break;
58401 ++ if (fs == curgid)
58402 ++ break;
58403 ++ }
58404 ++ /* not in deny list */
58405 ++ if (i == num) {
58406 ++ realok = 1;
58407 ++ effectiveok = 1;
58408 ++ fsok = 1;
58409 ++ }
58410 ++ }
58411 ++
58412 ++ if (realok && effectiveok && fsok)
58413 ++ return 0;
58414 ++ else {
58415 ++ gr_log_int(GR_DONT_AUDIT, GR_GRPCHANGE_ACL_MSG, realok ? (effectiveok ? (fsok ? 0 : fs) : effective) : real);
58416 ++ return 1;
58417 ++ }
58418 ++}
58419 ++
58420 ++void
58421 ++gr_set_role_label(struct task_struct *task, const uid_t uid, const uid_t gid)
58422 ++{
58423 ++ struct acl_role_label *role = task->role;
58424 ++ struct acl_subject_label *subj = NULL;
58425 ++ struct acl_object_label *obj;
58426 ++ struct file *filp;
58427 ++
58428 ++ if (unlikely(!(gr_status & GR_READY)))
58429 ++ return;
58430 ++
58431 ++ filp = task->exec_file;
58432 ++
58433 ++ /* kernel process, we'll give them the kernel role */
58434 ++ if (unlikely(!filp)) {
58435 ++ task->role = kernel_role;
58436 ++ task->acl = kernel_role->root_label;
58437 ++ return;
58438 ++ } else if (!task->role || !(task->role->roletype & GR_ROLE_SPECIAL))
58439 ++ role = lookup_acl_role_label(task, uid, gid);
58440 ++
58441 ++ /* perform subject lookup in possibly new role
58442 ++ we can use this result below in the case where role == task->role
58443 ++ */
58444 ++ subj = chk_subj_label(filp->f_dentry, filp->f_vfsmnt, role);
58445 ++
58446 ++ /* if we changed uid/gid, but result in the same role
58447 ++ and are using inheritance, don't lose the inherited subject
58448 ++ if current subject is other than what normal lookup
58449 ++ would result in, we arrived via inheritance, don't
58450 ++ lose subject
58451 ++ */
58452 ++ if (role != task->role || (!(task->acl->mode & GR_INHERITLEARN) &&
58453 ++ (subj == task->acl)))
58454 ++ task->acl = subj;
58455 ++
58456 ++ task->role = role;
58457 ++
58458 ++ task->is_writable = 0;
58459 ++
58460 ++ /* ignore additional mmap checks for processes that are writable
58461 ++ by the default ACL */
58462 ++ obj = chk_obj_label(filp->f_dentry, filp->f_vfsmnt, default_role->root_label);
58463 ++ if (unlikely(obj->mode & GR_WRITE))
58464 ++ task->is_writable = 1;
58465 ++ obj = chk_obj_label(filp->f_dentry, filp->f_vfsmnt, task->role->root_label);
58466 ++ if (unlikely(obj->mode & GR_WRITE))
58467 ++ task->is_writable = 1;
58468 ++
58469 ++#ifdef CONFIG_GRKERNSEC_ACL_DEBUG
58470 ++ printk(KERN_ALERT "Set role label for (%s:%d): role:%s, subject:%s\n", task->comm, task->pid, task->role->rolename, task->acl->filename);
58471 ++#endif
58472 ++
58473 ++ gr_set_proc_res(task);
58474 ++
58475 ++ return;
58476 ++}
58477 ++
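Review bot: the second clause of the condition guarding `task->acl = subj` in gr_set_role_label(), `(!(task->acl->mode & GR_INHERITLEARN) && (subj == task->acl))`, only fires when `subj` is already equal to `task->acl`, so the assignment it enables changes nothing and the only case that actually updates the subject is `role != task->role`. The comment above it describes the opposite intent (keep an inherited subject when the normal lookup would give a different one), which this expression does not implement; either the comment should be corrected or the clause should test for `subj` differing from `task->acl` together with whatever condition is meant to identify an inherited subject. Separately, the result of chk_subj_label() is dereferenced unconditionally here (`task->acl->mode`, and `task->acl->filename` in the debug printk) while gr_set_acls() later in this file treats a NULL result as an error; the two call sites should agree, or a comment should say why NULL cannot occur on this path.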
58478 ++int
58479 ++gr_set_proc_label(const struct dentry *dentry, const struct vfsmount *mnt)
58480 ++{
58481 ++ struct task_struct *task = current;
58482 ++ struct acl_subject_label *newacl;
58483 ++ struct acl_object_label *obj;
58484 ++ __u32 retmode;
58485 ++
58486 ++ if (unlikely(!(gr_status & GR_READY)))
58487 ++ return 0;
58488 ++
58489 ++ newacl = chk_subj_label(dentry, mnt, task->role);
58490 ++
58491 ++ task_lock(task);
58492 ++ if (((task->ptrace & PT_PTRACED) && !(task->acl->mode &
58493 ++ GR_POVERRIDE) && (task->acl != newacl) &&
58494 ++ !(task->role->roletype & GR_ROLE_GOD) &&
58495 ++ !gr_search_file(dentry, GR_PTRACERD, mnt) &&
58496 ++ !(task->acl->mode & (GR_LEARN | GR_INHERITLEARN))) ||
58497 ++ (atomic_read(&task->fs->count) > 1 ||
58498 ++ atomic_read(&task->files->count) > 1 ||
58499 ++ atomic_read(&task->sighand->count) > 1)) {
58500 ++ task_unlock(task);
58501 ++ gr_log_fs_generic(GR_DONT_AUDIT, GR_PTRACE_EXEC_ACL_MSG, dentry, mnt);
58502 ++ return -EACCES;
58503 ++ }
58504 ++ task_unlock(task);
58505 ++
58506 ++ obj = chk_obj_label(dentry, mnt, task->acl);
58507 ++ retmode = obj->mode & (GR_INHERIT | GR_AUDIT_INHERIT);
58508 ++
58509 ++ if (!(task->acl->mode & GR_INHERITLEARN) &&
58510 ++ ((newacl->mode & GR_LEARN) || !(retmode & GR_INHERIT))) {
58511 ++ if (obj->nested)
58512 ++ task->acl = obj->nested;
58513 ++ else
58514 ++ task->acl = newacl;
58515 ++ } else if (retmode & GR_INHERIT && retmode & GR_AUDIT_INHERIT)
58516 ++ gr_log_str_fs(GR_DO_AUDIT, GR_INHERIT_ACL_MSG, task->acl->filename, dentry, mnt);
58517 ++
58518 ++ task->is_writable = 0;
58519 ++
58520 ++ /* ignore additional mmap checks for processes that are writable
58521 ++ by the default ACL */
58522 ++ obj = chk_obj_label(dentry, mnt, default_role->root_label);
58523 ++ if (unlikely(obj->mode & GR_WRITE))
58524 ++ task->is_writable = 1;
58525 ++ obj = chk_obj_label(dentry, mnt, task->role->root_label);
58526 ++ if (unlikely(obj->mode & GR_WRITE))
58527 ++ task->is_writable = 1;
58528 ++
58529 ++ gr_set_proc_res(task);
58530 ++
58531 ++#ifdef CONFIG_GRKERNSEC_ACL_DEBUG
58532 ++ printk(KERN_ALERT "Set subject label for (%s:%d): role:%s, subject:%s\n", task->comm, task->pid, task->role->rolename, task->acl->filename);
58533 ++#endif
58534 ++ return 0;
58535 ++}
58536 ++
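Review bot: the deny condition in gr_set_proc_label() has two independent halves joined by `||`, and the second one, `atomic_read(&task->fs->count) > 1 || atomic_read(&task->files->count) > 1 || atomic_read(&task->sighand->count) > 1`, refuses the exec whenever the task still shares fs, files or sighand state regardless of PT_PTRACED, GR_POVERRIDE, GR_ROLE_GOD or learn mode, yet the refusal is logged as GR_PTRACE_EXEC_ACL_MSG. A short comment stating why shared fs/files/sighand must block a subject transition would stop the next reader from assuming the ptrace exemptions apply to that case, and a distinct log message would keep the audit trail accurate. Also `newacl` returned by chk_subj_label() is dereferenced at `newacl->mode` without a NULL check, unlike the `if (task->acl)` test in gr_set_acls().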
58537 ++/* always called with valid inodev ptr */
58538 ++static void
58539 ++do_handle_delete(struct inodev_entry *inodev, const ino_t ino, const dev_t dev)
58540 ++{
58541 ++ struct acl_object_label *matchpo;
58542 ++ struct acl_subject_label *matchps;
58543 ++ struct acl_subject_label *subj;
58544 ++ struct acl_role_label *role;
58545 ++ unsigned int i, x;
58546 ++
58547 ++ FOR_EACH_ROLE_START(role, i)
58548 ++ FOR_EACH_SUBJECT_START(role, subj, x)
58549 ++ if ((matchpo = lookup_acl_obj_label(ino, dev, subj)) != NULL)
58550 ++ matchpo->mode |= GR_DELETED;
58551 ++ FOR_EACH_SUBJECT_END(subj,x)
58552 ++ FOR_EACH_NESTED_SUBJECT_START(role, subj)
58553 ++ if (subj->inode == ino && subj->device == dev)
58554 ++ subj->mode |= GR_DELETED;
58555 ++ FOR_EACH_NESTED_SUBJECT_END(subj)
58556 ++ if ((matchps = lookup_acl_subj_label(ino, dev, role)) != NULL)
58557 ++ matchps->mode |= GR_DELETED;
58558 ++ FOR_EACH_ROLE_END(role,i)
58559 ++
58560 ++ inodev->nentry->deleted = 1;
58561 ++
58562 ++ return;
58563 ++}
58564 ++
58565 ++void
58566 ++gr_handle_delete(const ino_t ino, const dev_t dev)
58567 ++{
58568 ++ struct inodev_entry *inodev;
58569 ++
58570 ++ if (unlikely(!(gr_status & GR_READY)))
58571 ++ return;
58572 ++
58573 ++ write_lock(&gr_inode_lock);
58574 ++ inodev = lookup_inodev_entry(ino, dev);
58575 ++ if (inodev != NULL)
58576 ++ do_handle_delete(inodev, ino, dev);
58577 ++ write_unlock(&gr_inode_lock);
58578 ++
58579 ++ return;
58580 ++}
58581 ++
58582 ++static void
58583 ++update_acl_obj_label(const ino_t oldinode, const dev_t olddevice,
58584 ++ const ino_t newinode, const dev_t newdevice,
58585 ++ struct acl_subject_label *subj)
58586 ++{
58587 ++ unsigned int index = fhash(oldinode, olddevice, subj->obj_hash_size);
58588 ++ struct acl_object_label *match;
58589 ++
58590 ++ match = subj->obj_hash[index];
58591 ++
58592 ++ while (match && (match->inode != oldinode ||
58593 ++ match->device != olddevice ||
58594 ++ !(match->mode & GR_DELETED)))
58595 ++ match = match->next;
58596 ++
58597 ++ if (match && (match->inode == oldinode)
58598 ++ && (match->device == olddevice)
58599 ++ && (match->mode & GR_DELETED)) {
58600 ++ if (match->prev == NULL) {
58601 ++ subj->obj_hash[index] = match->next;
58602 ++ if (match->next != NULL)
58603 ++ match->next->prev = NULL;
58604 ++ } else {
58605 ++ match->prev->next = match->next;
58606 ++ if (match->next != NULL)
58607 ++ match->next->prev = match->prev;
58608 ++ }
58609 ++ match->prev = NULL;
58610 ++ match->next = NULL;
58611 ++ match->inode = newinode;
58612 ++ match->device = newdevice;
58613 ++ match->mode &= ~GR_DELETED;
58614 ++
58615 ++ insert_acl_obj_label(match, subj);
58616 ++ }
58617 ++
58618 ++ return;
58619 ++}
58620 ++
58621 ++static void
58622 ++update_acl_subj_label(const ino_t oldinode, const dev_t olddevice,
58623 ++ const ino_t newinode, const dev_t newdevice,
58624 ++ struct acl_role_label *role)
58625 ++{
58626 ++ unsigned int index = fhash(oldinode, olddevice, role->subj_hash_size);
58627 ++ struct acl_subject_label *match;
58628 ++
58629 ++ match = role->subj_hash[index];
58630 ++
58631 ++ while (match && (match->inode != oldinode ||
58632 ++ match->device != olddevice ||
58633 ++ !(match->mode & GR_DELETED)))
58634 ++ match = match->next;
58635 ++
58636 ++ if (match && (match->inode == oldinode)
58637 ++ && (match->device == olddevice)
58638 ++ && (match->mode & GR_DELETED)) {
58639 ++ if (match->prev == NULL) {
58640 ++ role->subj_hash[index] = match->next;
58641 ++ if (match->next != NULL)
58642 ++ match->next->prev = NULL;
58643 ++ } else {
58644 ++ match->prev->next = match->next;
58645 ++ if (match->next != NULL)
58646 ++ match->next->prev = match->prev;
58647 ++ }
58648 ++ match->prev = NULL;
58649 ++ match->next = NULL;
58650 ++ match->inode = newinode;
58651 ++ match->device = newdevice;
58652 ++ match->mode &= ~GR_DELETED;
58653 ++
58654 ++ insert_acl_subj_label(match, role);
58655 ++ }
58656 ++
58657 ++ return;
58658 ++}
58659 ++
58660 ++static void
58661 ++update_inodev_entry(const ino_t oldinode, const dev_t olddevice,
58662 ++ const ino_t newinode, const dev_t newdevice)
58663 ++{
58664 ++ unsigned int index = fhash(oldinode, olddevice, inodev_set.i_size);
58665 ++ struct inodev_entry *match;
58666 ++
58667 ++ match = inodev_set.i_hash[index];
58668 ++
58669 ++ while (match && (match->nentry->inode != oldinode ||
58670 ++ match->nentry->device != olddevice || !match->nentry->deleted))
58671 ++ match = match->next;
58672 ++
58673 ++ if (match && (match->nentry->inode == oldinode)
58674 ++ && (match->nentry->device == olddevice) &&
58675 ++ match->nentry->deleted) {
58676 ++ if (match->prev == NULL) {
58677 ++ inodev_set.i_hash[index] = match->next;
58678 ++ if (match->next != NULL)
58679 ++ match->next->prev = NULL;
58680 ++ } else {
58681 ++ match->prev->next = match->next;
58682 ++ if (match->next != NULL)
58683 ++ match->next->prev = match->prev;
58684 ++ }
58685 ++ match->prev = NULL;
58686 ++ match->next = NULL;
58687 ++ match->nentry->inode = newinode;
58688 ++ match->nentry->device = newdevice;
58689 ++ match->nentry->deleted = 0;
58690 ++
58691 ++ insert_inodev_entry(match);
58692 ++ }
58693 ++
58694 ++ return;
58695 ++}
58696 ++
58697 ++static void
58698 ++do_handle_create(const struct name_entry *matchn, const struct dentry *dentry,
58699 ++ const struct vfsmount *mnt)
58700 ++{
58701 ++ struct acl_subject_label *subj;
58702 ++ struct acl_role_label *role;
58703 ++ unsigned int i, x;
58704 ++
58705 ++ FOR_EACH_ROLE_START(role, i)
58706 ++ update_acl_subj_label(matchn->inode, matchn->device,
58707 ++ dentry->d_inode->i_ino,
58708 ++ dentry->d_inode->i_sb->s_dev, role);
58709 ++
58710 ++ FOR_EACH_NESTED_SUBJECT_START(role, subj)
58711 ++ if ((subj->inode == dentry->d_inode->i_ino) &&
58712 ++ (subj->device == dentry->d_inode->i_sb->s_dev)) {
58713 ++ subj->inode = dentry->d_inode->i_ino;
58714 ++ subj->device = dentry->d_inode->i_sb->s_dev;
58715 ++ }
58716 ++ FOR_EACH_NESTED_SUBJECT_END(subj)
58717 ++ FOR_EACH_SUBJECT_START(role, subj, x)
58718 ++ update_acl_obj_label(matchn->inode, matchn->device,
58719 ++ dentry->d_inode->i_ino,
58720 ++ dentry->d_inode->i_sb->s_dev, subj);
58721 ++ FOR_EACH_SUBJECT_END(subj,x)
58722 ++ FOR_EACH_ROLE_END(role,i)
58723 ++
58724 ++ update_inodev_entry(matchn->inode, matchn->device,
58725 ++ dentry->d_inode->i_ino, dentry->d_inode->i_sb->s_dev);
58726 ++
58727 ++ return;
58728 ++}
58729 ++
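Review bot: the FOR_EACH_NESTED_SUBJECT loop in do_handle_create() is a no-op as written: it compares `subj->inode` and `subj->device` against the new dentry's inode and device and then assigns those same values back. do_handle_delete() flags nested subjects whose inode/device match the deleted file with GR_DELETED, so the create path presumably should match on `matchn->inode`/`matchn->device` (and `subj->mode & GR_DELETED`), store the new inode/device, and clear GR_DELETED, mirroring what update_acl_subj_label() does for hashed subjects. Otherwise a nested subject whose file is deleted and recreated keeps its stale inode number and stays flagged GR_DELETED.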
58730 ++void
58731 ++gr_handle_create(const struct dentry *dentry, const struct vfsmount *mnt)
58732 ++{
58733 ++ struct name_entry *matchn;
58734 ++
58735 ++ if (unlikely(!(gr_status & GR_READY)))
58736 ++ return;
58737 ++
58738 ++ preempt_disable();
58739 ++ matchn = lookup_name_entry(gr_to_filename_rbac(dentry, mnt));
58740 ++
58741 ++ if (unlikely((unsigned long)matchn)) {
58742 ++ write_lock(&gr_inode_lock);
58743 ++ do_handle_create(matchn, dentry, mnt);
58744 ++ write_unlock(&gr_inode_lock);
58745 ++ }
58746 ++ preempt_enable();
58747 ++
58748 ++ return;
58749 ++}
58750 ++
58751 ++void
58752 ++gr_handle_rename(struct inode *old_dir, struct inode *new_dir,
58753 ++ struct dentry *old_dentry,
58754 ++ struct dentry *new_dentry,
58755 ++ struct vfsmount *mnt, const __u8 replace)
58756 ++{
58757 ++ struct name_entry *matchn;
58758 ++ struct inodev_entry *inodev;
58759 ++
58760 ++ /* vfs_rename swaps the name and parent link for old_dentry and
58761 ++ new_dentry
58762 ++ at this point, old_dentry has the new name, parent link, and inode
58763 ++ for the renamed file
58764 ++ if a file is being replaced by a rename, new_dentry has the inode
58765 ++ and name for the replaced file
58766 ++ */
58767 ++
58768 ++ if (unlikely(!(gr_status & GR_READY)))
58769 ++ return;
58770 ++
58771 ++ preempt_disable();
58772 ++ matchn = lookup_name_entry(gr_to_filename_rbac(old_dentry, mnt));
58773 ++
58774 ++ /* we wouldn't have to check d_inode if it weren't for
58775 ++ NFS silly-renaming
58776 ++ */
58777 ++
58778 ++ write_lock(&gr_inode_lock);
58779 ++ if (unlikely(replace && new_dentry->d_inode)) {
58780 ++ inodev = lookup_inodev_entry(new_dentry->d_inode->i_ino,
58781 ++ new_dentry->d_inode->i_sb->s_dev);
58782 ++ if (inodev != NULL && (new_dentry->d_inode->i_nlink <= 1))
58783 ++ do_handle_delete(inodev, new_dentry->d_inode->i_ino,
58784 ++ new_dentry->d_inode->i_sb->s_dev);
58785 ++ }
58786 ++
58787 ++ inodev = lookup_inodev_entry(old_dentry->d_inode->i_ino,
58788 ++ old_dentry->d_inode->i_sb->s_dev);
58789 ++ if (inodev != NULL && (old_dentry->d_inode->i_nlink <= 1))
58790 ++ do_handle_delete(inodev, old_dentry->d_inode->i_ino,
58791 ++ old_dentry->d_inode->i_sb->s_dev);
58792 ++
58793 ++ if (unlikely((unsigned long)matchn))
58794 ++ do_handle_create(matchn, old_dentry, mnt);
58795 ++
58796 ++ write_unlock(&gr_inode_lock);
58797 ++ preempt_enable();
58798 ++
58799 ++ return;
58800 ++}
58801 ++
58802 ++static int
58803 ++lookup_special_role_auth(__u16 mode, const char *rolename, unsigned char **salt,
58804 ++ unsigned char **sum)
58805 ++{
58806 ++ struct acl_role_label *r;
58807 ++ struct role_allowed_ip *ipp;
58808 ++ struct role_transition *trans;
58809 ++ unsigned int i;
58810 ++ int found = 0;
58811 ++
58812 ++ /* check transition table */
58813 ++
58814 ++ for (trans = current->role->transitions; trans; trans = trans->next) {
58815 ++ if (!strcmp(rolename, trans->rolename)) {
58816 ++ found = 1;
58817 ++ break;
58818 ++ }
58819 ++ }
58820 ++
58821 ++ if (!found)
58822 ++ return 0;
58823 ++
58824 ++ /* handle special roles that do not require authentication
58825 ++ and check ip */
58826 ++
58827 ++ FOR_EACH_ROLE_START(r, i)
58828 ++ if (!strcmp(rolename, r->rolename) &&
58829 ++ (r->roletype & GR_ROLE_SPECIAL)) {
58830 ++ found = 0;
58831 ++ if (r->allowed_ips != NULL) {
58832 ++ for (ipp = r->allowed_ips; ipp; ipp = ipp->next) {
58833 ++ if ((ntohl(current->signal->curr_ip) & ipp->netmask) ==
58834 ++ (ntohl(ipp->addr) & ipp->netmask))
58835 ++ found = 1;
58836 ++ }
58837 ++ } else
58838 ++ found = 2;
58839 ++ if (!found)
58840 ++ return 0;
58841 ++
58842 ++ if (((mode == SPROLE) && (r->roletype & GR_ROLE_NOPW)) ||
58843 ++ ((mode == SPROLEPAM) && (r->roletype & GR_ROLE_PAM))) {
58844 ++ *salt = NULL;
58845 ++ *sum = NULL;
58846 ++ return 1;
58847 ++ }
58848 ++ }
58849 ++ FOR_EACH_ROLE_END(r,i)
58850 ++
58851 ++ for (i = 0; i < num_sprole_pws; i++) {
58852 ++ if (!strcmp(rolename, acl_special_roles[i]->rolename)) {
58853 ++ *salt = acl_special_roles[i]->salt;
58854 ++ *sum = acl_special_roles[i]->sum;
58855 ++ return 1;
58856 ++ }
58857 ++ }
58858 ++
58859 ++ return 0;
58860 ++}
58861 ++
58862 ++static void
58863 ++assign_special_role(char *rolename)
58864 ++{
58865 ++ struct acl_object_label *obj;
58866 ++ struct acl_role_label *r;
58867 ++ struct acl_role_label *assigned = NULL;
58868 ++ struct task_struct *tsk;
58869 ++ struct file *filp;
58870 ++ unsigned int i;
58871 ++
58872 ++ FOR_EACH_ROLE_START(r, i)
58873 ++ if (!strcmp(rolename, r->rolename) &&
58874 ++ (r->roletype & GR_ROLE_SPECIAL))
58875 ++ assigned = r;
58876 ++ FOR_EACH_ROLE_END(r,i)
58877 ++
58878 ++ if (!assigned)
58879 ++ return;
58880 ++
58881 ++ read_lock(&tasklist_lock);
58882 ++ read_lock(&grsec_exec_file_lock);
58883 ++
58884 ++ tsk = current->parent;
58885 ++ if (tsk == NULL)
58886 ++ goto out_unlock;
58887 ++
58888 ++ filp = tsk->exec_file;
58889 ++ if (filp == NULL)
58890 ++ goto out_unlock;
58891 ++
58892 ++ tsk->is_writable = 0;
58893 ++
58894 ++ tsk->acl_sp_role = 1;
58895 ++ tsk->acl_role_id = ++acl_sp_role_value;
58896 ++ tsk->role = assigned;
58897 ++ tsk->acl = chk_subj_label(filp->f_dentry, filp->f_vfsmnt, tsk->role);
58898 ++
58899 ++ /* ignore additional mmap checks for processes that are writable
58900 ++ by the default ACL */
58901 ++ obj = chk_obj_label(filp->f_dentry, filp->f_vfsmnt, default_role->root_label);
58902 ++ if (unlikely(obj->mode & GR_WRITE))
58903 ++ tsk->is_writable = 1;
58904 ++ obj = chk_obj_label(filp->f_dentry, filp->f_vfsmnt, tsk->role->root_label);
58905 ++ if (unlikely(obj->mode & GR_WRITE))
58906 ++ tsk->is_writable = 1;
58907 ++
58908 ++#ifdef CONFIG_GRKERNSEC_ACL_DEBUG
58909 ++ printk(KERN_ALERT "Assigning special role:%s subject:%s to process (%s:%d)\n", tsk->role->rolename, tsk->acl->filename, tsk->comm, tsk->pid);
58910 ++#endif
58911 ++
58912 ++out_unlock:
58913 ++ read_unlock(&grsec_exec_file_lock);
58914 ++ read_unlock(&tasklist_lock);
58915 ++ return;
58916 ++}
58917 ++
58918 ++int gr_check_secure_terminal(struct task_struct *task)
58919 ++{
58920 ++ struct task_struct *p, *p2, *p3;
58921 ++ struct files_struct *files;
58922 ++ struct fdtable *fdt;
58923 ++ struct file *our_file = NULL, *file;
58924 ++ int i;
58925 ++
58926 ++ if (task->signal->tty == NULL)
58927 ++ return 1;
58928 ++
58929 ++ files = get_files_struct(task);
58930 ++ if (files != NULL) {
58931 ++ rcu_read_lock();
58932 ++ fdt = files_fdtable(files);
58933 ++ for (i=0; i < fdt->max_fds; i++) {
58934 ++ file = fcheck_files(files, i);
58935 ++ if (file && (our_file == NULL) && (file->private_data == task->signal->tty)) {
58936 ++ get_file(file);
58937 ++ our_file = file;
58938 ++ }
58939 ++ }
58940 ++ rcu_read_unlock();
58941 ++ put_files_struct(files);
58942 ++ }
58943 ++
58944 ++ if (our_file == NULL)
58945 ++ return 1;
58946 ++
58947 ++ read_lock(&tasklist_lock);
58948 ++ do_each_thread(p2, p) {
58949 ++ files = get_files_struct(p);
58950 ++ if (files == NULL ||
58951 ++ (p->signal && p->signal->tty == task->signal->tty)) {
58952 ++ if (files != NULL)
58953 ++ put_files_struct(files);
58954 ++ continue;
58955 ++ }
58956 ++ rcu_read_lock();
58957 ++ fdt = files_fdtable(files);
58958 ++ for (i=0; i < fdt->max_fds; i++) {
58959 ++ file = fcheck_files(files, i);
58960 ++ if (file && S_ISCHR(file->f_dentry->d_inode->i_mode) &&
58961 ++ file->f_dentry->d_inode->i_rdev == our_file->f_dentry->d_inode->i_rdev) {
58962 ++ p3 = task;
58963 ++ while (p3->pid > 0) {
58964 ++ if (p3 == p)
58965 ++ break;
58966 ++ p3 = p3->parent;
58967 ++ }
58968 ++ if (p3 == p)
58969 ++ break;
58970 ++ gr_log_ttysniff(GR_DONT_AUDIT_GOOD, GR_TTYSNIFF_ACL_MSG, p);
58971 ++ gr_handle_alertkill(p);
58972 ++ rcu_read_unlock();
58973 ++ put_files_struct(files);
58974 ++ read_unlock(&tasklist_lock);
58975 ++ fput(our_file);
58976 ++ return 0;
58977 ++ }
58978 ++ }
58979 ++ rcu_read_unlock();
58980 ++ put_files_struct(files);
58981 ++ } while_each_thread(p2, p);
58982 ++ read_unlock(&tasklist_lock);
58983 ++
58984 ++ fput(our_file);
58985 ++ return 1;
58986 ++}
58987 ++
58988 ++ssize_t
58989 ++write_grsec_handler(struct file *file, const char * buf, size_t count, loff_t *ppos)
58990 ++{
58991 ++ struct gr_arg_wrapper uwrap;
58992 ++ unsigned char *sprole_salt;
58993 ++ unsigned char *sprole_sum;
58994 ++ int error = sizeof (struct gr_arg_wrapper);
58995 ++ int error2 = 0;
58996 ++
58997 ++ down(&gr_dev_sem);
58998 ++
58999 ++ if ((gr_status & GR_READY) && !(current->acl->mode & GR_KERNELAUTH)) {
59000 ++ error = -EPERM;
59001 ++ goto out;
59002 ++ }
59003 ++
59004 ++ if (count != sizeof (struct gr_arg_wrapper)) {
59005 ++ gr_log_int_int(GR_DONT_AUDIT_GOOD, GR_DEV_ACL_MSG, (int)count, (int)sizeof(struct gr_arg_wrapper));
59006 ++ error = -EINVAL;
59007 ++ goto out;
59008 ++ }
59009 ++
59010 ++
59011 ++ if (gr_auth_expires && time_after_eq(get_seconds(), gr_auth_expires)) {
59012 ++ gr_auth_expires = 0;
59013 ++ gr_auth_attempts = 0;
59014 ++ }
59015 ++
59016 ++ if (copy_from_user(&uwrap, buf, sizeof (struct gr_arg_wrapper))) {
59017 ++ error = -EFAULT;
59018 ++ goto out;
59019 ++ }
59020 ++
59021 ++ if ((uwrap.version != GRSECURITY_VERSION) || (uwrap.size != sizeof(struct gr_arg))) {
59022 ++ error = -EINVAL;
59023 ++ goto out;
59024 ++ }
59025 ++
59026 ++ if (copy_from_user(gr_usermode, uwrap.arg, sizeof (struct gr_arg))) {
59027 ++ error = -EFAULT;
59028 ++ goto out;
59029 ++ }
59030 ++
59031 ++ if (gr_usermode->mode != SPROLE && gr_usermode->mode != SPROLEPAM &&
59032 ++ gr_auth_attempts >= CONFIG_GRKERNSEC_ACL_MAXTRIES &&
59033 ++ time_after(gr_auth_expires, get_seconds())) {
59034 ++ error = -EBUSY;
59035 ++ goto out;
59036 ++ }
59037 ++
59038 ++ /* if non-root trying to do anything other than use a special role,
59039 ++ do not attempt authentication, do not count towards authentication
59040 ++ locking
59041 ++ */
59042 ++
59043 ++ if (gr_usermode->mode != SPROLE && gr_usermode->mode != STATUS &&
59044 ++ gr_usermode->mode != UNSPROLE && gr_usermode->mode != SPROLEPAM &&
59045 ++ current->uid) {
59046 ++ error = -EPERM;
59047 ++ goto out;
59048 ++ }
59049 ++
59050 ++ /* ensure pw and special role name are null terminated */
59051 ++
59052 ++ gr_usermode->pw[GR_PW_LEN - 1] = '\0';
59053 ++ gr_usermode->sp_role[GR_SPROLE_LEN - 1] = '\0';
59054 ++
59055 ++ /* Okay.
59056 ++ * We have our enough of the argument structure..(we have yet
59057 ++ * to copy_from_user the tables themselves) . Copy the tables
59058 ++ * only if we need them, i.e. for loading operations. */
59059 ++
59060 ++ switch (gr_usermode->mode) {
59061 ++ case STATUS:
59062 ++ if (gr_status & GR_READY) {
59063 ++ error = 1;
59064 ++ if (!gr_check_secure_terminal(current))
59065 ++ error = 3;
59066 ++ } else
59067 ++ error = 2;
59068 ++ goto out;
59069 ++ case SHUTDOWN:
59070 ++ if ((gr_status & GR_READY)
59071 ++ && !(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
59072 ++ gr_status &= ~GR_READY;
59073 ++ gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SHUTS_ACL_MSG);
59074 ++ free_variables();
59075 ++ memset(gr_usermode, 0, sizeof (struct gr_arg));
59076 ++ memset(gr_system_salt, 0, GR_SALT_LEN);
59077 ++ memset(gr_system_sum, 0, GR_SHA_LEN);
59078 ++ } else if (gr_status & GR_READY) {
59079 ++ gr_log_noargs(GR_DONT_AUDIT, GR_SHUTF_ACL_MSG);
59080 ++ error = -EPERM;
59081 ++ } else {
59082 ++ gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SHUTI_ACL_MSG);
59083 ++ error = -EAGAIN;
59084 ++ }
59085 ++ break;
59086 ++ case ENABLE:
59087 ++ if (!(gr_status & GR_READY) && !(error2 = gracl_init(gr_usermode)))
59088 ++ gr_log_str(GR_DONT_AUDIT_GOOD, GR_ENABLE_ACL_MSG, GR_VERSION);
59089 ++ else {
59090 ++ if (gr_status & GR_READY)
59091 ++ error = -EAGAIN;
59092 ++ else
59093 ++ error = error2;
59094 ++ gr_log_str(GR_DONT_AUDIT, GR_ENABLEF_ACL_MSG, GR_VERSION);
59095 ++ }
59096 ++ break;
59097 ++ case RELOAD:
59098 ++ if (!(gr_status & GR_READY)) {
59099 ++ gr_log_str(GR_DONT_AUDIT_GOOD, GR_RELOADI_ACL_MSG, GR_VERSION);
59100 ++ error = -EAGAIN;
59101 ++ } else if (!(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
59102 ++ lock_kernel();
59103 ++ gr_status &= ~GR_READY;
59104 ++ free_variables();
59105 ++ if (!(error2 = gracl_init(gr_usermode))) {
59106 ++ unlock_kernel();
59107 ++ gr_log_str(GR_DONT_AUDIT_GOOD, GR_RELOAD_ACL_MSG, GR_VERSION);
59108 ++ } else {
59109 ++ unlock_kernel();
59110 ++ error = error2;
59111 ++ gr_log_str(GR_DONT_AUDIT, GR_RELOADF_ACL_MSG, GR_VERSION);
59112 ++ }
59113 ++ } else {
59114 ++ gr_log_str(GR_DONT_AUDIT, GR_RELOADF_ACL_MSG, GR_VERSION);
59115 ++ error = -EPERM;
59116 ++ }
59117 ++ break;
59118 ++ case SEGVMOD:
59119 ++ if (unlikely(!(gr_status & GR_READY))) {
59120 ++ gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SEGVMODI_ACL_MSG);
59121 ++ error = -EAGAIN;
59122 ++ break;
59123 ++ }
59124 ++
59125 ++ if (!(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
59126 ++ gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SEGVMODS_ACL_MSG);
59127 ++ if (gr_usermode->segv_device && gr_usermode->segv_inode) {
59128 ++ struct acl_subject_label *segvacl;
59129 ++ segvacl =
59130 ++ lookup_acl_subj_label(gr_usermode->segv_inode,
59131 ++ gr_usermode->segv_device,
59132 ++ current->role);
59133 ++ if (segvacl) {
59134 ++ segvacl->crashes = 0;
59135 ++ segvacl->expires = 0;
59136 ++ }
59137 ++ } else if (gr_find_uid(gr_usermode->segv_uid) >= 0) {
59138 ++ gr_remove_uid(gr_usermode->segv_uid);
59139 ++ }
59140 ++ } else {
59141 ++ gr_log_noargs(GR_DONT_AUDIT, GR_SEGVMODF_ACL_MSG);
59142 ++ error = -EPERM;
59143 ++ }
59144 ++ break;
59145 ++ case SPROLE:
59146 ++ case SPROLEPAM:
59147 ++ if (unlikely(!(gr_status & GR_READY))) {
59148 ++ gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SPROLEI_ACL_MSG);
59149 ++ error = -EAGAIN;
59150 ++ break;
59151 ++ }
59152 ++
59153 ++ if (current->role->expires && time_after_eq(get_seconds(), current->role->expires)) {
59154 ++ current->role->expires = 0;
59155 ++ current->role->auth_attempts = 0;
59156 ++ }
59157 ++
59158 ++ if (current->role->auth_attempts >= CONFIG_GRKERNSEC_ACL_MAXTRIES &&
59159 ++ time_after(current->role->expires, get_seconds())) {
59160 ++ error = -EBUSY;
59161 ++ goto out;
59162 ++ }
59163 ++
59164 ++ if (lookup_special_role_auth
59165 ++ (gr_usermode->mode, gr_usermode->sp_role, &sprole_salt, &sprole_sum)
59166 ++ && ((!sprole_salt && !sprole_sum)
59167 ++ || !(chkpw(gr_usermode, sprole_salt, sprole_sum)))) {
59168 ++ char *p = "";
59169 ++ assign_special_role(gr_usermode->sp_role);
59170 ++ read_lock(&tasklist_lock);
59171 ++ if (current->parent)
59172 ++ p = current->parent->role->rolename;
59173 ++ read_unlock(&tasklist_lock);
59174 ++ gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_SPROLES_ACL_MSG,
59175 ++ p, acl_sp_role_value);
59176 ++ } else {
59177 ++ gr_log_str(GR_DONT_AUDIT, GR_SPROLEF_ACL_MSG, gr_usermode->sp_role);
59178 ++ error = -EPERM;
59179 ++ if(!(current->role->auth_attempts++))
59180 ++ current->role->expires = get_seconds() + CONFIG_GRKERNSEC_ACL_TIMEOUT;
59181 ++
59182 ++ goto out;
59183 ++ }
59184 ++ break;
59185 ++ case UNSPROLE:
59186 ++ if (unlikely(!(gr_status & GR_READY))) {
59187 ++ gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_UNSPROLEI_ACL_MSG);
59188 ++ error = -EAGAIN;
59189 ++ break;
59190 ++ }
59191 ++
59192 ++ if (current->role->roletype & GR_ROLE_SPECIAL) {
59193 ++ char *p = "";
59194 ++ int i = 0;
59195 ++
59196 ++ read_lock(&tasklist_lock);
59197 ++ if (current->parent) {
59198 ++ p = current->parent->role->rolename;
59199 ++ i = current->parent->acl_role_id;
59200 ++ }
59201 ++ read_unlock(&tasklist_lock);
59202 ++
59203 ++ gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_UNSPROLES_ACL_MSG, p, i);
59204 ++ gr_set_acls(1);
59205 ++ } else {
59206 ++ gr_log_str(GR_DONT_AUDIT, GR_UNSPROLEF_ACL_MSG, current->role->rolename);
59207 ++ error = -EPERM;
59208 ++ goto out;
59209 ++ }
59210 ++ break;
59211 ++ default:
59212 ++ gr_log_int(GR_DONT_AUDIT, GR_INVMODE_ACL_MSG, gr_usermode->mode);
59213 ++ error = -EINVAL;
59214 ++ break;
59215 ++ }
59216 ++
59217 ++ if (error != -EPERM)
59218 ++ goto out;
59219 ++
59220 ++ if(!(gr_auth_attempts++))
59221 ++ gr_auth_expires = get_seconds() + CONFIG_GRKERNSEC_ACL_TIMEOUT;
59222 ++
59223 ++ out:
59224 ++ up(&gr_dev_sem);
59225 ++ return error;
59226 ++}
59227 ++
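Review bot: the plaintext password copied into the global `gr_usermode` buffer is wiped only on a successful SHUTDOWN (`memset(gr_usermode, 0, sizeof (struct gr_arg))`); after RELOAD, SEGVMOD, SPROLE/SPROLEPAM and every failure path it remains in kernel memory until the next write, so the `pw` field should be cleared before `out:` on all paths once chkpw() has run. Two smaller points in the same function: RELOAD clears GR_READY and calls free_variables() before gracl_init() is attempted, so a malformed policy leaves the system with RBAC disabled and only a log line to show for it, which deserves a comment since an operator may read the returned errno as "nothing changed"; and the `if (error != -EPERM) goto out;` after the switch means only -EPERM results feed gr_auth_attempts, which matches the comment about non-root callers but is worth stating next to the counter.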
59228 ++int
59229 ++gr_set_acls(const int type)
59230 ++{
59231 ++ struct acl_object_label *obj;
59232 ++ struct task_struct *task, *task2;
59233 ++ struct file *filp;
59234 ++ struct acl_role_label *role = current->role;
59235 ++ __u16 acl_role_id = current->acl_role_id;
59236 ++
59237 ++ read_lock(&tasklist_lock);
59238 ++ read_lock(&grsec_exec_file_lock);
59239 ++ do_each_thread(task2, task) {
59240 ++ /* check to see if we're called from the exit handler,
59241 ++ if so, only replace ACLs that have inherited the admin
59242 ++ ACL */
59243 ++
59244 ++ if (type && (task->role != role ||
59245 ++ task->acl_role_id != acl_role_id))
59246 ++ continue;
59247 ++
59248 ++ task->acl_role_id = 0;
59249 ++ task->acl_sp_role = 0;
59250 ++
59251 ++ if ((filp = task->exec_file)) {
59252 ++ task->role = lookup_acl_role_label(task, task->uid, task->gid);
59253 ++
59254 ++ task->acl =
59255 ++ chk_subj_label(filp->f_dentry, filp->f_vfsmnt,
59256 ++ task->role);
59257 ++ if (task->acl) {
59258 ++ struct acl_subject_label *curr;
59259 ++ curr = task->acl;
59260 ++
59261 ++ task->is_writable = 0;
59262 ++ /* ignore additional mmap checks for processes that are writable
59263 ++ by the default ACL */
59264 ++ obj = chk_obj_label(filp->f_dentry, filp->f_vfsmnt, default_role->root_label);
59265 ++ if (unlikely(obj->mode & GR_WRITE))
59266 ++ task->is_writable = 1;
59267 ++ obj = chk_obj_label(filp->f_dentry, filp->f_vfsmnt, task->role->root_label);
59268 ++ if (unlikely(obj->mode & GR_WRITE))
59269 ++ task->is_writable = 1;
59270 ++
59271 ++ gr_set_proc_res(task);
59272 ++
59273 ++#ifdef CONFIG_GRKERNSEC_ACL_DEBUG
59274 ++ printk(KERN_ALERT "gr_set_acls for (%s:%d): role:%s, subject:%s\n", task->comm, task->pid, task->role->rolename, task->acl->filename);
59275 ++#endif
59276 ++ } else {
59277 ++ read_unlock(&grsec_exec_file_lock);
59278 ++ read_unlock(&tasklist_lock);
59279 ++ gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_DEFACL_MSG, task->comm, task->pid);
59280 ++ return 1;
59281 ++ }
59282 ++ } else {
59283 ++ // it's a kernel process
59284 ++ task->role = kernel_role;
59285 ++ task->acl = kernel_role->root_label;
59286 ++#ifdef CONFIG_GRKERNSEC_ACL_HIDEKERN
59287 ++ task->acl->mode &= ~GR_PROCFIND;
59288 ++#endif
59289 ++ }
59290 ++ } while_each_thread(task2, task);
59291 ++ read_unlock(&grsec_exec_file_lock);
59292 ++ read_unlock(&tasklist_lock);
59293 ++ return 0;
59294 ++}
59295 ++
59296 ++void
59297 ++gr_learn_resource(const struct task_struct *task,
59298 ++ const int res, const unsigned long wanted, const int gt)
59299 ++{
59300 ++ struct acl_subject_label *acl;
59301 ++
59302 ++ if (unlikely((gr_status & GR_READY) &&
59303 ++ task->acl && (task->acl->mode & (GR_LEARN | GR_INHERITLEARN))))
59304 ++ goto skip_reslog;
59305 ++
59306 ++#ifdef CONFIG_GRKERNSEC_RESLOG
59307 ++ gr_log_resource(task, res, wanted, gt);
59308 ++#endif
59309 ++ skip_reslog:
59310 ++
59311 ++ if (unlikely(!(gr_status & GR_READY) || !wanted))
59312 ++ return;
59313 ++
59314 ++ acl = task->acl;
59315 ++
59316 ++ if (likely(!acl || !(acl->mode & (GR_LEARN | GR_INHERITLEARN)) ||
59317 ++ !(acl->resmask & (1 << (unsigned short) res))))
59318 ++ return;
59319 ++
59320 ++ if (wanted >= acl->res[res].rlim_cur) {
59321 ++ unsigned long res_add;
59322 ++
59323 ++ res_add = wanted;
59324 ++ switch (res) {
59325 ++ case RLIMIT_CPU:
59326 ++ res_add += GR_RLIM_CPU_BUMP;
59327 ++ break;
59328 ++ case RLIMIT_FSIZE:
59329 ++ res_add += GR_RLIM_FSIZE_BUMP;
59330 ++ break;
59331 ++ case RLIMIT_DATA:
59332 ++ res_add += GR_RLIM_DATA_BUMP;
59333 ++ break;
59334 ++ case RLIMIT_STACK:
59335 ++ res_add += GR_RLIM_STACK_BUMP;
59336 ++ break;
59337 ++ case RLIMIT_CORE:
59338 ++ res_add += GR_RLIM_CORE_BUMP;
59339 ++ break;
59340 ++ case RLIMIT_RSS:
59341 ++ res_add += GR_RLIM_RSS_BUMP;
59342 ++ break;
59343 ++ case RLIMIT_NPROC:
59344 ++ res_add += GR_RLIM_NPROC_BUMP;
59345 ++ break;
59346 ++ case RLIMIT_NOFILE:
59347 ++ res_add += GR_RLIM_NOFILE_BUMP;
59348 ++ break;
59349 ++ case RLIMIT_MEMLOCK:
59350 ++ res_add += GR_RLIM_MEMLOCK_BUMP;
59351 ++ break;
59352 ++ case RLIMIT_AS:
59353 ++ res_add += GR_RLIM_AS_BUMP;
59354 ++ break;
59355 ++ case RLIMIT_LOCKS:
59356 ++ res_add += GR_RLIM_LOCKS_BUMP;
59357 ++ break;
59358 ++ }
59359 ++
59360 ++ acl->res[res].rlim_cur = res_add;
59361 ++
59362 ++ if (wanted > acl->res[res].rlim_max)
59363 ++ acl->res[res].rlim_max = res_add;
59364 ++
59365 ++ security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename,
59366 ++ task->role->roletype, acl->filename,
59367 ++ acl->res[res].rlim_cur, acl->res[res].rlim_max,
59368 ++ "", (unsigned long) res);
59369 ++ }
59370 ++
59371 ++ return;
59372 ++}
59373 ++
59374 ++#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
59375 ++void
59376 ++pax_set_initial_flags(struct linux_binprm *bprm)
59377 ++{
59378 ++ struct task_struct *task = current;
59379 ++ struct acl_subject_label *proc;
59380 ++ unsigned long flags;
59381 ++
59382 ++ if (unlikely(!(gr_status & GR_READY)))
59383 ++ return;
59384 ++
59385 ++ flags = pax_get_flags(task);
59386 ++
59387 ++ proc = task->acl;
59388 ++
59389 ++ if (proc->pax_flags & GR_PAX_DISABLE_PAGEEXEC)
59390 ++ flags &= ~MF_PAX_PAGEEXEC;
59391 ++ if (proc->pax_flags & GR_PAX_DISABLE_SEGMEXEC)
59392 ++ flags &= ~MF_PAX_SEGMEXEC;
59393 ++ if (proc->pax_flags & GR_PAX_DISABLE_RANDMMAP)
59394 ++ flags &= ~MF_PAX_RANDMMAP;
59395 ++ if (proc->pax_flags & GR_PAX_DISABLE_EMUTRAMP)
59396 ++ flags &= ~MF_PAX_EMUTRAMP;
59397 ++ if (proc->pax_flags & GR_PAX_DISABLE_MPROTECT)
59398 ++ flags &= ~MF_PAX_MPROTECT;
59399 ++
59400 ++ if (proc->pax_flags & GR_PAX_ENABLE_PAGEEXEC)
59401 ++ flags |= MF_PAX_PAGEEXEC;
59402 ++ if (proc->pax_flags & GR_PAX_ENABLE_SEGMEXEC)
59403 ++ flags |= MF_PAX_SEGMEXEC;
59404 ++ if (proc->pax_flags & GR_PAX_ENABLE_RANDMMAP)
59405 ++ flags |= MF_PAX_RANDMMAP;
59406 ++ if (proc->pax_flags & GR_PAX_ENABLE_EMUTRAMP)
59407 ++ flags |= MF_PAX_EMUTRAMP;
59408 ++ if (proc->pax_flags & GR_PAX_ENABLE_MPROTECT)
59409 ++ flags |= MF_PAX_MPROTECT;
59410 ++
59411 ++ pax_set_flags(task, flags);
59412 ++
59413 ++ return;
59414 ++}
59415 ++#endif
59416 ++
59417 ++#ifdef CONFIG_SYSCTL
59418 ++/* Eric Biederman likes breaking userland ABI and every inode-based security
59419 ++ system to save 35kb of memory */
59420 ++
59421 ++/* we modify the passed in filename, but adjust it back before returning */
59422 ++static struct acl_object_label *gr_lookup_by_name(char *name, unsigned int len)
59423 ++{
59424 ++ struct name_entry *nmatch;
59425 ++ char *p, *lastp = NULL;
59426 ++ struct acl_object_label *obj = NULL, *tmp;
59427 ++ struct acl_subject_label *tmpsubj;
59428 ++ char c = '\0';
59429 ++
59430 ++ read_lock(&gr_inode_lock);
59431 ++
59432 ++ p = name + len - 1;
59433 ++ do {
59434 ++ nmatch = lookup_name_entry(name);
59435 ++ if (lastp != NULL)
59436 ++ *lastp = c;
59437 ++
59438 ++ if (nmatch == NULL)
59439 ++ goto next_component;
59440 ++ tmpsubj = current->acl;
59441 ++ do {
59442 ++ obj = lookup_acl_obj_label(nmatch->inode, nmatch->device, tmpsubj);
59443 ++ if (obj != NULL) {
59444 ++ tmp = obj->globbed;
59445 ++ while (tmp) {
59446 ++ if (!glob_match(tmp->filename, name)) {
59447 ++ obj = tmp;
59448 ++ goto found_obj;
59449 ++ }
59450 ++ tmp = tmp->next;
59451 ++ }
59452 ++ goto found_obj;
59453 ++ }
59454 ++ } while ((tmpsubj = tmpsubj->parent_subject));
59455 ++next_component:
59456 ++ /* end case */
59457 ++ if (p == name)
59458 ++ break;
59459 ++
59460 ++ while (*p != '/')
59461 ++ p--;
59462 ++ if (p == name)
59463 ++ lastp = p + 1;
59464 ++ else {
59465 ++ lastp = p;
59466 ++ p--;
59467 ++ }
59468 ++ c = *lastp;
59469 ++ *lastp = '\0';
59470 ++ } while (1);
59471 ++found_obj:
59472 ++ read_unlock(&gr_inode_lock);
59473 ++ /* obj returned will always be non-null */
59474 ++ return obj;
59475 ++}
59476 ++
59477 ++/* returns 0 when allowing, non-zero on error
59478 ++ op of 0 is used for readdir, so we don't log the names of hidden files
59479 ++*/
59480 ++__u32
59481 ++gr_handle_sysctl(const struct ctl_table *table, const int op)
59482 ++{
59483 ++ ctl_table *tmp;
59484 ++ const char *proc_sys = "/proc/sys";
59485 ++ char *path;
59486 ++ struct acl_object_label *obj;
59487 ++ unsigned short len = 0, pos = 0, depth = 0, i;
59488 ++ __u32 err = 0;
59489 ++ __u32 mode = 0;
59490 ++
59491 ++ if (unlikely(!(gr_status & GR_READY)))
59492 ++ return 0;
59493 ++
59494 ++ /* for now, ignore operations on non-sysctl entries if it's not a
59495 ++ readdir*/
59496 ++ if (table->child != NULL && op != 0)
59497 ++ return 0;
59498 ++
59499 ++ mode |= GR_FIND;
59500 ++ /* it's only a read if it's an entry, read on dirs is for readdir */
59501 ++ if (op & 004)
59502 ++ mode |= GR_READ;
59503 ++ if (op & 002)
59504 ++ mode |= GR_WRITE;
59505 ++
59506 ++ preempt_disable();
59507 ++
59508 ++ path = per_cpu_ptr(gr_shared_page[0], smp_processor_id());
59509 ++
59510 ++ /* it's only a read/write if it's an actual entry, not a dir
59511 ++ (which are opened for readdir)
59512 ++ */
59513 ++
59514 ++ /* convert the requested sysctl entry into a pathname */
59515 ++
59516 ++ for (tmp = (ctl_table *)table; tmp != NULL; tmp = tmp->parent) {
59517 ++ len += strlen(tmp->procname);
59518 ++ len++;
59519 ++ depth++;
59520 ++ }
59521 ++
59522 ++ if ((len + depth + strlen(proc_sys) + 1) > PAGE_SIZE) {
59523 ++ /* deny */
59524 ++ goto out;
59525 ++ }
59526 ++
59527 ++ memset(path, 0, PAGE_SIZE);
59528 ++
59529 ++ memcpy(path, proc_sys, strlen(proc_sys));
59530 ++
59531 ++ pos += strlen(proc_sys);
59532 ++
59533 ++ for (; depth > 0; depth--) {
59534 ++ path[pos] = '/';
59535 ++ pos++;
59536 ++ for (i = 1, tmp = (ctl_table *)table; tmp != NULL; tmp = tmp->parent) {
59537 ++ if (depth == i) {
59538 ++ memcpy(path + pos, tmp->procname,
59539 ++ strlen(tmp->procname));
59540 ++ pos += strlen(tmp->procname);
59541 ++ }
59542 ++ i++;
59543 ++ }
59544 ++ }
59545 ++
59546 ++ obj = gr_lookup_by_name(path, pos);
59547 ++ err = obj->mode & (mode | to_gr_audit(mode) | GR_SUPPRESS);
59548 ++
59549 ++ if (unlikely((current->acl->mode & (GR_LEARN | GR_INHERITLEARN)) &&
59550 ++ ((err & mode) != mode))) {
59551 ++ __u32 new_mode = mode;
59552 ++
59553 ++ new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
59554 ++
59555 ++ err = 0;
59556 ++ gr_log_learn_sysctl(current, path, new_mode);
59557 ++ } else if (!(err & GR_FIND) && !(err & GR_SUPPRESS) && op != 0) {
59558 ++ gr_log_hidden_sysctl(GR_DONT_AUDIT, GR_HIDDEN_ACL_MSG, path);
59559 ++ err = -ENOENT;
59560 ++ } else if (!(err & GR_FIND)) {
59561 ++ err = -ENOENT;
59562 ++ } else if (((err & mode) & ~GR_FIND) != (mode & ~GR_FIND) && !(err & GR_SUPPRESS)) {
59563 ++ gr_log_str4(GR_DONT_AUDIT, GR_SYSCTL_ACL_MSG, "denied",
59564 ++ path, (mode & GR_READ) ? " reading" : "",
59565 ++ (mode & GR_WRITE) ? " writing" : "");
59566 ++ err = -EACCES;
59567 ++ } else if ((err & mode) != mode) {
59568 ++ err = -EACCES;
59569 ++ } else if ((((err & mode) & ~GR_FIND) == (mode & ~GR_FIND)) && (err & GR_AUDITS)) {
59570 ++ gr_log_str4(GR_DO_AUDIT, GR_SYSCTL_ACL_MSG, "successful",
59571 ++ path, (mode & GR_READ) ? " reading" : "",
59572 ++ (mode & GR_WRITE) ? " writing" : "");
59573 ++ err = 0;
59574 ++ } else
59575 ++ err = 0;
59576 ++
59577 ++ out:
59578 ++ preempt_enable();
59579 ++
59580 ++ return err;
59581 ++}
59582 ++#endif
59583 ++
59584 ++int
59585 ++gr_handle_proc_ptrace(struct task_struct *task)
59586 ++{
59587 ++ struct file *filp;
59588 ++ struct task_struct *tmp = task;
59589 ++ struct task_struct *curtemp = current;
59590 ++ __u32 retmode;
59591 ++
59592 ++ if (unlikely(!(gr_status & GR_READY)))
59593 ++ return 0;
59594 ++
59595 ++ read_lock(&tasklist_lock);
59596 ++ read_lock(&grsec_exec_file_lock);
59597 ++ filp = task->exec_file;
59598 ++
59599 ++ while (tmp->pid > 0) {
59600 ++ if (tmp == curtemp)
59601 ++ break;
59602 ++ tmp = tmp->parent;
59603 ++ }
59604 ++
59605 ++ if (!filp || (tmp->pid == 0 && !(current->acl->mode & GR_RELAXPTRACE))) {
59606 ++ read_unlock(&grsec_exec_file_lock);
59607 ++ read_unlock(&tasklist_lock);
59608 ++ return 1;
59609 ++ }
59610 ++
59611 ++ retmode = gr_search_file(filp->f_dentry, GR_NOPTRACE, filp->f_vfsmnt);
59612 ++ read_unlock(&grsec_exec_file_lock);
59613 ++ read_unlock(&tasklist_lock);
59614 ++
59615 ++ if (retmode & GR_NOPTRACE)
59616 ++ return 1;
59617 ++
59618 ++ if (!(current->acl->mode & GR_POVERRIDE) && !(current->role->roletype & GR_ROLE_GOD)
59619 ++ && (current->acl != task->acl || (current->acl != current->role->root_label
59620 ++ && current->pid != task->pid)))
59621 ++ return 1;
59622 ++
59623 ++ return 0;
59624 ++}
59625 ++
59626 ++int
59627 ++gr_handle_ptrace(struct task_struct *task, const long request)
59628 ++{
59629 ++ struct task_struct *tmp = task;
59630 ++ struct task_struct *curtemp = current;
59631 ++ __u32 retmode;
59632 ++
59633 ++ if (unlikely(!(gr_status & GR_READY)))
59634 ++ return 0;
59635 ++
59636 ++ read_lock(&tasklist_lock);
59637 ++ while (tmp->pid > 0) {
59638 ++ if (tmp == curtemp)
59639 ++ break;
59640 ++ tmp = tmp->parent;
59641 ++ }
59642 ++
59643 ++ if (tmp->pid == 0 && !(current->acl->mode & GR_RELAXPTRACE)) {
59644 ++ read_unlock(&tasklist_lock);
59645 ++ gr_log_ptrace(GR_DONT_AUDIT, GR_PTRACE_ACL_MSG, task);
59646 ++ return 1;
59647 ++ }
59648 ++ read_unlock(&tasklist_lock);
59649 ++
59650 ++ read_lock(&grsec_exec_file_lock);
59651 ++ if (unlikely(!task->exec_file)) {
59652 ++ read_unlock(&grsec_exec_file_lock);
59653 ++ return 0;
59654 ++ }
59655 ++
59656 ++ retmode = gr_search_file(task->exec_file->f_dentry, GR_PTRACERD | GR_NOPTRACE, task->exec_file->f_vfsmnt);
59657 ++ read_unlock(&grsec_exec_file_lock);
59658 ++
59659 ++ if (retmode & GR_NOPTRACE) {
59660 ++ gr_log_ptrace(GR_DONT_AUDIT, GR_PTRACE_ACL_MSG, task);
59661 ++ return 1;
59662 ++ }
59663 ++
59664 ++ if (retmode & GR_PTRACERD) {
59665 ++ switch (request) {
59666 ++ case PTRACE_POKETEXT:
59667 ++ case PTRACE_POKEDATA:
59668 ++ case PTRACE_POKEUSR:
59669 ++#if !defined(CONFIG_PPC32) && !defined(CONFIG_PPC64) && !defined(CONFIG_PARISC) && !defined(CONFIG_ALPHA) && !defined(CONFIG_IA64)
59670 ++ case PTRACE_SETREGS:
59671 ++ case PTRACE_SETFPREGS:
59672 ++#endif
59673 ++#ifdef CONFIG_X86
59674 ++ case PTRACE_SETFPXREGS:
59675 ++#endif
59676 ++#ifdef CONFIG_ALTIVEC
59677 ++ case PTRACE_SETVRREGS:
59678 ++#endif
59679 ++ return 1;
59680 ++ default:
59681 ++ return 0;
59682 ++ }
59683 ++ } else if (!(current->acl->mode & GR_POVERRIDE) &&
59684 ++ !(current->role->roletype & GR_ROLE_GOD) &&
59685 ++ (current->acl != task->acl)) {
59686 ++ gr_log_ptrace(GR_DONT_AUDIT, GR_PTRACE_ACL_MSG, task);
59687 ++ return 1;
59688 ++ }
59689 ++
59690 ++ return 0;
59691 ++}
59692 ++
59693 ++static int is_writable_mmap(const struct file *filp)
59694 ++{
59695 ++ struct task_struct *task = current;
59696 ++ struct acl_object_label *obj, *obj2;
59697 ++
59698 ++ if (gr_status & GR_READY && !(task->acl->mode & GR_OVERRIDE) &&
59699 ++ !task->is_writable && S_ISREG(filp->f_dentry->d_inode->i_mode)) {
59700 ++ obj = chk_obj_label(filp->f_dentry, filp->f_vfsmnt, default_role->root_label);
59701 ++ obj2 = chk_obj_label(filp->f_dentry, filp->f_vfsmnt,
59702 ++ task->role->root_label);
59703 ++ if (unlikely((obj->mode & GR_WRITE) || (obj2->mode & GR_WRITE))) {
59704 ++ gr_log_fs_generic(GR_DONT_AUDIT, GR_WRITLIB_ACL_MSG, filp->f_dentry, filp->f_vfsmnt);
59705 ++ return 1;
59706 ++ }
59707 ++ }
59708 ++ return 0;
59709 ++}
59710 ++
59711 ++int
59712 ++gr_acl_handle_mmap(const struct file *file, const unsigned long prot)
59713 ++{
59714 ++ __u32 mode;
59715 ++
59716 ++ if (unlikely(!file || !(prot & PROT_EXEC)))
59717 ++ return 1;
59718 ++
59719 ++ if (is_writable_mmap(file))
59720 ++ return 0;
59721 ++
59722 ++ mode =
59723 ++ gr_search_file(file->f_dentry,
59724 ++ GR_EXEC | GR_AUDIT_EXEC | GR_SUPPRESS,
59725 ++ file->f_vfsmnt);
59726 ++
59727 ++ if (!gr_tpe_allow(file))
59728 ++ return 0;
59729 ++
59730 ++ if (unlikely(!(mode & GR_EXEC) && !(mode & GR_SUPPRESS))) {
59731 ++ gr_log_fs_rbac_generic(GR_DONT_AUDIT, GR_MMAP_ACL_MSG, file->f_dentry, file->f_vfsmnt);
59732 ++ return 0;
59733 ++ } else if (unlikely(!(mode & GR_EXEC))) {
59734 ++ return 0;
59735 ++ } else if (unlikely(mode & GR_EXEC && mode & GR_AUDIT_EXEC)) {
59736 ++ gr_log_fs_rbac_generic(GR_DO_AUDIT, GR_MMAP_ACL_MSG, file->f_dentry, file->f_vfsmnt);
59737 ++ return 1;
59738 ++ }
59739 ++
59740 ++ return 1;
59741 ++}
59742 ++
59743 ++int
59744 ++gr_acl_handle_mprotect(const struct file *file, const unsigned long prot)
59745 ++{
59746 ++ __u32 mode;
59747 ++
59748 ++ if (unlikely(!file || !(prot & PROT_EXEC)))
59749 ++ return 1;
59750 ++
59751 ++ if (is_writable_mmap(file))
59752 ++ return 0;
59753 ++
59754 ++ mode =
59755 ++ gr_search_file(file->f_dentry,
59756 ++ GR_EXEC | GR_AUDIT_EXEC | GR_SUPPRESS,
59757 ++ file->f_vfsmnt);
59758 ++
59759 ++ if (!gr_tpe_allow(file))
59760 ++ return 0;
59761 ++
59762 ++ if (unlikely(!(mode & GR_EXEC) && !(mode & GR_SUPPRESS))) {
59763 ++ gr_log_fs_rbac_generic(GR_DONT_AUDIT, GR_MPROTECT_ACL_MSG, file->f_dentry, file->f_vfsmnt);
59764 ++ return 0;
59765 ++ } else if (unlikely(!(mode & GR_EXEC))) {
59766 ++ return 0;
59767 ++ } else if (unlikely(mode & GR_EXEC && mode & GR_AUDIT_EXEC)) {
59768 ++ gr_log_fs_rbac_generic(GR_DO_AUDIT, GR_MPROTECT_ACL_MSG, file->f_dentry, file->f_vfsmnt);
59769 ++ return 1;
59770 ++ }
59771 ++
59772 ++ return 1;
59773 ++}
59774 ++
59775 ++void
59776 ++gr_acl_handle_psacct(struct task_struct *task, const long code)
59777 ++{
59778 ++ unsigned long runtime;
59779 ++ unsigned long cputime;
59780 ++ unsigned int wday, cday;
59781 ++ __u8 whr, chr;
59782 ++ __u8 wmin, cmin;
59783 ++ __u8 wsec, csec;
59784 ++ struct timespec timeval;
59785 ++
59786 ++ if (unlikely(!(gr_status & GR_READY) || !task->acl ||
59787 ++ !(task->acl->mode & GR_PROCACCT)))
59788 ++ return;
59789 ++
59790 ++ do_posix_clock_monotonic_gettime(&timeval);
59791 ++ runtime = timeval.tv_sec - task->start_time.tv_sec;
59792 ++ wday = runtime / (3600 * 24);
59793 ++ runtime -= wday * (3600 * 24);
59794 ++ whr = runtime / 3600;
59795 ++ runtime -= whr * 3600;
59796 ++ wmin = runtime / 60;
59797 ++ runtime -= wmin * 60;
59798 ++ wsec = runtime;
59799 ++
59800 ++ cputime = (task->utime + task->stime) / HZ;
59801 ++ cday = cputime / (3600 * 24);
59802 ++ cputime -= cday * (3600 * 24);
59803 ++ chr = cputime / 3600;
59804 ++ cputime -= chr * 3600;
59805 ++ cmin = cputime / 60;
59806 ++ cputime -= cmin * 60;
59807 ++ csec = cputime;
59808 ++
59809 ++ gr_log_procacct(GR_DO_AUDIT, GR_ACL_PROCACCT_MSG, task, wday, whr, wmin, wsec, cday, chr, cmin, csec, code);
59810 ++
59811 ++ return;
59812 ++}
59813 ++
59814 ++void gr_set_kernel_label(struct task_struct *task)
59815 ++{
59816 ++ if (gr_status & GR_READY) {
59817 ++ task->role = kernel_role;
59818 ++ task->acl = kernel_role->root_label;
59819 ++ }
59820 ++ return;
59821 ++}
59822 ++
59823 ++int gr_acl_handle_filldir(const struct file *file, const char *name, const unsigned int namelen, const ino_t ino)
59824 ++{
59825 ++ struct task_struct *task = current;
59826 ++ struct dentry *dentry = file->f_dentry;
59827 ++ struct vfsmount *mnt = file->f_vfsmnt;
59828 ++ struct acl_object_label *obj, *tmp;
59829 ++ struct acl_subject_label *subj;
59830 ++ unsigned int bufsize;
59831 ++ int is_not_root;
59832 ++ char *path;
59833 ++
59834 ++ if (unlikely(!(gr_status & GR_READY)))
59835 ++ return 1;
59836 ++
59837 ++ if (task->acl->mode & (GR_LEARN | GR_INHERITLEARN))
59838 ++ return 1;
59839 ++
59840 ++ /* ignore Eric Biederman */
59841 ++ if (IS_PRIVATE(dentry->d_inode))
59842 ++ return 1;
59843 ++
59844 ++ subj = task->acl;
59845 ++ do {
59846 ++ obj = lookup_acl_obj_label(ino, dentry->d_inode->i_sb->s_dev, subj);
59847 ++ if (obj != NULL)
59848 ++ return (obj->mode & GR_FIND) ? 1 : 0;
59849 ++ } while ((subj = subj->parent_subject));
59850 ++
59851 ++ obj = chk_obj_label(dentry, mnt, task->acl);
59852 ++ if (obj->globbed == NULL)
59853 ++ return (obj->mode & GR_FIND) ? 1 : 0;
59854 ++
59855 ++ is_not_root = ((obj->filename[0] == '/') &&
59856 ++ (obj->filename[1] == '\0')) ? 0 : 1;
59857 ++ bufsize = PAGE_SIZE - namelen - is_not_root;
59858 ++
59859 ++ /* check bufsize > PAGE_SIZE || bufsize == 0 */
59860 ++ if (unlikely((bufsize - 1) > (PAGE_SIZE - 1)))
59861 ++ return 1;
59862 ++
59863 ++ preempt_disable();
59864 ++ path = d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0], smp_processor_id()),
59865 ++ bufsize);
59866 ++
59867 ++ bufsize = strlen(path);
59868 ++
59869 ++ /* if base is "/", don't append an additional slash */
59870 ++ if (is_not_root)
59871 ++ *(path + bufsize) = '/';
59872 ++ memcpy(path + bufsize + is_not_root, name, namelen);
59873 ++ *(path + bufsize + namelen + is_not_root) = '\0';
59874 ++
59875 ++ tmp = obj->globbed;
59876 ++ while (tmp) {
59877 ++ if (!glob_match(tmp->filename, path)) {
59878 ++ preempt_enable();
59879 ++ return (tmp->mode & GR_FIND) ? 1 : 0;
59880 ++ }
59881 ++ tmp = tmp->next;
59882 ++ }
59883 ++ preempt_enable();
59884 ++ return (obj->mode & GR_FIND) ? 1 : 0;
59885 ++}
59886 ++
59887 ++EXPORT_SYMBOL(gr_learn_resource);
59888 ++EXPORT_SYMBOL(gr_set_kernel_label);
59889 ++#ifdef CONFIG_SECURITY
59890 ++EXPORT_SYMBOL(gr_check_user_change);
59891 ++EXPORT_SYMBOL(gr_check_group_change);
59892 ++#endif
59893 ++
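Review bot: in gr_handle_sysctl the error variable and the return type are both `__u32`, yet the function stores `err = -ENOENT;` and `err = -EACCES;` into it, so a negative errno travels back to the caller as a large unsigned bitmask value and any `if (err < 0)` check at the call site will never fire; return `int` (or a separate errno out-parameter) and keep the `__u32` only for the mode bits. In the same function `len`, `pos` and `depth` are `unsigned short`, so the `len += strlen(tmp->procname);` accumulation can wrap before the `(len + depth + strlen(proc_sys) + 1) > PAGE_SIZE` guard runs; declaring them `size_t` makes the bound check reliable. The `obj->mode & (...)` dereference after `gr_lookup_by_name()` also relies on the "obj returned will always be non-null" comment, which in turn relies on every subject chain carrying a "/" object; worth stating that invariant where gr_lookup_by_name is declared.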
59894 +diff -urNp linux-2.6.24.5/grsecurity/gracl_cap.c linux-2.6.24.5/grsecurity/gracl_cap.c
59895 +--- linux-2.6.24.5/grsecurity/gracl_cap.c 1969-12-31 19:00:00.000000000 -0500
59896 ++++ linux-2.6.24.5/grsecurity/gracl_cap.c 2008-03-26 23:01:12.000000000 -0400
59897 +@@ -0,0 +1,113 @@
59898 ++#include <linux/kernel.h>
59899 ++#include <linux/module.h>
59900 ++#include <linux/sched.h>
59901 ++#include <linux/capability.h>
59902 ++#include <linux/gracl.h>
59903 ++#include <linux/grsecurity.h>
59904 ++#include <linux/grinternal.h>
59905 ++
59906 ++static const char *captab_log[] = {
59907 ++ "CAP_CHOWN",
59908 ++ "CAP_DAC_OVERRIDE",
59909 ++ "CAP_DAC_READ_SEARCH",
59910 ++ "CAP_FOWNER",
59911 ++ "CAP_FSETID",
59912 ++ "CAP_KILL",
59913 ++ "CAP_SETGID",
59914 ++ "CAP_SETUID",
59915 ++ "CAP_SETPCAP",
59916 ++ "CAP_LINUX_IMMUTABLE",
59917 ++ "CAP_NET_BIND_SERVICE",
59918 ++ "CAP_NET_BROADCAST",
59919 ++ "CAP_NET_ADMIN",
59920 ++ "CAP_NET_RAW",
59921 ++ "CAP_IPC_LOCK",
59922 ++ "CAP_IPC_OWNER",
59923 ++ "CAP_SYS_MODULE",
59924 ++ "CAP_SYS_RAWIO",
59925 ++ "CAP_SYS_CHROOT",
59926 ++ "CAP_SYS_PTRACE",
59927 ++ "CAP_SYS_PACCT",
59928 ++ "CAP_SYS_ADMIN",
59929 ++ "CAP_SYS_BOOT",
59930 ++ "CAP_SYS_NICE",
59931 ++ "CAP_SYS_RESOURCE",
59932 ++ "CAP_SYS_TIME",
59933 ++ "CAP_SYS_TTY_CONFIG",
59934 ++ "CAP_MKNOD",
59935 ++ "CAP_LEASE",
59936 ++ "CAP_AUDIT_WRITE",
59937 ++ "CAP_AUDIT_CONTROL",
59938 ++ "CAP_SETFCAP"
59939 ++};
59940 ++
59941 ++EXPORT_SYMBOL(gr_task_is_capable);
59942 ++EXPORT_SYMBOL(gr_is_capable_nolog);
59943 ++
59944 ++int
59945 ++gr_task_is_capable(struct task_struct *task, const int cap)
59946 ++{
59947 ++ struct acl_subject_label *curracl;
59948 ++ __u32 cap_drop = 0, cap_mask = 0;
59949 ++
59950 ++ if (!gr_acl_is_enabled())
59951 ++ return 1;
59952 ++
59953 ++ curracl = task->acl;
59954 ++
59955 ++ cap_drop = curracl->cap_lower;
59956 ++ cap_mask = curracl->cap_mask;
59957 ++
59958 ++ while ((curracl = curracl->parent_subject)) {
59959 ++ if (!(cap_mask & (1 << cap)) && (curracl->cap_mask & (1 << cap)))
59960 ++ cap_drop |= curracl->cap_lower & (1 << cap);
59961 ++ cap_mask |= curracl->cap_mask;
59962 ++ }
59963 ++
59964 ++ if (!cap_raised(cap_drop, cap))
59965 ++ return 1;
59966 ++
59967 ++ curracl = task->acl;
59968 ++
59969 ++ if ((curracl->mode & (GR_LEARN | GR_INHERITLEARN))
59970 ++ && cap_raised(task->cap_effective, cap)) {
59971 ++ security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename,
59972 ++ task->role->roletype, task->uid,
59973 ++ task->gid, task->exec_file ?
59974 ++ gr_to_filename(task->exec_file->f_dentry,
59975 ++ task->exec_file->f_vfsmnt) : curracl->filename,
59976 ++ curracl->filename, 0UL,
59977 ++ 0UL, "", (unsigned long) cap, NIPQUAD(task->signal->curr_ip));
59978 ++ return 1;
59979 ++ }
59980 ++
59981 ++ if ((cap >= 0) && (cap < (sizeof(captab_log)/sizeof(captab_log[0]))) && cap_raised(task->cap_effective, cap))
59982 ++ gr_log_cap(GR_DONT_AUDIT, GR_CAP_ACL_MSG, task, captab_log[cap]);
59983 ++ return 0;
59984 ++}
59985 ++
59986 ++int
59987 ++gr_is_capable_nolog(const int cap)
59988 ++{
59989 ++ struct acl_subject_label *curracl;
59990 ++ __u32 cap_drop = 0, cap_mask = 0;
59991 ++
59992 ++ if (!gr_acl_is_enabled())
59993 ++ return 1;
59994 ++
59995 ++ curracl = current->acl;
59996 ++
59997 ++ cap_drop = curracl->cap_lower;
59998 ++ cap_mask = curracl->cap_mask;
59999 ++
60000 ++ while ((curracl = curracl->parent_subject)) {
60001 ++ cap_drop |= curracl->cap_lower & (cap_mask & ~curracl->cap_mask);
60002 ++ cap_mask |= curracl->cap_mask;
60003 ++ }
60004 ++
60005 ++ if (!cap_raised(cap_drop, cap))
60006 ++ return 1;
60007 ++
60008 ++ return 0;
60009 ++}
60010 ++
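Review bot: the parent-subject walks in gr_task_is_capable and gr_is_capable_nolog compute `cap_drop` with opposite mask logic, so the two entry points can disagree on whether a capability is dropped. gr_task_is_capable only inherits a parent's `cap_lower` bit when the child mask lacks it and the parent mask has it (`!(cap_mask & (1 << cap)) && (curracl->cap_mask & (1 << cap))`), whereas gr_is_capable_nolog uses `cap_drop |= curracl->cap_lower & (cap_mask & ~curracl->cap_mask);`, which selects bits already present in the child mask and absent from the parent mask, the inverse condition. The nolog variant should read `cap_drop |= curracl->cap_lower & (~cap_mask & curracl->cap_mask);`, and factoring the walk into one static helper used by both functions would keep them from drifting again.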
60011 +diff -urNp linux-2.6.24.5/grsecurity/gracl_fs.c linux-2.6.24.5/grsecurity/gracl_fs.c
60012 +--- linux-2.6.24.5/grsecurity/gracl_fs.c 1969-12-31 19:00:00.000000000 -0500
60013 ++++ linux-2.6.24.5/grsecurity/gracl_fs.c 2008-03-26 20:21:09.000000000 -0400
60014 +@@ -0,0 +1,423 @@
60015 ++#include <linux/kernel.h>
60016 ++#include <linux/sched.h>
60017 ++#include <linux/types.h>
60018 ++#include <linux/fs.h>
60019 ++#include <linux/file.h>
60020 ++#include <linux/stat.h>
60021 ++#include <linux/grsecurity.h>
60022 ++#include <linux/grinternal.h>
60023 ++#include <linux/gracl.h>
60024 ++
60025 ++__u32
60026 ++gr_acl_handle_hidden_file(const struct dentry * dentry,
60027 ++ const struct vfsmount * mnt)
60028 ++{
60029 ++ __u32 mode;
60030 ++
60031 ++ if (unlikely(!dentry->d_inode))
60032 ++ return GR_FIND;
60033 ++
60034 ++ mode =
60035 ++ gr_search_file(dentry, GR_FIND | GR_AUDIT_FIND | GR_SUPPRESS, mnt);
60036 ++
60037 ++ if (unlikely(mode & GR_FIND && mode & GR_AUDIT_FIND)) {
60038 ++ gr_log_fs_rbac_generic(GR_DO_AUDIT, GR_HIDDEN_ACL_MSG, dentry, mnt);
60039 ++ return mode;
60040 ++ } else if (unlikely(!(mode & GR_FIND) && !(mode & GR_SUPPRESS))) {
60041 ++ gr_log_fs_rbac_generic(GR_DONT_AUDIT, GR_HIDDEN_ACL_MSG, dentry, mnt);
60042 ++ return 0;
60043 ++ } else if (unlikely(!(mode & GR_FIND)))
60044 ++ return 0;
60045 ++
60046 ++ return GR_FIND;
60047 ++}
60048 ++
60049 ++__u32
60050 ++gr_acl_handle_open(const struct dentry * dentry, const struct vfsmount * mnt,
60051 ++ const int fmode)
60052 ++{
60053 ++ __u32 reqmode = GR_FIND;
60054 ++ __u32 mode;
60055 ++
60056 ++ if (unlikely(!dentry->d_inode))
60057 ++ return reqmode;
60058 ++
60059 ++ if (unlikely(fmode & O_APPEND))
60060 ++ reqmode |= GR_APPEND;
60061 ++ else if (unlikely(fmode & FMODE_WRITE))
60062 ++ reqmode |= GR_WRITE;
60063 ++ if (likely((fmode & FMODE_READ) && !(fmode & O_DIRECTORY)))
60064 ++ reqmode |= GR_READ;
60065 ++
60066 ++ mode =
60067 ++ gr_search_file(dentry, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS,
60068 ++ mnt);
60069 ++
60070 ++ if (unlikely(((mode & reqmode) == reqmode) && mode & GR_AUDITS)) {
60071 ++ gr_log_fs_rbac_mode2(GR_DO_AUDIT, GR_OPEN_ACL_MSG, dentry, mnt,
60072 ++ reqmode & GR_READ ? " reading" : "",
60073 ++ reqmode & GR_WRITE ? " writing" : reqmode &
60074 ++ GR_APPEND ? " appending" : "");
60075 ++ return reqmode;
60076 ++ } else
60077 ++ if (unlikely((mode & reqmode) != reqmode && !(mode & GR_SUPPRESS)))
60078 ++ {
60079 ++ gr_log_fs_rbac_mode2(GR_DONT_AUDIT, GR_OPEN_ACL_MSG, dentry, mnt,
60080 ++ reqmode & GR_READ ? " reading" : "",
60081 ++ reqmode & GR_WRITE ? " writing" : reqmode &
60082 ++ GR_APPEND ? " appending" : "");
60083 ++ return 0;
60084 ++ } else if (unlikely((mode & reqmode) != reqmode))
60085 ++ return 0;
60086 ++
60087 ++ return reqmode;
60088 ++}
60089 ++
60090 ++__u32
60091 ++gr_acl_handle_creat(const struct dentry * dentry,
60092 ++ const struct dentry * p_dentry,
60093 ++ const struct vfsmount * p_mnt, const int fmode,
60094 ++ const int imode)
60095 ++{
60096 ++ __u32 reqmode = GR_WRITE | GR_CREATE;
60097 ++ __u32 mode;
60098 ++
60099 ++ if (unlikely(fmode & O_APPEND))
60100 ++ reqmode |= GR_APPEND;
60101 ++ if (unlikely((fmode & FMODE_READ) && !(fmode & O_DIRECTORY)))
60102 ++ reqmode |= GR_READ;
60103 ++ if (unlikely((fmode & O_CREAT) && (imode & (S_ISUID | S_ISGID))))
60104 ++ reqmode |= GR_SETID;
60105 ++
60106 ++ mode =
60107 ++ gr_check_create(dentry, p_dentry, p_mnt,
60108 ++ reqmode | to_gr_audit(reqmode) | GR_SUPPRESS);
60109 ++
60110 ++ if (unlikely(((mode & reqmode) == reqmode) && mode & GR_AUDITS)) {
60111 ++ gr_log_fs_rbac_mode2(GR_DO_AUDIT, GR_CREATE_ACL_MSG, dentry, p_mnt,
60112 ++ reqmode & GR_READ ? " reading" : "",
60113 ++ reqmode & GR_WRITE ? " writing" : reqmode &
60114 ++ GR_APPEND ? " appending" : "");
60115 ++ return reqmode;
60116 ++ } else
60117 ++ if (unlikely((mode & reqmode) != reqmode && !(mode & GR_SUPPRESS)))
60118 ++ {
60119 ++ gr_log_fs_rbac_mode2(GR_DONT_AUDIT, GR_CREATE_ACL_MSG, dentry, p_mnt,
60120 ++ reqmode & GR_READ ? " reading" : "",
60121 ++ reqmode & GR_WRITE ? " writing" : reqmode &
60122 ++ GR_APPEND ? " appending" : "");
60123 ++ return 0;
60124 ++ } else if (unlikely((mode & reqmode) != reqmode))
60125 ++ return 0;
60126 ++
60127 ++ return reqmode;
60128 ++}
60129 ++
60130 ++__u32
60131 ++gr_acl_handle_access(const struct dentry * dentry, const struct vfsmount * mnt,
60132 ++ const int fmode)
60133 ++{
60134 ++ __u32 mode, reqmode = GR_FIND;
60135 ++
60136 ++ if ((fmode & S_IXOTH) && !S_ISDIR(dentry->d_inode->i_mode))
60137 ++ reqmode |= GR_EXEC;
60138 ++ if (fmode & S_IWOTH)
60139 ++ reqmode |= GR_WRITE;
60140 ++ if (fmode & S_IROTH)
60141 ++ reqmode |= GR_READ;
60142 ++
60143 ++ mode =
60144 ++ gr_search_file(dentry, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS,
60145 ++ mnt);
60146 ++
60147 ++ if (unlikely(((mode & reqmode) == reqmode) && mode & GR_AUDITS)) {
60148 ++ gr_log_fs_rbac_mode3(GR_DO_AUDIT, GR_ACCESS_ACL_MSG, dentry, mnt,
60149 ++ reqmode & GR_READ ? " reading" : "",
60150 ++ reqmode & GR_WRITE ? " writing" : "",
60151 ++ reqmode & GR_EXEC ? " executing" : "");
60152 ++ return reqmode;
60153 ++ } else
60154 ++ if (unlikely((mode & reqmode) != reqmode && !(mode & GR_SUPPRESS)))
60155 ++ {
60156 ++ gr_log_fs_rbac_mode3(GR_DONT_AUDIT, GR_ACCESS_ACL_MSG, dentry, mnt,
60157 ++ reqmode & GR_READ ? " reading" : "",
60158 ++ reqmode & GR_WRITE ? " writing" : "",
60159 ++ reqmode & GR_EXEC ? " executing" : "");
60160 ++ return 0;
60161 ++ } else if (unlikely((mode & reqmode) != reqmode))
60162 ++ return 0;
60163 ++
60164 ++ return reqmode;
60165 ++}
60166 ++
60167 ++static __u32 generic_fs_handler(const struct dentry *dentry, const struct vfsmount *mnt, __u32 reqmode, const char *fmt)
60168 ++{
60169 ++ __u32 mode;
60170 ++
60171 ++ mode = gr_search_file(dentry, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS, mnt);
60172 ++
60173 ++ if (unlikely(((mode & (reqmode)) == (reqmode)) && mode & GR_AUDITS)) {
60174 ++ gr_log_fs_rbac_generic(GR_DO_AUDIT, fmt, dentry, mnt);
60175 ++ return mode;
60176 ++ } else if (unlikely((mode & (reqmode)) != (reqmode) && !(mode & GR_SUPPRESS))) {
60177 ++ gr_log_fs_rbac_generic(GR_DONT_AUDIT, fmt, dentry, mnt);
60178 ++ return 0;
60179 ++ } else if (unlikely((mode & (reqmode)) != (reqmode)))
60180 ++ return 0;
60181 ++
60182 ++ return (reqmode);
60183 ++}
60184 ++
60185 ++__u32
60186 ++gr_acl_handle_rmdir(const struct dentry * dentry, const struct vfsmount * mnt)
60187 ++{
60188 ++ return generic_fs_handler(dentry, mnt, GR_WRITE | GR_DELETE , GR_RMDIR_ACL_MSG);
60189 ++}
60190 ++
60191 ++__u32
60192 ++gr_acl_handle_unlink(const struct dentry *dentry, const struct vfsmount *mnt)
60193 ++{
60194 ++ return generic_fs_handler(dentry, mnt, GR_WRITE | GR_DELETE , GR_UNLINK_ACL_MSG);
60195 ++}
60196 ++
60197 ++__u32
60198 ++gr_acl_handle_truncate(const struct dentry *dentry, const struct vfsmount *mnt)
60199 ++{
60200 ++ return generic_fs_handler(dentry, mnt, GR_WRITE, GR_TRUNCATE_ACL_MSG);
60201 ++}
60202 ++
60203 ++__u32
60204 ++gr_acl_handle_utime(const struct dentry *dentry, const struct vfsmount *mnt)
60205 ++{
60206 ++ return generic_fs_handler(dentry, mnt, GR_WRITE, GR_ATIME_ACL_MSG);
60207 ++}
60208 ++
60209 ++__u32
60210 ++gr_acl_handle_fchmod(const struct dentry *dentry, const struct vfsmount *mnt,
60211 ++ mode_t mode)
60212 ++{
60213 ++ if (unlikely(dentry->d_inode && S_ISSOCK(dentry->d_inode->i_mode)))
60214 ++ return 1;
60215 ++
60216 ++ if (unlikely((mode != (mode_t)-1) && (mode & (S_ISUID | S_ISGID)))) {
60217 ++ return generic_fs_handler(dentry, mnt, GR_WRITE | GR_SETID,
60218 ++ GR_FCHMOD_ACL_MSG);
60219 ++ } else {
60220 ++ return generic_fs_handler(dentry, mnt, GR_WRITE, GR_FCHMOD_ACL_MSG);
60221 ++ }
60222 ++}
60223 ++
60224 ++__u32
60225 ++gr_acl_handle_chmod(const struct dentry *dentry, const struct vfsmount *mnt,
60226 ++ mode_t mode)
60227 ++{
60228 ++ if (unlikely((mode != (mode_t)-1) && (mode & (S_ISUID | S_ISGID)))) {
60229 ++ return generic_fs_handler(dentry, mnt, GR_WRITE | GR_SETID,
60230 ++ GR_CHMOD_ACL_MSG);
60231 ++ } else {
60232 ++ return generic_fs_handler(dentry, mnt, GR_WRITE, GR_CHMOD_ACL_MSG);
60233 ++ }
60234 ++}
60235 ++
60236 ++__u32
60237 ++gr_acl_handle_chown(const struct dentry *dentry, const struct vfsmount *mnt)
60238 ++{
60239 ++ return generic_fs_handler(dentry, mnt, GR_WRITE, GR_CHOWN_ACL_MSG);
60240 ++}
60241 ++
60242 ++__u32
60243 ++gr_acl_handle_execve(const struct dentry *dentry, const struct vfsmount *mnt)
60244 ++{
60245 ++ return generic_fs_handler(dentry, mnt, GR_EXEC, GR_EXEC_ACL_MSG);
60246 ++}
60247 ++
60248 ++__u32
60249 ++gr_acl_handle_unix(const struct dentry *dentry, const struct vfsmount *mnt)
60250 ++{
60251 ++ return generic_fs_handler(dentry, mnt, GR_READ | GR_WRITE,
60252 ++ GR_UNIXCONNECT_ACL_MSG);
60253 ++}
60254 ++
60255 ++/* hardlinks require at minimum create permission,
60256 ++ any additional privilege required is based on the
60257 ++ privilege of the file being linked to
60258 ++*/
60259 ++__u32
60260 ++gr_acl_handle_link(const struct dentry * new_dentry,
60261 ++ const struct dentry * parent_dentry,
60262 ++ const struct vfsmount * parent_mnt,
60263 ++ const struct dentry * old_dentry,
60264 ++ const struct vfsmount * old_mnt, const char *to)
60265 ++{
60266 ++ __u32 mode;
60267 ++ __u32 needmode = GR_CREATE | GR_LINK;
60268 ++ __u32 needaudit = GR_AUDIT_CREATE | GR_AUDIT_LINK;
60269 ++
60270 ++ mode =
60271 ++ gr_check_link(new_dentry, parent_dentry, parent_mnt, old_dentry,
60272 ++ old_mnt);
60273 ++
60274 ++ if (unlikely(((mode & needmode) == needmode) && (mode & needaudit))) {
60275 ++ gr_log_fs_rbac_str(GR_DO_AUDIT, GR_LINK_ACL_MSG, old_dentry, old_mnt, to);
60276 ++ return mode;
60277 ++ } else if (unlikely(((mode & needmode) != needmode) && !(mode & GR_SUPPRESS))) {
60278 ++ gr_log_fs_rbac_str(GR_DONT_AUDIT, GR_LINK_ACL_MSG, old_dentry, old_mnt, to);
60279 ++ return 0;
60280 ++ } else if (unlikely((mode & needmode) != needmode))
60281 ++ return 0;
60282 ++
60283 ++ return 1;
60284 ++}
60285 ++
60286 ++__u32
60287 ++gr_acl_handle_symlink(const struct dentry * new_dentry,
60288 ++ const struct dentry * parent_dentry,
60289 ++ const struct vfsmount * parent_mnt, const char *from)
60290 ++{
60291 ++ __u32 needmode = GR_WRITE | GR_CREATE;
60292 ++ __u32 mode;
60293 ++
60294 ++ mode =
60295 ++ gr_check_create(new_dentry, parent_dentry, parent_mnt,
60296 ++ GR_CREATE | GR_AUDIT_CREATE |
60297 ++ GR_WRITE | GR_AUDIT_WRITE | GR_SUPPRESS);
60298 ++
60299 ++ if (unlikely(mode & GR_WRITE && mode & GR_AUDITS)) {
60300 ++ gr_log_fs_str_rbac(GR_DO_AUDIT, GR_SYMLINK_ACL_MSG, from, new_dentry, parent_mnt);
60301 ++ return mode;
60302 ++ } else if (unlikely(((mode & needmode) != needmode) && !(mode & GR_SUPPRESS))) {
60303 ++ gr_log_fs_str_rbac(GR_DONT_AUDIT, GR_SYMLINK_ACL_MSG, from, new_dentry, parent_mnt);
60304 ++ return 0;
60305 ++ } else if (unlikely((mode & needmode) != needmode))
60306 ++ return 0;
60307 ++
60308 ++ return (GR_WRITE | GR_CREATE);
60309 ++}
60310 ++
60311 ++static __u32 generic_fs_create_handler(const struct dentry *new_dentry, const struct dentry *parent_dentry, const struct vfsmount *parent_mnt, __u32 reqmode, const char *fmt)
60312 ++{
60313 ++ __u32 mode;
60314 ++
60315 ++ mode = gr_check_create(new_dentry, parent_dentry, parent_mnt, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS);
60316 ++
60317 ++ if (unlikely(((mode & (reqmode)) == (reqmode)) && mode & GR_AUDITS)) {
60318 ++ gr_log_fs_rbac_generic(GR_DO_AUDIT, fmt, new_dentry, parent_mnt);
60319 ++ return mode;
60320 ++ } else if (unlikely((mode & (reqmode)) != (reqmode) && !(mode & GR_SUPPRESS))) {
60321 ++ gr_log_fs_rbac_generic(GR_DONT_AUDIT, fmt, new_dentry, parent_mnt);
60322 ++ return 0;
60323 ++ } else if (unlikely((mode & (reqmode)) != (reqmode)))
60324 ++ return 0;
60325 ++
60326 ++ return (reqmode);
60327 ++}
60328 ++
60329 ++__u32
60330 ++gr_acl_handle_mknod(const struct dentry * new_dentry,
60331 ++ const struct dentry * parent_dentry,
60332 ++ const struct vfsmount * parent_mnt,
60333 ++ const int mode)
60334 ++{
60335 ++ __u32 reqmode = GR_WRITE | GR_CREATE;
60336 ++ if (unlikely(mode & (S_ISUID | S_ISGID)))
60337 ++ reqmode |= GR_SETID;
60338 ++
60339 ++ return generic_fs_create_handler(new_dentry, parent_dentry, parent_mnt,
60340 ++ reqmode, GR_MKNOD_ACL_MSG);
60341 ++}
60342 ++
60343 ++__u32
60344 ++gr_acl_handle_mkdir(const struct dentry *new_dentry,
60345 ++ const struct dentry *parent_dentry,
60346 ++ const struct vfsmount *parent_mnt)
60347 ++{
60348 ++ return generic_fs_create_handler(new_dentry, parent_dentry, parent_mnt,
60349 ++ GR_WRITE | GR_CREATE, GR_MKDIR_ACL_MSG);
60350 ++}
60351 ++
60352 ++#define RENAME_CHECK_SUCCESS(old, new) \
60353 ++ (((old & (GR_WRITE | GR_READ)) == (GR_WRITE | GR_READ)) && \
60354 ++ ((new & (GR_WRITE | GR_READ)) == (GR_WRITE | GR_READ)))
60355 ++
60356 ++int
60357 ++gr_acl_handle_rename(struct dentry *new_dentry,
60358 ++ struct dentry *parent_dentry,
60359 ++ const struct vfsmount *parent_mnt,
60360 ++ struct dentry *old_dentry,
60361 ++ struct inode *old_parent_inode,
60362 ++ struct vfsmount *old_mnt, const char *newname)
60363 ++{
60364 ++ __u32 comp1, comp2;
60365 ++ int error = 0;
60366 ++
60367 ++ if (unlikely(!gr_acl_is_enabled()))
60368 ++ return 0;
60369 ++
60370 ++ if (!new_dentry->d_inode) {
60371 ++ comp1 = gr_check_create(new_dentry, parent_dentry, parent_mnt,
60372 ++ GR_READ | GR_WRITE | GR_CREATE | GR_AUDIT_READ |
60373 ++ GR_AUDIT_WRITE | GR_AUDIT_CREATE | GR_SUPPRESS);
60374 ++ comp2 = gr_search_file(old_dentry, GR_READ | GR_WRITE |
60375 ++ GR_DELETE | GR_AUDIT_DELETE |
60376 ++ GR_AUDIT_READ | GR_AUDIT_WRITE |
60377 ++ GR_SUPPRESS, old_mnt);
60378 ++ } else {
60379 ++ comp1 = gr_search_file(new_dentry, GR_READ | GR_WRITE |
60380 ++ GR_CREATE | GR_DELETE |
60381 ++ GR_AUDIT_CREATE | GR_AUDIT_DELETE |
60382 ++ GR_AUDIT_READ | GR_AUDIT_WRITE |
60383 ++ GR_SUPPRESS, parent_mnt);
60384 ++ comp2 =
60385 ++ gr_search_file(old_dentry,
60386 ++ GR_READ | GR_WRITE | GR_AUDIT_READ |
60387 ++ GR_DELETE | GR_AUDIT_DELETE |
60388 ++ GR_AUDIT_WRITE | GR_SUPPRESS, old_mnt);
60389 ++ }
60390 ++
60391 ++ if (RENAME_CHECK_SUCCESS(comp1, comp2) &&
60392 ++ ((comp1 & GR_AUDITS) || (comp2 & GR_AUDITS)))
60393 ++ gr_log_fs_rbac_str(GR_DO_AUDIT, GR_RENAME_ACL_MSG, old_dentry, old_mnt, newname);
60394 ++ else if (!RENAME_CHECK_SUCCESS(comp1, comp2) && !(comp1 & GR_SUPPRESS)
60395 ++ && !(comp2 & GR_SUPPRESS)) {
60396 ++ gr_log_fs_rbac_str(GR_DONT_AUDIT, GR_RENAME_ACL_MSG, old_dentry, old_mnt, newname);
60397 ++ error = -EACCES;
60398 ++ } else if (unlikely(!RENAME_CHECK_SUCCESS(comp1, comp2)))
60399 ++ error = -EACCES;
60400 ++
60401 ++ return error;
60402 ++}
60403 ++
60404 ++void
60405 ++gr_acl_handle_exit(void)
60406 ++{
60407 ++ u16 id;
60408 ++ char *rolename;
60409 ++ struct file *exec_file;
60410 ++
60411 ++ if (unlikely(current->acl_sp_role && gr_acl_is_enabled())) {
60412 ++ id = current->acl_role_id;
60413 ++ rolename = current->role->rolename;
60414 ++ gr_set_acls(1);
60415 ++ gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_SPROLEL_ACL_MSG, rolename, id);
60416 ++ }
60417 ++
60418 ++ write_lock(&grsec_exec_file_lock);
60419 ++ exec_file = current->exec_file;
60420 ++ current->exec_file = NULL;
60421 ++ write_unlock(&grsec_exec_file_lock);
60422 ++
60423 ++ if (exec_file)
60424 ++ fput(exec_file);
60425 ++}
60426 ++
60427 ++int
60428 ++gr_acl_handle_procpidmem(const struct task_struct *task)
60429 ++{
60430 ++ if (unlikely(!gr_acl_is_enabled()))
60431 ++ return 0;
60432 ++
60433 ++ if (task != current && task->acl->mode & GR_PROTPROCFD)
60434 ++ return -EACCES;
60435 ++
60436 ++ return 0;
60437 ++}
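Review bot: the audit branch of gr_acl_handle_symlink tests only `mode & GR_WRITE && mode & GR_AUDITS` rather than the full `needmode` (GR_WRITE | GR_CREATE), so a subject holding write plus an audit flag but lacking create takes the first branch and gets a non-zero `mode` returned as success, while generic_fs_create_handler below requires `(mode & reqmode) == reqmode` before it audits; suggest `if (unlikely(((mode & needmode) == needmode) && (mode & GR_AUDITS)))` so symlink matches the link and generic handlers. Minor style point: RENAME_CHECK_SUCCESS uses its `old` and `new` parameters unparenthesized; the callers here pass plain identifiers so it works, but `((old) & (GR_WRITE | GR_READ))` is the safer macro form.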
60438 +diff -urNp linux-2.6.24.5/grsecurity/gracl_ip.c linux-2.6.24.5/grsecurity/gracl_ip.c
60439 +--- linux-2.6.24.5/grsecurity/gracl_ip.c 1969-12-31 19:00:00.000000000 -0500
60440 ++++ linux-2.6.24.5/grsecurity/gracl_ip.c 2008-03-26 20:21:09.000000000 -0400
60441 +@@ -0,0 +1,313 @@
60442 ++#include <linux/kernel.h>
60443 ++#include <asm/uaccess.h>
60444 ++#include <asm/errno.h>
60445 ++#include <net/sock.h>
60446 ++#include <linux/file.h>
60447 ++#include <linux/fs.h>
60448 ++#include <linux/net.h>
60449 ++#include <linux/in.h>
60450 ++#include <linux/skbuff.h>
60451 ++#include <linux/ip.h>
60452 ++#include <linux/udp.h>
60453 ++#include <linux/smp_lock.h>
60454 ++#include <linux/types.h>
60455 ++#include <linux/sched.h>
60456 ++#include <linux/netdevice.h>
60457 ++#include <linux/inetdevice.h>
60458 ++#include <linux/gracl.h>
60459 ++#include <linux/grsecurity.h>
60460 ++#include <linux/grinternal.h>
60461 ++
60462 ++#define GR_BIND 0x01
60463 ++#define GR_CONNECT 0x02
60464 ++#define GR_INVERT 0x04
60465 ++
60466 ++static const char * gr_protocols[256] = {
60467 ++ "ip", "icmp", "igmp", "ggp", "ipencap", "st", "tcp", "cbt",
60468 ++ "egp", "igp", "bbn-rcc", "nvp", "pup", "argus", "emcon", "xnet",
60469 ++ "chaos", "udp", "mux", "dcn", "hmp", "prm", "xns-idp", "trunk-1",
60470 ++ "trunk-2", "leaf-1", "leaf-2", "rdp", "irtp", "iso-tp4", "netblt", "mfe-nsp",
60471 ++ "merit-inp", "sep", "3pc", "idpr", "xtp", "ddp", "idpr-cmtp", "tp++",
60472 ++ "il", "ipv6", "sdrp", "ipv6-route", "ipv6-frag", "idrp", "rsvp", "gre",
60473 ++ "mhrp", "bna", "ipv6-crypt", "ipv6-auth", "i-nlsp", "swipe", "narp", "mobile",
60474 ++ "tlsp", "skip", "ipv6-icmp", "ipv6-nonxt", "ipv6-opts", "unknown:61", "cftp", "unknown:63",
60475 ++ "sat-expak", "kryptolan", "rvd", "ippc", "unknown:68", "sat-mon", "visa", "ipcv",
60476 ++ "cpnx", "cphb", "wsn", "pvp", "br-sat-mon", "sun-nd", "wb-mon", "wb-expak",
60477 ++ "iso-ip", "vmtp", "secure-vmtp", "vines", "ttp", "nfsnet-igp", "dgp", "tcf",
60478 ++ "eigrp", "ospf", "sprite-rpc", "larp", "mtp", "ax.25", "ipip", "micp",
60479 ++ "scc-sp", "etherip", "encap", "unknown:99", "gmtp", "ifmp", "pnni", "pim",
60480 ++ "aris", "scps", "qnx", "a/n", "ipcomp", "snp", "compaq-peer", "ipx-in-ip",
60481 ++ "vrrp", "pgm", "unknown:114", "l2tp", "ddx", "iatp", "stp", "srp",
60482 ++ "uti", "smp", "sm", "ptp", "isis", "fire", "crtp", "crdup",
60483 ++ "sscopmce", "iplt", "sps", "pipe", "sctp", "fc", "unkown:134", "unknown:135",
60484 ++ "unknown:136", "unknown:137", "unknown:138", "unknown:139", "unknown:140", "unknown:141", "unknown:142", "unknown:143",
60485 ++ "unknown:144", "unknown:145", "unknown:146", "unknown:147", "unknown:148", "unknown:149", "unknown:150", "unknown:151",
60486 ++ "unknown:152", "unknown:153", "unknown:154", "unknown:155", "unknown:156", "unknown:157", "unknown:158", "unknown:159",
60487 ++ "unknown:160", "unknown:161", "unknown:162", "unknown:163", "unknown:164", "unknown:165", "unknown:166", "unknown:167",
60488 ++ "unknown:168", "unknown:169", "unknown:170", "unknown:171", "unknown:172", "unknown:173", "unknown:174", "unknown:175",
60489 ++ "unknown:176", "unknown:177", "unknown:178", "unknown:179", "unknown:180", "unknown:181", "unknown:182", "unknown:183",
60490 ++ "unknown:184", "unknown:185", "unknown:186", "unknown:187", "unknown:188", "unknown:189", "unknown:190", "unknown:191",
60491 ++ "unknown:192", "unknown:193", "unknown:194", "unknown:195", "unknown:196", "unknown:197", "unknown:198", "unknown:199",
60492 ++ "unknown:200", "unknown:201", "unknown:202", "unknown:203", "unknown:204", "unknown:205", "unknown:206", "unknown:207",
60493 ++ "unknown:208", "unknown:209", "unknown:210", "unknown:211", "unknown:212", "unknown:213", "unknown:214", "unknown:215",
60494 ++ "unknown:216", "unknown:217", "unknown:218", "unknown:219", "unknown:220", "unknown:221", "unknown:222", "unknown:223",
60495 ++ "unknown:224", "unknown:225", "unknown:226", "unknown:227", "unknown:228", "unknown:229", "unknown:230", "unknown:231",
60496 ++ "unknown:232", "unknown:233", "unknown:234", "unknown:235", "unknown:236", "unknown:237", "unknown:238", "unknown:239",
60497 ++ "unknown:240", "unknown:241", "unknown:242", "unknown:243", "unknown:244", "unknown:245", "unknown:246", "unknown:247",
60498 ++ "unknown:248", "unknown:249", "unknown:250", "unknown:251", "unknown:252", "unknown:253", "unknown:254", "unknown:255",
60499 ++ };
60500 ++
60501 ++static const char * gr_socktypes[11] = {
60502 ++ "unknown:0", "stream", "dgram", "raw", "rdm", "seqpacket", "unknown:6",
60503 ++ "unknown:7", "unknown:8", "unknown:9", "packet"
60504 ++ };
60505 ++
60506 ++const char *
60507 ++gr_proto_to_name(unsigned char proto)
60508 ++{
60509 ++ return gr_protocols[proto];
60510 ++}
60511 ++
60512 ++const char *
60513 ++gr_socktype_to_name(unsigned char type)
60514 ++{
60515 ++ return gr_socktypes[type];
60516 ++}
60517 ++
60518 ++int
60519 ++gr_search_socket(const int domain, const int type, const int protocol)
60520 ++{
60521 ++ struct acl_subject_label *curr;
60522 ++
60523 ++ if (unlikely(!gr_acl_is_enabled()))
60524 ++ goto exit;
60525 ++
60526 ++ if ((domain < 0) || (type < 0) || (protocol < 0) || (domain != PF_INET)
60527 ++ || (domain >= NPROTO) || (type >= SOCK_MAX) || (protocol > 255))
60528 ++ goto exit; // let the kernel handle it
60529 ++
60530 ++ curr = current->acl;
60531 ++
60532 ++ if (!curr->ips)
60533 ++ goto exit;
60534 ++
60535 ++ if ((curr->ip_type & (1 << type)) &&
60536 ++ (curr->ip_proto[protocol / 32] & (1 << (protocol % 32))))
60537 ++ goto exit;
60538 ++
60539 ++ if (curr->mode & (GR_LEARN | GR_INHERITLEARN)) {
60540 ++ /* we don't place acls on raw sockets , and sometimes
60541 ++ dgram/ip sockets are opened for ioctl and not
60542 ++ bind/connect, so we'll fake a bind learn log */
60543 ++ if (type == SOCK_RAW || type == SOCK_PACKET) {
60544 ++ __u32 fakeip = 0;
60545 ++ security_learn(GR_IP_LEARN_MSG, current->role->rolename,
60546 ++ current->role->roletype, current->uid,
60547 ++ current->gid, current->exec_file ?
60548 ++ gr_to_filename(current->exec_file->f_dentry,
60549 ++ current->exec_file->f_vfsmnt) :
60550 ++ curr->filename, curr->filename,
60551 ++ NIPQUAD(fakeip), 0, type,
60552 ++ protocol, GR_CONNECT,
60553 ++NIPQUAD(current->signal->curr_ip));
60554 ++ } else if ((type == SOCK_DGRAM) && (protocol == IPPROTO_IP)) {
60555 ++ __u32 fakeip = 0;
60556 ++ security_learn(GR_IP_LEARN_MSG, current->role->rolename,
60557 ++ current->role->roletype, current->uid,
60558 ++ current->gid, current->exec_file ?
60559 ++ gr_to_filename(current->exec_file->f_dentry,
60560 ++ current->exec_file->f_vfsmnt) :
60561 ++ curr->filename, curr->filename,
60562 ++ NIPQUAD(fakeip), 0, type,
60563 ++ protocol, GR_BIND, NIPQUAD(current->signal->curr_ip));
60564 ++ }
60565 ++ /* we'll log when they use connect or bind */
60566 ++ goto exit;
60567 ++ }
60568 ++
60569 ++ gr_log_str3(GR_DONT_AUDIT, GR_SOCK_MSG, "inet",
60570 ++ gr_socktype_to_name(type), gr_proto_to_name(protocol));
60571 ++
60572 ++ return 0;
60573 ++ exit:
60574 ++ return 1;
60575 ++}
60576 ++
60577 ++int check_ip_policy(struct acl_ip_label *ip, __u32 ip_addr, __u16 ip_port, __u8 protocol, const int mode, const int type, __u32 our_addr, __u32 our_netmask)
60578 ++{
60579 ++ if ((ip->mode & mode) &&
60580 ++ (ip_port >= ip->low) &&
60581 ++ (ip_port <= ip->high) &&
60582 ++ ((ntohl(ip_addr) & our_netmask) ==
60583 ++ (ntohl(our_addr) & our_netmask))
60584 ++ && (ip->proto[protocol / 32] & (1 << (protocol % 32)))
60585 ++ && (ip->type & (1 << type))) {
60586 ++ if (ip->mode & GR_INVERT)
60587 ++ return 2; // specifically denied
60588 ++ else
60589 ++ return 1; // allowed
60590 ++ }
60591 ++
60592 ++ return 0; // not specifically allowed, may continue parsing
60593 ++}
60594 ++
60595 ++static int
60596 ++gr_search_connectbind(const int mode, const struct sock *sk,
60597 ++ const struct sockaddr_in *addr, const int type)
60598 ++{
60599 ++ char iface[IFNAMSIZ] = {0};
60600 ++ struct acl_subject_label *curr;
60601 ++ struct acl_ip_label *ip;
60602 ++ struct net_device *dev;
60603 ++ struct in_device *idev;
60604 ++ unsigned long i;
60605 ++ int ret;
60606 ++ __u32 ip_addr = 0;
60607 ++ __u32 our_addr;
60608 ++ __u32 our_netmask;
60609 ++ char *p;
60610 ++ __u16 ip_port = 0;
60611 ++
60612 ++ if (unlikely(!gr_acl_is_enabled() || sk->sk_family != PF_INET))
60613 ++ return 1;
60614 ++
60615 ++ curr = current->acl;
60616 ++
60617 ++ if (!curr->ips)
60618 ++ return 1;
60619 ++
60620 ++ ip_addr = addr->sin_addr.s_addr;
60621 ++ ip_port = ntohs(addr->sin_port);
60622 ++
60623 ++ if (curr->mode & (GR_LEARN | GR_INHERITLEARN)) {
60624 ++ security_learn(GR_IP_LEARN_MSG, current->role->rolename,
60625 ++ current->role->roletype, current->uid,
60626 ++ current->gid, current->exec_file ?
60627 ++ gr_to_filename(current->exec_file->f_dentry,
60628 ++ current->exec_file->f_vfsmnt) :
60629 ++ curr->filename, curr->filename,
60630 ++ NIPQUAD(ip_addr), ip_port, type,
60631 ++ sk->sk_protocol, mode, NIPQUAD(current->signal->curr_ip));
60632 ++ return 1;
60633 ++ }
60634 ++
60635 ++ for (i = 0; i < curr->ip_num; i++) {
60636 ++ ip = *(curr->ips + i);
60637 ++ if (ip->iface != NULL) {
60638 ++ strncpy(iface, ip->iface, IFNAMSIZ - 1);
60639 ++ p = strchr(iface, ':');
60640 ++ if (p != NULL)
60641 ++ *p = '\0';
60642 ++ dev = dev_get_by_name(sk->sk_net, iface);
60643 ++ if (dev == NULL)
60644 ++ continue;
60645 ++ idev = in_dev_get(dev);
60646 ++ if (idev == NULL) {
60647 ++ dev_put(dev);
60648 ++ continue;
60649 ++ }
60650 ++ rcu_read_lock();
60651 ++ for_ifa(idev) {
60652 ++ if (!strcmp(ip->iface, ifa->ifa_label)) {
60653 ++ our_addr = ifa->ifa_address;
60654 ++ our_netmask = 0xffffffff;
60655 ++ ret = check_ip_policy(ip, ip_addr, ip_port, sk->sk_protocol, mode, type, our_addr, our_netmask);
60656 ++ if (ret == 1) {
60657 ++ rcu_read_unlock();
60658 ++ in_dev_put(idev);
60659 ++ dev_put(dev);
60660 ++ return 1;
60661 ++ } else if (ret == 2) {
60662 ++ rcu_read_unlock();
60663 ++ in_dev_put(idev);
60664 ++ dev_put(dev);
60665 ++ goto denied;
60666 ++ }
60667 ++ }
60668 ++ } endfor_ifa(idev);
60669 ++ rcu_read_unlock();
60670 ++ in_dev_put(idev);
60671 ++ dev_put(dev);
60672 ++ } else {
60673 ++ our_addr = ip->addr;
60674 ++ our_netmask = ip->netmask;
60675 ++ ret = check_ip_policy(ip, ip_addr, ip_port, sk->sk_protocol, mode, type, our_addr, our_netmask);
60676 ++ if (ret == 1)
60677 ++ return 1;
60678 ++ else if (ret == 2)
60679 ++ goto denied;
60680 ++ }
60681 ++ }
60682 ++
60683 ++denied:
60684 ++ if (mode == GR_BIND)
60685 ++ gr_log_int5_str2(GR_DONT_AUDIT, GR_BIND_ACL_MSG, NIPQUAD(ip_addr), ip_port, gr_socktype_to_name(type), gr_proto_to_name(sk->sk_protocol));
60686 ++ else if (mode == GR_CONNECT)
60687 ++ gr_log_int5_str2(GR_DONT_AUDIT, GR_CONNECT_ACL_MSG, NIPQUAD(ip_addr), ip_port, gr_socktype_to_name(type), gr_proto_to_name(sk->sk_protocol));
60688 ++
60689 ++ return 0;
60690 ++}
60691 ++
60692 ++int
60693 ++gr_search_connect(const struct socket *sock, const struct sockaddr_in *addr)
60694 ++{
60695 ++ return gr_search_connectbind(GR_CONNECT, sock->sk, addr, sock->type);
60696 ++}
60697 ++
60698 ++int
60699 ++gr_search_bind(const struct socket *sock, const struct sockaddr_in *addr)
60700 ++{
60701 ++ return gr_search_connectbind(GR_BIND, sock->sk, addr, sock->type);
60702 ++}
60703 ++
60704 ++int gr_search_listen(const struct socket *sock)
60705 ++{
60706 ++ struct sock *sk = sock->sk;
60707 ++ struct sockaddr_in addr;
60708 ++
60709 ++ addr.sin_addr.s_addr = inet_sk(sk)->saddr;
60710 ++ addr.sin_port = inet_sk(sk)->sport;
60711 ++
60712 ++ return gr_search_connectbind(GR_BIND, sock->sk, &addr, sock->type);
60713 ++}
60714 ++
60715 ++int gr_search_accept(const struct socket *sock)
60716 ++{
60717 ++ struct sock *sk = sock->sk;
60718 ++ struct sockaddr_in addr;
60719 ++
60720 ++ addr.sin_addr.s_addr = inet_sk(sk)->saddr;
60721 ++ addr.sin_port = inet_sk(sk)->sport;
60722 ++
60723 ++ return gr_search_connectbind(GR_BIND, sock->sk, &addr, sock->type);
60724 ++}
60725 ++
60726 ++int
60727 ++gr_search_udp_sendmsg(const struct sock *sk, const struct sockaddr_in *addr)
60728 ++{
60729 ++ if (addr)
60730 ++ return gr_search_connectbind(GR_CONNECT, sk, addr, SOCK_DGRAM);
60731 ++ else {
60732 ++ struct sockaddr_in sin;
60733 ++ const struct inet_sock *inet = inet_sk(sk);
60734 ++
60735 ++ sin.sin_addr.s_addr = inet->daddr;
60736 ++ sin.sin_port = inet->dport;
60737 ++
60738 ++ return gr_search_connectbind(GR_CONNECT, sk, &sin, SOCK_DGRAM);
60739 ++ }
60740 ++}
60741 ++
60742 ++int
60743 ++gr_search_udp_recvmsg(const struct sock *sk, const struct sk_buff *skb)
60744 ++{
60745 ++ struct sockaddr_in sin;
60746 ++
60747 ++ if (unlikely(skb->len < sizeof (struct udphdr)))
60748 ++ return 1; // skip this packet
60749 ++
60750 ++ sin.sin_addr.s_addr = ip_hdr(skb)->saddr;
60751 ++ sin.sin_port = udp_hdr(skb)->source;
60752 ++
60753 ++ return gr_search_connectbind(GR_CONNECT, sk, &sin, SOCK_DGRAM);
60754 ++}
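Review bot: gr_search_listen and gr_search_accept have identical bodies (both build a sockaddr_in from inet_sk(sk)->saddr and ->sport and call gr_search_connectbind with GR_BIND); one shared helper would stop the two from drifting apart, and a comment should say why accept is checked against the local address with GR_BIND rather than the peer address. The protocol name table has a typo at entry 134 ("unkown:134" should be "unknown:134"), which matters because these strings land in audit logs that tooling may grep. gr_socktype_to_name indexes the 11-entry gr_socktypes table with an unchecked `unsigned char`; the callers pass a kernel-validated `sock->type` (and gr_search_socket rejects `type >= SOCK_MAX` before it logs), so it is safe as written, but that precondition deserves a comment on the function.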
60755 +diff -urNp linux-2.6.24.5/grsecurity/gracl_learn.c linux-2.6.24.5/grsecurity/gracl_learn.c
60756 +--- linux-2.6.24.5/grsecurity/gracl_learn.c 1969-12-31 19:00:00.000000000 -0500
60757 ++++ linux-2.6.24.5/grsecurity/gracl_learn.c 2008-03-26 20:21:09.000000000 -0400
60758 +@@ -0,0 +1,211 @@
60759 ++#include <linux/kernel.h>
60760 ++#include <linux/mm.h>
60761 ++#include <linux/sched.h>
60762 ++#include <linux/poll.h>
60763 ++#include <linux/smp_lock.h>
60764 ++#include <linux/string.h>
60765 ++#include <linux/file.h>
60766 ++#include <linux/types.h>
60767 ++#include <linux/vmalloc.h>
60768 ++#include <linux/grinternal.h>
60769 ++
60770 ++extern ssize_t write_grsec_handler(struct file * file, const char __user * buf,
60771 ++ size_t count, loff_t *ppos);
60772 ++extern int gr_acl_is_enabled(void);
60773 ++
60774 ++static DECLARE_WAIT_QUEUE_HEAD(learn_wait);
60775 ++static int gr_learn_attached;
60776 ++
60777 ++/* use a 512k buffer */
60778 ++#define LEARN_BUFFER_SIZE (512 * 1024)
60779 ++
60780 ++static spinlock_t gr_learn_lock = SPIN_LOCK_UNLOCKED;
60781 ++static DECLARE_MUTEX(gr_learn_user_sem);
60782 ++
60783 ++/* we need to maintain two buffers, so that the kernel context of grlearn
60784 ++ uses a semaphore around the userspace copying, and the other kernel contexts
60785 ++ use a spinlock when copying into the buffer, since they cannot sleep
60786 ++*/
60787 ++static char *learn_buffer;
60788 ++static char *learn_buffer_user;
60789 ++static int learn_buffer_len;
60790 ++static int learn_buffer_user_len;
60791 ++
60792 ++static ssize_t
60793 ++read_learn(struct file *file, char __user * buf, size_t count, loff_t * ppos)
60794 ++{
60795 ++ DECLARE_WAITQUEUE(wait, current);
60796 ++ ssize_t retval = 0;
60797 ++
60798 ++ add_wait_queue(&learn_wait, &wait);
60799 ++ set_current_state(TASK_INTERRUPTIBLE);
60800 ++ do {
60801 ++ down(&gr_learn_user_sem);
60802 ++ spin_lock(&gr_learn_lock);
60803 ++ if (learn_buffer_len)
60804 ++ break;
60805 ++ spin_unlock(&gr_learn_lock);
60806 ++ up(&gr_learn_user_sem);
60807 ++ if (file->f_flags & O_NONBLOCK) {
60808 ++ retval = -EAGAIN;
60809 ++ goto out;
60810 ++ }
60811 ++ if (signal_pending(current)) {
60812 ++ retval = -ERESTARTSYS;
60813 ++ goto out;
60814 ++ }
60815 ++
60816 ++ schedule();
60817 ++ } while (1);
60818 ++
60819 ++ memcpy(learn_buffer_user, learn_buffer, learn_buffer_len);
60820 ++ learn_buffer_user_len = learn_buffer_len;
60821 ++ retval = learn_buffer_len;
60822 ++ learn_buffer_len = 0;
60823 ++
60824 ++ spin_unlock(&gr_learn_lock);
60825 ++
60826 ++ if (copy_to_user(buf, learn_buffer_user, learn_buffer_user_len))
60827 ++ retval = -EFAULT;
60828 ++
60829 ++ up(&gr_learn_user_sem);
60830 ++out:
60831 ++ set_current_state(TASK_RUNNING);
60832 ++ remove_wait_queue(&learn_wait, &wait);
60833 ++ return retval;
60834 ++}
60835 ++
60836 ++static unsigned int
60837 ++poll_learn(struct file * file, poll_table * wait)
60838 ++{
60839 ++ poll_wait(file, &learn_wait, wait);
60840 ++
60841 ++ if (learn_buffer_len)
60842 ++ return (POLLIN | POLLRDNORM);
60843 ++
60844 ++ return 0;
60845 ++}
60846 ++
60847 ++void
60848 ++gr_clear_learn_entries(void)
60849 ++{
60850 ++ char *tmp;
60851 ++
60852 ++ down(&gr_learn_user_sem);
60853 ++ if (learn_buffer != NULL) {
60854 ++ spin_lock(&gr_learn_lock);
60855 ++ tmp = learn_buffer;
60856 ++ learn_buffer = NULL;
60857 ++ spin_unlock(&gr_learn_lock);
60858 ++ vfree(learn_buffer);
60859 ++ }
60860 ++ if (learn_buffer_user != NULL) {
60861 ++ vfree(learn_buffer_user);
60862 ++ learn_buffer_user = NULL;
60863 ++ }
60864 ++ learn_buffer_len = 0;
60865 ++ up(&gr_learn_user_sem);
60866 ++
60867 ++ return;
60868 ++}
60869 ++
60870 ++void
60871 ++gr_add_learn_entry(const char *fmt, ...)
60872 ++{
60873 ++ va_list args;
60874 ++ unsigned int len;
60875 ++
60876 ++ if (!gr_learn_attached)
60877 ++ return;
60878 ++
60879 ++ spin_lock(&gr_learn_lock);
60880 ++
60881 ++ /* leave a gap at the end so we know when it's "full" but don't have to
60882 ++ compute the exact length of the string we're trying to append
60883 ++ */
60884 ++ if (learn_buffer_len > LEARN_BUFFER_SIZE - 16384) {
60885 ++ spin_unlock(&gr_learn_lock);
60886 ++ wake_up_interruptible(&learn_wait);
60887 ++ return;
60888 ++ }
60889 ++ if (learn_buffer == NULL) {
60890 ++ spin_unlock(&gr_learn_lock);
60891 ++ return;
60892 ++ }
60893 ++
60894 ++ va_start(args, fmt);
60895 ++ len = vsnprintf(learn_buffer + learn_buffer_len, LEARN_BUFFER_SIZE - learn_buffer_len, fmt, args);
60896 ++ va_end(args);
60897 ++
60898 ++ learn_buffer_len += len + 1;
60899 ++
60900 ++ spin_unlock(&gr_learn_lock);
60901 ++ wake_up_interruptible(&learn_wait);
60902 ++
60903 ++ return;
60904 ++}
60905 ++
60906 ++static int
60907 ++open_learn(struct inode *inode, struct file *file)
60908 ++{
60909 ++ if (file->f_mode & FMODE_READ && gr_learn_attached)
60910 ++ return -EBUSY;
60911 ++ if (file->f_mode & FMODE_READ) {
60912 ++ int retval = 0;
60913 ++ down(&gr_learn_user_sem);
60914 ++ if (learn_buffer == NULL)
60915 ++ learn_buffer = vmalloc(LEARN_BUFFER_SIZE);
60916 ++ if (learn_buffer_user == NULL)
60917 ++ learn_buffer_user = vmalloc(LEARN_BUFFER_SIZE);
60918 ++ if (learn_buffer == NULL) {
60919 ++ retval = -ENOMEM;
60920 ++ goto out_error;
60921 ++ }
60922 ++ if (learn_buffer_user == NULL) {
60923 ++ retval = -ENOMEM;
60924 ++ goto out_error;
60925 ++ }
60926 ++ learn_buffer_len = 0;
60927 ++ learn_buffer_user_len = 0;
60928 ++ gr_learn_attached = 1;
60929 ++out_error:
60930 ++ up(&gr_learn_user_sem);
60931 ++ return retval;
60932 ++ }
60933 ++ return 0;
60934 ++}
60935 ++
60936 ++static int
60937 ++close_learn(struct inode *inode, struct file *file)
60938 ++{
60939 ++ char *tmp;
60940 ++
60941 ++ if (file->f_mode & FMODE_READ) {
60942 ++ down(&gr_learn_user_sem);
60943 ++ if (learn_buffer != NULL) {
60944 ++ spin_lock(&gr_learn_lock);
60945 ++ tmp = learn_buffer;
60946 ++ learn_buffer = NULL;
60947 ++ spin_unlock(&gr_learn_lock);
60948 ++ vfree(tmp);
60949 ++ }
60950 ++ if (learn_buffer_user != NULL) {
60951 ++ vfree(learn_buffer_user);
60952 ++ learn_buffer_user = NULL;
60953 ++ }
60954 ++ learn_buffer_len = 0;
60955 ++ learn_buffer_user_len = 0;
60956 ++ gr_learn_attached = 0;
60957 ++ up(&gr_learn_user_sem);
60958 ++ }
60959 ++
60960 ++ return 0;
60961 ++}
60962 ++
60963 ++struct file_operations grsec_fops = {
60964 ++ .read = read_learn,
60965 ++ .write = write_grsec_handler,
60966 ++ .open = open_learn,
60967 ++ .release = close_learn,
60968 ++ .poll = poll_learn,
60969 ++};
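Review bot: gr_clear_learn_entries leaks the learn buffer: it saves `learn_buffer` in `tmp`, sets `learn_buffer = NULL`, and then calls `vfree(learn_buffer)` on the now-NULL pointer, so the 512k allocation is never released. close_learn below gets it right with `vfree(tmp)`; use the same line here. Secondary point in gr_add_learn_entry: `len` is the vsnprintf return value, which reports the length the full string would have had even when the output was truncated, so `learn_buffer_len += len + 1` can advance past LEARN_BUFFER_SIZE for a single entry larger than the 16k headroom and a later memcpy in read_learn would then read past the buffer; clamp `len` to the remaining space (or drop the entry) before adding it. Also, read_learn sets TASK_INTERRUPTIBLE once before the loop, but down() may sleep and returns with the task TASK_RUNNING, after which schedule() returns immediately and the loop spins; moving set_current_state(TASK_INTERRUPTIBLE) inside the loop, just before schedule(), avoids that.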
60970 +diff -urNp linux-2.6.24.5/grsecurity/gracl_res.c linux-2.6.24.5/grsecurity/gracl_res.c
60971 +--- linux-2.6.24.5/grsecurity/gracl_res.c 1969-12-31 19:00:00.000000000 -0500
60972 ++++ linux-2.6.24.5/grsecurity/gracl_res.c 2008-03-26 20:21:09.000000000 -0400
60973 +@@ -0,0 +1,45 @@
60974 ++#include <linux/kernel.h>
60975 ++#include <linux/sched.h>
60976 ++#include <linux/gracl.h>
60977 ++#include <linux/grinternal.h>
60978 ++
60979 ++static const char *restab_log[] = {
60980 ++ [RLIMIT_CPU] = "RLIMIT_CPU",
60981 ++ [RLIMIT_FSIZE] = "RLIMIT_FSIZE",
60982 ++ [RLIMIT_DATA] = "RLIMIT_DATA",
60983 ++ [RLIMIT_STACK] = "RLIMIT_STACK",
60984 ++ [RLIMIT_CORE] = "RLIMIT_CORE",
60985 ++ [RLIMIT_RSS] = "RLIMIT_RSS",
60986 ++ [RLIMIT_NPROC] = "RLIMIT_NPROC",
60987 ++ [RLIMIT_NOFILE] = "RLIMIT_NOFILE",
60988 ++ [RLIMIT_MEMLOCK] = "RLIMIT_MEMLOCK",
60989 ++ [RLIMIT_AS] = "RLIMIT_AS",
60990 ++ [RLIMIT_LOCKS] = "RLIMIT_LOCKS",
60991 ++ [RLIMIT_LOCKS + 1] = "RLIMIT_CRASH"
60992 ++};
60993 ++
60994 ++void
60995 ++gr_log_resource(const struct task_struct *task,
60996 ++ const int res, const unsigned long wanted, const int gt)
60997 ++{
60998 ++ if (res == RLIMIT_NPROC &&
60999 ++ (cap_raised(task->cap_effective, CAP_SYS_ADMIN) ||
61000 ++ cap_raised(task->cap_effective, CAP_SYS_RESOURCE)))
61001 ++ return;
61002 ++ else if (res == RLIMIT_MEMLOCK &&
61003 ++ cap_raised(task->cap_effective, CAP_IPC_LOCK))
61004 ++ return;
61005 ++
61006 ++ if (!gr_acl_is_enabled() && !grsec_resource_logging)
61007 ++ return;
61008 ++
61009 ++ preempt_disable();
61010 ++
61011 ++ if (unlikely(((gt && wanted > task->signal->rlim[res].rlim_cur) ||
61012 ++ (!gt && wanted >= task->signal->rlim[res].rlim_cur)) &&
61013 ++ task->signal->rlim[res].rlim_cur != RLIM_INFINITY))
61014 ++ gr_log_res_ulong2_str(GR_DONT_AUDIT, GR_RESOURCE_MSG, task, wanted, restab_log[res], task->signal->rlim[res].rlim_cur);
61015 ++ preempt_enable_no_resched();
61016 ++
61017 ++ return;
61018 ++}
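Review bot: restab_log has only RLIMIT_LOCKS + 2 entries, yet gr_log_resource indexes it with `res` unchecked; the 2.6.24 kernel defines resources above RLIMIT_LOCKS (RLIMIT_SIGPENDING, RLIMIT_MSGQUEUE, RLIMIT_NICE, RLIMIT_RTPRIO), so the `[RLIMIT_LOCKS + 1] = "RLIMIT_CRASH"` slot aliases RLIMIT_SIGPENDING and any caller passing a higher value reads past the array. Suggest sizing the table `[RLIM_NLIMITS + 1]`, giving the crash pseudo-resource index RLIM_NLIMITS, and returning early when `res` is out of range. Minor: the CAP_SYS_ADMIN/CAP_SYS_RESOURCE and CAP_IPC_LOCK exemptions run before the `!gr_acl_is_enabled() && !grsec_resource_logging` check; testing the cheap global switch first is the usual ordering.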
61019 +diff -urNp linux-2.6.24.5/grsecurity/gracl_segv.c linux-2.6.24.5/grsecurity/gracl_segv.c
61020 +--- linux-2.6.24.5/grsecurity/gracl_segv.c 1969-12-31 19:00:00.000000000 -0500
61021 ++++ linux-2.6.24.5/grsecurity/gracl_segv.c 2008-03-26 20:21:09.000000000 -0400
61022 +@@ -0,0 +1,301 @@
61023 ++#include <linux/kernel.h>
61024 ++#include <linux/mm.h>
61025 ++#include <asm/uaccess.h>
61026 ++#include <asm/errno.h>
61027 ++#include <asm/mman.h>
61028 ++#include <net/sock.h>
61029 ++#include <linux/file.h>
61030 ++#include <linux/fs.h>
61031 ++#include <linux/net.h>
61032 ++#include <linux/in.h>
61033 ++#include <linux/smp_lock.h>
61034 ++#include <linux/slab.h>
61035 ++#include <linux/types.h>
61036 ++#include <linux/sched.h>
61037 ++#include <linux/timer.h>
61038 ++#include <linux/gracl.h>
61039 ++#include <linux/grsecurity.h>
61040 ++#include <linux/grinternal.h>
61041 ++
61042 ++static struct crash_uid *uid_set;
61043 ++static unsigned short uid_used;
61044 ++static spinlock_t gr_uid_lock = SPIN_LOCK_UNLOCKED;
61045 ++extern rwlock_t gr_inode_lock;
61046 ++extern struct acl_subject_label *
61047 ++ lookup_acl_subj_label(const ino_t inode, const dev_t dev,
61048 ++ struct acl_role_label *role);
61049 ++extern int specific_send_sig_info(int sig, struct siginfo *info, struct task_struct *t);
61050 ++
61051 ++int
61052 ++gr_init_uidset(void)
61053 ++{
61054 ++ uid_set =
61055 ++ kmalloc(GR_UIDTABLE_MAX * sizeof (struct crash_uid), GFP_KERNEL);
61056 ++ uid_used = 0;
61057 ++
61058 ++ return uid_set ? 1 : 0;
61059 ++}
61060 ++
61061 ++void
61062 ++gr_free_uidset(void)
61063 ++{
61064 ++ if (uid_set)
61065 ++ kfree(uid_set);
61066 ++
61067 ++ return;
61068 ++}
61069 ++
61070 ++int
61071 ++gr_find_uid(const uid_t uid)
61072 ++{
61073 ++ struct crash_uid *tmp = uid_set;
61074 ++ uid_t buid;
61075 ++ int low = 0, high = uid_used - 1, mid;
61076 ++
61077 ++ while (high >= low) {
61078 ++ mid = (low + high) >> 1;
61079 ++ buid = tmp[mid].uid;
61080 ++ if (buid == uid)
61081 ++ return mid;
61082 ++ if (buid > uid)
61083 ++ high = mid - 1;
61084 ++ if (buid < uid)
61085 ++ low = mid + 1;
61086 ++ }
61087 ++
61088 ++ return -1;
61089 ++}
61090 ++
61091 ++static __inline__ void
61092 ++gr_insertsort(void)
61093 ++{
61094 ++ unsigned short i, j;
61095 ++ struct crash_uid index;
61096 ++
61097 ++ for (i = 1; i < uid_used; i++) {
61098 ++ index = uid_set[i];
61099 ++ j = i;
61100 ++ while ((j > 0) && uid_set[j - 1].uid > index.uid) {
61101 ++ uid_set[j] = uid_set[j - 1];
61102 ++ j--;
61103 ++ }
61104 ++ uid_set[j] = index;
61105 ++ }
61106 ++
61107 ++ return;
61108 ++}
61109 ++
61110 ++static __inline__ void
61111 ++gr_insert_uid(const uid_t uid, const unsigned long expires)
61112 ++{
61113 ++ int loc;
61114 ++
61115 ++ if (uid_used == GR_UIDTABLE_MAX)
61116 ++ return;
61117 ++
61118 ++ loc = gr_find_uid(uid);
61119 ++
61120 ++ if (loc >= 0) {
61121 ++ uid_set[loc].expires = expires;
61122 ++ return;
61123 ++ }
61124 ++
61125 ++ uid_set[uid_used].uid = uid;
61126 ++ uid_set[uid_used].expires = expires;
61127 ++ uid_used++;
61128 ++
61129 ++ gr_insertsort();
61130 ++
61131 ++ return;
61132 ++}
61133 ++
61134 ++void
61135 ++gr_remove_uid(const unsigned short loc)
61136 ++{
61137 ++ unsigned short i;
61138 ++
61139 ++ for (i = loc + 1; i < uid_used; i++)
61140 ++ uid_set[i - 1] = uid_set[i];
61141 ++
61142 ++ uid_used--;
61143 ++
61144 ++ return;
61145 ++}
61146 ++
61147 ++int
61148 ++gr_check_crash_uid(const uid_t uid)
61149 ++{
61150 ++ int loc;
61151 ++ int ret = 0;
61152 ++
61153 ++ if (unlikely(!gr_acl_is_enabled()))
61154 ++ return 0;
61155 ++
61156 ++ spin_lock(&gr_uid_lock);
61157 ++ loc = gr_find_uid(uid);
61158 ++
61159 ++ if (loc < 0)
61160 ++ goto out_unlock;
61161 ++
61162 ++ if (time_before_eq(uid_set[loc].expires, get_seconds()))
61163 ++ gr_remove_uid(loc);
61164 ++ else
61165 ++ ret = 1;
61166 ++
61167 ++out_unlock:
61168 ++ spin_unlock(&gr_uid_lock);
61169 ++ return ret;
61170 ++}
61171 ++
61172 ++static __inline__ int
61173 ++proc_is_setxid(const struct task_struct *task)
61174 ++{
61175 ++ if (task->uid != task->euid || task->uid != task->suid ||
61176 ++ task->uid != task->fsuid)
61177 ++ return 1;
61178 ++ if (task->gid != task->egid || task->gid != task->sgid ||
61179 ++ task->gid != task->fsgid)
61180 ++ return 1;
61181 ++
61182 ++ return 0;
61183 ++}
61184 ++static __inline__ int
61185 ++gr_fake_force_sig(int sig, struct task_struct *t)
61186 ++{
61187 ++ unsigned long int flags;
61188 ++ int ret, blocked, ignored;
61189 ++ struct k_sigaction *action;
61190 ++
61191 ++ spin_lock_irqsave(&t->sighand->siglock, flags);
61192 ++ action = &t->sighand->action[sig-1];
61193 ++ ignored = action->sa.sa_handler == SIG_IGN;
61194 ++ blocked = sigismember(&t->blocked, sig);
61195 ++ if (blocked || ignored) {
61196 ++ action->sa.sa_handler = SIG_DFL;
61197 ++ if (blocked) {
61198 ++ sigdelset(&t->blocked, sig);
61199 ++ recalc_sigpending_and_wake(t);
61200 ++ }
61201 ++ }
61202 ++ ret = specific_send_sig_info(sig, (void*)1L, t);
61203 ++ spin_unlock_irqrestore(&t->sighand->siglock, flags);
61204 ++
61205 ++ return ret;
61206 ++}
61207 ++
61208 ++void
61209 ++gr_handle_crash(struct task_struct *task, const int sig)
61210 ++{
61211 ++ struct acl_subject_label *curr;
61212 ++ struct acl_subject_label *curr2;
61213 ++ struct task_struct *tsk, *tsk2;
61214 ++
61215 ++ if (sig != SIGSEGV && sig != SIGKILL && sig != SIGBUS && sig != SIGILL)
61216 ++ return;
61217 ++
61218 ++ if (unlikely(!gr_acl_is_enabled()))
61219 ++ return;
61220 ++
61221 ++ curr = task->acl;
61222 ++
61223 ++ if (!(curr->resmask & (1 << GR_CRASH_RES)))
61224 ++ return;
61225 ++
61226 ++ if (time_before_eq(curr->expires, get_seconds())) {
61227 ++ curr->expires = 0;
61228 ++ curr->crashes = 0;
61229 ++ }
61230 ++
61231 ++ curr->crashes++;
61232 ++
61233 ++ if (!curr->expires)
61234 ++ curr->expires = get_seconds() + curr->res[GR_CRASH_RES].rlim_max;
61235 ++
61236 ++ if ((curr->crashes >= curr->res[GR_CRASH_RES].rlim_cur) &&
61237 ++ time_after(curr->expires, get_seconds())) {
61238 ++ if (task->uid && proc_is_setxid(task)) {
61239 ++ gr_log_crash1(GR_DONT_AUDIT, GR_SEGVSTART_ACL_MSG, task, curr->res[GR_CRASH_RES].rlim_max);
61240 ++ spin_lock(&gr_uid_lock);
61241 ++ gr_insert_uid(task->uid, curr->expires);
61242 ++ spin_unlock(&gr_uid_lock);
61243 ++ curr->expires = 0;
61244 ++ curr->crashes = 0;
61245 ++ read_lock(&tasklist_lock);
61246 ++ do_each_thread(tsk2, tsk) {
61247 ++ if (tsk != task && tsk->uid == task->uid)
61248 ++ gr_fake_force_sig(SIGKILL, tsk);
61249 ++ } while_each_thread(tsk2, tsk);
61250 ++ read_unlock(&tasklist_lock);
61251 ++ } else {
61252 ++ gr_log_crash2(GR_DONT_AUDIT, GR_SEGVNOSUID_ACL_MSG, task, curr->res[GR_CRASH_RES].rlim_max);
61253 ++ read_lock(&tasklist_lock);
61254 ++ do_each_thread(tsk2, tsk) {
61255 ++ if (likely(tsk != task)) {
61256 ++ curr2 = tsk->acl;
61257 ++
61258 ++ if (curr2->device == curr->device &&
61259 ++ curr2->inode == curr->inode)
61260 ++ gr_fake_force_sig(SIGKILL, tsk);
61261 ++ }
61262 ++ } while_each_thread(tsk2, tsk);
61263 ++ read_unlock(&tasklist_lock);
61264 ++ }
61265 ++ }
61266 ++
61267 ++ return;
61268 ++}
61269 ++
61270 ++int
61271 ++gr_check_crash_exec(const struct file *filp)
61272 ++{
61273 ++ struct acl_subject_label *curr;
61274 ++
61275 ++ if (unlikely(!gr_acl_is_enabled()))
61276 ++ return 0;
61277 ++
61278 ++ read_lock(&gr_inode_lock);
61279 ++ curr = lookup_acl_subj_label(filp->f_dentry->d_inode->i_ino,
61280 ++ filp->f_dentry->d_inode->i_sb->s_dev,
61281 ++ current->role);
61282 ++ read_unlock(&gr_inode_lock);
61283 ++
61284 ++ if (!curr || !(curr->resmask & (1 << GR_CRASH_RES)) ||
61285 ++ (!curr->crashes && !curr->expires))
61286 ++ return 0;
61287 ++
61288 ++ if ((curr->crashes >= curr->res[GR_CRASH_RES].rlim_cur) &&
61289 ++ time_after(curr->expires, get_seconds()))
61290 ++ return 1;
61291 ++ else if (time_before_eq(curr->expires, get_seconds())) {
61292 ++ curr->crashes = 0;
61293 ++ curr->expires = 0;
61294 ++ }
61295 ++
61296 ++ return 0;
61297 ++}
61298 ++
61299 ++void
61300 ++gr_handle_alertkill(struct task_struct *task)
61301 ++{
61302 ++ struct acl_subject_label *curracl;
61303 ++ __u32 curr_ip;
61304 ++ struct task_struct *p, *p2;
61305 ++
61306 ++ if (unlikely(!gr_acl_is_enabled()))
61307 ++ return;
61308 ++
61309 ++ curracl = task->acl;
61310 ++ curr_ip = task->signal->curr_ip;
61311 ++
61312 ++ if ((curracl->mode & GR_KILLIPPROC) && curr_ip) {
61313 ++ read_lock(&tasklist_lock);
61314 ++ do_each_thread(p2, p) {
61315 ++ if (p->signal->curr_ip == curr_ip)
61316 ++ gr_fake_force_sig(SIGKILL, p);
61317 ++ } while_each_thread(p2, p);
61318 ++ read_unlock(&tasklist_lock);
61319 ++ } else if (curracl->mode & GR_KILLPROC)
61320 ++ gr_fake_force_sig(SIGKILL, task);
61321 ++
61322 ++ return;
61323 ++}
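Review bot: gr_free_uidset() leaves a dangling pointer: after `kfree(uid_set);` neither `uid_set` nor `uid_used` is reset, so a second call, or a later gr_find_uid()/gr_insert_uid() after the free, would walk freed memory; set `uid_set = NULL; uid_used = 0;` after the free (the `if (uid_set)` guard can go, since kfree(NULL) is a no-op). Separately, gr_handle_crash() and gr_check_crash_exec() update `curr->crashes` and `curr->expires` on a shared acl_subject_label with no lock held (gr_uid_lock only covers the uid table), so two threads of the same subject crashing together can lose an increment; either document which lock is meant to cover those fields or take one around the read-modify-write.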
61324 +diff -urNp linux-2.6.24.5/grsecurity/gracl_shm.c linux-2.6.24.5/grsecurity/gracl_shm.c
61325 +--- linux-2.6.24.5/grsecurity/gracl_shm.c 1969-12-31 19:00:00.000000000 -0500
61326 ++++ linux-2.6.24.5/grsecurity/gracl_shm.c 2008-03-26 20:21:09.000000000 -0400
61327 +@@ -0,0 +1,33 @@
61328 ++#include <linux/kernel.h>
61329 ++#include <linux/mm.h>
61330 ++#include <linux/sched.h>
61331 ++#include <linux/file.h>
61332 ++#include <linux/ipc.h>
61333 ++#include <linux/gracl.h>
61334 ++#include <linux/grsecurity.h>
61335 ++#include <linux/grinternal.h>
61336 ++
61337 ++int
61338 ++gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
61339 ++ const time_t shm_createtime, const uid_t cuid, const int shmid)
61340 ++{
61341 ++ struct task_struct *task;
61342 ++
61343 ++ if (!gr_acl_is_enabled())
61344 ++ return 1;
61345 ++
61346 ++ task = find_task_by_pid(shm_cprid);
61347 ++
61348 ++ if (unlikely(!task))
61349 ++ task = find_task_by_pid(shm_lapid);
61350 ++
61351 ++ if (unlikely(task && (time_before_eq((unsigned long)task->start_time.tv_sec, (unsigned long)shm_createtime) ||
61352 ++ (task->pid == shm_lapid)) &&
61353 ++ (task->acl->mode & GR_PROTSHM) &&
61354 ++ (task->acl != current->acl))) {
61355 ++ gr_log_int3(GR_DONT_AUDIT, GR_SHMAT_ACL_MSG, cuid, shm_cprid, shmid);
61356 ++ return 0;
61357 ++ }
61358 ++
61359 ++ return 1;
61360 ++}
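Review bot: gr_handle_shmat() dereferences the result of `find_task_by_pid(shm_cprid)` (task->start_time, task->acl) without holding tasklist_lock or an RCU read lock and without taking a reference, so the task can be reaped between lookup and use; gr_chroot_shmat() in grsec_chroot.c does the same lookup under `read_lock(&tasklist_lock)` and `task_lock(p)`, and this function should match it. A one-line comment on why shm_lapid is the fallback when the creator is gone would also help readers.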
61361 +diff -urNp linux-2.6.24.5/grsecurity/grsec_chdir.c linux-2.6.24.5/grsecurity/grsec_chdir.c
61362 +--- linux-2.6.24.5/grsecurity/grsec_chdir.c 1969-12-31 19:00:00.000000000 -0500
61363 ++++ linux-2.6.24.5/grsecurity/grsec_chdir.c 2008-03-26 20:21:09.000000000 -0400
61364 +@@ -0,0 +1,19 @@
61365 ++#include <linux/kernel.h>
61366 ++#include <linux/sched.h>
61367 ++#include <linux/fs.h>
61368 ++#include <linux/file.h>
61369 ++#include <linux/grsecurity.h>
61370 ++#include <linux/grinternal.h>
61371 ++
61372 ++void
61373 ++gr_log_chdir(const struct dentry *dentry, const struct vfsmount *mnt)
61374 ++{
61375 ++#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR
61376 ++ if ((grsec_enable_chdir && grsec_enable_group &&
61377 ++ in_group_p(grsec_audit_gid)) || (grsec_enable_chdir &&
61378 ++ !grsec_enable_group)) {
61379 ++ gr_log_fs_generic(GR_DO_AUDIT, GR_CHDIR_AUDIT_MSG, dentry, mnt);
61380 ++ }
61381 ++#endif
61382 ++ return;
61383 ++}
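Review bot: the audit condition in gr_log_chdir() repeats `grsec_enable_chdir` in both arms; `grsec_enable_chdir && (!grsec_enable_group || in_group_p(grsec_audit_gid))` says the same thing and reads better. The identical group-gating pattern appears again in gr_handle_exec_args() in grsec_exec.c, so a small shared helper would keep the two from drifting apart.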
61384 +diff -urNp linux-2.6.24.5/grsecurity/grsec_chroot.c linux-2.6.24.5/grsecurity/grsec_chroot.c
61385 +--- linux-2.6.24.5/grsecurity/grsec_chroot.c 1969-12-31 19:00:00.000000000 -0500
61386 ++++ linux-2.6.24.5/grsecurity/grsec_chroot.c 2008-03-26 20:21:09.000000000 -0400
61387 +@@ -0,0 +1,335 @@
61388 ++#include <linux/kernel.h>
61389 ++#include <linux/module.h>
61390 ++#include <linux/sched.h>
61391 ++#include <linux/file.h>
61392 ++#include <linux/fs.h>
61393 ++#include <linux/mount.h>
61394 ++#include <linux/types.h>
61395 ++#include <linux/pid_namespace.h>
61396 ++#include <linux/grsecurity.h>
61397 ++#include <linux/grinternal.h>
61398 ++
61399 ++int
61400 ++gr_handle_chroot_unix(const pid_t pid)
61401 ++{
61402 ++#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
61403 ++ struct pid *spid = NULL;
61404 ++
61405 ++ if (unlikely(!grsec_enable_chroot_unix))
61406 ++ return 1;
61407 ++
61408 ++ if (likely(!proc_is_chrooted(current)))
61409 ++ return 1;
61410 ++
61411 ++ read_lock(&tasklist_lock);
61412 ++
61413 ++ spid = find_pid(pid);
61414 ++ if (spid) {
61415 ++ struct task_struct *p;
61416 ++ p = pid_task(spid, PIDTYPE_PID);
61417 ++ task_lock(p);
61418 ++ if (unlikely(!have_same_root(current, p))) {
61419 ++ task_unlock(p);
61420 ++ read_unlock(&tasklist_lock);
61421 ++ gr_log_noargs(GR_DONT_AUDIT, GR_UNIX_CHROOT_MSG);
61422 ++ return 0;
61423 ++ }
61424 ++ task_unlock(p);
61425 ++ }
61426 ++ read_unlock(&tasklist_lock);
61427 ++#endif
61428 ++ return 1;
61429 ++}
61430 ++
61431 ++int
61432 ++gr_handle_chroot_nice(void)
61433 ++{
61434 ++#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
61435 ++ if (grsec_enable_chroot_nice && proc_is_chrooted(current)) {
61436 ++ gr_log_noargs(GR_DONT_AUDIT, GR_NICE_CHROOT_MSG);
61437 ++ return -EPERM;
61438 ++ }
61439 ++#endif
61440 ++ return 0;
61441 ++}
61442 ++
61443 ++int
61444 ++gr_handle_chroot_setpriority(struct task_struct *p, const int niceval)
61445 ++{
61446 ++#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
61447 ++ if (grsec_enable_chroot_nice && (niceval < task_nice(p))
61448 ++ && proc_is_chrooted(current)) {
61449 ++ gr_log_str_int(GR_DONT_AUDIT, GR_PRIORITY_CHROOT_MSG, p->comm, p->pid);
61450 ++ return -EACCES;
61451 ++ }
61452 ++#endif
61453 ++ return 0;
61454 ++}
61455 ++
61456 ++int
61457 ++gr_handle_chroot_rawio(const struct inode *inode)
61458 ++{
61459 ++#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
61460 ++ if (grsec_enable_chroot_caps && proc_is_chrooted(current) &&
61461 ++ inode && S_ISBLK(inode->i_mode) && !capable(CAP_SYS_RAWIO))
61462 ++ return 1;
61463 ++#endif
61464 ++ return 0;
61465 ++}
61466 ++
61467 ++int
61468 ++gr_pid_is_chrooted(struct task_struct *p)
61469 ++{
61470 ++#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
61471 ++ if (!grsec_enable_chroot_findtask || !proc_is_chrooted(current) || p == NULL)
61472 ++ return 0;
61473 ++
61474 ++ task_lock(p);
61475 ++ if ((p->exit_state & (EXIT_ZOMBIE | EXIT_DEAD)) ||
61476 ++ !have_same_root(current, p)) {
61477 ++ task_unlock(p);
61478 ++ return 1;
61479 ++ }
61480 ++ task_unlock(p);
61481 ++#endif
61482 ++ return 0;
61483 ++}
61484 ++
61485 ++EXPORT_SYMBOL(gr_pid_is_chrooted);
61486 ++
61487 ++#if defined(CONFIG_GRKERNSEC_CHROOT_DOUBLE) || defined(CONFIG_GRKERNSEC_CHROOT_FCHDIR)
61488 ++int gr_is_outside_chroot(const struct dentry *u_dentry, const struct vfsmount *u_mnt)
61489 ++{
61490 ++ struct dentry *dentry = (struct dentry *)u_dentry;
61491 ++ struct vfsmount *mnt = (struct vfsmount *)u_mnt;
61492 ++ struct dentry *realroot;
61493 ++ struct vfsmount *realrootmnt;
61494 ++ struct dentry *currentroot;
61495 ++ struct vfsmount *currentmnt;
61496 ++ struct task_struct *reaper = current->nsproxy->pid_ns->child_reaper;
61497 ++ int ret = 1;
61498 ++
61499 ++ read_lock(&reaper->fs->lock);
61500 ++ realrootmnt = mntget(reaper->fs->rootmnt);
61501 ++ realroot = dget(reaper->fs->root);
61502 ++ read_unlock(&reaper->fs->lock);
61503 ++
61504 ++ read_lock(&current->fs->lock);
61505 ++ currentmnt = mntget(current->fs->rootmnt);
61506 ++ currentroot = dget(current->fs->root);
61507 ++ read_unlock(&current->fs->lock);
61508 ++
61509 ++ spin_lock(&dcache_lock);
61510 ++ for (;;) {
61511 ++ if (unlikely((dentry == realroot && mnt == realrootmnt)
61512 ++ || (dentry == currentroot && mnt == currentmnt)))
61513 ++ break;
61514 ++ if (unlikely(dentry == mnt->mnt_root || IS_ROOT(dentry))) {
61515 ++ if (mnt->mnt_parent == mnt)
61516 ++ break;
61517 ++ dentry = mnt->mnt_mountpoint;
61518 ++ mnt = mnt->mnt_parent;
61519 ++ continue;
61520 ++ }
61521 ++ dentry = dentry->d_parent;
61522 ++ }
61523 ++ spin_unlock(&dcache_lock);
61524 ++
61525 ++ dput(currentroot);
61526 ++ mntput(currentmnt);
61527 ++
61528 ++ /* access is outside of chroot */
61529 ++ if (dentry == realroot && mnt == realrootmnt)
61530 ++ ret = 0;
61531 ++
61532 ++ dput(realroot);
61533 ++ mntput(realrootmnt);
61534 ++ return ret;
61535 ++}
61536 ++#endif
61537 ++
61538 ++int
61539 ++gr_chroot_fchdir(struct dentry *u_dentry, struct vfsmount *u_mnt)
61540 ++{
61541 ++#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
61542 ++ if (!grsec_enable_chroot_fchdir)
61543 ++ return 1;
61544 ++
61545 ++ if (!proc_is_chrooted(current))
61546 ++ return 1;
61547 ++ else if (!gr_is_outside_chroot(u_dentry, u_mnt)) {
61548 ++ gr_log_fs_generic(GR_DONT_AUDIT, GR_CHROOT_FCHDIR_MSG, u_dentry, u_mnt);
61549 ++ return 0;
61550 ++ }
61551 ++#endif
61552 ++ return 1;
61553 ++}
61554 ++
61555 ++int
61556 ++gr_chroot_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
61557 ++ const time_t shm_createtime)
61558 ++{
61559 ++#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT
61560 ++ struct pid *pid = NULL;
61561 ++ time_t starttime;
61562 ++
61563 ++ if (unlikely(!grsec_enable_chroot_shmat))
61564 ++ return 1;
61565 ++
61566 ++ if (likely(!proc_is_chrooted(current)))
61567 ++ return 1;
61568 ++
61569 ++ read_lock(&tasklist_lock);
61570 ++
61571 ++ pid = find_pid(shm_cprid);
61572 ++ if (pid) {
61573 ++ struct task_struct *p;
61574 ++ p = pid_task(pid, PIDTYPE_PID);
61575 ++ task_lock(p);
61576 ++ starttime = p->start_time.tv_sec;
61577 ++ if (unlikely(!have_same_root(current, p) &&
61578 ++ time_before_eq((unsigned long)starttime, (unsigned long)shm_createtime))) {
61579 ++ task_unlock(p);
61580 ++ read_unlock(&tasklist_lock);
61581 ++ gr_log_noargs(GR_DONT_AUDIT, GR_SHMAT_CHROOT_MSG);
61582 ++ return 0;
61583 ++ }
61584 ++ task_unlock(p);
61585 ++ } else {
61586 ++ pid = find_pid(shm_lapid);
61587 ++ if (pid) {
61588 ++ struct task_struct *p;
61589 ++ p = pid_task(pid, PIDTYPE_PID);
61590 ++ task_lock(p);
61591 ++ if (unlikely(!have_same_root(current, p))) {
61592 ++ task_unlock(p);
61593 ++ read_unlock(&tasklist_lock);
61594 ++ gr_log_noargs(GR_DONT_AUDIT, GR_SHMAT_CHROOT_MSG);
61595 ++ return 0;
61596 ++ }
61597 ++ task_unlock(p);
61598 ++ }
61599 ++ }
61600 ++
61601 ++ read_unlock(&tasklist_lock);
61602 ++#endif
61603 ++ return 1;
61604 ++}
61605 ++
61606 ++void
61607 ++gr_log_chroot_exec(const struct dentry *dentry, const struct vfsmount *mnt)
61608 ++{
61609 ++#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
61610 ++ if (grsec_enable_chroot_execlog && proc_is_chrooted(current))
61611 ++ gr_log_fs_generic(GR_DO_AUDIT, GR_EXEC_CHROOT_MSG, dentry, mnt);
61612 ++#endif
61613 ++ return;
61614 ++}
61615 ++
61616 ++int
61617 ++gr_handle_chroot_mknod(const struct dentry *dentry,
61618 ++ const struct vfsmount *mnt, const int mode)
61619 ++{
61620 ++#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
61621 ++ if (grsec_enable_chroot_mknod && !S_ISFIFO(mode) && !S_ISREG(mode) &&
61622 ++ proc_is_chrooted(current)) {
61623 ++ gr_log_fs_generic(GR_DONT_AUDIT, GR_MKNOD_CHROOT_MSG, dentry, mnt);
61624 ++ return -EPERM;
61625 ++ }
61626 ++#endif
61627 ++ return 0;
61628 ++}
61629 ++
61630 ++int
61631 ++gr_handle_chroot_mount(const struct dentry *dentry,
61632 ++ const struct vfsmount *mnt, const char *dev_name)
61633 ++{
61634 ++#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
61635 ++ if (grsec_enable_chroot_mount && proc_is_chrooted(current)) {
61636 ++ gr_log_str_fs(GR_DONT_AUDIT, GR_MOUNT_CHROOT_MSG, dev_name, dentry, mnt);
61637 ++ return -EPERM;
61638 ++ }
61639 ++#endif
61640 ++ return 0;
61641 ++}
61642 ++
61643 ++int
61644 ++gr_handle_chroot_pivot(void)
61645 ++{
61646 ++#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT
61647 ++ if (grsec_enable_chroot_pivot && proc_is_chrooted(current)) {
61648 ++ gr_log_noargs(GR_DONT_AUDIT, GR_PIVOT_CHROOT_MSG);
61649 ++ return -EPERM;
61650 ++ }
61651 ++#endif
61652 ++ return 0;
61653 ++}
61654 ++
61655 ++int
61656 ++gr_handle_chroot_chroot(const struct dentry *dentry, const struct vfsmount *mnt)
61657 ++{
61658 ++#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
61659 ++ if (grsec_enable_chroot_double && proc_is_chrooted(current) &&
61660 ++ !gr_is_outside_chroot(dentry, mnt)) {
61661 ++ gr_log_fs_generic(GR_DONT_AUDIT, GR_CHROOT_CHROOT_MSG, dentry, mnt);
61662 ++ return -EPERM;
61663 ++ }
61664 ++#endif
61665 ++ return 0;
61666 ++}
61667 ++
61668 ++void
61669 ++gr_handle_chroot_caps(struct task_struct *task)
61670 ++{
61671 ++#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
61672 ++ if (grsec_enable_chroot_caps && proc_is_chrooted(task)) {
61673 ++ task->cap_permitted =
61674 ++ cap_drop(task->cap_permitted, GR_CHROOT_CAPS);
61675 ++ task->cap_inheritable =
61676 ++ cap_drop(task->cap_inheritable, GR_CHROOT_CAPS);
61677 ++ task->cap_effective =
61678 ++ cap_drop(task->cap_effective, GR_CHROOT_CAPS);
61679 ++ }
61680 ++#endif
61681 ++ return;
61682 ++}
61683 ++
61684 ++int
61685 ++gr_handle_chroot_sysctl(const int op)
61686 ++{
61687 ++#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
61688 ++ if (grsec_enable_chroot_sysctl && proc_is_chrooted(current)
61689 ++ && (op & 002))
61690 ++ return -EACCES;
61691 ++#endif
61692 ++ return 0;
61693 ++}
61694 ++
61695 ++void
61696 ++gr_handle_chroot_chdir(struct dentry *dentry, struct vfsmount *mnt)
61697 ++{
61698 ++#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
61699 ++ if (grsec_enable_chroot_chdir)
61700 ++ set_fs_pwd(current->fs, mnt, dentry);
61701 ++#endif
61702 ++ return;
61703 ++}
61704 ++
61705 ++int
61706 ++gr_handle_chroot_chmod(const struct dentry *dentry,
61707 ++ const struct vfsmount *mnt, const int mode)
61708 ++{
61709 ++#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
61710 ++ if (grsec_enable_chroot_chmod &&
61711 ++ ((mode & S_ISUID) || ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP))) &&
61712 ++ proc_is_chrooted(current)) {
61713 ++ gr_log_fs_generic(GR_DONT_AUDIT, GR_CHMOD_CHROOT_MSG, dentry, mnt);
61714 ++ return -EPERM;
61715 ++ }
61716 ++#endif
61717 ++ return 0;
61718 ++}
61719 ++
61720 ++#ifdef CONFIG_SECURITY
61721 ++EXPORT_SYMBOL(gr_handle_chroot_caps);
61722 ++#endif
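Review bot: gr_handle_chroot_unix() and gr_chroot_shmat() call `task_lock(p)` on the result of `pid_task(spid, PIDTYPE_PID)` without checking it, but pid_task() returns NULL when the struct pid has no task attached for that type (for example a pid that survives only as a process-group or session id after its task has exited), which would oops under tasklist_lock; add `if (p)` around each task_lock/have_same_root block. Also, `op & 002` in gr_handle_chroot_sysctl() is a bare octal constant; a named write-bit macro or a comment stating that it denies sysctl writes from inside a chroot would make the check self-explanatory.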
61723 +diff -urNp linux-2.6.24.5/grsecurity/grsec_disabled.c linux-2.6.24.5/grsecurity/grsec_disabled.c
61724 +--- linux-2.6.24.5/grsecurity/grsec_disabled.c 1969-12-31 19:00:00.000000000 -0500
61725 ++++ linux-2.6.24.5/grsecurity/grsec_disabled.c 2008-03-26 20:21:09.000000000 -0400
61726 +@@ -0,0 +1,418 @@
61727 ++#include <linux/kernel.h>
61728 ++#include <linux/module.h>
61729 ++#include <linux/sched.h>
61730 ++#include <linux/file.h>
61731 ++#include <linux/fs.h>
61732 ++#include <linux/kdev_t.h>
61733 ++#include <linux/net.h>
61734 ++#include <linux/in.h>
61735 ++#include <linux/ip.h>
61736 ++#include <linux/skbuff.h>
61737 ++#include <linux/sysctl.h>
61738 ++
61739 ++#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
61740 ++void
61741 ++pax_set_initial_flags(struct linux_binprm *bprm)
61742 ++{
61743 ++ return;
61744 ++}
61745 ++#endif
61746 ++
61747 ++#ifdef CONFIG_SYSCTL
61748 ++__u32
61749 ++gr_handle_sysctl(const struct ctl_table * table, const int op)
61750 ++{
61751 ++ return 0;
61752 ++}
61753 ++#endif
61754 ++
61755 ++int
61756 ++gr_acl_is_enabled(void)
61757 ++{
61758 ++ return 0;
61759 ++}
61760 ++
61761 ++int
61762 ++gr_handle_rawio(const struct inode *inode)
61763 ++{
61764 ++ return 0;
61765 ++}
61766 ++
61767 ++void
61768 ++gr_acl_handle_psacct(struct task_struct *task, const long code)
61769 ++{
61770 ++ return;
61771 ++}
61772 ++
61773 ++int
61774 ++gr_handle_ptrace(struct task_struct *task, const long request)
61775 ++{
61776 ++ return 0;
61777 ++}
61778 ++
61779 ++int
61780 ++gr_handle_proc_ptrace(struct task_struct *task)
61781 ++{
61782 ++ return 0;
61783 ++}
61784 ++
61785 ++void
61786 ++gr_learn_resource(const struct task_struct *task,
61787 ++ const int res, const unsigned long wanted, const int gt)
61788 ++{
61789 ++ return;
61790 ++}
61791 ++
61792 ++int
61793 ++gr_set_acls(const int type)
61794 ++{
61795 ++ return 0;
61796 ++}
61797 ++
61798 ++int
61799 ++gr_check_hidden_task(const struct task_struct *tsk)
61800 ++{
61801 ++ return 0;
61802 ++}
61803 ++
61804 ++int
61805 ++gr_check_protected_task(const struct task_struct *task)
61806 ++{
61807 ++ return 0;
61808 ++}
61809 ++
61810 ++void
61811 ++gr_copy_label(struct task_struct *tsk)
61812 ++{
61813 ++ return;
61814 ++}
61815 ++
61816 ++void
61817 ++gr_set_pax_flags(struct task_struct *task)
61818 ++{
61819 ++ return;
61820 ++}
61821 ++
61822 ++int
61823 ++gr_set_proc_label(const struct dentry *dentry, const struct vfsmount *mnt)
61824 ++{
61825 ++ return 0;
61826 ++}
61827 ++
61828 ++void
61829 ++gr_handle_delete(const ino_t ino, const dev_t dev)
61830 ++{
61831 ++ return;
61832 ++}
61833 ++
61834 ++void
61835 ++gr_handle_create(const struct dentry *dentry, const struct vfsmount *mnt)
61836 ++{
61837 ++ return;
61838 ++}
61839 ++
61840 ++void
61841 ++gr_handle_crash(struct task_struct *task, const int sig)
61842 ++{
61843 ++ return;
61844 ++}
61845 ++
61846 ++int
61847 ++gr_check_crash_exec(const struct file *filp)
61848 ++{
61849 ++ return 0;
61850 ++}
61851 ++
61852 ++int
61853 ++gr_check_crash_uid(const uid_t uid)
61854 ++{
61855 ++ return 0;
61856 ++}
61857 ++
61858 ++void
61859 ++gr_handle_rename(struct inode *old_dir, struct inode *new_dir,
61860 ++ struct dentry *old_dentry,
61861 ++ struct dentry *new_dentry,
61862 ++ struct vfsmount *mnt, const __u8 replace)
61863 ++{
61864 ++ return;
61865 ++}
61866 ++
61867 ++int
61868 ++gr_search_socket(const int family, const int type, const int protocol)
61869 ++{
61870 ++ return 1;
61871 ++}
61872 ++
61873 ++int
61874 ++gr_search_connectbind(const int mode, const struct socket *sock,
61875 ++ const struct sockaddr_in *addr)
61876 ++{
61877 ++ return 1;
61878 ++}
61879 ++
61880 ++int
61881 ++gr_task_is_capable(struct task_struct *task, const int cap)
61882 ++{
61883 ++ return 1;
61884 ++}
61885 ++
61886 ++int
61887 ++gr_is_capable_nolog(const int cap)
61888 ++{
61889 ++ return 1;
61890 ++}
61891 ++
61892 ++void
61893 ++gr_handle_alertkill(struct task_struct *task)
61894 ++{
61895 ++ return;
61896 ++}
61897 ++
61898 ++__u32
61899 ++gr_acl_handle_execve(const struct dentry * dentry, const struct vfsmount * mnt)
61900 ++{
61901 ++ return 1;
61902 ++}
61903 ++
61904 ++__u32
61905 ++gr_acl_handle_hidden_file(const struct dentry * dentry,
61906 ++ const struct vfsmount * mnt)
61907 ++{
61908 ++ return 1;
61909 ++}
61910 ++
61911 ++__u32
61912 ++gr_acl_handle_open(const struct dentry * dentry, const struct vfsmount * mnt,
61913 ++ const int fmode)
61914 ++{
61915 ++ return 1;
61916 ++}
61917 ++
61918 ++__u32
61919 ++gr_acl_handle_rmdir(const struct dentry * dentry, const struct vfsmount * mnt)
61920 ++{
61921 ++ return 1;
61922 ++}
61923 ++
61924 ++__u32
61925 ++gr_acl_handle_unlink(const struct dentry * dentry, const struct vfsmount * mnt)
61926 ++{
61927 ++ return 1;
61928 ++}
61929 ++
61930 ++int
61931 ++gr_acl_handle_mmap(const struct file *file, const unsigned long prot,
61932 ++ unsigned int *vm_flags)
61933 ++{
61934 ++ return 1;
61935 ++}
61936 ++
61937 ++__u32
61938 ++gr_acl_handle_truncate(const struct dentry * dentry,
61939 ++ const struct vfsmount * mnt)
61940 ++{
61941 ++ return 1;
61942 ++}
61943 ++
61944 ++__u32
61945 ++gr_acl_handle_utime(const struct dentry * dentry, const struct vfsmount * mnt)
61946 ++{
61947 ++ return 1;
61948 ++}
61949 ++
61950 ++__u32
61951 ++gr_acl_handle_access(const struct dentry * dentry,
61952 ++ const struct vfsmount * mnt, const int fmode)
61953 ++{
61954 ++ return 1;
61955 ++}
61956 ++
61957 ++__u32
61958 ++gr_acl_handle_fchmod(const struct dentry * dentry, const struct vfsmount * mnt,
61959 ++ mode_t mode)
61960 ++{
61961 ++ return 1;
61962 ++}
61963 ++
61964 ++__u32
61965 ++gr_acl_handle_chmod(const struct dentry * dentry, const struct vfsmount * mnt,
61966 ++ mode_t mode)
61967 ++{
61968 ++ return 1;
61969 ++}
61970 ++
61971 ++__u32
61972 ++gr_acl_handle_chown(const struct dentry * dentry, const struct vfsmount * mnt)
61973 ++{
61974 ++ return 1;
61975 ++}
61976 ++
61977 ++void
61978 ++grsecurity_init(void)
61979 ++{
61980 ++ return;
61981 ++}
61982 ++
61983 ++__u32
61984 ++gr_acl_handle_mknod(const struct dentry * new_dentry,
61985 ++ const struct dentry * parent_dentry,
61986 ++ const struct vfsmount * parent_mnt,
61987 ++ const int mode)
61988 ++{
61989 ++ return 1;
61990 ++}
61991 ++
61992 ++__u32
61993 ++gr_acl_handle_mkdir(const struct dentry * new_dentry,
61994 ++ const struct dentry * parent_dentry,
61995 ++ const struct vfsmount * parent_mnt)
61996 ++{
61997 ++ return 1;
61998 ++}
61999 ++
62000 ++__u32
62001 ++gr_acl_handle_symlink(const struct dentry * new_dentry,
62002 ++ const struct dentry * parent_dentry,
62003 ++ const struct vfsmount * parent_mnt, const char *from)
62004 ++{
62005 ++ return 1;
62006 ++}
62007 ++
62008 ++__u32
62009 ++gr_acl_handle_link(const struct dentry * new_dentry,
62010 ++ const struct dentry * parent_dentry,
62011 ++ const struct vfsmount * parent_mnt,
62012 ++ const struct dentry * old_dentry,
62013 ++ const struct vfsmount * old_mnt, const char *to)
62014 ++{
62015 ++ return 1;
62016 ++}
62017 ++
62018 ++int
62019 ++gr_acl_handle_rename(const struct dentry *new_dentry,
62020 ++ const struct dentry *parent_dentry,
62021 ++ const struct vfsmount *parent_mnt,
62022 ++ const struct dentry *old_dentry,
62023 ++ const struct inode *old_parent_inode,
62024 ++ const struct vfsmount *old_mnt, const char *newname)
62025 ++{
62026 ++ return 0;
62027 ++}
62028 ++
62029 ++int
62030 ++gr_acl_handle_filldir(const struct file *file, const char *name,
62031 ++ const int namelen, const ino_t ino)
62032 ++{
62033 ++ return 1;
62034 ++}
62035 ++
62036 ++int
62037 ++gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
62038 ++ const time_t shm_createtime, const uid_t cuid, const int shmid)
62039 ++{
62040 ++ return 1;
62041 ++}
62042 ++
62043 ++int
62044 ++gr_search_bind(const struct socket *sock, const struct sockaddr_in *addr)
62045 ++{
62046 ++ return 1;
62047 ++}
62048 ++
62049 ++int
62050 ++gr_search_accept(const struct socket *sock)
62051 ++{
62052 ++ return 1;
62053 ++}
62054 ++
62055 ++int
62056 ++gr_search_listen(const struct socket *sock)
62057 ++{
62058 ++ return 1;
62059 ++}
62060 ++
62061 ++int
62062 ++gr_search_connect(const struct socket *sock, const struct sockaddr_in *addr)
62063 ++{
62064 ++ return 1;
62065 ++}
62066 ++
62067 ++__u32
62068 ++gr_acl_handle_unix(const struct dentry * dentry, const struct vfsmount * mnt)
62069 ++{
62070 ++ return 1;
62071 ++}
62072 ++
62073 ++__u32
62074 ++gr_acl_handle_creat(const struct dentry * dentry,
62075 ++ const struct dentry * p_dentry,
62076 ++ const struct vfsmount * p_mnt, const int fmode,
62077 ++ const int imode)
62078 ++{
62079 ++ return 1;
62080 ++}
62081 ++
62082 ++void
62083 ++gr_acl_handle_exit(void)
62084 ++{
62085 ++ return;
62086 ++}
62087 ++
62088 ++int
62089 ++gr_acl_handle_mprotect(const struct file *file, const unsigned long prot)
62090 ++{
62091 ++ return 1;
62092 ++}
62093 ++
62094 ++void
62095 ++gr_set_role_label(const uid_t uid, const gid_t gid)
62096 ++{
62097 ++ return;
62098 ++}
62099 ++
62100 ++int
62101 ++gr_acl_handle_procpidmem(const struct task_struct *task)
62102 ++{
62103 ++ return 0;
62104 ++}
62105 ++
62106 ++int
62107 ++gr_search_udp_recvmsg(const struct sock *sk, const struct sk_buff *skb)
62108 ++{
62109 ++ return 1;
62110 ++}
62111 ++
62112 ++int
62113 ++gr_search_udp_sendmsg(const struct sock *sk, const struct sockaddr_in *addr)
62114 ++{
62115 ++ return 1;
62116 ++}
62117 ++
62118 ++void
62119 ++gr_set_kernel_label(struct task_struct *task)
62120 ++{
62121 ++ return;
62122 ++}
62123 ++
62124 ++int
62125 ++gr_check_user_change(int real, int effective, int fs)
62126 ++{
62127 ++ return 0;
62128 ++}
62129 ++
62130 ++int
62131 ++gr_check_group_change(int real, int effective, int fs)
62132 ++{
62133 ++ return 0;
62134 ++}
62135 ++
62136 ++
62137 ++EXPORT_SYMBOL(gr_task_is_capable);
62138 ++EXPORT_SYMBOL(gr_is_capable_nolog);
62139 ++EXPORT_SYMBOL(gr_learn_resource);
62140 ++EXPORT_SYMBOL(gr_set_kernel_label);
62141 ++#ifdef CONFIG_SECURITY
62142 ++EXPORT_SYMBOL(gr_check_user_change);
62143 ++EXPORT_SYMBOL(gr_check_group_change);
62144 ++#endif
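Review bot: the no-op stubs in grsec_disabled.c mix two return conventions without saying so: most `gr_acl_handle_*` and `gr_search_*` hooks return 1 to mean allow, while `gr_acl_handle_rename()`, `gr_acl_handle_procpidmem()`, `gr_handle_sysctl()` and `gr_handle_rawio()` return 0 for the same outcome. A short header comment stating which value means "permit" for each family would let a reader verify at a glance that every stub is the permissive default, which is the whole point of this file.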
62145 +diff -urNp linux-2.6.24.5/grsecurity/grsec_exec.c linux-2.6.24.5/grsecurity/grsec_exec.c
62146 +--- linux-2.6.24.5/grsecurity/grsec_exec.c 1969-12-31 19:00:00.000000000 -0500
62147 ++++ linux-2.6.24.5/grsecurity/grsec_exec.c 2008-03-26 20:21:09.000000000 -0400
62148 +@@ -0,0 +1,88 @@
62149 ++#include <linux/kernel.h>
62150 ++#include <linux/sched.h>
62151 ++#include <linux/file.h>
62152 ++#include <linux/binfmts.h>
62153 ++#include <linux/smp_lock.h>
62154 ++#include <linux/fs.h>
62155 ++#include <linux/types.h>
62156 ++#include <linux/grdefs.h>
62157 ++#include <linux/grinternal.h>
62158 ++#include <linux/capability.h>
62159 ++
62160 ++#include <asm/uaccess.h>
62161 ++
62162 ++#ifdef CONFIG_GRKERNSEC_EXECLOG
62163 ++static char gr_exec_arg_buf[132];
62164 ++static DECLARE_MUTEX(gr_exec_arg_sem);
62165 ++#endif
62166 ++
62167 ++int
62168 ++gr_handle_nproc(void)
62169 ++{
62170 ++#ifdef CONFIG_GRKERNSEC_EXECVE
62171 ++ if (grsec_enable_execve && current->user &&
62172 ++ (atomic_read(&current->user->processes) >
62173 ++ current->signal->rlim[RLIMIT_NPROC].rlim_cur) &&
62174 ++ !capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE)) {
62175 ++ gr_log_noargs(GR_DONT_AUDIT, GR_NPROC_MSG);
62176 ++ return -EAGAIN;
62177 ++ }
62178 ++#endif
62179 ++ return 0;
62180 ++}
62181 ++
62182 ++void
62183 ++gr_handle_exec_args(struct linux_binprm *bprm, const char __user *__user *argv)
62184 ++{
62185 ++#ifdef CONFIG_GRKERNSEC_EXECLOG
62186 ++ char *grarg = gr_exec_arg_buf;
62187 ++ unsigned int i, x, execlen = 0;
62188 ++ char c;
62189 ++
62190 ++ if (!((grsec_enable_execlog && grsec_enable_group &&
62191 ++ in_group_p(grsec_audit_gid))
62192 ++ || (grsec_enable_execlog && !grsec_enable_group)))
62193 ++ return;
62194 ++
62195 ++ down(&gr_exec_arg_sem);
62196 ++ memset(grarg, 0, sizeof(gr_exec_arg_buf));
62197 ++
62198 ++ if (unlikely(argv == NULL))
62199 ++ goto log;
62200 ++
62201 ++ for (i = 0; i < bprm->argc && execlen < 128; i++) {
62202 ++ const char __user *p;
62203 ++ unsigned int len;
62204 ++
62205 ++ if (copy_from_user(&p, argv + i, sizeof(p)))
62206 ++ goto log;
62207 ++ if (!p)
62208 ++ goto log;
62209 ++ len = strnlen_user(p, 128 - execlen);
62210 ++ if (len > 128 - execlen)
62211 ++ len = 128 - execlen;
62212 ++ else if (len > 0)
62213 ++ len--;
62214 ++ if (copy_from_user(grarg + execlen, p, len))
62215 ++ goto log;
62216 ++
62217 ++ /* rewrite unprintable characters */
62218 ++ for (x = 0; x < len; x++) {
62219 ++ c = *(grarg + execlen + x);
62220 ++ if (c < 32 || c > 126)
62221 ++ *(grarg + execlen + x) = ' ';
62222 ++ }
62223 ++
62224 ++ execlen += len;
62225 ++ *(grarg + execlen) = ' ';
62226 ++ *(grarg + execlen + 1) = '\0';
62227 ++ execlen++;
62228 ++ }
62229 ++
62230 ++ log:
62231 ++ gr_log_fs_str(GR_DO_AUDIT, GR_EXEC_AUDIT_MSG, bprm->file->f_dentry,
62232 ++ bprm->file->f_vfsmnt, grarg);
62233 ++ up(&gr_exec_arg_sem);
62234 ++#endif
62235 ++ return;
62236 ++}
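Review bot: the `/* rewrite unprintable characters */` loop in gr_handle_exec_args() is a log-integrity control (a newline or terminal escape in argv would otherwise let a process forge or mangle audit lines), so the comment should state that purpose and note that the `c < 32 || c > 126` test also blanks bytes above 126, not just control characters. Minor: `DECLARE_MUTEX` with down()/up() is the old semaphore API; `DEFINE_MUTEX(gr_exec_arg_sem)` with mutex_lock()/mutex_unlock() is the 2.6.24 idiom for a lock used purely for mutual exclusion.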
62237 +diff -urNp linux-2.6.24.5/grsecurity/grsec_fifo.c linux-2.6.24.5/grsecurity/grsec_fifo.c
62238 +--- linux-2.6.24.5/grsecurity/grsec_fifo.c 1969-12-31 19:00:00.000000000 -0500
62239 ++++ linux-2.6.24.5/grsecurity/grsec_fifo.c 2008-03-26 20:21:09.000000000 -0400
62240 +@@ -0,0 +1,22 @@
62241 ++#include <linux/kernel.h>
62242 ++#include <linux/sched.h>
62243 ++#include <linux/fs.h>
62244 ++#include <linux/file.h>
62245 ++#include <linux/grinternal.h>
62246 ++
62247 ++int
62248 ++gr_handle_fifo(const struct dentry *dentry, const struct vfsmount *mnt,
62249 ++ const struct dentry *dir, const int flag, const int acc_mode)
62250 ++{
62251 ++#ifdef CONFIG_GRKERNSEC_FIFO
62252 ++ if (grsec_enable_fifo && S_ISFIFO(dentry->d_inode->i_mode) &&
62253 ++ !(flag & O_EXCL) && (dir->d_inode->i_mode & S_ISVTX) &&
62254 ++ (dentry->d_inode->i_uid != dir->d_inode->i_uid) &&
62255 ++ (current->fsuid != dentry->d_inode->i_uid)) {
62256 ++ if (!generic_permission(dentry->d_inode, acc_mode, NULL))
62257 ++ gr_log_fs_int2(GR_DONT_AUDIT, GR_FIFO_MSG, dentry, mnt, dentry->d_inode->i_uid, dentry->d_inode->i_gid);
62258 ++ return -EACCES;
62259 ++ }
62260 ++#endif
62261 ++ return 0;
62262 ++}
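Review bot: the `return -EACCES;` after the `gr_log_fs_int2(...)` call is unconditional, but the indentation reads as if it belonged to the inner `if (!generic_permission(...))`; put braces around the inner `if` so the intent (log only when DAC would have allowed the open, deny either way) is visible at a glance. Also note that this check, unlike `gr_handle_follow_link` in grsec_link.c, does not require the sticky directory to be world-writable (`S_IWOTH`); if that asymmetry is deliberate, a one-line comment explaining why would help the next reader.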
62263 +diff -urNp linux-2.6.24.5/grsecurity/grsec_fork.c linux-2.6.24.5/grsecurity/grsec_fork.c
62264 +--- linux-2.6.24.5/grsecurity/grsec_fork.c 1969-12-31 19:00:00.000000000 -0500
62265 ++++ linux-2.6.24.5/grsecurity/grsec_fork.c 2008-03-26 20:21:09.000000000 -0400
62266 +@@ -0,0 +1,15 @@
62267 ++#include <linux/kernel.h>
62268 ++#include <linux/sched.h>
62269 ++#include <linux/grsecurity.h>
62270 ++#include <linux/grinternal.h>
62271 ++#include <linux/errno.h>
62272 ++
62273 ++void
62274 ++gr_log_forkfail(const int retval)
62275 ++{
62276 ++#ifdef CONFIG_GRKERNSEC_FORKFAIL
62277 ++ if (grsec_enable_forkfail && retval != -ERESTARTNOINTR)
62278 ++ gr_log_int(GR_DONT_AUDIT, GR_FAILFORK_MSG, retval);
62279 ++#endif
62280 ++ return;
62281 ++}
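Review bot: `gr_log_forkfail` logs at `GR_DONT_AUDIT`, and the `END_LOCKS(x)` macro in grsec_log.c routes exactly that level through `gr_handle_alertkill(current)`, so a fork failure caused by an ordinary RLIMIT_NPROC or -ENOMEM condition takes the same alert-kill path as a real policy violation. If that is intended, say so in a comment beside the log call; otherwise `GR_DONT_AUDIT_GOOD`, as `gr_log_signal` uses for crash signals, looks like the better fit.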
62282 +diff -urNp linux-2.6.24.5/grsecurity/grsec_init.c linux-2.6.24.5/grsecurity/grsec_init.c
62283 +--- linux-2.6.24.5/grsecurity/grsec_init.c 1969-12-31 19:00:00.000000000 -0500
62284 ++++ linux-2.6.24.5/grsecurity/grsec_init.c 2008-03-26 20:21:09.000000000 -0400
62285 +@@ -0,0 +1,226 @@
62286 ++#include <linux/kernel.h>
62287 ++#include <linux/sched.h>
62288 ++#include <linux/mm.h>
62289 ++#include <linux/smp_lock.h>
62290 ++#include <linux/gracl.h>
62291 ++#include <linux/slab.h>
62292 ++#include <linux/vmalloc.h>
62293 ++#include <linux/percpu.h>
62294 ++
62295 ++int grsec_enable_link;
62296 ++int grsec_enable_dmesg;
62297 ++int grsec_enable_fifo;
62298 ++int grsec_enable_execve;
62299 ++int grsec_enable_execlog;
62300 ++int grsec_enable_signal;
62301 ++int grsec_enable_forkfail;
62302 ++int grsec_enable_time;
62303 ++int grsec_enable_audit_textrel;
62304 ++int grsec_enable_group;
62305 ++int grsec_audit_gid;
62306 ++int grsec_enable_chdir;
62307 ++int grsec_enable_audit_ipc;
62308 ++int grsec_enable_mount;
62309 ++int grsec_enable_chroot_findtask;
62310 ++int grsec_enable_chroot_mount;
62311 ++int grsec_enable_chroot_shmat;
62312 ++int grsec_enable_chroot_fchdir;
62313 ++int grsec_enable_chroot_double;
62314 ++int grsec_enable_chroot_pivot;
62315 ++int grsec_enable_chroot_chdir;
62316 ++int grsec_enable_chroot_chmod;
62317 ++int grsec_enable_chroot_mknod;
62318 ++int grsec_enable_chroot_nice;
62319 ++int grsec_enable_chroot_execlog;
62320 ++int grsec_enable_chroot_caps;
62321 ++int grsec_enable_chroot_sysctl;
62322 ++int grsec_enable_chroot_unix;
62323 ++int grsec_enable_tpe;
62324 ++int grsec_tpe_gid;
62325 ++int grsec_enable_tpe_all;
62326 ++int grsec_enable_socket_all;
62327 ++int grsec_socket_all_gid;
62328 ++int grsec_enable_socket_client;
62329 ++int grsec_socket_client_gid;
62330 ++int grsec_enable_socket_server;
62331 ++int grsec_socket_server_gid;
62332 ++int grsec_resource_logging;
62333 ++int grsec_lock;
62334 ++
62335 ++spinlock_t grsec_alert_lock = SPIN_LOCK_UNLOCKED;
62336 ++unsigned long grsec_alert_wtime = 0;
62337 ++unsigned long grsec_alert_fyet = 0;
62338 ++
62339 ++spinlock_t grsec_audit_lock = SPIN_LOCK_UNLOCKED;
62340 ++
62341 ++rwlock_t grsec_exec_file_lock = RW_LOCK_UNLOCKED;
62342 ++
62343 ++char *gr_shared_page[4];
62344 ++
62345 ++char *gr_alert_log_fmt;
62346 ++char *gr_audit_log_fmt;
62347 ++char *gr_alert_log_buf;
62348 ++char *gr_audit_log_buf;
62349 ++
62350 ++extern struct gr_arg *gr_usermode;
62351 ++extern unsigned char *gr_system_salt;
62352 ++extern unsigned char *gr_system_sum;
62353 ++
62354 ++void
62355 ++grsecurity_init(void)
62356 ++{
62357 ++ int j;
62358 ++ /* create the per-cpu shared pages */
62359 ++
62360 ++ for (j = 0; j < 4; j++) {
62361 ++ gr_shared_page[j] = (char *)__alloc_percpu(PAGE_SIZE);
62362 ++ if (gr_shared_page[j] == NULL) {
62363 ++ panic("Unable to allocate grsecurity shared page");
62364 ++ return;
62365 ++ }
62366 ++ }
62367 ++
62368 ++ /* allocate log buffers */
62369 ++ gr_alert_log_fmt = kmalloc(512, GFP_KERNEL);
62370 ++ if (!gr_alert_log_fmt) {
62371 ++ panic("Unable to allocate grsecurity alert log format buffer");
62372 ++ return;
62373 ++ }
62374 ++ gr_audit_log_fmt = kmalloc(512, GFP_KERNEL);
62375 ++ if (!gr_audit_log_fmt) {
62376 ++ panic("Unable to allocate grsecurity audit log format buffer");
62377 ++ return;
62378 ++ }
62379 ++ gr_alert_log_buf = (char *) get_zeroed_page(GFP_KERNEL);
62380 ++ if (!gr_alert_log_buf) {
62381 ++ panic("Unable to allocate grsecurity alert log buffer");
62382 ++ return;
62383 ++ }
62384 ++ gr_audit_log_buf = (char *) get_zeroed_page(GFP_KERNEL);
62385 ++ if (!gr_audit_log_buf) {
62386 ++ panic("Unable to allocate grsecurity audit log buffer");
62387 ++ return;
62388 ++ }
62389 ++
62390 ++ /* allocate memory for authentication structure */
62391 ++ gr_usermode = kmalloc(sizeof(struct gr_arg), GFP_KERNEL);
62392 ++ gr_system_salt = kmalloc(GR_SALT_LEN, GFP_KERNEL);
62393 ++ gr_system_sum = kmalloc(GR_SHA_LEN, GFP_KERNEL);
62394 ++
62395 ++ if (!gr_usermode || !gr_system_salt || !gr_system_sum) {
62396 ++ panic("Unable to allocate grsecurity authentication structure");
62397 ++ return;
62398 ++ }
62399 ++
62400 ++#if !defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_SYSCTL_ON)
62401 ++#ifndef CONFIG_GRKERNSEC_SYSCTL
62402 ++ grsec_lock = 1;
62403 ++#endif
62404 ++#ifdef CONFIG_GRKERNSEC_AUDIT_TEXTREL
62405 ++ grsec_enable_audit_textrel = 1;
62406 ++#endif
62407 ++#ifdef CONFIG_GRKERNSEC_AUDIT_GROUP
62408 ++ grsec_enable_group = 1;
62409 ++ grsec_audit_gid = CONFIG_GRKERNSEC_AUDIT_GID;
62410 ++#endif
62411 ++#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR
62412 ++ grsec_enable_chdir = 1;
62413 ++#endif
62414 ++#ifdef CONFIG_GRKERNSEC_AUDIT_IPC
62415 ++ grsec_enable_audit_ipc = 1;
62416 ++#endif
62417 ++#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
62418 ++ grsec_enable_mount = 1;
62419 ++#endif
62420 ++#ifdef CONFIG_GRKERNSEC_LINK
62421 ++ grsec_enable_link = 1;
62422 ++#endif
62423 ++#ifdef CONFIG_GRKERNSEC_DMESG
62424 ++ grsec_enable_dmesg = 1;
62425 ++#endif
62426 ++#ifdef CONFIG_GRKERNSEC_FIFO
62427 ++ grsec_enable_fifo = 1;
62428 ++#endif
62429 ++#ifdef CONFIG_GRKERNSEC_EXECVE
62430 ++ grsec_enable_execve = 1;
62431 ++#endif
62432 ++#ifdef CONFIG_GRKERNSEC_EXECLOG
62433 ++ grsec_enable_execlog = 1;
62434 ++#endif
62435 ++#ifdef CONFIG_GRKERNSEC_SIGNAL
62436 ++ grsec_enable_signal = 1;
62437 ++#endif
62438 ++#ifdef CONFIG_GRKERNSEC_FORKFAIL
62439 ++ grsec_enable_forkfail = 1;
62440 ++#endif
62441 ++#ifdef CONFIG_GRKERNSEC_TIME
62442 ++ grsec_enable_time = 1;
62443 ++#endif
62444 ++#ifdef CONFIG_GRKERNSEC_RESLOG
62445 ++ grsec_resource_logging = 1;
62446 ++#endif
62447 ++#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
62448 ++ grsec_enable_chroot_findtask = 1;
62449 ++#endif
62450 ++#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
62451 ++ grsec_enable_chroot_unix = 1;
62452 ++#endif
62453 ++#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
62454 ++ grsec_enable_chroot_mount = 1;
62455 ++#endif
62456 ++#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
62457 ++ grsec_enable_chroot_fchdir = 1;
62458 ++#endif
62459 ++#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT
62460 ++ grsec_enable_chroot_shmat = 1;
62461 ++#endif
62462 ++#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
62463 ++ grsec_enable_chroot_double = 1;
62464 ++#endif
62465 ++#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT
62466 ++ grsec_enable_chroot_pivot = 1;
62467 ++#endif
62468 ++#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
62469 ++ grsec_enable_chroot_chdir = 1;
62470 ++#endif
62471 ++#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
62472 ++ grsec_enable_chroot_chmod = 1;
62473 ++#endif
62474 ++#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
62475 ++ grsec_enable_chroot_mknod = 1;
62476 ++#endif
62477 ++#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
62478 ++ grsec_enable_chroot_nice = 1;
62479 ++#endif
62480 ++#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
62481 ++ grsec_enable_chroot_execlog = 1;
62482 ++#endif
62483 ++#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
62484 ++ grsec_enable_chroot_caps = 1;
62485 ++#endif
62486 ++#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
62487 ++ grsec_enable_chroot_sysctl = 1;
62488 ++#endif
62489 ++#ifdef CONFIG_GRKERNSEC_TPE
62490 ++ grsec_enable_tpe = 1;
62491 ++ grsec_tpe_gid = CONFIG_GRKERNSEC_TPE_GID;
62492 ++#ifdef CONFIG_GRKERNSEC_TPE_ALL
62493 ++ grsec_enable_tpe_all = 1;
62494 ++#endif
62495 ++#endif
62496 ++#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
62497 ++ grsec_enable_socket_all = 1;
62498 ++ grsec_socket_all_gid = CONFIG_GRKERNSEC_SOCKET_ALL_GID;
62499 ++#endif
62500 ++#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
62501 ++ grsec_enable_socket_client = 1;
62502 ++ grsec_socket_client_gid = CONFIG_GRKERNSEC_SOCKET_CLIENT_GID;
62503 ++#endif
62504 ++#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
62505 ++ grsec_enable_socket_server = 1;
62506 ++ grsec_socket_server_gid = CONFIG_GRKERNSEC_SOCKET_SERVER_GID;
62507 ++#endif
62508 ++#endif
62509 ++
62510 ++ return;
62511 ++}
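Review bot: the lock initialisers `SPIN_LOCK_UNLOCKED` and `RW_LOCK_UNLOCKED` for grsec_alert_lock, grsec_audit_lock and grsec_exec_file_lock should be `DEFINE_SPINLOCK()` / `DEFINE_RWLOCK()`; with lockdep enabled, every lock initialised from the shared constant lands in the same lock class, which both produces false dependency reports and hides real ones. Two smaller points: each `panic(...)` is followed by an unreachable `return;` that can go, and under `CONFIG_GRKERNSEC_SYSCTL` plus `CONFIG_GRKERNSEC_SYSCTL_ON` the features are switched on here while `grsec_lock` stays 0, so they remain toggleable through sysctl until userspace sets grsec_lock; that boot-time window deserves a comment at the `#if !defined(CONFIG_GRKERNSEC_SYSCTL) || ...` block.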
62512 +diff -urNp linux-2.6.24.5/grsecurity/grsec_ipc.c linux-2.6.24.5/grsecurity/grsec_ipc.c
62513 +--- linux-2.6.24.5/grsecurity/grsec_ipc.c 1969-12-31 19:00:00.000000000 -0500
62514 ++++ linux-2.6.24.5/grsecurity/grsec_ipc.c 2008-03-26 20:21:09.000000000 -0400
62515 +@@ -0,0 +1,81 @@
62516 ++#include <linux/kernel.h>
62517 ++#include <linux/sched.h>
62518 ++#include <linux/types.h>
62519 ++#include <linux/ipc.h>
62520 ++#include <linux/grsecurity.h>
62521 ++#include <linux/grinternal.h>
62522 ++
62523 ++void
62524 ++gr_log_msgget(const int ret, const int msgflg)
62525 ++{
62526 ++#ifdef CONFIG_GRKERNSEC_AUDIT_IPC
62527 ++ if (((grsec_enable_group && in_group_p(grsec_audit_gid) &&
62528 ++ grsec_enable_audit_ipc) || (grsec_enable_audit_ipc &&
62529 ++ !grsec_enable_group)) && (ret >= 0)
62530 ++ && (msgflg & IPC_CREAT))
62531 ++ gr_log_noargs(GR_DO_AUDIT, GR_MSGQ_AUDIT_MSG);
62532 ++#endif
62533 ++ return;
62534 ++}
62535 ++
62536 ++void
62537 ++gr_log_msgrm(const uid_t uid, const uid_t cuid)
62538 ++{
62539 ++#ifdef CONFIG_GRKERNSEC_AUDIT_IPC
62540 ++ if ((grsec_enable_group && in_group_p(grsec_audit_gid) &&
62541 ++ grsec_enable_audit_ipc) ||
62542 ++ (grsec_enable_audit_ipc && !grsec_enable_group))
62543 ++ gr_log_int_int(GR_DO_AUDIT, GR_MSGQR_AUDIT_MSG, uid, cuid);
62544 ++#endif
62545 ++ return;
62546 ++}
62547 ++
62548 ++void
62549 ++gr_log_semget(const int err, const int semflg)
62550 ++{
62551 ++#ifdef CONFIG_GRKERNSEC_AUDIT_IPC
62552 ++ if (((grsec_enable_group && in_group_p(grsec_audit_gid) &&
62553 ++ grsec_enable_audit_ipc) || (grsec_enable_audit_ipc &&
62554 ++ !grsec_enable_group)) && (err >= 0)
62555 ++ && (semflg & IPC_CREAT))
62556 ++ gr_log_noargs(GR_DO_AUDIT, GR_SEM_AUDIT_MSG);
62557 ++#endif
62558 ++ return;
62559 ++}
62560 ++
62561 ++void
62562 ++gr_log_semrm(const uid_t uid, const uid_t cuid)
62563 ++{
62564 ++#ifdef CONFIG_GRKERNSEC_AUDIT_IPC
62565 ++ if ((grsec_enable_group && in_group_p(grsec_audit_gid) &&
62566 ++ grsec_enable_audit_ipc) ||
62567 ++ (grsec_enable_audit_ipc && !grsec_enable_group))
62568 ++ gr_log_int_int(GR_DO_AUDIT, GR_SEMR_AUDIT_MSG, uid, cuid);
62569 ++#endif
62570 ++ return;
62571 ++}
62572 ++
62573 ++void
62574 ++gr_log_shmget(const int err, const int shmflg, const size_t size)
62575 ++{
62576 ++#ifdef CONFIG_GRKERNSEC_AUDIT_IPC
62577 ++ if (((grsec_enable_group && in_group_p(grsec_audit_gid) &&
62578 ++ grsec_enable_audit_ipc) || (grsec_enable_audit_ipc &&
62579 ++ !grsec_enable_group)) && (err >= 0)
62580 ++ && (shmflg & IPC_CREAT))
62581 ++ gr_log_int(GR_DO_AUDIT, GR_SHM_AUDIT_MSG, size);
62582 ++#endif
62583 ++ return;
62584 ++}
62585 ++
62586 ++void
62587 ++gr_log_shmrm(const uid_t uid, const uid_t cuid)
62588 ++{
62589 ++#ifdef CONFIG_GRKERNSEC_AUDIT_IPC
62590 ++ if ((grsec_enable_group && in_group_p(grsec_audit_gid) &&
62591 ++ grsec_enable_audit_ipc) ||
62592 ++ (grsec_enable_audit_ipc && !grsec_enable_group))
62593 ++ gr_log_int_int(GR_DO_AUDIT, GR_SHMR_AUDIT_MSG, uid, cuid);
62594 ++#endif
62595 ++ return;
62596 ++}
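Review bot: the predicate `(grsec_enable_group && in_group_p(grsec_audit_gid) && grsec_enable_audit_ipc) || (grsec_enable_audit_ipc && !grsec_enable_group)` is repeated verbatim in all six functions; factor it into one static inline helper (it reduces to `grsec_enable_audit_ipc && (!grsec_enable_group || in_group_p(grsec_audit_gid))`) so a later change to the group-audit rule cannot miss a copy. Also, `gr_log_shmget` passes a `size_t` through `gr_log_int`; if that helper takes an `int` (its prototype is not in this hunk), segments larger than 2 GiB on 64-bit will be logged with a truncated size.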
62597 +diff -urNp linux-2.6.24.5/grsecurity/grsec_link.c linux-2.6.24.5/grsecurity/grsec_link.c
62598 +--- linux-2.6.24.5/grsecurity/grsec_link.c 1969-12-31 19:00:00.000000000 -0500
62599 ++++ linux-2.6.24.5/grsecurity/grsec_link.c 2008-03-26 20:21:09.000000000 -0400
62600 +@@ -0,0 +1,39 @@
62601 ++#include <linux/kernel.h>
62602 ++#include <linux/sched.h>
62603 ++#include <linux/fs.h>
62604 ++#include <linux/file.h>
62605 ++#include <linux/grinternal.h>
62606 ++
62607 ++int
62608 ++gr_handle_follow_link(const struct inode *parent,
62609 ++ const struct inode *inode,
62610 ++ const struct dentry *dentry, const struct vfsmount *mnt)
62611 ++{
62612 ++#ifdef CONFIG_GRKERNSEC_LINK
62613 ++ if (grsec_enable_link && S_ISLNK(inode->i_mode) &&
62614 ++ (parent->i_mode & S_ISVTX) && (parent->i_uid != inode->i_uid) &&
62615 ++ (parent->i_mode & S_IWOTH) && (current->fsuid != inode->i_uid)) {
62616 ++ gr_log_fs_int2(GR_DONT_AUDIT, GR_SYMLINK_MSG, dentry, mnt, inode->i_uid, inode->i_gid);
62617 ++ return -EACCES;
62618 ++ }
62619 ++#endif
62620 ++ return 0;
62621 ++}
62622 ++
62623 ++int
62624 ++gr_handle_hardlink(const struct dentry *dentry,
62625 ++ const struct vfsmount *mnt,
62626 ++ struct inode *inode, const int mode, const char *to)
62627 ++{
62628 ++#ifdef CONFIG_GRKERNSEC_LINK
62629 ++ if (grsec_enable_link && current->fsuid != inode->i_uid &&
62630 ++ (!S_ISREG(mode) || (mode & S_ISUID) ||
62631 ++ ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) ||
62632 ++ (generic_permission(inode, MAY_READ | MAY_WRITE, NULL))) &&
62633 ++ !capable(CAP_FOWNER) && current->uid) {
62634 ++ gr_log_fs_int2_str(GR_DONT_AUDIT, GR_HARDLINK_MSG, dentry, mnt, inode->i_uid, inode->i_gid, to);
62635 ++ return -EPERM;
62636 ++ }
62637 ++#endif
62638 ++ return 0;
62639 ++}
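Review bot: in `gr_handle_hardlink` the trailing `&& current->uid` exempts any process whose real uid is 0 even after it has dropped CAP_FOWNER, which undercuts the `!capable(CAP_FOWNER)` test immediately before it; either drop the `current->uid` term or add a comment explaining why real-root without the capability should bypass the restriction. Also, `generic_permission(inode, MAY_READ | MAY_WRITE, NULL)` returns non-zero on denial, so a caller lacking both read and write access to the target is refused; a comment stating that sign convention would save the next reader a trip to fs/namei.c.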
62640 +diff -urNp linux-2.6.24.5/grsecurity/grsec_log.c linux-2.6.24.5/grsecurity/grsec_log.c
62641 +--- linux-2.6.24.5/grsecurity/grsec_log.c 1969-12-31 19:00:00.000000000 -0500
62642 ++++ linux-2.6.24.5/grsecurity/grsec_log.c 2008-03-26 20:21:09.000000000 -0400
62643 +@@ -0,0 +1,269 @@
62644 ++#include <linux/kernel.h>
62645 ++#include <linux/sched.h>
62646 ++#include <linux/file.h>
62647 ++#include <linux/tty.h>
62648 ++#include <linux/fs.h>
62649 ++#include <linux/grinternal.h>
62650 ++
62651 ++#define BEGIN_LOCKS(x) \
62652 ++ read_lock(&tasklist_lock); \
62653 ++ read_lock(&grsec_exec_file_lock); \
62654 ++ if (x != GR_DO_AUDIT) \
62655 ++ spin_lock(&grsec_alert_lock); \
62656 ++ else \
62657 ++ spin_lock(&grsec_audit_lock)
62658 ++
62659 ++#define END_LOCKS(x) \
62660 ++ if (x != GR_DO_AUDIT) \
62661 ++ spin_unlock(&grsec_alert_lock); \
62662 ++ else \
62663 ++ spin_unlock(&grsec_audit_lock); \
62664 ++ read_unlock(&grsec_exec_file_lock); \
62665 ++ read_unlock(&tasklist_lock); \
62666 ++ if (x == GR_DONT_AUDIT) \
62667 ++ gr_handle_alertkill(current)
62668 ++
62669 ++enum {
62670 ++ FLOODING,
62671 ++ NO_FLOODING
62672 ++};
62673 ++
62674 ++extern char *gr_alert_log_fmt;
62675 ++extern char *gr_audit_log_fmt;
62676 ++extern char *gr_alert_log_buf;
62677 ++extern char *gr_audit_log_buf;
62678 ++
62679 ++static int gr_log_start(int audit)
62680 ++{
62681 ++ char *loglevel = (audit == GR_DO_AUDIT) ? KERN_INFO : KERN_ALERT;
62682 ++ char *fmt = (audit == GR_DO_AUDIT) ? gr_audit_log_fmt : gr_alert_log_fmt;
62683 ++ char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
62684 ++
62685 ++ if (audit == GR_DO_AUDIT)
62686 ++ goto set_fmt;
62687 ++
62688 ++ if (!grsec_alert_wtime || jiffies - grsec_alert_wtime > CONFIG_GRKERNSEC_FLOODTIME * HZ) {
62689 ++ grsec_alert_wtime = jiffies;
62690 ++ grsec_alert_fyet = 0;
62691 ++ } else if ((jiffies - grsec_alert_wtime < CONFIG_GRKERNSEC_FLOODTIME * HZ) && (grsec_alert_fyet < CONFIG_GRKERNSEC_FLOODBURST)) {
62692 ++ grsec_alert_fyet++;
62693 ++ } else if (grsec_alert_fyet == CONFIG_GRKERNSEC_FLOODBURST) {
62694 ++ grsec_alert_wtime = jiffies;
62695 ++ grsec_alert_fyet++;
62696 ++ printk(KERN_ALERT "grsec: more alerts, logging disabled for %d seconds\n", CONFIG_GRKERNSEC_FLOODTIME);
62697 ++ return FLOODING;
62698 ++ } else return FLOODING;
62699 ++
62700 ++set_fmt:
62701 ++ memset(buf, 0, PAGE_SIZE);
62702 ++ if (current->signal->curr_ip && gr_acl_is_enabled()) {
62703 ++ sprintf(fmt, "%s%s", loglevel, "grsec: From %u.%u.%u.%u: (%.64s:%c:%.950s) ");
62704 ++ snprintf(buf, PAGE_SIZE - 1, fmt, NIPQUAD(current->signal->curr_ip), current->role->rolename, gr_roletype_to_char(), current->acl->filename);
62705 ++ } else if (current->signal->curr_ip) {
62706 ++ sprintf(fmt, "%s%s", loglevel, "grsec: From %u.%u.%u.%u: ");
62707 ++ snprintf(buf, PAGE_SIZE - 1, fmt, NIPQUAD(current->signal->curr_ip));
62708 ++ } else if (gr_acl_is_enabled()) {
62709 ++ sprintf(fmt, "%s%s", loglevel, "grsec: (%.64s:%c:%.950s) ");
62710 ++ snprintf(buf, PAGE_SIZE - 1, fmt, current->role->rolename, gr_roletype_to_char(), current->acl->filename);
62711 ++ } else {
62712 ++ sprintf(fmt, "%s%s", loglevel, "grsec: ");
62713 ++ strcpy(buf, fmt);
62714 ++ }
62715 ++
62716 ++ return NO_FLOODING;
62717 ++}
62718 ++
62719 ++static void gr_log_middle(int audit, const char *msg, va_list ap)
62720 ++{
62721 ++ char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
62722 ++ unsigned int len = strlen(buf);
62723 ++
62724 ++ vsnprintf(buf + len, PAGE_SIZE - len - 1, msg, ap);
62725 ++
62726 ++ return;
62727 ++}
62728 ++
62729 ++static void gr_log_middle_varargs(int audit, const char *msg, ...)
62730 ++{
62731 ++ char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
62732 ++ unsigned int len = strlen(buf);
62733 ++ va_list ap;
62734 ++
62735 ++ va_start(ap, msg);
62736 ++ vsnprintf(buf + len, PAGE_SIZE - len - 1, msg, ap);
62737 ++ va_end(ap);
62738 ++
62739 ++ return;
62740 ++}
62741 ++
62742 ++static void gr_log_end(int audit)
62743 ++{
62744 ++ char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
62745 ++ unsigned int len = strlen(buf);
62746 ++
62747 ++ snprintf(buf + len, PAGE_SIZE - len - 1, DEFAULTSECMSG, DEFAULTSECARGS(current));
62748 ++ printk("%s\n", buf);
62749 ++
62750 ++ return;
62751 ++}
62752 ++
62753 ++void gr_log_varargs(int audit, const char *msg, int argtypes, ...)
62754 ++{
62755 ++ int logtype;
62756 ++ char *result = (audit == GR_DO_AUDIT) ? "successful" : "denied";
62757 ++ char *str1, *str2, *str3;
62758 ++ int num1, num2;
62759 ++ unsigned long ulong1, ulong2;
62760 ++ struct dentry *dentry;
62761 ++ struct vfsmount *mnt;
62762 ++ struct file *file;
62763 ++ struct task_struct *task;
62764 ++ va_list ap;
62765 ++
62766 ++ BEGIN_LOCKS(audit);
62767 ++ logtype = gr_log_start(audit);
62768 ++ if (logtype == FLOODING) {
62769 ++ END_LOCKS(audit);
62770 ++ return;
62771 ++ }
62772 ++ va_start(ap, argtypes);
62773 ++ switch (argtypes) {
62774 ++ case GR_TTYSNIFF:
62775 ++ task = va_arg(ap, struct task_struct *);
62776 ++ gr_log_middle_varargs(audit, msg, NIPQUAD(task->signal->curr_ip), gr_task_fullpath0(task), task->comm, task->pid, gr_parent_task_fullpath0(task), task->parent->comm, task->parent->pid);
62777 ++ break;
62778 ++ case GR_SYSCTL_HIDDEN:
62779 ++ str1 = va_arg(ap, char *);
62780 ++ gr_log_middle_varargs(audit, msg, result, str1);
62781 ++ break;
62782 ++ case GR_RBAC:
62783 ++ dentry = va_arg(ap, struct dentry *);
62784 ++ mnt = va_arg(ap, struct vfsmount *);
62785 ++ gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt));
62786 ++ break;
62787 ++ case GR_RBAC_STR:
62788 ++ dentry = va_arg(ap, struct dentry *);
62789 ++ mnt = va_arg(ap, struct vfsmount *);
62790 ++ str1 = va_arg(ap, char *);
62791 ++ gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt), str1);
62792 ++ break;
62793 ++ case GR_STR_RBAC:
62794 ++ str1 = va_arg(ap, char *);
62795 ++ dentry = va_arg(ap, struct dentry *);
62796 ++ mnt = va_arg(ap, struct vfsmount *);
62797 ++ gr_log_middle_varargs(audit, msg, result, str1, gr_to_filename(dentry, mnt));
62798 ++ break;
62799 ++ case GR_RBAC_MODE2:
62800 ++ dentry = va_arg(ap, struct dentry *);
62801 ++ mnt = va_arg(ap, struct vfsmount *);
62802 ++ str1 = va_arg(ap, char *);
62803 ++ str2 = va_arg(ap, char *);
62804 ++ gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt), str1, str2);
62805 ++ break;
62806 ++ case GR_RBAC_MODE3:
62807 ++ dentry = va_arg(ap, struct dentry *);
62808 ++ mnt = va_arg(ap, struct vfsmount *);
62809 ++ str1 = va_arg(ap, char *);
62810 ++ str2 = va_arg(ap, char *);
62811 ++ str3 = va_arg(ap, char *);
62812 ++ gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt), str1, str2, str3);
62813 ++ break;
62814 ++ case GR_FILENAME:
62815 ++ dentry = va_arg(ap, struct dentry *);
62816 ++ mnt = va_arg(ap, struct vfsmount *);
62817 ++ gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt));
62818 ++ break;
62819 ++ case GR_STR_FILENAME:
62820 ++ str1 = va_arg(ap, char *);
62821 ++ dentry = va_arg(ap, struct dentry *);
62822 ++ mnt = va_arg(ap, struct vfsmount *);
62823 ++ gr_log_middle_varargs(audit, msg, str1, gr_to_filename(dentry, mnt));
62824 ++ break;
62825 ++ case GR_FILENAME_STR:
62826 ++ dentry = va_arg(ap, struct dentry *);
62827 ++ mnt = va_arg(ap, struct vfsmount *);
62828 ++ str1 = va_arg(ap, char *);
62829 ++ gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt), str1);
62830 ++ break;
62831 ++ case GR_FILENAME_TWO_INT:
62832 ++ dentry = va_arg(ap, struct dentry *);
62833 ++ mnt = va_arg(ap, struct vfsmount *);
62834 ++ num1 = va_arg(ap, int);
62835 ++ num2 = va_arg(ap, int);
62836 ++ gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt), num1, num2);
62837 ++ break;
62838 ++ case GR_FILENAME_TWO_INT_STR:
62839 ++ dentry = va_arg(ap, struct dentry *);
62840 ++ mnt = va_arg(ap, struct vfsmount *);
62841 ++ num1 = va_arg(ap, int);
62842 ++ num2 = va_arg(ap, int);
62843 ++ str1 = va_arg(ap, char *);
62844 ++ gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt), num1, num2, str1);
62845 ++ break;
62846 ++ case GR_TEXTREL:
62847 ++ file = va_arg(ap, struct file *);
62848 ++ ulong1 = va_arg(ap, unsigned long);
62849 ++ ulong2 = va_arg(ap, unsigned long);
62850 ++ gr_log_middle_varargs(audit, msg, file ? gr_to_filename(file->f_dentry, file->f_vfsmnt) : "<anonymous mapping>", ulong1, ulong2);
62851 ++ break;
62852 ++ case GR_PTRACE:
62853 ++ task = va_arg(ap, struct task_struct *);
62854 ++ gr_log_middle_varargs(audit, msg, task->exec_file ? gr_to_filename(task->exec_file->f_dentry, task->exec_file->f_vfsmnt) : "(none)", task->comm, task->pid);
62855 ++ break;
62856 ++ case GR_RESOURCE:
62857 ++ task = va_arg(ap, struct task_struct *);
62858 ++ ulong1 = va_arg(ap, unsigned long);
62859 ++ str1 = va_arg(ap, char *);
62860 ++ ulong2 = va_arg(ap, unsigned long);
62861 ++ gr_log_middle_varargs(audit, msg, ulong1, str1, ulong2, gr_task_fullpath(task), task->comm, task->pid, task->uid, task->euid, task->gid, task->egid, gr_parent_task_fullpath(task), task->parent->comm, task->parent->pid, task->parent->uid, task->parent->euid, task->parent->gid, task->parent->egid);
62862 ++ break;
62863 ++ case GR_CAP:
62864 ++ task = va_arg(ap, struct task_struct *);
62865 ++ str1 = va_arg(ap, char *);
62866 ++ gr_log_middle_varargs(audit, msg, str1, gr_task_fullpath(task), task->comm, task->pid, task->uid, task->euid, task->gid, task->egid, gr_parent_task_fullpath(task), task->parent->comm, task->parent->pid, task->parent->uid, task->parent->euid, task->parent->gid, task->parent->egid);
62867 ++ break;
62868 ++ case GR_SIG:
62869 ++ task = va_arg(ap, struct task_struct *);
62870 ++ num1 = va_arg(ap, int);
62871 ++ gr_log_middle_varargs(audit, msg, num1, gr_task_fullpath0(task), task->comm, task->pid, task->uid, task->euid, task->gid, task->egid, gr_parent_task_fullpath0(task), task->parent->comm, task->parent->pid, task->parent->uid, task->parent->euid, task->parent->gid, task->parent->egid);
62872 ++ break;
62873 ++ case GR_CRASH1:
62874 ++ task = va_arg(ap, struct task_struct *);
62875 ++ ulong1 = va_arg(ap, unsigned long);
62876 ++ gr_log_middle_varargs(audit, msg, gr_task_fullpath(task), task->comm, task->pid, task->uid, task->euid, task->gid, task->egid, gr_parent_task_fullpath(task), task->parent->comm, task->parent->pid, task->parent->uid, task->parent->euid, task->parent->gid, task->parent->egid, task->uid, ulong1);
62877 ++ break;
62878 ++ case GR_CRASH2:
62879 ++ task = va_arg(ap, struct task_struct *);
62880 ++ ulong1 = va_arg(ap, unsigned long);
62881 ++ gr_log_middle_varargs(audit, msg, gr_task_fullpath(task), task->comm, task->pid, task->uid, task->euid, task->gid, task->egid, gr_parent_task_fullpath(task), task->parent->comm, task->parent->pid, task->parent->uid, task->parent->euid, task->parent->gid, task->parent->egid, ulong1);
62882 ++ break;
62883 ++ case GR_PSACCT:
62884 ++ {
62885 ++ unsigned int wday, cday;
62886 ++ __u8 whr, chr;
62887 ++ __u8 wmin, cmin;
62888 ++ __u8 wsec, csec;
62889 ++ char cur_tty[64] = { 0 };
62890 ++ char parent_tty[64] = { 0 };
62891 ++
62892 ++ task = va_arg(ap, struct task_struct *);
62893 ++ wday = va_arg(ap, unsigned int);
62894 ++ cday = va_arg(ap, unsigned int);
62895 ++ whr = va_arg(ap, int);
62896 ++ chr = va_arg(ap, int);
62897 ++ wmin = va_arg(ap, int);
62898 ++ cmin = va_arg(ap, int);
62899 ++ wsec = va_arg(ap, int);
62900 ++ csec = va_arg(ap, int);
62901 ++ ulong1 = va_arg(ap, unsigned long);
62902 ++
62903 ++ gr_log_middle_varargs(audit, msg, gr_task_fullpath(task), task->comm, task->pid, NIPQUAD(task->signal->curr_ip), tty_name(task->signal->tty, cur_tty), task->uid, task->euid, task->gid, task->egid, wday, whr, wmin, wsec, cday, chr, cmin, csec, (task->flags & PF_SIGNALED) ? "killed by signal" : "exited", ulong1, gr_parent_task_fullpath(task), task->parent->comm, task->parent->pid, NIPQUAD(task->parent->signal->curr_ip), tty_name(task->parent->signal->tty, parent_tty), task->parent->uid, task->parent->euid, task->parent->gid, task->parent->egid);
62904 ++ }
62905 ++ break;
62906 ++ default:
62907 ++ gr_log_middle(audit, msg, ap);
62908 ++ }
62909 ++ va_end(ap);
62910 ++ gr_log_end(audit);
62911 ++ END_LOCKS(audit);
62912 ++}
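Review bot: the flood-control chain in `gr_log_start` has a hole at the boundary: when `jiffies - grsec_alert_wtime` equals `CONFIG_GRKERNSEC_FLOODTIME * HZ` exactly, the first test (`>`) and the second test (`<`) both fail, so the alert is dropped as FLOODING even while `grsec_alert_fyet` is still below FLOODBURST; make one comparison inclusive, and prefer the kernel's `time_after()` / `time_before()` helpers over raw jiffies subtraction. Two further points: the `!grsec_alert_wtime` test treats a legitimate wtime of 0 as "never set" (harmless, but worth a comment), and `BEGIN_LOCKS` takes `grsec_alert_lock` / `grsec_audit_lock` with plain `spin_lock`, so `gr_log_varargs` must never be reached from interrupt context; that constraint should be stated above the macro.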
62913 +diff -urNp linux-2.6.24.5/grsecurity/grsec_mem.c linux-2.6.24.5/grsecurity/grsec_mem.c
62914 +--- linux-2.6.24.5/grsecurity/grsec_mem.c 1969-12-31 19:00:00.000000000 -0500
62915 ++++ linux-2.6.24.5/grsecurity/grsec_mem.c 2008-03-26 20:21:09.000000000 -0400
62916 +@@ -0,0 +1,71 @@
62917 ++#include <linux/kernel.h>
62918 ++#include <linux/sched.h>
62919 ++#include <linux/mm.h>
62920 ++#include <linux/mman.h>
62921 ++#include <linux/grinternal.h>
62922 ++
62923 ++void
62924 ++gr_handle_ioperm(void)
62925 ++{
62926 ++ gr_log_noargs(GR_DONT_AUDIT, GR_IOPERM_MSG);
62927 ++ return;
62928 ++}
62929 ++
62930 ++void
62931 ++gr_handle_iopl(void)
62932 ++{
62933 ++ gr_log_noargs(GR_DONT_AUDIT, GR_IOPL_MSG);
62934 ++ return;
62935 ++}
62936 ++
62937 ++void
62938 ++gr_handle_mem_write(void)
62939 ++{
62940 ++ gr_log_noargs(GR_DONT_AUDIT, GR_MEM_WRITE_MSG);
62941 ++ return;
62942 ++}
62943 ++
62944 ++void
62945 ++gr_handle_kmem_write(void)
62946 ++{
62947 ++ gr_log_noargs(GR_DONT_AUDIT, GR_KMEM_MSG);
62948 ++ return;
62949 ++}
62950 ++
62951 ++void
62952 ++gr_handle_open_port(void)
62953 ++{
62954 ++ gr_log_noargs(GR_DONT_AUDIT, GR_PORT_OPEN_MSG);
62955 ++ return;
62956 ++}
62957 ++
62958 ++int
62959 ++gr_handle_mem_mmap(const unsigned long offset, struct vm_area_struct *vma)
62960 ++{
62961 ++ unsigned long start, end;
62962 ++
62963 ++ start = offset;
62964 ++ end = start + vma->vm_end - vma->vm_start;
62965 ++
62966 ++ if (start > end) {
62967 ++ gr_log_noargs(GR_DONT_AUDIT, GR_MEM_MMAP_MSG);
62968 ++ return -EPERM;
62969 ++ }
62970 ++
62971 ++ /* allowed ranges : ISA I/O BIOS */
62972 ++ if ((start >= __pa(high_memory))
62973 ++#ifdef CONFIG_X86
62974 ++ || (start >= 0x000a0000 && end <= 0x00100000)
62975 ++ || (start >= 0x00000000 && end <= 0x00001000)
62976 ++#endif
62977 ++ )
62978 ++ return 0;
62979 ++
62980 ++ if (vma->vm_flags & VM_WRITE) {
62981 ++ gr_log_noargs(GR_DONT_AUDIT, GR_MEM_MMAP_MSG);
62982 ++ return -EPERM;
62983 ++ } else
62984 ++ vma->vm_flags &= ~VM_MAYWRITE;
62985 ++
62986 ++ return 0;
62987 ++}
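Review bot: in `gr_handle_mem_mmap` the x86 test `start >= 0x00000000 && end <= 0x00001000` has a tautological first half (`start` is unsigned), so write it as `end <= 0x00001000`; and since `vma->vm_end` is exclusive, say in the comment that `end` is exclusive so the `end <= 0x00100000` bound on the ISA hole reads correctly. The `start >= __pa(high_memory)` branch permits a writable mapping regardless of `end`, which is sound only because `start > end` was rejected first; a comment tying those two checks together would help. Finally, the five void `gr_handle_*` functions above only log; the denial has to come from the caller, which is worth stating since the names suggest enforcement.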
62988 +diff -urNp linux-2.6.24.5/grsecurity/grsec_mount.c linux-2.6.24.5/grsecurity/grsec_mount.c
62989 +--- linux-2.6.24.5/grsecurity/grsec_mount.c 1969-12-31 19:00:00.000000000 -0500
62990 ++++ linux-2.6.24.5/grsecurity/grsec_mount.c 2008-03-26 20:21:09.000000000 -0400
62991 +@@ -0,0 +1,34 @@
62992 ++#include <linux/kernel.h>
62993 ++#include <linux/sched.h>
62994 ++#include <linux/grsecurity.h>
62995 ++#include <linux/grinternal.h>
62996 ++
62997 ++void
62998 ++gr_log_remount(const char *devname, const int retval)
62999 ++{
63000 ++#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
63001 ++ if (grsec_enable_mount && (retval >= 0))
63002 ++ gr_log_str(GR_DO_AUDIT, GR_REMOUNT_AUDIT_MSG, devname ? devname : "none");
63003 ++#endif
63004 ++ return;
63005 ++}
63006 ++
63007 ++void
63008 ++gr_log_unmount(const char *devname, const int retval)
63009 ++{
63010 ++#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
63011 ++ if (grsec_enable_mount && (retval >= 0))
63012 ++ gr_log_str(GR_DO_AUDIT, GR_UNMOUNT_AUDIT_MSG, devname ? devname : "none");
63013 ++#endif
63014 ++ return;
63015 ++}
63016 ++
63017 ++void
63018 ++gr_log_mount(const char *from, const char *to, const int retval)
63019 ++{
63020 ++#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
63021 ++ if (grsec_enable_mount && (retval >= 0))
63022 ++ gr_log_str_str(GR_DO_AUDIT, GR_MOUNT_AUDIT_MSG, from, to);
63023 ++#endif
63024 ++ return;
63025 ++}
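Review bot: `gr_log_remount` and `gr_log_unmount` substitute "none" for a NULL `devname`, but `gr_log_mount` passes `from` and `to` straight through to `gr_log_str_str`; either the callers guarantee both pointers are non-NULL (then say so in a comment) or the same `devname ? devname : "none"` guard belongs here, since `gr_log_str_str` is not visible in this hunk and may touch the strings before they reach vsnprintf.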
63026 +diff -urNp linux-2.6.24.5/grsecurity/grsec_sig.c linux-2.6.24.5/grsecurity/grsec_sig.c
63027 +--- linux-2.6.24.5/grsecurity/grsec_sig.c 1969-12-31 19:00:00.000000000 -0500
63028 ++++ linux-2.6.24.5/grsecurity/grsec_sig.c 2008-03-26 20:21:09.000000000 -0400
63029 +@@ -0,0 +1,58 @@
63030 ++#include <linux/kernel.h>
63031 ++#include <linux/sched.h>
63032 ++#include <linux/delay.h>
63033 ++#include <linux/grsecurity.h>
63034 ++#include <linux/grinternal.h>
63035 ++
63036 ++void
63037 ++gr_log_signal(const int sig, const struct task_struct *t)
63038 ++{
63039 ++#ifdef CONFIG_GRKERNSEC_SIGNAL
63040 ++ if (grsec_enable_signal && ((sig == SIGSEGV) || (sig == SIGILL) ||
63041 ++ (sig == SIGABRT) || (sig == SIGBUS))) {
63042 ++ if (t->pid == current->pid) {
63043 ++ gr_log_int(GR_DONT_AUDIT_GOOD, GR_UNISIGLOG_MSG, sig);
63044 ++ } else {
63045 ++ gr_log_sig(GR_DONT_AUDIT_GOOD, GR_DUALSIGLOG_MSG, t, sig);
63046 ++ }
63047 ++ }
63048 ++#endif
63049 ++ return;
63050 ++}
63051 ++
63052 ++int
63053 ++gr_handle_signal(const struct task_struct *p, const int sig)
63054 ++{
63055 ++#ifdef CONFIG_GRKERNSEC
63056 ++ if (current->pid > 1 && gr_check_protected_task(p)) {
63057 ++ gr_log_sig(GR_DONT_AUDIT, GR_SIG_ACL_MSG, p, sig);
63058 ++ return -EPERM;
63059 ++ } else if (gr_pid_is_chrooted((struct task_struct *)p)) {
63060 ++ return -EPERM;
63061 ++ }
63062 ++#endif
63063 ++ return 0;
63064 ++}
63065 ++
63066 ++void gr_handle_brute_attach(struct task_struct *p)
63067 ++{
63068 ++#ifdef CONFIG_GRKERNSEC_BRUTE
63069 ++ read_lock(&tasklist_lock);
63070 ++ read_lock(&grsec_exec_file_lock);
63071 ++ if (p->parent && p->parent->exec_file == p->exec_file)
63072 ++ p->parent->brute = 1;
63073 ++ read_unlock(&grsec_exec_file_lock);
63074 ++ read_unlock(&tasklist_lock);
63075 ++#endif
63076 ++ return;
63077 ++}
63078 ++
63079 ++void gr_handle_brute_check(void)
63080 ++{
63081 ++#ifdef CONFIG_GRKERNSEC_BRUTE
63082 ++ if (current->brute)
63083 ++ msleep(30 * 1000);
63084 ++#endif
63085 ++ return;
63086 ++}
63087 ++
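Review bot: `gr_handle_signal` casts away const with `(struct task_struct *)p` when calling `gr_pid_is_chrooted`; change that function's prototype to take `const struct task_struct *` instead of defeating the qualifier at the call site. Also, `gr_log_signal` compares `t->pid == current->pid` where `t == current` is the intended identity test and cheaper, and the file ends with a stray blank line after the closing brace of `gr_handle_brute_check`. In `gr_handle_brute_attach` the parent's `brute` flag is written under read locks only; that is acceptable for a single int store, but a comment noting that `gr_handle_brute_check` tolerates the race would document the intent.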
63088 +diff -urNp linux-2.6.24.5/grsecurity/grsec_sock.c linux-2.6.24.5/grsecurity/grsec_sock.c
63089 +--- linux-2.6.24.5/grsecurity/grsec_sock.c 1969-12-31 19:00:00.000000000 -0500
63090 ++++ linux-2.6.24.5/grsecurity/grsec_sock.c 2008-03-26 20:21:09.000000000 -0400
63091 +@@ -0,0 +1,274 @@
63092 ++#include <linux/kernel.h>
63093 ++#include <linux/module.h>
63094 ++#include <linux/sched.h>
63095 ++#include <linux/file.h>
63096 ++#include <linux/net.h>
63097 ++#include <linux/in.h>
63098 ++#include <linux/ip.h>
63099 ++#include <net/sock.h>
63100 ++#include <net/inet_sock.h>
63101 ++#include <linux/grsecurity.h>
63102 ++#include <linux/grinternal.h>
63103 ++#include <linux/gracl.h>
63104 ++
63105 ++#if defined(CONFIG_IP_NF_MATCH_STEALTH_MODULE)
63106 ++extern struct sock *udp_v4_lookup(u32 saddr, u16 sport, u32 daddr, u16 dport, int dif);
63107 ++EXPORT_SYMBOL(udp_v4_lookup);
63108 ++#endif
63109 ++
63110 ++__u32 gr_cap_rtnetlink(struct sock *sock);
63111 ++EXPORT_SYMBOL(gr_cap_rtnetlink);
63112 ++
63113 ++extern int gr_search_udp_recvmsg(const struct sock *sk, const struct sk_buff *skb);
63114 ++extern int gr_search_udp_sendmsg(const struct sock *sk, const struct sockaddr_in *addr);
63115 ++
63116 ++EXPORT_SYMBOL(gr_search_udp_recvmsg);
63117 ++EXPORT_SYMBOL(gr_search_udp_sendmsg);
63118 ++
63119 ++#ifdef CONFIG_UNIX_MODULE
63120 ++EXPORT_SYMBOL(gr_acl_handle_unix);
63121 ++EXPORT_SYMBOL(gr_acl_handle_mknod);
63122 ++EXPORT_SYMBOL(gr_handle_chroot_unix);
63123 ++EXPORT_SYMBOL(gr_handle_create);
63124 ++#endif
63125 ++
63126 ++#ifdef CONFIG_GRKERNSEC
63127 ++#define gr_conn_table_size 32749
63128 ++struct conn_table_entry {
63129 ++ struct conn_table_entry *next;
63130 ++ struct signal_struct *sig;
63131 ++};
63132 ++
63133 ++struct conn_table_entry *gr_conn_table[gr_conn_table_size];
63134 ++spinlock_t gr_conn_table_lock = SPIN_LOCK_UNLOCKED;
63135 ++
63136 ++extern const char * gr_socktype_to_name(unsigned char type);
63137 ++extern const char * gr_proto_to_name(unsigned char proto);
63138 ++
63139 ++static __inline__ int
63140 ++conn_hash(__u32 saddr, __u32 daddr, __u16 sport, __u16 dport, unsigned int size)
63141 ++{
63142 ++ return ((daddr + saddr + (sport << 8) + (dport << 16)) % size);
63143 ++}
63144 ++
63145 ++static __inline__ int
63146 ++conn_match(const struct signal_struct *sig, __u32 saddr, __u32 daddr,
63147 ++ __u16 sport, __u16 dport)
63148 ++{
63149 ++ if (unlikely(sig->gr_saddr == saddr && sig->gr_daddr == daddr &&
63150 ++ sig->gr_sport == sport && sig->gr_dport == dport))
63151 ++ return 1;
63152 ++ else
63153 ++ return 0;
63154 ++}
63155 ++
63156 ++static void gr_add_to_task_ip_table_nolock(struct signal_struct *sig, struct conn_table_entry *newent)
63157 ++{
63158 ++ struct conn_table_entry **match;
63159 ++ unsigned int index;
63160 ++
63161 ++ index = conn_hash(sig->gr_saddr, sig->gr_daddr,
63162 ++ sig->gr_sport, sig->gr_dport,
63163 ++ gr_conn_table_size);
63164 ++
63165 ++ newent->sig = sig;
63166 ++
63167 ++ match = &gr_conn_table[index];
63168 ++ newent->next = *match;
63169 ++ *match = newent;
63170 ++
63171 ++ return;
63172 ++}
63173 ++
63174 ++static void gr_del_task_from_ip_table_nolock(struct signal_struct *sig)
63175 ++{
63176 ++ struct conn_table_entry *match, *last = NULL;
63177 ++ unsigned int index;
63178 ++
63179 ++ index = conn_hash(sig->gr_saddr, sig->gr_daddr,
63180 ++ sig->gr_sport, sig->gr_dport,
63181 ++ gr_conn_table_size);
63182 ++
63183 ++ match = gr_conn_table[index];
63184 ++ while (match && !conn_match(match->sig,
63185 ++ sig->gr_saddr, sig->gr_daddr, sig->gr_sport,
63186 ++ sig->gr_dport)) {
63187 ++ last = match;
63188 ++ match = match->next;
63189 ++ }
63190 ++
63191 ++ if (match) {
63192 ++ if (last)
63193 ++ last->next = match->next;
63194 ++ else
63195 ++ gr_conn_table[index] = NULL;
63196 ++ kfree(match);
63197 ++ }
63198 ++
63199 ++ return;
63200 ++}
63201 ++
63202 ++static struct signal_struct * gr_lookup_task_ip_table(__u32 saddr, __u32 daddr,
63203 ++ __u16 sport, __u16 dport)
63204 ++{
63205 ++ struct conn_table_entry *match;
63206 ++ unsigned int index;
63207 ++
63208 ++ index = conn_hash(saddr, daddr, sport, dport, gr_conn_table_size);
63209 ++
63210 ++ match = gr_conn_table[index];
63211 ++ while (match && !conn_match(match->sig, saddr, daddr, sport, dport))
63212 ++ match = match->next;
63213 ++
63214 ++ if (match)
63215 ++ return match->sig;
63216 ++ else
63217 ++ return NULL;
63218 ++}
63219 ++
63220 ++#endif
63221 ++
63222 ++void gr_update_task_in_ip_table(struct task_struct *task, const struct inet_sock *inet)
63223 ++{
63224 ++#ifdef CONFIG_GRKERNSEC
63225 ++ struct signal_struct *sig = task->signal;
63226 ++ struct conn_table_entry *newent;
63227 ++
63228 ++ newent = kmalloc(sizeof(struct conn_table_entry), GFP_ATOMIC);
63229 ++ if (newent == NULL)
63230 ++ return;
63231 ++ /* no bh lock needed since we are called with bh disabled */
63232 ++ spin_lock(&gr_conn_table_lock);
63233 ++ gr_del_task_from_ip_table_nolock(sig);
63234 ++ sig->gr_saddr = inet->rcv_saddr;
63235 ++ sig->gr_daddr = inet->daddr;
63236 ++ sig->gr_sport = inet->sport;
63237 ++ sig->gr_dport = inet->dport;
63238 ++ gr_add_to_task_ip_table_nolock(sig, newent);
63239 ++ spin_unlock(&gr_conn_table_lock);
63240 ++#endif
63241 ++ return;
63242 ++}
63243 ++
63244 ++void gr_del_task_from_ip_table(struct task_struct *task)
63245 ++{
63246 ++#ifdef CONFIG_GRKERNSEC
63247 ++ spin_lock(&gr_conn_table_lock);
63248 ++ gr_del_task_from_ip_table_nolock(task->signal);
63249 ++ spin_unlock(&gr_conn_table_lock);
63250 ++#endif
63251 ++ return;
63252 ++}
63253 ++
63254 ++void
63255 ++gr_attach_curr_ip(const struct sock *sk)
63256 ++{
63257 ++#ifdef CONFIG_GRKERNSEC
63258 ++ struct signal_struct *p, *set;
63259 ++ const struct inet_sock *inet = inet_sk(sk);
63260 ++
63261 ++ if (unlikely(sk->sk_protocol != IPPROTO_TCP))
63262 ++ return;
63263 ++
63264 ++ set = current->signal;
63265 ++
63266 ++ spin_lock_bh(&gr_conn_table_lock);
63267 ++ p = gr_lookup_task_ip_table(inet->daddr, inet->rcv_saddr,
63268 ++ inet->dport, inet->sport);
63269 ++ if (unlikely(p != NULL)) {
63270 ++ set->curr_ip = p->curr_ip;
63271 ++ set->used_accept = 1;
63272 ++ gr_del_task_from_ip_table_nolock(p);
63273 ++ spin_unlock_bh(&gr_conn_table_lock);
63274 ++ return;
63275 ++ }
63276 ++ spin_unlock_bh(&gr_conn_table_lock);
63277 ++
63278 ++ set->curr_ip = inet->daddr;
63279 ++ set->used_accept = 1;
63280 ++#endif
63281 ++ return;
63282 ++}
63283 ++
63284 ++int
63285 ++gr_handle_sock_all(const int family, const int type, const int protocol)
63286 ++{
63287 ++#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
63288 ++ if (grsec_enable_socket_all && in_group_p(grsec_socket_all_gid) &&
63289 ++ (family != AF_UNIX) && (family != AF_LOCAL)) {
63290 ++ gr_log_int_str2(GR_DONT_AUDIT, GR_SOCK2_MSG, family, gr_socktype_to_name(type), gr_proto_to_name(protocol));
63291 ++ return -EACCES;
63292 ++ }
63293 ++#endif
63294 ++ return 0;
63295 ++}
63296 ++
63297 ++int
63298 ++gr_handle_sock_server(const struct sockaddr *sck)
63299 ++{
63300 ++#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
63301 ++ if (grsec_enable_socket_server &&
63302 ++ in_group_p(grsec_socket_server_gid) &&
63303 ++ sck && (sck->sa_family != AF_UNIX) &&
63304 ++ (sck->sa_family != AF_LOCAL)) {
63305 ++ gr_log_noargs(GR_DONT_AUDIT, GR_BIND_MSG);
63306 ++ return -EACCES;
63307 ++ }
63308 ++#endif
63309 ++ return 0;
63310 ++}
63311 ++
63312 ++int
63313 ++gr_handle_sock_server_other(const struct sock *sck)
63314 ++{
63315 ++#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
63316 ++ if (grsec_enable_socket_server &&
63317 ++ in_group_p(grsec_socket_server_gid) &&
63318 ++ sck && (sck->sk_family != AF_UNIX) &&
63319 ++ (sck->sk_family != AF_LOCAL)) {
63320 ++ gr_log_noargs(GR_DONT_AUDIT, GR_BIND_MSG);
63321 ++ return -EACCES;
63322 ++ }
63323 ++#endif
63324 ++ return 0;
63325 ++}
63326 ++
63327 ++int
63328 ++gr_handle_sock_client(const struct sockaddr *sck)
63329 ++{
63330 ++#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
63331 ++ if (grsec_enable_socket_client && in_group_p(grsec_socket_client_gid) &&
63332 ++ sck && (sck->sa_family != AF_UNIX) &&
63333 ++ (sck->sa_family != AF_LOCAL)) {
63334 ++ gr_log_noargs(GR_DONT_AUDIT, GR_CONNECT_MSG);
63335 ++ return -EACCES;
63336 ++ }
63337 ++#endif
63338 ++ return 0;
63339 ++}
63340 ++
63341 ++__u32
63342 ++gr_cap_rtnetlink(struct sock *sock)
63343 ++{
63344 ++#ifdef CONFIG_GRKERNSEC
63345 ++ if (!gr_acl_is_enabled())
63346 ++ return current->cap_effective;
63347 ++ else if (sock->sk_protocol == NETLINK_ISCSI &&
63348 ++ cap_raised(current->cap_effective, CAP_SYS_ADMIN) &&
63349 ++ gr_task_is_capable(current, CAP_SYS_ADMIN))
63350 ++ return current->cap_effective;
63351 ++ else if (sock->sk_protocol == NETLINK_AUDIT &&
63352 ++ cap_raised(current->cap_effective, CAP_AUDIT_WRITE) &&
63353 ++ gr_task_is_capable(current, CAP_AUDIT_WRITE) &&
63354 ++ cap_raised(current->cap_effective, CAP_AUDIT_CONTROL) &&
63355 ++ gr_task_is_capable(current, CAP_AUDIT_CONTROL))
63356 ++ return current->cap_effective;
63357 ++ else if (cap_raised(current->cap_effective, CAP_NET_ADMIN) &&
63358 ++ gr_task_is_capable(current, CAP_NET_ADMIN))
63359 ++ return current->cap_effective;
63360 ++ else
63361 ++ return 0;
63362 ++#else
63363 ++ return current->cap_effective;
63364 ++#endif
63365 ++}
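Review bot: gr_del_task_from_ip_table_nolock drops the rest of the hash chain when the matching entry is at the head of a bucket: in the `if (match)` branch, `gr_conn_table[index] = NULL;` should be `gr_conn_table[index] = match->next;`, otherwise every other conn_table_entry chained at that index is unlinked without being freed (leaked) and later gr_lookup_task_ip_table calls miss them, so gr_attach_curr_ip silently falls back to the raw `inet->daddr`. Separately, the lock is taken with three different variants (`spin_lock` in gr_update_task_in_ip_table with a comment that bh is already disabled, plain `spin_lock` in gr_del_task_from_ip_table with no such comment, and `spin_lock_bh` in gr_attach_curr_ip); if gr_del_task_from_ip_table can be reached from process context while gr_update_task_in_ip_table runs in softirq context on the same CPU, that plain `spin_lock` can deadlock, so please confirm the calling context or use `spin_lock_bh` there as well.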
63366 +diff -urNp linux-2.6.24.5/grsecurity/grsec_sysctl.c linux-2.6.24.5/grsecurity/grsec_sysctl.c
63367 +--- linux-2.6.24.5/grsecurity/grsec_sysctl.c 1969-12-31 19:00:00.000000000 -0500
63368 ++++ linux-2.6.24.5/grsecurity/grsec_sysctl.c 2008-03-26 20:21:09.000000000 -0400
63369 +@@ -0,0 +1,435 @@
63370 ++#include <linux/kernel.h>
63371 ++#include <linux/sched.h>
63372 ++#include <linux/sysctl.h>
63373 ++#include <linux/grsecurity.h>
63374 ++#include <linux/grinternal.h>
63375 ++
63376 ++#ifdef CONFIG_GRKERNSEC_MODSTOP
63377 ++int grsec_modstop;
63378 ++#endif
63379 ++
63380 ++int
63381 ++gr_handle_sysctl_mod(const char *dirname, const char *name, const int op)
63382 ++{
63383 ++#ifdef CONFIG_GRKERNSEC_SYSCTL
63384 ++ if (!strcmp(dirname, "grsecurity") && grsec_lock && (op & 002)) {
63385 ++ gr_log_str(GR_DONT_AUDIT, GR_SYSCTL_MSG, name);
63386 ++ return -EACCES;
63387 ++ }
63388 ++#endif
63389 ++#ifdef CONFIG_GRKERNSEC_MODSTOP
63390 ++ if (!strcmp(dirname, "grsecurity") && !strcmp(name, "disable_modules") &&
63391 ++ grsec_modstop && (op & 002)) {
63392 ++ gr_log_str(GR_DONT_AUDIT, GR_SYSCTL_MSG, name);
63393 ++ return -EACCES;
63394 ++ }
63395 ++#endif
63396 ++ return 0;
63397 ++}
63398 ++
63399 ++#if defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_MODSTOP)
63400 ++ctl_table grsecurity_table[] = {
63401 ++#ifdef CONFIG_GRKERNSEC_SYSCTL
63402 ++#ifdef CONFIG_GRKERNSEC_LINK
63403 ++ {
63404 ++ .ctl_name = CTL_UNNUMBERED,
63405 ++ .procname = "linking_restrictions",
63406 ++ .data = &grsec_enable_link,
63407 ++ .maxlen = sizeof(int),
63408 ++ .mode = 0600,
63409 ++ .proc_handler = &proc_dointvec,
63410 ++ },
63411 ++#endif
63412 ++#ifdef CONFIG_GRKERNSEC_FIFO
63413 ++ {
63414 ++ .ctl_name = CTL_UNNUMBERED,
63415 ++ .procname = "fifo_restrictions",
63416 ++ .data = &grsec_enable_fifo,
63417 ++ .maxlen = sizeof(int),
63418 ++ .mode = 0600,
63419 ++ .proc_handler = &proc_dointvec,
63420 ++ },
63421 ++#endif
63422 ++#ifdef CONFIG_GRKERNSEC_EXECVE
63423 ++ {
63424 ++ .ctl_name = CTL_UNNUMBERED,
63425 ++ .procname = "execve_limiting",
63426 ++ .data = &grsec_enable_execve,
63427 ++ .maxlen = sizeof(int),
63428 ++ .mode = 0600,
63429 ++ .proc_handler = &proc_dointvec,
63430 ++ },
63431 ++#endif
63432 ++#ifdef CONFIG_GRKERNSEC_EXECLOG
63433 ++ {
63434 ++ .ctl_name = CTL_UNNUMBERED,
63435 ++ .procname = "exec_logging",
63436 ++ .data = &grsec_enable_execlog,
63437 ++ .maxlen = sizeof(int),
63438 ++ .mode = 0600,
63439 ++ .proc_handler = &proc_dointvec,
63440 ++ },
63441 ++#endif
63442 ++#ifdef CONFIG_GRKERNSEC_SIGNAL
63443 ++ {
63444 ++ .ctl_name = CTL_UNNUMBERED,
63445 ++ .procname = "signal_logging",
63446 ++ .data = &grsec_enable_signal,
63447 ++ .maxlen = sizeof(int),
63448 ++ .mode = 0600,
63449 ++ .proc_handler = &proc_dointvec,
63450 ++ },
63451 ++#endif
63452 ++#ifdef CONFIG_GRKERNSEC_FORKFAIL
63453 ++ {
63454 ++ .ctl_name = CTL_UNNUMBERED,
63455 ++ .procname = "forkfail_logging",
63456 ++ .data = &grsec_enable_forkfail,
63457 ++ .maxlen = sizeof(int),
63458 ++ .mode = 0600,
63459 ++ .proc_handler = &proc_dointvec,
63460 ++ },
63461 ++#endif
63462 ++#ifdef CONFIG_GRKERNSEC_TIME
63463 ++ {
63464 ++ .ctl_name = CTL_UNNUMBERED,
63465 ++ .procname = "timechange_logging",
63466 ++ .data = &grsec_enable_time,
63467 ++ .maxlen = sizeof(int),
63468 ++ .mode = 0600,
63469 ++ .proc_handler = &proc_dointvec,
63470 ++ },
63471 ++#endif
63472 ++#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT
63473 ++ {
63474 ++ .ctl_name = CTL_UNNUMBERED,
63475 ++ .procname = "chroot_deny_shmat",
63476 ++ .data = &grsec_enable_chroot_shmat,
63477 ++ .maxlen = sizeof(int),
63478 ++ .mode = 0600,
63479 ++ .proc_handler = &proc_dointvec,
63480 ++ },
63481 ++#endif
63482 ++#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
63483 ++ {
63484 ++ .ctl_name = CTL_UNNUMBERED,
63485 ++ .procname = "chroot_deny_unix",
63486 ++ .data = &grsec_enable_chroot_unix,
63487 ++ .maxlen = sizeof(int),
63488 ++ .mode = 0600,
63489 ++ .proc_handler = &proc_dointvec,
63490 ++ },
63491 ++#endif
63492 ++#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
63493 ++ {
63494 ++ .ctl_name = CTL_UNNUMBERED,
63495 ++ .procname = "chroot_deny_mount",
63496 ++ .data = &grsec_enable_chroot_mount,
63497 ++ .maxlen = sizeof(int),
63498 ++ .mode = 0600,
63499 ++ .proc_handler = &proc_dointvec,
63500 ++ },
63501 ++#endif
63502 ++#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
63503 ++ {
63504 ++ .ctl_name = CTL_UNNUMBERED,
63505 ++ .procname = "chroot_deny_fchdir",
63506 ++ .data = &grsec_enable_chroot_fchdir,
63507 ++ .maxlen = sizeof(int),
63508 ++ .mode = 0600,
63509 ++ .proc_handler = &proc_dointvec,
63510 ++ },
63511 ++#endif
63512 ++#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
63513 ++ {
63514 ++ .ctl_name = CTL_UNNUMBERED,
63515 ++ .procname = "chroot_deny_chroot",
63516 ++ .data = &grsec_enable_chroot_double,
63517 ++ .maxlen = sizeof(int),
63518 ++ .mode = 0600,
63519 ++ .proc_handler = &proc_dointvec,
63520 ++ },
63521 ++#endif
63522 ++#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT
63523 ++ {
63524 ++ .ctl_name = CTL_UNNUMBERED,
63525 ++ .procname = "chroot_deny_pivot",
63526 ++ .data = &grsec_enable_chroot_pivot,
63527 ++ .maxlen = sizeof(int),
63528 ++ .mode = 0600,
63529 ++ .proc_handler = &proc_dointvec,
63530 ++ },
63531 ++#endif
63532 ++#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
63533 ++ {
63534 ++ .ctl_name = CTL_UNNUMBERED,
63535 ++ .procname = "chroot_enforce_chdir",
63536 ++ .data = &grsec_enable_chroot_chdir,
63537 ++ .maxlen = sizeof(int),
63538 ++ .mode = 0600,
63539 ++ .proc_handler = &proc_dointvec,
63540 ++ },
63541 ++#endif
63542 ++#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
63543 ++ {
63544 ++ .ctl_name = CTL_UNNUMBERED,
63545 ++ .procname = "chroot_deny_chmod",
63546 ++ .data = &grsec_enable_chroot_chmod,
63547 ++ .maxlen = sizeof(int),
63548 ++ .mode = 0600,
63549 ++ .proc_handler = &proc_dointvec,
63550 ++ },
63551 ++#endif
63552 ++#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
63553 ++ {
63554 ++ .ctl_name = CTL_UNNUMBERED,
63555 ++ .procname = "chroot_deny_mknod",
63556 ++ .data = &grsec_enable_chroot_mknod,
63557 ++ .maxlen = sizeof(int),
63558 ++ .mode = 0600,
63559 ++ .proc_handler = &proc_dointvec,
63560 ++ },
63561 ++#endif
63562 ++#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
63563 ++ {
63564 ++ .ctl_name = CTL_UNNUMBERED,
63565 ++ .procname = "chroot_restrict_nice",
63566 ++ .data = &grsec_enable_chroot_nice,
63567 ++ .maxlen = sizeof(int),
63568 ++ .mode = 0600,
63569 ++ .proc_handler = &proc_dointvec,
63570 ++ },
63571 ++#endif
63572 ++#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
63573 ++ {
63574 ++ .ctl_name = CTL_UNNUMBERED,
63575 ++ .procname = "chroot_execlog",
63576 ++ .data = &grsec_enable_chroot_execlog,
63577 ++ .maxlen = sizeof(int),
63578 ++ .mode = 0600,
63579 ++ .proc_handler = &proc_dointvec,
63580 ++ },
63581 ++#endif
63582 ++#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
63583 ++ {
63584 ++ .ctl_name = CTL_UNNUMBERED,
63585 ++ .procname = "chroot_caps",
63586 ++ .data = &grsec_enable_chroot_caps,
63587 ++ .maxlen = sizeof(int),
63588 ++ .mode = 0600,
63589 ++ .proc_handler = &proc_dointvec,
63590 ++ },
63591 ++#endif
63592 ++#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
63593 ++ {
63594 ++ .ctl_name = CTL_UNNUMBERED,
63595 ++ .procname = "chroot_deny_sysctl",
63596 ++ .data = &grsec_enable_chroot_sysctl,
63597 ++ .maxlen = sizeof(int),
63598 ++ .mode = 0600,
63599 ++ .proc_handler = &proc_dointvec,
63600 ++ },
63601 ++#endif
63602 ++#ifdef CONFIG_GRKERNSEC_TPE
63603 ++ {
63604 ++ .ctl_name = CTL_UNNUMBERED,
63605 ++ .procname = "tpe",
63606 ++ .data = &grsec_enable_tpe,
63607 ++ .maxlen = sizeof(int),
63608 ++ .mode = 0600,
63609 ++ .proc_handler = &proc_dointvec,
63610 ++ },
63611 ++ {
63612 ++ .ctl_name = CTL_UNNUMBERED,
63613 ++ .procname = "tpe_gid",
63614 ++ .data = &grsec_tpe_gid,
63615 ++ .maxlen = sizeof(int),
63616 ++ .mode = 0600,
63617 ++ .proc_handler = &proc_dointvec,
63618 ++ },
63619 ++#endif
63620 ++#ifdef CONFIG_GRKERNSEC_TPE_ALL
63621 ++ {
63622 ++ .ctl_name = CTL_UNNUMBERED,
63623 ++ .procname = "tpe_restrict_all",
63624 ++ .data = &grsec_enable_tpe_all,
63625 ++ .maxlen = sizeof(int),
63626 ++ .mode = 0600,
63627 ++ .proc_handler = &proc_dointvec,
63628 ++ },
63629 ++#endif
63630 ++#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
63631 ++ {
63632 ++ .ctl_name = CTL_UNNUMBERED,
63633 ++ .procname = "socket_all",
63634 ++ .data = &grsec_enable_socket_all,
63635 ++ .maxlen = sizeof(int),
63636 ++ .mode = 0600,
63637 ++ .proc_handler = &proc_dointvec,
63638 ++ },
63639 ++ {
63640 ++ .ctl_name = CTL_UNNUMBERED,
63641 ++ .procname = "socket_all_gid",
63642 ++ .data = &grsec_socket_all_gid,
63643 ++ .maxlen = sizeof(int),
63644 ++ .mode = 0600,
63645 ++ .proc_handler = &proc_dointvec,
63646 ++ },
63647 ++#endif
63648 ++#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
63649 ++ {
63650 ++ .ctl_name = CTL_UNNUMBERED,
63651 ++ .procname = "socket_client",
63652 ++ .data = &grsec_enable_socket_client,
63653 ++ .maxlen = sizeof(int),
63654 ++ .mode = 0600,
63655 ++ .proc_handler = &proc_dointvec,
63656 ++ },
63657 ++ {
63658 ++ .ctl_name = CTL_UNNUMBERED,
63659 ++ .procname = "socket_client_gid",
63660 ++ .data = &grsec_socket_client_gid,
63661 ++ .maxlen = sizeof(int),
63662 ++ .mode = 0600,
63663 ++ .proc_handler = &proc_dointvec,
63664 ++ },
63665 ++#endif
63666 ++#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
63667 ++ {
63668 ++ .ctl_name = CTL_UNNUMBERED,
63669 ++ .procname = "socket_server",
63670 ++ .data = &grsec_enable_socket_server,
63671 ++ .maxlen = sizeof(int),
63672 ++ .mode = 0600,
63673 ++ .proc_handler = &proc_dointvec,
63674 ++ },
63675 ++ {
63676 ++ .ctl_name = CTL_UNNUMBERED,
63677 ++ .procname = "socket_server_gid",
63678 ++ .data = &grsec_socket_server_gid,
63679 ++ .maxlen = sizeof(int),
63680 ++ .mode = 0600,
63681 ++ .proc_handler = &proc_dointvec,
63682 ++ },
63683 ++#endif
63684 ++#ifdef CONFIG_GRKERNSEC_AUDIT_GROUP
63685 ++ {
63686 ++ .ctl_name = CTL_UNNUMBERED,
63687 ++ .procname = "audit_group",
63688 ++ .data = &grsec_enable_group,
63689 ++ .maxlen = sizeof(int),
63690 ++ .mode = 0600,
63691 ++ .proc_handler = &proc_dointvec,
63692 ++ },
63693 ++ {
63694 ++ .ctl_name = CTL_UNNUMBERED,
63695 ++ .procname = "audit_gid",
63696 ++ .data = &grsec_audit_gid,
63697 ++ .maxlen = sizeof(int),
63698 ++ .mode = 0600,
63699 ++ .proc_handler = &proc_dointvec,
63700 ++ },
63701 ++#endif
63702 ++#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR
63703 ++ {
63704 ++ .ctl_name = CTL_UNNUMBERED,
63705 ++ .procname = "audit_chdir",
63706 ++ .data = &grsec_enable_chdir,
63707 ++ .maxlen = sizeof(int),
63708 ++ .mode = 0600,
63709 ++ .proc_handler = &proc_dointvec,
63710 ++ },
63711 ++#endif
63712 ++#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
63713 ++ {
63714 ++ .ctl_name = CTL_UNNUMBERED,
63715 ++ .procname = "audit_mount",
63716 ++ .data = &grsec_enable_mount,
63717 ++ .maxlen = sizeof(int),
63718 ++ .mode = 0600,
63719 ++ .proc_handler = &proc_dointvec,
63720 ++ },
63721 ++#endif
63722 ++#ifdef CONFIG_GRKERNSEC_AUDIT_IPC
63723 ++ {
63724 ++ .ctl_name = CTL_UNNUMBERED,
63725 ++ .procname = "audit_ipc",
63726 ++ .data = &grsec_enable_audit_ipc,
63727 ++ .maxlen = sizeof(int),
63728 ++ .mode = 0600,
63729 ++ .proc_handler = &proc_dointvec,
63730 ++ },
63731 ++#endif
63732 ++#ifdef CONFIG_GRKERNSEC_AUDIT_TEXTREL
63733 ++ {
63734 ++ .ctl_name = CTL_UNNUMBERED,
63735 ++ .procname = "audit_textrel",
63736 ++ .data = &grsec_enable_audit_textrel,
63737 ++ .maxlen = sizeof(int),
63738 ++ .mode = 0600,
63739 ++ .proc_handler = &proc_dointvec,
63740 ++ },
63741 ++#endif
63742 ++#ifdef CONFIG_GRKERNSEC_DMESG
63743 ++ {
63744 ++ .ctl_name = CTL_UNNUMBERED,
63745 ++ .procname = "dmesg",
63746 ++ .data = &grsec_enable_dmesg,
63747 ++ .maxlen = sizeof(int),
63748 ++ .mode = 0600,
63749 ++ .proc_handler = &proc_dointvec,
63750 ++ },
63751 ++#endif
63752 ++#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
63753 ++ {
63754 ++ .ctl_name = CTL_UNNUMBERED,
63755 ++ .procname = "chroot_findtask",
63756 ++ .data = &grsec_enable_chroot_findtask,
63757 ++ .maxlen = sizeof(int),
63758 ++ .mode = 0600,
63759 ++ .proc_handler = &proc_dointvec,
63760 ++ },
63761 ++#endif
63762 ++#ifdef CONFIG_GRKERNSEC_RESLOG
63763 ++ {
63764 ++ .ctl_name = CTL_UNNUMBERED,
63765 ++ .procname = "resource_logging",
63766 ++ .data = &grsec_resource_logging,
63767 ++ .maxlen = sizeof(int),
63768 ++ .mode = 0600,
63769 ++ .proc_handler = &proc_dointvec,
63770 ++ },
63771 ++#endif
63772 ++ {
63773 ++ .ctl_name = CTL_UNNUMBERED,
63774 ++ .procname = "grsec_lock",
63775 ++ .data = &grsec_lock,
63776 ++ .maxlen = sizeof(int),
63777 ++ .mode = 0600,
63778 ++ .proc_handler = &proc_dointvec,
63779 ++ },
63780 ++#endif
63781 ++#ifdef CONFIG_GRKERNSEC_MODSTOP
63782 ++ {
63783 ++ .ctl_name = CTL_UNNUMBERED,
63784 ++ .procname = "disable_modules",
63785 ++ .data = &grsec_modstop,
63786 ++ .maxlen = sizeof(int),
63787 ++ .mode = 0600,
63788 ++ .proc_handler = &proc_dointvec,
63789 ++ },
63790 ++#endif
63791 ++ { .ctl_name = 0 }
63792 ++};
63793 ++#endif
63794 ++
63795 ++int gr_check_modstop(void)
63796 ++{
63797 ++#ifdef CONFIG_GRKERNSEC_MODSTOP
63798 ++ if (grsec_modstop == 1) {
63799 ++ gr_log_noargs(GR_DONT_AUDIT, GR_STOPMOD_MSG);
63800 ++ return 1;
63801 ++ }
63802 ++#endif
63803 ++ return 0;
63804 ++}
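Review bot: gr_check_modstop only triggers on `grsec_modstop == 1`, but the `disable_modules` sysctl uses plain `proc_dointvec` and gr_handle_sysctl_mod locks the entry on any non-zero `grsec_modstop`, so writing `2` locks the sysctl forever without ever disabling module loading. Either test `if (grsec_modstop)` in gr_check_modstop or register the entry with `proc_dointvec_minmax` and `.extra1`/`.extra2` bounds of 0 and 1; the same range handler would also be appropriate for the other boolean `grsec_enable_*` entries in this table, which currently accept any int.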
63805 +diff -urNp linux-2.6.24.5/grsecurity/grsec_textrel.c linux-2.6.24.5/grsecurity/grsec_textrel.c
63806 +--- linux-2.6.24.5/grsecurity/grsec_textrel.c 1969-12-31 19:00:00.000000000 -0500
63807 ++++ linux-2.6.24.5/grsecurity/grsec_textrel.c 2008-03-26 20:21:09.000000000 -0400
63808 +@@ -0,0 +1,16 @@
63809 ++#include <linux/kernel.h>
63810 ++#include <linux/sched.h>
63811 ++#include <linux/mm.h>
63812 ++#include <linux/file.h>
63813 ++#include <linux/grinternal.h>
63814 ++#include <linux/grsecurity.h>
63815 ++
63816 ++void
63817 ++gr_log_textrel(struct vm_area_struct * vma)
63818 ++{
63819 ++#ifdef CONFIG_GRKERNSEC_AUDIT_TEXTREL
63820 ++ if (grsec_enable_audit_textrel)
63821 ++ gr_log_textrel_ulong_ulong(GR_DO_AUDIT, GR_TEXTREL_AUDIT_MSG, vma->vm_file, vma->vm_start, vma->vm_pgoff);
63822 ++#endif
63823 ++ return;
63824 ++}
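Review bot: gr_log_textrel passes `vma->vm_file` straight to gr_log_textrel_ulong_ulong, and nothing in this hunk shows that the logger tolerates a NULL `vm_file`; if the caller can ever hand in an anonymous mapping, guard with `if (grsec_enable_audit_textrel && vma->vm_file)` or document that the caller guarantees a file-backed vma.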
63825 +diff -urNp linux-2.6.24.5/grsecurity/grsec_time.c linux-2.6.24.5/grsecurity/grsec_time.c
63826 +--- linux-2.6.24.5/grsecurity/grsec_time.c 1969-12-31 19:00:00.000000000 -0500
63827 ++++ linux-2.6.24.5/grsecurity/grsec_time.c 2008-03-26 20:21:09.000000000 -0400
63828 +@@ -0,0 +1,13 @@
63829 ++#include <linux/kernel.h>
63830 ++#include <linux/sched.h>
63831 ++#include <linux/grinternal.h>
63832 ++
63833 ++void
63834 ++gr_log_timechange(void)
63835 ++{
63836 ++#ifdef CONFIG_GRKERNSEC_TIME
63837 ++ if (grsec_enable_time)
63838 ++ gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_TIME_MSG);
63839 ++#endif
63840 ++ return;
63841 ++}
63842 +diff -urNp linux-2.6.24.5/grsecurity/grsec_tpe.c linux-2.6.24.5/grsecurity/grsec_tpe.c
63843 +--- linux-2.6.24.5/grsecurity/grsec_tpe.c 1969-12-31 19:00:00.000000000 -0500
63844 ++++ linux-2.6.24.5/grsecurity/grsec_tpe.c 2008-03-26 20:21:09.000000000 -0400
63845 +@@ -0,0 +1,37 @@
63846 ++#include <linux/kernel.h>
63847 ++#include <linux/sched.h>
63848 ++#include <linux/file.h>
63849 ++#include <linux/fs.h>
63850 ++#include <linux/grinternal.h>
63851 ++
63852 ++extern int gr_acl_tpe_check(void);
63853 ++
63854 ++int
63855 ++gr_tpe_allow(const struct file *file)
63856 ++{
63857 ++#ifdef CONFIG_GRKERNSEC
63858 ++ struct inode *inode = file->f_dentry->d_parent->d_inode;
63859 ++
63860 ++ if (current->uid && ((grsec_enable_tpe &&
63861 ++#ifdef CONFIG_GRKERNSEC_TPE_INVERT
63862 ++ !in_group_p(grsec_tpe_gid)
63863 ++#else
63864 ++ in_group_p(grsec_tpe_gid)
63865 ++#endif
63866 ++ ) || gr_acl_tpe_check()) &&
63867 ++ (inode->i_uid || (!inode->i_uid && ((inode->i_mode & S_IWGRP) ||
63868 ++ (inode->i_mode & S_IWOTH))))) {
63869 ++ gr_log_fs_generic(GR_DONT_AUDIT, GR_EXEC_TPE_MSG, file->f_dentry, file->f_vfsmnt);
63870 ++ return 0;
63871 ++ }
63872 ++#ifdef CONFIG_GRKERNSEC_TPE_ALL
63873 ++ if (current->uid && grsec_enable_tpe && grsec_enable_tpe_all &&
63874 ++ ((inode->i_uid && (inode->i_uid != current->uid)) ||
63875 ++ (inode->i_mode & S_IWGRP) || (inode->i_mode & S_IWOTH))) {
63876 ++ gr_log_fs_generic(GR_DONT_AUDIT, GR_EXEC_TPE_MSG, file->f_dentry, file->f_vfsmnt);
63877 ++ return 0;
63878 ++ }
63879 ++#endif
63880 ++#endif
63881 ++ return 1;
63882 ++}
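Review bot: the condition `(inode->i_uid || (!inode->i_uid && ((inode->i_mode & S_IWGRP) || (inode->i_mode & S_IWOTH))))` in gr_tpe_allow is redundant, since the `!inode->i_uid &&` clause is always true once the first disjunct has failed; it reads more clearly as `(inode->i_uid || (inode->i_mode & (S_IWGRP | S_IWOTH)))`, and the same mask form could be used in the `CONFIG_GRKERNSEC_TPE_ALL` branch. Worth stating in a comment that only the immediate parent directory (`file->f_dentry->d_parent`) is examined, so a root-owned, non-writable subdirectory placed under a user-writable ancestor still passes; that is the intended TPE semantics but is easy to misread from the code.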
63883 +diff -urNp linux-2.6.24.5/grsecurity/grsum.c linux-2.6.24.5/grsecurity/grsum.c
63884 +--- linux-2.6.24.5/grsecurity/grsum.c 1969-12-31 19:00:00.000000000 -0500
63885 ++++ linux-2.6.24.5/grsecurity/grsum.c 2008-03-26 20:21:09.000000000 -0400
63886 +@@ -0,0 +1,59 @@
63887 ++#include <linux/err.h>
63888 ++#include <linux/kernel.h>
63889 ++#include <linux/sched.h>
63890 ++#include <linux/mm.h>
63891 ++#include <linux/scatterlist.h>
63892 ++#include <linux/crypto.h>
63893 ++#include <linux/gracl.h>
63894 ++
63895 ++
63896 ++#if !defined(CONFIG_CRYPTO) || defined(CONFIG_CRYPTO_MODULE) || !defined(CONFIG_CRYPTO_SHA256) || defined(CONFIG_CRYPTO_SHA256_MODULE)
63897 ++#error "crypto and sha256 must be built into the kernel"
63898 ++#endif
63899 ++
63900 ++int
63901 ++chkpw(struct gr_arg *entry, unsigned char *salt, unsigned char *sum)
63902 ++{
63903 ++ char *p;
63904 ++ struct crypto_hash *tfm;
63905 ++ struct hash_desc desc;
63906 ++ struct scatterlist sg;
63907 ++ unsigned char temp_sum[GR_SHA_LEN];
63908 ++ volatile int retval = 0;
63909 ++ volatile int dummy = 0;
63910 ++ unsigned int i;
63911 ++
63912 ++ tfm = crypto_alloc_hash("sha256", 0, CRYPTO_ALG_ASYNC);
63913 ++ if (IS_ERR(tfm)) {
63914 ++ /* should never happen, since sha256 should be built in */
63915 ++ return 1;
63916 ++ }
63917 ++
63918 ++ desc.tfm = tfm;
63919 ++ desc.flags = 0;
63920 ++
63921 ++ crypto_hash_init(&desc);
63922 ++
63923 ++ p = salt;
63924 ++ sg_set_buf(&sg, p, GR_SALT_LEN);
63925 ++ crypto_hash_update(&desc, &sg, sg.length);
63926 ++
63927 ++ p = entry->pw;
63928 ++ sg_set_buf(&sg, p, strlen(p));
63929 ++
63930 ++ crypto_hash_update(&desc, &sg, sg.length);
63931 ++
63932 ++ crypto_hash_final(&desc, temp_sum);
63933 ++
63934 ++ memset(entry->pw, 0, GR_PW_LEN);
63935 ++
63936 ++ for (i = 0; i < GR_SHA_LEN; i++)
63937 ++ if (sum[i] != temp_sum[i])
63938 ++ retval = 1;
63939 ++ else
63940 ++ dummy = 1; // waste a cycle
63941 ++
63942 ++ crypto_free_hash(tfm);
63943 ++
63944 ++ return retval;
63945 ++}
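Review bot: chkpw calls `strlen(p)` on `entry->pw`, a buffer of `GR_PW_LEN` bytes that arrives from userland via `struct gr_arg`; if the caller does not guarantee NUL termination, strlen runs past the field, so use `strnlen(p, GR_PW_LEN)` here. The return values of `crypto_hash_init`, `crypto_hash_update` and `crypto_hash_final` are ignored, so a failure would compare `sum` against uninitialised stack in `temp_sum`; check them and treat any error as a mismatch. Finally, `entry->pw` is cleared with memset but `temp_sum` is not, leaving the salted digest on the stack after return; clear it alongside the password.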
63946 +diff -urNp linux-2.6.24.5/grsecurity/Kconfig linux-2.6.24.5/grsecurity/Kconfig
63947 +--- linux-2.6.24.5/grsecurity/Kconfig 1969-12-31 19:00:00.000000000 -0500
63948 ++++ linux-2.6.24.5/grsecurity/Kconfig 2008-03-26 20:21:09.000000000 -0400
63949 +@@ -0,0 +1,861 @@
63950 ++#
63951 ++# grecurity configuration
63952 ++#
63953 ++
63954 ++menu "Grsecurity"
63955 ++
63956 ++config GRKERNSEC
63957 ++ bool "Grsecurity"
63958 ++ select CRYPTO
63959 ++ select CRYPTO_SHA256
63960 ++ select SECURITY
63961 ++ select SECURITY_CAPABILITIES
63962 ++ help
63963 ++ If you say Y here, you will be able to configure many features
63964 ++ that will enhance the security of your system. It is highly
63965 ++ recommended that you say Y here and read through the help
63966 ++ for each option so that you fully understand the features and
63967 ++ can evaluate their usefulness for your machine.
63968 ++
63969 ++choice
63970 ++ prompt "Security Level"
63971 ++ depends on GRKERNSEC
63972 ++ default GRKERNSEC_CUSTOM
63973 ++
63974 ++config GRKERNSEC_LOW
63975 ++ bool "Low"
63976 ++ select GRKERNSEC_LINK
63977 ++ select GRKERNSEC_FIFO
63978 ++ select GRKERNSEC_EXECVE
63979 ++ select GRKERNSEC_RANDNET
63980 ++ select GRKERNSEC_DMESG
63981 ++ select GRKERNSEC_CHROOT_CHDIR
63982 ++ select GRKERNSEC_MODSTOP if (MODULES)
63983 ++
63984 ++ help
63985 ++ If you choose this option, several of the grsecurity options will
63986 ++ be enabled that will give you greater protection against a number
63987 ++ of attacks, while assuring that none of your software will have any
63988 ++ conflicts with the additional security measures. If you run a lot
63989 ++ of unusual software, or you are having problems with the higher
63990 ++ security levels, you should say Y here. With this option, the
63991 ++ following features are enabled:
63992 ++
63993 ++ - Linking restrictions
63994 ++ - FIFO restrictions
63995 ++ - Enforcing RLIMIT_NPROC on execve
63996 ++ - Restricted dmesg
63997 ++ - Enforced chdir("/") on chroot
63998 ++ - Runtime module disabling
63999 ++
64000 ++config GRKERNSEC_MEDIUM
64001 ++ bool "Medium"
64002 ++ select PAX
64003 ++ select PAX_EI_PAX
64004 ++ select PAX_PT_PAX_FLAGS
64005 ++ select PAX_HAVE_ACL_FLAGS
64006 ++ select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
64007 ++ select GRKERNSEC_CHROOT_SYSCTL
64008 ++ select GRKERNSEC_LINK
64009 ++ select GRKERNSEC_FIFO
64010 ++ select GRKERNSEC_EXECVE
64011 ++ select GRKERNSEC_DMESG
64012 ++ select GRKERNSEC_RANDNET
64013 ++ select GRKERNSEC_FORKFAIL
64014 ++ select GRKERNSEC_TIME
64015 ++ select GRKERNSEC_SIGNAL
64016 ++ select GRKERNSEC_CHROOT
64017 ++ select GRKERNSEC_CHROOT_UNIX
64018 ++ select GRKERNSEC_CHROOT_MOUNT
64019 ++ select GRKERNSEC_CHROOT_PIVOT
64020 ++ select GRKERNSEC_CHROOT_DOUBLE
64021 ++ select GRKERNSEC_CHROOT_CHDIR
64022 ++ select GRKERNSEC_CHROOT_MKNOD
64023 ++ select GRKERNSEC_PROC
64024 ++ select GRKERNSEC_PROC_USERGROUP
64025 ++ select GRKERNSEC_MODSTOP if (MODULES)
64026 ++ select PAX_RANDUSTACK
64027 ++ select PAX_ASLR
64028 ++ select PAX_RANDMMAP
64029 ++
64030 ++ help
64031 ++ If you say Y here, several features in addition to those included
64032 ++ in the low additional security level will be enabled. These
64033 ++ features provide even more security to your system, though in rare
64034 ++ cases they may be incompatible with very old or poorly written
64035 ++ software. If you enable this option, make sure that your auth
64036 ++ service (identd) is running as gid 1001. With this option,
64037 ++ the following features (in addition to those provided in the
64038 ++ low additional security level) will be enabled:
64039 ++
64040 ++ - Failed fork logging
64041 ++ - Time change logging
64042 ++ - Signal logging
64043 ++ - Deny mounts in chroot
64044 ++ - Deny double chrooting
64045 ++ - Deny sysctl writes in chroot
64046 ++ - Deny mknod in chroot
64047 ++ - Deny access to abstract AF_UNIX sockets out of chroot
64048 ++ - Deny pivot_root in chroot
64049 ++ - Denied writes of /dev/kmem, /dev/mem, and /dev/port
64050 ++ - /proc restrictions with special GID set to 10 (usually wheel)
64051 ++ - Address Space Layout Randomization (ASLR)
64052 ++
64053 ++config GRKERNSEC_HIGH
64054 ++ bool "High"
64055 ++ select GRKERNSEC_LINK
64056 ++ select GRKERNSEC_FIFO
64057 ++ select GRKERNSEC_EXECVE
64058 ++ select GRKERNSEC_DMESG
64059 ++ select GRKERNSEC_FORKFAIL
64060 ++ select GRKERNSEC_TIME
64061 ++ select GRKERNSEC_SIGNAL
64062 ++ select GRKERNSEC_CHROOT_SHMAT
64063 ++ select GRKERNSEC_CHROOT_UNIX
64064 ++ select GRKERNSEC_CHROOT_MOUNT
64065 ++ select GRKERNSEC_CHROOT_FCHDIR
64066 ++ select GRKERNSEC_CHROOT_PIVOT
64067 ++ select GRKERNSEC_CHROOT_DOUBLE
64068 ++ select GRKERNSEC_CHROOT_CHDIR
64069 ++ select GRKERNSEC_CHROOT_MKNOD
64070 ++ select GRKERNSEC_CHROOT_CAPS
64071 ++ select GRKERNSEC_CHROOT_SYSCTL
64072 ++ select GRKERNSEC_CHROOT_FINDTASK
64073 ++ select GRKERNSEC_PROC
64074 ++ select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
64075 ++ select GRKERNSEC_HIDESYM
64076 ++ select GRKERNSEC_BRUTE
64077 ++ select GRKERNSEC_PROC_USERGROUP
64078 ++ select GRKERNSEC_KMEM
64079 ++ select GRKERNSEC_RESLOG
64080 ++ select GRKERNSEC_RANDNET
64081 ++ select GRKERNSEC_PROC_ADD
64082 ++ select GRKERNSEC_CHROOT_CHMOD
64083 ++ select GRKERNSEC_CHROOT_NICE
64084 ++ select GRKERNSEC_AUDIT_MOUNT
64085 ++ select GRKERNSEC_MODSTOP if (MODULES)
64086 ++ select PAX
64087 ++ select PAX_RANDUSTACK
64088 ++ select PAX_ASLR
64089 ++ select PAX_RANDMMAP
64090 ++ select PAX_NOEXEC
64091 ++ select PAX_MPROTECT
64092 ++ select PAX_EI_PAX
64093 ++ select PAX_PT_PAX_FLAGS
64094 ++ select PAX_HAVE_ACL_FLAGS
64095 ++ select PAX_KERNEXEC if (X86 && !EFI && !COMPAT_VDSO && !PARAVIRT && (!X86_32 || X86_WP_WORKS_OK))
64096 ++ select PAX_MEMORY_UDEREF if (!X86_64 && !COMPAT_VDSO)
64097 ++ select PAX_RANDKSTACK if (X86_TSC && !X86_64)
64098 ++ select PAX_SEGMEXEC if (X86 && !X86_64)
64099 ++ select PAX_PAGEEXEC if (!X86)
64100 ++ select PAX_EMUPLT if (ALPHA || PARISC || PPC32 || SPARC32 || SPARC64)
64101 ++ select PAX_DLRESOLVE if (SPARC32 || SPARC64)
64102 ++ select PAX_SYSCALL if (PPC32)
64103 ++ select PAX_EMUTRAMP if (PARISC)
64104 ++ select PAX_EMUSIGRT if (PARISC)
64105 ++ select PAX_ETEXECRELOCS if (ALPHA || IA64 || PARISC)
64106 ++ help
64107 ++ If you say Y here, many of the features of grsecurity will be
64108 ++ enabled, which will protect you against many kinds of attacks
64109 ++ against your system. The heightened security comes at a cost
64110 ++ of an increased chance of incompatibilities with rare software
64111 ++ on your machine. Since this security level enables PaX, you should
64112 ++ view <http://pax.grsecurity.net> and read about the PaX
64113 ++ project. While you are there, download chpax and run it on
64114 ++ binaries that cause problems with PaX. Also remember that
64115 ++ since the /proc restrictions are enabled, you must run your
64116 ++ identd as gid 1001. This security level enables the following
64117 ++ features in addition to those listed in the low and medium
64118 ++ security levels:
64119 ++
64120 ++ - Additional /proc restrictions
64121 ++ - Chmod restrictions in chroot
64122 ++ - No signals, ptrace, or viewing of processes outside of chroot
64123 ++ - Capability restrictions in chroot
64124 ++ - Deny fchdir out of chroot
64125 ++ - Priority restrictions in chroot
64126 ++ - Segmentation-based implementation of PaX
64127 ++ - Mprotect restrictions
64128 ++ - Removal of addresses from /proc/<pid>/[smaps|maps|stat]
64129 ++ - Kernel stack randomization
64130 ++ - Mount/unmount/remount logging
64131 ++ - Kernel symbol hiding
64132 ++ - Prevention of memory exhaustion-based exploits
64133 ++config GRKERNSEC_CUSTOM
64134 ++ bool "Custom"
64135 ++ help
64136 ++ If you say Y here, you will be able to configure every grsecurity
64137 ++ option, which allows you to enable many more features that aren't
64138 ++ covered in the basic security levels. These additional features
64139 ++ include TPE, socket restrictions, and the sysctl system for
64140 ++ grsecurity. It is advised that you read through the help for
64141 ++ each option to determine its usefulness in your situation.
64142 ++
64143 ++endchoice
64144 ++
64145 ++menu "Address Space Protection"
64146 ++depends on GRKERNSEC
64147 ++
64148 ++config GRKERNSEC_KMEM
64149 ++ bool "Deny writing to /dev/kmem, /dev/mem, and /dev/port"
64150 ++ help
64151 ++ If you say Y here, /dev/kmem and /dev/mem won't be allowed to
64152 ++ be written to via mmap or otherwise to modify the running kernel.
64153 ++ /dev/port will also not be allowed to be opened. If you have module
64154 ++ support disabled, enabling this will close up four ways that are
64155 ++ currently used to insert malicious code into the running kernel.
64156 ++ Even with all these features enabled, we still highly recommend that
64157 ++ you use the RBAC system, as it is still possible for an attacker to
64158 ++ modify the running kernel through privileged I/O granted by ioperm/iopl.
64159 ++ If you are not using XFree86, you may be able to stop this additional
64160 ++ case by enabling the 'Disable privileged I/O' option. Though nothing
64161 ++ legitimately writes to /dev/kmem, XFree86 does need to write to /dev/mem,
64162 ++ but only to video memory, which is the only writing we allow in this
64163 ++ case. If /dev/kmem or /dev/mem are mmaped without PROT_WRITE, they will
64164 ++ not be allowed to mprotect it with PROT_WRITE later.
64165 ++ It is highly recommended that you say Y here if you meet all the
64166 ++ conditions above.
64167 ++
64168 ++config GRKERNSEC_IO
64169 ++ bool "Disable privileged I/O"
64170 ++ depends on X86
64171 ++ select RTC
64172 ++ help
64173 ++ If you say Y here, all ioperm and iopl calls will return an error.
64174 ++ Ioperm and iopl can be used to modify the running kernel.
64175 ++ Unfortunately, some programs need this access to operate properly,
64176 ++ the most notable of which are XFree86 and hwclock. hwclock can be
64177 ++ remedied by having RTC support in the kernel, so CONFIG_RTC is
64178 ++ enabled if this option is enabled, to ensure that hwclock operates
64179 ++ correctly. XFree86 still will not operate correctly with this option
64180 ++ enabled, so DO NOT CHOOSE Y IF YOU USE XFree86. If you use XFree86
64181 ++ and you still want to protect your kernel against modification,
64182 ++ use the RBAC system.
64183 ++
64184 ++config GRKERNSEC_PROC_MEMMAP
64185 ++ bool "Remove addresses from /proc/<pid>/[smaps|maps|stat]"
64186 ++ depends on PAX_NOEXEC || PAX_ASLR
64187 ++ help
64188 ++ If you say Y here, the /proc/<pid>/maps and /proc/<pid>/stat files will
64189 ++ give no information about the addresses of its mappings if
64190 ++ PaX features that rely on random addresses are enabled on the task.
64191 ++ If you use PaX it is greatly recommended that you say Y here as it
64192 ++ closes up a hole that makes the full ASLR useless for suid
64193 ++ binaries.
64194 ++
64195 ++config GRKERNSEC_BRUTE
64196 ++ bool "Deter exploit bruteforcing"
64197 ++ help
64198 ++ If you say Y here, attempts to bruteforce exploits against forking
64199 ++ daemons such as apache or sshd will be deterred. When a child of a
64200 ++ forking daemon is killed by PaX or crashes due to an illegal
64201 ++ instruction, the parent process will be delayed 30 seconds upon every
64202 ++ subsequent fork until the administrator is able to assess the
64203 ++ situation and restart the daemon. It is recommended that you also
64204 ++ enable signal logging in the auditing section so that logs are
64205 ++ generated when a process performs an illegal instruction.
64206 ++
64207 ++config GRKERNSEC_MODSTOP
64208 ++ bool "Runtime module disabling"
64209 ++ depends on MODULES
64210 ++ help
64211 ++ If you say Y here, you will be able to disable the ability to (un)load
64212 ++ modules at runtime. This feature is useful if you need the ability
64213 ++ to load kernel modules at boot time, but do not want to allow an
64214 ++ attacker to load a rootkit kernel module into the system, or to remove
64215 ++ a loaded kernel module important to system functioning. You should
64216 ++ enable the /dev/mem protection feature as well, since rootkits can be
64217 ++ inserted into the kernel via other methods than kernel modules. Since
64218 ++ an untrusted module could still be loaded by modifying init scripts and
64219 ++ rebooting the system, it is also recommended that you enable the RBAC
64220 ++ system. If you enable this option, a sysctl option with name
64221 ++ "disable_modules" will be created. Setting this option to "1" disables
64222 ++ module loading. After this option is set, no further writes to it are
64223 ++ allowed until the system is rebooted.
64224 ++
64225 ++config GRKERNSEC_HIDESYM
64226 ++ bool "Hide kernel symbols"
64227 ++ help
64228 ++ If you say Y here, getting information on loaded modules, and
64229 ++ displaying all kernel symbols through a syscall will be restricted
64230 ++ to users with CAP_SYS_MODULE. This option is only effective
64231 ++ provided the following conditions are met:
64232 ++ 1) The kernel using grsecurity is not precompiled by some distribution
64233 ++ 2) You are using the RBAC system and hiding other files such as your
64234 ++ kernel image and System.map
64235 ++ 3) You have the additional /proc restrictions enabled, which removes
64236 ++ /proc/kcore
64237 ++ If the above conditions are met, this option will aid to provide a
64238 ++ useful protection against local and remote kernel exploitation of
64239 ++ overflows and arbitrary read/write vulnerabilities.
64240 ++
64241 ++endmenu
64242 ++menu "Role Based Access Control Options"
64243 ++depends on GRKERNSEC
64244 ++
64245 ++config GRKERNSEC_ACL_HIDEKERN
64246 ++ bool "Hide kernel processes"
64247 ++ help
64248 ++ If you say Y here, all kernel threads will be hidden to all
64249 ++ processes but those whose subject has the "view hidden processes"
64250 ++ flag.
64251 ++
64252 ++config GRKERNSEC_ACL_MAXTRIES
64253 ++ int "Maximum tries before password lockout"
64254 ++ default 3
64255 ++ help
64256 ++ This option enforces the maximum number of times a user can attempt
64257 ++ to authorize themselves with the grsecurity RBAC system before being
64258 ++ denied the ability to attempt authorization again for a specified time.
64259 ++ The lower the number, the harder it will be to brute-force a password.
64260 ++
64261 ++config GRKERNSEC_ACL_TIMEOUT
64262 ++ int "Time to wait after max password tries, in seconds"
64263 ++ default 30
64264 ++ help
64265 ++ This option specifies the time the user must wait after attempting to
64266 ++ authorize to the RBAC system with the maximum number of invalid
64267 ++ passwords. The higher the number, the harder it will be to brute-force
64268 ++ a password.
64269 ++
64270 ++endmenu
64271 ++menu "Filesystem Protections"
64272 ++depends on GRKERNSEC
64273 ++
64274 ++config GRKERNSEC_PROC
64275 ++ bool "Proc restrictions"
64276 ++ help
64277 ++ If you say Y here, the permissions of the /proc filesystem
64278 ++ will be altered to enhance system security and privacy. You MUST
64279 ++ choose either a user only restriction or a user and group restriction.
64280 ++ Depending upon the option you choose, you can either restrict users to
64281 ++ see only the processes they themselves run, or choose a group that can
64282 ++ view all processes and files normally restricted to root if you choose
64283 ++ the "restrict to user only" option. NOTE: If you're running identd as
64284 ++ a non-root user, you will have to run it as the group you specify here.
64285 ++
64286 ++config GRKERNSEC_PROC_USER
64287 ++ bool "Restrict /proc to user only"
64288 ++ depends on GRKERNSEC_PROC
64289 ++ help
64290 ++ If you say Y here, non-root users will only be able to view their own
64291 ++ processes, and restricts them from viewing network-related information,
64292 ++ and viewing kernel symbol and module information.
64293 ++
64294 ++config GRKERNSEC_PROC_USERGROUP
64295 ++ bool "Allow special group"
64296 ++ depends on GRKERNSEC_PROC && !GRKERNSEC_PROC_USER
64297 ++ help
64298 ++ If you say Y here, you will be able to select a group that will be
64299 ++ able to view all processes, network-related information, and
64300 ++ kernel and symbol information. This option is useful if you want
64301 ++ to run identd as a non-root user.
64302 ++
64303 ++config GRKERNSEC_PROC_GID
64304 ++ int "GID for special group"
64305 ++ depends on GRKERNSEC_PROC_USERGROUP
64306 ++ default 1001
64307 ++
64308 ++config GRKERNSEC_PROC_ADD
64309 ++ bool "Additional restrictions"
64310 ++ depends on GRKERNSEC_PROC_USER || GRKERNSEC_PROC_USERGROUP
64311 ++ help
64312 ++ If you say Y here, additional restrictions will be placed on
64313 ++ /proc that keep normal users from viewing device information and
64314 ++ slabinfo information that could be useful for exploits.
64315 ++
64316 ++config GRKERNSEC_LINK
64317 ++ bool "Linking restrictions"
64318 ++ help
64319 ++ If you say Y here, /tmp race exploits will be prevented, since users
64320 ++ will no longer be able to follow symlinks owned by other users in
64321 ++ world-writable +t directories (i.e. /tmp), unless the owner of the
64322 ++ symlink is the owner of the directory. users will also not be
64323 ++ able to hardlink to files they do not own. If the sysctl option is
64324 ++ enabled, a sysctl option with name "linking_restrictions" is created.
64325 ++
64326 ++config GRKERNSEC_FIFO
64327 ++ bool "FIFO restrictions"
64328 ++ help
64329 ++ If you say Y here, users will not be able to write to FIFOs they don't
64330 ++ own in world-writable +t directories (i.e. /tmp), unless the owner of
64331 ++ the FIFO is the same owner of the directory it's held in. If the sysctl
64332 ++ option is enabled, a sysctl option with name "fifo_restrictions" is
64333 ++ created.
64334 ++
64335 ++config GRKERNSEC_CHROOT
64336 ++ bool "Chroot jail restrictions"
64337 ++ help
64338 ++ If you say Y here, you will be able to choose several options that will
64339 ++ make breaking out of a chrooted jail much more difficult. If you
64340 ++ encounter no software incompatibilities with the following options, it
64341 ++ is recommended that you enable each one.
64342 ++
64343 ++config GRKERNSEC_CHROOT_MOUNT
64344 ++ bool "Deny mounts"
64345 ++ depends on GRKERNSEC_CHROOT
64346 ++ help
64347 ++ If you say Y here, processes inside a chroot will not be able to
64348 ++ mount or remount filesystems. If the sysctl option is enabled, a
64349 ++ sysctl option with name "chroot_deny_mount" is created.
64350 ++
64351 ++config GRKERNSEC_CHROOT_DOUBLE
64352 ++ bool "Deny double-chroots"
64353 ++ depends on GRKERNSEC_CHROOT
64354 ++ help
64355 ++ If you say Y here, processes inside a chroot will not be able to chroot
64356 ++ again outside the chroot. This is a widely used method of breaking
64357 ++ out of a chroot jail and should not be allowed. If the sysctl
64358 ++ option is enabled, a sysctl option with name
64359 ++ "chroot_deny_chroot" is created.
64360 ++
64361 ++config GRKERNSEC_CHROOT_PIVOT
64362 ++ bool "Deny pivot_root in chroot"
64363 ++ depends on GRKERNSEC_CHROOT
64364 ++ help
64365 ++ If you say Y here, processes inside a chroot will not be able to use
64366 ++ a function called pivot_root() that was introduced in Linux 2.3.41. It
64367 ++ works similar to chroot in that it changes the root filesystem. This
64368 ++ function could be misused in a chrooted process to attempt to break out
64369 ++ of the chroot, and therefore should not be allowed. If the sysctl
64370 ++ option is enabled, a sysctl option with name "chroot_deny_pivot" is
64371 ++ created.
64372 ++
64373 ++config GRKERNSEC_CHROOT_CHDIR
64374 ++ bool "Enforce chdir(\"/\") on all chroots"
64375 ++ depends on GRKERNSEC_CHROOT
64376 ++ help
64377 ++ If you say Y here, the current working directory of all newly-chrooted
64378 ++ applications will be set to the the root directory of the chroot.
64379 ++ The man page on chroot(2) states:
64380 ++ Note that this call does not change the current working
64381 ++ directory, so that `.' can be outside the tree rooted at
64382 ++ `/'. In particular, the super-user can escape from a
64383 ++ `chroot jail' by doing `mkdir foo; chroot foo; cd ..'.
64384 ++
64385 ++ It is recommended that you say Y here, since it's not known to break
64386 ++ any software. If the sysctl option is enabled, a sysctl option with
64387 ++ name "chroot_enforce_chdir" is created.
64388 ++
64389 ++config GRKERNSEC_CHROOT_CHMOD
64390 ++ bool "Deny (f)chmod +s"
64391 ++ depends on GRKERNSEC_CHROOT
64392 ++ help
64393 ++ If you say Y here, processes inside a chroot will not be able to chmod
64394 ++ or fchmod files to make them have suid or sgid bits. This protects
64395 ++ against another published method of breaking a chroot. If the sysctl
64396 ++ option is enabled, a sysctl option with name "chroot_deny_chmod" is
64397 ++ created.
64398 ++
64399 ++config GRKERNSEC_CHROOT_FCHDIR
64400 ++ bool "Deny fchdir out of chroot"
64401 ++ depends on GRKERNSEC_CHROOT
64402 ++ help
64403 ++ If you say Y here, a well-known method of breaking chroots by fchdir'ing
64404 ++ to a file descriptor of the chrooting process that points to a directory
64405 ++ outside the filesystem will be stopped. If the sysctl option
64406 ++ is enabled, a sysctl option with name "chroot_deny_fchdir" is created.
64407 ++
64408 ++config GRKERNSEC_CHROOT_MKNOD
64409 ++ bool "Deny mknod"
64410 ++ depends on GRKERNSEC_CHROOT
64411 ++ help
64412 ++ If you say Y here, processes inside a chroot will not be allowed to
64413 ++ mknod. The problem with using mknod inside a chroot is that it
64414 ++ would allow an attacker to create a device entry that is the same
64415 ++ as one on the physical root of your system, which could range from
64416 ++ anything from the console device to a device for your harddrive (which
64417 ++ they could then use to wipe the drive or steal data). It is recommended
64418 ++ that you say Y here, unless you run into software incompatibilities.
64419 ++ If the sysctl option is enabled, a sysctl option with name
64420 ++ "chroot_deny_mknod" is created.
64421 ++
64422 ++config GRKERNSEC_CHROOT_SHMAT
64423 ++ bool "Deny shmat() out of chroot"
64424 ++ depends on GRKERNSEC_CHROOT
64425 ++ help
64426 ++ If you say Y here, processes inside a chroot will not be able to attach
64427 ++ to shared memory segments that were created outside of the chroot jail.
64428 ++ It is recommended that you say Y here. If the sysctl option is enabled,
64429 ++ a sysctl option with name "chroot_deny_shmat" is created.
64430 ++
64431 ++config GRKERNSEC_CHROOT_UNIX
64432 ++ bool "Deny access to abstract AF_UNIX sockets out of chroot"
64433 ++ depends on GRKERNSEC_CHROOT
64434 ++ help
64435 ++ If you say Y here, processes inside a chroot will not be able to
64436 ++ connect to abstract (meaning not belonging to a filesystem) Unix
64437 ++ domain sockets that were bound outside of a chroot. It is recommended
64438 ++ that you say Y here. If the sysctl option is enabled, a sysctl option
64439 ++ with name "chroot_deny_unix" is created.
64440 ++
64441 ++config GRKERNSEC_CHROOT_FINDTASK
64442 ++ bool "Protect outside processes"
64443 ++ depends on GRKERNSEC_CHROOT
64444 ++ help
64445 ++ If you say Y here, processes inside a chroot will not be able to
64446 ++ kill, send signals with fcntl, ptrace, capget, getpgid, getsid,
64447 ++ or view any process outside of the chroot. If the sysctl
64448 ++ option is enabled, a sysctl option with name "chroot_findtask" is
64449 ++ created.
64450 ++
64451 ++config GRKERNSEC_CHROOT_NICE
64452 ++ bool "Restrict priority changes"
64453 ++ depends on GRKERNSEC_CHROOT
64454 ++ help
64455 ++ If you say Y here, processes inside a chroot will not be able to raise
64456 ++ the priority of processes in the chroot, or alter the priority of
64457 ++ processes outside the chroot. This provides more security than simply
64458 ++ removing CAP_SYS_NICE from the process' capability set. If the
64459 ++ sysctl option is enabled, a sysctl option with name "chroot_restrict_nice"
64460 ++ is created.
64461 ++
64462 ++config GRKERNSEC_CHROOT_SYSCTL
64463 ++ bool "Deny sysctl writes"
64464 ++ depends on GRKERNSEC_CHROOT
64465 ++ help
64466 ++ If you say Y here, an attacker in a chroot will not be able to
64467 ++ write to sysctl entries, either by sysctl(2) or through a /proc
64468 ++ interface. It is strongly recommended that you say Y here. If the
64469 ++ sysctl option is enabled, a sysctl option with name
64470 ++ "chroot_deny_sysctl" is created.
64471 ++
64472 ++config GRKERNSEC_CHROOT_CAPS
64473 ++ bool "Capability restrictions"
64474 ++ depends on GRKERNSEC_CHROOT
64475 ++ help
64476 ++ If you say Y here, the capabilities on all root processes within a
64477 ++ chroot jail will be lowered to stop module insertion, raw i/o,
64478 ++ system and net admin tasks, rebooting the system, modifying immutable
64479 ++ files, modifying IPC owned by another, and changing the system time.
64480 ++ This is left an option because it can break some apps. Disable this
64481 ++ if your chrooted apps are having problems performing those kinds of
64482 ++ tasks. If the sysctl option is enabled, a sysctl option with
64483 ++ name "chroot_caps" is created.
64484 ++
64485 ++endmenu
64486 ++menu "Kernel Auditing"
64487 ++depends on GRKERNSEC
64488 ++
64489 ++config GRKERNSEC_AUDIT_GROUP
64490 ++ bool "Single group for auditing"
64491 ++ help
64492 ++ If you say Y here, the exec, chdir, (un)mount, and ipc logging features
64493 ++ will only operate on a group you specify. This option is recommended
64494 ++ if you only want to watch certain users instead of having a large
64495 ++ amount of logs from the entire system. If the sysctl option is enabled,
64496 ++ a sysctl option with name "audit_group" is created.
64497 ++
64498 ++config GRKERNSEC_AUDIT_GID
64499 ++ int "GID for auditing"
64500 ++ depends on GRKERNSEC_AUDIT_GROUP
64501 ++ default 1007
64502 ++
64503 ++config GRKERNSEC_EXECLOG
64504 ++ bool "Exec logging"
64505 ++ help
64506 ++ If you say Y here, all execve() calls will be logged (since the
64507 ++ other exec*() calls are frontends to execve(), all execution
64508 ++ will be logged). Useful for shell-servers that like to keep track
64509 ++ of their users. If the sysctl option is enabled, a sysctl option with
64510 ++ name "exec_logging" is created.
64511 ++ WARNING: This option when enabled will produce a LOT of logs, especially
64512 ++ on an active system.
64513 ++
64514 ++config GRKERNSEC_RESLOG
64515 ++ bool "Resource logging"
64516 ++ help
64517 ++ If you say Y here, all attempts to overstep resource limits will
64518 ++ be logged with the resource name, the requested size, and the current
64519 ++ limit. It is highly recommended that you say Y here. If the sysctl
64520 ++ option is enabled, a sysctl option with name "resource_logging" is
64521 ++ created. If the RBAC system is enabled, the sysctl value is ignored.
64522 ++
64523 ++config GRKERNSEC_CHROOT_EXECLOG
64524 ++ bool "Log execs within chroot"
64525 ++ help
64526 ++ If you say Y here, all executions inside a chroot jail will be logged
64527 ++ to syslog. This can cause a large amount of logs if certain
64528 ++ applications (eg. djb's daemontools) are installed on the system, and
64529 ++ is therefore left as an option. If the sysctl option is enabled, a
64530 ++ sysctl option with name "chroot_execlog" is created.
64531 ++
64532 ++config GRKERNSEC_AUDIT_CHDIR
64533 ++ bool "Chdir logging"
64534 ++ help
64535 ++ If you say Y here, all chdir() calls will be logged. If the sysctl
64536 ++ option is enabled, a sysctl option with name "audit_chdir" is created.
64537 ++
64538 ++config GRKERNSEC_AUDIT_MOUNT
64539 ++ bool "(Un)Mount logging"
64540 ++ help
64541 ++ If you say Y here, all mounts and unmounts will be logged. If the
64542 ++ sysctl option is enabled, a sysctl option with name "audit_mount" is
64543 ++ created.
64544 ++
64545 ++config GRKERNSEC_AUDIT_IPC
64546 ++ bool "IPC logging"
64547 ++ help
64548 ++ If you say Y here, creation and removal of message queues, semaphores,
64549 ++ and shared memory will be logged. If the sysctl option is enabled, a
64550 ++ sysctl option with name "audit_ipc" is created.
64551 ++
64552 ++config GRKERNSEC_SIGNAL
64553 ++ bool "Signal logging"
64554 ++ help
64555 ++ If you say Y here, certain important signals will be logged, such as
64556 ++ SIGSEGV, which will as a result inform you of when a error in a program
64557 ++ occurred, which in some cases could mean a possible exploit attempt.
64558 ++ If the sysctl option is enabled, a sysctl option with name
64559 ++ "signal_logging" is created.
64560 ++
64561 ++config GRKERNSEC_FORKFAIL
64562 ++ bool "Fork failure logging"
64563 ++ help
64564 ++ If you say Y here, all failed fork() attempts will be logged.
64565 ++ This could suggest a fork bomb, or someone attempting to overstep
64566 ++ their process limit. If the sysctl option is enabled, a sysctl option
64567 ++ with name "forkfail_logging" is created.
64568 ++
64569 ++config GRKERNSEC_TIME
64570 ++ bool "Time change logging"
64571 ++ help
64572 ++ If you say Y here, any changes of the system clock will be logged.
64573 ++ If the sysctl option is enabled, a sysctl option with name
64574 ++ "timechange_logging" is created.
64575 ++
64576 ++config GRKERNSEC_PROC_IPADDR
64577 ++ bool "/proc/<pid>/ipaddr support"
64578 ++ help
64579 ++ If you say Y here, a new entry will be added to each /proc/<pid>
64580 ++ directory that contains the IP address of the person using the task.
64581 ++ The IP is carried across local TCP and AF_UNIX stream sockets.
64582 ++ This information can be useful for IDS/IPSes to perform remote response
64583 ++ to a local attack. The entry is readable by only the owner of the
64584 ++ process (and root if he has CAP_DAC_OVERRIDE, which can be removed via
64585 ++ the RBAC system), and thus does not create privacy concerns.
64586 ++
64587 ++config GRKERNSEC_AUDIT_TEXTREL
64588 ++ bool 'ELF text relocations logging (READ HELP)'
64589 ++ depends on PAX_MPROTECT
64590 ++ help
64591 ++ If you say Y here, text relocations will be logged with the filename
64592 ++ of the offending library or binary. The purpose of the feature is
64593 ++ to help Linux distribution developers get rid of libraries and
64594 ++ binaries that need text relocations which hinder the future progress
64595 ++ of PaX. Only Linux distribution developers should say Y here, and
64596 ++ never on a production machine, as this option creates an information
64597 ++ leak that could aid an attacker in defeating the randomization of
64598 ++ a single memory region. If the sysctl option is enabled, a sysctl
64599 ++ option with name "audit_textrel" is created.
64600 ++
64601 ++endmenu
64602 ++
64603 ++menu "Executable Protections"
64604 ++depends on GRKERNSEC
64605 ++
64606 ++config GRKERNSEC_EXECVE
64607 ++ bool "Enforce RLIMIT_NPROC on execs"
64608 ++ help
64609 ++ If you say Y here, users with a resource limit on processes will
64610 ++ have the value checked during execve() calls. The current system
64611 ++ only checks the system limit during fork() calls. If the sysctl option
64612 ++ is enabled, a sysctl option with name "execve_limiting" is created.
64613 ++
64614 ++config GRKERNSEC_DMESG
64615 ++ bool "Dmesg(8) restriction"
64616 ++ help
64617 ++ If you say Y here, non-root users will not be able to use dmesg(8)
64618 ++ to view up to the last 4kb of messages in the kernel's log buffer.
64619 ++ If the sysctl option is enabled, a sysctl option with name "dmesg" is
64620 ++ created.
64621 ++
64622 ++config GRKERNSEC_TPE
64623 ++ bool "Trusted Path Execution (TPE)"
64624 ++ help
64625 ++ If you say Y here, you will be able to choose a gid to add to the
64626 ++ supplementary groups of users you want to mark as "untrusted."
64627 ++ These users will not be able to execute any files that are not in
64628 ++ root-owned directories writable only by root. If the sysctl option
64629 ++ is enabled, a sysctl option with name "tpe" is created.
64630 ++
64631 ++config GRKERNSEC_TPE_ALL
64632 ++ bool "Partially restrict non-root users"
64633 ++ depends on GRKERNSEC_TPE
64634 ++ help
64635 ++ If you say Y here, All non-root users other than the ones in the
64636 ++ group specified in the main TPE option will only be allowed to
64637 ++ execute files in directories they own that are not group or
64638 ++ world-writable, or in directories owned by root and writable only by
64639 ++ root. If the sysctl option is enabled, a sysctl option with name
64640 ++ "tpe_restrict_all" is created.
64641 ++
64642 ++config GRKERNSEC_TPE_INVERT
64643 ++ bool "Invert GID option"
64644 ++ depends on GRKERNSEC_TPE
64645 ++ help
64646 ++ If you say Y here, the group you specify in the TPE configuration will
64647 ++ decide what group TPE restrictions will be *disabled* for. This
64648 ++ option is useful if you want TPE restrictions to be applied to most
64649 ++ users on the system.
64650 ++
64651 ++config GRKERNSEC_TPE_GID
64652 ++ int "GID for untrusted users"
64653 ++ depends on GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT
64654 ++ default 1005
64655 ++ help
64656 ++ If you have selected the "Invert GID option" above, setting this
64657 ++ GID determines what group TPE restrictions will be *disabled* for.
64658 ++ If you have not selected the "Invert GID option" above, setting this
64659 ++ GID determines what group TPE restrictions will be *enabled* for.
64660 ++ If the sysctl option is enabled, a sysctl option with name "tpe_gid"
64661 ++ is created.
64662 ++
64663 ++config GRKERNSEC_TPE_GID
64664 ++ int "GID for trusted users"
64665 ++ depends on GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT
64666 ++ default 1005
64667 ++ help
64668 ++ If you have selected the "Invert GID option" above, setting this
64669 ++ GID determines what group TPE restrictions will be *disabled* for.
64670 ++ If you have not selected the "Invert GID option" above, setting this
64671 ++ GID determines what group TPE restrictions will be *enabled* for.
64672 ++ If the sysctl option is enabled, a sysctl option with name "tpe_gid"
64673 ++ is created.
64674 ++
64675 ++endmenu
64676 ++menu "Network Protections"
64677 ++depends on GRKERNSEC
64678 ++
64679 ++config GRKERNSEC_RANDNET
64680 ++ bool "Larger entropy pools"
64681 ++ help
64682 ++ If you say Y here, the entropy pools used for many features of Linux
64683 ++ and grsecurity will be doubled in size. Since several grsecurity
64684 ++ features use additional randomness, it is recommended that you say Y
64685 ++ here. Saying Y here has a similar effect as modifying
64686 ++ /proc/sys/kernel/random/poolsize.
64687 ++
64688 ++config GRKERNSEC_SOCKET
64689 ++ bool "Socket restrictions"
64690 ++ help
64691 ++ If you say Y here, you will be able to choose from several options.
64692 ++ If you assign a GID on your system and add it to the supplementary
64693 ++ groups of users you want to restrict socket access to, this patch
64694 ++ will perform up to three things, based on the option(s) you choose.
64695 ++
64696 ++config GRKERNSEC_SOCKET_ALL
64697 ++ bool "Deny any sockets to group"
64698 ++ depends on GRKERNSEC_SOCKET
64699 ++ help
64700 ++ If you say Y here, you will be able to choose a GID of whose users will
64701 ++ be unable to connect to other hosts from your machine or run server
64702 ++ applications from your machine. If the sysctl option is enabled, a
64703 ++ sysctl option with name "socket_all" is created.
64704 ++
64705 ++config GRKERNSEC_SOCKET_ALL_GID
64706 ++ int "GID to deny all sockets for"
64707 ++ depends on GRKERNSEC_SOCKET_ALL
64708 ++ default 1004
64709 ++ help
64710 ++ Here you can choose the GID to disable socket access for. Remember to
64711 ++ add the users you want socket access disabled for to the GID
64712 ++ specified here. If the sysctl option is enabled, a sysctl option
64713 ++ with name "socket_all_gid" is created.
64714 ++
64715 ++config GRKERNSEC_SOCKET_CLIENT
64716 ++ bool "Deny client sockets to group"
64717 ++ depends on GRKERNSEC_SOCKET
64718 ++ help
64719 ++ If you say Y here, you will be able to choose a GID of whose users will
64720 ++ be unable to connect to other hosts from your machine, but will be
64721 ++ able to run servers. If this option is enabled, all users in the group
64722 ++ you specify will have to use passive mode when initiating ftp transfers
64723 ++ from the shell on your machine. If the sysctl option is enabled, a
64724 ++ sysctl option with name "socket_client" is created.
64725 ++
64726 ++config GRKERNSEC_SOCKET_CLIENT_GID
64727 ++ int "GID to deny client sockets for"
64728 ++ depends on GRKERNSEC_SOCKET_CLIENT
64729 ++ default 1003
64730 ++ help
64731 ++ Here you can choose the GID to disable client socket access for.
64732 ++ Remember to add the users you want client socket access disabled for to
64733 ++ the GID specified here. If the sysctl option is enabled, a sysctl
64734 ++ option with name "socket_client_gid" is created.
64735 ++
64736 ++config GRKERNSEC_SOCKET_SERVER
64737 ++ bool "Deny server sockets to group"
64738 ++ depends on GRKERNSEC_SOCKET
64739 ++ help
64740 ++ If you say Y here, you will be able to choose a GID of whose users will
64741 ++ be unable to run server applications from your machine. If the sysctl
64742 ++ option is enabled, a sysctl option with name "socket_server" is created.
64743 ++
64744 ++config GRKERNSEC_SOCKET_SERVER_GID
64745 ++ int "GID to deny server sockets for"
64746 ++ depends on GRKERNSEC_SOCKET_SERVER
64747 ++ default 1002
64748 ++ help
64749 ++ Here you can choose the GID to disable server socket access for.
64750 ++ Remember to add the users you want server socket access disabled for to
64751 ++ the GID specified here. If the sysctl option is enabled, a sysctl
64752 ++ option with name "socket_server_gid" is created.
64753 ++
64754 ++endmenu
64755 ++menu "Sysctl support"
64756 ++depends on GRKERNSEC && SYSCTL
64757 ++
64758 ++config GRKERNSEC_SYSCTL
64759 ++ bool "Sysctl support"
64760 ++ help
64761 ++ If you say Y here, you will be able to change the options that
64762 ++ grsecurity runs with at bootup, without having to recompile your
64763 ++ kernel. You can echo values to files in /proc/sys/kernel/grsecurity
64764 ++ to enable (1) or disable (0) various features. All the sysctl entries
64765 ++ are mutable until the "grsec_lock" entry is set to a non-zero value.
64766 ++ All features enabled in the kernel configuration are disabled at boot
64767 ++ if you do not say Y to the "Turn on features by default" option.
64768 ++ All options should be set at startup, and the grsec_lock entry should
64769 ++ be set to a non-zero value after all the options are set.
64770 ++ *THIS IS EXTREMELY IMPORTANT*
64771 ++
64772 ++config GRKERNSEC_SYSCTL_ON
64773 ++ bool "Turn on features by default"
64774 ++ depends on GRKERNSEC_SYSCTL
64775 ++ help
64776 ++ If you say Y here, instead of having all features enabled in the
64777 ++ kernel configuration disabled at boot time, the features will be
64778 ++ enabled at boot time. It is recommended you say Y here unless
64779 ++ there is some reason you would want all sysctl-tunable features to
64780 ++ be disabled by default. As mentioned elsewhere, it is important
64781 ++ to enable the grsec_lock entry once you have finished modifying
64782 ++ the sysctl entries.
64783 ++
64784 ++endmenu
64785 ++menu "Logging Options"
64786 ++depends on GRKERNSEC
64787 ++
64788 ++config GRKERNSEC_FLOODTIME
64789 ++ int "Seconds in between log messages (minimum)"
64790 ++ default 10
64791 ++ help
64792 ++ This option allows you to enforce the number of seconds between
64793 ++ grsecurity log messages. The default should be suitable for most
64794 ++ people, however, if you choose to change it, choose a value small enough
64795 ++ to allow informative logs to be produced, but large enough to
64796 ++ prevent flooding.
64797 ++
64798 ++config GRKERNSEC_FLOODBURST
64799 ++ int "Number of messages in a burst (maximum)"
64800 ++ default 4
64801 ++ help
64802 ++ This option allows you to choose the maximum number of messages allowed
64803 ++ within the flood time interval you chose in a separate option. The
64804 ++ default should be suitable for most people, however if you find that
64805 ++ many of your logs are being interpreted as flooding, you may want to
64806 ++ raise this value.
64807 ++
64808 ++endmenu
64809 ++
64810 ++endmenu
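Review bot: the GRKERNSEC_SYSCTL help text makes safe operation depend on an out-of-band step (set grsec_lock to a non-zero value after every option is set, flagged with *THIS IS EXTREMELY IMPORTANT*) but gives neither the entry's full path nor whether a locked system can be unlocked again without a reboot; state both, because an administrator who skips the lock leaves every grsecurity feature writable by root through /proc/sys/kernel/grsecurity. Two smaller points in the same hunk: the three socket-group options repeat the ungrammatical "a GID of whose users will be unable" (drop "of"), and their defaults 1004/1003/1002 fall in the range ordinary user groups receive on most distributions, so the help should tell the administrator to pick a GID that is not already in use rather than rely on the default. Finally, GRKERNSEC_FLOODTIME and GRKERNSEC_FLOODBURST (10 seconds, 4 messages) describe excess messages only as "interpreted as flooding"; say what happens to them (dropped or delayed), since anyone doing detection or incident response on these logs needs to know that a quiet interval can mean rate limiting rather than absence of events.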
64811 +diff -urNp linux-2.6.24.5/grsecurity/Makefile linux-2.6.24.5/grsecurity/Makefile
64812 +--- linux-2.6.24.5/grsecurity/Makefile 1969-12-31 19:00:00.000000000 -0500
64813 ++++ linux-2.6.24.5/grsecurity/Makefile 2008-03-26 20:21:09.000000000 -0400
64814 +@@ -0,0 +1,20 @@
64815 ++# grsecurity's ACL system was originally written in 2001 by Michael Dalton
64816 ++# during 2001-2005 it has been completely redesigned by Brad Spengler
64817 ++# into an RBAC system
64818 ++#
64819 ++# All code in this directory and various hooks inserted throughout the kernel
64820 ++# are copyright Brad Spengler, and released under the GPL v2 or higher
64821 ++
64822 ++obj-y = grsec_chdir.o grsec_chroot.o grsec_exec.o grsec_fifo.o grsec_fork.o \
64823 ++ grsec_mount.o grsec_sig.o grsec_sock.o grsec_sysctl.o \
64824 ++ grsec_time.o grsec_tpe.o grsec_ipc.o grsec_link.o grsec_textrel.o
64825 ++
64826 ++obj-$(CONFIG_GRKERNSEC) += grsec_init.o grsum.o gracl.o gracl_ip.o gracl_segv.o \
64827 ++ gracl_cap.o gracl_alloc.o gracl_shm.o grsec_mem.o gracl_fs.o \
64828 ++ gracl_learn.o grsec_log.o
64829 ++obj-$(CONFIG_GRKERNSEC_RESLOG) += gracl_res.o
64830 ++
64831 ++ifndef CONFIG_GRKERNSEC
64832 ++obj-y += grsec_disabled.o
64833 ++endif
64834 ++
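Review bot: the split between the unconditional "obj-y = grsec_chdir.o grsec_chroot.o ... grsec_textrel.o" list and the "obj-$(CONFIG_GRKERNSEC) += grsec_init.o grsum.o gracl.o ..." list is unexplained; the first group is compiled into a kernel that has CONFIG_GRKERNSEC disabled, alongside grsec_disabled.o, so either those files compile to nothing via internal #ifdefs or they belong under the CONFIG_GRKERNSEC line. A one-line comment saying which, and why grsec_disabled.o is still needed when the RBAC objects are already conditional, would make the Makefile reviewable without opening every source file.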
64835 +diff -urNp linux-2.6.24.5/include/acpi/acpiosxf.h linux-2.6.24.5/include/acpi/acpiosxf.h
64836 +--- linux-2.6.24.5/include/acpi/acpiosxf.h 2008-03-24 14:49:18.000000000 -0400
64837 ++++ linux-2.6.24.5/include/acpi/acpiosxf.h 2008-03-26 20:21:09.000000000 -0400
64838 +@@ -219,7 +219,7 @@ acpi_os_write_memory(acpi_physical_addre
64839 + */
64840 + acpi_status
64841 + acpi_os_read_pci_configuration(struct acpi_pci_id *pci_id,
64842 +- u32 reg, void *value, u32 width);
64843 ++ u32 reg, u32 *value, u32 width);
64844 +
64845 + acpi_status
64846 + acpi_os_write_pci_configuration(struct acpi_pci_id *pci_id,
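Review bot: changing the "value" parameter of acpi_os_read_pci_configuration from "void *" to "u32 *" is a stricter and safer prototype, but this hunk only touches the declaration; the definition and every caller must be converted in the same patch or the build breaks (or, worse, a caller still passing a pointer to a narrower object receives a 4-byte store through it). Check that the matching definition hunk is present and that the "width" argument still governs how many bytes are stored through "value".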
64847 +diff -urNp linux-2.6.24.5/include/asm-alpha/a.out.h linux-2.6.24.5/include/asm-alpha/a.out.h
64848 +--- linux-2.6.24.5/include/asm-alpha/a.out.h 2008-03-24 14:49:18.000000000 -0400
64849 ++++ linux-2.6.24.5/include/asm-alpha/a.out.h 2008-03-26 20:21:09.000000000 -0400
64850 +@@ -98,7 +98,7 @@ struct exec
64851 + set_personality (((BFPM->sh_bang || EX.ah.entry < 0x100000000L \
64852 + ? ADDR_LIMIT_32BIT : 0) | PER_OSF4))
64853 +
64854 +-#define STACK_TOP \
64855 ++#define __STACK_TOP \
64856 + (current->personality & ADDR_LIMIT_32BIT ? 0x80000000 : 0x00120000000UL)
64857 +
64858 + #define STACK_TOP_MAX 0x00120000000UL
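Review bot: renaming the arch definition to __STACK_TOP only works if a generic STACK_TOP that wraps it (presumably applying the PaX stack randomisation delta) is visible to every existing user of STACK_TOP; nothing in this hunk shows that definition, so the reviewer has to find it to confirm the rename does not leave STACK_TOP undefined on any architecture. STACK_TOP_MAX correctly keeps the unrandomised value, which is the right upper bound for stack limits. The same rename repeats for arm, avr32, ia64, mips, parisc and powerpc below.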
64859 +diff -urNp linux-2.6.24.5/include/asm-alpha/elf.h linux-2.6.24.5/include/asm-alpha/elf.h
64860 +--- linux-2.6.24.5/include/asm-alpha/elf.h 2008-03-24 14:49:18.000000000 -0400
64861 ++++ linux-2.6.24.5/include/asm-alpha/elf.h 2008-03-26 20:21:09.000000000 -0400
64862 +@@ -91,6 +91,13 @@ typedef elf_fpreg_t elf_fpregset_t[ELF_N
64863 +
64864 + #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE + 0x1000000)
64865 +
64866 ++#ifdef CONFIG_PAX_ASLR
64867 ++#define PAX_ELF_ET_DYN_BASE (current->personality & ADDR_LIMIT_32BIT ? 0x10000 : 0x120000000UL)
64868 ++
64869 ++#define PAX_DELTA_MMAP_LEN (current->personality & ADDR_LIMIT_32BIT ? 14 : 28)
64870 ++#define PAX_DELTA_STACK_LEN (current->personality & ADDR_LIMIT_32BIT ? 14 : 19)
64871 ++#endif
64872 ++
64873 + /* $0 is set by ld.so to a pointer to a function which might be
64874 + registered using atexit. This provides a mean for the dynamic
64875 + linker to call DT_FINI functions for shared libraries that have
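Review bot: PAX_DELTA_MMAP_LEN and PAX_DELTA_STACK_LEN are introduced without any comment stating their unit, and the values (14 vs 28 for mmap, 14 vs 19 for stack, selected by ADDR_LIMIT_32BIT) are not obviously derivable from the address-space size; a short comment saying these are bit counts for the random offset (and at what granularity they apply) and how the per-personality figures were chosen would let someone verify the entropy actually delivered on alpha instead of taking the numbers on trust. The same omission applies to the arm, avr32, ia64, mips, parisc and powerpc elf.h hunks.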
64876 +diff -urNp linux-2.6.24.5/include/asm-alpha/kmap_types.h linux-2.6.24.5/include/asm-alpha/kmap_types.h
64877 +--- linux-2.6.24.5/include/asm-alpha/kmap_types.h 2008-03-24 14:49:18.000000000 -0400
64878 ++++ linux-2.6.24.5/include/asm-alpha/kmap_types.h 2008-03-26 20:21:09.000000000 -0400
64879 +@@ -24,7 +24,8 @@ D(9) KM_IRQ0,
64880 + D(10) KM_IRQ1,
64881 + D(11) KM_SOFTIRQ0,
64882 + D(12) KM_SOFTIRQ1,
64883 +-D(13) KM_TYPE_NR
64884 ++D(13) KM_CLEARPAGE,
64885 ++D(14) KM_TYPE_NR
64886 + };
64887 +
64888 + #undef D
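Review bot: KM_CLEARPAGE is inserted into every architecture's km_type enum (here via the D() numbering, which is correctly renumbered so KM_TYPE_NR stays last), but no hunk visible here shows the code that uses the new slot or explains why page clearing needs its own atomic kmap type instead of an existing KM_USER slot; a comment at the first use, or in the generic header, would justify growing KM_TYPE_NR on every architecture, including ones that will never exercise the new slot.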
64889 +diff -urNp linux-2.6.24.5/include/asm-alpha/pgtable.h linux-2.6.24.5/include/asm-alpha/pgtable.h
64890 +--- linux-2.6.24.5/include/asm-alpha/pgtable.h 2008-03-24 14:49:18.000000000 -0400
64891 ++++ linux-2.6.24.5/include/asm-alpha/pgtable.h 2008-03-26 20:21:09.000000000 -0400
64892 +@@ -101,6 +101,17 @@ struct vm_area_struct;
64893 + #define PAGE_SHARED __pgprot(_PAGE_VALID | __ACCESS_BITS)
64894 + #define PAGE_COPY __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW)
64895 + #define PAGE_READONLY __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW)
64896 ++
64897 ++#ifdef CONFIG_PAX_PAGEEXEC
64898 ++# define PAGE_SHARED_NOEXEC __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOE)
64899 ++# define PAGE_COPY_NOEXEC __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW | _PAGE_FOE)
64900 ++# define PAGE_READONLY_NOEXEC __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW | _PAGE_FOE)
64901 ++#else
64902 ++# define PAGE_SHARED_NOEXEC PAGE_SHARED
64903 ++# define PAGE_COPY_NOEXEC PAGE_COPY
64904 ++# define PAGE_READONLY_NOEXEC PAGE_READONLY
64905 ++#endif
64906 ++
64907 + #define PAGE_KERNEL __pgprot(_PAGE_VALID | _PAGE_ASM | _PAGE_KRE | _PAGE_KWE)
64908 +
64909 + #define _PAGE_NORMAL(x) __pgprot(_PAGE_VALID | __ACCESS_BITS | (x))
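Review bot: in the #else branch the _NOEXEC protections are aliased to their executable counterparts (PAGE_SHARED_NOEXEC to PAGE_SHARED and so on), so on a kernel built without CONFIG_PAX_PAGEEXEC a mapping requested as non-executable is silently executable; that is the intended no-op fallback, but the name then promises something the build does not deliver, and a comment on the #else saying the fallback deliberately drops the no-exec request would stop a reader from assuming hardware enforcement. The ia64 and parisc pgtable.h hunks use the same structure.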
64910 +diff -urNp linux-2.6.24.5/include/asm-arm/a.out.h linux-2.6.24.5/include/asm-arm/a.out.h
64911 +--- linux-2.6.24.5/include/asm-arm/a.out.h 2008-03-24 14:49:18.000000000 -0400
64912 ++++ linux-2.6.24.5/include/asm-arm/a.out.h 2008-03-26 20:21:09.000000000 -0400
64913 +@@ -28,7 +28,7 @@ struct exec
64914 + #define M_ARM 103
64915 +
64916 + #ifdef __KERNEL__
64917 +-#define STACK_TOP ((current->personality == PER_LINUX_32BIT) ? \
64918 ++#define __STACK_TOP ((current->personality == PER_LINUX_32BIT) ? \
64919 + TASK_SIZE : TASK_SIZE_26)
64920 + #define STACK_TOP_MAX TASK_SIZE
64921 + #endif
64922 +diff -urNp linux-2.6.24.5/include/asm-arm/elf.h linux-2.6.24.5/include/asm-arm/elf.h
64923 +--- linux-2.6.24.5/include/asm-arm/elf.h 2008-03-24 14:49:18.000000000 -0400
64924 ++++ linux-2.6.24.5/include/asm-arm/elf.h 2008-03-26 20:21:09.000000000 -0400
64925 +@@ -88,7 +88,14 @@ extern char elf_platform[];
64926 + the loader. We need to make sure that it is out of the way of the program
64927 + that it will "exec", and that there is sufficient room for the brk. */
64928 +
64929 +-#define ELF_ET_DYN_BASE (2 * TASK_SIZE / 3)
64930 ++#define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
64931 ++
64932 ++#ifdef CONFIG_PAX_ASLR
64933 ++#define PAX_ELF_ET_DYN_BASE 0x00008000UL
64934 ++
64935 ++#define PAX_DELTA_MMAP_LEN ((current->personality == PER_LINUX_32BIT) ? 16 : 10)
64936 ++#define PAX_DELTA_STACK_LEN ((current->personality == PER_LINUX_32BIT) ? 16 : 10)
64937 ++#endif
64938 +
64939 + /* When the program starts, a1 contains a pointer to a function to be
64940 + registered with atexit, as per the SVR4 ABI. A value of 0 means we
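Review bot: the rewrite of ELF_ET_DYN_BASE from "(2 * TASK_SIZE / 3)" to "(TASK_SIZE / 3 * 2)" is a behavioural change hidden inside a PaX addition: for a 32-bit TASK_SIZE above 0x80000000 the old "2 * TASK_SIZE" wraps around and yields a base far too low, while the new form does not overflow (the new value is no longer guaranteed to be page-aligned, which the ELF loader tolerates by rounding the load bias, but that deserves a comment). This fix is independent of CONFIG_PAX_ASLR and would be better as its own hunk with a one-line justification; the avr32 elf.h hunk below carries the identical reorder.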
64941 +diff -urNp linux-2.6.24.5/include/asm-arm/kmap_types.h linux-2.6.24.5/include/asm-arm/kmap_types.h
64942 +--- linux-2.6.24.5/include/asm-arm/kmap_types.h 2008-03-24 14:49:18.000000000 -0400
64943 ++++ linux-2.6.24.5/include/asm-arm/kmap_types.h 2008-03-26 20:21:09.000000000 -0400
64944 +@@ -18,6 +18,7 @@ enum km_type {
64945 + KM_IRQ1,
64946 + KM_SOFTIRQ0,
64947 + KM_SOFTIRQ1,
64948 ++ KM_CLEARPAGE,
64949 + KM_TYPE_NR
64950 + };
64951 +
64952 +diff -urNp linux-2.6.24.5/include/asm-avr32/a.out.h linux-2.6.24.5/include/asm-avr32/a.out.h
64953 +--- linux-2.6.24.5/include/asm-avr32/a.out.h 2008-03-24 14:49:18.000000000 -0400
64954 ++++ linux-2.6.24.5/include/asm-avr32/a.out.h 2008-03-26 20:21:09.000000000 -0400
64955 +@@ -19,8 +19,8 @@ struct exec
64956 +
64957 + #ifdef __KERNEL__
64958 +
64959 +-#define STACK_TOP TASK_SIZE
64960 +-#define STACK_TOP_MAX STACK_TOP
64961 ++#define __STACK_TOP TASK_SIZE
64962 ++#define STACK_TOP_MAX __STACK_TOP
64963 +
64964 + #endif
64965 +
64966 +diff -urNp linux-2.6.24.5/include/asm-avr32/elf.h linux-2.6.24.5/include/asm-avr32/elf.h
64967 +--- linux-2.6.24.5/include/asm-avr32/elf.h 2008-03-24 14:49:18.000000000 -0400
64968 ++++ linux-2.6.24.5/include/asm-avr32/elf.h 2008-03-26 20:21:09.000000000 -0400
64969 +@@ -85,8 +85,14 @@ typedef struct user_fpu_struct elf_fpreg
64970 + the loader. We need to make sure that it is out of the way of the program
64971 + that it will "exec", and that there is sufficient room for the brk. */
64972 +
64973 +-#define ELF_ET_DYN_BASE (2 * TASK_SIZE / 3)
64974 ++#define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
64975 +
64976 ++#ifdef CONFIG_PAX_ASLR
64977 ++#define PAX_ELF_ET_DYN_BASE 0x00001000UL
64978 ++
64979 ++#define PAX_DELTA_MMAP_LEN 15
64980 ++#define PAX_DELTA_STACK_LEN 15
64981 ++#endif
64982 +
64983 + /* This yields a mask that user programs can use to figure out what
64984 + instruction set this CPU supports. This could be done in user space,
64985 +diff -urNp linux-2.6.24.5/include/asm-avr32/kmap_types.h linux-2.6.24.5/include/asm-avr32/kmap_types.h
64986 +--- linux-2.6.24.5/include/asm-avr32/kmap_types.h 2008-03-24 14:49:18.000000000 -0400
64987 ++++ linux-2.6.24.5/include/asm-avr32/kmap_types.h 2008-03-26 20:21:09.000000000 -0400
64988 +@@ -22,7 +22,8 @@ D(10) KM_IRQ0,
64989 + D(11) KM_IRQ1,
64990 + D(12) KM_SOFTIRQ0,
64991 + D(13) KM_SOFTIRQ1,
64992 +-D(14) KM_TYPE_NR
64993 ++D(14) KM_CLEARPAGE,
64994 ++D(15) KM_TYPE_NR
64995 + };
64996 +
64997 + #undef D
64998 +diff -urNp linux-2.6.24.5/include/asm-blackfin/kmap_types.h linux-2.6.24.5/include/asm-blackfin/kmap_types.h
64999 +--- linux-2.6.24.5/include/asm-blackfin/kmap_types.h 2008-03-24 14:49:18.000000000 -0400
65000 ++++ linux-2.6.24.5/include/asm-blackfin/kmap_types.h 2008-03-26 20:21:09.000000000 -0400
65001 +@@ -15,6 +15,7 @@ enum km_type {
65002 + KM_IRQ1,
65003 + KM_SOFTIRQ0,
65004 + KM_SOFTIRQ1,
65005 ++ KM_CLEARPAGE,
65006 + KM_TYPE_NR
65007 + };
65008 +
65009 +diff -urNp linux-2.6.24.5/include/asm-cris/kmap_types.h linux-2.6.24.5/include/asm-cris/kmap_types.h
65010 +--- linux-2.6.24.5/include/asm-cris/kmap_types.h 2008-03-24 14:49:18.000000000 -0400
65011 ++++ linux-2.6.24.5/include/asm-cris/kmap_types.h 2008-03-26 20:21:09.000000000 -0400
65012 +@@ -19,6 +19,7 @@ enum km_type {
65013 + KM_IRQ1,
65014 + KM_SOFTIRQ0,
65015 + KM_SOFTIRQ1,
65016 ++ KM_CLEARPAGE,
65017 + KM_TYPE_NR
65018 + };
65019 +
65020 +diff -urNp linux-2.6.24.5/include/asm-frv/kmap_types.h linux-2.6.24.5/include/asm-frv/kmap_types.h
65021 +--- linux-2.6.24.5/include/asm-frv/kmap_types.h 2008-03-24 14:49:18.000000000 -0400
65022 ++++ linux-2.6.24.5/include/asm-frv/kmap_types.h 2008-03-26 20:21:09.000000000 -0400
65023 +@@ -23,6 +23,7 @@ enum km_type {
65024 + KM_IRQ1,
65025 + KM_SOFTIRQ0,
65026 + KM_SOFTIRQ1,
65027 ++ KM_CLEARPAGE,
65028 + KM_TYPE_NR
65029 + };
65030 +
65031 +diff -urNp linux-2.6.24.5/include/asm-generic/futex.h linux-2.6.24.5/include/asm-generic/futex.h
65032 +--- linux-2.6.24.5/include/asm-generic/futex.h 2008-03-24 14:49:18.000000000 -0400
65033 ++++ linux-2.6.24.5/include/asm-generic/futex.h 2008-03-26 20:21:09.000000000 -0400
65034 +@@ -8,7 +8,7 @@
65035 + #include <asm/uaccess.h>
65036 +
65037 + static inline int
65038 +-futex_atomic_op_inuser (int encoded_op, int __user *uaddr)
65039 ++futex_atomic_op_inuser (int encoded_op, u32 __user *uaddr)
65040 + {
65041 + int op = (encoded_op >> 28) & 7;
65042 + int cmp = (encoded_op >> 24) & 15;
65043 +@@ -50,7 +50,7 @@ futex_atomic_op_inuser (int encoded_op,
65044 + }
65045 +
65046 + static inline int
65047 +-futex_atomic_cmpxchg_inatomic(int __user *uaddr, int oldval, int newval)
65048 ++futex_atomic_cmpxchg_inatomic(u32 __user *uaddr, int oldval, int newval)
65049 + {
65050 + return -ENOSYS;
65051 + }
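Review bot: both prototypes change "uaddr" from "int __user *" to "u32 __user *" while "oldval" and "newval" in futex_atomic_cmpxchg_inatomic stay "int", so the compare-and-store contract now mixes a signed value with an unsigned location; the asm-generic bodies here only return -ENOSYS, so it is harmless locally, but the signature must agree with the callers in kernel/futex.c and with every per-arch asm/futex.h, and "oldval"/"newval" should become u32 as well for consistency.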
65052 +diff -urNp linux-2.6.24.5/include/asm-generic/vmlinux.lds.h linux-2.6.24.5/include/asm-generic/vmlinux.lds.h
65053 +--- linux-2.6.24.5/include/asm-generic/vmlinux.lds.h 2008-03-24 14:49:18.000000000 -0400
65054 ++++ linux-2.6.24.5/include/asm-generic/vmlinux.lds.h 2008-03-26 20:21:09.000000000 -0400
65055 +@@ -23,6 +23,7 @@
65056 + .rodata : AT(ADDR(.rodata) - LOAD_OFFSET) { \
65057 + VMLINUX_SYMBOL(__start_rodata) = .; \
65058 + *(.rodata) *(.rodata.*) \
65059 ++ *(.data.read_only) \
65060 + *(__vermagic) /* Kernel version magic */ \
65061 + *(__markers_strings) /* Markers: strings */ \
65062 + } \
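Review bot: routing "*(.data.read_only)" into the .rodata output section means anything placed there by the (not shown) attribute macro inherits .rodata's write protection on architectures that enforce it; this hunk should travel with that macro's definition and with a note that annotated objects must be fully initialised at compile time or written only before the protection is applied, otherwise the first late write becomes a kernel page fault instead of a silent success.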
65063 +diff -urNp linux-2.6.24.5/include/asm-h8300/kmap_types.h linux-2.6.24.5/include/asm-h8300/kmap_types.h
65064 +--- linux-2.6.24.5/include/asm-h8300/kmap_types.h 2008-03-24 14:49:18.000000000 -0400
65065 ++++ linux-2.6.24.5/include/asm-h8300/kmap_types.h 2008-03-26 20:21:09.000000000 -0400
65066 +@@ -15,6 +15,7 @@ enum km_type {
65067 + KM_IRQ1,
65068 + KM_SOFTIRQ0,
65069 + KM_SOFTIRQ1,
65070 ++ KM_CLEARPAGE,
65071 + KM_TYPE_NR
65072 + };
65073 +
65074 +diff -urNp linux-2.6.24.5/include/asm-ia64/elf.h linux-2.6.24.5/include/asm-ia64/elf.h
65075 +--- linux-2.6.24.5/include/asm-ia64/elf.h 2008-03-24 14:49:18.000000000 -0400
65076 ++++ linux-2.6.24.5/include/asm-ia64/elf.h 2008-03-26 20:21:09.000000000 -0400
65077 +@@ -162,7 +162,12 @@ typedef elf_greg_t elf_gregset_t[ELF_NGR
65078 + typedef struct ia64_fpreg elf_fpreg_t;
65079 + typedef elf_fpreg_t elf_fpregset_t[ELF_NFPREG];
65080 +
65081 ++#ifdef CONFIG_PAX_ASLR
65082 ++#define PAX_ELF_ET_DYN_BASE (current->personality == PER_LINUX32 ? 0x08048000UL : 0x4000000000000000UL)
65083 +
65084 ++#define PAX_DELTA_MMAP_LEN (current->personality == PER_LINUX32 ? 16 : 3*PAGE_SHIFT - 13)
65085 ++#define PAX_DELTA_STACK_LEN (current->personality == PER_LINUX32 ? 16 : 3*PAGE_SHIFT - 13)
65086 ++#endif
65087 +
65088 + struct pt_regs; /* forward declaration... */
65089 + extern void ia64_elf_core_copy_regs (struct pt_regs *src, elf_gregset_t dst);
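Review bot: "3*PAGE_SHIFT - 13" for the 64-bit PAX_DELTA_MMAP_LEN and PAX_DELTA_STACK_LEN values has no comment; with ia64's selectable page size (4 KiB to 64 KiB, PAGE_SHIFT 12 to 16) it spans 23 to 35 bits, and a reader cannot tell whether that scaling with page size is intended or whether the 32-bit branch's fixed 16 is meant as a floor. State the derivation. Also, the inserted block straddles an existing blank context line between PAX_ELF_ET_DYN_BASE and PAX_DELTA_MMAP_LEN, so the #ifdef body is not visually contiguous; moving the blank outside the #ifdef would read better.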
65090 +diff -urNp linux-2.6.24.5/include/asm-ia64/kmap_types.h linux-2.6.24.5/include/asm-ia64/kmap_types.h
65091 +--- linux-2.6.24.5/include/asm-ia64/kmap_types.h 2008-03-24 14:49:18.000000000 -0400
65092 ++++ linux-2.6.24.5/include/asm-ia64/kmap_types.h 2008-03-26 20:21:09.000000000 -0400
65093 +@@ -22,7 +22,8 @@ D(9) KM_IRQ0,
65094 + D(10) KM_IRQ1,
65095 + D(11) KM_SOFTIRQ0,
65096 + D(12) KM_SOFTIRQ1,
65097 +-D(13) KM_TYPE_NR
65098 ++D(13) KM_CLEARPAGE,
65099 ++D(14) KM_TYPE_NR
65100 + };
65101 +
65102 + #undef D
65103 +diff -urNp linux-2.6.24.5/include/asm-ia64/pgtable.h linux-2.6.24.5/include/asm-ia64/pgtable.h
65104 +--- linux-2.6.24.5/include/asm-ia64/pgtable.h 2008-03-24 14:49:18.000000000 -0400
65105 ++++ linux-2.6.24.5/include/asm-ia64/pgtable.h 2008-03-26 20:21:09.000000000 -0400
65106 +@@ -143,6 +143,17 @@
65107 + #define PAGE_READONLY __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
65108 + #define PAGE_COPY __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
65109 + #define PAGE_COPY_EXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_RX)
65110 ++
65111 ++#ifdef CONFIG_PAX_PAGEEXEC
65112 ++# define PAGE_SHARED_NOEXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_RW)
65113 ++# define PAGE_READONLY_NOEXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
65114 ++# define PAGE_COPY_NOEXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
65115 ++#else
65116 ++# define PAGE_SHARED_NOEXEC PAGE_SHARED
65117 ++# define PAGE_READONLY_NOEXEC PAGE_READONLY
65118 ++# define PAGE_COPY_NOEXEC PAGE_COPY
65119 ++#endif
65120 ++
65121 + #define PAGE_GATE __pgprot(__ACCESS_BITS | _PAGE_PL_0 | _PAGE_AR_X_RX)
65122 + #define PAGE_KERNEL __pgprot(__DIRTY_BITS | _PAGE_PL_0 | _PAGE_AR_RWX)
65123 + #define PAGE_KERNELRX __pgprot(__ACCESS_BITS | _PAGE_PL_0 | _PAGE_AR_RX)
65124 +diff -urNp linux-2.6.24.5/include/asm-ia64/processor.h linux-2.6.24.5/include/asm-ia64/processor.h
65125 +--- linux-2.6.24.5/include/asm-ia64/processor.h 2008-03-24 14:49:18.000000000 -0400
65126 ++++ linux-2.6.24.5/include/asm-ia64/processor.h 2008-03-26 20:21:09.000000000 -0400
65127 +@@ -275,7 +275,7 @@ struct thread_struct {
65128 + .on_ustack = 0, \
65129 + .ksp = 0, \
65130 + .map_base = DEFAULT_MAP_BASE, \
65131 +- .rbs_bot = STACK_TOP - DEFAULT_USER_STACK_SIZE, \
65132 ++ .rbs_bot = __STACK_TOP - DEFAULT_USER_STACK_SIZE, \
65133 + .task_size = DEFAULT_TASK_SIZE, \
65134 + .last_fph_cpu = -1, \
65135 + INIT_THREAD_IA32 \
65136 +diff -urNp linux-2.6.24.5/include/asm-ia64/ustack.h linux-2.6.24.5/include/asm-ia64/ustack.h
65137 +--- linux-2.6.24.5/include/asm-ia64/ustack.h 2008-03-24 14:49:18.000000000 -0400
65138 ++++ linux-2.6.24.5/include/asm-ia64/ustack.h 2008-03-26 20:21:09.000000000 -0400
65139 +@@ -10,8 +10,8 @@
65140 +
65141 + /* The absolute hard limit for stack size is 1/2 of the mappable space in the region */
65142 + #define MAX_USER_STACK_SIZE (RGN_MAP_LIMIT/2)
65143 +-#define STACK_TOP (0x6000000000000000UL + RGN_MAP_LIMIT)
65144 +-#define STACK_TOP_MAX STACK_TOP
65145 ++#define __STACK_TOP (0x6000000000000000UL + RGN_MAP_LIMIT)
65146 ++#define STACK_TOP_MAX __STACK_TOP
65147 + #endif
65148 +
65149 + /* Make a default stack size of 2GiB */
65150 +diff -urNp linux-2.6.24.5/include/asm-m32r/kmap_types.h linux-2.6.24.5/include/asm-m32r/kmap_types.h
65151 +--- linux-2.6.24.5/include/asm-m32r/kmap_types.h 2008-03-24 14:49:18.000000000 -0400
65152 ++++ linux-2.6.24.5/include/asm-m32r/kmap_types.h 2008-03-26 20:21:09.000000000 -0400
65153 +@@ -21,7 +21,8 @@ D(9) KM_IRQ0,
65154 + D(10) KM_IRQ1,
65155 + D(11) KM_SOFTIRQ0,
65156 + D(12) KM_SOFTIRQ1,
65157 +-D(13) KM_TYPE_NR
65158 ++D(13) KM_CLEARPAGE,
65159 ++D(14) KM_TYPE_NR
65160 + };
65161 +
65162 + #undef D
65163 +diff -urNp linux-2.6.24.5/include/asm-m68k/kmap_types.h linux-2.6.24.5/include/asm-m68k/kmap_types.h
65164 +--- linux-2.6.24.5/include/asm-m68k/kmap_types.h 2008-03-24 14:49:18.000000000 -0400
65165 ++++ linux-2.6.24.5/include/asm-m68k/kmap_types.h 2008-03-26 20:21:09.000000000 -0400
65166 +@@ -15,6 +15,7 @@ enum km_type {
65167 + KM_IRQ1,
65168 + KM_SOFTIRQ0,
65169 + KM_SOFTIRQ1,
65170 ++ KM_CLEARPAGE,
65171 + KM_TYPE_NR
65172 + };
65173 +
65174 +diff -urNp linux-2.6.24.5/include/asm-m68knommu/kmap_types.h linux-2.6.24.5/include/asm-m68knommu/kmap_types.h
65175 +--- linux-2.6.24.5/include/asm-m68knommu/kmap_types.h 2008-03-24 14:49:18.000000000 -0400
65176 ++++ linux-2.6.24.5/include/asm-m68knommu/kmap_types.h 2008-03-26 20:21:09.000000000 -0400
65177 +@@ -15,6 +15,7 @@ enum km_type {
65178 + KM_IRQ1,
65179 + KM_SOFTIRQ0,
65180 + KM_SOFTIRQ1,
65181 ++ KM_CLEARPAGE,
65182 + KM_TYPE_NR
65183 + };
65184 +
65185 +diff -urNp linux-2.6.24.5/include/asm-mips/a.out.h linux-2.6.24.5/include/asm-mips/a.out.h
65186 +--- linux-2.6.24.5/include/asm-mips/a.out.h 2008-03-24 14:49:18.000000000 -0400
65187 ++++ linux-2.6.24.5/include/asm-mips/a.out.h 2008-03-26 20:21:09.000000000 -0400
65188 +@@ -35,10 +35,10 @@ struct exec
65189 + #ifdef __KERNEL__
65190 +
65191 + #ifdef CONFIG_32BIT
65192 +-#define STACK_TOP TASK_SIZE
65193 ++#define __STACK_TOP TASK_SIZE
65194 + #endif
65195 + #ifdef CONFIG_64BIT
65196 +-#define STACK_TOP \
65197 ++#define __STACK_TOP \
65198 + (test_thread_flag(TIF_32BIT_ADDR) ? TASK_SIZE32 : TASK_SIZE)
65199 + #endif
65200 + #define STACK_TOP_MAX TASK_SIZE
65201 +diff -urNp linux-2.6.24.5/include/asm-mips/elf.h linux-2.6.24.5/include/asm-mips/elf.h
65202 +--- linux-2.6.24.5/include/asm-mips/elf.h 2008-03-24 14:49:18.000000000 -0400
65203 ++++ linux-2.6.24.5/include/asm-mips/elf.h 2008-03-26 20:21:09.000000000 -0400
65204 +@@ -372,4 +372,11 @@ extern int dump_task_fpu(struct task_str
65205 + #define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
65206 + #endif
65207 +
65208 ++#ifdef CONFIG_PAX_ASLR
65209 ++#define PAX_ELF_ET_DYN_BASE ((current->thread.mflags & MF_32BIT_ADDR) ? 0x00400000UL : 0x00400000UL)
65210 ++
65211 ++#define PAX_DELTA_MMAP_LEN ((current->thread.mflags & MF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
65212 ++#define PAX_DELTA_STACK_LEN ((current->thread.mflags & MF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
65213 ++#endif
65214 ++
65215 + #endif /* _ASM_ELF_H */
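Review bot: the PAX_ELF_ET_DYN_BASE ternary "(current->thread.mflags & MF_32BIT_ADDR) ? 0x00400000UL : 0x00400000UL" has identical arms, so either the 64-bit base was meant to differ and this is a typo, or the condition should be dropped; as written it reads like an unfinished edit. The PAX_DELTA_*_LEN lines ("27-PAGE_SHIFT : 36-PAGE_SHIFT") are fine but, as on the other architectures, need a comment on the unit.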
65216 +diff -urNp linux-2.6.24.5/include/asm-mips/kmap_types.h linux-2.6.24.5/include/asm-mips/kmap_types.h
65217 +--- linux-2.6.24.5/include/asm-mips/kmap_types.h 2008-03-24 14:49:18.000000000 -0400
65218 ++++ linux-2.6.24.5/include/asm-mips/kmap_types.h 2008-03-26 20:21:09.000000000 -0400
65219 +@@ -22,7 +22,8 @@ D(9) KM_IRQ0,
65220 + D(10) KM_IRQ1,
65221 + D(11) KM_SOFTIRQ0,
65222 + D(12) KM_SOFTIRQ1,
65223 +-D(13) KM_TYPE_NR
65224 ++D(13) KM_CLEARPAGE,
65225 ++D(14) KM_TYPE_NR
65226 + };
65227 +
65228 + #undef D
65229 +diff -urNp linux-2.6.24.5/include/asm-mips/page.h linux-2.6.24.5/include/asm-mips/page.h
65230 +--- linux-2.6.24.5/include/asm-mips/page.h 2008-03-24 14:49:18.000000000 -0400
65231 ++++ linux-2.6.24.5/include/asm-mips/page.h 2008-03-26 20:21:09.000000000 -0400
65232 +@@ -82,7 +82,7 @@ extern void copy_user_highpage(struct pa
65233 + #ifdef CONFIG_CPU_MIPS32
65234 + typedef struct { unsigned long pte_low, pte_high; } pte_t;
65235 + #define pte_val(x) ((x).pte_low | ((unsigned long long)(x).pte_high << 32))
65236 +- #define __pte(x) ({ pte_t __pte = {(x), ((unsigned long long)(x)) >> 32}; __pte; })
65237 ++ #define __pte(x) ({ pte_t __pte = {(x), (x) >> 32}; __pte; })
65238 + #else
65239 + typedef struct { unsigned long long pte; } pte_t;
65240 + #define pte_val(x) ((x).pte)
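Review bot: removing the "(unsigned long long)" cast in "__pte(x)" makes "(x) >> 32" undefined behaviour whenever a caller passes a 32-bit "unsigned long" (shift count equal to the type width), and on CONFIG_CPU_MIPS32 pte_low and pte_high are exactly that type; if the change is deliberate because every caller now passes a 64-bit value (as pte_val() returns), say so in a comment, otherwise keep the cast, since the compiler will at best warn and at worst produce a wrong pte_high.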
65241 +diff -urNp linux-2.6.24.5/include/asm-mips/system.h linux-2.6.24.5/include/asm-mips/system.h
65242 +--- linux-2.6.24.5/include/asm-mips/system.h 2008-03-24 14:49:18.000000000 -0400
65243 ++++ linux-2.6.24.5/include/asm-mips/system.h 2008-03-26 20:21:09.000000000 -0400
65244 +@@ -215,6 +215,6 @@ extern void per_cpu_trap_init(void);
65245 + */
65246 + #define __ARCH_WANT_UNLOCKED_CTXSW
65247 +
65248 +-extern unsigned long arch_align_stack(unsigned long sp);
65249 ++#define arch_align_stack(x) (x)
65250 +
65251 + #endif /* _ASM_SYSTEM_H */
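Review bot: replacing "extern unsigned long arch_align_stack(unsigned long sp);" with the identity macro "#define arch_align_stack(x) (x)" discards whatever the MIPS implementation did to the initial stack pointer (in mainline that hook is where the per-process stack-pointer randomisation lives), and it does so unconditionally rather than only under CONFIG_PAX_ASLR; the out-of-line definition in arch/mips should be removed in the same patch to avoid an unused function, and the change log should state that PaX's own stack randomisation supersedes it, if that is the reason.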
65252 +diff -urNp linux-2.6.24.5/include/asm-parisc/a.out.h linux-2.6.24.5/include/asm-parisc/a.out.h
65253 +--- linux-2.6.24.5/include/asm-parisc/a.out.h 2008-03-24 14:49:18.000000000 -0400
65254 ++++ linux-2.6.24.5/include/asm-parisc/a.out.h 2008-03-26 20:21:09.000000000 -0400
65255 +@@ -22,7 +22,7 @@ struct exec
65256 + /* XXX: STACK_TOP actually should be STACK_BOTTOM for parisc.
65257 + * prumpf */
65258 +
65259 +-#define STACK_TOP TASK_SIZE
65260 ++#define __STACK_TOP TASK_SIZE
65261 + #define STACK_TOP_MAX DEFAULT_TASK_SIZE
65262 +
65263 + #endif
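Review bot: the retained "XXX: STACK_TOP actually should be STACK_BOTTOM for parisc" comment bears directly on this rename: the parisc user stack grows upward, so a generic STACK_TOP wrapper that subtracts a random delta from __STACK_TOP (as it presumably does on the other architectures) would shrink the wrong end of the region; confirm the wrapper handles the upward-growing case or exclude parisc from the delta, and record which next to the XXX.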
65264 +diff -urNp linux-2.6.24.5/include/asm-parisc/elf.h linux-2.6.24.5/include/asm-parisc/elf.h
65265 +--- linux-2.6.24.5/include/asm-parisc/elf.h 2008-03-24 14:49:18.000000000 -0400
65266 ++++ linux-2.6.24.5/include/asm-parisc/elf.h 2008-03-26 20:21:09.000000000 -0400
65267 +@@ -337,6 +337,13 @@ struct pt_regs; /* forward declaration..
65268 +
65269 + #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE + 0x01000000)
65270 +
65271 ++#ifdef CONFIG_PAX_ASLR
65272 ++#define PAX_ELF_ET_DYN_BASE 0x10000UL
65273 ++
65274 ++#define PAX_DELTA_MMAP_LEN 16
65275 ++#define PAX_DELTA_STACK_LEN 16
65276 ++#endif
65277 ++
65278 + /* This yields a mask that user programs can use to figure out what
65279 + instruction set this CPU supports. This could be done in user space,
65280 + but it's not easy, and we've already done it here. */
65281 +diff -urNp linux-2.6.24.5/include/asm-parisc/kmap_types.h linux-2.6.24.5/include/asm-parisc/kmap_types.h
65282 +--- linux-2.6.24.5/include/asm-parisc/kmap_types.h 2008-03-24 14:49:18.000000000 -0400
65283 ++++ linux-2.6.24.5/include/asm-parisc/kmap_types.h 2008-03-26 20:21:09.000000000 -0400
65284 +@@ -22,7 +22,8 @@ D(9) KM_IRQ0,
65285 + D(10) KM_IRQ1,
65286 + D(11) KM_SOFTIRQ0,
65287 + D(12) KM_SOFTIRQ1,
65288 +-D(13) KM_TYPE_NR
65289 ++D(13) KM_CLEARPAGE,
65290 ++D(14) KM_TYPE_NR
65291 + };
65292 +
65293 + #undef D
65294 +diff -urNp linux-2.6.24.5/include/asm-parisc/pgtable.h linux-2.6.24.5/include/asm-parisc/pgtable.h
65295 +--- linux-2.6.24.5/include/asm-parisc/pgtable.h 2008-03-24 14:49:18.000000000 -0400
65296 ++++ linux-2.6.24.5/include/asm-parisc/pgtable.h 2008-03-26 20:21:09.000000000 -0400
65297 +@@ -210,6 +210,17 @@ extern void *vmalloc_start;
65298 + #define PAGE_EXECREAD __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_EXEC |_PAGE_ACCESSED)
65299 + #define PAGE_COPY PAGE_EXECREAD
65300 + #define PAGE_RWX __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_WRITE | _PAGE_EXEC |_PAGE_ACCESSED)
65301 ++
65302 ++#ifdef CONFIG_PAX_PAGEEXEC
65303 ++# define PAGE_SHARED_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_WRITE | _PAGE_ACCESSED)
65304 ++# define PAGE_COPY_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_ACCESSED)
65305 ++# define PAGE_READONLY_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_ACCESSED)
65306 ++#else
65307 ++# define PAGE_SHARED_NOEXEC PAGE_SHARED
65308 ++# define PAGE_COPY_NOEXEC PAGE_COPY
65309 ++# define PAGE_READONLY_NOEXEC PAGE_READONLY
65310 ++#endif
65311 ++
65312 + #define PAGE_KERNEL __pgprot(_PAGE_KERNEL)
65313 + #define PAGE_KERNEL_RO __pgprot(_PAGE_KERNEL & ~_PAGE_WRITE)
65314 + #define PAGE_KERNEL_UNC __pgprot(_PAGE_KERNEL | _PAGE_NO_CACHE)
65315 +diff -urNp linux-2.6.24.5/include/asm-powerpc/a.out.h linux-2.6.24.5/include/asm-powerpc/a.out.h
65316 +--- linux-2.6.24.5/include/asm-powerpc/a.out.h 2008-03-24 14:49:18.000000000 -0400
65317 ++++ linux-2.6.24.5/include/asm-powerpc/a.out.h 2008-03-26 20:21:09.000000000 -0400
65318 +@@ -23,15 +23,15 @@ struct exec
65319 + #define STACK_TOP_USER64 TASK_SIZE_USER64
65320 + #define STACK_TOP_USER32 TASK_SIZE_USER32
65321 +
65322 +-#define STACK_TOP (test_thread_flag(TIF_32BIT) ? \
65323 ++#define __STACK_TOP (test_thread_flag(TIF_32BIT) ? \
65324 + STACK_TOP_USER32 : STACK_TOP_USER64)
65325 +
65326 + #define STACK_TOP_MAX STACK_TOP_USER64
65327 +
65328 + #else /* __powerpc64__ */
65329 +
65330 +-#define STACK_TOP TASK_SIZE
65331 +-#define STACK_TOP_MAX STACK_TOP
65332 ++#define __STACK_TOP TASK_SIZE
65333 ++#define STACK_TOP_MAX __STACK_TOP
65334 +
65335 + #endif /* __powerpc64__ */
65336 + #endif /* __KERNEL__ */
65337 +diff -urNp linux-2.6.24.5/include/asm-powerpc/elf.h linux-2.6.24.5/include/asm-powerpc/elf.h
65338 +--- linux-2.6.24.5/include/asm-powerpc/elf.h 2008-03-24 14:49:18.000000000 -0400
65339 ++++ linux-2.6.24.5/include/asm-powerpc/elf.h 2008-03-26 20:21:09.000000000 -0400
65340 +@@ -160,6 +160,18 @@ typedef elf_vrreg_t elf_vrregset_t[ELF_N
65341 + typedef elf_vrreg_t elf_vrregset_t32[ELF_NVRREG32];
65342 + #endif
65343 +
65344 ++#ifdef CONFIG_PAX_ASLR
65345 ++#define PAX_ELF_ET_DYN_BASE (0x10000000UL)
65346 ++
65347 ++#ifdef __powerpc64__
65348 ++#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_32BIT) ? 16 : 28)
65349 ++#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_32BIT) ? 16 : 28)
65350 ++#else
65351 ++#define PAX_DELTA_MMAP_LEN 15
65352 ++#define PAX_DELTA_STACK_LEN 15
65353 ++#endif
65354 ++#endif
65355 ++
65356 + #ifdef __KERNEL__
65357 + /*
65358 + * This is used to ensure we don't load something for the wrong architecture.
65359 +diff -urNp linux-2.6.24.5/include/asm-powerpc/kmap_types.h linux-2.6.24.5/include/asm-powerpc/kmap_types.h
65360 +--- linux-2.6.24.5/include/asm-powerpc/kmap_types.h 2008-03-24 14:49:18.000000000 -0400
65361 ++++ linux-2.6.24.5/include/asm-powerpc/kmap_types.h 2008-03-26 20:21:09.000000000 -0400
65362 +@@ -26,6 +26,7 @@ enum km_type {
65363 + KM_SOFTIRQ1,
65364 + KM_PPC_SYNC_PAGE,
65365 + KM_PPC_SYNC_ICACHE,
65366 ++ KM_CLEARPAGE,
65367 + KM_TYPE_NR
65368 + };
65369 +
65370 +diff -urNp linux-2.6.24.5/include/asm-powerpc/page_64.h linux-2.6.24.5/include/asm-powerpc/page_64.h
65371 +--- linux-2.6.24.5/include/asm-powerpc/page_64.h 2008-03-24 14:49:18.000000000 -0400
65372 ++++ linux-2.6.24.5/include/asm-powerpc/page_64.h 2008-03-26 20:21:09.000000000 -0400
65373 +@@ -171,15 +171,18 @@ do { \
65374 + * stack by default, so in the absense of a PT_GNU_STACK program header
65375 + * we turn execute permission off.
65376 + */
65377 +-#define VM_STACK_DEFAULT_FLAGS32 (VM_READ | VM_WRITE | VM_EXEC | \
65378 +- VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
65379 ++#define VM_STACK_DEFAULT_FLAGS32 \
65380 ++ (((current->personality & READ_IMPLIES_EXEC) ? VM_EXEC : 0 ) | \
65381 ++ VM_READ | VM_WRITE | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
65382 +
65383 + #define VM_STACK_DEFAULT_FLAGS64 (VM_READ | VM_WRITE | \
65384 + VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
65385 +
65386 ++#ifndef CONFIG_PAX_PAGEEXEC
65387 + #define VM_STACK_DEFAULT_FLAGS \
65388 + (test_thread_flag(TIF_32BIT) ? \
65389 + VM_STACK_DEFAULT_FLAGS32 : VM_STACK_DEFAULT_FLAGS64)
65390 ++#endif
65391 +
65392 + #include <asm-generic/page.h>
65393 +
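Review bot: the comment directly above VM_STACK_DEFAULT_FLAGS32 still says that in the absence of a PT_GNU_STACK header "we turn execute permission off", but the new definition grants VM_EXEC only when "current->personality & READ_IMPLIES_EXEC" is set, so the comment (which also misspells "absense") no longer describes the code and should be rewritten. Wrapping VM_STACK_DEFAULT_FLAGS in "#ifndef CONFIG_PAX_PAGEEXEC" also presumes a PAGEEXEC definition elsewhere; nothing in this hunk shows it.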
65394 +diff -urNp linux-2.6.24.5/include/asm-powerpc/page.h linux-2.6.24.5/include/asm-powerpc/page.h
65395 +--- linux-2.6.24.5/include/asm-powerpc/page.h 2008-03-24 14:49:18.000000000 -0400
65396 ++++ linux-2.6.24.5/include/asm-powerpc/page.h 2008-03-26 20:21:09.000000000 -0400
65397 +@@ -71,8 +71,9 @@
65398 + * and needs to be executable. This means the whole heap ends
65399 + * up being executable.
65400 + */
65401 +-#define VM_DATA_DEFAULT_FLAGS32 (VM_READ | VM_WRITE | VM_EXEC | \
65402 +- VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
65403 ++#define VM_DATA_DEFAULT_FLAGS32 \
65404 ++ (((current->personality & READ_IMPLIES_EXEC) ? VM_EXEC : 0 ) | \
65405 ++ VM_READ | VM_WRITE | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
65406 +
65407 + #define VM_DATA_DEFAULT_FLAGS64 (VM_READ | VM_WRITE | \
65408 + VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
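Review bot: the comment kept as context above the new VM_DATA_DEFAULT_FLAGS32 ("This means the whole heap ends up being executable") is now wrong for the common case: VM_EXEC is set only when current->personality has READ_IMPLIES_EXEC, so for binaries carrying a non-executable PT_GNU_STACK the 32-bit data default is no longer executable. Update the comment to say that the data default is executable only under READ_IMPLIES_EXEC, and note that the macro now evaluates `current`, which the old constant expression did not.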
65409 +diff -urNp linux-2.6.24.5/include/asm-ppc/mmu_context.h linux-2.6.24.5/include/asm-ppc/mmu_context.h
65410 +--- linux-2.6.24.5/include/asm-ppc/mmu_context.h 2008-03-24 14:49:18.000000000 -0400
65411 ++++ linux-2.6.24.5/include/asm-ppc/mmu_context.h 2008-03-26 20:21:09.000000000 -0400
65412 +@@ -146,7 +146,8 @@ static inline void get_mmu_context(struc
65413 + static inline int init_new_context(struct task_struct *t, struct mm_struct *mm)
65414 + {
65415 + mm->context.id = NO_CONTEXT;
65416 +- mm->context.vdso_base = 0;
65417 ++ if (t == current)
65418 ++ mm->context.vdso_base = ~0UL;
65419 + return 0;
65420 + }
65421 +
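Review bot: the `if (t == current)` guard in init_new_context() resets vdso_base (to ~0UL) only when the new context belongs to the calling task; for any other task the field keeps whatever the caller left in mm->context, presumably the parent's value copied at fork. That intent (reset on exec, inherit on fork) should be stated in a comment, and the change of sentinel from 0 to ~0UL needs a note too, since any code that tested `vdso_base` against 0 has to be updated and none of it is visible in this hunk.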
65422 +diff -urNp linux-2.6.24.5/include/asm-ppc/pgtable.h linux-2.6.24.5/include/asm-ppc/pgtable.h
65423 +--- linux-2.6.24.5/include/asm-ppc/pgtable.h 2008-03-24 14:49:18.000000000 -0400
65424 ++++ linux-2.6.24.5/include/asm-ppc/pgtable.h 2008-03-26 20:21:09.000000000 -0400
65425 +@@ -440,11 +440,21 @@ extern unsigned long ioremap_bot, iorema
65426 +
65427 + #define PAGE_NONE __pgprot(_PAGE_BASE)
65428 + #define PAGE_READONLY __pgprot(_PAGE_BASE | _PAGE_USER)
65429 +-#define PAGE_READONLY_X __pgprot(_PAGE_BASE | _PAGE_USER | _PAGE_EXEC)
65430 ++#define PAGE_READONLY_X __pgprot(_PAGE_BASE | _PAGE_USER | _PAGE_EXEC | _PAGE_HWEXEC)
65431 + #define PAGE_SHARED __pgprot(_PAGE_BASE | _PAGE_USER | _PAGE_RW)
65432 +-#define PAGE_SHARED_X __pgprot(_PAGE_BASE | _PAGE_USER | _PAGE_RW | _PAGE_EXEC)
65433 ++#define PAGE_SHARED_X __pgprot(_PAGE_BASE | _PAGE_USER | _PAGE_RW | _PAGE_EXEC | _PAGE_HWEXEC)
65434 + #define PAGE_COPY __pgprot(_PAGE_BASE | _PAGE_USER)
65435 +-#define PAGE_COPY_X __pgprot(_PAGE_BASE | _PAGE_USER | _PAGE_EXEC)
65436 ++#define PAGE_COPY_X __pgprot(_PAGE_BASE | _PAGE_USER | _PAGE_EXEC | _PAGE_HWEXEC)
65437 ++
65438 ++#if defined(CONFIG_PAX_PAGEEXEC) && !defined(CONFIG_40x) && !defined(CONFIG_44x)
65439 ++# define PAGE_SHARED_NOEXEC __pgprot(_PAGE_BASE | _PAGE_USER | _PAGE_RW | _PAGE_GUARDED)
65440 ++# define PAGE_COPY_NOEXEC __pgprot(_PAGE_BASE | _PAGE_USER | _PAGE_GUARDED)
65441 ++# define PAGE_READONLY_NOEXEC __pgprot(_PAGE_BASE | _PAGE_USER | _PAGE_GUARDED)
65442 ++#else
65443 ++# define PAGE_SHARED_NOEXEC PAGE_SHARED
65444 ++# define PAGE_COPY_NOEXEC PAGE_COPY
65445 ++# define PAGE_READONLY_NOEXEC PAGE_READONLY
65446 ++#endif
65447 +
65448 + #define PAGE_KERNEL __pgprot(_PAGE_RAM)
65449 + #define PAGE_KERNEL_NOCACHE __pgprot(_PAGE_IO)
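Review bot: the new *_NOEXEC protections rely on _PAGE_GUARDED to deny execution, while the _X variants now carry _PAGE_EXEC | _PAGE_HWEXEC unconditionally; nothing in the hunk says why CONFIG_40x and CONFIG_44x are excluded from the PAGEEXEC definitions or why a guarded page is the right no-execute primitive on the remaining MMUs. Add a short comment above the `#if defined(CONFIG_PAX_PAGEEXEC) && ...` block, and check that _PAGE_HWEXEC has a fallback definition on every ppc configuration that reaches PAGE_READONLY_X, since that line is no longer conditional.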
65450 +@@ -456,21 +466,21 @@ extern unsigned long ioremap_bot, iorema
65451 + * This is the closest we can get..
65452 + */
65453 + #define __P000 PAGE_NONE
65454 +-#define __P001 PAGE_READONLY_X
65455 +-#define __P010 PAGE_COPY
65456 +-#define __P011 PAGE_COPY_X
65457 +-#define __P100 PAGE_READONLY
65458 ++#define __P001 PAGE_READONLY_NOEXEC
65459 ++#define __P010 PAGE_COPY_NOEXEC
65460 ++#define __P011 PAGE_COPY_NOEXEC
65461 ++#define __P100 PAGE_READONLY_X
65462 + #define __P101 PAGE_READONLY_X
65463 +-#define __P110 PAGE_COPY
65464 ++#define __P110 PAGE_COPY_X
65465 + #define __P111 PAGE_COPY_X
65466 +
65467 + #define __S000 PAGE_NONE
65468 +-#define __S001 PAGE_READONLY_X
65469 +-#define __S010 PAGE_SHARED
65470 +-#define __S011 PAGE_SHARED_X
65471 +-#define __S100 PAGE_READONLY
65472 ++#define __S001 PAGE_READONLY_NOEXEC
65473 ++#define __S010 PAGE_SHARED_NOEXEC
65474 ++#define __S011 PAGE_SHARED_NOEXEC
65475 ++#define __S100 PAGE_READONLY_X
65476 + #define __S101 PAGE_READONLY_X
65477 +-#define __S110 PAGE_SHARED
65478 ++#define __S110 PAGE_SHARED_X
65479 + #define __S111 PAGE_SHARED_X
65480 +
65481 + #ifndef __ASSEMBLY__
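Review bot: this hunk changes behaviour even with CONFIG_PAX_PAGEEXEC off. __P001/__S001 used to be PAGE_READONLY_X; they now map to PAGE_READONLY_NOEXEC, which in the `#else` branch of the previous hunk is plain PAGE_READONLY, i.e. without _PAGE_EXEC (and the same holds unconditionally on 40x/44x, which are excluded from the PAGEEXEC definitions). Conversely __P100/__S100 and __P110/__S110 gain _PAGE_EXEC they did not have. If the intent is to move ppc32 to the standard VM_EXEC-driven protection map and let READ_IMPLIES_EXEC cover legacy binaries, say so in the commit message; otherwise the non-PAGEEXEC fallbacks should be the _X variants.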
65482 +diff -urNp linux-2.6.24.5/include/asm-s390/kmap_types.h linux-2.6.24.5/include/asm-s390/kmap_types.h
65483 +--- linux-2.6.24.5/include/asm-s390/kmap_types.h 2008-03-24 14:49:18.000000000 -0400
65484 ++++ linux-2.6.24.5/include/asm-s390/kmap_types.h 2008-03-26 20:21:09.000000000 -0400
65485 +@@ -16,6 +16,7 @@ enum km_type {
65486 + KM_IRQ1,
65487 + KM_SOFTIRQ0,
65488 + KM_SOFTIRQ1,
65489 ++ KM_CLEARPAGE,
65490 + KM_TYPE_NR
65491 + };
65492 +
65493 +diff -urNp linux-2.6.24.5/include/asm-sh/kmap_types.h linux-2.6.24.5/include/asm-sh/kmap_types.h
65494 +--- linux-2.6.24.5/include/asm-sh/kmap_types.h 2008-03-24 14:49:18.000000000 -0400
65495 ++++ linux-2.6.24.5/include/asm-sh/kmap_types.h 2008-03-26 20:21:09.000000000 -0400
65496 +@@ -24,7 +24,8 @@ D(9) KM_IRQ0,
65497 + D(10) KM_IRQ1,
65498 + D(11) KM_SOFTIRQ0,
65499 + D(12) KM_SOFTIRQ1,
65500 +-D(13) KM_TYPE_NR
65501 ++D(13) KM_CLEARPAGE,
65502 ++D(14) KM_TYPE_NR
65503 + };
65504 +
65505 + #undef D
65506 +diff -urNp linux-2.6.24.5/include/asm-sparc/a.out.h linux-2.6.24.5/include/asm-sparc/a.out.h
65507 +--- linux-2.6.24.5/include/asm-sparc/a.out.h 2008-03-24 14:49:18.000000000 -0400
65508 ++++ linux-2.6.24.5/include/asm-sparc/a.out.h 2008-03-26 20:21:09.000000000 -0400
65509 +@@ -91,8 +91,8 @@ struct relocation_info /* used when head
65510 +
65511 + #include <asm/page.h>
65512 +
65513 +-#define STACK_TOP (PAGE_OFFSET - PAGE_SIZE)
65514 +-#define STACK_TOP_MAX STACK_TOP
65515 ++#define __STACK_TOP (PAGE_OFFSET - PAGE_SIZE)
65516 ++#define STACK_TOP_MAX __STACK_TOP
65517 +
65518 + #endif /* __KERNEL__ */
65519 +
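Review bot: renaming STACK_TOP to __STACK_TOP removes the only STACK_TOP definition from asm-sparc; the hunk converts STACK_TOP_MAX (and uaccess.h further down converts __user_ok), but does not show where STACK_TOP itself is now defined in terms of __STACK_TOP. Any remaining STACK_TOP user on sparc must resolve to the new definition, and a comment here stating that __STACK_TOP is the fixed architectural limit while STACK_TOP is the per-process (randomisable) value would make the split clear.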
65520 +diff -urNp linux-2.6.24.5/include/asm-sparc/elf.h linux-2.6.24.5/include/asm-sparc/elf.h
65521 +--- linux-2.6.24.5/include/asm-sparc/elf.h 2008-03-24 14:49:18.000000000 -0400
65522 ++++ linux-2.6.24.5/include/asm-sparc/elf.h 2008-03-26 20:21:09.000000000 -0400
65523 +@@ -143,6 +143,13 @@ do { unsigned long *dest = &(__elf_regs[
65524 +
65525 + #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE)
65526 +
65527 ++#ifdef CONFIG_PAX_ASLR
65528 ++#define PAX_ELF_ET_DYN_BASE 0x10000UL
65529 ++
65530 ++#define PAX_DELTA_MMAP_LEN 16
65531 ++#define PAX_DELTA_STACK_LEN 16
65532 ++#endif
65533 ++
65534 + /* This yields a mask that user programs can use to figure out what
65535 + instruction set this cpu supports. This can NOT be done in userspace
65536 + on Sparc. */
65537 +diff -urNp linux-2.6.24.5/include/asm-sparc/kmap_types.h linux-2.6.24.5/include/asm-sparc/kmap_types.h
65538 +--- linux-2.6.24.5/include/asm-sparc/kmap_types.h 2008-03-24 14:49:18.000000000 -0400
65539 ++++ linux-2.6.24.5/include/asm-sparc/kmap_types.h 2008-03-26 20:21:09.000000000 -0400
65540 +@@ -15,6 +15,7 @@ enum km_type {
65541 + KM_IRQ1,
65542 + KM_SOFTIRQ0,
65543 + KM_SOFTIRQ1,
65544 ++ KM_CLEARPAGE,
65545 + KM_TYPE_NR
65546 + };
65547 +
65548 +diff -urNp linux-2.6.24.5/include/asm-sparc/pgtable.h linux-2.6.24.5/include/asm-sparc/pgtable.h
65549 +--- linux-2.6.24.5/include/asm-sparc/pgtable.h 2008-03-24 14:49:18.000000000 -0400
65550 ++++ linux-2.6.24.5/include/asm-sparc/pgtable.h 2008-03-26 20:21:09.000000000 -0400
65551 +@@ -69,6 +69,16 @@ extern pgprot_t PAGE_SHARED;
65552 + #define PAGE_COPY __pgprot(BTFIXUP_INT(page_copy))
65553 + #define PAGE_READONLY __pgprot(BTFIXUP_INT(page_readonly))
65554 +
65555 ++#ifdef CONFIG_PAX_PAGEEXEC
65556 ++extern pgprot_t PAGE_SHARED_NOEXEC;
65557 ++# define PAGE_COPY_NOEXEC __pgprot(BTFIXUP_INT(page_copy_noexec))
65558 ++# define PAGE_READONLY_NOEXEC __pgprot(BTFIXUP_INT(page_readonly_noexec))
65559 ++#else
65560 ++# define PAGE_SHARED_NOEXEC PAGE_SHARED
65561 ++# define PAGE_COPY_NOEXEC PAGE_COPY
65562 ++# define PAGE_READONLY_NOEXEC PAGE_READONLY
65563 ++#endif
65564 ++
65565 + extern unsigned long page_kernel;
65566 +
65567 + #ifdef MODULE
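Review bot: PAGE_SHARED_NOEXEC is an extern pgprot_t while PAGE_COPY_NOEXEC and PAGE_READONLY_NOEXEC are BTFIXUP macros, mirroring the existing PAGE_SHARED/PAGE_COPY/PAGE_READONLY split in the context lines, but this hunk only declares them: the page_copy_noexec and page_readonly_noexec BTFIXUP targets and the PAGE_SHARED_NOEXEC variable need definitions in the MMU back-end setup, which is not in this header. Please confirm both srmmu and sun4c are covered, since a missing BTFIXUP target only shows up on the configurations that use it.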
65568 +diff -urNp linux-2.6.24.5/include/asm-sparc/pgtsrmmu.h linux-2.6.24.5/include/asm-sparc/pgtsrmmu.h
65569 +--- linux-2.6.24.5/include/asm-sparc/pgtsrmmu.h 2008-03-24 14:49:18.000000000 -0400
65570 ++++ linux-2.6.24.5/include/asm-sparc/pgtsrmmu.h 2008-03-26 20:21:09.000000000 -0400
65571 +@@ -115,6 +115,16 @@
65572 + SRMMU_EXEC | SRMMU_REF)
65573 + #define SRMMU_PAGE_RDONLY __pgprot(SRMMU_VALID | SRMMU_CACHE | \
65574 + SRMMU_EXEC | SRMMU_REF)
65575 ++
65576 ++#ifdef CONFIG_PAX_PAGEEXEC
65577 ++#define SRMMU_PAGE_SHARED_NOEXEC __pgprot(SRMMU_VALID | SRMMU_CACHE | \
65578 ++ SRMMU_WRITE | SRMMU_REF)
65579 ++#define SRMMU_PAGE_COPY_NOEXEC __pgprot(SRMMU_VALID | SRMMU_CACHE | \
65580 ++ SRMMU_REF)
65581 ++#define SRMMU_PAGE_RDONLY_NOEXEC __pgprot(SRMMU_VALID | SRMMU_CACHE | \
65582 ++ SRMMU_REF)
65583 ++#endif
65584 ++
65585 + #define SRMMU_PAGE_KERNEL __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_PRIV | \
65586 + SRMMU_DIRTY | SRMMU_REF)
65587 +
65588 +diff -urNp linux-2.6.24.5/include/asm-sparc/uaccess.h linux-2.6.24.5/include/asm-sparc/uaccess.h
65589 +--- linux-2.6.24.5/include/asm-sparc/uaccess.h 2008-03-24 14:49:18.000000000 -0400
65590 ++++ linux-2.6.24.5/include/asm-sparc/uaccess.h 2008-03-26 20:21:09.000000000 -0400
65591 +@@ -41,7 +41,7 @@
65592 + * No one can read/write anything from userland in the kernel space by setting
65593 + * large size and address near to PAGE_OFFSET - a fault will break his intentions.
65594 + */
65595 +-#define __user_ok(addr, size) ({ (void)(size); (addr) < STACK_TOP; })
65596 ++#define __user_ok(addr, size) ({ (void)(size); (addr) < __STACK_TOP; })
65597 + #define __kernel_ok (segment_eq(get_fs(), KERNEL_DS))
65598 + #define __access_ok(addr,size) (__user_ok((addr) & get_fs().seg,(size)))
65599 + #define access_ok(type, addr, size) \
65600 +diff -urNp linux-2.6.24.5/include/asm-sparc64/a.out.h linux-2.6.24.5/include/asm-sparc64/a.out.h
65601 +--- linux-2.6.24.5/include/asm-sparc64/a.out.h 2008-03-24 14:49:18.000000000 -0400
65602 ++++ linux-2.6.24.5/include/asm-sparc64/a.out.h 2008-03-26 20:21:09.000000000 -0400
65603 +@@ -98,7 +98,7 @@ struct relocation_info /* used when head
65604 + #define STACK_TOP32 ((1UL << 32UL) - PAGE_SIZE)
65605 + #define STACK_TOP64 (0x0000080000000000UL - (1UL << 32UL))
65606 +
65607 +-#define STACK_TOP (test_thread_flag(TIF_32BIT) ? \
65608 ++#define __STACK_TOP (test_thread_flag(TIF_32BIT) ? \
65609 + STACK_TOP32 : STACK_TOP64)
65610 +
65611 + #define STACK_TOP_MAX STACK_TOP64
65612 +diff -urNp linux-2.6.24.5/include/asm-sparc64/elf.h linux-2.6.24.5/include/asm-sparc64/elf.h
65613 +--- linux-2.6.24.5/include/asm-sparc64/elf.h 2008-03-24 14:49:18.000000000 -0400
65614 ++++ linux-2.6.24.5/include/asm-sparc64/elf.h 2008-03-26 20:21:09.000000000 -0400
65615 +@@ -143,6 +143,12 @@ typedef struct {
65616 + #define ELF_ET_DYN_BASE 0x0000010000000000UL
65617 + #endif
65618 +
65619 ++#ifdef CONFIG_PAX_ASLR
65620 ++#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_32BIT) ? 0x10000UL : 0x100000UL)
65621 ++
65622 ++#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_32BIT) ? 14 : 28 )
65623 ++#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_32BIT) ? 15 : 29 )
65624 ++#endif
65625 +
65626 + /* This yields a mask that user programs can use to figure out what
65627 + instruction set this cpu supports. */
65628 +diff -urNp linux-2.6.24.5/include/asm-sparc64/kmap_types.h linux-2.6.24.5/include/asm-sparc64/kmap_types.h
65629 +--- linux-2.6.24.5/include/asm-sparc64/kmap_types.h 2008-03-24 14:49:18.000000000 -0400
65630 ++++ linux-2.6.24.5/include/asm-sparc64/kmap_types.h 2008-03-26 20:21:09.000000000 -0400
65631 +@@ -19,6 +19,7 @@ enum km_type {
65632 + KM_IRQ1,
65633 + KM_SOFTIRQ0,
65634 + KM_SOFTIRQ1,
65635 ++ KM_CLEARPAGE,
65636 + KM_TYPE_NR
65637 + };
65638 +
65639 +diff -urNp linux-2.6.24.5/include/asm-um/kmap_types.h linux-2.6.24.5/include/asm-um/kmap_types.h
65640 +--- linux-2.6.24.5/include/asm-um/kmap_types.h 2008-03-24 14:49:18.000000000 -0400
65641 ++++ linux-2.6.24.5/include/asm-um/kmap_types.h 2008-03-26 20:21:09.000000000 -0400
65642 +@@ -23,6 +23,7 @@ enum km_type {
65643 + KM_IRQ1,
65644 + KM_SOFTIRQ0,
65645 + KM_SOFTIRQ1,
65646 ++ KM_CLEARPAGE,
65647 + KM_TYPE_NR
65648 + };
65649 +
65650 +diff -urNp linux-2.6.24.5/include/asm-v850/kmap_types.h linux-2.6.24.5/include/asm-v850/kmap_types.h
65651 +--- linux-2.6.24.5/include/asm-v850/kmap_types.h 2008-03-24 14:49:18.000000000 -0400
65652 ++++ linux-2.6.24.5/include/asm-v850/kmap_types.h 2008-03-26 20:21:09.000000000 -0400
65653 +@@ -13,6 +13,7 @@ enum km_type {
65654 + KM_PTE1,
65655 + KM_IRQ0,
65656 + KM_IRQ1,
65657 ++ KM_CLEARPAGE,
65658 + KM_TYPE_NR
65659 + };
65660 +
65661 +diff -urNp linux-2.6.24.5/include/asm-x86/alternative_32.h linux-2.6.24.5/include/asm-x86/alternative_32.h
65662 +--- linux-2.6.24.5/include/asm-x86/alternative_32.h 2008-03-24 14:49:18.000000000 -0400
65663 ++++ linux-2.6.24.5/include/asm-x86/alternative_32.h 2008-03-26 20:21:09.000000000 -0400
65664 +@@ -54,7 +54,7 @@ static inline void alternatives_smp_swit
65665 + " .byte 662b-661b\n" /* sourcelen */ \
65666 + " .byte 664f-663f\n" /* replacementlen */ \
65667 + ".previous\n" \
65668 +- ".section .altinstr_replacement,\"ax\"\n" \
65669 ++ ".section .altinstr_replacement,\"a\"\n" \
65670 + "663:\n\t" newinstr "\n664:\n" /* replacement */\
65671 + ".previous" :: "i" (feature) : "memory")
65672 +
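Review bot: dropping the "x" flag from .altinstr_replacement is consistent across the three macros in this file (the replacement bytes are only copied into place, never executed where they sit), but every other emitter of that section, the macros in alternative_64.h below, any out-of-line assembly, and the linker script that places it, must agree: gas warns about changed section attributes when one translation unit opens the section with different flags, and the output section may still end up executable if any contribution keeps "x". A comment on the first macro explaining why the section is deliberately non-executable would help whoever adds the next alternative.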
65673 +@@ -78,7 +78,7 @@ static inline void alternatives_smp_swit
65674 + " .byte 662b-661b\n" /* sourcelen */ \
65675 + " .byte 664f-663f\n" /* replacementlen */ \
65676 + ".previous\n" \
65677 +- ".section .altinstr_replacement,\"ax\"\n" \
65678 ++ ".section .altinstr_replacement,\"a\"\n" \
65679 + "663:\n\t" newinstr "\n664:\n" /* replacement */\
65680 + ".previous" :: "i" (feature), ##input)
65681 +
65682 +@@ -93,7 +93,7 @@ static inline void alternatives_smp_swit
65683 + " .byte 662b-661b\n" /* sourcelen */ \
65684 + " .byte 664f-663f\n" /* replacementlen */ \
65685 + ".previous\n" \
65686 +- ".section .altinstr_replacement,\"ax\"\n" \
65687 ++ ".section .altinstr_replacement,\"a\"\n" \
65688 + "663:\n\t" newinstr "\n664:\n" /* replacement */ \
65689 + ".previous" : output : [feat] "i" (feature), ##input)
65690 +
65691 +diff -urNp linux-2.6.24.5/include/asm-x86/alternative_64.h linux-2.6.24.5/include/asm-x86/alternative_64.h
65692 +--- linux-2.6.24.5/include/asm-x86/alternative_64.h 2008-03-24 14:49:18.000000000 -0400
65693 ++++ linux-2.6.24.5/include/asm-x86/alternative_64.h 2008-03-26 20:21:09.000000000 -0400
65694 +@@ -94,7 +94,7 @@ static inline void alternatives_smp_swit
65695 + " .byte 662b-661b\n" /* sourcelen */ \
65696 + " .byte 664f-663f\n" /* replacementlen */ \
65697 + ".previous\n" \
65698 +- ".section .altinstr_replacement,\"ax\"\n" \
65699 ++ ".section .altinstr_replacement,\"a\"\n" \
65700 + "663:\n\t" newinstr "\n664:\n" /* replacement */ \
65701 + ".previous" :: "i" (feature) : "memory")
65702 +
65703 +@@ -118,7 +118,7 @@ static inline void alternatives_smp_swit
65704 + " .byte 662b-661b\n" /* sourcelen */ \
65705 + " .byte 664f-663f\n" /* replacementlen */ \
65706 + ".previous\n" \
65707 +- ".section .altinstr_replacement,\"ax\"\n" \
65708 ++ ".section .altinstr_replacement,\"a\"\n" \
65709 + "663:\n\t" newinstr "\n664:\n" /* replacement */ \
65710 + ".previous" :: "i" (feature), ##input)
65711 +
65712 +@@ -133,7 +133,7 @@ static inline void alternatives_smp_swit
65713 + " .byte 662b-661b\n" /* sourcelen */ \
65714 + " .byte 664f-663f\n" /* replacementlen */ \
65715 + ".previous\n" \
65716 +- ".section .altinstr_replacement,\"ax\"\n" \
65717 ++ ".section .altinstr_replacement,\"a\"\n" \
65718 + "663:\n\t" newinstr "\n664:\n" /* replacement */ \
65719 + ".previous" : output : [feat] "i" (feature), ##input)
65720 +
65721 +diff -urNp linux-2.6.24.5/include/asm-x86/a.out.h linux-2.6.24.5/include/asm-x86/a.out.h
65722 +--- linux-2.6.24.5/include/asm-x86/a.out.h 2008-03-24 14:49:18.000000000 -0400
65723 ++++ linux-2.6.24.5/include/asm-x86/a.out.h 2008-03-26 20:21:09.000000000 -0400
65724 +@@ -19,9 +19,13 @@ struct exec
65725 +
65726 + #ifdef __KERNEL__
65727 + # include <linux/thread_info.h>
65728 +-# define STACK_TOP TASK_SIZE
65729 ++# ifdef CONFIG_PAX_SEGMEXEC
65730 ++# define __STACK_TOP ((current->mm->pax_flags & MF_PAX_SEGMEXEC)?TASK_SIZE/2:TASK_SIZE)
65731 ++# else
65732 ++# define __STACK_TOP TASK_SIZE
65733 ++# endif
65734 + # ifdef CONFIG_X86_32
65735 +-# define STACK_TOP_MAX STACK_TOP
65736 ++# define STACK_TOP_MAX TASK_SIZE
65737 + # else
65738 + # define STACK_TOP_MAX TASK_SIZE64
65739 + # endif
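Review bot: __STACK_TOP now dereferences current->mm (pax_flags), so it is no longer usable where current->mm can be NULL (kernel threads, early boot, anything running on a borrowed mm); the old STACK_TOP was a constant. Keeping STACK_TOP_MAX at TASK_SIZE is right, since the SEGMEXEC halving applies only to the per-process limit, but the "valid current->mm required" invariant should be documented next to the macro. Style: `(...)?TASK_SIZE/2:TASK_SIZE` wants spaces around `?` and `:`.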
65740 +diff -urNp linux-2.6.24.5/include/asm-x86/apic_32.h linux-2.6.24.5/include/asm-x86/apic_32.h
65741 +--- linux-2.6.24.5/include/asm-x86/apic_32.h 2008-03-24 14:49:18.000000000 -0400
65742 ++++ linux-2.6.24.5/include/asm-x86/apic_32.h 2008-03-26 20:21:09.000000000 -0400
65743 +@@ -8,7 +8,7 @@
65744 + #include <asm/processor.h>
65745 + #include <asm/system.h>
65746 +
65747 +-#define Dprintk(x...)
65748 ++#define Dprintk(x...) do {} while (0)
65749 +
65750 + /*
65751 + * Debugging macros
65752 +diff -urNp linux-2.6.24.5/include/asm-x86/apic_64.h linux-2.6.24.5/include/asm-x86/apic_64.h
65753 +--- linux-2.6.24.5/include/asm-x86/apic_64.h 2008-03-24 14:49:18.000000000 -0400
65754 ++++ linux-2.6.24.5/include/asm-x86/apic_64.h 2008-03-26 20:21:09.000000000 -0400
65755 +@@ -7,7 +7,7 @@
65756 + #include <asm/apicdef.h>
65757 + #include <asm/system.h>
65758 +
65759 +-#define Dprintk(x...)
65760 ++#define Dprintk(x...) do {} while (0)
65761 +
65762 + /*
65763 + * Debugging macros
65764 +diff -urNp linux-2.6.24.5/include/asm-x86/boot.h linux-2.6.24.5/include/asm-x86/boot.h
65765 +--- linux-2.6.24.5/include/asm-x86/boot.h 2008-03-24 14:49:18.000000000 -0400
65766 ++++ linux-2.6.24.5/include/asm-x86/boot.h 2008-03-26 20:21:09.000000000 -0400
65767 +@@ -13,8 +13,13 @@
65768 + #define ASK_VGA 0xfffd /* ask for it at bootup */
65769 +
65770 + /* Physical address where kernel should be loaded. */
65771 +-#define LOAD_PHYSICAL_ADDR ((CONFIG_PHYSICAL_START \
65772 ++#define ____LOAD_PHYSICAL_ADDR ((CONFIG_PHYSICAL_START \
65773 + + (CONFIG_PHYSICAL_ALIGN - 1)) \
65774 + & ~(CONFIG_PHYSICAL_ALIGN - 1))
65775 +
65776 ++#ifndef __ASSEMBLY__
65777 ++extern unsigned char __LOAD_PHYSICAL_ADDR[];
65778 ++#define LOAD_PHYSICAL_ADDR ((unsigned long)__LOAD_PHYSICAL_ADDR)
65779 ++#endif
65780 ++
65781 + #endif /* _ASM_BOOT_H */
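Review bot: LOAD_PHYSICAL_ADDR is no longer a compile-time constant; it is now the address of the linker symbol __LOAD_PHYSICAL_ADDR, and the constant form has been renamed ____LOAD_PHYSICAL_ADDR and is the only definition visible to assembly. Any assembly still referencing LOAD_PHYSICAL_ADDR will fail to build (the new macro sits inside `#ifndef __ASSEMBLY__`), and any C use in a static initialiser, array bound or case label breaks too. Say in a comment where __LOAD_PHYSICAL_ADDR is defined and why the indirection is needed; the four-underscore name wants a comment as well.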
65782 +diff -urNp linux-2.6.24.5/include/asm-x86/cache.h linux-2.6.24.5/include/asm-x86/cache.h
65783 +--- linux-2.6.24.5/include/asm-x86/cache.h 2008-03-24 14:49:18.000000000 -0400
65784 ++++ linux-2.6.24.5/include/asm-x86/cache.h 2008-03-26 20:21:09.000000000 -0400
65785 +@@ -6,6 +6,7 @@
65786 + #define L1_CACHE_BYTES (1 << L1_CACHE_SHIFT)
65787 +
65788 + #define __read_mostly __attribute__((__section__(".data.read_mostly")))
65789 ++#define __read_only __attribute__((__section__(".data.read_only")))
65790 +
65791 + #ifdef CONFIG_X86_VSMP
65792 + /* vSMP Internode cacheline shift */
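Review bot: __read_only only places a variable in .data.read_only; on its own the attribute protects nothing. The section has to be collected by the linker script and its pages write-protected after init, and neither is visible here. Add a comment stating where the section is mapped read-only and what the rules for annotated variables are (written only before the protection is applied, or only under pax_open_kernel()).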
65793 +diff -urNp linux-2.6.24.5/include/asm-x86/checksum_32.h linux-2.6.24.5/include/asm-x86/checksum_32.h
65794 +--- linux-2.6.24.5/include/asm-x86/checksum_32.h 2008-03-24 14:49:18.000000000 -0400
65795 ++++ linux-2.6.24.5/include/asm-x86/checksum_32.h 2008-03-26 20:21:09.000000000 -0400
65796 +@@ -30,6 +30,12 @@ asmlinkage __wsum csum_partial(const voi
65797 + asmlinkage __wsum csum_partial_copy_generic(const void *src, void *dst,
65798 + int len, __wsum sum, int *src_err_ptr, int *dst_err_ptr);
65799 +
65800 ++asmlinkage __wsum csum_partial_copy_generic_to_user(const void *src, void *dst,
65801 ++ int len, __wsum sum, int *src_err_ptr, int *dst_err_ptr);
65802 ++
65803 ++asmlinkage __wsum csum_partial_copy_generic_from_user(const void *src, void *dst,
65804 ++ int len, __wsum sum, int *src_err_ptr, int *dst_err_ptr);
65805 ++
65806 + /*
65807 + * Note: when you get a NULL pointer exception here this means someone
65808 + * passed in an incorrect kernel address to one of these functions.
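Review bot: the new csum_partial_copy_generic_to_user()/_from_user() prototypes keep plain `void *` on both sides, exactly like the generic variant, even though their names fix which operand is the user pointer, and the callers in the following hunks still cast with `(__force void *)`. Declaring the user-side parameter `__user` (`const void __user *src` for _from_user, `void __user *dst` for _to_user) would let sparse check the split these functions exist to enforce and would drop the __force casts at the call sites.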
65809 +@@ -49,7 +55,7 @@ __wsum csum_partial_copy_from_user(const
65810 + int len, __wsum sum, int *err_ptr)
65811 + {
65812 + might_sleep();
65813 +- return csum_partial_copy_generic((__force void *)src, dst,
65814 ++ return csum_partial_copy_generic_from_user((__force void *)src, dst,
65815 + len, sum, err_ptr, NULL);
65816 + }
65817 +
65818 +@@ -180,7 +186,7 @@ static __inline__ __wsum csum_and_copy_t
65819 + {
65820 + might_sleep();
65821 + if (access_ok(VERIFY_WRITE, dst, len))
65822 +- return csum_partial_copy_generic(src, (__force void *)dst, len, sum, NULL, err_ptr);
65823 ++ return csum_partial_copy_generic_to_user(src, (__force void *)dst, len, sum, NULL, err_ptr);
65824 +
65825 + if (len)
65826 + *err_ptr = -EFAULT;
65827 +diff -urNp linux-2.6.24.5/include/asm-x86/desc_32.h linux-2.6.24.5/include/asm-x86/desc_32.h
65828 +--- linux-2.6.24.5/include/asm-x86/desc_32.h 2008-03-24 14:49:18.000000000 -0400
65829 ++++ linux-2.6.24.5/include/asm-x86/desc_32.h 2008-03-26 20:21:09.000000000 -0400
65830 +@@ -7,30 +7,26 @@
65831 + #ifndef __ASSEMBLY__
65832 +
65833 + #include <linux/preempt.h>
65834 +-#include <linux/smp.h>
65835 + #include <linux/percpu.h>
65836 ++#include <linux/smp.h>
65837 +
65838 + #include <asm/mmu.h>
65839 +
65840 ++extern struct desc_struct cpu_gdt_table[NR_CPUS][PAGE_SIZE / sizeof(struct desc_struct)];
65841 ++
65842 + struct Xgt_desc_struct {
65843 + unsigned short size;
65844 +- unsigned long address __attribute__((packed));
65845 ++ struct desc_struct *address __attribute__((packed));
65846 + unsigned short pad;
65847 + } __attribute__ ((packed));
65848 +
65849 +-struct gdt_page
65850 +-{
65851 +- struct desc_struct gdt[GDT_ENTRIES];
65852 +-} __attribute__((aligned(PAGE_SIZE)));
65853 +-DECLARE_PER_CPU(struct gdt_page, gdt_page);
65854 +-
65855 + static inline struct desc_struct *get_cpu_gdt_table(unsigned int cpu)
65856 + {
65857 +- return per_cpu(gdt_page, cpu).gdt;
65858 ++ return cpu_gdt_table[cpu];
65859 + }
65860 +
65861 + extern struct Xgt_desc_struct idt_descr;
65862 +-extern struct desc_struct idt_table[];
65863 ++extern struct desc_struct idt_table[256];
65864 + extern void set_intr_gate(unsigned int irq, void * addr);
65865 +
65866 + static inline void pack_descriptor(__u32 *a, __u32 *b,
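Review bot: replacing the per-cpu gdt_page with `cpu_gdt_table[NR_CPUS][PAGE_SIZE / sizeof(struct desc_struct)]` reserves a page per possible CPU rather than per present CPU, and changing Xgt_desc_struct.address from unsigned long to `struct desc_struct *` means every site that filled `.address` with an integer or cast it must be updated; none of those sites is in this hunk. Both look deliberate (a fixed, page-aligned table that can be mapped read-only, and a typed pointer), so say so in a comment, and note that `idt_table[256]` now hard-codes the IDT size this header previously left open.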
65867 +@@ -81,8 +77,20 @@ static inline void pack_gate(__u32 *a, _
65868 + static inline void write_dt_entry(struct desc_struct *dt,
65869 + int entry, u32 entry_low, u32 entry_high)
65870 + {
65871 ++
65872 ++#ifdef CONFIG_PAX_KERNEXEC
65873 ++ unsigned long cr0;
65874 ++
65875 ++ pax_open_kernel(cr0);
65876 ++#endif
65877 ++
65878 + dt[entry].a = entry_low;
65879 + dt[entry].b = entry_high;
65880 ++
65881 ++#ifdef CONFIG_PAX_KERNEXEC
65882 ++ pax_close_kernel(cr0);
65883 ++#endif
65884 ++
65885 + }
65886 +
65887 + static inline void native_set_ldt(const void *addr, unsigned int entries)
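Review bot: pax_open_kernel()/pax_close_kernel() are used in this header (here and in native_load_tls() below) but nothing visible includes their definition; the header only pulls in preempt.h, percpu.h, smp.h and asm/mmu.h. Either include the header that provides them or document the ordering requirement. Minor: the blank line after `{` and before `}` that the #ifdef blocks add is a style nit; the KERNEXEC wrappers read cleaner without them.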
65888 +@@ -139,8 +147,19 @@ static inline void native_load_tls(struc
65889 + unsigned int i;
65890 + struct desc_struct *gdt = get_cpu_gdt_table(cpu);
65891 +
65892 ++#ifdef CONFIG_PAX_KERNEXEC
65893 ++ unsigned long cr0;
65894 ++
65895 ++ pax_open_kernel(cr0);
65896 ++#endif
65897 ++
65898 + for (i = 0; i < GDT_ENTRY_TLS_ENTRIES; i++)
65899 + gdt[GDT_ENTRY_TLS_MIN + i] = t->tls_array[i];
65900 ++
65901 ++#ifdef CONFIG_PAX_KERNEXEC
65902 ++ pax_close_kernel(cr0);
65903 ++#endif
65904 ++
65905 + }
65906 +
65907 + static inline void _set_gate(int gate, unsigned int type, void *addr, unsigned short seg)
65908 +@@ -175,7 +194,7 @@ static inline void __set_tss_desc(unsign
65909 + ((info)->seg_32bit << 22) | \
65910 + ((info)->limit_in_pages << 23) | \
65911 + ((info)->useable << 20) | \
65912 +- 0x7000)
65913 ++ 0x7100)
65914 +
65915 + #define LDT_empty(info) (\
65916 + (info)->base_addr == 0 && \
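Review bot: the change from 0x7000 to 0x7100 in LDT_entry_b sets bit 8 of the descriptor's high dword, the type's accessed bit, so the CPU never has to write the descriptor back when the segment is first loaded, which matters once the GDT/LDT can live in read-only memory. That is not obvious from a magic constant; add a comment or spell it as `0x7000 | (1 << 8) /* accessed */`. The same constant change appears in desc_64.h further down and wants the same comment.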
65917 +@@ -207,15 +226,25 @@ static inline void load_LDT(mm_context_t
65918 + preempt_enable();
65919 + }
65920 +
65921 +-static inline unsigned long get_desc_base(unsigned long *desc)
65922 ++static inline unsigned long get_desc_base(struct desc_struct *desc)
65923 + {
65924 + unsigned long base;
65925 +- base = ((desc[0] >> 16) & 0x0000ffff) |
65926 +- ((desc[1] << 16) & 0x00ff0000) |
65927 +- (desc[1] & 0xff000000);
65928 ++ base = ((desc->a >> 16) & 0x0000ffff) |
65929 ++ ((desc->b << 16) & 0x00ff0000) |
65930 ++ (desc->b & 0xff000000);
65931 + return base;
65932 + }
65933 +
65934 ++static inline void set_user_cs(unsigned long base, unsigned long limit, int cpu)
65935 ++{
65936 ++ __u32 a, b;
65937 ++
65938 ++ if (likely(limit))
65939 ++ limit = (limit - 1UL) >> PAGE_SHIFT;
65940 ++ pack_descriptor(&a, &b, base, limit, 0xFB, 0xC);
65941 ++ write_gdt_entry(get_cpu_gdt_table(cpu), GDT_ENTRY_DEFAULT_USER_CS, a, b);
65942 ++}
65943 ++
65944 + #else /* __ASSEMBLY__ */
65945 +
65946 + /*
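Review bot: in set_user_cs() a zero `limit` does not produce an empty segment: with the granularity nibble 0xC (G=1, D/B=1) a limit field of 0 still spans the first 4 KiB, so `limit == 0` leaves the first page of the code segment accessible rather than nothing. If callers rely on 0 meaning "no code segment", that needs handling (for example clearing the present bit); if a one-page minimum is intended, comment it, and note that the `likely(limit)` branch only exists to avoid underflow in `limit - 1UL`. Also, get_desc_base() changing its parameter from `unsigned long *` to `struct desc_struct *` changes the interface for its callers, none of which are shown here.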
65947 +diff -urNp linux-2.6.24.5/include/asm-x86/desc_64.h linux-2.6.24.5/include/asm-x86/desc_64.h
65948 +--- linux-2.6.24.5/include/asm-x86/desc_64.h 2008-03-24 14:49:18.000000000 -0400
65949 ++++ linux-2.6.24.5/include/asm-x86/desc_64.h 2008-03-26 20:21:09.000000000 -0400
65950 +@@ -14,7 +14,7 @@
65951 + #include <asm/segment.h>
65952 + #include <asm/mmu.h>
65953 +
65954 +-extern struct desc_struct cpu_gdt_table[GDT_ENTRIES];
65955 ++extern struct desc_struct cpu_gdt_table[NR_CPUS][PAGE_SIZE / sizeof(struct desc_struct)];
65956 +
65957 + #define load_TR_desc() asm volatile("ltr %w0"::"r" (GDT_ENTRY_TSS*8))
65958 + #define load_LDT_desc() asm volatile("lldt %w0"::"r" (GDT_ENTRY_LDT*8))
65959 +@@ -34,12 +34,10 @@ static inline unsigned long __store_tr(v
65960 + * This is the ldt that every process will get unless we need
65961 + * something other than this.
65962 + */
65963 +-extern struct desc_struct default_ldt[];
65964 + extern struct gate_struct idt_table[];
65965 +-extern struct desc_ptr cpu_gdt_descr[];
65966 +
65967 + /* the cpu gdt accessor */
65968 +-#define cpu_gdt(_cpu) ((struct desc_struct *)cpu_gdt_descr[_cpu].address)
65969 ++#define cpu_gdt(_cpu) (cpu_gdt_table[_cpu])
65970 +
65971 + static inline void load_gdt(const struct desc_ptr *ptr)
65972 + {
65973 +@@ -54,6 +52,11 @@ static inline void store_gdt(struct desc
65974 + static inline void _set_gate(void *adr, unsigned type, unsigned long func, unsigned dpl, unsigned ist)
65975 + {
65976 + struct gate_struct s;
65977 ++
65978 ++#ifdef CONFIG_PAX_KERNEXEC
65979 ++ unsigned long cr0;
65980 ++#endif
65981 ++
65982 + s.offset_low = PTR_LOW(func);
65983 + s.segment = __KERNEL_CS;
65984 + s.ist = ist;
65985 +@@ -65,7 +68,17 @@ static inline void _set_gate(void *adr,
65986 + s.offset_middle = PTR_MIDDLE(func);
65987 + s.offset_high = PTR_HIGH(func);
65988 + /* does not need to be atomic because it is only done once at setup time */
65989 ++
65990 ++#ifdef CONFIG_PAX_KERNEXEC
65991 ++ pax_open_kernel(cr0);
65992 ++#endif
65993 ++
65994 + memcpy(adr, &s, 16);
65995 ++
65996 ++#ifdef CONFIG_PAX_KERNEXEC
65997 ++ pax_close_kernel(cr0);
65998 ++#endif
65999 ++
66000 + }
66001 +
66002 + static inline void set_intr_gate(int nr, void *func)
66003 +@@ -105,6 +118,11 @@ static inline void set_tssldt_descriptor
66004 + unsigned size)
66005 + {
66006 + struct ldttss_desc d;
66007 ++
66008 ++#ifdef CONFIG_PAX_KERNEXEC
66009 ++ unsigned long cr0;
66010 ++#endif
66011 ++
66012 + memset(&d,0,sizeof(d));
66013 + d.limit0 = size & 0xFFFF;
66014 + d.base0 = PTR_LOW(tss);
66015 +@@ -114,7 +132,17 @@ static inline void set_tssldt_descriptor
66016 + d.limit1 = (size >> 16) & 0xF;
66017 + d.base2 = (PTR_MIDDLE(tss) >> 8) & 0xFF;
66018 + d.base3 = PTR_HIGH(tss);
66019 ++
66020 ++#ifdef CONFIG_PAX_KERNEXEC
66021 ++ pax_open_kernel(cr0);
66022 ++#endif
66023 ++
66024 + memcpy(ptr, &d, 16);
66025 ++
66026 ++#ifdef CONFIG_PAX_KERNEXEC
66027 ++ pax_close_kernel(cr0);
66028 ++#endif
66029 ++
66030 + }
66031 +
66032 + static inline void set_tss_desc(unsigned cpu, void *addr)
66033 +@@ -152,7 +180,7 @@ static inline void set_ldt_desc(unsigned
66034 + ((info)->limit_in_pages << 23) | \
66035 + ((info)->useable << 20) | \
66036 + /* ((info)->lm << 21) | */ \
66037 +- 0x7000)
66038 ++ 0x7100)
66039 +
66040 + #define LDT_empty(info) (\
66041 + (info)->base_addr == 0 && \
66042 +@@ -170,8 +198,19 @@ static inline void load_TLS(struct threa
66043 + unsigned int i;
66044 + u64 *gdt = (u64 *)(cpu_gdt(cpu) + GDT_ENTRY_TLS_MIN);
66045 +
66046 ++#ifdef CONFIG_PAX_KERNEXEC
66047 ++ unsigned long cr0;
66048 ++
66049 ++ pax_open_kernel(cr0);
66050 ++#endif
66051 ++
66052 + for (i = 0; i < GDT_ENTRY_TLS_ENTRIES; i++)
66053 + gdt[i] = t->tls_array[i];
66054 ++
66055 ++#ifdef CONFIG_PAX_KERNEXEC
66056 ++ pax_close_kernel(cr0);
66057 ++#endif
66058 ++
66059 + }
66060 +
66061 + /*
66062 +@@ -197,7 +236,7 @@ static inline void load_LDT(mm_context_t
66063 + put_cpu();
66064 + }
66065 +
66066 +-extern struct desc_ptr idt_descr;
66067 ++extern const struct desc_ptr idt_descr;
66068 +
66069 + #endif /* !__ASSEMBLY__ */
66070 +
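Review bot: declaring `idt_descr` const here requires the definition (not in this patch) to be const as well, otherwise the compiler rejects the conflicting declaration; the point is presumably to let the descriptor live in a read-only section. Both the matching definition change and the reason belong in the commit message.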
66071 +diff -urNp linux-2.6.24.5/include/asm-x86/elf.h linux-2.6.24.5/include/asm-x86/elf.h
66072 +--- linux-2.6.24.5/include/asm-x86/elf.h 2008-03-24 14:49:18.000000000 -0400
66073 ++++ linux-2.6.24.5/include/asm-x86/elf.h 2008-03-26 20:21:09.000000000 -0400
66074 +@@ -206,7 +206,25 @@ extern int vdso_enabled;
66075 + the loader. We need to make sure that it is out of the way of the program
66076 + that it will "exec", and that there is sufficient room for the brk. */
66077 +
66078 ++#ifdef CONFIG_PAX_SEGMEXEC
66079 ++#define ELF_ET_DYN_BASE ((current->mm->pax_flags & MF_PAX_SEGMEXEC) ? SEGMEXEC_TASK_SIZE/3*2 : TASK_SIZE/3*2)
66080 ++#else
66081 + #define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
66082 ++#endif
66083 ++
66084 ++#ifdef CONFIG_PAX_ASLR
66085 ++#ifdef CONFIG_X86_32
66086 ++#define PAX_ELF_ET_DYN_BASE 0x10000000UL
66087 ++
66088 ++#define PAX_DELTA_MMAP_LEN (current->mm->pax_flags & MF_PAX_SEGMEXEC ? 15 : 16)
66089 ++#define PAX_DELTA_STACK_LEN (current->mm->pax_flags & MF_PAX_SEGMEXEC ? 15 : 16)
66090 ++#else
66091 ++#define PAX_ELF_ET_DYN_BASE 0x400000UL
66092 ++
66093 ++#define PAX_DELTA_MMAP_LEN 32
66094 ++#define PAX_DELTA_STACK_LEN 32
66095 ++#endif
66096 ++#endif
66097 +
66098 + /* This yields a mask that user programs can use to figure out what
66099 + instruction set this CPU supports. This could be done in user space,
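Review bot: the SEGMEXEC form of ELF_ET_DYN_BASE parenthesises its conditional, but the new X86_32 PAX_DELTA_MMAP_LEN/PAX_DELTA_STACK_LEN do not (`current->mm->pax_flags & MF_PAX_SEGMEXEC ? 15 : 16`); the precedence happens to be right, since `&` binds tighter than `?:`, but the inconsistency invites a wrong "fix" later, so parenthesise. Like ELF_ET_DYN_BASE, these macros now dereference current->mm, which should be noted since the old ELF_ET_DYN_BASE was a pure constant.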
66100 +@@ -246,7 +264,7 @@ extern int dump_task_extended_fpu (struc
66101 + #define ELF_CORE_XFPREG_TYPE NT_PRXFPREG
66102 +
66103 + #define VDSO_HIGH_BASE (__fix_to_virt(FIX_VDSO))
66104 +-#define VDSO_CURRENT_BASE ((unsigned long)current->mm->context.vdso)
66105 ++#define VDSO_CURRENT_BASE (current->mm->context.vdso)
66106 + #define VDSO_PRELINK 0
66107 +
66108 + #define VDSO_SYM(x) \
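Review bot: dropping the `(unsigned long)` cast from context.vdso in VDSO_CURRENT_BASE and ARCH_DLINFO only compiles if mm_context_t.vdso has been changed from a pointer to an unsigned long in asm-x86/mmu.h, which is not in this hunk; keep that change in the same patch, or reference it, so the two headers cannot be split apart into a build break.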
66109 +@@ -274,7 +292,7 @@ do if (vdso_enabled) { \
66110 +
66111 + #define ARCH_DLINFO \
66112 + do if (vdso_enabled) { \
66113 +- NEW_AUX_ENT(AT_SYSINFO_EHDR,(unsigned long)current->mm->context.vdso);\
66114 ++ NEW_AUX_ENT(AT_SYSINFO_EHDR, current->mm->context.vdso);\
66115 + } while (0)
66116 +
66117 + #endif /* !CONFIG_X86_32 */
66118 +diff -urNp linux-2.6.24.5/include/asm-x86/futex_32.h linux-2.6.24.5/include/asm-x86/futex_32.h
66119 +--- linux-2.6.24.5/include/asm-x86/futex_32.h 2008-03-24 14:49:18.000000000 -0400
66120 ++++ linux-2.6.24.5/include/asm-x86/futex_32.h 2008-03-26 20:21:09.000000000 -0400
66121 +@@ -11,8 +11,11 @@
66122 +
66123 + #define __futex_atomic_op1(insn, ret, oldval, uaddr, oparg) \
66124 + __asm__ __volatile ( \
66125 ++ "movw %w6, %%ds\n"\
66126 + "1: " insn "\n" \
66127 +-"2: .section .fixup,\"ax\"\n\
66128 ++"2: pushl %%ss\n\
66129 ++ popl %%ds\n\
66130 ++ .section .fixup,\"ax\"\n\
66131 + 3: mov %3, %1\n\
66132 + jmp 2b\n\
66133 + .previous\n\
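Review bot: the `"r" (__USER_DS)` input is referenced positionally (%w6 here, %w7 in __futex_atomic_op2 below) and the two macros load different segment registers (ds here, es in op2); with that many operands this is fragile, so prefer a named operand (`[seg] "r" (__USER_DS)` and `%[seg]`) and add a comment explaining why these user accesses must go through __USER_DS with an explicit segment override. Worth stating too that the restore at label 2 (`pushl %%ss; popl %%ds`) is also the target of the fixup's `jmp 2b`, so the fault path restores %ds as well; that is the only thing keeping a faulting futex op from leaving the kernel with a user %ds.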
66134 +@@ -21,16 +24,19 @@
66135 + .long 1b,3b\n\
66136 + .previous" \
66137 + : "=r" (oldval), "=r" (ret), "+m" (*uaddr) \
66138 +- : "i" (-EFAULT), "0" (oparg), "1" (0))
66139 ++ : "i" (-EFAULT), "0" (oparg), "1" (0), "r" (__USER_DS))
66140 +
66141 + #define __futex_atomic_op2(insn, ret, oldval, uaddr, oparg) \
66142 + __asm__ __volatile ( \
66143 +-"1: movl %2, %0\n\
66144 ++" movw %w7, %%es\n\
66145 ++1: movl %%es:%2, %0\n\
66146 + movl %0, %3\n" \
66147 + insn "\n" \
66148 +-"2: lock ; cmpxchgl %3, %2\n\
66149 ++"2: lock ; cmpxchgl %3, %%es:%2\n\
66150 + jnz 1b\n\
66151 +-3: .section .fixup,\"ax\"\n\
66152 ++3: pushl %%ss\n\
66153 ++ popl %%es\n\
66154 ++ .section .fixup,\"ax\"\n\
66155 + 4: mov %5, %1\n\
66156 + jmp 3b\n\
66157 + .previous\n\
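Review bot: the operand number in `movw %w7, %%es` is fragile: it counts the four outputs plus `"r" (oparg)`, `"i" (-EFAULT)` and `"1" (0)` to land on `__USER_DS` at %7 (and on %6 in __futex_atomic_op1), so inserting an operand later would load the wrong register into %es with no compile error. A comment naming which operand carries the selector, or a symbolic operand name, would make this safer to maintain.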
66158 +@@ -40,10 +46,10 @@
66159 + .previous" \
66160 + : "=&a" (oldval), "=&r" (ret), "+m" (*uaddr), \
66161 + "=&r" (tem) \
66162 +- : "r" (oparg), "i" (-EFAULT), "1" (0))
66163 ++ : "r" (oparg), "i" (-EFAULT), "1" (0), "r" (__USER_DS))
66164 +
66165 + static inline int
66166 +-futex_atomic_op_inuser (int encoded_op, int __user *uaddr)
66167 ++futex_atomic_op_inuser (int encoded_op, u32 __user *uaddr)
66168 + {
66169 + int op = (encoded_op >> 28) & 7;
66170 + int cmp = (encoded_op >> 24) & 15;
66171 +@@ -59,7 +65,7 @@ futex_atomic_op_inuser (int encoded_op,
66172 + pagefault_disable();
66173 +
66174 + if (op == FUTEX_OP_SET)
66175 +- __futex_atomic_op1("xchgl %0, %2", ret, oldval, uaddr, oparg);
66176 ++ __futex_atomic_op1("xchgl %0, %%ds:%2", ret, oldval, uaddr, oparg);
66177 + else {
66178 + #ifndef CONFIG_X86_BSWAP
66179 + if (boot_cpu_data.x86 == 3)
66180 +@@ -68,7 +74,7 @@ futex_atomic_op_inuser (int encoded_op,
66181 + #endif
66182 + switch (op) {
66183 + case FUTEX_OP_ADD:
66184 +- __futex_atomic_op1("lock ; xaddl %0, %2", ret,
66185 ++ __futex_atomic_op1("lock ; xaddl %0, %%ds:%2", ret,
66186 + oldval, uaddr, oparg);
66187 + break;
66188 + case FUTEX_OP_OR:
66189 +@@ -105,15 +111,17 @@ futex_atomic_op_inuser (int encoded_op,
66190 + }
66191 +
66192 + static inline int
66193 +-futex_atomic_cmpxchg_inatomic(int __user *uaddr, int oldval, int newval)
66194 ++futex_atomic_cmpxchg_inatomic(u32 __user *uaddr, int oldval, int newval)
66195 + {
66196 + if (!access_ok(VERIFY_WRITE, uaddr, sizeof(int)))
66197 + return -EFAULT;
66198 +
66199 + __asm__ __volatile__(
66200 +- "1: lock ; cmpxchgl %3, %1 \n"
66201 +-
66202 +- "2: .section .fixup, \"ax\" \n"
66203 ++ " movw %w5, %%ds \n"
66204 ++ "1: lock ; cmpxchgl %3, %%ds:%1 \n"
66205 ++ "2: pushl %%ss \n"
66206 ++ " popl %%ds \n"
66207 ++ " .section .fixup, \"ax\" \n"
66208 + "3: mov %2, %0 \n"
66209 + " jmp 2b \n"
66210 + " .previous \n"
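Review bot: `access_ok(VERIFY_WRITE, uaddr, sizeof(int))` is kept while the parameter becomes `u32 __user *uaddr`; the sizes agree on x86, but `sizeof(*uaddr)` ties the check to the pointer type, and the same applies to the futex_64.h hunk at @@ -95 below. The segment handling itself is consistent with the macros above: the fault path at 3 jumps to 2b, so %ds is restored from %ss on both the normal and the faulting exit.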
66211 +@@ -124,7 +132,7 @@ futex_atomic_cmpxchg_inatomic(int __user
66212 + " .previous \n"
66213 +
66214 + : "=a" (oldval), "+m" (*uaddr)
66215 +- : "i" (-EFAULT), "r" (newval), "0" (oldval)
66216 ++ : "i" (-EFAULT), "r" (newval), "0" (oldval), "r" (__USER_DS)
66217 + : "memory"
66218 + );
66219 +
66220 +diff -urNp linux-2.6.24.5/include/asm-x86/futex_64.h linux-2.6.24.5/include/asm-x86/futex_64.h
66221 +--- linux-2.6.24.5/include/asm-x86/futex_64.h 2008-03-24 14:49:18.000000000 -0400
66222 ++++ linux-2.6.24.5/include/asm-x86/futex_64.h 2008-03-26 20:21:09.000000000 -0400
66223 +@@ -42,7 +42,7 @@
66224 + : "r" (oparg), "i" (-EFAULT), "m" (*uaddr), "1" (0))
66225 +
66226 + static inline int
66227 +-futex_atomic_op_inuser (int encoded_op, int __user *uaddr)
66228 ++futex_atomic_op_inuser (int encoded_op, u32 __user *uaddr)
66229 + {
66230 + int op = (encoded_op >> 28) & 7;
66231 + int cmp = (encoded_op >> 24) & 15;
66232 +@@ -95,7 +95,7 @@ futex_atomic_op_inuser (int encoded_op,
66233 + }
66234 +
66235 + static inline int
66236 +-futex_atomic_cmpxchg_inatomic(int __user *uaddr, int oldval, int newval)
66237 ++futex_atomic_cmpxchg_inatomic(u32 __user *uaddr, int oldval, int newval)
66238 + {
66239 + if (!access_ok(VERIFY_WRITE, uaddr, sizeof(int)))
66240 + return -EFAULT;
66241 +diff -urNp linux-2.6.24.5/include/asm-x86/i387_32.h linux-2.6.24.5/include/asm-x86/i387_32.h
66242 +--- linux-2.6.24.5/include/asm-x86/i387_32.h 2008-03-24 14:49:18.000000000 -0400
66243 ++++ linux-2.6.24.5/include/asm-x86/i387_32.h 2008-03-26 20:21:09.000000000 -0400
66244 +@@ -40,13 +40,8 @@ extern void kernel_fpu_begin(void);
66245 + #define kernel_fpu_end() do { stts(); preempt_enable(); } while(0)
66246 +
66247 + /* We need a safe address that is cheap to find and that is already
66248 +- in L1 during context switch. The best choices are unfortunately
66249 +- different for UP and SMP */
66250 +-#ifdef CONFIG_SMP
66251 +-#define safe_address (__per_cpu_offset[0])
66252 +-#else
66253 +-#define safe_address (kstat_cpu(0).cpustat.user)
66254 +-#endif
66255 ++ in L1 during context switch. */
66256 ++#define safe_address (init_tss[smp_processor_id()].x86_tss.esp0)
66257 +
66258 + /*
66259 + * These must be called with preempt disabled
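Review bot: the new `safe_address` of `init_tss[smp_processor_id()].x86_tss.esp0` depends on the processor_32.h hunk further down, which turns `init_tss` from a per-CPU variable into a plain `init_tss[NR_CPUS]` array; the comment below says these helpers run with preempt disabled, so the raw `smp_processor_id()` is acceptable, but this header must see a declaration of `init_tss` and of `smp_processor_id()`. The removed UP/SMP comment should be replaced by one sentence on why the TSS esp0 slot is guaranteed hot in L1 at context switch.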
66260 +diff -urNp linux-2.6.24.5/include/asm-x86/io_64.h linux-2.6.24.5/include/asm-x86/io_64.h
66261 +--- linux-2.6.24.5/include/asm-x86/io_64.h 2008-03-24 14:49:18.000000000 -0400
66262 ++++ linux-2.6.24.5/include/asm-x86/io_64.h 2008-03-26 20:21:09.000000000 -0400
66263 +@@ -120,6 +120,17 @@ static inline void * phys_to_virt(unsign
66264 + }
66265 + #endif
66266 +
66267 ++#define ARCH_HAS_VALID_PHYS_ADDR_RANGE
66268 ++static inline int valid_phys_addr_range (unsigned long addr, size_t count)
66269 ++{
66270 ++ return ((addr + count + PAGE_SIZE - 1) >> PAGE_SHIFT) < (1 << (boot_cpu_data.x86_phys_bits - PAGE_SHIFT)) ? 1 : 0;
66271 ++}
66272 ++
66273 ++static inline int valid_mmap_phys_addr_range (unsigned long pfn, size_t count)
66274 ++{
66275 ++ return (pfn + (count >> PAGE_SHIFT)) < (1 << (boot_cpu_data.x86_phys_bits - PAGE_SHIFT)) ? 1 : 0;
66276 ++}
66277 ++
66278 + /*
66279 + * Change "struct page" to physical address.
66280 + */
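Review bot: `1 << (boot_cpu_data.x86_phys_bits - PAGE_SHIFT)` is an `int` shift and overflows once `x86_phys_bits - PAGE_SHIFT` reaches 31; compute the limit as `1UL << ...`. In `valid_phys_addr_range` the sum `addr + count + PAGE_SIZE - 1` can wrap for a large `count`, which would let an out-of-range request pass, so check `count` against the limit separately or use a wrap-safe comparison. `valid_mmap_phys_addr_range` truncates a partial page with `count >> PAGE_SHIFT`, which is fine only because mmap lengths are page-aligned; a comment would save the next reader the question.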
66281 +diff -urNp linux-2.6.24.5/include/asm-x86/irqflags_32.h linux-2.6.24.5/include/asm-x86/irqflags_32.h
66282 +--- linux-2.6.24.5/include/asm-x86/irqflags_32.h 2008-03-24 14:49:18.000000000 -0400
66283 ++++ linux-2.6.24.5/include/asm-x86/irqflags_32.h 2008-03-26 20:21:09.000000000 -0400
66284 +@@ -108,6 +108,8 @@ static inline unsigned long __raw_local_
66285 + #define ENABLE_INTERRUPTS_SYSEXIT sti; sysexit
66286 + #define INTERRUPT_RETURN iret
66287 + #define GET_CR0_INTO_EAX movl %cr0, %eax
66288 ++#define GET_CR0_INTO_EDX movl %cr0, %edx
66289 ++#define SET_CR0_FROM_EDX movl %edx, %cr0
66290 + #endif /* __ASSEMBLY__ */
66291 + #endif /* CONFIG_PARAVIRT */
66292 +
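Review bot: GET_CR0_INTO_EDX and SET_CR0_FROM_EDX are added only inside the `#ifndef CONFIG_PARAVIRT` block; the paravirt.h hunk later in this patch (@@ -1124,23 +1124,23 @@, a same-size hunk) touches GET_CR0_INTO_EAX but adds no EDX counterparts, so any assembly using the new macros will not build with CONFIG_PARAVIRT unless they are defined there as well, or the macros are documented as non-paravirt only.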
66293 +diff -urNp linux-2.6.24.5/include/asm-x86/kmap_types.h linux-2.6.24.5/include/asm-x86/kmap_types.h
66294 +--- linux-2.6.24.5/include/asm-x86/kmap_types.h 2008-03-24 14:49:18.000000000 -0400
66295 ++++ linux-2.6.24.5/include/asm-x86/kmap_types.h 2008-03-26 20:21:09.000000000 -0400
66296 +@@ -21,7 +21,8 @@ D(9) KM_IRQ0,
66297 + D(10) KM_IRQ1,
66298 + D(11) KM_SOFTIRQ0,
66299 + D(12) KM_SOFTIRQ1,
66300 +-D(13) KM_TYPE_NR
66301 ++D(13) KM_CLEARPAGE,
66302 ++D(14) KM_TYPE_NR
66303 + };
66304 +
66305 + #undef D
66306 +diff -urNp linux-2.6.24.5/include/asm-x86/mach-default/apm.h linux-2.6.24.5/include/asm-x86/mach-default/apm.h
66307 +--- linux-2.6.24.5/include/asm-x86/mach-default/apm.h 2008-03-24 14:49:18.000000000 -0400
66308 ++++ linux-2.6.24.5/include/asm-x86/mach-default/apm.h 2008-03-26 20:21:09.000000000 -0400
66309 +@@ -36,7 +36,7 @@ static inline void apm_bios_call_asm(u32
66310 + __asm__ __volatile__(APM_DO_ZERO_SEGS
66311 + "pushl %%edi\n\t"
66312 + "pushl %%ebp\n\t"
66313 +- "lcall *%%cs:apm_bios_entry\n\t"
66314 ++ "lcall *%%ss:apm_bios_entry\n\t"
66315 + "setc %%al\n\t"
66316 + "popl %%ebp\n\t"
66317 + "popl %%edi\n\t"
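Review bot: the `lcall *%%cs:apm_bios_entry` to `*%%ss:` change here (and in the apm_bios_call_simple_asm hunk below) reads the far pointer through a data segment, which is needed once KERNEXEC stops the kernel code segment from covering data; it assumes %ss is the flat kernel segment at every call site. Why %ss rather than %ds is chosen (the futex_32.h hunks above show %ds being loaded with __USER_DS under UDEREF) is not obvious from the code and deserves a one-line comment.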
66318 +@@ -60,7 +60,7 @@ static inline u8 apm_bios_call_simple_as
66319 + __asm__ __volatile__(APM_DO_ZERO_SEGS
66320 + "pushl %%edi\n\t"
66321 + "pushl %%ebp\n\t"
66322 +- "lcall *%%cs:apm_bios_entry\n\t"
66323 ++ "lcall *%%ss:apm_bios_entry\n\t"
66324 + "setc %%bl\n\t"
66325 + "popl %%ebp\n\t"
66326 + "popl %%edi\n\t"
66327 +diff -urNp linux-2.6.24.5/include/asm-x86/mman.h linux-2.6.24.5/include/asm-x86/mman.h
66328 +--- linux-2.6.24.5/include/asm-x86/mman.h 2008-03-24 14:49:18.000000000 -0400
66329 ++++ linux-2.6.24.5/include/asm-x86/mman.h 2008-03-26 20:21:09.000000000 -0400
66330 +@@ -16,4 +16,14 @@
66331 + #define MCL_CURRENT 1 /* lock all current mappings */
66332 + #define MCL_FUTURE 2 /* lock all future mappings */
66333 +
66334 ++#ifdef __KERNEL__
66335 ++#ifndef __ASSEMBLY__
66336 ++#ifdef CONFIG_X86_32
66337 ++#define arch_mmap_check i386_mmap_check
66338 ++int i386_mmap_check(unsigned long addr, unsigned long len,
66339 ++ unsigned long flags);
66340 ++#endif
66341 ++#endif
66342 ++#endif
66343 ++
66344 + #endif /* _ASM_X86_MMAN_H */
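Review bot: `arch_mmap_check` is wired to `i386_mmap_check` for CONFIG_X86_32 only and the function is merely prototyped here; its definition and the reason 64-bit gets no mmap check are not in this section, so both should be stated in the changelog, and the `(addr, len, flags)` signature must match what the generic mmap path calls the hook with.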
66345 +diff -urNp linux-2.6.24.5/include/asm-x86/mmu_context_32.h linux-2.6.24.5/include/asm-x86/mmu_context_32.h
66346 +--- linux-2.6.24.5/include/asm-x86/mmu_context_32.h 2008-03-24 14:49:18.000000000 -0400
66347 ++++ linux-2.6.24.5/include/asm-x86/mmu_context_32.h 2008-03-26 20:21:09.000000000 -0400
66348 +@@ -57,6 +57,22 @@ static inline void switch_mm(struct mm_s
66349 + */
66350 + if (unlikely(prev->context.ldt != next->context.ldt))
66351 + load_LDT_nolock(&next->context);
66352 ++
66353 ++#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP)
66354 ++ if (!nx_enabled) {
66355 ++ smp_mb__before_clear_bit();
66356 ++ cpu_clear(cpu, prev->context.cpu_user_cs_mask);
66357 ++ smp_mb__after_clear_bit();
66358 ++ cpu_set(cpu, next->context.cpu_user_cs_mask);
66359 ++ }
66360 ++#endif
66361 ++
66362 ++#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
66363 ++ if (unlikely(prev->context.user_cs_base != next->context.user_cs_base ||
66364 ++ prev->context.user_cs_limit != next->context.user_cs_limit))
66365 ++ set_user_cs(next->context.user_cs_base, next->context.user_cs_limit, cpu);
66366 ++#endif
66367 ++
66368 + }
66369 + #ifdef CONFIG_SMP
66370 + else {
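Review bot: the two new blocks use different conditions: the `cpu_user_cs_mask` update runs only when `!nx_enabled`, while `set_user_cs()` runs whenever base or limit changed with no nx_enabled or pax_flags check, whereas the second hunk in this file guards the same call with `!((next->pax_flags & MF_PAX_PAGEEXEC) && nx_enabled)`. If the first site is deliberately unconditional (base and limit presumably never differ when NX does the job), say so in a comment; otherwise mirror the second site. The `smp_mb__before_clear_bit()`/`smp_mb__after_clear_bit()` pair brackets only the clear, not the following `cpu_set`, which should also be stated as intended.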
66371 +@@ -69,6 +85,19 @@ static inline void switch_mm(struct mm_s
66372 + */
66373 + load_cr3(next->pgd);
66374 + load_LDT_nolock(&next->context);
66375 ++
66376 ++#ifdef CONFIG_PAX_PAGEEXEC
66377 ++ if (!nx_enabled)
66378 ++ cpu_set(cpu, next->context.cpu_user_cs_mask);
66379 ++#endif
66380 ++
66381 ++#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
66382 ++#ifdef CONFIG_PAX_PAGEEXEC
66383 ++ if (!((next->pax_flags & MF_PAX_PAGEEXEC) && nx_enabled))
66384 ++#endif
66385 ++ set_user_cs(next->context.user_cs_base, next->context.user_cs_limit, cpu);
66386 ++#endif
66387 ++
66388 + }
66389 + }
66390 + #endif
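Review bot: the `#ifdef CONFIG_PAX_PAGEEXEC` that wraps only the `if (...)` line and leaves `set_user_cs(...)` outside it produces a dangling `if` whose meaning flips with the config; it compiles, but a reader cannot see both shapes at a glance, and a statement inserted between the `#endif` and the call would silently change behaviour. Two explicit branches, or a small helper that returns true when PAGEEXEC is off, would be clearer.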
66391 +diff -urNp linux-2.6.24.5/include/asm-x86/mmu.h linux-2.6.24.5/include/asm-x86/mmu.h
66392 +--- linux-2.6.24.5/include/asm-x86/mmu.h 2008-03-24 14:49:18.000000000 -0400
66393 ++++ linux-2.6.24.5/include/asm-x86/mmu.h 2008-03-26 20:21:09.000000000 -0400
66394 +@@ -11,13 +11,26 @@
66395 + * cpu_vm_mask is used to optimize ldt flushing.
66396 + */
66397 + typedef struct {
66398 +- void *ldt;
66399 ++ struct desc_struct *ldt;
66400 + #ifdef CONFIG_X86_64
66401 + rwlock_t ldtlock;
66402 + #endif
66403 + int size;
66404 + struct mutex lock;
66405 +- void *vdso;
66406 ++ unsigned long vdso;
66407 ++
66408 ++#ifdef CONFIG_X86_32
66409 ++#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
66410 ++ unsigned long user_cs_base;
66411 ++ unsigned long user_cs_limit;
66412 ++
66413 ++#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP)
66414 ++ cpumask_t cpu_user_cs_mask;
66415 ++#endif
66416 ++
66417 ++#endif
66418 ++#endif
66419 ++
66420 + } mm_context_t;
66421 +
66422 + #endif /* _ASM_X86_MMU_H */
66423 +diff -urNp linux-2.6.24.5/include/asm-x86/module_32.h linux-2.6.24.5/include/asm-x86/module_32.h
66424 +--- linux-2.6.24.5/include/asm-x86/module_32.h 2008-03-24 14:49:18.000000000 -0400
66425 ++++ linux-2.6.24.5/include/asm-x86/module_32.h 2008-03-26 20:21:09.000000000 -0400
66426 +@@ -70,6 +70,12 @@ struct mod_arch_specific
66427 + #define MODULE_STACKSIZE ""
66428 + #endif
66429 +
66430 +-#define MODULE_ARCH_VERMAGIC MODULE_PROC_FAMILY MODULE_STACKSIZE
66431 ++#ifdef CONFIG_GRKERNSEC
66432 ++#define MODULE_GRSEC "GRSECURITY "
66433 ++#else
66434 ++#define MODULE_GRSEC ""
66435 ++#endif
66436 ++
66437 ++#define MODULE_ARCH_VERMAGIC MODULE_PROC_FAMILY MODULE_STACKSIZE MODULE_GRSEC
66438 +
66439 + #endif /* _ASM_I386_MODULE_H */
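Review bot: appending `MODULE_GRSEC` to MODULE_ARCH_VERMAGIC makes vermagic differ between grsec and non-grsec builds, which is the intended refusal of modules built against the other kernel; `"GRSECURITY "` carries its own trailing space like the neighbouring tokens, so the string stays well-formed. Only module_32.h is touched here; the 64-bit vermagic needs the same addition in the same change or the check will differ between arches.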
66440 +diff -urNp linux-2.6.24.5/include/asm-x86/page_32.h linux-2.6.24.5/include/asm-x86/page_32.h
66441 +--- linux-2.6.24.5/include/asm-x86/page_32.h 2008-03-24 14:49:18.000000000 -0400
66442 ++++ linux-2.6.24.5/include/asm-x86/page_32.h 2008-03-26 20:21:09.000000000 -0400
66443 +@@ -90,7 +90,6 @@ static inline pte_t native_make_pte(unsi
66444 + typedef struct { unsigned long pte_low; } pte_t;
66445 + typedef struct { unsigned long pgd; } pgd_t;
66446 + typedef struct { unsigned long pgprot; } pgprot_t;
66447 +-#define boot_pte_t pte_t /* or would you rather have a typedef */
66448 +
66449 + static inline unsigned long native_pgd_val(pgd_t pgd)
66450 + {
66451 +@@ -175,6 +174,18 @@ extern int page_is_ram(unsigned long pag
66452 + #define __PAGE_OFFSET ((unsigned long)CONFIG_PAGE_OFFSET)
66453 + #endif
66454 +
66455 ++#ifdef CONFIG_PAX_KERNEXEC
66456 ++#ifndef __ASSEMBLY__
66457 ++extern unsigned char MODULES_VADDR[];
66458 ++extern unsigned char MODULES_END[];
66459 ++extern unsigned char KERNEL_TEXT_OFFSET[];
66460 ++#define ktla_ktva(addr) (addr + (unsigned long)KERNEL_TEXT_OFFSET)
66461 ++#define ktva_ktla(addr) (addr - (unsigned long)KERNEL_TEXT_OFFSET)
66462 ++#endif
66463 ++#else
66464 ++#define ktla_ktva(addr) (addr)
66465 ++#define ktva_ktla(addr) (addr)
66466 ++#endif
66467 +
66468 + #define PAGE_OFFSET ((unsigned long)__PAGE_OFFSET)
66469 + #define VMALLOC_RESERVE ((unsigned long)__VMALLOC_RESERVE)
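Review bot: `ktla_ktva(addr)` and `ktva_ktla(addr)` use `addr` unparenthesised, so an argument such as `a ? b : c` or a cast expression changes meaning; write `((unsigned long)(addr) + ...)`. The two branches also differ in scope: with CONFIG_PAX_KERNEXEC the macros exist only under `#ifndef __ASSEMBLY__`, without it they are visible to assembly as well, so an `.S` file using them builds in one configuration and not the other.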
66470 +@@ -197,6 +208,10 @@ extern int page_is_ram(unsigned long pag
66471 + ((current->personality & READ_IMPLIES_EXEC) ? VM_EXEC : 0 ) | \
66472 + VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
66473 +
66474 ++#ifdef CONFIG_PAX_PAGEEXEC
66475 ++#define CONFIG_ARCH_TRACK_EXEC_LIMIT 1
66476 ++#endif
66477 ++
66478 + #include <asm-generic/memory_model.h>
66479 + #include <asm-generic/page.h>
66480 +
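Review bot: `#define CONFIG_ARCH_TRACK_EXEC_LIMIT 1` defines a CONFIG_ symbol from a header rather than from Kconfig; it works, but CONFIG_* names are expected to come from the generated autoconf.h, and both tooling and readers will look for it there. A plain `ARCH_TRACK_EXEC_LIMIT`, or a Kconfig `select`, would be the conventional form.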
66481 +diff -urNp linux-2.6.24.5/include/asm-x86/page_64.h linux-2.6.24.5/include/asm-x86/page_64.h
66482 +--- linux-2.6.24.5/include/asm-x86/page_64.h 2008-03-24 14:49:18.000000000 -0400
66483 ++++ linux-2.6.24.5/include/asm-x86/page_64.h 2008-03-26 20:21:09.000000000 -0400
66484 +@@ -94,6 +94,9 @@ extern unsigned long phys_base;
66485 + #define __START_KERNEL_map _AC(0xffffffff80000000, UL)
66486 + #define __PAGE_OFFSET _AC(0xffff810000000000, UL)
66487 +
66488 ++#define ktla_ktva(addr) (addr)
66489 ++#define ktva_ktla(addr) (addr)
66490 ++
66491 + /* to align the pointer to the (next) page boundary */
66492 + #define PAGE_ALIGN(addr) (((addr)+PAGE_SIZE-1)&PAGE_MASK)
66493 +
66494 +diff -urNp linux-2.6.24.5/include/asm-x86/paravirt.h linux-2.6.24.5/include/asm-x86/paravirt.h
66495 +--- linux-2.6.24.5/include/asm-x86/paravirt.h 2008-03-24 14:49:18.000000000 -0400
66496 ++++ linux-2.6.24.5/include/asm-x86/paravirt.h 2008-03-26 20:21:09.000000000 -0400
66497 +@@ -1124,23 +1124,23 @@ static inline unsigned long __raw_local_
66498 +
66499 + #define INTERRUPT_RETURN \
66500 + PARA_SITE(PARA_PATCH(pv_cpu_ops, PV_CPU_iret), CLBR_NONE, \
66501 +- jmp *%cs:pv_cpu_ops+PV_CPU_iret)
66502 ++ jmp *%ss:pv_cpu_ops+PV_CPU_iret)
66503 +
66504 + #define DISABLE_INTERRUPTS(clobbers) \
66505 + PARA_SITE(PARA_PATCH(pv_irq_ops, PV_IRQ_irq_disable), clobbers, \
66506 + pushl %eax; pushl %ecx; pushl %edx; \
66507 +- call *%cs:pv_irq_ops+PV_IRQ_irq_disable; \
66508 ++ call *%ss:pv_irq_ops+PV_IRQ_irq_disable; \
66509 + popl %edx; popl %ecx; popl %eax) \
66510 +
66511 + #define ENABLE_INTERRUPTS(clobbers) \
66512 + PARA_SITE(PARA_PATCH(pv_irq_ops, PV_IRQ_irq_enable), clobbers, \
66513 + pushl %eax; pushl %ecx; pushl %edx; \
66514 +- call *%cs:pv_irq_ops+PV_IRQ_irq_enable; \
66515 ++ call *%ss:pv_irq_ops+PV_IRQ_irq_enable; \
66516 + popl %edx; popl %ecx; popl %eax)
66517 +
66518 + #define ENABLE_INTERRUPTS_SYSEXIT \
66519 + PARA_SITE(PARA_PATCH(pv_cpu_ops, PV_CPU_irq_enable_sysexit), CLBR_NONE,\
66520 +- jmp *%cs:pv_cpu_ops+PV_CPU_irq_enable_sysexit)
66521 ++ jmp *%ss:pv_cpu_ops+PV_CPU_irq_enable_sysexit)
66522 +
66523 + #define GET_CR0_INTO_EAX \
66524 + push %ecx; push %edx; \
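Review bot: the four `%cs:` to `%ss:` overrides on the indirect `jmp`/`call` through `pv_cpu_ops` and `pv_irq_ops` are the paravirt counterpart of the apm.h change and assume %ss is the flat kernel segment at every site where these macros expand, entry code included; a comment at the top of the block would make that assumption explicit. This same-size hunk adds no GET_CR0_INTO_EDX/SET_CR0_FROM_EDX equivalents for the macros introduced in irqflags_32.h, so the CONFIG_PARAVIRT build needs checking.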
66525 +diff -urNp linux-2.6.24.5/include/asm-x86/pda.h linux-2.6.24.5/include/asm-x86/pda.h
66526 +--- linux-2.6.24.5/include/asm-x86/pda.h 2008-03-24 14:49:18.000000000 -0400
66527 ++++ linux-2.6.24.5/include/asm-x86/pda.h 2008-03-26 20:21:09.000000000 -0400
66528 +@@ -16,11 +16,9 @@ struct x8664_pda {
66529 + unsigned long oldrsp; /* 24 user rsp for system call */
66530 + int irqcount; /* 32 Irq nesting counter. Starts with -1 */
66531 + int cpunumber; /* 36 Logical CPU number */
66532 +-#ifdef CONFIG_CC_STACKPROTECTOR
66533 + unsigned long stack_canary; /* 40 stack canary value */
66534 + /* gcc-ABI: this canary MUST be at
66535 + offset 40!!! */
66536 +-#endif
66537 + char *irqstackptr;
66538 + int nodenumber; /* number of current node */
66539 + unsigned int __softirq_pending;
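Review bot: dropping the `#ifdef CONFIG_CC_STACKPROTECTOR` around `stack_canary` makes the pda layout identical in both configurations, which is the safer choice given the "MUST be at offset 40" comment; the field comments carry hard-coded offsets (24, 32, 36, 40), so any assembly or asm-offsets consumer that assumed `irqstackptr` directly followed `cpunumber` when the stack protector was off must be rechecked.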
66540 +diff -urNp linux-2.6.24.5/include/asm-x86/percpu_32.h linux-2.6.24.5/include/asm-x86/percpu_32.h
66541 +--- linux-2.6.24.5/include/asm-x86/percpu_32.h 2008-03-24 14:49:18.000000000 -0400
66542 ++++ linux-2.6.24.5/include/asm-x86/percpu_32.h 2008-03-26 20:21:16.000000000 -0400
66543 +@@ -42,12 +42,12 @@
66544 + */
66545 + #ifdef CONFIG_SMP
66546 + /* Same as generic implementation except for optimized local access. */
66547 +-#define __GENERIC_PER_CPU
66548 +
66549 + /* This is used for other cpus to find our section. */
66550 + extern unsigned long __per_cpu_offset[];
66551 ++extern void setup_per_cpu_areas(void);
66552 +
66553 +-#define per_cpu_offset(x) (__per_cpu_offset[x])
66554 ++#define per_cpu_offset(x) (__per_cpu_offset[x] - (unsigned long)__per_cpu_start)
66555 +
66556 + /* Separate out the type, so (int[3], foo) works. */
66557 + #define DECLARE_PER_CPU(type, name) extern __typeof__(type) per_cpu__##name
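Review bot: `per_cpu_offset(x)` now subtracts `(unsigned long)__per_cpu_start`, but no declaration of `__per_cpu_start` is added in this hunk; it has to be visible wherever the macro expands. Removing `__GENERIC_PER_CPU` opts out of the generic `setup_per_cpu_areas()`, which matches the new `extern void setup_per_cpu_areas(void);`, but the arch definition is not in this section and the changelog should say why the generic one is no longer usable.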
66558 +@@ -64,11 +64,11 @@ DECLARE_PER_CPU(unsigned long, this_cpu_
66559 +
66560 + /* var is in discarded region: offset to particular copy we want */
66561 + #define per_cpu(var, cpu) (*({ \
66562 +- extern int simple_indentifier_##var(void); \
66563 ++ extern int simple_identifier_##var(void); \
66564 + RELOC_HIDE(&per_cpu__##var, __per_cpu_offset[cpu]); }))
66565 +
66566 + #define __raw_get_cpu_var(var) (*({ \
66567 +- extern int simple_indentifier_##var(void); \
66568 ++ extern int simple_identifier_##var(void); \
66569 + RELOC_HIDE(&per_cpu__##var, x86_read_percpu(this_cpu_off)); \
66570 + }))
66571 +
66572 +@@ -79,7 +79,7 @@ DECLARE_PER_CPU(unsigned long, this_cpu_
66573 + do { \
66574 + unsigned int __i; \
66575 + for_each_possible_cpu(__i) \
66576 +- memcpy((pcpudst)+__per_cpu_offset[__i], \
66577 ++ memcpy((pcpudst)+per_cpu_offset(__i), \
66578 + (src), (size)); \
66579 + } while (0)
66580 +
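Review bot: this copy loop now adds `per_cpu_offset(__i)` (raw offset minus `__per_cpu_start`) while `per_cpu()` and `__raw_get_cpu_var()` in the hunk above still add the raw `__per_cpu_offset[cpu]`; that is only consistent if `pcpudst` is an absolute address and `&per_cpu__##var` is section-relative. Document that convention next to the macros, since mixing the two forms gives a wrong pointer without any warning.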
66581 +diff -urNp linux-2.6.24.5/include/asm-x86/pgalloc_32.h linux-2.6.24.5/include/asm-x86/pgalloc_32.h
66582 +--- linux-2.6.24.5/include/asm-x86/pgalloc_32.h 2008-03-24 14:49:18.000000000 -0400
66583 ++++ linux-2.6.24.5/include/asm-x86/pgalloc_32.h 2008-03-26 20:21:09.000000000 -0400
66584 +@@ -15,11 +15,19 @@
66585 + #define paravirt_release_pd(pfn) do { } while (0)
66586 + #endif
66587 +
66588 ++#ifdef CONFIG_COMPAT_VDSO
66589 + #define pmd_populate_kernel(mm, pmd, pte) \
66590 + do { \
66591 + paravirt_alloc_pt(mm, __pa(pte) >> PAGE_SHIFT); \
66592 + set_pmd(pmd, __pmd(_PAGE_TABLE + __pa(pte))); \
66593 + } while (0)
66594 ++#else
66595 ++#define pmd_populate_kernel(mm, pmd, pte) \
66596 ++do { \
66597 ++ paravirt_alloc_pt(mm, __pa(pte) >> PAGE_SHIFT); \
66598 ++ set_pmd(pmd, __pmd(_KERNPG_TABLE + __pa(pte))); \
66599 ++} while (0)
66600 ++#endif
66601 +
66602 + #define pmd_populate(mm, pmd, pte) \
66603 + do { \
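Review bot: the two `pmd_populate_kernel` bodies differ only in `_PAGE_TABLE` versus `_KERNPG_TABLE`; select the flag under the `#ifdef` and keep a single macro body. That also makes the security intent visible: kernel page tables lose `_PAGE_USER` except when CONFIG_COMPAT_VDSO needs the fixmap-mapped vDSO reachable from userspace, which is presumably the reason for the exception and should be said in a comment.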
66604 +diff -urNp linux-2.6.24.5/include/asm-x86/pgalloc_64.h linux-2.6.24.5/include/asm-x86/pgalloc_64.h
66605 +--- linux-2.6.24.5/include/asm-x86/pgalloc_64.h 2008-03-24 14:49:18.000000000 -0400
66606 ++++ linux-2.6.24.5/include/asm-x86/pgalloc_64.h 2008-03-26 20:21:09.000000000 -0400
66607 +@@ -6,7 +6,7 @@
66608 + #include <linux/mm.h>
66609 +
66610 + #define pmd_populate_kernel(mm, pmd, pte) \
66611 +- set_pmd(pmd, __pmd(_PAGE_TABLE | __pa(pte)))
66612 ++ set_pmd(pmd, __pmd(_KERNPG_TABLE | __pa(pte)))
66613 + #define pud_populate(mm, pud, pmd) \
66614 + set_pud(pud, __pud(_PAGE_TABLE | __pa(pmd)))
66615 + #define pgd_populate(mm, pgd, pud) \
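Review bot: only `pmd_populate_kernel` switches to `_KERNPG_TABLE`; the `pud_populate` and `pgd_populate` lines in the same hunk keep `_PAGE_TABLE`, so the upper levels of kernel mappings still carry `_PAGE_USER`. If that is deliberate (the user-reachable vsyscall page lives in the kernel half), say so in a comment; otherwise the same change belongs on all three.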
66616 +diff -urNp linux-2.6.24.5/include/asm-x86/pgtable-2level.h linux-2.6.24.5/include/asm-x86/pgtable-2level.h
66617 +--- linux-2.6.24.5/include/asm-x86/pgtable-2level.h 2008-03-24 14:49:18.000000000 -0400
66618 ++++ linux-2.6.24.5/include/asm-x86/pgtable-2level.h 2008-03-26 20:21:09.000000000 -0400
66619 +@@ -22,7 +22,19 @@ static inline void native_set_pte_at(str
66620 + }
66621 + static inline void native_set_pmd(pmd_t *pmdp, pmd_t pmd)
66622 + {
66623 ++
66624 ++#ifdef CONFIG_PAX_KERNEXEC
66625 ++ unsigned long cr0;
66626 ++
66627 ++ pax_open_kernel(cr0);
66628 ++#endif
66629 ++
66630 + *pmdp = pmd;
66631 ++
66632 ++#ifdef CONFIG_PAX_KERNEXEC
66633 ++ pax_close_kernel(cr0);
66634 ++#endif
66635 ++
66636 + }
66637 + #ifndef CONFIG_PARAVIRT
66638 + #define set_pte(pteptr, pteval) native_set_pte(pteptr, pteval)
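Review bot: the `pax_open_kernel(cr0)` / `pax_close_kernel(cr0)` bracket around `*pmdp = pmd` (repeated in pgtable-3level.h, pgtable_64.h and clone_pgd_range below) takes its correctness from macros not shown here; because the saved `cr0` is a local, the pair must hold preemption or interrupts off for the window, or a migration between open and close would leave the write-protect state wrong on both CPUs. That requirement belongs in a comment at the macro definition, and the blank lines that now open and close each function body should go.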
66639 +diff -urNp linux-2.6.24.5/include/asm-x86/pgtable_32.h linux-2.6.24.5/include/asm-x86/pgtable_32.h
66640 +--- linux-2.6.24.5/include/asm-x86/pgtable_32.h 2008-03-24 14:49:18.000000000 -0400
66641 ++++ linux-2.6.24.5/include/asm-x86/pgtable_32.h 2008-03-26 20:21:09.000000000 -0400
66642 +@@ -31,7 +31,6 @@ struct vm_area_struct;
66643 + */
66644 + #define ZERO_PAGE(vaddr) (virt_to_page(empty_zero_page))
66645 + extern unsigned long empty_zero_page[1024];
66646 +-extern pgd_t swapper_pg_dir[1024];
66647 + extern struct kmem_cache *pmd_cache;
66648 + extern spinlock_t pgd_lock;
66649 + extern struct page *pgd_list;
66650 +@@ -55,6 +54,11 @@ void paging_init(void);
66651 + # include <asm/pgtable-2level-defs.h>
66652 + #endif
66653 +
66654 ++extern pgd_t swapper_pg_dir[PTRS_PER_PGD];
66655 ++#ifdef CONFIG_X86_PAE
66656 ++extern pmd_t swapper_pm_dir[PTRS_PER_PGD][PTRS_PER_PMD];
66657 ++#endif
66658 ++
66659 + #define PGDIR_SIZE (1UL << PGDIR_SHIFT)
66660 + #define PGDIR_MASK (~(PGDIR_SIZE-1))
66661 +
66662 +@@ -64,9 +68,11 @@ void paging_init(void);
66663 + #define USER_PGD_PTRS (PAGE_OFFSET >> PGDIR_SHIFT)
66664 + #define KERNEL_PGD_PTRS (PTRS_PER_PGD-USER_PGD_PTRS)
66665 +
66666 ++#ifndef CONFIG_X86_PAE
66667 + #define TWOLEVEL_PGDIR_SHIFT 22
66668 + #define BOOT_USER_PGD_PTRS (__PAGE_OFFSET >> TWOLEVEL_PGDIR_SHIFT)
66669 + #define BOOT_KERNEL_PGD_PTRS (1024-BOOT_USER_PGD_PTRS)
66670 ++#endif
66671 +
66672 + /* Just any arbitrary offset to the start of the vmalloc VM area: the
66673 + * current 8MB value just means that there will be a 8MB "hole" after the
66674 +@@ -133,7 +139,7 @@ void paging_init(void);
66675 + #define PAGE_NONE \
66676 + __pgprot(_PAGE_PROTNONE | _PAGE_ACCESSED)
66677 + #define PAGE_SHARED \
66678 +- __pgprot(_PAGE_PRESENT | _PAGE_RW | _PAGE_USER | _PAGE_ACCESSED)
66679 ++ __pgprot(_PAGE_PRESENT | _PAGE_RW | _PAGE_USER | _PAGE_ACCESSED | _PAGE_NX)
66680 +
66681 + #define PAGE_SHARED_EXEC \
66682 + __pgprot(_PAGE_PRESENT | _PAGE_RW | _PAGE_USER | _PAGE_ACCESSED)
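Review bot: adding `_PAGE_NX` to `PAGE_SHARED` in the 32-bit header (while `PAGE_SHARED_EXEC` keeps it clear) is only safe if `_PAGE_NX` expands to 0 on non-PAE builds and is masked through `__supported_pte_mask` on PAE CPUs without NX; neither definition is in this hunk, so confirm both, otherwise a non-NX machine would take a reserved-bit fault. Only PAGE_SHARED is changed here; the remaining 32-bit protections should get the same review.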
66683 +@@ -199,7 +205,7 @@ extern unsigned long long __PAGE_KERNEL,
66684 + #undef TEST_ACCESS_OK
66685 +
66686 + /* The boot page tables (all created as a single array) */
66687 +-extern unsigned long pg0[];
66688 ++extern pte_t pg0[];
66689 +
66690 + #define pte_present(x) ((x).pte_low & (_PAGE_PRESENT | _PAGE_PROTNONE))
66691 +
66692 +@@ -215,30 +221,55 @@ extern unsigned long pg0[];
66693 + * The following only work if pte_present() is true.
66694 + * Undefined behaviour if not..
66695 + */
66696 ++static inline int pte_user(pte_t pte) { return (pte).pte_low & _PAGE_USER; }
66697 + static inline int pte_dirty(pte_t pte) { return (pte).pte_low & _PAGE_DIRTY; }
66698 + static inline int pte_young(pte_t pte) { return (pte).pte_low & _PAGE_ACCESSED; }
66699 + static inline int pte_write(pte_t pte) { return (pte).pte_low & _PAGE_RW; }
66700 + static inline int pte_huge(pte_t pte) { return (pte).pte_low & _PAGE_PSE; }
66701 +
66702 ++#ifdef CONFIG_X86_PAE
66703 ++# include <asm/pgtable-3level.h>
66704 ++#else
66705 ++# include <asm/pgtable-2level.h>
66706 ++#endif
66707 ++
66708 + /*
66709 + * The following only works if pte_present() is not true.
66710 + */
66711 + static inline int pte_file(pte_t pte) { return (pte).pte_low & _PAGE_FILE; }
66712 +
66713 ++static inline pte_t pte_exprotect(pte_t pte)
66714 ++{
66715 ++#ifdef CONFIG_X86_PAE
66716 ++ if (__supported_pte_mask & _PAGE_NX)
66717 ++ set_pte(&pte, __pte(pte_val(pte) | _PAGE_NX));
66718 ++ else
66719 ++#endif
66720 ++ set_pte(&pte, __pte(pte_val(pte) & ~_PAGE_USER));
66721 ++ return pte;
66722 ++}
66723 ++
66724 + static inline pte_t pte_mkclean(pte_t pte) { (pte).pte_low &= ~_PAGE_DIRTY; return pte; }
66725 + static inline pte_t pte_mkold(pte_t pte) { (pte).pte_low &= ~_PAGE_ACCESSED; return pte; }
66726 + static inline pte_t pte_wrprotect(pte_t pte) { (pte).pte_low &= ~_PAGE_RW; return pte; }
66727 ++static inline pte_t pte_mkread(pte_t pte) { (pte).pte_low |= _PAGE_USER; return pte; }
66728 ++
66729 ++static inline pte_t pte_mkexec(pte_t pte)
66730 ++{
66731 ++#ifdef CONFIG_X86_PAE
66732 ++ if (__supported_pte_mask & _PAGE_NX)
66733 ++ set_pte(&pte, __pte(pte_val(pte) & ~_PAGE_NX));
66734 ++ else
66735 ++#endif
66736 ++ set_pte(&pte, __pte(pte_val(pte) | _PAGE_USER));
66737 ++ return pte;
66738 ++}
66739 ++
66740 + static inline pte_t pte_mkdirty(pte_t pte) { (pte).pte_low |= _PAGE_DIRTY; return pte; }
66741 + static inline pte_t pte_mkyoung(pte_t pte) { (pte).pte_low |= _PAGE_ACCESSED; return pte; }
66742 + static inline pte_t pte_mkwrite(pte_t pte) { (pte).pte_low |= _PAGE_RW; return pte; }
66743 + static inline pte_t pte_mkhuge(pte_t pte) { (pte).pte_low |= _PAGE_PSE; return pte; }
66744 +
66745 +-#ifdef CONFIG_X86_PAE
66746 +-# include <asm/pgtable-3level.h>
66747 +-#else
66748 +-# include <asm/pgtable-2level.h>
66749 +-#endif
66750 +-
66751 + #ifndef CONFIG_PARAVIRT
66752 + /*
66753 + * Rules for using pte_update - it must be called after any PTE update which
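Review bot: `pte_exprotect()` and `pte_mkexec()` modify a stack-local `pte_t` through `set_pte(&pte, ...)`, which under CONFIG_PARAVIRT routes through the hypervisor hook meant for real page-table slots; the sibling helpers in this hunk assign `pte_low` directly, and for the 64-bit PAE value the plain form `pte = __pte(pte_val(pte) | _PAGE_NX)` does the job without the hook. Moving the 2level/3level include earlier is what makes `pte_val`/`__pte` available at this point and is worth a line in the changelog. `pte_user()`/`pte_mkread()` treat `_PAGE_USER` as the readable bit, which is the PAGEEXEC model for hardware without NX and deserves a comment.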
66754 +@@ -350,7 +381,19 @@ static inline void ptep_set_wrprotect(st
66755 + */
66756 + static inline void clone_pgd_range(pgd_t *dst, pgd_t *src, int count)
66757 + {
66758 +- memcpy(dst, src, count * sizeof(pgd_t));
66759 ++
66760 ++#ifdef CONFIG_PAX_KERNEXEC
66761 ++ unsigned long cr0;
66762 ++
66763 ++ pax_open_kernel(cr0);
66764 ++#endif
66765 ++
66766 ++ memcpy(dst, src, count * sizeof(pgd_t));
66767 ++
66768 ++#ifdef CONFIG_PAX_KERNEXEC
66769 ++ pax_close_kernel(cr0);
66770 ++#endif
66771 ++
66772 + }
66773 +
66774 + /*
66775 +@@ -497,6 +540,9 @@ static inline void paravirt_pagetable_se
66776 +
66777 + #endif /* !__ASSEMBLY__ */
66778 +
66779 ++#define HAVE_ARCH_UNMAPPED_AREA
66780 ++#define HAVE_ARCH_UNMAPPED_AREA_TOPDOWN
66781 ++
66782 + #ifdef CONFIG_FLATMEM
66783 + #define kern_addr_valid(addr) (1)
66784 + #endif /* CONFIG_FLATMEM */
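Review bot: defining HAVE_ARCH_UNMAPPED_AREA and HAVE_ARCH_UNMAPPED_AREA_TOPDOWN obliges the arch to provide `arch_get_unmapped_area()` and `arch_get_unmapped_area_topdown()`; neither is in this section, and placing the defines after `#endif /* !__ASSEMBLY__ */` exposes them to assembly includes, which is harmless but should be intentional. A comment tying them to the SEGMEXEC_TASK_UNMAPPED_BASE addition in processor_32.h would explain why the generic allocator is replaced.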
66785 +diff -urNp linux-2.6.24.5/include/asm-x86/pgtable-3level.h linux-2.6.24.5/include/asm-x86/pgtable-3level.h
66786 +--- linux-2.6.24.5/include/asm-x86/pgtable-3level.h 2008-03-24 14:49:18.000000000 -0400
66787 ++++ linux-2.6.24.5/include/asm-x86/pgtable-3level.h 2008-03-26 20:21:09.000000000 -0400
66788 +@@ -67,11 +67,35 @@ static inline void native_set_pte_atomic
66789 + }
66790 + static inline void native_set_pmd(pmd_t *pmdp, pmd_t pmd)
66791 + {
66792 ++
66793 ++#ifdef CONFIG_PAX_KERNEXEC
66794 ++ unsigned long cr0;
66795 ++
66796 ++ pax_open_kernel(cr0);
66797 ++#endif
66798 ++
66799 + set_64bit((unsigned long long *)(pmdp),native_pmd_val(pmd));
66800 ++
66801 ++#ifdef CONFIG_PAX_KERNEXEC
66802 ++ pax_close_kernel(cr0);
66803 ++#endif
66804 ++
66805 + }
66806 + static inline void native_set_pud(pud_t *pudp, pud_t pud)
66807 + {
66808 ++
66809 ++#ifdef CONFIG_PAX_KERNEXEC
66810 ++ unsigned long cr0;
66811 ++
66812 ++ pax_open_kernel(cr0);
66813 ++#endif
66814 ++
66815 + *pudp = pud;
66816 ++
66817 ++#ifdef CONFIG_PAX_KERNEXEC
66818 ++ pax_close_kernel(cr0);
66819 ++#endif
66820 ++
66821 + }
66822 +
66823 + /*
66824 +diff -urNp linux-2.6.24.5/include/asm-x86/pgtable_64.h linux-2.6.24.5/include/asm-x86/pgtable_64.h
66825 +--- linux-2.6.24.5/include/asm-x86/pgtable_64.h 2008-03-24 14:49:18.000000000 -0400
66826 ++++ linux-2.6.24.5/include/asm-x86/pgtable_64.h 2008-03-26 20:21:09.000000000 -0400
66827 +@@ -79,7 +79,19 @@ static inline void set_pte(pte_t *dst, p
66828 +
66829 + static inline void set_pmd(pmd_t *dst, pmd_t val)
66830 + {
66831 ++
66832 ++#ifdef CONFIG_PAX_KERNEXEC
66833 ++ unsigned long cr0;
66834 ++
66835 ++ pax_open_kernel(cr0);
66836 ++#endif
66837 ++
66838 + pmd_val(*dst) = pmd_val(val);
66839 ++
66840 ++#ifdef CONFIG_PAX_KERNEXEC
66841 ++ pax_close_kernel(cr0);
66842 ++#endif
66843 ++
66844 + }
66845 +
66846 + static inline void set_pud(pud_t *dst, pud_t val)
66847 +@@ -180,6 +192,10 @@ static inline pte_t ptep_get_and_clear_f
66848 + #define PAGE_COPY_EXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_ACCESSED)
66849 + #define PAGE_READONLY __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_ACCESSED | _PAGE_NX)
66850 + #define PAGE_READONLY_EXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_ACCESSED)
66851 ++
66852 ++#define PAGE_READONLY_NOEXEC PAGE_READONLY
66853 ++#define PAGE_SHARED_NOEXEC PAGE_SHARED
66854 ++
66855 + #define __PAGE_KERNEL \
66856 + (_PAGE_PRESENT | _PAGE_RW | _PAGE_DIRTY | _PAGE_ACCESSED | _PAGE_NX)
66857 + #define __PAGE_KERNEL_EXEC \
66858 +@@ -188,10 +204,12 @@ static inline pte_t ptep_get_and_clear_f
66859 + (_PAGE_PRESENT | _PAGE_RW | _PAGE_DIRTY | _PAGE_PCD | _PAGE_ACCESSED | _PAGE_NX)
66860 + #define __PAGE_KERNEL_RO \
66861 + (_PAGE_PRESENT | _PAGE_DIRTY | _PAGE_ACCESSED | _PAGE_NX)
66862 ++#define __PAGE_KERNEL_RX \
66863 ++ (_PAGE_PRESENT | _PAGE_DIRTY | _PAGE_ACCESSED)
66864 + #define __PAGE_KERNEL_VSYSCALL \
66865 + (_PAGE_PRESENT | _PAGE_USER | _PAGE_ACCESSED)
66866 + #define __PAGE_KERNEL_VSYSCALL_NOCACHE \
66867 +- (_PAGE_PRESENT | _PAGE_USER | _PAGE_ACCESSED | _PAGE_PCD)
66868 ++ (_PAGE_PRESENT | _PAGE_USER | _PAGE_ACCESSED | _PAGE_PCD | _PAGE_NX)
66869 + #define __PAGE_KERNEL_LARGE \
66870 + (__PAGE_KERNEL | _PAGE_PSE)
66871 + #define __PAGE_KERNEL_LARGE_EXEC \
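Review bot: `__PAGE_KERNEL_VSYSCALL_NOCACHE` gains `_PAGE_NX` while `__PAGE_KERNEL_VSYSCALL` stays executable; that matches the split between the vsyscall code page and the uncached data page it reads, but the two names differ only by `_NOCACHE`, so the exec difference is easy to miss and each line should carry a comment. The new `__PAGE_KERNEL_RX` (no `_PAGE_RW`, no `_PAGE_NX`) is the read-only-executable protection KERNEXEC needs for kernel text; name its consumer in the changelog.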
66872 +@@ -202,6 +220,7 @@ static inline pte_t ptep_get_and_clear_f
66873 + #define PAGE_KERNEL MAKE_GLOBAL(__PAGE_KERNEL)
66874 + #define PAGE_KERNEL_EXEC MAKE_GLOBAL(__PAGE_KERNEL_EXEC)
66875 + #define PAGE_KERNEL_RO MAKE_GLOBAL(__PAGE_KERNEL_RO)
66876 ++#define PAGE_KERNEL_RX MAKE_GLOBAL(__PAGE_KERNEL_RX)
66877 + #define PAGE_KERNEL_NOCACHE MAKE_GLOBAL(__PAGE_KERNEL_NOCACHE)
66878 + #define PAGE_KERNEL_VSYSCALL32 __pgprot(__PAGE_KERNEL_VSYSCALL)
66879 + #define PAGE_KERNEL_VSYSCALL MAKE_GLOBAL(__PAGE_KERNEL_VSYSCALL)
66880 +@@ -231,17 +250,17 @@ static inline pte_t ptep_get_and_clear_f
66881 +
66882 + static inline unsigned long pgd_bad(pgd_t pgd)
66883 + {
66884 +- return pgd_val(pgd) & ~(PTE_MASK | _KERNPG_TABLE | _PAGE_USER);
66885 ++ return pgd_val(pgd) & ~(PTE_MASK | _KERNPG_TABLE | _PAGE_USER | _PAGE_NX);
66886 + }
66887 +
66888 + static inline unsigned long pud_bad(pud_t pud)
66889 + {
66890 +- return pud_val(pud) & ~(PTE_MASK | _KERNPG_TABLE | _PAGE_USER);
66891 ++ return pud_val(pud) & ~(PTE_MASK | _KERNPG_TABLE | _PAGE_USER | _PAGE_NX);
66892 + }
66893 +
66894 + static inline unsigned long pmd_bad(pmd_t pmd)
66895 + {
66896 +- return pmd_val(pmd) & ~(PTE_MASK | _KERNPG_TABLE | _PAGE_USER);
66897 ++ return pmd_val(pmd) & ~(PTE_MASK | _KERNPG_TABLE | _PAGE_USER | _PAGE_NX);
66898 + }
66899 +
66900 + #define pte_none(x) (!pte_val(x))
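Review bot: `pgd_bad()`, `pud_bad()` and `pmd_bad()` now accept `_PAGE_NX` in upper-level entries, which weakens the sanity check; that is only justified if something sets NX above the PTE level, and nothing in the visible hunks does (the pgalloc_64.h change uses `_KERNPG_TABLE`, which has no NX). Name the producer in the changelog so the relaxation can be tied to it.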
66901 +diff -urNp linux-2.6.24.5/include/asm-x86/processor_32.h linux-2.6.24.5/include/asm-x86/processor_32.h
66902 +--- linux-2.6.24.5/include/asm-x86/processor_32.h 2008-03-24 14:49:18.000000000 -0400
66903 ++++ linux-2.6.24.5/include/asm-x86/processor_32.h 2008-03-26 20:21:09.000000000 -0400
66904 +@@ -100,8 +100,6 @@ struct cpuinfo_x86 {
66905 +
66906 + extern struct cpuinfo_x86 boot_cpu_data;
66907 + extern struct cpuinfo_x86 new_cpu_data;
66908 +-extern struct tss_struct doublefault_tss;
66909 +-DECLARE_PER_CPU(struct tss_struct, init_tss);
66910 +
66911 + #ifdef CONFIG_SMP
66912 + DECLARE_PER_CPU(struct cpuinfo_x86, cpu_info);
66913 +@@ -215,11 +213,19 @@ extern int bootloader_type;
66914 + */
66915 + #define TASK_SIZE (PAGE_OFFSET)
66916 +
66917 ++#ifdef CONFIG_PAX_SEGMEXEC
66918 ++#define SEGMEXEC_TASK_SIZE (TASK_SIZE / 2)
66919 ++#endif
66920 ++
66921 + /* This decides where the kernel will search for a free chunk of vm
66922 + * space during mmap's.
66923 + */
66924 + #define TASK_UNMAPPED_BASE (PAGE_ALIGN(TASK_SIZE / 3))
66925 +
66926 ++#ifdef CONFIG_PAX_SEGMEXEC
66927 ++#define SEGMEXEC_TASK_UNMAPPED_BASE (PAGE_ALIGN(SEGMEXEC_TASK_SIZE / 3))
66928 ++#endif
66929 ++
66930 + #define HAVE_ARCH_PICK_MMAP_LAYOUT
66931 +
66932 + extern void hard_disable_TSC(void);
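Review bot: `SEGMEXEC_TASK_SIZE` is defined as `TASK_SIZE / 2` with no comment; state that under `CONFIG_PAX_SEGMEXEC` the upper half of the user address space is reserved for the code-segment mirror, since that halved limit is what every later user of `SEGMEXEC_TASK_UNMAPPED_BASE` and the mmap layout depends on. The `/ 3` formula for `SEGMEXEC_TASK_UNMAPPED_BASE` correctly mirrors `TASK_UNMAPPED_BASE`.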
66933 +@@ -344,6 +350,9 @@ struct tss_struct {
66934 +
66935 + #define ARCH_MIN_TASKALIGN 16
66936 +
66937 ++extern struct tss_struct doublefault_tss;
66938 ++extern struct tss_struct init_tss[NR_CPUS];
66939 ++
66940 + struct thread_struct {
66941 + /* cached TLS descriptors. */
66942 + struct desc_struct tls_array[GDT_ENTRY_TLS_ENTRIES];
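Review bot: `init_tss` changes from `DECLARE_PER_CPU` to a plain `struct tss_struct init_tss[NR_CPUS]` array, so every `per_cpu(init_tss, cpu)` / `__get_cpu_var(init_tss)` user must become `init_tss[cpu]` or the build breaks; the hunk at `@@ -100,8 +100,6 @@` only removes the old declarations. A comment explaining that the externs were moved below `struct tss_struct` because an extern array needs a complete element type would stop the next reader from moving them back up with the other externs.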
66943 +@@ -372,7 +381,7 @@ struct thread_struct {
66944 + };
66945 +
66946 + #define INIT_THREAD { \
66947 +- .esp0 = sizeof(init_stack) + (long)&init_stack, \
66948 ++ .esp0 = sizeof(init_stack) + (long)&init_stack - 8, \
66949 + .vm86_info = NULL, \
66950 + .sysenter_cs = __KERNEL_CS, \
66951 + .io_bitmap_ptr = NULL, \
66952 +@@ -387,7 +396,7 @@ struct thread_struct {
66953 + */
66954 + #define INIT_TSS { \
66955 + .x86_tss = { \
66956 +- .esp0 = sizeof(init_stack) + (long)&init_stack, \
66957 ++ .esp0 = sizeof(init_stack) + (long)&init_stack - 8, \
66958 + .ss0 = __KERNEL_DS, \
66959 + .ss1 = __KERNEL_CS, \
66960 + .io_bitmap_base = INVALID_IO_BITMAP_OFFSET, \
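Review bot: The `- 8` folded into `.esp0` here and in `INIT_THREAD` is a bare magic number that must stay equal in both initialisers and match whatever `task_pt_regs()` assumes about the top of the ring-0 stack; give it a name (a `KSTK_ESP0_RESERVE`-style define, name only a suggestion) and use it in both places.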
66961 +@@ -428,11 +437,7 @@ void show_trace(struct task_struct *task
66962 + unsigned long get_wchan(struct task_struct *p);
66963 +
66964 + #define THREAD_SIZE_LONGS (THREAD_SIZE/sizeof(unsigned long))
66965 +-#define KSTK_TOP(info) \
66966 +-({ \
66967 +- unsigned long *__ptr = (unsigned long *)(info); \
66968 +- (unsigned long)(&__ptr[THREAD_SIZE_LONGS]); \
66969 +-})
66970 ++#define KSTK_TOP(info) ((info)->task.thread.esp0)
66971 +
66972 + /*
66973 + * The below -8 is to reserve 8 bytes on top of the ring0 stack.
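Review bot: `KSTK_TOP(info)` changes meaning: it used to take the raw stack page as `unsigned long *` and now dereferences `(info)->task.thread.esp0`, so `info` must be a `struct thread_info *` and any remaining caller that passes `task_stack_page(task)` (a `void *`) will fail to compile. `THREAD_SIZE_LONGS`, defined on the line above, loses its only visible user in this macro; check whether it is still needed.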
66974 +@@ -447,7 +452,7 @@ unsigned long get_wchan(struct task_stru
66975 + #define task_pt_regs(task) \
66976 + ({ \
66977 + struct pt_regs *__regs__; \
66978 +- __regs__ = (struct pt_regs *)(KSTK_TOP(task_stack_page(task))-8); \
66979 ++ __regs__ = (struct pt_regs *)((task)->thread.esp0); \
66980 + __regs__ - 1; \
66981 + })
66982 +
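Review bot: The comment just above this hunk still says "The below -8 is to reserve 8 bytes on top of the ring0 stack", but the `-8` no longer appears in `task_pt_regs()`; it now lives in `thread.esp0`. Update the comment, and note that the macro is only correct for tasks whose `thread.esp0` has already been set, so `copy_thread()` must initialise it before anything inspects the child's registers.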
66983 +diff -urNp linux-2.6.24.5/include/asm-x86/processor_64.h linux-2.6.24.5/include/asm-x86/processor_64.h
66984 +--- linux-2.6.24.5/include/asm-x86/processor_64.h 2008-03-24 14:49:18.000000000 -0400
66985 ++++ linux-2.6.24.5/include/asm-x86/processor_64.h 2008-03-26 20:21:09.000000000 -0400
66986 +@@ -142,7 +142,7 @@ static inline void clear_in_cr4 (unsigne
66987 + /* This decides where the kernel will search for a free chunk of vm
66988 + * space during mmap's.
66989 + */
66990 +-#define IA32_PAGE_OFFSET ((current->personality & ADDR_LIMIT_3GB) ? 0xc0000000 : 0xFFFFe000)
66991 ++#define IA32_PAGE_OFFSET ((current->personality & ADDR_LIMIT_3GB) ? 0xc0000000 : 0xFFFFf000)
66992 +
66993 + #define TASK_SIZE (test_thread_flag(TIF_IA32) ? IA32_PAGE_OFFSET : TASK_SIZE64)
66994 + #define TASK_SIZE_OF(child) ((test_tsk_thread_flag(child, TIF_IA32)) ? IA32_PAGE_OFFSET : TASK_SIZE64)
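Review bot: Raising the non-`ADDR_LIMIT_3GB` compat limit from `0xFFFFe000` to `0xFFFFf000` hands the page at `0xffffe000` back to user mappings; that is only safe if nothing fixed still lives there (the compat vsyscall page is what used to occupy that address), so a comment stating that belongs next to the constant, not only in the changelog.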
66995 +@@ -201,7 +201,7 @@ struct tss_struct {
66996 +
66997 +
66998 + extern struct cpuinfo_x86 boot_cpu_data;
66999 +-DECLARE_PER_CPU(struct tss_struct,init_tss);
67000 ++extern struct tss_struct init_tss[NR_CPUS];
67001 + /* Save the original ist values for checking stack pointers during debugging */
67002 + struct orig_ist {
67003 + unsigned long ist[7];
67004 +diff -urNp linux-2.6.24.5/include/asm-x86/ptrace.h linux-2.6.24.5/include/asm-x86/ptrace.h
67005 +--- linux-2.6.24.5/include/asm-x86/ptrace.h 2008-03-24 14:49:18.000000000 -0400
67006 ++++ linux-2.6.24.5/include/asm-x86/ptrace.h 2008-03-26 20:21:09.000000000 -0400
67007 +@@ -39,17 +39,18 @@ struct task_struct;
67008 + extern void send_sigtrap(struct task_struct *tsk, struct pt_regs *regs, int error_code);
67009 +
67010 + /*
67011 +- * user_mode_vm(regs) determines whether a register set came from user mode.
67012 ++ * user_mode(regs) determines whether a register set came from user mode.
67013 + * This is true if V8086 mode was enabled OR if the register set was from
67014 + * protected mode with RPL-3 CS value. This tricky test checks that with
67015 + * one comparison. Many places in the kernel can bypass this full check
67016 +- * if they have already ruled out V8086 mode, so user_mode(regs) can be used.
67017 ++ * if they have already ruled out V8086 mode, so user_mode_novm(regs) can
67018 ++ * be used.
67019 + */
67020 +-static inline int user_mode(struct pt_regs *regs)
67021 ++static inline int user_mode_novm(struct pt_regs *regs)
67022 + {
67023 + return (regs->xcs & SEGMENT_RPL_MASK) == USER_RPL;
67024 + }
67025 +-static inline int user_mode_vm(struct pt_regs *regs)
67026 ++static inline int user_mode(struct pt_regs *regs)
67027 + {
67028 + return ((regs->xcs & SEGMENT_RPL_MASK) | (regs->eflags & VM_MASK)) >= USER_RPL;
67029 + }
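Review bot: Renaming rather than adding means this hunk intentionally breaks every out-of-tree `user_mode_vm()` caller (now `user_mode_novm()`) and silently gives every existing `user_mode()` caller the V86-aware test; that is the safer default, but the patch should say so explicitly so the resulting compile errors are understood as intended, and a grep for stale `user_mode_vm` uses should accompany it.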
67030 +diff -urNp linux-2.6.24.5/include/asm-x86/reboot.h linux-2.6.24.5/include/asm-x86/reboot.h
67031 +--- linux-2.6.24.5/include/asm-x86/reboot.h 2008-03-24 14:49:18.000000000 -0400
67032 ++++ linux-2.6.24.5/include/asm-x86/reboot.h 2008-03-26 20:21:09.000000000 -0400
67033 +@@ -15,6 +15,6 @@ struct machine_ops
67034 +
67035 + extern struct machine_ops machine_ops;
67036 +
67037 +-void machine_real_restart(unsigned char *code, int length);
67038 ++void machine_real_restart(const unsigned char *code, unsigned int length);
67039 +
67040 + #endif /* _ASM_REBOOT_H */
67041 +diff -urNp linux-2.6.24.5/include/asm-x86/segment_32.h linux-2.6.24.5/include/asm-x86/segment_32.h
67042 +--- linux-2.6.24.5/include/asm-x86/segment_32.h 2008-03-24 14:49:18.000000000 -0400
67043 ++++ linux-2.6.24.5/include/asm-x86/segment_32.h 2008-03-26 20:21:09.000000000 -0400
67044 +@@ -81,6 +81,12 @@
67045 + #define __KERNEL_PERCPU 0
67046 + #endif
67047 +
67048 ++#define GDT_ENTRY_PCIBIOS_CS (GDT_ENTRY_KERNEL_BASE + 16)
67049 ++#define __PCIBIOS_CS (GDT_ENTRY_PCIBIOS_CS * 8)
67050 ++
67051 ++#define GDT_ENTRY_PCIBIOS_DS (GDT_ENTRY_KERNEL_BASE + 17)
67052 ++#define __PCIBIOS_DS (GDT_ENTRY_PCIBIOS_DS * 8)
67053 ++
67054 + #define GDT_ENTRY_DOUBLEFAULT_TSS 31
67055 +
67056 + /*
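Review bot: `GDT_ENTRY_PCIBIOS_CS`/`_DS` are placed at `GDT_ENTRY_KERNEL_BASE + 16` and `+ 17` without a matching update to the GDT layout comment, and `GDT_ENTRY_DOUBLEFAULT_TSS` is hard-coded as 31 right below; record in the layout table which slots these two occupy so the next entry added does not collide with them.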
67057 +@@ -140,9 +146,9 @@
67058 + #define SEGMENT_IS_KERNEL_CODE(x) (((x) & 0xfc) == GDT_ENTRY_KERNEL_CS * 8)
67059 +
67060 + /* Matches __KERNEL_CS and __USER_CS (they must be 2 entries apart) */
67061 +-#define SEGMENT_IS_FLAT_CODE(x) (((x) & 0xec) == GDT_ENTRY_KERNEL_CS * 8)
67062 ++#define SEGMENT_IS_FLAT_CODE(x) (((x) & 0xFFFCU) == __KERNEL_CS || ((x) & 0xFFFCU) == __USER_CS)
67063 +
67064 + /* Matches PNP_CS32 and PNP_CS16 (they must be consecutive) */
67065 +-#define SEGMENT_IS_PNP_CODE(x) (((x) & 0xf4) == GDT_ENTRY_PNPBIOS_BASE * 8)
67066 ++#define SEGMENT_IS_PNP_CODE(x) (((x) & 0xFFFCU) == PNP_CS32 || ((x) & 0xFFFCU) == PNP_CS16)
67067 +
67068 + #endif
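Review bot: The new `SEGMENT_IS_FLAT_CODE()` and `SEGMENT_IS_PNP_CODE()` compare full selectors (RPL masked with `0xFFFCU`) instead of low-byte masks, so the adjacency requirements in the comments above them ("they must be 2 entries apart", "they must be consecutive") no longer hold and should be dropped or rewritten. The new form is also stricter: the old `& 0xec` / `& 0xf4` tests ignored bits 8 to 15 entirely and accepted any selector whose masked low byte happened to match.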
67069 +diff -urNp linux-2.6.24.5/include/asm-x86/system_32.h linux-2.6.24.5/include/asm-x86/system_32.h
67070 +--- linux-2.6.24.5/include/asm-x86/system_32.h 2008-03-24 14:49:18.000000000 -0400
67071 ++++ linux-2.6.24.5/include/asm-x86/system_32.h 2008-03-26 20:21:09.000000000 -0400
67072 +@@ -188,6 +188,21 @@ static inline void clflush(volatile void
67073 + /* Set the 'TS' bit */
67074 + #define stts() write_cr0(8 | read_cr0())
67075 +
67076 ++#define pax_open_kernel(cr0) \
67077 ++do { \
67078 ++ typecheck(unsigned long, cr0); \
67079 ++ preempt_disable(); \
67080 ++ cr0 = read_cr0(); \
67081 ++ write_cr0(cr0 & ~X86_CR0_WP); \
67082 ++} while (0)
67083 ++
67084 ++#define pax_close_kernel(cr0) \
67085 ++do { \
67086 ++ typecheck(unsigned long, cr0); \
67087 ++ write_cr0(cr0); \
67088 ++ preempt_enable_no_resched(); \
67089 ++} while (0)
67090 ++
67091 + #endif /* __KERNEL__ */
67092 +
67093 + static inline unsigned long get_limit(unsigned long segment)
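Review bot: `pax_open_kernel()` clears `CR0.WP` with preemption disabled but interrupts left enabled, so any interrupt handler that runs between open and close executes with kernel write protection off; if that window is acceptable, say so in a comment, otherwise save and disable interrupts as well. `pax_close_kernel()` uses `preempt_enable_no_resched()`, which defers a pending reschedule to the next preemption point; document why the resched check is skipped here. Nesting is safe as written, since an inner close only writes back a value that already has WP clear, but that is worth stating too.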
67094 +@@ -195,7 +210,7 @@ static inline unsigned long get_limit(un
67095 + unsigned long __limit;
67096 + __asm__("lsll %1,%0"
67097 + :"=r" (__limit):"r" (segment));
67098 +- return __limit+1;
67099 ++ return __limit;
67100 + }
67101 +
67102 + #define nop() __asm__ __volatile__ ("nop")
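Review bot: `get_limit()` now returns the raw `lsl` result, i.e. the offset of the last valid byte, instead of the segment size (`__limit + 1`); every caller that treated the return value as a length has an off-by-one until it is updated, so audit them in the same patch and add a comment (or rename the function) so the new meaning is obvious.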
67103 +@@ -311,7 +326,7 @@ void enable_hlt(void);
67104 + extern int es7000_plat;
67105 + void cpu_idle_wait(void);
67106 +
67107 +-extern unsigned long arch_align_stack(unsigned long sp);
67108 ++#define arch_align_stack(x) (x)
67109 + extern void free_init_pages(char *what, unsigned long begin, unsigned long end);
67110 +
67111 + void default_idle(void);
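Review bot: Turning `arch_align_stack()` into the identity macro removes the mainline per-exec stack-pointer jitter for every configuration, not only when `CONFIG_PAX_RANDUSTACK` replaces it; if the intent is that RANDUSTACK covers this, make the identity definition conditional on that option or note that stack randomisation regresses when it is off. The now-unused out-of-line definition of `arch_align_stack()` should go with it.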
67112 +diff -urNp linux-2.6.24.5/include/asm-x86/system_64.h linux-2.6.24.5/include/asm-x86/system_64.h
67113 +--- linux-2.6.24.5/include/asm-x86/system_64.h 2008-03-24 14:49:18.000000000 -0400
67114 ++++ linux-2.6.24.5/include/asm-x86/system_64.h 2008-03-26 20:21:09.000000000 -0400
67115 +@@ -33,6 +33,8 @@
67116 + ".globl thread_return\n" \
67117 + "thread_return:\n\t" \
67118 + "movq %%gs:%P[pda_pcurrent],%%rsi\n\t" \
67119 ++ "movq %P[task_canary](%%rsi),%%r8\n\t" \
67120 ++ "movq %%r8,%%gs:%P[pda_canary]\n\t" \
67121 + "movq %P[thread_info](%%rsi),%%r8\n\t" \
67122 + LOCK_PREFIX "btr %[tif_fork],%P[ti_flags](%%r8)\n\t" \
67123 + "movq %%rax,%%rdi\n\t" \
67124 +@@ -44,7 +46,9 @@
67125 + [ti_flags] "i" (offsetof(struct thread_info, flags)),\
67126 + [tif_fork] "i" (TIF_FORK), \
67127 + [thread_info] "i" (offsetof(struct task_struct, stack)), \
67128 +- [pda_pcurrent] "i" (offsetof(struct x8664_pda, pcurrent)) \
67129 ++ [task_canary] "i" (offsetof(struct task_struct, stack_canary)), \
67130 ++ [pda_pcurrent] "i" (offsetof(struct x8664_pda, pcurrent)), \
67131 ++ [pda_canary] "i" (offsetof(struct x8664_pda, stack_canary)) \
67132 + : "memory", "cc" __EXTRA_CLOBBER)
67133 +
67134 + extern void load_gs_index(unsigned);
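Review bot: The two added `movq` lines copy `task_struct::stack_canary` into `x8664_pda::stack_canary` unconditionally, so `stack_canary` must exist in `struct task_struct` in every configuration or the asm needs a `CONFIG_CC_STACKPROTECTOR` guard. Doing the copy here, in the asm after `__switch_to()` returns, keeps the PDA update out of any C function whose own epilogue canary check would trip when the value changes underneath it; that ordering constraint deserves a comment next to the asm so nobody moves the copy back into C.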
67135 +@@ -139,6 +143,21 @@ static inline void write_cr8(unsigned lo
67136 + #define wbinvd() \
67137 + __asm__ __volatile__ ("wbinvd": : :"memory")
67138 +
67139 ++#define pax_open_kernel(cr0) \
67140 ++do { \
67141 ++ typecheck(unsigned long, cr0); \
67142 ++ preempt_disable(); \
67143 ++ cr0 = read_cr0(); \
67144 ++ write_cr0(cr0 & ~X86_CR0_WP); \
67145 ++} while (0)
67146 ++
67147 ++#define pax_close_kernel(cr0) \
67148 ++do { \
67149 ++ typecheck(unsigned long, cr0); \
67150 ++ write_cr0(cr0); \
67151 ++ preempt_enable_no_resched(); \
67152 ++} while (0)
67153 ++
67154 + #endif /* __KERNEL__ */
67155 +
67156 + static inline void clflush(volatile void *__p)
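Review bot: This `pax_open_kernel()`/`pax_close_kernel()` pair is byte-for-byte identical to the one added to `system_32.h`; put it in a shared header (for example a common `asm/system.h` section or a PaX-specific header) so the two copies cannot diverge. The same interrupts-enabled CR0.WP window applies here.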
67157 +@@ -179,7 +198,7 @@ static inline void clflush(volatile void
67158 +
67159 + void cpu_idle_wait(void);
67160 +
67161 +-extern unsigned long arch_align_stack(unsigned long sp);
67162 ++#define arch_align_stack(x) (x)
67163 + extern void free_init_pages(char *what, unsigned long begin, unsigned long end);
67164 +
67165 + #endif
67166 +diff -urNp linux-2.6.24.5/include/asm-x86/uaccess_32.h linux-2.6.24.5/include/asm-x86/uaccess_32.h
67167 +--- linux-2.6.24.5/include/asm-x86/uaccess_32.h 2008-03-24 14:49:18.000000000 -0400
67168 ++++ linux-2.6.24.5/include/asm-x86/uaccess_32.h 2008-03-26 20:21:09.000000000 -0400
67169 +@@ -9,6 +9,7 @@
67170 + #include <linux/prefetch.h>
67171 + #include <linux/string.h>
67172 + #include <asm/page.h>
67173 ++#include <asm/segment.h>
67174 +
67175 + #define VERIFY_READ 0
67176 + #define VERIFY_WRITE 1
67177 +@@ -29,7 +30,8 @@
67178 +
67179 + #define get_ds() (KERNEL_DS)
67180 + #define get_fs() (current_thread_info()->addr_limit)
67181 +-#define set_fs(x) (current_thread_info()->addr_limit = (x))
67182 ++void __set_fs(mm_segment_t x, int cpu);
67183 ++void set_fs(mm_segment_t x);
67184 +
67185 + #define segment_eq(a,b) ((a).seg == (b).seg)
67186 +
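Review bot: `set_fs()` turns from a macro into an out-of-line function (plus `__set_fs(x, cpu)`), so its definition needs an `EXPORT_SYMBOL` for the many modules that call `set_fs(KERNEL_DS)`, and the header should say what the `cpu` argument of `__set_fs()` is for (presumably the CPU whose descriptor table is updated, which only makes sense with preemption disabled). `mm_segment_t` must also be complete at this point in the header for the prototypes to compile.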
67187 +@@ -101,6 +103,7 @@ struct exception_table_entry
67188 + };
67189 +
67190 + extern int fixup_exception(struct pt_regs *regs);
67191 ++#define ARCH_HAS_SORT_EXTABLE
67192 +
67193 + /*
67194 + * These are the main single-value transfer routines. They automatically
67195 +@@ -280,9 +283,12 @@ extern void __put_user_8(void);
67196 +
67197 + #define __put_user_u64(x, addr, err) \
67198 + __asm__ __volatile__( \
67199 +- "1: movl %%eax,0(%2)\n" \
67200 +- "2: movl %%edx,4(%2)\n" \
67201 ++ " movw %w5,%%ds\n" \
67202 ++ "1: movl %%eax,%%ds:0(%2)\n" \
67203 ++ "2: movl %%edx,%%ds:4(%2)\n" \
67204 + "3:\n" \
67205 ++ " pushl %%ss\n" \
67206 ++ " popl %%ds\n" \
67207 + ".section .fixup,\"ax\"\n" \
67208 + "4: movl %3,%0\n" \
67209 + " jmp 3b\n" \
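Review bot: The `%ds` restore works on the fault path only because label `3:` precedes the `pushl %%ss; popl %%ds` sequence and the fixup jumps to `3b`; that is correct but easy to break on the next edit, so a comment such as "3: common exit, ds restored here" is worth adding. The restore also relies on `%ss` holding the kernel data selector, which is true in any ring-0 context these macros run from, and the two extra segment loads per access are the deliberate price of reloading `%ds` around every user access, which the comment should say so it is not "optimised" away.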
67210 +@@ -293,7 +299,8 @@ extern void __put_user_8(void);
67211 + " .long 2b,4b\n" \
67212 + ".previous" \
67213 + : "=r"(err) \
67214 +- : "A" (x), "r" (addr), "i"(-EFAULT), "0"(err))
67215 ++ : "A" (x), "r" (addr), "i"(-EFAULT), "0"(err), \
67216 ++ "r"(__USER_DS))
67217 +
67218 + #ifdef CONFIG_X86_WP_WORKS_OK
67219 +
67220 +@@ -332,8 +339,11 @@ struct __large_struct { unsigned long bu
67221 + */
67222 + #define __put_user_asm(x, addr, err, itype, rtype, ltype, errret) \
67223 + __asm__ __volatile__( \
67224 +- "1: mov"itype" %"rtype"1,%2\n" \
67225 ++ " movw %w5,%%ds\n" \
67226 ++ "1: mov"itype" %"rtype"1,%%ds:%2\n" \
67227 + "2:\n" \
67228 ++ " pushl %%ss\n" \
67229 ++ " popl %%ds\n" \
67230 + ".section .fixup,\"ax\"\n" \
67231 + "3: movl %3,%0\n" \
67232 + " jmp 2b\n" \
67233 +@@ -343,7 +353,8 @@ struct __large_struct { unsigned long bu
67234 + " .long 1b,3b\n" \
67235 + ".previous" \
67236 + : "=r"(err) \
67237 +- : ltype (x), "m"(__m(addr)), "i"(errret), "0"(err))
67238 ++ : ltype (x), "m"(__m(addr)), "i"(errret), "0"(err), \
67239 ++ "r"(__USER_DS))
67240 +
67241 +
67242 + #define __get_user_nocheck(x,ptr,size) \
67243 +@@ -371,8 +382,11 @@ do { \
67244 +
67245 + #define __get_user_asm(x, addr, err, itype, rtype, ltype, errret) \
67246 + __asm__ __volatile__( \
67247 +- "1: mov"itype" %2,%"rtype"1\n" \
67248 ++ " movw %w5,%%ds\n" \
67249 ++ "1: mov"itype" %%ds:%2,%"rtype"1\n" \
67250 + "2:\n" \
67251 ++ " pushl %%ss\n" \
67252 ++ " popl %%ds\n" \
67253 + ".section .fixup,\"ax\"\n" \
67254 + "3: movl %3,%0\n" \
67255 + " xor"itype" %"rtype"1,%"rtype"1\n" \
67256 +@@ -383,7 +397,7 @@ do { \
67257 + " .long 1b,3b\n" \
67258 + ".previous" \
67259 + : "=r"(err), ltype (x) \
67260 +- : "m"(__m(addr)), "i"(errret), "0"(err))
67261 ++ : "m"(__m(addr)), "i"(errret), "0"(err), "r"(__USER_DS))
67262 +
67263 +
67264 + unsigned long __must_check __copy_to_user_ll(void __user *to,
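Review bot: The `movw %w5,%%ds` / `pushl %%ss; popl %%ds` sequence is now repeated verbatim in `__put_user_u64`, `__put_user_asm` and `__get_user_asm`; factor the two strings into named macros so a future change (restoring from a saved selector instead of `%ss`, say) happens in one place. In `__get_user_asm` the fixup at `3:` zeroes the destination and jumps to `2b`, which sits before the restore, so `%ds` is correctly restored on the error path as well.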
67265 +diff -urNp linux-2.6.24.5/include/asm-x86/uaccess_64.h linux-2.6.24.5/include/asm-x86/uaccess_64.h
67266 +--- linux-2.6.24.5/include/asm-x86/uaccess_64.h 2008-03-24 14:49:18.000000000 -0400
67267 ++++ linux-2.6.24.5/include/asm-x86/uaccess_64.h 2008-03-26 20:21:09.000000000 -0400
67268 +@@ -66,6 +66,7 @@ struct exception_table_entry
67269 + };
67270 +
67271 + #define ARCH_HAS_SEARCH_EXTABLE
67272 ++#define ARCH_HAS_SORT_EXTABLE
67273 +
67274 + /*
67275 + * These are the main single-value transfer routines. They automatically
67276 +diff -urNp linux-2.6.24.5/include/asm-xtensa/kmap_types.h linux-2.6.24.5/include/asm-xtensa/kmap_types.h
67277 +--- linux-2.6.24.5/include/asm-xtensa/kmap_types.h 2008-03-24 14:49:18.000000000 -0400
67278 ++++ linux-2.6.24.5/include/asm-xtensa/kmap_types.h 2008-03-26 20:21:09.000000000 -0400
67279 +@@ -25,6 +25,7 @@ enum km_type {
67280 + KM_IRQ1,
67281 + KM_SOFTIRQ0,
67282 + KM_SOFTIRQ1,
67283 ++ KM_CLEARPAGE,
67284 + KM_TYPE_NR
67285 + };
67286 +
67287 +diff -urNp linux-2.6.24.5/include/linux/a.out.h linux-2.6.24.5/include/linux/a.out.h
67288 +--- linux-2.6.24.5/include/linux/a.out.h 2008-03-24 14:49:18.000000000 -0400
67289 ++++ linux-2.6.24.5/include/linux/a.out.h 2008-03-26 20:21:09.000000000 -0400
67290 +@@ -7,6 +7,16 @@
67291 +
67292 + #include <asm/a.out.h>
67293 +
67294 ++#ifdef CONFIG_PAX_RANDUSTACK
67295 ++#define __DELTA_STACK (current->mm->delta_stack)
67296 ++#else
67297 ++#define __DELTA_STACK 0UL
67298 ++#endif
67299 ++
67300 ++#ifndef STACK_TOP
67301 ++#define STACK_TOP (__STACK_TOP - __DELTA_STACK)
67302 ++#endif
67303 ++
67304 + #endif /* __STRUCT_EXEC_OVERRIDE__ */
67305 +
67306 + /* these go in the N_MACHTYPE field */
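Review bot: The new `STACK_TOP` expands to `current->mm->delta_stack` under `CONFIG_PAX_RANDUSTACK`, so it cannot be used where `current->mm` may be NULL or is not yet the new exec's mm; callers need checking for that. The block also lands inside the `#ifndef __STRUCT_EXEC_OVERRIDE__` region (see the `#endif /* __STRUCT_EXEC_OVERRIDE__ */` that follows it), so architectures that define that symbol never get the randomised `STACK_TOP`; it probably belongs after that `#endif`.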
67307 +@@ -37,6 +47,14 @@ enum machine_type {
67308 + M_MIPS2 = 152 /* MIPS R6000/R4000 binary */
67309 + };
67310 +
67311 ++/* Constants for the N_FLAGS field */
67312 ++#define F_PAX_PAGEEXEC 1 /* Paging based non-executable pages */
67313 ++#define F_PAX_EMUTRAMP 2 /* Emulate trampolines */
67314 ++#define F_PAX_MPROTECT 4 /* Restrict mprotect() */
67315 ++#define F_PAX_RANDMMAP 8 /* Randomize mmap() base */
67316 ++/*#define F_PAX_RANDEXEC 16*/ /* Randomize ET_EXEC base */
67317 ++#define F_PAX_SEGMEXEC 32 /* Segmentation based non-executable pages */
67318 ++
67319 + #if !defined (N_MAGIC)
67320 + #define N_MAGIC(exec) ((exec).a_info & 0xffff)
67321 + #endif
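Review bot: `F_PAX_*` duplicate the `EF_PAX_*` values this patch also adds to `linux/elf.h`, including the retired RANDEXEC bit kept as a comment; keeping the commented-out bit 16 is right (it stays reserved, so an old binary marked with it is not reinterpreted), but consider defining the two sets in one place so they cannot drift.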
67322 +diff -urNp linux-2.6.24.5/include/linux/binfmts.h linux-2.6.24.5/include/linux/binfmts.h
67323 +--- linux-2.6.24.5/include/linux/binfmts.h 2008-03-24 14:49:18.000000000 -0400
67324 ++++ linux-2.6.24.5/include/linux/binfmts.h 2008-03-26 20:21:09.000000000 -0400
67325 +@@ -49,6 +49,7 @@ struct linux_binprm{
67326 + unsigned interp_data;
67327 + unsigned long loader, exec;
67328 + unsigned long argv_len;
67329 ++ int misc;
67330 + };
67331 +
67332 + #define BINPRM_FLAGS_ENFORCE_NONDUMP_BIT 0
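Review bot: `int misc;` in `struct linux_binprm` says nothing about what it holds; give the field a descriptive name or at least a comment stating what is carried through exec in it, since `linux_binprm` is read by every binfmt handler.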
67333 +@@ -100,5 +101,8 @@ extern void compute_creds(struct linux_b
67334 + extern int do_coredump(long signr, int exit_code, struct pt_regs * regs);
67335 + extern int set_binfmt(struct linux_binfmt *new);
67336 +
67337 ++void pax_report_fault(struct pt_regs *regs, void *pc, void *sp);
67338 ++void pax_report_insns(void *pc, void *sp);
67339 ++
67340 + #endif /* __KERNEL__ */
67341 + #endif /* _LINUX_BINFMTS_H */
67342 +diff -urNp linux-2.6.24.5/include/linux/cache.h linux-2.6.24.5/include/linux/cache.h
67343 +--- linux-2.6.24.5/include/linux/cache.h 2008-03-24 14:49:18.000000000 -0400
67344 ++++ linux-2.6.24.5/include/linux/cache.h 2008-03-26 20:21:09.000000000 -0400
67345 +@@ -16,6 +16,10 @@
67346 + #define __read_mostly
67347 + #endif
67348 +
67349 ++#ifndef __read_only
67350 ++#define __read_only __read_mostly
67351 ++#endif
67352 ++
67353 + #ifndef ____cacheline_aligned
67354 + #define ____cacheline_aligned __attribute__((__aligned__(SMP_CACHE_BYTES)))
67355 + #endif
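Review bot: `__read_only` falls back to `__read_mostly`, which only influences placement and provides no write protection; document that it is a placement hint unless an architecture redefines it to put the data in a section that is actually mapped read-only after init, so nobody relies on the name alone for a security property.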
67356 +diff -urNp linux-2.6.24.5/include/linux/capability.h linux-2.6.24.5/include/linux/capability.h
67357 +--- linux-2.6.24.5/include/linux/capability.h 2008-03-24 14:49:18.000000000 -0400
67358 ++++ linux-2.6.24.5/include/linux/capability.h 2008-03-26 20:21:09.000000000 -0400
67359 +@@ -373,6 +373,7 @@ static inline kernel_cap_t cap_invert(ke
67360 + #define cap_is_fs_cap(c) (CAP_TO_MASK(c) & CAP_FS_MASK)
67361 +
67362 + int capable(int cap);
67363 ++int capable_nolog(int cap);
67364 + int __capable(struct task_struct *t, int cap);
67365 +
67366 + #endif /* __KERNEL__ */
67367 +diff -urNp linux-2.6.24.5/include/linux/elf.h linux-2.6.24.5/include/linux/elf.h
67368 +--- linux-2.6.24.5/include/linux/elf.h 2008-03-24 14:49:18.000000000 -0400
67369 ++++ linux-2.6.24.5/include/linux/elf.h 2008-03-26 20:21:09.000000000 -0400
67370 +@@ -7,6 +7,10 @@
67371 +
67372 + struct file;
67373 +
67374 ++#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
67375 ++#undef elf_read_implies_exec
67376 ++#endif
67377 ++
67378 + #ifndef elf_read_implies_exec
67379 + /* Executables for which elf_read_implies_exec() returns TRUE will
67380 + have the READ_IMPLIES_EXEC personality flag set automatically.
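Review bot: `#undef elf_read_implies_exec` under PAGEEXEC/SEGMEXEC drops the arch override and falls through to the generic definition below, which returns 0, so binaries without a `PT_GNU_STACK` header no longer get `READ_IMPLIES_EXEC`; that is the intended hardening, but it changes behaviour for old binaries and should be stated in a comment at the `#undef` (with a pointer to the EMUTRAMP option this patch adds as the mitigation for trampolines such binaries rely on).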
67381 +@@ -48,6 +52,16 @@ typedef __s64 Elf64_Sxword;
67382 +
67383 + #define PT_GNU_STACK (PT_LOOS + 0x474e551)
67384 +
67385 ++#define PT_PAX_FLAGS (PT_LOOS + 0x5041580)
67386 ++
67387 ++/* Constants for the e_flags field */
67388 ++#define EF_PAX_PAGEEXEC 1 /* Paging based non-executable pages */
67389 ++#define EF_PAX_EMUTRAMP 2 /* Emulate trampolines */
67390 ++#define EF_PAX_MPROTECT 4 /* Restrict mprotect() */
67391 ++#define EF_PAX_RANDMMAP 8 /* Randomize mmap() base */
67392 ++/*#define EF_PAX_RANDEXEC 16*/ /* Randomize ET_EXEC base */
67393 ++#define EF_PAX_SEGMEXEC 32 /* Segmentation based non-executable pages */
67394 ++
67395 + /* These constants define the different elf file types */
67396 + #define ET_NONE 0
67397 + #define ET_REL 1
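Review bot: `PT_PAX_FLAGS` is `PT_LOOS + 0x5041580`, i.e. the bytes "PAX" followed by 0, mirroring how `PT_GNU_STACK` encodes "GNU"; say so in a comment, since the literal looks arbitrary. The `EF_PAX_*` set keeps bit 16 reserved for the retired RANDEXEC as a comment, which is correct; add a note that the bit must not be reused.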
67398 +@@ -82,6 +96,8 @@ typedef __s64 Elf64_Sxword;
67399 + #define DT_DEBUG 21
67400 + #define DT_TEXTREL 22
67401 + #define DT_JMPREL 23
67402 ++#define DT_FLAGS 30
67403 ++ #define DF_TEXTREL 0x00000004
67404 + #define DT_ENCODING 32
67405 + #define OLD_DT_LOOS 0x60000000
67406 + #define DT_LOOS 0x6000000d
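Review bot: Style: `#define DF_TEXTREL 0x00000004` is indented one space deeper than the surrounding `DT_*` defines; align it or group the `DF_*` flags under their own comment so it does not read as a stray edit. The values themselves match the ELF specification (`DT_FLAGS` = 30, `DF_TEXTREL` = 4).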
67407 +@@ -228,6 +244,19 @@ typedef struct elf64_hdr {
67408 + #define PF_W 0x2
67409 + #define PF_X 0x1
67410 +
67411 ++#define PF_PAGEEXEC (1U << 4) /* Enable PAGEEXEC */
67412 ++#define PF_NOPAGEEXEC (1U << 5) /* Disable PAGEEXEC */
67413 ++#define PF_SEGMEXEC (1U << 6) /* Enable SEGMEXEC */
67414 ++#define PF_NOSEGMEXEC (1U << 7) /* Disable SEGMEXEC */
67415 ++#define PF_MPROTECT (1U << 8) /* Enable MPROTECT */
67416 ++#define PF_NOMPROTECT (1U << 9) /* Disable MPROTECT */
67417 ++/*#define PF_RANDEXEC (1U << 10)*/ /* Enable RANDEXEC */
67418 ++/*#define PF_NORANDEXEC (1U << 11)*/ /* Disable RANDEXEC */
67419 ++#define PF_EMUTRAMP (1U << 12) /* Enable EMUTRAMP */
67420 ++#define PF_NOEMUTRAMP (1U << 13) /* Disable EMUTRAMP */
67421 ++#define PF_RANDMMAP (1U << 14) /* Enable RANDMMAP */
67422 ++#define PF_NORANDMMAP (1U << 15) /* Disable RANDMMAP */
67423 ++
67424 + typedef struct elf32_phdr{
67425 + Elf32_Word p_type;
67426 + Elf32_Off p_offset;
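Review bot: The `PF_PAGEEXEC` to `PF_NORANDMMAP` bits (4 to 15) sit next to the generic `PF_R`/`PF_W`/`PF_X` values but are only meaningful in the `p_flags` of a `PT_PAX_FLAGS` header, and they lie outside the ELF `PF_MASKOS` range (0x0ff00000) reserved for OS-specific flags; add a comment tying them to `PT_PAX_FLAGS` so they are never applied to a `PT_LOAD`. Each feature has an enable and a disable bit, so the loader's treatment of "both set" and "neither set" should be documented where these are defined.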
67427 +@@ -320,6 +349,8 @@ typedef struct elf64_shdr {
67428 + #define EI_OSABI 7
67429 + #define EI_PAD 8
67430 +
67431 ++#define EI_PAX 14
67432 ++
67433 + #define ELFMAG0 0x7f /* EI_MAG */
67434 + #define ELFMAG1 'E'
67435 + #define ELFMAG2 'L'
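Review bot: `EI_PAX` is 14, i.e. inside the `e_ident` padding that starts at `EI_PAD` (8); tools that normalise padding bytes to zero will erase these markings, which is presumably why the `PT_PAX_FLAGS` program header exists. Note next to the define that this is the legacy marking and which of the two wins when both are present.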
67436 +@@ -378,6 +409,7 @@ extern Elf32_Dyn _DYNAMIC [];
67437 + #define elf_phdr elf32_phdr
67438 + #define elf_note elf32_note
67439 + #define elf_addr_t Elf32_Off
67440 ++#define elf_dyn Elf32_Dyn
67441 +
67442 + #else
67443 +
67444 +@@ -386,6 +418,7 @@ extern Elf64_Dyn _DYNAMIC [];
67445 + #define elf_phdr elf64_phdr
67446 + #define elf_note elf64_note
67447 + #define elf_addr_t Elf64_Off
67448 ++#define elf_dyn Elf64_Dyn
67449 +
67450 + #endif
67451 +
67452 +diff -urNp linux-2.6.24.5/include/linux/ext4_fs_extents.h linux-2.6.24.5/include/linux/ext4_fs_extents.h
67453 +--- linux-2.6.24.5/include/linux/ext4_fs_extents.h 2008-03-24 14:49:18.000000000 -0400
67454 ++++ linux-2.6.24.5/include/linux/ext4_fs_extents.h 2008-03-26 20:21:09.000000000 -0400
67455 +@@ -50,7 +50,7 @@
67456 + #ifdef EXT_DEBUG
67457 + #define ext_debug(a...) printk(a)
67458 + #else
67459 +-#define ext_debug(a...)
67460 ++#define ext_debug(a...) do {} while (0)
67461 + #endif
67462 +
67463 + /*
67464 +diff -urNp linux-2.6.24.5/include/linux/gracl.h linux-2.6.24.5/include/linux/gracl.h
67465 +--- linux-2.6.24.5/include/linux/gracl.h 1969-12-31 19:00:00.000000000 -0500
67466 ++++ linux-2.6.24.5/include/linux/gracl.h 2008-03-26 20:21:09.000000000 -0400
67467 +@@ -0,0 +1,317 @@
67468 ++#ifndef GR_ACL_H
67469 ++#define GR_ACL_H
67470 ++
67471 ++#include <linux/grdefs.h>
67472 ++#include <linux/resource.h>
67473 ++#include <linux/dcache.h>
67474 ++#include <asm/resource.h>
67475 ++
67476 ++/* Major status information */
67477 ++
67478 ++#define GR_VERSION "grsecurity 2.1.11"
67479 ++#define GRSECURITY_VERSION 0x2111
67480 ++
67481 ++enum {
67482 ++
67483 ++ SHUTDOWN = 0,
67484 ++ ENABLE = 1,
67485 ++ SPROLE = 2,
67486 ++ RELOAD = 3,
67487 ++ SEGVMOD = 4,
67488 ++ STATUS = 5,
67489 ++ UNSPROLE = 6,
67490 ++ PASSSET = 7,
67491 ++ SPROLEPAM = 8
67492 ++};
67493 ++
67494 ++/* Password setup definitions
67495 ++ * kernel/grhash.c */
67496 ++enum {
67497 ++ GR_PW_LEN = 128,
67498 ++ GR_SALT_LEN = 16,
67499 ++ GR_SHA_LEN = 32,
67500 ++};
67501 ++
67502 ++enum {
67503 ++ GR_SPROLE_LEN = 64,
67504 ++};
67505 ++
67506 ++#define GR_NLIMITS (RLIMIT_LOCKS + 2)
67507 ++
67508 ++/* Begin Data Structures */
67509 ++
67510 ++struct sprole_pw {
67511 ++ unsigned char *rolename;
67512 ++ unsigned char salt[GR_SALT_LEN];
67513 ++ unsigned char sum[GR_SHA_LEN]; /* 256-bit SHA hash of the password */
67514 ++};
67515 ++
67516 ++struct name_entry {
67517 ++ __u32 key;
67518 ++ ino_t inode;
67519 ++ dev_t device;
67520 ++ char *name;
67521 ++ __u16 len;
67522 ++ __u8 deleted;
67523 ++ struct name_entry *prev;
67524 ++ struct name_entry *next;
67525 ++};
67526 ++
67527 ++struct inodev_entry {
67528 ++ struct name_entry *nentry;
67529 ++ struct inodev_entry *prev;
67530 ++ struct inodev_entry *next;
67531 ++};
67532 ++
67533 ++struct acl_role_db {
67534 ++ struct acl_role_label **r_hash;
67535 ++ __u32 r_size;
67536 ++};
67537 ++
67538 ++struct inodev_db {
67539 ++ struct inodev_entry **i_hash;
67540 ++ __u32 i_size;
67541 ++};
67542 ++
67543 ++struct name_db {
67544 ++ struct name_entry **n_hash;
67545 ++ __u32 n_size;
67546 ++};
67547 ++
67548 ++struct crash_uid {
67549 ++ uid_t uid;
67550 ++ unsigned long expires;
67551 ++};
67552 ++
67553 ++struct gr_hash_struct {
67554 ++ void **table;
67555 ++ void **nametable;
67556 ++ void *first;
67557 ++ __u32 table_size;
67558 ++ __u32 used_size;
67559 ++ int type;
67560 ++};
67561 ++
67562 ++/* Userspace Grsecurity ACL data structures */
67563 ++
67564 ++struct acl_subject_label {
67565 ++ char *filename;
67566 ++ ino_t inode;
67567 ++ dev_t device;
67568 ++ __u32 mode;
67569 ++ __u32 cap_mask;
67570 ++ __u32 cap_lower;
67571 ++
67572 ++ struct rlimit res[GR_NLIMITS];
67573 ++ __u16 resmask;
67574 ++
67575 ++ __u8 user_trans_type;
67576 ++ __u8 group_trans_type;
67577 ++ uid_t *user_transitions;
67578 ++ gid_t *group_transitions;
67579 ++ __u16 user_trans_num;
67580 ++ __u16 group_trans_num;
67581 ++
67582 ++ __u32 ip_proto[8];
67583 ++ __u32 ip_type;
67584 ++ struct acl_ip_label **ips;
67585 ++ __u32 ip_num;
67586 ++
67587 ++ __u32 crashes;
67588 ++ unsigned long expires;
67589 ++
67590 ++ struct acl_subject_label *parent_subject;
67591 ++ struct gr_hash_struct *hash;
67592 ++ struct acl_subject_label *prev;
67593 ++ struct acl_subject_label *next;
67594 ++
67595 ++ struct acl_object_label **obj_hash;
67596 ++ __u32 obj_hash_size;
67597 ++ __u16 pax_flags;
67598 ++};
67599 ++
67600 ++struct role_allowed_ip {
67601 ++ __u32 addr;
67602 ++ __u32 netmask;
67603 ++
67604 ++ struct role_allowed_ip *prev;
67605 ++ struct role_allowed_ip *next;
67606 ++};
67607 ++
67608 ++struct role_transition {
67609 ++ char *rolename;
67610 ++
67611 ++ struct role_transition *prev;
67612 ++ struct role_transition *next;
67613 ++};
67614 ++
67615 ++struct acl_role_label {
67616 ++ char *rolename;
67617 ++ uid_t uidgid;
67618 ++ __u16 roletype;
67619 ++
67620 ++ __u16 auth_attempts;
67621 ++ unsigned long expires;
67622 ++
67623 ++ struct acl_subject_label *root_label;
67624 ++ struct gr_hash_struct *hash;
67625 ++
67626 ++ struct acl_role_label *prev;
67627 ++ struct acl_role_label *next;
67628 ++
67629 ++ struct role_transition *transitions;
67630 ++ struct role_allowed_ip *allowed_ips;
67631 ++ uid_t *domain_children;
67632 ++ __u16 domain_child_num;
67633 ++
67634 ++ struct acl_subject_label **subj_hash;
67635 ++ __u32 subj_hash_size;
67636 ++};
67637 ++
67638 ++struct user_acl_role_db {
67639 ++ struct acl_role_label **r_table;
67640 ++ __u32 num_pointers; /* Number of allocations to track */
67641 ++ __u32 num_roles; /* Number of roles */
67642 ++ __u32 num_domain_children; /* Number of domain children */
67643 ++ __u32 num_subjects; /* Number of subjects */
67644 ++ __u32 num_objects; /* Number of objects */
67645 ++};
67646 ++
67647 ++struct acl_object_label {
67648 ++ char *filename;
67649 ++ ino_t inode;
67650 ++ dev_t device;
67651 ++ __u32 mode;
67652 ++
67653 ++ struct acl_subject_label *nested;
67654 ++ struct acl_object_label *globbed;
67655 ++
67656 ++ /* next two structures not used */
67657 ++
67658 ++ struct acl_object_label *prev;
67659 ++ struct acl_object_label *next;
67660 ++};
67661 ++
67662 ++struct acl_ip_label {
67663 ++ char *iface;
67664 ++ __u32 addr;
67665 ++ __u32 netmask;
67666 ++ __u16 low, high;
67667 ++ __u8 mode;
67668 ++ __u32 type;
67669 ++ __u32 proto[8];
67670 ++
67671 ++ /* next two structures not used */
67672 ++
67673 ++ struct acl_ip_label *prev;
67674 ++ struct acl_ip_label *next;
67675 ++};
67676 ++
67677 ++struct gr_arg {
67678 ++ struct user_acl_role_db role_db;
67679 ++ unsigned char pw[GR_PW_LEN];
67680 ++ unsigned char salt[GR_SALT_LEN];
67681 ++ unsigned char sum[GR_SHA_LEN];
67682 ++ unsigned char sp_role[GR_SPROLE_LEN];
67683 ++ struct sprole_pw *sprole_pws;
67684 ++ dev_t segv_device;
67685 ++ ino_t segv_inode;
67686 ++ uid_t segv_uid;
67687 ++ __u16 num_sprole_pws;
67688 ++ __u16 mode;
67689 ++};
67690 ++
67691 ++struct gr_arg_wrapper {
67692 ++ struct gr_arg *arg;
67693 ++ __u32 version;
67694 ++ __u32 size;
67695 ++};
67696 ++
67697 ++struct subject_map {
67698 ++ struct acl_subject_label *user;
67699 ++ struct acl_subject_label *kernel;
67700 ++ struct subject_map *prev;
67701 ++ struct subject_map *next;
67702 ++};
67703 ++
67704 ++struct acl_subj_map_db {
67705 ++ struct subject_map **s_hash;
67706 ++ __u32 s_size;
67707 ++};
67708 ++
67709 ++/* End Data Structures Section */
67710 ++
67711 ++/* Hash functions generated by empirical testing by Brad Spengler
67712 ++ Makes good use of the low bits of the inode. Generally 0-1 times
67713 ++ in loop for successful match. 0-3 for unsuccessful match.
67714 ++ Shift/add algorithm with modulus of table size and an XOR*/
67715 ++
67716 ++static __inline__ unsigned int
67717 ++rhash(const uid_t uid, const __u16 type, const unsigned int sz)
67718 ++{
67719 ++ return (((uid << type) + (uid ^ type)) % sz);
67720 ++}
67721 ++
67722 ++ static __inline__ unsigned int
67723 ++shash(const struct acl_subject_label *userp, const unsigned int sz)
67724 ++{
67725 ++ return ((const unsigned long)userp % sz);
67726 ++}
67727 ++
67728 ++static __inline__ unsigned int
67729 ++fhash(const ino_t ino, const dev_t dev, const unsigned int sz)
67730 ++{
67731 ++ return (((ino + dev) ^ ((ino << 13) + (ino << 23) + (dev << 9))) % sz);
67732 ++}
67733 ++
67734 ++static __inline__ unsigned int
67735 ++nhash(const char *name, const __u16 len, const unsigned int sz)
67736 ++{
67737 ++ return full_name_hash(name, len) % sz;
67738 ++}
67739 ++
67740 ++#define FOR_EACH_ROLE_START(role,iter) \
67741 ++ role = NULL; \
67742 ++ iter = 0; \
67743 ++ while (iter < acl_role_set.r_size) { \
67744 ++ if (role == NULL) \
67745 ++ role = acl_role_set.r_hash[iter]; \
67746 ++ if (role == NULL) { \
67747 ++ iter++; \
67748 ++ continue; \
67749 ++ }
67750 ++
67751 ++#define FOR_EACH_ROLE_END(role,iter) \
67752 ++ role = role->next; \
67753 ++ if (role == NULL) \
67754 ++ iter++; \
67755 ++ }
67756 ++
67757 ++#define FOR_EACH_SUBJECT_START(role,subj,iter) \
67758 ++ subj = NULL; \
67759 ++ iter = 0; \
67760 ++ while (iter < role->subj_hash_size) { \
67761 ++ if (subj == NULL) \
67762 ++ subj = role->subj_hash[iter]; \
67763 ++ if (subj == NULL) { \
67764 ++ iter++; \
67765 ++ continue; \
67766 ++ }
67767 ++
67768 ++#define FOR_EACH_SUBJECT_END(subj,iter) \
67769 ++ subj = subj->next; \
67770 ++ if (subj == NULL) \
67771 ++ iter++; \
67772 ++ }
67773 ++
67774 ++
67775 ++#define FOR_EACH_NESTED_SUBJECT_START(role,subj) \
67776 ++ subj = role->hash->first; \
67777 ++ while (subj != NULL) {
67778 ++
67779 ++#define FOR_EACH_NESTED_SUBJECT_END(subj) \
67780 ++ subj = subj->next; \
67781 ++ }
67782 ++
67783 ++#endif
67784 ++
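Review bot: `rhash()` computes `uid << type` where `type` is a `__u16`; the `GR_ROLE_*` values defined in `grdefs.h` go up to 0x0400, and shifting a 32-bit `uid_t` by 32 or more is undefined behaviour, so either document that callers only pass one of the low role bits or mask the shift count. Further points in this file: `shash()` hashes a userspace pointer cast to `unsigned long`, which is fine for mapping user to kernel subjects but should say so; `GR_NLIMITS` is derived from `RLIMIT_LOCKS + 2` rather than `RLIM_NLIMITS`, so rlimits added after `RLIMIT_LOCKS` cannot be expressed in `res[]`; `struct sprole_pw` stores what the comment calls a 256-bit SHA hash of the role password with a 16-byte salt, and if that is a single hash invocation it is cheap to brute-force offline should the policy file leak, so an iterated construction would be preferable; and there is a stray leading space before `static __inline__` on `shash()`.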
67785 +diff -urNp linux-2.6.24.5/include/linux/gralloc.h linux-2.6.24.5/include/linux/gralloc.h
67786 +--- linux-2.6.24.5/include/linux/gralloc.h 1969-12-31 19:00:00.000000000 -0500
67787 ++++ linux-2.6.24.5/include/linux/gralloc.h 2008-03-26 20:21:09.000000000 -0400
67788 +@@ -0,0 +1,8 @@
67789 ++#ifndef __GRALLOC_H
67790 ++#define __GRALLOC_H
67791 ++
67792 ++void acl_free_all(void);
67793 ++int acl_alloc_stack_init(unsigned long size);
67794 ++void *acl_alloc(unsigned long len);
67795 ++
67796 ++#endif
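Review bot: the three prototypes carry no documentation of the contract behind them: whether `acl_alloc()` can return NULL and must be checked by every caller, whether the memory it hands out is zeroed, what `size` to `acl_alloc_stack_init()` counts (bytes or number of allocations) and what it returns on failure, and whether `acl_free_all()` releases everything obtained via `acl_alloc()` since the last init. A short comment block above the prototypes would settle that for the code that consumes this header.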
67797 +diff -urNp linux-2.6.24.5/include/linux/grdefs.h linux-2.6.24.5/include/linux/grdefs.h
67798 +--- linux-2.6.24.5/include/linux/grdefs.h 1969-12-31 19:00:00.000000000 -0500
67799 ++++ linux-2.6.24.5/include/linux/grdefs.h 2008-03-26 20:21:09.000000000 -0400
67800 +@@ -0,0 +1,131 @@
67801 ++#ifndef GRDEFS_H
67802 ++#define GRDEFS_H
67803 ++
67804 ++/* Begin grsecurity status declarations */
67805 ++
67806 ++enum {
67807 ++ GR_READY = 0x01,
67808 ++ GR_STATUS_INIT = 0x00 // disabled state
67809 ++};
67810 ++
67811 ++/* Begin ACL declarations */
67812 ++
67813 ++/* Role flags */
67814 ++
67815 ++enum {
67816 ++ GR_ROLE_USER = 0x0001,
67817 ++ GR_ROLE_GROUP = 0x0002,
67818 ++ GR_ROLE_DEFAULT = 0x0004,
67819 ++ GR_ROLE_SPECIAL = 0x0008,
67820 ++ GR_ROLE_AUTH = 0x0010,
67821 ++ GR_ROLE_NOPW = 0x0020,
67822 ++ GR_ROLE_GOD = 0x0040,
67823 ++ GR_ROLE_LEARN = 0x0080,
67824 ++ GR_ROLE_TPE = 0x0100,
67825 ++ GR_ROLE_DOMAIN = 0x0200,
67826 ++ GR_ROLE_PAM = 0x0400
67827 ++};
67828 ++
67829 ++/* ACL Subject and Object mode flags */
67830 ++enum {
67831 ++ GR_DELETED = 0x80000000
67832 ++};
67833 ++
67834 ++/* ACL Object-only mode flags */
67835 ++enum {
67836 ++ GR_READ = 0x00000001,
67837 ++ GR_APPEND = 0x00000002,
67838 ++ GR_WRITE = 0x00000004,
67839 ++ GR_EXEC = 0x00000008,
67840 ++ GR_FIND = 0x00000010,
67841 ++ GR_INHERIT = 0x00000020,
67842 ++ GR_SETID = 0x00000040,
67843 ++ GR_CREATE = 0x00000080,
67844 ++ GR_DELETE = 0x00000100,
67845 ++ GR_LINK = 0x00000200,
67846 ++ GR_AUDIT_READ = 0x00000400,
67847 ++ GR_AUDIT_APPEND = 0x00000800,
67848 ++ GR_AUDIT_WRITE = 0x00001000,
67849 ++ GR_AUDIT_EXEC = 0x00002000,
67850 ++ GR_AUDIT_FIND = 0x00004000,
67851 ++ GR_AUDIT_INHERIT= 0x00008000,
67852 ++ GR_AUDIT_SETID = 0x00010000,
67853 ++ GR_AUDIT_CREATE = 0x00020000,
67854 ++ GR_AUDIT_DELETE = 0x00040000,
67855 ++ GR_AUDIT_LINK = 0x00080000,
67856 ++ GR_PTRACERD = 0x00100000,
67857 ++ GR_NOPTRACE = 0x00200000,
67858 ++ GR_SUPPRESS = 0x00400000,
67859 ++ GR_NOLEARN = 0x00800000
67860 ++};
67861 ++
67862 ++#define GR_AUDITS (GR_AUDIT_READ | GR_AUDIT_WRITE | GR_AUDIT_APPEND | GR_AUDIT_EXEC | \
67863 ++ GR_AUDIT_FIND | GR_AUDIT_INHERIT | GR_AUDIT_SETID | \
67864 ++ GR_AUDIT_CREATE | GR_AUDIT_DELETE | GR_AUDIT_LINK)
67865 ++
67866 ++/* ACL subject-only mode flags */
67867 ++enum {
67868 ++ GR_KILL = 0x00000001,
67869 ++ GR_VIEW = 0x00000002,
67870 ++ GR_PROTECTED = 0x00000004,
67871 ++ GR_LEARN = 0x00000008,
67872 ++ GR_OVERRIDE = 0x00000010,
67873 ++ /* just a placeholder, this mode is only used in userspace */
67874 ++ GR_DUMMY = 0x00000020,
67875 ++ GR_PROTSHM = 0x00000040,
67876 ++ GR_KILLPROC = 0x00000080,
67877 ++ GR_KILLIPPROC = 0x00000100,
67878 ++ /* just a placeholder, this mode is only used in userspace */
67879 ++ GR_NOTROJAN = 0x00000200,
67880 ++ GR_PROTPROCFD = 0x00000400,
67881 ++ GR_PROCACCT = 0x00000800,
67882 ++ GR_RELAXPTRACE = 0x00001000,
67883 ++ GR_NESTED = 0x00002000,
67884 ++ GR_INHERITLEARN = 0x00004000,
67885 ++ GR_PROCFIND = 0x00008000,
67886 ++ GR_POVERRIDE = 0x00010000,
67887 ++ GR_KERNELAUTH = 0x00020000,
67888 ++};
67889 ++
67890 ++enum {
67891 ++ GR_PAX_ENABLE_SEGMEXEC = 0x0001,
67892 ++ GR_PAX_ENABLE_PAGEEXEC = 0x0002,
67893 ++ GR_PAX_ENABLE_MPROTECT = 0x0004,
67894 ++ GR_PAX_ENABLE_RANDMMAP = 0x0008,
67895 ++ GR_PAX_ENABLE_EMUTRAMP = 0x0010,
67896 ++ GR_PAX_DISABLE_SEGMEXEC = 0x0100,
67897 ++ GR_PAX_DISABLE_PAGEEXEC = 0x0200,
67898 ++ GR_PAX_DISABLE_MPROTECT = 0x0400,
67899 ++ GR_PAX_DISABLE_RANDMMAP = 0x0800,
67900 ++ GR_PAX_DISABLE_EMUTRAMP = 0x1000,
67901 ++};
67902 ++
67903 ++enum {
67904 ++ GR_ID_USER = 0x01,
67905 ++ GR_ID_GROUP = 0x02,
67906 ++};
67907 ++
67908 ++enum {
67909 ++ GR_ID_ALLOW = 0x01,
67910 ++ GR_ID_DENY = 0x02,
67911 ++};
67912 ++
67913 ++#define GR_CRASH_RES 11
67914 ++#define GR_UIDTABLE_MAX 500
67915 ++
67916 ++/* begin resource learning section */
67917 ++enum {
67918 ++ GR_RLIM_CPU_BUMP = 60,
67919 ++ GR_RLIM_FSIZE_BUMP = 50000,
67920 ++ GR_RLIM_DATA_BUMP = 10000,
67921 ++ GR_RLIM_STACK_BUMP = 1000,
67922 ++ GR_RLIM_CORE_BUMP = 10000,
67923 ++ GR_RLIM_RSS_BUMP = 500000,
67924 ++ GR_RLIM_NPROC_BUMP = 1,
67925 ++ GR_RLIM_NOFILE_BUMP = 5,
67926 ++ GR_RLIM_MEMLOCK_BUMP = 50000,
67927 ++ GR_RLIM_AS_BUMP = 500000,
67928 ++ GR_RLIM_LOCKS_BUMP = 2
67929 ++};
67930 ++
67931 ++#endif
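Review bot: `GR_DELETED = 0x80000000` does not fit in an `int`, so ISO C does not allow it as an enumerator; gcc accepts it by giving the constant type `unsigned int`, which makes any arithmetic or comparison with a signed mode value mixed-sign and liable to trip `-Wsign-compare`. A `#define GR_DELETED 0x80000000U` (or an explicit `U` suffix with a comment) makes the intent visible. Smaller points in the same hunk: `GR_STATUS_INIT = 0x00 // disabled state` uses a `//` comment where the rest of the file uses `/* */`; `GR_CRASH_RES 11` and `GR_UIDTABLE_MAX 500` are undocumented magic numbers (what is 11 an index into?); and the `GR_RLIM_*_BUMP` values give no units (seconds for CPU, bytes for FSIZE/DATA/CORE, counts for NPROC/NOFILE/LOCKS?), which anyone tuning resource learning will need.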
67932 +diff -urNp linux-2.6.24.5/include/linux/grinternal.h linux-2.6.24.5/include/linux/grinternal.h
67933 +--- linux-2.6.24.5/include/linux/grinternal.h 1969-12-31 19:00:00.000000000 -0500
67934 ++++ linux-2.6.24.5/include/linux/grinternal.h 2008-03-26 20:21:09.000000000 -0400
67935 +@@ -0,0 +1,210 @@
67936 ++#ifndef __GRINTERNAL_H
67937 ++#define __GRINTERNAL_H
67938 ++
67939 ++#ifdef CONFIG_GRKERNSEC
67940 ++
67941 ++#include <linux/fs.h>
67942 ++#include <linux/gracl.h>
67943 ++#include <linux/grdefs.h>
67944 ++#include <linux/grmsg.h>
67945 ++
67946 ++void gr_add_learn_entry(const char *fmt, ...);
67947 ++__u32 gr_search_file(const struct dentry *dentry, const __u32 mode,
67948 ++ const struct vfsmount *mnt);
67949 ++__u32 gr_check_create(const struct dentry *new_dentry,
67950 ++ const struct dentry *parent,
67951 ++ const struct vfsmount *mnt, const __u32 mode);
67952 ++int gr_check_protected_task(const struct task_struct *task);
67953 ++__u32 to_gr_audit(const __u32 reqmode);
67954 ++int gr_set_acls(const int type);
67955 ++
67956 ++int gr_acl_is_enabled(void);
67957 ++char gr_roletype_to_char(void);
67958 ++
67959 ++void gr_handle_alertkill(struct task_struct *task);
67960 ++char *gr_to_filename(const struct dentry *dentry,
67961 ++ const struct vfsmount *mnt);
67962 ++char *gr_to_filename1(const struct dentry *dentry,
67963 ++ const struct vfsmount *mnt);
67964 ++char *gr_to_filename2(const struct dentry *dentry,
67965 ++ const struct vfsmount *mnt);
67966 ++char *gr_to_filename3(const struct dentry *dentry,
67967 ++ const struct vfsmount *mnt);
67968 ++
67969 ++extern int grsec_enable_link;
67970 ++extern int grsec_enable_fifo;
67971 ++extern int grsec_enable_execve;
67972 ++extern int grsec_enable_shm;
67973 ++extern int grsec_enable_execlog;
67974 ++extern int grsec_enable_signal;
67975 ++extern int grsec_enable_forkfail;
67976 ++extern int grsec_enable_time;
67977 ++extern int grsec_enable_chroot_shmat;
67978 ++extern int grsec_enable_chroot_findtask;
67979 ++extern int grsec_enable_chroot_mount;
67980 ++extern int grsec_enable_chroot_double;
67981 ++extern int grsec_enable_chroot_pivot;
67982 ++extern int grsec_enable_chroot_chdir;
67983 ++extern int grsec_enable_chroot_chmod;
67984 ++extern int grsec_enable_chroot_mknod;
67985 ++extern int grsec_enable_chroot_fchdir;
67986 ++extern int grsec_enable_chroot_nice;
67987 ++extern int grsec_enable_chroot_execlog;
67988 ++extern int grsec_enable_chroot_caps;
67989 ++extern int grsec_enable_chroot_sysctl;
67990 ++extern int grsec_enable_chroot_unix;
67991 ++extern int grsec_enable_tpe;
67992 ++extern int grsec_tpe_gid;
67993 ++extern int grsec_enable_tpe_all;
67994 ++extern int grsec_enable_sidcaps;
67995 ++extern int grsec_enable_socket_all;
67996 ++extern int grsec_socket_all_gid;
67997 ++extern int grsec_enable_socket_client;
67998 ++extern int grsec_socket_client_gid;
67999 ++extern int grsec_enable_socket_server;
68000 ++extern int grsec_socket_server_gid;
68001 ++extern int grsec_audit_gid;
68002 ++extern int grsec_enable_group;
68003 ++extern int grsec_enable_audit_ipc;
68004 ++extern int grsec_enable_audit_textrel;
68005 ++extern int grsec_enable_mount;
68006 ++extern int grsec_enable_chdir;
68007 ++extern int grsec_resource_logging;
68008 ++extern int grsec_lock;
68009 ++
68010 ++extern spinlock_t grsec_alert_lock;
68011 ++extern unsigned long grsec_alert_wtime;
68012 ++extern unsigned long grsec_alert_fyet;
68013 ++
68014 ++extern spinlock_t grsec_audit_lock;
68015 ++
68016 ++extern rwlock_t grsec_exec_file_lock;
68017 ++
68018 ++#define gr_task_fullpath(tsk) (tsk->exec_file ? \
68019 ++ gr_to_filename2(tsk->exec_file->f_dentry, \
68020 ++ tsk->exec_file->f_vfsmnt) : "/")
68021 ++
68022 ++#define gr_parent_task_fullpath(tsk) (tsk->parent->exec_file ? \
68023 ++ gr_to_filename3(tsk->parent->exec_file->f_dentry, \
68024 ++ tsk->parent->exec_file->f_vfsmnt) : "/")
68025 ++
68026 ++#define gr_task_fullpath0(tsk) (tsk->exec_file ? \
68027 ++ gr_to_filename(tsk->exec_file->f_dentry, \
68028 ++ tsk->exec_file->f_vfsmnt) : "/")
68029 ++
68030 ++#define gr_parent_task_fullpath0(tsk) (tsk->parent->exec_file ? \
68031 ++ gr_to_filename1(tsk->parent->exec_file->f_dentry, \
68032 ++ tsk->parent->exec_file->f_vfsmnt) : "/")
68033 ++
68034 ++#define proc_is_chrooted(tsk_a) ((tsk_a->pid > 1) && (tsk_a->fs != NULL) && \
68035 ++ ((tsk_a->fs->root->d_inode->i_sb->s_dev != \
68036 ++ tsk_a->nsproxy->pid_ns->child_reaper->fs->root->d_inode->i_sb->s_dev) || \
68037 ++ (tsk_a->fs->root->d_inode->i_ino != \
68038 ++ tsk_a->nsproxy->pid_ns->child_reaper->fs->root->d_inode->i_ino)))
68039 ++
68040 ++#define have_same_root(tsk_a,tsk_b) ((tsk_a->fs != NULL) && (tsk_b->fs != NULL) && \
68041 ++ (tsk_a->fs->root->d_inode->i_sb->s_dev == \
68042 ++ tsk_b->fs->root->d_inode->i_sb->s_dev) && \
68043 ++ (tsk_a->fs->root->d_inode->i_ino == \
68044 ++ tsk_b->fs->root->d_inode->i_ino))
68045 ++
68046 ++#define DEFAULTSECARGS(task) gr_task_fullpath(task), task->comm, \
68047 ++ task->pid, task->uid, \
68048 ++ task->euid, task->gid, task->egid, \
68049 ++ gr_parent_task_fullpath(task), \
68050 ++ task->parent->comm, task->parent->pid, \
68051 ++ task->parent->uid, task->parent->euid, \
68052 ++ task->parent->gid, task->parent->egid
68053 ++
68054 ++#define GR_CHROOT_CAPS ( \
68055 ++ CAP_TO_MASK(CAP_LINUX_IMMUTABLE) | CAP_TO_MASK(CAP_NET_ADMIN) | \
68056 ++ CAP_TO_MASK(CAP_SYS_MODULE) | CAP_TO_MASK(CAP_SYS_RAWIO) | \
68057 ++ CAP_TO_MASK(CAP_SYS_PACCT) | CAP_TO_MASK(CAP_SYS_ADMIN) | \
68058 ++ CAP_TO_MASK(CAP_SYS_BOOT) | CAP_TO_MASK(CAP_SYS_TIME) | \
68059 ++ CAP_TO_MASK(CAP_NET_RAW) | CAP_TO_MASK(CAP_SYS_TTY_CONFIG) | \
68060 ++ CAP_TO_MASK(CAP_IPC_OWNER))
68061 ++
68062 ++#define security_learn(normal_msg,args...) \
68063 ++({ \
68064 ++ read_lock(&grsec_exec_file_lock); \
68065 ++ gr_add_learn_entry(normal_msg "\n", ## args); \
68066 ++ read_unlock(&grsec_exec_file_lock); \
68067 ++})
68068 ++
68069 ++enum {
68070 ++ GR_DO_AUDIT,
68071 ++ GR_DONT_AUDIT,
68072 ++ GR_DONT_AUDIT_GOOD
68073 ++};
68074 ++
68075 ++enum {
68076 ++ GR_TTYSNIFF,
68077 ++ GR_RBAC,
68078 ++ GR_RBAC_STR,
68079 ++ GR_STR_RBAC,
68080 ++ GR_RBAC_MODE2,
68081 ++ GR_RBAC_MODE3,
68082 ++ GR_FILENAME,
68083 ++ GR_SYSCTL_HIDDEN,
68084 ++ GR_NOARGS,
68085 ++ GR_ONE_INT,
68086 ++ GR_ONE_INT_TWO_STR,
68087 ++ GR_ONE_STR,
68088 ++ GR_STR_INT,
68089 ++ GR_TWO_INT,
68090 ++ GR_THREE_INT,
68091 ++ GR_FIVE_INT_TWO_STR,
68092 ++ GR_TWO_STR,
68093 ++ GR_THREE_STR,
68094 ++ GR_FOUR_STR,
68095 ++ GR_STR_FILENAME,
68096 ++ GR_FILENAME_STR,
68097 ++ GR_FILENAME_TWO_INT,
68098 ++ GR_FILENAME_TWO_INT_STR,
68099 ++ GR_TEXTREL,
68100 ++ GR_PTRACE,
68101 ++ GR_RESOURCE,
68102 ++ GR_CAP,
68103 ++ GR_SIG,
68104 ++ GR_CRASH1,
68105 ++ GR_CRASH2,
68106 ++ GR_PSACCT
68107 ++};
68108 ++
68109 ++#define gr_log_hidden_sysctl(audit, msg, str) gr_log_varargs(audit, msg, GR_SYSCTL_HIDDEN, str)
68110 ++#define gr_log_ttysniff(audit, msg, task) gr_log_varargs(audit, msg, GR_TTYSNIFF, task)
68111 ++#define gr_log_fs_rbac_generic(audit, msg, dentry, mnt) gr_log_varargs(audit, msg, GR_RBAC, dentry, mnt)
68112 ++#define gr_log_fs_rbac_str(audit, msg, dentry, mnt, str) gr_log_varargs(audit, msg, GR_RBAC_STR, dentry, mnt, str)
68113 ++#define gr_log_fs_str_rbac(audit, msg, str, dentry, mnt) gr_log_varargs(audit, msg, GR_STR_RBAC, str, dentry, mnt)
68114 ++#define gr_log_fs_rbac_mode2(audit, msg, dentry, mnt, str1, str2) gr_log_varargs(audit, msg, GR_RBAC_MODE2, dentry, mnt, str1, str2)
68115 ++#define gr_log_fs_rbac_mode3(audit, msg, dentry, mnt, str1, str2, str3) gr_log_varargs(audit, msg, GR_RBAC_MODE3, dentry, mnt, str1, str2, str3)
68116 ++#define gr_log_fs_generic(audit, msg, dentry, mnt) gr_log_varargs(audit, msg, GR_FILENAME, dentry, mnt)
68117 ++#define gr_log_noargs(audit, msg) gr_log_varargs(audit, msg, GR_NOARGS)
68118 ++#define gr_log_int(audit, msg, num) gr_log_varargs(audit, msg, GR_ONE_INT, num)
68119 ++#define gr_log_int_str2(audit, msg, num, str1, str2) gr_log_varargs(audit, msg, GR_ONE_INT_TWO_STR, num, str1, str2)
68120 ++#define gr_log_str(audit, msg, str) gr_log_varargs(audit, msg, GR_ONE_STR, str)
68121 ++#define gr_log_str_int(audit, msg, str, num) gr_log_varargs(audit, msg, GR_STR_INT, str, num)
68122 ++#define gr_log_int_int(audit, msg, num1, num2) gr_log_varargs(audit, msg, GR_TWO_INT, num1, num2)
68123 ++#define gr_log_int3(audit, msg, num1, num2, num3) gr_log_varargs(audit, msg, GR_THREE_INT, num1, num2, num3)
68124 ++#define gr_log_int5_str2(audit, msg, num1, num2, str1, str2) gr_log_varargs(audit, msg, GR_FIVE_INT_TWO_STR, num1, num2, str1, str2)
68125 ++#define gr_log_str_str(audit, msg, str1, str2) gr_log_varargs(audit, msg, GR_TWO_STR, str1, str2)
68126 ++#define gr_log_str3(audit, msg, str1, str2, str3) gr_log_varargs(audit, msg, GR_THREE_STR, str1, str2, str3)
68127 ++#define gr_log_str4(audit, msg, str1, str2, str3, str4) gr_log_varargs(audit, msg, GR_FOUR_STR, str1, str2, str3, str4)
68128 ++#define gr_log_str_fs(audit, msg, str, dentry, mnt) gr_log_varargs(audit, msg, GR_STR_FILENAME, str, dentry, mnt)
68129 ++#define gr_log_fs_str(audit, msg, dentry, mnt, str) gr_log_varargs(audit, msg, GR_FILENAME_STR, dentry, mnt, str)
68130 ++#define gr_log_fs_int2(audit, msg, dentry, mnt, num1, num2) gr_log_varargs(audit, msg, GR_FILENAME_TWO_INT, dentry, mnt, num1, num2)
68131 ++#define gr_log_fs_int2_str(audit, msg, dentry, mnt, num1, num2, str) gr_log_varargs(audit, msg, GR_FILENAME_TWO_INT_STR, dentry, mnt, num1, num2, str)
68132 ++#define gr_log_textrel_ulong_ulong(audit, msg, file, ulong1, ulong2) gr_log_varargs(audit, msg, GR_TEXTREL, file, ulong1, ulong2)
68133 ++#define gr_log_ptrace(audit, msg, task) gr_log_varargs(audit, msg, GR_PTRACE, task)
68134 ++#define gr_log_res_ulong2_str(audit, msg, task, ulong1, str, ulong2) gr_log_varargs(audit, msg, GR_RESOURCE, task, ulong1, str, ulong2)
68135 ++#define gr_log_cap(audit, msg, task, str) gr_log_varargs(audit, msg, GR_CAP, task, str)
68136 ++#define gr_log_sig(audit, msg, task, num) gr_log_varargs(audit, msg, GR_SIG, task, num)
68137 ++#define gr_log_crash1(audit, msg, task, ulong) gr_log_varargs(audit, msg, GR_CRASH1, task, ulong)
68138 ++#define gr_log_crash2(audit, msg, task, ulong1) gr_log_varargs(audit, msg, GR_CRASH2, task, ulong1)
68139 ++#define gr_log_procacct(audit, msg, task, num1, num2, num3, num4, num5, num6, num7, num8, num9) gr_log_varargs(audit, msg, GR_PSACCT, task, num1, num2, num3, num4, num5, num6, num7, num8, num9)
68140 ++
68141 ++void gr_log_varargs(int audit, const char *msg, int argtypes, ...);
68142 ++
68143 ++#endif
68144 ++
68145 ++#endif
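Review bot: `proc_is_chrooted()` checks `tsk_a->fs != NULL` but then dereferences `tsk_a->nsproxy->pid_ns->child_reaper->fs->root` with no check on `nsproxy` or on the reaper's `fs`; a task that has already passed `exit_task_namespaces()` has `nsproxy == NULL`, so if this macro can be reached for an exiting task (or a reaper whose `fs` has been dropped) it is a NULL dereference. Either guard `tsk_a->nsproxy` and `child_reaper->fs` the same way `tsk_a->fs` is guarded, or document the lock or lifetime that makes them safe to read here. Both it and `have_same_root()` evaluate their task arguments many times, so they must not be called with side-effecting expressions; and comparing only the root inode's `(s_dev, i_ino)` means a chroot whose root is a bind mount of the same directory as the reaper's root is not reported as chrooted, which deserves a comment. Minor: `gr_log_int5_str2` maps to `GR_FIVE_INT_TWO_STR` but only takes `num1, num2`; either the name or the argument list is wrong.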
68146 +diff -urNp linux-2.6.24.5/include/linux/grmsg.h linux-2.6.24.5/include/linux/grmsg.h
68147 +--- linux-2.6.24.5/include/linux/grmsg.h 1969-12-31 19:00:00.000000000 -0500
68148 ++++ linux-2.6.24.5/include/linux/grmsg.h 2008-03-26 20:21:09.000000000 -0400
68149 +@@ -0,0 +1,108 @@
68150 ++#define DEFAULTSECMSG "%.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u, parent %.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u"
68151 ++#define GR_ACL_PROCACCT_MSG "%.256s[%.16s:%d] IP:%u.%u.%u.%u TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u run time:[%ud %uh %um %us] cpu time:[%ud %uh %um %us] %s with exit code %ld, parent %.256s[%.16s:%d] IP:%u.%u.%u.%u TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u"
68152 ++#define GR_PTRACE_ACL_MSG "denied ptrace of %.950s(%.16s:%d) by "
68153 ++#define GR_STOPMOD_MSG "denied modification of module state by "
68154 ++#define GR_IOPERM_MSG "denied use of ioperm() by "
68155 ++#define GR_IOPL_MSG "denied use of iopl() by "
68156 ++#define GR_SHMAT_ACL_MSG "denied attach of shared memory of UID %u, PID %d, ID %u by "
68157 ++#define GR_UNIX_CHROOT_MSG "denied connect() to abstract AF_UNIX socket outside of chroot by "
68158 ++#define GR_SHMAT_CHROOT_MSG "denied attach of shared memory outside of chroot by "
68159 ++#define GR_KMEM_MSG "denied write of /dev/kmem by "
68160 ++#define GR_PORT_OPEN_MSG "denied open of /dev/port by "
68161 ++#define GR_MEM_WRITE_MSG "denied write of /dev/mem by "
68162 ++#define GR_MEM_MMAP_MSG "denied mmap write of /dev/[k]mem by "
68163 ++#define GR_SYMLINK_MSG "not following symlink %.950s owned by %d.%d by "
68164 ++#define GR_LEARN_AUDIT_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%lu\t%lu\t%.4095s\t%lu\t%u.%u.%u.%u"
68165 ++#define GR_ID_LEARN_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%c\t%d\t%d\t%d\t%u.%u.%u.%u"
68166 ++#define GR_HIDDEN_ACL_MSG "%s access to hidden file %.950s by "
68167 ++#define GR_OPEN_ACL_MSG "%s open of %.950s for%s%s by "
68168 ++#define GR_CREATE_ACL_MSG "%s create of %.950s for%s%s by "
68169 ++#define GR_FIFO_MSG "denied writing FIFO %.950s of %d.%d by "
68170 ++#define GR_MKNOD_CHROOT_MSG "denied mknod of %.950s from chroot by "
68171 ++#define GR_MKNOD_ACL_MSG "%s mknod of %.950s by "
68172 ++#define GR_UNIXCONNECT_ACL_MSG "%s connect() to the unix domain socket %.950s by "
68173 ++#define GR_TTYSNIFF_ACL_MSG "terminal being sniffed by IP:%u.%u.%u.%u %.480s[%.16s:%d], parent %.480s[%.16s:%d] against "
68174 ++#define GR_MKDIR_ACL_MSG "%s mkdir of %.950s by "
68175 ++#define GR_RMDIR_ACL_MSG "%s rmdir of %.950s by "
68176 ++#define GR_UNLINK_ACL_MSG "%s unlink of %.950s by "
68177 ++#define GR_SYMLINK_ACL_MSG "%s symlink from %.480s to %.480s by "
68178 ++#define GR_HARDLINK_MSG "denied hardlink of %.930s (owned by %d.%d) to %.30s for "
68179 ++#define GR_LINK_ACL_MSG "%s link of %.480s to %.480s by "
68180 ++#define GR_INHERIT_ACL_MSG "successful inherit of %.480s's ACL for %.480s by "
68181 ++#define GR_RENAME_ACL_MSG "%s rename of %.480s to %.480s by "
68182 ++#define GR_PTRACE_EXEC_ACL_MSG "denied ptrace of %.950s by "
68183 ++#define GR_NPROC_MSG "denied overstep of process limit by "
68184 ++#define GR_EXEC_ACL_MSG "%s execution of %.950s by "
68185 ++#define GR_EXEC_TPE_MSG "denied untrusted exec of %.950s by "
68186 ++#define GR_SEGVSTART_ACL_MSG "possible exploit bruteforcing on " DEFAULTSECMSG " banning uid %u from login for %lu seconds"
68187 ++#define GR_SEGVNOSUID_ACL_MSG "possible exploit bruteforcing on " DEFAULTSECMSG " banning execution for %lu seconds"
68188 ++#define GR_MOUNT_CHROOT_MSG "denied mount of %.30s as %.930s from chroot by "
68189 ++#define GR_PIVOT_CHROOT_MSG "denied pivot_root from chroot by "
68190 ++#define GR_TRUNCATE_ACL_MSG "%s truncate of %.950s by "
68191 ++#define GR_ATIME_ACL_MSG "%s access time change of %.950s by "
68192 ++#define GR_ACCESS_ACL_MSG "%s access of %.950s for%s%s%s by "
68193 ++#define GR_CHROOT_CHROOT_MSG "denied double chroot to %.950s by "
68194 ++#define GR_FCHMOD_ACL_MSG "%s fchmod of %.950s by "
68195 ++#define GR_CHMOD_CHROOT_MSG "denied chmod +s of %.950s by "
68196 ++#define GR_CHMOD_ACL_MSG "%s chmod of %.950s by "
68197 ++#define GR_CHROOT_FCHDIR_MSG "denied fchdir outside of chroot to %.950s by "
68198 ++#define GR_CHOWN_ACL_MSG "%s chown of %.950s by "
68199 ++#define GR_WRITLIB_ACL_MSG "denied load of writable library %.950s by "
68200 ++#define GR_INITF_ACL_MSG "init_variables() failed %s by "
68201 ++#define GR_DISABLED_ACL_MSG "Error loading %s, trying to run kernel with acls disabled. To disable acls at startup use <kernel image name> gracl=off from your boot loader"
68202 ++#define GR_DEV_ACL_MSG "/dev/grsec: %d bytes sent %d required, being fed garbaged by "
68203 ++#define GR_SHUTS_ACL_MSG "shutdown auth success for "
68204 ++#define GR_SHUTF_ACL_MSG "shutdown auth failure for "
68205 ++#define GR_SHUTI_ACL_MSG "ignoring shutdown for disabled RBAC system for "
68206 ++#define GR_SEGVMODS_ACL_MSG "segvmod auth success for "
68207 ++#define GR_SEGVMODF_ACL_MSG "segvmod auth failure for "
68208 ++#define GR_SEGVMODI_ACL_MSG "ignoring segvmod for disabled RBAC system for "
68209 ++#define GR_ENABLE_ACL_MSG "%s RBAC system loaded by "
68210 ++#define GR_ENABLEF_ACL_MSG "unable to load %s for "
68211 ++#define GR_RELOADI_ACL_MSG "ignoring reload request for disabled RBAC system"
68212 ++#define GR_RELOAD_ACL_MSG "%s RBAC system reloaded by "
68213 ++#define GR_RELOADF_ACL_MSG "failed reload of %s for "
68214 ++#define GR_SPROLEI_ACL_MSG "ignoring change to special role for disabled RBAC system for "
68215 ++#define GR_SPROLES_ACL_MSG "successful change to special role %s (id %d) by "
68216 ++#define GR_SPROLEL_ACL_MSG "special role %s (id %d) exited by "
68217 ++#define GR_SPROLEF_ACL_MSG "special role %s failure for "
68218 ++#define GR_UNSPROLEI_ACL_MSG "ignoring unauth of special role for disabled RBAC system for "
68219 ++#define GR_UNSPROLES_ACL_MSG "successful unauth of special role %s (id %d) by "
68220 ++#define GR_UNSPROLEF_ACL_MSG "special role unauth of %s failure for "
68221 ++#define GR_INVMODE_ACL_MSG "invalid mode %d by "
68222 ++#define GR_PRIORITY_CHROOT_MSG "denied priority change of process (%.16s:%d) by "
68223 ++#define GR_FAILFORK_MSG "failed fork with errno %d by "
68224 ++#define GR_NICE_CHROOT_MSG "denied priority change by "
68225 ++#define GR_UNISIGLOG_MSG "signal %d sent to "
68226 ++#define GR_DUALSIGLOG_MSG "signal %d sent to " DEFAULTSECMSG " by "
68227 ++#define GR_SIG_ACL_MSG "denied send of signal %d to protected task " DEFAULTSECMSG " by "
68228 ++#define GR_SYSCTL_MSG "denied modification of grsecurity sysctl value : %.32s by "
68229 ++#define GR_SYSCTL_ACL_MSG "%s sysctl of %.950s for%s%s by "
68230 ++#define GR_TIME_MSG "time set by "
68231 ++#define GR_DEFACL_MSG "fatal: unable to find subject for (%.16s:%d), loaded by "
68232 ++#define GR_MMAP_ACL_MSG "%s executable mmap of %.950s by "
68233 ++#define GR_MPROTECT_ACL_MSG "%s executable mprotect of %.950s by "
68234 ++#define GR_SOCK_MSG "denied socket(%.16s,%.16s,%.16s) by "
68235 ++#define GR_SOCK2_MSG "denied socket(%d,%.16s,%.16s) by "
68236 ++#define GR_BIND_MSG "denied bind() by "
68237 ++#define GR_CONNECT_MSG "denied connect() by "
68238 ++#define GR_BIND_ACL_MSG "denied bind() to %u.%u.%u.%u port %u sock type %.16s protocol %.16s by "
68239 ++#define GR_CONNECT_ACL_MSG "denied connect() to %u.%u.%u.%u port %u sock type %.16s protocol %.16s by "
68240 ++#define GR_IP_LEARN_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%u.%u.%u.%u\t%u\t%u\t%u\t%u\t%u.%u.%u.%u"
68241 ++#define GR_EXEC_CHROOT_MSG "exec of %.980s within chroot by process "
68242 ++#define GR_CAP_ACL_MSG "use of %s denied for "
68243 ++#define GR_USRCHANGE_ACL_MSG "change to uid %u denied for "
68244 ++#define GR_GRPCHANGE_ACL_MSG "change to gid %u denied for "
68245 ++#define GR_REMOUNT_AUDIT_MSG "remount of %.30s by "
68246 ++#define GR_UNMOUNT_AUDIT_MSG "unmount of %.30s by "
68247 ++#define GR_MOUNT_AUDIT_MSG "mount of %.30s to %.64s by "
68248 ++#define GR_CHDIR_AUDIT_MSG "chdir to %.980s by "
68249 ++#define GR_EXEC_AUDIT_MSG "exec of %.930s (%.128s) by "
68250 ++#define GR_MSGQ_AUDIT_MSG "message queue created by "
68251 ++#define GR_MSGQR_AUDIT_MSG "message queue of uid:%u euid:%u removed by "
68252 ++#define GR_SEM_AUDIT_MSG "semaphore created by "
68253 ++#define GR_SEMR_AUDIT_MSG "semaphore of uid:%u euid:%u removed by "
68254 ++#define GR_SHM_AUDIT_MSG "shared memory of size %d created by "
68255 ++#define GR_SHMR_AUDIT_MSG "shared memory of uid:%u euid:%u removed by "
68256 ++#define GR_RESOURCE_MSG "denied resource overstep by requesting %lu for %.16s against limit %lu for "
68257 ++#define GR_TEXTREL_AUDIT_MSG "text relocation in %s, VMA:0x%08lx 0x%08lx by "
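Review bot: this header has no include guard, unlike every other header in the series (`gracl.h`, `gralloc.h`, `grdefs.h`, `grinternal.h`, `grsecurity.h`); identical redefinitions are tolerated by the preprocessor, but the first time a message is edited between two inclusions the build fails with a confusing redefinition error, so wrap it in `#ifndef __GRMSG_H`. Two smaller things in the same hunk: `GR_DEV_ACL_MSG` reads "being fed garbaged by", which should be "garbage"; and `GR_TEXTREL_AUDIT_MSG` uses an unbounded `%s` for the file name where every other string conversion here is width-limited (`%.950s` and the like), which is at odds with the evident intent of keeping each line inside a fixed buffer. The uid/gid pairs in `GR_SYMLINK_MSG`, `GR_FIFO_MSG` and `GR_HARDLINK_MSG` are printed with `%d.%d` while `DEFAULTSECMSG` prints them with `%u`; one convention would be better.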
68258 +diff -urNp linux-2.6.24.5/include/linux/grsecurity.h linux-2.6.24.5/include/linux/grsecurity.h
68259 +--- linux-2.6.24.5/include/linux/grsecurity.h 1969-12-31 19:00:00.000000000 -0500
68260 ++++ linux-2.6.24.5/include/linux/grsecurity.h 2008-03-26 20:21:09.000000000 -0400
68261 +@@ -0,0 +1,197 @@
68262 ++#ifndef GR_SECURITY_H
68263 ++#define GR_SECURITY_H
68264 ++#include <linux/fs.h>
68265 ++#include <linux/binfmts.h>
68266 ++#include <linux/gracl.h>
68267 ++
68268 ++/* notify of brain-dead configs */
68269 ++#if defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_PAGEEXEC) && !defined(CONFIG_PAX_SEGMEXEC)
68270 ++#error "CONFIG_PAX_NOEXEC enabled, but neither PAGEEXEC nor SEGMEXEC are enabled."
68271 ++#endif
68272 ++#if defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_EI_PAX) && !defined(CONFIG_PAX_PT_PAX_FLAGS)
68273 ++#error "CONFIG_PAX_NOEXEC enabled, but neither CONFIG_PAX_EI_PAX nor CONFIG_PAX_PT_PAX_FLAGS are enabled."
68274 ++#endif
68275 ++#if defined(CONFIG_PAX_ASLR) && !defined(CONFIG_PAX_RANDKSTACK) && !defined(CONFIG_PAX_RANDUSTACK) && !defined(CONFIG_PAX_RANDMMAP)
68276 ++#error "CONFIG_PAX_ASLR enabled, but RANDKSTACK, RANDUSTACK, and RANDMMAP are disabled."
68277 ++#endif
68278 ++#if defined(CONFIG_PAX) && !defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_ASLR)
68279 ++#error "CONFIG_PAX enabled, but no PaX options are enabled."
68280 ++#endif
68281 ++
68282 ++void gr_handle_brute_attach(struct task_struct *p);
68283 ++void gr_handle_brute_check(void);
68284 ++
68285 ++char gr_roletype_to_char(void);
68286 ++
68287 ++int gr_check_user_change(int real, int effective, int fs);
68288 ++int gr_check_group_change(int real, int effective, int fs);
68289 ++
68290 ++void gr_del_task_from_ip_table(struct task_struct *p);
68291 ++
68292 ++int gr_pid_is_chrooted(struct task_struct *p);
68293 ++int gr_handle_chroot_nice(void);
68294 ++int gr_handle_chroot_sysctl(const int op);
68295 ++int gr_handle_chroot_setpriority(struct task_struct *p,
68296 ++ const int niceval);
68297 ++int gr_chroot_fchdir(struct dentry *u_dentry, struct vfsmount *u_mnt);
68298 ++int gr_handle_chroot_chroot(const struct dentry *dentry,
68299 ++ const struct vfsmount *mnt);
68300 ++void gr_handle_chroot_caps(struct task_struct *task);
68301 ++void gr_handle_chroot_chdir(struct dentry *dentry, struct vfsmount *mnt);
68302 ++int gr_handle_chroot_chmod(const struct dentry *dentry,
68303 ++ const struct vfsmount *mnt, const int mode);
68304 ++int gr_handle_chroot_mknod(const struct dentry *dentry,
68305 ++ const struct vfsmount *mnt, const int mode);
68306 ++int gr_handle_chroot_mount(const struct dentry *dentry,
68307 ++ const struct vfsmount *mnt,
68308 ++ const char *dev_name);
68309 ++int gr_handle_chroot_pivot(void);
68310 ++int gr_handle_chroot_unix(const pid_t pid);
68311 ++
68312 ++int gr_handle_rawio(const struct inode *inode);
68313 ++int gr_handle_nproc(void);
68314 ++
68315 ++void gr_handle_ioperm(void);
68316 ++void gr_handle_iopl(void);
68317 ++
68318 ++int gr_tpe_allow(const struct file *file);
68319 ++
68320 ++int gr_random_pid(void);
68321 ++
68322 ++void gr_log_forkfail(const int retval);
68323 ++void gr_log_timechange(void);
68324 ++void gr_log_signal(const int sig, const struct task_struct *t);
68325 ++void gr_log_chdir(const struct dentry *dentry,
68326 ++ const struct vfsmount *mnt);
68327 ++void gr_log_chroot_exec(const struct dentry *dentry,
68328 ++ const struct vfsmount *mnt);
68329 ++void gr_handle_exec_args(struct linux_binprm *bprm, char **argv);
68330 ++void gr_log_remount(const char *devname, const int retval);
68331 ++void gr_log_unmount(const char *devname, const int retval);
68332 ++void gr_log_mount(const char *from, const char *to, const int retval);
68333 ++void gr_log_msgget(const int ret, const int msgflg);
68334 ++void gr_log_msgrm(const uid_t uid, const uid_t cuid);
68335 ++void gr_log_semget(const int err, const int semflg);
68336 ++void gr_log_semrm(const uid_t uid, const uid_t cuid);
68337 ++void gr_log_shmget(const int err, const int shmflg, const size_t size);
68338 ++void gr_log_shmrm(const uid_t uid, const uid_t cuid);
68339 ++void gr_log_textrel(struct vm_area_struct *vma);
68340 ++
68341 ++int gr_handle_follow_link(const struct inode *parent,
68342 ++ const struct inode *inode,
68343 ++ const struct dentry *dentry,
68344 ++ const struct vfsmount *mnt);
68345 ++int gr_handle_fifo(const struct dentry *dentry,
68346 ++ const struct vfsmount *mnt,
68347 ++ const struct dentry *dir, const int flag,
68348 ++ const int acc_mode);
68349 ++int gr_handle_hardlink(const struct dentry *dentry,
68350 ++ const struct vfsmount *mnt,
68351 ++ struct inode *inode,
68352 ++ const int mode, const char *to);
68353 ++
68354 ++int gr_task_is_capable(struct task_struct *task, const int cap);
68355 ++int gr_is_capable_nolog(const int cap);
68356 ++void gr_learn_resource(const struct task_struct *task, const int limit,
68357 ++ const unsigned long wanted, const int gt);
68358 ++void gr_copy_label(struct task_struct *tsk);
68359 ++void gr_handle_crash(struct task_struct *task, const int sig);
68360 ++int gr_handle_signal(const struct task_struct *p, const int sig);
68361 ++int gr_check_crash_uid(const uid_t uid);
68362 ++int gr_check_protected_task(const struct task_struct *task);
68363 ++int gr_acl_handle_mmap(const struct file *file,
68364 ++ const unsigned long prot);
68365 ++int gr_acl_handle_mprotect(const struct file *file,
68366 ++ const unsigned long prot);
68367 ++int gr_check_hidden_task(const struct task_struct *tsk);
68368 ++__u32 gr_acl_handle_truncate(const struct dentry *dentry,
68369 ++ const struct vfsmount *mnt);
68370 ++__u32 gr_acl_handle_utime(const struct dentry *dentry,
68371 ++ const struct vfsmount *mnt);
68372 ++__u32 gr_acl_handle_access(const struct dentry *dentry,
68373 ++ const struct vfsmount *mnt, const int fmode);
68374 ++__u32 gr_acl_handle_fchmod(const struct dentry *dentry,
68375 ++ const struct vfsmount *mnt, mode_t mode);
68376 ++__u32 gr_acl_handle_chmod(const struct dentry *dentry,
68377 ++ const struct vfsmount *mnt, mode_t mode);
68378 ++__u32 gr_acl_handle_chown(const struct dentry *dentry,
68379 ++ const struct vfsmount *mnt);
68380 ++int gr_handle_ptrace(struct task_struct *task, const long request);
68381 ++int gr_handle_proc_ptrace(struct task_struct *task);
68382 ++__u32 gr_acl_handle_execve(const struct dentry *dentry,
68383 ++ const struct vfsmount *mnt);
68384 ++int gr_check_crash_exec(const struct file *filp);
68385 ++int gr_acl_is_enabled(void);
68386 ++void gr_set_kernel_label(struct task_struct *task);
68387 ++void gr_set_role_label(struct task_struct *task, const uid_t uid,
68388 ++ const gid_t gid);
68389 ++int gr_set_proc_label(const struct dentry *dentry,
68390 ++ const struct vfsmount *mnt);
68391 ++__u32 gr_acl_handle_hidden_file(const struct dentry *dentry,
68392 ++ const struct vfsmount *mnt);
68393 ++__u32 gr_acl_handle_open(const struct dentry *dentry,
68394 ++ const struct vfsmount *mnt, const int fmode);
68395 ++__u32 gr_acl_handle_creat(const struct dentry *dentry,
68396 ++ const struct dentry *p_dentry,
68397 ++ const struct vfsmount *p_mnt, const int fmode,
68398 ++ const int imode);
68399 ++void gr_handle_create(const struct dentry *dentry,
68400 ++ const struct vfsmount *mnt);
68401 ++__u32 gr_acl_handle_mknod(const struct dentry *new_dentry,
68402 ++ const struct dentry *parent_dentry,
68403 ++ const struct vfsmount *parent_mnt,
68404 ++ const int mode);
68405 ++__u32 gr_acl_handle_mkdir(const struct dentry *new_dentry,
68406 ++ const struct dentry *parent_dentry,
68407 ++ const struct vfsmount *parent_mnt);
68408 ++__u32 gr_acl_handle_rmdir(const struct dentry *dentry,
68409 ++ const struct vfsmount *mnt);
68410 ++void gr_handle_delete(const ino_t ino, const dev_t dev);
68411 ++__u32 gr_acl_handle_unlink(const struct dentry *dentry,
68412 ++ const struct vfsmount *mnt);
68413 ++__u32 gr_acl_handle_symlink(const struct dentry *new_dentry,
68414 ++ const struct dentry *parent_dentry,
68415 ++ const struct vfsmount *parent_mnt,
68416 ++ const char *from);
68417 ++__u32 gr_acl_handle_link(const struct dentry *new_dentry,
68418 ++ const struct dentry *parent_dentry,
68419 ++ const struct vfsmount *parent_mnt,
68420 ++ const struct dentry *old_dentry,
68421 ++ const struct vfsmount *old_mnt, const char *to);
68422 ++int gr_acl_handle_rename(struct dentry *new_dentry,
68423 ++ struct dentry *parent_dentry,
68424 ++ const struct vfsmount *parent_mnt,
68425 ++ struct dentry *old_dentry,
68426 ++ struct inode *old_parent_inode,
68427 ++ struct vfsmount *old_mnt, const char *newname);
68428 ++void gr_handle_rename(struct inode *old_dir, struct inode *new_dir,
68429 ++ struct dentry *old_dentry,
68430 ++ struct dentry *new_dentry,
68431 ++ struct vfsmount *mnt, const __u8 replace);
68432 ++__u32 gr_check_link(const struct dentry *new_dentry,
68433 ++ const struct dentry *parent_dentry,
68434 ++ const struct vfsmount *parent_mnt,
68435 ++ const struct dentry *old_dentry,
68436 ++ const struct vfsmount *old_mnt);
68437 ++int gr_acl_handle_filldir(const struct file *file, const char *name,
68438 ++ const unsigned int namelen, const ino_t ino);
68439 ++
68440 ++__u32 gr_acl_handle_unix(const struct dentry *dentry,
68441 ++ const struct vfsmount *mnt);
68442 ++void gr_acl_handle_exit(void);
68443 ++void gr_acl_handle_psacct(struct task_struct *task, const long code);
68444 ++int gr_acl_handle_procpidmem(const struct task_struct *task);
68445 ++
68446 ++#ifdef CONFIG_GRKERNSEC
68447 ++void gr_handle_mem_write(void);
68448 ++void gr_handle_kmem_write(void);
68449 ++void gr_handle_open_port(void);
68450 ++int gr_handle_mem_mmap(const unsigned long offset,
68451 ++ struct vm_area_struct *vma);
68452 ++
68453 ++extern int grsec_enable_dmesg;
68454 ++extern int grsec_enable_randsrc;
68455 ++extern int grsec_enable_shm;
68456 ++#endif
68457 ++
68458 ++#endif
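Review bot: `gr_acl_handle_rename()` and `gr_handle_rename()` take non-const `struct dentry *` / `struct vfsmount *` while every neighbouring prototype (`gr_check_link()`, `gr_acl_handle_link()`, ...) takes `const` pointers; unless the implementation really mutates them, constify for consistency so callers holding const pointers need no cast. Also, only the `gr_handle_mem_write()` group and the `grsec_enable_*` externs sit under `#ifdef CONFIG_GRKERNSEC`; the unguarded prototypes above need matching stub definitions when grsecurity is compiled out, and the header should say where those live.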
68459 +diff -urNp linux-2.6.24.5/include/linux/highmem.h linux-2.6.24.5/include/linux/highmem.h
68460 +--- linux-2.6.24.5/include/linux/highmem.h 2008-03-24 14:49:18.000000000 -0400
68461 ++++ linux-2.6.24.5/include/linux/highmem.h 2008-03-26 20:21:09.000000000 -0400
68462 +@@ -124,6 +124,13 @@ static inline void clear_highpage(struct
68463 + kunmap_atomic(kaddr, KM_USER0);
68464 + }
68465 +
68466 ++static inline void sanitize_highpage(struct page *page)
68467 ++{
68468 ++ void *kaddr = kmap_atomic(page, KM_CLEARPAGE);
68469 ++ clear_page(kaddr);
68470 ++ kunmap_atomic(kaddr, KM_CLEARPAGE);
68471 ++}
68472 ++
68473 + /*
68474 + * Same but also flushes aliased cache contents to RAM.
68475 + *
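Review bot: `sanitize_highpage()` uses a kmap slot `KM_CLEARPAGE` that this hunk does not define; it has to be added to `enum km_type` in every architecture's `asm/kmap_types.h`, otherwise `kmap_atomic()` fails to compile on the arches not touched by this patch. A short comment explaining why a dedicated slot is needed instead of the `KM_USER0` that `clear_highpage()` uses just above, and that this is the freed-page sanitisation helper, would also match the documented style of the surrounding functions.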
68476 +@@ -132,14 +139,14 @@ static inline void clear_highpage(struct
68477 + */
68478 + #define zero_user_page(page, offset, size, km_type) \
68479 + do { \
68480 +- void *kaddr; \
68481 ++ void *__kaddr; \
68482 + \
68483 + BUG_ON((offset) + (size) > PAGE_SIZE); \
68484 + \
68485 +- kaddr = kmap_atomic(page, km_type); \
68486 +- memset((char *)kaddr + (offset), 0, (size)); \
68487 ++ __kaddr = kmap_atomic(page, km_type); \
68488 ++ memset((char *)__kaddr + (offset), 0, (size)); \
68489 + flush_dcache_page(page); \
68490 +- kunmap_atomic(kaddr, (km_type)); \
68491 ++ kunmap_atomic(__kaddr, (km_type)); \
68492 + } while (0)
68493 +
68494 + static inline void __deprecated memclear_highpage_flush(struct page *page,
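Review bot: the rename to `__kaddr` removes the shadowing hazard when a caller passes its own `kaddr` as `page` or `offset`, but the macro is still inconsistent about parenthesising its arguments: `kmap_atomic(page, km_type)` is unparenthesised while `kunmap_atomic(__kaddr, (km_type))` parenthesises `km_type`. Parenthesise `(page)` and `(km_type)` in both places so an expression argument expands correctly.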
68495 +diff -urNp linux-2.6.24.5/include/linux/init_task.h linux-2.6.24.5/include/linux/init_task.h
68496 +--- linux-2.6.24.5/include/linux/init_task.h 2008-03-24 14:49:18.000000000 -0400
68497 ++++ linux-2.6.24.5/include/linux/init_task.h 2008-03-26 20:21:09.000000000 -0400
68498 +@@ -121,7 +121,7 @@ extern struct group_info init_groups;
68499 + #define INIT_TASK(tsk) \
68500 + { \
68501 + .state = 0, \
68502 +- .stack = &init_thread_info, \
68503 ++ .stack = &init_thread_union, \
68504 + .usage = ATOMIC_INIT(2), \
68505 + .flags = 0, \
68506 + .lock_depth = -1, \
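Review bot: `.stack = &init_thread_union` only type-checks together with the change of `struct task_struct`'s `stack` member to `union thread_union *` in the `include/linux/sched.h` hunk of this same patch; applied or bisected on its own this file breaks the build, so keep the two in one commit and mention the new pointer type in the `INIT_TASK` comment.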
68507 +diff -urNp linux-2.6.24.5/include/linux/irqflags.h linux-2.6.24.5/include/linux/irqflags.h
68508 +--- linux-2.6.24.5/include/linux/irqflags.h 2008-03-24 14:49:18.000000000 -0400
68509 ++++ linux-2.6.24.5/include/linux/irqflags.h 2008-03-26 20:21:09.000000000 -0400
68510 +@@ -84,10 +84,10 @@
68511 +
68512 + #define irqs_disabled() \
68513 + ({ \
68514 +- unsigned long flags; \
68515 ++ unsigned long __flags; \
68516 + \
68517 +- raw_local_save_flags(flags); \
68518 +- raw_irqs_disabled_flags(flags); \
68519 ++ raw_local_save_flags(__flags); \
68520 ++ raw_irqs_disabled_flags(__flags); \
68521 + })
68522 +
68523 + #define irqs_disabled_flags(flags) raw_irqs_disabled_flags(flags)
68524 +diff -urNp linux-2.6.24.5/include/linux/jbd2.h linux-2.6.24.5/include/linux/jbd2.h
68525 +--- linux-2.6.24.5/include/linux/jbd2.h 2008-03-24 14:49:18.000000000 -0400
68526 ++++ linux-2.6.24.5/include/linux/jbd2.h 2008-03-26 20:21:09.000000000 -0400
68527 +@@ -68,7 +68,7 @@ extern u8 jbd2_journal_enable_debug;
68528 + } \
68529 + } while (0)
68530 + #else
68531 +-#define jbd_debug(f, a...) /**/
68532 ++#define jbd_debug(f, a...) do {} while (0)
68533 + #endif
68534 +
68535 + static inline void *jbd2_alloc(size_t size, gfp_t flags)
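Review bot: a bare empty expansion turns `if (x) jbd_debug(...); else ...` into a dangling-else bug, so the `do {} while (0)` form is the right fix; the identical change is needed in `include/linux/jbd.h` (done in the next hunk). Note that the arguments are still never evaluated, so variables used only inside `jbd_debug()` calls will keep triggering unused-variable warnings in non-debug builds.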
68536 +diff -urNp linux-2.6.24.5/include/linux/jbd.h linux-2.6.24.5/include/linux/jbd.h
68537 +--- linux-2.6.24.5/include/linux/jbd.h 2008-03-24 14:49:18.000000000 -0400
68538 ++++ linux-2.6.24.5/include/linux/jbd.h 2008-03-26 20:21:09.000000000 -0400
68539 +@@ -69,7 +69,7 @@ extern u8 journal_enable_debug;
68540 + } \
68541 + } while (0)
68542 + #else
68543 +-#define jbd_debug(f, a...) /**/
68544 ++#define jbd_debug(f, a...) do {} while (0)
68545 + #endif
68546 +
68547 + static inline void *jbd_alloc(size_t size, gfp_t flags)
68548 +diff -urNp linux-2.6.24.5/include/linux/libata.h linux-2.6.24.5/include/linux/libata.h
68549 +--- linux-2.6.24.5/include/linux/libata.h 2008-03-24 14:49:18.000000000 -0400
68550 ++++ linux-2.6.24.5/include/linux/libata.h 2008-03-26 20:21:09.000000000 -0400
68551 +@@ -62,11 +62,11 @@
68552 + #ifdef ATA_VERBOSE_DEBUG
68553 + #define VPRINTK(fmt, args...) printk(KERN_ERR "%s: " fmt, __FUNCTION__, ## args)
68554 + #else
68555 +-#define VPRINTK(fmt, args...)
68556 ++#define VPRINTK(fmt, args...) do {} while (0)
68557 + #endif /* ATA_VERBOSE_DEBUG */
68558 + #else
68559 +-#define DPRINTK(fmt, args...)
68560 +-#define VPRINTK(fmt, args...)
68561 ++#define DPRINTK(fmt, args...) do {} while (0)
68562 ++#define VPRINTK(fmt, args...) do {} while (0)
68563 + #endif /* ATA_DEBUG */
68564 +
68565 + #define BPRINTK(fmt, args...) if (ap->flags & ATA_FLAG_DEBUGMSG) printk(KERN_ERR "%s: " fmt, __FUNCTION__, ## args)
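Review bot: `DPRINTK`/`VPRINTK` now expand to `do {} while (0)`, but `BPRINTK` on the last context line is still a bare `if (ap->flags & ATA_FLAG_DEBUGMSG) printk(...)` without braces, so `if (c) BPRINTK(...); else ...` still binds the `else` to the wrong `if`; wrap it in `do { ... } while (0)` for the same reason.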
68566 +diff -urNp linux-2.6.24.5/include/linux/mm.h linux-2.6.24.5/include/linux/mm.h
68567 +--- linux-2.6.24.5/include/linux/mm.h 2008-03-24 14:49:18.000000000 -0400
68568 ++++ linux-2.6.24.5/include/linux/mm.h 2008-03-26 20:21:09.000000000 -0400
68569 +@@ -37,6 +37,7 @@ extern int sysctl_legacy_va_layout;
68570 + #include <asm/page.h>
68571 + #include <asm/pgtable.h>
68572 + #include <asm/processor.h>
68573 ++#include <asm/mman.h>
68574 +
68575 + #define nth_page(page,n) pfn_to_page(page_to_pfn((page)) + (n))
68576 +
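Review bot: nothing in the hunk says why `linux/mm.h` now pulls in `asm/mman.h`; if it is for the `PROT_*`/`MAP_*` values used by the PaX mprotect tracking added later in this file, say so in a comment, and check that no architecture's `asm/mman.h` includes `linux/mm.h` in return, since a circular include in a header this central breaks the whole tree.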
68577 +@@ -107,6 +108,14 @@ extern unsigned int kobjsize(const void
68578 +
68579 + #define VM_CAN_NONLINEAR 0x08000000 /* Has ->fault & does nonlinear pages */
68580 +
68581 ++#ifdef CONFIG_PAX_PAGEEXEC
68582 ++#define VM_PAGEEXEC 0x10000000 /* vma->vm_page_prot needs special handling */
68583 ++#endif
68584 ++
68585 ++#ifdef CONFIG_PAX_MPROTECT
68586 ++#define VM_MAYNOTWRITE 0x20000000 /* vma cannot be granted VM_WRITE any more */
68587 ++#endif
68588 ++
68589 + #ifndef VM_STACK_DEFAULT_FLAGS /* arch can override this */
68590 + #define VM_STACK_DEFAULT_FLAGS VM_DATA_DEFAULT_FLAGS
68591 + #endif
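Review bot: `VM_PAGEEXEC` and `VM_MAYNOTWRITE` take bits 0x10000000 and 0x20000000 directly after `VM_CAN_NONLINEAR` 0x08000000; the hunk only shows the tail of the `VM_*` list, so verify both bits are unused elsewhere in this kernel's `mm.h`. Because `vm_flags` is a plain `unsigned long`, a later upstream backport reusing either bit would silently alias PaX state, so a comment reserving them is worthwhile.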
68592 +@@ -792,6 +801,8 @@ struct shrinker {
68593 + extern void register_shrinker(struct shrinker *);
68594 + extern void unregister_shrinker(struct shrinker *);
68595 +
68596 ++pgprot_t vm_get_page_prot(unsigned long vm_flags);
68597 ++
68598 + int vma_wants_writenotify(struct vm_area_struct *vma);
68599 +
68600 + extern pte_t *FASTCALL(get_locked_pte(struct mm_struct *mm, unsigned long addr, spinlock_t **ptl));
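Review bot: this adds a `vm_get_page_prot()` prototype that already exists further down in the file and is removed in a later hunk of this same diff; moving it up so `vma_wants_writenotify()` and other early users see it is fine, but a pure move should be called out in the changelog so reviewers do not look for a semantic change.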
68601 +@@ -1018,6 +1029,7 @@ out:
68602 + }
68603 +
68604 + extern int do_munmap(struct mm_struct *, unsigned long, size_t);
68605 ++extern int __do_munmap(struct mm_struct *, unsigned long, size_t);
68606 +
68607 + extern unsigned long do_brk(unsigned long, unsigned long);
68608 +
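Review bot: `__do_munmap()` is exported next to `do_munmap()` with no comment on how the two differ (typically which locks the caller must already hold, or whether the mirror VMA is handled); document the contract here, since a caller picking the wrong variant is an easy way to introduce a use-after-unmap race.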
68609 +@@ -1070,6 +1082,10 @@ extern struct vm_area_struct * find_vma(
68610 + extern struct vm_area_struct * find_vma_prev(struct mm_struct * mm, unsigned long addr,
68611 + struct vm_area_struct **pprev);
68612 +
68613 ++extern struct vm_area_struct *pax_find_mirror_vma(struct vm_area_struct *vma);
68614 ++extern void pax_mirror_vma(struct vm_area_struct *vma_m, struct vm_area_struct *vma);
68615 ++extern void pax_mirror_file_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m, spinlock_t *ptl);
68616 ++
68617 + /* Look up the first VMA which intersects the interval start_addr..end_addr-1,
68618 + NULL if none. Assume start_addr < end_addr. */
68619 + static inline struct vm_area_struct * find_vma_intersection(struct mm_struct * mm, unsigned long start_addr, unsigned long end_addr)
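Review bot: `pax_find_mirror_vma()`, `pax_mirror_vma()` and `pax_mirror_file_pte()` are declared unconditionally and without a comment, unlike `find_vma_intersection()` right below them; state what a mirror VMA is and which PaX option enables it, and if the definitions are only compiled under that option, either guard the prototypes or provide inline no-op stubs so callers in generic mm code compile in every configuration.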
68620 +@@ -1086,7 +1102,6 @@ static inline unsigned long vma_pages(st
68621 + return (vma->vm_end - vma->vm_start) >> PAGE_SHIFT;
68622 + }
68623 +
68624 +-pgprot_t vm_get_page_prot(unsigned long vm_flags);
68625 + struct vm_area_struct *find_extend_vma(struct mm_struct *, unsigned long addr);
68626 + struct page *vmalloc_to_page(void *addr);
68627 + unsigned long vmalloc_to_pfn(void *addr);
68628 +@@ -1157,5 +1172,11 @@ int vmemmap_populate_basepages(struct pa
68629 + unsigned long pages, int node);
68630 + int vmemmap_populate(struct page *start_page, unsigned long pages, int node);
68631 +
68632 ++#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
68633 ++extern void track_exec_limit(struct mm_struct *mm, unsigned long start, unsigned long end, unsigned long prot);
68634 ++#else
68635 ++static inline void track_exec_limit(struct mm_struct *mm, unsigned long start, unsigned long end, unsigned long prot) {}
68636 ++#endif
68637 ++
68638 + #endif /* __KERNEL__ */
68639 + #endif /* _LINUX_MM_H */
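Review bot: the `CONFIG_ARCH_TRACK_EXEC_LIMIT` stub is the right pattern (callers compile unchanged on other arches), but `track_exec_limit()`'s contract is undocumented: say whether `prot` carries `VM_*` flags or `PROT_*` values (the new `asm/mman.h` include suggests the latter) and whether `start`/`end` are page-aligned, otherwise arch implementations will disagree.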
68640 +diff -urNp linux-2.6.24.5/include/linux/mm_types.h linux-2.6.24.5/include/linux/mm_types.h
68641 +--- linux-2.6.24.5/include/linux/mm_types.h 2008-03-24 14:49:18.000000000 -0400
68642 ++++ linux-2.6.24.5/include/linux/mm_types.h 2008-03-26 20:21:09.000000000 -0400
68643 +@@ -151,6 +151,8 @@ struct vm_area_struct {
68644 + #ifdef CONFIG_NUMA
68645 + struct mempolicy *vm_policy; /* NUMA policy for the VMA */
68646 + #endif
68647 ++
68648 ++ struct vm_area_struct *vm_mirror;/* PaX: mirror vma or NULL */
68649 + };
68650 +
68651 + struct mm_struct {
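Review bot: `vm_mirror` is added to every `struct vm_area_struct` unconditionally, whereas the `pax_flags` and `delta_*` fields in the next hunk are guarded by their PaX options; guard it with the option that uses it (the mirror-VMA helpers declared in `mm.h`) so non-PaX builds do not pay a pointer per VMA, and add the missing space before the `/* PaX: ... */` comment.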
68652 +@@ -219,6 +221,24 @@ struct mm_struct {
68653 + /* aio bits */
68654 + rwlock_t ioctx_list_lock;
68655 + struct kioctx *ioctx_list;
68656 ++
68657 ++#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS) || defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
68658 ++ unsigned long pax_flags;
68659 ++#endif
68660 ++
68661 ++#ifdef CONFIG_PAX_DLRESOLVE
68662 ++ unsigned long call_dl_resolve;
68663 ++#endif
68664 ++
68665 ++#if defined(CONFIG_PPC32) && defined(CONFIG_PAX_EMUSIGRT)
68666 ++ unsigned long call_syscall;
68667 ++#endif
68668 ++
68669 ++#ifdef CONFIG_PAX_ASLR
68670 ++ unsigned long delta_mmap; /* randomized offset */
68671 ++ unsigned long delta_stack; /* randomized offset */
68672 ++#endif
68673 ++
68674 + };
68675 +
68676 + #endif /* _LINUX_MM_TYPES_H */
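Review bot: the trailing `++` line leaves an empty line immediately before `};`, which checkpatch flags; more importantly `delta_mmap` and `delta_stack` are declared under `CONFIG_PAX_ASLR` while the later `arch_pick_mmap_layout()` hunk in `sched.h` reads `mm->delta_mmap` under `CONFIG_PAX_RANDMMAP`, so Kconfig must make `PAX_RANDMMAP` depend on `PAX_ASLR` or that configuration fails to build.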
68677 +diff -urNp linux-2.6.24.5/include/linux/module.h linux-2.6.24.5/include/linux/module.h
68678 +--- linux-2.6.24.5/include/linux/module.h 2008-03-24 14:49:18.000000000 -0400
68679 ++++ linux-2.6.24.5/include/linux/module.h 2008-03-26 20:21:09.000000000 -0400
68680 +@@ -296,16 +296,16 @@ struct module
68681 + int (*init)(void);
68682 +
68683 + /* If this is non-NULL, vfree after init() returns */
68684 +- void *module_init;
68685 ++ void *module_init_rx, *module_init_rw;
68686 +
68687 + /* Here is the actual code + data, vfree'd on unload. */
68688 +- void *module_core;
68689 ++ void *module_core_rx, *module_core_rw;
68690 +
68691 + /* Here are the sizes of the init and core sections */
68692 +- unsigned long init_size, core_size;
68693 ++ unsigned long init_size_rw, core_size_rw;
68694 +
68695 + /* The size of the executable code in each section. */
68696 +- unsigned long init_text_size, core_text_size;
68697 ++ unsigned long init_size_rx, core_size_rx;
68698 +
68699 + /* The handle returned from unwind_add_table. */
68700 + void *unwind_info;
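Review bot: the fields are split into `_rx`/`_rw` halves but the comments above them are now stale: `/* Here is the actual code + data, vfree'd on unload. */` and `/* The size of the executable code in each section. */` no longer describe `module_core_rx`/`module_core_rw` and `core_size_rx`; update them to say `_rx` is the read-execute text region and `_rw` the writable data region. Since `core_size`/`init_size` are renamed rather than kept, every user in `kernel/module.c` and the arch module loaders must change in the same commit.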
68701 +diff -urNp linux-2.6.24.5/include/linux/moduleloader.h linux-2.6.24.5/include/linux/moduleloader.h
68702 +--- linux-2.6.24.5/include/linux/moduleloader.h 2008-03-24 14:49:18.000000000 -0400
68703 ++++ linux-2.6.24.5/include/linux/moduleloader.h 2008-03-26 20:21:09.000000000 -0400
68704 +@@ -17,9 +17,21 @@ int module_frob_arch_sections(Elf_Ehdr *
68705 + sections. Returns NULL on failure. */
68706 + void *module_alloc(unsigned long size);
68707 +
68708 ++#ifdef CONFIG_PAX_KERNEXEC
68709 ++void *module_alloc_exec(unsigned long size);
68710 ++#else
68711 ++#define module_alloc_exec(x) module_alloc(x)
68712 ++#endif
68713 ++
68714 + /* Free memory returned from module_alloc. */
68715 + void module_free(struct module *mod, void *module_region);
68716 +
68717 ++#ifdef CONFIG_PAX_KERNEXEC
68718 ++void module_free_exec(struct module *mod, void *module_region);
68719 ++#else
68720 ++#define module_free_exec(x, y) module_free(x, y)
68721 ++#endif
68722 ++
68723 + /* Apply the given relocation to the (simplified) ELF. Return -error
68724 + or 0. */
68725 + int apply_relocate(Elf_Shdr *sechdrs,
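Review bot: the non-`CONFIG_PAX_KERNEXEC` fallbacks are function-like macros (`#define module_alloc_exec(x) module_alloc(x)`) while the real variants are functions; use `static inline` wrappers instead so the names have one consistent type, can have their address taken, and get argument type checking. A one-line comment that the `_exec` variants allocate from the region that will be mapped read-execute would also help readers of the loader.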
68726 +diff -urNp linux-2.6.24.5/include/linux/namei.h linux-2.6.24.5/include/linux/namei.h
68727 +--- linux-2.6.24.5/include/linux/namei.h 2008-03-24 14:49:18.000000000 -0400
68728 ++++ linux-2.6.24.5/include/linux/namei.h 2008-03-26 20:21:09.000000000 -0400
68729 +@@ -21,7 +21,7 @@ struct nameidata {
68730 + unsigned int flags;
68731 + int last_type;
68732 + unsigned depth;
68733 +- char *saved_names[MAX_NESTED_LINKS + 1];
68734 ++ const char *saved_names[MAX_NESTED_LINKS + 1];
68735 +
68736 + /* Intent data */
68737 + union {
68738 +@@ -90,12 +90,12 @@ extern int follow_up(struct vfsmount **,
68739 + extern struct dentry *lock_rename(struct dentry *, struct dentry *);
68740 + extern void unlock_rename(struct dentry *, struct dentry *);
68741 +
68742 +-static inline void nd_set_link(struct nameidata *nd, char *path)
68743 ++static inline void nd_set_link(struct nameidata *nd, const char *path)
68744 + {
68745 + nd->saved_names[nd->depth] = path;
68746 + }
68747 +
68748 +-static inline char *nd_get_link(struct nameidata *nd)
68749 ++static inline const char *nd_get_link(struct nameidata *nd)
68750 + {
68751 + return nd->saved_names[nd->depth];
68752 + }
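Review bot: constifying `saved_names` and the return type of `nd_get_link()` is a sound hardening of the symlink path, but every caller that stores the result in a `char *` (filesystem `put_link` callbacks that unmap or free the buffer) now gets a discarded-qualifier warning; convert those callers in the same patch rather than letting them cast the `const` away.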
68753 +diff -urNp linux-2.6.24.5/include/linux/percpu.h linux-2.6.24.5/include/linux/percpu.h
68754 +--- linux-2.6.24.5/include/linux/percpu.h 2008-04-17 20:05:17.000000000 -0400
68755 ++++ linux-2.6.24.5/include/linux/percpu.h 2008-04-17 20:05:01.000000000 -0400
68756 +@@ -18,7 +18,7 @@
68757 + #endif
68758 +
68759 + #define PERCPU_ENOUGH_ROOM \
68760 +- (__per_cpu_end - __per_cpu_start + PERCPU_MODULE_RESERVE)
68761 ++ ((unsigned long)(__per_cpu_end - __per_cpu_start + PERCPU_MODULE_RESERVE))
68762 + #endif /* PERCPU_ENOUGH_ROOM */
68763 +
68764 + /*
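Review bot: the `(unsigned long)` cast around `__per_cpu_end - __per_cpu_start + PERCPU_MODULE_RESERVE` silences a signed/unsigned comparison, but it also hides a negative pointer difference if the linker symbols are ever misordered; a comment stating that the two symbols are guaranteed ordered by the linker script would make the intent explicit.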
68765 +diff -urNp linux-2.6.24.5/include/linux/poison.h linux-2.6.24.5/include/linux/poison.h
68766 +--- linux-2.6.24.5/include/linux/poison.h 2008-03-24 14:49:18.000000000 -0400
68767 ++++ linux-2.6.24.5/include/linux/poison.h 2008-03-26 20:21:09.000000000 -0400
68768 +@@ -7,8 +7,8 @@
68769 + * under normal circumstances, used to verify that nobody uses
68770 + * non-initialized list entries.
68771 + */
68772 +-#define LIST_POISON1 ((void *) 0x00100100)
68773 +-#define LIST_POISON2 ((void *) 0x00200200)
68774 ++#define LIST_POISON1 ((void *) 0xFF1001FFFF1001FFULL)
68775 ++#define LIST_POISON2 ((void *) 0xFF2002FFFF2002FFULL)
68776 +
68777 + /********** mm/slab.c **********/
68778 + /*
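Review bot: `((void *) 0xFF1001FFFF1001FFULL)` truncates on 32-bit targets and makes gcc warn about casting an integer of a different size to a pointer; keep the upstream values behind `#if BITS_PER_LONG == 32` (or derive the constant from `~0UL` arithmetic) so each word size gets a poison that is both non-canonical and warning-free. The motivation, moving the poison out of the low address range that userspace could map so that a dereference of a poisoned list pointer faults instead of reading memory an attacker placed there, belongs in the comment above these defines.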
68779 +diff -urNp linux-2.6.24.5/include/linux/random.h linux-2.6.24.5/include/linux/random.h
68780 +--- linux-2.6.24.5/include/linux/random.h 2008-03-24 14:49:18.000000000 -0400
68781 ++++ linux-2.6.24.5/include/linux/random.h 2008-03-26 20:21:09.000000000 -0400
68782 +@@ -72,6 +72,11 @@ unsigned long randomize_range(unsigned l
68783 + u32 random32(void);
68784 + void srandom32(u32 seed);
68785 +
68786 ++static inline unsigned long pax_get_random_long(void)
68787 ++{
68788 ++ return random32() + (sizeof(long) > 4 ? (unsigned long)random32() << 32 : 0);
68789 ++}
68790 ++
68791 + #endif /* __KERNEL___ */
68792 +
68793 + #endif /* _LINUX_RANDOM_H */
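Review bot: on 32-bit builds the untaken branch of the conditional still contains `(unsigned long)random32() << 32`, a shift by the full width of the type, which gcc warns about even though it is never executed; wrap the 64-bit composition in `#if BITS_PER_LONG == 64` instead. Also, `random32()` is the non-cryptographic Tausworthe generator; if this feeds the ASLR deltas (`delta_mmap`/`delta_stack` in the `mm_types.h` hunk), state why it is preferred over the `get_random_int()`-backed `randomize_range()` declared just above.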
68794 +diff -urNp linux-2.6.24.5/include/linux/sched.h linux-2.6.24.5/include/linux/sched.h
68795 +--- linux-2.6.24.5/include/linux/sched.h 2008-04-17 20:05:17.000000000 -0400
68796 ++++ linux-2.6.24.5/include/linux/sched.h 2008-04-17 20:05:01.000000000 -0400
68797 +@@ -94,6 +94,7 @@ struct sched_param {
68798 + struct exec_domain;
68799 + struct futex_pi_state;
68800 + struct bio;
68801 ++struct linux_binprm;
68802 +
68803 + /*
68804 + * List of flags we want to share for kernel threads,
68805 +@@ -507,6 +508,15 @@ struct signal_struct {
68806 + unsigned audit_tty;
68807 + struct tty_audit_buf *tty_audit_buf;
68808 + #endif
68809 ++
68810 ++#ifdef CONFIG_GRKERNSEC
68811 ++ u32 curr_ip;
68812 ++ u32 gr_saddr;
68813 ++ u32 gr_daddr;
68814 ++ u16 gr_sport;
68815 ++ u16 gr_dport;
68816 ++ u8 used_accept:1;
68817 ++#endif
68818 + };
68819 +
68820 + /* Context switch must be unlocked if interrupts are to be enabled */
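Review bot: `curr_ip`, `gr_saddr` and `gr_daddr` are `u32`, so the logged endpoint of a session is IPv4-only; an IPv6 `accept()` cannot populate them and `used_accept` then carries no address. Document the byte order these hold (network order if copied straight from `sockaddr_in`) so the logging code prints them consistently, and note that the struct is per signal_struct, i.e. shared by all threads of a process.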
68821 +@@ -916,7 +926,7 @@ struct sched_entity {
68822 +
68823 + struct task_struct {
68824 + volatile long state; /* -1 unrunnable, 0 runnable, >0 stopped */
68825 +- void *stack;
68826 ++ union thread_union *stack;
68827 + atomic_t usage;
68828 + unsigned int flags; /* per process flags, defined below */
68829 + unsigned int ptrace;
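Review bot: changing `stack` from `void *` to `union thread_union *` needs `union thread_union` to be at least forward-declared before `struct task_struct` in this header; a pointer to an incomplete type is fine here, but the `task_thread_info()` macro later in the file now dereferences it, so the full definition must precede every user of that macro.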
68830 +@@ -983,10 +993,9 @@ struct task_struct {
68831 + pid_t pid;
68832 + pid_t tgid;
68833 +
68834 +-#ifdef CONFIG_CC_STACKPROTECTOR
68835 + /* Canary value for the -fstack-protector gcc feature */
68836 + unsigned long stack_canary;
68837 +-#endif
68838 ++
68839 + /*
68840 + * pointers to (original) parent process, youngest child, younger sibling,
68841 + * older sibling, respectively. (p->father can be replaced with
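Review bot: dropping the `#ifdef CONFIG_CC_STACKPROTECTOR` makes `stack_canary` unconditional, but the comment still says it exists only for `-fstack-protector`; either explain why it is now always present (and initialised) or keep the guard so non-stackprotector builds do not carry an unused field. The `++` line also adds a stray blank line where the `#endif` used to be.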
68842 +@@ -1007,8 +1016,8 @@ struct task_struct {
68843 + struct list_head thread_group;
68844 +
68845 + struct completion *vfork_done; /* for vfork() */
68846 +- int __user *set_child_tid; /* CLONE_CHILD_SETTID */
68847 +- int __user *clear_child_tid; /* CLONE_CHILD_CLEARTID */
68848 ++ pid_t __user *set_child_tid; /* CLONE_CHILD_SETTID */
68849 ++ pid_t __user *clear_child_tid; /* CLONE_CHILD_CLEARTID */
68850 +
68851 + unsigned int rt_priority;
68852 + cputime_t utime, stime, utimescaled, stimescaled;
68853 +@@ -1178,8 +1187,60 @@ struct task_struct {
68854 + int make_it_fail;
68855 + #endif
68856 + struct prop_local_single dirties;
68857 ++
68858 ++#ifdef CONFIG_GRKERNSEC
68859 ++ /* grsecurity */
68860 ++ struct acl_subject_label *acl;
68861 ++ struct acl_role_label *role;
68862 ++ struct file *exec_file;
68863 ++ u16 acl_role_id;
68864 ++ u8 acl_sp_role;
68865 ++ u8 is_writable;
68866 ++ u8 brute;
68867 ++#endif
68868 ++
68869 + };
68870 +
68871 ++#define MF_PAX_PAGEEXEC 0x01000000 /* Paging based non-executable pages */
68872 ++#define MF_PAX_EMUTRAMP 0x02000000 /* Emulate trampolines */
68873 ++#define MF_PAX_MPROTECT 0x04000000 /* Restrict mprotect() */
68874 ++#define MF_PAX_RANDMMAP 0x08000000 /* Randomize mmap() base */
68875 ++/*#define MF_PAX_RANDEXEC 0x10000000*/ /* Randomize ET_EXEC base */
68876 ++#define MF_PAX_SEGMEXEC 0x20000000 /* Segmentation based non-executable pages */
68877 ++
68878 ++#ifdef CONFIG_PAX_SOFTMODE
68879 ++extern unsigned int pax_softmode;
68880 ++#endif
68881 ++
68882 ++extern int pax_check_flags(unsigned long *);
68883 ++
68884 ++/* if tsk != current then task_lock must be held on it */
68885 ++#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
68886 ++static inline unsigned long pax_get_flags(struct task_struct *tsk)
68887 ++{
68888 ++ if (likely(tsk->mm))
68889 ++ return tsk->mm->pax_flags;
68890 ++ else
68891 ++ return 0UL;
68892 ++}
68893 ++
68894 ++/* if tsk != current then task_lock must be held on it */
68895 ++static inline long pax_set_flags(struct task_struct *tsk, unsigned long flags)
68896 ++{
68897 ++ if (likely(tsk->mm)) {
68898 ++ tsk->mm->pax_flags = flags;
68899 ++ return 0;
68900 ++ }
68901 ++ return -EINVAL;
68902 ++}
68903 ++#endif
68904 ++
68905 ++#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
68906 ++extern void pax_set_initial_flags(struct linux_binprm *bprm);
68907 ++#elif defined(CONFIG_PAX_HOOK_ACL_FLAGS)
68908 ++extern void (*pax_set_initial_flags_func)(struct linux_binprm *bprm);
68909 ++#endif
68910 ++
68911 + /*
68912 + * Priority of a process goes from 0..MAX_PRIO-1, valid RT
68913 + * priority is 0..MAX_RT_PRIO-1, and SCHED_NORMAL/SCHED_BATCH
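Review bot: `pax_set_flags()` stores `flags` into `tsk->mm->pax_flags` without calling `pax_check_flags()`, which is declared just above it; either validate here or document that callers must have validated and which combinations of `MF_PAX_*` bits are legal. The `MF_PAX_*` values occupy bits 24-29 of `pax_flags`; a comment reserving that byte would stop later additions from colliding, and `/*#define MF_PAX_RANDEXEC 0x10000000*/` should be a comment saying the bit is reserved rather than commented-out code. The trailing `++` blank line before `};` in the `task_struct` part of the hunk is also unnecessary.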
68914 +@@ -1683,7 +1744,7 @@ extern void __cleanup_signal(struct sign
68915 + extern void __cleanup_sighand(struct sighand_struct *);
68916 + extern void exit_itimers(struct signal_struct *);
68917 +
68918 +-extern NORET_TYPE void do_group_exit(int);
68919 ++extern NORET_TYPE void do_group_exit(int) ATTRIB_NORET;
68920 +
68921 + extern void daemonize(const char *, ...);
68922 + extern int allow_signal(int);
68923 +@@ -1785,8 +1846,8 @@ static inline void unlock_task_sighand(s
68924 +
68925 + #ifndef __HAVE_THREAD_FUNCTIONS
68926 +
68927 +-#define task_thread_info(task) ((struct thread_info *)(task)->stack)
68928 +-#define task_stack_page(task) ((task)->stack)
68929 ++#define task_thread_info(task) (&(task)->stack->thread_info)
68930 ++#define task_stack_page(task) ((void *)(task)->stack)
68931 +
68932 + static inline void setup_thread_stack(struct task_struct *p, struct task_struct *org)
68933 + {
68934 +@@ -1923,6 +1984,12 @@ extern void arch_pick_mmap_layout(struct
68935 + static inline void arch_pick_mmap_layout(struct mm_struct *mm)
68936 + {
68937 + mm->mmap_base = TASK_UNMAPPED_BASE;
68938 ++
68939 ++#ifdef CONFIG_PAX_RANDMMAP
68940 ++ if (mm->pax_flags & MF_PAX_RANDMMAP)
68941 ++ mm->mmap_base += mm->delta_mmap;
68942 ++#endif
68943 ++
68944 + mm->get_unmapped_area = arch_get_unmapped_area;
68945 + mm->unmap_area = arch_unmap_area;
68946 + }
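Review bot: the generic `arch_pick_mmap_layout()` fallback reads `mm->delta_mmap` under `CONFIG_PAX_RANDMMAP`, but the field is declared under `CONFIG_PAX_ASLR` in `mm_types.h`; unless Kconfig enforces `PAX_RANDMMAP` depends on `PAX_ASLR`, this fails to compile. Nothing here initialises `delta_mmap`, so a comment should state that it must already have been chosen (at exec time) before this runs.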
68947 +diff -urNp linux-2.6.24.5/include/linux/screen_info.h linux-2.6.24.5/include/linux/screen_info.h
68948 +--- linux-2.6.24.5/include/linux/screen_info.h 2008-03-24 14:49:18.000000000 -0400
68949 ++++ linux-2.6.24.5/include/linux/screen_info.h 2008-03-26 20:21:09.000000000 -0400
68950 +@@ -42,7 +42,8 @@ struct screen_info {
68951 + __u16 pages; /* 0x32 */
68952 + __u16 vesa_attributes; /* 0x34 */
68953 + __u32 capabilities; /* 0x36 */
68954 +- __u8 _reserved[6]; /* 0x3a */
68955 ++ __u16 vesapm_size; /* 0x3a */
68956 ++ __u8 _reserved[4]; /* 0x3c */
68957 + } __attribute__((packed));
68958 +
68959 + #define VIDEO_TYPE_MDA 0x10 /* Monochrome Text Display */
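Review bot: `struct screen_info` is shared with bootloaders, so its layout must not change; splitting `_reserved[6]` at 0x3a into `__u16 vesapm_size` plus `_reserved[4]` at 0x3c keeps the size and all following offsets identical, which is correct, but the comment on the new field should say which setup code fills it and what unit it is in, since downstream consumers will otherwise treat it as still reserved.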
68960 +diff -urNp linux-2.6.24.5/include/linux/security.h linux-2.6.24.5/include/linux/security.h
68961 +--- linux-2.6.24.5/include/linux/security.h 2008-04-17 20:05:17.000000000 -0400
68962 ++++ linux-2.6.24.5/include/linux/security.h 2008-04-17 20:05:01.000000000 -0400
68963 +@@ -2265,7 +2265,7 @@ static inline struct dentry *securityfs_
68964 + mode_t mode,
68965 + struct dentry *parent,
68966 + void *data,
68967 +- struct file_operations *fops)
68968 ++ const struct file_operations *fops)
68969 + {
68970 + return ERR_PTR(-ENODEV);
68971 + }
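Review bot: constifying `fops` in the `securityfs_create_file()` stub is only correct if the real prototype in the `CONFIG_SECURITYFS` branch of this header (not shown in the hunk) is changed the same way; otherwise callers see two different signatures depending on configuration and a const-correct caller breaks on one of them.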
68972 +diff -urNp linux-2.6.24.5/include/linux/shm.h linux-2.6.24.5/include/linux/shm.h
68973 +--- linux-2.6.24.5/include/linux/shm.h 2008-03-24 14:49:18.000000000 -0400
68974 ++++ linux-2.6.24.5/include/linux/shm.h 2008-03-26 20:21:09.000000000 -0400
68975 +@@ -87,6 +87,10 @@ struct shmid_kernel /* private to the ke
68976 + pid_t shm_cprid;
68977 + pid_t shm_lprid;
68978 + struct user_struct *mlock_user;
68979 ++#ifdef CONFIG_GRKERNSEC
68980 ++ time_t shm_createtime;
68981 ++ pid_t shm_lapid;
68982 ++#endif
68983 + };
68984 +
68985 + /* shm_mode upper byte flags */
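Review bot: `shm_createtime` and `shm_lapid` are added without comments, unlike the surrounding fields; say what they record (the segment's creation time and, from the name, a last-attach pid) and which grsecurity check consumes them, so the comparison logic built on a `time_t` in seconds can be reviewed.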
68986 +diff -urNp linux-2.6.24.5/include/linux/sysctl.h linux-2.6.24.5/include/linux/sysctl.h
68987 +--- linux-2.6.24.5/include/linux/sysctl.h 2008-03-24 14:49:18.000000000 -0400
68988 ++++ linux-2.6.24.5/include/linux/sysctl.h 2008-03-26 20:21:09.000000000 -0400
68989 +@@ -164,9 +164,21 @@ enum
68990 + KERN_MAX_LOCK_DEPTH=74,
68991 + KERN_NMI_WATCHDOG=75, /* int: enable/disable nmi watchdog */
68992 + KERN_PANIC_ON_NMI=76, /* int: whether we will panic on an unrecovered */
68993 +-};
68994 ++#ifdef CONFIG_GRKERNSEC
68995 ++ KERN_GRSECURITY=98, /* grsecurity */
68996 ++#endif
68997 ++
68998 ++#ifdef CONFIG_PAX_SOFTMODE
68999 ++ KERN_PAX=99, /* PaX control */
69000 ++#endif
69001 +
69002 ++};
69003 +
69004 ++#ifdef CONFIG_PAX_SOFTMODE
69005 ++enum {
69006 ++ PAX_SOFTMODE=1 /* PaX: disable/enable soft mode */
69007 ++};
69008 ++#endif
69009 +
69010 + /* CTL_VM names: */
69011 + enum
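Review bot: `KERN_GRSECURITY=98` and `KERN_PAX=99` are binary sysctl numbers, i.e. a userspace ABI, chosen well above the last upstream value `KERN_PANIC_ON_NMI=76`; add a comment reserving that range so upstream backports do not collide, and since this kernel validates numbered sysctl entries at registration, the new numbers must be known to that checker or the tables should use `CTL_UNNUMBERED`. The hunk also leaves an empty line before `};` inside the enum and deletes/re-adds the closing brace instead of inserting before it, which makes the diff larger than needed.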
69012 +diff -urNp linux-2.6.24.5/include/linux/uaccess.h linux-2.6.24.5/include/linux/uaccess.h
69013 +--- linux-2.6.24.5/include/linux/uaccess.h 2008-03-24 14:49:18.000000000 -0400
69014 ++++ linux-2.6.24.5/include/linux/uaccess.h 2008-03-26 20:21:09.000000000 -0400
69015 +@@ -76,11 +76,11 @@ static inline unsigned long __copy_from_
69016 + long ret; \
69017 + mm_segment_t old_fs = get_fs(); \
69018 + \
69019 +- set_fs(KERNEL_DS); \
69020 + pagefault_disable(); \
69021 ++ set_fs(KERNEL_DS); \
69022 + ret = __get_user(retval, (__force typeof(retval) __user *)(addr)); \
69023 +- pagefault_enable(); \
69024 + set_fs(old_fs); \
69025 ++ pagefault_enable(); \
69026 + ret; \
69027 + })
69028 +
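Review bot: the reordering makes `pagefault_disable()`/`pagefault_enable()` bracket the `set_fs()` pair symmetrically, but no comment gives the reason; the net effect is that the `KERNEL_DS` window is never open while page faults can be serviced normally, and that should be stated, because the next reader will otherwise assume the order is arbitrary and "fix" it back.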
69029 +diff -urNp linux-2.6.24.5/include/linux/udf_fs.h linux-2.6.24.5/include/linux/udf_fs.h
69030 +--- linux-2.6.24.5/include/linux/udf_fs.h 2008-03-24 14:49:18.000000000 -0400
69031 ++++ linux-2.6.24.5/include/linux/udf_fs.h 2008-03-26 20:21:09.000000000 -0400
69032 +@@ -45,7 +45,7 @@
69033 + printk (f, ##a); \
69034 + }
69035 + #else
69036 +-#define udf_debug(f, a...) /**/
69037 ++#define udf_debug(f, a...) do {} while (0)
69038 + #endif
69039 +
69040 + #define udf_info(f, a...) \
69041 +diff -urNp linux-2.6.24.5/include/net/sctp/sctp.h linux-2.6.24.5/include/net/sctp/sctp.h
69042 +--- linux-2.6.24.5/include/net/sctp/sctp.h 2008-03-24 14:49:18.000000000 -0400
69043 ++++ linux-2.6.24.5/include/net/sctp/sctp.h 2008-03-26 20:21:09.000000000 -0400
69044 +@@ -316,8 +316,8 @@ extern int sctp_debug_flag;
69045 +
69046 + #else /* SCTP_DEBUG */
69047 +
69048 +-#define SCTP_DEBUG_PRINTK(whatever...)
69049 +-#define SCTP_DEBUG_PRINTK_IPADDR(whatever...)
69050 ++#define SCTP_DEBUG_PRINTK(whatever...) do {} while (0)
69051 ++#define SCTP_DEBUG_PRINTK_IPADDR(whatever...) do {} while (0)
69052 + #define SCTP_ENABLE_DEBUG
69053 + #define SCTP_DISABLE_DEBUG
69054 + #define SCTP_ASSERT(expr, str, func)
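Review bot: `SCTP_DEBUG_PRINTK*` now expand to `do {} while (0)`, but `SCTP_ASSERT(expr, str, func)` on the last context line still expands to nothing, so it keeps the same dangling-`else` hazard; convert it too, or at least to `(void)(expr)` as `snd_assert` in `include/sound/core.h` does.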
69055 +diff -urNp linux-2.6.24.5/include/sound/core.h linux-2.6.24.5/include/sound/core.h
69056 +--- linux-2.6.24.5/include/sound/core.h 2008-03-24 14:49:18.000000000 -0400
69057 ++++ linux-2.6.24.5/include/sound/core.h 2008-03-26 20:21:09.000000000 -0400
69058 +@@ -396,9 +396,9 @@ void snd_verbose_printd(const char *file
69059 +
69060 + #else /* !CONFIG_SND_DEBUG */
69061 +
69062 +-#define snd_printd(fmt, args...) /* nothing */
69063 ++#define snd_printd(fmt, args...) do {} while (0)
69064 + #define snd_assert(expr, args...) (void)(expr)
69065 +-#define snd_BUG() /* nothing */
69066 ++#define snd_BUG() do {} while (0)
69067 +
69068 + #endif /* CONFIG_SND_DEBUG */
69069 +
69070 +@@ -412,7 +412,7 @@ void snd_verbose_printd(const char *file
69071 + */
69072 + #define snd_printdd(format, args...) snd_printk(format, ##args)
69073 + #else
69074 +-#define snd_printdd(format, args...) /* nothing */
69075 ++#define snd_printdd(format, args...) do {} while (0)
69076 + #endif
69077 +
69078 +
69079 +diff -urNp linux-2.6.24.5/init/do_mounts.c linux-2.6.24.5/init/do_mounts.c
69080 +--- linux-2.6.24.5/init/do_mounts.c 2008-03-24 14:49:18.000000000 -0400
69081 ++++ linux-2.6.24.5/init/do_mounts.c 2008-03-26 20:21:09.000000000 -0400
69082 +@@ -68,11 +68,12 @@ static dev_t try_name(char *name, int pa
69083 +
69084 + /* read device number from .../dev */
69085 +
69086 +- sprintf(path, "/sys/block/%s/dev", name);
69087 +- fd = sys_open(path, 0, 0);
69088 ++ if (sizeof path <= snprintf(path, sizeof path, "/sys/block/%s/dev", name))
69089 ++ goto fail;
69090 ++ fd = sys_open((char __user *)path, 0, 0);
69091 + if (fd < 0)
69092 + goto fail;
69093 +- len = sys_read(fd, buf, 32);
69094 ++ len = sys_read(fd, (char __user *)buf, 32);
69095 + sys_close(fd);
69096 + if (len <= 0 || len == 32 || buf[len - 1] != '\n')
69097 + goto fail;
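Review bot: `sizeof path` should be `sizeof(path)` per kernel style, and the `(char __user *)` casts deserve a one-line comment that `try_name()` runs in the init thread with `KERNEL_DS`, so they only satisfy sparse and do not weaken the access checks. The truncation test `sizeof path <= snprintf(...)` with `goto fail` is the right way to close the `sprintf()` overflow on an over-long device name; the same pattern is applied in the next hunk.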
69098 +@@ -98,11 +99,12 @@ static dev_t try_name(char *name, int pa
69099 + return res;
69100 +
69101 + /* otherwise read range from .../range */
69102 +- sprintf(path, "/sys/block/%s/range", name);
69103 +- fd = sys_open(path, 0, 0);
69104 ++ if (sizeof path <= snprintf(path, sizeof path, "/sys/block/%s/range", name))
69105 ++ goto fail;
69106 ++ fd = sys_open((char __user *)path, 0, 0);
69107 + if (fd < 0)
69108 + goto fail;
69109 +- len = sys_read(fd, buf, 32);
69110 ++ len = sys_read(fd, (char __user *)buf, 32);
69111 + sys_close(fd);
69112 + if (len <= 0 || len == 32 || buf[len - 1] != '\n')
69113 + goto fail;
69114 +@@ -145,8 +147,8 @@ dev_t name_to_dev_t(char *name)
69115 + int part;
69116 +
69117 + #ifdef CONFIG_SYSFS
69118 +- int mkdir_err = sys_mkdir("/sys", 0700);
69119 +- if (sys_mount("sysfs", "/sys", "sysfs", 0, NULL) < 0)
69120 ++ int mkdir_err = sys_mkdir((char __user *)"/sys", 0700);
69121 ++ if (sys_mount((char __user *)"sysfs", (char __user *)"/sys", (char __user *)"sysfs", 0, NULL) < 0)
69122 + goto out;
69123 + #endif
69124 +
69125 +@@ -198,10 +200,10 @@ dev_t name_to_dev_t(char *name)
69126 + res = try_name(s, part);
69127 + done:
69128 + #ifdef CONFIG_SYSFS
69129 +- sys_umount("/sys", 0);
69130 ++ sys_umount((char __user *)"/sys", 0);
69131 + out:
69132 + if (!mkdir_err)
69133 +- sys_rmdir("/sys");
69134 ++ sys_rmdir((char __user *)"/sys");
69135 + #endif
69136 + return res;
69137 + fail:
69138 +@@ -281,11 +283,11 @@ static void __init get_fs_names(char *pa
69139 +
69140 + static int __init do_mount_root(char *name, char *fs, int flags, void *data)
69141 + {
69142 +- int err = sys_mount(name, "/root", fs, flags, data);
69143 ++ int err = sys_mount((char __user *)name, (char __user *)"/root", (char __user *)fs, flags, (void __user *)data);
69144 + if (err)
69145 + return err;
69146 +
69147 +- sys_chdir("/root");
69148 ++ sys_chdir((char __user *)"/root");
69149 + ROOT_DEV = current->fs->pwdmnt->mnt_sb->s_dev;
69150 + printk("VFS: Mounted root (%s filesystem)%s.\n",
69151 + current->fs->pwdmnt->mnt_sb->s_type->name,
69152 +@@ -371,18 +373,18 @@ void __init change_floppy(char *fmt, ...
69153 + va_start(args, fmt);
69154 + vsprintf(buf, fmt, args);
69155 + va_end(args);
69156 +- fd = sys_open("/dev/root", O_RDWR | O_NDELAY, 0);
69157 ++ fd = sys_open((char __user *)"/dev/root", O_RDWR | O_NDELAY, 0);
69158 + if (fd >= 0) {
69159 + sys_ioctl(fd, FDEJECT, 0);
69160 + sys_close(fd);
69161 + }
69162 + printk(KERN_NOTICE "VFS: Insert %s and press ENTER\n", buf);
69163 +- fd = sys_open("/dev/console", O_RDWR, 0);
69164 ++ fd = sys_open((char __user *)"/dev/console", O_RDWR, 0);
69165 + if (fd >= 0) {
69166 + sys_ioctl(fd, TCGETS, (long)&termios);
69167 + termios.c_lflag &= ~ICANON;
69168 + sys_ioctl(fd, TCSETSF, (long)&termios);
69169 +- sys_read(fd, &c, 1);
69170 ++ sys_read(fd, (char __user *)&c, 1);
69171 + termios.c_lflag |= ICANON;
69172 + sys_ioctl(fd, TCSETSF, (long)&termios);
69173 + sys_close(fd);
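Review bot: `sprintf()` was converted to a bounds-checked `snprintf()` in `try_name()`, but `vsprintf(buf, fmt, args)` on the second context line of this hunk is still unbounded; use `vsnprintf(buf, sizeof(buf), fmt, args)` for the same reason, since `change_floppy()` formats a caller-supplied string into a fixed-size buffer.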
69174 +@@ -468,8 +470,8 @@ void __init prepare_namespace(void)
69175 +
69176 + mount_root();
69177 + out:
69178 +- sys_mount(".", "/", NULL, MS_MOVE, NULL);
69179 +- sys_chroot(".");
69180 ++ sys_mount((char __user *)".", (char __user *)"/", NULL, MS_MOVE, NULL);
69181 ++ sys_chroot((char __user *)".");
69182 + security_sb_post_mountroot();
69183 + }
69184 +
69185 +diff -urNp linux-2.6.24.5/init/do_mounts.h linux-2.6.24.5/init/do_mounts.h
69186 +--- linux-2.6.24.5/init/do_mounts.h 2008-03-24 14:49:18.000000000 -0400
69187 ++++ linux-2.6.24.5/init/do_mounts.h 2008-03-26 20:21:09.000000000 -0400
69188 +@@ -15,15 +15,15 @@ extern char *root_device_name;
69189 +
69190 + static inline int create_dev(char *name, dev_t dev)
69191 + {
69192 +- sys_unlink(name);
69193 +- return sys_mknod(name, S_IFBLK|0600, new_encode_dev(dev));
69194 ++ sys_unlink((char __user *)name);
69195 ++ return sys_mknod((char __user *)name, S_IFBLK|0600, new_encode_dev(dev));
69196 + }
69197 +
69198 + #if BITS_PER_LONG == 32
69199 + static inline u32 bstat(char *name)
69200 + {
69201 + struct stat64 stat;
69202 +- if (sys_stat64(name, &stat) != 0)
69203 ++ if (sys_stat64((char __user *)name, (struct stat64 __user *)&stat) != 0)
69204 + return 0;
69205 + if (!S_ISBLK(stat.st_mode))
69206 + return 0;
69207 +diff -urNp linux-2.6.24.5/init/do_mounts_md.c linux-2.6.24.5/init/do_mounts_md.c
69208 +--- linux-2.6.24.5/init/do_mounts_md.c 2008-03-24 14:49:18.000000000 -0400
69209 ++++ linux-2.6.24.5/init/do_mounts_md.c 2008-03-26 20:21:09.000000000 -0400
69210 +@@ -167,7 +167,7 @@ static void __init md_setup_drive(void)
69211 + partitioned ? "_d" : "", minor,
69212 + md_setup_args[ent].device_names);
69213 +
69214 +- fd = sys_open(name, 0, 0);
69215 ++ fd = sys_open((char __user *)name, 0, 0);
69216 + if (fd < 0) {
69217 + printk(KERN_ERR "md: open failed - cannot start "
69218 + "array %s\n", name);
69219 +@@ -230,7 +230,7 @@ static void __init md_setup_drive(void)
69220 + * array without it
69221 + */
69222 + sys_close(fd);
69223 +- fd = sys_open(name, 0, 0);
69224 ++ fd = sys_open((char __user *)name, 0, 0);
69225 + sys_ioctl(fd, BLKRRPART, 0);
69226 + }
69227 + sys_close(fd);
69228 +@@ -271,7 +271,7 @@ void __init md_run_setup(void)
69229 + if (raid_noautodetect)
69230 + printk(KERN_INFO "md: Skipping autodetection of RAID arrays. (raid=noautodetect)\n");
69231 + else {
69232 +- int fd = sys_open("/dev/md0", 0, 0);
69233 ++ int fd = sys_open((char __user *)"/dev/md0", 0, 0);
69234 + if (fd >= 0) {
69235 + sys_ioctl(fd, RAID_AUTORUN, raid_autopart);
69236 + sys_close(fd);
69237 +diff -urNp linux-2.6.24.5/init/initramfs.c linux-2.6.24.5/init/initramfs.c
69238 +--- linux-2.6.24.5/init/initramfs.c 2008-03-24 14:49:18.000000000 -0400
69239 ++++ linux-2.6.24.5/init/initramfs.c 2008-03-26 20:21:09.000000000 -0400
69240 +@@ -240,7 +240,7 @@ static int __init maybe_link(void)
69241 + if (nlink >= 2) {
69242 + char *old = find_link(major, minor, ino, mode, collected);
69243 + if (old)
69244 +- return (sys_link(old, collected) < 0) ? -1 : 1;
69245 ++ return (sys_link((char __user *)old, (char __user *)collected) < 0) ? -1 : 1;
69246 + }
69247 + return 0;
69248 + }
69249 +@@ -249,11 +249,11 @@ static void __init clean_path(char *path
69250 + {
69251 + struct stat st;
69252 +
69253 +- if (!sys_newlstat(path, &st) && (st.st_mode^mode) & S_IFMT) {
69254 ++ if (!sys_newlstat((char __user *)path, (struct stat __user *)&st) && (st.st_mode^mode) & S_IFMT) {
69255 + if (S_ISDIR(st.st_mode))
69256 +- sys_rmdir(path);
69257 ++ sys_rmdir((char __user *)path);
69258 + else
69259 +- sys_unlink(path);
69260 ++ sys_unlink((char __user *)path);
69261 + }
69262 + }
69263 +
69264 +@@ -276,7 +276,7 @@ static int __init do_name(void)
69265 + int openflags = O_WRONLY|O_CREAT;
69266 + if (ml != 1)
69267 + openflags |= O_TRUNC;
69268 +- wfd = sys_open(collected, openflags, mode);
69269 ++ wfd = sys_open((char __user *)collected, openflags, mode);
69270 +
69271 + if (wfd >= 0) {
69272 + sys_fchown(wfd, uid, gid);
69273 +@@ -285,15 +285,15 @@ static int __init do_name(void)
69274 + }
69275 + }
69276 + } else if (S_ISDIR(mode)) {
69277 +- sys_mkdir(collected, mode);
69278 +- sys_chown(collected, uid, gid);
69279 +- sys_chmod(collected, mode);
69280 ++ sys_mkdir((char __user *)collected, mode);
69281 ++ sys_chown((char __user *)collected, uid, gid);
69282 ++ sys_chmod((char __user *)collected, mode);
69283 + } else if (S_ISBLK(mode) || S_ISCHR(mode) ||
69284 + S_ISFIFO(mode) || S_ISSOCK(mode)) {
69285 + if (maybe_link() == 0) {
69286 +- sys_mknod(collected, mode, rdev);
69287 +- sys_chown(collected, uid, gid);
69288 +- sys_chmod(collected, mode);
69289 ++ sys_mknod((char __user *)collected, mode, rdev);
69290 ++ sys_chown((char __user *)collected, uid, gid);
69291 ++ sys_chmod((char __user *)collected, mode);
69292 + }
69293 + }
69294 + return 0;
69295 +@@ -302,13 +302,13 @@ static int __init do_name(void)
69296 + static int __init do_copy(void)
69297 + {
69298 + if (count >= body_len) {
69299 +- sys_write(wfd, victim, body_len);
69300 ++ sys_write(wfd, (char __user *)victim, body_len);
69301 + sys_close(wfd);
69302 + eat(body_len);
69303 + state = SkipIt;
69304 + return 0;
69305 + } else {
69306 +- sys_write(wfd, victim, count);
69307 ++ sys_write(wfd, (char __user *)victim, count);
69308 + body_len -= count;
69309 + eat(count);
69310 + return 1;
69311 +@@ -319,8 +319,8 @@ static int __init do_symlink(void)
69312 + {
69313 + collected[N_ALIGN(name_len) + body_len] = '\0';
69314 + clean_path(collected, 0);
69315 +- sys_symlink(collected + N_ALIGN(name_len), collected);
69316 +- sys_lchown(collected, uid, gid);
69317 ++ sys_symlink((char __user *)collected + N_ALIGN(name_len), (char __user *)collected);
69318 ++ sys_lchown((char __user *)collected, uid, gid);
69319 + state = SkipIt;
69320 + next_state = Reset;
69321 + return 0;
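Review bot: in do_symlink the cast `(char __user *)collected + N_ALIGN(name_len)` binds to `collected` before the addition, so the offset is applied to a `char __user *`; the result is identical for a char pointer, but `(char __user *)(collected + N_ALIGN(name_len))` states the intent and saves the reader a precedence check.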
69322 +diff -urNp linux-2.6.24.5/init/Kconfig linux-2.6.24.5/init/Kconfig
69323 +--- linux-2.6.24.5/init/Kconfig 2008-03-24 14:49:18.000000000 -0400
69324 ++++ linux-2.6.24.5/init/Kconfig 2008-03-26 20:21:09.000000000 -0400
69325 +@@ -469,6 +469,7 @@ config SYSCTL_SYSCALL
69326 + config KALLSYMS
69327 + bool "Load all symbols for debugging/ksymoops" if EMBEDDED
69328 + default y
69329 ++ depends on !GRKERNSEC_HIDESYM
69330 + help
69331 + Say Y here to let the kernel print out symbolic crash information and
69332 + symbolic stack backtraces. This increases the size of the kernel
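Review bot: adding `depends on !GRKERNSEC_HIDESYM` to KALLSYMS silently turns off a `default y` option, so a user who enables HIDESYM loses symbolic oops output and stack backtraces with no hint in this menu; either extend the help text here to mention the interaction, or express the dependency on the HIDESYM side so its own help text says it disables KALLSYMS, where the choice is actually made.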
69333 +diff -urNp linux-2.6.24.5/init/main.c linux-2.6.24.5/init/main.c
69334 +--- linux-2.6.24.5/init/main.c 2008-03-24 14:49:18.000000000 -0400
69335 ++++ linux-2.6.24.5/init/main.c 2008-03-26 20:21:09.000000000 -0400
69336 +@@ -101,6 +101,7 @@ static inline void mark_rodata_ro(void)
69337 + #ifdef CONFIG_TC
69338 + extern void tc_init(void);
69339 + #endif
69340 ++extern void grsecurity_init(void);
69341 +
69342 + enum system_states system_state;
69343 + EXPORT_SYMBOL(system_state);
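Review bot: the `extern void grsecurity_init(void);` prototype belongs in a header, not in init/main.c; the patch already includes `<linux/grsecurity.h>` in other files (ipc/msg.c, kernel/fork.c), so declare it there and include that header here, which also lets the compiler check the definition against the declaration.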
69344 +@@ -187,6 +188,17 @@ static int __init set_reset_devices(char
69345 +
69346 + __setup("reset_devices", set_reset_devices);
69347 +
69348 ++#ifdef CONFIG_PAX_SOFTMODE
69349 ++unsigned int pax_softmode;
69350 ++
69351 ++static int __init setup_pax_softmode(char *str)
69352 ++{
69353 ++ get_option(&str, &pax_softmode);
69354 ++ return 1;
69355 ++}
69356 ++__setup("pax_softmode=", setup_pax_softmode);
69357 ++#endif
69358 ++
69359 + static char * argv_init[MAX_INIT_ARGS+2] = { "init", NULL, };
69360 + char * envp_init[MAX_INIT_ENVS+2] = { "HOME=/", "TERM=linux", NULL, };
69361 + static const char *panic_later, *panic_param;
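Review bot: setup_pax_softmode passes `&pax_softmode`, an `unsigned int *`, to get_option(), whose second parameter is `int *`; that is a pointer-signedness mismatch the compiler will warn about. Either declare `pax_softmode` as `int`, or parse into a local `int` and assign. The parser also accepts any value given on the command line; if only 0 and 1 are meaningful, normalise it (`pax_softmode = !!val`) so a typo does not produce an unexpected mode.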
69362 +@@ -847,6 +859,8 @@ static int __init kernel_init(void * unu
69363 + prepare_namespace();
69364 + }
69365 +
69366 ++ grsecurity_init();
69367 ++
69368 + /*
69369 + * Ok, we have completed the initial bootup, and
69370 + * we're essentially up and running. Get rid of the
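Review bot: `grsecurity_init()` is called unconditionally from kernel_init, so a no-op definition must exist when CONFIG_GRKERNSEC is not set; that stub is not part of this hunk, and the call is not `#ifdef`-guarded the way the PaX softmode setup earlier in this file is. A short comment stating what grsecurity_init requires to have happened first (it runs after prepare_namespace, i.e. with the root filesystem mounted) would help whoever next reorders kernel_init.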
69371 +diff -urNp linux-2.6.24.5/init/noinitramfs.c linux-2.6.24.5/init/noinitramfs.c
69372 +--- linux-2.6.24.5/init/noinitramfs.c 2008-03-24 14:49:18.000000000 -0400
69373 ++++ linux-2.6.24.5/init/noinitramfs.c 2008-03-26 20:21:09.000000000 -0400
69374 +@@ -29,7 +29,7 @@ static int __init default_rootfs(void)
69375 + {
69376 + int err;
69377 +
69378 +- err = sys_mkdir("/dev", 0755);
69379 ++ err = sys_mkdir((const char __user *)"/dev", 0755);
69380 + if (err < 0)
69381 + goto out;
69382 +
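Review bot: here the cast is `(const char __user *)`, which matches sys_mkdir's declared parameter type, whereas the do_mounts.c and initramfs.c hunks cast the same kind of argument to `(char __user *)`; use one form throughout the patch, preferably the `const` one since the argument is a string literal.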
69383 +@@ -39,7 +39,7 @@ static int __init default_rootfs(void)
69384 + if (err < 0)
69385 + goto out;
69386 +
69387 +- err = sys_mkdir("/root", 0700);
69388 ++ err = sys_mkdir((const char __user *)"/root", 0700);
69389 + if (err < 0)
69390 + goto out;
69391 +
69392 +diff -urNp linux-2.6.24.5/ipc/ipc_sysctl.c linux-2.6.24.5/ipc/ipc_sysctl.c
69393 +--- linux-2.6.24.5/ipc/ipc_sysctl.c 2008-03-24 14:49:18.000000000 -0400
69394 ++++ linux-2.6.24.5/ipc/ipc_sysctl.c 2008-03-26 20:21:09.000000000 -0400
69395 +@@ -157,7 +157,7 @@ static struct ctl_table ipc_kern_table[]
69396 + .proc_handler = proc_ipc_dointvec,
69397 + .strategy = sysctl_ipc_data,
69398 + },
69399 +- {}
69400 ++ { 0, NULL, NULL, 0, 0, NULL, NULL, NULL, NULL, NULL, NULL }
69401 + };
69402 +
69403 + static struct ctl_table ipc_root_table[] = {
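Review bot: replacing the `{}` sentinel with an eleven-field positional initializer ties ipc_kern_table to the exact field count and order of `struct ctl_table`; if a field is added or reordered in the header the sentinel stops compiling or, worse, zero-fills the wrong members. `{}` already zero-initialises every member, so if the aim is to silence a missing-initializer warning, `{ .ctl_name = 0 }` keeps that property without the fragility. The same applies to the ipc_root_table sentinel in the next hunk.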
69404 +@@ -167,7 +167,7 @@ static struct ctl_table ipc_root_table[]
69405 + .mode = 0555,
69406 + .child = ipc_kern_table,
69407 + },
69408 +- {}
69409 ++ { 0, NULL, NULL, 0, 0, NULL, NULL, NULL, NULL, NULL, NULL }
69410 + };
69411 +
69412 + static int __init ipc_sysctl_init(void)
69413 +diff -urNp linux-2.6.24.5/ipc/msg.c linux-2.6.24.5/ipc/msg.c
69414 +--- linux-2.6.24.5/ipc/msg.c 2008-03-24 14:49:18.000000000 -0400
69415 ++++ linux-2.6.24.5/ipc/msg.c 2008-03-26 20:21:09.000000000 -0400
69416 +@@ -36,6 +36,7 @@
69417 + #include <linux/seq_file.h>
69418 + #include <linux/rwsem.h>
69419 + #include <linux/nsproxy.h>
69420 ++#include <linux/grsecurity.h>
69421 +
69422 + #include <asm/current.h>
69423 + #include <asm/uaccess.h>
69424 +@@ -315,6 +316,7 @@ asmlinkage long sys_msgget(key_t key, in
69425 + struct ipc_namespace *ns;
69426 + struct ipc_ops msg_ops;
69427 + struct ipc_params msg_params;
69428 ++ long err;
69429 +
69430 + ns = current->nsproxy->ipc_ns;
69431 +
69432 +@@ -325,7 +327,11 @@ asmlinkage long sys_msgget(key_t key, in
69433 + msg_params.key = key;
69434 + msg_params.flg = msgflg;
69435 +
69436 +- return ipcget(ns, &msg_ids(ns), &msg_ops, &msg_params);
69437 ++ err = ipcget(ns, &msg_ids(ns), &msg_ops, &msg_params);
69438 ++
69439 ++ gr_log_msgget(err, msgflg);
69440 ++
69441 ++ return err;
69442 + }
69443 +
69444 + static inline unsigned long
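Review bot: `gr_log_msgget(err, msgflg)` runs on every path, including failures where `err` is negative, which is presumably deliberate so refused or failed gets are logged as well; a comment saying so would stop someone from "fixing" it into the success path only. The same shape is repeated for semget and shmget later in the patch, so one comment at the first site is enough.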
69445 +@@ -586,6 +592,7 @@ asmlinkage long sys_msgctl(int msqid, in
69446 + break;
69447 + }
69448 + case IPC_RMID:
69449 ++ gr_log_msgrm(ipcp->uid, ipcp->cuid);
69450 + freeque(ns, msq);
69451 + break;
69452 + }
69453 +diff -urNp linux-2.6.24.5/ipc/sem.c linux-2.6.24.5/ipc/sem.c
69454 +--- linux-2.6.24.5/ipc/sem.c 2008-03-24 14:49:18.000000000 -0400
69455 ++++ linux-2.6.24.5/ipc/sem.c 2008-03-26 20:21:09.000000000 -0400
69456 +@@ -82,6 +82,7 @@
69457 + #include <linux/seq_file.h>
69458 + #include <linux/rwsem.h>
69459 + #include <linux/nsproxy.h>
69460 ++#include <linux/grsecurity.h>
69461 +
69462 + #include <asm/uaccess.h>
69463 + #include "util.h"
69464 +@@ -334,6 +335,7 @@ asmlinkage long sys_semget(key_t key, in
69465 + struct ipc_namespace *ns;
69466 + struct ipc_ops sem_ops;
69467 + struct ipc_params sem_params;
69468 ++ long err;
69469 +
69470 + ns = current->nsproxy->ipc_ns;
69471 +
69472 +@@ -348,7 +350,11 @@ asmlinkage long sys_semget(key_t key, in
69473 + sem_params.flg = semflg;
69474 + sem_params.u.nsems = nsems;
69475 +
69476 +- return ipcget(ns, &sem_ids(ns), &sem_ops, &sem_params);
69477 ++ err = ipcget(ns, &sem_ids(ns), &sem_ops, &sem_params);
69478 ++
69479 ++ gr_log_semget(err, semflg);
69480 ++
69481 ++ return err;
69482 + }
69483 +
69484 + /* Manage the doubly linked list sma->sem_pending as a FIFO:
69485 +@@ -936,6 +942,7 @@ static int semctl_down(struct ipc_namesp
69486 +
69487 + switch(cmd){
69488 + case IPC_RMID:
69489 ++ gr_log_semrm(ipcp->uid, ipcp->cuid);
69490 + freeary(ns, sma);
69491 + err = 0;
69492 + break;
69493 +diff -urNp linux-2.6.24.5/ipc/shm.c linux-2.6.24.5/ipc/shm.c
69494 +--- linux-2.6.24.5/ipc/shm.c 2008-03-24 14:49:18.000000000 -0400
69495 ++++ linux-2.6.24.5/ipc/shm.c 2008-03-26 20:21:09.000000000 -0400
69496 +@@ -38,6 +38,7 @@
69497 + #include <linux/rwsem.h>
69498 + #include <linux/nsproxy.h>
69499 + #include <linux/mount.h>
69500 ++#include <linux/grsecurity.h>
69501 +
69502 + #include <asm/uaccess.h>
69503 +
69504 +@@ -71,6 +72,14 @@ static void shm_destroy (struct ipc_name
69505 + static int sysvipc_shm_proc_show(struct seq_file *s, void *it);
69506 + #endif
69507 +
69508 ++#ifdef CONFIG_GRKERNSEC
69509 ++extern int gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
69510 ++ const time_t shm_createtime, const uid_t cuid,
69511 ++ const int shmid);
69512 ++extern int gr_chroot_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
69513 ++ const time_t shm_createtime);
69514 ++#endif
69515 ++
69516 + static void __shm_init_ns(struct ipc_namespace *ns, struct ipc_ids *ids)
69517 + {
69518 + ns->ids[IPC_SHM_IDS] = ids;
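Review bot: the gr_handle_shmat/gr_chroot_shmat prototypes are declared as file-local externs in ipc/shm.c even though `<linux/grsecurity.h>` is included a few lines earlier in this same file; move the declarations into that header so every user shares one prototype, and the `#ifdef CONFIG_GRKERNSEC` wrapper around them can go with it.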
69519 +@@ -87,6 +96,8 @@ static void __shm_init_ns(struct ipc_nam
69520 + */
69521 + static void do_shm_rmid(struct ipc_namespace *ns, struct shmid_kernel *shp)
69522 + {
69523 ++ gr_log_shmrm(shp->shm_perm.uid, shp->shm_perm.cuid);
69524 ++
69525 + if (shp->shm_nattch){
69526 + shp->shm_perm.mode |= SHM_DEST;
69527 + /* Do not find it any more */
69528 +@@ -443,6 +454,14 @@ static int newseg(struct ipc_namespace *
69529 + shp->shm_lprid = 0;
69530 + shp->shm_atim = shp->shm_dtim = 0;
69531 + shp->shm_ctim = get_seconds();
69532 ++#ifdef CONFIG_GRKERNSEC
69533 ++ {
69534 ++ struct timespec timeval;
69535 ++ do_posix_clock_monotonic_gettime(&timeval);
69536 ++
69537 ++ shp->shm_createtime = timeval.tv_sec;
69538 ++ }
69539 ++#endif
69540 + shp->shm_segsz = size;
69541 + shp->shm_nattch = 0;
69542 + shp->shm_perm.id = shm_buildid(id, shp->shm_perm.seq);
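Review bot: in newseg the new `shm_createtime` is taken from the monotonic clock while `shm_ctim` on the line above uses get_seconds(); since both describe the same event, a comment should say why createtime is deliberately monotonic (it is passed to gr_handle_shmat later in this file, presumably so the comparison cannot be defeated by changing wall-clock time). The local named `timeval` is a `struct timespec`; `ts` would be less misleading.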
69543 +@@ -497,6 +516,7 @@ asmlinkage long sys_shmget (key_t key, s
69544 + struct ipc_namespace *ns;
69545 + struct ipc_ops shm_ops;
69546 + struct ipc_params shm_params;
69547 ++ long err;
69548 +
69549 + ns = current->nsproxy->ipc_ns;
69550 +
69551 +@@ -508,7 +528,11 @@ asmlinkage long sys_shmget (key_t key, s
69552 + shm_params.flg = shmflg;
69553 + shm_params.u.size = size;
69554 +
69555 +- return ipcget(ns, &shm_ids(ns), &shm_ops, &shm_params);
69556 ++ err = ipcget(ns, &shm_ids(ns), &shm_ops, &shm_params);
69557 ++
69558 ++ gr_log_shmget(err, shmflg, size);
69559 ++
69560 ++ return err;
69561 + }
69562 +
69563 + static inline unsigned long copy_shmid_to_user(void __user *buf, struct shmid64_ds *in, int version)
69564 +@@ -974,9 +998,21 @@ long do_shmat(int shmid, char __user *sh
69565 + if (err)
69566 + goto out_unlock;
69567 +
69568 ++#ifdef CONFIG_GRKERNSEC
69569 ++ if (!gr_handle_shmat(shp->shm_cprid, shp->shm_lapid, shp->shm_createtime,
69570 ++ shp->shm_perm.cuid, shmid) ||
69571 ++ !gr_chroot_shmat(shp->shm_cprid, shp->shm_lapid, shp->shm_createtime)) {
69572 ++ err = -EACCES;
69573 ++ goto out_unlock;
69574 ++ }
69575 ++#endif
69576 ++
69577 + path.dentry = dget(shp->shm_file->f_path.dentry);
69578 + path.mnt = shp->shm_file->f_path.mnt;
69579 + shp->shm_nattch++;
69580 ++#ifdef CONFIG_GRKERNSEC
69581 ++ shp->shm_lapid = current->pid;
69582 ++#endif
69583 + size = i_size_read(path.dentry->d_inode);
69584 + shm_unlock(shp);
69585 +
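Review bot: the gr_handle_shmat/gr_chroot_shmat checks in do_shmat sit between the earlier `goto out_unlock` and `shm_unlock(shp)`, i.e. they run with the segment lock held, so both helpers must be non-sleeping; that constraint belongs in their header comment. Returning -EACCES before `shm_nattch++` is the right order. Note that `shm_lapid` and `shm_createtime` are only written under CONFIG_GRKERNSEC; the struct fields should be guarded the same way (or the guard dropped here) so the two do not drift apart.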
69586 +diff -urNp linux-2.6.24.5/kernel/acct.c linux-2.6.24.5/kernel/acct.c
69587 +--- linux-2.6.24.5/kernel/acct.c 2008-03-24 14:49:18.000000000 -0400
69588 ++++ linux-2.6.24.5/kernel/acct.c 2008-03-26 20:21:09.000000000 -0400
69589 +@@ -511,7 +511,7 @@ static void do_acct_process(struct file
69590 + */
69591 + flim = current->signal->rlim[RLIMIT_FSIZE].rlim_cur;
69592 + current->signal->rlim[RLIMIT_FSIZE].rlim_cur = RLIM_INFINITY;
69593 +- file->f_op->write(file, (char *)&ac,
69594 ++ file->f_op->write(file, (char __user *)&ac,
69595 + sizeof(acct_t), &file->f_pos);
69596 + current->signal->rlim[RLIMIT_FSIZE].rlim_cur = flim;
69597 + set_fs(fs);
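Review bot: `(char __user *)&ac` in do_acct_process casts a kernel stack buffer to the user address space; sparse reports an added address space unless the cast uses `__force`, so `(char __user __force *)&ac` is the form that actually quietens it. The `set_fs(fs)` restore at the end of the hunk shows the write runs under a widened address limit, and a comment next to the cast saying so would document why passing a kernel pointer here is legitimate.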
69598 +diff -urNp linux-2.6.24.5/kernel/capability.c linux-2.6.24.5/kernel/capability.c
69599 +--- linux-2.6.24.5/kernel/capability.c 2008-03-24 14:49:18.000000000 -0400
69600 ++++ linux-2.6.24.5/kernel/capability.c 2008-03-26 20:21:09.000000000 -0400
69601 +@@ -13,6 +13,7 @@
69602 + #include <linux/security.h>
69603 + #include <linux/syscalls.h>
69604 + #include <linux/pid_namespace.h>
69605 ++#include <linux/grsecurity.h>
69606 + #include <asm/uaccess.h>
69607 +
69608 + /*
69609 +@@ -233,15 +234,25 @@ out:
69610 +
69611 + int __capable(struct task_struct *t, int cap)
69612 + {
69613 +- if (security_capable(t, cap) == 0) {
69614 ++ if ((security_capable(t, cap) == 0) && gr_task_is_capable(t, cap)) {
69615 + t->flags |= PF_SUPERPRIV;
69616 + return 1;
69617 + }
69618 + return 0;
69619 + }
69620 +
69621 ++int capable_nolog(int cap)
69622 ++{
69623 ++ if ((security_capable(current, cap) == 0) && gr_is_capable_nolog(cap)) {
69624 ++ current->flags |= PF_SUPERPRIV;
69625 ++ return 1;
69626 ++ }
69627 ++ return 0;
69628 ++}
69629 ++
69630 + int capable(int cap)
69631 + {
69632 + return __capable(current, cap);
69633 + }
69634 + EXPORT_SYMBOL(capable);
69635 ++EXPORT_SYMBOL(capable_nolog);
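Review bot: capable_nolog duplicates the body of __capable apart from the gr_* call, and no declaration for it is added in this hunk; put the prototype next to capable() in the appropriate header and give the function a kerneldoc comment that says when a caller should use the non-logging variant, otherwise callers will reach for it simply to avoid log noise and weaken the audit trail. Factoring the shared `security_capable(...) == 0 && gr_...` test into one static helper would keep the two in step.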
69636 +diff -urNp linux-2.6.24.5/kernel/configs.c linux-2.6.24.5/kernel/configs.c
69637 +--- linux-2.6.24.5/kernel/configs.c 2008-03-24 14:49:18.000000000 -0400
69638 ++++ linux-2.6.24.5/kernel/configs.c 2008-03-26 20:21:09.000000000 -0400
69639 +@@ -79,8 +79,16 @@ static int __init ikconfig_init(void)
69640 + struct proc_dir_entry *entry;
69641 +
69642 + /* create the current config file */
69643 ++#ifdef CONFIG_GRKERNSEC_PROC_ADD
69644 ++#ifdef CONFIG_GRKERNSEC_PROC_USER
69645 ++ entry = create_proc_entry("config.gz", S_IFREG | S_IRUSR, &proc_root);
69646 ++#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
69647 ++ entry = create_proc_entry("config.gz", S_IFREG | S_IRUSR | S_IRGRP, &proc_root);
69648 ++#endif
69649 ++#else
69650 + entry = create_proc_entry("config.gz", S_IFREG | S_IRUGO,
69651 + &proc_root);
69652 ++#endif
69653 + if (!entry)
69654 + return -ENOMEM;
69655 +
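Review bot: with CONFIG_GRKERNSEC_PROC_ADD set but neither CONFIG_GRKERNSEC_PROC_USER nor CONFIG_GRKERNSEC_PROC_USERGROUP, no branch assigns `entry`, so ikconfig_init tests an uninitialised pointer. Unless Kconfig guarantees one of the two is always selected with PROC_ADD, restructure as `#if defined(CONFIG_GRKERNSEC_PROC_USER)` / `#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)` / `#else` (the existing S_IRUGO create) / `#endif`, which has no uninitialised path. The kallsyms_init hunk later in the patch has the same shape.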
69656 +diff -urNp linux-2.6.24.5/kernel/cpu.c linux-2.6.24.5/kernel/cpu.c
69657 +--- linux-2.6.24.5/kernel/cpu.c 2008-03-24 14:49:18.000000000 -0400
69658 ++++ linux-2.6.24.5/kernel/cpu.c 2008-03-26 20:21:16.000000000 -0400
69659 +@@ -19,7 +19,7 @@
69660 + static DEFINE_MUTEX(cpu_add_remove_lock);
69661 + static DEFINE_MUTEX(cpu_bitmask_lock);
69662 +
69663 +-static __cpuinitdata RAW_NOTIFIER_HEAD(cpu_chain);
69664 ++static RAW_NOTIFIER_HEAD(cpu_chain);
69665 +
69666 + /* If set, cpu_up and cpu_down will return -EBUSY and do nothing.
69667 + * Should always be manipulated under cpu_add_remove_lock
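Review bot: dropping `__cpuinitdata` from cpu_chain (and `__cpuinit` from register_cpu_notifier in the next hunk) moves them out of the init sections so they stay resident after boot, and the hunk gives no reason. If this is required because something outside __cpuinit code references them, or because of how KERNEXEC treats freed init memory, say so in a comment; otherwise the next section-annotation cleanup will put them back.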
69668 +@@ -66,7 +66,7 @@ EXPORT_SYMBOL_GPL(unlock_cpu_hotplug);
69669 + #endif /* CONFIG_HOTPLUG_CPU */
69670 +
69671 + /* Need to know about CPUs going up/down? */
69672 +-int __cpuinit register_cpu_notifier(struct notifier_block *nb)
69673 ++int register_cpu_notifier(struct notifier_block *nb)
69674 + {
69675 + int ret;
69676 + mutex_lock(&cpu_add_remove_lock);
69677 +diff -urNp linux-2.6.24.5/kernel/exit.c linux-2.6.24.5/kernel/exit.c
69678 +--- linux-2.6.24.5/kernel/exit.c 2008-03-24 14:49:18.000000000 -0400
69679 ++++ linux-2.6.24.5/kernel/exit.c 2008-03-26 20:21:09.000000000 -0400
69680 +@@ -44,6 +44,11 @@
69681 + #include <linux/resource.h>
69682 + #include <linux/blkdev.h>
69683 + #include <linux/task_io_accounting_ops.h>
69684 ++#include <linux/grsecurity.h>
69685 ++
69686 ++#ifdef CONFIG_GRKERNSEC
69687 ++extern rwlock_t grsec_exec_file_lock;
69688 ++#endif
69689 +
69690 + #include <asm/uaccess.h>
69691 + #include <asm/unistd.h>
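Review bot: `extern rwlock_t grsec_exec_file_lock;` is declared in kernel/exit.c immediately after `<linux/grsecurity.h>` is included; the lock declaration should live in that header so exit and the exec path that takes the lock agree on its type from one place.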
69692 +@@ -122,6 +127,7 @@ static void __exit_signal(struct task_st
69693 +
69694 + __unhash_process(tsk);
69695 +
69696 ++ gr_del_task_from_ip_table(tsk);
69697 + tsk->signal = NULL;
69698 + tsk->sighand = NULL;
69699 + spin_unlock(&sighand->siglock);
69700 +@@ -273,12 +279,23 @@ static void reparent_to_kthreadd(void)
69701 + {
69702 + write_lock_irq(&tasklist_lock);
69703 +
69704 ++#ifdef CONFIG_GRKERNSEC
69705 ++ write_lock(&grsec_exec_file_lock);
69706 ++ if (current->exec_file) {
69707 ++ fput(current->exec_file);
69708 ++ current->exec_file = NULL;
69709 ++ }
69710 ++ write_unlock(&grsec_exec_file_lock);
69711 ++#endif
69712 ++
69713 + ptrace_unlink(current);
69714 + /* Reparent to init */
69715 + remove_parent(current);
69716 + current->real_parent = current->parent = kthreadd_task;
69717 + add_parent(current);
69718 +
69719 ++ gr_set_kernel_label(current);
69720 ++
69721 + /* Set the exit signal to SIGCHLD so we signal init on exit */
69722 + current->exit_signal = SIGCHLD;
69723 +
69724 +@@ -373,6 +390,17 @@ void daemonize(const char *name, ...)
69725 + vsnprintf(current->comm, sizeof(current->comm), name, args);
69726 + va_end(args);
69727 +
69728 ++#ifdef CONFIG_GRKERNSEC
69729 ++ write_lock(&grsec_exec_file_lock);
69730 ++ if (current->exec_file) {
69731 ++ fput(current->exec_file);
69732 ++ current->exec_file = NULL;
69733 ++ }
69734 ++ write_unlock(&grsec_exec_file_lock);
69735 ++#endif
69736 ++
69737 ++ gr_set_kernel_label(current);
69738 ++
69739 + /*
69740 + * If we were started as result of loading a module, close all of the
69741 + * user space pages. We don't need them, and if we didn't close them
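Review bot: the `write_lock(&grsec_exec_file_lock)` / `fput(current->exec_file)` / `write_unlock` block plus `gr_set_kernel_label(current)` now appears verbatim in both reparent_to_kthreadd and daemonize; factor it into one helper (say `gr_clear_exec_file(current)`, declared in grsecurity.h with an empty stub when CONFIG_GRKERNSEC is off), which also removes the `#ifdef` from both call sites. Also confirm fput() is safe at the reparent_to_kthreadd site: there it runs inside write_lock_irq(&tasklist_lock), and fput() can sleep when it drops the last reference to a file.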
69742 +@@ -990,6 +1018,9 @@ fastcall NORET_TYPE void do_exit(long co
69743 + tsk->exit_code = code;
69744 + taskstats_exit(tsk, group_dead);
69745 +
69746 ++ gr_acl_handle_psacct(tsk, code);
69747 ++ gr_acl_handle_exit();
69748 ++
69749 + exit_mm(tsk);
69750 +
69751 + if (group_dead)
69752 +@@ -1200,7 +1231,7 @@ static int wait_task_zombie(struct task_
69753 + pid_t pid = task_pid_nr_ns(p, ns);
69754 + uid_t uid = p->uid;
69755 + int exit_code = p->exit_code;
69756 +- int why, status;
69757 ++ int why;
69758 +
69759 + if (unlikely(p->exit_state != EXIT_ZOMBIE))
69760 + return 0;
69761 +diff -urNp linux-2.6.24.5/kernel/fork.c linux-2.6.24.5/kernel/fork.c
69762 +--- linux-2.6.24.5/kernel/fork.c 2008-03-24 14:49:18.000000000 -0400
69763 ++++ linux-2.6.24.5/kernel/fork.c 2008-03-26 20:21:09.000000000 -0400
69764 +@@ -51,6 +51,7 @@
69765 + #include <linux/random.h>
69766 + #include <linux/tty.h>
69767 + #include <linux/proc_fs.h>
69768 ++#include <linux/grsecurity.h>
69769 +
69770 + #include <asm/pgtable.h>
69771 + #include <asm/pgalloc.h>
69772 +@@ -180,7 +181,7 @@ static struct task_struct *dup_task_stru
69773 + }
69774 +
69775 + *tsk = *orig;
69776 +- tsk->stack = ti;
69777 ++ tsk->stack = (union thread_union *)ti;
69778 +
69779 + err = prop_local_init_single(&tsk->dirties);
69780 + if (err) {
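Review bot: `tsk->stack = (union thread_union *)ti;` implies `task_struct::stack` has been retyped to `union thread_union *` elsewhere in the patch; a cast at the single assignment site hides that the field and the allocation (`ti`) now disagree in type. If the field type really changed, either change the type of `ti` to match or add a one-line comment saying why the cast is correct.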
69781 +@@ -192,7 +193,7 @@ static struct task_struct *dup_task_stru
69782 + setup_thread_stack(tsk, orig);
69783 +
69784 + #ifdef CONFIG_CC_STACKPROTECTOR
69785 +- tsk->stack_canary = get_random_int();
69786 ++ tsk->stack_canary = pax_get_random_long();
69787 + #endif
69788 +
69789 + /* One for us, one for whoever does the "release_task()" (usually parent) */
69790 +@@ -224,8 +225,8 @@ static int dup_mmap(struct mm_struct *mm
69791 + mm->locked_vm = 0;
69792 + mm->mmap = NULL;
69793 + mm->mmap_cache = NULL;
69794 +- mm->free_area_cache = oldmm->mmap_base;
69795 +- mm->cached_hole_size = ~0UL;
69796 ++ mm->free_area_cache = oldmm->free_area_cache;
69797 ++ mm->cached_hole_size = oldmm->cached_hole_size;
69798 + mm->map_count = 0;
69799 + cpus_clear(mm->cpu_vm_mask);
69800 + mm->mm_rb = RB_ROOT;
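Review bot: `mm->free_area_cache = oldmm->free_area_cache; mm->cached_hole_size = oldmm->cached_hole_size;` changes dup_mmap behaviour for every fork, not only PaX-enabled tasks: the child now inherits the parent's allocation cache instead of restarting from `mmap_base` with an unknown hole size. Because the child's VMA list is rebuilt below, the cached values remain valid, but the hunk should state why this is wanted (keeping the child's mapping layout consistent with the parent's, presumably) so it is not reverted as an accidental behaviour change.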
69801 +@@ -262,6 +263,7 @@ static int dup_mmap(struct mm_struct *mm
69802 + tmp->vm_flags &= ~VM_LOCKED;
69803 + tmp->vm_mm = mm;
69804 + tmp->vm_next = NULL;
69805 ++ tmp->vm_mirror = NULL;
69806 + anon_vma_link(tmp);
69807 + file = tmp->vm_file;
69808 + if (file) {
69809 +@@ -298,6 +300,31 @@ static int dup_mmap(struct mm_struct *mm
69810 + if (retval)
69811 + goto out;
69812 + }
69813 ++
69814 ++#ifdef CONFIG_PAX_SEGMEXEC
69815 ++ if (oldmm->pax_flags & MF_PAX_SEGMEXEC) {
69816 ++ struct vm_area_struct *mpnt_m;
69817 ++
69818 ++ for (mpnt = oldmm->mmap, mpnt_m = mm->mmap; mpnt; mpnt = mpnt->vm_next, mpnt_m = mpnt_m->vm_next) {
69819 ++ BUG_ON(!mpnt_m || mpnt_m->vm_mirror || mpnt->vm_mm != oldmm || mpnt_m->vm_mm != mm);
69820 ++
69821 ++ if (!mpnt->vm_mirror)
69822 ++ continue;
69823 ++
69824 ++ if (mpnt->vm_end <= SEGMEXEC_TASK_SIZE) {
69825 ++ BUG_ON(mpnt->vm_mirror->vm_mirror != mpnt);
69826 ++ mpnt->vm_mirror = mpnt_m;
69827 ++ } else {
69828 ++ BUG_ON(mpnt->vm_mirror->vm_mirror == mpnt || mpnt->vm_mirror->vm_mirror->vm_mm != mm);
69829 ++ mpnt_m->vm_mirror = mpnt->vm_mirror->vm_mirror;
69830 ++ mpnt_m->vm_mirror->vm_mirror = mpnt_m;
69831 ++ mpnt->vm_mirror->vm_mirror = mpnt;
69832 ++ }
69833 ++ }
69834 ++ BUG_ON(mpnt_m);
69835 ++ }
69836 ++#endif
69837 ++
69838 + /* a new mm has just been created */
69839 + arch_dup_mmap(oldmm, mm);
69840 + retval = 0;
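Review bot: the CONFIG_PAX_SEGMEXEC mirror fix-up loop in dup_mmap walks the old and new VMA lists in lock step and relies on five BUG_ON()s to assert its invariants (equal list lengths, mirror pairs pointing at each other, each vma owned by the expected mm). Each BUG_ON should carry a one-line comment naming the invariant it checks, and since this runs on every fork of a SEGMEXEC task, consider whether WARN_ON plus `retval = -EINVAL; goto out;` is preferable to panicking the machine on a corrupt mirror link.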
69841 +@@ -475,7 +502,7 @@ void mm_release(struct task_struct *tsk,
69842 + if (tsk->clear_child_tid
69843 + && !(tsk->flags & PF_SIGNALED)
69844 + && atomic_read(&mm->mm_users) > 1) {
69845 +- u32 __user * tidptr = tsk->clear_child_tid;
69846 ++ pid_t __user * tidptr = tsk->clear_child_tid;
69847 + tsk->clear_child_tid = NULL;
69848 +
69849 + /*
69850 +@@ -483,7 +510,7 @@ void mm_release(struct task_struct *tsk,
69851 + * not set up a proper pointer then tough luck.
69852 + */
69853 + put_user(0, tidptr);
69854 +- sys_futex(tidptr, FUTEX_WAKE, 1, NULL, NULL, 0);
69855 ++ sys_futex((u32 __user *)tidptr, FUTEX_WAKE, 1, NULL, NULL, 0);
69856 + }
69857 + }
69858 +
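Review bot: the two mm_release hunks change `tidptr` from `u32 __user *` to `pid_t __user *` and then immediately cast it back to `u32 __user *` for sys_futex(); if the aim is a type-correct `put_user(0, tidptr)` against the declared type of `clear_child_tid`, say so in a comment, because read on their own the two changes look like churn. The bit pattern written is the same either way, so behaviour is unchanged.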
69859 +@@ -1015,6 +1042,9 @@ static struct task_struct *copy_process(
69860 + DEBUG_LOCKS_WARN_ON(!p->softirqs_enabled);
69861 + #endif
69862 + retval = -EAGAIN;
69863 ++
69864 ++ gr_learn_resource(p, RLIMIT_NPROC, atomic_read(&p->user->processes), 0);
69865 ++
69866 + if (atomic_read(&p->user->processes) >=
69867 + p->signal->rlim[RLIMIT_NPROC].rlim_cur) {
69868 + if (!capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE) &&
69869 +@@ -1169,6 +1199,8 @@ static struct task_struct *copy_process(
69870 + if (clone_flags & CLONE_THREAD)
69871 + p->tgid = current->tgid;
69872 +
69873 ++ gr_copy_label(p);
69874 ++
69875 + p->set_child_tid = (clone_flags & CLONE_CHILD_SETTID) ? child_tidptr : NULL;
69876 + /*
69877 + * Clear TID on mm_release()?
69878 +@@ -1356,6 +1388,8 @@ bad_fork_cleanup_count:
69879 + bad_fork_free:
69880 + free_task(p);
69881 + fork_out:
69882 ++ gr_log_forkfail(retval);
69883 ++
69884 + return ERR_PTR(retval);
69885 + }
69886 +
69887 +@@ -1437,6 +1471,8 @@ long do_fork(unsigned long clone_flags,
69888 + if (clone_flags & CLONE_PARENT_SETTID)
69889 + put_user(nr, parent_tidptr);
69890 +
69891 ++ gr_handle_brute_check();
69892 ++
69893 + if (clone_flags & CLONE_VFORK) {
69894 + p->vfork_done = &vfork;
69895 + init_completion(&vfork);
69896 +diff -urNp linux-2.6.24.5/kernel/futex.c linux-2.6.24.5/kernel/futex.c
69897 +--- linux-2.6.24.5/kernel/futex.c 2008-03-24 14:49:18.000000000 -0400
69898 ++++ linux-2.6.24.5/kernel/futex.c 2008-03-26 20:21:09.000000000 -0400
69899 +@@ -192,6 +192,11 @@ static int get_futex_key(u32 __user *uad
69900 + struct page *page;
69901 + int err;
69902 +
69903 ++#ifdef CONFIG_PAX_SEGMEXEC
69904 ++ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && address >= SEGMEXEC_TASK_SIZE)
69905 ++ return -EFAULT;
69906 ++#endif
69907 ++
69908 + /*
69909 + * The futex address must be "naturally" aligned.
69910 + */
69911 +@@ -218,8 +223,8 @@ static int get_futex_key(u32 __user *uad
69912 + * The futex is hashed differently depending on whether
69913 + * it's in a shared or private mapping. So check vma first.
69914 + */
69915 +- vma = find_extend_vma(mm, address);
69916 +- if (unlikely(!vma))
69917 ++ vma = find_vma(mm, address);
69918 ++ if (unlikely(!vma || address < vma->vm_start))
69919 + return -EFAULT;
69920 +
69921 + /*
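Review bot: replacing find_extend_vma() with find_vma() plus the `address < vma->vm_start` test means get_futex_key() no longer grows a VM_GROWSDOWN stack VMA to cover a futex just below it; such an address now returns -EFAULT where it previously succeeded. That is a defensible hardening choice (a futex word should already be mapped), but it is user-visible and belongs in the patch description together with the SEGMEXEC upper-bound check added in the hunk above.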
69922 +@@ -1962,7 +1967,7 @@ retry:
69923 + */
69924 + static inline int fetch_robust_entry(struct robust_list __user **entry,
69925 + struct robust_list __user * __user *head,
69926 +- int *pi)
69927 ++ unsigned int *pi)
69928 + {
69929 + unsigned long uentry;
69930 +
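Review bot: changing fetch_robust_entry's third parameter from `int *pi` to `unsigned int *pi` only compiles cleanly if every caller's variable changes too; none of those call sites is in this hunk, so make sure they are covered elsewhere in the patch, otherwise the build gains exactly the pointer-signedness warnings this change is meant to remove.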
69931 +diff -urNp linux-2.6.24.5/kernel/irq/handle.c linux-2.6.24.5/kernel/irq/handle.c
69932 +--- linux-2.6.24.5/kernel/irq/handle.c 2008-03-24 14:49:18.000000000 -0400
69933 ++++ linux-2.6.24.5/kernel/irq/handle.c 2008-03-26 20:21:09.000000000 -0400
69934 +@@ -55,7 +55,8 @@ struct irq_desc irq_desc[NR_IRQS] __cach
69935 + .depth = 1,
69936 + .lock = __SPIN_LOCK_UNLOCKED(irq_desc->lock),
69937 + #ifdef CONFIG_SMP
69938 +- .affinity = CPU_MASK_ALL
69939 ++ .affinity = CPU_MASK_ALL,
69940 ++ .cpu = 0,
69941 + #endif
69942 + }
69943 + };
69944 +diff -urNp linux-2.6.24.5/kernel/kallsyms.c linux-2.6.24.5/kernel/kallsyms.c
69945 +--- linux-2.6.24.5/kernel/kallsyms.c 2008-03-24 14:49:18.000000000 -0400
69946 ++++ linux-2.6.24.5/kernel/kallsyms.c 2008-03-26 20:21:09.000000000 -0400
69947 +@@ -70,6 +70,19 @@ static inline int is_kernel_text(unsigne
69948 +
69949 + static inline int is_kernel(unsigned long addr)
69950 + {
69951 ++
69952 ++#ifdef CONFIG_PAX_KERNEXEC
69953 ++
69954 ++#ifdef CONFIG_MODULES
69955 ++ if ((unsigned long)MODULES_VADDR <= ktla_ktva(addr) &&
69956 ++ ktla_ktva(addr) < (unsigned long)MODULES_END)
69957 ++ return 0;
69958 ++#endif
69959 ++
69960 ++ if (is_kernel_inittext(addr))
69961 ++ return 1;
69962 ++#endif
69963 ++
69964 + if (addr >= (unsigned long)_stext && addr <= (unsigned long)_end)
69965 + return 1;
69966 + return in_gate_area_no_task(addr);
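Review bot: in is_kernel() the KERNEXEC block rejects the module range (via ktla_ktva) and accepts init text before the normal `_stext`..`_end` test, but the hunk opens with two empty lines after `{` and another after `#ifdef`, which is not kernel style. The non-obvious part, why module addresses must be excluded here under KERNEXEC, deserves a comment; a reader cannot tell from the code whether they would otherwise be misclassified as core kernel text.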
69967 +@@ -378,7 +391,6 @@ static unsigned long get_ksymbol_core(st
69968 +
69969 + static void reset_iter(struct kallsym_iter *iter, loff_t new_pos)
69970 + {
69971 +- iter->name[0] = '\0';
69972 + iter->nameoff = get_symbol_offset(new_pos);
69973 + iter->pos = new_pos;
69974 + }
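Review bot: dropping `iter->name[0] = '\0'` from reset_iter() relies on the kzalloc() change in the next hunk to leave the buffer empty, but that zeroes the struct only once at open time; if reset_iter() is reached again after a symbol name has been filled in, `name` still holds the previous symbol. Either keep the clearing line or add a comment stating that the iterator is never reset after the first symbol is read.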
69975 +@@ -462,7 +474,7 @@ static int kallsyms_open(struct inode *i
69976 + struct kallsym_iter *iter;
69977 + int ret;
69978 +
69979 +- iter = kmalloc(sizeof(*iter), GFP_KERNEL);
69980 ++ iter = kzalloc(sizeof(*iter), GFP_KERNEL);
69981 + if (!iter)
69982 + return -ENOMEM;
69983 + reset_iter(iter, 0);
69984 +@@ -486,7 +498,15 @@ static int __init kallsyms_init(void)
69985 + {
69986 + struct proc_dir_entry *entry;
69987 +
69988 ++#ifdef CONFIG_GRKERNSEC_PROC_ADD
69989 ++#ifdef CONFIG_GRKERNSEC_PROC_USER
69990 ++ entry = create_proc_entry("kallsyms", S_IFREG | S_IRUSR, NULL);
69991 ++#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
69992 ++ entry = create_proc_entry("kallsyms", S_IFREG | S_IRUSR | S_IRGRP, NULL);
69993 ++#endif
69994 ++#else
69995 + entry = create_proc_entry("kallsyms", 0444, NULL);
69996 ++#endif
69997 + if (entry)
69998 + entry->proc_fops = &kallsyms_operations;
69999 + return 0;
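Review bot: same uninitialised-`entry` hazard as in kernel/configs.c: under CONFIG_GRKERNSEC_PROC_ADD with neither PROC_USER nor PROC_USERGROUP defined, `entry` is never assigned before `if (entry)`. Use `#if defined(...) / #elif defined(...) / #else / #endif` with the original `0444` create as the fallback. The two new variants also spell the mode as `S_IFREG | S_IRUSR` while the fallback uses a bare `0444`; one style per hunk reads better.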
70000 +diff -urNp linux-2.6.24.5/kernel/kmod.c linux-2.6.24.5/kernel/kmod.c
70001 +--- linux-2.6.24.5/kernel/kmod.c 2008-03-24 14:49:18.000000000 -0400
70002 ++++ linux-2.6.24.5/kernel/kmod.c 2008-03-26 20:21:09.000000000 -0400
70003 +@@ -107,7 +107,7 @@ int request_module(const char *fmt, ...)
70004 + return -ENOMEM;
70005 + }
70006 +
70007 +- ret = call_usermodehelper(modprobe_path, argv, envp, 1);
70008 ++ ret = call_usermodehelper(modprobe_path, argv, envp, UMH_WAIT_PROC);
70009 + atomic_dec(&kmod_concurrent);
70010 + return ret;
70011 + }
70012 +diff -urNp linux-2.6.24.5/kernel/kprobes.c linux-2.6.24.5/kernel/kprobes.c
70013 +--- linux-2.6.24.5/kernel/kprobes.c 2008-03-24 14:49:18.000000000 -0400
70014 ++++ linux-2.6.24.5/kernel/kprobes.c 2008-03-26 20:21:09.000000000 -0400
70015 +@@ -162,7 +162,7 @@ kprobe_opcode_t __kprobes *get_insn_slot
70016 + * kernel image and loaded module images reside. This is required
70017 + * so x86_64 can correctly handle the %rip-relative fixups.
70018 + */
70019 +- kip->insns = module_alloc(PAGE_SIZE);
70020 ++ kip->insns = module_alloc_exec(PAGE_SIZE);
70021 + if (!kip->insns) {
70022 + kfree(kip);
70023 + return NULL;
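Review bot: `module_alloc_exec()` / `module_free_exec()` are new arch-level entry points used here for kprobe instruction slots; every architecture with CONFIG_KPROBES must provide them (or a header fallback to module_alloc/module_free) or the build breaks on arches the patch does not touch. A comment above the call stating that the slot must be executable, which presumably plain module_alloc memory no longer is under KERNEXEC, would record why the split exists.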
70024 +@@ -194,7 +194,7 @@ static int __kprobes collect_one_slot(st
70025 + hlist_add_head(&kip->hlist,
70026 + &kprobe_insn_pages);
70027 + } else {
70028 +- module_free(NULL, kip->insns);
70029 ++ module_free_exec(NULL, kip->insns);
70030 + kfree(kip);
70031 + }
70032 + return 1;
70033 +diff -urNp linux-2.6.24.5/kernel/lockdep.c linux-2.6.24.5/kernel/lockdep.c
70034 +--- linux-2.6.24.5/kernel/lockdep.c 2008-03-24 14:49:18.000000000 -0400
70035 ++++ linux-2.6.24.5/kernel/lockdep.c 2008-03-26 20:21:16.000000000 -0400
70036 +@@ -598,6 +598,10 @@ static int static_obj(void *obj)
70037 + int i;
70038 + #endif
70039 +
70040 ++#ifdef CONFIG_PAX_KERNEXEC
70041 ++ start = (unsigned long )&_data;
70042 ++#endif
70043 ++
70044 + /*
70045 + * static variable?
70046 + */
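Review bot: stray space in the cast `(unsigned long )&_data`; write `(unsigned long)&_data`. The assignment also overrides whatever `start` was set to above the hunk unconditionally under CONFIG_PAX_KERNEXEC; if `start` is initialised a few lines earlier, that initialiser becomes dead under this config, and the two should be folded into one `#ifdef`/`#else` with a short comment on why the scan may begin at `_data`.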
70047 +diff -urNp linux-2.6.24.5/kernel/module.c linux-2.6.24.5/kernel/module.c
70048 +--- linux-2.6.24.5/kernel/module.c 2008-03-24 14:49:18.000000000 -0400
70049 ++++ linux-2.6.24.5/kernel/module.c 2008-03-26 20:21:09.000000000 -0400
70050 +@@ -45,6 +45,11 @@
70051 + #include <asm/uaccess.h>
70052 + #include <asm/semaphore.h>
70053 + #include <asm/cacheflush.h>
70054 ++
70055 ++#ifdef CONFIG_PAX_KERNEXEC
70056 ++#include <asm/desc.h>
70057 ++#endif
70058 ++
70059 + #include <linux/license.h>
70060 +
70061 + extern int module_sysfs_initialized;
70062 +@@ -69,6 +74,8 @@ static LIST_HEAD(modules);
70063 +
70064 + static BLOCKING_NOTIFIER_HEAD(module_notify_list);
70065 +
70066 ++extern int gr_check_modstop(void);
70067 ++
70068 + int register_module_notifier(struct notifier_block * nb)
70069 + {
70070 + return blocking_notifier_chain_register(&module_notify_list, nb);
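Review bot: `extern int gr_check_modstop(void);` is declared ad hoc in module.c instead of in a header; the other grsecurity hooks in this patch are pulled in via `#include <linux/grsecurity.h>` (see kernel/pid.c, kernel/printk.c, kernel/ptrace.c and others below). Move the prototype there so the two call sites in `sys_delete_module()` and `sys_init_module()` cannot drift from the definition.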
70071 +@@ -349,7 +356,7 @@ static void *percpu_modalloc(unsigned lo
70072 + unsigned int i;
70073 + void *ptr;
70074 +
70075 +- if (align > PAGE_SIZE) {
70076 ++ if (align-1 >= PAGE_SIZE) {
70077 + printk(KERN_WARNING "%s: per-cpu alignment %li > %li\n",
70078 + name, align, PAGE_SIZE);
70079 + align = PAGE_SIZE;
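Review bot: `align-1 >= PAGE_SIZE` differs from the old `align > PAGE_SIZE` only when `align == 0`, where the unsigned subtraction wraps and the clamp now triggers. That is a reasonable guard against a zero alignment, but it deserves a comment, and the warning text `per-cpu alignment %li > %li` will then print `0 > 4096`, which is misleading; consider a separate message for the zero case (and `%lu` for the `unsigned long` arguments).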
70080 +@@ -662,6 +669,9 @@ sys_delete_module(const char __user *nam
70081 + char name[MODULE_NAME_LEN];
70082 + int ret, forced = 0;
70083 +
70084 ++ if (gr_check_modstop())
70085 ++ return -EPERM;
70086 ++
70087 + if (!capable(CAP_SYS_MODULE))
70088 + return -EPERM;
70089 +
70090 +@@ -1310,16 +1320,19 @@ static void free_module(struct module *m
70091 + module_unload_free(mod);
70092 +
70093 + /* This may be NULL, but that's OK */
70094 +- module_free(mod, mod->module_init);
70095 ++ module_free(mod, mod->module_init_rw);
70096 ++ module_free_exec(mod, mod->module_init_rx);
70097 + kfree(mod->args);
70098 + if (mod->percpu)
70099 + percpu_modfree(mod->percpu);
70100 +
70101 + /* Free lock-classes: */
70102 +- lockdep_free_key_range(mod->module_core, mod->core_size);
70103 ++ lockdep_free_key_range(mod->module_core_rx, mod->core_size_rx);
70104 ++ lockdep_free_key_range(mod->module_core_rw, mod->core_size_rw);
70105 +
70106 + /* Finally, free the core (containing the module structure) */
70107 +- module_free(mod, mod->module_core);
70108 ++ module_free_exec(mod, mod->module_core_rx);
70109 ++ module_free(mod, mod->module_core_rw);
70110 + }
70111 +
70112 + void *__symbol_get(const char *symbol)
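Review bot: the comment `/* This may be NULL, but that's OK */` now also covers `module_free_exec(mod, mod->module_init_rx)`; make sure `module_free_exec()` tolerates a NULL pointer the way `module_free()` does, since `module_init_rx` is NULL for a module with no init text and is set to NULL again in `sys_init_module()` after init completes (further down in this patch).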
70113 +@@ -1380,10 +1393,14 @@ static int simplify_symbols(Elf_Shdr *se
70114 + struct module *mod)
70115 + {
70116 + Elf_Sym *sym = (void *)sechdrs[symindex].sh_addr;
70117 +- unsigned long secbase;
70118 ++ unsigned long secbase, symbol;
70119 + unsigned int i, n = sechdrs[symindex].sh_size / sizeof(Elf_Sym);
70120 + int ret = 0;
70121 +
70122 ++#ifdef CONFIG_PAX_KERNEXEC
70123 ++ unsigned long cr0;
70124 ++#endif
70125 ++
70126 + for (i = 1; i < n; i++) {
70127 + switch (sym[i].st_shndx) {
70128 + case SHN_COMMON:
70129 +@@ -1402,10 +1419,19 @@ static int simplify_symbols(Elf_Shdr *se
70130 + break;
70131 +
70132 + case SHN_UNDEF:
70133 +- sym[i].st_value
70134 +- = resolve_symbol(sechdrs, versindex,
70135 ++ symbol = resolve_symbol(sechdrs, versindex,
70136 + strtab + sym[i].st_name, mod);
70137 +
70138 ++#ifdef CONFIG_PAX_KERNEXEC
70139 ++ pax_open_kernel(cr0);
70140 ++#endif
70141 ++
70142 ++ sym[i].st_value = symbol;
70143 ++
70144 ++#ifdef CONFIG_PAX_KERNEXEC
70145 ++ pax_close_kernel(cr0);
70146 ++#endif
70147 ++
70148 + /* Ok if resolved. */
70149 + if (sym[i].st_value != 0)
70150 + break;
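Review bot: `pax_open_kernel(cr0)`/`pax_close_kernel(cr0)` are toggled around every single `st_value` store inside the symbol loop; the same per-write pattern is repeated in the `default:` case below and in `add_kallsyms()`. Unless the open window must be kept minimal for a reason, bracket the whole loop once and document it; otherwise add a comment explaining why the symbol table lives in the read-only (rx) image and therefore needs the window at all.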
70151 +@@ -1420,11 +1446,27 @@ static int simplify_symbols(Elf_Shdr *se
70152 +
70153 + default:
70154 + /* Divert to percpu allocation if a percpu var. */
70155 +- if (sym[i].st_shndx == pcpuindex)
70156 ++ if (sym[i].st_shndx == pcpuindex) {
70157 ++
70158 ++#if defined(CONFIG_X86_32) && defined(CONFIG_SMP)
70159 ++ secbase = (unsigned long)mod->percpu - (unsigned long)__per_cpu_start;
70160 ++#else
70161 + secbase = (unsigned long)mod->percpu;
70162 +- else
70163 ++#endif
70164 ++
70165 ++ } else
70166 + secbase = sechdrs[sym[i].st_shndx].sh_addr;
70167 ++
70168 ++#ifdef CONFIG_PAX_KERNEXEC
70169 ++ pax_open_kernel(cr0);
70170 ++#endif
70171 ++
70172 + sym[i].st_value += secbase;
70173 ++
70174 ++#ifdef CONFIG_PAX_KERNEXEC
70175 ++ pax_close_kernel(cr0);
70176 ++#endif
70177 ++
70178 + break;
70179 + }
70180 + }
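Review bot: the `#if defined(CONFIG_X86_32) && defined(CONFIG_SMP)` rebasing of `secbase` on `__per_cpu_start` is not tied to any PAX option, so it changes per-cpu symbol relocation for every x86-32 SMP build of this tree. It needs a comment stating why the offset is relative to `__per_cpu_start` here, and the `} else` followed by an unbraced statement should be made symmetric with the braced `if` for readability.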
70181 +@@ -1476,11 +1518,14 @@ static void layout_sections(struct modul
70182 + || strncmp(secstrings + s->sh_name,
70183 + ".init", 5) == 0)
70184 + continue;
70185 +- s->sh_entsize = get_offset(&mod->core_size, s);
70186 ++ if ((s->sh_flags & SHF_WRITE) || !(s->sh_flags & SHF_ALLOC))
70187 ++ s->sh_entsize = get_offset(&mod->core_size_rw, s);
70188 ++ else
70189 ++ s->sh_entsize = get_offset(&mod->core_size_rx, s);
70190 + DEBUGP("\t%s\n", secstrings + s->sh_name);
70191 + }
70192 + if (m == 0)
70193 +- mod->core_text_size = mod->core_size;
70194 ++ mod->core_size_rx = mod->core_size_rx;
70195 + }
70196 +
70197 + DEBUGP("Init section allocation order:\n");
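Review bot: `mod->core_size_rx = mod->core_size_rx;` is a self-assignment, so the replaced bookkeeping (`core_text_size` recorded after the text-only pass, `m == 0`) is simply lost. Either drop the `if (m == 0)` block entirely, or keep a distinct field if anything still needs the text/rodata boundary inside the rx image; `get_ksymbol()` and `__module_text_address()` further down now use `core_size_rx` in place of `core_text_size`, so confirm that is the intended semantics.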
70198 +@@ -1494,12 +1539,15 @@ static void layout_sections(struct modul
70199 + || strncmp(secstrings + s->sh_name,
70200 + ".init", 5) != 0)
70201 + continue;
70202 +- s->sh_entsize = (get_offset(&mod->init_size, s)
70203 +- | INIT_OFFSET_MASK);
70204 ++ if ((s->sh_flags & SHF_WRITE) || !(s->sh_flags & SHF_ALLOC))
70205 ++ s->sh_entsize = get_offset(&mod->init_size_rw, s);
70206 ++ else
70207 ++ s->sh_entsize = get_offset(&mod->init_size_rx, s);
70208 ++ s->sh_entsize |= INIT_OFFSET_MASK;
70209 + DEBUGP("\t%s\n", secstrings + s->sh_name);
70210 + }
70211 + if (m == 0)
70212 +- mod->init_text_size = mod->init_size;
70213 ++ mod->init_size_rx = mod->init_size_rx;
70214 + }
70215 + }
70216 +
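Review bot: same self-assignment here: `mod->init_size_rx = mod->init_size_rx;` is a no-op standing in for the old `init_text_size` update; remove the `if (m == 0)` block or give it a real target.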
70217 +@@ -1626,14 +1674,31 @@ static void add_kallsyms(struct module *
70218 + {
70219 + unsigned int i;
70220 +
70221 ++#ifdef CONFIG_PAX_KERNEXEC
70222 ++ unsigned long cr0;
70223 ++#endif
70224 ++
70225 + mod->symtab = (void *)sechdrs[symindex].sh_addr;
70226 + mod->num_symtab = sechdrs[symindex].sh_size / sizeof(Elf_Sym);
70227 + mod->strtab = (void *)sechdrs[strindex].sh_addr;
70228 +
70229 + /* Set types up while we still have access to sections. */
70230 +- for (i = 0; i < mod->num_symtab; i++)
70231 +- mod->symtab[i].st_info
70232 +- = elf_type(&mod->symtab[i], sechdrs, secstrings, mod);
70233 ++
70234 ++ for (i = 0; i < mod->num_symtab; i++) {
70235 ++ char type = elf_type(&mod->symtab[i], sechdrs, secstrings, mod);
70236 ++
70237 ++#ifdef CONFIG_PAX_KERNEXEC
70238 ++ pax_open_kernel(cr0);
70239 ++#endif
70240 ++
70241 ++ mod->symtab[i].st_info = type;
70242 ++
70243 ++#ifdef CONFIG_PAX_KERNEXEC
70244 ++ pax_close_kernel(cr0);
70245 ++#endif
70246 ++
70247 ++ }
70248 ++
70249 + }
70250 + #else
70251 + static inline void add_kallsyms(struct module *mod,
70252 +@@ -1683,6 +1748,10 @@ static struct module *load_module(void _
70253 + struct exception_table_entry *extable;
70254 + mm_segment_t old_fs;
70255 +
70256 ++#ifdef CONFIG_PAX_KERNEXEC
70257 ++ unsigned long cr0;
70258 ++#endif
70259 ++
70260 + DEBUGP("load_module: umod=%p, len=%lu, uargs=%p\n",
70261 + umod, len, uargs);
70262 + if (len < sizeof(*hdr))
70263 +@@ -1841,21 +1910,57 @@ static struct module *load_module(void _
70264 + layout_sections(mod, hdr, sechdrs, secstrings);
70265 +
70266 + /* Do the allocs. */
70267 +- ptr = module_alloc(mod->core_size);
70268 ++ ptr = module_alloc(mod->core_size_rw);
70269 + if (!ptr) {
70270 + err = -ENOMEM;
70271 + goto free_percpu;
70272 + }
70273 +- memset(ptr, 0, mod->core_size);
70274 +- mod->module_core = ptr;
70275 ++ memset(ptr, 0, mod->core_size_rw);
70276 ++ mod->module_core_rw = ptr;
70277 +
70278 +- ptr = module_alloc(mod->init_size);
70279 +- if (!ptr && mod->init_size) {
70280 ++ ptr = module_alloc(mod->init_size_rw);
70281 ++ if (!ptr && mod->init_size_rw) {
70282 ++ err = -ENOMEM;
70283 ++ goto free_core_rw;
70284 ++ }
70285 ++ memset(ptr, 0, mod->init_size_rw);
70286 ++ mod->module_init_rw = ptr;
70287 ++
70288 ++ ptr = module_alloc_exec(mod->core_size_rx);
70289 ++ if (!ptr) {
70290 + err = -ENOMEM;
70291 +- goto free_core;
70292 ++ goto free_init_rw;
70293 + }
70294 +- memset(ptr, 0, mod->init_size);
70295 +- mod->module_init = ptr;
70296 ++
70297 ++#ifdef CONFIG_PAX_KERNEXEC
70298 ++ pax_open_kernel(cr0);
70299 ++#endif
70300 ++
70301 ++ memset(ptr, 0, mod->core_size_rx);
70302 ++
70303 ++#ifdef CONFIG_PAX_KERNEXEC
70304 ++ pax_close_kernel(cr0);
70305 ++#endif
70306 ++
70307 ++ mod->module_core_rx = ptr;
70308 ++
70309 ++ ptr = module_alloc_exec(mod->init_size_rx);
70310 ++ if (!ptr && mod->init_size_rx) {
70311 ++ err = -ENOMEM;
70312 ++ goto free_core_rx;
70313 ++ }
70314 ++
70315 ++#ifdef CONFIG_PAX_KERNEXEC
70316 ++ pax_open_kernel(cr0);
70317 ++#endif
70318 ++
70319 ++ memset(ptr, 0, mod->init_size_rx);
70320 ++
70321 ++#ifdef CONFIG_PAX_KERNEXEC
70322 ++ pax_close_kernel(cr0);
70323 ++#endif
70324 ++
70325 ++ mod->module_init_rx = ptr;
70326 +
70327 + /* Transfer each section which specifies SHF_ALLOC */
70328 + DEBUGP("final section addresses:\n");
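Review bot: the `core_size_rx` allocation fails with -ENOMEM whenever `module_alloc_exec()` returns NULL, while the init allocations beside it tolerate NULL when the size is zero (`if (!ptr && mod->init_size_rx)`). A module whose allocated sections are all writable would in principle have `core_size_rx == 0`; either guard this allocation the same way or state why `core_size_rx` can never be zero. The `memset()` of the rx regions inside the `pax_open_kernel()` window is correct; the rw `memset(ptr, 0, mod->init_size_rw)` with a NULL `ptr` relies on the size being zero, as the original did.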
70329 +@@ -1865,17 +1970,41 @@ static struct module *load_module(void _
70330 + if (!(sechdrs[i].sh_flags & SHF_ALLOC))
70331 + continue;
70332 +
70333 +- if (sechdrs[i].sh_entsize & INIT_OFFSET_MASK)
70334 +- dest = mod->module_init
70335 +- + (sechdrs[i].sh_entsize & ~INIT_OFFSET_MASK);
70336 +- else
70337 +- dest = mod->module_core + sechdrs[i].sh_entsize;
70338 ++ if (sechdrs[i].sh_entsize & INIT_OFFSET_MASK) {
70339 ++ if ((sechdrs[i].sh_flags & SHF_WRITE) || !(sechdrs[i].sh_flags & SHF_ALLOC))
70340 ++ dest = mod->module_init_rw
70341 ++ + (sechdrs[i].sh_entsize & ~INIT_OFFSET_MASK);
70342 ++ else
70343 ++ dest = mod->module_init_rx
70344 ++ + (sechdrs[i].sh_entsize & ~INIT_OFFSET_MASK);
70345 ++ } else {
70346 ++ if ((sechdrs[i].sh_flags & SHF_WRITE) || !(sechdrs[i].sh_flags & SHF_ALLOC))
70347 ++ dest = mod->module_core_rw + sechdrs[i].sh_entsize;
70348 ++ else
70349 ++ dest = mod->module_core_rx + sechdrs[i].sh_entsize;
70350 ++ }
70351 +
70352 +- if (sechdrs[i].sh_type != SHT_NOBITS)
70353 +- memcpy(dest, (void *)sechdrs[i].sh_addr,
70354 +- sechdrs[i].sh_size);
70355 ++ if (sechdrs[i].sh_type != SHT_NOBITS) {
70356 ++
70357 ++#ifdef CONFIG_PAX_KERNEXEC
70358 ++ if (!(sechdrs[i].sh_flags & SHF_WRITE) && (sechdrs[i].sh_flags & SHF_ALLOC)) {
70359 ++ pax_open_kernel(cr0);
70360 ++ memcpy(dest, (void *)sechdrs[i].sh_addr, sechdrs[i].sh_size);
70361 ++ pax_close_kernel(cr0);
70362 ++ } else
70363 ++#endif
70364 ++
70365 ++ memcpy(dest, (void *)sechdrs[i].sh_addr, sechdrs[i].sh_size);
70366 ++ }
70367 + /* Update sh_addr to point to copy in image. */
70368 +- sechdrs[i].sh_addr = (unsigned long)dest;
70369 ++
70370 ++#ifdef CONFIG_PAX_KERNEXEC
70371 ++ if (sechdrs[i].sh_flags & SHF_EXECINSTR)
70372 ++ sechdrs[i].sh_addr = ktva_ktla((unsigned long)dest);
70373 ++ else
70374 ++#endif
70375 ++
70376 ++ sechdrs[i].sh_addr = (unsigned long)dest;
70377 + DEBUGP("\t0x%lx %s\n", sechdrs[i].sh_addr, secstrings + sechdrs[i].sh_name);
70378 + }
70379 + /* Module has been moved. */
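Review bot: inside this loop every section has already passed `if (!(sechdrs[i].sh_flags & SHF_ALLOC)) continue;` (top of the hunk), so the `|| !(sechdrs[i].sh_flags & SHF_ALLOC)` terms are always false and the `&& (sechdrs[i].sh_flags & SHF_ALLOC)` in the KERNEXEC branch is always true; both reduce to a plain `SHF_WRITE` test. The `#ifdef ... } else #endif memcpy(...)` construction is a dangling-else across a preprocessor boundary; an explicit `else { }` or a small helper would be less fragile. Lastly, only `SHF_EXECINSTR` sections get `ktva_ktla()` applied to `sh_addr`, while read-only data sections also live in the rx image; if that asymmetry is intended, say so in a comment.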
70380 +@@ -2009,12 +2138,12 @@ static struct module *load_module(void _
70381 + * Do it before processing of module parameters, so the module
70382 + * can provide parameter accessor functions of its own.
70383 + */
70384 +- if (mod->module_init)
70385 +- flush_icache_range((unsigned long)mod->module_init,
70386 +- (unsigned long)mod->module_init
70387 +- + mod->init_size);
70388 +- flush_icache_range((unsigned long)mod->module_core,
70389 +- (unsigned long)mod->module_core + mod->core_size);
70390 ++ if (mod->module_init_rx)
70391 ++ flush_icache_range((unsigned long)mod->module_init_rx,
70392 ++ (unsigned long)mod->module_init_rx
70393 ++ + mod->init_size_rx);
70394 ++ flush_icache_range((unsigned long)mod->module_core_rx,
70395 ++ (unsigned long)mod->module_core_rx + mod->core_size_rx);
70396 +
70397 + set_fs(old_fs);
70398 +
70399 +@@ -2058,9 +2187,13 @@ static struct module *load_module(void _
70400 + module_arch_cleanup(mod);
70401 + cleanup:
70402 + module_unload_free(mod);
70403 +- module_free(mod, mod->module_init);
70404 +- free_core:
70405 +- module_free(mod, mod->module_core);
70406 ++ module_free_exec(mod, mod->module_init_rx);
70407 ++ free_core_rx:
70408 ++ module_free_exec(mod, mod->module_core_rx);
70409 ++ free_init_rw:
70410 ++ module_free(mod, mod->module_init_rw);
70411 ++ free_core_rw:
70412 ++ module_free(mod, mod->module_core_rw);
70413 + free_percpu:
70414 + if (percpu)
70415 + percpu_modfree(percpu);
70416 +@@ -2096,6 +2229,9 @@ sys_init_module(void __user *umod,
70417 + struct module *mod;
70418 + int ret = 0;
70419 +
70420 ++ if (gr_check_modstop())
70421 ++ return -EPERM;
70422 ++
70423 + /* Must have permission */
70424 + if (!capable(CAP_SYS_MODULE))
70425 + return -EPERM;
70426 +@@ -2142,10 +2278,12 @@ sys_init_module(void __user *umod,
70427 + /* Drop initial reference. */
70428 + module_put(mod);
70429 + unwind_remove_table(mod->unwind_info, 1);
70430 +- module_free(mod, mod->module_init);
70431 +- mod->module_init = NULL;
70432 +- mod->init_size = 0;
70433 +- mod->init_text_size = 0;
70434 ++ module_free(mod, mod->module_init_rw);
70435 ++ module_free_exec(mod, mod->module_init_rx);
70436 ++ mod->module_init_rw = NULL;
70437 ++ mod->module_init_rx = NULL;
70438 ++ mod->init_size_rw = 0;
70439 ++ mod->init_size_rx = 0;
70440 + mutex_unlock(&module_mutex);
70441 +
70442 + return 0;
70443 +@@ -2153,6 +2291,13 @@ sys_init_module(void __user *umod,
70444 +
70445 + static inline int within(unsigned long addr, void *start, unsigned long size)
70446 + {
70447 ++
70448 ++#ifdef CONFIG_PAX_KERNEXEC
70449 ++ if (ktla_ktva(addr) >= (unsigned long)start &&
70450 ++ ktla_ktva(addr) < (unsigned long)start + size)
70451 ++ return 1;
70452 ++#endif
70453 ++
70454 + return ((void *)addr >= start && (void *)addr < start + size);
70455 + }
70456 +
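Review bot: the KERNEXEC branch accepts `addr` if its `ktla_ktva()` translation falls inside the range, and this `within()` is also used for the rw ranges (see `get_ksymbol()`, `module_address_lookup()` and `is_module_address()` below), where translating a data address is not meaningful. Consider a separate helper for the rx ranges, or apply the translation only when the range is an rx one, and add a comment on what the two address spaces are.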
70457 +@@ -2176,10 +2321,14 @@ static const char *get_ksymbol(struct mo
70458 + unsigned long nextval;
70459 +
70460 + /* At worse, next value is at end of module */
70461 +- if (within(addr, mod->module_init, mod->init_size))
70462 +- nextval = (unsigned long)mod->module_init+mod->init_text_size;
70463 ++ if (within(addr, mod->module_init_rx, mod->init_size_rx))
70464 ++ nextval = (unsigned long)mod->module_init_rx+mod->init_size_rx;
70465 ++ else if (within(addr, mod->module_init_rw, mod->init_size_rw))
70466 ++ nextval = (unsigned long)mod->module_init_rw+mod->init_size_rw;
70467 ++ else if (within(addr, mod->module_core_rx, mod->core_size_rx))
70468 ++ nextval = (unsigned long)mod->module_core_rx+mod->core_size_rx;
70469 + else
70470 +- nextval = (unsigned long)mod->module_core+mod->core_text_size;
70471 ++ nextval = (unsigned long)mod->module_core_rw+mod->core_size_rw;
70472 +
70473 + /* Scan for closest preceeding symbol, and next symbol. (ELF
70474 + starts real symbols at 1). */
70475 +@@ -2225,8 +2374,10 @@ const char *module_address_lookup(unsign
70476 +
70477 + preempt_disable();
70478 + list_for_each_entry(mod, &modules, list) {
70479 +- if (within(addr, mod->module_init, mod->init_size)
70480 +- || within(addr, mod->module_core, mod->core_size)) {
70481 ++ if (within(addr, mod->module_init_rx, mod->init_size_rx) ||
70482 ++ within(addr, mod->module_init_rw, mod->init_size_rw) ||
70483 ++ within(addr, mod->module_core_rx, mod->core_size_rx) ||
70484 ++ within(addr, mod->module_core_rw, mod->core_size_rw)) {
70485 + if (modname)
70486 + *modname = mod->name;
70487 + ret = get_ksymbol(mod, addr, size, offset);
70488 +@@ -2243,8 +2394,10 @@ int lookup_module_symbol_name(unsigned l
70489 +
70490 + preempt_disable();
70491 + list_for_each_entry(mod, &modules, list) {
70492 +- if (within(addr, mod->module_init, mod->init_size) ||
70493 +- within(addr, mod->module_core, mod->core_size)) {
70494 ++ if (within(addr, mod->module_init_rx, mod->init_size_rx) ||
70495 ++ within(addr, mod->module_init_rw, mod->init_size_rw) ||
70496 ++ within(addr, mod->module_core_rx, mod->core_size_rx) ||
70497 ++ within(addr, mod->module_core_rw, mod->core_size_rw)) {
70498 + const char *sym;
70499 +
70500 + sym = get_ksymbol(mod, addr, NULL, NULL);
70501 +@@ -2267,8 +2420,10 @@ int lookup_module_symbol_attrs(unsigned
70502 +
70503 + preempt_disable();
70504 + list_for_each_entry(mod, &modules, list) {
70505 +- if (within(addr, mod->module_init, mod->init_size) ||
70506 +- within(addr, mod->module_core, mod->core_size)) {
70507 ++ if (within(addr, mod->module_init_rx, mod->init_size_rx) ||
70508 ++ within(addr, mod->module_init_rw, mod->init_size_rw) ||
70509 ++ within(addr, mod->module_core_rx, mod->core_size_rx) ||
70510 ++ within(addr, mod->module_core_rw, mod->core_size_rw)) {
70511 + const char *sym;
70512 +
70513 + sym = get_ksymbol(mod, addr, size, offset);
70514 +@@ -2390,7 +2545,7 @@ static int m_show(struct seq_file *m, vo
70515 + char buf[8];
70516 +
70517 + seq_printf(m, "%s %lu",
70518 +- mod->name, mod->init_size + mod->core_size);
70519 ++ mod->name, mod->init_size_rx + mod->init_size_rw + mod->core_size_rx + mod->core_size_rw);
70520 + print_unload_info(m, mod);
70521 +
70522 + /* Informative for users. */
70523 +@@ -2399,7 +2554,7 @@ static int m_show(struct seq_file *m, vo
70524 + mod->state == MODULE_STATE_COMING ? "Loading":
70525 + "Live");
70526 + /* Used by oprofile and other similar tools. */
70527 +- seq_printf(m, " 0x%p", mod->module_core);
70528 ++ seq_printf(m, " 0x%p 0x%p", mod->module_core_rx, mod->module_core_rw);
70529 +
70530 + /* Taints info */
70531 + if (mod->taints)
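Review bot: `/proc/modules` now emits two addresses (`0x%p 0x%p`) where the stock kernel prints one; the context comment says this column is consumed by oprofile and similar tools, so the extra field is a user-visible format change that needs to be documented (the size field in the previous hunk now sums four regions as well). Tools that take the last whitespace-separated field will silently read the rw base instead of the text base.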
70532 +@@ -2455,7 +2610,8 @@ int is_module_address(unsigned long addr
70533 + preempt_disable();
70534 +
70535 + list_for_each_entry(mod, &modules, list) {
70536 +- if (within(addr, mod->module_core, mod->core_size)) {
70537 ++ if (within(addr, mod->module_core_rx, mod->core_size_rx) ||
70538 ++ within(addr, mod->module_core_rw, mod->core_size_rw)) {
70539 + preempt_enable();
70540 + return 1;
70541 + }
70542 +@@ -2473,8 +2629,8 @@ struct module *__module_text_address(uns
70543 + struct module *mod;
70544 +
70545 + list_for_each_entry(mod, &modules, list)
70546 +- if (within(addr, mod->module_init, mod->init_text_size)
70547 +- || within(addr, mod->module_core, mod->core_text_size))
70548 ++ if (within(addr, mod->module_init_rx, mod->init_size_rx)
70549 ++ || within(addr, mod->module_core_rx, mod->core_size_rx))
70550 + return mod;
70551 + return NULL;
70552 + }
70553 +diff -urNp linux-2.6.24.5/kernel/mutex.c linux-2.6.24.5/kernel/mutex.c
70554 +--- linux-2.6.24.5/kernel/mutex.c 2008-03-24 14:49:18.000000000 -0400
70555 ++++ linux-2.6.24.5/kernel/mutex.c 2008-03-26 20:21:09.000000000 -0400
70556 +@@ -82,7 +82,7 @@ __mutex_lock_slowpath(atomic_t *lock_cou
70557 + *
70558 + * This function is similar to (but not equivalent to) down().
70559 + */
70560 +-void inline fastcall __sched mutex_lock(struct mutex *lock)
70561 ++inline void fastcall __sched mutex_lock(struct mutex *lock)
70562 + {
70563 + might_sleep();
70564 + /*
70565 +diff -urNp linux-2.6.24.5/kernel/panic.c linux-2.6.24.5/kernel/panic.c
70566 +--- linux-2.6.24.5/kernel/panic.c 2008-03-24 14:49:18.000000000 -0400
70567 ++++ linux-2.6.24.5/kernel/panic.c 2008-03-26 20:21:09.000000000 -0400
70568 +@@ -20,6 +20,7 @@
70569 + #include <linux/kexec.h>
70570 + #include <linux/debug_locks.h>
70571 + #include <linux/random.h>
70572 ++#include <linux/kallsyms.h>
70573 +
70574 + int panic_on_oops;
70575 + int tainted;
70576 +@@ -299,6 +300,8 @@ void oops_exit(void)
70577 + */
70578 + void __stack_chk_fail(void)
70579 + {
70580 ++ print_symbol("stack corrupted in: %s\n", (unsigned long)__builtin_return_address(0));
70581 ++ dump_stack();
70582 + panic("stack-protector: Kernel stack is corrupted");
70583 + }
70584 + EXPORT_SYMBOL(__stack_chk_fail);
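Review bot: `print_symbol()` and `dump_stack()` are now run from `__stack_chk_fail()` on a stack that is already known to be corrupted, before the `panic()`. The attribution is useful for triage, but both calls can themselves fault if the frame is badly damaged; since the result is a panic either way this is acceptable, and a one-line comment saying so would stop the next reader from trying to "fix" it.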
70585 +diff -urNp linux-2.6.24.5/kernel/params.c linux-2.6.24.5/kernel/params.c
70586 +--- linux-2.6.24.5/kernel/params.c 2008-03-24 14:49:18.000000000 -0400
70587 ++++ linux-2.6.24.5/kernel/params.c 2008-03-26 20:21:09.000000000 -0400
70588 +@@ -272,7 +272,7 @@ static int param_array(const char *name,
70589 + unsigned int min, unsigned int max,
70590 + void *elem, int elemsize,
70591 + int (*set)(const char *, struct kernel_param *kp),
70592 +- int *num)
70593 ++ unsigned int *num)
70594 + {
70595 + int ret;
70596 + struct kernel_param kp;
70597 +diff -urNp linux-2.6.24.5/kernel/pid.c linux-2.6.24.5/kernel/pid.c
70598 +--- linux-2.6.24.5/kernel/pid.c 2008-03-24 14:49:18.000000000 -0400
70599 ++++ linux-2.6.24.5/kernel/pid.c 2008-03-26 20:21:09.000000000 -0400
70600 +@@ -35,6 +35,7 @@
70601 + #include <linux/pid_namespace.h>
70602 + #include <linux/init_task.h>
70603 + #include <linux/syscalls.h>
70604 ++#include <linux/grsecurity.h>
70605 +
70606 + #define pid_hashfn(nr, ns) \
70607 + hash_long((unsigned long)nr + (unsigned long)ns, pidhash_shift)
70608 +@@ -45,7 +46,7 @@ static struct kmem_cache *pid_ns_cachep;
70609 +
70610 + int pid_max = PID_MAX_DEFAULT;
70611 +
70612 +-#define RESERVED_PIDS 300
70613 ++#define RESERVED_PIDS 500
70614 +
70615 + int pid_max_min = RESERVED_PIDS + 1;
70616 + int pid_max_max = PID_MAX_LIMIT;
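Review bot: raising `RESERVED_PIDS` from 300 to 500 also raises `pid_max_min` (visible below as `RESERVED_PIDS + 1`), which is the lower bound accepted for the `pid_max` sysctl; that is a behavioural change independent of any config option and should be explained in a comment or in the patch description.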
70617 +@@ -375,7 +376,14 @@ struct task_struct * fastcall pid_task(s
70618 + struct task_struct *find_task_by_pid_type_ns(int type, int nr,
70619 + struct pid_namespace *ns)
70620 + {
70621 +- return pid_task(find_pid_ns(nr, ns), type);
70622 ++ struct task_struct *task;
70623 ++
70624 ++ task = pid_task(find_pid_ns(nr, ns), type);
70625 ++
70626 ++ if (gr_pid_is_chrooted(task))
70627 ++ return NULL;
70628 ++
70629 ++ return task;
70630 + }
70631 +
70632 + EXPORT_SYMBOL(find_task_by_pid_type_ns);
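Review bot: `pid_task()` can return NULL, and that NULL is now passed to `gr_pid_is_chrooted(task)` before `return task;`; either check `task` first or make sure `gr_pid_is_chrooted()` handles a NULL argument.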
70633 +diff -urNp linux-2.6.24.5/kernel/posix-cpu-timers.c linux-2.6.24.5/kernel/posix-cpu-timers.c
70634 +--- linux-2.6.24.5/kernel/posix-cpu-timers.c 2008-03-24 14:49:18.000000000 -0400
70635 ++++ linux-2.6.24.5/kernel/posix-cpu-timers.c 2008-03-26 20:21:09.000000000 -0400
70636 +@@ -6,6 +6,7 @@
70637 + #include <linux/posix-timers.h>
70638 + #include <asm/uaccess.h>
70639 + #include <linux/errno.h>
70640 ++#include <linux/grsecurity.h>
70641 +
70642 + static int check_clock(const clockid_t which_clock)
70643 + {
70644 +@@ -1144,6 +1145,7 @@ static void check_process_timers(struct
70645 + __group_send_sig_info(SIGKILL, SEND_SIG_PRIV, tsk);
70646 + return;
70647 + }
70648 ++ gr_learn_resource(tsk, RLIMIT_CPU, psecs, 1);
70649 + if (psecs >= sig->rlim[RLIMIT_CPU].rlim_cur) {
70650 + /*
70651 + * At the soft limit, send a SIGXCPU every second.
70652 +diff -urNp linux-2.6.24.5/kernel/power/poweroff.c linux-2.6.24.5/kernel/power/poweroff.c
70653 +--- linux-2.6.24.5/kernel/power/poweroff.c 2008-03-24 14:49:18.000000000 -0400
70654 ++++ linux-2.6.24.5/kernel/power/poweroff.c 2008-03-26 20:21:09.000000000 -0400
70655 +@@ -35,7 +35,7 @@ static struct sysrq_key_op sysrq_powerof
70656 + .enable_mask = SYSRQ_ENABLE_BOOT,
70657 + };
70658 +
70659 +-static int pm_sysrq_init(void)
70660 ++static int __init pm_sysrq_init(void)
70661 + {
70662 + register_sysrq_key('o', &sysrq_poweroff_op);
70663 + return 0;
70664 +diff -urNp linux-2.6.24.5/kernel/printk.c linux-2.6.24.5/kernel/printk.c
70665 +--- linux-2.6.24.5/kernel/printk.c 2008-03-24 14:49:18.000000000 -0400
70666 ++++ linux-2.6.24.5/kernel/printk.c 2008-03-26 20:21:09.000000000 -0400
70667 +@@ -33,6 +33,7 @@
70668 + #include <linux/bootmem.h>
70669 + #include <linux/syscalls.h>
70670 + #include <linux/jiffies.h>
70671 ++#include <linux/grsecurity.h>
70672 +
70673 + #include <asm/uaccess.h>
70674 +
70675 +@@ -293,6 +294,11 @@ int do_syslog(int type, char __user *buf
70676 + char c;
70677 + int error = 0;
70678 +
70679 ++#ifdef CONFIG_GRKERNSEC_DMESG
70680 ++ if (grsec_enable_dmesg && !capable(CAP_SYS_ADMIN))
70681 ++ return -EPERM;
70682 ++#endif
70683 ++
70684 + error = security_syslog(type);
70685 + if (error)
70686 + return error;
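Review bot: the CONFIG_GRKERNSEC_DMESG check runs before `security_syslog()` and returns -EPERM for every `type`, including the types that `cap_syslog()` normally lets unprivileged callers use (reading the ring buffer and querying its size); confirm this is intended and that the system logger in hardened profiles keeps CAP_SYS_ADMIN, otherwise enabling the dmesg restriction will also break log collection.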
70687 +diff -urNp linux-2.6.24.5/kernel/ptrace.c linux-2.6.24.5/kernel/ptrace.c
70688 +--- linux-2.6.24.5/kernel/ptrace.c 2008-03-24 14:49:18.000000000 -0400
70689 ++++ linux-2.6.24.5/kernel/ptrace.c 2008-03-26 20:21:09.000000000 -0400
70690 +@@ -20,6 +20,7 @@
70691 + #include <linux/signal.h>
70692 + #include <linux/audit.h>
70693 + #include <linux/pid_namespace.h>
70694 ++#include <linux/grsecurity.h>
70695 +
70696 + #include <asm/pgtable.h>
70697 + #include <asm/uaccess.h>
70698 +@@ -139,12 +140,12 @@ int __ptrace_may_attach(struct task_stru
70699 + (current->uid != task->uid) ||
70700 + (current->gid != task->egid) ||
70701 + (current->gid != task->sgid) ||
70702 +- (current->gid != task->gid)) && !capable(CAP_SYS_PTRACE))
70703 ++ (current->gid != task->gid)) && !capable_nolog(CAP_SYS_PTRACE))
70704 + return -EPERM;
70705 + smp_rmb();
70706 + if (task->mm)
70707 + dumpable = get_dumpable(task->mm);
70708 +- if (!dumpable && !capable(CAP_SYS_PTRACE))
70709 ++ if (!dumpable && !capable_nolog(CAP_SYS_PTRACE))
70710 + return -EPERM;
70711 +
70712 + return security_ptrace(current, task);
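Review bot: switching these three CAP_SYS_PTRACE checks from `capable()` to `capable_nolog()` removes them from the capability audit trail; from a detection standpoint that is only safe if the grsecurity ptrace logging (`gr_handle_ptrace()` in the `sys_ptrace()` hunk below) reports the same events. Please state in the patch description why the plain `capable()` log line was considered noise here.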
70713 +@@ -203,7 +204,7 @@ repeat:
70714 + /* Go */
70715 + task->ptrace |= PT_PTRACED | ((task->real_parent != current)
70716 + ? PT_ATTACHED : 0);
70717 +- if (capable(CAP_SYS_PTRACE))
70718 ++ if (capable_nolog(CAP_SYS_PTRACE))
70719 + task->ptrace |= PT_PTRACE_CAP;
70720 +
70721 + __ptrace_link(task, current);
70722 +@@ -494,6 +495,11 @@ asmlinkage long sys_ptrace(long request,
70723 + if (ret < 0)
70724 + goto out_put_task_struct;
70725 +
70726 ++ if (gr_handle_ptrace(child, request)) {
70727 ++ ret = -EPERM;
70728 ++ goto out_put_task_struct;
70729 ++ }
70730 ++
70731 + ret = arch_ptrace(child, request, addr, data);
70732 + if (ret < 0)
70733 + goto out_put_task_struct;
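Review bot: `gr_handle_ptrace(child, request)` is consulted only on the path that reaches `arch_ptrace()`; `PTRACE_ATTACH` and `PTRACE_TRACEME` are normally dispatched earlier in `sys_ptrace()` and never get here, so if the policy is meant to gate attaching (rather than individual requests on an existing tracee) it needs a hook in that earlier path as well.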
70734 +diff -urNp linux-2.6.24.5/kernel/rcupdate.c linux-2.6.24.5/kernel/rcupdate.c
70735 +--- linux-2.6.24.5/kernel/rcupdate.c 2008-03-24 14:49:18.000000000 -0400
70736 ++++ linux-2.6.24.5/kernel/rcupdate.c 2008-03-26 20:21:09.000000000 -0400
70737 +@@ -70,11 +70,11 @@ static struct rcu_ctrlblk rcu_bh_ctrlblk
70738 + .cpumask = CPU_MASK_NONE,
70739 + };
70740 +
70741 +-DEFINE_PER_CPU(struct rcu_data, rcu_data) = { 0L };
70742 +-DEFINE_PER_CPU(struct rcu_data, rcu_bh_data) = { 0L };
70743 ++DEFINE_PER_CPU(struct rcu_data, rcu_data);
70744 ++DEFINE_PER_CPU(struct rcu_data, rcu_bh_data);
70745 +
70746 + /* Fake initialization required by compiler */
70747 +-static DEFINE_PER_CPU(struct tasklet_struct, rcu_tasklet) = {NULL};
70748 ++static DEFINE_PER_CPU(struct tasklet_struct, rcu_tasklet);
70749 + static int blimit = 10;
70750 + static int qhimark = 10000;
70751 + static int qlowmark = 100;
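Review bot: the comment `/* Fake initialization required by compiler */` now describes nothing, since the `= {NULL}` initialiser it referred to has been removed along with the `= { 0L }` ones above; delete or reword the comment in the same hunk.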
70752 +diff -urNp linux-2.6.24.5/kernel/relay.c linux-2.6.24.5/kernel/relay.c
70753 +--- linux-2.6.24.5/kernel/relay.c 2008-03-24 14:49:18.000000000 -0400
70754 ++++ linux-2.6.24.5/kernel/relay.c 2008-03-26 20:21:09.000000000 -0400
70755 +@@ -1141,7 +1141,7 @@ static int subbuf_splice_actor(struct fi
70756 + return 0;
70757 +
70758 + ret = *nonpad_ret = splice_to_pipe(pipe, &spd);
70759 +- if (ret < 0 || ret < total_len)
70760 ++ if ((int)ret < 0 || ret < total_len)
70761 + return ret;
70762 +
70763 + if (read_start + ret == nonpad_end)
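Review bot: the `(int)ret < 0` cast implies `ret` is declared unsigned, so the old `ret < 0` was always false and the error return was never taken. Casting at the comparison hides that; the cleaner fix is to give `ret` a signed type matching the return value of `splice_to_pipe()` (ssize_t) and keep the comparison as written, since `(int)` would also truncate a 64-bit `size_t`.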
70764 +diff -urNp linux-2.6.24.5/kernel/resource.c linux-2.6.24.5/kernel/resource.c
70765 +--- linux-2.6.24.5/kernel/resource.c 2008-03-24 14:49:18.000000000 -0400
70766 ++++ linux-2.6.24.5/kernel/resource.c 2008-03-26 20:21:09.000000000 -0400
70767 +@@ -133,10 +133,27 @@ static int __init ioresources_init(void)
70768 + {
70769 + struct proc_dir_entry *entry;
70770 +
70771 ++#ifdef CONFIG_GRKERNSEC_PROC_ADD
70772 ++#ifdef CONFIG_GRKERNSEC_PROC_USER
70773 ++ entry = create_proc_entry("ioports", S_IRUSR, NULL);
70774 ++#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
70775 ++ entry = create_proc_entry("ioports", S_IRUSR | S_IRGRP, NULL);
70776 ++#endif
70777 ++#else
70778 + entry = create_proc_entry("ioports", 0, NULL);
70779 ++#endif
70780 + if (entry)
70781 + entry->proc_fops = &proc_ioports_operations;
70782 ++
70783 ++#ifdef CONFIG_GRKERNSEC_PROC_ADD
70784 ++#ifdef CONFIG_GRKERNSEC_PROC_USER
70785 ++ entry = create_proc_entry("iomem", S_IRUSR, NULL);
70786 ++#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
70787 ++ entry = create_proc_entry("iomem", S_IRUSR | S_IRGRP, NULL);
70788 ++#endif
70789 ++#else
70790 + entry = create_proc_entry("iomem", 0, NULL);
70791 ++#endif
70792 + if (entry)
70793 + entry->proc_fops = &proc_iomem_operations;
70794 + return 0;
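Review bot: same gap as the kallsyms entry earlier in this patch: with CONFIG_GRKERNSEC_PROC_ADD set and neither PROC_USER nor PROC_USERGROUP defined, `entry` is not assigned before `if (entry)` for both ioports and iomem; add an `#else` fallback or reference the Kconfig constraint that rules it out. The new modes here omit `S_IFREG` while the kallsyms hunk includes it; `create_proc_entry()` fills in `S_IFREG` when the type bits are zero, so both work, but one spelling would be easier to audit.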
70795 +diff -urNp linux-2.6.24.5/kernel/sched.c linux-2.6.24.5/kernel/sched.c
70796 +--- linux-2.6.24.5/kernel/sched.c 2008-04-17 20:05:17.000000000 -0400
70797 ++++ linux-2.6.24.5/kernel/sched.c 2008-04-17 20:05:01.000000000 -0400
70798 +@@ -63,6 +63,7 @@
70799 + #include <linux/reciprocal_div.h>
70800 + #include <linux/unistd.h>
70801 + #include <linux/pagemap.h>
70802 ++#include <linux/grsecurity.h>
70803 +
70804 + #include <asm/tlb.h>
70805 + #include <asm/irq_regs.h>
70806 +@@ -3662,7 +3663,7 @@ pick_next_task(struct rq *rq, struct tas
70807 + asmlinkage void __sched schedule(void)
70808 + {
70809 + struct task_struct *prev, *next;
70810 +- long *switch_count;
70811 ++ unsigned long *switch_count;
70812 + struct rq *rq;
70813 + int cpu;
70814 +
70815 +@@ -4198,7 +4199,8 @@ asmlinkage long sys_nice(int increment)
70816 + if (nice > 19)
70817 + nice = 19;
70818 +
70819 +- if (increment < 0 && !can_nice(current, nice))
70820 ++ if (increment < 0 && (!can_nice(current, nice) ||
70821 ++ gr_handle_chroot_nice()))
70822 + return -EPERM;
70823 +
70824 + retval = security_task_setnice(current, nice);
70825 +@@ -5439,7 +5441,7 @@ static struct ctl_table sd_ctl_dir[] = {
70826 + .procname = "sched_domain",
70827 + .mode = 0555,
70828 + },
70829 +- {0, },
70830 ++ { 0, NULL, NULL, 0, 0, NULL, NULL, NULL, NULL, NULL, NULL },
70831 + };
70832 +
70833 + static struct ctl_table sd_ctl_root[] = {
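Review bot: spelling the terminating sentinel as `{ 0, NULL, NULL, 0, 0, NULL, NULL, NULL, NULL, NULL, NULL }` hard-codes the number of members in `struct ctl_table`; if a field is added or reordered this silently stops matching, or the compiler warns about excess initialisers. `{ }` (or a designated `.ctl_name = 0`) expresses the same zeroed sentinel without that dependency; the same applies to the `sd_ctl_root` hunk that follows.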
70834 +@@ -5449,7 +5451,7 @@ static struct ctl_table sd_ctl_root[] =
70835 + .mode = 0555,
70836 + .child = sd_ctl_dir,
70837 + },
70838 +- {0, },
70839 ++ { 0, NULL, NULL, 0, 0, NULL, NULL, NULL, NULL, NULL, NULL },
70840 + };
70841 +
70842 + static struct ctl_table *sd_alloc_ctl_entry(int n)
70843 +diff -urNp linux-2.6.24.5/kernel/signal.c linux-2.6.24.5/kernel/signal.c
70844 +--- linux-2.6.24.5/kernel/signal.c 2008-03-24 14:49:18.000000000 -0400
70845 ++++ linux-2.6.24.5/kernel/signal.c 2008-03-26 20:21:09.000000000 -0400
70846 +@@ -25,6 +25,7 @@
70847 + #include <linux/capability.h>
70848 + #include <linux/freezer.h>
70849 + #include <linux/pid_namespace.h>
70850 ++#include <linux/grsecurity.h>
70851 + #include <linux/nsproxy.h>
70852 +
70853 + #include <asm/param.h>
70854 +@@ -540,7 +541,9 @@ static int check_kill_permission(int sig
70855 + && (current->euid ^ t->suid) && (current->euid ^ t->uid)
70856 + && (current->uid ^ t->suid) && (current->uid ^ t->uid)
70857 + && !capable(CAP_KILL))
70858 +- return error;
70859 ++ return error;
70860 ++ if (gr_handle_signal(t, sig))
70861 ++ return error;
70862 + }
70863 +
70864 + return security_task_kill(t, info, sig, 0);
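Review bot: the first `return error;` is changed only in indentation; whitespace-only churn should be left out of a functional patch. `gr_handle_signal(t, sig)` sits after the uid/CAP_KILL test, so it can only further restrict a kill that the standard checks already permit, which matches the hook's purpose; a comment stating that ordering intent would help.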
70865 +@@ -757,7 +760,7 @@ static int __init setup_print_fatal_sign
70866 +
70867 + __setup("print-fatal-signals=", setup_print_fatal_signals);
70868 +
70869 +-static int
70870 ++int
70871 + specific_send_sig_info(int sig, struct siginfo *info, struct task_struct *t)
70872 + {
70873 + int ret = 0;
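Review bot: dropping `static` from `specific_send_sig_info()` makes it visible kernel-wide for the new grsecurity caller, but no prototype is added to a header in this hunk; without one, other callers rely on an implicit declaration and `-Wmissing-prototypes` will flag the definition. Add the declaration to the header where the new caller lives (for example `<linux/grsecurity.h>`, which this patch already includes in several files).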
70874 +@@ -811,8 +814,12 @@ force_sig_info(int sig, struct siginfo *
70875 + }
70876 + }
70877 + ret = specific_send_sig_info(sig, info, t);
70878 ++
70879 + spin_unlock_irqrestore(&t->sighand->siglock, flags);
70880 +
70881 ++ gr_log_signal(sig, t);
70882 ++ gr_handle_crash(t, sig);
70883 ++
70884 + return ret;
70885 + }
70886 +
70887 +diff -urNp linux-2.6.24.5/kernel/softirq.c linux-2.6.24.5/kernel/softirq.c
70888 +--- linux-2.6.24.5/kernel/softirq.c 2008-03-24 14:49:18.000000000 -0400
70889 ++++ linux-2.6.24.5/kernel/softirq.c 2008-03-26 20:21:09.000000000 -0400
70890 +@@ -467,9 +467,9 @@ void tasklet_kill(struct tasklet_struct
70891 + printk("Attempt to kill tasklet from interrupt\n");
70892 +
70893 + while (test_and_set_bit(TASKLET_STATE_SCHED, &t->state)) {
70894 +- do
70895 ++ do {
70896 + yield();
70897 +- while (test_bit(TASKLET_STATE_SCHED, &t->state));
70898 ++ } while (test_bit(TASKLET_STATE_SCHED, &t->state));
70899 + }
70900 + tasklet_unlock_wait(t);
70901 + clear_bit(TASKLET_STATE_SCHED, &t->state);
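Review bot: the brace change in tasklet_kill's do/while is purely cosmetic and unrelated to any grsecurity or PaX feature; carrying warning-silencing cleanups like this one (and the matching do_each_thread braces in kernel/sys.c) inside the security patch inflates every rebase. Split them into a separate cleanup patch or send them upstream.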
70902 +diff -urNp linux-2.6.24.5/kernel/sys.c linux-2.6.24.5/kernel/sys.c
70903 +--- linux-2.6.24.5/kernel/sys.c 2008-03-24 14:49:18.000000000 -0400
70904 ++++ linux-2.6.24.5/kernel/sys.c 2008-04-17 20:47:54.000000000 -0400
70905 +@@ -33,6 +33,7 @@
70906 + #include <linux/task_io_accounting_ops.h>
70907 + #include <linux/seccomp.h>
70908 + #include <linux/cpu.h>
70909 ++#include <linux/grsecurity.h>
70910 +
70911 + #include <linux/compat.h>
70912 + #include <linux/syscalls.h>
70913 +@@ -119,6 +120,12 @@ static int set_one_prio(struct task_stru
70914 + error = -EACCES;
70915 + goto out;
70916 + }
70917 ++
70918 ++ if (gr_handle_chroot_setpriority(p, niceval)) {
70919 ++ error = -EACCES;
70920 ++ goto out;
70921 ++ }
70922 ++
70923 + no_nice = security_task_setnice(p, niceval);
70924 + if (no_nice) {
70925 + error = no_nice;
70926 +@@ -175,10 +182,10 @@ asmlinkage long sys_setpriority(int whic
70927 + if ((who != current->uid) && !(user = find_user(who)))
70928 + goto out_unlock; /* No processes for this user */
70929 +
70930 +- do_each_thread(g, p)
70931 ++ do_each_thread(g, p) {
70932 + if (p->uid == who)
70933 + error = set_one_prio(p, niceval, error);
70934 +- while_each_thread(g, p);
70935 ++ } while_each_thread(g, p);
70936 + if (who != current->uid)
70937 + free_uid(user); /* For find_user() */
70938 + break;
70939 +@@ -237,13 +244,13 @@ asmlinkage long sys_getpriority(int whic
70940 + if ((who != current->uid) && !(user = find_user(who)))
70941 + goto out_unlock; /* No processes for this user */
70942 +
70943 +- do_each_thread(g, p)
70944 ++ do_each_thread(g, p) {
70945 + if (p->uid == who) {
70946 + niceval = 20 - task_nice(p);
70947 + if (niceval > retval)
70948 + retval = niceval;
70949 + }
70950 +- while_each_thread(g, p);
70951 ++ } while_each_thread(g, p);
70952 + if (who != current->uid)
70953 + free_uid(user); /* for find_user() */
70954 + break;
70955 +@@ -508,6 +515,10 @@ asmlinkage long sys_setregid(gid_t rgid,
70956 + else
70957 + return -EPERM;
70958 + }
70959 ++
70960 ++ if (gr_check_group_change(new_rgid, new_egid, -1))
70961 ++ return -EPERM;
70962 ++
70963 + if (new_egid != old_egid) {
70964 + set_dumpable(current->mm, suid_dumpable);
70965 + smp_wmb();
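Review bot: gr_check_group_change(new_rgid, new_egid, -1) passes -1 in the third slot, yet the next hunk shows `current->fsgid = new_egid;`, so the check is told the fs gid is unchanged while the syscall does change it. sys_setgid passes the gid in all three slots and sys_setfsgid passes it in the third, so the slot is evidently meaningful; either pass new_egid here too or add a comment that fs ids are derived from the effective id and need no separate check.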
70966 +@@ -515,6 +526,9 @@ asmlinkage long sys_setregid(gid_t rgid,
70967 + if (rgid != (gid_t) -1 ||
70968 + (egid != (gid_t) -1 && egid != old_rgid))
70969 + current->sgid = new_egid;
70970 ++
70971 ++ gr_set_role_label(current, current->uid, new_rgid);
70972 ++
70973 + current->fsgid = new_egid;
70974 + current->egid = new_egid;
70975 + current->gid = new_rgid;
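Review bot: gr_set_role_label(current, current->uid, new_rgid) is invoked on every successful setregid, including calls that leave rgid at -1 and only change the effective gid (the `if (rgid != (gid_t) -1 || ...)` just above shows that case is reachable), whereas the sys_setresgid hunk below guards the same call with `if (rgid != (gid_t) -1)`. Pick one behaviour for both, preferably the guarded one, so the role label is recomputed only when the real gid actually changes.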
70976 +@@ -537,11 +551,17 @@ asmlinkage long sys_setgid(gid_t gid)
70977 + if (retval)
70978 + return retval;
70979 +
70980 ++ if (gr_check_group_change(gid, gid, gid))
70981 ++ return -EPERM;
70982 ++
70983 + if (capable(CAP_SETGID)) {
70984 + if (old_egid != gid) {
70985 + set_dumpable(current->mm, suid_dumpable);
70986 + smp_wmb();
70987 + }
70988 ++
70989 ++ gr_set_role_label(current, current->uid, gid);
70990 ++
70991 + current->gid = current->egid = current->sgid = current->fsgid = gid;
70992 + } else if ((gid == current->gid) || (gid == current->sgid)) {
70993 + if (old_egid != gid) {
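Review bot: gr_check_group_change(gid, gid, gid) is placed before the capable(CAP_SETGID) test and so covers both branches, but gr_set_role_label is added only to the CAP_SETGID branch; the `else if ((gid == current->gid) || (gid == current->sgid))` branch that follows changes the effective gid without relabelling. That is correct only if role labels are keyed on the real gid alone; a one-line comment stating that would make the asymmetry look deliberate rather than forgotten.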
70994 +@@ -579,6 +599,9 @@ static int set_user(uid_t new_ruid, int
70995 + set_dumpable(current->mm, suid_dumpable);
70996 + smp_wmb();
70997 + }
70998 ++
70999 ++ gr_set_role_label(current, new_ruid, current->gid);
71000 ++
71001 + current->uid = new_ruid;
71002 + return 0;
71003 + }
71004 +@@ -628,6 +651,9 @@ asmlinkage long sys_setreuid(uid_t ruid,
71005 + return -EPERM;
71006 + }
71007 +
71008 ++ if (gr_check_user_change(new_ruid, new_euid, -1))
71009 ++ return -EPERM;
71010 ++
71011 + if (new_ruid != old_ruid && set_user(new_ruid, new_euid != old_euid) < 0)
71012 + return -EAGAIN;
71013 +
71014 +@@ -674,6 +700,12 @@ asmlinkage long sys_setuid(uid_t uid)
71015 + old_suid = current->suid;
71016 + new_suid = old_suid;
71017 +
71018 ++ if (gr_check_crash_uid(uid))
71019 ++ return -EPERM;
71020 ++
71021 ++ if (gr_check_user_change(uid, uid, uid))
71022 ++ return -EPERM;
71023 ++
71024 + if (capable(CAP_SETUID)) {
71025 + if (uid != old_ruid && set_user(uid, old_euid != uid) < 0)
71026 + return -EAGAIN;
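Review bot: gr_check_crash_uid(uid) appears only here in sys_setuid; the sys_setreuid, sys_setresuid and sys_setfsuid hunks below change the same credential fields through gr_check_user_change with no crash-uid check. If the crash ban is meant to block switching to a banned uid by any route, the check belongs in those paths too (or inside gr_check_user_change); if sys_setuid is deliberately the only guarded entry point, say why in a comment.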
71027 +@@ -721,6 +753,10 @@ asmlinkage long sys_setresuid(uid_t ruid
71028 + (suid != current->euid) && (suid != current->suid))
71029 + return -EPERM;
71030 + }
71031 ++
71032 ++ if (gr_check_user_change(ruid, euid, -1))
71033 ++ return -EPERM;
71034 ++
71035 + if (ruid != (uid_t) -1) {
71036 + if (ruid != current->uid && set_user(ruid, euid != current->euid) < 0)
71037 + return -EAGAIN;
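Review bot: gr_check_user_change(ruid, euid, -1) never sees `suid`, so a setresuid(-1, -1, X) call that changes only the saved uid is not subject to the grsecurity check at all, even though the EPERM block immediately above validates suid. Either pass the three values the caller supplied (the function already treats -1 as "unchanged", given the (-1, -1, uid) form used in sys_setfsuid) or document that the saved uid is intentionally out of scope.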
71038 +@@ -775,6 +811,10 @@ asmlinkage long sys_setresgid(gid_t rgid
71039 + (sgid != current->egid) && (sgid != current->sgid))
71040 + return -EPERM;
71041 + }
71042 ++
71043 ++ if (gr_check_group_change(rgid, egid, -1))
71044 ++ return -EPERM;
71045 ++
71046 + if (egid != (gid_t) -1) {
71047 + if (egid != current->egid) {
71048 + set_dumpable(current->mm, suid_dumpable);
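Review bot: same gap as in sys_setresuid: gr_check_group_change(rgid, egid, -1) drops `sgid`, so setresgid(-1, -1, X) bypasses the check while the EPERM block above does validate sgid, and the next hunk sets `current->fsgid = current->egid;` although -1 was passed for the fs slot. Pass sgid (and egid for the fs slot) through, or document the omissions.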
71049 +@@ -783,8 +823,10 @@ asmlinkage long sys_setresgid(gid_t rgid
71050 + current->egid = egid;
71051 + }
71052 + current->fsgid = current->egid;
71053 +- if (rgid != (gid_t) -1)
71054 ++ if (rgid != (gid_t) -1) {
71055 ++ gr_set_role_label(current, current->uid, rgid);
71056 + current->gid = rgid;
71057 ++ }
71058 + if (sgid != (gid_t) -1)
71059 + current->sgid = sgid;
71060 +
71061 +@@ -819,6 +861,9 @@ asmlinkage long sys_setfsuid(uid_t uid)
71062 + if (security_task_setuid(uid, (uid_t)-1, (uid_t)-1, LSM_SETID_FS))
71063 + return old_fsuid;
71064 +
71065 ++ if (gr_check_user_change(-1, -1, uid))
71066 ++ return old_fsuid;
71067 ++
71068 + if (uid == current->uid || uid == current->euid ||
71069 + uid == current->suid || uid == current->fsuid ||
71070 + capable(CAP_SETUID)) {
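Review bot: gr_check_user_change(-1, -1, uid) is placed before the ownership/capability test (`uid == current->uid || ... capable(CAP_SETUID)`), so it runs, and may log or deny, for callers the kernel would reject anyway, whereas the sys_setfsgid hunk below puts the equivalent gr_check_group_change inside the branch that has already passed that test. Use the same placement in both; the setfsgid ordering avoids spurious entries in the grsecurity log.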
71071 +@@ -851,6 +896,9 @@ asmlinkage long sys_setfsgid(gid_t gid)
71072 + if (gid == current->gid || gid == current->egid ||
71073 + gid == current->sgid || gid == current->fsgid ||
71074 + capable(CAP_SETGID)) {
71075 ++ if (gr_check_group_change(-1, -1, gid))
71076 ++ return old_fsgid;
71077 ++
71078 + if (gid != old_fsgid) {
71079 + set_dumpable(current->mm, suid_dumpable);
71080 + smp_wmb();
71081 +@@ -934,7 +982,10 @@ asmlinkage long sys_setpgid(pid_t pid, p
71082 + write_lock_irq(&tasklist_lock);
71083 +
71084 + err = -ESRCH;
71085 +- p = find_task_by_pid_ns(pid, ns);
71086 ++ /* grsec: replaced find_task_by_pid_ns with equivalent call which
71087 ++ lacks the chroot restriction
71088 ++ */
71089 ++ p = pid_task(find_pid_ns(pid, ns), PIDTYPE_PID);
71090 + if (!p)
71091 + goto out;
71092 +
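Review bot: the comment says pid_task(find_pid_ns(pid, ns), PIDTYPE_PID) is find_task_by_pid_ns minus the chroot restriction, but it does not say why sys_setpgid needs to bypass a restriction the rest of the patch adds; a reader sees a security check being removed. State the reason (which callers or targets make the restriction unnecessary here) and use the kernel's multi-line comment layout. The same applies to the PGID lookup in the next hunk.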
71093 +@@ -962,7 +1013,10 @@ asmlinkage long sys_setpgid(pid_t pid, p
71094 + if (pgid != pid) {
71095 + struct task_struct *g;
71096 +
71097 +- g = find_task_by_pid_type_ns(PIDTYPE_PGID, pgid, ns);
71098 ++ /* grsec: replaced find_task_by_pid_type_ns with equivalent
71099 ++ call which lacks the chroot restriction
71100 ++ */
71101 ++ g = pid_task(find_pid_ns(pgid, ns), PIDTYPE_PGID);
71102 + if (!g || task_session(g) != task_session(group_leader))
71103 + goto out;
71104 + }
71105 +@@ -1662,7 +1716,7 @@ asmlinkage long sys_prctl(int option, un
71106 + error = get_dumpable(current->mm);
71107 + break;
71108 + case PR_SET_DUMPABLE:
71109 +- if (arg2 < 0 || arg2 > 1) {
71110 ++ if (arg2 > 1) {
71111 + error = -EINVAL;
71112 + break;
71113 + }
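Review bot: removing `arg2 < 0` is behaviour-preserving because arg2 is unsigned long and that comparison was always false, so this is a compiler-warning cleanup; it has nothing to do with the security changes in kernel/sys.c and should travel with the other cosmetic fixes rather than inside the grsecurity hunks.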
71114 +diff -urNp linux-2.6.24.5/kernel/sysctl.c linux-2.6.24.5/kernel/sysctl.c
71115 +--- linux-2.6.24.5/kernel/sysctl.c 2008-03-24 14:49:18.000000000 -0400
71116 ++++ linux-2.6.24.5/kernel/sysctl.c 2008-03-26 20:21:09.000000000 -0400
71117 +@@ -58,6 +58,13 @@
71118 + static int deprecated_sysctl_warning(struct __sysctl_args *args);
71119 +
71120 + #if defined(CONFIG_SYSCTL)
71121 ++#include <linux/grsecurity.h>
71122 ++#include <linux/grinternal.h>
71123 ++
71124 ++extern __u32 gr_handle_sysctl(const ctl_table *table, const int op);
71125 ++extern int gr_handle_sysctl_mod(const char *dirname, const char *name,
71126 ++ const int op);
71127 ++extern int gr_handle_chroot_sysctl(const int op);
71128 +
71129 + /* External variables not in a header file. */
71130 + extern int C_A_D;
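Review bot: the three `extern` prototypes for gr_handle_sysctl, gr_handle_sysctl_mod and gr_handle_chroot_sysctl are written into sysctl.c immediately after including linux/grsecurity.h and linux/grinternal.h; if those headers already declare them the lines are redundant, and if they do not, the declarations belong in the header so the definitions in grsecurity/ and this caller cannot drift apart. Note also that gr_handle_sysctl is declared to return __u32 while sysctl_perm below stores its result in `int error` and returns it as an errno; make the return type int.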
71131 +@@ -154,10 +161,11 @@ static int proc_do_cad_pid(struct ctl_ta
71132 + static int proc_dointvec_taint(struct ctl_table *table, int write, struct file *filp,
71133 + void __user *buffer, size_t *lenp, loff_t *ppos);
71134 + #endif
71135 ++extern ctl_table grsecurity_table[];
71136 +
71137 + static struct ctl_table root_table[];
71138 + static struct ctl_table_header root_table_header =
71139 +- { root_table, LIST_HEAD_INIT(root_table_header.ctl_entry) };
71140 ++ { root_table, LIST_HEAD_INIT(root_table_header.ctl_entry), 0, NULL };
71141 +
71142 + static struct ctl_table kern_table[];
71143 + static struct ctl_table vm_table[];
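Review bot: the root_table_header initializer is extended positionally (`..., 0, NULL }`), which ties this line to the field order of struct ctl_table_header; use designated initializers so the intent is visible and the line survives struct changes. `extern ctl_table grsecurity_table[];` is also unconditional while its only use below sits under `CONFIG_GRKERNSEC_SYSCTL || CONFIG_GRKERNSEC_MODSTOP`; harmless for an extern, but wrapping it in the same #if keeps the two in step.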
71144 +@@ -173,6 +181,21 @@ extern struct ctl_table inotify_table[];
71145 + int sysctl_legacy_va_layout;
71146 + #endif
71147 +
71148 ++#ifdef CONFIG_PAX_SOFTMODE
71149 ++static ctl_table pax_table[] = {
71150 ++ {
71151 ++ .ctl_name = CTL_UNNUMBERED,
71152 ++ .procname = "softmode",
71153 ++ .data = &pax_softmode,
71154 ++ .maxlen = sizeof(unsigned int),
71155 ++ .mode = 0600,
71156 ++ .proc_handler = &proc_dointvec,
71157 ++ },
71158 ++
71159 ++ { .ctl_name = 0 }
71160 ++};
71161 ++#endif
71162 ++
71163 + extern int prove_locking;
71164 + extern int lock_stat;
71165 +
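Review bot: the `softmode` entry uses proc_dointvec with no extra1/extra2 bounds, so a privileged writer can store any integer in pax_softmode even though it is a boolean switch; use proc_dointvec_minmax with extra1 = 0 and extra2 = 1 (the kernel's standard pattern for on/off sysctls) so that only 0 and 1 are accepted. Mode 0600 on the file plus 0500 on the `pax` directory in the next hunk makes it root-only, which is right.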
71166 +@@ -217,6 +240,16 @@ static struct ctl_table root_table[] = {
71167 + .mode = 0555,
71168 + .child = dev_table,
71169 + },
71170 ++
71171 ++#ifdef CONFIG_PAX_SOFTMODE
71172 ++ {
71173 ++ .ctl_name = CTL_UNNUMBERED,
71174 ++ .procname = "pax",
71175 ++ .mode = 0500,
71176 ++ .child = pax_table,
71177 ++ },
71178 ++#endif
71179 ++
71180 + /*
71181 + * NOTE: do not add new entries to this table unless you have read
71182 + * Documentation/sysctl/ctl_unnumbered.txt
71183 +@@ -775,6 +808,14 @@ static struct ctl_table kern_table[] = {
71184 + .proc_handler = &proc_dostring,
71185 + .strategy = &sysctl_string,
71186 + },
71187 ++#if defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_MODSTOP)
71188 ++ {
71189 ++ .ctl_name = CTL_UNNUMBERED,
71190 ++ .procname = "grsecurity",
71191 ++ .mode = 0500,
71192 ++ .child = grsecurity_table,
71193 ++ },
71194 ++#endif
71195 + /*
71196 + * NOTE: do not add new entries to this table unless you have read
71197 + * Documentation/sysctl/ctl_unnumbered.txt
71198 +@@ -1394,6 +1435,25 @@ static int test_perm(int mode, int op)
71199 + int sysctl_perm(struct ctl_table *table, int op)
71200 + {
71201 + int error;
71202 ++ if (table->parent != NULL && table->parent->procname != NULL &&
71203 ++ table->procname != NULL &&
71204 ++ gr_handle_sysctl_mod(table->parent->procname, table->procname, op))
71205 ++ return -EACCES;
71206 ++ if (gr_handle_chroot_sysctl(op))
71207 ++ return -EACCES;
71208 ++ error = gr_handle_sysctl(table, op);
71209 ++ if (error)
71210 ++ return error;
71211 ++ error = security_sysctl(table, op);
71212 ++ if (error)
71213 ++ return error;
71214 ++ return test_perm(table->mode, op);
71215 ++}
71216 ++
71217 ++int sysctl_perm_nochk(ctl_table *table, int op)
71218 ++{
71219 ++ int error;
71220 ++
71221 + error = security_sysctl(table, op);
71222 + if (error)
71223 + return error;
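Review bot: sysctl_perm_nochk duplicates the tail of sysctl_perm (security_sysctl followed by test_perm); have sysctl_perm end with `return sysctl_perm_nochk(table, op);` so the two cannot diverge. sysctl_perm_nochk is also a new non-static function with no prototype in this hunk, and its parameter is spelled `ctl_table *` while the function above uses `struct ctl_table *`; declare it in the header and keep one spelling. Finally, the parent-name test only fires when both procnames are non-NULL, so entries that have a ctl_name but no procname silently skip gr_handle_sysctl_mod; say so in a comment if that is intended.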
71224 +@@ -1418,13 +1478,14 @@ repeat:
71225 + if (n == table->ctl_name) {
71226 + int error;
71227 + if (table->child) {
71228 +- if (sysctl_perm(table, 001))
71229 ++ if (sysctl_perm_nochk(table, 001))
71230 + return -EPERM;
71231 + name++;
71232 + nlen--;
71233 + table = table->child;
71234 + goto repeat;
71235 + }
71236 ++
71237 + error = do_sysctl_strategy(table, name, nlen,
71238 + oldval, oldlenp,
71239 + newval, newlen);
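Review bot: switching the directory-traversal check in the binary sysctl(2) path to sysctl_perm_nochk means gr_handle_sysctl, gr_handle_sysctl_mod and gr_handle_chroot_sysctl are not consulted for intermediate nodes and only run on the leaf via the later do_sysctl_strategy call. That may be exactly what is wanted (walking a directory is not a modification), but nothing in the hunk explains it; add a comment at the call site, and drop the stray blank `+` line.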
71240 +diff -urNp linux-2.6.24.5/kernel/time.c linux-2.6.24.5/kernel/time.c
71241 +--- linux-2.6.24.5/kernel/time.c 2008-03-24 14:49:18.000000000 -0400
71242 ++++ linux-2.6.24.5/kernel/time.c 2008-03-26 20:21:09.000000000 -0400
71243 +@@ -35,6 +35,7 @@
71244 + #include <linux/syscalls.h>
71245 + #include <linux/security.h>
71246 + #include <linux/fs.h>
71247 ++#include <linux/grsecurity.h>
71248 +
71249 + #include <asm/uaccess.h>
71250 + #include <asm/unistd.h>
71251 +@@ -88,6 +89,9 @@ asmlinkage long sys_stime(time_t __user
71252 + return err;
71253 +
71254 + do_settimeofday(&tv);
71255 ++
71256 ++ gr_log_timechange();
71257 ++
71258 + return 0;
71259 + }
71260 +
71261 +@@ -194,6 +198,8 @@ asmlinkage long sys_settimeofday(struct
71262 + return -EFAULT;
71263 + }
71264 +
71265 ++ gr_log_timechange();
71266 ++
71267 + return do_sys_settimeofday(tv ? &new_ts : NULL, tz ? &new_tz : NULL);
71268 + }
71269 +
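Review bot: gr_log_timechange() is called before do_sys_settimeofday() and the return value of that call is never inspected, so a request that fails inside do_sys_settimeofday (for example for lack of CAP_SYS_TIME) is still logged as a time change. The sys_stime hunk above logs only after do_settimeofday has run; do the same here: capture the return value, log when it is zero, then return it.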
71270 +@@ -232,7 +238,7 @@ EXPORT_SYMBOL(current_fs_time);
71271 + * Avoid unnecessary multiplications/divisions in the
71272 + * two most common HZ cases:
71273 + */
71274 +-unsigned int inline jiffies_to_msecs(const unsigned long j)
71275 ++inline unsigned int jiffies_to_msecs(const unsigned long j)
71276 + {
71277 + #if HZ <= MSEC_PER_SEC && !(MSEC_PER_SEC % HZ)
71278 + return (MSEC_PER_SEC / HZ) * j;
71279 +@@ -244,7 +250,7 @@ unsigned int inline jiffies_to_msecs(con
71280 + }
71281 + EXPORT_SYMBOL(jiffies_to_msecs);
71282 +
71283 +-unsigned int inline jiffies_to_usecs(const unsigned long j)
71284 ++inline unsigned int jiffies_to_usecs(const unsigned long j)
71285 + {
71286 + #if HZ <= USEC_PER_SEC && !(USEC_PER_SEC % HZ)
71287 + return (USEC_PER_SEC / HZ) * j;
71288 +diff -urNp linux-2.6.24.5/kernel/utsname_sysctl.c linux-2.6.24.5/kernel/utsname_sysctl.c
71289 +--- linux-2.6.24.5/kernel/utsname_sysctl.c 2008-03-24 14:49:18.000000000 -0400
71290 ++++ linux-2.6.24.5/kernel/utsname_sysctl.c 2008-03-26 20:21:09.000000000 -0400
71291 +@@ -125,7 +125,7 @@ static struct ctl_table uts_kern_table[]
71292 + .proc_handler = proc_do_uts_string,
71293 + .strategy = sysctl_uts_string,
71294 + },
71295 +- {}
71296 ++ { 0, NULL, NULL, 0, 0, NULL, NULL, NULL, NULL, NULL, NULL }
71297 + };
71298 +
71299 + static struct ctl_table uts_root_table[] = {
71300 +@@ -135,7 +135,7 @@ static struct ctl_table uts_root_table[]
71301 + .mode = 0555,
71302 + .child = uts_kern_table,
71303 + },
71304 +- {}
71305 ++ { 0, NULL, NULL, 0, 0, NULL, NULL, NULL, NULL, NULL, NULL }
71306 + };
71307 +
71308 + static int __init utsname_sysctl_init(void)
71309 +diff -urNp linux-2.6.24.5/lib/radix-tree.c linux-2.6.24.5/lib/radix-tree.c
71310 +--- linux-2.6.24.5/lib/radix-tree.c 2008-03-24 14:49:18.000000000 -0400
71311 ++++ linux-2.6.24.5/lib/radix-tree.c 2008-03-26 20:21:09.000000000 -0400
71312 +@@ -81,7 +81,7 @@ struct radix_tree_preload {
71313 + int nr;
71314 + struct radix_tree_node *nodes[RADIX_TREE_MAX_PATH];
71315 + };
71316 +-DEFINE_PER_CPU(struct radix_tree_preload, radix_tree_preloads) = { 0, };
71317 ++DEFINE_PER_CPU(struct radix_tree_preload, radix_tree_preloads) = { 0, {NULL} };
71318 +
71319 + static inline gfp_t root_gfp_mask(struct radix_tree_root *root)
71320 + {
71321 +diff -urNp linux-2.6.24.5/localversion-grsec linux-2.6.24.5/localversion-grsec
71322 +--- linux-2.6.24.5/localversion-grsec 1969-12-31 19:00:00.000000000 -0500
71323 ++++ linux-2.6.24.5/localversion-grsec 2008-03-26 20:21:09.000000000 -0400
71324 +@@ -0,0 +1 @@
71325 ++-grsec
71326 +diff -urNp linux-2.6.24.5/Makefile linux-2.6.24.5/Makefile
71327 +--- linux-2.6.24.5/Makefile 2008-04-17 20:05:17.000000000 -0400
71328 ++++ linux-2.6.24.5/Makefile 2008-04-17 20:05:00.000000000 -0400
71329 +@@ -214,7 +214,7 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH"
71330 +
71331 + HOSTCC = gcc
71332 + HOSTCXX = g++
71333 +-HOSTCFLAGS = -Wall -Wstrict-prototypes -O2 -fomit-frame-pointer
71334 ++HOSTCFLAGS = -Wall -W -Wno-unused -Wno-sign-compare -Wstrict-prototypes -O2 -fomit-frame-pointer
71335 + HOSTCXXFLAGS = -O2
71336 +
71337 + # Decide whether to build built-in, modular, or both.
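Review bot: `-W -Wno-unused -Wno-sign-compare` is added to HOSTCFLAGS, which governs only the host tools under scripts/, not the kernel objects; the initializer, brace and `inline` reorderings elsewhere in this patch therefore silence nothing this flag change enables unless KBUILD_CFLAGS receives the same flags in a hunk not shown here. State which build the flag is meant to affect, and if the kernel-side cleanups are driven by a different flag, mention it in the patch description.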
71338 +@@ -507,6 +507,9 @@ else
71339 + KBUILD_CFLAGS += -O2
71340 + endif
71341 +
71342 ++# Force gcc to behave correct even for buggy distributions
71343 ++KBUILD_CFLAGS += $(call cc-option, -fno-stack-protector)
71344 ++
71345 + include $(srctree)/arch/$(SRCARCH)/Makefile
71346 +
71347 + ifdef CONFIG_FRAME_POINTER
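Review bot: moving `KBUILD_CFLAGS += $(call cc-option, -fno-stack-protector)` above `include $(srctree)/arch/$(SRCARCH)/Makefile` inverts the precedence: flags the arch Makefile appends now come later on the command line and override -fno-stack-protector, where before the top-level flag won. That is a real behavioural change for any arch that adds -fstack-protector, and the carried-over comment "Force gcc to behave correct even for buggy distributions" no longer explains the placement. Update the comment to say why the flag must precede the arch include.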
71348 +@@ -520,9 +523,6 @@ KBUILD_CFLAGS += -g
71349 + KBUILD_AFLAGS += -gdwarf-2
71350 + endif
71351 +
71352 +-# Force gcc to behave correct even for buggy distributions
71353 +-KBUILD_CFLAGS += $(call cc-option, -fno-stack-protector)
71354 +-
71355 + # arch Makefile may override CC so keep this after arch Makefile is included
71356 + NOSTDINC_FLAGS += -nostdinc -isystem $(shell $(CC) -print-file-name=include)
71357 + CHECKFLAGS += $(NOSTDINC_FLAGS)
71358 +@@ -597,7 +597,7 @@ export mod_strip_cmd
71359 +
71360 +
71361 + ifeq ($(KBUILD_EXTMOD),)
71362 +-core-y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/
71363 ++core-y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/ grsecurity/
71364 +
71365 + vmlinux-dirs := $(patsubst %/,%,$(filter %/, $(init-y) $(init-m) \
71366 + $(core-y) $(core-m) $(drivers-y) $(drivers-m) \
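Review bot: `grsecurity/` is appended to core-y unconditionally, so the directory is descended on every in-tree build regardless of CONFIG_GRKERNSEC; that matches how security/ is handled, but it means grsecurity/Makefile must reduce to an empty object list when every option is off. Please confirm the directory's Makefile handles the all-off configuration.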
71367 +diff -urNp linux-2.6.24.5/mm/filemap.c linux-2.6.24.5/mm/filemap.c
71368 +--- linux-2.6.24.5/mm/filemap.c 2008-03-24 14:49:18.000000000 -0400
71369 ++++ linux-2.6.24.5/mm/filemap.c 2008-03-26 20:21:09.000000000 -0400
71370 +@@ -33,6 +33,7 @@
71371 + #include <linux/syscalls.h>
71372 + #include <linux/cpuset.h>
71373 + #include <linux/hardirq.h> /* for BUG_ON(!in_atomic()) only */
71374 ++#include <linux/grsecurity.h>
71375 + #include "internal.h"
71376 +
71377 + /*
71378 +@@ -1461,7 +1462,7 @@ int generic_file_mmap(struct file * file
71379 + struct address_space *mapping = file->f_mapping;
71380 +
71381 + if (!mapping->a_ops->readpage)
71382 +- return -ENOEXEC;
71383 ++ return -ENODEV;
71384 + file_accessed(file);
71385 + vma->vm_ops = &generic_file_vm_ops;
71386 + vma->vm_flags |= VM_CAN_NONLINEAR;
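Review bot: changing the no-readpage error from -ENOEXEC to -ENODEV is a visible ABI change for mmap(2) callers; ENODEV is the errno POSIX specifies for a file whose filesystem does not support mapping, so the new value is arguably the correct one, but it is unrelated to grsecurity or PaX and can break userspace that tested for ENOEXEC. Note it in the patch description or send it upstream on its own.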
71387 +@@ -1810,6 +1811,7 @@ inline int generic_write_checks(struct f
71388 + *pos = i_size_read(inode);
71389 +
71390 + if (limit != RLIM_INFINITY) {
71391 ++ gr_learn_resource(current, RLIMIT_FSIZE,*pos, 0);
71392 + if (*pos >= limit) {
71393 + send_sig(SIGXFSZ, current, 0);
71394 + return -EFBIG;
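Review bot: gr_learn_resource(current, RLIMIT_FSIZE, *pos, 0) sits inside `if (limit != RLIM_INFINITY)`, so nothing is learned for a process whose file-size limit is currently unlimited, which is the common case a learning run is meant to profile; the vmtruncate hunk in mm/memory.c calls gr_learn_resource before its RLIM_INFINITY test. Move this call above the `if` to match. The fourth argument also differs between the two sites (0 here, 1 in vmtruncate) with no comment on its meaning; document it at one of them.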
71395 +diff -urNp linux-2.6.24.5/mm/fremap.c linux-2.6.24.5/mm/fremap.c
71396 +--- linux-2.6.24.5/mm/fremap.c 2008-03-24 14:49:18.000000000 -0400
71397 ++++ linux-2.6.24.5/mm/fremap.c 2008-03-26 20:21:09.000000000 -0400
71398 +@@ -150,6 +150,13 @@ asmlinkage long sys_remap_file_pages(uns
71399 + retry:
71400 + vma = find_vma(mm, start);
71401 +
71402 ++#ifdef CONFIG_PAX_SEGMEXEC
71403 ++ if (vma && (mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_flags & VM_MAYEXEC)) {
71404 ++ up_read(&mm->mmap_sem);
71405 ++ return err;
71406 ++ }
71407 ++#endif
71408 ++
71409 + /*
71410 + * Make sure the vma is shared, that it supports prefaulting,
71411 + * and that the remapped range is valid and fully within
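Review bot: the new SEGMEXEC branch returns `err` without assigning it, so the errno userspace receives depends on the initial value set at the top of sys_remap_file_pages, outside this hunk; set it explicitly in the branch (`err = -EINVAL;` or whatever is intended). The branch also runs before the existing vma validation below it, so a vma returned by find_vma that does not actually cover `start` can trigger the rejection; harmless as a deny, but worth a line in the comment that accompanies the `#ifdef`.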
71412 +diff -urNp linux-2.6.24.5/mm/hugetlb.c linux-2.6.24.5/mm/hugetlb.c
71413 +--- linux-2.6.24.5/mm/hugetlb.c 2008-03-24 14:49:18.000000000 -0400
71414 ++++ linux-2.6.24.5/mm/hugetlb.c 2008-03-26 20:21:09.000000000 -0400
71415 +@@ -797,6 +797,26 @@ void unmap_hugepage_range(struct vm_area
71416 + }
71417 + }
71418 +
71419 ++#ifdef CONFIG_PAX_SEGMEXEC
71420 ++static void pax_mirror_huge_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m)
71421 ++{
71422 ++ struct mm_struct *mm = vma->vm_mm;
71423 ++ struct vm_area_struct *vma_m;
71424 ++ unsigned long address_m;
71425 ++ pte_t *ptep_m;
71426 ++
71427 ++ vma_m = pax_find_mirror_vma(vma);
71428 ++ if (!vma_m)
71429 ++ return;
71430 ++
71431 ++ BUG_ON(address >= SEGMEXEC_TASK_SIZE);
71432 ++ address_m = address + SEGMEXEC_TASK_SIZE;
71433 ++ ptep_m = huge_pte_offset(mm, address_m & HPAGE_MASK);
71434 ++ get_page(page_m);
71435 ++ set_huge_pte_at(mm, address_m, ptep_m, make_huge_pte(vma_m, page_m, 0));
71436 ++}
71437 ++#endif
71438 ++
71439 + static int hugetlb_cow(struct mm_struct *mm, struct vm_area_struct *vma,
71440 + unsigned long address, pte_t *ptep, pte_t pte)
71441 + {
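Review bot: pax_mirror_huge_pte passes the result of huge_pte_offset(mm, address_m & HPAGE_MASK) straight to set_huge_pte_at; if the mirror's page table has not been allocated that pointer is NULL and this oopses. The hugetlb_fault hunk below pre-allocates with huge_pte_alloc(mm, address_m), which is what makes this safe, but the dependency is invisible here: add `BUG_ON(!ptep_m)` (or a comment pointing at the allocation in hugetlb_fault) so the invariant is checked where it is relied upon.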
71442 +@@ -830,6 +850,11 @@ static int hugetlb_cow(struct mm_struct
71443 + /* Break COW */
71444 + set_huge_pte_at(mm, address, ptep,
71445 + make_huge_pte(vma, new_page, 1));
71446 ++
71447 ++#ifdef CONFIG_PAX_SEGMEXEC
71448 ++ pax_mirror_huge_pte(vma, address, new_page);
71449 ++#endif
71450 ++
71451 + /* Make the old page be freed below */
71452 + new_page = old_page;
71453 + }
71454 +@@ -901,6 +926,10 @@ retry:
71455 + && (vma->vm_flags & VM_SHARED)));
71456 + set_huge_pte_at(mm, address, ptep, new_pte);
71457 +
71458 ++#ifdef CONFIG_PAX_SEGMEXEC
71459 ++ pax_mirror_huge_pte(vma, address, page);
71460 ++#endif
71461 ++
71462 + if (write_access && !(vma->vm_flags & VM_SHARED)) {
71463 + /* Optimization, do the COW without a second fault */
71464 + ret = hugetlb_cow(mm, vma, address, ptep, new_pte);
71465 +@@ -926,6 +955,27 @@ int hugetlb_fault(struct mm_struct *mm,
71466 + int ret;
71467 + static DEFINE_MUTEX(hugetlb_instantiation_mutex);
71468 +
71469 ++#ifdef CONFIG_PAX_SEGMEXEC
71470 ++ struct vm_area_struct *vma_m;
71471 ++
71472 ++ vma_m = pax_find_mirror_vma(vma);
71473 ++ if (vma_m) {
71474 ++ unsigned long address_m;
71475 ++
71476 ++ if (vma->vm_start > vma_m->vm_start) {
71477 ++ address_m = address;
71478 ++ address -= SEGMEXEC_TASK_SIZE;
71479 ++ vma = vma_m;
71480 ++ } else
71481 ++ address_m = address + SEGMEXEC_TASK_SIZE;
71482 ++
71483 ++ if (!huge_pte_alloc(mm, address_m))
71484 ++ return VM_FAULT_OOM;
71485 ++ address_m &= HPAGE_MASK;
71486 ++ unmap_hugepage_range(vma, address_m, address_m + HPAGE_SIZE);
71487 ++ }
71488 ++#endif
71489 ++
71490 + ptep = huge_pte_alloc(mm, address);
71491 + if (!ptep)
71492 + return VM_FAULT_OOM;
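Review bot: after the vma/address swap, `unmap_hugepage_range(vma, address_m, address_m + HPAGE_SIZE)` is called with the lower vma but the mirror's address range; that only works because unmap_hugepage_range uses the vma for its mm and file lock rather than for range checks, a subtle dependency worth a comment. The unmap also happens on every fault, read or write, so the mirror's huge page is torn down and rebuilt even when the lower PTE is unchanged; if that is intentional (keeping the two sides in lockstep) say so, otherwise limit it to the paths that actually replace the page.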
71493 +diff -urNp linux-2.6.24.5/mm/madvise.c linux-2.6.24.5/mm/madvise.c
71494 +--- linux-2.6.24.5/mm/madvise.c 2008-03-24 14:49:18.000000000 -0400
71495 ++++ linux-2.6.24.5/mm/madvise.c 2008-03-26 20:21:09.000000000 -0400
71496 +@@ -43,6 +43,10 @@ static long madvise_behavior(struct vm_a
71497 + pgoff_t pgoff;
71498 + int new_flags = vma->vm_flags;
71499 +
71500 ++#ifdef CONFIG_PAX_SEGMEXEC
71501 ++ struct vm_area_struct *vma_m;
71502 ++#endif
71503 ++
71504 + switch (behavior) {
71505 + case MADV_NORMAL:
71506 + new_flags = new_flags & ~VM_RAND_READ & ~VM_SEQ_READ;
71507 +@@ -92,6 +96,13 @@ success:
71508 + /*
71509 + * vm_flags is protected by the mmap_sem held in write mode.
71510 + */
71511 ++
71512 ++#ifdef CONFIG_PAX_SEGMEXEC
71513 ++ vma_m = pax_find_mirror_vma(vma);
71514 ++ if (vma_m)
71515 ++ vma_m->vm_flags = new_flags & ~(VM_WRITE | VM_MAYWRITE | VM_ACCOUNT);
71516 ++#endif
71517 ++
71518 + vma->vm_flags = new_flags;
71519 +
71520 + out:
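Review bot: the mirror receives `new_flags & ~(VM_WRITE | VM_MAYWRITE | VM_ACCOUNT)`; stripping the write bits is the SEGMEXEC contract, but clearing VM_ACCOUNT has a different reason (the mirror must not be charged a second time against the commit limit) and deserves its own comment so nobody later "fixes" it by removing it from the mask.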
71521 +@@ -236,6 +247,17 @@ madvise_vma(struct vm_area_struct *vma,
71522 +
71523 + case MADV_DONTNEED:
71524 + error = madvise_dontneed(vma, prev, start, end);
71525 ++
71526 ++#ifdef CONFIG_PAX_SEGMEXEC
71527 ++ if (!error) {
71528 ++ struct vm_area_struct *vma_m, *prev_m;
71529 ++
71530 ++ vma_m = pax_find_mirror_vma(vma);
71531 ++ if (vma_m)
71532 ++ error = madvise_dontneed(vma_m, &prev_m, start + SEGMEXEC_TASK_SIZE, end + SEGMEXEC_TASK_SIZE);
71533 ++ }
71534 ++#endif
71535 ++
71536 + break;
71537 +
71538 + default:
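Review bot: when the mirror's madvise_dontneed fails, `error` is overwritten with the mirror's result after the lower range has already been zapped, leaving the two halves out of sync with no indication to the caller about which half was applied. If madvise_dontneed cannot fail for a mirror whose original just succeeded, say so in a comment (or BUG_ON the mirror's error); otherwise the partial-failure case needs handling. `prev_m` is write-only here, which is fine, but a comment that it is deliberately discarded helps.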
71539 +@@ -308,6 +330,16 @@ asmlinkage long sys_madvise(unsigned lon
71540 + if (end < start)
71541 + goto out;
71542 +
71543 ++#ifdef CONFIG_PAX_SEGMEXEC
71544 ++ if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
71545 ++ if (end > SEGMEXEC_TASK_SIZE)
71546 ++ goto out;
71547 ++ } else
71548 ++#endif
71549 ++
71550 ++ if (end > TASK_SIZE)
71551 ++ goto out;
71552 ++
71553 + error = 0;
71554 + if (end == start)
71555 + goto out;
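Review bot: the `} else` that closes the SEGMEXEC block is separated from its `if (end > TASK_SIZE)` by `#endif` and a blank line, so the controlled statement is attached only by dangling-else rules across a preprocessor boundary; anyone inserting a line there silently changes control flow. Compute the bound once into a local under the #ifdef (SEGMEXEC_TASK_SIZE when MF_PAX_SEGMEXEC is set, TASK_SIZE otherwise) and do a single `if (end > limit) goto out;`. The `goto out` also returns whatever `error` held at entry, which is not visible in the hunk; make the -EINVAL explicit.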
71556 +diff -urNp linux-2.6.24.5/mm/memory.c linux-2.6.24.5/mm/memory.c
71557 +--- linux-2.6.24.5/mm/memory.c 2008-03-24 14:49:18.000000000 -0400
71558 ++++ linux-2.6.24.5/mm/memory.c 2008-03-26 20:21:16.000000000 -0400
71559 +@@ -50,6 +50,7 @@
71560 + #include <linux/delayacct.h>
71561 + #include <linux/init.h>
71562 + #include <linux/writeback.h>
71563 ++#include <linux/grsecurity.h>
71564 +
71565 + #include <asm/pgalloc.h>
71566 + #include <asm/uaccess.h>
71567 +@@ -990,11 +991,11 @@ int get_user_pages(struct task_struct *t
71568 + vm_flags &= force ? (VM_MAYREAD | VM_MAYWRITE) : (VM_READ | VM_WRITE);
71569 + i = 0;
71570 +
71571 +- do {
71572 ++ while (len) {
71573 + struct vm_area_struct *vma;
71574 + unsigned int foll_flags;
71575 +
71576 +- vma = find_extend_vma(mm, start);
71577 ++ vma = find_vma(mm, start);
71578 + if (!vma && in_gate_area(tsk, start)) {
71579 + unsigned long pg = start & PAGE_MASK;
71580 + struct vm_area_struct *gate_vma = get_gate_vma(tsk);
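Review bot: replacing find_extend_vma with find_vma changes semantics beyond SEGMEXEC: get_user_pages no longer grows a VM_GROWSDOWN stack vma on demand, so callers that legitimately touch just below a stack (access_process_vm via ptrace, core dumps) now get -EFAULT where they used to succeed, and the `start < vma->vm_start` test added in the next hunk becomes necessary because find_vma can return a vma that begins above `start`. If dropping the auto-extension is intended, document it and the callers it affects; if not, keep find_extend_vma and add the SEGMEXEC handling around it. The `do {` to `while (len) {` change is independent (it makes a zero-length call a no-op) and should be mentioned separately.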
71581 +@@ -1034,7 +1035,7 @@ int get_user_pages(struct task_struct *t
71582 + continue;
71583 + }
71584 +
71585 +- if (!vma || (vma->vm_flags & (VM_IO | VM_PFNMAP))
71586 ++ if (!vma || start < vma->vm_start || (vma->vm_flags & (VM_IO | VM_PFNMAP))
71587 + || !(vm_flags & vma->vm_flags))
71588 + return i ? : -EFAULT;
71589 +
71590 +@@ -1107,7 +1108,7 @@ int get_user_pages(struct task_struct *t
71591 + start += PAGE_SIZE;
71592 + len--;
71593 + } while (len && start < vma->vm_end);
71594 +- } while (len);
71595 ++ }
71596 + return i;
71597 + }
71598 + EXPORT_SYMBOL(get_user_pages);
71599 +@@ -1526,6 +1527,186 @@ static inline void cow_user_page(struct
71600 + copy_user_highpage(dst, src, va, vma);
71601 + }
71602 +
71603 ++#ifdef CONFIG_PAX_SEGMEXEC
71604 ++static void pax_unmap_mirror_pte(struct vm_area_struct *vma, unsigned long address, pmd_t *pmd)
71605 ++{
71606 ++ struct mm_struct *mm = vma->vm_mm;
71607 ++ spinlock_t *ptl;
71608 ++ pte_t *pte, entry;
71609 ++
71610 ++ pte = pte_offset_map_lock(mm, pmd, address, &ptl);
71611 ++ entry = *pte;
71612 ++ if (!pte_present(entry)) {
71613 ++ if (!pte_none(entry)) {
71614 ++ BUG_ON(pte_file(entry));
71615 ++ free_swap_and_cache(pte_to_swp_entry(entry));
71616 ++ pte_clear_not_present_full(mm, address, pte, 0);
71617 ++ }
71618 ++ } else {
71619 ++ struct page *page;
71620 ++
71621 ++ flush_cache_page(vma, address, pte_pfn(entry));
71622 ++ entry = ptep_clear_flush(vma, address, pte);
71623 ++ BUG_ON(pte_dirty(entry));
71624 ++ page = vm_normal_page(vma, address, entry);
71625 ++ if (page) {
71626 ++ update_hiwater_rss(mm);
71627 ++ if (PageAnon(page))
71628 ++ dec_mm_counter(mm, anon_rss);
71629 ++ else
71630 ++ dec_mm_counter(mm, file_rss);
71631 ++ page_remove_rmap(page, vma);
71632 ++ page_cache_release(page);
71633 ++ }
71634 ++ }
71635 ++ pte_unmap_unlock(pte, ptl);
71636 ++}
71637 ++
71638 ++/* PaX: if vma is mirrored, synchronize the mirror's PTE
71639 ++ *
71640 ++ * the ptl of the lower mapped page is held on entry and is not released on exit
71641 ++ * or inside to ensure atomic changes to the PTE states (swapout, mremap, munmap, etc)
71642 ++ */
71643 ++static void pax_mirror_anon_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m, spinlock_t *ptl)
71644 ++{
71645 ++ struct mm_struct *mm = vma->vm_mm;
71646 ++ unsigned long address_m;
71647 ++ spinlock_t *ptl_m;
71648 ++ struct vm_area_struct *vma_m;
71649 ++ pmd_t *pmd_m;
71650 ++ pte_t *pte_m, entry_m;
71651 ++
71652 ++ BUG_ON(!page_m || !PageAnon(page_m));
71653 ++
71654 ++ vma_m = pax_find_mirror_vma(vma);
71655 ++ if (!vma_m)
71656 ++ return;
71657 ++
71658 ++ BUG_ON(!PageLocked(page_m));
71659 ++ BUG_ON(address >= SEGMEXEC_TASK_SIZE);
71660 ++ address_m = address + SEGMEXEC_TASK_SIZE;
71661 ++ pmd_m = pmd_offset(pud_offset(pgd_offset(mm, address_m), address_m), address_m);
71662 ++ pte_m = pte_offset_map_nested(pmd_m, address_m);
71663 ++ ptl_m = pte_lockptr(mm, pmd_m);
71664 ++ if (ptl != ptl_m) {
71665 ++ spin_lock_nested(ptl_m, SINGLE_DEPTH_NESTING);
71666 ++ if (!pte_none(*pte_m))
71667 ++ goto out;
71668 ++ }
71669 ++
71670 ++ entry_m = pfn_pte(page_to_pfn(page_m), vma_m->vm_page_prot);
71671 ++ page_cache_get(page_m);
71672 ++ page_add_anon_rmap(page_m, vma_m, address_m);
71673 ++ inc_mm_counter(mm, anon_rss);
71674 ++ set_pte_at(mm, address_m, pte_m, entry_m);
71675 ++ update_mmu_cache(vma_m, address_m, entry_m);
71676 ++out:
71677 ++ if (ptl != ptl_m)
71678 ++ spin_unlock(ptl_m);
71679 ++ pte_unmap_nested(pte_m);
71680 ++ unlock_page(page_m);
71681 ++}
71682 ++
71683 ++void pax_mirror_file_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m, spinlock_t *ptl)
71684 ++{
71685 ++ struct mm_struct *mm = vma->vm_mm;
71686 ++ unsigned long address_m;
71687 ++ spinlock_t *ptl_m;
71688 ++ struct vm_area_struct *vma_m;
71689 ++ pmd_t *pmd_m;
71690 ++ pte_t *pte_m, entry_m;
71691 ++
71692 ++ BUG_ON(!page_m || PageAnon(page_m));
71693 ++
71694 ++ vma_m = pax_find_mirror_vma(vma);
71695 ++ if (!vma_m)
71696 ++ return;
71697 ++
71698 ++ BUG_ON(address >= SEGMEXEC_TASK_SIZE);
71699 ++ address_m = address + SEGMEXEC_TASK_SIZE;
71700 ++ pmd_m = pmd_offset(pud_offset(pgd_offset(mm, address_m), address_m), address_m);
71701 ++ pte_m = pte_offset_map_nested(pmd_m, address_m);
71702 ++ ptl_m = pte_lockptr(mm, pmd_m);
71703 ++ if (ptl != ptl_m) {
71704 ++ spin_lock_nested(ptl_m, SINGLE_DEPTH_NESTING);
71705 ++ if (!pte_none(*pte_m))
71706 ++ goto out;
71707 ++ }
71708 ++
71709 ++ entry_m = pfn_pte(page_to_pfn(page_m), vma_m->vm_page_prot);
71710 ++ page_cache_get(page_m);
71711 ++ page_add_file_rmap(page_m);
71712 ++ inc_mm_counter(mm, file_rss);
71713 ++ set_pte_at(mm, address_m, pte_m, entry_m);
71714 ++ update_mmu_cache(vma_m, address_m, entry_m);
71715 ++out:
71716 ++ if (ptl != ptl_m)
71717 ++ spin_unlock(ptl_m);
71718 ++ pte_unmap_nested(pte_m);
71719 ++}
71720 ++
71721 ++static void pax_mirror_pfn_pte(struct vm_area_struct *vma, unsigned long address, unsigned long pfn_m, spinlock_t *ptl)
71722 ++{
71723 ++ struct mm_struct *mm = vma->vm_mm;
71724 ++ unsigned long address_m;
71725 ++ spinlock_t *ptl_m;
71726 ++ struct vm_area_struct *vma_m;
71727 ++ pmd_t *pmd_m;
71728 ++ pte_t *pte_m, entry_m;
71729 ++
71730 ++ vma_m = pax_find_mirror_vma(vma);
71731 ++ if (!vma_m)
71732 ++ return;
71733 ++
71734 ++ BUG_ON(address >= SEGMEXEC_TASK_SIZE);
71735 ++ address_m = address + SEGMEXEC_TASK_SIZE;
71736 ++ pmd_m = pmd_offset(pud_offset(pgd_offset(mm, address_m), address_m), address_m);
71737 ++ pte_m = pte_offset_map_nested(pmd_m, address_m);
71738 ++ ptl_m = pte_lockptr(mm, pmd_m);
71739 ++ if (ptl != ptl_m) {
71740 ++ spin_lock_nested(ptl_m, SINGLE_DEPTH_NESTING);
71741 ++ if (!pte_none(*pte_m))
71742 ++ goto out;
71743 ++ }
71744 ++
71745 ++ entry_m = pfn_pte(pfn_m, vma_m->vm_page_prot);
71746 ++ set_pte_at(mm, address_m, pte_m, entry_m);
71747 ++out:
71748 ++ if (ptl != ptl_m)
71749 ++ spin_unlock(ptl_m);
71750 ++ pte_unmap_nested(pte_m);
71751 ++}
71752 ++
71753 ++static void pax_mirror_pte(struct vm_area_struct *vma, unsigned long address, pte_t *pte, pmd_t *pmd, spinlock_t *ptl)
71754 ++{
71755 ++ struct page *page_m;
71756 ++ pte_t entry;
71757 ++
71758 ++ if (!(vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC))
71759 ++ goto out;
71760 ++
71761 ++ entry = *pte;
71762 ++ page_m = vm_normal_page(vma, address, entry);
71763 ++ if (!page_m)
71764 ++ pax_mirror_pfn_pte(vma, address, pte_pfn(entry), ptl);
71765 ++ else if (PageAnon(page_m)) {
71766 ++ if (pax_find_mirror_vma(vma)) {
71767 ++ pte_unmap_unlock(pte, ptl);
71768 ++ lock_page(page_m);
71769 ++ pte = pte_offset_map_lock(vma->vm_mm, pmd, address, &ptl);
71770 ++ if (pte_same(entry, *pte))
71771 ++ pax_mirror_anon_pte(vma, address, page_m, ptl);
71772 ++ else
71773 ++ unlock_page(page_m);
71774 ++ }
71775 ++ } else
71776 ++ pax_mirror_file_pte(vma, address, page_m, ptl);
71777 ++
71778 ++out:
71779 ++ pte_unmap_unlock(pte, ptl);
71780 ++}
71781 ++#endif
71782 ++
71783 + /*
71784 + * This routine handles present pages, when users try to write
71785 + * to a shared page. It is done by copying the page to a new address
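Review bot: in pax_mirror_pfn_pte the pte_none(*pte_m) check only runs inside the "if (ptl != ptl_m)" branch, so when the mirror pte shares the page-table lock with the original, entry_m is written with set_pte_at unconditionally. If that is safe because handle_mm_fault already emptied the mirror slot with pax_unmap_mirror_pte under the same lock, a comment at the set_pte_at should say so; otherwise hoist the pte_none test out of the if. Separately, pax_mirror_pte owns ptl for its whole body (every path ends in pte_unmap_unlock, and in the PageAnon branch it drops and re-takes the lock around lock_page), and pax_mirror_anon_pte is handed a page this function locked and is expected to unlock it (the pte_same failure path unlocks it itself). handle_pte_fault relies on the first of these when it does "pax_mirror_pte(vma, address, pte, pmd, ptl); return 0;" instead of falling through to its own unlock label, so document the lock-ownership contract in a comment above the function.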
71786 +@@ -1638,6 +1819,12 @@ gotten:
71787 + */
71788 + page_table = pte_offset_map_lock(mm, pmd, address, &ptl);
71789 + if (likely(pte_same(*page_table, orig_pte))) {
71790 ++
71791 ++#ifdef CONFIG_PAX_SEGMEXEC
71792 ++ if (pax_find_mirror_vma(vma))
71793 ++ BUG_ON(TestSetPageLocked(new_page));
71794 ++#endif
71795 ++
71796 + if (old_page) {
71797 + page_remove_rmap(old_page, vma);
71798 + if (!PageAnon(old_page)) {
71799 +@@ -1661,6 +1848,10 @@ gotten:
71800 + lru_cache_add_active(new_page);
71801 + page_add_new_anon_rmap(new_page, vma, address);
71802 +
71803 ++#ifdef CONFIG_PAX_SEGMEXEC
71804 ++ pax_mirror_anon_pte(vma, address, new_page, ptl);
71805 ++#endif
71806 ++
71807 + /* Free the old page.. */
71808 + new_page = old_page;
71809 + ret |= VM_FAULT_WRITE;
71810 +@@ -1941,6 +2132,7 @@ int vmtruncate(struct inode * inode, lof
71811 +
71812 + do_expand:
71813 + limit = current->signal->rlim[RLIMIT_FSIZE].rlim_cur;
71814 ++ gr_learn_resource(current, RLIMIT_FSIZE, offset, 1);
71815 + if (limit != RLIM_INFINITY && offset > limit)
71816 + goto out_sig;
71817 + if (offset > inode->i_sb->s_maxbytes)
71818 +@@ -2123,6 +2315,11 @@ static int do_swap_page(struct mm_struct
71819 + swap_free(entry);
71820 + if (vm_swap_full())
71821 + remove_exclusive_swap_page(page);
71822 ++
71823 ++#ifdef CONFIG_PAX_SEGMEXEC
71824 ++ if (write_access || !pax_find_mirror_vma(vma))
71825 ++#endif
71826 ++
71827 + unlock_page(page);
71828 +
71829 + if (write_access) {
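Review bot: the SEGMEXEC conditional governs a statement that sits outside the #ifdef: "if (write_access || !pax_find_mirror_vma(vma))" is followed by "#endif", a blank line and then the pre-existing "unlock_page(page);", so the page is kept locked for the mirror on a read fault only because unlock_page happens to be the next statement. Anyone inserting a line between the #endif and unlock_page silently changes what is skipped. Put the unlock_page call inside the ifdef region (with the unconditional call in an #else), or at least add a comment on the unlock_page line saying the page deliberately stays locked when a mirror exists and pax_mirror_anon_pte will unlock it. The same pattern appears in do_mbind, do_mlock and both arch_get_unmapped_area variants in this patch.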
71830 +@@ -2135,6 +2332,11 @@ static int do_swap_page(struct mm_struct
71831 +
71832 + /* No need to invalidate - it was non-present before */
71833 + update_mmu_cache(vma, address, pte);
71834 ++
71835 ++#ifdef CONFIG_PAX_SEGMEXEC
71836 ++ pax_mirror_anon_pte(vma, address, page, ptl);
71837 ++#endif
71838 ++
71839 + unlock:
71840 + pte_unmap_unlock(page_table, ptl);
71841 + out:
71842 +@@ -2174,6 +2376,12 @@ static int do_anonymous_page(struct mm_s
71843 + page_table = pte_offset_map_lock(mm, pmd, address, &ptl);
71844 + if (!pte_none(*page_table))
71845 + goto release;
71846 ++
71847 ++#ifdef CONFIG_PAX_SEGMEXEC
71848 ++ if (pax_find_mirror_vma(vma))
71849 ++ BUG_ON(TestSetPageLocked(page));
71850 ++#endif
71851 ++
71852 + inc_mm_counter(mm, anon_rss);
71853 + lru_cache_add_active(page);
71854 + page_add_new_anon_rmap(page, vma, address);
71855 +@@ -2181,6 +2389,11 @@ static int do_anonymous_page(struct mm_s
71856 +
71857 + /* No need to invalidate - it was non-present before */
71858 + update_mmu_cache(vma, address, entry);
71859 ++
71860 ++#ifdef CONFIG_PAX_SEGMEXEC
71861 ++ pax_mirror_anon_pte(vma, address, page, ptl);
71862 ++#endif
71863 ++
71864 + unlock:
71865 + pte_unmap_unlock(page_table, ptl);
71866 + return 0;
71867 +@@ -2313,6 +2526,12 @@ static int __do_fault(struct mm_struct *
71868 + */
71869 + /* Only go through if we didn't race with anybody else... */
71870 + if (likely(pte_same(*page_table, orig_pte))) {
71871 ++
71872 ++#ifdef CONFIG_PAX_SEGMEXEC
71873 ++ if (anon && pax_find_mirror_vma(vma))
71874 ++ BUG_ON(TestSetPageLocked(page));
71875 ++#endif
71876 ++
71877 + flush_icache_page(vma, page);
71878 + entry = mk_pte(page, vma->vm_page_prot);
71879 + if (flags & FAULT_FLAG_WRITE)
71880 +@@ -2333,6 +2552,14 @@ static int __do_fault(struct mm_struct *
71881 +
71882 + /* no need to invalidate: a not-present page won't be cached */
71883 + update_mmu_cache(vma, address, entry);
71884 ++
71885 ++#ifdef CONFIG_PAX_SEGMEXEC
71886 ++ if (anon)
71887 ++ pax_mirror_anon_pte(vma, address, page, ptl);
71888 ++ else
71889 ++ pax_mirror_file_pte(vma, address, page, ptl);
71890 ++#endif
71891 ++
71892 + } else {
71893 + if (anon)
71894 + page_cache_release(page);
71895 +@@ -2415,6 +2642,11 @@ static noinline int do_no_pfn(struct mm_
71896 + if (write_access)
71897 + entry = maybe_mkwrite(pte_mkdirty(entry), vma);
71898 + set_pte_at(mm, address, page_table, entry);
71899 ++
71900 ++#ifdef CONFIG_PAX_SEGMEXEC
71901 ++ pax_mirror_pfn_pte(vma, address, pfn, ptl);
71902 ++#endif
71903 ++
71904 + }
71905 + pte_unmap_unlock(page_table, ptl);
71906 + return 0;
71907 +@@ -2517,6 +2749,12 @@ static inline int handle_pte_fault(struc
71908 + if (write_access)
71909 + flush_tlb_page(vma, address);
71910 + }
71911 ++
71912 ++#ifdef CONFIG_PAX_SEGMEXEC
71913 ++ pax_mirror_pte(vma, address, pte, pmd, ptl);
71914 ++ return 0;
71915 ++#endif
71916 ++
71917 + unlock:
71918 + pte_unmap_unlock(pte, ptl);
71919 + return 0;
71920 +@@ -2533,6 +2771,10 @@ int handle_mm_fault(struct mm_struct *mm
71921 + pmd_t *pmd;
71922 + pte_t *pte;
71923 +
71924 ++#ifdef CONFIG_PAX_SEGMEXEC
71925 ++ struct vm_area_struct *vma_m;
71926 ++#endif
71927 ++
71928 + __set_current_state(TASK_RUNNING);
71929 +
71930 + count_vm_event(PGFAULT);
71931 +@@ -2540,6 +2782,34 @@ int handle_mm_fault(struct mm_struct *mm
71932 + if (unlikely(is_vm_hugetlb_page(vma)))
71933 + return hugetlb_fault(mm, vma, address, write_access);
71934 +
71935 ++#ifdef CONFIG_PAX_SEGMEXEC
71936 ++ vma_m = pax_find_mirror_vma(vma);
71937 ++ if (vma_m) {
71938 ++ unsigned long address_m;
71939 ++ pgd_t *pgd_m;
71940 ++ pud_t *pud_m;
71941 ++ pmd_t *pmd_m;
71942 ++
71943 ++ if (vma->vm_start > vma_m->vm_start) {
71944 ++ address_m = address;
71945 ++ address -= SEGMEXEC_TASK_SIZE;
71946 ++ vma = vma_m;
71947 ++ } else
71948 ++ address_m = address + SEGMEXEC_TASK_SIZE;
71949 ++
71950 ++ pgd_m = pgd_offset(mm, address_m);
71951 ++ pud_m = pud_alloc(mm, pgd_m, address_m);
71952 ++ if (!pud_m)
71953 ++ return VM_FAULT_OOM;
71954 ++ pmd_m = pmd_alloc(mm, pud_m, address_m);
71955 ++ if (!pmd_m)
71956 ++ return VM_FAULT_OOM;
71957 ++ if (!pmd_present(*pmd_m) && __pte_alloc(mm, pmd_m, address_m))
71958 ++ return VM_FAULT_OOM;
71959 ++ pax_unmap_mirror_pte(vma_m, address_m, pmd_m);
71960 ++ }
71961 ++#endif
71962 ++
71963 + pgd = pgd_offset(mm, address);
71964 + pud = pud_alloc(mm, pgd, address);
71965 + if (!pud)
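Review bot: after the swap in the "vma->vm_start > vma_m->vm_start" branch, vma now names the lower-half vma, but vma_m still holds what pax_find_mirror_vma returned for the faulting upper-half vma, which is the same lower-half vma. The following "pax_unmap_mirror_pte(vma_m, address_m, pmd_m)" therefore passes the lower-half vma together with an upper-half address, whereas in the other branch it passes the upper-half mirror with the upper-half address. If pax_unmap_mirror_pte only uses vm_mm this is harmless, but it is confusing and would break the moment the callee consults vm_flags or vm_pgoff; swap both pointers together so that (vma_m, address_m) is always the upper-half pair. The three early VM_FAULT_OOM returns leave the primary's page tables untouched, which is fine, but a comment that the mirror tables are deliberately allocated first would help.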
71966 +@@ -2673,7 +2943,7 @@ static int __init gate_vma_init(void)
71967 + gate_vma.vm_start = FIXADDR_USER_START;
71968 + gate_vma.vm_end = FIXADDR_USER_END;
71969 + gate_vma.vm_flags = VM_READ | VM_MAYREAD | VM_EXEC | VM_MAYEXEC;
71970 +- gate_vma.vm_page_prot = __P101;
71971 ++ gate_vma.vm_page_prot = vm_get_page_prot(gate_vma.vm_flags);
71972 + /*
71973 + * Make sure the vDSO gets into every core dump.
71974 + * Dumping its contents makes post-mortem fully interpretable later
71975 +diff -urNp linux-2.6.24.5/mm/mempolicy.c linux-2.6.24.5/mm/mempolicy.c
71976 +--- linux-2.6.24.5/mm/mempolicy.c 2008-03-24 14:49:18.000000000 -0400
71977 ++++ linux-2.6.24.5/mm/mempolicy.c 2008-03-26 20:21:09.000000000 -0400
71978 +@@ -406,6 +406,10 @@ static int mbind_range(struct vm_area_st
71979 + struct vm_area_struct *next;
71980 + int err;
71981 +
71982 ++#ifdef CONFIG_PAX_SEGMEXEC
71983 ++ struct vm_area_struct *vma_m;
71984 ++#endif
71985 ++
71986 + err = 0;
71987 + for (; vma && vma->vm_start < end; vma = next) {
71988 + next = vma->vm_next;
71989 +@@ -417,6 +421,16 @@ static int mbind_range(struct vm_area_st
71990 + err = policy_vma(vma, new);
71991 + if (err)
71992 + break;
71993 ++
71994 ++#ifdef CONFIG_PAX_SEGMEXEC
71995 ++ vma_m = pax_find_mirror_vma(vma);
71996 ++ if (vma_m) {
71997 ++ err = policy_vma(vma_m, new);
71998 ++ if (err)
71999 ++ break;
72000 ++ }
72001 ++#endif
72002 ++
72003 + }
72004 + return err;
72005 + }
72006 +@@ -794,6 +808,17 @@ static long do_mbind(unsigned long start
72007 +
72008 + if (end < start)
72009 + return -EINVAL;
72010 ++
72011 ++#ifdef CONFIG_PAX_SEGMEXEC
72012 ++ if (mm->pax_flags & MF_PAX_SEGMEXEC) {
72013 ++ if (end > SEGMEXEC_TASK_SIZE)
72014 ++ return -EINVAL;
72015 ++ } else
72016 ++#endif
72017 ++
72018 ++ if (end > TASK_SIZE)
72019 ++ return -EINVAL;
72020 ++
72021 + if (end == start)
72022 + return 0;
72023 +
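Review bot: the "} else" immediately before "#endif" makes the pre-existing "if (end > TASK_SIZE)" the else branch of the SEGMEXEC check purely by textual adjacency, and the blank lines between them make that easy to misread and easy to break. Either keep the whole if/else inside the #ifdef with a plain #else for the non-SEGMEXEC limit, or compute the bound once, for example "limit = (mm->pax_flags & MF_PAX_SEGMEXEC) ? SEGMEXEC_TASK_SIZE : TASK_SIZE;", and test end against it, which removes the preprocessor/else interleaving entirely. The identical construct is used in do_mlock in the next file.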
72024 +diff -urNp linux-2.6.24.5/mm/mlock.c linux-2.6.24.5/mm/mlock.c
72025 +--- linux-2.6.24.5/mm/mlock.c 2008-03-24 14:49:18.000000000 -0400
72026 ++++ linux-2.6.24.5/mm/mlock.c 2008-03-26 20:21:09.000000000 -0400
72027 +@@ -12,6 +12,7 @@
72028 + #include <linux/syscalls.h>
72029 + #include <linux/sched.h>
72030 + #include <linux/module.h>
72031 ++#include <linux/grsecurity.h>
72032 +
72033 + int can_do_mlock(void)
72034 + {
72035 +@@ -95,6 +96,17 @@ static int do_mlock(unsigned long start,
72036 + return -EINVAL;
72037 + if (end == start)
72038 + return 0;
72039 ++
72040 ++#ifdef CONFIG_PAX_SEGMEXEC
72041 ++ if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
72042 ++ if (end > SEGMEXEC_TASK_SIZE)
72043 ++ return -EINVAL;
72044 ++ } else
72045 ++#endif
72046 ++
72047 ++ if (end > TASK_SIZE)
72048 ++ return -EINVAL;
72049 ++
72050 + vma = find_vma_prev(current->mm, start, &prev);
72051 + if (!vma || vma->vm_start > start)
72052 + return -ENOMEM;
72053 +@@ -152,6 +164,7 @@ asmlinkage long sys_mlock(unsigned long
72054 + lock_limit >>= PAGE_SHIFT;
72055 +
72056 + /* check against resource limits */
72057 ++ gr_learn_resource(current, RLIMIT_MEMLOCK, (current->mm->locked_vm << PAGE_SHIFT) + len, 1);
72058 + if ((locked <= lock_limit) || capable(CAP_IPC_LOCK))
72059 + error = do_mlock(start, len, 1);
72060 + up_write(&current->mm->mmap_sem);
72061 +@@ -173,10 +186,10 @@ asmlinkage long sys_munlock(unsigned lon
72062 + static int do_mlockall(int flags)
72063 + {
72064 + struct vm_area_struct * vma, * prev = NULL;
72065 +- unsigned int def_flags = 0;
72066 ++ unsigned int def_flags = current->mm->def_flags & ~VM_LOCKED;
72067 +
72068 + if (flags & MCL_FUTURE)
72069 +- def_flags = VM_LOCKED;
72070 ++ def_flags |= VM_LOCKED;
72071 + current->mm->def_flags = def_flags;
72072 + if (flags == MCL_FUTURE)
72073 + goto out;
72074 +@@ -184,6 +197,12 @@ static int do_mlockall(int flags)
72075 + for (vma = current->mm->mmap; vma ; vma = prev->vm_next) {
72076 + unsigned int newflags;
72077 +
72078 ++#ifdef CONFIG_PAX_SEGMEXEC
72079 ++ if ((current->mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_start >= SEGMEXEC_TASK_SIZE))
72080 ++ break;
72081 ++#endif
72082 ++
72083 ++ BUG_ON(vma->vm_end > TASK_SIZE);
72084 + newflags = vma->vm_flags | VM_LOCKED;
72085 + if (!(flags & MCL_CURRENT))
72086 + newflags &= ~VM_LOCKED;
72087 +@@ -213,6 +232,7 @@ asmlinkage long sys_mlockall(int flags)
72088 + lock_limit >>= PAGE_SHIFT;
72089 +
72090 + ret = -ENOMEM;
72091 ++ gr_learn_resource(current, RLIMIT_MEMLOCK, current->mm->total_vm, 1);
72092 + if (!(flags & MCL_CURRENT) || (current->mm->total_vm <= lock_limit) ||
72093 + capable(CAP_IPC_LOCK))
72094 + ret = do_mlockall(flags);
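Review bot: the value passed to gr_learn_resource here is a page count while every other RLIMIT_MEMLOCK call in this patch passes bytes: sys_mlock passes "(current->mm->locked_vm << PAGE_SHIFT) + len", do_mmap_pgoff and acct_stack_growth pass "locked << PAGE_SHIFT", but this one passes current->mm->total_vm, which is in pages (the comparison on the next line is against lock_limit after ">>= PAGE_SHIFT"). The learned RLIMIT_MEMLOCK value for mlockall will be too small by a factor of PAGE_SIZE; use current->mm->total_vm << PAGE_SHIFT.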
72095 +diff -urNp linux-2.6.24.5/mm/mmap.c linux-2.6.24.5/mm/mmap.c
72096 +--- linux-2.6.24.5/mm/mmap.c 2008-03-24 14:49:18.000000000 -0400
72097 ++++ linux-2.6.24.5/mm/mmap.c 2008-03-26 20:21:09.000000000 -0400
72098 +@@ -26,6 +26,7 @@
72099 + #include <linux/mount.h>
72100 + #include <linux/mempolicy.h>
72101 + #include <linux/rmap.h>
72102 ++#include <linux/grsecurity.h>
72103 +
72104 + #include <asm/uaccess.h>
72105 + #include <asm/cacheflush.h>
72106 +@@ -36,6 +37,16 @@
72107 + #define arch_mmap_check(addr, len, flags) (0)
72108 + #endif
72109 +
72110 ++static inline void verify_mm_writelocked(struct mm_struct *mm)
72111 ++{
72112 ++#if defined(CONFIG_DEBUG_VM) || defined(CONFIG_PAX)
72113 ++ if (unlikely(down_read_trylock(&mm->mmap_sem))) {
72114 ++ up_read(&mm->mmap_sem);
72115 ++ BUG();
72116 ++ }
72117 ++#endif
72118 ++}
72119 ++
72120 + static void unmap_region(struct mm_struct *mm,
72121 + struct vm_area_struct *vma, struct vm_area_struct *prev,
72122 + unsigned long start, unsigned long end);
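Review bot: verify_mm_writelocked proves less than its name suggests: down_read_trylock fails whenever any task holds mmap_sem for write, so the BUG only fires when no writer exists at all, and a caller that forgot to take the lock while some other thread happens to hold it for write passes the check. That is acceptable for a debug assertion, but the comment at its call site in mmap_region ("mm->mmap_sem is required to protect against another thread ...") reads as if the check were exact. Say in a comment on the helper that it is best effort, and note that it is compiled in for every CONFIG_PAX kernel, not only CONFIG_DEBUG_VM, so the trylock runs on every mmap.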
72123 +@@ -61,15 +72,23 @@ static void unmap_region(struct mm_struc
72124 + * x: (no) no x: (no) yes x: (no) yes x: (yes) yes
72125 + *
72126 + */
72127 +-pgprot_t protection_map[16] = {
72128 ++pgprot_t protection_map[16] __read_only = {
72129 + __P000, __P001, __P010, __P011, __P100, __P101, __P110, __P111,
72130 + __S000, __S001, __S010, __S011, __S100, __S101, __S110, __S111
72131 + };
72132 +
72133 + pgprot_t vm_get_page_prot(unsigned long vm_flags)
72134 + {
72135 +- return protection_map[vm_flags &
72136 +- (VM_READ|VM_WRITE|VM_EXEC|VM_SHARED)];
72137 ++ pgprot_t prot = protection_map[vm_flags & (VM_READ|VM_WRITE|VM_EXEC|VM_SHARED)];
72138 ++
72139 ++#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
72140 ++ if (!nx_enabled &&
72141 ++ (vm_flags & (VM_PAGEEXEC | VM_EXEC)) == VM_PAGEEXEC &&
72142 ++ (vm_flags & (VM_READ | VM_WRITE)))
72143 ++ prot = __pgprot(pte_val(pte_exprotect(__pte(pgprot_val(prot)))));
72144 ++#endif
72145 ++
72146 ++ return prot;
72147 + }
72148 + EXPORT_SYMBOL(vm_get_page_prot);
72149 +
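Review bot: marking protection_map __read_only assumes nobody writes to the array once the read-only section is sealed; at least ARM's build_mem_type_table rewrites protection_map during boot, so for a multi-arch patchset this needs checking per architecture (confirm the section is still writable at that point, or restrict the annotation to x86). In vm_get_page_prot, the new x86-32 branch clears the executable bit from a VM_PAGEEXEC mapping that is readable or writable when NX is unavailable; a one-line comment that this is what makes the non-NX PAGEEXEC emulation fault on instruction fetches would spare the next reader a trip to the PaX documentation.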
72150 +@@ -224,6 +243,7 @@ static struct vm_area_struct *remove_vma
72151 + struct vm_area_struct *next = vma->vm_next;
72152 +
72153 + might_sleep();
72154 ++ BUG_ON(vma->vm_mirror);
72155 + if (vma->vm_ops && vma->vm_ops->close)
72156 + vma->vm_ops->close(vma);
72157 + if (vma->vm_file)
72158 +@@ -251,6 +271,7 @@ asmlinkage unsigned long sys_brk(unsigne
72159 + * not page aligned -Ram Gupta
72160 + */
72161 + rlim = current->signal->rlim[RLIMIT_DATA].rlim_cur;
72162 ++ gr_learn_resource(current, RLIMIT_DATA, brk - mm->start_data, 1);
72163 + if (rlim < RLIM_INFINITY && brk - mm->start_data > rlim)
72164 + goto out;
72165 +
72166 +@@ -351,8 +372,12 @@ find_vma_prepare(struct mm_struct *mm, u
72167 +
72168 + if (vma_tmp->vm_end > addr) {
72169 + vma = vma_tmp;
72170 +- if (vma_tmp->vm_start <= addr)
72171 +- return vma;
72172 ++ if (vma_tmp->vm_start <= addr) {
72173 ++//printk("PAX: prep: %08lx-%08lx %08lx pr:%p l:%p pa:%p ",
72174 ++//vma->vm_start, vma->vm_end, addr, *pprev, *rb_link, *rb_parent);
72175 ++//__print_symbol("%s\n", __builtin_extract_return_addr(__builtin_return_address(0)));
72176 ++ break;
72177 ++ }
72178 + __rb_link = &__rb_parent->rb_left;
72179 + } else {
72180 + rb_prev = __rb_parent;
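Review bot: the three commented-out printk/__print_symbol debugging lines should not go in; drop them. The substantive change, "return vma" becoming "break", is a behaviour change the hunk does not explain: on an overlap find_vma_prepare now falls through to the code that fills *pprev, *rb_link and *rb_parent instead of returning with them unset, and the rewritten mmap_region (hunk at line 1197 of mmap.c) depends on that when it re-calls find_vma_prepare after do_munmap. State in a comment above the loop that the output parameters are now valid in the overlap case as well.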
72181 +@@ -676,6 +701,12 @@ static int
72182 + can_vma_merge_before(struct vm_area_struct *vma, unsigned long vm_flags,
72183 + struct anon_vma *anon_vma, struct file *file, pgoff_t vm_pgoff)
72184 + {
72185 ++
72186 ++#ifdef CONFIG_PAX_SEGMEXEC
72187 ++ if ((vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) && vma->vm_start == SEGMEXEC_TASK_SIZE)
72188 ++ return 0;
72189 ++#endif
72190 ++
72191 + if (is_mergeable_vma(vma, file, vm_flags) &&
72192 + is_mergeable_anon_vma(anon_vma, vma->anon_vma)) {
72193 + if (vma->vm_pgoff == vm_pgoff)
72194 +@@ -695,6 +726,12 @@ static int
72195 + can_vma_merge_after(struct vm_area_struct *vma, unsigned long vm_flags,
72196 + struct anon_vma *anon_vma, struct file *file, pgoff_t vm_pgoff)
72197 + {
72198 ++
72199 ++#ifdef CONFIG_PAX_SEGMEXEC
72200 ++ if ((vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) && vma->vm_end == SEGMEXEC_TASK_SIZE)
72201 ++ return 0;
72202 ++#endif
72203 ++
72204 + if (is_mergeable_vma(vma, file, vm_flags) &&
72205 + is_mergeable_anon_vma(anon_vma, vma->anon_vma)) {
72206 + pgoff_t vm_pglen;
72207 +@@ -737,12 +774,19 @@ can_vma_merge_after(struct vm_area_struc
72208 + struct vm_area_struct *vma_merge(struct mm_struct *mm,
72209 + struct vm_area_struct *prev, unsigned long addr,
72210 + unsigned long end, unsigned long vm_flags,
72211 +- struct anon_vma *anon_vma, struct file *file,
72212 ++ struct anon_vma *anon_vma, struct file *file,
72213 + pgoff_t pgoff, struct mempolicy *policy)
72214 + {
72215 + pgoff_t pglen = (end - addr) >> PAGE_SHIFT;
72216 + struct vm_area_struct *area, *next;
72217 +
72218 ++#ifdef CONFIG_PAX_SEGMEXEC
72219 ++ unsigned long addr_m = addr + SEGMEXEC_TASK_SIZE, end_m = end + SEGMEXEC_TASK_SIZE;
72220 ++ struct vm_area_struct *area_m = NULL, *next_m = NULL, *prev_m = NULL;
72221 ++
72222 ++ BUG_ON((mm->pax_flags & MF_PAX_SEGMEXEC) && SEGMEXEC_TASK_SIZE < end);
72223 ++#endif
72224 ++
72225 + /*
72226 + * We later require that vma->vm_flags == vm_flags,
72227 + * so this tests vma->vm_flags & VM_SPECIAL, too.
72228 +@@ -758,6 +802,15 @@ struct vm_area_struct *vma_merge(struct
72229 + if (next && next->vm_end == end) /* cases 6, 7, 8 */
72230 + next = next->vm_next;
72231 +
72232 ++#ifdef CONFIG_PAX_SEGMEXEC
72233 ++ if (prev)
72234 ++ prev_m = pax_find_mirror_vma(prev);
72235 ++ if (area)
72236 ++ area_m = pax_find_mirror_vma(area);
72237 ++ if (next)
72238 ++ next_m = pax_find_mirror_vma(next);
72239 ++#endif
72240 ++
72241 + /*
72242 + * Can it merge with the predecessor?
72243 + */
72244 +@@ -777,9 +830,24 @@ struct vm_area_struct *vma_merge(struct
72245 + /* cases 1, 6 */
72246 + vma_adjust(prev, prev->vm_start,
72247 + next->vm_end, prev->vm_pgoff, NULL);
72248 +- } else /* cases 2, 5, 7 */
72249 ++
72250 ++#ifdef CONFIG_PAX_SEGMEXEC
72251 ++ if (prev_m)
72252 ++ vma_adjust(prev_m, prev_m->vm_start,
72253 ++ next_m->vm_end, prev_m->vm_pgoff, NULL);
72254 ++#endif
72255 ++
72256 ++ } else { /* cases 2, 5, 7 */
72257 + vma_adjust(prev, prev->vm_start,
72258 + end, prev->vm_pgoff, NULL);
72259 ++
72260 ++#ifdef CONFIG_PAX_SEGMEXEC
72261 ++ if (prev_m)
72262 ++ vma_adjust(prev_m, prev_m->vm_start,
72263 ++ end_m, prev_m->vm_pgoff, NULL);
72264 ++#endif
72265 ++
72266 ++ }
72267 + return prev;
72268 + }
72269 +
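Review bot: in the cases 1, 6 branch next_m->vm_end is dereferenced whenever prev_m is non-NULL without checking next_m. This is safe only because a merge requires prev and next to carry identical vm_flags, so if prev is an executable SEGMEXEC vma with a mirror then next has one too; make that invariant explicit with BUG_ON(!next_m) beside the vma_adjust, the way the cases 3, 8 branch further down asserts its assumptions.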
72270 +@@ -790,12 +858,43 @@ struct vm_area_struct *vma_merge(struct
72271 + mpol_equal(policy, vma_policy(next)) &&
72272 + can_vma_merge_before(next, vm_flags,
72273 + anon_vma, file, pgoff+pglen)) {
72274 +- if (prev && addr < prev->vm_end) /* case 4 */
72275 ++ if (prev && addr < prev->vm_end) { /* case 4 */
72276 + vma_adjust(prev, prev->vm_start,
72277 + addr, prev->vm_pgoff, NULL);
72278 +- else /* cases 3, 8 */
72279 ++
72280 ++#ifdef CONFIG_PAX_SEGMEXEC
72281 ++ if (prev_m)
72282 ++ vma_adjust(prev_m, prev_m->vm_start,
72283 ++ addr_m, prev_m->vm_pgoff, NULL);
72284 ++#endif
72285 ++
72286 ++ } else { /* cases 3, 8 */
72287 + vma_adjust(area, addr, next->vm_end,
72288 + next->vm_pgoff - pglen, NULL);
72289 ++
72290 ++#ifdef CONFIG_PAX_SEGMEXEC
72291 ++ if (area_m)
72292 ++ vma_adjust(area_m, addr_m, next_m->vm_end,
72293 ++ next_m->vm_pgoff - pglen, NULL);
72294 ++ else if (next_m) {
72295 ++ vma_adjust(next_m, addr_m, next_m->vm_end,
72296 ++ next_m->vm_pgoff - pglen, NULL);
72297 ++ BUG_ON(area == next);
72298 ++ BUG_ON(area->vm_mirror);
72299 ++ BUG_ON(next_m->anon_vma && next_m->anon_vma != area->anon_vma);
72300 ++ BUG_ON(area->vm_file != next_m->vm_file);
72301 ++ BUG_ON(area->vm_end - area->vm_start != next_m->vm_end - next_m->vm_start);
72302 ++ BUG_ON(area->vm_pgoff != next_m->vm_pgoff);
72303 ++ area->vm_mirror = next_m;
72304 ++ next_m->vm_mirror = area;
72305 ++ if (area->anon_vma && !next_m->anon_vma) {
72306 ++ next_m->anon_vma = area->anon_vma;
72307 ++ anon_vma_link(next_m);
72308 ++ }
72309 ++ }
72310 ++#endif
72311 ++
72312 ++ }
72313 + return area;
72314 + }
72315 +
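Review bot: the "else if (next_m)" branch in cases 3, 8 creates a new mirror pairing inside vma_merge: area, which has no mirror, adopts the downward-extended next_m as its vm_mirror and hands it its anon_vma, yet nothing says when area_m == NULL with next_m != NULL can occur. From the surrounding code it is the case where a previously non-executable area gains VM_EXEC and merges into an executable successor, which is the mprotect path; add a comment stating that and the invariants the six BUG_ONs check, since they are currently the only documentation. Also say why pax_mirror_vma (used in mmap_region) is not the helper for this pairing, so that the two places that establish vm_mirror links do not drift apart.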
72316 +@@ -870,14 +969,11 @@ none:
72317 + void vm_stat_account(struct mm_struct *mm, unsigned long flags,
72318 + struct file *file, long pages)
72319 + {
72320 +- const unsigned long stack_flags
72321 +- = VM_STACK_FLAGS & (VM_GROWSUP|VM_GROWSDOWN);
72322 +-
72323 + if (file) {
72324 + mm->shared_vm += pages;
72325 + if ((flags & (VM_EXEC|VM_WRITE)) == VM_EXEC)
72326 + mm->exec_vm += pages;
72327 +- } else if (flags & stack_flags)
72328 ++ } else if (flags & (VM_GROWSUP|VM_GROWSDOWN))
72329 + mm->stack_vm += pages;
72330 + if (flags & (VM_RESERVED|VM_IO))
72331 + mm->reserved_vm += pages;
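Review bot: dropping stack_flags changes the accounting rather than just simplifying it: "VM_STACK_FLAGS & (VM_GROWSUP|VM_GROWSDOWN)" limited stack_vm to the direction the architecture's stack grows, whereas the new test counts every VM_GROWSUP or VM_GROWSDOWN mapping. That is visible to userspace as VmStk in /proc/<pid>/status, so the reason belongs in the changelog or a comment.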
72332 +@@ -905,7 +1001,7 @@ unsigned long do_mmap_pgoff(struct file
72333 + * (the exception is when the underlying filesystem is noexec
72334 + * mounted, in which case we dont add PROT_EXEC.)
72335 + */
72336 +- if ((prot & PROT_READ) && (current->personality & READ_IMPLIES_EXEC))
72337 ++ if ((prot & (PROT_READ | PROT_WRITE)) && (current->personality & READ_IMPLIES_EXEC))
72338 + if (!(file && (file->f_path.mnt->mnt_flags & MNT_NOEXEC)))
72339 + prot |= PROT_EXEC;
72340 +
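Review bot: the READ_IMPLIES_EXEC test now also fires for PROT_WRITE-only mappings, but the comment above it still talks about PROT_READ only. Update the comment and say why a write-only mapping should become executable under that personality, because with CONFIG_PAX_MPROTECT enabled the executable bits are stripped again a few lines later for anything writable (hunk at line 1042), so the net effect depends on which PaX options are on.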
72341 +@@ -915,15 +1011,15 @@ unsigned long do_mmap_pgoff(struct file
72342 + if (!(flags & MAP_FIXED))
72343 + addr = round_hint_to_min(addr);
72344 +
72345 +- error = arch_mmap_check(addr, len, flags);
72346 +- if (error)
72347 +- return error;
72348 +-
72349 + /* Careful about overflows.. */
72350 + len = PAGE_ALIGN(len);
72351 + if (!len || len > TASK_SIZE)
72352 + return -ENOMEM;
72353 +
72354 ++ error = arch_mmap_check(addr, len, flags);
72355 ++ if (error)
72356 ++ return error;
72357 ++
72358 + /* offset overflow? */
72359 + if ((pgoff + (len >> PAGE_SHIFT)) < pgoff)
72360 + return -EOVERFLOW;
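Review bot: moving arch_mmap_check after "len = PAGE_ALIGN(len);" and the len bounds test is a genuine fix independent of PaX (the arch hook previously saw the unaligned, unchecked length); it should be split out and sent upstream rather than carried only in the hardened patch. The same applies to the def_flags preservation in do_mlockall and the cached_hole_size reset in arch_unmap_area_topdown elsewhere in this patch.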
72361 +@@ -935,7 +1031,7 @@ unsigned long do_mmap_pgoff(struct file
72362 + /* Obtain the address to map to. we verify (or select) it and ensure
72363 + * that it represents a valid section of the address space.
72364 + */
72365 +- addr = get_unmapped_area(file, addr, len, pgoff, flags);
72366 ++ addr = get_unmapped_area(file, addr, len, pgoff, flags | ((prot & PROT_EXEC) ? MAP_EXECUTABLE : 0));
72367 + if (addr & ~PAGE_MASK)
72368 + return addr;
72369 +
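Review bot: "flags | ((prot & PROT_EXEC) ? MAP_EXECUTABLE : 0)" repurposes the user-visible MAP_EXECUTABLE bit as an internal hint to the arch get_unmapped_area. Since flags comes straight from userspace, a caller that sets MAP_EXECUTABLE without PROT_EXEC also reaches the arch hook with the hint set and may be placed as if the mapping were executable. Mask the bit first, "(flags & ~MAP_EXECUTABLE) | ...", so the hint reflects prot alone, and record the convention in a comment on the arch side that consumes it.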
72370 +@@ -946,6 +1042,26 @@ unsigned long do_mmap_pgoff(struct file
72371 + vm_flags = calc_vm_prot_bits(prot) | calc_vm_flag_bits(flags) |
72372 + mm->def_flags | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC;
72373 +
72374 ++#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
72375 ++ if (mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
72376 ++
72377 ++#ifdef CONFIG_PAX_MPROTECT
72378 ++ if (mm->pax_flags & MF_PAX_MPROTECT) {
72379 ++ if ((prot & (PROT_WRITE | PROT_EXEC)) != PROT_EXEC)
72380 ++ vm_flags &= ~(VM_EXEC | VM_MAYEXEC);
72381 ++ else
72382 ++ vm_flags &= ~(VM_WRITE | VM_MAYWRITE);
72383 ++ }
72384 ++#endif
72385 ++
72386 ++ }
72387 ++#endif
72388 ++
72389 ++#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
72390 ++ if ((mm->pax_flags & MF_PAX_PAGEEXEC) && file)
72391 ++ vm_flags &= ~VM_PAGEEXEC;
72392 ++#endif
72393 ++
72394 + if (flags & MAP_LOCKED) {
72395 + if (!can_do_mlock())
72396 + return -EPERM;
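Review bot: the MPROTECT block enforces W^X at mmap time (a mapping that is writable, or neither writable nor executable, loses VM_EXEC and VM_MAYEXEC; an executable non-writable mapping loses VM_WRITE and VM_MAYWRITE), but it sits inside an outer "if (mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC))" whose body is empty when CONFIG_PAX_MPROTECT is off, leaving a do-nothing block. Fold the PAGEEXEC/SEGMEXEC test into the MPROTECT condition, or comment that the outer block is intended to hold more. Also note in a comment that clearing VM_MAYWRITE and VM_MAYEXEC is what makes a later mprotect to PROT_WRITE or PROT_EXEC fail; that is the user-visible consequence and it is not obvious from the bit manipulation.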
72397 +@@ -958,6 +1074,7 @@ unsigned long do_mmap_pgoff(struct file
72398 + locked += mm->locked_vm;
72399 + lock_limit = current->signal->rlim[RLIMIT_MEMLOCK].rlim_cur;
72400 + lock_limit >>= PAGE_SHIFT;
72401 ++ gr_learn_resource(current, RLIMIT_MEMLOCK, locked << PAGE_SHIFT, 1);
72402 + if (locked > lock_limit && !capable(CAP_IPC_LOCK))
72403 + return -EAGAIN;
72404 + }
72405 +@@ -1026,6 +1143,9 @@ unsigned long do_mmap_pgoff(struct file
72406 + if (error)
72407 + return error;
72408 +
72409 ++ if (!gr_acl_handle_mmap(file, prot))
72410 ++ return -EACCES;
72411 ++
72412 + return mmap_region(file, addr, len, flags, vm_flags, pgoff,
72413 + accountable);
72414 + }
72415 +@@ -1039,10 +1159,10 @@ EXPORT_SYMBOL(do_mmap_pgoff);
72416 + */
72417 + int vma_wants_writenotify(struct vm_area_struct *vma)
72418 + {
72419 +- unsigned int vm_flags = vma->vm_flags;
72420 ++ unsigned long vm_flags = vma->vm_flags;
72421 +
72422 + /* If it was private or non-writable, the write bit is already clear */
72423 +- if ((vm_flags & (VM_WRITE|VM_SHARED)) != ((VM_WRITE|VM_SHARED)))
72424 ++ if ((vm_flags & (VM_WRITE|VM_SHARED)) != (VM_WRITE|VM_SHARED))
72425 + return 0;
72426 +
72427 + /* The backer wishes to know when pages are first written to? */
72428 +@@ -1077,14 +1197,24 @@ unsigned long mmap_region(struct file *f
72429 + unsigned long charged = 0;
72430 + struct inode *inode = file ? file->f_path.dentry->d_inode : NULL;
72431 +
72432 ++#ifdef CONFIG_PAX_SEGMEXEC
72433 ++ struct vm_area_struct *vma_m = NULL;
72434 ++#endif
72435 ++
72436 ++ /*
72437 ++ * mm->mmap_sem is required to protect against another thread
72438 ++ * changing the mappings in case we sleep.
72439 ++ */
72440 ++ verify_mm_writelocked(mm);
72441 ++
72442 + /* Clear old maps */
72443 + error = -ENOMEM;
72444 +-munmap_back:
72445 + vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
72446 + if (vma && vma->vm_start < addr + len) {
72447 + if (do_munmap(mm, addr, len))
72448 + return -ENOMEM;
72449 +- goto munmap_back;
72450 ++ vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
72451 ++ BUG_ON(vma && vma->vm_start < addr + len);
72452 + }
72453 +
72454 + /* Check against address space limit. */
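Review bot: replacing the munmap_back retry loop with a single re-lookup plus "BUG_ON(vma && vma->vm_start < addr + len);" turns a condition the old code tolerated into a kernel panic. do_munmap removes the whole [addr, addr + len) range under the write lock, so the assertion should hold, but a BUG_ON in the mmap path takes the machine down on a vma-tree inconsistency instead of failing the syscall; a WARN_ON followed by return -ENOMEM would be the safer choice. The verify_mm_writelocked(mm) added just above is what makes the single-pass argument valid, so the two changes belong together in the changelog.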
72455 +@@ -1128,6 +1258,16 @@ munmap_back:
72456 + goto unacct_error;
72457 + }
72458 +
72459 ++#ifdef CONFIG_PAX_SEGMEXEC
72460 ++ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (vm_flags & VM_EXEC)) {
72461 ++ vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
72462 ++ if (!vma_m) {
72463 ++ error = -ENOMEM;
72464 ++ goto free_vma;
72465 ++ }
72466 ++ }
72467 ++#endif
72468 ++
72469 + vma->vm_mm = mm;
72470 + vma->vm_start = addr;
72471 + vma->vm_end = addr + len;
72472 +@@ -1150,6 +1290,27 @@ munmap_back:
72473 + error = file->f_op->mmap(file, vma);
72474 + if (error)
72475 + goto unmap_and_free_vma;
72476 ++
72477 ++#ifdef CONFIG_PAX_SEGMEXEC
72478 ++ if (vma_m) {
72479 ++ struct mempolicy *pol;
72480 ++
72481 ++ pol = mpol_copy(vma_policy(vma));
72482 ++ if (IS_ERR(pol)) {
72483 ++ mpol_free(vma_policy(vma));
72484 ++ goto unmap_and_free_vma;
72485 ++ }
72486 ++ vma_set_policy(vma_m, pol);
72487 ++ }
72488 ++#endif
72489 ++
72490 ++#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
72491 ++ if ((mm->pax_flags & MF_PAX_PAGEEXEC) && !(vma->vm_flags & VM_SPECIAL)) {
72492 ++ vma->vm_flags |= VM_PAGEEXEC;
72493 ++ vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
72494 ++ }
72495 ++#endif
72496 ++
72497 + } else if (vm_flags & VM_SHARED) {
72498 + error = shmem_zero_setup(vma);
72499 + if (error)
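Review bot: the mpol_copy error path frees the vma's own policy ("mpol_free(vma_policy(vma));") before jumping to unmap_and_free_vma, because that label (hunk at line 1389) only frees the two vm_area_structs; that is correct, but putting the mpol_free in the label would keep cleanup uniform for any future path that reaches it with a policy attached. The PAGEEXEC block below recomputes vma->vm_page_prot from vm_flags after f_op->mmap has run; the VM_SPECIAL test excludes remap_pfn_range users, but an f_op->mmap that only changes vm_page_prot (for instance to a non-cached variant) without setting VM_IO would have its choice overwritten here. Confirm no such driver is supported, or preserve the cache bits when reapplying vm_get_page_prot.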
72500 +@@ -1180,6 +1341,12 @@ munmap_back:
72501 + vma->vm_flags, NULL, file, pgoff, vma_policy(vma))) {
72502 + file = vma->vm_file;
72503 + vma_link(mm, vma, prev, rb_link, rb_parent);
72504 ++
72505 ++#ifdef CONFIG_PAX_SEGMEXEC
72506 ++ if (vma_m)
72507 ++ pax_mirror_vma(vma_m, vma);
72508 ++#endif
72509 ++
72510 + if (correct_wcount)
72511 + atomic_inc(&inode->i_writecount);
72512 + } else {
72513 +@@ -1190,10 +1357,20 @@ munmap_back:
72514 + }
72515 + mpol_free(vma_policy(vma));
72516 + kmem_cache_free(vm_area_cachep, vma);
72517 ++ vma = NULL;
72518 ++
72519 ++#ifdef CONFIG_PAX_SEGMEXEC
72520 ++ if (vma_m) {
72521 ++ mpol_free(vma_policy(vma_m));
72522 ++ kmem_cache_free(vm_area_cachep, vma_m);
72523 ++ }
72524 ++#endif
72525 ++
72526 + }
72527 + out:
72528 + mm->total_vm += len >> PAGE_SHIFT;
72529 + vm_stat_account(mm, vm_flags, file, len >> PAGE_SHIFT);
72530 ++ track_exec_limit(mm, addr, addr + len, vm_flags);
72531 + if (vm_flags & VM_LOCKED) {
72532 + mm->locked_vm += len >> PAGE_SHIFT;
72533 + make_pages_present(addr, addr + len);
72534 +@@ -1212,6 +1389,12 @@ unmap_and_free_vma:
72535 + unmap_region(mm, vma, prev, vma->vm_start, vma->vm_end);
72536 + charged = 0;
72537 + free_vma:
72538 ++
72539 ++#ifdef CONFIG_PAX_SEGMEXEC
72540 ++ if (vma_m)
72541 ++ kmem_cache_free(vm_area_cachep, vma_m);
72542 ++#endif
72543 ++
72544 + kmem_cache_free(vm_area_cachep, vma);
72545 + unacct_error:
72546 + if (charged)
72547 +@@ -1245,6 +1428,10 @@ arch_get_unmapped_area(struct file *filp
72548 + if (flags & MAP_FIXED)
72549 + return addr;
72550 +
72551 ++#ifdef CONFIG_PAX_RANDMMAP
72552 ++ if (!(mm->pax_flags & MF_PAX_RANDMMAP))
72553 ++#endif
72554 ++
72555 + if (addr) {
72556 + addr = PAGE_ALIGN(addr);
72557 + vma = find_vma(mm, addr);
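Review bot: with MF_PAX_RANDMMAP set the whole "if (addr) { ... }" block that honours a non-MAP_FIXED hint is skipped, so mmap placement hints are ignored for randomized processes. That is a deliberate, user-visible behaviour (honouring a hint would let a caller place mappings at predictable addresses despite the randomization), but the hunk gives no indication of it; add a comment saying so, and brace the guarded block rather than leaving a bare if above #endif. The same applies to the identical guard in arch_get_unmapped_area_topdown.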
72558 +@@ -1253,10 +1440,10 @@ arch_get_unmapped_area(struct file *filp
72559 + return addr;
72560 + }
72561 + if (len > mm->cached_hole_size) {
72562 +- start_addr = addr = mm->free_area_cache;
72563 ++ start_addr = addr = mm->free_area_cache;
72564 + } else {
72565 +- start_addr = addr = TASK_UNMAPPED_BASE;
72566 +- mm->cached_hole_size = 0;
72567 ++ start_addr = addr = mm->mmap_base;
72568 ++ mm->cached_hole_size = 0;
72569 + }
72570 +
72571 + full_search:
72572 +@@ -1267,9 +1454,8 @@ full_search:
72573 + * Start a new search - just in case we missed
72574 + * some holes.
72575 + */
72576 +- if (start_addr != TASK_UNMAPPED_BASE) {
72577 +- addr = TASK_UNMAPPED_BASE;
72578 +- start_addr = addr;
72579 ++ if (start_addr != mm->mmap_base) {
72580 ++ start_addr = addr = mm->mmap_base;
72581 + mm->cached_hole_size = 0;
72582 + goto full_search;
72583 + }
72584 +@@ -1291,10 +1477,16 @@ full_search:
72585 +
72586 + void arch_unmap_area(struct mm_struct *mm, unsigned long addr)
72587 + {
72588 ++
72589 ++#ifdef CONFIG_PAX_SEGMEXEC
72590 ++ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && SEGMEXEC_TASK_SIZE <= addr)
72591 ++ return;
72592 ++#endif
72593 ++
72594 + /*
72595 + * Is this a new hole at the lowest possible address?
72596 + */
72597 +- if (addr >= TASK_UNMAPPED_BASE && addr < mm->free_area_cache) {
72598 ++ if (addr >= mm->mmap_base && addr < mm->free_area_cache) {
72599 + mm->free_area_cache = addr;
72600 + mm->cached_hole_size = ~0UL;
72601 + }
72602 +@@ -1312,7 +1504,7 @@ arch_get_unmapped_area_topdown(struct fi
72603 + {
72604 + struct vm_area_struct *vma;
72605 + struct mm_struct *mm = current->mm;
72606 +- unsigned long addr = addr0;
72607 ++ unsigned long base = mm->mmap_base, addr = addr0;
72608 +
72609 + /* requested length too big for entire address space */
72610 + if (len > TASK_SIZE)
72611 +@@ -1321,6 +1513,10 @@ arch_get_unmapped_area_topdown(struct fi
72612 + if (flags & MAP_FIXED)
72613 + return addr;
72614 +
72615 ++#ifdef CONFIG_PAX_RANDMMAP
72616 ++ if (!(mm->pax_flags & MF_PAX_RANDMMAP))
72617 ++#endif
72618 ++
72619 + /* requesting a specific address */
72620 + if (addr) {
72621 + addr = PAGE_ALIGN(addr);
72622 +@@ -1378,13 +1574,21 @@ bottomup:
72623 + * can happen with large stack limits and large mmap()
72624 + * allocations.
72625 + */
72626 ++ mm->mmap_base = TASK_UNMAPPED_BASE;
72627 ++
72628 ++#ifdef CONFIG_PAX_RANDMMAP
72629 ++ if (mm->pax_flags & MF_PAX_RANDMMAP)
72630 ++ mm->mmap_base += mm->delta_mmap;
72631 ++#endif
72632 ++
72633 ++ mm->free_area_cache = mm->mmap_base;
72634 + mm->cached_hole_size = ~0UL;
72635 +- mm->free_area_cache = TASK_UNMAPPED_BASE;
72636 + addr = arch_get_unmapped_area(filp, addr0, len, pgoff, flags);
72637 + /*
72638 + * Restore the topdown base:
72639 + */
72640 +- mm->free_area_cache = mm->mmap_base;
72641 ++ mm->mmap_base = base;
72642 ++ mm->free_area_cache = base;
72643 + mm->cached_hole_size = ~0UL;
72644 +
72645 + return addr;
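Review bot: the bottom-up fallback now temporarily overwrites mm->mmap_base (with the RANDMMAP delta applied) and restores it from the base local afterwards. This is only safe because mmap_sem is held for write across the nested arch_get_unmapped_area call, and anything that reads mm->mmap_base during that window (arch_unmap_area, for example) sees the temporary bottom-up value. Add a comment that mmap_base is transiently the bottom-up base here, and rename the base local introduced in the earlier hunk to something like saved_base so its purpose is clear at the restore.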
72646 +@@ -1393,6 +1597,12 @@ bottomup:
72647 +
72648 + void arch_unmap_area_topdown(struct mm_struct *mm, unsigned long addr)
72649 + {
72650 ++
72651 ++#ifdef CONFIG_PAX_SEGMEXEC
72652 ++ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && SEGMEXEC_TASK_SIZE <= addr)
72653 ++ return;
72654 ++#endif
72655 ++
72656 + /*
72657 + * Is this a new hole at the highest possible address?
72658 + */
72659 +@@ -1400,8 +1610,10 @@ void arch_unmap_area_topdown(struct mm_s
72660 + mm->free_area_cache = addr;
72661 +
72662 + /* dont allow allocations above current base */
72663 +- if (mm->free_area_cache > mm->mmap_base)
72664 ++ if (mm->free_area_cache > mm->mmap_base) {
72665 + mm->free_area_cache = mm->mmap_base;
72666 ++ mm->cached_hole_size = ~0UL;
72667 ++ }
72668 + }
72669 +
72670 + unsigned long
72671 +@@ -1501,6 +1713,33 @@ out:
72672 + return prev ? prev->vm_next : vma;
72673 + }
72674 +
72675 ++#ifdef CONFIG_PAX_SEGMEXEC
72676 ++struct vm_area_struct *pax_find_mirror_vma(struct vm_area_struct *vma)
72677 ++{
72678 ++ struct vm_area_struct *vma_m;
72679 ++
72680 ++ BUG_ON(!vma || vma->vm_start >= vma->vm_end);
72681 ++ if (!(vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) || !(vma->vm_flags & VM_EXEC)) {
72682 ++ BUG_ON(vma->vm_mirror);
72683 ++ return NULL;
72684 ++ }
72685 ++ BUG_ON(vma->vm_end - SEGMEXEC_TASK_SIZE - 1 < vma->vm_start - SEGMEXEC_TASK_SIZE - 1);
72686 ++ vma_m = vma->vm_mirror;
72687 ++ BUG_ON(!vma_m || vma_m->vm_mirror != vma);
72688 ++ BUG_ON(vma->vm_file != vma_m->vm_file);
72689 ++ BUG_ON(vma->vm_end - vma->vm_start != vma_m->vm_end - vma_m->vm_start);
72690 ++ BUG_ON(vma->vm_pgoff != vma_m->vm_pgoff || vma->anon_vma != vma_m->anon_vma);
72691 ++
72692 ++#ifdef CONFIG_PAX_MPROTECT
72693 ++ BUG_ON((vma->vm_flags ^ vma_m->vm_flags) & ~(VM_WRITE | VM_MAYWRITE | VM_ACCOUNT | VM_LOCKED | VM_MAYNOTWRITE));
72694 ++#else
72695 ++ BUG_ON((vma->vm_flags ^ vma_m->vm_flags) & ~(VM_WRITE | VM_MAYWRITE | VM_ACCOUNT | VM_LOCKED));
72696 ++#endif
72697 ++
72698 ++ return vma_m;
72699 ++}
72700 ++#endif
72701 ++
72702 + /*
72703 + * Verify that the stack growth is acceptable and
72704 + * update accounting. This is shared with both the
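Review bot: the `BUG_ON(vma->vm_end - SEGMEXEC_TASK_SIZE - 1 < vma->vm_start - SEGMEXEC_TASK_SIZE - 1)` in pax_find_mirror_vma only triggers through unsigned wrap-around, namely when vm_start <= SEGMEXEC_TASK_SIZE < vm_end, i.e. the vma straddles the SEGMEXEC boundary; that intent is not recoverable from the expression, so either write the check in that direct form or put a one-line comment above it. The remaining BUG_ONs (same file, same size, same pgoff, same anon_vma, flags equal modulo the write/account/lock bits) are a useful statement of the mirror invariant and would be the natural place for that comment.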
72705 +@@ -1517,6 +1756,7 @@ static int acct_stack_growth(struct vm_a
72706 + return -ENOMEM;
72707 +
72708 + /* Stack limit test */
72709 ++ gr_learn_resource(current, RLIMIT_STACK, size, 1);
72710 + if (size > rlim[RLIMIT_STACK].rlim_cur)
72711 + return -ENOMEM;
72712 +
72713 +@@ -1526,6 +1766,7 @@ static int acct_stack_growth(struct vm_a
72714 + unsigned long limit;
72715 + locked = mm->locked_vm + grow;
72716 + limit = rlim[RLIMIT_MEMLOCK].rlim_cur >> PAGE_SHIFT;
72717 ++ gr_learn_resource(current, RLIMIT_MEMLOCK, locked << PAGE_SHIFT, 1);
72718 + if (locked > limit && !capable(CAP_IPC_LOCK))
72719 + return -ENOMEM;
72720 + }
72721 +@@ -1540,7 +1781,7 @@ static int acct_stack_growth(struct vm_a
72722 + * Overcommit.. This must be the final test, as it will
72723 + * update security statistics.
72724 + */
72725 +- if (security_vm_enough_memory(grow))
72726 ++ if (security_vm_enough_memory_mm(mm, grow))
72727 + return -ENOMEM;
72728 +
72729 + /* Ok, everything looks good - let it rip */
72730 +@@ -1561,35 +1802,40 @@ static inline
72731 + #endif
72732 + int expand_upwards(struct vm_area_struct *vma, unsigned long address)
72733 + {
72734 +- int error;
72735 ++ int error, locknext;
72736 +
72737 + if (!(vma->vm_flags & VM_GROWSUP))
72738 + return -EFAULT;
72739 +
72740 ++ /* Also guard against wrapping around to address 0. */
72741 ++ if (address < PAGE_ALIGN(address+1))
72742 ++ address = PAGE_ALIGN(address+1);
72743 ++ else
72744 ++ return -ENOMEM;
72745 ++
72746 + /*
72747 + * We must make sure the anon_vma is allocated
72748 + * so that the anon_vma locking is not a noop.
72749 + */
72750 + if (unlikely(anon_vma_prepare(vma)))
72751 + return -ENOMEM;
72752 ++ locknext = vma->vm_next && (vma->vm_next->vm_flags & VM_GROWSDOWN);
72753 ++ if (locknext && unlikely(anon_vma_prepare(vma->vm_next)))
72754 ++ return -ENOMEM;
72755 + anon_vma_lock(vma);
72756 ++ if (locknext)
72757 ++ anon_vma_lock(vma->vm_next);
72758 +
72759 + /*
72760 + * vma->vm_start/vm_end cannot change under us because the caller
72761 + * is required to hold the mmap_sem in read mode. We need the
72762 +- * anon_vma lock to serialize against concurrent expand_stacks.
72763 +- * Also guard against wrapping around to address 0.
72764 ++ * anon_vma locks to serialize against concurrent expand_stacks
72765 ++ * and expand_upwards.
72766 + */
72767 +- if (address < PAGE_ALIGN(address+4))
72768 +- address = PAGE_ALIGN(address+4);
72769 +- else {
72770 +- anon_vma_unlock(vma);
72771 +- return -ENOMEM;
72772 +- }
72773 + error = 0;
72774 +
72775 + /* Somebody else might have raced and expanded it already */
72776 +- if (address > vma->vm_end) {
72777 ++ if (address > vma->vm_end && (!locknext || vma->vm_next->vm_start >= address)) {
72778 + unsigned long size, grow;
72779 +
72780 + size = address - vma->vm_start;
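Review bot: the new locknext path in expand_upwards takes `anon_vma_lock(vma)` and then `anon_vma_lock(vma->vm_next)` with no guard against the two vmas sharing one anon_vma; anon_vma_lock is a spinlock, so a shared anon_vma would self-deadlock. An adjacent VM_GROWSUP/VM_GROWSDOWN pair should never have been merged or given a common anon_vma, but that reasoning is what the correctness rests on and belongs in the comment (or as a `BUG_ON(vma->anon_vma == vma->vm_next->anon_vma)`), since the expand_downwards hunk below depends on the same assumption. The lock order (lower address first) matches expand_downwards, which is the right choice.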
72781 +@@ -1599,6 +1845,8 @@ int expand_upwards(struct vm_area_struct
72782 + if (!error)
72783 + vma->vm_end = address;
72784 + }
72785 ++ if (locknext)
72786 ++ anon_vma_unlock(vma->vm_next);
72787 + anon_vma_unlock(vma);
72788 + return error;
72789 + }
72790 +@@ -1610,7 +1858,8 @@ int expand_upwards(struct vm_area_struct
72791 + static inline int expand_downwards(struct vm_area_struct *vma,
72792 + unsigned long address)
72793 + {
72794 +- int error;
72795 ++ int error, lockprev = 0;
72796 ++ struct vm_area_struct *prev = NULL;
72797 +
72798 + /*
72799 + * We must make sure the anon_vma is allocated
72800 +@@ -1624,6 +1873,15 @@ static inline int expand_downwards(struc
72801 + if (error)
72802 + return error;
72803 +
72804 ++#if defined(CONFIG_STACK_GROWSUP) || defined(CONFIG_IA64)
72805 ++ find_vma_prev(address, &prev);
72806 ++ lockprev = prev && (prev->vm_flags & VM_GROWSUP);
72807 ++#endif
72808 ++ if (lockprev && unlikely(anon_vma_prepare(prev)))
72809 ++ return -ENOMEM;
72810 ++ if (lockprev)
72811 ++ anon_vma_lock(prev);
72812 ++
72813 + anon_vma_lock(vma);
72814 +
72815 + /*
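Review bot: `find_vma_prev(address, &prev);` under `#if defined(CONFIG_STACK_GROWSUP) || defined(CONFIG_IA64)` is missing the mm argument: find_vma_prev() in this kernel takes the mm_struct first, like the find_vma() and find_vma_prepare() calls elsewhere in this file, so the block only avoids a compile error because it is never built on x86. It should read `find_vma_prev(vma->vm_mm, address, &prev);`.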
72816 +@@ -1633,9 +1891,15 @@ static inline int expand_downwards(struc
72817 + */
72818 +
72819 + /* Somebody else might have raced and expanded it already */
72820 +- if (address < vma->vm_start) {
72821 ++ if (address < vma->vm_start && (!lockprev || prev->vm_end <= address)) {
72822 + unsigned long size, grow;
72823 +
72824 ++#ifdef CONFIG_PAX_SEGMEXEC
72825 ++ struct vm_area_struct *vma_m;
72826 ++
72827 ++ vma_m = pax_find_mirror_vma(vma);
72828 ++#endif
72829 ++
72830 + size = vma->vm_end - address;
72831 + grow = (vma->vm_start - address) >> PAGE_SHIFT;
72832 +
72833 +@@ -1643,9 +1907,20 @@ static inline int expand_downwards(struc
72834 + if (!error) {
72835 + vma->vm_start = address;
72836 + vma->vm_pgoff -= grow;
72837 ++ track_exec_limit(vma->vm_mm, vma->vm_start, vma->vm_end, vma->vm_flags);
72838 ++
72839 ++#ifdef CONFIG_PAX_SEGMEXEC
72840 ++ if (vma_m) {
72841 ++ vma_m->vm_start -= grow << PAGE_SHIFT;
72842 ++ vma_m->vm_pgoff -= grow;
72843 ++ }
72844 ++#endif
72845 ++
72846 + }
72847 + }
72848 + anon_vma_unlock(vma);
72849 ++ if (lockprev)
72850 ++ anon_vma_unlock(prev);
72851 + return error;
72852 + }
72853 +
72854 +@@ -1717,6 +1992,13 @@ static void remove_vma_list(struct mm_st
72855 + do {
72856 + long nrpages = vma_pages(vma);
72857 +
72858 ++#ifdef CONFIG_PAX_SEGMEXEC
72859 ++ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_start >= SEGMEXEC_TASK_SIZE)) {
72860 ++ vma = remove_vma(vma);
72861 ++ continue;
72862 ++ }
72863 ++#endif
72864 ++
72865 + mm->total_vm -= nrpages;
72866 + if (vma->vm_flags & VM_LOCKED)
72867 + mm->locked_vm -= nrpages;
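Review bot: the SEGMEXEC skip in remove_vma_list identifies mirrors by `vma->vm_start >= SEGMEXEC_TASK_SIZE` rather than by vm_mirror; that is necessary because detach_vmas_to_be_unmapped (next hunk) has already cleared the vm_mirror links by the time this runs, but a one-line comment saying so would stop the next reader from "fixing" it. Skipping the accounting is consistent with pax_mirror_vma stripping VM_ACCOUNT and VM_LOCKED from mirrors and with total_vm only ever being charged for the original.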
72868 +@@ -1763,6 +2045,16 @@ detach_vmas_to_be_unmapped(struct mm_str
72869 +
72870 + insertion_point = (prev ? &prev->vm_next : &mm->mmap);
72871 + do {
72872 ++
72873 ++#ifdef CONFIG_PAX_SEGMEXEC
72874 ++ if (vma->vm_mirror) {
72875 ++ BUG_ON(!vma->vm_mirror->vm_mirror || vma->vm_mirror->vm_mirror != vma);
72876 ++ vma->vm_mirror->vm_mirror = NULL;
72877 ++ vma->vm_mirror->vm_flags &= ~VM_EXEC;
72878 ++ vma->vm_mirror = NULL;
72879 ++ }
72880 ++#endif
72881 ++
72882 + rb_erase(&vma->vm_rb, &mm->mm_rb);
72883 + mm->map_count--;
72884 + tail_vma = vma;
72885 +@@ -1782,6 +2074,112 @@ detach_vmas_to_be_unmapped(struct mm_str
72886 + * Split a vma into two pieces at address 'addr', a new vma is allocated
72887 + * either for the first part or the tail.
72888 + */
72889 ++
72890 ++#ifdef CONFIG_PAX_SEGMEXEC
72891 ++int split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
72892 ++ unsigned long addr, int new_below)
72893 ++{
72894 ++ struct mempolicy *pol, *pol_m;
72895 ++ struct vm_area_struct *new, *vma_m, *new_m = NULL;
72896 ++ unsigned long addr_m = addr + SEGMEXEC_TASK_SIZE;
72897 ++
72898 ++ if (is_vm_hugetlb_page(vma) && (addr & ~HPAGE_MASK))
72899 ++ return -EINVAL;
72900 ++
72901 ++ vma_m = pax_find_mirror_vma(vma);
72902 ++ if (vma_m) {
72903 ++ BUG_ON(vma->vm_end > SEGMEXEC_TASK_SIZE);
72904 ++ if (mm->map_count >= sysctl_max_map_count-1)
72905 ++ return -ENOMEM;
72906 ++ } else if (mm->map_count >= sysctl_max_map_count)
72907 ++ return -ENOMEM;
72908 ++
72909 ++ new = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
72910 ++ if (!new)
72911 ++ return -ENOMEM;
72912 ++
72913 ++ if (vma_m) {
72914 ++ new_m = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
72915 ++ if (!new_m) {
72916 ++ kmem_cache_free(vm_area_cachep, new);
72917 ++ return -ENOMEM;
72918 ++ }
72919 ++ }
72920 ++
72921 ++ /* most fields are the same, copy all, and then fixup */
72922 ++ *new = *vma;
72923 ++
72924 ++ if (new_below)
72925 ++ new->vm_end = addr;
72926 ++ else {
72927 ++ new->vm_start = addr;
72928 ++ new->vm_pgoff += ((addr - vma->vm_start) >> PAGE_SHIFT);
72929 ++ }
72930 ++
72931 ++ if (vma_m) {
72932 ++ *new_m = *vma_m;
72933 ++ new_m->vm_mirror = new;
72934 ++ new->vm_mirror = new_m;
72935 ++
72936 ++ if (new_below)
72937 ++ new_m->vm_end = addr_m;
72938 ++ else {
72939 ++ new_m->vm_start = addr_m;
72940 ++ new_m->vm_pgoff += ((addr_m - vma_m->vm_start) >> PAGE_SHIFT);
72941 ++ }
72942 ++ }
72943 ++
72944 ++ pol = mpol_copy(vma_policy(vma));
72945 ++ if (IS_ERR(pol)) {
72946 ++ if (new_m)
72947 ++ kmem_cache_free(vm_area_cachep, new_m);
72948 ++ kmem_cache_free(vm_area_cachep, new);
72949 ++ return PTR_ERR(pol);
72950 ++ }
72951 ++
72952 ++ if (vma_m) {
72953 ++ pol_m = mpol_copy(vma_policy(vma_m));
72954 ++ if (IS_ERR(pol_m)) {
72955 ++ mpol_free(pol);
72956 ++ kmem_cache_free(vm_area_cachep, new_m);
72957 ++ kmem_cache_free(vm_area_cachep, new);
72958 ++ return PTR_ERR(pol);
72959 ++ }
72960 ++ }
72961 ++
72962 ++ vma_set_policy(new, pol);
72963 ++
72964 ++ if (new->vm_file)
72965 ++ get_file(new->vm_file);
72966 ++
72967 ++ if (new->vm_ops && new->vm_ops->open)
72968 ++ new->vm_ops->open(new);
72969 ++
72970 ++ if (new_below)
72971 ++ vma_adjust(vma, addr, vma->vm_end, vma->vm_pgoff +
72972 ++ ((addr - new->vm_start) >> PAGE_SHIFT), new);
72973 ++ else
72974 ++ vma_adjust(vma, vma->vm_start, addr, vma->vm_pgoff, new);
72975 ++
72976 ++ if (vma_m) {
72977 ++ vma_set_policy(new_m, pol_m);
72978 ++
72979 ++ if (new_m->vm_file)
72980 ++ get_file(new_m->vm_file);
72981 ++
72982 ++ if (new_m->vm_ops && new_m->vm_ops->open)
72983 ++ new_m->vm_ops->open(new_m);
72984 ++
72985 ++ if (new_below)
72986 ++ vma_adjust(vma_m, addr_m, vma_m->vm_end, vma_m->vm_pgoff +
72987 ++ ((addr_m - new_m->vm_start) >> PAGE_SHIFT), new_m);
72988 ++ else
72989 ++ vma_adjust(vma_m, vma_m->vm_start, addr_m, vma_m->vm_pgoff, new_m);
72990 ++ }
72991 ++
72992 ++ return 0;
72993 ++}
72994 ++#else
72995 + int split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
72996 + unsigned long addr, int new_below)
72997 + {
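Review bot: in the SEGMEXEC split_vma, the `mpol_copy(vma_policy(vma_m))` failure path calls `mpol_free(pol)` and then `return PTR_ERR(pol);`: `pol` is a valid (and now freed) pointer rather than an error value, so the caller receives garbage instead of an errno; it should be `return PTR_ERR(pol_m);`. Separately, duplicating the whole of split_vma under #ifdef instead of adding the mirror handling to the existing function means every future fix to the generic version has to be applied twice.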
72998 +@@ -1829,17 +2227,37 @@ int split_vma(struct mm_struct * mm, str
72999 +
73000 + return 0;
73001 + }
73002 ++#endif
73003 +
73004 + /* Munmap is split into 2 main parts -- this part which finds
73005 + * what needs doing, and the areas themselves, which do the
73006 + * work. This now handles partial unmappings.
73007 + * Jeremy Fitzhardinge <jeremy@××××.org>
73008 + */
73009 ++#ifdef CONFIG_PAX_SEGMEXEC
73010 ++int do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
73011 ++{
73012 ++ int ret = __do_munmap(mm, start, len);
73013 ++ if (ret || !(mm->pax_flags & MF_PAX_SEGMEXEC))
73014 ++ return ret;
73015 ++
73016 ++ return __do_munmap(mm, start + SEGMEXEC_TASK_SIZE, len);
73017 ++}
73018 ++
73019 ++int __do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
73020 ++#else
73021 + int do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
73022 ++#endif
73023 + {
73024 + unsigned long end;
73025 + struct vm_area_struct *vma, *prev, *last;
73026 +
73027 ++ /*
73028 ++ * mm->mmap_sem is required to protect against another thread
73029 ++ * changing the mappings in case we sleep.
73030 ++ */
73031 ++ verify_mm_writelocked(mm);
73032 ++
73033 + if ((start & ~PAGE_MASK) || start > TASK_SIZE || len > TASK_SIZE-start)
73034 + return -EINVAL;
73035 +
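Review bot: the `verify_mm_writelocked(mm);` call added at the top of __do_munmap/do_munmap uses a function whose definition is deleted from its old place after sys_munmap in a later hunk of this file; its new definition is not in these hunks, so check that it was moved above this use rather than dropped. In the SEGMEXEC wrapper, the second `__do_munmap(mm, start + SEGMEXEC_TASK_SIZE, len)` can still fail with -ENOMEM when a partial unmap has to split a mirror, at which point the lower half is already gone and a mirror without an original is left behind; at minimum that return value deserves a WARN_ON so the condition is visible.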
73036 +@@ -1889,6 +2307,8 @@ int do_munmap(struct mm_struct *mm, unsi
73037 + /* Fix up all other VM information */
73038 + remove_vma_list(mm, vma);
73039 +
73040 ++ track_exec_limit(mm, start, end, 0UL);
73041 ++
73042 + return 0;
73043 + }
73044 +
73045 +@@ -1901,22 +2321,18 @@ asmlinkage long sys_munmap(unsigned long
73046 +
73047 + profile_munmap(addr);
73048 +
73049 ++#ifdef CONFIG_PAX_SEGMEXEC
73050 ++ if ((mm->pax_flags & MF_PAX_SEGMEXEC) &&
73051 ++ (len > SEGMEXEC_TASK_SIZE || addr > SEGMEXEC_TASK_SIZE-len))
73052 ++ return -EINVAL;
73053 ++#endif
73054 ++
73055 + down_write(&mm->mmap_sem);
73056 + ret = do_munmap(mm, addr, len);
73057 + up_write(&mm->mmap_sem);
73058 + return ret;
73059 + }
73060 +
73061 +-static inline void verify_mm_writelocked(struct mm_struct *mm)
73062 +-{
73063 +-#ifdef CONFIG_DEBUG_VM
73064 +- if (unlikely(down_read_trylock(&mm->mmap_sem))) {
73065 +- WARN_ON(1);
73066 +- up_read(&mm->mmap_sem);
73067 +- }
73068 +-#endif
73069 +-}
73070 +-
73071 + /*
73072 + * this is really a simplified "do_mmap". it only handles
73073 + * anonymous maps. eventually we may be able to do some
73074 +@@ -1930,6 +2346,11 @@ unsigned long do_brk(unsigned long addr,
73075 + struct rb_node ** rb_link, * rb_parent;
73076 + pgoff_t pgoff = addr >> PAGE_SHIFT;
73077 + int error;
73078 ++ unsigned long charged;
73079 ++
73080 ++#ifdef CONFIG_PAX_SEGMEXEC
73081 ++ struct vm_area_struct *vma_m = NULL;
73082 ++#endif
73083 +
73084 + len = PAGE_ALIGN(len);
73085 + if (!len)
73086 +@@ -1947,19 +2368,34 @@ unsigned long do_brk(unsigned long addr,
73087 +
73088 + flags = VM_DATA_DEFAULT_FLAGS | VM_ACCOUNT | mm->def_flags;
73089 +
73090 ++#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
73091 ++ if (mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
73092 ++ flags &= ~VM_EXEC;
73093 ++
73094 ++#ifdef CONFIG_PAX_MPROTECT
73095 ++ if (mm->pax_flags & MF_PAX_MPROTECT)
73096 ++ flags &= ~VM_MAYEXEC;
73097 ++#endif
73098 ++
73099 ++ }
73100 ++#endif
73101 ++
73102 + error = arch_mmap_check(addr, len, flags);
73103 + if (error)
73104 + return error;
73105 +
73106 ++ charged = len >> PAGE_SHIFT;
73107 ++
73108 + /*
73109 + * mlock MCL_FUTURE?
73110 + */
73111 + if (mm->def_flags & VM_LOCKED) {
73112 + unsigned long locked, lock_limit;
73113 +- locked = len >> PAGE_SHIFT;
73114 ++ locked = charged;
73115 + locked += mm->locked_vm;
73116 + lock_limit = current->signal->rlim[RLIMIT_MEMLOCK].rlim_cur;
73117 + lock_limit >>= PAGE_SHIFT;
73118 ++ gr_learn_resource(current, RLIMIT_MEMLOCK, locked << PAGE_SHIFT, 1);
73119 + if (locked > lock_limit && !capable(CAP_IPC_LOCK))
73120 + return -EAGAIN;
73121 + }
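Review bot: clearing VM_EXEC (and, with MF_PAX_MPROTECT, VM_MAYEXEC) from `flags` is the security-relevant change in this hunk: brk-allocated heap memory is never executable in a PAGEEXEC/SEGMEXEC process, and with MPROTECT a later mprotect(PROT_EXEC) on it is refused rather than honoured. That deserves a comment at the site, since the `flags &= ~VM_EXEC` line alone reads like an accident; it also makes the `(flags & VM_EXEC)` mirror allocation later in do_brk unreachable.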
73122 +@@ -1973,22 +2409,22 @@ unsigned long do_brk(unsigned long addr,
73123 + /*
73124 + * Clear old maps. this also does some error checking for us
73125 + */
73126 +- munmap_back:
73127 + vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
73128 + if (vma && vma->vm_start < addr + len) {
73129 + if (do_munmap(mm, addr, len))
73130 + return -ENOMEM;
73131 +- goto munmap_back;
73132 ++ vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
73133 ++ BUG_ON(vma && vma->vm_start < addr + len);
73134 + }
73135 +
73136 + /* Check against address space limits *after* clearing old maps... */
73137 +- if (!may_expand_vm(mm, len >> PAGE_SHIFT))
73138 ++ if (!may_expand_vm(mm, charged))
73139 + return -ENOMEM;
73140 +
73141 + if (mm->map_count > sysctl_max_map_count)
73142 + return -ENOMEM;
73143 +
73144 +- if (security_vm_enough_memory(len >> PAGE_SHIFT))
73145 ++ if (security_vm_enough_memory(charged))
73146 + return -ENOMEM;
73147 +
73148 + /* Can we just expand an old private anonymous mapping? */
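Review bot: replacing the `goto munmap_back` retry with one retry plus `BUG_ON(vma && vma->vm_start < addr + len)` turns a previously tolerated condition into a kernel panic reachable from the brk() system call; unless it is provably impossible for do_munmap to return 0 while a vma still intersects the range, fail with -ENOMEM here instead of a BUG_ON. The `charged` local is a good cleanup since the same `len >> PAGE_SHIFT` was computed four times.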
73149 +@@ -2001,10 +2437,21 @@ unsigned long do_brk(unsigned long addr,
73150 + */
73151 + vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
73152 + if (!vma) {
73153 +- vm_unacct_memory(len >> PAGE_SHIFT);
73154 ++ vm_unacct_memory(charged);
73155 + return -ENOMEM;
73156 + }
73157 +
73158 ++#ifdef CONFIG_PAX_SEGMEXEC
73159 ++ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (flags & VM_EXEC)) {
73160 ++ vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
73161 ++ if (!vma_m) {
73162 ++ kmem_cache_free(vm_area_cachep, vma);
73163 ++ vm_unacct_memory(charged);
73164 ++ return -ENOMEM;
73165 ++ }
73166 ++ }
73167 ++#endif
73168 ++
73169 + vma->vm_mm = mm;
73170 + vma->vm_start = addr;
73171 + vma->vm_end = addr + len;
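Review bot: the SEGMEXEC mirror allocation `if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (flags & VM_EXEC))` in do_brk is dead code: the earlier hunk clears VM_EXEC from `flags` whenever MF_PAX_SEGMEXEC (or MF_PAX_PAGEEXEC) is set, so the two conditions cannot hold at once. Either drop it together with the matching pax_mirror_vma call in the next hunk, or comment that it is kept only for symmetry with insert_vm_struct.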
73172 +@@ -2012,12 +2459,19 @@ unsigned long do_brk(unsigned long addr,
73173 + vma->vm_flags = flags;
73174 + vma->vm_page_prot = vm_get_page_prot(flags);
73175 + vma_link(mm, vma, prev, rb_link, rb_parent);
73176 ++
73177 ++#ifdef CONFIG_PAX_SEGMEXEC
73178 ++ if (vma_m)
73179 ++ pax_mirror_vma(vma_m, vma);
73180 ++#endif
73181 ++
73182 + out:
73183 +- mm->total_vm += len >> PAGE_SHIFT;
73184 ++ mm->total_vm += charged;
73185 + if (flags & VM_LOCKED) {
73186 +- mm->locked_vm += len >> PAGE_SHIFT;
73187 ++ mm->locked_vm += charged;
73188 + make_pages_present(addr, addr + len);
73189 + }
73190 ++ track_exec_limit(mm, addr, addr + len, flags);
73191 + return addr;
73192 + }
73193 +
73194 +@@ -2048,8 +2502,10 @@ void exit_mmap(struct mm_struct *mm)
73195 + * Walk the list again, actually closing and freeing it,
73196 + * with preemption enabled, without holding any MM locks.
73197 + */
73198 +- while (vma)
73199 ++ while (vma) {
73200 ++ vma->vm_mirror = NULL;
73201 + vma = remove_vma(vma);
73202 ++ }
73203 +
73204 + BUG_ON(mm->nr_ptes > (FIRST_USER_ADDRESS+PMD_SIZE-1)>>PMD_SHIFT);
73205 + }
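Review bot: `vma->vm_mirror = NULL;` in exit_mmap (and `BUG_ON(vma->vm_mirror);` in copy_vma further down) touch vm_mirror outside any #ifdef CONFIG_PAX_SEGMEXEC, while every other access in this file is guarded; this only compiles if struct vm_area_struct carries vm_mirror unconditionally, so either confirm that in the header hunk or wrap both sites like the rest.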
73206 +@@ -2063,6 +2519,10 @@ int insert_vm_struct(struct mm_struct *
73207 + struct vm_area_struct * __vma, * prev;
73208 + struct rb_node ** rb_link, * rb_parent;
73209 +
73210 ++#ifdef CONFIG_PAX_SEGMEXEC
73211 ++ struct vm_area_struct *vma_m = NULL;
73212 ++#endif
73213 ++
73214 + /*
73215 + * The vm_pgoff of a purely anonymous vma should be irrelevant
73216 + * until its first write fault, when page's anon_vma and index
73217 +@@ -2085,7 +2545,22 @@ int insert_vm_struct(struct mm_struct *
73218 + if ((vma->vm_flags & VM_ACCOUNT) &&
73219 + security_vm_enough_memory_mm(mm, vma_pages(vma)))
73220 + return -ENOMEM;
73221 ++
73222 ++#ifdef CONFIG_PAX_SEGMEXEC
73223 ++ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_flags & VM_EXEC)) {
73224 ++ vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
73225 ++ if (!vma_m)
73226 ++ return -ENOMEM;
73227 ++ }
73228 ++#endif
73229 ++
73230 + vma_link(mm, vma, prev, rb_link, rb_parent);
73231 ++
73232 ++#ifdef CONFIG_PAX_SEGMEXEC
73233 ++ if (vma_m)
73234 ++ pax_mirror_vma(vma_m, vma);
73235 ++#endif
73236 ++
73237 + return 0;
73238 + }
73239 +
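Review bot: the new vma_m allocation failure in insert_vm_struct returns -ENOMEM after `security_vm_enough_memory_mm(mm, vma_pages(vma))` has already charged the pages of a VM_ACCOUNT vma, so the commit charge leaks; compare do_brk in this patch, which calls `vm_unacct_memory(charged)` on the same failure. Either allocate vma_m before the accounting check or add the vm_unacct_memory() on this path.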
73240 +@@ -2103,6 +2578,8 @@ struct vm_area_struct *copy_vma(struct v
73241 + struct rb_node **rb_link, *rb_parent;
73242 + struct mempolicy *pol;
73243 +
73244 ++ BUG_ON(vma->vm_mirror);
73245 ++
73246 + /*
73247 + * If anonymous vma has not yet been faulted, update new pgoff
73248 + * to match new location, to increase its chance of merging.
73249 +@@ -2143,6 +2620,34 @@ struct vm_area_struct *copy_vma(struct v
73250 + return new_vma;
73251 + }
73252 +
73253 ++#ifdef CONFIG_PAX_SEGMEXEC
73254 ++void pax_mirror_vma(struct vm_area_struct *vma_m, struct vm_area_struct *vma)
73255 ++{
73256 ++ struct vm_area_struct *prev_m;
73257 ++ struct rb_node **rb_link_m, *rb_parent_m;
73258 ++ struct mempolicy *pol_m;
73259 ++
73260 ++ BUG_ON(!(vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) || !(vma->vm_flags & VM_EXEC));
73261 ++ BUG_ON(vma->vm_mirror || vma_m->vm_mirror);
73262 ++ BUG_ON(!vma_mpol_equal(vma, vma_m));
73263 ++ pol_m = vma_policy(vma_m);
73264 ++ *vma_m = *vma;
73265 ++ vma_set_policy(vma_m, pol_m);
73266 ++ vma_m->vm_start += SEGMEXEC_TASK_SIZE;
73267 ++ vma_m->vm_end += SEGMEXEC_TASK_SIZE;
73268 ++ vma_m->vm_flags &= ~(VM_WRITE | VM_MAYWRITE | VM_ACCOUNT | VM_LOCKED);
73269 ++ vma_m->vm_page_prot = vm_get_page_prot(vma_m->vm_flags);
73270 ++ if (vma_m->vm_file)
73271 ++ get_file(vma_m->vm_file);
73272 ++ if (vma_m->vm_ops && vma_m->vm_ops->open)
73273 ++ vma_m->vm_ops->open(vma_m);
73274 ++ find_vma_prepare(vma->vm_mm, vma_m->vm_start, &prev_m, &rb_link_m, &rb_parent_m);
73275 ++ vma_link(vma->vm_mm, vma_m, prev_m, rb_link_m, rb_parent_m);
73276 ++ vma_m->vm_mirror = vma;
73277 ++ vma->vm_mirror = vma_m;
73278 ++}
73279 ++#endif
73280 ++
73281 + /*
73282 + * Return true if the calling process may expand its vm space by the passed
73283 + * number of pages
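Review bot: `BUG_ON(!vma_mpol_equal(vma, vma_m));` makes it a precondition that the caller has already given vma_m the same mempolicy as vma; mprotect_fixup does so with mpol_copy, but do_brk and insert_vm_struct pass a kmem_cache_zalloc'd vma_m with a NULL policy, which is only equal when the original has no policy either. That happens to hold for brk and the special mappings, but it is stated nowhere; a comment above pax_mirror_vma should spell it out. It is also worth noting in the same comment that `*vma_m = *vma` deliberately shares anon_vma and vm_file with the original, which is what the matching BUG_ONs in pax_find_mirror_vma assert.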
73284 +@@ -2153,7 +2658,7 @@ int may_expand_vm(struct mm_struct *mm,
73285 + unsigned long lim;
73286 +
73287 + lim = current->signal->rlim[RLIMIT_AS].rlim_cur >> PAGE_SHIFT;
73288 +-
73289 ++ gr_learn_resource(current, RLIMIT_AS, (cur + npages) << PAGE_SHIFT, 1);
73290 + if (cur + npages > lim)
73291 + return 0;
73292 + return 1;
73293 +@@ -2165,7 +2670,7 @@ static struct page *special_mapping_nopa
73294 + {
73295 + struct page **pages;
73296 +
73297 +- BUG_ON(address < vma->vm_start || address >= vma->vm_end);
73298 ++ BUG_ON(address < vma->vm_start || address >= vma->vm_end || (address & ~PAGE_MASK));
73299 +
73300 + address -= vma->vm_start;
73301 + for (pages = vma->vm_private_data; address > 0 && *pages; ++pages)
73302 +@@ -2215,6 +2720,15 @@ int install_special_mapping(struct mm_st
73303 + vma->vm_start = addr;
73304 + vma->vm_end = addr + len;
73305 +
73306 ++#ifdef CONFIG_PAX_MPROTECT
73307 ++ if (mm->pax_flags & MF_PAX_MPROTECT) {
73308 ++ if ((vm_flags & (VM_WRITE | VM_EXEC)) != VM_EXEC)
73309 ++ vm_flags &= ~(VM_EXEC | VM_MAYEXEC);
73310 ++ else
73311 ++ vm_flags &= ~(VM_WRITE | VM_MAYWRITE);
73312 ++ }
73313 ++#endif
73314 ++
73315 + vma->vm_flags = vm_flags | mm->def_flags | VM_DONTEXPAND;
73316 + vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
73317 +
73318 +diff -urNp linux-2.6.24.5/mm/mprotect.c linux-2.6.24.5/mm/mprotect.c
73319 +--- linux-2.6.24.5/mm/mprotect.c 2008-03-24 14:49:18.000000000 -0400
73320 ++++ linux-2.6.24.5/mm/mprotect.c 2008-03-26 20:21:09.000000000 -0400
73321 +@@ -21,10 +21,17 @@
73322 + #include <linux/syscalls.h>
73323 + #include <linux/swap.h>
73324 + #include <linux/swapops.h>
73325 ++#include <linux/grsecurity.h>
73326 ++
73327 ++#ifdef CONFIG_PAX_MPROTECT
73328 ++#include <linux/elf.h>
73329 ++#endif
73330 ++
73331 + #include <asm/uaccess.h>
73332 + #include <asm/pgtable.h>
73333 + #include <asm/cacheflush.h>
73334 + #include <asm/tlbflush.h>
73335 ++#include <asm/mmu_context.h>
73336 +
73337 + static void change_pte_range(struct mm_struct *mm, pmd_t *pmd,
73338 + unsigned long addr, unsigned long end, pgprot_t newprot,
73339 +@@ -127,6 +134,48 @@ static void change_protection(struct vm_
73340 + flush_tlb_range(vma, start, end);
73341 + }
73342 +
73343 ++#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
73344 ++/* called while holding the mmap semaphor for writing except stack expansion */
73345 ++void track_exec_limit(struct mm_struct *mm, unsigned long start, unsigned long end, unsigned long prot)
73346 ++{
73347 ++ unsigned long oldlimit, newlimit = 0UL;
73348 ++
73349 ++ if (!(mm->pax_flags & MF_PAX_PAGEEXEC) || nx_enabled)
73350 ++ return;
73351 ++
73352 ++ spin_lock(&mm->page_table_lock);
73353 ++ oldlimit = mm->context.user_cs_limit;
73354 ++ if ((prot & VM_EXEC) && oldlimit < end)
73355 ++ /* USER_CS limit moved up */
73356 ++ newlimit = end;
73357 ++ else if (!(prot & VM_EXEC) && start < oldlimit && oldlimit <= end)
73358 ++ /* USER_CS limit moved down */
73359 ++ newlimit = start;
73360 ++
73361 ++ if (newlimit) {
73362 ++ mm->context.user_cs_limit = newlimit;
73363 ++
73364 ++#ifdef CONFIG_SMP
73365 ++ wmb();
73366 ++ cpus_clear(mm->context.cpu_user_cs_mask);
73367 ++ cpu_set(smp_processor_id(), mm->context.cpu_user_cs_mask);
73368 ++#endif
73369 ++
73370 ++ set_user_cs(mm->context.user_cs_base, mm->context.user_cs_limit, smp_processor_id());
73371 ++ }
73372 ++ spin_unlock(&mm->page_table_lock);
73373 ++ if (newlimit == end) {
73374 ++ struct vm_area_struct *vma = find_vma(mm, oldlimit);
73375 ++
73376 ++ for (; vma && vma->vm_start < end; vma = vma->vm_next)
73377 ++ if (is_vm_hugetlb_page(vma))
73378 ++ hugetlb_change_protection(vma, vma->vm_start, vma->vm_end, vma->vm_page_prot);
73379 ++ else
73380 ++ change_protection(vma, vma->vm_start, vma->vm_end, vma->vm_page_prot, vma_wants_writenotify(vma));
73381 ++ }
73382 ++}
73383 ++#endif
73384 ++
73385 + int
73386 + mprotect_fixup(struct vm_area_struct *vma, struct vm_area_struct **pprev,
73387 + unsigned long start, unsigned long end, unsigned long newflags)
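Review bot: the comment above track_exec_limit has a typo ("semaphor" should be "semaphore") and should state the consequence of its own caveat: the find_vma()/change_protection() loop after spin_unlock walks the vma list with mmap_sem as its only protection, and the "except stack expansion" caller (expand_downwards) arrives holding an anon_vma spinlock, so nothing in that loop may sleep. `nx_enabled` is an arch-specific symbol, so the CONFIG_ARCH_TRACK_EXEC_LIMIT guard must only ever be selected where it exists; say so in the comment.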
73388 +@@ -139,11 +188,41 @@ mprotect_fixup(struct vm_area_struct *vm
73389 + int error;
73390 + int dirty_accountable = 0;
73391 +
73392 ++#ifdef CONFIG_PAX_SEGMEXEC
73393 ++ struct vm_area_struct *vma_m = NULL;
73394 ++ unsigned long start_m, end_m;
73395 ++
73396 ++ start_m = start + SEGMEXEC_TASK_SIZE;
73397 ++ end_m = end + SEGMEXEC_TASK_SIZE;
73398 ++#endif
73399 ++
73400 + if (newflags == oldflags) {
73401 + *pprev = vma;
73402 + return 0;
73403 + }
73404 +
73405 ++#ifdef CONFIG_PAX_SEGMEXEC
73406 ++ if (pax_find_mirror_vma(vma) && !(newflags & VM_EXEC)) {
73407 ++ if (start != vma->vm_start) {
73408 ++ error = split_vma(mm, vma, start, 1);
73409 ++ if (error)
73410 ++ return -ENOMEM;
73411 ++ BUG_ON(!*pprev || (*pprev)->vm_next == vma);
73412 ++ *pprev = (*pprev)->vm_next;
73413 ++ }
73414 ++
73415 ++ if (end != vma->vm_end) {
73416 ++ error = split_vma(mm, vma, end, 0);
73417 ++ if (error)
73418 ++ return -ENOMEM;
73419 ++ }
73420 ++
73421 ++ error = __do_munmap(mm, start_m, end_m - start_m);
73422 ++ if (error)
73423 ++ return -ENOMEM;
73424 ++ }
73425 ++#endif
73426 ++
73427 + /*
73428 + * If we make a private mapping writable we increase our commit;
73429 + * but (without finer accounting) cannot reduce our commit if we
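Review bot: the SEGMEXEC block in mprotect_fixup tears the mirror down with `__do_munmap(mm, start_m, end_m - start_m)` before the function has committed to the protection change; if a later step fails (`goto fail` on the accounting check), the original vma has already lost its mirror and, via detach_vmas_to_be_unmapped, its VM_EXEC bit, while its PTEs and vm_stat accounting still reflect the old flags. Either move the mirror unmap past the point of no return or restore it on the failure path. Also, both split_vma failures and the __do_munmap failure are reported as -ENOMEM regardless of the actual error; returning `error` is simpler and more accurate.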
73430 +@@ -186,6 +265,25 @@ mprotect_fixup(struct vm_area_struct *vm
73431 + goto fail;
73432 + }
73433 +
73434 ++#ifdef CONFIG_PAX_SEGMEXEC
73435 ++ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && !(oldflags & VM_EXEC) && (newflags & VM_EXEC)) {
73436 ++ struct mempolicy *pol;
73437 ++
73438 ++ vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
73439 ++ if (!vma_m) {
73440 ++ error = -ENOMEM;
73441 ++ goto fail;
73442 ++ }
73443 ++ pol = mpol_copy(vma_policy(vma));
73444 ++ if (IS_ERR(pol)) {
73445 ++ kmem_cache_free(vm_area_cachep, vma_m);
73446 ++ error = -ENOMEM;
73447 ++ goto fail;
73448 ++ }
73449 ++ vma_set_policy(vma_m, pol);
73450 ++ }
73451 ++#endif
73452 ++
73453 + success:
73454 + /*
73455 + * vm_flags and vm_page_prot are protected by the mmap_sem
73456 +@@ -202,6 +300,12 @@ success:
73457 + hugetlb_change_protection(vma, start, end, vma->vm_page_prot);
73458 + else
73459 + change_protection(vma, start, end, vma->vm_page_prot, dirty_accountable);
73460 ++
73461 ++#ifdef CONFIG_PAX_SEGMEXEC
73462 ++ if (vma_m)
73463 ++ pax_mirror_vma(vma_m, vma);
73464 ++#endif
73465 ++
73466 + vm_stat_account(mm, oldflags, vma->vm_file, -nrpages);
73467 + vm_stat_account(mm, newflags, vma->vm_file, nrpages);
73468 + return 0;
73469 +@@ -211,6 +315,70 @@ fail:
73470 + return error;
73471 + }
73472 +
73473 ++#ifdef CONFIG_PAX_MPROTECT
73474 ++/* PaX: non-PIC ELF libraries need relocations on their executable segments
73475 ++ * therefore we'll grant them VM_MAYWRITE once during their life.
73476 ++ *
73477 ++ * The checks favour ld-linux.so behaviour which operates on a per ELF segment
73478 ++ * basis because we want to allow the common case and not the special ones.
73479 ++ */
73480 ++static inline void pax_handle_maywrite(struct vm_area_struct *vma, unsigned long start)
73481 ++{
73482 ++ struct elfhdr elf_h;
73483 ++ struct elf_phdr elf_p;
73484 ++ elf_addr_t dyn_offset = 0UL;
73485 ++ elf_dyn dyn;
73486 ++ unsigned long i, j = 65536UL / sizeof(struct elf_phdr);
73487 ++
73488 ++#ifndef CONFIG_PAX_NOELFRELOCS
73489 ++ if ((vma->vm_start != start) ||
73490 ++ !vma->vm_file ||
73491 ++ !(vma->vm_flags & VM_MAYEXEC) ||
73492 ++ (vma->vm_flags & VM_MAYNOTWRITE))
73493 ++#endif
73494 ++
73495 ++ return;
73496 ++
73497 ++ if (sizeof(elf_h) != kernel_read(vma->vm_file, 0UL, (char *)&elf_h, sizeof(elf_h)) ||
73498 ++ memcmp(elf_h.e_ident, ELFMAG, SELFMAG) ||
73499 ++
73500 ++#ifdef CONFIG_PAX_ETEXECRELOCS
73501 ++ (elf_h.e_type != ET_DYN && elf_h.e_type != ET_EXEC) ||
73502 ++#else
73503 ++ elf_h.e_type != ET_DYN ||
73504 ++#endif
73505 ++
73506 ++ !elf_check_arch(&elf_h) ||
73507 ++ elf_h.e_phentsize != sizeof(struct elf_phdr) ||
73508 ++ elf_h.e_phnum > j)
73509 ++ return;
73510 ++
73511 ++ for (i = 0UL; i < elf_h.e_phnum; i++) {
73512 ++ if (sizeof(elf_p) != kernel_read(vma->vm_file, elf_h.e_phoff + i*sizeof(elf_p), (char *)&elf_p, sizeof(elf_p)))
73513 ++ return;
73514 ++ if (elf_p.p_type == PT_DYNAMIC) {
73515 ++ dyn_offset = elf_p.p_offset;
73516 ++ j = i;
73517 ++ }
73518 ++ }
73519 ++ if (elf_h.e_phnum <= j)
73520 ++ return;
73521 ++
73522 ++ i = 0UL;
73523 ++ do {
73524 ++ if (sizeof(dyn) != kernel_read(vma->vm_file, dyn_offset + i*sizeof(dyn), (char *)&dyn, sizeof(dyn)))
73525 ++ return;
73526 ++ if (dyn.d_tag == DT_TEXTREL || (dyn.d_tag == DT_FLAGS && (dyn.d_un.d_val & DF_TEXTREL))) {
73527 ++ gr_log_textrel(vma);
73528 ++ vma->vm_flags |= VM_MAYWRITE | VM_MAYNOTWRITE;
73529 ++ return;
73530 ++ }
73531 ++ i++;
73532 ++ } while (dyn.d_tag != DT_NULL);
73533 ++ return;
73534 ++}
73535 ++#endif
73536 ++
73537 + asmlinkage long
73538 + sys_mprotect(unsigned long start, size_t len, unsigned long prot)
73539 + {
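Review bot: in pax_handle_maywrite the variable `j` is first the upper bound on e_phnum (65536 / sizeof(struct elf_phdr)) and then reused as the index of the PT_DYNAMIC header, with `if (elf_h.e_phnum <= j) return;` relying on the earlier `e_phnum > j` rejection to mean "not found"; a separate index variable would make this readable. The `#ifndef CONFIG_PAX_NOELFRELOCS ... #endif` wrapping only the if-condition, with the `return;` outside it, turns the whole function into an unconditional return when that option is set; presumably intended, but it should be said in the comment. On the positive side, every kernel_read() short read or header mismatch falls through to "no grant", which is the safe direction.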
73540 +@@ -230,6 +398,17 @@ sys_mprotect(unsigned long start, size_t
73541 + end = start + len;
73542 + if (end <= start)
73543 + return -ENOMEM;
73544 ++
73545 ++#ifdef CONFIG_PAX_SEGMEXEC
73546 ++ if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
73547 ++ if (end > SEGMEXEC_TASK_SIZE)
73548 ++ return -EINVAL;
73549 ++ } else
73550 ++#endif
73551 ++
73552 ++ if (end > TASK_SIZE)
73553 ++ return -EINVAL;
73554 ++
73555 + if (prot & ~(PROT_READ | PROT_WRITE | PROT_EXEC | PROT_SEM))
73556 + return -EINVAL;
73557 +
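Review bot: the `} else` followed by `#endif`, a blank line and `if (end > TASK_SIZE)` is a dangling else across a preprocessor boundary: it compiles, but any statement later inserted between them silently changes which branch the TASK_SIZE check belongs to. do_mremap in this same patch handles the identical case with a `pax_task_size` local; use the same form here.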
73558 +@@ -237,7 +416,7 @@ sys_mprotect(unsigned long start, size_t
73559 + /*
73560 + * Does the application expect PROT_READ to imply PROT_EXEC:
73561 + */
73562 +- if ((prot & PROT_READ) && (current->personality & READ_IMPLIES_EXEC))
73563 ++ if ((prot & (PROT_READ | PROT_WRITE)) && (current->personality & READ_IMPLIES_EXEC))
73564 + prot |= PROT_EXEC;
73565 +
73566 + vm_flags = calc_vm_prot_bits(prot);
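Review bot: widening the READ_IMPLIES_EXEC test to `(prot & (PROT_READ | PROT_WRITE))` means a write-only mprotect() in a READ_IMPLIES_EXEC process now also gains PROT_EXEC; presumably this matches how such mappings are created at mmap time, but because it enlarges the set of executable pages rather than shrinking it, the rationale belongs in the comment directly above.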
73567 +@@ -269,6 +448,16 @@ sys_mprotect(unsigned long start, size_t
73568 + if (start > vma->vm_start)
73569 + prev = vma;
73570 +
73571 ++ if (!gr_acl_handle_mprotect(vma->vm_file, prot)) {
73572 ++ error = -EACCES;
73573 ++ goto out;
73574 ++ }
73575 ++
73576 ++#ifdef CONFIG_PAX_MPROTECT
73577 ++ if ((vma->vm_mm->pax_flags & MF_PAX_MPROTECT) && (prot & PROT_WRITE))
73578 ++ pax_handle_maywrite(vma, start);
73579 ++#endif
73580 ++
73581 + for (nstart = start ; ; ) {
73582 + unsigned long newflags;
73583 +
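Review bot: `gr_acl_handle_mprotect(vma->vm_file, prot)` and pax_handle_maywrite are evaluated once on the first vma only, before the `for (nstart = start ; ; )` loop that walks every vma in [start, end); a range spanning several file-backed vmas is therefore only policy-checked against the first file. If that is deliberate (the RBAC decision is per request, not per vma), say so in a comment; otherwise the check belongs inside the loop next to security_file_mprotect().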
73584 +@@ -282,6 +471,12 @@ sys_mprotect(unsigned long start, size_t
73585 + goto out;
73586 + }
73587 +
73588 ++#ifdef CONFIG_PAX_MPROTECT
73589 ++ /* PaX: disallow write access after relocs are done, hopefully noone else needs it... */
73590 ++ if ((vma->vm_mm->pax_flags & MF_PAX_MPROTECT) && !(prot & PROT_WRITE) && (vma->vm_flags & VM_MAYNOTWRITE))
73591 ++ newflags &= ~VM_MAYWRITE;
73592 ++#endif
73593 ++
73594 + error = security_file_mprotect(vma, reqprot, prot);
73595 + if (error)
73596 + goto out;
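Review bot: comment typo, "noone" should be "no one". The one-shot design is correct but implicit: VM_MAYNOTWRITE stays set after VM_MAYWRITE is dropped, and that is what makes the `(vma->vm_flags & VM_MAYNOTWRITE)` test in pax_handle_maywrite refuse a second grant; one sentence here tying the two hunks together would help.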
73597 +@@ -292,6 +487,9 @@ sys_mprotect(unsigned long start, size_t
73598 + error = mprotect_fixup(vma, &prev, nstart, tmp, newflags);
73599 + if (error)
73600 + goto out;
73601 ++
73602 ++ track_exec_limit(current->mm, nstart, tmp, vm_flags);
73603 ++
73604 + nstart = tmp;
73605 +
73606 + if (nstart < prev->vm_end)
73607 +diff -urNp linux-2.6.24.5/mm/mremap.c linux-2.6.24.5/mm/mremap.c
73608 +--- linux-2.6.24.5/mm/mremap.c 2008-03-24 14:49:18.000000000 -0400
73609 ++++ linux-2.6.24.5/mm/mremap.c 2008-03-26 20:21:09.000000000 -0400
73610 +@@ -106,6 +106,12 @@ static void move_ptes(struct vm_area_str
73611 + continue;
73612 + pte = ptep_clear_flush(vma, old_addr, old_pte);
73613 + pte = move_pte(pte, new_vma->vm_page_prot, old_addr, new_addr);
73614 ++
73615 ++#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
73616 ++ if (!nx_enabled && (new_vma->vm_flags & (VM_PAGEEXEC | VM_EXEC)) == VM_PAGEEXEC)
73617 ++ pte = pte_exprotect(pte);
73618 ++#endif
73619 ++
73620 + set_pte_at(mm, new_addr, new_pte, pte);
73621 + }
73622 +
73623 +@@ -254,6 +260,7 @@ unsigned long do_mremap(unsigned long ad
73624 + struct vm_area_struct *vma;
73625 + unsigned long ret = -EINVAL;
73626 + unsigned long charged = 0;
73627 ++ unsigned long pax_task_size = TASK_SIZE;
73628 +
73629 + if (flags & ~(MREMAP_FIXED | MREMAP_MAYMOVE))
73630 + goto out;
73631 +@@ -272,6 +279,15 @@ unsigned long do_mremap(unsigned long ad
73632 + if (!new_len)
73633 + goto out;
73634 +
73635 ++#ifdef CONFIG_PAX_SEGMEXEC
73636 ++ if (current->mm->pax_flags & MF_PAX_SEGMEXEC)
73637 ++ pax_task_size = SEGMEXEC_TASK_SIZE;
73638 ++#endif
73639 ++
73640 ++ if (new_len > pax_task_size || addr > pax_task_size-new_len ||
73641 ++ old_len > pax_task_size || addr > pax_task_size-old_len)
73642 ++ goto out;
73643 ++
73644 + /* new_addr is only valid if MREMAP_FIXED is specified */
73645 + if (flags & MREMAP_FIXED) {
73646 + if (new_addr & ~PAGE_MASK)
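Review bot: the new range check is safe against unsigned underflow only because `new_len > pax_task_size` is evaluated before `addr > pax_task_size-new_len` (and `old_len > pax_task_size` before `addr > pax_task_size-old_len`) inside the same `||` chain. Pin that ordering with a short comment so a later reshuffle of the operands does not reintroduce a wrap, and add spaces around the `-` to match the surrounding style.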
73647 +@@ -279,16 +295,13 @@ unsigned long do_mremap(unsigned long ad
73648 + if (!(flags & MREMAP_MAYMOVE))
73649 + goto out;
73650 +
73651 +- if (new_len > TASK_SIZE || new_addr > TASK_SIZE - new_len)
73652 ++ if (new_addr > pax_task_size - new_len)
73653 + goto out;
73654 +
73655 + /* Check if the location we're moving into overlaps the
73656 + * old location at all, and fail if it does.
73657 + */
73658 +- if ((new_addr <= addr) && (new_addr+new_len) > addr)
73659 +- goto out;
73660 +-
73661 +- if ((addr <= new_addr) && (addr+old_len) > new_addr)
73662 ++ if (addr + old_len > new_addr && new_addr + new_len > addr)
73663 + goto out;
73664 +
73665 + ret = security_file_mmap(NULL, 0, 0, 0, new_addr, 1);
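Review bot: dropping `new_len > TASK_SIZE` from the MREMAP_FIXED branch is fine only because the hunk above already rejects `new_len > pax_task_size` for the whole call; the two hunks should reference each other in a comment so neither is changed in isolation. The merged overlap test `addr + old_len > new_addr && new_addr + new_len > addr` is the standard interval-intersection form and is equivalent to the two removed conditions, and neither sum can wrap thanks to the same earlier check.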
73666 +@@ -326,6 +339,14 @@ unsigned long do_mremap(unsigned long ad
73667 + ret = -EINVAL;
73668 + goto out;
73669 + }
73670 ++
73671 ++#ifdef CONFIG_PAX_SEGMEXEC
73672 ++ if (pax_find_mirror_vma(vma)) {
73673 ++ ret = -EINVAL;
73674 ++ goto out;
73675 ++ }
73676 ++#endif
73677 ++
73678 + /* We can't remap across vm area boundaries */
73679 + if (old_len > vma->vm_end - addr)
73680 + goto out;
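Review bot: returning -EINVAL when pax_find_mirror_vma() finds a SEGMEXEC mirror gives userspace no hint that a policy, not a bad argument, caused the failure. Add a comment explaining that the mirror VMA would have to be moved or resized in lockstep and that mremap() of mirrored mappings is rejected instead, and consider whether a different errno expresses that more honestly.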
73681 +@@ -359,7 +380,7 @@ unsigned long do_mremap(unsigned long ad
73682 + if (old_len == vma->vm_end - addr &&
73683 + !((flags & MREMAP_FIXED) && (addr != new_addr)) &&
73684 + (old_len != new_len || !(flags & MREMAP_MAYMOVE))) {
73685 +- unsigned long max_addr = TASK_SIZE;
73686 ++ unsigned long max_addr = pax_task_size;
73687 + if (vma->vm_next)
73688 + max_addr = vma->vm_next->vm_start;
73689 + /* can we just expand the current mapping? */
73690 +@@ -377,6 +398,7 @@ unsigned long do_mremap(unsigned long ad
73691 + addr + new_len);
73692 + }
73693 + ret = addr;
73694 ++ track_exec_limit(vma->vm_mm, vma->vm_start, addr + new_len, vma->vm_flags);
73695 + goto out;
73696 + }
73697 + }
73698 +@@ -387,8 +409,8 @@ unsigned long do_mremap(unsigned long ad
73699 + */
73700 + ret = -ENOMEM;
73701 + if (flags & MREMAP_MAYMOVE) {
73702 ++ unsigned long map_flags = 0;
73703 + if (!(flags & MREMAP_FIXED)) {
73704 +- unsigned long map_flags = 0;
73705 + if (vma->vm_flags & VM_MAYSHARE)
73706 + map_flags |= MAP_SHARED;
73707 +
73708 +@@ -403,7 +425,12 @@ unsigned long do_mremap(unsigned long ad
73709 + if (ret)
73710 + goto out;
73711 + }
73712 ++ map_flags = vma->vm_flags;
73713 + ret = move_vma(vma, addr, old_len, new_len, new_addr);
73714 ++ if (!(ret & ~PAGE_MASK)) {
73715 ++ track_exec_limit(current->mm, addr, addr + old_len, 0UL);
73716 ++ track_exec_limit(current->mm, new_addr, new_addr + new_len, map_flags);
73717 ++ }
73718 + }
73719 + out:
73720 + if (ret & ~PAGE_MASK)
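Review bot: `map_flags` is reused for two unrelated things in this function: MAP_SHARED-style flags for the get_unmapped_area() path inside `if (!(flags & MREMAP_FIXED))`, and then a copy of `vma->vm_flags` for track_exec_limit(). Use a separate variable for the second purpose. Capturing `vma->vm_flags` before move_vma() is necessary because the vma may no longer exist afterwards; say so in a comment so nobody moves the assignment below the call. The `!(ret & ~PAGE_MASK)` test as the success condition is correct but also deserves a word.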
73721 +diff -urNp linux-2.6.24.5/mm/nommu.c linux-2.6.24.5/mm/nommu.c
73722 +--- linux-2.6.24.5/mm/nommu.c 2008-03-24 14:49:18.000000000 -0400
73723 ++++ linux-2.6.24.5/mm/nommu.c 2008-03-26 20:21:09.000000000 -0400
73724 +@@ -377,15 +377,6 @@ struct vm_area_struct *find_vma(struct m
73725 + }
73726 + EXPORT_SYMBOL(find_vma);
73727 +
73728 +-/*
73729 +- * find a VMA
73730 +- * - we don't extend stack VMAs under NOMMU conditions
73731 +- */
73732 +-struct vm_area_struct *find_extend_vma(struct mm_struct *mm, unsigned long addr)
73733 +-{
73734 +- return find_vma(mm, addr);
73735 +-}
73736 +-
73737 + int expand_stack(struct vm_area_struct *vma, unsigned long address)
73738 + {
73739 + return -ENOMEM;
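Review bot: this removes the NOMMU definition of find_extend_vma() but its replacement is not in this hunk; the commit message should say where CONFIG_MMU=n builds now get the symbol from (a common definition or a static inline in a header) so the change can be checked for link errors rather than taken on trust.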
73740 +diff -urNp linux-2.6.24.5/mm/page_alloc.c linux-2.6.24.5/mm/page_alloc.c
73741 +--- linux-2.6.24.5/mm/page_alloc.c 2008-03-24 14:49:18.000000000 -0400
73742 ++++ linux-2.6.24.5/mm/page_alloc.c 2008-03-26 20:21:09.000000000 -0400
73743 +@@ -505,9 +505,20 @@ static void free_pages_bulk(struct zone
73744 +
73745 + static void free_one_page(struct zone *zone, struct page *page, int order)
73746 + {
73747 ++
73748 ++#ifdef CONFIG_PAX_MEMORY_SANITIZE
73749 ++ unsigned long index = 1UL << order;
73750 ++#endif
73751 ++
73752 + spin_lock(&zone->lock);
73753 + zone_clear_flag(zone, ZONE_ALL_UNRECLAIMABLE);
73754 + zone->pages_scanned = 0;
73755 ++
73756 ++#ifdef CONFIG_PAX_MEMORY_SANITIZE
73757 ++ for (; index; --index)
73758 ++ sanitize_highpage(page + index - 1);
73759 ++#endif
73760 ++
73761 + __free_one_page(page, zone, order);
73762 + spin_unlock(&zone->lock);
73763 + }
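Review bot: the sanitize loop runs with zone->lock held, so a high-order free now clears 2^order pages under a spinlock that every allocation and free on the zone contends on. The pages still belong to the caller at this point, so the loop can run before spin_lock(&zone->lock) with the same effect and much shorter lock hold time. The loop itself is fine: it visits page + (1UL << order) - 1 down to page + 0.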
73764 +@@ -631,8 +642,10 @@ static int prep_new_page(struct page *pa
73765 + arch_alloc_page(page, order);
73766 + kernel_map_pages(page, 1 << order, 1);
73767 +
73768 ++#ifndef CONFIG_PAX_MEMORY_SANITIZE
73769 + if (gfp_flags & __GFP_ZERO)
73770 + prep_zero_page(page, order, gfp_flags);
73771 ++#endif
73772 +
73773 + if (order && (gfp_flags & __GFP_COMP))
73774 + prep_compound_page(page, order);
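Review bot: compiling out the __GFP_ZERO clearing makes that flag's contract depend on two invariants that are not stated anywhere here: sanitize_highpage() must leave the page all-zero rather than filled with a pattern, and every page that can reach prep_new_page() must have passed through one of the sanitize hooks added in free_one_page() or free_hot_cold_page(). Put both in a comment next to the #ifndef; if either ever stops holding, callers relying on __GFP_ZERO receive uninitialised memory, which is worse than the overhead being saved.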
73775 +@@ -1007,6 +1020,11 @@ static void fastcall free_hot_cold_page(
73776 + list_add(&page->lru, &pcp->list);
73777 + set_page_private(page, get_pageblock_migratetype(page));
73778 + pcp->count++;
73779 ++
73780 ++#ifdef CONFIG_PAX_MEMORY_SANITIZE
73781 ++ sanitize_highpage(page);
73782 ++#endif
73783 ++
73784 + if (pcp->count >= pcp->high) {
73785 + free_pages_bulk(zone, pcp->batch, &pcp->list, 0);
73786 + pcp->count -= pcp->batch;
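Review bot: the page is added to pcp->list and counted before it is sanitized; moving the sanitize_highpage() call above list_add() keeps the per-cpu list free of pages that are still being wiped and makes the ordering obvious. Note that this wipes every order-0 free, including pages that are reallocated from the hot list moments later, so the cost lands on the common path and should be mentioned in the Kconfig help for CONFIG_PAX_MEMORY_SANITIZE.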
73787 +diff -urNp linux-2.6.24.5/mm/rmap.c linux-2.6.24.5/mm/rmap.c
73788 +--- linux-2.6.24.5/mm/rmap.c 2008-03-24 14:49:18.000000000 -0400
73789 ++++ linux-2.6.24.5/mm/rmap.c 2008-03-26 20:21:09.000000000 -0400
73790 +@@ -64,6 +64,10 @@ int anon_vma_prepare(struct vm_area_stru
73791 + struct mm_struct *mm = vma->vm_mm;
73792 + struct anon_vma *allocated, *locked;
73793 +
73794 ++#ifdef CONFIG_PAX_SEGMEXEC
73795 ++ struct vm_area_struct *vma_m;
73796 ++#endif
73797 ++
73798 + anon_vma = find_mergeable_anon_vma(vma);
73799 + if (anon_vma) {
73800 + allocated = NULL;
73801 +@@ -80,6 +84,15 @@ int anon_vma_prepare(struct vm_area_stru
73802 + /* page_table_lock to protect against threads */
73803 + spin_lock(&mm->page_table_lock);
73804 + if (likely(!vma->anon_vma)) {
73805 ++
73806 ++#ifdef CONFIG_PAX_SEGMEXEC
73807 ++ vma_m = pax_find_mirror_vma(vma);
73808 ++ if (vma_m) {
73809 ++ vma_m->anon_vma = anon_vma;
73810 ++ __anon_vma_link(vma_m);
73811 ++ }
73812 ++#endif
73813 ++
73814 + vma->anon_vma = anon_vma;
73815 + list_add_tail(&vma->anon_vma_node, &anon_vma->head);
73816 + allocated = NULL;
73817 +diff -urNp linux-2.6.24.5/mm/shmem.c linux-2.6.24.5/mm/shmem.c
73818 +--- linux-2.6.24.5/mm/shmem.c 2008-03-24 14:49:18.000000000 -0400
73819 ++++ linux-2.6.24.5/mm/shmem.c 2008-03-26 20:21:09.000000000 -0400
73820 +@@ -2462,7 +2462,7 @@ static struct file_system_type tmpfs_fs_
73821 + .get_sb = shmem_get_sb,
73822 + .kill_sb = kill_litter_super,
73823 + };
73824 +-static struct vfsmount *shm_mnt;
73825 ++struct vfsmount *shm_mnt;
73826 +
73827 + static int __init init_tmpfs(void)
73828 + {
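Review bot: removing `static` from shm_mnt (here and in tiny-shmem.c below) turns a file-local into a global with no declaration in any header. Add an `extern struct vfsmount *shm_mnt;` to a shared header next to its consumer, and if that consumer can be a module it also needs an EXPORT_SYMBOL. The same applies to sock_mnt in net/socket.c further down.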
73829 +diff -urNp linux-2.6.24.5/mm/slab.c linux-2.6.24.5/mm/slab.c
73830 +--- linux-2.6.24.5/mm/slab.c 2008-04-17 20:05:17.000000000 -0400
73831 ++++ linux-2.6.24.5/mm/slab.c 2008-04-17 20:05:01.000000000 -0400
73832 +@@ -305,7 +305,7 @@ struct kmem_list3 {
73833 + * Need this for bootstrapping a per node allocator.
73834 + */
73835 + #define NUM_INIT_LISTS (3 * MAX_NUMNODES)
73836 +-struct kmem_list3 __initdata initkmem_list3[NUM_INIT_LISTS];
73837 ++struct kmem_list3 initkmem_list3[NUM_INIT_LISTS];
73838 + #define CACHE_CACHE 0
73839 + #define SIZE_AC MAX_NUMNODES
73840 + #define SIZE_L3 (2 * MAX_NUMNODES)
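Review bot: dropping __initdata from initkmem_list3 keeps 3 * MAX_NUMNODES kmem_list3 structures resident after boot instead of releasing them with init memory; the hunk gives no reason (presumably a late reference that would otherwise be a section mismatch), so the reason should be stated in a comment or in the log.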
73841 +@@ -654,14 +654,14 @@ struct cache_names {
73842 + static struct cache_names __initdata cache_names[] = {
73843 + #define CACHE(x) { .name = "size-" #x, .name_dma = "size-" #x "(DMA)" },
73844 + #include <linux/kmalloc_sizes.h>
73845 +- {NULL,}
73846 ++ {NULL, NULL}
73847 + #undef CACHE
73848 + };
73849 +
73850 + static struct arraycache_init initarray_cache __initdata =
73851 +- { {0, BOOT_CPUCACHE_ENTRIES, 1, 0} };
73852 ++ { {0, BOOT_CPUCACHE_ENTRIES, 1, 0}, {NULL} };
73853 + static struct arraycache_init initarray_generic =
73854 +- { {0, BOOT_CPUCACHE_ENTRIES, 1, 0} };
73855 ++ { {0, BOOT_CPUCACHE_ENTRIES, 1, 0}, {NULL} };
73856 +
73857 + /* internal cache of cache description objs */
73858 + static struct kmem_cache cache_cache = {
73859 +@@ -3004,7 +3004,7 @@ retry:
73860 + * there must be at least one object available for
73861 + * allocation.
73862 + */
73863 +- BUG_ON(slabp->inuse < 0 || slabp->inuse >= cachep->num);
73864 ++ BUG_ON(slabp->inuse >= cachep->num);
73865 +
73866 + while (slabp->inuse < cachep->num && batchcount--) {
73867 + STATS_INC_ALLOCED(cachep);
73868 +diff -urNp linux-2.6.24.5/mm/slub.c linux-2.6.24.5/mm/slub.c
73869 +--- linux-2.6.24.5/mm/slub.c 2008-03-24 14:49:18.000000000 -0400
73870 ++++ linux-2.6.24.5/mm/slub.c 2008-03-26 20:21:09.000000000 -0400
73871 +@@ -1539,7 +1539,7 @@ debug:
73872 + *
73873 + * Otherwise we can simply pick the next object from the lockless free list.
73874 + */
73875 +-static void __always_inline *slab_alloc(struct kmem_cache *s,
73876 ++static __always_inline void *slab_alloc(struct kmem_cache *s,
73877 + gfp_t gfpflags, int node, void *addr)
73878 + {
73879 + void **object;
73880 +@@ -1647,7 +1647,7 @@ debug:
73881 + * If fastpath is not possible then fall back to __slab_free where we deal
73882 + * with all sorts of special processing.
73883 + */
73884 +-static void __always_inline slab_free(struct kmem_cache *s,
73885 ++static __always_inline void slab_free(struct kmem_cache *s,
73886 + struct page *page, void *x, void *addr)
73887 + {
73888 + void **object = (void *)x;
73889 +diff -urNp linux-2.6.24.5/mm/swap.c linux-2.6.24.5/mm/swap.c
73890 +--- linux-2.6.24.5/mm/swap.c 2008-03-24 14:49:18.000000000 -0400
73891 ++++ linux-2.6.24.5/mm/swap.c 2008-03-26 20:21:09.000000000 -0400
73892 +@@ -33,9 +33,9 @@
73893 + /* How many pages do we try to swap or page in/out together? */
73894 + int page_cluster;
73895 +
73896 +-static DEFINE_PER_CPU(struct pagevec, lru_add_pvecs) = { 0, };
73897 +-static DEFINE_PER_CPU(struct pagevec, lru_add_active_pvecs) = { 0, };
73898 +-static DEFINE_PER_CPU(struct pagevec, lru_rotate_pvecs) = { 0, };
73899 ++static DEFINE_PER_CPU(struct pagevec, lru_add_pvecs) = { 0, 0, {NULL} };
73900 ++static DEFINE_PER_CPU(struct pagevec, lru_add_active_pvecs) = { 0, 0, {NULL} };
73901 ++static DEFINE_PER_CPU(struct pagevec, lru_rotate_pvecs) = { 0, 0, {NULL} };
73902 +
73903 + /*
73904 + * This path almost never happens for VM activity - pages are normally
73905 +diff -urNp linux-2.6.24.5/mm/tiny-shmem.c linux-2.6.24.5/mm/tiny-shmem.c
73906 +--- linux-2.6.24.5/mm/tiny-shmem.c 2008-03-24 14:49:18.000000000 -0400
73907 ++++ linux-2.6.24.5/mm/tiny-shmem.c 2008-03-26 20:21:09.000000000 -0400
73908 +@@ -26,7 +26,7 @@ static struct file_system_type tmpfs_fs_
73909 + .kill_sb = kill_litter_super,
73910 + };
73911 +
73912 +-static struct vfsmount *shm_mnt;
73913 ++struct vfsmount *shm_mnt;
73914 +
73915 + static int __init init_tmpfs(void)
73916 + {
73917 +diff -urNp linux-2.6.24.5/mm/vmalloc.c linux-2.6.24.5/mm/vmalloc.c
73918 +--- linux-2.6.24.5/mm/vmalloc.c 2008-03-24 14:49:18.000000000 -0400
73919 ++++ linux-2.6.24.5/mm/vmalloc.c 2008-03-26 20:21:09.000000000 -0400
73920 +@@ -202,6 +202,8 @@ static struct vm_struct *__get_vm_area_n
73921 +
73922 + write_lock(&vmlist_lock);
73923 + for (p = &vmlist; (tmp = *p) != NULL ;p = &tmp->next) {
73924 ++ if (addr > end - size)
73925 ++ goto out;
73926 + if ((unsigned long)tmp->addr < addr) {
73927 + if((unsigned long)tmp->addr + tmp->size >= addr)
73928 + addr = ALIGN(tmp->size +
73929 +@@ -213,8 +215,6 @@ static struct vm_struct *__get_vm_area_n
73930 + if (size + addr <= (unsigned long)tmp->addr)
73931 + goto found;
73932 + addr = ALIGN(tmp->size + (unsigned long)tmp->addr, align);
73933 +- if (addr > end - size)
73934 +- goto out;
73935 + }
73936 +
73937 + found:
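Review bot: hoisting `if (addr > end - size) goto out;` to the top of the loop body changes which updates get checked. The old check ran immediately after the ALIGN in the fall-through path; the new one runs at the start of the next iteration, which now also covers the ALIGN in the `(unsigned long)tmp->addr < addr` branch. But the loop exits on `*p == NULL` before the top-of-body test runs, so an addr advanced past `end - size` by the last list entry in either branch reaches `found:` unchecked, and for the fall-through branch that is a check the old code had. Keep a check after the loop (before `found:`) to close that path.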
73938 +diff -urNp linux-2.6.24.5/net/bridge/br_stp_if.c linux-2.6.24.5/net/bridge/br_stp_if.c
73939 +--- linux-2.6.24.5/net/bridge/br_stp_if.c 2008-03-24 14:49:18.000000000 -0400
73940 ++++ linux-2.6.24.5/net/bridge/br_stp_if.c 2008-03-26 20:21:09.000000000 -0400
73941 +@@ -148,7 +148,7 @@ static void br_stp_stop(struct net_bridg
73942 + char *envp[] = { NULL };
73943 +
73944 + if (br->stp_enabled == BR_USER_STP) {
73945 +- r = call_usermodehelper(BR_STP_PROG, argv, envp, 1);
73946 ++ r = call_usermodehelper(BR_STP_PROG, argv, envp, UMH_WAIT_PROC);
73947 + printk(KERN_INFO "%s: userspace STP stopped, return code %d\n",
73948 + br->dev->name, r);
73949 +
73950 +diff -urNp linux-2.6.24.5/net/core/flow.c linux-2.6.24.5/net/core/flow.c
73951 +--- linux-2.6.24.5/net/core/flow.c 2008-03-24 14:49:18.000000000 -0400
73952 ++++ linux-2.6.24.5/net/core/flow.c 2008-03-26 20:21:09.000000000 -0400
73953 +@@ -40,7 +40,7 @@ atomic_t flow_cache_genid = ATOMIC_INIT(
73954 +
73955 + static u32 flow_hash_shift;
73956 + #define flow_hash_size (1 << flow_hash_shift)
73957 +-static DEFINE_PER_CPU(struct flow_cache_entry **, flow_tables) = { NULL };
73958 ++static DEFINE_PER_CPU(struct flow_cache_entry **, flow_tables);
73959 +
73960 + #define flow_table(cpu) (per_cpu(flow_tables, cpu))
73961 +
73962 +@@ -53,7 +53,7 @@ struct flow_percpu_info {
73963 + u32 hash_rnd;
73964 + int count;
73965 + } ____cacheline_aligned;
73966 +-static DEFINE_PER_CPU(struct flow_percpu_info, flow_hash_info) = { 0 };
73967 ++static DEFINE_PER_CPU(struct flow_percpu_info, flow_hash_info);
73968 +
73969 + #define flow_hash_rnd_recalc(cpu) \
73970 + (per_cpu(flow_hash_info, cpu).hash_rnd_recalc)
73971 +@@ -70,7 +70,7 @@ struct flow_flush_info {
73972 + atomic_t cpuleft;
73973 + struct completion completion;
73974 + };
73975 +-static DEFINE_PER_CPU(struct tasklet_struct, flow_flush_tasklets) = { NULL };
73976 ++static DEFINE_PER_CPU(struct tasklet_struct, flow_flush_tasklets);
73977 +
73978 + #define flow_flush_tasklet(cpu) (&per_cpu(flow_flush_tasklets, cpu))
73979 +
73980 +diff -urNp linux-2.6.24.5/net/dccp/ccids/ccid3.c linux-2.6.24.5/net/dccp/ccids/ccid3.c
73981 +--- linux-2.6.24.5/net/dccp/ccids/ccid3.c 2008-03-24 14:49:18.000000000 -0400
73982 ++++ linux-2.6.24.5/net/dccp/ccids/ccid3.c 2008-03-26 20:21:09.000000000 -0400
73983 +@@ -46,7 +46,7 @@
73984 + static int ccid3_debug;
73985 + #define ccid3_pr_debug(format, a...) DCCP_PR_DEBUG(ccid3_debug, format, ##a)
73986 + #else
73987 +-#define ccid3_pr_debug(format, a...)
73988 ++#define ccid3_pr_debug(format, a...) do {} while (0)
73989 + #endif
73990 +
73991 + static struct dccp_tx_hist *ccid3_tx_hist;
73992 +diff -urNp linux-2.6.24.5/net/dccp/dccp.h linux-2.6.24.5/net/dccp/dccp.h
73993 +--- linux-2.6.24.5/net/dccp/dccp.h 2008-03-24 14:49:18.000000000 -0400
73994 ++++ linux-2.6.24.5/net/dccp/dccp.h 2008-03-26 20:21:09.000000000 -0400
73995 +@@ -43,8 +43,8 @@ extern int dccp_debug;
73996 + #define dccp_pr_debug(format, a...) DCCP_PR_DEBUG(dccp_debug, format, ##a)
73997 + #define dccp_pr_debug_cat(format, a...) DCCP_PRINTK(dccp_debug, format, ##a)
73998 + #else
73999 +-#define dccp_pr_debug(format, a...)
74000 +-#define dccp_pr_debug_cat(format, a...)
74001 ++#define dccp_pr_debug(format, a...) do {} while (0)
74002 ++#define dccp_pr_debug_cat(format, a...) do {} while (0)
74003 + #endif
74004 +
74005 + extern struct inet_hashinfo dccp_hashinfo;
74006 +diff -urNp linux-2.6.24.5/net/ipv4/inet_connection_sock.c linux-2.6.24.5/net/ipv4/inet_connection_sock.c
74007 +--- linux-2.6.24.5/net/ipv4/inet_connection_sock.c 2008-03-24 14:49:18.000000000 -0400
74008 ++++ linux-2.6.24.5/net/ipv4/inet_connection_sock.c 2008-03-26 20:21:09.000000000 -0400
74009 +@@ -15,6 +15,7 @@
74010 +
74011 + #include <linux/module.h>
74012 + #include <linux/jhash.h>
74013 ++#include <linux/grsecurity.h>
74014 +
74015 + #include <net/inet_connection_sock.h>
74016 + #include <net/inet_hashtables.h>
74017 +diff -urNp linux-2.6.24.5/net/ipv4/inet_hashtables.c linux-2.6.24.5/net/ipv4/inet_hashtables.c
74018 +--- linux-2.6.24.5/net/ipv4/inet_hashtables.c 2008-03-24 14:49:18.000000000 -0400
74019 ++++ linux-2.6.24.5/net/ipv4/inet_hashtables.c 2008-03-26 20:21:09.000000000 -0400
74020 +@@ -18,11 +18,14 @@
74021 + #include <linux/sched.h>
74022 + #include <linux/slab.h>
74023 + #include <linux/wait.h>
74024 ++#include <linux/grsecurity.h>
74025 +
74026 + #include <net/inet_connection_sock.h>
74027 + #include <net/inet_hashtables.h>
74028 + #include <net/ip.h>
74029 +
74030 ++extern void gr_update_task_in_ip_table(struct task_struct *task, const struct inet_sock *inet);
74031 ++
74032 + /*
74033 + * Allocate and initialize a new local port bind bucket.
74034 + * The bindhash mutex for snum's hash chain must be held here.
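Review bot: `extern void gr_update_task_in_ip_table(...)` is declared in the .c file right after `#include <linux/grsecurity.h>` was added; the prototype belongs in that header so caller and definition are checked against one declaration. Placing the call after spin_unlock(&head->lock) is fine, since the helper then runs without the bind bucket lock held.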
74035 +@@ -338,6 +341,8 @@ ok:
74036 + }
74037 + spin_unlock(&head->lock);
74038 +
74039 ++ gr_update_task_in_ip_table(current, inet_sk(sk));
74040 ++
74041 + if (tw) {
74042 + inet_twsk_deschedule(tw, death_row);
74043 + inet_twsk_put(tw);
74044 +diff -urNp linux-2.6.24.5/net/ipv4/netfilter/ipt_stealth.c linux-2.6.24.5/net/ipv4/netfilter/ipt_stealth.c
74045 +--- linux-2.6.24.5/net/ipv4/netfilter/ipt_stealth.c 1969-12-31 19:00:00.000000000 -0500
74046 ++++ linux-2.6.24.5/net/ipv4/netfilter/ipt_stealth.c 2008-03-26 20:21:09.000000000 -0400
74047 +@@ -0,0 +1,114 @@
74048 ++/* Kernel module to add stealth support.
74049 ++ *
74050 ++ * Copyright (C) 2002-2006 Brad Spengler <spender@××××××××××.net>
74051 ++ *
74052 ++ */
74053 ++
74054 ++#include <linux/kernel.h>
74055 ++#include <linux/module.h>
74056 ++#include <linux/skbuff.h>
74057 ++#include <linux/net.h>
74058 ++#include <linux/sched.h>
74059 ++#include <linux/inet.h>
74060 ++#include <linux/stddef.h>
74061 ++
74062 ++#include <net/ip.h>
74063 ++#include <net/sock.h>
74064 ++#include <net/tcp.h>
74065 ++#include <net/udp.h>
74066 ++#include <net/route.h>
74067 ++#include <net/inet_common.h>
74068 ++
74069 ++#include <linux/netfilter_ipv4/ip_tables.h>
74070 ++
74071 ++MODULE_LICENSE("GPL");
74072 ++
74073 ++extern struct sock *udp_v4_lookup(u32 saddr, u16 sport, u32 daddr, u16 dport, int dif);
74074 ++
74075 ++static int
74076 ++match(const struct sk_buff *skb,
74077 ++ const struct net_device *in,
74078 ++ const struct net_device *out,
74079 ++ const struct xt_match *match,
74080 ++ const void *matchinfo,
74081 ++ int offset,
74082 ++ unsigned int protoff,
74083 ++ int *hotdrop)
74084 ++{
74085 ++ struct iphdr *ip = ip_hdr(skb);
74086 ++ struct tcphdr th;
74087 ++ struct udphdr uh;
74088 ++ struct sock *sk = NULL;
74089 ++
74090 ++ if (!ip || offset) return 0;
74091 ++
74092 ++ switch(ip->protocol) {
74093 ++ case IPPROTO_TCP:
74094 ++ if (skb_copy_bits(skb, (ip_hdr(skb))->ihl*4, &th, sizeof(th)) < 0) {
74095 ++ *hotdrop = 1;
74096 ++ return 0;
74097 ++ }
74098 ++ if (!(th.syn && !th.ack)) return 0;
74099 ++ sk = inet_lookup_listener(&tcp_hashinfo, ip->daddr, th.dest, inet_iif(skb));
74100 ++ break;
74101 ++ case IPPROTO_UDP:
74102 ++ if (skb_copy_bits(skb, (ip_hdr(skb))->ihl*4, &uh, sizeof(uh)) < 0) {
74103 ++ *hotdrop = 1;
74104 ++ return 0;
74105 ++ }
74106 ++ sk = udp_v4_lookup(ip->saddr, uh.source, ip->daddr, uh.dest, skb->dev->ifindex);
74107 ++ break;
74108 ++ default:
74109 ++ return 0;
74110 ++ }
74111 ++
74112 ++ if(!sk) // port is being listened on, match this
74113 ++ return 1;
74114 ++ else {
74115 ++ sock_put(sk);
74116 ++ return 0;
74117 ++ }
74118 ++}
74119 ++
74120 ++/* Called when user tries to insert an entry of this type. */
74121 ++static int
74122 ++checkentry(const char *tablename,
74123 ++ const void *nip,
74124 ++ const struct xt_match *match,
74125 ++ void *matchinfo,
74126 ++ unsigned int hook_mask)
74127 ++{
74128 ++ const struct ipt_ip *ip = (const struct ipt_ip *)nip;
74129 ++
74130 ++ if(((ip->proto == IPPROTO_TCP && !(ip->invflags & IPT_INV_PROTO)) ||
74131 ++ ((ip->proto == IPPROTO_UDP) && !(ip->invflags & IPT_INV_PROTO)))
74132 ++ && (hook_mask & (1 << NF_IP_LOCAL_IN)))
74133 ++ return 1;
74134 ++
74135 ++ printk("stealth: Only works on TCP and UDP for the INPUT chain.\n");
74136 ++
74137 ++ return 0;
74138 ++}
74139 ++
74140 ++
74141 ++static struct xt_match stealth_match = {
74142 ++ .name = "stealth",
74143 ++ .family = AF_INET,
74144 ++ .match = match,
74145 ++ .checkentry = checkentry,
74146 ++ .destroy = NULL,
74147 ++ .me = THIS_MODULE
74148 ++};
74149 ++
74150 ++static int __init init(void)
74151 ++{
74152 ++ return xt_register_match(&stealth_match);
74153 ++}
74154 ++
74155 ++static void __exit fini(void)
74156 ++{
74157 ++ xt_unregister_match(&stealth_match);
74158 ++}
74159 ++
74160 ++module_init(init);
74161 ++module_exit(fini);
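Review bot: the comment on `if(!sk) // port is being listened on, match this` is inverted: sk == NULL means no socket is listening on (or bound to) that port, and that is exactly the case the match returns 1 for. Fix it, since the whole module's semantics hinge on that line. Further points in the same file: the extern prototype `udp_v4_lookup(u32 saddr, u16 sport, u32 daddr, u16 dport, int dif)` does not match the definition added in net/ipv4/udp.c (`__be32`/`__be16`), which sparse will flag, and should come from a header rather than a local extern; the TCP path uses inet_iif(skb) for the interface while the UDP path uses skb->dev->ifindex, pick one; the printk() in checkentry() lacks a KERN_* level; and if struct xt_match in this kernel declares match()/checkentry() as returning bool with a `bool *hotdrop`, these int-typed callbacks will produce incompatible-pointer warnings at the `.match =` and `.checkentry =` assignments.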
74162 +diff -urNp linux-2.6.24.5/net/ipv4/netfilter/Kconfig linux-2.6.24.5/net/ipv4/netfilter/Kconfig
74163 +--- linux-2.6.24.5/net/ipv4/netfilter/Kconfig 2008-03-24 14:49:18.000000000 -0400
74164 ++++ linux-2.6.24.5/net/ipv4/netfilter/Kconfig 2008-03-26 20:21:09.000000000 -0400
74165 +@@ -130,6 +130,21 @@ config IP_NF_MATCH_ADDRTYPE
74166 + If you want to compile it as a module, say M here and read
74167 + <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
74168 +
74169 ++config IP_NF_MATCH_STEALTH
74170 ++ tristate "stealth match support"
74171 ++ depends on IP_NF_IPTABLES
74172 ++ help
74173 ++ Enabling this option will drop all syn packets coming to unserved tcp
74174 ++ ports as well as all packets coming to unserved udp ports. If you
74175 ++ are using your system to route any type of packets (ie. via NAT)
74176 ++ you should put this module at the end of your ruleset, since it will
74177 ++ drop packets that aren't going to ports that are listening on your
74178 ++ machine itself, it doesn't take into account that the packet might be
74179 ++ destined for someone on your internal network if you're using NAT for
74180 ++ instance.
74181 ++
74182 ++ To compile it as a module, choose M here. If unsure, say N.
74183 ++
74184 + # `filter', generic and specific targets
74185 + config IP_NF_FILTER
74186 + tristate "Packet filtering"
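Review bot: the help text says enabling the option "will drop all syn packets coming to unserved tcp ports", but IP_NF_MATCH_STEALTH is a match, not a target: nothing is dropped unless a rule combines `-m stealth` with `-j DROP`. Reword it to say what the match selects (TCP SYNs and UDP datagrams to local ports with no listener, INPUT chain only, as checkentry() enforces) and leave the action to the user. The NAT caveat is correct but reads better as "place rules using this match after your forwarding or NAT rules".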
74187 +@@ -403,4 +418,3 @@ config IP_NF_ARP_MANGLE
74188 + hardware and network addresses.
74189 +
74190 + endmenu
74191 +-
74192 +diff -urNp linux-2.6.24.5/net/ipv4/netfilter/Makefile linux-2.6.24.5/net/ipv4/netfilter/Makefile
74193 +--- linux-2.6.24.5/net/ipv4/netfilter/Makefile 2008-03-24 14:49:18.000000000 -0400
74194 ++++ linux-2.6.24.5/net/ipv4/netfilter/Makefile 2008-03-26 20:21:09.000000000 -0400
74195 +@@ -47,6 +47,7 @@ obj-$(CONFIG_IP_NF_MATCH_ECN) += ipt_ecn
74196 + obj-$(CONFIG_IP_NF_MATCH_IPRANGE) += ipt_iprange.o
74197 + obj-$(CONFIG_IP_NF_MATCH_OWNER) += ipt_owner.o
74198 + obj-$(CONFIG_IP_NF_MATCH_RECENT) += ipt_recent.o
74199 ++obj-$(CONFIG_IP_NF_MATCH_STEALTH) += ipt_stealth.o
74200 + obj-$(CONFIG_IP_NF_MATCH_TOS) += ipt_tos.o
74201 + obj-$(CONFIG_IP_NF_MATCH_TTL) += ipt_ttl.o
74202 +
74203 +diff -urNp linux-2.6.24.5/net/ipv4/tcp.c linux-2.6.24.5/net/ipv4/tcp.c
74204 +--- linux-2.6.24.5/net/ipv4/tcp.c 2008-04-17 20:05:17.000000000 -0400
74205 ++++ linux-2.6.24.5/net/ipv4/tcp.c 2008-04-17 20:05:01.000000000 -0400
74206 +@@ -1054,7 +1054,8 @@ int tcp_read_sock(struct sock *sk, read_
74207 + return -ENOTCONN;
74208 + while ((skb = tcp_recv_skb(sk, seq, &offset)) != NULL) {
74209 + if (offset < skb->len) {
74210 +- size_t used, len;
74211 ++ int used;
74212 ++ size_t len;
74213 +
74214 + len = skb->len - offset;
74215 + /* Stop reading if we hit a patch of urgent data */
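Review bot: splitting `size_t used, len` into `int used; size_t len` changes the signedness of `used`, which only matters if a negative value is tested somewhere below (an error return from the read actor). The hunk does not show that test, so add a one-line comment or a log entry that this makes an otherwise always-false `used < 0` check effective; without it the change reads as churn.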
74216 +diff -urNp linux-2.6.24.5/net/ipv4/tcp_ipv4.c linux-2.6.24.5/net/ipv4/tcp_ipv4.c
74217 +--- linux-2.6.24.5/net/ipv4/tcp_ipv4.c 2008-03-24 14:49:18.000000000 -0400
74218 ++++ linux-2.6.24.5/net/ipv4/tcp_ipv4.c 2008-03-26 20:21:09.000000000 -0400
74219 +@@ -61,6 +61,7 @@
74220 + #include <linux/jhash.h>
74221 + #include <linux/init.h>
74222 + #include <linux/times.h>
74223 ++#include <linux/grsecurity.h>
74224 +
74225 + #include <net/net_namespace.h>
74226 + #include <net/icmp.h>
74227 +diff -urNp linux-2.6.24.5/net/ipv4/udp.c linux-2.6.24.5/net/ipv4/udp.c
74228 +--- linux-2.6.24.5/net/ipv4/udp.c 2008-03-24 14:49:18.000000000 -0400
74229 ++++ linux-2.6.24.5/net/ipv4/udp.c 2008-03-26 20:21:09.000000000 -0400
74230 +@@ -98,6 +98,7 @@
74231 + #include <linux/skbuff.h>
74232 + #include <linux/proc_fs.h>
74233 + #include <linux/seq_file.h>
74234 ++#include <linux/grsecurity.h>
74235 + #include <net/net_namespace.h>
74236 + #include <net/icmp.h>
74237 + #include <net/route.h>
74238 +@@ -105,6 +106,11 @@
74239 + #include <net/xfrm.h>
74240 + #include "udp_impl.h"
74241 +
74242 ++extern int gr_search_udp_recvmsg(const struct sock *sk,
74243 ++ const struct sk_buff *skb);
74244 ++extern int gr_search_udp_sendmsg(const struct sock *sk,
74245 ++ const struct sockaddr_in *addr);
74246 ++
74247 + /*
74248 + * Snmp MIB for the UDP layer
74249 + */
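Review bot: the two `extern int gr_search_udp_*` prototypes are declared in the .c file even though `#include <linux/grsecurity.h>` was just added above; move them into that header so there is a single declaration for the compiler to check against.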
74250 +@@ -295,6 +301,13 @@ static struct sock *__udp4_lib_lookup(__
74251 + return result;
74252 + }
74253 +
74254 ++struct sock *udp_v4_lookup(__be32 saddr, __be16 sport,
74255 ++ __be32 daddr, __be16 dport, int dif)
74256 ++{
74257 ++ return __udp4_lib_lookup(saddr, sport, daddr, dport, dif, udp_hash);
74258 ++}
74259 ++
74260 ++
74261 + static inline struct sock *udp_v4_mcast_next(struct sock *sk,
74262 + __be16 loc_port, __be32 loc_addr,
74263 + __be16 rmt_port, __be32 rmt_addr,
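Review bot: udp_v4_lookup() is a new non-static function with no prototype in a header and no EXPORT_SYMBOL, yet its only caller on this page is ipt_stealth.c, whose Kconfig entry is tristate: built as a module, ipt_stealth.ko will fail to load with an unresolved symbol. Add the prototype to a UDP header with these same __be32/__be16 types, export the symbol, and drop the second blank line after the closing brace.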
74264 +@@ -580,9 +593,16 @@ int udp_sendmsg(struct kiocb *iocb, stru
74265 + dport = usin->sin_port;
74266 + if (dport == 0)
74267 + return -EINVAL;
74268 ++
74269 ++ if (!gr_search_udp_sendmsg(sk, usin))
74270 ++ return -EPERM;
74271 + } else {
74272 + if (sk->sk_state != TCP_ESTABLISHED)
74273 + return -EDESTADDRREQ;
74274 ++
74275 ++ if (!gr_search_udp_sendmsg(sk, NULL))
74276 ++ return -EPERM;
74277 ++
74278 + daddr = inet->daddr;
74279 + dport = inet->dport;
74280 + /* Open fast path for connected socket.
74281 +@@ -842,6 +862,11 @@ try_again:
74282 + if (!skb)
74283 + goto out;
74284 +
74285 ++ if (!gr_search_udp_recvmsg(sk, skb)) {
74286 ++ err = -EPERM;
74287 ++ goto out_free;
74288 ++ }
74289 ++
74290 + ulen = skb->len - sizeof(struct udphdr);
74291 + copied = len;
74292 + if (copied > ulen)
74293 +diff -urNp linux-2.6.24.5/net/ipv6/exthdrs.c linux-2.6.24.5/net/ipv6/exthdrs.c
74294 +--- linux-2.6.24.5/net/ipv6/exthdrs.c 2008-03-24 14:49:18.000000000 -0400
74295 ++++ linux-2.6.24.5/net/ipv6/exthdrs.c 2008-03-26 20:21:09.000000000 -0400
74296 +@@ -621,7 +621,7 @@ static struct tlvtype_proc tlvprochopopt
74297 + .type = IPV6_TLV_JUMBO,
74298 + .func = ipv6_hop_jumbo,
74299 + },
74300 +- { -1, }
74301 ++ { -1, NULL }
74302 + };
74303 +
74304 + int ipv6_parse_hopopts(struct sk_buff *skb)
74305 +diff -urNp linux-2.6.24.5/net/ipv6/raw.c linux-2.6.24.5/net/ipv6/raw.c
74306 +--- linux-2.6.24.5/net/ipv6/raw.c 2008-03-24 14:49:18.000000000 -0400
74307 ++++ linux-2.6.24.5/net/ipv6/raw.c 2008-03-26 20:21:09.000000000 -0400
74308 +@@ -578,7 +578,7 @@ out:
74309 + return err;
74310 + }
74311 +
74312 +-static int rawv6_send_hdrinc(struct sock *sk, void *from, int length,
74313 ++static int rawv6_send_hdrinc(struct sock *sk, void *from, unsigned int length,
74314 + struct flowi *fl, struct rt6_info *rt,
74315 + unsigned int flags)
74316 + {
74317 +diff -urNp linux-2.6.24.5/net/irda/ircomm/ircomm_tty.c linux-2.6.24.5/net/irda/ircomm/ircomm_tty.c
74318 +--- linux-2.6.24.5/net/irda/ircomm/ircomm_tty.c 2008-03-24 14:49:18.000000000 -0400
74319 ++++ linux-2.6.24.5/net/irda/ircomm/ircomm_tty.c 2008-03-26 20:21:09.000000000 -0400
74320 +@@ -371,7 +371,7 @@ static int ircomm_tty_open(struct tty_st
74321 + IRDA_DEBUG(2, "%s()\n", __FUNCTION__ );
74322 +
74323 + line = tty->index;
74324 +- if ((line < 0) || (line >= IRCOMM_TTY_PORTS)) {
74325 ++ if (line >= IRCOMM_TTY_PORTS) {
74326 + return -ENODEV;
74327 + }
74328 +
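Review bot: removing `line < 0` is a no-op only if `line` is unsigned; if it is an int assigned from tty->index, a negative index now passes the single bounds check that protects the port table. The declaration is not in the hunk's context, so either include it (or change it to unsigned in the same hunk) so the intent is visible to the reader.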
74329 +diff -urNp linux-2.6.24.5/net/mac80211/regdomain.c linux-2.6.24.5/net/mac80211/regdomain.c
74330 +--- linux-2.6.24.5/net/mac80211/regdomain.c 2008-03-24 14:49:18.000000000 -0400
74331 ++++ linux-2.6.24.5/net/mac80211/regdomain.c 2008-03-26 20:21:09.000000000 -0400
74332 +@@ -61,14 +61,14 @@ static const struct ieee80211_channel_ra
74333 + { 5180, 5240, 17, 6 } /* IEEE 802.11a, channels 36..48 */,
74334 + { 5260, 5320, 23, 6 } /* IEEE 802.11a, channels 52..64 */,
74335 + { 5745, 5825, 30, 6 } /* IEEE 802.11a, channels 149..165, outdoor */,
74336 +- { 0 }
74337 ++ { 0, 0, 0, 0 }
74338 + };
74339 +
74340 + static const struct ieee80211_channel_range ieee80211_mkk_channels[] = {
74341 + { 2412, 2472, 20, 6 } /* IEEE 802.11b/g, channels 1..13 */,
74342 + { 5170, 5240, 20, 6 } /* IEEE 802.11a, channels 34..48 */,
74343 + { 5260, 5320, 20, 6 } /* IEEE 802.11a, channels 52..64 */,
74344 +- { 0 }
74345 ++ { 0, 0, 0, 0 }
74346 + };
74347 +
74348 +
74349 +diff -urNp linux-2.6.24.5/net/sctp/socket.c linux-2.6.24.5/net/sctp/socket.c
74350 +--- linux-2.6.24.5/net/sctp/socket.c 2008-03-24 14:49:18.000000000 -0400
74351 ++++ linux-2.6.24.5/net/sctp/socket.c 2008-03-26 20:21:09.000000000 -0400
74352 +@@ -1390,7 +1390,7 @@ SCTP_STATIC int sctp_sendmsg(struct kioc
74353 + struct sctp_sndrcvinfo *sinfo;
74354 + struct sctp_initmsg *sinit;
74355 + sctp_assoc_t associd = 0;
74356 +- sctp_cmsgs_t cmsgs = { NULL };
74357 ++ sctp_cmsgs_t cmsgs = { NULL, NULL };
74358 + int err;
74359 + sctp_scope_t scope;
74360 + long timeo;
74361 +diff -urNp linux-2.6.24.5/net/socket.c linux-2.6.24.5/net/socket.c
74362 +--- linux-2.6.24.5/net/socket.c 2008-03-24 14:49:18.000000000 -0400
74363 ++++ linux-2.6.24.5/net/socket.c 2008-03-26 20:21:09.000000000 -0400
74364 +@@ -85,6 +85,7 @@
74365 + #include <linux/audit.h>
74366 + #include <linux/wireless.h>
74367 + #include <linux/nsproxy.h>
74368 ++#include <linux/in.h>
74369 +
74370 + #include <asm/uaccess.h>
74371 + #include <asm/unistd.h>
74372 +@@ -94,6 +95,21 @@
74373 + #include <net/sock.h>
74374 + #include <linux/netfilter.h>
74375 +
74376 ++extern void gr_attach_curr_ip(const struct sock *sk);
74377 ++extern int gr_handle_sock_all(const int family, const int type,
74378 ++ const int protocol);
74379 ++extern int gr_handle_sock_server(const struct sockaddr *sck);
74380 ++extern int gr_handle_sock_server_other(const struct socket *sck);
74381 ++extern int gr_handle_sock_client(const struct sockaddr *sck);
74382 ++extern int gr_search_connect(const struct socket * sock,
74383 ++ const struct sockaddr_in * addr);
74384 ++extern int gr_search_bind(const struct socket * sock,
74385 ++ const struct sockaddr_in * addr);
74386 ++extern int gr_search_listen(const struct socket * sock);
74387 ++extern int gr_search_accept(const struct socket * sock);
74388 ++extern int gr_search_socket(const int domain, const int type,
74389 ++ const int protocol);
74390 ++
74391 + static int sock_no_open(struct inode *irrelevant, struct file *dontcare);
74392 + static ssize_t sock_aio_read(struct kiocb *iocb, const struct iovec *iov,
74393 + unsigned long nr_segs, loff_t pos);
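Review bot: this block of twelve gr_* prototypes belongs in <linux/grsecurity.h> or a net-specific header, not as externs inside net/socket.c; with a separate declaration in each caller, a signature change in the definition is not caught by the compiler. Note also the mixed parameter types: some hooks take `const struct sockaddr *`, others `const struct sockaddr_in *`, which forces the casts seen in the sys_bind and sys_connect hunks below and leaves the address-family check to the callee; that expectation should be documented.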
74394 +@@ -293,7 +309,7 @@ static int sockfs_get_sb(struct file_sys
74395 + mnt);
74396 + }
74397 +
74398 +-static struct vfsmount *sock_mnt __read_mostly;
74399 ++struct vfsmount *sock_mnt __read_mostly;
74400 +
74401 + static struct file_system_type sock_fs_type = {
74402 + .name = "sockfs",
74403 +@@ -1204,6 +1220,16 @@ asmlinkage long sys_socket(int family, i
74404 + int retval;
74405 + struct socket *sock;
74406 +
74407 ++ if(!gr_search_socket(family, type, protocol)) {
74408 ++ retval = -EACCES;
74409 ++ goto out;
74410 ++ }
74411 ++
74412 ++ if (gr_handle_sock_all(family, type, protocol)) {
74413 ++ retval = -EACCES;
74414 ++ goto out;
74415 ++ }
74416 ++
74417 + retval = sock_create(family, type, protocol, &sock);
74418 + if (retval < 0)
74419 + goto out;
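Review bot: the two checks are independent but fail identically; fold them into one `if (!gr_search_socket(...) || gr_handle_sock_all(...))` as the sys_bind hunk below already does. The bigger issue is errno consistency: socket() and bind() denials return -EACCES here while listen(), accept() and the UDP sendmsg hooks return -EPERM. Pick one value for policy denials so applications and audit tooling see a consistent error, and document the choice.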
74420 +@@ -1334,6 +1360,12 @@ asmlinkage long sys_bind(int fd, struct
74421 + if (sock) {
74422 + err = move_addr_to_kernel(umyaddr, addrlen, address);
74423 + if (err >= 0) {
74424 ++ if (!gr_search_bind(sock, (struct sockaddr_in *)address) ||
74425 ++ gr_handle_sock_server((struct sockaddr *)address)) {
74426 ++ err = -EACCES;
74427 ++ goto error;
74428 ++ }
74429 ++
74430 + err = security_socket_bind(sock,
74431 + (struct sockaddr *)address,
74432 + addrlen);
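Review bot: `(struct sockaddr_in *)address` is passed to gr_search_bind() regardless of the address family that move_addr_to_kernel() just copied in; for AF_INET6, AF_UNIX, AF_NETLINK and friends the sin_addr/sin_port fields are read from the wrong offsets (no overrun, since `address` is MAX_SOCK_ADDR bytes, but a wrong decision). gr_search_bind() must check `((struct sockaddr *)address)->sa_family == AF_INET` before interpreting the payload, or the cast should only be made on that branch. The ordering is otherwise right: the grsecurity decision precedes security_socket_bind(), so an LSM only sees calls that policy already allowed.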
74433 +@@ -1342,6 +1374,7 @@ asmlinkage long sys_bind(int fd, struct
74434 + (struct sockaddr *)
74435 + address, addrlen);
74436 + }
74437 ++error:
74438 + fput_light(sock->file, fput_needed);
74439 + }
74440 + return err;
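Review bot: the new `error:` label sits directly before the unconditional fput_light(), so it is reached on the success path as well as on denial; a name like `out_put`, which sys_accept() and sys_connect() already use for the same purpose, would describe it better.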
74441 +@@ -1365,10 +1398,17 @@ asmlinkage long sys_listen(int fd, int b
74442 + if ((unsigned)backlog > sysctl_somaxconn)
74443 + backlog = sysctl_somaxconn;
74444 +
74445 ++ if (gr_handle_sock_server_other(sock) ||
74446 ++ !gr_search_listen(sock)) {
74447 ++ err = -EPERM;
74448 ++ goto error;
74449 ++ }
74450 ++
74451 + err = security_socket_listen(sock, backlog);
74452 + if (!err)
74453 + err = sock->ops->listen(sock, backlog);
74454 +
74455 ++error:
74456 + fput_light(sock->file, fput_needed);
74457 + }
74458 + return err;
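Review bot: this denial returns -EPERM whereas the same policy refusals in sys_socket(), sys_bind() and sys_connect() return -EACCES; the errno should be consistent across the socket syscalls. The operand order also differs from sys_bind(): here gr_handle_sock_server_other() is evaluated before the RBAC lookup, there gr_search_bind() comes first, so with short-circuit evaluation the two paths report different reasons for the same policy state; pick one order and use it in all four syscalls.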
74459 +@@ -1405,6 +1445,13 @@ asmlinkage long sys_accept(int fd, struc
74460 + newsock->type = sock->type;
74461 + newsock->ops = sock->ops;
74462 +
74463 ++ if (gr_handle_sock_server_other(sock) ||
74464 ++ !gr_search_accept(sock)) {
74465 ++ err = -EPERM;
74466 ++ sock_release(newsock);
74467 ++ goto out_put;
74468 ++ }
74469 ++
74470 + /*
74471 + * We don't need try_module_get here, as the listening socket (sock)
74472 + * has the protocol module (sock->ops->owner) held.
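Review bot: the policy check runs after sock_alloc() has already created newsock, so every denied accept() pays for an allocation and a sock_release(). Both gr_handle_sock_server_other(sock) and gr_search_accept(sock) only look at the listening socket, which is available right after sockfd_lookup_light(), so the check can move up to just after the lookup and jump to out_put without ever touching newsock. Same -EPERM vs -EACCES inconsistency as in sys_listen().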
74473 +@@ -1448,6 +1495,7 @@ asmlinkage long sys_accept(int fd, struc
74474 + err = newfd;
74475 +
74476 + security_socket_post_accept(sock, newsock);
74477 ++ gr_attach_curr_ip(newsock->sk);
74478 +
74479 + out_put:
74480 + fput_light(sock->file, fput_needed);
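Review bot: gr_attach_curr_ip(newsock->sk) is called for every successfully accepted socket, including AF_UNIX and other non-INET families, so it must check sk->sk_family before touching inet_sk() fields. It is also not among the extern prototypes visible at the top of this file's changes, so make sure it is declared in linux/grsecurity.h rather than relying on an implicit declaration.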
74481 +@@ -1481,6 +1529,7 @@ asmlinkage long sys_connect(int fd, stru
74482 + {
74483 + struct socket *sock;
74484 + char address[MAX_SOCK_ADDR];
74485 ++ struct sockaddr *sck;
74486 + int err, fput_needed;
74487 +
74488 + sock = sockfd_lookup_light(fd, &err, &fput_needed);
74489 +@@ -1490,6 +1539,13 @@ asmlinkage long sys_connect(int fd, stru
74490 + if (err < 0)
74491 + goto out_put;
74492 +
74493 ++ sck = (struct sockaddr *)address;
74494 ++ if (!gr_search_connect(sock, (struct sockaddr_in *)sck) ||
74495 ++ gr_handle_sock_client(sck)) {
74496 ++ err = -EACCES;
74497 ++ goto out_put;
74498 ++ }
74499 ++
74500 + err =
74501 + security_socket_connect(sock, (struct sockaddr *)address, addrlen);
74502 + if (err)
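Review bot: same address-family problem as in sys_bind(): `sck` is cast to `struct sockaddr_in *` for gr_search_connect() without checking sa_family, so AF_INET6 or AF_UNIX connect() requests are interpreted as IPv4 addresses. The extra `sck` variable exists only to perform that cast and could be dropped if the helper took `struct sockaddr *` and dispatched on sa_family itself, as gr_handle_sock_client() already does.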
74503 +@@ -1767,6 +1823,7 @@ asmlinkage long sys_shutdown(int fd, int
74504 + err = sock->ops->shutdown(sock, how);
74505 + fput_light(sock->file, fput_needed);
74506 + }
74507 ++
74508 + return err;
74509 + }
74510 +
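Review bot: this hunk is a whitespace-only change (one blank line added before `return err;` in sys_shutdown()) and should be dropped so the patch carries only functional changes.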
74511 +diff -urNp linux-2.6.24.5/net/unix/af_unix.c linux-2.6.24.5/net/unix/af_unix.c
74512 +--- linux-2.6.24.5/net/unix/af_unix.c 2008-03-24 14:49:18.000000000 -0400
74513 ++++ linux-2.6.24.5/net/unix/af_unix.c 2008-03-26 20:21:09.000000000 -0400
74514 +@@ -116,6 +116,7 @@
74515 + #include <linux/mount.h>
74516 + #include <net/checksum.h>
74517 + #include <linux/security.h>
74518 ++#include <linux/grsecurity.h>
74519 +
74520 + int sysctl_unix_max_dgram_qlen __read_mostly = 10;
74521 +
74522 +@@ -738,6 +739,11 @@ static struct sock *unix_find_other(stru
74523 + if (err)
74524 + goto put_fail;
74525 +
74526 ++ if (!gr_acl_handle_unix(nd.dentry, nd.mnt)) {
74527 ++ err = -EACCES;
74528 ++ goto put_fail;
74529 ++ }
74530 ++
74531 + err = -ECONNREFUSED;
74532 + if (!S_ISSOCK(nd.dentry->d_inode->i_mode))
74533 + goto put_fail;
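Review bot: gr_acl_handle_unix() is consulted before the S_ISSOCK() test, so a path that is not a socket at all can now fail with -EACCES instead of the -ECONNREFUSED a caller would otherwise get. If the intent is to hide ACL-denied paths that is fine, but it changes the error a portable program expects for "not a socket"; if not intended, move the check after `if (!S_ISSOCK(...)) goto put_fail;` so the ACL is only asked about real socket inodes.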
74534 +@@ -761,6 +767,13 @@ static struct sock *unix_find_other(stru
74535 + if (u) {
74536 + struct dentry *dentry;
74537 + dentry = unix_sk(u)->dentry;
74538 ++
74539 ++ if (!gr_handle_chroot_unix(u->sk_peercred.pid)) {
74540 ++ err = -EPERM;
74541 ++ sock_put(u);
74542 ++ goto fail;
74543 ++ }
74544 ++
74545 + if (dentry)
74546 + touch_atime(unix_sk(u)->mnt, dentry);
74547 + } else
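Review bot: the chroot decision keys on `u->sk_peercred.pid`, a pid captured at bind time (see the unix_bind() hunk below); pids are recycled, so once the binder has exited and the pid belongs to an unrelated task, gr_handle_chroot_unix() judges the wrong process. Consider holding a reference to the binder's task or storing a chroot identity on the socket instead of a bare pid. Also, the producer of that field is under `#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX` while this consumer is unconditional; that is only correct if gr_handle_chroot_unix() compiles to a "permit" stub when the option is off.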
74548 +@@ -839,9 +852,18 @@ static int unix_bind(struct socket *sock
74549 + */
74550 + mode = S_IFSOCK |
74551 + (SOCK_INODE(sock)->i_mode & ~current->fs->umask);
74552 ++
74553 ++ if (!gr_acl_handle_mknod(dentry, nd.dentry, nd.mnt, mode)) {
74554 ++ err = -EACCES;
74555 ++ goto out_mknod_dput;
74556 ++ }
74557 ++
74558 + err = vfs_mknod(nd.dentry->d_inode, dentry, mode, 0);
74559 + if (err)
74560 + goto out_mknod_dput;
74561 ++
74562 ++ gr_handle_create(dentry, nd.mnt);
74563 ++
74564 + mutex_unlock(&nd.dentry->d_inode->i_mutex);
74565 + dput(nd.dentry);
74566 + nd.dentry = dentry;
74567 +@@ -859,6 +881,10 @@ static int unix_bind(struct socket *sock
74568 + goto out_unlock;
74569 + }
74570 +
74571 ++#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
74572 ++ sk->sk_peercred.pid = current->pid;
74573 ++#endif
74574 ++
74575 + list = &unix_socket_table[addr->hash];
74576 + } else {
74577 + list = &unix_socket_table[dentry->d_inode->i_ino & (UNIX_HASH_SIZE-1)];
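Review bot: this stores `current->pid` rather than `current->tgid`, and only on the abstract-namespace branch (sun_path[0] == 0) of unix_bind(); pathname-bound sockets take the `else` branch and keep whatever sk_peercred.pid held before. That matches the consumer in unix_find_other(), which also sits on the abstract branch, but the scoping is easy to miss, so a comment next to the #ifdef saying that only abstract sockets are covered (pathname sockets being handled by gr_acl_handle_unix()) would help. Consider tgid as well, since a multithreaded server may bind from a thread other than the group leader.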
74578 +diff -urNp linux-2.6.24.5/scripts/pnmtologo.c linux-2.6.24.5/scripts/pnmtologo.c
74579 +--- linux-2.6.24.5/scripts/pnmtologo.c 2008-03-24 14:49:18.000000000 -0400
74580 ++++ linux-2.6.24.5/scripts/pnmtologo.c 2008-03-26 20:21:09.000000000 -0400
74581 +@@ -237,14 +237,14 @@ static void write_header(void)
74582 + fprintf(out, " * Linux logo %s\n", logoname);
74583 + fputs(" */\n\n", out);
74584 + fputs("#include <linux/linux_logo.h>\n\n", out);
74585 +- fprintf(out, "static unsigned char %s_data[] __initdata = {\n",
74586 ++ fprintf(out, "static unsigned char %s_data[] = {\n",
74587 + logoname);
74588 + }
74589 +
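Review bot: removing `__initdata` from the generated logo data keeps the boot logo arrays resident for the life of the kernel instead of freeing them with init memory; the same change is made for the `struct linux_logo` in write_footer() and the clut array in write_logo_clut224() below. Nothing in these hunks says why (presumably the init data section is discarded or remapped under KERNEXEC); a one-line comment in pnmtologo.c or the changelog would help, and the change costs memory on every build with the patch whether or not PaX is enabled.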
74590 + static void write_footer(void)
74591 + {
74592 + fputs("\n};\n\n", out);
74593 +- fprintf(out, "struct linux_logo %s __initdata = {\n", logoname);
74594 ++ fprintf(out, "struct linux_logo %s = {\n", logoname);
74595 + fprintf(out, " .type\t= %s,\n", logo_types[logo_type]);
74596 + fprintf(out, " .width\t= %d,\n", logo_width);
74597 + fprintf(out, " .height\t= %d,\n", logo_height);
74598 +@@ -374,7 +374,7 @@ static void write_logo_clut224(void)
74599 + fputs("\n};\n\n", out);
74600 +
74601 + /* write logo clut */
74602 +- fprintf(out, "static unsigned char %s_clut[] __initdata = {\n",
74603 ++ fprintf(out, "static unsigned char %s_clut[] = {\n",
74604 + logoname);
74605 + write_hex_cnt = 0;
74606 + for (i = 0; i < logo_clutsize; i++) {
74607 +diff -urNp linux-2.6.24.5/security/commoncap.c linux-2.6.24.5/security/commoncap.c
74608 +--- linux-2.6.24.5/security/commoncap.c 2008-04-17 20:05:17.000000000 -0400
74609 ++++ linux-2.6.24.5/security/commoncap.c 2008-04-17 20:05:01.000000000 -0400
74610 +@@ -24,6 +24,7 @@
74611 + #include <linux/hugetlb.h>
74612 + #include <linux/mount.h>
74613 + #include <linux/sched.h>
74614 ++#include <linux/grsecurity.h>
74615 +
74616 + #ifdef CONFIG_SECURITY_FILE_CAPABILITIES
74617 + /*
74618 +@@ -44,9 +45,11 @@ EXPORT_SYMBOL(cap_bset);
74619 + unsigned securebits = SECUREBITS_DEFAULT; /* systemwide security settings */
74620 + EXPORT_SYMBOL(securebits);
74621 +
74622 ++extern __u32 gr_cap_rtnetlink(struct sock *sk);
74623 ++
74624 + int cap_netlink_send(struct sock *sk, struct sk_buff *skb)
74625 + {
74626 +- NETLINK_CB(skb).eff_cap = current->cap_effective;
74627 ++ NETLINK_CB(skb).eff_cap = gr_cap_rtnetlink(sk);
74628 + return 0;
74629 + }
74630 +
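Review bot: `extern __u32 gr_cap_rtnetlink(struct sock *sk);` is another prototype declared in a .c file instead of linux/grsecurity.h, which this file already includes a few lines up. Also, cap_netlink_send() runs for every netlink protocol, not only NETLINK_ROUTE, so gr_cap_rtnetlink() must return current->cap_effective unchanged for sockets it does not care about, or eff_cap will be altered for audit, uevent and other netlink users; its name suggests a narrower scope than its call site. Minor: the file header shows the `+++` timestamp (20:05:01) older than the `---` one (20:05:17), which hints the diff was taken against a mismatched tree.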
74631 +@@ -68,7 +71,15 @@ EXPORT_SYMBOL(cap_netlink_recv);
74632 + int cap_capable (struct task_struct *tsk, int cap)
74633 + {
74634 + /* Derived from include/linux/sched.h:capable. */
74635 +- if (cap_raised(tsk->cap_effective, cap))
74636 ++ if (cap_raised (tsk->cap_effective, cap))
74637 ++ return 0;
74638 ++ return -EPERM;
74639 ++}
74640 ++
74641 ++int cap_capable_nolog (struct task_struct *tsk, int cap)
74642 ++{
74643 ++ /* tsk = current for all callers */
74644 ++ if (cap_raised(tsk->cap_effective, cap) && gr_is_capable_nolog(cap))
74645 + return 0;
74646 + return -EPERM;
74647 + }
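Review bot: the change to cap_capable() is whitespace only (`cap_raised (` with a space) and produces a needless diff line; drop it. In cap_capable_nolog(), the comment says `tsk = current for all callers` but the function still takes a `tsk` argument and tests tsk->cap_effective while gr_is_capable_nolog(cap) implicitly operates on current; if a future caller passes another task the two halves of the condition will disagree. Either drop the parameter or pass `tsk` to gr_is_capable_nolog() so the assumption is enforced by the signature rather than by a comment.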
74648 +@@ -343,8 +354,11 @@ void cap_bprm_apply_creds (struct linux_
74649 + }
74650 + }
74651 +
74652 +- current->suid = current->euid = current->fsuid = bprm->e_uid;
74653 +- current->sgid = current->egid = current->fsgid = bprm->e_gid;
74654 ++ if (!gr_check_user_change(-1, bprm->e_uid, bprm->e_uid))
74655 ++ current->suid = current->euid = current->fsuid = bprm->e_uid;
74656 ++
74657 ++ if (!gr_check_group_change(-1, bprm->e_gid, bprm->e_gid))
74658 ++ current->sgid = current->egid = current->fsgid = bprm->e_gid;
74659 +
74660 + /* For init, we want to retain the capabilities set
74661 + * in the init_task struct. Thus we skip the usual
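Review bot: if gr_check_user_change() or gr_check_group_change() returns non-zero, the setuid/setgid credentials are silently not applied and the exec proceeds with the caller's identity; a binary that assumes it is running as its file owner will then run with unexpected privileges instead of failing closed. cap_bprm_apply_creds() is void and cannot report an error here, so the denial belongs earlier, in the bprm_set_security / bprm_check_security hooks where exec can still fail with -EACCES, or at minimum bprm->e_uid/e_gid should be reset so later code agrees with what was applied. Note also that the uid and gid changes are allowed or refused independently, so a denied uid with an allowed gid yields a half-applied credential set.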
74662 +@@ -355,6 +369,8 @@ void cap_bprm_apply_creds (struct linux_
74663 + new_permitted : 0;
74664 + }
74665 +
74666 ++ gr_handle_chroot_caps(current);
74667 ++
74668 + /* AUD: Audit candidate if current->cap_effective is set */
74669 +
74670 + current->keep_capabilities = 0;
74671 +@@ -563,7 +579,7 @@ int cap_vm_enough_memory(struct mm_struc
74672 + {
74673 + int cap_sys_admin = 0;
74674 +
74675 +- if (cap_capable(current, CAP_SYS_ADMIN) == 0)
74676 ++ if (cap_capable_nolog(current, CAP_SYS_ADMIN) == 0)
74677 + cap_sys_admin = 1;
74678 + return __vm_enough_memory(mm, pages, cap_sys_admin);
74679 + }
74680 +diff -urNp linux-2.6.24.5/security/dummy.c linux-2.6.24.5/security/dummy.c
74681 +--- linux-2.6.24.5/security/dummy.c 2008-03-24 14:49:18.000000000 -0400
74682 ++++ linux-2.6.24.5/security/dummy.c 2008-03-26 20:21:09.000000000 -0400
74683 +@@ -27,6 +27,7 @@
74684 + #include <linux/hugetlb.h>
74685 + #include <linux/ptrace.h>
74686 + #include <linux/file.h>
74687 ++#include <linux/grsecurity.h>
74688 +
74689 + static int dummy_ptrace (struct task_struct *parent, struct task_struct *child)
74690 + {
74691 +@@ -135,8 +136,11 @@ static void dummy_bprm_apply_creds (stru
74692 + }
74693 + }
74694 +
74695 +- current->suid = current->euid = current->fsuid = bprm->e_uid;
74696 +- current->sgid = current->egid = current->fsgid = bprm->e_gid;
74697 ++ if (!gr_check_user_change(-1, bprm->e_uid, bprm->e_uid))
74698 ++ current->suid = current->euid = current->fsuid = bprm->e_uid;
74699 ++
74700 ++ if (!gr_check_group_change(-1, bprm->e_gid, bprm->e_gid))
74701 ++ current->sgid = current->egid = current->fsgid = bprm->e_gid;
74702 +
74703 + dummy_capget(current, &current->cap_effective, &current->cap_inheritable, &current->cap_permitted);
74704 + }
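Review bot: dummy_bprm_apply_creds() gets the same uid/gid gating as cap_bprm_apply_creds() but not the gr_handle_chroot_caps(current) call added to the commoncap version, so chroot capability restrictions apply only when the capability module is active. Either add the call here too or document that the chroot capability option requires the capabilities LSM. The silent-fallthrough concern raised on the commoncap hunk applies here as well.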
74705 +diff -urNp linux-2.6.24.5/security/Kconfig linux-2.6.24.5/security/Kconfig
74706 +--- linux-2.6.24.5/security/Kconfig 2008-03-24 14:49:18.000000000 -0400
74707 ++++ linux-2.6.24.5/security/Kconfig 2008-03-26 20:21:09.000000000 -0400
74708 +@@ -4,6 +4,429 @@
74709 +
74710 + menu "Security options"
74711 +
74712 ++source grsecurity/Kconfig
74713 ++
74714 ++menu "PaX"
74715 ++
74716 ++config PAX
74717 ++ bool "Enable various PaX features"
74718 ++ depends on GRKERNSEC && (ALPHA || ARM || AVR32 || IA64 || MIPS32 || MIPS64 || PARISC || PPC32 || PPC64 || SPARC32 || SPARC64 || X86 || X86_64)
74719 ++ help
74720 ++ This allows you to enable various PaX features. PaX adds
74721 ++ intrusion prevention mechanisms to the kernel that reduce
74722 ++ the risks posed by exploitable memory corruption bugs.
74723 ++
74724 ++menu "PaX Control"
74725 ++ depends on PAX
74726 ++
74727 ++config PAX_SOFTMODE
74728 ++ bool 'Support soft mode'
74729 ++ help
74730 ++ Enabling this option will allow you to run PaX in soft mode, that
74731 ++ is, PaX features will not be enforced by default, only on executables
74732 ++ marked explicitly. You must also enable PT_PAX_FLAGS support as it
74733 ++ is the only way to mark executables for soft mode use.
74734 ++
74735 ++ Soft mode can be activated by using the "pax_softmode=1" kernel command
74736 ++ line option on boot. Furthermore you can control various PaX features
74737 ++ at runtime via the entries in /proc/sys/kernel/pax.
74738 ++
74739 ++config PAX_EI_PAX
74740 ++ bool 'Use legacy ELF header marking'
74741 ++ help
74742 ++ Enabling this option will allow you to control PaX features on
74743 ++ a per executable basis via the 'chpax' utility available at
74744 ++ http://pax.grsecurity.net/. The control flags will be read from
74745 ++ an otherwise reserved part of the ELF header. This marking has
74746 ++ numerous drawbacks (no support for soft-mode, toolchain does not
74747 ++ know about the non-standard use of the ELF header) therefore it
74748 ++ has been deprecated in favour of PT_PAX_FLAGS support.
74749 ++
74750 ++ If you have applications not marked by the PT_PAX_FLAGS ELF
74751 ++ program header then you MUST enable this option otherwise they
74752 ++ will not get any protection.
74753 ++
74754 ++ Note that if you enable PT_PAX_FLAGS marking support as well,
74755 ++ the PT_PAX_FLAG marks will override the legacy EI_PAX marks.
74756 ++
74757 ++config PAX_PT_PAX_FLAGS
74758 ++ bool 'Use ELF program header marking'
74759 ++ help
74760 ++ Enabling this option will allow you to control PaX features on
74761 ++ a per executable basis via the 'paxctl' utility available at
74762 ++ http://pax.grsecurity.net/. The control flags will be read from
74763 ++ a PaX specific ELF program header (PT_PAX_FLAGS). This marking
74764 ++ has the benefits of supporting both soft mode and being fully
74765 ++ integrated into the toolchain (the binutils patch is available
74766 ++ from http://pax.grsecurity.net).
74767 ++
74768 ++ If you have applications not marked by the PT_PAX_FLAGS ELF
74769 ++ program header then you MUST enable the EI_PAX marking support
74770 ++ otherwise they will not get any protection.
74771 ++
74772 ++ Note that if you enable the legacy EI_PAX marking support as well,
74773 ++ the EI_PAX marks will be overridden by the PT_PAX_FLAGS marks.
74774 ++
74775 ++choice
74776 ++ prompt 'MAC system integration'
74777 ++ default PAX_HAVE_ACL_FLAGS
74778 ++ help
74779 ++ Mandatory Access Control systems have the option of controlling
74780 ++ PaX flags on a per executable basis, choose the method supported
74781 ++ by your particular system.
74782 ++
74783 ++ - "none": if your MAC system does not interact with PaX,
74784 ++ - "direct": if your MAC system defines pax_set_initial_flags() itself,
74785 ++ - "hook": if your MAC system uses the pax_set_initial_flags_func callback.
74786 ++
74787 ++ NOTE: this option is for developers/integrators only.
74788 ++
74789 ++ config PAX_NO_ACL_FLAGS
74790 ++ bool 'none'
74791 ++
74792 ++ config PAX_HAVE_ACL_FLAGS
74793 ++ bool 'direct'
74794 ++
74795 ++ config PAX_HOOK_ACL_FLAGS
74796 ++ bool 'hook'
74797 ++endchoice
74798 ++
74799 ++endmenu
74800 ++
74801 ++menu "Non-executable pages"
74802 ++ depends on PAX
74803 ++
74804 ++config PAX_NOEXEC
74805 ++ bool "Enforce non-executable pages"
74806 ++ depends on (PAX_EI_PAX || PAX_PT_PAX_FLAGS || PAX_HAVE_ACL_FLAGS || PAX_HOOK_ACL_FLAGS) && (ALPHA || IA64 || MIPS32 || MIPS64 || PARISC || PPC32 || PPC64 || SPARC32 || SPARC64 || X86 || X86_64)
74807 ++ help
74808 ++ By design some architectures do not allow for protecting memory
74809 ++ pages against execution or even if they do, Linux does not make
74810 ++ use of this feature. In practice this means that if a page is
74811 ++ readable (such as the stack or heap) it is also executable.
74812 ++
74813 ++ There is a well known exploit technique that makes use of this
74814 ++ fact and a common programming mistake where an attacker can
74815 ++ introduce code of his choice somewhere in the attacked program's
74816 ++ memory (typically the stack or the heap) and then execute it.
74817 ++
74818 ++ If the attacked program was running with different (typically
74819 ++ higher) privileges than that of the attacker, then he can elevate
74820 ++ his own privilege level (e.g. get a root shell, write to files for
74821 ++ which he does not have write access to, etc).
74822 ++
74823 ++ Enabling this option will let you choose from various features
74824 ++ that prevent the injection and execution of 'foreign' code in
74825 ++ a program.
74826 ++
74827 ++ This will also break programs that rely on the old behaviour and
74828 ++ expect that dynamically allocated memory via the malloc() family
74829 ++ of functions is executable (which it is not). Notable examples
74830 ++ are the XFree86 4.x server, the java runtime and wine.
74831 ++
74832 ++config PAX_PAGEEXEC
74833 ++ bool "Paging based non-executable pages"
74834 ++ depends on !COMPAT_VDSO && PAX_NOEXEC && (!X86_32 || M586 || M586TSC || M586MMX || M686 || MPENTIUMII || MPENTIUMIII || MPENTIUMM || MCORE2 || MPENTIUM4 || MK7 || MK8 || MWINCHIPC6 || MWINCHIP2 || MWINCHIP3D || MVIAC3_2)
74835 ++ help
74836 ++ This implementation is based on the paging feature of the CPU.
74837 ++ On i386 without hardware non-executable bit support there is a
74838 ++ variable but usually low performance impact, however on Intel's
74839 ++ P4 core based CPUs it is very high so you should not enable this
74840 ++ for kernels meant to be used on such CPUs.
74841 ++
74842 ++ On alpha, avr32, ia64, parisc, sparc, sparc64, x86_64 and i386
74843 ++ with hardware non-executable bit support there is no performance
74844 ++ impact, on ppc the impact is negligible.
74845 ++
74846 ++ Note that several architectures require various emulations due to
74847 ++ badly designed userland ABIs, this will cause a performance impact
74848 ++ but will disappear as soon as userland is fixed (e.g., ppc users
74849 ++ can make use of the secure-plt feature found in binutils).
74850 ++
74851 ++config PAX_SEGMEXEC
74852 ++ bool "Segmentation based non-executable pages"
74853 ++ depends on !COMPAT_VDSO && PAX_NOEXEC && X86_32
74854 ++ help
74855 ++ This implementation is based on the segmentation feature of the
74856 ++ CPU and has a very small performance impact, however applications
74857 ++ will be limited to a 1.5 GB address space instead of the normal
74858 ++ 3 GB.
74859 ++
74860 ++config PAX_EMUTRAMP
74861 ++ bool "Emulate trampolines" if (PAX_PAGEEXEC || PAX_SEGMEXEC) && (PARISC || PPC32 || X86)
74862 ++ default y if PARISC || PPC32
74863 ++ help
74864 ++ There are some programs and libraries that for one reason or
74865 ++ another attempt to execute special small code snippets from
74866 ++ non-executable memory pages. Most notable examples are the
74867 ++ signal handler return code generated by the kernel itself and
74868 ++ the GCC trampolines.
74869 ++
74870 ++ If you enabled CONFIG_PAX_PAGEEXEC or CONFIG_PAX_SEGMEXEC then
74871 ++ such programs will no longer work under your kernel.
74872 ++
74873 ++ As a remedy you can say Y here and use the 'chpax' or 'paxctl'
74874 ++ utilities to enable trampoline emulation for the affected programs
74875 ++ yet still have the protection provided by the non-executable pages.
74876 ++
74877 ++ On parisc and ppc you MUST enable this option and EMUSIGRT as
74878 ++ well, otherwise your system will not even boot.
74879 ++
74880 ++ Alternatively you can say N here and use the 'chpax' or 'paxctl'
74881 ++ utilities to disable CONFIG_PAX_PAGEEXEC and CONFIG_PAX_SEGMEXEC
74882 ++ for the affected files.
74883 ++
74884 ++ NOTE: enabling this feature *may* open up a loophole in the
74885 ++ protection provided by non-executable pages that an attacker
74886 ++ could abuse. Therefore the best solution is to not have any
74887 ++ files on your system that would require this option. This can
74888 ++ be achieved by not using libc5 (which relies on the kernel
74889 ++ signal handler return code) and not using or rewriting programs
74890 ++ that make use of the nested function implementation of GCC.
74891 ++ Skilled users can just fix GCC itself so that it implements
74892 ++ nested function calls in a way that does not interfere with PaX.
74893 ++
74894 ++config PAX_EMUSIGRT
74895 ++ bool "Automatically emulate sigreturn trampolines"
74896 ++ depends on PAX_EMUTRAMP && (PARISC || PPC32)
74897 ++ default y
74898 ++ help
74899 ++ Enabling this option will have the kernel automatically detect
74900 ++ and emulate signal return trampolines executing on the stack
74901 ++ that would otherwise lead to task termination.
74902 ++
74903 ++ This solution is intended as a temporary one for users with
74904 ++ legacy versions of libc (libc5, glibc 2.0, uClibc before 0.9.17,
74905 ++ Modula-3 runtime, etc) or executables linked to such, basically
74906 ++ everything that does not specify its own SA_RESTORER function in
74907 ++ normal executable memory like glibc 2.1+ does.
74908 ++
74909 ++ On parisc and ppc you MUST enable this option, otherwise your
74910 ++ system will not even boot.
74911 ++
74912 ++ NOTE: this feature cannot be disabled on a per executable basis
74913 ++ and since it *does* open up a loophole in the protection provided
74914 ++ by non-executable pages, the best solution is to not have any
74915 ++ files on your system that would require this option.
74916 ++
74917 ++config PAX_MPROTECT
74918 ++ bool "Restrict mprotect()"
74919 ++ depends on (PAX_PAGEEXEC || PAX_SEGMEXEC) && !PPC64
74920 ++ help
74921 ++ Enabling this option will prevent programs from
74922 ++ - changing the executable status of memory pages that were
74923 ++ not originally created as executable,
74924 ++ - making read-only executable pages writable again,
74925 ++ - creating executable pages from anonymous memory.
74926 ++
74927 ++ You should say Y here to complete the protection provided by
74928 ++ the enforcement of non-executable pages.
74929 ++
74930 ++ NOTE: you can use the 'chpax' or 'paxctl' utilities to control
74931 ++ this feature on a per file basis.
74932 ++
74933 ++config PAX_NOELFRELOCS
74934 ++ bool "Disallow ELF text relocations"
74935 ++ depends on PAX_MPROTECT && !PAX_ETEXECRELOCS && (IA64 || X86 || X86_64)
74936 ++ help
74937 ++ Non-executable pages and mprotect() restrictions are effective
74938 ++ in preventing the introduction of new executable code into an
74939 ++ attacked task's address space. There remain only two venues
74940 ++ for this kind of attack: if the attacker can execute already
74941 ++ existing code in the attacked task then he can either have it
74942 ++ create and mmap() a file containing his code or have it mmap()
74943 ++ an already existing ELF library that does not have position
74944 ++ independent code in it and use mprotect() on it to make it
74945 ++ writable and copy his code there. While protecting against
74946 ++ the former approach is beyond PaX, the latter can be prevented
74947 ++ by having only PIC ELF libraries on one's system (which do not
74948 ++ need to relocate their code). If you are sure this is your case,
74949 ++ then enable this option otherwise be careful as you may not even
74950 ++ be able to boot or log on your system (for example, some PAM
74951 ++ modules are erroneously compiled as non-PIC by default).
74952 ++
74953 ++ NOTE: if you are using dynamic ELF executables (as suggested
74954 ++ when using ASLR) then you must have made sure that you linked
74955 ++ your files using the PIC version of crt1 (the et_dyn.tar.gz package
74956 ++ referenced there has already been updated to support this).
74957 ++
74958 ++config PAX_ETEXECRELOCS
74959 ++ bool "Allow ELF ET_EXEC text relocations"
74960 ++ depends on PAX_MPROTECT && (ALPHA || IA64 || PARISC)
74961 ++ default y
74962 ++ help
74963 ++ On some architectures there are incorrectly created applications
74964 ++ that require text relocations and would not work without enabling
74965 ++ this option. If you are an alpha, ia64 or parisc user, you should
74966 ++ enable this option and disable it once you have made sure that
74967 ++ none of your applications need it.
74968 ++
74969 ++config PAX_EMUPLT
74970 ++ bool "Automatically emulate ELF PLT"
74971 ++ depends on PAX_MPROTECT && (ALPHA || PARISC || PPC32 || SPARC32 || SPARC64)
74972 ++ default y
74973 ++ help
74974 ++ Enabling this option will have the kernel automatically detect
74975 ++ and emulate the Procedure Linkage Table entries in ELF files.
74976 ++ On some architectures such entries are in writable memory, and
74977 ++ become non-executable leading to task termination. Therefore
74978 ++ it is mandatory that you enable this option on alpha, parisc,
74979 ++ ppc (if secure-plt is not used throughout in userland), sparc
74980 ++ and sparc64, otherwise your system would not even boot.
74981 ++
74982 ++ NOTE: this feature *does* open up a loophole in the protection
74983 ++ provided by the non-executable pages, therefore the proper
74984 ++ solution is to modify the toolchain to produce a PLT that does
74985 ++ not need to be writable.
74986 ++
74987 ++config PAX_DLRESOLVE
74988 ++ bool
74989 ++ depends on PAX_EMUPLT && (SPARC32 || SPARC64)
74990 ++ default y
74991 ++
74992 ++config PAX_SYSCALL
74993 ++ bool
74994 ++ depends on PAX_PAGEEXEC && PPC32
74995 ++ default y
74996 ++
74997 ++config PAX_KERNEXEC
74998 ++ bool "Enforce non-executable kernel pages"
74999 ++ depends on PAX_NOEXEC && X86 && !EFI && !COMPAT_VDSO && (!X86_32 || X86_WP_WORKS_OK) && !PARAVIRT
75000 ++ help
75001 ++ This is the kernel land equivalent of PAGEEXEC and MPROTECT,
75002 ++ that is, enabling this option will make it harder to inject
75003 ++ and execute 'foreign' code in kernel memory itself.
75004 ++
75005 ++endmenu
75006 ++
75007 ++menu "Address Space Layout Randomization"
75008 ++ depends on PAX
75009 ++
75010 ++config PAX_ASLR
75011 ++ bool "Address Space Layout Randomization"
75012 ++ depends on PAX_EI_PAX || PAX_PT_PAX_FLAGS || PAX_HAVE_ACL_FLAGS || PAX_HOOK_ACL_FLAGS
75013 ++ help
75014 ++ Many if not most exploit techniques rely on the knowledge of
75015 ++ certain addresses in the attacked program. The following options
75016 ++ will allow the kernel to apply a certain amount of randomization
75017 ++ to specific parts of the program thereby forcing an attacker to
75018 ++ guess them in most cases. Any failed guess will most likely crash
75019 ++ the attacked program which allows the kernel to detect such attempts
75020 ++ and react on them. PaX itself provides no reaction mechanisms,
75021 ++ instead it is strongly encouraged that you make use of Nergal's
75022 ++ segvguard (ftp://ftp.pl.openwall.com/misc/segvguard/) or grsecurity's
75023 ++ (http://www.grsecurity.net/) built-in crash detection features or
75024 ++ develop one yourself.
75025 ++
75026 ++ By saying Y here you can choose to randomize the following areas:
75027 ++ - top of the task's kernel stack
75028 ++ - top of the task's userland stack
75029 ++ - base address for mmap() requests that do not specify one
75030 ++ (this includes all libraries)
75031 ++ - base address of the main executable
75032 ++
75033 ++ It is strongly recommended to say Y here as address space layout
75034 ++ randomization has negligible impact on performance yet it provides
75035 ++ a very effective protection.
75036 ++
75037 ++ NOTE: you can use the 'chpax' or 'paxctl' utilities to control
75038 ++ this feature on a per file basis.
75039 ++
75040 ++config PAX_RANDKSTACK
75041 ++ bool "Randomize kernel stack base"
75042 ++ depends on PAX_ASLR && X86_TSC && X86_32
75043 ++ help
75044 ++ By saying Y here the kernel will randomize every task's kernel
75045 ++ stack on every system call. This will not only force an attacker
75046 ++ to guess it but also prevent him from making use of possible
75047 ++ leaked information about it.
75048 ++
75049 ++ Since the kernel stack is a rather scarce resource, randomization
75050 ++ may cause unexpected stack overflows, therefore you should very
75051 ++ carefully test your system. Note that once enabled in the kernel
75052 ++ configuration, this feature cannot be disabled on a per file basis.
75053 ++
75054 ++config PAX_RANDUSTACK
75055 ++ bool "Randomize user stack base"
75056 ++ depends on PAX_ASLR
75057 ++ help
75058 ++ By saying Y here the kernel will randomize every task's userland
75059 ++ stack. The randomization is done in two steps where the second
75060 ++ one may apply a big amount of shift to the top of the stack and
75061 ++ cause problems for programs that want to use lots of memory (more
75062 ++ than 2.5 GB if SEGMEXEC is not active, or 1.25 GB when it is).
75063 ++ For this reason the second step can be controlled by 'chpax' or
75064 ++ 'paxctl' on a per file basis.
75065 ++
75066 ++config PAX_RANDMMAP
75067 ++ bool "Randomize mmap() base"
75068 ++ depends on PAX_ASLR
75069 ++ help
75070 ++ By saying Y here the kernel will use a randomized base address for
75071 ++ mmap() requests that do not specify one themselves. As a result
75072 ++ all dynamically loaded libraries will appear at random addresses
75073 ++ and therefore be harder to exploit by a technique where an attacker
75074 ++ attempts to execute library code for his purposes (e.g. spawn a
75075 ++ shell from an exploited program that is running at an elevated
75076 ++ privilege level).
75077 ++
75078 ++ Furthermore, if a program is relinked as a dynamic ELF file, its
75079 ++ base address will be randomized as well, completing the full
75080 ++ randomization of the address space layout. Attacking such programs
75081 ++ becomes a guess game. You can find an example of doing this at
75082 ++ http://pax.grsecurity.net/et_dyn.tar.gz and practical samples at
75083 ++ http://www.grsecurity.net/grsec-gcc-specs.tar.gz .
75084 ++
75085 ++ NOTE: you can use the 'chpax' or 'paxctl' utilities to control this
75086 ++ feature on a per file basis.
75087 ++
75088 ++endmenu
75089 ++
75090 ++menu "Miscellaneous hardening features"
75091 ++
75092 ++config PAX_MEMORY_SANITIZE
75093 ++ bool "Sanitize all freed memory"
75094 ++ help
75095 ++ By saying Y here the kernel will erase memory pages as soon as they
75096 ++ are freed. This in turn reduces the lifetime of data stored in the
75097 ++ pages, making it less likely that sensitive information such as
75098 ++ passwords, cryptographic secrets, etc stay in memory for too long.
75099 ++
75100 ++ This is especially useful for programs whose runtime is short, long
75101 ++ lived processes and the kernel itself benefit from this as long as
75102 ++ they operate on whole memory pages and ensure timely freeing of pages
75103 ++ that may hold sensitive information.
75104 ++
75105 ++ The tradeoff is performance impact, on a single CPU system kernel
75106 ++ compilation sees a 3% slowdown, other systems and workloads may vary
75107 ++ and you are advised to test this feature on your expected workload
75108 ++ before deploying it.
75109 ++
75110 ++ Note that this feature does not protect data stored in live pages,
75111 ++ e.g., process memory swapped to disk may stay there for a long time.
75112 ++
75113 ++config PAX_MEMORY_UDEREF
75114 ++ bool "Prevent invalid userland pointer dereference"
75115 ++ depends on X86_32 && !COMPAT_VDSO
75116 ++ help
75117 ++ By saying Y here the kernel will be prevented from dereferencing
75118 ++ userland pointers in contexts where the kernel expects only kernel
75119 ++ pointers. This is both a useful runtime debugging feature and a
75120 ++ security measure that prevents exploiting a class of kernel bugs.
75121 ++
75122 ++ The tradeoff is that some virtualization solutions may experience
75123 ++ a huge slowdown and therefore you should not enable this feature
75124 ++ for kernels meant to run in such environments. Whether a given VM
75125 ++ solution is affected or not is best determined by simply trying it
75126 ++ out, the performance impact will be obvious right on boot as this
75127 ++ mechanism engages from very early on. A good rule of thumb is that
75128 ++ VMs running on CPUs without hardware virtualization support (i.e.,
75129 ++ the majority of IA-32 CPUs) will likely experience the slowdown.
75130 ++
75131 ++endmenu
75132 ++
75133 ++endmenu
75134 ++
75135 + config KEYS
75136 + bool "Enable access key retention support"
75137 + help
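Review bot: a few inconsistencies in the new Kconfig block. PAX depends on GRKERNSEC, so PaX cannot be selected without grsecurity on this tree; if standalone PaX is meant to be supported that dependency needs relaxing. PAX_NOEXEC's `depends on` architecture list omits ARM and AVR32 although PAX itself allows both, and the PAX_PAGEEXEC help text explicitly says avr32 has no performance impact; either add AVR32 to PAX_NOEXEC or fix the help text. `X86 || X86_64` appears in several dependency lines, but on 2.6.24 CONFIG_X86 is set for both 32- and 64-bit builds, so `X86_64` is redundant there (PAX_SEGMEXEC and PAX_RANDKSTACK correctly use `X86_32` for the 32-bit-only cases). The "Miscellaneous hardening features" menu has no `depends on PAX`, unlike the other submenus, so PAX_MEMORY_SANITIZE and PAX_MEMORY_UDEREF are offered even when PAX is disabled; if that is intentional their help text should say they are independent of the rest of PaX. Finally, PAX_EMUTRAMP's `bool "..." if (...)` form makes it a silent symbol that is `default y` on parisc/ppc32 but unreachable from the menu on other architectures; that is presumably intended, but a short comment would save the next reader the dig.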
75138 +diff -urNp linux-2.6.24.5/sound/core/oss/pcm_oss.c linux-2.6.24.5/sound/core/oss/pcm_oss.c
75139 +--- linux-2.6.24.5/sound/core/oss/pcm_oss.c 2008-03-24 14:49:18.000000000 -0400
75140 ++++ linux-2.6.24.5/sound/core/oss/pcm_oss.c 2008-03-26 20:21:09.000000000 -0400
75141 +@@ -2913,8 +2913,8 @@ static void snd_pcm_oss_proc_done(struct
75142 + }
75143 + }
75144 + #else /* !CONFIG_SND_VERBOSE_PROCFS */
75145 +-#define snd_pcm_oss_proc_init(pcm)
75146 +-#define snd_pcm_oss_proc_done(pcm)
75147 ++#define snd_pcm_oss_proc_init(pcm) do {} while (0)
75148 ++#define snd_pcm_oss_proc_done(pcm) do {} while (0)
75149 + #endif /* CONFIG_SND_VERBOSE_PROCFS */
75150 +
75151 + /*
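Review bot: replacing the empty `snd_pcm_oss_proc_init(pcm)` / `snd_pcm_oss_proc_done(pcm)` bodies with `do {} while (0)` only silences empty-statement warnings and is behaviour-neutral, and it has nothing to do with grsecurity; the same holds for the identical change to the `snd_use_lock_*` macros in seq_lock.h below. Both belong in a separate cleanup patch (or upstream) rather than inside the 4420 grsec patch, where they add rebase work on every kernel bump for no security gain.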
75152 +diff -urNp linux-2.6.24.5/sound/core/seq/seq_lock.h linux-2.6.24.5/sound/core/seq/seq_lock.h
75153 +--- linux-2.6.24.5/sound/core/seq/seq_lock.h 2008-03-24 14:49:18.000000000 -0400
75154 ++++ linux-2.6.24.5/sound/core/seq/seq_lock.h 2008-03-26 20:21:09.000000000 -0400
75155 +@@ -23,10 +23,10 @@ void snd_use_lock_sync_helper(snd_use_lo
75156 + #else /* SMP || CONFIG_SND_DEBUG */
75157 +
75158 + typedef spinlock_t snd_use_lock_t; /* dummy */
75159 +-#define snd_use_lock_init(lockp) /**/
75160 +-#define snd_use_lock_use(lockp) /**/
75161 +-#define snd_use_lock_free(lockp) /**/
75162 +-#define snd_use_lock_sync(lockp) /**/
75163 ++#define snd_use_lock_init(lockp) do {} while (0)
75164 ++#define snd_use_lock_use(lockp) do {} while (0)
75165 ++#define snd_use_lock_free(lockp) do {} while (0)
75166 ++#define snd_use_lock_sync(lockp) do {} while (0)
75167 +
75168 + #endif /* SMP || CONFIG_SND_DEBUG */
75169 +
75170 +diff -urNp linux-2.6.24.5/sound/pci/ac97/ac97_patch.c linux-2.6.24.5/sound/pci/ac97/ac97_patch.c
75171 +--- linux-2.6.24.5/sound/pci/ac97/ac97_patch.c 2008-03-24 14:49:18.000000000 -0400
75172 ++++ linux-2.6.24.5/sound/pci/ac97/ac97_patch.c 2008-03-26 20:21:09.000000000 -0400
75173 +@@ -1478,7 +1478,7 @@ static const struct snd_ac97_res_table a
75174 + { AC97_VIDEO, 0x9f1f },
75175 + { AC97_AUX, 0x9f1f },
75176 + { AC97_PCM, 0x9f1f },
75177 +- { } /* terminator */
75178 ++ { 0, 0 } /* terminator */
75179 + };
75180 +
75181 + static int patch_ad1819(struct snd_ac97 * ac97)
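Review bot: `{ }` and `{ 0, 0 }` both zero-initialise the terminator, so this hunk changes nothing at run time and only quiets -Wmissing-field-initializers; the cost is that the initializer now hard-codes the member count of struct snd_ac97_res_table, which the hunk does not show, so the warning returns the moment the struct grows. The same pattern recurs for the pci_device_id, ac97_quirk and shortname_table terminators in ens1370.c, intel8x0.c and intel8x0m.c below, where `{ 0, 0, 0, 0, NULL, 0 }` additionally pins the position of the `name` pointer. If the warning has to go, a designated initializer such as `{ .name = NULL }` survives struct changes; otherwise keep `{ }` and drop these hunks from the grsec patch.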
75182 +@@ -3537,7 +3537,7 @@ static struct snd_ac97_res_table lm4550_
75183 + { AC97_AUX, 0x1f1f },
75184 + { AC97_PCM, 0x1f1f },
75185 + { AC97_REC_GAIN, 0x0f0f },
75186 +- { } /* terminator */
75187 ++ { 0, 0 } /* terminator */
75188 + };
75189 +
75190 + static int patch_lm4550(struct snd_ac97 *ac97)
75191 +diff -urNp linux-2.6.24.5/sound/pci/ens1370.c linux-2.6.24.5/sound/pci/ens1370.c
75192 +--- linux-2.6.24.5/sound/pci/ens1370.c 2008-03-24 14:49:18.000000000 -0400
75193 ++++ linux-2.6.24.5/sound/pci/ens1370.c 2008-03-26 20:21:09.000000000 -0400
75194 +@@ -453,7 +453,7 @@ static struct pci_device_id snd_audiopci
75195 + { 0x1274, 0x5880, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0, }, /* ES1373 - CT5880 */
75196 + { 0x1102, 0x8938, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0, }, /* Ectiva EV1938 */
75197 + #endif
75198 +- { 0, }
75199 ++ { 0, 0, 0, 0, 0, 0, 0 }
75200 + };
75201 +
75202 + MODULE_DEVICE_TABLE(pci, snd_audiopci_ids);
75203 +diff -urNp linux-2.6.24.5/sound/pci/intel8x0.c linux-2.6.24.5/sound/pci/intel8x0.c
75204 +--- linux-2.6.24.5/sound/pci/intel8x0.c 2008-03-24 14:49:18.000000000 -0400
75205 ++++ linux-2.6.24.5/sound/pci/intel8x0.c 2008-03-26 20:21:09.000000000 -0400
75206 +@@ -436,7 +436,7 @@ static struct pci_device_id snd_intel8x0
75207 + { 0x1022, 0x746d, PCI_ANY_ID, PCI_ANY_ID, 0, 0, DEVICE_INTEL }, /* AMD8111 */
75208 + { 0x1022, 0x7445, PCI_ANY_ID, PCI_ANY_ID, 0, 0, DEVICE_INTEL }, /* AMD768 */
75209 + { 0x10b9, 0x5455, PCI_ANY_ID, PCI_ANY_ID, 0, 0, DEVICE_ALI }, /* Ali5455 */
75210 +- { 0, }
75211 ++ { 0, 0, 0, 0, 0, 0, 0 }
75212 + };
75213 +
75214 + MODULE_DEVICE_TABLE(pci, snd_intel8x0_ids);
75215 +@@ -2044,7 +2044,7 @@ static struct ac97_quirk ac97_quirks[] _
75216 + .type = AC97_TUNE_HP_ONLY
75217 + },
75218 + #endif
75219 +- { } /* terminator */
75220 ++ { 0, 0, 0, 0, NULL, 0 } /* terminator */
75221 + };
75222 +
75223 + static int __devinit snd_intel8x0_mixer(struct intel8x0 *chip, int ac97_clock,
75224 +diff -urNp linux-2.6.24.5/sound/pci/intel8x0m.c linux-2.6.24.5/sound/pci/intel8x0m.c
75225 +--- linux-2.6.24.5/sound/pci/intel8x0m.c 2008-03-24 14:49:18.000000000 -0400
75226 ++++ linux-2.6.24.5/sound/pci/intel8x0m.c 2008-03-26 20:21:09.000000000 -0400
75227 +@@ -240,7 +240,7 @@ static struct pci_device_id snd_intel8x0
75228 + { 0x1022, 0x746d, PCI_ANY_ID, PCI_ANY_ID, 0, 0, DEVICE_INTEL }, /* AMD8111 */
75229 + { 0x10b9, 0x5455, PCI_ANY_ID, PCI_ANY_ID, 0, 0, DEVICE_ALI }, /* Ali5455 */
75230 + #endif
75231 +- { 0, }
75232 ++ { 0, 0, 0, 0, 0, 0, 0 }
75233 + };
75234 +
75235 + MODULE_DEVICE_TABLE(pci, snd_intel8x0m_ids);
75236 +@@ -1261,7 +1261,7 @@ static struct shortname_table {
75237 + { 0x5455, "ALi M5455" },
75238 + { 0x746d, "AMD AMD8111" },
75239 + #endif
75240 +- { 0 },
75241 ++ { 0, NULL },
75242 + };
75243 +
75244 + static int __devinit snd_intel8x0m_probe(struct pci_dev *pci,
75245
75246 Deleted: hardened-sources/2.6/trunk/2.6.24/4425_alpha-sysctl-uac-for-hardened.patch
75247 ===================================================================
75248 --- hardened-sources/2.6/trunk/2.6.24/4425_alpha-sysctl-uac-for-hardened.patch 2008-04-30 11:33:52 UTC (rev 91)
75249 +++ hardened-sources/2.6/trunk/2.6.24/4425_alpha-sysctl-uac-for-hardened.patch 2008-04-30 11:36:08 UTC (rev 92)
75250 @@ -1,181 +0,0 @@
75251 ---- a/arch/alpha/Kconfig
75252 -+++ b/arch/alpha/Kconfig
75253 -@@ -616,6 +616,32 @@ config VERBOSE_MCHECK_ON
75254 -
75255 - Take the default (1) unless you want more control or more info.
75256 -
75257 -+config ALPHA_UAC_SYSCTL
75258 -+ bool "Configure UAC policy via sysctl"
75259 -+ depends on SYSCTL
75260 -+ default y
75261 -+ ---help---
75262 -+ Configuring the UAC (unaligned access control) policy on a Linux
75263 -+ system usually involves setting a compile time define. If you say
75264 -+ Y here, you will be able to modify the UAC policy at runtime using
75265 -+ the /proc interface.
75266 -+
75267 -+ The UAC policy defines the action Linux should take when an
75268 -+ unaligned memory access occurs. The action can include printing a
75269 -+ warning message (NOPRINT), sending a signal to the offending
75270 -+ program to help developers debug their applications (SIGBUS), or
75271 -+ disabling the transparent fixing (NOFIX).
75272 -+
75273 -+ The sysctls will be initialized to the compile-time defined UAC
75274 -+ policy. You can change these manually, or with the sysctl(8)
75275 -+ userspace utility.
75276 -+
75277 -+ To disable the warning messages at runtime, you would use
75278 -+
75279 -+ echo 1 > /proc/sys/kernel/uac/noprint
75280 -+
75281 -+ This is pretty harmless. Say Y if you're not sure.
75282 -+
75283 - source "drivers/pci/Kconfig"
75284 - source "drivers/eisa/Kconfig"
75285 -
75286 ---- a/arch/alpha/kernel/traps.c
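Review bot: the help text tells the user to write `/proc/sys/kernel/uac/noprint`, but the kernel/sysctl.c hunk below hangs the `uac` directory off `root_table`, which yields `/proc/sys/uac/noprint`; one of the two has to change. Separately, this patch is deleted outright in this revision; if Alpha UAC sysctl support is meant to go away, a one-line rationale in the log would tell Alpha users where the option went.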
75287 -+++ b/arch/alpha/kernel/traps.c
75288 -@@ -14,6 +14,7 @@
75289 - #include <linux/delay.h>
75290 - #include <linux/smp_lock.h>
75291 - #include <linux/module.h>
75292 -+#include <linux/sysctl.h>
75293 - #include <linux/init.h>
75294 - #include <linux/kallsyms.h>
75295 -
75296 -@@ -102,6 +103,38 @@ static char * ireg_name[] = {"v0", "t0",
75297 - "t10", "t11", "ra", "pv", "at", "gp", "sp", "zero"};
75298 - #endif
75299 -
75300 -+#ifdef CONFIG_ALPHA_UAC_SYSCTL
75301 -+static struct ctl_table_header *uac_sysctl_header;
75302 -+
75303 -+static int enabled_noprint = 0;
75304 -+static int enabled_sigbus = 0;
75305 -+static int enabled_nofix = 0;
75306 -+
75307 -+ctl_table uac_table[] = {
75308 -+ {KERN_UAC_NOPRINT, "noprint", &enabled_noprint, sizeof (int), 0644, NULL, NULL, &proc_dointvec},
75309 -+ {KERN_UAC_SIGBUS, "sigbus", &enabled_sigbus, sizeof (int), 0644, NULL, NULL, &proc_dointvec},
75310 -+ {KERN_UAC_NOFIX, "nofix", &enabled_nofix, sizeof (int), 0644, NULL, NULL, &proc_dointvec},
75311 -+ {0}
75312 -+};
75313 -+
75314 -+static int __init init_uac_sysctl(void)
75315 -+{
75316 -+ /* Initialize sysctls with the #defined UAC policy */
75317 -+ enabled_noprint = (test_thread_flag (TIF_UAC_NOPRINT)) ? 1 : 0;
75318 -+ enabled_sigbus = (test_thread_flag (TIF_UAC_SIGBUS)) ? 1 : 0;
75319 -+ enabled_nofix = (test_thread_flag (TIF_UAC_NOFIX)) ? 1 : 0;
75320 -+
75321 -+ /* save this for later so we can clean up */
75322 -+ uac_sysctl_header = register_sysctl_table(uac_table);
75323 -+ return 0;
75324 -+}
75325 -+
75326 -+static void __exit exit_uac_sysctl(void)
75327 -+{
75328 -+ unregister_sysctl_table(uac_sysctl_header);
75329 -+}
75330 -+#endif
75331 -+
75332 - static void
75333 - dik_show_code(unsigned int *pc)
75334 - {
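Review bot: `exit_uac_sysctl()` is marked `__exit` but nothing calls it (the code is built in via `__initcall`, there is no module_exit), so it is dead code and the table is never unregistered; drop it or wire it up. `uac_table` is also a non-static global with no header declaration (kernel/sysctl.c re-declares it with a bare `extern`), which sparse will flag, and `init_uac_sysctl()` registers it with `register_sysctl_table()` even though the kernel/sysctl.c hunk below also attaches it as the child of a root_table entry, so the same three knobs are registered twice: once under `uac` and once at the top of /proc/sys, where their ctl_name values 1, 2 and 3 collide with CTL_KERN, CTL_VM and CTL_NET for the binary sysctl(2) interface.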
75335 -@@ -780,7 +813,11 @@ do_entUnaUser(void __user * va, unsigned
75336 - /* Check the UAC bits to decide what the user wants us to do
75337 - with the unaliged access. */
75338 -
75339 -+#ifndef CONFIG_ALPHA_UAC_SYSCTL
75340 - if (!test_thread_flag (TIF_UAC_NOPRINT)) {
75341 -+#else /* CONFIG_ALPHA_UAC_SYSCTL */
75342 -+ if (!(enabled_noprint)) {
75343 -+#endif /* CONFIG_ALPHA_UAC_SYSCTL */
75344 - if (cnt >= 5 && jiffies - last_time > 5*HZ) {
75345 - cnt = 0;
75346 - }
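Review bot: with CONFIG_ALPHA_UAC_SYSCTL the `#ifndef`/`#else` pair swaps `test_thread_flag(TIF_UAC_NOPRINT)` for the global `enabled_noprint`, so the per-task TIF_UAC_* flags are ignored entirely and UAC policy becomes system-wide; the Kconfig help promises runtime control but never says that per-process control is lost. Either honour both (e.g. `if (!enabled_noprint && !test_thread_flag (TIF_UAC_NOPRINT)) {`) or document the change. The same applies to the sigbus and nofix tests in the next hunk, and all three `#ifndef` blocks would read better as small static inline helpers.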
75347 -@@ -791,10 +828,18 @@ do_entUnaUser(void __user * va, unsigned
75348 - }
75349 - last_time = jiffies;
75350 - }
75351 -+#ifndef CONFIG_ALPHA_UAC_SYSCTL
75352 - if (test_thread_flag (TIF_UAC_SIGBUS))
75353 -+#else /* CONFIG_ALPHA_UAC_SYSCTL */
75354 -+ if (enabled_sigbus)
75355 -+#endif /* CONFIG_ALPHA_UAC_SYSCTL */
75356 - goto give_sigbus;
75357 - /* Not sure why you'd want to use this, but... */
75358 -+#ifndef CONFIG_ALPHA_UAC_SYSCTL
75359 - if (test_thread_flag (TIF_UAC_NOFIX))
75360 -+#else /* CONFIG_ALPHA_UAC_SYSCTL */
75361 -+ if (enabled_nofix)
75362 -+#endif /* CONFIG_ALPHA_UAC_SYSCTL */
75363 - return;
75364 -
75365 - /* Don't bother reading ds in the access check since we already
75366 -@@ -1089,3 +1134,7 @@ trap_init(void)
75367 - wrent(entSys, 5);
75368 - wrent(entDbg, 6);
75369 - }
75370 -+
75371 -+#ifdef CONFIG_ALPHA_UAC_SYSCTL
75372 -+__initcall(init_uac_sysctl);
75373 -+#endif
75374 ---- a/include/linux/sysctl.h
75375 -+++ b/include/linux/sysctl.h
75376 -@@ -164,6 +164,10 @@ enum
75377 - KERN_MAX_LOCK_DEPTH=74,
75378 - KERN_NMI_WATCHDOG=75, /* int: enable/disable nmi watchdog */
75379 - KERN_PANIC_ON_NMI=76, /* int: whether we will panic on an unrecovered */
75380 -+#ifdef CONFIG_ALPHA_UAC_SYSCTL
75381 -+ KERN_UAC_POLICY=77, /* int: Alpha unaligned access control policy flags */
75382 -+#endif /* CONFIG_ALPHA_UAC_SYSCTL */
75383 -+
75384 - #ifdef CONFIG_GRKERNSEC
75385 - KERN_GRSECURITY=98, /* grsecurity */
75386 - #endif
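Review bot: `KERN_UAC_POLICY=77` is added to the KERN_* enum behind `#ifdef CONFIG_ALPHA_UAC_SYSCTL`, yet the kernel/sysctl.c hunk below uses it as the `ctl_name` of a root_table entry, where the CTL_* numbering applies, not KERN_*; and wrapping a user-visible enum value in a config #ifdef makes the binary sysctl numbering depend on kernel configuration. For a new sysctl in 2.6.24 the expected approach is `CTL_UNNUMBERED`, which avoids both problems.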
75387 -@@ -265,6 +269,17 @@ enum
75388 - PTY_NR=2
75389 - };
75390 -
75391 -+#ifdef CONFIG_ALPHA_UAC_SYSCTL
75392 -+/* /proc/sys/kernel/uac */
75393 -+enum
75394 -+{
75395 -+ /* UAC policy on Alpha */
75396 -+ KERN_UAC_NOPRINT=1, /* int: printk() on unaligned access */
75397 -+ KERN_UAC_SIGBUS=2, /* int: send SIGBUS on unaligned access */
75398 -+ KERN_UAC_NOFIX=3, /* int: don't fix the unaligned access */
75399 -+};
75400 -+#endif /* CONFIG_ALPHA_UAC_SYSCTL */
75401 -+
75402 - /* /proc/sys/bus/isa */
75403 - enum
75404 - {
75405 ---- a/kernel/sysctl.c
75406 -+++ b/kernel/sysctl.c
75407 -@@ -153,6 +153,9 @@ extern int max_lock_depth;
75408 - static int parse_table(int __user *, int, void __user *, size_t __user *,
75409 - void __user *, size_t, struct ctl_table *);
75410 - #endif
75411 -+#ifdef CONFIG_ALPHA_UAC_SYSCTL
75412 -+extern ctl_table uac_table[];
75413 -+#endif
75414 -
75415 -
75416 - #ifdef CONFIG_PROC_SYSCTL
75417 -@@ -254,6 +257,14 @@ static struct ctl_table root_table[] = {
75418 - * NOTE: do not add new entries to this table unless you have read
75419 - * Documentation/sysctl/ctl_unnumbered.txt
75420 - */
75421 -+#ifdef CONFIG_ALPHA_UAC_SYSCTL
75422 -+ {
75423 -+ .ctl_name = KERN_UAC_POLICY,
75424 -+ .procname = "uac",
75425 -+ .mode = 0555,
75426 -+ .child = uac_table,
75427 -+ },
75428 -+#endif /* CONFIG_ALPHA_UAC_SYSCTL */
75429 - { .ctl_name = 0 }
75430 - };
75431 -
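Review bot: the new `uac` entry is inserted directly under the comment that says not to add entries to root_table without reading Documentation/sysctl/ctl_unnumbered.txt, and it does exactly what that document discourages: a numbered, top-level directory. Placing it in kern_table with `.ctl_name = CTL_UNNUMBERED` would also make the resulting path `/proc/sys/kernel/uac/` match the Kconfig help.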
75432
75433 Added: hardened-sources/2.6/trunk/2.6.24/4425_grsec-kconfig-default-gids.patch
75434 ===================================================================
75435 --- hardened-sources/2.6/trunk/2.6.24/4425_grsec-kconfig-default-gids.patch (rev 0)
75436 +++ hardened-sources/2.6/trunk/2.6.24/4425_grsec-kconfig-default-gids.patch 2008-04-30 11:36:08 UTC (rev 92)
75437 @@ -0,0 +1,76 @@
75438 +From: Kerin Millar <kerframil@×××××.com>
75439 +
75440 +grsecurity contains a number of options which allow certain protections
75441 +to be applied to or exempted from members of a given group. However, the
75442 +default GIDs specified in the upstream patch are entirely arbitrary and
75443 +there is no telling which (if any) groups the GIDs will correlate with
75444 +on an end-user's system. Because some users don't pay a great deal of
75445 +attention to the finer points of kernel configuration, it is probably
75446 +wise to specify some reasonable defaults so as to stop careless users
75447 +from shooting themselves in the foot.
75448 +
75449 +--- a/grsecurity/Kconfig
75450 ++++ b/grsecurity/Kconfig
75451 +@@ -352,7 +564,7 @@
75452 + config GRKERNSEC_PROC_GID
75453 + int "GID for special group"
75454 + depends on GRKERNSEC_PROC_USERGROUP
75455 +- default 1001
75456 ++ default 10
75457 +
75458 + config GRKERNSEC_PROC_ADD
75459 + bool "Additional restrictions"
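Review bot: the hunk header `@@ -352,7 +564,7 @@` (and every other header in this file, each offset by exactly 212 lines) claims the post-patch file is 212 lines longer than the pre-patch file for a one-line substitution, so the headers were generated against a tree that already had the Hardened Gentoo levels from 4430_grsec-kconfig-gentoo.patch applied; patch(1) will apply them with an offset, but they should be regenerated against the tree state at this point in the series, since 4425 is applied before 4430. On the substance, GID 10 is `wheel` on a Gentoo system, so restricting /proc to wheel is a sensible default.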
75460 +@@ -547,7 +759,7 @@
75461 + config GRKERNSEC_AUDIT_GID
75462 + int "GID for auditing"
75463 + depends on GRKERNSEC_AUDIT_GROUP
75464 +- default 1007
75465 ++ default 100
75466 +
75467 + config GRKERNSEC_EXECLOG
75468 + bool "Exec logging"
75469 +@@ -700,7 +912,7 @@
75470 + config GRKERNSEC_TPE_GID
75471 + int "GID for untrusted users"
75472 + depends on GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT
75473 +- default 1005
75474 ++ default 100
75475 + help
75476 + If you have selected the "Invert GID option" above, setting this
75477 + GID determines what group TPE restrictions will be *disabled* for.
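Review bot: the context lines under this non-inverted GRKERNSEC_TPE_GID (`depends on GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT`) read "If you have selected the 'Invert GID option' above, setting this GID determines what group TPE restrictions will be *disabled* for", which describes the inverted variant; since this hunk already touches the block, fix the help to say the GID is the group TPE restrictions are *enabled* for. Default 100 is `users` on Gentoo, so every ordinary user becomes untrusted, which matches the stated intent of the patch.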
75478 +@@ -712,7 +924,7 @@
75479 + config GRKERNSEC_TPE_GID
75480 + int "GID for trusted users"
75481 + depends on GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT
75482 +- default 1005
75483 ++ default 10
75484 + help
75485 + If you have selected the "Invert GID option" above, setting this
75486 + GID determines what group TPE restrictions will be *disabled* for.
75487 +@@ -754,7 +966,7 @@
75488 + config GRKERNSEC_SOCKET_ALL_GID
75489 + int "GID to deny all sockets for"
75490 + depends on GRKERNSEC_SOCKET_ALL
75491 +- default 1004
75492 ++ default 65534
75493 + help
75494 + Here you can choose the GID to disable socket access for. Remember to
75495 + add the users you want socket access disabled for to the GID
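Review bot: 65534 is `nobody`/`nogroup` on a Gentoo baselayout system, so if GRKERNSEC_SOCKET_ALL is switched on with this default, any daemon that drops privileges to nobody loses socket access; the choice is only safe because the option itself is off by default. Add a sentence to the description saying the default is deliberately a group no interactive user belongs to, and that anyone running unprivileged services as nobody must pick a dedicated GID. The same applies to the SOCKET_CLIENT and SOCKET_SERVER defaults below.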
75496 +@@ -775,7 +987,7 @@
75497 + config GRKERNSEC_SOCKET_CLIENT_GID
75498 + int "GID to deny client sockets for"
75499 + depends on GRKERNSEC_SOCKET_CLIENT
75500 +- default 1003
75501 ++ default 65534
75502 + help
75503 + Here you can choose the GID to disable client socket access for.
75504 + Remember to add the users you want client socket access disabled for to
75505 +@@ -793,7 +1005,7 @@
75506 + config GRKERNSEC_SOCKET_SERVER_GID
75507 + int "GID to deny server sockets for"
75508 + depends on GRKERNSEC_SOCKET_SERVER
75509 +- default 1002
75510 ++ default 65534
75511 + help
75512 + Here you can choose the GID to disable server socket access for.
75513 + Remember to add the users you want server socket access disabled for to
75514
75515 Deleted: hardened-sources/2.6/trunk/2.6.24/4430_grsec-kconfig-default-gids.patch
75516 ===================================================================
75517 --- hardened-sources/2.6/trunk/2.6.24/4430_grsec-kconfig-default-gids.patch 2008-04-30 11:33:52 UTC (rev 91)
75518 +++ hardened-sources/2.6/trunk/2.6.24/4430_grsec-kconfig-default-gids.patch 2008-04-30 11:36:08 UTC (rev 92)
75519 @@ -1,76 +0,0 @@
75520 -From: Kerin Millar <kerframil@×××××.com>
75521 -
75522 -grsecurity contains a number of options which allow certain protections
75523 -to be applied to or exempted from members of a given group. However, the
75524 -default GIDs specified in the upstream patch are entirely arbitrary and
75525 -there is no telling which (if any) groups the GIDs will correlate with
75526 -on an end-user's system. Because some users don't pay a great deal of
75527 -attention to the finer points of kernel configuration, it is probably
75528 -wise to specify some reasonable defaults so as to stop careless users
75529 -from shooting themselves in the foot.
75530 -
75531 ---- a/grsecurity/Kconfig
75532 -+++ b/grsecurity/Kconfig
75533 -@@ -352,7 +564,7 @@
75534 - config GRKERNSEC_PROC_GID
75535 - int "GID for special group"
75536 - depends on GRKERNSEC_PROC_USERGROUP
75537 -- default 1001
75538 -+ default 10
75539 -
75540 - config GRKERNSEC_PROC_ADD
75541 - bool "Additional restrictions"
75542 -@@ -547,7 +759,7 @@
75543 - config GRKERNSEC_AUDIT_GID
75544 - int "GID for auditing"
75545 - depends on GRKERNSEC_AUDIT_GROUP
75546 -- default 1007
75547 -+ default 100
75548 -
75549 - config GRKERNSEC_EXECLOG
75550 - bool "Exec logging"
75551 -@@ -700,7 +912,7 @@
75552 - config GRKERNSEC_TPE_GID
75553 - int "GID for untrusted users"
75554 - depends on GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT
75555 -- default 1005
75556 -+ default 100
75557 - help
75558 - If you have selected the "Invert GID option" above, setting this
75559 - GID determines what group TPE restrictions will be *disabled* for.
75560 -@@ -712,7 +924,7 @@
75561 - config GRKERNSEC_TPE_GID
75562 - int "GID for trusted users"
75563 - depends on GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT
75564 -- default 1005
75565 -+ default 10
75566 - help
75567 - If you have selected the "Invert GID option" above, setting this
75568 - GID determines what group TPE restrictions will be *disabled* for.
75569 -@@ -754,7 +966,7 @@
75570 - config GRKERNSEC_SOCKET_ALL_GID
75571 - int "GID to deny all sockets for"
75572 - depends on GRKERNSEC_SOCKET_ALL
75573 -- default 1004
75574 -+ default 65534
75575 - help
75576 - Here you can choose the GID to disable socket access for. Remember to
75577 - add the users you want socket access disabled for to the GID
75578 -@@ -775,7 +987,7 @@
75579 - config GRKERNSEC_SOCKET_CLIENT_GID
75580 - int "GID to deny client sockets for"
75581 - depends on GRKERNSEC_SOCKET_CLIENT
75582 -- default 1003
75583 -+ default 65534
75584 - help
75585 - Here you can choose the GID to disable client socket access for.
75586 - Remember to add the users you want client socket access disabled for to
75587 -@@ -793,7 +1005,7 @@
75588 - config GRKERNSEC_SOCKET_SERVER_GID
75589 - int "GID to deny server sockets for"
75590 - depends on GRKERNSEC_SOCKET_SERVER
75591 -- default 1002
75592 -+ default 65534
75593 - help
75594 - Here you can choose the GID to disable server socket access for.
75595 - Remember to add the users you want server socket access disabled for to
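Review bot: this deleted file is identical to the 4425_grsec-kconfig-default-gids.patch added above, so r92 renumbers it (4430 to 4425) rather than changing it; an `svn mv` would have preserved history instead of showing a delete plus add, and the renumbering deserves a mention in the log so the series order change is visible.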
75596
75597 Added: hardened-sources/2.6/trunk/2.6.24/4430_grsec-kconfig-gentoo.patch
75598 ===================================================================
75599 --- hardened-sources/2.6/trunk/2.6.24/4430_grsec-kconfig-gentoo.patch (rev 0)
75600 +++ hardened-sources/2.6/trunk/2.6.24/4430_grsec-kconfig-gentoo.patch 2008-04-30 11:36:08 UTC (rev 92)
75601 @@ -0,0 +1,241 @@
75602 +From: Gordon Malm <bugs-gentoo-org-02@××××××.org>
75603 +From: Kerin Millar <kerframil@×××××.com>
75604 +
75605 +Add Hardened Gentoo [server/workstation] predefined grsecurity
75606 +levels. They're designed to provide a comparitively high level of
75607 +security while remaining generally suitable for as great a majority
75608 +of the userbase as possible (particularly new users).
75609 +
75610 +Make Hardened Gentoo [workstation] predefined grsecurity level the
75611 +default. The Hardened Gentoo [server] level is more restrictive
75612 +and conflicts with some software and thus would be less suitable.
75613 +
75614 +The original version of this patch was conceived and created by:
75615 +Ned Ludd <solar@g.o>
75616 +
75617 +--- a/grsecurity/Kconfig
75618 ++++ b/grsecurity/Kconfig
75619 +@@ -20,7 +20,7 @@
75620 + choice
75621 + prompt "Security Level"
75622 + depends on GRKERNSEC
75623 +- default GRKERNSEC_CUSTOM
75624 ++ default GRKERNSEC_HARDENED_WORKSTATION
75625 +
75626 + config GRKERNSEC_LOW
75627 + bool "Low"
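Review bot: switching the choice default from GRKERNSEC_CUSTOM to GRKERNSEC_HARDENED_WORKSTATION only affects configs with no recorded choice (an existing `GRKERNSEC_CUSTOM=y` survives `make oldconfig`), which is fine, but it means a first-time user inherits PAX_MPROTECT and PAX_PAGEEXEC without ever seeing the PaX menu; the level's help already covers paxctl, so mention there that this level is the default. Also "comparitively" in the description should read "comparatively".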
75628 +@@ -181,6 +181,214 @@
75629 + - Mount/unmount/remount logging
75630 + - Kernel symbol hiding
75631 + - Prevention of memory exhaustion-based exploits
75632 ++
75633 ++config GRKERNSEC_HARDENED_SERVER
75634 ++ bool "Hardened Gentoo [server]"
75635 ++ select GRKERNSEC_AUDIT_MOUNT
75636 ++ select GRKERNSEC_BRUTE
75637 ++ select GRKERNSEC_CHROOT
75638 ++ select GRKERNSEC_CHROOT_CAPS
75639 ++ select GRKERNSEC_CHROOT_CHDIR
75640 ++ select GRKERNSEC_CHROOT_CHMOD
75641 ++ select GRKERNSEC_CHROOT_DOUBLE
75642 ++ select GRKERNSEC_CHROOT_FCHDIR
75643 ++ select GRKERNSEC_CHROOT_FINDTASK
75644 ++ select GRKERNSEC_CHROOT_MKNOD
75645 ++ select GRKERNSEC_CHROOT_MOUNT
75646 ++ select GRKERNSEC_CHROOT_NICE
75647 ++ select GRKERNSEC_CHROOT_PIVOT
75648 ++ select GRKERNSEC_CHROOT_SHMAT
75649 ++ select GRKERNSEC_CHROOT_SYSCTL
75650 ++ select GRKERNSEC_CHROOT_UNIX
75651 ++ select GRKERNSEC_DMESG
75652 ++ select GRKERNSEC_EXECVE
75653 ++ select GRKERNSEC_FIFO
75654 ++ select GRKERNSEC_FORKFAIL
75655 ++ select GRKERNSEC_HIDESYM
75656 ++ select GRKERNSEC_IO if (X86)
75657 ++ select GRKERNSEC_KMEM
75658 ++ select GRKERNSEC_LINK
75659 ++ select GRKERNSEC_MODSTOP if (MODULES)
75660 ++ select GRKERNSEC_PROC
75661 ++ select GRKERNSEC_PROC_ADD
75662 ++ select GRKERNSEC_PROC_IPADDR
75663 ++ select GRKERNSEC_PROC_MEMMAP
75664 ++ select GRKERNSEC_PROC_USERGROUP
75665 ++ select GRKERNSEC_RANDNET
75666 ++ select GRKERNSEC_RESLOG
75667 ++ select GRKERNSEC_SIGNAL
75668 ++# select GRKERNSEC_SOCKET
75669 ++# select GRKERNSEC_SOCKET_SERVER
75670 ++ select GRKERNSEC_SYSCTL
75671 ++ select GRKERNSEC_SYSCTL_ON
75672 ++ select GRKERNSEC_TIME
75673 ++ select PAX
75674 ++ select PAX_ASLR
75675 ++ select PAX_DLRESOLVE if (SPARC32 || SPARC64)
75676 ++ select PAX_EI_PAX
75677 ++ select PAX_EMUPLT if (ALPHA || PARISC || PPC32 || SPARC32 || SPARC64)
75678 ++ select PAX_EMUSIGRT if (PARISC || PPC32)
75679 ++ select PAX_EMUTRAMP if (PARISC || PPC32)
75680 ++ select PAX_ETEXECRELOCS if (ALPHA || IA64 || PARISC)
75681 ++ select PAX_KERNEXEC if (X86 && !EFI && !COMPAT_VDSO && !PARAVIRT && (!X86_32 || X86_WP_WORKS_OK))
75682 ++ select PAX_MEMORY_SANITIZE
75683 ++ select PAX_MEMORY_UDEREF if (X86_32 && !COMPAT_VDSO)
75684 ++ select PAX_MPROTECT if (!PPC64)
75685 ++ select PAX_HAVE_ACL_FLAGS
75686 ++ select PAX_NOELFRELOCS if (X86)
75687 ++ select PAX_NOEXEC
75688 ++ select PAX_PAGEEXEC
75689 ++ select PAX_PT_PAX_FLAGS
75690 ++ select PAX_RANDKSTACK if (X86_32 && X86_TSC)
75691 ++ select PAX_RANDMMAP
75692 ++ select PAX_RANDUSTACK
75693 ++ select PAX_SEGMEXEC if (X86_32)
75694 ++ select PAX_SYSCALL if (PPC32)
75695 ++ help
75696 ++ If you say Y here, a configuration will be used that is endorsed by
75697 ++ the Hardened Gentoo project. Therefore, many of the protections
75698 ++ made available by grsecurity and PaX will be enabled.
75699 ++
75700 ++ Hardened Gentoo's pre-defined security levels are designed to provide
75701 ++ a high level of security while minimizing incompatibilities with the
75702 ++ majority of available software. For further information, please
75703 ++ view <http://www.grsecurity.net> and <http://pax.grsecurity.net> as
75704 ++ well as the Hardened Gentoo Primer at
75705 ++ <http://www.gentoo.org/proj/en/hardened/primer.xml>.
75706 ++
75707 ++ This Hardened Gentoo [server] level is identical to the
75708 ++ Hardened Gentoo [workstation] level, but with the GRKERNSEC_IO,
75709 ++ PAX_KERNEXEC and PAX_NOELFRELOCS security features enabled.
75710 ++ Accordingly, this is the preferred security level if the system will
75711 ++ not be utilizing software incompatible with the aforementioned
75712 ++ grsecurity/PaX features.
75713 ++
75714 ++ You may wish to emerge paxctl, a utility which allows you to toggle
75715 ++ PaX features on problematic binaries on an individual basis. Note that
75716 ++ this only works for ELF binaries that contain a PT_PAX_FLAGS header.
75717 ++ Translated, this means that if you wish to toggle PaX features on
75718 ++ binaries provided by applications that are distributed only in binary
75719 ++ format (rather than being built locally from sources), you will need to
75720 ++ run paxctl -C on the binaries beforehand so as to inject the missing
75721 ++ headers.
75722 ++
75723 ++ When this level is selected, some options cannot be changed. However,
75724 ++ you may opt to fully customize the options that are selected by
75725 ++ choosing "Custom" in the Security Level menu. You may find it helpful
75726 ++ to inherit the options selected by the "Hardened Gentoo [server]"
75727 ++ security level as a starting point for further configuration. To
75728 ++ accomplish this, select this security level then exit the menuconfig
75729 ++ interface, saving changes when prompted. Then, run make menuconfig
75730 ++ again and select the "Custom" level.
75731 ++
75732 ++ Note that this security level probably should not be used if the
75733 ++ target system is a 32bit x86 virtualized guest. If you intend to run
75734 ++ the kernel in a 32bit x86 virtualized guest you will likely need to
75735 ++ disable the PAX_MEMORY_UDEREF option in order to avoid an unacceptable
75736 ++ impact on performance.
75737 ++
75738 ++config GRKERNSEC_HARDENED_WORKSTATION
75739 ++ bool "Hardened Gentoo [workstation]"
75740 ++ select GRKERNSEC_AUDIT_MOUNT
75741 ++ select GRKERNSEC_BRUTE
75742 ++ select GRKERNSEC_CHROOT
75743 ++ select GRKERNSEC_CHROOT_CAPS
75744 ++ select GRKERNSEC_CHROOT_CHDIR
75745 ++ select GRKERNSEC_CHROOT_CHMOD
75746 ++ select GRKERNSEC_CHROOT_DOUBLE
75747 ++ select GRKERNSEC_CHROOT_FCHDIR
75748 ++ select GRKERNSEC_CHROOT_FINDTASK
75749 ++ select GRKERNSEC_CHROOT_MKNOD
75750 ++ select GRKERNSEC_CHROOT_MOUNT
75751 ++ select GRKERNSEC_CHROOT_NICE
75752 ++ select GRKERNSEC_CHROOT_PIVOT
75753 ++ select GRKERNSEC_CHROOT_SHMAT
75754 ++ select GRKERNSEC_CHROOT_SYSCTL
75755 ++ select GRKERNSEC_CHROOT_UNIX
75756 ++ select GRKERNSEC_DMESG
75757 ++ select GRKERNSEC_EXECVE
75758 ++ select GRKERNSEC_FIFO
75759 ++ select GRKERNSEC_FORKFAIL
75760 ++ select GRKERNSEC_HIDESYM
75761 ++ select GRKERNSEC_KMEM
75762 ++ select GRKERNSEC_LINK
75763 ++ select GRKERNSEC_MODSTOP if (MODULES)
75764 ++ select GRKERNSEC_PROC
75765 ++ select GRKERNSEC_PROC_ADD
75766 ++ select GRKERNSEC_PROC_IPADDR
75767 ++ select GRKERNSEC_PROC_MEMMAP
75768 ++ select GRKERNSEC_PROC_USERGROUP
75769 ++ select GRKERNSEC_RANDNET
75770 ++ select GRKERNSEC_RESLOG
75771 ++ select GRKERNSEC_SIGNAL
75772 ++# select GRKERNSEC_SOCKET
75773 ++# select GRKERNSEC_SOCKET_SERVER
75774 ++ select GRKERNSEC_SYSCTL
75775 ++ select GRKERNSEC_SYSCTL_ON
75776 ++ select GRKERNSEC_TIME
75777 ++ select PAX
75778 ++ select PAX_ASLR
75779 ++ select PAX_DLRESOLVE if (SPARC32 || SPARC64)
75780 ++ select PAX_EI_PAX
75781 ++ select PAX_EMUPLT if (ALPHA || PARISC || PPC32 || SPARC32 || SPARC64)
75782 ++ select PAX_EMUSIGRT if (PARISC || PPC32)
75783 ++ select PAX_EMUTRAMP if (PARISC || PPC32)
75784 ++ select PAX_ETEXECRELOCS if (ALPHA || IA64 || PARISC)
75785 ++ select PAX_MEMORY_SANITIZE
75786 ++ select PAX_MEMORY_UDEREF if (X86_32 && !COMPAT_VDSO)
75787 ++ select PAX_MPROTECT if (!PPC64)
75788 ++ select PAX_HAVE_ACL_FLAGS
75789 ++ select PAX_NOEXEC
75790 ++ select PAX_PAGEEXEC
75791 ++ select PAX_PT_PAX_FLAGS
75792 ++ select PAX_RANDKSTACK if (X86_32 && X86_TSC)
75793 ++ select PAX_RANDMMAP
75794 ++ select PAX_RANDUSTACK
75795 ++ select PAX_SEGMEXEC if (X86_32)
75796 ++ select PAX_SYSCALL if (PPC32)
75797 ++ help
75798 ++ If you say Y here, a configuration will be used that is endorsed by
75799 ++ the Hardened Gentoo project. Therefore, many of the protections
75800 ++ made available by grsecurity and PaX will be enabled.
75801 ++
75802 ++ Hardened Gentoo's pre-defined security levels are designed to provide
75803 ++ a high level of security while minimizing incompatibilities with the
75804 ++ majority of available software. For further information, please
75805 ++ view <http://www.grsecurity.net> and <http://pax.grsecurity.net> as
75806 ++ well as the Hardened Gentoo Primer at
75807 ++ <http://www.gentoo.org/proj/en/hardened/primer.xml>.
75808 ++
75809 ++ This Hardened Gentoo [workstation] level is designed for machines
75810 ++ which are intended to run software not compatible with the
75811 ++ GRKERNSEC_IO, PAX_KERNEXEC and PAX_NOELFRELOCS features of grsecurity.
75812 ++ Accordingly, this security level is suitable for use with the X server
75813 ++ "Xorg" and/or any system that will act as host OS to the virtualization
75814 ++ softwares vmware-server or virtualbox.
75815 ++
75816 ++ You may wish to emerge paxctl, a utility which allows you to toggle
75817 ++ PaX features on problematic binaries on an individual basis. Note that
75818 ++ this only works for ELF binaries that contain a PT_PAX_FLAGS header.
75819 ++ Translated, this means that if you wish to toggle PaX features on
75820 ++ binaries provided by applications that are distributed only in binary
75821 ++ format (rather than being built locally from sources), you will need to
75822 ++ run paxctl -C on the binaries beforehand so as to inject the missing
75823 ++ headers.
75824 ++
75825 ++ When this level is selected, some options cannot be changed. However,
75826 ++ you may opt to fully customize the options that are selected by
75827 ++ choosing "Custom" in the Security Level menu. You may find it helpful
75828 ++ to inherit the options selected by the "Hardened Gentoo [workstation]"
75829 ++ security level as a starting point for further configuration. To
75830 ++ accomplish this, select this security level then exit the menuconfig
75831 ++ interface, saving changes when prompted. Then, run make menuconfig
75832 ++ again and select the "Custom" level.
75833 ++
75834 ++ Note that this security level probably should not be used if the
75835 ++ target system is a 32bit x86 virtualized guest. If you intend to run
75836 ++ the kernel in a 32bit x86 virtualized guest you will likely need to
75837 ++ disable the PAX_MEMORY_UDEREF option in order to avoid an unacceptable
75838 ++ impact on performance.
75839 ++
75840 + config GRKERNSEC_CUSTOM
75841 + bool "Custom"
75842 + help
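Review bot: the help for both levels tells 32-bit x86 guests to "disable the PAX_MEMORY_UDEREF option", but a `select`ed symbol cannot be turned off while the level is chosen, so that sentence should point at the select-then-Custom procedure described two paragraphs earlier. Keep in mind that `select` ignores the target's `depends on`, so each conditional here must mirror the target exactly: `PAX_MEMORY_UDEREF if (X86_32 && !COMPAT_VDSO)` matches the Kconfig above, but every PAX_* condition will need re-checking each time the 4420 grsec patch is bumped. Finally, compared with the 4435 version being deleted below, the server level now selects GRKERNSEC_AUDIT_MOUNT and the commented-out GRKERNSEC_SOCKET_ALL became GRKERNSEC_SOCKET_SERVER; neither change is mentioned in the description.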
75843
75844 Deleted: hardened-sources/2.6/trunk/2.6.24/4435_grsec-kconfig-gentoo.patch
75845 ===================================================================
75846 --- hardened-sources/2.6/trunk/2.6.24/4435_grsec-kconfig-gentoo.patch 2008-04-30 11:33:52 UTC (rev 91)
75847 +++ hardened-sources/2.6/trunk/2.6.24/4435_grsec-kconfig-gentoo.patch 2008-04-30 11:36:08 UTC (rev 92)
75848 @@ -1,239 +0,0 @@
75849 -From: Gordon Malm <bugs-gentoo-org-02@××××××.org>
75850 -From: Kerin Millar <kerframil@×××××.com>
75851 -
75852 -Add Hardened Gentoo [server/workstation] predefined grsecurity
75853 -levels. They're designed to provide a comparitively high level of
75854 -security while remaining generally suitable for as great a majority
75855 -of the userbase as possible (particularly new users).
75856 -
75857 -Make Hardened Gentoo [workstation] predefined grsecurity level the
75858 -default. The Hardened Gentoo [server] level is more restrictive
75859 -and conflicts with some software and thus would be less suitable.
75860 -
75861 -The original version of this patch was conceived and created by:
75862 -Ned Ludd <solar@g.o>
75863 -
75864 ---- a/grsecurity/Kconfig
75865 -+++ b/grsecurity/Kconfig
75866 -@@ -20,7 +20,7 @@
75867 - choice
75868 - prompt "Security Level"
75869 - depends on GRKERNSEC
75870 -- default GRKERNSEC_CUSTOM
75871 -+ default GRKERNSEC_HARDENED_WORKSTATION
75872 -
75873 - config GRKERNSEC_LOW
75874 - bool "Low"
75875 -@@ -181,6 +181,212 @@
75876 - - Mount/unmount/remount logging
75877 - - Kernel symbol hiding
75878 - - Prevention of memory exhaustion-based exploits
75879 -+
75880 -+config GRKERNSEC_HARDENED_SERVER
75881 -+ bool "Hardened Gentoo [server]"
75882 -+# select GRKERNSEC_AUDIT_MOUNT
75883 -+ select GRKERNSEC_BRUTE
75884 -+ select GRKERNSEC_CHROOT
75885 -+ select GRKERNSEC_CHROOT_CAPS
75886 -+ select GRKERNSEC_CHROOT_CHDIR
75887 -+ select GRKERNSEC_CHROOT_CHMOD
75888 -+ select GRKERNSEC_CHROOT_DOUBLE
75889 -+ select GRKERNSEC_CHROOT_FCHDIR
75890 -+ select GRKERNSEC_CHROOT_FINDTASK
75891 -+ select GRKERNSEC_CHROOT_MKNOD
75892 -+ select GRKERNSEC_CHROOT_MOUNT
75893 -+ select GRKERNSEC_CHROOT_NICE
75894 -+ select GRKERNSEC_CHROOT_PIVOT
75895 -+ select GRKERNSEC_CHROOT_SHMAT
75896 -+ select GRKERNSEC_CHROOT_SYSCTL
75897 -+ select GRKERNSEC_CHROOT_UNIX
75898 -+ select GRKERNSEC_DMESG
75899 -+ select GRKERNSEC_EXECVE
75900 -+ select GRKERNSEC_FIFO
75901 -+ select GRKERNSEC_FORKFAIL
75902 -+ select GRKERNSEC_HIDESYM
75903 -+ select GRKERNSEC_IO if (X86)
75904 -+ select GRKERNSEC_KMEM
75905 -+ select GRKERNSEC_LINK
75906 -+ select GRKERNSEC_MODSTOP if (MODULES)
75907 -+ select GRKERNSEC_PROC
75908 -+ select GRKERNSEC_PROC_ADD
75909 -+ select GRKERNSEC_PROC_IPADDR
75910 -+ select GRKERNSEC_PROC_MEMMAP
75911 -+ select GRKERNSEC_PROC_USERGROUP
75912 -+ select GRKERNSEC_RANDNET
75913 -+ select GRKERNSEC_RESLOG
75914 -+ select GRKERNSEC_SIGNAL
75915 -+# select GRKERNSEC_SOCKET
75916 -+# select GRKERNSEC_SOCKET_ALL
75917 -+ select GRKERNSEC_SYSCTL
75918 -+ select GRKERNSEC_SYSCTL_ON
75919 -+ select GRKERNSEC_TIME
75920 -+ select PAX
75921 -+ select PAX_ASLR
75922 -+ select PAX_DLRESOLVE if (SPARC32 || SPARC64)
75923 -+ select PAX_EI_PAX
75924 -+ select PAX_EMUPLT if (ALPHA || PARISC || PPC32 || SPARC32 || SPARC64)
75925 -+ select PAX_EMUSIGRT if (PARISC || PPC32)
75926 -+ select PAX_EMUTRAMP if (PARISC || PPC32)
75927 -+ select PAX_ETEXECRELOCS if (ALPHA || IA64 || PARISC)
75928 -+ select PAX_KERNEXEC if (X86 && !EFI && !COMPAT_VDSO && !PARAVIRT && (!X86_32 || X86_WP_WORKS_OK))
75929 -+ select PAX_MEMORY_SANITIZE
75930 -+ select PAX_MEMORY_UDEREF if (X86_32 && !COMPAT_VDSO)
75931 -+ select PAX_MPROTECT if (!PPC64)
75932 -+ select PAX_HAVE_ACL_FLAGS
75933 -+ select PAX_NOEXEC
75934 -+ select PAX_PAGEEXEC
75935 -+ select PAX_PT_PAX_FLAGS
75936 -+ select PAX_RANDKSTACK if (X86_32 && X86_TSC)
75937 -+ select PAX_RANDMMAP
75938 -+ select PAX_RANDUSTACK
75939 -+ select PAX_SEGMEXEC if (X86_32)
75940 -+ select PAX_SYSCALL if (PPC32)
75941 -+ help
75942 -+ If you say Y here, a configuration will be used that is endorsed by
75943 -+ the Hardened Gentoo project. Therefore, many of the protections
75944 -+ made available by grsecurity and PaX will be enabled.
75945 -+
75946 -+ Hardened Gentoo's pre-defined security levels are designed to provide
75947 -+ a high level of security while minimizing incompatibilities with the
75948 -+ majority of available software. For further information, please
75949 -+ view <http://www.grsecurity.net> and <http://pax.grsecurity.net> as
75950 -+ well as the Hardened Gentoo Primer at
75951 -+ <http://www.gentoo.org/proj/en/hardened/primer.xml>.
75952 -+
75953 -+ This Hardened Gentoo [server] level is identical to the
75954 -+ Hardened Gentoo [workstation] level, but with the GRKERNSEC_IO and
75955 -+ PAX_KERNEXEC security features enabled. Accordingly, this is the
75956 -+ preferred security level if the system will not be utilizing software
75957 -+ incompatible with the aforementioned grsecurity/PaX features.
75958 -+
75959 -+ You may wish to emerge paxctl, a utility which allows you to toggle
75960 -+ PaX features on problematic binaries on an individual basis. Note that
75961 -+ this only works for ELF binaries that contain a PT_PAX_FLAGS header.
75962 -+ Translated, this means that if you wish to toggle PaX features on
75963 -+ binaries provided by applications that are distributed only in binary
75964 -+ format (rather than being built locally from sources), you will need to
75965 -+ run paxctl -C on the binaries beforehand so as to inject the missing
75966 -+ headers.
75967 -+
75968 -+ When this level is selected, some options cannot be changed. However,
75969 -+ you may opt to fully customize the options that are selected by
75970 -+ choosing "Custom" in the Security Level menu. You may find it helpful
75971 -+ to inherit the options selected by the "Hardened Gentoo [server]"
75972 -+ security level as a starting point for further configuration. To
75973 -+ accomplish this, select this security level then exit the menuconfig
75974 -+ interface, saving changes when prompted. Then, run make menuconfig
75975 -+ again and select the "Custom" level.
75976 -+
75977 -+ Note that this security level probably should not be used if the
75978 -+ target system is a 32bit x86 virtualized guest. If you intend to run
75979 -+ the kernel in a 32bit x86 virtualized guest you will likely need to
75980 -+ disable the PAX_MEMORY_UDEREF option in order to avoid an unacceptable
75981 -+ impact on performance.
75982 -+
75983 -+config GRKERNSEC_HARDENED_WORKSTATION
75984 -+ bool "Hardened Gentoo [workstation]"
75985 -+# select GRKERNSEC_AUDIT_MOUNT
75986 -+ select GRKERNSEC_BRUTE
75987 -+ select GRKERNSEC_CHROOT
75988 -+ select GRKERNSEC_CHROOT_CAPS
75989 -+ select GRKERNSEC_CHROOT_CHDIR
75990 -+ select GRKERNSEC_CHROOT_CHMOD
75991 -+ select GRKERNSEC_CHROOT_DOUBLE
75992 -+ select GRKERNSEC_CHROOT_FCHDIR
75993 -+ select GRKERNSEC_CHROOT_FINDTASK
75994 -+ select GRKERNSEC_CHROOT_MKNOD
75995 -+ select GRKERNSEC_CHROOT_MOUNT
75996 -+ select GRKERNSEC_CHROOT_NICE
75997 -+ select GRKERNSEC_CHROOT_PIVOT
75998 -+ select GRKERNSEC_CHROOT_SHMAT
75999 -+ select GRKERNSEC_CHROOT_SYSCTL
76000 -+ select GRKERNSEC_CHROOT_UNIX
76001 -+ select GRKERNSEC_DMESG
76002 -+ select GRKERNSEC_EXECVE
76003 -+ select GRKERNSEC_FIFO
76004 -+ select GRKERNSEC_FORKFAIL
76005 -+ select GRKERNSEC_HIDESYM
76006 -+ select GRKERNSEC_KMEM
76007 -+ select GRKERNSEC_LINK
76008 -+ select GRKERNSEC_MODSTOP if (MODULES)
76009 -+ select GRKERNSEC_PROC
76010 -+ select GRKERNSEC_PROC_ADD
76011 -+ select GRKERNSEC_PROC_IPADDR
76012 -+ select GRKERNSEC_PROC_MEMMAP
76013 -+ select GRKERNSEC_PROC_USERGROUP
76014 -+ select GRKERNSEC_RANDNET
76015 -+ select GRKERNSEC_RESLOG
76016 -+ select GRKERNSEC_SIGNAL
76017 -+# select GRKERNSEC_SOCKET
76018 -+# select GRKERNSEC_SOCKET_ALL
76019 -+ select GRKERNSEC_SYSCTL
76020 -+ select GRKERNSEC_SYSCTL_ON
76021 -+ select GRKERNSEC_TIME
76022 -+ select PAX
76023 -+ select PAX_ASLR
76024 -+ select PAX_DLRESOLVE if (SPARC32 || SPARC64)
76025 -+ select PAX_EI_PAX
76026 -+ select PAX_EMUPLT if (ALPHA || PARISC || PPC32 || SPARC32 || SPARC64)
76027 -+ select PAX_EMUSIGRT if (PARISC || PPC32)
76028 -+ select PAX_EMUTRAMP if (PARISC || PPC32)
76029 -+ select PAX_ETEXECRELOCS if (ALPHA || IA64 || PARISC)
76030 -+ select PAX_MEMORY_SANITIZE
76031 -+ select PAX_MEMORY_UDEREF if (X86_32 && !COMPAT_VDSO)
76032 -+ select PAX_MPROTECT if (!PPC64)
76033 -+ select PAX_HAVE_ACL_FLAGS
76034 -+ select PAX_NOEXEC
76035 -+ select PAX_PAGEEXEC
76036 -+ select PAX_PT_PAX_FLAGS
76037 -+ select PAX_RANDKSTACK if (X86_32 && X86_TSC)
76038 -+ select PAX_RANDMMAP
76039 -+ select PAX_RANDUSTACK
76040 -+ select PAX_SEGMEXEC if (X86_32)
76041 -+ select PAX_SYSCALL if (PPC32)
76042 -+ help
76043 -+ If you say Y here, a configuration will be used that is endorsed by
76044 -+ the Hardened Gentoo project. Therefore, many of the protections
76045 -+ made available by grsecurity and PaX will be enabled.
76046 -+
76047 -+ Hardened Gentoo's pre-defined security levels are designed to provide
76048 -+ a high level of security while minimizing incompatibilities with the
76049 -+ majority of available software. For further information, please
76050 -+ view <http://www.grsecurity.net> and <http://pax.grsecurity.net> as
76051 -+ well as the Hardened Gentoo Primer at
76052 -+ <http://www.gentoo.org/proj/en/hardened/primer.xml>.
76053 -+
76054 -+ This Hardened Gentoo [workstation] level is designed for machines
76055 -+ which are intended to run software not compatible with the GRKERNSEC_IO
76056 -+ and PAX_KERNEXEC features of grsecurity. Accordingly, this security
76057 -+ level is suitable for use with the X server "Xorg" and/or any system
76058 -+ that will act as host OS to the virtualization softwares vmware-server
76059 -+ or virtualbox.
76060 -+
76061 -+ You may wish to emerge paxctl, a utility which allows you to toggle
76062 -+ PaX features on problematic binaries on an individual basis. Note that
76063 -+ this only works for ELF binaries that contain a PT_PAX_FLAGS header.
76064 -+ Translated, this means that if you wish to toggle PaX features on
76065 -+ binaries provided by applications that are distributed only in binary
76066 -+ format (rather than being built locally from sources), you will need to
76067 -+ run paxctl -C on the binaries beforehand so as to inject the missing
76068 -+ headers.
76069 -+
76070 -+ When this level is selected, some options cannot be changed. However,
76071 -+ you may opt to fully customize the options that are selected by
76072 -+ choosing "Custom" in the Security Level menu. You may find it helpful
76073 -+ to inherit the options selected by the "Hardened Gentoo [workstation]"
76074 -+ security level as a starting point for further configuration. To
76075 -+ accomplish this, select this security level then exit the menuconfig
76076 -+ interface, saving changes when prompted. Then, run make menuconfig
76077 -+ again and select the "Custom" level.
76078 -+
76079 -+ Note that this security level probably should not be used if the
76080 -+ target system is a 32bit x86 virtualized guest. If you intend to run
76081 -+ the kernel in a 32bit x86 virtualized guest you will likely need to
76082 -+ disable the PAX_MEMORY_UDEREF option in order to avoid an unacceptable
76083 -+ impact on performance.
76084 -+
76085 - config GRKERNSEC_CUSTOM
76086 - bool "Custom"
76087 - help
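Review bot: the last paragraph of both help texts tells a 32-bit x86 virtualized guest builder to disable PAX_MEMORY_UDEREF, but two paragraphs earlier the same text says options selected by a level cannot be changed; point the reader explicitly at the "Custom" procedure for that case (select the level, save, re-run menuconfig, pick Custom, then clear PAX_MEMORY_UDEREF), otherwise the advice cannot be followed from the level itself. Two smaller points on the select lists: the `!COMPAT_VDSO` conditions on `select PAX_KERNEXEC` and `select PAX_MEMORY_UDEREF` are redundant once 4440_disable-compat_vdso.patch from this same set is applied, since that patch turns COMPAT_VDSO into a promptless `default n` bool that can no longer be set; and `select PAX_HAVE_ACL_FLAGS` sits between PAX_MPROTECT and PAX_NOEXEC, breaking the otherwise alphabetical order that makes the server and workstation lists easy to compare line by line.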
76088
76089 Added: hardened-sources/2.6/trunk/2.6.24/4435_grsec-kconfig-pax-without-grsec.patch
76090 ===================================================================
76091 --- hardened-sources/2.6/trunk/2.6.24/4435_grsec-kconfig-pax-without-grsec.patch (rev 0)
76092 +++ hardened-sources/2.6/trunk/2.6.24/4435_grsec-kconfig-pax-without-grsec.patch 2008-04-30 11:36:08 UTC (rev 92)
76093 @@ -0,0 +1,11 @@
76094 +--- a/security/Kconfig
76095 ++++ b/security/Kconfig
76096 +@@ -10,7 +10,7 @@ menu "PaX"
76097 +
76098 + config PAX
76099 + bool "Enable various PaX features"
76100 +- depends on GRKERNSEC && (ALPHA || ARM || AVR32 || IA64 || MIPS32 || MIPS64 || PARISC || PPC32 || PPC64 || SPARC32 || SPARC64 || X86 || X86_64)
76101 ++ depends on (ALPHA || ARM || AVR32 || IA64 || MIPS32 || MIPS64 || PARISC || PPC32 || PPC64 || SPARC32 || SPARC64 || X86 || X86_64)
76102 + help
76103 + This allows you to enable various PaX features. PaX adds
76104 + intrusion prevention mechanisms to the kernel that reduce
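Review bot: this patch carries no From:/description header, unlike the others in the set; add one stating the intent (make PAX selectable with GRKERNSEC unset) and the consequence that PaX code which touches grsecurity-only fields then needs a guard. The `#ifdef CONFIG_GRKERNSEC_PROC_IPADDR` wrappers around `tsk->signal->curr_ip` in 4450_grsec-2.1.11-pax-curr_ip-fixes.patch below are such guards (4455 describes curr_ip as provided by the grsecurity patch and guards its own use the same way), so the description should say that this patch and 4450 belong together, otherwise a later rebase that carries one without the other leaves a PaX-only kernel referencing a field it does not have. The `select PAX` lines in the hardened levels are unaffected, because that choice already depends on GRKERNSEC.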
76105
76106 Added: hardened-sources/2.6/trunk/2.6.24/4440_disable-compat_vdso.patch
76107 ===================================================================
76108 --- hardened-sources/2.6/trunk/2.6.24/4440_disable-compat_vdso.patch (rev 0)
76109 +++ hardened-sources/2.6/trunk/2.6.24/4440_disable-compat_vdso.patch 2008-04-30 11:36:08 UTC (rev 92)
76110 @@ -0,0 +1,66 @@
76111 +From: Gordon Malm <bugs-gentoo-org-02@××××××.org>
76112 +From: Kerin Millar <kerframil@×××××.com>
76113 +
76114 +COMPAT_VDSO is inappropriate for any modern Hardened Gentoo system. It
76115 +conflicts with various parts of PaX, crashing the system if enabled
76116 +while PaX's NOEXEC or UDEREF features are active. Moreover, it prevents
76117 +a number of important PaX options from appearing in the configuration
76118 +menu, including all PaX NOEXEC implementations. Unfortunately, the
76119 +reason for the disappearance of these PaX configuration options is
76120 +often far from obvious to inexperienced users.
76121 +
76122 +Therefore, we disable the COMPAT_VDSO menu entry entirely. However,
76123 +COMPAT_VDSO operation can still be enabled via bootparam and sysctl
76124 +interfaces. Consequently, we must also disable the ability to select
76125 +COMPAT_VDSO operation at boot or runtime. Here we patch the kernel so
76126 +that selecting COMPAT_VDSO operation at boot/runtime has no effect if
76127 +conflicting PaX options are enabled, leaving VDSO_ENABLED operation
76128 +intact.
76129 +
76130 +Closes bug: http://bugs.gentoo.org/show_bug.cgi?id=210138
76131 +
76132 +--- a/arch/x86/Kconfig
76133 ++++ b/arch/x86/Kconfig
76134 +@@ -1188,17 +1188,9 @@ config HOTPLUG_CPU
76135 + suspend.
76136 +
76137 + config COMPAT_VDSO
76138 +- bool "Compat VDSO support"
76139 ++ bool
76140 + default n
76141 + depends on X86_32 && !PAX_NOEXEC
76142 +- help
76143 +- Map the VDSO to the predictable old-style address too.
76144 +- ---help---
76145 +- Say N here if you are running a sufficiently recent glibc
76146 +- version (2.3.3 or later), to remove the high-mapped
76147 +- VDSO mapping and to exclusively use the randomized VDSO.
76148 +-
76149 +- If unsure, say Y.
76150 +
76151 + endmenu
76152 +
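Review bot: removing the prompt stops the user from enabling COMPAT_VDSO, but the symbol keeps `depends on X86_32 && !PAX_NOEXEC`, which is now dead weight on an unpromptable `default n` bool; a `depends on` line does not stop a `select COMPAT_VDSO` from elsewhere, so if the aim is "cannot be enabled", say in the description that nothing selects it, or drop the symbol entirely (every `#ifdef CONFIG_COMPAT_VDSO` in the tree then behaves exactly as it does with a promptless default-n symbol) and remove the `!COMPAT_VDSO` guards from the grsecurity level definitions in the same set. The removed help block also contained a stray `---help---` line in the middle of its text; the deletion fixes that pre-existing oddity and is worth a sentence in the description so the cleanup is not mistaken for an accident.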
76153 +--- a/arch/x86/kernel/sysenter_32.c
76154 ++++ b/arch/x86/kernel/sysenter_32.c
76155 +@@ -278,9 +278,11 @@ int arch_setup_additional_pages(struct l
76156 +
76157 + map_compat_vdso(compat);
76158 +
76159 ++#if !defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_MEMORY_UDEREF)
76160 + if (compat)
76161 + addr = VDSO_HIGH_BASE;
76162 + else {
76163 ++#endif
76164 + addr = get_unmapped_area(NULL, 0, PAGE_SIZE, 0, MAP_EXECUTABLE);
76165 + if (IS_ERR_VALUE(addr)) {
76166 + ret = addr;
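Review bot: `map_compat_vdso(compat)` at the top of this hunk stays outside the new `#if !defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_MEMORY_UDEREF)` guard, so when a boot parameter or sysctl still requests compat operation the call is still made with whatever value `compat` holds, and only the per-process address selection below ignores the request; the description promises that the request "has no effect" under the conflicting PaX options, which this does not quite deliver. The simpler way to make it true is to force `compat` to false under the same `#if` before `map_compat_vdso(compat)` is called; that also lets the if/else keep its normal shape instead of having its `else {` and the matching `}` wrapped in preprocessor conditionals across two hunks.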
76167 +@@ -304,7 +306,9 @@ int arch_setup_additional_pages(struct l
76168 +
76169 + if (ret)
76170 + goto up_fail;
76171 ++#if !defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_MEMORY_UDEREF)
76172 + }
76173 ++#endif
76174 +
76175 + current->mm->context.vdso = addr;
76176 + current_thread_info()->sysenter_return =
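Review bot: the `}` guarded here closes the `else {` that the previous hunk guards with the identical `#if`, so whether the braces balance depends on two preprocessor blocks staying in sync; the next rebase that touches either hunk can break the build for one configuration only. If the structure is kept, put a `/* CONFIG_PAX_NOEXEC || CONFIG_PAX_MEMORY_UDEREF */` style comment on both `#endif` lines naming what they close; better, guard the decision (set `compat` to false) rather than the braces.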
76177
76178 Deleted: hardened-sources/2.6/trunk/2.6.24/4440_grsec-kconfig-pax-without-grsec.patch
76179 ===================================================================
76180 --- hardened-sources/2.6/trunk/2.6.24/4440_grsec-kconfig-pax-without-grsec.patch 2008-04-30 11:33:52 UTC (rev 91)
76181 +++ hardened-sources/2.6/trunk/2.6.24/4440_grsec-kconfig-pax-without-grsec.patch 2008-04-30 11:36:08 UTC (rev 92)
76182 @@ -1,11 +0,0 @@
76183 ---- a/security/Kconfig
76184 -+++ b/security/Kconfig
76185 -@@ -10,7 +10,7 @@ menu "PaX"
76186 -
76187 - config PAX
76188 - bool "Enable various PaX features"
76189 -- depends on GRKERNSEC && (ALPHA || ARM || AVR32 || IA64 || MIPS32 || MIPS64 || PARISC || PPC32 || PPC64 || SPARC32 || SPARC64 || X86 || X86_64)
76190 -+ depends on (ALPHA || ARM || AVR32 || IA64 || MIPS32 || MIPS64 || PARISC || PPC32 || PPC64 || SPARC32 || SPARC64 || X86 || X86_64)
76191 - help
76192 - This allows you to enable various PaX features. PaX adds
76193 - intrusion prevention mechanisms to the kernel that reduce
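Review bot: the body deleted here is byte-for-byte the body added above as 4435_grsec-kconfig-pax-without-grsec.patch, and the same delete-and-add pairing repeats below for the disable-compat_vdso, mute-warnings, pax-curr_ip-fixes and selinux-avc_audit patches, i.e. these files are only being renumbered. Doing that with `svn mv` (or `svn cp` followed by `svn rm`) keeps each file's history attached to its new name, so `svn log` and `svn blame` on 4435_... would still show who wrote the change instead of starting at this revision.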
76194
76195 Deleted: hardened-sources/2.6/trunk/2.6.24/4445_disable-compat_vdso.patch
76196 ===================================================================
76197 --- hardened-sources/2.6/trunk/2.6.24/4445_disable-compat_vdso.patch 2008-04-30 11:33:52 UTC (rev 91)
76198 +++ hardened-sources/2.6/trunk/2.6.24/4445_disable-compat_vdso.patch 2008-04-30 11:36:08 UTC (rev 92)
76199 @@ -1,66 +0,0 @@
76200 -From: Gordon Malm <bugs-gentoo-org-02@××××××.org>
76201 -From: Kerin Millar <kerframil@×××××.com>
76202 -
76203 -COMPAT_VDSO is inappropriate for any modern Hardened Gentoo system. It
76204 -conflicts with various parts of PaX, crashing the system if enabled
76205 -while PaX's NOEXEC or UDEREF features are active. Moreover, it prevents
76206 -a number of important PaX options from appearing in the configuration
76207 -menu, including all PaX NOEXEC implementations. Unfortunately, the
76208 -reason for the disappearance of these PaX configuration options is
76209 -often far from obvious to inexperienced users.
76210 -
76211 -Therefore, we disable the COMPAT_VDSO menu entry entirely. However,
76212 -COMPAT_VDSO operation can still be enabled via bootparam and sysctl
76213 -interfaces. Consequently, we must also disable the ability to select
76214 -COMPAT_VDSO operation at boot or runtime. Here we patch the kernel so
76215 -that selecting COMPAT_VDSO operation at boot/runtime has no effect if
76216 -conflicting PaX options are enabled, leaving VDSO_ENABLED operation
76217 -intact.
76218 -
76219 -Closes bug: http://bugs.gentoo.org/show_bug.cgi?id=210138
76220 -
76221 ---- a/arch/x86/Kconfig
76222 -+++ b/arch/x86/Kconfig
76223 -@@ -1188,17 +1188,9 @@ config HOTPLUG_CPU
76224 - suspend.
76225 -
76226 - config COMPAT_VDSO
76227 -- bool "Compat VDSO support"
76228 -+ bool
76229 - default n
76230 - depends on X86_32 && !PAX_NOEXEC
76231 -- help
76232 -- Map the VDSO to the predictable old-style address too.
76233 -- ---help---
76234 -- Say N here if you are running a sufficiently recent glibc
76235 -- version (2.3.3 or later), to remove the high-mapped
76236 -- VDSO mapping and to exclusively use the randomized VDSO.
76237 --
76238 -- If unsure, say Y.
76239 -
76240 - endmenu
76241 -
76242 ---- a/arch/x86/kernel/sysenter_32.c
76243 -+++ b/arch/x86/kernel/sysenter_32.c
76244 -@@ -278,9 +278,11 @@ int arch_setup_additional_pages(struct l
76245 -
76246 - map_compat_vdso(compat);
76247 -
76248 -+#if !defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_MEMORY_UDEREF)
76249 - if (compat)
76250 - addr = VDSO_HIGH_BASE;
76251 - else {
76252 -+#endif
76253 - addr = get_unmapped_area(NULL, 0, PAGE_SIZE, 0, MAP_EXECUTABLE);
76254 - if (IS_ERR_VALUE(addr)) {
76255 - ret = addr;
76256 -@@ -304,7 +306,9 @@ int arch_setup_additional_pages(struct l
76257 -
76258 - if (ret)
76259 - goto up_fail;
76260 -+#if !defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_MEMORY_UDEREF)
76261 - }
76262 -+#endif
76263 -
76264 - current->mm->context.vdso = addr;
76265 - current_thread_info()->sysenter_return =
76266
76267 Added: hardened-sources/2.6/trunk/2.6.24/4445_grsec-2.1.11-mute-warnings.patch
76268 ===================================================================
76269 --- hardened-sources/2.6/trunk/2.6.24/4445_grsec-2.1.11-mute-warnings.patch (rev 0)
76270 +++ hardened-sources/2.6/trunk/2.6.24/4445_grsec-2.1.11-mute-warnings.patch 2008-04-30 11:36:08 UTC (rev 92)
76271 @@ -0,0 +1,19 @@
76272 +From: Alexander Gabert <gaberta@××××××××.de>
76273 +
76274 +This patch removes the warnings introduced by grsec patch 2.1.11 and later.
76275 +It removes the -W options added by the patch and restores the original
76276 +warning flags of vanilla kernel versions.
76277 +
76278 +Acked-by: Christian Heim <phreak@g.o>
76279 +
76280 +--- a/Makefile
76281 ++++ b/Makefile
76282 +@@ -214,7 +214,7 @@
76283 +
76284 + HOSTCC = gcc
76285 + HOSTCXX = g++
76286 +-HOSTCFLAGS = -Wall -W -Wno-unused -Wno-sign-compare -Wstrict-prototypes -O2 -fomit-frame-pointer
76287 ++HOSTCFLAGS = -Wall -Wstrict-prototypes -O2 -fomit-frame-pointer
76288 + HOSTCXXFLAGS = -O2
76289 +
76290 + # Decide whether to build built-in, modular, or both.
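Review bot: the hunk touches only HOSTCFLAGS, the flags for the host-side build tools, while the description speaks of "the warnings introduced by grsec patch 2.1.11" without qualification; say that the kernel's own warning flags are untouched so nobody expects the kernel build output to change. Also state precisely what is reverted: `-W` (extra warnings) together with the `-Wno-unused -Wno-sign-compare` carve-outs that were added alongside it, which nets out to the vanilla `-Wall -Wstrict-prototypes`; whatever 2.1.11 wanted to catch in the host tools with the rest of `-W` is being given up here, and the description should present that as a deliberate trade for a quieter build.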
76291
76292 Deleted: hardened-sources/2.6/trunk/2.6.24/4450_grsec-2.1.11-mute-warnings.patch
76293 ===================================================================
76294 --- hardened-sources/2.6/trunk/2.6.24/4450_grsec-2.1.11-mute-warnings.patch 2008-04-30 11:33:52 UTC (rev 91)
76295 +++ hardened-sources/2.6/trunk/2.6.24/4450_grsec-2.1.11-mute-warnings.patch 2008-04-30 11:36:08 UTC (rev 92)
76296 @@ -1,19 +0,0 @@
76297 -From: Alexander Gabert <gaberta@××××××××.de>
76298 -
76299 -This patch removes the warnings introduced by grsec patch 2.1.11 and later.
76300 -It removes the -W options added by the patch and restores the original
76301 -warning flags of vanilla kernel versions.
76302 -
76303 -Acked-by: Christian Heim <phreak@g.o>
76304 -
76305 ---- a/Makefile
76306 -+++ b/Makefile
76307 -@@ -214,7 +214,7 @@
76308 -
76309 - HOSTCC = gcc
76310 - HOSTCXX = g++
76311 --HOSTCFLAGS = -Wall -W -Wno-unused -Wno-sign-compare -Wstrict-prototypes -O2 -fomit-frame-pointer
76312 -+HOSTCFLAGS = -Wall -Wstrict-prototypes -O2 -fomit-frame-pointer
76313 - HOSTCXXFLAGS = -O2
76314 -
76315 - # Decide whether to build built-in, modular, or both.
76316
76317 Added: hardened-sources/2.6/trunk/2.6.24/4450_grsec-2.1.11-pax-curr_ip-fixes.patch
76318 ===================================================================
76319 --- hardened-sources/2.6/trunk/2.6.24/4450_grsec-2.1.11-pax-curr_ip-fixes.patch (rev 0)
76320 +++ hardened-sources/2.6/trunk/2.6.24/4450_grsec-2.1.11-pax-curr_ip-fixes.patch 2008-04-30 11:36:08 UTC (rev 92)
76321 @@ -0,0 +1,29 @@
76322 +--- a/arch/x86/mm/fault_32.c
76323 ++++ b/arch/x86/mm/fault_32.c
76324 +@@ -730,10 +730,12 @@
76325 + #else
76326 + else if (init_mm.start_code <= address && address < init_mm.end_code)
76327 + #endif
76328 ++#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
76329 + if (tsk->signal->curr_ip)
76330 + printk(KERN_ERR "PAX: From %u.%u.%u.%u: %s:%d, uid/euid: %u/%u, attempted to modify kernel code",
76331 + NIPQUAD(tsk->signal->curr_ip), tsk->comm, task_pid_nr(tsk), tsk->uid, tsk->euid);
76332 + else
76333 ++#endif
76334 + printk(KERN_ERR "PAX: %s:%d, uid/euid: %u/%u, attempted to modify kernel code",
76335 + tsk->comm, task_pid_nr(tsk), tsk->uid, tsk->euid);
76336 + #endif
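Review bot: this patch has no From:/description header, unlike the others in the set; record why the guards are needed. 4435_grsec-kconfig-pax-without-grsec.patch above makes PAX selectable with GRKERNSEC off, and 4455_selinux-avc_audit-log-curr_ip.patch below describes `curr_ip` as provided by the grsecurity patch and guards its own use with the same CONFIG_GRKERNSEC_PROC_IPADDR, so without these `#ifdef`s a PaX-only kernel would reference `tsk->signal->curr_ip` without the field existing. On the structure: the `else if (init_mm.start_code <= address && address < init_mm.end_code)` line just above the new guard has no braces and is itself inside a separate `#else`/`#endif`, so which statement ends up as its body now depends on two independent configuration options; that compiles in all four combinations, but a reader has to run the preprocessor in their head to see it. Building the "From a.b.c.d: " part of the message separately under CONFIG_GRKERNSEC_PROC_IPADDR and then issuing one unconditional printk would keep the control flow here free of preprocessor logic.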
76337 +--- a/fs/exec.c
76338 ++++ b/fs/exec.c
76339 +@@ -1695,9 +1695,11 @@ void pax_report_fault(struct pt_regs *re
76340 + }
76341 + up_read(&mm->mmap_sem);
76342 + }
76343 ++#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
76344 + if (tsk->signal->curr_ip)
76345 + printk(KERN_ERR "PAX: From %u.%u.%u.%u: execution attempt in: %s, %08lx-%08lx %08lx\n", NIPQUAD(tsk->signal->curr_ip), path_fault, start, end, offset);
76346 + else
76347 ++#endif
76348 + printk(KERN_ERR "PAX: execution attempt in: %s, %08lx-%08lx %08lx\n", path_fault, start, end, offset);
76349 + printk(KERN_ERR "PAX: terminating task: %s(%s):%d, uid/euid: %u/%u, "
76350 + "PC: %p, SP: %p\n", path_exec, tsk->comm, task_pid_nr(tsk),
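Review bot: the same `if (tsk->signal->curr_ip) ... else ...` pair now appears twice under identical guards (here and in fault_32.c above), each with a near-duplicate format string; a small helper that yields the "From %u.%u.%u.%u: " prefix, empty when the option is off or curr_ip is zero, would give both call sites a single printk and take the preprocessor out of the middle of the if/else. Separately, the `From %u.%u.%u.%u: execution attempt in:` line runs well past 80 columns; wrap it like the fault_32.c variant.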
76351
76352 Deleted: hardened-sources/2.6/trunk/2.6.24/4455_grsec-2.1.11-pax-curr_ip-fixes.patch
76353 ===================================================================
76354 --- hardened-sources/2.6/trunk/2.6.24/4455_grsec-2.1.11-pax-curr_ip-fixes.patch 2008-04-30 11:33:52 UTC (rev 91)
76355 +++ hardened-sources/2.6/trunk/2.6.24/4455_grsec-2.1.11-pax-curr_ip-fixes.patch 2008-04-30 11:36:08 UTC (rev 92)
76356 @@ -1,29 +0,0 @@
76357 ---- a/arch/x86/mm/fault_32.c
76358 -+++ b/arch/x86/mm/fault_32.c
76359 -@@ -730,10 +730,12 @@
76360 - #else
76361 - else if (init_mm.start_code <= address && address < init_mm.end_code)
76362 - #endif
76363 -+#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
76364 - if (tsk->signal->curr_ip)
76365 - printk(KERN_ERR "PAX: From %u.%u.%u.%u: %s:%d, uid/euid: %u/%u, attempted to modify kernel code",
76366 - NIPQUAD(tsk->signal->curr_ip), tsk->comm, task_pid_nr(tsk), tsk->uid, tsk->euid);
76367 - else
76368 -+#endif
76369 - printk(KERN_ERR "PAX: %s:%d, uid/euid: %u/%u, attempted to modify kernel code",
76370 - tsk->comm, task_pid_nr(tsk), tsk->uid, tsk->euid);
76371 - #endif
76372 ---- a/fs/exec.c
76373 -+++ b/fs/exec.c
76374 -@@ -1695,9 +1695,11 @@ void pax_report_fault(struct pt_regs *re
76375 - }
76376 - up_read(&mm->mmap_sem);
76377 - }
76378 -+#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
76379 - if (tsk->signal->curr_ip)
76380 - printk(KERN_ERR "PAX: From %u.%u.%u.%u: execution attempt in: %s, %08lx-%08lx %08lx\n", NIPQUAD(tsk->signal->curr_ip), path_fault, start, end, offset);
76381 - else
76382 -+#endif
76383 - printk(KERN_ERR "PAX: execution attempt in: %s, %08lx-%08lx %08lx\n", path_fault, start, end, offset);
76384 - printk(KERN_ERR "PAX: terminating task: %s(%s):%d, uid/euid: %u/%u, "
76385 - "PC: %p, SP: %p\n", path_exec, tsk->comm, task_pid_nr(tsk),
76386
76387 Added: hardened-sources/2.6/trunk/2.6.24/4455_selinux-avc_audit-log-curr_ip.patch
76388 ===================================================================
76389 --- hardened-sources/2.6/trunk/2.6.24/4455_selinux-avc_audit-log-curr_ip.patch (rev 0)
76390 +++ hardened-sources/2.6/trunk/2.6.24/4455_selinux-avc_audit-log-curr_ip.patch 2008-04-30 11:36:08 UTC (rev 92)
76391 @@ -0,0 +1,25 @@
76392 +Provides support for a new field ipaddr within the SELinux
76393 +AVC audit log, relying in task_struct->curr_ip (ipv4 only)
76394 +provided by grSecurity patch to be applied before.
76395 +
76396 +Signed-off-by: Lorenzo Hernandez Garcia-Hierro <lorenzo@×××.org>
76397 +---
76398 +
76399 + security/selinux/avc.c | 6 ++++++
76400 + 1 file changed, 6 insertions(+)
76401 +
76402 +--- a/security/selinux/avc.c
76403 ++++ b/security/selinux/avc.c
76404 +@@ -202,6 +202,12 @@ static void avc_dump_query(struct audit_
76405 + char *scontext;
76406 + u32 scontext_len;
76407 +
76408 ++/* CONFIG_PROC_IPADDR if task-signal-curr_ip patch from lorenzo@×××.org is present */
76409 ++#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
76410 ++ if (current->signal->curr_ip)
76411 ++ audit_log_format(ab, "ipaddr=%u.%u.%u.%u ", NIPQUAD(current->signal->curr_ip));
76412 ++#endif /* CONFIG_GRKERNSEC_PROC_IPADDR */
76413 ++
76414 + rc = security_sid_to_context(ssid, &scontext, &scontext_len);
76415 + if (rc)
76416 + audit_log_format(ab, "ssid=%d", ssid);
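Review bot: the comment line names CONFIG_PROC_IPADDR while the guard directly under it tests CONFIG_GRKERNSEC_PROC_IPADDR; correct the comment to the symbol actually used, and reword "if task-signal-curr_ip patch from lorenzo@... is present" to match the description, which attributes the field to the grsecurity patch, otherwise a reader grepping for the named option finds nothing. The comment also sits at column 0 inside the function body; indent it with the surrounding code. On the record itself, the new `ipaddr=` field is written ahead of `ssid=`/`scontext=`; consider appending it after the existing fields so the front of the avc record keeps its familiar shape, and note in the description that the value is IPv4 only (the format string and NIPQUAD cannot carry anything else).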
76417
76418 Deleted: hardened-sources/2.6/trunk/2.6.24/4460_selinux-avc_audit-log-curr_ip.patch
76419 ===================================================================
76420 --- hardened-sources/2.6/trunk/2.6.24/4460_selinux-avc_audit-log-curr_ip.patch 2008-04-30 11:33:52 UTC (rev 91)
76421 +++ hardened-sources/2.6/trunk/2.6.24/4460_selinux-avc_audit-log-curr_ip.patch 2008-04-30 11:36:08 UTC (rev 92)
76422 @@ -1,25 +0,0 @@
76423 -Provides support for a new field ipaddr within the SELinux
76424 -AVC audit log, relying in task_struct->curr_ip (ipv4 only)
76425 -provided by grSecurity patch to be applied before.
76426 -
76427 -Signed-off-by: Lorenzo Hernandez Garcia-Hierro <lorenzo@×××.org>
76428 ----
76429 -
76430 - security/selinux/avc.c | 6 ++++++
76431 - 1 file changed, 6 insertions(+)
76432 -
76433 ---- a/security/selinux/avc.c
76434 -+++ b/security/selinux/avc.c
76435 -@@ -202,6 +202,12 @@ static void avc_dump_query(struct audit_
76436 - char *scontext;
76437 - u32 scontext_len;
76438 -
76439 -+/* CONFIG_PROC_IPADDR if task-signal-curr_ip patch from lorenzo@×××.org is present */
76440 -+#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
76441 -+ if (current->signal->curr_ip)
76442 -+ audit_log_format(ab, "ipaddr=%u.%u.%u.%u ", NIPQUAD(current->signal->curr_ip));
76443 -+#endif /* CONFIG_GRKERNSEC_PROC_IPADDR */
76444 -+
76445 - rc = security_sid_to_context(ssid, &scontext, &scontext_len);
76446 - if (rc)
76447 - audit_log_format(ab, "ssid=%d", ssid);
76448
76449 --
76450 gentoo-commits@l.g.o mailing list